Exchange 2003, Exchange 2007 CAS servers, Enterprise Vault and Constrained Delegation…

by Andy Grogan on December 3, 2008

You may have noticed that I have done a number of articles recently which cover both Exchange 2007 (SP1), Windows 2008 and Symantec Enterprise Vault.

The main reason for this is that the biggest hold up of my current migration in terms of moving forward has been getting EV to work properly within an Interop environment where the CAS servers are in a position to provide OWA connectivity to both Mailboxes located on Exchange 2003 and Exchange 2007 – whilst also providing access to mail items contained within the vault.

I can truthfully tell you that it has been a nightmare – and due to this fact I wish to share with you all the processes that I went through to get both KVS and Exchange 2007 SP1 working together as I have lost many weeks on the project due to these problems.

The following have been the objectives that I needed to comply with in order to proceed with the migration:

Note: You will see in the following passage references to FULL KVS FUNCTIONALITY – from my organisational perspective this consists of the following requirements:

  • People can still Archive Mail from within the specified client (OWA or Outlook)
  • They need to be able to CANCEL archiving on an item
  • They should be able to see and access their archived items
  • They should be able to search their archives – and review items using the “Search Archive” function.

 The following is a basic diagram of the desired functionality of EV within an Exchange Interop Environment whilst using an Exchange 2007 SP1 CAS server as the primary means of accessing OWA.


Outlook 200x Clients;

Users MUST be able to use the full functionality of KVS when connected to their Exchange 2007 mailboxes which are located on the new CCR clusters (see for information on this process). Full KVS functionality MUST also be maintained to mailboxes still located on the Exchange 2003 Servers.

OWA 2003 – via the Exchange 2007 NLB Client Access Servers;

As you will know, Exchange 2007 CAS servers can proxy requests to Exchange 2003 Mailbox servers (via the http:///exchange) route – however I needed to ensure that FULL KVS functionality is maintained for users who still get redirected to legacy Exchange 2003 mailboxes even though they are using the CAS.

OWA 2007 – via the Exchange 2007 NLB Client Access Servers;

People who have been migrated across to the new Exchange 2007 SP1 servers need to be able to have full KVS Functionality within their OWA 2007 Mailboxes.

Right, you might be looking at the requirements above and thinking “Easy” – well, I can assure you that it is far from simple.

You see, when I began this migration our Enterprise Vault installation was based on version 6 – if you wish to achieve all the above objectives (and have them work) you MUST and I really mean MUST be running Enterprise Vault 2007 SP2 with the CAS servers running the following Enterprise Vault SP2 OWA Extensions – without this combination of software you will experience problems (and all this is before you have to make some configuration changes in AD) – I could bore you at this point with all the compatibility matrices, and indeed the fact that KVS 2007 was compatible with Exchange 2007 RTM but not with SP1 but take my word for it – EV SP2 with the latest OWA client updates should be the only way forward if you are in Interop and using Exchange 2007 SP1.

So assuming that you are also running version 6.0 of EV and wish to migrate to Exchange 2007 SP1 you will need to do the following with your Enterprise Vault installation:

  • Upgrade to Version 7.0
  • Upgrade to Version 2007 (also known as 7.5)
  • Upgrade to EV SP 2
  • Install the OWA 2003 EV extensions on all Exchange 2003 Front End and Back End Servers
  • Install the OWA 2007 extensions referenced in the above article (

 You should note that the Enterprise Vault 6.0 OUTLOOK client extensions will REMAIN compatible with EV 2007 SP2 – so you do not have a major problem in terms of having to upgrade all your clients in a short space of time – but, you should ensure that the most up to date Outlook client extensions are deployed soon after the upgrades to take advantage of enhanced functionality and updates.

All of the above is a project in itself. After which you will need to add your Exchange 2007 SP1 server into your EV site (this is described in the following article

OK, I have done all of the above – EV is still not working in OWA 2007 SP1?

Ok, this is where we will need to make those modifications in Active Directory that I spoke about earlier.

What you may have noticed is that after you bring your EV installation up to date and install the OWA 2007 extensions on your CAS SP1 server – users who have Exchange Mailboxes based on Exchange 2003 servers will receive the following error message when clicking on the “Search Archives” option in OWA 2003 – see below;


You will be presented with the following error;


Users who have mailboxes homed on Exchange 2007 SP1 Mailbox servers can make use of the features with no problems.

In order to fix the problems above you need to apply “Constrained Delegation” to your CAS servers.

Essentially, as you will know, your CAS server operates as a “proxy” to your Exchange backend servers (if they are 2007 servers it uses RPC; if they are 2003 servers it uses HTTP) – in either case the CAS needs to supply a set of credentials to the backend server in order for data to be accessed.

In the case of your Exchange 2003 mailbox servers – the CAS needs to submit a set of credentials to the EVProxy Service – which in turn are presented to the Vault server which will allow for the correct vault to be searched in OWA (I said it was complicated). These credentials need to be presented to the EVProxy via Integrated Windows Authentication.

In order to configure the above you need to use a process called “Constrained Delegation” which – before you begin requires your “Domain Functional Level” to be set at “Windows Server 2003 or higher” (again I said that this was a pain).

Configuring Constrained Delegation:

Open Active Directory Users and Computers and navigate to the OU or Container which contains your CAS server(s) computer account, right click on the account and from the context menu that appears choose “Properties” – see below;


From the properties dialog that appears choose the “Delegation” tab – then select the “Trust this computer for delegation to specified services only” and then choose the “Use any authentication protocol” – then click on the “Add” button – see below;


When you click on the “Add” button you will be presented with the dialog box displayed below – click on the “Users and Computers” button, where you will be required to type in the names of the Exchange 2003 and Exchange 2007 MAILBOX Servers that you would like to delegate to – you should note that if your mailbox servers are CLUSTERED you should enter in the CLUSTER NAME not the NODE name of the servers.


When you have done this, the “Add Services” dialog box will change to reflect the list of services on each server that you have chosen which can be delegated – scroll down to “HTTP” and then choose your servers (you can use CTRL-CLICK to select multiple servers) – when you have highlighted your servers (as per the example below) click on the “OK” button:


You will then be returned to the main server properties dialog box which will have changed to reflect your choices – see below;


Click on the “Apply” and then “OK” button – then close ADUC. If you have more than one domain you will need to wait for domain replication to take effect.

You should repeat this process for any CAS servers which are part of a NLB cluster.

You should now have full EV functionality within OWA 2003 and OWA 2007 from your CAS servers.
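To check what the Delegation tab actually wrote to the CAS computer account, the following added example (not part of the original post) evaluates the two attributes involved: the `userAccountControl` flags and the `msDS-AllowedToDelegateTo` SPN list. The function name `Test-CasDelegation` and all host names are hypothetical; the sample record is constructed.

```powershell
# Added example; function name and host names are hypothetical placeholders.
$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl bit: unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: "Use any authentication protocol"

function Test-CasDelegation {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [int]      $UserAccountControl,
        [Parameter(Mandatory)] [string[]] $ExpectedHosts,        # mailbox servers or cluster names
        [string[]] $AllowedToDelegateTo = @()                    # msDS-AllowedToDelegateTo values
    )
    $findings = @()
    if ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) {
        $findings += 'Unconstrained delegation flag is set; the procedure calls for "specified services only".'
    }
    if (-not ($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
        $findings += '"Use any authentication protocol" is not set.'
    }
    $covered = @()
    foreach ($spn in $AllowedToDelegateTo) {
        # SPN layout: serviceclass/host[:port][/servicename]
        $class, $rest = $spn -split '/', 2
        $spnHost = (($rest -split '/')[0] -split ':')[0]
        # Accept the short name or an FQDN that starts with it (comparisons are case-insensitive)
        $match = $ExpectedHosts | Where-Object { $spnHost -eq $_ -or $spnHost -like "$_.*" }
        if ($class -ne 'HTTP') { $findings += "Unexpected service class in '$spn' (only HTTP is needed)." }
        elseif (-not $match)   { $findings += "HTTP delegation to unlisted host in '$spn'." }
        else                   { $covered += $match }
    }
    foreach ($h in $ExpectedHosts) {
        if ($covered -notcontains $h) { $findings += "No HTTP SPN present for expected mailbox server '$h'." }
    }
    [pscustomobject]@{ Computer = $Name; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample record. For a live account, read the same two attributes with
# Get-ADComputer <name> -Properties userAccountControl,'msDS-AllowedToDelegateTo' (ActiveDirectory module).
$result = Test-CasDelegation -Name 'CAS01' -UserAccountControl 0x1001000 `
    -ExpectedHosts 'EX2003BE1', 'EX2007CCR' `
    -AllowedToDelegateTo 'HTTP/EX2003BE1', 'HTTP/EX2003BE1.example.local', 'HTTP/EX2007CCR', 'cifs/FILESRV01'
$result.Findings
```

Running the same check against every CAS node in the NLB cluster shows whether one node was missed or carries delegation entries beyond the HTTP services selected in the steps above.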

If you would like to read more on the above topic I recommend the following links;
