• When I use the move-mailbox command will my Outlook clients need to recreate their .OST files?

    I've had the same question come up a few times recently, so I thought I'd blog about it as I assumed this is a FAQ.

    When migrating from Exchange 2003 to 2007 will Outlook need to regenerate the .OST file?

    The short answer is... no, it doesn't need to be recreated; the move is transparent as far as the user is concerned.

    The long-ish answer is... when you use the Move-Mailbox command the mailbox GUID stays the same across the migration. The Outlook profile is tied to the mailbox GUID, so since the GUID moves with the mailbox, neither the Outlook profile nor the .OST associated with that profile needs to be recreated!


    Written by Daniel Kenyon-Smith

  • Forefront Protection 2010 for Exchange Server Capacity Planning Tool

    Take a look at the FPE 2010 capacity planning tool to ensure you have the correct capacity (memory and CPU) for the FPE protection settings you specify.


    It can be downloaded here.


    Written by Daniel Kenyon-Smith

  • The Name on the security certificate is invalid or does not match the name of the site - PART 2

    Once the cert has been installed you will need to enable it. You can run the following command to enable the certificate:

    Enable-ExchangeCertificate -Thumbprint 595EA47CF0C04F64DC3D6D2995F7C4B172CA0F92 -Services "SMTP, IIS"

    Note: The thumbprint needs to match the cert you have just installed. Use either the Get-ExchangeCertificate command, or the MMC (select the cert, click the Details tab and click Thumbprint, then remove the spaces), or use the command specified in PART 1 to find the correct thumbprint.

    For each CAS server that is installed, a Service Connection Point (SCP) record is created for the Autodiscover service for internal clients.

    When I go into Outlook I get the following error (screenshot omitted).

    This is because I'm connecting to services using the NetBIOS name of mbx1, which does not match the name on the certificate. If I run Get-ClientAccessServer -Identity mbx1 | FL I'll see that the AutoDiscoverServiceInternalUri says https://MBX1/Autodiscover/Autodiscover.xml, which does not match the certificate. I can also check the other services and see that I get the same results for OAB, EWS, Outlook Anywhere (OA) and Exchange ActiveSync (EAS). So I need to update all these internal URLs to match the name on the cert.

    • Set-ClientAccessServer -Identity "mbx1" -AutodiscoverServiceInternalURI https://nlb.nwtraders.msft/autodiscover/autodiscover.xml

    • Set-WebServicesVirtualDirectory -Identity "mbx1\EWS (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx

    • Set-OABVirtualDirectory -Identity "mbx1\OAB (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/OAB

    • Enable-OutlookAnywhere -Server mbx1 -ExternalHostname "nlb.nwtraders.msft" -ClientAuthenticationMethod "NTLM"

    • Set-ActiveSyncVirtualDirectory -Identity "mbx1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/Microsoft-Server-Activesync
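    As an added example (not from the original post), the following Exchange Management Shell check reads the names on the certificate and compares them against the host name in each of the internal URLs listed above, so a mismatch can be found before Outlook reports the certificate error. The server name and thumbprint are placeholders from this lab; adjust them for your environment.

```powershell
# Added example: report any internal URL whose host name is not covered by the certificate.
$Server     = "mbx1"                                      # placeholder: CAS server name
$Thumbprint = "595EA47CF0C04F64DC3D6D2995F7C4B172CA0F92"  # placeholder: from Get-ExchangeCertificate

# Names the certificate is valid for: the CN plus any Subject Alternative Names
$cert      = Get-ExchangeCertificate -Thumbprint $Thumbprint
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Every URL an internal client is handed, tagged with the service it belongs to
$urls = @()
$urls += Get-ClientAccessServer -Identity $Server |
    Select-Object @{n="Service";e={"Autodiscover"}}, @{n="Url";e={$_.AutoDiscoverServiceInternalUri}}
$urls += Get-WebServicesVirtualDirectory -Server $Server |
    Select-Object @{n="Service";e={"EWS"}}, @{n="Url";e={$_.InternalUrl}}
$urls += Get-OABVirtualDirectory -Server $Server |
    Select-Object @{n="Service";e={"OAB"}}, @{n="Url";e={$_.InternalUrl}}
$urls += Get-ActiveSyncVirtualDirectory -Server $Server |
    Select-Object @{n="Service";e={"ActiveSync"}}, @{n="Url";e={$_.InternalUrl}}
# Outlook Anywhere has no URL property; clients connect to https://<ExternalHostname>/rpc
$urls += Get-OutlookAnywhere -Server $Server |
    Select-Object @{n="Service";e={"Outlook Anywhere"}}, @{n="Url";e={"https://$($_.ExternalHostname)/rpc"}}

foreach ($u in $urls) {
    if (-not $u) { continue }                      # service not configured on this server
    if (-not $u.Url) { Write-Warning "$($u.Service): no URL configured"; continue }
    $hostName = ([System.Uri]($u.Url.ToString())).Host.ToLower()
    # Accept an exact name, or a wildcard entry that covers the host's parent domain
    $parent = $hostName -replace '^[^.]+\.', ''
    $ok = ($certNames -contains $hostName) -or ($certNames -contains "*.$parent")
    if ($ok) { Write-Host ("OK       {0}: {1}" -f $u.Service, $hostName) }
    else     { Write-Warning ("MISMATCH {0}: {1} is not on the certificate ({2})" -f $u.Service, $hostName, ($certNames -join ", ")) }
}
```

    Any line reported as MISMATCH is one of the values the Set-* commands above need to change.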


    Note: If your customer does decide to enable OA externally, it is important to note that the external host name value configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate used by clients, and must match the endpoint property in the client.

    In order for Subject Alternative Name (SAN) certificates to be used for clients connecting to the OA service, where the CPN does not match the msstd value configured in the Outlook client profile (but the URL is listed in the SAN part of the certificate), certain conditions need to be met. These are listed below:

    • Outlook 2007 or higher
    • Vista SP1


    Then when you open Outlook you should no longer get the cert error!


    Written by Daniel Kenyon-Smith

  • The Name on the security certificate is invalid or does not match the name of the site - PART 1

    Whilst building a test environment for a customer I came across this error, 'The Name on the certificate is invalid or does not match the name of the site', so I thought I'd write up how I resolved it.

    The environment was Exchange 2007 SP1 and I was configuring certificates and Outlook Anywhere. For the purposes of the lab I was using an internal certificate authority, but in live the customer is going to use 3rd party certs on the Exchange servers, not an internal PKI. The goal here was to try and reduce the number of names in the certificate due to cost.


    The first thing to do was to generate the certificate request.


    The certificate I created didn't have any names in the SAN field of the certificate. Here's an example of the command I ran:

    New-ExchangeCertificate -GenerateRequest -Path c:\CompanyA.csr -KeySize 2048 -SubjectName "c=GB, s=London, l=London, o=Nwtraders, cn=nlb.nwtraders.msft.com" -PrivateKeyExportable $True

    This generated the .csr file, which I then uploaded into the internal PKI cert auth (note that for live, the cert would be generated by a 3rd party cert auth).

    In order to generate the cert I connected to the PKI server (screenshots omitted).

    Then selected Request a certificate.

    Then selected advanced certificate request.

    Then selected Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

    I then pasted the cert request that I generated earlier (C:\CompanyA.csr) into the request field. I also selected Web Server under Certificate Template and clicked Submit.

    Then selected Download certificate.

    Then downloaded the .cer file and imported it into the local certificate store by running the following PowerShell command:

    Import-ExchangeCertificate -Path c:\certnew.cer -Password:(Get-Credential).password

    Note: C:\certnew.cer is the cert that we have just downloaded in the previous steps.

    You can verify the cert has been installed in 2 ways. The first is to run the following Exchange PowerShell command to list the certs installed on that server:

    Get-ExchangeCertificate | FL

    Output from the command for the cert I just installed:

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {nlb.nwtraders.msft}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=nwtraders-WIN-63IFOLRGUIP-CA, DC=nwtraders, DC=msft
    NotAfter           : 04/05/2012 11:40:33
    NotBefore          : 05/05/2010 11:40:33
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 6175BFDA000000000007
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=nlb.nwtraders.msft, OU=nwtraders, O=nwtraders, L=nwtrad
                         ers, S=UK, C=GB
    Thumbprint         : 595EA47CF0C04F64DC3D6D2995F7C4B172CA0F92

    The 2nd way is to use the MMC with the Certificates snap-in added for the local computer store.
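    As an added example (not from the original post), this Exchange Management Shell snippet finds the newly imported certificate by the name it was issued for, checks the properties shown in the output above (private key, self-signed, validity dates, Status) and only then passes its thumbprint to Enable-ExchangeCertificate, which is the step Part 2 performs. The expected name and service list are assumptions for this lab.

```powershell
# Added example: sanity-check the imported certificate before binding Exchange services to it.
$ExpectedName = "nlb.nwtraders.msft"   # assumption: the CN the CSR was generated for
$Services     = "SMTP, IIS"            # assumption: services to bind, as in Part 2

# Match on the names the certificate carries rather than on a hand-typed thumbprint
$candidates = @(Get-ExchangeCertificate | Where-Object {
    @($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }) -contains $ExpectedName.ToLower()
})
if ($candidates.Count -eq 0) { throw "No certificate found for $ExpectedName" }

foreach ($cert in $candidates) {
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += "no private key (CSR not generated on this server?)" }
    if ($cert.IsSelfSigned)       { $problems += "self-signed, so clients will not trust it" }
    if ("$($cert.Status)" -ne "Valid") { $problems += "status is $($cert.Status)" }
    if ($cert.NotBefore -gt (Get-Date)) { $problems += "not valid until $($cert.NotBefore)" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }

    if ($problems.Count -gt 0) {
        Write-Warning ("Skipping " + $cert.Thumbprint + ": " + ($problems -join "; "))
        continue
    }

    # The thumbprint is used exactly as Get-ExchangeCertificate prints it (no spaces)
    Write-Host "Enabling $($cert.Thumbprint) ($($cert.Subject)) for $Services"
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services
    break   # one usable certificate is enough
}
```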


    See Part 2 for enabling the cert and configuring Exchange to use the CN name in the cert you have generated.

    Written by Daniel Kenyon-Smith