Wednesday, August 13, 2008

Transitioning your Active Directory to Windows Server 2008

You might be running Windows Server 2003 and Windows Server 2003 R2 Domain Controllers at the moment and you're looking to replace these servers with Windows Server 2008 Domain Controllers to utilize the new features of Windows Server 2008. You might also be looking to replace your aging Windows Server 2003 and Windows Server 2003 R2 Domain Controllers with spanking new Windows Server 2008 Domain Controllers, while keeping your Active Directory running smoothly.

This post intends to help you with this transition in a structured, balanced and thorough way and describes:

Ways to migrate

Upgrading your Windows Server 2003 Active Directory environment to Windows Server 2008 can be done in three distinct ways:

  • In-place upgrading
    Windows Server 2003 and Windows Server 2003 R2 can both be upgraded in-place to Windows Server 2008, as long as you keep the following in mind:
    • The Windows Server 2003 patchlevel should be at least Service Pack 1
    • You can't upgrade across architectures (x86, x64 & Itanium)
    • Standard Edition can be upgraded to both Standard and Enterprise Edition
    • Enterprise Edition van be upgraded to Enterprise Edition only
    • Datacenter Edition van be upgraded to Datacenter Edition only

In-place upgrading requires you to run adprep.exe before starting the upgrade process on the Domain Controllers. Check this post from Jorge for more information.

  • Transitioning
    Migrating this way means adding Windows Server 2008 Domain Controllers to your existing Active Directory environment. After successfully moving the Flexible Single Master Operations (FSMO) roles you can simply demote the previous Domain Controllers, remove them from the domain and throw them out of the window.

    Transitioning is possible for Active Directory environments which domain functional level is at least Windows 2000 Native.
  • Restructuring
    A third way to go from Windows Server 2003 Domain Controllers to Windows Server 2008 Domain Controllers is restructuring your Active Directory environment. This involves moving all your resources from one (Windows Server 2003) domain to a new and fresh (Windows Server 2008) domain. Using tools like the Active Directory Migration Tool (ADMT) are priceless in these kind of migrations.

Reasons to transition

I feel transitioning is the middle road between the two other ways to migrate to Windows Server 2008:

  • Restructuring means filling a new Active Directory from scratch
  • In-place upgrading means you're stuck with the same hardware and limited to certain upgrade paths
  • Transitioning means you get to keep your current Active Directory lay-out, contents, group policies and schema. Transitioning also means moving to new machines, which can be dimensioned to last another three to five years without trouble.

Transitioning is good when:

  • You worked hard to get your Active Directory in the shape it's in.
  • Your servers are faced with aging.
  • In-place upgrading leaves you with an undesired outcome (for instance 32bit DC's)
  • You need a chance to place your Active Directory files on different partitions/volumes.

When done right your colleagues might not even suspect a thing! The downside is you need to know exactly what you're doing, because things can go wrong pretty fast. that's why I wrote this post.

Steps to transition

Transitioning to Windows Server 2008 Domain Controllers consists of the following steps:

Before you begin

Avoid common mistakes
There is a very good Microsoft Knowledge Base article on Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain, written by community experts. I suggest you read it. (twice) Most of the contents also apply to transitioning from Windows Server 2003 (R2) to Windows Server 2008

Plan your server lifecycle
It's not uncommon for a Domain Controller to sit on your network for a period of five years. I believe you should take this in mind when selecting and buying a server. You should plan your partitions (or volumes) carefully and place the Active Directory files on separate volumes when your needs justify it. The Windows Server catalog helps you pick systems that will run Windows Server 2008 with ease.

Assess your readiness
Microsoft has kindly provided a tool to scan systems to assess whether systems are capable of running Windows Server 2008, whether drivers are available (either from Microsoft update or on the installation media) and what problems you might encounter when deploying Windows server 2008. I recommend checking your systems with this tool, which is called the Microsoft Assessment and Planning Solution Accelerator (MAP for short).

Backups
Make backups of all your Domain Controllers and verify you can restore these backups when needed.

Documentation
It is a good thing to know exactly what you're migrating. When things go wrong you might need to be able to revert back to the old situation. This might require the Directory Services Restore Mode (DSRM) password and credentials for service accounts, which might not be written down anywhere. In multiple Domain Controller, multiple domain, multiple forest and multiple sites scenarios it's very wise to make a table containing the relevant information per Domain Controller in terms of Flexible Single Master Operations (FSMO) roles, Global Catalog placement, domain membership, site membership, replication topology, routing tables, IP addressing, etc.

Communication
When done right your colleagues might not even suspect a thing, but it's important to shed some light on what you're doing. (Make someone) communicate to the end users that you're going to mess with the core of their infrastructure. This might result in colleagues understanding you're (really) busy and might also result in problems being reported fast. Both are good things if you'd ask me...

Prepare your Active Directory environment

Before you can begin to introduce the first Windows Server 2008 Domain Controller into your existing Active Directory environment, you first have to prepare the Active Directory.

Microsoft provides a tool called adprep.exe to facilitate this preparation. You need to run the following commands on the following servers in your Active Directory environment:

Command Domain Controller
adprep.exe /forestprep Schema Master
adprep.exe /domainprep Infrastructure Master
adprep.exe /domainprep /gpprep Infrastructure Master
adprep.exe /rodcprep * Domain Naming Master

* Optional when you want to deploy Read Only Domain Controllers.

After preparing your Active Directory for Windows Server 2008 be sure to check the process. Breadcrumbs to failures may be found in the event viewer, but real men will check the adprep.log files. If your life depends on it, you can use the HowTo Jorge wrote to check forestprep and domainprep succesfully replicated to all Domain controllers.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot Active Directory replication.

Install the first Windows Server 2008 Domain Controller

You could already start installing Windows Server 2008 on a fresh box and make it a member of the domain, while preparing your Active Directory. When you're done preparing your Active Directory you can safely go ahead installing the first Windows Server 2008 Domain Controller by promoting a Windows Server 2008 box to a Domain Controller, using dcpromo.exe.

When running dcpromo.exe make sure you select to make this Domain Controller an extra Domain Controller for the Active Directory domain you're transitioning. Type a secure password for Directory Services Restore Mode (DSRM).

Tip:
Write down the the Directory Services Restore Mode (DSRM) password.

Since each Active Directory Domain Controller stores a copy of the Active Directory information, like users, computers, etc. and the NETLOGON and SYSVOL shares, your new Windows Server 2008 Domain Controller will be open for business after you restarted it to complete the wizard.

Install additional Domain Controllers

Installing additional Windows Server 2008 Domain Controllers is as easy as purchasing them, licensing them, installing them and promoting them. There's really nothing to it: Once you've introduced the first Windows Server 2008 Domain Controller you know how to do it.

If you find installing loads of Domain Controllers is a tedious job you might want to promote servers to Domain Controllers using answer files. When Domain Controllers need to be placed in locations with limited connectivity or bandwidth constraints you might want to explore the Install from Media (IFM) possibilities.

Take care of FSMOs and GCs

Using the Active Directory Sites and Services MMC Snap-in make new Windows Server 2008 Domain Controllers Global Catalog servers appropriately.

Also transfer Flexible Single Master Operations (FSMO) Role to appropriate servers. You can use the Graphical Interface to move the Flexible Single Master Operations (FSMO) from your Windows Server 2003 servers to Windows Server 2008. Another option is using ntdsutil.

In multiple Domain Controller scenarios Jorge has a good rule of thumb on Global Catalogs and the Infrastructure Master Flexible Single Master Operations (FSMO) Role. Either:

  • Don't make the Domain Controller holding the Infrastructure Master Flexible Single Master Operations (FSMO) Role a Global Catalog server;
  • Make all Domain Controllers Global Catalog servers.

When your environment includes Microsoft Exchange Server reboot a Domain Controller after making it a Global Catalog server. Microsoft Exchange communicates with Active Directory through Global Catalogs using MAPI. Although the Active Directory Sites and Services MMC Snap-in doesn't ask for it you need to restart a Domain Controller at least one time after making it a Global Catalog before it starts talking MAPI.

Make sure your Windows Server 2003 Domain Controllers are no longer clinging on to any of the Flexible Single Master Operations (FSMO) Roles using the graphical user interface, using replmon or the following command using netdom.exe from the Resource Kit:

netdom.exe query fsmo

Check proper installation and replication

It is a best practice to review the logs to identify any problems that might have occurred during the promotion. The logs to scrutinize specifically are:

  • dcpromo.log
    All the events regarding the creation and removal of Active Directory, SYSVOL trees and the installation, modification and removal of key services
  • dcpromoui.log
    all the events from a graphical interface perspective

Also check the event viewer.

Allow sufficient time for proper replication to all Domain Controllers. (In large environments with specific replication needs this might take hours.) When you feel all changes have been replicated use the replmon and repadmin tools to check and optionally troubleshoot proper Active Directory replication.

Demote Windows Server 2003 Domain Controllers

I've seen Domain Controllers became the prostitutes of the server room in many environments. Any software that didn't require a dedicated server or was deemed highly dependent on the Active Directory was installed on the Domain Controller. When you're one of the administrators treating their Domain Controllers like that you're going to have a hard time demoting your Domain Controllers. Testing demotions in a separate (virtual) testing environment could give your a clear picture on the behavior of your Windows Server 2003 ex-Domain Controllers though!

From my personal experience I can tell you it's not recommended to demote a Domain Controller when it has Exchange Server or Internet Information Services installed after it was promoted. You're going to have to find another box to install these services on.

When your Windows Server 2003 Domain Controllers are also Domain Name System (DNS) servers it is recommended to change the DNS zones into Active Directory Integrated DNS zones (when possible) so they get replicated to any Domain Controller running the DNS service. Installing the DNS Server role on a Windows Server 2008 would then suffice to migrate DNS settings. Be sure to change the DNS information on your other servers and workstations, before removing DNS servers from your network.

You can safely demote a Domain Controller using the dcpromo.exe command. If you're unsuccessful you might want to try to remove the server from Active Directory the hard way, which Jorge describes here. (leaving out the percussive maintenance option though)

Raise the domain functional level

After you've successfully demoted the last Windows Server 2003 Domain Controller for a specific domain (or you don't feel the need to ever add pre-Windows Server 2008 Domain Controllers to your Active Directory environment) you're ready to raise the Domain functional level of that domain.

Upgrading the domain functional level to Windows Server 2008 adds the following features to your environment:

  • Distributed File System Replication (DFS-R) support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents with minimal replication traffic compared to FRS.
  • Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol.
  • Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
  • Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain, instead of per domain only.

Note:
Raising the functional level is a one way procedure. Once you've raised your domain functional level there's no way to return to the previous domain functional level.

Raising the domain functional level in Windows Server 2008 looks remarkably similar to raising the domain functional level on Windows Server 2003:

  1. Log on to the Domain Controller holding the PDC emulator FSMO role with a user account that is a member of the Domain Administrators group..
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
  4. In Select an available domain functional level, click Windows Server 2008, and then click Raise.

Upgrade the forest functional level

After you've successfully upgraded the domain functional level of all the domains in your Active Directory forest you're ready to upgrade the Forest functional level. This will not add any features, but will result in all domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

Note:
Raising the functional level is a one way procedure. Once you've raised your forest functional level there's no way to return to the previous forest or domain functional levels.

To upgrade the forest functional level to Windows Server 2008 perform the following actions:

  1. Log on to the Domain Controller of the forest root domain holding the PDC Emulator FSMO role with a user account that is a member of the Enterprise Administrators group.
  2. Open Active Directory Domains and Trusts.
  3. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
  4. Under Select an available forest functional level, click Windows Server 2008, and then click Raise.

Concluding

Transition your Active Directory to Windows Server 2008 seems as easy as running adprep and installing Windows Server 2008 Domain Controllers. It might be in small shops with one single Domain Controller in one single Active Directory domain in its own forest with one single Active Directory site.

Be sure to check whether what you're doing is successfully installed, performed and replicated before you screw up your Active Directory environment though!

Monday, July 28, 2008

Migrating from POP/IMAP to Exchange Server 2007 using Microsoft Transport Suite

Introduction

Microsoft released a new version of the Microsoft Transport tool and this new release has new capabilities such as migrating from POP3 and IMAP4 servers to Exchange Server 2007. The process can be summarized in a few steps: create a CSV list with all the mailbox information and import this file into Microsoft Transporter, from there we can choose which accounts will be migrated, time range of the data to be migrated, etc.

In this article series we are going to go through the entire process. We will start with the installation process, how to define permissions to use Microsoft Transporter; and finally migrate some mailboxes from either POP3 (Part 1) or IMAP4 (Part 2) to Exchange Server 2007.

Installing Microsoft Transporter Suite for Internet Mail

The installation process is straightforward, download Microsoft Transporter, the version should be the newest one.

The tool can be installed in either 32bit or 64bit versions of Windows Server 2003, Windows Vista or Windows XP. The software requirements are .Net Framework 2.0, MMC 3.0, PowerShell 1.0 and Exchange Server 2007 SP1.

To install the Microsoft Transporter tool:

On the first screen click on Next.

End-User License Agreement. Click I accept the terms in the License Agreement and click Next.

Select Components and Install Location. In our case we are not going to play with Lotus Domino, then let us install only Transporter for Internet Mail, and then click on Next, as shown in Figure 01.


Figure 01

Ready to install. Just click on Install button to start the Microsoft Transporter installation.

Final screen of the wizard, just click on Finish.

The process is totally straightforward and the Microsoft Transporter Suite can be installed in a workstation or on the Exchange Server 2007 box as well.

Configuring Exchange Server 2007 permissions

In order to migrate from POP3/IMAP4 the user must have the Exchange Recipient Admin and Exchange Impersonation rights in at least a single CAS Server.

To validate if the current user belongs to the Exchange Recipient Admin we can run the following command:

Net user /domain

The user must be part of the Exchange Recipient Admin.

To configure Exchange Impersonation we need to figure out first what the Distinguished Name of the CAS Server is. Run the following Get-ClientAccessServer cmdlet (Figure 02):

Get-ClientAccessServer | select name,distinguishedname | fl


Figure 02

The Exchange Impersonate permission can be assigned to a single CAS Server or all of them, if we are going to specify the CAS during the mailbox migration wizard. To add the permission use the Add-ADPermission cmdlet (Figure 03), using the following syntax:

Add-ADPermission –Identity -User -ExtendedRights ms-Exch-EPI-Impersonation

In Figure 03 we will use the cmdlet syntax above with an extra parameter, that is –Whatif, which will simulate the action that would be performed by the cmdlet. If everything goes well, we can remove the –WhatIf and run the cmdlet again. In our example, we added it to a single CAS Server.


Figure 03

Generating the .CSV file to be used by Microsoft Transporter

We will now move data from a generic POP3 Server to Exchange Server 2007, in order to accomplish this task we have to create a .CSV file with the following columns:

  • SourceIdentity: The e-mail account that the user has in the POP3 Server
  • SourceServer: The name or IP of the POP3 Server
  • SourceLoginID: the account user name used to connect on the POP3 server
  • SourcePassword: the user’s password
  • TargetIdentity: the Exchange Server 2007 identity will receive the data from the previous POP3 Server settings

We can create a .csv file directly in notepad or we can use Microsoft Excel to do this. Our list with some users can be seen in Figure 04.


Figure 04

The TargetIdentity must exist before using the Microsoft Transporter tool, the value of TargetIdentity can be any e-mail address (Primary or secondary). We can use the same CSV file to create the users or mailboxes in case of a new environment. To create objects using a CSV file please see this article on how to manage mailboxes in Exchange Server 2007.

Migrating from POP3 Server to Exchange Server 2007

Next, we are going to copy content from a generic POP3 Server to Exchange Server 2007. The user list was created in the previous section and now we are going to import them into the tool and use the migration wizard later on in order to copy the content. Before starting the copy we will see the current information that a user has in the generic server which supports POP3 (Figure 05).


Figure 05

Okay, now we know the content that we are going to move, let us use the Microsoft Transport to copy the content:

  1. Open Microsoft Transporter Suite for Internet Mailboxes.
  2. In the main screen click on Add Mailboxes... button. (Figure 06)


Figure 06

  1. Add Mailboxes. Select the CSV file created in the Excel and click on Import. (Figure 07)


Figure 07

  1. Security Warning. A message informing us that the password information contained in the CSV will be stored in a file called InternetMailbox.tbin. Just click OK.
  2. On the main screen we have three different views to work with: All Mailboxes, Mailboxes Ready for Migration and Mailboxes Already Migrated. Let us click on All Mailboxes to see all the mailboxes imported from the CSV file and let us start the migration of a single user, click on a single user and click on Migrated Selected Mailboxes. (Figure 08)


Figure 08

  1. Select Mailbox Type. Select POP and we are not going to use a secure connection to the POP3 Server (995 SSL), we also going to specify which CAS (Client Access Server) and in our case that CAS was the only one that we gave Exchange Impersonate permissions. Click on Next. (Figure 09)


Figure 09

  1. Select Data Range. We can specify a time range to migrate from the POP3 server to Exchange Server 2007. We will get all the content, click on All e-mail and click on Next. (Figure 10)


Figure 10

  1. Review Selected Mailboxes. A summary is shown. Just click on Migrate.
  2. Migration Complete. The final page displaying the migrated data, just click on Finish.

Now, it is time to test if our migration went well. Log in using the user Anderson Patricio (the same user whose mailbox was on the generic POP3 server) and we can validate that the current content in OWA is the same as the POP3 server (Figure 11). Microsoft Transporter preserves the following characteristics: attachments, rich content, status information (read or unread).


Figure 11

Migrating from an IMAP4 server

The wizard used by Microsoft Transporter Suite for Internal Mail to copy data from an IMAP4 server to Exchange Server 2007 is a little bit different from the process performed in the first article. Using an IMAP4 Server as source we are able to configure two new items: Folder Mapping and IMAP4 authentication.

Let’s start the process:

  1. Open Microsoft Transpoter.
  2. All the mailboxes imported from the .CSV file will be listed in All Mailboxes item. We can click on the Mailboxes Ready for Migration item which will show all mailboxes ready to be migrated from the CSV file(s). Select a couple of mailboxes and click on the Migrated Selected Mailboxes item located on Toolbox Actions
  3. Select Mailbox Type. Let’s migrate our users using the IMAP protocol, and tick the two check boxes: the first to not use SSL to copy data (If you have a server that supports SSL tick this one) and we are going to specify the CAS Server. Click on Next.
    Note:
    The account that is running the wizard must have Exchange Impersonation rights on the CAS server as we have seen in the first article.


Figure 01

  1. IMAP Folder Mapping. This is the first new feature when we use the IMAP protocol. For now we are going to leave the default setting which is use the default folder mapping and click on Next. In the next section we will validate how to change some settings to manage folders from the source server during the migration using an XML file called FolderMap.xml. (Figure 02)


Figure 02

  1. IMAP Authentication. This is the second new feature using IMAP. Microsoft Transporter is able to use a single account to authenticate against the IMAP server and copy data to Exchange Server. This account must have administrator credentials to log in to all accounts selected for migration on Microsoft Transporter. We are going to explain this new feature in the next section, for now let’s leave the default settings and click on Next. (Figure 03)


Figure 03

  1. Select Data Range. We can define either a range or All e-mail to copy messages from the source IMAP Server. (Figure 04)


Figure 04

  1. Review Selected Mailboxes. An overview will be shown, just click on Migrate to start the copy from the source IMAP server.

After this process we will be able to see all the messages, calendar, notes, Tasks in the Exchange server 2007 mailboxes.

Using the Administration Credential feature

When the IMAP protocol is used and the source server has the ability to allow an account to access another user’s mailboxes, then we can use that specific account to log in to the source server to migrate the data, as shown in Figure 05.


Figure 05

If we are going to use this resource we do not need to add the column SourcePassword into the CSV file because that password will not be used.

Using Mapping folders

Microsoft Transporter can use an XML file to match the IMAP source folders with the Exchange Server 2007 default folders. During the Microsoft Transporter installation a file called Foldermap.xml that can be found at c:\program files\Microsoft Transporter tools\Config is installed. We can use this file to create our own definitions. For example: if the source mailbox receives all new messages in a folder called New Items we are able to associate this folder to match with the default folder Inbox.

The default mapping table has these definitions:

Folder on IMAP Server

Folder on Exchange Server 2007

Inbox, New Mail, [Root]

Inbox

Outbox

Outbox

Sent Items, Sent Mail, Sent

Sent Items

Drafts, Draft

Drafts

Deleted Items, Trash

Deleted Items

Junk E-mail, Spam

Junk E-mail

Contacts

Migration Items\Contacts

Journal

Journal

Tasks

Migration Items\Tasks

Notes

Notes

Calendar

Calendar

Table 01: This table can be found in the Microsoft Transport help file

If a different folder exists in the source server it will be created in the Exchange Server 2007 mailbox, if the folder already exists in the Exchange Server 2007 mailbox the content will be merged. Let’s use a couple of scenarios to demonstrate how to use the mapping folder feature.

To configure a custom folder mapping file click on Use a custom folder mapping in the wizard section named IMAP Folder Mapping, as shown in Figure 06.


Figure 06

Scenario 01: The user below (Figure 07) has a folder named Projects on the IMAP4 server. If we run the Microsoft Transporter Wizard that folder will be created automatically in the user’s mailbox.


Figure 07

Let’s create a copy of the file Foldermap.xml and save it as CustomFolderMap.xml and add the following parameters to that file (see Figure 08). That parameter will redirect all the information located in the Project folder of the source mailbox to the Exchange Server 2007 mailboxes in subfolder Projects folder under the Inbox folder.


Figure 08

Scenario 02: In this second scenario we do not want to move the contents of the source folder Projects. For this scenario we can add the following parameters into our XML file.



Using the example above the folder Project will not be created in the destination mailboxes.

Conclusion

In this final article we have seen how to use the Microsoft Transporter Suite for Internet Mail to copy data from POP/IMAP servers to Exchange Server 2007. We also saw how to configure extra options that can be used with IMAP protocols, such as: using an administrator account to move all users without knowing the user’s password and how to use a file to map folders from the source server to Exchange Server 2007.

Saturday, July 26, 2008

Load Balancing Exchange 2007 Client Access Servers using Windows Network Load-Balancing Technology

What is Network Load Balancing and how does it Work?

Network Load Balancing (NLB) technology can be used to distribute client requests across a set of servers. Windows NLB is often used to ensure that stateless applications such as IIS-based web servers can be scaled out by adding additional servers as client load increases. Doing so makes sure that clients always experience acceptable performance levels. In addition, it reduces downtime caused by a malfunctioning server as the end-users will never know that a particular member server in the Windows NLB is or has been down.

Windows NLB clusters can provide scalability for services and applications based both on TCP and UDP. On top of that you can have up to 32 servers in a Windows-based NLB cluster.

Windows NLB is included in both the Windows Server 2003 Standard and Enterprise edition (even the Web edition includes this component), and because Windows NLB is a standard component, it does not require you to use any special or specific server hardware for each member server in the NLB cluster.

When Windows NLB has been properly configured, all servers in the NLB cluster are represented by a single virtual IP address and by a fully qualified domain name (FQDN). When a client request comes in, it will be sent to all servers in the Windows NLB cluster. The client will then be mapped to a particular server and the request to the other servers will be dropped. Having said that, you can use affinity to direct specific client request to particular member servers. You can even configure each member server with a priority.

Figure 1.1 below shows a very simple setup consisting of two Exchange 2007 Client Access servers configured in a Windows NLB. Both Client Access servers accept the client requests and send them to the respective back-end servers depending on the type of request.


Figure 1.1: Load-Balanced Exchange 2007 Client Access Server topology

Unicast and Multicast Mode

A Windows NLB cluster can be configured in either unicast or multicast mode, where unicast is the default mode.

Unicast Mode
With the WNLB cluster configured in unicast mode, the MAC address of each server’s network adapter will be changed to a virtual cluster MAC address, which is the MAC address that will be used by all servers in the Windows NLB cluster. When unicast mode is enabled, clients can only connect to the servers using the cluster MAC address.

Multicast mode
With the Windows NLB cluster configured in multicast mode, a multicast MAC address is added to the cluster adapter of each server in the cluster. Note that I write “is added”, as each server will retain their original MAC addresses.

A Windows NLB cluster, no matter what mode it is configured in, works with just a single network adapter installed in each server, but it is recommended to install a second network adapter in each server, in order to achieve optimal performance, and to separate ordinary and cluster related network traffic.

So what mode should I use for my Exchange 2007 Client Access solution and how many network adapters should I install in each Client Access server? Well, best practice recommendations are to install two network adapters and use unicast mode, so that the host and cluster network traffic are each separated in their own respective network adapter.

Note:
In addition to Windows NLB, you also have the option to use DNS round robin mechanisms to load balance the Client Access servers in your Exchange 2007 messaging environment, but the Windows NLB is recommended over DNS round robin as the latter only provides a minimum level of fault tolerance. The reason being that if a particular Client Access server does not respond to client requests, the client requests must be repeated until a server responds as information about client connections and unavailable Client Access servers are not maintained. Because the Windows NLB component is included in both the Windows Server 2003 Standard and Enterprise edition, there is really no excuse for choosing DNS round robin over WNLB.

Although the above might make it sound complex and time consuming to deploy a Windows NLB-based load-balancing solution, it is actually relatively easily to accomplish, as I will show you throughout this article series.

Purpose of the Client Access Server

Before we dive into the configuration part of Windows NLB clusters, I thought it would be a good idea to give you a brief description of what purpose Client Access servers have. This will give you a better understanding of why it is important to load-balance this Exchange 2007 server role.

The Client Access Server replaces the front-end server we know from Exchange 2000 and 2003 and adds some additional functionality. The Client Access server provides mailbox access for all types of Exchange clients except Outlook MAPI clients, which as most of you are aware, connect directly to the Mailbox Server. This means the Client Access server manages access for any user who accesses their mailbox using Outlook Anywhere (formerly known as RPC over HTTP), Outlook Web Access (OWA), Exchange ActiveSync (EAS), POP3 and last but not least IMAP4.

In addition to providing client access, the Client Access server is also responsible for providing access to things such as automatic profile configuration, free/busy information, Out of Office (OOF) messages, the Offline Address Book (OAB) as well as Unified Messaging (UM), but only with respect to Outlook 2007 and Outlook Web Access 2007 (and Windows Mobile 6.0 devices sometime in the future). These are the only two clients, which can take advantage of the new web-based Exchange Autodiscover and Availability service, which are responsible for providing access to the above mentioned client features.

Note:
Legacy clients such as Outlook 2003 and earlier, and Windows mobile 5.0 devices cannot use Autodiscover or availability service.

Prerequisites

If you want to deploy the solution explained in this article series in your own lab environment, you will need the following:

  • 1 server acting as Domain Controller (with the Microsoft CA component installed)
  • 2 servers with the Client Access server roles deployed (two NICs in each)
  • 1 server with the Mailbox and Hub Transport server roles deployed
  • 1 Windows XP/Vista client with Outlook 2007 installed

Depending on your specific hardware specifications, you could install the Mailbox and Hub Transport server roles on the domain controller, but even in lab environments it is a good idea to keep the roles separated.

To get up to speed as quickly as possible, I recommend you use a virtual environment, and make use of a parent disk. This makes it a breeze to get your servers up and running by using linked clones.

You now know what a NLB cluster is all about and can begin to set up your lab environment. This will enable you to be ready for the next part of this article series which will provide you with step-by-step instructions to configure a Windows NLB cluster.

Creating the FQDN for the NLB Cluster in DNS

With the environment up and running, the very first thing you want to do is to create a record for the NLB cluster name in DNS. To do so log on to the domain controller in your Active Directory forest, then open the DNS manager by clicking Start > Run and type dnsmgmt.msc.

Now expand the Forward Lookup Zones container and right-click on the respective forward lookup zone for your Active Directory. On the context menu select New Host (A), then type the name you want to use. As you can see in Figure 2.1, I used MAIL for the purpose of this setup. Then type the IP address you want to use as the Windows NLB cluster IP address (this should be an IP address on the same subnet as the NLB member servers).


Figure 2.1: Creating a DNS Record for the Windows NLB Cluster name in the DNS Manager

Now click Add Host (Figure 2.2) then OK and Done. Close the DNS Manager.


Figure 2.2: Entering the DNS name and IP address

Important:
In order for clients on the Internet to connect to the specified Internet name, you must also create a record on the DNS servers hosting your domain. This task is typically done on the DNS servers located at your ISP.

Configuring the Network Settings

Although not necessary (as explained earlier), we will use unicast mode with two network adapters installed in this setup (this gives us the most optimal performance). To configure the second network adapter in each Exchange 2007 Client Access server, open Network Connections and give each LAN connection a meaningful name as shown in Figure 2.3.


Figure 2.3: Naming the Network Connections

Now open the Property page for the NLB LAN adapter, then configure the TCP/IP settings as shown in Figure 2.4. As you can see you should only specify an IP address and a Subnet mask. When ready click OK.


Figure 2.4: Configuring the TCP/IP Settings for the NLB LAN

We now have to change the binding order for the network connections. This is done by clicking Advanced > Advanced Settings in the Network Connections window shown back in Figure 2.3. Under the Adapters and Bindings tab, make sure the Public LAN connection is listed first as shown in Figure 2.5 then click OK.


Figure 2.5: Changing the binding order for the Network Connections

Enabling Network Load Balancing on the First Client Access Server

Okay it is time to enable NLB on the first Client Access server in our setup. This can be done via the property page of the network adapter, or by using the Network Load Balancing Manager. I will enable it via the property page of the network adapter, and then add the second Client Access server to the NLB cluster in the next section. So let us open the property page of the NLB LAN adapter, then check Network Load Balancing as shown in Figure 2.6. With Network Load Balancing selected click the Properties button.


Figure 2.6: Enabling Network Load Balancing

Under the Cluster Parameters tab (Figure 2.7), enter the IP address, subnet mask and full Internet name for the NLB cluster. Next make sure Unicast is selected under Cluster operation mode.


Figure 2.7: Configuring the Cluster Parameters

Now, click the Host Parameters tab and enter the IP address and subnet mask configured for the network adapter (Figure 2.8). Let the other settings stay at default.


Figure 2.8: Configuring the Host Parameters

Click the Port Rules tab then select the default port rule and click Remove.

We now need to add a port rule for each of the ports the NLB cluster should accept client requests on. To do so, click the Add button, then enter the respective port under Port range (Figure 2.9). Also make sure Affinity is set to Single. Finally click OK to add the port rule.


Figure 2.9: Configuring the NLB Cluster Port Rules

Do this for each required port, so you get a list of rules similar to what is shown in Figure 2.10 depending on what client access services you want to allow in your organization.

Note:
If you support other types of Internet clients such as POP3 and IMAP4, you would also need to add port 110 and 143 respectively.


Figure 2.10:
List of Configured Port Rules

Click OK and OK again to the Information message you receive (Figure 2.11).


Figure 2.11: Informational dialog box

Now add the new virtual cluster IP address under the TCP/IP property page of the network adapter as shown in Figure 2.12.


Figure 2.12: Adding the NLB Cluster IP Address on the TCP/IP Settings Page

Finally click Add then OK

We have now set up a Windows NLB cluster with one member server.

Adding the Second Client Access Server to the NLB Cluster

What good is a NLB cluster with only one member server? Correct, not very good. So let us add the second Exchange 2007 Client Access server to the cluster as well. To do so open the Network Load Balancing Manager by clicking Start > Run and typing NLBMGR.EXE (or click Administrative Tools > Network Load Balancing Manager). This will open the Network Load Balancing Manager shown in Figure 2.13.


Figure 2.13: Network Load Balancing Manager

To add the second server to the NLB cluster, click Cluster in the menu, then Add Host. In the appearing window, type the name of the second Client Access server then hit Connect (Figure 2.14). Select the respective cluster and click Finish.


Figure 2.14: Adding the Second Client Access Server to the NLB Cluster

Next, type the IP address and subnet mask of the network adapter that should be associated with the NLB cluster then click Finish (Figure 2.15).


Figure 2.15: Configuring the Host Parameter Settings for the Second Client Access Server

Now wait for a little while in order for the server to be added and configured accordingly (Figure 2.16).


Figure 2.16: Second Client Access Server added to the NLB Cluster

Close the Network Load Balancing Manager.

We have now load-balanced the two Client Access servers in our lab environment. But there are still quite a few configuration steps to do.

Testing the Load-Balanced Client Access Server Setup

Before we continue with the remaining configuration steps, now would be a good time to test whether we have an NLB cluster that works as expected. To do so, open a browser on one of the servers or a client if you prefer, then type the FQDN for the NLB Cluster, in my setup this is https://mail.ehlo.dk/owa. As can be seen in Figure 3.1 below, we’ll get a couple of security alerts, since we’re trying to access OWA 2007 via the NLB cluster name. This is because the FQDN isn’t included in the self-signed SSL certificate that is installed on each Client Access server during the Exchange 2007 setup. We’ll fix this problem later, for now let’s just click Yes.


Figure 3.1: Certificate Security Warning

The familiar OWA 2007 forms-based authentication logon page will now appear, and we can access OWA by logging on with a username and password as shown in Figure 3.2.


Figure 3.2: OWA 2007 Forms-based Logon Page

Because of the certificates issue, Exchange ActiveSync and Outlook Anywhere will not work yet, so there’s no reason to test access from those clients at this stage (we will do so later in the article).

Simulating Downtime of the First Node in the NLB Cluster

Accessing OWA 2007 using the NLB cluster name didn’t show us much else than that we were able to connect to the first Client Access server in our NLB cluster. To test whether the single point of failure that exists in organizations with only one Client Access server deployed have been eliminated, let’s try to simulate a malfunctioning Client Access server. We can do this by disabling the NLB LAN network adapter on the first server as shown in Figure 3.3.

Note:
The NLB LAN adapter should be disabled on the first Client Access server in the NLB cluster as this is the server that has the highest priority. Also note that if you’re connected to this Client Access server using a remote desktop connection, you’ll get disconnected.


Figure 3.3: Disabling the LAN Connection

With the network adapter disabled, let’s try to access OWA 2007 once again. If the NLB cluster has been configured correctly, a nice OWA 2007 forms-based logon page should appear and things looks good so far.

With that we can conclude the NLB cluster works as expected.

Considerations when running the Hub Transport Server role on the NLB Cluster Nodes

For economical reasons, many organizations choose to install both the Client Access and Hub Transport server roles on the same physical boxes in order to keep the total number of Exchange 2007 servers as low as possible. If you plan on following a similar approach, and at the same time want to load-balance the Client Access servers using NLB, you must make sure SMTP (and if used secure SMTP aka TLS) are excluded under the Port Rules tab on the NLB property page (Figure 3.4). The reason for this is that Exchange 2007 Hub Transport servers have been designed with resiliency built in (that is if one Hub Transport server doesn’t respond to an SMTP connection, another Hub Transport server in the site will respond), and therefore shouldn’t be load-balanced using NLB.

Important Note:
If you use other ports for SMTP communication, these should also be excluded in the NLB cluster configuration.

Warning!
Although configuring the Client Access server role in a Windows NLB on servers with both the Client Access and Hub Transport server roles works perfectly, the scenario is unsupported by Microsoft. The reason is this scenario wasn’t tested extensively using the Exchange 2007 RTM version. It will instead be supported with Exchange Server 2007 SP1.


Figure 3.4: Port Rules Definitions

Creating a new SSL certificate on the First Node

Because the FQDN used to access the Client Access servers in our NLB cluster doesn’t match the FQDN specified in the common name field nor the subject alternative names field in the default self-signed SSL certificate that automatically is installed on each Client Access server during Exchange 2007 setup (Figure 3.5 and 3.6), we must create a new certificate.


Figure 3.5: Subject Alternative Names on CAS01 Certificate Property page


Figure 3.6: Subject Alternative Names on CAS01 via the Exchange Management Shell

For the purpose of this article series, we’ll generate a new certificate using an internal Microsoft certificate authority server, but in a corporate production environment, you would in most situations want to submit the certificate request to a 3rd party certificate authority.

Note:
Because we need a certificate in which multiple FQDNs have to be specified, we must use a subject alternative name (SAN) certificate. At the time of this writing only a handful 3rd party CAs offer these types of certificates, most of which are listed in the following KB article: http://support.microsoft.com/kb/929395.

As we’re going to generate a request for a new SAN certificate, we must use the New-ExchangeCertificate cmdlet for this purpose, as the IIS Manager isn’t capable of creating requests for SAN certificates. To do this launch the Exchange Management Shell, then type the following command (replace the names with your own):

New-ExchangeCertificate –GenerateRequest –SubjectName “C=dk, O=EHLO organization, CN=mailehlo.dk” –DomainName mail.ehlo.dk, autodiscover.ehlo.dk, cas01.ehlo.dk, cas02.ehlo.dk –FriendlyName “CAS SAN Certificate” –KeySize 1024 –Path c:\CAS_SAN_cert.req –PrivateKeyExportable:$true

After hitting Enter, the thumbprint for the new certificate request will be listed as shown in Figure 3.7.


Figure 3.7: Generating a request for a new SAN Certificate

Submitting the SAN Certificate to a Microsoft Certificate Authority

With the SAN SSL certificate request generated, we can submit it to our Microsoft CA, or almost that is. The reason I why I say so, is because by default a Microsoft CA cannot handle certificates with the SAN field properly. To fix this issue log on to the Domain Controller and open a command prompt window, then type the following command:

Certutil –setreg policy\EditFlags –EDITF_ATTRIBUTESUBJECTALTNAME2

After hitting Enter, you should see the old and new value as in Figure 3.8.


Figure 3.8: Changing the EditFlags on the Microsoft CA

Now restart Certificate Services (CertSVC) service on the Microsoft CA server (Domain Controller) in order to have the changes applied (Figure 3.9).


Figure 3.9: Restarting the Microsoft Certificate Service

We’re now ready to submit the certificate request to the Microsoft CA. One way to do this is to open a browser and type http://dc_name/certsrv. On the Welcome page, click Request a certificate (Figure 3.10).


Figure 3.10: Microsoft Certificates Welcome page

On the Request a Certificate page, click advanced certificate request (Figure 3.11).


Figure 3.11: Requesting a Certificate

On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file (Figure 3.12).


Figure 3.12: Selecting the second option on the Advanced Certificate Request page

Now paste the content of the certificate request file into the Base-64-encoded window as shown in Figure 3.13. Then select Web Server in the certificate template drop-down menu and click Submit.


Figure 3.13: Submitting the Certificate Request

The certificate has been issued and you can download a DER or Base 64 encoded version by clicking Download certificate or Download certificate chain. Let’s select Base 64 encoded followed by clicking Download certificate chain (Figure 3.14).


Figure 3.14: Downloading the issued Certificate

It’s time to import the issued certificate using the Import-ExchangeCertificate cmdlet. We do this by typing the following command:

Import-ExchangeCertificate –Path c:\certnew.p7b

The certificate has now been imported to the personal certificate store.


Figure 3.15

To verify the certificate looks like expected, let’s now type the following command:

Get-ExchangeCertificate -Thumbprint | FL


Figure 3.16: SAN Certificate - Detailed Information

Finally we need to enable the certificate for the client services, our end-users will use to connect to their mailboxes. In this setup I’ll enable the certificate for OWA, EAS, Outlook Anywhere, POP3 and IMAP4. To do so we need to type:

Enable-ExchangeCertificate –Thumbprint -Services “IIS, POP, IMAP”


Figure 3.17:
Enabling the SAN certificate

The certificate has now been enabled for these services but only on the first Client Access server in our NLB cluster.

Importing and Enabling the SAN SSL certificate on the Second Client Access Server in the NLB Cluster

To import the SAN certificate on the second Client Access server in the NLB cluster, we first need to export it from the first Client Access server. When doing so, we need to make sure we export the certificate with its private key. This is done by opening the Certificates snap-in. To open the Certicates snap-in, click Start > Run and type mmc.exe to first open an empty MMC window. Now click File > Add/Remove Snap-in > Add > Select Certificates > Click Add > Select Computer Account > Click Next > Finish > Close and finally OK. Expand Certificates (Local Computer) > Personal, then right-click on the certificate that should be exported. On the context appearing menu, select All Tasks > Export (Figure 3.18).


Figure 3.18: Selecting Export on the Context Menu

In the Certificate Export Wizard, click Next. On the Export Private Key page, select Yes, export the private key as shown in Figure 3.19 then click Next.


Figure 3.19: Exporting the private key

On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX) and tick Include all certificates in the certificates path if possible as shown in Figure 3.20. Click Next.


Figure 3.20: Selecting the format to use

Enter a password and click Next (Figure 3.21).

Note:
Make sure you remember this password as you need it when importing it on the second Client Access server.


Figure 3.21: Enter a password in order to protect the private key

Now specify the path to where you want to save the .PFX file (Figure 3.22), then click Next.


Figure 3.22: Specifying the path for the .PFX file

Finally click Finish.

Okay with the certificate exported, let’s copy it to the C: drive of the second Client Access server, and then open the Exchange Management Shell on that server. To import the certificate, type the following command:

Import-ExchangeCertificate –Path c:\exported_cert.pfx –Password:(Get-Credential).password

When pressing Enter, you’ll be prompted for the password you specified earlier on as shown Figure 3.23. It doesn’t matter what username you specify as this isn’t used in this type of authentication.


Figure 3.23: Importing the certificate

After clicking OK, the certificate has been imported (Figure 3.24).


Figure 3.24: Certficate imported

Now copy the certificate thumbprint to the clipboard, then enable the certificate for the required services by typing the following command (just like we did on the first Client Access server):

Enable-ExchangeCertificate –Thumbprint -Services “IIS, POP, IMAP”


Figure 3.25: Enabling the SAN certificate on the second Client Access Server

The SAN certificate has now been properly enabled on both servers, and if the clients trust the root CA from our internal Microsoft CA, we should no longer get security warnings, when accessing OWA via the NLB cluster name as shown in Figure 3.26.


Figure 3.26: Accessing OWA 2007 without security warnings

Testing Outlook 2007 Connectivity

Now that we have verified OWA 2007 access works as expected, let’s move on and test connectivity using Outlook 2007. In order to do so, let’s switch to the client machine and launch Outlook 2007. On the Auto Account Setup page, enter the name, E-mail address and password for a mailbox-enabled user in your setup then click Next.


Figure 3.27

Using the Exchange 2007 Autodiscover service, Outlook 2007 will now try to configure your Outlook profile settings automatically. If everything goes well, the configuration should complete within a minute and you should see a screen similar to the one shown in Figure 3.28.

Note:
If the client doesn’t trust the root CA certificate, you’ll get one or two security warnings during this process.


Figure 3.28: Outlook configuration completed successfully

Now that the Outlook profile has been configured properly, click Finish in order launch Outlook 2007. With Outlook open, let’s see whether the autodiscover service works properly. We can do this by right-clicking on the Outlook icon in the System tray, while holding down the CTRL key, then in the context menu selecting Test E-Mail AutoConfiguration. On the Test E-mail AutoConfiguration page, enter your E-mail address and password, then clear Use Guesssmart and Secure Guesssmart Authentication and click Test.

After a little while, you will be informed whether the URLs to the different Outlook features, that are dependent on the Autodiscover service, are valid and working correctly. As can be seen in Figure 3.29, Outlook AutoConfiguration, Out of Office (OOF), the Offline Address Book (OAB) and Unified Messaging are all dependent on the Autodiscover service.


Figure 3.29: Autodiscover dependent features works as expected

If we click on the XML tab, we can see the content of the Autodiscover XML file used by the respective Outlook profile (Figure 3.30).


Figure 3.30:
Autodiscover XML file used by the Outlook profile

Testing Exchange ActiveSync Connectivity

In this article we won’t use a Windows Mobile device to test whether Exchange ActiveSync (EAS) works as expected. Instead we’ll use the Test-ActiveSyncConnectivity cmdlet which allows us to simulate a full synchronization from a Windows mobile device against a specified mailbox.

To test Exchange ActiveSync connectivity via a specific Client Access server type:

Test-ActiveSyncConnectivity –ClientAccessServer

As can be seen in Figure 3.31 below Exchange ActiveSync connectivity to a mailbox works fine via both Client Access servers (the latency is of course not acceptable, but this is a test lab).


Figure 3.31: Testing Exchange ActiveSync Connectivity

For more detailed test results type:

Test-ActiveSyncConnectivity –ClientAccessServer | FL

Okay we have reached the end of part three, which was the last in this three part article series on how you deploy Client Access server in a NLB setup, install valid SAN certificates and finally test client connectivity. I hoped you enjoyed it!