Rob Golding

Technology Consultant

Exchange 2007 Autodiscover Issues

July 7, 2009

Over the past week, I’ve been upgrading my e-mail system to Exchange 2007 (I was previously using Exchange ‘03). For me, it’s very useful to have the systems that I write about, and consult for, installed at home in a “semi-production” manner. It means that I have a system to work on, and I am concerned with keeping it up and running as smoothly as possible – which introduces me to intricacies that I would not otherwise encounter, if I were just running a little test lab.

For example, when setting up Outlook Anywhere (the rebranded RPC/HTTP feature of Exchange, allowing Outlook users to connect from outside the organisation) I discovered a lot of “Sync Issues” appearing in my Inbox. The messages all had a common theme:

11:19:07 Synchronizer Version 12.0.6315
11:19:07 Synchronizing Mailbox ‘User’
11:19:07 Synchronizing Hierarchy
11:19:07 Done
11:19:09 Microsoft Exchange offline address book
11:19:09              Not downloading Offline address book files.  A server (URL) could not be located.
11:19:09       0X8004010F

Clearly, something was wrong with the Offline Address Book. I was only getting these messages when using Outlook Anywhere, however, so this issue was obviously specific to RPC/HTTP.

Looking up the error code, I found that the problem I was experiencing was very common, but that nowhere seemed to have the ultimate repair. The information available was sparse, and I had to put together my own solution – which I will document below.

First, I registered an extra DNS (A) record for my email domain, called “autodiscover”. I must be clear here, that this is for the mail domain, not for the domain used to access your OWA site. For example (and we’ll go with the Microsoft classic here), if your users have addresses such as user1@contoso.com, user2@contoso.com and you access your OWA via https://mail.contoso.com/owa, then you need to register an A record for autodiscover.contoso.com.

Next, I prepared a new certificate request, that would hopefully end up with me obtaining a certificate that I could use to replace the current one, which would be valid for both mail.contoso.com and autodiscover.contoso.com (to continue with our example) – so that my Outlook clients could successfully access the autodiscover service, and download the OAB. To do this, I used the following EMS command:

New-ExchangeCertificate -domainname mail.contoso.com, exchange.contoso.local, autodiscover.contoso.com -Friendlyname "Contoso Exchange CAS SAN Certificate" -generaterequest:$true -keysize 1024 -path c:\certrequest.req -privatekeyexportable:$true -subjectname "c=GB, o=contoso inc, CN=mail.contoso.com"

This command requires a little explanation. The -domainname switch is used to specify a list of host names for which this server's certificate is valid. Each of these is stored in the certificate as a SAN (Subject Alternative Name). Not all CAs support SANs, but Windows Server 2008’s CA Services does, which I will come back to later. Next, we give the certificate a “Friendly Name”, which is just a reference for you, the administrator. Then we specify that we are looking to generate and save a request, and that we want to be able to export the private key. The Subject Name is important, but also slightly confusing. You must specify your country code (US, GB, ES), your organisation name, and Common Name (CN) – which is the most important one. This must be the host name used to access the SSL service using a web browser, so mine was mail.contoso.com.

Once this request is saved, I passed it on to my CA to get the certificate issued. If you’re using a 3rd party CA (like VeriSign), then you’ll have to check first whether they support SANs. I use self-signed certificates, and my CA is running Windows Server 2008, which does support SANs, so I issued the request internally. This is done by accessing the CertSrv website, at http://servername/certsrv, and clicking the “Request a Certificate” link. Then, I chose “Advanced Request”, and pasted the request file’s contents into the box, and picked the “Web Server” template.

This presented me with a downloadable certificate, which I saved locally in CER format on the Exchange server. Then I used the following command to import the certificate:

Import-ExchangeCertificate -path <certificate>

Once the certificate was imported, I enabled it for use with Exchange. A similar command is used for this:

Enable-ExchangeCertificate

This prompted for a list of services, where I entered IMAP, IIS, SMTP as these are the default installed services. Only IIS actually gets used here, so I shouldn’t worry too much about this one. If you’re not sure, then just enter the same as me. Lastly, it asked for a thumbprint, which I copied and pasted from the output of the import command. Finally, after accepting the confirmation, the certificate was enabled.

And that was it. Both OWA and Outlook Anywhere are now working perfectly, and hopefully this post will help at least one other lost soul with the same problem!
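
As an added example (not part of the original post), the PowerShell below works out which host names Outlook clients will request, given the mail addresses and OWA URL from the example above, and reports any that a certificate's SAN list does not cover. The function names and the two sample SAN lists are assumptions made for illustration.

```powershell
# Added example, not from the original post. Sample data below is constructed.

# Names a client will request: the OWA/Outlook Anywhere host, plus
# autodiscover.<domain> for every distinct mail (SMTP) domain.
function Get-RequiredCertName {
    param([string[]]$MailAddress, [string]$OwaUrl)
    $names = @(([uri]$OwaUrl).Host)
    foreach ($addr in $MailAddress) {
        $names += 'autodiscover.' + ($addr -split '@')[-1]
    }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

# True if $HostName is covered by one SAN entry. A leading "*." matches
# exactly one left-most label, as TLS clients do.
function Test-SanMatch {
    param([string]$HostName, [string]$San)
    if ($San.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot + 1) -ieq $San.Substring(2))
    }
    return $HostName -ieq $San
}

# Returns the required names that no SAN entry covers (empty = nothing missing).
function Get-UncoveredName {
    param([string[]]$Required, [string[]]$SanList)
    @($Required | Where-Object {
        $name = $_
        -not ($SanList | Where-Object { Test-SanMatch -HostName $name -San $_ })
    })
}

$required = Get-RequiredCertName -OwaUrl 'https://mail.contoso.com/owa' `
    -MailAddress 'user1@contoso.com', 'user2@contoso.com'

# Constructed: a certificate issued without the autodiscover name.
$before = 'mail.contoso.com', 'exchange.contoso.local'
# The -domainname list used in the request above.
$after  = 'mail.contoso.com', 'exchange.contoso.local', 'autodiscover.contoso.com'

"Missing before: $(Get-UncoveredName -Required $required -SanList $before)"
"Missing after:  $(Get-UncoveredName -Required $required -SanList $after)"
```

Separately from the SAN list, publicly trusted CAs now require RSA keys of at least 2048 bits, so the 1024-bit -keysize in the request above would need raising for a certificate requested today.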

Categories
Exchange, Home Network, Life, Technology, Windows Server

Network Redesign

September 25, 2007

Okay, so the network that I have been managing for some time now has just undergone a pretty big redesign. It’s actually a home network, but it spans 2 sites – my house and my friend’s house. They are “joined” by a site-to-site VPN connection, which gives us a load of benefits like easily sharing photos, programs, and an AD/Exchange forest.

Up until recently, the network was running with just one physical server at each site, we shall call them Site A and Site B, each with VMware Server installed. Both servers were configured almost identically, with the host machine running AD (Active Directory) and Exchange 2003, and a VM running ISA Server 2006 for the firewall/VPN. Another VM was used for hosting some websites in the Perimeter network.

The redesign saw one new server in at Site A and two new servers at Site B – although the main server at Site A has been upgraded significantly. The new servers were installed to take the firewall away from the Virtual Machine to a physical one – as this is much more secure. Also, the second new server at Site B hosts Exchange, while this is now on a VM at Site A.

This network doesn’t support many clients or users, but it is used mostly for educational purposes. For that it is perfect. We have a multi-tree forest AD configuration, with one domain for each site (or each house!), and one Exchange organisation spans the entire forest, with one Exchange server at each site. This also helps if one server/network is down, as the other will pick up the email for both sites – so we have a failsafe if one network is having problems.

I have published a “public” version of the network diagram, with external IP addresses/names removed, just in case anyone might find it interesting. Just click the thumbnail for a fullsize version.

As you may have noticed, I’ve used the names of gods from Greek and Roman mythology for the servers. The web servers are the oldest ones there so they haven’t been renamed yet. Maybe an exciting project for the future!

Both networks now have a 20mb/784kb internet connection (up/down), so the VPN link is essentially 784kb/sec both ways. That’s pretty good for things like AD replication, but not brilliant for sharing files and photos.

The active directory is the aspect of the network I am most proud of. Since the rebuild it has been working flawlessly, although I am forever looking at ways to expand the directory. The DC at each site hosts a DNS zone for both domains, which provides redundancy for DNS if one DC is down, and both servers hold a copy of the Global Catalog. This allows for fast directory searches from both sites, and gives each Exchange server a GC to look to.

The forest is split logically, as well as physically, into sites. This allowed me to easily alter the replication schedule for the Domain Controllers, although I decided to leave this at hourly intervals, as I saw no reason to alter this value.

Hopefully the AD forest and network infrastructure will provide a solid base to expand on, and I will post about any major additions to the network. At present the clients consist of XP and Vista machines, but we are soon to acquire a new desktop, which will be running Vista, that will make a nice addition to AD.

Categories
Active Directory, Exchange, Home Network, Life, Technology, Windows Server

Out with Exchange, in with WSUS!

September 9, 2007

Up until yesterday, my Exchange server was my DC – they were one and the same. As anyone will tell you, this isn’t a particularly desirable configuration. For one thing, if you want to demote the DC, you have to uninstall Exchange first, and that means lots of migration and replication and…well it’s not very nice!

So, I finally took the big step, and migrated all the Exchange data off the DC, and uninstalled it. So now I have a separate Exchange server, which means tons more RAM free on the DC.

This also allowed me to install something I’ve been looking at for quite some time now – WSUS 3. I now realise how useful this piece of software can be. I am only managing about 5 computers, plus a few servers, but this makes keeping the machines up-to-date so much easier. Plus, you get lovely graphs like this:

[Image: WSUS Graphs]

Also worth mentioning, is that the Exchange server I’ve been telling you about actually runs as a virtual machine under VMware on the DC. It has 2GB of RAM, and seems to be coping fine, but with 1GB assigned to the Exchange VM, and 384mb assigned to another VM I have running on there (a web server), task manager seems to be having problems getting the memory details correct:

[Image: Virtual Machine RAM Usage]

So we have 1GB + 384mb + whatever else is running on there (WSUS, DC, DHCP etc), and we end up with 1.0GB (or thereabouts). Something’s not right. Alas, the server seems to be handling the load fine, and with a gig of RAM apparently free, I have space to expand in the future. Brilliant.

Categories
Exchange, Home Network, Technology, Windows Server
