Exchange 2010

All posts tagged Exchange 2010

Exchange 2010 SP3 available soon

Posted by Johan Veldhuis on 12-02-2013
Posted in: Blog. Tagged: , . Leave a Comment

It looks like we can expect Exchange 2010 SP3 very soon. There are a lot of rumors on going on Twitter and Facebook the Microsoft Downloads already contains the Exchange 2010 SP3 UM Language Pack.

A question by Exchange fan Hakim Taoussi that it has been announced but not available:

 

Hakim_Taoussi

 

Was answered by Bharat Suneja from the MsExchange team with the following tweet:

 

Bharat_Suneja

So for those who have been waiting till they can migrate to Exchange 2013 from Exchange 2010 you should be able soon. If it is wise to do it, well read the several blog posts from Exchange guys and then rethink your decission again.

Let the rollups role

Posted by Johan Veldhuis on 12-02-2013
Posted in: Exchange 2007, Exchange 2010. Tagged: , , . 2 comments

Today it is Microsoft Rollup day. Both for Exchange 2010 SP2 and Exchange 2007 SP3 new rollups have been released. The rollup for Exchange 2010 SP2 contains a lot of fixes. For Exchange 2007 SP3 it is the 10nd rollup which has been released although the fixes contained in the rollup are not as large as for Exchange 2010. The rollup for Exchange 2007 contains a security fix and one issue for a problem with OWA.

An overview of the fixes included on the rollups can be found below:

Exchange 2010 SP2 Rollup 6:

  • 2489941 The “legacyExchangeDN” value is shown in the “From” field instead of the “Simple Display Name” in an email message in an Exchange Server 2010 environment
  • 2717453 You cannot move or delete a folder by using Outlook in online mode in an Exchange Server 2010 environment
  • 2733608 Corrupted Japanese DBCS characters when you send a meeting request or post a reply to a posted item in a public folder in an Exchange Server 2010 environment
  • 2734635 Folder-associated information (FAI) items are deleted when you run the New-InboxRule cmdlet or change Inbox rules in an Exchange Server 2010 environment
  • 2737046 AutoPreview feature does not work when you use Outlook in online mode in an Exchange Server 2010 environment
  • 2741117 High CPU utilization by Microsoft Exchange Replication service on Client Access servers in an Exchange Server 2010 environment
  • 2746030 Incorrect ExternalURL value for EWS is returned by an Exchange Server 2010 Client Access server
  • 2750188 Exchange Service Host service crashes when you start the service on an Exchange 2010 server
  • 2751417 Synchronization fails if you sync an external device to a mailbox through EAS in an Exchange Server 2010 environment
  • 2751581 OAB generation fails with event IDs 9126, 9330, and either 9338 or 9339 in an Exchange Server 2010 environment
  • 2760999 ”The signup domain ‘org’ derived from ‘<TenantDomainName>.org’ is not a valid domain” error message when you use the Hybrid Configuration wizard in an Exchange Server
  • 2776259 Msftefd.exe process crashes if an email attachment has an unexpected file name extension or no file name extension in an Exchange Server 2010 environment
  • 2779387 Duplicated email messages are displayed in the Sent Items folder in a EWS-based application that accesses an Exchange Server 2010 Mailbox server
  • 2783586 Name order of a contact is displayed incorrectly after you edit the contact in an Exchange Server 2010 environment
  • 2783631 User-Agent field is empty when you run the Get-ActiveSyncDeviceStatistics cmdlet in an Exchange Server 2010 SP2 environment
  • 2783633 You cannot move or delete an email message that is larger than the maximum receive or send size in an Exchange Server 2010 environment
  • 2783649 Private appointment is visible to a delegate in an Exchange Server 2010 environment
  • 2783771 Mailbox on a mobile device is not updated when EAS is configured in an Exchange Server 2010 environment
  • 2783772 Edgetransport.exe process crashes after a journal recipient receives an NDR message in an Exchange Server 2010 environment
  • 2783776 You cannot perform a cross-premises search in a mailbox in an Exchange Server 2010 hybrid environment
  • 2783782 Error message when you use Scanpst.exe on a .pst file in an Exchange Server 2010 environment
  • 2784081 Store.exe process crashes if you add certain registry keys to an Exchange Server 2010 Mailbox server
  • 2784083 Week numbers in the Outlook Web App and Outlook calendars are mismatched in an Exchange Server 2010 environment
  • 2784093 SCOM alerts and event ID 4 in an Exchange Server 2010 SP2 organization that has Update Rollup 1 or later
  • 2784566 Exchange RPC Client Access service crashes on an Exchange Server 2010 Mailbox server
  • 2787023 Exchange Mailbox Assistants service crashes when you try to change a recurring calendar item or publish free/busy data in an Exchange Server 2010 environment
  • 2793274 A new option is available that disables the PermanentlyDelete retention action in an Exchange Server 2010 organization
  • 2793278 You cannot use the search function to search for mailbox items in an Exchange Server 2010 environment
  • 2793279 Exchange Server 2010 does not restart when the Microsoft Exchange Replication service freezes
  • 2793488 Internet Explorer freezes when you connect to the OWA several times in an Exchange Server 2010 environment
  • 2810616 Email message delivery is delayed on a Blackberry mobile device after you install Update Rollup 4 for Exchange Server 2010 SP2

download

Exchange 2007 SP3 Rollup 

2783779 A hidden user is still displayed in the Organization information of Address Book in OWA in an Exchange Server 2007 environment

download

Microsoft release Exchange 2010 SP2 Rollup 5

Posted by Johan Veldhuis on 14-11-2012
Posted in: Exchange 2010. Tagged: , . 5 comments

Microsoft has release Rollup 5 for Exchange 2010 SP2 yesterday. This rollup contains fixes for the following issues:

  • 2275156
    The inline contents disposition is removed when you send a “Content-Disposition: inline” email message by using EWS in an Exchange Server 2010 environment
  • 2499044
    You cannot save attachments in an email message by using OWA if the subject line contains special characters in an Exchange Server 2010 environment
  • 2509306 

    Journal reports are expired or lost when the Microsoft Exchange Transport service is restarted in an Exchange Server 2010 environment

  • 2514766A RBAC role assignee can unexpectedly run the Add-ADPermission command on an Exchange Server 2010 server that is outside the role assignment scope
  • 2529715Slow network or replication issues after you change the number of virus scanning API threads in Microsoft Exchange Server 2010
  • 2536704
    Mailbox users who are migrated by using ILM 2007 cannot use the Options menu in OWA in an Exchange Server 2010 environment
  • 2537094French translation errors occur when you edit a response to a meeting request by using OWA in an Exchange Server 2010 SP1 environment
  • 2555800 

    You cannot use the GetItem operation in EWS to retrieve properties of an email message in an Exchange Server 2010 environment

  • 2555850
    You cannot delete a mailbox folder that starts with a special character in its name by using Outlook in an Exchange Server 2010 environment
  • 2556096
    The columns in the .csv logging file are not lined up correctly when you perform a discovery search on a mailbox in an Exchange Server 2010 environment
  • 2556107
    The columns in the .csv logging file are not lined up correctly when you perform a discovery search on a mailbox in an Exchange Server 2010 environment
  • 2556133
    A device that uses Exchange ActiveSync cannot access mailboxes in an Exchange Server 2010 environment
  • 2556156
    Extra.exe crashes when it performs RPC activity checks against an Exchange Server 2010 server
  • 2556352
    “ChangeKey is required for this operation” error message in Outlook for Mac 2011 in an Exchange Server 2010 environment
  • 2556407
    Certain client-only message rules do not take effect on email messages that are saved as drafts in an Exchange Server 2010 environment
  • 2559926
    “There are no items to show in this view.” error message when you try to view a folder by using Outlook in an Exchange Server 2010 environment
  • 2572958
    The “Test-OutlookConnectivity -Protocol HTTP” command fails with an HTTP 401 error in an Exchange Server 2010 environment

The rollup can be downloaded via the site below:

download

Microsoft releases v2 of the latest Exchange 2010 Rollups

Posted by Johan Veldhuis on 09-10-2012
Posted in: Exchange 2010. Tagged: , . Leave a Comment

Microsoft has just released version 2 of the latest Exchange 2010 SP1 and SP2 rollups. At this moment you can’t find a lot of information about it. The only reference which can be found on the dowload pages of both rollups is a reference to security bulletin MS12-058. In this security bulletin an issue is described about a vulnerability in the Web Ready Document Viewing functionality of Exchange 2010 in the Oracle Outside In Libraries

The updates can be downloaded via the links below:

Exchange 2010 SP1 Rollup 7 v2: http://www.microsoft.com/en-us/download/details.aspx?id=34957

Exchange 2010 SP2 Rollup 4 v2: http://www.microsoft.com/en-us/download/details.aspx?id=34956

More information about the vulnerability can be found on the page below:

Security Bulletin MS12-058: http://technet.microsoft.com/en-us/security/Bulletin/MS12-058

Update: this updates rollup has been released because of the expiration of the signatures which are used to sign the code. The advice is to install the v2 of the rollup despite it was already a part of the v1 of this update.

The risks of publishing EWS

Posted by Johan Veldhuis on 10-08-2012
Posted in: Exchange 2010. Tagged: , . 2 comments

Starting from Exchange 2007 several functionalities are offered via web services also known as Exchange Web Services (EWS). Functionalities offered by EWS are for example free/busy and Out Of Office.

Several clients can benefit from EWS among them Outlook 2007 and higher, Entourage with EWS extension and Outlook 2011. The last two clients are only available for Mac and don’t use MAPI to send/receive e-mail but do use EWS to do this. Another Mac related product is Apple Mail which works the same as Entourage and Outlook 2011.

On your local network this will not be the issue in most cases but if you are publishing your Exchange environment to the internet you might see some unwanted traffic. The reason why? Well if you are publishing EWS with the default authentication methods users can login using their username and password. Let’s give a short example:

Your company only wants to allow users to use ActiveSync and OWA for e-mail access. Outlook Anywhere is not enabled since you only allow full Outlook access when users are connected via VPN.

Now comes the fun when using Entourage, Outlook 2011 or Apple Mail your users will be able to send/receive their mail. This because they are using EWS and EWS is published either directly or more secure via a reverse proxy. This because you can use to reverse proxy to prevent the publishing of EWS. Although this may not be an option as we will see later in this blog.

How to solve this? Well it depends if you are not having Entourage and Outlook 2011 client on your local network you can choose to block both clients.

To configure this on your Exchange server run the following cmdlet:

Set-OrganizationConfig –EWSAllowEntourage $false –EWSAllowMacOutlook $false –EWSAllowApplicationAccessPolicy: EnforceAllowList

Let’s explain the parameters used:

  • EWSAllowEntourage: specifies if Entourage is allowed or not
  • EWSAllowMacOutlook: specifies if Outlook 2011  is allowed or not
  • EWSAllowApplicationAccessPolicy: specifies if other applications are allowed to use EWS by using either allow (EnForceAllowList) or block (EnForceBlockList) specific applications/services

The last parameter is a little bit tricky since this will also block other applications/services that want to use EWS. This due to the fact that we not used the AllowList parameter.  A few examples of these applications/services are: OCS/Lync clients and BlackBerry Server.

To allow those applications we will need to find out which client is trying to connect EWS does use the user agent string. The user string can be found by searching in the IIS log for example:

2012-08-03 12:07:40 192.168.1.2 POST /EWS/Exchange.asmx – 443 – 192.168.1.10 Microsoft+Office/12.0+(Windows+NT+5.1;+Microsoft+Office+Outlook+12.0.6425;+Pro)

2012-08-03 00:03:14 192.168.1.2 GET /autodiscover/autodiscover.xml – 443– 192.168.1.10 OC/4.0.7577.4051+(Microsoft+Lync+2010) 200 0 0 0

Below a list of user agent strings used by some popular programs:

  • BlackBerry Servers: Mozilla/4.0+
  • Microsoft OCS 2007 R2: OC/3.5.*.*
  • Microsoft Lync 2010: OC/4.*.*.*
  • Microsoft Lync Web App: CWA/4.*.*.*
  • Microsoft Lync Phone Edition: OCPhone/4.*.*.*

Let’s change the earlier scenario a little bit:

Your company only wants to allow users to use ActiveSync and OWA for e-mail access. Outlook Anywhere is not enabled since you only allow full Outlook access when users are connected via VPN. The company decides to implement Microsoft Lync 2010 and wants to use all options including the Outlook integration options. Lync is allowed to be used without setting up a VPN connection.

In this case we will need to exclude the Lync 2010 client from being blocked if it tries to use EWS:

Set-OrganizationConfig –EWSAllowEntourage $false –EWSAllowMacOutlook $false –EWSAllowApplicationAccessPolicy: EnforceAllowList –AllowList {“*OC*”}

By using the above cmdlet we will only allow the OCS 2007 R2 and Lync 2010 client to use the EWS functionality.

Another way to block the EWS access is using your F5 appliance, if you have one of course. A good description on how to configure your F5 to support this can be found here written by fellow MVP Tom Pacyk.

Provisioning mailbox rules

Posted by Johan Veldhuis on 31-07-2012
Posted in: Exchange 2010. Tagged: , . Leave a Comment

You may not see it in every organization but in a lot of organizations Outlook rules are used to automate some tasks such as: moving item to another folder, auto reply on messages, etc.

In this blog we will have a look at how to provision Outlook rules for a user so they won’t have to create them. But first have a look at the rules. As you may know you can configure both server and client side rules in Outlook. But what’s the difference between them?

  • Server side rules: are executed at the server side and so they are always running;
  • Client side rules: are execute at the client side and will only work when Outlook or OWA is running;

Most of the rules you can configure are client side rules and only a few of them are server side rules. One example of a server side rule is auto replying with a message on a new arrived e-mail.

To provision Outlook rules you can use the New-InboxRule cmdlet this cmdlet will give you the ability to create inbox rules for every user. So let’s have a look at an example.

New-InboxRule ‘Spam Summary’ -Mailbox johan -From antispam@domain.com -SubjectContainsWord “Spam Summary“ -MoveToFolder ’ johan:\ Spam Summary’

The rule above will be applied to all messages which are sent to my mailbox and are sent from antispam@domain.com and have as subject Spam Summary. The rule will move the specific message to the folder Spam Summary. One remark must be made about the folder. The folder must exist if not you will get a warning.

So wouldn’t it be nice to automate the complete process when a new mailbox is created? If this is what you want cmdlet extensions are the answer. With cmdlet extensions you can extend cmdlets by executing additional cmdlets after the first cmdlet has been executed.

In this example we would only like to create the new folder and the Outlook rule after a new mailbox is created. So the cmdlet which needs to be extended is New-Mailbox.

The first step in the process will be to modify the ScriptingAgentConfig.xml.sample. This file can be found here: \V14\Bin\CmdletExtensionAgents. First make a backup of the original XML before making any changes. Once the backup is rename the file and remove the .sample extension and open it in an editor, for example Notepad.

if($succeeded) {
$newmailbox = $provisioningHandler.UserSpecifiedParameters["Name"]
$newfolder= $newmailbox + :\Spam Summary
New-MailboxFolder -Parent $newmailbox -Name Spam Summary
New-InboxRule ’Spam Summary’ -Mailbox $newmailbox -From antispam@domain.com -
SubjectContainsWord ’Spam Summary’ -MoveToFolder $newfolder }

We are using two parameters:

  • $newmailbox: contains the name of the created mailbox
  • $newfolder: the name of the folder we want to create in the mailbox

After the parameters have been defined we will first create the new folder using the New-MailboxFolder cmdlet and then use create the new rule using New-InboxRule cmdlet.

Now save this file and copy it to each Exchange server in your environment. The next step is to enable the scripting agent. If you don’t do it the script simply won’t be executed.

To enable the scripting agent open the Exchange Management Shell (EMS) and run the following cmdlet:

Enable-CmdletExtensionAgent “Scripting Agent”

Repeat this step on every Exchange server in your environment.

Now we configured everything it’s time to see if it really works. Create a new mailbox via either the Exchange Management Console or Shell. After the mailbox is created verify if a new folder and rule are created successfully by logging into OWA or by using Outlook.

So let’s verify if it really works. In this example we just created a user called provisioned_user:

new-mailbox -name provisioned_user -alias provisioned_user -UserPrincipalName provisioned_user@corp.local

When running the cmdlet with the –verbose parameter you will see that the Cmdlet Extension Agent is executed after the mailbox has been created:

Now the mailbox has been created let’s verify if the new folder and inbox rule have been created. We will use OWA to verify if both have been created. When logging in to OWA you will see that the folder has been created:

When opening the Exchange Control Panel (ECP) and select the Organize E-mail option in the left menu you will see that an inbox rule has been created:

So as you can see you can provision the anti-spam folder and rule for new mailboxes using the cmdlet extensions. Besides doing this kind of things several other options can be configured using this option. Some examples are:

  • Disable POP3
  • Disable IMAP
  • Set the Regional Configuration/Language

For more information you can have a look at the following pages:

  • Using Cmdlet Extension Agents to cause automatic events to occur in Exchange 2010 – life just got simpler!: open
  • Cmdlet Extension Agents Part 1: Automatic archive creation: open

Lync integration doesn’t work with OWA

Posted by Johan Veldhuis on 27-07-2012
Posted in: Exchange 2010. Tagged: , . Leave a Comment

During an implementation of Lync 2010 I had an issue with the integration of Lync in OWA. This worked on all CAS servers except one. This despite all the needed software prerequisits had been installed:

And the configuration on both the CAS and Front End Server was completed.

After removing the software and reinstalling it again the issue wasn’t solved either. In the application log the following warning was displayed:

An exception was thrown while attempting to load the IM provider .dll file.
File: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA\bin\Microsoft.Rtc.UCWeb.dll
Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

For some reason the dll couldn’t be loaded correctly. The solution was pretty wasu just reset IIS using  IISReset /noforce.

After running the command the IM integration worked without any issues.

Turn Off Exchange Store Time-Out Detection

Posted by Johan Veldhuis on 24-06-2012
Posted in: Exchange 2010. Tagged: , . Leave a Comment

In my last blog we discussed the functionality of quarantining a mailbox if:

  • Thread doing work for a mailbox fails
  • More than five threads in a mailbox that haven’t made progress for a long time (more than 60 seconds)

In some cases this might cause a situation which is not acceptable if this issue occurs multiple times within one week or maybe multiple times a day. In my last blog we talked about how to see that a mailbox is quarantined. But wouldn’t it be nice to monitor it to prevent mailboxes from being quarantined?

When one of the earlier issues occurs the following events will be logged in the application log:

  • Event 10025: Reports a time-out on the Exchange server
  • Event 10026: Reports a time-out on the database
  • Event 10027: Reports a time-out on an individual mailbox

All the events will have the same source MsExchangeIS. Besides the event logs you might decide to use the performance counters to monitor the environment for this specific kind of issue. In this case add the following counters to the Performance Monitor:

  • RPC Request Timeout Detected on Mailbox
  • RPC Request Timeout Detected on Database
  • RPC Request Timeout Detected on Server

The performance counters can be found under the context MsExchangeIS.

But what if you see that this issue happens many times and you want to disable the quarantine functionality? First of all I would not recommend doing this and try to find the source of the issue. This because a large amount of threads will have an impact on your complete environment. But as discussed earlier the quarantining may have a negative impact on the business and so you may lose money. So after reading this think twice discuss this with some colleagues and your manager. If everybody agrees with taking the risks perform the following steps to turn off the quarantine feature:

  • Open Regedit
  • Browse to the following location: HKLM\System\CurrentControlSet\Services\MsExchangeIS\
  • Create a new DWORD (32-bit)called DisableTimeoutDetection
  • Set the value to 1

Although not mentioned in the help files of Microsoft it might be wise to restart the Information Store service after making the change. In this case make sure you dismount all databases or *over them to another DAG node if applicable.

If you want to have more information about this topic visit the page below:

Technet: Turn Off Exchange Store Time-Out Detection open

Redmond my mailbox is quarantined

Posted by Johan Veldhuis on 20-06-2012
Posted in: Exchange 2010. Tagged: , . Leave a Comment

As you may know Exchange 2010 contains several built-in security features to prevent issues with your server. Think of the back pressure mechanism which protects your Hub Transport from being brought down due to lack of resources.

Another security feature can be found on the Mailbox Server and then specifically in the Information Store process. For those who don’t know what the responsibilities are of the Information Store: almost everything which is database related. For example if the Information Store is down you won’t be able to mount both mailbox and public folder databases.

The feature I am talking about is quarantining a mailbox. But why does Exchange performs this action on mailboxes? Well there are a few reasons why Exchange can decide to place a mailbox in quarantine:

  • Thread doing work for a mailbox fails
  • More than five threads in a mailbox that haven’t made progress for a long time (more than 60 seconds)

As you have seen it all has to do with threads on a mailbox which fail. Every time one of the issues occurs a counter is raised. This counter is stored in the registry. Besides the counter the Information Store keeps the timestamp information about when the issue occurred with the specific mailbox also called the poison mailbox.

You may think why is this setting stored in the registry? Well the reason for this is that the information stored here will be replicated by the cluster database if you are running a high availability environment.  The following registry path is created used to store the keys:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\\Private-{db guid}\QuarantinedMailboxes\{mailbox guid}

In this path the following keys will be created:

  • CrashCount: the amount of crashes detected
  • LastCrashTime: the timestamp of the last occurance of a crash
  • QuarantineState: is a mailbox quarantined or not
  • QuarantineTime: the time the mailbox is placed in quarantine

If the issue doesn’t occur again in two hours the registry key used to store the counter is deleted. The 2 hours is a value which can’t be changed. But there are two other interesting keys:

  • MailboxQuarantineCrashThreshold: how many issue may occur before a mailbox is put in quarantine
  • MailboxQuarantineDurationInSeconds: how long is the mailbox placed in quarantine

By default when three issues occur a mailbox is placed in quarantine. The mailbox will be kept in quarantine for 6 hours (21600 seconds). After the 6 hours are expired the mailbox is removed from quarantine.

Both keys can be found here:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\\Private-{db guid}\QuarantinedMailboxes

But what happens to a mailbox put in quarantine? Well the answer is quit short: it isn’t accessible for any end-user. Even background processes such as content indexing and the mailbox assistant can’t access the mailbox. This is because these processes, just like end-users, don’t pass the OPEN_AS_ADMIN  flag. This special flag checks if a user who tries to connects passes the OPEN_AS_ADMIN flag, if true the user will be able to access the mailbox. If a mailbox is placed in quarantine an event is stored with event id 10018.

Besides the automatic release of the mailbox from quarantine it is possible to manually release it from quarantine. But before doing this it is highly recommended to find the cause of the issue. This since a mailbox is not placed in quarantine because it works but it can cause serious issues for the other mailboxes in your environment.

Another reason why to investigate the issue is if you decide to release it manually but the issue still occurs the mailbox will be put in quarantine again.

To manually release the mailbox you will first need to know the GUID of the mailbox. You can lookup the GUID by using the get-mailboxstatistics cmdlet just like this:

Get-Mailbox support |select name, GUID

Once you have found the GUID you will need to find the corresponding registry path. As discussed earlier each poisoned mailbox has the key MailboxQuarantineDurationInSeconds modify the value to for example 0 or 1. After you’ve made the registry key change perform one of the following tasks:

  • Dismount/mount the database
  • Restart the Information Store
  • Reboot your server

Although this last one is a little bit overkill.

Here ends the blog about quarantining mailboxes. Hope it doesn’t happen to much in your environment else you got some serious trouble.

More information about this topic can be found on the site below.

Technet – Understanding the Exchange 2010 Store open

The impact of Bring Your Own Device on Exchange – mobile devices

Posted by Johan Veldhuis on 07-06-2012
Posted in: Exchange 2010. Tagged: , . Leave a Comment

Using ActiveSync or BlackBerry you can give users the ability to sync the content of their mailbox to their mobile device. When BYOD will be introduced in a company you might see an explosion of the number of ActiveSync/BlackBerry devices that connect to your Exchange environment.

So before allowing BYOD mobile devices you should do some investigation. There are two parameters which will be affected:

  • IOPS
  • Megacycles

IOPS

Let’s start with looking at the impact a mobile device has on the IOPS Exchange needs to deliver.

Both Activesync and BlackBerry devices will generate additional IOPS per device. RIM did publish a nice document which describes the impact on the IOPS, which depends on the mailbox profile.

Email messages sent or received per mailbox per day Estimated IOPS per BlackBerry device

50

0.06

100

0.12

150

0.18

200

0.24

250

0.30

300

0.35

The numbers above are applicable on an active mailbox copy (DAG) or standalone mailbox copy. The strange thing although is that when you use the HP Sizer for Microsoft Exchange Server 2010 it will multiply the needed IOPS with 2. So it looks like HP did build in some reserves or is using previous values from an earlier Performance Bench Guide from RIM. This because RIM did made some improvements which dramatically decrease the needed IOPS.

I’ve searched for a table which describes the needed IOPS for ActiveSync devices but as far as I know Microsoft did not publish one. When looking at the available sizing tools, for example the HP Sizer for Microsoft Exchange Server 2010, you will see that it multiplies the amount of IOPS with 2. The Exchange 2010 Mailbox Role Requirements calculator will not provide an easy option such as the HP Sizer. The tool from Microsoft does have an option to use a multiplication factor to influence the needed IOPS.

Megacycles

As discussed before the second parameter will be the amount of megacycles needed. In the document mentioned earlier RIM did also publish the megacycles per BlackBerry device which are needed.

Email messages sent or received per mailbox per day Estimated megacycles per BlackBerry device

50

1.5

100

3.0

150

4.5

200

6.0

250

7.5

300

9.0

As you can see the needed megacycles will depend on the amount of messages send/received per day. Compared to the IOPS it has a greater impact. RIM does mention in their document that if you use the sizing recommendations of Microsoft it shouldn’t have a big impact on the CAS Servers. The recommendations RIM points to can be found on this page.

Microsoft also did perform some tests to see the impact on the megacycles when ActiveSync is used. In this case they only did some testing with a specific user mailbox profile.

Client Access

Hub Transport

Mailbox

CPU(MHz/user)

1,60

0,22

1,25

As you can see Microsoft did divide it per Exchange Role. If you use the Exchange 2010 Mailbox Role Requirements calculator you will need the value as listed in the Mailbox column and use the megacycles multiplication factor to increase the megacycles to an additional 1,25 megacycles per mailbox .

What if users will use multiple mobile devices?

Well the answer is quite easy although it is hard to estimate in advance how many users will use multiple devices. When allowing BYOD mobile devices people may use both their mobile phone and their tablet to sync their mailbox content. But it is not limited to two devices.

Throttling policy

Exchange 2010 will allow a maximum of 10 devices which sync via ActiveSync per user. So in worst case users can setup 10 partnerships with devices to your Exchange environment.

The 10 devices limit may be a little bit high. 3 or 4 devices is a reasonable amount. But what if you want to limit the maximum allowed ActiveSync devices per user?

If you want to limit the amount of ActiveSync devices per user you will need to modify the throttling policy settings. Depending on your environment you might decide to create additional throttling policies which will allow more ActiveSync devices for example for the management.

To modify the throttling policy you will need to use the Exchange Management Shell (EMS). The output below is the result of the Get-ThrottlingPolicy:

As you can see the EASMaxDevices is the parameter which will need to be modified to limit the amount of ActiveSync devices which can be used.

To do this you will need to run the Set-ThrottlingPolicy cmdlet:

Set-ThrottlingPolicy Default* -EASMaxDevices 1

The example above will limit the maximum amount of ActiveSync devices to one per user.

Quarantine new devices

By default new users will be allowed to connect to Exchange using ActiveSync. Excluded are users which are a member of a protected group such as administrators. To prevent this you can set the action to quarantine new devices.

Using this option all new devices will be placed in quarantine till an administrator approves the device.

There are two ways to place a device in quarantine:

  • Create a rule for each family
  • Modify the default

Create a rule for each family:

The option can be found in the Exchange Control Panel (ECP) in the Phone & Voice section:

On the ActiveSync Access page scroll down till you see the Device Access Rules and klik on New to create a new rule:

Using the Browse buttons select a family and/or model and select the Quarantine – Let me decide to block or allow later option

Unknown devices

The disadvantage of the rule per family is that not all devices may hit this rule. In this case the default settings are used. These can be changed by pressing the Edit button on top of the page:

This will bring up a new window which gives you the following options:

  • What is the default action taken when an unknown device tries to connect
  • Which user or distribution group must be notified when an unknown device is quarantined
  • Which text needs to be send to the user which tries to connect with an unknown device

How about BlackBerry can this be limited also?

Well in most organizations a BlackBerry Express/Enterprise server is installed which is connected to Exchange. Since the BlackBerry server doesn’t use ActiveSync to sync the EASMaxDevices changed earlier doesn’t have any effect.

A user will need an activation password to connect their device to the BES environment. Administrators will have the option to configure the time a password is valid using the password expiration. Since the password is only valid to activate one device it will prevent the user from connecting multiple devices.  If they want to connect another device they will need to ask their administrator for another activation code.

Monitoring the ActiveSync usage

When allowing BYOD mobile devices to sync with your Exchange environment it might be usefull to perform some kind of monitoring. Using the monitoring features you can see how many ActiveSync devices are syncing with your Exchange environment.

Since the mobile devices will connect to an HTTPS service offered by the CAS most things are logged in the IIS logs.

By default all Exchange related HTTP/HTTPS traffic is logged in the same IIS log. This will cause ActiveSync, EWS, OWA and Powershell traffic to be logged in the same IIS log.

The cause of this is that the default setting is to only have one log file per site:

Since all virtual directories of Exchange are created in the default web site by default all this setting will be applied to these virtual directories to. So reading the log is a little bit difficult although it is possible.

To filter out only the ActiveSync related things you will have to use Export-ActiveSyncLog cmdlet, for example:

Export-ActiveSyncLog –FileName “C:\Windows\System32\LogFiles\W2SVC1\ex12607.log” –UseGMT:$true –OutputPath “C:\ActiveSync Report

This will create a separate file containing only the ActiveSync related stuff.  The example above will only work for one log. If you want to search all the logs for ActiveSync use this:

Get-ChildItem “C:\Windows\System32\LogFiles\W3SVC1″ | Export-ActiveSyncLog –UseGMT:$true –OutputPath “C:\Temp\EASReports

There are some useful scripts that can be found on the internet to perform some additional actions on the logs:

Here ends my blog about the impact BYOD mobile device can have on your Exchange environment. More information about the specific cmdlets can be found on the following sites:

Technet: Export-ActiveSyncLog open
Technet: Set-ThrottlingPolicy open