Useful commands for troubleshooting Exchange 2010 routing with Exchange 2003/2007

8. July 2010

I’ve just fixed an issue with Routing for my mixed Exchange 2003/2007/2010 environment.

The environment is a single AD domain with 4 sites, Site1, Site2, Site3 and Site4. In Site1, Site2 and Site3 there are 3 Exchange 2003 servers, one per site. In Site4 there is an Exchange 2007 SP2 server (CAS, Mailbox, HT). All the connectors required worked as expected, and inter-site routing works as expected.

I introduced into the mix a 2010 Enterprise server (CAS, Mailbox, HT) to Site1 as a prelude to a full upgrade of the site to Exchange 2010. When a test mailbox from Exchange 2010 attempts to send to a mailbox in Site1 Exchange 2003, it routes via the Site4 Exchange 2007.

Find out which site (if any) is a transport hub:

Get-ADSite

Find out the Site Link costs, and the Exchange specific costs (if set). Exchange costs override AD site costs:

Get-ADSiteLink

List the Routing Group Connectors:

Get-RoutingGroupConnector

List the Routing Group Connectors with their costs:

Get-RoutingGroupConnector | ft Name,Cost

For me the issue was that the Routing Group Connector set up for Exchange 2010 in Site1 had a cost set to 100, whereas all other RGCs had a cost set to 1. This meant Site1 -> Site4 -> Site1 had a cost of 2. Site1 (2010) -> Site1 (2003) had a cost of 100. It’s easy to see why it won.

Using the following command I was able to set the costs to the same:

Set-RoutingGroupConnector -Identity "<Administrative Group>\<Routing Group>\<Connector>" -Cost 1
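The checks above combined into one pass, as an added example that is not part of the original post. It assumes the Exchange Management Shell on an Exchange 2007/2010 server, and it flags any Routing Group Connector whose cost is higher than the cheapest one, which is the mismatch described here.

```powershell
# Added example: collect every routing cost setting in one pass.
# Run in the Exchange Management Shell (Exchange 2007/2010).

# 1. Which sites (if any) are hub sites.
Get-AdSite | Format-Table Name, HubSiteEnabled -AutoSize

# 2. AD site link cost next to the Exchange-specific cost (empty when not set).
Get-AdSiteLink | Format-Table Name, ADCost, ExchangeCost, Sites -AutoSize

# 3. Routing Group Connectors, cheapest first.
$rgcs = @(Get-RoutingGroupConnector)
$rgcs | Sort-Object Cost |
    Format-Table Name, Cost, SourceRoutingGroup, TargetRoutingGroup -AutoSize

# 4. Flag connectors that cost more than the cheapest connector.
#    A single expensive RGC (100 against 1 in this post) is enough to push
#    mail onto a longer path through another site.
if ($rgcs.Count -gt 1) {
    $lowest = ($rgcs | Measure-Object -Property Cost -Minimum).Minimum
    foreach ($rgc in $rgcs) {
        if ($rgc.Cost -gt $lowest) {
            Write-Warning ("{0}: cost {1}, lowest RGC cost is {2} ({3} -> {4})" -f `
                $rgc.Name, $rgc.Cost, $lowest,
                $rgc.SourceRoutingGroup, $rgc.TargetRoutingGroup)
        }
    }
}
```

A warning is only a prompt to review the connector; differing costs can be intentional.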

It’s quite difficult to get a grip on why the RGC cost takes precedence over the AD site cost, or the Exchange specific site cost – effectively you have 3 different settings to govern the mail routing. From my problem-solving steps, it would seem that the RGC takes precedence, followed by the Exchange specific cost, followed by the AD site link cost.

Any Exchange Guru out there care to correct or confirm?


Sam

Exchange 2010, Exchange 2007, Exchange 2003, Exchange

Exchange ActiveSync fails on iPhone after upgrade to iOS4

2. July 2010

I’ve spent a fair bit of time today trying to sort out my iPhone sync to my Exchange Server, failing miserably. It used to work, pre-upgrade to iOS4, but for some reason fails to sync.

Symptoms were:

The server was configured as per http://support.microsoft.com/kb/817379/en-us to allow OWA/ActiveSync with SSL on OWA.

The iPhone was configured to accept the SSL certificate on the Exchange Server.

My brother Tom sent me this Apple KB (http://support.apple.com/kb/TS3398) which he’d found from the other side – Exchange servers he was managing were under very heavy load, which is another symptom of this issue.

I installed the new configuration as per the article, restarted the phone and the issue was fixed!

Exchange, Exchange 2003, Exchange 2007, Exchange 2010

Requesting SCOM 2007 Gateway or Agent Certificates for Server 2008 from a Server 2003 Enterprise Certificate Authority

25. June 2010

This is a pretty specific set of instructions for a specific environment:

  • If you are using Microsoft System Center Operations Manager 2007
  • and you have a Microsoft Certificate Services 2003 Certificate Authority on your domain
  • and you have non-domain Windows Server 2008 servers you wish to monitor or set up as a gateway server.

Getting a certificate for either a Gateway Server or remotely monitored Server can be a touch vexing. If you’re installing on the same domain as the SCOM management server the security settings take care of themselves, not so for non-domain servers, which require mutual certificate authentication. The Gateway must trust the Domain CA and identify itself as trusted to the Management Server. I have bashed my head against this several times now, so I thought I’d make a precise blog post to cover the steps required!

In this scenario, we will have 2 servers: CA01, the Windows 2003 Certificate Authority, and Gateway01, the SCOM 2007 gateway. The certificate template for Operations Manager has been created on CA01 as per the documentation and is called “OperationsManagerCert”. On Gateway01 I have copied the Gateway installer to c:\SCOM\Gateway and the SCOM Tools to c:\SCOM\Tools. SCOM01 is our SCOM collection server.

CA01: Navigate to https://ca01/certsrv and download the CA Certificate.

Gateway01: Copy the CA Certificate to the c:\SCOM folder by whatever means you have. Open mmc.exe and add the Certificates Snap-in for the local computer account. Right click the Trusted Root Certification Authorities store and Import the CA01 CA certificate.


Gateway01: Open notepad and create a new certificate request file with the contents below. Name the file Gateway01.inf and save in c:\SCOM

[NewRequest]
Subject="CN=<FQDN of Gateway01>"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

Gateway01: Open a command prompt as administrator and navigate to c:\SCOM, use certreq.exe to generate a certificate request:

certreq -new -f Gateway01.inf Gateway01.req

Gateway01: Open Gateway01.req in notepad and copy the contents to clipboard.

CA01: Open https://ca01/certsrv and start a new advanced certificate request, create the certificate request using a base64 encoded CMC. Paste the data from Gateway01.req into the “Saved Request” box. Select your SCOM certificate template and click next. Save the response as a Base 64 encoded certificate.


Gateway01: Copy the certificate file over to c:\SCOM on Gateway01 by whatever method you have available. Open a command prompt with admin rights and accept the new certificate with certreq:

certreq -accept Gateway01.cer

Check that the certificate has been imported into the Computer/Personal store using mmc.exe.

SCOM01: At this point you can install either your SCOM agent or the Gateway Server on Gateway01. If you are installing the Gateway Server like me, you first need to approve the Gateway using the Gateway Approval Tool. Open a command prompt as administrator and navigate to “c:\Program Files\System Center Operations Manager 2007” or wherever your SCOM install is. Copy the Microsoft.EnterpriseManagement.GatewayApproval.Tool.exe from Support Tools into the parent folder (it requires .dlls in that folder).

Microsoft.EnterpriseManagement.GatewayApproval.Tool.exe /ManagementServerName=SCOM01 /GatewayName=Gateway01

Gateway01: Run the Gateway Server installer and enter the details of the Management Server and Management Group name. When that’s finished, you need to tell SCOM which certificate to use with the MOMCertImport.exe tool located in c:\SCOM\Tools

MOMCertImport /SubjectName Gateway01.Domain.Lcl

Give it a few minutes and you should be able to see the new gateway under Management Servers in the Administration console for SCOM. Remember to right-click, properties, security and allow the server to act as a proxy if it’s reporting for other servers.
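A scripted version of the Computer/Personal store check from the certificate step above, as an added example that is not part of the original post. It assumes PowerShell 2.0 or later on Gateway01 and the subject name used in the MOMCertImport step. It confirms that the certificate has a private key, carries both EKU OIDs requested in Gateway01.inf, and chains to a trusted root.

```powershell
# Added example: verify the certificate installed by "certreq -accept".
# Assumption: the subject is CN=<FQDN>, as requested in Gateway01.inf.
param([string]$SubjectName = 'Gateway01.Domain.Lcl')

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectName" })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with subject CN=$SubjectName in LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    # Collect the EKU OIDs actually present on the issued certificate.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Build the chain without revocation checking: an isolated server
    # usually cannot reach the CA's CRL distribution point.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains $serverAuth)
        ClientAuthEku = ($ekus -contains $clientAuth)
        ChainTrusted  = $trusted
        ChainStatus   = $status
    } | Select-Object Thumbprint, NotAfter, HasPrivateKey,
        ServerAuthEku, ClientAuthEku, ChainTrusted, ChainStatus
}
```

Every boolean column should read True; ChainTrusted reading False with an UntrustedRoot status means the CA01 certificate is missing from Trusted Root Certification Authorities.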

I use the same procedure to install Agents in my DMZ that don’t have access to the certificate services – likewise our production web servers isolated in their hosting environment.

I hope this helps you, I know this is an article that I will be referring back to time and time again!

Certificate Services, Windows Server 2008, Windows Server 2003, System Center Operations Manager

Exchange 2010 “New Local Move Request” and “New Remote Move Request” missing when you right-click a user’s MailBox

17. June 2010

I’m currently testing an Exchange 2010 server for the organisation prior to a migration project, specifically testing moving mailboxes backwards and forwards. Something that confused me slightly for a few minutes was this: if there is an existing Move Request (pending, in progress, failed or completed) you will not see the “New Local Move Request” or “New Remote Move Request” options.


Fortunately this is very simple to counter – simply clear the old “Move Request” and the options will be back in the Mailbox options:


Exchange, Exchange 2010

Commenting re-enabled!

3. June 2010

Shhhh, don't tell the spam-bots, but after a blissful month of having broken the comments system and not having enough time to fix it, I've finally got round to doing it! Comments will now work without errors - and the spam-bots should have a hard time getting past reCaptcha too!

At some point I'll update to 1.6.1, but for now, I'm glad it's working again!

BlogEngine.NET, Blogging