Tag Archives: IIS

With Exchange 2013, you’re on your own

Many, many years ago I had a domain controller installed on a rather naughty IBM server.  This server, as it turned out later, had some bad firmware on the drives which would cause occasional system oddities such as blue screening, hanging on boot, etc.  I let it go for too long, but the issues were vague and infrequent; many a techie knows the rut one can get into when it’s safer to leave well enough alone.  That line of thinking is always a catch-22 and the server’s issues finally came to a head when it crashed the right files and my domain controller no longer thought that it was a domain controller.

What about backups you say?  Well we had our handy-dandy untested disaster recovery backup from Arcserve, which turned out to require a special boot disk that needed to be made from the server in question before the disaster (this later turned out to be bogus anyway as I later found that even under the best lab circumstances I couldn’t get their worthless product to work).  I was in a pinch so I called Microsoft support and somehow, over the course of the night, they were able to get the trashed Active Directory operational again.  The call spanned between two shifts so the guy I talked to at the end of the call was not the same one from the beginning.

Compare that experience to my recent experience with my Exchange 2013 setup where, it appears, no one in the eastern hemisphere was given proper training on the issues that this product is prone to having.  No one calls back in time, despite the use of cut-rate help, and if your support rep has an end of shift they may abandon you until the next morning.  Don’t bother with web/phone support unless you’ve exhausted the list below.

  • First and foremost, Exchange 2013 as released was a beta product.  Cumulative update 1 made it seem like it was usable, but please be sure to install CU2 if you want a product that comes close to behaving!  Before installing CU2 the ‘RPC over HTTP’ function was sketchy and I would get prompted for authentication when making a new profile, external users would work while internal ones would not, and running tests would result in ‘500 http’ web server errors in OWA and ‘X-CasErrorCode: ServerLocatorError’ when running the connectivity tester.
  • After installing cumulative update 2 on two different servers, it failed to start both the transport service and the frontend transport service (while making sure to start ‘manual’ processes that we don’t use like unified messaging).
  • The new Exchange control panel is a marvel to behold, and crap at the same time (much like Microsoft’s whole product portfolio at this point in time).  If everything works it’s great, but when it comes time to set ‘internaluri’ and whatnot to the virtual directories it’s best to get familiar with the get/set functions for these in PowerShell.
  • Please make a note that the ‘Microsoft Exchange Service Host’ service has a nasty habit of resetting/changing the RPC folder settings in IIS.  On one server it would change the backend RPC to point to the frontend folder and on another it would turn off all the SSL on the RPC folders.  Why does it do this?  No one knows, though Microsoft did tell me that this can be effectively managed if you go to the registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator’ and set ‘PeriodicPollingMinutes’ to zero.  However, if the server reboots, be sure to double check these settings again.
  • Amateur mistake, but when migrating mailboxes keep in mind that it will eat up double the disk space of the source mailboxes until a backup can roll the logs off.  Please note that backing up with DPM 2010 apparently does not count as a backup.  (Also note that, for whatever reason, mailboxes get a 5-10% size boost when going from Exchange 2010 to 2013).
  • Setup will make the proper ‘receive’ connectors, but not the send connector.  When making it through the Exchange control panel, I had to uncheck ‘‘ so that my send connector would work properly.
  • Another note is that within IIS, if you are not able to access Exchange properly through Outlook (but Outlook Web Access works), then it might also be that you are missing the ‘Negotiate’ provider for Windows Authentication.  Just add/check it by right clicking on Windows Authentication under the virtual directories->Authentication applet and clicking advanced.
  • One site had issues with Outlook hanging on the new message notification and a general slowness in trying to do anything else.  Were it not for the niggling issues from the migration I might have turned on to the culprit sooner: Kaspersky.
  • Of course I wonder how many places still run their single Exchange server in-house.  I’d imagine that it’s getting to be a pretty lonely existence.  If this is your situation: migrating a single Exchange 2007/2010 server to Exchange 2013, I should point out an issue with the SSL certificate.  Chances are if you have one Exchange server, you have one, simple commercial SSL certificate as well, though even if you cheap out and use self-signing this issue still might apply.  The issue is that once the users are migrated, and you then migrate the certificate, the Outlook profiles will need to be rebuilt – for every user.  I am guessing that there are at least two possible work-arounds, though I haven’t tested them.  One is to get a certificate with a different name, this way Outlook knows that it’s a different server and to re-do its security settings.  Another idea is that it might be possible to migrate everyone to the new server, let Outlook catch the settings change (this part does work) and then move the certificate later (sketchy on how Outlook will behave here).  The main issue with this is remote e-mail support since the old server cannot proxy to the new one (I believe?).  Otherwise, without changing the profiles, end users will just get logon/credential prompts and not be able to access their e-mail.
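
An added example for the ‘Microsoft Exchange Service Host’ item above (not from the original post or from Microsoft): a PowerShell check to run after a reboot or update that reports the polling value plus the SSL flags and physical path of the RPC folders.  The site names ‘Default Web Site’ and ‘Exchange Back End’ and the function names are assumptions; adjust them to your server.

```powershell
# Added example, not the author's or Microsoft's script.
# Assumed site names: 'Default Web Site' (frontend) and 'Exchange Back End' (backend).
Import-Module WebAdministration

$RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator'

function Get-RpcFolderState {
    param([string[]]$Site = @('Default Web Site', 'Exchange Back End'))
    foreach ($s in $Site) {
        $ssl = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                 -Location "$s/Rpc" -Filter 'system.webServer/security/access' -Name 'sslFlags'
        # Depending on the module version the result is a string or an attribute object.
        if ($ssl -isnot [string]) { $ssl = [string]$ssl.Value }
        [pscustomobject]@{
            Site         = $s
            PhysicalPath = (Get-Item "IIS:\Sites\$s\Rpc").PhysicalPath
            SslFlags     = $ssl
            SslRequired  = ($ssl -split '\s*,\s*') -contains 'Ssl'
        }
    }
}

function Get-RpcPollingMinutes {
    # Returns $null when the value has never been created.
    (Get-ItemProperty -Path $RegKey -Name PeriodicPollingMinutes `
        -ErrorAction SilentlyContinue).PeriodicPollingMinutes
}

$state = @(Get-RpcFolderState)
"PeriodicPollingMinutes = $(Get-RpcPollingMinutes)"
$state | Format-Table -AutoSize

# Drift 1 from the post: SSL switched off on an RPC folder.
$state | Where-Object { -not $_.SslRequired } |
    ForEach-Object { Write-Warning "SSL is not required on $($_.Site)/Rpc" }

# Drift 2 from the post: backend RPC pointing at the frontend folder.
$distinct = @($state | Select-Object -ExpandProperty PhysicalPath -Unique)
if ($state.Count -gt 1 -and $distinct.Count -lt $state.Count) {
    Write-Warning 'Frontend and backend Rpc resolve to the same physical path'
}

# To apply the value the post reports from Microsoft support, uncomment:
# Set-ItemProperty -Path $RegKey -Name PeriodicPollingMinutes -Value 0
```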

Obscure IIS 7 Issue

On my WSUS implementations on my Windows 2008 servers I’ve had an issue on two occasions where clients become unable to download the wuident.cab file.  Attempting to manually download the file results in a “403-Forbidden: Access is denied” error.  The first time I was getting the error I had an update to the Windows Update Service that I had been putting off, and after installing it the error cleared up.  The second time it came up only one of my update servers had the issue and I was befuddled as (just like the first time) the server was working fine and then began getting the issue seemingly out of the blue (more than likely due to an update of some sort?  The DPM install on the same server?).  One caveat though was that it all worked fine locally.

After hunting through the GUI and checking permissions I finally tracked down this web link.  For some reason the ‘<location path="Default Web Site/SimpleAuthWebService">’ section of the applicationhost.config file was getting set to all the ‘NoRemote’ settings.  After setting the handler section to ‘<handlers accessPolicy="Read, Script" />’ the WSUS began functioning properly again.
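
An added example (not from the original post or the linked article): a PowerShell check that lists every <location> in applicationHost.config whose handlers accessPolicy carries a NoRemote flag, the kind of setting that lets local requests through while remote ones get a 403.  The XML is a constructed sample, and the function name and the second path are hypothetical.

```powershell
# Added example; requires PowerShell 3.0 or later. The XML below is a constructed sample.
$sample = @'
<configuration>
  <location path="Default Web Site/SimpleAuthWebService">
    <system.webServer>
      <handlers accessPolicy="Read, Script, NoRemoteRead, NoRemoteScript" />
    </system.webServer>
  </location>
  <location path="Default Web Site/ExampleOtherApp">
    <system.webServer>
      <handlers accessPolicy="Read, Script" />
    </system.webServer>
  </location>
</configuration>
'@

function Find-NoRemotePolicy {
    param([xml]$Config)
    foreach ($loc in $Config.SelectNodes('//location')) {
        $handlers = $loc.SelectSingleNode('system.webServer/handlers')
        if ($null -eq $handlers) { continue }   # location does not override handlers

        # accessPolicy is a comma-separated flag list; split it and trim the spaces.
        $flags   = @($handlers.GetAttribute('accessPolicy') -split '\s*,\s*' | Where-Object { $_ })
        $blocked = @($flags | Where-Object { $_ -like 'NoRemote*' })

        if ($blocked.Count -gt 0) {
            [pscustomobject]@{
                Path       = $loc.GetAttribute('path')
                NoRemote   = $blocked -join ', '
                OtherFlags = (@($flags | Where-Object { $_ -notlike 'NoRemote*' }) -join ', ')
            }
        }
    }
}

# Run against the constructed sample.
Find-NoRemotePolicy -Config $sample | Format-List

# Against a live server (standard IIS 7 config path), from an elevated prompt:
# $live = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw
# Find-NoRemotePolicy -Config $live | Format-List
```

Running it on a schedule and alerting on any new row catches the setting when it changes again, instead of waiting for clients to fail.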

I’m not a total glutton for the GUI, but it would be nice to know where its purview ended and the text based editing began (maybe an embedded link in the GUI?).  It could also be that I’m not quite familiar enough with it as well since I’m constantly having to switch between the 6 and 7 interfaces.

SharePoint upgrade with a side of Metabase

After upgrading from SharePoint 2 to 3 our content came up, but no changes could be made and when trying to sign on (via the “Sign In” link) I was getting an error of “Server Application Unavailable” and an event 1062 on the server with the text:

It is not possible to run two different versions of ASP.NET in the same IIS process. Please use the IIS Administration Tool to reconfigure your server to run the application in a separate process.

What was aggravating on this count was that everything looked to be ASP ‘2’ (2.0.50727), but while digging I discovered that the ‘images’ and ‘inc’ virtual directories under ‘_layouts’ were set to ‘1.1’ (v1.1.4322).  The ‘inc’ path didn’t even exist and after creating it, it stuck to the ASP.NET setting of 2.  The ‘images’ virtual directory was a different story as it kept reverting back to 1.1.  I finally recalled from a certification test that if nothing else the metabase.xml file for IIS contains all the settings for the web server and it can be edited by hand.  After looking into the file I discovered that the ‘images’ virtual directory had two entries, one with 2 and one with 1.1.  I deleted the 1.1 and the settings stuck to 2 when IIS was cycled; but unfortunately the error persisted.

It turned out that, even though it couldn’t be changed in the GUI, the ‘_layouts’ directory was set to 1.1.  I manually changed it in the metabase.xml file by copying the settings over from the ‘inc’ section and after cycling IIS the sign-in function worked and the error was gone!
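
An added example (not from the original post): a PowerShell pass over a copy of metabase.xml that maps each location with its own ScriptMaps to the ASP.NET version it references, then reports locations defined twice and locations not on the expected version, the two conditions found by hand above.  The XML is a constructed sample shaped like metabase.xml entries, and the function name is hypothetical.

```powershell
# Added example; requires PowerShell 3.0 or later. Constructed sample, not from a real server.
$sample = @'
<configuration>
  <MBProperty>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/_layouts"
      ScriptMaps=".aspx,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/_layouts/images"
      ScriptMaps=".aspx,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/_layouts/images"
      ScriptMaps=".aspx,C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/_layouts/inc"
      ScriptMaps=".aspx,C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG" />
  </MBProperty>
</configuration>
'@

function Get-AspNetVersionMap {
    param([xml]$Metabase)
    $pattern = '(?i)Framework(?:64)?\\(v\d+\.\d+\.\d+)\\aspnet_isapi\.dll'
    # Match on attributes only, so the query does not depend on the file's XML namespace.
    foreach ($node in $Metabase.SelectNodes('//*[@Location and @ScriptMaps]')) {
        $location = $node.GetAttribute('Location')
        [regex]::Matches($node.GetAttribute('ScriptMaps'), $pattern) |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique |
            ForEach-Object { [pscustomobject]@{ Location = $location; Version = $_ } }
    }
}

$map      = @(Get-AspNetVersionMap -Metabase $sample)
$expected = 'v2.0.50727'   # the version the post wanted everywhere

'Locations defined more than once:'
$map | Group-Object Location | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    "  $($_.Name): $(($_.Group | ForEach-Object { $_.Version }) -join ', ')"
}

"Locations not on ${expected}:"
$map | Where-Object { $_.Version -ne $expected } |
    ForEach-Object { "  $($_.Location) -> $($_.Version)" }
```

Only locations that carry their own ScriptMaps attribute appear; anything else inherits from its parent, so a stale value on a parent such as ‘_layouts’ is the one to look for first.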

Now to fix all the permissions on our custom web parts that got copied by the upgrade process and were set to the default folder permissions.