Exchange Geek's Weblog

I'm a Geek!

Posts Tagged ‘Exchange 2010’

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 3

Posted by Milind Naphade on 15/07/2010

In the last two posts of this series I covered the basic configuration needed on the AD RMS cluster and the Exchange 2010 server. In this post I will show how to test the configured features using an application that has an RMS client.

To test the configuration we need at least one client computer with Microsoft Office installed. I have used Microsoft Office 2010 RTM on a Windows 7 Ultimate computer for demonstration purposes. As we are discussing IRM in terms of its use with Exchange, I have limited the scope of the client to Outlook 2010 only.

24. Log on to the computer with a user account that has a valid mailbox and launch Outlook. Point to New and select New Message. Select the Options tab on the new message window, click the drop-down menu on the Permissions button, and select Manage Credentials as shown in the picture below.


25. Select the Use a Microsoft Windows account option on the Select Service dialog box and click OK.


26. After you select the correct option, the built-in RMS client in Outlook retrieves the SCP (service connection point) from Active Directory and finds the server name of your AD RMS cluster. You must provide your credentials in order to access your rights.


27. Select your user name from the list that appears after you provide the credentials. If you have been given more than one set of credentials you can manage them in the same way. Click OK. Your client now knows where to look for the rights you have been assigned in the AD RMS database.


28. Now it is time to send protected content in the form of an email. Again, follow step 24 and select Do Not Forward from the drop-down before you click Send. The moment you select Do Not Forward, Outlook shows a message in the window letting the user know that recipients of this email will not be able to forward it.


29. Let’s see how it looks on the recipient end. Again, the recipient is notified about the restriction that is on the content.


30. When the recipient opens this message, the options for forwarding the email are disabled automatically.


31. Recipients can also view the permissions they have on a restricted email by clicking the information bar highlighted in step 29.


If you look closely at the last figure, the recipient still has permissions such as saving the file and editing the file. In some cases even these additional permissions may be dangerous. In the next post I will show how to configure additional templates and assign them to specific groups of people so that these permissions can be applied correctly.
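The Outlook steps above exercise the configuration from the client side. The same configuration can be verified from the Exchange side first, which makes it much easier to tell a server problem from an Outlook credential problem. The following is an added example, not code from the original post; it runs in the Exchange Management Shell on the Exchange 2010 server and uses the built-in IRM cmdlets. The sender and recipient addresses are placeholders.

```powershell
# Added example (not from the original post): server-side check of the Exchange 2010 IRM
# configuration before testing with Outlook. Run in the Exchange Management Shell.
# The two SMTP addresses below are placeholders for lab mailboxes.
param(
    [string]$Sender    = "sender@company.com",
    [string]$Recipient = "recipient@company.com"
)

# 1. Internal licensing is what lets Exchange and Outlook/OWA users protect and read
#    IRM-protected messages on-premises. If it is off, the Outlook test above will fail.
$irm = Get-IRMConfiguration
$irm | Format-List InternalLicensingEnabled, ExternalLicensingEnabled, ClientAccessServerEnabled,
                   TransportDecryptionSetting, JournalReportDecryptionEnabled, SearchEnabled
if (-not $irm.InternalLicensingEnabled) {
    Write-Warning "InternalLicensingEnabled is False. Enable it with: Set-IRMConfiguration -InternalLicensingEnabled `$true"
}

# 2. Templates Exchange has retrieved from the AD RMS cluster. 'Do Not Forward' is the
#    built-in template used in step 28; custom templates from later parts show up here too.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# 3. End-to-end test: Exchange locates the cluster (via the SCP), obtains its certificates
#    and licenses, and protects/decrypts a test message for the given sender (and recipient).
$testArgs = @{ Sender = $Sender }
if ($Recipient) { $testArgs.Recipient = $Recipient }
$result = Test-IRMConfiguration @testArgs
$result | Format-List

# The Results text ends with an overall verdict; fail loudly so this can sit in a scheduled check.
if ($result.Results -notmatch 'OVERALL RESULT: PASS') {
    Write-Error "IRM configuration test did not pass; see the Results above for the failing step."
}
```

Run this before step 24 whenever the Outlook client reports that it cannot acquire a license: if the server-side test passes, the problem is on the client (credentials, SCP lookup, or the RMS client itself), not in the AD RMS or Exchange configuration.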

Related Posts:

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 1

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 2

Posted in Active Directory, Exchange 2010 | 1 Comment

Exchange 2010 CAS Role and High Availability

Posted by Milind Naphade on 21/03/2010

I am working on an Exchange 2010 design these days. The design needs to achieve maximum availability. For the Exchange 2010 mailbox server role I didn’t worry much, because a DAG dispersed across the sites can take care of it very well. However, designing HA for the CAS and HT roles is a more challenging job.

If my primary site fails due to a catastrophe, the Exchange DAG will of course fail over to the other site where passive copies of my databases exist, but what about my CAS and HT server roles? I am least bothered about the HT role, because Hub Transport servers have built-in logic to load balance among themselves and keep working with just a small modification to my MX records on the internet (if I already have multiple MX records pointing to servers in another site, there is very little left that I need to worry about; this functionality eliminates the need for Exchange 2010 HT failover or high availability. Needless to say, this is the perfect solution provided I have already set up my internal settings correctly). Now, let’s think about the CAS role. CAS servers have no built-in logic to load balance between themselves unless they are part of a CAS array and/or NLB. If one server fails the other server can still work using the NLB. Yet the question remains unanswered: how do I achieve maximum availability for my CAS servers in case of a complete site failure?

As I mentioned above, they don’t have any built-in logic for this, but of course there are ways to configure it with a little additional effort. So what do we do in this case? A simple DNS modification serves the purpose.

Let’s say I have two sites involved in this scenario, Site A and Site B, where Site A is my primary site, and:

  1. MAIL.COMPANY.COM is the name of my CAS array in Site A.
  2. MAIL.COMPANY.COM is an internet-facing name.
  3. INTERNAL.COMPANY.COM is the name of the CAS array in the other site.

If for some reason the whole of Site A goes down and its CAS servers are totally inaccessible, I change the following:

  1. Change the A record of MAIL.COMPANY.COM (the Site A CAS array name) to point to the IP address of INTERNAL.COMPANY.COM on both the internal and the external DNS servers. Revert these changes when your site is back online.
  2. Configure Outlook to “on fast network, connect via RPC, on slow network, connect via HTTPS” – this way Outlook falls back to Outlook Anywhere when it cannot reach the RPC endpoints directly. This works perfectly with Outlook 2003 and Outlook 2007 in cached mode.

The only drawback of this solution is that it takes time for the change to replicate across the globe (on both internal and external DNS servers). If you have SCOM, handling this situation becomes much easier.

Bottom line: for CAS servers in Exchange 2010, the CAS array capabilities let you create a CAS array in each Exchange site and then configure DNS so that the array name in your primary site resolves to the CAS array in your secondary site until the primary site is back up and running.
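The DNS change in step 1 above, as an added example that is not part of the original post: a PowerShell 2.0 script for the internal Windows DNS server. Windows Server 2008 R2 has no DnsServer PowerShell module, so the script drives dnscmd.exe. The DNS server name DC01, the zone company.com and the record names mail and internal are assumptions taken from the scenario; the public copy of the zone still has to be changed wherever it is hosted.

```powershell
# Added example, not from the original post: repoint the Site A CAS array name
# (MAIL.COMPANY.COM) at the Site B array (INTERNAL.COMPANY.COM) on the internal
# Windows DNS server. Server, zone and record names are hypothetical.
param(
    [string]$DnsServer   = "DC01",
    [string]$Zone        = "company.com",
    [string]$PrimaryName = "mail",      # record clients use: MAIL.COMPANY.COM
    [string]$StandbyName = "internal",  # CAS array in Site B: INTERNAL.COMPANY.COM
    [string]$TargetIp    = "",          # set explicitly to revert to the original Site A address
    [int]$Ttl            = 300          # short TTL so the later revert propagates quickly
)
$ErrorActionPreference = "Stop"

function Get-ARecords([string]$Fqdn) {
    # PowerShell 2.0 has no Resolve-DnsName; use .NET to fetch the IPv4 addresses.
    # Note this goes through the local resolver cache, so it shows what clients see now.
    try {
        [System.Net.Dns]::GetHostAddresses($Fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch { @() }
}

function Invoke-Dnscmd([string[]]$Arguments) {
    # dnscmd.exe reports failures through its exit code; stop instead of half-applying the change
    & dnscmd.exe $Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# Decide where the primary name should point: the standby array unless an explicit IP was given
if (-not $TargetIp) {
    $standby = @(Get-ARecords "$StandbyName.$Zone")
    if ($standby.Count -eq 0) { throw "Cannot resolve $StandbyName.$Zone; leaving $PrimaryName.$Zone unchanged." }
    $TargetIp = $standby[0]
}

$current = @(Get-ARecords "$PrimaryName.$Zone")
Write-Host "Before: $PrimaryName.$Zone -> $($current -join ', ')   (keep this for the revert)"

# Remove each existing A record for the primary name, then add the replacement with a short TTL.
# /f suppresses dnscmd's confirmation prompt.
foreach ($ip in $current) {
    Invoke-Dnscmd @($DnsServer, "/RecordDelete", $Zone, $PrimaryName, "A", $ip, "/f")
}
Invoke-Dnscmd @($DnsServer, "/RecordAdd", $Zone, $PrimaryName, $Ttl, "A", $TargetIp)

# Verify against the authoritative server rather than this machine's resolver cache
& nslookup.exe "$PrimaryName.$Zone" $DnsServer
```

To revert, run the script again with -TargetIp set to the address printed on the "Before" line. Two things to check before relying on this in an outage: the Site B CAS servers must present a certificate that covers MAIL.COMPANY.COM, otherwise Outlook Anywhere and OWA clients get name-mismatch warnings as soon as the name resolves to them, and the record's TTL should already be short on a normal day, because clients that cached the old address with a long TTL will keep trying Site A until it expires.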

Please do let me know if you think I have missed anything above. I would be glad to learn if you can think of any better solution than this 🙂

EDIT: Elan Shudnow has two excellent articles covering the considerations related to CAS HA. Read more here:

Posted in CAS, Exchange 2010 | 3 Comments

Missing Private Key on Exchange Certificate

Posted by Milind Naphade on 27/01/2010

Today I was playing around with Exchange 2010 certificates in my lab. My lab contains a simple setup, as below:

Server        Operating System          Role
ExchangeDC    Windows Server 2003 SP1   DC, GC, CA
Exchange2003  Windows Server 2003 SP1   Exchange 2003 SP2
Exchange2010  Windows Server 2008 R2    Exchange 2010 RTM

In the above setup the domain controller is also an Enterprise Root CA. I requested a new certificate from my internal CA and wanted to import it and then enable it for services on my Exchange 2010 box. Something went wrong and the certificate didn’t have a private key: after downloading it, the line “You have a private key that corresponds to this certificate.” was missing from the certificate dialog, just as shown below.


Now the trouble was that the pending request in EMC could still import this certificate but didn’t let me assign it to the services. After spending a good 2 hours on my own I found a solution at

So here is the simplest way to overcome this problem.

  • Download the certificate and store it somewhere on the server.
  • Click Start –> Run, type MMC and press Enter.
  • In the MMC console click the File menu and then select Add/Remove Snap-in…
  • Select Certificates.
  • Click the Add button.
  • Select Computer account in the dialog box that pops up.
  • Click Finish and then click OK.
  • Expand Certificates –> Personal –> Certificates.


  • Right click in the right hand side pane of the MMC Snap-in and select All Tasks –> Import…


  • Specify the file path in the wizard that pops up and finish the wizard.
  • You should see the newly imported certificate with the little golden key icon missing. The other certificate you may see is the self-signed certificate generated during the Exchange installation.


  • Now double-click the newly imported certificate and select the Details tab.
  • Click Serial Number and write down this value or simply copy and paste it into a Notepad file. Note that you will not be allowed to copy using the mouse; use Ctrl+C instead.


  • Open a command prompt, type certutil -repairstore my "<serial number of certificate>" and press Enter.


  • Now refresh the Certificates MMC and you should see the private key paired with the certificate.


  • In the Certificates MMC right-click the same certificate and select All Tasks –> Export…


  • Export this certificate into a .pfx file with the options below selected in the export wizard:
      • Yes, export the private key on the Export Private Key page.
      • Include all certificates in the certification path if possible on the Export File Format page.
      • Export all extended properties on the Export File Format page.
  • Enter the password.
  • Select the path where the .pfx file will be stored and complete the wizard.
  • Now open EMS and run the following cmdlet:

    [PS] C:\>Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Users\Administrator.EXCHANGE\Desktop\exchangecert.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

The credentials prompt will pop up. Enter the credentials of the currently logged-on user and the password that was specified for the .pfx file during export. If the credentials are correct the output should be as below:


Next, you can enable this certificate for the services you want to use it for. Again, simply open the EMS and run Enable-ExchangeCertificate -Server 'EXCHANGE2010' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'E7DD3356F1DC4359D9AAFD18BC7E36C06C7FC418'
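The whole procedure above, from importing the downloaded certificate to enabling it for services, as an added example that is not code from the original post. It is written for PowerShell 2.0 and must be run in the Exchange Management Shell on the Exchange 2010 server, because the last two steps use Exchange cmdlets. The file paths, the .pfx password and the services list are placeholders. certutil -repairstore generates nothing: it looks for a private key already in the machine key store (the one created for the pending request) whose public half matches the certificate, and re-links the two.

```powershell
# Added example (not the original post's code): repair a certificate that was issued for an
# Exchange pending request but imported without its private key, then hand it to Exchange.
# Run in the Exchange Management Shell on the Exchange 2010 server. Paths and password are placeholders.
param(
    [string]$CerPath        = "C:\certs\exchangecert.cer",   # certificate downloaded from the CA
    [string]$PfxPath        = "C:\certs\exchangecert.pfx",   # repaired certificate + key, for Import-ExchangeCertificate
    [string]$PfxPassword    = "ChangeMe-PfxPassword",        # protects the exported private key
    [string]$ExchangeServer = $env:COMPUTERNAME,
    [string]$Services       = "IMAP, POP, IIS, SMTP"
)
$ErrorActionPreference = "Stop"
$x509 = "System.Security.Cryptography.X509Certificates"

# Step 1: import the issued certificate into the local computer's Personal (My) store
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList $CerPath
$store = New-Object "$x509.X509Store" -ArgumentList "My", "LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()
$thumbprint = $cert.Thumbprint
Write-Host ("Imported {0}, serial {1}, private key present: {2}" -f $cert.Subject, $cert.SerialNumber, $cert.HasPrivateKey)

# Step 2: re-link the certificate with the private key left behind by the pending request.
# This is the manual "certutil -repairstore my <serial>" step; the serial is taken from the object
# instead of being copied out of the Details tab.
if (-not $cert.HasPrivateKey) {
    & certutil.exe -repairstore my $cert.SerialNumber | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }
}

# Step 3: reload from the store and confirm the key is now associated (the golden key icon)
$store.Open("ReadOnly")
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1
$store.Close()
if (-not $cert.HasPrivateKey) {
    throw "Repair did not find a matching private key in the machine key store; the certificate cannot be used by Exchange."
}

# Step 4: export to PFX with the private key and the issuing chain, as the export wizard does with
# "Include all certificates in the certification path" selected.
$chain = New-Object "$x509.X509Chain"
[void]$chain.Build($cert)
$bundle = New-Object "$x509.X509Certificate2Collection"
[void]$bundle.Add($cert)                                  # leaf certificate carrying the private key
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { [void]$bundle.Add($_.Certificate) }   # intermediates and root
$pfxBytes = $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
[System.IO.File]::WriteAllBytes($PfxPath, $pfxBytes)
Write-Host "Exported $($bundle.Count) certificate(s) with private key to $PfxPath"

# Step 5: import into Exchange and enable it for the requested services (same cmdlets as the post)
$securePwd = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
$imported  = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)) -Password $securePwd
Enable-ExchangeCertificate -Server $ExchangeServer -Services $Services -Thumbprint $imported.Thumbprint
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint | Format-List Subject, Services, HasPrivateKey, NotAfter
```

The export in step 4 only succeeds if the key was marked exportable when the request was created; if it was not, the script stops there with the .NET exception and the certificate has to be requested again. The .pfx file contains the private key in full, so once Import-ExchangeCertificate has consumed it, delete it or treat it with the same care as any other key backup.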

Posted in Active Directory, Exchange 2010 | 8 Comments

HP Sizer Tool for Exchange 2010

Posted by Milind Naphade on 11/01/2010

While designing a new Exchange organization it is really tough to do proper capacity planning. Most of the time it is hard to decide on the correct hardware configuration. HP has developed a tool for Exchange 2010 sizing problems. I found this tool really useful as a help for your capacity planning and related tasks.

You can download this tool from HP’s website directly. Here is the download location: HP Sizer for Microsoft Exchange Server 2010

To read the primary documentation and introduction to the tool you can also log on to

Posted in Exchange 2010, News | Comments Off on HP Sizer Tool for Exchange 2010