TMG NLB and F5 Publishing Problems


Environment:

TMG array –> F5 Load Balancer –> Published service

Problem:

When traffic comes in through the TMG array to the F5, the F5 does not respond correctly to the load-balanced request, so TMG never sees a response.

Reason:

  1. The F5 takes the source MAC address from the Ethernet frame header instead of resolving it with ARP requests.
  2. MS NLB uses MAC address spoofing to prevent switch port flooding in unicast NLB: the NLB driver masks the host's MAC address with the NLB cluster host number and assigns a unique one to each node in the cluster.
  3. Because the F5 does not use ARP requests, the NLB driver never gets to supply the correct MAC address for the sending host via the ARP reply.

Solution:

  1. Set the MaskSourceMAC registry value to 0 on the adapters of both TMG servers in the NLB array that send to the F5. http://support.microsoft.com/?id=193602
  2. Put a hub between the F5 and the TMG array to prevent switch port flooding.
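An added PowerShell script (not from the original post) that audits the MaskSourceMAC value on every NLB-bound adapter of the local TMG node and, with -Fix, clears it as step 1 describes. It assumes the value sits under the per-interface NLB (WLBS) key that the linked KB describes, and that it is run elevated on each array member.

```powershell
# Added example: audit (and optionally clear) MaskSourceMAC on the local NLB node.
# Assumption: per-interface NLB parameters live under the WLBS Interface key
# named in KB 193602. Run elevated on every TMG server in the array.
param([switch]$Fix)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WLBS\Parameters\Interface'
if (-not (Test-Path $base)) {
    Write-Warning "No NLB interface keys under $base; is NLB installed on this host?"
    return
}

foreach ($key in Get-ChildItem $base) {
    $path  = $key.PSPath
    $value = (Get-ItemProperty -Path $path -Name MaskSourceMAC -ErrorAction SilentlyContinue).MaskSourceMAC

    # A missing value means the driver default (1 = mask the source MAC),
    # which is exactly the behaviour the F5 cannot cope with.
    $effective = if ($null -eq $value) { 1 } else { [int]$value }
    "{0}`tMaskSourceMAC={1}" -f $key.PSChildName, $effective

    if ($Fix -and $effective -ne 0) {
        Set-ItemProperty -Path $path -Name MaskSourceMAC -Value 0 -Type DWord
        "  -> set to 0; takes effect once NLB reloads its parameters (reboot is the safe route)"
    }
}
```

With masking off, every node sends frames with the cluster MAC as source, so a switch learns that MAC on a single port and stops delivering to the other node, which is why the post pairs this change with a hub.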

/PrepareDomain error when security customizations have been made to Active Directory


Error:

Configuring Microsoft Exchange Server

    Organization Preparation                                  FAILED
     The following error was generated when "$error.Clear();
          if ($RolePrepareAllDomains)
          {
              initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:($RoleIsDatacenter -or $RoleIsPartnerHosted);
          }
          elseif ($RoleDomain -ne $null)
          {
              initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot:($RoleIsDatacenter -or $RoleIsPartnerHosted);
          }
          else
          {
              initialize-DomainPermissions -CreateTenantRoot:($RoleIsDatacenter -or $RoleIsPartnerHosted);
          }
          }
        " was run: "PrepareDomain for domain Domain was unable to add the group CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,DC=domain,DC=local to the group CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=domain,DC=local on domain controller server.domain.local, because the current user does not have permissions to modify Exchange Servers. Please ensure that the current user can modify the membership of Exchange Servers and run PrepareDomain again.".

Problem:
The account running setup does not have permission to modify the AD groups it needs to change.
The “Exchange Servers” group created by /PrepareDomain is a member of the “Windows Authorization Access Group”.
If the permissions on that group have been changed, /PrepareDomain may not be able to modify its membership.
Of course, Exchange setup gives you a bogus error that does not make any sense.

Solution:

  1. Verify that you are running /PrepareDomain as a domain admin.
  2. Once we reset the permissions by ticking the “inherited” option on the “Windows Authorization Access Group”, we can manually add the Exchange Servers group as a member of “Windows Authorization Access Group”, re-run /PrepareDomain, and it should complete without error.
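An added PowerShell script (not from the original post) that checks the two conditions behind this error on the “Windows Authorization Access Group” (inheritance blocked, “Exchange Servers” not a member) and, with -Fix, re-enables inheritance and adds the group. It assumes the ActiveDirectory module (RSAT) is available and that it runs in a domain-admin session.

```powershell
# Added example: check and repair the WAAG state that breaks /PrepareDomain.
# Assumptions: ActiveDirectory module present; session has rights to change
# the group's ACL and membership (the post says to run as a domain admin).
param([switch]$Fix)
Import-Module ActiveDirectory

$waag    = Get-ADGroup -Identity 'Windows Authorization Access Group'
$exchSrv = Get-ADGroup -Identity 'Exchange Servers'

# The AD: drive exposes the object's security descriptor as an ACL object.
$acl = Get-Acl -Path "AD:\$($waag.DistinguishedName)"
"Inheritance blocked on WAAG : {0}" -f $acl.AreAccessRulesProtected

$isMember = [bool](Get-ADGroupMember -Identity $waag |
    Where-Object { $_.distinguishedName -eq $exchSrv.DistinguishedName })
"Exchange Servers is a member: {0}" -f $isMember

if ($Fix) {
    if ($acl.AreAccessRulesProtected) {
        # $false = stop protecting (inherit again); second arg is ignored when un-protecting
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path "AD:\$($waag.DistinguishedName)" -AclObject $acl
        'Re-enabled inheritance on Windows Authorization Access Group'
    }
    if (-not $isMember) {
        Add-ADGroupMember -Identity $waag -Members $exchSrv
        'Added Exchange Servers to Windows Authorization Access Group'
    }
    'Now re-run setup /PrepareDomain'
}
```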


Problem with Exchange MMC Snap-in after the April 11, 2011 updates



We have seen a recent rash of issues with the Exchange MMC after the April 11 updates; this is due to a .NET change in the latest updates.

This issue is very specific to a system with:

  • .NET Framework 3.5 Service Pack 1
  • .NET Framework 2.0 Service Pack 2
  • Windows Vista Service Pack 2 or Windows Server 2008 Service Pack 2
  • The April 11 Windows updates (specifically 2449742 or 2446709)

This problem occurs when the broken version of hotfix 979744 is installed on the computer and security update 2449742 or 2446709 (part of security bulletin MS11-028) is then installed in one of the affected environments; that combination produces the issues described in the "Symptoms" section of the KB.

You can apply the fix from http://support.microsoft.com/kb/2449742 to resolve it.

Here is the KB that explains the issue: http://support.microsoft.com/kb/2540222
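An added PowerShell triage script (not from the original post) that tests a host against every condition in the list above and reports whether it matches the affected profile. The .NET service-pack values come from the standard NDP setup registry keys; the OS and KB checks use Get-WmiObject and Get-HotFix so it runs on the PowerShell 2.0 that ships with Server 2008.

```powershell
# Added example: does this host match the Exchange MMC snap-in failure profile?
# Conditions are the ones listed in the post; registry keys are the standard
# .NET setup keys (SP value under each NDP version key).
function Get-NdpServicePack([string]$versionKey) {
    $k = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\$versionKey" -ErrorAction SilentlyContinue
    if ($k) { [int]$k.SP } else { -1 }   # -1 = that framework version is not installed
}

$os      = Get-WmiObject Win32_OperatingSystem
$osMatch = ($os.Version -like '6.0.*') -and ($os.ServicePackMajorVersion -eq 2)   # Vista / Server 2008 SP2

$net20Sp  = Get-NdpServicePack 'v2.0.50727'
$net35Sp  = Get-NdpServicePack 'v3.5'
$hotfix   = [bool](Get-HotFix -Id KB979744 -ErrorAction SilentlyContinue)
$msUpdate = [bool](Get-HotFix -Id KB2449742, KB2446709 -ErrorAction SilentlyContinue)

$checks = @(
    @{ Name = 'Vista SP2 / Server 2008 SP2';   Ok = $osMatch },
    @{ Name = '.NET 2.0 SP2';                  Ok = ($net20Sp -ge 2) },
    @{ Name = '.NET 3.5 SP1';                  Ok = ($net35Sp -ge 1) },
    @{ Name = 'Hotfix 979744 installed';       Ok = $hotfix },
    @{ Name = 'KB2449742 or KB2446709 applied'; Ok = $msUpdate }
)

foreach ($c in $checks) { "{0,-32} {1}" -f $c.Name, $c.Ok }

$allMatch = -not ($checks | Where-Object { -not $_.Ok })
if ($allMatch) {
    'All conditions match: this host is in the affected profile; apply the fix from the KB.'
} else {
    'Not all conditions match: look elsewhere for the cause of the MMC failure.'
}
```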

Want to Become an MCM?! Even know what it is?


I am an MCM on Exchange 2010 and 2007 and I just wanted to do a quick promotion of the program.

What is an MCM? In short, Microsoft Certified Master is the highest level of technical certification you can get on a Microsoft product. It is NOT “MCITP\MCSE +”; it is well above that in terms of technical certification.

From a personal standpoint having the MCM certification goes a long way in singling you out as an expert both with customers and other members of the technical community.
From a business standpoint it can be the difference in who gets a contract and who doesn’t, and goes a long way to instill customer confidence.

I will also say it was one of the hardest yet most rewarding things I have ever done.
What does it take to become an MCM, you ask?
Well, start with the prerequisite requirements, already being an Exchange expert, add in 3 weeks of your life following in-depth training from the best in the industry (prep family and work for your absence), finally pass both the written and practical examinations and BAM! You're now an MCM.

Well I am not the best writer so I will refer you to some resources that can speak to it much better than I.