MsExchange Blog Spot Telnet25

September 16, 2009

Exchange 2010 and RIM support

Filed under: General — telnet25 @ 5:10 pm

As far as I know, there are no updates or news yet from RIM regarding Exchange 2010. RIM has not announced any type of support for Exchange 2010.

Exchange 2010 has changed a lot compared to Exchange 2007, and hence the current version of BES is not compatible with the beta version of Exchange 2010.

To be honest, I would love to see some testing going forward, and hopefully RIM will catch up by the official release day of Exchange 2010, which will be soon (-: (Shisss, don't ask, it will be ready when it is ready.)

The bottom line is, there is no support as of yet, and we are hoping RIM is working on it to catch up by the official Exchange 2010 release day.

oz Casey Dedeal,

MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +

Http://smtp25.blogspot.com (Blog)

Http://telnet25.spaces.live.com (Blog)

Http://telnet25.wordpress.com (Blog)

September 9, 2009

What is business justification going from Exchange 2007 to Exchange 2010

Filed under: General — telnet25 @ 4:36 am

I got a perfect response to my previous post from Mark Arnold, whom I respect *tons*; here is the link to his article.

With all respect, here is my response and my vision for the near future: the cost savings (Exchange 2010) and an even better, improved mail experience. I will bring up the reasons one more time; I believe these reasons will make the difference.

Response:

Mark, I enjoy your blogs and respect your knowledge; in my personal opinion you are one of the most respected sources when it comes to Exchange (-:

I never said SAN will disappear; to be clear, I said it will be off the Exchange plate. My logic and experience are telling me *huge savings*, and here are the reasons why:

  • Saying that SAN is off the Exchange plate is, to me, a perfectly right statement. Configuring Exchange with DAS is much cheaper, and I am sure you won't argue about it. The argument was IOPS considerations, which is true, but I remember at least another 50 percent I/O decrease compared to Exchange 2007 is achieved with Exchange 2010, due to major schema changes on mailbox tables (this still needs testing, I totally agree). MS is so sure that they don't even care about RAID configuration; basically they say use JBOD and Exchange 2010 will run on it, so we don't have to worry about special RAID configurations separating logs from databases using RAID 1, RAID 10 and so forth. Would it be better if we still went for a RAID configuration that provides fast reads and writes? I would think yes, but I have to underline that since the application is much lighter, most of the operations are done within memory, not on the HD, and therefore there is far less I/O fear; that is my understanding, and this is why MS says the recommended mailbox size is whatever the business needs: 20 gig, 30 gig, Exchange 2010 does not care anymore.
  • We have been using and working with NetApp as SAN for many of our clients and our experience has only been *positive*. It rocks; to be honest, it never failed us even once over the years. This includes DR (SnapManager) and SMBR (single mailbox recovery), which made my life easy over the years and led us to success in many cases. Again, I have had nothing but positive experience so far. Good things in life come with a cost (-: and this is true in this example.
  • The dependency on SAN for Exchange has so far been critical for us, because many of our clients demand high availability, and again with NetApp this is so easy to achieve (any other major SAN provider has similar offerings). Remember, additional licensing for these capabilities contributes to the cost $$$$.
  • Now I will tell you, the SAN spindles Exchange servers use are SCSI, not SATA, due to performance considerations and fears, as you would imagine, mostly related to SLAs. The cost of these drives, plus support, is very expensive most of the time, and the other features I have listed to make Exchange redundant require additional licensing and cost $$$. Some of my clients would love to offload these SCSI drives and use them for SQL servers and other applications, which would save them $$$ right off the bat.
  • Now the statement "Exchange is off the SAN plate" is going to be correct: since DAG provides redundancy, I can configure Exchange servers with DAS, not SAN, and here is my first saving, and I know this is going to be *huge*.
  • Second, I might be using SAS drives, not SCSI, for the DAS shelves, and I know the saving is going to be *huge*.
  • I don't have to purchase any third-party utility anymore to provide redundancy, I don't have to worry about performance as much as I worried before, and I don't need a SAN engineer to work with me to carve the LUNs and maintain the SAN for me, because DAS comes with much simpler software in my opinion and is much easier to manage; the Exchange administrator can and will do everything the SAN engineer has done, and this is to me another *saving*.
  • I don't have to pay a third party to do the archiving for me because Exchange 2010 does it out of the box, and I don't have to keep or dedicate SAN for archived Exchange mail; I will simply keep it on DAS. All the third-party software cost, licensing, implementation and maintenance is no longer needed, and this is another *saving* for me (-:

When I wrote the article I was being honest and letting everyone know what I see as my vision. Exchange 2010 is not a simple upgrade; to me it is the greatest mail application that has ever existed, and the reasons I listed above will take Exchange off the SAN.

I remember when we asked for a business justification, the answer we got from MS was simple and effective.

We asked for one business justification and MS gave us three of them (-:, I am sure you will remember (-:

  • Cost
  • Cost
  • Cost

When I deploy Exchange 2010 with DAS (-:, I promise to come back and update this article and mention performance, user experience, capacity, and cost savings, if there are any (-: I do know the numbers will be much lower (my vision), with a far better messaging experience for large environments, including BES implementation. If I am wrong, I promise to admit that as well (-:

Warm regards,


September 8, 2009

Exchange 2010 High Availability and Why it is different from Exchange 2007?

Filed under: General — telnet25 @ 12:31 pm

Harold seems to have posted Scott's video regarding high availability in Exchange 2010. One of the most exciting features built into Exchange 2010 is surely the DAG (database availability group).

  • Remember, in Exchange 2007 CCR (Cluster Continuous Replication) you can have a one active, one passive database configuration.
  • DAG gives you 16 mailbox servers, thus you get 16 copies of each database on each server.

Scott Schnoll shares insights on the new High Availability option in Exchange Server 2010 that provides for better availability of Exchange databases using DAGs.

When it comes to design, as you can tell, a very flexible and smart design might be the best fit for your large environment.

Check it out, it is a really nice one; click on the picture below.


What is business justification going from Exchange 2007 to Exchange 2010

Filed under: General — telnet25 @ 12:22 am

I remember having a hard time talking about going from 2003 to 2007 (-:, yet having a burning desire to implement Exchange 2007.

The short story is that the same question keeps coming back: what is the business reason why anyone should bring in Exchange 2010? I wrote many little articles to discuss why, and will continue to write, as I see myself implementing Exchange 2010 more and more than any other version ever before (-:

Exchange 2010 will simply save $$$$$ for your business, and here are some of the major bullets on how:

  • Use cheap direct attached storage (DAS) for Exchange; as I said several times, Exchange is off the SAN plate for the first time in history.
  • Huge savings compared to an expensive SAN, and a single person will be able to take care of many things within the application without needing any third-party software or tools.
  • Less complexity, since no other product is being used for high availability and archiving.
  • Exchange archiving will provide basic regulatory requirements, such as policies to implement security practices and satisfy auditing needs. E-mails older than 6 years (archived e-mails cannot be deleted).
  • No third-party utility to manage archived e-mail; it is all built into the Exchange application.
  • Great-looking menus and a light, fast OWA experience; Outlook 2010 will add more joy to the Exchange 2010 journey.
  • A true DR solution is built right into the product: if companies choose to implement DAG (database availability group) they are redundant. Every single mailbox and its content is available if one server goes down; the end-user experience is a minute of interruption, and the valuable messaging experience comes right back up.
  • Major schema changes implemented to mailbox tables allowed a huge I/O reduction; there is simply no need for SIS (gone).
  • Better delegation for IT administrators, giving more options to end users (create DLs and invite others) and taking heavy load away from IT administrators.
  • Exchange 2010 is fully redundant right out of the box, just like Active Directory servers. You have to take every single Exchange server in the DAG down to stop end users getting their mail.
  • Another 50% I/O reduction; the Exchange application is much lighter, faster and more efficient.

So have your management understand the $$$ saving part, the truly built-in redundancy, and providing mailboxes to end users as big as 20 or 30 gig so they never have to delete a single mail until they retire (-: and let your management decide not to move! (-:

I truly believe that when it comes to cost reduction, management makes a quick decision; it has always been this way and won't change.

 

 


September 5, 2009

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=916). Topology discovery failed, error SBS 2008

Filed under: General — telnet25 @ 12:17 am

Problem: Exchange information store and SA is not coming up, event logs are showing topology errors, Event ID: 2114

Log Name:      Application
Source:        MSExchange ADAccess
Date:          9/4/2009 3:39:41 PM
Event ID:      2114
Task Category: Topology
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SBS.to.local
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=916). Topology discovery failed,
error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol
(LDAP) error code specified in the event description.

Cause:

Disabling IPv6 in the TCP/IP properties of the NIC will create this problem on an SBS 2008 installation.

Solution:

Enable IPv6 on the NIC interface.

Issues After Disabling IPv6 on Your NIC on SBS 2008
Properly Disabling IPv6

SBS 2008 is designed to fully support IPv6 and has IPv6 enabled by default.  Most users should never need to disable IPv6, however if you must disable IPv6 here is how to disable it properly:

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 (http://support.microsoft.com/kb/322756/)

 

  • Uncheck Internet Protocol Version 6 (TCP/IPv6) on your network card.
  • In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
  • Double-click DisabledComponents to modify the DisabledComponents entry.
    Note: If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:
      • In the Edit menu, point to New, and then click DWORD (32-bit) Value.
      • Type DisabledComponents, and then press ENTER.
      • Double-click DisabledComponents.
  • Enter "ffffffff" (eight f's), and then click OK.
  • Reboot the SBS 2008 server.
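A read-only PowerShell check for the state described above, added here as an example (it is not from the original post or from the Microsoft article): it compares the adapters bound to IPv4 and IPv6, reads DisabledComponents, and looks for recent Event ID 2114 entries. It assumes PowerShell 2.0 or later and that each protocol's Linkage\Bind registry value lists the adapters the protocol is bound to; the function names are hypothetical.

```powershell
# Added example, not part of the original post: read-only check for the
# "IPv6 unchecked on the NIC but not disabled in the registry" state.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-BoundAdapterGuid([string]$Protocol) {
    # Assumption: <Protocol>\Linkage\Bind holds one \Device\{GUID} entry per bound adapter.
    $linkage = Get-ItemProperty -Path "$services\$Protocol\Linkage" -ErrorAction SilentlyContinue
    $guids = @()
    if ($linkage -and $linkage.Bind) {
        foreach ($entry in $linkage.Bind) {
            if ($entry -match '\{[0-9A-Fa-f\-]{36}\}') { $guids += $matches[0].ToUpper() }
        }
    }
    return $guids
}

function Get-DisabledComponentsHex {
    $params = Get-ItemProperty -Path "$services\Tcpip6\Parameters" -ErrorAction SilentlyContinue
    if ($params -and ($null -ne $params.DisabledComponents)) {
        # A DWORD can surface as a signed Int32; format as hex so ffffffff compares reliably.
        return ('{0:x8}' -f $params.DisabledComponents)
    }
    return $null
}

function Get-Recent2114 {
    # Event from the post: Source "MSExchange ADAccess", Event ID 2114 (topology discovery failed).
    Get-EventLog -LogName Application -Newest 2000 |
        Where-Object { $_.EventID -eq 2114 -and $_.Source -eq 'MSExchange ADAccess' }
}

$v4     = @(Get-BoundAdapterGuid 'Tcpip')
$v6     = @(Get-BoundAdapterGuid 'Tcpip6')
$v4Only = @($v4 | Where-Object { $v6 -notcontains $_ })   # adapters with IPv6 unchecked
$dc     = Get-DisabledComponentsHex
$hits   = @(Get-Recent2114)

if ($v4Only.Count -gt 0 -and $dc -ne 'ffffffff') {
    $state = 'PARTIAL: IPv6 is unchecked on an adapter but DisabledComponents is not ffffffff'
} elseif ($v4Only.Count -gt 0) {
    $state = 'DISABLED: IPv6 is unchecked and DisabledComponents is ffffffff'
} elseif ($dc -eq 'ffffffff') {
    $state = 'REGISTRY ONLY: DisabledComponents is ffffffff but IPv6 is still checked on the adapters'
} else {
    $state = 'ENABLED: IPv6 is bound on every adapter that has IPv4'
}

"IPv6 state         : $state"
"DisabledComponents : " + $(if ($dc) { "0x$dc" } else { '(not set)' })
"Adapters w/o IPv6  : " + ($v4Only -join ', ')
"Event 2114 entries : $($hits.Count)"
$hits | Select-Object -First 3 TimeGenerated, Source, EventID | Format-Table -AutoSize
```

A PARTIAL result together with Event 2114 entries matches the cause given in this post: either re-enable IPv6 on the NIC or complete the registry step and reboot.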

 


September 3, 2009

RSA SecurID Ready Implementation Guide Exchange 2007 ISA Server 2006

Filed under: General — telnet25 @ 1:58 am

I spent quite a bit of time getting this to work (-: and figured out that the official published guide needs serious updates, which I addressed in all the previous articles; I am putting a summary together here.

Anyway, if you are planning to implement RSA in your environment, reading the previous articles will save you tons of headache, trust me (-: I learned the hard way and, as always, don't want anyone to go through the same path, hence I am sharing the parts missing from this document. OWA is already standard for most government places, and two-factor authentication is the way to go for most remote access scenarios. First, download the official RSA implementation guide from here.

Now you will need to click here to get it.

Now you are ready to move on; pay attention to the steps below.

  • After downloading SDTEST.exe, make sure you get it to work before you start messing with the ISA server or Exchange server. If SDTEST does not succeed, you will waste your time!
  • Ask the RSA guy to follow the steps in the RSA guide, and make sure you have the SDCONF.REC file.

Once you get this file, copy it to the directories below on the ISA servers:

  • Windows\System32 folder
  • C:\Program Files\Microsoft ISA Server\sdconfig directory

If your ISA server has two legs, make sure you add a static route so that the test utility is able to talk to the RSA servers.

Issue route print, then add the route:

  • 172.26.7.197  gateway for internal network
  • 172.26.114.202 ISA server IP

route add 172.26.114.202 mask 255.255.255.255 172.26.7.197 -p

  • Add the following String Value registry entry on each ISA array member, then restart "wspsrv.exe":
  • PrimaryInterfaceIP
  • HKEY_LOCAL_MACHINE\Software\SDTI\AceClient
  • Where the string value of PrimaryInterfaceIP is the IP address assigned to the interface that communicates with the RSA Server
  • After restarting the firewall service, test once more; bingo, it works.
  • Before we move on, copy the local secret SecurID file from system32 into the sdconfig folder:
  • SECURID from <windir>\system32 to …\Microsoft ISA Server\sdconfig
  • On each ISA Server, run the SDTEST.EXE utility.  This utility allows you to test user authentication from an Agent Host to the RSA Authentication Manager Server.  Upon a successful user authentication, the Node Secret file (SECURID) will be created in the <windir>\system32 folder.
  • Read this to understand why you just did the above (-:
  • The SDTEST Authentication Utility is used to verify that a computer running ISA Server can authenticate to a computer running RSA Authentication Manager.  Note the following:   SDTEST.EXE requires the SDCONF.REC to be located in the …\system32 folder to run and test authentication successfully.  However, for ISA server to successfully authenticate to the RSA server, SDCONF.REC must be located in the ..\Microsoft ISA Server\sdconfig folder.  Also note that SDTEST.EXE does not require a Node Secret to authenticate, but the ISA Server does require a Node Secret to authenticate.
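The prerequisites from the steps above (SDCONF.REC and SECURID in both folders, the PrimaryInterfaceIP value, the persistent route) can be checked in one pass before touching the ISA listener. This PowerShell script is an added example, not part of the original post or the RSA guide; it assumes PowerShell 2.0 or later on the ISA server, the ISA install path and gateway address shown in the post, and Add-Result and Get-Sha256 are hypothetical helper names.

```powershell
# Added example, not part of the original post or the RSA guide.
# Read-only preflight for one ISA 2006 array member; assumes PowerShell 2.0 or later.
$isaSdconfig     = 'C:\Program Files\Microsoft ISA Server\sdconfig'  # path used in the post
$system32        = Join-Path $env:windir 'System32'
$internalGateway = '172.26.7.197'                                    # gateway used in the post

$script:results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return [System.BitConverter]::ToString($sha.ComputeHash($stream)) }
    finally { $stream.Close() }
}

# SDCONF.REC: SDTEST.EXE reads it from System32, ISA reads it from sdconfig.
# SECURID (node secret): created in System32 by a successful SDTEST run, then copied to sdconfig.
foreach ($name in 'sdconf.rec', 'securid') {
    $inSystem32 = Join-Path $system32 $name
    $inSdconfig = Join-Path $isaSdconfig $name
    if (-not (Test-Path $inSystem32)) {
        Add-Result $name $false "missing from $system32"
    } elseif (-not (Test-Path $inSdconfig)) {
        Add-Result $name $false "missing from $isaSdconfig"
    } elseif ((Get-Sha256 $inSystem32) -ne (Get-Sha256 $inSdconfig)) {
        Add-Result $name $false 'the two copies differ; re-copy from System32 to sdconfig'
    } else {
        Add-Result $name $true 'present in both folders, copies identical'
    }
}

# PrimaryInterfaceIP must name the interface that communicates with the RSA server.
$ace = Get-ItemProperty -Path 'HKLM:\Software\SDTI\AceClient' -ErrorAction SilentlyContinue
$primary = $null
if ($ace) { $primary = $ace.PrimaryInterfaceIP }
$localIps = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress })
if (-not $primary) {
    Add-Result 'PrimaryInterfaceIP' $false 'string value not set under HKLM\Software\SDTI\AceClient'
} elseif ($localIps -contains $primary) {
    Add-Result 'PrimaryInterfaceIP' $true "$primary is assigned to a local interface"
} else {
    Add-Result 'PrimaryInterfaceIP' $false "$primary is not assigned to any local interface"
}

# Persistent routes (route add ... -p) are stored as value names: destination,mask,gateway,metric
$routeKey = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes' -ErrorAction SilentlyContinue
$viaGateway = @()
if ($routeKey) {
    $viaGateway = @($routeKey.GetValueNames() | Where-Object { $_.Split(',')[2] -eq $internalGateway })
}
if ($viaGateway.Count -gt 0) {
    Add-Result 'Static route' $true ("persistent route(s) via ${internalGateway}: " + ($viaGateway -join '; '))
} else {
    Add-Result 'Static route' $false "no persistent route uses gateway $internalGateway"
}

$results | Format-Table Check, Ok, Detail -AutoSize -Wrap
```

A missing securid row in System32 means SDTEST has not yet completed a successful authentication on that array member, so run it before copying anything to sdconfig.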

Now move on to the ISA Server:

  • Back up the ISA configuration
  • Configure the CAS listener
  • Configure client authentication on the listener

Here is the link; click on the picture.

Configure the Exchange default website; click on the picture for details.

Now it is time to test it.

I hope this saves some of you out there time and headache.

 

Cheers,


September 2, 2009

RSA OWA & ISA 2008 Exchange 2007

Filed under: General — telnet25 @ 8:39 pm

100; Access denied, RSA ACE/Server rejected the passcode that you supplied. Try again with a valid passcode.

One last thing I forgot to mention is to copy the local secret SecurID file from system32 into the sdconfig folder.

  • SECURID from <windir>\system32 to …\Microsoft ISA Server\sdconfig
  • On each ISA Server, run the SDTEST.EXE utility.  This utility allows you test user authentication from an Agent Host to the RSA Authentication Manager Server.  Upon a successful user authentication, the Node Secret file (SECURID) will be created in the <windir>\system32 folder.


  • The SDTEST Authentication Utility is used to verify that a computer running ISA Server can authenticate to a computer running RSA Authentication Manager.  Note the following:   SDTEST.EXE requires the SDCONF.REC to be located in the …\system32 folder to run and test authentication successfully.  However, for ISA server to successfully authenticate to the RSA server, SDCONF.REC must be located in the ..\Microsoft ISA Server\sdconfig folder.  Also note that SDTEST.EXE does not require a Node Secret to authenticate, but the ISA Server does require a Node Secret to authenticate.


RSA ISA 2006 Exchange 07 CAS Configuration Part III

Filed under: General — telnet25 @ 8:15 pm

Now it is time to jump on the ISA server and make the configuration changes that make RSA work. Let's start by backing up the ISA configuration in case (-: things do not go well and we need to roll back the changes.

Log into the ISA server and open the ISA console. We will back up the entire ISA configuration as well as the one rule we will make the changes on. Click on Arrays, right-click the server, and choose Export (backup).

Next

We can accomplish the same for a single rule.

Now, the first rule I have is the existing OWA rule. You can disable this rule and create another one, delete it if you wish, or modify it; all of these will work. I prefer modifying the existing one.

Right-click on the existing rule and go to Properties.

Click Properties once more and place a check mark on:

  • HTML Form Authentication
  • RSA SecurID

Click on:

  • Authentication delegation
  • Basic authentication

Then:

  • Click OK to get out, then log into the CAS server
  • Server configuration
  • Client access
  • Open the properties of Exchange (Default Web Site)
  • Click Authentication and set it to (Basic authentication, password is sent in clear text)

Click OK and issue:

  • iisreset /noforce

Now if you open your webmail URL you will see a logon window asking for:

  • Username: Your username
  • Passcode: Your 6-digit PIN + the 6-digit RSA-generated code
  • If your 6-digit PIN is 123456 and the RSA token is showing XXXYYY
  • Passcode: 123456XXXYYY
  • Password: Your password

You will see your e-mails after a successful login to OWA with two-factor authentication.


RSA & OWA ( 2007) Two Factor Authentication with ISA 2006

Filed under: General — telnet25 @ 7:10 pm

Here is part two; we continue troubleshooting the implementation of RSA with ISA 2006 and Exchange 2007 CAS servers.

As I said earlier in Part I, don't bother to poke around if you cannot make SDTEST.exe work, because the rest of the steps won't work, and at the end you will need the local secret to be copied from.

In the previous post we were getting "106-web-server-is-busy-try-again", and when we tried to use SDTEST.exe from the ISA 2006 server we started getting:

Problem: cannot communicate with RSA ACE/Server

Possible cause: you have two NICs on the ISA server, one public and the other for internal communication. The test utility does not know how to use the internal NIC and uses the external NIC, and hence cannot even start communicating with the RSA server. If you go to the Application event log you will notice ACECLIENT errors.

Make sure SDTEST knows which interface to use, so add a static route to your ISA servers as needed (see Part 1 for details).

If the static route is there and this time you are getting "Access Denied", yet you know the user name and passcode are correct, check the following:

Add the following String Value registry entry on each ISA array member, then restart "wspsrv.exe":

  • PrimaryInterfaceIP
  • HKEY_LOCAL_MACHINE\Software\SDTI\AceClient
  • Where the string value of PrimaryInterfaceIP is the IP address assigned to the interface that communicates with the RSA Server.

After restarting the firewall service, test once more; bingo, it works.


September 1, 2009

RSA with OWA 106: The Web server is busy.

Filed under: General — telnet25 @ 5:25 pm

I am in the process of configuring RSA with OWA 2007 and ISA server, and am posting some of my experiences as I face them.

Here is the error: "106-web-server-is-busy-try-again". This one is really generic, and if you Google it you will get several hits and scenarios for how to deal with this situation.

In my opinion, the best way to deal with the error above is to follow the tips below and save yourself time and headache.

I assume you are using the following:

  • ISA server (or servers)
  • CAS server (or servers)
  • RSA / ACE Server (or servers)

The goal is:

  • Enable RSA token with OWA to accomplish two-factor authentication

First, before you do anything, ask your RSA admin to give you the SDCONF.REC file. This file contains the source IP addresses (ISA servers), the destination IP addresses of the RSA servers, and some other authentication information needed to make RSA work.

Once you get this file, copy it to the directories below on the ISA servers:

  • Windows\System32 folder
  • C:\Program Files\Microsoft ISA Server\sdconfig directory

Now download the RSA Test Authentication Utility for Internet Security and Acceleration (ISA) Server 2006.

RSA Test Authentication

Now you need to extract the files and place them in this directory:

  • C:\Program Files\Microsoft ISA Server (assuming you installed the ISA binaries on the C drive; if not, change it accordingly)

Now find sdtest.exe in this directory and double-click on it.

Now click on RSA ACE/Server Test Directly.

If you are having a problem, it might be the ISA server; or remember that in a DMZ the firewall needs to be configured to allow access from the ISA server to the RSA server on UDP port 5500. This is mentioned in the RSA implementation paper. If you have done all this, move on to the scenario below.

ISA is blocking traffic, or your test is not even getting to the RSA servers, because ISA has two legs: one is the external interface and one is the internal interface. Most likely your RSA server is sitting inside, and you have to add a static route to the ISA servers as follows:

Issue route print, then add the route:

172.26.7.197  gateway for internal network

172.26.114.202 ISA server IP

route add 172.26.114.202 mask 255.255.255.255 172.26.7.197 -p

After this, go to the ISA Server console and click on Networks.

Click on Addresses and use Add Range.

  • Insert the IP addresses of the RSA server to allow communication

Now your test should work and you should be ready to move on to the second step.

I will post part two for the rest of the work.

Download the RSA guide.
