Gretech.be Just another WordPress weblog…

27 Apr 2010

Installing Exchange 2010 on Windows Server 2008 R2 DC


Some time ago I installed an Exchange 2010 server on Windows Server 2008 R2 x64 for a friend of mine who couldn't get his Mac (built-in Mail program) with Snow Leopard working with Exchange 2003.

First some technical data:

Exchange version (Get-ExchangeServer | fl name,edition,admindisplayversion): 14.0 Build 639.21

After installing it and forwarding the HTTP/HTTPS ports there were no problems for the Mac. After a while I was also preparing to switch my own account to 2010 on all computers, and then the problems began.

On the Exchange 2003 server I used ISA Server 2007, where you just select the RPC protocol to be allowed and ISA does the rest (client PCs connect on 135, then the server assigns the client a private port in the 49152-65535 range, which the ISA firewall opens automatically when needed).

The new Exchange 2010 server is behind a transparent Linux firewall (using Shorewall), and the RPC range is too big to just open all the RPC ports. I thought limiting the RPC range was an option, but RPC over HTTPS is a much safer way, and because the Belgian internet provider Telenet blocks all outgoing traffic on port 135 from clients to the internet (since the Blaster virus, centuries ago!), RPC over HTTPS had to be configured anyway.

Some errors I ran into:

  • Error message: "This security certificate was issued by a company that you have not chosen to trust" (http://support.microsoft.com/kb/297681)
  • Endless loop asking for logon credentials (login and password) when opening Outlook; username and password were correct of course, but they weren't accepted (I found out this was because the authentication type wasn't the same for IIS, the client and Outlook Anywhere; at the bottom there is a link with other causes and solutions)
  • After using Outlook for a while (2-3 minutes), configured to connect without SSL, it prompted 3 certificate errors

Steps that worked for me:

Because Windows seems to have a seriously strict certificate policy, I also just installed Certificate Services on the server.

Step 1 Installing Windows Server 2008 R2 x64 and Exchange 2010

  1. Install Windows Server 2008 R2 x64 (configure your static IP and computer name)
  2. Run DCPROMO
  3. Install Roles
    1. Active Directory Certificate Services
      • Certification Authority
      • Certification Authority Web Enrollment
    2. Web Server IIS
      • Security: Basic Authentication
      • Security: Windows Authentication
      • Performance: Static Content Compression
      • IIS 6 Management Compatibility: IIS6 Metabase Compatibility
  4. Install Features
    1. RPC over HTTP Proxy
  5. Install 2007 Office System Converter: Microsoft Filter Pack
  6. Set the startup mode of "Net.Tcp Port Sharing Service" to Automatic; in PowerShell: Set-Service NetTcpPortSharing -StartupType Automatic
  7. Install Updates (to be sure) and reboot
  8. Install Exchange 2010
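Microsoft supports but does not recommend running Exchange on a domain controller, and once Exchange is installed there the server can no longer be demoted; this is a small-office setup. The roles and features of Step 1 can be installed in one go from an elevated PowerShell prompt. This is an added example, not code from the original post; the feature identifiers are the Server Manager names on 2008 R2 and the list mirrors exactly what the steps above ask for (Microsoft's full prerequisite list for a typical role set is longer).

```powershell
# Added example: install the Step 1 roles and features on Windows Server 2008 R2
# from an elevated PowerShell prompt, then verify the result.
Import-Module ServerManager

$features = @(
    'ADCS-Cert-Authority',    # AD Certificate Services: Certification Authority
    'ADCS-Web-Enrollment',    # Certification Authority Web Enrollment (the /certsrv pages)
    'Web-Server',             # Web Server (IIS)
    'Web-Basic-Auth',         # IIS > Security: Basic Authentication
    'Web-Windows-Auth',       # IIS > Security: Windows Authentication (NTLM for Outlook Anywhere)
    'Web-Stat-Compression',   # IIS > Performance: Static Content Compression
    'Web-Metabase',           # IIS 6 Management Compatibility: IIS 6 Metabase Compatibility
    'RPC-over-HTTP-proxy'     # Feature: RPC over HTTP Proxy (required by Outlook Anywhere)
)

$result = Add-WindowsFeature -Name $features
if (-not $result.Success) {
    throw "Feature installation failed:`n$($result.FeatureResult | Out-String)"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A reboot is required before Exchange setup will pass its prerequisite checks.'
}

# Exchange setup refuses to continue unless Net.Tcp Port Sharing starts automatically
Set-Service -Name NetTcpPortSharing -StartupType Automatic

# Verification: every requested feature must report Installed, and the service must be Auto
Get-WindowsFeature -Name $features |
    Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "Still missing: $($_.Name)" }

Get-WmiObject -Class Win32_Service -Filter "Name='NetTcpPortSharing'" |
    Select-Object Name, StartMode, State
```

Run it before step 7 (Windows Update and reboot); anything the verification block warns about must be fixed before starting Exchange setup, which otherwise stops at the readiness check with the same missing-component message.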

Step 2 Installing Certificate

  1. Follow this tutorial to install a certificate signed by your own CA: http://gretech.be/blog/index.php/2010/04/24/installing-exchange-certificate-using-ad-certificate-services-gui-on-exchange-2010/

Step 3 Enable Outlook Anywhere (RPC over HTTP)

  1. Open Exchange Management Console
  2. Server Configuration > Client Access > Right click your server > Enable Outlook Anywhere
  3. Fill in the external host name, check NTLM and complete the wizard (I chose NTLM because with NTLM Windows can remember your password, so you aren't asked for credentials every time you open Outlook; see the later steps to configure that on your Windows client PC)
  4. Reboot
  5. Check that it is activated: Event Viewer > right-click Application log > Filter > Event ID: 3006; normally there is an entry saying it is enabled
  6. HOSTS file edit. Normally this is only needed if the Exchange server is a domain member, and not required when the Exchange server and the DC are the same machine, but just to be sure I did it anyway:
    1. Open C:\Windows\system32\drivers\etc\hosts
    2. Comment out the ::1 line if needed
    3. Add something like this (gretechmail is the computer name, 91.196.171.202 its address):

      ::1 localhost
      91.196.171.202 gretechmail
      91.196.171.202 gretechmail.adn.gretech.be

See also: Enable Outlook Anywhere video tutorial (only step 1 needed); Default settings for Exchange-related virtual directories in Exchange Server 2007.

Step 4 Autodiscover

  1. Create the CNAME autodiscover.emaildomain.com (e.g. if your email domain is @gretech.be, create the host autodiscover.gretech.be and point it to the mail server, in our case gretechmail.adn.gretech.be), or use a SRV record if your DNS allows it: http://support.microsoft.com/kb/940881. Whatever name you publish must also be on the Exchange certificate, otherwise Outlook warns about a name mismatch.

More autodiscover options and troubleshooting can be found here: http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/

Testing Autodiscover: Test-OutlookWebServices -Identity Administrator | fl

Problem: At first Autodiscover didn't work for me; after running the above command in the Exchange Management Shell I got the following error:

When contacting https://gretechmail.adn.gretech.be/Autodiscover/Autodiscover.xml received the error The remote server returned an error: (500) Internal Server Error.

The solution that worked for me was:

Remove-AutodiscoverVirtualDirectory -Identity "gretechmail\Autodiscover (Default Web Site)"

New-AutodiscoverVirtualDirectory
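Steps 3 and 4 can be done and, more importantly, checked from the Exchange Management Shell instead of the console. The block below is an added example and not code from the original post; the names it uses (server gretechmail, external host gretechmail.adn.gretech.be, SMTP domain gretech.be, the Administrator mailbox) are assumptions taken from this page and must be replaced with your own.

```powershell
# Added example: Steps 3 and 4 from the Exchange Management Shell, with the checks that
# catch the two problems described in the post (password loop, Autodiscover 500).
# Assumed names, replace with yours:
$server   = 'gretechmail'
$external = 'gretechmail.adn.gretech.be'
$domain   = 'gretech.be'

# --- Step 3: Outlook Anywhere (RPC over HTTPS), NTLM so Windows can cache the credential ---
if (-not (Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue)) {
    Enable-OutlookAnywhere -Server $server -ExternalHostname $external `
        -ClientAuthenticationMethod Ntlm -SSLOffloading $false
}
# Client, IIS and connector authentication must agree, or Outlook loops on the password prompt
Get-OutlookAnywhere -Server $server |
    Format-List ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading

# The RPC over HTTP component logs Event ID 3006 in the Application log once it is really enabled
Get-EventLog -LogName Application -After (Get-Date).AddDays(-1) |
    Where-Object { $_.EventID -eq 3006 } |
    Select-Object TimeGenerated, Source, Message

# --- Step 4: Autodiscover ---
# Outlook tries https://<domain>/Autodiscover/Autodiscover.xml, then
# https://autodiscover.<domain>/Autodiscover/Autodiscover.xml, then the SRV record
# _autodiscover._tcp.<domain> (KB 940881). At least one of these must resolve to the CAS.
try {
    [System.Net.Dns]::GetHostAddresses("autodiscover.$domain") |
        ForEach-Object { "autodiscover.$domain -> $($_.IPAddressToString)" }
} catch {
    Write-Warning "autodiscover.$domain does not resolve: $($_.Exception.Message)"
}
nslookup -type=SRV "_autodiscover._tcp.$domain" 2>&1 | Select-String 'svr hostname|port'

# Domain-joined Outlook clients find the service through the SCP in AD; that URL and the
# DNS name above must both appear on the certificate bound to IIS
Get-ClientAccessServer -Identity $server | Format-List AutoDiscoverServiceInternalUri
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { "Names on the IIS certificate: $($_.CertificateDomains -join ', ')" }

# End-to-end test; the post's "(500) Internal Server Error" from Autodiscover.xml shows up here
Test-OutlookWebServices -Identity Administrator | Format-List

# Fix that worked in the post when Autodiscover.xml returned 500: recreate the virtual directory
# Remove-AutodiscoverVirtualDirectory -Identity "$server\Autodiscover (Default Web Site)" -Confirm:$false
# New-AutodiscoverVirtualDirectory -WebSiteName 'Default Web Site'
```

The authentication listing is the first thing to compare when Outlook keeps asking for a password: ClientAuthenticationMethod, the IIS authentication on the /rpc virtual directory and the setting in the Outlook profile have to be the same (NTLM everywhere in this setup).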

Step 5 Configuring the Hub Transport role to receive Internet mail (the linked Exchange 2007 article applies equally to 2010; this applies only when all Exchange roles are installed on one server, so no Edge server)

http://msexchangeteam.com/archive/2006/11/17/431555.aspx

  • Server Configuration > Hub Transport > Default receive connector: allow anonymous connections on the receive connector (this does not turn the server into an open relay: anonymous senders can only submit mail for your accepted domains)
  • Organization Configuration > Hub Transport > Accepted domains: add the domains for which the server accepts mail
  • Organization Configuration > Hub Transport > create a new Send Connector (to the Internet, all domains) (http://www.petri.co.il/configuring-exchange-2007-send-external-email.htm)
  • Enable anti-spam (using PowerShell):

    cd "C:\Program Files\Microsoft\Exchange Server\V14\Scripts\"
    ./install-AntispamAgents.ps1
    restart-service msexchangetransport

  • Disable the Microsoft Exchange EdgeSync service
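The same Step 5 configuration from the shell, followed by the one check that matters on an Internet-facing connector: that allowing anonymous connections has not granted relay rights. This is an added example, not the post's own commands; server name gretechmail and domain gretech.be are assumptions taken from this page, the script path is the one quoted above.

```powershell
# Added example: Step 5 from the Exchange Management Shell plus an open-relay check.
# Assumed names, replace with yours:
$server = 'gretechmail'
$domain = 'gretech.be'

# The Default receive connector on this server is the one Internet MTAs will hit on port 25
$rc = Get-ReceiveConnector -Server $server | Where-Object { $_.Name -like 'Default*' }

# Internet MTAs do not authenticate, so anonymous sessions must be allowed on it
Set-ReceiveConnector -Identity $rc.Identity `
    -PermissionGroups AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# Mail for the domain is only accepted if the domain is an accepted (authoritative) domain
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $domain })) {
    New-AcceptedDomain -Name $domain -DomainName $domain -DomainType Authoritative
}

# Outbound: one send connector for every address space, routed by DNS MX lookup
if (-not (Get-SendConnector | Where-Object { $_.Name -eq 'Internet' })) {
    New-SendConnector -Name 'Internet' -Usage Internet -AddressSpaces '*' `
        -DNSRoutingEnabled $true -SourceTransportServers $server
}

# Anti-spam agents (normally an Edge role feature) on the single Hub server, then restart transport
& 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts\install-AntispamAgents.ps1'
Restart-Service MSExchangeTransport

# No Edge server exists, so EdgeSync has nothing to synchronise with
Stop-Service -Name MSExchangeEdgeSync -ErrorAction SilentlyContinue
Set-Service -Name MSExchangeEdgeSync -StartupType Disabled

# Relay check. The AnonymousUsers permission group grants Submit, Accept-Any-Sender and
# Accept-Authoritative-Domain-Sender only. If ANONYMOUS LOGON also holds
# ms-Exch-SMTP-Accept-Any-Recipient the server relays for the whole Internet.
$relay = Get-ReceiveConnector -Identity $rc.Identity | Get-ADPermission |
    Where-Object {
        $_.User -like '*ANONYMOUS LOGON*' -and
        ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*')
    }
if ($relay) {
    Write-Warning "$($rc.Name): anonymous senders may relay to any recipient. OPEN RELAY, fix before exposing port 25."
} else {
    "$($rc.Name): anonymous senders can only submit to accepted domains (no relay)."
}
```

Relay rights for anonymous are never granted by the Exchange Management Console; they only appear when someone runs Add-ADPermission by hand for a "relay" connector, which is why the check is worth repeating after anyone else has touched the connectors.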

Step 6 Configure outlook and remember my password

  1. Install the CA certificate in IE with admin rights
    (XP: use the Rootinstall.asp page created in step 2 of the certificate post
    Vista/7: download, open and install the CA-cert.cer file created in step 2 into the "Trusted Root Certification Authorities" store)
  2. Control Panel > View profiles > Add > Enter a profile name.
  3. Normally, if Autodiscover works, you can just enter your name and email address as they are in AD.

But, for testing purposes, the manual procedure (with screenshots) is below.

  1. Control Panel > View profiles > Add > Enter a profile name.
  2. Manually configure server settings > Select Microsoft Exchange and click next
  3. Server: e.g. gretechmail.adn.gretech.be (in our case); Username: e.g. Gregory Beankens; click More Settings (ignore errors)
  4. On the Security tab
    1. Encryption > Check Encrypt data between Microsoft Outlook and Microsoft Exchange
    2. Logon network security > Negotiate Authentication
  5. On the Connection tab
    1. Check Connect to Microsoft Exchange using HTTP
    2. Click Exchange Proxy Settings (check screenshot below)
  6. Click OK in all the windows and then Next to finish the wizard

How to remember my password:

  1. Control Panel > User Accounts; if necessary click on your account name
  2. On the left, Manage your credentials (Manage your network passwords in Vista) > Add
  3. Domain: the AD domain name (e.g. adn.gretech.be); Username: your username (e.g. Gregory Beankens)
    (ADdomainName\Username in Windows XP and Vista)

Handy installation guide for 2007; the 2010 installation looks the same.

http://www.commodore.ca/windows/exchange/how_to_setup_exchange_2007_in_2hours.htm

Other solutions for the endless loop asking for logon credentials (login and password) when opening Outlook:

http://dominicfallows.co.uk/2008/11/03/outlook-2007-keeps-asking-for-a-password-when-connecting-to-exchange-2007-rpc-over-http-outlook-anywhere/

24 Apr 2010

Installing Exchange Certificate using AD Certificate Services (GUI) on Exchange 2010

Installing all the necessary Roles & Features

  1. Role: Active Directory Certificate Services
    (Certification Authority & Certification Authority Web Enrollment)
    (if asked for an expiry date, put it at 2060 or so)

Summary:
First we create a certificate server for the domain; after that we export a certificate request from Exchange, submit it to the created Certificate Authority using the web interface, save the .cer file and import it into Exchange again. After all that, do not forget to import the Certificate Authority's certificate on the client PCs to avoid security warnings.

Step 1: Creating exchange certificate and exporting the request:

Follow this tutorial:
http://blogs.microsoft.co.il/blogs/eldadc/archive/2009/07/15/how-to-configure-exchange-2010-certificate.aspx
- On the Organization and Location page, save the .req file, e.g. as C:\Exch_req.req.
When asked to send the request to a certificate authority, go to step 2. After step 2, continue the above tutorial.

Step 2: Submit Certificate request to your Certificate server

  1. In IE on your certificate server, browse to https://127.0.0.1/certsrv (first make sure 127.0.0.1 is a trusted site)
  2. Click Request a certificate
  3. Advanced certificate request
  4. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
  5. Open C:\Exch_req.req with Notepad and copy the Base64-encoded request (the text between the BEGIN and END lines; this is the PKCS #10 request itself, not a thumbprint)
  6. Paste it into the Saved Request field
  7. Change the Certificate Template to Web Server
  8. Click Submit
  9. Download the Base64 versions of the certificate (.cer) and of the certificate chain (.p7b), and save them as C:\exch-sert.cer and C:\exch-sert.p7b
  10. Continue the tutorial from step 1.

Step 3: Get your CA certificate and create installation web page for clients (so clients accept all certificates from this CA)

  1. Again go to https://127.0.0.1/certsrv/
  2. Click Download a CA certificate, certificate chain, or CRL, and click Yes in the Web Access Confirmation dialog
  3. Select Base 64
  4. Click Download CA certificate and save it to C:\CA-cert.cer
  5. Create and edit C:\Inetpub\Wwwroot\Rootinstall.asp
  6. Open http://support.microsoft.com/?scid=kb%3Ben-us%3B297681&x=6&y=7, go to step 3 and copy that text into the file.
  7. Replace
    Set MyFile = fs.OpenTextFile("c:\certificates\base64.cer", 1)
    by
    Set MyFile = fs.OpenTextFile("C:\CA-cert.cer", 1)
  8. Browse to the Rootinstall.asp file from a client browser. If your root certificate is not already in the store, you are prompted to install it.

Vista / Windows 7: the Rootinstall.asp page doesn't seem to work in Vista and 7, so clients have to install the certificate manually.
To allow clients to download the .cer file created above, open Server Manager and open IIS 7:

First add the MIME type (IIS > MIME Types, add extension .cer, type application/pkix-cert).

Second, rename the .cer handler mapping to .cer1 so the file is no longer intercepted by a handler and can be downloaded by the clients.
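The whole round-trip of this post (request, submission with the Web Server template, import, binding, CA certificate export, verification) can also be done without the browser, on the server that runs both Exchange and the CA. This is an added example, not the post's own commands; the names (gretechmail.adn.gretech.be, autodiscover.gretech.be, gretechmail, organisation "Gretech", country BE) and the paths under C:\ are assumptions taken from this page, and the template name WebServer is the built-in Web Server template the web page selects.

```powershell
# Added example: the certificate round-trip from the Exchange Management Shell.
# Assumed values, replace with yours:
$names = 'gretechmail.adn.gretech.be', 'autodiscover.gretech.be', 'gretechmail'
$req   = 'C:\Exch_req.req'       # PKCS #10 request (Base64), same file as in Step 1
$cer   = 'C:\exch-sert.cer'      # issued certificate, same file name as in Step 2

# Step 1: one request with the external name as CN and every other name Outlook will use as a SAN.
# Exchange 2010 returns the Base64 request as a string; the private key stays on this server.
$data = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -SubjectName "C=BE, O=Gretech, CN=$($names[0])" -DomainName $names
Set-Content -Path $req -Value $data

# Step 2: submit the very same PKCS #10 to the enterprise CA with the Web Server template.
# certreq locates the single enterprise CA through Active Directory (add -config "host\CA name"
# if you have more than one). What the web form calls "Saved Request" is this file's content.
certreq -submit -attrib 'CertificateTemplate:WebServer' $req $cer

# Import the issued certificate (must run where the request was made, the key is there) and
# bind it to IIS (Outlook Anywhere, Autodiscover, OWA) and SMTP (TLS on the receive connector)
$bytes = [System.IO.File]::ReadAllBytes($cer)
$cert  = Import-ExchangeCertificate -FileData $bytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# Step 3: export the CA's own certificate for the clients. certutil writes DER; the Rootinstall.asp
# page from KB 297681 reads Base64, so convert it as well.
certutil -ca.cert C:\CA-cert.der
certutil -encode C:\CA-cert.der C:\CA-cert.cer

# Checks: every name is on the certificate, it is bound to the services, and the chain verifies
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Status
$missing = $names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Names missing from the certificate: $($missing -join ', ')" }
certutil -verify $cer | Select-Object -Last 5
```

If a name is missing the clients will not trust the certificate even after importing the CA certificate: the "issued by a company you have not chosen to trust" warning goes away, but Outlook then complains that the name on the certificate does not match the server name.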

Links
http://it.thelibrarie.com/weblog/?p=55

8 Apr 2010

Cisco 877 (800 series) RFC 2684 (formerly RFC 1483) multi-protocol over ATM: config for Dommel CityConnect (WAN DHCP, ADSL2+)

The config I use for the Belgian provider Dommel with the CityConnect ADSL2+ they offer.

  • WAN IP: DHCP (ATM0.1 point-to-point)
  • LAN Router IP: 10.10.10.1
  • DHCP Range: 10.10.10.10 10.10.10.240
  • DNS Server forwarding requests to OpenDNS
  • NTP server forwarding requests to 81.246.92.140 and 212.68.213.7 (be.pool.ntp.org IPs)
  • Timezone Paris
  • Incoming ACL: 101
  • Outgoing ACL: 100
  • SSH via WAN on port 822
  • SNMP Private string: privateString
  • SNMP Public string: publiekeString
  • Logging the previous 300 configuration changes (archive log config)


!* cisco-axelius.axelius.be.CiscoConfig
!* IP Address : 10.10.10.1
!* Community : privateString
!* Downloaded 21/03/2010 19:07:58 by SolarWinds Config Transfer Engine Version 5.5.0
!
! Last configuration change at 19:06:47 Paris Sun Mar 21 2010 by admin
! NVRAM config last updated at 19:06:53 Paris Sun Mar 21 2010 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco-axelius
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ...
!
no aaa new-model
!
resource policy
!
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp excluded-address 10.10.10.241 10.10.10.254
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name axelius.be
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto pki trustpoint TP-self-signed-4008809079
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4008809079
revocation-check none
rsakeypair TP-self-signed-4008809079
!
!
crypto pki certificate chain TP-self-signed-4008809079
certificate self-signed 01
30820250 ...
quit
username admin privilege 15 secret 5
archive
log config
logging enable
logging size 300
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
description Physical ADSL (ATM) interface
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description ATM Routed Bridge Encapsulation (RBE) subinterface for Internet
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 8/35
encapsulation aal5snap
protocol ip inarp
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
no ip virtual-reassembly
!
interface Dialer0
no ip address
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 822
ip dns server
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=17
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any established
access-list 101 permit udp host 212.68.213.7 eq ntp any eq ntp
access-list 101 permit udp host 81.246.92.140 eq ntp any eq ntp
access-list 101 permit udp host 208.67.220.220 eq domain any
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 permit tcp any any eq 822
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip any any
snmp-server community privateString RW
snmp-server community publiekeString RO
snmp-server location Hasselt
snmp-server contact GregoryBE
!
control-plane
!
banner login Authorized access only!
Gretech Configured router. Unauthorized access will be logged.
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179862
ntp master
ntp server 81.246.92.140 prefer
ntp server 212.68.213.7
end
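A few lines of that configuration deserve a second look before the router sits on a public ADSL line: the vty lines still accept Telnet, the SNMP communities (one of them read-write) carry no source ACL, plain HTTP management is on next to HTTPS, AAA is off and the SSH version is not pinned. The block below is an added example, not part of the original post: a small audit that flags those patterns in a running-config. The excerpt it checks is a constructed copy of the relevant lines from the config above; point $config at your own "show running-config" output instead.

```powershell
# Added example: flag weak management-plane settings in a Cisco IOS running-config.
# $config is a constructed excerpt of the configuration above (assumption: same syntax as IOS 12.4).
$config = @'
no aaa new-model
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
ip http server
ip http secure-server
ip ssh authentication-retries 5
snmp-server community privateString RW
snmp-server community publiekeString RO
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
ntp master
'@ -split "`r?`n"

function Test-IosConfig {
    param([string[]]$Lines)
    $f = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Severity, $Line, $Issue, $Fix) {
        $f.Add([pscustomobject]@{ Severity = $Severity; Line = $Line.Trim(); Issue = $Issue; Fix = $Fix })
    }
    foreach ($l in $Lines) {
        switch -Regex ($l) {
            '^\s*transport input .*\btelnet\b' {
                Add-Finding 'High' $l 'Telnet accepted on vty: passwords and sessions cross the wire in cleartext' `
                    'transport input ssh' }
            '^\s*snmp-server community \S+ RW' {
                Add-Finding 'High' $l 'Read-write SNMP community without a source ACL: whoever learns the string can rewrite the config' `
                    'Remove the RW community; use SNMPv3 authPriv, or at least "RO <acl>"' }
            '^\s*snmp-server community \S+ RO\s*$' {
                Add-Finding 'Medium' $l 'Read-only community not restricted by an ACL' `
                    'snmp-server community <name> RO <acl-number>' }
            '^\s*ip http server\s*$' {
                Add-Finding 'Medium' $l 'Cleartext HTTP management enabled alongside HTTPS' `
                    'no ip http server (keep ip http secure-server)' }
            '^\s*no aaa new-model' {
                Add-Finding 'Low' $l 'AAA disabled: no login accounting, no lockout after failed logins' `
                    'aaa new-model, aaa authentication login default local, login block-for 120 attempts 3 within 60' }
            '^\s*clock summer-time \S+ date ' {
                Add-Finding 'Low' $l 'One-off DST dates stop applying after that year; log timestamps drift by an hour' `
                    'clock summer-time Paris recurring last Sun Mar 2:00 last Sun Oct 3:00' }
        }
    }
    # Absence checks: things that should be there and are not
    if (-not ($Lines -match '^\s*ip ssh version 2')) {
        Add-Finding 'Medium' '(missing)' 'SSH protocol version not pinned, so SSHv1 remains negotiable' 'ip ssh version 2'
    }
    $order = @{ High = 0; Medium = 1; Low = 2 }
    $f | Sort-Object @{ Expression = { $order[$_.Severity] } }
}

Test-IosConfig -Lines $config | Format-Table -AutoSize -Wrap
```

On this particular router ACL 101 already drops Telnet, HTTP and SNMP arriving on the ATM interface (only TCP 822, the NTP and DNS replies, DHCP and a few ICMP types are permitted), so the findings concern the LAN side and defence in depth: a compromised host on 10.10.10.0/24 can read the RW community from the SolarWinds header at the top of the dump and reconfigure the router over SNMP or Telnet.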

Links:
http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a008071a5d0.shtml
http://forums.overclockers.com.au/showthread.php?t=460519

6 Apr 2010

Updating ESX 3.5 to 4.0: PANIC: Failed to find HD boot partition

In September I successfully updated an ESXi 3.5 host to ESXi 4.0.
A week ago I needed to upgrade another server,
so I thought there was no need to back up the VMs this time before doing the upgrade.
Of course, with no backup, the upgrade failed: the ESXi server rebooted after performing the upgrade with vSphere and came up with the following message:

PANIC: Failed to find HD boot partition.

Before trying the repair wizard on the ESXi 3.5 CD, I backed up all VMs to another machine over the network using an Ubuntu Live CD. How to mount the VMFS store:

  • In Software Sources, enable the Universe repository and reload the package list
  • Open a terminal: su (or prefix the following commands with sudo)
  • apt-get install vmfs-tools
  • mkdir /vmdir/
  • vmfs-fuse /dev/sda3 /vmdir/ (device first, then mount point; look up your sda partition, e.g. in GParted)

Also useful to know, to speed up the backup:
- Mounting a Samba share on a directory:
apt-get install smbfs
sudo mount -t smbfs -o username=usernamePC,password=ShareAccessPassword,workgroup=MSHOME,gid=smb,uid=$USER,fmask=770,dmask=770,rw "//DEVMACHINE/Share with Spaces" /createdDir
(a credentials=/path/to/file option instead of username=/password= keeps the share password out of the command line and the process list)

So, after creating a backup, I tried the ESX 3.5 repair wizard, which is useless: it re-installs ESX and leaves the VMFS store unallocated.

I then just installed ESXi 4 (which formats the whole disk).

Second problem: I started the vSphere Update client, and when scanning for updates I got:

The scan operation has failed... Check the logs.

The problem wasn't well known on the internet, so I just reinstalled a second time. Surprisingly the problem disappeared and the updates were installed correctly.

Then I just installed VMware converter on the backup PC to re-import the VM's to the ESXi server in the new VMware 7 format.