<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>PointBridge Exchange Server Blogs</title><link>http://blogs.pointbridge.com/_layouts/FeedBlogs.aspx?xsl=Blogs&amp;web=/Categories&amp;page=ace78249-d4d8-4285-9ca5-ddaf666f21d4&amp;wp=d26d95f6-b1dd-4711-9699-6b7cd70e6a57</link><description></description><ttl>60</ttl><item><id>34</id><title>Migrating 5000 mailboxes to BPOS over a weekend and still have pilots - an option to consider</title><body>&lt;div class=ExternalClass05677EE6892E49B78C3DD90008624E65&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;&lt;strong&gt;Background
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Let me explain what this means first and set some criteria for a statement like this. In the majority of cases this would involve moving little to no data which is usually the recommended approach for such a large cutover (a.k.a. flash cutover). Coexistence between on-premise mail systems and BPOS can be problematic and confusing for users as well as administrators. Shortening or eliminating this coexistence period is usually a pretty high priority goal for any mail migration project. We try to urge most customers to go with &amp;quot;green field&amp;quot; or minimal data such as calendars and contacts and maybe a few days' worth of email. While this might not seem like a lot of data it can still take several hours or days to move this data over given the number of seats involved and depending on the migration tools you're using. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Normally migrating this many users over a weekend doesn't just involve simple mail migration. There are also related requirements that need to be in place like: 
&lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Deploying the SSO and Outlook clients 
&lt;/li&gt;&lt;li&gt;Possible (re-)training for users and admins 
&lt;/li&gt;&lt;li&gt;BlackBerry devices need to be re-provisioned in BPOS, Windows Mobile/ActiveSync devices need to be updated to point to BPOS 
&lt;/li&gt;&lt;li&gt;Application integration testing and re-tooling to work with current workflows including email 
&lt;/li&gt;&lt;li&gt;Running a pilot or two 
&lt;/li&gt;&lt;li&gt;Testing all the above and more 
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;There's also that dreaded post-migration support call barrage you just know is coming even though you've communicated How-To and FAQ docs and trained your staff so they're a lean, mean supporting team. Even with all of these challenges it still can be accomplished with a lot of proper planning and testing. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Back to the question at hand: How can you flash cutover 5000 users over a weekend, especially if you want to do a pilot or two ahead of time (without rolling them back)? You might also ask, what is the big problem here? Let's say you have registered your BPOS SMTP domains as external relay. This means BPOS first attempts to deliver email sent from other activated BPOS users to a local BPOS mailbox, and only then to your on-premise mail system via the MX records. The problem begins once you activate a BPOS user and you don't migrate them, meaning they aren't treating it as their primary mailbox and mail is not being forwarded to their BPOS mailbox. Once this activation occurs, mail flow back to the on-premise mailbox is broken, simply because there is already a valid local mailbox ready to receive messages. You end up with dual mailboxes for some folks, with mail sent from other BPOS users ending up in the BPOS mailbox and mail sent from the on-premise system in their local mailbox. Unless the user is set up to connect to both mailboxes, they might never know they are missing mail. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;&lt;strong&gt;The Strategy
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Ok, I understand the problem. How do I fix it and still do pilots and a flash cutover? 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Well, you simply set up mail forwarding in BPOS to forward mail back to the on-premise mailbox. Normally for on-premise to on-premise migrations the administrators can take care of all of this usually with whatever migration tool they're using or even a script. With BPOS, at least for now, you need to work with the BPOS support team to accomplish the same task. As of this writing, there are no BPOS PowerShell cmdlets available to set forwarding, although it's quite possible they will be available in the next major release of BPOS (a.k.a. Wave 14). Normally in Exchange we would use the targetAddress field to control where mail gets routed. For BPOS we establish forwarding through use of contacts. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Here's how it works at a high level: 
&lt;/span&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;You establish your directory sync between AD and BPOS. 
&lt;/li&gt;&lt;li&gt;You create a matching contact in AD/Exchange for each user participating in the flash cutover and pilot 
&lt;/li&gt;&lt;li&gt;You sync these contacts to BPOS 
&lt;/li&gt;&lt;li&gt;You mass activate the BPOS accounts 
&lt;/li&gt;&lt;li&gt;You submit a request to BPOS support to establish email forwarding for the list of mailboxes and contacts you'll provide them in CSV format. You only need to include the mailbox's SMTP address and the contact's SMTP address in the file. They will run a script that will establish the forwarding. Be sure to ask whether the mail sent to the mailbox will be stored and forwarded or just forwarded. 
&lt;/li&gt;&lt;li&gt;After you receive confirmation that the forwarding is in place, you'll want to hide these contacts in your local AD by setting the msExchHideFromAddressLists attribute to TRUE or you can use a utility like AD Modify to perform a bulk operation and set this value. 
&lt;/li&gt;&lt;li&gt;Run another dirsync and the contacts will be hidden in BPOS. The key here is you want BPOS users to send mail directly to the mailbox and not the contact. 
&lt;/li&gt;&lt;li&gt;Test forwarding from BPOS to the on-premise mailbox. If you're satisfied with the results, you're ready to proceed with pre-staging data and piloting. 
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Here's what the mail flow looks like during this period: 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/enger_erik/Lists/Photos/080410_2008_Migrating501.jpg" alt=""&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;
		&lt;/span&gt;&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;&lt;strong&gt;What You Need
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;For this option you'll need the following: 
&lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Local SMTP domain – one that your on-premise mail system can receive mail as (i.e. MX record points to on-premise mail system) and is also NOT registered in BPOS. 
&lt;/li&gt;&lt;li&gt;BPOS directory sync tool 
&lt;/li&gt;&lt;li&gt;AD with schema extensions for Exchange 200x 
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Ok. Now fast forward to the flash cutover weekend. Aside from migrating any last remaining data you'll need to break the forwarding on the BPOS accounts. Gladly, this part is under your control. Simply delete the local contacts in AD and run a directory sync with BPOS which removes the contacts along with the forwarding. Now, if required as part of your migration strategy, set forwarding on the local mailbox to forward mail to the cloud mailboxes. This is usually accomplished through the migration toolset. Yes, we're reversing the flow here. Since you now have a new primary mailbox hosted by BPOS you'll want to make sure new mail that ends up in the old mail system gets forwarded to the BPOS mailbox. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;&lt;strong&gt;In Summary
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Benefits/drawbacks of this solution: 
&lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Benefit – you can mass activate all your users and still have coexistence and run pilots. 
&lt;/li&gt;&lt;li&gt;Benefit – you can pre-stage data well in advance of the cutover weekend allowing you more time if more data is needed. 
&lt;/li&gt;&lt;li&gt;Drawback – pre-staging data can be problematic in that usually data is migrated as a snapshot of what the on-premise mailbox looks like at the time you migrated that particular user. Any subsequent changes might not end up in the same folder or status the user has it in when they get cutover. You might end up with a lot of calls about this so proper and frequent communication with the users is necessary. &lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass05677EE6892E49B78C3DD90008624E65&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;&lt;strong&gt;Background
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Let me explain what this means first and set some criteria for a statement like this. In the majority of cases this would involve moving little to no data which is usually the recommended approach for such a large cutover (a.k.a. flash cutover). Coexistence between on-premise mail systems and BPOS can be problematic and confusing for users as well as administrators. Shortening or eliminating this coexistence period is usually a pretty high priority goal for any mail migration project. We try to urge most customers to go with &amp;quot;green field&amp;quot; or minimal data such as calendars and contacts and maybe a few days' worth of email. While this might not seem like a lot of data it can still take several hours or days to move this data over given the number of seats involved and depending on the migration tools you're using. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Normally migrating this many users over a weekend doesn't just involve simple mail migration. There are also related requirements that need to be in place like: 
&lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Deploying the SSO and Outlook clients 
&lt;/li&gt;&lt;li&gt;Possible (re-)training for users and admins 
&lt;/li&gt;&lt;li&gt;BlackBerry devices need to be re-provisioned in BPOS, Windows Mobile/ActiveSync devices need to be updated to point to BPOS 
&lt;/li&gt;&lt;li&gt;Application integration testing and re-tooling to work with current workflows including email 
&lt;/li&gt;&lt;li&gt;Running a pilot or two 
&lt;/li&gt;&lt;li&gt;Testing all the above and more 
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;There's also that dreaded post-migration support call barrage you just know is coming even though you've communicated How-To and FAQ docs and trained your staff so they're a lean, mean supporting team. Even with all of these challenges it still can be accomplished with a lot of proper planning and testing. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Back to the question at hand: How can you flash cutover 5000 users over a weekend, especially if you want to do a pilot or two ahead of time (without rolling them back)? You might also ask, what is the big problem here? Let's say you have registered your BPOS SMTP domains as external relay. This means BPOS first attempts to deliver email sent from other activated BPOS users to a local BPOS mailbox, and only then to your on-premise mail system via the MX records. The problem begins once you activate a BPOS user and you don't migrate them, meaning they aren't treating it as their primary mailbox and mail is not being forwarded to their BPOS mailbox. Once this activation occurs, mail flow back to the on-premise mailbox is broken, simply because there is already a valid local mailbox ready to receive messages. You end up with dual mailboxes for some folks, with mail sent from other BPOS users ending up in the BPOS mailbox and mail sent from the on-premise system in their local mailbox. Unless the user is set up to connect to both mailboxes, they might never know they are missing mail. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;&lt;strong&gt;The Strategy
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Ok, I understand the problem. How do I fix it and still do pilots and a flash cutover? 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Well, you simply set up mail forwarding in BPOS to forward mail back to the on-premise mailbox. Normally for on-premise to on-premise migrations the administrators can take care of all of this usually with whatever migration tool they're using or even a script. With BPOS, at least for now, you need to work with the BPOS support team to accomplish the same task. As of this writing, there are no BPOS PowerShell cmdlets available to set forwarding, although it's quite possible they will be available in the next major release of BPOS (a.k.a. Wave 14). Normally in Exchange we would use the targetAddress field to control where mail gets routed. For BPOS we establish forwarding through use of contacts. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Here's how it works at a high level: 
&lt;/span&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;You establish your directory sync between AD and BPOS. 
&lt;/li&gt;&lt;li&gt;You create a matching contact in AD/Exchange for each user participating in the flash cutover and pilot 
&lt;/li&gt;&lt;li&gt;You sync these contacts to BPOS 
&lt;/li&gt;&lt;li&gt;You mass activate the BPOS accounts 
&lt;/li&gt;&lt;li&gt;You submit a request to BPOS support to establish email forwarding for the list of mailboxes and contacts you'll provide them in CSV format. You only need to include the mailbox's SMTP address and the contact's SMTP address in the file. They will run a script that will establish the forwarding. Be sure to ask whether the mail sent to the mailbox will be stored and forwarded or just forwarded. 
&lt;/li&gt;&lt;li&gt;After you receive confirmation that the forwarding is in place, you'll want to hide these contacts in your local AD by setting the msExchHideFromAddressLists attribute to TRUE or you can use a utility like AD Modify to perform a bulk operation and set this value. 
&lt;/li&gt;&lt;li&gt;Run another dirsync and the contacts will be hidden in BPOS. The key here is you want BPOS users to send mail directly to the mailbox and not the contact. 
&lt;/li&gt;&lt;li&gt;Test forwarding from BPOS to the on-premise mailbox. If you're satisfied with the results, you're ready to proceed with pre-staging data and piloting. 
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Here's what the mail flow looks like during this period: 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/enger_erik/Lists/Photos/080410_2008_Migrating501.jpg" alt=""&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;
		&lt;/span&gt;&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;&lt;strong&gt;What You Need
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;For this option you'll need the following: 
&lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Local SMTP domain – one that your on-premise mail system can receive mail as (i.e. MX record points to on-premise mail system) and is also NOT registered in BPOS. 
&lt;/li&gt;&lt;li&gt;BPOS directory sync tool 
&lt;/li&gt;&lt;li&gt;AD with schema extensions for Exchange 200x 
&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Ok. Now fast forward to the flash cutover weekend. Aside from migrating any last remaining data you'll need to break the forwarding on the BPOS accounts. Gladly, this part is under your control. Simply delete the local contacts in AD and run a directory sync with BPOS which removes the contacts along with the forwarding. Now, if required as part of your migration strategy, set forwarding on the local mailbox to forward mail to the cloud mailboxes. This is usually accomplished through the migration toolset. Yes, we're reversing the flow here. Since you now have a new primary mailbox hosted by BPOS you'll want to make sure new mail that ends up in the old mail system gets forwarded to the BPOS mailbox. 
&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;&lt;strong&gt;In Summary
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:Times New Roman;font-size:12pt"&gt;Benefits/drawbacks of this solution: 
&lt;/span&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Benefit – you can mass activate all your users and still have coexistence and run pilots. 
&lt;/li&gt;&lt;li&gt;Benefit – you can pre-stage data well in advance of the cutover weekend allowing you more time if more data is needed. 
&lt;/li&gt;&lt;li&gt;Drawback – pre-staging data can be problematic in that usually data is migrated as a snapshot of what the on-premise mailbox looks like at the time you migrated that particular user. Any subsequent changes might not end up in the same folder or status the user has it in when they get cutover. You might end up with a lot of calls about this so proper and frequent communication with the users is necessary. &lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=34</link><description /><pubDate>2010-08-04 15:10:00</pubDate></item><item><id>77</id><title>Using ISA 2006 / TMG to Publish Exchange 2007 and 2010</title><body>&lt;div class=ExternalClass0ABD1731F33C4847874AFE5D07CFFF6B&gt;&lt;p&gt;We've recently assisted a number of clients in Exchange 2007 → 2010 upgrades. In each case, they've been using ISA or TMG to publish external Exchange services. For the most part, it's been easy to find information on the subject: the &lt;a href="http://msexchangeteam.com/archive/2009/12/17/453625.aspx"&gt;MS Exchange team&lt;/a&gt; has a really nice write up on the ISA configurations for 2010 upgrade; &lt;a href="http://www.msexchange.org/tutorials/Outlook-Anywhere-2007-ISA-Server-2006.html"&gt;ISAserver.org&lt;/a&gt; has a good write-up in general on ISA and Exchange; &lt;a href="http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/"&gt;Elan Shudnow&lt;/a&gt; has a post or two on the subject; and there's always &lt;a href="http://technet.microsoft.com/en-us/library/bb331965.aspx"&gt;technet&lt;/a&gt;. All the info is helpful; however, my issue was that there are 1,000,000 ways to configure these services with ISA and Exchange: Basic? NTLM? Prompts? Web listeners? Pre-Authentication? So many different routes have led to some confusion in setup.
&lt;/p&gt;&lt;p&gt;Practically speaking, it turned out that most customers really wanted a simple setup:
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;a single name (&lt;strong&gt;mail.company.com&lt;/strong&gt;)
&lt;/li&gt;&lt;li&gt;Never prompt users for credentials in Outlook. Ever!
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;If this sounds like you (or your customers), then I've got a condensed guide to make life easy. The guide below assumes that you have all users coming through ISA/TMG and going to the CAS 2010 servers. It also assumes that you have Exchange 2007 and 2010 mailboxes co-existing.
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Use a single name for Exchange 2010: &lt;strong&gt;mail.company.com&lt;/strong&gt;
		&lt;/li&gt;&lt;li&gt;Use a single name for Exchange 2007: &lt;strong&gt;legacymail.company.com&lt;/strong&gt;
		&lt;/li&gt;&lt;li&gt;&lt;a href="http://msexchangeteam.com/archive/2009/11/20/453272.aspx"&gt;Set up URL redirection for 2007 users&lt;/a&gt;. This article is really important as it outlines exactly how to transition from CAS 2007 to 2010.
&lt;/li&gt;&lt;li&gt;&lt;div&gt;Use &lt;strong&gt;&lt;em&gt;only one web listener&lt;/em&gt;&lt;/strong&gt; with Forms Based Authentication turned on.
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2001.png" alt=""&gt;
			&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Make sure that in the &amp;quot;advanced&amp;quot; box, you uncheck &amp;quot;all users must authenticate&amp;quot; and that you put in your AD domain for Basic Authentication
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2002.png" alt=""&gt;
					&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;&lt;span style="background-color:yellow"&gt;Ensure you have &amp;quot;single sign-on&amp;quot; enabled on your web listener. &lt;strong&gt;&lt;em&gt;This is required especially for OWA 2007 and 2010 co-existence&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;strong&gt;&lt;em&gt;. See below for details on why this is&lt;/em&gt;&lt;/strong&gt;.  
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2003.png" alt=""&gt;
					&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Use separate web publishing rules, all bound to your one listener, for each service:
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Outlook Anywhere 2010
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Authentication delegation: &amp;quot;no delegation, but client may access directly&amp;quot;
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2004.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;&lt;span style="background-color:yellow"&gt;Users: &amp;quot;All users&amp;quot; - &lt;strong&gt;&lt;em&gt;note: do not use &amp;quot;all authenticated users&amp;quot;; this will cause Outlook Anywhere clients to never connect to Exchange.&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;strong&gt;&lt;em&gt; See below for details.&lt;/em&gt;&lt;/strong&gt;
							&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2005.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;Destination: Exchange 2010 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Outlook Web Access  2010
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Authentication delegation: Basic
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2006.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Users: &amp;quot;all authenticated users&amp;quot;
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2007.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;Destination: Exchange 2010 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Active Sync 2010
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Authentication delegation: Basic
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2008.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Users: &amp;quot;all authenticated users&amp;quot;
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2009.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;Destination: Exchange 2010 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Outlook Anywhere 2007
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Authentication delegation: &amp;quot;no delegation, but client may access directly&amp;quot;
&lt;/li&gt;&lt;li&gt;Users: &amp;quot;All users&amp;quot; - note: do not use &amp;quot;all authenticated users&amp;quot;; this will cause Outlook Anywhere clients to never connect to Exchange.
&lt;/li&gt;&lt;li&gt;Destination: Exchange 2007 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Outlook Web Access  2007
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Authentication delegation: Basic
&lt;/li&gt;&lt;li&gt;Users: &amp;quot;all authenticated users&amp;quot;
&lt;/li&gt;&lt;li&gt;Destination: Exchange 2007 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Active Sync 2007
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Authentication delegation: Basic
&lt;/li&gt;&lt;li&gt;Users: &amp;quot;all authenticated users&amp;quot;
&lt;/li&gt;&lt;li&gt;Destination: Exchange 2007 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Exchange server 2010 authentication:
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Outlook Anywhere: NTLM only
&lt;/li&gt;&lt;li&gt;Outlook Web Access: NTLM/Basic (no forms-based authentication)
&lt;/li&gt;&lt;li&gt;Active Sync: Basic
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Exchange server 2007 authentication:
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Outlook Anywhere: NTLM only
&lt;/li&gt;&lt;li&gt;Outlook Web Access: NTLM/Basic (no forms-based authentication)
&lt;/li&gt;&lt;li&gt;Active Sync: NTLM only 
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Outlook 2007 / 2010 Authentication
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Set to NTLM
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;&lt;em&gt;Q: Why should I only use one web listener / enable SSO?
&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;The main reason to use one web listener for all 2007 and 2010 rules is single sign-on in OWA. 
&lt;/p&gt;&lt;p&gt;When you have an Exchange 2010 user coming through ISA and being connected to an Exchange 2010 CAS server for OWA, ISA will use forms-based authentication to authenticate the user &amp;amp; pass the user right on to the 2010 CAS. That's all great.
&lt;/p&gt;&lt;p&gt;But when a user whose mailbox is still on Exchange 2007 connects to &lt;strong&gt;mail.company.com&lt;/strong&gt; for OWA, ISA will handle the request and pass it on to the Exchange 2010 CAS. The Exchange 2010 CAS will realize that the user is an Exchange 2007 user and send a client-side redirect to the user's browser for &amp;quot;&lt;strong&gt;legacymail.company.com&lt;/strong&gt;&amp;quot;, which is also being published by ISA (assuming you've set this up properly). When the client's browser gets the redirect, you don't want the user to connect to legacymail.company.com and get prompted AGAIN.
&lt;/p&gt;&lt;p&gt;You can avoid the second prompt, but it requires using a single web listener for both OWA publishing rules. The reason is that ISA doesn't support single sign-on (SSO) across multiple web listeners. So if you have the &lt;strong&gt;mail.company.com&lt;/strong&gt; rule bound to the same listener as the &lt;strong&gt;legacymail.company.com&lt;/strong&gt; rule, the user will not get prompted when Exchange redirects him/her to the legacymail OWA page.
&lt;/p&gt;&lt;p&gt;If you're using separate listeners, the redirection to legacymail will cause the user to get re-prompted.
&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;&lt;em&gt;Q: Why do I need to set the Outlook Anywhere rule to use &amp;quot;All Users&amp;quot;
&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Your main web listener is set to use Forms Based Authentication. This is what you'll need to make OWA work. But as you can imagine, Outlook Anywhere and Active Sync are not going to work with FBA. That's OK: if a client tries to connect to an FBA-enabled listener and is unable to handle the form, ISA will fall back to Basic authentication.
&lt;/p&gt;&lt;p&gt;Active Sync is cool with this; you've already entered your user name and password into your Active Sync device. This is good enough to get you through ISA.
&lt;/p&gt;&lt;p&gt;Outlook Anywhere, however, is not cool with this. Since you've set your Outlook Anywhere authentication method to NTLM (step 7 above) it's not going to authenticate to a web listener that's looking for Basic. If you change Outlook Anywhere to use Basic authentication, this will work… but your end users will be prompted for username and password. Which you probably don't want.
&lt;/p&gt;&lt;p&gt;So how best to fix it? Just set your Outlook Anywhere web publishing rule to allow &amp;quot;all users&amp;quot;. So even though ISA is falling back to Basic authentication on the web listener, your rule is now saying: &amp;quot;I don't care if they're authenticated or not, just send them through&amp;quot;. This allows anyone from the outside to at least make it through ISA without having ISA authenticate you. And since you've set the Outlook Anywhere rule to &amp;quot;no delegation, but allow client to authenticate directly&amp;quot; the Outlook client will just pass right through ISA and authenticate directly to the CAS server. The Outlook client is set to NTLM and now it's hitting the CAS server directly – so it's important to have the CAS server's authentication for Outlook Anywhere set to NTLM (step 5a above).
&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;&lt;em&gt;Q: Is it a bad idea to bypass ISA pre-authentication for Outlook Anywhere?
&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;I personally don't think it's a big deal. &lt;a href="http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/"&gt;Elan Shudnow's post&lt;/a&gt; has more to say about that, however.
&lt;/p&gt;&lt;p&gt;If you are totally opposed to this concept, then you're going to need to live with either:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;A separate name for Outlook Anywhere (&lt;strong&gt;outlook.company.com&lt;/strong&gt;) with its own cert and web listener. OR
&lt;/li&gt;&lt;li&gt;Use Basic authentication and force your users to be prompted for username and password.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass0ABD1731F33C4847874AFE5D07CFFF6B&gt;&lt;p&gt;We've recently assisted a number of clients in Exchange 2007 → 2010 upgrades. In each case, they've been using ISA or TMG to publish external Exchange services. For the most part, it's been easy to find information on the subject: the &lt;a href="http://msexchangeteam.com/archive/2009/12/17/453625.aspx"&gt;MS Exchange team&lt;/a&gt; has a really nice write up on the ISA configurations for 2010 upgrade; &lt;a href="http://www.msexchange.org/tutorials/Outlook-Anywhere-2007-ISA-Server-2006.html"&gt;ISAserver.org&lt;/a&gt; has a good write-up in general on ISA and Exchange; &lt;a href="http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/"&gt;Elan Shudnow&lt;/a&gt; has a post or two on the subject; and there's always &lt;a href="http://technet.microsoft.com/en-us/library/bb331965.aspx"&gt;technet&lt;/a&gt;. All the info is helpful; however, my issue was that there are 1,000,000 ways to configure these services with ISA and Exchange: Basic? NTLM? Prompts? Web listeners? Pre-Authentication? So many different routes have led to some confusion in setup.
&lt;/p&gt;&lt;p&gt;Practically speaking, it turned out that most customers really wanted a simple setup:
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;a single name (&lt;strong&gt;mail.company.com&lt;/strong&gt;)
&lt;/li&gt;&lt;li&gt;Never prompt users for credentials in Outlook. Ever!
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;If this sounds like you (or your customers), then I've got a condensed guide to make life easy. The guide below assumes that you have all users coming through ISA/TMG and going to the CAS 2010 servers. It also assumes that you have Exchange 2007 and 2010 mailboxes co-existing.
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Use a single name for Exchange 2010: &lt;strong&gt;mail.company.com&lt;/strong&gt;
		&lt;/li&gt;&lt;li&gt;Use a single name for Exchange 2007: &lt;strong&gt;legacymail.company.com&lt;/strong&gt;
		&lt;/li&gt;&lt;li&gt;&lt;a href="http://msexchangeteam.com/archive/2009/11/20/453272.aspx"&gt;Set up URL redirection for 2007 users&lt;/a&gt;. This article is really important as it outlines exactly how to transition from CAS 2007 to 2010.
&lt;/li&gt;&lt;li&gt;&lt;div&gt;Use &lt;strong&gt;&lt;em&gt;only one web listener&lt;/em&gt;&lt;/strong&gt; with Forms Based Authentication turned on.
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2001.png" alt=""&gt;
			&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Make sure that in the &amp;quot;advanced&amp;quot; box, you uncheck &amp;quot;all users must authenticate&amp;quot; and that you put in your AD domain for Basic Authentication
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2002.png" alt=""&gt;
					&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;&lt;span style="background-color:yellow"&gt;Ensure you have &amp;quot;single sign-on&amp;quot; enabled on your web listener. &lt;strong&gt;&lt;em&gt;This is required especially for OWA 2007 and 2010 co-existence&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;strong&gt;&lt;em&gt;. See below for details on why this is&lt;/em&gt;&lt;/strong&gt;.  
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2003.png" alt=""&gt;
					&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Use separate web publishing rules, all bound to your one listener, for each service:
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Outlook Anywhere 2010
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Authentication delegation: &amp;quot;no delegation, but client may access directly&amp;quot;
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2004.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;&lt;span style="background-color:yellow"&gt;Users: &amp;quot;All users&amp;quot; - &lt;strong&gt;&lt;em&gt;note: do not use &amp;quot;all authenticated users&amp;quot;; this will cause Outlook Anywhere clients to never connect to Exchange.&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;strong&gt;&lt;em&gt; See below for details.&lt;/em&gt;&lt;/strong&gt;
							&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2005.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;Destination: Exchange 2010 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Outlook Web Access 2010
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Authentication delegation: Basic
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2006.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Users: &amp;quot;all authenticated users&amp;quot;
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2007.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;Destination: Exchange 2010 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Active Sync 2010
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Authentication delegation: Basic
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2008.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Users: &amp;quot;all authenticated users&amp;quot;
&lt;/div&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/062510_1907_UsingISA2009.png" alt=""&gt;
							&lt;/p&gt;&lt;/li&gt;&lt;li&gt;Destination: Exchange 2010 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Outlook Anywhere 2007
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Authentication delegation: &amp;quot;no delegation, but client may access directly&amp;quot;
&lt;/li&gt;&lt;li&gt;Users: &amp;quot;All users&amp;quot; - note: do not use &amp;quot;all authenticated users&amp;quot;; this will cause Outlook Anywhere clients to never connect to Exchange.
&lt;/li&gt;&lt;li&gt;Destination: Exchange 2007 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Outlook Web Access 2007
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Authentication delegation: Basic
&lt;/li&gt;&lt;li&gt;Users: &amp;quot;all authenticated users&amp;quot;
&lt;/li&gt;&lt;li&gt;Destination: Exchange 2007 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Active Sync 2007
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Authentication delegation: Basic
&lt;/li&gt;&lt;li&gt;Users: &amp;quot;all authenticated users&amp;quot;
&lt;/li&gt;&lt;li&gt;Destination: Exchange 2007 CAS (or CAS farm)
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Exchange server 2010 authentication:
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Outlook Anywhere: NTLM only
&lt;/li&gt;&lt;li&gt;Outlook Web Access: NTLM/Basic (no forms-based authentication)
&lt;/li&gt;&lt;li&gt;Active Sync: Basic
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Exchange server 2007 authentication:
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Outlook Anywhere: NTLM only
&lt;/li&gt;&lt;li&gt;Outlook Web Access: NTLM/Basic (no forms-based authentication)
&lt;/li&gt;&lt;li&gt;Active Sync: NTLM only 
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Outlook 2007 / 2010 Authentication
&lt;/div&gt;&lt;ol&gt;&lt;li&gt;Set to NTLM
&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;&lt;em&gt;Q: Why should I only use one web listener / enable SSO?
&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;The main reason to use one web listener for all 2007 and 2010 rules is single sign-on in OWA. 
&lt;/p&gt;&lt;p&gt;When you have an Exchange 2010 user coming through ISA and being connected to an Exchange 2010 CAS server for OWA, ISA will use forms-based authentication to authenticate the user &amp;amp; pass the user right on to the 2010 CAS. That's all great.
&lt;/p&gt;&lt;p&gt;But when a user whose mailbox is still on Exchange 2007 connects to &lt;strong&gt;mail.company.com&lt;/strong&gt; for OWA, ISA will handle the request and pass it on to the Exchange 2010 CAS. The Exchange 2010 CAS will realize that the user is an Exchange 2007 user and will send a client-side redirect to the user's browser for &amp;quot;&lt;strong&gt;legacymail.company.com&lt;/strong&gt;&amp;quot;, which is also being published by ISA (assuming you've set this up properly). When the client's browser gets the redirect, you don't want the user to connect to legacymail.company.com and get prompted AGAIN.
&lt;/p&gt;&lt;p&gt;You can avoid that second prompt – but it requires using a single web listener for both OWA publishing rules. The reason is that ISA doesn't support single sign-on (SSO) across multiple web listeners. So if you have the &lt;strong&gt;mail.company.com&lt;/strong&gt; rule bound to the same listener as the &lt;strong&gt;legacymail.company.com&lt;/strong&gt; rule – the user will not get prompted when Exchange redirects him/her to the legacymail OWA page.
&lt;/p&gt;&lt;p&gt;If you're using separate listeners, the redirection to legacymail will cause the user to get re-prompted.
&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;&lt;em&gt;Q: Why do I need to set the Outlook Anywhere rule to use &amp;quot;All Users&amp;quot;?
&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Your main web listener is set to use Forms Based Authentication. This is what you'll need to make OWA work. But as you can imagine, Outlook Anywhere and Active Sync are not going to work with FBA. That's OK: if a client tries to connect to an FBA-enabled listener and it's unable to handle the form, ISA will fall back to Basic authentication.
&lt;/p&gt;&lt;p&gt;Active Sync is cool with this; you've already entered your user name and password into your Active Sync device. This is good enough to get you through ISA.
&lt;/p&gt;&lt;p&gt;Outlook Anywhere, however, is not cool with this. Since you've set your Outlook Anywhere authentication method to NTLM (step 7 above) it's not going to authenticate to a web listener that's looking for Basic. If you change Outlook Anywhere to use Basic authentication, this will work… but your end users will be prompted for username and password. Which you probably don't want.
&lt;/p&gt;&lt;p&gt;So how best to fix it? Just set your Outlook Anywhere web publishing rule to allow &amp;quot;all users&amp;quot;. So even though ISA is falling back to Basic authentication on the web listener, your rule is now saying: &amp;quot;I don't care if they're authenticated or not, just send them through&amp;quot;. This allows anyone from the outside to at least make it through ISA without having ISA authenticate you. And since you've set the Outlook Anywhere rule to &amp;quot;no delegation, but allow client to authenticate directly&amp;quot; the Outlook client will just pass right through ISA and authenticate directly to the CAS server. The Outlook client is set to NTLM and now it's hitting the CAS server directly – so it's important to have the CAS server's authentication for Outlook Anywhere set to NTLM (step 5a above).
&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;&lt;em&gt;Q: Is it a bad idea to bypass ISA pre-authentication for Outlook Anywhere?
&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;I personally don't think it's a big deal. &lt;a href="http://www.shudnow.net/2009/08/05/publishing-exchange-2007-autodisover-in-isa-2006-part-2/"&gt;Elan Shudnow's post&lt;/a&gt; has more to say about that, however.
&lt;/p&gt;&lt;p&gt;If you are totally opposed to this concept, then you're going to need to live with either:
&lt;/p&gt;&lt;ul&gt;&lt;li&gt;A separate name for Outlook Anywhere (&lt;strong&gt;outlook.company.com&lt;/strong&gt;) with its own cert and web listener. OR
&lt;/li&gt;&lt;li&gt;Use Basic authentication and force your users to be prompted for username and password.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description><author>Matthew McGillen</author><link>http://blogs.pointbridge.com/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=77</link><description /><pubDate>2010-06-25 14:08:22</pubDate></item><item><id>88</id><title>Outlook Profile Configuration without the MSOL Client</title><body>&lt;div class=ExternalClassFDEE5C56E56C4D91A67FD0B602CB02B3&gt;&lt;div class=ExternalClass3538E1C76C284875B5C00F22EAA0C5F5&gt; &lt;p&gt;There are a few scenarios where you may want to use Outlook to access an Exchange Online mailbox but cannot use the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=5C2CA866-4107-4AE5-98D5-76BF1B18FF87&amp;amp;displaylang=en"&gt;Microsoft Online Services Sign-In&lt;/a&gt; client.  This could be due to installation or operating requirements of the client (some OS versions are unsupported) or maybe users don’t have the required permissions to install software but can at least modify Outlook profiles.&lt;/p&gt; &lt;p&gt;Take note that this is a completely unsupported approach and might not even work on some platforms.  The intent is for accessing the mailbox in temporary situations and not for long-term deployment solutions.  Not using the sign-in client can impact more than just single-sign-in user experience.  It is a ‘best practice’ approach to deploy the client to end-users on supported platforms.&lt;/p&gt; &lt;p&gt;Additionally it was &lt;a href="http://social.technet.microsoft.com/Forums/en-US/onlineservicesexchange/thread/94a1ccf4-4ccc-4a2e-953b-eecc871601e3"&gt;pointed out&lt;/a&gt; by a Microsoft Support Engineer that not using the Services Sign-In client prevents certificate downloads from BPOS which is required to support AutoDiscover.  
Thus Outlook clients will not be able to download the Offline Address Book or see any Free/Busy and Out of Office information.&lt;/p&gt; &lt;p&gt;The instructions in this article are simply a reverse-engineered look at what is required to configure an Outlook profile to work with a mailbox hosted on Exchange Online/BPOS.  This approach was tested using Outlook 2003, 2007, and 2010 against a mailbox hosted in the North American datacenters.  I assume the same process would also work for other regions of the world with the correct &lt;a href="http://www.microsoft.com/online/help/en-us/bpos/index.html?page=html/c0a1a4b9-111f-4bd4-8fab-8147344cd278.htm"&gt;URLs&lt;/a&gt; (&lt;em&gt;red002&lt;/em&gt; for EMEA and &lt;em&gt;red003&lt;/em&gt; for APAC).&lt;/p&gt; &lt;p&gt;The two main issues that can prevent administrators from successfully configuring profiles are related to (a) the order in which the profile is configured and (b) the confusing nature of the Exchange mailbox server names.  But using the correct approach to the first issue takes care of the second.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Create New Outlook Profile&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Start by creating a new Outlook profile using the &lt;strong&gt;Mail &lt;/strong&gt;control panel applet.  (In Windows 7 this can be found by searching for ‘mail’ in the Control Panel window.)&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Open the &lt;font color="#739643"&gt;Mail&lt;/font&gt; (or ‘Mail 32-bit’) Control Panel applet.  &lt;li&gt;Click &lt;font color="#739643"&gt;&lt;u&gt;S&lt;/u&gt;how Profiles…&lt;/font&gt;  &lt;li&gt;Click Add…  &lt;li&gt;Enter a unique, descriptive name for the new profile (e.g. 
&lt;a href="mailto:jeff@contoso.com"&gt;jeff@contoso.com&lt;/a&gt;)  &lt;li&gt;Depending on the version of Outlook used, select the available choice to create a new profile:  &lt;ol&gt; &lt;li&gt;Outlook 2003: &lt;font color="#739643"&gt;Add a new e-mail account&lt;/font&gt;  &lt;li&gt;Outlook 2007/2010: &lt;font color="#739643"&gt;Manually configure server settings or additional server types&lt;/font&gt;&lt;/li&gt;&lt;/ol&gt; &lt;li&gt;Select &lt;font color="#739643"&gt;Microsoft Exchange&lt;/font&gt; (Server).&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;Now the first important step has been reached, as a valid server name will need to be supplied, but the odd thing is that internal, non-resolvable FQDNs are used for the Exchange Online mailbox servers.  If you have ever looked at a profile configured automatically by the sign-in client you would have noticed that the server names were typically in a &lt;em&gt;REDxxx.local&lt;/em&gt; domain.  So clearly a normal connection cannot be made to that server over the Internet as .local is not a publicly supported DNS suffix.  But Outlook Anywhere (aka RPC over HTTP) can be configured for the initial connection to the mailbox.  This approach also works for all on-premise Exchange clients when trying to configure a profile to use Outlook Anywhere where Autodiscover is either not configured or not supported.&lt;/p&gt; &lt;p&gt;There is a long list of possible Exchange mailbox server names that may change at any point, since this is an unsupported process and Microsoft could modify them during server upgrades/replacements.  The name used in this example may not work, so I would recommend looking at the profile setting of another mailbox (or even the same mailbox) which was configured properly through the normal client procedure.  
If that mailbox server name resolves but is not the server which actually hosts this specific mailbox account the profile will still work as Exchange will redirect Outlook to the correct mailbox server in the organization.  This can be verified by seeing that the server name changes to a different value after the profile is initially set up.&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Enter &lt;strong&gt;VA3DIAXVS101.RED001.local&lt;/strong&gt; in the &lt;font color="#739643"&gt;Microsoft Exchange server&lt;/font&gt; field.  Verify that &lt;font color="#739643"&gt;Use Cached Exchange Mode&lt;/font&gt; is selected.  &lt;li&gt;Enter the username of the desired mailbox, e.g. &lt;a href="mailto:jeff@contoso.com"&gt;jeff@contoso.com&lt;/a&gt; or &lt;a href="mailto:jeff@contoso.microsoftonline.com"&gt;jeff@contoso.microsoftonline.com&lt;/a&gt;, whichever format is the configured username of the online account.  &lt;li&gt;Click &lt;font color="#739643"&gt;&lt;u&gt;M&lt;/u&gt;ore Settings…&lt;/font&gt;  &lt;li&gt;An error message will appear stating &lt;em&gt;“The action cannot be completed.  The connection to Microsoft Exchange in unavailable.  Outlook must be online or connected to complete this action.”  &lt;/em&gt;Click &lt;font color="#739643"&gt;OK&lt;/font&gt;.  &lt;li&gt;Another settings window labeled &lt;em&gt;Microsoft Exchange&lt;/em&gt; will appear. Click &lt;font color="#739643"&gt;OK&lt;/font&gt; again.&lt;/li&gt;&lt;/ol&gt; &lt;ul&gt; &lt;li&gt;Note: If you attempt to use the &lt;em&gt;Check Name &lt;/em&gt;button in the previous window the process will always fail as the .local server name is not yet resolvable. Ignore that button.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;At this point the profile settings window should be displayed as seen in the image below, allowing the remainder of the configuration to be completed manually.  
This allows for the RPC over HTTP settings to be configured so that the once unresolvable &lt;em&gt;.local &lt;/em&gt;server name will now be valid.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_6_0B228837.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_2_0B228837.png" width=332 height=304&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;&lt;em&gt;&lt;strong&gt;&lt;font color="#3f72ae"&gt;Configure Profile Settings&lt;/font&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;p align=left&gt;Enter and confirm the following settings across the various properties tabs.  All steps beginning with ‘Verify’ or ‘Confirm’ indicate that the default value is the desired setting.  Steps labeled as ‘Select’ or ‘Enable’ indicate a change in the default profile setting.&lt;/p&gt; &lt;p align=left&gt;&lt;u&gt;General Tab&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt; &lt;div align=left&gt;Enter a descriptive account name (e.g. Exchange Online).&lt;/div&gt; &lt;li&gt; &lt;div align=left&gt;Select &lt;font color="#739643"&gt;&lt;em&gt;Automatically detect connection state.&lt;/em&gt;&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p align=left&gt;&lt;u&gt;Advanced Tab&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Verify that &lt;em&gt;&lt;font color="#739643"&gt;Use Cached Exchange Mode&lt;/font&gt; &lt;/em&gt;and &lt;em&gt;&lt;font color="#739643"&gt;Download shared folders&lt;/font&gt; &lt;/em&gt;are enabled.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;u&gt;Security Tab&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Verify that &lt;em&gt;&lt;font color="#739643"&gt;Encrypt data between Microsoft Office Outlook and Microsoft Exchange&lt;/font&gt; &lt;/em&gt;is enabled.  
&lt;li&gt;Verify that &lt;font color="#739643"&gt;&lt;em&gt;Negotiate authentication&lt;/em&gt;&lt;/font&gt; is the selected &lt;em&gt;Logon network security&lt;/em&gt; setting.&lt;/li&gt;&lt;/ul&gt; &lt;p align=center&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_10_0B228837.png" width=248 height=204&gt; &lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_8_0B228837.png" width=239 height=204&gt; &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_24_0B228837.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_11_0B228837.png" width=243 height=204&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;&lt;u&gt;Connection Tab&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Enable &lt;font color="#739643"&gt;&lt;em&gt;Connect to Microsoft Exchange using HTTP.&lt;/em&gt;&lt;/font&gt;  &lt;li&gt;Click &lt;em&gt;&lt;font color="#739643"&gt;&lt;u&gt;E&lt;/u&gt;xchange Proxy Settings…&lt;/font&gt;&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;u&gt;Exchange Proxy Settings&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;In the &lt;em&gt;&lt;font color="#739643"&gt;Use this URL to connect to my proxy server for Exchange&lt;/font&gt;&lt;/em&gt; field, enter &lt;strong&gt;red001.mail.microsoftonline.com&lt;/strong&gt; for mailboxes stored in North America datacenters.  Substitute &lt;em&gt;red002 &lt;/em&gt;or &lt;em&gt;red003 &lt;/em&gt;for other regions.  
&lt;li&gt;Enable the &lt;em&gt;&lt;font color="#739643"&gt;Only connect…&lt;/font&gt;&lt;/em&gt; or &lt;em&gt;&lt;font color="#739643"&gt;Mutually authenticate… &lt;/font&gt;&lt;/em&gt;setting (depending on the version of Outlook).  &lt;li&gt;Enter the proxy server value of &lt;strong&gt;msstd:*.mail.microsoftonline.com&lt;/strong&gt; in the field below.  &lt;li&gt;Enable the setting &lt;em&gt;&lt;font color="#739643"&gt;On fast networks connect using HTTP first, then connect using TCP/IP.&lt;/font&gt;&lt;/em&gt;  &lt;li&gt;Verify the setting is enabled for &lt;em&gt;&lt;font color="#739643"&gt;On fast networks connect using HTTP first, then connect using TCP/IP.&lt;/font&gt;&lt;/em&gt;  &lt;li&gt;Verify that &lt;em&gt;&lt;font color="#739643"&gt;NTLM Authentication&lt;/font&gt;&lt;/em&gt; is the selected &lt;em&gt;Proxy authentication setting&lt;/em&gt;.&lt;/li&gt;&lt;/ul&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_28_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_13_763105C3.png" width=285 height=304&gt;&lt;/a&gt;     &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_30_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_14_763105C3.png" width=383 height=304&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;Once completed with the steps above click &lt;em&gt;&lt;font color="#739643"&gt;OK &lt;/font&gt;&lt;/em&gt;to close and save the profile window, returning back to the original account creation wizard.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_36_763105C3.png"&gt;&lt;img 
style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_17_763105C3.png" width=504 height=206&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Click the &lt;em&gt;&lt;font color="#739643"&gt;Chec&lt;u&gt;k&lt;/u&gt; Name&lt;/font&gt; &lt;/em&gt;button next to the User Name field and an authentication prompt should appear.  Enter the password for the online account.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_32_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_15_763105C3.png" width=254 height=165&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;After a few seconds the Microsoft Exchange settings page on the wizard should have updated the information by updating the correct home mailbox server name as well as converting the username to the Display Name value.  
The underlined text format in both fields indicates a successful connection to the online mailbox, and thus the profile configuration is complete.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_38_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_18_763105C3.png" width=504 height=206&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;Click &lt;em&gt;&lt;font color="#739643"&gt;Next&lt;/font&gt; &lt;/em&gt;and &lt;em&gt;&lt;font color="#739643"&gt;Finish &lt;/font&gt;&lt;/em&gt;to complete the wizard.&lt;/p&gt; &lt;p align=left&gt;Back at the original &lt;em&gt;Mail&lt;/em&gt; applet window make sure that the &lt;em&gt;&lt;font color="#739643"&gt;Prompt for a profile to be used&lt;/font&gt;&lt;/em&gt; setting is enabled if there are now multiple Outlook Profiles configured on the same Windows user profile.&lt;/p&gt; &lt;p align=center&gt;   &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_48_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_23_763105C3.png" width=304 height=228&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassFDEE5C56E56C4D91A67FD0B602CB02B3&gt;&lt;div class=ExternalClass3538E1C76C284875B5C00F22EAA0C5F5&gt; &lt;p&gt;There are a few scenarios where you may want to use Outlook to access an Exchange Online mailbox but cannot use the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=5C2CA866-4107-4AE5-98D5-76BF1B18FF87&amp;amp;displaylang=en"&gt;Microsoft Online Services Sign-In&lt;/a&gt; client.  
This could be due to installation or operating requirements of the client (some OS versions are unsupported) or maybe users don’t have the required permissions to install software but can at least modify Outlook profiles.&lt;/p&gt; &lt;p&gt;Take note that this is a completely unsupported approach and might not even work on some platforms.  The intent is for accessing the mailbox in temporary situations and not for long-term deployment solutions.  Not using the sign-in client can impact more than just single-sign-in user experience.  It is a ‘best practice’ approach to deploy the client to end-users on supported platforms.&lt;/p&gt; &lt;p&gt;Additionally it was &lt;a href="http://social.technet.microsoft.com/Forums/en-US/onlineservicesexchange/thread/94a1ccf4-4ccc-4a2e-953b-eecc871601e3"&gt;pointed out&lt;/a&gt; by a Microsoft Support Engineer that not using the Services Sign-In client prevents certificate downloads from BPOS which is required to support AutoDiscover.  Thus Outlook clients will not be able to download the Offline Address Book or see any Free/Busy and Out of Office information.&lt;/p&gt; &lt;p&gt;The instructions in this article are simply a reverse-engineered look at what is required to configure an Outlook profile to work with a mailbox hosted on Exchange Online/BPOS.  This approach was tested using Outlook 2003, 2007, and 2010 against a mailbox hosted in the North American datacenters.  I assume the same process would also work for other regions of the world with the correct &lt;a href="http://www.microsoft.com/online/help/en-us/bpos/index.html?page=html/c0a1a4b9-111f-4bd4-8fab-8147344cd278.htm"&gt;URLs&lt;/a&gt; (&lt;em&gt;red002&lt;/em&gt; for EMEA and &lt;em&gt;red003&lt;/em&gt; for APAC).&lt;/p&gt; &lt;p&gt;The two main issues that can prevent administrators from successfully configuring profiles are related to (a) the order in which the profile is configured and (b) the confusing nature of the Exchange mailbox server names.  
But using the correct approach to the first issue takes care of the second.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Create New Outlook Profile&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Start by creating a new Outlook profile using the &lt;strong&gt;Mail &lt;/strong&gt;control panel applet.  (In Windows 7 this can be found by searching for ‘mail’ in the Control Panel window.)&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Open the &lt;font color="#739643"&gt;Mail&lt;/font&gt; (or ‘Mail 32-bit’) Control Panel applet.  &lt;li&gt;Click &lt;font color="#739643"&gt;&lt;u&gt;S&lt;/u&gt;how Profiles…&lt;/font&gt;  &lt;li&gt;Click Add…  &lt;li&gt;Enter a unique, descriptive name for the new profile (e.g. &lt;a href="mailto:jeff@contoso.com"&gt;jeff@contoso.com&lt;/a&gt;)  &lt;li&gt;Depending on the version of Outlook used, select the available choice to create a new profile:  &lt;ol&gt; &lt;li&gt;Outlook 2003: &lt;font color="#739643"&gt;Add a new e-mail account&lt;/font&gt;  &lt;li&gt;Outlook 2007/2010: &lt;font color="#739643"&gt;Manually configure server settings or additional server types&lt;/font&gt;&lt;/li&gt;&lt;/ol&gt; &lt;li&gt;Select &lt;font color="#739643"&gt;Microsoft Exchange&lt;/font&gt; (Server).&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;Now the first important step has been reached, as a valid server name will need to be supplied, but the odd thing is that internal, non-resolvable FQDNs are used for the Exchange Online mailbox servers.  If you have ever looked at a profile configured automatically by the sign-in client you would have noticed that the server names were typically in a &lt;em&gt;REDxxx.local&lt;/em&gt; domain.  So clearly a normal connection cannot be made to that server over the Internet as .local is not a publicly supported DNS suffix.  But Outlook Anywhere (aka RPC over HTTP) can be configured for the initial connection to the mailbox.  
This approach also works for all on-premise Exchange clients when trying to configure a profile to use Outlook Anywhere where Autodiscover is either not configured or not supported.&lt;/p&gt; &lt;p&gt;There is a long list of possible Exchange mailbox server names that may change at any point, since this is an unsupported process and Microsoft could modify them during server upgrades/replacements.  The name used in this example may not work, so I would recommend looking at the profile setting of another mailbox (or even the same mailbox) which was configured properly through the normal client procedure.  If that mailbox server name resolves but is not the server which actually hosts this specific mailbox account the profile will still work as Exchange will redirect Outlook to the correct mailbox server in the organization.  This can be verified by seeing that the server name changes to a different value after the profile is initially set up.&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Enter &lt;strong&gt;VA3DIAXVS101.RED001.local&lt;/strong&gt; in the &lt;font color="#739643"&gt;Microsoft Exchange server&lt;/font&gt; field.  Verify that &lt;font color="#739643"&gt;Use Cached Exchange Mode&lt;/font&gt; is selected.  &lt;li&gt;Enter the username of the desired mailbox, e.g. &lt;a href="mailto:jeff@contoso.com"&gt;jeff@contoso.com&lt;/a&gt; or &lt;a href="mailto:jeff@contoso.microsoftonline.com"&gt;jeff@contoso.microsoftonline.com&lt;/a&gt;, whichever format is the configured username of the online account.  &lt;li&gt;Click &lt;font color="#739643"&gt;&lt;u&gt;M&lt;/u&gt;ore Settings…&lt;/font&gt;  &lt;li&gt;An error message will appear stating &lt;em&gt;“The action cannot be completed.  The connection to Microsoft Exchange in unavailable.  Outlook must be online or connected to complete this action.”  &lt;/em&gt;Click &lt;font color="#739643"&gt;OK&lt;/font&gt;.  &lt;li&gt;Another settings window labeled &lt;em&gt;Microsoft Exchange&lt;/em&gt; will appear. 
Click &lt;font color="#739643"&gt;OK&lt;/font&gt; again.&lt;/li&gt;&lt;/ol&gt; &lt;ul&gt; &lt;li&gt;Note: If you attempt to use the &lt;em&gt;Check Name &lt;/em&gt;button in the previous window the process will always fail as the .local server name is not yet resolvable. Ignore that button.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;At this point the profile settings window should be displayed as seen in the image below, allowing the remainder of the configuration to be completed manually.  This allows for the RPC over HTTP settings to be configured so that the once unresolvable &lt;em&gt;.local &lt;/em&gt;server name will now be valid.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_6_0B228837.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_2_0B228837.png" width=332 height=304&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;&lt;em&gt;&lt;strong&gt;&lt;font color="#3f72ae"&gt;Configure Profile Settings&lt;/font&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;p align=left&gt;Enter and confirm the following settings across the various properties tabs.  All steps beginning with ‘Verify’ or ‘Confirm’ indicate that the default value is the desired setting.  Steps labeled as ‘Select’ or ‘Enable’ indicate a change in the default profile setting.&lt;/p&gt; &lt;p align=left&gt;&lt;u&gt;General Tab&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt; &lt;div align=left&gt;Enter a descriptive account name (e.g. 
Exchange Online).&lt;/div&gt; &lt;li&gt; &lt;div align=left&gt;Select &lt;font color="#739643"&gt;&lt;em&gt;Automatically detect connection state.&lt;/em&gt;&lt;/font&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p align=left&gt;&lt;u&gt;Advanced Tab&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Verify that &lt;em&gt;&lt;font color="#739643"&gt;Use Cached Exchange Mode&lt;/font&gt; &lt;/em&gt;and &lt;em&gt;&lt;font color="#739643"&gt;Download shared folders&lt;/font&gt; &lt;/em&gt;are enabled.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;u&gt;Security Tab&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Verify that &lt;em&gt;&lt;font color="#739643"&gt;Encrypt data between Microsoft Office Outlook and Microsoft Exchange&lt;/font&gt; &lt;/em&gt;is enabled.  &lt;li&gt;Verify that &lt;font color="#739643"&gt;&lt;em&gt;Negotiate authentication&lt;/em&gt;&lt;/font&gt; is the selected &lt;em&gt;Logon network security&lt;/em&gt; setting.&lt;/li&gt;&lt;/ul&gt; &lt;p align=center&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_10_0B228837.png" width=248 height=204&gt; &lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_8_0B228837.png" width=239 height=204&gt; &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_24_0B228837.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_11_0B228837.png" width=243 height=204&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;&lt;u&gt;Connection Tab&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Enable &lt;font color="#739643"&gt;&lt;em&gt;Connect to Microsoft Exchange using HTTP.&lt;/em&gt;&lt;/font&gt;  &lt;li&gt;Click &lt;em&gt;&lt;font 
color="#739643"&gt;&lt;u&gt;E&lt;/u&gt;xchange Proxy Settings…&lt;/font&gt;&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;u&gt;Exchange Proxy Settings&lt;/u&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;In the &lt;em&gt;&lt;font color="#739643"&gt;Use this URL to connect to my proxy server for Exchange&lt;/font&gt;&lt;/em&gt; field, enter &lt;strong&gt;red001.mail.microsoftonline.com&lt;/strong&gt; for mailboxes stored in North America datacenters.  Substitute &lt;em&gt;red002 &lt;/em&gt;or &lt;em&gt;red003 &lt;/em&gt;for other regions.  &lt;li&gt;Enable the &lt;em&gt;&lt;font color="#739643"&gt;Only connect…&lt;/font&gt;&lt;/em&gt; or &lt;em&gt;&lt;font color="#739643"&gt;Mutually authenticate… &lt;/font&gt;&lt;/em&gt;setting (depending on the version of Outlook).  &lt;li&gt;Enter the proxy server value of &lt;strong&gt;msstd:*.mail.microsoftonline.com&lt;/strong&gt; in the field below.  &lt;li&gt;Enable the setting &lt;em&gt;&lt;font color="#739643"&gt;On fast networks connect using HTTP first, then connect using TCP/IP.&lt;/font&gt;&lt;/em&gt;  &lt;li&gt;Verify the setting is enabled for &lt;em&gt;&lt;font color="#739643"&gt;On fast networks connect using HTTP first, then connect using TCP/IP.&lt;/font&gt;&lt;/em&gt;  &lt;li&gt;Verify that &lt;em&gt;&lt;font color="#739643"&gt;NTLM Authentication&lt;/font&gt;&lt;/em&gt; is the selected &lt;em&gt;Proxy authentication setting&lt;/em&gt;.&lt;/li&gt;&lt;/ul&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_28_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_13_763105C3.png" width=285 height=304&gt;&lt;/a&gt;     &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_30_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image 
src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_14_763105C3.png" width=383 height=304&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;Once completed with the steps above click &lt;em&gt;&lt;font color="#739643"&gt;OK &lt;/font&gt;&lt;/em&gt;to close and save the profile window, returning back to the original account creation wizard.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_36_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_17_763105C3.png" width=504 height=206&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Click the &lt;em&gt;&lt;font color="#739643"&gt;Chec&lt;u&gt;k&lt;/u&gt; Name&lt;/font&gt; &lt;/em&gt;button next to the User Name field and an authentication prompt should appear.  Enter the password for the online account.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_32_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_15_763105C3.png" width=254 height=165&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;After a few seconds the Microsoft Exchange settings page on the wizard should have updated the information by updating the correct home mailbox server name as well as converting the username to the Display Name value.  
The underlined text format in both fields indicates a successful connection to the online mailbox, and thus the profile configuration is complete.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_38_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_18_763105C3.png" width=504 height=206&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;Click &lt;em&gt;&lt;font color="#739643"&gt;Next&lt;/font&gt; &lt;/em&gt;and &lt;em&gt;&lt;font color="#739643"&gt;Finish &lt;/font&gt;&lt;/em&gt;to complete the wizard.&lt;/p&gt; &lt;p align=left&gt;Back at the original &lt;em&gt;Mail&lt;/em&gt; applet window make sure that the &lt;em&gt;&lt;font color="#739643"&gt;Prompt for a profile to be used&lt;/font&gt;&lt;/em&gt; setting is enabled if there are now multiple Outlook Profiles configured on the same Windows user profile.&lt;/p&gt; &lt;p align=center&gt;   &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_48_763105C3.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/88/image_thumb_23_763105C3.png" width=304 height=228&gt;&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</description><author>Jeff Schertz</author><link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=88</link><description /><pubDate>2010-02-07 11:10:00</pubDate></item><item><id>83</id><title>Exchange 2010 Voice Mail with the iPhone</title><body>&lt;div class=ExternalClass17AEBAD95D574B20A5CC316F784A9D1C&gt;&lt;blockquote&gt;&lt;/blockquote&gt; &lt;p&gt;Although the new &lt;a href="http://msexchangeteam.com/archive/2009/06/29/451695.aspx"&gt;Voice Mail Preview&lt;/a&gt; feature in Exchange 2010 has (rightfully) grabbed most of the spotlight in terms of neat 
new features in the product, there is another change in 2010 that is equally as important to anyone who is using an iPhone with Exchange ActiveSync.&lt;/p&gt; &lt;p&gt;Previously when my corporate mailbox was on an Exchange 2007 mailbox server I was not able to hear Unified Messaging Voice Mail messages directly on my phone, not at least without dialing into Outlook Voice Access to retrieve the message.  In Exchange 2007 the embedded audio file was displayed on the iPhone as an attached .WMA file, which is an audio codec the device cannot natively handle.  This is one of the major disadvantages to no longer using a Windows Mobile device: a depreciated mobile messaging experience with Exchange Server.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_4_76D22DCB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_thumb_1_76D22DCB.png" width=204 height=304&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;But once we moved my mailbox over to an Exchange 2010 server and upgraded the Unified Messaging Server then the first voice mail message I received showed two important changes.  First, I already know about the Voice Mail Preview feature which performs speech-to-text conversion on the message, and I was happy to know that I could then at least read the preview on my iPhone.  But what I didn’t expect is that the audio file itself would now be playable on my phone.  
I could immediately tell from the QuickTime icon that the attached file was now in a format the phone could natively understand.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_8_76D22DCB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_thumb_3_76D22DCB.png" width=204 height=304&gt;&lt;/a&gt;       &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_10_76D22DCB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_thumb_4_76D22DCB.png" width=204 height=304&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The Exchange Server 2010 &lt;a href="http://technet.microsoft.com/en-us/library/aa996342.aspx"&gt;documentation&lt;/a&gt; states the new default codec for messages created by a UM Dial Plan is MP3.  Among the other supported codecs WMA is still a configurable option, but with MP3 as the default a wider range of devices and systems is supported.&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass17AEBAD95D574B20A5CC316F784A9D1C&gt;&lt;blockquote&gt;&lt;/blockquote&gt; &lt;p&gt;Although the new &lt;a href="http://msexchangeteam.com/archive/2009/06/29/451695.aspx"&gt;Voice Mail Preview&lt;/a&gt; feature in Exchange 2010 has (rightfully) grabbed most of the spotlight in terms of neat new features in the product, there is another change in 2010 that is equally as important to anyone who is using an iPhone with Exchange ActiveSync.&lt;/p&gt; &lt;p&gt;Previously when my corporate mailbox was on an Exchange 2007 mailbox server I was not able to hear Unified Messaging Voice Mail messages directly on my phone, not at least without dialing into Outlook Voice Access to retrieve the message.  
In Exchange 2007 the embedded audio file was displayed on the iPhone as an attached .WMA file, which is an audio codec the device cannot natively handle.  This is one of the major disadvantages to no longer using a Windows Mobile device: a depreciated mobile messaging experience with Exchange Server.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_4_76D22DCB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_thumb_1_76D22DCB.png" width=204 height=304&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;But once we moved my mailbox over to an Exchange 2010 server and upgraded the Unified Messaging Server then the first voice mail message I received showed two important changes.  First, I already know about the Voice Mail Preview feature which performs speech-to-text conversion on the message, and I was happy to know that I could then at least read the preview on my iPhone.  But what I didn’t expect is that the audio file itself would now be playable on my phone.  
I could immediately tell from the QuickTime icon that the attached file was now in a format the phone could natively understand.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_8_76D22DCB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_thumb_3_76D22DCB.png" width=204 height=304&gt;&lt;/a&gt;       &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_10_76D22DCB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/83/image_thumb_4_76D22DCB.png" width=204 height=304&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The Exchange Server 2010 &lt;a href="http://technet.microsoft.com/en-us/library/aa996342.aspx"&gt;documentation&lt;/a&gt; states the new default codec for messages created by a UM Dial Plan is MP3.  Among the other supported codecs WMA is still a configurable option, but with MP3 as the default a wider range of devices and systems is supported.&lt;/p&gt;&lt;/div&gt;</description><author>Jeff Schertz</author><link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=83</link><description /><pubDate>2010-01-05 16:26:04</pubDate></item><item><id>33</id><title>Exchange 2010 Play-on-Phone</title><body>&lt;div class=ExternalClass67314952A74B4CB8B4B9B07C79C3638F&gt;&lt;p&gt;This is just a quick heads up on the Play-on-Phone feature in Exchange 2010. I was testing several of the new UM features in my lab and one that had me scratching my head was Play-on-Phone which allows a UM user to play messages at their internal extension or any number they choose, providing the dialing rules and policies are in place to allow that. 
This is a useful feature for connections that might not provide audio functions, such as a kiosk or corporate desktop. This is also useful when privacy is needed. Users can simply click on the button and dial their internal or external extension and have the messages played over the phone.&lt;/p&gt; &lt;p&gt;In Exchange 2007 OWA, for example, you would normally see the Play-on-Phone button located at the top of the preview pane and would simply click on this button to initiate dialing a number. Well, in Exchange 2010 things have changed slightly. Aside from the virtual UnifiedMessaging directory being deprecated in 2010 in lieu of the EWS virtual directory, the Play-on-Phone feature only seems to be available when you open the message instead of just previewing it. I confirmed this with another professional who also saw this behavior in their lab. This seems to only affect OWA clients. The fat Outlook client still displays the Play-on-Phone in the preview window.&lt;/p&gt; &lt;p&gt;In the OWA preview pane there is no more Play-on-Phone button available.&lt;/p&gt; &lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/33/UMVoicemail1_2_2694EAAB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=UM-Voicemail1 border=0 alt=UM-Voicemail1 src="/Blogs/enger_erik/Lists/Posts/Attachments/33/UMVoicemail1_thumb_2694EAAB.png" width=521 height=491&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Opening the message in OWA reveals the Play-on-Phone button.&lt;/p&gt; &lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/33/UMVoicemail2_2_2694EAAB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=UM-Voicemail2 border=0 alt=UM-Voicemail2 src="/Blogs/enger_erik/Lists/Posts/Attachments/33/UMVoicemail2_thumb_2694EAAB.png" width=667 height=537&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;I don’t know how many people may be used to this particular feature but I thought it 
might be useful to know that administrators and support staff may need to update their instructions and notify users of this cosmetic change for OWA users. I’m not quite sure why MS decided to make this change but perhaps this was by popular demand as do some of their feature enhancements that make their way into final release of the product.&lt;/p&gt; &lt;p&gt;&lt;/p&gt; &lt;p&gt;There are quite a few great new features in Exchange 2010 UM like call answering rules, rights management for voicemail messages and voicemail message preview. One note about voicemail preview is that if the voice connection isn’t clear or Exchange doesn’t quite understand the words spoken in the message, the preview text can be incorrect and potentially confusing or even embarrassing. My test message in the voicemail sample above was supposed to read, “Hi Ryan, it’s Erik. Give me a call.” Not a major problem considering this was a test but far from the message I left.&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass67314952A74B4CB8B4B9B07C79C3638F&gt;&lt;p&gt;This is just a quick heads up on the Play-on-Phone feature in Exchange 2010. I was testing several of the new UM features in my lab and one that had me scratching my head was Play-on-Phone which allows a UM user to play messages at their internal extension or any number they choose, providing the dialing rules and policies are in place to allow that. This is a useful feature for connections that might not provide audio functions, such as a kiosk or corporate desktop. This is also useful when privacy is needed. Users can simply click on the button and dial their internal or external extension and have the messages played over the phone.&lt;/p&gt; &lt;p&gt;In Exchange 2007 OWA, for example, you would normally see the Play-on-Phone button located at the top of the preview pane and would simply click on this button to initiate dialing a number. Well, in Exchange 2010 things have changed slightly. 
Aside from the virtual UnifiedMessaging directory being deprecated in 2010 in lieu of the EWS virtual directory, the Play-on-Phone feature only seems to be available when you open the message instead of just previewing it. I confirmed this with another professional who also saw this behavior in their lab. This seems to only affect OWA clients. The fat Outlook client still displays the Play-on-Phone in the preview window.&lt;/p&gt; &lt;p&gt;In the OWA preview pane there is no more Play-on-Phone button available.&lt;/p&gt; &lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/33/UMVoicemail1_2_2694EAAB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=UM-Voicemail1 border=0 alt=UM-Voicemail1 src="/Blogs/enger_erik/Lists/Posts/Attachments/33/UMVoicemail1_thumb_2694EAAB.png" width=521 height=491&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Opening the message in OWA reveals the Play-on-Phone button.&lt;/p&gt; &lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/33/UMVoicemail2_2_2694EAAB.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=UM-Voicemail2 border=0 alt=UM-Voicemail2 src="/Blogs/enger_erik/Lists/Posts/Attachments/33/UMVoicemail2_thumb_2694EAAB.png" width=667 height=537&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;I don’t know how many people may be used to this particular feature but I thought it might be useful to know that administrators and support staff may need to update their instructions and notify users of this cosmetic change for OWA users. I’m not quite sure why MS decided to make this change but perhaps this was by popular demand as do some of their feature enhancements that make their way into final release of the product.&lt;/p&gt; &lt;p&gt;&lt;/p&gt; &lt;p&gt;There are quite a few great new features in Exchange 2010 UM like call answering rules, rights management for voicemail messages and voicemail message preview. 
One note about voicemail preview is that if the voice connection isn’t clear or Exchange doesn’t quite understand the words spoken in the message, the preview text can be incorrect and potentially confusing or even embarrassing. My test message in the voicemail sample above was supposed to read, “Hi Ryan, it’s Erik. Give me a call.” Not a major problem considering this was a test but far from the message I left.&lt;/p&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=33</link><description /><pubDate>2009-12-28 23:35:17</pubDate></item><item><id>32</id><title>Exchange 2010 Federation (well, half-way there for now)</title><body>&lt;div class=ExternalClassB2E1346DE9A046F78ED5604375C45B1B&gt;&lt;p&gt;Federation is certainly a welcome and interesting feature in Exchange 2010. Being able to share calendar information with other organizations will greatly improve collaboration efforts, especially with shops leveraging both on-premise and Exchange Online services for their information workers. There is a modest amount of information on this feature and how to set it up in the form of TechNet &lt;a href="http://technet.microsoft.com/en-us/library/dd335047.aspx" target="_blank"&gt;articles&lt;/a&gt;, &lt;a href="http://blogs.technet.com/ucedsg/archive/2009/10/28/exchange-2010-federation-part-i.aspx" target="_blank"&gt;blogs&lt;/a&gt; and even a &lt;a href="http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&amp;amp;EventID=1032416725&amp;amp;CountryCode=US" target="_blank"&gt;webcast&lt;/a&gt;. I read through the available material and webcast and set out to try and demo this feature for this blog, but ran into a roadblock.&lt;/p&gt; &lt;p&gt;The roadblock I’m referring to has to do with certificates. 
After reading through the TechNet article you’ll find a link to the &lt;a href="http://technet.microsoft.com/en-us/library/ee332350.aspx" target="_blank"&gt;CAs you can use for Federation&lt;/a&gt;.&lt;/p&gt; &lt;table border=1 cellspacing=0 cellpadding=2 width=776&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;&lt;strong&gt;CA Certificate Friendly Name&lt;/strong&gt;&lt;/td&gt; &lt;td valign=top width=445&gt;&lt;strong&gt;Thumbprint&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Comodo&lt;/td&gt; &lt;td valign=top width=445&gt;NA&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Digicert Global Root CA&lt;/td&gt; &lt;td valign=top width=445&gt;083B:E056:9042:46B1:A175:6AC9:5991:C74A&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Digicert High Assurance EV Root CA&lt;/td&gt; &lt;td valign=top width=445&gt;91 8d a5 e4 99 c1 5f 7c 62 75 b1 24 fe de 53 35 7c 34 bd 36&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Entrust.net CA (2048)&lt;/td&gt; &lt;td valign=top width=445&gt;801D 62D0 7B44 9D5C 5C03 5C98 EA61 FA44 3C2A 58FE&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Entrust Secure Server CA&lt;/td&gt; &lt;td valign=top width=445&gt;99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Go Daddy Secure Certification Authority&lt;/td&gt; &lt;td valign=top width=445&gt;‎7c46 56c3 061f 7f4c 0d67 b319 a855 f60e bc11 fc44&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;p&gt;After going through the steps in the articles to get this set up I was hit with this error in the New Federation Trust wizard.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;“&lt;strong&gt;InvalidManagementCertificate: Certificate not valid for this operation&lt;/strong&gt;”&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;I was baffled by this one. Everything checked out with my certificate according to the information below. 
What was wrong?&lt;/p&gt; &lt;p&gt;&lt;strong&gt; Certificate Requirements for Federation &lt;/strong&gt; &lt;p&gt;To establish a federation trust, you must procure and install an X.509 certificate on the Exchange 2010 server used to create the trust. The certificate is used only to sign and encrypt delegation tokens. The certificate must meet the following requirements: &lt;ul&gt; &lt;li&gt;&lt;strong&gt;Trusted certification authority&lt;/strong&gt;   The certificate must be signed by a trusted certification authority (CA). For a list of trusted CAs, see &lt;a href="http://technet.microsoft.com/en-us/library/ee332350.aspx"&gt;Trusted Root Certification Authorities for Federation Trusts&lt;/a&gt;. &lt;li&gt;&lt;strong&gt;Subject key identifier&lt;/strong&gt;   The certificate must have a subject key identifier field. Most X.509 certificates issued by commercial certification authorities have a subject key identifier. &lt;li&gt;&lt;strong&gt;CryptoAPI cryptographic service provider (CSP)&lt;/strong&gt;   The certificate must use a CryptoAPI CSP. Certificates that use Cryptography Next Generation (CNG) providers aren't supported for federation. If you use Exchange to create a certificate request, a CryptoAPI provider is used. For more information, see &lt;a href="http://msdn.microsoft.com/en-us/library/aa376210(VS.85).aspx"&gt;Cryptography&lt;/a&gt;. &lt;li&gt;&lt;strong&gt;RSA signature algorithm&lt;/strong&gt;   The certificate must use RSA as the signature algorithm. &lt;li&gt;&lt;strong&gt;Exportable private key&lt;/strong&gt;   The private key used to generate the certificate must be exportable. You can specify that the private key of a certificate be exportable when you create the certificate request using the New Certificate wizard in the EMC, or the &lt;a href="http://technet.microsoft.com/en-us/library/aa998327.aspx"&gt;New-ExchangeCertificate&lt;/a&gt; cmdlet in the Shell. 
&lt;li&gt;&lt;strong&gt;Current certificate&lt;/strong&gt;   The certificate must be current. You can't use an expired or revoked certificate to create a federation trust. &lt;li&gt;&lt;strong&gt;Enhanced key usage&lt;/strong&gt;   The certificate must include the enhanced key usage (EKU) type &lt;strong&gt;Client Authentication (1.3.6.1.5.5.7.3.2)&lt;/strong&gt;. This usage type is intended for the purpose of proving your identity to a remote computer. If you use Exchange tools to generate the certificate request, this usage type is included by default.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;I tried a couple other things thinking it was something wrong with my Exchange setup, firewall, etc. Finally I started searching for similar issues on blogs and forums. There was nothing so I decided to post on the Exchange 2010 forum hoping someone has seen this. I did get a rather quick response and after a couple of exchanges I was presented with this &lt;a href="http://msdn.microsoft.com/en-us/library/cc287610.aspx" target="_blank"&gt;list of CAs that can be used for federation posted on the MSDN site&lt;/a&gt;.&lt;/p&gt; &lt;table border=1 cellspacing=0 cellpadding=2 width=400&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;&lt;strong&gt;CA Certificate Friendly Name&lt;/strong&gt;&lt;/td&gt; &lt;td valign=top width=200&gt;&lt;strong&gt;Issued To&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;Entrust&lt;/td&gt; &lt;td valign=top width=200&gt;Entrust.net Secure Server Certification Authority&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;Go Daddy&lt;/td&gt; &lt;td valign=top width=200&gt;Go Daddy Class 2 Certification Authority&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;Network Solutions&lt;/td&gt; &lt;td valign=top width=200&gt;Network Solutions Certification Authority&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;VeriSign&lt;/td&gt; &lt;td valign=top 
width=200&gt;Class 3 Public Primary Certification Authority&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;VeriSign&lt;/td&gt; &lt;td valign=top width=200&gt;VeriSign Trust Network &lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;VeriSign&lt;/td&gt; &lt;td valign=top width=200&gt;VeriSign Class 3 Public Primary Certification Authority - G5&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;As you can see, quite different. I decided to take a chance and purchased one of the certs from a CA on the MSDN list. This worked! Although I had to go to the time and expense of getting another cert I was at least able to establish federation with the MFG (Microsoft Federation Gateway). This is frustrating to find out this was the problem all along due to some contradictory information posted by Microsoft. My hope, however, is that more CAs will be added to the working list so customers like me don’t have to purchase new ones just to prove a point.&lt;/p&gt; &lt;p&gt;So now, you’ve been warned! :-)&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassB2E1346DE9A046F78ED5604375C45B1B&gt;&lt;p&gt;Federation is certainly a welcome and interesting feature in Exchange 2010. Being able to share calendar information with other organizations will greatly improve collaboration efforts, especially with shops leveraging both on-premise and Exchange Online services for their information workers. 
There is a modest amount of information on this feature and how to set it up in the form of TechNet &lt;a href="http://technet.microsoft.com/en-us/library/dd335047.aspx" target="_blank"&gt;articles&lt;/a&gt;, &lt;a href="http://blogs.technet.com/ucedsg/archive/2009/10/28/exchange-2010-federation-part-i.aspx" target="_blank"&gt;blogs&lt;/a&gt; and even a &lt;a href="http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&amp;amp;EventID=1032416725&amp;amp;CountryCode=US" target="_blank"&gt;webcast&lt;/a&gt;. I read through the available material and webcast and set out to try and demo this feature for this blog, but ran into a roadblock.&lt;/p&gt; &lt;p&gt;The roadblock I’m referring to has to do with certificates. After reading through the TechNet article you’ll find a link to the &lt;a href="http://technet.microsoft.com/en-us/library/ee332350.aspx" target="_blank"&gt;CAs you can use for Federation&lt;/a&gt;.&lt;/p&gt; &lt;table border=1 cellspacing=0 cellpadding=2 width=776&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;&lt;strong&gt;CA Certificate Friendly Name&lt;/strong&gt;&lt;/td&gt; &lt;td valign=top width=445&gt;&lt;strong&gt;Thumbprint&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Comodo&lt;/td&gt; &lt;td valign=top width=445&gt;NA&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Digicert Global Root CA&lt;/td&gt; &lt;td valign=top width=445&gt;083B:E056:9042:46B1:A175:6AC9:5991:C74A&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Digicert High Assurance EV Root CA&lt;/td&gt; &lt;td valign=top width=445&gt;91 8d a5 e4 99 c1 5f 7c 62 75 b1 24 fe de 53 35 7c 34 bd 36&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Entrust.net CA (2048)&lt;/td&gt; &lt;td valign=top width=445&gt;801D 62D0 7B44 9D5C 5C03 5C98 EA61 FA44 3C2A 58FE&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Entrust Secure Server CA&lt;/td&gt; &lt;td valign=top 
width=445&gt;99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=329&gt;Go Daddy Secure Certification Authority&lt;/td&gt; &lt;td valign=top width=445&gt;‎7c46 56c3 061f 7f4c 0d67 b319 a855 f60e bc11 fc44&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;p&gt;After going through the steps in the articles to get this set up I was hit with this error in the New Federation Trust wizard.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;“&lt;strong&gt;InvalidManagementCertificate: Certificate not valid for this operation&lt;/strong&gt;”&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;I was baffled by this one. Everything checked out with my certificate according to the information below. What was wrong?&lt;/p&gt; &lt;p&gt;&lt;strong&gt; Certificate Requirements for Federation &lt;/strong&gt; &lt;p&gt;To establish a federation trust, you must procure and install an X.509 certificate on the Exchange 2010 server used to create the trust. The certificate is used only to sign and encrypt delegation tokens. The certificate must meet the following requirements: &lt;ul&gt; &lt;li&gt;&lt;strong&gt;Trusted certification authority&lt;/strong&gt;   The certificate must be signed by a trusted certification authority (CA). For a list of trusted CAs, see &lt;a href="http://technet.microsoft.com/en-us/library/ee332350.aspx"&gt;Trusted Root Certification Authorities for Federation Trusts&lt;/a&gt;. &lt;li&gt;&lt;strong&gt;Subject key identifier&lt;/strong&gt;   The certificate must have a subject key identifier field. Most X.509 certificates issued by commercial certification authorities have a subject key identifier. &lt;li&gt;&lt;strong&gt;CryptoAPI cryptographic service provider (CSP)&lt;/strong&gt;   The certificate must use a CryptoAPI CSP. Certificates that use Cryptography Next Generation (CNG) providers aren't supported for federation. If you use Exchange to create a certificate request, a CryptoAPI provider is used. 
For more information, see &lt;a href="http://msdn.microsoft.com/en-us/library/aa376210(VS.85).aspx"&gt;Cryptography&lt;/a&gt;. &lt;li&gt;&lt;strong&gt;RSA signature algorithm&lt;/strong&gt;   The certificate must use RSA as the signature algorithm. &lt;li&gt;&lt;strong&gt;Exportable private key&lt;/strong&gt;   The private key used to generate the certificate must be exportable. You can specify that the private key of a certificate be exportable when you create the certificate request using the New Certificate wizard in the EMC, or the &lt;a href="http://technet.microsoft.com/en-us/library/aa998327.aspx"&gt;New-ExchangeCertificate&lt;/a&gt; cmdlet in the Shell. &lt;li&gt;&lt;strong&gt;Current certificate&lt;/strong&gt;   The certificate must be current. You can't use an expired or revoked certificate to create a federation trust. &lt;li&gt;&lt;strong&gt;Enhanced key usage&lt;/strong&gt;   The certificate must include the enhanced key usage (EKU) type &lt;strong&gt;Client Authentication (1.3.6.1.5.5.7.3.2)&lt;/strong&gt;. This usage type is intended for the purpose of proving your identity to a remote computer. If you use Exchange tools to generate the certificate request, this usage type is included by default.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;I tried a couple other things thinking it was something wrong with my Exchange setup, firewall, etc. Finally I started searching for similar issues on blogs and forums. There was nothing so I decided to post on the Exchange 2010 forum hoping someone has seen this. 
I did get a rather quick response and after a couple of exchanges I was presented with this &lt;a href="http://msdn.microsoft.com/en-us/library/cc287610.aspx" target="_blank"&gt;list of CAs that can be used for federation posted on the MSDN site&lt;/a&gt;.&lt;/p&gt; &lt;table border=1 cellspacing=0 cellpadding=2 width=400&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;&lt;strong&gt;CA Certificate Friendly Name&lt;/strong&gt;&lt;/td&gt; &lt;td valign=top width=200&gt;&lt;strong&gt;Issued To&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;Entrust&lt;/td&gt; &lt;td valign=top width=200&gt;Entrust.net Secure Server Certification Authority&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;Go Daddy&lt;/td&gt; &lt;td valign=top width=200&gt;Go Daddy Class 2 Certification Authority&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;Network Solutions&lt;/td&gt; &lt;td valign=top width=200&gt;Network Solutions Certification Authority&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;VeriSign&lt;/td&gt; &lt;td valign=top width=200&gt;Class 3 Public Primary Certification Authority&lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;VeriSign&lt;/td&gt; &lt;td valign=top width=200&gt;VeriSign Trust Network &lt;/td&gt;&lt;/tr&gt; &lt;tr&gt; &lt;td valign=top width=200&gt;VeriSign&lt;/td&gt; &lt;td valign=top width=200&gt;VeriSign Class 3 Public Primary Certification Authority - G5&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt; &lt;p&gt; &lt;/p&gt; &lt;p&gt;As you can see, quite different. I decided to take a chance and purchased one of the certs from a CA on the MSDN list. This worked! Although I had to go to the time and expense of getting another cert I was at least able to establish federation with the MFG (Microsoft Federation Gateway). This is frustrating to find out this was the problem all along due to some contradictory information posted by Microsoft. 
My hope, however, is that more CAs will be added to the working list so customers like me don’t have to purchase new ones just to prove a point.&lt;/p&gt; &lt;p&gt;So now, you’ve been warned! :-)&lt;/p&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=32</link><description /><pubDate>2009-12-17 10:11:48</pubDate></item><item><id>31</id><title>Exchange 2010 Multi-Mailbox Searching</title><body>&lt;div class=ExternalClass826A24B9F97F44B6ACD3C5AC7F259614&gt;
&lt;p&gt;One of the improved features in Exchange 2010 is multi-mailbox searching. While you could do this to a degree in Exchange 2007, it usually required too many rights to delegate it to a compliance officer, and the searches had to be run from PowerShell. As a result it was often problematic for the user to perform these searches on their own and too burdensome for the administrator to do it on behalf of the user. The normal Exchange search you’re used to doing is still available in case of other requirements like removing an email from everyone’s mailbox (e.g. virus, inappropriate content, etc.). This blog focuses on the e-discovery aspect in Exchange 2010.&lt;/p&gt;
&lt;p&gt;In 2010 things are much improved when it comes to e-discovery. With Microsoft’s use of RBAC in 2010 you can delegate this control rather easily. Adding someone to the new Discovery Management group is all it takes to get started.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch1_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch1 border=0 alt=DiscoverySearch1 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch1_thumb_4D71B293.png" width=827 height=620&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;You also want to think about the target mailbox for these searches. Typically you’ll want to use dedicated mailboxes, and even dedicated databases if you’re a large company, for this type of activity. A copy of each message matching your search criteria will end up in this mailbox, even if only temporarily, so make sure you have enough resources available to store this data. For this example I’ll be using the default search mailbox that’s created when installing Exchange 2010. You’ll want to delegate control of this mailbox to the compliance officer so they will be able to open the mailbox and view the collected data.&lt;/p&gt;
&lt;p&gt;The delegated individual accesses the multi-mailbox search by opening OWA and clicking on the Options button in the upper right corner.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch2_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch2 border=0 alt=DiscoverySearch2 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch2_thumb_4D71B293.png" width=361 height=166&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;This brings up the new Exchange Control Panel (ECP) in which you can perform a host of operations previously unavailable in 2007. For now we’ll focus on the e-discovery stuff. Once in the control panel, select “My Organization” from the “Select what to manage” drop-down box.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch3_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch3 border=0 alt=DiscoverySearch3 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch3_thumb_4D71B293.png" width=360 height=228&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;This brings up another set of tabs for managing users, groups and reporting. For now, select the Reporting tab and click New… to create a new search.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch4_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch4 border=0 alt=DiscoverySearch4 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch4_thumb_4D71B293.png" width=570 height=261&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;This pops up another window allowing you to define your search criteria. At a minimum you’ll need to define your search name, mailbox scope and target mailbox. In practice you are going to want to narrow your search considerably to avoid unnecessarily long searches, which might not give you what you want and which overburden the system. For my test I entered some keywords to look for in the emails. I also turned on logging and the option to send you an email for additional information. Once you’re happy with the search, click on Save.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch6_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch6 border=0 alt=DiscoverySearch6 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch6_thumb_4D71B293.png" width=376 height=963&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;The search immediately begins and you can see the progress in the search window.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch7_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch7 border=0 alt=DiscoverySearch7 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch7_thumb_4D71B293.png" width=827 height=562&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;When your search has completed, you’ll receive an email similar to this one. Notice that the search partially succeeded. This is due to some of the mailboxes being on an Exchange 2007 database. If you click on the hyperlink in the message it will open the target discovery mailbox in an OWA window. You could also open the target mailbox in Outlook if that is preferred.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch9_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch9 border=0 alt=DiscoverySearch9 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch9_thumb_4D71B293.png" width=827 height=563&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;From here you’ll be able to view the messages collected. Expand the folders to drill down and view the messages found in your search. You’ll be able to act on these messages to further filter, categorize and narrow down your search to end up with only the ones you want.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/image_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/enger_erik/Lists/Posts/Attachments/31/image_thumb_38803020.png" width=827 height=306&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;When you’re finished with your search and want to remove it from your saved searches, please note that this will also remove the collected messages from the target discovery search mailbox. You will receive this warning if you attempt this.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch13_2_38803020.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch13 border=0 alt=DiscoverySearch13 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch13_thumb_38803020.png" width=485 height=188&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;While the e-discovery search feature in Exchange 2010 may not be as robust as some third party products it is still a nice alternative to having nothing at all and it’s much better than it was in 2007.&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass826A24B9F97F44B6ACD3C5AC7F259614&gt;
&lt;p&gt;One of the improved features in Exchange 2010 is multi-mailbox searching. While you could do this to a degree in Exchange 2007, it usually required too many rights to delegate it to a compliance officer, and the searches had to be run from PowerShell. As a result it was often problematic for the user to perform these searches on their own and too burdensome for the administrator to do it on behalf of the user. The normal Exchange search you’re used to doing is still available in case of other requirements like removing an email from everyone’s mailbox (e.g. virus, inappropriate content, etc.). This blog focuses on the e-discovery aspect in Exchange 2010.&lt;/p&gt;
&lt;p&gt;In 2010 things are much improved when it comes to e-discovery. With Microsoft’s use of RBAC in 2010 you can delegate this control rather easily. Adding someone to the new Discovery Management group is all it takes to get started.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch1_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch1 border=0 alt=DiscoverySearch1 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch1_thumb_4D71B293.png" width=827 height=620&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;You also want to think about the target mailbox for these searches. Typically you’ll want to use dedicated mailboxes, and even dedicated databases if you’re a large company, for this type of activity. A copy of each message matching your search criteria will end up in this mailbox, even if only temporarily, so make sure you have enough resources available to store this data. For this example I’ll be using the default search mailbox that’s created when installing Exchange 2010. You’ll want to delegate control of this mailbox to the compliance officer so they will be able to open the mailbox and view the collected data.&lt;/p&gt;
&lt;p&gt;The delegated individual accesses the multi-mailbox search by opening OWA and clicking on the Options button in the upper right corner.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch2_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch2 border=0 alt=DiscoverySearch2 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch2_thumb_4D71B293.png" width=361 height=166&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;This brings up the new Exchange Control Panel (ECP) in which you can perform a host of operations previously unavailable in 2007. For now we’ll focus on the e-discovery stuff. Once in the control panel, select “My Organization” from the “Select what to manage” drop-down box.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch3_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch3 border=0 alt=DiscoverySearch3 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch3_thumb_4D71B293.png" width=360 height=228&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;This brings up another set of tabs for managing users, groups and reporting. For now, select the Reporting tab and click New… to create a new search.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch4_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch4 border=0 alt=DiscoverySearch4 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch4_thumb_4D71B293.png" width=570 height=261&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;This pops up another window allowing you to define your search criteria. At a minimum you’ll need to define your search name, mailbox scope and target mailbox. In practice you are going to want to narrow your search considerably to avoid unnecessarily long searches, which might not give you what you want and which overburden the system. For my test I entered some keywords to look for in the emails. I also turned on logging and the option to send you an email for additional information. Once you’re happy with the search, click on Save.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch6_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch6 border=0 alt=DiscoverySearch6 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch6_thumb_4D71B293.png" width=376 height=963&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;The search immediately begins and you can see the progress in the search window.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch7_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch7 border=0 alt=DiscoverySearch7 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch7_thumb_4D71B293.png" width=827 height=562&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;When your search has completed, you’ll receive an email similar to this one. Notice that the search partially succeeded. This is due to some of the mailboxes being on an Exchange 2007 database. If you click on the hyperlink in the message it will open the target discovery mailbox in an OWA window. You could also open the target mailbox in Outlook if that is preferred.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch9_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch9 border=0 alt=DiscoverySearch9 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch9_thumb_4D71B293.png" width=827 height=563&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;From here you’ll be able to view the messages collected. Expand the folders to drill down and view the messages found in your search. You’ll be able to act on these messages to further filter, categorize and narrow down your search to end up with only the ones you want.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/image_2_4D71B293.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=image border=0 alt=image src="/Blogs/enger_erik/Lists/Posts/Attachments/31/image_thumb_38803020.png" width=827 height=306&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;When you’re finished with your search and want to remove it from your saved searches, please note that this will also remove the collected messages from the target discovery search mailbox. You will receive this warning if you attempt this.&lt;/p&gt;
&lt;p&gt;&lt;a href="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch13_2_38803020.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;display:inline;border-top:0px;border-right:0px" title=DiscoverySearch13 border=0 alt=DiscoverySearch13 src="/Blogs/enger_erik/Lists/Posts/Attachments/31/DiscoverySearch13_thumb_38803020.png" width=485 height=188&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;While the e-discovery search feature in Exchange 2010 may not be as robust as some third party products it is still a nice alternative to having nothing at all and it’s much better than it was in 2007.&lt;/p&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=31</link><description /><pubDate>2009-12-15 16:36:00</pubDate></item><item><id>30</id><title>Mass password resets in BPOS</title><body>&lt;div class=ExternalClassB92AACD9BDA84976BBCC2747CE26C1C3&gt;&lt;p&gt;Following on from mass BPOS account activations you can now perform mass password resets with the latest &lt;b&gt;Microsoft Online Services Migration Tools&lt;/b&gt;. The PowerShell script below will read in a list of BPOS accounts and reset the password. The two fields you need in the CSV file are the email address and desired password. See the &lt;a href="http://www.microsoft.com/resources/Technet/en-us/MSOnline/bpos/html/9b956f53-9c10-464b-942a-06a4fa9b04c2.htm"&gt;BPOS password requirements&lt;/a&gt; before establishing a new password. In the script below you can choose not to force the user to change the password you assign to them by changing the value of “&lt;b&gt;-ChangePasswordOnNextLogon:$true&lt;/b&gt;” to “&lt;b&gt;-ChangePasswordOnNextLogon:$false&lt;/b&gt;”.  &lt;p&gt;To run this you must have admin privileges in BPOS and you must have the MSOL Migration Tools installed locally. Save this text with a PowerShell extension (i.e. massPwdChg.ps1) and open a Migration Command Shell and run the command by typing “&lt;b&gt;.\massPwdChg.ps1&lt;/b&gt;”. Make sure the paths in the script exist or change them to suit your needs (i.e. “&lt;b&gt;C:\Migration&lt;/b&gt;” and “&lt;b&gt;C:\Migration\ScriptLogs&lt;/b&gt;”). The input file is assumed to be &lt;b&gt;massPwdChg.csv&lt;/b&gt;.  
&lt;p&gt;Here’s a sample CSV file format:  &lt;p&gt;name,mail,passwd&lt;br&gt;"Test Account",Testaccount@contoso.com,P@ssw0rd  &lt;div id=codeSnippetWrapper&gt; &lt;div style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px" id=codeSnippet&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# &lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 
2009&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# &lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# NAME: massPwdChg.ps1&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# &lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# AUTHOR: Erik Enger , PointBridge&lt;/span&gt;&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# DATE  : 11/03/2009&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# &lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# COMMENT: Use this script to perform a mass password change of BPOS accounts&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#&lt;/span&gt;&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Note: This script requires the Microsoft Exchange Transporter snapin&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Modify the default PowerShell profile to add the Quest Snap-In&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#        c:\windows\system32\windowspowershell\v1.0\profile.ps1&lt;/span&gt;&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#        add-pssnapin Microsoft.Exchange.Transporter&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# ==============================================================================================&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;cls&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Get the login ID for the BPOS admin account&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;write-host &lt;span style="color:#006080"&gt;'Enter the username for the MS Exchange Online admin (i.e. admin@contoso.com): '&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$bposlogin = Read-Host&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, 
monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Get the password for the BPOS admin account in a secure fashion (display * for password)&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;write-host &lt;span style="color:#006080"&gt;'Enter the password for the MS Exchange Online admin (i.e. admin@contoso.com): '&lt;/span&gt; -foregroundcolor yellow -BackgroundColor darkmagenta&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$bpospwd = read-host -assecurestring&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Write-Host&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, 
monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Form the BPOS encrypted credential information and store it in a variable to be passed to upcoming commands&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$bposcred = new-object -typename System.Management.Automation.PSCredential -argumentlist $bposlogin, $bpospwd&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Write-Host&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;write-host &lt;span style="color:#006080"&gt;&amp;quot;`n`n`n&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#006080"&gt;&amp;quot;************************************************************************************************&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, 
monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;import-csv c:\migration\massPwdChg.csv | &lt;span style="color:#0000ff"&gt;foreach&lt;/span&gt; {&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;## Start a Transcript&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$file=&lt;span style="color:#006080"&gt;&amp;quot;C:\Migration\ScriptLogs\&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$file+= $_.name +&lt;span style="color:#006080"&gt;&amp;quot;-massPwdChg.log&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#006080"&gt;&amp;quot;************************************************************************************************&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Start-Transcript -Path $file -NoClobber:$false&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Write-Host &lt;span style="color:#006080"&gt;&amp;quot;Resetting BPOS password for:&amp;quot;&lt;/span&gt; $_.name&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Date&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#006080"&gt;&amp;quot;************************************************************************************************&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Set the password and prompt for change on next logon&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Set-MSOnlineUserPassword -Identity $_.mail -Password $_.passwd -ChangePasswordOnNextLogon:$true -Credential $bposcred -Verbose&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;## Stop the log&lt;/span&gt;&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Date&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Stop-Transcript&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#006080"&gt;&amp;quot;************************************************************************************************&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Write-Host `n`n`n&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, 
monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;}&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassB92AACD9BDA84976BBCC2747CE26C1C3&gt;&lt;p&gt;Following on from mass BPOS account activations, you can now perform mass password resets with the latest &lt;b&gt;Microsoft Online Services Migration Tools&lt;/b&gt;. The PowerShell script below reads in a list of BPOS accounts and resets the password for each one. The two fields you need in the CSV file are the email address and desired password. See the &lt;a href="http://www.microsoft.com/resources/Technet/en-us/MSOnline/bpos/html/9b956f53-9c10-464b-942a-06a4fa9b04c2.htm"&gt;BPOS password requirements&lt;/a&gt; before establishing a new password. In the script below, you can choose not to force users to change the password you assign to them by changing the value of “&lt;b&gt;-ChangePasswordOnNextLogon:$true&lt;/b&gt;” to “&lt;b&gt;-ChangePasswordOnNextLogon:$false&lt;/b&gt;”.  &lt;p&gt;To run this you must have admin privileges in BPOS and the MSOL Migration Tools installed locally. Save the script text with a PowerShell extension (e.g. massPwdChg.ps1), open a Migration Command Shell, and run it by typing “&lt;b&gt;.\massPwdChg.ps1&lt;/b&gt;”. Make sure the paths in the script exist, or change them to suit your needs (i.e. “&lt;b&gt;C:\Migration&lt;/b&gt;” and “&lt;b&gt;C:\Migration\ScriptLogs&lt;/b&gt;”). The input file is assumed to be &lt;b&gt;massPwdChg.csv&lt;/b&gt;.  
&lt;p&gt;Here’s a sample CSV file format:  &lt;p&gt;name,mail,passwd&lt;br&gt;&amp;quot;Test Account&amp;quot;,Testaccount@contoso.com,P@ssw0rd  &lt;div id=codeSnippetWrapper&gt; &lt;div style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px" id=codeSnippet&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# &lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 
2009&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# &lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# NAME: massPwdChg.ps1&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# &lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# AUTHOR: Erik Enger , PointBridge&lt;/span&gt;&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# DATE  : 11/03/2009&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# &lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# COMMENT: Use this script to perform a mass password change of BPOS accounts&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#&lt;/span&gt;&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Note: This script requires the Microsoft Exchange Transporter snap-in&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Modify the default PowerShell profile to add the Transporter snap-in&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#        c:\windows\system32\windowspowershell\v1.0\profile.ps1&lt;/span&gt;&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;#        add-pssnapin Microsoft.Exchange.Transporter&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# ==============================================================================================&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;cls&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Get the login ID for the BPOS admin account&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;write-host &lt;span style="color:#006080"&gt;'Enter the username for the MS Exchange Online admin (i.e. admin@contoso.com): '&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$bposlogin = Read-Host&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, 
monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Get the password for the BPOS admin account in a secure fashion (display * for password)&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;write-host &lt;span style="color:#006080"&gt;'Enter the password for the MS Exchange Online admin (i.e. admin@contoso.com): '&lt;/span&gt; -foregroundcolor yellow -BackgroundColor darkmagenta&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$bpospwd = read-host -assecurestring&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Write-Host&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, 
monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;# Form the BPOS encrypted credential information and store it in a variable to be passed to upcoming commands&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$bposcred = new-object -typename System.Management.Automation.PSCredential -argumentlist $bposlogin, $bpospwd&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Write-Host&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;write-host &lt;span style="color:#006080"&gt;&amp;quot;`n`n`n&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#006080"&gt;&amp;quot;************************************************************************************************&amp;quot;&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, 
monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;import-csv c:\migration\massPwdChg.csv | &lt;span style="color:#0000ff"&gt;foreach&lt;/span&gt; {&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt; &lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&lt;span style="color:#008000"&gt;## Start a Transcript&lt;/span&gt;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$file=&lt;span style="color:#006080"&gt;&amp;quot;C:\Migration\ScriptLogs\&amp;quot;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;$file+= $_.name +&amp;quot;&lt;/span&gt;-massPwdChg.log&lt;span 
style="color:#006080"&gt;&amp;quot;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&amp;quot;&lt;/span&gt;************************************************************************************************&lt;span style="color:#006080"&gt;&amp;quot;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Start-Transcript -Path $file -NoClobber:$false&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Write-Host &amp;quot;&lt;/span&gt;Resetting BPOS password &lt;span style="color:#0000ff"&gt;for&lt;/span&gt;:&lt;span style="color:#006080"&gt;&amp;quot; $_.name&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Date&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&amp;quot;&lt;/span&gt;************************************************************************************************&lt;span style="color:#006080"&gt;&amp;quot;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;# Set the password and prompt for change on next logon&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Set-MSOnlineUserPassword -Identity $_.mail -Password $_.passwd -ChangePasswordOnNextLogon:$true -Credential $bposcred -Verbose&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;## Stop the log&lt;/pre&gt;&lt;pre 
style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Date&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Stop-Transcript&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;&amp;quot;&lt;/span&gt;************************************************************************************************&amp;quot;&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:white;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;Write-Host `n`n`n&lt;/pre&gt;&lt;pre style="border-bottom-style:none;text-align:left;padding-bottom:0px;line-height:12pt;border-right-style:none;background-color:#f4f4f4;margin:0em;padding-left:0px;width:100%;padding-right:0px;font-family:'Courier New', courier, 
monospace;direction:ltr;border-top-style:none;color:black;font-size:8pt;border-left-style:none;overflow:visible;padding-top:0px"&gt;}&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=30</link><description /><pubDate>2009-11-21 09:26:36</pubDate></item><item><id>29</id><title>Mass account activations in BPOS</title><body>&lt;div class=ExternalClassCEE0B707D88A4E8180BEEBB47B7CE08B&gt;&lt;div class=ExternalClassEBA872B0C1E34976AE6B05D2F28BEE8D&gt; &lt;div&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;font size=3 face=Calibri&gt;Bulk account activations are now available with the latest &lt;b&gt;Microsoft Online Services Migration Tools&lt;/b&gt;. If you're like me, performing this in the past was a pain, since you had to activate the accounts through the web portal, which allowed you to activate only a handful of accounts at a time, and collecting the passwords for delivery to the users was excruciating &lt;span style="font-family:'Calibri','sans-serif';color:black;font-size:11pt"&gt;too&lt;/span&gt;. We now have a solution!&lt;/font&gt;&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;font size=3 face=Calibri&gt;The PowerShell script below will read in a list of BPOS accounts and activate them in BPOS. The fields you need in the CSV file are the email address, desired password, location and mailbox size. 
See the &lt;/font&gt;&lt;a href="http://www.microsoft.com/resources/Technet/en-us/MSOnline/bpos/html/9b956f53-9c10-464b-942a-06a4fa9b04c2.htm"&gt;&lt;font size=3 face=Calibri&gt;BPOS password requirements&lt;/font&gt;&lt;/a&gt;&lt;font size=3&gt;&lt;font face=Calibri&gt; before establishing a password.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;font size=3&gt;&lt;font face=Calibri&gt;To run this you must have admin privileges in BPOS and you must have the MSOL Migration Tools installed locally. Save this text with a PowerShell extension (e.g. massActivate.ps1), open a Migration Command Shell, and run the script by typing “&lt;b&gt;.\massActivate.ps1&lt;/b&gt;”. Make sure the paths in the script exist or change them to suit your needs (i.e. “&lt;b&gt;C:\Migration&lt;/b&gt;” and “&lt;b&gt;C:\Migration\ScriptLogs&lt;/b&gt;”). The input file is assumed to be &lt;b&gt;massActivate.csv&lt;/b&gt;. Also, replace the value of the SubscriptionIDs parameter with the ID of your BPOS subscription. 
You can find this value by running this cmdlet:&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;font size=2&gt;&lt;font style="background-color:#d9d9d9" face=Consolas&gt;&lt;font face=Verdana&gt;Get-MSOnlineSubscription&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;font size=3&gt;&lt;font face=Calibri&gt;&lt;/font&gt;&lt;/font&gt; &lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;font size=3 face=Calibri&gt;The script might take a while to complete, depending on the number of accounts you are activating, so please be patient.&lt;/font&gt;&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;font size=3&gt;&lt;font face=Calibri&gt;Here’s a sample CSV file format:&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p style="margin:0in 0in 0pt" class=CodeSamples&gt;&lt;font size=2&gt;&lt;font style="background-color:#d9d9d9"&gt;&lt;font face=Consolas&gt;name,mail,passwd,location,mbxsize&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p style="margin:0in 0in 0pt" class=CodeSamples&gt;&lt;font size=2&gt;&lt;font style="background-color:#d9d9d9"&gt;&lt;font face=Consolas&gt;TestAccount,Testaccount@contoso.com,P@ssw0rd,US,5368709120&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;font size=2&gt;&lt;font style="background-color:#d9d9d9"&gt;&lt;font face=Consolas&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt; &lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;# ==============================================================================================&lt;br&gt;# &lt;br&gt;# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2009&lt;br&gt;# &lt;br&gt;# NAME: massActivate.ps1&lt;br&gt;# &lt;br&gt;# AUTHOR: Erik Enger, PointBridge&lt;br&gt;# DATE  : 11/03/2009&lt;br&gt;# 
&lt;br&gt;# COMMENT: Use this script to mass activate BPOS accounts&lt;br&gt;#&lt;br&gt;# Note: This script requires the Microsoft Exchange Transporter snapin&lt;br&gt;# Modify the default PowerShell profile to add the snap-in&lt;br&gt;#&lt;br&gt;#  c:\windows\system32\windowspowershell\v1.0\profile.ps1&lt;br&gt;#&lt;br&gt;#  add-pssnapin Microsoft.Exchange.Transporter&lt;br&gt;# ==============================================================================================&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;# Get the login ID for the BPOS admin account&lt;br&gt;write-host 'Enter the username for the MS Exchange Online admin (i.e. admin@contoso.com): '&lt;br&gt;$bposlogin = Read-Host&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;# Get the password for the BPOS admin account in a secure fashion (display * for password)&lt;br&gt;cls&lt;br&gt;write-host 'Enter the password for the MS Exchange Online admin (admin@contoso.com): ' -foregroundcolor yellow -BackgroundColor darkmagenta&lt;br&gt;$bpospwd = read-host -assecurestring&lt;br&gt;Write-Host&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;# Form the BPOS encrypted credential information and store it in a variable to be passed to upcoming commands&lt;br&gt;$bposcred = new-object -typename System.Management.Automation.PSCredential -argumentlist $bposlogin, $bpospwd&lt;br&gt;Write-Host&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;write-host &amp;quot;`n`n`n&amp;quot;&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;# Get number of available licenses&lt;br&gt;$totalseats=Get-MSOnlineSubscription -Credential $bposcred&lt;br&gt;$usedseats=Get-MSOnlineSubscription -Credential $bposcred&lt;br&gt;$freeseats=$totalseats.TotalSeats-$usedseats.UsedSeats&lt;br&gt;Write-Host &amp;quot;The number of available seats in your BPOS 
subscription is: &amp;quot; $freeseats&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;# Count number of accounts you're trying to activate in BPOS&lt;br&gt;# @() forces an array so .count is correct even when the CSV has a single row&lt;br&gt;$nCount=@(import-csv c:\migration\massActivate.csv)&lt;br&gt;$licenseCount=$nCount.count&lt;br&gt;Write-Host &amp;quot;You are trying to activate &amp;quot; $licenseCount &amp;quot; new accounts.&amp;quot;&lt;br&gt;$nCount=&amp;quot;&amp;quot;&lt;br&gt;Write-Host `n`n&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;if($licenseCount -gt $freeseats) {&lt;br&gt; Write-Host &amp;quot;You do not have enough free licenses to activate all of the objects in your input file. Please purchase additional licenses or remove objects from the activation list. This script will now exit.&amp;quot; -foregroundcolor red -BackgroundColor darkmagenta&lt;br&gt; exit&lt;br&gt;}&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;# If there are enough free BPOS licenses, prompt the user to continue with activation process&lt;br&gt;# Create choices list&lt;br&gt;$yes = new-Object System.Management.Automation.Host.ChoiceDescription &amp;quot;&amp;amp;Yes&amp;quot;,&amp;quot;&amp;quot;&lt;br&gt;$no = new-Object System.Management.Automation.Host.ChoiceDescription &amp;quot;&amp;amp;No&amp;quot;,&amp;quot;&amp;quot;&lt;br&gt;$choices = [System.Management.Automation.Host.ChoiceDescription[]]($yes,$no)&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;#Now to prompt the user and get a result&lt;br&gt;$caption = &amp;quot;Proceed with mass activation...&amp;quot;&lt;br&gt;$message = &amp;quot;Do you wish to proceed activating these new accounts?&amp;quot;&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;$result = $host.ui.PromptForChoice($caption,$message,$choices,0)&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;if($result -eq 0) {&lt;br&gt; Write-Host &amp;quot;You answered YES. Proceeding with mass activation. 
You will be notified when it's complete.&amp;quot;&lt;br&gt; &amp;quot;************************************************************************************************&amp;quot;&lt;br&gt; &lt;br&gt; import-csv c:\migration\massActivate.csv | foreach {&lt;br&gt; &lt;br&gt; ## Start a Transcript&lt;br&gt; $file=&amp;quot;C:\Migration\ScriptLogs\&amp;quot;&lt;br&gt; $file+= $_.name +&amp;quot;-massActivate.log&amp;quot;&lt;br&gt; &amp;quot;************************************************************************************************&amp;quot;&lt;br&gt; Start-Transcript -Path $file -NoClobber:$false&lt;br&gt; Write-Host &amp;quot;Starting a Migration for:&amp;quot; $_.name&lt;br&gt; Date&lt;br&gt; &amp;quot;************************************************************************************************&amp;quot;&lt;br&gt; Enable-MSOnlineUser -Identity $_.mail -Password $_.passwd -SubscriptionIDs &amp;quot;abcd1234-123a-456b-c789-d123ef0f12e3&amp;quot; -UserLocation $_.location -MailboxQuotaSize:$_.mbxsize -Credential $bposcred -Verbose&lt;br&gt; ## Stop the log&lt;br&gt; Date&lt;br&gt; Stop-Transcript&lt;br&gt; &amp;quot;************************************************************************************************&amp;quot;&lt;br&gt; write-host `n`n`n&lt;br&gt; }&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;br&gt; # Get final number of available licenses&lt;br&gt; $totalseats=Get-MSOnlineSubscription -Credential $bposcred&lt;br&gt; $usedseats=Get-MSOnlineSubscription -Credential $bposcred&lt;br&gt; $freeseats=$totalseats.TotalSeats-$usedseats.UsedSeats&lt;br&gt; Write-Host &amp;quot;Now the number of available seats in your BPOS subscription is: &amp;quot; $freeseats&lt;/p&gt; &lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;}&lt;br&gt;if($result -eq 1) { &lt;br&gt; Write-Host &amp;quot;You answered NO. 
Exiting script now.&amp;quot;&lt;br&gt; exit&lt;br&gt;}&lt;br&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</body><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=29</link><description /><pubDate>2009-11-18 12:39:00</pubDate></item><item><id>26</id><title>Five Reasons to use ISA 2006 to Publish Your Web Applications</title><body>&lt;div class=ExternalClass7AA8FCF6C3E149A684B0933689E1FE19&gt;&lt;p&gt;I work with ISA 2006 on a on and off basis.  Its one of those products we don't necessarily focus on, but we often run into cases where customers need additional security and authentication functionality beyond that which can be (easily) provided in their applications.  More often than not, we find that ISA 2006 turns out to be a great solution to meet these kinds of needs.&lt;/p&gt; &lt;p&gt;That being said, I’ve come to learn in my conversations with customers that there is a general lack of knowledge of the capabilities and benefits ISA 2006 provides, so I thought it would be useful to briefly articulate why one should consider using ISA 2006 to publish any application that requires external access.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;1. Authenticated and Authorized Traffic Only.&lt;/strong&gt;  ISA 2006 can authenticate web traffic &lt;em&gt;before&lt;/em&gt; sending anything to published servers.  Additionally, authenticated connections can be associated to different groups, which in turn can be applied to ISA rules to dictate what the authenticated user can and cannot do.  Again, this is applied before traffic even hits the application.  Ensuring that only authenticated and authorized traffic even gets to your application in the first place adds a great deal of additional security and helps reduce the amount of authentication work your web servers are performing.  
In ISA 2006, this is typically (but not necessarily) implemented using a logon form, which can be customized (branded) to meet a certain look and feel.  If desired, the logon form can even be enhanced to allow for “forgot password” or “new user sign-up” functionality.  By the way, after successfully authenticating, the user’s browser gets a cookie, which is used to link the user’s identity to the session.  This cookie can be configured to be either persistent or have a certain lifetime.  &lt;/p&gt; &lt;p&gt;&lt;strong&gt;2. Single Sign-On (SSO)&lt;/strong&gt;.  Many people don’t realize it, but ISA 2006 is a great tool for SSO.  In many cases, solutions based on SharePoint consist of multiple, distributed applications and web services like SQL Server Reporting Services, each requiring some kind of authentication.  Often, this is presented to the browser using an IFrame or something similar.  More often than not, this results in external users being prompted to authenticate repeatedly.  Not good.  Fortunately, ISA 2006 provides Single Sign-On (SSO) functionality to ensure users need to authenticate only once using the aforementioned logon form.  Subsequent authentication requests from published applications are handled by ISA on behalf of the user via a process known as Delegated Authentication.  From the published servers’ perspective, it appears the user is connected to the internal LAN.  Oh, by the way. You say your application requires Kerberos?  No problem.  ISA 2006 &lt;a href="http://technet.microsoft.com/en-us/library/bb794858.aspx"&gt;fully supports Kerberos constrained delegation&lt;/a&gt;.  We recently set up SSO for a customer using ISA to publish a portal consisting of both SharePoint and a 3rd party dashboard application (single portal – multiple servers) and it worked great.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;3. Link Translation.&lt;/strong&gt;  This will be a short but important one.  
ISA 2006 has built-in support for SharePoint Alternate Access Mapping (AAM) and many more capabilities to provide customized link translation.  Last year, I blogged about &lt;a href="/Blogs/nielsen_travis/Pages/Post.aspx?_ID=16"&gt;some of these capabilities&lt;/a&gt;.  This functionality offers application designers a high amount of control over what end users see in their browsers and offers more opportunities for custom branding.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;4. It's a Darn Good Application Layer Firewall.&lt;/strong&gt;  In the past, there’s been a fair amount of bias against ISA out there in the networking community, partially (I suspect) due to Microsoft’s past track record with security.  However, I’ve been noticing this trend has diminished greatly.  The truth is that ISA 2006, when properly configured, is a very high quality application layer firewall.  In fact, if you look ISA 2006 up on &lt;a href="http://secunia.com/advisories/"&gt;Secunia&lt;/a&gt;, you’ll find a grand total of &lt;a href="http://secunia.com/advisories/product/12468/?task=advisories_2009"&gt;ONE&lt;/a&gt; (1) advisory for ISA 2006. Both vulnerabilities were disclosed in 2009 and patches were available at the same time as the announcement.  Compare that with &lt;a href="http://secunia.com/advisories/product/6102/?task=advisories_2009"&gt;Cisco PIX 7.x&lt;/a&gt; and &lt;a href="http://secunia.com/advisories/product/16164/?task=advisories_2009"&gt;Cisco PIX 8.x&lt;/a&gt;.  Now, I’m not foolish enough to claim ISA 2006 is “more secure” than other products like PIX / ASA.  My point is that ISA 2006 is proven to be a trustworthy component of an overall security infrastructure.  And because it's an &lt;em&gt;application layer&lt;/em&gt; firewall, it provides unique functionality to protect Microsoft products like SharePoint and Exchange server from potential application-specific vulnerabilities.  
This is critical when you consider that recent studies show that around 70% of attacks today are targeting &lt;em&gt;applications&lt;/em&gt;, not operating systems.  For example, on its own SharePoint can’t defend itself against things like &lt;a href="http://www.secureworks.com/research/threats/ddos/"&gt;HTTP Distributed Denial of Service attacks&lt;/a&gt;.  And that’s just one example.  By inspecting HTTP (and even HTTPS) traffic, ISA 2006 ensures HTTP connections are legitimate, correctly formed, and fit within safe parameters.  This translates to higher availability and better performance for your end-users.  Of course, &lt;a href="http://technet.microsoft.com/en-us/library/bb794735.aspx"&gt;a full listing of the security features included with ISA 2006&lt;/a&gt; is available on TechNet.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;5. High Availability (and Scalability).&lt;/strong&gt;  I don’t think many folks out there realize that ISA 2006 can be installed and configured in a load balanced array.  We’ve done this a couple of times and have always found it to work quite well.  If you don’t have a hardware load balancing solution available or don’t want to mess with that stuff, it's actually fairly straightforward to set up two or three servers and distribute traffic between them.  This way, a failure (or scheduled downtime) on one ISA server won’t impact the availability of your published web servers to end-users.  This load balancing capability thus provides high availability, better performance, and scalability.  Additionally, a load-balanced ISA array can in turn publish internal web servers in a round-robin fashion.  And connections can be configured to be “sticky” to support those highly dynamic, interactive web based apps we all know and love.  All this allows you to accomplish more with less.&lt;/p&gt; &lt;p&gt;So there are my top five reasons. I can already think of a few more…..cost and ease-of-use come to mind.  
Anyhow, a few quick Google (ahem) &lt;a href="http://www.live.com/"&gt;Microsoft Live&lt;/a&gt; searches will reveal a very passionate and dynamic community out there for this product.  If you’re developing any sort of custom web application, particularly one based on the Microsoft collaboration platform, I highly recommend you check it out.  And as always let me know if you have any questions.&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass7AA8FCF6C3E149A684B0933689E1FE19&gt;&lt;p&gt;I work with ISA 2006 on an on-and-off basis.  It's one of those products we don't necessarily focus on, but we often run into cases where customers need additional security and authentication functionality beyond that which can be (easily) provided in their applications.  More often than not, we find that ISA 2006 turns out to be a great solution to meet these kinds of needs.&lt;/p&gt; &lt;p&gt;That being said, I’ve come to learn in my conversations with customers that there is a general lack of knowledge of the capabilities and benefits ISA 2006 provides, so I thought it would be useful to briefly articulate why one should consider using ISA 2006 to publish any application that requires external access.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;1. Authenticated and Authorized Traffic Only.&lt;/strong&gt;  ISA 2006 can authenticate web traffic &lt;em&gt;before&lt;/em&gt; sending anything to published servers.  Additionally, authenticated connections can be associated to different groups, which in turn can be applied to ISA rules to dictate what the authenticated user can and cannot do.  Again, this is applied before traffic even hits the application.  Ensuring that only authenticated and authorized traffic even gets to your application in the first place adds a great deal of additional security and helps reduce the amount of authentication work your web servers are performing.  
In ISA 2006, this is typically (but not necessarily) implemented using a logon form, which can be customized (branded) to meet a certain look and feel.  If desired, the logon form can even be enhanced to allow for “forgot password” or “new user sign-up” functionality.  By the way, after successfully authenticating, the users’ browser gets a cookie, which is used to link the user’s identity to the session.  This cookie can be configured to be either persistent or have a certain lifetime.  &lt;/p&gt; &lt;p&gt;&lt;strong&gt;2. Single Sign-On (SSO)&lt;/strong&gt;.  Many people don’t realize it, but ISA 2006 is a great tool for SSO.  In many cases, solutions based on SharePoint consist of multiple, distributed applications and web services like SQL Server Reporting Services, each requiring some kind of authentication.  Often, this is presented to the browser using an IFrame or something similar.  More often than not, this results in external users being prompted to authenticate repeatedly.  Not good.  Fortunately, ISA 2006 provides Single Sign On (SSO) functionality to ensure users only need authenticate once using the aforementioned logon form.  Subsequent authentication requests from published applications are handled by ISA on behalf of the user via a process known as Delegated Authentication.  From the published servers’ perspective, it appears the user is connected to the internal LAN.  Oh, by the way. You say your application requires Kerberos?  No problem.  ISA 2006 &lt;a href="http://technet.microsoft.com/en-us/library/bb794858.aspx"&gt;fully supports Kerberos constrained delegation&lt;/a&gt;.  We recently set up SSO for a customer using ISA to publish a portal consisting of both SharePoint and a 3rd party dashboard application (single portal – multiple servers) and it worked great.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;3. Link Translation.&lt;/strong&gt;  This will be a short, but important one.  
ISA 2006 has built-in support for SharePoint Alternate Access Mapping (AAM) and many more capabilities to provide customized link translation.  Last year, I blogged about &lt;a href="/Blogs/nielsen_travis/Pages/Post.aspx?_ID=16"&gt;some of these capabilities&lt;/a&gt;.  This functionality offers application designers a high amount of control over what end users see in their browsers and offers more opportunities for custom branding.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;4. It's a Darn Good Application Layer Firewall.&lt;/strong&gt;  In the past, there’s been a fair amount of bias against ISA out there in the networking community, partially (I suspect) due to Microsoft’s past track record with security.  However, I’ve been noticing this trend has diminished greatly.  The truth is that ISA 2006, when properly configured, is a very high quality application layer firewall.  In fact, if you look ISA 2006 up on &lt;a href="http://secunia.com/advisories/"&gt;Secunia&lt;/a&gt;, you’ll find a grand total of &lt;a href="http://secunia.com/advisories/product/12468/?task=advisories_2009"&gt;ONE&lt;/a&gt; (1) advisory for ISA 2006. Both vulnerabilities were disclosed in 2009 and patches were available at the same time as the announcement.  Compare that with &lt;a href="http://secunia.com/advisories/product/6102/?task=advisories_2009"&gt;Cisco PIX 7.x&lt;/a&gt; and &lt;a href="http://secunia.com/advisories/product/16164/?task=advisories_2009"&gt;Cisco PIX 8.x&lt;/a&gt;.  Now, I’m not foolish enough to claim ISA 2006 is “more secure” than other products like PIX / ASA.  My point is that ISA 2006 is proven to be a trustworthy component of an overall security infrastructure.  And because it's an &lt;em&gt;application layer&lt;/em&gt; firewall, it provides unique functionality to protect Microsoft products like SharePoint and Exchange server from potential application-specific vulnerabilities.  
This is critical when you consider that recent studies show that around 70% of attacks today are targeting &lt;em&gt;applications&lt;/em&gt;, not operating systems.  For example, on its own SharePoint can’t defend itself against things like &lt;a href="http://www.secureworks.com/research/threats/ddos/"&gt;HTTP Distributed Denial of Service attacks&lt;/a&gt;.  And that’s just one example.  By inspecting HTTP (and even HTTPS) traffic, ISA 2006 ensures HTTP connections are legitimate, correctly formed, and fit within safe parameters.  This translates to higher availability and better performance for your end-users.  Of course, &lt;a href="http://technet.microsoft.com/en-us/library/bb794735.aspx"&gt;a full listing of the security features included with ISA 2006&lt;/a&gt; is available on TechNet.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;5. High Availability (and Scalability).&lt;/strong&gt;  I don’t think many folks out there realize that ISA 2006 can be installed and configured in a load balanced array.  We’ve done this a couple of times and have always found it to work quite well.  If you don’t have a hardware load balancing solution available or don’t want to mess with that stuff, it's actually fairly straightforward to set up two or three servers and distribute traffic between them.  This way, a failure (or scheduled downtime) on one ISA server won’t impact the availability of your published web servers to end-users.  This load balancing capability thus provides high availability, better performance, and scalability.  Additionally, a load-balanced ISA array can in turn publish internal web servers in a round-robin fashion.  And connections can be configured to be “sticky” to support those highly dynamic, interactive web based apps we all know and love.  All this allows you to accomplish more with less.&lt;/p&gt; &lt;p&gt;So there are my top five reasons. I can already think of a few more…..cost and ease-of-use come to mind.  
Anyhow, a few quick Google (ahem) &lt;a href="http://www.live.com/"&gt;Microsoft Live&lt;/a&gt; searches will reveal a very passionate and dynamic community out there for this product.  If you’re developing any sort of custom web application, particularly one based on the Microsoft collaboration platform, I highly recommend you check it out.  And as always let me know if you have any questions.&lt;/p&gt;&lt;/div&gt;</description><author>Travis Nielsen</author><link>http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=26</link><description /><pubDate>2009-05-01 13:34:57</pubDate></item><item><id>28</id><title>Exchange 2010 Beta First Looks: E-mail Moderation</title><body>&lt;div class=ExternalClassE387B990D0064180A40C7B82786F37A0&gt;
&lt;div&gt;The next release of Exchange will include e-mail moderation, whereby you can &amp;quot;ask&amp;quot; for approval to send messages to certain individuals or domains. I think this is pretty neat and beneficial for firms looking to apply compliance controls or build ethical firewalls to avoid any potential legal issues.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;As in my earlier blog on e-mail disclaimers, we're back again using Hub Transport rules to achieve this and once again, it's really easy to set this up. Probably the more difficult aspect would be in determining which messages get flagged for moderation. I mean, what manager would want to approve potentially hundreds of emails before they left the company? I think with some creative rules and exceptions you could minimize this. In my example there is a contract negotiation going on between Contoso and NWTraders which is sensitive in nature, so the boss(es) want to be extra careful and want their staff to seek approval for any email they send the client. That's pretty rough, huh? :)&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's the rule configuration to pull this off. Remember we want all email sent to nwtraders.com to be flagged for moderation, except email sent by the two bosses.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Select your conditions:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule2.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here we want to add &lt;a href="mailto:'@nwtraders.com'"&gt;'@nwtraders.com'&lt;/a&gt; as search criteria so the HT (hub transport) grabs the messages and processes them appropriately.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule3.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now we want the HT to forward these messages to the bosses for approval. What I noticed is that while you may have multiple people on the moderation list, any one of these people may approve or reject the message. This may help when people moderating messages are out of the office and are being covered by someone else.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule4.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's the summarized rule.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule5.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now let's compose a simple message and see how this works. I prepared a message with two people from NWTraders, one listed as a contact in the GAL and another I added manually.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:617px;height:361px" alt="" src="/Blogs/enger_erik/Lists/Photos/ComposeMessage1.png" width=752 height=432&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/ComposeMessage2.png" width=592 height=349&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;After sending the message, the Administrator and Boss Person receive it. Here's what it looks like in OWA 2010. When it shows up in Outlook 2007, it shows up with voting buttons at the top but operates normally.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:584px;height:371px" alt="" src="/Blogs/enger_erik/Lists/Photos/Moderate1.png" width=919 height=640&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Moderate2.png" width=519 height=430&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;We're going to decline this message.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Moderate3.png" width=535 height=420&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Moderate4.png" width=528 height=272&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;And so I receive the Administrator's message back which shows up in the conversation thread.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:558px;height:327px" alt="" src="/Blogs/enger_erik/Lists/Photos/ModeratedMessageDenied1.png" width=948 height=603&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;As you can see, this is a pretty powerful feature. Companies in delicate relationships or under compliance restrictions might consider this to be a very useful tool.&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassE387B990D0064180A40C7B82786F37A0&gt;
&lt;div&gt;The next release of Exchange will include e-mail moderation, whereby you can &amp;quot;ask&amp;quot; for approval to send messages to certain individuals or domains. I think this is pretty neat and beneficial for firms looking to apply compliance controls or build ethical firewalls to avoid any potential legal issues.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;As in my earlier blog on e-mail disclaimers, we're back again using Hub Transport rules to achieve this and once again, it's really easy to set this up. Probably the more difficult aspect would be in determining which messages get flagged for moderation. I mean, what manager would want to approve potentially hundreds of emails before they left the company? I think with some creative rules and exceptions you could minimize this. In my example there is a contract negotiation going on between Contoso and NWTraders which is sensitive in nature, so the boss(es) want to be extra careful and want their staff to seek approval for any email they send the client. That's pretty rough, huh? :)&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's the rule configuration to pull this off. Remember we want all email sent to nwtraders.com to be flagged for moderation, except email sent by the two bosses.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Select your conditions:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule2.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here we want to add &lt;a href="mailto:'@nwtraders.com'"&gt;'@nwtraders.com'&lt;/a&gt; as search criteria so the HT (hub transport) grabs the messages and processes them appropriately.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule3.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now we want the HT to forward these messages to the bosses for approval. What I noticed is that while you may have multiple people on the moderation list, any one of these people may approve or reject the message. This may help when people moderating messages are out of the office and are being covered by someone else.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule4.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's the summarized rule.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/EditTransPortRule5.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now let's compose a simple message and see how this works. I prepared a message with two people from NWTraders, one listed as a contact in the GAL and another I added manually.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:617px;height:361px" alt="" src="/Blogs/enger_erik/Lists/Photos/ComposeMessage1.png" width=752 height=432&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/ComposeMessage2.png" width=592 height=349&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;After sending the message, the Administrator and Boss Person receive it. Here's what it looks like in OWA 2010. When it shows up in Outlook 2007, it shows up with voting buttons at the top but operates normally.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:584px;height:371px" alt="" src="/Blogs/enger_erik/Lists/Photos/Moderate1.png" width=919 height=640&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Moderate2.png" width=519 height=430&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;We're going to decline this message.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Moderate3.png" width=535 height=420&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Moderate4.png" width=528 height=272&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;And so I receive the Administrator's message back which shows up in the conversation thread.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:558px;height:327px" alt="" src="/Blogs/enger_erik/Lists/Photos/ModeratedMessageDenied1.png" width=948 height=603&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;As you can see, this is a pretty powerful feature. Companies in delicate relationships or under compliance restrictions might consider this to be a very useful tool.&lt;/div&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=28</link><description /><pubDate>2009-04-25 14:31:00</pubDate></item><item><id>27</id><title>Exchange 2010 Beta First Looks: New E-Mail Disclaimer Feature</title><body>&lt;div class=ExternalClassB81C06F5DD724FD6BD6FA10A0056BD3C&gt;
&lt;div&gt;Now that the Exchange 2010 Beta is here I thought I'd take a closer look into some of the new features. While the list of proposed improvements is vast and sorely needed, there are a few little ones that most will appreciate, like being able to add AD attributes to disclaimer messages. I know, it's not earth-shattering, but it's one of the many improvements that you might appreciate now or in the future. Some customers have had to purchase third party products to achieve the same goal, so this might save you a few dollars.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's a quick example of how to set this up. It's really easy and is basically a standard Hub Transport rule for an e-mail disclaimer with some minor tweaks. So, go ahead and create a normal Hub Transport rule for an email disclaimer, like the one shown below, then add your AD attributes surrounded by '%%' on both ends and let Exchange do the rest. You can get really creative with this; however, you need to be relatively sure that the attributes you're placing into your disclaimer are present and what you'd expect. It could be potentially embarrassing for the sender or company if inappropriate or unintended content was included in your emails.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;If you are using an identity management product like MIIS/ILM you will probably have better control over the content in these attributes.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Create%20Disclaimer1.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Create%20Disclaimer2.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Add your disclaimer text. Since you can use HTML code in the content, you can be pretty creative. This example is pretty basic. Another thing to keep in mind when creating your disclaimers, especially with HTML code in them, is that there is a risk that some anti-spam software may flag the email as being spam, so I would suggest using it sparingly.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;font style="background-color:#c0c0c0"&gt;&amp;lt;p&amp;gt;%%DisplayName%%&amp;lt;br /&amp;gt;&lt;br&gt;%%title%%&amp;lt;br /&amp;gt;&lt;br&gt;%%Company%%&amp;lt;br /&amp;gt;&lt;br&gt;%%streetAddress%%&amp;lt;br /&amp;gt;&lt;br&gt;%%Phone%%&amp;lt;br /&amp;gt;&lt;br&gt;&amp;lt;/p&amp;gt;&lt;br&gt;&amp;lt;p&amp;gt;&amp;lt;code&amp;gt;&amp;lt;em&amp;gt;IMPORTANT NOTICE: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Contoso may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system. Contoso LTD, Suite# 1, AnyStreet, AnyTown, USA, &lt;/font&gt;&lt;a href="http://www.contoso.com/"&gt;&lt;font style="background-color:#c0c0c0"&gt;www.contoso.com&lt;/font&gt;&lt;/a&gt;&lt;font style="background-color:#c0c0c0"&gt; &amp;lt;/em&amp;gt;&amp;lt;/code&amp;gt;&amp;lt;/p&amp;gt;&lt;/font&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;This will produce the following results when delivered to the recipient:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Disclaimer.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;I'm interested in running some more tests to see to what level this new feature can be used.&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassB81C06F5DD724FD6BD6FA10A0056BD3C&gt;
&lt;div&gt;Now that the Exchange 2010 Beta is here I thought I'd take a closer look into some of the new features. While the list of proposed improvements is vast and sorely needed, there are a few little ones that most will appreciate, like being able to add AD attributes to disclaimer messages. I know, it's not earth-shattering, but it's one of the many improvements that you might appreciate now or in the future. Some customers have had to purchase third party products to achieve the same goal, so this might save you a few dollars.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's a quick example of how to set this up. It's really easy and is basically a standard Hub Transport rule for an e-mail disclaimer with some minor tweaks. So, go ahead and create a normal Hub Transport rule for an email disclaimer, like the one shown below, then add your AD attributes surrounded by '%%' on both ends and let Exchange do the rest. You can get really creative with this; however, you need to be relatively sure that the attributes you're placing into your disclaimer are present and what you'd expect. It could be potentially embarrassing for the sender or company if inappropriate or unintended content was included in your emails.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;If you are using an identity management product like MIIS/ILM you will probably have better control over the content in these attributes.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Create%20Disclaimer1.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Create%20Disclaimer2.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Add your disclaimer text. Since you can use HTML code in the content, you can be pretty creative. This example is pretty basic. Another thing to keep in mind when creating your disclaimers, especially with HTML code in them, is that there is a risk that some anti-spam software may flag the email as being spam, so I would suggest using it sparingly.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;font style="background-color:#c0c0c0"&gt;&amp;lt;p&amp;gt;%%DisplayName%%&amp;lt;br /&amp;gt;&lt;br&gt;%%title%%&amp;lt;br /&amp;gt;&lt;br&gt;%%Company%%&amp;lt;br /&amp;gt;&lt;br&gt;%%streetAddress%%&amp;lt;br /&amp;gt;&lt;br&gt;%%Phone%%&amp;lt;br /&amp;gt;&lt;br&gt;&amp;lt;/p&amp;gt;&lt;br&gt;&amp;lt;p&amp;gt;&amp;lt;code&amp;gt;&amp;lt;em&amp;gt;IMPORTANT NOTICE: This e-mail message is intended to be received only by persons entitled to receive the confidential information it may contain. E-mail messages to clients of Contoso may contain information that is confidential and legally privileged. Please do not read, copy, forward, or store this message unless you are an intended recipient of it. If you have received this message in error, please forward it to the sender and delete it completely from your computer system. Contoso LTD, Suite# 1, AnyStreet, AnyTown, USA, &lt;/font&gt;&lt;a href="http://www.contoso.com/"&gt;&lt;font style="background-color:#c0c0c0"&gt;www.contoso.com&lt;/font&gt;&lt;/a&gt;&lt;font style="background-color:#c0c0c0"&gt; &amp;lt;/em&amp;gt;&amp;lt;/code&amp;gt;&amp;lt;/p&amp;gt;&lt;/font&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;This will produce the following results when delivered to the recipient:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Disclaimer.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;I'm interested in running some more tests to see to what level this new feature can be used.&lt;/div&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=27</link><description /><pubDate>2009-04-25 14:01:00</pubDate></item><item><id>26</id><title>Quest MSDE Null Out Field Value</title><body>&lt;div class=ExternalClass093355624D834CF5870998960592DCDC&gt;
&lt;div&gt;Disclaimer:&lt;/div&gt;
&lt;div&gt;***Although the steps outlined in this blog will work, it is NOT supported by Quest. Use at your own risk and be prepared to recreate your database if something goes wrong.***&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;This article is intended for those familiar with Quest's migration products but will work in general for any SQL table in which you want to set a field back to NULL. Quest uses MSDE or SQL to store its migration database and there are many tables and relationships within the database to track and execute the migrations. The tables are always being updated by the migration processes but one of the things that doesn't happen automatically is clearing values in a field that has already been populated. This is by design to prevent you from accidentally destroying your database; however, if you know what you're doing you can safely remove values by running an update directly against the SQL table.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;For example, I have an MSDE 2005 database and I installed the SQL Server Management Studio Express Edition (SSMSEE) so I could manage the local instance of my server.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;After opening the SSMSEE and navigating to the table which contains the data I want to clear, I create this update routine which will select the data I'm interested in and set the value back to NULL.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's a look at the database without any filters. Note the ExchangeMailboxStore value. Let's run a query to make sure we're isolating just the fields with a value in them.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:538px;height:274px" alt="" src="/Blogs/enger_erik/Lists/Photos/NULLSQLField1.png" width=787 height=445&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;
&lt;div&gt;I performed a quick query to make sure I'm selecting the data I wish to update. For my example, I wanted to clear the ExchangeMailboxStore field. Here's the query.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:632px;height:329px" alt="" src="/Blogs/enger_erik/Lists/Photos/NULLSQLField2.png" width=917 height=409&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now to perform the actual update you simply paste this SQL Query into the query window and execute it (!). In a couple of seconds it will update your data. Refresh the table and you should see &lt;em&gt;NULL&lt;/em&gt; in the field you chose.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;UPDATE    T_NMEObjects&lt;br&gt;SET       ExchangeMailboxStore = NULL&lt;br&gt;WHERE     (ExchangeMailboxStore IS NOT NULL)&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now you should see a popup indicating how many rows were affected by your update and you should see your fields and their new null value. That's it. As I indicated at the beginning of this blog, this procedure is not supported by Quest per se, but it's good to know it will work in a pinch if you have no other recourse.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/NULLSQLField3.png"&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass093355624D834CF5870998960592DCDC&gt;
&lt;div&gt;Disclaimer:&lt;/div&gt;
&lt;div&gt;***Although the steps outlined in this blog will work, it is NOT supported by Quest. Use at your own risk and be prepared to recreate your database if something goes wrong.***&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;This article is intended for those familiar with Quest's migration products but will work in general for any SQL table in which you want to set a field back to NULL. Quest uses MSDE or SQL to store its migration database and there are many tables and relationships within the database to track and execute the migrations. The tables are always being updated by the migration processes, but one of the things that doesn't happen automatically is clearing values in a field that has already been populated. This is by design to prevent you from accidentally destroying your database; however, if you know what you're doing, you can safely remove values by running an update directly against the SQL table.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;For example, I have an MSDE 2005 database and I installed the SQL Server Management Studio Express Edition (SSMSEE) so I could manage the local instance of my server.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;After opening the SSMSEE and navigating to the table which contains the data I want to clear I create this update routine which will select the data I'm interested in and set the value back to NULL.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's a look at the database without any filters. Note the ExchangeMailboxStore value. Let's run a query to make sure we're isolating just the fields that have a value in them.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:538px;height:274px" alt="" src="/Blogs/enger_erik/Lists/Photos/NULLSQLField1.png" width=787 height=445&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;
&lt;div&gt;I performed a quick query to make sure I'm selecting the data I wish to update. For my example, I wanted to clear the ExchangeMailboxStore field. Here's the query.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:632px;height:329px" alt="" src="/Blogs/enger_erik/Lists/Photos/NULLSQLField2.png" width=917 height=409&gt;&lt;/div&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now to perform the actual update you simply paste this SQL Query into the query window and execute it (!). In a couple of seconds it will update your data. Refresh the table and you should see &lt;em&gt;NULL&lt;/em&gt; in the field you chose.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;UPDATE    T_NMEObjects&lt;br&gt;SET       ExchangeMailboxStore = NULL&lt;br&gt;WHERE     (ExchangeMailboxStore IS NOT NULL)&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now you should see a popup indicating how many rows were affected by your update and you should see your fields and their new null value. That's it. As I indicated at the beginning of this blog, this procedure is not supported by Quest per se, but it's good to know it will work in a pinch if you have no other recourse.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/NULLSQLField3.png"&gt;&lt;/div&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=26</link><description /><pubDate>2009-03-24 18:04:00</pubDate></item><item><id>25</id><title>Mail-enabled SharePoint Libraries and Winmail.dat issue</title><body>&lt;div class=ExternalClass7A60A15156634E4A892422D3DAAA6E6E&gt;
&lt;div&gt;While I have never professed to be a SharePoint or web anything, I was able to help one of my peers get mail delivery between Exchange and SharePoint working in a lab. The SharePoint person was looking at a published &lt;a href="http://www.combined-knowledge.com/Downloads/How to configure Email Enabled Lists in Moss2007 RTM using Exchange 2007.pdf"&gt;article&lt;/a&gt; and wanted to see it in action in our lab. I was tasked with the Exchange pieces of the setup so I followed the doc and we were successful in getting mail flow to work.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;However, a day later when they were testing in earnest, I was informed that they would receive the messages and could see them appear in the &amp;quot;Drop&amp;quot; folder on the MOSS SMTP server but there was no attachment. After looking into it a little further and sending several tests of my own, I concurred that they were not coming across even though the message size was right on target. I used Outlook Express on the MOSS SMTP server to take a closer look and noticed the &amp;quot;winmail.dat&amp;quot; signature in the header. Well, I've seen this before so I knew what to do and created the appropriate remote domain on the Exchange 2007 server to deal with this. It worked as expected and they were now able to receive and process mail messages and their attachments.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's what I saw in a sample message indicating the problem.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Winmail-dat3.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;And the header looked like this:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:426px;height:355px" alt="" src="/Blogs/enger_erik/Lists/Photos/Winmail-dat.png" width=603 height=458&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now, after seeing this I created a remote domain and turned off RTF as seen in this image.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Remote%20Domain.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;After creating the remote domain and sending test messages through, the problem went away.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Winmail-dat4.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:477px;height:677px" alt="" src="/Blogs/enger_erik/Lists/Photos/Winmail-dat2.png" width=667 height=844&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass7A60A15156634E4A892422D3DAAA6E6E&gt;
&lt;div&gt;While I have never professed to be a SharePoint or web anything, I was able to help one of my peers get mail delivery between Exchange and SharePoint working in a lab. The SharePoint person was looking at a published &lt;a href="http://www.combined-knowledge.com/Downloads/How to configure Email Enabled Lists in Moss2007 RTM using Exchange 2007.pdf"&gt;article&lt;/a&gt; and wanted to see it in action in our lab. I was tasked with the Exchange pieces of the setup so I followed the doc and we were successful in getting mail flow to work.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;However, a day later when they were testing in earnest, I was informed that they would receive the messages and could see them appear in the &amp;quot;Drop&amp;quot; folder on the MOSS SMTP server but there was no attachment. After looking into it a little further and sending several tests of my own, I concurred that they were not coming across even though the message size was right on target. I used Outlook Express on the MOSS SMTP server to take a closer look and noticed the &amp;quot;winmail.dat&amp;quot; signature in the header. Well, I've seen this before so I knew what to do and created the appropriate remote domain on the Exchange 2007 server to deal with this. It worked as expected and they were now able to receive and process mail messages and their attachments.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here's what I saw in a sample message indicating the problem.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Winmail-dat3.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;And the header looked like this:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:426px;height:355px" alt="" src="/Blogs/enger_erik/Lists/Photos/Winmail-dat.png" width=603 height=458&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Now, after seeing this I created a remote domain and turned off RTF as seen in this image.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Remote%20Domain.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;After creating the remote domain and sending test messages through, the problem went away.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Winmail-dat4.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img style="width:477px;height:677px" alt="" src="/Blogs/enger_erik/Lists/Photos/Winmail-dat2.png" width=667 height=844&gt;&lt;/div&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=25</link><description /><pubDate>2009-03-24 16:19:00</pubDate></item><item><id>24</id><title>PowerShell Add ProxyAddresses Script</title><body>&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;I do a lot of email migration work so I'm always looking for new ways (and hopefully better ways) to do some common tasks. For example, I regularly have to add new aliases from the old mail system to the new mailboxes. Normally I would use the migration tool to perform this task, but once in a while you might not be able to do this for a variety of reasons. Nevertheless, you still need a way to quickly and safely do this.&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;I have used VBScripts to perform this task in the past but I wanted to find an easier way to do the same thing using PowerShell. So here's an example of using PowerShell to parse through a CSV file, split up a string of SMTP addresses and add them to an existing mailbox. Oh, and did I mention that I'm also a big fan of looping through CSV files? :)&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Here's what our input file (AddProxy.csv) looks like:&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font style="background-color:#c0c0c0" color="#000000"&gt;Alias,TargetAlias&lt;/font&gt;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font style="background-color:#c0c0c0" color="#000000"&gt;taccount1,taccount1@nwtraders.com%taccount1@nwtraders.org%taccount1@nwtraders.info&lt;/font&gt;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;
&lt;div&gt;&lt;font style="background-color:#c0c0c0" color="#000000"&gt;taccount2,taccount2@nwtraders.com%taccount2@nwtraders.org%taccount2@nwtraders.info&lt;/font&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#008000"&gt;# ======================================================================&lt;br&gt;# &lt;br&gt;# NAME: addproxy.ps1&lt;br&gt;# &lt;br&gt;# AUTHOR: Erik Enger , PointBridge&lt;br&gt;# DATE  : 3/08/2009&lt;br&gt;# &lt;br&gt;# COMMENT: Used to add proxyAddresses read in from a CSV file.&lt;br&gt;#&lt;br&gt;# Note: This script requires the Exchange Management Shell Snapin to function. Add this snapin to the Windows PowerShell default profile first.&lt;br&gt;#&lt;br&gt;#  The c:\windows\system32\windowspowershell\v1.0\profile.ps1 file should contain this line:&lt;br&gt;#&lt;br&gt;#  add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin&lt;br&gt;# &lt;br&gt;# ======================================================================&lt;/font&gt;&lt;/div&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;Beginning proxyAddress addition...&amp;quot; &lt;/font&gt;-foregroundcolor red -BackgroundColor darkmagenta&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;`n&lt;/div&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#0000ff"&gt;Import-CSV&lt;/font&gt; &lt;font color="#800000"&gt;&amp;quot;c:\migration\AddProxy.csv&amp;quot;&lt;/font&gt; | &lt;font color="#008080"&gt;ForEach &lt;/font&gt;{&lt;/div&gt;
&lt;blockquote style="margin-right:0px" dir=ltr&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#008000"&gt;## Start a per-user transcript, named after the Alias column of the import file&lt;br&gt;&lt;/font&gt;&lt;font color="#800000"&gt;$file&lt;/font&gt;&lt;font color="#0000ff"&gt;=&lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;C:\migration\ScriptLogs\&amp;quot;&lt;/font&gt;&lt;br&gt;&lt;font color="#800000"&gt;$file&lt;/font&gt;&lt;font color="#0000ff"&gt;+=&lt;/font&gt; &lt;font color="#800000"&gt;$_&lt;font color="#000000"&gt;.&lt;/font&gt;&lt;font color="#000000"&gt;Alias &lt;/font&gt;&lt;font color="#0000ff"&gt;+&lt;/font&gt;&amp;quot;-addproxy.log&amp;quot;&lt;/font&gt;&lt;br&gt;&lt;font color="#0000ff"&gt;Start-Transcript &lt;/font&gt;&lt;font color="#800000"&gt;$file &lt;/font&gt;-append&lt;br&gt; &lt;br&gt;&lt;font color="#008000"&gt;# Read in TargetAlias field from import file&lt;/font&gt;&lt;br&gt;&lt;font color="#800000"&gt;$newproxy&lt;/font&gt;=&lt;font color="#800000"&gt;$_&lt;/font&gt;.TargetAlias.Split(&lt;font color="#800000"&gt;'%'&lt;/font&gt;)&lt;br&gt; &lt;br&gt;&lt;font color="#008000"&gt;# Connect to Exchange mailbox&lt;/font&gt;&lt;br&gt;&lt;font color="#800000"&gt;$user&lt;/font&gt;&lt;font color="#0000ff"&gt;=&lt;/font&gt;&lt;font color="#000000"&gt;Get-Mailbox &lt;/font&gt;-Identity &lt;font color="#800000"&gt;$_&lt;/font&gt;.Alias -DomainController dc1.contoso.com&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;Processing user &amp;quot; $user&lt;/font&gt;.Name -foregroundcolor yellow -BackgroundColor darkmagenta&lt;br&gt; &lt;br&gt;&lt;font color="#008000"&gt;# List existing proxyAddresses &lt;/font&gt;&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;Existing proxyAddresses:&amp;quot; $user&lt;/font&gt;.EmailAddresses&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;`n&lt;br&gt; &lt;br&gt;&lt;font color="#008000"&gt;# Begin looping through import file and adding any 
proxyAddresses that are missing&lt;br&gt;&lt;/font&gt;&lt;font color="#008000"&gt;for&lt;/font&gt;(&lt;font color="#800000"&gt;$i&lt;/font&gt;&lt;font color="#0000ff"&gt;=&lt;/font&gt;&lt;font color="#800000"&gt;0&lt;/font&gt;;&lt;font color="#800000"&gt;$i&lt;/font&gt; &lt;font color="#0000ff"&gt;-le&lt;/font&gt; &lt;font color="#800000"&gt;$newproxy&lt;/font&gt;.Count-&lt;font color="#800000"&gt;1&lt;/font&gt;;&lt;font color="#800000"&gt;$i&lt;/font&gt;&lt;font color="#0000ff"&gt;++&lt;/font&gt;)&lt;br&gt;{&lt;br&gt;&lt;font color="#800000"&gt;$newaddr&lt;/font&gt;&lt;font color="#0000ff"&gt;=&lt;/font&gt;&lt;font color="#800000"&gt;$newproxy&lt;/font&gt;[&lt;font color="#800000"&gt;$i&lt;/font&gt;]&lt;br&gt;&lt;font color="#008080"&gt;if&lt;/font&gt; (&lt;font color="#800000"&gt;$user&lt;/font&gt;.EmailAddresses -notcontains &lt;font color="#800000"&gt;$newaddr&lt;/font&gt;)&lt;br&gt; {&lt;br&gt; &lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;Adding new proxyAddress: &amp;quot;&lt;/font&gt; &lt;font color="#800000"&gt;$newaddr&lt;/font&gt;&lt;br&gt;  &lt;font color="#800000"&gt;$user&lt;/font&gt;.EmailAddresses.Add(&lt;font color="#800000"&gt;&amp;quot;smtp:&amp;quot;&lt;/font&gt;&lt;font color="#0000ff"&gt;+&lt;/font&gt;&lt;font color="#800000"&gt;$newaddr&lt;/font&gt;)}&lt;br&gt;&lt;font color="#008080"&gt;else&lt;/font&gt;&lt;br&gt; {&lt;font color="#0000ff"&gt;Write-Host&lt;/font&gt; &lt;font color="#800000"&gt;&amp;quot;Duplicate SMTP address found&lt;/font&gt; &lt;font color="#800000"&gt;(&amp;quot; $newaddr &amp;quot;)&lt;/font&gt; &lt;font color="#800000"&gt;Skipping addition...&amp;quot;&lt;/font&gt;}&lt;br&gt;}&lt;/div&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Set-Mailbox -Instance &lt;font color="#800000"&gt;$user&lt;/font&gt; -DomainController dc1.contoso.com&lt;/div&gt;&lt;/blockquote&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#008000"&gt;&lt;/font&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#008000"&gt;# Reset variables&lt;/font&gt;&lt;br&gt;$newaddr=&amp;quot;&amp;quot;&lt;br&gt;Write-Host `n&lt;br&gt;&lt;font color="#008000"&gt;### Stop the log for the current object&lt;/font&gt;&lt;br&gt;Date&lt;br&gt;&lt;font color="#0000ff"&gt;Stop-Transcript&lt;/font&gt;&lt;br&gt;}&lt;br&gt;Write-Host &lt;font color="#800000"&gt;&amp;quot;ProxyAddress additions complete.&amp;quot;&lt;/font&gt; -foregroundcolor red -BackgroundColor darkmagenta&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host&lt;/font&gt; `n`n`n&lt;br&gt;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Running this will add any new SMTP addresses found in the import file to the respective user accounts. If an existing value is found it will be skipped. You could also reconfigure this script to remove addresses too. The &amp;quot;transcript&amp;quot; function captures the PowerShell console output and stores it in a log file for each user.&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;*************************&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;I'm adding this example of a VBScript that performs a similar function. It doesn't have all the same logic as the PowerShell version; the primary purpose was to add a new SMTP address to an existing list of proxyAddresses.&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Hi. Here's a sample VBScript I used before that read data from a spreadsheet and appended an SMTP address to the current list of proxyAddresses. While it's not exactly the same method I'm using for the PowerShell script, it should show a comparison of the coding differences. I hope this helps.&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;'==========================================================================&lt;br&gt;'&lt;br&gt;' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 4.0&lt;br&gt;'&lt;br&gt;' NAME: Add proxy address(es) to existing mailbox enabled objects&lt;br&gt;'&lt;br&gt;' AUTHOR: Erik Enger, PointBridge, LLC&lt;br&gt;' DATE  : 9/2/2005&lt;br&gt;'&lt;br&gt;' COMMENT: This script is designed to add proxy addresses from a spreadsheet&lt;br&gt;' to an existing mailbox enabled object&lt;br&gt;'&lt;br&gt;'==========================================================================&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Explicitly declaring 3 types of variables &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Option Explicit&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Objects declared :&lt;br&gt;Dim objUser, objContainer&lt;br&gt;Dim objExcel, objSheet, objRootLDAP&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Strings declared :&lt;br&gt;Dim strOUContainer, strDN, strObjectClass&lt;br&gt;Dim strPathExcel, strPath, strObjCN&lt;br&gt;Dim strDomain, strOU, strProxy, strMailbox, strNick&lt;br&gt;Dim arrProxyAddresses&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Integers declared :&lt;br&gt;Dim intNumusers, intRunError, intRow, intCol&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Where is your spreadsheet? &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' PLEASE ALTER Path to your spreadsheet&lt;br&gt;strPathExcel = &amp;quot;d:\migration\scripts\update-metadir.xls&amp;quot; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Connect and Open the Spreadsheet &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Connect to spreadsheet where users are stored&lt;br&gt;Set objExcel = CreateObject(&amp;quot;Excel.Application&amp;quot;) &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Open the Spreadsheet (Error Handling Section).&lt;br&gt;On Error Resume Next&lt;br&gt;Err.Clear&lt;br&gt;objExcel.Workbooks.Open strPathExcel&lt;br&gt;If Err.Number &amp;lt;&amp;gt; 0 Then&lt;br&gt;Err.Clear&lt;br&gt;On Error GoTo 0&lt;br&gt;WScript.Echo &amp;quot;Edit the path to YOUR spreadsheet &amp;quot; &amp;amp; strPathExcel&lt;br&gt;Wscript.Quit&lt;br&gt;End If&lt;br&gt;On Error GoTo 0&lt;br&gt;Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' DO ... LOOP Until Reading the spreadsheet &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Second row in spreadsheet has attributes so start at row 3&lt;br&gt;' Check intRow offset numbers&lt;br&gt;intRow = 2 &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Do - Read each row in spreadsheet until reach a blank row&lt;br&gt;' For each row, create user and set attribute values.&lt;br&gt;' Loop until Empty cell&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Do &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Read values from spreadsheet for this user.&lt;br&gt;strDN = Trim(objSheet.Cells(intRow, 1).Value)&lt;br&gt;strProxy = Trim(objSheet.Cells(intRow, 7).Value)&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;On Error Resume Next&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Section to bind to Active Directory&lt;br&gt;Set objRootLDAP = GetObject(&amp;quot;LDAP://rootDSE&amp;quot;)&lt;br&gt;Set objContainer = GetObject(&amp;quot;LDAP://&amp;quot; &amp;amp; strOU _&lt;br&gt;&amp;amp; objRootLDAP.Get(&amp;quot;DefaultNamingContext&amp;quot;)) &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Modify attributes of mailboxes&lt;br&gt;Set objUser = GetObject(&amp;quot;LDAP://&amp;quot;&amp;amp; strDN &amp;amp; &amp;quot;,ou=migrated users,dc=contoso,dc=com&amp;quot;) &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Save the user's proxy addresses to an Array&lt;br&gt;arrProxyAddresses = objUser.proxyAddresses&lt;br&gt;WScript.Echo &amp;quot;Adding Uniform proxy address: &amp;quot; &amp;amp; strProxy &amp;amp; &amp;quot; to: &amp;quot; &amp;amp; strDN&lt;br&gt;WScript.Echo&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Extend the array and insert the proxy address&lt;br&gt;ReDim Preserve arrProxyAddresses(UBound(arrProxyAddresses) + 1)&lt;br&gt;arrProxyAddresses(UBound(arrProxyAddresses)) = &amp;quot;smtp:&amp;quot; &amp;amp; strProxy&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Clear the existing list of proxy addresses from the user object&lt;br&gt;objUser.Put &amp;quot;proxyAddresses&amp;quot;, &amp;quot;&amp;quot;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Assign the new list of proxy addresses to the user object&lt;br&gt;objUser.Put &amp;quot;proxyAddresses&amp;quot;, arrProxyAddresses&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;'Commit changes to AD&lt;br&gt;objUser.SetInfo&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Increment to next user.&lt;br&gt;intRow = intRow + 1&lt;br&gt;intNumusers = intNumusers + 1&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Loop Until objSheet.Cells(intRow, 1).Value = &amp;quot;&amp;quot; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Echo confirmation Message&lt;br&gt;WScript.Echo intNumusers &amp;amp; &amp;quot; proxy addresses added.&amp;quot; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Tidy up Reset objects to nothing &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;objExcel.ActiveWorkbook.Close&lt;br&gt;objExcel.Application.Quit&lt;br&gt;Set objUser = Nothing&lt;br&gt;Set objContainer = Nothing&lt;br&gt;Set objSheet = Nothing&lt;br&gt;Set objExcel = Nothing&lt;br&gt;Set objRootLDAP = Nothing&lt;br&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;I do a lot of email migration work so I'm always looking for new ways (and hopefully better ways) to do some common tasks. For example, I regularly have to add new aliases from the old mail system to the new mailboxes. Normally I would use the migration tool to perform this task, but once in a while you might not be able to do this for a variety of reasons. Nevertheless, you still need a way to quickly and safely do this.&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;I have used VBScripts to perform this task in the past but I wanted to find an easier way to do the same thing using PowerShell. So here's an example of using PowerShell to parse through a CSV file, split up a string of SMTP addresses and add them to an existing mailbox. Oh, and did I mention that I'm also a big fan of looping through CSV files? :)&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Here's what our input file (AddProxy.csv) looks like:&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font style="background-color:#c0c0c0" color="#000000"&gt;Alias,TargetAlias&lt;/font&gt;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font style="background-color:#c0c0c0" color="#000000"&gt;taccount1,taccount1@nwtraders.com%taccount1@nwtraders.org%taccount1@nwtraders.info&lt;/font&gt;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;
&lt;div&gt;&lt;font style="background-color:#c0c0c0" color="#000000"&gt;taccount2,taccount2@nwtraders.com%taccount2@nwtraders.org%taccount2@nwtraders.info&lt;/font&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#008000"&gt;# ======================================================================&lt;br&gt;# &lt;br&gt;# NAME: addproxy.ps1&lt;br&gt;# &lt;br&gt;# AUTHOR: Erik Enger , PointBridge&lt;br&gt;# DATE  : 3/08/2009&lt;br&gt;# &lt;br&gt;# COMMENT: Used to add proxyAddresses read in from a CSV file.&lt;br&gt;#&lt;br&gt;# Note: This script requires the Exchange Management Shell Snapin to function. Add this snapin to the Windows PowerShell default profile first.&lt;br&gt;#&lt;br&gt;#  The c:\windows\system32\windowspowershell\v1.0\profile.ps1 file should contain this line:&lt;br&gt;#&lt;br&gt;#  add-pssnapin Microsoft.Exchange.Management.PowerShell.Admin&lt;br&gt;# &lt;br&gt;# ======================================================================&lt;/font&gt;&lt;/div&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;Beginning proxyAddress addition...&amp;quot; &lt;/font&gt;-foregroundcolor red -BackgroundColor darkmagenta&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;`n&lt;/div&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#0000ff"&gt;Import-CSV&lt;/font&gt; &lt;font color="#800000"&gt;&amp;quot;c:\migration\AddProxy.csv&amp;quot;&lt;/font&gt; | &lt;font color="#008080"&gt;ForEach &lt;/font&gt;{&lt;/div&gt;
&lt;blockquote style="margin-right:0px" dir=ltr&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#008000"&gt;## Start a per-user transcript, named after the Alias column of the import file&lt;br&gt;&lt;/font&gt;&lt;font color="#800000"&gt;$file&lt;/font&gt;&lt;font color="#0000ff"&gt;=&lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;C:\migration\ScriptLogs\&amp;quot;&lt;/font&gt;&lt;br&gt;&lt;font color="#800000"&gt;$file&lt;/font&gt;&lt;font color="#0000ff"&gt;+=&lt;/font&gt; &lt;font color="#800000"&gt;$_&lt;font color="#000000"&gt;.&lt;/font&gt;&lt;font color="#000000"&gt;Alias &lt;/font&gt;&lt;font color="#0000ff"&gt;+&lt;/font&gt;&amp;quot;-addproxy.log&amp;quot;&lt;/font&gt;&lt;br&gt;&lt;font color="#0000ff"&gt;Start-Transcript &lt;/font&gt;&lt;font color="#800000"&gt;$file &lt;/font&gt;-append&lt;br&gt; &lt;br&gt;&lt;font color="#008000"&gt;# Read in TargetAlias field from import file&lt;/font&gt;&lt;br&gt;&lt;font color="#800000"&gt;$newproxy&lt;/font&gt;=&lt;font color="#800000"&gt;$_&lt;/font&gt;.TargetAlias.Split(&lt;font color="#800000"&gt;'%'&lt;/font&gt;)&lt;br&gt; &lt;br&gt;&lt;font color="#008000"&gt;# Connect to Exchange mailbox&lt;/font&gt;&lt;br&gt;&lt;font color="#800000"&gt;$user&lt;/font&gt;&lt;font color="#0000ff"&gt;=&lt;/font&gt;&lt;font color="#000000"&gt;Get-Mailbox &lt;/font&gt;-Identity &lt;font color="#800000"&gt;$_&lt;/font&gt;.Alias -DomainController dc1.contoso.com&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;Processing user &amp;quot; $user&lt;/font&gt;.Name -foregroundcolor yellow -BackgroundColor darkmagenta&lt;br&gt; &lt;br&gt;&lt;font color="#008000"&gt;# List existing proxyAddresses &lt;/font&gt;&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;Existing proxyAddresses:&amp;quot; $user&lt;/font&gt;.EmailAddresses&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;`n&lt;br&gt; &lt;br&gt;&lt;font color="#008000"&gt;# Begin looping through import file and adding any 
proxyAddresses that are missing&lt;br&gt;&lt;/font&gt;&lt;font color="#008000"&gt;for&lt;/font&gt;(&lt;font color="#800000"&gt;$i&lt;/font&gt;&lt;font color="#0000ff"&gt;=&lt;/font&gt;&lt;font color="#800000"&gt;0&lt;/font&gt;;&lt;font color="#800000"&gt;$i&lt;/font&gt; &lt;font color="#0000ff"&gt;-le&lt;/font&gt; &lt;font color="#800000"&gt;$newproxy&lt;/font&gt;.Count-&lt;font color="#800000"&gt;1&lt;/font&gt;;&lt;font color="#800000"&gt;$i&lt;/font&gt;&lt;font color="#0000ff"&gt;++&lt;/font&gt;)&lt;br&gt;{&lt;br&gt;&lt;font color="#800000"&gt;$newaddr&lt;/font&gt;&lt;font color="#0000ff"&gt;=&lt;/font&gt;&lt;font color="#800000"&gt;$newproxy&lt;/font&gt;[&lt;font color="#800000"&gt;$i&lt;/font&gt;]&lt;br&gt;&lt;font color="#008080"&gt;if&lt;/font&gt; (&lt;font color="#800000"&gt;$user&lt;/font&gt;.EmailAddresses -notcontains &lt;font color="#800000"&gt;$newaddr&lt;/font&gt;)&lt;br&gt; {&lt;br&gt; &lt;font color="#0000ff"&gt;Write-Host &lt;/font&gt;&lt;font color="#800000"&gt;&amp;quot;Adding new proxyAddress: &amp;quot;&lt;/font&gt; &lt;font color="#800000"&gt;$newaddr&lt;/font&gt;&lt;br&gt;  &lt;font color="#800000"&gt;$user&lt;/font&gt;.EmailAddresses.Add(&lt;font color="#800000"&gt;&amp;quot;smtp:&amp;quot;&lt;/font&gt;&lt;font color="#0000ff"&gt;+&lt;/font&gt;&lt;font color="#800000"&gt;$newaddr&lt;/font&gt;)}&lt;br&gt;&lt;font color="#008080"&gt;else&lt;/font&gt;&lt;br&gt; {&lt;font color="#0000ff"&gt;Write-Host&lt;/font&gt; &lt;font color="#800000"&gt;&amp;quot;Duplicate SMTP address found&lt;/font&gt; &lt;font color="#800000"&gt;(&amp;quot; $newaddr &amp;quot;)&lt;/font&gt; &lt;font color="#800000"&gt;Skipping addition...&amp;quot;&lt;/font&gt;}&lt;br&gt;}&lt;/div&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div dir=ltr class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Set-Mailbox -Instance &lt;font color="#800000"&gt;$user&lt;/font&gt; -DomainController dc1.contoso.com&lt;/div&gt;&lt;/blockquote&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#008000"&gt;&lt;/font&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;&lt;font color="#008000"&gt;# Reset variables&lt;/font&gt;&lt;br&gt;$newaddr=&amp;quot;&amp;quot;&lt;br&gt;Write-Host `n&lt;br&gt;&lt;font color="#008000"&gt;### Stop the log for the current object&lt;/font&gt;&lt;br&gt;Date&lt;br&gt;&lt;font color="#0000ff"&gt;Stop-Transcript&lt;/font&gt;&lt;br&gt;}&lt;br&gt;Write-Host &lt;font color="#800000"&gt;&amp;quot;ProxyAddress additions complete.&amp;quot;&lt;/font&gt; -foregroundcolor red -BackgroundColor darkmagenta&lt;br&gt;&lt;font color="#0000ff"&gt;Write-Host&lt;/font&gt; `n`n`n&lt;br&gt;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Running this will add any new SMTP addresses found in the import file to the respective user accounts. If an existing value is found it will be skipped. You could also reconfigure this script to remove addresses. The &amp;quot;transcript&amp;quot; function captures the PowerShell console output and stores it in a log file for each user.&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;*************************&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;I'm adding this example of a VBScript that performs a similar function. It doesn't have all the same logic as the PowerShell version; the primary purpose was to add a new SMTP address to an existing list of proxyAddresses.&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Hi. Here's a sample VBScript I used before that read data from a spreadsheet and appended an SMTP address to the current list of proxyAddresses. While it's not exactly the same method I'm using for the PowerShell script, it should show a comparison of the coding differences. I hope this helps.&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;'==========================================================================&lt;br&gt;'&lt;br&gt;' VBScript Source File -- Created with SAPIEN Technologies PrimalScript 4.0&lt;br&gt;'&lt;br&gt;' NAME: Add proxy address(es) to existing mailbox enabled objects&lt;br&gt;'&lt;br&gt;' AUTHOR: Erik Enger, PointBridge, LLC&lt;br&gt;' DATE  : 9/2/2005&lt;br&gt;'&lt;br&gt;' COMMENT: This script is designed to add proxy addresses from a spreadsheet&lt;br&gt;' to an existing mailbox enabled object&lt;br&gt;'&lt;br&gt;'==========================================================================&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Explicitly declaring 3 types of variables &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Option Explicit&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Objects declared :&lt;br&gt;Dim objUser, objContainer&lt;br&gt;Dim objExcel, objSheet, objRootLDAP&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Strings declared :&lt;br&gt;Dim strOUContainer, strDN, strObjectClass&lt;br&gt;Dim strPathExcel, strPath, strObjCN&lt;br&gt;Dim strDomain, strOU, strProxy, strMailbox, strNick&lt;br&gt;Dim arrProxyAddresses&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Integers declared :&lt;br&gt;Dim intNumusers, intRunError, intRow, intCol&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Where is your spreadsheet? &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' PLEASE ALTER Path to your spreadsheet&lt;br&gt;strPathExcel = &amp;quot;d:\migration\scripts\update-metadir.xls&amp;quot; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Connect and Open the Spreadsheet &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Connect to spreadsheet where users are stored&lt;br&gt;Set objExcel = CreateObject(&amp;quot;Excel.Application&amp;quot;) &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Open the Spreadsheet (Error Handling Section).&lt;br&gt;On Error Resume Next&lt;br&gt;Err.Clear&lt;br&gt;objExcel.Workbooks.Open strPathExcel&lt;br&gt;If Err.Number &amp;lt;&amp;gt; 0 Then&lt;br&gt;Err.Clear&lt;br&gt;On Error GoTo 0&lt;br&gt;WScript.Echo &amp;quot;Edit the path to YOUR spreadsheet &amp;quot; &amp;amp; strPathExcel&lt;br&gt;Wscript.Quit&lt;br&gt;End If&lt;br&gt;On Error GoTo 0&lt;br&gt;Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' DO ... LOOP Until Reading the spreadsheet &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Second row in spreadsheet has attributes so start at row 3&lt;br&gt;' Check intRow offset numbers&lt;br&gt;intRow = 2 &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Do - Read each row in spreadsheet until reach a blank row&lt;br&gt;' For each row, create user and set attribute values.&lt;br&gt;' Loop until Empty cell&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Do &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Read values from spreadsheet for this user.&lt;br&gt;strDN = Trim(objSheet.Cells(intRow, 1).Value)&lt;br&gt;strProxy = Trim(objSheet.Cells(intRow, 7).Value)&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;On Error Resume Next&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Section to bind to Active Directory&lt;br&gt;Set objRootLDAP = GetObject(&amp;quot;&lt;a&gt;LDAP://rootDSE&lt;/a&gt;&amp;quot;)&lt;br&gt;Set objContainer = GetObject(&amp;quot;LDAP://&amp;quot; &amp;amp; strOU _&lt;br&gt;&amp;amp; objRootLDAP.Get(&amp;quot;DefaultNamingContext&amp;quot;)) &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Modify attributes of mailboxes&lt;br&gt;Set objUser = GetObject(&amp;quot;LDAP://&amp;quot;&amp;amp; strDN &amp;amp; &amp;quot;,ou=migrated users,dc=contoso,dc=com&amp;quot;) &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Save the user's proxy addresses to an Array&lt;br&gt;arrProxyAddresses = objUser.proxyAddresses&lt;br&gt;WScript.Echo &amp;quot;Adding Uniform proxy address: &amp;quot; &amp;amp; strProxy &amp;amp; &amp;quot; to: &amp;quot; &amp;amp; strDN&lt;br&gt;WScript.Echo&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Extend the array and insert the proxy address&lt;br&gt;ReDim Preserve arrProxyAddresses(UBound(arrProxyAddresses) + 1)&lt;br&gt;arrProxyAddresses(UBound(arrProxyAddresses)) = &amp;quot;smtp:&amp;quot; &amp;amp; strProxy&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Clear the existing list of proxy addresses from the user object&lt;br&gt;objUser.Put &amp;quot;proxyAddresses&amp;quot;, &amp;quot;&amp;quot;&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Assign the new list of proxy addresses to the user object&lt;br&gt;objUser.Put &amp;quot;proxyAddresses&amp;quot;, arrProxyAddresses&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;'Commit changes to AD&lt;br&gt;objUser.SetInfo&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Increment to next user.&lt;br&gt;intRow = intRow + 1&lt;br&gt;intNumusers = intNumusers + 1&lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;Loop Until objSheet.Cells(intRow, 1).Value = &amp;quot;&amp;quot; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Echo confirmation Message&lt;br&gt;WScript.Echo intNumusers &amp;amp; &amp;quot; proxy addresses added.&amp;quot; &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;' Tidy up Reset objects to nothing &lt;/div&gt;
&lt;div class=ExternalClassB1ACF48A09C841A58EE898309AB63AF9&gt;objExcel.ActiveWorkbook.Close&lt;br&gt;objExcel.Application.Quit&lt;br&gt;Set objUser = Nothing&lt;br&gt;Set objContainer = Nothing&lt;br&gt;Set objSheet = Nothing&lt;br&gt;Set objExcel = Nothing&lt;br&gt;Set objRootLDAP = Nothing&lt;br&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=24</link><description /><pubDate>2009-03-24 15:21:00</pubDate></item><item><id>22</id><title>Excel VLOOKUP to the Rescue</title><body>&lt;div class=ExternalClass76195DDA8C344C45B2A0B931AB339EDB&gt;
&lt;div&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;While I am no Excel expert, I do have to use this application a lot for my job. My wife laughs when I suggest using technology to resolve her problems in her job as a journalist and insists on doing things longhand. Anyway, I'll keep trying. Most of my time is spent migrating various mail platforms to Exchange or BPOS so I'm constantly building migration databases to stay organized.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;When I have several different data sources to deal with I usually use Access to tie them all together. This has worked great for me and I still use it. Although I knew about the various lookups in Excel, I never thought they were all that helpful or powerful until I needed a quick and somewhat simple way to look up two possible matches for a given field.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;So my scenario starts like this. My migration application would update the user's email address to the new migrated one within its database. There was mailbox size data associated with this email address. In my migration database (Excel spreadsheet) I had some lookup columns that were pretty straightforward but I realized I had a snag when the migration application changed this key field. Suddenly the logic in my lookup made no sense and returned zero matches for some users. Once I identified what was happening I needed a simple way to do lookups on a field that might contain one of two possible values, like two different email addresses.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Trying to Google my scenario was difficult. I couldn't think of the right keywords to search for. After some poking around with Excel's online help and Googling some resources I ended up just using Excel's built-in help. It gave me a starting point and I went through every logical, lookup and reference function until I was able to piece together what I needed. Needless to say it took me several trials before I got the results I wanted.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img style="width:309px;height:273px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP1.png" width=236 height=168&gt;&lt;img style="width:311px;height:407px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP2.png" width=276 height=254&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;My workbook looked like this. This example is significantly trimmed down to make it clearer. I had the main view of my database with all the names and fields I wanted. I also had data from my migration application which contained the mailbox size information. These can be seen on the two tabs in my workbook.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img style="width:586px;height:171px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP3.png" width=1081 height=419&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Here’s the data from the Migration Database sheet. We have the account information and the old and new email addresses. The last three columns contain the lookup formula that pulls data from the Mailbox Stats sheet.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img style="width:560px;height:79px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP5.png" width=806 height=114&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Here’s the data from the Mailbox Stats sheet. Notice the mixture of addresses and even one that doesn’t match up with either the old or new address for ‘&lt;i&gt;taccount5’&lt;/i&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP6.png" width=401 height=83&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;And now on to the formula. As I said earlier it took me several tries to get the formula to return the results I wanted. Here’s the formula:&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';background:#d9d9d9;color:black;font-size:8.5pt"&gt;=IFERROR(IF(ISERROR(VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE)),VLOOKUP('Migration Database'!D2,'Mailbox Stats'!A:D,2,FALSE),VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE)),&amp;quot;&amp;quot;)&lt;/span&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Pretty confusing, huh? Well, looking at a long formula with lots of commas, parentheses, exclamation points, etc. is very confusing at times. Luckily Excel makes this easier by highlighting the sections within the formula that go together.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img style="width:623px;height:183px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP4.png" width=746 height=291&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Let’s break down the formula. First, I had to determine the root of what I was looking for. I wanted to match up one of two possible values for the email address and then perform a lookup on the Mailbox Stats sheet and return the result. Also, if there were any errors in matching up the values, I wanted to return blank values instead of errors like these (#N/A, #VALUE!, #REF!, #DIV/0!, #NUM!, #NAME?, or #NULL!). At first I thought an OR logical function was what I needed but I chose a simple IF function instead. I’m sure there are a few different ways to achieve the same result, but this was simple and worked for me. So the first part of the IF function is to perform the logical test, in other words, to check whether something returns true or false. I did this by using the ISERROR function and tested whether or not looking up my new email address triggered a failure or error as described above.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Let’s step back a minute and look at our IF function. First, there’s the test, then depending on the result (TRUE or FALSE) you can perform different calculations. You can nest these and other functions to provide more granular information. For me this is like trying to code a complex script on one line. It’s easier if you can break up the logic into smaller chunks.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-indent:0.5in;margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;IF(logical_test, value_if_true, [value_if_false])&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;This next part of the formula performs the test. We look up the value in C2 on the Migration Database sheet in the Mailbox Stats sheet and if we have a match it returns a FALSE value. Conversely, we return TRUE if there is no match.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';background:#d9d9d9;color:black;font-size:8.5pt"&gt;ISERROR(VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE))&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Once we have our test result we perform either the value_if_true or value_if_false part. In my example, I look up the new email address first and if that returns an error, I look up the old email address and return the values from the Mailbox Stats sheet I’m looking for. So in looking at the entire IF function this satisfies our goal.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';background:#d9d9d9;color:black;font-size:8.5pt"&gt;IF(ISERROR(VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE)),VLOOKUP('Migration Database'!D2,'Mailbox Stats'!A:D,2,FALSE),VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE))&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;The last piece of the puzzle has to do with cleaning up the data in the event of a total failure in our lookup, meaning neither the old nor the new email address is found. That’s where the IFERROR function comes into play.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-indent:0.5in;margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;IFERROR&lt;/span&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;(&lt;span&gt;value&lt;/span&gt;,&lt;span&gt;value_if_error&lt;/span&gt;)&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;So basically with this wrapped around the IF function we are saying that if we receive an error, we return some other value instead. This could be another calculation or simple text that’s nicer than one of these (#N/A, #VALUE!, #REF!, #DIV/0!, #NUM!, #NAME?, or #NULL!). In my formula, I just wanted to return a blank, hence the double quotes (“”) at the end.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;I hope this article saves someone some time looking for the same logic or spurs further investigation into some of these powerful Excel functions.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass76195DDA8C344C45B2A0B931AB339EDB&gt;
&lt;div&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;While I am no Excel expert, I do have to use this application a lot for my job. My wife laughs when I suggest using technology to resolve her problems in her job as a journalist and insists on doing things longhand. Anyway, I'll keep trying. Most of my time is spent migrating various mail platforms to Exchange or BPOS so I'm constantly building migration databases to stay organized.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;When I have several different data sources to deal with I usually use Access to tie them all together. This has worked great for me and I still use it. Although I knew about the various lookups in Excel, I never thought they were all that helpful or powerful until I needed a quick and somewhat simple way to look up two possible matches for a given field.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;So my scenario starts like this. My migration application would update the user's email address to the new migrated one within its database. There was mailbox size data associated with this email address. In my migration database (Excel spreadsheet) I had some lookup columns that were pretty straightforward but I realized I had a snag when the migration application changed this key field. Suddenly the logic in my lookup made no sense and returned zero matches for some users. Once I identified what was happening I needed a simple way to do lookups on a field that might contain one of two possible values, like two different email addresses.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Trying to Google my scenario was difficult. I couldn't think of the right keywords to search for. After some poking around with Excel's online help and Googling some resources I ended up just using Excel's built-in help. It gave me a starting point and I went through every logical, lookup and reference function until I was able to piece together what I needed. Needless to say it took me several trials before I got the results I wanted.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img style="width:309px;height:273px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP1.png" width=236 height=168&gt;&lt;img style="width:311px;height:407px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP2.png" width=276 height=254&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;My workbook looked like this. This example is significantly trimmed down to make it clearer. I had the main view of my database with all the names and fields I wanted. I also had data from my migration application which contained the mailbox size information. These can be seen on the two tabs in my workbook.&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt; &lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img style="width:586px;height:171px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP3.png" width=1081 height=419&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:normal;margin:0in 0in 0pt;vertical-align:top" class=MsoNormal&gt;&lt;span style="font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Here’s the data from the Migration Database sheet. We have the account information and the old and new email addresses. The last three columns contain the lookup formula that pulls data from the Mailbox Stats sheet.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img style="width:560px;height:79px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP5.png" width=806 height=114&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Here’s the data from the Mailbox Stats sheet. Notice the mixture of addresses and even one that doesn’t match up with either the old or new address for ‘&lt;i&gt;taccount5&lt;/i&gt;’.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP6.png" width=401 height=83&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;And now on to the formula. As I said earlier it took me several tries to get the formula to return the results I wanted. Here’s the formula:&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';background:#d9d9d9;color:black;font-size:8.5pt"&gt;=IFERROR(IF(ISERROR(VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE)),VLOOKUP('Migration Database'!D2,'Mailbox Stats'!A:D,2,FALSE),VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE)),&amp;quot;&amp;quot;)&lt;/span&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Pretty confusing, huh? Well, looking at a long formula with lots of commas, parentheses, exclamation points, etc. is very confusing at times. Luckily Excel makes this easier by highlighting the sections within the formula that go together.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;&lt;img style="width:623px;height:183px" alt="" src="/Blogs/enger_erik/Lists/Photos/ExcelVLOOKUP4.png" width=746 height=291&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Let’s break down the formula. First, I had to determine the root of what I was looking for. I wanted to match up one of two possible values for the email address and then perform a lookup on the Mailbox Stats sheet and return the result. Also, if there were any errors in matching up the values, I wanted to return blank values instead of errors like these (#N/A, #VALUE!, #REF!, #DIV/0!, #NUM!, #NAME?, or #NULL!). At first I thought an OR logical function was what I needed, but I chose a simple IF function instead. I’m sure there are a few different ways to achieve the same result, but this was simple and worked for me. So the first part of the IF function is to perform the logical test, in other words, whether something returns TRUE or FALSE. I did this by using the ISERROR function and tested whether or not looking up my new email address triggered a failure or error as described above.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Let’s step back a minute and look at our IF function. First, there’s the test, then depending on the result (TRUE or FALSE) you can perform different calculations. You can nest these and other functions to provide more granular information. For me this is like trying to code a complex script on one line. It’s easier if you can break up the logic into smaller chunks.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-indent:0.5in;margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;IF(logical_test, value_if_true, [value_if_false])&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;This next part of the formula performs the test. We look up the value in C2 on the Migration Database sheet in the Mailbox Stats sheet and if we have a match it returns a FALSE value. Conversely, we return TRUE if there is no match.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';background:#d9d9d9;color:black;font-size:8.5pt"&gt;ISERROR(VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE))&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;Once we have our test result we perform either the value_if_true or value_if_false part. In my example, I look up the new email address first and if that returns an error, I look up the old email address and return the values from the Mailbox Stats sheet I’m looking for. So in looking at the entire IF function this satisfies our goal.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';background:#d9d9d9;color:black;font-size:8.5pt"&gt;IF(ISERROR(VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE)),VLOOKUP('Migration Database'!D2,'Mailbox Stats'!A:D,2,FALSE),VLOOKUP('Migration Database'!C2,'Mailbox Stats'!A:D,2,FALSE))&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;The last piece of the puzzle has to do with cleaning up the data in the event of a total failure in our lookup, meaning neither the old nor the new email address is found. That’s where the IFERROR function comes into play.&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-indent:0.5in;margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;IFERROR&lt;/span&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;(&lt;span&gt;value&lt;/span&gt;,&lt;span&gt;value_if_error&lt;/span&gt;)&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;So basically, with this wrapped around the IF function, we are saying that if we receive an error we return some value. This could be another calculation or simple text that’s nicer than one of these (#N/A, #VALUE!, #REF!, #DIV/0!, #NUM!, #NAME?, or #NULL!). In my formula, I just wanted to return a blank, hence the double quotes (&amp;quot;&amp;quot;) at the end.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in 0in 10pt" class=MsoNormal&gt;&lt;span style="line-height:115%;font-family:'Verdana','sans-serif';color:black;font-size:8.5pt"&gt;I hope this article saves someone some time looking for the same logic or spurs further investigation into some of these powerful Excel functions.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=22</link><description /><pubDate>2009-03-24 13:57:00</pubDate></item><item><id>21</id><title>Useful Exchange PowerShell One-Liners</title><body>&lt;div class=ExternalClass6BEEFEF6A05940A6B7895D221B334BE5&gt;
&lt;div&gt;After working on various Exchange-related projects you start to accumulate some useful scripts and tools. For me, PowerShell has proven to be an invaluable tool, and although I usually can't find enough time to develop elaborate scripts, I do occasionally come across some common but useful one-liners in some situations.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Here are a few of these that you might find useful:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;strong&gt;Show mailbox statistics (excluding system mailboxes)&lt;br&gt;&lt;/strong&gt;Get-MailboxStatistics -server mbxserver1 | where {$_.ObjectClass -NotMatch '(SystemAttendantMailbox|ExOleDbSystemMailbox)'}|sort-object TotalItemSize -Descending |  format-table  DisplayName, ItemCount,@{expression={$_.TotalItemSize.Value.ToMB()};label=&amp;quot;TotalItemSize(MB)&amp;quot;}, Database -autosize&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;strong&gt;List your permissions on all mailbox databases&lt;br&gt;&lt;/strong&gt;Get-MailboxDatabase|Get-ADPermission -User jdoe&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;strong&gt;Remove your permissions on all mailbox databases (you inadvertently added receive-as for the wrong account to all databases)&lt;/strong&gt;&lt;br&gt;Get-MailboxDatabase|Remove-ADPermission -User jdoe -ExtendedRights Receive-As&lt;/div&gt;
&lt;div&gt;&lt;br&gt;&lt;strong&gt;Bulk creation of mailbox accounts&lt;/strong&gt;&lt;br&gt;import-csv import.csv | foreach {$pswd = ConvertTo-SecureString $_.Password -asplaintext -force; new-mailbox -alias $_.alias -name $_.name -userprincipalname $_.userprincipalname -database $_.database -org employees -Password $pswd -displayname $_.name -firstname $_.firstname -lastname $_.lastname -samaccountname $_.samaccountname}&lt;/div&gt;
&lt;blockquote dir=ltr style="margin-right:0px"&gt;
&lt;div&gt;&lt;br&gt;&lt;strong&gt;The import.csv looks like this:&lt;/strong&gt;&lt;br&gt;firstname,lastname,initials,alias,password,database,userprincipalname,displayname,samaccountname,name&lt;br&gt;John,Smith,S,JSmith,P@ssw0rd,MBX1\Mailbox Database,JSmith@contoso.com,John Smith,JSmith,John Smith&lt;/div&gt;&lt;/blockquote&gt;
&lt;div&gt;&lt;br&gt;&lt;strong&gt;Report on mailbox quotas&lt;/strong&gt;&lt;br&gt;get-mailbox -resultsize unlimited | select displayname,alias,issuewarningquota,prohibitsendquota,prohibitsendreceivequota |sort displayname | ft -autosize&lt;br&gt; &lt;/div&gt;
&lt;div&gt;&lt;strong&gt;Determine which mail users have mismatched &amp;quot;mail&amp;quot; attributes and primary SMTP address (the OAB generator won't create these accounts in the address book unless these are the same)&lt;/strong&gt;&lt;br&gt;Get-Mailbox -resultsize unlimited -ignoredefaultscope:$true | select-object displayname,alias,recipienttype,windowsemailaddress,primarysmtpaddress,externalemailaddress | where {$_.windowsemailaddress -notmatch $_.primarysmtpaddress}| Export-CSV c:\mailrpt.csv -NoClobber:$false -NoTypeInformation&lt;br&gt; &lt;/div&gt;
&lt;div&gt;&lt;strong&gt;Override database limits and set user’s mailbox limits&lt;/strong&gt;&lt;br&gt;Set-Mailbox jsmith -UseDatabaseQuotaDefaults:$false -IssueWarningQuota:250MB -ProhibitSendQuota:300MB -ProhibitSendReceiveQuota:unlimited&lt;/div&gt;
&lt;div&gt;&lt;br&gt;&lt;strong&gt;Configure a custom email address policy&lt;br&gt;&lt;/strong&gt;Set-EmailAddressPolicy -Identity &amp;quot;Default Policy&amp;quot; -EnabledEmailAddressTemplates smtp:%g.%s@contoso.com,smtp:%m@contoso.com,SMTP:%g.%i.%s@contoso.com&lt;/div&gt;
&lt;div&gt;&lt;br&gt;&lt;strong&gt;Get mailbox folder size (in MB) for a particular user&lt;/strong&gt;&lt;br&gt;get-mailboxfolderstatistics jsmith | ft FolderPath, ItemsInFolder, @{Label=&amp;quot;FolderSize(MB)&amp;quot;;expression={$_.FolderSize.ToMB()} } -auto&lt;/div&gt;
&lt;div&gt;&lt;br&gt;You can find and piece together your own one-liners by examining the issue or task you may be facing with Exchange and start with the TechNet site for a particular command you have in mind. The &amp;quot;power&amp;quot; really comes when you start stringing several of these commands together. I know I will keep adding to my personal collection of useful one-liners and hopefully I can also find the time to start creating more complex PS scripts.&lt;br&gt;&lt;/div&gt;&lt;/div&gt;</body><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=21</link><description /><pubDate>2008-12-17 18:02:00</pubDate></item><item><id>20</id><title>Exchange 2007 certificate request with special characters</title><body>&lt;div class=ExternalClass73E900E6F07E47969DC6559C9FFF0308&gt;
&lt;div&gt;Hopefully this blog will help someone avoid spending time scratching their head wondering why their cert request is not working when submitting it to a CA. Some of you may have already figured this out but for some reason this problem never reared its head until recently. The problem and solution are pretty simple. The premise of the problem lies in generating a public certificate request for a CAS server with special or reserved characters in the company name or other field you need to populate in the certificate.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;What I mean by special characters are those like commas, slashes, etc. The one that threw a wrench in the works for me was a simple comma. When using the Exchange Management Shell to create the request, we ran into a problem whereby a comma in the company name (e.g. &amp;quot;Contoso, Ltd&amp;quot;) caused the cert request to fail when submitted to the CA. As you know there are many commas in the subject name and various fields to populate (&lt;a href="http://technet.microsoft.com/en-us/library/aa998840.aspx"&gt;http://technet.microsoft.com/en-us/library/aa998840.aspx&lt;/a&gt;). The CA required the comma to be there. At first, we thought it was a simple thing to fix but after many iterations of the request we finally came up with the correct syntax. What we were missing was double quotes around the &amp;quot;entire&amp;quot; company name. We obviously tried everything else we could think of before this and felt kinda dumb for not trying it sooner. Even researching this on the web proved to be futile. We had some hints of things to try but none of them panned out.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Anyway, here's the short simple answer that will hopefully save someone else from our pitfall. We'll use our sample company name, Contoso, Ltd as the example:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;New-ExchangeCertificate -GenerateRequest -Path c:\owa_contoso_com.csr -KeySize 2048 -SubjectName &amp;quot;c=US, s=Illinois, l=Chicago, o=&lt;strong&gt;&amp;quot;&amp;quot;Contoso, Ltd&amp;quot;&amp;quot;&lt;/strong&gt;, ou=Messaging, cn=owa.contoso.com&amp;quot; -DomainName owa.contoso.com,autodiscover.contoso.com,cas.contoso.com,cas -PrivateKeyExportable $True&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;&lt;/div&gt;</body><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=20</link><description /><pubDate>2008-12-10 14:49:00</pubDate></item><item><id>19</id><title>Connecting Entourage 2008 to Exchange 2007</title><body>&lt;div class=ExternalClassA75A74482F384F18835DC9CF40CED6A7&gt;
&lt;div&gt;The purpose of this post is to hopefully help someone who is experiencing difficulty connecting an Entourage 2008 client to Exchange 2007, more specifically, with Exchange hosted on Windows Server 2008.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;When the platform was Windows Server 2003 connecting an Entourage client was as easy as enabling WebDAV in IIS 6.0. With 2008 and IIS 7.0 WebDAV is not integrated into IIS anymore so it's not as simple as setting the security to 'Allowed'. So I went through the new process of downloading, installing and configuring WebDAV on my 2008 server. This proved to be a futile attempt and my Entourage client could never connect. I scoured the web for anything I could find regarding my problem. I tried many of the suggestions but the forum posting that caught my eye was one saying you didn't even need WebDAV to connect the client. I made a few simple changes to my CAS server's Exchange and Exchweb sites and voila, it worked.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Below are the changes made to the CAS server and settings for the Entourage client. I hope this helps someone else having trouble getting connected.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;First, on the CAS server you'll need to make sure the Exchange and Exchweb sites are configured for forms-based authentication and the logon format is UPN.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/CAS-Exchange.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/CAS-Exchweb.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Then make sure the Mailbox server's sites have Basic and Windows Authentication enabled.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/MBX-Exchange-Public.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/MBX-Exchange.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/MBX-Public.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;And finally, on the Entourage client...&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Entourage-Account-Settings.png"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/Entourage-Advanced-Settings.png"&gt;&lt;/div&gt;&lt;/div&gt;</body><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=19</link><description /><pubDate>2008-11-26 10:34:00</pubDate></item><item><id>47</id><title>Forwarding a Voicemail via Outlook</title><body>&lt;div class=ExternalClass257B50E095B94D0DBD5A01053C0B5B01&gt;&lt;p&gt;I've been using Exchange 2007 UM for quite a while now. It's been great. I have had one qualm though: it drives me nuts that when I receive a forwarded VM from a co-worker, I can only open it with Windows Media Player because it's like a regular e-mail with the WMA attached. It doesn't have the built in media player control and the &amp;quot;Play on Phone&amp;quot; option is missing. Until now! Here comes the science…
&lt;/p&gt;&lt;p&gt;Here's what a message looks like when it's forwarded normally:
&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/PublishingImages/101708_2138_Forwardinga1.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;All I can do is click on the WMA file. Which is &lt;em&gt;okay&lt;/em&gt; but I want it to be treated more like a regular VM. I saw a post in the TechNet forums from one of the MS gurus &amp;amp; he said that this was &amp;quot;by design&amp;quot; – which made me sad. So I goofed around with ideas and finally came up with this one:
&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;em&gt;Forward the message, with the original message attached. The keyboard shortcut in Outlook is &amp;quot;CTRL+ALT+F&amp;quot;.
&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;I tested it out and here's the result:
&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/PublishingImages/101708_2138_Forwardinga2.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;Now you see it embedded. Cool! Here's what happens when you click on the attached VM:
&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/PublishingImages/101708_2138_Forwardinga3.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;WAAAAY better. Got the &amp;quot;Play on Phone&amp;quot; and the embedded player.
&lt;/p&gt;&lt;p&gt;The one minor drawback still is that it doesn't show up as a &amp;quot;voicemail&amp;quot; when I dial into Outlook Voice Access. But I can live with that for now.&lt;/p&gt;&lt;/div&gt;</body><author>Matthew McGillen</author><link>http://blogs.pointbridge.com/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=47</link><description /><pubDate>2008-10-17 16:38:41</pubDate></item><item><id>15</id><title>Migrating from GroupWise to Exchange 2007, over SMTP – Flat Forwarding</title><body>&lt;div class=ExternalClass87DBB61F556143F0AEF47470A0265680&gt;
&lt;div&gt;&lt;font face=Calibri&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;One of the challenges I had more recently with a migration from GroupWise to Exchange was specifically with users existing in GroupWise and users that have been migrated from GroupWise to Exchange.&lt;span&gt;  &lt;/span&gt;The scenario is, when users still exist in GroupWise, how do they email users already migrated to Exchange?&lt;span&gt;  &lt;/span&gt;The best approach, with minimal impact to the users is to continue utilizing the GroupWise address book and to also not lose frequent contacts historical information.&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;The challenge with maintaining the existing address book is how we represent the users and how messages flow forward to Exchange.&lt;span&gt;  &lt;/span&gt;If you have experience with the GroupWise connector for Exchange 2003, you know that contacts appear within GroupWise for migrated users.&lt;span&gt;  &lt;/span&gt;Those contacts send all messages to the API gateway, created for this connector.&lt;span&gt;  &lt;/span&gt;Well, in Exchange 2007 (without Exchange 2003 coexistence) SMTP mail delivery is the most optimal approach, between coexisting environments.&lt;span&gt;  &lt;/span&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;Because we are using SMTP mail delivery, we wanted to forward all messages going to the old GroupWise mailbox, to the new Exchange mailbox.&lt;span&gt;  &lt;/span&gt;However, when this occurs, the message does forward to the Exchange mailbox, but appears as an attachment from that person’s mailbox.&lt;span&gt;  &lt;/span&gt;(Example, GroupWise UserA sends to migrated GroupWise mailbox UserB.&lt;span&gt;  &lt;/span&gt;UserB receives the email in Exchange, but looks like it came from themselves UserB.)&lt;span&gt;  &lt;/span&gt;GroupWise is unlike Exchange, in which you cannot setup forwarding on the mailbox, without it looking like a forwarded message.&lt;span&gt;  &lt;/span&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;We found a solution to work around this problem.&lt;span&gt;  &lt;/span&gt;Our solution was to use a “Flat Forwarding” option with GroupWise.&lt;span&gt;  &lt;/span&gt;Flat forwarding is supported on a GroupWise Internet Agent (GWIA), but not necessarily (easily) on a per user basis.&lt;span&gt;  &lt;/span&gt;Our initial thought on flat forwarding was to direct each Domain/PO to the flat forwarding GWIA, when the users were migrated.&lt;span&gt;  &lt;/span&gt;However, that wouldn’t work because we couldn’t always plan for everyone to be migrated in a single Domain/PO.&lt;span&gt;  &lt;/span&gt;So our work-around for this was to setup flat forwarding on a specific GWIA and to direct each mailbox to that PO, by adding the GWIA address to their forwarding address.&lt;span&gt;  &lt;/span&gt;As an example: in the GroupWise client, normally forwarding would be setup as such: forward to &lt;i&gt;&lt;a href="mailto:UserB@exchange.smtpdomain.com"&gt;&lt;font color="#0000ff"&gt;UserB@exchange.smtpdomain.com&lt;/font&gt;&lt;/a&gt;&lt;/i&gt;.&lt;span&gt;  &lt;/span&gt;To support flat forwarding, we added the following to the SMTP address: &lt;i&gt;GWDomain.FFGWIA:UserB@exchange.smtpdomain.com&lt;/i&gt;.&lt;span&gt;  &lt;/span&gt;The GWDomain.FFGWIA is the domain in which the GWIA exists, followed by the Flat Forwarding GWIA connector.&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;/font&gt; &lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass87DBB61F556143F0AEF47470A0265680&gt;
&lt;div&gt;&lt;font face=Calibri&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;One of the challenges I had more recently with a migration from GroupWise to Exchange was specifically with users existing in GroupWise and users that have been migrated from GroupWise to Exchange.&lt;span&gt;  &lt;/span&gt;The scenario is, when users still exist in GroupWise, how do they email users already migrated to Exchange?&lt;span&gt;  &lt;/span&gt;The best approach, with minimal impact to the users is to continue utilizing the GroupWise address book and to also not lose frequent contacts historical information.&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;The challenge with maintaining the existing address book is how we represent the users and how messages flow forward to Exchange.&lt;span&gt;  &lt;/span&gt;If you have experience with the GroupWise connector for Exchange 2003, you know that contacts appear within GroupWise for migrated users.&lt;span&gt;  &lt;/span&gt;Those contacts send all messages to the API gateway, created for this connector.&lt;span&gt;  &lt;/span&gt;Well, in Exchange 2007 (without Exchange 2003 coexistence) SMTP mail delivery is the most optimal approach, between coexisting environments.&lt;span&gt;  &lt;/span&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;Because we are using SMTP mail delivery, we wanted to forward all messages going to the old GroupWise mailbox, to the new Exchange mailbox.&lt;span&gt;  &lt;/span&gt;However, when this occurs, the message does forward to the Exchange mailbox, but appears as an attachment from that person’s mailbox.&lt;span&gt;  &lt;/span&gt;(Example, GroupWise UserA sends to migrated GroupWise mailbox UserB.&lt;span&gt;  &lt;/span&gt;UserB receives the email in Exchange, but looks like it came from themselves UserB.)&lt;span&gt;  &lt;/span&gt;GroupWise is unlike Exchange, in which you cannot setup forwarding on the mailbox, without it looking like a forwarded message.&lt;span&gt;  &lt;/span&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;We found a solution to work around this problem.&lt;span&gt;  &lt;/span&gt;Our solution was to use a “Flat Forwarding” option with GroupWise.&lt;span&gt;  &lt;/span&gt;Flat forwarding is supported on a GroupWise Internet Agent (GWIA), but not necessarily (easily) on a per user basis.&lt;span&gt;  &lt;/span&gt;Our initial thought on flat forwarding was to direct each Domain/PO to the flat forwarding GWIA, when the users were migrated.&lt;span&gt;  &lt;/span&gt;However, that wouldn’t work because we couldn’t always plan for everyone to be migrated in a single Domain/PO.&lt;span&gt;  &lt;/span&gt;So our work-around for this was to setup flat forwarding on a specific GWIA and to direct each mailbox to that PO, by adding the GWIA address to their forwarding address.&lt;span&gt;  &lt;/span&gt;As an example: in the GroupWise client, normally forwarding would be setup as such: forward to &lt;i&gt;&lt;a href="mailto:UserB@exchange.smtpdomain.com"&gt;&lt;font color="#0000ff"&gt;UserB@exchange.smtpdomain.com&lt;/font&gt;&lt;/a&gt;&lt;/i&gt;.&lt;span&gt;  &lt;/span&gt;To support flat forwarding, we added the following to the SMTP address: &lt;i&gt;GWDomain.FFGWIA:UserB@exchange.smtpdomain.com&lt;/i&gt;.&lt;span&gt;  &lt;/span&gt;The GWDomain.FFGWIA is the domain in which the GWIA exists, followed by the Flat Forwarding GWIA connector.&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;/font&gt; &lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</description><author>David Greve</author><link>http://blogs.pointbridge.com/Blogs/greve_david/Pages/Post.aspx?_ID=15</link><description /><pubDate>2008-09-22 23:00:00</pubDate></item><item><id>12</id><title>SCR Copy Status – Storage Group Copy Status showing “Failed”</title><body>&lt;div class=ExternalClassB96CFB38AE6A4CBFB6351B563F18D1FD&gt;
&lt;div&gt;&lt;font face=Calibri size=3&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;While implementing a couple SCR solutions, I noticed a common error I have seen while reviewing the copy status of a SCR source and target Exchange 2007 server.&lt;span&gt;  &lt;/span&gt;I noticed this problem while monitoring the health of a SCR configuration, as an example, run the following command:&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;Get-StorageGroupCopyStatus –Identity &amp;lt;SourceServer\StorageGroup&amp;gt; –StandByMachine &amp;lt;TargetServer&amp;gt; | FL&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;If you see storage group copy status showing “Failed” instead of “Healthy”, and SCR was functioning properly in the past, check to ensure all services are running properly on both servers.&lt;span&gt;  &lt;/span&gt;I’ve seen this problem a couple times and every time I have reviewed this problem it appeared to be the replication service not running or needed to be restarted.&lt;span&gt;  &lt;/span&gt;Our most recent experience has been with Exchange 2007 SP1 - Rollup 3, in which the services would not start and a work-around needed to be applied to start these services.&lt;span&gt;  &lt;/span&gt;This work-around can be located at: &lt;span style="color:black;line-height:115%"&gt;&lt;a href="http://support.microsoft.com/kb/944752/"&gt;Exchange Server 2007 managed code services do not start after you install an update rollup for Exchange Server 2007&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;/font&gt; &lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassB96CFB38AE6A4CBFB6351B563F18D1FD&gt;
&lt;div&gt;&lt;font face=Calibri size=3&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;While implementing a couple SCR solutions, I noticed a common error I have seen while reviewing the copy status of a SCR source and target Exchange 2007 server.&lt;span&gt;  &lt;/span&gt;I noticed this problem while monitoring the health of a SCR configuration, as an example, run the following command:&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;Get-StorageGroupCopyStatus –Identity &amp;lt;SourceServer\StorageGroup&amp;gt; –StandByMachine &amp;lt;TargetServer&amp;gt; | FL&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;If you see storage group copy status showing “Failed” instead of “Healthy”, and SCR was functioning properly in the past, check to ensure all services are running properly on both servers.&lt;span&gt;  &lt;/span&gt;I’ve seen this problem a couple times and every time I have reviewed this problem it appeared to be the replication service not running or needed to be restarted.&lt;span&gt;  &lt;/span&gt;Our most recent experience has been with Exchange 2007 SP1 - Rollup 3, in which the services would not start and a work-around needed to be applied to start these services.&lt;span&gt;  &lt;/span&gt;This work-around can be located at: &lt;span style="color:black;line-height:115%"&gt;&lt;a href="http://support.microsoft.com/kb/944752/"&gt;Exchange Server 2007 managed code services do not start after you install an update rollup for Exchange Server 2007&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;/font&gt; &lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</description><author>David Greve</author><link>http://blogs.pointbridge.com/Blogs/greve_david/Pages/Post.aspx?_ID=12</link><description /><pubDate>2008-09-22 22:59:00</pubDate></item><item><id>13</id><title>SCR Copy Status – Storage Group Copy Status showing “Initializing”</title><body>&lt;div class=ExternalClass7E2542FFA92D41829A3A89A9868313B6&gt;&lt;font face=Calibri size=3&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;While implementing a couple SCR solutions, I noticed a common error I have seen while reviewing the copy status of a SCR source and target Exchange 2007 server.&lt;span&gt;  &lt;/span&gt;I noticed this problem while monitoring the health of a SCR configuration, as an example, run the following command:&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Get-StorageGroupCopyStatus –Identity &amp;lt;SourceServer\StorageGroup&amp;gt; –StandByMachine &amp;lt;TargetServer&amp;gt; | FL&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;If you see storage group copy status showing “Initializing” instead of “Healthy”, check to ensure all services are running properly on both servers.&lt;span&gt;  &lt;/span&gt;You may want to consider restarting the Information Store and Replication service on both servers, if you continue to see this problem.&lt;span&gt;  &lt;/span&gt;Worst case scenario, you may have to recreate the SCR configuration for that storage group.&lt;span&gt;  &lt;/span&gt;Here is an example of how to perform those tasks:&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;b&gt;Start by disabling SCR for the Storage Group in question:&lt;/b&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Disable-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt;&lt;span&gt;  &lt;/span&gt;–StandbyMachine &amp;lt;target server&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;Recreate SCR for that Storage Group&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;b&gt;Starting replication from the source server:&lt;/b&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Enable-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt; -StandbyMachine &amp;lt;target server&amp;gt; -ReplayLagTime 0.0:0:0 -TruncationLagTime 0.0:0:0&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;span style="font-size:10pt;color:red;line-height:115%"&gt;(*Note, set the replay and truncation lag time with the delay you previously defined.)&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Suspend-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt; –StandbyMachine &amp;lt;target server&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;span style="font-size:10pt;color:red;line-height:115%"&gt;(*Note, the replication service may not respond, causing the command to not run successfully.&lt;span&gt;  &lt;/span&gt;You may have to wait five minutes before running this command.)&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;b&gt;Seeding the target server:&lt;/b&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Update-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt; –StandbyMachine &amp;lt;target server&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;b&gt;Finalizing replication on the source server:&lt;/b&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Resume-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt; –StandbyMachine &amp;lt;targ&lt;/span&gt;et server&amp;gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;/font&gt;&lt;font size=2&gt; &lt;/p&gt;&lt;/font&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass7E2542FFA92D41829A3A89A9868313B6&gt;&lt;font face=Calibri size=3&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;While implementing a couple SCR solutions, I noticed a common error I have seen while reviewing the copy status of a SCR source and target Exchange 2007 server.&lt;span&gt;  &lt;/span&gt;I noticed this problem while monitoring the health of a SCR configuration, as an example, run the following command:&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Get-StorageGroupCopyStatus –Identity &amp;lt;SourceServer\StorageGroup&amp;gt; –StandByMachine &amp;lt;TargetServer&amp;gt; | FL&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;If you see storage group copy status showing “Initializing” instead of “Healthy”, check to ensure all services are running properly on both servers.&lt;span&gt;  &lt;/span&gt;You may want to consider restarting the Information Store and Replication service on both servers, if you continue to see this problem.&lt;span&gt;  &lt;/span&gt;Worst case scenario, you may have to recreate the SCR configuration for that storage group.&lt;span&gt;  &lt;/span&gt;Here is an example of how to perform those tasks:&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;b&gt;Start by disabling SCR for the Storage Group in question:&lt;/b&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Disable-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt;&lt;span&gt;  &lt;/span&gt;–StandbyMachine &amp;lt;target server&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;Recreate SCR for that Storage Group&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;b&gt;Starting replication from the source server:&lt;/b&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Enable-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt; -StandbyMachine &amp;lt;target server&amp;gt; -ReplayLagTime 0.0:0:0 -TruncationLagTime 0.0:0:0&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;span style="font-size:10pt;color:red;line-height:115%"&gt;(*Note, set the replay and truncation lag time with the delay you previously defined.)&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Suspend-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt; –StandbyMachine &amp;lt;target server&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;span style="font-size:10pt;color:red;line-height:115%"&gt;(*Note, the replication service may not respond, causing the command to not run successfully.&lt;span&gt;  &lt;/span&gt;You may have to wait five minutes before running this command.)&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;b&gt;Seeding the target server:&lt;/b&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Update-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt; –StandbyMachine &amp;lt;target server&amp;gt;&lt;/span&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;b&gt;Finalizing replication on the source server:&lt;/b&gt;&lt;/p&gt;
&lt;p class=MsoListParagraph style="margin:0in 0in 10pt 0.25in;text-indent:-0.25in"&gt;&lt;span style="font-family:Wingdings"&gt;&lt;span&gt;Ø&lt;span style="font:7pt 'Times New Roman'"&gt;  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span&gt;Resume-StorageGroupCopy &amp;lt;source server&amp;gt;\&amp;lt;SG in Question&amp;gt; –StandbyMachine &amp;lt;targ&lt;/span&gt;et server&amp;gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;/font&gt;&lt;font size=2&gt; &lt;/p&gt;&lt;/font&gt;&lt;/div&gt;</description><author>David Greve</author><link>http://blogs.pointbridge.com/Blogs/greve_david/Pages/Post.aspx?_ID=13</link><description /><pubDate>2008-09-22 22:59:00</pubDate></item><item><id>14</id><title>Exchange 2007 OAB – NTLM problem with Server 2008</title><body>&lt;div class=ExternalClass001A2643A36F4337A1EBB6133D4846F7&gt;
&lt;div&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font face=Calibri size=3&gt;We have been deploying Exchange 2007 for a while now, on Windows Server 2003.&lt;span&gt;  &lt;/span&gt;Most recently, I have deployed Exchange 2007 on Windows Server 2008 machines.&lt;span&gt;  &lt;/span&gt;The one noticeable problem, while setting up the Client Access Server role on server 2008 was that the Offline Address Book(OAB) URL was not functioning properly.&lt;span&gt;  &lt;/span&gt;You could access the OAB directory, only after IIS has been restarted or after the server restarts.&lt;span&gt;  &lt;/span&gt;However, after a couple minutes, the site becomes inaccessible, with a permission error.&lt;span&gt;  &lt;/span&gt;This also presents a problem to the end-users, as it asks them to authenticate to the OAB URL over and over again, but never actually accepts their credentials.&lt;span&gt;  &lt;/span&gt;My initial work-around for this problem was to setup Basic Authentication with SSL. (which actually fixes the problem.)&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font face=Calibri size=3&gt;I was not very satisfied with this work-around as NTLM should work with Exchange 2007 and Windows Server 2008.&lt;span&gt;  &lt;/span&gt;After working with one of my colleagues &lt;/font&gt;&lt;a href="/Blogs/enger_erik/Pages/default.aspx"&gt;&lt;font face=Calibri size=3&gt;Erik Enger&lt;/font&gt;&lt;/a&gt;&lt;font size=3&gt;&lt;font face=Calibri&gt;, who stayed in touch with Microsoft, we discovered what the root cause of this problem was.&lt;span&gt;  &lt;/span&gt;The problem seems to be related to Kernel-mode authentication.&lt;span&gt;  &lt;/span&gt;When it is not enabled, the problem with the OAB IIS folder seems to go away.&lt;span&gt;  &lt;/span&gt;We also applied these same settings to AutoDiscover and EWS folder.&lt;span&gt;  &lt;/span&gt;This resolved our OAB and Outlook Anywhere authentication issues, using NTLM.&lt;span&gt;  &lt;/span&gt;Before considering these settings for your environment; please review the security and performance implications in your environment, before accepting such changes.&lt;span&gt;  &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;&lt;font face=Calibri&gt;&lt;span&gt;&lt;img alt="" src="/Blogs/greve_david/Lists/Photos/NTLM-OAB-1.jpg"&gt;&lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass001A2643A36F4337A1EBB6133D4846F7&gt;
&lt;div&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font face=Calibri size=3&gt;We have been deploying Exchange 2007 for a while now, on Windows Server 2003.&lt;span&gt;  &lt;/span&gt;Most recently, I have deployed Exchange 2007 on Windows Server 2008 machines.&lt;span&gt;  &lt;/span&gt;The one noticeable problem, while setting up the Client Access Server role on server 2008 was that the Offline Address Book(OAB) URL was not functioning properly.&lt;span&gt;  &lt;/span&gt;You could access the OAB directory, only after IIS has been restarted or after the server restarts.&lt;span&gt;  &lt;/span&gt;However, after a couple minutes, the site becomes inaccessible, with a permission error.&lt;span&gt;  &lt;/span&gt;This also presents a problem to the end-users, as it asks them to authenticate to the OAB URL over and over again, but never actually accepts their credentials.&lt;span&gt;  &lt;/span&gt;My initial work-around for this problem was to setup Basic Authentication with SSL. (which actually fixes the problem.)&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font face=Calibri size=3&gt;I was not very satisfied with this work-around as NTLM should work with Exchange 2007 and Windows Server 2008.&lt;span&gt;  &lt;/span&gt;After working with one of my colleagues &lt;/font&gt;&lt;a href="/Blogs/enger_erik/Pages/default.aspx"&gt;&lt;font face=Calibri size=3&gt;Erik Enger&lt;/font&gt;&lt;/a&gt;&lt;font size=3&gt;&lt;font face=Calibri&gt;, who stayed in touch with Microsoft, we discovered what the root cause of this problem was.&lt;span&gt;  &lt;/span&gt;The problem seems to be related to Kernel-mode authentication.&lt;span&gt;  &lt;/span&gt;When it is not enabled, the problem with the OAB IIS folder seems to go away.&lt;span&gt;  &lt;/span&gt;We also applied these same settings to AutoDiscover and EWS folder.&lt;span&gt;  &lt;/span&gt;This resolved our OAB and Outlook Anywhere authentication issues, using NTLM.&lt;span&gt;  &lt;/span&gt;Before considering these settings for your environment; please review the security and performance implications in your environment, before accepting such changes.&lt;span&gt;  &lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p class=MsoNormal style="margin:0in 0in 10pt"&gt;&lt;font size=3&gt;&lt;font face=Calibri&gt;&lt;span&gt;&lt;img alt="" src="/Blogs/greve_david/Lists/Photos/NTLM-OAB-1.jpg"&gt;&lt;/span&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;</description><author>David Greve</author><link>http://blogs.pointbridge.com/Blogs/greve_david/Pages/Post.aspx?_ID=14</link><description /><pubDate>2008-09-22 22:59:00</pubDate></item><item><id>36</id><title>Using the Microsoft Notes Connector to Synchronize with Mail-Enabled Objects</title><body>&lt;div class=ExternalClass2D357FC635C4437EA91630ED8A79E603&gt;&lt;p&gt;In a previous &lt;a href="/Blogs/schertz_jeff/Pages/Post.aspx?_ID=28" target="_blank"&gt;blog entry&lt;/a&gt; I covered how to use object filtering with the Microsoft Notes Connector.  There was a reason I ran into that situation in the first place which was planning a migration from Notes to Exchange using the Notes Connector, but with a catch: I had already created new accounts in the target forest for the users in the migration scope.  These accounts needed to be pre-deployed before any directory synchronization was configured so that employees in the newly acquired company could authenticate to the parent company's AD forest and access the intranet site, among other resources.  This is why I needed to limit the migration scope to the &lt;em&gt;exact &lt;/em&gt;set of user accounts that had already been deployed in the target forest via a CSVDE import.&lt;/p&gt; &lt;p&gt;Normally this would not cause a problem as the directory synchronization portion of the Notes Connector can be configured to create new Contact objects instead of new User objects.  
Then when the mail migration tasks are performed, native or third-party tools (like Quest's &lt;a href="http://www.quest.com/notes-migrator-for-exchange/" target="_blank"&gt;Notes Migrator&lt;/a&gt; or Binary Tree's &lt;a href="http://www.binarytree.com/website/msg/home.nsf/vContentW/CMT+For+Exchange--CMT+For+Exchange!Opendocument" target="_blank"&gt;CMT Universal&lt;/a&gt;) can identify matching user accounts and contact objects, merge the mail attributes into the user account, mailbox-enable it, and then delete the contact from AD.  Notice I said &lt;em&gt;normally&lt;/em&gt;. Sigh.&lt;/p&gt; &lt;p&gt;Introduce catch #2: The new user accounts I created in the target forest were mail-enabled.  They needed to have their mail attribute (among a few others) populated with their legacy email address so that SharePoint services would import that attribute into their profile for use in the intranet site's company directory.  These items were also already acting as mail-forwarding objects and messing with them can start to open a can of worms related to X.400 addresses.  When the accounts were imported in bulk, many of the legacy mail attributes were also brought in; mail-disabling them was simply not an option.  This obviously presents a problem to the Connector's directory synchronization, as it will not be able to use those in-use mail attributes since they are already entered in the user accounts, so new contacts would be created with incorrect SMTP addresses.  That could muck up a Global Address List in short order.&lt;/p&gt; &lt;p&gt;After researching the documentation and contacting Microsoft Product Support I learned that there was no native way to configure the Connector's directory synchronization to identify the existing user objects and 'merge' the imported information with them.  
When researching a solution for this, &lt;a href="/Blogs/nielsen_travis" target="_blank"&gt;Travis Nielsen&lt;/a&gt; mentioned that he had run across something similar a few years prior and figured out a way to move some attributes off of the contacts created by the directory sync and stamp them onto the pre-existing objects, effectively fooling the Connector.&lt;/p&gt; &lt;p&gt;Knowing this, I set off to dissect how the Connector worked so that I could understand exactly what could be modified to get the end result I was looking for.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Under the Hood&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;In a test lab I have a target Windows 2003 forest with a separate Exchange 2003 server, and a source Windows 2003 forest with another member server running Notes/Domino 6.5.4.  The Notes Connector is configured and I've already synchronized a handful of objects.  I also have the DirSync options on the Connector set to create new Contact objects.  So let's go ahead and create a brand new user in the Notes directory to watch how directory synchronization works.&lt;/p&gt; &lt;p&gt;I've created a new user (CRusso) in the Notes directory.  
I'm current filtering objects with the Connector by setting the field carLicense = 'Sync' so then stamped that value on there, otherwise the directory sync would ignore the new user.&lt;br&gt;&lt;/p&gt; &lt;p&gt;From the &lt;strong&gt;DirSync Options&lt;/strong&gt; tab on the &lt;strong&gt;Connector for Lotus Notes &lt;/strong&gt;object in the ESM, I kicked off an &lt;strong&gt;Immediate update &lt;/strong&gt;from Notes to Exchange.&lt;/p&gt; &lt;p&gt;Checking the interactive service window on the Domino Server will show the creation of the new user, as well as the connection from the Exchange Connector:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_8.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=170 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_3.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Because an Immediate update was run, only new objects not yet identified by the Connector will be processed, hence the &lt;strong&gt;Documents read: 1&lt;/strong&gt; summary.  
If an Immediate Full Reload was run then all objects included in the filter scope would be read.&lt;/p&gt; &lt;p&gt;Flipping back to the Exchange server, the Application event log shows some recent events that tell us what the DirSync process did:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_6.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=148 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_2.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The most recent Notes Directory Synchronization event mirrors what we saw on the Domino server console:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeNOTES&lt;br&gt;Event Category:  Notes Directory Synchronization &lt;br&gt;Event ID:        60378&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;&lt;br&gt;Description:     &lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Directory Synchronization Export is complete. MS.DXANOTES successfully exported 1 entries, and had problems exporting 0 entries. &lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;In addition, the two Proxy Generation events describe the stamping of mail attributes on the new contact in AD. I've snipped down the description to just the import part, which proxies were applied to the object.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeSA&lt;br&gt;Event Category:  Proxy Generation &lt;br&gt;Event ID:        3006 &lt;/font&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Description: &lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Policy provider instance processing recipient. 
&lt;br&gt;Recipient DN: CN=Chris Russo,OU=Import,OU=DirSync,DC=contoso,DC=com &lt;br&gt;Proxies written to recipient: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;s=Russo;g=Chris;&lt;br&gt;    SMTP:CRusso@contoso.com&lt;br&gt;    notes:UID=1913cc8-3c223412-862574a6-54b234&lt;br&gt;    NOTES:Chris Russo/nwtraders@nwtraders&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Now we have a new contact object in the defined Import OU in Active Directory.  A quick look at the E-mail Addresses tab in ADUC and we can see the typical X.400 and SMTP addresses created by the RUS, as well as two Notes proxy addresses.  The default (NOTES) is the address that will be used by Exchange to route email sent to this contact over the connector to the Notes directory for foreign delivery.  The secondary proxy (notes) is apparently some kind of unique identifier.  &lt;em&gt;This attribute value will play a key role later on ;)&lt;/em&gt;&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_10.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=211 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_4.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;But if I run through the same exact process as above, only for a user which already has a user account in AD then a couple things can happen.  If the user object exists in the same OU that DirSync is configured to import to, then the Connector will notice the conflict.  But if the user object is in a different OU, outside what DirSync is configured to look at, then the conflict will be discovered when Exchange 2003 generates the proxy addresses on the object.  
Here we can see that the SMTP alias was automatically stamped with a '2' suffix since the intended address is not unique.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_12.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=207 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_5.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;So this is exactly the behavior we want to avoid, and ultimately have only the single user account in AD. Let's turn our attention to the imported objects' AD attributes to see what we can find.  &lt;/p&gt; &lt;p&gt;After looking through the raw attributes of these contacts and comparing them to others, I noticed one attribute in particular that was stamped on only the contact objects created by the Connector: &lt;strong&gt;importedFrom&lt;/strong&gt;.  And every object had the same exact value, which is actually a unique identifier which indicates what created these objects: the Connector for Lotus Notes.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_14.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=121 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_6.png" width=304 border=0&gt;&lt;/a&gt;    &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_16.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=122 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_7.png" width=314 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;That is one half of the puzzle, while the other half is that notes proxy address I mentioned earlier.  
Each AD object created by the Connector has its own unique value for that proxy address and I discovered it's actually the Person Document's UNID in Notes.&lt;/p&gt; &lt;p&gt;This can be viewed in the Domino Administrator by looking at the Document Properties and clicking on the far-right tab.  The first two lines make up the UNID:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_18.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=150 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_8.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;When you look at the secondary notes proxy address in Active Directory on a contact object created by the Connector, we see the same UNID, but stored in a slightly different format than in Notes:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_20.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=137 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_9.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The 'OF' and 'ON' prefixes are omitted, as well as any preceding zeros, and the colons are replaced by hyphens.&lt;/p&gt; &lt;blockquote&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt; &lt;p&gt;UN&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;ID Notes Format:   &lt;font color="#808080"&gt;OF&lt;/font&gt;733DCF3E:D9716911:&lt;font color="#808080"&gt;ON&lt;/font&gt;862574A6:&lt;font color="#808080"&gt;00&lt;/font&gt;522990&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;UNID AD Format:        733DCF3E-D9716911-  862574A6-  522990&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p align=left&gt;Unfortunately that Notes document properties tab only displays the string; you cannot highlight and copy text from it.  
For a simpler way to get the UNID without typing it in manually, switch to the &lt;strong&gt;&amp;lt;+&amp;gt;&lt;/strong&gt; tab and look at the end of the &lt;em&gt;Identifier&lt;/em&gt; field, the UNID is also stored there as an alpha-numeric string:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_21.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=259 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;The portion after the last forward slash is the UNID:&lt;/p&gt; &lt;blockquote&gt; &lt;p align=left&gt;&lt;font size=1&gt;&lt;font face="Courier New"&gt;&lt;font color="#3f72ae"&gt;Notes://LAB3NOTES/86257420007522B9/77B3DCF1F48F935485256B49007DC700/&lt;/font&gt;&lt;font color="#ff0000"&gt;&lt;strong&gt;733DCF3ED9716911862574A600522990&lt;/strong&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The Workaround&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;So to test the process I deleted the new contact object for CRusso and manually created a new user account in AD.  I mail-enabled the object and set a legacy SMTP address of &lt;a href="mailto:crusso@nwtraders.com"&gt;crusso@nwtraders.com&lt;/a&gt; to match the Notes account's SMTP address.  Then I manually set the &lt;em&gt;importedFrom &lt;/em&gt;attribute, as well as added the secondary Notes proxy address. (Note that the secondary proxy address for the UNID cannot be entered in ADUC as the format is deemed invalid by the tool, it must be entered in the attribute using a raw editor, like ADSIedit.) 
I also updated the value in the Company Name field on the Notes Person document to have another piece of information to verify directory synchronization.&lt;/p&gt; &lt;p&gt;After issuing a full immediate reload on the connector I found that the primary NOTES proxy address had been added to the mail-enabled user object and the company field was also updated to reflect the change in the Notes database.  Now any successive manual or scheduled directory synchronization processes will update this object as they have been associated together.&lt;/p&gt; &lt;p&gt;In order to complete this task at a larger scale, you would just need to export the UNID fields and NOTES mail addresses for all in-scope Notes accounts, and then use a CSV or LDIF import to create the new account in the target domain with the required information to set the foundation up for the Connector to link.&lt;/p&gt; &lt;p&gt;It's also important to note that the import Container scope on the Notes Connector is able to see and search the location of any proposed targets for object matching.  If you stamp the required attributes on an account stored in an OU that Connector is not configured to look at, then the matching will not work and the default action will be chosen (Create a Windows Contact object in the import container.)&lt;/p&gt; &lt;p&gt;Of course after I reverse engineered this process I eventually ran across a discussion online that confirmed the behavior I saw: Connector for Lotus Notes Directory Synchronization: &lt;a href="http://blogs.technet.com/collabtools/archive/2006/08/11/446024.aspx" target="_blank"&gt;Part 3 - Frequently Asked Questions&lt;/a&gt;.  
&lt;/p&gt; &lt;p&gt;Also, it's probably worth noting that both the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=d9f3a35e-1046-47b5-b09b-bda9de60cd9d&amp;amp;DisplayLang=en" target="_blank"&gt;Notes Connector&lt;/a&gt; and the &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=C14932A1-55F4-4256-AF7E-617639D46024&amp;amp;displaylang=en" target="_blank"&gt;Calendar Connector&lt;/a&gt; were just updated the other day.&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass2D357FC635C4437EA91630ED8A79E603&gt;&lt;p&gt;In a previous &lt;a href="/Blogs/schertz_jeff/Pages/Post.aspx?_ID=28" target="_blank"&gt;blog entry&lt;/a&gt; I covered how to use object filtering with the Microsoft Notes Connector.  There was a reason I ran into that situation in the first place which was planning a migration from Notes to Exchange using the Notes Connector, but with a catch: I had already created new accounts in the target forest for the users in the migration scope.  These accounts needed to be pre-deployed before any directory synchronization was configured so that employees in the newly acquired company could authenticate to the parent company's AD forest and access the intranet site, among other resources.  This is why I needed to limit the migration scope to the &lt;em&gt;exact &lt;/em&gt;set of user accounts that had already been deployed in the target forest via a CSVDE import.&lt;/p&gt; &lt;p&gt;Normally this would not cause a problem as the directory synchronization portion of the Notes Connector can be configured to create new Contact objects instead of new User objects.  
Then when the mail migration tasks are performed, native or third-party tools (like Quest's &lt;a href="http://www.quest.com/notes-migrator-for-exchange/" target="_blank"&gt;Notes Migrator&lt;/a&gt; or Binary Tree's &lt;a href="http://www.binarytree.com/website/msg/home.nsf/vContentW/CMT+For+Exchange--CMT+For+Exchange!Opendocument" target="_blank"&gt;CMT Universal&lt;/a&gt;) can identify matching user accounts and contact objects, merge the mail attributes into the user account, mailbox-enable it, and then delete the contact from AD.  Notice I said &lt;em&gt;normally&lt;/em&gt;. Sigh.&lt;/p&gt; &lt;p&gt;Introduce catch #2: The new user accounts I created in the target forest were mail-enabled.  They needed to have their mail attribute (among a few others) populated with their legacy email address so that SharePoint services would import that attribute into their profile for use in the intranet site's company directory.  These items were also already acting as mail-forwarding objects and messing with them can start to open a can of worms related to X.400 addresses.  When the accounts were imported in bulk, many of the legacy mail attributes were also brought in; mail-disabling them was simply not an option.  This obviously presents a problem to the Connector's directory synchronization, as it will not be able to use those in-use mail attributes since they are already entered in the user accounts, so new contacts would be created with incorrect SMTP addresses.  That could muck up a Global Address List in short order.&lt;/p&gt; &lt;p&gt;After researching the documentation and contacting Microsoft Product Support I learned that there was no native way to configure the Connector's directory synchronization to identify the existing user objects and 'merge' the imported information with them.  
When researching a solution for this, &lt;a href="/Blogs/nielsen_travis" target="_blank"&gt;Travis Nielsen&lt;/a&gt; mentioned that he had run across something similar a few years prior and figured out a way to move some attributes off of the contacts created by the directory sync and stamp them onto the pre-existing objects, effectively fooling the Connector.&lt;/p&gt; &lt;p&gt;Knowing this, I set off to dissect how the Connector worked so that I could understand exactly what could be modified to get the end result I was looking for.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Under the Hood&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;In a test lab I have a target Windows 2003 forest with a separate Exchange 2003 server, and a source Windows 2003 forest with another member server running Notes/Domino 6.5.4.  The Notes Connector is configured and I've already synchronized a handful of objects.  I also have the DirSync options on the Connector set to create new Contact objects.  So let's go ahead and create a brand new user in the Notes directory to watch how directory synchronization works.&lt;/p&gt; &lt;p&gt;I've created a new user (CRusso) in the Notes directory.  
I'm currently filtering objects with the Connector by setting the field carLicense = 'Sync', so I then stamped that value on there; otherwise the directory sync would ignore the new user.&lt;br&gt;&lt;/p&gt; &lt;p&gt;From the &lt;strong&gt;DirSync Options&lt;/strong&gt; tab on the &lt;strong&gt;Connector for Lotus Notes &lt;/strong&gt;object in the ESM, I kicked off an &lt;strong&gt;Immediate update &lt;/strong&gt;from Notes to Exchange.&lt;/p&gt; &lt;p&gt;Checking the interactive service window on the Domino Server will show the creation of the new user, as well as the connection from the Exchange Connector:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_8.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=170 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_3.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;Because an Immediate update was run, only new objects not yet identified by the Connector will be processed, hence the &lt;strong&gt;Documents read: 1&lt;/strong&gt; summary.  
If an Immediate Full Reload was run then all objects included in the filter scope would be read.&lt;/p&gt; &lt;p&gt;Flipping back to the Exchange server, the Application event log shows some recent events that tell us what the DirSync process did:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_6.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=148 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_2.png" width=644 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The most recent Notes Directory Synchronization event mirrors what we saw on the Domino server console:&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeNOTES&lt;br&gt;Event Category:  Notes Directory Synchronization &lt;br&gt;Event ID:        60378&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;&lt;br&gt;Description:     &lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Directory Synchronization Export is complete. MS.DXANOTES successfully exported 1 entries, and had problems exporting 0 entries. &lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;In addition, the two Proxy Generation events describe the stamping of mail attributes on the new contact in AD. I've snipped down the description to just the import part, which proxies were applied to the object.&lt;/p&gt; &lt;blockquote&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeSA&lt;br&gt;Event Category:  Proxy Generation &lt;br&gt;Event ID:        3006 &lt;/font&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Description: &lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Policy provider instance processing recipient. 
&lt;br&gt;Recipient DN: CN=Chris Russo,OU=Import,OU=DirSync,DC=contoso,DC=com &lt;br&gt;Proxies written to recipient: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;s=Russo;g=Chris;&lt;br&gt;    SMTP:CRusso@contoso.com&lt;br&gt;    notes:UID=1913cc8-3c223412-862574a6-54b234&lt;br&gt;    NOTES:Chris Russo/nwtraders@nwtraders&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Now we have a new contact object in the defined Import OU in Active Directory.  A quick look at the E-mail Addresses tab in ADUC and we can see the typical X.400 and SMTP addresses created by the RUS, as well as two Notes proxy addresses.  The default (NOTES) is the address that will be used by Exchange to route email sent to this contact over the connector to the Notes directory for foreign delivery.  The secondary proxy (notes) is apparently some kind of unique identifier.  &lt;em&gt;This attribute value will play a key role later on ;)&lt;/em&gt;&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_10.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=211 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_4.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;But if I run through the same exact process as above, only for a user which already has a user account in AD then a couple things can happen.  If the user object exists in the same OU that DirSync is configured to import to, then the Connector will notice the conflict.  But if the user object is in a different OU, outside what DirSync is configured to look at, then the conflict will be discovered when Exchange 2003 generates the proxy addresses on the object.  
Here we can see that the SMTP alias was automatically stamped with a '2' suffix since the intended address is not unique.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_12.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=207 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_5.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;So this is exactly the behavior we want to avoid, and ultimately have only the single user account in AD. Let's turn our attention to the imported objects' AD attributes to see what we can find.  &lt;/p&gt; &lt;p&gt;After looking through the raw attributes of these contacts and comparing them to others, I noticed one attribute in particular that was stamped on only the contact objects created by the Connector: &lt;strong&gt;importedFrom&lt;/strong&gt;.  And every object had the same exact value, which is actually a unique identifier which indicates what created these objects: the Connector for Lotus Notes.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_14.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=121 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_6.png" width=304 border=0&gt;&lt;/a&gt;    &lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_16.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=122 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_7.png" width=314 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;That is one half of the puzzle, while the other half is that notes proxy address I mentioned earlier.  
Each AD object created by the Connector has its own unique value for that proxy address and I discovered it's actually the Person Document's UNID in Notes.&lt;/p&gt; &lt;p&gt;This can be viewed in the Domino Administrator by looking at the Document Properties and clicking on the far-right tab.  The first two lines make up the UNID:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_18.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=150 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_8.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;When you look at the secondary notes proxy address in Active Directory on a contact object created by the Connector, we see the same UNID, but stored in a slightly different format than in Notes:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_20.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=137 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb_9.png" width=354 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;The 'OF' and 'ON' prefixes are omitted, as well as any preceding zeros, and the colons are replaced by hyphens.&lt;/p&gt; &lt;blockquote&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt; &lt;p&gt;UN&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;ID Notes Format:   &lt;font color="#808080"&gt;OF&lt;/font&gt;733DCF3E:D9716911:&lt;font color="#808080"&gt;ON&lt;/font&gt;862574A6:&lt;font color="#808080"&gt;00&lt;/font&gt;522990&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;UNID AD Format:        733DCF3E-D9716911-  862574A6-  522990&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p align=left&gt;Unfortunately that Notes document properties tab only displays the string; you cannot highlight and copy text from it.  
For a simpler way to get the UNID without typing it in manually, switch to the &lt;strong&gt;&amp;lt;+&amp;gt;&lt;/strong&gt; tab and look at the end of the &lt;em&gt;Identifier&lt;/em&gt; field, the UNID is also stored there as an alpha-numeric string:&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_21.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=259 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/36/image_thumb.png" width=304 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p align=left&gt;The portion after the last forward slash is the UNID:&lt;/p&gt; &lt;blockquote&gt; &lt;p align=left&gt;&lt;font size=1&gt;&lt;font face="Courier New"&gt;&lt;font color="#3f72ae"&gt;Notes://LAB3NOTES/86257420007522B9/77B3DCF1F48F935485256B49007DC700/&lt;/font&gt;&lt;font color="#ff0000"&gt;&lt;strong&gt;733DCF3ED9716911862574A600522990&lt;/strong&gt;&lt;/font&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The Workaround&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;So to test the process I deleted the new contact object for CRusso and manually created a new user account in AD.  I mail-enabled the object and set a legacy SMTP address of &lt;a href="mailto:crusso@nwtraders.com"&gt;crusso@nwtraders.com&lt;/a&gt; to match the Notes account's SMTP address.  Then I manually set the &lt;em&gt;importedFrom &lt;/em&gt;attribute, as well as added the secondary Notes proxy address. (Note that the secondary proxy address for the UNID cannot be entered in ADUC as the format is deemed invalid by the tool, it must be entered in the attribute using a raw editor, like ADSIedit.) 
I also updated the value in the Company Name field on the Notes Person document to have another piece of information to verify directory synchronization.&lt;/p&gt; &lt;p&gt;After issuing a full immediate reload on the connector I found that the primary NOTES proxy address had been added to the mail-enabled user object and the company field was also updated to reflect the change in the Notes database.  Now any successive manual or scheduled directory synchronization processes will update this object as they have been associated together.&lt;/p&gt; &lt;p&gt;In order to complete this task at a larger scale, you would just need to export the UNID fields and NOTES mail addresses for all in-scope Notes accounts, and then use a CSV or LDIF import to create the new account in the target domain with the required information to set the foundation up for the Connector to link.&lt;/p&gt; &lt;p&gt;It's also important to note that the import Container scope on the Notes Connector is able to see and search the location of any proposed targets for object matching.  If you stamp the required attributes on an account stored in an OU that Connector is not configured to look at, then the matching will not work and the default action will be chosen (Create a Windows Contact object in the import container.)&lt;/p&gt; &lt;p&gt;Of course after I reverse engineered this process I eventually ran across a discussion online that confirmed the behavior I saw: Connector for Lotus Notes Directory Synchronization: &lt;a href="http://blogs.technet.com/collabtools/archive/2006/08/11/446024.aspx" target="_blank"&gt;Part 3 - Frequently Asked Questions&lt;/a&gt;.  
&lt;/p&gt; &lt;p&gt;Also, it's probably worth noting that both the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=d9f3a35e-1046-47b5-b09b-bda9de60cd9d&amp;amp;DisplayLang=en" target="_blank"&gt;Notes Connector&lt;/a&gt; and the &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=C14932A1-55F4-4256-AF7E-617639D46024&amp;amp;displaylang=en" target="_blank"&gt;Calendar Connector&lt;/a&gt; were just updated the other day.&lt;/p&gt;&lt;/div&gt;</description><author>Jeff Schertz</author><link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=36</link><description /><pubDate>2008-08-19 16:37:54</pubDate></item><item><id>41</id><title>Exchange 2007 and Unified Messaging Retention Policies</title><body>&lt;div class=ExternalClassD27A181E91FD40488503470E4DCA0A04&gt;
&lt;p&gt;By now, most people are used to thinking of e-mail as &amp;quot;discoverable&amp;quot; material for audits; whether the audits are Sarbanes-Oxley, HIPAA, SEC, or any other type of regulatory audit. And most companies that are bound by such regulation, as well as many who choose to self-regulate, have a stated policy about e-mail retention. &lt;/p&gt;
&lt;p&gt;But there is a new twist to auditing and compliance: Voicemail. Historically, voicemail has been a separate appliance with recorded messages stored on the appliance itself and not subjected to the same regulations that e-mail is. I'm no compliance expert, so I can't speak with any real authority on the subject. But I did find &lt;a href="http://www.microsoft.com/exchange/evaluation/unifiedmessaging/dataretentionwp.mspx"&gt;this excellent whitepaper on the MS site&lt;/a&gt; that talks about compliance and voicemail as it relates to Exchange and UM. To get an idea of what good info the whitepaper has, I'll provide an excerpt: &lt;/p&gt;
&lt;p style="background:#eeece1"&gt;&lt;span style="font-family:Times New Roman"&gt;&lt;strong&gt;&lt;em&gt;For the securities industry, the SEC requires regulated companies to retain business-related communications, but it has indicated in a related context that although &amp;quot;blast&amp;quot; voice mail messages are treated as electronic communications, individual voice mail messages are not. &lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;This paper is full of great info that is a must-read for people considering Exchange Unified Messaging or Unified Messaging of any sort. I won't rehash what's already in there, but I did think that it was worth providing some real-world info about how to construct and enforce retention policies for Voicemail with Exchange UM. &lt;/p&gt;
&lt;p&gt;The first step is to take a look at Managed Folders. Here's a screenshot of the Exchange 2007 console and where to find managed folders: &lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/Blogs/mcgillen_matt/PublishingImages/080608_2339_Exchange2001.png"&gt; &lt;/p&gt;
&lt;p&gt;To set a retention policy on the inbox, right-click on the inbox and choose &amp;quot;New Managed Content Settings&amp;quot;. &lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/Blogs/mcgillen_matt/PublishingImages/080608_2339_Exchange2002.png"&gt; &lt;/p&gt;
&lt;p&gt;When the wizard appears: &lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Enter a name such as &amp;quot;VM Retention Policy&amp;quot; &lt;/li&gt;
&lt;li&gt;Choose &amp;quot;VoiceMail&amp;quot; from the drop-down list of message types &lt;/li&gt;
&lt;li&gt;Check the &amp;quot;Length of retention period&amp;quot; box and enter the number of days you want to keep the messages &lt;/li&gt;
&lt;li&gt;Choose when the retention period should start (usually &amp;quot;When Delivered&amp;quot;) &lt;/li&gt;
&lt;li&gt;Choose what to do with the messages once the retention period has ended &lt;/li&gt;&lt;/ol&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/Blogs/mcgillen_matt/PublishingImages/080608_2339_Exchange2003.png"&gt; &lt;/p&gt;
&lt;p&gt;Click next to continue. &lt;/p&gt;
&lt;p&gt;If you want to send copies of this type of message somewhere, choose that. &lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/Blogs/mcgillen_matt/PublishingImages/080608_2339_Exchange2004.png"&gt; &lt;/p&gt;
&lt;p&gt; &lt;/p&gt;
&lt;p&gt;Otherwise, click next. &lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/Blogs/mcgillen_matt/PublishingImages/080608_2339_Exchange2005.png"&gt; &lt;/p&gt;
&lt;p&gt;Review the settings and click &amp;quot;New&amp;quot;. &lt;/p&gt;
&lt;p&gt;This will apply the new VoiceMail retention setting.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Conclusion:&lt;/em&gt;&lt;/strong&gt; I really highly suggest exploring the Managed Content Settings feature of Exchange. It's a very flexible and powerful new way of handling compliance and archiving issues from within Exchange itself.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassD27A181E91FD40488503470E4DCA0A04&gt;
&lt;p&gt;By now, most people are used to thinking of e-mail as &amp;quot;discoverable&amp;quot; material for audits; whether the audits are Sarbanes-Oxley, HIPAA, SEC, or any other type of regulatory audit. And most companies that are bound by such regulation, as well as many who choose to self-regulate, have a stated policy about e-mail retention. &lt;/p&gt;
&lt;p&gt; &lt;/p&gt;&lt;/div&gt;</description><author>Matthew McGillen</author><link>http://blogs.pointbridge.com/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=41</link><description /><pubDate>2008-08-06 18:52:00</pubDate></item><item><id>28</id><title>Object Filtering with the Microsoft Notes Connector</title><body>&lt;div class=ExternalClassBCBF425308D04FDBBD826EFA49F75EE3&gt;
&lt;p&gt;Although I might be one of just a few currently working on the bleeding-edge technology of synchronizing Lotus Domino/Notes directories with Microsoft Active Directory via Exchange 2003, I figure I'd share this little tidbit of information.  According to Microsoft Product Support this is not documented anywhere in TechNet and I had to open a ticket just to find this information out.&lt;/p&gt;
&lt;p&gt;After successfully establishing Directory Synchronization with a Notes 6.5 directory, the default behavior of the native Notes Connector is to synchronize &lt;em&gt;every &lt;/em&gt;known object in the Domino directory.  From what I understand this behavior can not be modified for contacts and distribution lists, but it can be controlled for user objects.  In a particular migration I only wanted to bring a certain number of objects into AD and had already narrowed that scope down to a specific list of probably 75% of the total number of people in Notes. I discovered there are two ways to filter out the unwanted objects and have the Notes Connector ignore these: either by setting the Notes Directory to exempt those objects from participation in any foreign directory synchronization, or by configuring the Connector itself to look for a specific attribute match and either filter in what I want, or filter out what I don't.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;strong&gt;&lt;font color="#3f72ae"&gt;Disable Foreign Directory Sync&lt;/font&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;To simply exempt a user from participating in any foreign directory sync, hence making it invisible to the Notes Connector, just edit a specific user in Domino Administrator and on the Administration tab change the value of the &lt;em&gt;&amp;quot;Allow foreign directory synchronization&amp;quot;&lt;/em&gt; setting to &lt;strong&gt;No&lt;/strong&gt;. (Yes, I see the irony in my test Notes Domain name).&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/28/image_2.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=368 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/28/image_thumb.png" width=641 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p align=left&gt;This first option would have been the easiest to implement, but if the source Notes directory was already synchronizing with other foreign directories (e.g. MIIS), changing that setting could have a negative impact on the source organization's current processes.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Attribute Filtering Rules&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Here's a list of Microsoft TechNet articles which cover how to configure the Notes Connector to either include or exclude objects by specific attribute matching rules.  The main problem is apparent when you look at the dates and applicable products; most reference Exchange 5.5 and are dated far older than anything I have in my refrigerator. My contact at MS Product Support said that these articles still apply to the current version of the Connector for Exchange 2003, but I was unable to get any kind of filtering to work correctly.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://support.microsoft.com/kb/245223"&gt;XFOR: Filter Rules for Lotus Notes and Exchange Server Directory Synchronization&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://support.microsoft.com/kb/249113"&gt;Exchange Connector for Lotus Notes extracts filter rule incorrectly&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://support.microsoft.com/kb/241324/EN-US/" target="_blank"&gt;XFOR: DocErr: Filter Rules Only Support EQ and NE Operators&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;
&lt;p&gt;After a number of unsuccessful attempts to filter out any objects I noticed a line in the first article that stated to &amp;quot;modify the Exchconn.ini file located in the &lt;u&gt;Exchsrvr\Connect\Exchconn&lt;/u&gt; folder&amp;quot; but the problem was this file did not exist on the Exchange server where I installed the Connector.  I previously found that there were two instances of that exchconn.ini file, one located in the &lt;u&gt;Exchsrvr\bin&lt;/u&gt; folder and another in &lt;u&gt;Exchsrvr\conndata\tables&lt;/u&gt;.  When I added a filtering rule as per the instructions to either file, it would not work.  I even experimented with moving a duplicate of the INI file into the path referenced above by the article but still no luck.&lt;/p&gt;
&lt;p&gt;After triple-checking everything I ended up contacting MS Product Support as I could not find any further documentation on the functionality of this feature.  After I walked through the entire configuration with someone from the mail connector team we decided that everything was correct and it 'should' have worked.  After he did some research on his end he came back and found that the same behavior can also be configured via the registry and not just the INI file.  As a test I reverted the INI file to its original configuration, made one simple change to the registry, and voila; it worked as expected.  I had set a filter to match only for objects which had a &lt;em&gt;CompanyName &lt;/em&gt;field equal to &amp;quot;Sync&amp;quot; and had previously entered that string into the Company field in roughly half of the Notes people in the directory.  All previous tests created a new object in AD for &lt;strong&gt;&lt;em&gt;all &lt;/em&gt;&lt;/strong&gt;Notes people after an &lt;strong&gt;Immediate Full Reload &lt;/strong&gt;from Notes to Exchange, but this time only the people with their Company set to &amp;quot;Sync&amp;quot; were created in AD. Success.&lt;/p&gt;
&lt;p&gt;After a little more testing we decided that the INI file settings &lt;em&gt;should &lt;/em&gt;have worked, but filtering was now working as expected via the registry change, so that was good enough for me.  &lt;/p&gt;
&lt;p&gt;Here is the setting required to enable object filtering via attribute matching in the registry:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Location:    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LME-NOTES\Parameters&lt;br&gt;Name:        DXANOTES_&lt;em&gt;&lt;font color="#ff0000"&gt;&amp;lt;UniqueFilterName&amp;gt;&lt;/font&gt;&lt;br&gt;&lt;/em&gt;Value:       &lt;em&gt;&lt;font color="#ff0000"&gt;&amp;lt;NotesFieldName&amp;gt;&lt;/font&gt;&lt;/em&gt;,EQ,&lt;em&gt;&lt;font color="#ff0000"&gt;&amp;lt;FieldData&amp;gt;&lt;/font&gt;&lt;/em&gt;&lt;br&gt;Type:        REG_SZ&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;em&gt;&amp;lt;UniqueFilterName&amp;gt;&lt;/em&gt; can be any text string as long as it is unique; it is only used to identify the filter entry.  I know you can have multiple filters but I have not experimented with how the order may be applied in the case of any conflicts.  The suggested naming scheme of Filter1, Filter2, etc. in the documentation leads me to believe it might be top-down alphabetical, but that is just a guess.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&amp;lt;NotesFieldName&amp;gt; &lt;/em&gt;can be any valid field name in the Notes directory, regardless of how the Connector is configured.  Even if an attribute value is not being migrated or matched via the Connector configuration it can still be used for filtering, as the connector looks at the Notes object's data and searches for the field name supplied, and then attempts to match the value to the filter string.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;EQ &lt;/em&gt;means to only include objects that match this rule (as in &lt;em&gt;&lt;u&gt;Eq&lt;/u&gt;ual&lt;/em&gt;), and &lt;em&gt;NE &lt;/em&gt;means to exclude any matches (as in &lt;em&gt;&lt;u&gt;N&lt;/u&gt;ot &lt;u&gt;E&lt;/u&gt;qual&lt;/em&gt;).&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&amp;lt;FieldData&amp;gt; &lt;/em&gt;should include the actual string being searched for in the Notes directory.&lt;/p&gt;
&lt;p&gt;Below is a specific example of the registry setting in action:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Location:    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LME-NOTES\Parameters&lt;br&gt;Name:        DXANOTES_&lt;strong&gt;Filter1&lt;/strong&gt;&lt;br&gt;Value:       &lt;strong&gt;CompanyName&lt;/strong&gt;,EQ,Sync&lt;br&gt;Type:        REG_SZ&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Clearly using a common attribute like &lt;em&gt;CompanyName&lt;/em&gt; would not be a good idea for controlling the scope of directory synchronization as if any administrators changed that value on any objects then some users would stop synching and other unwanted accounts might appear in AD.  I poked around in the Notes directory to look for a better field selection: one that was both unpopulated and hidden from the standard Notes Administrator view.&lt;/p&gt;
&lt;p&gt;To take a look at the field names in Notes, right-click and choose Document Properties on a Notes User in the Domino Administrator.  Select the second tab (with the icon of the right-triangle) and scroll down the list to view fields and values.  I chose the inconspicuous &lt;strong&gt;&lt;em&gt;carLicense&lt;/em&gt;&lt;/strong&gt; field as it was not being used for storing any information and it's not visible (nor modifiable) in the user's properties.&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/28/image_6.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=212 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/28/image_thumb_2.png" width=310 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;In order to test using this field I needed to add a value to it.  The simplest way I've found was to create an Agent in the Domino Administrator to stamp (and another to null) the desired string.  From the Domino Administrator, do the following on the &lt;em&gt;People &amp;amp; Groups&lt;/em&gt; tab.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Select &lt;strong&gt;Create &lt;/strong&gt;&amp;gt; &lt;strong&gt;Agent...&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;Enter any descriptive name, like &amp;quot;Set carLicense field to Sync&amp;quot;.&lt;/li&gt;
&lt;li&gt;Close that properties window and then select &lt;strong&gt;Formula &lt;/strong&gt;from the actions drop-down menu.&lt;/li&gt;
&lt;li&gt;Insert the cursor in the blank window and add the following text:&lt;/li&gt;&lt;/ol&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#0000ff"&gt;field&lt;/font&gt; carLicense := &lt;font color="#ff00ff"&gt;&amp;quot;Sync&amp;quot;&lt;/font&gt;&lt;br&gt;&lt;font color="#0000ff"&gt;select @All&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Save the changes and close the current tab.  Now select any people in the directory by highlighting or ticking the checkmark, and then choose the new agent from the &lt;strong&gt;Actions &lt;/strong&gt;menu.  Afterwards look at the document properties for a selected user and verify the field has been correctly populated.&lt;/p&gt;
&lt;p&gt;I then created a second agent to reverse the change to that field.  Just perform the same steps as above but select a unique name for the agent, and change the &lt;font color="#ff00ff"&gt;&amp;quot;Sync&amp;quot;&lt;/font&gt; to simply &lt;font color="#ff00ff"&gt;&amp;quot;&amp;quot;&lt;/font&gt; and the field value will be removed when executing this agent.&lt;/p&gt;
&lt;p&gt;In order to update the Notes Connector to now use this field and string for filtering, the DXANOTES registry setting was modified.&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/28/image_4.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=157 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/28/image_thumb_1.png" width=737 border=0&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;The end result is a clean, definitive way to control the exact scope of user objects to be synchronized from Notes into Exchange.  Too bad the same can't be performed on groups and contacts, but the useful life of the Notes Connector for Exchange 2003 is ticking down.  As more and more migrations will target Exchange 2007, the more flexible Transporter can be used.&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassBCBF425308D04FDBBD826EFA49F75EE3&gt;
&lt;/div&gt;</description><author>Jeff Schertz</author><link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=28</link><description /><pubDate>2008-05-22 12:04:00</pubDate></item><item><id>27</id><title>Converting a Mail-Enabled User into Mailbox-Enabled</title><body>&lt;div class=ExternalClassAAC69530F90A43FF948171D64251AB62&gt;
&lt;p&gt;I recently needed to create a few thousand mail-enabled users in Active Directory for a project in which the original plan was to use a third-party mail migration product to later mailbox-enable and then migrate data in from another directory.  But as plans changed I found that we were going to need to manually convert a good number of these objects into mailbox-enabled accounts.  At the time I thought, &amp;quot;No problem, I'll just filter out the specific users and select the Exchange Task to Create a New Mailbox.&amp;quot;  Well, I was surprised to notice that is not an option in the Exchange System Manager for Exchange 2003; I guess I've never needed to do that before.  Some searching through TechNet articles and discussion forums led me to believe that it was not possible to do this, and the recommended solution was to execute the Exchange task to remove the email addresses and then run the task to create a new mailbox. I didn't like that idea very much, as not only is that a pain to do for hundreds of users, I'd have to export and re-import the current attributes as some changes had been made since originally creating those user accounts.  For example, I had added a middle initial to all the accounts via an LDIF import &lt;em&gt;after &lt;/em&gt;they were already mail-enabled, so that would cause the RUS to stamp a different X400 address if it was run again on newly enabled objects.  Because I already had all the attributes the way we needed them, I figured there had to be a way to retain the existing account state and force a conversion into mailbox-enabled status.&lt;/p&gt;
&lt;p&gt;There are already some good articles out there outlining the differences between a &lt;strong&gt;mail-enabled&lt;/strong&gt; and a &lt;strong&gt;mail&lt;em&gt;&lt;u&gt;box&lt;/u&gt;&lt;/em&gt;-enabled&lt;/strong&gt; object in AD, like this &lt;a href="http://www.msexchange.org/tutorials/Understanding-Mailbox-Enabled-Mail-Enabled-Recipients.html" target="_blank"&gt;one from MSExchange.org&lt;/a&gt;, but I was looking for even more detail regarding the stamping of attributes and exactly what Exchange does to determine the difference, so I started working backwards in my lab and it turned out to actually be pretty simple.  If we modify just the right attributes, then the RUS will do the rest of the work for us.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The Process&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Although these steps are unnecessary for the solution, I'm going to start out with reviewing how to increase diagnostic logging so that we can watch Application events and follow along with the RUS while it locates and stamps the attributes we desire.&lt;/p&gt;
&lt;p&gt;First, we need to find out which Exchange Server is currently running the RUS for the specific domain in which we will be working. Also make note of the associated domain controller so that we can look for the changes immediately and not have to wait on, or force any AD replication.  &lt;em&gt;In this lab there is only a single domain controller (LAB2DC) and a single Exchange 2003 server (LAB2EXCH).&lt;/em&gt;&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_2.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_thumb.png" width=860 height=179&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;Then on the Exchange server (LAB2EXCH) we want to turn up diagnostic logging for a couple categories: &lt;/p&gt;
&lt;table border=1 cellspacing=0 cellpadding=2 width=600&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td valign=top width=152&gt;&lt;strong&gt;Service&lt;/strong&gt;&lt;/td&gt;
&lt;td valign=top width=248&gt;&lt;strong&gt;Category&lt;/strong&gt;&lt;/td&gt;
&lt;td valign=top width=198&gt;&lt;strong&gt;Logging Level&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;
&lt;td valign=top width=155&gt;MSExchangeAL&lt;/td&gt;
&lt;td valign=top width=247&gt;Address List Synchronization&lt;/td&gt;
&lt;td valign=top width=196&gt;Maximum&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;
&lt;td valign=top width=158&gt;MSExchangeSA&lt;/td&gt;
&lt;td valign=top width=246&gt;Proxy Generation&lt;/td&gt;
&lt;td valign=top width=196&gt;Maximum&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Create a new user account in Active Directory, but do not create an Exchange mailbox.  After the wizard is completed select the new object and choose &lt;strong&gt;Exchange Tasks &lt;/strong&gt;and select &lt;strong&gt;Establish an E-mail Address&lt;/strong&gt;.  Add a new SMTP address for a foreign domain for this user.  After a few minutes have passed, open the Application Event Log on the same Exchange server and look for event ID 3006 to appear, which shows what proxy addresses were added to the object:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeSA&lt;br&gt;Event Category:  Proxy Generation &lt;br&gt;Event ID:        3006 &lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Description: &lt;br&gt;&lt;/font&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Policy provider instance processing recipient. &lt;br&gt;Recipient DN: CN=Mucci\, Tony,OU=Users,OU=Contoso Corp,DC=contoso,DC=com &lt;br&gt;Current recipient proxies:  &lt;br&gt;Applicable policies: &lt;br&gt;    CN=Default Policy,CN=Recipient Policies,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com &lt;br&gt;Chosen policy: CN=Default Policy,CN=Recipient Policies,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com &lt;br&gt;Proxies of chosen policy: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;&lt;br&gt;    SMTP:@contoso.com &lt;br&gt;Proxies in change list:  &lt;br&gt;Proxies to generate: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;&lt;br&gt;    SMTP:@contoso.com &lt;br&gt;Conflicts during generation:  &lt;br&gt;Proxies generated: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;s=Mucci;g=Tony;&lt;br&gt;    SMTP:tony@nwtraders.com &lt;br&gt;Proxies written to recipient: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;s=Mucci;g=Tony;&lt;br&gt;    SMTP:tony@nwtraders.com&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The &lt;em&gt;Address List Synchronization &lt;/em&gt;events which immediately follow that event detail the steps that the RUS is taking to identify the type of objects (Mail-Enabled or Mailbox-Enabled) so that it properly stamps the required missing attributes.  Take a minute to read through each of those events.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_6.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_thumb_2.png" width=597 height=202&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;In this case the object was determined to be Mail-Enabled as denoted by event 8130:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeAL&lt;br&gt;Event Category:  Address List Synchronization &lt;br&gt;Event ID:        8130&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Description:&lt;br&gt;'CN=&lt;font color="#ff0000"&gt;Mail Enable Recipient&lt;/font&gt;,CN=System Policies,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com' added to 'CN=Mucci\, Tony,OU=Users,OU=Contoso Corp,DC=contoso,DC=com'. DC=contoso,DC=com&lt;/font&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;As documented in Microsoft TechNet article &lt;a href="http://support.microsoft.com/kb/253838" target="_blank"&gt;253838&lt;/a&gt;, if the Recipient Update Service determines that an object contains a populated &lt;em&gt;mailNickName &lt;/em&gt;attribute, then the RUS checks additional attributes to determine if the object is mail-enabled or mailbox-enabled.  The trigger is if &lt;em&gt;any &lt;/em&gt;of these three attributes are populated (&lt;em&gt;msExchHomeServerName&lt;/em&gt;, &lt;em&gt;homeMDB&lt;/em&gt;, or &lt;em&gt;homeMTA&lt;/em&gt;) then the object is treated as mailbox-enabled, but if they are all blank (but &lt;em&gt;mailNickName&lt;/em&gt; is still populated) then it is mail-enabled, and the RUS will attempt to fill in all the other attributes associated with the chosen type. 
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The Solution&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;Following that logic, and some trial-and-error, I determined that I only needed to make two simple changes to a mail-enabled account in order to allow the Recipient Update Service to then see the modified object as mailbox-enabled: &lt;u&gt;add a value to the &lt;em&gt;homeMDB &lt;/em&gt;attribute, and then erase the value of the &lt;em&gt;targetAddress &lt;/em&gt;attribute&lt;/u&gt;. 
&lt;p&gt;Since the &lt;em&gt;homeMDB&lt;/em&gt; attribute is the most specific of the three requirements for a mailbox-enabled account, the RUS will automatically populate the other two with the correct values, as well as adding the &lt;em&gt;msExchMailboxGUID &lt;/em&gt;and all of the other required attributes.  Although it is technically possible to set a value for the &lt;em&gt;targetAddress &lt;/em&gt;attribute on a mailbox-enabled account later (for contact-less forwarding), if that attribute is not null at the time the RUS checks it then the object is still treated as mail-enabled. 
&lt;p&gt;So let's use ADSIedit to modify those two attributes.  First locate an existing mailbox-enabled user account in the same mailbox store as we want this user to be stored in, and copy the &lt;em&gt;homeMDB&lt;/em&gt; attribute value: 
&lt;blockquote&gt;
&lt;p&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_8.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_thumb_3.png" width=414 height=140&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;CN=Mailbox Store (LAB2EXCH),CN=First Storage Group,CN=InformationStore,CN=LAB2EXCH,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Paste the string into the &lt;em&gt;homeMDB &lt;/em&gt;attribute on our new user account, and then clear the &lt;em&gt;targetAddress &lt;/em&gt;attribute value. After a few minutes check the Application log again for the associated event ID 3006, and then find the next occurrence of ID 8130: 
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeAL&lt;br&gt;Event Category:  Address List Synchronization &lt;br&gt;Event ID:        8130&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Description:&lt;br&gt;'CN=&lt;font color="#ff0000"&gt;Mailbox Enable User&lt;/font&gt;,CN=System Policies,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com' added to 'CN=Mucci\, Tony,OU=Users,OU=Contoso Corp,DC=contoso,DC=com'. DC=contoso,DC=com&lt;/font&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;We can see that the RUS has now identified our user as mailbox-enabled and if we look at the account's attributes we'll find all of the other required attributes are populated: 
&lt;blockquote&gt;
&lt;p&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_14.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_thumb_6.png" width=380 height=139&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Scripting Bulk Changes&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;Since we now know what to change, it's simple to create an LDIF import file to make these changes to many accounts in bulk.  This also lets us decide which mailbox store each account should be assigned to, so using a CSVDE export and Excel it would be pretty simple to create a working spreadsheet to list our object's current &lt;em&gt;DN &lt;/em&gt;and desired &lt;em&gt;homeMDB &lt;/em&gt;values.  Using my &lt;a href="/Blogs/seaman_derek/Pages/Post.aspx?_ID=5" target="_blank"&gt;colleague Derek's blog&lt;/a&gt; on how to convert CSV files to LDIF format we should end up with a single import file that would convert any number of mail-enabled users into mailbox-enabled.&lt;/p&gt;
&lt;p&gt;The LDIFDE import file would look something like this:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;dn: CN=Mucci\, Tony,OU=Users,OU=Contoso Corp,DC=contoso,DC=com &lt;br&gt;changetype: modify&lt;br&gt;replace: homeMDB&lt;br&gt;homeMDB: &lt;font color="#3f72ae" size=1 face="Courier New"&gt;CN=Mailbox Store (LAB2EXCH),CN=First Storage Group,CN=InformationStore,CN=LAB2EXCH,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com&lt;/font&gt;&lt;br&gt;-&lt;br&gt;delete: targetAddress&lt;br&gt;-&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;One final note is that since a mail-enabled object should have a foreign SMTP address while a mailbox-enabled object would typically require an Exchange-owned SMTP address, we'd probably want to stamp a new primary SMTP address depending on the specific scenario.  This can easily be accomplished via another LDIF import to modify the &lt;em&gt;proxyAddresses &lt;/em&gt;and &lt;em&gt;mail &lt;/em&gt;attributes, or using a tool like ADModify.NET. 
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Does this work in Exchange 2007?&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;In a native Exchange 2007 organization the RUS has been eliminated, so I started to poke around in my 2007 lab to see how this process might differ, or if it is even at all possible.  The biggest difference is how Exchange 2003 determines an object's 'mail type' by looking at a range of attributes and their values (or if they even have any), while Exchange 2007 actually has some new attributes which are used to define the object's type.  More can be read on these new attributes in this &lt;a href="http://blogs.technet.com/benw/archive/2007/04/05/exchange-2007-and-recipient-type-details.aspx" target="_blank"&gt;TechNet blog by BenW&lt;/a&gt;.  I hacked around with a similar approach, but Exchange would continually bark at me about not liking the object type when I attempted to mailbox-enable via a cmdlet or the console. 
&lt;p&gt;I'm going to keep exploring and researching this to see if it's even possible to perform the same 'trick' in Exchange 2007, or if it ends up being more work than just simply exporting the attributes, mail-disabling the objects, and then re-importing the desired attributes back in.  But that's for another day... &lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassAAC69530F90A43FF948171D64251AB62&gt;
&lt;p&gt;I recently needed to create a few thousand mail-enabled users in Active Directory for a project in which the original plan was to use a third-party mail migration product to later mailbox-enable and then migrate data in from another directory.  But as plans changed I found that we were going to need to manually convert a good number of these objects into mailbox-enabled accounts.  At the time I thought, &amp;quot;No problem, I'll just filter out the specific users and select the Exchange Task to Create a New Mailbox.&amp;quot;  Well, I was surprised to notice that is not an option in the Exchange System Manager for Exchange 2003; I guess I've never needed to do that before.  Some searching through TechNet articles and discussion forums led me to believe that it was not possible to do this, and the recommended solution was to execute the Exchange task to remove the email addresses and then run the task to create a new mailbox. I didn't like that idea very much, as not only is that a pain to do for hundreds of users, I'd have to export and re-import the current attributes as some changes had been made since originally creating those user accounts.  For example, I had added a middle initial to all the accounts via an LDIF import &lt;em&gt;after &lt;/em&gt;they were already mail-enabled, so that would cause the RUS to stamp a different X400 address if it was run again on newly enabled objects.  Because I already had all the attributes the way we needed them, I figured there had to be a way to retain the existing account state and force a conversion into mailbox-enabled status.&lt;/p&gt;
&lt;p&gt;There are already some good articles out there outlining the differences between a &lt;strong&gt;mail-enabled&lt;/strong&gt; and a &lt;strong&gt;mail&lt;em&gt;&lt;u&gt;box&lt;/u&gt;&lt;/em&gt;-enabled&lt;/strong&gt; object in AD, like this &lt;a href="http://www.msexchange.org/tutorials/Understanding-Mailbox-Enabled-Mail-Enabled-Recipients.html" target="_blank"&gt;one from MSExchange.org&lt;/a&gt;, but I was looking for even more detail regarding the stamping of attributes and exactly what Exchange does to determine the difference, so I started working backwards in my lab and it turned out to actually be pretty simple.  If we modify just the right attributes, then the RUS will do the rest of the work for us.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The Process&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Although these steps are unnecessary for the solution, I'm going to start out with reviewing how to increase diagnostic logging so that we can watch Application events and follow along with the RUS while it locates and stamps the attributes we desire.&lt;/p&gt;
&lt;p&gt;First, we need to find out which Exchange Server is currently running the RUS for the specific domain in which we will be working. Also make note of the associated domain controller so that we can look for the changes immediately and not have to wait on, or force any AD replication.  &lt;em&gt;In this lab there is only a single domain controller (LAB2DC) and a single Exchange 2003 server (LAB2EXCH).&lt;/em&gt;&lt;/p&gt;
&lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_2.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_thumb.png" width=860 height=179&gt;&lt;/a&gt; &lt;/p&gt;
&lt;p&gt;Then on the Exchange server (LAB2EXCH) we want to turn up diagnostic logging for a couple categories: &lt;/p&gt;
&lt;table border=1 cellspacing=0 cellpadding=2 width=600&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td valign=top width=152&gt;&lt;strong&gt;Service&lt;/strong&gt;&lt;/td&gt;
&lt;td valign=top width=248&gt;&lt;strong&gt;Category&lt;/strong&gt;&lt;/td&gt;
&lt;td valign=top width=198&gt;&lt;strong&gt;Logging Level&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;
&lt;td valign=top width=155&gt;MSExchangeAL&lt;/td&gt;
&lt;td valign=top width=247&gt;Address List Synchronization&lt;/td&gt;
&lt;td valign=top width=196&gt;Maximum&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;
&lt;td valign=top width=158&gt;MSExchangeSA&lt;/td&gt;
&lt;td valign=top width=246&gt;Proxy Generation&lt;/td&gt;
&lt;td valign=top width=196&gt;Maximum&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;
&lt;p&gt;Create a new user account in Active Directory, but do not create an Exchange mailbox.  After the wizard is completed select the new object and choose &lt;strong&gt;Exchange Tasks &lt;/strong&gt;and select &lt;strong&gt;Establish an E-mail Address&lt;/strong&gt;.  Add a new SMTP address for a foreign domain for this user.  After a few minutes have passed, open the Application Event Log on the same Exchange server and look for event ID 3006 to appear, which shows what proxy addresses were added to the object:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeSA&lt;br&gt;Event Category:  Proxy Generation &lt;br&gt;Event ID:        3006 &lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Description: &lt;br&gt;&lt;/font&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Policy provider instance processing recipient. &lt;br&gt;Recipient DN: CN=Mucci\, Tony,OU=Users,OU=Contoso Corp,DC=contoso,DC=com &lt;br&gt;Current recipient proxies:  &lt;br&gt;Applicable policies: &lt;br&gt;    CN=Default Policy,CN=Recipient Policies,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com &lt;br&gt;Chosen policy: CN=Default Policy,CN=Recipient Policies,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com &lt;br&gt;Proxies of chosen policy: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;&lt;br&gt;    SMTP:@contoso.com &lt;br&gt;Proxies in change list:  &lt;br&gt;Proxies to generate: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;&lt;br&gt;    SMTP:@contoso.com &lt;br&gt;Conflicts during generation:  &lt;br&gt;Proxies generated: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;s=Mucci;g=Tony;&lt;br&gt;    SMTP:tony@nwtraders.com &lt;br&gt;Proxies written to recipient: &lt;br&gt;    X400:c=US;a= ;p=Contoso;o=Exchange;s=Mucci;g=Tony;&lt;br&gt;    SMTP:tony@nwtraders.com&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The &lt;em&gt;Address List Synchronization &lt;/em&gt;events which immediately follow that event detail the steps that the RUS is taking to identify the type of objects (Mail-Enabled or Mailbox-Enabled) so that it properly stamps the required missing attributes.  Take a minute to read through each of those events.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_6.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_thumb_2.png" width=597 height=202&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;In this case the object was determined to be Mail-Enabled as denoted by event 8130:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeAL&lt;br&gt;Event Category:  Address List Synchronization &lt;br&gt;Event ID:        8130&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Description:&lt;br&gt;'CN=&lt;font color="#ff0000"&gt;Mail Enable Recipient&lt;/font&gt;,CN=System Policies,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com' added to 'CN=Mucci\, Tony,OU=Users,OU=Contoso Corp,DC=contoso,DC=com'. DC=contoso,DC=com&lt;/font&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;As documented in Microsoft TechNet article &lt;a href="http://support.microsoft.com/kb/253838" target="_blank"&gt;253838&lt;/a&gt;, if the Recipient Update Service determines that an object contains a populated &lt;em&gt;mailNickName &lt;/em&gt;attribute, then the RUS checks additional attributes to determine if the object is mail-enabled or mailbox-enabled.  The trigger is if &lt;em&gt;any &lt;/em&gt;of these three attributes are populated (&lt;em&gt;msExchHomeServerName&lt;/em&gt;, &lt;em&gt;homeMDB&lt;/em&gt;, or &lt;em&gt;homeMTA&lt;/em&gt;) then the object is treated as mailbox-enabled, but if they are all blank (but &lt;em&gt;mailNickName&lt;/em&gt; is still populated) then it is mail-enabled, and the RUS will attempt to fill in all the other attributes associated with the chosen type. 
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;The Solution&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;Following that logic, and some trial-and-error, I determined that I only needed to make two simple changes to a mail-enabled account in order to allow the Recipient Update Service to then see the modified object as mailbox-enabled: &lt;u&gt;add a value to the &lt;em&gt;homeMDB &lt;/em&gt;attribute, and then erase the value of the &lt;em&gt;targetAddress &lt;/em&gt;attribute&lt;/u&gt;. 
&lt;p&gt;Since the &lt;em&gt;homeMDB&lt;/em&gt; attribute is the most specific of the three requirements for a mailbox-enabled account, the RUS will automatically populate the other two with the correct values, as well as adding the &lt;em&gt;msExchMailboxGUID &lt;/em&gt;and all of the other required attributes.  Although it is technically possible to set a value for the &lt;em&gt;targetAddress &lt;/em&gt;attribute on a mailbox-enabled account later (for contact-less forwarding), if that attribute is not null at the time the RUS checks it then the object is still treated as mail-enabled. 
&lt;p&gt;So let's use ADSIedit to modify those two attributes.  First locate an existing mailbox-enabled user account in the same mailbox store as we want this user to be stored in, and copy the &lt;em&gt;homeMDB&lt;/em&gt; attribute value: 
&lt;blockquote&gt;
&lt;p&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_8.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_thumb_3.png" width=414 height=140&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;CN=Mailbox Store (LAB2EXCH),CN=First Storage Group,CN=InformationStore,CN=LAB2EXCH,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Paste the string into the &lt;em&gt;homeMDB &lt;/em&gt;attribute on our new user account, and then clear the &lt;em&gt;targetAddress &lt;/em&gt;attribute value. After a few minutes check the Application log again for the associated event ID 3006, and then find the next occurrence of ID 8130: 
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Event Type:      Information&lt;br&gt;Event Source:    MSExchangeAL&lt;br&gt;Event Category:  Address List Synchronization &lt;br&gt;Event ID:        8130&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;Description:&lt;br&gt;'CN=&lt;font color="#ff0000"&gt;Mailbox Enable User&lt;/font&gt;,CN=System Policies,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com' added to 'CN=Mucci\, Tony,OU=Users,OU=Contoso Corp,DC=contoso,DC=com'. DC=contoso,DC=com&lt;/font&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;We can see that the RUS has now identified our user as mailbox-enabled and if we look at the account's attributes we'll find all of the other required attributes are populated: 
&lt;blockquote&gt;
&lt;p&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_14.png"&gt;&lt;img style="border-bottom:0px;border-left:0px;border-top:0px;border-right:0px" border=0 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/27/image_thumb_6.png" width=380 height=139&gt;&lt;/a&gt; &lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Scripting Bulk Changes&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;Since we now know what to change, it's simple to create an LDIF import file to make these changes to many accounts in bulk.  This also lets us decide which mailbox store each account should be assigned to, so using a CSVDE export and Excel it would be pretty simple to create a working spreadsheet to list our object's current &lt;em&gt;DN &lt;/em&gt;and desired &lt;em&gt;homeMDB &lt;/em&gt;values.  Using my &lt;a href="/Blogs/seaman_derek/Pages/Post.aspx?_ID=5" target="_blank"&gt;colleague Derek's blog&lt;/a&gt; on how to convert CSV files to LDIF format we should end up with a single import file that would convert any number of mail-enabled users into mailbox-enabled.&lt;/p&gt;
&lt;p&gt;The LDIFDE import file would look something like this:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;font color="#3f72ae" size=1 face="Courier New"&gt;dn: CN=Mucci\, Tony,OU=Users,OU=Contoso Corp,DC=contoso,DC=com &lt;br&gt;changetype: modify&lt;br&gt;replace: homeMDB&lt;br&gt;homeMDB: &lt;font color="#3f72ae" size=1 face="Courier New"&gt;CN=Mailbox Store (LAB2EXCH),CN=First Storage Group,CN=InformationStore,CN=LAB2EXCH,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com&lt;/font&gt;&lt;br&gt;-&lt;br&gt;delete: targetAddress&lt;br&gt;-&lt;/font&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;One final note is that since a mail-enabled object should have a foreign SMTP address while a mailbox-enabled object would typically require an Exchange-owned SMTP address, we'd probably want to stamp a new primary SMTP address depending on the specific scenario.  This can easily be accomplished via another LDIF import to modify the &lt;em&gt;proxyAddresses &lt;/em&gt;and &lt;em&gt;mail &lt;/em&gt;attributes, or using a tool like ADModify.NET. 
&lt;p&gt;&lt;strong&gt;&lt;em&gt;&lt;font color="#3f72ae"&gt;Does this work in Exchange 2007?&lt;/font&gt;&lt;/em&gt;&lt;/strong&gt; 
&lt;p&gt;In a native Exchange 2007 organization the RUS has been eliminated, so I started to poke around in my 2007 lab to see how this process might differ, or if it is even at all possible.  The biggest difference is how Exchange 2003 determines an object's 'mail type' by looking at a range of attributes and their values (or if they even have any), while Exchange 2007 actually has some new attributes which are used to define the object's type.  More can be read on these new attributes in this &lt;a href="http://blogs.technet.com/benw/archive/2007/04/05/exchange-2007-and-recipient-type-details.aspx" target="_blank"&gt;TechNet blog by BenW&lt;/a&gt;.  I hacked around with a similar approach, but Exchange would continually bark at me about not liking the object type when I attempted to mailbox-enable via a cmdlet or the console. 
&lt;p&gt;I'm going to keep exploring and researching this to see if it's even possible to perform the same 'trick' in Exchange 2007, or if it ends up being more work than just simply exporting the attributes, mail-disabling the objects, and then re-importing the desired attributes back in.  But that's for another day... &lt;/p&gt;&lt;/div&gt;</description><author>Jeff Schertz</author><link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=27</link><description /><pubDate>2008-05-20 15:16:00</pubDate></item><item><id>18</id><title>OAB Generation in Exchange 2007 Reminder</title><body>&lt;div class=ExternalClass269E5D28AD1741F8ADDBC7145DA41560&gt;
&lt;div&gt;This blog is basically a heads up for those deciding to split up roles across many servers when upgrading from Exchange 2003. One of the processes you need to move over is the OAB generation. While this is pretty straightforward I ran into a minor quirk in the new 2007 environment.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;The documentation for this process is pretty sparse and lacking detail but may end up taking some of your valuable time better spent doing other things. Anyway, we had a new 2007 environment with all the bells and whistles (CCR, SCR, UM, ISA, etc) and ran into a little snag when decommissioning the 2003 servers. As part of the transition to 2007 we moved over the OAB generation to our mailbox server (CCR). We also had Public Folders sitting on a couple of servers that were pulling double duty as Hub Transport servers. The majority of the clients were still on Outlook 2003 so we couldn't just use web distribution for OAB. So we configured the OAB for web and public folder distribution.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;The problem started when we ran our moveallreplicas script to move all public folders off the 2003 servers. Later the next morning we started seeing 9331/9335 errors in the event log on the mailbox cluster. Those basically meant that the public store was not online. We knew all stores were online though. That was odd and a little alarming so I researched the events further but everything checked out from what I could see and test. I even looked in ADSI edit and the only thing I found out of place was the siteFolderServer was still pointing to a 2003 server on the Administrative Group for 2007 and on the Offline Address book we published. I contacted MS and they agreed that this should be changed. We stopped and started the stores on all the servers, yet the problem remained. The MS engineer and I tried some different things from recreating the OAB to changes in replication. On a follow up call the engineer had me move the OAB generation server to another machine, one of our PF servers.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;We made some progress doing that and didn't get the 9331/9335 errors. Now we got two new warnings, 9386/9399. These were similar to the previous errors in that they claimed the public folder for version 2, 3 and 4 were not online. Once again this was not true. Finally the engineer suggested creating a local mailbox store on the PF server. That did it!&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;So the moral of this story is to &lt;strong&gt;ensure you have both a mailbox and public folder store on the same machine running your OAB generation&lt;/strong&gt;. Since we were running a CCR cluster and wanted some resiliency for PFs we opted not to add that database to the cluster and on the PF server we did not have a mailbox database since we had not planned on homing any users there. So this series of events led us to the conclusion that we needed both databases locally to make OAB happy. I hope this helps someone prevent this from happening in your environment. I've been told a KB article may come out about this but one would only hope this type of issue gets published somewhere.&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass269E5D28AD1741F8ADDBC7145DA41560&gt;
&lt;div&gt;This blog is basically a heads up for those deciding to split up roles across many servers when upgrading from Exchange 2003. One of the processes you need to move over is the OAB generation. While this is pretty straightforward I ran into a minor quirk in the new 2007 environment.&lt;/div&gt;
&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=18</link><description /><pubDate>2008-05-08 15:14:00</pubDate></item><item><id>17</id><title>Publishing Outlook Anywhere using NTLM Authentication on ISA 2006</title><body>&lt;div class=ExternalClass4B4EF9FD8CF84BA685DE4F414844DC20&gt;
&lt;div&gt;The title of this blog sounds familiar, right? Maybe. Well, when I went searching for a way to do this I hit dead end after dead end. I searched everywhere (ISAServer.org, MSExchange.org, TechNet, blogs, forums, etc) and came up empty. It sounded like an obvious thing to want in order to minimize the impact on the users and eliminate getting prompted for a password each time they took their laptop offsite.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;After all, these machines were joined to the domain and were under corporate control so they should be trusted. Well, all I could find was how to publish Outlook Anywhere using Basic Authentication. This was the de facto standard I have used in the past and never had any complaints about the login prompt per session. So I tried a few things on the ISA server rule but I couldn't get anything to work. I even called MS PSS and got the same answer: use Basic.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;I was determined to figure out a way so I ran through several iterations in my lab and came up with a solution after watching ISA disconnect or repeatedly prompt for authentication on every iteration I tried. I ended up having to modify two of the Exchange 2007 rules, one for Outlook Anywhere and the one for Autodiscover.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Since ISA 2006 currently doesn't support SAN certificates I had to use two listeners and two certs. I hear this is fixed in the upcoming service pack though. Finally! Anyway, so I used the standard Exchange 2007 publishing wizard in ISA to create my rules. To get NTLM authentication to work I had to first set the CAS server for NTLM authentication by modifying the Outlook Anywhere settings:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/_w/CAS%20NTLM_jpg.jpg"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Then I modified the Outlook Anywhere and Autodiscover rules to match this. There were basically two things I had to do for both of these rules. First, I had to set the user set to 'All Users', and second, I had to set the Authentication Delegation to 'no delegation, but client may authenticate directly'. With these two settings ISA does not pre-authenticate the connection; it passes the request through and the CAS server performs the NTLM authentication itself. I did this for both rules and published them. I was then able to take a domain-joined machine with Outlook 2003/2007 configured for RPC/HTTP with NTLM authentication, connect remotely using my Windows (domain cached credentials) login ID, open Outlook and connect without getting prompted.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/_w/ISA%20Outlook%20Anywhere%20Users_jpg.jpg"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&lt;img alt="" src="/Blogs/enger_erik/Lists/Photos/_w/ISA%20Outlook%20Anywhere%20Authentication_jpg.jpg"&gt;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass4B4EF9FD8CF84BA685DE4F414844DC20&gt;
&lt;div&gt; &lt;/div&gt;&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=17</link><description /><pubDate>2008-05-08 13:56:00</pubDate></item><item><id>16</id><title>Custom Outlook Forms Issue: Reporting on and resetting message classes for public folder data</title><body>&lt;div class=ExternalClassDBA13003CAA748FAB6F7420597B4FE5B&gt;
&lt;div&gt;Recently I came across an issue that was new to me. I don't have a lot of experience working with Outlook forms because I've always been in the infrastructure world and frankly never had a need or admittedly a desire to design any forms.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Anyway, to my point, a user came to me and wanted to know why the nice form he created for the data stored in a public folder was not displaying properly. The content was based on the contacts message class and the user had created a nice form and assigned it to the public folder, so anyone creating or opening data from that folder would see the form. He showed me what was happening (or not in this instance) and sure enough, each item he opened displayed in the standard contact form.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;So I silently scratched my head and said I would look into it for him. I proceeded to research the issue and tried to get creative with my Google searches in hopes of finding some matches of other users having the same issue. It was a laborious process and information pertinent to the issue was hard to find. I looked at every aspect I could, from things that might be going on at the Exchange server to something at the client level. I looked into the EFORMS Registry system folder, &lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;I finally came across a KB article (&lt;a href="http://support.microsoft.com/kb/290659"&gt;MS KB 290659&lt;/a&gt;) with a few words which sparked my curiosity and looked like it was what I was looking for:&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;&amp;quot;A property of the item called message class determines the form the item uses. You cannot change the message class of an item manually. However, you can write Visual Basic Scripting Edition (VBScript) or Visual Basic Automation code to change the message class for all items in a folder.&lt;br&gt;&lt;br&gt;When you create and publish a custom form, the form is assigned a message class. This message class determines which form is associated with an item. The format of the name is &amp;quot;IPM.&lt;i&gt;FormType&lt;/i&gt;.&lt;i&gt;FormName&lt;/i&gt;&amp;quot;, where &lt;i&gt;FormType&lt;/i&gt; is the type of form (Contact, Task, and such) and &lt;i&gt;FormName&lt;/i&gt; is the name of the custom form. For example, if you create a new contact form, name it Revised, and then publish it to your Contacts folder, the message class is IPM.Contact.Revised.&amp;quot;&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;Okay, so I had a little more information which might point me to the problem but I still didn't know what the problem was. I needed some way to find out if what I just read fit our situation.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;MS offered three options to resolve the issue. Being a VBScripting fan, I opted for that process. MS provides a simple, yet powerful little script to change en masse your message classes on whatever folder you point it at. Of course I wasn't looking for that yet. I wanted to report on my findings first, then if that confirmed what I thought was the problem we could move on and actually change the classes.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;div&gt;So I took the base code MS provided and tweaked it a bit to first report on the existing message classes and then I would use the same code to make the changes. Here's the script I used to spit out the current message classes to a simple text file so I could review them in Excel.&lt;/div&gt;
&lt;div&gt; &lt;/div&gt;
&lt;blockquote dir=ltr style="margin-right:0px"&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;Sub Item_Open&lt;br&gt;Dim objFSO, objFile, wrongClass&lt;br&gt;Const ForWriting = 2&lt;br&gt;Const ForAppending = 8&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;wrongClass=0&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;' Create log file&lt;br&gt;' You may change the name and path of this log file in the following line&lt;br&gt;LogFile = &amp;quot;C:\get-message-class.log&amp;quot;&lt;br&gt;Set objFSO = CreateObject(&amp;quot;Scripting.FileSystemObject&amp;quot;)&lt;br&gt; If objFSO.FileExists(LogFile) Then&lt;br&gt;  Set objFile = objFSO.OpenTextFile(LogFile, ForAppending)&lt;br&gt;  objfile.WriteLine&lt;br&gt;  objFile.Writeline &amp;quot;Beginning message class reporting session &amp;quot; &amp;amp; Now&lt;br&gt;  objFile.Writeline &amp;quot;Item #&amp;quot; &amp;amp; vbtab &amp;amp; &amp;quot;Description&amp;quot; &amp;amp; vbtab &amp;amp; &amp;quot;Message Class&amp;quot;&lt;br&gt; Else&lt;br&gt;  Set objFile = objFSO.CreateTextFile(LogFile)&lt;br&gt;  objFile.Close&lt;br&gt;  Set objFile = objFSO.OpenTextFile(LogFile, ForWriting)&lt;br&gt;  objfile.Writeline &amp;quot;Beginning message class reporting session &amp;quot; &amp;amp; Now&lt;br&gt;  objFile.Writeline &amp;quot;Item #&amp;quot; &amp;amp; vbtab &amp;amp; &amp;quot;Description&amp;quot; &amp;amp; vbtab &amp;amp; &amp;quot;Message Class&amp;quot;&lt;br&gt; End If&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;   ' Change the following line to your new Message Class&lt;br&gt;   NewMC = &amp;quot;IPM.Contact.Test&amp;quot;&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;   Set CurFolder = Application.ActiveExplorer.CurrentFolder&lt;br&gt;   Set AllItems = CurFolder.Items&lt;br&gt;   NumItems = CurFolder.Items.Count&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;   ' Loop through all of the items in the folder&lt;br&gt;   For I = 1 to NumItems&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;      Set CurItem = AllItems.Item(I)&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt; objFile.writeline I &amp;amp; vbtab &amp;amp; CurItem &amp;amp; vbtab &amp;amp; CurItem.MessageClass&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;      ' Test to see if the Message Class needs to be changed&lt;br&gt;      If CurItem.MessageClass &amp;lt;&amp;gt; NewMC Then&lt;br&gt;       'MsgBox &amp;quot;Item: &amp;quot; &amp;amp; CurItem &amp;amp; vbtab &amp;amp; &amp;quot;Current message class: &amp;quot; &amp;amp; CurItem.MessageClass&lt;br&gt;  wrongClass=wrongClass+1&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;         ' Change the Message Class&lt;br&gt;         'CurItem.MessageClass = NewMC&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;         ' Save the changed item&lt;br&gt;         'CurItem.Save&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;      End If&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;   Next&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;   MsgBox &amp;quot;Done.&amp;quot;&lt;/font&gt;&lt;/div&gt;
&lt;div&gt;&lt;font color="#0000ff"&gt;objFile.writeline &amp;quot;Number of items with correct message class: &amp;quot; &amp;amp; NumItems - wrongClass&lt;br&gt;objFile.writeline &amp;quot;Number of items with incorrect message class: &amp;quot; &amp;amp; wrongClass&lt;br&gt;objFile.writeline &amp;quot;Ending message class reporting session &amp;quot; &amp;amp; Now&lt;br&gt;objFile.close&lt;br&gt;wrongClass=0&lt;br&gt;End Sub&lt;/font&gt;&lt;/div&gt;&lt;/blockquote&gt;
&lt;div dir=ltr&gt;&lt;font color="#000000"&gt;One of the things I added was the output file (get-message-class.log) because I wanted a report I could use to show the user the message classes first. I also had to remark out the lines that actually make the change (CurItem.MessageClass=NewMC and CurItem.Save). I also remarked out the first MsgBox line which would have resulted in hundreds of dialog box popups. This may be fine for a few objects but can be very annoying and time consuming clicking OK every two seconds.&lt;/font&gt;&lt;/div&gt;
&lt;div dir=ltr&gt;&lt;font color="#000000"&gt;&lt;/font&gt; &lt;/div&gt;
&lt;div dir=ltr&gt;&lt;font color="#000000"&gt;The name of our form was IPM.Contact.Test which was a simple form based on the Contact form template. Basically this script is designed to read all of the items in a public folder and report on the message class of each item and count the number of items that match and don't match our form.&lt;/font&gt;&lt;/div&gt;
&lt;div dir=ltr&gt;&lt;font color="#000000"&gt;&lt;/font&gt; &lt;/div&gt;
&lt;div dir=ltr&gt;&lt;font color="#000000"&gt;So, following the steps MS described I ran this in my lab with some test data and got my nice little report clearly showing which items were not set correctly. I then ran this report for the client and showed him that about 15 of the 300 entries had the wrong message classification. To fix the issue we just removed the comments from the two CurItem lines listed above and re-ran the script. Voila! Now the user was able to view the existing data in his custom form again.&lt;/font&gt;&lt;/div&gt;
&lt;div dir=ltr&gt;&lt;font color="#000000"&gt;&lt;/font&gt; &lt;/div&gt;
&lt;div dir=ltr&gt;&lt;font color="#000000"&gt;Now the million dollar question is how did they get that way if he assigned the form to the public folder? Unfortunately we don't really know. It could have been something at the client or server level preventing the correct form from being read when creating new entries. The form could have been unlinked from the public folder for a period of time too. The bottom line is that we were able to report on and fix the issue and make the customer happy.&lt;/font&gt;&lt;/div&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassDBA13003CAA748FAB6F7420597B4FE5B&gt;
&lt;/div&gt;</description><author>Erik Enger</author><link>http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=16</link><description /><pubDate>2008-05-08 13:19:00</pubDate></item><item><id>25</id><title>Exchange 2003 Public Folder Replication Failures</title><body>&lt;div class=ExternalClass97C28A4C0DE542CE9B99766DF1DB47B4&gt;&lt;p&gt;On a recent project I ran into a unique problem regarding replication of public folder information in an Exchange 2003 organization.  The problem was recently discovered after the migration of an acquisition into the existing organization when users noticed that Free/Busy information for mailboxes was not displaying between mailboxes in the existing offices and the new office.  After an exhaustive search and a few dead ends I was able to finally resolve the issue, but the lack of information I found online made this a good topic for review.&lt;/p&gt; &lt;p&gt;To set up the scenario, we have a multiple-server Exchange 2003 organization with a single routing group and single administrative group.  No public folders were using replication, but a few system folders were configured to replicate between 4 mailbox servers.  
A new company was acquired and their current Exchange 2000 information was migrated (via Quest Migration Manager) onto a new Exchange 2003 mailbox server which was located in a new administrative group.&lt;/p&gt; &lt;p&gt;After the migration was completed it was reported that users on mailbox servers in Administrative Group 1 (AG1) could not view Free/Busy information for any users in Administrative Group 2 (AG2), and vice versa.  All other mail flow worked correctly and all Exchange servers were allowed to communicate with each other across all ports between any firewalls.&lt;/p&gt; &lt;p&gt;The first thing I looked at was the replication settings for the SCHEDULE+ FREE BUSY system folder, as that is where all mailbox free/busy information is stored in Exchange 2003.  On Exchange servers in the first administrative group I only saw a single subfolder for that administrative group, and the new server only contained a subfolder for the second administrative group.  I quickly compared the public folder hierarchy between servers in each administrative group and saw that they did not match.  It turned out that users in each group saw only their 'local' folders, which from a user standpoint caused no issues.  Corporate users saw no change in the folder hierarchy and migrated users from the new company still saw only their migrated folder structure as it appeared before.  Only now that existing users were trying to schedule meetings with attendees from the newly acquired company did the underlying issue of a segmented public folder hierarchy become apparent.&lt;/p&gt; &lt;p&gt;To begin troubleshooting public folder replication problems, logging needs to be enabled so that individual messages can be tracked.  This &lt;a href="http://support.microsoft.com/kb/842273" target="_blank"&gt;Microsoft TechNet article&lt;/a&gt; (KB842273) explains how to enable logging on the correct sources and which application event logs correlate to specific events.  
After some message tracking it was clear that outbound replication messages from a server in AG1 was reaching all servers in the same group, but not the new server in AG2.  I also verified that replication messages outbound from the new server were not reaching any server in the AG1.  After verifying that firewalls between both sites were not causing any problems I kept on searching for the root cause.&lt;/p&gt; &lt;p&gt;Coincidentally this related &lt;a href="http://www.msexchange.org/articles/Public-Folder-Replication-Troubleshooting.html" target="_blank"&gt;MSExchange.org tutorial&lt;/a&gt; mentions that one possible cause might be missing a SMTP address on a Public Store, which would prevent the server from sending and receiving SMTP-based PF replication messages.  Sure enough, the &lt;em&gt;proxyAddresses&lt;/em&gt; attribute on the new server's Public Folder Store was completely blank. This was the problem.&lt;/p&gt; &lt;p&gt;My first concern was that although I could manually stamp this attribute and probably resolve the replication issues quickly, what caused this mis-configuration in the first place?  The Enterprise Recipient Update Service is responsible for stamping that address on the PF store in the first place, so that is where I turned my attention.  Using &lt;a href="http://support.microsoft.com/kb/822794" target="_blank"&gt;TechNet article 822794&lt;/a&gt; is a guide I ran through a couple cycles of both the &lt;strong&gt;Update&lt;/strong&gt; and &lt;strong&gt;Rebuild All &lt;/strong&gt;commands, but after verifying (via USN) that the targeted object was processed the attributes continued to remain blank.  
I checked the &lt;em&gt;gatewayProxy&lt;/em&gt; attribute on the Enterprise RUS itself, to see if the 'queue' was jammed up (as described in &lt;a href="http://support.microsoft.com/?id=821743" target="_blank"&gt;TechNet article 821743&lt;/a&gt;) but it was clear.&lt;/p&gt; &lt;p&gt;At this point I shifted focus back to getting the replication issue resolved and would save the root cause troubleshooting for later.  I manually stamped the &lt;em&gt;proxyAddresses&lt;/em&gt; attribute with SMTP and X400 addresses, using the formats &lt;strong&gt;SMTP:&lt;em&gt;SERVERNAME&lt;/em&gt;-IS@domain.com&lt;/strong&gt; and duplicated the X400 address from another server, updating the Administrative Group name in the path.  After some time passed I still didn't see any replication messages flowing in or out of that server.  I finally located Microsoft documentation related to this specific issue, under the Storage section of the Best Practice Analyzer articles, entitled &lt;a href="http://technet.microsoft.com/en-us/library/aa997872(EXCHG.80).aspx" target="_blank"&gt;Public Folder store does not have an email-address&lt;/a&gt;.  I found that both the &lt;em&gt;mail &lt;/em&gt;and &lt;em&gt;textEncodedORAddress &lt;/em&gt;attributes where also blank, so I populated them and double-checked ALL mail-related attributes on the same Public Folder Store object using ADSIedit.&lt;/p&gt; &lt;p&gt;Finally, within an hour, I was finding multiple replication messages in the tracking logs being delivered successfully to and from the new server.  Yet, strangely, I still didn't see the SCHEDULE+ child folder for the other Administrative Groups appearing on servers in either group.  
I manually triggered Public Folder Hierarchy replication and at last, I began to see &lt;strong&gt;Hierarchy&lt;/strong&gt;, and &lt;strong&gt;Folder Content Backfill Response &lt;/strong&gt;messages:&lt;/p&gt; &lt;p&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/25/image_2.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=87 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/25/image_thumb.png" width=384 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;By this point the entire hierarchy trued up between all servers and both folders and content began to populate between all Exchange servers.  &lt;/p&gt; &lt;p&gt;With the immediate problem of SMTP mail flow into the public store resolved, I set off to discover the root cause of the issue.  I knew that the Enterprise RUS was not stamping those attributes like it was supposed to, but nothing in the error logs was helping.  Shortly after, the client deployed another Exchange mailbox server and noticed the same problem with missing mail attributes on the public folder store.  When they cranked up diagnostic logging on the server holding the Enterprise RUS service they noticed something that we hadn't seen when troubleshooting the issue with the previous server.  There were permissions-related errors (IDs 8317 and 8270) appearing under the &lt;strong&gt;ExchangeAL &lt;/strong&gt;service in the &lt;strong&gt;LDAP Operations &lt;/strong&gt;category, basically reporting that the server running the ERUS was &lt;em&gt;trying &lt;/em&gt;to stamp those objects, but was unable.  Scenario 3 in &lt;a href="http://support.microsoft.com/kb/254030" target="_blank"&gt;TechNet article 254030&lt;/a&gt; matched the specific errors we were seeing.&lt;/p&gt; &lt;p&gt;The client immediately linked this to an undocumented customization of their environment where the default security permissions had been altered way back when Exchange 2003 was originally deployed.  
As a practice, whenever a new server was built they manually added the other Exchange server objects to the new server's Security tab, granting Full Control rights.  This configuration was unknown to the migration team and has since been added to the server deployment documentation as a required build step.&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass97C28A4C0DE542CE9B99766DF1DB47B4&gt;&lt;p&gt;On a recent project I ran into a unique problem regarding replication of public folder information in an Exchange 2003 organization.  The problem was recently discovered after the migration of an acquisition into the existing organization when users noticed that Free/Busy information for mailboxes was not displaying between mailboxes in the existing offices and the new office.  After an exhaustive search and a few dead-ends I was able to finally resolve the issue, but the lack of information I found online made this a good topic for review.&lt;/p&gt; &lt;p&gt;To setup the scenario, we have a multiple-server Exchange 2003 organization with a single routing group and single administrative group.  No public folders were using replication, but a few system folders were configured to replicate between 4 mailbox servers.  A new company was acquired and their current Exchange 2000 information was migrated (via Quest Migration Manager) onto a new Exchange 2003 mailbox server which was located in a new administrative group.&lt;/p&gt; &lt;p&gt;After the migration was completed it was reported that users on mailbox servers in Administrative Group 1 (AG1) could not view Free/Busy information for any users in Administrative Group 2 (AG2), and vice versa.  
All other mail flow worked correctly and all Exchange servers were allowed to communicate with each other across all ports between any firewalls.&lt;/p&gt; &lt;p&gt;The first thing I looked at was the replication settings for the SCHEDULE+ FREE BUSY system folder, as that is where all mailbox free/busy information is stored in Exchange 2003.  On Exchange servers in the first administrative group I only saw a single subfolder for that administrative group, and the new server only contained a subfolder for the second administrative group.  I quickly compared the public folder hierarchy between servers in each administrative group and saw that they did not match.  It turned out that users in each group saw only their 'local' folders, which from a user standpoint caused no issues.  Corporate users saw no change in the folder hierarchy and migrated users from the new company still saw only their migrated folder structure as it appeared before.  Only now that existing users were trying to schedule meetings with attendees from the newly acquired company did the underlying issue of a segmented public folder hierarchy become apparent.&lt;/p&gt; &lt;p&gt;To begin troubleshooting public folder replication problems, logging needs to be enabled so that individual messages can be tracked.  This &lt;a href="http://support.microsoft.com/kb/842273" target="_blank"&gt;Microsoft TechNet article&lt;/a&gt; (KB842273) explains how to enable logging on the correct sources and which application event logs correlate to specific events.  After some message tracking it was clear that outbound replication messages from a server in AG1 were reaching all servers in the same group, but not the new server in AG2.  I also verified that replication messages outbound from the new server were not reaching any server in AG1.  
After verifying that firewalls between both sites were not causing any problems I kept on searching for the root cause.&lt;/p&gt; &lt;p&gt;Coincidentally this related &lt;a href="http://www.msexchange.org/articles/Public-Folder-Replication-Troubleshooting.html" target="_blank"&gt;MSExchange.org tutorial&lt;/a&gt; mentions that one possible cause might be missing a SMTP address on a Public Store, which would prevent the server from sending and receiving SMTP-based PF replication messages.  Sure enough, the &lt;em&gt;proxyAddresses&lt;/em&gt; attribute on the new server's Public Folder Store was completely blank. This was the problem.&lt;/p&gt; &lt;p&gt;My first concern was that although I could manually stamp this attribute and probably resolve the replication issues quickly, what caused this mis-configuration in the first place?  The Enterprise Recipient Update Service is responsible for stamping that address on the PF store in the first place, so that is where I turned my attention.  Using &lt;a href="http://support.microsoft.com/kb/822794" target="_blank"&gt;TechNet article 822794&lt;/a&gt; as a guide I ran through a couple cycles of both the &lt;strong&gt;Update&lt;/strong&gt; and &lt;strong&gt;Rebuild All &lt;/strong&gt;commands, but after verifying (via USN) that the targeted object was processed the attributes continued to remain blank.  I checked the &lt;em&gt;gatewayProxy&lt;/em&gt; attribute on the Enterprise RUS itself, to see if the 'queue' was jammed up (as described in &lt;a href="http://support.microsoft.com/?id=821743" target="_blank"&gt;TechNet article 821743&lt;/a&gt;) but it was clear.&lt;/p&gt; &lt;p&gt;At this point I shifted focus back to getting the replication issue resolved and would save the root cause troubleshooting for later.  
I manually stamped the &lt;em&gt;proxyAddresses&lt;/em&gt; attribute with SMTP and X400 addresses, using the formats &lt;strong&gt;SMTP:&lt;em&gt;SERVERNAME&lt;/em&gt;-IS@domain.com&lt;/strong&gt; and duplicated the X400 address from another server, updating the Administrative Group name in the path.  After some time passed I still didn't see any replication messages flowing in or out of that server.  I finally located Microsoft documentation related to this specific issue, under the Storage section of the Best Practice Analyzer articles, entitled &lt;a href="http://technet.microsoft.com/en-us/library/aa997872(EXCHG.80).aspx" target="_blank"&gt;Public Folder store does not have an email-address&lt;/a&gt;.  I found that both the &lt;em&gt;mail &lt;/em&gt;and &lt;em&gt;textEncodedORAddress &lt;/em&gt;attributes were also blank, so I populated them and double-checked ALL mail-related attributes on the same Public Folder Store object using ADSIedit.&lt;/p&gt; &lt;p&gt;Finally, within an hour, I was finding multiple replication messages in the tracking logs being delivered successfully to and from the new server.  Yet, strangely, I still didn't see the SCHEDULE+ child folder for the other Administrative Groups appearing on servers in either group.  I manually triggered Public Folder Hierarchy replication and at last, I began to see &lt;strong&gt;Hierarchy&lt;/strong&gt;, and &lt;strong&gt;Folder Content Backfill Response &lt;/strong&gt;messages:&lt;/p&gt; &lt;p&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/25/image_2.png"&gt;&lt;img style="border-right:0px;border-top:0px;border-left:0px;border-bottom:0px" height=87 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/25/image_thumb.png" width=384 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;By this point the entire hierarchy trued up between all servers and both folders and content began to populate between all Exchange servers.  
&lt;/p&gt; &lt;p&gt;With the immediate problem of SMTP mail flow into the public store resolved, I set off to discover the root cause of the issue.  I knew that the Enterprise RUS was not stamping those attributes like it was supposed to, but nothing in the error logs was helping.  Shortly after, the client deployed another Exchange mailbox server and noticed the same problem with missing mail attributes on the public folder store.  When they cranked up diagnostic logging on the server holding the Enterprise RUS service they noticed something that we hadn't seen when troubleshooting the issue with the previous server.  There were permissions-related errors (IDs 8317 and 8270) appearing under the &lt;strong&gt;ExchangeAL &lt;/strong&gt;service in the &lt;strong&gt;LDAP Operations &lt;/strong&gt;category, basically reporting that the server running the ERUS was &lt;em&gt;trying &lt;/em&gt;to stamp those objects, but was unable.  Scenario 3 in &lt;a href="http://support.microsoft.com/kb/254030" target="_blank"&gt;TechNet article 254030&lt;/a&gt; matched the specific errors we were seeing.&lt;/p&gt; &lt;p&gt;The client immediately linked this to an undocumented customization of their environment where the default security permissions had been altered way back when Exchange 2003 was originally deployed.  As a practice, whenever a new server was built they manually added the other Exchange server objects to the new server's Security tab, granting Full Control rights.  
This configuration was unknown to the migration team and has since been added to the server deployment documentation as a required build step.&lt;/p&gt;&lt;/div&gt;</description><author>Jeff Schertz</author><link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=25</link><description /><pubDate>2008-04-25 15:39:18</pubDate></item><item><id>27</id><title>Routing Calls Directly to VoiceMail with CallManager and Exchange Unified Messaging</title><body>&lt;div class=ExternalClassF858B7A9716049EA91314AAC787631DE&gt;&lt;p&gt;This is a common scenario: someone calls you, and wants to speak to a co-worker of yours. Since you know that the co-worker is not in, you would like to transfer the caller to your co-worker's VoiceMail. But you don't want to transfer, have it ring 4 times, then go to VM. You want to transfer directly into VM. It would be great to be able to do this:
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Hit transfer
&lt;/li&gt;&lt;li&gt;Dial * then the 4 digit extension of the user you are trying to transfer to
&lt;/li&gt;&lt;li&gt;Hit transfer to put the caller through to the VM box
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Here's the good news: it can be done!
&lt;/p&gt;&lt;p&gt;Below is how to set it up in CallManager and Exchange UM (well, it's really just a function of CallManager… this works with CallManager and Unity, too).
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Note&lt;/strong&gt;: in the following, I am assuming that you aren't already using * for anything in CCM.
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;First, go to call manager and create a new voicemail profile:
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/031908_1939_RoutingCall1.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;Note:
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Give it a handy name like &amp;quot;Direct2VM&amp;quot;
&lt;/li&gt;&lt;li&gt;Pick the VM pilot that your normal VM users use
&lt;/li&gt;&lt;li&gt;Make the VM mask XXXX (4 Xs)
&lt;/li&gt;&lt;li&gt;Do not check &amp;quot;make this the default profile&amp;quot; – you will be very sad if you do this
&lt;/li&gt;&lt;li&gt;Save it
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;Next, go to call manager and create a new CTI route point like this:
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/031908_1939_RoutingCall2.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;Make sure to give the route point the same calling search space that you give your normal users' phones.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;Then add a line (line 1) to the route point like this:
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/031908_1939_RoutingCall3.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Notice that
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;the Directory number is an asterisk (*) followed by XXXX. 
&lt;/li&gt;&lt;li&gt;Also note that it is in the same partition as all your users' extensions. 
&lt;/li&gt;&lt;li&gt;I've assigned my new &amp;quot;Direct to VM&amp;quot; profile
&lt;/li&gt;&lt;li&gt;And, VERY IMPORTANT, make sure that you check the &amp;quot;forward all&amp;quot; box to send calls directly to VoiceMail.
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;That should be it.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;You can test by picking up your phone, dialing * then your extension. It should go right to your own VM. Next, test it by having someone call you. Hit transfer, dial *1234 (where 1234 is someone's extension), then hit transfer again. 
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassF858B7A9716049EA91314AAC787631DE&gt;&lt;p&gt;This is a common scenario: someone calls you, and wants to speak to a co-worker of yours. Since you know that the co-worker is not in, you would like to transfer the caller to your co-worker's VoiceMail. But you don't want to transfer, have it ring 4 times, then go to VM. You want to transfer directly into VM. It would be great to be able to do this:
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Hit transfer
&lt;/li&gt;&lt;li&gt;Dial * then the 4 digit extension of the user you are trying to transfer to
&lt;/li&gt;&lt;li&gt;Hit transfer to put the caller through to the VM box
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Here's the good news: it can be done!
&lt;/p&gt;&lt;p&gt;Below is how to set it up in CallManager and Exchange UM (well, it's really just a function of CallManager… this works with CallManager and Unity, too).
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;em&gt;&lt;strong&gt;Note&lt;/strong&gt;: in the following, I am assuming that you aren't already using * for anything in CCM.
&lt;/em&gt;&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;First, go to call manager and create a new voicemail profile:
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/031908_1939_RoutingCall1.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;Note:
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Give it a handy name like &amp;quot;Direct2VM&amp;quot;
&lt;/li&gt;&lt;li&gt;Pick the VM pilot that your normal VM users use
&lt;/li&gt;&lt;li&gt;Make the VM mask XXXX (4 Xs)
&lt;/li&gt;&lt;li&gt;Do not check &amp;quot;make this the default profile&amp;quot; – you will be very sad if you do this
&lt;/li&gt;&lt;li&gt;Save it
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;Next, go to call manager and create a new CTI route point like this:
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/031908_1939_RoutingCall2.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;Make sure to give the route point the same calling search space that you give your normal users' phones.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;&lt;span style="font-size:12pt"&gt;&lt;strong&gt;Then add a line (line 1) to the route point like this:
&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;img src="/Blogs/mcgillen_matt/Lists/Photos/031908_1939_RoutingCall3.png" alt=""&gt;
	&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;Notice that
&lt;/p&gt;&lt;ol&gt;&lt;li&gt;the Directory number is an asterisk (*) followed by XXXX. 
&lt;/li&gt;&lt;li&gt;Also note that it is in the same partition as all your users' extensions. 
&lt;/li&gt;&lt;li&gt;I've assigned my new &amp;quot;Direct to VM&amp;quot; profile
&lt;/li&gt;&lt;li&gt;And, VERY IMPORTANT, make sure that you check the &amp;quot;forward all&amp;quot; box to send calls directly to VoiceMail.
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;That should be it.
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;You can test by picking up your phone, dialing * then your extension. It should go right to your own VM. Next, test it by having someone call you. Hit transfer, dial *1234 (where 1234 is someone's extension), then hit transfer again. 
&lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;p&gt;
 &lt;/p&gt;&lt;/div&gt;</description><author>Matthew McGillen</author><link>http://blogs.pointbridge.com/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=27</link><description /><pubDate>2008-03-19 13:39:50</pubDate></item><item><id>24</id><title>Exchange Server, Free System Page Table Entries, and the 3GB and USERVA switches</title><body>&lt;div class=ExternalClass1A82AB41FA394D06A445373710B17A10&gt;&lt;p&gt;In a recent migration project I needed to move nearly 2TB of mailbox data between Exchange 2003 servers in the same organization, to the tune of 100-200GB per day.  The first couple days went fine, with excellent performance, but as more mailboxes were moved to the target server and mail delivery processes and user connections increased, move-performance began to degrade to the point that mailbox moves started to spit out generic MAPI errors and failed.&lt;/p&gt; &lt;p&gt;After a quick check of the application log I found a never-ending string of PerfOS 2012 errors:&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:    Warning&lt;br&gt;Event Source:  PerfOS&lt;br&gt;Event ID:      2012&lt;br&gt;&lt;/font&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;Description:   Unable to get system process information from system.  The status code returned is in&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" size=1&gt;               the &lt;/font&gt;&lt;font face="Courier New" size=1&gt;first DWORD in the data section.&lt;/font&gt;&lt;/font&gt;&lt;font color="#008080"&gt;&lt;font face="Courier New" size=1&gt;&lt;/p&gt;&lt;/font&gt;&lt;/font&gt; &lt;p&gt;I found very little information online regarding this error, but what I did see was typically related to memory-leaking processes.  It's quite possible that the massive mailbox moves were eating up resources and not allowing the system to reclaim them, as a reboot of the server temporarily resolved the issue.  
But after moving a large amount of data the same error would return, forcing an almost daily cycle of the server to 'refresh' its resources.&lt;/p&gt; &lt;p&gt;Since the target server was built with 16GB of RAM and Server 2003 Enterprise Edition, the &lt;strong&gt;/3GB&lt;/strong&gt; and &lt;strong&gt;/USERVA &lt;/strong&gt;boot.ini switches were used.  There are a handful of articles covering the usage and importance of this configuration:&lt;/p&gt; &lt;p&gt;&lt;a title="http://support.microsoft.com/kb/823440" href="http://support.microsoft.com/kb/823440"&gt;http://support.microsoft.com/kb/823440&lt;/a&gt;&lt;br&gt;&lt;a title="http://support.microsoft.com/kb/328882" href="http://support.microsoft.com/kb/328882"&gt;http://support.microsoft.com/kb/328882&lt;/a&gt;&lt;br&gt;&lt;a title="http://technet.microsoft.com/en-us/library/bb124810.aspx" href="http://technet.microsoft.com/en-us/library/bb124810.aspx"&gt;http://technet.microsoft.com/en-us/library/bb124810.aspx&lt;/a&gt;&lt;/p&gt; &lt;p&gt;The first article specifically talks about monitoring &lt;strong&gt;Free System Page Table Entries&lt;/strong&gt; which is found in the &lt;em&gt;Memory &lt;/em&gt;performance object in Performance Monitor. Throughout the next set of scheduled moves I tracked the value of this counter and observed the same behavioral pattern: starting MSExchangeIS would typically reduce the counter value by one third, and then mailbox moves would continually lower the value over time, until it would drop around 600-1000.  
Around this time the PerfOS messages would reappear in the application log and it was only a matter of time before mailbox moves started to fail.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/24/image_2.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=411 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/24/image_thumb.png" width=476 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;By manually restarting the Exchange Information Store once per day I was able to raise the Free System Page Table Entries to a higher level, but new instances of the PerfOS errors were still appearing in the Application Log.  Simply rebooting the server resolved the issue temporarily, but the mass movement of mailbox data was just expediting the same low resources issue that would eventually re-appear under normal operations.&lt;/p&gt; &lt;p&gt;While reviewing MS KB article &lt;a href="http://support.microsoft.com/kb/316739" target="_blank"&gt;316739&lt;/a&gt; I discovered that the recommended /USERVA value of &lt;strong&gt;3030&lt;/strong&gt; is only really suggested as a starting point, and the server was only showing about 2000 free system page table entries after the MSExchangeIS service was started, which would decline to nearly 900 before this error would appear in the System log, requiring a reboot.&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:    Error&lt;br&gt;Event Source:  Application Popup&lt;br&gt;Event ID:      333&lt;br&gt;&lt;/font&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;Description:   An I/O operation initiated by the Registry failed unrecoverably. 
The Registry could not read&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;               in, or write out, or flush, one of the files that contain the system's image of the registry.&lt;/font&gt;&lt;/font&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;By decreasing the USERVA setting by the recommended 64MB increments I was able to increase the observed PTE value above the 24,000 range.   So, after a little experimenting I found that a setting of &lt;strong&gt;2900 &lt;/strong&gt;addressed nearly &lt;em&gt;35,000 &lt;/em&gt;free system PTEs and the server has been stable ever since.  &lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClass1A82AB41FA394D06A445373710B17A10&gt;&lt;p&gt;In a recent migration project I needed to move nearly 2TB of mailbox data between Exchange 2003 servers in the same organization, to the tune of 100-200GB per day.  The first couple days went fine, with excellent performance, but as more mailboxes were moved to the target server and mail delivery processes and user connections increased, move-performance began to degrade to the point that mailbox moves started to spit out generic MAPI errors and failed.&lt;/p&gt; &lt;p&gt;After a quick check of the application log I found a never-ending string of PerfOS 2012 errors:&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:    Warning&lt;br&gt;Event Source:  PerfOS&lt;br&gt;Event ID:      2012&lt;br&gt;&lt;/font&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;Description:   Unable to get system process information from system.  
The status code returned is in&lt;br&gt;&lt;/font&gt;&lt;font face="Courier New" size=1&gt;               the &lt;/font&gt;&lt;font face="Courier New" size=1&gt;first DWORD in the data section.&lt;/font&gt;&lt;/font&gt;&lt;font color="#008080"&gt;&lt;font face="Courier New" size=1&gt;&lt;/p&gt;&lt;/font&gt;&lt;/font&gt; &lt;p&gt;I found very little information online regarding this error, but what I did see was typically related to memory-leaking processes.  It's quite possible that the massive mailbox moves were eating up resources and not allowing the system to reclaim them, as a reboot of the server temporarily resolved the issue.  But after moving a large amount of data the same error would return, forcing an almost daily cycle of the server to 'refresh' its resources.&lt;/p&gt; &lt;p&gt;Since the target server was built with 16GB of RAM and Server 2003 Enterprise Edition, the &lt;strong&gt;/3GB&lt;/strong&gt; and &lt;strong&gt;/USERVA &lt;/strong&gt;boot.ini switches were used.  There are a handful of articles covering the usage and importance of this configuration:&lt;/p&gt; &lt;p&gt;&lt;a title="http://support.microsoft.com/kb/823440" href="http://support.microsoft.com/kb/823440"&gt;http://support.microsoft.com/kb/823440&lt;/a&gt;&lt;br&gt;&lt;a title="http://support.microsoft.com/kb/328882" href="http://support.microsoft.com/kb/328882"&gt;http://support.microsoft.com/kb/328882&lt;/a&gt;&lt;br&gt;&lt;a title="http://technet.microsoft.com/en-us/library/bb124810.aspx" href="http://technet.microsoft.com/en-us/library/bb124810.aspx"&gt;http://technet.microsoft.com/en-us/library/bb124810.aspx&lt;/a&gt;&lt;/p&gt; &lt;p&gt;The first article specifically talks about monitoring &lt;strong&gt;Free System Page Table Entries&lt;/strong&gt; which is found in the &lt;em&gt;Memory &lt;/em&gt;performance object in Performance Monitor. 
Throughout the next set of scheduled moves I tracked the value of this counter and observed the same behavioral pattern: starting MSExchangeIS would typically reduce the counter value by one third, and then mailbox moves would continually lower the value over time, until it would drop around 600-1000.  Around this time the PerfOS messages would reappear in the application log and it was only a matter of time before mailbox moves started to fail.&lt;/p&gt; &lt;p align=center&gt;&lt;a href="/Blogs/schertz_jeff/Lists/Posts/Attachments/24/image_2.png"&gt;&lt;img style="border-top-width:0px;border-left-width:0px;border-bottom-width:0px;border-right-width:0px" height=411 alt=image src="/Blogs/schertz_jeff/Lists/Posts/Attachments/24/image_thumb.png" width=476 border=0&gt;&lt;/a&gt; &lt;/p&gt; &lt;p&gt;By manually restarting the Exchange Information Store once per day I was able to raise the Free System Page Table Entries to a higher level, but new instances of the PerfOS errors were still appearing in the Application Log.  
Simply rebooting the server resolved the issue temporarily, but the mass movement of mailbox data was just expediting the same low resources issue that would eventually re-appear under normal operations.&lt;/p&gt; &lt;p&gt;While reviewing MS KB article &lt;a href="http://support.microsoft.com/kb/316739" target="_blank"&gt;316739&lt;/a&gt; I discovered that the recommended /USERVA value of &lt;strong&gt;3030&lt;/strong&gt; is only really suggested as a starting point, and the server was only showing about 2000 free system page table entries after the MSExchangeIS service was started, which would decline to nearly 900 before this error would appear in the System log, requiring a reboot.&lt;/p&gt; &lt;p&gt;&lt;font face="Courier New" color="#3f72ae" size=1&gt;Event Type:    Error&lt;br&gt;Event Source:  Application Popup&lt;br&gt;Event ID:      333&lt;br&gt;&lt;/font&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;Description:   An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;               in, or write out, or flush, one of the files that contain the system's image of the registry.&lt;/font&gt;&lt;/font&gt;&lt;font color="#3f72ae"&gt;&lt;font face="Courier New" size=1&gt;&lt;br&gt;&lt;/font&gt;&lt;/font&gt;&lt;/p&gt; &lt;p&gt;By decreasing the USERVA setting by the recommended 64MB increments I was able to increase the observed PTE value above the 24,000 range.   So, after a little experimenting I found that a setting of &lt;strong&gt;2900 &lt;/strong&gt;addressed nearly &lt;em&gt;35,000 &lt;/em&gt;free system PTEs and the server has been stable ever since.  
&lt;/p&gt;&lt;/div&gt;</description><author>Jeff Schertz</author><link>http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=24</link><description /><pubDate>2008-03-12 13:26:18</pubDate></item><item><id>11</id><title>Review of Windows 2008 Failover Clustering</title><body>&lt;div class=ExternalClassA95C412AB4894EA682F3B3D2B33922F3&gt;
&lt;p&gt;In keeping with the Windows Server 2008 theme, I'm posting my second PointCast, which covers some of the new features in failover clustering. It includes a demo in which I fail over an active node of a CCR cluster to a passive one located on a different IP subnet. This is something I wish we had years ago! All in all, I've been &lt;em&gt;very&lt;/em&gt; impressed with clustering on Windows Server 2008. It's come a long way since the good ol' days of Windows 2000. &lt;/p&gt;
&lt;p&gt;NOTE: All demo material that you see has been performed on RTM builds. &lt;/p&gt;
&lt;p&gt;The PointCast lasts about 15 minutes. [ &lt;a href="/Blogs/nielsen_travis/Documents/PointCast2/Windows%202008%20Failover%20Clustering.html"&gt;web&lt;/a&gt; / &lt;a href="/Blogs/nielsen_travis/Documents/PointCast2/Windows%202008%20Failover%20Clustering.m4v"&gt;iPod&lt;/a&gt; (18,761 KB) ]&lt;/p&gt;&lt;/div&gt;</body><description>&lt;div class=ExternalClassA95C412AB4894EA682F3B3D2B33922F3&gt;
&lt;p&gt;In keeping with the Windows Server 2008 theme, I'm posting my second PointCast, which covers some of the new features in failover clustering. It includes a demo in which I fail over an active node of a CCR cluster to a passive one located on a different IP subnet. This is something I wish we had years ago! All in all, I've been &lt;em&gt;very&lt;/em&gt; impressed with clustering on Windows Server 2008. It's come a long way since the good ol' days of Windows 2000. &lt;/p&gt;
&lt;p&gt;NOTE: All demo material that you see has been performed on RTM builds. &lt;/p&gt;
&lt;p&gt;The PointCast lasts about 15 minutes. [ &lt;a href="/Blogs/nielsen_travis/Documents/PointCast2/Windows%202008%20Failover%20Clustering.html"&gt;web&lt;/a&gt; / &lt;a href="/Blogs/nielsen_travis/Documents/PointCast2/Windows%202008%20Failover%20Clustering.m4v"&gt;iPod&lt;/a&gt; (18,761 KB) ]&lt;/p&gt;&lt;/div&gt;</description><author>Travis Nielsen</author><link>http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=11</link><description /><pubDate>2008-02-18 20:46:00</pubDate></item><item><id>24</id><title>Exchange Unified Messaging integrated with OCS 2007</title><body>&lt;div class=ExternalClass6629BF9CCFF44A7A82903A8DD00FD3BF&gt;&lt;p&gt;I've had this pop up twice on me now, so I'm thinking that it's