2012 has arrived, but what has happened in the past year with Exchange 2010? In this blog we will have a look at some of the high lights of the news about Exchange 2010 in 2011.

If we summarize this year you could use the following words:

January

In the begin of January Exchange was awarded as InfoWorld’s Technology of the Year award for the best mail server 2011.

Microsoft published a statement on GAL Segmentation on the 27th of January which was till this moment still not supported in Exchange 2010. The whitepaper which was available for Exchange 2007 would not be updated for Exchange 2010. They announced another solution would be available in Exchange 2010 SP2, this feature got a name a few months later Address Book Policies.

One day after the statement Kevin Allison announced that UDP notifications would be reintroduced in Exchange 2010. This due to the fact that many customers asked for it. The functionality would be available after installing Rollup 3. The result of reintroducing the feature was that the release date of the Rollup would be rescheduled.

February

The Windows Server team released SP1 for Windows 2008 R2. But what does this mean for Exchange 2010? On the 11th of February the MsExchange Team came with an answer. Both Exchange 2010 RTM and Exchange 2010 SP1 will be supported with this SP. For Exchange 2010 SP1 the seperate hotfixes 979744, 983440, 979099, 982867 and 977020 are not required anymore. This hotfixes are included in the Service Pack for Windows 2008 R2.

March

On the 7th of March Microsoft released Rollup 3 for Exchange 2010 SP1. Everyone was curious about the UDP notifications feature which became available with this Rollup. But short after the release the fora did contain a lot of messages about Exchange 2010 i.c.w. BlackBerry devices. Messages would be send twice which of course could have a big impact for some companies.

On the 14th of March Microsoft published the following message on the MsExchangeTeam blog:

We have received notification of an issue impacting some customers which have
RIM BlackBerry devices connecting to an Exchange 2010 SP1 RU3 environment. At
this stage we are actively working with RIM to identify the exact scenarios in
which customers are reporting this issue in order to narrow down the root cause
of the problem and identify a suitable resolution for it.

As a precautionary measure we have deactivated the download page for Exchange
2010 SP1 RU3 until we can identify the appropriate next steps.

Rollup 3 was removed the update from the download center.

April

OWA Automobile Edition, Twitter-Ready Mail, Boss OOFs, Email Etiquette Enforcement (EEE) Agent, Automatic Randomized MRM (ARM) Assistant, Active Inbox Rules (AIR) Agent, Mobile Read Receipts and Exchange Configuration. All new features which were announced on the 1ste of April. All these features where one big April foul which caused a lot of nice reactions from some people.

In March Rollup 3 was removed, on the 6th of April Rollup 3v3 was released. This release fixe the BlackBerry issue and contained the original fixes which where included in Rollup 3.

On the 13th of April Microsoft announced the Exchange ActiveSync Logo Program. This certification program for ActiveSync devices was created by Micrsoft together with an external lab. Devices should support the following features to be certified for the program:

• Direct Push email, contacts & calendar
• Accept, Decline & Tentatively Accept meetings
• Rich formatted email (HTML)
• Reply/Forward state on email
• GAL Lookup
• Autodiscover
• ABQ strings (device type and device model) provided
• Remote Wipe
• Password Required
• Minimum Password Length
• Timeout without User Input
• Number of Failed Attempts

Microsoft did release the program to give enterprises a way to improve the support they can give to their users which are using several kinds of mobile devices.

On the 15th of April a new recommendation was published on the MsExchange Team blog: Enable Kerberos authenication for clients. One of the reasons is because NTLM might cause a bottleneck. Before Exchange 2010 SP1 Kerberos was not really an option. In SP1 Microsoft did introduce a functionality which made it possible to use an  alternate service account (ASA). This account needs to be assigned to all CAS Servers in the Array and needs to contain the correct service principale names (SPN’s).

To simplify the configuration Microsoft released a script called: RollAlternateServiceAccountPassword.ps1. Using this script it was possible to configure the ASA on all CAS Array members. Besides this the script contained an option to create a scheduled task which changes the password on pre-defined frequency.

Besides the new recommendation a .NET update caused some issues. By installing the update on an Exchange 2010 Server which has Windows 2008 SP2 of Windows 2008 R2 RTM as OS the following issues might occur:

• Exchange Management Shell does not start
• Exchange Management Console does not start
• There might be a crash in Exchange Mailbox Replication Service (it is not
  clear yet if this is related)
• Event Viewer might have trouble opening

On the 20th of April Microsoft did release an update to fix this issue.

May

On the 16th of May an announcement was made about changes which are made to in the hardware virtualization support for Exchange 2010. These changes were only applicable for Exchange 2010 SP1:

• The Unified Messaging server role is supported in a virtualized environment.
• Combining Exchange 2010 high availability solutions (database availability
  groups (DAGs)) with hypervisor-based clustering, high availability, or migration
  solutions that will move or automatically failover mailbox servers that are
  members of a DAG between clustered root servers, is now supported.

The day after Kevin Allison announced SP2 on TechEd Atlanta. SP2 would contain a lot of fixes for issues customers reported and a few new features:

• Outlook Web App (OWA) Mini
• Cross-Site Silent Redirection for Outlook Web App
• Hybrid Configuration Wizard
• Address Book Policies

On TechEd Atlanta the new features were included in a presentation of  Greg Taylor. SP2 would be available in the second half of 2011.

June

On the 22 of June it was time for Rollup 4. First everything looked OK. But on the 13th of July Microsoft did publish a post which had as title Exchange 2010 SP1 RU4 Removed from Download Center.

Rollup 4 introduced some issues when moving or copying folders. The subfolders and content would be deleted from these folders. But the items could recover the items by using the Recoverable Item folder.

It took 2 weeks before Rollup4v2 was released on the 27th of July.

July

On the 5th of July Microsoft did announce a new tool: the PST Capture tool. This tool could be used to search the network for PST files and import them in Exchange 2010. The tool was planned for in 2011.

August

On the 23rd of August Rollup 5 was released. Of cource a lot of people did hold back after the issues in the previous two Rollups. But Rollup 5 did not contain a lot of big issues.

In March of this year the Internet Explorer team did release the new version of Internet Explorer, IE 9. After a few days some issues where reported about IE 9 i.c.w. the Exchange Management Console (EMC). When closing the EMC the following message was displayed:

In August the Exchange Team published a statement about the issue. The Exchange Team did investigate the issue together with the MMC and Internet Explorer Team for a solution. Finally a special hotfix was released which solved the issue. In december 2011 this hotfix was included in a security update for IE 9(KB 2618444).

October

Rollup 6 was the latest Rollup which was release for Exchange 2010 SP1 in 2011. This Rollup was released by Microsoft on the 27th of October.

On the 11th of October the support ended for Exchange 2010 RTM. Starting from this date only support will be given on Exchange 2010 environment which are running SP1.

In Exchange 2010 SP1 the /hosting parameter was introduced. By using this parameter to install Exchange it was possible to create a multi-tenant Exchange 2010 environment. The solution offerered delivered a small set of functions to end users compared to an on-premise Exchange 2010 environment. Besides this it doesn’t contain any automation tools for example for creating users.

In October Microsoft announced that the /hosting parameter would not be futher developed. Hosting parties who already implemented Exchange this way will still be supported by Microsoft according to the Exchange Support Cycle.

November

On DevConnections, begin November, it was time for some new about SP2.  Kevin Allison announced that SP2 would be released at the end of November/begin December.

December

Eventually on the 12th of December Microsoft did publish the following message on the MsExchangeTeam blog:

I had previously mentioned that Exchange 2010 Service Pack 2 would be coming this year – and it’s here! I’m pleased to announce the availability of Exchange Server 2010 Service Pack 2 which is ready to download.

Gepost in Exchange 2010 ~ Geen Reactie

Earlier this year a blog on the Exchange Team site was poste by Ross Smith IV. In this blog he encouraged to use Kerberos as authentication method for Outlook clients.

In a lot of Exchange environments you will see that it is implemented. When you are using a CAS Array you will need to create an alternate service account (ASA) for this. This can be done by using the  RollAlternateserviceAccountPassword.ps1 script. Keep in mind that when using the CreateScheduledTask parameter the scheduled task will run as the account who created the scheduled task.

After registering the correct SPN’s on the ASA account Kerberos will work in most cases. In some scenario’s a typo is made which results in incorrect SPN’s being registered. When this is the case you can solve it by using setspn or AdsiEdit.

But what if Kerberos sometimes works and sometimes not, or does only work for specific users?  If it doesn’t work a user will not be able to access his/her mailbox.

The easiest way to figure out if Kerberos is to change the Outlook profile.

On the security tab of the account you will need to change the value of Logon network security to NTLM. If the user can access his/her mailbox after this you know that Kerberos is causing the issue.

Besides this an event will be logged in the system event log. Because a small set of logging is enabled on the Windows Servers you won’t see the Kerberos issue on that side. To enabled the logging you will need to make a change in the registry:

• start regedit
• browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
• create a Dword called LogLevel
• change the value of the Dword to 0×1

Logging is directly enabled after creating the registry key and after a refresh you will see several Kerberos errors in the log.

Another option is to create a network trace using Wireshark or Netmon. In both cases you will see the following message in the trace:

0xD – KDC_ERR_BADOPTION: KDC cannot accommodate requested option

When you will search the internet for this error you will see you are not the only one. But let’s start from the begin instead of going to directly to the solution.

One of the first things you will need to do is run SetSPN -L “ASA account”  to verify that all correct SPN’s are registered. The SPN’s should be unique. Despite I have seen environments where the domain controllers also contain two SPN’s named ExchangeAB followed by the netbios and fqdn. To verify if the SPN’s are unique you can use SetSPN -Q “SPN VALUE” , for example SetSPN -Q ExchangeAB/*.

As displayed in the screenshot above you will see ExchangeAB will be found four times. Two times on the Exchange Server and two times on the DC.

As fas as we can see at this moment everything looks OK. Time to continue troubleshooting. But with which step can you continue when you have the error above? Klist.exe or Kerbtray.exe will not help a lot because in most cases renewing the tickets won’t solve the issue.

After some research together with a customer we found the root cause of the issue.

Microsoft did change the UDP packet size starting from Windows 2003. In Windows XP the UDP packet size was set to 2000, starting from 2003 it has been set to 1465. I think you know what will happen when Kerberos will send a package. Kerberos will use UDP by default . This will result in incompleted packages which will arrive at servers containing Windows 2003 or above as OS.

But why does the issue only happens for some users? This depends on the Kerberos ticket size. The size of a Kerberos ticket is determind by:

• length of the password
• membership of groups
• do the groups contain other nested groups

To solve this issue you will need to make a registry change:

• start regedit
• browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
• create a Dword called MaxPacketSize
• change the value of the Dword to 1

By making this change all Kerberos packages which are bigger then 1K will be send by using Kerberos over TCP.

Restart the computer and change the Outlook profile to Negotiate Authentication. Verify if you can access the mailbox. Using klist.exe or kerbtray.exe verify of the tickets will be created correctly. Both tools are part of the resource kit for Windows 2003. In Windows 7 and 2008 klist is a part of the OS.

In this screenshot two Kerberos tickets are listed which are being used by Exchange. If all authentication is performed by using Kerberos you will see the following Kerberos tickets:

• exchangeMDB
• exchangeRFR
• exchangeAB
• http

When you will look in the event log of the client you won’t find any Kerberos messages.

Microsoft has published a complete document about troubleshooting Kerberos authentication issues. You can find the document here.

Gepost in Blog ~ Geen Reactie

 In a lot of Exchange environments you will see that a hardware load balancer is used to load balance the traffic to the Client Access Servers (CAS) and Hub Transport Servers (HUB).

In this article we will have a look at the Barracuda Load Balancers and specifically the two-armed setup. In this two-armed setup solution the Barracuda has two separate IP-addresses one on the WAN interface and one on the LAN interface.

System configuration

This is the first pitfall which isn’t mentioned in the whitepaper Barracuda published for Exchange 2010. You will need to place Exchange in a separate VLAN/Subnet for this. Why? If you don’t do it there are a few thinks which don’t work:

• Servers/applications which connect via RPC won’t be able to connect
• The Enable Client Impersonation option can’t be used for the other protocols: SMTP/IMAP etc.

So for example if your company network contains two VLAN’s create another one which does contain Exchange.

The second thing is the gateway. Once of the requirements for the load balancer in a two-armed configuration is that the network configuration is modified so all traffic outside the subnet will be send to the load balancer.

In normal situations this is not a big issue but in a co-existence phase with for example Exchange 2003 it might be an issue. To solve this issue create a persistent route temporarily and remove it once Exchange 2003 has been removed.

Rules

The rule part described in the whitepaper will described only the RPC and HTTP(s) part of the load balancer. But as probably a lot of organizations does are not the only two protocols who are used.

Most organizations also will use SMTP and IMAP, and some even POP3. In all cases it might be interesting to load balance those three protocols also.

But let’s start with having a look at HTTP because you can fine tune the parameters of this rule also. As discussed earlier the option Enable Client Impersonation is disabled by default. This will make it harder to troubleshoot because every client IP is replaced by the VIP of the Load Balancer. So change this option to enabled to ensure that the real client IP is written to the IIS log.

Both SMTP and IMAP can be published by using the service type TCP Proxy. Using this service type you also have the option to Enable Client Impersonation just like HTTP, which is published using the Layer 7 – HTTPS service type.

In the whitepaper you will find persistence time and session time-out. Both values are very important to configure correctly. Using values which are too high may cause a service to fail.

So what are the correct values to use? Well there are a few options. Let’s first have a look at the persistence time. Using this parameter we can configure the persistence time of a connection. Persistence is used to ensure a client will setup a connection to the same real server if it connects within the configured persistence time period. If you configure this value to high the following could happen. An application is using SMTP to send messages. The real server used by the client fails. But since the persistence time is not expired the client will be redirected to this server by the load balancer until the time has expired. This results in messages queuing up on the application server.

To prevent this kind of issues either configure no persistence or configure a low persistence time (for example 5 seconds). The first method is recommended.

The second parameter session time-out, how long does a session need to be kept before a connection is closed. In most cases a low value, or even a zero value, is the way to go. This since as long traffic is send across the connection it won’t be terminated.

At the end of this blog a complete overview is displayed which contains all necessary settings for the Exchange rules.

SSL Offloading

One of the benefits of a load balancer is that you can use it to perform SSL Offloading. Using this feature you can move the encryption and decryption tasks from the Client Access Servers to the hardware load balancer. This has as advantage that the CPU of the Client Access Server will not have to do these tasks which are both CPU intensive.

The SSL Offloading configuration can be split in three parts:

• Import the certificate
• Configure the rules
• Exchange configuration

Import the certificate

Importing the certificate on the load balancer is pretty straight forward. Before you start ensure that you’ve got a copy of the certificate including the private key and if applicable the intermediate certificates.

Once you’ve gathered all the stuff you can install it on the load balancer by going to the certificate page. On the certificate page provide the following information:

• Name: an identifier for the certificate
• Password: the password which is used to secure the certificate
• Signed certificate: the location of the PFX file

Press Upload to store the certificate on the load balancer and your ready to continue with the next step.

Configure the rules

SSL Offloading can only be performed on the rule that is used to load balance the web services, for example Outlook Web App, Exchange Control Panel, Autodiscover, Exchange Web Services and the Offline Address Book (optional).

Edit the rule which is created for load balancing the web services and go to the SSL Offloading section.

The load balancer side has now been configured for SSL offloading. Now it’s time for the Exchange side.

Exchange configuration

The Exchange configuration part is explained very well on this Wiki page:

Exchange Wiki Load Balancing

For this reason I won’t explain the steps you will have to take. Although I recommend to use the script below which can also be found on the Wiki page:

Set-OutlookAnywhere –Identity “$($env:COMPUTERNAME)\RPC (Default Web Site)” -SSLOffloading $true

New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA’ -Name SSLOffloaded -Value 1 -PropertyType DWORD

Import-Module webadministration
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value “None” -PSPath IIS:\ -Location “Default Web Site/OWA”

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value “None” -PSPath IIS:\ -Location “Default Web Site/ECP”

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value “None” -PSPath IIS:\ -Location “Default Web Site/OAB”

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value “None” -PSPath IIS:\ -Location “Default Web Site/EWS”

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value “None” -PSPath IIS:\ -Location “Default Web Site/Microsoft-Server-ActiveSync”

Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value “None” -PSPath IIS:\ -Location “Default Web Site/Autodiscover”

iisreset /noforce

(source: http://social.technet.microsoft.com/wiki/contents/articles/how-to-configure-ssl-offloading-in-exchange-2010.aspx)

Test is everything works

The most important step if everything is configured is test if everything works. But how can you test all the services?

There are multiple options to test these services. All these tests can be run from a client so you don’t have to install the Exchange Management Tools on your machine.

Using Outlook

The easiest way is to use Outlook. Perform the following tasks to confirm Outlook can still function correctly:

• Check if you can connect to your mailbox and if applicable the public folders
• Force a complete download of the Offline Address Book
• Check if you can enable/disable Out of Office
• Check if you can view the free/busy information
• Use the Test E-mail Autoconfiguration to confirm the autodiscover functionality still works

The only two things which can’t be tested using Outlook are Outlook Web App (OWA) and the Exchange Control Panel (ECP) if using Outlook 2007. If you are using Outlook 2010 you can test the ECP by for example going getting the message tracking info of a message.

Using Internet Explorer

The other method, although not comparable with Outlook, is using Internet Explorer. Using Internet Explorer you can only test the web services offered by Exchange:

• Autodiscover: https://autodiscover.domain.com/autodiscover/autodiscover.xml
  This will give an Invalid Request 600 error
• Exchange Web Services: https://mail.domain.com/EWS/Exchange.asmx
  Will give an XML output with several settings
• Offline Address Book: https://mail.domain.com/OAB/guid/oab.xml
  Will give an XML output with references to the OAB files
• Outlook Web App: https://owa.domain.com/owa

Will show you the Outlook Web App login page

• Exchange Control Panel: https://owa.domain.com/ecp

Will show you the Exchange Control panel login

Using the Exchange Management Shell

As final option you could test it using the Exchange Management Shell. One important remark has to be made. You can’t perform the test cmdlet’s anymore from the servers this because the traffic won’t be accepted because it will create a loop in your network.

So to test the services you will need to perform them from a client which contains the Exchange Management Tools.

The following cmdlets can be used:

• Autodiscover: Test-OutlookWebServices
• Exchange Web Services: Test-WebServicesConnectivity
• Exchange Control Panel connectivity: Test-EcpConnectivity
• Outlook Web Apps: Test-OwaConnectivity
• Test RPC connection: Test-OutlookConnectivity

Here ends the article about how to use the Barracuda Load Balancer in combination with Exchange 2010. As promised earlier below you will find the rules which you need to configure in the load balancer:

RPC

Web Services

SMTP

IMAP

POP3

Special thanks to GianPaolo Corona for providing the screenshots and assisting in getting this configuration working.

If you have some other config suggestions don’t hesitate to contact me.

Gepost in Exchange 2010 ~ 2 Reacties

Microsoft has released Rollup 6 for Exchange Server 2010 SP1. This rollup will fix the following issues:

• 2431609 (http://support.microsoft.com/kb/2431609/ ) An update is available that updates the message of a retention policy in OWA for Exchange Server 2010
• 2449266 (http://support.microsoft.com/kb/2449266/ ) EWS drops the TCP connection to the EWS client application without any error message in a Microsoft Exchange Server 2010 environment
• 2480474 (http://support.microsoft.com/kb/2480474/ ) A Users do not receive quota warning messages after applying SP1 for Exchange 2010
• 2514820 (http://support.microsoft.com/kb/2514820/ ) An incoming fax message is not delivered to the recipient in an Exchange Server 2010 SP1 environment
• 2521927 (http://support.microsoft.com/kb/2521927/ ) Disabling the Exchange ActiveSync Integration feature for OWA does not take effect in OWA Premium clients in an Exchange Server 2010 environment
• 2528854 (http://support.microsoft.com/kb/2528854/ ) The Microsoft Exchange Mailbox Replication service crashes on a computer that has Exchange Server 2010 SP1 installed
• 2535289 (http://support.microsoft.com/kb/2535289/ ) The Microsoft Exchange Information Store service crashes occasionally when you run an antivirus application on an Exchange Server 2010 Mailbox server
• 2536313 (http://support.microsoft.com/kb/2536313/ ) Slow message delivery and mailbox access for journaling mailboxes on an Exchange Server 2010 server
• 2544246 (http://support.microsoft.com/kb/2544246/ ) You receive a NRN of a meeting request 120 days later after the recipient accepted the request in an Exchange Server 2010 SP1 environment
• 2548246 (http://support.microsoft.com/kb/2548246/ ) The Microsoft Exchange Information Store service crashes occasionally when a folder view is corrupted on an Exchange Server 2010 mailbox server
• 2549183 (http://support.microsoft.com/kb/2549183/ ) “There are no objects to select” message when you try to use the EMC to specify a server to connect to in an Exchange Server 2010 SP1 environment
• 2549289 (http://support.microsoft.com/kb/2549289/ ) A RBAC role assignee can unexpectedly run the Add-MailboxPermission command or the Remove-MailboxPermission command on an Exchange Server 2010 server that is outside the role assignment scope
• 2555851 (http://support.microsoft.com/kb/2555851/ ) A mailbox does not appear in certain address lists after you run commands on the mailbox in an Exchange Server 2010 SP1 environment
• 2559814 (http://support.microsoft.com/kb/2559814/ ) A user cannot add or remove delegates from a mailbox by using Outlook in an Exchange Server 2010 environment
• 2561514 (http://support.microsoft.com/kb/2561514/ ) Exchange Server 2003 user cannot view the free/busy information of a user in a different federated organization
• 2563860 (http://support.microsoft.com/kb/2563860/ ) You cannot create a new mailbox database if you already have 1000 mailbox databases in an Exchange Server 2010 environment
• 2567409 (http://support.microsoft.com/kb/2567409/ ) Certain free/busy messages are not replicated from an Exchange Server 2010 server to an Exchange Server 2003 server
• 2571791 (http://support.microsoft.com/kb/2571791/ ) Retention policies are applied to Contact items unexpectedly in an Exchange Server 2010 environment
• 2572052 (http://support.microsoft.com/kb/2572052/ ) Certain properties of a recurring meeting request from external email accounts are missing in an Exchange Server 2010 SP1 environment
• 2575005 (http://support.microsoft.com/kb/2575005/ ) You cannot start the EMC or the EMS in an Exchange Server 2010 Service Pack 1 environment
• 2578631 (http://support.microsoft.com/kb/2578631/ ) Certain users cannot send email messages to a mail-enabled public folder in an Exchange Server 2010 environment
• 2579172 (http://support.microsoft.com/kb/2579172/ ) Items that are deleted or moved still appear in the original folder when you use Office Outlook in online mode to access an Exchange Server 2010 mailbox
• 2579671 (http://support.microsoft.com/kb/2579671/ ) No results returned when you use the ExpandGroup method in EWS to retrieve a list of members of a Dynamic Distribution Group in an Exchange Server 2010 environment
• 2582095 (http://support.microsoft.com/kb/2582095/ ) The SmtpMaxMessagesPerConnection property of a send connector is not replicated to the subscribed Edge Transport server in an Exchange Server 2010 environment
• 2600835 (http://support.microsoft.com/kb/2600835/ ) The RPC Client Access service crashes when you delete an attachment of an item by using Outlook in online mode in an Exchange Server 2010 SP1 environment
• 2601701 (http://support.microsoft.com/kb/2601701/ ) The memory usage of the MSExchangeRepl.exe process keeps increasing when you perform a VSS backup on Exchange Server 2010 databases
• 2616127 (http://support.microsoft.com/kb/2616127/ ) “0×80041606″ error code when you use Outlook in online mode to search for a keyword against a mailbox in an Exchange Server 2010 environment
• 2617126 (http://support.microsoft.com/kb/2617126/ ) The Store.exe process crashes when you send an email message that has attachments in an Exchange Server 2010 SP1 environment
• 2627769 (http://support.microsoft.com/kb/2627769/ ) Some time zones in OWA are not synchronized with Windows in an Exchange Server 2010 environment

The rollup can be downloaded from the site below:

Update Rollup 6 for Exchange Server 2010 SP1 open

Gepost in Exchange 2010 ~ Geen Reactie

 As you may know Exchange by default has one Offline Address Book (OAB) and one Global Address List (GAL). The GAL contains all objects for which Exchange attributes are configured. For example groups, userobjects and contacts.

The OAB will be generated once a day by the generation server. Within an Exchange environment only one server is responsible for generating the OAB. This is always a server which contains the Mailbox Role.

To find out which server is responsible for generating the OAB you can use two methods:

Exchange Management Console (EMC)

• Open Organization Management
• Select the Mailbox object
• Select the tab Offline Address Book

Exchange Management Shell (EMS)

• Run the following cmdlet get-offlineaddressbook | select name,server

On the generation server you will find the ExchangeOAB directory inside the Exchange directory. In this directory another folder is created. The name of this directory is the GUID from the OAB. Inside this directory several files are stored:

• lzx, the addressbook files
• oab.xml, the index which points to the addressbook files. Without the oab.xml file the client will not be able to find and download the addressbook files.

The OAB can be distributed via two methods:

• Public Folders
• Web

The Public Folders may be configured to have additional replica’s. This ensures that the OAB files are stored in multiple Public Folder databases. But how are the OAB files distributed to the Client Access Servers (CAS)?

To distribute the OAB to the configured CAS Servers the File Distribution service is used. This service runs on all CAS Servers and will check if a new OAB is available every 8 hours.

Sometimes this can has as effect that the users who are using Outlook in Online Mode and Outlook Web App can see new users earlier. This is sometimes very anoying.

To change this process you must change the pollinterval via EMS. This can be done by using the set-oabvirtualdirectory cmdlet:

Set-OabVirtualDirectory -identity “servername\OAB (Default Web Site)” -pollinterval 120

Using the example above we will reconfigure the CAS Servers to check every 2 hours for an update. But keep in mind that the GAL will only be generated once per day. If you wish to update an object perform the following steps:

• update the object
• wait for AD replication
• run the following cmdlet Update-GlobalAddressList “Default Global Address List”
• run the following cmdlet Update-OfflineAddressBook “servername\OAB (Default Web Site)”
• run cmdlet Update-FileDistributionService

If you only want to distribute the OAB to the CAS Servers run the following cmdlet Update-FileDistributionService. This will ensure that the CAS Servers will check if an update is available for the OAB.

If there are still issues you will need to enable logging. The logging needs to be enabled on the CAS Servers which are responsible for distributing the OAB:

Set-EventLog -Identity “MsExchangeFDS\General -Level Expert
Set-EventLog -Identity “MsExchangeFDS\FileReplication -Level Expert

Force a replication using the File Replication service to verify if an update is available:

Update-FileDistributionService -identity servername

Once the cmdlet is executed check the application event log to verify the replication has occured.

In the screenshot above you can see the data synchronisation has started. In this case the Web distribution has just been enabled but the CAS server doesn’t have a copy.

Once the OAB has been synchronized succesfully you will see the message above in the event log. When you browse to the directory X:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB zal you will find a directory which contains both the oab.xml and addressbook files.

Don’t forget to reset the logging level back to the original level once ready with troubleshooting:

Set-EventLog -Identity “MsExchangeFDS\General -Level Lowest
Set-EventLog -Identity “MsExchangeFDS\FileReplication -Level Lowest

Here ends the blog about how the OAB is distributed to the CAS Servers. If you would like to have more information about the cmdlet’s have a look at the sites below:

Technet: Update-FileDistributionService open
Technet: Update-GlobalAddresslist: open
Technet: Update-OfflineAddressBook: open

Gepost in Exchange 2010 ~ Geen Reactie

Starting from Exchange 2010 it is possible to import pst files using the New-MailboxImportRequest cmdlet. By default this cmdlet can’t be executed. This is caused by the fact that the New-MailboxImportRequest cmdlet is not a part of the default RBAC groups.

RBAC
To create a new group you can use the Exchange Management Shell. This to prevent that specific permissions are assigned per user:

New-RoleGroup “Mailbox import and export Rights”

Using the cmdlet above we will create a new RBAC group called Mailbox import and export rights. The next step is to add the cmdlet to the RBAC group:

new-ManagementRoleAssignment -Role “Mailbox Import Export” -SecurityGroup “Mailbox import and export Rights”

Using the above cmdlet we will add the role Mailbox Import Export to the earlier created RBAC group.

Add-RoleGroupMember “Mailbox import and export Rights” -Member Administrator

As last cmdlet we will add the user administrator to the RBAC group Mailbox import and export Rights. When the cmdlet has been executed you will need to restart the Exchange Management Shell.

NewMailboxImportRequest
Before you can import a PST there is one other important prerequisit. The group Exchange Trusted subsystem needs to have permissions to access the share which contains the PST files. When this is not possible you will get the following error Couldn’t connect to target mailbox.

When the last step has been performed we can submit a new import request:

New-MailboxImportRequest -Mailbox Johan -FilePath \\File01\PST\johan.pst

In the example above we will import the PST file called johan.pst from the PST share on the server called File01. The content of the PST will be imported in the mailbox called Johan.

To monitor the process we can use the following cmdlets:

• Get-MailboxImportRequest
• Get-MailboxImportRequestStatistics

Get-MailboxImportRequest
This cmdlet will give a default overview of the Mailbox Import Requests which are submitted to Exchange.

For example:

Get-MailboxImportRequest -Identity “Johan\MailboxImport”

In this case the identity exists of two parts: the name of the mailbox combined with the name of the import request. Using the cmdlet above we will retrieve the status of the import request which has as jobname MailboxImport. The data will be imported in the mailbox called johan.

Get-MailboxImportRequestStatistics
Gives a detailed overview of the Mailbox Import Request. This cmdlet can be used in combination with the Get-MailboxImportRequest cmdlet:

Get-MailboxImportRequest | Get-MailboxImportRequestStatistics

When executing the above example you will get a overview of the currently submitted Mailbox Import Requests with additional information. But when needing very detailed information,  for example the item count, percentage etc. then you will need to add|FL to the example above:

Get-MailboxImportRequest | Get-MailboxImportRequestStatistics | FL

Couldn’t connect to target mailbox
As mentioned earlier the error message Couldn’t connect to target mailbox can occur. To troubleshoot this problem you will need to add the -v parameter to the New-MailboxImportRequest cmdlet. In the screenshot below an example can be seen:

In this example both the share permissions and firewall settings where not causing the issue. When searching on the internet you will find several people who are having this issue.

The cause of this issue is: the CAS Array. To solve this problem temporarily you could choose to change the RpcClientAccessServer value temporarily. An other option which might be a easier to use is to create a temporary database and move the mailbox to it. Don’t forget to modify the RpcClientAccessServer value in this case also.

To change the RpcClientAccessServer value we will need to use the following cmdlet:

set-MailboxDatabase MBDBTEMP -RpcClientAccessServer cas01.corp.local

In the example above we will change the RpcClientAccessServer temporarily to one of the CAS Servers.

Don’t forget to restore the old configuration once completed:

set-MailboxDatabase MBDBTEMP -RpcClientAccessServer casarray.corp.local

Remove-MailboxImportRequest
Just like a move request an import request won’t be removed automatically.  An import request needs to be cleaned up manually. This can be done by using the cmdlet Remove-MailboxImportRequest:

remove-MailboxImportRequest -identity johan\MailboxImport

Using the exampel above we will remove the earlier create import request. When you would like to cleanup multiple import requests use the following cmdlet:

get-MailboxImportRequest | where {$_.status -eq “completed”} | remove-MailboxImportRequest

Using the example above we will first retrieve all mailbox import requests that are having the status completed. Once found we will remove all those requests.

Gepost in Exchange 2010 ~ 1 Reactie

In the First blog we had a look at the Set-OrganizationConfig cmdlet and specifically at the parameters for distribution groups. In this second blog we will have a look at the parameters for Mailtips and Exchange Recipient.

Mailtips

Using Mailtips it is possible to inform users before they will send a message. A few examples are:

• the recipiënt has enabled Out-Of-Office;
• the message send to the person has a large attachment;
• the mailbox of the recipiënt is full;
• the recipiënt is external;
• the distributionlist contains external users;

To use Mailtips you will need to have Outlook 2010 or Outlook Web App (OWA) as client.

To configure the Mailtip functionality on organization level there are 5 parameters available:

• MailTipAllTipsEnabled
• MailTipsExternalRecipientsEnabled
• MailTipsMailboxSourcedTipsEnabled
• MailTipsGroupMetricsEnabled
• MailTipsLargeAudienceTreshold

The Mailtip functionality is enabled by default. If you would like to disable this option the parameter MailTipsAllTipsEnabled will need to be set to false:

Set-OrganizationConfig –MailTipsAllTipsEnabled $false

Mailtips won’t be enabled when a message is send to external contacts. In case this is a requirement of the company you will need to configure the MailTipsExternalRecipientsTipsEnabled parameter and change the value to true:

Set-OrganizationConfig –MailTipsExternalRecipientsTipsEnabled $true

The last two parameters MailTipsGroupMetricsEnabled and MailTipsLargeAudienceTreshold need to be used in combination.

On the server which generates the address book a process runs every night to count the amount of members in a Group. The results will be stored in a folder called GroupMetrics. In this folder three files will be created:

• GroupMetrics-dateTtime.bin, contains the members of all distribution groups in the organization;
• GroupMetricsservername.xml, contains the configuration information of the mailbox server which is responsible for generating the data;
• ChangedGroups.txt, contains a list of groups which have changed since the last update;

The content of the folder will be distributed to the Client Access Servers through the File Distribution Service of Exchange. Besides this the data will be distributed every 8 hours to all Mailbox servers which are enabled for generating Group Metric data.

When the MailTipsGroupMetricsEnabled parameter has been configured with the value true, which is the default value, all Mailtips will use the Group Metric data. Depending on the value of the MailTipsLargeAudienceTreshold a Mailtip will be displayed. The default value of this parameter is 25. When a distributiongroup contains more than 25 members a Mailtip will be displayed.

Set-OrganizationConfig –MailTipsLargeAudienceTreshold 50

By using the above parameter we will configure that a Mailtip will only be displayed when mail is sent to a distribution Group which contains more than 50 members.

Microsoft Exchange Recipient

The second parameter we will have a look are the MicrosoftExchangeRecipient parameters. Exchange 2010 contains four parameters:

• MicrosoftExchangeRecipientEmailAddresses
• MicrosoftExchangeRecipientPrimarySmtpAddress
• MicrosoftExchangeRecipientEmailAddressPolicyEnabled
• MicrosoftExchangeRecipientReplyRecipient

As the name already tells you all these parameters are related to recipients from Exchange.

When having a look at the value of the MicrosoftExchangeRecipientEmailAddresses parameter you will see it´s equal to the e-mail addresses which are applied by the Default E-mail Address Policy. All addresses are split by a “;” if an address is added here the Default E-mail Address Policy will be updated.

But it’s not recommended by doing it this way. When having a look at the addresses you will see every address starts with MicrosoftExchange329e7.

Using the second parameter MicrosoftExchangeRecipientPrimarySmtpAddress we can configure which address needs to be set as the SMTP address. This value can only be used when the parameter MicrosoftExchangeRecipientEmailAddressPolicyEnabled is disabled. Otherwise the value will be ignored. If the value of this parameter will be changed to an address which does not exist in the Default Recipient Policy it will be automatically added.

One important thing to keep in mind is that if the Default E-mail Address Policy is disabled the  MicrosoftExchangeRecipientPrimarySmtpAddress parameter must contain a value. Several services among them the Exchange UM service must have a valid e-mail address. If the Default E-mail Address Policy is disabled and MicrosoftExchangeRecipientPrimarySmtpAddress doesn’t have a value the service will not get an e-mail address. The result will be that Exchange will not accept messages from the service.

Using the last parameter MicrosoftExchangeRecipientReplyRecipient you can configure if the Microsoft Exchange recipiënt can receive e-mail. This account is used to send DSN messages to internal users. When you will allow users to reply to this mailbox make sure this mailbox will be monitored. You can configure the parameter as follows:

Set-OrganizationConfig –MicrosoftExchangeRecipientReplyRecipient dsn@domain.com

Using the above cmdlet we have configured that if a user replies to a message of the Microsoft Exchange recipient mailbox this message will be delivered to the following e-mail address dsn@domain.com.

Here ends part two of the serie of hidden features of Exchange 2010. In  the next log we will have a look at the Set-ExchangeAssistanceConfig cmdlet.

Gepost in Exchange 2010 ~ Geen Reactie

When you have worked with Exchange 2010 you might know that some things only can be configured by using the Exchange Management Shell (EMS). A few examples are:

• configuring relaying on a receive connector
• enable logging for IMAP and POP3

Gepost in Exchange 2010 ~ Geen Reactie

During a migration you may encounter the issue that incorrect aliasses are used, for exampe spaces or incorrect characters in the alias. Microsoft has published a nice script fix-alias.ps1. There are some limitations when using this script. Because of this I modified the script a bit and added the following features:

• option to provide multiple search criteria;
• option to provide a replacement per criteria;
• option to check and fix the alias of Public Folders;

If you have additional whishes please let me know by leaving a comment or by contacting me via the contactform.

download fix-alias.ps1 (original version)
download fix-aliasv20.ps1

Gepost in Scripts ~ 1 Reactie

Some times it can be very usefull to automate things by creating a script. Of course you will first have to think if it is usefull to automate it or just decide to do it manually. Which option you chose is really hard to say but let’s say if you have to modify more then 50 items becomes very interested to use a script.

Exchange 2010 contains a few scripts, for example a script which let’s you configure Public Folder replica’s during a migration. All scripts can be found in the scripts directory. This directory can be found in the Exchange installation directory, for example  c:\Program Files\Microsoft\Exchange Server\V14\Scripts.

When you have opened the Exchange Management Shell (EMS) you can browse to it by typing cd $exscripts.

Here you will find a lot of scripts among them:

Besides these scripts a lot of ready-to-use scripts are offered by Microsoft and other bloggers. Personally I like the following two scripts:

• fix-alias.ps1
• ConvertFrom-LdapFilter.ps1

Gepost in Exchange 2010 ~ Geen Reactie