Monday, November 2, 2015

Install an older Exchange version after last server was removed

Consider a scenario where an Exchange environment was upgraded from let’s say Exchange 2007 to Exchange 2010 (I know, old versions). Some time after the admin removed the last Exchange 2007 server they find out that they a LOB application is not working correctly and they need to add a server with Exchange 2007 to allow it working again. The question is: can we add an older Exchange version after we removed the last server from the environment?

A community member on Reddit’s ExchangeServer community recently stated that this would not be possible:

…you won't be able to install a new 2007 server into a forest with 2010 servers once you've removed the last 2007 server…

In a follow-up discussion the poster referred to this article as his source:

Question: Is it possible to install Exchange 2003 or 2007 in a pure Exchange 2010 organization?
Answer: [...] If you have transitioned from Exchange 2007 to Exchange 2010 and the last Exchange 2007 server has already been decommissioned, the answer is again no. You will not be able to install Exchange 2007 at a later time in this organization because it’s now considered a pure Exchange 2010 organization.


This excerpt is from an article in the TechNet Magazine and was written by a well-known Exchange export so I don’t blame the Reddit poster at all. However, with my knowledge of how Exchange works I could not think of any reason why this shouldn’t work and this is the first time I heard of it.

My position on this subject is that there is no reason why you should not be able to add an Exchange 2007 server in a Server 2010 forest after the last Exchange 2007 was removed.

From a technical perspective there’s nothing special happening after you remove the last Exchange 2007 server. The Exchange environment does not keep count of the number of Exchange 2007 servers and there’s no process that implements a blocker when the count reaches <1. Also there’s no such thing as a ‘pure Exchange 2010 organization’, unless you want to say that there are no other Exchange versions than 2010 in the environment.

Time to validate this in a lab:

  1. Create a domain controller for a new forest, DFL and FFL set to Windows Server 2003
  2. Add a server with Exchange 2007 SP3
  3. Add a server with Exchange 2010 SP3
  4. Move the mailboxes and OAB generation to Exchange 2010
  5. Remove the Exchange 2007 mailbox database and storage group
  6. Uninstall Exchange 2007
  7. Add a server with Exchange 2007

As expected I was able to add the Exchange 2007 server to the environment without any issues.

Now in a real world environment there can be other factors involved but’s it’s good to understand that your Exchange organization does not add a block when you remove the last server of a certain Exchange version.

Friday, October 30, 2015

Is it possible to install Exchange 2016 on a domain controller?

Can we?

This is a question that comes up every now and then in the technical communities I’m involved in. Is it possible and supported to install Exchange on a domain controller? Often answered incorrectly with a variant of “not supported, unless you run SBS”. The official answer is a bit different: it is supported to install Exchange on a domain controller.

In fact, this is supported since Exchange 2000 and has not changed for every new version up to the recently released Exchange 2016. As we can find in the Exchange 2016 System Requirements page:


Installing Exchange 2016 on directory servers
For security and performance reasons, we recommend that you install Exchange 2016 only on member servers and not on Active Directory directory servers. However, you can't run DCPromo on a computer running Exchange 2016. After Exchange 2016 is installed, changing its role from a member server to a directory server, or vice versa, isn't supported.

So should we?

Supported but not recommended, why is that? There are multiple reasons why you should consider to install Exchange on a member servers.

Firstly both Exchange and an Active Directory domain controller are resource-intensive tasks. For instance, both need to cache data in memory for best performance and will try to claim resources to do so. Running both tasks on the same computer may impact the performance and end-user experience for both AD and Exchange.

Exchange supports an RBAC model which allows an organization to deploy the least amount of privileges to their admins to do their work. However, when an admin needs local administrative access to server which has Exchange installed he gains administrative access to Active Directory too. This would enable the admin to elevate their own privileges which of course is a security risk.

A domain controller with Exchange installed cannot be demoted to remove AD from the computer as long as Exchange is installed, the last version that did support this was Exchange 2000. This may mean that at some later time an organization may find they can’t remove domain controllers from their environment without removing Exchange from the server first. In the recent past this is something that organizations often encountered when they needed to remove Windows Server 2003 domain controllers in order to be able to raise the domain or forest functional level. By the way, you also can’t promote a server with Exchange already installed but that is a much less common scenario.

I briefly touched the subject of security when discussing your admins working on this server, security needs considered with user access in mind too. Some firewall ports need to be forwarded to this server to accept email and give access to OWA/Outlook on the web, ActiveSync, Outlook Anywhere and maybe even legacy protocols as POP3 and IMAP4. Nowadays Exchange is considered secure enough to expose it to the internet directly but do you want to allow hackers to target your domain controller too? Opening firewall ports to allow access from the internet to your domain controller is not something I would call a security best practice.

There’s even more reasons why you should not install on a Exchange server but I won’t do into too much details here. Use your favorite search engine to do a search on this topic and you will find a ton of discussions about this subject.

Yeah, but what if…?

I am aware that for some very small organizations it may not make sense to purchase additional hardware and Windows Server licenses. Certainly not from a cost perspective. With a small load it’s unlikely that performance is going to be an issue and many small business owners will consider the security implications something for large enterprises to be concerned about. After all, Microsoft until recently sold the Small Business Server products that did install Active Directory, Exchange, SharePoint, ISA/TMG and even SQL on a single box. If that was an acceptable solution, why shouldn’t we do that with just AD and Exchange?

Running Exchange on a domain controller is a supported solution and as long as you understand the impact, go ahead and deploy that single server. When performance, security and flexibility play a role and the budget or infrastructure allows for, it’s recommended to deploy a new Windows server and install Exchange on that server.

Wednesday, October 28, 2015

How to remove the Exchange Autodiscover SCP

Consider a scenario where you moved all your user’s mailboxes to Exchange Online, for instance after a cutover or staged migration and want to remove any dependencies on the local Exchange server. You may find that Outlook still connects to the local Exchange server for Autodiscover lookups, this is because Outlook is hard-coded to query an AD Service Connection Point to locate a server with the Autodiscover service. When this fails Outlook falls back to the next DNS based methods or uses a local XML file.

Exchange Management Shell

There are multiple ways to prevent Outlook from contacting the local Exchange server first, some of them make more sense than others. The preferred way is to use the Exchange Management Shell to clear the entry for the Client Access server from the SCP.

Set-ClientAccessServer –Identity ServerName -AutoDiscoverServiceInternalUri $null


This removes the SCP entry for this Exchange server.


If the above method can no longer be used a low level AD editor as EDSIEdit can be used to remove the SCP manually. The full path of the SCP is:

CN=ServerName,CN=Autodiscover,CN=Protocols,CN=ServerName,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=Suffix

This object to remove has the Class type serviceConnectionPoint.


Alternative methods

One of the above steps is basically all you need to do. Alternatives include adding an ExcludeScpLookup value to the \Autodiscover registry key (KB article) and some articles even let you remove the Autodiscover virtual directory from IIS. This will of course make Outlook unable to query the local Exchange server for Autodiscover but why should you if you can simply remove the SCP.

How to verify?

As always, the proof is in the pudding. Use the Outlook test E-mail AutoConfiguration feature to verify the clients behavior. We’re specifically interested in the Log tab where we should see that Outlook is no longer able to query the SCP to obtain the Autodiscover url.

To start the Test E-mail AutoConfiguration tool, follow these steps:

  1. Start Outlook.
  2. Hold down the Ctrl key, right-click the Outlook icon in the notification area, and then click Test E-mail AutoConfiguration.
  3. Verify that the correct email address is in the E-mail Address box.
  4. In the Test E-mail AutoConfiguration window, click to clear the Use Guessmart check box and the Secure Guessmart Authentication check box.
  5. Click to select the Use AutoDiscover check box, and then click Test.

Earlier I wrote a short article about this tool, unfortunately available in Dutch only: Autodiscover testen met Outlook. But you’ll get the general idea. Focus on the first or third tab when you’re interested in the Autodiscover results, read the Log tab when you're interested in the Autodiscover process.

Wednesday, October 21, 2015

MySQL Workbench and ClearDB: "SSL Connection error: unable to get private key file"

When trying to access your ClearDB hosted databases with MySQL Workbench you may run into this error message:


SSL Connection error: Unable to get private key

In the MySQL Workbench connection settings on the SSL tab we need to select three certificate files, the CA certificate, the client certificate and the client key file.


These files can be obtained from the ClearDB database dashboard:


The issue is being caused by the client private key file, the one with 'key' in the name. In order to allow Workbench to connect to the database the password needs to be stripped from this file first. One way to do this is to use OpenSSL:

openssl rsa -in c092bb5f82771e-key.pem -out c092bb5f82771e-key.pem-nopassw.pem

Now use the new file in the Workbench connection settings and try again, Workbench should now be able to connect to your database.


Tuesday, October 13, 2015

How to view the last monitor response in NetScaler 10.5

When a monitor fails it can be very helpful to check the last result it received. The NetScaler 10.5 web interface does present this information, but you have to know where to look:

Open de properties of the Service Group, expand the Service Group Members, select a Service and click Monitor Details.

The result can be found under the Last Response column:


Monday, October 12, 2015

How to create a Citrix NetScaler LB vserver without an IP address

When configuring a Citrix NetScaler to load balance Exchange 2013 or 2016 you may want to create a load balancing virtual server without an IP and port combo. The reason is that you're going to bind the load balancing virtual server will to a content switching virtual server, clients won't access the lb vserver directly.

Many blog posts as well as Citrix documents as for instance their most recent Exchange whitepaper Microsoft Exchange 2013 with NetScaler: Authentication and Optimization tell you to select Not Directly Addressable. Unfortunately the Directly Addressable check box is no longer available in NetScaler 10.5 and newer.

Well, the feature is still available but has been renamed and moved to another location. If you're using the web interface, choose Non Addressable from the IP Address Type drop-down list no create a virtual server which is not directly accessible.


Maybe it's just me, but I could not found the cmdline alternative in the lb vserver section of the NetScaler Command Reference. So I create one with the web interface and looked it up in the config. Apparently all we need to do is enter the IP address and port number as 0.

add lb vserver my_lb_vserver ssl 0

In summary, the checkbox for Directly Addressable is replaced with the Non Addressable option in the IP Address Type drop-down list. If you're using the cmdline, set the IP address and port number as 0.

Friday, October 2, 2015

What does the new 'Phishing scam' button in Outlook on the web do?

The website formerly known as OWA

In case you misses it, Microsoft recently rebranded Outlook Web App (OWA) to Outlook on the web. I'm sure the marketing people had very good reasons to do so, but the OWA acronym has become a household name since it was introduced in Exchange 5.0. So technically speaking we should use the term Outlook on the web when discussing OWA on Exchange 2016 or in Exchange Online however I will use OWA a lot for probably a very long time. Enough about branding, let's discuss the actual topic.

The new Outlook on the web

Over the past couple of months Microsoft rolled out an updated version of OWA/Outlook on the web to all Office 365 tenants. The new features include Pin, Sweep and the Undo button:cropped and highlighted-New features coming to Outlook on the web 1

One feature that was added recently, in fact it's even absent from the above screenshot Microsoft used in their announcement, is the new Phishing scam action. This can be found in the actions drop-down list next to Reply all in the reading pane and under Junk in the top actions bar:


The question of course is what exactly happens when you apply this action to your message. At the time of writing there was no public documentation for Exchange or Exchange Online that describes the behavior of this action. However, the button was implemented in the consumer service earlier and is mentioned in the article Email and web scams: How to help protect yourself.


So the Phishing scam action deletes the item and marks the sender as unsafe, just as the Junk action, but it reports the message to Microsoft too. They then use the reported phishing scam emails to improve their filtering techniques to prevent them from arriving in your user's Inbox.

Should I use it?

Definitely encourage your users to use the Phishing scam action on phishing emails, this helps Microsoft fight these scams and make your user's Inbox a safer place. Technology can certainly help here, but in the end user education is the most important and effective way to reduce the risks of being scammed.

Just Office 365?

Interestingly enough the new feature is not in the on-premises Exchange 2016 which was just released this week. From an architectural perspective I see no reason why Microsoft shouldn’t implement the feature in the on-premises product too. After all this feature is nothing more than a slightly adapted version of the Junk feature that is already on-premises Exchange.


My expectation is that we see the Phishing scam action appear in one of the next Cumulative Updates for Exchange 2016. The same applies to Outlook 2006, I expect the same feature to be added in an upcoming update too.

Tuesday, September 29, 2015

Office 2016 update branches and how to force an upgrade for Office 365 ProPlus

Last week Microsoft released Office 2016, the most recent edition of their productivity suite including Word, Excel and Outlook. What does this mean for customers who consume Office as part of the Office 365 ProPlus subscription? Why was my Office version upgraded without any warning? Or why am I still on Office 2013?

Update branches

Microsoft introduced ‘update branches’ to release updates to three types of customers:

Read more about release branches in the TechNet Technical Library: Overview of update branches for Office 365 ProPlus or this excellent write-up by Perficient’s Joe Palarchio How Is The Office 2016 Release Relevant To My Office 365 Users?


I want it now!

So if you have Office 365 ProPlus and your Office 365 plan is not Home or Business Premium but for instance Enterprise, you may want to know if you can force an upgrade to Office 2016 on your computer. To achieve that we need to switch out Office install from Current Branch for Businesses to Current Branch. In an enterprise the admins would configure this with a GPO template for Office 2016 or with the Office Deployment Tool when Office is installed on the user’s computer.

The latter is very easy to upgrade Office 365 ProPlus on a single computer to, just follow this procedure.

  1. Download the Office Deployment Tool and extract the files to a temporary location, for instance C:\Office.
  2. Make a backup of the configuration.xml file and edit the contents to something similar to this:

        <Add SourcePath="c:\Office\" OfficeClientEdition="64" Branch="Current">
            <Product ID="O365ProPlusRetail">
            <Language ID="en-us" />
        <Updates Enabled="TRUE" Branch="Current" />
        <Display Level="Full" AcceptEULA="TRUE" />

    Note that the value for Branch is set to Current. Other valid values are Business or Validation (First Release).
  3. Execute .\setup.exe /download c:\Office\configuration.xml to download the Office files to your local computer, this may take a while.
  4. Next start the installation with .\setup.exe /configure c:\Office\configuration.xml

During the installation of Office you will be prompted to save your work and close any opened Office programs.


Enjoy Office 2016!

Wednesday, September 23, 2015

Using Exchange 2007? Do not upgrade to Outlook 2016

In case you missed it, this week Microsoft released the new Office suite: Office 2016. Of course the latest version includes an updated version of Outlook too. Many people are eager to explore the new version of Office and others found their Office was automatically updated to Office 2016. From an Exchange perspective it’s important to be aware of the fact that Outlook 2016 does not support connections to Exchange 2007.

Customers who upgrade to Outlook 2016 and try to connect to their Exchange 2007 mailbox see this error message presented: The resource that you are trying to use is located on an unsupported version of Microsoft Exchange. Contact your e-mail administrator for assistance

This information can of course be found in the Office System Requirements, but you have to look for it:


Technically speaking there are workarounds available such as have Outlook 2016 access the Exchange 2007 server with the IMAP4 or POP3 protocol, but this of course introduces serious limitations and is not comparable with connecting through a MAPI or Outlook Anywhere connection.

Microsoft released an article which describes this issue and instructs Office 365 Personal, Office 365 Home, or Office 365 University users who's Outlook was automatically upgraded to Outlook 2016 to contact Microsoft Support to assist with a roll-back to Office 2013. See Error: Unsupported version of Microsoft Exchange error when you use Outlook 2016 to connect an Exchange 2007 account.

By the way, if your organization is still using Exchange 2007 you may want to look into an upgrade to a more recent Exchange version or Exchange Online. Exchange 2007 is in the Extended Support phase since 2012 and will go out of support in April 2017.

Wednesday, July 29, 2015

Upgrade to Windows 10: Hyper-V no longer installed

Update: It seems the upgrade process has overwritten the default locations where my virtual machines were stored. If you did not yet upgrade and care for your Hyper-V VMs, be very careful. Make sure you move the virtual machines to a safe location first.

After upgrading my Surface 3 Pro to Windows 10 I noticed that Hyper-V was no longer installed. I spend some time in the new Settings app but could not find a way to enable Hyper-V again.

Fortunately this issue is very easy to fix. Open Control Panel and navigate to Programs, Turn Windows features on or off. Select Hyper-V and click OK to continue.


But before you do this, please check the full list and select or deselect any other features you want to install or remove.