Exchange 2007 installed on a 2008 DC can't communicate with the 2008 domain controller (itself)


Situation
Exchange services will not start if the 2008 server that Exchange is on is the only Domain Controller. They MAY start if there is another DC in the environment.
 
Root Cause:
Windows Server 2008 has made TCP/IPv6 the default communication protocol stack over which connections are made by clients connecting to the server that is running Microsoft Exchange. (Exchange is a client of Active Directory.)
If you disable or do not configure IPv6, the server will have problems communicating with itself.
 
There are 2 possible solutions to this issue:

1. Enable and configure IPv6 so that it has the same address as the IPv4 address, e.g. "::FFFF:192.168.x.x"

2. Disable IPv6 and modify the local "hosts" file

Note:
In this step, %SystemRoot% refers to the local hard disk where the Windows system files are located.

a. Open the hosts file (%SystemRoot%\System32\drivers\etc\hosts) in Notepad.
b. Search for the line that contains the term "localhost" by using the CTRL+F key combination.
c. Select the whole line and make it a comment by putting a number sign (#) at the beginning and end of the line.
d. Press ENTER and, on the next line, type the following lines to provide the TCP/IPv4 address, host name, and FQDN for the Exchange server that is running both the Client Access and Mailbox server roles:
  <TCP/IPv4 address>   <host name of the computer>
  <TCP/IPv4 address>   <FQDN of the computer>
e. Click Save, and then close the file.
f. Reboot the server.

This document explains the root cause but is not targeted at this specific issue:
http://technet.microsoft.com/en-us/library/cc671176.aspx
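Before and after applying either solution, it helps to see exactly how the server resolves its own names, since that self-lookup is what Exchange needs to reach the DC. This is an added example, not part of the original post; it assumes a PowerShell session on the Exchange/DC server and hard-codes no names.

```powershell
# Added example (not from the original post): show how this server resolves its own
# short name and FQDN (the lookup Exchange performs against the local DC), whether
# the hosts-file lines from solution 2 are present, and what the adapters really hold.
$ipProps  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$short    = $ipProps.HostName
$fqdn     = "$($ipProps.HostName).$($ipProps.DomainName)"
$hostsTxt = Get-Content (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')

foreach ($name in $short, $fqdn) {
  try {
    $addrs = [System.Net.Dns]::GetHostAddresses($name)
    $v4 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    $v6 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
    "{0,-40} IPv4: {1,-20} IPv6: {2}" -f $name, ($v4 -join ','), ($v6 -join ',')
  } catch {
    "{0,-40} FAILED to resolve: {1}" -f $name, $_.Exception.Message
  }
  # Solution 2 expects an uncommented hosts line mapping the IPv4 address to this name.
  $line = $hostsTxt | Where-Object {
    $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($name))(\s|$)"
  }
  if ($line) { "  hosts entry: $($line -join ' | ')" } else { "  hosts entry: none" }
}

# If resolution returns only an IPv6 address that no adapter actually has (IPv6
# unbound on the adapter but its AAAA record still in DNS), the self-lookup fails.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
  Select-Object Description, @{n='IPAddress'; e={ $_.IPAddress -join ', ' }}
```

A healthy box shows at least one address per name that also appears in the adapter list; solution 2 is complete only when the hosts entries show up for both names.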

   

Doing a Disaster Recovery on an Exchange Server that is also a DC


Have you ever worked on a failed Exchange server that also happens to be a DC? (Not recommended, but it happens.)

Well, if you do and you find yourself trying to recover it, here is how you can.

  1. Note critical information
    1. What are the drive letters
    2. Where are the logs and database located
    3. What is the service pack level
  2. Remove data from the server
  3. Format and re-install the OS, using the same drive letters
  4. Seize roles if they were on the failed server
  5. Run through a metadata cleanup to remove the failed server from AD
  6. Replicate changes to all DCs
  7. Join the rebuilt server to the domain, using the same name
  8. Add the Server object to the correct exchange groups
    1. Exchange 2007 – “Exchange Servers”, “Exchange Install Domain Servers”
    2. Exchange 2010 – “Exchange Servers”, “Exchange Install Domain Servers”, “Exchange Trusted Subsystem”
    3. Exchange 2003 – “Exchange Domain Servers”
  9. Windows Update the server
  10. Do a disaster recovery install of Exchange
    1. Exchange 2003 = setup /disasterrecovery
    2. Exchange 2007\2010 = Setup.com /m:recoverserver
  11. Restore data using the backup application or the recovered databases from the failure
  12. and away you go!
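The recovery setup in step 10 depends on the computer account already being in the groups from step 8, so it is worth checking that before launching it. The script below is an added example, not part of the original post; it assumes a domain-joined session on the rebuilt server with read access to AD and needs no Exchange cmdlets (the $version value is an assumption to set per case).

```powershell
# Added example (not from the original post): confirm the rebuilt computer account
# is in the Exchange groups listed in step 8 for the version being recovered.
$requiredGroups = @{
  '2003' = @('Exchange Domain Servers')
  '2007' = @('Exchange Servers', 'Exchange Install Domain Servers')
  '2010' = @('Exchange Servers', 'Exchange Install Domain Servers', 'Exchange Trusted Subsystem')
}
$version = '2010'   # assumption: set to the Exchange version being recovered

# Look the computer account up by its sAMAccountName (the name with a trailing $).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher.PropertiesToLoad.Add('memberOf') | Out-Null
$computer = $searcher.FindOne()
if (-not $computer) { throw "computer account $env:COMPUTERNAME not found in the domain" }

# memberOf holds group DNs such as CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=...
# Keep only the CN so it can be compared with the group names from step 8.
$memberCNs = @($computer.Properties['memberof']) | ForEach-Object {
  ($_ -split ',')[0] -replace '^CN=', ''
}

$missing = @($requiredGroups[$version] | Where-Object { $memberCNs -notcontains $_ })
if ($missing.Count -gt 0) {
  "Missing groups for Exchange ${version}: $($missing -join ', ') - add them and reboot before step 10"
} else {
  "All required groups present for Exchange ${version}; the step 10 recovery setup can run."
}
```

Membership added after the server's last logon is only in its token after a reboot, which is why the message above says to reboot before continuing.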

Manual uninstall of Exchange 2k7 Edge server


When trying to uninstall the Edge role you receive this message:
"cannot find information about the local server in active directory. this may be related to a change in the server name".

Even after setting the name back to the original, you still cannot uninstall.
If possible, the best solution is to use Remove-EdgeSubscription from the Hub server, then format and re-install the Edge server role.

Or, if this is not possible:

Perform a manual uninstall of the Exchange Edge role

WARNING: Always be sure to have a backup of a Domain controller system state and registry of the server before making any changes

  1. Install and use "Windows Installer Cleanup Utility" to uninstall all Exchange 2007 entries on the Edge server
  2. Use ADSIEdit.msc (may need to install from support tools) to remove the following entries
    1. Open ADSIEdit.msc on the domain controller
      1. Right click ADSI Edit and click Connect to
      2. Select Configuration under Well known naming context
      3. Select Default (domain or computer that you logged in to)
      4. Click OK
    2. Browse to CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=First Organization, CN=Administrative Groups, CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Servers
      1. Delete CN=<edgeserver>
    3. Open ADSIEdit.msc on the Edge server
      1. Right click ADSI Edit and click Connect to
        1. Click Advanced and change the port to 50389
        2. Select Configuration under Well known naming context
        3. Select Default (domain or computer that you logged in to)
        4. Click OK
      2. Browse to CN=Configuration, CN=Services
        1. Delete the CN=Microsoft Exchange key
  3. Delete the DNS entry for the Edge server (not sure that was needed either)
  4. On the Edge server run Regedit
    1. Delete all the MSExchange keys under HKLM\SYSTEM\CurrentControlSet
    2. Delete HKLM\SOFTWARE\Microsoft\Exchange
    3. Delete HKLM\SYSTEM\CurrentControlSet\Services\ADAM_MSExchange
    4. Delete HKLM\SYSTEM\CurrentControlSet\Services\EdgeCredentialSvc
    5. Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADAM_MSExchange$0
    6. Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Exchange
  5. Delete c:\program files\Microsoft
  6. Rename c:\ExchangeSetupLogs to c:\old_ExchangeSetupLogs
  7. Reinstall Edge
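The warning above asks for a backup before touching anything; for the registry step that can be done key by key so each deletion is reversible. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the Edge server, and the backup folder path is an assumption.

```powershell
# Added example (not from the original post): export each registry key from the
# Regedit step with reg.exe before removing it, so a bad run can be rolled back
# by double-clicking the .reg file. Assumes an elevated session on the Edge server.
$backupDir = 'C:\EdgeCleanupBackup'   # assumption: any writable folder
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$keys = @(
  'HKLM\SOFTWARE\Microsoft\Exchange',
  'HKLM\SYSTEM\CurrentControlSet\Services\ADAM_MSExchange',
  'HKLM\SYSTEM\CurrentControlSet\Services\EdgeCredentialSvc',
  'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADAM_MSExchange$0',
  'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Exchange'
)
# "All the MSExchange keys under CurrentControlSet" are the service keys, so
# enumerate Services for names starting with MSExchange instead of hard-coding them.
$keys += Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
  Where-Object { $_.PSChildName -like 'MSExchange*' } |
  ForEach-Object { 'HKLM\SYSTEM\CurrentControlSet\Services\' + $_.PSChildName }

foreach ($key in $keys) {
  $psPath = 'Registry::' + $key
  if (-not (Test-Path -LiteralPath $psPath)) { Write-Host "skip (absent): $key"; continue }
  # File name derived from the key path; characters reg.exe or NTFS would dislike become '_'.
  $file = Join-Path $backupDir (($key -replace '[\\:$ ]', '_') + '.reg')
  & reg.exe export $key $file /y | Out-Null
  if ($LASTEXITCODE -ne 0) { throw "export failed for $key; not deleting it" }
  Remove-Item -LiteralPath $psPath -Recurse -Force
  Write-Host "backed up to $file and removed: $key"
}
```

Keys are only deleted after their export succeeds, so an export failure stops the run with the registry untouched from that point on.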

Useful Exchange PowerShell 2007\2010


(Active work in progress)

2010=Orange
2007=Green
Both=Black

Mailbox

    Function: Commandlet

    Check DAG replication status:
      Get-MailboxDatabaseCopyStatus
    Check CCR replication status:
      Get-StorageGroupCopyStatus
    Test cluster replication health:
      Test-ReplicationHealth
    Clean mailbox database:
      Get-MailboxDatabase | Clean-MailboxDatabase
    CSV report of mailbox statistics ordered greatest to least:
      Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | Select-Object DisplayName, ItemCount, TotalItemSize | Export-Csv -Path c:\mboxStats.csv
    Reseed all storage groups:
      Get-StorageGroup -Server RR-MB-CLUS | Suspend-StorageGroupCopy
      Get-StorageGroup -Server RR-MB-CLUS | Update-StorageGroupCopy -DeleteExistingFiles
    Reseed all failed 2010 mailbox databases (from the passive node):
      Get-MailboxDatabaseCopyStatus | where {$_.Status -like "Failed"} | Suspend-MailboxDatabaseCopy
      Get-MailboxDatabaseCopyStatus | where {$_.Status -like "Suspended"} | Update-MailboxDatabaseCopy -DeleteExistingFiles
    Reseed all failed 2007 storage groups:
      Get-StorageGroupCopyStatus | where {$_.SummaryCopyStatus -like "Failed"} | Suspend-StorageGroupCopy
      Get-StorageGroupCopyStatus | where {$_.SummaryCopyStatus -like "Suspended"} | Update-StorageGroupCopy -DeleteExistingFiles
    Remove all move requests:
      Get-MoveRequest | Remove-MoveRequest

Client Access

    Function: Commandlet

      Test-ActiveSyncConnectivity
      Test-OutlookWebServices
      Test-OwaConnectivity
      Test-WebServicesConnectivity

Transport\Edge

    Function: Commandlet

      Test-EdgeSynchronization
      Test-Mailflow

Other

    Function: Commandlet

      Test-ServiceHealth
      Test-SystemHealth
    Cert request for a public CA:
      New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, O=Company, CN=mail.domain.com" -DomainName mail.domain.com,autodiscover.domain.com,hostname,hostname.domain.local -FriendlyName mail.domain.com -PrivateKeyExportable:$true -Path c:\cert_myserver.txt
    Import public cert:
      Import-ExchangeCertificate -Path "C:\CertificateFile.cer" | Enable-ExchangeCertificate -Services pop, smtp, iis, imap
    Store credentials once, then use $cred as the value of -Credential on any command that requires it:
      $cred = Get-Credential

RBAC YAY!!!


OK, not yay ... it's all good until you have to go outside of the built-in groups 😉
In case you don't know, "Role Based Access Control" is the new permission model for Exchange 2010. It allows you to be granular and specific in your delegation of permissions, which is a great thing, but it takes a good deal of forethought to get properly configured.
Not for the faint of heart; in fact I wouldn't recommend it unless you have a REAL need for it. For most people the defaults (listed on the right) are good enough.

The good news is that once you do, you can simply put your admins into the applicable groups.

So as I'm trying to figure this out, here is what I came up with for syntax to give "Site 1 Mail Admins" management permission for users in OU "Site 1":

New-RoleGroup -Name "OKC MAIL ADMINS" -Members "Site1 MAIL ADMINS" -Roles "Mail Recipients", "User Options", "Mail Recipient Creation", "Mail Enabled Public Folders", "Distribution Groups" -RecipientOrganizationalUnitScope "ex2010/Lab Users/Site 1"

Here is the breakdown:

So now I can add my admins to that group and they can manage users and distribution groups in that OU.
I do want to point out that this is specific to Exchange and is not the same as AD permissions.
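Since the whole point of the OU scope is that the group cannot touch recipients elsewhere, it is worth proving that after creating it. The following is an added example, not part of the original post; it assumes the Exchange 2010 Management Shell and two mailboxes, one inside OU "Site 1" and one outside it (both addresses are assumptions).

```powershell
# Added example (not from the original post): confirm what the role group created
# above can actually write to. Assumes the Exchange 2010 Management Shell.
$group   = 'OKC MAIL ADMINS'
$inside  = 'site1.user@ex2010.local'   # assumption: a mailbox in OU "Site 1"
$outside = 'hq.user@ex2010.local'      # assumption: a mailbox outside that OU

# Every assignment the group received, with the scope Exchange recorded for it.
Get-ManagementRoleAssignment -RoleAssignee $group |
  Format-List Role, RoleAssigneeType, *RecipientWriteScope*, RecipientReadScope

# The real test: which of those assignments permit writing to a given recipient?
# A recipient outside the OU scope should come back with no assignments at all.
foreach ($recipient in $inside, $outside) {
  $usable = @(Get-ManagementRoleAssignment -RoleAssignee $group -WritableRecipient $recipient)
  if ($usable.Count -gt 0) {
    "$recipient : writable through " + (($usable | ForEach-Object { $_.Role }) -join ', ')
  } else {
    "$recipient : not writable by $group (outside the OU scope, as intended)"
  }
}
```

If the outside mailbox comes back writable, the scope did not apply the way the command intended and the assignments listed first show which role is responsible.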

WWW Service Missing !!


While not specifically an Exchange issue, this could occur on an Exchange server.
Had a situation where the WWW service was missing even after re-installing IIS.

It turned out there was a Group Policy that changed permissions on the registry and did not allow the install.

Solution:

  1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  2. Give Full Control to the Administrators group on the Svchost key
  3. Uninstall the WWW service only
  4. Re-install the WWW service

Now the service should be there and running.
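Steps 1 and 2 are a permission check and a permission grant, which can be scripted so the state of the key is verified before and after. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the affected server.

```powershell
# Added example (not from the original post): check whether BUILTIN\Administrators
# holds Full Control on the Svchost key from step 1 and, if not, grant it (step 2).
# If the GPO that stripped the right is still linked it will strip it again at the
# next policy refresh, so check gpresult and correct the GPO as well.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$admins  = 'BUILTIN\Administrators'
$full    = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-SvchostAdminFullControl {
  $acl = Get-Acl -Path $keyPath
  $allow = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $admins -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.RegistryRights -band $full) -eq $full)
  }
  return [bool]$allow
}

if (Test-SvchostAdminFullControl) {
  "Administrators already have Full Control on $keyPath"
} else {
  $acl = Get-Acl -Path $keyPath
  # Allow Full Control, inherited by subkeys (the per-service Svchost entries).
  $ruleArgs = @($admins, $full, 'ContainerInherit', 'None', 'Allow')
  $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
  $acl.AddAccessRule($rule)
  Set-Acl -Path $keyPath -AclObject $acl
  "Granted Full Control; re-check: " + (Test-SvchostAdminFullControl)
}
```

Get-Acl itself needs read access to the key; if even that was removed, take ownership of the key as an administrator first and then rerun the script.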

If you loved PFDAVADMIN…..


In 2010 PFDAVAdmin is going away, but the good news is there is a new tool called ExFolders:

http://msexchangeteam.com/archive/2009/12/04/453399.aspx

You can download it here:
http://msexchangeteam.com/files/12/attachments/entry453398.aspx

Quote from the MS Exchange Team:

“For better or worse, ExFolders still has the same user interface as PFDAVAdmin, so things will look very familiar. However, there are a few changes I want to highlight.

  • ExFolders must be run from an Exchange 2010 server – it cannot be run from a workstation as PFDAVAdmin could. It can connect to Exchange 2010 or Exchange 2007, but not older versions.
  • Remove Item-Level Permissions is gone, because there are no item-level permissions in Exchange 2007 or 2010.
  • DACL fix functionality is gone. With no WebDAV and no M: drive, non-canonical DACLs should be practically unheard of.
  • Permissions export format between PFDAVAdmin and ExFolders are compatible.

There are also a few new features:

  • Folder property imports are now supported. You were able to do folder property exports with PFDAVAdmin, but not imports.
  • Item property exports are supported – that is, you can export a set of properties from all items in a folder. This feature request has come up again and again for troubleshooting purposes. Item property imports are not supported.
  • ExFolders supports the new free/busy permissions that were introduced in Exchange 2007 and Outlook 2007.
  • You can now connect to multiple mailbox stores at the same time, so you can run a batch operation against several mailbox stores or all mailboxes in the org if you need to.”