Category: life

  • Exchange 2007 after Windows 2008 Upgrade Part 2

    Well, I’ve got the new Exchange box up and running.  However, I can’t move the mailbox from one machine to the other.  Thankfully, I’m not the only one having this problem today.  It appears as though because it is the 29th of February (leap year), there is a bug in Exchange 2007 preventing certain things from completing.  There’s a nice TechNet thread on it, and it appears by setting your date to tomorrow fixes it.  I think I’ll just wait to move the mailboxes till tomorrow or later then šŸ™‚

  • Exchange 2007 after Windows 2008 Upgrade

    I know it has been well documented that you cannot upgrade Windows 2003 to Windows 2008 with Exchange 2007 installed and expect Exchange 2007 to keep functioning.  However, letā€™s say you may have accidentally done the upgrade on a standalone Exchange 2007 box you have, you know, just in case it were to happen (like it did to me).

    Prior to doing the upgrade, you’ll notice a few things.  First of all, you’ll be prompted that you need to uninstall Powershell.  However, no where does the compatibility checker say anything about needing to uninstall Exchange 2007 prior to upgrading.  I found this hilarious (in a sad, pissed off way) because I had tried to upgrade my WSUS virtual machine first, and it had told me that I would need to uninstall Powershell and WSUS prior to upgrading.  I’m so glad that I wasn’t told anything about Exchange in a similar fashion.  Ugh.  By the way, I was running Exchange 2007 with SP1 prior to the upgrade…of death!

    The first stumbling block, which should have caused me to stop the upgrade process, was uninstalling Powershell.  Since I had installed it prior to installing SP2, uninstalling it becomes a pain.  This is because Powershell is a windows update and if you install a service pack you can’t uninstall any updates prior to the service pack.  Lovely.  Well, in another unsupported way you can uninstall it.  You have to browse to %windir%$ntuninstallkb926139$spuninstall and run the spuninstall.exe.  Now, this may or may not be on your machine anymore either.  On some of my virtual machines it was there, but on my Exchange server it was not, so I copied it over and ran it.

    Ok, so now I can upgrade, yay!  Windows does its thing and upgrades everything and restarts successfully.  I was actually fairly impressed when it booted up.  It looked like it actually worked.  However, then I went into the services snap-in.  I usually do this with this machine because it is slightly RAM starved and sometimes all the Exchange services don’t start.  Sure enough, they hadn’t all started.  So I went through and tried to start them all.  All started but the information store and the system attendant service because of a dependent service.  Crap, of course it’s the important ones.

    Well, first thing I tried was to reinstall Exchange 2007 SP1, just to see if that would work.  Of course this required me to reinstall Powershell, since that’s a pre-req.  No big deal, installed that easily.  Then when I tried to actually install SP1 it just bombed saying it couldn’t upgrade.  Looking through the eventlogs it was because it was trying to spin up those two services.  Great.

    Well, doing some quick registry editing, I found that the service it was dependent on was NtlmSsp.  Needless to say, this service does not exist on Windows 2008, hence the issue.  Two seconds later, I removed that dependency from within the registry and restarted the machine.  The machine reboots, and low and behold all of the services start.  And all the email that was in the queue on my Edge Transport machine left the queue and made it into Exchange.  Downside is that I was doing this all remotely and OWA still didn’t work.

    Honestly, I wasn’t that worried about OWA.  I mean, as long as I can get my emails back and then do the correct upgrade (aka, no upgrade at all) I’d be a happy camper.  Heck, even after installing Powershell back on it, I was able to open up Exchange System Manager.  Really, if I didn’t know all about the services and didn’t use OWA, I would’ve never known it wasn’t working.  Oh, well, maybe the exceedingly high CPU utilization, but oh well.

    When I got home, I had to test to see if I would be able to access my email.  Sure enough, Outlook worked like a charm.  I received all the queued email that had been sitting there for a day, and I was even able to send an email.  Pure craziness. 

    What makes this even better is that the Exchange team actually decided (well, they actually went into it knowing what they were getting into) to try this same thing too.  However, they weren’t able to get things working.  I think the large mess-up was re-installing SP1.  I’m glad I didn’t decide to go down that path, especially since mine worked.  Needless to say I’m working on building a new VM with Windows 2008 and then going to add it t the ORG and move the mailboxes over to the new one.  However, in the meantime, at least my email is functioning šŸ™‚

    I’ll be sure to post again on if I ran into any more issues with the mailbox move.  Worst case I suppose I could just do an ExMerge (actually Export-Mailbox for 2007) on the mailboxes or dump the email out of outlook to a PST.  I’d rather not do that, but if that’s what it takes…

  • Commerce Server 2007

    I swear, could the Commerce Server 2007 documentation be any more cryptic? You really need to know what you’re doing to even get the Starter Site up and running (thankfully I’m fairly well versed in 2002 so it wasn’t that bad). Oh, but then getting the starter site load balanced is fun too. Nothing like the encryption they setup automatically, only there’s no encryption key stored anywhere. Thankfully we realized this early on as we have to re-key everything, and since we don’t have the original key file, that means we basically start from scratch for profiles.

    Fun!

  • Champaign Weekend

    After going downtown on Friday to go look at the stores (and hordes of people) with my family, I headed downtown for a wedding (congrats Bree and Eric!!).  The wedding and reception were great and they did an awesome job on both.  I can’t believe how far away I am from going through all that now.  Anyways, I was staying at a friend from work’s Mom’s place both Friday and Saturday night.  After the reception (sometime after 12), I almost decided to drive all the say back to Chicago (and yes, I was sober since I had been taking pictures all night).  Let’s just say my mood was less than stellar. 

    However, it’s a good thing I didn’t because today, my friend, the men from his family, and I went down to Oakland, IL to shoot some clays.  There’s a shooting range right off the highway, and we did a round of 100 Sporting Clays.  It was amazingly a lot of fun.  For both my friend and I, both residing in the Chicago area, this was the first time.  In fact, neither of us had shot a gun since we were both under 10. 

    To both of our suprise, we did quite well.  He got a 47/100 and I got a 36/100.  Not too shabby for the first time around in the cold drizzle.  While I don’t see myself doing this on a regular occasion (that could get expensive really quick), it is definitely something that I’d do again.  Oh, and damn those rabbits are hard.

  • Turkey Day

    Wow, I haven’t posted here in about, oh forever.  Regardless I hope everyone had a wonderful Turkey Day with friends and/or family.  This year it was at my place.  It was tight, but we made do.  šŸ™‚

  • City Life

    When I first moved up here, I was very excited about living in the city.  I think the excitement has started to wear off.  That’s not to say that I want to move out to the suburbs or anything drastic like that.  I think it’s more than I’d rather move somplace where I can do more outdoor things that I’m in to.  After going on vacation to Canada and Montana, I realized that I like it out there a lot more than here. 

    The ability to go climbing, hiking, biking, skiing, etc really has its benefits.  Stuff that’s a lot more difficult to do in and around the city.  There’s only so many times I can take the same paths or the same indoor climbing gym.  That’s not to say that I haven’t been walking about everywhere again, but at the same point, the city streets are a little bit different than the rockies… 

  • The Internet

    I love buying things on the internet.  For a lot of things, it doesn’t make sense, and for others you have to take a bit of extra time.  However, you usually always find a better deal online.  Plus there’s the challenge of finding that better deal, and still try to use a somewhat reputable retailer.

    Oh internet, I love you so.

  • DAS vs NAS vs SAN

    Something that is making me very angry with the current project I’m on is the difference between DAS, NAS, and SAN technologies.  The worst is that I’m working with these people on a specific thing not related to storage infrastructure, but instead development architecture and the people that are dealing with the storage infrastructure are the people that don’t know what the hell their talking about.  In particular, the hosting provider that does all of the storage infrastructure work for us doesn’t know what the differences are.  Oh, and don’t get me started on a VMware paper that we had that didn’t know the difference either.  It just drives me nuts. 

    For those of you keeping score, I’m going to outline this out.

    DAS = Direct Attached Storage.  These are disks that are physically located in your host machine.

    NAS = Network Attached Storage.  NAS is file based.  For example a CIFS or NFS share.  This is typically TCP/IP based access.  The NAS device “owns” the data on it.  That is, the NAS device administers the data.  For example, you connect to a NAS device from a windows machine by accessing servernameshare.

    SAN = Storage Area Network.  SAN is block based.  This is when LUNs (logical unit numbers) are involved on a host.  The host “owns” the data.  The host is in charge of the partition, formating, and access to the LUN.  You can access a SAN via two protocols: iSCSI (TCP/IP) and/or Fiber Channel (FC). 

    I’m so sick of seeing people talk about iSCSI NAS.  There’s no such thing because in a NAS scenario you are sending CIFS or NFS protocols over TCP/IP while in a SAN solution you’re sending SCSI protocols over TCP/IP.  Huge difference.

    And yes, you can have a device that serves both NAS and SAN from one filer.  This is called Unified Storage.  All NetApp devices can do this.

    Are we clear now?!

  • Blinds Are Up

    And they look great!  I’d hate to think how much it would’ve cost me to have them “professionally” installed.  It took me all of 30 minutes last night.  Awesome.  Now for the couch which has been scheduled to be delivered on the 14th.

  • More ISA Site-to-Site IPSec VPN Configuration

    The last two months, traffic on this site has increased by almost 50%.Ā  Honestly, I donā€™t know specifically what itā€™s related to, but my number one search item is ā€œISAā€ followed by #4 which is ā€œ2006ā€.Ā  Therefore, I thought Iā€™d post a little bit more, since there are still some issues that I had run into.

    First thing is the issue I discussed last time, which was about IPsec not creating the filters it needed to.Ā  I think I may have found the solution to that, but I havenā€™t verified it (which I may do this week while Iā€™m on the bench, in between various training).Ā  Now because of the fact that ISA relies on Windows 2003 IPsec, there are some pretty awful problems.Ā  The first being ā€œadjacent rangesā€ in your IPsec rules.Ā  Windows IPsec does not allow you to have two adjacent IPSec policies.Ā  Instead it believes it should be one continuous policy.Ā  When you attempt to create an adjacent policy in ISA 2006 you will recieve the error message below.

    As an example, letā€™s say that you need access to the individual hosts 10.10.10.150 and 10.10.10.151 at the remote site (or two ranges like 10.10.10.0/24 and 10.10.11.0/24).Ā  Now, if the remote site happened to have a Cisco Concentrator, they would be able to publish each of those hosts (or subnets) as separate IPsec policies.Ā  However, with ISA, they have to be in the same remote networks range.

    Many times, there isnā€™t a problem, especially with a small number of hosts or ranges like this.Ā  However, the problem comes into play with subnetting.Ā  Typically hosts are designated with a 32 bit mask (255.255.255.255).Ā  However, since weā€™ve now created a range, we may see a different mask (255.255.255.254).Ā  Itā€™s when the different, unexpected mask comes into play, that we have issues.Ā  If the mask is wrong, Phase II negotiations fail, and youā€™ll not be able to create a Phase II tunnel.Ā  However, if you donā€™t put the the hosts into the range and ignore the warning that ISA gives, the IPsec policies wonā€™t be created, and youā€™ll have to manually create them whenever the IPsec service restarts (specifically if/when the machine restarts).

    Finally, thereā€™s yet another IPsec issue with Windows 2003, that again manifests itself with ISA.Ā  There are multiple ways you may see this.Ā  One way is that no matter what you set as your Phase II timeout policy from within ISA, youā€™re seeing Phase II rekeying happen about every 300 seconds.Ā  Another way is that you IPsec Site-to-Site VPN connections drop a lot and in the logs you see the error ā€œ0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPEDā€.

    The first thing I tried was to disable IP Spoof Detection.Ā  However, that didnā€™t seem to fix it, plus, since this is an external firewall, I wanted to keep the spoof features on to do application filtering.Ā  The part that was really frustrating was that rekeying was happening every 300 seconds, instead of the 3600 I had specified in ISA.

    Well, it turns out itā€™s a bug with ISA and/or Windows 2003 IPsec.Ā  This was actually a bug with ISA 2004, but apparently it wasnā€™t deemed big enough to fix with 2006, since thereā€™s a workaround that works well.Ā  Microsoft KB article 917025 goes over exactly what to do, but the gist of it is, is that you need to edit the SAIdleTime registry key and change it to 3600 (default is 300).Ā  The downside is that 3600 is the max (trust me, Iā€™ve tried to set it higher, it doesnā€™t work at all), so plan your IPsec Site-to-Site VPNs accordingly (let your peer know that the max will be 3600 seconds).

    Hopefully those two nuggets will help anyone having other issues.Ā  Iā€™m sure Iā€™ll post more things too, as they come up.