Guidance on planning for and implementing the Hosted Messaging and Collaboration Solution 3.5 (Consolidated Server Platform)
Code Authority recently implemented hosted Exchange services based on the HMC 3.5 Solution Consolidated Server platform and learned a few lessons in the process. I thought it would likely benefit someone if I documented the problems I ran into and discoveries I made.
I will assume the reader is already familiar with the SPLA, Microsoft Hosting program, and the HMC Solution 3.5 in general.
The rest of this document is separated into two sections: Planning and Implementation.
Planning
First, I would like to give my suggested step-by-step process for preparing and actually implementing the reference architecture. We are kind of meticulous around here; you may not need to do all of this.
Step 1. Order SPLA Media
Assuming you are already active in the SPLA program and have received your SPLA VLKs, order the Windows 2003 R2 Standard and Enterprise Edition Media from your SPLA licensing channel vendor. Also get the Outlook 2003/2007 Media for your customers.
We had assumed the MSDN Universal Subscription ISOs were used for installation, but the VLKs you will be assigned by the SPLA program do not work with those ISOs. Ordering the media now will save you some time, as it caused us about a 5-day delay in getting started.
Step 2. Prepare Your HMC Bible
Print out the Consolidated Platform PDFs and put them in a large three-ring binder. This binder will be your hosted exchange bible (in case you or someone else has to know how you configured the environment years from now, when something goes wrong!).
We found this helpful to prevent us from accidentally skipping a step, and we also took notes in the margin, which became invaluable months later.
Step 4. Document Logical Network Design.
You will need to conceptually understand the reference network architecture within the HMC 3.5 consolidated server solution. You need to know this before you make your hardware decisions because some of your servers will need dual NICs. I found a great post within the ASP.NET Forums threaded discussion groups which discussed this topic in great detail. After reviewing that thread, copy the network diagram image from the solution and customize it using the tool of your preference, print out the final version with your network addresses, and put it in your new HMC binder. You will be referring to it constantly during the solution implementation process. We put this diagram on the outside cover because we referred to it so frequently.
Step 5. Purchase / Allocate Hardware
Once you know just how much of the reference solution you are going to deploy, you can plan out your hardware, disk sizes, partitions, and RAID configurations. Eventually we decided to deploy the whole solution, including the optional components, meaning we needed 6 boxes. In my opinion you really don’t need the 6th ISA box. It does nothing whatsoever but the firewall role. If you have a lot of firewall experience on some other firewall platform and/or don’t want to learn ISA server, I would recommend you just leave ISA Server out of your implementation.
Step 6. Define your implementation-specific equivalents of the five organizations and respective domains in the HMC 3.5 Solution examples below. Print this and put it in the bible.
| Solution Example | Role | Your Domains Here |
|---|---|---|
| fabrikam.com | Services Provider (YOU) | |
| consolidatedmessenger.com | Reseller (could also be you) | |
| Alpineskihouse.com | Business Customer | |
| Litware.com | Consumer Customers | |
| wingtiptoys | Consumer Customer “vanity” domain | |
Originally we had misunderstood what “reseller” meant. While it is meant to represent a down level partner who is reselling hosted exchange subscriptions, it does not have to be a separate organization. If your organization is going to sell subscriptions I would suggest you use your public branded hosted exchange domain in place of “consolidatedmessenger”. Consider fabrikam.com your internal system control domain, and your branded domain the equivalent of consolidatedmessenger.com, and do not assume the “reseller” has to be some other organization.
Here is a link to a thread containing a good explanation of the types of “Organizations” and “Users” within the solution.
http://agramont.net/forums/permalink/159/160/ShowThread.aspx#160. (You will find a wealth of good blog entries on the subject of HMC 3.5 on Conrad’s site).
One other important distinction is that Litware.com is a catchall container for all your individual ‘consumer’ users. These are users which are standalone, exist as siblings within the AD hierarchy, but do not see each other as Contacts, and may each have “vanity domains”.
Note this excerpt from the solution hierarchy “Hosted Messaging and Collaboration Services / Hosted Exchange / Run Hosted Exchange”:
Internet Service Provider
    consolidatedmessenger (consolidatedmessenger.com)
Business Customer:
    alpineskihouse (alpineskihouse.com)
Consumer Service
    litwareinc (litwareinc.com)
Consumer Service Vanity Domain
    wingtiptoys (wingtiptoys.com)
At this point you should be ready to get started.
Implementing the Solution
While following the many hundreds of steps, there were a few that confused me initially for one reason or another. The remainder of the Implementation section is a breakdown of those steps which caused me trouble and my solutions. I believe some of these issues were related to my environment being Windows Server 2003 R2 (the solution's target environment is SP1).
DWSPV.37-39
The solution directs you to ignore these steps. However, a later step directs you to test the website on FE01 which these steps install. It makes sense for this website to exist on FE01, therefore I went back and executed these steps anyway on FE01.
DCS.12 Step 4
There is a typo here. “Enabled” should be “Automatic”.
DLC.11 Step 11
After this step you may be presented with a dialog about new certificates being detected. The solution does not mention this. Click YES or you will not be able to continue with the next step (12).
DLC.11 Step 22
When I got to step 12, ‘Certificate Services’ was not yet installed on AD01, so I could not complete the step. Use ‘Add and Remove Windows Components’ to add Certificate Services and the bare minimum of IIS and ASP, and configure the Enterprise Root CA before continuing.
DLC.36, DLC.40, DLC.41
It looks like these steps should be highlighted in the binder, because it appears to me they will have to be undertaken with each new customer that subscribes to Live Communications Server 2005 services. I’m writing this at the time I’m implementing the solution, so maybe I’m wrong and the provisioning tool will do it?
DLC.42
Refers to “LCSAP01” but for the consolidated platform, this should be FE01.
DLC.52
In this procedure all three computers AD01, BE01, and FE01 already appeared to have the Agent installed on them, and no computers appeared in the ‘unmanaged list’ so there was nothing to do.
RHE.8
I am not sure if this is a problem, or if I skipped something setting up ISA Server. After I sent an outgoing email using Outlook configured to connect to a test account using the POP3 method, the email would never arrive (if the destination was external). I was able to see the connections being denied by ISA Server and could see the outgoing messages stuck in queue. It was very simple to add an Access rule allowing SMTP from internal to any external address, which quickly alleviated this problem.
RHE.43
Similar to the previous problem. I think something was left out of the ISA setup in the consolidated plan. There was no rule allowing web traffic to access the Outlook client configuration website tool running on FE01. You need to add an additional path to the access rule which does exist. This path is “/rpchttpconfig/*”.
Once again, a slight modification to the ISA policy “Sharepoint Publishing” was required before SharePoint sites would work normally. Turn off "Verify Normalization" at the HTTP level to get certain SharePoint site functionality to work (such as uploading a document to the document library). You only need to apply this HTTP change to the SharePoint publishing policy.
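Why the change should stay scoped to that one policy, as an added example that is not part of the original post and not ISA Server code: a simplified Python model of a publishing rule's path match plus the Verify Normalization check, assumed here to work by URL-decoding the path twice and rejecting the request if the two results differ. The `/sites/*` path, the first rule's name and all sample requests are constructed; only `/rpchttpconfig/*` and the "Sharepoint Publishing" policy name come from the text above.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import unquote


@dataclass(frozen=True)
class PublishingRule:
    name: str
    paths: tuple                      # path patterns, e.g. "/rpchttpconfig/*"
    verify_normalization: bool = True


def is_double_encoded(path: str) -> bool:
    """True when a second URL-decoding pass still changes the path."""
    once = unquote(path)
    return unquote(once) != once


def evaluate(rules, path: str):
    """Return (rule name, verdict) from the first rule whose path matches."""
    decoded = unquote(path).lower()
    for rule in rules:
        if any(fnmatchcase(decoded, p.lower()) for p in rule.paths):
            if rule.verify_normalization and is_double_encoded(path):
                return rule.name, "blocked"
            return rule.name, "allowed"
    return None, "denied"


# Constructed rule set. The first rule's name is hypothetical; its path and
# the second rule's name are the ones mentioned in the post.
RULES = (
    PublishingRule("Existing rule (name constructed)", ("/rpchttpconfig/*",)),
    PublishingRule("Sharepoint Publishing", ("/sites/*",),
                   verify_normalization=False),
)

# Constructed requests: an ordinary upload, a document whose file name holds
# a literal "%20" (so the URL carries "%2520"), and paths for the other rule.
REQUESTS = (
    "/sites/team/Shared%20Documents/plan.doc",
    "/sites/team/Shared%20Documents/Budget%2520Final.doc",
    "/rpchttpconfig/help%2520page.htm",
    "/rpchttpconfig/default.aspx",
    "/owa/",
)

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "->", evaluate(RULES, req))
```

With the check off, the relaxed rule forwards double-encoded paths to the published server unchanged, so that server's own URL handling is the only remaining control for that policy.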
Conclusion
The solution went more smoothly than we had expected. Although there were a few problems, most of the time we were able to work them out as we became more familiar with the programmable interfaces and other technologies that were new to us. We are looking forward to upgrading to the HMC 4.0 consolidated server platform solution some time in 2007 and will certainly blog that undertaking as well.