Microsoft KB Archive/929081

Article ID: 929081

Article Last Modified on 12/22/2006


  • Microsoft Forefront Security for Exchange Server
  • Microsoft Exchange Server 2007 Enterprise Edition


This article contains guidelines about how to install and to uninstall Microsoft Forefront Security for Exchange Server on a Microsoft Exchange Server 2007 cluster continuous replication (CCR) cluster.


CCR is a clustered solution that uses built-in asynchronous log shipping to create and maintain a storage group replica on a second server. CCR provides both high availability and site resilience because it is designed to be either a one-datacenter or a two-datacenter solution.

To install Forefront Security on an Exchange 2007 CCR cluster

  • You must install Forefront Security on the active node before you install Forefront Security on the passive node. This is true for the first installation of a CCR cluster node. However, if a node fails and a new installation will be performed, you should perform the installation on the passive node so that the passive node replicates the known-good data from the active node. If you perform the installation on the active node, the known-good data will be overwritten.
  • Do not fail over a CCR cluster node that has Forefront Security installed to another node that does not have Forefront Security installed.
  • You cannot perform a remote installation of a CCR cluster. Use a terminal server session instead.
  • Use the Cluster Administrator to check that the Exchange Cluster Resources are online on the active node before you install Forefront Security. If the Exchange Cluster Resources are not online before you install Forefront Security, the node will be detected as passive.
  • When you install Forefront Security on a CCR cluster, the installation path must be the same for both nodes.

Note The terms "Exchange Virtual Server" and "EVS" are used in the documentation and in the installation screens. The correct terms are "Clustered Mailbox Server" and "CMS."

To uninstall Forefront Security on an Exchange 2007 CCR cluster

  • You must first uninstall Forefront Security from the active node.
  • We recommend that you uninstall Forefront Security from the cluster node in the state in which it was installed. That is, if you installed the node as passive, uninstall it as passive. Exchange 2007 will not start if you do not follow this recommendation. If Exchange 2007 will not start, follow these steps to uninstall Forefront Security:

    Note You must do the following on each node on which Exchange 2007 does not start.
    1. From the command line, execute the following commands to remove the checkpoints:

      cluster res "Exchange Information Store Instance (Cluster_Name)" /removecheck:"SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan"

      cluster res "Exchange Information Store Instance (Cluster_Name)" /removecheck:"SOFTWARE\Microsoft\Forefront Server Security\Exchange Server"

    2. Delete the following registry key:


  • After you uninstall Forefront Security, the CMS must be restarted manually.

    Note Do not restart any computer until Forefront Security is uninstalled on all nodes. Do not restart even if the uninstaller prompts you to restart the computer. If an active node is restarted, the CMS that is running on that node may move to a passive node before the passive node can be uninstalled successfully. Do not manually move any CMS until Forefront Security has been uninstalled on all nodes.

Additional guidelines

  • On a CCR cluster system, the Redistribution Server option is automatically selected in the General Options Panel. This option is required for successful engine updates on the cluster. Do not cancel this selection. If this selection has been canceled, you can click to select the check box again to restore engine updates. Each engine will require a new update before it will be replicated correctly again.
  • The following is a list of items that are replicated:
    • FileScanners.fdb
    • Filterlists.fdb
    • Notifications.fdb
    • ScanJobs.fdb
    • Template.fdb
  • The following is a list of items that are not replicated:
    • Statistics.fdb
    • Forefront Pickup Folder
    • HR Log
    • Program Log
    • Statistics.xml
    • Incidents and Quarantine databases

      Note To access these files on the passive node, use the computer name to connect directly to the passive node that has the admin client. We recommend that you include a note as a reminder that configuration changes should not be made on the passive node.
  • Never connect directly to the passive node of a CCR cluster to change the configuration of Forefront Security. You may connect directly to view settings and incidents or to release items from quarantine. We recommend that you do not change the configuration of Forefront Security because the incidents and quarantine databases are not replicated.
  • After you save the configuration changes on the active node, you must give time for a replication cycle to complete before you fail over to the passive node. The default replication cycle is 30 seconds for configuration files and five minutes for engines.
  • If you must convert an existing CCR cluster node to a stand-alone server, Forefront Security must be uninstalled and reinstalled on that node.
  • The Forefront Security replication service creates backup files when you start Forefront Security and when a transition from active node to passive node occurs. These backup files can be used for recovery if current configuration data is accidentally overwritten with older configuration data.
  • After you install the passive node, the following message is logged in the Application log for the FSECCRService:

    Forefront Server Security CCR Replication service initial replication 'seeding' complete.

    This message indicates that all required settings have been replicated correctly.
  • Forefront Security configures a checkpoint for the following two registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Exchange Server

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan

    When you uninstall Forefront Security from a cluster, it is important to follow the instructions exactly. If the instructions were not followed correctly, the registry checkpoint settings that were configured by the Forefront Security installation may still be active. In this scenario, you must use the cluster command to remove the checkpoint. The syntax for the cluster command is as follows:

    cluster [[/cluster:]Cluster_Name] /Resource_Name /REMOVECHECK[POINTS]:key[Registry_Subkey][,Registry_Subkey[Registry_Subkey]Registry_Subkey]

    To view the list of registry checkpoints, execute the following command:

    cluster RES /CHECK

    To remove the checkpoint, use the following commands:

    cluster res "Exchange Information Store Instance ([Cluster_Name])" /removecheck:"SOFTWARE\Microsoft\Forefront Server Security\Exchange Server"

    cluster res "Exchange Information Store Instance ([Cluster_Name])" /removecheck:"SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan"

    For more information about the cluster command and the switches that can be used with Cluster.exe, visit the following Microsoft Web site:
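
A read-only way to confirm whether the Forefront registry checkpoints are still active before and after running the removal commands above, as an added example that is not part of the original article. It runs the article's `cluster RES /CHECK` command and looks for the two checkpoint subkeys; the helper name `Find-LeftoverCheckpoint` and the sample output lines are constructed for illustration, and cluster.exe is assumed to be on the PATH of a cluster node.

```powershell
# Added example: read-only audit of leftover Forefront registry checkpoints.
# The two checkpoint subkeys are the ones named in this article.
$forefrontKeys = @(
    'SOFTWARE\Microsoft\Forefront Server Security\Exchange Server',
    'SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'
)

# Hypothetical helper: return each key that still appears in the text
# printed by "cluster RES /CHECK" (case-insensitive substring match).
function Find-LeftoverCheckpoint {
    param([string[]]$CheckOutput, [string[]]$Keys)
    foreach ($key in $Keys) {
        $needle = $key.ToLower()
        $hits = @($CheckOutput | Where-Object { $_ -and $_.ToLower().Contains($needle) })
        if ($hits.Count -gt 0) { $key }
    }
}

# Constructed sample output, used only when cluster.exe is not present.
# The column layout is an assumption; only the key text is matched.
$sample = @(
    "Resource                            Registry Checkpoint",
    "Exchange Information Store Instance (Cluster_Name)  'SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan'"
)

if (Get-Command cluster.exe -ErrorAction SilentlyContinue) {
    $lines = @(& cluster.exe RES /CHECK 2>&1 | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) { throw "cluster RES /CHECK failed: $($lines -join ' ')" }
} else {
    Write-Warning 'cluster.exe not found; using the constructed sample output.'
    $lines = $sample
}

$leftover = @(Find-LeftoverCheckpoint -CheckOutput $lines -Keys $forefrontKeys)
if ($leftover.Count -eq 0) {
    'No Forefront registry checkpoints are listed.'
} else {
    foreach ($key in $leftover) {
        "Still checkpointed: $key"
        # Removal command from this article; replace Cluster_Name before running it.
        "  cluster res `"Exchange Information Store Instance (Cluster_Name)`" /removecheck:`"$key`""
    }
}
```

The script only prints the matching removal commands and never runs them, so it can be used on each node to verify the state without changing the cluster.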

Minimum system requirements

  • A computer that is running an x64-based version of Microsoft Windows Server 2003 or Microsoft Windows XP Professional x64 Edition and that has one of the following:
    • An Intel Xeon processor or an Intel Pentium family processor that supports Intel Extended Memory 64 Technology (Intel EM64T)
    • AMD Opteron or an AMD Athlon 64-bit processor that supports the AMD64 platform
  • Exchange 2007
  • 512 megabytes (MB) of available RAM. 1 gigabyte (GB) is recommended.

Note Each additional licensed scan engine requires more memory for each scanning process.

  • 300 MB of available disk space

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Keywords: kbexchcluster kbexch2007prev kbhowto kbinfo KB929081