
Thursday, January 21, 2010

How to Configure Change Password for OWA 2003/2007/2010 Mixed Environments

The Change Password feature in OWA will break when you reconfigure the environment to use Exchange 2007 or Exchange 2010 CAS servers as front-end servers for Exchange 2003 mailbox servers.  This is because the CAS servers don't have the necessary ASP pages installed that OWA 2003 links to.

telnetPORT25 wrote a great article explaining the step-by-step process, along with screenshots, to fix this problem.  I'm listing the high-level steps here (mainly to act as my long-term memory).
  • Logon to the Exchange 2007/2010 CAS server
  • Copy the %SystemRoot%\System32\inetsrv\iisadmpwd folder and files from the OWA 2003 FE server to the CAS server's %SystemRoot%\System32\inetsrv folder
  • Open IIS Manager and add a new Virtual Directory off the Default Web Site named IISADMPWD with a physical path of %SystemRoot%\System32\inetsrv\iisadmpwd
  • Right-click the new IISADMPWD virtual directory and select Convert to Application
  • Select the MSExchangeOWAAppPool
  • Restart IIS (iisreset /noforce or select the server in IIS Manager and click Restart)


Tuesday, December 22, 2009

Fix for Cannot Logon to OWA Using ISA 2004

A client had a problem where users could not logon to Outlook Web Access (AKA, OWA or Webmail) from the Internet. Users would get the logon page, but would be returned to the same logon page after entering their correct username and password.

Accessing OWA from the internal network would present the same logon page, but the user can successfully logon and access their mailbox. It turns out that the fact that they get the same logon page internally is a clue to the solution. Internal (non-ISA) users will only see the OWA logon page if Exchange is configured to use Forms Based Authentication (FBA). In order for ISA to work properly with OWA, Exchange should NOT be configured for FBA. It should only be configured on the ISA server.

Here's how the two systems should be configured:
  • Install the Exchange server's SSL certificate in the ISA computer's Personal certificate store
  • On the ISA server, configure a Mail Server Publishing firewall rule to allow External users to access the OWA server using HTTPS. Configure an OWA web Listener for HTTPS using the Exchange server's SSL certificate that you imported. Configure the Listener's authentication to use OWA Forms-Based. Ensure that ISA is redirecting requests to the SSL port 443 on the Bridging tab.
  • Ensure that the Exchange server is NOT using Forms Based Authentication. In Exchange System Manager, go to [OrgName] > Administrative Groups > [AdminGroup] > Servers > [ServerName] > Protocols > HTTP. View the properties of the Exchange Virtual Server. Clear the Enable Forms Based Authentication checkbox on the Settings tab.

The customer was using ISA 2004 in front of Exchange 2003, but I assume this problem/solution will also occur with ISA 2006.


Friday, May 22, 2009

PowerShell Script to get Exchange Version, Build and Rollup

It's not easy to tell which version and build is installed on Exchange 2007.

I wanted to find a way to display the Exchange version, build number and which Update Rollup is installed on all servers in the organization. I found the perfect script written by Paul Flaherty to do just that. I modified the script slightly to work better in Exchange 2003 / 2007 mixed environments.

Download Get-ExchangeServerVersion.ps1 here: Get-ExchangeServerVersion.zip

When you run it from the Exchange Management Shell prompt you will see output similar to the following screen:

The output displays the server name, Exchange roles installed, version (Standard or Enterprise), version number, and the Update Rollups installed and their installation dates.

For you code monkeys, here's the Powershell code:

#Get-ExchangeServerPlus.ps1
#v1.1, 05/20/2009
#Written By Paul Flaherty, blogs.flaphead.com
#Modified by Jeff Guillet, www.expta.com

#Get a list of Exchange servers in the Org excluding Edge servers
$MsxServers = Get-ExchangeServer | where {$_.ServerRole -ne "Edge"} | sort Name
#Loop through each Exchange server that is found
ForEach ($MsxServer in $MsxServers)
{
    #Get Exchange server version
    $MsxVersion = $MsxServer.ExchangeVersion
    #Create "header" string for output
    # Servername [Role] [Edition] Version Number
    $txt1 = $MsxServer.Name + " [" + $MsxServer.ServerRole + "] [" + $MsxServer.Edition + "] " + $MsxVersion.ExchangeBuild.toString()
    write-host $txt1
    #Connect to the Server's remote registry and enumerate all subkeys listed under "Patches"
    $Srv = $MsxServer.Name
    $key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\461C2B4266EDEF444B864AD6D9E5B613\Patches\"
    $type = [Microsoft.Win32.RegistryHive]::LocalMachine
    $regKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($type, $Srv)
    $regKey = $regKey.OpenSubKey($key)
    #Loop each of the subkeys (Patches) and gather the Installed date and Displayname of the Exchange 2007 patch
    $ErrorActionPreference = "SilentlyContinue"
    ForEach($sub in $regKey.GetSubKeyNames())
    {
        Write-Host "- " -nonewline
        $SUBkey = $key + $Sub
        $SUBregKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($type, $Srv)
        $SUBregKey = $SUBregKey.OpenSubKey($SUBkey)
        ForEach($SubX in $SUBRegkey.GetValueNames())
        {
            # Display Installed date and Displayname of the Exchange 2007 patch
            IF ($Subx -eq "Installed") {
                # Installed is stored as YYYYMMDD; display it as MM/DD/YYYY
                $d = $SUBRegkey.GetValue($SubX)
                $d = $d.substring(4,2) + "/" + $d.substring(6,2) + "/" + $d.substring(0,4)
                write-Host $d -NoNewLine
            }
            IF ($Subx -eq "DisplayName") {write-Host ": "$SUBRegkey.GetValue($SubX)}
        }
    }
    write-host ""
}


Monday, August 25, 2008

Exchange Server Virtualization Support Policy Summary

Microsoft released their Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments document this month. I reviewed the support document and summarized the salient facts here.
Exchange 2007 Virtualization

Host Requirements:
  • A hypervisor virtualization solution that has been validated by the Windows Server Virtualization Validation Program
  • Adequate storage space to accommodate the host OS and components, paging file, management software and crash recovery (dump) files
  • Storage space must be allocated for Hyper-V temporary memory storage (BIN) files, equal to the amount of RAM allocated to each guest
Guest Requirements:
  • Exchange 2007 SP1 (or later) deployed on Windows Server 2008
  • Cannot have the Unified Messaging Role installed
  • The total number of virtual processors cannot exceed twice the number of physical cores. Typically 2 virtual processors are required for each Exchange server guest, but use this as a baseline
  • Large mailboxes (1GB and larger) require the use of Cluster Continuous Replication (CCR)
  • CCR nodes must be hosted on separate physical host servers to provide true redundancy and high availability
  • Mixing physical and virtual nodes is supported for CCR and SCC environments
  • Exchange supported backups must be run from the guest
  • Both legacy backups (using ESE streaming APIs) and Exchange-aware software-based VSS backups (Data Protection Manager) are supported
  • VSS backups of an Exchange guest are supported if the guest uses only VHDs (not pass-through disks)
Guest Storage Requirements:
  • Supports fixed size VHDs, SCSI pass-through and iSCSI storage
  • Storage must be dedicated to one guest machine. In other words, a pass-through disk must be dedicated to one, and only one, guest.
  • Guest OS must use a minimum fixed-size VHD of 15GB plus the size of virtual RAM allocated to the guest
  • VHD limit is 2,040GB (nearly 2TB) in Hyper-V
  • Hub and Edge Transport servers require sufficient storage for message queues and log files
  • Mailbox servers require sufficient storage for databases and log files
  • iSCSI storage using an iSCSI initiator within the guest is supported. This offers greater portability, but decreased performance
Not Supported:
  • Dynamically expanding VHDs are not supported
  • Snapshots or differencing disks are not supported
  • Virtualization high availability solutions, such as Hyper-V Quick Migrations, are not supported. Only Exchange aware HA solutions (SCC, LCR, CCR and SCR) are supported.
  • VSS backups of the Exchange guest machine's pass-through disk from the host are not supported
Recommendations:
  • Storage should be hosted on separate disk spindles from the guest's OS
  • Use SCSI pass-through storage to host transport and mailbox databases and transaction logs
  • When using iSCSI storage, configure the iSCSI Initiator on the host and present it as a pass-through disk to the guest
  • For iSCSI storage, use Gigabit Ethernet, isolated networks, and dedicated NICs with jumbo frames that are not bound to a Virtual Network Switch
Exchange 2003 Virtualization

Host Requirements:
  • The hardware virtualization software is Microsoft Virtual Server 2005 R2 or any later version of Microsoft Virtual Server
Guest Requirements:
  • Exchange Server 2003 SP2 (or later)
  • Microsoft Virtual Server 2005 R2 Virtual Machine Additions must be installed on the guest operating system
  • Exchange Server 2003 is configured as a stand-alone server and not as part of a Windows failover cluster
  • Each guest must have only one CPU
Guest Storage Requirements:
  • The SCSI driver installed on the guest operating system is the Microsoft Virtual Machine PCI SCSI Controller driver
  • The virtual hard disk Undo feature is not enabled for the Exchange virtual machine
Recommendations:
  • Consider adding a dedicated virtual network adaptor for Exchange Server backups
  • Create separate fixed-size VHDs for Exchange Server databases and log files and store them on separate physical drives on the host
  • Exchange Server performance should be validated before production by using the Exchange Server 2003 Performance Tools
  • Make sure that the host server is sized correctly to handle the number of virtual machines that you plan to deploy
  • Use a storage solution that enables fast disk access
  • Antivirus programs should be configured to not scan VHD files


Tuesday, August 19, 2008

How to Configure the SCL in Exchange

Recently I was asked what the proper Spam Confidence Level (SCL) should be for an Exchange 2007 installation. The answer is the ever-popular, "it depends."

The SCL is a value that Exchange assigns to each incoming SMTP email and is based on Microsoft's SmartScreen technology. This score determines how likely Exchange thinks an email message is spam. A rating of 0 means the message is not likely spam and a rating of 9 means the message is most likely spam.

SmartScreen is a "black hole" technology -- meaning that the algorithms and heuristics it uses for scoring are not published by Microsoft, thereby making it more difficult for spammers to create messages that can score lower and pass the filter. The Exchange server downloads new heuristics from Microsoft periodically.

Exchange 2003 SP2 introduced the Internet Message Filter (IMF) to score emails with an SCL rating. Exchange 2007 uses Content Filtering on the Anti-spam tab of the Edge Transport server to score emails (as shown below). It can also be enabled on a Hub Transport server if Edge Transport servers are not used. See How to Enable Anti-Spam Functionality on a Hub Transport Server.

Selecting the right SCL filter level is not an exact science. You're trying to filter obvious spam without accidentally filtering legitimate messages. You can use the following method to determine the starting point for your filter.

Using Perfmon to Select the SCL Filter Level
The best way to determine the appropriate SCL filter level is to use perfmon and examine the MSExchange Content Filter Agent object. Over time, the "Messages with SCL x" counters will increment and begin to show a trend.

In the example below, the Messages with SCL 0 through 7 counters are in the lower half of the scale. Messages with SCL 8 is off the charts at 270 -- more than all the lower SCL levels combined. From this data we can infer that it is safe to filter messages with an SCL higher than 7.


Note that these counters reset to zero upon restart of the server. It may take a little while before the trend appears.

Keep in mind that this is only the filter to begin with. You may have to adjust your filter up or down for your specific environment, but this will give you an excellent starting point.

SmartScreen filtering is just one of the anti-spam solutions available for Microsoft Exchange Server 2007. Other solutions include Sender ID Framework, Outlook Junk E-Mail Filter, and Microsoft Exchange Hosted Filtering. See the Microsoft AntiSpam Technologies website for more details.


Thursday, July 24, 2008

Free/Busy Information in Exchange 2000/2003/2007


What is Free/Busy?
Users' availability information is stored in Exchange in a hidden system public folder. This information is used by Outlook and OWA to tell other users if they are free or busy (hence, the term Free/Busy information). Normally this information is displayed as color-coded blocked out areas in a user's calendar, as shown above. If users have extended rights, they can right-click another user's blocked out time to view the subject of the busy time.

The Free/Busy information is posted as a single message that contains data for the entire Free/Busy duration. The default to publish is 2 months' worth of information, configurable in Outlook Options or via Group Policy. Every time the Free Busy information is updated, the message is overwritten.

Publishing Free/Busy Information
The way Free/Busy information is published to Exchange depends on the method used to update the user's calendar. The Outlook client is usually responsible for generating Free/Busy information. Outlook will read the calendar and generate Free/Busy every 15 minutes by default if the information has been changed. This schedule can be changed in Outlook options or via Group Policy. Outlook also republishes the Free/Busy information whenever Outlook is shut down.

So what happens when the user updates their calendar using Outlook Web Access (OWA) or some other non-MAPI client? In this case, Free/Busy information is updated by a background process called MSExchangeFBPublish (MadFB). This process runs under the System Attendant mailbox and updates Free/Busy every 5 minutes for OWA, OMA, and Entourage clients. When a change is made to the calendar, a Free/Busy message is submitted to the System Attendant mailbox on the mailbox server for the user. The MadFB process polls this mailbox and picks up that there has been a change. MadFB then publishes the user's full Free/Busy message to the Free/Busy folder overwriting the existing message.

Replicating Free/Busy Information
The short answer is don't do it. The only reason to replicate Free/Busy information is when you frequently have users accessing Free Busy information of users in another site, and those sites are separated by a slow or lossy network link. Replicating Free/Busy information introduces inherent latency and causes inaccuracy in the Free/Busy information. Users in one site may see information from a site that has not replicated yet.

Where is Free/Busy Information Stored?
As mentioned earlier, Free/Busy information is stored in a system public folder. You can view all the Free/Busy information in the org by opening the following URL in a web browser: "http(s)://ServerName/Public/Non_IPM_Subtree/SCHEDULE%2B%20FREE%20BUSY/".

Here, you will see a folder under SCHEDULE+ FREE BUSY for each Administrative Group in the format, "EX:/o=/OU=". Each folder contains messages for each user. These messages are the Free Busy information for the user. The messages are formatted as, "USER-/CN=RECIPIENTS/CN=".

Free/Busy message placement is based on the user's legacyExchangeDN attribute in AD. For example, if my legacyExchangeDN is "/o=CompanyABC/ou=Paris/cn=Recipients/cn=jsguillet", my Free Busy information will be stored in the "USER-/CN=RECIPIENTS/CN=jsguillet" message in the "/EX:/o=CompanyABC/ou=Paris" folder.

You are unable to view the contents of the message, but you can delete it. Doing so will remove all Free Busy information from Exchange until it is republished using one of the methods explained above. If Free/Busy information is not available to other users, they will see black and white hash marks across your calendar and Outlook will say that Free/Busy information is not available for this user.

How to Republish Free/Busy Information
On occasion Free/Busy information may not be published correctly in Exchange. There are many reasons that this can occur. Examples include errors in Public Folder replication (if Free Busy is being replicated, another reason to not do this), network errors, and incorrect shutdown of Outlook or Windows.

So how do you republish Free/Busy information? The easiest way to do this for individual users is to have them run Outlook with the /CleanFreeBusy switch:

  • Close Outlook

  • Click Start, Run, enter "start outlook /cleanfreebusy" and click OK

  • Outlook will start, generate the Free/Busy information from the Outlook calendar and republish it to Exchange within 5 minutes. It will overwrite any existing Free/Busy message or publish a new one if it doesn't exist.

While this is easy to do for one or two users, it isn't a good solution for all users in the enterprise since it requires user intervention.

Microsoft KB article 294282 details how to use Updatefb.exe to regenerate Free/Busy information from the calendar information contained in each user's mailbox. You run this utility under the context of a user or service account that has full mailbox access to the affected users. It reads a comma delimited file containing the alias and home mailbox server of each user (i.e., alias, mailbox1) and logs in as that user using Collaboration Data Objects (CDO). It then creates a single appointment for the user for today at 11:00pm. This marks the Free/Busy information as "dirty". It then logs off the MAPI connection, causing the Free/Busy information to republish to Exchange. Note that Updatefb will be unable to open disabled users' or hidden mailboxes, so be sure to exclude them from the CSV input file.

Updatefb.exe is an unsupported utility written by Microsoft and is only available through Microsoft Product Support Services. There are two versions of the utility, Updatefb.exe is the GUI version and CPPCDO.exe is a command line version. I have used it in several environments with no issues.

What About Exchange 2007?
Exchange 2007 uses an entirely new and different way to manage Free/Busy information, so the above does not apply in a pure Exchange 2007/Outlook 2007 environment. When using Exchange 2007 with Outlook 2007 Free/Busy information will no longer come from a Public Folder, but will instead use the Microsoft Exchange 2007 Availability Service. This web service will provide a direct look at the user's Free/Busy information without the need of a client publishing any data. Outlook 2007 and Exchange 2007 can still use (and will still have) the Free/Busy public folder for backwards compatibility with older Outlook clients.


Friday, February 22, 2008

Troubleshooting Exchange 2007 9646 Errors

A client has users who have been migrated from Exchange 2003 to Exchange 2007 SP1, running on Windows Server 2003 SP2.

After a while, users are no longer able to connect via Outlook to Exchange - OWA continues to function, but Outlook (2K3 and 2K7) stops working.

This is because of a new feature in Windows 2003 SP2 that enables "Scalable Networking" - In short, it shuts down closed connections to the server, but it doesn't play well with Exchange. When Outlook connects over several MAPI sessions, the unused ones are shut down by Windows, but they aren't closed cleanly and Exchange still sees them as open sessions.

Once the user has 32 open sessions (a combination of valid and invalid ones) - Exchange cuts them off and event ID 9646 errors are seen on the mailbox server event log:
Mapi session "/O=BLATHER/OU=PACIFICA/cn=Recipients/cn=CooperH" exceeded the maximum of 32 objects of type "session".

A hotfix will be released in late March that addresses the issue, but the short term fix is to run the following command from the command line on all Exchange 2007 mailbox servers:

Netsh int ip set chimney DISABLED

The following articles discuss the technology and the issue:


Wednesday, December 12, 2007

How to Tell Which Users Have an ActiveSync Partnership

It's always good to know who is using the technology we support. I have a customer who needed to know which users were utilizing Windows Mobile devices to access their Exchange servers.


Here's a one-liner PowerShell command that reports which users have ActiveSync partnerships configured in Exchange 2007:

Get-CASMailbox | WHERE {$_.HasActiveSyncDevicePartnership} | SELECT identity

In Exchange 2003, it's not quite that simple. The ActiveSync partnership is stored in a hidden folder within the user's Exchange mailbox. This folder can be exposed using mfcmapi (the Microsoft Exchange Server MAPI Editor).

Mailboxes do not have the hidden Microsoft-Server-ActiveSync folder by default. Once an ActiveSync partnership has been configured from the user's Windows Mobile device, the following folder structure is created under the Root Container:


Note that PocketPC may show as SmartPhone, depending on the device used.

While mfcmapi can view the Root Container structure for an individual mailbox, this is not feasible for a multi-user enterprise. I contacted Microsoft PSS for a solution, but they said there was no way to do this programmatically. Fortunately, I found this excellent vbscript written by Glen Scales that does exactly what I was looking for.

Here's an example of the output that the script produces:

Voilà! Just what the doctor ordered!


Tuesday, November 6, 2007

Custom Address Lists in Exchange 2003/2007

The following procedures describe how to create custom address lists in Exchange Server 2003.

Custom address lists can be used to provide a filtered view of the Global Address List (GAL) based on an LDAP query, similar to the way Query Based Distribution Groups work. It leverages the same mechanism used for the built-in address lists provided by Exchange ("All Contacts", "All Users", etc.). Custom address lists are dynamic and are available to all users in the organization. Common custom address lists might be "All Resources", "All Pagers", etc.

Microsoft article How to Create an Address List describes how to create a custom address list in Exchange 2003. The similarly titled, How to Create an Address List describes how to create one in Exchange 2007.

Once you create the new address list, you must configure a filter. The following is an LDAP query example that will filter all contacts with the word "carpenter" in the Notes field in the Telephone tab in AD. It is written as a single line, but is wrapped here for clarity.

(&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=contact)) )))(objectCategory=user)(info=*carpenter*)))

Note that objectClass could be changed from "contact" to "user" to filter user objects. The word "info" in this query is the AD attribute we're searching for. Any AD attribute can be used. Use ADSIEdit to view attribute names and values.

The search string above is "*carpenter*", which uses wildcards and means "contains the word 'carpenter'". A search for "carpenter" (no wildcards) will match only the word. The string "carpenter*" (trailing *) means "begins with the word". The string "*carpenter" means "ends with the word". The search string is not case sensitive, but it must be spelled correctly to match the filter.

If you were to create two address lists, one for "All Plumbers" and another for "All Carpenters", and the Notes field for a contact contains "Plumber, Carpenter", the contact will be included in both custom address lists.

As another example, this filter can be used for an address list for resource mailboxes, such as conference rooms. Just be sure to begin the display name for the resource mailboxes with "ZZ-".

(&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)) )))(objectCategory=user)(displayName=zz-*)))

Note: Because custom address lists are dynamically created by Exchange, they are only available to users who are connected to an Exchange server. Users using Cached Exchange Mode who are working offline will not have access to the custom address lists since Outlook can only display one container (the OAB). All contacts will still show up in the OAB.

I've used this process for many clients of all sizes and it works great, with no noticeable effect on AD or Exchange performance.


Thursday, September 13, 2007

Upcoming Webcast for daylight saving time changes in 2007



Of note to Systems Administrators (especially Exchange SAs)

Available on Friday, September 14th at 9am PT:

Preparing for Daylight Saving Time: This Webcast will provide an overview of information on Microsoft products and resources available to help businesses prepare for change to Daylight Saving Time.

https://www.livemeeting.com/cc/lmevents/join?id=msft091407sa&role=attend&pw=AGT732

To see future Webcasts related to this subject please keep checking our "Webcasts for daylight saving time changes in 2007" page which you can find here.



Friday, August 17, 2007

Deferred Delivery Behavior in Outlook and Exchange 2003

Over time I've fielded a lot of questions about deferred delivery behavior using Outlook and Exchange Server 2003. The purpose of this post is to try and clear up some of the confusion.

Users can defer delivery using Outlook 2003/2007 by selecting the "Do not deliver before" date and time in Delivery Options of a message. This is done from the View Options menu of the new message:


My example message was sent at 12:04pm and scheduled to be delivered at 12:10pm. Once sent, the email will stay in the Outbox until 12:10pm. If the sender isn't using Cached Exchange Mode, the email actually resides on the Exchange server. This means you can close Outlook and the email will still be delivered at the scheduled time. If the sender is using Cached Exchange Mode, Outlook needs to be running for the email to be delivered at the scheduled time.

Once the email is sent, it shows in the sender's Sent Items folder as being sent when the user clicked the Send button (12:05pm instead of 12:10pm). Outlook rounds the seconds up or down, which accounts for the lost minute.


When the recipient receives the email at the scheduled time, it shows in the recipient's Inbox as received at 12:11pm. This is the time the Exchange server delivered the message to the recipient's Inbox. Again, the time is rounded up by Outlook to show that it was received at 12:11pm:


When the recipient opens the email, he will see the email was sent at 12:05pm. This is the time the user clicked the Send button.



If we track the message through the Exchange Message Tracking Center, we will only see when the message was actually in transport through the Information Store. Note that there is no indication in message tracking that this message was sent with deferred delivery:


Taking a look at the SMTP headers, we see that the email was sent at 12:04:52.



Microsoft Mail Internet Headers Version 2.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: binary
Subject: Email written at 12:04pm
Date: Thu, 16 Aug 2007 12:04:52 -0700
Message-ID: <7B569F3F3E4DF34A86878A85F5CB7B8F0124020E@hoem01.scif.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <7B569F3F3E4DF34A86878A85F5CB7B8F0124020E@hoem01.scif.com>
Thread-Topic: Email written at 12:04pm
Thread-Index: AcfgOE14IdGWt/ZvRTS3VBrfx1yACQ==
From: "Jeff Guillet" <jsguillet@sscif.com>
To: "Brian Peladeau" <BPeladeau@sscif.com>

Hopefully, this helps clear up some of the confusion about deferred delivery.


Friday, June 29, 2007

Placing Server Certificates on Mobile Devices

About the only thing that's difficult in setting up Exchange ActiveSync on a mobile device is getting the server certificate on it. Of course, this is a non-issue if you're using a trusted certification authority like Verisign, Thawte, GoDaddy, etc. I wrote these procedures for those of you who don't want the trouble or expense of buying an SSL cert and want to use the Exchange self-signed certificate.


Export the Certificate



  • Log into the Exchange server with administrative rights and run IIS Manager
  • Expand Local Computer Web Sites
  • Right-click Default Web Site and select Properties
  • Click the Directory Security tab
  • Click View Certificate
  • On the Details tab click Copy to File..., Next, Next, Next
  • Enter the path and filename to use for the certificate export (i.e., C:\server.cer)
  • Click Finish to export the certificate
How to Put the Certificate on the Phone

Option 1, Using Windows ActiveSync



Option 2, Using Email


  • If there is an alternate form of email on the device, email the cert to your device
  • Open the attachment and import it

Option 3, Using a Website

  • Send server.cer to a compressed folder (zip file)
  • Put the zip file on a web server
  • Use Internet Explorer on the phone and navigate to the URL of the zip file to open it (i.e., http://www.myserver.com/cert.zip)
  • Download, open and import it
If you have an older Windows Mobile 2002 or 2003 device, check out the SPAddCert utility from Microsoft, documented at http://support.microsoft.com/kb/841060.
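
One way to confirm that the file arriving by email or from the web server is the certificate that was exported, as an added example that is not part of the original post: compare the SHA-1 of the transferred file with the Thumbprint field on the certificate's Details tab. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import io
import re
import zipfile

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def cert_der(data):
    """Return the DER bytes of a .cer file saved as either DER or Base-64."""
    block = PEM_BLOCK.search(data)
    if block:
        return base64.b64decode(b"".join(block.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate always starts with a SEQUENCE tag
        raise ValueError("file is neither a DER nor a Base-64 certificate")
    return data


def thumbprint(data):
    """SHA-1 of the DER encoding, the value Windows lists as Thumbprint."""
    return hashlib.sha1(cert_der(data)).hexdigest().upper()


def normalise(displayed):
    """Reduce a thumbprint copied from the certificate dialog to bare hex.

    Drops the spaces between byte pairs and any invisible characters that
    come along with a copy and paste.
    """
    return re.sub(r"[^0-9A-Fa-f]", "", displayed).upper()


def cert_from_zip(zip_bytes, member="server.cer"):
    """Read the certificate out of the zip file used for the website option."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return archive.read(member)


def same_certificate(received, displayed_thumbprint):
    """True when the received file hashes to the thumbprint shown on the server."""
    expected = normalise(displayed_thumbprint)
    if len(expected) != 40:
        raise ValueError("a SHA-1 thumbprint has 40 hex digits")
    return thumbprint(received) == expected


# Constructed stand-in for the bytes of the exported file (not a real
# certificate); only the byte content matters to the comparison.
SAMPLE_DER = bytes.fromhex("3082000b") + b"constructed"

if __name__ == "__main__":
    shown_on_server = thumbprint(SAMPLE_DER)
    altered = SAMPLE_DER[:-1] + b"\x00"
    print("unchanged copy matches:", same_certificate(SAMPLE_DER, shown_on_server))
    print("altered copy matches:  ", same_certificate(altered, shown_on_server))
```

Run the comparison on a workstation against the copy that was emailed or downloaded, before importing it on the device.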




Thursday, June 28, 2007

Beware the iPhone


The iPhone is a (very) expensive consumer device that has no place in the corporate environment. It has no security, cannot connect to enterprise email systems except using unsecured protocols (IMAP), and opens the company up to potential (extremely likely) copyright concerns.

Most companies should have a corporate "Just say no" policy for the iPhone in place by now. That way when the CEO drops his new iPhone on the administrator's desk and says, "Make it work with my email", they'll have a response ready.

On a side note, surveys have shown that people are really interested in three things about cell phones: Service quality (they want to be able to place or answer a call, not be dropped and be heard clearly), battery life, and ease of use (not having to use arcane menuing systems). Everything else is just gravy. When you add email to the mix, people want to be able to easily send and receive emails (tiny keypads and menuing systems inhibit this) and to a smaller degree expect fast delivery.

It seems that cell phone companies are busily trying to create "the next big thing" by adding the last big thing to their already crowded and confusing devices. Most people don't use 1/4 of the features on the phones they already have.


Wednesday, June 13, 2007

Custom Address Lists in Exchange 2003

The following procedures describe how to create custom address lists in Exchange Server 2003.

Custom address lists can be used to provide a filtered view of the Global Address List (GAL) based on an LDAP query, similar to the way Query Based Distribution Groups work. It leverages the same mechanism used for the built-in address lists provided by Exchange ("All Contacts", "All Users", etc.). Custom address lists are dynamic and are available to all users in the organization. Common custom address lists might be "All Resources", "All Pagers", etc.

Microsoft article http://technet.microsoft.com/en-us/library/bb124660.aspx describes how to create a custom address list in Exchange 2003. The article http://technet.microsoft.com/en-us/library/bb124384.aspx describes how to create one in Exchange 2007.

Once you create the new address list, you must configure a filter. The following is an LDAP query example that will filter all contacts with the word "carpenter" in the Notes field in the Telephone tab in AD. It is written as a single line, but is wrapped here for clarity.

(&(&(&(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=contact)) )))(objectCategory=user)(info=*carpenter*)))

Note that objectClass could be changed from "contact" to "user" to filter user objects. The word info in this query is the AD attribute we're searching for. Any AD attribute can be used. Use ADSIEdit to view attribute names and values.

The search string above is "*carpenter*", which uses wildcards and means "contains the word 'carpenter'". A search for "carpenter" (no wildcards) will match only the word. The string "carpenter*" (trailing *) means "begins with the word". The string "*carpenter" means "ends with the word". The search string is not case sensitive, but it must be spelled correctly to match the filter.

If you were to create two address lists, one for "All Plumbers" and another for "All Carpenters", and the Notes field for a contact contains "Plumber, Carpenter", the contact will be included in both custom address lists.
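The wildcard rules and the dual-membership case above can be checked before a filter is applied to a live address list. The following is an added example, not code from the original post: a small Python evaluator run against a constructed sample directory. It assumes a simplified, logically equivalent form of the contact filter (one flat AND), treats * as the only wildcard, and does not handle LDAP escape sequences; all function names and directory entries are hypothetical.

```python
import re

def parse(text, i=0):
    """Parse one LDAP filter starting at text[i]; return (node, next index)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|!":                       # boolean node with child filters
        op, children = text[i], []
        i += 1
        while text[i] == "(":
            child, i = parse(text, i)
            children.append(child)
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = text.index(")", i)                   # simple item: attr=value
    attr, _, pattern = text[i:end].partition("=")
    return ("=", attr.lower(), pattern), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> list of values)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # '*' is the only wildcard; the rest is literal and compared case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.I | re.S) for v in entry.get(attr, []))

def contact_filter(info_pattern):
    # Simplified equivalent of the post's contact filter (assumption, see lead-in).
    return f"(&(mailnickname=*)(objectCategory=person)(objectClass=contact)(info={info_pattern}))"

def entry(cn, cls, info, nick=True):
    e = {"cn": [cn], "objectcategory": ["person"], "objectclass": [cls], "info": [info]}
    if nick:
        e["mailnickname"] = [cn.split()[0].lower()]
    return e

# Constructed sample directory, not real data.
DIRECTORY = [entry("Ann Lee", "contact", "Plumber, Carpenter"),
             entry("Bob Ray", "contact", "carpenter"),
             entry("Cy Dunn", "contact", "Carpentry supplies"),
             entry("Di Fox", "user", "Carpenter"),
             entry("Ed Hall", "contact", "Master carpenter", nick=False)]

def address_list(info_pattern):
    """Return the names a custom address list with this info pattern would show."""
    tree, _ = parse(contact_filter(info_pattern))
    return [e["cn"][0] for e in DIRECTORY if matches(tree, e)]
```

In the sample data, "Di Fox" is excluded because the object is a user rather than a contact, and "Ed Hall" is excluded because the entry has no mailnickname, which is how a non-mail-enabled object drops out of an address list.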

As another example, this filter can be used for an address list for resource mailboxes, such as conference rooms. Just be sure to begin the display name for the resource mailboxes with "ZZ-".

(&(&(&(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=user)) )))(objectCategory=user)(displayName=zz-*)))

Note: Because custom address lists are dynamically created by Exchange, they are only available to users who are connected to an Exchange server. Users using Cached Exchange Mode who are working offline will not have access to the custom address lists since Outlook can only display one container (the OAB). All contacts will still show up in the OAB.

I've used this process for many clients of all sizes and it works great, with no noticeable effect on AD or Exchange performance.


Friday, June 1, 2007

Ontrack PowerControls Rocks!

PowerControls allows you to open a raw Exchange MDB file and export the data from it. You can export to a PST or directly into a live Exchange database.

I've used this utility to recover Exchange data for a couple of clients and it works perfectly. Does just what it needs to do and nothing more, which explains its lightweight size of only 16MB. Check it out at http://www.ontrackpowercontrols.com/


Friday, May 25, 2007

"Do not deliver before" Behavior Doesn't Work as Expected in Outlook Cached Mode

Users sometimes schedule delivery of an email for a later date or time.

For Outlook 2000, there were two different options: Deferred Send (Outlook handles it) and Deferred Delivery (the Exchange server handles it). If a message is configured for Deferred Send, it will stay in the user's Outbox until the scheduled time. Outlook then submits the message to the Exchange Information Store and the message is delivered. If a message is configured for Deferred Delivery, Outlook will immediately submit the message to the Exchange Information Store and the Exchange server will hold the message until the scheduled time. With Deferred Send, Outlook must be running to send the message and the user can edit or remove the message before it's delivered. With Deferred Delivery, Outlook does not have to be running and the user cannot edit or remove the message before it's sent.

Microsoft merged the two features together for Outlook 2003/2007. The only option available in these versions is "Do not deliver before". If this is configured, the message will stay in the user's Outbox, but Outlook does not need to be running to deliver it. By keeping it in the Outbox, the user is able to edit or remove the message before it's sent. However, if the user is configured for Exchange Cached Mode, Outlook MUST be running for delivery of the message to occur. http://support.microsoft.com/?kbid=918824 says this behavior is "by design".

On a side note, the message will show as Received in the Inbox at the delayed send time (say, 8:00am today). When you open the message, the Sent time will be the time the sender clicked the Send button (say, 5:00pm yesterday). This prevents a user from scheduling an email the night before saying, "I'm in the office this morning like you requested, but I'm going home now."
