Tuesday, December 20, 2016

Something About Rolling Out Kerberos ASA Credentials Between Exchange 2013 and 2016 Servers

Hi folks,

As you may well know, Exchange 2013 and 2016 servers can co-exist happily behind the same load balancer. They can also share the same Alternate Service Account (ASA) credentials for Kerberos authentication, and that is what this article is about.

However, when it came to rolling out the credentials from an Exchange 2013 CAS server to an Exchange 2016 Mailbox server (yes, this is not a mistake: Exchange 2016 has only the Mailbox role, with the CAS services integrated into it), I could not run RollAlternateServiceAccountPassword.ps1 to deploy the credentials from one of my existing Exchange 2013 CAS servers to the Exchange 2016 Mailbox server.

When running it from an Exchange 2013 server against the Exchange 2016 server, I encountered this error:
RecordErrors : Cannot convert value "SERVER01" to type "Microsoft.Exchange.Data.Directory.Management.ClientAccessServer"

This is because I tried to run the script from the older server version against the newer one.

Then I attempted to run the same command on the Exchange 2016 server. It produced this error:

Now the trick is that the CAS role no longer exists in Exchange 2016. Instead of the *-ClientAccessServer cmdlets, Microsoft has introduced the *-ClientAccessService cmdlets to manage the CAS services on Exchange 2016 Mailbox servers. These new cmdlets are not supported on Exchange 2013, so when the script attempts to talk remotely to an Exchange 2013 box and retrieve the ASA credentials from there, it fails, because Get-ClientAccessService simply does not exist on Exchange 2013.

The *-ClientAccessServer cmdlets, on the other hand, are still supported on Exchange 2016 (even though they warn you about future deprecation) and work there just as they do on Exchange 2013. So, on my first Exchange 2016 server I edited RollAlternateServiceAccountPassword.ps1 and replaced all the -ClientAccessService entries with -ClientAccessServer.

After this I kicked the script off again:

RollAlternateServiceAccountPassword.ps1 -ToSpecificServers SERVER02.contoso.com -CopyFrom SERVER02.contoso.com

This time, despite the cmdlet deprecation warning, the copy of the credentials succeeded, which I could clearly see by executing the following command:

Get-ClientAccessService Server01 -IncludeAlternateServiceAccountCredentialPassword | fl Name, AlternateServiceAccountConfiguration

Finally, once the ASA credentials have been deployed to the first Exchange 2016 server, I can go to the other Exchange 2016 boxes and copy the credentials from that first server with the unmodified RollAlternateServiceAccountPassword.ps1 and without any error, because now the credentials are being copied from Exchange 2016 to Exchange 2016.
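The whole procedure above, wrapped into one script as an added example (this is not code from the original post or from Microsoft): it keeps a backup of the shipped script, swaps the cmdlet noun, rolls the credentials to the first Exchange 2016 server and then checks that both servers report the same ASA account. The server names, the backup path and the use of $env:ExchangeInstallPath and of the EffectiveCredentials property are assumptions; run it from the Exchange Management Shell on the Exchange 2016 server.

```powershell
# Added example, not part of the original post.
# Assumed: Exchange Management Shell on the first Exchange 2016 Mailbox server.
$Source     = 'EX2013-CAS.contoso.com'   # assumed Exchange 2013 CAS server that already holds the ASA creds
$Target     = 'EX2016-MBX.contoso.com'   # assumed first Exchange 2016 Mailbox server
$ScriptPath = Join-Path $env:ExchangeInstallPath 'Scripts\RollAlternateServiceAccountPassword.ps1'
$BackupPath = "$ScriptPath.orig"         # assumed location for the untouched copy

# 1. Keep an untouched copy of the shipped script so the edit can be reverted later.
if (-not (Test-Path -Path $BackupPath)) {
    Copy-Item -Path $ScriptPath -Destination $BackupPath
}

# 2. Replace the Exchange 2016-only noun with the one both versions understand.
#    The \b anchor makes sure an already-patched "-ClientAccessServer" is left alone,
#    so the step is safe to re-run.
$Pattern  = '-ClientAccessService\b'
$Original = Get-Content -Path $BackupPath -Raw
$Hits     = [regex]::Matches($Original, $Pattern).Count
$Patched  = $Original -replace $Pattern, '-ClientAccessServer'
Set-Content -Path $ScriptPath -Value $Patched -Encoding UTF8
Write-Host "Replaced $Hits occurrence(s) of -ClientAccessService in $ScriptPath"

# 3. Roll the credentials from the Exchange 2013 server to the Exchange 2016 server.
#    Expect the deprecation warning for Get-/Set-ClientAccessServer; it is harmless here.
& $ScriptPath -ToSpecificServers $Target -CopyFrom $Source

# 4. Verify: both servers should now list the same ASA account. Get-ClientAccessServer
#    is used because it works against both versions. EffectiveCredentials is assumed
#    to be the collection exposing the credentials currently in use.
function Get-AsaAccountName {
    param([string]$Server)
    $Config = (Get-ClientAccessServer $Server -IncludeAlternateServiceAccountCredentialPassword).AlternateServiceAccountConfiguration
    return @($Config.EffectiveCredentials | ForEach-Object { $_.Credential.UserName })
}

$SourceAccounts = Get-AsaAccountName -Server $Source
$TargetAccounts = Get-AsaAccountName -Server $Target

if ($TargetAccounts.Count -gt 0 -and -not (Compare-Object $SourceAccounts $TargetAccounts)) {
    Write-Host "OK: $Target now carries the same ASA account(s) as $Source ($($TargetAccounts -join ', '))"
} else {
    Write-Warning "ASA credentials differ. Source: $($SourceAccounts -join ', ') Target: $($TargetAccounts -join ', ')"
}

# To restore the shipped script afterwards:
#   Copy-Item -Path $BackupPath -Destination $ScriptPath -Force
```

The patched script is only needed on the first Exchange 2016 server; subsequent 2016 servers can copy from that server with the original file restored from the backup, since a 2016-to-2016 copy never calls into an Exchange 2013 box.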

I hope you will find this article useful for your troubleshooting and configuration.

And a little bonus: if for some reason you need to remove the ASA credentials from a server, you will need one of these commands:

For Exchange 2010 and 2013:

Set-ClientAccessServer CAS-1 -RemoveAlternateServiceAccountCredentials

For Exchange 2016 and probably later versions:

Set-ClientAccessService CAS-1 -RemoveAlternateServiceAccountCredentials