Sunday, December 18, 2011

Exchange 2010 Outbound Mail Error

Mail can be received normally but cannot be sent; the error message is as follows:
451.4.4.0 Primary Target IP address responding with : "421.4.4.2 Connection dropped due to a ConnectionReset" Attempted failover to alternate host but did not succeed...

Solution:
1. Confirm that DNS name resolution is working.
2. Confirm that the firewall has the required service port open.
3. From the Exchange server and from the Exchange Edge server, use Telnet to talk to the external mail server.

* If all of the above have been checked, and step 3 confirms that you still cannot communicate with the external mail server, your ISP may be filtering SMTP port 25 on the service line. Ask the ISP to reset the line and the problem will be resolved.
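The three checks above as a script, added here as an example (not from the original post). It assumes PowerShell 2.0 on Windows Server 2008 R2, so it uses nslookup and .NET sockets rather than newer cmdlets, assumes English nslookup output, and the domain name is a placeholder.

```powershell
# Step 1: DNS resolution of the recipient domain's MX hosts.
function Get-MxHosts {
    param([string]$Domain)
    # Parse "mail exchanger = host" lines from nslookup output (English locale assumed)
    $out = & nslookup -type=mx $Domain 2>&1 | Out-String
    $hosts = [regex]::Matches($out, 'mail exchanger = (\S+)') |
        ForEach-Object { $_.Groups[1].Value.TrimEnd('.') }
    return @($hosts | Sort-Object -Unique)
}

# Steps 2 and 3: open TCP/25 and read the banner, as a manual "telnet host 25" would.
function Test-SmtpBanner {
    param([string]$SmtpHost, [int]$Port = 25, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($SmtpHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK at all: typical of a firewall or an ISP filtering port 25
            return New-Object PSObject -Property @{ Host = $SmtpHost; Result = 'TIMEOUT (port 25 filtered?)' }
        }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()            # a healthy MTA answers "220 ..."
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.AutoFlush = $true
        $writer.WriteLine('QUIT')               # close the session cleanly
        return New-Object PSObject -Property @{ Host = $SmtpHost; Result = $banner }
    } catch {
        # A reset here is the same symptom as the "421 4.4.2 ... ConnectionReset" above
        return New-Object PSObject -Property @{ Host = $SmtpHost; Result = "ERROR: $($_.Exception.Message)" }
    } finally {
        $client.Close()
    }
}

# Run once on the Hub Transport server and once on the Edge server, then compare.
foreach ($mx in Get-MxHosts -Domain 'example.com') {   # placeholder domain
    Test-SmtpBanner -SmtpHost $mx
}
```

If the Edge server times out on every MX host while the same hosts answer from another network, that points at the ISP filtering described in the note above rather than at Exchange.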

Saturday, November 12, 2011

Deploying the Lync Client with an AD GPO

Solution:

Deploying the Lync client through Windows Active Directory Domain Group Policy involves three main steps:
* Obtain the Lync.msi package file
* Add the UseMSIForLyncInstallation (DWORD) registry key on each client that will receive the deployment
* Create a Windows Active Directory GPO to deploy the Lync.msi file

The reference information collected below may also help:

Obtaining the Lync.msi package file:
First install the full Lync client on one Windows client. After installation completes, the Lync.msi package can be found in the %Program Files%\OCSetup\ or %Program Files(x86)%\OCSetup directory.

Adding the registry key on clients to allow deployment of the Lync.msi package:
Following the Knowledge Base article http://support.microsoft.com/kb/2477965/en-us, add a UseMSIForLyncInstallation (DWORD) registry value of 1 on every Windows client that will receive the Lync client.

The following documents describe how to add the registry key above on each Windows client.
How to add, modify, or delete registry subkeys and values by using a registration entries (.reg) file
http://support.microsoft.com/kb/310516/en-us
Distributing Registry Changes
http://technet.microsoft.com/en-us/library/bb727154.aspx

Deploying Lync.msi through Active Directory Group Policy:
For deploying applications through AD GPO, refer to the following Knowledge Base articles:
How to use Group Policy to remotely install software in Windows Server 2003 and in Windows Server 2008
http://support.microsoft.com/kb/816102/en-us
How to use Windows Installer and Group Policy to deploy the VPModule.msi in an Active Directory domain
http://support.microsoft.com/kb/887405/en-us (replace VPModule.msi in that article with Lync.msi)
How to assign software to a specific group by using Group Policy
http://support.microsoft.com/kb/302430/en-us
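The registry step above as a script that can run as a GPO startup script before the Lync.msi assignment applies, added here as an example (not from the original post). The key path is the one used in KB2477965; verify it against that article for your client version before deploying.

```powershell
# Key path per KB2477965 (verify against the article before use)
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Communicator'

function Set-LyncMsiInstallFlag {
    param([string]$Path = $KeyPath)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null      # create the key if it does not exist
    }
    # DWORD value 1 lets the Lync.msi package install on this client
    Set-ItemProperty -Path $Path -Name 'UseMSIForLyncInstallation' -Value 1 -Type DWord
}

function Test-LyncMsiInstallFlag {
    param([string]$Path = $KeyPath)
    $prop = Get-ItemProperty -Path $Path -Name 'UseMSIForLyncInstallation' -ErrorAction SilentlyContinue
    # True only when the value exists and is exactly 1
    return ($prop -ne $null -and $prop.UseMSIForLyncInstallation -eq 1)
}

Set-LyncMsiInstallFlag
if (-not (Test-LyncMsiInstallFlag)) {
    Write-Error "UseMSIForLyncInstallation is not set to 1 under $KeyPath"
    exit 1
}
"UseMSIForLyncInstallation=1 confirmed under $KeyPath"
```

Running the check function alone on a sample of clients is a quick way to see which machines the GPO has not reached yet.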

Tuesday, November 1, 2011

Burning an ISO image directly in Windows 7

Usage:
1. After downloading the disc image, right-click the file and choose "Open with" → "Windows Disc Image Burner" to burn the disc with the tool built into Windows 7.

2. In the "Disc burner" list, select your burner and click "Burn" to start. When burning finishes the drive tray opens automatically; remove the disc and click "Close" to finish.

The destination server is currently rejecting replication requests

The error message is as follows:


Solution:
Try checking the following:
1. Check whether the Netlogon service is started, or restart the service.
2. Check whether the value "DSA Not Writable" exists under HKLM\System\CCS\Services\NTDS\Parameters. If it does, delete it and reboot.
3. Check whether repadmin /options dc1 still shows the two options below; if so, run the following commands again:
repadmin /options DC1 -DISABLE_INBOUND_REPL
repadmin /options DC1 -DISABLE_OUTBOUND_REPL
4. Check whether repadmin /options dc2 still shows the two options below; if so, run the following commands again:
repadmin /options DC2 -DISABLE_INBOUND_REPL
repadmin /options DC2 -DISABLE_OUTBOUND_REPL
5. The replication-refused problem is resolved.
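A read-only check of items 1 to 4 above on one DC, added here as an example (not from the original post). It changes nothing and only reports what would need to be fixed; it assumes it runs locally on the DC as a domain administrator and that repadmin.exe is installed.

```powershell
function Test-DcReplicationState {
    param([string]$DcName = $env:COMPUTERNAME)
    $findings = @()

    # 1. Netlogon must be running or other DCs will not accept this DC's replication
    $netlogon = Get-Service -Name Netlogon
    if ($netlogon.Status -ne 'Running') { $findings += "Netlogon service is $($netlogon.Status)" }

    # 2. "DSA Not Writable" under NTDS\Parameters marks the DC as refusing writes and replication
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsa = Get-ItemProperty -Path $ntds -Name 'DSA Not Writable' -ErrorAction SilentlyContinue
    if ($dsa -ne $null) {
        $findings += "'DSA Not Writable' is present under $ntds (value $($dsa.'DSA Not Writable'))"
    }

    # 3/4. repadmin /options lists DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL when they are set
    $options = & repadmin /options $DcName 2>&1 | Out-String
    foreach ($flag in 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL') {
        if ($options -match $flag) {
            $findings += "repadmin reports $flag on $DcName (clear with: repadmin /options $DcName -$flag)"
        }
    }

    if ($findings.Count -eq 0) { return "$DcName: no replication blockers found" }
    return $findings
}

Test-DcReplicationState -DcName 'DC1'   # run on DC1, then again on DC2
```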

Tuesday, September 13, 2011

RDP connection to Remote Desktop server running Windows Server 2008 R2 may fail with message 'The Local Security Authority cannot be contacted'.

Symptoms:
When attempting to establish a remote desktop connection using RD client (mstsc.exe) to a Remote Desktop server which is running Windows Server 2008 R2, you may encounter any of these messages:

The connection cannot be completed because the remote computer that was reached is not the one you specified. This could be caused by an outdated entry in the DNS cache. Try using the IP address of the computer instead of the name.

Or

An authentication error has occurred.
The Local Security Authority cannot be contacted

Solution:
Remote Desktop in Windows Server 2008 R2 offers three types of secure connections:

Negotiate: This security method uses TLS 1.0 to authenticate the server if TLS is supported. If TLS is not supported, the server is not authenticated.
RDP Security Layer: This security method uses Remote Desktop Protocol encryption to help secure communications between the client computer and the server. If you select this setting, the server is not authenticated.
SSL: This security method requires TLS 1.0 to authenticate the server. If TLS is not supported, you cannot establish a connection to the server. This method is only available if you select a valid certificate.

To resolve the issue, change the remote desktop security on the RD server to RDP Security Layer to allow a secure connection using Remote Desktop Protocol encryption. Below are the steps:

1. Navigate to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
2. With RD Session Host Configuration selected, look under Connections.
3. Right click RDP Listener with connection type Microsoft RDP 6.1 and choose Properties.
4. In general tab of properties dialog box under Security, select RDP Security Layer as the Security Layer.
5. Click OK.

Note: This setting does not need a restart of the Server or Remote Desktop Service.

Reference: RDP connection to Remote Desktop server running Windows Server 2008 R2 may fail with message 'The Local Security Authority cannot be contacted'.

Saturday, September 3, 2011

EMC Initialization Failed

After installing the two Client/Hub/Mailbox servers I can not get into the EMC and get the following error:

Initialization failed

The following error occurred when getting user information for 'DOMAIN\administrator':
The operation couldn't be performed because object 'S-1-5-21-502790489-3747709401-3226269444-500' couldn't be found on 'Servername.domain.com'. It was running command 'Get-LogonUser'.

The problem above is caused by a SID conflict, which prevents the EMC from working and produces the error on startup.

Solution:
1. First remove the Exchange 2010 server from the domain.
2. After leaving the domain, reboot and log in.
3. After logging in, run Sysprep.
4. After Sysprep, reboot and log in.
5. After logging in, join the Exchange 2010 server to the domain again.
6. After joining the domain, reboot.
7. After logging in, open the EMC; the error message no longer occurs and the problem is resolved.

Thursday, July 14, 2011

Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109)

You may get this error during certificate request/assign.

Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109)

Install the Root CA cert chain on the server and run the wizard again to resolve the problem.

Lync 2010 Server Control Panel returns that error "Insufficient access rights to perform the operation" when attempting a move user or enable user command

When using the Lync 2010 Server Control Panel to enable or move an Active Directory, directory service domain user for use with Lync Server 2010 the following errors are returned:

Active Directory operation failed on "DC1.contoso.com". You cannot retry this operation: "Insufficient access rights to perform the operation"

The error that is described in the SYMPTOMS section of this article is caused by the combination of the following two reasons:

*The user account that is part of the Lync 2010 Server move or enable operation is a member of an Active Directory, directory service protected domain security group. Since the user account belongs to a protected domain security group it is unable to keep the RTCUniversalUserAdmins and RTCuniversalUserReadOnlyGroup Universal Security groups and their permissions as Access Control Entries (ACEs) to the protected domain security group's default Access Control List (ACL).
*The Lync 2010 Server Control Panel is not designed to delegate the permissions that are needed to complete the user account move or enable operation

Use the Lync Server Management Shell to run the following Lync 2010 Server PowerShell cmdlets to perform the user account enable or move operations:


Enable-CsUser -Identity "Bill Anderson" -RegistrarPool "pool01.contoso.com" -SipAddressType EmailAddress -SipDomain contoso.com

To view a list of examples for the usage of the Enable-CsUser Lync Server 2010 PowerShell cmdlet use the Lync Management Shell and enter the following PowerShell cmdlet: Get-Help Enable-CsUser -Examples

Move-CsUser -Identity "Bill Anderson" -Target "pool01.contoso.com"

To view a list of examples for the usage of the Move-CsUser Lync Server 2010 PowerShell cmdlet use the Lync Management Shell and enter the following PowerShell cmdlet: Get-Help Move-CsUser -Examples

Move-CsLegacyUser -Identity "Bill Anderson" -Target "pool01.contoso.com"

To view a list of examples for the usage of the Move-CsLegacyUser Lync Server 2010 PowerShell cmdlet use the Lync Management Shell and enter the following PowerShell cmdlet: Get-Help Move-CsLegacyUser -Examples
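A pre-check for the first cause listed above, added here as an example (not from the KB article): it reads the target account's adminCount attribute through ADSI (no AD module needed) to see whether AdminSDHolder protection applies, and if so goes straight to the cmdlet path instead of the Control Panel. The account name and pool are sample values.

```powershell
function Test-ProtectedAccount {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('adminCount')
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "User $SamAccountName not found in the current domain" }
    # adminCount=1 is stamped by the AdminSDHolder process on members of protected groups;
    # such accounts do not keep the RTCUniversal* ACEs, hence "Insufficient access rights"
    $adminCount = $result.Properties['admincount']
    $protected = ($adminCount.Count -gt 0 -and $adminCount[0] -eq 1)
    New-Object PSObject -Property @{
        SamAccountName = $SamAccountName
        Protected      = $protected
        MemberOf       = @($result.Properties['memberof'])
    }
}

$account = Test-ProtectedAccount -SamAccountName 'banderson'   # sample account
if ($account.Protected) {
    Write-Warning "$($account.SamAccountName) is AdminSDHolder-protected; using the Management Shell cmdlet."
    Enable-CsUser -Identity 'Bill Anderson' -RegistrarPool 'pool01.contoso.com' -SipAddressType EmailAddress -SipDomain contoso.com
} else {
    "$($account.SamAccountName) is not protected; the Control Panel or the cmdlet can be used."
}
```

The MemberOf list in the result shows which protected group (Domain Admins, Account Operators, and so on) is causing the stamping, which is what a reviewer of the account would want to see.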

KB2466000

Lync Server Installation Error: Prerequisite installation failed: Wmf2008R2

Trying to Install Lync 2010 on Server 2008 R2 SP1, the installation failed with the following error while adding the first Lync Server Components:

“C:\Windows\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum” Cannot be found.

I looked for that file. It's nowhere to be found. But it looks like it has a different version:

%systemroot%\system32\dism.exe /online /add-package /packagepath:%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum

I copied the file name mentioned in the error message, changed both file names (both .cat and .mum, didn't know if they need each other during installation) and tried installing again. That solved the problem. YA!!!

The official workaround for this issue has been released in Microsoft KB2522454

Tuesday, July 12, 2011

How to confirm the Build Number of an Exchange Update Rollup

For Exchange 2007 and later, after a Rollup hotfix is applied the build number refers to the version of ExSetup.exe in the Exchange Setup Folder\BIN directory.

See the explanation in the official blog post:
http://blogs.technet.com/b/exchange/archive/2010/03/08/dude-where-s-my-rollup.aspx


So running the following command returns the correct Build Number:

Reference: Exchange Server and Update Rollups Builds Numbers
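The ExSetup.exe version check described above, added here as an example (not from the original post). It runs in the Exchange Management Shell, where ExSetup.exe is on the path, and optionally compares the result with the build you expect after the rollup; the expected build in the usage line is a sample value.

```powershell
function Get-ExchangeBuild {
    param([string]$ExpectedBuild)
    $cmd = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    if ($cmd -eq $null) { throw 'ExSetup.exe not found on the path; run this from the Exchange Management Shell.' }
    # The raw FileVersion string is zero-padded (e.g. 14.01.0339.001), so cast it to [version]
    # before comparing with the build numbers published for each rollup.
    $version = [version]$cmd.FileVersionInfo.FileVersion
    $isMatch = $null
    if ($ExpectedBuild) { $isMatch = ($version -eq [version]$ExpectedBuild) }
    New-Object PSObject -Property @{
        Path        = $cmd.Definition
        FileVersion = $version.ToString()
        Matches     = $isMatch
    }
}

Get-ExchangeBuild -ExpectedBuild '14.1.339.1'   # sample build; use the rollup's published build
```

A Matches value of False after a rollup install usually means the rollup was applied to a different server or did not complete, which is worth knowing before patch compliance is reported.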



Expired Exchange 2007 Certificate

When the Exchange 2007 certificate expires, services stop working; the old certificate must then be renewed with a new validity period.

First run the following command in the Exchange Management Shell to confirm whether the certificate has expired:
Get-ExchangeCertificate | Format-List

After running the command above, note the thumbprint of the expired certificate, then run the following command to renew it:
Get-ExchangeCertificate -Thumbprint "XXXXXXXXXXXX Old" | New-ExchangeCertificate

Next, run the following command to confirm that the certificate's expiration date has been extended:
Get-ExchangeCertificate -Thumbprint "XXXXXXXXXXXX New" | fl

Once confirmed, run the following command to assign the renewed certificate to the relevant services:
Enable-ExchangeCertificate -Thumbprint "XXXXXXXXXXXX New" -Services IIS

When all of the above is done, run the following command to remove the expired certificate:
Remove-ExchangeCertificate -Thumbprint "XXXXXXXXXXXX Old"
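A check that finds certificates before they expire, so the renewal above can be done ahead of the outage, added here as an example (not from the original post). It runs in the Exchange Management Shell and uses only the properties Get-ExchangeCertificate already returns.

```powershell
function Get-ExpiringExchangeCertificate {
    param([int]$WithinDays = 30)
    $now = Get-Date
    $cutoff = $now.AddDays($WithinDays)
    Get-ExchangeCertificate | Where-Object { $_.NotAfter -le $cutoff } | ForEach-Object {
        $daysLeft = [int]($_.NotAfter - $now).TotalDays
        New-Object PSObject -Property @{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft                  # negative means already expired
            Services   = $_.Services.ToString()     # e.g. "IIS, SMTP": these must be re-bound
        }
    }
}

# Any entry whose Services includes IIS or SMTP is the one to renew with
# New-ExchangeCertificate and re-enable with Enable-ExchangeCertificate as shown above.
Get-ExpiringExchangeCertificate -WithinDays 30 | Sort-Object NotAfter | Format-Table -AutoSize
```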

Sunday, July 10, 2011

Exchange 2010 #554 5.6.0 NDR

Exchange 2010 users connect normally and send mail to the Internet without errors, but mail sent from the Internet to Exchange 2010 users produces the following #554 5.6.0 NDR:

#554 5.6.0 STOREDRV.Deliver.Exception:MailboxInfoStaleException.DatabaseNotFoundException; Failed to process message due to a permanent exception with message ExchangePrincipal ; DatabaseNotFoundException: 8146963c-c733-40a1-a82a-ac5c645a4602 ##

This problem occurs because the disk volume holding the Exchange database has run out of space. Free up space by taking a manual backup, or enable circular logging to reduce the database footprint; after doing so, restart the Exchange services and delivery returns to normal.

Reference:
http://technet.microsoft.com/en-us/library/bb331958.aspx

How to completely remove an OCS Server

1. Disable the SIP-enabled user accounts
2. Deactivate the server roles in the following order

Response Group Service
Outside Voice Control
Conferencing Announcement Service
Conferencing Attendant
Application Host
Application Sharing Server
A/V Conferencing Server
Web Conferencing Server
Web Components Server
Front End Server - If deactivation fails, run this again but check the force option.

3. After deactivating the roles, uninstall the applications in the following order

Application Host
Application Sharing Server
Audio/Video Conferencing Server
Conferencing Announcement Service
Conferencing Attendant
Outside Voice Control
Response Group Service
Web Conferencing Server
Standard Edition Server (Front-End)
Managed API 2.0 Core 64-bit
Managed API 2.0 Speech x64
Managed API 2.0 Windows Workflow Activities Server Speech Language Pack
OCS 2007 R2 Administrative Tools
Web Components Server
Core Components

4. If needed, remove the OCS server from the domain and delete its AD computer account, then remove its A record and SRV records from the DNS server. This completely removes the OCS server.

Tuesday, May 3, 2011

How-to Renew Windows 2003 Domain Controller Client Authentication Certificates

How to verify the Enterprise CA Root Certificate

On the server hosting the Enterprise CA:

1. Load the Certificates MMC and then target it at the computer account (Start run, MMC, File Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK)
2. Expand the Certificates (Local Computer) and then the Trusted Root Certification Authorities subfolder, then the Certificates folder.
3. Locate the CA Root Certificate and verify the Expiration date.

How to renew the Enterprise CA Root Certificate

On the server hosting the Enterprise CA:

1. Load the Certification Authority Tool (Start, Administrative Tools, Certification Authority)
2. Under 'Certification Authority (Local)', right-click the CA and choose All Tasks and then Renew CA Certificate ...
3. Follow the wizard to renew the CA certificate.

Verify that the Autoenrollment Policy is configured on the Enterprise CA

Before renewing or reissuing client authentication certificates on a DC server, you need to verify that autoenrollment is correctly configured. On the server hosting the Enterprise CA:

1. Load the Certificate Templates MMC (Start run, MMC, File Add/Remove Snap-in, Add, Certificate Templates, Add, Close, OK)
2. Find the Domain Controller Authentication template and double-click it
3. Select the Security tab
4. Find the Domain Controllers entry and make sure Enroll and Autoenroll are checked in the permissions
5. Click OK.

Steps to Renew a soon-to-expire certificate

On the DC server:

1. Load the Certificates MMC and then target it at the computer account (Start run, MMC, File Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK)
2. Expand the Certificates (Local Computer) and then the Personal subfolder, then the Certificates folder.
3. Locate the Client Authentication certificate for the Domain Controller and verify the Expiration date.
4. If the certificate has not expired, right-click the certificate, choose All Tasks and then Renew Certificate with Same Key ...
5. Complete the wizard.
6. Run a GPUPDATE /FORCE to force autoenrollment to issue a replacement of the existing certificate.

Steps to Replace an expired certificate

On the DC server:

1. Load the Certificates MMC and then target it at the computer account (Start run, MMC, File Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Next, Finish, Close, OK)
2. Expand the Certificates (Local Computer) and then the Personal subfolder, then the Certificates folder.
3. Locate the Client Authentication certificate for the Domain Controller and verify the Expiration date.
4. If the certificate has expired, right-click the certificate, choose All Tasks and then Request Certificate with Same Key ...
5. Complete the wizard.
6. Run a GPUPDATE /FORCE or reboot the DC server to force autoenrollment to replace the expired certificate.
7. Verify that a replacement certificate has been issued to the DC server in the Certificates folder (step 2).
8. If a replacement certificate was not issued, delete the expired certificate and rerun GPUPDATE /FORCE.

Renewing an IIS 5 or IIS 6 SSL Certificate

1. Open the Internet Information Services (IIS) Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager.
2. In IIS Manager, double-click the local computer, and then double-click the Web Sites folder.
3. Right-click the Web site for which you want to renew the SSL certificate (usually the Default Web Site), and then click Properties.
4. On the Directory Security tab, under Secure communications, click Server Certificate.
5. Click Next in the Welcome to the Web Server Certificate Wizard window.
6. Select Renew the current certificate, then click Next. Note that doing this will not affect your current live certificate. It will continue to work as before.
7. Select Prepare the request now, but send it later.
8. Enter a path and file name for the certificate request file (CSR). The path you provide is where the IIS wizard will save the CSR as a text file. The default path will be c:\certreq.txt . You'll need to be able to find and open this file in a text editor, such as Notepad.
9. Verify the contents of your request and then click Next.
10. At the Completing the Web Server screen, select Finish.
11. Now open a text editor such as Notepad and open the CSR file you just created at c:\certreq.txt (your path/filename may be different).
12. Copy the certificate into a text editor such as Notepad and save as yourdomain.cer on your desktop.
13. Return to the Directory Security tab of your site and click Server Certificate and select Process the pending request and install the certificate. Click Next.
14. Locate the yourdomain.cer file when prompted to locate your web server certificate. Click Next.
15. Review the summary screen and ensure that you are processing the correct certificate (check the expiration date). Click Next.
16. Click Next and then Finish on the confirmation screen. Your SSL certificate has now been renewed.

Thursday, April 28, 2011

Understanding the Lync Server 2010 Planning Tool

The Microsoft Lync Server 2010 Planning Tool helps design Lync Server 2010 deployments. A new feature of the Lync Server Planning Tool gives you the ability to design a virtualized server environment as well as physical deployments. There has been some confusion on the output generated by the Planning Tool. This article discusses some issues with the tool and how to interpret the data generated. It also highlights other tools to help with your designs.

Reference: Understanding the Lync Server 2010 Planning Tool

Tuesday, April 26, 2011

Can DAG members span different AD Domains (in the same Forest)?

After checking, you can refer to the DAG member requirements in the following official TechNet document:

Planning for High Availability and Site Resilience


It states the following, as shown in the figure:

From the above, all members of an Exchange 2010 DAG must be in the same domain, so building one Exchange 2010 DAG member in each of two different domains is not supported.
You can, however, build separate Exchange 2010 DAGs in different AD domains, for example DAG-A-Domain in domain A and DAG-B-Domain in domain B, to provide high availability for domains A and B respectively.
Alternatively, you can split domain A into two AD sites and place one of them at domain B's location, which gives domain A's DAG a site-resilience (remote failover) mechanism.

Saturday, April 23, 2011

The Exchange Server 2010 Setup On Hyper-V Fails With 2147504141 Error

When installing Exchange 2010 on Hyper-V, setup fails partway through with the following error message:

"An error occurred with error code ‘2147504141′ and message ‘The property cannot be found in the cache.’"

Solution:
1. Open the Hyper-V Manager console.
2. Locate and Right-click the virtual machine on which you want to install Exchange Server 2010, and then click Settings.
3. Click the Management section in the Settings tab, and then click Integration Services.
4. Click to clear the Time synchronization check box, and then click OK.
5. Reinstall Exchange Server 2010 on the virtual machine.

Or see this link: Error message when the Exchange Server 2010 setup on a Hyper-V virtual machine fails: "2147504141"

Can’t Install Exchange 2010 SP1 with Error

When updating to Exchange 2010 SP1, the following error occurs and the SP1 update cannot continue:

Some controls aren't valid. Setup previously failed while performing the action "Install". You can't resume setup by performing the action "BuildToBuildUpgrade".


Solution:
1. Open regedit and locate the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\
2. Under the key for the Exchange role being installed (MailboxRole in this example), find the value named Action
3. To be safe, back up the registry before making any changes
4. Delete the Action value

After deleting the value, rerun Exchange SP1 setup and the update proceeds normally.

Friday, April 22, 2011

Enable presence status “Appear Offline”

Run the following commands in PowerShell on the Lync Server to enable the "Appear Offline" status for the Lync client:

Set-CsClientPolicy -EnableAppearOffline $true

Get-CsClientPolicy

Lync Database Creation Error

When deploying the Lync Server Monitoring Server role, the following error occurs during installation while creating the new databases:

Running script: C:\Windows\system32\cscript.exe //Nologo "C:\Program Files\Common Files\Microsoft
Lync Server 2010\DbSetup\RtcCdrDbSetup.wsf" /sqlserver:sql.schertz.local\lync
/serveracct:SCHERTZ\RTCComponentUniversalServices /dbpath:C:\CsData\MonitoringStore\
lync\dbpath /logpath:C:\CsData\MonitoringStore\lync\logpath /logsize:1024 /verbose
—————
Installed SQL Server 2005 Backward Compatibility version is 8.05.2312
Connecting to SQL Server on sql.schertz.local\lync
SqlMajorVersion : 10
SqlMinorVersion : 0
SqlBuildNo : 2531
SQL version is acceptable: 10.0.2531.0
Opened database LcsCDR

Db version unknown. Clean install required.
(Major upgrade of database required.)

Due to schema changes this database cannot be re-used. It must be dropped and a new one created.
To preserve data, you must use this product’s backup/export restore/import solution. Examine the product documentation for instructions.
—————
Exit code: ERROR_NEED_MAJOR_UPGRADE_USE_IMP_EXP (-50)
—————

Solution:
■ Run Topology Builder and remove the Monitoring Server role from the topology; then close Topology Builder and publish the changed settings
■ Connect to the SQL server and, in SQL Management Studio, locate and delete the LcsCDR and QoEMetrics databases
■ Rerun Topology Builder and add the Monitoring Server role again. Installation now proceeds normally and the earlier SQL 'Db version unknown' error no longer occurs

SQL Server Error During Lync Install

During Lync Server installation, the following error occurs, i.e. ERROR_VALIDATE_BAD_SQL_VERSION:

Error: Script failed (code "ERROR_VALIDATE_BAD_SQL_VERSION") when installing "CentralMgmtStore" on "N-HCLT-LYNCSQL.hclt.corp.hcl.in". For details, see the following log file: "C:\Users\hcltocs\AppData\Local\Temp\Create-CentralMgmtStore-N-HCLT-LYNCSQL.hclt.corp.hcl.in-[2010_10_18][14_11_55].log"

Error: An error occurred: "Microsoft.Rtc.Common.Data.SqlConnectionException" "Cannot open database "xds" requested by the login. The login failed.
Login failed for user 'HCLTECH\hcltocs'."


This problem is caused by the version of the back-end SQL Server: the SQL Server version chosen as the back end during installation is not supported by Lync Server. The SQL Server versions currently supported by Lync Server are listed below for reference.

*Standard or Enterprise Edition of SQL Server 2005 with Service Pack 3
*Standard or Enterprise Edition of SQL Server 2008 with Service Pack 1

Friday, April 8, 2011

What are the differences between Windows NLB and a hardware NLB solution, and which is recommended?

First you need to understand the differences between the Network Load Balancing affinity types.

The NLB affinity types are described below:
Existing Cookies:
This affinity method uses cookie information passed in the client/server session to perform load balancing.

This method only applies to the HTTP protocol and not to any RPC-based clients.

OWA uses forms-based authentication, so it is well suited to this affinity method or to the Application Cookies affinity method.

Load Balancer Cookies:
This affinity method is similar to Existing Cookies, except that the cookies are generated by the load balancer rather than taken from the cookie information passed in the client/server session.

Like Existing Cookies, it applies only to HTTP load balancing; unlike Existing Cookies, the client must also support load balancer-generated cookies.

Exchange ActiveSync, Outlook Anywhere, and some Exchange Web Services do not support this load-balancing method.

OWA, Exchange Control Panel, and Remote Windows PowerShell are suited to this affinity method.

Source IP:
Source IP is currently the most common and widely used affinity method.

The load balancer records the client's source IP and the destination server's IP; all traffic from the same source IP is directed to the same destination server for a specified period.

This method has two main drawbacks:
1. If a client changes its IP address frequently, affinity is broken (fails), and the client may be required to re-authenticate.

If clients in your environment change IP addresses frequently (for example, mobile phone or mobile device users moving between wireless AP coverage areas), this affinity method is not suitable.

2. If clients in your environment share the same source IP (for example, all access goes through NAT), load balancing fails.

When all clients use the same source IP, the load balancer cannot distribute client traffic evenly across the destination servers; all client traffic goes to the same destination server and the load becomes unbalanced.

SSL Session ID:
An SSL Session ID is generated when the client begins the SSL handshake.

Using the SSL Session ID has two advantages:
1. Compared with Source IP affinity, the SSL Session ID can distinguish clients that share the same source IP.

2. Using the SSL Session ID does not require decrypting the SSL traffic.

SSL Session ID is not suitable for all client access. For example, Microsoft IE8 creates a new SSL session for each browser process, which causes load balancing with this affinity method to fail for those clients.

Next, refer to the load-balancing recommendations for Exchange Server 2010 client access.


For Network Load Balancing for Client Access Servers, see the following two TechNet articles:
Understanding Load Balancing in Exchange 2010
Load Balancing Requirements of Exchange Protocols

The table below compares the load balancers:


From the table above, software NLB has the following drawbacks:
O It cannot be used together with Windows Failover Clustering, i.e. if the customer runs all three roles on one server with DAG high availability enabled, Windows NLB cannot be used.

O Service health checks are not supported.

Because software NLB only checks network-layer connectivity and cannot check application-layer service availability, if the IIS service fails on a CAS server in the NLB cluster the load balancer keeps sending client traffic to that CAS server, causing client access and load balancing to fail.

O Based on our test results, we do not recommend placing more than eight Exchange CAS/HUB servers in a Windows NLB cluster, because this causes performance problems.

O Only the Source IP affinity method is supported.

Conclusion: In an environment that requires high availability and high reliability, we recommend a hardware NLB solution as the first choice.

Monday, April 4, 2011

Configuring a DC as the Time Server

To configure one DC in the domain as the Time Server, first confirm which time source the DC currently points to.



If the time source does not point to the correct server, use the following commands to set it.



After setting the time source, do a final check; once confirmed, the configuration is complete.



Tips:
• Confirm that the W32Time service is set to start automatically.
• Confirm that the firewall allows UDP port 123 through.
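The w32tm commands behind the steps above, together with the two tips, added here as an example (the post's own command screenshots are not reproduced; these are the standard w32tm commands, not necessarily the author's exact ones). The peer list is a placeholder, and the w32tm/netsh output is assumed to be in English.

```powershell
$Peers = 'time.windows.com,0.pool.ntp.org'   # placeholder NTP peers; use your own

function Show-TimeSource {
    # "Local CMOS Clock" or "Free-running System Clock" here means no peer is configured yet
    & w32tm /query /source
}

function Set-DcTimeSource {
    param([string]$PeerList)
    # Point this DC at external NTP peers and mark it as a reliable source for the domain
    & w32tm /config /manualpeerlist:$PeerList /syncfromflags:manual /reliable:yes /update
    & net stop w32time
    & net start w32time
    & w32tm /resync /nowait
}

function Test-TimeServicePrerequisites {
    # Tip 1: W32Time must be set to start automatically
    $svc = Get-WmiObject Win32_Service -Filter "Name='W32Time'"
    $autoStart = ($svc.StartMode -eq 'Auto')
    # Tip 2: an enabled inbound firewall rule for UDP 123; parse each rule block from netsh
    $rules = & netsh advfirewall firewall show rule name=all 2>&1 | Out-String
    $blocks = $rules -split 'Rule Name:'
    $udp123 = @($blocks | Where-Object {
        $_ -match 'Enabled:\s+Yes' -and $_ -match 'Direction:\s+In' -and
        $_ -match 'Protocol:\s+UDP' -and $_ -match 'LocalPort:\s+123\b'
    }).Count -gt 0
    New-Object PSObject -Property @{ W32TimeAutoStart = $autoStart; Udp123InboundRule = $udp123 }
}

Show-TimeSource                    # before
Set-DcTimeSource -PeerList $Peers
Show-TimeSource                    # after: should now name one of the peers
Test-TimeServicePrerequisites
```

Member servers and other DCs should be left on the default domain hierarchy (syncfromflags:domhier) so that only this DC talks to the external peers.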

Wednesday, March 30, 2011

Performance impact of virtualizing Windows DCs

When considering virtualizing all Windows Domain Controllers, you may first want to confirm whether this affects their performance or other applications. See the official planning guide for virtualized DCs:

Planning Considerations for Virtualized Domain Controllers

That document lists the advantages and disadvantages of virtualized Domain Controllers, as shown in the figure:




It also states that, on equivalent hardware in a fairly complex environment, a virtualized Domain Controller performs 2~12% worse than one on a physical machine. In other words, even under the strictest conditions, unless the customer's physical Domain Controllers are already regularly running at full load, virtualizing them will not have a major performance impact on the existing environment.

The same article contains a chart comparing Domain Controller performance on physical and virtual machines:



In addition, in a medium to large environment it is recommended to keep the Domain Controller holding the PDC Emulator role on a physical machine rather than virtualizing it, as explained in the figure below.



Finally, to avoid an outage of the entire AD domain caused by a problem with the Hyper-V host or the virtualization software itself, it is recommended to keep at least 1~2 Domain Controllers in each AD domain running on physical machines.



If your environment includes Exchange Server, then for Exchange performance in a medium to large environment (more than 500 mailboxes) that makes heavy use of distribution groups, we recommend that the Domain Controllers acting as Global Catalog (GC) servers run on physical machines for performance reasons.

Tuesday, March 29, 2011

Can Windows 2003 RMS coexist with Windows 2008 AD RMS?

See the official TechNet explanation:

Join additional servers to the AD RMS cluster



It states that once a newer AD RMS server is joined to a cluster of older Windows RMS servers, the Windows 2008/2008 R2 AD RMS changes the RMS configuration database schema, and the older Windows RMS servers can no longer process client RMS requests because of that change. Therefore, during an upgrade, after installing the first Windows 2008/2008 R2 AD RMS server you should immediately replace the remaining older Windows RMS servers.

The document also states that all RMS servers in an AD RMS cluster must run the same version of Windows Server. So the existing environment can upgrade or migrate Windows RMS, but RMS servers on two different Windows Server versions cannot serve RMS client requests at the same time.

Wednesday, March 23, 2011

Microsoft Excel Web App Error (Open & Edit from the Web Site)

Excel Web Access produces the error message shown in the text and figure below: "The file that you selected could not be found. Check the spelling of the file name and verify that the location is correct."



Solution:
In SharePoint 2010 Central Administration, under System Settings, configure AAM (Alternate Access Mappings): choose the local application and set the URL in the form "http://SharePointServer:10000". Then edit Public URLs, fill in your Internet URL in the Internet box, click OK, and test; it works!

Microsoft Word Web App Error (Edit from the Web Site)

On the MOSS web site, opening a Word document from the web page for preview works normally, but editing the Word document produces the error shown in the figure below.



Solution:
It is recommended to delete the web site and recreate it; this resolves the problem.

Monday, March 21, 2011

Does Windows KMS Server have a minimum count requirement for activation?

The current environment has five Windows Server 2008 licenses and fewer than 25 Windows 7 licenses; in this situation, can they all be activated through the KMS server?

For how Windows KMS Server works, see the FAQ:

http://www.microsoft.com/licensing/existing-customers/product-activation-faq.aspx

It describes KMS server activation as shown in the figure below:



From the figure above, to activate Windows Server 2008/2008 R2 through a KMS server, at least 5 servers on the network must have sent activation requests to the KMS server before it will activate them.

To activate Windows Vista or Windows 7, at least 25 client computers on the corporate network must have sent activation requests to the KMS server.

So in the current environment only the Windows Server 2008 servers can be activated through the KMS server; Windows 7 cannot (the count is below 25).

If the combined Windows 7 + Windows Vista count is below 25, Windows can instead be activated with a MAK key entered manually.

File Transfer Failures

Problem:
While attempting to upload a file using the Group Chat Client Console, the following error may be displayed :



Cause:
Group Chat Web Service is unable to write the file to the File Repository due to insufficient permissions.

Resolution:
In the properties of the MGCWebService virtual directory in IIS on the Group Chat server, configure Anonymous Access to use an account that is a member of the RTCComponentUniversalServices group.

By default, the IUSR account is used for Anonymous Access in IIS. This account does not have access to the File Repository (share) used by Group Chat.

Tuesday, March 15, 2011

Insufficient Display of Chat History

Problem:
Upon logging in to Group Chat, an insufficient amount of Chat History is displayed in the Group Chat Client Console.

Cause:
Product limitation, retrieval of backchat data from SQL database is expensive operation.

Resolution:
This is a perception issue, based on erroneous assumption of how product works.
Retrieval of chat history at user logon is limited to 50 lines, regardless of client setting. The decision was made to limit data retrieval upon user logon due to performance concerns. Chat History can still be searched, but only for Chat Rooms where Chat History is enabled.

Installation Failure – Multiple Domains

Problem:
Installing Group Chat into a different AD Domain than where OCS Groups exist will result in the following error:

* Error Applying Changes - Group 'RTCComponentUniversalServices' is not found in Active Directory

Cause:
Group Chat installer will only search for OCS Groups using the default naming context of the current domain.

Resolution:
1) Create a temporary set of OCS Groups that mirror the real OCS Groups and their membership in the Active Directory Domain where Group Chat will be installed.
2) Create a new security group called RTCGroupChatServices in the domain where Group Chat will be installed, and add the Group Chat service accounts to the membership of this group.
3) Add the RTCGroupChatServices group to the Message Queuing service with Full Control rights.
4) Install Group Chat.

Installation Failure on Windows 2008

Problem:
Installing Group Chat into a Windows 2008 server may result in the following error:



Cause:
Group Chat installer requires the SeImpersonatePrivilege right to create the MGCWebService virtual directory under the Default Web Site in IIS 7.0.


Resolution:
Run the installer using the elevated privileges of the built-in Administrator account.

On a Windows 2008 computer, this privilege is automatically granted in the security token of the Domain\Administrator account (Built-in account for administering the computer/domain), but not for other members of Domain Admins.  To prove this you can use the Whoami utility.

Whoami.exe /all (logged in as Domain\Administrator)

Monday, March 14, 2011

Allow Mailbox Access in Exchange 2010

Use the EMC to grant Full Access permission for a mailbox :

1. In the console tree, navigate to Recipient Configuration > Mailbox.
2. In the result pane, select the mailbox for which you want to grant Full Access permission.
3. In the action pane, under the mailbox name, click Manage Full Access Permission. The Manage Full Access Permission wizard opens.
4. On the Manage Full Access Permission page, click Add.
5. In Select User or Group, select the user to which you want to grant Full Access permission, and then click OK.
6. Click Manage.
7. On the Completion page, the Summary states whether Full Access permission was successfully granted. The summary also displays the Shell command used to grant Full Access permission.
8. Click Finish.

Use the Shell to grant Full Access permission for a mailbox :

Add-MailboxPermission "User A" -User "User B" -AccessRights FullAccess

Use the Shell to grant Receive As permission for a mailbox database :

Add-ADPermission -Identity "DB" -User "User A" -ExtendedRights Receive-As

* You can't use the EMC to grant Receive As permission for a mailbox database.

Wednesday, March 9, 2011

Adjusting the Outlook language

If Outlook's language after installation differs from the default Office language, follow these steps to correct it:

1. Start -> Microsoft Office -> Microsoft Office 2010 Tools -> Microsoft Office 2010 Language Preferences

2. After confirming that the default language matches the installed version, run: outlook.exe /resetfoldernames. When Outlook 2010 is reopened it should display in the default language.

Friday, February 25, 2011

Permission effects when DC and File Server are on the same machine

When the DC and the File Server are on the same machine, and within the same OU both delegated permissions and Server Operators group membership exist, the inherited permissions of users in that OU are affected: the "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here" checkbox on the account gets cleared.



Microsoft has a KB describing a fix for this problem, AdminSDHolder Thread Affects Transitive Members of Distribution Groups, but modifying AdminSDHolder can cause unexpected problems.

Two other solutions are suggested, on the condition that users in the OU are not added to the Server Operators group:

1. Use two separate servers for the DC and the File Server. The user can be given Full Control over the OU, and users in the OU can be added to the File Server's Power Users group.

2. If the DC also serves as the File Server, create an additional user account, e.g. OUadmin, for the user in question and give OUadmin Full Control over the OU. The user then has two accounts in AD: one with ordinary permissions for daily use and one for managing the OU.

Tuesday, February 22, 2011

The Name on the Security Certificate is invalid or does not match the name of the site

When internal users connect to Exchange 2010 through Outlook 2007 or Outlook 2010 MAPI clients, the security warning shown in the figure appears. The main cause is that when internal users connect to the Exchange server over https, the internal Exchange server connection name does not match the name on the external certificate.



Solution:
1. Use the EMC to change the Internal URL; the Internal URL must be the same name as the External URL



2. Or change the Internal URL through the Exchange PowerShell by running the following commands:

Set-OWAVirtualDirectory -Identity "ServerName\OWA (default web site)" -InternalURL https://XXX.XXX.XXX/OWA

Set-OABVirtualDirectory -Identity "ServerName\OAB (default web site)" -InternalURL https://XXX.XXX.XXX/OAB

Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (default web site)" -InternalURL https://XXX.XXX.XXX/ews/exchange.asmx

Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-ActiveSync (default web site)" -InternalURL https://XXX.XXX.XXX/Microsoft-Server-ActiveSync

In addition, Exchange 2010 also needs the following command; for Exchange 2007 it can be skipped.

Set-ECPVirtualDirectory -Identity "ServerName\ECP (default web site)" -InternalURL https://XXX.XXX.XXX/ECP

After running these, confirm that the settings above have been applied.



If the settings have not been applied and the certificate warning keeps appearing, run the following command in the Exchange PowerShell to change the CAS settings; this resolves the error message.

Get-ClientAccessServer -Identity ServerName | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://XXX.XXX.XXX/autodiscover/autodiscover.xml

Wednesday, February 9, 2011

About the SMTP Connector

The scope of an SMTP Connector in Exchange 2003, as in figure (1), can be set to apply to the whole organization or to the routing group. In Exchange 2010 the naming differs slightly, as in figure (2): if Scoped Send Connector is not checked, the connector applies to the whole organization; if it is checked, it applies to the routing group.



Monday, February 7, 2011

About Shared Folders and Shared-Folder Permissions

The permissions required for Shared Folders and Shared-Folder Permissions on a Member Server versus a Domain Controller:
Members of the Administrators or Power Users group can share folders on a Windows member server. You have to be a member of the Administrators or Server Operators group to share folders on a domain controller of a domain.

What is Server Operators?

The scope of the Server Operators group's permissions is as follows:
Members of this group can perform server management tasks such as creating, changing, and deleting shared printers, shared directories, and files. They can also back up and restore files, lock the server console and shutdown the system. They cannot modify system policies or start and stop services.

Sunday, January 30, 2011

Manually seeding a DAG Mailbox Database copy

When an Exchange Server 2010 DAG performs the initial seeding of a database, the database can first be copied manually to the destination, with log shipping then synchronizing it afterwards.

For manually copying a DAG mailbox database, see the following two TechNet documents:
Managing Mailbox Database Copies



Update a Mailbox Database Copy

Network bandwidth requirements for an Exchange 2010 DAG

The network bandwidth requirements of an Exchange Server 2010 DAG are listed below:



Recommended network topology for an Exchange Server 2010 DAG



Exchange 2010 ActiveSync Client Feature Confirm

Can ActiveSync in Exchange 2010 restrict which mobile device a given user may use to connect to their Exchange mailbox? That is, if the user connects with a device other than the designated one, will it be blocked from connecting to Exchange 2010?

Yes. Exchange Server 2010 SP1 checks the Access State of every mobile device that connects, and those checks include whether the device has been set to Block or Allow through a Personal Exemption; a Personal Exemption can therefore specify which device a user may use to connect to Exchange 2010.



See also: Understanding Mobile Device Management

Exchange 2010 DAG creation fails

When creating an Exchange 2010 DAG fails, the wizard shows the error in the figure below



The most likely cause is the firewall or anti-virus software. Follow the steps below, confirm, and rerun; this resolves the error:

1) Turn off Firewall & Anti-Virus
2) Uninstall Failover Clustering
3) Reboot to finish uninstall
4) Reinstall Failover Clustering
5) Reboot to finish Reinstall
6) Add Servers to DAG

Lync Server 2010 licensing reference

Lync Server 2010 is available in the following two editions:


For Lync Server 2010 client access licenses there are the following three types:


The comparison with the previous OCS 2007 R2 licensing is shown in the figure below:






Any type of client access license (Lync CAL) works with either the Enterprise or Standard edition of Lync Server 2010, as shown in the figure below:


See also the official explanation: Microsoft Lync Licensing

Skype for Business related topics

Microsoft Teams extends Skype for Business functionality by integrating chat, meetings, calling, collaboration, applications, and file storage into a single interface. This new hub for teamwork helps simplify how users get work done, improves user satisfaction, and accelerates business outcomes. As an existing Skype for Bus...
Microsoft Teams 擴展了 Skype for Business 功能,將聊天、會議、通話、協同合作、應用程式和檔案儲存整合到一個介面中。這個新的團隊合作中心可以幫助簡化使用者完成工作的方式,提高使用者滿意度,並加速業務結果。作為一個現有的 Skype for Bus...