Exchange 2010 – Handling different Internal and External Domain Names


One of the issues I ran into with a recent migration from Exchange 2003 to Exchange 2010 was dealing with DNS Namespaces.

The company domain was not the same as the external domain name. Example:

Internal: mail.domain.local
External: mail.domain.com

When you purchase your Exchange SSL certificate this is not a problem by itself. Put every name clients will use, the public name, the internal name and the server's own host name, on the certificate as Subject Alternative Names and all will be fine.

The problem comes when your internal domain name is one you do not own: a .local suffix, or a .com that happens to be someone else's. A public certificate authority has to verify that you control every name it certifies, so it cannot issue for an internal name you have no claim to. (Since November 2015 public CAs may not issue certificates for internal or unregistered names at all, so this path is closed even for names nobody else owns.)

This in itself can cause some nightmares with the internal url structure for Exchange 2010.

Exchange 2010 publishes a set of URLs, one or two per service, that tell clients where to find each service. Outlook and ActiveSync clients learn these URLs through Autodiscover, so a wrong name in any one of them shows up as a broken Outlook feature rather than an obvious error.

To find these URLs on your Exchange install, run these cmdlets in the Exchange Management Shell (EMS):

Get-AutodiscoverVirtualDirectory

Get-ClientAccessServer
Get-WebServicesVirtualDirectory
Get-OabVirtualDirectory
Get-OwaVirtualDirectory
Get-EcpVirtualDirectory
Get-ActiveSyncVirtualDirectory

Each virtual directory has its own InternalUrl and ExternalUrl. Get-ClientAccessServer is the odd one out: it carries AutoDiscoverServiceInternalUri, the Autodiscover URL that domain-joined Outlook reads from Active Directory before it ever tries DNS. Pipe each cmdlet to Format-List Identity,*Url,*Uri to see just the URLs.
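As an added example (not part of the original post), the script below pulls all of those URLs in one pass and checks each one against the names on the certificate IIS is serving and against what the server's resolver returns for the hostname. It runs in the Exchange Management Shell on the Client Access Server; the server name EX2010 and the internal IP 192.168.0.100 are placeholders.

```powershell
# Added example, not code from the original post: audit every client-facing URL that
# Exchange 2010 hands out through Autodiscover against (a) the names on the certificate
# bound to IIS and (b) what the server's resolver returns for each hostname.
# Run in the Exchange Management Shell on the Client Access Server.
# Assumptions (placeholders): CAS name EX2010, internal IP 192.168.0.100.

$cas        = "EX2010"          # assumption: Client Access Server name
$expectedIp = "192.168.0.100"   # assumption: the IP every Exchange hostname should resolve to internally

# Names on the certificate that IIS serves on 443 (the one every client sees).
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() })

function Test-NameOnCertificate([string]$hostname) {
    # Exact SAN match, or a wildcard SAN covering exactly one extra label.
    foreach ($n in $certNames) {
        if ($n -eq $hostname) { return $true }
        if ($n.StartsWith("*.") -and ($hostname -like $n) -and
            ($hostname.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

# Collect every URL together with the object it was read from.
$entries = @()
$acs = Get-ClientAccessServer -Identity $cas
$entries += New-Object PSObject -Property @{
    Source = "ClientAccessServer"; Setting = "AutoDiscoverServiceInternalUri"
    Url    = $acs.AutoDiscoverServiceInternalUri }
$vdirCmdlets = "Get-AutodiscoverVirtualDirectory", "Get-WebServicesVirtualDirectory",
               "Get-OabVirtualDirectory", "Get-OwaVirtualDirectory",
               "Get-EcpVirtualDirectory", "Get-ActiveSyncVirtualDirectory"
foreach ($cmdlet in $vdirCmdlets) {
    foreach ($vdir in @(& $cmdlet -Server $cas)) {
        foreach ($setting in "InternalUrl", "ExternalUrl") {
            $entries += New-Object PSObject -Property @{
                Source = $vdir.Identity.ToString(); Setting = $setting; Url = $vdir.$setting }
        }
    }
}

# Three questions per URL: is it HTTPS, is the host on the certificate, does DNS send it to the CAS?
foreach ($e in $entries) {
    if (-not $e.Url) { "{0,-24} {1,-45} {2}" -f "NOT SET", $e.Source, $e.Setting; continue }
    $uri = [uri]$e.Url
    try   { $ips = @([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }) }
    catch { $ips = @() }
    if     ($uri.Scheme -ne "https")                            { $status = "NOT HTTPS" }
    elseif (-not (Test-NameOnCertificate $uri.Host.ToLower()))  { $status = "HOST NOT ON CERT" }
    elseif ($ips -notcontains $expectedIp)                      { $status = "DNS -> " + ($ips -join ",") }
    else                                                        { $status = "OK" }
    "{0,-24} {1,-45} {2}" -f $status, $e.Source, $e.Url
}
```

Anything that is not OK is a URL Outlook will be handed and will fail on: "HOST NOT ON CERT" is the certificate warning users see, "DNS ->" with an empty or public address is the Automatic Replies error from the top of this post.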

What kind of problems can I run into?

First and foremost the problem I ran into was you could not access Automatic Replies via outlook.

“The automatic reply settings cannot display because the server is currently unavailable. Try again later”

To troubleshoot this, the first thing to do is test your e-mail auto-configuration from Outlook. Hold Ctrl, right-click the Outlook icon in the notification area (system tray), and choose Test E-mail AutoConfiguration.

This nifty little feature can definitely point you in the right direction. Before you run it, uncheck Use Guessmart and Secure Guessmart Authentication so that only Autodiscover is tested, enter your account password and click Test. When the process finishes you will be presented with some output.

The Results tab lists the internal and external URLs Autodiscover returned for each service, and the Log tab shows which Autodiscover URL Outlook tried and whether it succeeded.
The key here is the Autodiscover service URL itself.

In my case it pointed to https://mail.domain.com/, and many of the other URLs pointed there too. From inside our organization there was no way to reach that name, because our internal DNS domain was different from our external one and nothing inside resolved mail.domain.com to the Exchange server.

So how do we fix this?

“Split-Brain” DNS.

Split-brain DNS is a Domain Name System (DNS) configuration in which the same name resolves differently depending on where the query comes from: your internal DNS server hosts its own copy of the public zone and answers internal clients with internal addresses, while the public zone keeps answering the Internet with public ones.

The idea is to host the external domain's records internally so that the name on your SSL certificate resolves, from inside, straight to the Exchange server. Autodiscover then hands out a single set of URLs that work from both sides, and the certificate matches everywhere.

How to Create a Forward Lookup Zone

To create a new forward lookup zone:

    1. Start the DNS snap-in. To do this, click Start, point to Administrative Tools, and then click DNS.
    2. Click the DNS Server object for your server in the left pane of the console, and then expand the server object to expand the tree.
    3. Right-click Forward Lookup Zones, and then click New Zone. The New Zone Wizard starts. Click Next to continue.
    4. Click Primary zone to create a master copy of the new zone. Click Next.
    5. In the Name box, type the name of the zone (for example, external.com), and then click Next.

NOTE: This is the external (registered) domain name exactly as it appears on the certificate, not the DNS suffix of your internal hosts.

    6. On the Zone File page, accept the default file name for the new zone file, and then click Next.
    7. On the Dynamic Update page, leave Do not allow dynamic updates selected and click Next. Workstations must not be able to register their own names inside your public namespace.
    8. Click Finish.

The new zone is listed under Forward Lookup Zones in the DNS tree.

Next we add a host (A) record for the Exchange name (webmail, mail, or whatever name is on the certificate) and point it at the internal IP of the Exchange 2010 server. Autodiscover and the other services then work the way they were intended; in my case this fixed both Out of Office and the auto-configuration test. Add a record for autodiscover as well if that name is on the certificate and in the public zone.

How to Create a Host Record

To create a host or “A” record:

    1. Start the DNS snap-in.
    2. Click the DNS Server object for your server in the left pane of the console, and then expand the server object to expand the tree.
    3. Expand Forward Lookup Zones.
    4. Under Forward Lookup Zones, right-click the zone that you want (for example, external.com), and then click New Host (A).
    5. In the Name (uses parent domain name if blank) box, type the name of the host that you want to add. For example, to add the Exchange name, type mail (or webmail, whichever name is on the certificate).
    6. In the IP address box, type the internal IP address of the host that you want to add. For example, type 192.168.0.100.
    7. Select the Create associated pointer (PTR) record check box if you have a reverse lookup zone for that subnet, and then click Add Host. You receive a message similar to the following:
       The host record mail.external.com was successfully created.
       Click OK.
    8. When you are finished adding hosts, click Done.

 

 

Note: If you have websites externally that also use the same domain name, for example http://www.external.com, you will also need to create a blank (A) record for the zone apex and a www (A) record pointing at the external address of those sites. Once the internal zone exists, your DNS server answers for the whole domain and never forwards to the public zone, so any public name you leave out stops resolving internally. The same goes for every public record you add later: keep the internal zone in step with the public one.
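The same zone and records can be built from the command line, which is easier to repeat on a second DNS server and easier to get right than clicking through the wizard twice. The script below is an added example (not from the original post) that uses dnscmd.exe, part of the DNS Server role on Windows Server 2008/2008 R2. It captures the public addresses of the mirrored names before the zone exists, creates the zone with dynamic updates off, adds the records, and then verifies the answers. The zone name external.com, DNS server DC01, CAS IP 192.168.0.100 and the host lists are placeholders.

```powershell
# Added example, not code from the original post: the forward lookup zone and host records
# from the steps above, built with dnscmd.exe and then verified. Run as a DNS admin on a
# domain member whose resolver points at the DNS server.
# Assumptions (placeholders): zone external.com, DNS server DC01, Exchange CAS internal IP
# 192.168.0.100; "mail" and "autodiscover" are the Exchange names on the certificate; the
# zone apex and "www" are public web hosts that must keep resolving to their public addresses.

$zone          = "external.com"
$dnsServer     = "DC01"
$casIp         = "192.168.0.100"
$exchangeHosts = "mail", "autodiscover"   # point at the CAS
$mirrorHosts   = "@", "www"               # keep their public addresses ("@" = zone apex)

function Resolve-IPv4([string]$fqdn) {
    # IPv4 answers only, sorted so two lookups can be compared as strings.
    try {
        @([System.Net.Dns]::GetHostAddresses($fqdn) |
          Where-Object { $_.AddressFamily -eq "InterNetwork" } |
          ForEach-Object { $_.IPAddressToString } | Sort-Object)
    } catch { @() }
}
function Get-Fqdn([string]$label) { if ($label -eq "@") { $zone } else { $label + "." + $zone } }

# 1. Capture the public addresses BEFORE the internal zone exists. Once the zone is created
#    this DNS server answers authoritatively and never forwards these names again.
$publicIps = @{}
foreach ($h in $mirrorHosts) {
    $ips = @(Resolve-IPv4 (Get-Fqdn $h))
    if ($ips.Count -eq 0) { throw "Cannot resolve $(Get-Fqdn $h) publicly; add it by hand or drop it from the list" }
    $publicIps[$h] = $ips
}

# 2. Create the primary zone (use /DsPrimary instead of /Primary /File to store it in AD)
#    and switch dynamic updates off: clients must not register names in the public namespace.
& dnscmd $dnsServer /ZoneAdd $zone /Primary /File ($zone + ".dns")
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed with exit code $LASTEXITCODE" }
& dnscmd $dnsServer /Config $zone /AllowUpdate 0

# 3. Exchange names -> CAS; mirrored names -> the public addresses captured in step 1.
foreach ($h in $exchangeHosts) { & dnscmd $dnsServer /RecordAdd $zone $h A $casIp }
foreach ($h in $mirrorHosts)   { foreach ($ip in $publicIps[$h]) { & dnscmd $dnsServer /RecordAdd $zone $h A $ip } }

# 4. Verify from a client's point of view.
& ipconfig /flushdns | Out-Null
foreach ($h in ($exchangeHosts + $mirrorHosts)) {
    $want = if ($exchangeHosts -contains $h) { @($casIp) } else { $publicIps[$h] }
    $got  = @(Resolve-IPv4 (Get-Fqdn $h))
    $ok   = (($got -join ",") -eq (($want | Sort-Object) -join ","))
    "{0,-4} {1,-30} -> {2}" -f $(if ($ok) { "OK" } else { "FAIL" }), (Get-Fqdn $h), ($got -join ",")
}
```

Step 1 is the part people skip: the moment the zone exists, internal clients lose the public answers for everything in it, so the public addresses you want to keep have to be captured first and written back as records.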

By doing this, all of the configurable URLs for Exchange 2010 can use the same name inside and out, which reduces the risk that one or more of your Outlook options stops working.

Did this article help you? Let me know!!

Questions? Drop me a line!

Exchange 2003 to Exchange 2010: The “Swing” Migration – Part 5


In the last part we had corrected some errors in the event log and our server was now humming along in complete unison with our Exchange 2003 Server.

The scenario:
Exchange 2003 still hosting email from internal and external sources. Exchange 2010 in place and able to pass email back and forth to the legacy Exchange Server. Public folder replication has been verified and we are ready to move mailboxes.
I had initially scheduled time a couple of weeks ago to start performing mailbox moves to test everything out. My plan was to move the three IS mailboxes and test connectivity and mail flow for a week before moving other mailboxes. The plan was slightly flawed, as I later found out.
How was I going to do it? The easiest method, without having to change external MX/DNS records, was this:
  1. Change the address of the Exchange 2003 server to a unique IP that I had set up with a DNS record earlier, legacy.mail.com.
  2. Change the Exchange 2010 server IP to match that of the old Exchange 2003 server.
  3. Thus the new server becomes the front end and the old server handles mail for any accounts that have not been moved.
The Flaw:
The big change in OWA would cause some ripples in our association's cellphone use. Since we use ActiveSync this would break all the cellphones. Why? Our Exchange 2003 did not use an SSL certificate; the new Exchange 2010 required one, so every phone had to be switched over to SSL.
Thus ended my first attempt: I made all the changes only to find out that our firewall service had not opened port 443 to the OWA address.
Tip: Make sure ports 25 and 443 are open from the Internet to your OWA address BEFORE you switch server IPs. Once those ports are verified open you can move forward.
The process:
  1. Change the IP on the Exchange 2003 server to an unused IP that has a DNS record set up for legacy.mail.com (insert your domain here).
  2. Delete the DNS record for your Exchange 2003 server in your local DNS.
  3. Create a new record for the new IP address of Exchange 2003.
    • This WILL break mail flow for the moment.
  4. On the Exchange 2010 server change the IP to the one your old Exchange 2003 server had.
    • The reason for this is that the DNS/MX records are already in place for webmail.mail.com, so we will not need to wait for any external records to propagate before we can start operating.
  5. Delete the old record in DNS for Exchange 2010 and create a new record with the correct address.
  6. Test your original webmail. It should go to the Exchange 2010 server now.
    • Don't forget that the webmail now uses https and ends with /owa instead of /exchange.
  7. Test the URL you set up, legacy.mail.com/exchange, and make sure you can access any mailboxes still on the old server.
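The tip above is worth automating, because the whole swap is wasted if the firewall is not ready. The script below is an added example (not from the original post) to run from outside the firewall, on a home connection or a phone hotspot, before the swap and again right after it. It confirms that 25 and 443 reach the public OWA name, reads the SMTP banner so you can tell which server answered, completes a TLS handshake on 443 and lists the names on the certificate the server presents, which is exactly what the phones will check. The name webmail.mail.com is a placeholder.

```powershell
# Added example, not code from the original post: the pre-flight check the tip above calls
# for, run from OUTSIDE the firewall before the IP swap. It confirms 25 and 443 reach the
# public OWA name, reads the SMTP banner (so you can tell which server answered), completes
# a TLS handshake on 443 and reports the names on the certificate the server presents.
# Assumption (placeholder): webmail.mail.com is the public OWA name.

$publicName = "webmail.mail.com"
$timeoutMs  = 20000

function Connect-Tcp([string]$target, [int]$port) {
    # Returns a connected TcpClient, or $null if the port is closed or filtered.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($target, $port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { $client.Close(); return $null }
        $client.EndConnect($async)
        return $client
    } catch { $client.Close(); return $null }
}

# Port 25: inbound mail. The banner names the host that answered.
$smtp = Connect-Tcp $publicName 25
if ($smtp) {
    $smtp.ReceiveTimeout = $timeoutMs
    $reader = New-Object System.IO.StreamReader($smtp.GetStream())
    try   { "25/tcp  open    banner: " + $reader.ReadLine() }
    catch { "25/tcp  open    but no banner within $timeoutMs ms" }
    $smtp.Close()
} else { "25/tcp  CLOSED or filtered: inbound mail to $publicName will fail" }

# Port 443: OWA and ActiveSync. The callback accepts any certificate so an untrusted chain
# is reported below instead of being hidden behind an exception; never do this in a real client.
$https = Connect-Tcp $publicName 443
if ($https) {
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($https.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($publicName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    # Subject CN plus every entry in the SAN extension (OID 2.5.29.17). Format() output is
    # locale-specific; this parses the English "DNS Name=host" form.
    $names = @($cert.GetNameInfo("DnsName", $false).ToLower())
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        $names += @($san.Format($false) -split ", " | ForEach-Object {
            $p = $_ -split "=", 2; if ($p.Count -eq 2) { $p[1].Trim().ToLower() } })
    }
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)   # $false means the phones will not trust it either
    "443/tcp open    subject: {0}" -f $cert.Subject
    "                expires: {0}   chain trusted: {1}" -f $cert.NotAfter, $chainOk
    "                names:   {0}" -f ($names -join ", ")
    if ($names -notcontains $publicName.ToLower()) {
        "                WARNING: $publicName is not on this certificate; phones and Outlook will refuse it"
    }
    $ssl.Close(); $https.Close()
} else { "443/tcp CLOSED or filtered: OWA and ActiveSync on $publicName will fail" }
```

Before the swap, the banner on 25 should still name the Exchange 2003 server; after it, the Exchange 2010 server, with 443 open and the public name on a trusted certificate. If the chain is not trusted, check that the intermediate certificate was installed with the server certificate.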
You have now successfully swapped your mail servers! Now the fun part.
Test mail inbound and outbound to internal and external accounts. I used a Hotmail and a Gmail account for testing. **Important: Test more than one Exchange account. In my scenario I thought it wasn't working, but it ended up being a permissions glitch on a single account. All other accounts worked fine.
Once testing has been completed I bit the bullet and moved all mailboxes attached to cellphone accounts.
Prior to moving servers I had done some preliminary research and sent out instructions on changing email settings on Windows Phone 7 to allow email to flow again. The only configuration difference was that SSL needed to be checkmarked to work.
Some isolated incidents where an Error presented itself after making this change required the Email, Contacts, Tasks, and Calendar to be un-synced. Once un-synced you could resync only email and then the rest and everything would work fine.
Important steps to take upon moving mailboxes:
  • Watch your mail flow like a hawk. Make sure the queues aren’t backing up on either server.
  • Prepare for fallout. Have instructions and documentation ready for the next business day.
  • Familiarize yourself with the Exchange Management Console (EMC) and the Exchange Management Shell (EMS), which replace Exchange System Manager in 2010.
  • If you have copiers/scanners or other devices that utilize email prepare to reconfigure them if need be.
    • Technically this shouldn’t be a problem if mail is flowing correctly.
In the next post I will go through some of the problems I ran into after the switch and how to fix them.
Let me know how your installs went!
Exchange 2003 to Exchange 2010: The “Swing” Migration – Part 4


Good morning and welcome back! Today I am going to do some updates on coverage for the current Exchange Server 2010 “Swing Migration” from Exchange Server 2003.


Initially this weekend's maintenance was going to cover these main items:

    1. Replicate Public Folders
    2. Install SSL Certificate for OWA
    3. Redirect the Domain FQDN for Exchange
    4. Swap the IP Addresses from Exchange 2003 to Exchange 2010
    5. Verify Mail Flow between servers

I will take a bit of time to explain how these items came about and the steps needed to proceed. In the original instructions some of these items were not mentioned or taken into account.


Replicating Public Folders:


On the Exchange 2003 Server, open Exchange System Manager > Locate the Public folders > If you cannot see your public folders, change the view to “View Public Folders”.

 

Select each one of your public folders, go to its properties and add in the New Exchange 2010 Server as a replication partner.

Note: If you have a lot of nested public folders then this can take ages; see the article on Public Folder Migration from Exchange 2003 to Exchange 2010.
Note: If mail cannot flow from 2003 to 2010 then the public folders will NEVER replicate, because replication messages travel as mail between the servers. Make sure mail flow works before expecting the folders to replicate.

In order to verify if the replication is working you can click “Details” on the properties screen to find the Sync status. I have found it will show one of two status messages. “In Sync” or “Local Modified”. So far as I can tell both mean the folders are syncing as this seems to be a quirk with Exchange 2003 not showing correct status reports. I recommend testing thoroughly before assuming it is working.


Install SSL Certificate for OWA:


One of the things that I also found we needed to facilitate was purchasing an SSL certificate in order to make sure OWA worked correctly. Our current setup did not use a certificate, which is not secure (OWA logons and mailbox content crossed the wire in the clear), but it is easier to set one up on the new server than to transfer one.

My suggestion, GET YOUR CERTIFICATE AHEAD OF TIME!!!

Hosting solutions can take up to 4 days I have found to complete this process. Make sure you know your domain names ahead of time and the requirements needed to request a certificate. Here’s what I learned:

  1. Exchange needs a certificate that covers several names at once: a Unified Communications Certificate (UCC), also sold as a SAN certificate.
  2. Each service or domain name you use will count as a single name on the certificate. Example:
    1. autodiscover.domain.com
    2. webmail.domain.com
    3. domain.com
    4. internal.domain.com
      1. This all means you would need 4 names on the certificate. Certificates come in 5, 10 and larger sizes.
  3. Shop around for prices!! They are not all built the same.

I will add instructions on installing Exchange certificates in another post, but every major hosting service also supplies support and instructions on them.

**Important note: When applying for your certificate make sure you have (1) a signed letter of intent and (2) proof that you can operate under the name being certified, or (3) federal tax information. The certificate vendor will ask for these items to verify your claim to the name.

Redirect the Domain FQDN for Exchange

Ok this one came out of left field and hit me when I was applying for my SSL Certificate.

Problem: My internal domain name does not match my external webmail domain. On top of that I do not own the external equivalent of my internal domain name. Therefore no authority can be given to the hosting certificate to provide SSL for it.

Answer: You need to redirect your internal domain on the new Exchange server to see the external one. How do I do this?

To reconfigure your domain to use only the external domain name you have a couple of options. If you are using Active Directory you can rename the internal Active Directory domain to a registered external name. This changes the internal FQDN of your Exchange servers so they become valid subdomains of your registered domain (for example, CASServer01.yourcompany.internal becomes CASServer01.yourcompany.com), allowing you to use a SAN certificate or a wildcard to secure these names. Be aware that Active Directory domain rename is not supported once Exchange 2007 or 2010 is installed in the forest, so that option only exists before the new server goes in. Alternatively, you can redirect the internal names to use the external mail URL, which is what follows, but this method will not allow access to mail using the Outlook Anywhere service, so users connecting over a VPN would have connection problems.

Redirecting your Exchange Server to use the External DNS Name

To update your Exchange 2007 or Exchange 2010 server you will need to run the following commands from the Exchange Management Shell, replacing HostName with the name of the server running the Client Access role and mail.yourdomain.com with your external domain name. These commands update the URL for the Autodiscover service, Exchange Web Services (EWS) and the Offline Address Book (OAB) respectively.

Before running these commands, make sure an internal DNS record exists mapping mail.yourdomain.com to the IP address of the Exchange Client Access (CAS) server; the split-brain zone described in the domain-name post above provides it.

Note: Each of the commands below should be run on a single line in the Exchange Management Shell (EMS):

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

IIS caches the old values, so to make these changes take effect you have to recycle the application pools that serve them.

1. Open IIS Manager by clicking Start, then enter inetmgr.

2. Expand the server and expand Application Pools, then right-click MSExchangeAutodiscoverAppPool and select Recycle. Do the same for MSExchangeServicesAppPool (EWS) and MSExchangeOABAppPool, since those URLs changed too.
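The three commands above fix the services the DigiCert article covers, but OWA, ECP and ActiveSync have the same InternalUrl/ExternalUrl pair and the same certificate problem, and Outlook Anywhere carries its own hostname. The script below is an added example (not code from the original post or from the DigiCert and PeteNetLive articles it draws on) that goes further than the text: it sets every virtual directory on one CAS, internal and external alike, to the single name that is on the certificate and in split-brain DNS, sets the Outlook Anywhere hostname to match, and recycles the application pools that cache the old values. The CAS name EX2010 and the namespace mail.yourdomain.com are placeholders.

```powershell
# Added example, not code from the original post or the articles it draws on: point every
# Exchange 2010 virtual directory on one CAS, InternalUrl and ExternalUrl alike, at the single
# name that is on the certificate and in split-brain DNS, then recycle the IIS application
# pools that cache those values. Run in the Exchange Management Shell as an Exchange admin.
# Assumptions (placeholders): CAS name EX2010, namespace mail.yourdomain.com. The Outlook
# Anywhere line and the OWA/ECP/ActiveSync entries go beyond what the post itself changes.

$cas       = "EX2010"
$namespace = "mail.yourdomain.com"
$base      = "https://" + $namespace

# Get/Set cmdlet pairs and the path each service answers on.
$services = @(
    @{ Get = "Get-AutodiscoverVirtualDirectory"; Set = "Set-AutodiscoverVirtualDirectory"; Path = "/Autodiscover/Autodiscover.xml" },
    @{ Get = "Get-WebServicesVirtualDirectory";  Set = "Set-WebServicesVirtualDirectory";  Path = "/EWS/Exchange.asmx" },
    @{ Get = "Get-OabVirtualDirectory";          Set = "Set-OabVirtualDirectory";          Path = "/OAB" },
    @{ Get = "Get-OwaVirtualDirectory";          Set = "Set-OwaVirtualDirectory";          Path = "/owa" },
    @{ Get = "Get-EcpVirtualDirectory";          Set = "Set-EcpVirtualDirectory";          Path = "/ecp" },
    @{ Get = "Get-ActiveSyncVirtualDirectory";   Set = "Set-ActiveSyncVirtualDirectory";   Path = "/Microsoft-Server-ActiveSync" }
)

# The service connection point that domain-joined Outlook reads from AD before trying DNS.
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri ($base + "/Autodiscover/Autodiscover.xml")

foreach ($s in $services) {
    $url = $base + $s.Path
    foreach ($vdir in @(& $s.Get -Server $cas)) {
        $before = "{0} / {1}" -f $vdir.InternalUrl, $vdir.ExternalUrl
        & $s.Set -Identity $vdir.Identity -InternalUrl $url -ExternalUrl $url
        "{0,-48} -> {1}   (was {2})" -f $vdir.Identity, $url, $before
    }
}

# Outlook Anywhere (RPC over HTTPS) has its own hostname; keep it on the same name.
# Get-OutlookAnywhere returns nothing if the feature is not enabled, so this is harmless then.
Get-OutlookAnywhere -Server $cas | Set-OutlookAnywhere -ExternalHostname $namespace

# IIS keeps the old values in memory until the pools recycle.
$appcmd  = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$present = @(& $appcmd list apppool /text:name)
foreach ($pool in "MSExchangeAutodiscoverAppPool", "MSExchangeServicesAppPool", "MSExchangeOABAppPool",
                  "MSExchangeOWAAppPool", "MSExchangeECPAppPool", "MSExchangeSyncAppPool") {
    if ($present -contains $pool) { & $appcmd recycle apppool "/apppool.name:$pool" }
}
```

Run it once, then repeat the Outlook Test E-mail AutoConfiguration check from the domain-name post: every URL in the Results tab should now carry the same hostname.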

This is about as far as I went on my Saturday maintenance. I had to wait on a SSL certificate that seemed to take forever and even if I did switch it I would have to recycle 40 cellphones that are not currently set up to use SSL.

Know when to call it quits. I verified that mail would flow back and forth and left it be for my next two week testing period.

Lessons learned.

I have yet to hear anyone else’s nightmare stories but I am sure they are out there!!! Lets hear them!

Resources:

 
http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
http://www.petenetlive.com/KB/Article/0000234.htm

Exchange 2003 to Exchange 2010: The “Swing” Migration – Part 3


Cleaning up errors after installation of Exchange 2010 in a co-existing environment setup.

At this point the new Exchange 2010 Server is peacefully co-existing with the Exchange 2003 Server. I have not changed routing or anything.

Referring back to Exchange 2003 to Exchange 2010: The “Swing” Migration – Part 2, I ran into a few errors during my 2 week testing period. These errors appeared every 15 minutes in the event log and were always in the same group of 3.

Event ID: 2501

Source: MSExchange ADAccess

Process MSEXCHANGEADTOPOLOGY (PID=1416). The site monitor API was unable to verify the site name for this Exchange computer – Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server.
——————————————————

Event ID: 2604
Source: MSExchange ADAccess

Process MSEXCHANGEADTOPOLOGY (PID=1416). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object EX2010 – Error code=8007077f.
 The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
——————————————————
Event ID: 2601
Source: MSExchange ADAccess
Process MSEXCHANGEADTOPOLOGY (PID=1416). When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account – Error code=8007077f.
 The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.
——————————————————

After hours of scouring the web I found the problem revolved around the network bindings on the new Exchange 2010 server. The server had four NICs with only one in use, and the unused adapters sat ahead of the live one in the TCP/IP binding order, so Exchange tried to reach Active Directory and DNS over an interface that went nowhere. The fix below moves the live connection to the top.

Solution:
To modify network adapter bindings in Windows Server 2008:
    1. Log on to the computer by using an account that has Administrator rights.
    2. Click Start, click Run, type ncpa.cpl, and then click OK.
    3. In the Network Connections window, press ALT+N to display the Advanced menu.
    4. Click Advanced Settings.
    5. In the Connections box, click the active network connection, and then click the arrow to move the connection to the top of the list.
    6. Click OK.
    7. Restart the Microsoft Exchange Active Directory Topology service. When you restart this service, the following dependent services are also stopped and must be started again:
    • Microsoft Exchange Transport Log Search
    • Microsoft Exchange Transport Log
    • Microsoft Exchange Service Host
    • Microsoft Exchange Search Indexer
    • Microsoft Exchange Replication Service
    • Microsoft Exchange Mail Submission
    • Microsoft Exchange Mailbox Assistants
    • Microsoft Exchange File Distribution
    • Microsoft Exchange EdgeSync
    • Microsoft Exchange Anti-spam Update
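The GUI does not show you the binding order it just changed, and restarting the topology service by hand means chasing each dependent afterwards. The script below is an added example (not from the original post): it prints the TCP/IP binding order from the registry key the Advanced Settings dialog writes, flags the condition behind these events (an adapter with no usable address bound ahead of the one carrying the server's IP), and, once the order is right, restarts the AD Topology service and brings back the dependents that were running. Run it as Administrator on the Exchange 2010 server; treating a NIC as "in use" only when it has a non-APIPA address is an assumption.

```powershell
# Added example, not code from the original post: show the TCP/IP binding order the GUI
# steps above change, flag the condition behind the 8007077f events (a NIC with no usable
# address bound ahead of the one carrying the server's IP), and restart the AD Topology
# service together with the dependents that were running. Run as Administrator on the
# Exchange 2010 server. Assumption: a NIC is "in use" when IPEnabled is true and its first
# address is neither empty nor APIPA (169.254.x.x).

$bind    = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage").Bind
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration

"TCP/IP binding order (the first entry is the one Exchange uses for AD site lookups):"
$position = 0; $firstInUse = -1
foreach ($entry in $bind) {
    # Entries look like \Device\Tcpip_{GUID}; the GUID is the adapter's SettingID in WMI.
    $guid = $entry -replace '^\\Device\\Tcpip_', ''
    $cfg  = $configs | Where-Object { $_.SettingID -eq $guid } | Select-Object -First 1
    $addr = if ($cfg -and $cfg.IPEnabled -and $cfg.IPAddress) { $cfg.IPAddress[0] } else { "" }
    $inUse = ($addr -ne "" -and $addr -notlike "169.254.*")
    if ($inUse -and $firstInUse -lt 0) { $firstInUse = $position }
    "{0}. {1,-48} {2}" -f ($position + 1), $(if ($cfg) { $cfg.Description } else { $guid }), $(if ($inUse) { $addr } else { "(no usable address)" })
    $position++
}

if ($firstInUse -lt 0) {
    Write-Warning "No adapter with a usable address was found in the binding list; check the NIC configuration first."
    return
}
if ($firstInUse -gt 0) {
    Write-Warning "The adapter in use is not first in the binding order. Move it to the top in ncpa.cpl > Advanced > Advanced Settings, then re-run this script."
    return
}

# Binding order is right: restart MSExchangeADTopology. -Force stops its dependents; the ones
# that were running are started again explicitly (Start-Service on a running service is harmless).
$topology   = Get-Service MSExchangeADTopology
$wasRunning = @($topology.DependentServices | Where-Object { $_.Status -eq "Running" } | ForEach-Object { $_.Name })
Restart-Service MSExchangeADTopology -Force
foreach ($name in $wasRunning) { Start-Service $name -ErrorAction SilentlyContinue }
Get-Service (@("MSExchangeADTopology") + $wasRunning) | Format-Table Name, Status -AutoSize
```

After the restart, watch the Application log for fifteen minutes: if 2501, 2604 and 2601 do not come back, the binding order was the cause.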
Did you find this solution helpful?
What other odd errors have you run across?