Tuesday, October 19, 2010

Exchange Server 2010 - Management Console Error

 

When you open the Exchange Management Console while logged on to an Exchange 2010 server, an error message appears. This error can be traced to one of two things: either the Exchange 2010 server really is having communication problems with the In-Site Domain Controllers, or there is profile corruption on the account you are using to log into the Exchange 2010 server. More often than not, the cause is corruption of the Exchange Management Console file in the profile.


Remediation Steps:



Verify Communication with Domain Controllers:

First, verify that the Exchange 2010 server is not receiving errors during MSExchange DSAccess suitability testing. This can be verified in the Application event log:

EventID:  2080
Source:  MSExchange ADAccess


If not all of your In-Site domain controllers are listed, or the suitability scores differ significantly from one another, investigate whether there are communication and/or replication issues with your DCs. If all looks good, move on to the profile corruption fix.

Profile corruption:

TO FIX:

1. Log into IOPMAIL01, navigate to the following location:
C:\Users\<Username>\AppData\Roaming\Microsoft\MMC\

2. Delete or rename the following file: “Exchange Management Console”

3. Log out and log back in. Open the Exchange Management Console and errors should be gone.

Wednesday, October 13, 2010

Exchange Server 2010 SP1 – SSLOffloading

 

If you will be leveraging a Hardware Load Balancer for your Exchange 2010 environment, some additional Exchange-specific settings must be modified to get this working, whether you are using PassThrough, SSLOffloading or ReverseSSL (aka SSLBridging).

  • System Requirements for this configuration:   EXCHANGE SERVER 2010 “SP1”

Options for Load Balancing Exchange 2010 CAS Servers using Hardware Load Balancer:

  • Pass Through


    • Simple and a very common deployment method
      • Configuration Requirements
        • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60 
  • Reverse SSL (aka SSL Bridging) ---  Recommended

    • More advanced configuration, and more advanced forms of loadbalancing available.
      • Benefits:
        • Secure communications end-to-end; no passwords in clear text between HLB and CAS
        • Less configuration required on Exchange 2010 than SSLOffloading below.
        • If your Exchange 2010 CAS are already configured, the only configuration remaining is to set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60
      • Disadvantages:
        • Does not offload encryption and decryption CPU processing from the CAS Servers.
           
  • SSLOffloading 

    (Note: the script at the end of this article will configure all of these parameters for you)


    • More advanced forms of loadbalancing available.   (This Article provides steps to configure)
      • Configuration Requirements
      • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
        "RpcTcpPort"="60001"
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
        "TCP/IP Port"=dword:0000ea60
    • Remove “Require SSL” from Default Website and All Exchange Virtual Directories on each CAS Server
    • Enable Outlook Anywhere, Set Authentication Basic and Set Outlook Anywhere SSLOffloading to TRUE
    • Set OWA for SSLOffloading

      New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD
    • Modify the web.config file for Autodiscover and EWS

      # Configure web.config files
      $path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
      (Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config
      $path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path
      (Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"}| Set-Content $path\web.config

 

Important
If you configure SSL offloading on an Exchange 2010 CAS server, all user passwords will be sent in clear between the HLB device(s) and the CAS servers, so it's important the traffic is sent over a secure network not accessible by malicious users. If the security policy within the organization states that all passwords should be sent in an encrypted form (even when occurring over a secure network), it's recommended to enable reverse SSL on the HLB device(s). In addition, it's recommended to enable reverse SSL, if the organization does not have a secure network in place between the HLB device(s) and the CAS servers or if there's no noticeable performance gain of offloading SSL to the HLB device(s) in the environment.

SCRIPT to Configure CAS for SSLOffloading

# This script will configure the Exchange 2010 Client Access Servers
# for Hardware loadBalancer with SSLOffloading enabled.
#
# System Requirements: EXCHANGE SERVER 2010 "SP1"
#
#
# Set registry key

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD

# Assign Static Port for MSExchangeAB

New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB' -Name Parameters

# RpcTcpPort is a string value and must differ from the MSExchangeRPC port below
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters' -Name RpcTcpPort -Value 60001 -PropertyType String

# Assign Static Port for MSExchangeRPC (0xea60 = 60000)

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem' -Name "TCP/IP Port" -PropertyType DWORD -Value 0xea60

# Disable RequireSSL on websites

& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Autodiscover" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/ecp" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/EWS" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Microsoft-Server-ActiveSync" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/owa" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/rpc" -commitPath:APPHOST -section:access -sslFlags:None

 

# Configure web.config files

$path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config

$path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path
(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config

# Configure Outlook Anywhere

$enabled = Get-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*"

If ($enabled)
{
    Set-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*" -SSLOffloading $true
}
Else
{
    Write-Host "Configure Outlook Anywhere and remember to check the box to enable SSL Offloading"
}

Write-Host -f Red "NOTE: Run `"iisreset /noforce`" to complete the process"
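
The following read-only audit is an added example, not part of the original script. It reports which of the settings above are in effect on the local CAS server, so you can confirm where the clear-text HLB-to-CAS segment described in the Important note exists. The helper name Get-RegValue and the output property names are made up for this example, and it assumes the Exchange Management Shell is loaded.

```powershell
# Added audit example; read-only. Run in the Exchange Management Shell on a CAS.
$appcmd = "$($env:windir)\system32\inetsrv\appcmd.exe"
$svc    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: return $null when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { $prop = $item.PSObject.Properties[$Name]; if ($prop) { $prop.Value } }
}

$abPort  = Get-RegValue "$svc\MSExchangeAB\Parameters" 'RpcTcpPort'
$rpcPort = Get-RegValue "$svc\MSExchangeRPC\ParametersSystem" 'TCP/IP Port'
$owa     = Get-RegValue "$svc\MSExchange OWA" 'SSLOffloaded'

# Virtual directories the script above sets to sslFlags:None.
$vdirs = 'Default Web Site', 'Default Web Site/Autodiscover', 'Default Web Site/ecp',
         'Default Web Site/EWS', 'Default Web Site/Microsoft-Server-ActiveSync',
         'Default Web Site/owa', 'Default Web Site/rpc'
$plainVdirs = @(foreach ($v in $vdirs) {
    $xml = (& $appcmd list config $v -section:access) -join "`n"
    # Assumption: an omitted sslFlags attribute means the IIS default, None.
    $flags = if ($xml -match 'sslFlags="([^"]*)"') { $Matches[1] } else { 'None' }
    if ($flags -notmatch 'Ssl') { $v }
})

# web.config files with no httpsTransport left, the state the -replace produces.
$dirs = (Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME).Path,
        (Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME).Path
$httpConfigs = @($dirs | Where-Object {
    -not (Select-String -Path "$_\web.config" -Pattern 'httpsTransport' -Quiet) })

$oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME

New-Object PSObject -Property @{
    Server                 = $env:COMPUTERNAME
    AddressBookPort        = $abPort
    RpcClientAccessPort    = $rpcPort
    StaticPortsCollide     = ($abPort -and $rpcPort -and ([int]$abPort -eq [int]$rpcPort))
    OwaSslOffloaded        = ($owa -eq 1)
    OutlookAnywhereOffload = [bool]($oa -and $oa.SSLOffloading)
    VdirsWithoutRequireSsl = $plainVdirs -join '; '
    HttpTransportConfigs   = $httpConfigs -join '; '
    # Per the Important note: either condition means passwords cross HLB -> CAS in clear.
    ClearTextSegment       = ($owa -eq 1) -or ($plainVdirs.Count -gt 0)
}
```

Run it on each CAS behind the load balancer; a server that reports ClearTextSegment as True should sit only on the secured network segment the Important note calls for.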

Monday, October 11, 2010

Exchange 2010 SP1 Upgrade Install Issues

 

Installation of Exchange 2010 SP1 Upgrade results in “AuthorizationManager CheckFailed” error, and Exchange is uninstalled.

 Culprit:   Powershell Execution Policy.  Round 3 below describes the remediation steps.   The other rounds merely prove that multiple solutions published over the Internet did not fix this issue.

The Error:

My first installation of the Exchange 2010 SP1 upgrade on my existing Exchange 2010 Client Access Server was a complete failure.  Following AD prep and prerequisite checks/installs, I proceeded with the upgrade, and during the Preparing Files section of the install I received the “AuthorizationManager Check Failed” message.


After clicking FINISH on the installation wizard, I noticed that Exchange 2010 no longer existed on that server.  The Removing Exchange files is actually the step prior to “Preparing Files”, isn't that lovely.  Fortunately, I always snapshot my servers prior to Rollup and Service Pack installation, so I was able to rollback and try pass number two. 

Failed Remediation Attempts

Below are the various FAILED remediation steps I took to try and get through this upgrade successfully.  You will see some of these scattered around the Internet.  None of them worked for me.  The solution at the end of this article is the real deal, and fixed my problem.

  • Tried uninstalling previous rollups (Had Rollup 4 installed) – Upgrade failed
  • Changing Execution policy to unrestricted as well as Bypass (local machine policy only) – Upgrade failed.
  • Disabled UAC – Upgrade failed
  • Downloaded installation (upgrade) exe set to “UNBLOCK” before execution. – Upgrade failed
  • Set within IE (Internet Options \ Advanced \ Security)  - Upgrade failed
  • All inclusive settings from above – Upgrade failed.

 

The Solution (Successful): 

1.  Download Ex2010 SP1 from the Internet onto the machine on which you are installing SP1.  Following file download, Right Click the exe file > Properties >  “UNBLOCK”.  Extract the file to a location on the local system.
Note: The download was only executed on the first Exchange 2010 server I upgraded.  I copied the files over to the other Exchange 2010 servers I upgraded.

2. Download and Install any prerequisites required for the SP1 installation.

3. Open PowerShell and check the ExecutionPolicy for that server.  Be sure to check the ExecutionPolicy using the Get-ExecutionPolicy -List command.  If you merely run the Get-ExecutionPolicy command, only the LocalMachine execution policy will be displayed.

If the execution policy differs from the image below, in particular if the Machine and User Policy settings are set to anything other than “UNDEFINED”, check what is applying the settings.  It could be either Local Policy or Domain Policy (GPO).

The image below lists the desired settings:

To verify a GPO applying the settings, perform the following:

  1. Open a command window with extended rights (“Run as administrator”).
  2. At the command prompt, type and then press ENTER:

    gpresult /z > PolicySettings.txt
  3. Open the file PolicySettings.txt in Notepad and Search for the following entry in the list:


    Note where in the Group Policy hierarchy that this entry resides. Repeat this step to determine whether there are other entries that reference "PowerShell."
  4. If Enabled, modify the GPO setting this value to “Not Configured”.
  5. Perform a GPUPDATE /force on the Exchange server on which you are installing SP1 and verify that the policy is no longer applied.
  6. Verify the ExecutionPolicy settings again as above.  Once they look like the desired settings, proceed with the installation.
    From PowerShell:   Get-ExecutionPolicy -List
  7. Once the settings look good, proceed with the upgrade installation.   Be sure to run the installation with elevated privileges.  I normally open a command prompt (Run As Administrator), navigate to the installation directory and execute the installation.
  8. This procedure was successful and consistent across all my Exchange 2010 servers

Of course, if an AD DS Group Policy was the culprit, once you have fixed the policy the fix should apply (verify though) to the remainder of the Exchange servers.
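
The check from step 3 can be run as a preflight on each server before starting setup. This is an added example, not part of the original post; the function name Test-SetupExecutionPolicy and its output properties are made up here, and the two registry paths are the standard locations where Group Policy stores the PowerShell execution policy.

```powershell
# Added preflight example; read-only and compatible with PowerShell 2.0.
function Test-SetupExecutionPolicy {
    $gpoScopes = 'MachinePolicy', 'UserPolicy'
    $list = Get-ExecutionPolicy -List

    # Scopes that only Group Policy (local or domain) can set.
    $enforced = @($list | Where-Object {
        ($gpoScopes -contains $_.Scope.ToString()) -and
        ($_.ExecutionPolicy.ToString() -ne 'Undefined') })

    # Registry locations the two policy scopes are read from.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $regHits = @(foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $p.PSObject.Properties['ExecutionPolicy']) {
            New-Object PSObject -Property @{ Key = $k; ExecutionPolicy = $p.ExecutionPolicy }
        }
    })

    New-Object PSObject -Property @{
        AllScopes      = $list
        EnforcedScopes = $enforced
        PolicyKeys     = $regHits
        # The desired state on this page: Machine and User Policy both Undefined.
        ReadyForSetup  = ($enforced.Count -eq 0)
    }
}

$check = Test-SetupExecutionPolicy
$check.AllScopes | Format-Table Scope, ExecutionPolicy -AutoSize
if (-not $check.ReadyForSetup) {
    $check.EnforcedScopes | ForEach-Object {
        Write-Warning "$($_.Scope) is set to $($_.ExecutionPolicy); run gpresult /z to find the source GPO." }
    $check.PolicyKeys | Format-Table Key, ExecutionPolicy -AutoSize
}
```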

Wednesday, October 6, 2010

Cannot Activate Database Copy: Content Index Catalog Files in Failed State

 

 

When activating a database copy in an Exchange Server 2010 Database Availability Group it may fail with an error message that catalog index files are in a failed state.


 

When you view the copy status of the mailbox database the content index is in a failed state.

[PS] C:\>Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\EX1
ContentIndexState : Failed

Name : Mailbox Database 02\EX1
ContentIndexState : Healthy


To resolve the issue update the content index on the server on which it has failed.



[PS] C:\>Update-MailboxDatabaseCopy "Mailbox Database 01\EX1" -CatalogOnly


The content index should now be in a healthy state.



[PS] C:\>Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\EX1
ContentIndexState : Healthy

Name : Mailbox Database 02\EX1
ContentIndexState : Healthy


After the content index is healthy you can attempt to activate the database copy again.