POW #10 – Exchange Server 2007 SP2 (Part 1)

As many of you probably know, Service Pack 2 for Exchange Server 2007 is one of the prerequisites for introducing Exchange Server 2010 into existing Exchange organization.

Beside many fixes, Service Pack 2 for Exchange Server 2007 also includes some cool new features:

• Enhanced Auditing: New Exchange auditing events and audit log repository enable Exchange administrators to more easily audit the activities occurring on their Exchange servers. It allows the right balance of granularity, performance, and easy access to audited events via a dedicated audit log repository. This simplifies the auditing process and makes review of audited events easier by segregating audited events in a dedicated location.
• Exchange Volume Snapshot Backup Functionality: A new backup plug-in has been added to the product that will enable customers to create Exchange backups when a backup is invoked through the Windows Server 2008 Backup tool. Exchange Server 2007 didn’t have this capability on Windows Server 2008 and additional solutions were required to perform this task.
• Dynamic Active Directory Schema Update and Validation: The dynamic AD schema update and validation feature allows for future schema updates to be dynamic deployed as well as proactively preventing conflicts whenever a new property is added to the AD schema. Once this capability is deployed it will enable easier management of future schema updates and will prevent support issues when adding properties that don’t exist in the AD schema.
• Public Folder Quota Management: SP2 enables a consistent way to manage quotas by improving the current PowerShell cmdlets to perform quota management tasks.
• Centralized Organizational Settings: SP2 introduces new PowerShell option that enable centralized management of many of the Exchange organization settings.
• Named Properties cmdlets: SP2 enables Exchange administrators to monitor their named property usage per database.
• New User Interface for Managing Diagnostic Logging: SP2 enables Exchange administrators to easily configure and manage diagnostic logging from within the Exchange Management Console.

Update your server(s)!

I strongly recommend that you install latest Service Packs and hotfixes for your operating system and installed software. Please note that Exchange Server 2007 (SP2) is only supported on Windows Server 2003, Windows Server 2003 R2 and on Windows Server 2008. Windows Server 2008 R2 is not supported!

Windows Installer 4.5

You need to deploy Windows Installer 4.5 on all target Exchange Server 2007 servers prior installing Service Pack 2.

Download Windows Installer 4.5 for Windows Server 2003 SP1, Windows Vista SP1 and Windows Server 2008 RTM from Microsoft Download:

Download: Windows Installer 4.5 Redistributable

Please note that Windows Installer 4.5 is already included in Windows Server 2008 SP2 and Windows Vista SP2.

Backup Active Directory and Exchange!

Please backup Active Directory and Exchange (especially Databases) before Active Directory preparation and Exchange Server 2007 SP1 installation. You should consider reading my previous blog post named Importance of good backups.

Prepare Active Directory

Not all steps are necessary in simple Active Directory setup (single domain forest). So here are necessary steps to prepare Active Directory for Exchange Server 2007 Service Pack 2. The advantage of running steps separately is that you can use account which has minimum permissions necessary for task.

• Run  setup /PrepareSchema – You need to run this with domain account that is member of Schema Admins and Enterprise Admins security groups. Make sure that you run this commands from server that is in the same Active Directory Site as Schema Master DC. (Note: You must not run this command in a forest in which you do not plan to run setup /PrepareAD. If you do, the forest will be configured incorrectly, and you will not be able to read some attributes on user objects.).
• Run setup /PrepareAD – You need to run this with domain account that is member of Enterprise Admins security group. Make sure that you run this commands from server that is in the same Active Directory Site as Schema Master DC. In order to support the new Role Based Access Control (RBAC) model in Exchange Server 2010, a new security group is created inside Microsoft Exchange Security Groups OU named Exchange Trusted Subsystem.

  

• Run setup /PrepareDomain to prepare local domain, run setup /PrepareDomain:exlab.exchange.pri to prepare specific domain, run setup /PrepareAllDomains to prepare all domains in forest. Please note that /PrepareAD prepares current (local) domain during process. If you have single domain Active Directory forrest, running /PrepareDomain is not needed. PrepareDomain in Exchange Server 2007 SP2 does not include ACEs introduced by Exchange Server 2010.

After you run each command, you should wait for the changes to replicate across your Exchange Organization. It can take a while in large Active Directory site topology. You can always force replication via Active Directory Sites and Services MMC.

 

How do you verify successful preparation of Active Directory?

Setup.com /PrepareSchema sets value of rangeUpper attribute of ms-Exch-Schema-Version-Pt to 14622 after successful finish.

 

Setup.com /PrepareAD sets value of objectVersion attribute of <Organization Name> container to 11222 after successful finish.

 

Installation order

There is nothing specific in the installation order of Exchange Server 2007 Service Pack 2. You should stick with standard installation order for Exchange Server 2007:

1. Upgrade all Client Access Servers
2. Upgrade all HUB Transport Servers
3. Upgrade all EDGE Transport Servers (can be upgraded later but not before HUB Transport Servers)
4. Upgrade all Mailbox Servers
5. Upgrade all Unified Messaging Servers

In multi site environment upgrade site by site in the above order (not for example all Client Access Server across multiple sites! and than next role). Upgrade internet facing site(s) first.

 

Links:

• Download Exchange Server 2007 Service Pack 2

Action Required by Dec. 1, 2009: Keep your Protection Current!

This post is from ForeFront Server Blog:

As we announced on July 1, 2009, Microsoft is revising its engine mix on Dec. 1, 2009 for the Forefront and Antigen products.  This change will allow customers to utilize a set of engines that help optimize detection, while also allowing us to invest in new areas for increasing overall protection for customers. 

Antimalware Protection

The AhnLab, CA, and Sophos engines will be retired on Dec. 1, 2009.  After December 1^st, customers will not receive any updates for these retired engines. In order to make sure your Antigen and Forefront products continue to scan efficiently and effectively for malware, any customers running the AhnLab, CA, or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman, and VirusBuster.

SPECIAL NOTE: Antigen for SharePoint 8.0 and Antigen for Instant Messaging 8.0 customers – In order to gain access to the new engine set and provide optimal protection for your messaging and collaboration environments, please download the Service Pack 1 releases of these products on the MVLS or VLSC site prior to Dec. 1, 2009.  The updates for the new engine set will use a new update infrastructure as of Dec. 31, 2009 – the Service Pack 1 releases will allow you to continue to receive updates correctly from their new location.

For more information about Service Pack 1 for Antigen for SharePoint and Antigen for IM, see the following KB article:

http://support.microsoft.com/kb/975850/

– SPECIAL NOTE: Antigen for Exchange 8.0 and Antigen for SMTP Gateways 8.0 customers –These products will end of life on Dec. 31, 2009. Customers must upgrade to Antigen 9.0 SP2 for Exchange before this date, as the product will no longer continue to receive anti-malware updates starting Jan. 1, 2010. With the retirement of the CA, Sophos, and AhnLab engines on Dec. 1, customers running Antigen for Exchange 8.0 or Antigen SMTP Gateways 8.0 will only be protected by the Norman engine. For customers who need to continue using this product between Dec. 1, 2009 and the end-of-life date of Dec. 31, 2009, please contact Forefront Contract Administration for access to the revised engine set.

For more information on upgrading your Antigen for Exchange 8.0 or Antigen for SMTP Gateways 8.0 to Antigen 9.0, see the following KB article:

http://support.microsoft.com/kb/932396/

Antispam Protection

One of the most important changes in our engine revision strategy is moving to the Cloudmark antispam engine*, which provides 99%+ detection rate and less than 1 in 250,000 false positives (West Coast Labs).

The Mail-Filters SpamCure antispam engine will be retired on Dec. 1, 2009. Customers using Antigen products for antispam protection must upgrade to the latest service pack releases listed below BEFORE DEC. 1, 2009 to maintain their antispam defenses.  This is the only way to gain access to the new Cloudmark engine.  The service packs can be accessed on the Microsoft MVLS and VLSC sites:

– Antigen for Exchange Server with Antigen Spam Manager 9.0 with SP2

– Antigen for SMTP Gateways with Antigen Spam Manager 9.0 with SP2

For more information on the engine revision strategy, see the Antimalware Engine Notifications and Developments Web page or contact Forefront Contract Administration .  Again, we strongly urge all customers to update to the newest service packs before Dec. 1, 2009 to get the full protection benefits of the Forefront and Antigen server products. 

*Please note:  Customers using Forefront Security for Exchange Server will get access to the Cloudmark engine in the next version release – Forefront Protection 2010 for Exchange Server – scheduled to be available in Q4 CY09.

 

Source: Microsoft ForeFront Server Blog – Action Required by Dec. 1, 2009: Keep your Protection Current!