Friday, November 21, 2008

Rollup 5 for Exchange Server 2007 Service Pack 1

If you have not had a chance to look into RU5, here it is, along with all the fixes. There are quite a few fixes, and I recommend you all schedule deployment to your Exchange 2007 servers.

More information can be found in KB953467 below:

http://support.microsoft.com/?kbid=953467


Best,

Oz ozugurlu MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com/


Tuesday, November 11, 2008

Why we should not install Exchange on Domain Controllers

The post below is from TechNet; to me it is very interesting and has great value. Installing Exchange on a domain controller seems to happen from time to time, and every time it makes me say: No, no, no (-: In the same way, I most often get upset when I see another application on a domain controller. Yes, I do know Microsoft gives you everything in Small Business Server and tells you to install it, which always makes me say: no, no, no, please (-: don't do it.

The point is that those of you who work in enterprise environments will know that the best practice is to dedicate separate resources to each server, and of course it costs more $$$$.

Anyway, some basic troubleshooting skills and knowing some of the thresholds for Exchange and Outlook are the key to identifying the bottlenecks and performance-related issues, which are addressed in this article.

Here is the situation:

The domain controller was configured by somebody else, w2k3 with all SPs. I had to install exchange 2003 on that server.

The installation went fine, and exchange is working perfect ....BUT The webmail is working fine, but the communication between exchange and Outlook is a problem. When I configure outlook to use exchange, and when I click on 'check name', the DNS resolving is already slow, but it resolves .... Then, when I want to start outlook it says (on all clients) that there is no communication possible with the Exchange server and outlook shuts down.

Response

Thomas, this is going to be the third time you hear the same thing (-: installing Exchange on a domain controller is *** no, no, no for many reasons; the obvious ones are performance, unhappy clients and more work for you. Complicating scenarios like this will make clients and the business suffer, in my opinion.

Anyway, the way the Exchange application is built, by design it will consume all memory resources (Store.exe, for instance) and will leave your OS (Windows 2003) and your DC's Lsass.exe not so happy; up front this may cause replication problems, lookup problems and performance problems sooner or later.

For future reference, please do not install Exchange on a domain controller. Domain controllers are busy: they authenticate users, they deal with the (.dit) database, and they don't like sharing their resources with any other application, Exchange included.

In your case they do even more: they are GCs and WINS servers, and who knows whether you have other services turned on.

Now for your outlook slowness problem let's focus on the statement you made

"Communication between exchange and Outlook is a problem."

When you configure Exchange for a client in Outlook, in the setup window that asks for the name of your Exchange server and the client name, you can enter the name of your domain controller instead of your Exchange server.

This triggers a quick lookup of the user's mailbox location: the request goes to the AD database, the user object is located, the attribute called "ExchangeHomeDB" is read, and the name of the Exchange server is quickly placed into the Outlook setup.

Before I speculate more about the problem, can you please post some of the event logs from your Exchange server (application logs), if there is anything interesting?

General questions I would ask

Does the Outlook client close on all the workstations? Try multiple workstations and make sure this is not a client-side issue such as a wrong link speed on the NIC, a bad switch, etc.

Open Outlook on one of the clients with outlook /RPCdiag and observe the window to see where Outlook is trying to connect.

As was suggested before, since you have Exchange and the DC/GC on the same box, this generates stress on the DC, and Exchange lookups might be the problem; poor performance from the DC/GC to Exchange will cause slowness.

Are you seeing any errors such as "Outlook is retrieving data from exchange server", the famous Christmas balloon?

Check this article; it might give you an idea of how Outlook works:

http://smtp25.blogspot.com/2007/05/outlook-is-retrieving-data-from_23.html


Remember

The server that Outlook queries for this information is either a "Microsoft Exchange Server" or a "Global catalog server", which is the same box in your case.

If the server name appears as a NetBIOS name, the data is being retrieved from an Exchange Server computer. If the server name appears as a fully qualified domain name (FQDN), the data is being retrieved from a global catalog server.

You may have to turn on some of the performance counters on the Exchange server to identify the bottleneck.

On the bottom of this article

Troubleshoot performance issues

Physical disk (all instance)


  • Avg Disk Sec/Read
  • Avg Disk Sec/Write
  • Current Disk Queue Length


MSExchangeIS


  • MSExchangeIS
  • RPC Averaged Latency
  • RPC Requests
  • RPC Operations/Sec


Finally

Typically, it is a good idea for the RPC Requests counter to be lower than 10.

If it is higher than 25, this is an indicator of a resource bottleneck.

Only 100 requests can be handled at the same time.

If the RPC Requests reach 100, the client will experience refused connections

The recommended values for the Avg Disk Sec/Read counter and for the Avg Disk Sec/Write disk counter are as follows:

  • Good < 20 msec
  • Fair < 30 msec
  • Poor < 40 msec
  • Cache/Exec < 1 msec
  • Cache/Good < 2 msec
  • Cache/Fair < 4 msec

You need to spend time identifying all of these and come to a conclusion.

Good luck

Oz
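
Applying the thresholds above to a counter log, as an added example that is not part of the original post. The CSV is constructed sample data in the layout typeperf writes, EXCH01 is a placeholder server name, and the function names are hypothetical.

```powershell
# Added example. Constructed sample data in the PDH-CSV layout written by
# "typeperf -f CSV"; EXCH01 is a placeholder server name.
$sampleLog = @'
"(PDH-CSV 4.0)","\\EXCH01\PhysicalDisk(_Total)\Avg. Disk sec/Read","\\EXCH01\PhysicalDisk(_Total)\Avg. Disk sec/Write","\\EXCH01\MSExchangeIS\RPC Requests"
"11/11/2008 10:00:00.000","0.012","0.018","6"
"11/11/2008 10:00:15.000","0.034","0.022","27"
"11/11/2008 10:00:30.000","0.051","0.027","100"
'@

# Rate one sample against the thresholds listed in the post.
function Get-CounterRating {
    param([string]$Counter, [double]$Value)
    switch -Wildcard ($Counter) {
        'Avg. Disk sec/*' {
            $ms = $Value * 1000          # the counter reports seconds
            if     ($ms -lt 20) { 'Good' }
            elseif ($ms -lt 30) { 'Fair' }
            elseif ($ms -lt 40) { 'Poor' }
            else                { 'Above every listed range' }
        }
        'RPC Requests' {
            if     ($Value -ge 100) { 'Limit of 100 reached, connections refused' }
            elseif ($Value -gt 25)  { 'Resource bottleneck' }
            elseif ($Value -lt 10)  { 'Good' }
            else                    { 'Above 10, watch it' }
        }
        default { 'No threshold given' }
    }
}

# Parse the log and return every sample that is not rated Good.
function Test-CounterLog {
    param([string]$Csv)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $columns = @($row.PSObject.Properties)
        $time = $columns[0].Value        # first column is the timestamp
        foreach ($col in ($columns | Select-Object -Skip 1)) {
            $name   = ($col.Name -split '\\')[-1]    # counter name, last path element
            $rating = Get-CounterRating -Counter $name -Value ([double]$col.Value)
            if ($rating -ne 'Good') {
                [pscustomobject]@{ Time = $time; Counter = $name; Value = $col.Value; Rating = $rating }
            }
        }
    }
}

Test-CounterLog -Csv $sampleLog | Format-Table -AutoSize
```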


Friday, November 7, 2008

Some Random Thoughts for AD & DNS best practices.





DNS, the Domain Name System, is widely accepted and is used heavily with Active Directory and AD DS. I have noticed that administrators often try to tune DNS or wonder what the correct way to deal with it is. I decided to put together some best practices and tune-ups that I use all the time and share them with you here on my blog.

Before we dive into DNS, I want to refresh some useful information about DNS ports.

  • Most of us know that DNS uses port 53, UDP and TCP, depending on the query.
  • The DNS service uses dynamic UDP ports (above 1023) for all standard client query messages.
  • The client sends requests from a random port above 1023 to server port 53.
  • DNS servers respond from port 53 to the originating port on the client (above 1023).
  • Only server-to-server communication goes from port 53 to port 53, for requests as well as responses.

What are some of the best practices for configuring and tuning DNS servers in Active Directory? Please note that most experienced administrators will recommend using AD-integrated DNS.

  1. Point each DNS server to itself as its primary DNS in the TCP/IP properties. Pointing an AD/DNS server to the ISP DNS servers in the TCP/IP properties is NO NO NO !!!!!!
  2. Install DNS on domain controllers and use the Active Directory-integrated DNS option.
  3. Using more than 2 NICs on the DCs/DNS servers is NO NO NO !!!!!!
  4. Every DC registers a bunch of dynamic records in DNS, and having two NICs will confuse the clients and applications that are trying to locate services from DCs, so avoid the trouble and don't let this happen. Most often I see the genius idea of having a second interface on the domain controller for backup purposes (a backup VLAN).
  5. Disable all other interfaces, if there are any, and name them "Disabled do not enable". In the TCP/IP properties of each disabled interface, on the Advanced tab, leave "Register this connection's addresses in DNS" unchecked, in case the interface gets enabled and registers itself in the DNS database.
  6. Forward the recursive queries for which your domain is not authoritative to the ISP DNS servers and let them do the heavy work (internet connectivity for the servers and clients).
  7. Enable the root hints option alongside forwarders, in case the forwarders do not respond to queries.
  8. In the NIC properties of your DC/DNS server, make sure the option "Register this connection's addresses in DNS" is checked.
  9. Go to your DNS console, locate _msdcs.yourDomain.org under the forward lookup zones, go to Properties, click Name Servers and make sure all the servers listed there are domain controllers and are functioning properly. Each IP listed there claims to serve the DNS namespace for your domain and will respond to queries. If an IP address listed there is no longer a DC/DNS server, remove it from the list.
  10. Go to your DNS console, locate _msdcs.yourDomain.org under the forward lookup zones, and at the bottom make sure "Secure only" is selected. If you have UNIX servers updating DNS you will need to enable nonsecure and secure updates, but in most cases it is "Secure only". Unless you really know the environment, don't poke around with this setting; leave it secure.

    Make sure the zone type is Active Directory-Integrated.

    You can enable dynamic updates from the command line (1 allows them, 0 does not):

    dnscmd ServerName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}


  11. The same goes for the SOA and NS records: make sure the IP addresses listed there are healthy, valid DC/DNS servers.
  12. Open the DNS console, right-click the computer icon at the very top and go to Properties.
     • Interfaces, "Listen on"
     • Select "Only the following IP addresses"
     • Make sure there is one interface (Production) listening for DNS
     • I recommend renaming each NIC as "Production" so you know what it is by looking at the interface.
  13. Click on Forwarders
     • List the ISP IP addresses under forwarders for internet name resolution
     • Enable "Use root hints if no forwarders are available"
  14. Click on Advanced
     • Enable the following:
     • Fail on load if bad zone data
     • Enable round robin
     • Enable netmask ordering
     • Secure cache against pollution
     • Make sure "Name checking" is Multibyte (UTF8)
     • Load zone data from Active Directory and registry
  15. Click on Monitoring
     • Select a test type
     • Simple query against this DNS server
     • A recursive query to other DNS servers
     • Make sure it passes
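
One way to check several of the settings above from PowerShell instead of clicking through the console, as an added example that is not part of the original post. It assumes the DnsServer module that ships with Windows Server 2012 and later (or RSAT), only reads settings, and the function name Test-DnsChecklist is hypothetical.

```powershell
#Requires -Modules DnsServer
# Added example. Assumes the DnsServer module (Windows Server 2012 or later,
# or RSAT). It reads settings and changes nothing.
function Test-DnsChecklist {
    param([string]$ComputerName = $env:COMPUTERNAME)

    function New-Finding($Check, $Target, $Detail) {
        [pscustomobject]@{ Check = $Check; Target = $Target; Detail = $Detail }
    }

    # Primary zones should be AD-integrated and accept "Secure only" updates.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.ZoneName -ne 'TrustAnchors' } |
        ForEach-Object {
            if (-not $_.IsDsIntegrated) {
                New-Finding 'Zone type' $_.ZoneName 'not Active Directory-integrated'
            }
            if ($_.DynamicUpdate -ne 'Secure') {
                New-Finding 'Dynamic updates' $_.ZoneName "set to $($_.DynamicUpdate), expected Secure"
            }
        }

    # Interfaces tab: listen on the single production address only.
    $server = Get-DnsServerSetting -ComputerName $ComputerName -All
    $listen = @($server.ListeningIPAddress)
    if ($listen.Count -ne 1) {
        New-Finding 'Interfaces' $ComputerName "listening on $($listen.Count) addresses: $($listen -join ', ')"
    }

    # Advanced tab: round robin and netmask ordering (LocalNetPriority).
    if (-not $server.RoundRobin)       { New-Finding 'Advanced' $ComputerName 'round robin disabled' }
    if (-not $server.LocalNetPriority) { New-Finding 'Advanced' $ComputerName 'netmask ordering disabled' }

    # Advanced tab: "Secure cache against pollution".
    if (-not (Get-DnsServerCache -ComputerName $ComputerName).EnablePollutionProtection) {
        New-Finding 'Advanced' $ComputerName 'cache pollution protection disabled'
    }

    # Forwarders tab: forwarders listed, root hints as the fallback.
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    if (-not $fwd.IPAddress)   { New-Finding 'Forwarders' $ComputerName 'no forwarders configured' }
    if (-not $fwd.UseRootHint) { New-Finding 'Forwarders' $ComputerName 'root hints fallback disabled' }
}

Test-DnsChecklist | Format-Table -AutoSize
```

An empty result means none of the checked settings deviates from the list; the NIC registration and name server entries still need a manual look.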

A couple of things to remember

  • Never install any other application on the DC itself. DCs are busy: they have the AD DS database installed on them and they authenticate users, so leave them alone.
  • Installing Exchange on a domain controller is NO NO NO !!!!!!
  • Installing any other application on a DC is NO NO NO !!!!!!
  • Not following MS best practices on the physical and logical partitioning of the domain controllers is NO NO NO !!!!!!

Best practices for DNS

Frequently Asked Questions About DNS

Troubleshoot DNS Name Resolution

10 DNS Errors That Will Kill Your Network

Troubleshooting Active Directory DNS Errors


Monday, November 3, 2008

Outlook 2003: Inbox - unable to display folder



Problem

On a Terminal Server, some users are reporting "Unable to display folder" for their Inbox. All other folders seem to be fine, and users can compose new e-mail and send it without any problems; however, accessing the Inbox generates the error.

Solution:

After poking around with security settings, we discovered the fix was very easy: start Outlook with the /cleanviews switch. Outlook froze for a little while, and the magic switch did the trick.

Why this happened:

I wish I could come up with a logical answer for the corruption of the default views, but I am in the dark; who knows. The reality is that knowing some of the Outlook switches is very useful and saves time for sure.

I did a post a while back about these switches; here are some of the handy ones:

  • /cleanviews
  • /CleanProfile
  • /CleanReminders
  • /CleanRules
  • /ResetFolders
  • /Rpcdiag
