Countdown to TechEd 2010 in New Orleans, LA: 2010-06-07 00:00:00 GMT-08:00

Thursday, January 21, 2010

How to Configure Change Password for OWA 2003/2007/2010 Mixed Environments

The Change Password feature in OWA will break when you reconfigure the environment to use Exchange 2007 or Exchange 2010 CAS servers as front-end servers for Exchange 2003 mailbox servers.  This is because the the CAS server don't have the necessary ASP pages installed that OWA 2003 links to.

telnetPORT25 wrote a great article explaining the step-by-step process, along with screenshots, to fix this problem.  I'm listing the high-level steps here (mainly to act as my long-term memory).
  • Logon to the Exchange 2007/2010 CAS server
  • Copy the %SystemRoot%\System32\inetsrv\iisadmpwd folder and files from the OWA 2003 FE server to the CAS server's %SystemRoot%\System32\inetsrv folder
  • Open IIS Manager and add a new Virtual Directory off the Default Web Site named IISADMPWD with a physical path of %SystemRoot%\System32\inetsrv\iisadmpwd
  • Right-click the new IISADMPWD virtual directory and select Convert to Application
  • Select the MSExchangeOWAAppPool
  • Restart IIS (iisreset /noforce or select the server in IIS Manager and click Restart)

Labels: , , , , ,

Subscribe in a reader Subscribe by Email

Monday, December 14, 2009

Is Microsoft Forefront Protection 2010 for Exchange Server x86 or x64?

After installing Forefront Protection 2010 for Exchange (FPE), I ran Task Manager to see what processes were running. I was surprised to see almost all of the Forefront processes are 32-bit. I asked Microsoft why this is, since Exchange 2007 and Exchange 2010 are 64-bit only applications.

It turns out that this is because the antivirus engines are still 32-bit. FPE uses up to five different scan engines from different vendors to scan emails (Authentium, Kaspersky, Microsoft, Norman, and VirusBuster). The AV vendors are working to create 64-bit versions of their scan engines, but there is no ETA at this time.

Each scan engine requires approximately 250 MB of memory. Less memory is required if Intelligent Engine Management (IEM) is not enabled and fewer than 5 engines are selected.

Considering that each scan engine is runs in its own discreet process, there may not be much of an advantage running 64-bit, anyway. 32-bit scan engines also mean that they can be used on the 32-bit non-production versions of Exchange for testing. Even so, I'd rather see the Forefront Team create a 32-bit version for testing and a 64-bit version for production once the AV vendors have 64-bit scan engines.

Labels: , , ,

Subscribe in a reader Subscribe by Email

Wednesday, November 11, 2009

Exchange 2007 WILL Be Coming to R2

Reversing an earlier decision to NOT support Exchange 2007 on top of Windows Server 2008 R2, Microsoft has reversed their reversal and announced they WILL develop support for putting Exchange 2007 on top of Windows 2008 R2 in an upcoming release…

Labels: ,

Subscribe in a reader Subscribe by Email

Tuesday, November 10, 2009

Exchange Server 2010 RTM Upgrade and Installation - Phase 3

This is the third and final phase of my Exchange 2010 / Windows Server 2008 R2 / Hyper-V migration. Phase 1 can be read here and phase 2 can be read here.

At this point, my Hyper-V host server is still running Windows Server 2008 SP2 and also functions as my Exchange Edge Transport server (currently Exchange 2007 SP2). It is hosting three VM guests: a Windows Server 2008 R2 domain controller/global catalog server; an Exchange 2007 SP2 server running the Hub/CAS/Mailbox roles; and a new Exchange 2010 server running the Hub/CAS/Mailbox roles. All mailboxes have been moved to the new E2010 server.

In phase 3, I will uninstalled the Exchange 2007 Edge Transport server role from the host, upgrade the host server to Windows Server 2008 R2, install the Exchange 2010 Edge Transport role, and decommission my last Exchange 2007 Hub/CAS/Mailbox server.

I began by uninstalling Forefront Security for Exchange Server from the Exchange 2007 Hub/CAS/Mailbox server. In order to do this, you must stop all the Exchange services and then uninstall the product using Programs and Features in Control Panel.

Next, I created a new Public Folder database on the Exchange 2010 Mailbox server and enabled replicas on the E2010 mailbox server using the Exchange 2010 Public Folder Management Console in the Exchange Management Console (EMC). I then removed all the Public Folder replicas from the Exchange 2007 Mailbox server role using the Exchange 2007 Public Folder Management Console in the EMC.

You cannot decommission an Exchange mailbox server that contains active mailboxes. They must be moved to another server or disabled. Since I had already moved all my user and resource mailboxes to the new Exchange 2010 server, all that was left was the system CAS mailbox which must be disabled (it cannot be deleted or moved). This is accomplished using the following command from the Exchange Management Shell (EMS):

Get-Mailbox -Database "EX\Mailbox Database" Disable-Mailbox

Now I'm finally ready to uninstall Exchange 2007 from the Hub/CAS/Mailbox server using Programs and Features in Control Panel. However, removal of the Mailbox role fails with the error, "Object is read only because it was created by a future version of Exchange: 0.10 ( Current supported version is 0.1 (8.0.535.0)." I also discover I get the same error if I try to delete the E2007 Public Folder database.

After some research, I found that the only way to delete the "upgraded" Exchange 2007 Public Folder store is using ADSIEdit. This is detailed here, but the basic steps are to navigate to the Public Folder store in ADSIEdit and delete it, which I've done here.

Once the Public Folder database was removed, I ran the uninstallation again, which then succeeded. After Exchange 2007 was uninstalled, I completed the decommissioning by dis-joining the Exchange 2007 server from the domain and turned it off. I then tested mailflow to ensure that inbound/outbound SMTP email is working properly.

Next, I began the operating system upgrade of the Hyper-V host server by uninstalling Forefront Security for Exchange Server and the Exchange 2007 Edge Transport role. This went very smoothly with no issues.

In preparation for my OS upgrade, I shutdown and exported my two Hyper-V VMs to a new folder, H:\Exports. Exporting an VM exports the VM configuration, which includes the hardware, drives, networks (and most importantly, MAC addresses) to an XML file. This allows you to import the VM into a new Hyper-V host server without further configuration.

My process for upgrading the host server was to perform an in-place installation, not an upgrade. This is performed by booting to the Windows Server 2008 R2 DVD and choosing a new installation. Setup will warn that there is already a copy of Windows installed and prompt to continue. When you continue, setup will copy all the old user folders (Documents and Settings), Program Files, and the Windows folders to a new folder named C:\Windows.old, which can be accessed later from the new operating system. When setup completed, I was left with a base Windows Server 2008 R2 server.

I then installed the Hyper-V role and imported the VMs from H:\Exports. I started them up and verified that everything was running properly. I was very pleased to see that the VMs performed faster, due to R2's improved handling and performance of dynamic VHDs.

Next, I installed the Exchange 2010 Edge Transport server role on the host server, reconfigured my anti-spam settings, and created a new Edgesync subscription. After importing the Edgesync subscription in the Exchange 2010 Hub Transport server, I tested Edgesync and mailflow, which worked as expected.

I hope this series helps some of you out!

Labels: , , , , ,

Subscribe in a reader Subscribe by Email

Friday, November 6, 2009

Fix for 'The server name is invalid' error when installing Exchange 2007 Management Tools

You may receive the following error when installing the Exchange 2007 management tools on a computer:

The server name is invalid. It contains characters other than 'A'-'Z', 'a'-'z', '0'-'9' and "-".

While the error indicates that the problem is with the server, it's actually with the name of the local computer where the Exchange 2007 management tools are being installed. The most common reason for this I've seen is when there's a underscore "_" in the local computer name.

The fix for this is to replace the exbpa.prereqs.xml file on the Exchange Server 2007 installation source with the RTM version of the file.  Here are the steps to do this:
  • Download the RTM version of exbpa.prereqs.xml from this blog (right-click the link and choose Save target as...) and save it to a temporary location
  • Disable automatic updating for Exchange 2007 setup. Otherwise, setup will automatically download the most recent version of the file and replace it. Run the following command at the CMD prompt:
reg add "HKCU\Software\Microsoft\Exchange\ExBPA" /v "VersionCheckAlways" /t REG_DWORD /d 0 /f
  • Copy the exbpa.prereqs.xml file you downloaded earlier to the \setup\serverroles\common\en folder on your Exchange 2007 installation media.
  • Now run setup and install the Management Tools, as usual.  You will still see the same error message, as shown above, but you will see an Install button instead of a Retry button.
When the installation is complete, remove the VersionCheckAlways registry key to reenable the automatic update feature using the following command:

reg delete "HKCU\Software\Microsoft\Exchange\ExBPA" /v "VersionCheckAlways" /f
Keep in mind that you may have to do this same procedure again in future update rollups and/or service pack updates.

Labels: , ,

Subscribe in a reader Subscribe by Email

Friday, October 30, 2009

How to Backup Exchange 2010 RTM at Release Timeframe

As with any other major release of Exchange, there will be a gap in third-party vendor support for Exchange 2010 when it is released to general availability next month.

One of those gaps will be supported backup solutions for Exchange 2010.  Thankfully, Microsoft recognized this and added VSS backup support to the built-in Windows Server Backup feature in both Windows Server 2008 and Windows Server 2008 R2.  This capability has been introduced in Exchange 2007 SP2 and Exchange 2010 RTM, allowing you to backup Exchange 2007 SP2 and Exchange 2010 using a native VSS application provider.

Exchange automatically registers its application provider in VSS when Exchange 2010 is installed or when the Exchange 2007 server is upgraded to SP2.  This happens even if the Windows Server Backup feature isn't installed on the server yet.  You simply need to add the Windows Server Backup feature using Server Manager to your Exchange server to enable the Exchange aware VSS backup capability. 

Windows Server Backup (WSB) will allow you to perform Exchange aware backups, similar to NTBackup, with a few notible points:
  • Legacy (streaming) backups are not supported.
  • Since Windows Server Backup performs volume-only Volume Snapshot Service (VSS) backups, there is no specific "Exchange only" backup capability.  When you perform a backup of a volume that contains Exchange data (EDB and log files), WSB automatically performs an Exchange aware backup.  The only visual queue you will see is this, just before the data is backed up:
  • Once WSB notifies Exchange that the VSS Full Backup has completed successfully, Exchange will truncate the log files for all the Exchange 2010 databases or Exchange 2007 SP2 Storage Groups.
Note: The default behavior of WSB is to perform a VSS Copy Backup, which will not truncate the logs. To configure a VSS Full Backup you must configure a Custom backup (not Full Server), add the volumes that contain the Exchange data, click Advanced Settings, and select VSS Full Backup on the VSS Settings tab.
  • Backups must be run against the active node on Database Availability Groups (DAGs) or the active node in an Exchange 2007 CCR cluster.  When the backups complete successfully and the logs are truncated on the active node, the same operation will occur on the passive node.
  • You can backup either to a local hard drive or a network share
  • There is no remote server backup functionality. You must perform the backup from the Exchange server.
  • You can schedule the backups using WSB or install the WSB command line extensions to run a backup from the command line.
  • When restoring, you do not have to restore the whole backed up volume. You can choose to restore only Exchange application data by choosing to recover only the Exchange application, as shown:

And then select Exchange:

  • Recovery can be performed to the original location (overwriting the existing data) or to a new folder or location.  If you choose to recover to another location, WSB will copy just the application data, not recover the Exchange application itself.  You can then use this data in an Exchange 2010 Recovery Database (RDB) or an Exchange 2007 Recovery Storage Group (RSG).
  • You can redirect the restore of an Exchange application to another server.
  • Microsoft Data Protection Manager (DPM) 2010 is also in beta and is available for download.
In a future article, I will explain the process of using an Exchange 2010 Recovery Database (RDB) to recover data from a backup set.

Labels: , ,

Subscribe in a reader Subscribe by Email

Thursday, October 22, 2009

Exchange Server 2010 RTM Upgrade and Installation - Phase 2

These are my notes for phase 2 of my migration from Exchange 2007 SP2 to Exchange 2010 RTM. My notes for phase 1, where I introduced the first Exchange 2010 Hub/CAS/Mailbox server into my existing Exchange 2007 environment, can be read here.

Now in phase 2, I needed to configure the new 2010 server, test mailflow, move the mailboxes, and configure ActiveSync.

I decided to create a third phase, where I will decommission the Exchange 2007 Hub/CAS/Mailbox server, migrate the Windows Server 2008 SP2 Hyper-V host server to Windows Server 2008 R2, and install the Exchange 2010 Edge Transport role on it.

I configured the logging for each server and resubscribed my Edge Transport server. If you don't do this, you'll get the following warning in the Application event log of the 2010 Hub Transport server:
Log Name: Application

Source: MSExchange EdgeSync
Date: 10/22/2009 3:07:25 PM
Event ID: 1032
Task Category: Topology
Level: Warning
Keywords: Classic
User: N/A

Microsoft Exchange EdgeSync can't find the replication credential on to synchronize with Edge server This may happen if joined the current Active Directory site after subscription for was established. To have this Hub Transport server participate in EdgeSync, re-subscribe to the current Active Directory site.
There's no need to remove the old subscription. Just create a new subscription file using the New-EdgeSubscription cmdlet on the Edge Transport server and import it using the New Edge Subscription action in EMC on the 2010 Hub Transport server, as usual. It will update the existing Edge subscription for the new 2010 server.

Next, I reconfigured port forwarding for my Client SMTP Send Connector (TCP port 587) to be directed to the new 2010 server. I tested this using my iPhone, which is connected to my home email using IMAP4 and SMTP. In this configuration, the iPhone gets email from the Exchange 2007 server, but sends email through the Exchange 2010 server. Both incoming and outgoing emails tested fine.

Now I needed to move the mailboxes to the new 2010 server. This is accomplished using the Exchange 2010 Management Console to perform Local Move Requests to the database on the 2010 server. Once the move is completed, I cleared the Move Request in the console to complete the move.

Now it was time to move IMAP services to the new 2010 server. As in previous versions of Exchange, the Microsoft Exchange IMAP4 and Microsoft Exchange POP3 services are set to manual and stopped, by default. I changed the Microsoft Exchange IMAP4 service to automatic and started it. Then I reconfigured port forwarding for IMAP4 (TCP port 143) and IMAP4/TLS (TCP port 993) to be directed to the new server. I sync'd the iPhone using secure IMAP and it worked fine.

Note: I use self-signed certificates for Exchange 2007 and 2010. The iPhone will give a warning saying that the certificate may not be trusted. When you continue anyway, the certificate is automatically installed on the iPhone and you won't be prompted again. Cool!

Next, I used the Microsoft Exchange ActiveSync Connectivity Tests in the Microsoft Exchange Remote Connectivity Analyzer to test that ActiveSync is working properly. This tool allows you to remotely test several aspects of you Exchange infrastructure, including Outlook and ActiveSync AutoDiscover records, ActiveSync functionality, Outlook Anywhere, inbound / outbound SMTP email, and more from a Microsoft-hosted website. Very. Very. Cool. The Exchange team just recently updated the ExRCA to work with Exchange 2010.

Here, I ran into an unexpected problem. The ActiveSync tests were failing in ExRCA with the error, "Exchange ActiveSync returned an HTTP 500 response", as shown below.

Unfortunately, the "Tell me more about this issue and how to resolve it" link refers to a less than helpful article for Exchange 2003. I checked the event logs and found the following error in the Application event log:
Log Name: Application

Source: MSExchange ActiveSync
Date: 10/22/2009 9:18:03 PM
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A

Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Keith Johnson,CN=Users,DC=expta,DC=com" container under Active Directory user "Active Directory operation failed on This error is not retriable. Additional information: Access is denied.

Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
After a bit of research, I discovered that this happens when a user is a member of a Windows built-in group. In my case, the user was a member of Domain Admins. As you probably know, it's best practice to only use admin accounts for administrative functions and to not use them for regular user functions, such as ActiveSync.

To fix the problem, you must remove the user from the built-in group and reconfigure the user's security to apply inheritance (in ADUC, select the Security tab, Advanced, and check Include inheritable permissions from this object's parent). If you don't remove the user from the built-in group, Windows will deselect inheritance.

Once I did all this and retested the ActiveSync functionality using ExRCA, I was ready to configure ActiveSync for my most important user - my wife with her iPhone. It worked like a charm.

There's just a little bit of cleanup to do now. I need to move the Offline Address Book to the new 2010 server and then I can move on to phase 3, where I will decommission the Exchange 2007 server and upgrade the Hyper-V host and Edge Transport server.

Labels: , ,

Subscribe in a reader Subscribe by Email

Monday, October 19, 2009

Exchange Server 2010 RTM Upgrade and Installation Notes

I installed Exchange 2010 RTM into my Exchange 2007 SP2 environment this weekend. This article explains the upgrade process, steps, issues, and resolution for those issues.

My environment consists of a single Windows Server 2008 SP2 Hyper-V host server, running the Exchange 2007 SP2 Edge Transport role. There are two VMs -- one Windows Server 2008 R2 DC/GC and one Exchange 2007 SP2 Hub/CAS/Mailbox server running on Windows Server 2008 SP2.

My upgrade will be in two stages, as shown above. Stage one is to remove the Exchange 2010 RC1 beta, introduce Exchange Server 2010 RTM into my existing Exchange 2007 environment, and to migrate all the mailboxes to it. Stage two is to upgrade my host server from Windows Server 2008 to Windows Server 2008 R2 and decommission the Exchange 2007 infrastructure.

Prior to stage one, I've already replaced my existing Windows 2008 SP2 DC/GC with a new Windows 2008 R2 DC/GC and installed Exchange Server 2007 SP2. Exchange 2007 SP2 extends the Active Directory schema to include all the new Exchange 2010 attributes and allows for interoperability between the two versions.

Removing the Exchange 2010 RC1 Beta
Before I began to install Exchange Server 2010 RTM, I wanted to completely remove Exchange 2010 RC1 (build 639.11) from my environment. As with any other version of Exchange, you need to move/remove all mailboxes from the E2010 RC1 server first.

The only mailboxes I had on Exchange 2010 RC1 were test accounts that I used when writing for the book, "Exchange 2010 Unleashed", so I simply deleted them with the following commands in the Exchange 2010 Management Shell (EMS):

[PS] C:\>Get-MailboxDatabase

Name Server Recovery ReplicationType
---- ------ -------- ---------------
Mailbox Database 0767927725 EX1 False None

[PS] C:\>Get-Mailbox -Database 'Mailbox Database 0767927725' | Remove-Mailbox
This will delete all the regular mailboxes in the specified database. Exchange 2010 also uses hidden arbitration mailboxes, which must be deleted before the mailbox server can be decommissioned. Chris Lehr wrote a great article explaining arbitration mailboxes, which I highly recommend reading. If you don't delete the arbitration mailboxes you will get the following error when you try to uninstall the Exchange 2010 mailbox role:

Uninstall cannot continue. Database 'Mailbox Database 0767927725': This mailbox database contains one or more mailboxes or arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database . To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database -Arbitration. Before you can remove this mailbox database, you must disable, move, or remove user mailboxes and move arbitration mailboxes.
Run the following command in EMS to delete the arbitration mailboxes:
Now you can uninstall all the Exchange 2010 RC1 roles and management tools using Control Panel > Programs and Features. This will also uninstall the Microsoft Full Text Indexing Engine for Exchange, also listed in Programs and Features. Once the uninstallation completes, restart the server.
[PS] C:\Get-Mailbox -Arbitration | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed

Installing Exchange 2010 RTM
Installing Exchange 2010 RTM is very straight-forward and has very few prerequisites in Windows Server 2008 R2, since it already includes Powershell V2 and WSMan. Windows Server 2008 will require ManagementPlatformx64.msi to install these components.

Here are the steps I used for installation of Exchange 2010 RTM:

  • Extract Exchange2010-RC1-x64_639-21.exe to a destination folder and run Setup.exe
  • Select Step 3. Choose Exchange Language Option and Install only languages from the DVD
  • Select Step 4. Install Microsoft Exchange. The Exchange 2010 binaries will copy to a temporary folder for installation.
  • Click Next at the Introduction screen
  • Accept the license agreement and click Next
  • Enable automatic error reporting and click Next
  • Select Custom Exchange Server Installation and click Next
  • Select the Mailbox Role, Client Access Role, and Hub Transport Role. The Exchange 2010 Management Tools are installed automatically. Click Next.
  • Check The Client Access server role will be Internet-facing. Enter the FQDN for the CAS (i.e., and click Next.
  • Select the Customer Experience Improvement Program choice and click Next. The Exchange Readiness Checks will run.
  • The Readiness Checks said that the Hub Transport and Mailbox roles require the 2007 Office System Converter: Microsoft Filter Pack (
  • Download and install FilterPackx64.exe. Click Back and Next to re-run the Exchange Readiness Checks.
  • Click Install to install Exchange 2010 RTM. The installation ran without error in 9 minutes; 24 seconds on my Hyper-V VM.
  • Clear the Finalize installation in the Exchange Management Console checkbox and click Finish
  • Click Step 5: Get critical updates for Microsoft Exchange. Windows Update will run. If prompted, install and run the ActiveX component to install Microsoft Update for other products.
  • Click Check for new updates and install any needed updates. Restart if prompted.
  • Click Close in the Exchange 2010 setup program
  • Launch the Exchange Management Console and verify the Exchange 2010 version is build 639.21.
  • Restart the Exchange 2010 server if it was not restarted for the updates, just to ensure that all the services come up OK.
  • Create a test mailbox on the new server and test mailflow
This is where I'm at right now.  I still need to move my mailboxes from the Exchange 2007 mailbox server to Exchange 2010 before moving on to phase 2.  I'll post again when that's done.

Labels: , ,

Subscribe in a reader Subscribe by Email

Thursday, October 15, 2009

How to Convert Local and Global Groups to Universal Groups

As you may know, Exchange Server 2007 and Exchange Server 2010 force you to create all new distribution groups as universal distribution groups.

The reason for this is that Exchange 2007/2010 requires a local Global Catalog (GC) server in the Exchange site to query for group expansion. A GC can expand domain local, global, and universal groups. However, domain local groups (and sometimes global groups) can only be expanded within the domain local scope. If the GC is a member of the domain, it will be unable to expand a domain local group in the subdomain.

Universal groups can be used anywhere in the same Windows forest. A GC is able expand universal groups in any domain or subdomain in that forest, as long as the domain functional level (DFL) and forest functional level (FFL) are at least Windows Server 2003 Interim Level.

Obviously, the issue with group expansion only occurs in multi-domain "enterprise" environments, but Exchange 2007/2010 doesn't care. Distribution groups and mail-enabled security groups must still be universal groups, even in a single domain environment.
If you're moving from Exchange 2000/2003 to Exchange 2007 or Exchange 2010, you're going to want to convert all your domain local and global distribution and mail-enabled security groups to universal groups so they can be managed using the Exchange management tools.

You can change group types and group scope using Active Directory Users and Computers (ADUC), but you can only do one group at a time. When I first started writing this article I was convinced that Powershell was the best way to do this. But due to limitations in the way that Powershell accesses Active Directory, my scripts were getting quite large and complicated, even when using third party Powershell extensions like Quest's free ActiveRoles Management Shell for Active Directory. I started to look for other ways to perform bulk changes of distribution and security groups.

The most efficient way I found is to use the internal Windows dsquery and dsmod tools. These handy and oft-forgotten tools are installed with the operating system in Windows 2000 and later.

The following command will produce a list of all the groups in the domain and their scope (domain local, global, or universal) and whether the group is a security group. The output is redirected to the Groups.txt file:

This command can take a while to run if the domain contains a large number of groups. It took about a minute to process over 6,100 groups.
dsquery group -limit 0 | dsget group -samid -scope -secgrp > Groups.txt
The command to convert all domain local and global groups (both distribution and security groups) is:
dsquery group -limit 0 | dsmod group -c -q -scope u
The first part of this command uses dsquery to query AD for all groups and then pipes the collection to dsmod to convert each group to a universal group. The -c switch tells dsmod to output any errors and continue. The -q switch tells dsmod to run in quiet mode (suppress successful changes).

Note: Some groups cannot be converted to Universal groups. All of the Windows built-on groups are global and cannot be converted to a different group scope.

Also know that a global group cannot have a universal group as a member. When you see this error, it means that the group is a member of another group that cannot be converted to a universal group (for example, the built-in Account Operators group. Sometimes, this can be like chasing a rat down a hole. The groups may be so deeply nested that it's hard to find the group that is preventing the conversion.

Sometimes it helps to run the conversion command again. For example, dsmod may be unable to convert Group-A to a universal group because it contains the domain local group, Group-B. Later in the process, Group-B is converted from a local group to a universal group. If you run the conversion again, Group-A can now be converted.

Note: Exchange 2007 and Exchange 2010 will automatically convert universal distribution groups to universal security groups if the distribution group is used to apply security settings for a MAPI or Public Folder. My next article will cover this in more detail.

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Tuesday, August 25, 2009

How to Create Custom Error Notifications for IP Block List Providers in Exchange 2007

This doesn't seem to be documented anywhere in Microsoft TechNet, so I figured I'd write up a post about it.

IP Block List Providers in Exchange 2007 are a means to reduce spam from entering your organization. They are configured on the Edge Transport servers, which is detailed in TechNet here. This article explains how to use variables to create a custom error message when an email is rejected by an IP Block List filter.

In Exchange 2003, you can pass parameters to the custom error message using the %0, %1 and %2 variables.

  • %0 = IP address of the sending mail server
  • %1 = Rule name of the connection filter (Provider name)
  • %2 = The RBL provider (Lookup domain)

In Exchange 2007 the variables are the same, but the way you call the variables has changed.

  • {0} = IP address of the sending mail server
  • {1} = Rule name of the connection filter (Provider name)
  • {2} = The RBL provider (Lookup domain)

Using these variables we can craft more helpful error messages, in the event that a real person (not a spammer) is blocked by your block list (aka, RBL) provider.

In the custom error message example above, the following error message would be returned from blocked server

Host was blocked by Trend Micro Email Reputation Services (ERS). Please see

Labels: , ,

Subscribe in a reader Subscribe by Email

Wednesday, August 19, 2009

RAM Upgrade

I just doubled the RAM on my Hyper-V server to 16GB. This is the server that hosts this blog, as well as my other domains and Exchange 2007. Much faster!

Now I have more room to add another Windows Server 2008 R2 test domain and Exchange 2010. Good thing, too, since I just got an invitation email from Microsoft to take the beta exam 71-662: TS: Microsoft Exchange Server 2010, Configuring. I'll probably be taking that in September.

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Thursday, July 30, 2009

Exchange 2007 won't be coming to R2

Microsoft Exchange Server 2007 is supported on Windows Server 2003 and Windows Server 2008 servers, but will not be supported on the upcoming Windows Server 2008 R2 operating system.

The reason, according to Michael Atalla, group product manager in the Unified Communications group at Microsoft, is lack of resources. "We are focusing our resources on getting Exchange Server 2010, which will be fully tested and supported on Windows Server 2008 and Windows Server 2008 R2, customer ready to be released later this year."

This means that if you're planning to do a complete operating system refresh when Windows Server 2008 R2 is released later this year, you'll have to move to Exchange 2010 as well. Not that I need any more reasons to do so, anyway. Exchange 2010 rocks!

Labels: , , ,

Subscribe in a reader Subscribe by Email

Friday, July 24, 2009

How to Tell Which Version of PowerShell is Installed

One of the easiest ways I've found to determine which version of PowerShell is installed on a computer is to run the $host.version command.

The output will display the Major version, Minor version, Build, and Revision number. For example, here is the output from a computer with PowerShell V1 installed:

And here is the output from a Windows Server 2008 R2 beta computer, which has PowerShell V2 integrated into the operating system:

Note that the Build and Revision numbers are -1, indicating that the PowerShell V2 CTP (beta) is installed. Once PowerShell V2 RTW (Release to Web) is available, the Build and Revision numbers should both be zero.

Labels: , , ,

Subscribe in a reader Subscribe by Email

Friday, June 12, 2009

Failure of FSW Causes Cluster Group to Failover

The following information was written for Exchange 2007 CCR mailbox clusters, but it pertains to any clustering solution that uses the Windows Server 2008 Node and File Share Majority cluster quorum configuration.

How Does Node and File Share Majority Clustering Work?

Exchange 2007 CCR uses two clustered Exchange mailbox nodes, called a Clustered Mailbox Server (CMS). In order for Windows to know which node is active, it utilizes a File Share Witness (FSW) to maintain quorum. The FSW is a network share on a third computer (typically a Hub Transport server in the normally active node's physical site). The active node writes information to files in that share and locks them for writing, preventing the passive node from writing to the FSW and taking quorum. It always take two out of three votes to maintain quorum.

If the active node becomes unavailable, the passive node can write to the FSW and the cluster group fails over. In the case of a total site failure where both the active node and the FSW are offline, both the cluster group and the CMS will fail since there is no quorum (there's only one vote).

What Happens When the FSW Becomes Unavailable?

When the FSW fails, the active CMS node (Exchange) does not fail over because there are still two votes (the active and passive nodes). However, the Windows cluster group will fail over to the other node if the FSW does not come back online within 60 seconds. This is because File Share Witness resource in Windows Server 2008 is configured to fail over the cluster group when the FSW fails, as shown below.

Worse, the FSW resource will not come back online for another 60 minutes. During this time, a failure of either one of the nodes will cause the cluster to fail, even if the FSW is back online.

These default settings are provided so that the cluster event logs don't fill up with constant "Trying to start the resource", "The resource failed to start" events during a prolonged outage.

This is what happens when the FSW server is rebooted (during patch management, for example):

  • The server holding the FSW resource is rebooted.
  • The cluster tries to connect to the FSW one minute after failure is detected.
  • If the FSW is still unavailable (which usually happens - most servers take longer than 60 seconds to restart), the cluster group fails over to another node.
  • Wait one hour and try connecting to the FSW again. The FSW is finally brought online.
Note: This behavior only pertains to Windows Server 2008. Windows Server 2008 R2 does not have this issue.

It's important to know that even though the cluster group fails over, there really is no effect on Exchange, even with a geographically disbursed CCR cluster (geo-cluster). However, if you're like me, you like symmetry and order. The cluster group should be with the active CMS node.

Here's how to minimize the time that the cluster group is on the (normally) passive node:

  • Open the Failover Cluster Management console
  • Add the cluster name, if necessary, and select it
  • Double-click Cluster Core Resources in the middle pane to expand it
  • Right-click File Share Witness (\\servername\sharename) and select Properties
  • Click the Policies tab
  • For optimal restart performance, change "If all the restart attempts fail, begin restarting again after the specified period (hh:mm)" to 15 minutes, as shown below:

This configuration will cause the cluster service to attempt to bring the FSW resource to online once every 15 minutes, instead of an hour.

Next, logon to the server holding the FSW resource (typically a Hub Transport server in the active site and install the Failover Clustering Tools feature. You'll find it in Remote Server Administration Tools > Feature Administration Tools.

Now create a batch file called FSW_Online.bat. Enter the following two lines:

  • cluster EXCLUSTER1 res "File Share Witness (\\server\mns_fsw_excluster1)" /online
  • cluster EXCLUSTER1 group “Cluster Group” /

Note: Replace EXCLUSTER1 with your cluster name. Replace \\server\mns_fsw_excluster1 with the name of your FSW resource (enter "cluster res" at a command prompt to find it). Replace with the FQDN of the CMS node you want to keep the cluster group on.

Lastly, configure FSW_Online.bat to run at startup on the FSW resource server:

  • Open Local Group Policy Editor
  • Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup
  • Click Add and browse to the FSW_Online.bat file you created
  • Click OK twice and close Local Group Policy Editor

This is my current best practice for configuring the File Share Witness resource failure policy.

Special thanks go to Tim McMichael, Senior Support Escalation Engineer on the Exchange product support team, for assisting me with this article.

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Friday, May 22, 2009

PowerShell Script to get Exchange Version, Build and Rollup

It's not easy to tell which version and build is installed on Exchange 2007.

I wanted to find a way to display the Exchange version, build number and which Update Rollup is installed on all servers in the organization. I found the perfect script written by Paul Faherty to do just that. I modified the script slightly to work better in Exchange 2003 / 2007 mixed environments.

Download Get-ExchangeServerVersion.ps1 here:

When you run it from the Exchange Management Shell prompt you will see output similar to the following screen:

The output displays the server name, Exchange roles installed, version (Standard or Enterprise), version number, and the Update Rollups installed and their installation dates.

For you code monkeys, here's the Powershell code:

#v1.1, 05/20/2009
#Written By Paul Flaherty,
#Modified by Jeff Guillet,

#Get a list of Exchange servers in the Org excluding Edge servers
$MsxServers = Get-ExchangeServer where {$_.ServerRole -ne "Edge"} sort Name
#Loop through each Exchange server that is found
ForEach ($MsxServer in $MsxServers)
#Get Exchange server version
$MsxVersion = $MsxServer.ExchangeVersion
#Create "header" string for output
# Servername [Role] [Edition] Version Number
$txt1 = $MsxServer.Name + " [" + $MsxServer.ServerRole + "] [" + $MsxServer.Edition + "] " + $MsxVersion.ExchangeBuild.toString()
write-host $txt1
#Connect to the Server's remote registry and enumerate all subkeys listed under "Patches"
$Srv = $MsxServer.Name
$key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\461C2B4266EDEF444B864AD6D9E5B613\Patches\"
$type = [Microsoft.Win32.RegistryHive]::LocalMachine
$regKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($type, $Srv)
$regKey = $regKey.OpenSubKey($key)
#Loop each of the subkeys (Patches) and gather the Installed date and Displayname of the Exchange 2007 patch
$ErrorActionPreference = "SilentlyContinue"
ForEach($sub in $regKey.GetSubKeyNames())
Write-Host "- " -nonewline
$SUBkey = $key + $Sub
$SUBregKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($type, $Srv)
$SUBregKey = $SUBregKey.OpenSubKey($SUBkey)
ForEach($SubX in $SUBRegkey.GetValueNames())
# Display Installed date and Displayname of the Exchange 2007 patch
IF ($Subx -eq "Installed") {
$d = $SUBRegkey.GetValue($SubX)
$d = $d.substring(4,2) + "/" + $d.substring(4,2) + "/" + $d.substring(0,4)
write-Host $d -NoNewLine
IF ($Subx -eq "DisplayName") {write-Host ": "$SUBRegkey.GetValue($SubX)}
write-host ""

Labels: , ,

Subscribe in a reader Subscribe by Email

Tuesday, May 19, 2009

Exchange 2007 SP2 due Q3 2007

On May 11, Microsoft announced that Exchange Server 2007 Service Pack 2 will be released in the third quarter of this year. SP2 extends the feature set of Exchange 2007 to include more functionality and sets the foundation for migrating to Exchange 2010.

Key new features of Exchange Server 2007 SP2 include:
  • Enhanced Auditing - New Exchange auditing events and audit log repository enable Exchange administrators to more easily audit the activities occurring on their Exchange servers. It allows the right balance of granularity, performance, and easy access to audited events via a dedicated audit log repository. This simplifies the auditing process and makes review of audited events easier by segregating audited events in a dedicated location.
  • Exchange Volume Snapshot Backup Functionality - A new backup plug-in has been added to the product that will enable customers to create Exchange backups when a backup is invoked through the Windows Server 2008 Backup tool. Exchange Server 2007 didn't have this capability on Windows Server 2008 and additional solutions were required to perform this task.
  • Dynamic Active Directory Schema Update and Validation - The dynamic AD schema update and validation feature allows for future schema updates to be dynamic deployed as well as proactively preventing conflicts whenever a new property is added to the AD schema. Once this capability is deployed it will enable easier management of future schema updates and will prevent support issues when adding properties that don't exist in the AD schema.
  • Public Folder Quota Management - SP2 enables a consistent way to manage quotas by improving the current PowerShell cmdlets to perform quota management tasks.
    Centralized Organizational Settings - SP2 introduces new PowerShell option that enable centralized management of many of the Exchange organization settings.
  • Named Properties cmdlets - SP2 enables Exchange administrators to monitor their named property usage per database.
  • New User Interface for Managing Diagnostic Logging- SP2 enables Exchange administrators to easily configure and manage diagnostic logging from within the Exchange Management Console.

Exchange SP2 will be a free download to all Microsoft Exchange Server 2007 customers. It will be a requirement to migrate to Exchange Server 2010.

Labels: ,

Subscribe in a reader Subscribe by Email

Monday, April 20, 2009

Stop Spamming Yourself!, Part 2

Frequently, you may receive spam from the Internet that appear to come from your own domain name. This is a common tactic used by spammers to bypass spam filters.

In an earlier article, I showed how to configure Exchange 2007 to reject all SMTP emails from the Internet that supposedly come from your own domain name. We did this by adding your domain name to the Sender Filtering / Blocked Senders configuration on the Edge server.

While this works perfectly, it goes against a Microsoft best practice and doesn't provide for any exceptions. This article will show how to accomplish the same thing using an Edge Transport Rule, as well as how to configure an exception. Let's get started.
  • Logon to the Edge Transport server, open the Exchange Management Console, and navigate to Microsoft Exchange > Edge Transport > Transport Rules tab.
  • Click New Transport Rule in the Actions pane to open the New Transport Rule wizard.
  • Enter a name for the rule and any comments, as shown below, and click Next.

  • For the Conditions in Step 1, click "when the From address contains text patterns" and "from users inside or outside the organization"
  • In Step 2, click the words "text pattern" and add your domain name (i.e., Click the work "Inside" and change it to "Outside". Click Next

  • Now we will set the Action to take upon these messages. In Step 1, click "set the spam confidence level to value" and "reject the message with status code and response"
  • In Step 2, set the SCL to "-1". We do this so that the exceptions configured on the next page will not go to the users' Junk E-mail folders in Outlook. Click Next.

  • For the Exceptions in Step 1, click "except when the text specified words appear in a message header"
  • In Step 2, click "specific words" and add the domain of the sending server (i.e., is an online restaurant reservation system that emails invitations to people when a reservation is made. It spoofs the emailed invitation to looks like it came from the sender. Because of this, it would normally be rejected if it weren't for this exception.
  • Click "message header" and enter "Receive". Click Next.

  • Click New and Finish to create the new Transport Rule.

The rule will now reject all emails from the Internet that claim to be from your domain name, unless the SMTP Receive header contains the text "". It will also set the SCL so that the exception will not be classified as spam by Outlook.

The rule above can also be configured using the Exchange Management Shell using the following command:

new-TransportRule -Name 'Reject inbound emails from' -Comments 'Exception:' -Conditions
-Enabled $true -Priority '0'

The code above is meant to entered as one single line.

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Wednesday, April 8, 2009

How to Move Exchange 2007 Log Files on a CCR Cluster

You cannot move the Exchange 2007 transaction logs to a different location while the CCR cluster is running. You must suspend the cluster, move the transaction log configuration *only* using EMS, and then resume the cluster.

Here are the detailed steps to do this:

  • First, create the folders for the new location of the Exchange transaction logs. For this example, L:\ExchangeLogs\SG1. Make sure to do this on both nodes.

  • Open the Exchange Management Shell (EMS) and run the following commands:

Suspend-StorageGroupCopy -Identity "exchange1\First Storage Group" -SuspendComment "Moving transaction logs" -Confirm:$False

move-StorageGroupPath -Identity 'exchange1\First Storage Group' -LogFolderPath 'L:\ExchangeLogs\SG1' -SystemFolderPath 'L:\ExchangeLogs\SG1' -ConfigurationOnly

move [oldpath]\*.* [newpath]

Resume-StorageGroupCopy -Identity "exchange1\First Storage Group"

Where exchange1 is the name of your CCR cluster, First Storage Group is the name of the storage group logs you want to move, oldpath is the current path of the logs, and newpath is the new target path.

The first line suspends log shipping for the CCR cluster. The second line updates the Exchange configuration in Active Directory to use the new storage group path. The third line moves the existing log files from the old location to the new one. And finally, the fourth line resumes log shipping for the cluster.

Labels: ,

Subscribe in a reader Subscribe by Email

Friday, March 27, 2009

Exchange Server Remote Connectivity Analyzer

More Exchange 2007 goodness from the Microsoft Exchange Team!

Have you ever installed an Exchange server and wanted to verify your Internet facing services were setup and configured properly? Things like Exchange ActiveSync, AutoDiscover, Outlook Anywhere (RPC/HTTP), and inbound email. Sure there are cmdlets included in Exchange 2007 like test-ActivesyncConnectivity and test-OWAConnectivity, but these tests can only be run inside your network and effectively only test your internal network connectivity. Or what if you get a call or an escalation regarding one of these services not working? How do you verify if just this user or everyone has a problem? And if there is a problem, where do you start troubleshooting? Is it a DNS problem? Is it a certificate problem? Is a port not open on the firewall?

I'd like to introduce you to the Exchange Remote Connectivity Analyzer (ExRCA) tool which can be accessed at

In this version, the tool will allow you to remotely test the following client types and services:

Exchange ActiveSync

  • Windows Mobile 5, 3rd party devices

  • Windows Mobile 6.1+ with AutoDiscover

Outlook Anywhere (aka RPC/HTTP)

  • Outlook 2003

  • Outlook 2007 with AutoDiscover

Inbound SMTP

The tool will simulate the protocol logic used by the specific client and not only tell you if the scenario was successful, but if it fails, it will tell you exactly where in the process it failed as well as try to guide you to the problem resolution.

Read more about the tool and how it works here!

Labels: , ,

Subscribe in a reader Subscribe by Email

Thursday, March 26, 2009

Breaking the Artificial Database Size Limit in Exchange 2007 Standard Edition

Exchange Server 2007 has a theoretically unlimited database storage capacity. In reality the limit is 16TB, and this limit is the same in both Standard and Enterprise editions. The storage differences between these two editions have to do with the maximum number of storage groups and databases that can be placed on each server.

Exchange 2007 Standard Edition:
Storage Group – up to 5, Database per SG – up to 5, Database limit – 16 TB.

Exchange 2007 Enterprise Edition:
Storage Group – up to 50, Database per SG – up to 50, Database limit – 16 TB.

Even though E2K7 Standard has a hard 16TB database size limit, there is an artificial limit imposed in the registry. The default cap in RTM is 50GB and the default cap in SP1 is 150GB. Here's how to change this artificial limit:

  • Open RegEdit and navigate to:

HKLM \ SYSTEM \ CurrentControlset \ Services \ MSexchangeIS \ servername \ Private-{respective-DB-GUID}

  • Create a new DWORD value "Database Size Limit in Gb"

  • Assign its decimal value (in GB). For example, enter decimal 200 for a 200GB artificial limit.

  • Restart the Microsoft Exchange Information Store service

Note: E2K7 Enterprise Edition does not have an artificial limit.

Note: If the Exchange Server Best Practices Analyzer (ExBPA) finds that the Database Size Limit in Gb value is present and configured, the Exchange Server Analyzer displays a non-default configuration message.

Labels: , ,

Subscribe in a reader Subscribe by Email

Thursday, January 22, 2009

Automating Exchange 2007 Prerequisites for Windows Server 2008

Each server role in Exchange 2007 requires Windows prerequisite software before the Exchange role can be installed on a Windows 2008 server.

All Exchange server roles require the Windows PowerShell feature. Other server roles and features are required, depending on the Exchange role(s) you are installing:

  • The Exchange Hub Transport role requires only the Windows PowerShell feature.
  • The Exchange Client Access role requires the Web Server role with the ISAPI Extensions, Web Metabase, IIS6 Management Console, Web Basic Authentication, Web Digest Authentication, Web Windows Authentication, and Web Dynamic Compression role services. It also needs the Windows PowerShell feature. If the CAS will support Outlook Anywhere clients, it will also need the RPC over HTTP Proxy feature.
  • The Exchange Edge Transport role requires the Active Directory Lightweight Directory Services role and the Windows PowerShell feature.
  • The Exchange Mailbox Server role requires the Web Server role with the ISAPI Extensions, Web Metabase, IIS6 Management Console, Web Basic Authentication, and Web Windows Authentication role services. It also needs the Windows PowerShell feature. If the mailbox server will be clustered, it will also need the Failover Clustering feature.
  • The Exchange Unified Messaging role requires the Windows PowerShell and Desktop Experience features.

These server roles and features can be added using the Server Manager UI, but this post focuses on automating the installation from the command line using the ServerManagerCmd utility.

I have created answer files to use with ServerManagerCmd for each Exchange server role:

Note that I have added the Active Directory Domain Services Tools feature to the All-in-One and Mailbox answer files, since most administrators usually install them with these roles. You can remove this from these answer files if you wish.

Also note that the all of these Exchange roles will work for the Hub Transport role, since the Hub role only requires PowerShell. It is common to combine the Hub and CAS roles on a single server. You only have to use the appropriate CAS answer file in this case.

To use these answer files, right-click the answer file above and save it to C:\ on the target Windows 2008 server. Open a Command Prompt and run the following command:

ServerManagerCmd -InputPath C:\answerfile.xml -WhatIf

This will test the answer file you specified and display what operation will do. Review the output and then run it again without the -WhatIf switch to actually perform the installation. Then install the appropriate Exchange 2007 server role from the DVD.

Labels: , ,

Subscribe in a reader Subscribe by Email

Monday, January 12, 2009

How to Move the SMTP Queue in Exchange 2007

Unlike previous versions of Exchange, all SMTP queue activity in Exchange Server 2007 happens in a new ESE database.

By default, this database (and its logs) exists in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue folder. You may wish to move this database and its logs to a seperate physical volume for better performance. Here's how to do this:

To Change the Database Path:

1. Open the EdgeTransport.exe.config file in the C:\Program Files\Microsoft\Exchange Server\Bin folder using Notepad

2. Edit the value of the line containing add key="QueueDatabasePath" to reflect the new path. For example:

add key="QueueDatabasePath" value="D:\QueueDB"

To Change the Database Logs Path:

3. Edit the value of the line containing add key="QueueDatabaseLoggingPath" to reflect the new path. For example:

add key="QueueDatabaseLoggingPath" value="D:\QueueLogs"

4. Save the file and restart the Microsoft Exchange Transport service

Labels: , ,

Subscribe in a reader Subscribe by Email

Monday, December 1, 2008

Stop Spamming Yourself!

We all knew that the huge decrease in spam that occurred after was shutdown would be short-lived.

Recently, I've a seen large increase in the amount of spam to me apparently coming from me.

Note: Exchange 2003 and 2007 displays the "from" address
of these emails as the full SMTP address (i.e.,, rather than the resolved name (Jeff Guillet), to show that the email actually came from outside the company.
To stop spamming yourself, configure your SMTP gateway server to reject all external emails from your domain(s). Here's how to do this using the Exchange 2007 Edge Transport server:
  1. Open the Exchange Management Console (EMC) on the Exchange Edge Transport server

  2. Expand Microsoft Exchange and select Edge Transport

  3. Double-click Sender Filtering to open its properties

  4. Click the Blocked Senders tab and click Add

  5. Select Domain, enter your SMTP domain name, Include all subdomains, and click OK

  6. Click OK again to close the Sender Filtering Properties window

Now the Edge server will not accept non-authenticated emails from your domain to your domain. Note that this does not affect any external Windows Mobile or Outlook Express clients from sending email into your domain, as long as these users are authenticated.

You can use the following VB script to test the new settings:

'VBScript to test SMTP email

CONST mailServer = ""
CONST emailAddress = ""

Set objEmail = CreateObject("CDO.Message")
objEmail.From = emailAddress
objEmail.To = emailAddress
objEmail.Subject = "Test Message"
objEmail.Textbody = "This is a test message."
objEmail.Configuration.Fields.Item _
("") = 2
objEmail.Configuration.Fields.Item _
("") = mailServer
objEmail.Configuration.Fields.Item _
("") = 25
MsgBox "SMTP Email sent successfully to " & emailAddress, vbInformation, "TestSMTP"

Change the mailServer variable to use your Edge Transport server name and the emailAddress variable to use your internal SMTP address. The script will send SMTP email to the email address from the same email address.

Before Sender Filtering is enabled, the script will return a success message:

After Sender Filtering is enabled, the script will return a Sender Denied message:

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Saturday, October 25, 2008

Getting Windows Mobile to Work with Exchange 2007 Using POP3/IMAP4 and SMTP (Part 2)

This is part 2 of my series, where I show you how to configure Windows Mobile to send and receive email from Exchange 2007 using IMAP4 and SMTP.

Part 1, where we configured Exchange 2007, can be read here.

Now that Exchange 2007 is configured, we need to configure a new email account in Windows Mobile. How you do this depends on the version of Windows Mobile on your device, but the essential steps are as follows:

  • Enter your email address and password to access the new account

  • Select Internet e-mail from the dropdown box for Your e-mail provider

  • Enter your name as you want it to appear to recipients and choose an account display name on the device (i.e., IMAP Email)

  • Enter the FQDN for the Exchange 2007 server that holds the Client Access (CAS) role (i.e., for the Incoming mail server.

  • Choose IMAP4 as the Account Type

  • Enter your account logon (domain\username) for the User Name and enter the network password

  • Enter the FQDN for the Exchange 2007 server that holds the Hub Transport role, followed by :587 (i.e., for the Outgoing (SMTP) mail server. See the figure above. If you don't follow the FQDN with :587, the Windows Mobile device will use the standard port 25 for SMTP communication.

  • Select Outgoing server requires authentication

  • Under Advanced Settings, select both the Require SSL for Incoming e-mail and Require SSL for Outgoing e-mail checkboxes to encrypt the traffic between the Windows Mobile device and Exchange 2007

  • Configure your Automatic Send/Receive schedule

Important Note: You must enter the FQDN:587 correctly the first time for the Outgoing (SMTP) mail server field. You cannot edit it later once you've clicked off that field -- if you do, Windows Mobile will still use port 25. This seems to be a bug in Windows Mobile 6.1 and may happen in other versions, as well. If you don't enter it correctly the first time, you will either need to cancel the setup wizard and start over again or delete the email account and recreate it.

Now test your new settings by synchronizing the mail account and test sending
an email. If you get an error saying,

Message not sent. The message 'Test email' was not sent and has been moved to the Drafts folder. The server returned the following error message:

550 5.7.1 Unable to relay

It means that the Windows mobile device is trying to send SMTP email over port 25 through your Exchange server to a remote address, which is relaying. Delete the account you just created and do it again, making sure to enter :587 after the FQDN of the SMTP server.

I hope this two-part series helps you get IMAP and SMTP working properly between Exchange 2007 and your Windows Mobile device!

Labels: , , ,

Subscribe in a reader Subscribe by Email

Friday, October 24, 2008

Getting Windows Mobile to Work with Exchange 2007 Using POP3/IMAP4 and SMTP (Part 1)

This is the first of a two-part article that describes how to enable Windows Mobile devices to receive email from Exchange 2007 using IMAP4 and send email using SMTP.

As you probably know, Windows Mobile can only have one connection agreement with Exchange at a time. That means that if you want to access additional email accounts you must use POP3 or IMAP4 for incoming email and SMTP for outgoing email on your device.

In part 1, I will describe how to set up IMAP4 and SMTP client email submission in Exchange 2007. Part 2 will describe how to configure the Windows Mobile client.

Configuring IMAP4 in Exchange 2007
POP3 offers simple email retrieval services from a user's Inbox in Exchange. IMAP4 offers a few more extensive features, including access to all the folders in the user's mailbox. Neither of these services are enabled in Exchange 2007 by default. To enable POP3 or IMAP4 (usually one or the other), simply change the appropriate service from Manual to Automatic on your Exchange 2007 Client Access server (CAS) and then start it. In this article I will be using IMAP4 for Windows Mobile access.

The next step is to configure the logon authentication mechanism for IMAP4. I strongly recommend using TLS to secure logons so that usernames and passwords are not transmitted in plain text.
  • Open the Exchange Management Console (EMC)
  • Navigate to Server Configuration, Client Access and view the POP3 and IMAP4 properties of the CAS
  • Double-click the IMAP4 protocol and select the Authentication tab
  • Select Secure Logon. A TLS connection is required for the client to authenticate to the server.
  • Select the appropriate X.509 certificate to use and click OK to close the properties window

Configuring SMTP Client Submissions in Exchange 2007
Now we need to configure the Exchange 2007 Hub Transport (HT) server to accept (receive)inbound SMTP connections from clients.

  • Open the Exchange Management Console (EMC)
  • Navigate to Server Configuration, Hub Transport and select the HT server
  • Click New Receive Connector from the Action pane
  • Give the new Receive Connector a name such as, "Mobile Clients"
  • Select Client as the intended use for this receive connector and click Next
  • Click Next to allow all remote networks to use this receive connector
  • Click New to create the new Receive Connector
  • Now open the properties of the Mobile Clients connector
  • Click the Network tab and notice that the port the connector uses is 587
  • Click the Authentication tab. Ensure that Transport Layer Security (TLS), Basic Authentication, Offer basic authentication only after starting TLS, and Integrated Windows Authentication are checked.
  • Click the Permissions Groups tab. Ensure that only Exchange users is checked and click OK to close the properties window.

Name Resolution and Port Forwarding
The FQDN of the CAS (i.e., and the HT server (i.e., must be resolvable from your Windows Mobile device on the Internet. The CAS must also accept IMAP4 requests and the HT must accept SMTP submissions from your Windows Mobile device. This may require you to configure port forwarding from your external firewall. You will need to forward TCP port 143 for IMAP4 to the CAS and port 587 for client SMTP message submission to the HT server.

Port 25 is fast becoming the port used exclusively for server to server SMTP traffic and port 587 is becoming the standard for client to server SMTP traffic.

So far, we have configured Exchange 2007 to allow secure IMAP4 and SMTP client access. In part 2 of this series I will discuss how to enable IMAP4 and SMTP access to Exchange from a Windows Mobile device.

Labels: , , ,

Subscribe in a reader Subscribe by Email

Monday, August 25, 2008

Exchange Server Virtualization Support Policy Summary

Microsoft released their Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments document this month. I reviewed the support document and summarized the salient facts here.
Exchange 2007 Virtualization

Host Requirements:
  • A hypervisor virtualization solution that has been validated by the Windows Server Virtualization Validation Program
  • Adequate storage space to accommodate the host OS and components, paging file, management software and crash recovery (dump) files
  • Storage space must be allocated for Hyper-V temporary memory storage (BIN) files, equal to the amount of RAM allocated to each guest
Guest Requirements:
  • Exchange 2007 SP1 (or later) deployed on Windows Server 2008
  • Cannot have the Unified Messaging Role installed
  • The total maximum number of virtual processors cannot exceed the twice the number of physical cores.Typically 2 virtual processors are required for each Exchange server guest, but use this as a baseline
  • Large mailboxes (1GB and larger) require the use of Cluster Continuous Replication (CCR)
  • CCR nodes must be hosted on separate physical host servers to provide true redundancy and high availability
  • Mixing physical and virtual nodes is supported for CCR and SCC environments
  • Exchange supported backups must be run from the guest
  • Both legacy backups (using ESE streaming APIs) and Exchange-aware software-based VSS backups (Data Protection Manager) are supported
  • VSS backups of the an Exchange guest is supported if the guest uses only VHDs (not pass-through disks)
Guest Storage Requirements:
  • Supports fixed size VHDs, SCSI pass-through and iSCSI storage
  • Storage must be dedicated to one guest machine. In other words, a pass-through disk must be dedicated to one, and only one, guest.
  • Guest OS must use a minimum fixed-size VHD of 15GB plus the size of virtual RAM allocated to the guest
  • VHD limit is 2,040GB (nearly 2TB) in Hyper-V
  • Hub and Edge Transport servers require sufficient storage for message queues and log files
  • Mailbox servers require sufficient storage for databases and log files
  • iSCSI storage using an iSCSI initiator within the guest is supported. This offers greater portability, but decreased performance
Not Supported:
  • Dynamically expanding VHDs are not supported
  • Snapshots or differencing disks are not supported
  • Virtualization high availability solutions, such as Hyper-V Quick Migrations, are not supported. Only Exchange aware HA solutions (SCC, LCR, CCR and SCR) are supported.
  • VSS backups of the Exchange guest machine's pass-through disk from the host are not supported
  • Storage should be hosted on separate disk spindles from the guest's OS
  • Use SCSI pass-through storage to host transport and mailbox databases and transaction logs
  • When using iSCSI storage, configure the iSCSI Initiator on the host and present it as a pass-through disk to the guest
  • Use dedicated NICs with jumbo frames and not bound to a Virtual Network Switch, Gigabyte Ethernet, and isolated networks for iSCSI storage
Exchange 2003 Virtualization

Host Requirements:
  • The hardware virtualization software is Microsoft Virtual Server 2005 R2 or any later version of Microsoft Virtual Server
Guest Requirements:
  • Exchange Server 2003 SP2 (or later)
  • Microsoft Virtual Server 2005 R2 Virtual Machine Additions must be installed on the guest operating system
  • Exchange Server 2003 is configured as a stand-alone server and not as part of a Windows failover cluster
  • Each guest must have only one CPU
Guest Storage Requirements:
  • The SCSI driver installed on the guest operating system is the Microsoft Virtual Machine PCI SCSI Controller driver
  • The virtual hard disk Undo feature is not enabled for the Exchange virtual machine
  • Consider adding a dedicated virtual network adaptor for Exchange Server backups
  • Create separate fixed-size VHDs for Exchange Server databases and log files and store them on separate physical drives on the host
  • Exchange Server performance should be validated before production by using the Exchange Server 2003 Performance Tools
  • Make sure that the host server is sized correctly to handle the number of virtual machines that you plan to deploy
  • Use a storage solution that enables fast disk access
  • Antivirus programs should be configured to not scan VHD files

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Thursday, August 21, 2008

Microsoft Exchange Virtualization and Licensing Announcements

Microsoft announced some significant changes to its licensing and support policies for applications in hardware virtualization environments. There are two key parts of the announcement worth highlighting for Exchange customers:
  • Microsoft now supports Exchange Server 2007 SP1 running Hyper-V or hypervisors validated under the Microsoft Server Virtualization Validation Program (SVVP).
  • Microsoft is waiving its 90-day license reassignment policy to enable customers who virtualize Exchange to move their licenses between servers within a data farm as often as necessary.

Microsoft has published a new whitepaper, Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments, which includes Microsoft's support policy and recommendations for running Exchange Server 2003 in a Microsoft Virtual Server 2005 R2 environment. This article is a must-read for anyone considering a virtualized Exchange environment.

See this article on the Exchange Team blog for more details.

Labels: , ,

Subscribe in a reader Subscribe by Email

Tuesday, August 19, 2008

How to Configure the SCL in Exchange

Recently I was asked what the proper Spam Confidence Level (SCL) should be for an Exchange 2007 installation. The answer is the ever-popular, "it depends."

The SCL is a value that Exchange assigns to each incoming SMTP email and is based on Microsoft's SmartScreen technology. This score determines how likely Exchange thinks an email message is spam. A rating of 0 means the message is not likely spam and a rating of 9 means the message is most likely spam.

SmartScreen is a "black hole" technology -- meaning that the algorithms and heuristics it uses for scoring is not published by Microsoft, thereby making it more difficult for spammers to create messages that can score lower and pass the filter. The Exchange server downloads new heuristics from Microsoft periodically.

Exchange 2003 SP2 introduced the Internet Message Filter (IMF) to score emails with an SCL rating. Exchange 2007 uses Content Filtering on the Anti-spam tab of the Edge Transport server to score emails (as shown below). It can also be enabled on a Hub Transport server if Edge Transport servers are not used. See How to Enable Anti-Spam Functionality on a Hub Transport Server.

Selecting the right SCL filter level is not an exact science. You're trying to filter obvious spam without accidentally filtering legitimate messages. You can use the following method to determine the starting point for your filter.

Using Perfmon to Select the SCL Filter Level
The best way to determine the appropriate SCL filter level is to use perfmon and examine the MSExchange Content Filter Agent object. Over time, the "Messages with SCL x" counters will increment and begin to show a trend.

In the example below, the Messages with SCL 0 through 7 counters are in the lower half of the scale. Messages with SCL 8 is off the charts at 270 -- more than all the lower SCL levels combined. From this data we can infer that it is safe to filter messages with an SCL higher than 7.

Note that these counters reset to zero upon restart of the server. It may take a little while before the trend appears.

Keep in mind that this is only the filter to begin with. You may have to adjust your filter up or down for your specific environment, but this will give you an excellent starting point.

SmartScreen filtering is just one of the anti-spam solutions available for Microsoft Exchange Server 2007. Other solutions include Sender ID Framework, Outlook Junk E-Mail Filter, and Microsoft Exchange Hosted Filtering. See the Microsoft AntiSpam Technologies website for more details.

Labels: , , , , , ,

Subscribe in a reader Subscribe by Email

Thursday, July 31, 2008

It's Not Exchange 2007 Enterprise Until You Enter the Product Key

According to the Microsoft article, "Exchange Server 2007: Platforms, Editions, and Versions":

"When you install Exchange 2007, it is unlicensed and referred to as a Trial Edition. Unlicensed (Trial Edition) servers appear as Standard Edition, and they are not eligible for support from Microsoft Product Support Services. The Trial Edition expires 120 days after the date of installation."

This means that you will be unable to add additional storage groups, managed folders, or use any of the Exchange Enterprise features until you enter the Enterprise product key.

Labels: , ,

Subscribe in a reader Subscribe by Email

Friday, June 20, 2008

Using Exchange 2007 Header Firewall

Each time an SMTP email is passed from one server to another, the receiving server records the hand-off in the SMTP headers of the email. This is usually recorded like this:
Received: from ( by ( with Microsoft SMTP Server id; Fri, 20 Jun 2008 15:17:46 -0700
Customers often do not like their internal email infrastructure exposed in the SMTP headers for security reasons. It displays private information, such as internal IP addresses and SMTP versions that can be used by bad guys for targeted attacks. In the example above, SMTP Server id tells me that at public IP is running Exchange Server 2007 SP1.

You can remove this information from the SMTP headers on Exchange 2007 using a concept called Header Firewall. This is done using the remove-adpermission cmdlet in the Exchange Management Shell. If you use Exchange 2007 Edge server(s), run the following one-liner:

Remove-ADPermission -id "EdgeSync - companyabc to Internet" -User "MS Exchange\Edge Transport Servers" -ExtendedRights Ms-Exch-Send-Headers-Routing

Note: Replace "EdgeSync - companyabc to Internet" with the name of the Internet bound send connector. You can run the Get-SendConnector cmdlet to display the names of all the Exchange send connectors.

For Exchange 2007 implementations that do not use Edge servers, use the following:

Remove-ADPermission -id "companyabc to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing
Again, replace "companyabc to Internet" with the name of the Internet bound send connector.

Essentially, you want to remove the rights of the last user account that will handle the outbound SMTP from reading the Ms-Exch-Send-Headers-Routing attribute in Active Directory. For Edge servers that will be the MS Exchange\Edge Transport Servers user account and for everything else it will be NT Authority\Anonymous Logon. Doing so will remove all the internal relay entries in the header before the last Exchange server, making the email appear like it originated from that last server.

Labels: , ,

Subscribe in a reader Subscribe by Email

Friday, June 6, 2008

New Certifications

May 2008 was a busy month for me.

In addition to writing a book, I passed five exams in the first three weeks and earned my MCITP:Enterprise Messaging Administrator (the premier Exchange 2007 administrator certification) and three MCTS certifications (SCOM 2007, ForeFront and Exchange 2007).

That makes 34 exams in a row that I've passed without failing, including my CISSP. Yes!! The streak remains unbroken!

I've put together a certifications page that lists the current certifications that I hold, which I'm rather proud of.

Tomorrow I'm off to TechEd and I can't wait! I'll be blogging at least once a day while I'm there. Check my blog all week. If you're going to TechEd yourself, I might meet you at the TechEd Blogger Ultra Lounge. See you there!

Labels: , , , , , , , ,

Subscribe in a reader Subscribe by Email

Thursday, May 15, 2008

Microsoft Exchange Server 2007 Management Tools (32-Bit) Released

Microsoft has released a 32-bit version of the Microsoft Exchange Server 2007 Management Tools.

Exchange Server 2007 is a native 64-bit application that includes 64-bit management tools. You can use the management tools to administer your Exchange Server environment remotely. If your remote computer is running a 32-bit operating system, you will need to download the 32-bit management tools.

The Exchange management tools include the Exchange Management Console (EMC), the Exchange Management Shell (EMS), the Exchange Help file, the Microsoft Exchange Best Practices Analyzer Tool, and the Exchange Troubleshooting Assistant Tool.

Get the 32-bit Exchange management tools here.

Labels: , ,

Subscribe in a reader Subscribe by Email

Monday, April 7, 2008

Getting Exchange 2007 to work with SBC Yahoo DSL

Update: Beginning yesterday, November 14, 2008, the email relay servers began NDRing emails sent from AT&T customers. Again, this information was not passed on to its customers.

I've updated the instructions below to use the servers, which are now accepting authenticated connections.

First, let me say that SBC Yahoo is less than helpful on any assistance with configuring Exchange (any version) to work with their SMTP gateways. Really, I can't blame them too much because of the potential to hammering of their systems with large quantities of email from businesses using a "home"level of service.
In any event, here's how to configure Exchange 2007 with Edge services to send email through SBC Yahoo's email servers.

Configure the outbound Send Connector
  • Logon to the server hosting the Hub Transport role
  • Open the Exchange Management Console (EMC)
  • Expand Microsoft Exchange\Organization Configuration\Hub Transport
  • Click the Send Connectors tab
  • Double-click your outbound SMTP connector to open its properties. Mine is named "EdgeSync - expta to the Internet"
  • Click the Network tab
  • Select "Route email through the following smart hosts" and click the Add button
  • Select "Fully qualified domain name (FQDN)" and enter as the smart host. Click OK
  • Select Basic Authentication (do not check Basic Authentication over TLS)
  • Enter your SBC username (i.e., and SBC password. Click OK

Configure the Edge server to use port 587
  • Yes, yes, I know that SBC's documentation says SSL port 469, but trust me, it's 587...
  • On the Hub Transport server, open the Exchange Management Shell (EMS)
  • Type Get-SendConnector and make note of the name of the send connector you just configured. Again, mine is "EdgeSync - expta to the Internet"
  • Type Set-SendConnector "EdgeSync - expta to the Internet" -port 587 to change the port. Obviously, change the name in quotes to the name of your Send Connector.
  • Type Start-EdgeSynchronization to force a sync with the Edge server

Force the Send Connetor to Retry
  • Open EMC on the Edge server and click Toolbox
  • Double-click Queue Viewer
  • On the Queues tab, select the outbound SMTP queue and click the Retry action

Notes: TLS is not the same thing as SSL. TLS creates a secure connection between servers, while SSL creates a secure connection between a client and a server. TLS is capable of reverting back to SSL 3.0 if TLS doesn't work, but this is not an RFC requirement. At the time of this writing, Microsoft's implementation of TLS does not revert to TLS.

You should also register your external email address with SBC Yahoo's email system. This will ensure that email from your external account won't be NDR'd back to you when you send it. See

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Thursday, March 27, 2008

How to Change the Outgoing SMTP Port in Exchange 2007

By default, Exchange Server 2007 uses port 25 to send SMTP email using Send Connectors. On occasion you may be required to configure an Exchange Send Connector to use a different port - For example, TCP port 465 is commonly used for SMTP over SSL for secure SMTP communication using the SSL protocol. Configuring the port is not exposed through the Exchange Management Console (EMC), it must be configured from the Exchange Management Shell (EMS).

To get a list of the Send Connector names configured in your organization, run:
Here's the one-liner that configures a Send Connector to use port 465:
Set-SendConnector "Your SMTP Send Connector" -Port 465
If you're using a Microsoft Edge server, you will need to configure this from any server that is not running the Edge role. You will also need to wait for an EdgeSync operation or force it manually:
No services need to be restarted for this change to go into effect.

Labels: , ,

Subscribe in a reader Subscribe by Email

Tuesday, March 11, 2008

Windows Server 2008 Upgrade Complete

In a previous post I mentioned that I was going to upgrade my network to Windows Server 2008. Well, I've completed the upgrade and it ROCKS!

I now have a single W2K8 Enterprise server running Hyper-V RC0. This server hosts two guests, one x86 domain controller and one x64 Exchange 2007 server running ForeFront Security for Exchange Server. The host server is running this blog as well as Exchange 2007 Edge services. The performance is outstanding! Much better than my old x64 Windows 2003 host running VMware.

The Exchange Team posted a great article, Speeding up installation of Exchange Server 2007 SP1 Prerequisites on Windows Server 2008. It offers XML files that configure the Windows Server 2008 prerequisites for Exchange 2007 SP1. While it wasn't that difficult to install everything manually, it would have saved some time for me if I had this before my upgrade.

Last night I completed the upgrade and decommissioned the old W2K3 DC, Exchange and Edge servers.

Please let me know if you have any issues with the blog. The migration went very smooth and I don't anticipate any problems.

Labels: , , , , , , , ,

Subscribe in a reader Subscribe by Email

Wednesday, March 5, 2008

How to Add SMTP Verb Commands to ISA Server 2006

If you have an ISA 2006 server between a Microsoft Exchange 2007 Edge server and the Exchange Hub Transport server, you may have a problem where messages queue on the Edge with 500 5.1.1 "unrecognized command" errors.

This Microsoft article partially explains how to resolve the problem. When the Edge Transport server tries to send mail through Microsoft Internet Security and Acceleration (ISA) Server 2006, with SMTP filtering or Secure SMTP (SMTPS) filtering enabled, the SMTP filter blocks the communication. You fix this by either disabling the SMTP filter on the ISA server or adding the verbs (and optionally their maximum length) to the SMTP filter.

What the article doesn't say is which verbs to add or their maximum length. Well, here they are:


  • DSN




  • AUTH





  • XEXCH50

  • SIZE

All the verbs have an empty maximum length except for possibly SIZE. That should be set to the maximum message size allowed in your org in bytes (for example, 10485760 for 10MB).

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Saturday, March 1, 2008

You can't get there from here...

This weekend I'm starting the migration of my production network from Windows 2003 servers running VMware for virtualization to Windows Server 2008 with Hyper-V.
I have it all planned out like this:
  • Clone my existing W2K3 VMware VMs (DC and E2K7) to a USB drive

  • Convert the VMware VMs to VHDs using System Center Virtual Machine Manager 2007

  • Mount the VMs on my new isolated W2K8 host; test

  • Create a new W2K8 DC VM to upgrade the domain

  • Create a new W2K8/E2K7 VM and migrate all the mailboxes to it

  • Decommission the W2K3 DC and E2K7 VMs

  • Test the new environment

  • Move my blog and websites to the new W2K8 host

  • Turn off my old W2K3 box and re-IP the W2K8 server with the W2K3 server's IP. This will put it into production.

  • Test the web, Exchange, OWA environment again

  • Drink a beer to celebrate. OK, there might be some pre-celebration drinking throughout the process...

By following this plan, I'll minimize downtime to a few minutes and I'll always be able to roll back to the old server simply by turning it back on.

Sounds like a good plan, but here's why it won't work -- the only tool that can convert VMware VMs to VHDs is Virtual Machine Manager 2007 (Hyper-V can't do this on its own), but VMM 2007 can't create or convert x64 VMs. Both my DC and E2K7 server are 64-bit, so at this time there's no way to get there from here. I only wish I'd have remembered this before I spent 4 hours configuring the VMM2007 server and domain. Doh!

By the way, the failure I got during the x64 VM conversion was on step 1.5, "Make operating system virtualizable." This happened right after the plug and play system reported it was "Installing Microsoft Virtual Server Storage devices."

Microsoft Virtual Machine Manager 2008 is expected to create and convert 64-bit guests, but the earliest bits whon't be available for it till around March.

So, my updated migration plan is this:

  • Clone my existing W2K3 VMware VMs (DC and E2K7) to a USB drive as backups

  • Build a new Windows Server 2008 Hyper-V host

  • Introduce a new W2K8 DC Hyper-V guest into the domain

  • Create a new W2K8/E2K7 Hyper-V guest

  • Configure a new Edge server on the W2K8 host

  • Migrate all the mailboxes from the old E2K7 server to the new one

  • Decommission the W2K3 DC and E2K7 VMs

  • Test the new environment

  • Move my blog and websites to the new W2K8 host

  • Turn off my old W2K3 box and re-IP the W2K8 server with the W2K3 server's IP. This will put it into production.

  • Test the web, Exchange, OWA environment again

  • Commence said beer drinking celebration

Labels: , , , , ,

Subscribe in a reader Subscribe by Email

Friday, February 29, 2008

Leap Year Error in Exchange 2007

Trouble with your Exchange 2007 list service failing to respond today? Go home and try again tomorrow - it's a leap year.

Users around the world are reporting in the Microsoft Exchange Server Admin forum that they are unable to create new email and domain acceptance policies today, February 29. When they advance the clock on the Exchange server to March 1, 2008 the policies work as expected.

The issue is preventing admins from moving mailboxes within their Exchange 2007 servers, getting the error:.

"The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error."

If you do decide to change your server time, be sure to stop and disable the Windows Time service on the Exchange server to prevent the time from resyncronizing with the Domain Controllers. Also be aware of other side effects, such as message tracking and log changes, etc.

Update: Nino Bilic from the Microsoft Exchange team has confirmed this problem on the Exchange Team Blog:

"After investigation of this problem we have learned that this problem would occur only if you have started or restarted the Microsoft Exchange System Attendant service between 12:00AM UTC , Feb 29, 2008 and 12:00AM UTC, Mar 1, 2008.

"If you are impacted by this, all that you have to do is restart the Microsoft Exchange System Attendant service after the midnight UTC, March 1, 2008. Restart of the System Attendant will not disrupt your Information Store service."

Labels: ,

Subscribe in a reader Subscribe by Email

Tuesday, February 26, 2008

Top Ten Reasons to Move to Exchange 2007

Here are some key features and technologies Exchange Server 2007 provides that make a good business case for its use:
  • Fault Tolerance -- Exchange 2007 offers several forms of fault tolerance, right out of the box:

    • Local Continuous Cluster (LCR) maintains a continuously updated copy of the active mailbox database on a different LUN to provide immediate failover capability if the active database becomes corrupt. The second copy is activated manually by the administrator.

    • Cluster Continuous Replication (CCR) is a local cluster model where each node maintains its own database and replication is performed using log shipping. In the event of failure of a service, the cluster services immediately failover to the passive node and continue servicing client requests, minimizing client downtime. CCR clusters can be stretched over distance, providing a geographically dispersed clusters.

    • Standby Continuous Replication (SCR) is similar to CCR, but the failover node resides in a different geographic location. It utilizes log shipping for replication and the Hub Transport servers "fill in the blanks" for messages that may not have replicated since the time the active node went offline.

  • Disaster Recovery -- Outlook 2003 and Outlook 2007, along with the fault tolerance technologies listed above, provide a quick and easy disaster recovery strategy for nearly any outage. Outlook Exchange cached mode is another key technology to making disaster recovery as seemless as possible.

  • Mailbox Server Consolidation -- As a 64-bit messaging platform, Exchange 2007 is able to accommodate much larger mailboxes and mailstore databases than ever before. This allows you to greatly consolidate the number of mailbox servers needed to support the same number of users.

  • Exchange Edge Server -- Edge Server for Exchange is a non-domain server that acts as the SMTP gateway between the Internet and SCIF's internal network. It replaces both the current SMTP gateway and Interscan servers, saving both hardware and software costs. It provides anti-spam and anti-virus services for the organization. EdgeSync is a process that synchronizes the email addresses in AD and the user Junk Mail safe lists/block lists with the Edge server to reduce spam at the network edge.

  • Better Integration with Outlook -- Suspected spam that is not blocked by the Edge server is delivered to Outlook's built-in Junk E-mail folder. Users can choose to block or allow emails from users or domains directly from Outlook without the need for third-party software.

  • Forefront Security for Exchange -- Forefront antivirus is included with the Exchange 2007 Enterprise CAL. Forefront allows you to choose up to five different antivirus engines (from a collection of nine) that all emails are scanned against. This provides more defense in depth than previously possible.

  • Corporate Manage Folders -- Managed folders allow administrators to configure common corporate folders that will display in users' Outlook and OWA that have specific retention periods. For example, a folder named Legal may have a seven year retention policy. Any items in this folder older that 7 years will automatically be purged to maintain the company's corporate retention policy.

  • Improved Outlook Web Access -- Outlook Web Access (OWA) has been improved to provide much better performance and usability. The Private computer security setting now allows you to stay logged in for up to 24 hours. Calendaring and scheduling has been greatly improved. OWA now provides the ability to open another user's mailbox (assuming you have the appropriate rights to do so). Public Folders now open in the same OWA window. Searching for an email items takes only seconds, no matter how large the mailbox is.

  • Remote Access to Network Shares -- OWA provides the ability to "translate" UNCs to internal network shares. For example, if you click a link for //hofs01/share/CIOMeeting.ppt, OWA will fetch the document from the internal network (assuming you have rights to the document) and deliver it to you in OWA. You can also open a Windows SharePoint Services or file share by typing the address of the share to open directly in OWA.

  • WebReady Document Viewing -- WebReady Document Viewing renders common document types for you to view within OWA, even if the application is not installed on that computer. For example, if you want to view an Excel attachment from a machine that does not have Excel installed, click the "View as web page" link next to the attachment. Exchange 2007 will convert the spreadsheet to a web page for you to review.

Labels: , , , , , ,

Subscribe in a reader Subscribe by Email

Friday, February 22, 2008

Troubleshooting Exchange 2007 9646 Errors

I client has users who have been migrated from Exchange 2003 to Exchange 2007 SP1, running on Windows Server 2003 SP2.

After a while, users are no longer able to connect via Outlook to Exchange - OWA continues to function, but Outlook (2K3 and 2K7) stops working.

This is because of a new feature in Windows 2003 SP2 that enables "Scalable Networking" - In short, it shuts down closed connections to the server, but it doesn't play well with Exchange. When Outlook connects over several MAPI sessions, the unused ones are shut down by Windows, but they aren't closed cleanly and Exchange still sees them as open sessions.

Once the user has 32 open sessions (a combination of valid and invalid ones) - Exchange cuts them off and event ID 9646 errors are seen on the mailbox server event log:
Mapi session "/O=BLATHER/OU=PACIFICA/cn=Recipients/cn=CooperH" exceeded the maximum of 32 objects of type "session".

A hotfix will be released in late March that addresses the issue, but the short term fix is to run the following command from the command line on all Exchange 2007 mailbox servers:

Netsh int ip set chimney DISABLED

The following articles discuss the technology and the issue:

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Saturday, February 9, 2008

Fix for Forefront Update Timeout Errors

I use Microsoft Forefront Security for Exchange Server on my Exchange 2007 Edge server.

Recently I noticed the following error in the Application Event log:

Event Type: Error
Event Source: GetEngineFiles
Event Category: Engine Error
Event ID: 6014
Date: 2/9/2008
Time: 10:08:43 AM
User: N/A
Computer: GATEWAY
Microsoft Forefront Server Security encountered an error while performing a scan engine update.
Scan Engine: Kaspersky5
Update Path:
Proxy Settings: Disabled
Error Code: 0xC0001F58
Description: The operation timed out.
Followed immediately by:

Event Type: Information
Event Source: GetEngineFiles
Event Category: General
Event ID: 2017
Date: 2/9/2008
Time: 10:08:43 AM
User: N/A
Computer: GATEWAY
Forefront Server Security has rolled back a scan engine.
Scan Engine: Kaspersky5
This was happening every 5 minutes after Event ID 2034, which reports that Microsoft Forefront Server Security is attempting a scan engine update of the Kaspersky5 scan engine.

To solve this error make the following change to the registry on the server running Forefront:
  • Open Regedit

  • Navigate to the following key:
HKLM\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server
  • Click New DWORD Value

  • Type EngineDownloadTimeout, and then press ENTER

  • Right-click the new value and select Modify

  • Select Decimal as the base, enter 600 in the Value data box, and then click OK. This setting causes the scan engine download process to time out after 600 seconds (10 minutes, instead of 5 minutes)

  • Exit Regedit

Note: You do not have to restart Forefront Server services or Exchange Server services after you change this registry entry.

Now perform a manual scanner update in Forefront:

  • Open Forefront Server Security Administrator

  • Click Scanner Updates under Settings

  • Select the appropriate scan engine that was previously timing out. In my case, Kaspersky Antivirus Technology

  • Click the Update Now button on the right side of the screen

Check the Application event log to ensure that the scan engine has updated properly (Event ID 2012).

Labels: , ,

Subscribe in a reader Subscribe by Email

Monday, January 21, 2008

EXPTA Server Upgrade

I ordered a new server this weekend to replace my existing Windows Server 2003 infrastructure. This new server will run the same roles as my existing server, but will have twice as much RAM and will be "green." It will utilize the new AMD Athlon X2 BE-2400 Brisbane 2.3GHz 45W Dual-Core CPU, less cooling (due to the low wattage CPU), and a smaller power supply. Should be fun. I haven't built my own hardware since the 90's. :)

I'll be building it with x64 Windows Server 2008 Enterprise edition and utilize Hyper-V for my virtual DC and Exchange 2007 servers, instead of VMware. The host server will function as my Exchange 2007 Edge server and host the blog on IIS 7.

The plan is to bring up the the new W2K8 server, build new virtual DC and Exchange servers, move the mailboxes to the new Exchange server, install the Exchange Edge role, and move the blog to the new server. Once I know everything is working properly I'll decommission the old Windows 2003 and Exchange 2007 servers.

Hopefully, there will be very little downtime. I only expect brief outages as I update my router configuration. As usual I'll post my experiences with the upgrade, as will as any troubleshooting tips and gotchas I discover along the way.

Labels: , , ,

Subscribe in a reader Subscribe by Email

Friday, January 18, 2008

Exchange ActiveSync Policies

Exchange Server 2007 provides ActiveSync mailbox policies to allow administrators to manage the Windows Mobile devices that attach to the network. This allows you to apply a common set of policy or security settings to a group of users or even an individual user.

Exchange 2007 RTM included 16 policy settings. That number climbs to 27 in Exchange 2007 SP1 for the Exchange 2007 Standard CAL. The SP1 Enterprise CAL offers an additional 16 settings. Settings that only exist in the Enterprise CAL, such as controlling POP and IMAP, Bluetooth, WiFi, the camera and text messaging, make that CAL a compelling choice for some customers.

The Exchange Team blog has an in-depth explanation of ActiveSync policies, as well as a great chart that shows the different policies for each version and CAL. Read What's New for Exchange ActiveSync Mailbox Policies in Exchange Server 2007 SP1? Microsoft also has a policy reference on MSDN, Understanding Exchange ActiveSync Mailbox Policies. Keep in mind that these settings only apply to devices that support them. Some only work on Windows Mobile 6 and some mobile device vendors may strip support for them from their mobile devices.

Another important change in SP1 is that it now publishes a default EAS policy, where RTM requires you to manually apply the default policy.

Labels: , , ,

Subscribe in a reader Subscribe by Email

Wednesday, December 12, 2007

How to Tell Which Users Have an ActiveSync Partnership

It's always good to know who is using the technology we support. I have a customer who needed to know which users were utilizing Windows Mobile devices to access their Exchange servers.

Here's a one-liner PowerShell command that reports which users have ActiveSync partnerships configured in Exchange 2007:

Get-CASMailbox WHERE {$_.HasActiveSyncDevicePartnership} SELECT identity
In Exchange 2003, it's not quite that simple. The ActiveSync partnership is stored in a hidden folder within the user's Exchange mailbox. This folder can be exposed using mfcmapi (the Microsoft Exchange Server MAPI Editor).

Mailboxes do not have the hidden Microsoft-Server-ActiveSync folder by default. Once an ActiveSync partnership has been configured from the user's Windows Mobile device, the following folder structure is created under the Root Container:

Note that PocketPC may show as SmartPhone, depending on the device used.

While mfcmapi can view the Root Container structure for an individual maibox, this is not feasible for a multi-user enterprise. I contacted Microsoft PSS for a solution, but they said there was no way to do this programmatically. Fortunately, I found this excellent vbscript written by Glen Scales that does exactly what I was looking for.

Here's an example of the output that the script produces:

Viola! Just what the doctor ordered!

Labels: , , , ,

Subscribe in a reader Subscribe by Email

Thursday, November 29, 2007

Installation Notes for Exchange 2007 SP1 RTM

In an earlier post I documented my installation notes for installing Exchange 2007 Service Pack 1 RC1. Now that Exchange 2007 SP1 has been released, I'm including my notes from installing the RTM version.

A recommended prerequisite is to ensure that .NET Framework 2.0 SP1 is installed. Check my previous article to determine which SP version is installed.

Upgrade the Edge Server First

  • First, you must disable Forefront for Exchange according to KB929080. When I followed this, the Microsoft Exchange Transport and FSCController services could not be stopped. I used Task Manager to end task the MSExchangeTransport and FSCController *32 processes.

  • Run the following command to disable Forefront:
C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\fscutility /disableInstall SP1
  • Proceed with the installation of SP1. Here were my times:
  • UpgradePreparing Setup - 00:12
  • Removing Exchange Files - 01:33
  • Preparing Files - 00:01
  • Copy Exchange Files - 01:27
  • Edge Transport Server Role - 09:31
  • Management Tools - 00:30
  • Finalizing Setup - 00:15
  • Elapsed time: 13:32
  • Download and install Microsoft Forefront Security for Exchange Server with Service Pack 1. Be aware that this requires a restart at end of setup.

  • Restart the Edge Server

  • Stop all Microsoft Exchange services

  • Run the following command to enable Forefront again:

  • C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\fscutility /enable

    • Ensure that the Forefront services are set to Manual startup (FSCController, FSCMonitor, FSCStatisticsService, FDEMailPickup, and FSEIMC)

    • Start the FSCController service (all other Forefront services will start)

    • Start all Microsoft Exchange services and test mailflow

    Upgrade Mailbox/HT/CAS Server (in my case, these roles are all on the same server)

    • Proceed with the SP1 upgrade. Times were as follows:
  • Organization Preparation - 01:05
  • Preparing Setup - 01:37
  • Remove Exchange Files - 05:18
  • Preparing Files - 00:02
  • Copy Exchange Files - 05:32
  • Hub Transport Role - 11:53
  • Client Access Role - 03:27
  • Mailbox Role - 06:21
  • Management Tools - 00:46
  • Finalizing Setup - 02:05
  • Elapsed time: 38:12
    • Check that all services are started and test mailflow again
    • Restart all servers because I'm anal and test again.

    Hope your SP1 upgrade goes as smooth as mine!

    Labels: , , ,

    Subscribe in a reader Subscribe by Email

    Wednesday, November 28, 2007

    Exchange 2007 SP1 is coming!

    Get ready! Microsoft Exchange Server 2007 Service Pack 1 is due to be released on November 30.

    Check out the list of new features in SP1, including new deployment options, new features and improvements for each server role, improved integration with other applications, and the new Standby Continuous Replication (SCR). There are also general updates to almost all of the high availability topics for SP1, as well as significant updates in other content areas, such as those related to the Mailbox, Client Access, Hub Transport and Edge Transport, and the Unified Messaging server roles.
    You can find documentation on the new features by browsing or searching the Exchange Server TechCenter Library.

    Labels: ,

    Subscribe in a reader Subscribe by Email

    Tuesday, November 6, 2007

    Custom Address Lists in Exchange 2003/2007

    The following procedures describe how to create custom address lists in Exchange Server 2003.

    Custom address lists can be used to provide a filtered view of the Global Address List (GAL) based on an LDAP query, similar to the way Query Based Distribution Groups work. It leverages the same mechanism used for the built-in address lists provided by Exchange ("All Contacts", "All Users", etc.). Custom address lists are dynamic and are available to all users in the organization. Common custom address lists might be "All Resources", "All Pagers", etc.

    Microsoft article How to Create an Address List describes how to create a custom address list in Exchange 2003. The similarly titled, How to Create an Address List describes how to create one in Exchange 2007.

    Once you create the new address list, you must configure a filter. The following is an LDAP query example that will filter all contacts with the word "carpenter" in the Notes field in the Telephone tab in AD. It is written as a single line, but is wrapped here for clarity.

    (&(&(&(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=contact)) )))(objectCategory=user)(info=*carpenter*)))
    Note that objectClass could be changed from "contact" to "user" to filter user objects. The word "info" in this query is the AD attribute we're searching for. Any AD attribute can be used. Use ADSIEdit to view attribute names and values.

    The search string above is "*carpenter*, which uses wildcards and means "contains the word 'carpenter'". A search for "carpenter" (no wildcards) will match only the word. The string "carpenter*" (trailing *) means "begins with the word". The string "*carpenter" means "ends with the word". The search sting is not case sensitive, but it must be spelled correctly to match the filter.

    If you were to create two address lists, one for "All Plumbers" and another for "All Carpenters", and the Notes field for a contact contains "Plumber, Carpenter", the contact will be included in both custom address lists.

    As another example, this filter can be used for an address list for resource mailboxes, such as conference rooms. Just be sure to begin the display name for the resource mailboxes with "ZZ-".

    (&(&(&(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=user)) )))(objectCategory=user)(displayName=zz-*)))
    Note: Because custom address lists are dynamically created by Exchange, they are only available to users who are connected to an Exchange server. Users using Cached Exchange Mode who are working offline will not have access to the custom address lists since Outlook can only display one container (the OAB). All contacts will still show up in the OAB.

    I've used this process for many clients of all sizes and it works great, with no noticeable affect on AD or Exchange performance.

    Labels: , , ,

    Subscribe in a reader Subscribe by Email

    Wednesday, October 3, 2007

    Installing Exchange 2007 SP1: Notes from the field

    NOTE: These upgrade notes are for Exchange SP1 Beta 2. Many readers have found this useful in their RTM upgrades. Also please see my latest post that discusses the installation of SP1 RTM. - Jeff

    The following are my notes for installing Exchange Server 2007 Service Pack 1 Beta 2. As with most beta software, upgrades may not go as smoothly as they will in the final product. I came across some problems and solutions, which I'll share with you and will hopefully make your upgrade smoother.

    I'm not going into a lot of detail on each of these steps, so if you want more info please post your question and I'll do my best to answer.

    My setup is a single x64 dual-core host with 4GB RAM. It functions as my Microsoft Exchange 2007 Edge server and runs VMware Workstation 6.01. It runs two VMs, one Windows Server 2003 SP2 x64 Domain Controller and one Exchange 2007 x64 Hub Transport, CAS, Mailbox server running E2K7 Update 4. The Edge server is running Microsoft Forefront Security for Exchange RTM.

    The Exchange 2007 SP1 release notes say to update your Edge, Hub Transport and CAS servers before your mailbox servers. It also says that Forefront Security for Exchange RTM is incompatible with Exchange 2007 SP1. You have to use Microsoft Forefront Security
    for Exchange Server with Service Pack 1 Beta 2 (FSES SP1 Beta 2). You can download it here.

    Note: I was told by Microsoft, "Exchange SP1 Beta 2 requires FSES SP1 Beta 2 (installed before you install the Exchange Service Pack 1 Beta 2)."

    So, without further ado, here are my upgrade notes:

    • Took snapshots of DC and EX01 VMs

    • Make a backup of host/Edge server


    • Install ForeFront SP1 Beta 2

    • Follow to disable ForeFront before installing Exchange 2007 SP1

    • Restart and stop all Exchange services, except ADAM

    • Install. Be patient. Configuring common transport polices took 10 minutes by itself.

    • Install completed successfully

    • Re-enabled Forefront as per KB929080, above

    • Restarted the server, checked event logs, tested email inbound/outbound successfully


    • Begin installation

    • Installation failed about halfway through

    • Tried to run again, but got the error, "This installation is forbidden by system policy." Solved using the Local Security Settings tip from Tim Chad at the bottom of this page

    • Restarted installation, but got the error, "The Exchange files are not installed, but the backup settings registry key is present. Only build to build upgrade mode is available."

    • Ran /mode:upgrade from the command line to perform an unattended upgrade setup

    • Got the following output:

    Welcome to Microsoft Exchange Server 2007 Unattended Setup

    Preparing Exchange Setup

    The following server roles will be upgraded
    Hub Transport Role
    Client Access Role
    Mailbox Role

    Performing Microsoft Exchange Server Prerequisite Check

    Hub Transport Role Checks ......................... FAILED
    Setup cannot continue with upgrade because 'C:\Program Files\Microsoft\Exchange Server\bin\ExchHelp.chm' is open. Close the file and restart setup.

    Client Access Role Checks ......................... FAILED
    Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is installed.

    The World Wide Web (W3SVC) service is either disabled or not installed on this computer. You must exit Setup, install the required component, then restart the Setup process.

    Setup cannot continue with upgrade because 'C:\Program Files\Microsoft\Exchange Server\bin\ExchHelp.chm' is open. Close the file and restart setup.

    Mailbox Role Checks ......................... FAILED
    Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is installed.

    The World Wide Web (W3SVC) service is either disabled or not installed on this computer. You must exit Setup, install the required component, then restart the Setup process.

    Setup cannot continue with upgrade because 'C:\Program
    Files\Microsoft\Exchange Server\bin\ExchHelp.chm' is open. Close the file and restart setup.

    The Exchange Server setup operation did not complete.
    Visit and enter the Error ID to find more

    Exchange Server setup encountered an error.

    • Set the World Wide Web Publishing Service, IIS Admin Service, and HTTP SSL service to automatic and started (they were disabled)

    • Copy file ExchHelp.chm from \setup\serverroles\common of the setup media into the \Program Files\Microsoft\Exchange Server\Bin directory

    • Re-run /mode:upgrade

    • Success! Restart all servers. Test OWA and Outlook inbound/outbound successfully

    Good luck with your own upgrade. Now to test the new SP1 features!

    Labels: , , , ,

    Subscribe in a reader Subscribe by Email

    Thursday, September 13, 2007

    Upcoming Webcast for daylight saving time changes in 2007

    Of note to Systems Administrators (especially Exchange SAs)

    Available on Friday, September 14th at 9am PT:

    Preparing for Daylight Saving Time: This Webcast will provide an overview of information on Microsoft products and resources available to help businesses prepare for change to Daylight Saving Time.

    To see future Webcasts related to this subject please keep checking our "Webcasts for daylight saving time changes in 2007" page which you can find here.

    Labels: , ,

    Subscribe in a reader Subscribe by Email

    Sunday, September 9, 2007

    Don't put SharePoint Services 3.0 on an Exchange Edge Server

    Bad things happen and both products won't work. Just don't do it.

    Labels: , , ,

    Subscribe in a reader Subscribe by Email

    Friday, September 7, 2007

    Search results may take a long time to appear because Microsoft Search is unavailable

    A colleague of mine ran into a problem during an Exchange 2003 / migration. When some of the users tried to search their mailboxes, they receive a message saying, "Search results may take a long time to appear because Microsoft Search is unavailable. Results will not include matches in the e-mail body." (See the example above, from OWA)
    This will happen to all mailboxes on the same server if the Microsoft Exchange Search Indexer service is stopped, but in this case only some of the mailboxes on the same server were affected.

    I tested the same thing on my home server and found the same results. I had migrated all my accounts from my Exchange 2003 server months ago. When I ran the Get-Mailbox Test-ExchangeSearch PowerShell command I found that all my mailboxes except one (a service account) came back as True (enabled).

    The bad news is that there's no way to enable Exchange Search for an individual mailbox. However, the following PowerShell command worked for me to correct the problem:
    ResetSearchIndex -Force -All
    This command will stop the MSExchangeSearch service, remove the entire search database and restart the MSExchangeSearch service. The MSExchangeSearch will immediately begin crawling the database(s) and rebuild the index(s). It took about 3 minutes on my 550MB database in a VM. You can use Perfmon to watch the Full Crawl Mode Status counter in the MSExchange Search Indices performance object to monitor when it's done. The counter value will be 1 while it's rebuilding, 0 when it's done.

    Usage for the ResetSearchIndex PowerShell command:

    ResetSearchIndex.ps1 [-force] [] ...
    ResetSearchIndex.ps1 [-force] -all
    get-mailboxdatabase ResetSearchIndex.ps1 [-force]

    Labels: , , ,

    Subscribe in a reader Subscribe by Email

    Thursday, September 6, 2007

    How to Access Public Folders in OWA 2007

    Public Folders are not available in the RTM release of Exchange 2007 OWA, so I created a work-around:
    • Log into E2K7 OWA as usual
    • Right-click your name in the folder list and select "Create new folder"
    • Name the new folder "Public Folders"
    • Compose a new email to yourself with https://yourOWAserverURL/public in the body of the message and send it
    • Move the new email to the Public Folders folder you created

    To access Public Folders, open the Public Folders folder and click the link. Public Folders will open in a new window or tab in Internet Explorer.

    Look for REAL Public Folder access to arrive with Exchange Server 2007 SP1.

    Labels: , ,

    Subscribe in a reader Subscribe by Email

    Relaying SMTP Email Through Your ISP

    Most ISPs these days are blocking SMTP email (port 25) from their subscribers. This is a good thing, because it stops malware and infected hosts connected to the ISP network from propagating to other hosts on the network and the rest of the Internet.

    If your ISP blocks port 25 your Exchange server(s) will be unable to send SMTP email. This article explains how to work around this in Exchange 2007. Other versions of Exchange will be similar.

    If you have an Edge server, like I do, you cannot make the configuration changes directly on the Edge server. You have to make them on a Hub Transport, CAS or Mailbox server. The changes will then replicate out to the Edge server on the next EdgeSync.

    Here's what to do:

    • Open EMC and navigate to Hub Transport under Organization Configuration.

    • Select the Send Connectors tab and double-click the send connector for outbound email to the Internet.

    • Click the Network tab and select "Route mail through the following smart hosts".

    • Click Add to add your ISP's outbound SMTP server (i.e,

    • Click the Change button to configure Smart Host Authentication Settings.

    • Select Basic Authentication, and enter your ISP account's user name and password.

    • Click OK twice to close the dialog windows.
    Test outbound email. If you're using an Edge server, you need to wait for an EdgeSync event to run (or run Start-EdgeSynchronization from the Exchange Management Shell). If you're not using an Edge server, the changes go into affect immediately.

    Labels: ,

    Subscribe in a reader Subscribe by Email

    Friday, June 29, 2007

    Placing Server Certificates on Mobile Devices

    About the only thing that's difficult in setting up Exchange ActiveSync on a mobile device is getting the server certificate on it. Of course, this is a non-issue if you're using a trusted certification authority like Verisign, Thawte, GoDaddy, etc. I wrote these procedures for those of you who don't want the trouble or expense of buying an SSL cert and want to use the Exchange self-signed certificate.

    Export the Certificate

    • Log into the Exchange server with administrative rights and run IIS Manager
    • Expand Local Computer Web Sites
    • Right-click Default Web Site and select Properties
    • Click the Directory Security tab
    • Click View Certificate
    • On the Details tab click Copy to File..., Next, Next, Next
    • Enter the path and filename to use for the certificate export (i.e., C:\server.cer)
    • Click Finish to export the certificate
    How to Put the Certificate on the Phone

    Option 1, Using Windows ActiveSync

    Option 2, Using Email

    • If there is an alternate form of email on the device, email the cert to your device
    • Open the attachment and import it

    Option 3, Using a Website

    • Send server.cer to a compressed folder (zip file)
    • Put the zip file on a web server
    • Use Internet Explorer on the phone and navigate to the URL of the zip file to open it (i.e.,
    • Download, open and import it
    If you have an older Windows Mobile 2002 or 2003 device, check out the SPAddCert utility from Microsoft, documented at

    Labels: , , , , ,

    Subscribe in a reader Subscribe by Email

    Thursday, June 28, 2007

    Beware the iPhone

    The iPhone is a (very) expensive consumer device that has no place in the corporate environment. It has no security, cannot connect to enterprise email systems except using unsecured protocols (IMAP), and opens the company up to potential (extremely likely) copyright concerns.

    Most companies should have a corporate "Just say no" policy for the iPhone in place by now. That way when the CEO drops his new iPhone on the administrator's desk and says, "Make it work with my email", they'll have a response ready.

    On a side note, surveys have shown that people are really interested in three things about cell phones: Service quality (they want to be able to place or answer a call, not be dropped and be heard clearly), battery life, and ease of use (not having to use arcane menuing systems). Everything else is just gravy. When you add email to the mix, people want to be able to easily send and receive emails (tiny keypads and menuing systems inhibit this) and to a smaller degree expect fast delivery.

    It seems that cell phone companies are busily trying to create "the next big thing" by adding the last big thing to their already crowded and confusing devices. Most people don't use 1/4 of the features on the phones they already have.

    Labels: , , ,

    Subscribe in a reader Subscribe by Email

    Friday, June 22, 2007

    Granting Full Mailbox Access in E2K7

    Sometimes administrators need access to another user's mailbox (for example, resource mailboxes). The PowerShell one-liner for this is:
    Add-MailboxPermission SF-Conference -AccessRights FullAccess -user admin1234
    (where SF-Conference is the mailbox to assign rights to, and admin1234 is the user who gets the rights)

    And here's a one-liner that will do the same to all users in the Exchange organization:

    Get-Mailbox | Add-MailboxPermission -AccessRights FullAccess -user admin1234

    Labels: ,

    Subscribe in a reader Subscribe by Email

    Thursday, June 7, 2007

    Exchange 2007 High Availability Sessions

    Today was an "all Exchange, all the time" day. The sessions I attended dealt with Exchange 2007 high availability and disaster recovery.

    One was presented by Ayla Kol entitled, "High Availability in Microsoft Exchange Server 2007 and Exchange Server 2007 Service Pack 1". She did a good job explaining what's offered in E2K7 RTM for HA and went on to explain what's going to be new in SP1. Here are the highlights for RTM:
    • Windows 2003 needs KB921181 to enable File Share Witness (FSW)
    • Continuous Cluster Replication (CCR) is limited to 2 nodes
    • CCR requires hardware from the Geographically Dispersed Cluster category of the HCL
    • FSW should be on hub in primary site
    • CCR nodes must be in the same subnet. This poses a problem for geo-clustering
    • Best Practice to use a CNAME record for the FSW name. This provides easier failover
    • Best Practice to increase tolerance of heartbeat failures to 10
    • Log shipping to the passive node is a pull model. The Replication Service monitors logs
    • Divergence = loss of mailbox data. This is what happens in a "lossy" recovery. Normally, in CCR the hub's transport dumpster will backfill the recovered node with missing data.
    • LLR = lost log resilience. This is what the transport dumpster is for.
    • The transport dumpster works only with CCR in RTM. It will work with LCR in SP1
    • Recovery from transport dumpster is designed to backfill within 30 seconds
    • SP1 will have a GUI for cluster management (finally!)

    And now for what we've all been waiting for, Single Copy Replication (SCR)!

    • SCR will be included in SP1
    • Possible scenarios include: Standalone server to SCR, LCR to SCR, and CCR cluster to SCR
    • Designed for datacenters
    • CCR can use dissimilar hardware. This offers simplified hardware and storage requirements. Does not require hardware from the Geographically Dispersed Cluster category of the HCL
    • No subnet requirements! Can work across different subnets, unlike CCR
    • Only works with one database per storage group
    • Must be same paths

    In a future blog, I hope to write more about CCR and SCR. For now, we're off to the TechEd attendee party at Islands of Adventure. The kids are gonna have a blast!

    Labels: , ,

    Subscribe in a reader Subscribe by Email

    Wednesday, June 6, 2007

    Good Day Today

    Today was a good session day. I got to start and end it with Marcus Murray, who finished the day to a PACKED session in the TLC Library showing how easy it is to perform a buffer overrun exploit. Scary, scary stuff. The guy is a rockstar.

    Other sessions included Paul Robichaux, talking about Forefront Security for Exchange, and a good session on architecting and upgrading WSUS 3.0.

    I got to see our friends at Sam's Publishing in the vendor booth. Sams publishes the Microsoft "Unleashed" series, including Microsoft Exchange Server 2007 Unleashed and Microsoft Exchange Server 2003 Unleashed, both of which I am a cowriter of. Fellow CCO consultant, Michael Noel was there at the Sams booth on Tuesday. Be sure to check out his sessions on SharePoint 2007 here at TechEd!

    I'll post a summary of the items discussed at the WSUS session in a future blog. For now, I'm going to get ready for the Microsoft Influencer's Party at Margaritaville and the Double-Take party at the Hard Rock. Woo-hoo!

    Labels: , , , ,

    Subscribe in a reader Subscribe by Email

    Tuesday, June 5, 2007

    Exchange 2007 SP1

    Some of the details for Exchange Server 2007 Service Pack 1 were released at a session I attended yesterday. Here are some of the new and improved features:
    • Public Folders are available in OWA. I like the fact that they will display in the same OWA instance, rather than a new window like Exchange 2003 does.
    • Quota notifications in OWA. OWA will no display banner bars if you are approaching your mailbox size limit.
    • Web ready opens Office 2007 documents
    • Creation and manaement of server-side rules
    • S/MIME support
    • Ability to recover deleted items
    • Ability to permanently delete items from the dumpster
    • Confirmation of successful wipe of mobile device
    • Ability to add custom applications to OWA
    • Move-mail cmdlet can export to a Unicode PST file. No more 2GB limit!
    • Powershell syntax improvements
    • ESM adds pubic folder management tools
    • ESM adds cluster configuration tools
    • ESM adds POP/IMAP configuration
    • ESM adds "Send as" permissioning
    • ESM adds Delegate managment
    • ESM adds Folder level permissions
    • ID translation across Exchange orgs
    • SCR (Single Copy Replication)
    • IRM (Information Rights Management) prefetching to boost performance
    • IPV6 support

    E2K7 SP1 will require Windows SP2.

    Labels: ,

    Subscribe in a reader Subscribe by Email

    Friday, June 1, 2007

    Ontrack PowerControls Rocks!

    PowerControls allows you to open a raw Exchange MDB file and export the data from it. You can export to a PST or directly into a live Exchange database.

    I've used this utility to recover Exchange data for a couple of clients and it works perfectly. Does just what it needs to do and nothing more, which explains its lightweight size of only 16MB. Check it out at

    Labels: , ,

    Subscribe in a reader Subscribe by Email

    Friday, May 25, 2007

    "Do not deliver before" Behavior Doesn't Work as Expected in Outlook Cached Mode

    Users sometimes schedule delivery of an email for a later date or time.

    For Outlook 2000, there were two different options: Deferred Send (Outlook handles it) and Deferred Delivery (the Exchange server handles it). If a message is configured for Deferred Send, it will stay in the user's Outbox until the scheduled time. Outlook then submits the message to the Exchange Information Store and the message is delivered. If a message is configured for Deferred Delivery, Outlook will immediately submit the message to the Exchange Information Store and the Exchange server will hold the message until the scheduled time. With Deferred Send, Outlook must be running to send the message and the user can edit or remove the message before it's delivered. With Deferred Delivery, Outlook does not have to be running and the user cannot edit or remove the message before it's sent.

    Microsoft merged the two features together for Outlook 2003/2007. The only option available in these versions is "Do not deliver before". If this is configured the message will stay in the user's Outbox, but Outlook does not need to be running to deliver it. By keeping it in the Outbox, the user is able to edit or remove the message before it's sent. However, if the user is configured for Exchange Cached Mode, Outlook MUST be running for delivery of message to occur. says this behavior "by design".

    On a side note, the message will show as Received in the Inbox at the delayed send time (say, 8:00am today). When you open the message, the Sent time will be the time the sender clicked the Send button (say, 5:00pm yesterday). This prevents a user from scheduling an email the night before saying, "I'm in the office this morning like you requested, but I'm going home now."

    Labels: , , ,

    Subscribe in a reader Subscribe by Email

    Wednesday, May 9, 2007

    Exchange 2007 Update Rollup 2 Available

    Last month I wrote about the availability of Exchange 2007 Update Rollup 1. As I mentioned, the Exchange team was expecting to produce these rollups every 6-8 weeks, but Exchange 2007 Update Rollup 2 follows Update Rollup 1 by only 19 days.

    Microsoft has changed the product service strategy for Exchange 2007. Details can be read at http, but the short story is that Microsoft will no longer produce traditional updates that you download and patch Exchange. The Update Rollups are more like service packs, where it's a complete reinstallation of the product with the patches incorporated. The web article above explains why this is an improvement and provides a more stable environment.

    Now that we've all sipped the Kool-Aid, let me explain what this means in reality. Microsoft released Security Update for Exchange Server 2003 SP2 (KB931832), which is a critical security update that affects Exchange 2000, 2003 and 2007. The updates for E2K and E2K3 are 3.7MB. The Update Rollup 2 for E2K7 is 27-57MB, an increase of 730%-1,550% for the same patch. The size varies, depending on the roles installed. Keep in mind that you're going to have to download, distribute and deploy this to each E2K7 server, so plan your deployment and bandwidth accordingly.

    A few other items of note:
    1. Deployment on an E2K3 server takes 2 minutes, stops and starts Exchange related services. Deployment on an E2K7 server takes 9 minutes and requires a server restart.
      Computers running only the E2K7 management tools require the same 27-57MB update as a full Exchange server. In most environments, administrators load the Exchange management tools on their DCs to facilitate user provisioning. You must now be aware of DC unavailability caused by this issue.
    2. Updates that would normally not need a system restart in previous versions will need one in E2K7.
    3. You will no longer have the option of not deploying a specific update, since all Update Rollups are cumulative.

    Security Update for Exchange Server 2003 SP2 (KB931832) can be downloaded via Windows Update or from here.

    Labels: ,

    Subscribe in a reader Subscribe by Email

    Tuesday, April 24, 2007

    Exchange 2007 Update Rollup 1 Available

    Microsoft released Exchange 2007 Update Rollup 1 this month, available at The Exchange team said Rollups would appear every 6 to 8 weeks. Exchange 2007 Rollup 1 isn't quite a Service Pack -- meaning it doesn't include any new functionality. However, the quality and amount of testing is far superior to traditional hotfixes.

    This 29MB(!) package includes fixes for Public Folder replication and backups. The update fixed an issue I was having where my Exchange backups were failing because the VSS provider was taking too long.

    It's interesting to note that the update takes several minutes to prepare itself for installation, even after it offers to let you continue. The update itself took about 15 minutes to apply. Just be patient.

    Labels: ,

    Subscribe in a reader Subscribe by Email

    Tuesday, April 17, 2007

    Update for Outlook 2007 Performance Issues

    Microsoft just released an update for Outlook 2007 that addresses performance issues, especially for users with large OSTs. Several of my customers have installed the update and say their Outlook appears to be "snappier".

    Microsoft also provide general guidance on how to workaround performance issues for users with large PSTs or OSTs. Guidance ranges from "reduce the size of your mailbox" to "don't use cached mode". I love it. Aren't these the features being touted in Outlook and Exchange 2007?

    Labels: , ,

    Subscribe in a reader Subscribe by Email

    Log into OWA 2007 with a Default Domain

    Customers with Exchange in a single domain usually ask how to change OWA so users can log in using just a username instead of domain\username. This was problematic in Exchange 2003 because of the DS2MB background process, but simple to do in Exchange 2007.
    • Open Exchange Management Console
    • Expand Server Configuration
    • Select Client Access and click the Outlook Web Access tab
    • Select owa (Default Web Site) and click the Properties action
    • Click the Authentication tab
    • Under Use forms-based authentication, select User name only
    • Click Browse and select the domain name
    • Click OK
    • Run IISRESET /NOFORCE to restart IIS and enforce the change

    Or, even easier using PowerShell:

    Set-OWAVirtualDirectory -Identity "owa (default web site)" -LogonFormat username -DefaultDomain

    Then run IISRESET /NOFORCE to restart IIS and enforce the change.

    Note that this will automatically change the logon page to display the new logon requirements.

    Labels: , ,

    Subscribe in a reader Subscribe by Email

    Monday, April 16, 2007

    Eating My Own Dog Food

    This weekend I upgraded my home production domain from Windows 2003 R2 (x32) and Exchange 2003 to Windows 2003 R2 SP2 (x64) and Exchange 2007. My goal was to pretend I was at a customer site and had to migrate this environment successfully to the new hardware.

    My home production equipment consisted of a single Dell 4600 all-in-one box. It was a W2K3 R2 Enterprise domain controller with SP1, which also ran Exchange 2003 Enterprise SP2 and served as a DNS, WINS, WWW and file server. The server had a single Intel 2.8Ghz HT CPU, 2GB of RAM and a 160GB hard drive. My replacement server is a Dell E521 with an AMD Athlon 64 Dual-Core, 4GB of RAM and a 250GB hard drive.

    Since I am still limiting myself to a single physical server, I decided to use VMware to virtualize most of my environment. All servers will run Windows Server 2003 R2 (x64) with SP2. The host server (GATEWAY) will be a workgroup server running Exchange 2007 Edge Server and VMware Workstation. The two virtual servers are DC01, a domain controller/DNS/WINS server, and EX01, an Exchange 2007 server with the Hub Transport, Client Access, and Mailbox roles. My LAN is connected to the Internet via a Netgear wireless router/firewall, as per the following diagram.

    First I installed x64 Windows Server 2003 R2 Enterprise SP1 on GATEWAY and used the Microsoft Update site to install SP2, IE7, ADAM (required for Exchange Edge server) and all the critical updates. SP2 installs the Windows firewall by default, so I disabled it. Then I installed VMware Workstation 5.6. I chose Workstation since ESX will not recognize SATA drives and GSX only allows one snapshot per VM.

    Next I created a base image VM using x64 Windows Server 2003 R2 Enterprise, upgraded to SP2, IE7 and all the critical updates, and disabled the firewall. I use this image to base all my servers on, which makes provisioning future servers a breeze.

    I then created two new linked clone servers, DC01 and EX01 and joined them to the domain. I promoted DC01 to a domain controller and installed DNS and WINS. I installed IIS, .NET Framework 2.0 and 3.0, and the necessary patches on EX01 in preparation for Exchange 2007. I took a snapshot of both servers at this point and then began to install Exchange 2007.

    Here's where it gets interesting. The Exchange 2007 setup has a lot of logic and workflow built into it. You pretty much install the DVD, answer a few questions and let it run. Setup will check that the server meets the prerequisites and pre-qualifies the environment to ensure a smooth installation. In theory. The installation went happily along updating the schema, preparing the domain and installing the server roles. But as it was installing the Hub Transport role it errored, saying that the disk could not be read and to try setup again later. It did not offer a "retry" button. The trouble turned out to be a smear of what I can only guess was macaroni and cheese on the DVD. Kids. Gotta love 'em.

    So, I cleaned off the DVD and ran setup again. Now setup said that the Hub Transport role was not installed properly and to remove it first. Trouble is, neither setup or the Exchange Management Console (EMC) show that any roles have been installed, so I can't uninstall it. I'll spare you the gory details, but I tried uninstalling it using PowerShell, the switches in setup, and reverting to my snapshot. No good. I then removed the Exchange Administrative Group (FYDIBOHF23SPDLT) and Exchange Routing Group that setup automatically creates in a mixed mode environment using ADSI Edit. This let me run setup again, but now I got an error complaining that Exchange Administrative Group (FYDIBOHF23SPDLT) was missing. I recreated both the AG and RGC on the Exchange 2003 side (I had to use ADSI Edit again to rename the AG using the parentheses) and tried again. Success!

    After I ensured that I had mail flow between the E2K3 and E2K7 servers, I installed the Edge Server role and Microsoft ForeFront (antivirus/antispam) on GATEWAY. This created a new RGC to the Internet on GATEWAY. I then created an EdgeSync subscription and tested it. I moved the mailboxes to EX01 and successfully tested OWA and Outlook.

    Now to put it into production. I have one MX record published on the Internet for inbound email. My firewall allows SMTP port 25 and HTTP port 80 traffic to WWW (x.x.x.50). I reconfigured WWW to use a different address and configured GATEWAY to use x.x.x.50. I successfully tested inbound and outbound email and that my web pages worked properly from GATEWAY. I then reconfigured my firewall to forward SSL port 443 to EX01. Exchange setup automatically configures OWA on the CAS role to use SSL. I used to look back into my OWA and successfully tested email again.

    The final step was to decommission my old DC/Exchange 2003 server. There are a few steps I needed to do in Exchange 2007, such as re-home the OAB, replicate Public Folder content, etc. After that, it was simply a matter of deleting the RGCs to the Exchange 2003 AG, deleting the old AG itself, and uninstalling Exchange 2003. I'm pleased to say that the customer is very satisfied. :)

    I learned a lot through this entire process. Highlights are:
    • Dog food is delicious.
    • Ensure your media is OK. Keep sticky fingers and food away! I was surprised at this, since setup copies the binaries to the local hard drive and re-compiles them.
    • Microsoft put a lot of work into the install process, but it's not perfect. I would imagine I would have had the same problem if the DVD was ejected during setup.
    • Never give up. I could have always used exmerge and rebuilt my domain, but few customers would accept this.
    • 64-bit hardware, lots of RAM and VMware are "good things"
    • Giving 512MB to my virtual DC and 2GB to my virtual Exchange Server yields respectable performance
    • Since VM Workstation won't start as a service, I enabled auto-logon on GATEWAY and wrote a script that launches and runs my VM team
    • Microsoft Forefront is still a Sybari product with Microsoft stickers on it (needs work)

    Labels: , , , ,

    Subscribe in a reader Subscribe by Email