Exchange 2010 RTM and SP1 OWA Integration With OCS 2007 R2

I recently integrated Exchange 2010 RTM OWA with OCS 2007 R2 for chat and presence. Having read some blog posts about how to implement the feature I decided to blog how I got this feature working based on these blogs and my own findings. I will cover the steps for both the Exchange 2010 RTM and SP1 versions since the steps are different.

Prerequisites

  1. Download and install OCS 2007 R2 Web Trust Tool on the Exchange 2010 server
    1. http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ca107ab1-63c8-4c6a-816d-17961393d2b8 
    2. Locate and install the following files in elevated mode by running cmd.exe as administrator
      • vc_redistx64
      • UCMAredist.msi
      • CWAOWASSP.msi
  2. If the Exchange 2010 server is running on Server 2008 R2 you also need to install the latest cumulative hotfix update for OCS 2007 R2 on the Exchange server
    1. http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b3b02475-150c-41fa-844a-c10a517040f4
    2. Download and run ServerUpdateInstaller.exe
    3. Also download the latest update for UCMAredist that is not included in CU5
    4. Reboot the server

Configuring Exchange 2010 RTM

NOTE: The below steps need to be done on all Exchange 2010 CAS servers in your deployment

  1. Download and run the PowerShell Script found in the below link
    1. https://msunified.net/exchange-downloads/script-imexintegration-ps1/
    2. The script will not configure anything
    3. It takes a backup of web.conf and generates the configuration you need to add to the web.conf file manually
    4. The script makes it easy to generate the correct syntax for populating the below keys
  2. Navigate to the web.conf file
    1. C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.conf
    2. Edit the file and search for the string IMPoolName
    3. Replace the three “add key” strings with the ones provided with the script
  3. In Exchange Management Shell run the following command to configure OWA Virtual Directory
    • Get-OwaVirtualDirectory -Server "CasServer" | Set-OwaVirtualDirectory -InstantMessagingType 1
      • NOTE: The RTM documentation states OCS, but that doesn't work. Use 1 as InstantMessagingType
  4. Run IISreset in PowerShell
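As an added example (not the script linked above, nor anything from the original post), the following PowerShell builds the three web.conf add key lines from the certificate that currently carries the IIS service on the local CAS, spacing the serial number octets as the troubleshooting section further down requires. The key names OCSCertificateIssuer and OCSCertificateSerialNumber are the ones quoted in that section; using the certificate's Issuer distinguished name as the issuer value is an assumption.

```powershell
# Added example, not the author's script. Generates the three web.conf keys the RTM steps
# ask you to replace, using the certificate that currently has the IIS service.
# Assumption: the issuer value is the certificate's Issuer distinguished name.
param(
    [Parameter(Mandatory = $true)]
    [string]$OcsPoolFqdn,   # e.g. ocspool01.domain.local (placeholder)
    [string]$WebConf = "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.conf"
)

# Only one certificate can have the IIS service at a time, so this is the active one.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { throw "No Exchange certificate has the IIS service enabled on this server." }

# The serial number needs a blank between every two hex characters ("1A2B3C" -> "1A 2B 3C").
$serial = ($cert.SerialNumber -replace '\s', '').ToUpper()
if ($serial -notmatch '^(?:[0-9A-F]{2})+$') { throw "Unexpected serial number format: $serial" }
$serialSpaced = $serial -replace '(..)(?=.)', '$1 '

$keys = @(
    "<add key=""IMPoolName"" value=""$OcsPoolFqdn"" />"
    "<add key=""OCSCertificateIssuer"" value=""$($cert.Issuer)"" />"
    "<add key=""OCSCertificateSerialNumber"" value=""$serialSpaced"" />"
)

# Back up web.conf before editing it by hand, then print the lines to paste in.
if (Test-Path $WebConf) {
    Copy-Item $WebConf ("{0}.{1}.bak" -f $WebConf, (Get-Date -Format yyyyMMddHHmmss))
} else {
    Write-Warning "web.conf not found at $WebConf; printing keys only."
}
$keys
```

Run it in Exchange Management Shell on each CAS server, since the certificate (and therefore the serial number) can differ per server.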

Configuring Exchange 2010 SP1

The Exchange 2010 SP1 guide is based on this great post written by Martin Sundström: http://msundis.wordpress.com/2010/06/21/integrate-ocs-2007-r2-with-exchange-server-2010-sp1-owa/ The configuration on Exchange is now moved from web.conf to the per server OWA Virtual Directory. I will definitely create a script automating the below process when I get more hands on :)

NOTE: The below steps need to be done on all Exchange 2010 CAS servers in your deployment

  1. Get the active Exchange 2010 certificate using this command in Exchange Management Shell 
    • Get-ExchangeCertificate | Where-Object {$_.Services -match "IIS"} | Get-ExchangeCertificate | fl thumbprint,subject
      • This command gets the active certificate on the local server, because only one certificate can have IIS as service at a time
  2. Use the thumbprint and OCS pool FQDN in the command below
    • Get-OwaVirtualDirectory -Server "CasServer" | Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint 4DC1EE3506E06E971FF82AC8DD60015EAC11B21E -InstantMessagingServerName ocspool01.domain.local -InstantMessagingType OCS -InstantMessagingEnabled $true
      • NOTE: This time we use OCS as InstantMessagingType
  3. Run iisreset
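As an added check (example code, not from the post), this PowerShell compares every OWA virtual directory in the organization with the IIS certificate on its own CAS server, so a thumbprint copied to the wrong server, a type left at 1, or a missing pool name shows up before users report that IM is unavailable. The pool name is a placeholder; it assumes the account can query certificates on the remote CAS servers.

```powershell
# Added example, not from the post. For each OWA vdir: the stored thumbprint must be that
# server's active IIS certificate, the type must be OCS, IM must be enabled and the pool set.
$pool = "ocspool01.domain.local"   # expected OCS pool FQDN (placeholder, same as in the post)

Get-OwaVirtualDirectory | ForEach-Object {
    $vdir   = $_
    $server = "$($vdir.Server)"
    $iisCert = Get-ExchangeCertificate -Server $server |
               Where-Object { $_.Services -match "IIS" } | Select-Object -First 1

    $problems = @()
    if ("$($vdir.InstantMessagingType)" -ne "OCS") { $problems += "type is $($vdir.InstantMessagingType)" }
    if (-not $vdir.InstantMessagingEnabled)          { $problems += "IM not enabled" }
    if ($vdir.InstantMessagingServerName -ne $pool)   { $problems += "pool is '$($vdir.InstantMessagingServerName)'" }
    if (-not $iisCert) {
        $problems += "no certificate with the IIS service on $server"
    } elseif ($vdir.InstantMessagingCertificateThumbprint -ne $iisCert.Thumbprint) {
        $problems += "thumbprint $($vdir.InstantMessagingCertificateThumbprint) is not the IIS cert $($iisCert.Thumbprint)"
    }

    New-Object PSObject -Property @{
        Server   = $server
        Identity = $vdir.Identity
        Status   = $(if ($problems) { "CHECK" } else { "OK" })
        Detail   = $problems -join "; "
    }
} | Format-Table Server, Status, Detail -AutoSize
```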

Configuring OCS 2007 R2

In order to allow the Exchange 2010 server to communicate with OCS using SIP for presence and chat you need to add every Exchange 2010 CAS server as an authorized host on OCS.

  1. On your OCS R2 Pool server configure the authorized hosts
    • NOTE: Your user needs to be a member of the RTCUniversalServerAdmins group
  2. Open Office Communications Server R2 under Administrative Tools
  3. Expand the forest and Enterprise pools or Standard Edition Servers depending on your deployment
  4. Right click your pool and choose Properties->Front End Properties
  5. Go to the Hosts Authorization tab
  6. Add the Client Access server FQDN and configure it as in the image below
    • NOTE: This is the FQDN of the subject name (CN) on the certificate used on the CAS server


Troubleshooting the Installation (RTM)

Next are a few troubleshooting steps that can assist with some of the more common problems encountered with Exchange/OCS integration. I found these valid troubleshooting steps on Rand Morimoto’s post: http://www.networkworld.com/community/node/47348

Configuring the Firewall on the CAS Server

If the Client Access Server has the Windows Firewall enabled, it might need an exception to enable OCS 2007 R2 to communicate with it. To create the exception, perform the following steps:

  1. From the Control Panel, open Windows Firewall 
  2. On the left side of the Windows Firewall window, click “Allow a Program Through Windows Firewall”.
  3. Click Add Program; then click Browse.
  4. Browse to C:\Windows\System32\inetsrv and select w3wp.exe.
  5. Click Open and then click OK twice to apply changes and close the window. Be sure to perform this step on all CAS servers with IM integration enabled.

User Configuration

  • Before the user community can utilize the IM features, they must be “provisioned” for Office Communications Server R2 and must be enabled for Enhanced Presence. When the user is initially enabled on OCS 2007 R2, he will automatically be enabled for Enhanced Presence.
  • Users must also have a valid SIP proxy address for the OWA IM integration component to enable the IM Integration UI.
  • When attempting to view the Instant Messaging contact list, a user might receive a notification that states
    • Instant Messaging Isn’t Available Right Now. The Contact List Will Appear When the Service Becomes Available.
  • If this occurs, perform the following steps:
    1. Using the same user account, confirm that you can access the IM services using the Office Communicator 2007 R2 client.
    2. If functional, confirm that the OCS Server name is properly entered in the Web.Config file of the CAS server.
    3. Also confirm the configuration of the Authorized Hosts option on the OCS pool contains all IM Integrated Client Access Servers.

OWA Certificate Error

If OWA cannot locate the certificate, an error stating The Local Certificate Specified Was Not Found in the Store for the Local Computer appears.

In this case, confirm that the value of the OCSCertificateIssuer and OCSCertificateSerialNumber fields in the Web.Config file are correct. Also ensure that there are blank spaces between every two characters in the serial number to separate octets in the string.

References

TechNet: http://technet.microsoft.com/en-us/library/ee633458%28EXCHG.140%29.aspx
Chris and Robin’s Technology blog: http://chrislehr.com/2009/11/implementing-integrated-ocs-in-owa-2010.htm
Martin Sundström: http://msundis.wordpress.com/2010/06/21/integrate-ocs-2007-r2-with-exchange-server-2010-sp1-owa/
Rand Morimoto: http://www.networkworld.com/community/node/47348

Script for Configuring Exchange 2010 Internal and External URLs

In Exchange 2010 you need to set the Internal URLs for various services on the Client Access Server. Outlook 2007/2010 uses Autodiscover to connect to the Exchange server. If the Internal URLs are configured incorrectly you could get certificate errors when logging on to Outlook as well as errors when using free/busy and OOF services internally. Also when deploying Outlook Anywhere you need to configure the External URLs correctly for the same services to work.

This script may come in handy in the following scenarios:

  • Initial configuration, avoid typos
  • Expansion in the infrastructure with load balanced CAS
  • Change in internal FQDN if you change certificate name
  • When you have a total disaster on site 1 and need to fail over to a second site with a passive DAG server that holds all server roles

Please keep in mind:

  • The Script is developed for Exchange 2003 coexistence and migration scenarios
  • The script must not be run in an Exchange 2007 coexistence and migration scenario
  • For InternalURL the script will look for a CASArray (It is recommended to create a CASArray in any scenario)
  • The script assumes there is only one ADsite

About the script:

  • First you will be presented with some choices on what to do
  • InternalURL will autoconfigure based on CASArray
  • ExternalURL will prompt for public FQDN and assume one external address
    • Will use same FQDN for OWA, ActiveSync, Autodiscover and so on
  • Will prompt for Exchange 2003 URL
  • All configuration will output the changes made


Update 27.05.2010:

  • Added support for Exchange 2007 and Exchange 2007/2010 coexistence scenarios.
  • The script will check for Exchange version before applying any settings.
  • When applying Exchange 2010 Internal URL the script will match the CAS servers to the correct CASarray in the correct ADsite


Update 28.05.2010

  • Added option for checking current configuration
  • Corrected some errors on the Exchange 2007 configuration and listing of URLs
  • Tested in Exchange 2007 only deployments and Exchange 2010 and 2007 coexistence deployments

The script can be viewed and downloaded here: https://msunified.net/exchange-downloads/script-internalexternalurls-ps1/

Configure Exchange 2010 InternalUrl PowerShell script

UPDATE: This script has been updated and revamped 07.05.2010 and described in this post: https://msunified.net/2010/05/07/script-for-configuring-exchange-2010-internal-and-external-urls/

In Exchange 2010 you need to set the internal URL for various services on the Client Access Server. Outlook 2007 uses Autodiscover internally to connect to the Exchange server. If the internal URL is configured incorrectly you could get certificate errors when logging on to Outlook as well as errors when using other services internally.

This script may come in handy in the following scenarios

  • Initial configuration
  • Expansion in the infrastructure with load balanced CAS
  • Change in internal FQDN if you change certificate name
  • Change from https to http
  • When you have a total disaster on site 1 and need to fail over to a second site with a passive DAG server that holds all server roles

It is a very simple script, if you have some advice to make the script better I would be happy if you let me know. The script does the following:

  • The server path is specified with a prompt
  • The script is set up with “-identity *”; if you have more than one instance you need to specify which instance you want to configure
  • The URL is generated using the variable and the default location of the services
  • After configuring the URLs the script lists all changes so it's easy to double-check the configuration
  • The UM role is excluded because it is not supported to be hosted on the same server as CAS

To run the script do the following:

  • Copy this into a txt file and rename it to a ps1 file
  • Open powershell and navigate to the location where the file is saved
  • Use tab in powershell to get the correct run syntax
  • Run it and type the correct FQDN like this when prompted: https://yourcasserver.domain.local

#InternalURL.ps1
$urlpath = Read-Host "Type internal Client Access FQDN starting with http:// or https://"
Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "$urlpath/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "$urlpath/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "$urlpath/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "$urlpath/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "$urlpath/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "$urlpath/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "$urlpath/Microsoft-Server-ActiveSync"
# Get commands to double-check the config
Get-AutodiscoverVirtualDirectory | ft Identity,InternalUrl
Get-ClientAccessServer | ft Identity,AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | ft Identity,InternalUrl
Get-OabVirtualDirectory | ft Identity,InternalUrl
Get-OwaVirtualDirectory | ft Identity,InternalUrl
Get-EcpVirtualDirectory | ft Identity,InternalUrl
Get-ActiveSyncVirtualDirectory | ft Identity,InternalUrl

How to save your Exchange 2007 PowerShell session transcript

I was doing some troubleshooting when I came over an article for automating the process for saving your transcript in PowerShell to a file. The article can be found here : http://blogs.technet.com/benw/archive/2007/07/24/how-to-save-your-exchange-2007-powershell-session-transcript.aspx

In the article the author talks about editing the PowerShell profile. I can't do this for every customer site I am at, so I have edited the syntax to fit my needs. If this is run after you launch PowerShell the file is saved at the root of your C drive.

CD \
$date = get-date -UFormat %y%m%d
Start-Transcript c:\$date.txt -append -noclobber

This will set the working directory to the root of the C drive (gives you more real estate to work with), define a variable called $date that holds the date in the format YearMonthDay (i.e. 090706), then tell PowerShell to start the transcript, using the variable we defined earlier to automatically create a new text file named after the current date. Additionally, since the default behavior of Start-Transcript is to overwrite the previous file, -append tells it to append to an existing file (if present), and -noclobber tells it not to overwrite the previous file.

PowerShell does have some other options here. The Start-Transcript command includes a -Path parameter that you can define, but it is not used here.

Allowing application servers to relay off Exchange Server 2007

To allow application servers to relay through your Exchange 2007 server do the following:

  • Create a new internal receive connector in EMC
  • Add the servers that need to relay
  • When created edit the settings and navigate to Permission Groups
  • Select only Anonymous users, deselect other options
  • Navigate to the Authentication tab
  • Deselect every checkbox so that nothing is selected
  • Apply changes
  • Open EMS and run the following commandlet
  • Get-ReceiveConnector "InternalRelay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
  • Relay should now work for the selected servers

This information was based on this blog, http://msexchangeteam.com/archive/2006/12/28/432013.aspx
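The same connector built entirely from EMS, as an added example that is not from the post or the linked blog: it creates the connector with anonymous permissions and no authentication as the EMC steps above describe, scopes it to the application servers that need to relay, grants the accept-any-recipient right, and reads the result back. The Hub Transport server name and the IP addresses are placeholders.

```powershell
# Added example, not from the post: EMS equivalent of the EMC steps above.
$hubServer  = "HUB01"                      # Hub Transport server hosting the connector (placeholder)
$relayHosts = "10.0.0.25", "10.0.0.26"     # only the application servers that need to relay (placeholders)

# Anonymous, unauthenticated connector limited to the listed remote addresses. A connector
# with these permissions and a wide RemoteIPRanges becomes an open relay, so keep the list tight.
New-ReceiveConnector -Name "InternalRelay" -Server $hubServer -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $relayHosts `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# The Anonymous permission group alone allows submission; relaying to external
# recipients additionally needs the ms-Exch-SMTP-Accept-Any-Recipient right.
Get-ReceiveConnector "$hubServer\InternalRelay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Verify: only the intended ranges should be listed, and the extended right should be present.
Get-ReceiveConnector "$hubServer\InternalRelay" |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
Get-ADPermission "$hubServer\InternalRelay" -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Format-Table User, ExtendedRights -AutoSize
```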

Deleted Mailbox not appearing in Disconnected mailbox in Exchange 2007

Deleted mailboxes will appear in the disconnected mailbox list, but not immediately. You have to wait for online maintenance to run and complete.

If you accidentally delete a mailbox and want to reconnect it, you may not be able to find it under Disconnected Mailbox. You have to run Clean-MailboxDatabase to get the deleted mailbox listed. Also, if you want to disconnect a mailbox to re-add it to another user or the same user, do the following:

  • Disable the mailbox in EMC
  • When you disable a mailbox the user object stays in AD and the mailbox is marked for deletion.
  • The disconnected mailbox should appear in the disconnected mailbox view
  • If it is not appearing in the disconnected mailbox view run one of the following commands from powershell

Clean-MailboxDatabase \servername\SGName\Store
Cleans the database of an individual store

Get-MailboxDatabase | Clean-MailboxDatabase
Cleans all the databases in the organization

Get-MailboxDatabase | Where{ $_.Server -eq "<servername>"} | Clean-MailboxDatabase
Cleans all the databases on the specified server

Get-MailboxDatabase | Where{ $_.Name -eq "<DatabaseName>"} | Clean-MailboxDatabase
Cleans all the databases whose name matches the given DatabaseName

  • After the command completes, check the event viewer for the following event IDs
    • Event ID 9531 – the clean mailbox database process has begun
    • Event ID 9533 – a user does not exist in the directory or is not enabled for Exchange mail. This mailbox will be removed from the mailbox store after the retention time has passed
    • Event ID 9535 – the process completes and lists that the mailbox was retained in the store
  • Finally you should see it in the disconnected mailbox view and you can connect it to the same AD user or another AD user.

This blog was based on smtpport25’s blog, http://smtpport25.wordpress.com/2009/04/22/deleted-mailbox-not-appearing-in-disconnected-mailbox-in-exchange-2007/

If you need to restore the mailbox because it is not retained in the mailbox store, see these great sites for restore guides using Recovery Storage Groups
http://www.petri.co.il/using_rsg_in_exchange_2007.html
http://www.msexchange.org/tutorials/Working-Recovery-Storage-Groups-Exchange-2007.html

Request certificate using Exchange Management Shell

If you use the self-signed certificate assigned by the Exchange server itself there is a simple process to renew the certificate. You will typically get a note in the event viewer when the certificate is about to expire. Here’s a great blog that explains the process: http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

To request or renew a 3rd-party (or internal PKI) SAN certificate that resides on your Exchange server using EMS, I found this approach useful. In this example I used an internal PKI infrastructure to assign a certificate to my internal Exchange Servers behind an NLB cluster for the ClientAccess role. I found that if the certificate is requested through an internal PKI infrastructure the certificate is issued for a period of one year and has to be manually renewed.

  • Create a request using EMS with this command
  • New-ExchangeCertificate -GenerateRequest -SubjectName "C=net, O=msunified, CN=webmail.msunified.net" -DomainName webmail.msunified.net, webmail.msunified.local, cashub01.msunified.local, cashub02.msunified.local -FriendlyName "CAS SAN Certificate" -KeySize 1024 -Path c:\CAS_SAN_cert.req -PrivateKeyExportable:$true
  • Open the req file, and copy everything except
  • -----BEGIN NEW CERTIFICATE REQUEST-----
  • -----END NEW CERTIFICATE REQUEST-----
  • Navigate to your CA server using the following URL: http://CA-server/certsrv
  • Click “Request a certificate” and then select “advanced certificate request”
  • Click “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
  • Paste the content in the “Saved Request” window
  • Hit Submit
    • If you have a 2003 CA and it does not support SAN certificates you need to enable it using this command
    • CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    • Restart the certificate service and IIS
  • click “download certificate chain” and save the file
  • On the exchange server import the certificate
  • Import-ExchangeCertificate -Path c:\2009-2.p7b -FriendlyName "webmail.msunified.net"
  • Copy the thumbprint and enable the certificate for the selected services
  • Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
  • Export the certificate with its certificate chain for other Exchange servers having the same role, using IIS or the local computer Personal certificate store
  • On the other servers import using IIS
  • On the other servers run Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
  • Remove the old certificate with the following command Remove-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91

To renew self-signed certificates on the EDGE servers for the SMTP transport service

  • On the EDGE servers open EMS and do the following
  • Get-ExchangeCertificate | New-ExchangeCertificate (if it's the only certificate on the server)
  • Remove-ExchangeCertificate -Thumbprint 1025C608027188FFA4DFAE77089D183DABACD077
  • You then have to re-establish the EDGE synchronizations with the new certificate
  • New-EdgeSubscription -FileName c:\newsub.xml
  • Copy the xml file to the internal servers
  • On the EMC for the HUB role in the organizational view, remove old edge subscription and then do a new one, specify the correct xml file
  • To synchronize the first time run from EMS the following commandlet: Start-EdgeSynchronization
  • To test the synch, run the following commandlet: Test-EdgeSynchronization

To be able to deploy SAN certificates from an internal CA, you may have to extend the attributes: http://support.microsoft.com/kb/931351

This blog is loosely based on these sites
http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
http://www.exchangeinbox.com/article.aspx?i=114
http://msexchangeteam.com/archive/2007/07/02/445698.aspx

Get-MailboxDatabase oneliner

If you run the Get-MailboxDatabase commandlet with no switches it returns all the Exchange 2007 databases in the organization. If you are looking for a list of when each database had a full backup you need to use the -Status switch.

Get-MailboxDatabase -Status | Sort -Property LastFullBackup |ft Identity,LastFullBackup

This will return the Identity and the time for the last full backup of each database in sorted order. This is a useful list when doing maintenance in an Exchange organization.

If you need a quick PowerShell script that dumps each Storage Group and its backup-related information visit the Exchangepedia Blog at: http://exchangepedia.com/blog/2008/09/script-get-storage-group-backup-status.html

Wrong version number on Exchange 2007 mailbox

I had a problem with a user migrated from Exchange 2003 to Exchange 2007 not showing the correct version number. It was not listed as a Legacy Mailbox and it resided on an Exchange 2007 store. Running the Get-Mailbox command I saw that the version number on the mailbox was 0.0 and not 0.1 as expected for Exchange 2007. Because of the mailbox being in this state the user could not connect to OWA. I got the following message:

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.InvalidADObjectOperationException
Exception message: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later.
Current version of the object is 0.0 (6.5.6500.0).

To resolve this problem you need to correct the properties of the mailbox. Do this by running the following commandlet in Exchange Management Shell:

Set-Mailbox -Identity <user> -ApplyMandatoryProperties

View KB 931747 article over at Microsoft Support, http://support.microsoft.com/kb/931747

Web Services InternalURL powershell configuration

If you are using a load balancer in front of the ClientAccess server or want to reconfigure the internal URL to point to http and not https, you need to reconfigure a couple of services with the correct URL so that Autodiscover functions properly. To do so I have created a simple PowerShell script to ease the process. The script does the following:

  • The server path is specified in the variable
  • Then we use -identity *; if you have more than one instance you need to specify which instance you want to configure
  • The URL is generated using the variable and the default location of the services files
  • After reconfiguring the services we do a test of the connectivity to verify the configuration
  • Note that custom user credentials are used so that default credentials are not necessary
  • The OWA internal URL has to be set manually

To run the script do the following:

  • Copy this into a txt file and rename it to a ps1 file
  • Navigate to the location where the file is saved
  • Use tab to get the correct run syntax

NOTE: This script has been updated in a post related to Exchange 2010 here: https://msunified.net/2010/01/13/configure-exchange-2010-internalurl-powershell-script/

$urlpath = "http://exchange-server.yourdomain.com"

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "$urlpath/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "$urlpath/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "$urlpath/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "$urlpath/oab"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "$urlpath/Microsoft-Server-ActiveSync"

Test-WebServicesConnectivity -MailboxCredential (Get-Credential <Netbios domain name>\<username>) -TrustAnySSLCertificate
Test-ActiveSyncConnectivity -MailboxCredential (Get-Credential <Netbios domain name>\<username>) -TrustAnySSLCertificate