Thursday, July 30, 2009

An example of what not to do. Article published on setting up an Edge 2007 Server without EdgeSync.

Ehlo All,

Yes, you read the title correctly, an Edge 2007 Server without EdgeSync. Why would anyone ever deploy an Edge 2007 Server without EdgeSync, the synchronization functionality? You got me. But, Neil Hobson published on an article how to set it up. You can check it out here, but I do not recommend this configuration, and would be very curious to know why the quoted organization couldn't use it. He really should have elaborated why it was done, since this is NOT recommended.

For some background, check out this MSDN blog which has the pro's/con's for EdgeSync. Check it out here. To summarize you lose gateway based recipient filtering, safelist block/accept, config and admin is easier on setup, and traffic is encrypted by default. If you do without EdgeSync, do not spend the money on an Exchange license. Save it for another mail gateway product. Sometimes, publishes article of questionable value, this is one of them until they elaborate the purpose of runnings without EdgeSync.


Friday, July 24, 2009

Great Time Saving Tip for Installing Exchange 2007 SP1 on Windows 2008

Ehlo All,

Want to safely speed up install times and make less mistakes (e.g. forgetting to install a prerequisite, role, or feature) on your installs of Exchange 2007 SP1 on Windows 2008. The smart creators of Exchange (aka Microsoft Exchange Server Team) via their blog announced and released a GREAT tool. Normally, you have to separately install numerous prerequisites, roles, and features which can take a while. So, they released an all-in-one way to do this via XML files for each role option. Here are the 6 options with 2 clarified. Or you can manually install the needed software via this Microsoft TechNet article.

Exchange-Base = installs Server Manager, PowerShell, and RSAT-ADDS
Exchange-ClusMBX = clustered mailbox


Exchange 2007 SP2 is coming soon (before Oct)

Ehlo All,

According to the official Microsoft Exchange Server Team Blog posting, Exchange 2007 SP2 is arriving before October 2009. Technically, they said Q3 2009, but easier to say before October, than July, August, or September. 3 biggest changes will be:

1) ability to backup with an OS provided tool within Windows 2008 (right now you can't w/o 3rd party)
2) auditing Exchange events (e.g. configuration changes, etc)
3) interoperability with Exchange 2010 (I plan to jump as quickly as I can to 2010 once my 2 critical Exchange add-on apps work)


Exchange 2007 SP1 Update Rollup 9 Released

Ehlo All,

MS Exchange Server Team Blog announced on 7/17/09 that the Exchange 2007 SP1 update rollup 9 was released. You can read more about it here. I've downloaded it and loaded it on my own production server and no issues to report. I did notice when I installed it, I had skipped rollup 8, and even on reboot, Windows Updates wanted rollup 8 installed. Which is wrong, since rollups are cumulative. I hide rollup 8. Oh well, don't make a mistake and install a downgraded version.


Thursday, July 23, 2009

Field Notes - Exchange 2007 Edge Troubleshooting

Ehlo All,

So, I figured I would share more of my daily work from the field. That means more troubleshooting, upgrade issues, successes, and all around adventure. A client of REEF Solutions (using REEF Solutions' hosted clustered spam, virus, and DoS protection solution which has handled about 550,000+ messages a day over the past month) with their own in-house IT staff was working on an Exchange 2007 migration from 2003 that had email flow problems and almost 9,000 valid messages were stuck in the Edge queue. I was called in to assist after the client's IT was on the phone with Microsoft Professional Support Services for over 3 hrs and there was no solution and they were considering reinstalling Edge. Client was restless, since email downtime was suppose to end after 7 days or so, but it didn't.

The client had migrated to 2 new servers, an Exchange 2007 Mailbox/CAS/Hub & Edge both on Windows 2008 Server 64 bit. During the upgrade they implemented an Exchange 2007 Edge Server. This was to replace an existing non-Exchange smtp gateway server. They previous had a single Exchange 2003 environment. After the Edge implementation, email would flow from the Mailbox Server to Edge to Internet, but not the reverse. Client IT had tested and telneting between the Edge and Mailbox worked, and vice versa, but email would not flow. Edge was in a DMZ. MS PSS had done a lot of things, but the email was still not flowing. During the the entire week long downtime, REEF Solutions had queued up email off-site (9k of valid non-spam messages) for the client.

Troubleshooting and Solution
1) Running the built-in Exchange troubleshooting analyzer reported errors on both servers. Running it on Mailbox reported not seeing Edge, and vice versa. This was because the DMZ didn't have those ports open for RPC and other ports. Not a big deal, but makes troubleshooting harder.
2) pinging the Mailbox and Edge servers NETBIOS name worked from both servers.
3) from Mailbox and Edge, telneting via port 25 to generate "homemade" email both ways was successful.
4) on Mailbox ran "Test-EdgeSynchronization" and it passed with flying colors.
5) on Mailbox ran "Test-EdgeSynchronization -VerifyRecipient" and it was successful. Obviously, pick an email in your domain. This is testing the AD Application Mode (ADAM) replication [1 way from AD -> Edge] for storage of configuration and recipient information. This is because Edge is a non-domain computer and doesn't have access to AD like a normal domain based server.
6) checked the hosts files on both servers. And added due to a known IPv6 issue, the NETBIOS and FQDN of each server and the other server in their hosts file. So, if your mailbox server was called "mailboxsrv", in the hosts file would say " mailboxsrv" and then line 2 would be "" and comment out the ::1 localhost entry to "#::1 localhost".
7) on Mailbox server in EMC - Organization Configuration - Hub Transport - Send Connectors - EdgeSync - Inbound to Mailbox Server - Route mail through the following smart hosts: {your mailbox server IP})
8) on Edge, saw an Event log error for a non-valid SSL cert, so on the Mailbox and Edge server, if I recall, under EMC - Hub Transport - Send Connectors - Network - unchecked "Enable Domain Security (Mutual-Auth TLS)". This is an excellent article by MVP Elan Shudnow that discusses transport layer security between Edge and Transport.
9) on Mailbox, ran "Start-EdgeSynchronization" and the configuration changes I made replicated to the Edge server.
10) since all inbound port 25 is restricted from REEF's clustered email filtering solution, I generated email from their and tested inbound flow from cluster - edge - mailbox, and it was successful. And then I tested outbound email and it worked. Then the 9k message queue quickly reduced down to 0.

FYI: if you need to reinstall the Edge or Transport Server and have messages in your queue, you can backup it up, re-install Edge or Transport services, and then restore the database. Edge queue database is ESE based, like Exchange. An excellent article by explaining the backup and restore process by Joshua Raymond is here.

Problem solved.

Monday, July 20, 2009

Exploring iSCSI for the 1st Time - An Easy Intro for new beginners

Ehlo All,

So, I have to admit it. I'm an iSCSI SAN newbie. While people are afraid to repair an Exchange database via eseutil, install and configure the SSL certificate for Exchange 2007's Outlook Anywhere, routing groups, and configure DNS TTLs, I'm very comfortable with all that. On the other hand, iSCSI, that's a foreign language to me. With terms like target IQN, LUN mapping, SCSI Serial No, SCSI ID, blockio, etc, it's understandable, at least to me. To summarize, iSCSI target means iSCSI sharing server, iSCSI intiator means client.

So, I finally had 2 scenarios that warranted that I setup an iSCSI environment. I needed more storage capacity in my ESXi environment and one of my "traditional" Windows 2003 Server. Traditional meaning a physical server. So, while adding internal storage is possible, it would have been a real pain since all the slots were filled. So, I had an existing Windows 2003 Server with a LOT of extra storage (4.4 trillion bytes, or 4.4 TB). I made a BIG mistake when quoting storage for it, so I have way to much storage on one server. So, how could I reliabily share storage over the network and appear as a locally connected drive letter on boot, iSCSI!

I considered 3 options, since I needed it to run on top of an existing Windows Server OS.
1) formerly LeftHand Networks (aka LHN) SAN VSA (VMware appliance). LHN was a hardware and software SAN vendor. They use to offer a free* VSA 8.0 which included a management application to configure the SAN solution. *I searched, and could not find the free unlimited usage VSA option anymore, so I would not recommend this approach.
2) open-source/free OpenFiler (aka OF) SAN (Linux, VMware, 2 Xen options, and more). This is really designed for the Linux crowd, some experience SAN users, or diligent admins.
3) Starwind (Windows). Designed for the SAN newbie and offers a free option.
[updated Starwind URL to correct one as per below comment.]

LHN VSA: I had LHN's VSA working in a cluster replicating file data, but decided I only wanted one VSA running for this. But for some odd reason when I removed it from the cluster, it would not let me add volumes to it. I spent a few hours troubleshooting this, but it looks like HP (which acquired LHN) dropped the free VSA option and the great support website. So, I decided to "drop" VSA as an option as well.

OF: I downloaded the OF 2.3 VMware VMDK, unzipped it, and placed it in a VM directory and it booted right up within VMware Server 2.0.1. Changed the IP and password via the web interface and ran the web based updater. Very clean interface, but very few wizards and little documentation. They also charge $60 for the manual. I guess the manual is not open-source. A bit frustrating especially since this is a community product. I would normally donate to the cause, but I'm not a fan of their business model approach. So, I used the following 2 websites and 1 OF forum posting to understand what I needed to do. Not surprisingly, that forum poster left OF and went to Starwind. OF is really designed for bare metal computer installs with your own hardware RAID already setup. But if you know the limitations, it can work for other purposes.

Overview with screenshots of OF iSCSI configuration

Overview with screenshots of ESX iSCSI connection to OF

Bonus - Good Overview of iSCSI and OF (connecting with Windows Server iSCSI initator)

At the end of the day, OF is serving iSCSI storage in my environment.
- Windows 2003 R2 Server running 3Ware 9550SXU-4LP hardware with RAID 5 configuration
- VMware Server 2.0.1 running on above Windows 2003 R2 Server
- OpenFiler VM configured for 2 additional virtual hard drives, each 100GB which are in a OF software RAID 1 setup. Protect against software corruption.
- ESXi handling the iSCSI initator to the above server (but you could easily make Windows the iSCSI initator which I plan to do in a few weeks. Microsoft offers for free the iSCSI initator.)


Tuesday, July 14, 2009

Exchange 2007's Outlook Anywhere Overview Article

Ehlo All,

Here is a good overview and refresher article about Exchange 2007's feature of Outlook Anywhere. I added my 2 cents via the comments about not needing expensive SAN/UCC SSL certificates for auto-discovery functionality. There's a lot of mis-information about this on the internet. Which reminds me, an upcoming blog posting will discuss Exchange 2007's auto-discovery feature and how it's not the answer to the holy grail which many make it out to be.