ACTIVE DIRECTORY PREPARATION AND INSTALLATION OF CAS SERVER
On Day 1, we planned our new Exchange 2007 organisation and decided the order of the jobs we have to do. After that introduction, we can get into the real job: installing the Exchange 2007 servers. But first things first: I have to check the functional levels of the forest and the domains (whether they are Windows 2003 native or not). In addition, I have to check the operating system and service pack levels of the DCs (whether they are at least Windows 2003 SP1 or not). After these checks, I log on to one of the DCs and install PowerShell 1.0. Then I put the Exchange 2007 DVD in the DVD-ROM drive and enter the commands shown below at the command prompt. At this point, I want to advise you to back up your Active Directory before running these commands, because they change and add lots of attributes directly in the Active Directory schema (anything can happen). I prefer to wait long enough after each command to be sure that everything is working well. Here are the commands:
setup.com /PrepareLegacyExchangePermissions
setup.com /PrepareSchema
setup.com /PrepareAD
setup.com /PrepareDomain
setup.com /PrepareAllDomains
Setup.com is the setup executable on the Exchange 2007 DVD. With these commands, we prepare the Active Directory schema and the domain infrastructure for the Exchange 2007 organisation. The user that runs the commands must be a member of the Schema Admins group for /PrepareSchema and of the Domain Admins group for /PrepareDomain. In addition, if we are doing all these jobs on a 32-bit server, we have to use the 32-bit version of the Exchange 2007 DVD (just for these commands). But we can't use the 32-bit version of Exchange 2007 on production servers, because Microsoft doesn't support it. This means that the 32-bit version is only for test environments and for Active Directory preparation. Also, Exchange 2003 must not be installed on the DC on which you run these commands; otherwise, you will get an error.
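The checks described above (functional levels, DC service pack levels, group membership, no Exchange 2003 on the DC) can be scripted so they are done the same way every time. The following is an added pre-flight script, not code from the original post; it uses the .NET System.DirectoryServices classes (available with PowerShell 1.0 on Windows Server 2003, no extra module needed) and takes the post's own thresholds of Windows 2003 native mode and SP1. Run it on a domain-joined machine as the account that will run setup.com.

```powershell
# Added pre-flight check (not part of the original post). Thresholds are the
# post's own: Windows 2003 forest/domain level, DCs at Windows 2003 SP1 or newer.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# 1. Forest and domain functional levels. The enum values grow with the level,
#    so a numeric comparison against the Windows 2003 members is enough.
$minForest = [int][System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
$minDomain = [int][System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain
"Forest {0}: {1} (ok: {2})" -f $forest.Name, $forest.ForestMode, ([int]$forest.ForestMode -ge $minForest)
"Domain {0}: {1} (ok: {2})" -f $domain.Name, $domain.DomainMode, ([int]$domain.DomainMode -ge $minDomain)

# 2. Every DC must run at least Windows Server 2003 SP1. Windows Server 2003 is
#    NT 5.2, so accept 5.2 with SP >= 1, or any newer major/minor version.
foreach ($dc in $domain.DomainControllers) {
    $os  = Get-WmiObject Win32_OperatingSystem -ComputerName $dc.Name
    $ver = New-Object System.Version $os.Version
    $newer = ($ver.Major -gt 5) -or ($ver.Major -eq 5 -and $ver.Minor -gt 2)
    $sp1   = ($ver.Major -eq 5 -and $ver.Minor -eq 2 -and $os.ServicePackMajorVersion -ge 1)
    "DC {0}: {1} SP{2} (ok: {3})" -f $dc.Name, $os.Caption, $os.ServicePackMajorVersion, ($newer -or $sp1)
}

# 3. The account running setup.com needs Schema Admins for /PrepareSchema and
#    Domain Admins for /PrepareDomain. whoami /groups lists the token's groups.
$groups = whoami /groups
foreach ($g in 'Schema Admins', 'Domain Admins') {
    "Member of {0}: {1}" -f $g, [bool]($groups | Select-String -SimpleMatch $g)
}

# 4. Exchange 2003 must not be installed on the DC where the commands run; the
#    Exchange 2003 Information Store service (MSExchangeIS) is the indicator used here.
$store = Get-Service -Name MSExchangeIS -ErrorAction SilentlyContinue
"Exchange 2003 on this host: {0}" -f ($store -ne $null)
```

Every line of output ends with an ok/true/false flag, so a single false anywhere means stop and fix before touching the schema. The WMI query in step 2 needs the account to be a local administrator on each DC, which the Schema Admins/Domain Admins account used for the preparation already is.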
After I run the commands for Active Directory preparation, I write a registry entry on all Exchange 2003 servers in my organisation. For this purpose, I open the registry and find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RESvc\Parameters. Under this key, I create a DWORD entry called SuppressStateChanges and give it a value of 1. Here is why I am doing this: Exchange 2003 servers communicate with each other through broadcast messages to learn the status of the connections between them. These broadcast messages are of two types: major and minor. Sometimes these broadcast messages cause too much network traffic. By setting the SuppressStateChanges value to 1, we ignore the minor messages.
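Setting the same registry value by hand on every Exchange 2003 server is error-prone, so here is an added script (not from the original post) that writes and then reads back SuppressStateChanges=1 on a list of servers over the Remote Registry service, using the .NET registry classes. The server names are placeholders for your own Exchange 2003 servers; the key path and value are the ones given above. It assumes PowerShell 2.0 or later (for try/catch) and that the account running it is a local administrator on each target.

```powershell
# Added example (not the post's own code): set the RESvc SuppressStateChanges
# DWORD to 1 on each Exchange 2003 server and report the before/after value.
$servers = @('EX2003-A', 'EX2003-B')   # placeholder names, replace with your own
$subKey  = 'System\CurrentControlSet\Services\RESvc\Parameters'
$name    = 'SuppressStateChanges'

foreach ($server in $servers) {
    try {
        # Opens HKLM on the remote host through the Remote Registry service
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $server)
        # CreateSubKey opens the key writable and creates it if it does not exist
        $key  = $hklm.CreateSubKey($subKey)
        $before = $key.GetValue($name)          # $null when the value is absent
        $key.SetValue($name, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        $after  = $key.GetValue($name)
        $key.Close()
        $hklm.Close()
        "{0}: {1} {2} -> {3}" -f $server, $name, $before, $after
    }
    catch {
        # Typical causes: Remote Registry stopped, firewall, or no admin rights
        "{0}: FAILED - {1}" -f $server, $_.Exception.Message
    }
}
```

The read-back line is the actual check: a server whose line does not end in "-> 1" did not get the setting, whatever the earlier lines say.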

Figure 1: Registry key entry for Exchange 2003 servers
For my first Exchange 2007 server, I install Windows Server 2008 64-bit. This is going to be the CAS server. A 14.5 GB disk partition will be sufficient (1.5 GB for Exchange 2007 files, 10 GB for operating system files, 3 GB for the pagefile), but I recommend (at least) a 35 GB disk partition for the installation. After the installation of Windows Server 2008, I install Service Pack 2 and all the hotfixes. I make the server a member of the mstip.com domain and install all the prerequisites for the Exchange 2007 installation (at the command prompt):
a) ServerManagerCmd -i Powershell
b) ServerManagerCmd -i Web-Server
c) ServerManagerCmd -i Web-ISAPI-Ext
d) ServerManagerCmd -i Web-Metabase
e) ServerManagerCmd -i Web-Lgcy-Mgmt-Console
f) ServerManagerCmd -i Web-Basic-Auth
g) ServerManagerCmd -i Web-Digest-Auth
h) ServerManagerCmd -i Web-Windows-Auth
i) ServerManagerCmd -i Web-Dyn-Compression
j) ServerManagerCmd -i RPC-over-HTTP-proxy (if Outlook Anywhere will be used)
After the installation of the prerequisites, I run setup.com from the Exchange 2007 DVD and choose the “Install Exchange Server” option. The wizard is self-explanatory. I only have to be careful on the screen where I select the custom installation. On the next screen I tick the “Client Access Server Role” and “Management Tools” boxes. That is all. After the installation, I will have a CAS server. But I get an error at the last stage which says “Cannot start service MSExchangeServiceHost on computer ‘.’.” I open the services.msc snap-in and see that the message is true. I try to restart the MSExchangeServiceHost service, but it doesn’t work. Therefore, I google :(.
I try various solutions for the problem. First, I add the Administrator and Exchange Servers objects to the “Access this computer from the network” local policy setting on the Exchange server, but it doesn’t work out. After that I disable the IPv6 property of the local network connection, and it doesn’t solve the problem either. Thirdly, I add the CAS server’s Active Directory object to the Domain Admins group in Active Directory. This solves my problem, but I don’t like it because it gives unnecessary permissions to the server’s object. I undo this action and instead add the CAS server’s Active Directory object to the “Manage auditing and security log” Group Policy setting. This setting is located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment container of the Default Domain Controllers Policy. This trick also solves my problem and is preferable. But another little problem occurs with this configuration: the Windows Update service on the Domain Controllers stops working after this setting change. After I add the Administrators group to the same setting, that is solved too.
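The end state worth verifying here is the narrow one: the CAS computer account holds only the “Manage auditing and security log” right on the domain controllers, Administrators still hold it, and the computer account is no longer in Domain Admins. The following is an added check script, not from the original post. It runs on a domain controller as an administrator, resolves the CAS computer account through an LDAP search, and reads the effective user rights with secedit (which exports the holders as SIDs prefixed with *). The CAS server name is a placeholder.

```powershell
# Added example (not the post's own code): confirm the least-privilege outcome
# described above. Run on a DC in an elevated PowerShell 2.0+ session.
$casName = 'CAS01'                        # placeholder CAS server NetBIOS name
$domainNetbios = $env:USERDOMAIN

# 1. Is the CAS computer account (still) a member of Domain Admins?
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$casName`$))"
$entry = $searcher.FindOne()
if ($entry -eq $null) { throw "Computer account $casName not found in the domain" }
$memberOf = @($entry.Properties['memberof'])
$inDomainAdmins = [bool]($memberOf | Where-Object { $_ -like 'CN=Domain Admins,*' })
"{0} in Domain Admins: {1} (expected False)" -f $casName, $inDomainAdmins

# 2. Who holds 'Manage auditing and security log' (SeSecurityPrivilege) on this DC?
#    secedit exports the effective local policy as an INF; the USER_RIGHTS area
#    contains one line per privilege with comma-separated *SID holders.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' } | Select-Object -First 1
Remove-Item $inf
$holders = @()
if ($line) {
    $holders = $line.Split('=')[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Resolve the CAS computer account to its SID so it can be compared with the INF
function Get-AccountSid([string]$account) {
    $nt = New-Object System.Security.Principal.NTAccount($account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$casSid   = Get-AccountSid "$domainNetbios\$casName`$"
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

"CAS account holds SeSecurityPrivilege:   {0} (expected True)" -f ($holders -contains $casSid)
"Administrators hold SeSecurityPrivilege: {0} (expected True)" -f ($holders -contains $adminSid)
"All holders: {0}" -f ($holders -join ', ')
```

The last line lists every SID with the right, which is the thing to review periodically: the list should contain only Administrators and the Exchange computer accounts you deliberately added, since this right also allows reading and clearing the Security event log.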
The CAS server will be used for three main purposes: OWA, Outlook Anywhere and ActiveSync. Most probably, OWA will be the most used one. I have to choose an easy web address that users can remember. I decide on mail.mstip.com for this purpose. I also have to prepare redirections for our OWA interface, because it will use the HTTPS protocol and nobody will type https in the browser’s address bar. I will do it through the IIS administrative interface. Then, when users type http://mail.mstip.com into their web browsers, they will automatically be redirected to https://mail.mstip.com. We do the following for this:
1- Open the IIS administrative interface on the CAS server (Start -> Programs -> Administrative Tools -> IIS Manager)
2- On the left-hand side, I expand the local computer and the Sites container, then click “Default Web Site”
3- I select “Features View” on the right side and select HTTP Redirect under the IIS section
4- I tick the “Redirect requests to this destination” box.
5- I enter the whole /owa path (https://mail.mstip.com/owa)
6- I tick the “Only redirect requests to content in this directory (not subdirectories)” box under the “Redirect Behavior” section
7- I select “Found (302)” from the “Status code” list
8- I press Apply in the Actions pane and run iisreset at the command prompt

Figure 2: Redirection of Default Web Site to /owa directory
So far, we redirect the Default Web Site and all its subdirectories to https://mail.mstip.com/owa. But that will cause other problems later, so I exclude some of the subdirectories. The subdirectories that have a physical path are excluded as follows: double-click the HTTP Redirect icon and clear the “Redirect requests to this destination” box.

Figure 3: Exclusion of subdirectories from redirection
The “Redirect requests to this destination” box of the subdirectories that have no physical path (i.e. /exchange, /Exchweb, /Public) is greyed out, so I can’t clear it. The redirection for these directories is disabled as follows:
Open a command prompt and go to the %WINDIR%\System32\Inetsrv directory. Run
appcmd set config "Default Web Site/exchange" /section:httpRedirect /enabled:false /commit:apphost
(this example is for the /exchange subdirectory).
After doing all this, entering https://mail.mstip.com takes me to the /owa subdirectory successfully. But entering http://mail.mstip.com gives me an error page, Error 403: Access denied. To get rid of this error page I do the following:
Double-click the “Error Pages” icon for the Default Web Site in the IIS administrative console, right-click the status code 403 line and choose Edit. Select “Respond with a 302 redirect” in the dialog that opens and enter https://mail.mstip.com/exchange in the URL field. After that I no longer get the error.
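The whole redirect setup above (the site-level HTTP Redirect from the numbered steps, the per-subdirectory exclusions done with appcmd, and the 403 error page redirect) can be applied with appcmd alone, which makes it repeatable on a second CAS server and easy to diff. The script below is an added example, not the post's own code. It assumes IIS 7 on the CAS server, an elevated local PowerShell 2.0+ session, the host name mail.mstip.com from the post, and that the child applications to exclude are enumerated from appcmd itself rather than typed by hand. It ends with a check that shows the first hop an http:// client actually receives.

```powershell
# Added example (not the post's own code): the post's IIS redirect configuration
# expressed as appcmd calls, plus a first-hop check of the result.
$appcmd = Join-Path $env:WINDIR 'System32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'

# 1. Site-level redirect: root requests only (childOnly), 302 (Found), to /owa.
& $appcmd set config $site /section:httpRedirect /enabled:true `
    '/destination:https://mail.mstip.com/owa' /exactDestination:false `
    /childOnly:true /httpResponseStatus:Found /commit:apphost

# 2. enabled=true is inherited by every child application, so switch it off for
#    each one explicitly (the post does this by hand, e.g. for /exchange).
#    Virtual directories that are not applications (appcmd list vdir) need the
#    same "set config" call with their path.
$apps = & $appcmd list app "/site.name:$site" /text:app.name | Where-Object { $_ -ne "$site/" }
foreach ($app in $apps) {
    & $appcmd set config $app /section:httpRedirect /enabled:false /commit:apphost
}

# 3. Replace the inherited 403 error entry with a 302 to the /exchange URL,
#    which is the post's fix for "Error 403" on plain http:// requests.
& $appcmd set config $site /section:httpErrors `
    "/-[statusCode='403',subStatusCode='-1']" /commit:apphost
& $appcmd set config $site /section:httpErrors `
    "/+[statusCode='403',subStatusCode='-1',path='https://mail.mstip.com/exchange',responseMode='Redirect']" `
    /commit:apphost
iisreset | Out-Null

# 4. Check without following redirects, so the first hop's status code and
#    Location header are what gets reported (a browser would hide them).
function Get-FirstHop([string]$url) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.AllowAutoRedirect = $false
    $resp = $null
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }   # 4xx/5xx land here
    if ($resp -eq $null) { return "$url -> no response" }
    $result = "{0} -> {1} {2}" -f $url, [int]$resp.StatusCode, $resp.Headers['Location']
    $resp.Close()
    return $result
}
Get-FirstHop 'http://mail.mstip.com/'
Get-FirstHop 'http://mail.mstip.com/owa/'
```

Expect each http:// line to show a 302 with an https://mail.mstip.com/... Location; a 403 with an empty Location means step 3 did not take effect for that path, and a 200 means the request was served over plain HTTP, which is exactly the case the redirect is meant to prevent.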

Figure 4: Redirection for the error page of default web site
Lastly, we have to deal with the DNS entry for mail.mstip.com. I enter the FQDN on both the internal and the external DNS servers, because I will use the same FQDN for LAN and WAN connections.
On Day 2, we dealt with the Active Directory preparation and the installation of the CAS server. I also talked about a few problems that we faced. That is all for today. On Day 3, we will buy an SSL certificate for our CAS server and implement it. Bye for now.