Category Archives: 13959

Windows Server 2008 R2 and Windows 7 SP1 Releases to Manufacturing Today

The Microsoft Windows Server Team announced today that Service Pack 1 for Windows Server 2008 R2 and Windows 7 was released to manufacturing (RTM) today.  Along with numerous bug fixes and security improvements, SP1 offers two significant new features: Dynamic Memory and RemoteFX.

Dynamic Memory pools all the memory available on a physical host and then dynamically distributes available memory, as it is needed, to virtual machines running on that host.  With Dynamic Memory Balancing, virtual machines will be able to receive new memory allocations, based on changes in workload, without a service interruption.  This is particularly useful in VDI implementations.

RemoteFX lets you virtualize the Graphical Processing Unit (GPU) on the server side and deliver  rich media and 3D user experiences for VDI clients.

Service Pack1 for Windows Server 2008 R2 and Windows 7 will be available to current customers of the Windows Volume Licensing program, as well as MSDN and TechNet subscribers on February 16, 2011.  On February 22, both will be available to all customers through Windows Update and will also come preinstalled on new servers ordered.

Replacing a Federation Trust Certificate When the Original Certificate is Missing

Exchange 2010 federation allows organizations to share calendar free/busy information (also known as calendar availability) and contact information with external recipients, vendors, partners, and customers.  This is accomplished by creating a trust with Microsoft’s Federation Gateway.  This cloud-based service offered by Microsoft acts as the trust broker between your on-premises Exchange 2010 organization and other federated Exchange 2010 organizations.  For more information about Exchange federation, see Understanding Federation.

To configure federation you install an Exchange certificate, enable the certificate for Federation, and create a federation trust with Microsoft Federation Gateway.  Eventually you will need to replace this certificate, either for business reasons or when the certificate expires.  The usual way of doing this is to install a new Exchange certificate and configure it as the “Next Certificate” in the Manage Federation Certificate wizard, as shown below.

When you’re ready to replace the current federation certificate you simply run the Manage Federation wizard, select the “Roll certificate to make the next certificate as the current certificate” check box, and complete the wizard.  What was the Next Certificate becomes the Current Certificate, and the Current Certificate becomes the Previous Certificate.

I ran into an interesting issue where the process above did not work.  The customer deleted the Current Certificate from the computer’s local certificate store, rather than roll the Next Certificate into the current certificate’s place.  This causes the Manage Federation wizard t break because it can’t locate the Current Certificate.  I was also unable to use the Set-FederationTrust cmdlet in EMS – it would give the same error:

[PS] C:\>Set-FederationTrust -Identity “Microsoft Federation Gateway” -PublishFederationCertificate
Federation certificate with the thumbprint “29FD8FFF241A4317ABAAF326226BC209F682C2F3” cannot be found.
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], FederationCertificateInvalidException
    + FullyQualifiedErrorId : 906B427C,Microsoft.Exchange.Management.SystemConfigurationTasks.SetFederationTrust

To fix this, you’ll need to do it using ADSIEdit.

  • Log into a computer with administrator rights and run ADSIEdit.msc
  • Connect to the Configuration naming context
  • Navigate to CN=Federation Trusts,CN=OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
  • Right-click CN=Microsoft Federation Gateway in the work pane and select Properties
  • Edit the msExchFedOrgNextCertificate property (which contains the thumbprint of the Next Certificate) and copy the entire value.  Close the msExchFedOrgNextCertificate property.
  • Edit the msExchFedOrgPrivCertificate property (which contains the thumbprint of the Current Certificate, which was removed) and paste the value.  Click OK to set the value.
  • Wait for the change to replicate throughout your AD infrastructure.
  • From the Exchange Management Console, run the Manage Federation Wizard.  You will now notice that the Current Certificate and the Next Certificate are the same.
  • Check Roll certificate to make the next certificate as the current certificate and complete the wizard.

Don’t forget to test your configuration with the Test-Federation cmdlet.

How to Integrate Lync Server 2010 with Exchange 2010 SP1 OWA

Lync Server 2010 can be integrated with Exchange 2010 SP1, so that Exchange Outlook Web App can also act as a Lync web client.  Once integrated, users will automatically log into Lync when they log into OWA.  The OWA interface changes to include the following new features:

  • Sign In and Sign Out – Users can sign in or sign out of instant messaging from OWA.  Once signed in, the user will automatically sign into IM every time they sign into OWA.
  • Presence – User presence information is available for Lync users, showing a colored chicklet indicating their availability.
  • Contact List – The user’s Lync IM contact list is made available in the OWA folder pane.  Users can be added and removed, and contact groups can be managed directly from OWA.
  • Instant Messaging – Lync users can chat with other Lync users using instant messaging directly from OWA.
  • Right-Click Functionality – Right-click menus and actions are updated to include new Lync features.  For example, right-click an email address to chat with the user or add them to an IM contact list.

All of these new OWA features can be seen in the screenshot below:

An instant messaging chat session can be started from OWA by double-clicking a contact in the Contact List or right-clicking an email address and choosing Chat.

This article explains how to configure Lync Server 2010 RC integration with Exchange 2010 SP1.  I will assume that you have functional Lync Server 2010 RC and Exchange Server 2010 SP1 servers already set up.  Let’s get started.
Download and install the Microsoft Office Communications Server 2007 R2 Web Service Provider from on your Client Access Server.  This MSI package contains the installation programs to the local hard drive.  Normally it will put them in C:\Web Service Provider Installer Package, but I’ve also seen it install to a different drive.  Make note of the location it uses during installation.
The package will install the following files:
Next, download and save the OCS 2007 R2 Web Service Provider Hotfix KB 981256 from to the same C:\Web Service Provider Installer Package folder.
Download and save the Unified Communications Managed API 2.0 Redist (64 Bit) Hotfix KB 2400399 from to the same C:\Web Service Provider Installer Package folder.
If your CAS server is running Exchange 2010 SP1 on Windows Server 2008 R2, you need to download and save the UcmaRedist.msp patch in Microsoft Office Communications Server 2007 R2 Hotfix KB 968802 from  The tricky part here is that the file name (UcmaRedist.msp) is the same as the Communications Managed API 2.0 Redist (64 Bit) Hotfix KB 2400399 you just downloaded.  Just rename this file name to something like UcmaRedist-R2.msp.
Now install the following files as Adminstrator in this order:
  1. vcredit_x64.exe
  2. UcmaRedist.msi
  3. UcmaRedist.msp
  4. UcmaRedist-R2.msp, if your CAS is running on Windows Server 2008 R2
  5. CWAOWASSP.msi
  6. CWAOWASSP.msp
  7. dotnetfx35setup.exe, if the .NET Framework 3.5 is not installed on Windows Server 2008.  For Windows Server 2008 R2, install the .NET Framework 3.5.1 feature from Server Manager.
Note that the MSI and MSP packages have a limited GUI during setup and don’t indicate that they’ve installed successfully.
Next we need to configure the Exchange 2010 SP1 Client Access Server for Lync Server integration.  Run the following two commands from the Exchange Management Shell on the CAS:

$cert = (Get-ExchangeCertificate |  Where {$_.Services -ilike “*IIS*}).Thumbprint

Get-OWAVirtualDirectory | Set-OWAVirtualDirectory -InstantMessagingType OCS -InstantMessagingEnabled:$true -InstantMessagingCertificateThumbprint $cert -InstantMessagingServerName

Be sure to change the InstantMessagingServerName value in the command above to the FQDN of your Lync Server pool.

Now we need to configure the Lync 2010 RC server.  Use the Lync Server Topology Builder to add a new Trusted Application Pool, as follows:
  • Open the existing topology.
  • Expand your Lync Server 2010 (RC) > your sitename.
  • Right-click Trusted application servers and select New Trusted Application Pool.
  • Enter your CAS server or CAS array’s FQDN in the Pool FQDN field, select Single Computer Pool and click Next.
  • Select the Front End Pool for the Trusted Application Pool.
  • Click Finish.
  • Right-click the new Trusted Application Server and select Edit Properties.
  • Clear the checkbox for Enable replication of configuration data to this pool and click OK.
  • Publish the new topology.
The final step is to create a new CsTrustedApplication using the Lync Server Management Shell on the Lync 2010 RC server.  Run the following command from the management shell:

New-CsTrustedApplication -ApplicationID ExchangeOutlookWebApp -TrustedApplicationPoolFqdn -Port 9999


Be sure to change the TrustedApplicationPoolFqdn value in the command above to the FQDN of your CAS server or CAS array.

Now login to Outlook Web App and enjoy the new Lync Server goodness!

Fix for Event ID 2937 MSExchange ADAccess in Exchange 2010 SP1

I have noticed the following event on Exchange 2010 servers after upgrading Exchange 2010 RTM to Exchange 2010 Service Pack 1:

Log Name:      Application

Source:        MSExchange ADAccess
Date:          9/26/2010 9:12:29 AM
Event ID:      2937
Task Category: Validation
Level:         Warning
Keywords:      Classic
User:          N/A
Process w3wp.exe () (PID=1960). Object [CN=Jeff Guillet,CN=Users,DC=companyabc,DC=com]. Property [HomeMTA] is set to value [ Objects/Microsoft MTA
DEL:0a05fe00-f8ce-4016-bba8-dce98cfe6b93], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.

The process in the event varies, but I’ve seen:

  • EdgeTransport.exe
  • ExSetupUI.exe (when installing Exchange)
  • Microsoft.Exchange.RpcClientAccess.Service.exe
  • Microsoft.Exchange.ServiceHost.exe
  • MSExchangeMailboxAssistants.exe (when moving a mailbox)
  • powershell.exe (when a user launches the Exchange 2010 management tools)
  • w3wp.exe (when the user accesses OWA)

The event in the example above is most commonly seen, and is caused when the user’s homeMTA attribute is pointing to a deleted object in AD.  To fix this for a specific user, run the following command from the Exchange Management Shell (EMS) on the server:

Get-Mailbox jeff | Update-Recipient

Or for all user mailboxes use:

Get-Mailbox | Update-Recipient

To correct the arbitration mailboxes use:

Get-Mailbox -Arbitration | Update-Recipient

These commands will update the user’s homeMTA value to the correct value.

I’ve also seen this warning for the Edge Transport routing group property, as shown below.

Log Name:      Application
Source:        MSExchange ADAccess
Date:          7/12/2010 8:52:23 AM
Event ID:      2937
Task Category: Validation
Level:         Warning
Keywords:      Classic
User:          N/A
Process edgetransport.exe () (PID=3500). Object [Exchange Routing Group (DWBGZMFD01QNBJR)]. Property [RoutingMasterDN] is set to value [mailgate
DEL:b2bbdba9-71e4-46ff-a50b-fbea9a6c4534], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible

To correct this error:

  • Open ADSIEdit and navigate to CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=companyabc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=companyabc,DC=com.
  • Right-click the Edge Transport server and copy the distinguishedName value.
  • Navigate to CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=companyabc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=companyabc,DC=com and open its properties
  • Paste the copied DN value to the msExchangeRoutingMasterDN attribute

Dynamic Memory and RemoteFX in Windows Server 2008 R2 SP1

When I was at TechEd in New Orleans I got a chance to talk with Vijay Tewari, Principal Program Manager for the Microsoft Virtualization Team, about Dynamic Memory in the upcoming Service Pack 1 for Windows Server 2008 R2. 

In case you’re not familiar with Dynamic Memory, this allows you to specify a minimum and maximum amount of RAM that a Hyper-V guest can use.  The VM will start with the minimum amount of RAM you sepcify and the host server will automatically reallocate additional RAM to the VM as needed, up to the maximum amount you have specified.  Dynamic Memory will also automatically reduce the RAM allocated when it is no longer needed.  Pretty sweet!  This provides higher density of VMs on a Hyper-V host since memory can be oversubscribed.  Keep in mind, though, that memory oversubscription can have a big performance impact if Hyper-V is forced to page RAM out to the pagefile.  Still, this has big advantages especially for VDI deployments.

The other “big thing” in Windows Server 2008 R2 SP1 is RemoteFX.  This technology came ito being when Microsoft purchased Calista Technologies in 2008.  RemoteFX allows the VMs on a Hyper-V host to access the host’s Graphics Processor Unit (GPU) for superior video output in the guest. This allows remote workers to enjoy the same rich user experience over a network as with a locally executing desktop.  Remote clients only need to support the color depth required to view the output, so you can provide advanced GPU capabilities to all your remote clients using a single GPU on the Hyper-V host.

RemoteFX is a feature that you enable on the Hyper-V host, not the VMs.  Once the RemoteFX feature has been installed a new option to enable the RemoteFX is available within the settings of the guest VM.  This means that even though you’ve enabled RemoteFX on the host, resources are only allocated for the guests you choose.

RemoteFX will require a new RDP client that supports the new capabilities, which should be available in the same release timeframe.  RemoteFX will also work with Remote Desktop Gateway deployments.  Microsoft recommends 200MB of graphics RAM per VM that uses RemoteFX.

The public beta for Windows Server 2008 R2 SP1 is expected to be released by the end of July 2010.  The same service pack is used for both Windows Server 2008 R2 and Windows 7, simplifying deployment.