Two or more Exchange Server 2010 Client Access Servers can be configured as a CAS array using NLB as long as they are not also installed as Mailbox servers that are members of a Database Availability Group (DAG).
The reason is that DAG members utilize Windows Failover Clustering, which can’t co-exist with NLB.
To demonstrate the setup of a CAS array the following servers have been provisioned.
Server #1
Operating System: Windows Server 2008 64-bit R2
Name: EX3.exchangeserverpro.local
Primary Interface: 192.168.0.34/24
Secondary Interface: 192.168.0.36/24
Server #2
Operating System: Windows Server 2008 64-bit R2
Name: EX4.exchangeserverpro.local
Primary Interface: 192.168.0.35/24
Secondary Interface: 192.168.0.37/24
The IP address allocated to the NLB cluster will be 192.168.0.38.
Installing the Exchange Server 2010 Client Access Server Pre-Requisites
On each server, from an elevated Windows PowerShell prompt, run the following commands.
PS C:\> Import-Module ServerManager
Note: In my lab the servers are also Hub Transport servers, and so I installed both sets of pre-requisites. I also use the -Restart switch to automate the restart of the servers, however you can remove this if you wish to control when the servers are restarted.
Installing the Exchange Server 2010 Client Access Server Role
From an elevated command prompt run the following unattended setup command.
Note: Again, my lab servers are also Hub Transport servers.
For only the Client Access Server role with Management Tools:
C:\admin\Exchange Server 2010> setup /m:install /r:ca,mt
For both the Client Access and Hub Transport Server roles with Management Tools:
C:\admin\Exchange Server 2010> setup /m:install /r:ca,ht,mt
Installing Windows Network Load Balancing
On each of the servers, from an elevated PowerShell window run the following commands.
PS C:\> Import-Module servermanager
PS C:\> Add-WindowsFeature NLB
Creating the NLB Cluster
After both servers have been prepared the NLB cluster can be created. On the first server launch the Network Load Balancing Manager from Administrative Tools.
From the Cluster menu choose New.
Connect to the first server for the NLB cluster.
Choose the interface that is to be used for the cluster, and then click Next.
Accept the default Host parameters and click Next.
Click Add and enter an IPv4 address for the NLB cluster, then click OK.
Click Next to continue.
Enter a name for the cluster. In this example I’m using casarray.exchangeserverpro.local. Click Next to continue.
Although the port rules can be made more specific, in this example the default rule is acceptable. Click Finish to complete the creation of the NLB cluster.
At this stage you should have a single host NLB cluster that is successfully converged.
Right-click the cluster name and choose Add Host to Cluster.
Enter the name of the second server and click Connect. Choose the interface to be used for the cluster and click Next.
Accept the default Host Parameters and click Next.
There are no changes necessary to the port rules, so click Finish.
You should now have a dual host NLB cluster that is successfully converged.
One final step: on each of the NLB members, run the following command so that the NLB virtual IP address is reachable from outside the subnet that it resides in.
netsh interface ipv4 set int "NLB" forwarding=enabled
Replace “NLB” with the name of the NLB interface on your server.
Creating the Client Access Server Array
Now that the NLB cluster has been formed we can create the CAS array in Exchange Server 2010.
First, register a DNS record for the NLB cluster name.
Next, launch the Exchange Management Shell on one of the Exchange servers and run the following command.
[PS] C:\>New-ClientAccessArray -Name CASArray -Site "Default-First-Site-Name" -Fqdn casarray.exchangeserverpro.local
Name      Site                 Fqdn                           Members
----      ----                 ----                           -------
CASArray  Default-First-Sit... casarray.exchangeserverpro.... {EX3, EX4}
Substitute the Name, Site, and FQDN as appropriate for your environment.
Updating Existing Mailbox Databases
When the CAS array has been established any new mailbox databases created on servers in that Active Directory Site will be configured with the CAS array as their RpcClientAccessServer.
However, any existing mailbox databases need to be manually updated so that those mailbox users begin connecting to the new CAS array.
You can see here that the existing mailbox database on server EX2 is still configured with a standalone Client Access server as its RpcClientAccessServer.
Note that any existing Outlook profiles will not automatically update from the single Client Access Server to the new CAS array name. Those clients will not automatically failover to an alternate member of the CAS array when there is a server failure. You will need to update those profiles for them to receive the high availability benefits of the CAS array. This is one reason that it is important to establish CAS arrays prior to migrating user mailboxes to Exchange Server 2010.
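One way to find and update the existing databases, as an added example that is not part of the original article: it uses the Exchange 2010 cmdlets Get-ClientAccessArray, Get-MailboxDatabase, Get-ExchangeServer and Set-MailboxDatabase, and the variable names are the example's own. It assumes the array FQDN created above and that comparing the Site values as strings is sufficient to match the Active Directory site.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
$casArrayFqdn = 'casarray.exchangeserverpro.local'   # FQDN used with New-ClientAccessArray above

# Stop early if the array object does not exist, so a typo is never stamped on every database.
$array = Get-ClientAccessArray | Where-Object { $_.Fqdn -eq $casArrayFqdn }
if (-not $array) { throw "No Client Access array with FQDN '$casArrayFqdn' was found." }

# A CAS array serves one Active Directory site, so only touch databases hosted in that site.
# Assumption: the Site values of the server and the array compare equal as strings.
$stale = Get-MailboxDatabase | Where-Object {
    $site = (Get-ExchangeServer -Identity $_.ServerName).Site
    ("$site" -eq "$($array.Site)") -and ($_.RpcClientAccessServer -ne $casArrayFqdn)
}

# Review what is about to change.
$stale | Format-Table Name, ServerName, RpcClientAccessServer -AutoSize

# -WhatIf only reports the change; remove it once the list above is what you expect.
foreach ($db in $stale) {
    Set-MailboxDatabase -Identity $db.Name -RpcClientAccessServer $casArrayFqdn -WhatIf
}
```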
Since Exchange 2010 CAS servers now handle all internal and external client traffic to Exchange mailbox servers including Outlook MAPI traffic, the need for a highly available CAS array is critical to your design.
So how do you load balance MAPI traffic? I found some useful bits of information to help out:
1. Load balance your CAS servers in a CAS array by whatever method you choose. Both hardware load balancers and Windows Network Load Balancing are supported.
2. Create a MAPI A record in your internal DNS infrastructure that resolves to the Virtual IP Address (VIP) of the CAS load balancing array. The DNS entry, for example, could be outlook.school.edu
3. Configure your load balancing array to load balance the MAPI RPC ports:
   TCP 135
   UDP/TCP 6005-65535; or set static ports
4. Use the New-ClientAccessArray cmdlet to create the CAS array object. Such as:
   New-ClientAccessArray -Name "School CAS Array" -Fqdn "outlook.school.edu" -Site "Boulder"
5. You need to revisit any Exchange databases that were created before the CAS array was created and set the RpcClientAccessServer property to match the newly created CAS array. Such as:
The current server already has several drives set up.
Normally, when we set up a drive and assign it a drive letter, an admin share of \\SERVER_NAME\[drive_letter]$ is created automatically.
If these steps do not resolve the issue, try this alternate workaround:
Power down the source virtual machine.
Boot the virtual machine using the Windows Server 2008 R2 .iso file.
In the Installation Wizard, select Repair your Computer. For more information, see the Microsoft Knowledge Base article 2261423.
Note: The preceding link was correct as of August 18, 2011. If you find the link is broken, provide feedback and a VMware employee will update the link.
Select Command Prompt.
Run these commands in the specified order:
diskpart
list volume
select volume 1
attributes volume
attributes volume clear nodefaultdriveletter
Restart the virtual machine after removing the mounted .iso file.
Clone the virtual machine again.
Note: If you cannot power down the source virtual machine you can apply this alternate procedure on the resulting cloned virtual machine as well.
Disable the forms-based authentication for the Exchange virtual directory
To create a secondary virtual directory for Exchange that is based on steps 1 through 7 of the following procedure, make sure that forms-based authentication is disabled for the Exchange virtual directory before you make the copy. Before you follow these steps, disable forms-based authentication in Exchange System Manager. Then restart Internet Information Services (IIS). To do this, follow these steps:
Open Exchange Manager.
Expand Administrative Groups, expand the first administrative group, and then expand Servers.
Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
Click the Settings tab, clear the Enable Forms Based Authentication check box, and then click OK.
Close Exchange Manager.
Click Start, click Run, type IISRESET/NOFORCE, and then press Enter to restart Internet Information Services (IIS).
Create a secondary virtual directory for Exchange server
You must use Internet Information Services (IIS) Manager to create this virtual directory for Exchange ActiveSync and Outlook Mobile Access to work. If you are using Windows Server 2003, follow these steps:
Create the virtual directory
Start Internet Information Services (IIS) Manager.
Locate the Exchange virtual directory. The default location is as follows:
Web Sites\Default Web Site\Exchange
Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
In the File name box, type a name. For example, type ExchangeVDir. Click OK.
Right-click the root of this website. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
Under Select a configuration to import, click Exchange, and then click OK.
A dialog box will appear that states that the “virtual directory already exists.”
Select the Create a new virtual directory option. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.
Note: If the server is Microsoft Windows Small Business Server 2003 (SBS), the name of the Exchange OMA virtual directory must be exchange-oma. The integrated setup of Microsoft Windows Small Business Server 2003 creates the exchange-oma virtual directory in IIS. Additionally, it points the ExchangeVDir registry key to /exchange-oma during the initial installation. Other SBS wizards, such as the Configure E-mail and Internet Connection Wizard (CEICW), also expect the virtual directory name in IIS to be exchange-oma.
Configure the virtual directory
Right-click the new virtual directory. In this example, click exchange-oma, and then click Properties.
Click the Directory Security tab.
Under Authentication and access control, click Edit.
Make sure that only the following authentication methods are enabled, and then click OK:
Integrated Windows authentication
Basic authentication
On the Directory Security tab, under IP address and domain name restrictions, click Edit.
Click the option for Denied access, click Add, click Single computer, and then type the IP address of the server that you are configuring.
Click OK two times.
Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
Click OK, and then close IIS Manager.
Click Start, click Run, type regedit, and then click OK.
Right-click Parameters, point to New, and then click String Value.
Type ExchangeVDir, and then press Enter. Right-click ExchangeVDir, and then click Modify.
Note: ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-oma folder.
In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /exchange-oma. Click OK.
Exit Registry Editor.
Restart the IIS Admin service. To do this, follow these steps:
Click Start, click Run, type services.msc, and then click OK.
In the list of services, right-click IIS Admin service, and then click Restart.
If you want to reuse Forms-based Authentication on the Exchange server, follow these steps to re-enable Forms-based Authentication on the /Exchange virtual directory in Exchange System Manager.
Open Exchange Manager.
Expand Administrative Groups, expand the first administrative group, and then expand Servers.
Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
Click the Settings tab, click to select the Enable Forms Based Authentication check box, and then click OK.
Close Exchange Manager.
Click Start, click Run, type IISRESET/NOFORCE, and then press Enter to restart Internet Information Services (IIS).
Delete the SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} user account from Active Directory, if it exists. By default, Exchange Server 2013 Setup creates the mailbox in the Users container in Active Directory. For details about how to delete a user account from Active Directory, see Delete a User Account.
Prepare Active Directory by running Microsoft Exchange 2013 (same for Exchange 2010) Setup with the /PrepareAD switch in the root domain of your Active Directory forest. For details, see Prepare Active Directory and Domains. (go to Exchange installation directory then run setup /p)
Use the Shell to enable the Discovery system mailbox.
Note:
You can’t use the EAC to enable the Discovery system mailbox.
This example enables the Discovery system mailbox. You must specify the fully qualified domain name (FQDN) of a global catalog server in the root domain of the Active Directory forest.
Enable-Mailbox -Arbitration -DomainController <FQDN of root global catalog server> -Identity "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}"
To resolve this issue, run the following command from the Exchange Management Shell:
Get-Mailbox -Arbitration
and check the validity of the system mailboxes:
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
SystemMailbox{1f05a927-af78-475a-aba4-fc281398eb54}
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}
In this case, two system mailboxes were corrupted:
Map the network drives (e.g. Z:), then open a command prompt as Administrator, modify the drive letter and folder location as required, and paste them into the command prompt window.
This guide provides information that can be used to configure a Juniper SSG or Netscreen device running firmware version 5.4+ to support IPsec VPN client connectivity. The Shrew Soft VPN Client has been tested with Juniper products to ensure interoperability.
Overview
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the push configuration method to acquire the following parameters automatically from the gateway.
IP Address
IP Netmask
DNS Servers
WINS Servers
Gateway Configuration
Create a Phase1 ID
Create a user that is used to define the phase1 id parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
User Name = vpnclient_ph1id
Status = Enabled
IKE User = Checked
Simple Identity = Selected
IKE ID Type = AUTO
IKE Identity = client.domain.com
Create a Local Key Group
Create a Local Group that can be assigned to an Auto Key Advanced Gateway. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the group name as vpnclient_group. Also add the vpnclient_ph1id user object as a group member.
Create an Auto Key Advanced Gateway
Create an auto key advanced gateway to configure the phase1 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
Gateway Name = vpnclient_gateway
Security Level = Custom
Remote Gateway Type = Dialup User Group
Group = vpnclient_group
Preshared Key = mypresharedkey
Local ID = vpngw.domain.com
Define Advanced Parameters
Click the Advanced button and define the following parameters.
Security Level – Custom
Phase 1 Proposal
pre-g2-3des-sha
pre-g2-3des-md5
pre-g2-aes128-sha
pre-g2-aes128-md5
Mode = Aggressive
Enable NAT-Traversal = Checked
Keepalive Frequency = 20
Peer Status Detection
DPD = Selected
Interval = 30
Retry = 5
When finished click Return.
Define Xauth Parameters
You will now see your auto key advanced gateway listed. Click on the Xauth button in the Configure column.
Define the following parameters.
Xauth Server = Selected
Allowed Authentication Type = Generic
Local Authentication = Selected
Allow Any = Selected
When finished click OK.
Create an Auto Key IKE Gateway
Create an auto key IKE gateway to configure the phase2 parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
VPN Name = vpnclient_tunnel
Security Level = Custom
Remote Gateway Predefined = vpnclient_gateway
Define Advanced Parameters
Click the Advanced button and define the following parameters.
Security Level = Custom
nopfs-esp-3des-sha
nopfs-esp-3des-md5
nopfs-esp-aes128-sha
nopfs-esp-aes128-md5
Replay Protection = Checked
When finished click Return.
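The proposal names selected in the Phase 1 and Phase 2 advanced parameters above encode their algorithms in the name. This added example, which is not part of the original guide or of any Juniper or Shrew Soft tooling, splits each name into its components and notes the dated ones; the function name Get-ProposalReview and the ratings are the example's own assumptions.

```powershell
# Added example: proposal names are copied from the guide; the findings are this example's own.
$phase1 = 'pre-g2-3des-sha', 'pre-g2-3des-md5', 'pre-g2-aes128-sha', 'pre-g2-aes128-md5'
$phase2 = 'nopfs-esp-3des-sha', 'nopfs-esp-3des-md5', 'nopfs-esp-aes128-sha', 'nopfs-esp-aes128-md5'

function Get-ProposalReview {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Phase 1 names: <auth>-<dh group>-<cipher>-<hash>
    # Phase 2 names: <pfs group or nopfs>-<esp|ah>-<cipher>-<hash>
    $p = $Name.ToLower() -split '-'
    if ($p.Count -ne 4) { throw "Unrecognised proposal name: $Name" }

    $isPhase2 = @('esp', 'ah') -contains $p[1]
    $findings = @()

    if ($isPhase2) {
        # Without PFS, phase 2 keys are derived from the phase 1 exchange.
        if ($p[0] -eq 'nopfs') { $findings += 'no PFS' }
        $group = $p[0]
    } else {
        $group = $p[1]
    }

    if (@('g1', 'g2') -contains $group)   { $findings += "DH $group (1024 bits or less)" }
    if (@('des', '3des') -contains $p[2]) { $findings += "legacy cipher $($p[2])" }
    if ($p[3] -eq 'md5')                  { $findings += 'MD5 integrity check' }

    New-Object PSObject -Property @{
        Name     = $Name
        Phase    = $(if ($isPhase2) { 2 } else { 1 })
        Count    = $findings.Count
        Findings = ($findings -join '; ')
    }
}

# Fewest findings first within each phase, which is the order to prefer on the gateway.
($phase1 + $phase2) |
    ForEach-Object { Get-ProposalReview -Name $_ } |
    Sort-Object Phase, Count |
    Format-Table Phase, Name, Findings -AutoSize
```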
Create a Client Address Pool
Create a pool of addresses to be assigned to VPN clients. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define an IP Pool. For example, you could define a pool named vpnclient with a start IP address of 10.2.21.1 and an end address of 10.2.21.254.
Set Client Configuration Parameters
The client configuration parameters are stored in the global Auto Key Advanced XAuth parameters. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Define the following parameters.
Reserve Private IP for XAuth User – 480 minutes
Default Authentication Server = Local
Query Client Settings on Default Server – Unchecked
CHAP – Unchecked
IP Pool Name = vpnclient
DNS Primary Server IP = [ private DNS server address ]
DNS Secondary Server IP = [ private DNS secondary address ]
WINS Primary Server IP = [ private WINS server address ]
WINS Secondary Server IP = [ private WINS secondary address ]
Configure IPsec Policies
The last step for the tunnel configuration is to define policies that allow protected traffic to pass into your private network from the client. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
To create a new IPsec Policy, the from and to zones must be specified. An IPsec VPN Client policy is defined. Select the following zones and click the New button.
From = Untrust
To = Trust
Define the following parameters.
Name = vpnclient_inbound
Source Address
Address Book Entry = Dial-UP VPN
Destination Address
New Address = 10.1.2.0/24
Service = ANY
Application = None ( means ANY )
Action = Tunnel
Tunnel = vpnclient_tunnel [ Auto Key IKE vpn name ]
Create Local User Accounts
Create local user accounts that will be used during Xauth. Navigate to the following screen using the tree pane on the left hand side of the browser interface.
Click the New button and define the following parameters.
User Name – joe ( the xauth user name )
Status – Enable
XAuth User – Checked
User Password – **** ( the xauth user password )
Confirm Password – **** ( the same user password )
When finished press OK.
Client Configuration
The client configuration in this example is straightforward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.
General Tab
The Remote Host section must be configured. This Host Name or IP Address is defined to match the Juniper's public interface address. The Auto Configuration mode should be set to ike config push.
Phase 1 Tab
The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the Auto Key IKE Advanced definition.
Authentication Tab
The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.
Local Identity Tab
The Local Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of “client.domain.com” to match the Phase1 User ID value.
Remote Identity Tab
The Remote Identity parameters are defined as Fully Qualified Domain Name with a FQDN String of “vpngw.domain.com” to match the Auto Key Advanced Gateway ID value.
Credentials Tab
The Credentials Pre Shared Key is defined as “mypresharedkey” to match the Auto Key Advanced Gateway Preshared Key value.
Policy Tab
The IPsec Policy information must be manually configured when communicating with Juniper gateways. Create an include Topology entry for each IPsec Policy network created on the gateway. For our example, a single Topology Entry is defined to include the 10.1.2.0/24 network.
How to migrate calendar meetings without losing the Option “Send Update”
When you move, recover, repair or migrate an Outlook mailbox or PST to another mailbox or PST, everything will probably look fine after the migration. However, you may notice that in the newly migrated mailbox all the meetings are missing the “Send Update” option. Because of this, you will be unable to send updates to the meeting attendees. The usual error is that the meeting request is not sent. The workaround is simple, but it is rarely mentioned on the support sites. Here is the workaround:
In order to migrate appointments from one mailbox/PST to another mailbox/PST without losing the “Send Update” option in calendar meetings, you need to make sure that you move the calendar items rather than using copy/paste or export/import. If you do a copy/paste or import/export, you will be unable to send updates to the meeting attendees in the destination calendar.
Let's look at the procedure to move the Outlook calendar items.
1) Switch the calendar view to category view and move all the calendar items by performing the steps below:
Click on View -> Current View -> By Category
Click on Edit -> Select All -> Cut
2) Then go to the target calendar and paste the items:
Click on View -> Current View -> By Category
Click on Edit -> Paste
Click on View -> Current View -> Day/Week/Month
Now you can open any appointment and “Send Update” to the meeting attendees.