Friday, April 3, 2009

Exchange 2007 POP/IMAP between Active Directory sites .. with solution!

As a follow-up to the previous post, POP and IMAP can work between sites as well. The referenced paper says they can't, but it is incorrect.

To enable Imap between a CAS server and Mailbox server in 2 separate AD sites, edit this file
C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe.config

and change this line to true.
<add key="AllowCrossSiteSessions" value="false" />



POP3 is eerily similar.

To enable Pop3 between a CAS server and Mailbox server in 2 separate AD sites, edit this file
C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Pop3.exe.config

and change this line to true.
<add key="AllowCrossSiteSessions" value="false" />
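The same two edits done with a script, as an added example that is not part of the original post: it backs up each file, sets the key in both the IMAP4 and POP3 configs (adding it if it is missing), and restarts the matching services so the new value is actually read. The file paths are the ones given above; the assumption that the key lives under <configuration><appSettings>, and the service names MSExchangeIMAP4 and MSExchangePOP3, come from me rather than the post.

```powershell
# Added example, not from the original post. Sets AllowCrossSiteSessions=true in
# both PopImap config files and restarts the services that read them.
$base = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap'

# config file -> Windows service that reads it (service names assumed by me)
$targets = @{
    'Microsoft.Exchange.Imap4.exe.config' = 'MSExchangeIMAP4'
    'Microsoft.Exchange.Pop3.exe.config'  = 'MSExchangePOP3'
}

foreach ($file in $targets.Keys) {
    $path = Join-Path $base $file
    if (-not (Test-Path $path)) {
        Write-Warning "Not found, skipping: $path"
        continue
    }

    # Keep the untouched original next to the file before editing it.
    Copy-Item -Path $path -Destination "$path.bak" -Force

    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true      # keep the saved file diff-friendly
    $config.Load($path)

    # Assumption: the key sits under <configuration><appSettings>, as the
    # line quoted in the post suggests.
    $appSettings = $config.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw "No <appSettings> element in $path" }

    $setting = $appSettings.SelectSingleNode("add[@key='AllowCrossSiteSessions']")
    if (-not $setting) {
        # Key missing entirely: add it instead of silently doing nothing.
        $setting = $config.CreateElement('add')
        $setting.SetAttribute('key', 'AllowCrossSiteSessions')
        [void]$appSettings.AppendChild($setting)
    }

    $before = $setting.GetAttribute('value')
    $setting.SetAttribute('value', 'true')
    $config.Save($path)

    # The setting is read at service start, so restart to apply it.
    Restart-Service -Name $targets[$file]
    Write-Host ("{0}: AllowCrossSiteSessions '{1}' -> 'true'; {2} restarted" -f $file, $before, $targets[$file])
}
```

Run it from an elevated PowerShell on each CAS that should accept cross-site sessions; the .bak copies let you diff what changed and roll back with a rename if the services misbehave after the restart.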



Note to Microsoft: A quasi-legible text based configuration file. Thank you!

Thursday, April 2, 2009

Exchange 2007 OWA between Active Directory sites .. with solution!

Exchange.
Owa.
2 separate sites.
2 separate internet connections.
Site A has the mailboxes.
Site A's internet connection goes down.
Site B's internet connection is fine, and the ds-3 between the sites is fine.

I try to connect to OWA in Site B and I get...

"For best performance, connect to https://SiteA.mydomain.com/owa"

YOU HAVE GOT TO BE FREAKING KIDDING ME! ARGH!

OK. A Google search and a look at the Exchange blog turned up this link:
Understanding Proxying and Redirection

According to this paper a couple of things are at work. First off, Exchange is trying "Redirection" to send me to the OWA host in my active directory site. You can disable redirection by removing the "External Url" from the OWA service in Exchange manager.

Click webmail. Username/password. Does it work?

... Nope, same results.

(Wait for Active directory replication....)

Testing again. Click webmail. Username/password. Does it work?

... Nope. New Results. A great two line error message that tells the user to tell their Exchange administrator that there is no available OWA server in the same site as the mailbox. Also, an event is logged in the event viewer.

(OMG! A descriptive error and an event gets logged?! Obviously this part of the code was outsourced. ;) )

Anyway, back to the paper again. Exchange Owa won't access a mailbox in another AD site. It just won't do it and there is no convincing it otherwise.

The options are:
1. Setup an ISA server to intelligently load balance Owa access. (no.)
2. Move the Servers into the same AD site. (no.)
3. Enable "Proxying". (this sounds promising.)

OWA Proxying takes the request from SiteB's owa server and relays it internally to SiteA's owa server. That is great if SiteA's internet connection goes down, but does jack-diddly-squat for our availability if SiteA's OWA server goes kaput.

Some redundancy is better than none, right? Let's configure proxying.

Here are the Gotchas.
1. Redirection has to be disabled. (Remove those ExternalURLs.)
2. Communication is via HTTPS. (This is okay, I put the internal names on our UCC SSL cert.)
3. Authentication for the OWA sites has to be set to Windows Integrated.

WTH?! The users just got used to pretty forms based authentication. You go to all the trouble of building a proxy subsystem and you can't relay the credentials?! Another show stopper. Grr.

So my options are to set up 2 more OWA servers with integrated authentication, get 2 more names on our SSL cert, and set it all up. That's great and all, but Exchange licenses don't grow on trees.

Solution!
I played with it for a while and came up with this solution. It is functional, but not really elegant in my opinion.

In both sites, I opened IIS and created a new website called OwaProxy. I set the site to use the same SSL certificate as the "real" OWA sites, but bound it to port 444 instead of 443. In the PowerShell console, I created a new \owa virtual directory with Integrated Authentication.

(here is the command)

New-OwaVirtualDirectory -Name "OwaProxy" -ExternalAuthenticationMethods WindowsIntegrated -ExternalUrl $null -InternalUrl https://sitea.mydomain.local:444/owa -OwaVersion Exchange2007 -WebSiteName "OwaProxy"


After the OWA websites/virtual directories are created in both sites, there are two more gotchas. First, it still didn't work until I opened the Exchange Management Console and changed the authentication type from forms to Windows Integrated. This is a bug, IMHO, since we explicitly set the authentication method to integrated in PowerShell. It gets configured properly in IIS too, but here you have to change it with the GUI.

The second gotcha is an easy one. Any of this cross-site stuff is dependent on Active Directory, so you have to wait for (or force) AD replication before your changes take effect.
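The whole procedure as one script, added here as an example and not the post's own commands: it creates the OwaProxy virtual directory on each CAS with the same parameters as the command above, then checks each of the three gotchas against what Active Directory reports. It assumes the "OwaProxy" IIS website already exists on each CAS, bound to port 444 with the real OWA certificate, and that you run it from the Exchange Management Shell; the CAS server names are placeholders. The `Test-ProxyEndpoint` helper is mine, and the `Set-OwaVirtualDirectory` route to gotcha 3 is a cmdlet that exists in Exchange 2007, offered as something to try before the EMC workaround the post describes.

```powershell
# Added example, not the post's own script. Creates the OwaProxy virtual
# directory in each site, then checks the three gotchas from the post.
$proxies = @{
    'cas-sitea' = 'https://sitea.mydomain.local:444/owa'   # placeholder CAS names
    'cas-siteb' = 'https://siteb.mydomain.local:444/owa'
}

foreach ($server in $proxies.Keys) {
    New-OwaVirtualDirectory -Server $server -Name 'OwaProxy' -WebSiteName 'OwaProxy' `
        -OwaVersion Exchange2007 `
        -ExternalAuthenticationMethods WindowsIntegrated `
        -ExternalUrl $null -InternalUrl $proxies[$server]
}

# Gotcha 1: redirection must be off, so no OWA directory may still carry an ExternalUrl.
$redirecting = Get-OwaVirtualDirectory | Where-Object { $_.ExternalUrl }
if ($redirecting) {
    $names = ($redirecting | ForEach-Object { $_.Identity }) -join ', '
    Write-Warning "Redirection still possible; ExternalUrl is set on: $names"
}

# Gotcha 2: the proxy talks HTTPS to the InternalUrl, so the name in that URL must be
# on the certificate bound to port 444. A TLS name or chain problem surfaces as a
# TrustFailure before any HTTP status comes back; a 401 means TLS was fine and the
# server is issuing its Windows-auth challenge.
function Test-ProxyEndpoint {
    param([string]$Url)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method = 'HEAD'
        $req.UseDefaultCredentials = $true
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return "OK (HTTP $code)"
    } catch [System.Net.WebException] {
        $e = $_.Exception
        if ($e.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            return 'PROBLEM: certificate name/chain rejected (gotcha 2)'
        }
        if ($e.Response) {
            $code = [int]$e.Response.StatusCode
            if ($code -eq 401) { return 'OK: TLS fine, server sent a Windows-auth challenge' }
            return "HTTP $code"
        }
        return "Unreachable: $($e.Status)"
    }
}
foreach ($server in $proxies.Keys) {
    Write-Host ("{0} -> {1}: {2}" -f $server, $proxies[$server], (Test-ProxyEndpoint $proxies[$server]))
}

# Gotcha 3: the OwaProxy directories must be Windows Integrated, not forms-based.
Get-OwaVirtualDirectory | Where-Object { $_.Identity -like '*(OwaProxy)' } | ForEach-Object {
    if ($_.FormsAuthentication -or -not $_.WindowsAuthentication) {
        Write-Warning "$($_.Identity) is still forms-based; switching it"
        # Worth trying first; the post reports needing the EMC for this step.
        $_ | Set-OwaVirtualDirectory -FormsAuthentication $false -WindowsAuthentication $true
    }
}
```

Remember the second gotcha applies to the checks too: Get-OwaVirtualDirectory reads AD, so run the verification half again after replication has caught up, not just immediately after the New-/Set- calls.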

That solved it. I could now access my 1GB SiteA mailbox from SiteA or SiteB. We have a 45 Mbps DS-3 between sites, and there was a 2-3 second pause after logging in to SiteB's OWA server. I can live with that.

Please leave a comment if this helps.

Thanks,
Ellie

Monday, March 30, 2009

csvde to excel Human readable LastLogon or LastLogonTimestamp

I was given the task of making a human-legible report of users, OUs, and last login times. Easy enough, right? I logged in to one of the servers as an admin and ran


F:\>csvde -r "(objectClass=user)" -f output.csv -l cn,givenName,sn,n,ou,lastLogon

That worked great, but Excel choked on the dates. It turns out this is because the dates are not "normal" timestamp dates. "Normal" timestamps are based on the number of seconds since midnight on 1/1/1970. The timestamps in Active Directory are in UTC format: a 64-bit number based on the number of nanoseconds since 1/1/1601 divided by 100! For even more complexity, Excel's dates are based on the number of days since 1/1/1900. Arrgh.

As theoretical knowledge goes, that is all fine and good.. but how do we use it in excel?

The formula to convert from Active Directory LastLogon or LastLogonTimestamp is:


=IF(C2>0,C2/(8.64*10^11) - 109205,"")


Explanation:
  • C2 is the cell that contains the Timestamp.

  • The If() statement hides the value if the user has not logged in.

  • (8.64*10^11) is the number of nanoseconds in a day divided by 100.

  • 109205 is the number of days, including leap days, between 1601 and 1900. (Remember, 1900 is when excel dates "start")



That's it. Paste in your formula and format it as a date, or date/time. The times returned are in GMT. All of the other solutions I saw in my Google searches pointed to a VBScript solution. Please leave a comment if this helps you.

Thanks,
Ellie

P.S. If you want it in Central US time (GMT-6), subtract 0.25 (that is, 6 hours divided by 24 hours in a day). For Eastern time (GMT-5), subtract 0.208333333 (5/24).
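The same conversion done in PowerShell, as an added example that is not part of the post: it walks through the Excel formula step by step (ticks to days, days minus 109205) and cross-checks the result against .NET's own FILETIME reader, so a shifted column or a non-timestamp value is caught instead of turning into a plausible-looking date. The CSV text is constructed to match the shape of csvde's output.csv; the function name and the report file name are mine. One caveat for anyone using this for stale-account reports: lastLogon is kept per domain controller and not replicated, whereas lastLogonTimestamp is replicated but only updated every 9 to 14 days by default, so pick the attribute to match the question you are asking.

```powershell
# Added example, not from the post. Converts csvde lastLogon values the way the
# Excel formula does and cross-checks against .NET's FILETIME conversion.

function Convert-AdTimestamp {
    param([string]$Value)   # the raw number from the lastLogon column

    # Empty or 0 means the account has never logged on (the formula's IF branch).
    if ([string]::IsNullOrEmpty($Value) -or [int64]$Value -le 0) { return $null }
    $ticks = [int64]$Value

    # The Excel formula, step by step.
    $daysSince1601 = $ticks / 8.64e11      # 100-ns intervals -> days
    $excelSerial   = $daysSince1601 - 109205

    # Two independent readings of the same number. They must agree, otherwise the
    # input was not a FILETIME (for example a column got shifted in the CSV).
    $fromFileTime = [DateTime]::FromFileTimeUtc($ticks)    # .NET's FILETIME reader
    $fromSerial   = [DateTime]::FromOADate($excelSerial)   # Excel serial -> date
    if ([math]::Abs(($fromFileTime - $fromSerial).TotalSeconds) -gt 1) {
        throw "Conversions disagree for '$Value': $fromFileTime vs $fromSerial"
    }

    New-Object PSObject -Property @{
        ExcelSerial      = [math]::Round($excelSerial, 6)
        LastLogonUtc     = $fromFileTime
        LastLogonCentral = $fromFileTime.AddHours(-6)   # the post's fixed GMT-6 offset, no DST
    }
}

# Constructed sample in the shape of csvde -f output.csv
$csvText = @'
"DN","cn","lastLogon"
"CN=Alice,OU=Sales,DC=example,DC=local","Alice","128828448000000000"
"CN=Bob,OU=IT,DC=example,DC=local","Bob","0"
"CN=Carol,OU=IT,DC=example,DC=local","Carol","128123856000000000"
'@

$report = $csvText -split '\r?\n' | ConvertFrom-Csv | ForEach-Object {
    $t = Convert-AdTimestamp $_.lastLogon
    New-Object PSObject -Property @{
        cn           = $_.cn
        DN           = $_.DN    # the OU is readable straight from the DN
        LastLogonUtc = $(if ($t) { $t.LastLogonUtc } else { 'never' })
        ExcelSerial  = $(if ($t) { $t.ExcelSerial } else { '' })
    }
}

$report | Select-Object cn, LastLogonUtc, ExcelSerial, DN | Format-Table -AutoSize
$report | Export-Csv -Path .\lastlogon-report.csv -NoTypeInformation   # opens cleanly in Excel
```

To use it on real data, replace the here-string with `Get-Content .\output.csv` and keep the rest; the ExcelSerial column is there so you can paste the formula next to the raw value and confirm Excel agrees with the script.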

Tuesday, March 17, 2009

Rpc over http and UCC SSL gotchas

Here is a quick note for those using UCC certificates for RPC over HTTP. The name of your RPC/HTTP server has to be the common name of your SSL certificate; an alternative name will not work. Between this bug, the IPv6 bug, and the complete lack of any logging facilities, I am starting to get the feeling that this service was written by an intern. (and not a good one)
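A check for exactly this gotcha, added as an example and not part of the note: run on the CAS in the Exchange Management Shell, it reads the Outlook Anywhere external host name and compares it with the Subject CN and the SAN list of each certificate Exchange has enabled for IIS, flagging the SAN-only case described above. Get-OutlookAnywhere and Get-ExchangeCertificate are Exchange 2007 cmdlets; the regex used to pull the CN out of the subject is my own.

```powershell
# Added example, not from the post. Flags an Outlook Anywhere host name that is
# present on the IIS certificate only as a SAN rather than as the Subject CN.
$oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME
if (-not $oa -or -not $oa.ExternalHostname) {
    throw 'Outlook Anywhere is not enabled on this server'
}
$rpcHost = "$($oa.ExternalHostname)"

Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | ForEach-Object {
    # Subject looks like "CN=newmail.foo.com, O=..., C=.."; take the CN part.
    $cn = ''
    if ("$($_.Subject)" -match 'CN=([^,]+)') { $cn = $matches[1].Trim() }
    $sans = @($_.CertificateDomains | ForEach-Object { "$_" })

    $status = 'PROBLEM: host name is not on this certificate at all'
    if ($sans -icontains $rpcHost) {
        $status = 'PROBLEM: host name is only a SAN; RPC over HTTP needs it as the CN'
    }
    if ($cn -ieq $rpcHost) {
        $status = 'OK: host name is the certificate CN'
    }

    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        SubjectCN  = $cn
        RpcHost    = $rpcHost
        Status     = $status
    }
} | Format-List Thumbprint, SubjectCN, RpcHost, Status
```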

Wednesday, March 11, 2009

SOLVED: Blackberry Internet Service (BIS) duplicate messages from Exchange

A number of my users have been reporting duplicate messages on their Blackberry handhelds since we reconfigured them to use our shiny new Exchange 2007 servers. After some digging, a message was being re-delivered to the handheld every time the message was A.) marked read, B.) replied to, or C.) found in a search. This occurs only with Blackberry Internet Service (BIS) users connecting to the Exchange server with IMAP.

As it turns out, Exchange is changing the IMAP message ID every time one of the above actions occurs*. This causes RIM to see the message as new and re-transmit it to the handheld.

The options to fix it are:

Switch BIS to POP3 instead of IMAP. But then deleted items sync won't work.
Switch to Blackberry Enterprise Server. $5k in software fees, more depending on your user count.
Switch BIS to OWA..

That last option is the most promising. Unfortunately, with Exchange 2007 and forms based OWA authentication (the default), the normal url https://example.com/exchange doesn't work. Neither does https://example.com/owa.

What does work... the magic bullet for BIS+OWA on Exchange 2007 is..
http://example.com/exchange/you@example.com

I have not found this tidbit on any forums or documentation, and I really hope it helps someone.

Good Luck,
Ellie



* Constructive criticism for Microsoft. You stupid cod-flogging idiots. Why in the name of potato would you do such a thing?! Did you even _look_ at the RFC? This is what IMAP flags are designed to do. Please, please fix this, print the RFC and use it to flagellate the committee that designed this AND the committee that approved it.

Friday, March 6, 2009

Upgrading an old Ubuntu LTS server's ssh

A minor Ubuntu annoyance today. I have an old Ubuntu LTS server that tripped a Nessus scan because the OpenSSH version was too old.

I did an apt-get upgrade, but the ssh packages wouldn't upgrade, failing with this error...

root@bna-fw1:~# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
linux-image-server openssh-client openssh-server


I checked in the /etc/apt directories looking for some reason why it was held back, to no avail. Then I checked dpkg -l openssh-server, but the package wasn't marked as held either. Then I gave up and googled it. As it turns out, upgrading ssh requires you to install the oops-sorry-we-made-ssh-insecure-won't-happen-again package, openssh-blacklist, and apt-get "upgrade" can't install a new package. This seems like an open manhole waiting to swallow any sysadmin that blindly trusts apt-get upgrade for updates.

The command to fix it and upgrade openssh-server/client is...

apt-get install openssh-blacklist



-ellie

Tuesday, January 13, 2009

Updated: Exchange 2007 Splitting OWA and Autodiscover onto two different websites.

This post explains how I split Exchange Web services and Autodiscover into two separate websites so that I could use two separate SSL certificates ($30) instead of a $300 UCC certificate.

We have a wildcard certificate (*.foo.com) for our primary domain. Since we have a metric crapton of servers it saves us loads of money.

The exact minutiae of getting Outlook Anywhere working will be another post. Suffice it to say that A.) It has a showstopper IPV4/IPV6 bug out-of-the-box and B.) Wildcard certificates do not work with Outlook Anywhere.

Happy to have that particular learning experience behind me, and $15 later we had a GoDaddy certificate for newmail.foo.com. Yeah!

Now that that was working, it was time to set up the Autodiscover service. I set an SRV record for autodiscover to point to newmail.foo.com, but the users were getting a pop-up asking for permission to connect to it. I am an anti-popup person, so I set up autodiscover.foo.com in DNS to point to the OWA web server. Did it work?

No.

Why?

Another SSL problem with the certificate names. "autodiscover.foo.com" != "newmail.foo.com"

ARGH!

The Microsoft solution is to use a certificate with multiple "Subject Alternative Names", also known as a Unified Communications Certificate. They cost about $300. Personally I don't like spending that for a certificate. That's why we got a WILDCARD certificate you asshats!

After a healthy dose of expletives, I set out to move the autodiscover "application" to a separate website using our existing wildcard certificate.

Here is the part where that "doing it the hard way" feeling comes in. I couldn't find any commands or options to setup the /Autodiscover application under the new website.

After about 10 minutes of trying to figure out how to copy the settings over, I ...


  1. Set another IP for the new site.
  2. Popped a hole in Mr. Firewall for http and https.
  3. Opened IIS.
  4. Created the new site.
  5. Edited the bindings to use the right SSL certificate.
  6. Stopped IIS.
  7. Opened c:\windows\system32\inetsrv\config\applicationHost.config in Notepad.
  8. Copied <sites><Application Path> information from the default site to the autodiscover site. See update note below.
  9. Copied the <locations> information from the default site to the autodiscover site.
  10. Whispered a prayer of penance to the IT gods.
  11. Started IIS.


Update 2009-03-17: I WAS doing it the hard way! There is a PowerShell command to create a new Autodiscover virtual directory. It is New-AutodiscoverVirtualDirectory.
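The cmdlet route from the update, followed by checks for the two things that caused the trouble above (the certificate name and DNS), as an added example that is not the post's own commands. It assumes the IIS website "Autodiscover" already exists on this CAS with the wildcard certificate bound to its own IP (steps 1 to 5 above) and that it is run from the Exchange Management Shell; the site name, URL and IP are placeholders. The wildcard match via -like is a simplification of how TLS matches *.foo.com (it would also accept deeper names), which is fine for a sanity check.

```powershell
# Added example, not the post's own commands. Creates the Autodiscover virtual
# directory under the separate website and checks certificate name and DNS.
$siteName        = 'Autodiscover'                  # the IIS website created by hand
$autodiscoverUrl = 'https://autodiscover.foo.com/Autodiscover/Autodiscover.xml'
$siteIp          = '192.0.2.10'                    # placeholder: IP bound to that site

New-AutodiscoverVirtualDirectory -WebSiteName $siteName `
    -InternalUrl $autodiscoverUrl -ExternalUrl $autodiscoverUrl

# 1. Did it land in the new website rather than the default one?
#    Identity is "SERVER\Autodiscover (WebSiteName)", so filter on the suffix.
Get-AutodiscoverVirtualDirectory | Where-Object { $_.Identity -like "*($siteName)" } |
    Format-List Identity, InternalUrl, ExternalUrl

# 2. Certificate name: Outlook connects to the host in the URL, so an IIS-enabled
#    certificate must cover that name; "*.foo.com" matches it via -like.
$hostName = ([Uri]$autodiscoverUrl).Host
$covering = Get-ExchangeCertificate | Where-Object {
    "$($_.Services)" -match 'IIS' -and
    @($_.CertificateDomains | Where-Object { $hostName -like "$_" }).Count -gt 0
}
if ($covering) {
    $thumbs = @($covering | ForEach-Object { $_.Thumbprint }) -join ', '
    Write-Host "Certificate(s) covering ${hostName}: $thumbs"
} else {
    Write-Warning "No IIS-enabled certificate on this server matches $hostName"
}

# 3. DNS: the A record must point at the IP the new site is bound to, otherwise
#    the request lands on the default site and its differently named certificate.
$resolved = [System.Net.Dns]::GetHostAddresses($hostName) |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -contains $siteIp) {
    Write-Host "$hostName resolves to $siteIp"
} else {
    Write-Warning "$hostName resolves to $($resolved -join ', '), not $siteIp"
}
```

After the AD change has replicated, Exchange 2007's own Test-OutlookWebServices cmdlet exercises Autodiscover end to end for a mailbox and is the quickest way to confirm the pop-up is gone.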

And wow, It worked! Was I ever surprised?!

Ttfn,
-ellie