Friday, 3 April 2009

The Big Stuff: Exchange, ISA, Sharepoint, Terminal Server

It so happens that last year we had a bit of a change of scenery at our school. Our faithful volunteer Linux sysadmin, who happens to be the system architect of a well known software development platform, decided to bow out because all his kids have gone through school. This set the scene for us to complete our transition to the Evil Empire and become an all-Microsoft site. But alas, our quest for World Domination was thwarted last month when someone bought a Mac :)

Anyway, we decided that the Next Big Thing at our school was to get a new server with the four aforementioned applications on it; at least, that was the plan at the time. Subsequent experience has proved that:

  • ISA 2006 can only run on 32 bit Windows Server 2003, while Exchange 2007 requires 64 bit Windows
  • Sharepoint and Exchange Outlook Web Access conflict with each other
  • And of course, as we already know from early testing, trying to get PHP installed on a DC is troublesome. This is not strictly relevant but it is an indication of just how many web applications can conflict with each other and how difficult it is to try to nail down the cause.

These two situations have forced a rethink and the need for an additional server to run the ISA firewall. While this could be virtualised, I don’t think Hyper-V is mature enough yet, and I prefer a hardware server to run the firewall as it is easier to configure than virtual networking interfaces. So the old Linux mailserver will be pressed back into action as the firewall box. But this will mean a delay in getting that firewall up and running until after the mail has been transferred over to the Exchange server.

Sharepoint is a new technology in our site and the extent of its utilisation is unclear. I am setting it up on one of our DCs for the time being and if things develop we will look at options. The DC installation caused its own little drama when the config wizard failed at step 5 with “An exception of type System.Runtime.InteropServices.COMException was thrown. Additional exception information: Class not registered”. To resolve it, permissions need to be modified on the C drive according to this blog post:

  • On C:\
        • Local Service account: Read & Execute, List Folder Contents, Read
        • Network Service account: Modify, Read & Execute, List Folder Contents, Read, Write
        • WSS_Admin_WPG account: Full Control
  • On C:\Windows\Temp:
        • Network Service account: Full Control
        • WSS_Admin_WPG account: Full Control
        • WSS_WPG account: Read & Execute, List Folder Contents, Read

In our case the second lot of settings were already in place, especially as some are inherited. It was a relief to find that blog after a lot of searching because, as he says, Microsoft doesn’t seem to be able to help solve the problem. For me it is another example, like the PHP problem and the Vista mandatory profile problem, of how frustrating permissions issues can get on a server. Phew! That one fixed the problem and now Sharepoint is on its third server, and finally one where I can leave it for a while without all the hassles that the other servers have caused us.
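A read-only check of the permissions listed above, so you can see which entries are already present (or inherited) and only add the ones that are actually missing. This is an added example, not taken from the blog post referred to or from Microsoft; the function name `Test-ExpectedAce`, matching accounts by the name after the backslash, and mapping the listed permission sets to `ReadAndExecute`, `Modify` and `FullControl` are assumptions.

```powershell
# Added example: read-only audit of the ACL entries listed in the post.
# Account and group names come from the post. Matching on the part after
# the backslash is an assumption, so the WSS_* groups are found whether
# they are local (SERVER\WSS_WPG) or, on a DC, domain groups.
$expected = @(
    @{ Path = 'C:\';             Identity = 'LOCAL SERVICE';   Rights = 'ReadAndExecute' },
    @{ Path = 'C:\';             Identity = 'NETWORK SERVICE'; Rights = 'Modify' },
    @{ Path = 'C:\';             Identity = 'WSS_Admin_WPG';   Rights = 'FullControl' },
    @{ Path = 'C:\Windows\Temp'; Identity = 'NETWORK SERVICE'; Rights = 'FullControl' },
    @{ Path = 'C:\Windows\Temp'; Identity = 'WSS_Admin_WPG';   Rights = 'FullControl' },
    @{ Path = 'C:\Windows\Temp'; Identity = 'WSS_WPG';         Rights = 'ReadAndExecute' }
)

function Test-ExpectedAce {
    param([string]$Path, [string]$Identity, [string]$Rights)

    $want      = [int][System.Security.AccessControl.FileSystemRights]$Rights
    $granted   = 0
    $inherited = $false

    # Combine every Allow entry for this identity. Deny entries are not
    # evaluated, and entries stored as generic rights are not expanded.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -like "*\$Identity") {
            $granted = $granted -bor [int]$ace.FileSystemRights
            if ($ace.IsInherited) { $inherited = $true }
        }
    }

    New-Object PSObject -Property @{
        Path      = $Path
        Identity  = $Identity
        Wanted    = $Rights
        Present   = (($granted -band $want) -eq $want)
        Inherited = $inherited
    }
}

# Run in an elevated PowerShell session on the server itself.
$expected |
    ForEach-Object { $row = $_; Test-ExpectedAce @row } |
    Select-Object Path, Identity, Wanted, Present, Inherited |
    Format-Table -AutoSize
```

Rows where `Present` is `False` are the only entries that still need to be granted; nothing in the script changes an ACL.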

Once I had got the Sharepoint installation off GW01 I then had some extra work to get OWA going, as it should work right out of the box with a Client Access role installed in ES2007SP1. I found this article on the MSKB telling me that I should reinstall ISA and the Client Access Role of Exchange. Well, being of course of a mind not to go through the hassle of reinstalling Exchange again (which I have already had to do once), I decided just to skip to Step 4 and recreate the virtual directories in the EMS. These commands had to be run on the Exchange box rather than my desktop. Then I went to IIS and started the default web site. Once this got running, OWA worked. At last :)

The next bit is to get Terminal Services Gateway Server, at least, tested to see if there is a problem running it on the same box as Exchange. I don’t think this will be such a problem as Sharepoint, which practically takes over IIS. It’s no real wonder then that there was that problem, but also it’s disappointing that there is no documentation from MS for it. Not everyone can afford to fork out $$$ for a new box and licenses to run every little thing on its own server. So hopefully it will work, and then we get the professionals in to set up the HTTPS side of things (OWA, TSGS) as well as what is needed to get the SMTP server running. But it won’t be switched over until I’ve got everyone’s Exchange accounts set up, and then I have to transfer all their mail over before we turn the old server off. That’s another term away…

UPDATE: I put in the link to the MSKB article that tells you how to recreate the virtual directories using the Exchange Management Shell. On the page, this is Step 4 of the section that is specifically for Exchange 2007. One of the reasons why I want Sharepoint on another server is that Microsoft doesn’t make it at all easy to manage your disk space if you have multiple disks; they simply do not provide any setup options at all that allow you to choose where Sharepoint stores its stuff (like the database) and I don’t want it on a limited C drive partition where it can fill up and interfere with the basic server operations.