.: Enow Solutions Engine: March 2010

Tuesday, March 30, 2010

All for one and one for all: The key to a successful Office Communications Server Deployment

By: Mahmoud Magdy

One of the key factors to ensuring a successful Exchange/OCS deployment is that the certificates and DNS configurations must be setup correctly. I can say that more than 90% of the issues I troubleshoot in Exchange/OCS implementations can be traced back to Certificates and DNS issues.

Exchange and OCS heavily rely on Certificates as a key element of secure infrastructure deployment by using MTLS and TLS. The challenge is that implementing the certificate is confusing and comes with a price.

In this post we will investigate how to overcome these challenges and how you can use a single certificate for our Exchange/OCS deployment. Let us cut to the chase and go to the cool stuff.

Exchange and SSL -- an old story I have to tell:

Exchange started using SSL certificates when Exchange 2003 was introduced. At that time things were simple. To implement the certificate, all you had to do was create a certificate with a single name, for example (mail.domain.com), where it resolved to the External IP that was Nat’d to the Front End Server IP or Virtual IP if you were using several FEs.

As we all know, implementing certificates in Exchange 2007/2010 is more complicated and cumbersome. Now we have your standard mail.domain.com and the new introduced autodiscover.domain.com to deal with. This change also created the need for UCC certificates.

UCC certificates allow multiple names to be included in the certificate. This type of certificate is commonly called a SAN (Subject Alternative Names). For those of you who have worked with ISA 2004 or 2006 this may recall some nightmares as these certificates were not supported.

In order to publish a website over SSL, the “to” field in the ISA publishing rule had to match the certificate’s common name or (subject name), or you would get the famous (the targeted principle name is not correct) error. So we had to use 2 certificates in order to work around that, or use a single certificate, but not use ISA to publish Exchange websites. What a headache!

OCS 2007 R2, like if Exchange is not enough:

When OCS 2007 R2 was introduced, more changes also needed to be taken into account. In OCS 2007 R1, Microsoft decided to use MTLS for server to server communication and TLS for server to client communication. This meant that you needed to use an internal Certificate Authority (CA) in order to issue certificates for internal servers. Implementing remote access solutions in OCS was not as simple as it was in Exchange because it did not work with internally issued Certificates. In addition, OCS required DNS entries internally that is different than your external DNS records. Is your head spinning yet? Let’s take a closer look at internal DNS records used for a typical OCS 2007 R2 Deployment:

Please note that Those IPs will be VIPs if you use HA deployment. They will be created using HLB (hardware load balancers) since OCS doesn’t support MS WLB.

Note: You can change comp.domain.com to any name you want, just make sure to enter that name in the setup or modify it using LCSCMD command line tool.

Now let us take a look at the external DNS records used by OCS by an external User:

Keep in mind that SIP is used for Edge client access, webcon and AVconf are sample DNS entries that could be changed as they are not hard coded.

Combine it all with Certificates:

Now you have a table that lists all of the DNS names that is required, all you need to do is pull a certificate for each name (duh, that is why I am here writing this post, we want them all in one certificate). You can use single certificate, but let us see first the names that I will need to include in the certificate:

The above table list all the names required for OCS and Exchange, but there are 2 catches here:

SAN certificates are not supported by ISA2004/2006 for SSL publishing, you will have to use ISA 2006 SP1 or TMG since this issue were fixed in both versions.
If you use single certificate for Edge web conference and Edge Access, you will find that Edge server requires that names must be matched between Access/web conference IPs (you will note that in the edge server configuration wizard, you will be able to change the name, but it will not take effect), so the name must be matched, thus the same IP must be used so you will have to change the ports between access and web conference (in typical configuration Access/Web conf will use port 443, since OC clients are hard coded to try to use port 443, so you will have to change the web conf port to any other port, use 444 for simplification).

The final note has 2 catches:

444 is a non standard port so you might have to adjust your firewall.

If you want to use port 443, then use a separate certificate for the Web Conference edge server IP.

You might wonder how I can change the port of the web conference without affecting the information worker, well the following diagram elaborates how web conference tokens are created:

The story begins when an external user clicks on the conference link (this external user is either domain user or anonymous user), then the following occurs:

The users access the Access Edge server and to get authenticated (Kerberos, NTLM for domain users or digest for anonymous users).

The front End server component contacts the web conf server component, AV component, Web component to add the user to the WEB MCU and AV MCU.

Pay attention in this step please, the user gets back an authentication token and configuration cookies that has the web conf edge/AV conf edge configuration and this is where the client gets notified about the ports used by the edge servers.

So as you can see web conf and AV conf ports are not hard coded, but are passed to the user in the config tokens.

Please note the web conf, front end and AV conf servers are located in the same box, but they were separated to elaborate how they work internally.

Avoid this common mistake:

One of the most common mistakes that we encounter in OCS implementations is seeing the FQDN for the AV authentication server and the port set to 443. This is not correct and will result in calling errors on the Office Communicator client. Please make sure that the AV authentication service uses port 5062.

Now after tons of notes, let’s make our final names table:

If you follow the suggestions listed in this article you will be able to use a single certificate for Exchange and OCS. Please note that I did not cover the internal edge certificate and pool certificate names as they are fairly simple to implement.

To help you, I have created my own Exchange/OCS certificate and DNS calculator. Please note this calculator is not supported by Microsoft and you should verify your configuration with a professional OCS/Exchange consultant. The calculator is very simple to use. All you will have to do is enter the OCS sip domain, host names used by edge server, OCS server type either (standard or enterprise) and DNS names and the certificate configuration will be created for you automatically.

To download the calculator, please use the link and credentials below:

Exchange/OCS Calculator:

http://support.enowzone.com/Downloads/OCS-DNS-Certificate-calculator-V1.4.xlsx

Credentials:
Username: enowzone\ese

Password: Tool4you

I hope that in this post I was able to help you out in your deployment and eliminate the confusion caused by using a single certificate for OCS and Exchange. Have a nice deployment and see you next time . . . !

Labels: Exchange Support, Exchange Tips, Office Communications Server R2

Monday, March 15, 2010

Migrating to Exchange 2010 Part 1: Preparing your Exchange environment

By Ismail Mohammed

Thinking about migrating to Exchange 2010? Wondering what you need to do to get your environment prepped for the big leap? This article series will teach you everything you need to know before upgrading to 2010.

In Part 1 of this series, you will receive step-by-step instructions for utilizing the Exchange Server Deployment Assistant – a very helpful pre-installation utility from Microsoft that will ensure you are ready to migrate your messaging platform. This tool will be used during the pre-deployment phase to ensure that you are considering all necessary factors before installing Exchange 2010 Server. These points of consideration include Active Directory Prerequisite concerns, Operating System requirements, Firewall Rules, Certificate Configurations and Server side prerequisites.

Why do I need the Deployment Assistant?

The reasoning behind the use of this tool is very simple. Sometimes the implementer or designer forgets the basic requirements needed for achieving successful implementations. If such requirements are left unattended, the implementer could waste his or her time trying to identify the root cause of the problem – a process which can turn into a major task.

How does it work?

The Exchange Server 2010 Deployment Assistant is an advanced version of the Exchange 2003 setup.htm file. Exchange 2003 setup.htm file is server level html, and provides instructions for how to complete the prerequisites for the installation of Exchange 2003. By adopting this URL-based tool, you are not only taking care of prerequisites on the server side, but you are also looking into Active Directory prerequisites as well. Plus, it will teach you how to implement additional configurations based on the Exchange Server Role, like how to install Exchange Server Role, finalize Certificate configuration details and the Help file as well.

The primary advantage of this tool is that it does not force you to go through thousands of pages to cross-check the basic prerequisites. Moreover, it reduces the risks of human error. Since this is purely a URL-based tool, simple click the link below – no installation is required.

Click here

This tool has been created based on the following scenarios, including:

Upgrade from Exchange 2003
Upgrade from Exchange 2007
Upgrade from Exchange 2003 and Exchange 2007
New Installation of Exchange 2010

Figure 1:

When you click on any of the options, it will take you to a series of questions. For our tutorial, let us assume that I want to do a new installation of Exchange Server 2010, so I will simply click on New Installation of Exchange 2010. Now it will display the set of questions, such as:

Are you planning to configure HTTPS\IMAP\POP?
Are you planning to use public folders in Exchange 2010?
Are you planning to deploy an Edge Transport server role?
Are you planning to deploy a Unified Messaging server role?

Figure 2:

Once you click on Next, you will be asked another set of question based on the answers you provided above regarding your new environment’s infrastructure.

Figure 3:

As per the above screen, you will see Navigate your checklist. This option will teach you how to access the tool, how to customize your answers, and in case any failure occurs, how to return to the section where it was discontinued. When accessing this tool for the first time, it will be beneficial to go through the navigate checklist. Once you are done put a tick mark in the bottom right hand corner and click on next -> which will take you to next step: Confirm the Prerequisite steps are done.

Am I finished yet?

Figure 4:

At this step, the tool will ensure that you are installing the CAS as per the proper guidelines put forth by Microsoft. Moreover, it will contain a link for you to learn more about CAS and an additional link to connect you to the latest Exchange Server 2010 updates. When installing CAS for the first time, I would recommend you follow this step properly to ensure zero errors.

Figure 5:

Add Digital Certificate on the CAS:

This step will show you how to add the digital certificate on the CAS. After that, enable Outlook Anywhere.Once you complete the installation, you can check that post installations tasks were completed, like verifying the installation task, entering product key details, transport post deployment task, etc by referring to Post-Installation Tasks.

Figure 6:

The final step is the Checklist Complete. This will show you the completion status of each task; plus, it will help to provide additional tools like Exbpa and some performance check analyzer information.

Figure 7:

Thanks to Microsoft for releasing such a valuable, easy-to-use tool. I believe it is the perfect pre-deployment utility to ensure you are on the right track for a successful migration to Exchange server 2010.

Now that you have successfully completed all the necessary prerequisites, join us in Part 2 of this series as we introduce another valuable tool that will help you prepare for the next phase of your migration to Microsoft’s latest messaging platform.

Labels: Exchange 2010, Exchange Migration

Tuesday, March 2, 2010

Understanding Exchange 2010 Storage Architecture: Part 3

By Mahmoud Magdy

In Part 1 of this series, we reviewed the Microsoft’s ESE (Extensible Storage Engine), and discussed the new storage enhancements that were introduced in Exchange 2010.

In Part 2, we continued our journey through the Exchange 2010 storage enhancements by exploring the concepts of logical and physical changes to the Microsoft ESE database.

In the final part of this series, we are going to explore some very clever changes Microsoft has made that significantly improves system performance. In this article we are going to take a look at the following areas:

- Read/write Coalescing and page compression
- Cache compression
- Online maintenance

Read/write coalescing and page compressions:
In Part 1 of this series, we noted that database page has been changed from 8 KB in Exchange 2007 to 32 KB in Exchange 2010. How does this change improve performance? Let’s compare how Exchange 2007 and 2010 would handle a 20 KB email item. Exchange 2007 would require 3 separate IOs to read this single email item in comparison to one read operation in Exchange 2010. Please see the following diagram to better understand this concept.

To better understand why this change is significant, it is helpful to look back to how data was previously managed in legacy versions of Exchange. Exchange 2003 was much like an infant in that it basically did whatever it needed when it wanted in regards to the database. Most babies eat, sleep, relieve themselves and play on their own schedule, much to their parent’s dismay. That pretty much sums up how Exchange 2003 used to write, read or delete items to the database. When Exchange 2007 was introduced, it was evident that the technologies had grown up. This progression has naturally continued in Exchange 2010.

One big area of improvement is that Exchange 2010 has a much larger page size and manages the read/write operations more efficiently. For example, when a read or write operation is received, the size of the item is compared to the page size to determine if the operation should be committed or to wait to gather more changes so that a single IO can be used. The following diagrams show how Exchange 2010 is much more efficient that Exchange 2007.

Notice how the same Read operation takes 3 transactions in Exchange 2007 as opposed to a single operation in Exchange 2010. The diagram below highlights how a Write process is handled more efficiently in Exchange 2010.

Now that Exchange 2010 has a larger page size, what happens for smaller pages in the cache? Since the cache is in memory and not on the Hard disk, you might assume that the whole 32 KB page would be used and this would result in a waste of memory. The engineers at Microsoft thought about this problem when introducing designing Exchange 2010 and created a nice solution. When a page is not fully utilized, Exchange uses cache compression. For example a page with 7 KB of data will be compressed in memory so that the extra space is not wasted. The diagram below graphically represents this concept.

Online Defragmentation:
In previous versions of Exchange, the maintenance of database was handled nightly by the exchange server. This included page purges and the handling of mailboxes that were deleted.
Due to the many storage related enhancements that were introduced in Exchange 2010, Microsoft wanted to assure that the detection of faults, logically or physically, were detected and handled as soon as possible. For this reason, the way Exchange maintained its databases was changed. Instead of waiting until the evening to perform these important tasks, Exchange now performs maintenance constantly.

You can enable a special option on the database and enable 24/7 database maintenance on the database. This new feature also recovers white space on the fly. This also really eliminates the need to perform off line defragmentations of the database. It also allows the database to recover from logical or physical errors at the database level in real time.

The above diagrams show the new features and architectural changes that occurred to the OLD and thus became OLD2, OLD provides Background/throttled process that maintains contiguity of “Sequential Tables” by rebuilding leaf level of B+ Trees, thus gives the Exchange 2010 the ability to get a defragmented database like below:

The above diagrams shows a live view that compares the Exchange 2010 DB vs. 2007 fragmentation level, it is clear that Exchange 2010 has maintenance over the older technology.

Talking about storage in Exchange 2010 never ends. I like reading and writing about it but at some time it should stop. I hope that I was able to give you a solid view of the Exchange 2010 storage architecture and its new features. In my next article, I will talk about certificate consolidation and considerations for Exchange/OCS deployments. I hope that you liked this series and that you will keep visiting our blog for cool blog entries from fellow ESE writers.

Labels: Exchange 2010, Exchange Information Stores, Exchange Support, Exchange Tips