Exchange 2007 installed on 2008 DC cant communicate with 2008 domain controller (itself)

Situation

Exchange services will not start if the 2008 server that exchange is on is the only Domain Controller, it MAY start if there is another DC in the environment

 

Root Cause:
Windows Server 2008 has made TCP/IPv6 the default communication protocol stack over which connections are made by clients connecting to the server that is running Microsoft Exchange. (Exchange is a client of Active Directory)
If you disable or do not configure IPV6 you will have problems communicating with itself.

 

There are 2 possible solutions to this issue

 

1. Enable and Configure ipv6 to have a the same address as the IPV4 address Ex  “::FFFF:192.168.x.x”

2. Disable IPV6 and modify local “host” file 

Note:   
In this step, %SystemRoot% refers to the local hard disk where the Windows system files are located.   

b. Search for the line that contains the term “localhost” by using the CTR+F key combination. 
c. Select the whole line and make it a comment by putting a number sign (#) at the beginning and end of the line. 
d. Press ENTER and, on the next line, type the following lines to provide the TCP/IPv4 address, hostname, and FQDN name for the Exchange server that is running both the Client Access and Mailbox server roles: 
  <TCP/IPv4 address>   <host name of the computer> 
  <TCP/IPv4 address>   <FQDN of the computer> 
e. Click Save, and then close the file.  
f. Reboot the server

This Document explainse the cause root cause but is not targeted to this issue.
http://technet.microsoft.com/en-us/library/cc671176.aspx
   

Doing a Disaster Recovery on a Exchange Server that is also a DC

Have you every worked on a failed exchange server that also happens to be a DC (not recommended, but it happens)

Well if you do and you find yourself trying to recover it here is how you can.

1. Note critical information
   1. What are the drive letters
   2. Where is the logs and database located
   3. What is the service pack level
2. Remove data from server
3. Format and re-install the OS – using the same drive letters
4. Seize Roles if they were on the failed server
5. Run through a metadata cleanup to remove the failed server from AD
6. Replicate changes to all DCs
7. Join rebuilt server to the domain  – Using the Same name
8. Add the Server object to the correct exchange groups
   1. Exchange 2007 – “Exchange Servers”, “Exchange Install Domain Servers”
   2. Exchange 2010 – “Exchange Servers”, “Exchange Install Domain Servers”, “Exchange Trusted Subsystem”
   3. Exchange 2003 – “Exchange Domain Servers”
9. Windows Update the Server
10. Do a disaster recovery install of exchange
    1. Exchange 2003 = setup /disasterrecovery
    2. Exchange 2007\2010 = Setup.com /m:recoverserver
11. Restore data using backup application or recovered databases from failure
12. and away you go!

Technorati Tags: Exchange 2007,Windows 2008,Windows 2003,Disaster recovery, Exchange 2010

Manual uninstall of Exchange 2k7 Edge server

When trying to uninstall Edge role you receive this message
“cannot find information about the local server in active directory. this may be related to a change in the server name”.

Even after setting name back to the original still cannot uninstall
If possible the best solution is to use remove-edgesubscription from the hub server, and format and re-install the edge server role.

Or if this is not possible

Perform a manual uninstall of Exchange Edge role

WARNING: Always be sure to have a backup of a Domain controller system state and registry of the server before making any changes

1. 1. Install and use “Windows Installer Cleanup Utility” to uninstall Exchange all 2007 entries on the edge server
   1. Use ADSIEdit.msc (may need to install from support tools) to remove the following entries
      1. Open ADSIedit.msc on the domain controlle
         1. Right click ADSI Edit and click connect to
         2. Select Configuration under well known naming contex
         3. Select Default (domain or computer that you logged in to
         4. Click o
      2. Browse to CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=First Organization, CN=Administrative Groups, CN=Exchange Administrative Groups (FYDIBOHF23SPDLT), CN=Servers
         1. Delete CN=<edgeserver
   2. Open ADSIedit.msc on the Edge serve
      1. Right click ADSI Edit and click connect to
         1. Click Advanced and change port to: 50389
         2. Select Configuration under well known naming contex
         3. Select Default (domain or computer that you logged in to
         4. Click ok
      2. Browse to CN=Configuration, CN=Services
         1. Delete CN=”Microsoft Exchange” key
2. Delete DNS entry for edge (not sure that was needed either)
3. On the edge Server run Regedit
   1. Delete all the MSExchange keys under HKLM\System\currentcontrolset
   2. Delete HKLM\software\microsoft\Exchange
   3. Delete HKLM\SYSTEM\Currentcontrolset\services\ADAM_MSExchange
   4. Delete HKLM\SYSTEM\Currentcontrolset\services\ EdgeCredentialsvc
   5. Delete HKLM\software\microsoft\software\windows\currentVersion\uninstall\ADAM_MSExchange$0
   6. Delete HKLM\software\microsoft\software\windows\currentVersion\uninstall\Microsoft Exchang
4. Delete c:\program files\Microsoft
5. Renamed c:\ExchangeSetupLogs to c:\old_ExchangeSetupLogs
6. reinstall Edge

Useful Exchange Powershell 2007\2010

(Active Work in progress)

2010=Orange
2007=Green
Both=Black

Mail Box

Function	Commandlet
Check DAG replication status	get-mailboxdatabasecopystatus
Check CCR replication status	get-storagegroupcopystatus
Test Cluster Replication health	test-replicationhealth
Clean Mail Box Database	Get-MailboxDatabase | Clean-MailboxDatabase
CSV Report for mail statistics ordered Greatest to least.	Get-MailboxStatistics | sort-object totalitemsize -Descending  | select-object displayname, itemcount, totalitemsize | Export-Csv -path c:\mboxStats.csv
Reseed all Storage groups	Get-StorageGroup -Server RR-MB-CLUS | suspend-StorageGroupCopy Get-StorageGroup -Server RR-MB-CLUS | Update-StorageGroupCopy -DeleteExistingFiles
Reseed all failed 2010 Mailbox databases (from passive node)	Get-MailboxDatabaseCopyStatus | where {$_.Status -like "Failed"} | suspend-MailboxDatabaseCopy Get-MailboxDatabaseCopyStatus | where {$_.Status -like "suspended "} | Update-MailboxDatabaseCopy –DeleteExistingFiles
Reseed all failed 2007 Storage Groups	Get-StoragegroupCopyStatus | where {$_.summarycopystatus -like "Failed"} | suspend-StoragegroupCopy Get-StoragegroupCopyStatus | where {$_.summarycopystatus -like "suspended"} | Update-StoragegroupCopy –DeleteExistingFiles
Remove all Move requests	get-moverequest | remove-moverequest

Client Access

Function	Commandlet
	Test-ActiveSyncConnectivity
	Test-OutlookWebServices
	Test-OwaConnectivity
	Test-WebServicesConnectivity

Transport\Edge

Function	Commandlet
	Test-EdgeSynchronization
	Test-Mailflow

 

Other

Function	Commandlet
	Test-ServiceHealth
	Test-SystemHealth
Cert Request for public CA	New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, O=Company, CN=mail.domain.com" -domainname mail.domain.com,autodiscover.domain.com,hostname,hostname.domain.local -FriendlyName mail.domain.com -privatekeyexportable:$true -path c:\cert_myserver.txt
Import public cert	Import-ExchangeCertificate –Path “C:\CertificateFile.cer” | Enable-ExchangeCertificate -Services pop, smtp, iis, imap
use this then on any command you run that requires –credential the value is $cred	$cred = get-credential

 

RBAC YAY!!!

OK not yay ….. its all good until you have to go outside of the built in groups 😉
In case you don’t know “Role Based Access Control” is the new permission model for exchange 2010, it allows you to be granular and specific in your delegation of permissions, which is a great thing but takes a good deal of forethought to get properly configured. 
Not for the feint of heart, in fact wouldn’t recommend it unless you have a REAL need it. For most people the defaults(listed on the right) are good enough

The good news is once you do you can simply put your admins into the applicable groups.

So as I’m trying to figure this out here is what I came up with for syntax to give “Site 1 Mail Admins” management permission for users in OU “Site 1”

New-RoleGroup -name “OKC MAIL ADMINS” -Members “Site1 MAIL ADMINS” -Roles “Mail Recipients”, “User options”, “Mail Recipient Creation”, “Mail Enabled Public Folders”, “Distribution Groups”,” –RecipientOrganizationalUnitScope “ex2010/Lab Users/Site 1”

here is the break down

• New-rolegroup > the is the RBAC group your creating
• -name >(hmm wonder what I should put here…. maybe the name of my new group!)
• -Members > can be users or groups, I would highly recommend AD groups
• -roles > here is where it gets fun Full List of roles
  • Database Copies Role
  • Databases Role
  • Disaster Recovery Role
  • Distribution Groups Role
  • Mail Enabled Public Folders Role
  • Mail Recipient Creation Role
  • Mail Recipients Role
  • Mailbox Import Export Role
  • Mailbox Search Role
  • Message Tracking Role
  • Migration Role
  • Monitoring Role
  • Move Mailboxes Role
  • Public Folder Replication Role
  • Public Folders Role
  • Retention Management Role
  • Security Group Creation and Membership Role
  • Transport Queues Role
  • UM Mailboxes Role
  • UM Prompts Role
  • View-Only Configuration Role
  • View-Only Recipients Role
• –RecipientOrganizationalUnitScope  > this is the OU your group will manage in “Domain.local\OU 1\ OU2” format
  (Tip you can look for the exact OU with Get-OrganizationalUnit OU1)

So now I can add my admins to that group and they can Manage users and distro groups in that OU.
I do want to point out this is specific to exchange and is not the same as AD permissions.

WWW Service Missing !!

While not specificaly a exchange issue but could be on a Exchange server.
Had a situation where the WWW service was missing even after re-installing IIS.

Turns out there was a Group policy that changed permissions on the registry and did not allow the install.

Solution:

1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
2. Give full control to the administrators group on the SVCHOST key
3. Un-install WWW service only
4. Re-install WWW service

Now the service should be there and running

If you loved PFDAVADMIN…..

In 2010 PFDavAdmin is going away but the good new is there is a new tool called ExFolders

http://msexchangeteam.com/archive/2009/12/04/453399.aspx

You can DL here
http://msexchangeteam.com/files/12/attachments/entry453398.aspx

Quote from Ms Exchange Team

“For better or worse, ExFolders still has the same user interface as PFDAVAdmin, so things will look very familiar. However, there are a few changes I want to highlight.

• ExFolders must be run from an Exchange 2010 server – it cannot be run from a workstation as PFDAVAdmin could. It can connect to Exchange 2010 or Exchange 2007, but not older versions.
• Remove Item-Level Permissions is gone, because there are no item-level permissions in Exchange 2007 or 2010.
• DACL fix functionality is gone. With no WebDAV and no M: drive, non-canonical DACLs should be practically unheard of.
• Permissions export format between PFDAVAdmin and ExFolders are compatible.

There are also a few new features:

• Folder property imports are now supported. You were able to do folder property exports with PFDAVAdmin, but not imports.
• Item property exports are supported – that is, you can export a set of properties from all items in a folder. This feature request has come up again and again for troubleshooting purposes. Item property imports are not supported.
• ExFolders supports the new free/busy permissions that were introduced in Exchange 2007 and Outlook 2007.
• You can now connect to multiple mailbox stores at the same time, so you can run a batch operation against several mailbox stores or all mailboxes in the org if you need to.”

Exchange 2010 Interorg Freebusy without using Federation Gateway

OK, I was saying NO way is it this easy…… as long as autodiscover and EWS is working……

1. Create acct without mailbox on both domains  (i.e.ID: domainx.com\Freebusy, Pass: P@ssw0rd
2. On Foobar
   1. Set-AvailabilityConfig -OrgWideAccount “domain1.com\freebusy”
   2. $a = get-credential (domain2.com\Freebusy, Pass: P@ssw0rd)
   3. Add-AvailabilityAddressspace -Forestname domain2.com -Accessmethod OrgWideFB -Credential:$a
3. On Ex2010.net
   1. Set-AvailabilityConfig -OrgWideAccount “domain2.com\Freebusy”
   2. $a = get-credential (domain1.com\Freebusy, Pass: P@ssw0rd)
   3. Add-AvailabilityAddressspace -Forestname domain1.com -Accessmethod OrgWideFB -Credential:$a

And that’s it right?!
umm NO, that quite that easy… well it is IF you have internal DNS resolution and are syncing the contacts with the partner domain…

Interorg uses the INTERNAL URL for EWS which means that needs to be resolvable (This can be remedied by split DNS and change the internal URL or use WAN\VPN link to the partner network)

Also you must have contacts for the associated org in you org, best to use a tool like GALSync, ILM, or other identity management software.

http://technet.microsoft.com/en-us/library/bb125182.aspx

Re-create Exchange 2007 OWA Virtual Directories..

Have you had issues with OWA where you needed to re-create the directories? or maybe you made customizations and now it doesn’t work and you want to just get back to the default config?

Here are some scripts to get re-install the OWA virtual directories, they have been tested in lab environments

As with everything use at your own risk and always make a backup first!
YOU are responsible for your server\data.

ONLY do this if you have 1 CAS server and have not customized the OWA directories.

Save this as rebuildOWA.ps1 and run from powershell

************************Start of script**********************************************

$server = hostname

Get-OwaVirtualDirectory -server $server | Remove-OwaVirtualDirectory

New-OwaVirtualDirectory -name “owa” -OwaVersion Exchange2007 -WebSiteName “Default Web Site”

New-OwaVirtualDirectory “exchange” -OwaVersion Exchange2003or2000 -VirtualDirectoryType Mailboxes -WebSiteName “Default Web Site”

New-OwaVirtualDirectory “public” -OwaVersion Exchange2003or2000 -VirtualDirectoryType PublicFolders -WebSiteName “Default Web Site”

New-OwaVirtualDirectory “exchweb” -OwaVersion Exchange2003or2000 -VirtualDirectoryType Exchweb -WebSiteName “Default Web Site”

new-owavirtualdirectory “Exadmin” -owaversion:Exchange2003or2000 -virtualDirectoryType Exadmin -WebSiteName “Default Web Site”

Get-AutodiscoverVirtualDirectory | Remove-AutodiscoverVirtualDirectory

 New-AutodiscoverVirtualDirectory -WebsiteName “Default Web Site” -BasicAuthentication $true -WindowsAuthentication $true

IISRESET

************************End of script********************************************

Here is one for SBS 2008

Save this as rebuildSBSOWA.ps1 and run from powershell

************************Start of script**********************************************

$LocalServerName = hostname

$ActiveSyncMailboxName = “Windows SBS Mobile Mailbox Policy” + ” ” + $LocalServerName

$OABVDir = $LocalServerName + “\OAB (SBS Web Applications)”

$OAB = Get-OfflineAddressBook | Select-Object -Property Name

$strDomainDNS = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

$DomainAdmins = $strDomainDNS + “\Domain Admins”

$OrgName = Get-OrganizationConfig | Select-Object -Property DistinguishedName

$DefaultExchangeCertificate = “CN=” + $LocalServerName

Get-ExchangeCertificate | Where { $_.Subject -eq “$DefaultExchangeCertificate” } | ForEach { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint }

Get-OwaVirtualDirectory -server $LocalServerName | Remove-OwaVirtualDirectory

New-OWAVirtualDirectory -WebsiteName “SBS Web Applications” -OwaVersion “Exchange2007” -ExternalAuthenticationMethods Fba

Set-OWAVirtualDirectory -InternalUrl “https://sites/owa/&#8221; -ClientAuthCleanupLevel “Low” -LogonFormat “UserName” -DefaultDomain $strDomainDNS -Identity “Owa (SBS Web Applications)”

New-OWAVirtualDirectory -WebsiteName “SBS Web Applications” -OwaVersion “Exchange2003or2000” -VirtualDirectoryType “Exadmin” -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName “SBS Web Applications” -OwaVersion “Exchange2003or2000” -VirtualDirectoryType “Mailboxes” -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName “SBS Web Applications” -OwaVersion “Exchange2003or2000” -VirtualDirectoryType “Exchweb” -ExternalAuthenticationMethods Fba

New-OWAVirtualDirectory -WebsiteName “SBS Web Applications” -OwaVersion “Exchange2003or2000” -VirtualDirectoryType “PublicFolders” -ExternalAuthenticationMethods Fba

iisreset /noforce

cd $env:windir\system32\inetsrv

.\appcmd.exe unlock config “-section:system.webserver/security/authentication/windowsauthentication”

.\appcmd.exe set site “Default Web Site” /Bindings:http/*:80:

.\appcmd.exe start site “Default Web Site”

.\appcmd.exe start site “SBS Web Applications”

************************End of script********************************************

Installing Exchange 2007 SP2 on SBS 2008

1. Make sure your system is healthy and ready.Tank has a great checklist 
2. MOST IMPORTANT make a backup (its easy in 2008 you don’t have an excuse!)
3. install using the following tool http://www.microsoft.com/downloads/details.aspx?FamilyID=ffd2fe61-9278-489e-9b96-3816394c9cb6&displayLang=en