Wednesday, 18 April 2012

Can the Hybrid Cloud really work?

Hi guys,

On May 4th I will be presenting a live webinar on Hybrid Cloud solutions for Exchange and what it means for your business, your users and your datacentre.



Be sure to sign up as we take you on a journey through an Exchange Hybrid Cloud deployment and you get real world answers both from myself and the customer the solution was catered for.



See you there!

Take Care


Oliver Moazzezi MVP - Exchange Server

Monday, 16 April 2012

Cannot activate a Database Copy because of a corrupt Catalog

Hi,

Recently I had an issue activating a database in an Exchange 2010 DAG.


"An Active Manager operation failed. Error: The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'Database02' on server 'xxxxx' has content index catalog files in the following state: 'Failed'.. [Database: Database02, Server: xxxxx]"

This issue was of course stopping me from activating the copy and performing maintenance on the server currently hosting the active copy. Yes, I have more than two copies of the database in the DAG, but rather than mounting another copy, I decided to fix the issue.


You are able to update a mailbox database copy's content index catalog rather than performing a full database reseed. You do this by adding the -CatalogOnly parameter to the Update-MailboxDatabaseCopy cmdlet.


Example: Update-MailboxDatabaseCopy Database\DAGServer -CatalogOnly

Once the catalog had updated, I was able to successfully move and activate the database on the required DAG member.
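The catalog-only reseed above, carried through with a status check before, a health poll after, and the activation that the post says succeeded once the index was healthy. This is an added example, not the post's own script; 'Database02' is the database named in the post, while 'DAGServer02' and the ten-minute timeout are assumptions.

```powershell
# Added example (not from the original post): repair a failed content index on a
# passive copy, wait for it to report Healthy, then activate that copy.
# 'Database02' is from the post; 'DAGServer02' is a placeholder DAG member name.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$Database = 'Database02'
$Server   = 'DAGServer02'
$Copy     = "$Database\$Server"

# 1. Look before touching: the copy status shows why activation is refused.
$Status = Get-MailboxDatabaseCopyStatus -Identity $Copy
$Status | Format-List Name, Status, ContentIndexState, CopyQueueLength, ReplayQueueLength

if ($Status.ContentIndexState -eq 'Failed') {
    # 2. Reseed only the catalog; the database and log files are left alone.
    Update-MailboxDatabaseCopy -Identity $Copy -CatalogOnly -Confirm:$false

    # 3. Poll until the index is Healthy (assumed ten-minute limit).
    $Deadline = (Get-Date).AddMinutes(10)
    do {
        Start-Sleep -Seconds 30
        $State = (Get-MailboxDatabaseCopyStatus -Identity $Copy).ContentIndexState
    } until ($State -eq 'Healthy' -or (Get-Date) -gt $Deadline)

    if ($State -ne 'Healthy') {
        throw "Catalog for $Copy is still '$State' after the reseed; not activating."
    }
}

# 4. Activate the copy. No skip switches are used, so Active Manager still
#    refuses a copy whose catalog or copy queue is not acceptable.
Move-ActiveMailboxDatabase -Identity $Database -ActivateOnServer $Server -Confirm:$false
Get-MailboxDatabaseCopyStatus -Identity $Copy | Format-List Name, Status, ContentIndexState
```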

Take Care


Oliver Moazzezi MVP - Exchange Server

Wednesday, 4 April 2012

Securing Exchange UM with TLS for Microsoft Lync Integration

When integrating Exchange UM with Lync Server, Unified Messaging must be running in either TLS or Dual mode. For it to run in either of these modes, a valid certificate from a CA must be installed on the Exchange UM server rather than the standard self-signed certificate.

However!
Simply adding a valid certificate from your internal CA to the Exchange UM server and assigning it to the UM service with Enable-ExchangeCertificate or the Certificate Wizard in the Exchange Management Console does not solve the issue.

What we must do is set the UM service to run in either TLS or Dual mode. To do this, follow these steps.


1. You have successfully added a certificate from your internal CA for Unified Messaging. You now use either PowerShell or the UI to assign this certificate to your UM service, and you get this error:

2. This means you haven't set the UM service to run in either TLS or Dual mode. TLS means TLS is enforced; Dual means the service accepts both TCP and TLS. To set the UM service to the correct configuration, fire up PowerShell and run:
Set-UMServer -Identity 'UMServer' -UMStartupMode Dual
If you want to force TLS:
Set-UMServer -Identity 'UMServer' -UMStartupMode TLS
If you have multiple UM servers and they all have the relevant certificate already in their certificate store, then we could for example run (selecting only one mode):
Get-UMServer | Set-UMServer -UMStartupMode Dual

3. We can now try and assign the certificate again via either Enable-ExchangeCertificate or via the Exchange Certificate Wizard UI in the Exchange Management Console:

4. Once this configuration change is made, we must restart the UM service:
Restart-Service MSExchangeUM

The service is now restarted and the UM service is running in either TLS or Dual mode with the certificate from your internal CA.
You are now ready to proceed with the next step of integrating UM with Lync. Watch out for the next part of this process, coming soon.
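Steps 2 to 4 above as one script that also checks the current mode first, picks the CA-issued certificate rather than the self-signed one, and verifies the binding after the restart. This is an added example rather than the post's own commands; 'UMServer' is the name used in the post, the certificate subject is a placeholder, and the script assumes it is run in the Exchange Management Shell on that UM server.

```powershell
# Added example (not from the original post): put a UM server into Dual mode,
# bind the internal-CA certificate to the UM service and verify the result.
# 'UMServer' is from the post; $Subject is a placeholder for your own cert.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$Server  = 'UMServer'
$Subject = 'CN=umserver.corp.example'   # placeholder: subject of the internal CA cert

# 1. Check the current startup mode. TCP is the default, and in TCP mode
#    Enable-ExchangeCertificate -Services UM fails as described in step 1.
$Um = Get-UMServer -Identity $Server
"$($Um.Name) is currently in $($Um.UMStartupMode) mode"

# 2. Switch to Dual (use -UMStartupMode TLS to enforce TLS only).
if ($Um.UMStartupMode -eq 'TCP') {
    Set-UMServer -Identity $Server -UMStartupMode Dual
}

# 3. Select the CA-issued certificate, never the self-signed one: on a
#    self-signed certificate Issuer equals Subject, so that is excluded.
$Cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Subject -eq $Subject -and $_.Issuer -ne $_.Subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No valid CA-issued certificate with subject '$Subject' on $Server" }

# 4. Bind it to the UM service now that the startup mode permits it.
Enable-ExchangeCertificate -Server $Server -Thumbprint $Cert.Thumbprint -Services UM -Confirm:$false

# 5. The mode change only takes effect after the service restarts (run locally on the UM server).
Restart-Service MSExchangeUM

# 6. Verify: the mode is Dual or TLS and the UM service shows the new thumbprint.
Get-UMServer -Identity $Server | Format-List Name, UMStartupMode
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'UM' } |
    Format-List Subject, Issuer, Thumbprint, NotAfter
```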

Take Care


Oliver Moazzezi MVP - Exchange Server

Installing Zune for WP7 on Windows 2008 R2 SP1

I recently upgraded my workstation to Windows 2008 R2 to take advantage of Hyper-V and to get to know it better. In doing so I resolved all the usual issues with a server OS by installing the Desktop Experience and a few selected drivers. However, I could not install Zune to sync my Windows Phone 7. NOT COOL MAN!

Luckily there are some how-to guides on the internet that showed how to get past this block; unfortunately they were all pretty old and the Zune installer has changed since that information was made public.

So, here is the latest guide on installing Zune onto Windows 2008 R2 SP1. This is current for Zune release 4.8.2345.0 and is the current Zune download as of April 2012.

1. Download Zune. Once you have downloaded the package, open a command prompt and unpack the exe by running it with the /x switch.
2. Once unpacked you should see a directory structure like so:
3. Locate the relevant install package for you. In my case I am running the 64-bit version of Windows 2008 R2, so I selected the x64 directory. From here locate the package folder, and within it is 'zune-x64.msi'. Run this msi file from an elevated command prompt. Notice it is running as administrator; to do this simply right-click Command Prompt and select 'Run as Administrator'.
4. Once this is done, Zune will be installed! However... I found that my Windows Phone 7 would not connect to Zune. To remedy this we also need to install another msi file, 'Zunewmdu-x64.msi'.
5. You may or may not have to reboot. I didn't have to; once the above msi file was installed I connected my Windows Phone 7 and...


Success!!
Take Care


Oliver Moazzezi MVP - Exchange Server

Thursday, 8 March 2012

Tenant Isolation in a Hosted Exchange Environment

With the removal of the /hosting edition of Exchange Server and the reintroduction and support of hosting using the /enterprise edition of Exchange Server, I thought it a good idea to cover some topics that help an IT admin implement certain tenant isolation features in the /enterprise edition of the product.

A feature a tenant may require is tenant or semi-tenant isolation. This is where the tenant cannot contact any other tenants in the hosted org. A customer may require total lockdown, or may require that only a subset of users have this restriction in place.

Luckily, with Transport Rules and some PowerShell magic we can implement this feature. In a perfect world you will have a front end or control panel that can configure this magic for you, but if your control panel is one step behind, these are the backend steps you need to take to implement it.


Firstly you will need a Transport Rule to disallow the tenant, or certain users within the tenant, from sending outside of the organization.

If you are using HMC, or have a framework that works along the lines of HMC, for example with AllUsers and AllAdminUsers groups, then we can lock a tenant down with these security groups. If however only part of a tenant is to be isolated, then we will need to create another group, add the required users to that group and then potentially hide that group from the GAL so as not to mess up a nice clean address book view. So back on track..

..This is simply achieved with a transport rule like the following (the condition is "from a member of" the tenant's AllUsers or isolation group, scoped to recipients outside the organization, with the action "delete the message"; replace the group and the priority with your own values):

New-TransportRule -Name 'Tenant Isolation - Outside Org Test' -Comments 'Another Transport rule to block my tenant from sending outside of the org. Entirely a test.' -FromMemberOf '<tenant AllUsers group>' -SentToScope NotInOrganization -DeleteMessage $true -Enabled $true -Priority <number>

This looks like so in the UI:
However, on top of this you also need to provide a way of locking down messaging within the org. As the Enterprise edition of Exchange has no concept of 'tenants', you need to build another Transport Rule with an exception for the tenant's own users.
The above rule then allows the tenant to receive emails from the users within it but stops communication to other tenants on the hosted platform.

We can then look to modify the rules further, for example by changing 'silently drop the message' to actually inform the user that the message was refused, with a custom error.


So the above controls outbound messages, but we still need to be able to control who can send messages to the isolated tenant or the isolated users. We could again use Transport Rules, but again we would need to create two, one for inside the organization and another for outside. In this instance I prefer to perform the lockdown on the user object itself, as this creates less transport overhead on your messaging subsystem.
Finally, if your hosting framework cannot support message delivery restrictions, then you can tie this into your tenant's OU and selected users with a little PowerShell. This can be run as a scheduled task against the tenant as a ps1 script. The below is an example I have made and use, but it will need some modification.

#Allow users to only receive messages from a specified DL
#Modify $NIS and $AllUsers as appropriate
#Test in Test Lab prior to running in Live
#Confirm $NIS and $AllUsers are valid targets with Get-DistributionGroup
#Replace $NIS with a 'No Internet Sending Security Group' created in Control Panel for the Tenant
#Replace $AllUsers with the HMC4.5/hosting framework AllUsers Group for the Tenant

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
$NIS = '<No Internet Sending group for the tenant>'
$AllUsers = '<AllUsers group for the tenant>'
#Every member of the isolation group may now only accept mail from members of the tenant's AllUsers group
Get-DistributionGroupMember $NIS | Set-Mailbox -AcceptMessagesOnlyFromDLMembers $AllUsers
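The whole isolation described in this post in one script: the outbound rule from above, the intra-org rule with its exception, and the per-mailbox delivery restriction, followed by a check of what was created. This is an added example and not the post's script; the group names are placeholders, the shape of the second rule is reconstructed from the text (the post shows it only as a screenshot), and it uses a reject with a reason text in place of a silent delete, which the post mentions as a possible refinement.

```powershell
# Added example (not from the original post): isolate one tenant end to end.
# Group names are placeholders; the intra-org rule is reconstructed from the
# post's description, and a reject text replaces the silent DeleteMessage.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$Tenant   = 'TenantA'                                    # placeholder tenant name
$AllUsers = 'TenantA_AllUsers@hosting.example'           # placeholder: tenant AllUsers group
$NIS      = 'TenantA_NoInternetSending@hosting.example'  # placeholder: isolated-user group
$Reason   = 'Messaging outside your organisation is not permitted.'

# Rule 1: members of the isolated group may not send outside the Exchange org.
New-TransportRule -Name "$Tenant - Block external send" `
    -FromMemberOf $NIS -SentToScope NotInOrganization `
    -RejectMessageReasonText $Reason -Enabled $true -Priority 0

# Rule 2: inside the org, the isolated group may only reach its own tenant.
# Enterprise Exchange has no tenant concept, so the exception carries it.
New-TransportRule -Name "$Tenant - Block cross-tenant send" `
    -FromMemberOf $NIS -SentToScope InOrganization `
    -ExceptIfSentToMemberOf $AllUsers `
    -RejectMessageReasonText $Reason -Enabled $true -Priority 1

# Inbound side: restrict each isolated mailbox to senders from its own tenant,
# on the recipient object rather than with two more transport rules.
Get-DistributionGroupMember -Identity $NIS |
    Where-Object { $_.RecipientType -like '*Mailbox*' } |
    Set-Mailbox -AcceptMessagesOnlyFromDLMembers $AllUsers

# Verify the rules and the mailbox restriction actually applied.
Get-TransportRule | Where-Object { $_.Name -like "$Tenant - *" } |
    Format-Table Name, Priority, State, FromMemberOf, SentToScope -AutoSize
Get-DistributionGroupMember -Identity $NIS |
    Where-Object { $_.RecipientType -like '*Mailbox*' } |
    Get-Mailbox | Format-Table Name, AcceptMessagesOnlyFromDLMembers -AutoSize
```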

The end result is as follows:

Isolated tenant/user sending out to the internet:
Isolated tenant/user sending to another tenant in the Hosted Exchange platform:
Another tenant or external user trying to send to the isolated tenant/user:
Take Care


Oliver Moazzezi MVP - Exchange Server

Friday, 24 February 2012

HyperV IaaS, SCVMM and the Cobweb Control Panel

Cobweb provides many products other than Exchange. Through our Control Panel, customers can choose web hosting, CRM, SharePoint, Office Communications Server (Lync coming soon), backup products, you name it.

A product we recently launched is dedicated virtual machines using Microsoft Hyper-V R2 with SP1.

We can provide dedicated Windows 2008 R2 VMs to customers, spinning them up on demand based on the customer's needs.

I recently trialled this service, so I thought I'd post on how easy the entire experience is.


Normally my login to the Control Panel looks like this. You can see I make use of many feature-rich products and services.
Using a trial customer account I tried the HyperV product. You can see below that only HyperV is present; this is because the trial account does not have any other products or services assigned. If, for example, I purchased HyperV on my actual subscription, the HyperV option would appear alongside all the other services I currently have. This provides a seamless end-user experience when managing all your cloud applications and services from the provider.
So I was interested in what I could do with the virtual machine via the Control Panel. This is the view I was presented with when looking at the actual service. The two main options are Virtual Machine configuration and Parallels Plesk.
So if I drill down into Virtual Machine configuration, you'll see I have quite a few options. Firstly I have some pretty basic functionality like being able to start, stop or shut down the virtual machine. Secondly I can manage leased IP addresses; this allows me to assign more public IP addresses to the server, should I need multiple addresses assigned.

Finally I can configure my virtual machine's vCPU, RAM and disk. This is all purchased through billing, and once purchased it is immediately available to assign to my VMs.
At the top is the Remote Console. When clicking this I get direct access through the browser to administer my VM via RDP over HTTPS. This is provided to the end user via SCVMM (System Centre Virtual Machine Manager), which is part of the SCCM suite.
Out of the box, direct RDP isn't available, but this is just a service desk call away from being configured. Remember, you'll ideally need a static IP address to manage them this way.
Take Care


Oliver Moazzezi MVP - Exchange Server

Wednesday, 15 February 2012

Released: Update Rollup 1 for Exchange 2010 Service Pack 2

The Exchange Team released RU1 for SP2 yesterday. For the full details and download please see here.

A copy of the article is below.

---------------------------------------------------

Earlier today the Exchange CXP team released Update Rollup 1 for Exchange Server 2010 SP2 to the Download Center.

This update contains fixes for a number of customer-reported and internally found issues since the release of SP2. See KB 2645995: Description of Update Rollup 1 for Exchange Server 2010 Service Pack 2 for more details.

Note: If some of the following KB articles do not work yet, please try again later.

We would like to specifically call out the following fixes which are included in this release:

New updates for Dec DST - Exchange 2010 - SP2 RU1 - Display name for OWA.
http://support.microsoft.com/kb/2616230 Exchange 2010 CAS server treats UTF-7 encoded NAMESPACE string from CHS Exchange 2003 BE server as ASCII, causing IMAP client login to fail.
http://support.microsoft.com/kb/2599663 RCA crashes when recipient data is stored in bad format.
http://support.microsoft.com/kb/2492082 Free/busy publish to Public Folders fails with 8207 event.
http://support.microsoft.com/kb/2666233 Manage Hybrid Configuration wizard won't accept domains starting with a numeral for FOPE outbound connector FQDN.
http://support.microsoft.com/kb/2557323 "UseLocalReplicaForFreeBusy" functionality needed in Exchange 2010.
http://support.microsoft.com/kb/2621266 Exchange 2010 Mailbox Databases not reclaiming space.
http://support.microsoft.com/kb/2543850 Exchange 2010 GAL-based Outlook rule not filtering emails correctly.

General Notes:

For DST Changes: http://www.microsoft.com/time.

Note for Forefront Protection for Exchange users:

For those of you running Forefront Protection for Exchange, be sure you perform these important steps from the command line in the Forefront directory before and after this rollup's installation process. Without these steps, the Exchange Information Store and Transport services will not start after you apply this update. Before installing the update, disable Forefront by using this command: fscutility /disable. After installing the update, re-enable Forefront by running fscutility /enable.
Take Care


Oliver Moazzezi MVP - Exchange Server

Tuesday, 14 February 2012

Source Side Operation Failed - Exchange 2010 DAG

I came across this today. I have no idea why the database failed to replicate correctly, especially as it was a new database with no users on it. However, fixing it was fairly trivial.

The issue:
Once I was back in the console I actually couldn't see the suspended and failed copy without restarting EMC (a refresh would not work); however, EMS did in fact show it:
So via PowerShell I simply ran Resume-MailboxDatabaseCopy against the copy, and this fixed the issue.


Testing via EMC, I noticed that once it was restarted I was able to see the failed and suspended database, so I could have performed the resume via the UI if I had needed to.
Root cause analysis was not done, as I was unable to reproduce the issue. Hopefully this article will help any other admins with the issue who may not be quite as quick at fixing it.
Take Care


Oliver Moazzezi MVP - Exchange Server

Wednesday, 1 February 2012

Changing byte metrics in Powershell to MB or GB

When you run Get-Mailbox and pipe it to Get-MailboxStatistics, the TotalItemSize is returned in varying units (KB, MB or GB) depending on the actual size of each user's mailbox.


To streamline this you can convert all values to MB or GB by using the following:


MB
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft @{label="Total Size (MB)";expression={$_.TotalItemSize.Value.ToMB()}} -AutoSize | Out-File "X:\report.csv"

GB
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft @{label="Total Size (GB)";expression={$_.TotalItemSize.Value.ToGB()}} -AutoSize | Out-File "X:\report.csv"




Where "X:\report.csv" is where you want the file to be created.


Please note this simply exports the mailbox size values in MB or GB. It does not append the DisplayName of the user or anything else.
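The same normalisation extended to include the DisplayName the post says is missing, plus item count and deleted-item size, written with Export-Csv so the file really is a CSV rather than a formatted table. This is an added example, not the post's own command; the output path is the one used in the post.

```powershell
# Added example (not from the original post): mailbox size report normalised to MB,
# with DisplayName and item count, exported as a genuine CSV.
# Note: ft | Out-File writes a text table, not CSV; Export-Csv writes real CSV rows.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

Get-Mailbox -ResultSize Unlimited |
    Get-MailboxStatistics |
    Select-Object DisplayName, ItemCount,
        # Calculated properties do the unit conversion, whatever unit Exchange reported in.
        @{ Name = 'TotalSizeMB';   Expression = { $_.TotalItemSize.Value.ToMB() } },
        @{ Name = 'DeletedSizeMB'; Expression = { $_.TotalDeletedItemSize.Value.ToMB() } },
        LastLogonTime |
    Sort-Object TotalSizeMB -Descending |
    Export-Csv -Path 'X:\report.csv' -NoTypeInformation -Encoding UTF8
```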


Take Care


Oliver Moazzezi MVP - Exchange Server

Monday, 17 October 2011

EMC 2007/2010 IE9 bug fixed

Microsoft have released an IE9 fix to resolve the interoperability issues between the Exchange 2007 and 2010 EMC and IE9. Great news (not that I ever get to use EMC anymore, well at least that was until this announcement: Future of /Hosting Mode).

Anyway, back to the fix... The Exchange 2007 or 2010 EMC might fail to close with "You must close all dialog boxes before you can close Exchange Management Console". The Exchange team have posted this on their blog with links to the fix: http://blogs.technet.com/b/exchange/archive/2011/10/17/a-fix-for-the-interoperability-issues-between-exchange-2007-and-2010-emc-and-ie9-is-now-available.aspx.

Daniel