
Blog


    March 12

    OCS on EBS – Licensing “Oddity”

     

    As a Microsoft unified comms specialist partner, we run Microsoft Office Communications Server 2007. It works a treat in an EBS environment, in fact, EBS provides the ideal bas As part of our setup, we have an OCS edge server which allows users outside the company to connect to our OCS infrastructure and make use of its services, e.g. IM, presence, voice etc.

    We have a number of people (partners, consultants etc) who would benefit from using OCS, but will never actually log on to our main network and access EBS resources. As such, we created some new user accounts in Active Directory and set them up for OCS. After enabling them for remote access, some of them were able to log on to OCS externally. After a short period of time, they couldn’t log on, and we could not figure out why. Every aspect of the user and OCS configuration seemed to be ok.

    Eventually, we figured out what it was – EBS licensing. Each user had to be assigned a user CAL within the EBS management console. A quick query with the EBS team confirmed that this is expected behaviour. As the user authenticates to AD (even though they never access any other resources), they require a CAL. This is true whether running standard Windows or EBS, but the difference is that EBS ENFORCES the licence requirement whereas Windows does not.

    So, external OCS users who authenticate require an EBS (or Windows if not using EBS) user CAL, an OCS standard user CAL and an OCS enterprise CAL to enable the full suite of OCS functionality. If they are a voice user and require Exchange UM, they would also require an Exchange Enterprise CAL.

    November 28

    Error 50331656 - An internal error has occurred, when accessing a computer via RWW

    This one had me stumped for a while - remote web workplace on our EBS system had been working fine, but suddenly stopped working. I could login to RWW no problem, pick a machine from the list and try and connect, but would then get a dialog with "An internal error has occured (error 50331656)."

    Searching online found virtually nothing related to this message other than someone having a RWW issue on SBS.

    After some investigation ourselves, and then involving the EBS TAP support team, we tracked it down to the lack of a certificate on the Terminal Services Gateway. This Server 2008 role is installed on the Messaging server. After assigning the correct certificate, RWW works perfectly.

    I later realised what caused the problem - we had a certificate on our EBS messaging server which didn't include autodiscover.domain.com and autodiscover.domain.local so we created and assigned a new one, while deleting the old one.

    We didn't realise that this certificate was also assigned to the TS Gateway and deleting the certificate left it without one assigned.

    I'll talk about autodiscover and certificates in a forthcoming post.


    November 23

    System Center Service Manager Beta is Released (again)

    Service Manager has looked like a very interesting product for change and configuration management as well as helpdesk operations. There was a Beta 1 released over a year ago, but the product team decided to scrap the original product and go back to the drawing board.


    The bad news was the release was pushed back to 2010! The good news is Beta 1 of the new version has just been made available:

    https://connect.microsoft.com/SelfNomination.aspx?ProgramID=2733&pageType=1&SiteID=446

    November 19

    Exchange 2007 Certificates

     

    We needed a new certificate on our Exchange 2007 CAS server including the autodiscover prefixes in the SAN, so I wanted to submit a new request to our internal CA.

    The process was as follows:

    1) Use the Digicert tool https://www.digicert.com/easy-csr/exchange2007.htm to quickly get the command line required including the SANs

    2) Enter the command line (New-ExchangeCertificate) on the Exchange server (in our case our EBS messaging server)

    3) Submit the created request file to our internal CA (EBS Management Server). This is where the problem arose - when trying to process the request from the certification authority MMC, I got an error 0x80094801 - the request contains no certificate template information.

    The solution is to use certreq.exe with the following parameters to specify the template to be used:

    certreq -submit -attrib "CertificateTemplate:WebServer" request.txt

    4) Process the pending request on the messaging server using IIS

    5) Use Get-ExchangeCertificate to list the available certificates

    6) Copy the thumbprint from the output of 5) and use Enable-ExchangeCertificate to enable the new cert for the web services.

    Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services IIS

    And we should be good to go!
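
    The six steps above as one Exchange Management Shell session, with a check that the issued certificate carries every required name before it is enabled. This is an added example, not the author's script: the host names, file paths and subject are placeholders, and it uses Import-ExchangeCertificate in place of completing the request in IIS (step 4).

```powershell
# Added example: run in the Exchange Management Shell on the CAS server.
# All names and paths below are placeholders (assumptions), not from the post.
$names   = 'mail.domain.com', 'autodiscover.domain.com', 'autodiscover.domain.local'
$reqFile = 'C:\certs\request.txt'
$cerFile = 'C:\certs\issued.cer'

# Step 2: create the request; -DomainName populates the SAN.
New-ExchangeCertificate -GenerateRequest -Path $reqFile `
    -SubjectName 'CN=mail.domain.com' -DomainName $names

# Step 3: submit to the internal CA. Naming the template avoids error
# 0x80094801 ("the request contains no certificate template information").
certreq -submit -attrib "CertificateTemplate:WebServer" $reqFile $cerFile
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Step 4 (shell alternative to IIS): import the issued certificate so it is
# paired with the private key created by the pending request.
$cert = Import-ExchangeCertificate -Path $cerFile

# Step 5: read back the names Exchange sees on the new certificate and
# refuse to continue if any required name is absent.
$have = @(Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
          ForEach-Object { $_.CertificateDomains } |
          ForEach-Object { $_.ToString() })
$missing = @($names | Where-Object { $have -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) lacks: $([string]::Join(', ', $missing))"
}

# Step 6: enable the verified certificate for the web services.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Before deleting the certificate this one replaces, review what uses it.
# Exchange reports only its own services here; other roles that share the
# certificate (the TS Gateway in the RWW post on this page) are assigned in
# their own consoles and must be re-pointed to the new certificate first.
Get-ExchangeCertificate | Format-List Thumbprint, Services, NotAfter, CertificateDomains
```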

    Speech Auto Attendant Problem

    I've been working on an OCS enterprise voice deployment with Exchange Unified Messaging, and part of the process was setting up an auto attendant.

    I got the routing all working and could call into the AA, but got a voice message "Please call back later. Goodbye" and was disconnected. I eventually made the AA not speech enabled and then when calling in, got the expected "welcome to the Microsoft Exchange auto attendant".

    Checking the log files on the UM server indicated a problem with one of the grammar files for Automatic Speech Recognition.

    I'll fix this later, but at least I now know where the problem lies and have some error messages to go on.

    November 14

    TMG Blocking Password Protected ZIP Files

     

    Today, I needed to download a password protected zip file (as it happens, beta OCS compatible firmware for an IP phone), but when downloading, was presented with the following:

    image

    As TMG is unable to decrypt the file and inspect its contents, the file is blocked by default.

    This is controlled by the malware inspection policy in TMG.

    image 

     

    Under the block encrypted files setting.

    image

    I needed this file, but obviously didn't want to open a security hole, so I added the specific site to "Sites Excluded from malware inspection" on the exceptions tab.

    When I now attempt to download the file from the web site TMG allows it through ok.
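
    An inspecting gateway does not need the password to know an archive is encrypted: the ZIP central directory is stored in the clear, and bit 0 of each entry's general-purpose flag marks the entry as encrypted. The following is an added example of that check, not TMG's own logic and not from the original post; the function name and the sample bytes are constructed for illustration.

```powershell
# Added example: list ZIP entries and whether each is flagged as encrypted.
# Reads only the central directory, which is stored unencrypted.
function Get-ZipEntryEncryption {
    param([byte[]]$Bytes)

    # Find the End Of Central Directory record (PK 05 06), scanning backwards
    # because an archive comment may follow it.
    $eocd = -1
    for ($i = $Bytes.Length - 22; $i -ge 0; $i--) {
        if ($Bytes[$i] -eq 0x50 -and $Bytes[$i + 1] -eq 0x4B -and
            $Bytes[$i + 2] -eq 0x05 -and $Bytes[$i + 3] -eq 0x06) { $eocd = $i; break }
    }
    if ($eocd -lt 0) { throw 'No end-of-central-directory record: not a ZIP file.' }

    $count  = [BitConverter]::ToUInt16($Bytes, $eocd + 10)   # total entries
    $offset = [BitConverter]::ToUInt32($Bytes, $eocd + 16)   # directory offset
    if ($count -eq 0xFFFF -or $offset -ge $Bytes.Length) {
        throw 'ZIP64 or truncated archive: outside the scope of this example.'
    }
    $pos = [int]$offset

    for ($n = 0; $n -lt $count; $n++) {
        # Each directory entry starts with PK 01 02 and a 46-byte fixed part.
        if ($pos + 46 -gt $Bytes.Length -or
            [BitConverter]::ToUInt32($Bytes, $pos) -ne 0x02014B50) {
            throw "Corrupt central directory entry at offset $pos."
        }
        $flags   = [BitConverter]::ToUInt16($Bytes, $pos + 8)
        $method  = [BitConverter]::ToUInt16($Bytes, $pos + 10)
        $nameLen = [BitConverter]::ToUInt16($Bytes, $pos + 28)
        $extra   = [BitConverter]::ToUInt16($Bytes, $pos + 30)
        $comment = [BitConverter]::ToUInt16($Bytes, $pos + 32)

        [pscustomobject]@{
            Name      = [Text.Encoding]::UTF8.GetString($Bytes, $pos + 46, $nameLen)
            Encrypted = ($flags -band 1) -ne 0   # general-purpose flag, bit 0
            Method    = $method                  # 99 indicates WinZip AES
        }
        $pos += 46 + $nameLen + $extra + $comment
    }
}

# Constructed sample: a central directory with one entry, "fw.bin", whose
# flag bit 0 is set, followed by the end record. Directory only, not a
# complete archive, which is all this parser reads.
[byte[]]$sample = @(
    0x50,0x4B,0x01,0x02, 0x14,0x00, 0x14,0x00, 0x01,0x00, 0x00,0x00,  # signature, versions, flags=1, method
    0x00,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,                        # time, date, CRC
    0x04,0x00,0x00,0x00, 0x04,0x00,0x00,0x00,                         # compressed and uncompressed size
    0x06,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00,            # name, extra, comment length, disk, attributes
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,                         # external attributes, local header offset
    0x66,0x77,0x2E,0x62,0x69,0x6E,                                    # "fw.bin"
    0x50,0x4B,0x05,0x06, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x01,0x00,  # end record, one entry
    0x34,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00               # directory size 52, offset 0, no comment
)

Get-ZipEntryEncryption -Bytes $sample | Where-Object { $_.Encrypted }

# For a downloaded file (the path is a placeholder):
# Get-ZipEntryEncryption -Bytes ([IO.File]::ReadAllBytes('C:\Downloads\archive.zip'))
```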

    November 04

    EBS Deep Dive Session

     

    Nick King, technical product manager for EBS has just presented the first EBS focused session at this year’s TechEd EMEA. I was pleased to see the room about 80% full and obviously a fair amount of interest in EBS.

    Nick presented a deep dive on EBS 2008 covering product details and the deployment process in some detail. Virtualization was discussed numerous times, including a look at the different supported scenarios using Hyper-V.

    Gary Purchase then went on to give a quick demo showing how easy it is to develop add-ins for EBS.


    Nick announced that a trial version of EBS will be available from 12th November!

    TechEd 2008

     

    I’m now into my second day of TechEd EMEA 2008, with a focus around EBS and Unified Comms. I’ll post reviews and notes on some of the sessions as the week goes on.

    I’m here with the EBS team at the Windows Essential Server Solution stand and will be on hand most of Thursday / Friday to answer EBS related questions.

    I’m also taking part in a chalk talk session on EBS on Thursday afternoon alongside Oliver Sommer and Mikael Nystrom, two MVPs also heavily involved in the EBS TAP program.  We will be talking about each of our EBS production deployments, our experience and lessons learned.

    Digital IP are RTM

     

    We’ve now been running the RTM version of EBS for a couple of weeks and everything is looking good.

    The actual migration from Release Candidate 0 to RTM was a fairly painless process, and for the management and messaging servers simply involved installing various Windows Server 2008 updates and updating the EBS components.

    The security server migration actually involved replacing the server using the EBS replacement mode install. I recorded any changes we had made to the firewall rules etc in TMG and then simply rebooted the server from the RTM security DVD. Replacement mode worked flawlessly, picking up the relevant settings from the configuration partition.

    After completing the security replacement mode install, I simply recreated our customer firewall rules and we were good to go!

    Note: Now that we are RTM we would be able to export and import the rules from TMG rather than re-creating them, it’s just that there were significant changes from the beta to RTM.

    So far our first couple of weeks living with EBS RTM have shown no issues at all.

    It feels pretty good to have been the first in the world to start a production deployment of EBS and the first in the UK to be RTM!

    Look out for lots more EBS posts in the coming weeks, including articles on DPM, and Office Communications Server integration.

    August 20

    EBS Installation Speed

     

    Last weekend, we completed our third EBS production deployment as part of the EBS TAP program, and I have to say, I was astounded, not only by the ease of install, but also by the speed!

    This table shows how long it has taken us to complete the deployment of the 3 core EBS servers (not including the guided configuration).

    EBS Version                            Approximate Time to Deploy
    Somewhere between Beta 1 and Beta 2    6 days (test lab)
    Beta 2                                 44 Hours (Production)
    RC0                                    10 Hours (Production)
    RC1                                    5 1/2 Hours (Production)

    Now all these installs have been into different environments, but the key point is how comprehensive and robust the EBS setup process is as we approach the release version. Not only is the setup itself very robust, but the preparation and planning tools allow you (actually, force you) to identify pre-existing issues with your environment and fix them before being able to install EBS.

    I'd like to say a big thank you and congratulations to the EBS setup team, as this shows just how much effort has gone into this and what a great result you have achieved!

    August 18

    System Center Essentials 2007 Install

     

    A number of times, I've gone to install SCE 2007, but been blocked by the pre-requisite requirements, primarily to do with IIS.

    I've then gone and installed IIS and ASP.net, but it still blocks on asp.net v2 being required. Even after a restart this still blocks the install.

    The solution is to register asp.net v2 with IIS, as it doesn't seem to have been registered correctly. Use the following command:

    %windir%\microsoft.net\framework\v2.0.50727\aspnet_regiis.exe -i

    This will register asp.net v2 and allow SCE setup to progress.

    July 09

    EBS Release Date Announced!

    I'm pleased to say that the covers have finally been taken off and the release date for EBS has been announced here at the Microsoft Worldwide Partner Conference in Houston, TX.

    The big day will be November 12th!

    By the time of launch, we will already have three live production deployments under our belt, including our own deployment which has been live since December 2007. We already have one customer deployed and running EBS, with another to follow soon.

    As things ramp up towards the launch of EBS, look out for more articles and information on here as and when I'm allowed to post!

     

    More info on the launch http://www.microsoft.com/presspass/features/2008/jul08/07-07QAvanroekel.mspx

    June 27

    Hyper-V Released!!!

    Microsoft finally announced earlier today that Hyper-V has released to manufacturing.

    It's been imminent for a while, RC1 having been made publicly available a few weeks ago, and the release version is finally here.

    It looks like it should be a pretty painless upgrade from RC1 - I've just upgraded our pseudo-production system (which I moved some VMs to today from VS2005) with no problems. Just make sure to shut down any virtual machines and merge / remove any snapshots before attempting to upgrade.

    Full details and links to the download available here:

    http://support.microsoft.com/kb/950050

    June 16

    Livemeeting Client and Outlook Conferencing Add-in

    Two things that seem to be incredibly hard to find on the Microsoft web site are the Livemeeting client and the Outlook conferencing add-in, so here are the links to the latest versions:

     

    Livemeeting Client: http://office.microsoft.com/en-us/help/HA101733831033.aspx

     

    Conferencing Add-in for Outlook: http://office.microsoft.com/en-us/help/HA102368901033.aspx

     

    The conferencing add-in now adds a nice "Meet Now" button - great for demos instead of having to send a meeting request for now!

    June 12

    Step-by-Step – Protecting EBS With Data Protection Manager (Part 1)

     

    Over the course of the next couple of posts, I’m going to take a step by step look at protecting Essential Business Server with Microsoft Data Protection Manager 2007.

    After LOB applications, and possibly file shares, the data held in the Exchange databases is probably the most important that your company holds, therefore I’m going to start by looking at protection of the Exchange storage groups. I’ll then go on to cover other aspects of protecting Exchange and then the other servers.

    I’m not going to cover the base install of DPM, as it’s a pretty straightforward task. Note: DPM must be installed on a separate server – NOT one of the EBS core servers! You could always use the 4th server in EBS premium.

    In terms of hardware requirements, DPM likes lots of RAM – 4GB is ideal, although our production box only has 3. The other requirement is disk space – and lots of it! I see no reason why this couldn’t be cheap, high capacity SATA. Note, that DPM does NOT support USB hard disks – it will however support IDE, SATA, SCSI, SAS and eSATA. In our production system, we’re using internal SATA and external eSATA without any problems.

    DPM is available in 32 bit and 64 bit versions, but for reasons that will become apparent, it’s much simpler to go down the 64 bit route when protecting EBS - choosing 64 bit will make life much easier!

    Step 1: Disable Circular Logging on EBS Messaging Server

    Circular logging is turned on by default on EBS – this means that the Exchange transaction logs are overwritten after a period of time. As we will be running an Exchange aware backup that truncates the logs after a successful backup, we don’t want circular logging.

    Open the Exchange Management console on the EBS messaging server and go to the properties of the storage group.

    1 - disable circular logging 

    Right-click the Exchange storage group and click Properties. Clear the checkmark in the Enable Circular Logging box.

    Step 2: Copy Required exchange files to DPM server

    DPM uses eseutil from the Exchange binaries to perform consistency checking on the backed up data. To do this, it needs to have a local copy of eseutil.exe and ese.dll from the exchange server.

    If you are running 64 bit DPM, simply copy the files from \\messaging\c$\Program Files\Microsoft\Exchange Server\bin to C:\Program Files\Microsoft DPM\DPM\bin on the DPM server.

    If, however, you are running 32 bit DPM, then life is slightly more complicated, as you will need to find the 32 bit versions of these files. The easiest thing to do is download and install the Exchange Management tools on the DPM server. They can be obtained from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6be38633-7248-4532-929b-76e9c677e802 (make sure that you download the version that matches your release of Exchange; for the current release of EBS, this is Exchange 2007 SP1).

    Once installed, again, copy the files from C:\Program Files\Microsoft\Exchange Server\bin to C:\Program Files\Microsoft DPM\DPM\bin

    Once done, this will allow DPM to check the consistency of its Exchange backups. Again, note that the version of the files on the DPM server needs to match the Exchange server, and you may need to keep them updated in future (e.g. after the release and application of Exchange 2007 SP2).
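
    A check for the two conditions Step 2 depends on: the copies of eseutil.exe and ese.dll on the DPM server have the same file version as the Exchange server's, and they are built for the same architecture as the DPM install. This is an added example, not part of the original post; the paths follow the post, and the $dpmArch value and the Get-PEMachine helper are assumptions made for illustration.

```powershell
# Added example: run on the DPM server after copying the files in Step 2.
# Paths follow the post; set $dpmArch to the DPM build you installed (assumption).
$exchangeBin = '\\messaging\c$\Program Files\Microsoft\Exchange Server\bin'
$dpmBin      = 'C:\Program Files\Microsoft DPM\DPM\bin'
$dpmArch     = 'x64'

# Hypothetical helper: read the COFF machine field of a PE file.
# 0x8664 = x64, 0x014C = x86.
function Get-PEMachine([string]$Path) {
    $b  = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)          # e_lfanew: offset of "PE\0\0"
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) { # machine field follows the signature
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        default { 'other' }
    }
}

$ok = $true
foreach ($file in 'eseutil.exe', 'ese.dll') {
    $src = Join-Path $exchangeBin $file
    $dst = Join-Path $dpmBin $file

    if (-not (Test-Path $dst)) {
        Write-Warning "$file is missing from $dpmBin"
        $ok = $false
        continue
    }

    # The DPM copy must track the Exchange server through service packs.
    $srcVer = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($src).FileVersion
    $dstVer = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dst).FileVersion
    if ($srcVer -ne $dstVer) {
        Write-Warning "$file version mismatch: Exchange $srcVer, DPM copy $dstVer"
        $ok = $false
    }

    # A 64 bit binary copied to a 32 bit DPM server (or the reverse) cannot load.
    $arch = Get-PEMachine $dst
    if ($arch -ne $dpmArch) {
        Write-Warning "$file is built for $arch but DPM is $dpmArch"
        $ok = $false
    }
}
if ($ok) { 'eseutil.exe and ese.dll match the Exchange server.' }
```

    Re-running it after each Exchange service pack or rollup shows when the copies on the DPM server have fallen behind.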

    Step 3: Deploy the DPM agent to the Messaging Server

    On the messaging server, connect to where you have the install files for DPM – in my case, I copied them to the DPM server. Run the agent installer (x64 version).

    net use k: \\svrdpm\c$\DPM2007\agents

    k:

    dpmagentinstaller_amd64.exe

    The agent will now be installed. Once complete a reboot will be required, but it is not initiated by the agent installer. Manually restart the server when appropriate.

    Step 4: Attach the Client to the DPM Server

    From the DPM server, we need to run a DPM PowerShell script to connect the agent to the DPM server.

    Open the DPM Management Shell and run Attach-ProtectedServer.ps1. Enter the name of the DPM server, the name of the server to attach, then your user credentials.

    image

     

    Step 5: Set the DPM Agent to connect to the server

    The last step should have connected the agent to the server, but I haven’t had it work at this stage – the DPM console lists the server, but shows an error connecting to the protected server. We need to ensure that the agent is configured correctly and that the firewall on the protected server is allowing connections from the DPM server.

    To do this, go to the protected server, open a command prompt and navigate to the DPM binaries folder (normally C:\Program Files\Microsoft DPM\DPM\bin) and run the following command:

    SetDPMServer -dpmServerName DPMSERVER

    where DPMSERVER is the name of your DPM server. This will configure the DPM agent correctly and also configure the Windows Firewall as appropriate.

    image

    The DPM management console should now show that the server is able to communicate with the agent (on the management tab). In this screenshot, I’ve already protected MESSAGING, but MANAGEMENT just has the agent installed.

    image

     

     

    Step 6: Configure the protection group and add the exchange databases

    I’ll continue with this in the next post.

    May 28

    EEEPC and Mesh

     

    I've been lucky enough to get accepted onto the Live Mesh preview and have been exploring it for the last few days. It always looked like it would be useful, but now it has a real tangible use!

    I've just obtained an Asus eeePC - the tiny little 7" solid state laptop that's been creating so much interest over the last few months. I wanted one primarily as an internet access device, but also for note taking and a quick simple tool for blogging.

    Replacing the standard Linux image with Windows was pretty straightforward, but as much as I do like Vista, I think it would be a step too far for this machine, so I went with a clean install of XP SP3.

    The eee PC is a bit of a departure from most current laptops, as it uses a small solid state disk (SSD) rather than a hard disk. This does limit its disk space to 4GB, but it should be much faster than a hard disk and should have a positive effect on battery life and resiliency, as it has no moving parts.

    Using nlite to remove non-essential parts of windows, I got my install down to under 1GB, leaving me over 2.5GB of space to install office, apps and data. I'll be interested to see just how long the solid state drive lasts - although these devices have a finite number of times each block can be written to, based on the online research I've done, this should not be a problem with a modern drive, and the device should have a long lifespan.

    So where, you may be asking, does Mesh come into this picture? Well, I already have mesh installed on my home PC and work laptop. By installing mesh on the eee pc, I can now sync automatically between the devices. Basically, I have 2 folders on my desktop - one for work, one for personal files. Simply saving or copying a file into one of these folders causes the file to be instantly replicated to all my devices! So, no more forgetting about files I've been working on on the home PC or vice versa!

    More than that, I can also choose to share these folders with another person simply by emailing them an invite to the folder. On top of this, I can also access the files from any other device, if I have chosen to sync them onto my "live desktop", a virtual desktop hosted by Microsoft, that I guess is a kind of smarter version of skydrive.

    Here is a picture of the mesh interface showing my devices:

    image

    I can access this web page from anywhere, and access files via the live desktop. If any of the connected devices are online, I can even remote desktop directly to them, although this is very slow - I assume because mesh is run from US datacentres right now.

    More on mesh to come...

    May 13

    EBS Pricing Announced!

    Microsoft have just announced the pricing for Essential Business Server and Small Business Server, along with details on the public preview.

    http://www.microsoft.com/presspass/press/2008/may08/05-13PublicPreviewPricingPR.mspx

    Now that this information is in the public domain, I'm allowed to talk more about what we've been doing with EBS over the last month or so.

    Look out for lots more posts in the coming days!

    April 26

    Remote remote remote desktop!

    I'm sitting here at Newark airport waiting for a connection to Seattle. I'm on my way to Microsoft Redmond for some more in-depth training from the product team on Essential Business Server (more on that later).

    I've got wireless Internet access, and have a remote desktop opened onto our production EBS beta 2 management server via the remote web workplace. From there I have a RDP session opened to another machine on our internal network. (can't run OA directly on management as scripting is disabled, not that it would be a great move from a security perspective anyway). From there I have then opened a web session to the onboard administrator on our HP c3000 blade system. From there, is yet another hop to the Integrated lights out management on the management server blade on the test system!

    The fact that this works at all is quite incredible! In reality, it works better than I would have expected - contended wireless -> transatlantic link -> remote desktop -> remote desktop -> OA -> ILO.

    Anyway, the upshot of all of this is that using the ILO and out of band management, I can finish configuring the firewall rules and VPN on my current EBS test system from half way round the world!

    January 24

    Essential Business Server Hardware Requirements

    So, now that we are running EBS in production, what hardware are we using?

    None of our existing servers were really up to the job, and we would require a clean install in any case, so new hardware was the only option. We decided on the very cost effective HP ProLiant DL385 - Dual processor capable AMD Opteron boxes.

    EBS Servers

    To keep costs under control, we have gone for fairly basic spec machines:

    Management - Single Opteron, 2GB ECC RAM, 2 x 146GB SAS RAID1 - O/S, 3 x 72GB SAS RAID 5 Data

    Security - Single Opteron, 2GB ECC RAM, 2 x 146GB SAS RAID1 - O/S and data

    Messaging - Single Opteron, 2GB ECC RAM, 2 x 146GB SAS RAID1 - O/S, 3 x 72GB SAS RAID 5 Data

    Although the minimum requirements for EBS are stated as 2GB RAM on the messaging server, quite soon after install, we ran into some performance issues. Upgrading to 4GB has cured these problems, and we have had a stable system since.

    When we move to release candidate sometime later this year, we will migrate onto a new HP c3000 Blade System - more on this soon.

    Migrating Public Folders to Essential Business Server

     

    While the documentation for Essential Business Server covers the process for migrating public folders from an existing Exchange 2000 or 2003 server to EBS, it does not cover the steps required if migrating from Exchange 2007.

    At present, this probably won't be too common a scenario, but it will happen. In our environment for example, we have been running Exchange 2007 more or less since it released so we could use its Unified Messaging features.

    It turns out that migration is a pretty straightforward process, although it's not particularly well documented - there's not a great deal out there on Exchange 2007 public folders.

    Create Database

    The first step is to create a public folder database if one was not already created during EBS setup. To do this, open ESM on the EBS Messaging Server, go to server configuration -> Mailbox -> select the EBS server, then select a storage group (create a new storage group if required), then right click and select "New Public Folder Database".

    image

    Enter the location for the database and name it.

    Replicate Folders

    The next step is to replicate the folders across from the old server to the EBS Messaging server. There is an exchange powershell script that will do exactly this:

    Open the exchange management shell on the EBS messaging server, then navigate to the c:\program files\microsoft\exchange server\scripts folder. Execute the script MoveAllReplicas.ps1:

    .\MoveAllReplicas.ps1 -server OLDSERVER -newserver NEWSERVER

    This will start the process of adding a replica to each public folder, replicating the data and removing the original server from the replica list. Depending on the amount of data, this could take hours or even days. You can monitor progress in the event logs, checking for Exchange replication messages.

    To confirm that the process is complete, use the Get-PublicFolderStatistics cmdlet and specify the server name:

    Get-PublicFolderStatistics -server OLDSERVER

    When replication is complete, there should be no output from this command. You can also check the statistics for the folders on the new server.

    Update Default Public Folder Database

    This is the step that I missed initially, and couldn't understand why my Outlook clients were not accessing the folders on the EBS messaging server. Each mailbox database has an associated default public folder database, and directs Outlook clients to this. From ESM open the properties of the mailbox database, go to the client settings tab and change the default database to your newly migrated public folder database.

    image

     

    Confirm All is Well

    You can now dismount the database on the old server and ensure that clients can successfully access public folders. You can verify that the clients are no longer trying to connect to the old server by CTRL-right clicking the Outlook system tray icon and checking connection status:

    image

    Finally Remove Database

    Now that all the replicas have been removed and we've checked everything is ok, we can now go ahead and remove the original public folder database. Note that exchange will prevent you from doing so if it still contains data.

    Simply delete the database from ESM. Note that it must be mounted so that Exchange can verify it is safe to delete before going ahead with the deletion.