E14 – New-ClientAccessArray

 


In simple terms a CAS Array is a set of Exchange 2010 CAS servers that are load balanced using either Windows Network Load Balancing, Microsoft ISA Server or a third party load balancing appliance.

Without configuring a CAS Array the Outlook client will connect to a single CAS server within the Active Directory Site and the connection would fail should that CAS server go offline.

The array configuration takes two steps:

1. Configure the CAS servers in a Windows Network Load Balancing cluster.
2. Configure the CAS Array in Exchange.

There can be only one CAS array configured per Active Directory Site.

Also while creating a new Mailbox database in the AD site, the value for the CAS Array was automatically picked up.

New-ClientAccessArray -Name "BQT CAS Array" -Fqdn BQT-CAS.MSFT.corp.com

 

[PS] C:\Windows\system32>New-ClientAccessArray -name "MSFT CAS Array" -Fqdn "mail.MSFT.com" -Site "BQT"

 


 

[PS] C:\Windows\system32>Get-ClientAccessArray | fl

RunspaceId        : ebdf1c27-5bea-4340-ac8e-bade81284e3d
Fqdn              : mail.MSFT.com
Site              : corp.com/Configuration/Sites/BQT
SiteName          : BQT
Members           : {BQT-E14CAS1}
AdminDisplayName  :
ExchangeVersion   : 0.1 (8.0.535.0)
Name              : MSFT CAS Array
DistinguishedName : CN=MSFT CAS Array,CN=Arrays,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Gr
                    oups,CN=MSFT,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=com
Identity          : MSFT CAS Array
Guid              : 0a28a536-c7c7-4cfe-a3ce-69df9a2ab712
ObjectCategory    : corp.com/Configuration/Schema/ms-Exch-Client-Access-Array-2
ObjectClass       : {top, server, msExchExchangeServer, msExchClientAccessArray}
WhenChanged       : 2010/3/18 下午 01:29:48
WhenCreated       : 2010/3/18 下午 01:29:48
WhenChangedUTC    : 2010/3/18 上午 05:29:48
WhenCreatedUTC    : 2010/3/18 上午 05:29:48
OrganizationId    :
OriginatingServer : dc13.MSFT.corp.com
IsValid           : True

 

Get-ClientAccessArray -site bqt | Set-ClientAccessArray -name "BQT-CAS-Array"
Get-ClientAccessArray -site bqt | Set-ClientAccessArray -fqdn bqt-cas.MSFT.corp.com

 

 


E2K7 CCR: How to Configure the Node and File Share Majority Quorum

 

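How to configure the file share witness

  • <ShareUNCPath> is the UNC path of the file share (for example, \\E2K7HUB1\MNS_FSW_E2K7CCR).
  • <CMSName> is the name of the clustered mailbox server (for example, E2K7CCR).
  • <Directory> is the full path of the shared directory (for example, C:\MNS_FSW_DIR_E2K7CCR).
  • <CSA> is the cluster service account.
  • <ClusterName> is the name of the cluster itself (for example, EXCLUS1).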

 


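Create and secure the file share for the file share witness

  1. Run the following command at a command prompt to create the directory that will be used for the share:
    mkdir <Directory>
    The following naming convention is recommended for the directory name: "MNS_FSW_DIR_<CMSName>"

  2. Run the following command to create the share:
    net share <shareName>=<Directory> /GRANT:<CSA>,FULL
    We recommend the following naming convention for the share name: "MNS_FSW_<CMSName>"

  3. Run the following command to assign permissions to the share:
    cacls <Directory> /G BUILTIN\Administrators:F <CSA>:F
    While logged on with the cluster service account, confirm that the share is accessible from the first cluster node. Use Windows Explorer or another application to verify that the share works by opening the file share. If you use an account other than the cluster service account, you receive an "Access denied" message.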
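
One way to check the result of the cacls step (an added example, not part of the original procedure; the function name, its parameters and the account CORP\clustersvc in the usage comment are assumptions). It reports any allow entry other than BUILTIN\Administrators and the cluster service account, and either of those two that lacks Full Control:

```powershell
# Added example: verify the NTFS ACL on the file share witness directory.
# Function and parameter names are hypothetical.
function Test-FswDirectoryAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Directory,
        [Parameter(Mandatory = $true)][string]$ClusterServiceAccount   # DOMAIN\user
    )

    # The cacls command above grants Full Control to exactly these two principals.
    $expected    = @('BUILTIN\Administrators', $ClusterServiceAccount)
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $findings    = @()

    $acl   = Get-Acl -Path $Directory -ErrorAction Stop
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })

    # Any other principal with an allow entry widens access to the witness data.
    foreach ($ace in $allow) {
        $who = $ace.IdentityReference.Value
        if ($expected -notcontains $who) {
            $findings += "Unexpected access: $who ($($ace.FileSystemRights))"
        }
    }

    # Both expected principals must hold Full Control.
    foreach ($name in $expected) {
        $hasFull = $allow | Where-Object {
            $_.IdentityReference.Value -eq $name -and
            (([int]$_.FileSystemRights) -band $fullControl) -eq $fullControl
        }
        if (-not $hasFull) { $findings += "Missing Full Control: $name" }
    }

    # An empty result means the ACL matches what the procedure sets.
    $findings
}

# Usage with the page's example directory and a constructed account name:
# Test-FswDirectoryAcl -Directory 'C:\MNS_FSW_DIR_E2K7CCR' -ClusterServiceAccount 'CORP\clustersvc'
```

This checks only the NTFS permissions on the directory; the share permission granted by net share is separate.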

 

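Configure the MNS quorum to use the file share witness

  1. To set the property, run the following command at a command prompt:
    Cluster <ClusterName> res "Majority Node Set" /priv MNSFileShare=<ShareUNCPath>

  2. When the command run in step 1 completes, it produces a warning message. The message indicates that the resource must be restarted for the change to take effect. The following is an example of the output generated by the step 1 command: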
    Cluster <ClusterName> res "Majority Node Set" /priv MNSFileShare=<ShareUNCPath>

    系統警告 5024 (0x000013a0)。

    內容已存放,但要到下次資源連線時,變更才會全部生效。

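    If the share is unavailable or inaccessible, an access denied error may be generated.

    Depending on your permissions, you may need to access the share from a session that uses the cluster service account. The access test is performed by the Cluster service, which can access the share when the permissions are set appropriately.

  3. Run the following command to restart the resource and apply the change:
    Cluster <ClusterName> group "Cluster Group" /move
    The preceding command produces output similar to the following: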

    Moving resource group ‘Cluster Group’
    群組                     節點          狀態
    叢集群組 <節點名稱> 線上

  4. Repeat the command in step 3 to complete the configuration.

  5. To check the file share property value, run the following command:
    Cluster <ClusterName> res "Majority Node Set" /priv

 

C:\Users\exchadm>cluster /list
叢集名稱
———–
2008CLUSTER
BQT-CLUSTER1
2008CLUSTER
BQT-CLUSTER1
BQT-DAG1
V2008

 

C:\Users\exchadm>cluster resource
列出所有可用資源的狀態:

資源                 群組                 節點            狀態
——————– ——————– ————— ——
Exchange 系統服務員執行個體 (BQT-CCR1) BQT-CCR1             CCM1            連線

Exchange 資訊儲存庫執行個體 (BQT-CCR1) BQT-CCR1             CCM1            連線

First Storage Group/Mailbox Database (BQT-CCR1) BQT-CCR1             CCM1
     連線
IPv4 Static Address 1 (BQT-CCR1) BQT-CCR1             CCM1            連線
Network Name (BQT-CCR1) BQT-CCR1             CCM1            連線
Second Storage Group/BQT-CCR1_SSG_JUN (BQT-CCR1) BQT-CCR1             CCM1
      連線
Third Storage Group/BQT-CCR1_TSG_OCT (BQT-CCR1) BQT-CCR1             CCM1
     連線
檔案共用見證 (\\BQT-MB07\NFSM) 叢集群組                 ccm2            連線
叢集 IP 位址             叢集群組                 ccm2            連線
叢集名稱                 叢集群組                 ccm2            連線

 


E14 – Configure Outlook Anywhere in an Environment with Earlier Versions of Exchange

 

 

When you deploy the Outlook Anywhere feature (formerly known as RPC over HTTP) on a Microsoft Exchange Server 2010 Client Access server that will provide access to Microsoft Exchange Server 2007 or Exchange Server 2003, you must configure Outlook Anywhere for the earlier versions.

Looking for other management tasks related to Exchange 2010 Outlook Anywhere? Check out Managing Outlook Anywhere.

  Configure Outlook Anywhere for Exchange Server 2003

You can configure Outlook Anywhere for the original release version of Exchange 2003 and for Exchange 2003 with Service Pack 1 (SP1) or SP2 by following the configuration steps for RPC over HTTP for these versions of Microsoft Exchange. For detailed steps, see How to Configure Outlook Anywhere with Exchange 2003.

  Configure Outlook Anywhere for Exchange Server 2007

Use the EMC or the Shell in Exchange Server 2007 to enable Outlook Anywhere for your organization. For detailed steps, see How to Enable Outlook Anywhere.

  Other Tasks

After you configure Outlook Anywhere for earlier versions of Exchange, you may also want to:

 

 

 


E14 – Proxying for Outlook Web App

 


The following scenario shows how incoming requests are handled for a user who connects to an Exchange 2010 Client Access server named CAS-01 using Outlook Web App.

  1. The Client Access server queries Active Directory to determine the location of the user’s mailbox and the version of Microsoft Exchange installed on the Mailbox server. If the user’s mailbox is on an Exchange 2010 Mailbox server, go to step 3.
  2. An E2K3 user cannot use https://exchangeFQDN/OWA to access the E2010 CAS.
  3. Outlook Web Access could not find a mailbox for MSFT\bqt.msv12. If the problem continues, contact technical support for your organization and tell them the following: The mailbox may be stored on a Microsoft Exchange 2000 or Microsoft Exchange 2003 server, or the Active Directory user account was created recently and has not yet replicated to the Active Directory site where this Client Access server is hosted.

    Request
    Url: https://oaw.MSFT.com:443/owa/auth/error.aspx
    User host address: 10.82.162.143

     

  4. Access must go through https://exchangeFQDN/Exchange.

    The E2010 CAS proxies the request directly to the E2K3 B-E in the same site or in a different site.

    If the user’s mailbox is on an Exchange 2003 server and the user tried to access Outlook Web App using https://domain name/owa, they’ll receive an error.

    If the user tries to access https://domain name/exchange or https://domain name/public, the incoming request is proxied to the Exchange 2003 server that hosts the user’s mailbox and the Outlook Web App virtual directory.

    If the incoming request is to an Exchange 2010 Client Access server in a different Active Directory site than the destination back-end server, the request will be proxied to the destination back-end server directly, even if there’s an Exchange 2010 Client Access server within the destination Active Directory site.

    If the incoming request is to an Exchange 2010 Client Access server within the same Active Directory site as the destination back-end server, the request will be proxied directly to the destination back-end server.

  5. When E2010 users access OWA, if the CAS server that AD determines for the user has an External URL, redirect mode is used; if it has no External URL, the Internal URL is used to proxy instead.

    Integrated Windows authentication must also be enabled.

    If the user’s mailbox is on an Exchange 2010 mailbox server, CAS-01 locates a Client Access server in the same Active Directory site as the user’s mailbox server. When one is found, Exchange 2010 determines whether the Client Access server has the InternalURL property configured and whether the authentication method on the virtual directory is set to Integrated Windows authentication. CAS-01 then determines whether an external URL is specified.

    If so, the user is redirected to the server specified by the ExternalURL property. If an external URL isn’t specified, CAS-01 will proxy the user’s request to the Client Access server that’s specified by the InternalURL property.

  6. An internal URL is configured automatically during Exchange 2010 Setup. For Client Access servers that don’t have an Internet presence, the ExternalURL property should be set to $null.
  7. Proxying Configuration
    If your Client Access server is Internet-facing, set the ExternalURL property on the Exchange ActiveSync and Outlook Web App virtual directories using the Exchange Management Console or the Exchange Management Shell. The InternalURL property is configured automatically during the initial setup of Exchange 2010 and should rarely have to be changed.

    The ExternalURL property should contain the domain name that’s registered for your Exchange organization in DNS. The following table contains the appropriate values for the ExternalURL and InternalURL properties for an Internet-facing Client Access server for the Exchange organization named http://www.contoso.com. The second table contains the appropriate ExternalURL and InternalURL property values for a non-Internet-facing Client Access server in a second Active Directory site for http://www.contoso.com. You must configure the authentication method on all these virtual directories to be Integrated Windows authentication. Proxying isn’t supported for virtual directories that use other authentication methods.

  8. If new Outlook Web App virtual directories are created using the Exchange Management Shell, you must manually configure the InternalURL property on those virtual directories.


E14 Proxying for Exchange ActiveSync

 


If User 1 tries to access Client Access server 02 using Exchange ActiveSync, they’ll receive an error because Client Access server 01 is the appropriate Client Access server for their mailbox.

1. The following scenario shows how incoming requests are handled for a user who connects to an Exchange 2010 Client Access server named CAS-01 using a mobile device.

2. The Client Access server queries the Active Directory to determine the location of the user’s mailbox and the version of Microsoft Exchange installed on the Mailbox server. If the user’s mailbox is on an Exchange 2010 computer that has the Mailbox server role installed, go to step 3.

3. Exchange ActiveSync always works by proxying to the Exchange 2003 B-E ActiveSync IIS virtual directory in the same AD site or in a different one.

The E2010 CAS can proxy directly to the E2K3 B-E.

If the user’s mailbox is on an Exchange 2003 server, the incoming request is proxied to the Exchange 2003 server that hosts the user’s mailbox and the Exchange ActiveSync virtual directory. By default, in Exchange 2003, the Exchange ActiveSync virtual directory was installed on all mailbox servers. If the incoming request is to an Exchange 2010 Client Access server that’s in a different Active Directory site than the destination back-end server, the request will be proxied directly to the destination back-end server, even if there is an Exchange 2010 Client Access server within the destination Active Directory site. If the incoming request is to an Exchange 2010 Client Access server within the same Active Directory site as the destination back-end server, the request will be proxied directly to the destination back-end server.

4. Integrated Windows authentication must be enabled on E2K3 so that E2K3 B-E users can authenticate to the virtual directory through the E2010 CAS.

Users who have mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This enables the Exchange 2010 Client Access server and the Exchange 2003 back-end server to communicate using Kerberos authentication.

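5. E2010 users must go through the CAS internalURL with Integrated Windows authentication for ActiveSync proxying.

Otherwise ActiveSync proxying cannot take place.

If the CAS has an ExternalURL, meaning it is an Internet-facing CAS, ActiveSync proxying to it is not possible.

The correct ExternalURL of the user's own AD site must be configured directly for ActiveSync Internet access.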

If the user’s mailbox is on an Exchange 2010 Mailbox server, CAS-01 locates a Client Access server in the same Active Directory site as the user’s Mailbox server. If there’s a Client Access server closer to the user’s Mailbox server, Exchange 2010 determines whether the Client Access server has the InternalURL property configured and if the authentication method is Integrated Windows authentication.

If so, the user is proxied to the Client Access server specified by the InternalURL property. Otherwise, the request is rejected. An error code is returned to the mobile phone if the request is rejected. If the proxied Client Access server has the ExternalURL property configured on the Microsoft-Server-ActiveSync virtual directory, an HTTP error code 451 will be returned.

6. Proxying does not support Basic authentication; Integrated Windows authentication must be enabled.
Proxying isn’t supported between virtual directories that use Basic authentication. For client communications to be proxied between virtual directories on different servers, the virtual directories must use Integrated Windows authentication.
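
The decision rules from this section and from the Outlook Web App section above, modeled as a PowerShell function (an added example, not Exchange or Microsoft code; the function name, parameter names and sample host names are hypothetical, and checking ExternalURL before InternalURL is one reading of the text):

```powershell
# Added example: a model of the proxy/redirect rules described above.
# It is not Exchange code; all names here are hypothetical.
function Get-CasRequestOutcome {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('OWA', 'ActiveSync')]
        [string]$Protocol,
        [Parameter(Mandatory = $true)][ValidateSet('2003', '2010')]
        [string]$MailboxVersion,
        [string]$RequestPath = '/owa',   # OWA only: /owa, /exchange or /public
        [string]$InternalUrl,            # InternalURL of the target virtual directory
        [string]$ExternalUrl,            # ExternalURL of the target virtual directory
        [bool]$IntegratedWindowsAuth     # Integrated Windows auth on the target
    )

    if ($MailboxVersion -eq '2003') {
        if ($Protocol -eq 'OWA') {
            # Exchange 2003 mailboxes are reachable only via /exchange or /public.
            if ($RequestPath -match '^/(exchange|public)(/|$)') {
                return 'Proxy directly to the Exchange 2003 back-end server'
            }
            return 'Error: mailbox not found under /owa'
        }
        # ActiveSync needs Integrated Windows auth on the Exchange 2003 virtual directory.
        if ($IntegratedWindowsAuth) { return 'Proxy directly to the Exchange 2003 back-end server' }
        return 'Error: device cannot synchronize'
    }

    $hasInternal = -not [string]::IsNullOrEmpty($InternalUrl)
    $hasExternal = -not [string]::IsNullOrEmpty($ExternalUrl)

    if ($Protocol -eq 'OWA') {
        # An ExternalURL on the CAS in the mailbox site means redirect, not proxy.
        if ($hasExternal) { return "Redirect to $ExternalUrl" }
        if ($hasInternal -and $IntegratedWindowsAuth) { return "Proxy to $InternalUrl" }
        return 'Cannot proxy: needs InternalURL and Integrated Windows auth'
    }

    # ActiveSync is never redirected; an ExternalURL on the target yields 451.
    if ($hasExternal) { return 'HTTP 451 returned to the device' }
    if ($hasInternal -and $IntegratedWindowsAuth) { return "Proxy to $InternalUrl" }
    return 'Request rejected, error code returned to the device'
}

# Constructed sample targets; host names are made up.
$eas = 'https://cas-02.corp.example/Microsoft-Server-ActiveSync'
$cases = @(
    @{ Protocol = 'OWA'; MailboxVersion = '2003'; RequestPath = '/owa' },
    @{ Protocol = 'OWA'; MailboxVersion = '2003'; RequestPath = '/exchange' },
    @{ Protocol = 'OWA'; MailboxVersion = '2010'; InternalUrl = 'https://cas-02.corp.example/owa'; IntegratedWindowsAuth = $true },
    @{ Protocol = 'OWA'; MailboxVersion = '2010'; InternalUrl = 'https://cas-02.corp.example/owa'; ExternalUrl = 'https://mail2.example.com/owa'; IntegratedWindowsAuth = $true },
    @{ Protocol = 'ActiveSync'; MailboxVersion = '2010'; InternalUrl = $eas; IntegratedWindowsAuth = $false },
    @{ Protocol = 'ActiveSync'; MailboxVersion = '2010'; InternalUrl = $eas; ExternalUrl = 'https://mail2.example.com/Microsoft-Server-ActiveSync'; IntegratedWindowsAuth = $true }
)
foreach ($c in $cases) {
    '{0,-10} {1}  ->  {2}' -f $c.Protocol, $c.MailboxVersion, (Get-CasRequestOutcome @c)
}
```

On a live server the InternalURL and ExternalURL values come from Get-OwaVirtualDirectory and Get-ActiveSyncVirtualDirectory.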

Proxying InternalURL and ExternalURL settings for an Internet-facing Client Access server


Proxying InternalURL and ExternalURL settings for a non-Internet-facing Client Access server

E14 Overview CAS Proxy AND Redirection

 

1. A Client Access server can also perform redirection for Microsoft Office Outlook Web App URLs. Redirection is useful when a user is connecting to a Client Access server that isn’t in their local Active Directory site.

2. If you don’t have multiple Active Directory sites in your organization, you don’t have to configure Exchange 2010 for proxying or redirection.

3. In Microsoft Exchange Server 2003, the front-end server communicates with the back-end server over HTTP. In Exchange 2010, the Client Access server communicates with the Mailbox server over RPC. You must have an Exchange 2010 Client Access server in every Active Directory site that contains a Mailbox server. Proxying occurs when one Client Access server sends traffic to another Client Access server. An Exchange 2010 Client Access server can proxy requests in the following two situations:

  • Between Exchange 2010 Client Access servers: Proxying requests between two Exchange 2010 Client Access servers enables organizations that have multiple Active Directory sites to designate one Client Access server as an Internet-facing server and have that server proxy requests to Client Access servers in sites that have no Internet presence. The Internet-facing Client Access server then proxies the request to the Client Access server closest to the user’s mailbox. This is known as CAS-CAS proxying.
  • Between an Exchange 2010 Client Access server and Exchange 2007 Client Access servers: Proxying requests between an Exchange 2010 Client Access server and an Exchange 2007 Client Access server enables Exchange 2010 and Exchange 2007 to coexist in the same organization.

4. Proxying is supported for clients that use Outlook Web App, Exchange ActiveSync, and Exchange Web Services. Although the Availability service supports proxying, it has its own built-in logic for handling proxying and doesn’t require explicit configuration. Proxying is supported from one Client Access server to another Client Access server when the destination Client Access server is running the same version of Microsoft Exchange as, or an earlier version of Microsoft Exchange than, the source Client Access server. The following figure shows how proxying works in an organization that has multiple Client Access servers and multiple Mailbox servers.

5. In each Exchange organization, only one Client Access server must be Internet-facing. A Client Access server that has no Internet presence doesn’t have to have its own Internet host name. It relies on the Internet-facing Client Access server to proxy all pertinent requests from external clients.

6. Proxying won’t work for Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) clients. A client who’s using POP3 or IMAP4 must connect to a Client Access server in the same Active Directory site as their Mailbox server.

7. Communications between Client Access servers in different sites occur over Secure HTTP (HTTPS).

8. If User 1 tries to access Client Access server 02 using Exchange ActiveSync, they’ll receive an error because Client Access server 01 is the appropriate Client Access server for their mailbox.

 


Ticket: Exchange 2003 – Deleting this mailbox store may result in the loss of system messages used by Exchange

 

 

When does the System Attendant mailbox get created? Can it be moved or re-created?

The System Attendant mailbox is created when the system attendant is created on a server. It is associated with the first mailbox store created on a server.
If an attempt is made to delete the mailbox store containing the System Attendant mailbox, the following warning will appear:

Deleting this mailbox store may result in the loss of system messages used by Exchange, such as Free/Busy or Key Management Security. If you choose to continue, you need to restart the system attendant service after the store is deleted.


If the store is then deleted, the System Attendant mailbox will be moved automatically into another mailbox store on the server, that is, the HomeMDB value on the directory object will be updated.

The system attendant service must be restarted to reconfigure MSExchangeFBPublish to use the new mailbox location, and the mailbox object may not reappear under the Mailboxes node of Exchange System Manager until it is used in the future.
If there is a System Attendant directory object but no mailbox object, the mailbox store object will be re-created automatically in the mailbox store referenced by the HomeMDB attribute as soon as it is needed. Note that one cause of this is using a blank store for troubleshooting.

Steps:

1. You can remove the mailbox store in the First Storage Group.

2. When the following message appears, continue with the deletion:

Deleting this mailbox store may result in the loss of system messages used by Exchange, such as Free/Busy or Key Management Security. If you choose to continue, you need to restart the system attendant service after the store is deleted.

3. After the deletion, just restart the Exchange System Attendant service.

4. A warning event reminds you to restart the service so that the mailbox store for the System Attendant mailbox is reconfigured:

Microsoft Exchange System Attendant has detected that the system attendant object in the DS has been modified. System Attendant needs to restart the Microsoft Exchange Free Busy Publishing Service.

 
