No Personal Archive in Outlook 2010 with an old MSDN Key
Posted by Juergen on 4 Nov 2010.
Today I wasted several hours troubleshooting why I could not see the Personal Archive in Office Outlook 2010.
I was sure that this user in my new test environment had a Personal Archive; the archive was visible in Outlook Web App. I verified that I had installed the correct Microsoft Office version – Microsoft Office Professional Plus 2010. There were no error messages, but I could not see the archive mailbox!
Finally I found the blog article “No Access to Online Archive in Outlook 2010 Professional Plus?”, written by Jeff Guillet. This article explains the issue.
I used an MSDN license key that was generated this spring when Office 2010 was made available on MSDN. If you use this key, you cannot get access to the Personal Archive.
You have to generate a new key on MSDN and change the product key of the existing installation (Control Panel > Programs and Features > Microsoft Office Professional Plus 2010 > Change > Enter a product key).
Afterwards you can start to use the Personal Archive in Outlook 2010.
IT Admin Tech Talk 2010
Posted by Juergen on 18 Aug 2010.
I will deliver two sessions on Monday 27th September during the IT Admin Tech Talk 2010 event.
The first session is about high availability / disaster recovery planning for Exchange Server 2007 and Exchange Server 2010. The second session is about Exchange database backup / recovery and low-level maintenance using ESEUTIL and ISINTEG.
Exchange Trusted Subsystem
Posted by Juergen on 2 Aug 2010.
During the past Exchange Server 2007 to Exchange Server 2010 migrations, I came across the following error message when we selected a Client Access Server in the Exchange Management Console: “An IIS directory entry couldn’t be created. The error message is Access is denied.”
After searching the Internet we found the following two links that provide a solution for the error:
The security group “Exchange Trusted Subsystem” was not a member of the local Administrators group on the servers running Exchange Server 2007.
The Microsoft Exchange Team Blog article “Exchange 2007 Service Pack 2 Prerequisites” notes that this group is created during the Active Directory preparation phase. This group is then added to the local Administrators group of the Exchange server when you install the service pack.
I was aware of the role this security group has if you host the File Share Witness on a file server and not on an Exchange Server. This is described in this blog article written by Tim McMichael. However, I was not aware of the relation between this group and Role Based Access Control (RBAC). The TechNet article “Understanding Split Permissions” contains the following section:
“If RBAC allows an action to proceed, the action is performed in the context of the Exchange Trusted Subsystem and not the user’s context. The Exchange Trusted Subsystem is a highly privileged universal security group (USG) that has read/write access to every Exchange-related object in the Exchange organization. It’s also a member of the Administrators local security group and the Exchange Windows Permissions USG, which enables Exchange to create and manage Active Directory objects.”
You can find additional information about this topic in the article “Exchange 2010 and the Exchange Trusted Subsystem” and especially in this excellent summary “Busting the Exchange Trusted Subsystem Myth” written by Devin Ganger.
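As an added example (not from the original post, and not Microsoft's code), the following PowerShell snippet checks on an Exchange 2007 server whether the Exchange Trusted Subsystem group is actually a member of the local Administrators group, which is the condition behind the “Access is denied” error above, and adds it when run with -Fix. It assumes it runs locally with administrative rights; the $DomainNetBios parameter (defaulting to the current user's domain) is an assumption.

```powershell
# Added example, not from the original post: verify that the
# "Exchange Trusted Subsystem" USG (created during Exchange 2010 AD preparation)
# is a member of the local Administrators group on this Exchange 2007 server.
# Assumptions: runs locally with admin rights; $DomainNetBios is the NetBIOS
# name of the domain that holds the Exchange organization.
param(
    [string]$DomainNetBios = $env:USERDOMAIN,
    [switch]$Fix
)

$groupName = 'Exchange Trusted Subsystem'
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# The WinNT provider returns members as COM objects; read each member's
# ADsPath, which looks like WinNT://CONTOSO/Exchange Trusted Subsystem
$memberPaths = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

$present = @($memberPaths | Where-Object { $_ -like "*/$groupName" }).Count -gt 0

if ($present) {
    Write-Host "OK: '$groupName' is a member of local Administrators on $env:COMPUTERNAME."
}
else {
    Write-Warning "'$groupName' is NOT a member of local Administrators on $env:COMPUTERNAME."
    Write-Warning 'Selecting this server in the EMC will fail with "An IIS directory entry couldn''t be created".'
    if ($Fix) {
        # Do what the SP2 setup normally does: add the domain USG to the local group.
        $admins.psbase.Invoke('Add', "WinNT://$DomainNetBios/$groupName,group")
        Write-Host "Added '$DomainNetBios\$groupName' to local Administrators."
    }
}
```

Run it once on every Exchange 2007 server in the organization; the WinNT provider is used because it also works on servers without the Active Directory PowerShell module.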
The Experts Conference Europe 2010
Posted by Juergen on 18 Jun 2010.
I was lucky: two proposals have been accepted for the upcoming The Experts Conference Europe in Duesseldorf. I will present two sessions, one session about Backup & Recovery using VSS and another session about Jetstress & LoadGen.
I am looking forward to an interesting event and a nice time in Duesseldorf.
Exchange Disaster Recovery Workshop
Posted by Juergen on 6 Jun 2010.
I will deliver a half day workshop on 10 June 2010 about Exchange Server Disaster Recovery for the IT Administrator Magazine in Munich.
The event is already sold out.
Comparing AD Schemas
Posted by Juergen on 6 Jun 2010.
For an upcoming AD upgrade from Windows Server 2003 to Windows Server 2008 R2 I recommended verifying the procedure in a test lab. However, the customer was unsure which schema extensions he had deployed in his production environment.
You can set up a test lab AD forest and install the schema extensions of the applications that you are sure have been deployed in your production AD forest, for example Exchange Server 2007 or Office Communications Server 2007.
Now you can use the steps described in the TechNet Magazine article “Export, Compare, and Synchronize Active Directory Schemas” or in the Directory Services Team blog article “Determine Applied Schema Extensions with AD DS/LDS Schema Analyzer” to compare your production AD schema with the schema of your test lab using the AD DS/LDS Schema Analyzer.
This allows you to see which schema extensions might be missing.
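Where the Schema Analyzer is not at hand, the same comparison can be done from PowerShell. The following is an added example (not from the original post or from the referenced articles): it reads the lDAPDisplayName of every class and attribute in the schema partition of two forests through System.DirectoryServices, which is available on Windows Server 2003 without the Active Directory module, and lists the objects that exist in production but not in the lab. The domain controller names and the lab credential are assumptions.

```powershell
# Added example, not from the original post or the TechNet article: list the
# schema classes and attributes that exist in the production forest but not in
# the test lab forest. Uses System.DirectoryServices only (works on Windows
# Server 2003, no AD PowerShell module needed). Server names are assumptions.

function Get-SchemaObjectNames {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [System.Management.Automation.PSCredential]$Credential
    )

    # With $null user/password DirectoryEntry binds as the current user
    $user = $null
    $pass = $null
    if ($Credential) {
        $user = $Credential.UserName
        $pass = $Credential.GetNetworkCredential().Password
    }

    # RootDSE tells us the DN of the schema partition of that forest
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE", $user, $pass)
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$schemaNc", $user, $pass)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.Filter   = '(|(objectClass=attributeSchema)(objectClass=classSchema))'
    $searcher.PageSize = 1000      # paged search: the schema holds well over 1000 objects
    [void]$searcher.PropertiesToLoad.Add('lDAPDisplayName')

    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['ldapdisplayname'][0] }
}

# Assumed names: one DC from the production forest, one from the lab forest
$prod = Get-SchemaObjectNames -Server 'dc01.prod.example.com'
$lab  = Get-SchemaObjectNames -Server 'dc01.lab.example.com' -Credential (Get-Credential 'LAB\Administrator')

"Schema objects present in production but missing from the lab ($($prod.Count) vs. $($lab.Count)):"
Compare-Object -ReferenceObject $prod -DifferenceObject $lab |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { $_.InputObject } |
    Sort-Object
```

The names of the missing objects usually reveal the product that added them (for example the msExch* attributes of Exchange or the msRTCSIP* attributes of Office Communications Server), which is exactly the information needed to decide which extension still has to be installed in the lab.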
The Experts Conference 2010 Los Angeles
Posted by Juergen on 2 May 2010.
Initially I was afraid that my flight to LA would be canceled because of the ash ejected by the volcano in Iceland. However, I arrived in time and had a nice week in LA. It was the first time that I attended TEC US. Last fall I already delivered two sessions at TEC Europe in Berlin. TEC 2010 US was bigger than TEC Europe, but still small enough that it is very easy for attendees to interact with speakers. I often heard that this and the technical depth of the sessions are the main reasons why the event is popular.
On Monday I delivered a session about “Exchange Server 2010 Backup & Restore Using VSS” and on Tuesday a session about “Exchange 2010 Design Validation Using Jetstress & LoadGen”. Attendees will be able to download the slides from the event website.
I will likely post a blog article about these topics in the upcoming weeks.
SMTP Proxy Firewalls and TLS
Posted by Juergen on 11 Apr 2010.
I found the following issue while I implemented Transport Layer Security for a customer. We installed an SSL certificate on the Exchange server. However, emails sent to the Internet or received from the Internet were not secured with TLS. If we used telnet on the Exchange server to connect to port 25 on the localhost, then we saw the extended commands of the SMTP server, including STARTTLS. If we connected from the Internet to port 25 on the external interface of the firewall, then some of the extended SMTP commands were not visible.
The firewall was a WatchGuard FireBox. I found the following articles that describe the reason for this behaviour:
The SMTP proxy module of the firewall stripped certain commands. After the firewall was reconfigured to use the SMTP packet filter module for incoming and outgoing traffic, TLS was working fine.
According to Microsoft Knowledge Base Article 948803 you can have the same problem with a Cisco ASA firewall.
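The telnet comparison above can be scripted so that it is repeatable after every firewall change. The following PowerShell function is an added example (not from the original post or from any vendor): it opens a TCP connection to port 25, reads the banner, sends EHLO and returns the extension keywords from the multi-line 250 reply. Running it against localhost on the Exchange server and, from a host on the Internet, against the public name of the firewall shows which extensions the SMTP proxy removes. The host names and the EHLO name are assumptions.

```powershell
# Added example, not from the original post: collect the SMTP extensions a
# server advertises in its EHLO reply, so the view from inside (localhost on
# the Exchange server) can be compared with the view through the firewall.
# Host names and the EHLO name are assumptions.

function Get-SmtpExtensions {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'probe.example.com'   # assumed name sent in EHLO
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 10000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    try {
        # Read the banner; a multi-line reply uses "220-" and ends with "220 "
        do {
            $line = $reader.ReadLine()
        } while ($line -ne $null -and $line.Length -gt 3 -and $line[3] -eq '-')

        $writer.WriteLine("EHLO $HeloName")
        $replyLines = @()
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null) { break }
            $replyLines += $line
        } while ($line.Length -gt 3 -and $line[3] -eq '-')
        $writer.WriteLine('QUIT')

        if ($replyLines.Count -eq 0 -or -not $replyLines[0].StartsWith('250')) {
            throw "EHLO to ${Server}:$Port was rejected: $($replyLines -join ' ')"
        }
        # Line 1 is "250 hostname greeting"; the others carry one extension
        # each, e.g. STARTTLS, SIZE 10485760, AUTH LOGIN, 8BITMIME
        $replyLines | Select-Object -Skip 1 | ForEach-Object {
            ($_.Substring(4).Trim() -split ' ')[0].ToUpper()
        }
    }
    finally {
        $client.Close()
    }
}

# Run on the Exchange server: what the server itself offers
$inside = @(Get-SmtpExtensions -Server 'localhost')
# Run from a host on the Internet (paste $inside from the first run if needed):
# what arrives through the firewall
$outside = @(Get-SmtpExtensions -Server 'mail.example.com')

$stripped = @(Compare-Object $inside $outside |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { $_.InputObject })

if ($stripped.Count -gt 0) {
    Write-Warning ("Advertised internally but not visible from outside: " + ($stripped -join ', '))
}
if ($inside -contains 'STARTTLS' -and -not ($outside -contains 'STARTTLS')) {
    Write-Warning 'STARTTLS is removed on the path: a device (SMTP proxy) rewrites the EHLO reply, so remote servers cannot negotiate TLS.'
}
elseif ($outside -contains 'STARTTLS') {
    Write-Host 'STARTTLS is visible from outside; TLS can be negotiated.'
}
```

The two calls normally run on two different machines (the Exchange server and an external host), so in practice the inside list is captured once and pasted into the script run from outside; the comparison logic is the same either way.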
OpenWrt on Netgear WNDR3700 Router
Posted by Juergen on 11 Apr 2010.
A few weeks ago I bought a new WLAN router. However, after a few days I encountered two issues with the Netgear firmware. The implementation of static routes is flawed. You can ping servers behind the second router, but you cannot connect to services provided by servers behind the second router. The second issue is that the firmware only supports port forwarding but not port address translation. You can map port A of the external interface to port A of an internal server. However, you cannot redirect port A of the external interface to port B of an internal server. This is a big disadvantage if you would like to connect with RDP to multiple internal servers from the Internet. With my old router I was able to connect to FQDN-WAN-Interface:PortA and I was redirected to InternalServer1:Port3389, or FQDN-WAN-Interface:PortB and I was redirected to InternalServer2:Port3389, and so on.
I recommend that you browse through the WNDR3700 discussion forum before you buy this device.
Initially I considered returning the router, but I made the decision to use it as an opportunity to refresh my programming skills. After my studies I worked several years as a Unix and VxWorks system programmer.
I replaced the Netgear firmware with a self-compiled version of OpenWrt. OpenWrt is a Linux distribution for embedded devices. You can find a detailed description of the necessary steps to build the firmware for the WNDR3700 on the OpenWrt website. Now I use iptables to translate external and internal ports, and of course static routes are working, too.
Failover Clustering with multiple NICs on the same IP subnet
Posted by Juergen on 12 Mar 2010.
During the design phase of an Exchange Server 2010 environment I was asked if servers forming a DAG can use a shared IP subnet for the MAPI network and the Replication network.
The answer is NO.
I remembered from previous Windows operating system versions that there are issues with multiple adapters on the same subnet. This is described in Microsoft Knowledge Base Article 175767.
The Planning for High Availability and Site Resilience chapter of the Exchange Server 2010 online documentation provides this section:
“Each network in each DAG member server must be on its own network subnet. Each server in the DAG can be on a different subnet, but the MAPI and Replication networks must be routable and provide connectivity, such that:
- Each network in each DAG member server is on its own network subnet that’s separate from the subnet used by each other network in the server.
- Each DAG member server’s MAPI network can communicate with each other DAG member’s MAPI network.
- Each DAG member server’s Replication network can communicate with each other DAG member’s Replication network.
- There is no direct routing that allows heartbeat traffic from the Replication network on one DAG member server to the MAPI network on another DAG member server, or vice versa, or between multiple Replication networks in the DAG.”
The technical background is explained in the article “Windows Server 2008 Failover Clusters: Networking” posted on the Ask the Core Team blog:
“It is important in any cluster that there are no NICs on the same node that are configured to be on the same subnet. This is because the cluster network driver uses the subnet to identify networks and will use the first one detected and ignore any other NICs configured on the same subnet on the same node. The cluster validation process will register a Warning if any network interfaces in a cluster node are configured to be on the same network. The only possible exception to this would be for iSCSI (Internet Small Computer System Interface) connections. If iSCSI is implemented in a cluster, and MPIO (Multi-Path Input/Output) is being used for fault-tolerant connections to iSCSI Storage, then it is possible that the network interfaces could be on the same network. In this configuration, the iSCSI network in the Failover Cluster Manager should be configured such that cluster would not use it for any cluster communications.”
This three-part blog article provides very good information about the network configuration of a Windows Server 2008 Failover Cluster.
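The rule quoted above is easy to verify on a DAG member before the cluster validation wizard complains about it. The following PowerShell snippet is an added example (not from the original post or from the referenced articles): it reads the IPv4 address and mask of every enabled adapter through WMI, derives the network each adapter is on, and flags every subnet that is shared by more than one adapter on the node. It runs locally and assumes nothing beyond WMI access.

```powershell
# Added example, not from the original post: list the IPv4 networks of all
# enabled adapters on this node and flag every subnet that more than one
# adapter sits on, which is the configuration the cluster network driver
# cannot handle (it keeps the first adapter it finds and ignores the rest).

function Get-NetworkId {
    param([string]$Address, [string]$Mask)
    # Network address = IP AND mask, byte by byte; returned as "a.b.c.d/mask"
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) { $a[$i] -band $m[$i] }
    return ($net -join '.') + '/' + $Mask
}

function Test-NodeSubnets {
    $entries = @()
    $configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($cfg in $configs) {
        # IPAddress and IPSubnet are parallel arrays; keep the IPv4 entries only
        for ($i = 0; $i -lt $cfg.IPAddress.Count; $i++) {
            if ($cfg.IPAddress[$i] -match '^\d+\.\d+\.\d+\.\d+$') {
                $entries += New-Object PSObject -Property @{
                    Adapter = $cfg.Description
                    Address = $cfg.IPAddress[$i]
                    Network = Get-NetworkId $cfg.IPAddress[$i] $cfg.IPSubnet[$i]
                }
            }
        }
    }
    # One row per subnet, with the adapters that live on it
    $entries | Group-Object Network | ForEach-Object {
        $adapters = @($_.Group | ForEach-Object { $_.Adapter } | Sort-Object -Unique)
        New-Object PSObject -Property @{
            Network  = $_.Name
            Adapters = ($adapters -join '; ')
            Shared   = ($adapters.Count -gt 1)
        }
    }
}

$result = @(Test-NodeSubnets)
$result | Format-Table Network, Shared, Adapters -AutoSize

$shared = @($result | Where-Object { $_.Shared })
if ($shared.Count -gt 0) {
    Write-Warning 'At least one subnet is shared by more than one adapter on this node.'
    Write-Warning 'The cluster network driver registers only the first adapter it finds on that subnet; put the MAPI and Replication networks on separate subnets.'
}
else {
    Write-Host 'Every adapter on this node is on its own subnet.'
}
```

Run it on every DAG member; a result with Shared set to True for any network is exactly the situation the cluster validation report flags as a warning, and for a DAG it means the MAPI and Replication networks have to be moved to separate subnets before the DAG is created.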