Exchange 2010: Setting Static RPC ports when using a Kemp LoadMaster

When you use a Kemp LoadMaster to load balance Exchange 2010, you need to set static RPC ports.

By default Windows Server 2008 and 2008 R2 are configured with a dynamic RPC range of 49152-65535 for outbound connections. When the Exchange 2010 Client Access server role is installed on Windows Server 2008 or 2008 R2, the dynamic RPC port range is changed to 6005-59530 and the highest usable port number is set to 60554.

Exchange 2010 RPC Client Access Service

By default the RPC Client Access service on an Exchange 2010 Client Access server uses the TCP End Point Mapper port (TCP/135) and the dynamic RPC port range (6005-59530) for outgoing connections every time an Outlook client establishes a connection to Exchange.

To set a static port for the RPC Client Access service on an Exchange 2010 Client Access server, you need to open the registry on the respective server and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC

Here, you need to create a new key named ParametersSystem, and under this key create a REG_DWORD named TCP/IP Port. The value of the DWORD should be the port number you want to use.

Configuring static ports for the RPC Client Access service

RPC.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
"TCP/IP Port"=dword:0000e88c

Note

Microsoft recommends you set this to a unique value between 59531 and 60554 and use the same value on all CAS in any one AD site.

When you’ve configured the port, you must restart the Microsoft Exchange RPC Client Access service for the change to take effect.

Exchange 2010 Address Book Service

To set a static RPC port for the Exchange Address Book Service, create a new REG_SZ value named “RpcTcpPort” under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters

RPCAB.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
"RpcTcpPort"="59533"

Microsoft recommends you set this to a unique value between 59531 and 60554 and use the same value on all Exchange 2010 Client Access servers in any one AD site.

When you’ve configured the port, you must restart the Microsoft Exchange Address Book service for the change to take effect.

Exchange 2010 Public Folder connections

By default public folder connections use the TCP End Point Mapper (TCP/135) and the dynamic RPC port range (49152-65535) for outgoing connections every time an Outlook client establishes a connection to Exchange.

To set a static port for public folder connections, follow the same steps as those required for configuring static ports for the RPC CA service. Just bear in mind you need to perform them on the Exchange 2010 servers that store public folder databases. This is because public folder connections from an Outlook client occur against the RPC Client Access service on the Mailbox server role.

Verifying the Statically Configured Ports are used

In order to verify that the static ports configured are used, the netstat.exe tool can be used:

Netstat -an -p tcp

Verifying the configured static ports are used on the Client Access and Mailbox servers
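The registry changes, service restarts and netstat check described above, put together as one script. This is an added example and not code from the original post; it assumes it runs in an elevated PowerShell on the Client Access server itself, and 59532/59533 are sample ports inside Microsoft's recommended range.

```powershell
# Added example, not from the original post: apply the two static-port settings
# described above on the local Exchange 2010 Client Access server and verify them.
# Assumptions: run in an elevated PowerShell on the CAS; 59532/59533 are sample
# values inside Microsoft's recommended range (59531-60554). Restarting the two
# services disconnects Outlook clients using this CAS, so do it in a change window.
$RpcPort = 59532   # REG_DWORD "TCP/IP Port"; 59532 = 0xE88C as in RPC.reg above
$AbPort  = 59533   # REG_SZ "RpcTcpPort", as in RPCAB.reg above

$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem'
$abKey  = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters'

# Refuse ports outside the recommended range: anything lower may collide with the
# dynamic RPC range (6005-59530) the CAS role configures for itself.
foreach ($p in @($RpcPort, $AbPort)) {
    if ($p -lt 59531 -or $p -gt 60554) { throw "Port $p is outside 59531-60554" }
}

# RPC Client Access: the ParametersSystem key does not exist until you create it.
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $RpcPort -Force | Out-Null

# Address Book service: this one is a string value (REG_SZ), not a DWORD.
if (-not (Test-Path $abKey)) { New-Item -Path $abKey -Force | Out-Null }
New-ItemProperty -Path $abKey -Name 'RpcTcpPort' -PropertyType String `
    -Value "$AbPort" -Force | Out-Null

# Both services read the registry only at start-up.
Restart-Service -Name MSExchangeRPC -Force
Restart-Service -Name MSExchangeAB -Force

# Verification: the same "netstat -an -p tcp" as above, but parsed. Collect the
# local port of every LISTENING IPv4 TCP socket and check ours are among them.
$listening = netstat -an -p tcp |
    Where-Object { $_ -match 'LISTENING' } |
    ForEach-Object { ($_.Trim() -split '\s+')[1] } |   # local address, e.g. 0.0.0.0:59532
    ForEach-Object { [int]($_ -split ':')[-1] } |
    Sort-Object -Unique

foreach ($p in @($RpcPort, $AbPort)) {
    if ($listening -contains $p) { Write-Host "OK: listening on TCP/$p" }
    else { Write-Warning "Nothing is listening on TCP/$p; check the service started" }
}
```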
In my next blog post I will show how to configure a Kemp LoadMaster.

Reference:
Link: Configure Static RPC Ports on an Exchange 2010 Client Access Server

Exchange 2010 DAG Maintenance

When you need to perform maintenance on DAG nodes, here is the process to go through. In my environment I have two nodes in a DAG; for more nodes the same process applies.

All the commands below are run in an administrative Exchange PowerShell prompt.

First type cd $exscripts and press Enter.

Now you are in the Exchange Scripts folder.

Exchange Node 1:
 
Process for running maintenance on exchange database servers
.\StartDagServerMaintenance.ps1 -ServerName <Dag Node 1>

Run maintenance on <Dag Node 1>

When you are finished on Node 1
.\StopDagServerMaintenance.ps1 -ServerName <Dag Node 1>

Exchange Node 2:
.\StartDagServerMaintenance.ps1 -ServerName <Dag Node 2>

run maintenance on <Dag Node 2>

When you are finished on Node 2
.\StopDagServerMaintenance.ps1 -ServerName <Dag Node 2>

When done performing maintenance on one or multiple servers (hopefully one at a time to maintain full database availability for end users!) you can end up with a sub-optimal active database layout, especially if you have a cross-site DAG. To resolve this you have to rebalance the databases based on the priorities set for them upon creation.
 
Rebalance databases across the DAG
.\RedistributeActiveDatabases.ps1 -DagName <Your DAG Name> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution -Confirm:$false

If you get any errors you may have to re-index the search catalog for the passive database. Rather than hunting down which ones need to be fixed you can just fix them all with the custom script I wrote below (or for only the mail servers with issues). When finished running these commands then try to run the maintenance or rebalance scripts again.
 
Fix/Rebuild Search Catalogs
Get-MailboxDatabaseCopyStatus -Server <Dag Node 1> | where {$_.Status -like "Healthy"} | Update-MailboxDatabaseCopy -CatalogOnly

Get-MailboxDatabaseCopyStatus -Server <Dag Node 2> | where {$_.Status -like "Healthy"} | Update-MailboxDatabaseCopy -catalogonly
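The same Start/Stop/Redistribute sequence for one node, with the health checks an operator would want around it and a catalog rebuild narrowed to copies whose content index is actually unhealthy. This is an added example, not the author's script; it assumes the Exchange 2010 Management Shell with $exscripts as the current directory, and NODE1/DAG1 are placeholders.

```powershell
# Added example, not the author's script: wraps the Start/Stop/Redistribute steps
# above for one DAG node with health checks before and after, and narrows the
# catalog rebuild to copies whose content index is actually unhealthy.
# Assumptions: Exchange 2010 Management Shell, current directory is $exscripts;
# NODE1 and DAG1 are placeholders for your server and DAG names.
param(
    [string]$Node = 'NODE1',   # placeholder
    [string]$Dag  = 'DAG1'     # placeholder
)

function Get-UnhealthyCopies {
    # Copies on $Server that are neither Healthy nor Mounted, or whose index is bad
    param([string]$Server)
    Get-MailboxDatabaseCopyStatus -Server $Server | Where-Object {
        (@('Healthy', 'Mounted') -notcontains $_.Status) -or
        ($_.ContentIndexState -ne 'Healthy')
    }
}

function Repair-Catalogs {
    # Same idea as the "Fix/Rebuild Search Catalogs" command above, but only for
    # passive (Healthy) copies whose content index is not Healthy.
    param([string]$Server)
    Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $_.Status -eq 'Healthy' -and $_.ContentIndexState -ne 'Healthy' } |
        Update-MailboxDatabaseCopy -CatalogOnly -Confirm:$false
}

# 1. Pre-check: do not drain a node whose copies are already broken, because
#    StartDagServerMaintenance.ps1 will try to activate copies elsewhere.
$bad = @(Get-UnhealthyCopies -Server $Node)
if ($bad.Count -gt 0) {
    $bad | Format-Table Name, Status, ContentIndexState -AutoSize
    throw "Fix the copies above (Repair-Catalogs -Server $Node) before maintenance."
}

# 2. Drain the node with the same script as in the post.
.\StartDagServerMaintenance.ps1 -serverName $Node

# 3. Confirm nothing is still active on this node before touching it.
$active = @(Get-MailboxDatabaseCopyStatus -Server $Node | Where-Object { $_.Status -eq 'Mounted' })
if ($active.Count -gt 0) {
    $names = ($active | ForEach-Object { $_.Name }) -join ', '
    throw "Databases still mounted on ${Node}: $names"
}
Write-Host "$Node is drained. Perform the maintenance now, then press Enter."
Read-Host | Out-Null

# 4. Put the node back and rebalance by activation preference (as in the post).
.\StopDagServerMaintenance.ps1 -serverName $Node
.\RedistributeActiveDatabases.ps1 -DagName $Dag -BalanceDbsByActivationPreference `
    -ShowFinalDatabaseDistribution -Confirm:$false

# 5. Post-check: queues should drain to zero and every index should be Healthy.
Get-MailboxDatabaseCopyStatus -Server $Node |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize
```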

Enable TPM devices on HP laptops through MDT

Yes, it can be done and it is pretty simple too. Here is what you need and how you should do it. Basically, the only things you need are “BiosConfigUtility.EXE” and a text file with settings in it; add that to the TS and it will work like a charm 🙂

Step One – Get the utility

The utility is part of HP’s SSM (SP49507). SSM stands for “HP System Software Manager” and the version I have been playing with is 2.14 Rev A. Download it from ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe and, if you need to see whether your PC is in the supported list, check ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.html

Step Two – Create the file

The file must be named TPMEnable.REPSET. In every section of the file there is a *, which marks the default value that will be pushed into the BIOS.

Step Three – Create a Command and verify that it works

Now, be a bit careful: TPM is a security device and if you lock yourself out, it could be “tricky” to get back in, so now you have been notified at least. We need a command to set all this and also to set a BIOS password, and here it is:

BIOSConfigUtility /SetConfig:TPMEnable.REPSET /NewAdminPassword:"Password1"

So, if you put BIOSConfigUtility.exe and TPMEnable.REPSET in the same folder, run the command (elevated) with a password that is better than mine, and then reboot the machine, you will see that it enables the TPM chip, and now you can just enable BitLocker on the machine.

Step Four – Getting stuff into the TS

Now, this can be done in different ways: a script, a batch file or an MDT Application. The reason I use an application is very simple. When I work at customers I create a lot of “things”; if they are applications, they are pretty easy to copy inside the Deployment Workbench, from my personal deployment share to the customer’s and vice versa. I like drag and drop, it makes life more…relaxed…:-) Another point: if they are applications, you can use “MandatoryApplications001=” in CS.ini.

So this is how it looks in my Task Sequence


(No, sorry, my password for TPM is not 111-something, trust my…)

Now when I have the application I can open my Task Sequence and modify that like this:


In the first picture you can see that I have added the application called “CUSTOM – Hewlett-Packard – BIOS Configuration” and in the other picture you can see that I have one condition to run this and that is same condition as the task “Enable Bitlocker” has.

So, that was pretty easy, right 🙂

Step Five – some more things…

Configure BitLocker:


These are my settings (also the defaults).

Just one small thing: modify/set BDEKeyLocation= to something, otherwise the key file ends up locally on the C: drive…:-)

Rollup 6 for Exchange Server 2007 SP3

Earlier today the Exchange team released Update Rollup 6 for Exchange Server 2007 SP3.

The following list calls out the most important fixes included in this release:

22656040 An Exchange Server 2007 Client Access server may respond slowly or stop responding when users try to synchronize the Exchange ActiveSync devices with their mailboxes

2498852 "0x80041606" error message when you perform a prefix search by using Outlook in online mode in an Exchange Server 2007 environment

22653334 The reseed process is unsuccessful on the SCR passive node when the circular logging feature is enabled in an Exchange Server 2007 environment

22617784 Journal reports are expired or lost when the Microsoft Exchange Transport service is restarted in an Exchange Server 2007 environment

2289607 The week numbers displayed in OWA do not match the week numbers displayed in Outlook for English users and French users in an Exchange Server 2007 environment

For the complete list check HERE
General Notes:

Note for Forefront Protection for Exchange users: if you run Forefront Protection for Exchange, be sure you perform these steps from the command line in the Forefront directory before and after this rollup’s installation. Without these steps, the Exchange Information Store and Transport services will not start after you apply this update. Before installing the update, disable Forefront with this command: fscutility /disable. After installing the update, re-enable Forefront by running fscutility /enable.

Setup KMS Server for Windows Server 2008 R2 or Windows 7

Open the command prompt and run the following command:

cscript C:\Windows\System32\slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

Replace xxxxx-xxxxx-xxxxx-xxxxx-xxxxx with the KMS host product key for Windows Server 2008 R2; this host can also activate Windows 7. The following text appears when the command succeeds.

Microsoft ® Windows Script Host Version 5.7
Copyright © Microsoft Corporation. All rights reserved.
Installed product key xxxxx-xxxxx-xxxxx-xxxxx-xxxxx successfully.
The installation of the KMS server is complete. The server listens on port 1688, which must be opened in the firewall. To change the port, the following command can be used:

slmgr.vbs /sprt xxxx
Once the firewall is open and the key is installed, the KMS server service has to be restarted. Do this by using the following command:

net stop slsvc & net start slsvc

To check whether the KMS host has registered itself correctly in DNS, run the following command:

nslookup -type=srv _vlmcs._tcp

Here, the following output should appear:

_vlmcs._tcp.test.local SRV service location:
priority = 0
weight = 0
port = 1688
svr hostname = kms.wardvissers.local
internet address = 192.168.150.7 kms.wardvissers.local

Clients / Servers

Clients and servers that need to connect to the KMS host find it automatically through DNS. If a client or server was activated with a MAK key, it has to be switched back to a KMS client key. These keys are published by Microsoft. Once a KMS client key is set, the client or server automatically looks for a KMS host; if none is present, the client or server will not activate.

KMS client keys:

Windows 7 Enterprise: 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
Windows Server 2008 Standard: TM24T-X9RMF-VWXK6-X8JC9-BFGM2
Windows Server 2008 Enterprise: YQGMW-MPWTJ-34KDK-48M3W-X4Q6V
Windows Server 2008 R2 Standard: YC6KT-GKW9T-YTKYR-T4X34-R7VHC
Windows Server 2008 R2 Enterprise: 489J6-VHDMP-X63PK-3K798-CPX3Y

With the following command the key can be changed from MAK to KMS, where xxxxx-xxxxx-xxxxx-xxxxx-xxxxx is one of the keys above:

slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
Note: to force the client to activate right away, run the following command on the client:
slmgr.vbs /ato

It can happen that the KMS server returns an error message. This is because a KMS host only starts activating once it has counted 25 clients (or 5 servers).

You can find here the list with error codes & solutions: http://support.microsoft.com/kb/938450

Special thanks to: Harm Hoekstra

Public Folder Migration from Exchange 2003 or 2007 to Exchange 2010

Step 1: Replicating Exchange 2003 or 2007 PFs to Exchange 2010

Add PF replicas to an Exchange 2010 server:

.\AddReplicaToPFRecursive.ps1 -server "Exchange 2003/2007 Server" -TopPublicFolder "\" -ServerToAdd "Exchange 2010 Server"

Replicate the System Folders to an Exchange 2010 Server:

.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_Subtree" -ServerToAdd "Exchange 2010 Server"

If you are planning to have multiple Exchange 2010 PF servers, you can repeat the Cmdlet

From the Exchange 2010 server: Update-PublicFolderHierarchy -Server "Exchange 2010 Server"

Step 2: Moving Exchange 2003/2007 PF’s to Exchange 2010

As a last step, after you have confirmed that all the PFs have been replicated to Exchange 2010, you can move all replicas from Exchange 2003/2007 to Exchange 2010. The "move all replicas" step will actually remove the Exchange 2003/2007 replicas.

To move all Exchange 2003/2007 replicas to Exchange 2010, which will actually remove the Exchange 2003/2007 replicas:

.\MoveAllReplicas.ps1 -Server "Exchange 2003 Server" -NewServer "Exchange 2010 Server"

Additional Cmdlets

To view a list of the replicas in the public folder hierarchy: Get-PublicFolder -recurse |fl name,replicas

For System Folders: Get-PublicFolder -recurse \non_ipm_subtree |fl name, replicas

To compare content replicated between the source and destination servers: Get-PublicFolderStatistics
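A pre-flight check for Step 2 built from the cmdlets listed above: it verifies that every folder in both trees already lists the Exchange 2010 public folder database as a replica and that item counts match before MoveAllReplicas.ps1 removes the old replicas. This is an added example, not part of the original post; OLDPF and NEWPF are placeholder server names, and the item-count comparison assumes a source server the Exchange 2010 shell can query (Exchange 2007).

```powershell
# Added example, not part of the original post: before MoveAllReplicas.ps1 removes
# the old replicas, confirm that every folder (IPM and system tree) already lists
# the Exchange 2010 public folder database as a replica and that item counts match,
# using the Get-PublicFolder and Get-PublicFolderStatistics cmdlets listed above.
# Assumptions: Exchange 2010 Management Shell; OLDPF/NEWPF are placeholder server
# names; the item-count comparison needs a source the 2010 shell can query (2007).
$Source = 'OLDPF'   # placeholder: Exchange 2007 public folder server
$Target = 'NEWPF'   # placeholder: Exchange 2010 public folder server
$targetDb = (Get-PublicFolderDatabase -Server $Target).Name

function Get-FoldersMissingReplica {
    # Replicas holds database identities, so compare against the 2010 database name
    $folders = @(Get-PublicFolder '\' -Recurse -Server $Target -ResultSize Unlimited) +
               @(Get-PublicFolder '\NON_IPM_SUBTREE' -Recurse -Server $Target -ResultSize Unlimited)
    $folders | Where-Object {
        $names = @($_.Replicas | ForEach-Object { "$_" })
        -not ($names -like "*$targetDb*")
    }
}

function Compare-FolderItemCounts {
    # Folders whose ItemCount differs between the two servers; a difference usually
    # means content replication has not caught up yet.
    $src = @{}
    Get-PublicFolderStatistics -Server $Source -ResultSize Unlimited |
        ForEach-Object { $src["$($_.FolderPath)"] = $_.ItemCount }
    Get-PublicFolderStatistics -Server $Target -ResultSize Unlimited | ForEach-Object {
        $path = "$($_.FolderPath)"
        if ($src.ContainsKey($path) -and $src[$path] -ne $_.ItemCount) {
            New-Object PSObject -Property @{
                Folder = $path; SourceItems = $src[$path]; TargetItems = $_.ItemCount
            }
        }
    }
}

$missing = @(Get-FoldersMissingReplica)
$diff    = @(Compare-FolderItemCounts)

if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) folder(s) have no replica on $targetDb yet:"
    $missing | Format-Table Identity -AutoSize
}
if ($diff.Count -gt 0) {
    Write-Warning "$($diff.Count) folder(s) still differ in item count:"
    $diff | Format-Table Folder, SourceItems, TargetItems -AutoSize
}
if ($missing.Count -eq 0 -and $diff.Count -eq 0) {
    Write-Host "All folders replicated and in sync; safe to run:"
    Write-Host ".\MoveAllReplicas.ps1 -Server $Source -NewServer $Target"
}
```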

Reference

Move Public Folder Content from One Public Folder Database to Another Public Folder Database – http://technet.microsoft.com/en-us/library/bb331970.aspx

Exchange 2010 Outlook Mobile Update

This guide was created to help you deploy the new Outlook Mobile update for the Windows Mobile 6.1 devices that connect to your Exchange 2010 servers. This guide focuses on Microsoft Exchange Server 2010 RTM & SP1 & SP2 and Windows Mobile 6.1, and covers the following topics:

· Overview

· How to configure your Exchange 2010 for the Outlook Mobile update

· Details about the Outlook Mobile update

· How to get support for Outlook Mobile updates

· How to subscribe for future updates

Overview

First, we’ll review the overall update experience that’s built into Exchange 2010.


As part of the Outlook Mobile update, users will receive an update notification in an e-mail message in their Inbox. The purpose of this message is to inform them that there’s an Outlook Mobile update for their phone.

The message will instruct the user to click an inline link. This prompts the phone to download the Initial Setup CAB. After the Initial Setup CAB is installed, it will check for available updates specific to the user’s device type.

Next, if an Outlook Mobile update is available, it will be downloaded and installed. The user will receive a notification message that tells them they need to restart their device. After the device is restarted, it will resynchronize the data (e-mail, calendar, contacts, and tasks) with the Exchange server so it will be compatible with the new format of Exchange Server 2010. After that synchronization is complete, the user will be ready to experience the new features in the Outlook Mobile update.

How to Configure Your Exchange 2010 Server for the Outlook Mobile Update

Now that you understand the tasks that the Outlook Mobile update performs, we’ll cover how to configure your Exchange server so that your users who have Windows Mobile 6.1 devices will receive the update notification e-mail message.

How to determine whether a user will receive the update notification e-mail message

The update notification e-mail message will be sent to the user’s device if the following conditions are true:

· The user’s mailbox is on a server running Exchange Server 2010.

· The Exchange ActiveSync mailbox policy parameter AllowMobileOTAUpdate is set to $True.

· The Windows Mobile OS version is 6.1. To check which version the device is running, from the Help About screen, look for the OS and Windows Mobile 6.1 build number (Start > Settings > System > About). You should see Windows OS = “Windows CE 5.2”, and the Windows mobile build should be between 19202 and 21142.

AllowMobileOTAUpdate

The AllowMobileOTAUpdate setting is one of the standard Exchange ActiveSync mailbox policy settings. This is the main setting that determines whether the update notification e-mail message is sent to the device.

The default value for the AllowMobileOTAUpdate parameter is enabled ($True). To confirm that your Exchange ActiveSync mailbox policy has this setting enabled, follow these steps:

1. Check which policy the user is assigned to by running the following command.

Get-CasMailbox <user> | fl ActiveSyncMailboxPolicy

In the preceding example, the result is the following.

ActiveSyncMailboxPolicy : Default

2. Check that the policy returned in the preceding step has the AllowMobileOTAUpdate setting enabled by running the following command.

Get-ActiveSyncMailboxPolicy Default | fl AllowMobileOTAUpdate

If the AllowMobileOTAUpdate setting is set to $True, the following will be returned.

AllowMobileOTAUpdate : True
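The two checks above done for every mailbox at once: resolve each CAS mailbox's ActiveSync policy, look up that policy's AllowMobileOTAUpdate value, and list the users who will not receive the notification. This is an added example, not from the original guide; it assumes the Exchange 2010 Management Shell and does not check the first condition (mailbox on Exchange 2010).

```powershell
# Added example, not from the original guide: instead of checking one user at a time
# with the two commands above, resolve every CAS mailbox's ActiveSync policy and that
# policy's AllowMobileOTAUpdate value, and list the users who will NOT receive the
# notification. Assumptions: Exchange 2010 Management Shell; mailboxes are assumed
# to be on Exchange 2010 (the guide's first condition is not checked here).
function Get-OtaNotificationReport {
    # Policy name -> AllowMobileOTAUpdate, looked up once rather than per user
    $otaByPolicy = @{}
    Get-ActiveSyncMailboxPolicy | ForEach-Object {
        $otaByPolicy[$_.Name] = [bool]$_.AllowMobileOTAUpdate
    }

    Get-CasMailbox -ResultSize Unlimited | ForEach-Object {
        $policyName = '(none assigned)'
        $ota = $null
        if ($_.ActiveSyncMailboxPolicy) {
            $policyName = $_.ActiveSyncMailboxPolicy.Name
            if ($otaByPolicy.ContainsKey($policyName)) { $ota = $otaByPolicy[$policyName] }
        }
        New-Object PSObject -Property @{
            User                 = $_.Name
            ActiveSyncEnabled    = $_.ActiveSyncEnabled
            Policy               = $policyName
            AllowMobileOTAUpdate = $ota
            # The device only gets the e-mail if EAS is enabled and the policy allows OTA
            WillBeNotified       = ($_.ActiveSyncEnabled -and $ota -eq $true)
        }
    }
}

$report   = @(Get-OtaNotificationReport)
$notified = @($report | Where-Object { $_.WillBeNotified })

"$($notified.Count) of $($report.Count) CAS mailboxes will receive the update notification"
$report | Where-Object { -not $_.WillBeNotified } |
    Format-Table User, ActiveSyncEnabled, Policy, AllowMobileOTAUpdate -AutoSize
```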

Details About the Outlook Mobile Update

The following section covers the end user experience for the Outlook Mobile update. The update notification e-mail message the user receives will look like this.


The user can click the first link in the message to start the download. This downloads the initial setup CAB, which is necessary to find the appropriate Outlook Mobile update for that user’s device.

Next, the user will see a URL Confirmation page that informs them that they’re being taken to a Web site. The user should click Yes to continue. Clicking No will cancel the update process.


After the file begins downloading, the user will be asked if they want to open the file, save it to a location, or click Cancel. The user should click Yes to continue opening the file, making sure that the open file after download box is selected.


The next screen they’ll see is the progress bar that shows that the initial setup CAB is being downloaded and installed.


The initial setup CAB finds the appropriate Outlook Mobile update for the user’s specific device. After the initial setup CAB is installed, it connects to the Outlook Mobile Update Service to find the update. If an update is found, the user will be asked if they want to download the Outlook Mobile update. The user should select Yes to download and install the update.


After the Outlook Mobile update has been installed, the user needs to restart their device to ensure that all new Outlook Mobile files loaded correctly.


After the user restarts their device, they’re presented with a warning message that informs them that they need to resynchronize their data with Exchange. This is necessary because the existing format of the synchronized data isn’t compatible with the new features built into Exchange Server 2010. The user should click Yes in this warning message box.


Occasionally, a user may see the following error, which can appear when the resynchronization hasn’t yet occurred. The user will need to manually resync their data with Exchange.


How to Subscribe for Future Updates

There may be updates available for your users’ Windows Mobile 6.1 phones in the future. The Outlook Mobile update package will ask users if they would like Outlook Mobile to automatically check for updates on a regular schedule. Users should click Yes to automatically check for updates and receive notification when new updates are available.


Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Microsoft released Rollup 1 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

Issues that are fixed in this rollup package:

2654016 A client may be unsuccessful in accessing a Java SSO application published to the web in a Threat Management Gateway 2010 environment

2653703 You receive an "Error: Subreport could not be shown" error message in the User Activity or Site Activity report in a Forefront Threat Management Gateway 2010 environment

2654585 UDP packets may become backlogged when you increase the "Maximum concurrent UDP sessions per IP address" setting in a Forefront Threat Management Gateway 2010 environment

2624178 Threat Management Gateway 2010 administrators may be unable to generate reports

2636183 Both sides of a TCP connection are closed when the client or remote application half-closes the TCP connection in a Forefront Threat Management Gateway 2010 environment

2653669 Summary information for the Top Overridden URLs table and for the Top Rule Override Users table display incorrect information in a Forefront Threat Management Gateway 2010 environment

2617060 Forefront TMG 2010 enables L2TP site-to-site connections in RRAS

2655951 Japanese characters in the subject line of an Alert email message are not readable in the Japanese version of Forefront Threat Management Gateway 2010

2654068 "The Web Listener is not configured to use SSL" warning message may occur when you configure a Web Listener to use a valid SSL certificate in a Forefront Threat Management Gateway 2010 environment

2654193 You receive a "Bad Request" error message when you try to access Outlook Web App in a Forefront Threat Management Gateway 2010 environment

2654074 String comparison may become case-sensitive when you publish a website by using Forefront Threat Management Gateway 2010

2658903 The Forefront Threat Management Gateway Firewall service (Wspsrv.exe) may crash frequently for a published website secured by SSL after you install Service Pack 2

Note that along the lines of products like Exchange, cumulative updates for ForeFront TMG are now also called Rollup instead of Software Update or Update.

You can request ForeFront TMG SP2 RU1 directly from support here.

mail-enabled public folders stopped working after installing Exchange 2010 in existing Exchange 2003 or 2007 environment

I recently came across the following issue while performing an Exchange 2007 to Exchange 2010 migration for a company that still heavily utilised mail-enabled public folders. The client’s Exchange environment was quite old and had been previously migrated from Exchange 5.5 to 2003 and hadn’t been properly decommissioned with the original move to 2007, but that’s another story!

Issue

The issue I had was that once I moved all receive connectors to the new Exchange 2010 server, emails sent to any of the mail-enabled public folders (which were still being replicated between the 2 servers) were being rejected with the following NDR:

#< #5.2.0 smtp;554 5.2.0 STOREDRV.Deliver.Exception:ObjectNotFoundException; Failed to process message due to a permanent exception with message The Active Directory user wasn’t found. ObjectNotFoundException: The Active Directory user wasn’t found.> #SMTP#

The following error was found in Event Viewer:

Log Name: Application
Source: MSExchange Store Driver
Date: 7/09/2010 2:00:02 AM
Event ID: 1020
Task Category: MSExchangeStoreDriver
Level: Error
Keywords: Classic
User: N/A
Computer: server@domain
Description:
The store driver couldn’t deliver the public folder replication message “Folder Content (PublicFolderDatabase@domain)” because the following error occurred: The Active Directory user wasn’t found.

Solution

Given this Exchange environment was originally running versions prior to Exchange 2007, the legacy Administrative Group and all its empty subcontainers still existed. An explanation from the Microsoft Exchange Team of why this issue occurs can be found here: http://msexchangeteam.com/archive/2010/05/05/454821.aspx

The solution to this issue was to delete the empty Servers container from the legacy Administrative Group.

Using ADSIEdit.msc, connect to a domain controller and navigate to:

CN=Configuration , CN=Services, CN=Microsoft Exchange, CN=[ExchangeOrganisationName], CN=Administrative Groups, CN=[LegacyAdministrativeGroupName], CN=Servers.

Right-click the Servers container and select Delete

Click Yes

Restart the Microsoft Exchange Active Directory Topology Service and the Microsoft Exchange Information Store on both the Exchange 2007 & Exchange 2010 Servers
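Before deleting anything in ADSIEdit, it helps to see every Administrative Group's Servers container and how many objects each holds, so the empty legacy container is identified and the Exchange 2010 group's container is left alone. The following read-only check is an added example, not part of the original post; it assumes a domain-joined machine and an account allowed to read the Configuration partition, and it modifies nothing.

```powershell
# Added example, not part of the original post: a read-only inventory of every
# Administrative Group's Servers container in the Exchange organisation, so the
# empty legacy container behind the "Active Directory user wasn't found" error can
# be identified before anything is deleted in ADSIEdit. Assumptions: run on a
# domain-joined machine as a user allowed to read the Configuration partition;
# nothing is modified.
function Get-AdminGroupServersContainers {
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = "$($rootDse.configurationNamingContext)"
    $exch    = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$cfgNc"

    foreach ($org in $exch.psbase.Children) {
        # Only organisation objects; skip e.g. Active Directory Connections
        if ($org.psbase.SchemaClassName -ne 'msExchOrganizationContainer') { continue }
        $orgDn  = "$($org.distinguishedName)"
        $groups = [ADSI]"LDAP://CN=Administrative Groups,$orgDn"

        foreach ($ag in $groups.psbase.Children) {
            if ($ag.psbase.SchemaClassName -ne 'msExchAdminGroup') { continue }
            $serversDn = "CN=Servers,$($ag.distinguishedName)"

            # Count the child objects; a legacy group typically has an empty container
            $count = $null
            if ([ADSI]::Exists("LDAP://$serversDn")) {
                $count = @(([ADSI]"LDAP://$serversDn").psbase.Children).Count
            }
            New-Object PSObject -Property @{
                Organization        = "$($org.cn)"
                AdministrativeGroup = "$($ag.cn)"
                ServersContainer    = $serversDn
                ServerObjects       = $count      # $null = no Servers container at all
            }
        }
    }
}

$containers = @(Get-AdminGroupServersContainers)
$containers | Format-Table AdministrativeGroup, ServerObjects, ServersContainer -AutoSize

# Empty containers are the candidates the post deletes; the Exchange 2010 group's
# container must still list your servers, so never delete one with ServerObjects > 0.
$containers | Where-Object { $_.ServerObjects -eq 0 } | ForEach-Object {
    Write-Warning "Empty Servers container (legacy admin group?): $($_.ServersContainer)"
}
```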

Internet Explorer stops randomly when using TMG as proxy, or Error 502: The number of HTTP requests per minute exceeded the configured limit

Some users reported that Internet Explorer stops randomly. After investigating I saw the following error:


On the TMG Management server I also saw the alert "The number of HTTP requests per minute exceeded the configured limit".

Solution:

1. Open TMG Management Console

2. Go to Intrusion Prevention System

3. Flood Mitigation

4. Click on the Edit button: The number of HTTP requests per minute exceeded the configured limit
Default = 600; I configured 3000.
