Jude's Blog

Posts Tagged ‘exchange 2013

Move Transport Database Files in Exchange 2013/2016 Step by Step

leave a comment »

Issue:

In terms of sizing an Exchange Server environment, it is always advised and recommended to follow the Microsoft Sizing guides, this specifically means that you need to go through the Exchange Sizing Calculator. The tool gives you estimated values of how your databases, logs and transport queues are going to grow. So, if you do not properly plan these sizes, you might end up getting your disks full.

The scenario which I’m going to talk about is such situation where the free space of the C Drive almost got full. While digging in what’s being eating up the storage, we found out that the Exchange Transport queue, or Mail.que file is the culprit.

Exchange Transport Queue

A queue is a temporary holding location for messages that are waiting to enter the next stage of processing or delivery to a destination. Each queue represents a logical set of messages that the Exchange server processes in a specific order. In Exchange 2016, queues hold messages before, during and after delivery. Queues exist in the Transport service on Mailbox servers and on Edge Transport servers.

File Description
Mail.que This queue database file stores all the queued messages.
Tmp.edb This temporary database file is used to verify the queue database schema on startup.
Trn*.log Transaction logs record all changes to the queue database. Changes to the database are first written to the transaction log and then committed to the database. Trn.log is the current active transaction log file. Trntmp.log is the next provisioned transaction log file that’s created in advance. If the existing Trn.log transaction log file reaches its maximum size, Trn.log is renamed to Trn nnnn.log, where nnnn is a sequence number. Trntmp.log is then renamed Trn.log and becomes the current active transaction log file.
Trn.chk This checkpoint file tracks the transaction log entries that have been committed to the database. This file is always in the same location as the mail.que file.
Trnres00001.jrs
Trnres00002.jrs
These reserve transaction log files act as placeholders. They’re only used when the hard disk that contains the transaction log runs out of space to stop the queue database cleanly.

Solution:

In simple, we can move the Mail.que database and log files associated to a different location. The below step by step guide will take you through how you can achieve this.

Before going ahead, here are some tips when it comes to moving your queue database.

  • Ensure that the destination disk/drive has enough and additional buffer space, remember that during peak times, this can grow. If it’s possible to attach a separate disk for this, go ahead. It’s even better.
  • The move process requires the Exchange Transport service to be stopped until the data is moved to the new location. This means that there will be a downtime where mail flow on the server will be interrupted.
  • The transport queue files are located in the below path
    %ExchangeInstallPath%TransportRoles\data\Queue

Once you have the disk and the downtime planned, we can start the procedure.

  1. Navigate to the location that you would will be moving the data to.
  2. Create a folder where the queue database and transaction logs will be moved. In my case, I’m moving the data do the below path;
    "F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue"
  3. Right click on the above folder “Queue”, select Properties
  4. Navigate to Security tab, click on Edit under Change permissions

  5. Under Permissions verify that the below accounts are listed and the shown permission level is present. It not, add the user/service account and assign permissions
    1. Network Service: Full Control
    2. System: Full Control
    3. Administrators: Full Control
  6. Click OK to apply the permissions to the folder.
  7. Open Notepad using Run as Administrator
  8. Using notepad, click Open and Navigate to the below path

    %ExchangeInstallPath%Bin\

  9. Open the EdgeTransport.exe.config file (you may want to take a backup of the file in case something goes wrong)
  10. On the config file lookup for the following content;
    <add key="QueueDatabasePath" value="<CurrentLocation>" />
    <add key="QueueDatabaseLoggingPath" value="<CurrentLocation>" />
  11. Now we need to modify the <CurrentLocation> and replace it with the new path for the queue files. In our case this will be as below;
    <add key="QueueDatabasePath" value="F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue" />
    <add key="QueueDatabaseLoggingPath" value="F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue" />

  12. Save and close notepad.
  13. Open Services.msc
  14. Stop the Microsoft Exchange Transport Service.

  15. Navigate to the below path where the old queue files are located at;
    %ExchangeInstallPath%TransportRoles\data\Queue
  16. Take a backup of all the files in the folder into a different location just in case.
  17. Move existing database files (Mail.que, Trn.chk, Trn.log, Trntmp.log, Trn nnnnn.log, Trnres00001.jrs, Trnres00002.jrs, and Temp.edb) to the new location. This is the location you mentioned in Step 11.

  18. Go to Services.msc and Start the Microsoft Exchange Transport service.

  19. Monitor the status of the new location and the files.
  20. Verify that the old path is empty and no new files are being created.
  21. Send a few mails with attachments to verify and monitor mail flow.

Advertisements

450 4.7.320 Certificate validation failed

leave a comment »

Issue


The environment was running Exchange Server 2016 (n-1)CU with Office 365 in a hybrid mode. The issue came up when users on-prem noticed that they are unable to receive emails from their own O365 cloud users. Looking more into this, figured out the following user mail flow scenarios;

  • On-prem users can send/receive mails within on-prem and to/from internet users
  • O365 cloud users can send/receive mails within O365 and to/from internet users
  • On-prem users cannot send/receive emails to/from O365 users

So obviously, this had to do something with the hybrid connector since that’s the tunnel that bridges the two environments.

So back to the basics, lets trace down the error messages and see if we can get a clue. In order to see where our mails are stuck, you need to first check the delivery reports. Log in to the O365 Exchange ECP as administrator and navigate to Message Tracing. On the message tracing log, you will see something like below;

11

We’re almost there now. The above indicates that why O365 is not delivering the mails to on-prem environment is because as on the first item, we have configured to use TLS between the hybrid environments. Thus due to whatever reason, the certificate presented from the on-prem public IP does not match the certificate that is been binded in the Hybrid Configuration. Now in order to validate this, we need to look at two points;

  • Ensure that the certificate is not expired
  • Check Hybrid Configuration certificate settings: To validate that you have the correct certificate open up the Exchange PowerShell module on your on-prem and run the below command;

Get-HybridConfiguration

12

Now as you can see, the Hybrid configuration is configured with the correct certificate. So nothing to worry on that.

  • Exchange Connector TLS settings: The next connection point would be our internal Exchange Server receive connector. Why this connector is important is that when O365 is trying to connect with the exchange server for mail delivery, it will try out TLS for authentication. This is because we have TLS enabled; meaning we should have the correct certificate binded to the corresponding Receive Connector. In many cases this would be the Default FrontEnd connector. Run the below command and ensure that the property tlscertificatename is set correctly and is the same as the above certificate.

Get-ReceiveConnector -Identity “<ExchangeServerName>\Default Frontend <ExchangeServerName>” | fl

In my case, the certificate was all fine and is set for the one as expected.

So, the certificate itself, exchange setup and office 365 hybrid setup is all configured as expected. Yet somehow, Office 365 is telling me that the certificate is not correct.

This is where we would need to properly test TLS in a more informative manner. We will now see how we can use a method where we can see the TLS communication that is made to our on-premises.

Enter CheckTLS web testing provider. The provider has many tools to check TLS mechanisms but in our case, we are looking at the receiving part. Thus we will head over here.

https://www.checktls.com/TestReceiver

What it does?

TestReceiver performs all the steps that Internet email systems go through to send email. It records every command and byte of data it sends and every answer and byte of data that the other email system sends. TestReceiver never actually sends an email, it just gets as close as possible, learning as much about the remote system as it can.

Because CheckTLS focuses on security, TestReceiver tries to establish a secure (TLS) connection with the recipient’s system. Along with recording everything, it looks at the security of the recipient’s system for things like: certificate contents and signers, encryption algorithms, key lengths, hostname mis-matches, incorrect wild-card usage, weak cyphers, etc.

So is this safe? absolutely. Since it only checks whatever is already published by your organization. It doesn’t grab your email ID, username or passwords.

  1. So head over to the site and under the Input fields, type your domain name in the eMail Target
  2. Ensure that under the Output Format you have selected Detail (this will provide you a verbose log of the connection status, more meaningful)
  3. Click Run Test.
  4. Give it some time to run the test and notice the logging which happen in the background. This is the session initiation that happens in real time.
  5. Once the test is completed, look in the detailed log.13

 

And we have found the culprit. Just have a closer look at the above image. You can see that the TLS authentication does start however the certificate validation fails. The reason is that the issuing certificate is not our Exchange Certificate, but a self signed certificate by the barracuda appliance which is front-ending to external connections.

When Office 365 tries to initiate a TLS session, it is getting this self signed certificate thus the required URLs are not found (mail.domain.com) hence it drops the connection and throws out;

450 4.7.320 Certificate validation failed.

If this is your case, bump up your network team and ask them to bind the correct certificate from the appliance. Once its configured properly, run the below tests again to validate that everything is all good.

  • CheckTLS Receive validation – Ensure correct certificate is thrown out
  • Office 365 Connector Validation

If everything is successful, send out couple of emails and you will see that mailflow is working as expected. For the mails that were queued, give some time and it’ll start flowing.

Got any inputs? Please feel free to let me know your ideas.

Cheers..

Exchange Server Upgrade | Step-by-Step

with one comment

The guide will cover upgrading an Exchange Server 2013 CU8 into Exchange 2013 CU15.

In a nutshell, this is the procedure:

  1. Prepare the existing environment
    1. Download the latest binaries
    2. Remove Interim Updates
  2. Perform Upgrade
    1. Enable Exchange Server maintenance mode (High Availability)
    2. Upgrade Schema
    3. Install Exchange Binaries
    4. Enable Exchange Server services

Prepare the existing environment

Download Exchange Server SP/RU/CU binaries

When you are performing an Upgrade, you can go ahead and install the latest Cumulative Update (CU). You DO NOT, need to install all previous CU’s one by one in an incremental way. This is because a CU is a full installation of Exchange Server plus a collection of all the updates, patches and changes that has been made available so far.

For an Example, if you are on Exchange Server 2016 RTM, you can straight away install CU4. Because CU4 will contain all changes made in each of the CU’s previously released.

Exchange 2016

Version Blog post
Exchange 2016 CU4 Released: December 2016 Quarterly Exchange Updates
Exchange 2016 CU3 Released: September 2016 Quarterly Exchange Updates
Exchange 2016 CU2 Released: June 2016 Quarterly Exchange Updates
Exchange 2016 CU1 Released: March 2016 Quarterly Exchange Updates
Exchange 2016 RTM Exchange Server 2016: Forged in the cloud. Now available on-premises

Exchange 2013

Version Blog post
Exchange 2013 CU15 Released: December 2016 Quarterly Exchange Updates
Exchange 2013 CU14 Released: September 2016 Quarterly Exchange Updates
Exchange 2013 CU13 Released: June 2016 Quarterly Exchange Updates
Exchange 2013 CU12 Released: March 2016 Quarterly Exchange Updates
Exchange 2013 CU11 Released: December 2015 Quarterly Exchange Updates
Exchange 2013 CU10 Released: September 2015 Quarterly Exchange Updates
Exchange 2013 CU9 Released: June 2015 Exchange Cumulative Update and Update Rollups
Exchange 2013 CU8 Released: Exchange Server 2013 Cumulative Update 8
Exchange 2013 CU7 Released: Exchange Server 2013 Cumulative Update 7
Exchange 2013 CU6 Released: Exchange Server 2013 Cumulative Update 6
Exchange 2013 CU5 Released: Exchange Server 2013 Cumulative Update 5
Exchange 2013 SP1 Released: Exchange Server 2013 Service Pack 1
Exchange 2013 CU3 Released: Exchange Server 2013 Cumulative Update 3
Exchange 2013 CU2 Released: Exchange Server 2013 Cumulative Update 2
Exchange 2013 CU1 Released: Exchange Server 2013 Cumulative Update 1
Exchange 2013 RTM Exchange Server 2013 Reaches General Availability

Remove Interim Updates

Now that you have downloaded the binaries, you need to get rid of the Interim Updates that may have been installed in your environment. In some cases, if an Interim Update is installed, Microsoft Exchange Server CU’s or SP’s cannot be installed. Therefore, before installing the binaries, read the release notes for any information on removal of interim updates. Below steps will guide for that;

  1. In Control Panel, double-click Programs and Features.
  2. In the Currently installed programs list, click Interim Update for Exchange Server 201X (KBxxxxxx), where xxxxxx is the Knowledge Base article number that is associated with the IU.
  3. Click Remove.
  4. At a command prompt, run sn.exe -Vu * to enable strong name verification.
  5. Run sn.exe –Vl to verify that strong name verification is enabled.

Perform Upgrade

Enable Exchange Server maintenance mode (High Availability)

If you have standalone servers in your environment, then an upgrade will require you to go in for a downtime. Why? Because the services needs to be stopped during the upgrade process. In such a scenario, skip to the Upgrade section.

However, if your environment consists multiple servers in terms of 2xCAS or 2xMBX or 2x(CAS+MBX) or any of a combined scenario, it is highly advised that you perform upgrading of the servers one by one. This will ensure that your environment will stay online using the rest of the high available servers taking the downtime away.

There’s a catch in here. Let’s say we have a 2 Mailbox Server scenario: Server A and B. You decide to mount all databases into ServerA and upgrade Server B. Although this seems an okay way to do, it is not the case. Reason is that the Active Manager and other Exchange backend workers doesn’t know that you are doing a planned maintenance. Thus, the workers will think that the server is in a failed state. Can we fix this? Absolutely. You have to take the services on Server B or the server that you are about to do the upgrade into ‘Maintenance Mode’.

Below steps will guide you to do so;

  1. Run Exchange PowerShell as Administrator.
  2. Run below command to drain connections on the Hub Transport service
    Set-ServerComponentState <SERVER> -Component HubTransport -State Draining -Requester Maintenance

  3. Run below command to disable cluster services
    Suspend-ClusterNode <SERVER>

  4. Run below command to prevent databases from being mounted on the server. It will also immediately move any mounted databases on the server to other servers if copies exist and are healthy.
    Set-MailboxServer <server> -DatabaseCopyActivationDisabledAndMoveNow $true

  5. Verify that no mailbox databases are mounted on the server.

    Get-MailboxDatabaseCopyStatus

  6. Run below command to block databases being automatically activated on the specified Mailbox server.
    Set-MailboxServer <server> -DatabaseCopyAutoActivationPolicy Blocked

  7. Run below command to put the state of all components together to Inactive.
    Set-ServerComponentState <server> -Component ServerWideOffline -State Inactive -Requester Maintenance

  8. Close PowerShell.

Upgrade Schema

Now that the server has been put to maintenance mode and you are ready to proceed with the Upgrade process. First thing we need to do is, update the schema. This is critical because without the required schema updates, the setup will not proceed.

  1. Run command prompt as Administrator.
  2. Run below command
    Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

  3. Run below command
    Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms

  4. Run below command
    Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

  5. Navigate to the Exchange installation binaries folder.
  6. Run setup.exe.
  7. On the Check for Updates window, select your choice and click OK.
  8. On the Upgrade window, click Next.
  9. On the License Agreement page select “I accept ….” and click Next.
  10. On the Readiness Check page, ensure no prerequisites are pending. Click Next to proceed.
  11. Now the installation will proceed.
  12. Once the installation is finished, click Finish.
  13. Restart the server.

 

Now that the server has been upgraded successfully we can resume Exchange services back to normal mode. Follow the below steps.

  1. Run Exchange PowerShell as Administrator.
  2. Run below command to enable connections on the Hub Transport service.
    Set-ServerComponentState <SERVER> -Component HubTransport -State Active -Requester Maintenance

  3. Run below command to enable cluster services
    Resume-ClusterNode <SERVER>

  4. Run below command to enable databases from being mounted on the server.
    Set-MailboxServer <server> -DatabaseCopyActivationDisabledAndMoveNow $false

  5. Run below command to enable databases being automatically activated on the specified Mailbox server.
    Set-MailboxServer <server> -DatabaseCopyAutoActivationPolicy Unrestricted

  6. Run below command to put the state of all components together to Activate.
    Set-ServerComponentState <server> -Component ServerWideOffline -State Active -Requester Maintenance

  7. Close PowerShell.

Now that your server is back in the game. It’s time to upgrade the second server. Perform the steps above from the beginning to do so.

Happy Upgrading!! J

Written by judeperera

January 6, 2017 at 11:45 am

Can I Add Remove Exchange Server 2013 Roles ? Watch out!

leave a comment »

With the all new architecture, Exchange Server 2013 RTM now only has 2 Primary Server Roles; Client Access and Mailbox. This however took a slight change of path with the Messaging team finally deciding to add Edge Transport role to the stack as well. Still, comparing to the previous Exchange Server versions, this is a totally different architecture in terms of almost everything.

One major thing that someone should very well focus on is the design. You should be pretty much sure on what roles that you are going to assign for your servers with the options of;

  • Install Standalone Server Roles*
  • Combine Server Roles

*Edge role cannot be collocated/combined with any other server role.

Now even with the above option, there is a tricky point for you when it comes to installing and uninstallation of the roles.

  1. You CAN install one exchange server role (MBX/CAS), and later add the other  role(CAS/MBX) to the existing server.

add

BUT

  1. You CANNOT remove a server role  in a multi-role server with both CAS and MBX installed.

remove

This scenario should be taken quite seriously since there should be no room for any changes once you install both roles. So let’s say what if you came across in a situation like this? Well, the only option is to remove/uninstall the server completely and re-deploy. Which! is going to be a pain for sure!

 

The above is valid for the following Exchange Server 2013 versions as mentioned here;

  • Exchange Server 2013 RTM
  • Exchange Server 2013 CU 1
  • Exchange Server 2013 CU 2

If it’s still the same for CU 3 and SP1? Well, I shall post ASAP and if you were able to check it out, let me know.

Cheers!!!

 

Written by judeperera

May 6, 2014 at 12:13 pm

Step by Step Guide for Installing Exchange Server 2013 Preview

with 78 comments

Update(2014-11-07): Covers the RTM installation.

The following section describes a step-by-step guide for the installation of Microsoft® Exchange Server 2013 Preview. The installation considers a single server deployment of Exchange Server 2013 with the Mailbox and Client Access Server roles collocated. Additional details of the topology and architecture of the lab environment which was used in the installation is described here;

Read the rest of this entry »

Written by judeperera

July 19, 2012 at 7:45 pm

Lync Server 2013 Preview Download Available Now

leave a comment »

It indeed has been a wonderful day for me with Microsoft. And that’s true for all IT Pro’s as well who are eager to test drive the next version of their skilled technology. With Office 2013 going as a ppublic beta, Microsoft has made Exchange Server 2013, Lync Server 2013 and SharePoint 2013 Preview versions as well for us to play before everything gets RTM’ed.

And for all Lync enthusiasts, they can get the download of the latest public preview right from the following image (click to download) which requires you to sign-in using a Live-ID.

Additionally, the following material are available online for references as well;

 

Want more?

Check out the official Lync 2013 Preview page over at http://lync.microsoft.com/en-us/Pages/Lync-2013-Preview.aspx

Happy Testing everyone 🙂

Written by judeperera

July 16, 2012 at 8:31 pm