Friday, June 6, 2008

New Certifications


May 2008 was a busy month for me.

In addition to writing a book, I passed five exams in the first three weeks and earned my MCITP:Enterprise Messaging Administrator (the premier Exchange 2007 administrator certification) and three MCTS certifications (SCOM 2007, Forefront and Exchange 2007).

That makes 34 exams in a row that I've passed without failing, including my CISSP. Yes!! The streak remains unbroken!

I've put together a certifications page that lists the current certifications that I hold, which I'm rather proud of.

Tomorrow I'm off to TechEd and I can't wait! I'll be blogging at least once a day while I'm there. Check my blog all week. If you're going to TechEd yourself, I might meet you at the TechEd Blogger Ultra Lounge. See you there!


Tuesday, March 11, 2008

Windows Server 2008 Upgrade Complete

In a previous post I mentioned that I was going to upgrade my network to Windows Server 2008. Well, I've completed the upgrade and it ROCKS!


I now have a single W2K8 Enterprise server running Hyper-V RC0. This server hosts two guests, one x86 domain controller and one x64 Exchange 2007 server running Forefront Security for Exchange Server. The host server is running this blog as well as Exchange 2007 Edge services. The performance is outstanding! Much better than my old x64 Windows 2003 host running VMware.

The Exchange Team posted a great article, Speeding up installation of Exchange Server 2007 SP1 Prerequisites on Windows Server 2008. It offers XML files that configure the Windows Server 2008 prerequisites for Exchange 2007 SP1. While it wasn't that difficult to install everything manually, it would have saved some time for me if I had this before my upgrade.

Last night I completed the upgrade and decommissioned the old W2K3 DC, Exchange and Edge servers.

Please let me know if you have any issues with the blog. The migration went very smoothly and I don't anticipate any problems.


Tuesday, February 26, 2008

Top Ten Reasons to Move to Exchange 2007

Here are some key features and technologies Exchange Server 2007 provides that make a good business case for its use:
  • Fault Tolerance -- Exchange 2007 offers several forms of fault tolerance, right out of the box:

    • Local Continuous Cluster (LCR) maintains a continuously updated copy of the active mailbox database on a different LUN to provide immediate failover capability if the active database becomes corrupt. The second copy is activated manually by the administrator.

    • Cluster Continuous Replication (CCR) is a local cluster model where each node maintains its own database and replication is performed using log shipping. In the event of failure of a service, the cluster services immediately fail over to the passive node and continue servicing client requests, minimizing client downtime. CCR clusters can be stretched over distance, providing geographically dispersed clusters.

    • Standby Continuous Replication (SCR) is similar to CCR, but the failover node resides in a different geographic location. It utilizes log shipping for replication and the Hub Transport servers "fill in the blanks" for messages that may not have replicated since the time the active node went offline.


  • Disaster Recovery -- Outlook 2003 and Outlook 2007, along with the fault tolerance technologies listed above, provide a quick and easy disaster recovery strategy for nearly any outage. Outlook Exchange cached mode is another key technology for making disaster recovery as seamless as possible.


  • Mailbox Server Consolidation -- As a 64-bit messaging platform, Exchange 2007 is able to accommodate much larger mailboxes and mailstore databases than ever before. This allows you to greatly consolidate the number of mailbox servers needed to support the same number of users.


  • Exchange Edge Server -- Edge Server for Exchange is a non-domain server that acts as the SMTP gateway between the Internet and SCIF's internal network. It replaces both the current SMTP gateway and Interscan servers, saving both hardware and software costs. It provides anti-spam and anti-virus services for the organization. EdgeSync is a process that synchronizes the email addresses in AD and the user Junk Mail safe lists/block lists with the Edge server to reduce spam at the network edge.


  • Better Integration with Outlook -- Suspected spam that is not blocked by the Edge server is delivered to Outlook's built-in Junk E-mail folder. Users can choose to block or allow emails from users or domains directly from Outlook without the need for third-party software.


  • Forefront Security for Exchange -- Forefront antivirus is included with the Exchange 2007 Enterprise CAL. Forefront allows you to choose up to five different antivirus engines (from a collection of nine) that all emails are scanned against. This provides more defense in depth than previously possible.


  • Corporate Managed Folders -- Managed folders allow administrators to configure common corporate folders, with specific retention periods, that display in users' Outlook and OWA. For example, a folder named Legal may have a seven year retention policy. Any items in this folder older than 7 years will automatically be purged to maintain the company's corporate retention policy.


  • Improved Outlook Web Access -- Outlook Web Access (OWA) has been improved to provide much better performance and usability. The Private computer security setting now allows you to stay logged in for up to 24 hours. Calendaring and scheduling have been greatly improved. OWA now provides the ability to open another user's mailbox (assuming you have the appropriate rights to do so). Public Folders now open in the same OWA window. Searching for email items takes only seconds, no matter how large the mailbox is.


  • Remote Access to Network Shares -- OWA provides the ability to "translate" UNCs to internal network shares. For example, if you click a link for //hofs01/share/CIOMeeting.ppt, OWA will fetch the document from the internal network (assuming you have rights to the document) and deliver it to you in OWA. You can also open a Windows SharePoint Services or file share by typing the address of the share to open directly in OWA.


  • WebReady Document Viewing -- WebReady Document Viewing renders common document types for you to view within OWA, even if the application is not installed on that computer. For example, if you want to view an Excel attachment from a machine that does not have Excel installed, click the "View as web page" link next to the attachment. Exchange 2007 will convert the spreadsheet to a web page for you to review.





Saturday, February 9, 2008

Fix for Forefront Update Timeout Errors


I use Microsoft Forefront Security for Exchange Server on my Exchange 2007 Edge server.

Recently I noticed the following error in the Application Event log:

Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date: 2/9/2008
Time: 10:08:43 AM
User: N/A
Computer: GATEWAY
Description:
Microsoft Forefront Server Security encountered an error while performing a scan engine update.
Scan Engine: Kaspersky5
Update Path: http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky5
Proxy Settings: Disabled
Error Code: 0xC0001F58
Description: The operation timed out.

Followed immediately by:

Event Type: Information
Event Source: GetEngineFiles
Event Category: General
Event ID: 2017
Date: 2/9/2008
Time: 10:08:43 AM
User: N/A
Computer: GATEWAY
Description:
Forefront Server Security has rolled back a scan engine.
Scan Engine: Kaspersky5

This was happening every 5 minutes after Event ID 2034, which reports that Microsoft Forefront Server Security is attempting a scan engine update of the Kaspersky5 scan engine.

To solve this error make the following change to the registry on the server running Forefront:
  • Open Regedit

  • Navigate to the following key:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server
  • Click New DWORD Value

  • Type EngineDownloadTimeout, and then press ENTER

  • Right-click the new value and select Modify

  • Select Decimal as the base, enter 600 in the Value data box, and then click OK. This setting causes the scan engine download process to time out after 600 seconds (10 minutes, instead of 5 minutes)

  • Exit Regedit

Note: You do not have to restart Forefront Server services or Exchange Server services after you change this registry entry.

Now perform a manual scanner update in Forefront:

  • Open Forefront Server Security Administrator

  • Click Scanner Updates under Settings

  • Select the appropriate scan engine that was previously timing out. In my case, Kaspersky Antivirus Technology

  • Click the Update Now button on the right side of the screen

Check the Application event log to ensure that the scan engine has updated properly (Event ID 2012).
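
The registry change and the event log check above can also be scripted. The following PowerShell is an added example, not part of the original post: it uses the key, value name and event IDs quoted above, and assumes the event source GetEngineFiles is exposed as the provider name to Get-WinEvent. The manual "Update Now" step is still done in Forefront Server Security Administrator.

```powershell
# Added example: apply the EngineDownloadTimeout fix and review update events.
# Run from an elevated PowerShell prompt on the server running Forefront.
$key  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server'
$name = 'EngineDownloadTimeout'
$timeoutSeconds = 600   # value from the post: 10 minutes

if (-not (Test-Path $key)) {
    throw "Key not found: $key (is Forefront installed on this server?)"
}

# Record the previous value (if any) so the change can be reverted.
$previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $previous) { Write-Host "$name not set; creating it." }
else { Write-Host "$name was $previous; changing to $timeoutSeconds." }

New-ItemProperty -Path $key -Name $name -PropertyType DWord `
    -Value $timeoutSeconds -Force | Out-Null

# Summarize scan engine update events from the last 24 hours.
# Event IDs and their meanings are the ones quoted in the post.
$meaning = @{
    2034 = 'update attempt'
    6014 = 'update error'
    2017 = 'engine rolled back'
    2012 = 'engine updated'
}
$filter = @{
    LogName      = 'Application'
    ProviderName = 'GetEngineFiles'   # assumption: classic "Event Source" name
    Id           = [int[]]$meaning.Keys
    StartTime    = (Get-Date).AddHours(-24)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$events | Sort-Object TimeCreated | ForEach-Object {
    # The engine name appears in the message as "Scan Engine: <name>".
    $engine = if ($_.Message -match 'Scan Engine:\s*(\S+)') { $Matches[1] } else { '?' }
    '{0:u}  {1}  {2,-18}  {3}' -f $_.TimeCreated, $_.Id, $meaning[[int]$_.Id], $engine
}

# Count failures and successes in the window; 6014/2017 entries timestamped
# after the registry change mean the engine is still not updating.
$failed = @($events | Where-Object { $_.Id -in 6014, 2017 }).Count
$ok     = @($events | Where-Object { $_.Id -eq 2012 }).Count
Write-Host "Failures/rollbacks: $failed   Successful updates: $ok"
```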



Monday, April 16, 2007

Eating My Own Dog Food

This weekend I upgraded my home production domain from Windows 2003 R2 (x32) and Exchange 2003 to Windows 2003 R2 SP2 (x64) and Exchange 2007. My goal was to pretend I was at a customer site and had to migrate this environment successfully to the new hardware.

My home production equipment consisted of a single Dell 4600 all-in-one box. It was a W2K3 R2 Enterprise domain controller with SP1, which also ran Exchange 2003 Enterprise SP2 and served as a DNS, WINS, WWW and file server. The server had a single Intel 2.8GHz HT CPU, 2GB of RAM and a 160GB hard drive. My replacement server is a Dell E521 with an AMD Athlon 64 Dual-Core, 4GB of RAM and a 250GB hard drive.

Since I am still limiting myself to a single physical server, I decided to use VMware to virtualize most of my environment. All servers will run Windows Server 2003 R2 (x64) with SP2. The host server (GATEWAY) will be a workgroup server running Exchange 2007 Edge Server and VMware Workstation. The two virtual servers are DC01, a domain controller/DNS/WINS server, and EX01, an Exchange 2007 server with the Hub Transport, Client Access, and Mailbox roles. My LAN is connected to the Internet via a Netgear wireless router/firewall, as per the following diagram.
















First I installed x64 Windows Server 2003 R2 Enterprise SP1 on GATEWAY and used the Microsoft Update site to install SP2, IE7, ADAM (required for Exchange Edge server) and all the critical updates. SP2 installs the Windows firewall by default, so I disabled it. Then I installed VMware Workstation 5.6. I chose Workstation since ESX will not recognize SATA drives and GSX only allows one snapshot per VM.

Next I created a base image VM using x64 Windows Server 2003 R2 Enterprise, upgraded to SP2, IE7 and all the critical updates, and disabled the firewall. I use this image to base all my servers on, which makes provisioning future servers a breeze.

I then created two new linked clone servers, DC01 and EX01 and joined them to the domain. I promoted DC01 to a domain controller and installed DNS and WINS. I installed IIS, .NET Framework 2.0 and 3.0, and the necessary patches on EX01 in preparation for Exchange 2007. I took a snapshot of both servers at this point and then began to install Exchange 2007.

Here's where it gets interesting. The Exchange 2007 setup has a lot of logic and workflow built into it. You pretty much install the DVD, answer a few questions and let it run. Setup will check that the server meets the prerequisites and pre-qualifies the environment to ensure a smooth installation. In theory. The installation went happily along updating the schema, preparing the domain and installing the server roles. But as it was installing the Hub Transport role it errored, saying that the disk could not be read and to try setup again later. It did not offer a "retry" button. The trouble turned out to be a smear of what I can only guess was macaroni and cheese on the DVD. Kids. Gotta love 'em.

So, I cleaned off the DVD and ran setup again. Now setup said that the Hub Transport role was not installed properly and to remove it first. Trouble is, neither setup nor the Exchange Management Console (EMC) showed that any roles had been installed, so I couldn't uninstall it. I'll spare you the gory details, but I tried uninstalling it using PowerShell, the switches in setup, and reverting to my snapshot. No good. I then removed the Exchange Administrative Group (FYDIBOHF23SPDLT) and Exchange Routing Group that setup automatically creates in a mixed mode environment using ADSI Edit. This let me run setup again, but now I got an error complaining that Exchange Administrative Group (FYDIBOHF23SPDLT) was missing. I recreated both the AG and RGC on the Exchange 2003 side (I had to use ADSI Edit again to rename the AG using the parentheses) and tried again. Success!

After I ensured that I had mail flow between the E2K3 and E2K7 servers, I installed the Edge Server role and Microsoft Forefront (antivirus/antispam) on GATEWAY. This created a new RGC to the Internet on GATEWAY. I then created an EdgeSync subscription and tested it. I moved the mailboxes to EX01 and successfully tested OWA and Outlook.

Now to put it into production. I have one MX record published on the Internet for inbound email. My firewall allows SMTP port 25 and HTTP port 80 traffic to WWW (x.x.x.50). I reconfigured WWW to use a different address and configured GATEWAY to use x.x.x.50. I successfully tested inbound and outbound email and that my web pages worked properly from GATEWAY. I then reconfigured my firewall to forward SSL port 443 to EX01. Exchange setup automatically configures OWA on the CAS role to use SSL. I used ts.cco.com to look back into my OWA and successfully tested email again.

The final step was to decommission my old DC/Exchange 2003 server. There are a few steps I needed to do in Exchange 2007, such as re-home the OAB, replicate Public Folder content, etc. After that, it was simply a matter of deleting the RGCs to the Exchange 2003 AG, deleting the old AG itself, and uninstalling Exchange 2003. I'm pleased to say that the customer is very satisfied. :)

I learned a lot through this entire process. Highlights are:
  • Dog food is delicious.
  • Ensure your media is OK. Keep sticky fingers and food away! I was surprised at this, since setup copies the binaries to the local hard drive and re-compiles them.
  • Microsoft put a lot of work into the install process, but it's not perfect. I would imagine I would have had the same problem if the DVD was ejected during setup.
  • Never give up. I could have always used exmerge and rebuilt my domain, but few customers would accept this.
  • 64-bit hardware, lots of RAM and VMware are "good things"
  • Giving 512MB to my virtual DC and 2GB to my virtual Exchange Server yields respectable performance
  • Since VM Workstation won't start as a service, I enabled auto-logon on GATEWAY and wrote a script that launches and runs my VM team
  • Microsoft Forefront is still a Sybari product with Microsoft stickers on it (needs work)
