Friday, May 27, 2016

Exchange 2007 and 2003 Coexistence

Moving on to bigger and greater things! Exchange 2007!

Exchange 2007 introduced new server roles (or at least renamed them): Hub Transport, Client Access (CAS), and Mailbox. It also came with other roles like Edge and Unified Messaging, but we won't get into those for now...'cause I don't know squat about them.

Exchange 2007 also introduced the new name for the default OWA virtual directory /OWA. No more /Exchange from here on out.

This brings me to the point of this post. Normally, given the right configuration, your 2007 server should be able to process a request of and, if a 2003 user logs in, proxy that connection back to the 2003 server.

Except sometimes it doesn't. In one very specific case the redirection will fail: if your 2007 server has the Mailbox role installed on the same server as the CAS role, then you are out of luck; better go buy another server.

The worst part about all of this is that I only found it documented in one tiny spot buried in a TechNet article. I felt like an archaeologist discovering the struggles of an ancient civilization.

Article in question 

Next time you have a client that is upgrading from 2003 to 2007 in the year 2016, watch out for this gotcha...

Wednesday, May 25, 2016

AAD Connect and Password Syncs

AAD Connect is great, isn't it? It syncs all your info to the fluffy cloud.

Almost all of it.

When you run a sync, any time after the initial sync, it does not sync on-prem users' passwords, even if you have password sync enabled. I'm sure there is a built-in schedule to sync passwords, but what if you have a user who logged into the tenant, was able to change their password, and you need to sync it back to the on-prem password right away? A full sync, a delta sync, or a kitchen sink is not going to help here.

Now, you could have password writeback enabled if you have Azure AD Premium, but not everyone has the cash for that. What you can do, though, is reset that user's password on-prem. Doing the reset on-prem forces a password sync to the tenant right then and there.
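The reset-and-verify procedure above as an added PowerShell example (not code from the original post). The event source name "Directory Synchronization", event ID 657 as the password sync result, and the result message containing the user's DN are assumptions taken from AAD Connect's documented logging, not from this page.

```powershell
# Added example, not from the original post: reset one user's password on-prem so that
# AAD Connect password hash sync pushes it to the tenant immediately, then confirm the
# push from the sync server's Application log.
# Assumptions: run on the AAD Connect server with the ActiveDirectory module and rights to
# reset the account; AAD Connect logs password sync results as Application-log event 657
# from source "Directory Synchronization", and the event text includes the user's DN.
param(
    [Parameter(Mandatory)][string]$SamAccountName
)
Import-Module ActiveDirectory

$user  = Get-ADUser -Identity $SamAccountName
$start = Get-Date

# Prompt for the new password so it never lands in the script or the shell history.
$newPassword = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString

# An administrative reset (not a user-initiated change) needs no old password and is
# the action the post describes as triggering the immediate sync.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
# Uncomment to make the user pick their own password at next logon:
# Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Poll the Application log for up to two minutes for a sync result for this user.
$deadline = $start.AddMinutes(2)
$result = $null
do {
    Start-Sleep -Seconds 10
    $result = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        Id           = 657   # password change result (656 is the request)
        StartTime    = $start
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($user.DistinguishedName) }
} while (-not $result -and (Get-Date) -lt $deadline)

if ($result) {
    Write-Host "Password sync result for $SamAccountName found:"
    $result | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Warning ("No sync result (event 657) for $SamAccountName within 2 minutes. " +
        "Check that password sync is enabled with Get-ADSyncAADPasswordSyncConfiguration.")
}
```

If no result event appears, the reset still happened on-prem; the missing event points at the sync configuration, not at AD.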


Forest vs Domain Functional Level

This is another small issue that I spent more time on than I needed to.

Noticing a trend yet?

What might not be apparent to some is that domain functional level and forest functional level are changed in two separate yet similar locations. I ran into this when trying to install a 2012 R2 DC into a 2003 environment.

To change the domain functional level, you do it from AD Domains and Trusts, on the object named for the domain.

To change the actual forest functional level, you need to go up one node in the tree.

One small click for man, one giant difference for your environment...or something like that, I'm not an astronaut.

Monday, May 23, 2016

Labbing out Exchange 2003 in 2016

Cutting my teeth on Exchange 2013 means I had it easy compared to the days of old. As a project I had to go back and stand up a brand new Exchange 2003 environment in my lab.

To be fair, this was not as painful as I had imagined.

There were some leftover ideas from days gone by that immediately stood out to me, such as having to change from disc 1 to disc 2 during the installation and schema update, the overall design of the interface, the lack of CLI tools, and good old /exchange.

My first true test, which I failed, came in the form of SSL and not knowing the way 2003 works. 2007 and up come with a self-signed certificate for HTTPS; 2003 does not. I spent 2 days trying to figure out why HTTPS would not work on my /exchange directory until I realized that I either needed to stand up an internal CA or get a trusted third-party cert. Here is a link that shows my pleas to Reddit for help (spoiler: not the first or last time this will happen).

Lesson learned.

I ended up going with a third-party SAN cert with the names,,, and in preparation for what is to come.