Exchange 2010 DAG and Hyper-v Cluster supportability statement – Supported but how

Source
We all have been tought that Exchange 2010 DAG cannot be installed on a hyper-v Cluster or ESX Cluster (generally any hypervisor clustering), this is a correct statement but not entirely true.
the correct statement that Installing Exchange 2010 DAG is not supported on Hypervisor Clustering only when you confiure the VM that hosts the Exchange as highly available machine, thus you control the High availability of he VM using clustering.

if you Install Hyper-v or ESX clustering, you can Install Exchange 2010 DAG normally on a VM that is hosted on any single host of the Hypervisor cluster as long as this machine is not highly available from the Hypervisor point of view meaning that you cannot move it using live migration or Vmotion.
you can now install the DAG on your Hypervisor Cluster physical server normally, don’t make the VM highly available, size the IOPs and Memory and you are fine.
Hope that this helps you in your virtualization and Exchange Project

Old password still works after you change it through Outlook Web Access

This one was new for me, We are working on an Exchange 2007 implementation which serve remote users. During the testing phase we discovered that when users change their password using the OWA they will be able to logon using their OLD and NEW password. !!!!

after some googling we had nothing. MS newsgroups helped us to figure this out.

This behavior is by design. We can change the password in AD, and it will work immediately, but there will be a 15 minutes delay before OWA changing this password. Which means that during this 15 minutes period, we can log on OWA by using both old password and new password.

For the detailed information of this topic, we can refer to this article:

Old password still works after you change it through Outlook Web Access

http://support.microsoft.com/kb/267568

There is also a method provided by KB267568 to change this default interval.

Restrict Send to Certian Distribution List

In using Exchange 2007 Server, sure we have multiple DL and we may want to restrict who has access to the any of the distribution list.

By doing that you keep your mail flow in the safe side and prevent anyone from accidentally sending a private message to everyone on the server and you can prevent people from responding to an all-employees distribution creating annoying spam.

1. Open your EMC
2. Navigate to Recipients Configuration
3. Navigate to Distrubution Groups
4. Right Click the group you want to restrict access to and choose Proprieties
5. Press Mail Flow Setting Tab
6. Double Click Mail Delievery Restriction and edit your Scope

Recipient permission delegation in Exchange Server 2007

This is a good articale in MSExchange team blog

http://msexchangeteam.com/archive/2007/02/12/435171.aspx

Exchange Server.. Two servers in two different sites

 

The situation is you have two separate Exchange servers in two sites and they share the same public domain name.

So the question is how does the exchange server in the first site know to forward emails to the exchange server in the second site for second site user’s?

i.e., if you have user on server 1 called user1@domain.com and user on server 2 called user2@domain.com and the MX record point to server 1.

if you send mail to user1 it will arrive to his mail box but if you send to user2 it will not arrive as his mail box is not on server 1 ( the one that the MX record point to ).

So the question is how does the exchange server in the first site know to forward emails to the exchange server in the second site for second site user’s?

Here you are the solution.

Exchange Configuration

1. You have to choose a primary site for your public name. This primary site is the one that will receive all the email. In this example, Cairo is Primary, Alex is secondary.
2. Setup MX records for your primary domain pointing to these servers.
3. Create a recipient policy on each server for your primary domain. Make sure that the option about exchange being responsible for all email delivery to this address is enabled. It should be the primary recipient policy.
4. Create sub domains for each site in the DNS of each server.
   Therefore if you had two sites of Cairo and Alex then you would have
   • Cairo.domain.com
   • Alex.domain.com
5. While working in the internal DNS of each server, create MX records with the external IP address of the other server.
   Therefore the Cairo site will have DNS zones for Alex.domain.com and in this zone will be a DNS entry for mail.Alex.domain.com. Each of those would also be set as MX records.
   These MX records do NOT appear on the Internet, but traffic will flow on them because your local machine is looking up the MX records from the location DNS.
6. On each server, add a new additional recipient policy – but don’t make it default. This new recipient policy should match the location.
   Continuing with our example:
   • In Cairo, it would be Cairo.domain.com
   • In Alex it would be Alex.domain.com
7. The key is that it should NOT be the default policy on any site.

The result of this should be that all users have two email addresses – the default one ending in domain.com and a secondary one that ends location.domain.com.

NOTE: It is important that your DNS is configured correctly. The server should be configured to use your active directory domain controllers for DNS – no external DNS servers should be used.
If you need to use external DNS servers for performance reasons then configure these as forwarders on the active directory DNS servers.

Adding the Remote Users

On the primary server create a mail enabled contact for all users located on the other servers. When creating the contact, initially put in the email address for its home address (Cairo.domain.com). Once created, wait a moment for recipient policy to stamp the account. You should find that the contact now has two email addresses, @domain.com and @Cairo.domain.com. Do not add local users as they will already have an email address.

Repeat on the other server.

• Cairo will have mail enabled contacts for Alex.
• Alex will have mail enabled contacts for Cairo.

Sanity Check

As this can cause an email loop if not configured correctly, there is a sanity check that you can make to ensure that you have it correct.
On the properties of the contact, click on the tab “Exchange General”. In the email address box, it should say SMTP then username@location.domain.com. If it says username@domain.com then it is wrong and needs to be changed.
On the email addresses tab, the default email address should be @location.domain.com

End Result – Features and Benefits

The net result of this procedure is

• Email for your primary domain can be delivered to any server and it will be routed correctly this is useful for backup queuing of email if the other server is down.
• Users can type in the full public email address (username@domain.com) from any site and it will be routed correctly.
• Users from all sites will appear in the GAL.
• You can create distribution lists on all three sites with the same membership.
• By using mail enabled contacts the email destined for the other sites is not stored on your server – taking up no storage space on the server.
• The sites only need an internet connection – no direct site connection required.

It can take a while to initially configure, but once done, very easy to maintain if you have limited servers.

For any inquiries Kindly don’t hesitate to contact me directly.

The Exchange Server 2007 installation fails during the PrepareSchema

The operation could not be performed because the object ‘Microsoft.Exchange.Data.Directory.SystemConfiguration.ResourceBookingConfig’ could not be found <Domain_Controller_Name>.

This problem occurs because the Resource Schema object under Global Settings in Active Directory directory service is missing.

To solve this problem you have to manually create it.

1- Click Start, click Run, type adsiedit.msc, and then press ENTER.

2- Locate the following location:

DC=<Domain>, DC=<suffix>

CN=Global Settings, CN=<Organization Name>, CN=Microsoft Exchange, CN=Services, CN=Configuration,

3- Right-click CN=Global Settings, click New Object and then click Next.

4- Click msExchResourcesChema, and then click Next.

5- In the Value field, type Resource Schema.

6- Right-click the Resource Schema object, click Properties, and then click msExchVersion.

7- Set the value of the msExchVersion attribute to 4535486012416.

8- Retry Setup /prepareSchema It should work fine

Exchange 2007: Delivery has failed to these recipients or distribution lists

Two weeks ago client called me and was screaming that he has clients facing problem with their mail.

The error when we sent mail to them was:

Subject: Undeliverable: Subject

Delivery has failed to these recipients or distribution lists:

‘<User>’
This recipient e-mail address was not found in the recipient e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the recipient e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.

Sent by Microsoft Exchange Server 2007

Diagnostic information for administrators:

Generating server: Servername.domainname.com IMCEAEX_O=FIRST+20ORGANIZATION_OU=FIRST+20ADMINISTRATIVE+20GROUP

_CN=RECIPIENTS_CN=user@domainname.com
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

Original message headers:

Received: from Servername.domainname.com ([192.168.3.20]) by Servername.domainname.com([192.168.0.1]) with mapi; Fri, 11 April 2008 06:24:22 -0400
Content-Type: application/ms-tnef; name=”winmail.dat”
Content-Transfer-Encoding: binary
From: User2 Displayname <user2@domainname.com>
To: ‘User Displayname’
<IMCEAEX_O=FIRST+20ORGANIZATION_OU=FIRST+20ADMINISTRATIVE+20GROUP

_CN=RECIPIENTS_CN=USER@domainname.com>

The users have valid mailboxs and all the rest are alright.

After some times I discovered that the system admin disconnect those clients before and recreate their mailboxs instate of reconnect them.

so I made small test .. open my OWA and send those users mail… so guess what happen??? yes.. they got it.

the problem is that the rest of users are caching the old accounts and is using autocomplete in Outlook, which is resolving to the old e-mail address
because their cache has that old address, The OWA do not cache names so I can send via it to users new mailbox.

So what is the solution?? It can be done by two ways:

1- Delete current mailboxs and create users accounts and reconnect them .

2- Outlook maintains a “nickname” list that is used by both the automatic name checking and the AutoCompletion features. The nickname list is automatically compiled as you address email messages. If the nickname cache becomes corrupt, Outlook may not be able to identify recipients, may offer incorrect recipients, may send to an incorrect or old email address, or may send the message to the wrong person.

If you are having problems with a single recipient, you can easily delete the one cached entry as shown in the following section, “Delete a single cached entry”. Otherwise, proceed to the section titled “To delete your Nickname Cache file” further below.

To delete a single cached entry

1. Open Outlook
2. Open a new message window; go to the File menu and choose New – Mail Message.
3. Type one or more letters of the recipient name or address; this will show memorized (cached) entries in a drop-down list. Use the arrow keys on your keyboard to select the entry to be deleted. With the entry highlighted, press the DEL or DELETE key or your keyboard.

This removes the entry from your autocompletion cache.

To delete your Nickname Cache file.

Use the following steps that are appropriate for your version of Microsoft Windows to reset the Outlook nickname cache. After you restart Outlook, Outlook generates a new nickname cache.

Microsoft Windows XP

1. Exit Outlook.
2. Start Microsoft Windows Explorer.
3. On the Tools menu, click Folder Options, and then click the View tab.
4. Under Advanced Settings, select the Show hidden files and folders check box.
5. Click OK.
6. Click Start, point to Search, and then click All files or folders.
7. In the Search Companion box, type *.NK2 in the All or part of the file name box.
8. In the Look in box, select your local hard disk drive.
9. Click Search.
10. Right-click the .NK2 file with the name of the profile that you want to reset, and then click Rename.
11. Rename the file to profile name.bak, and then press ENTER.
12. Exit Windows Explorer.
13. Restart Outlook.

1. Microsoft Windows Vista

Exit Outlook
Click the Start Menu
Click Search
Click Advanced Search
Check the box for ‘Include non-indexed, hidden, and system files (might be slow)
Search for *.NK2 in the ‘Name’ field

Edgesync Credentials Not Found For Edge Transport

I have an Edge Server deployed in a DMZ. I generated and imported the edge subscription w/o errors. But when i run test-EdgeSynchronization on the Hub transport server i get “No Edgesync credentials were found for edge transport server…” I also receive error 1032 MSExchange EdgeSync “no credentials for edge server” in the Hub transport servers app log.

After some investigation I found out what was the cause of this problem and fixed it. It was a certificate mismatch between the Hub Transport server and the Edge Server. Actually exchange 2007 see mismatch credential in case that Exchange self signed certificate is missing (corrupted or deleted by mistake).

Steps to check the certificate problem:

1. Verify that Hub is able to communicate with Edge on port 50636.
2. Run “Get-ExchangeCertificate” cmdlet on Hub and see if there are any certificates.
3. If there are no certificates found,then regenerated Exchange self signed certificate.
4. In the Exchange Management Shell, run the “New-ExchangeCertificate” cmdlet.
5. It throws a warning and creates a new Exchange Server Certificate.
6. Restart the Transport Service on the Hub.
7. Verify that the thumbprint of the new certificate now matches with the version stored in AD .
8. Remove the present Edge Subscription from the Hub and restart Transport Service.
9. Run “Remove-EdgeSubscription” on the Edge and restart Transport Service.
10. Create a new Edge Subscription on the Edge using “New EdgeSubscription” cmdlet and import the xml file to Hub.
11. Re-subscribe the Edge using the new Subscription file.
12. Initiate synchronization using “Start-EdgeSynchronization” CMDlet.

Now the EdgeSync shall work fine.

Cannot send or receive e-mail messages behind a Cisco PIX firewall

I face problem with Exchange server mail flow.

My client has PIX firewall facing the Internet and ISA 2006 behind it.

I placed my edge server in the DMZ zone and 2 HUB and 2 CAS and SCC mailbox in the internal domain. Suddenly all mail flow stopped and stuck in the Queue in the HUB and the Edge servers.

On the hub server, the get-queue | fl command give the following output

Identity : HUBCAS01\4
DeliveryType : SmtpRelayWithinAdSiteToEdge
NextHopDomain : edgesync – so1-moi to internet
NextHopConnector : 1758a6af-6ef1-4b74-a978-494f28088105
Status : Retry
MessageCount : 1
LastError : 451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted
failover to alternate host, but that did not succeed. Eithe
r there are no alternate hosts, or delivery failed to all al
ternate hosts.
LastRetryTime : 4/7/2008 1:18:59 PM
NextRetryTime : 4/7/2008 1:23:59 PM
IsValid : True
ObjectState : Unchanged

Identity : HUBCAS01\Submission
DeliveryType : Undefined
NextHopDomain : Submission
NextHopConnector : 00000000-0000-0000-0000-000000000000
Status : Ready
MessageCount : 0
LastError :
LastRetryTime :
NextRetryTime :
IsValid : True
ObjectState : Unchanged

You can make these changes to work around a specific problem.

1.Establish a Telnet session to log on to the Cisco PIX firewall. Alternatively, use the console to log on to the Cisco PIX firewall.

2.Type enable, and then press ENTER.

3.When you are prompted for your password, type your password, and then press ENTER.

4.Type configure terminal, and then press ENTER.

5.Type no fixup protocol smtp 25, and then press ENTER.

6.Type write memory, and then press ENTER.

7.Reload the Cisco PIX firewall.

The PIX Software Mailguard feature filters SMTP traffic. This feature was also referred to as Mailhost in earlier versions. In PIX Software versions 4.0 and 4.1, you use the mailhost command to configure Mailguard. In PIX Software version 4.2 and in later versions, you use the fixup protocol smtp 25 command. Mailguard allows connections to an e-mail host only through Transport Control Protocol (TCP) port 25. It logs all SMTP activity. Additionally, it allows only the minimum SMTP server commands found in Request for Comments (RFC) 821, Section 4.5.1.These SMTP server commands are the following seven commands:

•HELO

•MAIL

•RCPT

•DATA

•RSET

•NOOP

•QUIT

Note In addition to the Cisco PIX firewall, there are several firewall products that have SMTP Proxy capabilities that may produce the issues that are described earlier in this article.