Categories
2007 2008 exchange

Exchange 2007 Clustering on Windows 2008

I have just spent an hour or three installing two Windows 2008 Enterprise Edition boxes to create an Exchange 2007 SCC cluster using Microsoft Virtual Server 2005 R2 to create the environment.

But I did not get that far, as Windows Server 2008 Failover Clustering shared storage requires SAS (Serial SCSI) or iSCSI and not traditional SCSI (Parallel SCSI). Microsoft Virtual Server 2005 R2 only emulates IDE (not supported for clusters anyway) or Parallel SCSI. So I could not create a failover cluster with shared storage tonight.

I will install the iSCSI target that I have and try again in a few weeks.

Categories
2003 2007 active directory error exchange kerberos virtual pc virtual server

ERROR_REPLICA_SYNC_FAILED_THE TARGET PRINCIPAL NAME IS INCORRECT

This rather imposing message is found if you try to force replication between to Active Directory Domain Controllers when one of the controllers machine account password is out of sync with the password as stored on the other domain controller.

I have seen this a number of times on Virtual PC or Virtual Server Active Directory deployments with more than one DC in the virtual environment.

So, how do you fix it:

  1. On the DC that is broken (the one that when using replmon reports the error above) set the Kerberos Key Distribution Center Service to manual and stop the service.
  2. From a command prompt on the broken DC enter the following:
    netdom resetpwd /s:name_of_working_DC /ud:domain\user /pd:*
    where domain\user is an administrator of the domain in the domain_name\user_name format. You will be prompted to enter your password.
  3. Upon pressing Enter, if the command fails then restart the broken DC and repeat the above command (this restart clears the Kerberos ticket cache and so clears the broken credential attempts that it has stored).
  4. Upon successful completion of the command in step 2 restart the broken DC. You must do this even if done already in step 3.
  5. Check that replication is working, and if so restart the Kerberos Key Distribution Center Service and set the service back to automatic.

This is a summary of Microsoft Knowledgebase Article 325850, with some more specific detail mentioned.

Categories
2007 exchange hotfix update

Update Rollup # For Exchange Server 2007

Blog updated 22nd February 2008

As Microsoft plan to release Update Rollups for Exchange Server 2007 every six to eight weeks (see KB937194), I will use this blog entry to list the current latest update:

The latest version of the Exchange 2007 update is Update Rollup 6 for Exchange Server 2007 – this can be downloaded from here (64 bit and 32 bit versions now available).

Microsoft plan to do these releases rather than issue hotfixes as the method of engineering Exchange has changed since the previous versions, and KB937194 (see earlier) describes why this is. Each update rollup contains all the previous updates, so you only need to deploy this patch and not any earlier patches as well.

If you have not yet installed Exchange 2007 yet, copy this patch to the Update folder on your installation point and it will get slipstreamed into the installation automatically upon running Setup.

Note that unlike updates #3, #4 and #5, a 32bit version of this update is not currently available.

Categories
2007 certificates exchange iis microsoft pkcs powershell web

Creating Subject Alternative Name Certificates with Microsoft Certificate Server

A new feature in digital certificates is the Subject Alternative Name property. This allows you to have a certificate for more than one URI (i.e. www.c7solutions.com and www.c7solutions.co.uk) in the same certificate. It also means that in web servers such as IIS you can bind this certificate to the site and use up only one IP address.

A number of commercial companies now sell certificates with the Subject Alternative Name field set, but this article describes how to use the Exchange Server 2007 command line to create certificate requests for other web sites that can be uploaded to Microsoft Certificate Server (which does not support this property in its own web pages) to create certificates for web servers such as IIS (which also do not support this property in the requests that they make).

The command that you need to run is via PowerShell, and specifically via the Microsoft Exchange Server 2007 extensions to PowerShell. So start up the Microsoft Management Shell and enter the following (replacing your domain names as indicated:

New-ExchangeCertificate -GenerateRequest:$true -Path c:\newCert.req -DomainName www.domain.com,sales.domain.com,support.domain.com -PrivateKeyExportable:$true -FriendlyName “My New Certificate” -IncludeAcceptedDomains:$false -Force:$true

The DomainName property is set to each URL that you want the certificate to be valid for, with the first value in the string being the value for the Subject field and all the values each being used in the Subject Alternative Name field.

Once you have executed the command above you will have a file with the name set in the Path property. This file can be opened in Notepad and used in Microsoft Certificate Services:

  1. Browse to your Microsoft Certificate Services URL and click Request a certificate
  2. Click advanced certificate request
  3. Click submit a certificate…
  4. Copy and paste the entire text of the certificate request from notepad into the Saved Request field on this page and select Web Server as the Certificate Template. Click Submit.
  • With a default installation the Web Server template value will not be present and that needs to be enabled by your Certificate Services administrator for your user account
  • With the default installation of Certificate Services, the certificate will now be ready to download. Click Download certificate (or Download Certificate Chain if the end server does not trust your issuer) to save your certificate to the computer.
  • Install the certificate on to the same computer that you issued the request from (this is a very important step), and then you can export the certificate and import it on your web server or firewalls.

To install the certificate, run the Import-ExchangeCertificate powershell command on the same computer as the request was issued from (this is a very important, it must be on the same computer). This is a simpler command to run that the creation of the request above.

The syntax of this command is (where the filename is the name of the file downloaded above):

Import-ExchangeCertificate c:\newCert.cer

To export the certificate to your web server or firewall you need to open the local computer certificate store in the Microsoft Management Console – run mmc, add a snap-in and choose Certificates, Computer account. You will find your certificates under the Personal store. You can right-click these certificates and export them (with the private key) to a .pfx file. This file can then be imported using the MMC tool on the web server or firewall ready for importing using an mmc with the certificates/computer account snap-in load into it.

Categories
2007 exchange powershell upgrade

Exchange Management Shell

I need a place to store useful Powershell commands for the administration of Exchange Server 2007, so I thought I would add them here:

Upgrading Exchange Organisation
Place Replicas of Public Folders on New Exchange Server

get-publicfolder -recurse Set-PublicFolder -Replicas:”server\public folder
database”,”server\public folder store (server)”

Enable ActiveSync Policy for Windows Mobile 2003 Smartphones and Pocket PC’s

New-ActiveSyncMailboxPolicy “Windows Mobile 2003 Users” -AttachmentsEnabled:$false -DevicePasswordEnabled:$false -AlphanumericDevicePasswordRequired:$false -PasswordRecoveryEnabled:$false -DeviceEncryptionEnabled:$false -AllowNonProvisionableDevices:$true -AllowSimpleDevicePassword:$false -DevicePasswordExpiration:unlimited -WSSAccessEnabled:$false -UNCAccessEnabled:$false

Enable ActiveSync Policy for Windows Mobile 5 Smartphones and Pocket PC’s

New-ActiveSyncMailboxPolicy “Windows Mobile 5 Users” -AttachmentsEnabled:$true -DevicePasswordEnabled:$true -AlphanumericDevicePasswordRequired:$false -PasswordRecoveryEnabled:$true -DeviceEncryptionEnabled:$false -MinDevicePasswordLength:4 -MaxInactivityTimeDeviceLock:00:15:00 -MaxDevicePasswordFailedAttempts:8 -AllowNonProvisionableDevices:$false -AllowSimpleDevicePassword:$false -DevicePasswordExpiration:unlimited -WSSAccessEnabled:$true -UNCAccessEnabled:$true

Set ActiveSync Policy Against All Users for a Given Policy

get-mailbox Set-CASMailbox -ActiveSyncMailboxPolicy:”Name Of Policy

Categories
2007 2010 2013 exchange

P1 and P2 Headers in SMTP

P1 = the value on the MAIL FROM command of the SMTP connection (the message envelope) as defined in RFC 821.
P2 = the email address in the message body as defined in RFC 822. These include the FROM, REPLY TO and SENDER fields

For example, the following SMTP command sequence describes where P1 and P2 are used:

HELO server
MAIL FROM this_is@my_p1_address.com
RCPT TO: recipient@domain.com
DATA
FROM: this_is@my_p2_address.com
TO: recipient@domain.com
SUBJECT: This is a blog on P1 and P2

This is the text of the message
.

The MAIL FROM value should be your email address, but it does not have to be (ie one of the reasons why spam is so prevalent)
The FROM: header should match this, but this value is what is displayed in the email in Outlook (and other clients). The P1 address is used for routing and not display.

If the connection to an Exchange Server is anonymous then the P2 address will contain the display name and the email address, but if it is an authenticated connection then the P2 email address will be resolved to the value in the address book and this value will be displayed.

Categories
exchange windows server xp

Unable to Delete Active Directory Object

Whilst doing some tests on an Active Directory to do with permissions I removed all the permissions apart from SYSTEM. This proved what I wanted to prove, but I then could not delete the object or reset its permissions etc. to tidy up my test environment.

A search on the web for the problem returned one page and they had not solved it either. This was found here. Though they had deleted a user object and I had set permissions on an Exchange Server address list object I think the answer might be the same.

The problem in Exchange System Manager was “The specified directory service attribute or value does not exist” and “8007200a” when I tried to delete the object. Opening ADSI Edit would not let me delete the object (which appears as a notepad icon and not the folder icon it is supposed to be). Opening the object returns “An invalid directory pathname was passed” and deleting the object returns “This folder or one of its children has one or more property sheets up. Please close the property sheet before continuing with this action.

So taking the advice in the above link, and going a few steps further I managed to delete the object.

The key (in Windows Server 2003) is to use a command line tool called DSRM. This deletes active directory objects, but before it can be deleted the permissions need to be reset using another command line tool called DSACLS.

  1. Determine the distinguished name of the object. This is easiest to do in ADSI Edit by opening the parent item and copying the value of the distinguishedName property.
  2. Paste the copied distinguished name into Notepad and prepend to the text the name of the child object in the form of CN=child,distinguishedname.
  3. On the command line enter DSACLS “Distinguished Name” /A. The quotes are needed if there are spaces within the distinguished name. This will display the current permissions on the object for your interest.
  4. Repeat the above command but change the ending to /G Everyone:GA (remove the /A). This will grant full control to Everyone to this object. Remember that you are deleting this item so these permissions are temporary. This should be successful.
  5. Finally you can delete the object using DSRM if the object is a leaf object, but if not a leaf object then DSRM distinguishedName -subtree. It might also be possible to use ADSI Edit or the valid Active Directory administration tool to delete the object if the permission fix has worked.
Categories
2003 certificates exchange orange spv

Connecting a Windows SmartPhone to Exchange Server Protected with a Private Certification Authority Digital Certificate

Having recently obtained my first Windows Mobile powered SmartPhone, I needed to connect to my Exchange Server over the internet using ActiveSync. For those of you unfamiliar with Windows Mobile SmartPhones, they let you connect, using the phones internet connection (typically over a GPRS network), to your Exchange 2003 Servers to download your email at a given schedule. Additionally the SmartPhones running Windows Mobile 2003 and later support “Up-to-date Notifications”, where the emails are synchronised to your phone automatically upon arrival at the Exchange Server independent of the schedule. It was this Up-to-date Notifications feature that I wanted to implement, but it was not as straight forward as I thought it would be when I got down to it!

The reason was the phone. I have an Orange SPV C550 which is locked by Orange, the network operator. This means that you cannot install any software on the phone including any digital certificate that you need to connect to your Exchange Server.

To configure across the mobile network synchronisation of your e-mail you need to have Exchange ActiveSync enabled on your Exchange Server (it is on by default) and ensure that the “/Microsoft-Server-ActiveSync/*” path to an Exchange Server in your organisation is available through your firewall. If you do not use SSL to protect this HTTP session (not recommended) then you need do nothing to your phone apart from configure it to use the server synchronisation to get your email, but if you want to use HTTPS and the certification authority you are using to provide your digital certificates is a private certification authority you will find that you will not be able to connect as your phone will not trust the certificate issuer. Note that in test environments you can use the Disable Certificate Verification tool (see links below) to avoid this issue, but for a production network this is not recommended.

Therefore you need to unlock the phone and install the root certificate from your private certification authority and then relock the phone before you can make a secure connection to your Exchange Server from your Windows Mobile SmartPhone. The last step of locking your phone again is optional, but recommended as it maintains the security of your phone.

To unlock your Orange phone you need to follow these steps, though note that other mobile network operators will either provide unlocked phones or might have an equivalent process:

  1. Make at least one GPRS connection so that your device is registered at Orange
  2. That your handset is switched on and it has a good signal
  3. That you have a record of your IMEI number. You can get this by typing *#06# on the phone.
  4. Visit http://developer.orangews.com/orgspv/comdefq.aspx on a computer (you can do this on the phone, its just easier on a computer). At the time of writing this web page does not list the C550 phone as a phone it unlocks, but it does work.
  5. Choose to “Disable Certificate Security” and click Proceed. Enter the required information and your phone will make an internet connection (which you will be billed for) and it will unlock your phone. Once the phone is unlocked you will see a message in English and French telling you that “Your handset has had its certificate security disabled.”

Once the handset is unlocked you can install any application on the phone that you like, but for the purposes of connecting to your Exchange Server for Up-to-date Notifications:

  1. Start Internet Explorer on your phone and browse to a web site containing your root digital certificate (or use SPAddCert.exe if you already have the certificate downloaded to the phone’s memory. SPAddCert’s download location is on the list of links below). For example if your certificate server is the version that comes with Windows then visit http://servername/certsrv/certcarc.asp and download the certificate.
  2. Confirm that you want to install the certificate at the prompt. Assuming that the phone unlock was successful, the certificate will be installed.
  3. You can now relock your phone using the same process as described above, just choosing the “Enable Certificate Security” option instead. Though whilst your phone is unlocked you might want to investigate Global Contact Access from Microsoft (see the links below) to give your phone more access to your Exchange Server, such as the Global Address List and Free/Busy information.

Configuring Exchange ActiveSync on the Exchange Server is beyond the scope of this article, but full instructions can be found in the Microsoft Press Exchange Server 2003 Resource Kit on pages 892 onward to the end of the chapter.

Once you have the certificate installed you can configure the device to connect to the Exchange Server. This is done by starting the ActiveSync application on your phone and setting the options. Option 3, Server Settings controls this functionality and you need to choose menu item 4 (Connection). Here you need to enter your username, password and domain along with the server name, which is the web address to the Exchange ActiveSync server (for example mail.company.com). You can leave the SSL option selected as you now have the ability to do this connection securely, without needing to purchase a digital certificate from a public certification authority.

Links

Categories
2003 exchange

Exchange 2003 Resource Kit

The Exchange Server 2003 Resource Kit is almost ready for the shops. It should be available by the end of March 2005 and coming soon to the C7 Solutions web site is a book givaway. I have some copies to distribute as I am one of the authors of the book.