There are two common password scenarios that occur:

1. When a users password has expired and they attempt to logon to OWA the user fails to logon and receive a generic error message.

2. When a new user account is created and an administrator wants to force the user to change their password at next logon, however the user will not be able to logon to OWA

Exchange 2007 SP3 and Exchange 2010 SP1 have remedied the two issues above by creating a new module in IIS that detects a user has an expired password or the user account is set to “user must change password at next logon”. 

You may ask what do I need to do?

http://technet.microsoft.com/en-us/library/ff607232(EXCHG.80).aspx

1. Log on to the Exchange server that is running the CAS role by using an account that has local administrator rights

2. Start Registry Editor, and then locate the following registry subkey:

3. HLKM\SYSTEM\CurrentControlSet\Services\MSExchange OWA

4. Create the following DWORD value if it does not already exist:

5. Value name: ChangeExpiredPasswordEnabledValue type: REG_DWORDValue data: 1

6. Exit Registry Editor

7.  From a command window perform an IISReset

Let walk through some tests:

1. Create a new user called PwdTest

a. Open EMC

b.  Expand Recipient Configuration and select Mailbox

c. From the actions pane select New Mailbox

d. On the new Mailbox wizard select “User Mailbox” and click Next

e. Select New User and click Next

f.  Input PwdTest for the userId information and validate the check box “User must change password at next logon”

g. On the Mailbox Settings page leave the default and click Next

h. On the Archive Settings check the radius button “don’t create an archive” and click Next

i. On the New Mailbox page click New

j.  Click Finish to complete the mailbox creation

2. Now that we have created our new mailbox and have the account set to force a password change for our user we need to attempt to logon to OWA

a.  Open the OWA logon Page and attempt to logon with our new user PwdTest

b.  Notice we receive a generic password error message

3.  As we see the logon fails until we modify the Registry of our CAS server

a. Start the Registry editor : Start – Run –RegEdit
b. Expand to  HLKM\SYSTEM\CurrentControlSet\Services\MSExchange OWA

c. Create the following DWORD Value: ChangeExpiredPasswordEnabled

d.  Set the value to 1

e. Exit Registry Editor

f.  From a command window perform an IISReset

4.  Now that we have created the appropriate Registry key we can attempt to logon to OWA again

a.  Open the OWA logon page and attempt to logon with the PwdTest user

b. We are now presented a change password form

c. After completing the form you will receive and successful change message

d. You are now presented the OWA logon form again. Attempt to logon with the newly created password

e. you now have a successful OWA logon

Get-MailboxDatabase -Status | fl name,databasesizes

Name         : DB001

DatabaseSize : 141.8 GB (152,220,270,592 bytes)

 Name         : DB002

DatabaseSize : 98.17 GB (105,412,362,240 bytes)

Today in Exchange 2010 when a user logs onto OWA and selects the options button they are taken into what is now called the Exchange Control Panel or ECP which has added some functionality for users.  One problem that I have found is that Microsoft has provided users with some nice links telling them how to configure their mobile device or Outlook anywhere but those links directt users to Outlook.Com configuration which tends to generate support calls.

Those links are controlled by a file located here  C:\Exchange\ClientAccess\ecp\PersonalSettings\QuickLinks.ascx , this file can be copied and modified with company faq settings to direct users to the appropriate place. I must note that every RollUp applied or Service Pack will overwrite your custome file and you must recopy the file back to this directory.  The 2nd point I need to make is that every build of Exchange (after rollup or service pack) you need to copy the new file and modify that file because Microsoft could have made changes in security or configuration, reusing the same old file could cause issues.  You will also have to copy this file to each CAS server.

Lets logon to OWA and take a look at the default settings:

You can see when I hover over Connect  Outlook to this account the url is set to http://help.Outlook.com

Close OWA

1. On your CAS server browse to the following file C:\Exchange\ClientAccess\ecp\PersonalSettings\QuickLinks.ascx copy this file to your desktop so we can edit it

2.  Open the QuickLinks file with Notepad

3.  I have highlighted the section we are going to work on which is the Mobile section

4.  We are going to remove this line <div><asp:Literal ID=”ltlMobileDevices” runat=”server” Text=”<%$ Strings:QLPushEmail %>” /></div>

5.  Insert and href like this : <ecp:<P><A HREF=http://www.exchange-genie.com target=”_blank”> Configure your mobile device with Active Sync for Beta Mail </A></P>

6. Save our file

7. Rename the origianl file to .old or some other extension

8. copy and paste our new file into the following location C:\Exchange\ClientAccess\ecp\PersonalSettings\QuickLinks.ascx

9. Logon to OWA into ECP

10. Hover over the Mobile link and you will see the url now points to http://exchange-genie.com

The only 2 items you should modify in this file are related to Mobile and Outlook connections

One of the biggest advantages to RU1 is allowing functionality with RIMs BES servers, however RIM is suppose to release an MR1 soon for Exchange 2010 intergration that will be required on the BES servers

Changes http://support.microsoft.com/?kbid=976573

RIM information to configure Exchange 2010 and BES

http://na.blackberry.com/eng/services/server/exchange/2010support.jsp

//this scripts gets all the database names and counts the number of users per database

 $dblist=Get-MailboxDatabase

($dblist | %{write-host $_.name (get-mailbox -database $_.name).count})

http://www.microsoft.com/presspass/press/2009/nov09/11-09techedeurope09pr.mspx

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=05741f65-2a7b-4070-879f-d74208d6171d#tm

Today Oct. 8th the best versions of Microsoft Exchange has been offically released!

http://msexchangeteam.com/archive/2009/10/08/452775.aspx

Exchange 2010 is Code Complete and on its way to General Availability

We are happy to announce that Exchange 2010 is Code Complete!  Our senior leadership team has signed off on the final code, and it has been sent to our early adopters for one final look before its public release. This Release to Manufacturing (RTM) milestone means we are on our way to general availability and the launch at Tech·Ed Europe 2009 (http://www.microsoft.com/europe/teched/) in early November.

For those of you attending Tech·Ed in Berlin this year, be sure to check out the Unified Communications track, which is packed with technical content on Exchange 2010. And be sure to visit us at the Exchange product booth in the Exhibition Hall and let us know what you think of the product. Crystal Flores, who interviewed some of you on video at Tech·Ed North America earlier this year, will be on-hand in Berlin in a few weeks, armed with a camera and interview questions.  A group of us are also marching to Las Vegas for Exchange Connections the same week where our fearless leader Rajesh is giving the keynote.

We hope to see you in Berlin or Vegas, but if you can’t join us in person, tune in via the Web (www.thenewefficiency.com) to be part of the launch.

- The Exchange Team

As you will discover later in this blog a common issue that user experience if they are running Outlook 2003 is related to the default configuration requiring encryption to be enabled on the Outlook client or connections will fail. I will go into more detail later on this topic.

When a user opens Outlook today a number of items occur but the main one I am going to talk about is the connection from the client directly to the mailbox server to retrieve their mail via mapi-rpc. 

How clients connected pre Exchange 2010

Some of the issues with this configuration even when using an SCC or CCR cluster is during a failover the client connection point will be disrupted even if only for a few moments. This also means that clients are making a direct connection to the server which is limited to 60k connections to the information store. This does not mean 60k users, as client makes a number of connections to the system.

As the Exchange team looked at how they can better scale Exchange 2010 one of the new techniques was to move the client connection endpoint to the CAS server instead of the mailbox server. This allows for a number of things to happen.

1. During a database move/failover the client end point does not go down and makes the move seamless to the user
2. If you reach the 60k port limit you just add an additional CAS server to the rpc array

Let’s take a look at our Exchange settings….

How do I know what my mapi end point is?

At first thought you may think this is configured per user however that is not the case. To find out what your rpc client end point is you need to run the following command get-mailboxdatabase “yourdatabase” | fl  name,rpc* the output of this command will show you each  RpcClientAccessServer associated with each database.

By default there is no rpc array configured, the name of a random CAS server in the same AD site will be directly associated with each database.

Let’s run our command and see what settings we have  get-mailboxdatabase | fl  name,rpc*

You can see that our  RpcClientAccessServer points to my CAS server

Let’s create a new mailbox database in EMC:

Open EMC -> Organization Configuration -> mailbox

Right click and select New Mailbox database

I am going to call my database rpcservercheck and specify the server as E14Ex1

Specify the logs and database path

C:\db\db and c:\db\logs

**note I dont recommend these location but this is just a lab **

Click New to complete the database

Now that we create the new database lets run our command again:

You can see the new database also shows the CAS server, since I only have one CAS in this environment they are configured the same.

Outlook Profile

After setting up an Outlook profile let’s take a look at see that our mapi end point is now the CAS server

With Outlook 2007 click Tools – Accounts Settings

Select the profile and click Change

We can see that our Microsoft Exchange Server information points to the CAS  fqdn and not our mailbox server

If we hold down CTR and right click the Outlook system tray icon we can bring up our connection status

You can see that all Directory and mail connections are now going to the CAS server with 1 exception, public folders. Yes, public folders calls are still direct connections from the client to the mailbox server hosting the public folder.

WireShark

If we use a network sniffer  to capture traffic from our client 192.168.1.59 we can see that NSPI and MAPI requests from Outlook are all directed to the CAS

How does this work?

On each CAS server there is a new service that runs called the MSExchangeRPC which runs as  Microsoft.Exchange.RpcClientAccess.Service.exe and listens on port 6001 for HTTP connection and uses dynamic ports by default for tcp/ip connections

By default when you install Exchange 2010 the files that makeup this service will be located in  C:\Program Files\Microsoft\Exchange Server\V14\Bin

When connections are made to the CAS server by the mapi client, the CAS server then creates a channel to the mailbox server to retrieve the mailbox data.  The CAS server will create a maximum of 100 Rpc connections to the mailbox server

Encryption

As I briefly mentioned in the introduction by default Exchange requires the client to connect with encryption enabled.  This is not set on each database but on each rpc server and can be found with the following command  Get-RpcClientAccess | fl server,encrypt*

 [PS] C:\>Get-RpcClientAccess | fl server,encrypt*

Server             : E14-EX1

EncryptionRequired : True

Server             : E14-EX2

EncryptionRequired : True

 Server             : E14CAS1

EncryptionRequired : True

After running the command you can see that each CAS and Mailbox server has this configuration. You may ask why would the mailbox server require this is all the client connections are direct to the CAS? You may recall that I stated above that the clients still connects direct to the mailbox server  for public folder access.

How do I know if my Outlook client is setup to use encryption?

Let’s look in our Outlook client to see this setting:

Using the same steps as before open your Outlook settings -> click More Settings

Select the Security Tab

We can see that Outlook 2007+ defaults to having encryption enabled however Outlook 2003 does not

 If you have a large number of Outlook 2003 users you have a few options:

1. Use Group Policy to enable this setting
2. Disable this settings on the Exchange Server with the  Get-RpcClientAccess | Set-RpcClientAccess -EncryptionRequired:$false

**Recommended configuration is to keep encryption enabled**

1. Have users manually enable this setting
2. script

**Note this will also affect Outlook Anywhere users (formerly Rpc.https) **

Configuring an Rpc Array

Now that we have a basic understanding of how MOMT is used lets configure our first Rpc Array. You can use NLB or a hardware Load Balancer like F5 for the rpc array as either is supported however you cannot use NLB if your server is multi roled and a member of a DAG.

The dns entry for the array should not use a public dns name and only needs to be resolvable to the internal network.

Lets start with the Get-ClientAccessArray command just to show that we do not currently have an array

1. Create a DNS entry for your array name (I am going to use Site1Array.ExchangeGenie.local)

a. Open the DNS administration tool

b. Select the appropriate DNS Zone (for me .ExchangeGenie.local)

c. Right click and create a new host record (a cname would work as well)

d. Input the name and Ip for the record

e. Click Add Host

F. Click Done

G. Validate the record had been created

 H. Lets use Nslookup to validate the record is seen

Create an RPC Array

From an EMS window we will use the new-clientaccessarray command if you use the help …. get-help new-clientaccessarray, we can see the command takes in 2 require parameters FQDN and Site

If you dont know your AD site information you can use the get-ADSite command to get that information

As you can see I have renamed my default site to GenieSite1

New-ClientAccessArray -Name Site1Array.ExchangeGenie.Local -fqdn Site1Array.ExchangeGenie.Local -Site GenieSite1

As you can see we now have a new array called Site1Array.ExchangeGenie.Local

**Note the memeber paramenter will show every Exchange 2010 CAS in the AD site of the Array, which CAS server actually participate are based on the NLB nodes **

Does this mean you are done?

No,  creating an array but its self does nothing we have 2 additional steps 1. create the NLB for the Array and 2. associate the array to our database.

Creating an NLB for our Array

I am going to use WNLB for this blog which is a viable option however for large organization a hardware load balancer is advised.

If NLB is not installed on your CAS server you will need to do that first.

1. Open Server Manager

2.  Select Features

3.  Select Network Load Balancing

4. Click Next

5. Click Install

 6. Click close after the installation completes successfully

7. Launch NLB Manager

8.  From the file menu click Cluster -> New

9. Input the IP address or hostname of the CAS server and click Connect

10.  Select Next

11. Select Next unless you need to add an additional dedicated ip to the server

12. Click Add to add the VIP for the cluster ** this should match the ip that we used to create our dns record for the array**

13.  Enter the IP asscociated with the array and click OK

14.  Click Next

15.  Enter an FQDN that will be associated with the NLB, I have selected Mulicast for my cluster mode however please select the method that best fits your environment.

16.  Click Next

17. Click Remove to delete the default listening ports

 You can choose to listen on all ports however lets use the minimum required for the array which we will later scope down even lower. The minimum ports required will be 135, 1024-65535

a.   Click Add

b.  Remove the check box “All” so that we can scope which IP the ports listens on

c.  Add port 135 – 135 TCP and click OK

d. Report for port 1024 -65535 TCP and click OK

18.  Click Finish to complete building the NLB

Validate the NLB has been created properly

 Associating the Array with databases

 The final step for us is to associate the client array with our existing databases.  Any new databases will be automatically associated with the array in that site.

Lets open our Outlook client so we can see our current settings

Let’s use the following command to set our new array on all the current databases we have created 

Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer site1array.exchangegenie.local

**Please note the above command would do all databases you can use the –server switch to scope the databases returned you can use something like this to scope the site

C:\>Get-ExchangeServer | where {$_.isMailboxServer -eq $true -and $_.Site -eq ‘ExchangeGenie.Local/Configuration/Sites/GenieSite1′} | Get-MailboxDatabase **

We can validate the array association with the following command  Get-MailboxDatabase | fl rp*

***Please note it could take a few minute for this information to get updated for clients do to the store cache**

If we look at our client setting, they will get updated with autodiscover if the client is Outlook 2007+, for Outlook 2003 the client should be redirected after connecting to the current configured server.

You can see that all communication (except pf) is now connecting to our new client array

Scoping the Mapi Ports

By default when you open your Outlook client it attempts to make a connection to the rpc port ( 135) on the server andnegotiate a dynamic port above 1024 for usage.  If there are no firewalls between the clients and servers then you dont mind all the traffic however in many scenarios there are firewalls between the client network and servers.  To keep from the requirement of open port 135 and 1024 – 65535 you can make a few simple modifications to your CAS server to reduce the number of ports that are required to be open on the firewall.

There are 3 modifications you must make 1. Mapi which is a registry key change 2. Addres Book (NSPI) which is modifed in the config file and 3. Referral Service (RFR) modified in the config file.

We can restrict Rpc Client Access Array to a single port for each of the following settings Mapi,Address Book, and Referral Service let’s take a look at the default configuration below:

Key:HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem

Value:TCP/IP Port

Type:DWORD

*Note you will need to modify the same registry key on mailbox servers that host the public folder role

Earlier you saw the network wireshark data with the server making connections to the CAS on radom high number ports, in this section we are going to scope the port range down to 3 ports of our choosing.  Please note the client will still need access to port 135 for the initial connection.

Scoping the CAS server ports

1. Open the regsitry editor (start -> run -> regedit

2. browse to HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC

3. Create a new key ParametersSystem (Right click new-> key)

4. Create a new Dword TCP/IP Port

5. Input a port I have selected 50000

6. Restart the Microsoft Exchange RPC Client Access Service

7.  Open a command window and run NetStat -na

We can see that we are connecting the CAS server on port 50,000 and 135

**You will need to repeat these steps for any mailbox server this is hosting a public folder database**

8.  Open Microsoft.Exchange.AddressBook.Service.Exe.config  with notepad (default location is C:\Program Files\Microsoft\Exchange Server\V14\Bin)

9.  Modify the section “RpcTcpPort” to the port you desire, I am going to use 50,001 since I used 50,000 for the mapi port

10. Restart the Microsoft Exchange Active Directory Topology Service (note this will stop all the Exchange services)

11. Open a command window and run NetStat -na

You can see we are now listeing on port 50,000 for map and port 50,001 for Address Book

If we open Outlook again and run a netstat -na from our client we can see that we are connecting to the CAS server on port 50,001 and 50,001 and to our mailbox on port 50,000

CAS IP 192.168.1.60 and Mailbox 192.168.1.57 and CAS Array 192.168.1.61