Friday, November 25, 2011

Calls cannot be established to UM for external users

I have faced a problem when integrating Lync with Exchange 2010 UM, where calls could not be established to UM for external users. Whenever I call the subscriber access from the Internet, I get the following error:
"call failed due to network issues. try logging out of lync logging back in, or try again later"
After reviewing the logs, I found the following entry in the Event Viewer on the Lync front-end server:

Event ID: 1400 Source: MSExchange Unified Messaging

The following UM IP gateways did not respond as expected to a SIP OPTIONS request.

Transport = TLS, Address = lyncfe.domain.com, Port = 5061, Response Code = 0, Message = This operation has timed out.

Solution:
Issue a certificate dedicated to UM, where the subject name is the FQDN of the UM server.
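
A check for the fix above, as an added example that is not part of the original post: run in the Exchange Management Shell on the UM server, it lists the certificates bound to the UM service and flags any whose subject CN is not the server's FQDN. Taking the FQDN from local DNS resolution and the extra self-signed and expiry checks are assumptions of this example.

```powershell
# Added example: audit the certificate assigned to the UM service.
# Assumption: the UM server's FQDN is what local DNS returns for this host.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Certificates currently enabled for the UM service on this server
$umCerts = @(Get-ExchangeCertificate -Server $env:COMPUTERNAME |
    Where-Object { $_.Services -match 'UM' })

if ($umCerts.Count -eq 0) {
    Write-Warning "No certificate is assigned to the UM service on $fqdn."
}

foreach ($cert in $umCerts) {
    # Pull the CN out of a subject such as "CN=um01.domain.com, O=Example"
    $cn = ''
    if ($cert.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

    $problems = @()
    if ($cn -ne $fqdn) {
        # -ne is case-insensitive for strings, which is what host names need
        $problems += "subject CN '$cn' is not the server FQDN '$fqdn'"
    }
    if ($cert.IsSelfSigned) {
        # The Lync front end accepts it only if it explicitly trusts this cert
        $problems += 'certificate is self-signed'
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $problems += "certificate expired on $($cert.NotAfter)"
    }
    if ($problems.Count -eq 0) { $problems = @('none') }

    # One result row per UM certificate
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Services   = $cert.Services
        NotAfter   = $cert.NotAfter
        Problems   = ($problems -join '; ')
    } | Select-Object Thumbprint, Subject, Services, NotAfter, Problems
}
```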


Sunday, November 13, 2011

Exchange 2010 - A server-side database availability group administrative operation failed. Error: Windows Failover Clustering timed out while trying to validate server 'exchange03'. If this is in a disjoint DNS namespace, the DNS suffixes for all servers in the database availability group must be present on every server.

I was adding a mailbox server to a DAG. The mailbox server was in another site than the original DAG members, and the wizard failed with the error "A server-side database availability group administrative operation failed. Error: Windows Failover Clustering timed out while trying to validate server 'exchange03'. If this is in a disjoint DNS namespace, the DNS suffixes for all servers in the database availability group must be present on every server."

After googling a bit, I found this very useful post (http://www.exchangemaster.net/index.php?option=com_content&task=view&id=143&Itemid=1&lang=en). Thank you Dejan, you really saved my day.

The issue was that there was an ISA server separating the two sites; the solution was to turn off the option called "Enforce Strict RPC Compliance" in ISA Server.

SOLUTION

Turn off the Enforce Strict RPC compliance option in ISA Server.

This option can be found in 2 places:

1) On the firewall rule properties.

2) In the ISA System Policy. This policy is applied to new rules when you create them.

1) To disable the Enforce Strict RPC Compliance option on the firewall rule, right-click the firewall rule and select Configure RPC Protocol.

Clear the Enforce Strict RPC compliance option.

2) To disable this option in ISA Server System Policy, select Edit System Policy from the task pane on the right, select Authentication Services, Active Directory. Clear the Enforce Strict RPC compliance option.

Credit goes to: http://www.exchangemaster.net/

Update

I also found that one of the reasons for this error is if you have multiple AD sites and the computer for the DAG has not replicated to the site where you are adding the mailbox server to the DAG.

Wednesday, October 26, 2011

Exchange 2010 - EMC "RBAC authorization returns Access Denied"

I was doing an upgrade from Exchange 2003 to Exchange 2010, and after I installed the first CAS server and opened the EMC, an error appeared saying that I have no permissions, while I was logged in with the setup account and it was a member of the Organization Management group.

And I found this in the Application log:
"(Process w3wp.exe, PID 6716) "RBAC authorization returns Access Denied for user Udomain.Local/Users/AccountName. Reason: No role assignments associated with the specified user were found on Domain Controller XXXXX""

After a lot of searching, I was pulling my remaining hair out :) I found this post (http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/fc568cc6-8691-4127-b70b-bcc82f9b1f7f?prof=required)

The issue was with 2 things:
  1. The "Allow inheritable permissions" check box was not enabled on the Microsoft Exchange Organization container inside the Configuration partition.
  2. The value of the msExchRoleLink and msExchUserLink attributes on CN=Role Management-Organization Management-Delegating,CN=Role Assignments,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=… should be "CN=Role Management,CN=Roles,CN=RBAC,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=…", but in my case the msExchUserLink attribute had a value of CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=Domain,DC=Local

Solution:
  1. Check the "Allow inheritable permissions" check box.
  2. Make sure the value of msExchUserLink is the same as msExchRoleLink.