Why Get-FederationInformation fails.

Sunday, January 15, 2012 22:34
Posted in category Exchange & OCS

When you run the Get-FederationInformation cmdlet in Exchange 2010 (Service Pack 2) you might run into an apparently vague error. This problem might prevent you from successfully completing the Exchange 2010 Service Pack 2 Hybrid Configuration Wizard, because that wizard runs the Get-FederationInformation cmdlet as well.

Here’s an excerpt of what you might see when you run into the problem during the Hybrid Configuration Wizard:

[1/10/2012 13:14:31] INFO:Running command: Get-OrganizationRelationship
[1/10/2012 13:14:31] INFO:Cmdlet: Get-OrganizationRelationship –Start Time: 1/10/2012 2:14:31 PM.
[1/10/2012 13:14:31] INFO:Cmdlet: Get-OrganizationRelationship –End Time: 1/10/2012 2:14:31 PM.
[1/10/2012 13:14:31] INFO:Cmdlet: Get-OrganizationRelationship –Processing Time: 31.2498.
[1/10/2012 13:14:31] INFO:Running command: Get-FederationInformation -DomainName ‘domain.com’
[1/10/2012 13:14:31] INFO:Cmdlet: Get-FederationInformation –Start Time: 1/10/2012 2:14:31 PM.
[1/10/2012 13:14:58] ERROR:System.Management.Automation.RemoteException: Federation information could not be received from the external organization.
[1/10/2012 13:14:58] INFO:Cmdlet: Get-FederationInformation –End Time: 1/10/2012 2:14:58 PM.
[1/10/2012 13:14:58] INFO:Cmdlet: Get-FederationInformation –Processing Time: 27781.0722.
[1/10/2012 13:14:58] INFO:Disconnected from On-Premises session
[1/10/2012 13:15:4] INFO:Disconnected from Tenant session
[1/10/2012 13:15:4] ERROR:Updating hybrid configuration failed with error ‘Subtask Configure execution failed: Creating Organization Relationships.

When you run the cmdlet from the management shell, you see an error that just states that the command failed because it couldn’t retrieve the federation information.

To troubleshoot this problem, it is important to understand how this command actually works.

The Get-FederationInformation cmdlet is run from the Exchange Online tenant. The tenant attempts to query the on-premises Client Access Server (CAS) to obtain the information it needs to create the cloud side of the organization relationship.

This task failing is usually caused by one of the following conditions:

  • The autodiscover DNS record for the primary SMTP domain is not resolvable.
  • The DNS record resolves to a pre-2010 SP1 CAS (e.g. a 2007 CAS or a 2010 RTM CAS). For the hybrid configuration to work, the DNS record must resolve to a 2010 SP1 or later CAS.
  • There is an issue with publishing the autodiscover and EWS virtual directories to the Internet. (Examples: a bad or internally issued certificate, or pre-authentication turned on at the TMG layer or some other intermediate device.)

The bottom line is that the cloud tenant needs to be able to resolve the autodiscover record for any hybrid domain (e.g. autodiscover.domain.com) to an Exchange Server 2010 SP1+ Client Access Server, and then be able to access both the /autodiscover and /EWS virtual directories.
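The three conditions above can be checked from the outside before re-running the wizard. The script below is an added example, not part of the original post; it assumes 'domain.com' stands for your hybrid domain, uses only .NET classes so it runs on any machine with PowerShell, and should be run from a host outside your network, since that is where the tenant sits. (The CAS version itself cannot be read from these responses; check that on the server.)

```powershell
# Added example, not part of the original post: checks the conditions listed above
# the way the tenant would see them. Run it from a machine OUTSIDE your network.
# 'domain.com' is a placeholder for your hybrid domain.
param([string]$Domain = 'domain.com')

$autodiscoverHost = "autodiscover.$Domain"

# 1. The Autodiscover record must resolve from the public Internet.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($autodiscoverHost) |
        ForEach-Object { $_.IPAddressToString }
    Write-Host "$autodiscoverHost resolves to $($ips -join ', ')"
} catch {
    Write-Host "FAIL: $autodiscoverHost does not resolve ($($_.Exception.Message))"
    return
}

# 2./3. Both virtual directories must be reachable over HTTPS, present a certificate
# the client trusts, and issue the HTTP authentication challenge themselves. A 200
# (forms page) or a 302 (logon redirect) means TMG or another device pre-authenticates.
foreach ($path in '/autodiscover/autodiscover.xml', '/EWS/Exchange.asmx') {
    $url = "https://$autodiscoverHost$path"
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.AllowAutoRedirect = $false   # we want to see a redirect, not follow it
    $request.Timeout = 15000
    $response = $null
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # A 401 is raised as an exception but still carries the response object.
        if ($_.Exception.Response -ne $null) {
            $response = $_.Exception.Response
        } elseif ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            Write-Host "FAIL: $url - certificate not trusted (internally issued or wrong name?)"
            continue
        } else {
            Write-Host "FAIL: $url - $($_.Exception.Status): $($_.Exception.Message)"
            continue
        }
    }

    $status    = [int]$response.StatusCode
    $challenge = $response.Headers['WWW-Authenticate']
    $cert      = $request.ServicePoint.Certificate
    $response.Close()

    if ($cert) {
        Write-Host "  cert: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.GetExpirationDateString())"
    }
    if ($status -eq 401 -and $challenge) {
        Write-Host "OK:   $url - 401 with challenge '$challenge' (Exchange answers directly)"
    } elseif ($status -eq 302 -or $status -eq 200) {
        Write-Host "WARN: $url - HTTP $status; looks like pre-authentication or a logon page in front of Exchange"
    } else {
        Write-Host "WARN: $url - unexpected HTTP $status"
    }
}
```

An internally issued certificate shows up as a TrustFailure here, exactly as it would for the tenant; a publicly trusted certificate whose name does not match the autodiscover host fails the same way.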

Exchange 2010 CAS: Outlook Web App Proxying vs Redirection

Thursday, August 25, 2011 8:41
Posted in category Exchange & OCS

Just a little learning snack on Outlook Web App Proxying versus Redirection.

Let’s say we have two Active Directory sites, both with at least one Mailbox Server and both with at least one Client Access Server and we want users to be able to use Outlook Web App from the internet.

This means that at least one of the Client Access Servers should be accessible from the Internet. The Internet-accessible CAS should have Forms Based Authentication enabled, and must have a valid certificate installed on the OWA virtual directory. Furthermore, the Internet-accessible CAS must have an External URL associated with it: the URL that Internet users use to access the OWA pages.

Scenario 1 – The second CAS is not accessible from the Internet (Proxying)

In this scenario, only the CAS in one site, let’s say SiteA, is accessible from the Internet. That means that the CAS in the second site, let’s say SiteB, is not accessible from the Internet and has no External URL associated with it. In this scenario, you should enable Windows Integrated Authentication on the CAS in SiteB. Users will access the CAS in SiteA from the Internet. If a user who has a mailbox in SiteB accesses the CAS in SiteA, that CAS ‘sees’ that the user’s mailbox resides in SiteB, and that the CAS there has no External URL associated with it. It will then proxy the request to the CAS in SiteB. So the client accesses the CAS in SiteA, and the CAS in SiteA proxies the request to the CAS in SiteB.

Scenario 2 – The second CAS is accessible from the Internet (Redirection)

In this scenario, both the Client Access Servers in SiteA and in SiteB are accessible from the Internet. Both CAS servers will have to be configured with an External URL and a valid certificate for the hostname defined in the External URL. Both CAS servers should have Forms Based Authentication enabled.

If a client accesses the CAS in SiteA, but has a mailbox in SiteB, the CAS in SiteA ‘sees’ this and sends an HTTP Redirect message to the client. The client then accesses the CAS in SiteB.
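The OWA virtual directory settings that produce the two behaviours, as an added example that is not part of the original post. Server names (cas-a, cas-b) and the URLs are placeholders; the commands are run from the Exchange Management Shell.

```powershell
# Added example, not from the original post. cas-a is the CAS in SiteA, cas-b the CAS
# in SiteB; the mail.*.domain.com names are placeholders for names on your certificate.

# Scenario 1 - only SiteA is published to the Internet (proxying).
# SiteA: Forms Based Authentication plus the External URL users type in.
Set-OwaVirtualDirectory -Identity 'cas-a\owa (Default Web Site)' `
    -ExternalUrl 'https://mail.domain.com/owa' `
    -FormsAuthentication $true -BasicAuthentication $true
# SiteB: no External URL and Windows Integrated Authentication, so the SiteA CAS can
# proxy to it. FBA has to be off here; FBA and Integrated Windows are mutually exclusive.
Set-OwaVirtualDirectory -Identity 'cas-b\owa (Default Web Site)' `
    -ExternalUrl $null `
    -FormsAuthentication $false -WindowsAuthentication $true

# Scenario 2 - both sites are published (redirection): both get FBA and an External URL
# whose hostname is on that server's certificate.
Set-OwaVirtualDirectory -Identity 'cas-a\owa (Default Web Site)' `
    -ExternalUrl 'https://mail-a.domain.com/owa' `
    -FormsAuthentication $true -BasicAuthentication $true
Set-OwaVirtualDirectory -Identity 'cas-b\owa (Default Web Site)' `
    -ExternalUrl 'https://mail-b.domain.com/owa' `
    -FormsAuthentication $true -BasicAuthentication $true

# Authentication changes on the OWA virtual directory take effect after IIS is restarted
# on that server (iisreset /noforce). Review the result across all CAS servers:
Get-OwaVirtualDirectory |
    Format-Table Server, ExternalUrl, FormsAuthentication, WindowsAuthentication -AutoSize
```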

Yes, it’s that simple… really…

Rebooting Linux when ‘reboot’ won’t work.

Tuesday, August 16, 2011 19:14
Posted in category Linux

Every now and then you might run into the problem that your Linux box just won’t reboot, and you do not have console access. If so, try this:

echo s > /proc/sysrq-trigger

echo b > /proc/sysrq-trigger

The first command syncs the drives, the second bounces your box.


Microsoft Office Automation in C# with Early Binding and Late Binding

Thursday, June 30, 2011 11:07
Posted in category C#

If you want to automate tasks for Microsoft Office applications, for example in Microsoft Word or Microsoft Excel, you can do so from C#.

You will have to choose, though, whether you want to use Early Binding or Late Binding.

This sample shows you how you can use both Early and Late Binding for Office Automation, using Word and Excel.


Imminent Career Change

Thursday, May 19, 2011 21:26
Posted in category Uncategorized

For some this might come as a surprise, for others this might be no more than logic…

After working well over 10 years with the same colleagues, starting at BaByXL BroadBand DSL, then Tiscali and finally Winitu Consulting, I decided that it’s time for a change… This change also implies that, after being an MVP (Microsoft Most Valuable Professional) for about 12 years, that era comes to an end as well.

On June 1, 2011, I’ll be starting a new career at Microsoft.

Due to the fact that the position at Microsoft is in an entirely different field of work, I’ll be saying goodbye to many of you.

Whosoever desires constant success must change his conduct with the times.

— Niccolo Machiavelli

Casting Enums by using Extension Methods in C#.

Wednesday, June 23, 2010 8:39
Posted in category Uncategorized

In C# there is no way to implicitly cast one enum to another.

One possible way around this is by assigning values to each enum member. If the values of the first enum match the values of the second enum, you can use two casts: the first casts the first enum value to an integer, and the second casts the integer to the second enum.

But this will only work if the values match, or if there is a function that you use to ‘calculate’ the second value.

If this is not possible, you can use Extension Methods to cast one enum to another.

Here is a generic example that uses two enum types. One is a custom ‘Day’ enum. The idea is that it should be possible to cast the custom ‘Day’ enum to the DayOfWeek enum, which is defined by default in C#. (I didn’t say this example was useful, but it’s the idea that counts.)

public enum Day { Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday }

Now, we implement two custom extension methods, one on the Day enum AND one on the DayOfWeek enum, to enable some sort of conversion:

using System;

public static class DayExtensions
{
   // Day -> DayOfWeek; undefined values (e.g. (Day)42) fall through to the exception.
   public static DayOfWeek ToDayOfWeek(this Day day)
   {
      switch (day)
      {
         case Day.Friday: return DayOfWeek.Friday;
         case Day.Monday: return DayOfWeek.Monday;
         case Day.Saturday: return DayOfWeek.Saturday;
         case Day.Sunday: return DayOfWeek.Sunday;
         case Day.Thursday: return DayOfWeek.Thursday;
         case Day.Tuesday: return DayOfWeek.Tuesday;
         case Day.Wednesday: return DayOfWeek.Wednesday;
         default: throw new ArgumentOutOfRangeException("day");
      }
   }

   // DayOfWeek -> Day; the inverse mapping.
   public static Day ToDay(this DayOfWeek day)
   {
      switch (day)
      {
         case DayOfWeek.Friday: return Day.Friday;
         case DayOfWeek.Monday: return Day.Monday;
         case DayOfWeek.Saturday: return Day.Saturday;
         case DayOfWeek.Sunday: return Day.Sunday;
         case DayOfWeek.Thursday: return Day.Thursday;
         case DayOfWeek.Tuesday: return Day.Tuesday;
         case DayOfWeek.Wednesday: return Day.Wednesday;
         default: throw new ArgumentOutOfRangeException("day");
      }
   }
}

After creating these extension methods, you can use them like this:

Day day = DateTime.Now.DayOfWeek.ToDay();
DayOfWeek dayOfWeek = Day.Friday.ToDayOfWeek();

Have fun.

Answers to the 10 most Common Questions on the Exchange CAS-Array.

Friday, June 11, 2010 4:18
Posted in category Exchange & OCS

During my stay at TechEd 2010 in New Orleans, I had to work the Exchange Server 2010 Flexibility and Reliability booth. Although most questions were on the Exchange DAG, the second most popular discussion was around the Client Access Server (CAS) and CAS-Arrays.

Hence, the 10 most predominant questions (and of course, the answers to them):

Q1. Is it true that there can be only 1 CAS Array?

A1. There can be only 1 CAS Array per Active Directory Site. The name of the CAS Array is stored as a string on the AD-Site object. When you use the PowerShell command New-ClientAccessArray you see that you have to provide an AD-Site by means of the –Site parameter.

Q2. Can I create a CAS Array when I need it, or do I need to set it up in advance?

A2. No, you can create a CAS Array whenever you need it. But keep in mind that an Exchange database is ‘linked’ to a certain CAS Server or CAS Array. If you do not create a CAS Array up front, and decide to create one after Exchange databases have been created, you have to manually ‘link’ the existing databases to the CAS Array. (This can be done with the PowerShell cmdlet Set-MailboxDatabase: Get-MailboxDatabase | Set-MailboxDatabase –RPCClientAccessServer ‘cas-array.domain.local’.) Otherwise, clients will keep using the first CAS Server rather than the CAS Array for accessing the mailbox server. Luckily, you can have a CAS Array with only one server. Since best practice is to install the CAS Server before creating an Exchange 2010 mailbox server, create the CAS Array right after creating the CAS Server.

Q3. Is it true that there can be only 8 servers in a CAS Array?

A3. No. There can be any number of CAS servers in a CAS Array. But since many use Microsoft’s Network Load Balancing for load balancing client access to the servers, they are limited to 8 servers; that is a limit imposed by Microsoft Network Load Balancing, not by the CAS Array design.

Q4. Can I stretch a CAS Array over multiple IP-Subnets?

A4. Depends. There can be only one CAS Array per AD-Site. So if both IP Subnets are in a different AD-Site, you cannot.

Q5. Do I need a Hardware Load Balancer in front of my CAS Array?

A5. Not necessarily. Depending on the clients you want to support (EAS, POP, IMAP, OWA, Outlook, RPC over HTTPS) certain load balancing solutions are better suited than others. I have seen Microsoft Network Load Balancing used with success, whilst others have problems with this ‘free’ solution. The different protocols require different affinity implementations on the load balancer; some protocols support redirection, some support proxying.

Q6. Do I need CAS arrays in my primary site and my DR site?

A6. Most probably yes. Although DAGs can span sites, you need to set up a CAS array in your primary site and in your DR site.

Q7. If my DAG fails over to my DR site, will my clients still be able to connect?

A7. Most probably not. Remember: you will have a different CAS Array (with a different CAS Array name) in the DR Site. Since the mailbox database is linked to a specific CAS Array, if the primary site fails, the databases might be up and running in the DR site, but the clients will still try to access the CAS Array in the failed site. So you need to change the RPCClientAccessServer on the mailbox databases that are now in the DR site. If you set it to the name of the CAS Array in the DR site, clients will now need to access the database by means of the CAS Array name in the DR Site. This can be done by means of Autodiscover, but if you have older Outlook clients, you have to change the Outlook profile. Furthermore, take DNS into account in such a scenario; start by lowering the TTL of the DNS records of the CAS Array’s name so that in case of a failure you can change DNS records fast. (That’s also important for all other clients besides Outlook!)
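The RPCClientAccessServer change from A7, scripted, as an added example that is not part of the original post. It assumes one CAS Array per AD site (A1), that the active database copies have already been activated in the DR site, and that it is run from the Exchange Management Shell; without -Apply it only reports what it would change.

```powershell
# Added example, not from the original post: after a datacenter switchover, re-link every
# mailbox database to the CAS Array of the AD site where its active copy is now mounted.
param([switch]$Apply)

# Site name -> CAS Array FQDN (one array per site, see A1).
$arrayBySite = @{}
foreach ($array in Get-ClientAccessArray) {
    $arrayBySite[$array.Site.Name] = $array.Fqdn
}

foreach ($db in Get-MailboxDatabase -Status) {
    if (-not $db.MountedOnServer) {
        Write-Warning "$($db.Name): not mounted anywhere, skipping"
        continue
    }
    # MountedOnServer is an FQDN; Get-ExchangeServer tells us the server's AD site.
    $serverName = ($db.MountedOnServer -split '\.')[0]
    $siteName   = (Get-ExchangeServer -Identity $serverName).Site.Name
    $target     = $arrayBySite[$siteName]

    if (-not $target) {
        Write-Warning "$($db.Name): no CAS Array in site '$siteName' (see A6), skipping"
        continue
    }
    if ("$($db.RpcClientAccessServer)" -ieq $target) {
        Write-Host "$($db.Name): already points at $target"
        continue
    }

    Write-Host "$($db.Name): $($db.RpcClientAccessServer) -> $target"
    if ($Apply) {
        Set-MailboxDatabase -Identity $db.Identity -RpcClientAccessServer $target
    }
}

# DNS is the other half: clients keep resolving the old array name until its record's
# TTL expires, so the TTL has to be lowered before the failure, not during it.
```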

Q8. If I upgrade from Exchange Server 2003 or 2007 to Exchange Server 2010, can I replace the old CAS servers or Front-Ends with Exchange 2010 CAS servers first?

A8. No. An Exchange Server 2010 CAS server will not serve mailboxes that are running on older versions of Exchange. So if you still have mailboxes on, let’s say, Exchange 2007 servers, you will need an Exchange Server 2007 CAS server to service those clients. If you try to access the Exchange 2007 mailbox through the Exchange 2010 CAS server, the server will redirect the client to the Exchange 2007 CAS (if the protocol supports it). So instead of replacing the ‘old’ CAS servers, install NEW CAS servers. This introduces some extra complexity; since the new CAS server(s) or CAS array cannot have the same name as the old CAS Server(s) or array, you need to introduce a new namespace or DNS name. And, because of that, you might have to purchase new certificates. Yes, the CAS role is the trickiest role in the Exchange portfolio of server roles…

Q9. How many CAS Servers do I need?

A9. Although this answer depends on a lot of important factors like server sizing, protocols used, client profile, etc., there is a rule of thumb: you will need approximately 3 CAS servers for every 4 mailbox servers.

Q10. How many certificates (of what sort) do I need for my CAS Servers?

A10. It all depends. For one single CAS array you will obviously need at least one certificate: a certificate that has the name of the CAS ARRAY. That certificate can be used on all servers in the CAS Array. If you have, let’s say, 2 CAS arrays in 2 sites, and each CAS array serves as a fallback for the other CAS array, it is recommended that you purchase a SAN certificate with the names of both CAS arrays in it. Install that certificate on all CAS servers in both arrays/sites. But there could be other scenarios that would require you to put more names on the SAN certificate. You can also use wildcard certificates, but make sure that all your clients support wildcard certificates. For example, most older Windows Mobile devices will have problems with wildcard certificates. Always make sure that the root CA of the certificate is trusted by the device you use.

So where are my iPhone and BlackBerry questions?

Well, since the implementation of the iPhone’s ‘ActiveSync’ is lacking a lot of functionality, I will not go into much detail here. The iPhone currently does not support the ActiveSync redirect, something you will be using in a DR scenario. Furthermore, it does not implement a lot of the policies you can set in Exchange with regard to mobile devices. (And the iPhone even ‘tells’ Exchange that all policies were applied, when in fact they were ignored completely.) Microsoft is really pushing Apple towards implementing all of this, but they cannot force customers to do so. Just be aware of all the third-party EAS clients out there, as they might not be as good as you think…

As far as BlackBerrys go: get some expensive BlackBerry Enterprise product and see how far it gets you. Be sure to test all failover scenarios and keep track of the load on your CAS servers!

Answers to the 10 most Common Questions on the Exchange DAG.

Friday, June 11, 2010 1:54
Posted in category Exchange & OCS

Working the Exchange booth during TechEd 2010 in New Orleans, I got a lot of questions regarding the Database Availability Group, or DAG, in Exchange Server 2010. Here are the 10 most predominant questions (and of course, the answers to them):

Q1. Can I use the DAG with Exchange Server 2010 Standard Edition?

A1. Yes, you can use the DAG with Exchange Server 2010 Standard Edition. Yet, with Exchange Server 2010 Standard Edition you are limited to 5 databases at most per mailbox server. With Exchange Server 2010 Enterprise Edition you can have anywhere from 1 to 100 databases per mailbox server.

Q2. How many mailbox servers can I have in a single DAG?

A2. You can have up to 16 mailbox servers in a single DAG. This limit is not so much imposed by the Exchange product, but it is a limitation of the Windows clustering technology that is behind Exchange’s DAG.

Q3. Can I have more than 1 DAG in a single Active Directory Site?

A3. Yes you can. Although you can have only 1 Client Access Server (CAS) Array per AD-site, you can have multiple DAGs in a single AD-Site.

Q4. How large can a single database in a DAG be?

A4. Whether you are using a DAG or not, a single mailbox database in Exchange Server 2010 (Standard or Enterprise) can hold up to 16TB of data. How you will or will not back up the data in these databases will determine how large you want a single database to become. Restoring 16TB of data, if required, takes a long time. Even from a fast disk array…

Q5. Can I run a DAG on Windows Server 2008 (R2) Standard Edition?

A5. No. Since Exchange Server 2010 uses Windows Clustering for running the DAG, you need a Windows version that supports clustering. Hence, Windows Server 2008 (R2) Standard Edition cannot be used. You will have to use either Windows Server 2008 (R2) Enterprise Edition or Datacenter Edition.

Q6. Can a DAG span multiple IP Subnets?

A6. Yes. Since Exchange Server 2010 uses Windows Clustering for running the DAG, and Windows Clustering now supports stretching the cluster over multiple IP-subnets, you can span a DAG over multiple IP-subnets.

Q7. Can I have a DAG server ‘in the cloud’?

A7. No you cannot have a DAG server ‘in the cloud’ using Microsoft Exchange Online.

Q8. Do I need an odd number of mailbox servers in a DAG?

A8. In order for a cluster to make decisions about whether a database is ‘up’ or not, we need an odd number of servers making that decision. By default, each member of the DAG has one vote. If you have an even number of nodes, and the first two nodes were separated from the other two nodes, there is no way of telling if the passive copy of the data on one of those two nodes should be activated. Therefore, another voter is required. Instead of having to put another mailbox server in the DAG, you can use a File Share Witness to break the tie. This ‘server’ does not have to be part of the DAG. Hence, no, you do not need an odd number of mailbox servers in a DAG.

Q9. Will failover in a DAG always be automatic?

A9. Depending on the design of your DAG, failover may occur automatically or not. So, it depends. If you have four servers in your DAG, of which two reside in Data Center A and two reside in Data Center B, and you have a File Share Witness in Data Center A, databases will not fail over automatically to Data Center B mailbox servers in case you lose Data Center A completely, because there can never be a majority of voters in Data Center B in this scenario. You will have to plan for a manual (or scripted) failover in this scenario.

Q10. Do all mailbox servers in the DAG have passive copies of all active databases?

A10. No. You can have 10 mailbox servers in a single DAG and set it up in such a way that there are never more than (for example) 3 copies of each active database at any given time. So you can, for example, have 30 active databases distributed over the 10 nodes in your DAG. Each node can then have 3 active databases. You can now configure each node to have, again for example, 6 passive copies only.

Remember that in a DAG you can failover a single database, and you do not always have to failover an entire server!

Hope this helps!

Exchange 2010 SP1 Public Beta Available.

Monday, June 7, 2010 21:59
Posted in category Exchange & OCS

The beta version of the long-anticipated Service Pack 1 for Exchange 2010 is available to the public now!

http://go.microsoft.com/fwlink/?LinkId=193120

There are some pretty cool features in SP1 like MailTips and the separation of the Online Archive from the regular mailbox.


I’ll be in Bellevue.

Saturday, February 13, 2010 19:35
Posted in category Uncategorized

This week, starting Valentine’s Day, I’ll be at the MVP Global Summit. This year, and for the first time, in beautiful Bellevue.

I’ll be home on a Monday… somewhere around noon…

I will keep in touch.