Sunday, April 18, 2010

You cannot start the Microsoft Exchange Transport service on an Exchange Server 2007 Hub server

You cannot start the Microsoft Exchange Transport service on a Microsoft Exchange Server 2007 Hub server. When this occurs, the following error message is logged in the Application event log:
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Routing
Event ID: 5023
A transient configuration error was detected while the routing configuration was loading. Exception details: The local server isn't a member of any routing group. : Microsoft.Exchange.Transport.Categorizer.TransientRoutingException: The local server isn't a member of any routing group.

This issue occurs because the msExchHomeRoutingGroup attribute on the Exchange 2007 Hub server object in the Active Directory directory service has no value.

To resolve this issue, follow these steps:

1. Open the ADSIEdit tool, and connect to the configuration context.
2. Locate the Exchange Administrative Group object.
3. Open Properties for the Exchange Routing Group object, and copy the distinguishedName value.
4. Locate the Servers object in the Exchange Administrative Group.
5. Select Properties for the Exchange 2007 Hub server, and find the msExchHomeRoutingGroup attribute.
6. Open the msExchHomeRoutingGroup attribute, and enter the distinguishedName value that you copied in step 3 for the Exchange 2007 Routing Group.
7. Verify that the Exchange 2007 server is visible in the Exchange Routing Group in Exchange System Manager.
8. Restart the Microsoft Exchange Transport service on the Exchange 2007 Hub server.
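The same check and fix as a script, added here as an example (it is not from the KB article): it reads the Hub server object's msExchHomeRoutingGroup attribute through the .NET DirectoryServices classes, compares it with the Exchange 2007 routing group's distinguishedName, and writes it only when run with -Repair. It assumes the default Exchange 2007 container names shown in the filters and an account with Exchange Organization Administrator rights; HUB01 is a placeholder server name.

```powershell
# Added example, not from the KB article: report, and with -Repair set, the
# msExchHomeRoutingGroup attribute of an Exchange 2007 Hub Transport server
# object, doing by script what the ADSIEdit steps above do by hand.
param(
    [Parameter(Mandatory = $true)] [string] $ServerName,   # NetBIOS name, e.g. HUB01 (placeholder)
    [switch] $Repair                                       # without -Repair the script only reports
)

$configNC = [string] ([ADSI] "LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI] "LDAP://$configNC"

# The Hub server object lives under Servers in the Administrative Group; search by cn.
$searcher.Filter = "(&(objectClass=msExchExchangeServer)(cn=$ServerName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "No Exchange server object named '$ServerName' found under $configNC" }
$server = $hit.GetDirectoryEntry()

# The Exchange 2007 routing group has a well-known name containing parentheses,
# which must be escaped as \28 and \29 inside an LDAP filter.
$searcher.Filter = "(&(objectClass=msExchRoutingGroup)(cn=Exchange Routing Group \28DWBGZMFD01QNBJR\29))"
$rgHit = $searcher.FindOne()
if (-not $rgHit) { throw "Exchange 2007 routing group object not found under $configNC" }
$rgDn = [string] $rgHit.Properties["distinguishedname"][0]

$current = $server.Properties["msExchHomeRoutingGroup"].Value
"Server object : $($server.Properties['distinguishedName'].Value)"
"Routing group : $rgDn"
"Current value : $(if ($current) { $current } else { '<empty> (the condition behind Event ID 5023)' })"

if ([string] $current -eq $rgDn) {
    "msExchHomeRoutingGroup is already correct; nothing to change."
} elseif ($Repair) {
    # Write the routing group DN into the attribute, as entering it in ADSIEdit does.
    $server.Properties["msExchHomeRoutingGroup"].Value = $rgDn
    $server.CommitChanges()
    "msExchHomeRoutingGroup set. Restart the transport service next: Restart-Service MSExchangeTransport"
} else {
    Write-Warning "msExchHomeRoutingGroup is missing or wrong. Rerun with -Repair to set it."
}
```

Run it once without -Repair to confirm the server and routing group objects it found are the ones you expect before letting it write.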


Identify Exchange Server 2010 ActiveSync certificate errors

The easiest way to find out if you have a certificate-related problem is to log into Outlook Web App (OWA). OWA and ActiveSync both require SSL, and use the client access server (CAS). ActiveSync and OWA also use the same SSL certificate, so if OWA works properly, you can rule out a certificate issue.
As you test OWA, here are some things to keep in mind:
• By default, Exchange Server 2010 is configured to use a self-signed certificate with OWA. However, self-signed certificates are not compatible with ActiveSync. You need to use a valid X.509 certificate.
• When you enter the URL for OWA, make sure that the URL points to the same CAS that ActiveSync is using.
• Be sure to use the HTTPS prefix in your OWA URL.
• When OWA loads, make note of any certificate-related warning messages you receive. If the certificate has expired, it will not work with ActiveSync.
• If you receive a warning that the certificate name does not match the host name, verify that you have entered the server's fully qualified domain name (FQDN) as a part of the URL, as opposed to a short name such as https://Lab-E2K10/owa. Entering the URL without a FQDN can trigger false certificate identity errors. If a certificate identity error is legitimate, you will need a new certificate.
• You will receive a warning message (Figure 1) if the computer does not trust the certificate authority (CA) that issued the certificate to Exchange Server 2010. Both Windows and Windows Mobile are configured to trust most major third-party certificate authorities by default.

Figure 1. A certificate-related warning message may signal an untrusted CA.

If you are using your own CA, you must configure your computers and mobile devices to trust it. Windows-based CAs have a Web interface you can use to download a CA certificate. This certificate then must be added to the computer or device's certificate store. The Web interface is accessible at http://<CA server name>/CertSrv (Figure 2).

Figure 2. Use the certificate authority's Web interface to download required CAs.

• An Enterprise certificate authority that is running Windows Server 2008 does not allow Web enrollment for mobile devices unless you install the Network Device Enrollment Service. Although there are other ways to download the CA certificate (which allows the device to trust your Enterprise CA), it's best to use the Network Device Enrollment Service.
• When you attempt to access OWA using an HTTPS session, Internet Explorer may display an error message stating that the page cannot be displayed. If this occurs, try accessing OWA using an HTTP session, instead of HTTPS.
If you receive a message telling you that the HTTP session is forbidden, there is probably an issue with the server's SSL certificate or its bindings. If you continue to receive the same error whether you use HTTP or HTTPS, this may signal a DNS problem.
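An added example (not from the article) that runs the checklist above from the client side: it resolves the CAS name, makes a TLS connection as a browser or device would, and reports a self-signed certificate, an expired certificate, a name mismatch, or an issuing CA the computer does not trust. The CAS name and port are parameters; cas01.contoso.com in the comment is a placeholder.

```powershell
# Added example, not from the article: probe a Client Access Server over HTTPS
# and report the certificate problems the checklist describes.
param(
    [Parameter(Mandatory = $true)] [string] $CasFqdn,   # e.g. cas01.contoso.com (placeholder)
    [int] $Port = 443
)

# The same error over HTTP and HTTPS usually means DNS, so resolve the name first.
try { $null = [System.Net.Dns]::GetHostAddresses($CasFqdn) }
catch { Write-Warning "DNS cannot resolve '$CasFqdn'; fix name resolution before looking at certificates"; return }

# Record the policy errors .NET computes, but accept the handshake so the
# certificate can still be inspected afterwards.
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$validator = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslErrors)
    $script:policyErrors = $sslErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($CasFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
try {
    $ssl.AuthenticateAsClient($CasFqdn)   # validates against the name the client typed, as a device does
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $ssl.Dispose(); $tcp.Close() }

$findings = @()
if ($cert.Subject -eq $cert.Issuer) {
    $findings += "self-signed certificate (a browser only warns, but ActiveSync will not use it)"
}
if ($cert.NotAfter -lt (Get-Date)) {
    $findings += "certificate expired on $($cert.NotAfter)"
}
if ($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
    $findings += "name mismatch: certificate is for '$($cert.GetNameInfo('DnsName', $false))' but the URL used '$CasFqdn'"
}
if ($script:policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
    $findings += "issuer '$($cert.Issuer)' is not trusted on this computer; import the CA certificate (Figure 2)"
}

if ($findings.Count -eq 0) { "No certificate problems found for $CasFqdn on port $Port" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from a workstation that is not the CAS itself, and with the exact FQDN the devices use, so the name and trust checks reflect what ActiveSync clients see.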

A crash course in IIS 7

Unlike earlier versions, Exchange Server 2010 requires Windows Server 2008 and Internet Information Services (IIS) 7, and the process for setting up SSL is quite different in IIS 7 than it was in IIS 6.
In IIS 7, SSL certificates are applied at the server level. If you look at the IIS Manager and select the listing for your IIS server, the details pane will contain a Server Certificates icon (Figure 3).

Figure 3. SSL certificates are applied to IIS 7 at the server level.

When you click the Server Certificates icon, the details pane displays the SSL certificates currently associated with the server. As you can see, the Actions pane contains an option to create a certificate request. If you're using your own CA, you'll have to use this link to create a text file containing the certificate request.
Next, use the certificate enrollment website to perform a certificate request, using the contents of the text file. When this process is complete, the website will allow you to download a certificate. After doing so, you must use the Complete Certificate Request link (Figure 4) to make IIS aware of the new certificate.

Figure 4. Clicking on the Server Certificates icon causes IIS 7 to display the existing SSL certificates.

Although SSL certificates are managed at the server level, SSL encryption is actually enabled or disabled at the individual website level. OWA and ActiveSync are both a part of the Default Web Site and have SSL enabled by default. You can use the SSL Settings icon to verify that SSL encryption is enabled (Figure 5).

Figure 5. SSL is either enabled or disabled at the website level.

Configuring a site's bindings

One step that often is overlooked involves configuring a site's bindings. In the case of SSL, site bindings tell IIS which certificate it should use for a particular site. If you look back at Figure 5, you'll notice a Bindings link, which is located in the Actions pane. Clicking on this link displays the existing site bindings.
To make sure that the site is using the correct certificate, select the HTTPS binding and click Edit. The IIS Manager will display the Edit Site Bindings dialog box (Figure 6), which lets you choose the certificate you'd like to use with the site.

Figure 6. Select the certificate you'd like to associate with the website.

When testing this procedure in the lab, I ran into some problems and discovered they were related to the bindings. Although the bindings on my Exchange 2010 Server were configured correctly, they became corrupted -- causing Internet Explorer to display a Page Cannot Be Displayed error when I attempted to access OWA.
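An added example (not from the article) that audits the IIS 7 side of the procedure on the CAS itself: the Default Web Site HTTPS binding, the certificate that binding resolves to and whether it covers the client-facing FQDN, and whether the owa and Microsoft-Server-ActiveSync virtual directories still require SSL. It assumes Windows Server 2008 R2 with the WebAdministration module (IIS 7.5); the FQDN is a parameter and cas01.contoso.com is a placeholder.

```powershell
# Added example, not from the article: check site binding, SSL binding and
# per-vdir SSL settings on the CAS. Assumes IIS 7.5 / WebAdministration module.
param([Parameter(Mandatory = $true)] [string] $CasFqdn)   # e.g. cas01.contoso.com (placeholder)
Import-Module WebAdministration

# 1. The site binding (what the Bindings dialog in Figure 6 shows).
$siteBinding = Get-WebBinding -Name 'Default Web Site' -Protocol https
if (-not $siteBinding) { Write-Warning "Default Web Site has no HTTPS binding; OWA and ActiveSync cannot use SSL"; return }
"HTTPS site binding(s): $($siteBinding.bindingInformation -join '; ')"

# 2. The SSL binding: which certificate HTTP.sys actually serves on port 443.
foreach ($ssl in (Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 })) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ssl.Thumbprint }
    if (-not $cert) {
        Write-Warning "$($ssl.IPAddress):443 points at thumbprint $($ssl.Thumbprint), which is not in the machine store (stale or corrupted binding)"
        continue
    }
    # Names the certificate covers: the CN plus any Subject Alternative Names (OID 2.5.29.17).
    $names = @($cert.GetNameInfo('DnsName', $false))
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) { $names += ($sanExt.Format($false) -split ', ') | ForEach-Object { ($_ -split '=', 2)[1] } }
    # -like lets a wildcard name such as *.contoso.com match as well.
    $covers = @($names | Where-Object { $CasFqdn -like $_ }).Count -gt 0
    $verdict = if ($covers) { 'covers' } else { 'does NOT cover' }
    "$($ssl.IPAddress):443 -> $($cert.Subject) ($($names -join ', ')) $verdict $CasFqdn"
}

# 3. SSL is switched on per site/vdir, not per certificate (Figure 5): confirm both vdirs still require it.
foreach ($vdir in 'owa', 'Microsoft-Server-ActiveSync') {
    $access = Get-WebConfiguration -PSPath "IIS:\Sites\Default Web Site\$vdir" -Filter /system.webServer/security/access
    if ("$($access.sslFlags)" -match 'Ssl') { "$vdir : SSL required" }
    else { Write-Warning "$vdir : SSL is NOT required (sslFlags='$($access.sslFlags)')" }
}
```

A binding whose thumbprint is missing from the machine store, or that points at a certificate not covering the FQDN, is the kind of broken binding that produces a Page Cannot Be Displayed error rather than a certificate warning.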


Exchange Server 2010 SP1 allows storage provisioning

More like a feature pack, Exchange Server 2010 SP1 includes archiving and discovery enhancements; better Outlook Web App (OWA) performance; and mobile user and management improvements. One of the most important new features in SP1 is the ability to provision users' personal archive to a different mailbox database than the primary mailbox.

Improving storage in Exchange Server 2010
Currently, an archive mailbox must reside on the same database as that for a primary mailbox. This requirement limits the benefits of using a personal archive and, in some cases, makes an archive detrimental because of the additional server storage and maintenance needed, said Rob Sanfilippo, an Exchange analyst at the independent analyst firm Directions on Microsoft in Kirkland, Wash.
Allowing the primary and personal archive mailboxes to reside on different mailbox databases is a big improvement because administrators can put archives on dedicated disks or servers that have separate storage, maintenance routines, and fault tolerance configurations, Sanfilippo said.
Most of the other changes in SP1 address functionality gaps or are minor improvements that didn't make it into the original release.
An additional function is tether-free Information Rights Management (IRM) support via Exchange ActiveSync (EAS) so that end users can send and receive IRM-protected mail without connecting their device to Windows Mobile Device Center for provisioning.
SP1 will also bring several new management user interface (UI) enhancements for management tasks in the Exchange Management Console (EMC) and Exchange Control Panel (ECP).
The additions to the EMC, including tools to create retention policy tags, and ECP should be helpful and bring greater parity among these tools and the Exchange Management Shell, Sanfilippo said.
The Multimailbox Search feature, which can be used for e-discovery of email to comply with information laws and regulations, now includes a new search preview and a new search result deduplication option, and added support for annotation of reviewed items.
Microsoft also improved the performance of Outlook Web App and addressed common problems. For one, attaching a very large file no longer creates hang-ups with the rest of the OWA functions. The UI has also been simplified so that it is easier to use on small screens such as netbooks, tablets and other devices.