Tuesday, March 22, 2011

MS hotfix for Exchange 2010 fails to install

Error: "An error occurred during the installation of assembly....The signature or catalog could not be verified or is not valid"

I have received the above error on at least 2 occasions when installing hotfixes from MS.  This can be frustrating, especially if you don't have access to the engineer or did not receive the hotfix directly from MS.  The fix below has worked both times for me.

1) Download and install .Net 2.0 SDK for x64

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=1AEF6FCE-6E06-4B66-AFE4-9AAD3C835D3D&displaylang=en

2) Run the commands below.  Note what they do: sn -Vr * registers every assembly on the machine for strong-name verification skipping, and sn -Vl lists the skip entries that are now in place.  Once the hotfix is in, sn -Vu * removes those entries and restores strong-name verification.

cd "C:\Program Files\Microsoft.NET\SDK\v2.0 64bit\Bin"
SN.EXE -Vr *
SN.EXE -Vl


3) Reboot and try the install again.

Grade: Ugh!

Friday, March 4, 2011

Kerberos Authentication on the CAS Array

For MS documentation in its entirety please see the link below.


The steps below are shorthand sent to me by a colleague that I used on a recent engagement.  I would encourage anyone doing this for the first time to study the documentation and use a lab for your first go around. 


1) Create new computer account in AD called "CASARRAY1"
2) Run Exchange Management Script .\RollAlternateserviceAccountPassword.ps1 -ToSpecificServers -identity "CAS1","CAS2","CAS3" -GenerateNewPasswordFor "DOMAIN\CASARRAY1$"  (CAS servers here will not always include all CAS Array members; rather they should include all CAS servers that will need to authenticate requests for the associated CAS Array FQDN)
3) Set SPNs using the commands below:
a. setspn -S http/webmail.contoso.com CASArray1$
b. setspn -S exchangeMDB/outlook.contoso.com CASArray1$
c. setspn -S exchangeRFR/outlook.contoso.com CASArray1$
d. setspn -S exchangeAB/outlook.contoso.com CASArray1$
4) Create Scheduled task to update password on computer account:  .\RollAlternateServiceAccountPassword.ps1 -CreateScheduledTask "CAS Array Kerberos Password Update" -ToSpecificServers -identity "CAS1","CAS2","CAS3" -GenerateNewPasswordFor "DOMAIN\CASARRAY1$"
5) Test via Outlook client by enforcing Kerberos authentication in the mail profile (more settings->security)
6) Test by reviewing the address book service log (2011-02-05T06:04:21.072Z,139928,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=username,,10.10.10.10,CAS1,ncacn_ip_tcp,GetNewDSA,,5,Self,,Kerberos)

*Don't forget to restart Blackberry services (or at least test functionality) after this change.
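To make the check in step 6 repeatable over a whole log rather than one line, here is an added Python example (not from the post or the colleague's notes) that parses entries in the shape of the quoted Address Book Service line and reports which clients still authenticate with something other than Kerberos.  The field positions and the sample lines are assumptions built from that single quoted entry.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample lines in the shape of the Address Book Service entry quoted
# in the post: comma separated, the last field carrying the authentication type.
SAMPLE_AB_LOG = """\
2011-02-05T06:04:21.072Z,139928,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=alice,,10.10.10.10,CAS1,ncacn_ip_tcp,GetNewDSA,,5,Self,,Kerberos
2011-02-05T06:04:25.310Z,139929,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=bob,,10.10.10.11,CAS2,ncacn_ip_tcp,GetNewDSA,,5,Self,,NTLM
2011-02-05T06:04:30.004Z,139930,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=alice,,10.10.10.10,CAS1,ncacn_ip_tcp,GetNewDSA,,5,Self,,Kerberos
2011-02-05T06:05:02.771Z,139931,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=carol,,10.10.10.12,CAS3,ncacn_ip_tcp,GetNewDSA,,5,Self,,NTLM
"""

# Field positions inferred from the one line in the post (an assumption, not taken
# from Exchange documentation): 0 timestamp, 3 user DN, 5 client IP, 6 CAS, last = auth.
def parse_ab_log(text):
    rows = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) < 9:
            continue  # blank, header or truncated line
        rows.append({
            "time": fields[0],
            "user": fields[3].rsplit("/cn=", 1)[-1],
            "client_ip": fields[5],
            "cas": fields[6],
            "auth": fields[-1].strip(),
        })
    return rows

def auth_summary(rows):
    """Count authentication types per CAS server, e.g. {'CAS1': {'Kerberos': 2}}."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["cas"]][r["auth"]] += 1
    return {cas: dict(c) for cas, c in summary.items()}

def non_kerberos_clients(rows):
    """(client IP, user, auth) for every client that did not use Kerberos."""
    return sorted({(r["client_ip"], r["user"], r["auth"]) for r in rows if r["auth"] != "Kerberos"})

if __name__ == "__main__":
    rows = parse_ab_log(SAMPLE_AB_LOG)
    print(auth_summary(rows))
    for ip, user, auth in non_kerberos_clients(rows):
        print(f"{ip} ({user}) still authenticated with {auth}")
```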

Grade: Thanks Chica!

Problem configuring and testing static ports on CAS servers

Problem Description: You configure the RCA (RPCClientAccessServer) service and AB (Address Book) service to use static ports according to your hardware loadbalancer documentation or technet article.  After a restart of these services you verify the server is listening on the correct ports.  When testing from an Outlook client, you notice that the Outlook client is using port 7380 for its mail (RCA) connection and the correct static port for directory (AB).

Error:  There is no error per se, but a netstat -na from a remote Outlook client (typically on a routed network) will appear to persistently bind to port 7380, even after a restart of the client. Often, local clients adjacent to the CAS will bind to the correct static port that you previously set in the registry.

Description:  Port 7380 is a dead giveaway that there is a Riverbed in the mix.  Riverbed devices instruct Outlook to connect over port 7380, regardless of the static port configured for RCA on the CAS.

Solution or Workaround:  No solution is necessary. Rest assured that the Riverbed will use the proper static port configured on the CAS and loadbalancing should work fine.  You can verify this functionality by reviewing your Riverbed log.

Registry settings for Exchange 2010 SP1 RCA and AB static ports below:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRpc\ParametersSystem
REG_DWORD:TCP/IP Port
value:59531-60554


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters
REG_SZ:RpcTcpPort
Value:59531-60554


See Also:

http://social.technet.microsoft.com/wiki/contents/articles/configuring-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx

http://technet.microsoft.com/en-us/library/ff625248.aspx

Grade: Who Knew?

Wednesday, March 2, 2011

Update Outlook 2003 clients with CAS Array Name?

One of the most enduring and painful shortcomings of the new RCA (RPCClientAccess) service in Exchange 2010 is its inability to refer downlevel clients to the appropriate CAS server.  If you are using Outlook 2007 or 2010, this process is handled by the autodiscover service, but what do you do if you have Outlook 2003 clients?  Unfortunately there are no really good options, but I will list some of what I have seen work at various customers.  To the best of my knowledge, the only supported method is to deploy a PRF file (also included below) or to manually change each client.  Ideally you would have created a CAS Array from the start and never had this problem.  But suppose you needed Kerberos authentication pre-SP1, or you just plain made a mistake?

1) Swing server.  This seems like overkill, but it may be less work and easier than visiting every desktop in some scenarios.  The referral mechanisms still function between Exchange 2003/2007 and Exchange 2010.  You could move mailboxes to a temporary Exchange 2007 server and then move them back to Exchange 2010.  Keep in mind that users will have to connect at least once to the mailbox while it is homed on the Exchange 2007 server for this procedure to be effective.  Also, the mailbox move from 2010 to 2007 will incur downtime, but the move back from 2007 to 2010 will keep the mailbox online.

2) PRF File.  http://office.microsoft.com/en-us/office-2003-resource-kit/customizing-outlook-profiles-by-using-prf-files-HA001140258.aspx

3) VBScript.  In some cases, the PRF file simply doesn't work, or there is no easy way to deploy it.  I have included some sample VBScript at the end of this post that should help some advanced users.

4) Exchange 2003/2007 Spoof.  Don't try this one at home kids!  If you feel like rolling the dice or are very desperate, you could try the following.  Add hosts file entries on all Exchange servers and relevant domain controllers for the CAS that is currently in the Outlook 2003 user profile 'server name' field.  Remove the SPN for that CAS (this will disable Kerberos authentication temporarily).  Change the A record for the CAS in DNS such that it points to the IP of an Exchange 2003 or 2007 server.  When clients log on, they will connect to the old Exchange 2003 or 2007 server and get referred to the CAS Array name.  Once you are confident that most clients have had their Outlook profiles updated, undo the changes and add the SPN back in.

Sample VBScript

Option Explicit

' Fill in the CAS Array FQDN, and the same FQDN as the comma-separated hex bytes a
' .reg "hex:" value takes (assumed here: the UTF-16LE string plus a null terminator,
' e.g. 6f,00,75,00,...,00,00; the post leaves this as a placeholder).
Const ServerName = "<CAS Array FQDN>"
Const ServerHex = "<CAS Array FQDN in Hex>"
Dim defaultProfile

defaultProfile = GetDefaultProfile("HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\DefaultProfile")
If Len(defaultProfile) = 0 Then
    WScript.Echo "No default Outlook profile found for this user; nothing changed."
    WScript.Quit 1
End If
WriteRegistryFileAndMerge defaultProfile, ServerName, ServerHex

' Returns the default Outlook profile name, or "" if the registry value is missing.
Function GetDefaultProfile(RegistryKey)
    Dim WshShell
    Dim strReturn

    strReturn = ""
    Set WshShell = CreateObject("Wscript.Shell")
    If Len(RegistryKey) Then
        On Error Resume Next    ' RegRead raises an error when the value does not exist
        strReturn = WshShell.RegRead(RegistryKey)
        If Err.Number <> 0 Then
            strReturn = ""
            Err.Clear
        End If
        On Error GoTo 0
    End If

    Set WshShell = Nothing
    GetDefaultProfile = strReturn
End Function

' Writes a .reg file (in the working directory) that points the profile's server
' properties at the CAS Array name, then merges it silently with regedit.
Function WriteRegistryFileAndMerge(ProfileName, name, binary)
    Dim objFSO, file, WshShell

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set file = objFSO.CreateTextFile("profile_merge.reg", True)

    file.WriteLine("Windows Registry Editor Version 5.00")
    file.WriteBlankLines(1)
    file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\04ed552946e5ea48a65bcb2f19db0409]")
    ' String values must be quoted in a .reg file: "name"="value"
    file.WriteLine("""001e660c""=""" & name & """")
    file.WriteLine("""001f662b""=hex:" & binary)
    file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
    file.WriteBlankLines(1)
    file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\13dbb0c8aa05101a9bb000aa002fc45a]")
    file.WriteLine("""001f662a""=hex:" & binary)
    file.WriteLine("""001e6602""=""" & name & """")
    file.WriteLine("""001e6612""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
    file.WriteLine("""101e6613""=hex:" & binary)
    file.WriteBlankLines(1)
    file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\aa1c0662f29b1c42aa3d30610610f421]")
    file.WriteLine("""001e660c""=""" & name & """")
    file.WriteLine("""001f662b""=hex:" & binary)
    file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
    file.WriteBlankLines(1)
    file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\efa40b5e07b9204abdc646aa5e83a6be]")
    file.WriteLine("""001e660c""=""" & name & """")
    file.WriteLine("""001f662b""=hex:" & binary)
    file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
    file.WriteBlankLines(1)
    file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\ff83a0e41446294d95bda883831cb0a9]")
    file.WriteLine("""001e660c""=""" & name & """")
    file.WriteLine("""001f662b""=hex:" & binary)
    file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
    file.Close
    Set file = Nothing
    Set objFSO = Nothing

    ' /s merges without the confirmation prompt; True waits for regedit to finish
    Set WshShell = CreateObject("Wscript.Shell")
    WshShell.Run "regedit /s profile_merge.reg", 1, True
    Set WshShell = Nothing

End Function
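The script above leaves ServerHex as a placeholder.  Here is an added Python helper (not part of the post's script) that produces that value from the FQDN and decodes an exported profile value back for checking.  It assumes the binary profile property holds the FQDN as a UTF-16LE string with a null terminator, which the post does not state.

```python
import re

def fqdn_to_reg_hex(fqdn):
    """Comma-separated bytes for a .reg 'hex:' value.  Assumed layout: the FQDN as
    UTF-16LE followed by a two-byte null terminator."""
    data = fqdn.encode("utf-16-le") + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)

def reg_hex_to_fqdn(hexvalue):
    """Reverse of fqdn_to_reg_hex, for checking a value exported from a profile.
    regedit wraps long hex values with a trailing backslash and indents the
    continuation line, so whitespace and backslashes are stripped first."""
    clean = re.sub(r"[\s\\]", "", hexvalue)
    data = bytes(int(h, 16) for h in clean.split(",") if h)
    return data.decode("utf-16-le").rstrip("\x00")

def profile_value_line(prop_tag, fqdn):
    """One .reg line in the form the script writes, e.g. "001f662b"=hex:6f,00,..."""
    return f'"{prop_tag}"=hex:{fqdn_to_reg_hex(fqdn)}'

if __name__ == "__main__":
    # outlook.contoso.com is the constructed CAS Array name used in the post's SPNs
    print(profile_value_line("001f662b", "outlook.contoso.com"))
    print(reg_hex_to_fqdn(fqdn_to_reg_hex("outlook.contoso.com")))
```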

Grade:  Why Did I Do That?

Exchange 2010 Install Fails

Problem Description: Installation of Exchange 2010 fails with error below

Error:  [ERROR] Active Directory operation failed on <domain controller.> This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152392, #1:
 0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 83fbc060 (msExchRMSComputerAccountsLink)
[08/16/2010 15:32:29.0661] [2] [ERROR] A value in the request is invalid.
[08/16/2010 15:32:29.0677] [2] Ending processing.

Description:  This error occurs when the Exchange 2010 installation fails to successfully add the local computer account to the required Universal Security Groups in the Forest Root OU "Microsoft Exchange Security Groups."   Specifically, the local computer account must be added to the "Exchange Trusted Subsystem" and "Exchange Servers" Security Groups.

Solution or Workaround:  An easy workaround is to manually add the local computer account to these Security Groups prior to install.  If you want to dig into Active Directory for root cause, you should start by examining your Sites and Services configuration along with replication and install account permissions.

Grade: Bummer!