Routing Group Connector configuration for Exchange 2003 to Exchange 2010 in Multi AD site environment

One of the common issues when transitioning from Exchange 2003 to Exchange 2010 in a multi-AD-site environment is that no Routing Group Connector gets created for each AD site. Exchange 2010 creates one Routing Group Connector in the AD site during the installation of the first Hub Transport server in the organization. This does not necessarily happen for subsequent Hub Transport server installations in other AD sites where Exchange 2003 servers also reside.

To avoid this, we need to create a Routing Group Connector manually for each AD site. Below is an example of creating a new Routing Group Connector for a particular AD site. Make sure you add all the Exchange 2010 Hub Transport servers of the site to the SourceTransportServers parameter and, similarly, all the Exchange 2003 servers of the site to the TargetTransportServers parameter. These servers must belong to the same AD site; the cmdlet will not allow adding servers from multiple AD sites. It is also important to set Bidirectional to $true. Routing Group Connectors are unidirectional by default, so the connector has to be made bidirectional if mail needs to flow in both directions; otherwise we would have to create two Routing Group Connectors per site and swap the values of the SourceTransportServers and TargetTransportServers parameters. The PublicFolderReferralsEnabled parameter allows public folder referrals to use the Routing Group Connector. This is important if you want to replicate public folders between Exchange 2003 and Exchange 2010.

Below is the command to create a new Routing Group Connector for a specific AD site (multiple servers are passed as separate quoted values):

New-RoutingGroupConnector -Name "connector name - AD site" -SourceTransportServers "Hub2010-01.contoso.com","Hub2010-02.contoso.com" -TargetTransportServers "Exch2003-01.contoso.com","Exch2003-02.contoso.com" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true

As multiple routes now exist in the organization between Exchange 2003 and Exchange 2010, this can cause mail looping. To avoid looping we need to suppress link state updates on the Exchange 2003 servers. The TechNet link below has the registry steps to suppress link state updates:

http://technet.microsoft.com/en-us/library/aa996728(v=exchg.141).aspx
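The per-site procedure above is easy to miss for one site out of many, so here is an added example (not from the original post) that walks every AD site holding both Exchange 2010 Hub Transport servers and Exchange 2003 servers and creates the connector where one is missing. It assumes it runs in the Exchange 2010 Management Shell, that Exchange 2003 servers show AdminDisplayVersion major version 6 and Exchange 2010 servers major version 14, that the Site property of Get-ExchangeServer is populated for both, and that a site counts as covered when an existing connector already lists one of the site's Hub servers as a source. The connector name "Interop RGC - <site>" is a made-up convention.

```powershell
# Added example, not from the original post: create one Routing Group
# Connector per AD site that contains both Exchange 2010 Hub Transport
# servers and Exchange 2003 servers, skipping sites that already have one.
# Assumptions: Exchange 2010 Management Shell; Exchange 2003 servers have
# AdminDisplayVersion.Major 6, Exchange 2010 Hubs 14; Site is populated for
# both; a site is covered when a connector already uses one of its Hubs.

$servers  = Get-ExchangeServer
$existing = @(Get-RoutingGroupConnector)

# Server names already used as a source on any connector
$sourceNames = @($existing |
    ForEach-Object { $_.SourceTransportServers } |
    ForEach-Object { $_.Name })

# Exchange 2010 Hub Transport servers and Exchange 2003 servers, per AD site
$hubsBySite = $servers |
    Where-Object { $_.IsHubTransportServer -and $_.AdminDisplayVersion.Major -eq 14 } |
    Group-Object { $_.Site.Name }
$legacyBySite = $servers |
    Where-Object { $_.AdminDisplayVersion.Major -eq 6 } |
    Group-Object { $_.Site.Name }

foreach ($siteGroup in $hubsBySite) {
    $site   = $siteGroup.Name
    $legacy = $legacyBySite | Where-Object { $_.Name -eq $site }
    if (-not $legacy) {
        Write-Host "Site $site has no Exchange 2003 servers, nothing to do"
        continue
    }

    $covered = @($siteGroup.Group | Where-Object { $sourceNames -contains $_.Name })
    if ($covered.Count -gt 0) {
        Write-Host "Site $site already has a connector (source: $($covered[0].Name))"
        continue
    }

    # Both lists come from the same site, as the cmdlet requires
    $hubFqdns    = @($siteGroup.Group | ForEach-Object { $_.Fqdn })
    $legacyFqdns = @($legacy.Group    | ForEach-Object { $_.Fqdn })

    New-RoutingGroupConnector -Name "Interop RGC - $site" `
        -SourceTransportServers $hubFqdns `
        -TargetTransportServers $legacyFqdns `
        -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true
}

# Verify: every connector should be bidirectional and allow PF referrals
Get-RoutingGroupConnector |
    Format-Table Name, SourceTransportServers, TargetTransportServers,
                 Bidirectional, PublicFolderReferralsEnabled -AutoSize
```

Run it once after the last Hub Transport server is installed and again after any new AD site is added to the transition; the final Format-Table is the quick check that no site ended up with a one-way connector.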

Lync 2010 Address book Service, a quick glance

In the past I had written an article on the Exchange 2010 address book service: how it generates the address book, how it is distributed and how clients are updated. Here is the web link. I thought I should write a similar one for Lync 2010 as well. This will give you a fair idea of the Lync address book generation, synchronization and client update process, although it is an entirely different process from Exchange 2010.

Below are the high-level steps to give you an easy understanding of this process.

1. The Lync Address Book Service generates both the offline address book (for phones) and the online address book (for Lync clients), generally known as the Global Address List (GAL).

2. It also provides the Address Book Web Query service. Using this, Lync clients can query Active Directory directly for group membership details.

3. The Lync Address Book Service is part of both the Lync Standard Edition and Enterprise Edition servers.

4. Only one server in a Front End pool can run the Address Book Service, so each Front End pool has its own Address Book Server running the service.

5. The Address Book Service uses the User Replicator to query Active Directory Domain Services (AD DS) at a scheduled interval and update the data in the SQL databases RTCab and RTC. This normally happens every 60 seconds.

6. The User Replicator only ever reads from Active Directory; it uses LDAP to query new and updated information on user, contact and group objects.

7. The Address Book Server synchronizes the user data from the RTCab database into files in the Address Book Server file store. It only pulls new and updated data from the RTCab database. This occurs once every 24 hours and by default is scheduled to run every day at 1:30 AM.

8. This schedule can be changed to run multiple times a day depending on requirements, or the synchronization can be forced to run immediately with the Lync PowerShell cmdlet "Update-CsAddressBook".

9. The Address Book Server file store holds two sets of address book files: one for clients such as Lync 2010, with the .lsabs extension, and a compact version for phone devices with the .dabs extension, which carries limited information to suit phone devices with less memory.

10. The UNC path of the Address Book Server file store is \\lyncserver\lyncshare\1-WebServices-1\ABFiles\

11. Multiple .lsabs and .dabs files are stored in the Address Book Server file store: full address book files and delta address book files. Full address book files for Lync clients have the format F-xxxx.lsabs and delta files have the format D-xxxx-yyyy.lsabs. Similarly for mobile devices, full files are F-xxxx.dabs and compact delta files are C-xxxx-yyyy.dabs, where xxxx and yyyy represent the date as a 0-based hexadecimal number of days since January 1, 2001.

12. Address book file generation is the most interesting part, and Table 1 below outlines the process. The same process is followed for both *.lsabs and *.dabs file types.

On Day 1 it generates a full version of the address book file. On Day 2 it generates another full address book file along with a delta file containing the information generated and updated after the Day 1 full file. Similarly, on Day 3 it generates another full address book file and two delta files: the first delta file has the information generated between Day 2 and Day 3, the second has the information generated between Day 1 and Day 3. This goes on for 30 days.

Day          Files generated (*.lsabs and *.dabs files)
Day 1        Full (F1)
Day 2        Full (F2), Delta of F2 - F1
Day 3        Full (F3), Delta of F3 - F2, Delta of F3 - F1
Day 4        Full (F4), Delta of F4 - F3, Delta of F4 - F2, Delta of F4 - F1
Day 5 - 29   ...
Day 30       Full (F30), Delta of F30 - F29, Delta of F30 - F28, ..., Delta of F30 - F1

Table 1. Address book file generation (table source: TechNet – link)

13. Now the question is what happens on the 31st day and how these files are deleted. Address book files continue to be generated in the same fashion, but from the 31st day the service also starts deleting the files from Day 1; on the 32nd day it generates the full and delta files and deletes all the Day 2 files, and this cycle continues.

14. How do Lync clients download the address book file? Once the Lync client is authenticated, the client is provided with the Address Book URL. This is the UNC path of the Address Book Server file store.

15. The Lync client uses this Address Book URL and attempts to download the current full data file the first time; on the following days it only downloads the delta files based on its last full download. For example, on Day 2 the client only downloads the delta of F2 - F1 and on Day 3 only the delta of F3 - F2.

16. The Lync client needs an updated GAL immediately after every successful login, but it waits between 0 and 60 minutes after login before downloading the latest address book file. This is to make sure clients do not overload the server with address book requests at the same time.
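To make the naming scheme in point 11 and the generation and cleanup cycle in points 12 and 13 concrete, here is an added example (not from the original post or from Microsoft) that computes the hexadecimal day numbers, predicts which files Table 1 expects in the file store on a given date, decodes a file name back into dates, and compares a real ABFiles share against that prediction. It assumes four hex digits (the post's xxxx), that the older day comes first in delta names (D-older-newer), and the post's UNC path; the Get-*/ConvertFrom-*/Test-* function names are my own.

```powershell
# Added example, not from the original post: models the address book file
# naming and retention described in points 11 to 13 and Table 1, and checks
# a real ABFiles share against it. The day number is the 0-based count of
# days since 2001-01-01 written in hexadecimal, and on day N the server
# keeps one full file plus a delta back to each earlier full file still in
# the 30-day window. Assumptions: four hex digits (the post's xxxx), the
# older day first in delta names (D-older-newer), and the post's UNC path.

$AbFileStore   = '\\lyncserver\lyncshare\1-WebServices-1\ABFiles'
$AbEpoch       = [datetime]'2001-01-01'
$RetentionDays = 30

function Get-AbDayNumber {
    param([datetime]$Date = (Get-Date))
    [int]($Date.Date - $AbEpoch).TotalDays
}

function ConvertFrom-AbDayNumber {
    param([int]$Day)
    $AbEpoch.AddDays($Day)
}

# File names Table 1 predicts for a given date, for both client types
function Get-ExpectedAbFiles {
    param([datetime]$Date = (Get-Date))
    $today = Get-AbDayNumber $Date
    $names = @()
    foreach ($pair in @(@('lsabs', 'D'), @('dabs', 'C'))) {
        $ext, $prefix = $pair
        $names += 'F-{0:x4}.{1}' -f $today, $ext
        for ($i = 1; $i -lt $RetentionDays -and ($today - $i) -ge 0; $i++) {
            $names += '{0}-{1:x4}-{2:x4}.{3}' -f $prefix, ($today - $i), $today, $ext
        }
    }
    $names
}

# Decode a file name such as D-0e5a-0e5b.lsabs back into dates
function ConvertFrom-AbFileName {
    param([string]$Name)
    if ($Name -notmatch '^(?<kind>[FDC])-(?<a>[0-9a-f]+)(?:-(?<b>[0-9a-f]+))?\.(?<ext>lsabs|dabs)$') {
        return $null
    }
    $info = [ordered]@{
        Name = $Name
        Kind = $Matches['kind']      # F = full, D = client delta, C = phone delta
        Type = $Matches['ext']
        From = ConvertFrom-AbDayNumber ([Convert]::ToInt32($Matches['a'], 16))
        To   = $null
    }
    if ($Matches['b']) { $info.To = ConvertFrom-AbDayNumber ([Convert]::ToInt32($Matches['b'], 16)) }
    New-Object PSObject -Property $info
}

# Compare the share with Table 1: a missing full file for today means the
# 1:30 AM generation did not run; files older than the retention window
# mean the 31st-day cleanup is not happening.
function Test-AbFileStore {
    param([string]$Path = $AbFileStore, [datetime]$Date = (Get-Date))
    $today    = Get-AbDayNumber $Date
    $present  = @(Get-ChildItem -Path $Path | Where-Object { $_.Name -match '\.(lsabs|dabs)$' } |
                  ForEach-Object { $_.Name })
    $expected = Get-ExpectedAbFiles -Date $Date
    $stale = @(foreach ($n in $present) {
        $f = ConvertFrom-AbFileName $n
        if ($f -and ($today - (Get-AbDayNumber $f.From)) -ge $RetentionDays) { $n }
    })
    New-Object PSObject -Property @{
        FullFileForToday = ($present -contains ('F-{0:x4}.lsabs' -f $today))
        Missing          = @($expected | Where-Object { $present -notcontains $_ })
        Stale            = $stale
    }
}

Get-ExpectedAbFiles | Select-Object -First 4
ConvertFrom-AbFileName 'D-0e5a-0e5b.lsabs'
Test-AbFileStore
```

Test-AbFileStore is the part worth scheduling: a false FullFileForToday after 1:30 AM, or a growing Stale list, tells you the Address Book Server job is not running or not cleaning up, long before users notice that the GAL is out of date.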

There are a bunch of PowerShell cmdlets to manage the address book; a few of them are listed below.

Update-CsAddressBook – forces synchronization of all the address books in the organization

Test-CsAddressBookService – tests and verifies the Address Book Service on the Address Book Server

Set-CsAddressBookConfiguration – configures the various Address Book settings

I hope this article is informative and gives you a good idea of the Address Book Service in Lync 2010.

Courtesy : TechNet.Microsoft.com

Exchange Profile Analyzer for Exchange 2003 and 2007: what is there for Exchange 2010?

EPA is a great tool to understand the current users' profile, and it's fairly simple to run the tool and generate the result.

This tool cannot be used with Exchange 2010 because it uses WebDAV to pull the data, and Exchange 2010 does not support WebDAV.

Here is a PowerShell script from Rob Campbell which can get similar stats from Exchange 2010 servers. It scans through all the transport servers' logs from the previous day and generates stats for each user, by primary SMTP address, for:

Total Messages and Bytes Sent
Unique Messages and Bytes Sent
Total Messages and Bytes Received
for both Internal and External emails.

http://gallery.technet.microsoft.com/scriptcenter/bb94b422-eb9e-4c53-a454-f7da6ddfb5d6#content
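As an added example of the kind of per-user tracking-log statistics described above (this is my own code, not Rob Campbell's script and not from the original post), here is a small script that reads the previous day's message tracking logs from every Hub Transport server and builds sent/received counts per SMTP address. It assumes the Exchange 2010 Management Shell, that a message counts as sent when its RECEIVE event has Source STOREDRIVER (submitted from a mailbox) and as received on a STOREDRIVER DELIVER event, and that "internal" means the sender's or recipient's domain is one of the organization's accepted domains; the output file name is arbitrary.

```powershell
# Added example, not Rob Campbell's script and not from the original post:
# per-user send/receive counts for the previous day from the message tracking
# logs of every Hub Transport server. Assumptions: Exchange 2010 Management
# Shell; a message is "sent" on a STOREDRIVER RECEIVE event and "received"
# on a STOREDRIVER DELIVER event; "internal" means an accepted domain.

$start = (Get-Date).Date.AddDays(-1)
$end   = (Get-Date).Date
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Test-InternalAddress {
    param([string]$Address)
    $internalDomains -contains (($Address -split '@')[-1].ToLower())
}

$events = Get-TransportServer | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name -Start $start -End $end -ResultSize Unlimited |
        Where-Object { $_.Source -eq 'STOREDRIVER' -and ($_.EventId -eq 'RECEIVE' -or $_.EventId -eq 'DELIVER') }
}

$stats = @{}
function Get-UserBucket {
    param([string]$User)
    if (-not $stats.ContainsKey($User)) {
        $stats[$User] = @{ User = $User; SentUnique = 0; SentUniqueBytes = 0; SentTotal = 0; SentTotalBytes = 0
                           SentExternal = 0; ReceivedTotal = 0; ReceivedBytes = 0; ReceivedExternal = 0 }
    }
    $stats[$User]
}

$seen = @{}   # MessageId -> seen, so a submission logged on several servers counts once
foreach ($e in $events) {
    if (-not $e.Sender) { continue }
    if ($e.EventId -eq 'RECEIVE') {
        $b = Get-UserBucket $e.Sender.ToLower()
        if (-not $seen.ContainsKey($e.MessageId)) {
            $seen[$e.MessageId] = $true
            $b.SentUnique      += 1
            $b.SentUniqueBytes += $e.TotalBytes
            $b.SentTotal       += $e.RecipientCount                 # one per recipient
            $b.SentTotalBytes  += $e.TotalBytes * $e.RecipientCount
            foreach ($r in $e.Recipients) { if (-not (Test-InternalAddress $r)) { $b.SentExternal += 1 } }
        }
    } else {
        $external = -not (Test-InternalAddress $e.Sender)
        foreach ($r in $e.Recipients) {
            $b = Get-UserBucket $r.ToLower()
            $b.ReceivedTotal += 1
            $b.ReceivedBytes += $e.TotalBytes
            if ($external) { $b.ReceivedExternal += 1 }
        }
    }
}

$stats.Values |
    ForEach-Object { New-Object PSObject -Property $_ } |
    Sort-Object SentTotal -Descending |
    Export-Csv -Path .\user-mail-stats.csv -NoTypeInformation
```

Run it over several days before sizing a new environment, since a single day is rarely representative; the SentExternal and ReceivedExternal columns are also a cheap way to spot a mailbox that suddenly starts relaying far more outbound mail than its peers.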

Exchange 2010 Load balancer Preferred persistence Method

In Exchange 2010, load balancers are used to load balance Client Access traffic. The Client Access server now plays a major role, and all types of clients connect to it. It is important to configure the load balancer with the correct preferred persistence method for the different kinds of user traffic. So I thought we should have a quick reference guide we can refer to at any time. I got this from one of the MS TechEd presentations.


Active Directory Cross Forest Migration from Active Directory 2003 to Active Directory 2008 – Part 3

This is the last and final part of the cross forest migration series.

You can catch up with Part 1 and Part 2 before coming to this article.

Migrating groups from red.com to green.com

1. Migrate the global security group (Exchange Admins) along with its member group AD Admins.

Figure 44. AD group with another AD group as a member, for migration

2. Start the Active Directory Migration Tool from Administrative Tools, right-click on Active Directory Migration Tool and select "Group Account Migration Wizard".

Figure 45. Starting the Group Account Migration Wizard

3. Select the appropriate source and target domains and the appropriate domain controllers.

Figure 46. Selecting source and target domain

4. Select the option "Select groups from domain".

Figure 47. Selecting the manual group selection option

5. Add the group Exchange Admins.

Figure 48. Adding group Exchange Admins for migration

6. Select the target OU where you want to place the group object in the target domain.

Figure 49. Selecting the target OU in the target domain

7. Select the options Copy group members, Fix membership of group and Migrate group SIDs to target domain.

Figure 50. Options to migrate group members along with the group

8. Type the account which has administrative rights on the source domain.

Figure 51. Providing an admin account from the source domain

9. If you have any attributes to exclude then use this option, else click Next to continue.

Figure 52. Excluding AD properties, if any

10. Select the option Do not migrate source object if a conflict is detected in the target domain, to make sure conflicting accounts are not merged. You also have the option to merge accounts instead.

Figure 53. Conflict management option

11. Select the option Migrate passwords to migrate passwords for the group members.

Figure 54. Password migration option for the group members

12. Under the group member migration options, keep the target account state at the default "Target same as source". If the source account is disabled then the target account will also be disabled, and if the source account is enabled then the target account will also be enabled.

Figure 55. Selecting target account status after migration

13. Once all the desired options are selected, click Finish to kick off the migration process.

Figure 56. Completing the Group Account Migration Wizard

14. The migration process starts migrating the groups and their members based on the options selected. Once the migration is completed, the logs can be viewed.

Figure 57. Migration progress status

15. The log file gives you the group migration details. These log files are very important for verification and troubleshooting purposes.

Figure 58. Migration log details

We have successfully migrated user accounts and groups. ADMT provides various other wizards, such as:

Service account migration Wizard

Computer account migration wizard

Password migration wizard

Reporting wizard

Security Translation wizard etc.

Figure 59. ADMT Migration Wizard

Once the user accounts are migrated, it's time to move the mailboxes from source to destination. Depending on the target environment you will have to decide which cmdlets to use to move the mailboxes.

As ADMT is a free tool it can save a good amount of money, but it is very important to make sure the tool is fully tested in the lab and that a proper process document is created before starting to migrate production users, groups and computers. Happy migrating!

Active Directory Cross Forest Migration from Active Directory 2003 to Active Directory 2008 – Part 2

This is a continuation of Part 1. Please continue with Part 2.

Creating and configuring the ADMTAdmin service account

Now we need to create and configure the ADMT service account to make sure the ADMT service account (admtadmin) has the appropriate rights to perform the migration tasks.

1. Create a service account admtadmin in green.com and add green\admtadmin to the Domain Admins group of green.com.

2. Connect to Active Directory Users and Computers for red.com and add green\admtadmin as a member of the built-in Administrators group.

Figure 17. Adding "green\admtadmin" as a member of the built-in Administrators group in red.com

Preparing and configuring PES (Password Export Server)

1. Log in to the domain member server in green.com where the ADMT tool is installed and run the command below. This generates the encryption key to be imported on the source domain controller. The command creates the encryption key file at C:\PES.pes and prompts for the password and its confirmation.

admt key /option:create /sourcedomain:red /keyfile:"c:\PES.pes" /keypassword:*

Figure 18. Exporting the encryption key from the ADMT server

2. Copy the file C:\PES.pes to the root directory (C:\) of the source (red.com) domain controller.

3. Log in to the source domain controller (red.com) and install the PES tool.

4. During the installation it prompts for the location of the encryption key. Click Browse, point to the encryption key file copied in the previous step (C:\PES.pes) and click Next.

Figure 19. Importing the encryption key file into the Password Export Server

5. Enter and confirm the same password that was used when exporting the encryption key in step 1 above, and click Next.

Figure 20. Confirming the password for importing the encryption key

6. It prompts for the PES service account. Specify the green\admtadmin account with its password and click OK to continue. Once configuration is completed, the server prompts for a reboot; confirm to reboot the server.

Figure 21. Providing the green\admtadmin service account to run the PES service

7. The Password Export Server service does not start automatically; it has to be started manually. Only start it when required, i.e. when a migration is being performed.

Figure 22. Password Export Server service is disabled by default

8. Right-click on the service and select Start. You should see the Started status in the Services console.

Figure 23. Password Export Server service status after manually starting the service

Configuring the source domain controller (red.com)

Once the PES service is configured, we have to configure the registry to allow password export. Below are the steps to perform the same.

1. Log in to the domain controller and start Registry Editor (regedit).

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Open the AllowPasswordExport value and change it from 0 to 1.

Figure 24. Enabling the password export setting in the registry
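Step 7 of the PES section and step 3 here are the two switches that let password hashes leave the source domain controller, so it is worth scripting both the enable and the disable and checking afterwards. The following is an added example (not from the original post or from the ADMT documentation) for an elevated PowerShell on the red.com domain controller; it assumes the PES service can be found by the display name pattern 'Password Export Server*' and uses the registry value name from step 3 above. The function names are my own.

```powershell
# Added example, not from the original post: enable password export only
# for the duration of a migration run and confirm it is switched off again
# afterwards. Assumptions: elevated PowerShell on the red.com DC where PES
# is installed; the PES service is located by display name
# ('Password Export Server*'), which is an assumption.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$PesValue = 'AllowPasswordExport'

function Get-PesService {
    Get-Service -DisplayName 'Password Export Server*' -ErrorAction SilentlyContinue
}

function Get-PasswordExportState {
    $reg = (Get-ItemProperty -Path $LsaKey -Name $PesValue -ErrorAction SilentlyContinue).$PesValue
    $svc = Get-PesService
    $status = 'NotInstalled'
    if ($svc) { $status = $svc.Status.ToString() }
    New-Object PSObject -Property @{
        AllowPasswordExport = [int]$reg      # 1 = export allowed, 0 or absent = blocked
        PesServiceStatus    = $status
    }
}

function Enable-PasswordExport {
    # Step 3 above: flip the LSA value from 0 to 1, then start the PES service (step 8)
    Set-ItemProperty -Path $LsaKey -Name $PesValue -Value 1 -Type DWord
    $svc = Get-PesService
    if ($svc -and $svc.Status -ne 'Running') { $svc | Start-Service }
}

function Disable-PasswordExport {
    # Reverse it once the migration batch is done: stop PES, set the value back to 0
    $svc = Get-PesService
    if ($svc -and $svc.Status -eq 'Running') { $svc | Stop-Service }
    Set-ItemProperty -Path $LsaKey -Name $PesValue -Value 0 -Type DWord
}

# Typical use: enable, run the ADMT user/group wizards, then disable and check
Enable-PasswordExport
Get-PasswordExportState
# ... run the migration batch ...
Disable-PasswordExport
$state = Get-PasswordExportState
if ($state.AllowPasswordExport -ne 0 -or $state.PesServiceStatus -eq 'Running') {
    Write-Warning 'Password export is still enabled on this domain controller'
}
```

Get-PasswordExportState is also handy on its own as a periodic check across all domain controllers once the migration project is over: a DC that still has AllowPasswordExport set to 1 and the PES service running has been left in its migration-time state.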

Disable SID filtering

If we need SID history on the target domain, then we have to disable SID filtering on the trust. Run the command below on the target domain to disable SID filtering:

netdom trust source.com /domain:target /quarantine:No /usero:source_admin_act /passwordo:source_administrator_pwd

Figure 25. Disabling SID filtering


Migrating a user from red.com to green.com

1. We will migrate the user krishna.kumar from red.com to green.com. We can verify and make a note of the user's objectSid in the source domain with the help of the ldp tool or a simple LDAP query.

Figure 26. objectSid details of user krishna.kumar

2. Log in as green\admtadmin to the target domain member server where the ADMT tool is installed.

3. Start the Active Directory Migration Tool from Administrative Tools.

4. Right-click on Active Directory Migration Tool, select User Account Migration Wizard and click Next.

Figure 27. Starting the User Account Migration Wizard

5. Select the source domain, source domain controller, target domain and target domain controller and click Next.

Figure 28. Source and target domain details for migration

6. Select "Select users from domain" under the user selection options and click Next.

Figure 29. Manual user selection

7. Add the user krishna.kumar and click Next.

Figure 30. Adding krishna.kumar for user migration

8. Create a target OU in the target domain and point to it so the migrated user account is created there.

Figure 31. Selecting the target OU where the migrated user should be created

9. Select the option Migrate passwords.

Figure 32. Selecting the Migrate passwords option and the source domain controller

10. Select the option Target same as source, also enable the option Migrate user SIDs to target domain and click Next.

Figure 33. Options to select on how to handle migrating accounts

11. Type an account from the source domain which has administrative rights and click Next.

Figure 34. Admin account for adding SID history on the migrated account

12. Select the required options such as Update user rights, Migrate associated user groups and Fix users' group memberships, and click Next.

Figure 35. Options to migrate associated user groups, profiles and settings

13. All AD properties are migrated to the target account. If you need to exclude any properties, figure 36 shows the option to do so.

Figure 36. Option to exclude AD properties on the migrating objects

14. Keep the default option Do not migrate source object if a conflict is detected in the target domain and click Next.

Figure 37. Conflict management option

15. Click Finish to kick off the user migration.

Figure 38. Finishing the user migration

16. Once the migration is completed, you should see the details on the screen. For more detail, click View Log.

Figure 39. Migration progress status

17. The log file has a good amount of information on what exactly happened during the migration: details such as the account being replicated and created, SID history added, password copied, group membership details, etc.

Figure 40. Migration log details

18. In the target domain we can see that krishna.kumar has been created with all the group memberships, and that the associated groups have also been migrated to the destination. You can also verify all the user properties.

Figure 41. krishna.kumar user properties after migration, with group membership details

19. We can also verify the objectSid and the sIDHistory created on the new object in the target domain. The sIDHistory is the same as the source objectSid.

Figure 42. objectSid and sIDHistory details of krishna.kumar after migration

20. To check that the password has been copied, log in to one of the client computers with the same password as in the source domain. Figure 43 below shows the details of the logged-in account with the domain name.

Figure 43. Login details of krishna.kumar on the green.com workstation
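Steps 18 and 19 verify the migrated user by hand in the GUI, and Part 3 does the same for the migrated group. As an added example (not from the original post), here is a script that performs that check over plain LDAP with System.DirectoryServices, so it works from the Windows 2003 ADMT member server without the Active Directory module: it reads the objectSid from red.com, the objectSid and sIDHistory from green.com, confirms the history contains exactly the source SID and nothing else, and compares group membership counts. It assumes it runs as green\admtadmin, that red.com and green.com are the lab names from this series, and that the group's sAMAccountName is "Exchange Admins" as in Part 3; the function names are my own.

```powershell
# Added example, not from the original post: compare the objectSid of an
# account in the source forest with the sIDHistory on the migrated account in
# the target forest, for users and groups alike, using plain LDAP through
# System.DirectoryServices (no AD module needed). Assumptions: run as
# green\admtadmin; red.com/green.com and the account names are the lab
# values used in this series.

function Get-DirectoryObject {
    param([string]$Domain, [string]$SamAccountName)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange(@('objectSid', 'sIDHistory', 'memberOf', 'objectClass'))
    $searcher.FindOne()
}

function ConvertTo-SidString {
    param([byte[]]$Bytes)
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

function Test-SidHistory {
    param([string]$SourceDomain, [string]$TargetDomain, [string]$SamAccountName)
    $src = Get-DirectoryObject $SourceDomain $SamAccountName
    $dst = Get-DirectoryObject $TargetDomain $SamAccountName
    if (-not $src -or -not $dst) { throw "Account $SamAccountName not found in both domains" }

    $sourceSid = ConvertTo-SidString $src.Properties['objectsid'][0]
    $history   = @($dst.Properties['sidhistory'] | ForEach-Object { ConvertTo-SidString $_ })

    New-Object PSObject -Property @{
        Account          = $SamAccountName
        SourceObjectSid  = $sourceSid
        TargetObjectSid  = ConvertTo-SidString $dst.Properties['objectsid'][0]
        SidHistory       = ($history -join ', ')
        # Figure 42: the history should hold the source objectSid ...
        HistoryMatches   = ($history -contains $sourceSid)
        # ... and nothing else; any extra SID here needs an explanation
        UnexpectedSids   = @($history | Where-Object { $_ -ne $sourceSid })
        # Figure 41: group membership should follow the account across
        SourceGroupCount = $src.Properties['memberof'].Count
        TargetGroupCount = $dst.Properties['memberof'].Count
    }
}

Test-SidHistory -SourceDomain 'red.com' -TargetDomain 'green.com' -SamAccountName 'krishna.kumar'
Test-SidHistory -SourceDomain 'red.com' -TargetDomain 'green.com' -SamAccountName 'Exchange Admins'
```

Because sIDHistory is what grants the migrated account its old access on red.com resources, the UnexpectedSids field is the one to watch: a migrated account should carry only its own former SID, never a SID belonging to a privileged group.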

Active Directory Cross Forest Migration from Active Directory 2003 to Active Directory 2008 – Part 1

When we talk about cross forest AD migration, the first thing that comes to mind is the Active Directory Migration Tool (ADMT). It is a free, very easy to use and powerful tool from Microsoft. It doesn't look very fancy but it does its job. There are various tools available in the market to perform cross forest migration, but here we will talk about ADMT, its features and how we can use it. Before you use ADMT in production you need a thorough understanding of the tool: test it in the lab and only then take it to production.

Note: Not performing thorough testing can be disruptive for the users. Users may lose passwords, lose share access, and you will be in trouble.

ADMT features

1. It provides various wizards to migrate user accounts, computer accounts, service accounts and groups.

2. It migrates SID history, which helps users keep their access to network shares, applications and other services even after they have been migrated to a different forest.

3. It migrates passwords from the source forest to the target forest.

Lab diagram: Red.com (source forest) and Green.com (target forest)

Current lab setup

Red.com domain                                   Green.com domain
Domain controller (Windows 2003)                 Domain controller (Windows 2008)
  Software installed on the source DC:
  PES 3.1 (Password Export Server)               Domain member server (Windows 2003)
                                                   Software installed:
                                                   ADMT 3.0 (Active Directory Migration Tool)
                                                   .NET Framework version 2.0
                                                   SQL 2005 with latest service pack

Installation of ADMT tool on the Domain member Server

Please follow the process below, in order, to install the prerequisites and ADMT. If your domain member server is Windows 2008 or Windows 2008 R2 then you can install the latest version of ADMT, 3.1 or 3.2 respectively. In my lab the domain member server is Windows 2003, so I am forced to install ADMT 3.0.

1. Install Microsoft .NET Framework Version 2.0 Redistributable Package (x86)
2. Install SQL 2005
3. Install the latest SQL service pack
4. Install the ADMT tool and accept the default database selection (if SQL 2005 is not installed prior to installing ADMT then it automatically installs Microsoft SQL Server Desktop Edition)

DNS Configuration between forests

DNS configuration is one of the primary requirements for communication between two forests.

DNS can be configured in two ways, either by creating a secondary zone or by using forwarders. Configuring forwarders is much easier than creating a secondary zone. A secondary zone holds a read-only copy of the other domain's zone, whereas forwarders just forward requests to the target domain's DNS servers. Responses to DNS requests are much faster with a secondary zone than with forwarders.

Let me show you how to create a secondary zone.

1. Log in to the Green.com domain controller
2. Open DNS Manager
3. Right-click on Forward Lookup Zones, select New Zone and click Next

Figure 1. Creating new Zone

4. Select Secondary zone and click Next

Figure 2. Creating a new secondary zone

5. Provide the target domain name and click Next

Figure 3. Providing the DNS zone name

6. Provide the red.com DNS server IP address, click Next and click Finish to complete the configuration

Figure 4. Configuring the master DNS server of red.com

7. Follow the same process (steps 1 to 6) on the red.com DNS server to create the secondary zone for the green.com domain

Cross forest trust configuration

1. Connect to the target domain controller (green.com) and open Active Directory Domains and Trusts from Administrative Tools.

2. Right-click on Active Directory Domains and Trusts and click Properties.

Figure 5. Starting the trust configuration

3. Select the Trusts tab, click New Trust and click Next on the welcome screen.

Figure 6. Trusts tab to start the new trust configuration between forests

4. Provide the trust name, the source domain red.com, and click Next.

Figure 7. Domain name you want to trust

5. Select External trust, as you cannot create a forest trust between AD 2003 and AD 2008, and click Next.

Figure 8. Configuring the external trust

6. Select "Two-way" trust and click Next.

Figure 9. Selecting the two-way trust option

7. Select the option "Both this domain and the specified domain".

Figure 10. Option to create the trust on both red.com and green.com

8. Input the source (red.com) account which has administrative privileges and click Next.

Figure 11. Providing an account with administrative privileges on red.com

9. Select "Domain-wide authentication" for red.com and click Next.

Figure 12. Selecting domain-wide authentication on the outgoing trust for the local domain

10. Select Domain-wide authentication for the local domain and click Next.

Figure 13. Selecting domain-wide authentication on the outgoing trust for the specified remote domain

11. Select "Yes, confirm the outgoing trust".

Figure 14. Confirmation to create the outgoing trust

12. Select "Yes, confirm the incoming trust", click Next and click Finish to complete the configuration.

Figure 15. Confirmation to create the incoming trust

13. The outgoing and incoming external trusts between both forests have been created successfully.

Figure 16. Successful status of external trust creation
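Before moving on to the ADMT steps in the next parts, it pays to confirm that the secondary zone has actually transferred and that the trust verifies in both directions, because both the PES key exchange and the migration wizards fail in confusing ways otherwise. The following is an added example (not from the original post) for a domain admin on the green.com Windows 2008 domain controller; it wraps the built-in dnscmd and netdom tools and assumes the lab names red.com and green.com from this series. The function names are my own.

```powershell
# Added example, not from the original post: verify from the green.com DC
# that the secondary zone for red.com exists and resolves, and that the
# external trust created in steps 1 to 13 verifies in both directions.
# Assumptions: domain admin on the Windows 2008 DC; red.com/green.com are
# the post's lab domain names.

$SourceDomain = 'red.com'
$TargetDomain = 'green.com'

function Test-SecondaryZone {
    param([string]$Zone)
    # dnscmd /EnumZones lists every zone on this server with its type
    $zones = & dnscmd /EnumZones 2>&1
    $line  = $zones | Where-Object { $_ -match ('^\s*' + [regex]::Escape($Zone) + '\s') }
    [bool]($line -and $line -match 'Secondary')
}

function Test-NameResolution {
    param([string]$Zone)
    try {
        # The zone apex of an AD domain resolves to its domain controllers
        (([System.Net.Dns]::GetHostAddresses($Zone)).Count -gt 0)
    } catch { $false }
}

function Test-Trust {
    param([string]$Trusting, [string]$Trusted)
    # netdom returns a non-zero exit code when the trust cannot be verified
    & netdom trust $Trusting /domain:$Trusted /verify | Out-Null
    ($LASTEXITCODE -eq 0)
}

New-Object PSObject -Property @{
    SecondaryZonePresent = Test-SecondaryZone  $SourceDomain
    SourceDomainResolves = Test-NameResolution $SourceDomain
    TrustToSourceOk      = Test-Trust $TargetDomain $SourceDomain
    TrustFromSourceOk    = Test-Trust $SourceDomain $TargetDomain
}
```

Run the same script on the red.com domain controller with the two domain variables swapped to cover step 7 of the DNS section and the incoming side of the trust.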

I hope you like this part of the article; I will soon come up with the other parts.

Clearing some of the confusion behind Exchange 2010 CAS arrays

Found a nice article clearing some of the confusion behind CAS arrays, which can save you a good amount of money and time.

http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx

http://blogs.technet.com/b/exchange/archive/2012/03/28/demystifying-the-cas-array-object-part-2.aspx