My blog has finally been moved to my own namespace; feel free to keep reading the site from http://solarz.net
This continuation of the earlier post of the same name will take us through the second phase of the 2003 to 2010 Exchange migration I performed for a past student of mine.
Quick recap of what we’ve done up to now…
- Prepared the environment for the new Exchange 2010 server (PrepareAD, schema and domain)
- Installed two VMs, server names Ex10 and Ex11.company.com, running Windows Server 2008 R2 with the OS patched. Installed all Exchange 2010 prerequisites, installed Exchange 2010 into the new VMs, and also installed the latest rollup.
So we have the platform ready, but all inbound and outbound mail is still routing through the old mailbox servers. Let’s start by getting all inbound mail into the new 2010 CAS role first. The company in question was using a “mail.company.com” hostname for the Exchange 2003 OWA environment, which they planned on retaining. This is fine, but the DNS configuration they were using would require us to get a new certificate for the new 2010 boxes (see Understanding Digital Certificates and SSL).
To cover all bases I recommended getting a new UCC / SAN certificate with the following names…
Why so many names? Well, again, this particular environment had an external namespace with a normal DNS name (company.com), but their internal AD domain was a single-label domain name (company). The certificate they purchased (from GoDaddy.com) was a “multiple domains – UCC” type with up to 10 names. This allowed us the luxury of having any and every name (single label or not) resolvable internally or externally. Some may argue this is overkill. This admin inherited this environment and was in the position to make changes to get it into Microsoft-recommended shape prior to the upgrade, so this was the easiest solution for him.
Now that we have this new cert installed on both new boxes, as well as the old cert from the old 2003 box imported into the new Ex10 and Ex11 machines, we are ready to start moving mail through the new machines.
He made changes to his SonicWall rules and had all port 25 SMTP, 80 HTTP and 443 HTTPS traffic redirected to the new Ex10 CAS 2010 box. All client MAPI/RPC, Outlook Anywhere, OWA and EAS connections will now hit this box first. He also created a new public autodiscover.company.com A record resolving to the old public IP he was using before. Last but not least, he created another new A record for legacy.company.com pointing to a NEW public IP he had available. This is for co-existence OWA purposes.
At this point all mailboxes are still on the 2k3 side. Before we even thought of moving a single mailbox, we tested mail flow both in and out with the new 2010 HUB roles being the point of entry and exit. We did some quick tests from internal and external mailboxes to and from internal and external mail organizations. Success. Next we created a new 2010 mailbox, called “Jay Cutler”, since this admin was a Chicago Bears fan. Since we installed 2010 into the 2003 organization, setup automatically created a connector between the 2003 routing group and the new 2010-based one. We logged in to this new mailbox (via MAPI and OWA) and sent mail messages back and forth. Success. This also confirms 2010 CAS is functioning correctly; 2010 CAS servers automatically register an SCP (service connection point) in AD for this!
So transport, internal and external, is confirmed, and even between 2003 and 2010. Let’s turn our focus to client access. We used the Microsoft Exchange Remote Connectivity Analyzer to aid us in this. Using some credentials from AD, we could simulate and tell which types of remote connectivity work: RPC over HTTPS (Outlook Anywhere), OWA and even Exchange ActiveSync are all testable here. After some tweaks to his SonicWall this worked great. This tool is IMMENSELY helpful, since it not only tells you when something isn’t working but gives suggestions on possible resolutions.
One of the big headaches many admins will have is OWA co-existence. The new 2010 CAS cannot provide a 2003 OWA experience if the target mailbox is still on a 2003 back-end server, so during this phase it has to refer the OWA request back to the 2003 front-end “legacy” server. See what we did there? This is the legacy A DNS record we made earlier. This new public IP address goes directly to the internal IP address of the old 2003 Exchange server. So the process works like this: you hit the new OWA 2010 login page using the old URL (http://mail.companyname.com/exchange) and are automatically redirected to the actual URL (http://mail.company.com/OWA). The user enters their credentials. If the lookup shows the target mailbox is still on the 2003 box, the session is redirected to a URL we set earlier using the Exchange Management Shell (http://legacy.company.com/exchange). To support this, some settings had to be modified on the front-end server and a patch had to be installed.
Once this was working well and EAS was also hitting the 2003 server correctly, we moved a few mailboxes, both guinea-pig and fake dummy mailboxes.
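Here is what the “URL we set earlier using the Exchange Management Shell” looks like in practice. This is an added example, not the original post’s commands or the customer’s configuration: it assumes a CAS named EX10, the mail.company.com and legacy.company.com names from the post, and https external URLs (the post writes http://, but the SAN certificate bought above only protects the logon if the published URLs are https).

```powershell
# Added example (not the post's own commands). Configure the Exchange 2010 CAS
# virtual directories for OWA/EAS coexistence with an Exchange 2003 front end.
# Assumptions: CAS server name EX10; external name mail.company.com; legacy
# (2003 front-end) name legacy.company.com; https on all published URLs.
$cas = "EX10"

# OWA: ExternalUrl is the name users keep typing; Exchange2003Url is where the
# 2010 CAS sends the session when the target mailbox is still on a 2003 back end.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -ExternalUrl "https://mail.company.com/owa" `
    -Exchange2003Url "https://legacy.company.com/exchange"

# ActiveSync: devices also land on the 2010 CAS first, so it needs the
# external name as well (2003 mailboxes are handed off to the legacy server).
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://mail.company.com/Microsoft-Server-ActiveSync"

# Verify what clients will actually be handed before testing with the
# Remote Connectivity Analyzer.
Get-OwaVirtualDirectory -Server $cas |
    Format-List Identity, InternalUrl, ExternalUrl, Exchange2003Url
Get-ActiveSyncVirtualDirectory -Server $cas |
    Format-List Identity, InternalUrl, ExternalUrl
```

The Exchange2003Url must resolve (via the separate public IP the post describes) to the 2003 front end, and the certificate presented there must still be valid for legacy.company.com, or the redirect fails with a certificate warning on exactly the users who are mid-migration.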
In part 3 I’ll cover the mailbox moves, DAG configuration and how to handle failover if one of the servers becomes unavailable.
PowerShell, if you haven’t been exposed to it yet, is an awesome tool. Now, for someone who’s as infrastructure focused as I am, a statement like that means a lot. I tried to teach myself VB 6 back in the day and almost put a gun in my mouth. I just don’t have the “Code Monkey” mentality. There are those of you out there who can just bang out lines of script or code and not even bat an eye over it. For me, it’s pulling teeth.
This is where PowerShell really stands out. It’s the best of both worlds. You have extreme reach into the OS and configuration via WMI and .NET extensions if you need it. YET it’s very straightforward and actually pretty easy to read once you’re used to it. I will be covering some basic nuggets of PowerShell components as this blog evolves to aid you in some common management tasks.
Let’s look at our first example.
I’m an AD administrator and would like to use PowerShell to create new user accounts.
Now this seems pretty basic, right? Heck, PowerShell 2.0 even gives you an entire module (built in on WS2008 once the role is installed, or as part of the RSAT suite; for Windows 7 SP1, HERE) just focused on AD administration through PowerShell. For a list of all the cmdlets available in the module, click on the TechNet logo to be brought to the page.
So given this scenario, the cmdlet you would need is the New-ADUser cmdlet. Now, almost every cmdlet you can run in the shell or the ISE accepts “parameters”. Think of parameters like switches you can send to DOS commands. The one this nugget is concerned with is the -AccountPassword parameter. Now, the interesting thing about this parameter is that it’s NOT required! “Well, Chad, when I am in ADUC I HAVE to enter a password during the wizard.” Well, with this method you don’t. Now if you omit this parameter, or mess it up, the account is still created. The catch is that the account cannot be enabled.
Enough about all of this, let’s get to the goods.
New-ADUser -Name "Chad Solarz" -AccountPassword 'Pa$$w0rd'
Now, -Name is the ONLY required parameter, and we’ve added it. The syntax listed above will NOT work. Why? Well, the string of text we’ve used for the -AccountPassword parameter needs to be a secure string, not readable plain text. It would be pretty insecure if we had passwords all over the place in the code! There are many ways to do this; let’s discuss two of the most likely.
First is using the Read-Host cmdlet embedded in the syntax. The Read-Host cmdlet prompts the person running the command for the string to use as the password. Let’s see how this is added in.
New-ADUser -Name "Chad Solarz" -AccountPassword (Read-Host -AsSecureString "AccountPassword")
Now you see the parentheses being used. Like in math, those are always evaluated first. So the user of the script is asked for the password that needs to be used; it is stored as a secure string value, which can then be passed into the -AccountPassword parameter.
Another way is to “define” or assign the value of a variable and then pass that into the New-ADUser cmdlet.
$Password = Read-Host -AsSecureString
New-ADUser -Name "Chad Solarz" -AccountPassword $Password
The advantage of using the variable is that it’s reusable by any other cmdlet in the same script.
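Putting the pieces above together into something you would actually run: an added example (not from the original post) that collects the password as a SecureString, creates and enables the account, reuses the same variable for a second cmdlet, and then checks what really happened. The OU, UPN suffix and account names are placeholders.

```powershell
# Added example, not the post's own script. Requires the ActiveDirectory module
# (RSAT / Windows Server 2008 R2). Names, OU and UPN suffix are placeholders.
Import-Module ActiveDirectory

$Name = "Chad Solarz"
$Sam  = "csolarz"
$OU   = "OU=Staff,DC=contoso,DC=com"   # assumed OU; change to fit your domain

# The plain-text password never lands in a variable, a script file or the
# shell history: Read-Host -AsSecureString returns an encrypted SecureString.
$Password = Read-Host -AsSecureString -Prompt "Initial password for $Sam"

# -Enabled $true is only honoured when a password that meets domain policy is
# supplied; omit -AccountPassword (as the post notes) and the account is
# created but stays disabled.
New-ADUser -Name $Name -SamAccountName $Sam -UserPrincipalName "$Sam@contoso.com" `
    -Path $OU -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true

# The same SecureString is reusable by any other cmdlet in this script,
# e.g. resetting a second account without prompting again.
Set-ADAccountPassword -Identity "sdtest" -NewPassword $Password -Reset

# Confirm the outcome rather than assuming it: if the password was rejected
# by policy, the cmdlet errors and Enabled comes back False.
Get-ADUser -Identity $Sam -Properties Enabled, PasswordLastSet |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet
```

A third approach you will see in the wild, ConvertTo-SecureString "…" -AsPlainText -Force, does satisfy the parameter type, but it puts the password back into the script as readable text, which is exactly what the SecureString requirement is there to prevent.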
Good luck and happy PowerShelling!
I had a few students in this week’s 50292 Windows 7 class ask if there’s a list of keyboard shortcuts in the book. I’ve just put some on here that deal with the use of the Windows logo key. I decided to point them here and to the MSFT official site as well.
The following table contains keyboard shortcuts that use the Windows logo key.
| Press this key | To do this |
|---|---|
| Windows logo key | Open or close the Start menu. |
| Windows logo key+Pause | Display the System Properties dialog box. |
| Windows logo key+D | Display the desktop. |
| Windows logo key+M | Minimize all windows. |
| Windows logo key+Shift+M | Restore minimized windows to the desktop. |
| Windows logo key+E | Open Computer. |
| Windows logo key+F | Search for a file or folder. |
| Ctrl+Windows logo key+F | Search for computers (if you’re on a network). |
| Windows logo key+L | Lock your computer or switch users. |
| Windows logo key+R | Open the Run dialog box. |
| Windows logo key+T | Cycle through programs on the taskbar. |
| Windows logo key+number | Start the program pinned to the taskbar in the position indicated by the number. If the program is already running, switch to that program. |
| Shift+Windows logo key+number | Start a new instance of the program pinned to the taskbar in the position indicated by the number. |
| Ctrl+Windows logo key+number | Switch to the last active window of the program pinned to the taskbar in the position indicated by the number. |
| Alt+Windows logo key+number | Open the Jump List for the program pinned to the taskbar in the position indicated by the number. |
| Windows logo key+Tab | Cycle through programs on the taskbar by using Aero Flip 3-D. |
| Ctrl+Windows logo key+Tab | Use the arrow keys to cycle through programs on the taskbar by using Aero Flip 3-D. |
| Ctrl+Windows logo key+B | Switch to the program that displayed a message in the notification area. |
| Windows logo key+Spacebar | Preview the desktop. |
| Windows logo key+Up Arrow | Maximize the window. |
| Windows logo key+Left Arrow | Maximize the window to the left side of the screen. |
| Windows logo key+Right Arrow | Maximize the window to the right side of the screen. |
| Windows logo key+Down Arrow | Minimize the window. |
| Windows logo key+Home | Minimize all but the active window. |
| Windows logo key+Shift+Up Arrow | Stretch the window to the top and bottom of the screen. |
| Windows logo key+Shift+Left Arrow or Right Arrow | Move a window from one monitor to another. |
| Windows logo key+P | Choose a presentation display mode. |
| Windows logo key+G | Cycle through gadgets. |
| Windows logo key+U | Open Ease of Access Center. |
| Windows logo key+X | Open Windows Mobility Center. |
Ever wonder how authentication works inside of Active Directory? I did, so I did some digging and searching. MOST of the time “it just works”. This leads most admins to never really pull back the covers or pop the hood on how authentication really works. This is really a shame, since there is a lot happening behind the curtains, and with great reasons why.
Our friends over at the “Active Directory Services team blog” (http://blogs.technet.com/b/askds/) wrote an incredible article titled “Kerberos for the busy admin”. This extremely well-written article gives you what you need to better understand Kerberos without melting your frontal lobe!
Please read it here…
Want to remotely execute Exchange-specific cmdlets without having to install the Exchange 2010 management console? Maybe you have a BPOS or Office 365 account you want to administer? Then these steps are for you.
When you connect to a remote Exchange 2010 server using a user name and password you specify, you direct the remote Shell to connect to the remote server using those credentials when it authenticates the session. The credentials can be different from your current user name and password. This is called explicit authentication. This procedure can be used even if no Exchange 2010 management tools are installed.
- Click Start, point to All Programs, point to Windows PowerShell, and then click Windows PowerShell or Windows PowerShell ISE.
Windows PowerShell Integrated Scripting Environment (ISE) is the new Windows PowerShell graphical console and can be used instead of the traditional text-based PowerShell console.
- Enter your network credentials and store them in a variable by running the following command.
$UserCredential = Get-Credential
- In the dialog box that opens, type the user name and password of the administrator account that has access to administer the Exchange 2010 server you want to connect to, and then click OK.
- Open the connection to Exchange 2010 by running the following command.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<FQDN of Exchange 2010 server>/PowerShell/ -Authentication Kerberos -Credential $UserCredential
- Import the server-side PowerShell session into your client-side session by running the following command.
After you perform this procedure, you can run Exchange cmdlets in the remote Shell.
An alternative: if you DO have the EMC and EMS installed, how can we connect to the remote Exchange server?
Use the following syntax from within the EMS.
Connect-ExchangeServer -ServerFqdn Van-ex2.contoso.com
Now you will have connections to the first server you were on (the local one, or one that was automatically selected for you) AND the new one you created. Use this cmdlet to confirm what you are and aren’t connected to.
Now you can break your first connection if desired.
Remove-PSSession -Id <ID# found from previous step>
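The whole lifecycle from both procedures above in one runnable script, as an added example rather than the post’s own steps: open the explicit-credential session, import it, run a cmdlet, list the sessions this shell holds (which is how you find the Id for Remove-PSSession), and close the one you no longer need. The server name ex10.company.com is a placeholder.

```powershell
# Added example (not the post's own commands). Explicit-credential remote shell
# to an Exchange 2010 CAS, then session listing and cleanup.
# Assumption: CAS FQDN ex10.company.com is a placeholder; replace it.
$UserCredential = Get-Credential   # prompts; the password stays a SecureString

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://ex10.company.com/PowerShell/" `
    -Authentication Kerberos -Credential $UserCredential

# Import the server-side cmdlets into this shell. -AllowClobber lets the
# imported proxies replace same-named commands from local Exchange tools.
Import-PSSession $Session -AllowClobber | Out-Null

# Everything now runs on the server, as $UserCredential.
Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion

# Which sessions does this shell hold? Id is what Remove-PSSession -Id expects.
Get-PSSession | Format-Table Id, ComputerName, ConfigurationName, State, Availability -AutoSize

# Close the session when done; an open session keeps a server-side runspace
# (and one of the per-user concurrency slots) busy until it times out.
Remove-PSSession -Session $Session     # equivalent: Remove-PSSession -Id <Id from the table>
```

With -Authentication Kerberos the WinRM payload is encrypted at the message level even over http, which is why the TechNet syntax uses http. If you switch to -Authentication Basic (for example against a hosted tenant), the credential would travel in the clear unless the ConnectionUri is https.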
As a Microsoft Certified Trainer (MCT), you would never expect me to post a blog review on a product that could somewhat compete with my company’s business. Now, my company doesn’t produce any streamed or Computer Based Training (CBT), so this technically isn’t a conflict of interest.
I realize that people learn in different ways. People have very different lives. So some people would just rather have a relaxed video to talk them through a process or technology and can pick it up easily. Others require interaction in an Instructor Led Training (ILT) session. A lot of people can’t carve out the time away from work for a full-blown ILT classroom environment. A lot of times your company can’t afford a full ILT class either. They have the desire to learn but can only afford a 30-minute span here or 2 hours a few times a week. If this is the case (and it is for a lot of people out there), then CBT learning is definitely for you.
Now, it’s very rare that I endorse products on here. I try to shy away from such things as they could be taken the wrong way or be misconstrued. So when I do, you know I do so because I really believe in the product or service.
Now that the *disclaimer* is out of the way, let’s get to the goods. Maybe “goods” isn’t the correct word to describe the product we’re about to talk about; GREAT is a better word. I had the pleasure of reviewing a product from our friends over at Train Signal (follow them on Twitter: @TrainSignal). I have personally met some of the Train Signal team in person and they are a real pleasure to work with.
I have heard some pretty bad things about other CBTs and was a bit hesitant at first. Within the first hour I was completely sold. The particular products I have been reviewing are part of their Exchange 2010 series: in particular, the Exchange 2010 MCITP and the soon-to-be-released Exchange 2010 backup and recovery packages. I enjoyed the choice of formats. All of Train Signal’s products are available in a DVD or streaming option. I chose the DVD for one, as I like to use my Windows Phone 7/Zune device for podcasts on long car rides and the train commutes. The additional files and free Transcenders for those of you who are certification hungry are a HUGE bonus. You are really getting a lot of content here for your buck.
Let’s talk about the instructor for both of these series for a bit. One of the biggest things that any online / remote instructor has to tackle is connecting with the audience. This is harder since things like body language, looks and glances are unavailable. Your style of delivery and the tone / pitch of your voice truly become make or break. Our instructor on these series is the soon-to-be-famous J. Peter Bruzzese (follow him on Twitter: @JPBruzzese). J.P. is a Microsoft MVP for Exchange, Triple-MCSE, MCT, MCSA, MCITP: Messaging, CNA, CCNA, CIW Master, and CIW Certified Instructor! He is definitely well versed in IT! As a fellow instructor I tend to be a little more critical than the normal student. I also like to consider myself a Subject Matter Expert (SME) in Active Directory and Exchange. So when I started going through J.P.’s courses I was very refreshed by his great delivery, style and technical acumen. No one ever knows everything about technology, but he has to be close. I’ve been teaching Exchange for years and I was able to pick up a few things! He uses great real-world analogies and doesn’t completely swim in the Microsoft Kool-Aid. He regularly references technologies that aren’t always MS focused or delivered, to give you a sense it’s not a sales pitch.
Now, the content itself covers almost every possible reach in the Exchange 2010 landscape: everything from backup, recovery, new SP1 features, message management, etc. The content is in the right-size chunks. You don’t have to commit 2-3 hrs for a lesson, nor does the content delivered feel overpowering. So between the right size and J.P.’s delivery, I found it to be a perfect fit. The beautiful and best part is that it’s SO on point. If you’re an Exchange 2010 admin who’s been thrown into the mix, you will learn best practices and look for things to optimize in your existing environment. For you cert-mongers out there it’s almost a complete solution for exam readiness. If you are planning a deployment, these series will let you fully understand all the mechanisms involved to properly plan your upcoming migration to Exchange 2010.
In summary, I give Train Signal’s products in general, and especially the Exchange 2010 series, 5 out of 5 stars!
So near the end of January I was lucky enough to escape the void of the classroom and get back to hands-on work. I was able to act as a consultant for my training firm and go on-site to an old student of mine’s place of business. Our task seemed simple: migrate a single Exchange 2003 server to a mailbox-redundant 2010 solution.
Just drop down a few new 2010 boxes and call it a day, right? Not so much. Any migration can have hiccups and issues along the way. We had originally carved out four days to complete the process. Due to some SAN issues we lost our first day and then had to get everything ready in just 3. One box and about 350 mailboxes; it should be easy, right? We planned for extra time, thank goodness. If we had originally planned on 3 and now only got 2, we’d have been very hard pressed to get that done. We did in fact get the major steps done in 3 days. Let’s review all that happened.
For security purposes let’s not give out our client’s domain name and such; let’s focus on what we know and what was learned over the 3 days. Here is where we started.
Single-domain forest. All DCs and GCs were at the Exchange 2010 minimum of 2003 SP1 or higher. Domain functional level was 2003, as was the forest functional level. Permissions on the accounts to be used for installation were in place, so let’s get started. All inbound mail via his MX record was going into his SonicWall and then being passed to his Cisco IronPort device for scrubbing before being delivered to the 2003 Exchange server.
We began by bringing up the OS of the first Exchange 2010 box in a VMware virtual environment. The OS was to be 2008 R2 Enterprise edition. Why Enterprise? Well, we planned on using a DAG (Database Availability Group). This HA (High Availability) feature requires the failover clustering component within Server 2008. That was still in Standard edition back in the 2003 Server days, but has been removed in 2008 RTM and higher. So now that the R2 server is ready and fully patched / updated, let’s get the Exchange prerequisites on there for the Exchange bits install. To speed things up we used a pre-made script that automates the installation of all required items as they pertain to Exchange role requirements. You too can download it HERE. It was created by Exchange MVP Dejan Foro. You can hit his whole site here: www.exchangemaster.net.
Think you’re ready for Exchange install time? Not so fast, son. There are four KB fixes that will need to be put on 2008 R2 before anything else is started.
Before you start contemplating putting that Exchange 2010 media in or mounting that ISO, check your DNS and Active Directory to ensure they’re solid and stable before continuing. Also make sure that you have your 2003 / AD settings all up to snuff.
- Ensure your 2003 address policies are not split between authoritative and non-authoritative. This may require you to modify or even rebuild them.
- Check your Recipient Update Services to ensure they are pointing to a valid DC that still exists.
- Ensure any external or manually created trusts are working and verifiable.
- Is your domain an SLD? (Single-label domain: “Contoso”, not “contoso.com”, when you have ADUC open.)
- Ensure IPv6 and the Windows Firewall are enabled. Disabling either of these could kill your install of Exchange.
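Most of that checklist can be read out of the domain before you touch the media. The following is an added example, not the post’s own script: a read-only pre-flight run from a domain-joined Windows Server 2008 R2 box with the RSAT Active Directory module. It covers functional levels, the single-label domain test, DC locator / DNS, trusts, the Windows Firewall service and the IPv6 registry state; the address-policy and RUS checks stay in ESM as the post describes.

```powershell
# Added example (not from the post): read-only pre-flight checks for the list above.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined 2008 R2 host.
# Nothing below changes the environment.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Functional levels (the post's environment was at 2003 for both).
"Domain {0}: {1}" -f $domain.DNSRoot, $domain.DomainMode
"Forest {0}: {1}" -f $forest.Name,    $forest.ForestMode

# Single-label domain: a DNS root with no dot ("company" instead of "company.com").
if ($domain.DNSRoot -notmatch '\.') {
    Write-Warning "SLD detected ($($domain.DNSRoot)); plan for it before Exchange setup."
}

# DC locator / DNS: a DC must be found through the domain's SRV records.
nltest "/dsgetdc:$($domain.DNSRoot)" /force

# Trusts: every trust is listed; a trust that cannot be verified shows an error line.
nltest /domain_trusts /all_trusts

# Windows Firewall service: setup expects it running, not disabled.
$fw = Get-WmiObject Win32_Service -Filter "Name='MpsSvc'"
if ($fw.State -ne 'Running' -or $fw.StartMode -eq 'Disabled') {
    Write-Warning "Windows Firewall service is $($fw.State) / $($fw.StartMode); setup can fail."
}

# IPv6: DisabledComponents with the low byte set to 0xFF means IPv6 was switched
# off on all interfaces through the registry.
$tcpip6 = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" -ErrorAction SilentlyContinue
if ($tcpip6 -and (($tcpip6.DisabledComponents -band 0xFF) -eq 0xFF)) {
    Write-Warning "IPv6 is disabled via DisabledComponents; re-enable it before setup."
}
```

Run it once, fix whatever it warns about, and run it again; the point is to find a broken trust or a disabled firewall service in five minutes rather than halfway through a setup that then has to be rolled back.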
OK, NOW you can begin your installation of Exchange. I recommend copying the source files locally to a new folder called “C:\source” or something like that. Now download the latest rollup (RU) for your version of Exchange (RTM vs. SP1) and place it in the \Updates folder. This will slipstream the update during the installation and save you steps later!
Step 1.) Preparation of AD
This went very easily, as we had a single domain and all the rights necessary. It wasn’t a fast process, but we experienced no errors when we ran setup.com with the following switches.
/PrepareLegacyExchangePermissions – this is ONLY needed if you have Exchange 2003. Skip it if you have 2007.
/PrepareAD – do you know your organization name? You can find it in the ESM.
Step 2.) Install Exchange on your first server. Have a plan here. Don’t just rip off a “typical” install (core 3 roles: CAS/HUB/Mailbox); if you’re unsure, use the Exchange Deployment Assistant.
We knew we were only going to have 2 servers with all three roles on them, so we chose to do the “typical” install. We also set the “External” address for his CAS role to the same as his existing 2003 OWA URL (i.e., “http://mail.contoso.com”).
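The two steps as a script, added here as an example rather than the post’s own commands. It assumes the media is in C:\source with the rollup .msp already dropped into C:\source\Updates, that it is run from an elevated PowerShell prompt on the first server, and that the organization name and external CAS name are placeholders to replace.

```powershell
# Added example (not the post's own commands): AD preparation and the first
# "typical" install. Assumptions: media at C:\source, rollup in C:\source\Updates,
# elevated prompt, placeholder organization and external names.
$Source      = "C:\source"
$OrgName     = "Company Org"        # read it from ESM, as the post says
$ExternalCas = "mail.contoso.com"   # existing 2003 OWA name that is being kept

Set-Location $Source

# Step 1: Active Directory preparation, in this order.
# Legacy permissions are only needed while Exchange 2003 is still in the org.
.\setup.com /PrepareLegacyExchangePermissions
.\setup.com /PrepareSchema
.\setup.com "/PrepareAD" "/OrganizationName:$OrgName"
# A single-domain forest needs nothing more; multi-domain forests also run
# /PrepareAllDomains (or /PrepareDomain:<domain> per domain).

# Step 2: install the three core roles. The roles list is quoted so PowerShell
# does not split it on the commas; /ExternalCASServerDomain stamps the CAS
# external URLs with the name clients already use.
.\setup.com /mode:Install '/roles:ClientAccess,HubTransport,Mailbox' `
    "/ExternalCASServerDomain:$ExternalCas"

# Afterwards, load the 2010 snap-in and confirm roles and build (the build
# number shows whether the rollup from \Updates was slipstreamed).
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Get-ExchangeServer | Format-List Name, ServerRole, AdminDisplayVersion, Site
```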
Now we have a fully functional Exchange 2010 server with nothing coming into it, and not hosting any mailboxes.
This is a great starting post, and I’ll continue to cover the hiccups we hit in a future post. (Ran out of time.)
Windows Phone 7. Is it a game changer? A new paradigm? No. I own one. I’ve just moved from an iPhone 3G. Is it better than that? Too early to say, honestly. iPhones have had the luxury of evolving their platform over time. This is still RTM of WP7. I think the interface is fantastic and the “flow” of it refreshing. I do hate how few apps there are still. I expect this to improve over time as it has for the Droids. For that reason alone I still keep my old iPhone handy for certain things.
The WP7 devices are consumer focused. I expect they’ll be ready for prime time in the enterprise as it evolves, as the iPhone has. One of the things that shocked me was the serious limitations on the EAS policy features for WP7. Another was NO local sync for users whose mail is not cloud based. My wife was personally affected by this; it’s one of the reasons she stayed with the iPhone 4.
Uber blogger extraordinaire Paul Thurrott (Twitter @thurrott) expounds on what has been removed and what is really left when it comes to EAS support on WP7. The article “Windows Phone 7 and Exchange ActiveSync” can also be found on his WP7 primary page at http://windowsphonesecrets.com/ or his other site http://www.winsupersite.com/
Below is a tidbit of what Paul reports.
What is left?
It’s important to note that Windows Phone 7 devices only support a subset of the Exchange ActiveSync (EAS) policies available with Exchange 2003, Exchange 2007, and Exchange 2010. Currently, Windows Phone 7 supports the following EAS policies:
- Password Required
- Minimum Password Length
- Idle Timeout Frequency Value
- Device Wipe Threshold
- Allow Simple Password
- Password Expiration
- Password History
- Disable Removable Storage
- Disable IrDA
- Disable Desktop Sync
- Block Remote Desktop
- Block Internet Sharing
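What the list above means on the Exchange side, as an added example (neither Paul Thurrott’s nor the post’s code): an Exchange 2010 ActiveSync mailbox policy built only from the twelve settings WP7 is said to honour, mapped one to one from the list, so nothing in the policy is silently ignored by those devices. Policy name, values and the test mailbox are placeholders.

```powershell
# Added example, not from the quoted article or the post. Builds an Exchange 2010
# ActiveSync mailbox policy from exactly the settings the list says WP7 supports.
# Assumptions: run in the Exchange Management Shell; name/values are placeholders.
$PolicyName = "WP7-Baseline"

$settings = @{
    Name                            = $PolicyName
    DevicePasswordEnabled           = $true          # Password Required
    MinDevicePasswordLength         = 6              # Minimum Password Length
    MaxInactivityTimeDeviceLock     = "00:05:00"     # Idle Timeout Frequency Value
    MaxDevicePasswordFailedAttempts = 10             # Device Wipe Threshold
    AllowSimpleDevicePassword       = $false         # Allow Simple Password
    DevicePasswordExpiration        = "90.00:00:00"  # Password Expiration
    DevicePasswordHistory           = 5              # Password History
    AllowStorageCard                = $false         # Disable Removable Storage
    AllowIrDA                       = $false         # Disable IrDA
    AllowDesktopSync                = $false         # Disable Desktop Sync
    AllowRemoteDesktop              = $false         # Block Remote Desktop
    AllowInternetSharing            = $false         # Block Internet Sharing
}
New-ActiveSyncMailboxPolicy @settings

# Assign it to a pilot mailbox (placeholder alias) and read the policy back.
Set-CASMailbox -Identity "wp7pilot" -ActiveSyncMailboxPolicy $PolicyName
Get-ActiveSyncMailboxPolicy -Identity $PolicyName |
    Format-List Name, DevicePasswordEnabled, MinDevicePasswordLength, MaxInactivityTimeDeviceLock,
                MaxDevicePasswordFailedAttempts, AllowSimpleDevicePassword, DevicePasswordExpiration,
                DevicePasswordHistory, AllowStorageCard, AllowIrDA, AllowDesktopSync,
                AllowRemoteDesktop, AllowInternetSharing
```

The practical consequence is the reverse of this list: anything an existing policy relies on that is not in it (device encryption, camera or Wi-Fi controls, attachment limits) will not be enforced on WP7 at RTM, so a mailbox whose policy expects those controls should not be treated as compliant just because the device synchronises.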
If I have an NLB or hardware load balancer, why do I need a CAS array?
This is an excellent question, and it’s all about client connectivity, transparency of the connection to the user and automagic cutover in the event of a CAS array member failing. This becomes even more important now that ALL client connections, including RPC MAPI connections, go through the CAS role. Heck, if you look at the MAPI account config for an Exchange mailbox user, it now shows the CAS server name, not the Mailbox role server name. To avoid client reconfiguration or disconnection and forcing a re-query for available CAS boxes, we have CAS arrays to assist in this.
The following information was found on this TechNet page: Understanding RPC Client Access. NOTE: this is for RPC high availability; if you also want OWA / EAS / ECP high availability, MS recommends a solution like Forefront Threat Management Gateway.
When a Client Access server array is defined in an Active Directory site, it serves as a single contact point for all client connections within that Active Directory site. A Client Access server array can include one or many Client Access servers.
Each Active Directory site can have a single Client Access server array. A Client Access server array doesn’t provide load balancing. A separate load balancing solution is still needed. For more information about load balancing, see Understanding Load Balancing in Exchange 2010.
Microsoft recommends that you create a Client Access server array even if you only have a single Client Access server within your organization. When a Client Access server array is created, clients connect through the virtual name of the Client Access server array rather than directly to the fully-qualified domain name (FQDN) of your single Client Access server. If a single Client Access server needs to be replaced within an Active Directory site or a second Client Access server is added, no profile updates are necessary on the clients.
After a Client Access server array is defined within an Active Directory site, all Client Access servers within that Active Directory site are automatically part of the Client Access server array.
The high-level steps are:
- Create a Client Access array
- Configure load balancing
- Configure IP ports
- Configure RPC encryption settings
- Configure your Mailbox databases
- Ensure low latency and sufficient network speed
Create a Client Access Array
You can create a Client Access array within your Active Directory site by using the following command.
New-ClientAccessArray -Name name -Site site_name -FQDN internal_only_CAS_Array_FQDN
After the Client Access array has been created, you’ll also need to create the address in DNS and associate it with the virtual IP address used for the Client Access array.
It’s important that the (FQDN) specified in the command be only resolvable internally. If the name is also resolvable externally, these external clients will attempt to connect to the array via a TCP connection instead of HTTPS.
Configure Load Balancing
Load balancing is recommended for high availability, failover, and for spreading the traffic load over multiple servers to help performance. When you choose a load balancing solution, consider the following:
- Windows Network Load Balancing isn’t supported on Windows failover cluster servers.
- You can’t use a Client Access array across multiple Active Directory sites. Instead, create two Client Access arrays and load balance separately within the sites.
- Hardware load balancers typically monitor return traffic, port availability, or service availability to ensure that servers that can’t answer client requests aren’t given network connections.
- Some load balancing solutions, such as ISA 2006 or TMG 2010, can’t do RPC load balancing or monitor RPC services. These solutions aren’t recommended unless all clients are connecting via Outlook Anywhere and all traffic is encapsulated inside HTTP.
For more information about load balancing, see Understanding Load Balancing in Exchange 2010.
Configure IP Ports
An IP port is an opening through which information can pass from the originating computer to the destination computer. By default, the dynamic port range for outgoing connections on Windows Server 2008 R2 is 49152 to 65535. Exchange 2010 Client Access changes this range to 6005 through 59530. The range was expanded to provide sufficient scaling for large deployments. This is a large range of ports to balance through your firewall between the client and the Client Access servers or Client Access array.
By fixing the MAPI and directory endpoints, you can greatly reduce the number of ports that need to be load balanced. The MAPI endpoint can be statically configured in the registry and the directory endpoint can be fixed in a configuration file.
To fix the MAPI endpoint, use the following setting in the registry.
HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem
Value name: TCP/IP Port [DWORD] – the value is the IP port to use
To fix the directory services endpoint, edit the RpcTcpPort value in the configuration file Microsoft.Exchange.AddressBook.Service.Exe.config.
Microsoft doesn’t recommend that you change the default value of the Outlook Anywhere ports.
Configure RPC Encryption Settings
In Exchange 2010, the RPC endpoint is encrypted by default. However, Outlook 2003 doesn’t enforce encrypted MAPI connections. When you upgrade your organization to Exchange 2010, your clients running Outlook 2007 or later versions will automatically be compatible with the change to RPC Client Access, since they support RPC encryption by default. Outlook 2003 doesn’t use RPC encryption, however, and RPC Client Access requires it by default. If you haven’t turned off RPC encryption, which we don’t recommend, your users will need to configure Outlook 2003 for RPC encryption or you’ll need to use a Group Policy to force Outlook 2003 to use RPC encryption.
Symptoms of this problem include the following error messages:
- Cannot start Microsoft Office Outlook. Unable to open the Office window. The set of folders could not be opened.
- Unable to open your default e-mail folders. The information store could not be opened.
If your users are using Cached Exchange Mode, Office won’t display an error, but will start in disconnected mode.
For more information about this issue, including workarounds, see Outlook Connection Issues with Exchange 2010 Mailboxes.
Configure Outlook 2003 to Use RPC Encryption
To configure Outlook 2003 to use RPC encryption, use the following steps.
- Click Tools > E-Mail Accounts > View or Change an Existing Account.
- Select the account and click More Settings.
- Select the Security tab.
- Select Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server.
- Click OK.
In addition to the RPC encryption requirement, UDP notification support was removed from Exchange 2010. As a result, Outlook 2003 can only use polling notifications in online mode. This will result in a slight delay in updates to item status (30 seconds on average with up to a one-minute delay) when changes are made to items in a mailbox accessed by Outlook 2003. There are two workarounds for this issue:
- Use Outlook 2003 in Cached Exchange Mode.
- Adjust the polling interval on the Client Access server. This will impact the performance of the Client Access server.
For more information about this issue, see E-mail messages take a long time to send and receive.
Configure Your Mailbox Database
Each Mailbox database contains an RPCClientAccessServer value. This value is established when the database is created and it determines the Client Access server or Client Access array that the clients with mailboxes on that Mailbox server will use. This value also determines the location of the RPC end point. For Outlook 2007 and Outlook 2010 clients, this value is obtained from the Autodiscover service.
The default value of the RPCClientAccessServer is determined by the following rules:
- If you have configured a Client Access Server array within your Active Directory site, the address of that array will be used.
- If an array does not exist within the Active Directory site and if you have both the Client Access server role and the Mailbox server role on the same physical server, the value of RPCClientAccessServer property for a particular Mailbox server will be the same as the Mailbox server.
- Otherwise, the value of the RPCClientAccessServer property for a particular Mailbox server will be set to a random Client Access server within the Active Directory site.
We don’t recommend that you install all the server roles on a single computer that’s also a domain controller. Although this configuration is supported, it’s not recommended.
- If you created a Mailbox database before the creation of a Client Access array or installed a Client Access server within the Active Directory site, you’ll need to reconfigure the value of the RPCClientAccessServer property. If no Client Access server exists in the Active Directory site when the Mailbox database is created, the value of the RPCClientAccessServer property will be set to the FQDN of the Mailbox server. To configure the value of the RPCClientAccessServer property, use the following command.
Set-MailboxDatabase <name> -RPCClientAccessServer <internal_only_CAS_Array_FQDN>
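The “Create a Client Access array” step and the RPCClientAccessServer fix above belong together, so here they are as one script. This is an added example, not the TechNet article’s or the post’s code: it creates the array for one AD site, checks that the internal-only name resolves, re-points every mailbox database whose server sits in that site, and finishes with the RPC encryption check from the “Configure RPC Encryption Settings” section. Site and array names are placeholders.

```powershell
# Added example (not from TechNet or the post). Run in the Exchange Management Shell.
# Assumptions: placeholder AD site and array names; the DNS A record for the
# array name -> load balancer VIP is created separately in DNS.
$Site      = "Default-First-Site-Name"
$ArrayName = "outlook"
$ArrayFqdn = "outlook.company"   # internal-only name; must not resolve from the Internet

New-ClientAccessArray -Name $ArrayName -Site $Site -Fqdn $ArrayFqdn

# Internal resolution must work before databases point at the name;
# this throws if the A record is missing.
[System.Net.Dns]::GetHostAddresses($ArrayFqdn)

# Mailbox servers in this site, by AD site membership.
$siteServers = Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer -and $_.Site.Name -eq $Site } |
    ForEach-Object { $_.Name }

# Databases created before the array still carry a single server name.
# Re-point them; each change forces that database's clients to reconnect once.
Get-MailboxDatabase |
    Where-Object { $siteServers -contains $_.Server.Name -and $_.RpcClientAccessServer -ne $ArrayFqdn } |
    ForEach-Object {
        Set-MailboxDatabase -Identity $_.Identity -RpcClientAccessServer $ArrayFqdn
    }

# Verify the result, and that RPC encryption is still required on every CAS
# (leave it on; configure Outlook 2003 for encryption instead of disabling it).
Get-MailboxDatabase | Format-Table Name, Server, RpcClientAccessServer -AutoSize
Get-RpcClientAccess | Format-Table Server, EncryptionRequired, MaximumConnections -AutoSize
```

Databases whose active copy lives in another AD site should point at that site’s array instead (the latency guidance below is the reason), which is why the script filters by the server’s site rather than touching every database in the organization.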
Latency and Bandwidth Requirements
For users running Outlook without Cached Exchange Mode, high latency times between the client and the server directly affect how frequently Outlook is unresponsive. In general, a latency of greater than 200 milliseconds (ms) to the home Mailbox server will result in poor client performance.
Because latency between the Client Access server and the mailbox should be less than 10 ms, we recommend that the value of the RPCClientAccessServer property always be configured to a Client Access array in the active Mailbox database site.
Changing the value of the RPCClientAccessServer property will force all clients to reconnect.
Configuring the Address Book Service
The Address Book service is configured through the Microsoft.Exchange.AddressBook.Service.config file. This file allows you to configure the following:
- The number of concurrent connections per user (the default limit is 50).
- Disable or enable logging.
- The location, size, and retention period for the log files.
To set the value of the maximum number of sessions per user, use the following value: <add key="MaxSessionsPerUser" value="50" />
To enable logging, use the following value: <add key="ProtocolLoggingEnabled" value="true" />
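The static-port settings from “Configure IP Ports” and the Address Book settings just above all land in the same two places, the MSExchangeRPC registry key and the Microsoft.Exchange.AddressBook.Service.exe.config file, so one script covers both. This is an added example, not TechNet’s or the post’s code. It assumes it runs in the Exchange Management Shell on the CAS (so $env:ExchangeInstallPath is set), and the two port numbers are placeholders chosen above the 6005–59530 dynamic range described earlier. The config file is edited as XML rather than by string replacement so other keys survive and the file stays well-formed.

```powershell
# Added example (not from TechNet or the post). Pins the MAPI and Address Book RPC
# endpoints and sets the Address Book service options, then restarts the services.
# Assumptions: run on the CAS in the EMS; port numbers are placeholders.
$MapiPort = 59531   # "TCP/IP Port" for MSExchangeRPC, outside the dynamic range
$AbPort   = 59532   # RpcTcpPort for the Address Book service

# 1. MAPI endpoint: DWORD value under the ParametersSystem key.
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem"
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
Set-ItemProperty -Path $regKey -Name "TCP/IP Port" -Value $MapiPort -Type DWord

# 2. Address Book service config: back it up, then update <appSettings> keys.
$cfgPath = Join-Path $env:ExchangeInstallPath "Bin\Microsoft.Exchange.AddressBook.Service.exe.config"
Copy-Item $cfgPath "$cfgPath.bak" -Force

[xml]$cfg = Get-Content $cfgPath

function Set-AppSetting([xml]$Doc, [string]$Key, [string]$Value) {
    # Update an existing <add key="..."/> or append one if the key is absent.
    $node = $Doc.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if ($node) {
        $node.value = $Value
    } else {
        $new = $Doc.CreateElement("add")
        $new.SetAttribute("key", $Key)
        $new.SetAttribute("value", $Value)
        $Doc.configuration.appSettings.AppendChild($new) | Out-Null
    }
}

Set-AppSetting $cfg "RpcTcpPort"             "$AbPort"   # directory endpoint
Set-AppSetting $cfg "MaxSessionsPerUser"     "50"        # concurrent connections per user
Set-AppSetting $cfg "ProtocolLoggingEnabled" "true"      # enable Address Book logging
$cfg.Save($cfgPath)

# 3. Neither change takes effect until the services restart.
Restart-Service MSExchangeRPC
Restart-Service MSExchangeAB

# 4. Confirm the endpoints now listen on the pinned ports.
netstat -ano -p tcp | Select-String ":$MapiPort\s|:$AbPort\s"
```

Apply the same two port values on every CAS in the array, and open only those ports plus the RPC endpoint mapper (TCP 135) on the load balancer; that is the whole point of pinning them, since otherwise the balancer has to pass the entire dynamic range.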