Exchange 2010 Outlook Anywhere users receiving prompts when proxied through Exchange 2013


Background

I was working with a customer who had Exchange 2010 & were in the process of migrating to Exchange 2013. As part of their migration process they pointed their Exchange 2010 Outlook Anywhere namespace (let’s call it mail.contoso.com) to Exchange 2013 in DNS. At this point all of their Outlook Anywhere clients should have been connecting to Exchange 2013 & then been proxied to Exchange 2010. While this was somewhat working, they also immediately noticed users were randomly being prompted for credentials, resulting in a negative user experience.

Sometimes the prompts would be when connecting to Public Folders while other times mail or directory connections from Outlook to Exchange.

Resolution

When I was approached with this issue/symptom it sounded familiar. After a search through my OneNote I realized I previously had a discussion with some people I know from Microsoft Support regarding this issue. Turns out this issue was recently addressed via http://support2.microsoft.com/kb/2990117 “Outlook Anywhere users prompted for credentials when they try to connect to Exchange Server 2013”.

This is actually an IIS issue with Server 2008 R2 (the operating system Exchange 2010 was installed on) that’s resolved by a hotfix. After installing the hotfix & rebooting the issue was resolved & their users no longer received the prompts.

 

 

Advertisements

External Connections to Internal Web Servers Over 443 Fail


Probably one of the strangest issues I’ve seen, at least it seemed that way at the time.

Scenario:

2 internal web servers experiencing the symptom, one running 2010 OWA and the other a custom web application on 443. All internal users can hit each page just fine. External users cannot hit the pages and they just receive a timeout. However, if the admin logs into either of the two servers locally or via RDP and then you try again externally, it works and they can hit the web pages. This behavior only happened on 443. Customer was just using a Cisco ASA for their firewall with no web publishing.

Resolution:

Customer was a school district and I was reminded of a former life where I worked for a school district where web filtering was common. We found out that external users could only hit the pages when an Admin was logged into either of the servers; not a regular user. Combined with the below Cisco thread I found when trying to potentially pin this on the ASA it seemed a web filter or Intrusion Detection System was killing our connections.

https://supportforums.cisco.com/thread/2043090

According to the thread a Filter/IDS on the inside could potentially be issuing resets for web traffic that it did not like. In our case it was the customers “iBoss” content filter that started blocking access after a firmware update. It worked when an Administrator was logged into the web servers because it could filter based on the currently logged on AD account and there were exclusions for the Admins.

Getting Lync PowerShell to use RBAC


You may find that some things will work in the Lync GUI that will not work in PowerShell (Access Denied), the reason for this is that RBAC only applies to remote PowerShell and local PowerShell uses the AD permissions and not RBAC.

To resolve this you can login to PowerShell using the following script: (Copy the contents to a file and name it Connect-Lync.ps1)

$usercredential = get-credential
$pso = new-pssessionoption -skipcacheck -SkipCNCheck -SkipRevocationCheck
$session= New-PSSession -ConnectionUri https://localhost/ocspowershell -credential $usercredential -sessionoption $pso
import-pssession $session

Note: 1. This script ignores the certificate (so it will work if your using a self signed cert)
          2. You may need to modify the execution policy to run this unsigned script in PowerShell “set-executionpolicy remote”

References:

http://technet.microsoft.com/en-us/library/gg399050.aspx
“Note
that RBAC applies only to remote management. If you are logged on to a computer running Lync Server 2010 and you open Lync Server Management Shell, RBAC roles will not be enforced. Instead, security is enforced primarily through the security groups RTCUniversalServerAdmins; RTCUniversalUserAdmins; and RTCUniversalReadOnlyAdmins.”

The Problem with Hardware VSS Providers and Cluster Technologies like CSV and DAG


In solutions like DAG and CSV you can have issues with VSS backups completing if you are attached to a SAN and using a hardware provider.
The reason for this is because the LUN needs to pause the processes accessing the LUN but if another server is the one in control  of data on that LUN its unable to do that on a single host.
Here are some details as well as ways to resolve this issue.

Scenarios:

1. CSV Issue

  • imageimageMultiple Servers with a shared CSV Volume and VMS distributed across nodes may fail if you are using hardware VSS providers because it wants to snapshot the entire LUN but the node you are running the snap shot from doesn’t have access to all the VMS in order to pause them before committing the snapshot.
  1. You can resolve this in one of 2 ways.
    1. Move all the VMs to a single node or host until the backup is completed.
    2. Disable or remove your hardware based VSS provider.

 

 

 

2. DAG Issue

imageimage

This issue may come up not because you are sharing LUNS and have active data  on separate nodes (as above) but because you may use a separate provider for Active and Passive backups. When you try to backup a LUN that has both active and passive databases a hardware provider may try to use two different writers to snapshot the LUN. You can verify this by moving all active databases to one node to backup.

  1. You can resolve this in one of 3 ways.
    1. Do not put multiple databases on a single LUN.
    2. Move all Databases to one node before running backup
  2. 3. Disable you hardware based VSS provider

 

NOTE: Disabling your hardware provider will likely cause your backups to take much longer

References

  • Disable Equal Logic VSS Writer – Run C:\Program Files\EqualLogic\bin>eqlvss /unregserver”
  • Disable Hardware VSS in DPM – Add the following key to the registry [Software\Microsoft\Microsoft Data Protection Manager\Agent\UseSystemSoftwareProvider]
  • How VSS Works
  • If you know how to disable other providers please let me know and I will add it to this document!

Configure Split DNS for a specific Host


 

Say I have domain.com and its hosted externally.
I add an exchange server and, I add an external record pointing to my server called mail.domain.com and it points to my external IP.
I ALSO want to be able to access my server using the internal IP instead of going through my firewall and back in. (This is called split DNS)

Split DNS = I have 2 DNS zones, one external and one internal for the same domain.
The issue is that you have to manage both zones individually (even if you only need one specific host record)

And alternative method is to create a zone JUST for that one host name.

Here are the directions to create a domain and same as parent A record

  1. Open DNS on your DC, right click Forward Lookup Zone, and select  New Zone
  2. image
  3. image
  4. image
  5. image
  6. image
  7. image
  8. image
  9. image
  10. image
  11. image

Now you have split DNS for the single host name only.

Exchange 2010 EMC cannot access AD configuration data after you demote a DC


Environment:

Exchange 2010/Domain Controller combo server running on Windows 2008 R2.

Problem:

Demote Domain Controller role, causes Exchange Management Console fails to retrieve any Exchange information with error message “Active directory response: The LDAP server is unavailable.”  It’s still looking for the demoted DC although it’s been cleaned out of AD/DNS. All Exchange services start fine, and Exchange Shell works fine.

Reason:

     The obsolete information is cached in an Exchange Management Console file in the Windows profile for the user. EMC is trying to connect to orginal DC that is stored in the file.

Solution:

   Go to the following folder and delete the Exchange Management Console file.

   C:\users\<specific user>\AppData\Roaming\Microsoft\MMC\Exchange Management Console

   Close EMC and reopen it.

Reference: http://support.microsoft.com/kb/2019500

/Preparedomain error when security customizations have been done to Active Directory


Error:

Configuring Microsoft Exchange Server

    Organization Preparation                                  FAILED
     The following error was generated when "$error.Clear();
          if ($RolePrepareAllDomains)
          {
              initialize-DomainPermissions -AllDomains:$true -CreateTenantRoot:(
$RoleIsDatacenter -or $RoleIsPartnerHosted);
          }
          elseif ($RoleDomain -ne $null)
          {
              initialize-DomainPermissions -Domain $RoleDomain -CreateTenantRoot
:($RoleIsDatacenter -or $RoleIsPartnerHosted);
          }
          else
          {
              initialize-DomainPermissions -CreateTenantRoot:($RoleIsDatacenter
-or $RoleIsPartnerHosted);
          }
        " was run: "PrepareDomain for domain Domain was unable to add the group CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,DC=domain,DC=local to the group CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=domain,DC=local on domain controller server.domain.local, because the current user does not have permissions to modify Exchange Servers. Please ensure that the current user can modify the membership of Exchange Servers and run PrepareDomain again.".

Problem:
The user doesn’t have permission to modify the AD groups it needs to modify.
“Exchange Server” group that was created by /preparedomain is member of “Windows Authorization Access Group” group. 
If the permission on that group are changed, /preparedomain may not be able to modify the membership of it. 
Of course, exchange setup gives you some bogus error, which does not make any sense. Winking smile

Solution:

  1. Verify that you are running the /preparedomain as a domain admin
  2. Once we reset it’s permission by checking “inherted” option on the “Windows Authorization Access Group”,  we can manually add Exchange Server group as a member of “Windows Authorization Access Group” Group, and re run /preparedomain and it should run without error.

clip_image002