Active Directory 2019 and Exchange 2019 – what’s new

The short answer is – not much.

Exchange 2019 was released a few weeks back, but was effectively un-usable, as Exchange 2019 requires Windows Server 2019…. and Windows server 2019 got pulled from release (like Windows 10 1809) due to some issues.

Windows Server 2019 was re-released a few days ago, which allowed nerds everywhere (including me) to put Server 2019 and Exchange 2019 into a test environment.

The most striking thing that is immediately noticeable is that everything looks the same…. The install process, the GUI, the management, all looks the same as it did in 2016. To me, this is a good thing – while Microsoft of the past seemed to believe that moving functions between areas was good – some consistency is nice to have too.

 

Active Directory

First appearances indicate there is nothing new in AD 2019, the installation process and management is exactly the same as 2016.

While installing, there is not even an option to set the forest and domain functional level to “2019” – only 2016.

A quick look at the schema version indicates it has increased and quick google finds this article

https://blogs.technet.microsoft.com/389thoughts/2018/08/21/whats-new-in-active-directory-2019-nothing/

So, while there is something new in the schema, its an incredibly small update….. and there are no new features or functionality of any type to focus on.

 

Exchange 2019

Exchange 2019 is a bit the same as AD, everything appears to be the same as Exchange 2016, from the install process to the management interface.

A google comes up with this

Should you upgrade to Exchange Server 2019?

So there are some changes and feature updates – but these updates may not have an impact/matter to your organization.

 

I found these two releases interesting overall as

  • AD is the core of many enterprise networks
  • Exchange is a core business application

To see a new release of both of these products with very minimal improvements I think demonstrates where all Microsoft’s development effort is going (which, to be fair, we already knew)

 

Migration of public folders to exchange 2013/2016

I’ve done a few of these…. but most corporates (at least that I’ve dealt with) use public folders quite lightly – if at all…. so the migrations have been quite simple.

 

Recently, I was tasked with moving a smaller business (through a partner) from 2007 to 2013 then 2016.

The mailbox move from 2007 to 2013 went flawlessly.

Then we came to their public folders…. approx. 400GB – from which they apparently run a lot of their business.

Ran through the (painful) process of removing trailing spaces, backslashes, dead permissions etc… not hard – just slow, manual and annoying.

There is an article here that talks about the hassle of migrating PF’s – https://thoughtsofanidlemind.com/2013/12/13/migration-modern-public-folders/

On the first migration attempt, the extent of these corrupt items and oversize items was discovered (3000 corrupt items and hundred’s of items that were oversize) – then discussed with the business.

So here we have the first fucking boomingly huge issue with public folder migration…. there are no powershell commandlets to help you get the size of items (you can get the size of folders, but that’s not helpful) that will be considered oversize… so you cannot identify these items prior to migration. To add to that, even if you could identify them, there is no nice way to say “export these items to PST, then delete” or as part of the migration batch “migrate all large items”

The next issue here is that through the GUI, you can see a list of skipped items and why they were skipped (corruption or oversize) – there doesn’t appear to be way to get this information via powershell so you nicely export it and give it to the customer (or sort it yourself)

The business stated that corrupt PF’s weren’t vital, but the large items were needed.

Even after lifting the size limit to 500MB, there were still lots of items that were too large.

I tried to accommodate these large items and found the exchange migration mailbox (a default database which I leave in the default location) – which should only ever be used in transit, proceeded to grow, fill up the disk that logs were on and cause a dirty shutdown and corruption…  so I haven’t my lesson there…. if a client is using PF’s as a file store for items of 500mb over – refuse to migrate until these items are removed…. (unfortunately you need run a “dummy migration” then look at the skipped items list to identify these items!)

Anyway – long story short – the moral of this, very annoyed, story

Public folder migration to Exchange 2013/2016 sucks. It has clearly been put in as an after-thought to appease some organisations – and is only suitable for light users of PF’s

If a customer is a heavy public folder user, do not change the default “large item” size to accommodate them. Refuse to migrate them and notify them the items will be lost.

 

Exchange 2013/216 receive connector selection process

On a recent gig, the local tech wanted some more detail on the receive connector selection process… I explained the whole “most defined” IP set wins (i.e. 192.168.0.23 will be selected over 192.168.0.0/24), but was unable to find any TechNet articles to back that up.

Fortunately, this guys nails it, with a good explanation and examples…

http://markgossa.blogspot.com.au/2016/01/receive-connector-selection-exchange-2013-2016.html

good work Mark Gossa.

 

KB3124557 sets exchange 2013/2016 services to disabled

A patch for exchange 2013 and 2016 sets all exchange services (and IISAdmin and W3SVC) to disabled after installing

https://technet.microsoft.com/en-us/library/security/ms16-010.aspx

Its not a disaster, just simply set all the services back to automatic, start them, and away you go….

Still, the joke conspiracy from a mate of mine a while back of “The marketing team are forcing the exchange team to fuck up updates, as a way of pushing people to exchange online”, based on the amount of botched updates, is becoming more and more plausible.

Handy list of antivirus exclusions for MS products

http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

I am still very much of the opinion that file level anti-virus does not belong on servers such as exchange, SQL, SCCM etc… however, for places that flat-out refuse to apply logic – and want anti-virus on everything, this is a very good starting point to apply the mountains of exclusions required.

Direct Access 2012 and Outlook RPC/HTTP

I have a client for whom i recently implemented 2012 Direct Access…. there was a number of teething problems in the implementation – but once its working, DA is actually pretty good.

If i could ask the product team for anything in DA 2012 R2, it would be

  • re-introduce wildcard certificate support (it was in UAG DA for 2008 R2, not sure why it got left out of 2012)
  • Make the status reporting dashboard check for local firewall status (that its on and that the rules have been correctly added) as part of its health check
  • Release Win7 SP2 and make it support “simple” DA auth (i know this isn’t going to happen… but it doesnt mean it wouldn’t be nice!)

Anyhoo….. at this particular client, they had decided to do one of my most hated things – use the same url internally and externally for the configuration of web services in exchange. I avoid this configuration where-ever possible…. although i understand at small sites where only one server is present – it may seem like the only option – solutions such as TMG (or another reverse publsiher), SAN certificates or creating additional exchange web services on different ports are all valid ways of getting around that config.

As to why it had been done at this client who is substantially larger…. well, the consultancy that did it…. i have very different views to them on good practices for exchange design…. and the client has a DAG without a load balanced CAS – so there is no true fail-over anyway…. grrr…. but i digress.

Due to the configuration of the same url’s internally and externally for web services, i added an entry into the DA NRPT so it would always resolve to the internal name…. issue is, that users were still getting prompted for auth, because the outlook client detected a slow connection and used RPC/HTTP, which is configured for basic auth (another config item i diagree with).

What i had not know before (because i hadnt needed to) was that you can disable RPC/HTTP on a per-mailbox basis…. using the command

Set-CASMailbox –Identity <alias> –MAPIBlockOutlookRpcHttp $True

While the better solution is to fix the exchange design (different URL’s and NTLM for RPC/HTTP) – its a handy work-around.

Exchange 2013 Gotcha’s

Found this article today

http://theessentialexchange.com/blogs/michael/archive/2013/01/06/exchange-server-2013-gotchas.aspx

it’s nigh on 3 months old – but it lists some of the issues with Exchange 2013 RTM.

Prior to finding this article – I hadn’t been able to find any list of issues with the release, but my own list of issues was growing.

Exchange 2013 release seems to have been rushed a little, but lets hope that these issues are addressed by CU1 (which is due anytime now) – and I’m really hoping the EMC makes it back in by SP1 (but I doubt it!)

Exchange 2010 recovery scenario – OS disk dead

Exchange recoveries don’t come up very often these days (for me at least), with exchange 2010 and win 2008R2 being so solid… and virtualisation… the loss of server hardware or corruption of the OS is just becoming less and less common.

Anyhoo – a client had a SAN disk die – and for reasons which I didn’t delve too deeply into, apparently the RAID5 didn’t work and they lost one vdisk…. (yes, it sounds suss to me too…. this was a EVA4400… so not a cheap SAN)  this vdisk happened to have the exchange OS partition on it…. but the database and log disks were fine….

So, we built up a server with the same name as the old one, gave it the same IP and joined it the domain…. the connected the logs and database drives to the newly built server.

Using ADSIEdit, I then looked up the path to the database, as the client could not remember which drive had which letter – if your in this situation, fire up ADSIEdit and connect to the configuration partition, then navigate to CN=DatabaseName,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ORGNAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=blah,DC=au

have a look at the properties msExchEDBFile and msExchESEParamLogFilePath…. this will help you allocate the drive letters correctly should you run into a site that doesn’t know this or have it documented.

Next issue – versioning…. the client wasn’t sure which Service Pack version exchange 2010 was at, but though it was SP2.

I grabbed the SP2 media and after installing the pre-reqs, ran setup /mode:RecoverServer

First error came up for the CAS and HT roles…. must install a version of 14.1.218.5 or later….. that number relates to Exchange 2010 SP1 RTM…. funny, SP2 is later than SP1… but oh well…. SP1 it is….

So I grabbed the SP1 media and re-ran the setup command…. and proceeded to get

[ERROR] The internal transport certificate for the local server was damaged or missing in Active Directory. The problem has been fixed. However, if you have existing Edge Subscriptions, you must subscribe all Edge Transport servers again by using the New-EdgeSubscription cmdlet in the Shell

because there is not another exchange server within this environment, I cant simply remove the edge transport from the GUI… so I went searching in ADSIEdit to

CN=HTServer,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ORGNAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=blah,DC=au

Go to the properties of the HTserver container and the properties of the property “msExchEdgeSyncCredential” – remove the 3 entries.

Try the recovery again, and get

     A Setup failure previously occurred while installing the HubTransport role.

Either run Setup again for just this role, or remove the role using Control Panel.

Awesome…. try to uninstall via control panel, no go, try to uninstall via command line, no go…. so, the solution:

  • Open up regedit
  • Navigate to HKLMSoftwareMicrosoftExchangeServerV14
  • Delete the “Action” and “watermark” keys

Now re-run the install – all is good…. yay!

Next up, re-allocate the certificates on the server, re-associate the edge transport – and test (and then upgrade to SP2 RU5v2 as of time of writing!)

All in all, the recovery procedure is still good, but complicated a bit by the edge transport being present (im not a fan of edge transports…. use a HT with forefront for exchange with port 25 published via TMG instead….. or if you prefer, an ironport)

Exchange/Lync/Office 2013 now available

well, so much for “available to technet subscribers in mid november” – Exchange, Lync and Office 2013 are available on the technet downloads site now….

Exchange 2013 is kind of usless right now – as to interoperate with exchange 2010, SP3 is required (http://technet.microsoft.com/en-us/library/aa996719(v=exchg.150).aspx) – and SP3 isnt out yet – and according to this (http://blogs.technet.com/b/exchange/archive/2012/09/25/announcing-exchange-2010-service-pack-3.aspx) wont be out until “1st half” of 2013…. thats a potential long wait…. so really, the product has bene released before its ready.