Error when Creating a Recovery Storage Group in 2007


You may get an error similar to this when you are trying to create an RSG in Exchange 2007:

Error encountered while trying to add database (Mailbox Database) into recovery storage group (Recovery Storage Group). Error message is: The mailbox database that you specified is already associated with a recovery mailbox database. Specified mailbox database: DATA-BASE-GUID.

This may be caused by an existing RSG, including one on your Exchange 2003 server.

Remove any RSGs on all Exchange servers and re-run the RSG creation on 2007.
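Before removing anything it helps to know where the leftover RSG actually lives. The following is an added example, not part of the original post, that lists every storage group flagged as a recovery storage group and the databases still attached to it. It assumes it is run from the Exchange 2007 Management Shell; whether Exchange 2003 servers show up depends on the shell being able to read their storage groups, so also check those in Exchange System Manager.

```powershell
# Added example (not from the original post): inventory existing Recovery
# Storage Groups before creating a new one. A database still attached to an
# old RSG has to be removed (Remove-MailboxDatabase) before the storage group
# itself can be removed (Remove-StorageGroup).
$rsgs = Get-StorageGroup | Where-Object { $_.Recovery -eq $true }

if (-not $rsgs) {
    "No Recovery Storage Groups found in the organization."
} else {
    foreach ($sg in $rsgs) {
        "RSG: $($sg.Identity) on server $($sg.Server)"
        # Databases that still sit inside this RSG; each one blocks creating
        # a new RSG for the same production database.
        Get-MailboxDatabase -StorageGroup $sg.Identity |
            ForEach-Object { "    attached database: $($_.Name)" }
    }
}
```

Once the list is empty on every server, re-run the RSG creation as the post describes.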

More TMG and Exchange Goodness?


I have received several questions and comments on the TMG posts; I just wanted to say that they were initially designed to be an easy "get it working" process.

If you would like more detail or a specific post please let me know and I'll do more TMG\Exchange goodness.
Useful suggestions = Tell me how to publish SharePoint through TMG, or how do I configure OA publishing with integrated auth.
Not so useful = Yeah man give me more TMG!

Exchange 2007/2010 certificates and new Go Daddy


I recently found a situation where the Go Daddy certificate chain wasn't installed and some phone clients had issues. The following is a proven request\import process to install the certificate and its chain.

I gave this process to a friend and found out that I should either rename or subtitle this post "Getting SBS 2008 to recognize your 2048-bit certificate": a great side effect!

  1. First make your certificate request in PowerShell; it should look something like this:
    • New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, O=Company, CN=mail.domain.com" -DomainName mail.domain.com,autodiscover.domain.com,hostname,hostname.domain.local -FriendlyName mail.domain.com -PrivateKeyExportable:$true -Path c:\cert_myserver.txt
    • IMPORTANT: don't do any new certificate requests or run any wizards until the certificate is imported
  2. Send the certificate request to Go Daddy as a UCC certificate
  3. Import the certificate to complete the request
    • Import-ExchangeCertificate -Path "C:\CertificateFile.cer" | Enable-ExchangeCertificate -Services POP,SMTP,IIS,IMAP
  4. Export the certificate
    1. Start –> Run –> MMC –> Add Snap-in –> Certificates –> Local computer
    2. Right-click the certificate –> All Tasks –> Export
      1. Include the certificate chain and private key
      2. Enter a password
  5. Re-import the certificate including the chain (this imports the chain certificates also)
    1. Right-click in a blank area of the certificate MMC –> All Tasks –> Import
    2. Select the certificate you exported –> Import –> include the certificate chain.

And yes, there are other ways to get to the same result; this is just a simple, easy-to-explain way.
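The symptom in this post (phone clients failing while browsers are fine) is usually a missing intermediate certificate, which is easy to miss because the leaf certificate itself imports without complaint. The following is an added check, not part of the original post, that builds the chain for the imported certificate, reports whether each intermediate is actually present in the machine's Intermediate Certification Authorities store, and prints the key size so the 2048-bit side effect can be confirmed. The thumbprint is a placeholder; take the real one from Get-ExchangeCertificate.

```powershell
# Added example (not from the original post): verify chain and key size of an
# imported Exchange certificate. Placeholder: replace $thumbprint with the
# value shown by Get-ExchangeCertificate.
$thumbprint = "REPLACE-WITH-THUMBPRINT"

# Load the leaf certificate from the machine's Personal store.
$myStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$myStore.Open("ReadOnly")
$cert = $myStore.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint }
$myStore.Close()
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

"Subject : $($cert.Subject)"
"Key size: $($cert.PublicKey.Key.KeySize) bits"
"Expires : $($cert.NotAfter)"

# Build the chain. Revocation checking is skipped so that an offline server
# still gives a clear answer about the chain itself.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)
"Chain builds cleanly: $built"
foreach ($status in $chain.ChainStatus) {
    "  chain status: {0} ({1})" -f $status.Status, $status.StatusInformation.Trim()
}

# The post's fix is to get the intermediates into the machine store; check
# each non-root, non-leaf element of the chain is really there.
$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("CA", "LocalMachine")
$caStore.Open("ReadOnly")
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    if ($c.Thumbprint -eq $cert.Thumbprint) { continue }   # the leaf itself
    if ($c.Subject -eq $c.Issuer) { continue }              # self-signed root
    $present = $caStore.Certificates.Find("FindByThumbprint", $c.Thumbprint, $false).Count -gt 0
    $state = if ($present) { "present in LocalMachine\CA" } else { "MISSING from LocalMachine\CA" }
    "  intermediate {0}: {1}" -f $c.Subject, $state
}
$caStore.Close()

# Exchange's own view: Status should be Valid and Services should list the
# roles enabled with Enable-ExchangeCertificate.
Get-ExchangeCertificate -Thumbprint $thumbprint | Format-List Subject, Status, Services, CertificateDomains
```

If an intermediate shows as missing, the export-with-chain and re-import steps above are the fix; re-run the check afterwards rather than trusting a browser test, since desktop browsers may fetch the intermediate themselves and hide the gap that phones hit.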

Add users to a distribution group from a .csv file in Exchange 2007\2010 PowerShell


  1. First make a CSV with one column called "PrimarySmtpAddress" and populate it with the SMTP addresses of the users you're adding to the distribution group (example below).
  2. Copy it to the system that the command will be run on.
  3. Now run the following command in the Exchange 2007 Management Shell:

Import-Csv C:\Distro1.csv | foreach { Add-DistributionGroupMember -Identity Distro1 -Member $_.PrimarySmtpAddress }

  1. The file path (C:\Distro1.csv) and group name (Distro1) need to be modified to match your file and group names, as this is just an example.
  2. Note: you can get the current members of a group with the following:

                Get-DistributionGroupMember Distro1 | Export-Csv C:\Distro1.csv

Example Distro1.csv (the #TYPE line is written by Export-Csv and is ignored by Import-Csv):

#TYPE Microsoft.Exchange.Data.Directory.Management.ReducedRecipient
PrimarySmtpAddress
2007user@domain.net
2003user@domain.net
2010user@domain.net

To do this on a new group you can follow this article at exchangeteam.com
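The one-liner above stops being convenient as soon as one row is bad: Add-DistributionGroupMember throws on an address that is already a member or does not resolve, and the remaining rows are easy to lose track of. The following is an added example, not part of the original post, that does the same import but pre-loads the existing membership so duplicates are skipped, rejects rows that are not SMTP addresses, and collects failures instead of stopping. The CSV path and group name are placeholders matching the post's example.

```powershell
# Added example (not from the original post): bulk-add members from a CSV
# with duplicate skipping and per-row error reporting.
# Placeholders: $csvPath and $group, matching the post's example names.
$csvPath = "C:\Distro1.csv"
$group   = "Distro1"

# Existing members, keyed by lower-cased address, so re-running the import
# does not error on every address that was added last time.
$existing = @{}
Get-DistributionGroupMember -Identity $group -ResultSize Unlimited |
    ForEach-Object { $existing[$_.PrimarySmtpAddress.ToString().ToLower()] = $true }

$added = 0; $skipped = 0; $failed = @()
foreach ($row in Import-Csv -Path $csvPath) {
    $address = ([string]$row.PrimarySmtpAddress).Trim()
    if (-not $address) { continue }                             # blank row
    if ($address -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {     # not an SMTP address
        $failed += "$address (not a valid SMTP address)"
        continue
    }
    if ($existing.ContainsKey($address.ToLower())) { $skipped++; continue }
    try {
        Add-DistributionGroupMember -Identity $group -Member $address -ErrorAction Stop
        $added++
    } catch {
        # Typical causes: address does not exist, or it belongs to a recipient
        # type the group does not accept.
        $failed += "$address ($($_.Exception.Message))"
    }
}

"Added: $added   Already members: $skipped   Failed: $($failed.Count)"
$failed | ForEach-Object { "  $_" }
```

Adding -WhatIf to the Add-DistributionGroupMember line gives a dry run that shows exactly which addresses would be added, which is worth doing once on a large list before the real import.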

Publish Exchange 2010 with TMG (cont)


Walkthrough on publishing all roles through TMG. (Part 4/4 SMTP)

This assumes:

  1. You have an MX record pointed to a name that resolves to the external IP of your TMG
  2. You have already configured your Exchange receive connector to allow anonymous access

Configure the SMTP rule on TMG

  1. Open Forefront TMG
  2. Click on [screenshot]
  3. In the Action Pane under Tasks click [screenshot]
  4. [screenshot]
  5. [screenshot]
  6. Enter your Transport Server's internal IP
  7. [screenshot]
  8. [screenshot]
  9. [screenshot]
  10. You should now be able to send mail through your TMG to your Exchange.
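The second assumption above (anonymous access on the receive connector) is easy to leave wider than intended. The following is an added example, not part of the original post, that lists every receive connector on the server, whether it accepts anonymous SMTP, and whether its RemoteIPRanges are limited to the TMG internal address. The TMG address is a constructed placeholder. A connector that is anonymous for all remote ranges accepts inbound mail from any host that can reach port 25, not only from TMG, so the usual hardening is a dedicated anonymous connector whose RemoteIPRanges contains just the TMG internal IP.

```powershell
# Added example (not from the original post): audit anonymous receive
# connectors against the TMG internal address.
# Placeholder: $tmgInternalIp is a constructed value for this example.
$tmgInternalIp = "10.0.0.5"

Get-ReceiveConnector | ForEach-Object {
    # PermissionGroups is a flags value; its string form lists the groups,
    # e.g. "AnonymousUsers, ExchangeServers".
    $anonymous = [bool]($_.PermissionGroups -match "AnonymousUsers")
    $ranges    = ($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ", "
    $onlyTmg   = ($_.RemoteIPRanges.Count -eq 1) -and ($ranges -eq $tmgInternalIp)

    New-Object PSObject -Property @{
        Connector      = $_.Identity.ToString()
        Bindings       = ($_.Bindings | ForEach-Object { $_.ToString() }) -join ", "
        Anonymous      = $anonymous
        RemoteIPRanges = $ranges
        # True only when anonymous mail can arrive from the TMG address alone.
        LimitedToTMG   = $anonymous -and $onlyTmg
    }
} | Format-Table Connector, Bindings, Anonymous, RemoteIPRanges, LimitedToTMG -AutoSize
```

If the only anonymous connector is the default one with RemoteIPRanges of 0.0.0.0-255.255.255.255, create a separate connector for TMG (New-ReceiveConnector with -RemoteIPRanges set to the TMG IP and -PermissionGroups AnonymousUsers) and leave the default connector for authenticated and server-to-server traffic.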

Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

1. OWA
2. EWS\Outlook anywhere
3. Active sync
4. SMTP

Publish Exchange 2010 with TMG (cont)


Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 3/4 Active Sync)

Configure the ActiveSync rule on TMG

  1. Open Forefront TMG
  2. Click on [screenshot]
  3. In the Action Pane under Tasks click [screenshot]
  4. Give the rule a name; I'll name mine "2010 Activesync"
  5. [screenshot]
  6. Next –> Next
  7. [screenshot]
  8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
  9. [screenshot]
  10. The external name is what you use to access ActiveSync (also needs to be on the cert)
  11. [screenshot]
  12. Select the OA listener created in Part 2.
  13. [screenshot]
  14. [screenshot]
  15. [screenshot]
  16. Finish
  17. Now ActiveSync is published!


Publish Exchange 2010 with TMG (cont)


Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 2/4 EWS\Outlook anywhere)

Configure the Outlook Anywhere rule on TMG

  1. Open Forefront TMG
  2. Click on [screenshot]
  3. In the Action Pane under Tasks click [screenshot]
  4. Give the rule a name; I'll name mine "2010 OA"
  5. [screenshot]
  6. Next –> Next
  7. [screenshot]
  8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
  9. [screenshot]
  10. The external name is what you use to access OA (also needs to be on the cert)
  11. [screenshot]
  12. Click New to make a new listener
  13. [screenshot]
  14. Name it whatever you want; I named mine "Basic Auth" because I am going to use it for Basic auth for OA\EWS.
  15. [screenshot]
  16. Select one of the external IPs listed (not all IP addresses, or you can't do multiple auth methods)
  17. [screenshot]
  18. Select the certificate you imported earlier
  19. [screenshot]
  20. Use HTTP Authentication
  21. [screenshot]
  22. Click –> Next –> Finish –> Select the listener.
  23. [screenshot]
  24. [screenshot]
  25. [screenshot]
  26. Finish
  27. Now Outlook Anywhere is published!


Publish Exchange 2010 with TMG (Forefront Threat Management Gateway)


Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 1/4 OWA)

Keep in mind that to do it this way you need to have the following:

  1. At least 2 external IPs listed on the external NIC (in order to have both forms-based auth for OWA\ECP and Basic for OA, EWS and EAS)
  2. A multi-name trusted certificate with all applicable names (for more information see the certificate post). This is critical!
  3. TMG can authenticate with AD already (either domain joined or authentication configured)

Start by preparing the Exchange server

  1. Configure Exchange 2010 for basic authentication
    1. Run the following on the CAS server that will be published
      • Set-OwaVirtualDirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
      • Set-WebServicesVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
      • Set-EcpVirtualDirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
      • Set-OabVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
      • Set-ActiveSyncVirtualDirectory -id <CasServer>\* -BasicAuthEnabled $true (the ActiveSync cmdlet names this parameter differently from the others)
  2. Copy the 3rd party certificate to the TMG server.
    1. Click Start –> Run –> type MMC
    2. Click File –> Add/Remove Snap-in –> Certificates –> Add –> Computer account –> Next –> Finish –> OK
    3. Click Personal –> Certificates
    4. Right-click the 3rd party certificate and click All Tasks –> Export
    5. Click Next –> Yes, export the private key –> Base-64 –> Next –> browse for the file location.
    6. Next –> Finish
    7. Copy the certificate file to the TMG server
    8. Click Start –> Run –> type MMC
    9. Click File –> Add/Remove Snap-in –> Certificates –> Add –> Computer account –> Next –> Finish –> OK
    10. Click Personal –> right-click Certificates –> All Tasks –> Import –> Next –> select the file –> Next –> Next –> Finish
  3. Configure the OWA rule on TMG
    1. Open Forefront TMG
    2. Click on [screenshot]
    3. In the Action Pane under Tasks click [screenshot]
    4. Give the rule a name; I'll name mine "2010 OWA"
    5. [screenshot]
    6. Next –> Next
    7. [screenshot]
    8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
    9. [screenshot]
    10. The external name is what you use to access OWA (also needs to be on the cert)
    11. [screenshot]
    12. Click New to make a new listener
    13. [screenshot]
    14. Name it whatever you want; I named mine "FBA" because I am going to use it for forms-based auth for OWA.
    15. [screenshot]
    16. Select one of the external IPs listed (not all IP addresses, or you can't do multiple auth methods)
    17. [screenshot]
    18. Select the certificate you imported earlier
    19. [screenshot]
    20. Use Form Authentication
    21. [screenshot]
    22. You can configure SSO if you have other sites that will use this listener
    23. [screenshot]
    24. Click –> Next –> Finish –> Select the listener.
    25. [screenshot]
    26. [screenshot]
    27. [screenshot]
      You CANNOT use "All Users" here; you need to have Authenticated Users or another group that requires authentication, or you will not get prompted for auth and will get a 500.24 in the browser.
    28. Finish
    29. Now OWA is published!
  4. Now on to EWS\Outlook Anywhere
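Step 1 changes five virtual directories with five separate commands and gives nothing back to confirm the result. The following is an added example, not part of the original post, that applies the same settings to one CAS server using Get-* | Set-* pipelines (so it does not depend on the Set- cmdlets accepting a wildcard identity) and then prints one row per virtual directory with its Basic, Windows and Forms settings, which is the state TMG's listener relies on. The CAS server name is a placeholder.

```powershell
# Added example (not from the original post): apply the step 1 authentication
# settings and print a verification table.
# Placeholder: $cas is the CAS server to be published.
$cas = "CAS01"

# Forms auth is turned off on the CAS because the TMG listener presents the
# forms page and forwards Basic credentials to Exchange over SSL.
Get-OwaVirtualDirectory -Server $cas | Set-OwaVirtualDirectory -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
Get-EcpVirtualDirectory -Server $cas | Set-EcpVirtualDirectory -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
Get-WebServicesVirtualDirectory -Server $cas | Set-WebServicesVirtualDirectory -BasicAuthentication $true -WindowsAuthentication $true
Get-OabVirtualDirectory -Server $cas | Set-OabVirtualDirectory -BasicAuthentication $true -WindowsAuthentication $true
# The ActiveSync cmdlet uses BasicAuthEnabled/WindowsAuthEnabled instead.
Get-ActiveSyncVirtualDirectory -Server $cas | Set-ActiveSyncVirtualDirectory -BasicAuthEnabled $true

# Read whichever property name the object actually has; $null means the
# directory has no such setting (EWS and OAB have no forms auth).
function Get-AuthFlag($obj, $name, $altName) {
    if ($obj.PSObject.Properties[$name]) { return $obj.$name }
    if ($altName -and $obj.PSObject.Properties[$altName]) { return $obj.$altName }
    return $null
}

$report = @()
foreach ($getter in "Get-OwaVirtualDirectory", "Get-EcpVirtualDirectory",
                    "Get-WebServicesVirtualDirectory", "Get-OabVirtualDirectory",
                    "Get-ActiveSyncVirtualDirectory") {
    foreach ($vdir in (& $getter -Server $cas)) {
        $report += New-Object PSObject -Property @{
            Directory = $vdir.Identity.ToString()
            Basic     = Get-AuthFlag $vdir "BasicAuthentication"   "BasicAuthEnabled"
            Windows   = Get-AuthFlag $vdir "WindowsAuthentication" "WindowsAuthEnabled"
            Forms     = Get-AuthFlag $vdir "FormsAuthentication"   ""
        }
    }
}
$report | Format-Table Directory, Basic, Windows, Forms -AutoSize
```

After the change, run iisreset on the CAS (or recycle the application pools) before testing through TMG; the Forms column should read False for OWA and ECP and Basic should read True everywhere, otherwise the TMG rule will hand the browser Exchange's own forms page instead of passing the credentials it already collected.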

     


No return path for OOF in 2007 and 2010


I recently found that there is a null\blank value for the return path for Out of Office in 2007 and 2010 (this is changed behavior from 2003).

As per RFC 2298, Message Disposition Notification (MDN) messages should be sent with a blank sender, and the OOF reply messages are MDNs. This is to help prevent looping.

RFC 5321 section 4.5.5 also deals with messages that should not be looped:
http://www.faqs.org/rfcs/rfc5321.html

The issue is that some anti-spam products will block outbound messages with a blank return path.

There is some guidance on how to deal with those messages here (specifically, base the rule that allows them on the internal subnet, provided the From field is correct):
http://www.faqs.org/rfcs/rfc3834.html

DAG Cross Site\Subnet networking – Additional Configuration


When you add servers to a DAG it will create a network for every subnet\NIC that server is connected to. This is nice because as soon as you add the server it can replicate with the other nodes.
However, there are some post-configuration steps you need to take, otherwise replication will occur over the MAPI\client network and never use the replication network.

  1. You should NEVER have multiple gateways; if you have a private\heartbeat network that is routed, you need to remove the gateway and add a static route.
    Example: you configure the gateway on the public NICs [screenshot]
    and configure the following static routes:
    Site A [screenshot]
    Site B [screenshot]
  2. Next you will notice your "DAG Networks" may look something like this: [screenshot]
    The issue with this configuration is that there are no clearly defined replication or MAPI networks, so what we need to do is collapse them into two DAG networks.
  3. Modify the networks to include both subnets (I named mine for easy identification),
    i.e. combine 10.0.1.x with 10.0.2.x, and 192.168.2.x with 192.168.1.x
    [screenshot]
  4. I would also recommend disabling replication on the MAPI or client network (it will be used anyway if the replication network is not available).

You should now be replicating over the replication network; you can verify with the following:

  • Get-MailboxDatabaseCopyStatus <DatabaseName> -ConnectionStatus | fl Name, OutgoingConnections, IncomingLogCopyingNetwork
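The screenshots that carried the actual commands for steps 1 to 4 are gone from this copy of the post, so here is the same procedure as an added example in the Exchange 2010 Management Shell; it is not the post's own configuration. The DAG name, the auto-created network names (DAGNetwork01/02), which subnet pair is MAPI and which is replication, and the router addresses are all assumed values constructed for the example; the post only names the four subnets. It also assumes, as the post's step 3 describes, that giving a subnet to one network moves it out of the network it was auto-created in.

```powershell
# Added example (not from the original post): collapse auto-created DAG
# networks into one MAPI and one replication network, add a persistent
# static route for the routed replication subnet, and verify log copying.
# Assumed/constructed values: DAG name, network names, subnet roles, gateways.
$dag         = "DAG1"
$mapiSubnets = "192.168.1.0/24", "192.168.2.0/24"   # client/MAPI, one per site
$replSubnets = "10.0.1.0/24", "10.0.2.0/24"         # replication, one per site

# Step 1, on a Site A node: the replication NIC keeps no default gateway, so
# Site B's replication subnet is reached through Site A's replication router.
# -p makes the route persistent across reboots. Site B nodes get the mirror
# image (10.0.1.0 via their own router).
route -p add 10.0.2.0 mask 255.255.255.0 10.0.1.1

# Step 2: see what was auto-created (names depend on the order nodes joined).
Get-DatabaseAvailabilityGroupNetwork -Identity $dag | Format-Table Name, Subnets, ReplicationEnabled -AutoSize

# Steps 3 and 4: rename two of the networks, give each both site subnets, and
# disable replication on the MAPI network so it is only a fallback.
Set-DatabaseAvailabilityGroupNetwork -Identity "$dag\DAGNetwork01" -Name "MAPI" -Subnets $mapiSubnets -ReplicationEnabled $false
Set-DatabaseAvailabilityGroupNetwork -Identity "$dag\DAGNetwork02" -Name "Replication" -Subnets $replSubnets -ReplicationEnabled $true

# Networks left with no subnets after the merge are empty shells; remove them.
Get-DatabaseAvailabilityGroupNetwork -Identity $dag |
    Where-Object { $_.Subnets.Count -eq 0 } |
    Remove-DatabaseAvailabilityGroupNetwork -Confirm:$false

# Verify: every copy on this server should report the replication network.
Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME -ConnectionStatus |
    Format-List Name, OutgoingConnections, IncomingLogCopyingNetwork
```

Run the Get-DatabaseAvailabilityGroupNetwork listing first and adjust the two identities in the Set- commands to the names it shows; if IncomingLogCopyingNetwork still reports the MAPI network afterwards, the usual cause is the static route missing on one side, which the route print output on each node will show.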