I am sorry I have not written many posts lately, what you may not know is that I just had my first child a few weeks ago and have been living the new baby life.  The good news is I now have a little assistant that I have already begun his training to assist with the site.  Let me introduce you to my new little helper and Exchange Genie Jr.

The next Exchange Genie

Get-MailboxDatabase -Status | fl name,databasesizes

Name         : DB001

DatabaseSize : 141.8 GB (152,220,270,592 bytes)

 Name         : DB002

DatabaseSize : 98.17 GB (105,412,362,240 bytes)

Today in Exchange 2010 when a user logs onto OWA and selects the options button they are taken into what is now called the Exchange Control Panel or ECP which has added some functionality for users.  One problem that I have found is that Microsoft has provided users with some nice links telling them how to configure their mobile device or Outlook anywhere but those links directt users to Outlook.Com configuration which tends to generate support calls.

Those links are controlled by a file located here  C:\Exchange\ClientAccess\ecp\PersonalSettings\QuickLinks.ascx , this file can be copied and modified with company faq settings to direct users to the appropriate place. I must note that every RollUp applied or Service Pack will overwrite your custome file and you must recopy the file back to this directory.  The 2nd point I need to make is that every build of Exchange (after rollup or service pack) you need to copy the new file and modify that file because Microsoft could have made changes in security or configuration, reusing the same old file could cause issues.  You will also have to copy this file to each CAS server.

Lets logon to OWA and take a look at the default settings:

You can see when I hover over Connect  Outlook to this account the url is set to http://help.Outlook.com

Close OWA

1. On your CAS server browse to the following file C:\Exchange\ClientAccess\ecp\PersonalSettings\QuickLinks.ascx copy this file to your desktop so we can edit it

2.  Open the QuickLinks file with Notepad

3.  I have highlighted the section we are going to work on which is the Mobile section

4.  We are going to remove this line <div><asp:Literal ID=”ltlMobileDevices” runat=”server” Text=”<%$ Strings:QLPushEmail %>” /></div>

5.  Insert and href like this : <ecp:<P><A HREF=http://www.exchange-genie.com target=”_blank”> Configure your mobile device with Active Sync for Beta Mail </A></P>

6. Save our file

7. Rename the origianl file to .old or some other extension

8. copy and paste our new file into the following location C:\Exchange\ClientAccess\ecp\PersonalSettings\QuickLinks.ascx

9. Logon to OWA into ECP

10. Hover over the Mobile link and you will see the url now points to http://exchange-genie.com

The only 2 items you should modify in this file are related to Mobile and Outlook connections

One of the biggest advantages to RU1 is allowing functionality with RIMs BES servers, however RIM is suppose to release an MR1 soon for Exchange 2010 intergration that will be required on the BES servers

Changes http://support.microsoft.com/?kbid=976573

RIM information to configure Exchange 2010 and BES

http://na.blackberry.com/eng/services/server/exchange/2010support.jsp

Today Oct. 8th the best versions of Microsoft Exchange has been offically released!

http://msexchangeteam.com/archive/2009/10/08/452775.aspx

Exchange 2010 is Code Complete and on its way to General Availability

We are happy to announce that Exchange 2010 is Code Complete!  Our senior leadership team has signed off on the final code, and it has been sent to our early adopters for one final look before its public release. This Release to Manufacturing (RTM) milestone means we are on our way to general availability and the launch at Tech·Ed Europe 2009 (http://www.microsoft.com/europe/teched/) in early November.

For those of you attending Tech·Ed in Berlin this year, be sure to check out the Unified Communications track, which is packed with technical content on Exchange 2010. And be sure to visit us at the Exchange product booth in the Exhibition Hall and let us know what you think of the product. Crystal Flores, who interviewed some of you on video at Tech·Ed North America earlier this year, will be on-hand in Berlin in a few weeks, armed with a camera and interview questions.  A group of us are also marching to Las Vegas for Exchange Connections the same week where our fearless leader Rajesh is giving the keynote.

We hope to see you in Berlin or Vegas, but if you can’t join us in person, tune in via the Web (www.thenewefficiency.com) to be part of the launch.

- The Exchange Team

As you will discover later in this blog a common issue that user experience if they are running Outlook 2003 is related to the default configuration requiring encryption to be enabled on the Outlook client or connections will fail. I will go into more detail later on this topic.

When a user opens Outlook today a number of items occur but the main one I am going to talk about is the connection from the client directly to the mailbox server to retrieve their mail via mapi-rpc. 

How clients connected pre Exchange 2010

Some of the issues with this configuration even when using an SCC or CCR cluster is during a failover the client connection point will be disrupted even if only for a few moments. This also means that clients are making a direct connection to the server which is limited to 60k connections to the information store. This does not mean 60k users, as client makes a number of connections to the system.

As the Exchange team looked at how they can better scale Exchange 2010 one of the new techniques was to move the client connection endpoint to the CAS server instead of the mailbox server. This allows for a number of things to happen.

1. During a database move/failover the client end point does not go down and makes the move seamless to the user
2. If you reach the 60k port limit you just add an additional CAS server to the rpc array

Let’s take a look at our Exchange settings….

How do I know what my mapi end point is?

At first thought you may think this is configured per user however that is not the case. To find out what your rpc client end point is you need to run the following command get-mailboxdatabase “yourdatabase” | fl  name,rpc* the output of this command will show you each  RpcClientAccessServer associated with each database.

By default there is no rpc array configured, the name of a random CAS server in the same AD site will be directly associated with each database.

Let’s run our command and see what settings we have  get-mailboxdatabase | fl  name,rpc*

You can see that our  RpcClientAccessServer points to my CAS server

Let’s create a new mailbox database in EMC:

Open EMC -> Organization Configuration -> mailbox

Right click and select New Mailbox database

I am going to call my database rpcservercheck and specify the server as E14Ex1

Specify the logs and database path

C:\db\db and c:\db\logs

**note I dont recommend these location but this is just a lab **

Click New to complete the database

Now that we create the new database lets run our command again:

You can see the new database also shows the CAS server, since I only have one CAS in this environment they are configured the same.

Outlook Profile

After setting up an Outlook profile let’s take a look at see that our mapi end point is now the CAS server

With Outlook 2007 click Tools – Accounts Settings

Select the profile and click Change

We can see that our Microsoft Exchange Server information points to the CAS  fqdn and not our mailbox server

If we hold down CTR and right click the Outlook system tray icon we can bring up our connection status

You can see that all Directory and mail connections are now going to the CAS server with 1 exception, public folders. Yes, public folders calls are still direct connections from the client to the mailbox server hosting the public folder.

WireShark

If we use a network sniffer  to capture traffic from our client 192.168.1.59 we can see that NSPI and MAPI requests from Outlook are all directed to the CAS

How does this work?

On each CAS server there is a new service that runs called the MSExchangeRPC which runs as  Microsoft.Exchange.RpcClientAccess.Service.exe and listens on port 6001 for HTTP connection and uses dynamic ports by default for tcp/ip connections

By default when you install Exchange 2010 the files that makeup this service will be located in  C:\Program Files\Microsoft\Exchange Server\V14\Bin

When connections are made to the CAS server by the mapi client, the CAS server then creates a channel to the mailbox server to retrieve the mailbox data.  The CAS server will create a maximum of 100 Rpc connections to the mailbox server

Encryption

As I briefly mentioned in the introduction by default Exchange requires the client to connect with encryption enabled.  This is not set on each database but on each rpc server and can be found with the following command  Get-RpcClientAccess | fl server,encrypt*

 [PS] C:\>Get-RpcClientAccess | fl server,encrypt*

Server             : E14-EX1

EncryptionRequired : True

Server             : E14-EX2

EncryptionRequired : True

 Server             : E14CAS1

EncryptionRequired : True

After running the command you can see that each CAS and Mailbox server has this configuration. You may ask why would the mailbox server require this is all the client connections are direct to the CAS? You may recall that I stated above that the clients still connects direct to the mailbox server  for public folder access.

How do I know if my Outlook client is setup to use encryption?

Let’s look in our Outlook client to see this setting:

Using the same steps as before open your Outlook settings -> click More Settings

Select the Security Tab

We can see that Outlook 2007+ defaults to having encryption enabled however Outlook 2003 does not

 If you have a large number of Outlook 2003 users you have a few options:

1. Use Group Policy to enable this setting
2. Disable this settings on the Exchange Server with the  Get-RpcClientAccess | Set-RpcClientAccess -EncryptionRequired:$false

**Recommended configuration is to keep encryption enabled**

1. Have users manually enable this setting
2. script

**Note this will also affect Outlook Anywhere users (formerly Rpc.https) **

Configuring an Rpc Array

Now that we have a basic understanding of how MOMT is used lets configure our first Rpc Array. You can use NLB or a hardware Load Balancer like F5 for the rpc array as either is supported however you cannot use NLB if your server is multi roled and a member of a DAG.

The dns entry for the array should not use a public dns name and only needs to be resolvable to the internal network.

Lets start with the Get-ClientAccessArray command just to show that we do not currently have an array

1. Create a DNS entry for your array name (I am going to use Site1Array.ExchangeGenie.local)

a. Open the DNS administration tool

b. Select the appropriate DNS Zone (for me .ExchangeGenie.local)

c. Right click and create a new host record (a cname would work as well)

d. Input the name and Ip for the record

e. Click Add Host

F. Click Done

G. Validate the record had been created

 H. Lets use Nslookup to validate the record is seen

Create an RPC Array

From an EMS window we will use the new-clientaccessarray command if you use the help …. get-help new-clientaccessarray, we can see the command takes in 2 require parameters FQDN and Site

If you dont know your AD site information you can use the get-ADSite command to get that information

As you can see I have renamed my default site to GenieSite1

New-ClientAccessArray -Name Site1Array.ExchangeGenie.Local -fqdn Site1Array.ExchangeGenie.Local -Site GenieSite1

As you can see we now have a new array called Site1Array.ExchangeGenie.Local

**Note the memeber paramenter will show every Exchange 2010 CAS in the AD site of the Array, which CAS server actually participate are based on the NLB nodes **

Does this mean you are done?

No,  creating an array but its self does nothing we have 2 additional steps 1. create the NLB for the Array and 2. associate the array to our database.

Creating an NLB for our Array

I am going to use WNLB for this blog which is a viable option however for large organization a hardware load balancer is advised.

If NLB is not installed on your CAS server you will need to do that first.

1. Open Server Manager

2.  Select Features

3.  Select Network Load Balancing

4. Click Next

5. Click Install

 6. Click close after the installation completes successfully

7. Launch NLB Manager

8.  From the file menu click Cluster -> New

9. Input the IP address or hostname of the CAS server and click Connect

10.  Select Next

11. Select Next unless you need to add an additional dedicated ip to the server

12. Click Add to add the VIP for the cluster ** this should match the ip that we used to create our dns record for the array**

13.  Enter the IP asscociated with the array and click OK

14.  Click Next

15.  Enter an FQDN that will be associated with the NLB, I have selected Mulicast for my cluster mode however please select the method that best fits your environment.

16.  Click Next

17. Click Remove to delete the default listening ports

 You can choose to listen on all ports however lets use the minimum required for the array which we will later scope down even lower. The minimum ports required will be 135, 1024-65535

a.   Click Add

b.  Remove the check box “All” so that we can scope which IP the ports listens on

c.  Add port 135 – 135 TCP and click OK

d. Report for port 1024 -65535 TCP and click OK

18.  Click Finish to complete building the NLB

Validate the NLB has been created properly

 Associating the Array with databases

 The final step for us is to associate the client array with our existing databases.  Any new databases will be automatically associated with the array in that site.

Lets open our Outlook client so we can see our current settings

Let’s use the following command to set our new array on all the current databases we have created 

Get-MailboxDatabase | Set-MailboxDatabase -RpcClientAccessServer site1array.exchangegenie.local

**Please note the above command would do all databases you can use the –server switch to scope the databases returned you can use something like this to scope the site

C:\>Get-ExchangeServer | where {$_.isMailboxServer -eq $true -and $_.Site -eq ‘ExchangeGenie.Local/Configuration/Sites/GenieSite1′} | Get-MailboxDatabase **

We can validate the array association with the following command  Get-MailboxDatabase | fl rp*

***Please note it could take a few minute for this information to get updated for clients do to the store cache**

If we look at our client setting, they will get updated with autodiscover if the client is Outlook 2007+, for Outlook 2003 the client should be redirected after connecting to the current configured server.

You can see that all communication (except pf) is now connecting to our new client array

Scoping the Mapi Ports

By default when you open your Outlook client it attempts to make a connection to the rpc port ( 135) on the server andnegotiate a dynamic port above 1024 for usage.  If there are no firewalls between the clients and servers then you dont mind all the traffic however in many scenarios there are firewalls between the client network and servers.  To keep from the requirement of open port 135 and 1024 – 65535 you can make a few simple modifications to your CAS server to reduce the number of ports that are required to be open on the firewall.

There are 3 modifications you must make 1. Mapi which is a registry key change 2. Addres Book (NSPI) which is modifed in the config file and 3. Referral Service (RFR) modified in the config file.

We can restrict Rpc Client Access Array to a single port for each of the following settings Mapi,Address Book, and Referral Service let’s take a look at the default configuration below:

Key:HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem

Value:TCP/IP Port

Type:DWORD

*Note you will need to modify the same registry key on mailbox servers that host the public folder role

Earlier you saw the network wireshark data with the server making connections to the CAS on radom high number ports, in this section we are going to scope the port range down to 3 ports of our choosing.  Please note the client will still need access to port 135 for the initial connection.

Scoping the CAS server ports

1. Open the regsitry editor (start -> run -> regedit

2. browse to HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeRPC

3. Create a new key ParametersSystem (Right click new-> key)

4. Create a new Dword TCP/IP Port

5. Input a port I have selected 50000

6. Restart the Microsoft Exchange RPC Client Access Service

7.  Open a command window and run NetStat -na

We can see that we are connecting the CAS server on port 50,000 and 135

**You will need to repeat these steps for any mailbox server this is hosting a public folder database**

8.  Open Microsoft.Exchange.AddressBook.Service.Exe.config  with notepad (default location is C:\Program Files\Microsoft\Exchange Server\V14\Bin)

9.  Modify the section “RpcTcpPort” to the port you desire, I am going to use 50,001 since I used 50,000 for the mapi port

10. Restart the Microsoft Exchange Active Directory Topology Service (note this will stop all the Exchange services)

11. Open a command window and run NetStat -na

You can see we are now listeing on port 50,000 for map and port 50,001 for Address Book

If we open Outlook again and run a netstat -na from our client we can see that we are connecting to the CAS server on port 50,001 and 50,001 and to our mailbox on port 50,000

CAS IP 192.168.1.60 and Mailbox 192.168.1.57 and CAS Array 192.168.1.61

My coworkers first reaction was  hey, why are the sending limits so low, 5mb is nothing for an attachment size?

My first response was, we do not have 5mb attachment limits but have them to set to 30mb ……….

What to do?

I opened a trusty TS session to the CAS server that he was connected too and I knew that in the web.config file there is a setting that OWA uses to specify that max attachment size.

Note : By deafult the web.config file is located C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa

After I opened the web.config file with notepad I located the section for <httpRuntime maxRequestLength=”30000″ />

The <httpRuntime maxRequestLength=”30000″ /> is stored in Kb which mean that OWA defaults to 30MB attachment size limits so that could not be that users problem

Where are all the attachment size limits?

1. trasnport config

2. Send connectors

3. recieve connectors

4. users mailbox settings

Lets open EMS and take a look…………

The first command we are going to run is get-mailbox Brian.Tirch | fl max*

we can see that current the user does not have any limits set for sending or receiving.

Next we check our send connector which by default is configured for a 10mb limit so that could not be it……

that does not appear to be the issue ….

Lets check the receive connector which by default is set to 10mb

we can see the connectors on each server are set to 10mb and should not be causing the issue…with only one place left to check and that is the transport configuration.

Lets use the get-transportconfig | fl max* command to get our settings

by default in Exchange 2010 this should be set to 10mb but in this situation you can see that we are set to Unlimited just like on our users properties.

After checking all the settings there is nothing configured to force OWA to a 5mb attachment limit so now what do you do………. After reaching out to some friends in MS who ran into this before we found out that unlimited on the transport config does not really mean no limit

The problem here is the meaning of Unlimited…  Basically Unlimited means that the values for the MaxSendSize and MaxMessageSize are not specified.  It doesn’t mean any size message will be sent. 

There are limits for mailbox, system, and connectors.  The MaxSendSize for the system is set with set-TransportConfig.  The MaxMessageSize for the ReceiveConnector and SendConnector are set on those connectors.  When the attributes for a user, “submissionContLength” and “deliverContLength” are not set in AD (default setting) a query by “get-TransportConfig” will return that the size is also unlimited.  However, the exact meaning is that the MaxSendSize is that the setting is not specified.
In this case, the sending code will use its own way to decide what is the maximum allowed send size.  If the client is OWA, the default maximum allowed message size is 5MB when the MaxSendSize is not specified.  If the MaxSendSize returns a value, OWA will use that value up to the value set on the maxRequestLength in the web.config.