Apache 2 Brainbench Certification

This is my newest cert.

SSH Public Key Authentication

Putty and Pageant
see also http://docs.google.com/Doc?id=dfxjbxcc_12hc8k38

-----------------------------------------------------------------------------------
On the SSH Server
Verify that the following settings are defined in /etc/ssh/sshd_config

#Protocol 2,1
Protocol 2
#AddressFamily any
ListenAddress 192.168.0.10 # substitute correct IP here

HostKey /etc/ssh/ssh_host_rsa_key # the server's own host private key (one per key type); this is not a user id_* key

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3

RSAAuthentication no # SSH-1 RSA authentication only; obsolete, and removed along with SSH-1 in OpenSSH 7.4
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

MaxStartups 5

# no default banner path
Banner /etc/ssh/banner

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
--------------------------------------------------------------------------------
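A small checker for the list above, added here as an example rather than taken from the original notes or from OpenSSH itself. It reads an sshd_config file offline and reports any directive whose effective value differs from what you ask for. The point it makes is one that is easy to miss when editing by hand: sshd uses the first value it reads for a keyword, so a hardening line appended below an earlier "PermitRootLogin yes" changes nothing. On the host itself, "sshd -T" prints the effective configuration and is the authoritative check; this script is for reviewing a file you cannot run sshd against. The sample config in the usage is constructed.

```sh
#!/bin/sh
# check_sshd_config: review an sshd_config file for expected settings, offline.
# sshd uses the FIRST value it reads for each keyword; this check mirrors that
# rule. Everything after the first Match block is conditional and is ignored.
#
# Usage: check_sshd_config /etc/ssh/sshd_config Keyword=value ...
# Prints one "FAIL ..." line per mismatch and returns the number of failures.

# Print the first global value of keyword $2 in file $1 (case-insensitive).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        { k = tolower($1) }
        k == "match" { in_match = 1; next }         # conditional section starts
        in_match { next }
        k == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")         # strip the keyword
            sub(/[ \t]+#.*$/, "")                   # strip a trailing comment
            sub(/[ \t]+$/, "")
            print
            exit                                    # first value wins
        }
    ' "$1"
}

check_sshd_config() {
    file=$1
    shift
    fails=0
    for pair in "$@"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', effective '${got:-<unset>}'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Example run against the settings this page asks for. On a current OpenSSH
# drop Protocol (SSH-1 support is gone) and add PasswordAuthentication=no
# once key login works:
# check_sshd_config /etc/ssh/sshd_config Protocol=2 PermitRootLogin=no \
#     PubkeyAuthentication=yes MaxAuthTries=3
```

The checker deliberately stops at the first Match block: values inside it apply only to the matching users or addresses, so they cannot be reported as the global setting.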

/etc/ssh/ssh_config is the client-side configuration. On the machine you connect from, verify that nothing in it (or in ~/.ssh/config) disables public key authentication, i.e. you should not see

PubkeyAuthentication no

anywhere in either file.

--------------------------------------------------------------------------------

On Windows - Use puttygen to generate an SSH-2 key and save the public and private keys. These notes originally used a 1024-bit DSA key; OpenSSH 7.0 and later refuse ssh-dss keys by default, so on a current server generate an RSA (2048-bit or larger) or Ed25519 key instead.

You must then copy the public key directly from the "Public key for pasting into OpenSSH authorized_keys file" box in the puttygen window and paste it into the file ~/.ssh/authorized_keys on the remote Linux box. The key must stay on a single line: a wrapped line or extra white space inside the key makes sshd skip it, and all you see is a failed authentication. (puttygen's "Save public key" button writes the multi-line RFC 4716 format, which OpenSSH does not accept in authorized_keys.)

Then set the ownership and permissions sshd's StrictModes requires (neither the directory nor the file may be writable by anyone but the owner; 700/600 is the usual choice):

chown user:user ~/.ssh ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

On Unix

$ ssh-keygen -t dsa -b 1024 -f /home/localuser/.ssh/id_dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): leave blank
Enter same passphrase again: leave blank
Your identification has been saved in /home/localuser/.ssh/id_dsa.
Your public key has been saved in /home/localuser/.ssh/id_dsa.pub.
The key fingerprint is:
2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 localuser@localhost

(On a current OpenSSH use -t ed25519, or -t rsa -b 3072; ssh-dss keys are refused by default since OpenSSH 7.0. Leaving the passphrase blank is only appropriate for a key used by an unattended job, and such a key should be restricted on the server as shown in the rsync section below.)

Note that the client looks for identities in the files named by IdentityFile in /etc/ssh/ssh_config or ~/.ssh/config:

# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa

so you can add a per-host entry such as ~/.ssh/servername_dsa, or pass the file directly with ssh -i.

Now we have a key in the two files mentioned above. Make sure that no other unauthorized user can read the private key file (the one without the '.pub' extension). Chmod 600 on the id_dsa file.

This key will not work until we put the public portion (id_dsa.pub) into the 'authorized_keys' file on remotehost, specifically the one for remoteuser:

/home/remoteuser/.ssh/authorized_keys

chmod 600 on authorized_keys

Use scp to copy the public key to the remotehost:

$ scp /home/localuser/.ssh/id_dsa.pub remoteuser@remotehost:/home/remoteuser/

SSH to the remotehost:

$ ssh remoteuser@remotehost

Make sure the necessary directory and files exist to authorize connections with this key (700 on .ssh and 600 on authorized_keys; with StrictModes, sshd ignores the file if the directory or the file is writable by anyone but the owner):

$ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 700 .ssh ; fi
$ mv id_dsa.pub .ssh/
$ cd .ssh/
$ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 600 authorized_keys ; fi
$ cat id_dsa.pub >> authorized_keys
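The steps above, for both the puttygen and the ssh-keygen case, as one script. This is an added example, not code from the original notes or from OpenSSH: it installs a public key file into a user's authorized_keys and refuses the two mistakes the notes warn about (a key wrapped onto several lines, or key material broken by white space), because sshd skips such a line without saying why. The key material is base64 of a length-prefixed type name, so for each key type the blob has a fixed prefix; comparing the declared type with that prefix is how the script tells a broken paste from a valid line. The sample keys in the usage are constructed and not real keys.

```sh
#!/bin/sh
# install_authorized_key: add an OpenSSH public key to ~/.ssh/authorized_keys
# the way sshd wants it: one key per line, directory 700, file 600,
# no duplicates. A key that fails here is one sshd would silently skip.
#
# Usage: install_authorized_key <pubkey-file> [home-dir]   (default: $HOME)

# Permission bits of a path as "rwx------" style text (portable across ls builds).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

install_authorized_key() {
    pubkey_file=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    akf="$sshdir/authorized_keys"

    # Exactly one line. A key that wrapped when pasted from PuTTYgen, or a
    # multi-line "Save public key" (RFC 4716) file, stops here.
    lines=$(grep -c '' "$pubkey_file" || true)
    if [ "$lines" -ne 1 ]; then
        echo "$pubkey_file: expected exactly one line, found $lines" >&2
        return 1
    fi
    key=$(head -n 1 "$pubkey_file" | tr -d '\r')
    type=${key%% *}
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')

    # The blob starts with base64(length, type-name), so each type has a
    # fixed prefix; a blob that was split by white space no longer has it.
    case "$type" in
        ssh-ed25519)         want_prefix=AAAAC3NzaC1lZDI1NTE5 ;;
        ssh-rsa)             want_prefix=AAAAB3NzaC1yc2E ;;
        ecdsa-sha2-nistp256) want_prefix=AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY ;;
        ecdsa-sha2-nistp384) want_prefix=AAAAE2VjZHNhLXNoYTItbmlzdHAzODQ ;;
        ecdsa-sha2-nistp521) want_prefix=AAAAE2VjZHNhLXNoYTItbmlzdHA1MjE ;;
        ssh-dss)             want_prefix=AAAAB3NzaC1kc3M
                             echo "warning: ssh-dss is refused by default since OpenSSH 7.0" >&2 ;;
        *) echo "$pubkey_file: unsupported key type '$type'" >&2; return 1 ;;
    esac
    case "$blob" in
        "$want_prefix"*) ;;
        *) echo "$pubkey_file: key material does not match type $type (wrapped paste?)" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        echo "$pubkey_file: key material is not a single base64 token" >&2
        return 1
    fi

    # Create with owner-only permissions from the start, then pin them.
    old_umask=$(umask)
    umask 077
    mkdir -p "$sshdir"
    touch "$akf"
    umask "$old_umask"
    chmod 700 "$sshdir"
    chmod 600 "$akf"

    # Idempotent: match on the key material, not on the comment field.
    if grep -Fq -- "$blob" "$akf"; then
        echo "key already present in $akf"
    else
        printf '%s\n' "$key" >> "$akf"
        echo "key added to $akf"
    fi
}
```

Run it as the target user on the server (install_authorized_key /tmp/id_ed25519.pub) after copying the .pub file over, instead of the mv/cat sequence above; running it twice with the same key leaves a single line in the file.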



DenyHosts

Install DenyHosts from the Sourceforge rpm download or tar.gz, i.e.:

rpm -Uvh Deny*.rpm

Copy /usr/share/denyhosts/denyhosts.cfg-dist to /usr/share/denyhosts/denyhosts.cfg and edit the options in denyhosts.cfg (admin email etc.). DenyHosts works by reading sshd's failed logins from the log file named by SECURE_LOG in that file, so it must match where the SyslogFacility chosen in sshd_config above actually lands (/var/log/secure for AUTHPRIV on Red Hat systems).

Add denyhosts to init.d for automatic startup and shutdown: copy daemon-control-dist (shipped in /usr/share/denyhosts) to /etc/init.d/name-of-your-choice, then

chkconfig --levels 345 name-of-your-choice on

To start the daemon, which will monitor the log, notify, and update /etc/hosts.deny:

service name-of-your-choice start

RSYNC Setup and RSYNC with SSH Setup

RSYNC no SSH

/etc/rsyncd.conf looks like the following:

use chroot = yes
hosts allow = 10.0.0.1

[mysql]
path = /apps/data/mysql
uid = mysql
gid = mysql
read only = false
comment = MySQL backup

(make sure 'hosts allow' is set to the secondary network interface of the opposite system). Note that the plain rsync daemon protocol is neither authenticated nor encrypted here; 'hosts allow' is an address check only, so this setup belongs on a private link between the two systems, not on a shared network.

If you invoke the following command on the primary system,

/usr/bin/rsync -auv --delete /apps/data/mysql/ 10.0.0.2::mysql/

you should see a copy of all the mysql files on the secondary in /apps/data/mysql. If not, then your rsync installation isn't correct yet.

RSYNC WITH SSH requirements:
  • rsync
  • openssh
  • cron (or vixie-cron)

Make sure that remoteuser has read permission on /remote/dir/ on remotehost, and that localuser has write permission on /local/dir/ on localhost. Also, 'rsync' and 'ssh' should be in the local user's path (use "which ssh" and "which rsync"), 'rsync' should also be in remoteuser's path, and 'sshd' should be running on remotehost.

Test rsync with ssh with:

$ rsync -avz -e ssh remoteuser@remotehost:/remote/dir /local/dir/

Generate a private/public pair of keys to allow an 'ssh' connection without asking for a password. This may sound insecure, and it is, but it is better than storing a user password (or key passphrase) as clear text in the script. Furthermore, I can put some limitations on what connections made with this key may do. Anyway, I generate the key I will use on localhost as localuser with:

$ ssh-keygen -t dsa -b 1024 -f /home/localuser/cron/localhost-rsync-key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): leave blank
Enter same passphrase again: leave blank
Your identification has been saved in /home/localuser/cron/localhost-rsync-key.
Your public key has been saved in /home/localuser/cron/localhost-rsync-key.pub.
The key fingerprint is:
2e:28:d9:ec:85:21:e7:ff:73:df:2e:07:78:f0:d0:a0 localuser@localhost

(As above, on a current OpenSSH use -t ed25519 or -t rsa -b 3072 instead of dsa.)

Now we have a key in the two files mentioned above. Make sure that no other unauthorized user can read the private key file (the one without the '.pub' extension). Chmod 600 on the localhost-rsync-key file.

This key will not work until we put the public portion (localhost-rsync-key.pub) into the 'authorized_keys' file on remotehost, specifically the one for remoteuser:

/home/remoteuser/.ssh/authorized_keys

chmod 600 on authorized_keys

Use scp to copy the file to the remotehost:

$ scp /home/localuser/cron/localhost-rsync-key.pub remoteuser@remotehost:/home/remoteuser/

SSH to the remotehost:

$ ssh remoteuser@remotehost

Make sure the necessary directory and files exist to authorize connections with this key:

$ if [ ! -d .ssh ]; then mkdir .ssh ; chmod 700 .ssh ; fi
$ mv localhost-rsync-key.pub .ssh/
$ cd .ssh/
$ if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 600 authorized_keys ; fi
$ cat localhost-rsync-key.pub >> authorized_keys

Now the key can be used to make connections to remotehost, but these connections can be from anywhere (that the ssh daemon on remotehost allows connections from) and they can do anything (that remoteuser can do). To provide better security edit the 'authorized_keys' file (with vi) and modify the line with the 'localhost-rsync-key.pub' information on it. Just add a few things in front of what is already there, changing the line from this:

ssh-dss AAAAB3NzaC1kc3MAAAEBAKYJenaYvMG3nHwWxKwlWLjHb77CT2hXwmC8Ap............................

to this:

from="10.1.1.1",command="/home/remoteuser/cron/validate-rsync",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-dss AAAAB..............................

where "10.1.1.1" is the IP address of localhost, and "/home/remoteuser/cron/validate-rsync" is a script similar to:

#!/bin/sh
# Forced command for the rsync key: only an rsync server invocation is
# allowed, and anything carrying shell metacharacters is refused.
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
    echo "Rejected"
    ;;
*\(*)
    echo "Rejected"
    ;;
*\{*)
    echo "Rejected"
    ;;
*\;*)
    echo "Rejected"
    ;;
*\<*)
    echo "Rejected"
    ;;
*\`*)
    echo "Rejected"
    ;;
rsync\ --server*)
    $SSH_ORIGINAL_COMMAND
    ;;
*)
    echo "Rejected"
    ;;
esac

The no-pty, no-port-forwarding, no-agent-forwarding and no-X11-forwarding options were not in the original line; they stop the key from being used for a shell, a tunnel or agent access even if the forced command is somehow bypassed. Also note what the script does not do: any "rsync --server" command is allowed, so the key can read (and, when the server side is not --sender, write) any path remoteuser can reach; nothing pins it to /remote/dir. Recent rsync releases ship rrsync (support/rrsync in the source tree), a restricted wrapper that confines a key to one directory and is the better choice where available.

Make certain that the 'validate-rsync' script is executable by remoteuser on remotehost and test it. Now that the key is in place and configured, test it out before putting it in a cron job. Exit from the ssh session to remotehost and try:

$ rsync -avz -e "ssh -i /home/localuser/cron/localhost-rsync-key" remoteuser@remotehost:/remote/dir /local/dir/

Finally, create a cron script like:

#!/bin/sh
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
KEY=/home/localuser/cron/localhost-rsync-key
RUSER=remoteuser
RHOST=remotehost
RPATH=/remote/dir
LPATH=/local/dir/
$RSYNC -az -e "$SSH -i $KEY" $RUSER@$RHOST:$RPATH $LPATH

Then save the script as something like "rsync-remotehost-bak". Use 'crontab -e' to insert a line for this new cron job that will run at 2AM every day:

0 2 * * * /home/localuser/cron/rsync-remotehost-bak
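The validate-rsync decision written as a function so it can be exercised with sample command strings before the key goes into production. This is an added example, not the script from the original notes or anything from the rsync project, and /remote/dir as the allowed root is the page's own example path. It goes one step beyond the script above: besides rejecting metacharacters and anything that is not "rsync --server", it requires the directory rsync is told to serve (the last argument rsync sends over ssh) to lie under a fixed root, which closes the gap where the key could be used to pull or push any path remoteuser can reach. The command strings in the usage are constructed to look like what rsync sends for a pull (--sender) and a push.

```sh
#!/bin/sh
# validate_rsync: decide whether an SSH_ORIGINAL_COMMAND may run, as the
# command="..." target of a restricted authorized_keys entry would.
# Usage: validate_rsync "<SSH_ORIGINAL_COMMAND>" <allowed-root>
# Returns 0 if the command may run, 1 if it must be rejected.

validate_rsync() {
    cmd=$1
    root=$2

    # 1. Shell metacharacters anywhere: reject. The list above plus '|', '>' and '$'.
    case "$cmd" in
        *\&*|*\(*|*\{*|*\;*|*\<*|*\>*|*\`*|*\|*|*\$*) return 1 ;;
    esac

    # 2. Only rsync in server mode. An interactive shell, scp, sftp or
    #    'rsync --daemon' never gets past this line.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # 3. The directory rsync will read (--sender) or write is its last
    #    argument. Require an absolute path under $root with no '..'
    #    component, so the key cannot reach anything else remoteuser can.
    set -f                      # no globbing while the command is split into words
    path=
    for arg in $cmd; do path=$arg; done
    set +f
    case "$path" in
        "$root"|"$root"/*) ;;
        *) return 1 ;;
    esac
    case "/$path/" in
        */../*) return 1 ;;
    esac
    return 0
}

# As the command="..." target (e.g. /home/remoteuser/cron/validate-rsync):
#
#   if validate_rsync "$SSH_ORIGINAL_COMMAND" /remote/dir; then
#       exec $SSH_ORIGINAL_COMMAND
#   else
#       echo "Rejected" >&2
#       exit 1
#   fi
```

The path check is deliberately textual: rsync sends the path as a plain argument, so there is nothing to canonicalise before deciding, and refusing any ".." component is simpler and safer than trying to resolve it.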

IPTABLES SETTINGS to Allow Tivoli

Either accept the Tivoli ports from anywhere:

# Tivoli Ports to accept from any
iptables -A INPUT -p tcp -m tcp --dport 9494:9495 -j ACCEPT

or, better, limit them to the Tivoli server with a dedicated chain (the chain has to exist before the INPUT rules can jump to it):

# Tivoli Ports limited by TIVOLI chain
iptables -N TIVOLI
iptables -A INPUT -p tcp -m tcp --dport 9494:9495 -j TIVOLI
iptables -A INPUT -p tcp -m tcp --sport 9494:9495 -j TIVOLI

iptables -A TIVOLI -s src-tiv-IP -j ACCEPT
iptables -A TIVOLI -j REJECT --reject-with icmp-port-unreachable

Substitute the address of the Tivoli server for src-tiv-IP. Two things in the original rules were dropped on purpose. An unconditional ACCEPT on --sport 9494:9495 lets any traffic in, because a client chooses its own source port and can simply pick 9494; if the source-port rule is there to admit replies to connections the endpoint opens to the gateway, keep it inside the TIVOLI chain as above so it is still limited to the server's address, or replace it with a state match (-m state --state ESTABLISHED,RELATED -j ACCEPT). And "-A TIVOLI -d dst-tiv-IP -j ACCEPT" accepts from any source as long as the packet is addressed to the local host, which undoes the source restriction the chain exists for.

Netbackup Tips

Stopping Netbackup

  • /etc/init.d/netbackup stop --> graceful shutdown
  • /usr/openv/netbackup/bin/bpps -a --> check for any remaining processes
  • /usr/openv/netbackup/bin/goodies/bp.kill_all ---> kills all remaining netbackup processes, not necessarily graceful
  • /usr/openv/netbackup/bin/bpps -a --> check for any remaining processes
  • kill -9 <pid> for any remaining. NOTE: unkillable processes may require a reboot

Starting Netbackup

  • /etc/init.d/netbackup start --> after bp.kill_all, to restart

Common Tasks

Starting the Administration GUI

  • java from the windows client
  • java from the server - /usr/openv/java/jnbSA &

Checking Backup Status

  • Activity Monitor or
  • /usr/openv/netbackup/bin/admincmd/bpdbjobs -report

Cleaning a tape manually

  • Identify the drive name to be cleaned
    • tpclean -L
  • Manually clean the drive:
    • tpclean -C <drive name>

Determining what tapes were used for a backup

  • GUI
    • Backup and Restore --> Find the file system --> Preview Media Button
  • CLI
    • Find the correct backup images
      • bpimagelist -U -client <CLIENT> -d <STARTDATE> -e <ENDDATE>
    • Find the media used for those images
      • bpimagelist -U -client <CLIENT> -d <STARTDATE> -e <ENDDATE> -media

Listing the files in a backup

bpflist --help --> undocumented netbackup command to list files from a binary .f file



Inventory the Robot

  • Inventory Robot --> /opt/openv/volmgr/bin/vmcheckxxx -rt tld -rn <robot_number> -list
  • Inventory Robot and Update Configuration --> /opt/openv/volmgr/bin/vmupdate -rt tld -rn <robot_number> -list

Listing Properties of the Volume Pools

  • vmpool -listall

Scratch Tapes

  • Count scratch tapes: /usr/openv/volmgr/bin/vmquery -pn Scratch | grep -c "robot slot"
  • Moving tapes to the scratch pool
    • If Needed - Expire the tape
      • bpexpdate -ev <TAPE ID> -d 0 -force -host <Media Manager>
    • Move the tape
      • vmchange -p 2 -m <TAPE ID>

Checking Drive Usage

  • /usr/openv/volmgr/bin/vmoprcmd -d

Taking a drive down or up

  • /usr/openv/volmgr/bin/vmoprcmd -down <drive index>
  • /usr/openv/volmgr/bin/vmoprcmd -up <drive index>


Performing a Restore

  • From the GUI
    • user backup & restore --> configuration --> client
    • user backup & restore --> configuration --> client to restore
    • directory to search
    • directory depth
    • date range
    • file --> browse backups for restore

Adding New Tapes to the Library

  • Using the GUI
    • Media Management --> Actions --> New --> Single Volume . . -->
    • Media Type (ie DLT)
    • Robot Type (ie TLD)
    • Media ID (from Inventory)
    • Slot Number (from Inventory)
    • Robot Number (ie 0)
    • Volume Group
    • Volume Pool (ie Scratch)
  • Using the CLI
    • vmadd -m <media id> -mt <tape type> -verbose -rt tld -b <barcode> -rn <robot number> -rc1 <slot> -p <pool number> -mm <max mounts>
      • vmpool -listall --> lists all pools, both name and number
    • For example: vmadd -m Q100L1 -mt hcart -verbose -rt tld -b ECQ100L1 -rn 0 -rc1 8 -p 2 -mm 0

Re-using Tapes from other systems or older Netbackups

  • Expire the media
    • bpexpdate -ev MEDIA_ID -d 0 -force -host HOST
  • Deassign the media
    • vmquery -deassignbyid MEDIA_ID 4 0
  • Move to the scratch pool
    • vmchange -m MEDIA_ID -p POOL#
  • Relabel the media
    • bplabel -ev EVA019 -d 8mm -p Scratch

Changing the attributes of media

  • Changing the barcode
    • vmchange -barcode CYM100D -m CYM100
  • Changing the Volume Pool
    • vmchange -m MEDIA_ID -p POOL#


To expire media

  • bpexpdate -ev <media id> -d 0 -force -host <media server>

To unfreeze media

  • List the frozen media
    • /usr/openv/netbackup/bin/goodies/available_media | grep -i FROZEN
  • Unfreeze the media
    • bpmedia -unfreeze -ev <media id> -h <media server>

To relabel a tape

  • bplabel -ev <media id> -d <tape density> -p <pool name>
  • bplabel -ev 000687 -d hcart -p TriVrgt_OFFSITE

To remove media from the Netbackup database

  • Verify that there are no images on the tape
    • bpimmedia -mediaid 000687 -L
  • Expire the tape
    • bpexpdate -ev 000687 -d 0 -host scorpius -force
  • Get the status and pool number of the tape
    • vmquery -m 000687
  • Deassign the tape
    • vmquery -deassignbyid <media id> <pool number> <status code from vmquery -m>
    • vmquery -deassignbyid 000687 4 0x0
  • Delete the tape
    • vmdelete -m 000687


Installing the Netbackup Client

  • /usr/openv/netbackup/bin/update_clients -ForceInstall -ClientList /tmp/clients.lst
    • requires that TMPDIR and TEMPDIR be set correctly

Excluding files from backup on a client

  • Create /usr/openv/netbackup/exclude_list
  • Put the file specifications of the files/directories to be excluded
    • /mnt/directory/*

Displaying Information about a Tape

  • vmquery -m <media id> --> Displays attributes about a particular tape
  • bpmedialist -U -mcontents -ev 000687 --> Displays media contents
  • bpmedialist -U -mlist --> List of all media
  • bpmedialist -U -mlist -ev CYM966 --> Listing of a particular media id
  • bpimmedia -mediaid 000687 -L --> Listing of images on a tape

Robtest Commands

  • Starting robtest
    • robtest
    • 1 --> to select TLD 0
  • Getting help
    • ?
  • Looking at contents of the tape drives
    • s d
  • Looking at the contents of the library
    • s s
  • Moving a tape from a drive to a library slot
    • s d --> to identify drive number that has tape (Contains Cartridge = yes, Barcode=XXXXXX)
    • s s --> to identify an empty slot in the tape library (Netbackup will need to be re-inventoried)
    • m d# s# --> move from drive # to slot #
    • s d --> verify the tape drive is empty
    • s s --> verify the library slot has the tape

Configuration Files

/usr/openv/netbackup/bp.conf

  • configuration file, sets backup server and backup clients
  • force statement must be correct
  • client to browse from
  • client to restore to

/usr/openv/volmgr/vmconf

Logfiles

To utilize logfiles, create the corresponding directory in /usr/openv/netbackup/logs

Server Logfile directories:

  • admin - administrative commands
  • bpbrm - backup and restore manager
  • bpcd - client daemon
  • bpdbjobs - database manager program process
  • bpdm - disk manager process
  • bpjava-msvc - Java application server authentication service
  • bpjava-usvc - process that services Java requests
  • bprd - request daemon process
  • bpsched - scheduler process that runs on master servers
  • bptm - tape/optical media management process
  • user-ops - required directory for use by Java programs
  • xbpadm - X based administration utility
  • xbpmon - X based job monitor process

Client Logfile directories:

  • bp - client user interface process
  • bparchive - archive program
  • bpbackup - backup program
  • bpbkar - program that generates backup images
  • bpcd - client daemon
  • bpjava-msvc - Java application server authentication service
  • bpjava-usvc - process that services Java requests
  • bplist - program that lists backed up and archived files
  • bpmount - program that determines local mountpoints and wildcard expansion for multiple streams
  • bphdb - Oracle database backup program start process
  • db_log - database specific extension log
  • tar - tar process log during restores
  • user_ops

Media Manager logging automatically goes to the system log via the syslogd logging facility.

Logging will only occur if these directories are created. These directories will generate a lot of data and should be deleted when no longer necessary.

To increase the amount of logging information set VERBOSE=2 in /usr/openv/netbackup/bp.conf (default is VERBOSE=1)

Processes

ltid
acsd
vmd

Useful Commands

bpcllist - list classes
bpclinfo <class> -L --> displays info about a class
vmpool - volume pools
vmpool -listall
vmpool -listscratch
bplabel -ev <media id> -d hcart
bpbackupdb --> backs up the catalog
bpclclients <policy> --> lists the clients for a particular policy (class)

Troubleshooting

bperror -statuscode <status code> <-- displays information about the netbackup error.

No Backups are running:

  • Check system log file for error messages
  • Stop and restart all the netbackup processes
  • Look for a downed drive
    • /usr/openv/volmgr/bin/vmoprcmd -d
    • /usr/openv/volmgr/bin/vmoprcmd -up 0 --> this will bring up drive 0 if its control shows as down
  • Look for pending requests
    • /usr/openv/volmgr/bin/vmoprcmd –d or gui --> device management
    • If there is a pending request either re-assign it to a drive, or deny the request

Downed drive does not come back up or does not stay up

  • Check for a hardware problem by looking for messages on the tape library
  • Make sure there is not a tape stuck in the drive
    • Use robtest (described above) to look at the drives
      • If there is a tape stuck in the drive, try to remove it using robtest
      • If robtest fails, then you must manually remove it.

Verify the Client is communicating properly:

  • bpclntcmd -ip <ip address> --> from both client and server
  • bpclntcmd -hn <hostname> --> from both client and server
  • bpclntcmd -pn --> from client only

Device Actions

Device Management --> info about tape drives

  • 8mm
  • hcart (LTO)


Netbackup Client

To check things out do this:

It could be a couple of things. Mostly DNS, bp.conf, or something stupid. On the client run these commands:

/usr/openv/netbackup/bin/bpclntcmd -pn

/usr/openv/netbackup/bin/bpclntcmd -server "server name"

/usr/openv/netbackup/bin/bpclntcmd -ip "ip_address"

One of these usually fails and you're able to fix it right off. A typical session:

./bpclntcmd -hn corpbu1
./bpclntcmd -ip 10.194.1.129
ping 10.194.1.129
./bpclntcmd -hn corpldv1
./bpclntcmd -hn corpbu1.corporate.vox.net
ping corpldv1
./bpclntcmd -ip 10.194.1.120

Names must resolve correctly (-hn forward, -ip reverse) from both the master server and the client or it will not work!!!

Netapp Putty and RemoteShare

pavsan01 Filer view:

pavsan01> vol options evs08_vmp3
nosnap=on, nosnapdir=off, minra=off, no_atime_update=on, nvfail=off,
ignore_inconsistent=off, snapmirrored=off, create_ucode=on, convert_ucode=on,
maxdirsize=167690, schedsnapname=ordinal, fs_size_fixed=off, guarantee=volume,
svo_enable=off, svo_checksum=off, svo_allow_rman=off, svo_reject_errors=off,
no_i2p=off, fractional_reserve=100, extent=off, try_first=volume_grow
pavsan01> vol options evs_cluster2_vol1 no_atime_update on

remote share

C:\Documents and Settings\msxgdt>rmtshare \\pavsan01

Share name            Resource                              Remark
----------------------------------------------------------------------
IPC$                                                        Remote IPC
ETC$                  C:\etc                                Remote Administration
HOME                  C:\vol\vol0\home                      Default Share
C$                    C:\                                   Remote Administration
vol0$                 C:\vol\vol0                           Remote Administration
vol0bu$               C:\vol\vol0                           Backup Administrative Share
evs01_log_vol1$       C:\vol\evs01_log_vol1                 MS Exchange Logs
evs02_log_vol1$       C:\vol\evs02_log_vol1                 MS Exchange Logs
evs01_log_qtree1$     C:\vol\evs01_log_vol1\evs01_...       MS Exchange Logs
paveasp1_ea_vol1$     C:\vol\paveasp1_ea_vol1               MS EMail Archive
paveasp1_ea_qtree1$   C:\vol\paveasp1_ea_vol1\pave...       MS EMail Archive
pavmvs01$             C:\vol\pavmvs01                       pavMVS01 Test LUN
pavmvs01_disk$        C:\vol\pavmvs01\pavmvs01_disk         pavMVS01 Test LUN
pavmvs01_qtree$       C:\vol\pavmvs01\pavmvs01_qtree        pavMVS01 Test LUN
evs03_log_vol1$       C:\vol\evs03_log_vol1                 MS Exchange Logs
evs02_log_qtree1$     C:\vol\evs02_log_vol1\evs02_...       MS Exchange Logs
evs03_log_qtree1$     C:\vol\evs03_log_vol1\evs03_...       MS Exchange Logs
evs01_db_vol1$        C:\vol\evs01_db_vol1                  MS Exchange Storage Group 1
evs01_db_qtree1$      C:\vol\evs01_db_vol1\evs01_d...       MS Exchange Storage Group 1
evs03_db_vol1$        C:\vol\evs03_db_vol1                  MS Exchange Storage Group 3
evs03_db_qtree1$      C:\vol\evs03_db_vol1\evs03_d...       MS Exchange Storage Group 3
evs06_vmp$            C:\vol\evs06_vmp3                     Exchange EVS06 Transaction Log ...
evs08_vmp$            C:\vol\evs08_vmp3                     Exchange EVS08 Transaction Log ...
evs07_vmp$            C:\vol\evs07_vmp3                     Exchange EVS07 Transaction Log ...

The command completed successfully.

C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs06_vmp$

Share name      \\pavsan01\evs06_vmp$
Path            C:\vol\evs06_vmp3
Remark          Exchange EVS06 Transaction Log Volume
Maximum users   No limit
Users           0
Permissions:
    Everyone : FULL CONTROL

The command completed successfully.

C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs06_vmp$ /d

The command completed successfully.

C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs06_vmp3$=C:\vol\evs06_vmp3 /remark:"Exchange EVS06 Transaction Log Volume"

The command completed successfully.

C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs07_vmp$ /d

The command completed successfully.

C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs08_vmp$ /d

The command completed successfully.

C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs07_vmp3$=C:\vol\evs07_vmp3 /remark:"Exchange EVS07 Transaction Log Volume"

The command completed successfully.

C:\Documents and Settings\msxgdt>rmtshare \\pavsan01\evs08_vmp3$=C:\vol\evs08_vmp3 /remark:"Exchange EVS08 Transaction Log Volume"

The command completed successfully.

C:\Documents and Settings\msxgdt>

Note the share permissions rmtshare reported on the old share: Everyone : FULL CONTROL. Recreating the shares as above reproduces that default, so the only thing protecting the Exchange transaction logs over CIFS is the file-level ACL on the volume. rmtshare takes /grant user:perm (perm READ, CHANGE or FULL) on the same command line as the share definition; grant the Exchange administrators' group and the backup account explicitly rather than leaving Everyone with full control on a hidden ($) share.

############################################################

Trend Scanmail 7.0 Install for Clusters

1. Steps

Log into the cluster node that owns the Quorum to install Scanmail

1. From Cluster admin stop the System attendant on each virtual server – the install will “see” all nodes for any node that is part of the cluster

2. Stop the IIS Admin Service on all servers!

3. Run setup.exe and click Yes to the warning prompt

a. Select Next

b. Select Install/Upgrade

c. Select Accept

d. SMEX 7.0

i. SM-6AHJ-PBPXG-JQEX9-XKHGF-8FD8T-N3F4D

e. Type in the Server names instead of browsing i.e. PAVMSGPP06, PAVMSGPP07, PAVMSGPP08, PAVMSGPP09, PAVEVS06, PAVEVS07, and PAVEVS08

f. Use Pvalentino\msxgdt and change the default installation location to E:\Trend Micro\SMEX and leave the share as C$

g. Leave the default of enable SMTP scanning

h. Leave the default IIS selected

i. Change web server information to

i. Virtual Web Site – and the Port will go to 8080

j. Leave it selected on

i. Specify an Existing Active Directory account

k. Use msxgdt for the web console admin account (don’t use domain)

l. Uncheck use proxy server to connect to Internet. (Server is already behind a firewall)

m. Select “No, I don’t want to participate”

n. Leave the defaults check.

o. Verify the all active, passive and virtual servers are listed and checked as available to install, if not services must still be running on individual nodes or the IP and network names resource are not running for the virtual servers

p. Scanmail will then install – watch progress and use details button

4. Move to Trend CM Installation

Trend CM Installation - (This must be done on each individual node)

1. Copy the Public Key – E2EPublic.dat from

\\PAVnas05\srvapps\media\Server\Trendmicro\Scanmail\v70\Smex\SMEXUpdate\Public Folder Key

to E:\Trend Micro\SMEX\Public Folder Key

2. Run setup under \\PAVnas05\srvapps\media\server\trendmicro\scanmail\v70\smex\smexupdate\CMAgent_1057

3. Each step is a screen.

a. Select Next

b. Enter trendcm

c. Leave defaults

d. Click Import and select the location of the public folder key, E:\Trend Micro\SMEX\Public Folder Key\keyfilename

4. The TrendCM Agent will install

5. Move to the next server in the cluster (active nodes can be done live without affecting Exchange)

6. Move to the Patch4 install

Patch4 Install for cluster

This install is done only on a passive node, take offline and move all resources hosted on server to another node before installing the patch

1. Stop Exchange System Attendant from cluster admin

2. Pause Node

3. exit cluster admin

4. stop iis admin

5. stop cluster service

6. Run the patch4 update from:

a. \\PAVnas05\srvapps\media\Server\Trendmicro\Scanmail\v70\Smex\Patch 4 cluster

b. The file will cluster at the end

7. Watch the patch4 install progress bar for any errors

8. IIS Admin Service will restart on its own

9. Resume the Node in cluadmin

10. Cluster service will restart on its own

11. Bring all resources online and move to correct servers.

We will re-create the EVS SMEX Resource: see the screen capture below as reference.

Points to look at from the capture:

1. When creating the EVS SMEX Resource, choose the root drive letter F: or G: as one of the dependencies. Also add the Exchange IS and Network Name as dependencies.

2. Then for the Scanmail data path, specify only <evsXX_smtp_vmp>\SMEX and uncheck "Affect the group" on the Advanced tab of the resource properties

On the IIS:

1. For the SMEX Website, make sure the report-<EVSName> virtual directory is pointing to the correct SMEX path (<evs06_smtp_vmp>\SMEX\data\report).

2. Make sure all the nodes have the correct path.

3. Restart the IIS and Scanmail services and delete the SMEX folder from the root drive F: or G:

4. When the SMEX Master Service has started, make sure that in F:\<evs06_smtp_vmp>\SMEX\data you have a pairing of

Conf.mdb and Conf.ldb

Log.mdb and Log.ldb

After reboot:

1. Verify 3 Scanmail services are running

2. Unpause the node from cluadmin

3. failover a Exchange virtual server to the node

4. Log into the Scanmail Management Console from a workstation – NOT THE SERVER (web based – use msxgdt) by going to http://PAVevs08:8080/smex. Note that this is plain HTTP on port 8080: the msxgdt credentials cross the network unencrypted, so reach the console only from the management network, never from an untrusted segment.

5. Verify engine and dat files are up to date, if not run update

6. Verify realtime scan window is showing mail flow

Start the process again from the patch4 point for each node in the cluster as it becomes the passive node

Exchange 2003 Cluster Installation

1. Configure operating System

    1. Make sure the OS is configured properly and all necessary OS patches are installed.

    2. Perform Windows Update for Critical updates only (IE7 deselected 2/15/07).

    3. Boot.ini: add /3GB /userva=3030 to the end of the line

        1. In Windows Explorer, navigate to the system partition. This is the partition that holds hardware specific Windows files such as Boot.ini and NTLDR.

        2. If you cannot see the Boot.ini file, it could be because the folder options are set to hide protected operating system files. If this is the case, in the Explorer window, click Tools, Folder Options, and then click View. Clear the Hide protected operating system files (Recommended) check box. When prompted, click Yes.

        3. Right click the Boot.ini file, select Properties and deselect the Read Only checkbox.

        4. After the Boot.ini file is visible in Explorer, right-click the file, click Open With, and then click Notepad to open the file.

        5. Add the /3GB and /userva=3030 switches to the end of the line starting with "multi" under the [Operating Systems] section.

        6. Save the changes and close Notepad.

        7. Restart the computer for the change to take effect.

    4. Change the boot.ini timeout values for system startup: set one node to 10 seconds and all other nodes to 90 seconds (staggered so that one node is up and forming the cluster before the others boot).

        1. At the command prompt, type: bootcfg /timeout # where # specifies the time in seconds after which the default operating system will be loaded.

    5. If disks are not already partitioned as below go to Computer Management > Disk Management > and create partitions:

        1. C: 12GB - Under Properties verify it is named Boot

        2. D: 40.32GB - Under Properties verify it is named Exchange

        3. E: 16384MB or 16GB – Under Properties verify that it is named Pagefile, Trend, Temp

    6. Adjust the Pagefile by right clicking My Computer – selecting Properties > Advanced > Performance > Settings button – go to Advanced Tab > Virtual Memory > Change button and set C: 512 min 512 max; Pagefile on E: 4096 min 4096 max for 4GB

    7. Application Event log increased to 40MB or 40960KB by going to Computer Management > Event Viewer > right-click Application > select Properties and update the Maximum Log Size value.

    8. Set the Security and System Event Logs to a Maximum Log Size of 16384KB

    9. Install Windows 2003 SP1 Resource Kit and Support Tools

2. Install SnapDrive 4.1

Install Emulex storport driver 1.20a3 if required

  1. First check Start > Programs > Emulex – if it does not exist then install the driver below

  2. Run the distribution file netappstorportminiportkit_1.-20a3-1g.exe (2007.1.23.1139 or newer), then extract to C:\Program Files\Emulex.

  3. Run AutoPilot Installer at the conclusion of the distribution file extraction

  4. Select the correct version number as the driver to upgrade to

  5. Click Next and installation begins

  6. When complete, go to Device Manager – SCSI and RAID Controllers and check that the HBA is now at the correct version

Reboot if prompted

Install new FCP HAK 3.0

        1. Double-click the ntap_windows_fcp_3.0_setup_x86.exe file

        2. Click Next and accept all defaults

        3. Install directory should be C:\Program Files\NetApp\WAK

        4. Select the Complete installation method

        5. Select Install to begin installation

Install SnapDrive 4.1

  1. Double-click the snapdrive4.1.exe file

  2. Select all default options

SnapDrive 4.1 license keys:

Snap Drive    SDR-MPIO       VYZMIQINJVBTEE
Snap Drive    SDR-WIN LUN    JMOFBEWOJFHEYA
Snap Drive    SME2K3         EQZKPWA
User Account  msxpv

  1. If SnapDrive must be uninstalled for any reason ALWAYS use snapdrive4.1.exe to do so and select the option to remove the MPIO drivers when prompted.

  2. If you cannot see the initiators when trying to create a LUN do the following:

     a. Stop the SnapDrive service from services.msc (DO NOT USE Computer Management > Services)

     b. Remove or rename the old HBAAPI.dll (version 2.2.1.0) in the SnapDrive directory (by default, C:\Program Files\NetApp\SnapDrive), then start the SnapDrive service

Install SnapDrive 4.2.1

Install Data ONTAP DSM 3.0 for Windows

  1. Double-click ntap_win_mpio_3.0_setup_i386.exe

  2. Select Single Instance Image Mode (cfmode=single_image)

  3. Snap Drive license for the DSM: SDR-MPIO DZFUPANSZYHXCF

Install SnapDrive 4.2.1

  1. Double-click the snapdrive4.2.1 exe

  2. Select all default options

SnapDrive 4.2.1 license keys:

Snap Drive    SDR-WIN    VKCOHUMRBFAAAA
Snap Drive    SME2K3     HTFNBGOGJNDCMA
User Account  msxpv

  1. If you cannot see the initiators when trying to create a LUN do the following:

     a. Stop the SnapDrive service from services.msc (DO NOT USE Computer Management > Services)

     b. Remove or rename the old HBAAPI.dll (version 2.2.1.0) in the SnapDrive directory (by default, C:\Program Files\NetApp\SnapDrive), then start the SnapDrive service

3. Create the Cluster

See section 5 for LUN and drive letter details (PUT IN SCREEN SHOTS)

  1. Create the quorum LUN first on node 1 (pvmsgpp06) according to the table below

LUN                                                    Size
evs_cluster_vol1/evs_cluster_qtree1/evs_quorum.lun     500

  2. If you cannot see the initiators when trying to create a LUN see the end of section 2 above.

  3. Create the \\pvsanpp02\evs_cluster_qtree1\evs_quorum.lun LUN for the Quorum on node 1

  4. DO NOT PERFORM THESE STEPS ON SUBSEQUENT NODES

Setup Cluster Services

  a. Verify that the NICs have been assigned the appropriate IPs on all nodes

  b. NIC1: pvmsgpp02 = 132.189.91.102, pvmsgpp03 = 132.189.91.103, pvmsgpp04 = 132.189.91.104

GW = 32.189.91.254, SM = 255.255.255.0, DNS = 132.189.91.10 and 132.189.8.28

  c. Class C

  d. Heartbeat NIC: SM = 255.255.255.192, GW = (none)

pvMSGPP02 = 10.0.36.2

pvMSGPP03 = 10.0.36.3

pvMSGPP04 = 10.0.36.4

Cluster IP 132.189.91.121 SM = 255.255.255.0

MSDTC 132.189.91.122 SM = 255.255.255.0

EVS02 132.189.91.123

EVS03 132.189.91.124

  e. Rename the network connections Production Network Port (1) and Cluster Heartbeat Port (1)

  f. Right-click the Cluster Heartbeat Port connection, select Properties, select TCP/IP, click Properties, click Advanced, click the DNS tab.

Clear the checkbox “Register this connection’s address in DNS”

Click the WINS tab and select “Disable NetBIOS over TCP/IP”

  g. Open Network Connections; on the Advanced menu, click Advanced Settings.

On the “Adapters and Bindings” tab move the production network port to the top.

On the “Provider” tab move “Microsoft Windows Network” to the top.

  h. Run cluadmin on the first node, evs01

  i. Select File > Create new cluster (FIRST NODE ONLY)

Enter the IP address for the cluster

  j. Make sure Q: is the quorum

If there are any issues with the cluster, you can remove and clean up by removing the nodes, running cluster node pvmsgpp02 /forcecleanup from C:\, and starting over with the Create New Cluster option

  k. Verify that console:i:1 is added to the first line of the RDP connection shortcut via WordPad (required to see the QUORUM on nodes 2 and 3), or use mstsc /console

  l. Connect the Quorum drive on the subsequent nodes pvMSGPP03 and 04 in the cluster

  m. In SnapDrive right-click Disks and select Connect

  n. Enter the full path to the Quorum LUN: \\pvsanpp02\evs_cluster_vol1$\evs_cluster_qtree1\evs_quorum.lun

  o. Add subsequent nodes to the cluster: in cluadmin go to File > New > Node

Click Add, then select Advanced and choose Minimal configuration; continue selecting Next through all warnings and finish the wizard.

  p. After the node is added, do a Move Group and verify that Q: is available from Windows Explorer

  q. Move the group back to the passive node

  r. Perform steps k – r on the remaining nodes

  s. Open Cluster Administrator, right-click the cluster name (pvMSGC1), click Properties, click the Network Priority tab and move the cluster heartbeat port up. Click Properties on the cluster heartbeat port and select “Internal cluster communications only”
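The heartbeat-NIC settings above (no DNS registration, NetBIOS over TCP/IP disabled, 10.0.36.x/26 with no gateway) and the “Internal cluster communications only” role are easy to get wrong on one node and hard to spot afterwards. The following audit script is an added example and is not part of the original runbook or any NetApp or Microsoft tooling. It assumes the connection names, addresses and masks given in the table above, and uses the Win32_NetworkAdapter / Win32_NetworkAdapterConfiguration WMI classes and cluster.exe that ship with Windows Server 2003. Run it on each node and compare the output.

```powershell
# Added audit script (not from the original runbook): check this node's
# production and heartbeat NICs, and the heartbeat network's cluster role,
# against the settings prescribed in "Setup Cluster Services".
param(
    [string]$ProductionNic   = 'Production Network Port (1)',  # names from step e
    [string]$HeartbeatNic    = 'Cluster Heartbeat Port (1)',
    [string]$HeartbeatPrefix = '10.0.36.',                      # 10.0.36.2/.3/.4 per the table
    [string]$HeartbeatMask   = '255.255.255.192',
    [string[]]$ProductionDns = @('132.189.91.10', '132.189.8.28')
)

function Get-NicConfig([string]$ConnectionName) {
    # The friendly connection name lives on Win32_NetworkAdapter; the IP settings
    # live on Win32_NetworkAdapterConfiguration. Both share the Index property.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $adapter) { throw "No network connection named '$ConnectionName' on $env:COMPUTERNAME" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
}

function Test-HeartbeatNic {
    $cfg = Get-NicConfig $HeartbeatNic
    $findings = @()
    # Step f: DNS registration off, NetBIOS over TCP/IP disabled (TcpipNetbiosOptions 2 = disable).
    if ($cfg.FullDNSRegistrationEnabled) { $findings += "[$HeartbeatNic] DNS registration is still enabled" }
    if ($cfg.TcpipNetbiosOptions -ne 2)  { $findings += "[$HeartbeatNic] NetBIOS over TCP/IP not disabled (TcpipNetbiosOptions=$($cfg.TcpipNetbiosOptions))" }
    # Address table: 10.0.36.x, /26 mask, gateway left blank.
    if (-not ($cfg.IPAddress | Where-Object { $_ -like "$HeartbeatPrefix*" })) { $findings += "[$HeartbeatNic] no $HeartbeatPrefix* address bound" }
    if ($cfg.IPSubnet -notcontains $HeartbeatMask) { $findings += "[$HeartbeatNic] subnet mask $($cfg.IPSubnet -join ',') is not $HeartbeatMask" }
    if ($cfg.DefaultIPGateway) { $findings += "[$HeartbeatNic] default gateway $($cfg.DefaultIPGateway -join ',') configured on the heartbeat NIC" }
    return $findings
}

function Test-ProductionNic {
    $cfg = Get-NicConfig $ProductionNic
    $findings = @()
    if (-not $cfg.FullDNSRegistrationEnabled) { $findings += "[$ProductionNic] DNS registration is disabled" }
    if (-not $cfg.DefaultIPGateway)           { $findings += "[$ProductionNic] no default gateway configured" }
    foreach ($dns in $ProductionDns) {
        if ($cfg.DNSServerSearchOrder -notcontains $dns) { $findings += "[$ProductionNic] DNS server $dns missing from the search order" }
    }
    return $findings
}

function Test-ClusterNetworkRole {
    # Step s: the heartbeat network should be "Internal cluster communications only".
    # cluster.exe reports that as Role = 1 (2 = client access only, 3 = all communications).
    try {
        $out = & cluster.exe network "$HeartbeatNic" /prop Role 2>&1 | Out-String
    } catch {
        return @("[cluster] could not run cluster.exe: $_")
    }
    if ($out -match 'Role\s+(\d+)') {
        if ([int]$matches[1] -ne 1) { return @("[cluster] network role for '$HeartbeatNic' is $($matches[1]), expected 1 (internal only)") }
        return @()
    }
    return @("[cluster] could not read the network role: $($out.Trim())")
}

# @() around each call keeps an empty result from adding a $null entry.
$findings = @(Test-HeartbeatNic) + @(Test-ProductionNic) + @(Test-ClusterNetworkRole)
if ($findings.Count -eq 0) {
    "OK: ${env:COMPUTERNAME} matches the runbook network settings"
} else {
    $findings | ForEach-Object { "MISMATCH on ${env:COMPUTERNAME}: $_" }
}
```

Binding order (step g) is not covered because it is not exposed as a single WMI property; check it in the Advanced Settings dialog as the step describes.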

Create the MSDTC

  1. Create the MSDTC drive on pvMSGPP04 in the cluster

  2. In SnapDrive right-click Disks and select Create

  3. Enter the full path to the MSDTC LUN: \\pvsanpp02\evs_cluster_vol1$\evs_cluster_qtree1\evs_MSDTC.lun

  4. Click Next, select Shared (Microsoft Cluster Services Only)

  5. Select each server, add the initiators and click Next

  6. Create a new group for MSDTC and click Next

  7. Click Finish.

  8. Open Cluster Administrator and go to the MSDTC group.

  9. Add the IP Address, Network Name and DTC resources (click Add New Resource), then right-click each of the three resources and bring it online.

  10. Remove “Affect Group” from the DTC advanced properties.

4. Create the Volume Mount Point

Create the Volume Mount Point Root LUNs

  a. First create the VMP root LUNs according to the table below.

  b. In SnapDrive right-click Disks and select Create Disk

  c. Enter the virtual disk path: \\pvsanpp01\evs_cluster_vmp_roots$\evs_cluster_vmp_roots_qtree1

  d. Enter a LUN name: evs01_root_f.lun

  e. Select “No under snapshot”

  f. Size 32 MB

  g. Select Shared

  h. Create a Cluster Services group, VMP-Roots

  i. Finish the wizard

  j. Repeat steps a through i for the remaining root LUNs, based on the pv_exchange_NetApp_config.xls spreadsheet

Create the database LUNs

  a. In SnapDrive right-click Disks and select Create Disk

  b. Enter the virtual disk path: \\pvsanpp01\evs01_vmp1$\evs01_sg1_db1_qtree1

  c. Enter a LUN name: evs01_sg1_db1.lun

  d. Select “Yes under snapshot”

  e. Size 65700 MB

  f. Select Shared

  g. Select Use Volume Mount Point and enter a name, i.e. F:\evs01_sg1_db1_vmp in this example

  h. Finish the wizard

  i. Repeat steps a through h for the other database LUNs, changing the highlighted values. See the table below for the virtual disk paths and LUN names.

Database Virtual Disk Path                      Database LUN         Mount Point (65700 MB)

\\pvsanpp01\evs01_vmp1/evs01_sg1_db1_qtree1     evs01_sg1_db1.lun    F:\evs01_sg1_db1_vmp
\\pvsanpp01\evs01_vmp1/evs01_sg1_db2_qtree1     evs01_sg1_db2.lun    F:\evs01_sg1_db2_vmp
\\pvsanpp01\evs01_vmp1/evs01_sg1_db3_qtree1     evs01_sg1_db3.lun    F:\evs01_sg1_db3_vmp
\\pvsanpp01\evs01_vmp1/evs01_sg1_db4_qtree1     evs01_sg1_db4.lun    F:\evs01_sg1_db4_vmp
\\pvsanpp01\evs01_vmp1/evs01_sg2_db1_qtree1     evs01_sg2_db1.lun    F:\evs01_sg2_db1_vmp
\\pvsanpp01\evs01_vmp1/evs01_sg2_db2_qtree1     evs01_sg2_db2.lun    F:\evs01_sg2_db2_vmp
\\pvsanpp01\evs01_vmp1/evs01_sg2_db3_qtree1     evs01_sg2_db3.lun    F:\evs01_sg2_db3_vmp
\\pvsanpp01\evs01_vmp1/evs01_sg2_db4_qtree1     evs01_sg2_db4.lun    F:\evs01_sg2_db4_vmp
\\pvsanpp02\evs01_vmp2/evs01_sg3_db1_qtree1     evs01_sg3_db1.lun    F:\evs01_sg3_db1_vmp
\\pvsanpp02\evs01_vmp2/evs01_sg3_db2_qtree1     evs01_sg3_db2.lun    F:\evs01_sg3_db2_vmp
\\pvsanpp02\evs01_vmp2/evs01_sg3_db3_qtree1     evs01_sg3_db3.lun    F:\evs01_sg3_db3_vmp
\\pvsanpp02\evs01_vmp2/evs01_sg3_db4_qtree1     evs01_sg3_db4.lun    F:\evs01_sg3_db4_vmp
\\pvsanpp02\evs01_vmp2/evs01_sg4_db1_qtree1     evs01_sg4_db1.lun    F:\evs01_sg4_db1_vmp
\\pvsanpp02\evs01_vmp2/evs01_sg4_db2_qtree1     evs01_sg4_db2.lun    F:\evs01_sg4_db2_vmp
\\pvsanpp02\evs01_vmp2/evs01_sg4_db3_qtree1     evs01_sg4_db3.lun    F:\evs01_sg4_db3_vmp
\\pvsanpp02\evs01_vmp2/evs01_sg4_db4_qtree1     evs01_sg4_db4.lun    F:\evs01_sg4_db4_vmp
\\pvsanpp01\evs02_vmp1/evs02_sg1_db1_qtree1     evs02_sg1_db1.lun    G:\evs02_sg1_db1_vmp
\\pvsanpp01\evs02_vmp1/evs02_sg1_db2_qtree1     evs02_sg1_db2.lun    G:\evs02_sg1_db2_vmp
\\pvsanpp01\evs02_vmp1/evs02_sg1_db3_qtree1     evs02_sg1_db3.lun    G:\evs02_sg1_db3_vmp
\\pvsanpp01\evs02_vmp1/evs02_sg1_db4_qtree1     evs02_sg1_db4.lun    G:\evs02_sg1_db4_vmp
\\pvsanpp01\evs02_vmp1/evs02_sg2_db1_qtree1     evs02_sg2_db1.lun    G:\evs02_sg2_db1_vmp
\\pvsanpp01\evs02_vmp1/evs02_sg2_db2_qtree1     evs02_sg2_db2.lun    G:\evs02_sg2_db2_vmp
\\pvsanpp01\evs02_vmp1/evs02_sg2_db3_qtree1     evs02_sg2_db3.lun    G:\evs02_sg2_db3_vmp
\\pvsanpp01\evs02_vmp1/evs02_sg2_db4_qtree1     evs02_sg2_db4.lun    G:\evs02_sg2_db4_vmp
\\pvsanpp02\evs02_vmp2/evs02_sg3_db1_qtree1     evs02_sg3_db1.lun    G:\evs02_sg3_db1_vmp
\\pvsanpp02\evs02_vmp2/evs02_sg3_db2_qtree1     evs02_sg3_db2.lun    G:\evs02_sg3_db2_vmp
\\pvsanpp02\evs02_vmp2/evs02_sg3_db3_qtree1     evs02_sg3_db3.lun    G:\evs02_sg3_db3_vmp
\\pvsanpp02\evs02_vmp2/evs02_sg3_db4_qtree1     evs02_sg3_db4.lun    G:\evs02_sg3_db4_vmp
\\pvsanpp02\evs02_vmp2/evs02_sg4_db1_qtree1     evs02_sg4_db1.lun    G:\evs02_sg4_db1_vmp
\\pvsanpp02\evs02_vmp2/evs02_sg4_db2_qtree1     evs02_sg4_db2.lun    G:\evs02_sg4_db2_vmp
\\pvsanpp02\evs02_vmp2/evs02_sg4_db3_qtree1     evs02_sg4_db3.lun    G:\evs02_sg4_db3_vmp
\\pvsanpp02\evs02_vmp2/evs02_sg4_db4_qtree1     evs02_sg4_db4.lun    G:\evs02_sg4_db4_vmp

Create the Transaction Log LUNs

  a. In SnapDrive right-click Disks and select Create Disk

  b. Enter the virtual disk path:

  c. \\pvsanpp01\evs01_vmp3$\evs01_sg1_tl_qtree1

  d. Enter a LUN name: evs01_sg1_tl.lun

  e. Select “Yes under snapshot”

  f. Size 23760 MB

  g. Select Shared

  h. Select Use Volume Mount Point and enter a name, i.e. T:\evs01_sg1_tl_vmp in this example

  i. Finish the wizard

  j. Repeat steps a through i for the other transaction log LUNs, changing the highlighted values. See the table below for the virtual disk paths and LUN names.

Transaction Log Virtual Disk Path               Transaction Log LUN   Mount Point (23760 MB)

\\pvsanpp01\evs01_vmp3/evs01_sg1_tl_qtree1      evs01_sg1_tl.lun      F:\evs01_sg1_tl_vmp
\\pvsanpp01\evs01_vmp3/evs01_sg2_tl_qtree1      evs01_sg2_tl.lun      F:\evs01_sg2_tl_vmp
\\pvsanpp01\evs01_vmp3/evs01_sg3_tl_qtree1      evs01_sg3_tl.lun      F:\evs01_sg3_tl_vmp
\\pvsanpp01\evs01_vmp3/evs01_sg4_tl_qtree1      evs01_sg4_tl.lun      F:\evs01_sg4_tl_vmp
\\pvsanpp01\evs02_vmp3/evs02_sg1_tl_qtree1      evs02_sg1_tl.lun      G:\evs02_sg1_tl_vmp
\\pvsanpp01\evs02_vmp3/evs02_sg2_tl_qtree1      evs02_sg2_tl.lun      G:\evs02_sg2_tl_vmp
\\pvsanpp01\evs02_vmp3/evs02_sg3_tl_qtree1      evs02_sg3_tl.lun      G:\evs02_sg3_tl_vmp
\\pvsanpp01\evs02_vmp3/evs02_sg4_tl_qtree1      evs02_sg4_tl.lun      G:\evs02_sg4_tl_vmp

Create the SMTP LUNs

  a. In SnapDrive right-click Disks and select Create Disk

  b. Enter the virtual disk path:

  c. \\pvsanpp01\evs01_vmp3$\evs01_smtp_qtree1

  d. Enter a LUN name: evs01_smtp.lun

  e. Select “No under snapshot”

  f. Size 4096 MB

  g. Select Shared

  h. Select Use Volume Mount Point and enter a name, i.e. S:\evs01_smtp_vmp in this example

  i. Finish the wizard

  j. Repeat steps a through i for the other SMTP LUNs, changing the highlighted values. See the table below for the virtual disk paths and LUN names.

SMTP Virtual Disk Path                          SMTP LUN            Mount Point (4 GB)

\\pvsanpp01\evs01_vmp3/evs01_smtp_qtree1        evs01_smtp.lun      F:\evs01_smtp_vmp
\\pvsanpp01\evs02_vmp3/evs02_smtp_qtree1        evs02_smtp.lun      G:\evs02_smtp_vmp

Maintenance LUNs on SAN01 aggregate 1

LUN                                                                  Size

evs_cluster_mnt_vol2/evs_cluster_mnt_qtree1/evs_cluster_mnt1.lun     400000

5. Install Exchange Server 2003 on Each Node

Installing and Enabling Required Windows Services

Exchange Server 2003 Setup requires that the following components and services be installed and enabled on the server:

  1. .NET Framework

  2. ASP.NET - verify that this is set to Auto Start

  3. Internet Information Services (IIS)

  4. World Wide Web Publishing Service

  5. Simple Mail Transfer Protocol (SMTP) service

  6. Network News Transfer Protocol (NNTP) service

Install Exchange Server 2003 on all cluster nodes

  1. Make sure that the Cluster service is running on each node.

  2. Install and enable the required Windows services.

  3. Install Microsoft Distributed Transaction Coordinator (MSDTC).

  4. Run Exchange Server 2003 Enterprise Setup.

  5. Ignore error stating there is a compatibility issue with this version of windows.

  6. Create D:\Exchsrvr on all nodes

  7. Change the installation path to D:\Exchsrvr and choose Typical install on all nodes.

  8. Install SP2 on all nodes

  9. Run Windows Update on all nodes

Post-deployment steps – Tuning Parameters

  1. Set SystemPages to 0 (DWORD)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\SystemPages = 0

  2. Set HeapDeCommitFreeBlockThreshold to 262144 (decimal) (DWORD)

HKLM\System\CurrentControlSet\Control\Session Manager\HeapDeCommitFreeBlockThreshold = 262144 (decimal)

  3. Set Guid-Replid Caching to 0 (DWORD) for each private database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<server name>\<each private database>

  4. Set MinUserDC to the number of GCs minus the PDC emulator = 6 (in the current environment) (DWORD) (decimal)

HKLM\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default

  5. Set msExchESEParamLogBuffers to 9000 in ADSI Edit (adsiedit.msc):

     a. Start ADSI Edit.

     b. Double-click the Configuration container, expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=<ExchangeOrganizationName>.

     c. Expand CN=Administrative Groups, expand CN=<AdministrativeGroupName>, and then expand CN=Servers.

     d. Expand CN=<ServerName>, expand CN=InformationStore, right-click CN=<StorageGroupName>, and then click Properties.

     e. In the Attribute Editor, click the msExchESEParamLogBuffers attribute, and then click Edit.

     f. In the Edit Attribute box, set the value to 512 for Exchange 2000 Server or 9000 (for example, clear the value) for Exchange Server 2003.

     g. Click Apply, and then click OK.

     h. Close ADSI Edit and then restart the Microsoft Exchange Information Store service for the change to take effect.

  6. PagedPoolSize = DWORD value of FFFFFFFF

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

  7. DynamicMemory = add DWORD value of 1

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

  8. PoolUsageMaximum = add DWORD value of 40

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

  9. MsExchAgingKeepTime = value of 345600 (may not be needed; the default is 40 days)

Set at each database in ADSI Edit

  10. msExchMaxCachedViews = value of 20 (default is 11)

Set at each database in ADSI Edit

http://www.microsoft.com/technet/prodtechnol/exchange/Analyzer/2c732be4-eb00-4cde-8c90-f5f1427575eb.mspx?mfr=true

  11. SkipWildcardSearchInGC = value of 1

HKLM\Software\TrendMicro\ScanMail for Exchange\CurrentVersion

  12. QuerySender = value of 0

HKLM\Software\TrendMicro\ScanMail for Exchange\RealTimeScan

  13. ScanningThreads = twice the number of processors plus one

HKLM\System\CurrentControlSet\Services\MSExchangeIS\VirusScan

  14. MaxMessageCount = value of 500

HKLM\Software\TrendMicro\ScanMail for Exchange\CurrentVersion

  15. MaxScanningThreadCount = value of 25

HKLM\Software\TrendMicro\ScanMail for Exchange\RealTimeScan\ScanOption

  16. ScanningThreadPoolCount = value of 25

HKLM\Software\TrendMicro\ScanMail for Exchange\RealTimeScan\ScanOption

  17. TempFileThreshld = value of 102400 (or max message size)

HKLM\Software\TrendMicro\ScanMail for Exchange\RealTimeScan\ScanOption
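Registry tuning of this kind drifts between nodes of a cluster, and a node that fails over onto different kernel pool or scanner thread settings behaves differently from its peers. The script below is an added example, not part of the original runbook or of any vendor tool: it audits the registry-based values listed above on the local node and, with -Apply, writes the ones that are missing or wrong. The key paths are the runbook's, written for PowerShell's HKLM: drive; the per-database Guid-Replid entry is left out because the runbook does not give its value name, and the ADSI Edit attributes are outside the registry. ScanningThreads is computed from the processor count as the step prescribes.

```powershell
# Added audit/apply script (not from the original runbook) for the registry
# tuning parameters in "Post-deployment steps - Tuning Parameters".
param([switch]$Apply)

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$tm = 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange'
$procs = [int]$env:NUMBER_OF_PROCESSORS

# Key, value name and expected DWORD, in the runbook's order.
# PagedPoolSize is 0xFFFFFFFF; Get-ItemProperty returns DWORDs as Int32, so it
# reads back as -1 and every comparison below is done on the unsigned value.
$settings = @(
    @{ Key = $mm; Name = 'SystemPages';                  Value = 0 },
    @{ Key = $sm; Name = 'HeapDeCommitFreeBlockThreshold'; Value = 262144 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default'; Name = 'MinUserDC'; Value = 6 },
    @{ Key = $mm; Name = 'PagedPoolSize';                Value = 4294967295 },   # 0xFFFFFFFF
    @{ Key = $mm; Name = 'DynamicMemory';                Value = 1 },
    @{ Key = $mm; Name = 'PoolUsageMaximum';             Value = 40 },
    @{ Key = "$tm\CurrentVersion";          Name = 'SkipWildcardSearchInGC';  Value = 1 },
    @{ Key = "$tm\RealTimeScan";            Name = 'QuerySender';             Value = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'; Name = 'ScanningThreads'; Value = (2 * $procs + 1) },
    @{ Key = "$tm\CurrentVersion";          Name = 'MaxMessageCount';         Value = 500 },
    @{ Key = "$tm\RealTimeScan\ScanOption"; Name = 'MaxScanningThreadCount';  Value = 25 },
    @{ Key = "$tm\RealTimeScan\ScanOption"; Name = 'ScanningThreadPoolCount'; Value = 25 },
    @{ Key = "$tm\RealTimeScan\ScanOption"; Name = 'TempFileThreshld';        Value = 102400 }
)

function ConvertTo-UInt32($v) {
    # 4294967295 as an Int64 literal, because 0xFFFFFFFF parses as Int32 -1 in PowerShell.
    [uint32]($v -band 4294967295)
}

function Get-TuningValue($Setting) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Setting.Key -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.($Setting.Name)
}

function Test-TuningValues {
    foreach ($s in $settings) {
        $actual = Get-TuningValue $s
        if ($actual -eq $null) { $state = 'MISSING' }
        elseif ((ConvertTo-UInt32 $actual) -eq (ConvertTo-UInt32 $s.Value)) { $state = 'OK' }
        else { $state = 'DRIFT' }
        New-Object PSObject -Property @{
            State = $state; Name = $s.Name; Expected = $s.Value; Actual = $actual; Key = $s.Key
        }
    }
}

function Set-TuningValues {
    foreach ($r in (Test-TuningValues | Where-Object { $_.State -ne 'OK' })) {
        if (-not (Test-Path $r.Key)) { New-Item -Path $r.Key -Force | Out-Null }
        # Older PowerShell rejects DWORD values above Int32.MaxValue, so write the
        # same 32-bit pattern as a signed value (0xFFFFFFFF becomes -1).
        $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes((ConvertTo-UInt32 $r.Expected)), 0)
        Set-ItemProperty -Path $r.Key -Name $r.Name -Value $signed -Type DWord
    }
}

Test-TuningValues | Format-Table State, Name, Expected, Actual, Key -AutoSize
if ($Apply) {
    Set-TuningValues
    Test-TuningValues | Format-Table State, Name, Actual -AutoSize
}
```

Run it without -Apply first on every node and diff the reports; the values under Memory Management take effect only after a reboot, which the audit cannot see.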

6. Creating the Exchange Virtual Servers

  1. Create the IP Address and Network Name resources for all virtual servers, EVS01 and 02

  2. Create the System Attendant resource

Make sure you select the LUN where you want the SMTP/MTA to reside. Exchange will create a mailbox store and a public store in the same LUN. Move the mailbox store and delete the public folder store.

  3. If an error occurs, move the computer account from the Computers OU to the Saint Paul\Servers OU in AD. Make sure the computers are in the correct OU.

  4. Remove the “affect the group” setting on all resources except the Network Name, IP Address, Information Store and System Attendant resources on each virtual server.

  5. Change the Threshold to 1 and the Period to 120 on the Advanced tab for the Information Store and System Attendant resources.

  6. Change the value of Threshold to 1 on the Exchange System Attendant and Information Store resources on all virtual servers.

  7. Disable EventLogReplication on each virtual server

cluster.exe /prop EnableEventLogReplication=0

  8. Add the MsgHandleThreshold registry key on all the nodes.

http://technet.microsoft.com/en-us/library/aa998105.aspx

  9. Disable the MTA service on all nodes and set the following registry values to disable MTA events for each database

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Gateway In Threads – (DWORD) (0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Gateway Out Threads – (DWORD) (0)

Securing Clusters

http://technet.microsoft.com/en-us/library/bb123629.aspx

http://technet.microsoft.com/en-us/library/bb124140.aspx

7. Create Storage groups and databases.

Each Exchange virtual server has 4 storage groups and 4 databases. The first two databases are journaled in each storage group. None of the servers will contain any public folder stores. Delete any default public folder stores using the following steps.

  1. Start ADSI Edit.

  2. Double-click the Configuration container, expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=<ExchangeOrganizationName>.

  3. Expand CN=Administrative Groups, expand CN=<AdministrativeGroupName>, expand CN=Servers, expand CN=<ServerName>, expand CN=InformationStore, and then expand CN=<StorageGroupName>

  4. Right-click CN=<Public Folder Store Name> and then click Delete.

  5. Double-click the Configuration container, expand CN=Services, expand CN=Microsoft Exchange, and then expand CN=<ExchangeOrganizationName>.

  6. Expand CN=Administrative Groups, expand CN=<AdministrativeGroupName>, expand CN=Folder Hierarchies

  7. Right-click CN=<Public Folders> and then click Properties.

  8. In the Attribute Editor, click the msExchOwningPFTreeBL attribute, and then click Edit.

  9. In the Edit Attribute box, make sure the public folder store is not listed

  10. Click Apply, and then click OK.

  11. Close ADSI Edit and then restart the Microsoft Exchange Information Store service for the change to take effect.
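The ADSI Edit walks above (msExchESEParamLogBuffers on each storage group and msExchMaxCachedViews on each database in the tuning section, and the removal of every public folder store in this section) all touch the same Exchange configuration objects in Active Directory, so they can be verified in one pass without clicking through the tree. The script below is an added example and not part of the original runbook or of Exchange itself; it reads the Configuration partition with System.DirectoryServices, assumes the Exchange virtual server is named EVS01 (taken from this document), and needs only read access to the Configuration partition from a domain-joined machine.

```powershell
# Added verification script (not from the original runbook): report storage
# group and database attributes set through ADSI Edit, and any public folder
# store still present on an Exchange 2003 virtual server.
param([string]$ServerName = 'EVS01')   # Exchange virtual server name from this runbook

function Get-ExchangeServerDN([string]$Name) {
    # Exchange server objects (class msExchExchangeServer) live in the Configuration partition.
    $root = [ADSI]'LDAP://RootDSE'
    $cfg  = [ADSI]"LDAP://$($root.configurationNamingContext)"
    $s = New-Object System.DirectoryServices.DirectorySearcher($cfg)
    $s.Filter = "(&(objectClass=msExchExchangeServer)(cn=$Name))"
    $hit = $s.FindOne()
    if ($hit -eq $null) { throw "Exchange server '$Name' not found in the configuration partition" }
    return $hit.Properties['distinguishedname'][0]
}

function Get-ExchangeStoreSettings([string]$Name) {
    # One subtree search under the server object for storage groups, mailbox
    # stores (msExchPrivateMDB) and public folder stores (msExchPublicMDB).
    $srch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$(Get-ExchangeServerDN $Name)")
    $srch.Filter = '(|(objectClass=msExchStorageGroup)(objectClass=msExchPrivateMDB)(objectClass=msExchPublicMDB))'
    foreach ($attr in 'cn', 'objectclass', 'msexcheseparamlogbuffers', 'msexchmaxcachedviews', 'msexchagingkeeptime') {
        [void]$srch.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $srch.FindAll()) {
        $p = $r.Properties
        New-Object PSObject -Property @{
            Name           = @($p['cn'])[0]
            Class          = @($p['objectclass'])[-1]      # most specific class is listed last
            LogBuffers     = @($p['msexcheseparamlogbuffers'])[0]
            MaxCachedViews = @($p['msexchmaxcachedviews'])[0]
            AgingKeepTime  = @($p['msexchagingkeeptime'])[0]
        }
    }
}

function Find-StoreDrift([string]$Name) {
    $drift = @()
    foreach ($o in Get-ExchangeStoreSettings $Name) {
        switch ($o.Class) {
            'msExchStorageGroup' {
                # Tuning step: msExchESEParamLogBuffers = 9000 on every storage group.
                if ($o.LogBuffers -ne 9000) { $drift += "$($o.Name): msExchESEParamLogBuffers is '$($o.LogBuffers)', expected 9000" }
            }
            'msExchPrivateMDB' {
                # Tuning step: msExchMaxCachedViews = 20 on every mailbox database.
                if ($o.MaxCachedViews -ne 20) { $drift += "$($o.Name): msExchMaxCachedViews is '$($o.MaxCachedViews)', expected 20" }
                # MsExchAgingKeepTime is only reported, since the runbook marks it as optional.
                if ($o.AgingKeepTime -ne $null) { "$($o.Name): msExchAgingKeepTime = $($o.AgingKeepTime)" }
            }
            'msExchPublicMDB' {
                # Section 7: no public folder store should remain on these servers.
                $drift += "$($o.Name): public folder store still present"
            }
        }
    }
    return $drift
}

$result = @(Find-StoreDrift $ServerName)
if ($result.Count -eq 0) { "OK: $ServerName matches the runbook store settings" } else { $result }
```

Because the store objects are read straight from AD, the script also catches a store that was deleted in Exchange System Manager but whose configuration object was left behind, which is the case the msExchOwningPFTreeBL check above is meant to expose.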

Install and Configure Snap Manager for Exchange 3.2

Permissions for Blackberry Enterprise Server

Set the required permissions in Exchange for the BES service accounts on the new mail servers that will host BlackBerry-enabled accounts.

These permissions must be applied at the storage group or server level.

The required permissions are:

  • Administer Information Store

  • View Information Store

  • Receive As

  • Send As (Probably no longer a requirement due to how permissions are evaluated, but this would keep us consistent with other servers).

I would recommend adding all BES Service accounts for now, then removing the old management accounts at a later date, once all migrations have been completed.