Review Trend Micro Scanmail 10

In this article we will have a look at Trend Micro Scanmail for Microsoft Exchange (SMEX) 10, the latest version of Trend Micro's antivirus/antispam solution for Microsoft Exchange Server.

The product can be used with Exchange 2003, 2007 and the current version, Exchange 2010. Let's start by having a look at the new features of SMEX 10.

New features

Like Exchange 2010, SMEX 10 introduces role-based access. With this method of assigning permissions you create templates and assign those templates to users, so that an operator who only needs to release quarantined messages does not have to be a full administrator of the product.

Another nice addition is the ability to use Active Directory objects in the policies you configure, which lets you create a policy for a specific AD group. For example, suppose your company has a group of developers who must be able to receive file types that the default policy blocks. In this scenario you can exclude the developers group from the default policy and apply a custom policy to it instead.

SMEX 10 contains two types of reputation services:

  • Web Reputation (WRS), which checks every URL in a message;
  • E-mail Reputation (ERS), which checks the IP address of the sending mail server.

Especially the last option can reduce the number of spam/virus messages that have to be processed by the policies or that arrive in the end user's mailbox.

The Web Reputation Services (WRS) feature included in SMEX checks every e-mail for malicious URLs. Enabling WRS adds an extra detection layer on top of the anti-spam/anti-virus technology the product already uses. According to Trend Micro, WRS can detect zero-day attacks as well as recent types of spam and phishing, such as the "Here you have" worm mails and spear phishing.

If you have a Trend Micro Smart Scan server deployed you can configure SMEX 10 to use it. The advantage of the Smart Scan method over conventional scanning is a smaller footprint on the server, because the local pattern files are a lot smaller. Another advantage is better detection: the cloud side (Trend Micro's file reputation service) always carries the latest anti-malware knowledge, which is ahead of the conventional pattern file. The trade-off is that scanning now depends on that server being reachable, so include it in your availability planning.

In the picture below you see how the process works:

The last major change, besides optimization of the product, is the integration of Data Leakage Prevention (DLP) policies. Using these default DLP policies you can prevent data being leaked from your company to the outside world via e-mail.

The installation of SMEX 10 is pretty easy, but before starting it add the CGI component to the IIS server. Once this is done the setup can be launched. One of the first steps asks which Exchange version you have deployed. If you are deploying on an Exchange 2007 or 2010 server you must specify whether you are installing on an Edge Transport server or on a Hub Transport/Mailbox server. Depending on the roles installed on the server, a set of scan methods is available: on a mailbox server a mail store scan can be performed, while on a Hub Transport server scanning is done during transport.

In the next step you add one or more servers, either manually or via the browse option. If you use the browse option, make sure the Computer Browser service is enabled; depending on your OS it may be disabled by default.

The next step is to provide the credentials of an account which is a member of the Exchange Organization Management security group. If you plan to use the End User Quarantine (EUQ) option this account also needs domain admin permissions. Because the account ends up with broad rights, use a dedicated service account rather than a personal administrator account, and restrict who knows its password.

By default the installation is performed on the C drive of the server. Scanmail installs a web application for management purposes; by default an additional website is created in IIS for it, but you can also place it in the Default Web Site. My recommendation is to install it in a separate site, because Exchange itself already uses the Default Web Site for its web services (Outlook Web App, EWS, ActiveSync and so on), and a separate site keeps the console's bindings and authentication settings independent of them.

Optionally you can enable SSL. When you enable this option a self-signed certificate is installed for the website. Replace it with a certificate from a CA your administrators' browsers trust, so nobody gets used to clicking through certificate warnings on the console.

The next step verifies whether all prerequisites have been met. If not, you are warned and must resolve the issues before you can continue.

Because Scanmail retrieves its updates from the internet you may need to provide a proxy server; if not, leave the option unselected. After providing the activation key you get the option to participate in the World Virus Tracking Program, which gathers real-time data for Trend Micro's Virus Map.

As mentioned, Scanmail can place spam messages in a specific folder. Scanmail gives you two options:

  • Integrate with the Outlook Junk E-mail folder
  • Integrate with EUQ, a separate folder created by Scanmail

Personally I prefer the Outlook Junk E-mail option, as this gives users one location where they can find their quarantined messages.

If you have multiple Trend Micro solutions you may have implemented Trend Micro Control Manager, which lets you manage all Trend Micro products via one interface.

Because of the Active Directory integration the setup also lets you select an Active Directory group which is granted access to the management console.

Before the installation starts you get a short summary. If you are satisfied with the settings, continue and start the installation.

Note:

One thing to keep in mind is that the setup installs a SQL Server 2005 Express instance on your Exchange server. If you don't want this, prepare the database on an external SQL server and specify that server during the setup.

After the installation has completed, make sure you install the latest service pack and patches available for SMEX.

Configuration

Now that SMEX has been installed, let's have a look at the configuration. By default only the following antispam/antivirus components are enabled:

  • Security Risk Scan, which scans messages for viruses and spyware at both transport and store level;
  • Web Reputation, which scans all messages for malicious URLs;
  • Content Scanning, which is part of the Spam Prevention option and scans messages for undesirable content, for example sensitive or unprofessional material.

Because each environment is unique it may be necessary to adjust the default settings. For example, you might want to scan for all spyware/grayware categories; by default SMEX only scans for spyware and adware.

But how does the Web Reputation Service work? Every URL is checked against a database which contains a rating for that URL. The rating is based on a number of factors, including domain profiling, malware behaviour related to the site, site content scanning, site categorization and correlation with phishing and spam intelligence. To control which ratings are blocked you configure the security level. SMEX has three security levels:

  • High: blocks the greatest number of web threats; every URL with a rating of 80 or lower is blocked. The chance of false positives increases.
  • Medium: blocks most web threats while limiting the number of false positives; every URL with a rating of 65 or lower is blocked.
  • Low: blocks fewer web threats and reduces the number of false positives; every URL with a rating of 50 or lower is blocked.

In the diagram below you can see a diagram of the complete process:

When a message arrives the following steps are performed:

  • The message arrives at the Edge or Hub Transport server on which SMEX 10 is installed;
  • SMEX detects a URL in the message and sends it to the WRS cloud service;
  • WRS checks the URL and returns its rating to SMEX 10;
  • If the rating is at or below the configured threshold the message is either delivered with a modified subject or placed in quarantine.
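To make the rating-threshold step concrete, here is an added Python model of it (example code written for this review, not Trend Micro's implementation). The rating table, the "unrated" default and the sample message are constructed; in the product the rating comes from the cloud lookup. The model implements the three documented thresholds and both documented actions, and also takes care of a detail every URL filter has to get right: sentence punctuation glued to the end of a link must not change the URL that is looked up.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List, Tuple

# Thresholds as documented for SMEX 10: a URL whose rating is at or below the
# security level's threshold is treated as a web threat.
SECURITY_LEVELS = {"high": 80, "medium": 65, "low": 50}

# Constructed stand-in for the cloud rating service (higher = more trustworthy).
# The real WRS rating is a network lookup; this table only exists so the
# example runs offline.
RATINGS = {
    "http://updates.example.com/patch.exe": 40,
    "http://free-gift.example.biz/claim": 55,
    "http://login-verify.example.net/": 60,
    "http://ads.example-cdn.com/track.js": 75,
    "https://intranet.example.org/": 95,
}
UNRATED = 70  # assumption for this example: an unknown URL is neither good nor bad

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(msg: Message) -> List[str]:
    """Return the distinct URLs found in the text parts of a message, in order."""
    found: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;:)")  # punctuation that ended the sentence, not the link
            if url not in found:
                found.append(url)
    return found


def flagged_urls(raw_message: str, level: str) -> List[Tuple[str, int]]:
    """URLs in the message whose rating is at or below the level's threshold."""
    threshold = SECURITY_LEVELS[level]
    msg = message_from_string(raw_message)
    rated = [(u, RATINGS.get(u, UNRATED)) for u in extract_urls(msg)]
    return [(u, r) for u, r in rated if r <= threshold]


def disposition(raw_message: str, level: str = "medium", action: str = "tag") -> Tuple[str, str]:
    """Apply the documented actions: deliver untouched, deliver with a
    modified subject ('tag'), or quarantine. Returns (verdict, subject)."""
    subject = message_from_string(raw_message)["Subject"]
    if not flagged_urls(raw_message, level):
        return "deliver", subject
    if action == "quarantine":
        return "quarantine", subject
    return "deliver", "[Suspicious URL] " + subject


# Constructed sample message for the example.
SAMPLE = """\
From: sender@example.com
To: user@corp.local
Subject: Invoice

Download http://updates.example.com/patch.exe today, then claim your gift at
http://free-gift.example.biz/claim. Sign in at http://login-verify.example.net/
and read the policy at https://intranet.example.org/ (tracking pixel:
http://ads.example-cdn.com/track.js).
"""

if __name__ == "__main__":
    for level in SECURITY_LEVELS:
        print(level, [u for u, _ in flagged_urls(SAMPLE, level)])
    print(disposition(SAMPLE, "low", "quarantine"))
```

Running it shows the practical difference between the levels on one message: at "high" four of the five links are blocked, at "medium" three, at "low" only the executable download. That is the knob you are turning when you trade false positives against missed threats.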

Additionally you may want to enable some extra components, for example blocking all attachments with program/scripting extensions such as .bat, .cmd and .wsh, or blocking only specific file types.

A second option you may want to enable is the content filtering component. It ships with a number of predefined policies, which fall into two groups:

  • Specific word categories, such as profanity, hoaxes and chain mail;
  • DLP, default DLP policies for specific countries/continents.

As already explained, every environment requires different policies. For example, you might receive a lot of spam which the other filters do not detect; in that case create a custom policy which filters specifically on those words.

The second component I would highly recommend is the E-mail Reputation Service (ERS), which is part of the Spam Prevention section of SMEX. ERS works like a blocklist: if the connecting IP address is listed, the connection is dropped. The advantage of ERS over a plain blocklist is that you can tune it via a web portal provided by Trend Micro. For example, if you don't want to block messages from a specific country even if its addresses are listed, make that change in the ERS web portal.

As you can see in the screenshot above, you can also add specific ISPs and IP addresses to the approved list. Besides approving, it is also possible to block a country, ISP or IP address via this website.

One important note about ERS: there must be no other MTA between the sending server and Exchange. ERS only checks the IP address of the last hop, the MTA that actually opens the SMTP connection to Exchange. If a relay or hosted filtering service sits in front of Exchange, ERS sees the relay's address instead of the real sender's, so every message appears to come from a trusted host and the check cannot work correctly.
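To show why the "no MTA in between" rule matters, here is an added Python model of the ERS check (example code for this review, not Trend Micro's implementation). It parses the Received header chain of two constructed messages, looks up only the address of the MTA that connected to Exchange, the way ERS does, and flags the verdict as unreliable when that address falls inside the internal networks that this example assumes host your own relays. The blocklist, the internal network list and both messages are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from typing import List

# Constructed blocklist standing in for the ERS lookup; the real check is a
# query to Trend Micro's service, not a local table.
BLOCKLIST = {"203.0.113.7"}

# Assumption for the example: the networks that host our own relays/filters.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The IP literal in the "from <helo> (<name> [<ip>])" clause of a Received header.
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def received_chain(raw_message: str) -> List[str]:
    """Connecting IP of every hop, newest first: each MTA prepends its own
    Received header, so the first one was written by our Exchange server."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received") or []:
        match = RECEIVED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def ers_decision(raw_message: str, blocklist=BLOCKLIST) -> dict:
    """Model of the ERS check: only the MTA that connected to Exchange is
    looked up. The verdict is marked unreliable when that MTA is one of our
    own relays, because the reputation of an internal address says nothing
    about the real sender."""
    chain = received_chain(raw_message)
    if not chain:
        return {"checked_ip": None, "verdict": "accept", "reliable": False}
    connecting = ipaddress.ip_address(chain[0])
    behind_relay = any(connecting in net for net in INTERNAL_NETWORKS)
    return {
        "checked_ip": chain[0],
        "verdict": "drop" if chain[0] in blocklist else "accept",
        "reliable": not behind_relay,
        "origin_ip": chain[-1],  # what a human sees; ERS never looks at it when relayed
    }


# Constructed messages: the same sender delivered directly, and via a relay.
DIRECT = """\
Received: from mx.spammer.example ([203.0.113.7]) by exchange01.corp.local with ESMTP; Mon, 1 Aug 2011 09:00:00 +0200
From: offer@spammer.example
To: user@corp.local
Subject: Cheap watches

hello
"""

RELAYED = """\
Received: from relay.corp.local (relay.corp.local [10.0.0.5]) by exchange01.corp.local with ESMTP; Mon, 1 Aug 2011 09:00:01 +0200
Received: from mx.spammer.example ([203.0.113.7]) by relay.corp.local with ESMTP; Mon, 1 Aug 2011 09:00:00 +0200
From: offer@spammer.example
To: user@corp.local
Subject: Cheap watches

hello
"""

if __name__ == "__main__":
    print(ers_decision(DIRECT))
    print(ers_decision(RELAYED))
```

The direct delivery is dropped because the connecting address is listed; the relayed copy of the very same message is accepted, because the only address the check ever sees is 10.0.0.5. If you cannot remove the relay, the reputation check has to run on the relay itself, or it is not worth enabling.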

Once you are satisfied with the configuration you can replicate it to other servers. This is very useful if you have multiple SMEX instances and want to keep the configuration identical on all of them.

By selecting the Server Management option you get an overview of all SMEX instances:

Select the server(s) to which you would like to replicate and press the replicate button. The next step is to select which configuration settings should be replicated. By default all settings are replicated; if you only want to replicate a subset, select just those features.

Reporting and logging

In addition to real-time monitoring of the traffic, SMEX can generate reports, either manually or automatically via a schedule.

The screenshot below shows an example of the content you can add to a report. A scheduled report can be created daily, weekly or monthly. As you can see, a lot of content can be added. Using these reports you may spot trends, for example one specific user receiving a lot of spam, or simply see how much traffic passes through SMEX.

Compared to a manual report, a scheduled report also has the option to send the report to one or more e-mail addresses, which is very useful if you do not want to log in to the admin console daily.

But what does a report look like? The screenshot below shows a small part of a generated report, in this example the Spam Prevention statistics. It starts with a summary which gives you a quick overview. Because you may want to distribute the report to management it is nice to include the graph as well; it displays the percentage of spam messages compared to the total number of messages.

Below the graph an overview of the top 5 spam senders is displayed. For privacy reasons I haven't included them in the screenshot above.

In addition to the reports you can also consult the log files. The logs are divided into the following types:

  • Security risk scan: messages in which a security risk (virus or spyware) was detected;
  • Attachment blocking: attachments that were blocked;
  • Content filtering: messages that were tagged by the content filter;
  • Update: the update process, here you find whether an update succeeded or failed;
  • Scan event: manual and scheduled scan tasks;
  • Backup for security risk: files that the Security Risk Scan moved to the backup folder;
  • Backup for content filter: files that Content Filtering moved to the backup folder;
  • Unscannable message parts: message parts that could not be scanned;
  • Event tracking: administrative tasks performed, for example logins/logouts, configuration changes and messages released from quarantine;
  • Web reputation: the web reputation checks performed.

The event tracking log is effectively the audit trail of the product: it records who changed a policy or released a message from quarantine, so give it the same retention and protection as your other administrative audit logs.

The screenshot below shows part of the Content filtering log. As you can see, a lot of information is displayed:

But this is not all; when you scroll to the right you find the most interesting information:

In this part of the log you can see detailed information about:

  • which policy was applied to the message;
  • which action was taken;
  • which matching keyword(s) were found.

So, as you can see, a lot of information is stored in the logs, which can be very useful during troubleshooting.

Conclusion

Here ends my article about Trend Micro's Scanmail for Exchange 10. Trend Micro has included a lot of nice new features. The default antispam and antivirus settings may require you to make some modifications. For example, E-mail Reputation is disabled by default; it may be worth enabling the option if possible. Enabling it prevents a lot of spam from arriving in the end user's mailbox and also saves Scanmail a lot of processing time.

To fine-tune your solution you might consider creating a custom content filter. With this custom filter you can block specific messages which pass the other filters, which results in less spam arriving in the end user's mailbox. If you find it a little tricky to just delete the message, use the quarantine option. This places the message in the user's junk mail or EUQ folder, so if a user misses a message he or she can retrieve it easily.

At this moment the beta for SMEX 10.2 is about to start; I am very curious which new features will be added.

Exchange 2010 SP1 Rollup 4 released

Microsoft has released Update Rollup 4 for Exchange Server 2010 SP1. Note that several of the fixes are security-relevant rather than cosmetic: three of them (2533451, 2501070 and 2489130) close RBAC scoping gaps that let a role assignee act on objects outside the assigned scope, and 2507066 addresses administrator audit logging being disabled unexpectedly during SP1 installation. The rollup fixes the following issues:

  • 2537099 (http://support.microsoft.com/kb/2537099/ ) “80040154” error message when you try to configure external Client Access namespaces on an Exchange Server 2010 server
  • 2536700 (http://support.microsoft.com/kb/2536700/ ) Outlook stops responding when you try to copy a folder to its subfolder by using Outlook in online mode in an Exchange Server 2010 SP1 environment
  • 2536517 (http://support.microsoft.com/kb/2536517/ ) The Microsoft Exchange RPC Client Access service crashes intermittently on an Exchange Server 2010 server
  • 2536494 (http://support.microsoft.com/kb/2536494/ ) It takes a long time to return results when you perform an Advanced Find search on a mailbox by using Outlook in online mode in an Exchange Server 2010 SP1 environment
  • 2535648 (http://support.microsoft.com/kb/2535648/ ) The EMC takes a long time to open in an Exchange Server 2010 environment
  • 2535130 (http://support.microsoft.com/kb/2535130/ ) Performance in Outlook or in OWA decreases when you use IMAP4 to access the contacts folder in an Exchange Server 2010 environment
  • 2535105 (http://support.microsoft.com/kb/2535105/ ) There is no option to disable the Availability service in an Exchange Server 2010 environment
  • 2533543 (http://support.microsoft.com/kb/2533543/ ) Event ID 2153 is logged on each database availability group member in an Exchange Server 2010 environment
  • 2533538 (http://support.microsoft.com/kb/2533538/ ) You cannot look up the free/busy information of a user who is located on an Exchange Server 2010 organization from another Exchange Server 2010 organization
  • 2533451 (http://support.microsoft.com/kb/2533451/ ) A RBAC role assignee can unexpectedly run the “Update-FileDistributionService” command on an Exchange Server 2010 server that is outside the role assignment scope
  • 2519359 (http://support.microsoft.com/kb/2519359/ ) “Changes to the rule cannot be saved.” error message when you try to create a reply rule by using Outlook in an Exchange Server 2010 environment
  • 2518850 (http://support.microsoft.com/kb/2518850/ ) You cannot receive email messages on a mobile phone by using ActiveSync in an Exchange Server 2010 environment
  • 2517088 (http://support.microsoft.com/kb/2517088/ ) Public folder conflict resolution does not work as usual in an Exchange Server 2010 environment
  • 2515259 (http://support.microsoft.com/kb/2515259/ ) “The items could not be copied.” error message when you run the Get-MailboxSearch cmdlet in an Exchange Server 2010 SP1 environment
  • 2514709 (http://support.microsoft.com/kb/2514709/ ) Event ID 1001 after you successfully the install Exchange Server 2010 Unified Messaging server role
  • 2514574 (http://support.microsoft.com/kb/2514574/ ) The Exchange RPC Client Access service crashes in an Exchange Server 2010 environment
  • 2513723 (http://support.microsoft.com/kb/2513723/ ) The “New-MailboxImportRequest” cmdlet does not import all messages in a .pst file in the ANSI format in an Exchange Server 2010 environment
  • 2512023 (http://support.microsoft.com/kb/2512023/ ) “GetUserOofSettings”, “SetUserOofSettings” and “GetUserAvailability” operations do not support Exchange Impersonation on the Exchange Server 2010 SP1 schema
  • 2511897 (http://support.microsoft.com/kb/2511897/ ) You cannot send an email message to a mailbox for a brief period when you move the mailbox by using online move in an Exchange Server 2010 environment
  • 2507463 (http://support.microsoft.com/kb/2507463/ ) You cannot move a mailbox that contains a corrupted Search Folder in an Exchange Server 2010 environment
  • 2506820 (http://support.microsoft.com/kb/2506820/ ) The free/busy information does not display of a user whose mailbox is located on an Exchange Server 2003 server
  • 2506049 (http://support.microsoft.com/kb/2506049/ ) The hierarchy of a new public folder database on an Exchange Server 2010 SP1 server is not replicated
  • 2505968 (http://support.microsoft.com/kb/2505968/ ) The EdgeTransport.exe process crashes when you apply a rule that contains a bad email address in an Exchange Server 2010 environment
  • 2504453 (http://support.microsoft.com/kb/2504453/ ) You cannot retrieve statistical information about a public folder by using the “Get-PublicFolderStatistics” cmdlet in an Exchange Server 2010 SP1 environment
  • 2503337 (http://support.microsoft.com/kb/2503337/ ) Comments of your meeting response message is missing when you decline a meeting request in an Exchange Server 2010 environment
  • 2501070 (http://support.microsoft.com/kb/2501070/ ) A RBAC role assignee can stop queue processing on an Exchange Server 2010 Hub Transport server or an Exchange Server 2010 Edge Transport server that is outside the role assignment scope
  • 2500903 (http://support.microsoft.com/kb/2500903/ ) A space is missing in the subject line of a “Tentative” meeting response in an Exchange Server 2010 environment
  • 2500648 (http://support.microsoft.com/kb/2500648/ ) “There are no items to show in this view.” error message when you try to view a folder in Outlook in an Exchange Server 2010 environment
  • 2495167 (http://support.microsoft.com/kb/2495167/ ) You cannot recover a deleted public folder by using Outlook or MFCMAPI in an Exchange Server 2010 environment
  • 2495010 (http://support.microsoft.com/kb/2495010/ ) The EdgeTransport.exe process consumes 100% CPU usage on an Exchange Server 2010 Edge Transport server or an Exchange Server 2007 Edge Transport server
  • 2493393 (http://support.microsoft.com/kb/2493393/ ) You cannot use ECP to perform a wipe on a mobile phone in an Exchange Server 2010 SP1 environment
  • 2492068 (http://support.microsoft.com/kb/2492068/ ) “The item cannot be saved to this folder.” error message when try to post an item to a mail-disabled public folder in an Exchange Server 2010 SP1 environment
  • 2491354 (http://support.microsoft.com/kb/2491354/ ) You cannot view the free/busy information of users in a mixed Exchange Server 2007 and Exchange Server 2010 environment
  • 2490134 (http://support.microsoft.com/kb/2490134/ ) A deferred delivery email message is not delivered by using Outlook 2007 in online mode in an Exchange Server 2010 environment
  • 2489964 (http://support.microsoft.com/kb/2489964/ ) An update enables range 0x-0x1F characters in the display name of an Exchange Server 2010 user account
  • 2489938 (http://support.microsoft.com/kb/2489938/ ) The “Connect-ExchangeServer” function does not change the target Exchange server in Exchange Server 2010
  • 2489130 (http://support.microsoft.com/kb/2489130/ ) A RBAC role assignee can unexpectedly change mailbox properties that are outside the management role group scope in an Exchange Server 2010 environment
  • 2488643 (http://support.microsoft.com/kb/2488643/ ) Outlook downloads duplicated POP3 email messages in an Exchange Server 2010 environment
  • 2479188 (http://support.microsoft.com/kb/2479188/ ) The iCal parts of an email message contain invalid entries when they are sent from an Exchange Server 2003 mailbox to an Exchange Server 2010 mailbox
  • 2477273 (http://support.microsoft.com/kb/2477273/ ) The DomainController parameter does not work when you use the “MoveMailbox.ps1″ script to move mailboxes in an Exchange Server 2010 environment
  • 2471964 (http://support.microsoft.com/kb/2471964/ ) A NDR is sent to the sender when you move an email message to a personal folder file in an Exchange Server 2010 SP1 or a later version environment
  • 2467619 (http://support.microsoft.com/kb/2467619/ ) A user who manages a distribution group cannot remove another user whose mailbox is disabled in an Exchange Server 2010 environment
  • 2465292 (http://support.microsoft.com/kb/2465292/ ) “MAPI_E_FAILONEPROVIDER (0x8004011D)” error message when you access an Exchange Server 2010 mailbox by using a MAPI application
  • 2446908 (http://support.microsoft.com/kb/2446908/ ) ESE event descriptions are missing in Event Viewer when the Eseutil utility is called on an Exchange Server 2010 SP1 server
  • 2394554 (http://support.microsoft.com/kb/2394554/ ) An email message is not delivered if it contains unsupported encoded characters in the subject line in an Exchange Server 2010 environment
  • 2491951 (http://support.microsoft.com/kb/2491951/ ) You cannot install Exchange Server 2010 SP1 if the NetBIOS domain name of the domain controller contains an ampersand (&) character
  • 2507066 (http://support.microsoft.com/kb/2507066/ ) Administrator audit logging is disabled unexpectedly during an Exchange Server 2010 SP1 installation

The rollup can be downloaded from Microsoft:

Update Rollup 4 for Exchange Server 2010 SP1

Can’t remove the Exchange Virtual Server

During the removal of an Exchange 2003 cluster I had the issue that I couldn't remove the Exchange Virtual Server from the Cluster Administrator.

In the event log nothing special was logged, so it was time to dig into the log files which are created during this process. Since removal of the Exchange Virtual Server is a cluster-related task, the cluster log file was needed. This is located in the c:\windows\cluster directory.

When you look at the log you will see that several settings are checked before the Exchange Virtual Server is removed.

[11:21:42] Leaving ScTestAceOnObject
[11:21:42] ANONYMOUS LOGON does have READ permissions for MDB objects on the organization
[11:21:42] Checking to see whether the Exchange Domain Servers group has been DENIED Receive-As permissions on the Servers container(s)
[11:21:42] Checking the ACL on the Servers container in the admin group “First Administrative Group”
[11:21:42] Entering ScTestAceOnObject
[11:21:42] Attempting to get DOB for DN “/dc=LOCAL/dc=Corp/cn=Configuration/cn=Services/cn=Microsoft Exchange/cn=Corp/cn=Administrative Groups/cn=First Administrative Group/cn=Servers”
[11:21:42] Attempting to read security descriptor from DOB
[11:21:42] Attempting to initialize CAce object
[11:21:42] Testing to see if given ACE is present
[11:21:42] Test succeeded; fACLPresent = TRUE, fExtraRights = FALSE
[11:21:42] The ACE tested for is present in the ACL of this object
[11:21:42] Leaving ScTestAceOnObject
[11:21:42] The Exchange Domain Servers group has been DENIED Receive-As permissions on the Servers container(s)
[11:21:42] The required permissions have already been set
[11:21:42] Leaving ScDetermineIfLocalDomainServerGroupHasAlreadyBeenACLedOnExchangeCT
[11:21:42] Entering ScFindRoutingGroupThatContainsServer
[11:21:42] Leaving ScFindRoutingGroupThatContainsServer
[11:21:42] ScPRQ_ServerIsNotHomeServerForPostmasterOfNonEmptyOrg (f:\tisp2\admin\src\udog\excommon\prereq.cxx:2981)
Error code 0X80072030 (8240): There is no such object on the server.
[11:21:42] CCompServer::ScCheckEVSPrerequisites (f:\tisp2\admin\src\udog\exsetdata\components\server\compserver.cxx:1405)
Error code 0X80072030 (8240): There is no such object on the server.
[11:21:42] ScSetupExchangeVirtualServer (f:\tisp2\admin\src\udog\exsetdata\exsetds.cxx:1541)
Error code 0XC103FC97 (64663): Setup encountered an error while checking prerequisites for the component “Microsoft Exchange Server”: 0X80072030 (8240): There is no such object on the server.
[11:21:42] Leaving ScSetupExchangeVirtualServer

For example, several ACLs are verified. Besides the ACL checks, the removal process verifies whether the postmaster mailbox is homed on this server. By default the account used to install Exchange 2003 automatically becomes the postmaster. If that mailbox can't be found because it has been deleted, the prerequisite check fails with the "There is no such object on the server" error shown above and the process is aborted.

But how can you solve it? The first and easiest method may be to restore the account and mailbox from backup. If this is not possible you can re-assign the postmaster mailbox to another account.

To re-assign the mailbox to another account you must use ADSIEDIT. Before making any changes with ADSIEDIT make sure you have a correct and recent backup of your Active Directory.

Once you have confirmed this it’s time to make the change. Open the Configuration partition of Active Directory and expand the following nodes:

  • CN=Services
  • CN=Microsoft Exchange
  • CN=Organization Name, for example Corp

Open the properties of CN=Global Settings and look for the attribute msExchAdminMailbox. You will see that its value points to a deleted object:

In this case the attribute has the value CN=Exchadmin\0ADEL:bbf20ca9-7def-4e0f-bdd9-f9107c1643d6,CN=Deleted Objects,DC=Corp,DC=local. The \0ADEL: tag in the name and the Deleted Objects container mean the object is a tombstone: it has been deleted and no longer exists as a live object (the \0A is LDAP escaping for the line-feed character that AD inserts in front of the DEL: marker). To solve the issue, replace the value with the distinguished name of an existing user that has a mailbox, for example CN=Postmaster,OU=ServiceAccounts,DC=Corp,DC=local (the exact path depends on where the account lives in your directory).

After AD replication has occurred you should be able to remove the Exchange Virtual Server using the Cluster Administrator tool.
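The value you are looking for has a recognisable shape, so the check can be scripted. The following Python (an added example, not from the post) decodes the LDAP escaping in a DN, recognises the DEL:<guid> tombstone marker together with the Deleted Objects container, scans a set of attribute values for dangling references before you start editing, and confirms that the replacement you intend to write does not point at a tombstone itself. The attribute values are constructed from the post; reading them from AD is left to whatever LDAP tooling you use.

```python
import re
from typing import Dict, List, Optional, Tuple

# A tombstone's RDN is "<original name>\0ADEL:<objectGUID>". The "\0A" is
# LDAP hex escaping for the line-feed character that AD inserts in front of
# the DEL: tag; the stored value really contains a newline.
TOMBSTONE_TAG = re.compile(
    r"\nDEL:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.IGNORECASE)
DELETED_OBJECTS_RDN = ("CN", "Deleted Objects")
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2}|.)")


def unescape_dn_value(value: str) -> str:
    """Decode RFC 4514 escapes: \\XX hex pairs and backslash-escaped specials."""
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        value)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, raw_value = rdn.partition("=")
        pairs.append((attr.strip().upper(), unescape_dn_value(raw_value.strip())))
    return pairs


def tombstone_guid(dn: str) -> Optional[str]:
    """objectGUID of the deleted object if the DN is a tombstone, else None."""
    rdns = split_dn(dn)
    tag = TOMBSTONE_TAG.search(rdns[0][1]) if rdns else None
    if tag and DELETED_OBJECTS_RDN in rdns[1:]:
        return tag.group(1)
    return None


def dangling_references(attributes: Dict[str, str]) -> Dict[str, str]:
    """Attribute name -> tombstone GUID for every value that points at a deleted object."""
    found = {}
    for name, value in attributes.items():
        guid = tombstone_guid(value)
        if guid:
            found[name] = guid
    return found


# Values constructed from the post: the dangling reference and a live replacement.
CURRENT_VALUE = r"CN=Exchadmin\0ADEL:bbf20ca9-7def-4e0f-bdd9-f9107c1643d6,CN=Deleted Objects,DC=Corp,DC=local"
REPLACEMENT = "CN=Postmaster,OU=ServiceAccounts,DC=Corp,DC=local"

if __name__ == "__main__":
    print(dangling_references({"msExchAdminMailbox": CURRENT_VALUE}))
    print("replacement ok:", tombstone_guid(REPLACEMENT) is None)
```

Both conditions are required on purpose: a name that merely contains "DEL:" is not a tombstone unless it also sits under CN=Deleted Objects, which avoids false alarms on ordinary objects with odd names.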

During the removal of an Exchange 2003 cluster I found an issue after the removal of Trend Micro Scanmail (SMEX) 8.0. After the uninstallation had completed, the Cluster Administrator started with an error. One of the things I expected to cause the issue was the SMEX resource object, which was still there. This could be solved easily by removing it using the default procedure for removing cluster resources.

Despite removing the resource, the Cluster Administrator kept prompting with an error. After some research I discovered that the issue was caused by a resource type, clusRDLL, which was still there.

To clean up this resource type you need to use the cluster command:

cluster restype clusRDLL /delete /type

After this command was executed the error disappeared and I could remove the Exchange 2003 Virtual Server.

Trend Micro has published a knowledge base article about this issue:

Uninstalling Scanmail for Exchange (SMEX) 8.0 from cluster servers

Starting with Exchange 2010 SP1, a scheduled task called Database One Copy Alert is configured automatically on each mailbox server. It runs every hour and checks whether multiple copies of each database are available inside the DAG, and also checks the status of those copies, because a copy which is not healthy may lead to data loss during a failover.

The scheduled task executes the CheckDatabaseRedundancy.ps1 script, which can be found in the Scripts directory of your Exchange installation. But what if you don't have a DAG in your Exchange environment? In that case no alert is sent.

Besides running automatically, the script can also be run manually.

The screenshot above shows the output of the script run on an Exchange server which is not a member of a DAG. In this case no check is performed. As you can see, it is possible to send an alert via e-mail.

When you have a DAG, a lot of information is displayed: for example whether there are multiple database copies, and the status of each copy.

An event generated by the script can have two levels:

  • red: there are not enough copies of the database, or a copy does not have the status Healthy. In this case an event with ID 4113 is logged;
  • green: there are multiple copies of the database and the copies are healthy. In this case an event with ID 4114 is logged.

The first case requires action. One remark must be made about the red level: it is only assigned if the issue still exists after 20 minutes. When a problem is detected the script keeps iterating, once every minute; if after 20 minutes the level is still red, an event is written to the event log. After that an event is written every 15 minutes until the level is green again. Before the level changes back to green the script waits 10 iterations (10 minutes). If you want to receive the status by mail when the alert level changes to red for one of the databases, you need to modify the scheduled task.

By default the scheduled task is executed with the following parameters:

-NonInteractive -WindowStyle Hidden -command "& 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1' -MonitoringContext -ShowDetailedErrors -ErrorAction:Continue"

When you change this to:

-NonInteractive -WindowStyle Hidden -command "& 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts\CheckDatabaseRedundancy.ps1' -MonitoringContext -ShowDetailedErrors -ErrorAction:Continue -SummaryMailFrom:'exchange02.corp.local' -SendSummaryMailTos:@('administrator@corp.local')"

the script will send an e-mail with detailed information as soon as there is an issue.

In the example above you see that there is an issue with a database in our DAG: there is only one copy of that database, so the mailboxes in it are no longer accessible when the server that holds it fails.

After adding an additional database copy and re-running the script the status changes from red to green. If the copy with activation preference 1 fails, the copy with preference 2 is activated.
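The red/green decision and the event IDs described above, applied outside the script so you can run the check interactively or from your own monitoring. This is an added example; it is not part of the original post or of CheckDatabaseRedundancy.ps1. It assumes the script logs its events to the Application log under the source MSExchangeRepl, and that the copy status objects carry the DatabaseName, MailboxServer and Status properties that Get-MailboxDatabaseCopyStatus returns. The sample input at the bottom is constructed.

```powershell
# Added example, not from the original post or from CheckDatabaseRedundancy.ps1.
# Assumptions: event source 'MSExchangeRepl' for IDs 4113/4114; copy status objects
# expose DatabaseName, MailboxServer and Status (as Get-MailboxDatabaseCopyStatus does).
function Get-DatabaseRedundancyLevel {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $CopyStatus,
        [int] $MinimumHealthyCopies = 2
    )
    begin { $copies = @() }
    process { $copies += $CopyStatus }
    end {
        $copies | Group-Object DatabaseName | ForEach-Object {
            # Only a mounted active copy or a Healthy passive copy provides redundancy;
            # Failed, FailedAndSuspended, Suspended, Resynchronizing etc. do not.
            $good = @($_.Group | Where-Object { 'Mounted', 'Healthy' -contains $_.Status })
            $bad  = @($_.Group | Where-Object { 'Mounted', 'Healthy' -notcontains $_.Status })
            $level = 'Red'
            if ($good.Count -ge $MinimumHealthyCopies) { $level = 'Green' }
            New-Object PSObject -Property @{
                Database      = $_.Name
                Copies        = @($_.Group).Count
                HealthyCopies = $good.Count
                Level         = $level
                Problems      = ($bad | ForEach-Object { "$($_.MailboxServer)=$($_.Status)" }) -join ', '
            }
        }
    }
}

function Get-DatabaseRedundancyEvent {
    # Most recent red (4113) / green (4114) events written by the scheduled script.
    # EventID rather than -InstanceId is used because Exchange events carry extra
    # severity bits in the instance ID.
    param([int] $Newest = 20)
    Get-EventLog -LogName Application -Source MSExchangeRepl -Newest 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 4113 -or $_.EventID -eq 4114 } |
        Select-Object -First $Newest TimeGenerated, EventID,
            @{ n = 'Level'; e = { if ($_.EventID -eq 4113) { 'Red' } else { 'Green' } } },
            @{ n = 'Text';  e = { ($_.Message -split "`n")[0] } }
}

# Constructed sample: MBDB01 has a single mounted copy, MBDB02 has a healthy second copy.
$sample = @(
    (New-Object PSObject -Property @{ DatabaseName = 'MBDB01'; MailboxServer = 'MBX01'; Status = 'Mounted' }),
    (New-Object PSObject -Property @{ DatabaseName = 'MBDB02'; MailboxServer = 'MBX01'; Status = 'Mounted' }),
    (New-Object PSObject -Property @{ DatabaseName = 'MBDB02'; MailboxServer = 'MBX02'; Status = 'Healthy' })
)
$sample | Get-DatabaseRedundancyLevel | Format-Table Database, Copies, HealthyCopies, Level, Problems -AutoSize

# On a DAG member, against live data:
#   Get-MailboxDatabaseCopyStatus * | Get-DatabaseRedundancyLevel | Where-Object { $_.Level -eq 'Red' }
#   Get-DatabaseRedundancyEvent | Format-Table -AutoSize
```

The function reports immediately, whereas the scheduled script waits 20 minutes before logging red; use the event lookup when you want the script's own (debounced) verdict.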

The script accepts several parameters. The table below gives an overview:

  Parameter              Description
  -v                     Verbose mode: detailed logging of what happens during execution of the script
  -SummaryMailFrom       The sender address used for the summary e-mail
  -SendSummaryMailTos    The recipient address(es) used for the summary e-mail
  -ShowDetailedErrors    Gives additional details per database copy per server

For more information you can have a look at the page below. Note that this page describes the script as released for Exchange 2010 RTM; starting with Exchange 2010 SP1 the script is installed by Exchange setup by default:

The Exchange Team Blog: RELEASED: Exchange 2010 Database Redundancy Check Script


ActiveSync doesn’t work for specific devices

A while ago Microsoft announced the Exchange ActiveSync Logo program. Under this program Microsoft tests the compatibility of devices with ActiveSync.

One of the reasons for this is the problems you may experience with some devices and ActiveSync. As an administrator or consultant it is sometimes hard to explain to an end user or customer why synchronization doesn't work.

At this moment the following devices are certified:

  • Windows Phone 7
  • Windows Phone 6.5
  • Nokia devices using Mail for Exchange 3.0.50
  • Nokia E7
  • Apple devices using iOS 4

When a device doesn't meet the requirements it may cause issues. One of the issues you may experience is that a device doesn't synchronize at all. This may be the case after a mailbox is migrated from Exchange 2003 to Exchange 2010. This last one is an example of one of the issues I experienced myself.

To investigate this issue you have to use the IIS logs on the Client Access Server. In the case of the Nokia devices the following could be found there:

2011-05-06 11:29:50 192.168.1.41 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=XXXXXX&DeviceId=IMEIXXXXXXXXXXX&DeviceType=NokiaEmail&Log=V0_LdapC9_LdapL16_Mbx:MB.DOMAIN.LOCAL_Dc:DC.DOMAIN.LOCAL_Throttle0_Budget:(A)Conn%3a0%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f0%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F3006a3a1-0211-447a-99f5-6c0ab8e33c84%2cNorm_ 443 DOMAIN\Username 192.168.100.201 NokiaE721/2.02(0)MailforExchange+3gpp-gba 200 0 0 140

2011-05-06 11:30:11 192.168.1.41 POST /Microsoft-Server-ActiveSync/default.eas User=Username&DeviceId=IMEIXXXXXXXX&DeviceType=NokiaEmail&Cmd=Settings&Log=V121_Ssnf:T_LdapC4_LdapL16_RpcC45_RpcL125_Ers1_Cpo19781_Fet19999_Pk0_Error:DeviceNotProvisioned_As:BlockedP_Mbx:MB.DOMAIN.LOCAL_Dc:DC.DOMAIN.LOCAL_Throttle0_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f1%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f1%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F3006a3a1-0211-447a-99f5-6c0ab8e33c84%2cNorm%5bResources%3a(Mdb)MBDB01(Health%3a-1%25%2cHistLoad%3a0)%2c(DC.LOCAL(Health%3a-1%25%2cHistLoad%3a0)%2c(DC)DOMAIN.LOCAL(Health%3a-1%25%2cHistLoad%3a0)%2c%5d_ 443 DOMAIN\Username 192.168.100.201 NokiaE721/2.02(0)MailforExchange+3gpp-gba 449 0 0 19999

The lines above are just two entries from the log. In the first line you see the user authenticate and the web server respond with a 200. In the second line something goes wrong during provisioning: the Settings request is answered with status 449, and the Log field reports Error:DeviceNotProvisioned. When searching on the internet you will find that Nokia devices are not the only ones causing problems; some Android based devices also have issues with ActiveSync. The problem is that these devices can't apply the ActiveSync mailbox policy, which is what administrators use to enforce, for example, the security settings of a device.
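Reading those entries by hand does not scale to a full day of IIS logs. The following is an added example, not from the original post, that pulls the ActiveSync requests which failed provisioning out of a W3C log and reports them per user and device. It assumes the default IIS field order that the two lines above use (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status, sc-substatus, sc-win32-status, time-taken); check the #Fields: header of your own logs before relying on it. The two sample lines are constructed, shortened versions of the entries in the post.

```powershell
# Added example, not from the original post. Assumed field order: the default IIS 7
# W3C layout used by the log lines in the post (see the #Fields: header of your log).
function Get-EasProvisioningFailure {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string] $Line)
    process {
        if ($Line -match '^\s*(#|$)') { return }                        # header / empty lines
        $f = $Line -split '\s+'
        if ($f.Count -lt 14 -or $f[4] -notlike '/Microsoft-Server-ActiveSync*') { return }

        $query  = $f[5]
        $status = [int] $f[10]
        $err = ''
        if ($query -match 'Error:([^_&]+)') { $err = $matches[1] }      # Exchange's own Log= field
        # 449 ("Retry With") is what the CAS returns when the device must (re)provision;
        # anything carrying an Error: marker is worth a look as well.
        if ($status -ne 449 -and -not $err) { return }

        $get = { param($key) if ($query -match ('(?:^|&)' + $key + '=([^&]*)')) { $matches[1] } else { '' } }
        New-Object PSObject -Property @{
            Time       = $f[0] + ' ' + $f[1]
            User       = $f[7]
            ClientIP   = $f[8]
            DeviceType = & $get 'DeviceType'
            DeviceId   = & $get 'DeviceId'
            Cmd        = & $get 'Cmd'
            UserAgent  = $f[9]
            Status     = $status
            Error      = $err
        }
    }
}

# Constructed sample: shortened versions of the two entries shown in the post.
$sample = @(
    '2011-05-06 11:29:50 192.168.1.41 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=Username&DeviceId=IMEI123&DeviceType=NokiaEmail&Log=V0_LdapC9_Mbx:MB.DOMAIN.LOCAL_ 443 DOMAIN\Username 192.168.100.201 NokiaE721/2.02(0)MailforExchange+3gpp-gba 200 0 0 140',
    '2011-05-06 11:30:11 192.168.1.41 POST /Microsoft-Server-ActiveSync/default.eas User=Username&DeviceId=IMEI123&DeviceType=NokiaEmail&Cmd=Settings&Log=V121_Ssnf:T_Error:DeviceNotProvisioned_As:BlockedP_Mbx:MB.DOMAIN.LOCAL_ 443 DOMAIN\Username 192.168.100.201 NokiaE721/2.02(0)MailforExchange+3gpp-gba 449 0 0 19999'
)
$sample | Get-EasProvisioningFailure | Format-Table Time, User, DeviceType, DeviceId, Cmd, Status, Error -AutoSize

# Against a real log on the CAS (path is the IIS default for the Default Web Site):
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex110506.log' | Get-EasProvisioningFailure |
#       Group-Object User, DeviceType, DeviceId | Sort-Object Count -Descending | Select-Object Count, Name
```

Grouping by user and device gives you the inventory the post says is hard to obtain: which devices, and whose, are actually failing, before you touch the policy for everyone.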

When a user logs in via the Exchange Control Panel (ECP) and visits the Phone page, the device is listed there. But the properties of the device show the following:

Access state: Access Denied

Access set by: Security Policy Application

In some cases this leads to unwanted situations. Most end users will not be very happy when synchronization stops working, even if the reason is a device issue.

Because it is difficult to make an inventory of which devices are active in your organization, it might be wise to implement a workaround. This workaround is only needed temporarily, until all devices have been upgraded to the recommended version.

The workaround for this issue is to disable the default ActiveSync policy during the migration. By default this policy is applied to every user. Be aware that while no default policy is set, mailboxes without an explicitly assigned policy get no policy at all, so settings such as a required device password are not enforced until you re-enable it. To disable the default policy you use the Exchange Management Shell (EMS):

Set-ActiveSyncMailboxPolicy -Identity:Default -IsDefaultPolicy:$false

After reconfiguring the device (although this might not be necessary) you will see that it works. Because this creates an unwanted situation it is recommended to solve the real issue.

Besides updating the client it might be necessary to update the firmware of the device. In the case of the Nokia devices ActiveSync did not work after the upgrade to Mail for Exchange 3.0.50 alone.

When all devices have been upgraded it is recommended to enable the default ActiveSync policy again:

Set-ActiveSyncMailboxPolicy -Identity:Default -IsDefaultPolicy:$true
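Disabling the default policy lifts the security settings for every mailbox. A more targeted alternative, shown here as an added example that is not from the original post, is to find the devices that are blocked by policy and to give only their owners a separate policy that allows devices which cannot apply policy settings. It assumes Exchange 2010 SP1 cmdlets, that DeviceAccessStateReason "Policy" is what the ECP shows as "Access set by: Security Policy Application", and that the UserDisplayName returned by Get-ActiveSyncDevice resolves as a mailbox identity in your environment (use the alias if it does not). The policy name is made up.

```powershell
# Added example, not from the original post. Assumptions: Exchange 2010 SP1 cmdlets;
# DeviceAccessStateReason 'Policy' == ECP "Access set by: Security Policy Application";
# UserDisplayName resolves as a mailbox identity; policy name is hypothetical.
$legacyPolicy = 'Legacy devices (temporary)'

# 1. Inventory: devices blocked because they could not apply the mailbox policy
$blocked = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Blocked' -and $_.DeviceAccessStateReason -eq 'Policy' }

$blocked | Sort-Object UserDisplayName |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceUserAgent, DeviceId -AutoSize

# 2. A relaxed policy that only differs from Default in allowing non-provisionable
#    devices, i.e. devices that cannot enforce the policy settings. Created once.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $legacyPolicy -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $legacyPolicy -AllowNonProvisionableDevices $true | Out-Null
}

# 3. Assign it only to the affected mailboxes (run once with -WhatIf first)
$blocked | ForEach-Object { $_.UserDisplayName } | Sort-Object -Unique | ForEach-Object {
    Set-CASMailbox -Identity $_ -ActiveSyncMailboxPolicy $legacyPolicy
}

# 4. Rollback after the devices have been upgraded: back to Default, then drop the policy
# Get-CASMailbox -ResultSize Unlimited |
#     Where-Object { $_.ActiveSyncMailboxPolicy -and $_.ActiveSyncMailboxPolicy.Name -eq $legacyPolicy } |
#     Set-CASMailbox -ActiveSyncMailboxPolicy 'Default'
# Remove-ActiveSyncMailboxPolicy -Identity $legacyPolicy -Confirm:$false
```

The difference from the post's workaround is scope: the Default policy keeps applying to everyone else, and the list from step 1 tells you exactly which devices still need an upgrade before the rollback in step 4.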

For more information about ActiveSync policies you can visit the page below:

Technet: Understanding Exchange ActiveSync Mailbox Policies


How to reprocess messages from a queue

This week I received a question via e-mail about an Exchange 2010 environment. In this environment some big problems had occurred which caused a large number of messages to be placed in the Unreachable queue. Messages are placed in this queue when Exchange can't deliver them; this applies both to messages for external mail servers and to messages for internal Exchange servers.

The queues can be viewed via two methods:

  • via the queue viewer
  • via the Powershell cmdlet get-queue

Using the first method you can also view the individual messages in a queue. For each message a number of attributes are shown, among them:

  • sender
  • receiver
  • subject
  • date and time

You might choose to export the messages and import them again into a queue. But in most cases this is not a suitable solution when hundreds or maybe thousands of messages are located in a queue.

In that kind of scenario you can better use the Retry-Queue cmdlet. With this cmdlet messages are resubmitted to the categorizer. Two of the things this component is responsible for are resolving the recipient address and routing the message. To route a message correctly it is placed in the queue that is used to deliver it to the recipient. When you have a look in the queue viewer you will see several queues, among them one for each mailbox database. Besides these you find the queues used to deliver messages to the internet; when a smart host is used only one such queue is shown.

Messages for which no route to the destination can be found are placed in the Unreachable queue. This can for example happen when the mailbox server is not reachable.

To resubmit these messages you use the following cmdlet:

Retry-Queue -Identity <servername>\Unreachable -Confirm -Resubmit $true

For example:

Retry-Queue -Identity HUB01\Unreachable -Confirm -Resubmit $true

In the example above all messages from the Unreachable queue on the server HUB01 will be resubmitted.

After running the cmdlet the messages will be delivered. Depending on the amount of messages this may take some time.
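Before resubmitting hundreds of messages blindly it is worth knowing why they are unreachable and who sent them; a queue that filled up during "big problems" may also hold mail you do not want delivered at all. The following is an added example, not from the original post, that inspects the Unreachable queue, keeps a few copies for later analysis, and only then resubmits. It assumes the Hub Transport server HUB01 from the post and a made-up export directory.

```powershell
# Added example, not from the original post. Assumptions: Hub Transport server 'HUB01'
# (from the post); export directory C:\Temp\Unreachable is made up.
$server  = 'HUB01'
$queueId = "$server\Unreachable"
$export  = 'C:\Temp\Unreachable'

# 1. Overview of all queues on the server: where is the backlog, and what was the last error?
Get-Queue -Server $server | Sort-Object MessageCount -Descending |
    Format-Table Identity, DeliveryType, Status, MessageCount, LastError -AutoSize

# 2. Why are these messages unreachable, and who is sending them?
$msgs = Get-Message -Queue $queueId -ResultSize Unlimited
$msgs | Group-Object LastError   | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$msgs | Group-Object FromAddress | Sort-Object Count -Descending | Select-Object -First 10 |
    Format-Table Count, Name -AutoSize

# 3. Keep a copy of a few messages as .eml for inspection; Export-Message does not
#    remove them from the queue. AssembleMessage is the helper that ships with the EMS.
New-Item -ItemType Directory -Path $export -Force | Out-Null
$msgs | Select-Object -First 5 | ForEach-Object {
    $file = Join-Path $export (($_.InternetMessageId -replace '[<>@:\\/]', '_') + '.eml')
    Export-Message -Identity $_.Identity | AssembleMessage -Path $file
}

# 4. Resubmit: everything in the queue goes back to the categorizer
Retry-Queue -Identity $queueId -Resubmit $true -Confirm:$false

# 5. Watch the queue drain; a count that does not drop means the routing problem is still there
Get-Queue -Identity $queueId | Format-Table Identity, Status, MessageCount, LastError -AutoSize
```

If step 2 shows a single sender responsible for most of the backlog, remove those messages with Remove-Message before the resubmit rather than delivering them along with the rest.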

For more information have a look at the page below:

Technet: Resubmit Messages in Queues


Both the Exchange Management Console (EMC) and the Exchange Management Shell (EMS) connect to PowerShell using a remote session. During that session a connection is made to the virtual directory PowerShell, which can be found in the IIS Management Console. By default this virtual directory is only accessible over port 80.

Kerberos is used to authenticate users; for this the Exchange setup installs a separate DLL.

Removing Exchange and re-installing it on another volume may lead to problems here. Of course this is a scenario you won't see a lot.

After Exchange has been completely re-installed in the new location the EMC won't start anymore. In the event log you see a lot of errors like the one above.

Because IIS is used, some configuration settings are stored in the IIS configuration files, which can be found in c:\windows\system32\inetsrv\config\, for example applicationHost.config.

In the globalModules section several native modules, such as the authentication methods and redirection, are listed by referring to the DLL each of them requires.

Because kerbauth.dll is a native module it is listed there as well, with the Exchange installation directory as its location. In some cases this entry is not removed or updated during the re-install and keeps pointing to the old location. The result: the DLL can't be found.

The problem is solved easily by correcting the path so that it points to the new location. This can be done using the variable ExchangeInstallPath (Exchange 2007 only).
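To check the entry without opening applicationHost.config in an editor, the following added example (not from the original post) reads the globalModules section, resolves the image path the way IIS does (environment variables expanded) and tests whether the DLL exists; a second function prints, and optionally runs, the appcmd command that rewrites the path. It assumes the module is registered under the name kerbauth, the default applicationHost.config location, and that the ExchangeInstallPath environment variable is set on the server. The sample configuration at the bottom is constructed to show a stale path.

```powershell
# Added example, not from the original post. Assumptions: module name 'kerbauth',
# default applicationHost.config location, %ExchangeInstallPath% set by Exchange setup.
function Test-KerbAuthModule {
    param(
        [string] $ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
        [string] $ModuleName = 'kerbauth'
    )
    [xml] $config = Get-Content -LiteralPath $ConfigPath
    $entry = $config.configuration.'system.webServer'.globalModules.add |
        Where-Object { $_.name -eq $ModuleName }
    if (-not $entry) {
        return New-Object PSObject -Property @{ Module = $ModuleName; Registered = $false; Image = $null; Exists = $false }
    }
    # IIS expands %VAR% references in the image attribute itself; do the same before testing
    $resolved = [Environment]::ExpandEnvironmentVariables($entry.image)
    New-Object PSObject -Property @{
        Module     = $ModuleName
        Registered = $true
        Image      = $entry.image
        Resolved   = $resolved
        Exists     = (Test-Path -LiteralPath $resolved)
    }
}

function Repair-KerbAuthModule {
    # Prints the appcmd call that rewrites the image path; runs it (and restarts IIS) with -Apply.
    param(
        [string] $NewImage = (Join-Path $env:ExchangeInstallPath 'Bin\kerbauth.dll'),
        [switch] $Apply
    )
    $appcmd  = "$env:windir\System32\inetsrv\appcmd.exe"
    $cmdArgs = @('set', 'config', '-section:system.webServer/globalModules',
                 "/[name='kerbauth'].image:$NewImage", '/commit:apphost')
    Write-Host "$appcmd $($cmdArgs -join ' ')"
    if ($Apply) {
        & $appcmd $cmdArgs
        iisreset
    }
}

# Constructed sample: the entry still points at the old volume (D:), so Exists is False.
$sampleConfig = @'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="kerbauth" image="D:\Program Files\Microsoft\Exchange Server\V14\Bin\kerbauth.dll" />
    </globalModules>
  </system.webServer>
</configuration>
'@
$tmp = Join-Path $env:TEMP 'applicationHost.sample.config'
Set-Content -LiteralPath $tmp -Value $sampleConfig
Test-KerbAuthModule -ConfigPath $tmp | Format-List Module, Registered, Image, Resolved, Exists

# On the affected server:
#   Test-KerbAuthModule | Format-List
#   Repair-KerbAuthModule            # shows the command
#   Repair-KerbAuthModule -Apply     # rewrites the path and restarts IIS
```

Run the check from an elevated prompt; applicationHost.config is readable only by administrators, and appcmd needs the same rights to commit the change.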

For more troubleshooting tips you can visit the page below. It lists several issues with this virtual directory and their solutions.

Technet: Powershell Virtual Directory issue causes problems with EMS


EMC can’t be closed after IE 9 is installed

Update 1-5-2010: this issue only occurs when opening one of the items located in the organizational management folder.

On several forums messages have been posted about problems closing the Exchange Management Console (EMC) after the installation of Internet Explorer 9, which results in the following error:

The problem has been reported with the EMC for both Exchange 2007 and Exchange 2010, running on Windows 7, Windows 2008 and Windows 2008 R2, including systems fully updated to Service Pack 1.

The solution is pretty simple: remove Internet Explorer 9.

Because I was curious whether I would get the same error, I installed a clean Windows 2008 R2 with Exchange 2010 SP1. Unfortunately the problem couldn't be reproduced on this machine. Even after the installation of SP1 the problem was still not reproducible.

But since this is a clean install it's not a fair comparison. If you find issues with the EMC in combination with IE 9, please let me know.


After the installation of Exchange 2010 SP1 on a server that only holds the Mailbox Server role you may get a lot of errors in the event log.

Looking at the errors more closely you will see that they are caused by the performance counters. A reference is made to the registry key HKLM\Software\Microsoft\ExchangeServer\v14\Transport, which can't be opened.

When you open regedit and search for that registry key you won't find it. Rather strange, because the RPC Client Access service is installed on a Mailbox Server.

According to the Knowledge Base article on the subject you don't have to worry about these events, because they have no effect on the performance of the Mailbox Server. Personally I don't like errors in the event log, so how can you solve this issue?

Pretty simple:

  • Open the Exchange Management Shell
  • Run the following command: Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Setup
  • Run the following command: New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\RpcClientAccessPerformanceCounters.xml"

By running these cmds we will install the Performance Counters needed for the RPC Client Access Service. Once installed the error won’t be displayed anymore.
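The three steps above, as an added example that is not from the original post, made safe to re-run: it only creates the counters when the category is really missing, rebuilds them (remove, then create) when they exist but keep logging errors, and then verifies that a counter can be read and that the errors have stopped. It assumes the counter category is named "MSExchange RpcClientAccess", that the errors come from source MSExchange Common with event ID 106, and that the definition file lives under the path the post uses (taken from the ExchangeInstallPath variable when set).

```powershell
# Added example, not from the original post. Assumptions: category 'MSExchange RpcClientAccess';
# error events are 'MSExchange Common' ID 106; definition file path as in the post.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Setup -ErrorAction SilentlyContinue

$installPath = $env:ExchangeInstallPath
if (-not $installPath) { $installPath = 'C:\Program Files\Microsoft\Exchange Server\V14\' }
$definition = Join-Path $installPath 'Setup\Perf\RpcClientAccessPerformanceCounters.xml'
$category   = 'MSExchange RpcClientAccess'

function Test-PerfCounterCategory {
    param([Parameter(Mandatory=$true)][string] $Name)
    [System.Diagnostics.PerformanceCounterCategory]::Exists($Name)
}

function Get-PerfCounterError {
    # Recent counter load errors; the source and ID are the ones these events normally carry.
    param([int] $Newest = 20)
    Get-EventLog -LogName Application -Source 'MSExchange Common' -Newest 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 106 } |
        Select-Object -First $Newest TimeGenerated, @{ n = 'Text'; e = { ($_.Message -split "`n")[0] } }
}

if (-not (Test-Path -LiteralPath $definition)) {
    throw "Definition file not found: $definition"
}

if (-not (Test-PerfCounterCategory $category)) {
    # Step 3 of the post: the category is missing, so just create it
    New-PerfCounters -DefinitionFileName $definition
} else {
    # Counters exist but still log errors: drop and re-create them from the same definition
    Remove-PerfCounters -DefinitionFileName $definition
    New-PerfCounters -DefinitionFileName $definition
}

# Verify: the category should resolve and a counter sample should be readable
Test-PerfCounterCategory $category
Get-Counter -Counter "\$category\Connection Count" -ErrorAction SilentlyContinue

# Any 106 events logged after this point mean the problem is not the missing counters
Get-PerfCounterError | Format-Table -AutoSize
```

Run this from the Exchange Management Shell opened as administrator; registering performance counters writes to HKLM and fails silently for a non-elevated session.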

If you want more information about removing or reloading the performance counters, have a look at the page referenced in this post.
