Converting from Single Server to FE/2BE

  • Converting from Single Server to FE/2BE

    I'm in the process of adding another Exchange 2003 Standard server to our infrastructure to support branch office and split the stores up. I've created a second backend server, a new frontend server, and converted the existing single server to a backend.

    I've installed the SSL certificate on the new FE and changed my firewall NAT to point to it. I've set up a second publishing point for mobile access according to the directions on this site, so I can maintain forms-based auth for web access.

    I have moved my own mailbox to the new backend server, and am able to access it via OWA. I am unable to access it via ActiveSync on my phone; the log reports a 501 error. The log is also reporting 501 errors for ActiveSync access by our Mac users using Entourage. OWA access for all users on the old single server is returning an error that looks like bad credentials. OWA failures aren't showing up in the frontend log. ActiveSync failures return:

    Unexpected Exchange mailbox Server error: Server: [mail.domain.com] User: [[email protected]] HTTP status code: [501]. Verify that the Exchange mailbox Server is working correctly.


    What have I missed?

  • #2
    Re: Converting from Single Server to FE/2BE

    This is a complete shot in the dark, but when we moved from a single Exchange Standard server to Exchange Standard FE/ Exchange Enterprise BE, we needed to go through each machine and change the Exchange server name to the new name of the BE server in order to actually access the mailboxes. What server name are you using when you try to access the mailboxes via ActiveSync or Outlook?

    Thanks!
    Don't fool yourself. If you truly feel passionate about something, you will do whatever it takes. If you don't, you'd better get busy pursuing happiness, because it's all you've got.



    • #3
      Re: Converting from Single Server to FE/2BE

      Not sure I follow you ...

      Our exchange backends are exchange02 and exchange03, frontend is cc-exfe. Access from the internet is exchange.domain.org, and I simply redirected the NAT from exchange03 (our original single server) to cc-exfe, and made them members of the RPC-HTTP topology. Is there something else I need to do to actually point it at those servers? I thought exchange was already aware of the other servers in its farm.



      • #4
        Re: Converting from Single Server to FE/2BE

        The other interesting part is that if I go to the FE and /oma and log in, it tells me the account is not enabled for wireless access, despite it being enabled.

        Now I'm REALLY puzzled.



        • #5
          Re: Converting from Single Server to FE/2BE

          If you moved the mailboxes between servers using move mailbox then you should not have needed to touch any Outlook clients. Outlook would redirect you automatically, as long as both the old and the new server were alive with Exchange running.

          The errors you are seeing are usually down to an authentication issue.
          Reset the virtual directories:
          http://support.microsoft.com/default.aspx?kbid=883380

          Ensure that there are no SSL certificates on the backend servers and that require SSL is not set.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.
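A way to triage the front-end and back-end IIS logs discussed in this thread, as an added example that is not part of any poster's reply: it tallies failed requests per Exchange virtual directory and flags sub-status 403.4, which IIS returns when "Require SSL" is set on a directory. The log lines are constructed and their field layout is an assumption; the parser follows whatever `#Fields:` header the log actually carries.

```python
from collections import Counter

# Constructed sample in IIS 6 W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2009-03-02 14:01:10 GET /exchange/ DOMAIN\\alice 10.0.0.21 200 0 0
2009-03-02 14:01:12 OPTIONS /Microsoft-Server-ActiveSync DOMAIN\\bob 10.0.0.5 501 0 0
2009-03-02 14:01:15 POST /Microsoft-Server-ActiveSync DOMAIN\\bob 10.0.0.5 501 0 0
2009-03-02 14:02:40 GET /oma DOMAIN\\carol 10.0.0.5 403 4 5
2009-03-02 14:03:02 PROPFIND /exchange/dave/ - 10.0.0.5 401 2 2148074254
"""

# Virtual directories named in the thread, lower-cased for matching.
VDIRS = ("/exchange", "/oma", "/microsoft-server-activesync")

# Keyed by "status.substatus" first, then by bare status.
HINTS = {
    "403.4": "'Require SSL' is set on this virtual directory",
    "401": "credentials rejected or authentication method mismatch",
    "501": "method not implemented by the handler that received it",
}

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def failures_by_vdir(text):
    """Count 4xx/5xx responses per (vdir, status.substatus, user)."""
    tally = Counter()
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        vdir = next((v for v in VDIRS if stem == v or stem.startswith(v + "/")), None)
        status = row.get("sc-status", "")
        if vdir and status[:1] in ("4", "5"):
            code = f'{status}.{row.get("sc-substatus", "0")}'
            tally[(vdir, code, row.get("cs-username", "-"))] += 1
    return tally

def report(text):
    """Return one formatted line per failure group, with a hint where known."""
    return [f"{v:30} {c:6} {u:14} x{n}  {HINTS.get(c) or HINTS.get(c.split('.')[0], '')}"
            for (v, c, u), n in sorted(failures_by_vdir(text).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against the W3SVC logs of both the front end and each back end; a 403.4 that appears only on a back end matches the "require SSL" setting the post above says to clear.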



          • #6
            Re: Converting from Single Server to FE/2BE

            Correct, Outlook is working fine, as is OWA - it's just OMA/ActiveSync that seem to be cranky.



            • #7
              Re: Converting from Single Server to FE/2BE

              After resetting the virtual directories, connecting to /oma still gives me "Your user account has not been enabled for wireless access. Please contact your system administrator for additional assistance".

              Event log on FE server throws a 1508 error. No errors on BE server. OWA works great.

              Sync from a Windows Mobile device returns "Error Synchronizing" on the device, both with and without SSL.



              • #8
                Re: Converting from Single Server to FE/2BE

                OK, interesting.. connecting with my WiMo device via direct IP and no SSL does work. Turning on SSL predictably breaks because the SSL certificate is not valid for that IP.

                Looks like part of the issue from my WiMo device may be stale DNS cache on my mobile carrier.



                • #9
                  Re: Converting from Single Server to FE/2BE

                  I changed the DNS servers in my mobile device to 4.2.2.1 and 4.2.2.2 after verifying they resolve correctly to mail.domain.org (where I'm putting this test infrastructure). Works fine with name resolution now, but only on non-SSL connections. As soon as I enable SSL, it fails, with no errors on the server end.

                  The certificate I'm using is a GoDaddy UCC cert with exchange.domain.org and mail.domain.org listed.

                  Attempting to browse to https://mail.domain.org/oma from the mobile device returns a certificate error "the certificate was issued by a company you have not chosen to trust". Upon login, I still get the error about the account not being enabled for wireless access.

                  Do I need to update root certificates on my mobile devices?



                  • #10
                    Re: Converting from Single Server to FE/2BE

                    I should also add that my current exchange server (exchange.domain.org) and activesync users are using this same UCC certificate without issue.

                    Browsing to it from a different device works OK in Opera Mobile, but not in Mobile IE, or on fruitPhone.



                    • #11
                      Re: Converting from Single Server to FE/2BE

                      If you are getting certificate errors then that will cause things to stop working, as ActiveSync cannot cope with the certificate prompt.
                      It could be that your device doesn't have the GoDaddy certificates in its trusted root store, or that you have installed the certificates incorrectly. Windows Mobile is a lot more sensitive to the certificates than Internet Explorer on the desktop.

                      Simon.
                      --
                      Simon Butler
                      Exchange MVP




                      • #12
                        Re: Converting from Single Server to FE/2BE

                        Finding that moving my mobile users to the new BE server makes them work just fine, so it doesn't appear to be a certificate problem. Something must be seriously screwy with the old single server. At this point, I'm about to the point of spinning up another new server and decommissioning the old single.



                        • #13
                          Re: Converting from Single Server to FE/2BE

                          Originally posted by CyberneticEntomologist:
                          Not sure I follow you ...

                          Our exchange backends are exchange02 and exchange03, frontend is cc-exfe. Access from the internet is exchange.domain.org, and I simply redirected the NAT from exchange03 (our original single server) to cc-exfe, and made them members of the RPC-HTTP topology. Is there something else I need to do to actually point it at those servers? I thought exchange was already aware of the other servers in its farm.

                          ===================
                          This might help you.
                          http://technet.microsoft.com/en-us/l.../aa996980.aspx



                          • #14
                            Re: Converting from Single Server to FE/2BE

                            Hi Cybernetic (and others)..

                            Just wondering.. did you get this issue fixed..!? I am about to convert my single server Exch 2003 Ent into a FE / BE config also in a few days. The FE server is already setup with a new SSL cert (we decided to change our OWA access URL to make it more "readable"; the old one will be moved to a second FE temporarily for a few days/weeks until all users start using the new OWA URL).

                            The FE server now just has to be designated as FE to create the FE/BE config. I guess I will be following KB883380 somewhere along the process.

                            Also, I would like to turn on FBA in the new architecture. Currently, users login with the OWA login window; I am doing away with this. I will also be making the OWA access URL "simpler", by not having to type the /exchange in the URL.. according to http://technet.microsoft.com/en-us/l.../aa998359.aspx.

                            I am, however, afraid about what will happen to our iPhones. Will iPhone/Entourage syncing break because of the simpler access URL? Anyone know anything about this..!?

                            Also, I read everywhere that SSL should NOT be set to "required". Is this limitation only in a single server scenario, or also in FE/BE config?

                            Basically once my FE/BE is configured, how do I ensure that our iPhones/Entourage users are not affected?

                            Any ideas/suggestions are greatly appreciated

                            Thanks much,
                            VS.

