Sembee Blog

SSL certificates are a constant source of pain for Exchange administrators. With Exchange 2007 and 2010 so heavily dependant on web services, getting SSL setup correctly is important for correct operation. 

A lot of SSL certificate deployment is now being done for mobile device support, and then you open a new issue - SSL certificate compatibility. 

Recently I found a large list of SSL certificate and client compatibility. 

It is from a Danish SSL reseller called FairSSL:

http://www.ssltest.net/compare/sar.php

Most useful for mobile platform compatibility, the combinations it lists are significant. 

On the same site they also have a tool to verify that your SSL certificate is installed correctly. Most of the SSL vendors also provide this, but if you don't have the login details (perhaps because the certificate was just supplied to you) then it is a useful service to have:

http://www.ssltest.net/

With more SSL providers now using intermediate certificates to issue the certificates, rather than the root, getting the certificates installed correctly can mean the difference between SSL working and not. 

Exchange 2003, Exchange 2007, Exchange 2010, SSL Certificates Exchange 2003, Exchange 2007, Exchange 2010, SSL Certificates

IPv6 has and continues to cause a lot of confusion for network administrators. I suspect that a lot of it is down to misunderstanding about the new system and therefore people blame it for problems because it is new. 
In forums, I see a lot of people who simply post that the problem is "IPv6" and it should be disabled because it is "known to cause problems". I have been asked to clean up Exchange deployments where IPV6 has been disabled, simply because the installer believed it would cause issues if it wasn't. 

In many cases this is simply not true - IPv6 is not the cause of many problems and in the default configuration on Windows 2008/2008 R2 will not get in the way of day to day operations. 

However IPv6 is not going to go away and very soon most network administrators are going to need to do something with it, whether they like it or not. Therefore getting experience with it now, before being forced to do so can only benefit the network administrator. 

Back in the summer, just after the World IPv6 day, I decided to look at using IPv6 myself and have been running an IPv6 network at home ever since. The web sites that I operate are also IPv6 enabled and if you are already using IPv6 you may well be reading this blog posting having accessed the site using Ipv6. 

Initial Experiences with IPv6

Having now lived with IPv6 for a few months, I thought I would write up my experiences with using it. In brief, I have found it to be largely trouble-free. I was caught out by a few small issues at the beginning, but after being setup correctly, it has been largely set and forget. 

IPv6 Addresses and Getting Started

The first thing you have to do is get hold of an IPv6 subnet. Most ISPs are currently not issuing IPv6 addresses, so you have to source them from elsewhere. Having researched on the easiest way to do this, I settled on using a tunnel broker, specifically Hurricane Electric (HE). 
It was easy enough to sign up with them, and before long I had the single address required. HE are giving out the addresses free, and allow you to choose where to create tunnel to. I chose London, being in the UK. 

I built a Windows 7 machine in a virtual machine, and followed their instructions to enable it - which was simply a matter of entering some commands in to a Command Prompt to configure the tunnel, which Windows 7 supports natively. 
For the tunnel to create, HE need to be able to ping your EXTERNAL IPv4 address, so a firewall change might be required. 

Once entered, I tried to ping ipv6.google.com, only for it to fail. 

Therefore I hit the first problem, which is probably the most common issue with IPv6 - hardware support. 

I am fortunate that I have dual internet connections, regular ADSL and a cable internet. My ADSL had a Cisco router on it, and I quickly discovered that Cisco only support IPv6, even pass through, on specific OS types and I had the wrong one. I wasn't paying for the upgrade for a test (And was planning to drop the Cisco router a few months later when I got fibre internet), so I decided to use the second connection. 

Switching over to my cable internet connection, which used DDWRT, the tunnel passed through immediately and I was on the internet using IPv6. 

I have to say, it was a rather underwhelming experience - it just worked. 

Putting the Network on to IPv6

With the single machine on IPv6, I thought I would see if I could put my entire home network on as well. This meant the router needed to support it. I played around with DDWRT for a while, but found it wasn't easy to configure with IPv6 information. Therefore I changed my attention to my public web server. 

The web site that you are reading this posting on is actually a virtual server. The firewall that protects it is a VM, and generally I can do what I like with the system. A look around at other software firewalls it quickly became clear that the best one for IPv6 was monowall. It didn't take long to install a fresh VM with monowall and used a spare external IPv4 address. 

After requesting a second subnet from HE I entered them in to the firewall and I was online. Took minutes to configure monowall. I then set the firewall rules so I could ping out etc and all was good. I modified the firewall rules to allow inbound traffic and after a few minutes configuring the DNS records, I was able to browse my web server with IPv6 from my test system at home. 

Using IPv6 also gives the strange sensation of the same IP address internally as well as externally. No NAT involved. I haven't been in that situation since a job back in 1999, where the employer had enough public addresses that we could use them internally as well. 

IPv6 Addresses

One of the things that did start to cause me a headache was dealing with the IP addresses themselves. You have so many and they are so long. However I quickly learned about the "::" shortcut, which allows you to shorten the addresses. What this means is that instead of using:

2001:470:1f09:1ab5:0000:0000:0000:0090

I can use this instead:

2001:470:1f09:1ab5::90

From an understanding point of view, I found that using the same number at the end of the IP address for both IPv4 and IPv6 made managing the addresses much easier. For example this blog is on 85.234.131.90, so I used ::90 at the end of the IPv6 Address. 

With the addresses configured on the web server, it means I can just look at the last number to ensure that I am putting in the correct bindings to the web server. 

Boyed by the success of getting the public web site to work, I looked again at my home network. Switching the DDWRT router for a monowall virtual machine meant that I was able to configure the home network for IPv6 quickly, and also meant that I now had a static IPv6 address running over my dynamic IP address cable internet connection. 

With the addresses the length they are, you have a lot of addresses available to you. 

I subnetted my allocation down further, which has allowed my labs to have their own IPv6 subnet. This means my labs "could" be seen from the internet, if I set the rules to allow that to happen in the firewall. Once IPv6 is widely used, I can see that as a major advantage, particularly if you are testing email servers. 

DHCP or Not

One of the features of IPv6 is that removes the need to have traditional DHCP. Instead you enter information on your router and it is able to "announce" that information which IPv6 clients are able to find. 

Microsoft do provide an IPv6 DHCP server, which I had some success configuring, but as the information from the router was correct, it wasn't something I pursued. 

Most of the systems on my network I entered static IP address information for, but I did find they were getting an automatic address as well, which must be a feature of IPv6. However when reviewing WSUS for example, the static address I assigned is being entered in to WSUS as the server's IP address. 

The impression I am getting though is that the IP address of the system is going to be less important, at least internally. I have set static addresses in the public DNS and on the servers, and those work correctly, but internally the network is also using the automatic addresses. 

With the length of the IP address, remembering them for doing testing isn't going to be easy. Therefore I can see in the future that DNS will become more important, so that you can simply ping or nslookup the host name, to get its IPv6 address, then work from there. 

DNS

I mentioned DNS above. 

Backwards compatibility for DNS on IPv6 works really well - you have two entries for most things - an IPv4 A record and an IPv6 AAAA record. The AAAA record takes priority. 
This can of course give unexpected results, particularly when troubleshooting. Therefore what I have done is create three records for hosts where I am likely to want to do troubleshooting (mail servers mainly).

1. The regular host name - so host.example.com - both A and AAAA records. 
2. A IPv6 specific host name - so ipv6.host.example.com  - this is an AAAA record only. 
3. An IPv4 specific host name - so ipv4.host.example.com - no AAA record. 

A good example of this in action can be seen on a basic IP address display site I built. 

If you browse to the site normally then you will have the IPv6 address displayed if you are using IPv6 and the IPv4 if you are using IPv4. 

http://check.sembee.info/ 

However further down the page are links to other versions of the page - one for displaying just the IPv4 address and then one that displays both IPv4 and IPv6. Moving through the pages you will notice that the host name in the browser bar changes, so that the correct DNS entry is used. 

Email

As an Exchange MVP, I was of course interested in how this would work for email. 
For email it is just a matter of adding the additional AAAA record for the host name. 
MX records point at host names, and then the client resolves the host name to an IP address. 
Therefore my MX record hosts have both IPv4 and IPv6 addresses. 
Although monitoring the email I have found that I have received just three emails (all marketing) from IPv6 hosts. 

Drawbacks with IPv6

The major issues with IPv6 is support of the address type. 
I quickly discovered that the antispam solution I am using cannot cope with IPv6 addresses, but as spammers aren't using it, it hasn't been a problem so far. 
I also discovered that my web stats application doesn't support IPv6, so I have no real ideal how many people are accessing my web sites with IPv6. Certain applications also have issues with IPv6, but in a lot of cases this is only if it is pure IPv6, not a mixed network. 
The length of the IP address I think will be something that many network admins will find difficult and will miss being able to type in the four sets of numbers from IPv4. I fully expect IPv4 to be used internally for some time to come, perhaps with IPv6 being used just for internet traffic.

Conclusion

As you can test Ipv6 with almost no disruption to the production network, it is something that network admins should take a look at, so that they simply get their heads around it. Then as it becomes more widely used, they  have already been through the learning curve. 

Networking General, IPv6 Networking General, IPv6

An interesting little issue with a client's configuration caused a problem recently.

The problem only affected users off site using Outlook Anywhere. While they could get their email correctly, the availability service didn't. This stopped Out of the Office from working correctly unless OWA was used, or the end user was in the office.  

This particularly configuration uses a Client Access Server in a data centre, which proxies over a site to site VPN in to the main office where another CAS, plus the mailboxes are actually located. Therefore the issue had to be around a configuration difference between the two servers. 

Running 

get-clientaccesserver servername |fl 

on the server in the data centre and comparing it to the server in the main office, showed that the value for AutodiscoverSiteScope was populated with the AD site for the main office. This was because the server in the data centre had been built in that location initially and then moved. 

Removing that entry so it was blank resolved the issue:

Set-clientaccessserver servername -AutodiscoverSiteScope $null 

A five minute fix resolved an annoying problem for the end users. 

Exchange 2007, Exchange 2010, MS Exchange Server, Outlook Exchange 2007, Exchange 2010, MS Exchange Server, Outlook

I wanted to update my Windows 7 installation DVD so that it not only installed any version of Windows 7, but also both the 64 bit and the 32 bit. It would be used on both a memory stick and DVD. 

While searching around the internet, I found various techniques using various third party tools. However as I didn't have any of the third party tools and wasn't about to buy them for this single task, I found my own way of creating the DVD using tools that Microsoft have already provided. 

Requirements

• Windows 7 ISOs/DVDs of 64 bit and 32 bit. Doesn't matter which version, as long as it isn't Starter Edition. I probably wouldn't use a vendor supplied disk either as you never know what changes they have made to it. MDSN, Technet or Retail will be fine. 
• Windows 7 Automated Installation Kit. This is a free download from Microsoft here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en  - this file downloads as an ISO - hence the need for an ISO mount tool. 
• An ISO mount tool.
• Optional: A virtual machine platform to test on. 

Method

1. Create two temporary directories. One called WIM and one called DVD. 
2. Mount each ISO in turn and copy the file "Install.WIM" to the directory "WIM". Rename the file that comes from the 32 bit DVD/ISO x86.WIM and the one from the 63 bit DVD/ISO x64.WIM
3. Copy the entire contents of the 32 bit Windows ISO in to the directory called DVD. 
4. Delete the file "ei.cfg" from the copy of the DVD that you have created. This is the file that locks the installation media to a specific version of Windows 7. If it isn't present, setup prompts you for the version you wish to install. 
5. Install Windows 7 AIK - this is the option "Windows AIK Setup" when you run StartCD from the downloaded ISO.
6. With the Windows 7 AIK installed on your computer run the Deployment Tools Command Prompt.
7. Type the following commands in the Command Prompt window. Change the  paths and drive letters to match where you have stored the files.
   Alternatively, copy all of these commands in to a notepad document, rename the document run.bat (or whatever you like) and run that instead.
   IMAGEX /Export E:\WIM\x86.WIM 5 E:\WIM\INSTALL.WIM "Windows 7 Ultimate x86"
   IMAGEX /Export E:\WIM\x64.WIM 4 E:\WIM\INSTALL.WIM "Windows 7 Ultimate x64"
   IMAGEX /Export E:\WIM\x86.WIM 4 E:\WIM\INSTALL.WIM "Windows 7 Professional x86"
   IMAGEX /Export E:\WIM\x64.WIM 3 E:\WIM\INSTALL.WIM "Windows 7 Professional x64"
   IMAGEX /Export E:\WIM\x86.WIM 3 E:\WIM\INSTALL.WIM "Windows 7 Home Premium x86"
   IMAGEX /Export E:\WIM\x64.WIM 2 E:\WIM\INSTALL.WIM "Windows 7 Home Premium x64"
   IMAGEX /Export E:\WIM\x86.WIM 2 E:\WIM\INSTALL.WIM "Windows 7 Home Basic x86"
   IMAGEX /Export E:\WIM\x64.WIM 1 E:\WIM\INSTALL.WIM "Windows 7 Home Basic x64"
   IMAGEX /Export E:\WIM\x86.WIM 1 E:\WIM\INSTALL.WIM "Windows 7 Starter x86"
8. Copy the new install.wim created above in to the \Sources directory of the DVD directory created in step 3, replacing the existing. 
9. Back in the Deployment Tools Command Prompt, run the following command:
   oscdimg.exe -lWindows7 -m -u2 -b"E:\DVD\Boot\etfsboot.com" E:\DVD E:\Windows7.ISO
   Where 
   
   • Windows7 is the name of the DVD (note the lack of space between the l and the name),
   • E:\DVD is the source directory
   • E:\Windows7.ISO is the destination ISO name. 
10. Test the ISO using VMWARE Player or other VM technology, before burning to DVD. 
11. For memory stick use, simply take an existing USB memory stick used for installing Windows 7 and copy the Install.WIM file created above and replace the existing. It will then support both. 

Networking General Networking General

If you were affected by the Blackberry Internet Service outage today (10th October 2001) and your Blackberry connects to an in-house email server running Exchange server (2003 or higher), then you really should be running a BES (Blackberry Enterprise Server) or BES Express (BESX).

A Blackberry connected to a BES/BESX gives you the full functionality of the Blackberry with true two way synchronisation of Email, Contacts, Calendar and Tasks. It is an extension of your Inbox. No need to maintain two sets of data that kind of synchronises. 

If you use BESX, then the software is free and you do not have to change your device subscription/tariff. For smaller installations the software can be installed on your server in  a few hours and give you complete control over the devices that connect. 

If you are in an industry where the email traffic is sensitive, the data exchange between your Blackberry and the BES/BESX cannot be intercepted as the encryption is managed by your server, not the one at RIM. This provides a more secure mobile email solution. 

Through my company Sembee Ltd, I can install and configure a BES Express for you for just £250 plus VAT if installed on to an existing server (other terms and conditions apply). That includes post installation configuration and guidance on maintenance, handset setup etc. 

For more information, contact me through the company web site at http://www.sembee.co.uk/ 

Amset IT Solutions Ltd. / Sembee Ltd., Blackberry, Exchange 2003, Exchange 2010, MS Exchange Server, Small Business Server Amset IT Solutions Ltd. / Sembee Ltd., Blackberry, Exchange 2010, Exchange 2007, Exchange 2003, MS Exchange Server, Small Business Server

Just spoken to the Technology Editor at BBC Online to provide them with some background information on the Blackberry infrastructure following today's outage. 

http://www.bbc.co.uk/news/technology-15243892 

I briefly explained why Enterprise users were largely not affected. 

Amset IT Solutions Ltd. / Sembee Ltd., Blackberry Amset IT Solutions Ltd. / Sembee Ltd., Blackberry

During a recent migration from Exchange 2007 to 2010 I found I was unable to remove the public folder store from the Exchange 2007 server. 

It was returning the following error when using remove-publicfolderdatabase or using EMC on Exchange 2007. 

Remove-PublicFolderDatabase : Object is read only because it was created by a future version of Exchange: 0.10 (14.0.100.0). Current supported version is 0.1 (8.0.535.0).

Obviously the Exchange 2010 server had touched the database in some way, probably due to the Offline Address Book migration. 

The fix was quite simple - remove it using the Exchange 2010 Exchange Management Shell. Can't use the GUI as the Exchange 2007 public folders do not appear in there.

Get-PublicFolderDatabase -Server EXCH2007 | Remove-PublicFolderDatabase

Where "Exch2007" is the name of the Exchange 2007 server. 

After removing the database I refreshed the GUI and was then able to drop the Storage Group and complete the removal of Exchange 2007. 

Exchange 2007, Exchange 2010, MS Exchange Server Exchange 2007, Exchange 2010, MS Exchange Server

Recently deployed an SBS 2011 server for a client down in the New Forest. Shortly after going live with this server, we experienced one of the oddest issues I have experienced. The fix was very simple, but the symptoms left us scratching our head. 

The server was intermittently receiving email. I could send it messages, but other accounts could not. Sometimes email from Google Mail would come through, other times they wouldn't. Same for Hotmail and other services. 

As it was intermittent, I was confidently ruling out the Exchange part as I said I could send it email. It was responding to telnet commands quite happily. 

Therefore we started to consider issues such as the router (it was something odd), the ISP as it was one that I hadn't used before and wasn't quite the same as others in the UK. Things were changed around and still the problem continued. 

The major symptom was the "Service Unavailable" was received by the clients, but it was on a 4.x.x error code, so email wasn't failing immediately. That error message usually means the anti-spam filtering it blocking the email. As the anti-spam agents are installed by default on SBS 2011, they were removed, no change. We had also installed AV on to the server, so that was checked and removed to ensure it wasn't affecting anything. 

This went on for a few days.

Then clutching at straws I started to go through the entire setup comparing it to my reference SBS 2011 server here in my home office. This reference server is basically an SBS 2011 installation that has had the wizards run, is kept patched, but isn't used or touched in any other way. It is an out of the box install. No third party software installed, and it isn't exposed to the internet. I have them for all three versions of SBS (2003, 2007 and 2011) that I work with. 

When I got to the Receive Connectors, I immediately noticed something was wrong, and I had overlooked something. 

This is a screenshot of the Receive Connector as I saw:

What this meant was that any email server with an IP address of below 192.168 was able to send email to the server, but anything above that couldn't. It would appear that some of the major email providers like Google Mail are routing their email out through high number IP addresses!

Furthermore, this wasn't being corrected by the fix my network wizard, which I had run a number of times to ensure that I hadn't missed something. 

As soon as I corrected the setting and restarted the Microsoft Exchange Transport Service for good measure, the email started to flood in. 

Exchange 2010, Small Business Server Exchange 2010, Small Business Server

The blog has been very quiet for a few months, and even my forum posting level has dropped, and that is because I have moved house. 

I am now located in the Thames Valley, midway between Newbury (home of Vodafone) and Reading (home of Microsoft UK). It took me a little while to settle in, as I moved from a very small one bedroom flat (apartment) in to a three bedroom detached house. Although oddly my stuff appears to have grown to fill the space!

I now have a real office instead of the corner of the lounge, a real kitchen instead of the corner of the lounge and a lounge without a kitchen and my office in it. I also have a garden, which is somewhat of a shock as I am so not green fingered. 

Anyway all good fun and I am now back up to speed with client work. 

Personal Personal

An increasing issue appears to be a certificate prompt being seen by Outlook 2007 and higher clients following the introduction of additional CAS servers, or new multiple role servers holding the CAS role. 

While this has been an issue for some time and well known to those running a multiple server environment, the increasing number of postings on forums about this problem has probably occurred as single Exchange 2007 servers start to get to end of life and people migrate to Exchange 2010. 

The cause of this is usually autodiscover. 

What is Happening

CAS Servers have a value called "AutoDiscoverServiceInternalUri". This is published in to the domain as a Service Connection Point (SCP) and is queried by Outlook 2007 and higher as part of the internal autodiscover process. It tells the client where to connect to for the account information. 

If you have multiple CAS servers then they will all be publishing this information to the domain, in effect overwriting each other. 

This command will show you the name and the value set on all Client Access Servers in the org:

Get-ClientAccessServer |select name,AutoDiscoverServiceInternalUri

The Resolution

There are two resolutions to this issue, depending on your setup, and future plans. 

1. The simple fix is to bring forward the introduction of the trusted SSL certificate and get it installed on to the new server. The value for "AutoDiscoverServiceInternalUri" should match one of the host names on the SSL certificate. Remember that most SSL providers will not allow multiple certificates with the same names on them to be issued, so you may have to get a new certificate issued to cover all servers with the CAS role. 
   
2. Set the value for AutoDiscoverServiceInternalUri to be the same on all CAS Servers. If this is a specific server name, rather than a generic name, then you will need to change that value on all servers if you remove that server from production. Alternatively you could ensure that autodiscover.example.com resolves internally on your network to the IP address of a CAS server, then set all CAS servers to use that value. Then when the servers are changed, all you need to do is update the DNS. If you have clients on your internal network which are not members of the domain, then you may well have already configured this. 

Multiple AD Sites

If you have your CAS servers in multiple AD sites, then you may well have to consider using site scope to control which server the clients will connect to. There are other things to consider if this is the best thing to do or not and this Technet article explains how to use Site Scope: http://technet.microsoft.com/en-us/library/aa997633(EXCHG.80).aspx

CAS Array

This is not related to the Exchange 2010 CAS Array function, and you shouldn't use the CAS array host name for this. The CAS array doesn't use HTTPS and also shouldn't be resolvable from outside. 

Exchange 2007, Exchange 2010, MS Exchange Server, Outlook