Author Archives: Michel de Rooij

Unknown's avatar

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

Forefront Security for Exchange SP2 RU2

Posted on by
Reply

For people running ForeFront Security for Exchange SP2, Rollup 2 was released.

The related knowledgebase article kb2270641 mentions the following additional fixes:

  1. The FSCTransportScanner.exe process in Forefront Server Security for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1211603866
  2. The FSECCRService.exe process in Forefront Server Security for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1076269539
  3. Forefront Server Security for Exchange fails to write a crypto checkpoint in the RSA\Machine Keys folder
  4. The FSCController.exe process in Forefront Server Security for Exchange may stop responding, and this generates a Dr. Watson crash that references Bucket ID 1229588505
  5. The Forefront Security for Exchange GetEngineFile process crashes and Forefront is unable to perform a scan engine update
  6. Kaspersky scan engine in Forefront Security for Exchange does not update on a CCR cluster
  7. Forefront Security for Exchange does not install on Windows Server 2008 R2
  8. Forefront Security for Exchange now supports the Kaspersky 8 engine

For more details, consult the KB article. You can download FSE SP2 RU2 after submitting a hotfix request here.

Exchange ActiveSync and Hotmail

Posted on by
Reply

As of Monday, it is possible to synchronise your Hotmail account, i.e. e-mail, calendar and contacts, with your mobile using Exchange ActiveSync (EAS).

To synchronise your mobile with Hotmail, use the following settings:

Server m.hotmail.com
Username E-mail address, e.g. jandvries@hotmail.com
Password *****
Domain Leave blank
SSL Enabled

When asked, choose to accept the SSL certificate.

Synchronisation currently works for Windows Mobile 6.x, Windows Phone 7, iPhone, iPod Touch, iPad and Nokia E/S/N-Series with Mail for Exchange.

RBAC Overview Sheet 1.2

Posted on by
3

I’ve updated the Role Based Access Control (RBAC) Overview sheet with information of Exchange 2010 SP1. You can download version 1.2 of the RBAC Overview sheet from here.

The sheet contains information on the default RBAC configuration of Exchange 2010 RTM and Exchange 2010 SP1 and a list of differences found between the two setups.

For information on how to use the sheet, consult the post on the initial release here.

For those interested, there were 39 changes introduced in Exchange SP1 Final compared to SP1 Beta. Below are the differences. A “-” means an RBAC entry is removed in SP1 Final, a “+” means it was added:

- Discovery Management,Legal Hold,Enable-Mailbox
+ Discovery Management,Mailbox Search,Get-MailboxExportRequest
+ Discovery Management,Mailbox Search,Get-MailboxExportRequestStatistics
+ Discovery Management,Mailbox Search,New-MailboxExportRequest
+ Discovery Management,Mailbox Search,Remove-MailboxExportRequest
+ Discovery Management,Mailbox Search,Set-MailboxExportRequest
+ Discovery Management,Mailbox Search,Suspend-MailboxExportRequest
- Organization Management,Exchange Virtual Directories,New-PowerShellVirtualDirectory
- Organization Management,Exchange Virtual Directories,Remove-PowerShellVirtualDirectory
- Organization Management,Exchange Virtual Directories,New-PowerShellVirtualDirectory
- Organization Management,Exchange Virtual Directories,Remove-PowerShellVirtualDirectory
- Organization Management,Legal Hold,Enable-Mailbox
- Organization Management,Legal Hold,Enable-Mailbox
- Organization Management,Mailbox Import Export,Export-Mailbox
- Organization Management,Mailbox Import Export,Import-Mailbox
+ Organization Management,Mailbox Search,Get-MailboxExportRequest
+ Organization Management,Mailbox Search,Get-MailboxExportRequestStatistics
+ Organization Management,Mailbox Search,New-MailboxExportRequest
+ Organization Management,Mailbox Search,Remove-MailboxExportRequest
+ Organization Management,Mailbox Search,Set-MailboxExportRequest
+ Organization Management,Mailbox Search,Suspend-MailboxExportRequest
+ Organization Management,Message Tracking,Resume-MailboxExportRequest
+ Organization Management,Message Tracking,Resume-MailboxExportRequest
+ Organization Management,Monitoring,Test-AssistantHealth
+ Organization Management,Monitoring,Test-SmtpConnectivity
+ Organization Management,Monitoring,Test-AssistantHealth
+ Organization Management,Monitoring,Test-SmtpConnectivity
+ Organization Management,View-Only Audit Logs,New-AdminAuditLogSearch
+ Organization Management,View-Only Audit Logs,New-MailboxAuditLogSearch
+ Organization Management,View-Only Audit Logs,New-AdminAuditLogSearch
+ Organization Management,View-Only Audit Logs,New-MailboxAuditLogSearch
+ Recipient Management,Message Tracking,Resume-MailboxExportRequest
+ Records Management,Message Tracking,Resume-MailboxExportRequest
- Server Management,Exchange Virtual Directories,New-PowerShellVirtualDirectory
- Server Management,Exchange Virtual Directories,Remove-PowerShellVirtualDirectory
+ Server Management,Monitoring,Test-AssistantHealth
+ Server Management,Monitoring,Test-SmtpConnectivity
+ View-Only Organization Management,Monitoring,Test-AssistantHealth
+ View-Only Organization Management,Monitoring,Test-SmtpConnectivity

Besides RBAC information, you may also find this list and the Overview Sheet useful for spotting new cmdlets and changes in functionality.

DAC: Datacenter Activation Coordination Mode (Part 2)

Posted on by
3

Part 1: Active Manager, Activate!
Part 3: DAC and Exchange 2010 SP1

In an earlier article I elaborated on Exchange 2010’s Active Manager, what role it plays in the Database Availability Groups concept and how this role is played. In this article I want to discuss the Datacenter Activation Coordination (DAC) mode, what it is, when to use it and when not.

Note that the following information is based on Exchange 2010 RTM behavior. A separate Exchange 2010 SP1 follow-up will be posted describing changes found in Exchange 2010 SP1.

To understand the requirement for Datacenter Activation Coordination, imagine an organization running Exchange 2010. For the purpose of high availability and resilience they have implemented a DAG running on four Mailbox Servers, stretched over 2 sites running in separate data centers, as depicted in the following diagram:

Types of Failure
Before digging into Datacenter Coordination Mode, I first want to name certain types of failures. This is important, because DAC’s goal is to address situations caused by a certain type of failure. You should distinguish between the following types of failure:

  • Singe Server Failure – A single server fails. The server needs recovery (availability, fail over automatic);
  • Multiple Server Failure – Multiple servers fail. Each server needs recovery (availability, automatic);
  • Site Failure – All components in a site (datacenter) fail. Site recovery needs to be initiated (resilience, manual).

What you need to remember of this list is that each type of failure is different, from the level of impact to the actions required for recovery.

Quorum
With an odd number of DAG members, the Node Majority Set (NMS) model is used, which means a number of (n/2)+1 voters (DAG members) is required to obtain quorum, rounded downward when it’s not a whole number. Obtaining quorum is important because that determines which Active Manager gets promoted to PAM and the PAM can give the green light to activate databases.

With an even number of DAG members, the Node and File Share Majority Set (NMS+FSW) model is used. This means an additional voter is introduced in the form of a File Share Witness (FSW) located on a so called Witness Server. This File Share Witness is used for quorum arbitration. Regarding the location of this File Share Witness, best practice is to put it on a Hub Transport server in the same site as the primary mailbox servers. When combining roles, e.g. Mailbox + Hub Transport, put the FSW on another (preferably e-mail related) server.

So, given this information and knowing how quorum is obtained, we can construct the following table regarding quorum voting. As we can see, when using 4 nodes as in our example scenario, we require a File Share Witness and a minimum of 3 voters to obtain quorum.

DAG members Model Voters Required

2

NMS+FSW

2

3

NMS

2

4

NMS+FSW

3

5

NMS

3

10

NMS+FSW

6

15

NMS

8

Site Resilience
Consider our example with the primary datacenter failing. Damage is substantial and recovery takes a significant amount of time and you decide to fall back on the secondary datacenter (site resilience). That would at least require reconfiguring the DAG, because the remaining DAG members can’t obtain quorum on their own since they form a minority.

So you remove the failed primary datacenter components from the DAG, force quorum for the secondary datacenter and reconfigure cluster mode or Witness Server (depending on the number of remaining DAG members). After reconfiguring, the remaining DAG members can obtain quorum because they can now form a majority. And, because the DAG members in de secondary datacenter can obtain quorum, the Active Manager on the quorum owner becomes Primary Active Manager and the process of best copy selection, attempt copy last logs and activation starts.

Split Brain Syndrome
Consider your secondary datacenter is up and running and you start recovering the primary datacenter. You recover the server hosting the File Share Witness and both servers; network connection is still down. A problem may arise, because the two recovered servers together with the File Share Witness form a majority according to their knowledge. So, because they have quorum they are free to mount databases resulting in divergence from the secondary datacenter, the current state.

This situation is called split brain syndrome, because both DAG members in each datacenter can’t communicate with DAG members in the other datacenter. Both groups of DAG members may determine they have a majority. Split brain syndrome can also occur because of network or power outages, depending on the configuration and how the failure manifests.

Datacenter Activation Coordination
To prevent these situations, Exchange has a special DAG mode called Datacenter Activation Coordination mode. DAC adds an additional requirement for DAG members during startup, being the ability to communicate with all known DAG members or contact a DAG member which states it’s OK to mount databases.

In order to achieve this, a protocol was devised called Datacenter Activation Coordination Protocol (DACP). The way this protocol works is shown in the following diagram:

  1. During startup of a DAG member, the local Active Manager determines if the DAG is running in DAC mode or not;
  2. If running in DAC mode, an in-memory DACP flag is set to 0. This tells Active Manager not to mount its databases;
  3. If the DACP flag is set to 0, Active Manager queries the DACP flags of all other DAG members it has knowledge of. If one of those DAG members responds with 1, the local Active Manager sets the local DACP flag to 1 as well;
  4. If the Active Manager determines it can communicate with all DAG members it has knowledge of it sets the local DACP flag to 1;
  5. If the DACP flag is set to 1, Active Manager may mount its databases.

Note:

So, assume we enabled DAC for our example configuration and we recover the servers in the primary datacenter with the network connection still down. Those servers are still under the assumption that the FSW is located in the primary datacenter so – according to knowledge of the original configuration – they have majority. When starting up, their DACP flag is set to 0. However, they can’t reach a DAG member with a DACP flag set to 1 nor can they contact all DAG members they know about. Therefore, the DAG members in the primary site will not mount any databases, not causing split brain syndrome nor divergence.

If the recovered servers in the primary datacenter come online and the network is already up, the nodes will also not mount their databases because part of the procedure for switching datacenters is removing the primary datacenter DAG members from the DAG configuration. So, the DAG members in the primary datacenter contain invalid information and will be denied by the DAG members in the secondary datacenter.

Implementing DAC
Datacenter Activation Mode is disabled by default. To enable DAC, use the Set-DatabaseAvailabilityGroup cmdlet using the DataCenterActivationMode parameter, e.g.

Set-DatabaseAvailabilityGroup –Identity <DAGID> –DatacenterActivationMode DagOnly

Note that DagOnly and Off are the only options for the DatacenterActivationMode parameter.

Monitoring

If you’ve configured the DAG for DAC mode, and LogLevel is sufficient, you can monitor the DAG startup process using the EventLog. The Active Manager holding quorum check status every 10 seconds. It is responsible for keeping track of the status of the other DAG members. When sufficient DAC members are registered online, it will promote itself to PAM (like in non-DAC mode), which functions as the “green light” for the other Active Managers.

The Active Manager on the other DAG members will periodically check if consensus has been reached:

If the Active Manager holding quorum has promoted itself to PAM, the Active Manager on the other nodes will become SAM. After this the activation and mounting procedure will start.

Limitations
Unfortunately, it’s not an all good news show. DAC mode in Exchange 2010 RTM can only be enabled when using a DAG with 3 or more DAG members distributed over at least 2 Active Directory sites. This means DAC can’t be used in situations where you have 2 DAG members or when all DAG members are located in the same site. This makes sense for the following reasons:

  • In Exchange 2010 RTM, DAC only looks at the DACP flag querying DAG members. The FSW plays no part in it;
  • DAC is meant to prevent split brain syndrome which normally only can occur between multiple sites.

When you try to enable DAC using a 2 DAG member configuration, you’ll encounter the following message:

Database Availability Group <DAGID> cannot be set into datacenter activation mode, since it contains fewer than three mailbox servers.

When you try to enable DAC using a single site, the following error message will show up:

Database availability group <DAGID> cannot be set into datacenter activation mode, since datacenter activation mode requires servers to be in two or more sites.

Note that this message will also show up if you didn’t define sites in Active Directory Sites and Services at all, so make sure you define them properly.

But there is also good news: Exchange 2010 SP1 supports all DAG configurations. I’ll discuss this and other changes in Exchange 2010 SP1 DAC mode in a follow up article.

Additional reading
More information on Datacenter switchovers and the procedure to activate a second datacenter using DAGs in non-DAC as well as DAC mode can be read in this TechNet article. Make sure you compare the actions to perform for DAC and non-DAC setups and see that DAC makes life of the administrator much easier and the procedure less prone to error.

Exchange 2010 Endpoint Mapper Issue & Firewall

Posted on by
17

While upgrading one of my existing Exchange 2010 lab machines from RTM to SP1, I encountered the following error message during the upgrade:

Error:
The following error was generated when "$error.Clear();
          if (!(get-service MSExchangeADTopology* | where {$_.name -eq "MSExchangeADTopology"}))
          {
            install-ADTopologyService
          }
        " was run: "There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)".
There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)

The message appeared at the stage of upgrading the Unified Messaging components. I had a look at the ExchangeSetup.log file and it contained the the following information:

[08/27/2010 10:08:13.0948] [2] Beginning processing install-UMService
[08/27/2010 10:08:14.0011] [2] [WARNING] An unexpected error has occurred and a Watson dump is being generated: There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)
[08/27/2010 10:08:14.0027] [2] [ERROR] There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)
[08/27/2010 10:08:15.0823] [1] The following 1 error(s) occurred during task execution:
[08/27/2010 10:08:15.0823] [1] 0.  ErrorRecord: There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)
[08/27/2010 10:08:15.0823] [1] 0.  ErrorRecord: System.Runtime.InteropServices.COMException (0x800706D9): There are no more endpoints available from the endpoint mapper. (Exception from HRESULT: 0x800706D9)
at Interop.NetFw.INetFwRules.Add(NetFwRule rule)
at Microsoft.Exchange.Security.WindowsFirewall.ExchangeFirewallRule.Add()
at Microsoft.Exchange.Configuration.Tasks.ManageService.Install()
at Microsoft.Exchange.Management.Tasks.UM.InstallUMService.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()

It seems the error is caused while trying to add a firewall rule, indicated by Interop.NetFw.INetFwRules.Add (INetFwRules is the rules collection of the built-in Windows Firewall).

I had a quick check with the firewall settings on the machine and it turned out the Windows Firewall was disabled. I figured that perhaps adding the rules failed because setup couldn’t communicate with the firewall service.

I enabled the Windows Firewall and this time the upgrade process went fine:

[08/27/2010 10:23:10.0988] [2] Beginning processing install-UMService
[08/27/2010 10:23:11.0145] [2] Ending processing install-UMService