Wow, yep I know that the title is a little bit of a mouthful, but today I have been working on getting my Enterprise Vault configuration to play nicely with my Windows 2008 based Exchange 2007 SP1 servers – and it has been a little bit of a job but now that it is pretty much playing as I would like which I thought that I would share the process that I used with you all.
Firstly let me give you a little bit of the background;
Within my environment prior to installing Exchange 2007 SP1 we were running Symantec Enterprise Vault version 6 (service pack 3) – this version obviously did not support Exchange 2007 in many aspects therefore we needed to upgrade to Enterprise Vault 2007 in order to support mailbox Journaling, Archiving and full .NET support for OWA 2007. The upgrade process involved firstly upgrading to Enterprise Vault 7.0 and then Enterprise Vault 2007 (known also as 7.5) – it is quite important to note that if you are a version 6.x user of EV you will need to upgrade to EV 7.0 BEFORE you can upgrade to 2007 (the actual upgrade process is beyond the scope of this article).
When we finally arrived at EV 2007 it was time to go away an build the foundations of my production Exchange 2007 SP1 organisation (which would run in interop mode along side Exchange 2003) which is made up of the following components:
x 2 CAS servers – NLB – running Windows 2008 x64
x 2 CCR Clusters – running Windows 2008 x64
x 2 Hub Transports (not relevant here)
Essentially the focus of my work would be the following objectives:
- Add the Exchange 2007 SP1 CCR Clustered Mailbox Server into the EV site as an archive target
- Install the EV OWA 2007 client Extensions on each of the CAS servers to provide access to archived items via OWA 2007 SP1
- Test that archiving works via OWA 2007 (this would include adding to the vault and accessing items contained within the vault)
Adding your CCR Clustered Mailbox Server to the EV site:
There are a few steps to this process, all of which must be followed. I have found that generally speaking Enterprise Vault runs exceptionally well once it is up and running, therefore a lot of Exchange system admins tend to forget the day to day complexities of it – in favour of the more straight forward “day to day” tasks (creating archive, review journal) so when it comes to changing the configuration of the Site and indeed adding in an additional server it can be quite daunting.
Configure an archive account for your the mailbox archive task on your CCR cluster:
Each mailbox server within an Enterprise Vault site requires a mailbox which is used for the processing of archive item data, this mailbox can reside in any Storage Group / Database – however the following are some provisos that you should consider:
- The mailbox can exist in any Storage Group / Database – however it should as best practice reside on the server where the archiving tasks will be run.
- The mailbox should not (under normal operation) grow to large proportions – however you should exclude it from any Organisation sizing restrictions – this could cause issues with the archiving process.
Therefore the very first step is to the create a new mailbox user which will act as the archive account on the CCR Mailbox server that you wish to add into your KVS Site – when you have created this account you are ready to assign permissions to the KVS Service Account and the New Mailbox that you have created.
Configure Permissions for the EV Service account (VSA) on your Exchange 2007 SP 1 CCR Cluster:
During the installation of KVS you would have specified what is called the “KVS Service Account” AKA the VSA.
Essentially the service account is assigned full permissions to each mailbox server within your organisation, this allows KVS to perform its duties during Journaling and Archiving. In Exchange 2003 in order to assign the correct permissions to the KVS Service account you would need to ensure that you had the security tab enabled in the 2003 Exchange System Manager (see http://exchangepedia.com/blog/2004/12/how-to-view-security-tab-in-exchange.html) for an good overview of enabled the tab.
In principle when you had the tab available in Exchange 2003, you will then assign “Full Control” to the services account on each Exchange mailbox server (this would include the Send As and Receive As rights).
However in Exchange 2007 – the process of assigning the KVS Services account rights to your mailbox server has changed a little bit and now requires you to use ADSI edit.
Note:
This article is based around Exchange 2007 SP1 running on Windows 2008 being added into KVS – however, the same steps can equally be applied to Exchange 2007 (with or without SP1) running on Windows 2003 (the process can also be applied to non clustered Mailbox servers – although you need to be wary of running the CAS role on the Mailbox Server) – you should note that if you are running Windows 2003 you will need to install ADSI edit from the Windows 2003 support tools – if you are using Windows 2008 on your Exchange servers you will see that it is installed by default.
Open ADSI Edit [ START -> Programs -> Administrative Tools -> ADSI Edit ] then connect to the configuration partition of AD.
You will then need to navigate to [ Configuration -> Services -> Microsoft Exchange -> <Your Org > -> Administrative Groups -> Exchange Administrative Group (FYDIBOHF23SPDLT) -> Servers -> <Your CCR Server> ]
Right click on the entry for your server and from the context menu that appears choose “Properties”
From the dialog box (below) that appears choose the “Security” tab – then click on the “Add” button.
From the Select box (below) that appears either locate or type in the name of the KVS Service Account and then click on the “OK”
You will then be returned to the Security dialog box – choose the KVS Services account, and then tick the “Full Control” option (below) and then click on the “Advanced” button.
From the dialog box that appears (below) sort the permission entries by name – then locate your KVS Services account, select it and then click on the “Edit” button:
From the permissions box that appears (below) under the “Applies to” section choose “This object and all descendant objects” or if using Windows 2003 “This object and all child objects” then click “OK” 3 times.
After domain replication has taken place you will have successfully applied the correct permissions to the CCR Mailbox Server for the KVS Services account (VSA).
It is also necessary to grant the KVS Services account (VSA) “Full Control” permissions on the Archive system mailbox that you created earlier:
- Again open adsiedit.msc and open the Domain [<your Domain>] partition.
- Locate the Archive mailbox account that you created earlier this is usually under CN=Users, however you may have placed elsewhere depending on your AD configuration.
- When you have located the account object Right-click on it and from the context menu that appears choose “Properties”.
- From the dialog box that appears choose the Security tab.
- Add the KVS Services account (VSA) and then apply Full Control permissions to this account.
- Click Apply.
- Click OK
Adding your Clustered Mailbox Server to Enterprise Vault:
On your desired Enterprise Vault server open the Vault Administration tool [ START –> Programs -> Enterprise Vault -> Administration Console ] – see below;
When the administration console has loaded expand the following [ Enterprise Vault -> Directory on <Server Name> -> <Your Vault Site> -> Targets -> Exchange -> <Your Domain> -> Exchange Server ] right click on the Exchange Server node and from the context menu that appears choose NEW -> Exchange Server – see below;
You will then be presented with the “New Exchange Server” wizard – from the intro screen (below) click on the Next button;
From the screen that appears (see below) In the top most edit box enter in the name of the of the Exchange 2007 Mailbox Server that you wish to add, from the section entitled “Create Tasks for the Exchange Server” tick the tasks that you wish to be performed (for my example I only wish to setup a “Exchange Mailbox Task”).
When you are done from the section entitled “Create the tasks on this Enterprise Vault Server” choose the correct EV server in your environment which will take responsibilities for the Exchange 2007 Mailbox Server – then click on the “Next” button.
The wizard will change to display the “Choose Archiving System Mailbox” section (see below) – using the browse button locate the account that you created earlier on and then click on the “Next”.
You will then be presented with the task completion wizard (see below) – click on the “Finish” button.
You will be returned to the Enterprise Vault administration console – navigate to [ Enterprise Vault -> Directory on <Server Name> -> <Your Vault Site> -> Enterprise Vault Servers -> <your site> -> Tasks ] – see below;
Review the task list you should now see a new task entry which corresponds to the server that you have just added – initially you will see the task in a “Stopped” state – if you wait the task will start automatically – see below;
Close down the Administration Console for Enterprise vault and then using Windows Explorer (or via My Computer) navigate to the folder on your Enterprise Vault server where the EV binaries have been placed – this is typically:
[ C:\Program Files\Enterprise Vault ]
When you have done this, locate and then open the text file entitled “Exchange Servers.txt” in Notepad (it might be an idea to take a copy before you proceed).
When opened you will see that this file contains a list of IP addresses for your existing Exchange Servers which are configured to work with Enterprise Vault – at the bottom of the file add in the IP addresses for the following Exchange 2007 servers (in your Infrastructure):
- The CCR Cluster IP address for you mailbox server
- The IP addresses of you CAS server(s)
When you have added the IP addresses save the file.
Below is an example of where the file is located.
When you have finished adding the IP addresses to the file – you will need to configure the OWA anonymous access account so that it has the relevant permissions on your Exchange 2007 Mailbox and / or CCR servers (which you should have added to the IP address file previously) – therefore in order to proceed you will need to ensure that you know the samAccountName and the Password for the OWA account for your EV installation – this should have been documented during the EV implementation – it should NOT be the same has the KVS Services (VSA).
When you have the OWA account name for KVS – open a command prompt and navigate to the Enterprise Vault directory on your EV server (typically cd “Program files\Enterprise vault”) and then type in the following command:
cscript.exe OWAUser.wsf /domain:<Default NETBIOS DOMAIN> /user:<KVS OWA ANNON ACCOUNT> /password:<Password> /exch2003
So for example if my NETBIOS Domain was Trixy and my OWA samAccountName was OWAKVS with a password of “password” the command would be:
cscript.exe OWAUser.wsf /domain:trixy /user:OWAKVS /password:password /exch2003
Even through you are installing for Exchange 2007 and indeed using KVS 2007 you still need to use the /exch2003 switch at the end! – below is an example of the command and the correct output:
When the VBSCRIPT command has run correctly, go to [ START -> RUN ] and from the RUN Command type in “Services.msc” and then clock on “OK” – when the services management console has opened locate the “Enterprise Vault Admin Service” and right click on it. From the Context menu that appears choose the “Restart” command – during the Restart of the service confirm that you wish to restart all the dependant services – see below;
When the EV Services have restarted you will need to Open the Enterprise Vault Administration Console [ START –> Programs -> Enterprise Vault -> Administration Console ] then from within the console navigate to [ Enterprise Vault -> Directory on <Server Name> -> <Your Vault Site> -> Enterprise Vault Servers -> <your site> -> Tasks ] – see below;
Locate the mailbox archival task for your new Exchange 2007 Mailbox Server then right click on the entry. From the Context menu that appears choose the “Properties” option. From the dialog box that appears choose the “Synchronization” tab and then from the “Update details of” section ensure that “All mailboxes” and all the tick boxes are Selected – then click on the “Synchronize” button – see below;
Installing the Enterprise Vault Client Extensions on your CAS Server:
Improved COM and installation my back side! – first things first do not install the Client Extensions from the KVS 7.5 media on a Exchange 2007 SP1 CAS server, they don’t work properly, instead I suggest that you go to the Symantec Web Site and down load the Extensions that are provided in this article http://seer.entsupport.symantec.com/docs/300400.htm
When you have downloaded the zip file – extract it to a convenient location on your CAS server, then run the EV_OWA2007_Extensions_x64.msi – see below;
When you have executed MSI file you will be presented with the following introduction screen – essentially here you can click on the “Next” button:
When you have click next the screen will change to display the EULA – click the “I Agree” box and then click on the “Next” button – see below;
The screen will then change to ask you where you like the EV binaries to be installed on your CAS – I would accept the default location and then click on the “Next” button – see below;
You will then be presented with the “Ready to Install” screen – click on the “Next” button to proceed – see below;
If you are installing the EV extensions on a CAS server which is installed on Windows 2008 SP1 you might during installation see the following error message;
You can safely click on the “Ignore” button.
When setup has completed you will be presented with the following dialog box – click on the “Finish” button.
If your CAS implementation is based around NLB you will need to install the EV Extensions on the other CAS servers which form the NLB.
When done, choose a “Test” mailbox which exists on your newly added Exchange 2007 Mailbox Server and run through the process of enabling it for Archiving – then access it via OWA 2007 and test the client experience.
That pretty much completes the process of adding in your 2007 SP1 mailbox server to Enterprise Vault and then installing the Client Extensions on your CAS servers – my next article will cover “Constrained Delegation” for EV and OWA 2007 SP1.
[...] Read the rest here: Windows 2008, CCR Clustering, Symantec Enterprise Vault 2007 … [...]
By: Windows 2008, CCR Clustering, Symantec Enterprise Vault 2007 … | Windows 2008 Security on April 17, 2008
at 10:24 pm
[...] Windows 2008, CCR Clustering, Symantec Enterprise Vault 2007, Exchange 2007 SP1 CAS Servers – Gettin… [...]
By: Weekend reading - subject: exchange on April 20, 2008
at 10:22 pm
[...] KVS when connected to their Exchange 2007 mailboxes which are located on the new CCR clusters (see http://telnetport25.wordpress.com/2008/04/13/windows-2008-ccr-clustering-symantec-enterprise-vault-2... for information on this process). Full KVS functionality MUST also be maintained to mailboxes still [...]
By: Exchange 2003, Exchange 2007 CAS servers, Enterprise Vault and Constrained Delegation… « telnet 127.0.0.1 25 on April 27, 2008
at 7:14 pm
Please note: Enterprise Vault does not yet support Windows 2008 (vault server or Exchange server). Symantec are apparently testing but full support is not available until the next version, which is due for release in December 2008.
By: Roy Atkins on August 4, 2008
at 12:01 am
It is true that EV is not supported on Windows 2008 (at least true of the core components) – however what should also be taken into account here is that the EV software that is installed on the 2008 servers is the Client Extensions only – the main components of EV should still remain on a Windows 2003 platform.
From my perspective – Symantec took a long time to released a version of EV that was FULLY compatible with Exchange 2007 and only reached compatibility for OWA 2007 in release 7.5 where they also finally released x64 Client extensions.
For Symantec to now say (as I have read the compatibility guide) that they will not support Windows 2008 until the next major release is unacceptable IMHO – as it prevents people from adopting the latest technologies for their Exchange installations – people whom have EV 7.5 and wish to migrate to Exchange 2007 using Windows 2008 are stuffed (bearing in mind that Exchange 2007 has been out of a long time now and Windows 2008 has been available to SKU’s for ages for testing).
I have been using the EV client extensions in production for a while now and they do function correctly – however Roy is correct to point out that it is unsupported – but I would urge people whom do not wish to take the risk to lobby Symantec over this issue.
In order to adopt Exchange 2007 where I work I had to upgrade from EV 6 to 7 then 7.5 – the prospect of another upgrade just to use Exchange on Windows 2008 is disgusting
Sorry Roy this was not aimed in any way shape or form at you, I am amazed that Symantec has this bizarre stance on support.
By: Andy Grogan on August 5, 2008
at 5:39 pm
[...] http://telnetport25.wordpress.com/2008/04/13/windows-2008-ccr-clustering-symantec-enterprise-vault-2... [...]
By: unix86.org » Windows Server clustering on October 21, 2008
at 4:12 am
Roy,
You are my HERO! You made a task that I have been dreading for weeks SO simple! I followed this guide exactly and it worked perfectly.
If you guys out there have a similar configuration, this is what you need. Follow it and you will be successful.
I just got my Exchange 2007 SP1 Org setup this week and I was seriously dreading the EV integration because we had a lot of problems getting everything to work with Exchange 2003. I am so happy that this worked as easy as it did. It literally took me 15 minutes to get this done.
Thanks you SO much, Roy!
Greg
By: Greg Fisher on April 10, 2009
at 3:38 am
Erm – do you mean Roy – or me?
I wrote the article.
By: Andy Grogan on April 10, 2009
at 4:26 pm
Aw man, I apologize. I dont know where I got Roy from..
You rock man!
By: Greg Fisher on April 10, 2009
at 4:28 pm
No problem
By: Andy Grogan on April 11, 2009
at 10:33 am
Thanks a lot for the article.
We are facing a issue, I don’t know if you have any suggetions, we have the exchange 2007 in a different forest and we have a two way trust. I read I can use a different service account for the new exchange server. But when I try setup the Exchange archive task wizard fails to select the system archive mail box. When we browse for mail box it gives error “No mail box found”. EV server is in Domain A and new exchange in domain B. I can’t add the ev service account from domain A as exchange admin in Domain B. We will appreciate if you have any suggetions. Symantec consultant says I have to add the service account from domain A as exchange admin in domain B.
By: Chandran on May 15, 2009
at 12:08 pm
Hi Andy,
Thanks for this great article. I do have one question, though:
Is MSMQ supported on Windows 2008 geo-clustering?
The details are:
I’ve got two W2K8 nodes setup in a cluster, spread across 2 sites (with 2 different subnets). Because of this, the cluster is setup as a Majority Node Set with FSW (there are NO shared disks in this cluster… each node has access to it’s own local SAN).
The only thing on the cluster is an application (or “group”, in W2K3 terminology). This fails over between nodes without problem.
The issue arises when I try to add MSMQ to the cluster group (it’s required by EV). MSMQ has 2 dependencies: hostname and DISK RESOURCE!!
I’m stumped! I have no cluster disk resource to give to MSMQ!
HELP!? (and thanks in advance)
- Anthony
By: Anthony on June 18, 2009
at 4:40 pm
Hiya chap,
What are you trying to do? Are you using EV 7.x?
The MSMQ service should be on the same box as the EV server – EV at version 7.x is not supported on Windows 2008 (and doesn’t work) – however the client Extensions do work?
Can you give me a little more information – cheers
A
By: Andy Grogan on June 18, 2009
at 7:20 pm