Thursday, February 04, 2010

Exchange 2010 Management tool start up problems

Something that has been posted a LOT on the Exchange 2010 forums on TechNet: people with issues starting the EMC or EMS in Exchange 2010. Many of these stem from the slightly different management via WinRM. The Microsoft Team blog posted a GREAT write-up on how to troubleshoot the different common errors and address them all!

http://msexchangeteam.com/archive/2010/02/04/453946.aspx


Migrating PKI from Windows 2003 to Windows 2008 R2

Many customers are running into the need for a Windows 2008 or newer PKI infrastructure in order to enroll and auto enroll newer client operating systems like Windows 7, Vista, and Windows 2008 Server.

Actually, many business customers found the lack of certificate support in Vista (without upgrading their CAs later) to be one of the reasons it wasn't business ready. With Windows 7 being almost 10 years newer than Windows XP, many business customers are ready for a software refresh, and Windows 7 has enough other appealing features to help that decision along.

There are basically two routes to go: in-place upgrade or migration. The only time I would attempt an in-place upgrade is on a VM, so that a snapshot could easily be taken and rolled back in the case of a failure. A migration gives a fresh start, but requires some additional time to complete because between steps you need to wait for certs to issue to clients.

Because certificates are fairly sensitive information, I won't post screen caps, but rather overview the process.

Research and Design

Research what your existing CA is in use for. Anything it has issued needs to be either determined to be invalid (expired, not in use, not needed) or documented as something to replicate on the new CA. The other design decision is what CA architecture and hierarchy you want or need. Depending on the size and complexity of your organization, this can differ greatly. For most organizations under 2000 users, I would say a single CA is sufficient, and if additional CAs are needed, use the PKI planning guides that Microsoft provides, or better yet, read Komar's 2k8 PKI book.

Implement and Re-Issue certs

Depending on your usage, this could take a long time. Audit existing certificates, revoke the ones that are not in use or expired, and start re-issuing them on the new CA architecture. For larger organizations, this may take months to complete. Luckily, you can choose to have both CAs active. I recommend changing the certificate templates on the old CA to read only, and no longer allowing enroll and auto enroll, as you migrate each template type successfully. This way, the old CA still validates the certificates it issued that you haven't updated yet while you work on updating them, without any noticeable downtime.

Decommission Legacy CA

The "easy" part for sure. When you remove a CA (unlike uninstalling Exchange), there are no checks or audits to make sure you did everything correctly. If your Cisco ASA or VPN Concentrator had a certificate issued and you miss it, it may cause some issues for you. I recommend stopping and disabling your legacy CA for a few days or even weeks (this depends on your comfort level and organization) before you make the decision to decommission. Even then, before you decommission, I would also really recommend taking a complete backup of the server.
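As an added example (not part of the original post), this PowerShell script turns an issued-certificate inventory from the legacy CA into a worklist for the audit and re-issue steps above, separating certificates that can re-enroll from ones, like the appliance case mentioned, that need replacing by hand. The CSV columns, accounts, host names, the helper name `Get-CaMigrationWorklist` and the subject-matching heuristic are assumptions, and the sample rows are constructed.

```powershell
# Constructed sample: issued-certificate inventory exported from the legacy CA.
# Column names, accounts and host names are illustrative assumptions.
$inventory = @'
RequestID,RequesterName,CommonName,Template,NotAfter
101,CONTOSO\WKS-014$,wks-014.contoso.example,Machine,2010-09-30
102,CONTOSO\jsmith,jsmith,User,2009-11-15
103,CONTOSO\caadmin,vpn.contoso.example,WebServer,2011-03-01
104,CONTOSO\EXCH01$,mail.contoso.example,WebServer,2010-06-12
105,CONTOSO\WKS-022$,wks-022.contoso.example,Machine,2009-12-01
'@ | ConvertFrom-Csv

function Get-CaMigrationWorklist {   # hypothetical helper name
    param([object[]]$Inventory, [datetime]$AsOf)
    $invariant = [Globalization.CultureInfo]::InvariantCulture
    foreach ($row in $Inventory) {
        $expires = [datetime]::ParseExact($row.NotAfter, 'yyyy-MM-dd', $invariant)
        # Account name without the domain prefix or the machine-account '$'.
        $account = ($row.RequesterName -split '\\')[-1].TrimEnd('$')
        $sameOwner = $row.CommonName.StartsWith($account, [StringComparison]::OrdinalIgnoreCase)
        # Heuristic (assumption): a subject that matches the requester can enroll
        # or auto-enroll on the new CA; any other subject is usually an appliance
        # or service certificate that has to be replaced by hand.
        $action = if ($expires -lt $AsOf) { 'Expired' }
                  elseif ($sameOwner) { 'Re-enroll on new CA' }
                  else { 'Manual replacement' }
        [pscustomobject]@{
            RequestID = $row.RequestID; CommonName = $row.CommonName
            Template  = $row.Template;  NotAfter   = $expires; Action = $action
        }
    }
}

$asOf = [datetime]'2010-02-04'   # fixed reference date for the sample
$open = Get-CaMigrationWorklist -Inventory $inventory -AsOf $asOf |
    Where-Object { $_.Action -ne 'Expired' }

# Certificates that still depend on the legacy CA, manual work first.
$open | Sort-Object Action, NotAfter | Format-Table -AutoSize

# Templates that cannot be retired on the legacy CA yet.
$open | Group-Object Template | Select-Object Name, Count

# Latest expiry among outstanding certificates: if nothing were replaced,
# the legacy CA's certificates would remain in use until this date.
($open | Sort-Object NotAfter | Select-Object -Last 1).NotAfter
```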


Sunday, January 03, 2010

Windows 7 - Gaining access to all options in one screen

I found this posted on a forum and found it hard to believe, but it does work and it's pretty neat!

Just create a new folder and name it:
AllAccess.{ED7BA470-8E54-465E-825C-99712043E01C}

The "AllAccess" can be anything - on the other forum, I saw it as "god mode," "admin mode" and some other names - pick whatever you would like.

All this folder contains is easy one stop access to all Windows 7 options and control panels in one location. Depending on what you have installed, the number of options here will vary of course, but I had 276 different panels to view/choose from.


Happy New Year! (and some announcements)

New year, and on my xmas break I did not get a chance to move the blog from Blogger to WordPress as I had hoped I would, but instead I needed to change my policy on comments. It now requires a Google account and a word verification. I apologize for these restrictions, but for those of you marketing Viagra, it means I can reply to you and tell you to stop bothering me.

Happy New Year, and I hope you all have a great 2010!

Tuesday, December 22, 2009

Ways Outlook Web Access 2010 ROCKS - Part 4 of Many

Wow. Being able to delete 282 unread emails with the same subject has NEVER been so easy. OWA 2010 from Exchange 2010 includes conversation view, which allows you to do this… and yes, that is a right click context menu in IE, Firefox, or Safari.


Wednesday, December 16, 2009

Exchange 2010 – Enterprise Client Access Licenses

Some customers have asked what an Enterprise CAL in Exchange 2010 grants you compared to the Standard CAL. It is important to know that Exchange CALs are additive (this was also true in Exchange 2007), so an Enterprise CAL is not a "covers all": you need the Standard and the Enterprise CAL.


The most complete licensing comparison on Exchange 2010 is here:
http://www.microsoft.com/exchange/2010/en/us/Licensing.aspx


And from the CAL chart there, we can see the detailed parts that are granted with an Enterprise CAL.






So let's detail these.

Advanced ActiveSync Policies
Within Organization Configuration, Client Access, Exchange ActiveSync Mailbox Policies, any change from the defaults on the Device, Device Applications, or Other tab requires an Enterprise CAL.











You can see in these screenshots, that pretty much anywhere Enterprise CALs are being used there is an icon and a reminder.


Premium Journaling

If you have ever used an archiving product, you have probably used standard journaling. This is where every email written to a particular database is also copied to a single mailbox. Typically, the third-party archive product then picked up those emails and wrote them elsewhere. Premium journaling is under Organization Configuration, Hub Transport, Journal Rules. When you go to create a new journal rule, you see the same Enterprise CAL notification.




Unified Messaging

If you enable UM for a user, you need an Enterprise CAL.


Retention Policies

There are two different types of Managed Folders: Default and Custom. Default folders are your Calendar, Contacts, Inbox, Drafts, Sent Items, Tasks, etc. Custom is anything you want to create and deploy to your users outside of this. When you create a new Custom folder policy, you see the Enterprise CAL notification.




Integrated Archive

Integrated Archive mailbox is new for Exchange 2010. When you attempt to enable archive for a mailbox, you get the Enterprise CAL notification shown below.



Multi-mailbox search and legal hold

This is the Discovery Management role within RBAC (Role Based Access Control), which can be controlled via the ECP (Exchange Control Panel). This one does NOT give an Enterprise CAL notification when you add a user to the role group.




IPC, Transport Decryption, etc

This is a multifaceted one that is not highlighted as Enterprise CAL required when you configure it either. I will defer to TechNet for descriptions of each of these features, as they have them neatly collected here:
http://technet.microsoft.com/en-us/library/dd351035.aspx
