ccolonbackslash


Category Archives: Exchange

HA Exchange 2010, two all-in-one servers in a DAG, CAS arrays, Windows NLB – confusion and solution

In the process of lab testing the viability of an HA mail installation with HP’s E5000 series of messaging appliances, I came up against some confusion about the configuration of the CAS array when using a two-member DAG where the servers also host the CAS and HT roles. I was aware a hardware load balancer is required for this to work, but was not clear on exactly how to configure Exchange to work with such a device.

Initially, in a lab, I configured a DAG between two Exchange 2010 VMs; this seemed to work as expected. The next instruction was to add both servers to a CAS array, assign a VIP and put this in DNS.

I then configured a CAS array, assigned a VIP and configured the DNS record. The array included the two all-in-one servers and was created successfully, but none of my clients were able to connect, nor was I able to ping the array address. Further reading, in particular this: http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx led me to realise:

  1. Windows NLB is needed for a CAS array to work without additional hardware.
  2. Windows NLB is incompatible with Server 2008 R2 failover clustering.
  3. Server 2008 R2 failover clustering is needed for a DAG.
  4. I need a DAG.
  5. Therefore I cannot use Windows NLB.

This led me to read the “Best practices for networking and load balancing with the E5000 messaging systems” PDF on the HP site.

Essentially I’d gone about it backwards:

  • You still create the CAS array, but the VIP assigned to the load balancer is what the array’s FQDN must resolve to in DNS; the array object itself takes only a name, an FQDN and an AD site, never an IP. Once this is in place and the HLB is configured, it distributes the connections to the individual CAS servers and all is good.
  • The CAS array is a simple object, a pointer more than a mechanism: it does not load balance your traffic (Windows NLB or, in our case, the hardware load balancer does that). All the object does is give the mail client a name to connect to for mailbox access; each mailbox database’s RpcClientAccessServer is set to that name, and that is how Outlook learns it.
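Here is the sequence scripted for the Exchange Management Shell, as an added example that is not part of the original post or HP’s guide. The names in it (outlook.contoso.com for the array, 10.0.0.50 as the load balancer’s VIP, dc01.contoso.com as the DNS server, the zone and the AD site name) are placeholders, and the final check assumes WinRM is enabled on the DAG members.

```powershell
# Added example (not the post's own configuration). Placeholders: replace the FQDN,
# VIP, DNS server, zone and AD site with your own values.
$arrayFqdn = "outlook.contoso.com"      # name clients connect to; must not be a real server's name
$vip       = "10.0.0.50"                # VIP owned by the hardware load balancer, not by any Exchange server
$dnsServer = "dc01.contoso.com"
$zone      = "contoso.com"
$site      = "Default-First-Site-Name"  # AD site the DAG members sit in; one array per site

# 1. The array object is only a pointer: it gets a name, an FQDN and a site, never an IP or a member list.
New-ClientAccessArray -Name $arrayFqdn -Fqdn $arrayFqdn -Site $site

# 2. DNS is what ties the pointer to the load balancer. dnscmd because this is 2008 R2;
#    the Add-DnsServerResourceRecordA cmdlet only arrived with Server 2012.
$hostLabel = $arrayFqdn.Split(".")[0]
dnscmd $dnsServer /RecordAdd $zone $hostLabel A $vip

# 3. Mailbox databases hand the array FQDN to Outlook as the RPC endpoint. Do this before
#    creating Outlook profiles: a profile keeps whatever server name it first saw.
Get-MailboxDatabase | Where-Object { "$($_.RpcClientAccessServer)" -ne $arrayFqdn } |
    Set-MailboxDatabase -RpcClientAccessServer $arrayFqdn

# 4. Checks: the array should list both CAS servers as members, every database should point
#    at it, and the FQDN should resolve to the VIP rather than to either server.
Get-ClientAccessArray | Format-Table Name, Fqdn, Site, Members -AutoSize
Get-MailboxDatabase   | Format-Table Name, RpcClientAccessServer -AutoSize
$resolved = [System.Net.Dns]::GetHostAddresses($arrayFqdn) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $vip) { Write-Warning "$arrayFqdn resolves to $resolved, not to the VIP $vip" }

# 5. Sanity check on the DAG members: the NLB feature must not be installed on a failover
#    cluster node.
foreach ($member in (Get-DatabaseAvailabilityGroup).Servers) {
    $nlbInstalled = Invoke-Command -ComputerName $member.Name -ScriptBlock {
        Import-Module ServerManager
        (Get-WindowsFeature -Name NLB).Installed
    }
    if ($nlbInstalled) { Write-Warning "$($member.Name) has Windows NLB installed; it cannot coexist with failover clustering" }
}
```

Two things worth keeping in mind: the array FQDN is only used by internal MAPI/RPC clients, so Outlook Anywhere users never see it and connect to the ExternalHostname on the Outlook Anywhere virtual directory instead; and the array object will create quite happily with nothing listening on the VIP, which is exactly the situation described above, so the DNS resolution check is the one that tells you whether the load balancer is actually in the path.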

Fix: Lync password prompts when connecting over the Edge server: “Type your user name and password to connect for retrieving calendar data from outlook.”

Although we are no longer seeing Exchange password prompts after migrating from Communicator to Lync, we now see credential prompts from Lync when both Outlook and Lync are started OUTSIDE the network, i.e. over the Edge and Outlook Anywhere WITHOUT VPN. Although we have yet to deploy widely, we are seeing this behaviour consistently in our pilot and I’ve been unable to resolve the issue. Unlike the other post referring to this, these prompts are dismissable and do not return (you just get the red bangs).

I have just opened an MS case on this and, although awaiting further info, they seem fairly convinced it is our use of Kerberos Constrained Delegation on the Outlook Anywhere site that Lync is trying to use that causes the recurring issue. This particular set of authentication prompts crops up when Lync attempts to retrieve calendar information. If you disable Windows Integrated Authentication in IE, it goes away. This problem is utterly unrelated to the Lync infrastructure.

When I have more clarity from the engineers I will post back, though it seems they want to change the authentication method for EWS/Outlook Anywhere on our TMG listener for the Exchange CAS so we no longer use KCD. I’ve tried all manner of solutions; the only thing that gets rid of the prompts in the meantime is disabling integrated authentication in IE as per a number of TechNet articles. This isn’t a great solution, however, as it may cause problems for other apps and will require touching every machine or deploying by GPO.

If you aren’t using KCD you may have some luck with this: http://msexchangeanywhere.wordpress.com/2011/12/29/how-to-fix-lync-services-signin-type-your-user-name-and-password-to-connect-for-retrieving-calendar-data-from-outlook/.

____________________

The MS tech got back to me – it seems Lync definitely doesn’t like KCD on Outlook Anywhere. Microsoft’s engineers’ recommendation is to let Exchange authenticate the client directly rather than having TMG pre-authenticate and delegate; for us this involved two changes:

  1. Change the authentication method on your Outlook Anywhere rule in TMG from ‘Kerberos Constrained Delegation’ to ‘No delegation, but client may authenticate directly’.
  2. Add ‘All Users’ to the allowed user sets on the rule.

Once this was applied, no more authentication requests.

No changes are needed to the listener, provided it is set up as Microsoft ask.
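As a check after making the TMG change, here is what to look at on the Exchange side. This is an added example, not part of the post or the engineer’s instructions; cas01 and mail.contoso.com are placeholders, and it is meant to be run in the Exchange Management Shell.

```powershell
# Added example; placeholders: cas01 is a CAS server, mail.contoso.com the host TMG publishes.
# Run in the Exchange Management Shell after switching the TMG rule away from KCD.
$cas           = "cas01"
$publishedHost = "mail.contoso.com"

# With "client may authenticate directly", TMG no longer pre-authenticates, so the method
# Outlook and Lync actually negotiate is whatever the CAS advertises. ClientAuthenticationMethod
# is what Outlook is told to use; IISAuthenticationMethods is what the /rpc vdir will accept.
$oa = Get-OutlookAnywhere -Server $cas
$oa | Format-List ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods
if ($oa.IISAuthenticationMethods -notcontains $oa.ClientAuthenticationMethod) {
    Write-Warning "Outlook is told to use $($oa.ClientAuthenticationMethod) but IIS on $cas does not accept it"
}
if ("$($oa.ExternalHostname)" -ne $publishedHost) {
    Write-Warning "Outlook Anywhere ExternalHostname is $($oa.ExternalHostname), not the published host $publishedHost"
}

# Lync finds EWS through Autodiscover and then fetches calendar data from it, so both
# virtual directories have to be reachable through the same published host with an
# authentication method the client can complete on its own.
$ews = Get-WebServicesVirtualDirectory -Server $cas
$ad  = Get-AutodiscoverVirtualDirectory -Server $cas
$ews | Format-List ExternalUrl, BasicAuthentication, WindowsAuthentication
$ad  | Format-List BasicAuthentication, WindowsAuthentication
if ($ews.ExternalUrl -eq $null -or $ews.ExternalUrl.Host -ne $publishedHost) {
    Write-Warning "EWS ExternalUrl is '$($ews.ExternalUrl)'; external Lync clients are sent there, not to $publishedHost"
}

# Synthetic EWS call from the CAS itself (needs the test mailbox created by New-TestCasConnectivityUser.ps1).
Test-WebServicesConnectivity -ClientAccessServer $cas | Format-Table Scenario, Result, Error -AutoSize
```

One caveat on what the second TMG change means: with ‘All Users’ on the rule and no delegation, TMG passes unauthenticated requests for that path straight through, so the CAS’s own IIS authentication becomes the only gate for Outlook Anywhere and EWS from the Internet. Make sure Basic is only ever offered on the HTTPS listener, and expect the failed-logon noise that TMG used to absorb to show up in the CAS IIS logs instead.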

I will update after speaking to the engineer with any further explanation.

Having been round in circles for months on this, please don’t hesitate to contact me if you are having similar issues.

Save yourself 15 minutes installing pre-reqs for an Exchange 2010 install on Server 2008 R2

Copy and paste the script from the page linked below into Notepad, save it as a .ps1 file and run it before installing Exchange. As with any script you are about to run with administrative rights, read it through first.

It even downloads the Filter Pack for you: http://www.bhargavs.com/index.php/2009/11/18/script-to-install-exchange-2010-pre-requisites-for-windows-server-2008-r2/

Many thanks to the author of the linked page, Bhargav Shukla, and to the original authors of the script, Anderson Patricio and Pat Richard. With lab installs I think this has given me around two hours of my life back all told.
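For anyone who would rather see the job done inline than run a downloaded script, here is an added example that installs the same Windows features. It is not the linked script and not Bhargav’s, Anderson’s or Pat’s code; the feature list is the one Microsoft documents for a typical (CAS/HT/MBX) Exchange 2010 SP1 install on Server 2008 R2, and it leaves the Filter Pack for you to download and install separately.

```powershell
# Added example; not the script linked above. Installs the Windows features Microsoft
# documents for a typical Exchange 2010 SP1 install on Server 2008 R2. The Office Filter
# Pack is not handled here.
Import-Module ServerManager

$features = @(
    "NET-Framework", "RSAT-ADDS", "Web-Server", "Web-Basic-Auth", "Web-Windows-Auth",
    "Web-Metabase", "Web-Net-Ext", "Web-Lgcy-Mgmt-Console", "WAS-Process-Model",
    "RSAT-Web-Server", "Web-ISAPI-Ext", "Web-Digest-Auth", "Web-Dyn-Compression",
    "NET-HTTP-Activation", "RPC-Over-HTTP-Proxy"
)

# Install only what is missing, so the script is safe to re-run after a reboot.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
    if (-not $result.Success) { throw "Feature installation failed; check the ServerManager log." }
    if ($result.RestartNeeded -eq "Yes") {
        Write-Warning "A reboot is required before Exchange setup will pass its prerequisite check."
    }
}

# The CAS role needs the Net.Tcp Port Sharing service set to start automatically.
Set-Service -Name NetTcpPortSharing -StartupType Automatic

# Report the end state so the run can be audited before setup.exe is launched.
Get-WindowsFeature -Name $features | Format-Table Name, Installed -AutoSize
Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'" | Format-Table Name, StartMode, State -AutoSize
```

On a fresh 2008 R2 box you will need `Set-ExecutionPolicy RemoteSigned` (or to sign the file) before a saved .ps1 will run at all, which is the same hurdle the linked script has.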

Free/Busy Exchange 2007 unavailable for single user due to infinitely recurring appointments

I’ve just spent two days dealing with a free/busy calendar viewing issue, combined with an inability to accept recurring appointments on an iPhone connected over ActiveSync to Exchange 2007.

The symptoms were these:

  • No one could view this particular exec’s free/busy information from either Outlook 2010 or OWA on Exchange 2007. Everyone else’s free/busy was viewable by all staff. The issue had been extremely long-standing; the user’s mailbox had been migrated up from Exchange 4 and we’d previously dealt with issues of non-inherited permissions caused by a cretinous admin giving him domain admin permissions to resolve “problems”.
  • Every so often, when this user’s iPhone synced or he accepted an appointment, he received “Synchronization with your iPhone failed for” blah blah “this appointment is still viewable in outlook or OWA”.
  • He was most distressed.

Initial attempts to solve this had been to look at logs and run outlook.exe /cleanfreebusy. This made no odds; as I later discovered, this is a legacy switch that regenerates public-folder free/busy, not Availability service free/busy (please correct me if I’m wrong).

I did some sniffing around without knowing about the Availability service on Exchange 2007 and discovered that legacy free/busy was supposed to be published to public folders, so I used Outlook 2003 to try to view this user’s free/busy, and it worked fine.

Further investigation revealed that the only calendar items failing to be accepted on the iPhone were recurring appointments, and of those, the only ones having an issue were those with no end date. I tried updating these to have an end date, but then another issue appeared: when I tried to send the update I received a red pop-up, “Can’t open this item. The property does not exist”. Clicking OK and then pressing Send Update seemed to work, but when I checked the calendar items in list view the recurrence had been updated to end in the year 4500.

Googling revealed this dead thread:

It seemed similar but reached no conclusion. And this one, which was nearer.

I looked at the permissions on the mailbox and found NT AUTHORITY\SELF was missing from both Full Access and Send As, and corrected this using Add-MailboxPermission. I also cleaned up a load of other sledgehammer permission fixes applied by someone in times of yore and restarted the Information Store.

This didn’t help, so it was nothing to do with the bodged permissions (it seems silly to have thought it was, now). I then increased the Exchange logging for all of the Availability service categories, as it seemed both the iPhone issue and the free/busy issue were probably down to the same thing: corrupt or damaged calendar items. You no longer have to do this through PowerShell as of SP2; this post helped me here:

Exchange SP2 diagnostic logging config

As soon as I upped the logging and checked free/busy I saw event 4009 errors on the Exchange server for my problem user:

“Exception returned is: Microsoft.Exchange.Data.Storage.ObjectNotFoundException: Cannot open embedded message. ---> Microsoft.Mapi.MapiExceptionNotFound: MapiExceptionNotFound: Unable to open property 0x3701000D”

Of course it was not able to identify the problem calendar item; that’s where this tremendously useful post from Nuttin But Exchange came in handy. It references a different problem with similar consequences, but also links to a very useful cmdlet from msexchangeteam.com that will scan a calendar and tell you on what days the problem appointments fall, allowing you to go in and correct/delete them. You can get this script here. You’ll also need the EWS Managed API on the Exchange server if it’s not installed already, and the machine running the cmdlet must be on PowerShell/WinRM 2.0. Given the EWS Managed API has been updated since the cmdlet was written, you’ll need to change the version in the path referring to ver 1.0 in the script to 1.1 before it will work, see below:

“C:\Program Files\Microsoft\Exchange\Web Services\1.0\Microsoft.Exchange.WebServices.dll”
All syntax is in the comments in the cmdlet.

So after running this script we found 25 bad days in the calendar. We went through them all with his PA and every single one was a recurring appointment with no end date (or ending in the year 4500). Once corrected, free/busy was available again and the user in question was able to view those meetings on his iPhone.
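For anyone who wants to see what such a scan does rather than trust a downloaded script, here is an added example that does the same job with the EWS Managed API directly: it lists every recurring series in a mailbox’s calendar with no end date, or an end so far out it might as well be infinite, and also flags any master the server cannot open at all. This is not the msexchangeteam.com cmdlet and not the post’s own code. The mailbox address and EWS URL are placeholders; it assumes EWS Managed API 1.1 at its default path, PowerShell 2.0, and impersonation rights (or Full Access) on the mailbox being scanned.

```powershell
# Added example; not the linked cmdlet. Placeholders: the mailbox address and the EWS URL.
# To get the Availability service to name the mailbox in its 4009 events first, run this
# on the CAS in the Exchange Management Shell:
#   Set-EventLogLevel "MSExchange Availability\Availability Service" -Level Expert
$ewsDll  = "C:\Program Files\Microsoft\Exchange\Web Services\1.1\Microsoft.Exchange.WebServices.dll"
$mailbox = "exec@contoso.com"
$ewsUrl  = "https://cas01.contoso.com/EWS/Exchange.asmx"

Add-Type -Path $ewsDll

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1)
$service.UseDefaultCredentials = $true
$service.Url = New-Object Uri($ewsUrl)     # or $service.AutodiscoverUrl($mailbox) if Autodiscover works from here
# Impersonation keeps the scanning account out of the mailbox ACL; Full Access also works.
$service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $mailbox)

# Only recurring masters can carry an open-ended recurrence, so filter the folder to those.
$owner    = New-Object Microsoft.Exchange.WebServices.Data.Mailbox($mailbox)
$calendar = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar, $owner)
$filter   = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.AppointmentSchema]::IsRecurring, $true)
$view     = New-Object Microsoft.Exchange.WebServices.Data.ItemView(200)
$view.PropertySet = New-Object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)

# FindItems does not return the recurrence pattern; each master is bound with it requested.
$bindProps = New-Object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)
$bindProps.Add([Microsoft.Exchange.WebServices.Data.AppointmentSchema]::Recurrence)

# Anything ending later than this is treated as effectively infinite (the post saw an end year of 4500).
$cutoff   = (Get-Date).AddYears(10)
$suspects = @()

do {
    $page = $service.FindItems($calendar, $filter, $view)
    foreach ($item in $page.Items) {
        try {
            $appt = [Microsoft.Exchange.WebServices.Data.Appointment]::Bind($service, $item.Id, $bindProps)
        } catch {
            # A master the server cannot open is itself a candidate (compare the MapiExceptionNotFound in the 4009 event).
            $suspects += New-Object PSObject -Property @{ Subject = "<unreadable item>"; Start = $null; Reason = $_.Exception.Message }
            continue
        }
        $rec = $appt.Recurrence
        if ($rec -eq $null) { continue }
        $reason = $null
        if (-not $rec.HasEnd) { $reason = "no end date" }
        elseif ($rec.EndDate -ne $null -and $rec.EndDate -gt $cutoff) { $reason = "ends " + $rec.EndDate.ToString("yyyy-MM-dd") }
        if ($reason -ne $null) {
            $suspects += New-Object PSObject -Property @{ Subject = $appt.Subject; Start = $appt.Start; Reason = $reason }
        }
    }
    $view.Offset += $page.Items.Count
} while ($page.MoreAvailable)

# One row per offending series; the start date is the day to open in the calendar and fix.
$suspects | Sort-Object Start | Format-Table Start, Subject, Reason -AutoSize
```

The script only reports; fixing each series (giving it a sensible end date or deleting it) is still done by hand in Outlook, as in the post, which is the safer way round when the mailbox belongs to someone else.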

Glad to put this one to bed. I’m not sure why more users weren’t affected, as I can’t imagine he was the only iPhone user with infinitely recurring appointments, or why these appointments would also break free/busy. Any comments welcomed.