
Thursday, January 21, 2010

How to Configure Change Password for OWA 2003/2007/2010 Mixed Environments

The Change Password feature in OWA will break when you reconfigure the environment to use Exchange 2007 or Exchange 2010 CAS servers as front-end servers for Exchange 2003 mailbox servers.  This is because the CAS servers don't have the necessary ASP pages installed that OWA 2003 links to.

telnetPORT25 wrote a great article explaining the step-by-step process, along with screenshots, to fix this problem.  I'm listing the high-level steps here (mainly to act as my long-term memory).
  • Log on to the Exchange 2007/2010 CAS server
  • Copy the %SystemRoot%\System32\inetsrv\iisadmpwd folder and files from the OWA 2003 FE server to the CAS server's %SystemRoot%\System32\inetsrv folder
  • Open IIS Manager and add a new Virtual Directory off the Default Web Site named IISADMPWD with a physical path of %SystemRoot%\System32\inetsrv\iisadmpwd
  • Right-click the new IISADMPWD virtual directory and select Convert to Application
  • Select the MSExchangeOWAAppPool
  • Restart IIS (iisreset /noforce or select the server in IIS Manager and click Restart)


Tuesday, January 19, 2010

Exchange 2010 DAG Replication Port

Michel de Rooij, a Dutch technology consultant, posted a nice concise article about the port used by Exchange 2010 for DAG replication.
"... the port used for DAG log shipping and seeding, which is 64327 by default. Looking back at Exchange 2007 this is good; the port is static and DAGs use regular TCP, where CCR/SCR in Exchange 2007 uses 445 for log shipping (over SMB) and a dynamic port for seeding. And if it’s two things some network people hate it’s SMB and dynamic ports. On the other hand, 64327 in the dynamic range defined by IANA; according to IANA dynamic ports cannot be registered (claimed).
Fortunately, the port can be changed when required. To change the port for a DAG use the Set-DatabaseAvailabilityGroup cmdlet with the ReplicationPort parameter like this, where can be any number between 1 and 65535:
Set-DatabaseAvailabilityGroup -Identity DAGID -ReplicationPort

Note that Exchange will not adjust the Windows Firewall rules accordingly, so you need to create a firewall exception on each DAG member to make replication work. Even better, you should do this before changing the DAG port to prevent interrupting the replication longer than necessary."
For a full list of the ports used by Exchange 2010, see the Exchange Network Port Reference.
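
The order of operations from the quote (open the firewall on every member first, then change the port) as an added example that is not part of the quoted article. The DAG name, port number, rule name and peer addresses are constructed sample values, and PowerShell remoting to each DAG member is assumed to be enabled.

```powershell
# Added example. Run from the Exchange Management Shell with rights to manage the DAG.
$DagName   = 'DAG1'                          # hypothetical DAG identity
$NewPort   = 50001                           # hypothetical replacement port
$ReplPeers = '192.0.2.11,192.0.2.12'         # constructed sample: members' replication addresses
$RuleName  = "Exchange-DAG-Replication-$NewPort"   # hypothetical rule name

$dag     = Get-DatabaseAvailabilityGroup -Identity $DagName
$members = $dag.Servers | ForEach-Object { $_.Name }

# 1. Create the inbound exception on every member BEFORE touching the DAG.
#    remoteip limits the rule to the other DAG members instead of any source.
foreach ($m in $members) {
    $ok = Invoke-Command -ComputerName $m -ArgumentList $RuleName, $NewPort, $ReplPeers -ScriptBlock {
        param($name, $port, $peers)
        netsh advfirewall firewall add rule name=$name dir=in action=allow `
            protocol=TCP localport=$port remoteip=$peers | Out-Null
        # "show rule" returns a non-zero exit code when no rule matches the name
        netsh advfirewall firewall show rule name=$name | Out-Null
        $LASTEXITCODE -eq 0
    }
    if (-not $ok) { throw "Firewall rule missing on $m; DAG port left unchanged." }
}

# 2. Only now move replication to the new port.
Set-DatabaseAvailabilityGroup -Identity $DagName -ReplicationPort $NewPort

# 3. Confirm the setting and check that log shipping is keeping up on each member.
(Get-DatabaseAvailabilityGroup -Identity $DagName).ReplicationPort
foreach ($m in $members) {
    Get-MailboxDatabaseCopyStatus -Server $m |
        Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
}
```

Growing copy queues after step 2 usually mean a member or an intermediate firewall is still blocking the new port.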


Monday, December 14, 2009

Is Microsoft Forefront Protection 2010 for Exchange Server x86 or x64?

After installing Forefront Protection 2010 for Exchange (FPE), I ran Task Manager to see what processes were running. I was surprised to see almost all of the Forefront processes are 32-bit. I asked Microsoft why this is, since Exchange 2007 and Exchange 2010 are 64-bit only applications.

It turns out that this is because the antivirus engines are still 32-bit. FPE uses up to five different scan engines from different vendors to scan emails (Authentium, Kaspersky, Microsoft, Norman, and VirusBuster). The AV vendors are working to create 64-bit versions of their scan engines, but there is no ETA at this time.

Each scan engine requires approximately 250 MB of memory. Less memory is required if Intelligent Engine Management (IEM) is not enabled and fewer than 5 engines are selected.

Considering that each scan engine runs in its own discrete process, there may not be much of an advantage running 64-bit, anyway. 32-bit scan engines also mean that they can be used on the 32-bit non-production versions of Exchange for testing. Even so, I'd rather see the Forefront Team create a 32-bit version for testing and a 64-bit version for production once the AV vendors have 64-bit scan engines.


Monday, December 7, 2009

Microsoft/Prometric Exam FAIL

Not me, Microsoft and Prometric (again). For the second time in a week, I am unable to take a beta Microsoft exam that I received an invitation to take.

The first was for 71-659: TS: Windows Server 2008 R2, Server Virtualization. This exam I never got a chance to sign up for, even though I tried 10 minutes after registration opened. That's because some yahoos blogged about the exam and gave the registration code to everyone on the planet. Unfortunately, this was also blogged by a Microsoft MVP. Nice.

The second was for 71-663: Pro: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010. This time, I was able to register and got a confirmation email immediately from Prometric. My friends markmorow and cxi on Twitter recommended that I confirm that my exam wasn't canceled. I went to the Prometric site today and sure enough, it was canceled.

No notification was sent to me about the cancellation. Nice again. The Microsoft Born to Learn website had this to say about it.

I contacted Prometric, who sent me the following information:

Dear Candidate,

Thank you for your interest in the Microsoft Beta 071-663, PRO: Designing & Deploying Messaging Solutions w/MS Exchange Server 2010, examination. Microsoft authorized a registration cap of 300 registrations for this beta. Unfortunately, your appointment was scheduled beyond this cap and, as a result, needed to be cancelled. Due to this, you may have received an email confirmation of the cancellation.

Microsoft is, however, authorizing one free attempt to take the live examination at no cost to you when it is released next year. You will receive an email within a week which will include a voucher number valid for the 070-663 live examination. Please ensure to save the voucher number for use on your exam. It will be required at the time of registration to receive the exam at no cost.

We appreciate your business and apologize for any inconvenience this may have

Thank you.

I'll be looking for this voucher when the Exchange 70-663 becomes official. If you, like me, didn't receive a cancelation email and showed up at the test site, go to to request reimbursement for lost work and travel time.


Friday, November 20, 2009

Microsoft Exchange Server 2010 Transport Server Role Architecture Diagrams

Microsoft has produced two Exchange 2010 Transport diagrams:
  • Exchange 2010 Hub Transport Extensibility

  • Exchange 2010 Hub Transport Role Architecture

Both diagrams are produced as PDF files that can be printed out in almost any size.

While I think these diagrams are visually beautiful, I rarely (if ever) refer to diagrams like this. They do, however, add a certain je ne sais quoi to the geekiness of any Exchange architect's office.


Tuesday, November 10, 2009

Exchange Server 2010 RTM Upgrade and Installation - Phase 3

This is the third and final phase of my Exchange 2010 / Windows Server 2008 R2 / Hyper-V migration. Phase 1 can be read here and phase 2 can be read here.

At this point, my Hyper-V host server is still running Windows Server 2008 SP2 and also functions as my Exchange Edge Transport server (currently Exchange 2007 SP2). It is hosting three VM guests: a Windows Server 2008 R2 domain controller/global catalog server; an Exchange 2007 SP2 server running the Hub/CAS/Mailbox roles; and a new Exchange 2010 server running the Hub/CAS/Mailbox roles. All mailboxes have been moved to the new E2010 server.

In phase 3, I will uninstall the Exchange 2007 Edge Transport server role from the host, upgrade the host server to Windows Server 2008 R2, install the Exchange 2010 Edge Transport role, and decommission my last Exchange 2007 Hub/CAS/Mailbox server.

I began by uninstalling Forefront Security for Exchange Server from the Exchange 2007 Hub/CAS/Mailbox server. In order to do this, you must stop all the Exchange services and then uninstall the product using Programs and Features in Control Panel.

Next, I created a new Public Folder database on the Exchange 2010 Mailbox server and enabled replicas on the E2010 mailbox server using the Exchange 2010 Public Folder Management Console in the Exchange Management Console (EMC). I then removed all the Public Folder replicas from the Exchange 2007 Mailbox server role using the Exchange 2007 Public Folder Management Console in the EMC.

You cannot decommission an Exchange mailbox server that contains active mailboxes. They must be moved to another server or disabled. Since I had already moved all my user and resource mailboxes to the new Exchange 2010 server, all that was left was the system CAS mailbox which must be disabled (it cannot be deleted or moved). This is accomplished using the following command from the Exchange Management Shell (EMS):

Get-Mailbox -Database "EX\Mailbox Database" | Disable-Mailbox

Now I'm finally ready to uninstall Exchange 2007 from the Hub/CAS/Mailbox server using Programs and Features in Control Panel. However, removal of the Mailbox role fails with the error, "Object is read only because it was created by a future version of Exchange: 0.10 ( Current supported version is 0.1 (8.0.535.0)." I also discover I get the same error if I try to delete the E2007 Public Folder database.

After some research, I found that the only way to delete the "upgraded" Exchange 2007 Public Folder store is using ADSIEdit. This is detailed here, but the basic steps are to navigate to the Public Folder store in ADSIEdit and delete it, which I've done here.

Once the Public Folder database was removed, I ran the uninstallation again, which then succeeded. After Exchange 2007 was uninstalled, I completed the decommissioning by disjoining the Exchange 2007 server from the domain and turning it off. I then tested mailflow to ensure that inbound/outbound SMTP email was working properly.

Next, I began the operating system upgrade of the Hyper-V host server by uninstalling Forefront Security for Exchange Server and the Exchange 2007 Edge Transport role. This went very smoothly with no issues.

In preparation for my OS upgrade, I shut down and exported my two Hyper-V VMs to a new folder, H:\Exports. Exporting a VM exports the VM configuration, which includes the hardware, drives, networks (and most importantly, MAC addresses) to an XML file. This allows you to import the VM into a new Hyper-V host server without further configuration.

My process for upgrading the host server was to perform an in-place installation, not an upgrade. This is performed by booting to the Windows Server 2008 R2 DVD and choosing a new installation. Setup will warn that there is already a copy of Windows installed and prompt to continue. When you continue, setup will copy all the old user folders (Documents and Settings), Program Files, and the Windows folders to a new folder named C:\Windows.old, which can be accessed later from the new operating system. When setup completed, I was left with a base Windows Server 2008 R2 server.

I then installed the Hyper-V role and imported the VMs from H:\Exports. I started them up and verified that everything was running properly. I was very pleased to see that the VMs performed faster, due to R2's improved handling and performance of dynamic VHDs.

Next, I installed the Exchange 2010 Edge Transport server role on the host server, reconfigured my anti-spam settings, and created a new Edgesync subscription. After importing the Edgesync subscription in the Exchange 2010 Hub Transport server, I tested Edgesync and mailflow, which worked as expected.

I hope this series helps some of you out!


Friday, October 30, 2009

How to Use a Recovery Database in Exchange 2010

This is another in my series of articles on Exchange 2010.  In this post I'll be writing about the Recovery Database feature in Exchange 2010.

Exchange 2010 no longer has the notion of Storage Groups, which were used in Exchange 2007 and 2003 to contain logical groupings of databases.  E2010 now simply lets you create databases on mailbox servers.  E2010 Standard Edition lets you create up to 5 databases per server. The Enterprise Edition scales up to 100 databases per server.

In Exchange 2003/2007 you could restore a database "on top" of an original database to replace the existing database, or you could restore the database "alongside" the existing database to recover select mailboxes or items.  You can do the same thing with Exchange 2010.  The difference is that in Exchange 2003/2007, you created a Recovery Storage Group (RSG) to restore the database into.  In Exchange 2010, you simply restore the database and connect to it as a Recovery Database (RDB).  Here's how you do it in Exchange 2010.
Note: Ross Smith IV has a great article on single item recovery in Exchange 2010.  This assumes that the item can be recovered from the dumpster.  This article covers how to restore from a backup when the item cannot be recovered from the dumpster.  For example, on the rare occasion when a user realizes he/she deleted a folder or item past the dumpster retention period.
First, you have to have a good backup that contains the item to be recovered.  Windows Server 2008 and Windows Server 2008 R2 have the built-in Windows Server Backup feature.  I cover how to use WSB to backup Exchange here.

Now you must restore the data, but redirect it to another location.  In Windows Server Backup, this is done by choosing to recover the Exchange application (detailed in my previous article) and recovering it to another location.  Typically, this is a new folder on the same Exchange server.

Once the recovery is complete, the database (EDB file) and transaction logs (LOG files) will reside in the new D:\Recovery folder.  Note that WSB will not create this folder; it must already exist.

Now you need to add this database to the Exchange mailbox server as a Recovery Database. Currently, this is done using the Exchange Management Shell (EMS), as there is no way to do this from the GUI.  Run the following command to create a Recovery Database:
New-MailboxDatabase -Recovery -Name RDB1 -Server EX1 -EdbFilePath "D:\Recovery\Mailbox Database 1882717321.edb" -LogFolderPath "D:\Recovery"
This will cause Exchange to create a new recovery database named RDB1 on server EX1 using the database and logs in D:\Recovery.  Once this command is run, you will see the recovery database in the Exchange Management Console (EMC), but it must be brought into a clean shutdown state before it can be mounted.

To bring the database into a clean shutdown state, use ESEUTIL /R to perform a recovery of the database.  Often, I've seen that Exchange is unable to perform a successful recovery, giving the following error:
Operation terminated with error -1216 (JET_errAttachedDatabaseMismatch, An outstanding database attachment has been detected at the start or end of recovery, but database is missing or does not match attachment info) after 11.625 seconds.
In these cases, I have run an ESEUTIL /P (repair) to force the database into consistency.  Once the database has been successfully recovered or repaired, mount the database in EMC or using the Mount-Database cmdlet.

Now we're ready to recover deleted items from the recovery database.  In order to do this, though, you need Organization Management rights in Exchange 2010.  The following are cmdlet examples for recovering items from the RDB:

This example restores a mailbox for user Keith Johnson, overwriting the existing mailbox:
Restore-Mailbox -ID 'Keith Johnson' -RecoveryDatabase RDB1
This example restores Keith Johnson's mailbox content into an Investigation mailbox:
Restore-Mailbox -ID 'Keith Johnson' -RecoveryDatabase RDB1 -RecoveryMailbox Investigation
This example restores only the mail with the word "contract" in the subject and the word "CompanyABC" in the body of the message from the Inbox or Saved folders.
Restore-Mailbox -ID 'Keith Johnson' -RecoveryDatabase RDB1 -SubjectKeywords 'contract' -ContentKeywords 'companyabc' -IncludeFolders \Inbox,\Saved
There are a lot of different options in the Restore-Mailbox cmdlet and recovery databases that make it a powerful tool for recovery.  Take the time to learn them before you need to use them.
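
The steps above chained into one script, as an added example rather than the author's own code. It reuses the post's sample names and paths, assumes the restored logs use the E00 prefix, and reads the database header with ESEUTIL /MH so it only mounts a database that has reached Clean Shutdown. It does not run ESEUTIL /P on its own, because a repair can discard damaged pages.

```powershell
# Added example. Run in the Exchange Management Shell on the mailbox server.
$RecoveryPath = 'D:\Recovery'
$Edb          = Join-Path $RecoveryPath 'Mailbox Database 1882717321.edb'
$Rdb          = 'RDB1'
$Server       = 'EX1'
$LogPrefix    = 'E00'   # assumption: match the prefix of the .log files in $RecoveryPath

function Get-EdbState {
    param([string]$Path)
    # eseutil /mh dumps the database header; its State line reads
    # "Clean Shutdown" or "Dirty Shutdown".
    $m = & eseutil /mh $Path |
         Select-String -Pattern '^\s*State:\s*(.+?)\s*$' |
         Select-Object -First 1
    if (-not $m) { throw "No State line found in the header dump of $Path" }
    return $m.Matches[0].Groups[1].Value
}

# 1. Register the restored files as a recovery database (skipped if already done).
if (-not (Get-MailboxDatabase -Identity $Rdb -ErrorAction SilentlyContinue)) {
    New-MailboxDatabase -Recovery -Name $Rdb -Server $Server `
        -EdbFilePath $Edb -LogFolderPath $RecoveryPath
}

# 2. Soft recovery: replay the restored logs until the header shows Clean Shutdown.
if ((Get-EdbState $Edb) -ne 'Clean Shutdown') {
    & eseutil /r $LogPrefix /l $RecoveryPath /d $RecoveryPath
    if ((Get-EdbState $Edb) -ne 'Clean Shutdown') {
        # /i makes soft recovery ignore mismatched or missing database
        # attachments, the condition reported by error -1216.
        & eseutil /r $LogPrefix /i /l $RecoveryPath /d $RecoveryPath
    }
    if ((Get-EdbState $Edb) -ne 'Clean Shutdown') {
        throw 'Soft recovery failed. Decide on a repair (ESEUTIL /P) manually.'
    }
}

# 3. Mount the RDB and list the mailboxes it contains before restoring anything.
Mount-Database -Identity $Rdb
Get-MailboxStatistics -Database $Rdb |
    Format-Table DisplayName, ItemCount, TotalItemSize -AutoSize

# 4. Selective restore, same filter as the post's last example.
Restore-Mailbox -Identity 'Keith Johnson' -RecoveryDatabase $Rdb `
    -SubjectKeywords 'contract' -ContentKeywords 'companyabc' `
    -IncludeFolders '\Inbox','\Saved'

# 5. When finished, remove the RDB. The EDB and log files stay on disk and are a
#    full copy of every mailbox in that database, so delete them as well.
# Dismount-Database -Identity $Rdb -Confirm:$false
# Remove-MailboxDatabase -Identity $Rdb -Confirm:$false
```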


How to Backup Exchange 2010 RTM at Release Timeframe

As with any other major release of Exchange, there will be a gap in third-party vendor support for Exchange 2010 when it is released to general availability next month.

One of those gaps will be supported backup solutions for Exchange 2010.  Thankfully, Microsoft recognized this and added VSS backup support to the built-in Windows Server Backup feature in both Windows Server 2008 and Windows Server 2008 R2.  This capability has been introduced in Exchange 2007 SP2 and Exchange 2010 RTM, allowing you to back up Exchange 2007 SP2 and Exchange 2010 using a native VSS application provider.

Exchange automatically registers its application provider in VSS when Exchange 2010 is installed or when the Exchange 2007 server is upgraded to SP2.  This happens even if the Windows Server Backup feature isn't installed on the server yet.  You simply need to add the Windows Server Backup feature using Server Manager to your Exchange server to enable the Exchange aware VSS backup capability. 

Windows Server Backup (WSB) will allow you to perform Exchange aware backups, similar to NTBackup, with a few notable points:
  • Legacy (streaming) backups are not supported.
  • Since Windows Server Backup performs volume-only Volume Snapshot Service (VSS) backups, there is no specific "Exchange only" backup capability.  When you perform a backup of a volume that contains Exchange data (EDB and log files), WSB automatically performs an Exchange aware backup.  The only visual cue you will see is this, just before the data is backed up:
  • Once WSB notifies Exchange that the VSS Full Backup has completed successfully, Exchange will truncate the log files for all the Exchange 2010 databases or Exchange 2007 SP2 Storage Groups.
Note: The default behavior of WSB is to perform a VSS Copy Backup, which will not truncate the logs. To configure a VSS Full Backup you must configure a Custom backup (not Full Server), add the volumes that contain the Exchange data, click Advanced Settings, and select VSS Full Backup on the VSS Settings tab.
  • Backups must be run against the active node on Database Availability Groups (DAGs) or the active node in an Exchange 2007 CCR cluster.  When the backups complete successfully and the logs are truncated on the active node, the same operation will occur on the passive node.
  • You can back up either to a local hard drive or a network share.
  • There is no remote server backup functionality. You must perform the backup from the Exchange server.
  • You can schedule the backups using WSB or install the WSB command line extensions to run a backup from the command line.
  • When restoring, you do not have to restore the whole backed up volume. You can choose to restore only Exchange application data by choosing to recover only the Exchange application, as shown:

And then select Exchange:

  • Recovery can be performed to the original location (overwriting the existing data) or to a new folder or location.  If you choose to recover to another location, WSB will copy just the application data, not recover the Exchange application itself.  You can then use this data in an Exchange 2010 Recovery Database (RDB) or an Exchange 2007 Recovery Storage Group (RSG).
  • You can redirect the restore of an Exchange application to another server.
  • Microsoft Data Protection Manager (DPM) 2010 is also in beta and is available for download.
In a future article, I will explain the process of using an Exchange 2010 Recovery Database (RDB) to recover data from a backup set.


Thursday, October 22, 2009

Exchange Server 2010 RTM Upgrade and Installation - Phase 2

These are my notes for phase 2 of my migration from Exchange 2007 SP2 to Exchange 2010 RTM. My notes for phase 1, where I introduced the first Exchange 2010 Hub/CAS/Mailbox server into my existing Exchange 2007 environment, can be read here.

Now in phase 2, I needed to configure the new 2010 server, test mailflow, move the mailboxes, and configure ActiveSync.

I decided to create a third phase, where I will decommission the Exchange 2007 Hub/CAS/Mailbox server, migrate the Windows Server 2008 SP2 Hyper-V host server to Windows Server 2008 R2, and install the Exchange 2010 Edge Transport role on it.

I configured the logging for each server and resubscribed my Edge Transport server. If you don't do this, you'll get the following warning in the Application event log of the 2010 Hub Transport server:
Log Name: Application

Source: MSExchange EdgeSync
Date: 10/22/2009 3:07:25 PM
Event ID: 1032
Task Category: Topology
Level: Warning
Keywords: Classic
User: N/A

Microsoft Exchange EdgeSync can't find the replication credential on to synchronize with Edge server This may happen if joined the current Active Directory site after subscription for was established. To have this Hub Transport server participate in EdgeSync, re-subscribe to the current Active Directory site.
There's no need to remove the old subscription. Just create a new subscription file using the New-EdgeSubscription cmdlet on the Edge Transport server and import it using the New Edge Subscription action in EMC on the 2010 Hub Transport server, as usual. It will update the existing Edge subscription for the new 2010 server.

Next, I reconfigured port forwarding for my Client SMTP Send Connector (TCP port 587) to be directed to the new 2010 server. I tested this using my iPhone, which is connected to my home email using IMAP4 and SMTP. In this configuration, the iPhone gets email from the Exchange 2007 server, but sends email through the Exchange 2010 server. Both incoming and outgoing emails tested fine.

Now I needed to move the mailboxes to the new 2010 server. This is accomplished using the Exchange 2010 Management Console to perform Local Move Requests to the database on the 2010 server. Once the move is completed, I cleared the Move Request in the console to complete the move.

Now it was time to move IMAP services to the new 2010 server. As in previous versions of Exchange, the Microsoft Exchange IMAP4 and Microsoft Exchange POP3 services are set to manual and stopped, by default. I changed the Microsoft Exchange IMAP4 service to automatic and started it. Then I reconfigured port forwarding for IMAP4 (TCP port 143) and IMAP4/TLS (TCP port 993) to be directed to the new server. I sync'd the iPhone using secure IMAP and it worked fine.

Note: I use self-signed certificates for Exchange 2007 and 2010. The iPhone will give a warning saying that the certificate may not be trusted. When you continue anyway, the certificate is automatically installed on the iPhone and you won't be prompted again. Cool!

Next, I used the Microsoft Exchange ActiveSync Connectivity Tests in the Microsoft Exchange Remote Connectivity Analyzer to test that ActiveSync is working properly. This tool allows you to remotely test several aspects of your Exchange infrastructure, including Outlook and ActiveSync AutoDiscover records, ActiveSync functionality, Outlook Anywhere, inbound / outbound SMTP email, and more from a Microsoft-hosted website. Very. Very. Cool. The Exchange team just recently updated the ExRCA to work with Exchange 2010.

Here, I ran into an unexpected problem. The ActiveSync tests were failing in ExRCA with the error, "Exchange ActiveSync returned an HTTP 500 response", as shown below.

Unfortunately, the "Tell me more about this issue and how to resolve it" link refers to a less than helpful article for Exchange 2003. I checked the event logs and found the following error in the Application event log:
Log Name: Application

Source: MSExchange ActiveSync
Date: 10/22/2009 9:18:03 PM
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A

Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Keith Johnson,CN=Users,DC=expta,DC=com" container under Active Directory user "Active Directory operation failed on This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
After a bit of research, I discovered that this happens when a user is a member of a Windows built-in group. In my case, the user was a member of Domain Admins. As you probably know, it's best practice to only use admin accounts for administrative functions and to not use them for regular user functions, such as ActiveSync.

To fix the problem, you must remove the user from the built-in group and reconfigure the user's security to apply inheritance (in ADUC, select the Security tab, Advanced, and check Include inheritable permissions from this object's parent). If you don't remove the user from the built-in group, Windows will deselect inheritance.
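
A way to find affected mailboxes before users hit the HTTP 500, as an added example that is not from the original post. It relies on background the post does not spell out: members of protected groups such as Domain Admins are stamped with adminCount=1 and have ACL inheritance switched off on their user object. It assumes the ActiveDirectory PowerShell module is available; the function name and the sample DN in the comment are illustrative.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT on Windows Server 2008 R2).
Import-Module ActiveDirectory

# Mailbox-enabled user objects only.
$filter = '(&(objectCategory=person)(objectClass=user)(msExchMailboxGuid=*))'

$report = Get-ADUser -LDAPFilter $filter -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        # AreAccessRulesProtected is $true when "Include inheritable permissions
        # from this object's parent" is cleared on the object.
        $blocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        if ($blocked -or $_.adminCount -eq 1) {
            New-Object PSObject -Property @{
                SamAccountName     = $_.SamAccountName
                AdminCount         = $_.adminCount
                InheritanceBlocked = $blocked
                DistinguishedName  = $_.DistinguishedName
            }
        }
    }

$report | Sort-Object SamAccountName |
    Format-Table SamAccountName, AdminCount, InheritanceBlocked -AutoSize

# Hypothetical helper: re-enable inheritance on one user AFTER the account has
# been removed from the built-in group, the scripted form of the ADUC checkbox.
function Enable-AclInheritance {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # isProtected = $false turns inheritance back on; the second argument is
    # ignored when isProtected is $false.
    $entry.ObjectSecurity.SetAccessRuleProtection($false, $true)
    $entry.CommitChanges()
}

# Usage with the DN from the event above:
# Enable-AclInheritance -DistinguishedName 'CN=Keith Johnson,CN=Users,DC=expta,DC=com'
```

Any account the report lists that is still in a protected group will have inheritance cleared again, so use a separate non-admin mailbox account for ActiveSync.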

Once I did all this and retested the ActiveSync functionality using ExRCA, I was ready to configure ActiveSync for my most important user - my wife with her iPhone. It worked like a charm.

There's just a little bit of cleanup to do now. I need to move the Offline Address Book to the new 2010 server and then I can move on to phase 3, where I will decommission the Exchange 2007 server and upgrade the Hyper-V host and Edge Transport server.


Monday, October 19, 2009

Exchange Server 2010 RTM Upgrade and Installation Notes

I installed Exchange 2010 RTM into my Exchange 2007 SP2 environment this weekend. This article explains the upgrade process, steps, issues, and resolution for those issues.

My environment consists of a single Windows Server 2008 SP2 Hyper-V host server, running the Exchange 2007 SP2 Edge Transport role. There are two VMs -- one Windows Server 2008 R2 DC/GC and one Exchange 2007 SP2 Hub/CAS/Mailbox server running on Windows Server 2008 SP2.

My upgrade will be in two stages, as shown above. Stage one is to remove the Exchange 2010 RC1 beta, introduce Exchange Server 2010 RTM into my existing Exchange 2007 environment, and to migrate all the mailboxes to it. Stage two is to upgrade my host server from Windows Server 2008 to Windows Server 2008 R2 and decommission the Exchange 2007 infrastructure.

Prior to stage one, I've already replaced my existing Windows 2008 SP2 DC/GC with a new Windows 2008 R2 DC/GC and installed Exchange Server 2007 SP2. Exchange 2007 SP2 extends the Active Directory schema to include all the new Exchange 2010 attributes and allows for interoperability between the two versions.

Removing the Exchange 2010 RC1 Beta
Before I began to install Exchange Server 2010 RTM, I wanted to completely remove Exchange 2010 RC1 (build 639.11) from my environment. As with any other version of Exchange, you need to move/remove all mailboxes from the E2010 RC1 server first.

The only mailboxes I had on Exchange 2010 RC1 were test accounts that I used when writing for the book, "Exchange 2010 Unleashed", so I simply deleted them with the following commands in the Exchange 2010 Management Shell (EMS):

[PS] C:\>Get-MailboxDatabase

Name Server Recovery ReplicationType
---- ------ -------- ---------------
Mailbox Database 0767927725 EX1 False None

[PS] C:\>Get-Mailbox -Database 'Mailbox Database 0767927725' | Remove-Mailbox
This will delete all the regular mailboxes in the specified database. Exchange 2010 also uses hidden arbitration mailboxes, which must be deleted before the mailbox server can be decommissioned. Chris Lehr wrote a great article explaining arbitration mailboxes, which I highly recommend reading. If you don't delete the arbitration mailboxes you will get the following error when you try to uninstall the Exchange 2010 mailbox role:

Uninstall cannot continue. Database 'Mailbox Database 0767927725': This mailbox database contains one or more mailboxes or arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database . To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database -Arbitration. Before you can remove this mailbox database, you must disable, move, or remove user mailboxes and move arbitration mailboxes.
Run the following command in EMS to delete the arbitration mailboxes:
[PS] C:\>Get-Mailbox -Arbitration | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed
Now you can uninstall all the Exchange 2010 RC1 roles and management tools using Control Panel > Programs and Features. This will also uninstall the Microsoft Full Text Indexing Engine for Exchange, also listed in Programs and Features. Once the uninstallation completes, restart the server.

Installing Exchange 2010 RTM
Installing Exchange 2010 RTM is very straightforward and has very few prerequisites in Windows Server 2008 R2, since it already includes PowerShell V2 and WSMan. Windows Server 2008 will require ManagementPlatformx64.msi to install these components.

Here are the steps I used for installation of Exchange 2010 RTM:

  • Extract Exchange2010-RC1-x64_639-21.exe to a destination folder and run Setup.exe
  • Select Step 3. Choose Exchange Language Option and Install only languages from the DVD
  • Select Step 4. Install Microsoft Exchange. The Exchange 2010 binaries will copy to a temporary folder for installation.
  • Click Next at the Introduction screen
  • Accept the license agreement and click Next
  • Enable automatic error reporting and click Next
  • Select Custom Exchange Server Installation and click Next
  • Select the Mailbox Role, Client Access Role, and Hub Transport Role. The Exchange 2010 Management Tools are installed automatically. Click Next.
  • Check The Client Access server role will be Internet-facing. Enter the FQDN for the CAS (i.e., and click Next.
  • Select the Customer Experience Improvement Program choice and click Next. The Exchange Readiness Checks will run.
  • The Readiness Checks said that the Hub Transport and Mailbox roles require the 2007 Office System Converter: Microsoft Filter Pack (
  • Download and install FilterPackx64.exe. Click Back and Next to re-run the Exchange Readiness Checks.
  • Click Install to install Exchange 2010 RTM. The installation ran without error in 9 minutes; 24 seconds on my Hyper-V VM.
  • Clear the Finalize installation in the Exchange Management Console checkbox and click Finish
  • Click Step 5: Get critical updates for Microsoft Exchange. Windows Update will run. If prompted, install and run the ActiveX component to install Microsoft Update for other products.
  • Click Check for new updates and install any needed updates. Restart if prompted.
  • Click Close in the Exchange 2010 setup program
  • Launch the Exchange Management Console and verify the Exchange 2010 version is build 639.21.
  • Restart the Exchange 2010 server if it was not restarted for the updates, just to ensure that all the services come up OK.
  • Create a test mailbox on the new server and test mailflow
This is where I'm at right now.  I still need to move my mailboxes from the Exchange 2007 mailbox server to Exchange 2010 before moving on to phase 2.  I'll post again when that's done.


Friday, October 16, 2009

Exchange 2010 Certified!

This morning I received the following email from Microsoft:

Congratulations on earning your Microsoft Exchange Server 2010, Configuration certification! We hope you enjoy the benefits of your certification and of membership in the Microsoft Certified Professional community.
Nice way to start the day!


Thursday, October 15, 2009

How to Convert Local and Global Groups to Universal Groups

As you may know, Exchange Server 2007 and Exchange Server 2010 force you to create all new distribution groups as universal distribution groups.

The reason for this is that Exchange 2007/2010 requires a local Global Catalog (GC) server in the Exchange site to query for group expansion. A GC can expand domain local, global, and universal groups. However, domain local groups (and sometimes global groups) can only be expanded within the domain local scope. If the GC is a member of the domain, it will be unable to expand a domain local group in the subdomain.

Universal groups can be used anywhere in the same Windows forest. A GC is able to expand universal groups in any domain or subdomain in that forest, as long as the domain functional level (DFL) and forest functional level (FFL) are at least Windows Server 2003 Interim Level.

Obviously, the issue with group expansion only occurs in multi-domain "enterprise" environments, but Exchange 2007/2010 doesn't care. Distribution groups and mail-enabled security groups must still be universal groups, even in a single domain environment.
If you're moving from Exchange 2000/2003 to Exchange 2007 or Exchange 2010, you're going to want to convert all your domain local and global distribution and mail-enabled security groups to universal groups so they can be managed using the Exchange management tools.

You can change group types and group scope using Active Directory Users and Computers (ADUC), but you can only do one group at a time. When I first started writing this article I was convinced that PowerShell was the best way to do this. But due to limitations in the way that PowerShell accesses Active Directory, my scripts were getting quite large and complicated, even when using third-party PowerShell extensions like Quest's free ActiveRoles Management Shell for Active Directory. I started to look for other ways to perform bulk changes of distribution and security groups.

The most efficient way I found is to use the internal Windows dsquery and dsmod tools. These handy and oft-forgotten tools are installed with the operating system in Windows 2000 and later.

The following command will produce a list of all the groups in the domain and their scope (domain local, global, or universal) and whether the group is a security group. The output is redirected to the Groups.txt file:

dsquery group -limit 0 | dsget group -samid -scope -secgrp > Groups.txt

This command can take a while to run if the domain contains a large number of groups. It took about a minute to process over 6,100 groups.

The command to convert all domain local and global groups (both distribution and security groups) is:

dsquery group -limit 0 | dsmod group -c -q -scope u

The first part of this command uses dsquery to query AD for all groups and then pipes the collection to dsmod to convert each group to a universal group. The -c switch tells dsmod to output any errors and continue. The -q switch tells dsmod to run in quiet mode (suppress successful changes).

Note: Some groups cannot be converted to Universal groups. All of the Windows built-in groups are global and cannot be converted to a different group scope.

Also know that a global group cannot have a universal group as a member. When you see this error, it means that the group is a member of another group that cannot be converted to a universal group (for example, the built-in Account Operators group). Sometimes, this can be like chasing a rat down a hole. The groups may be so deeply nested that it's hard to find the group that is preventing the conversion.

Sometimes it helps to run the conversion command again. For example, dsmod may be unable to convert Group-A to a universal group because it contains the domain local group, Group-B. Later in the process, Group-B is converted from a local group to a universal group. If you run the conversion again, Group-A can now be converted.
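
The re-run behavior and the hunt for the blocking group can be modeled offline. This is an added example, not part of the original post: a small Python model of two Active Directory scope rules (a domain local group cannot become universal while it contains another domain local group, and a global group cannot become universal while it is a member of another global group). It assumes a single domain and group-in-group membership only; all group names are constructed, and Builtin-Example is a hypothetical built-in group.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    scope: str                                    # "local", "global" or "universal"
    members: list = field(default_factory=list)   # names of member groups
    builtin: bool = False                         # built-in groups keep their scope

def blocker(g, groups):
    """Return why g cannot become universal right now, or None if it can."""
    if g.builtin:
        return "built-in group"
    if g.scope == "local":
        for m in g.members:
            if groups[m].scope == "local":
                return f"contains domain local group {m}"
    if g.scope == "global":
        for parent in groups.values():
            if parent.scope == "global" and g.name in parent.members:
                return f"member of global group {parent.name}"
    return None

def convert_pass(groups):
    """One run of the bulk command: try each group once, in listing order."""
    converted = 0
    for g in groups.values():
        if g.scope != "universal" and blocker(g, groups) is None:
            g.scope = "universal"
            converted += 1
    return converted

def convert_until_stable(groups):
    """Re-run until a pass converts nothing; return (productive passes, stuck)."""
    passes = 0
    while convert_pass(groups):
        passes += 1
    return passes, {g.name: blocker(g, groups)
                    for g in groups.values() if g.scope != "universal"}

def sample():
    # Constructed data (added example); Builtin-Example is a hypothetical built-in global group.
    rows = [Group("Group-A", "local", ["Group-B"]), Group("Group-B", "local"),
            Group("Builtin-Example", "global", ["Sales"], builtin=True),
            Group("Sales", "global"), Group("Helpdesk", "global")]
    return {g.name: g for g in rows}

if __name__ == "__main__":
    print(convert_until_stable(sample()))
```

The groups left in the second return value are the ones to review by hand: each entry names the parent or member that is preventing the conversion.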

Note: Exchange 2007 and Exchange 2010 will automatically convert universal distribution groups to universal security groups if the distribution group is used to apply security settings for a MAPI or Public Folder. My next article will cover this in more detail.


Thursday, October 8, 2009

Exchange 2010 - Stick a Fork in it

It's done!  The Microsoft Exchange Team reported today that Exchange 2010 is code complete and on its way to general availability.

I think this is the best version of Exchange I've ever worked with.  Finally, Exchange Server is truly enterprise ready with true high availability built in, not just as an afterthought.

Exchange 2010 is scheduled to RTM in November along with the launch of TechEd Europe 2009.

I'm proud to have been a co-writer for the upcoming book, "Exchange 2010 Unleashed," by Sams Publishing.  I've been working with it through several alpha and beta builds and have been consistently impressed with the build quality and the direction that Microsoft is taking with this product.



Monday, September 28, 2009

Sizing Recommendations for Exchange 2010

There are some changes in architecture in Exchange 2010. All clients, even Outlook, connect via the Client Access Servers (CAS). There are some changes in recommendations around the ratio of resources for CAS/Hub and the mailbox servers.

Microsoft provides detailed guidelines on this TechNet page and this one.

The basic guidelines for server role ratios are as follows. They're based on the number of mailbox server cores.
  • Hub Transport Server — 7:1 (no antivirus on Hub) or 5:1 (antivirus on hub). 1GB of memory for each core.
  • Client Access Server (CAS) — 4:3 (note this is much higher than with previous Exchange installations). 2GB of memory for each core.
  • Domain Controller — 1:4 (32-bit Domain Controller (DC)) or 1:8 (64-bit DC, and the DC has enough memory to cache the entire NTDS.DIT file).
  • Edge Transport Server — Based on peak connections and messages per second and average message size. 1GB of memory for each core.
Each mailbox server should have 4GB of memory plus 2-10MB per mailbox, depending on whether the mailbox is in light, average, or heavy use.

Thanks to John Savill for the info.


Wednesday, August 19, 2009

RAM Upgrade

I just doubled the RAM on my Hyper-V server to 16GB. This is the server that hosts this blog, as well as my other domains and Exchange 2007. Much faster!

Now I have more room to add another Windows Server 2008 R2 test domain and Exchange 2010. Good thing, too, since I just got an invitation email from Microsoft to take the beta exam 71-662: TS: Microsoft Exchange Server 2010, Configuring. I'll probably be taking that in September.


Thursday, July 30, 2009

Exchange 2007 won't be coming to R2

Microsoft Exchange Server 2007 is supported on Windows Server 2003 and Windows Server 2008 servers, but will not be supported on the upcoming Windows Server 2008 R2 operating system.

The reason, according to Michael Atalla, group product manager in the Unified Communications group at Microsoft, is lack of resources. "We are focusing our resources on getting Exchange Server 2010, which will be fully tested and supported on Windows Server 2008 and Windows Server 2008 R2, customer ready to be released later this year."

This means that if you're planning to do a complete operating system refresh when Windows Server 2008 R2 is released later this year, you'll have to move to Exchange 2010 as well. Not that I need any more reasons to do so, anyway. Exchange 2010 rocks!


Friday, July 24, 2009

How to Tell Which Version of PowerShell is Installed

One of the easiest ways I've found to determine which version of PowerShell is installed on a computer is to run the $host.version command.

The output will display the Major version, Minor version, Build, and Revision number. For example, here is the output from a computer with PowerShell V1 installed:

And here is the output from a Windows Server 2008 R2 beta computer, which has PowerShell V2 integrated into the operating system:

Note that the Build and Revision numbers are -1, indicating that the PowerShell V2 CTP (beta) is installed. Once PowerShell V2 RTW (Release to Web) is available, the Build and Revision numbers should both be zero.


Tuesday, June 2, 2009

What's New with Exchange 2010 ActiveSync and Outlook Mobile

Some great new changes are coming with Exchange Server 2010 ActiveSync.

Many more partners beyond Windows Mobile have licensed the ActiveSync protocol for syncing email to your mobile device. Here are just a few:

Architecture-wise, Exchange 2010 ActiveSync has the same connectivity flow as Exchange 2007.

Here are some of the new Exchange Server 2010 ActiveSync features:

Block/Allow/Quarantine List
You can set up a single list to block/allow mobile devices as needed. You can also quarantine devices such as new untested devices, etc.

Over the Air Update Mode
You can now push new Outlook Mobile updates and/or new versions to Windows Mobile 6.1 and above. This is really nice since you no longer have to wait for a new Windows Mobile OS version to obtain a new version of Outlook Mobile.

SMS Sync
The ability to send SMS text messages through Exchange and Exchange ActiveSync is used to sync SMS messages with a user’s mobile device. Benefits of SMS sync:

  • User can use OWA, Outlook, and Outlook Mobile to respond
  • SMS messages are backed up on the server
  • Recipients can respond to messages
  • User can switch “screens” while still seeing all their messages

IMAP/POP3 Service Discovery
You can now autodiscover/autoconfigure the IMAP/POP3 settings from your mobile device by just specifying your email address, just like you can now with Outlook 2007.

Here are some of the new Outlook Mobile features:

Conversation View
Conversation view is invaluable. This allows you to have a nicer mobile email experience when trying to skim through the onslaught of emails. This is the same experience you will have in Exchange 2010 OWA and Outlook 2010, but really makes a huge difference on a mobile device.

Reply State
You can now see which emails you have replied to or forwarded.

Conversation Actions
You can now ignore threads, move entire threads to folders, etc. from your mobile device.

Nickname Cache
Very nice that your nicknames follow you now. Especially useful for external recipients you email often.

Voice Card
You no longer have to download an attached voicemail before you can play it. You just hit play and hear the voicemail. Another cool feature is the ability to see a written transcription of the voicemail in the body of the message. Very useful for meetings and noisy airports, where you can't play the voicemail.

Get Free/Busy
I love this feature. You can now easily check someone's Free/Busy times at a glance from your phone instead of breaking out the laptop, etc.

As you can see, there are some very useful features coming to Exchange Server 2010 ActiveSync and the new Outlook Mobile.


Tuesday, May 19, 2009

Exchange 2007 SP2 due Q3 2007

On May 11, Microsoft announced that Exchange Server 2007 Service Pack 2 will be released in the third quarter of this year. SP2 extends the feature set of Exchange 2007 to include more functionality and sets the foundation for migrating to Exchange 2010.

Key new features of Exchange Server 2007 SP2 include:
  • Enhanced Auditing - New Exchange auditing events and audit log repository enable Exchange administrators to more easily audit the activities occurring on their Exchange servers. It allows the right balance of granularity, performance, and easy access to audited events via a dedicated audit log repository. This simplifies the auditing process and makes review of audited events easier by segregating audited events in a dedicated location.
  • Exchange Volume Snapshot Backup Functionality - A new backup plug-in has been added to the product that will enable customers to create Exchange backups when a backup is invoked through the Windows Server 2008 Backup tool. Exchange Server 2007 didn't have this capability on Windows Server 2008 and additional solutions were required to perform this task.
  • Dynamic Active Directory Schema Update and Validation - The dynamic AD schema update and validation feature allows for future schema updates to be dynamically deployed as well as proactively preventing conflicts whenever a new property is added to the AD schema. Once this capability is deployed it will enable easier management of future schema updates and will prevent support issues when adding properties that don't exist in the AD schema.
  • Public Folder Quota Management - SP2 enables a consistent way to manage quotas by improving the current PowerShell cmdlets to perform quota management tasks.
  • Centralized Organizational Settings - SP2 introduces new PowerShell options that enable centralized management of many of the Exchange organization settings.
  • Named Properties cmdlets - SP2 enables Exchange administrators to monitor their named property usage per database.
  • New User Interface for Managing Diagnostic Logging - SP2 enables Exchange administrators to easily configure and manage diagnostic logging from within the Exchange Management Console.

Exchange SP2 will be a free download to all Microsoft Exchange Server 2007 customers. It will be a requirement to migrate to Exchange Server 2010.
