Wow, yep, I know that the title is a little bit of a mouthful, but today I have been working on getting my Enterprise Vault configuration to play nicely with my Windows 2008 based Exchange 2007 SP1 servers. It has been a little bit of a job, but now that it is pretty much playing as I would like, I thought that I would share the process that I used with you all.
Firstly let me give you a little bit of the background;
Within my environment prior to installing Exchange 2007 SP1 we were running Symantec Enterprise Vault version 6 (service pack 3) – this version obviously did not support Exchange 2007 in many aspects therefore we needed to upgrade to Enterprise Vault 2007 in order to support mailbox Journaling, Archiving and full .NET support for OWA 2007. The upgrade process involved firstly upgrading to Enterprise Vault 7.0 and then Enterprise Vault 2007 (known also as 7.5) – it is quite important to note that if you are a version 6.x user of EV you will need to upgrade to EV 7.0 BEFORE you can upgrade to 2007 (the actual upgrade process is beyond the scope of this article).
When we finally arrived at EV 2007 it was time to go away and build the foundations of my production Exchange 2007 SP1 organisation (which would run in interop mode alongside Exchange 2003), which is made up of the following components:
x 2 CAS servers – NLB – running Windows 2008 x64
x 2 CCR Clusters – running Windows 2008 x64
x 2 Hub Transports (not relevant here)
Essentially the focus of my work would be the following objectives:
- Add the Exchange 2007 SP1 CCR Clustered Mailbox Server into the EV site as an archive target
- Install the EV OWA 2007 client Extensions on each of the CAS servers to provide access to archived items via OWA 2007 SP1
- Test that archiving works via OWA 2007 (this would include adding to the vault and accessing items contained within the vault)
Adding your CCR Clustered Mailbox Server to the EV site:
There are a few steps to this process, all of which must be followed. I have found that generally speaking Enterprise Vault runs exceptionally well once it is up and running, therefore a lot of Exchange system admins tend to forget the day to day complexities of it – in favour of the more straightforward “day to day” tasks (creating archives, reviewing the journal) – so when it comes to changing the configuration of the Site, and indeed adding in an additional server, it can be quite daunting.
Configure an archive account for the mailbox archive task on your CCR cluster:
Each mailbox server within an Enterprise Vault site requires a mailbox which is used for the processing of archive item data, this mailbox can reside in any Storage Group / Database – however the following are some provisos that you should consider:
- The mailbox can exist in any Storage Group / Database – however it should as best practice reside on the server where the archiving tasks will be run.
- The mailbox should not (under normal operation) grow to large proportions – however you should exclude it from any Organisation sizing restrictions – this could cause issues with the archiving process.
Therefore the very first step is to create a new mailbox user which will act as the archive account on the CCR Mailbox server that you wish to add into your KVS Site – when you have created this account you are ready to assign permissions to the KVS Service Account and the new mailbox that you have created.
Configure Permissions for the EV Service account (VSA) on your Exchange 2007 SP 1 CCR Cluster:
During the installation of KVS you would have specified what is called the “KVS Service Account” AKA the VSA.
Essentially the service account is assigned full permissions to each mailbox server within your organisation; this allows KVS to perform its duties during Journaling and Archiving. In Exchange 2003, in order to assign the correct permissions to the KVS Service account you would need to ensure that you had the security tab enabled in the 2003 Exchange System Manager (see http://exchangepedia.com/blog/2004/12/how-to-view-security-tab-in-exchange.html for a good overview of enabling the tab).
In principle, when you had the tab available in Exchange 2003, you would then assign “Full Control” to the service account on each Exchange mailbox server (this would include the Send As and Receive As rights).
However in Exchange 2007 – the process of assigning the KVS Services account rights to your mailbox server has changed a little bit and now requires you to use ADSI edit.
This article is based around Exchange 2007 SP1 running on Windows 2008 being added into KVS – however, the same steps can equally be applied to Exchange 2007 (with or without SP1) running on Windows 2003 (the process can also be applied to non clustered Mailbox servers – although you need to be wary of running the CAS role on the Mailbox Server) – you should note that if you are running Windows 2003 you will need to install ADSI edit from the Windows 2003 support tools – if you are using Windows 2008 on your Exchange servers you will see that it is installed by default.
Open ADSI Edit [ START -> Programs -> Administrative Tools -> ADSI Edit ] then connect to the configuration partition of AD.
You will then need to navigate to [ Configuration -> Services -> Microsoft Exchange -> -> Administrative Groups -> Exchange Administrative Group (FYDIBOHF23SPDLT) -> Servers -> ]
Right click on the entry for your server and from the context menu that appears choose “Properties”
From the dialog box (below) that appears choose the “Security” tab – then click on the “Add” button.
From the Select box (below) that appears either locate or type in the name of the KVS Service Account and then click on “OK”.
You will then be returned to the Security dialog box – choose the KVS Services account, and then tick the “Full Control” option (below) and then click on the “Advanced” button.
From the dialog box that appears (below) sort the permission entries by name – then locate your KVS Services account, select it and then click on the “Edit” button:
From the permissions box that appears (below) under the “Applies to” section choose “This object and all descendant objects” or if using Windows 2003 “This object and all child objects” then click “OK” 3 times.
After domain replication has taken place you will have successfully applied the correct permissions to the CCR Mailbox Server for the KVS Services account (VSA).
It is also necessary to grant the KVS Services account (VSA) “Full Control” permissions on the Archive system mailbox that you created earlier:
- Again open adsiedit.msc and open the Domain partition.
- Locate the Archive mailbox account that you created earlier; this is usually under CN=Users, however you may have placed it elsewhere depending on your AD configuration.
- When you have located the account object Right-click on it and from the context menu that appears choose “Properties”.
- From the dialog box that appears choose the Security tab.
- Add the KVS Services account (VSA) and then apply Full Control permissions to this account.
- Click Apply.
- Click OK
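One way to confirm that both grants described above landed as intended, as an added example that is not part of the original article or of Symantec's tooling: it uses the Exchange Management Shell cmdlets Get-MailboxServer, Get-Mailbox and Get-ADPermission. The server, mailbox and account names are hypothetical placeholders.

```powershell
# Added example; run in the Exchange Management Shell after AD replication.
# Hypothetical names: replace with your own VSA, server and archive mailbox.
$vsa        = 'TRIXY\KVSService'     # hypothetical KVS Services account (VSA)
$serverName = 'CCRMBX01'             # hypothetical clustered mailbox server
$archiveMbx = 'EVArchive-CCRMBX01'   # hypothetical archiving system mailbox

function Test-VsaFullControl {
    param(
        [string]$DistinguishedName,   # AD object whose ACL is inspected
        [string]$User,                # VSA as DOMAIN\samAccountName
        [switch]$RequireDescendants   # also require "this object and all descendant objects"
    )
    # Keep explicit (non-inherited) Allow entries for the VSA that carry
    # GenericAll, which is what ticking "Full Control" writes.
    $aces = @(Get-ADPermission -Identity $DistinguishedName -User $User |
        Where-Object {
            -not $_.Deny -and -not $_.IsInherited -and
            ($_.AccessRights -contains 'GenericAll')
        })
    if ($RequireDescendants) {
        # InheritanceType 'All' corresponds to the "Applies to" choice above.
        $aces = @($aces | Where-Object { $_.InheritanceType -eq 'All' })
    }
    $aces.Count -gt 0
}

$server  = Get-MailboxServer -Identity $serverName
$mailbox = Get-Mailbox -Identity $archiveMbx

"Server object   : " + (Test-VsaFullControl $server.DistinguishedName $vsa -RequireDescendants)
"Archive mailbox : " + (Test-VsaFullControl $mailbox.DistinguishedName $vsa)

# Full listing for the change record, including any Deny or inherited entries:
Get-ADPermission -Identity $server.DistinguishedName -User $vsa |
    Format-Table User, AccessRights, Deny, IsInherited, InheritanceType -AutoSize
```

A result of False on either line means the entry is missing, inherited from elsewhere, or scoped differently from what the steps above describe.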
Adding your Clustered Mailbox Server to Enterprise Vault:
On your desired Enterprise Vault server open the Vault Administration tool [ START –> Programs -> Enterprise Vault -> Administration Console ] – see below;
When the administration console has loaded expand the following [ Enterprise Vault -> Directory on -> Targets -> Exchange -> -> Exchange Server ] right click on the Exchange Server node and from the context menu that appears choose NEW -> Exchange Server – see below;
You will then be presented with the “New Exchange Server” wizard – from the intro screen (below) click on the Next button;
From the screen that appears (see below), in the topmost edit box enter the name of the Exchange 2007 Mailbox Server that you wish to add; from the section entitled “Create Tasks for the Exchange Server” tick the tasks that you wish to be performed (for my example I only wish to set up an “Exchange Mailbox Task”).
When you are done from the section entitled “Create the tasks on this Enterprise Vault Server” choose the correct EV server in your environment which will take responsibilities for the Exchange 2007 Mailbox Server – then click on the “Next” button.
The wizard will change to display the “Choose Archiving System Mailbox” section (see below) – using the browse button locate the account that you created earlier on and then click on the “Next” button.
You will then be presented with the task completion wizard (see below) – click on the “Finish” button.
You will be returned to the Enterprise Vault administration console – navigate to [ Enterprise Vault -> Directory on -> -> Enterprise Vault Servers -> -> Tasks ] – see below;
Review the task list; you should now see a new task entry which corresponds to the server that you have just added – initially you will see the task in a “Stopped” state – if you wait the task will start automatically – see below;
Close down the Administration Console for Enterprise vault and then using Windows Explorer (or via My Computer) navigate to the folder on your Enterprise Vault server where the EV binaries have been placed – this is typically:
[ C:\Program Files\Enterprise Vault ]
When you have done this, locate and then open the text file entitled “Exchange Servers.txt” in Notepad (it might be an idea to take a copy before you proceed).
When opened you will see that this file contains a list of IP addresses for your existing Exchange Servers which are configured to work with Enterprise Vault – at the bottom of the file add in the IP addresses for the following Exchange 2007 servers (in your Infrastructure):
- The CCR Cluster IP address for your mailbox server
- The IP addresses of your CAS server(s)
When you have added the IP addresses save the file.
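Since this file lists the IP addresses of the Exchange servers configured to work with Enterprise Vault, it is worth checking it for typos, duplicates and missing entries after editing. The following PowerShell check is an added example, not part of the original article; it assumes one IPv4 address per line, and the sample addresses are constructed.

```powershell
# Added example: audit the contents of "Exchange Servers.txt".
# Assumption: one IPv4 address per line; blank lines are ignored.
function Test-EvExchangeServerList {
    param(
        [string[]]$Lines,        # current contents of the file
        [string[]]$RequiredIPs   # CCR cluster IP plus each CAS server IP
    )
    $valid = @(); $malformed = @(); $duplicate = @()
    foreach ($raw in $Lines) {
        $entry = "$raw".Trim()
        if ($entry -eq '') { continue }
        $parsed = $null
        # Insist on dotted-quad form first: IPAddress.TryParse on its own
        # also accepts shorthand such as "10.1".
        $isIPv4 = ($entry -match '^\d{1,3}(\.\d{1,3}){3}$') -and
                  [System.Net.IPAddress]::TryParse($entry, [ref]$parsed)
        if (-not $isIPv4) { $malformed += $entry }
        elseif ($valid -contains $entry) { $duplicate += $entry }
        else { $valid += $entry }
    }
    # Required addresses that are not present as a valid entry.
    $missing = @($RequiredIPs | Where-Object { $valid -notcontains $_ })
    New-Object PSObject -Property @{
        Valid = $valid; Malformed = $malformed
        Duplicate = $duplicate; Missing = $missing
    }
}

# Constructed sample (documentation-range addresses), not real file contents.
$sample   = '192.0.2.10', '192.0.2.11', '192.0.2.300', '192.0.2.10', ''
$required = '192.0.2.20', '192.0.2.21', '192.0.2.11'
Test-EvExchangeServerList -Lines $sample -RequiredIPs $required | Format-List

# Against the real file (path as given in the article; adjust if EV is elsewhere):
# $lines = Get-Content 'C:\Program Files\Enterprise Vault\Exchange Servers.txt'
# Test-EvExchangeServerList -Lines $lines -RequiredIPs $required | Format-List
```

Entries reported under Valid that no longer belong to a current Exchange server are candidates for removal when the file is next edited.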
Below is an example of where the file is located.
When you have finished adding the IP addresses to the file – you will need to configure the OWA anonymous access account so that it has the relevant permissions on your Exchange 2007 Mailbox and / or CCR servers (which you should have added to the IP address file previously) – therefore in order to proceed you will need to ensure that you know the samAccountName and the Password for the OWA account for your EV installation – this should have been documented during the EV implementation – it should NOT be the same as the KVS Services account (VSA).
When you have the OWA account name for KVS – open a command prompt and navigate to the Enterprise Vault directory on your EV server (typically cd “Program files\Enterprise vault”) and then type in the following command:
cscript.exe OWAUser.wsf /domain: /user: /password: /exch2003
So for example if my NETBIOS Domain was Trixy and my OWA samAccountName was OWAKVS with a password of “password” the command would be:
cscript.exe OWAUser.wsf /domain:trixy /user:OWAKVS /password:password /exch2003
Even though you are installing for Exchange 2007 and indeed using KVS 2007 you still need to use the /exch2003 switch at the end! – below is an example of the command and the correct output:
When the VBSCRIPT command has run correctly, go to [ START -> RUN ] and from the RUN Command type in “Services.msc” and then click on “OK” – when the services management console has opened locate the “Enterprise Vault Admin Service” and right click on it. From the Context menu that appears choose the “Restart” command – during the Restart of the service confirm that you wish to restart all the dependent services – see below;
When the EV Services have restarted you will need to Open the Enterprise Vault Administration Console [ START –> Programs -> Enterprise Vault -> Administration Console ] then from within the console navigate to [ Enterprise Vault -> Directory on -> -> Enterprise Vault Servers -> -> Tasks ] – see below;
Locate the mailbox archival task for your new Exchange 2007 Mailbox Server then right click on the entry. From the Context menu that appears choose the “Properties” option. From the dialog box that appears choose the “Synchronization” tab and then from the “Update details of” section ensure that “All mailboxes” and all the tick boxes are Selected – then click on the “Synchronize” button – see below;
Installing the Enterprise Vault Client Extensions on your CAS Server:
Improved COM and installation my back side! – first things first, do not install the Client Extensions from the KVS 7.5 media on an Exchange 2007 SP1 CAS server, they don’t work properly; instead I suggest that you go to the Symantec Web Site and download the Extensions that are provided in this article http://seer.entsupport.symantec.com/docs/300400.htm
When you have downloaded the zip file – extract it to a convenient location on your CAS server, then run the EV_OWA2007_Extensions_x64.msi – see below;
When you have executed the MSI file you will be presented with the following introduction screen – essentially here you can click on the “Next” button:
When you have clicked Next the screen will change to display the EULA – click the “I Agree” box and then click on the “Next” button – see below;
The screen will then change to ask you where you would like the EV binaries to be installed on your CAS – I would accept the default location and then click on the “Next” button – see below;
You will then be presented with the “Ready to Install” screen – click on the “Next” button to proceed – see below;
If you are installing the EV extensions on a CAS server which is installed on Windows 2008 SP1 you might during installation see the following error message;
You can safely click on the “Ignore” button.
When setup has completed you will be presented with the following dialog box – click on the “Finish” button.
If your CAS implementation is based around NLB you will need to install the EV Extensions on the other CAS servers which form the NLB.
When done, choose a “Test” mailbox which exists on your newly added Exchange 2007 Mailbox Server and run through the process of enabling it for Archiving – then access it via OWA 2007 and test the client experience.
That pretty much completes the process of adding in your 2007 SP1 mailbox server to Enterprise Vault and then installing the Client Extensions on your CAS servers – my next article will cover “Constrained Delegation” for EV and OWA 2007 SP1