Monday, December 6, 2010

Exchange 2010 in a Secure Environment

I'm performing a new installation of Exchange 2010 for a large organization this week and ran into a couple of security-related issues that were interesting.

This organization limits the processes that can run on computers, and when performing the installation we are domain admins, but not the "Administrator" account. Because we are not the "Administrator" account, UAC applies.

Issue #1
Installation failed because the ngen.exe service was disabled. Ngen.exe is used to compile .NET code to make it run faster. This service was disabled as per the security rules. This prevented the original installation and likely would have prevented installing the rollup update as it spent a lot of time compiling .NET code.

I'm not sure if this is an issue only when not using Administrator. Obviously in production, I'm not going to test all the possible permutations.

The relevant part of the Exchange setup log is here:

[12/01/2010 21:52:06.0346] [2] Active Directory session settings for 'precompile-ManagedBinary' are: View Entire Forest: 'True', Configuration Domain Controller: 'dc.nowhere.com', Preferred Global Catalog: 'dc.nowhere.com', Preferred Domain Controllers: '{ dc.nowhere.com }'
[12/01/2010 21:52:06.0346] [2] Beginning processing precompile-ManagedBinary -BinaryName:'C:\Program Files\Microsoft\Exchange Server\V14\bin\microsoft.Exchange.PowerShell.configuration.dll'
[12/01/2010 21:52:06.0361] [2] Starting: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe with arguments: install "C:\Program Files\Microsoft\Exchange Server\V14\bin\microsoft.Exchange.PowerShell.configuration.dll" /queue /nologo /verbose
[12/01/2010 21:52:06.0517] [2] Process standard output: Installing assembly C:\Program Files\Microsoft\Exchange Server\V14\bin\microsoft.Exchange.PowerShell.configuration.dll
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (Exception from HRESULT: 0x80070422)

[12/01/2010 21:52:06.0517] [2] Process standard error:
[12/01/2010 21:52:06.0517] [2] [ERROR] Unexpected Error
[12/01/2010 21:52:06.0517] [2] [ERROR] Process execution failed with exit code -1.
[12/01/2010 21:52:06.0517] [2] Ending processing precompile-ManagedBinary
[12/01/2010 21:52:06.0517] [1] The following 1 error(s) occurred during task execution:
[12/01/2010 21:52:06.0517] [1] 0. ErrorRecord: Process execution failed with exit code -1.
[12/01/2010 21:52:06.0517] [1] 0. ErrorRecord: Microsoft.Exchange.Configuration.Tasks.TaskException: Process execution failed with exit code -1.
[12/01/2010 21:52:06.0517] [1] [ERROR] The following error was generated when "$error.Clear();
$fullPath = [System.IO.Path]::Combine($RoleInstallPath, "bin\microsoft.Exchange.PowerShell.configuration.dll");
precompile-ManagedBinary -BinaryName $fullPath;
" was run: "Process execution failed with exit code -1.".
[12/01/2010 21:52:06.0517] [1] [ERROR] Process execution failed with exit code -1.
[12/01/2010 21:52:06.0517] [1] [ERROR-REFERENCE] Id=AllRolesPrecompileManagementBinaries___922e3423e7724c0e8892fe798af5ca08 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[12/01/2010 21:52:06.0517] [1] Setup is stopping now because of one or more critical errors.
[12/01/2010 21:52:06.0517] [1] Finished executing component tasks.
[12/01/2010 21:52:06.0580] [1] Ending processing Install-Bridgehead

Issue #2
The rollup update for Exchange 2010 SP1 was not UAC aware, so when we ran it, it failed. The fix is quick and easy: go to a command prompt elevated to administrator and run it manually, just like you'd run an exe file.
