Channel: The EXPTA {blog}

KEMP Series: How to Configure an L7 KEMP Virtual Load Balancer (VLB) for Exchange 2013

This is part three in a series of articles detailing load balancing for Exchange using the KEMP virtual load balancer (VLB). In this article we will be configuring the VLB as a Layer 7 load balancer for Exchange 2013.

The other articles in this series are:
My first article explains the basics of load balancing and how to download a free copy of KEMP Virtual Load Master.

In the second article I showed you how to configure the general settings for the LoadMaster. This includes configuring Ethernet settings, the Web UI, time and DNS settings, and SSL certificates. These settings are common to all types of load balancing configurations. Now I'm ready to show you how to configure the VLB as a Layer 7 load balancer for Exchange 2013.

As a refresher, here's an explanation of the differences between Layer 7 and Layer 4 load balancing.
Layer 7 Load Balancing
L7 load balancing happens at the application layer. Health checks are performed on the applications (for example OWA, EWS, ActiveSync, etc.). The SSL connection must terminate on the load balancer, the content is inspected, and then re-encrypted back to the real servers. This requires the L7 load balancer to understand the applications being load balanced. It also usually involves some sort of persistence, such as cookie-based or source IP. Because of all this, L7 load balancing is more complex. Exchange 2010 required L7 load balancing due to the different ways that each application protocol handled persistence. Exchange 2013 does not require persistence even when using L7 load balancing.

Layer 4 Load Balancing
L4 load balancing happens at the network layer after routing is complete (routing occurs at Layer 3). Health checks are performed on the servers, not the applications. Layer 4 load balancers do not decrypt, inspect, and re-encrypt SSL traffic. This means L4 load balancers have higher performance and are less complex, but the load balanced application must support it. Exchange 2013 CAS is designed for L4 load balancing, but also supports L7 load balancing.

Download and Install the Templates

Start by downloading the LoadMaster templates from the KEMP documentation website. Templates contain the preconfigured setups for common load balanced applications. For Microsoft products that includes Exchange 2010 / 2013, Lync 2013, ADFS 2.0, and Remote Desktop Services (RDS).


Expand Microsoft > Exchange 2013. You will see that the Exchange 2013 templates include Core Services, ESP Services, and Additional Services. Edge Security Pack (ESP) Services include security configurations for Internet facing applications, such as pre-authentication templates. The Additional Services template includes secondary client access protocols such as POP and IMAP, as well as SMTP.

Download the Core Services template to a folder on your local computer. This will be a single Exchange2013Core.tmpl file.

Log into the LoadMaster with the bal account and navigate to Virtual Services > Manage Templates. Click Choose File, browse to the Exchange2013Core.tmpl file, and click Add New Template. The LoadMaster will display the four templates you just installed.


Configure Layer 7 Load Balancing

Expand Virtual Services > Add New to begin adding a new virtual service for Exchange 2013. Enter the virtual address (VIP) for your load balanced set of Exchange 2013 CAS servers (which should be every Exchange 2013 server in the AD site - you are doing only multi-role servers, right?) If you configured a custom port (8443) in general settings, you can use the same IP address that you use to access the VLB management UI.


Select the Exchange 2013 HTTPS Reencrypted template from the dropdown list. This will automatically populate port, protocol and service name. Since I will be using SSL bridging, I changed the service name to Exchange 2013 HTTPS Bridged. Click Add this Virtual Service.

The LoadMaster will then take you to the configuration of the new service. Examine the Basic Properties. Note that here you can activate or deactivate the virtual service.

Standard Options shows that Transparency is Disabled, persistence is set to None, the load balancing method uses Round Robin, and Idle Connections timeout in 1800 seconds (30 minutes).


Expand SSL Properties and you will see the SSL certificate you installed in my General Settings article as an Available Certificate. Select that certificate and click the ">" button to move it to Assigned Certificates.

I recommend configuring the VLB to use only TLS 1.x, since SSL 2.0 and SSL 3.0 connections have known vulnerabilities. Check the TLS 1.x Ciphers Only checkbox, which removes all the SSL 2.0 and 3.0 ciphers. Select all the remaining ciphers and click the ">" button to move them to Assigned Ciphers, then click the Set Ciphers button.


We will skip the Advanced Properties, WAF Options, and ESP Options since they are not used in this implementation.

Expand SubVSs and you will see each of the sub-virtual services that the template installed. There is one for each virtual service in Exchange 2013, including ActiveSync, Autodiscover, ECP, EWS, MAPI, OAB, PowerShell, and RPC.


Next we need to add the real servers for each SubVS. Click Modify for the Exchange 2013 HTTPS Bridged - ActiveSync SubVS. Click the Add New button under Real Servers.


Add the IP address of the real server to load balance and click the Add This Real Server button. Repeat for each real server you want to add to the load balanced set.


When you're done adding real servers for this SubVS click <-Back twice to return to the list of SubVSs. Repeat adding real servers for each SubVS.

Click Virtual Services > View/Modify Services. You will see two Virtual Services are published, one for HTTP redirection to HTTPS and the other that has all the SubVSs for Exchange 2013.


If any of the Real Servers virtual directories are listed in red, it's either because they have no real servers or all of their real servers are down. Click Add New under Certificate Installed. Select the certificate we installed when we configured General Settings and click the ">" button to assign it. Click the Save Changes button.

I usually change the HTTP redirection service to pass-through because I favor doing this on the Exchange servers. Either way you'll need to add the real servers to this rule, as you did above.

If you want to do HTTP pass-through to the real servers click Modify for the redirect. Rename the service name to MAIL_HTTP_PassThrough and click Set Nickname. Expand Advanced Properties. Clear the Error Code and clear the Redirect URL. Expand Real Servers and select HTTP Protocol for the Real Server Check Parameters. Then configure HTTP redirection directly on the Exchange servers.

Congratulations! You have configured Layer 7 load balancing for Exchange 2013.

A Note About Home Routers and Multiple SSL Endpoints

If you're installing this setup behind a home or consumer-based router you probably have few options for port forwarding. Usually you can only configure the router to forward all HTTPS traffic to a single internal IP address, and that will usually be the VLB.

In this case, you can configure the VLB to decide which endpoint to direct SSL or any other traffic to by using a new SubVS. For example, my Hyper-V lab server hosts many VM servers including three Exchange servers and a Thycotic Secret Server. Both the load balanced Exchange servers and the Thycotic server use port 443, so we need to configure the router to send all HTTPS traffic to the VLB, and configure the VLB to handle multiple endpoints.

Configure Multiple Endpoints

Note: If you're only load balancing Exchange and don't need the load balancer to direct HTTPS traffic to other endpoints, you're done and you can skip this section.

To add another endpoint to the VLB, add a new SubVS from Virtual Services > View/Modify Services. Click the Add New button and click Modify. Then enter a name for the SubVS (e.g., SecretServer) and click Set NickName.

Enter a portion of the URL for the virtual directory on the new server (e.g., /SecretServer/Login.aspx) for the URL and click the Set URL button.

Click Add New to create the new SubVS. This will take you to the Real Server parameters page.
Enter the IP address of the real server and click Add This Real Server. Your config should look like this:


Now click <-Back to get back to the SubVSs page. You'll notice that the Rules for this new SubVS show None. We need to configure a rule for the new server.

Expand Rules & Checking > Content Rules and click the Create New button. Enter a name for the Rule, such as Secret_Server. Note that rule names cannot contain spaces.

Enter HOST for the Header Field and the FQDN of the server in the Match String field. Click the checkbox for Ignore Case and click Create Rule.


Go back to Virtual Services > View/Modify Services. Click the Modify button for Exchange 2013 HTTPS Bridged. Now click the red None button for the rule of the SecretServer SubVS. Select Secret_Server from the rules drop-down list and click the Add button.

Now the router sends all HTTPS traffic to the VLB and the VLB sends the traffic to the correct endpoint.

This concludes the Layer 7 setup for Exchange 2013. My next article will cover configuring the KEMP virtual LoadMaster as a Layer 4 load balancer. The last article will explain how to restrict Exchange Admin Center access from the Internet.


KEMP Series: How to Configure an L4 KEMP Virtual Load Balancer (VLB) for Exchange 2013

This is part four in a series of articles detailing load balancing for Exchange using the KEMP virtual load balancer (VLB). In this article we will be configuring the VLB as a Layer 4 load balancer for Exchange 2013.

The other articles in this series are:
My first article explains the basics of load balancing and how to download a free copy of KEMP Virtual Load Master for your home lab. As a refresher, here's a brief explanation of the differences between Layer 7 and Layer 4 load balancing.
Layer 7 Load Balancing
L7 load balancing happens at the application layer. Health checks are performed on the applications (for example OWA, EWS, ActiveSync, etc.). The SSL connection must terminate on the load balancer, the content is inspected, and then re-encrypted back to the real servers. This requires the L7 load balancer to understand the applications being load balanced. It also usually involves some sort of persistence, such as cookie-based or source IP. Because of all this, L7 load balancing is more complex. Exchange 2010 required L7 load balancing due to the different ways that each application protocol handled persistence. Exchange 2013 does not require persistence even when using L7 load balancing.

Layer 4 Load Balancing
L4 load balancing happens at the network layer after routing is complete (routing occurs at Layer 3). Health checks are performed on the servers, not the applications. Layer 4 load balancers do not decrypt, inspect, and re-encrypt SSL traffic. This means L4 load balancers have higher performance and are less complex, but the load balanced application must support it. Exchange 2013 CAS is designed for L4 load balancing, but also supports L7 load balancing.
In my second article I showed you how to configure the general settings for the LoadMaster. This includes configuring Ethernet settings, the Web UI, time and DNS settings, and SSL certificates. These settings are common to all types of load balancing configurations. Now I'm ready to show you how to configure the VLB as a Layer 4 load balancer for Exchange 2013. But first, I need to get some potentially confusing things out of the way.

When an incoming connection goes through a load balancer, the load balancer needs to NAT the connection to the real servers so that the reply comes back through the load balancer, otherwise the real servers will respond directly to the client and the session will break. For example, imagine you, Sally, and Tim are in the same room. You ask Sally a direct question, but Tim responds. You ignore Tim's response because it's out of order.


The computer above communicates with the VIP on the load balancer and expects the response to come from that same IP address. The only three ways to make this happen are:
  1. Use Network Address Translation (NAT) - The incoming client traffic is sent to the real server after performing address translation, which causes the server to respond back to the load balancer. The load balancer then forwards the response back to the client.
  2. Configure the load balancer as the Default Gateway on the real servers - This forces all outgoing traffic to external subnets back through the load balancer, but has many downsides. For example, you must size the load balancer to account for all traffic for a given server. While this configuration may be supported for Exchange, it isn't best practice.
  3. Use Direct Server Return (DSR) - DSR is a complex load balancing method that has many drawbacks, including the inability to insert cookies or do port translation. It is not supported for Exchange or Lync deployments.
Of these options, only NAT is a viable option. In an interesting choice of wording, KEMP calls this an "L7 connection" to the load balancer. KEMP verbiage is referring to actual TCP layer functionality where the KEMP load balancer accepts the client’s TCP connection and creates a new TCP connection to the server. This is required in order to perform NAT.

While the term can be confusing, and I hope that KEMP is able to change it so it isn't, from an Exchange perspective this is still Layer 4 load balancing. The load balancer is not decrypting SSL connections, the client connections can still be distributed evenly in round robin fashion across the CAS servers with no affinity or persistence requirement, and the traffic is not inspected by the load balancer. As a matter of fact, the SSL certificate doesn't even need to be installed on the load balancer for this to work, which makes it a truly lightweight operation compared to L7 load balancing, which has much higher resource requirements due to SSL decryption and re-encryption. I'm going to these lengths to explain this because when you see "Force L7" in the LoadMaster configuration, I want you to understand why it doesn't translate to Layer 7 load balancing in the way Microsoft refers to it.

OK, so now that's done, let's start configuring the KEMP LoadMaster for Layer 4 load balancing Exchange 2013. There are basically two options for doing this. Option 1 configures a single VIP to load balance all virtual services for all the real servers. This is useful for home lab scenarios where you have a simple consumer-grade router and can only forward all SSL traffic to one IP address. Option 2 configures a different IP address for each virtual service on the real servers.

Note: Neither of these L4 options use the KEMP application templates. Those are only used in Layer 7 load balancing.

Option 1 - Use a Single VIP

Log into the LoadMaster with the bal account and navigate to Virtual Services > Add New. Enter the new virtual IP address, set the port to 443, and enter a Service Name. Then click the Add this Virtual Service button.


Under Standard Options, leave "Force L7" checked and uncheck "Transparency". Keep the default values for Persistence (None) and Scheduling Method (Round Robin).


Confirm that SSL Properties > SSL Acceleration is disabled (unchecked). Leave Advanced Properties and ESP Options with their default settings.

Expand Real Servers. Since we're doing L4 load balancing we cannot configure SubVSs, so you can only monitor one virtual server (OWA, ActiveSync, MAPI, etc.). In this example, I will monitor the OWA virtual server.

Enter /owa/healthcheck.htm for the URL to health check and click the Set URL button. Change the "HTTP Method" to GET and enter OK for the "Reply 200 Pattern". Then click the Set Pattern button.


Now it's time to add your real servers. Click the Add New button. Add the first real server's IP address and click the Add This Real Server button. Repeat for each of your real servers. When you're done click <-Back twice.

Now you will see the new Exchange 2013 virtual service that L4 load balances the real servers. Ignore the fact that it shows L7 for the Layer, as this is really only the connection type (see explanation above). Note that the SSL certificate is installed on the real servers, not the load balancer.


That's all there is for this configuration. As noted earlier, we're only monitoring the OWA virtual server on the real servers for health checks. If another virtual server, say ActiveSync, goes offline on one of the real servers the load balancer will still direct traffic to it. Likewise, if the OWA virtual server goes offline on one of the real servers that server will be marked as down and no traffic will be directed to it, even though other virtual servers may be healthy.

Option 2 - Use Separate VIPs for Each Virtual Server

This option requires nine separate VIPs on the load balancer, one for each Exchange 2013 virtual server. It also requires nine different names on the SAN certificate or use of a wildcard cert.

Log into the LoadMaster with the bal account and navigate to Virtual Services > Add New. Enter a new virtual IP address, set the port to 443, and enter a Service Name (e.g., EX2013 ActiveSync). Then click the Add this Virtual Service button.


Under Standard Options, leave "Force L7" checked and uncheck "Transparency". Keep the default values for Persistence (None) and Scheduling Method (Round Robin).


Confirm that SSL Properties > SSL Acceleration is disabled (unchecked). Leave Advanced Properties and ESP Options with their default settings.

Expand Real Servers. Enter /microsoft-server-activesync/healthcheck.htm for the URL to health check and click the Set URL button. Change the "HTTP Method" to GET. Enter OK for the "Reply 200 Pattern" and click the Set Pattern button.


Now it's time to add your real servers. Click the Add New button. Add the first real server's IP address and click the Add This Real Server button. Repeat for each of your real servers. When you're done click <-Back twice.

Repeat for each Exchange 2013 virtual server: Autodiscover, ECP, EWS, MAPI, OAB, OWA, PowerShell, and RPC. Nine virtual services in all. 

Thankfully you can make this easier on yourself by duplicating VIPs. Select a Virtual Service in View/Modify Services and click the Duplicate VIP button. Enter the new virtual IP address and click the Duplicate VIP button. Change the "Service Name" and click the Set NickName button, then change the health check URL and click the Set URL button. Rinse and repeat for each virtual server.


Note that the SSL certificate is installed on the real servers, not the load balancer.

With this configuration the load balancer will direct traffic to any available virtual server on any real server. The downside to this approach is that it requires your router to send traffic for each namespace to a different VIP and you have many more names to manage on your SSL certificates. 
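The difference between Option 1 and Option 2 comes down to which health check decides whether a real server receives traffic. The following Python model is an added example, not KEMP code or anything from the original article: it applies the article's check (HTTP 200 plus the Reply 200 Pattern "OK" found in the body) to a constructed set of canned replies from three real servers, and shows the resulting backend pools for a single VIP that probes only /owa/healthcheck.htm versus one VIP per namespace. The server addresses and the replies are made up for the example; the LoadMaster itself issues the real GET requests.

```python
import re
from itertools import cycle

# Constructed sample: what each real server returns for each healthcheck.htm as (status, body).
# 10.0.0.12 has a broken ActiveSync virtual directory; 10.0.0.13 has a broken OWA virtual directory.
SAMPLE_REPLIES = {
    "10.0.0.11": {"/owa/healthcheck.htm": (200, "OK"),
                  "/microsoft-server-activesync/healthcheck.htm": (200, "OK")},
    "10.0.0.12": {"/owa/healthcheck.htm": (200, "OK"),
                  "/microsoft-server-activesync/healthcheck.htm": (503, "Service Unavailable")},
    "10.0.0.13": {"/owa/healthcheck.htm": (503, "Service Unavailable"),
                  "/microsoft-server-activesync/healthcheck.htm": (200, "OK")},
}

# Namespaces modelled here and the health-check URL each one's VIP would use under Option 2.
NAMESPACE_CHECK_URLS = {
    "owa": "/owa/healthcheck.htm",
    "activesync": "/microsoft-server-activesync/healthcheck.htm",
}


def probe_passes(reply, reply_200_pattern="OK"):
    """The check the article configures: HTTP 200 and the Reply 200 Pattern found in the body."""
    status, body = reply
    return status == 200 and re.search(reply_200_pattern, body) is not None


def healthy_servers(replies, check_url, reply_200_pattern="OK"):
    """Real servers that pass the probe for one health-check URL, in a stable order."""
    return [srv for srv in sorted(replies)
            if probe_passes(replies[srv].get(check_url, (0, "")), reply_200_pattern)]


def single_vip_backends(replies, namespaces, monitored_url="/owa/healthcheck.htm"):
    """Option 1: one VIP, one probe. Every namespace inherits the verdict of the monitored URL."""
    pool = healthy_servers(replies, monitored_url)
    return {ns: list(pool) for ns in namespaces}


def per_vip_backends(replies, namespaces):
    """Option 2: one VIP per namespace, each probing its own virtual directory."""
    return {ns: healthy_servers(replies, url) for ns, url in namespaces.items()}


def round_robin(pool):
    """Scheduling Method: Round Robin over the currently healthy pool."""
    if not pool:
        raise RuntimeError("no healthy real servers for this VIP")
    return cycle(pool)


if __name__ == "__main__":
    for label, plan in (("Option 1 (single VIP, OWA probe)", single_vip_backends(SAMPLE_REPLIES, NAMESPACE_CHECK_URLS)),
                        ("Option 2 (VIP per namespace)", per_vip_backends(SAMPLE_REPLIES, NAMESPACE_CHECK_URLS))):
        print(label)
        for ns, pool in plan.items():
            print("  %-10s -> %s" % (ns, ", ".join(pool) or "(none)"))
```

Under Option 1 the ActiveSync pool still contains 10.0.0.12, whose ActiveSync directory is down, and excludes 10.0.0.13, whose ActiveSync directory is fine; under Option 2 each pool reflects its own directory. Note also that `probe_passes` searches for the pattern anywhere in the body, the way a Reply 200 Pattern does, so a body that merely contains "OK" passes.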

This concludes the Layer 4 setup options for Exchange 2013. My final article in the series will explain how to restrict Exchange Admin Center access from the Internet.

KEMP Series: How to Restrict Exchange Admin Center Access From the Internet Using KEMP VLB

This is part five in a series of articles detailing load balancing for Exchange using the KEMP virtual load balancer (VLB). In this article I will explain how to restrict Exchange Admin Center (EAC) access from the Internet using KEMP LoadMaster.

The other articles in this series are:
My first article explains the basics of load balancing and how to download a free copy of KEMP Virtual Load Master for your home lab. I'll assume you've already configured it for Layer 7 load balancing.
Note: Since the following procedures rely on SubVSs and traffic inspection, this configuration will only work with Layer 7 load balancing. Layer 4 load balancing cannot inspect traffic and therefore cannot be used to deny access to the EAC.
The Exchange Admin Center (EAC) is the web-based management console used to manage your Microsoft Exchange Server 2013 infrastructure. As such, some customers want to block EAC access from the Internet.

The EAC is part of the ECP virtual directory and is the same virtual directory used in OWA to manage user settings, such as Out of Office settings. If you were to disable or not publish the entire ECP virtual directory to the Internet in order to block EAC access, it would prevent external users from accessing many settings from OWA.

Currently, Microsoft's recommendation for blocking EAC access from the Internet is to disable EAC access on all Internet accessible CAS servers using the following cmdlet:
Set-ECPVirtualDirectory -Identity "CAS01\ecp (default web site)" -AdminEnabled $false
But if you do this you'll need another internal Exchange 2013 server solely for internal EAC access. This article explains how to restrict EAC access to your load balanced CAS servers while still allowing access internally. Let's get started.

Log into the LoadMaster with the bal account and navigate to Rules & Checking > Content Rules.


Add each of the following five rules. Be careful to copy and paste each rule string entirely, and name them EAC_Block_1 through EAC_Block_5:
/^\/ecp/PhoneVoice*/|^\/ecp/PublicFolders*/|^\/ecp/Reporting*/|^\/ecp/Servers*/

/^\/ecp/UnifiedMessaging*/|^\/ecp/UsersGroups*/|^\/ecp/Organize/OrganizationRetentionPolicyTags*/

/^\/ecp/Organize/RetentionPolicies*/|^\/ecp/RulesEditor/JournalRules*/|^\/ecp/RulesEditor/TransportRules*/|^\/ecp/tools*/

/^\/ecp/.*Mgmt*/|^\/ecp/AcceptedDomain*/|^\/ecp/AddressList*/|^\/ecp/Antimalware*/|^\/ecp/DLPPolicy*/|^\/ecp/EmailAddressPolicy*/|^\/ecp/Federation*/

/^\/ecp/Hybrid*/|^\/ecp/Migration*/|^\/ecp/OwaMailboxPolicy*/|^\/ecp/Extension/OrgExtensions*/
To do this, click the Create New button and enter the new rule name (e.g., EAC_Block_1). Paste the first rule string above into the Match String field and click the checkboxes for Ignore Case and Fail on Match. Then click the Create Rule button.


Repeat for each of the rules above. Your rule list should now look like this:



Now expand Virtual Services > View/Modify Services and click Modify for the Exchange 2013 virtual service. Click the Add New button under SubVSs. You will see a new SubVS at the bottom of the list. Click the rule None and add the EAC_Block_1 rule to the new SubVS. Be sure to click the Add button to add it. Repeat for each of the five EAC_Block rules.


Click <-Back and then click the Modify button for the new SubVS. Name the SubVS Block EAC and click the Set Nickname button.

Expand Advanced Properties and set the Error Code to 401 Unauthorized. There is no need to enter any real servers for this SubVS.


Click <-Back and then expand Advanced Properties for the Exchange 2013 virtual service. Click the Rule Precedence button for Content Switching. You will see a list of all the rules. Click the Promote buttons to move the five EAC_Block rules so they are at the top of the list.


Now if you try to access the Exchange Admin Center using the KEMP load balancer VIP you will still be able to log on, but you cannot access any of the EAC administration parts.


End users will still be able to access their ECP settings from OWA.
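Because the outcome depends on the rule strings, on Ignore Case, and on rule precedence, it helps to see the content switching evaluated outside the LoadMaster. The following Python model is an added example, not KEMP's implementation or anything from the original article. It carries the five EAC_Block match strings exactly as listed above, the Host-header rule from the multiple-endpoints section of the Layer 7 article, and a stand-in `^\/ecp/` prefix rule for the template's ECP SubVS (an assumption, since the template's own rule strings are not in the article). It also assumes the leading "/" on each rule string is a delimiter the LoadMaster strips rather than part of the pattern. Host names and paths are constructed for the example.

```python
import re
from collections import namedtuple

# A content rule as the article configures it: name, what it matches on, the match string,
# and the SubVS the request is switched to when it matches.
Rule = namedtuple("Rule", "name kind match target")

# The five EAC_Block match strings, verbatim from the article.
EAC_BLOCK_STRINGS = [
    r"/^\/ecp/PhoneVoice*/|^\/ecp/PublicFolders*/|^\/ecp/Reporting*/|^\/ecp/Servers*/",
    r"/^\/ecp/UnifiedMessaging*/|^\/ecp/UsersGroups*/|^\/ecp/Organize/OrganizationRetentionPolicyTags*/",
    r"/^\/ecp/Organize/RetentionPolicies*/|^\/ecp/RulesEditor/JournalRules*/|^\/ecp/RulesEditor/TransportRules*/|^\/ecp/tools*/",
    r"/^\/ecp/.*Mgmt*/|^\/ecp/AcceptedDomain*/|^\/ecp/AddressList*/|^\/ecp/Antimalware*/|^\/ecp/DLPPolicy*/|^\/ecp/EmailAddressPolicy*/|^\/ecp/Federation*/",
    r"/^\/ecp/Hybrid*/|^\/ecp/Migration*/|^\/ecp/OwaMailboxPolicy*/|^\/ecp/Extension/OrgExtensions*/",
]


def compile_match(match_string):
    """Assumption: the leading '/' is a delimiter, not part of the regex; 'Ignore Case' is checked."""
    pattern = match_string[1:] if match_string.startswith("/") else match_string
    return re.compile(pattern, re.IGNORECASE)


# Rule precedence as the article leaves it after 'Promote': the EAC_Block rules first, then the
# Host-based SecretServer rule, then the (stand-in) ECP prefix rule of the Exchange template.
RULES = [Rule("EAC_Block_%d" % i, "url", s, "Block EAC") for i, s in enumerate(EAC_BLOCK_STRINGS, 1)]
RULES.append(Rule("Secret_Server", "host", "secretserver.contoso.com", "SecretServer"))  # constructed FQDN
RULES.append(Rule("ECP_prefix", "url", r"/^\/ecp/", "ECP"))  # stand-in for the template's ECP rule

# A SubVS with no real servers answers with its configured Error Code (Block EAC: 401 Unauthorized).
# 200 below simply stands for "forwarded to a real server".
NO_REAL_SERVERS_ERROR = {"Block EAC": 401}


def rule_matches(rule, host, path):
    if rule.kind == "url":
        return compile_match(rule.match).search(path) is not None
    if rule.kind == "host":
        return host.lower() == rule.match.lower()  # HOST header field, Ignore Case
    raise ValueError("unknown rule kind %r" % rule.kind)


def dispatch(host, path, rules=RULES):
    """Return (target SubVS, status, matched rule name); the first rule in precedence order wins."""
    for rule in rules:
        if rule_matches(rule, host, path):
            return rule.target, NO_REAL_SERVERS_ERROR.get(rule.target, 200), rule.name
    return "Exchange 2013 HTTPS Bridged", 200, None  # other SubVSs pick it up via their own rules


def without_promotion(rules):
    """Constructed misordering: the ECP rule ahead of the block rules, as before clicking Promote."""
    return [r for r in rules if r.name == "ECP_prefix"] + [r for r in rules if r.name != "ECP_prefix"]


if __name__ == "__main__":
    for host, path in (("mail.contoso.com", "/ecp/Servers/"), ("mail.contoso.com", "/ECP/rulesEditor/TransportRules/"),
                       ("mail.contoso.com", "/ecp/"), ("SecretServer.Contoso.com", "/SecretServer/Login.aspx"),
                       ("mail.contoso.com", "/owa/")):
        print("%-26s %-36s -> %s" % (host, path, dispatch(host, path)))
    print("ECP rule not promoted:", dispatch("mail.contoso.com", "/ecp/Servers/", without_promotion(RULES)))
```

Two things worth noticing when you run it. The bare /ecp/ path that OWA uses for user settings reaches the ECP SubVS, while the administration paths get the 401, which is the behaviour the article describes; and if the ECP rule sits above the block rules, /ecp/Servers/ is switched to the ECP SubVS instead, which is why the Promote step matters. Also, read as regular expressions, a string such as `Servers*/` means `Server` followed by zero or more `s` and then `/`, not a wildcard; the rules still cover the listed paths, but the trailing `*` does not broaden them the way a glob would.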

If you want to access the EAC internally, simply use the FQDN of one of your CAS servers to bypass the KEMP load balancer. Alternatively, you can configure another virtual service for internal load balancing that does not use the blocking rules.

This concludes my series on configuring the KEMP virtual LoadMaster. I hope you found these articles useful.

How to Add Access to the Office 365 EOP Quarantine in Outlook and OWA

Exchange Online Protection (EOP) in Office 365 offers a quarantine feature for administrators and end-users. Administrators can view and release messages that were caught as spam for all users. End-users can view and release their own messages.

The administrative quarantine is accessed from the Office 365 Exchange Admin Center > Protection > Quarantine. Here you will see all the quarantined items for all users in the org.

Administrative Quarantine in the Office 365 Portal

The administrative quarantine is always available to EOP admins. The end user quarantine must be enabled and configured by the admin from Office 365 Exchange Admin Center > Protection > Content Filter, then click the Configure end-user spam notifications link on the right.


When enabled, end-users will receive an email from EOP listing all the new messages held in quarantine since the last notification.

The URL to the end-user quarantine is https://admin.protection.outlook.com/quarantine. In a hybrid scenario, even users without Office 365 licenses can access the end-user quarantine.

End-User Quarantine

That's all pretty cool, but wouldn't it be nice to access the quarantine directly from Outlook? Here's how you configure it:

  • Open Outlook as the end-user.
  • Right-click the user mailbox and select New Folder.
  • Name the folder Quarantine or * Quarantine to have it placed higher in the folder list.
  • Right-click the new folder and select Properties.
  • Click the Home Page tab.
  • Enter https://admin.protection.outlook.com/quarantine in the Address field and then click the checkbox for Show home page by default for this folder. Click OK.
  • You will then see the sign-on page for EOP within Outlook. After you sign in you can access your end-user quarantine.
End-User Quarantine within Outlook
Unfortunately you can't view the end-user quarantine using this method from OWA, but I have a work-around. 
  • Send yourself an email with the subject of Quarantine and the link to https://admin.protection.outlook.com/quarantine in the body of the message.
  • Drag the message from your Inbox to the Quarantine folder you created.
Now you have easy access to the end-user Quarantine from Outlook, OWA, and even mobile devices!


Introducing New-ExchangeWebsite for Exchange 2013

Microsoft recently announced support for adding additional virtual directories for OWA and ECP to Exchange 2013. I highly encourage you to read the blog post, Configuring Multiple OWA/ECP Virtual Directories on the Exchange 2013 Client Access Server Role, to understand when this is appropriate, what it entails, and associated caveats.

If you've already read that post, I'll summarize here. The reasons you may have for adding additional OWA/ECP virtual directories are:

  • You want to separate admin and user ECP access to prevent access to the Exchange Admin Center from the Internet.
  • You have different users within one organization who require a different OWA experience, such as a different Public/Private File Access or other policy or segmentation features.
The EHLO blog post does an excellent job explaining how you go about doing this. Basically, you add a secondary IP address to the Exchange 2013 server, create a new SSL website bound to that IP address, copy content from three different folders, set NTFS permissions, create new OWA and ECP virtual directories, and reconfigure the original OWA/ECP virtual directories to work as you want. Peesa cake. :)
Oh, and this is very important: whenever you apply an Exchange cumulative update (CU) you need to completely undo everything you just did and reconfigure the settings all over again. Ugh. That's why I wrote the following PowerShell script to automate the process.


New-ExchangeWebsite.ps1 performs all the steps listed in the blog article in an automated fashion. If the script detects that an OWA_SECONDARY folder already exists, it removes that existing configuration before configuring the new website. Whenever you install the latest CU or replace the SSL certificate, all you need to do is run the script again with the proper parameters.

The script supports full PowerShell functionality just like a real cmdlet. For example, it supports Get-Help and -Verbose parameters.

Syntax:
New-ExchangeWebsite.ps1 [-NewWebsiteIP] <IPAddress> [-Thumbprint] <String> [[-DisableEacOnDefaultWebSite] <Boolean>] [[-DisableFbaOnDefaultWebSite] <Boolean>] [<CommonParameters>]
By default the script automatically disables Exchange Admin Center access and leaves Forms Based Authentication enabled on the Default Web Site.

-------------------------- EXAMPLE 1 --------------------------
PS C:\>New-ExchangeWebsite.ps1 -NewWebsiteIP 10.1.20.35 -Thumbprint 663F465DE17FD039979B8CE769118FA2A5AF157D
This command configures a new website named OWA_SECONDARY in IIS. It configures the website to use the IP address 10.1.20.35 and binds the SSL certificate with the specified thumbprint for HTTPS. It sets the necessary ACLs and copies all the required files and folders. Finally, it disables Exchange Admin Center access on the Default Web Site (the default setting) and resets IIS.

-------------------------- EXAMPLE 2 --------------------------
PS C:\>New-ExchangeWebsite.ps1 -NewWebsiteIP 10.1.20.35 -Thumbprint 663F465DE17FD039979B8CE769118FA2A5AF157D -DisableFbaOnDefaultWebSite $true
This command is almost the same as the command in the previous example, except it also disables Forms Based Authentication on the Default Web Site.

-------------------------- EXAMPLE 3 --------------------------
PS C:\>New-ExchangeWebsite.ps1 -NewWebsiteIP 10.1.20.35 -Thumbprint 663F465DE17FD039979B8CE769118FA2A5AF157D -DisableFbaOnDefaultWebSite $true -DisableEacOnDefaultWebSite $false
This command is almost the same as the command in the previous example, except it does not disable Exchange Admin Center access on the Default Web Site.

Warning: Brain Must Be Engaged

Before you run the script, you must add a second IP address to the Exchange 2013 server and you must have a trusted SSL certificate installed with the correct FQDN for the new website (for example, eac.contoso.com or use a wildcard cert).
I wrote some basic error checking into the script. It must be run from EMS on an Exchange 2013 server, the IP address you specify must exist on the server and it must not be the only IP address, and the certificate thumbprint must be valid. If any of these conditions are not met, the script terminates. That said, you still need to be sure you specify the correct IP address for the new website and you must supply the correct SSL thumbprint (use the Get-ExchangeCertificate cmdlet for this).
If you decide to rename the folders or website after configuration all bets are off. Be smart, leave them alone.
You can download a ZIP copy of the script here. Comments? Questions? Leave them below.


How to Update Certificates for AD FS 3.0

Active Directory Federation Services (AD FS) 3.0 is a server role included in Windows Server 2012 R2. There are several documents and guides for replacing SSL, token-signing, and token-encryption certificates available for AD FS 2.0, but I couldn't find one for AD FS 3.0 so here it is. :)

There are three certificates used by ADFS for SSO:
  1. Service Communications -- This SSL cert is used to encrypt all client connectivity to the AD FS server.
  2. Token-Signing -- This x.509 cert is used to sign the token sent to the relying party to prove that it indeed came from AD FS.
  3. Token-Decrypting -- This x.509 cert is used to encrypt the payload of a SAML token before it's encrypted again at the SSL transport layer. It is rarely used.

Replacing the Service Communications Certificate

Normally the Service Communications certificate comes from a trusted third-party CA, like DigiCert or GoDaddy. This is a traditional SSL cert like you would use in IIS for any secure web server. You may use a single-name, subject alternative name (SAN), or wildcard cert for this purpose as long as it's valid and trusted by internal and external AD FS clients.

If you have more than one AD FS server in your environment you will run the following procedures from the primary AD FS server. The changes will replicate to all other AD FS servers in the farm.
  • Request and install a new SSL certificate from a trusted third-party CA. Install this cert and private key in the local computer's Personal store on all AD FS servers in the farm.
  • Log on to the primary AD FS server and open an elevated PowerShell prompt to run the following commands:
dir cert:\LocalMachine\My
  • Copy the thumbprint for the new SSL certificate you wish to use, then run:
Set-AdfsSslCertificate -Thumbprint thumbprint

If you receive any errors from this cmdlet you either haven't installed the new SSL certificate on all AD FS servers in the farm or you haven't installed the private key for the cert.

Replacing the Service Communications Certificate on WAP Servers

If your organization uses Web Application Proxy (WAP) servers for your AD FS deployment, you'll want to update them with the same SSL certificate.
  • Install the new SSL certificate and private key in the local computer's Personal store on all WAP servers used by AD FS in your environment.
  • Run the following to get the new certificate's thumbprint:
dir cert:\LocalMachine\My
  • Copy the thumbprint and run:
Set-WebApplicationProxySslCertificate -Thumbprint thumbprint
  • Repeat for each WAP server.
  • PowerTip: Use the DigiCert SSL Installation Diagnostics Tool to confirm that the certificate and all intermediate certs are installed correctly. This tool works with any third-party CA certificate, not just DigiCert's.

Replacing the Token-Signing and Token-Decrypting Certificate

The Token-Signing and Token-Decrypting certificates are normally self-signed certificates good for one year, dated from the time the primary AD FS server was installed. The Office 365 portal will warn you when these certs are about to expire and that user access to all Office 365 services will fail.


Although you can use public certs for Token-Signing and Token-Decrypting, I don't recommend it because it's a waste of time and money. You also should not use the same SSL cert that you use for Service Communications for Token-Decrypting or Token-Signing. As mentioned earlier, the Token-Decrypting certificate is rarely used, but I include it here so that Office 365 doesn't warn about it.

NOTE: Be aware that there is an AD FS service outage incurred when the Token-Decrypting or Token-Signing certificates are updated, because the relying parties must update their configuration to expect the new certs. Do this work when users are least impacted by the outage.

Before you renew the Token-Signing and Token-Decrypting certificates I recommend that you increase the AD FS certificate lifetime for self-signed certs.
  • Log on to the primary AD FS server and open an elevated PowerShell prompt. Run the following to configure the AD FS server to generate self-signed Token-Signing and Token-Decrypting certificates that last 100 years and to enable Auto Certificate Rollover:
Set-ADFSProperties -CertificateDuration 36500 -AutoCertificateRollover $true
  • The following cmdlets generate new self-signed Token-Signing and Token-Decrypting certificates, promote them immediately, and then disable auto certificate rollover again. Relying partners will need to update their metadata to accept the new signed claims:
Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
Update-AdfsCertificate -CertificateType Token-Signing -Urgent
Set-ADFSProperties -AutoCertificateRollover $false 
  • Update the Office 365 metadata using Windows Azure PowerShell:
Connect-MsolService
Update-MsolFederatedDomain -DomainName domain.com -SupportMultipleDomain

  • Remember that you'll need to update other relying party metadata, if you use them. For example, Yammer on-prem (not Office 365) must be updated manually by Microsoft by opening a support ticket in the Office 365 portal. You will need to supply them with the Token-Signing and Token-Decrypting certificates (minus the private keys).
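A check I'd run before and after the rollover steps above, as an added example that is not from the original post: it lists the AD FS certificates with their expiry, resolves the SSL binding back to the local store, and flags the conditions this post warns about (missing private key, SSL cert reused as a token cert, rollover left enabled). It assumes it runs on the primary AD FS server with the ADFS module available; $WarnDays is a threshold of my choosing.

```powershell
# Added example (not from the original post): pre-flight/post-flight check of the
# AD FS 3.0 certificates. Run from an elevated PowerShell prompt on the primary
# AD FS server. $WarnDays is a hypothetical threshold; fit it to your change window.
param([int]$WarnDays = 30)

Import-Module ADFS -ErrorAction Stop
$now = Get-Date

function Get-CertSummary {
    param([string]$Type, [bool]$IsPrimary,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    [pscustomobject]@{
        Type       = $Type
        IsPrimary  = $IsPrimary
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)
        DaysLeft   = [int]($Cert.NotAfter - $now).TotalDays
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
    }
}

# Token-Signing and Token-Decrypting certs as AD FS itself reports them,
# primary and any secondary (Get-AdfsCertificate also lists Service-Communications)
$certs = @(foreach ($c in Get-AdfsCertificate) {
    Get-CertSummary -Type $c.CertificateType -IsPrimary $c.IsPrimary -Cert $c.Certificate
})

# The SSL cert is bound by hash in HTTP.sys; resolve it in the local machine store,
# which is where Set-AdfsSslCertificate expects cert and private key to live
$sslHash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
$ssl = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.Thumbprint -eq $sslHash } | Select-Object -First 1
if (-not $ssl) {
    Write-Warning "SSL binding $sslHash has no matching certificate in Cert:\LocalMachine\My on this server"
} else {
    if (-not $ssl.HasPrivateKey) {
        Write-Warning "SSL certificate $sslHash has no private key here; Set-AdfsSslCertificate will fail"
    }
    $certs += Get-CertSummary -Type 'SSL-Binding' -IsPrimary $true -Cert $ssl
}

$certs | Sort-Object Type |
    Format-Table Type, IsPrimary, SelfSigned, DaysLeft, NotAfter, Thumbprint -AutoSize

# Expiry is what the Office 365 portal warns about; catch it before the portal does
foreach ($c in $certs) {
    if ($c.DaysLeft -lt $WarnDays) {
        Write-Warning ("{0} certificate {1} expires in {2} days ({3:d})" -f
                       $c.Type, $c.Thumbprint, $c.DaysLeft, $c.NotAfter)
    }
}

# The post advises against reusing the Service Communications SSL cert for tokens
$tokenThumbs = $certs |
    Where-Object { $_.Type -in 'Token-Signing', 'Token-Decrypting' } |
    ForEach-Object Thumbprint
if ($sslHash -and ($tokenThumbs -contains $sslHash)) {
    Write-Warning "The SSL certificate $sslHash is also in use as a token certificate"
}

# Confirm the 36500-day duration took and that AutoCertificateRollover is back off
Get-AdfsProperties | Select-Object CertificateDuration, AutoCertificateRollover
```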

A Note About WAP Servers

If your organization uses Web Application Proxy (WAP) servers for your AD FS deployment, there's nothing else you need to do regarding Token-Signing and Token-Decrypting certificates. WAP servers only use the Service Communications SSL cert.

Announcing the 8th Annual UC Roundtable at Microsoft Ignite, Chicago!


I'm pleased to announce the 8th Annual UC Roundtable at Microsoft Ignite 2015 in Chicago!

A one-of-a-kind conference deserves a one-of-a-kind chance to network with your peers.
The purpose of the UC Roundtable is to gather Exchange, Office 365, and Lync admins, MCMs, MVPs, Exchange product group members, architects, and experts for a free-flowing discussion about issues, questions, and experiences related to Exchange, Office 365, and Lync Server. If you work with Exchange, Office 365, or Skype for Business (Lync) you need to be here!
The details are still being worked out, but it will be held within walking distance or a short cab ride from the Ignite hotels. A big special thank you to my friends at F5 who will be hosting the event for the fourth year in a row!

Please RSVP to jeff@expta.com for event details and location. I will email you with the location details and date once they're set.

Help spread the word on Twitter and I hope you can join me! Also, I'm pleased to be the session moderator for "Experts Unplugged: Exchange Top Issues". Please join me there, too!


Congratulations 2015 Microsoft MVP!



I'm very pleased to announce that I have been awarded the Microsoft MVP award for the seventh year in a row! Microsoft says, "This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Exchange Server technical communities during the past year."

I feel great!




Warning: Do Not Install Skype for Windows desktop 7.0 (KB2876229) if You're a Lync Customer

Microsoft recently published KB2876229 Skype for Windows desktop 7.0 to Windows Update as an optional update. This is the consumer version of Skype for Windows - it is not the Skype for Business client or an update for your Lync client. Installing this update will cause confusion for your Lync or Skype for Business users and will hijack Lync or S4B functionality.

The Microsoft KB article says,
To make it simple and fast for Skype users to upgrade to the latest version of Skype for Windows, we have integrated Skype into Microsoft Update. If you have Skype installed on your PC already, either directly from www.skype.com (http://www.skype.com/) or through a preinstalled version on your PC, you will receive the latest version of Skype through Microsoft Update.
The thing is, it's being advertised to computers that have the business Lync or Skype for Business clients installed. Those users who run Windows Update configured to "Give me updates for other Microsoft products when I update Windows" will see the new Skype for Windows desktop client offered as an optional update.



If the update is installed it will run through a Skype setup wizard, which prompts you to start Skype when Windows starts, install Skype Click to Call, set Bing as your search engine and MSN as your homepage, and then asks you to sign in:


Here's where the confusion starts. What account do I use? If you select Skype Name and use your existing (personal/home) account it will configure the computer to use two identities - Skype for your personal account and Lync or Skype for Business for your work account. If you select Microsoft Account, it will create a new Live ID with your work email address - something you probably don't want to do.



Once you click I agree - join Skype you'll get an email from Skype welcoming you to Skype and a Windows firewall security alert to allow Skype to add exceptions to the firewall.


The rest of the setup has you create a profile picture and then, boom, you're running Skype. And Lync or Skype for Business. BOTH clients are running at the same time, and in my case, using the same SIP address. Adding to the confusion, the new Skype client is now the default client for SIP addresses and for Click to Call in Internet Explorer. If you click a phone number from a website it will open with the new Skype application.

IE prompts to enable the new Click to Call add-on

Clicked phone numbers now open in Skype

Here's how you can remove the Skype for Windows Desktop 7.0 client from Windows if any of your users installed it.

  • Remove Skype 7.x and Skype Click to Call from Programs and Features. The uninstallation does not require a restart.


  • To re-enable Lync or Skype for Business click to call functionality, open Internet Options in Internet Explorer and go to the Programs tab.
  • Click the Manage add-ons button.
  • Enable the Lync or Skype for Business Browser Helper add-on. This should also enable the Click to Call add-on automatically, otherwise enable it, and click Close.


Coming soon! Office 365 for Exchange Professionals


If you are considering moving to Office 365 or are in the process, you really need to get the new book, Office 365 for Exchange Professionals.

This new book is written by notable Exchange Server MVPs Tony Redmond, Paul Cunningham, and Michael Van Horenbeeck, with a foreword by Perry Clarke, Corporate Vice President for Microsoft Exchange. It will be released at Microsoft Ignite in Chicago and will be available for purchase as an eBook from ExchangeServerPro.com.

I'm proud to be associated with this book as the technical editor. I've been involved in over a dozen books and publications as an author, contributing writer, and technical editor. Office 365 for Exchange Professionals is one of my most satisfying publishing projects.

There's a tremendous amount of valuable cutting edge information here and since it's written by Exchange Server MVPs with an independent voice, it's peppered with real-world examples that will help you get the most out of your journey to the cloud.

Look for a formal announcement at Microsoft Ignite where Tony, Michael, and I will be speaking. Be sure to attend our MVPs Unplugged sessions:

New Skype for Business Visio Server Stencils


Now you can download the latest Microsoft server stencils for Visio. These stencils contain more than 300 icons to help you create visual representations of Microsoft Office or Microsoft Office 365 deployments including Microsoft Skype for Business, Microsoft Exchange Server 2013, and Microsoft SharePoint Server 2013. The zip file now includes both stencil sets from 2012 and 2014.

The 2012 stencils include Lync Server and Exchange 2010 stencils, while the 2014 stencils include Skype for Business and Exchange 2013 stencils. Perfect for that next migration diagram!

How to Create Dynamically Adjusting Exchange Retention Policies

Exchange has supported message retention policies since Exchange 2010. Retention Policies are collections of Retention Tags that dictate how emails are retained in Exchange. Usually this is done to comply with business policies on data retention and/or used as a way to move data from the user's primary mailbox to an archive mailbox.

Retention Policies
The retention policy shown above includes several personal policy tags and one default policy tag that moves emails older than 6 months to the archive. You can customize or create new retention policies for your users based on your company's data retention policies. For example, you can create a retention policy to move all emails to the archive mailbox after 1 year and permanently delete all emails older than 5 years.

Only one mailbox retention policy can be assigned to a mailbox at a time. While you can easily change which retention policy is assigned to a mailbox using the Exchange Management Shell or the Exchange Admin Center, this can be somewhat tedious.

Note that retention tags are time-based, not size-based. If you're trying to manage your mailbox storage with retention policies, the same time-based retention policy may result in widely varying mailbox sizes within the Exchange database store, depending on the user. I developed the following process to dynamically adjust each user's retention policy based on mailbox size. The larger the mailbox gets, the more aggressive the retention policy applied.

Start by creating multiple default archive and/or delete retention tags. Make sure to select "applied automatically to entire mailbox (default)" to ensure that it applies to all email items. For example,

  • Default one year move to archive
  • Default 6 months move to archive
  • Default 3 months move to archive
  • Default 7 year delete
  • Default 5 year delete
  • Default 3 year delete
Creating a Default retention tag
Next create multiple retention policies that include the default retention tags you created. For example,
  • High Retention - Default one year move to archive, Default 7 year delete
  • Medium Retention - Default 6 months move to archive, Default 5 year delete
  • Low Retention - Default 3 months move to archive, Default 3 year delete
Apply the High Retention policy to all mailboxes using the following EMS command:
Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetentionPolicy "High Retention"

Note that archive retention tags only apply if the mailbox has an archive mailbox, otherwise the archive tags are ignored.

Copy the following script and save it to one of your Exchange servers in the C:\Scripts folder as Apply-RetentionPolicies.ps1:
# Apply-RetentionPolicies.ps1 -- run from EMS on an Exchange server
# Size thresholds in bytes (PowerShell understands the GB suffix); adjust to your needs
$lowThreshold    = 10GB
$mediumThreshold = 8GB

Get-Mailbox -ResultSize Unlimited | ForEach-Object -Process {
    # TotalItemSize is a ByteQuantifiedSize; compare raw bytes rather than strings
    $bytes = (Get-MailboxStatistics -Identity $_.Identity).TotalItemSize.Value.ToBytes()
    # Policy names match the ones created above (High/Medium/Low Retention)
    If ($bytes -gt $lowThreshold) {
        $policy = "Low Retention"
    }
    elseif ($bytes -gt $mediumThreshold) {
        $policy = "Medium Retention"
    }
    else {
        $policy = "High Retention"
    }
    # Only touch the mailbox when the assigned policy actually needs to change
    If ([string]$_.RetentionPolicy -ne $policy) {
        Set-Mailbox -Identity $_.Identity -RetentionPolicy $policy
    }
}

Adjust the mailbox sizes in the script to meet your company's retention needs. In the example script above, mailboxes larger than 10GB get the Low Retention policy, mailboxes between 8GB and 10GB get the Medium Retention policy, and everyone else gets the High Retention policy.

Next, create a scheduled task that runs the Apply-RetentionPolicies.ps1 script once per day.

Set the "Program/Script" property to:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
And set the "Add arguments (optional)" to:
-NonInteractive -WindowStyle Hidden -command $ep = (Get-Item env:"ExchangeInstallPath").Value; . $ep\bin\RemoteExchange.ps1; Connect-ExchangeServer -auto; . C:\Scripts\Apply-RetentionPolicies.ps1
Creating a Basic Scheduled Task
The scheduled task must run using the credentials of an account with Organization Management rights.

With this process, as a mailbox gets smaller from a more aggressive retention policy it will automatically get a longer retention policy.

Lync or Skype for Business Missed Conversation Emails are Delayed

Working with our Skype for Business team today, I discovered some useful information about Missed Conversation emails.

  • Missed Conversation emails can be delayed if you are signed into Lync or Skype for Business from different clients at the same time. For example, if you're signed in from your desktop and another computer or the Lync Mobile client. This is known, but not expected, behavior. It might be due to IM toast popping up in one client when you are working from another client. Lync activity from the remote machine then "nudges" the email out.
  • Lync/S4B uses EWS to place the Missed Conversation or Missed Call emails directly in the Missed Conversation folder in your mailbox. Since it does not traverse Exchange transport, these messages will not show in message tracking and they will not include any header information.

Fix for "Service FIMSynchronizationService was not found on computer" when installing AADConnect

You may see the following error when installing or configuring the GA release of Microsoft Azure Active Directory Connect (AADConnect):
An error occurred while analyzing your current settings. Service FIMSynchronizationService was not found on computer '.'.

This can happen if the server on which AADConnect is being installed has remnants of a Windows Azure Active Directory Sync (DirSync) installation in the registry. This may happen even if DirSync has been uninstalled previously.

  • Open RegEdit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products
  • Delete the 0C3FB95F67119A143800F5C52A83CDC0 key if it exists
  • Delete the 3F1C9EE38DDCE34478C59E1C0FE14BA5 key if it exists
  • Close RegEdit and retry your configuration
Credit for making me discover this goes to my super-awesome boss, Tom Pacyk.
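An added example, not from the original post, that confirms the symptom, backs up the two Installer\Products keys named above with reg.exe, and only then removes them; $BackupDir is a hypothetical path.

```powershell
# Added example (not from the original post): verify, back up, then remove the
# DirSync installer remnants. Run from an elevated PowerShell prompt on the
# server where AADConnect is being installed. $BackupDir is a hypothetical path.
$BackupDir = 'C:\Temp\DirSyncRegBackup'
$keys = 'HKLM:\SOFTWARE\Classes\Installer\Products\0C3FB95F67119A143800F5C52A83CDC0',
        'HKLM:\SOFTWARE\Classes\Installer\Products\3F1C9EE38DDCE34478C59E1C0FE14BA5'

# AADConnect's analyzer looks for this service; if it is present, this fix does not apply
if (Get-Service -Name FIMSynchronizationService -ErrorAction SilentlyContinue) {
    Write-Host "FIMSynchronizationService exists; the registry remnant fix is not the issue here."
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        Write-Host "Not present, nothing to do: $key"
        continue
    }
    # Installer\Products keys carry a ProductName value; show it so you can confirm
    # it really is the old DirSync product before deleting anything
    $product = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProductName
    Write-Host "Found $key (ProductName: $product)"

    # reg.exe wants HKLM\... rather than the PowerShell HKLM:\ drive form
    $name    = Split-Path -Path $key -Leaf
    $regPath = $key -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath (Join-Path $BackupDir "$name.reg") /y | Out-Null

    Remove-Item -Path $key -Recurse -Force
    Write-Host "Backed up to $BackupDir\$name.reg and removed: $key"
}
```

Rerun the AADConnect configuration afterwards; the exported .reg files let you restore the keys with a double-click if you removed the wrong thing.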

EXPTA Gen 6 Lab Server Survey

I have been posting instructions and parts lists for Hyper-V lab server builds since 2012. My latest Gen5 lab server build can be found here.

A number of readers have asked when I plan to make a new EXPTA Gen6 Hyper-V lab server build. Before I do, I'd like some information from you as to what type of changes you'd like to see. This information will directly affect the next server build.



Thanks for taking the time to enter this survey! The poll will close on Friday, July 10, 2015.


How to Notify Users When an Email is Received by Another Mailbox

You may want to notify a user or group whenever an email is received by another mailbox, without forwarding the original email. This might be useful if you have an unmanned Shared Mailbox in Exchange or Office 365, for example help@contoso.com.

You can achieve this with a Transport Rule.
  • In the Exchange Admin Center go to Mail Flow | Rules
  • Create a new rule:
    • Give the rule a name.
    • Click "More Options" to expose additional actions for the rule.
    • Choose "Apply this rule if..." + "The recipient..." + "is this person". Select the correct recipient.
    • Choose "Do the following..." + "Generate incident report and send it to...". Select the user or group to notify and include any optional message properties you want to include, such as Sender, Subject, etc.
    • Set "Match sender address in message:" to "Header or envelope"
    • Click Save
An incident report like the following will be sent for every email received by the selected recipient(s). For example:
From: Microsoft Outlook
Sent: Wednesday, July 08, 2015 8:10 PM
To: Joe User
Subject: Test Message

This email was automatically generated by the Generate Incident Report action.
Message Id: <DB3RP04MB0842A9741DB21580B3F9DD06DC900@DB3PR04MB0842.eurprd04.prod.outlook.com>
Sender: Jeff Guillet, Jeff.Guillet@contoso.com
Subject: Test Message
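The same rule created from the Exchange Management Shell instead of the EAC, as an added example that is not from the original post. help@contoso.com is the post's sample mailbox; helpdesk-notify@contoso.com is a hypothetical group, and -SenderAddressLocation assumes Exchange 2013 CU1 or later (or Exchange Online).

```powershell
# Added example (not from the original post): the "notify, don't forward" rule
# from EMS. help@contoso.com comes from the post; the notify group is hypothetical.
$watched  = 'help@contoso.com'
$notify   = 'helpdesk-notify@contoso.com'
$ruleName = "Notify on mail to $watched"

# Don't silently create a duplicate rule on a rerun
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$ruleName' already exists; remove or rename it first."
    return
}

# -SentTo            = "The recipient... is this person"
# -GenerateIncidentReport / -IncidentReportContent = "Generate incident report and send it to..."
#                      with the message properties to include (original mail is NOT attached)
# -SenderAddressLocation HeaderOrEnvelope = "Match sender address in message: Header or envelope"
New-TransportRule -Name $ruleName `
    -SentTo $watched `
    -SenderAddressLocation HeaderOrEnvelope `
    -GenerateIncidentReport $notify `
    -IncidentReportContent Sender, Subject, Recipients `
    -Comments "Notifies $notify when $watched receives mail; the original message is not forwarded." `
    -Mode Enforce

# Confirm what was created before you rely on it
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, SentTo, SenderAddressLocation, GenerateIncidentReport, IncidentReportContent
```

Leave AttachOriginalMail out of -IncidentReportContent unless you actually want a copy of each message in the notification, which defeats the "without forwarding the original email" goal.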

EXPTA Gen6 Home Lab Server Survey Results

I started providing parts lists and instructions for home lab server builds back in 2009. Since then, I've updated my Windows Hyper-V lab server five times, beginning with an AMD-based 16GB server with traditional hard drives and most recently my Intel-based 32GB Gen5 server with SSDs for blistering fast performance and high capacity.

I've been asked to update my server build again with the latest hardware, and some have asked for a build with more RAM so they can host more VMs on the same server. That led me to create an EXPTA Gen 6 Lab Server Survey to find out what's most important to you, my readers. As you can imagine, there are competing desires. For example, more RAM translates to higher cost. Here are the results of the survey:

EXPTA Lab Server Survey Results
These survey results show that most respondents are looking to build their first lab server, but most do not need step-by-step instructions and screen shots to build it.

It's almost a tie between those who want a lower price server (~$1,000 USD) and those who want a higher RAM server that can host more VMs (~$1,700 USD). Noise and speed were also important criteria. A common comment from those in the low price camp was that it's easier to justify a $1K purchase to the family.

Almost everyone wants an Intel-based server. It's neck and neck between a lower priced Intel Core i5 4-core 32GB system and a super-fast Intel Core i7 6-core 64GB system. Somewhat surprisingly, only 11% of respondents are interested in a true server-class Intel Xeon E5 64GB system.

In the coming days, I plan to put together new Gen6 server builds. That's right, builds. Plural. Each build will use the best hardware for that solution. The focus will be on reliability and speed in each segment. All builds will use the same storage configuration - SSDs for the OS and running VMs, and a single high capacity hard drive for mass storage of ISOs and base images. This provides insanely fast speed and keeps the noise level to a minimum.

Stay tuned...




EXPTA Gen6 Home Lab Server Builds and Parts Lists

Build your own blistering fast Windows Hyper-V lab server starting at $900!

I'm very pleased to provide you my latest EXPTA Gen6 home lab server builds. Advances in hardware and virtualization technology have made it possible for IT Pros to build sophisticated systems that host more VMs than ever before. My Home Lab Server Survey results show that while there's still tremendous interest in 32GB entry-level servers at around $1,000, there's also a lot of interest in 64GB servers at the $1,700 price point.

Based on these survey results and for the first time ever, I'm providing three different server builds:
  • Intel Core i5 quad-core, 32GB RAM, SSD, small form-factor for $900. I can finally break the $1,000 barrier without sacrificing quality! This makes it super-easy for IT Pros to build a blistering fast Windows Hyper-V server that can run many VMs.
  • Intel Core i7 hex-core, 64GB RAM, SSD, ATX form-factor for $1,725. This build is geared toward those who want double the VM density and outstanding performance.
  • Intel Xeon E5 hex-core, 64GB RAM, SSD, ATX form-factor for $1,835. This build uses true server hardware for the ultimate in reliability and scalability.
Each of the three server builds uses components from the vendors' hardware compatibility lists to ensure the utmost in reliability. They will all run Windows Server 2012 R2 and should be "future-proof" to run the upcoming Windows Server 2016 release.

Each build uses the same storage format -- a 256GB SSD for the OS, a 500GB or 1TB SSD for regularly running high performance VMs, and a 1TB traditional hard drive for storing ISOs, software applications, and base images. Each server utilizes SATA III 6Gb/s drives and USB 3.0 ports for the fastest I/O performance.

Most survey respondents indicated that they did not need step-by-step installation guides. If you do need help, look back at my previous Gen4 and Gen5 server build articles for assistance.

As usual, I link to Amazon for components and prices. Amazon does a very good job of maintaining stock, has an excellent return policy, and most of these items are eligible for free two-day shipping via Amazon Prime. If you don't have Prime, you can sign up for a free trial here and cancel after you order the equipment if you want. Please note that it's normal for Amazon prices to fluctuate (usually down) over time.

Build #1 -- Intel Core i5 Quad-Core, 32GB RAM, SSD, Small Form-Factor, 191W for Around $900
Component / Description

Intel Core i5-4690S Processor 3.9GHz Quad Core LGA 1150 - BX80646I54690S
This is a 4th generation Intel Haswell-Refresh processor and includes Intel HD Graphics 4600, so no discrete video card is required. Runs at 3.9 GHz, but requires only 65W! Includes Intel aluminum heat sink and silent fan. 3 year limited warranty.

Patriot Viper 3 Series Venom Red DDR3 16GB 1600MHz (PC3 12800) Memory Kit PV316G160C9KRD
You'll need two of these. 1.5V 240-pin dual channel 1600MHz DDR3 SDRAM with built-in heat spreaders. Low 9-9-9-24 CAS latency. Great RAM at a great price. Each package contains 2x 8GB DIMMs (16GB). Lifetime warranty.

Gigabyte Intel Z97 LGA 1150 Micro ATX Motherboard GA-Z97M-DS3H
I chose this LGA 1150 Micro ATX motherboard because it supports up to 32GB RAM and has 6x SATA III 6Gb/s and 2x SATA 3Gb/s connectors. It uses the Intel Z97 Express chipset, has 1 x PCI Express x16 slot running at x16; 2 x PCI Express x1 slots, HDMI/DVI/VGA outputs, USB 3.0 and 2.0 ports, and a Realtek 8111F-VL LAN chip (not Intel, yay! See below). It also has a great UEFI BIOS. 3 year limited warranty.

Samsung 850 EVO 250GB 2.5-Inch SATA III Internal SSD (MZ-75E250B/AM)
256GB SATA III 6Gb/s SSD used for the Windows Server operating system. Legendary Samsung quality. Delivers up to 100,000 IOPS 4KB random read / 90,000 IOPS 4KB random write speed. 3 year warranty.

Samsung 850 EVO 500GB 2.5-Inch SATA III Internal SSD (MZ-75E500B/AM)
500GB SATA III 6Gb/s SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Lync servers, etc.). Enabling Windows Server disk deduplication provides even more storage capacity! Delivers up to 98K IOPS 4KB random read / 90K IOPS 4KB random write speed. Mwahaha!! 3 year limited warranty.

WD Blue 1 TB Desktop Hard Drive: 3.5 Inch, 7200 RPM, SATA 6 Gb/s, 64 MB Cache - WD10EZEX
Best selling 1TB Western Digital Caviar Blue SATA III 6Gb/s drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after 10 minutes to save even more power. 2 year warranty.

Samsung SH-224DB/RSBS 24X SATA DVD±RW Internal Drive
Great quality 24x ±RW DVD burner. It's cheap, too. Even though it's SATA2, I connect this to one of the SATA3 ports on the motherboard for no particular reason. 1 year limited warranty.

Sentey SS1-2423 Slim Micro ATX Computer Case
Sleek Micro ATX case with full color LCD display and removable drive bay cage for easy access. 1x external 5.25" drive bay and 2x internal 3.5" drive bays. Includes front USB 3.0 and 2.0 and audio ports. Great build quality and cable management. 3 year limited warranty.

FSP Group Mini ITX / Micro ATX / SFX 300W 80 Plus Certification Power Supply (FSP300-60GH)
300 Watt Micro ATX PSU with super quiet 80mm cooling fan system. 80 Plus Certified to reduce power consumption.

StarTech 6in 4 Pin Molex to SATA Power Cable Adapter (SATAPOWADAP)
The FSP 300W power supply has three SATA power connectors for drives, which is one short of what we need. Use this adapter to convert one of the two Molex power connectors to SATA.

SABRENT 3.5-Inch to SSD / 2.5-Inch HDD Bay Drives Converter (BK-HDDH)
Steel mounting bracket for 2.5" SSD drives. One mounting kit holds up to two SSD drives, stacked on top of each other.

C&E CNE11445 SATA Data Cable (2pk.)
We need 4x SATA cables for this build. The Gigabyte motherboard comes with two SATA cables, so we need two more. Flat (not L shaped) connectors work best for this build. FYI there's no technical difference between SATA2 and SATA3 cables.

Build #1 is pretty straight forward. Make sure you have everything you need and enough space to work. Most builds take about an hour and always seem to go smoother with a cold refreshing adult beverage nearby. Assemble the drive cage first, then install the PSU, motherboard, CPU and RAM to button it up. I always update the BIOS from the Internet before installing the OS. The Gigabyte BIOS allows you to do this directly from the BIOS. Nice! Once you install the OS, install and/or upgrade the drivers (especially the NIC) from the manufacturers' websites. Then install the Hyper-V role and you're off to the races!

You can host quite a few VMs on this system. As an example, my Gen5 32GB version of this server runs Windows Server 2012 R2 with the Exchange 2013 Edge Transport role and Hyper-V. This server has been running 24x7 for over a year with the following VMs:
  • 1x Domain Controller (2GB dynamic RAM)
  • 2x Exchange 2013 servers (4-6GB each)
  • 1x Lync 2013 server (4GB)
  • 1x Exchange 2010 server (4GB)
  • 1x Application server (2GB)
I run these VMs off the 500GB SSD with Windows Server 2012 R2 disk deduplication enabled for Virtual Desktop Infrastructure (VDI). This allows me to put 669GB of data on this 500GB drive and I still have 145GB free space! See Windows Server 2012 Deduplication is Amazing! for information about configuring this.


Build #2 -- Intel Core i7 Hex-Core, 64GB RAM (8x8), SSD, ATX Form-Factor, 321W for Around $1,720
Component / Description

Intel Core i7-5820K Processor 3.3GHz 0GT/s 15MB LGA 2011-v3 CPU w/o Fan, Retail (BX80648I75820K)
6-Core 22nm Haswell-E 140W CPU with 15MB L3 Cache and 6 x 256KB L2 Cache. Absolutely screams performance. It does run a bit hot, but we have a great CPU cooler and three quiet fans in the case. 3 year limited warranty.

Cooler Master Hyper T4 CPU Cooler with 4 Direct Contact Heatpipes RR-T4-18PK-R1
Four Direct Contact heat pipes for seamless contact between the cooler and CPU. 120mm wide range PWM fan. RPM can be fine-tuned for maximum airflow or whisper quiet operation. Snap-on fan brackets to quickly and easily install, remove, clean, or replace the fan or heat sink. Includes a syringe of thermal compound.

Crucial 8GB Single DDR4 2133 MT/s (PC4-17000) CL15 DR x8 Unbuffered DIMM 288-Pin Desktop Memory CT8G4DFD8213
These are single UDIMMs, so you'll need 8 of them for 64GB. 1.2V 288-pin dual channel 2133 MT/s DDR4 SDRAM. CAS latency 15. Great RAM at a fantastic price. Each package contains 1x 8GB UDIMM. 100% tested and comes with a lifetime warranty.

ASRock ATX DDR4 Motherboard X99 EXTREME4
I chose this LGA 2011-v3 ATX motherboard because it has the Intel X99 chipset and supports up to 128GB RAM. It has 10x SATA III 6Gb/s connectors and 6x USB 3.0 Ports (4 rear, 2 via header); 8x USB 2.0 Ports (4 rear, 4 via headers). It has 3x PCI-Express 3.0 x16 Slots (one runs at x8), 1x PCI-Express 2.0 x16 Slot (runs at x4), and 1x PCI-Express 2.0 x1 Slot. It also has a great UEFI BIOS. Includes 4x SATA cables. 3 year limited warranty.

GIGABYTE GeForce 210 Silent 1GB DDR3 DVI-I / D-Sub / HDMI Low Profile Graphics Card, GV-N210SL-1GI
Unlike Core i5 CPUs, Intel Core i7 and Xeon CPUs do not feature integrated graphics. This fan-less 1GB GeForce 210 video card features DVI-I, D-Sub, and HDMI outputs. Perfect for servers.

Samsung 850 EVO 250GB 2.5-Inch SATA III Internal SSD (MZ-75E250B/AM)
256GB SATA III 6Gb/s SSD used for the Windows Server operating system. Legendary Samsung quality. Delivers up to 100,000 IOPS 4KB random read / 90,000 IOPS 4KB random write speed. 3 year warranty.

Samsung 850 EVO 1 TB 2.5-Inch SATA III Internal SSD (MZ-75E1T0B/AM)
1TB SATA III 6Gb/s SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Skype servers, etc.). Enabling Windows Server disk deduplication provides even more storage capacity! Delivers up to 98K IOPS 4KB random read / 90K IOPS 4KB random write speed. Mwahaha!! 3 year limited warranty.

WD Blue 1 TB Desktop Hard Drive: 3.5 Inch, 7200 RPM, SATA 6 Gb/s, 64 MB Cache - WD10EZEX
Best selling 1TB Western Digital Caviar Blue SATA III 6Gb/s drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after 10 minutes to save even more power. 2 year warranty.

Samsung SATA 1.5 Gb-s Optical Drive, Black SH-224DB/BEBE
Great quality 24x ±RW DVD burner. It's cheap, too. SATA 3 is backward compatible with SATA and SATA 2.

Rosewill Black SECC Steel USB 3.0 Mid Tower Computer Case REDBONE U3
ATX mid tower case with 1 x Front 120mm Red LED Fan, 1 x Rear 120mm Fan, and 1 x Side 120mm Fan to keep everything nice and cool. 2 x USB 3.0 Ports, 1 x e-SATA, Audio In/Out (HD) ports, and Power / Reset buttons on top. PSU shock-proof pad. Great Rosewill quality and roomy enough to take that enormous Cooler Master CPU cooler.

Corsair CX Series 430 Watt ATX/EPS Modular 80 PLUS Bronze ATX12V/EPS12V 384 Power Supply CX430M
Modular cabling system lets you use only the cables you need. Universal AC input from 90-264V. Up to 85% energy efficiency means less heat generation and lower energy bills. Super quiet. A three year warranty and lifetime access to Corsair's legendary technical support and customer service.

SABRENT 3.5-Inch to SSD / 2.5-Inch HDD Bay Drives Converter (BK-HDDH)
Steel mounting bracket for 2.5" SSD drives. One mounting kit holds up to two SSD drives, stacked on top of each other.

This Core i7 build was requested almost as much as Build #1. It offers screaming performance and doubles the RAM for double the VM capacity. As you can see, I've traded out the 500GB SSD for a 1TB SSD to use for active VMs. This was cost prohibitive just 6 months ago. FTW!

You'll also notice that this motherboard is capable of supporting 128GB of RAM, but at the current time there are no 16GB DIMMs available to support this configuration. If you really want to build a 128GB server you'll need to go with Build #3, which uses 4x16GB ECC registered DIMMs and can scale out to 8x16GB.

Important Note: Both the Intel Core i7 and Xeon E5 server builds use the ASRock X99 Extreme4 motherboard, which uses an integrated Intel 218V gigabit NIC. I love this motherboard, but unfortunately Intel cripples their NIC drivers so they cannot be used with Windows Server operating systems. I detailed how to overcome this in my Gen5 server build (look toward the end of the article). There's another very good article here that also covers it. You'll need to go through these steps to install and/or upgrade the Intel NIC drivers for Builds #2 or #3.


Build #3 -- Intel Xeon E5 Hex-Core, 64GB RAM (4x16) Expandable to 128GB, SSD, ATX Form-Factor, 272W for Around $1,835
Component / Description
 
Intel Xeon E5-2609 V3 Hexa-core [6 Core] 1.90 Ghz Processor
6-Core 22nm Haswell 85W CPU with 15MB L3 Cache and 6 x 256KB L2 Cache. Terrific performance and reliability. 3 year limited warranty.
 
ARCTIC Freezer i11 CPU Cooler for Intel, 150W Cooling Capacity, 3 Direct Touch Heatpipes, Vibration-Dampened Fan, 23dBA Noise
Three direct touch heat pipes for fast & efficient heat dissipation. 92mm PWM fan with fluid dynamic bearing. Includes syringe of MX-4 thermal compound.
 
Crucial 64GB Kit (16GBx4) DDR4 2133 (PC4-2133) DR x4 ECC Registered 288-Pin Server Memory CT4K16G4RFD4213 / CT4C16G4RFD4213
1.2V 288-pin quad channel ECC 2133 MT/s DDR4 SDRAM. CAS Latency 15. Great RAM at a fantastic price. Each package contains 4x 16GB RDIMMs. 100% tested and comes with a lifetime warranty.
 
ASRock ATX DDR4 Motherboard X99 EXTREME4
I chose this LGA 2011-v3 ATX motherboard because it has the Intel X99 chipset and supports up to 128GB RAM. It has 10x SATA III 6Gb/s connectors and 6x USB 3.0 Ports (4 rear, 2 via header); 8x USB 2.0 Ports (4 rear, 4 via headers). It has 3x PCI-Express 3.0 x16 Slots (one runs at x8), 1x PCI-Express 2.0 x16 Slot (runs at x4), and 1x PCI-Express 2.0 x1 Slot. It also has a great UEFI BIOS. Includes 4x SATA cables. 3 year limited warranty.
 
GIGABYTE GeForce 210 Silent 1GB DDR3 DVI-I / D-Sub / HDMI Low Profile Graphics Card, GV-N210SL-1GI
Unlike Core i5 CPUs, Intel Core i7 and Xeon CPUs do not feature integrated graphics. This fan-less 1GB GeForce 210 video card features DVI-I, D-Sub, and HDMI outputs. Perfect for servers.
 
Samsung 850 EVO 250GB 2.5-Inch SATA III Internal SSD (MZ-75E250B/AM)
256GB SATA III 6Gb/s SSD used for the Windows Server operating system. Legendary Samsung quality. Delivers up to 100,000 IOPS 4KB random read / 90,000 IOPS 4KB random write speed. 3 year warranty.
 
Samsung 850 EVO 1 TB 2.5-Inch SATA III Internal SSD (MZ-75E1T0B/AM)
1TB SATA III 6Gb/s SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Skype servers, etc.). Enabling Windows Server disk deduplication provides even more storage capacity! Delivers up to 98K IOPS 4KB random read / 90K IOPS 4KB random write speed. Mwahaha!! 3 year limited warranty.
 
WD Blue 1 TB Desktop Hard Drive: 3.5 Inch, 7200 RPM, SATA 6 Gb/s, 64 MB Cache - WD10EZEX
Best selling 1TB Western Digital Caviar Blue SATA III 6Gb/s drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after 10 minutes to save even more power. 2 year warranty.
 
Samsung SATA 1.5 Gb-s Optical Drive, Black SH-224DB/BEBE
Great quality 24x ±RW DVD burner. It's cheap, too. SATA 3 is backward compatible with SATA and SATA 2.
 
Rosewill Black SECC Steel USB 3.0 Mid Tower Computer Case REDBONE U3
ATX mid tower case with 1 x Front 120mm Red LED Fan, 1 x Rear 120mm Fan, and 1 x Side 120mm Fan to keep everything nice and cool. 2 x USB 3.0 Ports, 1 x e-SATA, Audio In/Out (HD) ports, and Power / Reset buttons on top. PSU shock-proof pad. Great Rosewill quality and roomy enough to take that enormous ARCTIC Freezer CPU cooler.
 
Corsair CX Series 430 Watt ATX/EPS Modular 80 PLUS Bronze ATX12V/EPS12V 384 Power Supply CX430M
Modular cabling system lets you use only the cables you need. Universal AC input from 90-264V. Up to 85% energy efficiency means less heat generation and lower energy bills. Super quiet. A three year warranty and lifetime access to Corsair's legendary technical support and customer service.
 
SABRENT 3.5-Inch to SSD / 2.5-Inch HDD Bay Drives Converter (BK-HDDH)
Steel mounting bracket for 2.5" SSD drives. One mounting kit holds up to two SSD drives, stacked on top of each other.

Build #3 delivers the ultimate in scalability and reliability. Since this server uses registered ECC RAM it can scale out to 128GB -- just buy two of the Crucial 4x16GB memory kits. Like Build #2, this server utilizes a 1TB drive for active VMs. With disk deduplication enabled I sincerely believe you can place all your active VMs there with no problem.

There are a number of options you can add to each of these builds. Here are some recommendations:


Server Build Options
Component / Description
 
TP-LINK TG-3468 10/100/1000Mbps Gigabit PCI Express Network Adapter
This PCI-e NIC will work in any of the three builds. The best practice for Hyper-V servers is to use a dedicated NIC for server management. This inexpensive option lets you do just that. You may also decide to use this NIC instead of monkeying around with the Intel 218V drivers on builds #2 and #3.
 
Samsung 850 Pro 256GB 2.5-Inch SATA III Internal SSD (MZ-7KE256BW)
Upgrade your 256GB SATA III 6Gb/s SSD to the 850 Pro version with 3D VNAND technology. Delivers up to 100,000 IOPS 4KB random read / 90,000 IOPS 4KB random write speed. 10 year warranty.
 
Samsung 850 Pro 1 TB 2.5-Inch SATA III Internal SSD (MZ-7KE1T0BW)
Upgrade your 1TB SATA III 6Gb/s SSD used for active VMs to the 850 Pro. Delivers up to 90K IOPS 4KB random read / 100K IOPS 4KB random write speed. 10 year limited warranty.
 
Sabrent 74-In-1 3.5-Inch Internal Flash Media Card Reader/writer with USB Port (CR-USNT)
Adds another USB 2.0 port to the front of the server. Supports 74 different types of memory cards. The 6 card reader slots cover all formats of the following flash media types: M2, XD, SD/SDHC/SDXC/MMC, Micro SD/SDHC/SDXC (T-flash), CF/MD, MS.
 
Rosewill RDCR-11003 74-In-1 USB 3.0 3.5-Inch Internal Card Reader with USB Port (RDCR-11003)
This is the same type of card reader, but includes a USB 3.0 port instead of USB 2.0 and is better quality.
 
Cable Matters SuperSpeed USB 3.0 Type A Male to Female Extension Cable in Black 10 Feet
I strongly recommend getting one of these. Plug the male end into the back of the server and feed the female end up to your workspace for a super-convenient USB 3.0 port where you need it.

I hope these builds give you the confidence to build your own home lab server. I'm interested to hear your experiences in the comments section below. Happy building!

Fix for Server Manager Error: "Online - Cannot get performance counter data"

One of the interesting things about having a home lab is you get to break things in ways that no one thought possible. I'll give a nickel to the next person who has this happen to them.

I have three Exchange servers running Windows Server 2012 R2. Performance counters have been started on all three servers (see https://technet.microsoft.com/en-us/library/hh831394.aspx). One server had two IP addresses configured for one NIC so I could do some testing. When I removed the second IP address from the single NIC and restarted the server, Server Manager complained that it could not refresh that server.


When I clicked Manageability in Server Manager it showed "Online - Cannot get performance counter data." Re-adding the secondary IP and restarting the server doesn't help.

Lots of troubleshooting later (involving Perfmon, Bing-fu, and swearing), I discovered the following fix:

  1. Open an elevated CMD prompt to C:\Windows
  2. Run lodctr /R to rebuild the perf registry strings and info from scratch based on the current registry settings and backup INI files. If this works, you're done. In my case, it resulted in the error, "Error: Unable to rebuild performance counter setting from system backup store, error code is 2." Very helpful. :-|
  3. Change to the C:\Windows\SysWOW64 folder and run lodctr /R again. This time I got "Info: Successfully rebuilt performance counter setting from system backup store"
  4. Run winmgmt /resyncperf to register the system performance libraries with WMI and then refresh Server Manager to see that the problem is resolved.
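If you would rather not type the steps above by hand, here is the same sequence as an elevated PowerShell script. This is an added example, not something from the original post: it assumes an English-language Windows install (it keys success off the "Successfully rebuilt" message quoted in step 3), that lodctr.exe lives in both System32 and SysWOW64 as it does on a 64-bit server, and that it is run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own script): automates the lodctr /R repair.
# Runs the 64-bit lodctr first, then the 32-bit copy in SysWOW64, stopping at
# the first one that reports a successful rebuild, then resyncs WMI.

$lodctrPaths = @(
    (Join-Path $env:SystemRoot 'System32\lodctr.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\lodctr.exe')
)

$rebuilt = $false
foreach ($lodctr in $lodctrPaths) {
    if (-not (Test-Path $lodctr)) { continue }   # SysWOW64 is absent on 32-bit hosts
    Write-Host "Running '$lodctr /R' ..."
    $output = & $lodctr /R 2>&1                  # lodctr prints Info:/Error: lines
    $output | ForEach-Object { Write-Host "  $_" }

    # Success message as quoted in step 3 above (English Windows assumed).
    if ($output -match 'Successfully rebuilt performance counter setting') {
        $rebuilt = $true
        break
    }
}

if (-not $rebuilt) {
    throw 'lodctr /R failed in both System32 and SysWOW64; check the Application event log before going further.'
}

# Step 4: re-register the performance libraries with WMI so Server Manager can read them again.
winmgmt /resyncperf
if ($LASTEXITCODE -ne 0) { throw "winmgmt /resyncperf exited with code $LASTEXITCODE" }

# Sanity check: a basic counter query should now succeed locally.
Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 1 |
    Select-Object -ExpandProperty CounterSamples |
    Format-Table Path, CookedValue -AutoSize
```

After the script finishes, refresh Server Manager; the Get-Counter call at the end only proves the local counter store is readable again, so the Manageability column is still the real confirmation.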


One of the reasons I run this blog is to maintain a memory of esoteric things like this. I doubt I'll ever see it again.


Either way, it's OWA

<rant>


Way to kill off a well-known brand. According to this article on the Office Blog, Microsoft marketing has decided to rename the well known Outlook Web App (OWA) to Outlook on the web (Ootw). Note the small "w" in web - don't want to be accused of making the web a Microsoft brand. Ootw just rolls off the tongue, doesn’t it? Apparently Microsoft marketing gets paid by the consonant.

According to Scott Davis at Microsoft:
"The goal here is to simplify the branding and providing consistency across platforms. The brand is really just ‘Outlook’ – ‘on the web’ is simply a descriptor to help users understand which Outlook we are referring to. For example, we also have Outlook on iOS, Android and soon, Windows 10 Mobile. If you look in the App Store/Google Play, these apps are simply branded “Outlook”. In our marketing or help content, we may say Outlook on iOS, Outlook on Android, Outlook on the web, etc. But in each case, the brand is just Outlook. Most importantly, users in all cases will just see the Outlook brand when they are using the products."
With Outlook now being called just “Outlook” on Windows, iOS, Android, Windows modern app for Windows 10 (coming soon), look forward to many fun-filled support calls that go like this: “Are you running Outlook, Outlook, or Outlook?” “No, I’m running OUTLOOK.”

Utter #FAIL

</rant>
