Archive - July, 2010

Digicert Certificate Tester Tool…

Digicert has an online tool which checks whether you have any issues with the installed certificate. The good thing is that it can be done from anywhere, as it is web based. All you need to do is put your server IP or name and the tool will do the rest. It provides useful information such as the validity, certificate issuer, signature algorithm, key size etc.

The tool works for any SSL certificate (not locked to Digicert ones), which is really good.

Run the tool from here

Check out my previous article to know more about DigiCertUtil, another tool from Digicert.

A sample output is shown below.

Digicert Help

Backing Up Exchange 2010 Using Windows 2008 R2 Server Backup…

I had written about backing up Exchange using Windows 2008 backup in one of my previous articles. Now that 2008 R2 and Exchange 2010 have been out for a while, I thought it was a good time to see whether anything has changed, and it has.

  • As is the case in Windows 2008, backup is not installed by default in 2008 R2 either. You can install it using either ServerManager or PowerShell.
  • Backups can be stored on a local or network drive.
  • Only disk backup is available, no option for tape.
  • During an Exchange restore, new log files will be replayed and the database will be brought to the latest state. You can deselect replay of logs during restore, if you want.

Two things have changed in 2008 R2 Server Backup.

  • Folder level backups.
  • Ability to back up passive database copies when servers are members of a DAG.

Let me explain. You can add items/folders that need to be backed up while choosing the “Custom” backup option in 2008 R2.

Select items for backup

When clicking “Add Items”, you can browse through the folder structure. While backing up Exchange databases, select the folder which has the database and log files. The default location is C:\Program Files\Microsoft\Exchange Server\V14\Mailbox.

Browse folders

In 2008 R2, backups can be taken from both active and passive database copies of a DAG. This is a welcome feature, as backups could only be taken from the active copy in Windows 2008.

The new features will be a huge relief for small businesses!

Exchange 2010 Error – Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=8000). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC)…

I was asked to troubleshoot an issue at a customer site where the Exchange 2010 servers stopped working. As usual, everything was working fine the previous evening!

The servers were throwing the following error message.

Topology Error

Source: MSExchange ADAccess
Event ID: 2114
Task Category: Topology
Level: Error
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=8000). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

The KB article mentioned gave outdated information (applicable to Windows 2000) and proved useless.

An information entry was logged in the event viewer just before the error.

Information

Event Type:      Information
Event Source:      MSExchange ADAccess
Event Category:      Topology
Event ID:      2080
User:            N/A
Computer:      
Description:
Process MSEXCHANGETOPLOGYSERVICE.EXE (PID=8000). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1.FQDN      CDG 1 7 7 1 0 0 1 7 1
DC2.FQDN      CDG 1 7 7 1 0 0 1 7 1

As the SACL right was showing as zero, I quickly figured out that the Exchange servers did not have the correct permissions to access the domain controllers.

Exchange does not use any domain controller that does not have permissions to read the SACL on the nTSecurityDescriptor attribute in the domain controller. You must have at least one server that satisfies each role (C, D, or G) and that shows 1 in the SACL right column.

I quickly checked the "Default Domain Controllers Policy" to see whether the Exchange servers had permissions on "Manage Auditing and Security" under User Rights Assignment, and that was fine.

Group Policy

I checked the NIC settings to see whether IPv6 was disabled and it was. I checked the registry to see whether it was fully disabled and it wasn’t. Hence I enabled IPv6 to be on the safe side. But, that didn’t fix the issue.

After looking around for a while, I found the cause of the issue. Someone had actually removed all Exchange servers from the default "Exchange Servers" group as part of an AD "cleanup" process. Luckily, the group was still there. I added all the Exchange servers to the group and rebooted them to pick up the changes immediately.

Everything started working once the servers were back online!
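The SACL right check described in this post can be scripted. The following is an added example, not part of the original post: it parses the Event ID 2080 description quoted above and reports whether each role (C, D, G) has at least one server with SACL right set to 1. The function names are hypothetical, and the sample text is the constructed one from the post with placeholder server names.

```powershell
# Constructed sample: the Event ID 2080 description quoted above (placeholder server names).
$description = @'
Process MSEXCHANGETOPLOGYSERVICE.EXE (PID=8000). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1.FQDN      CDG 1 7 7 1 0 0 1 7 1
DC2.FQDN      CDG 1 7 7 1 0 0 1 7 1
'@
# On a live server the same text could be read with (not run here):
#   (Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange ADAccess'; Id=2080} -MaxEvents 1).Message

function ConvertFrom-Event2080 {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Description)
    # Numeric columns, in the order given by the event's own header line.
    $columns = 'Enabled','Reachability','Synchronized','GCCapable','PDC',
               'SaclRight','CriticalData','Netlogon','OSVersion'
    $scope = $null
    foreach ($line in ($Description -split '\r?\n')) {
        if ($line -match '^\s*(In-site|Out-of-site):') { $scope = $Matches[1]; continue }
        # Server row: name, role letters (C, D, G, or - for a missing role), nine integers.
        if ($line -match '^\s*(\S+)\s+([CDG-]{1,3})\s+((?:\d+\s+){8}\d+)\s*$') {
            $row = @{ Server = $Matches[1]; Scope = $scope; Roles = $Matches[2] }
            $values = $Matches[3] -split '\s+'
            for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = [int]$values[$i] }
            New-Object PSObject -Property $row
        }
    }
}

function Test-SaclCoverage {       # hypothetical helper name
    param([Parameter(Mandatory = $true)][AllowEmptyCollection()][object[]]$Servers)
    # Each of the roles C, D and G needs at least one server with SACL right = 1.
    foreach ($role in 'C','D','G') {
        $usable = @($Servers | Where-Object { $_.Roles -like "*$role*" -and $_.SaclRight -eq 1 })
        New-Object PSObject -Property @{
            Role      = $role
            Satisfied = ($usable.Count -gt 0)
            Usable    = ($usable | ForEach-Object { $_.Server }) -join ', '
        }
    }
}

$servers = @(ConvertFrom-Event2080 -Description $description)
$servers | Where-Object { $_.SaclRight -ne 1 } | ForEach-Object {
    Write-Warning ("{0} ({1}) reports SACL right = {2}; Exchange will not use it" -f $_.Server, $_.Roles, $_.SaclRight)
}
Test-SaclCoverage -Servers $servers | Format-Table Role, Satisfied, Usable -AutoSize
```

With the sample from the post, both domain controllers are flagged and all three roles come back unsatisfied, which matches the topology discovery failure.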

DigiCertUtil – The Certificate Management & Troubleshooting Tool…

I was at a customer site last week, working mainly on SAN certificates on Exchange and TMG servers: exporting and importing the certificate between servers, making sure root and intermediate certificates are correctly installed, etc. I was working with a tool that I have used before and thought of sharing it, as it makes working with certificates much easier.

The tool is DigiCertUtil.exe and is from Digicert. With this tool you can manage, troubleshoot and fix the SSL certificates on your server, all without having to open up a command prompt to run special certutil commands or dig through the MMC Certificate Snap-in.

CertUtil

DigiCertUtil.exe makes it easy to (from Digicert site):

  • See all the SSL certificates installed on your server.
  • Easily view details for each certificate.
  • Fix intermediate certificate problems with one click.
  • Import and Export your certificates to make a backup or move them between servers.
  • Test a certificate to verify its private key is functional.
  • Install a certificate to a pending request.
  • Repair a certificate whose private key exists on the server but is not correctly associated with the certificate.

Download the tool (.exe) here or the zip file here

The good thing is that you can use the tool to manage certificates issued by any company. A must-have tool for Exchange admins!

More Forefront Protection 2010 For Exchange Videos In Technet…

The Forefront Team has released three more videos on TechNet which explain different antispam filtering options and PowerShell commands to export and import the configuration settings between servers.

Using Filtering in FPE

Using Antispam filtering in FPE

Using PowerShell to export and import FPE configuration settings

Check out the previously released videos here

Error – Rule “Restart Computer” Failed. A Computer Restart Is Required. You Must Restart This Computer Before Installing SQL Server…

I was playing with TMG & Exchange 2010 publishing and had to delete TMG & associated SQL Express 2008 installation. When I tried deleting SQL Express 2008 from the control panel, I got the error message below.

Rule "Restart Computer" Failed. A Computer Restart Is Required. You Must Restart This Computer Before Installing SQL Server

Restart Computer

Rule Restart Computer Failed

I am not a SQL expert, but I had to delete the installation to start fresh. The solution was to delete a registry entry and I was able to delete the SQL install.

Launch the registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

Registry Edit

Delete the key "PendingFileRenameOperations" (Don’t restart the server, as it will put the registry key back).

Re-run the setup and all will be green.

Restart Computer OK

Now that all showed green, I could successfully delete the SQL Express installation.
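Before deleting "PendingFileRenameOperations" it is worth seeing which queued file operations are being discarded. The following is an added example, not part of the original post: it decodes the entries into source/destination pairs and saves a copy of the live value. The function names, backup path and sample file names are assumptions made for illustration.

```powershell
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName      = 'PendingFileRenameOperations'

function ConvertTo-PendingRename {   # hypothetical helper name
    # The data is a REG_MULTI_SZ of source/destination pairs queued for the next boot.
    # An empty destination means the source file is deleted rather than renamed.
    param([string[]]$Entries)
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $destination = ''
        if ($i + 1 -lt $Entries.Count) { $destination = $Entries[$i + 1] }
        $action = 'Delete'
        if ($destination) { $action = 'Rename' }
        New-Object PSObject -Property @{
            Action      = $action
            # Strip the \??\ prefix (and the optional leading ! on destinations).
            Source      = $Entries[$i] -replace '^\\\?\?\\', ''
            Destination = $destination -replace '^!?\\\?\?\\', ''
        }
    }
}

function Save-PendingRename {        # hypothetical helper name; reads the live registry
    param([string]$BackupPath = "$env:TEMP\PendingFileRenameOperations.xml")
    $live = (Get-ItemProperty -Path $sessionManager -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if (-not $live) { Write-Output 'No pending file rename operations.'; return }
    Export-Clixml -InputObject $live -Path $BackupPath   # copy kept for reference
    ConvertTo-PendingRename -Entries $live
}

# Constructed sample entries (file names are placeholders, not taken from the post).
$sample = @(
    '\??\C:\Example\Temp\setup-old.dll', '',
    '\??\C:\Example\Temp\new.dll', '!\??\C:\Example\App\current.dll'
)
ConvertTo-PendingRename -Entries $sample | Format-Table Action, Source, Destination -AutoSize

# On the affected server (not run here): save and review, then preview the removal.
#   Save-PendingRename | Format-Table Action, Source, Destination -AutoSize
#   Remove-ItemProperty -Path $sessionManager -Name $valueName -WhatIf
```

Dropping `-WhatIf` from the last line performs the deletion described in the post.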

Download – Best Practice Analyzers For Forefront TMG And UAG…

Microsoft has released Best Practice Analyzers for Forefront TMG and UAG, at a time when companies have started moving to Exchange 2010 and upgrading ISA.

TMG BPA

The Forefront Threat Management Gateway (TMG) Best Practices Analyzer Tool is designed for administrators who want to determine the overall health of their Forefront TMG computers and to diagnose current problems. The tool scans the configuration settings of the local Forefront TMG computer and reports issues that do not conform to the recommended best practices.

Download TMG Best Practice Analyzer Tool here

This BPA Tool is designed to support Forefront TMG only. Download the BPA Tool for Internet Security and Acceleration (ISA) Server from here

The Forefront Unified Access Gateway (UAG) 2010 Best Practices Analyzer Tool is designed for administrators who want to determine the overall health of their Forefront UAG computers and to diagnose current problems. The tool scans the configuration settings of the local Forefront UAG computer and reports issues that do not conform to the recommended best practices.

Download UAG Best Practice Analyzer Tool here

Master Your Messages With Exchange 2010…

I came across three short videos on the Microsoft Showcase site and thought of sharing them with my readers. These videos explain the different features in Exchange 2010 which help you to stay on top of your messages.

Master Your Messages

Microsoft Exchange 2010: Clean Up Your Inbox

Microsoft Exchange 2010: On the Go Doesn’t Mean Out of Touch

Microsoft Exchange 2010: One Stop Messaging

Publishing Exchange 2010 With Forefront TMG And UAG – Whitepaper…

Microsoft has published a whitepaper on publishing Exchange 2010 with their latest products, Forefront TMG and UAG. The whitepaper walks you through the entire process of using either Forefront TMG or UAG to publish Exchange 2010.

It starts by helping you decide whether to use Forefront TMG or UAG, makes sure you get the terminology understood, then provides step by step instructions to configure the environment. A “must read” document if you are thinking of using the latest Forefront products for publishing Exchange 2010.

Whitepaper

Download the whitepaper here

There is no available Hub Transport Server in the local site. Event ID: 1008…

I was at a customer site when I came across this error message in the event viewer.

“There is no available Hub Transport Server in the local site”. Event ID: 1008

No hub server

The environment had both Exchange 2007 and 2010. Emails sent from or to a 2007 mailbox did not get delivered. I quickly checked the Exchange topology and found out that there were no Exchange 2007 HUB servers. Multiple 2010 HUB servers were present though, and all servers were in the same AD site.

The reason for the error is that, when Exchange 2010 & 2007 co-exist, every mailbox server needs a hub transport server with a matching Exchange version in the same AD site. Due to the changes made in 2010, Exchange 2010 hub transport servers can’t pick up messages from and deliver messages to Exchange 2007 mailbox servers. Similarly, Exchange 2007 hub transport servers can’t communicate with 2010 mailbox servers. Therefore, you need to maintain your Exchange 2007 hub transport servers in an AD site until all Exchange 2007 mailbox servers are removed from that site.

Next time you are thinking about 2007 – 2010 coexistence, keep in mind that you need 2007 hub servers as well. The initial feeling will be that the latest version of the hub server should be able to serve the previous versions, but NO!
