Wednesday, March 31, 2010

How to Brand OWA 2007 and 2010 with the Server Name

If your Exchange 2007 or Exchange 2010 environment includes more than one CAS server, it's sometimes helpful to know which one a client is connecting to.  Environments with more than one CAS usually use some form of hardware or software load balancing, making it difficult to troubleshoot OWA issues.

A relatively easy way to do this is to brand each CAS server's OWA logon page with the server name.  This way, end-users are able to provide the server name if they run into problems.

For Exchange 2007, navigate to C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth folder and open the logon.aspx file using Notepad.

Add either of the two edits shown in the screenshot below:


Adding the server name as highlighted above in red will visibly add the server name to the logon screen, as shown below:


Adding the server name as highlighted above in blue will add the server name "invisibly" below the logon screen.  To view the server name, click anywhere on the screen and press CTRL-A to select all.  You can then see the server name, as shown below:


For Exchange 2010, navigate to the C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth folder and open the logon.aspx file using Notepad.


Add the server name, as shown in the screenshot below:


This will add the server name to the logon screen, as shown below:


Important Note: These edits are overwritten anytime an Exchange Server update is applied to the CAS servers.  This is because every update includes a complete reinstallation of the Exchange binaries, and the logon.aspx file you edited will be overwritten.

Typically, the logon.aspx page rarely changes, so you can usually make a copy of it after you've made your edits and copy it back after the update.  However, there are no guarantees that the file will not be changed by an update.  If so, you will need to re-edit the logon.aspx file.
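Because the edit is lost at every update, it is easier to keep if it lives in a script that can simply be re-run afterwards.  The following is an added example, not part of the original post: it inserts the server name just before the closing </body> tag of logon.aspx (an assumption about the page markup; the post's own screenshot edits are not reproduced), keeps a backup, and refuses to insert twice.  The "invisible" variant here is an HTML comment that is visible in the page source, rather than the post's select-all trick.  The paths are the ones given above.

```powershell
# Added example (not from the original post): re-apply server-name branding to logon.aspx.
# Assumes logon.aspx closes with a </body> tag; the inserted markup is this script's own.
function Add-OwaServerNameBranding {
    param(
        [ValidateSet('2007', '2010')][string]$ExchangeVersion = '2010',
        [switch]$Visible,                       # visible text instead of an HTML comment
        [string]$Label = $env:COMPUTERNAME      # what the logon page will show
    )

    $logonPage = switch ($ExchangeVersion) {
        '2007' { 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\logon.aspx' }
        '2010' { 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\auth\logon.aspx' }
    }
    if (-not (Test-Path $logonPage)) { throw "logon.aspx not found at $logonPage" }

    # Only hostname-like characters are allowed, so the label can never break the markup.
    if ($Label -notmatch '^[A-Za-z0-9.-]+$') { throw "Label '$Label' contains characters that are not allowed" }

    $marker = '<!-- owa-server-brand -->'      # lets the script recognise its own edit
    $html = [IO.File]::ReadAllText($logonPage)
    if ($html.Contains($marker)) {
        Write-Host "Branding already present in $logonPage; nothing to do."
        return
    }

    $snippet = if ($Visible) {
        "$marker<div style=""text-align:center;font-size:10px"">$Label</div>"
    } else {
        "$marker<!-- $Label -->"
    }

    Copy-Item $logonPage "$logonPage.bak" -Force  # keep a copy to compare after an update
    $index = $html.LastIndexOf('</body>', [StringComparison]::OrdinalIgnoreCase)
    if ($index -lt 0) { throw 'No </body> tag found in logon.aspx' }
    $html = $html.Insert($index, $snippet + "`r`n")
    [IO.File]::WriteAllText($logonPage, $html, [Text.Encoding]::UTF8)
    Write-Host "Inserted '$Label' into $logonPage"
}

# Usage: run on each CAS after every update; -Visible shows the name on the logon screen.
Add-OwaServerNameBranding -ExchangeVersion 2010 -Visible
```

The label defaults to the computer name, which is fine on an intranet.  For an Internet-facing CAS, pass a neutral label such as CAS-A instead, so that the logon page identifies the server to your help desk without revealing internal hostnames to everyone who reaches it.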

Tuesday, March 30, 2010

Fix for SCOM DNS 2008 External Resolution Monitor in Constant Error State

If you're using System Center Operations Manager 2007 (SCOM) you may notice that your Windows Server 2008 DNS servers are in a chronic critical state, due to the DNS 2008 External Resolution Monitor.  This monitor is in the Windows Server DNS 2000/2003/2008 Management Pack for Operations Manager 2007.

The DNS 2008 External Resolution Monitor performs an NSLOOKUP query for a host (NS) record at www.microsoft.com to verify that external resolution is functioning properly.  Further details can be read here.

Assuming that DNS forwarding and name resolution is functioning properly, you can correct this false error by creating an override for the Query Type.  Override the default value (ns) for the DNS Server class with the override value of A, as shown below:


This will cause the monitor to perform lookups for A records, which should succeed.  If the monitor still fails, you may indeed have a DNS name resolution problem.

Monday, March 29, 2010

How to Use Telnet to Send SMTP Email to Exchange 2007 and 2010

Unlike previous versions of Exchange, Exchange Server 2007 and Exchange 2010 use strict RFC compliance to send and receive SMTP email.  This can cause some unexpected behavior if a server or application that sends email to Exchange does not comply with RFC 5322 or RFC 2822.

Many email administrators know how to use the Telnet client to send SMTP email.  In this article I’ll show you how to send RFC compliant email using Telnet.  Doing so also allows you to add X-Headers to your email, which I’ll explain later.

First, you need to have access to the Telnet client.  This is already installed as part of the operating system on all Windows platforms prior to Windows Vista or Windows 2008.

To install the Telnet Client for Windows Vista and Windows 7:
  1. Open Control Panel > Programs and Features
  2. Select Turn Windows features on or off
  3. In the list that appears, check the box beside Telnet Client
  4. Click OK
For Windows Server 2008 and Windows Server 2008 R2:
  1. Open Server Manager and select Features
  2. Click Add Features
  3. Check Telnet Client, click Next and Install
You may also want to try PuTTY.  PuTTY is a free Telnet/SSH client that has extended features, such as logging and appearance personalization.  More importantly, PuTTY allows you to use the backspace key to correct typing mistakes – something the Telnet client won’t do.

So, on with the demo.  Let’s start first with an example of the way most people use Telnet to send email.  Use your Telnet client to connect to the SMTP server on port 25 and issue the following commands.  I’ve color coded what I type in blue and what the server returns in maroon.
telnet exchange.domain.com 25
220 exchange.domain.com Microsoft ESMTP MAIL Service ready at Sun, 28 Mar 2010 08:49:36 -0700
helo domain.com
250 VLHC.scif.com Hello [10.1.117.29]
mail from:user1@domain.com
250 2.1.0 Sender OK
rcpt to:user2@domain.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>

Subject:Test email using Telnet
This is a test.
.

250 2.6.0 <9c642f92-e0e3-4b9e-b3d3-21054eed3247@exchange.domain.com> Queued mail for delivery
quit
221 2.0.0 Service closing transmission channel
Connection to host lost.
Assuming that the recipient email address is valid and the configuration on the Exchange server allows the email to be relayed, this results in an email being sent to user2@domain.com.  However, you will notice a few peculiar things about the email that was received.

First, the To: field in the email is blank.  If you look at the SMTP headers, you will see that the To: header shows “Undisclosed recipients:;”, as shown below.


The second issue with the email is that the body of the message is blank.  It should show “This is a test.”

Here’s how to send that same email using RFC 2822 compliance to have it displayed correctly in Outlook.  Use your Telnet client to connect to the SMTP server on port 25 and issue the following commands.  This time I've used the color green to indicate the changes.
telnet exchange.domain.com 25
220 exchange.domain.com Microsoft ESMTP MAIL Service ready at Sun, 28 Mar 2010 08:52:17 -0700
helo domain.com
250 VLHC.scif.com Hello [10.1.117.29]
mail from:user1@domain.com
250 2.1.0 Sender OK
rcpt to:user2@domain.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>

to:user2@domain.com
Subject:Test email #2 using Telnet

          ^--- This blank line is the CRLF that separates the headers from the body
This is a test.
.

250 2.6.0 <10c637ec-f8fb-4753-85c4-76d5c4f76108@exchange.domain.com> Queued mail for delivery
quit
221 2.0.0 Service closing transmission channel
Connection to host lost.
This results in an email where the To: field is displayed correctly in both the SMTP headers and the email itself, and the body of the message is displayed, as shown below.


The difference between the two emails is the “to:user2@domain.com” line immediately after the “data” command and before the “Subject:…” line.  There must also be a blank line after the Subject and before the body of the message is entered.

Technically, the to: line can be entered as either to:user2@domain.com or to:John Smith <user2@domain.com>.  Outlook will attempt to auto-resolve the To: line to the display name stored in Active Directory and will overwrite the display name entered.  Keep in mind that the To: line does not have to match the address used in the RCPT command. If the address entered cannot be resolved, Outlook will display the display name listed on the To: line, or just the email address if none was entered.

If you want to add a custom X-Header, you add it anytime after the DATA command and before the Subject:... command.  For example:
data
354 Start mail input; end with <CRLF>.<CRLF>
to:user2@domain.com
X-My-Test-Header:My Data

Subject:Test email with custom X-Header
This results in the X-My-Test-Header: My Data being added to the SMTP header, as shown below:


X-Headers are often used to add metadata to an email message.  Antivirus and anti-spam solutions usually add some form of X-Header to emails to show what type of processing has occurred and possibly what score has been applied to the message.
You can use the X-Headers to create Hub Transport rules that act upon messages in a particular way. For example, you can set the Spam Confidence Level (SCL) on a message based on the anti-spam solution's score, reported in an X-Header.

You can also use this method to test that the X-Headers are promoted properly in Exchange. You can read more about named property promotion here.
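Here is the scripted equivalent of the sessions above, added as an example and not taken from the original post.  It sends the same headers plus From: and Date: (which the telnet sessions omit but RFC 5322 requires), the custom X-Header, and the blank line before the body; it checks every server reply code instead of trusting the connection; and it handles the one body edge case a hand-typed session tends to miss: a line that begins with a period must be "dot-stuffed", or the server takes it as the end-of-data marker.  exchange.domain.com and the addresses are the post's placeholder names; the message content is constructed.

```powershell
# Added example (not from the original post): an RFC 5322-compliant message over a raw
# SMTP session, with reply-code checking and dot-stuffing. Hostnames are placeholders.
function Send-RawSmtpMessage {
    param(
        [string]$Server   = 'exchange.domain.com',
        [int]$Port        = 25,
        [string]$HeloName = 'domain.com',
        [string]$From     = 'user1@domain.com',
        [string]$To       = 'user2@domain.com',
        [string]$Subject  = 'Test email with custom X-Header',
        [string]$Body     = "This is a test.`r`n.This line starts with a dot on purpose.",
        [hashtable]$XHeaders = @{ 'X-My-Test-Header' = 'My Data' }
    )

    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $Server, $Port
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader -ArgumentList $stream, ([Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter -ArgumentList $stream, ([Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"     # SMTP lines end with CRLF, never a bare LF
    $writer.AutoFlush = $true

    # Read one reply (multi-line replies use "250-" continuation lines) and check its code.
    function Read-Reply([int[]]$Expected) {
        do {
            $line = $reader.ReadLine()
            Write-Host "S: $line"
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        $code = [int]$line.Substring(0, 3)
        if ($Expected -notcontains $code) { throw "Unexpected reply: $line" }
    }
    function Send-Line([string]$Text) { Write-Host "C: $Text"; $writer.WriteLine($Text) }

    try {
        Read-Reply 220
        Send-Line "HELO $HeloName";     Read-Reply 250
        Send-Line "MAIL FROM:<$From>";  Read-Reply 250
        Send-Line "RCPT TO:<$To>";      Read-Reply 250
        Send-Line 'DATA';               Read-Reply 354

        # Header section. The To: header is what fills Outlook's To: field and need not
        # match the RCPT TO envelope address. X-Headers can go anywhere in this section.
        Send-Line "From: <$From>"
        Send-Line "To: <$To>"
        Send-Line ('Date: ' + [DateTime]::UtcNow.ToString('ddd, dd MMM yyyy HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture) + ' +0000')
        Send-Line "Subject: $Subject"
        foreach ($name in $XHeaders.Keys) { Send-Line "${name}: $($XHeaders[$name])" }
        Send-Line ''    # the empty line (bare CRLF) that ends the headers and starts the body

        # Body. A line beginning with '.' gets a second '.' prepended (RFC 5321 section 4.5.2)
        # so the server does not read it as the "<CRLF>.<CRLF>" end-of-data marker.
        foreach ($bodyLine in ($Body -split "`r?`n")) {
            if ($bodyLine.StartsWith('.')) { $bodyLine = '.' + $bodyLine }
            Send-Line $bodyLine
        }
        Send-Line '.';                  Read-Reply 250
        Send-Line 'QUIT';               Read-Reply 221
    }
    finally {
        $client.Close()
    }
}

Send-RawSmtpMessage
```

The reply-code check is what makes this useful for testing: if a Receive connector refuses to relay, the script stops at the RCPT TO line with the server's 5xx text instead of silently queuing nothing, and the X-Header is in place for checking header promotion and transport rules on the received message.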

Thursday, March 25, 2010

Fixing Leading and Trailing Whitespace in Exchange Objects

You must remove all the leading and trailing spaces from Exchange 2000/2003 user names, group names, and Public Folder names prior to migrating them to Exchange 2007 or Exchange 2010.  Previous versions of Exchange and Outlook would let you create these objects, usually by accident.  Exchange 2007 and Exchange 2010 have strict conformance rules that will not allow this, so you'll have to fix it before the objects are migrated.

For example, you may use the Exchange AddReplicaToPFRecursive.ps1 script to add your Exchange 2007 or 2010 servers as replicas to your Public Folders.  If the Public Folder contains leading or trailing whitespace you will receive an error in the Exchange Management Shell (EMS):

Set-PublicFolder : The Name property contains leading or trailing whitespace, which must be removed.
At C:\Program Files\Microsoft\Exchange Server\Scripts\AddReplicaToPFRecursive.ps1:147 char:24
+ $_ | Set-PublicFolder <<<< -server $_.OriginatingServer;
WARNING: Object \Information Technology\Website Resources\Software Development has been corrupted and it is in an inconsistent state. The following validation errors have occurred:
WARNING: The Name property contains leading or trailing whitespace, which must be removed.

Use the following PowerShell one-liners to trim the leading and trailing whitespace from Exchange objects in AD:

USER OBJECTS

Single User Object:
Get-Mailbox -Identity USER | Foreach { Set-Mailbox -Identity $_.Identity -DisplayName $_.DisplayName.Trim() }

All User Objects:
Get-Mailbox | Foreach { Set-Mailbox -Identity $_.Identity -DisplayName $_.DisplayName.Trim() }

PUBLIC FOLDERS

Single Public Folder:
Get-PublicFolder -Identity "\Test\SubPath\PublicFolderName" | Foreach { Set-PublicFolder -Identity $_.Identity -Name $_.Name.Trim() }

All Public Folders:
Get-PublicFolder -Identity "\" -Recurse -ResultSize Unlimited | Foreach { Set-PublicFolder -Identity $_.Identity -Name $_.Name.Trim() }

DISTRIBUTION GROUPS

Single Distribution Group:
Get-DistributionGroup -Identity GroupName | Foreach { Set-DistributionGroup -Identity $_.Identity -DisplayName $_.DisplayName.Trim() }

All Distribution Groups:
Get-DistributionGroup | Foreach { Set-DistributionGroup -Identity $_.Identity -DisplayName $_.DisplayName.Trim() }

Note: These commands all give a warning if the object is not changed, which you can safely ignore:

WARNING: The command completed successfully but no settings of '\xxxxx\xxxxxx\xxxxx\IT Department Calendar' have been modified.


Another configuration that can cause errors is when a Public Folder alias contains spaces. Use the following one-liners to remove spaces from Public Folder aliases:


Remove Spaces From a Single Public Folder Alias:
Get-PublicFolder -Identity "\Test\SubPath\PublicFolderName" | Get-MailPublicFolder |
Where {$_.Alias -like "* *"} | ForEach-Object { Set-MailPublicFolder $_.identity -Alias:($_.Alias -Replace " ","") }

Remove Spaces From All Public Folder Aliases:
Get-PublicFolder -Identity "\" -Recurse -ResultSize Unlimited | Get-MailPublicFolder |
Where {$_.Alias -like "* *"} | ForEach-Object { Set-MailPublicFolder $_.identity -Alias:($_.Alias -Replace " ","") }
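The one-liners above can be tied together into a two-step routine, which I add here as an example (it is not part of the original post): first list only the objects that would actually fail the Exchange 2007/2010 validation, so the "no settings have been modified" warning never appears, then change exactly those objects, with a report-only mode for review before anything is written to Active Directory.  The cmdlets are Exchange's own; New-Object -Property needs PowerShell 2.0 or later in the Exchange Management Shell.

```powershell
# Added example (not from the original post): find, report, and fix whitespace problems
# in mailbox, group, and public folder names and in public folder aliases.
function Get-ExchangeNameProblem {
    # Mailboxes and distribution groups: leading/trailing whitespace in DisplayName
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.DisplayName -ne $_.DisplayName.Trim() } |
        ForEach-Object { New-Object PSObject -Property @{ Type = 'Mailbox'; Identity = $_.Identity; Value = $_.DisplayName } }

    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { $_.DisplayName -ne $_.DisplayName.Trim() } |
        ForEach-Object { New-Object PSObject -Property @{ Type = 'DistributionGroup'; Identity = $_.Identity; Value = $_.DisplayName } }

    # Public folders: leading/trailing whitespace in Name
    Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited |
        Where-Object { $_.Name -ne $_.Name.Trim() } |
        ForEach-Object { New-Object PSObject -Property @{ Type = 'PublicFolder'; Identity = $_.Identity; Value = $_.Name } }

    # Mail-enabled public folders: any space inside the Alias
    Get-MailPublicFolder -ResultSize Unlimited |
        Where-Object { $_.Alias -like '* *' } |
        ForEach-Object { New-Object PSObject -Property @{ Type = 'PublicFolderAlias'; Identity = $_.Identity; Value = $_.Alias } }
}

function Repair-ExchangeNameProblem {
    param([switch]$ReportOnly)   # list the changes without making them
    Get-ExchangeNameProblem | ForEach-Object {
        $item  = $_   # keep a reference: inside 'switch', $_ is rebound to the switch value
        $fixed = if ($item.Type -eq 'PublicFolderAlias') { $item.Value -replace ' ', '' } else { $item.Value.Trim() }
        Write-Host ("{0,-18} {1}  '{2}' -> '{3}'" -f $item.Type, $item.Identity, $item.Value, $fixed)
        if ($ReportOnly) { return }   # 'return' inside ForEach-Object moves on to the next object
        switch ($item.Type) {
            'Mailbox'           { Set-Mailbox           -Identity $item.Identity -DisplayName $fixed }
            'DistributionGroup' { Set-DistributionGroup -Identity $item.Identity -DisplayName $fixed }
            'PublicFolder'      { Set-PublicFolder      -Identity $item.Identity -Name $fixed }
            'PublicFolderAlias' { Set-MailPublicFolder  -Identity $item.Identity -Alias $fixed }
        }
    }
}

# Usage: review the list first, then run again without -ReportOnly to apply the changes.
Repair-ExchangeNameProblem -ReportOnly
```

Filtering with Where-Object before calling the Set-* cmdlets is also what keeps the run fast on a large organization: only the objects that need a change generate a write to AD.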

These PowerShell one-liners demonstrate how easily some tasks can be performed.  This might take days to do using the GUI with thousands of objects.

Wednesday, March 3, 2010

Slow Outlook Startup Performance (Part 2)

In an earlier article, I discussed how Outlook startup performance suffers when Outlook Anywhere is configured on the corporate network.

I received an email from a reader, Bruce Lane from Microsoft, who mentioned that he ran across a configuration that was causing slow Outlook startup, as well.

Bruce writes,
New to Outlook 2007 is calendar caching. This allows users to see other peoples’ calendars even if they are working offline.


The problem is that this causes a tremendous amount of client<->server traffic. The problem is especially bad if the user has many other users' calendars open (more than 5 or 6). The people that were experiencing the worst problems were the admin assistants for the most senior people in the organization. They often have many calendars open.


We saw horrible start-up times (3 to 4 minutes) and big lags to change views caused by the calendar caching. Luckily there is a setting in the Outlook profile to disable this feature.

Thanks very much for the tip, Bruce!

How to Securely Deploy iPhones with Exchange ActiveSync - Phase 6 - End-User Deployment of the ActiveSync Profile

This is the seventh and last post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here.  In this phase I will demonstrate the steps and procedures that the end-user will perform to configure their iPhone for ActiveSync.  I will also cover some advanced reverse proxy configurations, such as using Microsoft Threat Management Gateway (TMG), ISA, Tivoli Access Manager (TAM), etc.

As a review, the infrastructure has been built and the necessary software and certificates have been installed and configured.  Members of the ActiveSync Administrators group configure iPhone Configuration Profiles, one per iPhone, which include the user's ActiveSync configuration settings and the ActiveSyncUser user certificate.  Each iPhone Configuration Profile (iCP) is married to the iPhone and exported to the EAS share, which is also a website virtual directory on the CAS server.  The iCP is named for the user for whom it is intended (for example, jqsmith.mobileconfig).

In this final phase, the user authenticates to the EAS website using Safari from the iPhone.  The iPhone automatically downloads the iCP that matches the username.

Here are the steps in detail:

The user is instructed to tap Safari on the iPhone and navigate to https://webmail.companyabc.com/eas (where webmail.companyabc.com is the public FQDN for the CAS server).  The user logs into the Secure Website using the user's AD logon name and password, as shown:


After successfully logging in, the iPhone will download the user-specific ActiveSync Configuration Profile, as shown.


The green Verified indication signifies that the profile was encrypted and signed for this device.

If the user taps More Details on the profile, the details of the configuration profile are displayed showing the ActiveSync server and the email address used in the configuration profile, as shown.  Note that the user cannot tell that a user certificate is embedded in the configuration profile.


Back on the Install Profile screen, tap Install and Install Now to begin installing the profile.

Note that the iPhone only supports one Exchange ActiveSync profile at a time (I sincerely hope this changes in the near future).  If the user already has Exchange ActiveSync configured, the iPhone will display the warning, "Can't install Profile. Only one Exchange account can be set up at a given time."  Remove the existing ActiveSync settings and begin the process again.

If the iPhone already has a passcode configured, the user will need to enter it at this time to begin installing the profile.

During installation of the profile the user is prompted for his/her AD password to connect to their mailbox, as shown:


Enter the AD password, tap Return, and then tap Next to complete installation of the profile.  When the profile has been successfully installed, tap Done.  The user can now close Safari.

If a device lock passcode has been configured in the Exchange ActiveSync Policy, the iPhone will display a message that the user must accept the new policy.  It will then prompt the user for a passcode using the complexity requirements specified in the EAS policy.

It may take a few minutes to complete synchronizing the user's email, calendar, contacts and tasks for the first time.

If at any time in the future the user needs to re-install the ActiveSync Profile on the iPhone (for example, after a hardware reset or software restore), simply follow these steps again.

Removing the ActiveSync Profile
If the user wants to remove the ActiveSync Profile, follow these steps.  Removing the ActiveSync profile also removes the user certificate from the iPhone.

Tap Settings on the iPhone home screen and then tap General.  Scroll to the bottom and tap Profiles.  Tap the profile to remove and then tap Remove.  If the iPhone has a passcode configured, it must be entered to remove the profile.


Reverse Proxy Scenarios
Some environments secure their Client Access Servers from direct Internet communication using Microsoft ISA, Threat Management Gateway (TMG) server, or another reverse proxy solution.

In these scenarios, the public ActiveSync connection and authentication is made at the reverse proxy.  The reverse proxy then proxies the authentication to the internal CAS server(s).  The CAS servers, themselves, act as reverse proxies to the mailbox servers.

With an environment such as this, you need to install the certificate and private key on the reverse proxy server(s).  The reverse proxies need to be configured to require client certificates and use Basic Authentication.  They must then pass the certificate, username, and password to the CAS servers to complete the connection.  This diagram should help.


I hope this series helps you with the deployment of iPhones in your Exchange ActiveSync environment.  I welcome your comments.


This concludes my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise.

Tuesday, March 2, 2010

How to Securely Deploy iPhones with Exchange ActiveSync - Phase 5 - Creating the Website for iPhone Profile Deployment

This is the sixth post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here.  In this phase, we will create the deployment website that end-users will use to download the appropriate iPhone Configuration Profile created in Phase 4.

Since you're most likely using Outlook Web Access served up by the CAS servers, these make a natural choice for hosting the website.  I'll cover how to do this using a single CAS server and then follow up with guidance and best practices for environments with multiple CAS servers.

Add the ASP Role Service to the Web Server
Begin by logging into the CAS server with administrator credentials and opening Server Manager.  Expand Roles and select Web Server (IIS).  Right-click Web Server (IIS) and select Add Role Services.  Under Application Development add the ASP role service, as shown.


Click Next and Install to complete the installation.  No restart is required.

Create the EAS Virtual Directory
Open Internet Information Services (IIS) Manager.  Expand the CAS server name > Sites > Default Web Site.  Right-click Default Web Site and choose Add Virtual Directory.  Enter EAS for the Alias and click the (...) button to browse for the Physical Path.  Navigate to C:\inetpub\wwwroot and click the Make New Folder button.  Name the new folder EAS and click OK twice.


Configure the EAS WebSite Permissions
Right-click the new EAS virtual directory and choose Edit Permissions.  Click the Sharing tab and configure the EAS share with the following share permissions: Add ActiveSync Users (Read) and ActiveSync Admins (Full Control).  Remove Everyone from the share permissions. 

On the Security tab click Advanced and Change Permissions.  Uncheck Include inheritable permissions from this object's parent, click Add (for Windows Server 2008, click Copy), and click OK twice.  Click Edit and remove the Users (CASname\Users) group.  Add ActiveSync Users (Read & Execute, List Folder Contents, Read) and ActiveSync Admins (Full Control), and click OK twice.

Configure the EAS WebSite Authentication
Select the EAS website and double-click Authentication.  Disable Anonymous Authentication and enable Basic Authentication.  Select Basic Authentication and click Edit in the Actions pane.  Enter the domain name for the Default Domain and click OK.

Configure MIME Handling
MIME handling tells the web server how to handle different file extensions and associates file extensions with applications.

Select the EAS website and double-click MIME Types.  Click Add in the Actions pane.  Enter mobileconfig for the File name extension and application/iphone-configuration for the MIME type, as shown, then click OK.


Create the Default Document for the EAS Website
We now need to create a default ASP document for the folder.  This ASP page will be used to cause the iPhone to automatically download the correct iPhone Configuration Profile.

Download the default.asp page here.  Edit default.asp to replace webmail.companyabc.com in the second to last line with the FQDN of your publicly available CAS server.  Save the file in the EAS folder.  You can now close Internet Information Services (IIS) Manager.

Putting It All Together
Now that we have the EAS share and website configured, it's simply a matter of exporting the iPhone configuration profiles to the EAS share (as described in Phase 4), using the ActiveSync user's logon name as the name of the file (for example, jqsmith.mobileconfig).

You then instruct the user to enter https://webmail.companyabc.com/eas in Safari from the iPhone.  The user will be prompted for authentication to access the website.  After the user enters his/her AD username and password, the iPhone Configuration Profile that matches the logon name will be downloaded to install on the iPhone.  I'll cover those steps in detail in the final phase.

Special Configuration for Multiple CAS Servers
If your environment has more than one CAS server in a load-balancing solution used for OWA, you need to perform the procedures above for each of those CAS servers.

You will also need to make sure that you copy the encrypted and signed iPhone Configuration Profiles to each CAS server's EAS share when you export it.  If this pertains to your environment, I recommend using DFS to replicate and distribute the profiles amongst the participating CAS servers.  With DFS you can save the iPhone Configuration Profiles to \\domain\EAS and it will replicate to all the CAS servers automatically.

This completes the configuration of the EAS deployment website.
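Since the same configuration has to be repeated on every CAS server behind the load balancer, here is the procedure above as a script.  It is an added example, not part of the original post: it uses appcmd.exe, icacls and net share, which are present on Windows Server 2008 and 2008 R2, and follows the same order as the manual steps (role service, folder and virtual directory, share and NTFS permissions with inheritance disabled and the local Users group removed, Basic authentication only, MIME type).  The group names and the COMPANYABC logon domain are placeholders for your own values.  It does not create default.asp; copy that file into the folder afterwards as described.

```powershell
# Added example (not from the original post): Phase 5 IIS configuration for one CAS server.
# Run from an elevated PowerShell prompt on the CAS. Group and domain names are placeholders.
function New-EasDeploymentSite {
    param(
        [string]$Folder      = 'C:\inetpub\wwwroot\EAS',
        [string]$LogonDomain = 'COMPANYABC',
        [string]$UsersGroup  = 'ActiveSync Users',
        [string]$AdminsGroup = 'ActiveSync Admins'
    )
    $appcmd = "$env:windir\system32\inetsrv\appcmd.exe"

    # 1. ASP role service (default.asp is classic ASP). ServerManagerCmd exists on 2008 and 2008 R2.
    & servermanagercmd.exe -install Web-ASP

    # 2. Physical folder and the EAS virtual directory under Default Web Site (skip if present)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    if (-not (& $appcmd list vdir "Default Web Site/EAS")) {
        & $appcmd add vdir /app.name:"Default Web Site/" /path:/EAS /physicalPath:$Folder
    }

    # 3. Share permissions: users read the profiles, admins publish them, nobody else.
    & net share EAS=$Folder "/grant:$UsersGroup,READ" "/grant:$AdminsGroup,FULL"

    # 4. NTFS permissions: stop inheriting (copying the current ACEs, so SYSTEM and
    #    Administrators keep access), drop the local Users group, add the two groups.
    & icacls $Folder /inheritance:d
    & icacls $Folder /remove:g Users /grant "${UsersGroup}:(OI)(CI)RX" /grant "${AdminsGroup}:(OI)(CI)F"

    # 5. Basic authentication only: the iPhone prompts for AD credentials, and the file a
    #    user can fetch is the profile named after that logon. No anonymous access.
    & $appcmd set config "Default Web Site/EAS" /section:anonymousAuthentication /enabled:false /commit:apphost
    & $appcmd set config "Default Web Site/EAS" /section:basicAuthentication /enabled:true /defaultLogonDomain:$LogonDomain /commit:apphost

    # 6. MIME type, so Safari hands .mobileconfig files to the profile installer
    & $appcmd set config "Default Web Site/EAS" /section:staticContent /+"[fileExtension='.mobileconfig',mimeType='application/iphone-configuration']"
}

New-EasDeploymentSite -LogonDomain 'COMPANYABC'
```

Basic authentication sends the AD password in a base64-encoded header, so the site must only ever be reachable over HTTPS; on a CAS that is already the case because the EAS virtual directory sits under the same Default Web Site and certificate as OWA.  Note also that every member of ActiveSync Users can read every file in the folder; the protection for the profiles themselves is that each one is encrypted for a single device, which is why Phase 4 exports them that way.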

This concludes Phase 5 of my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise.  In the last phase I will provide the end-user instructions and procedures.

How to Securely Deploy iPhones with Exchange ActiveSync - Phase 4 - Creating the iPhone Configuration Profile

This is the fifth post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here. In this phase, we will create iPhone Configuration Profiles using Apple's iPhone Configuration Utility.  I will also show you how to embed the user certificate and private key into the profile and how to marry the profile to a specific iPhone. 

Let's get started.

First, you will need to download and install the Apple iPhone Configuration Utility (iCU).  The latest version as of this writing is version 2.2.0.185 and is the one I will use here.  The iCU only installs on Windows XP SP3 or Windows Vista SP1 or greater.  It will not install on Windows Server.  It also requires .NET 3.5 SP1.

Note: The iCU is not an enterprise class software program.  All the configurations, hardware profiles and configuration profiles are stored locally on the workstation in the %USERPROFILE%\Local Settings\Application Data\Apple Computer\MobileDevice folder.  For this reason, I recommend using a single workstation for iPhone management and backing up this folder and its child folders to a network location periodically.

Begin the configuration process by logging into the workstation with the credentials used to request and install the user certificate created in Phase 1.  This user has the ActiveSyncUser user certificate stored in his/her personal certificate store.  It will be needed later in this process.

Before the iPhone can be configured it must be activated on the AT&T network.  This is performed using iTunes.  Simply launch iTunes, connect the new iPhone to the computer using the USB cable, and follow the iTunes Setup Assistant.  Once the iPhone is activated you can close iTunes.

Now launch the iPhone Configuration Utility.  The iPhone will automatically be added to the Devices Library in the iCU, as shown below:


In the Devices library, click the iPhone and enter the user's name and email address to identify the device profile.  Note that most iPhones will have the helpful name "iPhone", so the Contact info you enter here will help you out later.

Now click the Configuration Profiles library and click the New icon to create a new base configuration profile.  The base configuration profile can be used for configuration settings that cannot be made using the Exchange ActiveSync Policy, such as iPhone Restrictions or VPN settings.  Apple calls these configurations "payloads".

To create a new base configuration, select the General (Mandatory) setting and enter a Name, Identifier, Organization, and Description, as shown. 


Choose whether the base configuration profile can be removed.  Choices are Always, With Authentication (using a password), or Never.  For base configurations, I recommend With Authentication to prevent end-users from easily removing company restrictions.  You must then supply the Authorization password.  Notice there is no "Save" button anywhere.  Whatever you configure is written immediately to the configuration profile(s).

You can now configure your base configuration settings and restrictions, as shown.  Refer to the iCU help for configuration settings.  If you want to delete a payload from a profile, click the minus sign in the top right corner of the configuration item.


I recommend using Exchange 2007 / 2010 ActiveSync over-the-air policies for any configuration that can be configured using them (for example, device locking duration and passcode complexity).  This will give you the greatest amount of flexibility and will allow you to make changes on the fly.

Now deploy the iPhone Base Profile to the iPhone by clicking the iPhone name under DEVICES on the left pane.  Select the iPhone Base Profile and click Install.


The iPhone will prompt you to install the iPhone Base Profile, as shown below.  Tap Install and then Install Now.  After the profile installs, tap Done.


Back in the iCU, click the Configuration Profiles library.  Click the New icon again to create the ActiveSync Profile.  Configure the General (Mandatory) section as shown:


I recommend setting Security so that the ActiveSync Profile can Always be removed.  This will allow users to remove the EAS profile, which will help later if you ever need to re-deploy the EAS profile.

Now click the Exchange ActiveSync section and configure your ActiveSync settings for the iPhone.  Enter the Account Name, Exchange ActiveSync Host, Domain, User, and Email Address, as shown:


Do not enter the user's password.  The iPhone will prompt the user for any field you leave blank when it installs the profile.  Going forward, the only items you will need to configure for subsequent ActiveSync profiles are the User and Email Address.

Click the + sign under Authentication Credential Name.  The Personal Certificate Store will open for you to add the ActiveSyncUser user certificate to the Exchange ActiveSync profile, as shown:


Enter the password you entered for the certificate's private key in Phase 1.  The certificate and private key will be added to the Exchange ActiveSync configuration.  Check Include Authentication Credential Passphrase to include it in the profile, otherwise the device will prompt the user for the passphrase (not good).


You now have a fully configured iPhone ActiveSync Configuration Profile.  All that's left is to export the ActiveSync Profile so that the user can install it.  You need the user to do this because the profile will prompt for the user's Active Directory password (something I hope you don't know).

Ensure that the ActiveSync Profile is selected and click the Export button.  The Export Configuration Profile window will open.  Select Create and sign encrypted configuration profile for each selected device from the dropdown box and select the correct device, as shown below.  Then click Export.  This will "marry" the ActiveSync configuration profile to the selected device, preventing it from being installed on any other iPhone.  This is how we meet the requirement that "only authorized devices can access ActiveSync".


Now I need to jump forward a bit.  In the next phase, I will explain how to create the deployment website.  For now, let's assume that the website already exists and that the UNC path to the share for that website is \\EXCAS1\eas.  Save the configuration profile to that share, naming the profile with the AD user's logon name (for example, jqsmith.mobileconfig).

Congratulations!  You have now created a unique ActiveSync configuration profile with the embedded ActiveSyncUser user certificate, and encrypted and married the profile to a specific iPhone.

This concludes Phase 4 of my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise.  The next phase will cover how to create the website for end-user iPhone profile deployment.

Devotion to Duty

A friend of mine sent this to me.  :)


Thanks to http://xkcd.com/

Monday, March 1, 2010

Configuring Domain Controller Usage in Exchange 2007 CCR Geo-Clusters

Exchange 2007 Cluster Continuous Replication (CCR) can be configured to span different geographic sites.  These are sometimes called "stretch" or "geographically dispersed" clusters.  In Windows Server 2003, special networking configurations need to be made to stretch a single subnet across the two geographically dispersed locations.  This is made much easier using Windows 2008, since the 2008 clustering service can span different subnets, one in each location.

Even so, Exchange 2007 requires that both nodes of the CCR cluster reside in the same Active Directory site.  Best practice says that there should be redundant Global Catalog servers in each location, in case of an outage in either location.  The trouble is that if each node of the CCR cluster and all the Global Catalogs reside in the same AD site, Exchange servers may (probably will) bind to a GC that is not in the same geographic location as the server, which can lead to problems.

Consider the following example:


A CCR geo-cluster called EXCCR exists in an Active Directory site called E2K7.  NODE1 is in San Francisco and NODE2 is in Las Vegas.  There are two Global Catalog servers in each site, SFDC1 and SFDC2 in San Francisco and LVDC1 and LVDC2 in Las Vegas.  Because all six servers reside in the same AD site, Exchange will bind to any one of the four GCs.  In this example, NODE1 is active and NODE2 happens to be using SFDC1 for Global Catalog and Configuration Domain Controller services.  During this time, NODE2 is reaching across the WAN for GC services, which is not very efficient.

If there is a location specific outage in San Francisco (earthquake, power interruption, or some yahoo takes out a fiber trunk with a backhoe) the CCR cluster will fail over to Las Vegas, but the GC NODE2 is using (SFDC1) is unavailable, too.  Exchange services will not fail over correctly and an outage occurs -- something that the CCR cluster is supposed to prevent.

This condition affects all Exchange servers in the E2K7 site, including all Hub Transport and Client Access Servers.

The way to design around this problem is to configure the CCR node in each location to exclude the GCs in the remote location.  This is done using the following command from the Exchange Management Console, as shown for the Hub Transport server, EXHUB1:

Set-ExchangeServer -id EXHUB1 -StaticExcludedDomainControllers:sfdc1.domain.com,sfdc2.domain.com

Note that the Domain Controllers specified must be in FQDN form, separated by commas, with no spaces.  

You would do the same for NODE1, specifying LVDC1 and LVDC2.

The result is that each node will always use the local GCs for that node.  If both of those local GCs are unavailable for some reason, Exchange will temporarily bind to any GC in a remote site in the domain.  This binding will occur automatically within 15 minutes.  When the local GCs become available again, Exchange will re-bind to them within 15 minutes.  Perfect!

It's a little different for the CCR mailbox server since the Set-ExchangeServer cmdlet runs against the CMS name.  The cmdlet configures the registry of the active node, so you need to run it twice, as shown (assuming that NODE1 is the active node in San Francisco):

Set-ExchangeServer -id EXCCR -StaticExcludedDomainControllers:lvdc1.domain.com,lvdc2.domain.com

Then fail the CCR cluster over to NODE2 and run:

Set-ExchangeServer -id EXCCR -StaticExcludedDomainControllers:sfdc1.domain.com,sfdc2.domain.com

After this has been configured on both nodes the StaticExcludedDomainControllers value will be different, depending on which node is active.

...

While researching this article, I came across something unexpected.  I set the StaticExcludedDomainControllers value using the Set-ExchangeServer cmdlet and it works as expected.  But when I try to view the configuration using the Get-ExchangeServer cmdlet, the value appears empty, as shown:


The reason it shows null is because the StaticDomainControllers, StaticGlobalCatalogs, StaticConfigDomainController, and StaticExcludedDomainControllers variables are stored in the Exchange server's registry, not in Active Directory.  According to Microsoft, this is "by design" to prevent performance issues caused by the Remote Registry call needed to retrieve the values.  I'm not aware of any other cmdlet that has this behavior.

In any event, to view the configuration of these variables you must use the -Status switch, as shown:


The registry key where these values are stored is HKLM\System\CurrentControlSet\Services\MSExchange ADAccess\Profiles\Default. The value is a Multi-String Value (REG_MULTI_SZ) called ExcludedDCs.
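The following is an added example, not from the original post, that ties the steps above together in the Exchange Management Shell: it applies the per-location exclusions to each server, walks the two-step CMS procedure, and then verifies the result both through Get-ExchangeServer -Status and by reading the ExcludedDCs value from the physical node's registry. EXHUB1, EXCCR, NODE1/NODE2 and the four GC names come from the post; EXHUB2 and its San Francisco location are assumed for illustration.

```powershell
# Added example (not the post's own code). Run from the Exchange Management Shell.
# GCs that servers in each location must NOT bind to, i.e. the remote site's GCs.
$excludeByLocation = @{
    'SanFrancisco' = @('lvdc1.domain.com', 'lvdc2.domain.com')
    'LasVegas'     = @('sfdc1.domain.com', 'sfdc2.domain.com')
}

# Non-clustered Exchange servers per location. EXHUB1 is in Las Vegas per the post
# (it excludes the SF GCs); EXHUB2 is an assumed second Hub Transport in San Francisco.
$serversByLocation = @{
    'SanFrancisco' = @('EXHUB2')
    'LasVegas'     = @('EXHUB1')
}

foreach ($location in $serversByLocation.Keys) {
    foreach ($server in $serversByLocation[$location]) {
        # Pass a string array: a single 'a,b' string would be stored as one bogus FQDN.
        Set-ExchangeServer -Identity $server -StaticExcludedDomainControllers $excludeByLocation[$location]
    }
}

# The CMS is different: the cmdlet writes the registry of whichever node is currently
# active, so set the active node's exclusions, move the CMS, and set the other node's.
# Assumes NODE1 (San Francisco) is active when this starts.
Set-ExchangeServer -Identity 'EXCCR' -StaticExcludedDomainControllers $excludeByLocation['SanFrancisco']
Move-ClusteredMailboxServer -Identity 'EXCCR' -TargetMachine 'NODE2' -MoveComment 'Set DC exclusions on NODE2' -Confirm:$false
Set-ExchangeServer -Identity 'EXCCR' -StaticExcludedDomainControllers $excludeByLocation['LasVegas']

# The Static* values only appear with -Status, because they live in the registry, not AD.
function Get-DcBinding {
    param([string]$Identity)
    Get-ExchangeServer -Identity $Identity -Status |
        Select-Object Name, CurrentDomainControllers, CurrentGlobalCatalogs,
                      CurrentConfigDomainController, StaticExcludedDomainControllers
}

# Read ExcludedDCs (REG_MULTI_SZ) directly from a node. The key is per machine, so for
# the CMS query NODE1 and NODE2 by name, not EXCCR.
function Get-ExcludedDCsFromRegistry {
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\MSExchange ADAccess\Profiles\Default')
    if ($key -eq $null) { $hklm.Close(); return @() }
    $value = @($key.GetValue('ExcludedDCs'))
    $key.Close(); $hklm.Close()
    return $value
}

# Warn when a server is currently bound to a DC it should exclude: either the change has
# not been picked up yet (allow up to 15 minutes) or both local GCs are unavailable and
# Exchange has fallen back to a remote one, which is the failure mode the post describes.
function Test-DcBinding {
    param([string]$Identity, [string[]]$Excluded)
    $b = Get-DcBinding -Identity $Identity
    $current = @()
    foreach ($dc in @($b.CurrentDomainControllers) + @($b.CurrentGlobalCatalogs) + @($b.CurrentConfigDomainController)) {
        $current += "$dc".ToLower()
    }
    $hits = @($current | Where-Object { $Excluded -contains $_ })
    if ($hits.Count -gt 0) {
        Write-Warning ("{0} is bound to excluded DC(s): {1}" -f $Identity, ($hits -join ', '))
    } else {
        Write-Host ("{0}: bound only to permitted DCs" -f $Identity)
    }
}

Test-DcBinding -Identity 'EXHUB1' -Excluded $excludeByLocation['LasVegas']
Test-DcBinding -Identity 'EXCCR'  -Excluded $excludeByLocation['LasVegas']   # NODE2 is active at this point
Get-ExcludedDCsFromRegistry -ComputerName 'NODE1'   # expect lvdc1/lvdc2
Get-ExcludedDCsFromRegistry -ComputerName 'NODE2'   # expect sfdc1/sfdc2
```

Checking the registry on each physical node is the only way to confirm the CMS step landed on both nodes, since Get-ExchangeServer -Status against EXCCR only reports whichever node happens to be active.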

How to Securely Deploy iPhones with Exchange ActiveSync - Phase 3 - Publishing User Certificates to Active Directory

This is the fourth post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here. In this phase, we will publish the same user certificate to each user object in Active Directory that is a member of the ActiveSync Users security group.

As mentioned earlier, ActiveSync will be configured to require user certificates for authentication.  This means that the user needs a user certificate with the private key, and ActiveSync will check this certificate for a matching certificate in Active Directory.  We need to publish the certificate to the user accounts in Active Directory, as shown below.


When you view the properties of the published certificate, you see that it was issued by the CA (W2K8R2-CA) and that the certification path is valid, since we published the root CA certificate to all machines in the domain using Group Policy in Phase 2.


While this is a fairly simple process to do, I wrestled with different ways of doing it programmatically.  I finally decided to use VBScript to publish the certificate to AD.  I chose VBScript instead of PowerShell because I could not be certain that the ActiveSync Administrator(s) would have PowerShell installed.

The script uses CAPICOM, which is a security technology from Microsoft that allows Microsoft Visual Basic, Visual Basic Script, ASP, and C++ programmers to easily incorporate digital signing and encryption into their applications.  To use CAPICOM, you must download and register the CAPICOM.DLL on the computer that runs the script.  The script automatically registers the DLL, as long as it resides in the same network share where the ActiveSync user certificate resides.

First, download CAPICOM and extract the contents to get the CAPICOM.DLL file (we have no need for any of the other files or examples).  Then create a network share that the mobile administrators have access to (for example \\fileserver\iPhone).  Copy the CAPICOM.DLL, the ActiveSyncUser.cer user certificate (exported in Phase 1), and the VBScript below to the share.  You will need to edit the script to reflect the name you used for your ActiveSync Users group in AD, the path to CAPICOM.DLL and the user certificate, and the name of the user certificate if necessary.

Here's the Publish Mobile Cert.vbs script:

'======================================================================================================================================
'Publish Mobile Cert.vbs
'
'The admin running the script must have rights to modify the user accounts that are members of the ActiveSync Users group in AD.
'
'Jeff Guillet
'02/10/2010
'
'This script publishes the mobile user certificate into Active Directory for all members of the ActiveSync Users security group
'
'Microsoft link for CAPICOM: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=860EE43A-A843-462F-ABB5-FF88EA5896F6
'=======================================================================================================================================

On Error Resume Next

'Configure constants
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
'CAPICOM type library constants are not visible to a plain .vbs file, so define the one we use (1 = DER binary)
Const CAPICOM_ENCODE_BINARY = 1

'--------------------------------------------------------------------------
'Modify the three variables below, as required
'--------------------------------------------------------------------------
eASUsersGroup = "ActiveSync Users"
pathToFiles = "\\fileserver\iPhone\"
certFile = "ActiveSyncUser.cer"
'--------------------------------------------------------------------------

userCount = 0
errorCount = 0

msg = "This script publishes the '" & certFile & "' certificate to all members of" & vbCRLF
msg = msg & "the '" & eASUsersGroup & "' security group. Do you want to continue?"
r = MsgBox(msg, vbYesNo + vbQuestion, "Publish Mobile Cert")
If r = vbNo Then Wscript.Quit

'Create log file (8 = ForAppending, True = create the file if it does not exist)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set FullLog = FSO.OpenTextFile(pathToFiles & "Publish Mobile Cert.log", 8, True)

'Check for and set dependencies
'--Check for CAPICOM.DLL
If NOT FSO.FileExists("C:\Windows\System32\capicom.dll") Then
    If NOT FSO.FileExists(pathToFiles & "capicom.dll") Then
        MsgBox pathToFiles & "capicom.dll is missing. Cannot continue.", vbCritical, "Missing File"
        Wscript.Quit
    Else
        FSO.CopyFile pathToFiles & "capicom.dll", "C:\Windows\System32\"
    End If
End If
'--Check for certificate
If NOT FSO.FileExists(pathToFiles & certFile) Then
    MsgBox pathToFiles & certFile & " is missing. Cannot continue.", vbCritical, "Missing File"
    Wscript.Quit
End If
'--Register CAPICOM.DLL silently and wait for regsvr32 to finish
Set WshShell = WScript.CreateObject("WScript.Shell")
rc = WshShell.Run("regsvr32 /s C:\Windows\System32\capicom.dll", 0, True)

'Load the certificate file, export it as DER binary, and convert it to the byte array that userCertificate expects
Set Certificate = CreateObject("CAPICOM.Certificate")
Certificate.Load pathToFiles & certFile
BinaryEncodedCertificate = Certificate.Export(CAPICOM_ENCODE_BINARY)
Set Utilities = CreateObject("CAPICOM.Utilities")
ArrayEncodedCertificate = Utilities.BinaryStringToByteArray(BinaryEncodedCertificate)

'Configure connection to Active Directory
Set con = CreateObject("ADODB.Connection")
con.Provider = "ADsDSOObject"
con.Open "DS Query"
Set command = CreateObject("ADODB.Command")
Set command.ActiveConnection = con
command.Properties("searchscope") = 2     'ADS_SCOPE_SUBTREE
command.Properties("Page Size") = 20000
command.Properties("Timeout") = 180

'Get default domain
Set oRoot = GetObject("LDAP://rootDSE")
oDomain = "LDAP://" & oRoot.Get("defaultNamingContext")

'Construct and execute query to get the eASUsersGroup
command.CommandText = "SELECT AdsPath FROM '" & oDomain & "' WHERE name = '" & eASUsersGroup & "' AND objectClass = 'Group'"
Set rs = command.Execute

'Append to the log file
FullLog.WriteLine String(75, "=")
FullLog.WriteLine "Publish Mobile Cert.vbs"
FullLog.WriteLine Now
FullLog.WriteLine "Adding the mobile user certificate to the following users:"
FullLog.WriteLine String(75, "-")

'Loop through the result set (only the first group with a matching name is processed)
Do While NOT rs.EOF
    Set oGroup = GetObject(rs.Fields(0))
    groupDN = oGroup.distinguishedName
    'Publish the certificate to each member of the group
    For Each Member In oGroup.Members
        userCount = userCount + 1
        'Append the certificate to the user's certificate store in Active Directory
        Err.Clear
        Set UserObj = GetObject("LDAP://" & Member.distinguishedName)
        UserObj.PutEx ADS_PROPERTY_APPEND, "userCertificate", Array(ArrayEncodedCertificate)
        UserObj.SetInfo
        If Err.Number = 0 Then
            FullLog.WriteLine Member.distinguishedName
        Else
            FullLog.WriteLine "Unable to update user: " & Member.distinguishedName & " (" & Err.Description & ")"
            errorCount = errorCount + 1
        End If
    Next
    Exit Do
Loop

FullLog.WriteLine String(75, "=") & vbCRLF & vbCRLF

msg = "Successfully published the certificate to " & (userCount - errorCount) & " user accounts." & vbCRLF
msg = msg & "Review the Publish Mobile Cert.log for details."
If errorCount > 0 Then
    msg = msg & vbCRLF & vbCRLF & errorCount & " error(s) were encountered."
    MsgBox msg, vbExclamation, "Publish Mobile Cert"
Else
    MsgBox msg, vbInformation, "Publish Mobile Cert"
End If

Here's a link to the script for those of you averse to copying and pasting.

To run the script you must have rights to modify the user accounts that are members of the ActiveSync Users security group.  Simply double-click the script to run it.  The script will register CAPICOM.DLL, connect to Active Directory and search for the ActiveSync Users group, enumerate all the members of the group, and publish the ActiveSync user certificate to each user.  A log file is generated in the folder path specified in the script each time it is run.

We have now completed publishing the ActiveSync user certificate to the user accounts in Active Directory that are members of the ActiveSync Users group.
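Because ActiveSync will match the client's certificate against what is stored in Active Directory, it is worth confirming what actually landed in userCertificate once the script has run. The following is an added example, not part of the original post or of Publish Mobile Cert.vbs: a PowerShell 2.0 check that reads the expected certificate's thumbprint from the .cer file, then reports for each direct user member of the group whether that certificate is present and whether any other (stale or unexpected) certificates are published alongside it. The group name and share path are the same assumed values the post uses; it relies only on System.DirectoryServices and X509Certificate2.

```powershell
# Added example (not the author's script). Requires PowerShell 2.0 for try/catch.
$eASUsersGroup = 'ActiveSync Users'                    # same assumed group name as in the post
$certFile      = '\\fileserver\iPhone\ActiveSyncUser.cer'   # same assumed share path as in the post

function Get-CertThumbprint([byte[]]$Bytes) {
    # Returns the SHA-1 thumbprint, or $null when the bytes are not an X.509 certificate.
    try {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$Bytes)
        return $c.Thumbprint
    } catch { return $null }
}

function Test-PublishedCert([string]$GroupName, [string]$CerPath) {
    $expectedThumb = Get-CertThumbprint ([IO.File]::ReadAllBytes($CerPath))
    if (-not $expectedThumb) { throw "$CerPath is not a readable certificate file" }

    # Same lookup the VBScript does: find the group by name under the default naming context.
    $domainDN = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher ([ADSI]"LDAP://$domainDN")
    $searcher.Filter = "(&(objectClass=group)(name=$GroupName))"   # assumes no LDAP metacharacters in the name
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Group '$GroupName' not found in $domainDN" }
    $group = $result.GetDirectoryEntry()

    # 'member' is returned whole only for groups under the server's range limit (1500 by default);
    # larger groups need ranged retrieval, which this check does not implement.
    foreach ($memberDN in $group.Properties['member']) {
        $entry = [ADSI]"LDAP://$memberDN"
        # Only direct user members: nested groups and contacts are skipped.
        if (-not ($entry.Properties['objectClass'] -contains 'user')) { continue }

        $thumbs = @()
        foreach ($blob in $entry.Properties['userCertificate']) {
            $t = Get-CertThumbprint ([byte[]]$blob)
            if ($t) { $thumbs += $t } else { $thumbs += 'UNPARSEABLE' }
        }

        New-Object PSObject -Property @{
            User        = [string]$memberDN
            HasExpected = ($thumbs -contains $expectedThumb)
            # Anything else published here, e.g. an older ActiveSync certificate left behind
            # after a re-issue, or a value that does not parse as a certificate at all.
            OtherCerts  = @($thumbs | Where-Object { $_ -ne $expectedThumb })
        }
    }
}

Test-PublishedCert -GroupName $eASUsersGroup -CerPath $certFile |
    Format-Table User, HasExpected, OtherCerts -AutoSize
```

A user with HasExpected = False is one the script logged as "Unable to update user" (or one added to the group after the script ran); a non-empty OtherCerts list is worth reviewing, since the script only ever appends to userCertificate and never removes a previously published certificate.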



This concludes Phase 3 of my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. The next phase will cover how to create the iPhone Configuration Profile using Apple's iPhone Configuration Utility.

Other articles in this series: