Tuesday, October 19, 2010

Exchange Server 2010 - Management Console Error

 

While logged onto an Exchange 2010 server, and opening the Exchange Management Console, an error message appears. This error message can be traced to one of two things.  Either the Exchange 2010 Server is really having communication problems with the In-Site Domain Controllers or there is profile corruption on the account you are using to log into the Exchange 2010 Server.  More times than not, it is indeed the profile corruption of the Exchange Management Console file.   


Remediation Steps:



Verify Communication with Domain Controllers:

First, verify that the Exchange 2010 Server is not receiving errors during MSExchange DSAccess suitability testing. This can be verified in the Application event log:

EventID:  2080
Source:  MSExchange ADAccess


If not all of your In-Site domain controllers are listed, OR the suitability scores differ significantly from one another, be sure to investigate whether or not there are communication and/or replication issues with your DCs. If all looks good, move on to the profile corruption fix.

Profile corruption:

TO FIX:

1. Log into IOPMAIL01, navigate to the following location:
C:\Users\<Username>\AppData\Roaming\Microsoft\MMC\

2. Delete or rename the following file: “Exchange Management Console”

3. Log out and log back in. Open the Exchange Management Console and errors should be gone.

Wednesday, October 13, 2010

Exchange Server 2010 SP1 – SSLOffloading

 

If you will be leveraging a Hardware Load Balancer for your Exchange 2010 environment, some additional Exchange-specific settings must be modified to get this working, whether you are using PassThrough, SSLOffloading or ReverseSSL (aka SSLBridging).

  • System Requirements for this configuration:   EXCHANGE SERVER 2010 “SP1”

Options for Load Balancing Exchange 2010 CAS Servers using Hardware Load Balancer:

  • Pass Through


    • Simple and a very common deployment method
      • Configuration Requirements
        • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60 
  • Reverse SSL (aka SSL Bridging) --- Recommended

    • More advanced configuration, and more advanced forms of loadbalancing available.
      • Benefits:
        • Secure communications end-to-end; no passwords in clear text between HLB and CAS
        • Less configuration required on Exchange 2010 than SSLOffloading below.
        • If your Exchange 2010 CAS servers are already configured, the only configuration remaining is to set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60
      • Disadvantages:
        • Does not offload (encryption and decryption) cpu processing from the CAS Servers.
           
  • SSLOffloading 

    (Note: the script at the end of this article will configure all of these parameters for you)


    • More advanced forms of loadbalancing available.   (This Article provides steps to configure)
      • Configuration Requirements
      • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
        "RpcTcpPort"="60001"
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
        "TCP/IP Port"=dword:0000ea60
    • Remove “Require SSL” from Default Website and All Exchange Virtual Directories on each CAS Server
    • Enable Outlook Anywhere, Set Authentication Basic and Set Outlook Anywhere SSLOffloading to TRUE
    • Set OWA for SSLOffloading

      New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD
    • Modify the web.config file for Autodiscover and EWS

      # Configure web.config files
      $path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
      (Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config
      $path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path
      (Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"}| Set-Content $path\web.config

 

Important
If you configure SSL offloading on an Exchange 2010 CAS server, all user passwords will be sent in clear between the HLB device(s) and the CAS servers, so it's important the traffic is sent over a secure network not accessible by malicious users. If the security policy within the organization states that all passwords should be sent in an encrypted form (even when occurring over a secure network), it's recommended to enable reverse SSL on the HLB device(s). In addition, it's recommended to enable reverse SSL, if the organization does not have a secure network in place between the HLB device(s) and the CAS servers or if there's no noticeable performance gain of offloading SSL to the HLB device(s) in the environment.

SCRIPT to Configure CAS for SSLOffloading

# This script will configure the Exchange 2010 Client Access Servers
# for Hardware Load Balancer with SSLOffloading enabled.
#
# System Requirements: EXCHANGE SERVER 2010 "SP1"
# Run from the Exchange Management Shell on each CAS server.

# Set registry key
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD

# Assign Static Port for MSExchangeAB (must differ from the MSExchangeRPC port)
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB' -Name Parameters
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters' -Name RpcTcpPort -Value 60001 -PropertyType String

# Assign Static Port for MSExchangeRPC (0x0000ea60 = 60000)
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem' -Name "TCP/IP Port" -PropertyType DWORD -Value 0x0000ea60

# Disable RequireSSL on websites
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Autodiscover" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/ecp" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/EWS" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Microsoft-Server-ActiveSync" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/owa" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/rpc" -commitPath:APPHOST -section:access -sslFlags:None

# Configure web.config files (switch the bindings from HTTPS to HTTP transport)
$path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config

$path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path
(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config

# Configure Outlook Anywhere
$enabled = Get-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*"

If ($enabled)
{
    Set-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*" -SSLOffloading $true
}
Else
{
    Write-Host "Configure Outlook Anywhere and remember to check the box to enable SSL Offloading"
}

Write-Host -f Red "NOTE: Run `"iisreset /noforce`" to complete the process"
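A read-only check of the settings described in this post, as an added example that is not part of the original article. The function names Get-RegistryValue and Test-CasLoadBalancerConfig are hypothetical; the registry paths and Exchange cmdlets are the ones used above, so it is assumed to run in the Exchange Management Shell on the CAS server.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Run in the Exchange Management Shell on the CAS server (PowerShell 2.0 compatible).

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-CasLoadBalancerConfig {
    param([switch]$SslOffloading)   # also check the SSLOffloading-only settings

    $services = 'HKLM:\SYSTEM\CurrentControlSet\services'
    $abPort   = Get-RegistryValue "$services\MSExchangeAB\Parameters" 'RpcTcpPort'
    $rpcPort  = Get-RegistryValue "$services\MSExchangeRPC\ParametersSystem" 'TCP/IP Port'
    $findings = @()

    # Static ports are required for Pass Through, Reverse SSL and SSLOffloading alike.
    if ($abPort -eq $null)  { $findings += 'MSExchangeAB RpcTcpPort is not set' }
    if ($rpcPort -eq $null) { $findings += 'MSExchangeRPC "TCP/IP Port" is not set' }
    if ($abPort -ne $null -and $rpcPort -ne $null -and [int]$abPort -eq [int]$rpcPort) {
        $findings += "MSExchangeAB and MSExchangeRPC both use port $rpcPort; they must differ"
    }

    if ($SslOffloading) {
        $owa = Get-RegistryValue "$services\MSExchange OWA" 'SSLOffloaded'
        if ($owa -ne 1) { $findings += 'OWA SSLOffloaded registry value is not 1' }

        # Autodiscover and EWS web.config must no longer reference httpsTransport.
        $dirs = @(Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME) +
                @(Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME)
        foreach ($dir in $dirs) {
            $config = Join-Path $dir.Path 'web.config'
            if (Select-String -Path $config -Pattern 'httpsTransport' -Quiet) {
                $findings += "$config still contains httpsTransport"
            }
        }

        $oa = Get-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*"
        if (-not $oa) {
            $findings += 'Outlook Anywhere is not enabled'
        } elseif (-not $oa.SSLOffloading) {
            $findings += 'Outlook Anywhere SSLOffloading is not TRUE'
        }
    }

    if ($findings.Count -eq 0) { Write-Host 'All checked settings are consistent.' }
    $findings   # one string per problem found; nothing when the configuration is clean
}

Test-CasLoadBalancerConfig -SslOffloading
```

Omit -SslOffloading on Pass Through or Reverse SSL servers, where only the static port check applies.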

Monday, October 11, 2010

Exchange 2010 SP1 Upgrade Install Issues

 

Installation of Exchange 2010 SP1 Upgrade results in “AuthorizationManager CheckFailed” error, and Exchange is uninstalled.

 Culprit:   Powershell Execution Policy.  Round 3 below describes the remediation steps.   The other rounds merely prove that multiple solutions published over the Internet did not fix this issue.

The Error:

My first installation of Exchange 2010 SP1 upgrade to my existing Exchange 2010 Client Access Server was a complete failure.  Following AD prep and prerequisite checks/installs, I proceeded with the upgrade, and during the Preparing Files section of the install I received the “AuthorizationManager Check Failed” message.


After clicking FINISH on the installation wizard, I noticed that Exchange 2010 no longer existed on that server.  The Removing Exchange files is actually the step prior to “Preparing Files”, isn't that lovely.  Fortunately, I always snapshot my servers prior to Rollup and Service Pack installation, so I was able to rollback and try pass number two. 

Failed Remediation Attempts

Below are the various FAILED remediation steps I took to try and get through this upgrade successfully.  You will see some of these scattered around the Internet.  None of them worked for me.  The solution at the end of this article is the real deal, and fixed my problem.

  • Tried uninstalling previous rollups (Had Rollup 4 installed) – Upgrade failed
  • Changing Execution policy to unrestricted as well as Bypass (local machine policy only) – Upgrade failed.
  • Disabled UAC – Upgrade failed
  • Downloaded installation (upgrade) exe set to “UNBLOCK” before execution. – Upgrade failed
  • Set within IE (Internet Options \ Advanced \ Security)  - Upgrade failed
  • All inclusive settings from above – Upgrade failed.

 

The Solution (Successful): 

1.  Download Ex2010 SP1 from the Internet on to the machine you are installing SP1.  Following file download, Right Click the exe file > Properties >  “UNBLOCK”.  Extract the file to a location on the local system.
Note: The download was only executed on the first Exchange 2010 server I upgraded.  I copied the files over to the other Exchange 2010 for the other servers upgraded.

2. Download and Install any prerequisites required for the SP1 installation.

3. Open PowerShell and check the ExecutionPolicy for that server. Be sure to check the ExecutionPolicy using the Get-ExecutionPolicy -List command. If you merely run the Get-ExecutionPolicy command, only the LocalMachine execution policy will be displayed.

If the execution policy is different from the image below, in particular if the Machine and User Policy settings are set to anything other than “UNDEFINED”, then check to see what is applying the settings. It could be either Local Policy or Domain Policy (GPO).

The image below lists the desired settings:
[Image: Get-ExecutionPolicy -List output with the desired settings]

To verify a GPO applying the settings, perform the following:

  1. Open a command window with elevated rights (“Run as administrator”).
  2. At the command prompt, type and then press ENTER:

    gpresult /z > PolicySettings.txt
  3. Open the file PolicySettings.txt in Notepad and Search for the following entry in the list:

    [Image: the PowerShell policy entry in PolicySettings.txt]

    Note where in the Group Policy hierarchy that this entry resides. Repeat this step to determine whether there are other entries that reference "PowerShell."
  4. If Enabled, modify the GPO setting this value to “Not Configured”.
  5. Perform a GPUPDATE /force on the Exchange server you are installing SP1 on and verify that the policy is no longer applied.
  6. Verify the ExecutionPolicy settings again as above.  Once things look like the above, proceed with the installation.
    From PowerShell:   Get-ExecutionPolicy -List
  7. Once the settings look good, proceed with the upgrade installation.   Be sure to run the installation with elevated privileges.  I normally open a command prompt (Run As Administrator), navigate to the installation directory and execute the installation.
  8. This procedure was successful and consistent across all my Exchange 2010 servers

Of course, if an AD DS Group Policy was the culprit, once you have fixed the policy the fix should apply (verify though) to the remainder of the Exchange servers.
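A pre-flight check for the condition described in step 3, as an added example that is not part of the original post. The function name Get-PolicyEnforcedExecutionPolicy is hypothetical; the registry keys are the standard locations where the Group Policy setting "Turn on Script Execution" is stored.

```powershell
# Added example, not from the original post. PowerShell 2.0 compatible, read-only.

function Get-PolicyEnforcedExecutionPolicy {
    # MachinePolicy and UserPolicy can only be set through Group Policy
    # (local or domain); the post expects both to be Undefined before setup.
    $gpoScopes = 'MachinePolicy', 'UserPolicy'

    # Registry locations where the "Turn on Script Execution" policy is stored.
    $policyKeys = @{
        MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    }

    foreach ($entry in (Get-ExecutionPolicy -List)) {
        $scope  = $entry.Scope.ToString()
        $policy = $entry.ExecutionPolicy.ToString()
        if (($gpoScopes -contains $scope) -and ($policy -ne 'Undefined')) {
            $key = $policyKeys[$scope]
            $raw = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # Emit one object per scope that Group Policy is controlling.
            New-Object PSObject -Property @{
                Scope           = $scope
                ExecutionPolicy = $policy
                RegistryKey     = $key
                EnableScripts   = $raw.EnableScripts
                PolicyValue     = $raw.ExecutionPolicy
            }
        }
    }
}

$blocking = @(Get-PolicyEnforcedExecutionPolicy)
if ($blocking.Count -gt 0) {
    $blocking | Format-List Scope, ExecutionPolicy, RegistryKey, EnableScripts, PolicyValue
    Write-Warning 'Execution policy is set by Group Policy. Fix the GPO, run gpupdate /force, and re-check before starting setup.'
} else {
    Write-Host 'MachinePolicy and UserPolicy are Undefined. OK to proceed with setup.'
}
```

Take the snapshot mentioned above before running setup even when this check passes, since a failed upgrade removes Exchange from the server.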

Wednesday, October 6, 2010

Cannot Activate Database Copy: Content Index Catalog Files in Failed State

 

 

When activating a database copy in an Exchange Server 2010 Database Availability Group it may fail with an error message that catalog index files are in a failed state.


 

When you view the copy status of the mailbox database the content index is in a failed state.

[PS] C:\>Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\EX1
ContentIndexState : Failed

Name : Mailbox Database 02\EX1
ContentIndexState : Healthy


To resolve the issue update the content index on the server on which it has failed.



[PS] C:\>Update-MailboxDatabaseCopy "Mailbox Database 01\EX1" -CatalogOnly


The content index should now be in a healthy state.



[PS] C:\>Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\EX1
ContentIndexState : Healthy

Name : Mailbox Database 02\EX1
ContentIndexState : Healthy


After the content index is healthy you can attempt to activate the database copy again.

Friday, August 13, 2010

Forefront Client Security – Collection Database creation Failure

 

Problem:

While installing FCS roles (Management, Collection Server, Collection Database, Reporting Server and Reporting Database) on a server, the verification of settings and requirements shows all is well (image below).  That is, until you initiate the install and the installation bombs out with an error on the creating collection database task.  I have run into many posts about this same issue and just about every one of them has a different solution or they gave up.  Some of the solutions say that it's because .NET Framework 1.1 is not installed, or Collation settings are not set correctly, etc.

Now I have tried just about every solution out there, and none of them fixed my issue.  So I took matters into my own hands and ventured away from the standard installation wizard.  Below is the solution that got me to the point where I successfully created the Collection Database on the server, and then I was able to resume installing the remaining roles.

Note:  I have only encountered this issue on Windows 2003 x32.  All other installs on Win2008 have been successful.   Below is an image of the FCS server and the roles (consolidated).
 
 

[Image: FCS server and roles (consolidated)]

 

Solution:

A little more information about my configuration will explain the solution.   I had the OS installed on C:\ (of course), and SQL 2005 installed on the E: drive.  Even though I configured the SQL 2005 default database location to the E:\ drive (which of course was permissioned correctly), and specified E:\… for the installation files, the FCS Client installation wizard was still attempting to create the database on C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data.

The wizard does not do what you would expect it to do.  Has a mind of its own apparently.

The FIX:

Grant the SQLServer2005MSSQLUser$<computername>$MSSQLSERVER local group and/or the installation account you are using Full Control permission to the MSSQL\ directory and its child directories.  Once this was completed, I was able to complete the Collection Database creation process and install the FCS Server.  Following the installation, you can move the databases to the desired location.  To do that you will have to stop the Client Security services, detach the databases (OnePoint and SystemCenterReporting), move the files and attach the databases.


Exchange 2010 – Antivirus Exclusions

 

If you're deploying file-level scanners on Exchange 2010 servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both memory-resident and file-level scanning. This section describes directory exclusions, process exclusions, and file name extension exclusions for each server or server role.

Directory Exclusions

Mailbox Server Role (Exclusion Type: File-Level)

  • Databases
    Command to retrieve the location:
    Get-MailboxDatabase -server <servername> | format-list *path*
  • Log Files
  • Checkpoints
  • Database Content Indexes (default is same location as databases)
  • Group Metrics files: %ExchangeInstallPath%\GroupMetrics (%ExchangeInstallPath%\TransportRoles\Logs and %ExchangeInstallPath%\Logging)
  • Offline Address Book Files: %ExchangeInstallPath%\ExchangeOAB
  • IIS System Files: %SystemRoot%\System32\Inetsrv
  • Temporary Folder: same path where Eseutil.exe resides
  • Mailbox database temporary folder: %ExchangeInstallPath%\Mailbox\MDBTEMP
  • Any Exchange aware Anti-Virus Folders
  • Mailbox Server that is a member of a Database Availability Group (DAG): %Winnt%\Cluster
  • Witness Server directories (typically on the Hub Transport Server): \\%SystemDrive%:\DAGFileShareWitnesses\<DAGFQDN>

Hub Transport Server Role (Exclusion Type: File-Level)

  • Exclusion consolidated path: %ExchangeInstallPath%\TransportRoles\
  • Log Files: Message Tracking, Connectivity logs,…
    Default path: %ExchangeInstallPath%\TransportRoles\Logs
    Command to retrieve the location:
    Get-TransportServer <serverName> | Format-List *logpath*,*tracingpath*
  • Pickup and Replay directories
    Default path: %ExchangeInstallPath%\TransportRoles
    Command to retrieve the location:
    Get-TransportServer <serverName> | fl *dir*path*
  • Queue database, checkpoint and log files
    Default path: %ExchangeInstallPath%\TransportRoles\Data\Queue
  • Sender Reputation database, checkpoint, log files
    Default path: %ExchangeInstallPath%\TransportRoles\Data\SenderReputation
  • IP filter database, checkpoint, log files
    Default path: %ExchangeInstallPath%\TransportRoles\Data\IpFilter
  • Temporary Folders
    Exchange Server Temp folder: TMP
    OLE Conversions: %ExchangeInstallPath%\Working\OleConvertor
  • Any Exchange aware Anti-Virus Folders

Edge Transport Server Role (Exclusion Type: File-Level)

  • Exclusion consolidated path: %ExchangeInstallPath%\TransportRoles\
  • AD LDS log files
    Default: %ExchangeInstallpath%\TransportRoles\Data\ADAM
  • Pickup and Replay directories
    Default path: %ExchangeInstallPath%\TransportRoles
    Command to retrieve the location:
    Get-TransportServer <serverName> | fl *dir*path*
  • Queue database, checkpoint and log files
    Default path: %ExchangeInstallPath%\TransportRoles\Data\Queue
  • Sender Reputation database, checkpoint, log files
    Default path: %ExchangeInstallPath%\TransportRoles\Data\SenderReputation
  • IP filter database, checkpoint, log files
    Default path: %ExchangeInstallPath%\TransportRoles\Data\IpFilter
  • Temporary Folders
    Exchange Server Temp folder: TMP
    OLE Conversions: %ExchangeInstallPath%\Working\OleConvertor
  • Any Exchange aware Anti-Virus Folders

Client Access Server Role (Exclusion Type: File-Level)

  • Servers using IIS 7.0, temporary files: "%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files"
  • Servers using IIS 6.0, temporary files: "%SystemRoot%\IIS Temporary Compressed Files"
  • IIS System Files:
    %SystemRoot%\System32\Inetsrv
    InetPub\logs\logfiles\w3svc
  • Internet Related Sub Folders: %ExchangeInstallPath%\ClientAccess
  • Servers with POP3: %ExchangeInstallPath%\Logging\POP3
  • Servers with IMAP4: %ExchangeInstallPath%\Logging\IMAP4
  • Temporary Folders for Conversions:
    Exchange Server Temp folder: TMP
    %ExchangeInstallPath%\Working\OleConvertor

Unified Messaging Server Role (Exclusion Type: File-Level)

  • Grammar files for different locales: %ExchangeInstallPath%\UnifiedMessaging\grammars
  • Voice Prompts: %ExchangeInstallPath%\UnifiedMessaging\Prompts
  • VoiceMail Files: %ExchangeInstallPath%\UnifiedMessaging\Voicemail
  • Temporary Files: %ExchangeInstallPath%\UnifiedMessaging\temp

Forefront Protection for Exchange (Exclusion Type: File-Level)

  • Exclusion consolidated path: %Program Files%\Microsoft Forefront Security\Exchange Server
  • Forefront install folder
    Default: "%Program Files%\Microsoft Forefront Security\Exchange Server"
  • Archived Messages
    Default: "%Program Files%\Microsoft Forefront Security\Exchange Server\Data\Archive"
  • Quarantined files
    Default: "%Program Files%\Microsoft Forefront Security\Exchange Server\Data\Quarantine"
  • Antivirus Engine files
    Default: "%Program Files%\Microsoft Forefront Security\Exchange Server\Data\Engines\x86"
  • Configuration Files
    Default: %Program Files%\Microsoft Forefront Security\Exchange Server\Data
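One way to turn the wildcard queries from the directory list into a concrete exclusion list for a given server, so the scanner is blinded only to directories that server actually uses. This is an added example, not part of the original post; the function names Get-PathProperty and Get-ExchangeExclusionDirectory are hypothetical, and it is assumed to run in the Exchange Management Shell.

```powershell
# Added example, not from the original post. Read-only; PowerShell 2.0 compatible.
# Resolves the real directories behind the *path* queries shown in the list above.

function Get-PathProperty {
    param($InputObject, [string[]]$Like)
    # Return the non-empty value of every property whose name matches a pattern.
    foreach ($prop in $InputObject.PSObject.Properties) {
        foreach ($pattern in $Like) {
            if ($prop.Name -like $pattern -and $prop.Value) {
                New-Object PSObject -Property @{
                    Source = $prop.Name
                    Path   = [string]$prop.Value
                }
                break   # one match per property is enough
            }
        }
    }
}

function Get-ExchangeExclusionDirectory {
    param([string]$Server = $env:COMPUTERNAME)
    $found = @()

    # Mailbox role: same query as "Get-MailboxDatabase ... | format-list *path*".
    foreach ($db in @(Get-MailboxDatabase -Server $Server -ErrorAction SilentlyContinue)) {
        foreach ($p in @(Get-PathProperty $db '*path*')) {
            # The database path names a file; exclude its parent directory instead.
            if ($p.Path -like '*.edb') { $p.Path = Split-Path $p.Path -Parent }
            $found += $p
        }
    }

    # Transport roles: same wildcards as the Get-TransportServer queries above.
    $ts = Get-TransportServer $Server -ErrorAction SilentlyContinue
    if ($ts) {
        $found += @(Get-PathProperty $ts '*logpath*', '*tracingpath*', '*dir*path*')
    }

    # One row per distinct directory.
    $found | Sort-Object Path -Unique
}

Get-ExchangeExclusionDirectory | Format-Table Path, Source -AutoSize
```

Re-run it after moving a database or log path, and remove exclusions for directories that no longer appear in the output.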

 

Process Exclusions

Set these for all Server Roles (Exclusion Type: Process-Exclusion)

  • Cdb.exe
  • Cidaemon.exe
  • Cluster.exe
  • Dsamain.exe
  • EdgeCredentialSvc.exe
  • EdgeTransport.exe
  • ExFBA.exe
  • GalGrammarGenerator.exe
  • Inetinfo.exe
  • Mad.exe
  • Microsoft.Exchange.AddressBook.Service.exe
  • Microsoft.Exchange.AntispamUpdateSvc.exe
  • Microsoft.Exchange.ContentFilter.Wrapper.exe
  • Microsoft.Exchange.EdgeSyncSvc.exe
  • Microsoft.Exchange.Imap4.exe
  • Microsoft.Exchange.Imap4service.exe
  • Microsoft.Exchange.Infoworker.Assistants.exe
  • Microsoft.Exchange.Monitoring.exe
  • Microsoft.Exchange.Pop3.exe
  • Microsoft.Exchange.Pop3service.exe
  • Microsoft.Exchange.ProtectedServiceHost.exe
  • Microsoft.Exchange.RPCClientAccess.Service.exe
  • Microsoft.Exchange.Search.Exsearch.exe
  • Microsoft.Exchange.Servicehost.exe
  • MSExchangeASTopologyService.exe
  • MSExchangeFDS.exe
  • MSExchangeMailboxAssistants.exe
  • MSExchangeMailboxReplication.exe
  • MSExchangeMailSubmission.exe
  • MSExchangeRepl.exe
  • MSExchangeTransport.exe
  • MSExchangeTransportLogSearch.exe
  • MSExchangeThrottling.exe
  • Msftefd.exe
  • Msftesql.exe
  • OleConverter.exe
  • Powershell.exe
  • SESWorker.exe
  • SpeechService.exe
  • Store.exe
  • TranscodingService.exe
  • UmService.exe
  • UmWorkerProcess.exe
  • W3wp.exe

Forefront Protection for Exchange Server (Exclusion Type: Process-Exclusion)

  • Adonavsvc.exe
  • FscController.exe
  • FscDiag.exe
  • FscExec.exe
  • FscImc.exe
  • FscManualScanner.exe
  • FscMonitor.exe
  • FscRealtimeScanner.exe
  • FscStarter.exe
  • FscStatsServ.exe
  • FscTransportScanner.exe
  • FscUtility.exe
  • FsEmailPickup.exe
  • FssaClient.exe
  • GetEngineFiles.exe
  • PerfmonitorSetup.exe
  • ScanEngineTest.exe
  • SemSetup.exe