MS Exchange Tips

Backup Exec attempted to back up an Exchange database according to the job settings. The database was not found in the Database Availability Group DAG

2011-11-14T08:13:00.000-08:00

When attempting to backup an Exchange 2010 DAG you recieve the following error:

V-79-57344-896 - Backup Exec attempted to back up an Exchange database according to the job settings. The database was not found in the Database Availability Group (DAG), however. Update the selection list and run the job again.

You have verified that the backup exec agent service is running with the LSA account and is in the Exchange org admin group. In this instance the issue was caused by renaming the database display name for example “MDB01 Tier1” to “MDB01 Tier 1 500GB”.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Calendar sharing is not available with the following entries because of permission settings on your network

2011-10-27T08:42:00.000-07:00

When attempting to share a calendar to another internal user using outlook 2010 you receive the error

Calendar sharing is not available with the following entries because of permission settings on your network

After deleting the nickname cache and choosing the name from the GAL you still receive this error. In this instance it was resolved using:

set-mailbox user1 -applymandatoryproperties

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

UAG Exchange 2010 OWA Error_Code=51 has resulted in too many redirects

2011-09-02T08:24:00.000-07:00

Summary: After rebooting UAG servers, you receive the following error in your browser when attemping to access owa.company.com

https://outlook.company.com/internalsite/internalerror.asp?site_name=trunk1&secure=1&error_code=51 has resulted in too many redirects.

Root cause: In this instance every time the UAG is rebooted (in our case montly windows patch) one UAG box failed to start the internal site in IIS. If you start the site or run "activate" in the UAG console, OWA will work.

What is happening is that UAG accepts the Outlook anywhere request, and does an internal redirect to its own “internal site”. This is normal, as the InternalSite, listening on port 6001, is UAG’s administrative engine (handles login, authentication, errors etc).

Root fix: There is an error event that comes up after we patch on UAG2 that doesn’t occur on UAG1 even though they are configured and patched exactly the same.

Event id 107
Report Server Windows Service (ISARS) cannot connect to the report server database.

Two services were stopped on UAG2 below. It appears one service is starting before the other “SQL Server Reporting Services (ISARS)” before “SQL Server (ISARS)”.

Set the dependency in the registry.

“SQL Server Reporting Services (ISARS)” Depend on service “SQL Server (ISARS)”

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010: Bulk Provision and Move Mailbox Import-csv

2011-07-20T17:03:00.001-07:00

Import-CSV "C:\ADMT\users.txt" | foreach {.\Prepare-MoveRequest.Ps1 -Identity $_.users -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,OU=GALSync,DC=corp,DC=dom" -UseLocalObject -overwritelocalobject}

Import-CSV "C:\ADMT\users.txt" | foreach {New-MoveRequest -Identity $_.users -RemoteLegacy -TargetDatabase "mdb06 tier3" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "corp.dom" -SuspendWhenReadyToComplete}

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Roadsync Sync Error: (-1002)

2011-06-09T13:50:00.000-07:00

When attemping to synch with corporate Exchange server 2010, the roadsync is unsucessful and produces error Sync Error: (-1002).

Sony Ericsson Xperia X8 Model E15A Firmway 2.1 update 1 build 2.1.1.A.0.6.

Resolution: Use the upn as the login name jsmith@domain.com. The upn you can find in the account tab of Active Directory Users and computer.

username: jsmith@domain.com
server: mail.company.com (didn't need to specify the https in the url)
company: domain (didn't need the FQDN)

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Bulk Modify Targetaddress Attribute

2011-03-10T12:06:00.000-08:00

Although there are multiple methods to bulk modify AD attributes the sample below shows how to use the the command line version of admodify to update the targetaddress.

C:\Admin\Tools\ADModify_2.1>admodcmd -dn OU=FromILM,OU=Galsync,DC=Corp,DC=dom -f
targetaddress=*@domain.local -custom targetaddress "%'mailNickName'%@domain.local

In this example AD modify will get all contacts in the specified OU with targetaddress of @domain.local and replace it with their alias@domain.local.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 Outlook OAB 0x8004010f Not Found

2011-02-18T09:28:00.000-08:00

When downloading the OAB from Outlook you recieve not found 0x8004010f. Although there are many issues that can cause this error mentioned in article below

Outlook clients receive error 0x8004010f when downloading the Offline Book Addresshttp://msexchangeteam.com/archive/2007/04/19/437902.aspx

Ensure that the DB has been configured to use the OAB.

Open EMC, Org Config, Mailbox, Database Management Tab.

Right click properties of each Database, Client Settings Tab. Offline Address Book, Browse and select your \Default Offline Address Book.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Microsoft Exchange RPC Client Access Service Fails to Start

2011-02-18T09:24:00.001-08:00

When starting the Microsoft Exchange RPC Client Access Service you receive the following error:

The Microsoft Exchange RPC Client Access Service on the local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.

Verify if you have statically configured the RPC port and that it is a valid port in decimal and not hex format.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeRpc\ParametersSystem

TCP/IP Port

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 Public Folder Cannot expand the folder. Microsoft Exchange is not available

2011-02-18T09:19:00.000-08:00

When launching Outlook, you receive a login prompt. Email flow continues to work whether you login or not. However when you expand the public folder, you receive the error after you enter your credentials.

Cannot expand the folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance. (/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=Servername

From OWA public folder access works.

Ensure that the Microsoft Exchange RPC Client Access Service is running on your mailbox server.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Migrating BES 5.0 to new Forest Using Transporter Suite

2011-02-07T07:13:00.000-08:00

Coming soon.

The critical property 'LegacyExchangeDN' is missing in the MailUser object

2011-02-07T07:07:00.000-08:00

When performing a new-moverequest you receive the following error:

The critical property 'LegacyExchangeDN' is missing in the MailUser object 'migrateme3'.
+ CategoryInfo : InvalidArgument: (corp.dom/GALSync/FromILM/migrateme3:MailboxOrMailUser
IdParameter) [New
-MoveRequest], RecipientTaskException
+ FullyQualifiedErrorId : 9DC9C0BA,Microsoft.Exchange.Management.RecipientTasks
.NewMoveRequest

The issue is you used ADMT to migrate the user first then ran prepare-moverequest. The issue is that prepare-moverquest although says it is sucessful did not properly convert it into a mail enabled user. The script failed to stamp the legacyexchangeDN as well as the target address. If you manually add the legacyexchagneDN you then run into the error below:

Cannot find a recipient that has mailbox GUID 'f41a2905-8ea2-4ff3-a56f-4ed8739a2622'.
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
+ FullyQualifiedErrorId : B5053E67,Microsoft.Exchange.Management.RecipientTasks.
NewMoveRequest

I'm still investigating this as prepare-moverequest is supposedly supported after Exchange 2010 SP1 with the overwritelocalobject parameter. The workaround in the meantime that I have if you want to use ADMT first:

1.Use ADMT to migrate all user accounts
2.Prepare-moverequest on all accounts (legacyexchangedn or targetaddress is still missing)
3.Use script to add targetaddress of mailnickname@company.com on all migrated accounts, I use admodify, but you can use powershell etc.
4.Update-recipient on all migrated accounts. This will stamp the legacyexchangedn
5.New-moverequest succeeds

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 Mailbox Move An error occurred while updating a user object after the move operation. --> The value 'HTTP§1§1§§§§§§' is already present

2011-01-31T14:44:00.000-08:00

When performing a cross forest mailbox move using the new-moverequest, the mailbox move fails at the completing stage when viewing in the move request in the EMC. When you open the move request for the user in the details tab you see the following error.

Error details: An error occurred while updating a user object after the move operation. --> The value 'HTTP§1§1§§§§§§' is already present in the collection.

Resolution: Delete the protocolsettings using adsiedit for both the source and target user.

1. Open adsiedit.msc from run command on source DC
2. Locate your user in the domain partition
3. Locate attribute protolsettings and delete all values
4. Repeat steps for target user in target domain
5. Resume the failed mailbox move

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

ActiveX component can't create object: 'ADMT.Migration'

2011-01-26T18:43:00.000-08:00

When attempting to set exclusions or add exclusions on ADMT you receive the following error:

C:\Admin\scripts\ADMTExclusion.vbs(1, 1) Microsoft VBScript runtime error: Activ
eX component can't create object: 'ADMT.Migration'

Resolution:

Run the command from the C:\Windows\SysWOW64> directory.

C:\Windows\SysWOW64>cscript c:\admin\scripts\admtexclusion.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 New Forest Migration Provisioning Distribution Lists

2011-01-26T18:34:00.001-08:00

Exchange 2007 and Exchange 2010 have the ability to provision mailbox enabled users. What about Exchange Distribution Lists? Previous options were to use a third party migration suite or powershell or even LDIFDE. As you noticed ADMT 3.2 by default does provision or create Exchange Distribution Lists. If you use ADMT 3.2 to migrate a Distribution List, it will get migrated to the target forest but as a flat AD group only. Exchange is unware of this group being a Distribution Group. In order for ADMT 3.2 to provision this as an AD group you have to prevent ADMT 3.2 from exluding Exchange attributes during the migration.

Create a new notepad file and name it ADMTexclusion.vbs and enter the lines below.
Set objMig = CreateObject("ADMT.Migration")
objMig.SystemPropertiesToExclude = ""

Then run the file on your ADMT server:

C:\Windows\SysWOW64>cscript c:\admin\scripts\admtexclusion.vbs

Caveats: ADMT excludes Exchange attributes by default to prevent issues with provisioning mailbox users prior to Exchange 2010 SP1. So ensure that you're on SP1. To get additional details read article below. Also note that even though you provision the DL with ADMT it will not bring over all the attributes such as send restrictions, hide from GAL etc.

Exchange 2010 Cross-Forest Mailbox Moves
http://msexchangeteam.com/archive/2010/08/10/455779.aspx

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

IIS7 Application Request Routing and Outlook Anywhere 2010?

2011-01-26T14:49:00.000-08:00

Is it possible to use IIS7 ARR as an alternative reverse proxy in lieu of UAG\TMG? From testing, I was able to get it to work but had to pan out some key issues.

After setting ARR up to point to my CAS servers, OA did not connect.

The issue was with IIS7 default 30MB HTTP request limit. The IIS trace logs show that Outlook is trying to send 1GB (1073741824 bytes) of data and getting 404.13 Content length too large. Note this is an empty mailbox. Once we up this to this value it works. The request is always sending exactly this much data which MS thinks it could actually an error code in the bytes field and not actually the bytes. 1073741824 also represents “unknown error condition” code. Highly unlikely it’s sending 1GB since the IIS logs on the Exchange server do not show this. Theory is that ARR is running into some error condition trying to process rpc over http requests.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange Powershell "Cannot save changes made to an item to store"

2011-01-25T20:19:00.001-08:00

When running the following powershell command you receive the "Cannot save changes made to an item to store"

[PS] C:\Windows\system32>Get-Mailbox -Server "dcexmailp02" |
Set-CalendarProcessing -ProcessExternalMeetingMessages $true
Cannot save changes made to an item to store.
+ CategoryInfo : NotSpecified: (14:Int32) [
Set-CalendarProcessing], QuotaExceededException
+ FullyQualifiedErrorId : DF365789,Microsoft.Exchange.Management.StoreTasks.
SetCalendarProcessing

In additional if you run:

[PS] C:\Program Files\Microsoft\Exchange Server\v14\Scripts>Get-Mailbox
| Set-CalendarProcessing -ProcessExternalMeetingMessages $true
Cannot save changes made to an item to store.
+ CategoryInfo : NotSpecified: (21:Int32)
[Set-CalendarProcessing], QuotaExceededException
+ FullyQualifiedErrorId : DEBD37F4,Microsoft.Exchange.Management.StoreTasks.
SetCalendarProcessing

Resolution: You have a mailbox that has a quota of 0 set. In this case, I had configured a mailbox with a 0 send\receive limit for users to use to check Freebusy times during migration coexistence and prohibited the account from sending\receiving email.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

5.4.6 Hop count exceeded - possible mail loop - Forest Migration

2011-01-24T13:57:00.000-08:00

After you perform a cross forest mailbox move, the user is able to send emails, but cannot receive. You receive the following NDR.

Delivery has failed to these recipients or groups:
Bob Smith (bsmith@company.com)
A problem occurred during the delivery of this message. Please try to resend the message later. If the problem continues, contact your helpdesk.
The following organization rejected your message: mail.company.com.

Diagnostic information for administrators:
Generating server: exchangeserver.corp.dom
bsmith@company
mail.company.com #554 5.4.6 Hop count exceeded - possible mail loop ##

Resolution: Disable the mailbox and reconnect.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Cannot create mail enabled user because an existing object with type already has the same proxy addresses/MasterAccountSid.

2011-01-18T13:40:00.000-08:00

When provisioning an MEU using the Prepare-MoveRequest.Ps1 script you receive the following error:

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\Prepare-MoveRequest.Ps1 -Identity "CN=mbperm1,OU=office,D
=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $R
mote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=office,DC=corp
DC=dom" -uselocalobject -overwritelocalobject
The operation couldn't be performed because object 'corp.dom/Office/mbperm1' couldn't be found on 'EQDCP01.corp.dom'.
+ CategoryInfo : NotSpecified: (:) [Get-Recipient], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 4A3D86A8,Microsoft.Exchange.Management.RecipientTasks.GetRecipient

C:\Program Files\Microsoft\Exchange Server\V14\Scripts\Prepare-MoveRequest.ps1 : Cannot create mail enabled user becaus
e an existing object with type already has the same proxy addresses/MasterAccountSid.
At line:1 char:26
+ .\Prepare-MoveRequest.Ps1 <<<< -Identity "CN=mbperm1,OU=office,DC=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainCo
ntroller "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.do
m" -LocalForestCredential $Local -TargetMailUserOU "OU=office,DC=corp,DC=dom" -uselocalobject -overwritelocalobject
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Prepare-MoveRequest.ps1

The reason is you used ADMT and didn't exclude the necessary exchange attributes. Therefore prepare-moverequest fails to merge to the existing object brought over by ADMT. The provisioning script must match 3 attributes: Proxyaddresses, mail and mailnickname. You must have all 3 attributes set in order for the script to match and merge the MEU then excluse all other Exchange attributes.

You must script the move to stop the exclusion of some core exchange attributes. The link below shows a sample script. You would then need to append the following lines.

Create a new notepad file and name it ADMTexclusion.vbs and enter the lines below.
Set objMig = CreateObject("ADMT.Migration")

objMig.SystemPropertiesToExclude = "homeMDB, homeMTA, showInAddressBook, msExchHomeServerName, msExchRecipientTypeDetails, msexchrecipientdisplaytype msExchMailboxSecurityDescriptor, msExchMDBRulesQuota, msExchPoliciesIncluded, msExchUserAccountControl, msExchVersion, mdbusedefaults"

Then run the file on your ADMT server:

C:\Windows\SysWOW64>cscript c:\admin\scripts\admtexclusion.vbs

Migrating All User Accounts
http://technet.microsoft.com/en-us/library/cc974368(WS.10).aspx

Another option is to use ADMT to bulk move\seed them without any attributes, then use either powershell or old friend ADModify to bulk update the proxyaddresses, mail and mailnickname. Typically you would use %'samaccount'% as the variable to fill in these attributes.

Finally you can just provision the account using Prepare-MoveRequest.ps1 first then use ADMT.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

420 4.2.0 RESOLVER.ADR.Ambiguous; ambiguous address

2010-12-23T10:29:00.000-08:00

Error is caused by duplicate SMTP proxy addresses. In this instance Galsync created a contact during a sync to the target forest even though the user was already migrated to the target forest. Since the contact and user had the same SMTP address, messages to this user was queued.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Preserve Cross Forest Free Busy When Migrating to New Forest Feasible?

2010-12-22T07:50:00.000-08:00

FreeBusy requires that both old and new Forest needs two unique SMTP domains @newdomain.com and @legacydomain.com. The issue is that since both orgs are also sharing @company.com with @company.com being the primary SMTP domain for both orgs we run into problems with Galsync.

Scenario: For newdomain.dom users to see legacydomian.com user’s FreeBusy

1. Add @legacydomain.com as another SMTP email address to userA in ipcfcdom forest
2. Galsync will create a contact in corp.dom for userA with @company.com being the primary email and @legacydomain.com being secondary
3. User in newdomain.com tries to look up FreeBusy for userA and fails. Although @legacydomain.com is in userA’s contact, userA’s primary email is still @company.com
4. To resolve; Galsync must change what’s known as the targetaddress (foreign email address) to @legacydomain.com on the contact. By default Galsync makes the targetaddress the same as the primary email address @company.com. This is the problem. According to MS you will need to do custom coding on the source code for the GALsync to change this default behavior.

What I implemented:

ForestA has @ADdomainA.com as authoratative accepted domain and Email address policy.
ForestB has @ADdomainB.dom as authoratative accepted domain and Email address policy.

Create respective SMTP send connectors to forward these SMTP domains to each respective HT servers shared SMTP mail flow.

Now internal mail flow between both forests will be based on these internal SMTP domains. FreeBusy will also be based on these internal domains.

Then follow doc
How to Configure the Availability Service for Cross-Forest Topologies
http://technet.microsoft.com/en-us/library/bb125182(EXCHG.80).aspx

You will need to export the SCP of each respective domain and configure the availability address space.

If you do still are not able to see the FreeBusy after you have configured everything, make sure that the Firewall is not blocking HTTPS between the CAS server in 2007 and CAS servers in 2010. HTTPS needs to be open for the respective CAS servers to query each others serviceBindingInformation.

https://outlook.company.com/autodiscover/autodiscover.xml
https://mail.company.com/autodiscover/autodiscover.xml

Then my GALsync contacts in ForestB (new forest) I will need to change the targetaddress to @ADdomainA.com. GALsync created contacts for MB users from FroestA to ForestB but sets the targetaddress on the contacts as the shared primary SMTP of @company.com.

What I did was use good old Admodify, and limit the scope to the OU where the GALsync contacts got created and do a cusom LDAP query for (targetaddress=*@company.com) The reason is I don't want to inadvertently modify the targetaddress for external contacts that may have actual external addresses say @yahoo.com. This query will search for all contacts that have the targetaddress of @company.com. Then I go into the custom tab and set the targetaddress to %'mailNickName'%@ADforestA.com.

Now when you migrate a user's mailbox from ForestA to ForestB, the MB user gets converted to a mail enabled user. You need to ensure that the targetaddress is set to @ADforestB.com. You can append this in the new-moverequest parameter.

New-MoveRequest -Identity "Distinguished name of User in Target Forest" -RemoteLegacy -TargetDatabase "E2K10 Mailbox Database Name" -RemoteGlobalCatalog "FQDN of Source DC" -RemoteCredential $Remote -TargetDeliveryDomain "ADforestB.com"

Note when you run GALsync again, it will overwrite the targetaddress of the contacts back to the shared SMTP namespace @company.com. This will break FreeBusy again. So your options are, don't run Galsync again or you will need to fix again using Admodify to update the targetaddress again.

Also GALsync will create a mail contact even if a matching mailbox enabled user exists on the target forest. Therefore after you migrate a mailbox user, you need to have GALsync exlude those accounts from being synced up. Two methods move the migrated users to a separate OU in the source domain and have Galsync ignore those OUs when it syncs. Or what I did was set up GALsync to ignore all accounts that have attributeextension15 with the work "migrated". You would set this on the attribute flow rule.

As far as autodiscover for externally connected, non domain joined clients for users who get migrated, you have no option. FreeBusy, OOF will not work. You will need to tell your migrated users to use OWA in during the coexistence. This is because externally connected clients will have to use DNS to find the autodiscover. Unless you are willing to publish and use two unique public SMTP namespace you have no other option.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 moving mailboxes back to source forest

2010-12-06T10:25:00.000-08:00

The following examples show moving a mailbox from a 2007 Exchange Forest to a new 2010 Exchange Forest then moving back to the 2007 Exchange Forest. When moving mailboxes cross forest, the source mailbox is deleted. For contingency planning you can export the mailboxes to a pst prior to moving or move the mailboxes back to the source Forest.

Moving the mailbox from the Exchange 2007 Forest to new Exchange 2010 Forest.

1. .\Prepare-MoveRequest.Ps1 -Identity "CN=migusr5,OU=Office,DC=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,OU=GALSync,DC=corp,DC=dom" -UseLocalObject

2. New-MoveRequest -Identity "CN=migusr5,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb01 tier1" -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "simplexity.com"

Moving the mailbox back from Exchange 2010 Forest to Exchange 2007 Forest.

1. New-MoveRequest -Identity "migusr5@simplexity.com" -remotelegacy -RemoteTargetDatabase "DCEX01\Third Storage Group\Third Storage Group Mailbox Database 250MB Limit" -Remoteglobalcatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "simplexity.com"

Make sure to clear the move request log in EMC prior to moving the mailbox back.

Known issues:
It may take 2 hours for the mail to start working in the source domain. This is because the source Exchange server's information store caches the homemdb value. You either have to restart the IS service or wait. During this time the recipient will not receive any emails and will bounce back to the sender. As a temporary workaround, you can create a transport rule to redirect all emails sent to this moved user to another mailbox to save all emails and prevent bounces.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

ILM 2007: Microsoft Identity Server has detected a Microsoft Exchange Version different from the one you have selected.

2010-12-06T07:35:00.001-08:00

When creating the GALsync MAs you receive the error:

Microsoft Identity Server has detected a Microsoft Exchange Version different from the one you have selected. Do you want to continue? If you believe this is an error, please re-enter forest credentials to run detection again.

This is an innocuous error and can be ignored according to MS tech. I have not seen any issues with functionality.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

ILM 2007: It appears this forest is not exchange enabled

2010-12-06T07:29:00.000-08:00

When configuring ILM 2007 for GALsync you receive the following errors when configuring the Galsyn MA for the target forest.

"It appears this forest is not exchange enabled"

To resolve enter the credentials for the target MA in upn format.

domain: target.com
username: user@target.com
pass: password

If you delete the MA and recreate you do not have to use the UPN. Appears to be a bug.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)

2010-11-30T11:47:00.000-08:00

When performing a new-moverequest you receive the error MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)

New-MoveRequest -Identity "CN=miguser7,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb01 tier1" -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliver
yDomain "company.com"

MapiExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)
Diagnostic context:
......
Lid: 15000 dwParam: 0x6BA Msg: EEInfo: prm[2]: Pointer val: 0x2910810A00000000
Lid: 16280 dwParam: 0x6BA Msg: EEInfo: ComputerName: n/a
Lid: 8600 dwParam: 0x6BA Msg: EEInfo: ProcessID: 3260
Lid: 12696 dwParam: 0x6BA Msg: EEInfo: Generation Time: 2010-11-16 19:40:52:880
Lid: 10648 dwParam: 0x6BA Msg: EEInfo: Generating component: 18
Lid: 14744 dwParam: 0x6BA Msg: EEInfo: Status: 10060
Lid: 9624 dwParam: 0x6BA Msg: EEInfo: Detection location: 318
Lid: 13720 dwParam: 0x6BA Msg: EEInfo: Flags: 0
Lid: 11672 dwParam: 0x6BA Msg: EEInfo: NumberOfParameters: 0
Lid: 45169 StoreEc: 0x977
Lid: 52465 StoreEc: 0x977
Lid: 60065
Lid: 33777 StoreEc: 0x977
Lid: 59805
Lid: 52209 StoreEc: 0x977
Lid: 19778
Lid: 27970 StoreEc: 0x977
Lid: 17730
Lid: 25922 StoreEc: 0x977
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemoteTransientException
+ FullyQualifiedErrorId : 9CEC0AD3,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

In this instance, the issue was that their was a firewall prevening the target forest communicating to the source forest for the required ports for mailbox move.

In addition if you are getting error code:

(hr=0x80040115, ec=-2147221227)

This may be due to ISA installed on or between the servers.

Port Protocol
808 (TCP) Mailbox Replication Service uses to communicate
53 (TCP) DNS
135 (TCP) RPC End Point
389 (TCP) LDAP
3268 LDAP
1024 > (65535) if mailbox store is not statically configured then 1024 higher ports need to be open. We don’t have static ports configured for 2007 only 2010 currently so we need this big port range.
88 (TCP) Kerberos
445 (TCP) Microsoft-DS Service
443 (TCP) Mailbox Replication Proxy service uses port 443 to communicate with other Exchange 2010 client access server via HTTPS.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Setup Wizard for Update Rollup 1 for Exchange Server 2010 (KB240702) ended prematurely because of an error. Your system has not been modified.

2010-11-12T07:26:00.000-08:00

When installing Roll up 1 for Exchange 2010 service pack 1 KB240702 you get the following error Setup Wizard for Update Rollup 1 for Exchange Server 2010 (KB240702) ended prematurely because of an error. Your system has not been modified.

Issue: you need to run with elevated priviledges. However since you do not have to right click and run as administrator as an option to run .msp files you can run them with elevated priveleges using powerhshell.

PowerShell:

ii Exchange2010-KB2407028-x64-en.msp

Lastly you can temporarily disable UAC. Go to msconfig, Tools, change UAC settings. Drag all the way to bottom and reboot. Re-enable after finishing installation.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 The mailbox database "MDB01" cannot be deleted

2010-11-10T07:53:00.000-08:00

Summary: After deleting all mailboxes, you attempt to remove the database. However you are presented with the following error:

The mailbox database "MDB01" cannot be deleted

Error: This mailbox database contains one or more mailboxes or arbitration mailboxes. To get a list of all mailboxes in this database, run
the command Get-mailbox -. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database -Arbitration

Cause: There are arbitration (System) mailboxes. To query the arbitration mailboxes:

[PS] C:\Windows\system32>get-mailbox -database mdb01 -arbitration

Name Alias ServerName ProhibitSendQuot
---- ----- ---------- ----------------
SystemMailbox{1f05a927... SystemMailbox{1f0... dcexmailp01 unlimited
SystemMailbox{e0dc1c29... SystemMailbox{e0d... dcexmailp01 unlimited
FederatedEmail.4c1f4d8... FederatedEmail.4c... dcexmailp01 1 MB (1,048,576

To delete the arbitration mailboxes on a particular database:

get-mailbox -arbitration -database mdb01 | remove-mailbox -arbitration

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Setup failed to install ADAM.\r\n

2010-10-28T10:58:00.000-07:00

When installing TMG\UAG you receive error Setup failed to install ADAM.\r\n. When you view the ISAADAM_INSTALL_XXX setup log file you see the error "The trust relationship between this workstation and the primary domain failed." In this case the issue was that the dynamic RPC port range was not allowed from the DMZ where TMG was installed to the DC's in the internal back office network.

Ensure you have the following ports open from UAG to the DC's in the internal network.

LDAP ports: 389, 636 (TCP)

Global catalog ports: 3268, 3269 (TCP)

RPC services: 1025-5000 (TCP) (I restricted the range on the DCs to range 49152 - 49407)

RPC portmapper listener: 135 (TCP)

RPC in NT 4.0: 139 (TCP)

Kerberos exchanges: 88 (TCP, UDP)

If firewall isn't an issue, it could be related to domain policy restrictions.

Troubleshooting ERROR: Setup failed to install ADAM.\r\n (0x80074e46) and 0x80070643 while trying to install TMG 2010

http://blogs.technet.com/b/isablog/archive/2010/07/07/troubleshooting-error-setup-failed-to-install-adam-r-n-0x80074e46-and-0x80070643-while-trying-to-install-tmg-2010.aspx

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

RDP Remote Desktop Configuring Remote Session UAG

2010-10-25T07:27:00.000-07:00

When remoting to a Windows 2008 box you get a login prompt but after supplying credentials you get stuck at Configuring Remote Session. You notice that logging in using a local account on the server works fine but Domain Accounts do not.

The issue was caused by two DNS records. If the server has multiple NICS such as proxy or UAG\TMG servers and all NICS register in DNS, RDP does not work. Ensure that you uncheck "Register this connection's addresses in DNS" in the NIC properties.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: 501 5.1.3 Invalid address Short Name Rcpt SMTP address

2010-10-18T07:48:00.001-07:00

Summary: Application servers relaying through Exchange get NDR 501 5.1.3 Invalid address

When viewing the SMTP logs on the Exchange server or packet captures you see the short name being used instead of the fually qualified SMTP address.

mail from: applicationserver@company.com
rcpt to: user
invalid

Should be rcpt to: user@company.com

Servers should be specifying the fully qualified SMTP address, however it may not. Some applications such as scanners, listservs communigate pro.

Resolution: Set the defaultdomain parameter on the receive connector.

set-receiveconnector "nameofconnector) -defaultdomain company.com

This will append the domain when applications use the shortname rather than the fully qualified SMTP address.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

ADMT 3.2 ERR2:7674 Unable to determine the local path for ADMIN share on the machine 'Computer1'. rc=-2147024891

2010-08-31T08:59:00.001-07:00

Summary: When attempting to translate security for profile on a client computer you receive the error ERR2:7674 Unable to determine the local path for ADMIN share on the machine 'Computer1'. rc=-2147024891

Resolution: The target (new domain) domain admins do not have administrator rights on the client machine. To add the target domain admins to the local administrator:

1. Log into computer1, open command prompt and type:

net localgroup "Administrators" "corp\domain admins" /ADD

To make a global push across all computers you can either use a startup script or GPO. I prefer using a the "Restricted Groups" GPO.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

IIS7 Cannot read configuration file due to insufficient permissions web.config

2010-07-26T13:03:00.000-07:00

Summary: When launching website you receive error "Cannot read configuration file due to insufficient permissions" on web.config file. The web.config file may or may not actually reside in the path for example C:\inetpub\wwwroot\web.config. Placing the file in the directory has no effect nor does granting the IIS_IUSER read permissions to the web.config file or the applicationhost.config file.

Resolution: Ensure that the local group servername\users has read access to the inetpub directory or the entire drive. This is a default inherited setting.

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

TechNet Subscription Promotion Update!

2010-02-07T09:21:00.000-08:00

There has been an update to the TechNet Subscription Promotion code from TMSAM04 to TNITE01 valid from January 18, 2010 and March 31, 2010. For details go to Harold Wong's [MSFT] blog for details!

TechNet Subscription Promotion Update – 12 Months for $251.28 (28% Off)
http://blogs.technet.com/haroldwong/archive/2010/01/15/technet-subscription-promotion-update-12-months-for-251-28-28-off.aspx

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: One or more users cannot be added to the folder access list. Non-local users cannot be given rights on this server

2009-06-16T12:06:00.000-07:00

Summary: When attempting to add a user to a public folder permssion you receive the following error.

One or more users cannot be added to the folder access list. Non-local users cannot be given rights on this server

In addition when you look in the GAL the user has a red circle.

Cause: It appears to be because the user is a mailbox of type "Shared"

Solution: Convert the mailbox type to regular.

Set-mailbox user1 -type regular

If the mailbox is already set as type regular then you need to verify that the following properties are set correctly in adsiedit.

RecipientDisplayType = 1073741824
RecipientTypeDetails = 1

Exchange 2007 and Recipient Type Details
http://blogs.technet.com/b/benw/archive/2007/04/05/exchange-2007-and-recipient-type-details.aspx

James Chong (MVP)
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: Outlook Web Access did not initialize. An event has been logged so that the system administrator can resolve the issue.

2009-04-30T08:45:00.000-07:00

Summary: After the default 15 minute forms based authentication timeout, it does not default to FBA login page. Instead you get an HTTP error page:

Outlook Web Access did not initialize. An event has been logged so that the system administrator can resolve the issue. Please contact technical support for your organization

In addition you may also get Event ID 30

Event ID 30
There is an error in your Outlook Web Access configuration.
The authentication type specified on the OWA virtual directory is set to Anonymous. This check box must be cleared for Outlook Web Access to function properly.

Solution: In this instance, the permissions of the OWA virtual directory were not corrrect. The parent OWA was set correctly but the control subfolder\files were not.

OWA virtual directory permissions

OWA - Basic
8.1.240.5 - Enable anonymous access
8.1.263.0 - Enable anonymous access
8.1.291.1 - Enable anonymous access
8.1.311.2 - Enable anonymous access
auth - Enable anonymous access
Bin - Enable anonymous access
Current - Basic
forms - Basic
Help - Basic
smime - Basic
spell - Basic

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: The sequence of predicates is invalid

2009-04-21T08:12:00.000-07:00

Summary: When creating a transport rule I got the following error: "The sequence of predicates is invalid" In this case it appears that the order or predicate rules mattered.

In this example, I was creating a rule to silently drop all messsages coming in from an external address to an internal address.

$Condition = Get-TransportRulePredicate FromAddressContains
$Condition1 = Get-TransportRulePredicate SentTo
$Condition.words = @("externaluser1@gmail.com","externaluser2@gmail.com")
$Condition1.addresses = @(get-mailbox user1)
$Action = Get-TransportRuleAction DeleteMessage
New-TransportRule -Name "Deny Senders to Cellulardeals" -Condition @($Condition,$condition1) -Actions @($Action)

This would yield "The sequence of predicates is invalid" However after swapping the condition to put SentTo before FromAddressContains it works fine.

$Condition = Get-TransportRulePredicate SentTo
$Condition.addresses = @(get-mailbox user1)
$Condition1 = Get-TransportRulePredicate FromAddressContains
$Condition1.words = @("externaluser1@gmail.com","externaluser2@gmail.com")
$Action = Get-TransportRuleAction DeleteMessage
New-TransportRule -Name "Deny Senders to Cellulardeals" -Condition @($Condition,$condition1) -Actions @($Action)

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange: Find Disabled Accounts with Mailboxes Via PowerShell

2009-01-19T12:39:00.000-08:00

Summary: This article will go over how to search for disabled users with mailboxes. This is part 2. In part 1; this was done using ADUC.

Exchange: Find Disabled Accounts with Mailboxes
http://msexchangetips.blogspot.com/2007/06/exchange-find-disabled-accounts-with.html

This part will go over how to use powershell.

1. Download Quest powershell. http://www.quest.com/activeroles-server/arms.aspx

Run the following query. I like to export just the name, description and altrecipient to find out if the mailbox is doing any forwarding as well.

[PS] H:\>get-qaduser -includedproperties altrecipient, homeMDB -disabled | select-object -property "name", "description" , "altrecipient", "homeMDB" > c:\mailboxes.csv

Then sort by HomeMDB

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange: "One or more users currently use a mailbox store on this server"

2008-04-25T06:37:00.000-07:00

Summary: When uninstalling Exchange; you receive the following error message:

"One or more users currently use a mailbox store on this server"

This can occur for multiple reasons:

1. There was a user in which the mailbox was never created because it was not activated ie. user never logged in or no mail was sent to it.

2. There is a user who has Exchange attributes but no mailbox referencing this server.

Resolution:

1. Start ADUC; click find.

2. Click custom search in drop down

3. Click Advanced tab

4. In LDAP field type:

(msExchHomeServerName=/O=myexchangeorgname/
OU=myorgname/cn=Configuration/cn=Servers/cn=myexchangeserver)
(objectClass=User)

Substitue o=myexchangeorgname and OU=myorgname and cn=myexchangeserver with your values. To find these values you can open adsiedit and go to the properties of a user and find the msexchhomeservername property.

One thing to note; if the query comes back with no results; copy the query into notepad. Close out the ADUC search and re-open it and paste the search query. I've noticed that the query does not work when pasting even though you remove all spaces unless you restart ADUC search.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: Exception message: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) later

2008-04-24T07:16:00.000-07:00

Summary: When accessing OWA you receive error:

A problem occurred while trying to use your mailbox. Please contact technical support for your organization.

The Stack Trace shows:

Request
Url: https://mail.simplexity.com:443/owa/lang.owa
User host address: X.X.X.X

Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack

Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.
DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.
DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.
PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.
InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.
DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.
HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.
InvalidADObjectOperationException
Exception message: Property Languages cannot be set on
this object because it requires the object to have
version 0.1 (8.0.535.0) or later. Current version of
the object is 0.0 (6.5.6500.0).

Call stack

Microsoft.Exchange.Data.Directory.PropertyBag.set_Item
(PropertyDefinition key, Object value)
Microsoft.Exchange.Data.Directory.ADObject.set_Item
(PropertyDefinition propertyDefinition, Object value)
Microsoft.Exchange.Data.Directory.ADObject.
StampCachedCaculatedProperties(Boolean retireCachedValue)
Microsoft.Exchange.Data.Directory.ADObject.ValidateWrite(List`1 errors)
Microsoft.Exchange.Data.Directory.Recipient.ADRecipient.
ValidateWrite(List`1 errors)
Microsoft.Exchange.Data.Directory.Recipient.ADUser.
ValidateWrite(List`1 errors)
Microsoft.Exchange.Data.Directory.ADSession.Save
(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

In this instance the issue is caused because the 2007 mailbox was created using the Exchange 2003 tools. Therefore the mailbox shows as a legacy mailbox in Exchange 2007EMC. You will need to convert this to "user mailbox" by applying mandatory properties.

1. Open Exchange 2007 Shell

[PS] C:\Documents and Settings\jchong\Desktop>set-mailbox Alias -applymandatoryproperties

You may also get other similar stack errors if so try the following:

1. Move the mailbox

2. Verify that inheritance is checked for the user in the security tab, advanced in Active Directory Users and Computers.

3. Try granting full mailbox rights for the user itself.

4. Remove any delegates or send on behalf rights. (you can later add back and should still work)

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: Transport Rule Journal Selective Domain

2008-04-09T09:00:00.000-07:00

Summary: This article will go over how to journal a selective domain using a custom transport rule. The following example shows how to use a custom transport rule to copy all emails from hotmail.com to a journal mailbox.

Open Exchange Shell and enter the following:

$Condition = Get-TransportRulePredicate FromAddressContains
$Condition.words = @("hotmail.com")
$Action = Get-TransportRuleAction Copyto
$Action.Addresses = @(get-mailbox "journal")
New-TransportRule -Name "copy messages to journal mailbox" -Conditions @($Condition) -Actions @($Action)

This rule sends a copy to ie. CC's the message to a journal mailbox. You can also opt to BCC by changing third line to:

$Action = Get-TransportRuleAction BlindCopyto

References:

How to Create a New Transport Rule
http://technet.microsoft.com/en-us/library/bb123927(EXCHG.80).aspx

Transport Rule Actions
http://technet.microsoft.com/en-us/library/aa998315(EXCHG.80).aspx

Transport Rule Predicates
http://technet.microsoft.com/en-us/library/aa995960(EXCHG.80).aspx

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2003: Event ID: 9167 MSExchangeSA

2008-04-08T12:26:00.000-07:00

Summary: Microsoft Exchange System Attendant fails to start and produces Event ID: 9167

"Microsoft Exchange System Attendant does not have sufficient rights to read Exchange configuration objects in Active Directory. Wait for replication to complete and then check to make sure the computer account is a member of the "Exchange Domain Servers" security group."

Subsequently you also see Event ID: 9188

"Microsoft Exchange System Attendant failed to read the membership of group 'cn=Exchange Domain Servers,cn=Users,dc=domain,dc=com'. Error code '80072030'."

You have verified that your Exchange server belongs in the Exchange Domain Servers Security Group.

Resolution: Move the Exchange Domain Servers and Exchange Enterprise Servers back to the USERS OU.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com

BlackBerry Internet Service: An error occurred during email account validation

2008-02-01T05:28:00.000-08:00

Summary: User cannot provision account to corporate Exchange OWA using BlackBerry Internet Service. In this instance; the user had already been provisioned and was working correctly. However service broke after we did a domain name change. During this change we updated our OWA certificate to our new Domain name and redirected DNS to point old domain name mail.company.com to mail.newcompany.com.

Any attempts to reprovision his account on the ATT BlackBerry site would yeild "An error occurred during email account validation"

All URL combinations were tried: mail.newcompany.com; mail.newcompany.com\exchange; mail.newcompany.com\owa and mail.newcompany.com\owa\user@newcompany.com.

After viewing the HTTP logs during provisioning; you see:

W3SVC814732 X.X.X.X PROPFIND /owa/myuser/ - 443 myuser X.X.X.X Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+4.0) 501 0 0

The 501 (HTTP error 501) means not implemented. PROPFIND is a webdav verb and it seems that webdav was being blocked only for this user. Other users were working ok. I ran some individual webdav tests and was unable to connect to his account; although I was able to connect to others on Exchange 2007 or Exchange 2003. Enabling WEBDAV on Exchange 2007 did not work.

Resolution: This user's device was provisioned when he was on Exchange 2003. His mailbox was moved to Exchange 2007. Although his account was working for weeks on Exchange 2007; something broke. Possibly the domain name change or maybe a coincidence. After moving the user back to Exchange 2003; I was able to connect to his account using webdav test. The user was able to sucessfully provision his account. We plan on moving his account back to Exchange 2007 to see if it still works.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com

BlackBerry: DB upgrade failed. Error Executing an sql statement

2008-01-28T09:06:00.000-08:00

Summary: When upgrading BES versions in this instance applying BES 4.1 Service Pack 4, you receive the following error "DB upgrade failed. Error Executing an sql statement" during database upgrade.

Resolution: In this instance; the cause was due to the MSDE database log file having exceeded it's default 50MB limit.

To verify the current size of the MSDE log file; go to C:\Program Files\Microsoft SQL Server\MSSQL\Data

Locate file BESMGMT.LDF. (Your database name may not be the same) Examine the file size to see if it has approached the 50MB limit.

To increase the limit:

1. Open a command prompt

2. OSQL -E

3. ALTER DATABASE BESMgmt MODIFY FILE(NAME=BESMgmt_log, SIZE=200MB)

Re-run the service pack or upgrade.

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

IIS: Error Writing Encrypted Data to the Web Services Configuration Database

2008-01-23T12:14:00.000-08:00

Summary: When attempting to install or re-install IIS; you receive the following error:

"Error Writing Encrypted Data to the Web Services Configuration Database" The option gives you the ability to "write unencrypted data." However if you proceed; IIS installation stalls and does not proceed.

World Wide Publishing Service fails to start with

"The specified handle is invalid"

Resolution: Rename the MachinesKeys folder in the following directory to MachineKeysold.

%Windir%\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Once this has been renamed; in the IIS installation where you were prompted to choose "write uncrypted data" close out this dialog box by clicking the X (windows close button on top right corner"

IIS will complete the instllation and you will see a new MachineKeys directory. If you already closed out of the prompt box above; just uninstall and re-install IIS.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange: Bulk Remove X.400 Address Using Admodify

2008-01-22T06:44:00.000-08:00

Summary: This article will go over how to remove legacy X.400 addresses in bulk using Admodify. X.400 addresses were used in Exchange 5.5 and may not be required. However; removing the recipient policy for your X.400 address will not remove the addresses from your users.

To remove X.400 addresses in bulk:

1. Download Admodify

http://www.computerperformance.co.uk/w2k3/utilities/admodify.htm

2. Launch Admodify.exe

3. Modify Attributes

4. Domain List = Choose your domain; Domain Controller = Select your DC

5. Click the Green Arrow

6. Double click your domain in the white pane. This will expand your OU list. You can highlight just the OU you wish your query or highlight the domain to work with all objects in your domain.

7. Click Add to list. This will enumerate your users in the right pane. Click Select All and next.

8. Click the Custom Tab.

9. Check "Make a Customized Attribute Modification"

Attribute name: proxyAddresses
Attribute value: X400:c=US;a= ;p=mycompany;o=FC;s=%'sn'%;g=%'givenName'%;

Note: You need to substitute p=mycompany and o=FC with your own values by checking an existing x.400 address of your user.

10. Check Multivalued Remove and click Go.

11. Verify by checking a user or check the XML log that was produced in the same directory of your admodify.exe file.

Note: Do not forget to delete or uncheck your recipient policy for your x.400 address in ESM.

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

Exchange: The format of the e-mail address is incorrect

2008-01-21T09:13:00.000-08:00

Summary: When sending to an internal user; you receive the following NDR:

Your message did not reach some or all of the intended recipients.

Subject: test ignore
Sent: 1/21/2008 11:50 AM

The following recipient(s) cannot be reached:

Joe Test on 1/21/2008 11:50 AM
The format of the e-mail address is incorrect. Check the address, look up the recipient in the Address Book, or contact the recipient directly to find out the correct address.

Resolution: A second SMTP proxy was added. However sending to this SMTP proxy would fail. The email address was correctly formatted without any special characters. A simple removing of the SMTP address and re-entering it in worked without issue. The cause could've have been pasting the address. Sometimes pasting can cause issues.

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

Exchange 2007: Free Busy Not Available for 2003 Users

2008-01-10T11:33:00.000-08:00

Summary: Exchange 2007 users cannot view Free Busy for users on Exchange 2003

Resolution: Copy the Free Busy System from to Exchange 2007.

1. Open Exchange 2003 System Manager.
2. Scroll to Administrative Groups and Folders
3. Right click Public Folders - View System Folders
4. Expand Schedule + Free Busy
5. You should see Free Busy subfolders starting with EX: Right click each one properties, replication tab. Add your Exchange 2007 server.

Let it replicate and check 15-30 minutes.

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

Exchange 2007: This Ca Root Certificate Is Not Trusted. To enable Trust, Install This Certificate In The Trusted Root Certification Authorities Store.

2007-11-14T10:11:00.000-08:00

Summary: Exchange 2007 CAS server uses a self signed cert. Depending on what services your CAS role plays you may get the following error:

"This Ca Root Certificate Is Not Trusted. To enable Trust, Install This Certificate In The Trusted Root Certification Authorities Store"

Cause: In this instance, I had my CAS server using a Self Signed Cert for the Address book distributin in the Default Web Site while using a Valid third party commercial Cert for OWA. This worked fine using the article below.

Exchange 2007 and SSL Certificates
http://www.sembee.co.uk/archive/2007/01/21/34.aspx

However when viewing FREE\Busy info, the Cert error would appear with the error:

"This Ca Root Certificate Is Not Trusted. To enable Trust, Install This Certificate In The Trusted Root Certification Authorities Store"

Solution:

1. Go to the Default Web Site in IIS and remove the Self Signed Cert. Right click the Default Web Site, Directory Security, Server Certificate, Next, and Remove the cert.

2. Open Certificates in MMC. Go to Run, MMC. File Add Remove Snap In, Add Certificates; Computer Account; Local Computer and Click OK.

3. Once your Certificates MMC is open Go to Personal Certificates. Right Click Request New Cert, Next, Friendly Name = Hostname of your Server and Next and Finish.

4. Copy the new cert to the Trusted Root Certification Authorities Certificates.

5. Go back to the Default Website in IIS, Properties, Diretory Security, Server Certificate. Assign an existing certificate and choose the new cert that was created.

6. Issue IISRESET from your command prompt.

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

Active Directory: Convert Global Groups to Universal Groups Bulk

2007-11-14T08:20:00.000-08:00

Summary: There may come a time when you need to convert your Global Groups into Universal Groups such as if you're in a multi-domain Forest. This is because the Global Catalog server does not have a copy of Global Groups in other domains. This can cause a problem with Distribution list expansion.

Tip: To bulk change your Global Security or Distribution Groups into Universal Groups; you can use Admodify using the custom attribute tab of "groupType"

Download Admodify:

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify

1. Launch ADMODIFY.EXE
2. Click Modify Attributes
3. Domain List=Choose your Domain; Domain Controller=Choose your DC
4. Check only Groups; Check Advanced Features; Click Traverse Subcontainers
5. Click the Green Arrow and now highlight your Domain
6. Click Custom LDAP query.

Global Security Groups

(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=-2147483646))

7. Click Add to list and click OK
8. Select All and click next.
9. Click Custom Tab. Click Make a customized attribute modification

Attribute Name: groupType
Attribute Value: -2147483640

Click Ok. This will convert your Global Security Groups to Global Universal Groups.

Use the following Chart to convert your Global Distribution Groups.

[Group Scope] [Group Type] [groupType value] [sAMAccountType attribute]

[Universal] [Distribution] [8] [268435457]
[Universal] [Security] [-2147483640] [268435456]
[Global] [Distribution] [2] [268435457]
[Global] [Security] [-2147483646] [268435456]
[Domain Local] [Distribution] [4] [536870913]
[Domain Local] [Security] [-2147483644] [536870912]

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: Messages Not Received to Distribution Group

2007-11-08T07:31:00.000-08:00

Summary: After installing a CAS server; sending to particular distribution groups do not work. Adding yourself to the group; you do not received messages. No NDR messages are received as well.

When Telnetting and sending the message

Telnet: CASServer 25
Mail from:youraccount@yourdomain.com
Rcpt to:DLGroup
Data
.
.
Message Sucessfully Queued

Users do not receive messages that belong to the Distribution Group

Solution: Verify that the group is a Universal Group if you're in a multi-domain forest. There were no issues sending to the DL prior to the introduction of a 2007 CAS.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: POP3 ERR Command is not valid in this state

2007-11-07T16:28:00.000-08:00

Summary: POP applications report ERR "Command is not valid in this state" after supplying credentials. To verify you try telnetting to POP port 110 of your CAS server:

Telnet CASServer 110
User Myaccount
Pass Mypass
ERR Command is not valid in this state

Resolution: Open your Exchange Shell and enter:

Set-PopSettings -LoginType PlainTextLogin

Restart your POP3 service

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: ActiveSynch Does Not Work With Exchange 2003 Mailboxes

2007-11-07T07:41:00.000-08:00

Summary: Exchange 2007 ActiveSync does not with with mailboxes on Exchange 2003. When entering username and password; password keeps prompting.

To verify Activesync; go to
https://hostname/Microsoft-Server-ActiveSync on your CAS server. If you receive HTTP 501/HTTP 505 Activesync is working.

Resolution: Enable Integrated authentication on your Microsoft-Server-Activesync
Virtual Directory on all your BackEnd 2003 Servers

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007: Event ID 9589 Exceeded the max number of 6 Storage Groups on this server

2007-10-30T11:33:00.000-07:00

Summary: Exchange 2007 fails to mount additional databases after you've created 5 Storage Groups. In additional, you get Event ID:9589 "Exceeded the max number of 6 Storage Groups on this server."

You have verified that your Exchange 2007 Edition is Enterprise in the EMC GUI.

Resolution:

Re-enter your product key in the Shell and restart your information store.

[PS] H:\>set-exchangeserver -identity dcex01 -productkey XXXX-XXXX-XXXX-XXXX-XXXX

WARNING: The Exchange server "DCEX01" is already licensed.
WARNING: The product key has been validated and the product id has been
successfully created. Note: This change will not be complete until the store
has been restarted.

Cause: Unknown

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

SMTP: No DATA command sent-rset

2007-08-22T11:51:00.000-07:00

Summary: Messages sent to a relay server (Surgemail) would often have messages not get delivered. Messages were being delivered through an ASP application. However some messages would go through. Performing a telnet session works fine. When checking the SMTP logs the client would issue a rset command after the RCPT TO: command. The SMTP server (surgemail) would reply with an recipient ok and would be received by the client.

Cause:

The cause was Symantec AntiVirus 10.0.0.359 running the Internet E-mail Auto Protect. Disable the feature.

James Chong (MVP)
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

Active Directory: Copy Distribution List Members to Another Distribution List

2007-08-07T11:20:00.000-07:00

Summary: In this example, we will copy all members from one Distribution Group to another Distribution Group.

Copy the contents below and save as copymembers.vbs to C: drive

Const ADS_GROUP_TYPE_GLOBAL_GROUP = &H2

Set objOU = GetObject("LDAP://OU=Security Groups, dc=company, dc=com")
Set objOldGroup = GetObject("LDAP://CN=mysourcegroup, ou=security groups, dc=company, dc=com")
Set objNewGroup = GetObject("LDAP://CN=mytargetgroup, ou=security groups, dc=company, dc=com")

On Error Resume Next
For Each objUser in objOldGroup.Member
objNewGroup.Add "LDAP://" & objUser
Next

Open Command prompt:

C:\>cscript copymembers.vbs

The script will copy all members in the "mysourcegroup" Distribution List to your "mytargetgroup" Distribution List.

Note: Some organizations like to use # in front of their Distribution List names so they appear together in the GAL. Because this is a special character it will need to be in double quotes to treat # as a literal.

Example:
("LDAP://""CN=mysourcegroup""

James Chong (MVP)MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Find Disabled Accounts with Mailboxes

2007-06-22T12:35:00.000-07:00

Summary: In this example we will use a customer AD query to search for disabled accounts with mailboxes.

Example 1.

In this example we will perform a custome AD search using Active Directory Users and Computers

1. Open Active Directory Users and Computers and click the find icon

2. In the "Find" drop down menu, select custom search and click the advanced tab

3. Paste the following in the white pane:

(&(UserAccountControl:1.2.840.113556.1.4.803:=2)(msExchHomeServerName=*)(objectClass=User))

This will enumerate all disabled accounts with mailboxes. From here you can delete all the mailboxes by selecting the first user and scolling down to the bottom of the list and selecting the last user by shift + left click. Then right click the list, Exchange tasks and delete mailbox.

To perform a search of a single server:

(&(UserAccountControl:1.2.840.113556.1.4.803:=2)(msExchHomeServerName=/O=Domain/OU=MyOU/cn=Configuration
/cn=Servers/cn=Exservername)(objectClass=User))

Click find.

To obtain the full dn of your msExchHomeServerName attribute, you can find this in ADSIEdit.

1. Go to start run, type adsiedit.msc (part of windows server support tools)

2. Expand Domain, this should resemble your OU structure. Locate a user, right click a user cn=my user and select properties.

3. Look for attribute msExchHomeServerName and double click. Copy this string and paste it in the above Ldap query.

Other tricks:

Find disabled accounts with mailboxes that are not hidden in the GAL.

(&(UserAccountControl:1.2.840.113556.1.4.803:=2)(msExchHomeServerName=*)(!msExchHideFromAddressLists=TRUE)(objectClass=User))

To export to txt file using LDIFDE from command prompt:

C:\>ldifde -f c:\exportlist.txt -r "(&(UserAccountControl:1.2.840.113556.1.4.803
:=2)(msExchHomeServerName=*)(!msExchHideFromAddressLists=TRUE)(objectClass=User)
)" -l "dn"

Best practices:

Ensure that you have deleted Mailbox retention configured to ensure that these mailboxes can be recovered in a swift manner. To configure mailbox retention, open Exchange System Manger, locate your mailbox store, properties limits tab.

James Chong (MVP)MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: DSQUERY Is Your Friend

2007-05-09T11:11:00.000-07:00

Summary: Dsquery is a powerful search command tool that can help you find users, or users with certain attributes. Below are some sample searches to give you an idea of how to use dsquery and it's syntax.

Example 1.

In this example, I want to find to export objects and who has ownership. For example, I want to find the owners of distribution lists that they can manage.

C:\Documents and Settings\JamesMVP>dsquery * -limit 200000 dc=corp,dc=mycompany,dc=com -filter "(&(objectclass=*)(objectcategory=*))" -attr displayname managedby > c:\managedby.txt

Example 2.

In this example, I want to list all users that are in a certain mailbox store using the homemdb attribute.

C:\Documents and Settings\JamesMVP>dsquery * dc=corp,dc=mycompany,dc=com -filter "(&(objectclass=user) (object category=person)(homemdb=CN=Mailbox Store (EX3),CN=First Storage Group,CN= InformationStore,CN=EX3,CN=Servers,CN=First Administrative Group,CN=Admini strative Groups,CN=DSTTEST,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC =corp,DC=company,DC=local))" -attr displayname > c:\mailboxes.txt

James Chong (MVP)
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com
ftp://ftp://ftp.smtp25.org//

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: BCP Planning Exchange 2003

2007-05-07T07:22:00.000-07:00

Summary: Business continuity planning for Exchange 2003 using standby server. Many users ask how to have a standby server in the event that their Exchange server fails. Other than using third party application replication software, the only method is to perform the empty mailbox method (dial tone) on your standby server. This basically involves moving your mailboxes to the standby server by changing serveral Exchange related attributes. Because your primary server is down, you cannot move the mailboxes using Exchange System Manager, therefore you will have to manually update the attributes which a move mailbox would perform. With Exchange 2007, this is easier with Log Shipping technology.

MS has an article "How to Re-Home Exchange Mailbox Account"
http://technet.microsoft.com/en-us/library/bb124766.aspx

While testing the steps in this article there were several issues that were noted. This article will go over these steps to test the re-homing of your mailboxes. This article will also go over using ADmodify to re-home mailboxes as well.

Note: After users have been re-homed to a test server, they must create a new profile. This is because their existing profile will continue to point to the down server and will not re-direct them to their new server. Users also have the option to work via OWA.

Method 1 Using LDIFDE

1. Open command prompt and export the following Exchange attributes from the users in the failed Exchange server. Replace homeMDB with the DN of the server that failed. You can retrieve the DN by going into adsiedit.msc

2. This must be performed for every database on the Exchange server that failed. If there are 8 databases, this will need to be run 8 times changing the homeMDB attribute to each individual database.

C:\>ldifde -f export.txt -d "dc=corp,dc=etradegrp,dc=com" -l msexchhomeservern
ame,homemdb,homemta -r "(&(objectclass=user)(homeMDB=CN=Mailbox Store 08 (ATL1EX11),CN=Third Storage Group,CN=InformationStore,
CN=ATL1EX11,CN=Servers,CN=UnitedStates,
CN=Administrative Groups,CN=MyOrgInc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,
DC=Mydomain,DC=com))"

3. Open the export.txt file and copy contents into MS word. Replace the following on the left column with the right column.

dn: [replacewith] -^pdn:
changetype: add [replacewith] changetype: add
homeMTA [replacwith] replace: homeMTA^phomeMTA
homeMDB [replacewith] -^preplace: homeMDB^phomeMDB
msExchHomeServerName [replacewith]
-^preplace: msExchHomeServerName^pmsExchHomeServerName

[name of original database] replacewith [name of new database]
[name of original storage group] replacewith [name of new storage group]
[name of original server] replacewith [name of new server]

Sample Input LDF File after replacing 8 objects above should resemble formatting below. (Ensure there is a line space from ending of one user object to beginning of new user object. Remove mailboxes for SMTP connector, System Attendant and System Mailbox prior to importing file in step 3. Replace the name of original db, storage group and original server with new names.

dn: CN=Chong\,MVP,OU=HQ,DC=Corp,DC=lab,DC=local
changetype: modify
replace: homeMTA
homeMTA:
CN=Microsoft MTA,CN=DEVEX2,CN=Servers,CN=First Administrative Group,CN=Admi

nistrative Groups,CN=DSTTest,CN=Microsoft Exchange,CN=Services,CN=Configuratio
n,DC=dsttest,DC=etrade,DC=local
-
replace: homeMDB
homeMDB:
CN=Mailbox Store (DEVEX2),CN=First Storage Group,CN=InformationStore,CN= DEVEX2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=DS
TTest,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=lab,
DC=local
-
replace: msExchHomeServerName
msExchHomeServerName:
/o=DSTTest/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=DEV
EX2
-

dn: CN=adm-Chong\, James,OU=EnterpriseServices,DC=corp,DC=lab,DC=local
changetype: modify
replace: homeMTA
homeMTA:
CN=Microsoft MTA,CN=DEVEX2,CN=Servers,CN=First Administrative Group,
CN=Administrative Groups,CN=corp,CN=Microsoft Exchange,CN=Services,
N=Configuration,DC=corp,DC=lab,DC=local
-
replace: homeMDB
homeMDB:
CN=Mailbox Store (DEVEX2),CN=First Storage Group,CN=InformationStore,CN= DEVEX2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=DS
TTest,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=lab,
DC=local
-
replace: msExchHomeServerName
msExchHomeServerName:
/o=DSTTest/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=DEV
EX2
-

4. Import File LDIFDE –I – F

5. Open ADUC, open an account for a user that resided on the down Exchange server. Click the Exchange General tab. Verify that the mailbox location now points to the new location.

6. Open user mailbox. Must create a new Outlook profile or choose to use OWA. Mailbox will not show in ESM until user has opened Mailbox in Outlook.

7. Once the original database has been restored to the original server, re-rerun the script to re-home the user’s mailboxes back to the original server.

8. Perform Exmerge on the temporary Exchange server to extract the .PST files. Re-run exmerge in merge mode to merge the new e-mails with the old mailbox.

Method 2 ADMODIFY Utility

Execute admodify. You can download this from MS. Ensure that the application is run with admin privileges

Proceed with the following instructions:

Modify Attributes

Domain List = DC=corp,DC=lab,DC=com

Domain Controller List = dc.corp.lab.com

Show Only = Users

Domain Tree List = Advanced Features, Show Containers Only

Click Custom Ldap Query

Click green arrow. You should now see corp in the white page, highlight this

LDAP Filter = (&(objectclass=user)(homeMDB=CN=Mailbox Store 08 (EXCH1),
CN=Third Storage Group,CN=InformationStore,CN=EXCH1,CN=Servers,
CN=UnitedStates, CN=Administrative Groups,CN=MyorgInc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=lab,DC=com))

Click Add to List. Will take about 3-5 minutes to generate query

Once items have been enumerated. Highlight all items while removing any system mailboxes, ie. SMTP mailbox. Click next

Click Exchange General Tab, check, set homeMDB drop down box. (Note select this option before Set homeMTA. There appears to be a bug in which the list will not enumerate if this option is chosen second) Choose the temporary Exchange server. No set homeMTA and choose the same temporary Exchange server and click Go button.

James Chong (MVP)MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com
ftp://ftp://ftp.smtp25.org//
How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: DST Patching Uncovered

2007-02-26T06:19:00.000-08:00

zSummary:

In order to minimize the impact the 2007 Daylight Savings Time changes, Microsoft has released several KB articles to address patching and best practices. Through extensive testing, I hope to shed some light on some best practices, issues uncovered, and the proper procedures. In order to adhere to the Daylight Savings Time changes for 2007, the following must be performed and considered.

1. Install all operatating system DST patches. Install the DST patch for all your Windows servers and XP clients. This includes patching your Exchange server's operating system.
http://support.microsoft.com/kb/931836/en-us

2. Install Exchange DST Patch. Microsoft has released two distinct patches for Exchange 2003. One for Exchange 2003 service pack 1 and one for Exchange 2003 service patch 2. Microsoft has not released Exchange 2000 DST patches. This is only available to customers with extended hotfix support. You can obtain this patch by calling MS. (approx $4,000 usd) The following links provide patches to Exchange 2003.

Exchange Service Pack 2
http://support.microsoft.com/kb/926666/en-us
Exchange Service Pack 1
http://support.microsoft.com/kb/931978/

Note: Both Exchange 2003 patches will update your store version greater than [store. exe 6.5.7233.51] Any store version greater than this will change the behavior of "Send As" functionality. What this means is that, prior to these versions, if you granted Bob full rights to Jim's mailbox, Bob can implicity "Send As" Jim even though Bob does not have "Send As" permission checked. Since Bob has full rights to Jim's mailbox this right is implicit. However, after patching, the implicit "Send As" rights are revoked and you will need to be cognizant as this can break services such as Blackberry. What I recommend is running Microsoft's script that will export all user's that have full mailbox rights on another user but does not have the "Send As" right. The script is pretty straight forward to run and can be obtained in this article.

Note: Be aware of article 932599 Information Store may not start after Exchange DST patching. This is due to duplicate SIDS for well known users or groups (ie. built in) or duplicate attribute values for objects. It is recommended to patch one server first to test since ACL are usually propagated at the Exchange Org\Admin Group level. If one is ok after patching it should be safe to patch others. If you want to be extra safe, you can use this same principal to install a new Exchange server in your org, mount a DB and patch it to see if breaks.

Information Store database does not mount with Event ID 9519 and 9518
http://support.microsoft.com/kb/932599

http://support.microsoft.com/kb/912918/

3. Run Calendar Update Utility. You must run the calendar update utility after patching your Exchange DST patching. This is separate from your Exchange DST patching in step 2. The utility must be run in order to fix any calendar appointments made during the extended DST time. There are two versions of the calendar update tool, an Outlook Client Tool and an Exchange Server Tool. I have tested both. Here are some considerations.

Exchange Calendar Update Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=A9336886-4B28-4010-9416-36D38429438D&displaylang=en

Timezone Update Tool (Outlook)
http://www.microsoft.com/downloads/details.aspx?FamilyID=e343a233-b9c8-4652-9dd8-ae0f1af62568&DisplayLang=en

Exchange Calendar Update Tool (Server Side) - This utility first extracts the timezone information from all user's mailboxes into a text file. Once the text file is exported with this info, it actually uses the client side Timezone Update Tool to update the mailboxes using this file. Here are some considerations when running the Exchange Calendar Update Tool.

- Cannot run on an Exchange server

- You will need to install .Net Framework 2.0, Exchange Calendar Update Tool and the Outlook Timezone Update Tool. The reason you need the client Outlook Timezone Update Tool is because the Exchange Calendar Update Tool calls the executable for the Outlook Update Tool.

- Need to run with a mailbox that has full rights to other's mailboxes. Profile cannot be in cached mode. Also set profile to automatically start in that profile and not select from list.

- If you run utility more than once, any appointments made after you patched your Exchange server with Exchange DST patch will get messed up. This is because the utility will assume that the appointment was made prior to patching. It is recommended to run the utility soon after Exchange DST patching.

- Exchange Calendar Tool processes 6.13 mailboxes a minute and only one thread can be run at a time on one machine. However, you can run on multiple machines.

- If the Exchange DST patch was installed prior to running the Calendar Update Tool (Server or Client) recurring meetings created by OWA will not be updated. To correct, uninstall the DST patch, run the tool, re-install patch.

- Only calendar items in which you were the organizer will get times updated (moved 1hr back)

In large enterprise environments, running the Exchange Calendare Update Tool can take hours\days since it can only process 6.13\mailboxes a minute and only one instance can be running per machine. However, one option you can have is to push the client side Timezone Update Tool to all machines using something like SMS and then having it run the executable with the /q or/quiet switch. This will update the calendar items without user intervention. Works with Outlook open or closed.

Mobile Devices

If you are using mobile devices such as Blackberry consider the following:

1. Remember to update your CDO.dll from your Exchange server to your Blackberry Server
2. Blackberry Handhelds need to be patched. Refer to the following article.
http://www.blackberry.com/DST2007/patch/index2.shtml

References:

Prepare Outlook calendar items for daylight saving time changes in 2007
http://office.microsoft.com/en-us/outlook/HA102086071033.aspx?pid=CH100776851033#9

How to address daylight saving time by using the Exchange Calendar Update Tool
http://support.microsoft.com/kb/930879

MsexchangeTeam Step by Step run of Exchange Calendar Update Configuration Tool
http://msexchangeteam.com/archive/2007/02/14/435267.aspx

James Chong (MVP)
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com
ftp://ftp://ftp.smtp25.org//

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Identifying File Level Antivirus Exclusions For Exchange Server Installations

2006-09-16T11:41:00.000-07:00

Summary:

Protecting Exchange against malicious viruses is critical to ensure the health and availability of your messaging environment. However, it is also critical that some folders\files must be excluded from file level scanning. Scanning these critical folders\files can cause serious damage such as corruption, database not being able to mount, restore problems among other issues. According to Microsoft's recommendation, it is critical that you exclude the following directories.

1. Exclude all directories that include your Exchange database files (EDB STM) For example in a default installation, the Exchange database is placed in your \Exchsrvr\Mdbdata folder. Exclude this entire directory.

2. Exclude your Exchsrvr\Mtadata folder

3. Exclude all logs such as message tracking, SMTP. Exclude the directory Exchsrvr\server_name.log

4. Exclude your Exchange queue directory. Exchsrvr\Mailroot

5. Exclude your directory where your IFS creates the streaming .tmp files. The IFS creates these .tmp files when a large object is streamed into the store and the .stm file is too fragmented to have the entire object written in it. For example, a large object can be a message or a file. During normal operation, when the Microsoft Exchange services are stopped, these files are removed from the Temp folder. By defualt, this folder is in the Exchsrvr\Mdbdata directory. However, they can also be in your %SYSTEMROOT%\TEMP directory.

6. Exclude your Exchsrvr\Bin directory

7. Exclude your IIS system files directory %SYSTEMROOT%\System32\Inetsrv

8. Exclude your Gather logs if running search indexing services. These log files contain log information or catalog for the indexing service.

You may elect to just exclude the entire Exchsrvr directory, however the above configuration will give you the best protection.

If you have ever scanned your Exchange directory where your database or logs were stored, your database may be corrupted. The level of corruption cannot be directly quantified. For example the longer your AV was scanning these directories may lead to more corruption but may not be necessarily true. It may also depend on the AV application as well. However, symptoms of corruption may not be immediately visible and may arise further down the road. Therefore, it is best practice to create a fresh database and move your users to the new database.

References:

Lb*.tmp Files Are Created in the TEMP Folder and Are Not Deleted
http://support.microsoft.com/default.aspx?scid=kb;en-us;328583

Exchange lb*.tmp files in the Windows Temp folder cause ESE -2237 error
http://support.microsoft.com/default.aspx?scid=kb;en-us;294462

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com
ftp://ftp://ftp.smtp25.org//

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Invalid Window Handle ID no: 80040102 Exchange System Manager

2006-09-15T10:48:00.000-07:00

Summary:

When clicking on the Client Permissions button of a Public folder in Exchange System Manager, you immediately receive Invalid Window Handle ID no: 80040102 Exchange System Manager. Therefore, you are unable to set client permissions for any of your Public Folders.

Solution:

In this instance, the issue was caused by the Public Folder Hierarchy not having the msExchPFTreeType set. This attribute defines whether your Public Folder Hiearchy is MAPI based or a General Purpose Tree. In an Exchange Org, there can only be one MAPI based Public Folder Hiearchy. However, you can have multiple General Purpose Public Folder Hiearchies. General Purpose Public Folder Hiearchies cannot be accessed via MAPI but via OWA.

To define a MAPI Public Folder Hiearchy, set the msExchPFTreeType to 1.
To define a General Purpose Public Folder Hiearchy, set the msExchPFTreeType to 0.

To verify if your Public Folder Hiearchy is set to 1 follow the procedures below.

1. From your Exchange server or Domain Controller, go to Start, Run, ADSIEDIT.MSC Click Ok. (ADSIEDIT is part of your Windows 2000\2003 Support Tools found on the CD)

2. Expand the Configuration Container.

CN=Services
CN=Microsoft Exchange
CN=Your Exchange Org
CN=Administrative Group
CN=First Administrative Group

Highlight CN=Folder Hierarchies.

On the right pane, highlight CN=Public Folders and select properties. Scroll down to find the attribute, msExchPFTreeType. For the value, check if it is set. If not set, set to 1.

3. Go to services and restart your Microsoft Information store. When service has restarted, open Exchange System Manager, and verify that you can set the Client Permission.

References:

Description of public folder tree types in Exchange 2000 Server and in Exchange Server 2003
http://support.microsoft.com/kb/258509/en-us

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com
ftp.smtp25.org

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Search Network For PST Files

2006-09-15T09:05:00.000-07:00

Summary:

In this article, I will provide a script to search your network for .PST files. Microsoft provides a script to search your local computer for a .PST file which you can find here.

http://www.microsoft.com/technet/scriptcenter/resources
/qanda/apr05/hey0408.mspx

I have modified it to also include the computer name since it will be intended to search multiple computers and to write the output to a csv file.

Copy the contents below and save to notepad. Rename this file to searchpst.vbs and save to C: drive.

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set colFiles = objWMIService.ExecQuery _

("Select * from CIM_DataFile Where Extension = 'pst'")

Set fso = CreateObject("Scripting.FileSystemObject")

set wfile = fso.opentextfile("c:\test.csv",2,true)

For Each objFile in colFiles

Wfile.writeline(strComputer & " " & objFile.Drive & " " & objFile.Path & " " & objFile.FileName & "." & objFile.Extension & " " & objFile.FileSize)

Next

Open your command prompt. Start, Run, CMD Ok. Ensure that you are at your your C:\>

Type the following

C:\>cscript searchpst.vbs

Once complete, go to your C: drive and locate text.csv. This csv file should include your computername, drive letter and path of your pst file, name of pst file and size.

Now if you wish to run this on multiple computers on the network you have couple options.

C:\>cscript searchpst.vbs computer1 computer2 computer3

Another option is to have this script read in the computer names from your computers OU in AD.

Copy the contents below to notepad. Save the file as searchpst1.vbs. Open your command prompt and type:

C:\>cscript searchpst1.vbs

Set colComputers = GetObject("LDAP://CN=Computers, DC=msexchange911, DC=net")
For Each objComputer in colComputers
strComputer = objComputer.CN
on error Resume next
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colFiles = objWMIService.ExecQuery _
("Select * from CIM_DataFile Where Extension = 'pst'")
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\test.csv",2,true)
For Each objFile in colFiles
Wfile.writeline(strComputer & " " & objFile.Drive & " " & objFile.Path & " " & objFile.FileName & "." & objFile.Extension & " " & objFile.FileSize)
next
next

References:

Running WMI Scripts on Multiple Computers
http://www.microsoft.com/technet/scriptcenter/resources
/tales/sg1102.mspx

How Do I Get a List of All PST Files on a Computer
http://www.microsoft.com/technet/scriptcenter/resources
/qanda/apr05/hey0408.mspx

James Chong
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Public Folder Fails To Mount c1041724

2006-09-12T17:42:00.000-07:00

Summary:

Public Folder fails to mount. Attempting to mount a Public Folder in Exchange System Manager produces error c1041724.

Cause:

Although there are multiple causes such as lack of permissions, disk space issues or corruption, in this instance the Public Folder database did not mount and produced c1041725 because the store did not point to a valid Public Folder Tree in Adsiedit.

Resolution:

To verify if your Public Folder Store is pointing to a valid Public Folder Heirarchy, perform the following steps.

Note: Use ADSIEDIT with caution, changes can be irreversible. Ensure you have good backups of your Exchange and System State for your Domain Controllers.

1. From your Exchange server or Domain controller, go to start, run, type adsiedit.msc click ok. (Adsiedit is part of your Windows 2000\2003 support tools)

2. Expand Configuration Container (DC hostname)

3. Expand to

CN=Services
CN=Microsoft Exchange
CN=Your Exchange Organization Name
CN=Administrative Groups
CN=First Administrative Groups
CN=Folder Hierarchies (Highlight this)

4. On the right pane, right click CN=Public Folders and select properties

5. You should see a list of attributes. Find the attribute "distinguishedName" The value should resemble similar to:

CN=Public Folders,CN=Folder Hierarchies,CN=First Administrative Group,CN=Administrative Groups,CN=MSexchange911,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Msexchange911,DC=net

Copy this to a notepad we will need to reference this value later.

6. Cancel out that windows. Back in Adsiedit on left pane, expand

CN=Servers
CN=YourExchangeServername
CN=Information Store
CN=YourStorageGroupName

Ensure you select the storage group that is hosting your public folder database.

7. On the right pane, select CN=YourPublicFolderStoreName, right click properties. Locate the attribute "msExchOwningPFTree" For the value, it should equal the value in step 5.

James Chong
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

ADMODIFY: You Receive Failed Changes When Using a Valid Attributte In the Custom Tab

2006-09-09T09:21:00.000-07:00

Summary: Admodify is a great utility to make bulk changes for Active Directory objects such as if you wanted to remove an email address for multiple people instead of having to go to each individual account to make the changes. With the latest version of Admodify you can create custom modifications if you know the LDAP attribute. However, when you enter this custom attribute and value into the custom tab you receive a dialog box "Operation Completed" but you receive "Failed Changes" You verify that the attribute name and value are correct.

Case Study:s

In this instance, I was trying to modify the "deliverAndRedirect" attribute. To see what this attribute does:

1. Open Active Directory Users and Computers.

2. Go to the properties of any user account.

3. Go to the Exchange General Tab,Delivery Options.

4. Locate the check box "Delivery Messages to Both Forwarding Address and Mailbox"

This checkbox corresponds to the following LDAP attribute "deliverAndRedirect"

5. I launch ADMODIFY, Modify Attributes. In the Domain List drop down box, select your domain. In your domain controllers list select you domain controller. If ytour Domain Controller does not appear, skip it, it will resume.

6. Uncheck Groups, Contacts and Public Folders and click the Green Arrow.

7. Highlight your Domain and click Add to List at the bottom. Click Ok at the dialog box to enumerate your list of users.

8. In the right pane, highlight a user or multple users and click next. Click the custom tab.

9. Click "Make a customized attribute modification"

Attribute Name: deliverAndRedirect
AttributeValue: True

You click OK. However you get failed changes.

Cause: The attributes Values are case sensitive. In this case True should be set to TRUE.

Attribute Name: deliverAndRedirect
AttributeValue: TRUE

James Chong
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Default Permissions on Exchange Organization

2006-09-05T20:23:00.000-07:00

Summary:

The following lists the default permissions on the Exchange Organization on the root of ESM. For Exchange to perform correctly the following permissions are required. Not having the correct permissions can cause issues with Recipient Update Service not running, security vulnerabilities in which unauthorized users have access to mailboxes other than their own and a variety of other issues.

1. Open ESM, right click your Exchange Org name at the root, and select properties. Select the security tab. If you do not see the security tab. Close ESM. Go to Start, Run, type Regedit. Navigate to:

HKEY_Current_User\Software\Microsoft\Exchange\Exadmin.

Create a new DWORD. Name this ShowSecurityPage and give it a value of 1 (Decimal) Close Registry.

2. In ESM, right click your Exchange Org name at the root and select properties and click security tab.

- You should see Exchange Domain Servers for each domain that you host. This group contains Exchange servers from each domain and gives access to the Exchange Configuration container in AD. The Exchange Domain Servers should also be a member of the Exchange Enterprise Servers Domain local security group.

- Authenticated Users should have special permissions (Read Properties and List Object)

- Everyone should have Create Named Properties in Information Store, Create Public Folder, Read, Execute, Read Permissions, List Contents, Read Properties, List Object

Note: By default all Users and Groups listed should have deny set for Send As and Receive as rights except for Exchange Domain Servers.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Outlook: Demystifying Outlook Cached Mode

2006-09-05T20:07:00.000-07:00

Summary:

Outlook 2003 provides a neat feature called Cached Mode. When running Outlook 2003 in Cached Mode, you have the option to download all messages to a local .OST file (similar to a .PST). Thus most of your Outlook tasks is performed locally rather than from your MB that's stored on the server side. This reduces server load and network bandwidth. The following provides list provides an overall picture of running Outlook in Cached Mode.

1. Reduce server load and network bandwidth since tasks/operations are performed locally.

2. You have the option to download all messages when starting Cached Mode or to download only headers such as in IMAP

3. If network connectivity is lost, you still have access to existing content.

4. Some features are still performed on the server side such as Out of Office messages and processing of Outlook rules

5. A common issue user's experience is not getting a real time Global Address List. For example, if a new user is created, a user in Cached Mode may not see this new user in the Global Address Book. This is because when in Cached Mode, you download a copy of the GAL once a day which is by default. You can force to re-download the GAL through Outlook Send\Receive settings. Another option is to use a registry hack

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\Cached Mode

Value name: ANR Include Online GAL
Value type: REG_DWORD
Value: 1 (1=enabled, 0=disabled)

Additional Resources with GAL and OAB

How to configure how the Offline Address Book is downloaded when you use Outlook 2003 in Cached Exchange Mode
http://support.microsoft.com/kb/823580

Administering the Offline Address Book in Outlook 2003
http://support.microsoft.com/kb/823580

6. Outlook Cached Mode works best with MB's less than 1GB in size.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Exporting and Querying Message Tracking Logs Using Log Parser

2006-09-03T14:25:00.000-07:00

Summary:

Exchange Message Tracking utility is a great feature which enables administrators to track message flow for troubleshooting or verification. To enable message tracking, you must go into the properties of the server in Exchange System Manager. In ESM (Exchange System Manager) expand your administrative group, servers, highlight your server, right click properties. Here, you see the option to enable message tracking. In Exchange 2003 you can specify the directory on this pane as to where you want to store these message tracking log files. For 2000 these logs are stored in your Program Files\Exchsrvr\ExServer1.log directory. If you wish to change the location, follow the KB article at the end of this article. When using this tool from ESM, the information is gathered from these message tracking logs. If you were to open these log files, you can see that it is very difficult to read and the message tracking tool in ESM does not give you the option to pipe the results in a file. This article will go over how to export the contents of the message tracking log file to a more friendly text file using Log Parser utility.

Export Exchange Message Tracking Log to a CSV File using Log Parser

1. Download LogParser 2.2

http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Note: You can also use the Log Parser GUI but is very limited. You can download the GUI version from: http://www.logparser.com/simpleLPview00.zip

If you wish to use the GUI version, copy all DLLs and EXE files to the your system32 folder and run the LPview00.exe from the system32 folder. (The following steps below assume that you are working with the CLI version.

2. Once you have download Logparser 2.2, go to Start Menu, Programs, Log Parser 2.2, Log Parser 2.2. This will launch a command prompt.

3. Now you can run SQL statements against the message tracking log file. The example below will query any entry where the recipient address is user1@company.com and export it to a text file called export.txt

C:\Program Files\Log Parser 2.2>logparser -q -i:w3c "SELECT* FROM c:\temp2\log.log
WHERE Recipient-Address like `user1@company'" > c:\export.txt

I will have more sample SQL queries soon so check back! If you wish to request a specific SQL query, you can email from.

References:

LogParser References
www.logparser.com
http://www.securityfocus.com/infocus/1712.

How to change the location of the message tracking logs in Exchange 2000 Server
http://support.microsoft.com/kb/317700/

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Perfmon Exchange Counters Missing

2006-09-02T17:50:00.000-07:00

Summary:

When launching Windows Performance Monitor and scrolling through the Performance Object list, no MS Exchange counters are present. In this instance there are two common issues. One, the Exchange performance counter respository has been disabled and is just not viewable. Second, the performance counter may be corrupted, missing and just needs to be re-built. The Exchange performance counters are in the .ini files within the Exchange Bin directory. To correct the issue start with resolution 1. If this does not correct the issue, rebuild the repository in resolution 2.

Resolution 1.

In some instances, performance counters are just disabled from view. In order to check the status to see if the counter is enabled or disabled, you can use EXCtrlst from the Windows 2000 Resource Kit.

Download Resource Kit
http://www.dynawell.com/support/ResKit/winnt.asp

ExCtrLst - Extensible Performance Counter List
This tool provides information on the Extensible Performance Counter DLLs that have been installed on a computer running Windows 2000\2003, listing the services and applications that provide performance information via the Windows 2000 registry.

1. Save the ExCtrlst to your C:\ drive. Double click the file Exctrlst.exe

2. This will launch the Extensible Counter List Window

3. Scroll through the list until you see your Program Files\Exchsrvr\Bin directory. This will list all the Exchange counters. Highlight it and towards the bottom, see if the performance counter enabled is checked.

4. If the counters are already enabled, then procedure to resolution 2.

Resolution 2

This procedure will go over rebuilding the Exchange performance counter libraries.

1. Go to your command prompt, Start Run, CMD, Ok.

2. C:\>lodctr.exe /r (This will rebuild all performance counters. Wait a few mins for it to rebuild and close and re-open Performance Monitor. If the Exchange counters do not appear go to step 3.

3. Try to rebuild each Exchange counter manually. For example, if you want to rebuild the imap counters

C:\>lodctr.exe imap4ctrs.ini

You can view all the counter ini file names by going to your Program Files\Exchsrvr\Bin directory.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Export SMTP Relay List

2006-09-01T16:46:00.000-07:00

Summary:

There may come a time where you wish to export your allowed relay list in your SMTP virtual server. There is nothing in the SMTP Virtual server that can export the list. This can become encumbersome if your organization maintains a long list of relay hosts. I first approached this by trying to perform an LDIFDE query for the SMTP VS object in ADSIEDIT.

CN=1,CN=SMTP,CN=Protocols,CN=EXC03,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=MSexchange911,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Msexchange911,DC=net

However after reviewing the output and viewing the msExchSMTPRelayIPList I noticed that the output was in octet format.

msExchSmtpRelayIpList::
GAAAgCAAAIA8AACARAAAgAEAAABMAAAAAAAAAAAAAAAB
AAAAAQAAAAIAAAACAAAABAAAAAAAAABMAA
CAAAAAAAAAAAAAAAAAAAAAAP////8CAgIC

After doing some research, I came across the following KB article which converts different string formats.

SAMPLE: ARRAYCONVERT.EXE Variant Conversion Functions
http://support.microsoft.com/kb/q250344/

After some testing, I could not get this to work. I came across another utility from the Exchange 2000 resource kit called IPSec.vbs. This script has a wide variety of functions to manage your IP Security settings including exporting your relay list. To export the relay list using IPSec.vbs:

1. Download IPSec.vbs

ftp://ftp.smtp25.org/[ James Chong Scripts ]

Download the entire folder ExIPSecurity and save it to your C:
2. Open command prompt and go to your ExIPSecurity directory.

3. C:\ExIPSecurity>regsvr32 exipsec.dll

4. C:\ExIPSecurity>cscript ipsec.vbs -s Exchangeserver -o e -r relay -d DCServername > c:\ExIPSecurity\relaylist.txt

This will export the relay list to a relaylist.txt file.

Other useful tips using IPsec.vbs

Examples:
Ipsec.vbs -d dc1 -o e -r connection
Ipsec.vbs -d dc1 -o a -r relay -v 127.0.0.1
Ipsec.vbs -d dc1 -o a -r accept -v 123.123.123.0 -m 255.255.255.0
Ipsec.vbs -d dc1 -s server1 -o d -r connection -t domain -v domain1
Ipsec.vbs -d dc1 -s server1 -o c -r deny
Ipsec.vbs -d dc1 -i 2 -o s -r relay -g grant

Note that options '-o s' and '-t domain' are not allowed in global accept/deny lists.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Event Monitoring Via WMI (Backup Report)

2006-09-01T09:47:00.000-07:00

Summary:

In this article, I will provide a sample script to monitor event IDs and email the event to the specified email address. This sample code implements the use of WMI quering the Win32_NTLogEvent class for event ID 213. Event ID Source ESE 213 indicates the completion of Exchange Backups. If you do not see Event ID 213, you may be using a third party backup application that does not use the Exchange backup API. If this is the case, you will need to identify the event ID that your third party application uses.

The script will email out so you will need to specify your SMTP server in this script.

Note: You can use built in Windows command eventcreate.exe to simulate event to test.

Event ID 213
Information Store (4168) TEST.NET: The backup procedure has been successfully completed.

1. Modify the portion of the script to specify the source and destination email addresses to send from and to.

2. Copy the contents below and name the file eventmon.vbs

3. Double Click the file. It will continously monitor for the event 213. Therefore you will see wscript process running in task manager process tab. To terminate the job, click end task.

Note: You can download this file from ftp://ftp.smtp25.org/[ James Chong Scripts ]

set objEmail = CreateObject("CDO.Message")

'strComputer=Inputbox("Enter the computer name you want to monitor")
'if strcomputer="" then
strComputer = "."
'end if

set objwmiservice=getobject("winmgmts://" &strcomputer &"/root/cimv2")

strwql="select * " & _
"from __instancecreationevent " & _
"where targetinstance isa 'Win32_NTLogEvent' " & _
"and targetinstance.eventcode = '213' "

set objeventsource=objwmiservice.execnotificationquery(strwql)

wscript.echo "waiting for an event to happen on " &strcomputer

While True
set objeventobject=objeventsource.nextevent()
objEmail.Subject = objEventobject.TargetInstance.ComputerName & _
objEventobject.TargetInstance.logfile & "\" & _
objEventobject.TargetInstance.sourcename
objEmail.From = "admin@mydomain.com"
objEmail.To = "admins@mydomain.com"

objEmail.Textbody = "Computer Name: " & _
objEventobject.TargetInstance.ComputerName & _
"Notification E-Mail from Automated windows event monitoring script." & vbcrlf _
& " Event Type: " & objEventobject.TargetInstance.type & vbcrlf _
& " Event ID: " & objEventobject.TargetInstance.eventcode &vbcrlf _
& " Event source: " & objEventobject.TargetInstance.sourcename & vbcrlf _
& " Event Log: " & objEventobject.TargetInstance.logfile & vbcrlf _
& " Event Time: " & objEventobject.TargetInstance.timewritten & vbcrlf _
& "The Event Err details are :- " & vbcrlf _
& objEventobject.TargetInstance.Message

'==This section provides the configuration information for the remote SMTP server.
'==Normally you will only change the server name or IP.
objemail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2

'Name or IP of Remote SMTP Server
objemail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.mydomain.com"

'Server port (typically 25)
objemail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25

objemail.Configuration.Fields.Update

'==End remote SMTP server configuration section==

objEmail.Send

Wend

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Blackberry: Optimizing Blackberry For Enterprise Class Environments

2006-08-31T20:16:00.000-07:00

Summary:

Blackberry has become a very popular application providing mobile messaging services. In this article, I will go over how to design and optimize your Blackberry environment in conjunction with Exchange.

Blackberry is a very time sensitive application. Each second of latency from your BES (Blackberry Enterprise Server) to your Exchange server has an exponential affect in delivery times for messages. Therefore it is critical that your BES server and Exchange server are in close proximity (LAN) with ping response times of less than 35ms. In BES environments, the following holds true, "One bad apple ruins the bunch." What this means is that if your BES server communicates with multiple Exchange servers and one of those Exchange servers is on a high latency link above 35ms, then everyone suffers the latency affect. Therefore; follow the best practices below.

1. Configure your BES servers to communicate with the fewest number of Exchange servers as possible. For example, if you have 3 BES servers and 3 Exchange servers, configure BES1 to only host users on EX1, BES2 to EX2 and BES3 to EX3, rather than a full mesh environment.

2. What about if you hosts many Exchange servers which are geographically dispersed? Ideally you want to host your BES server in the same LAN as the Exchange server it hosts. However, if your organization hosts all it's BES servers in one location say HQ, and has Exchange servers geographically dispersed, design your BES according to the following:

Classify your Exchange servers in 3 tiers based on ping times from the BES servers. Classify your low latency Exchange servers <35ms in tier1, >35 to <60ms tier2, >60ms tier3. Now you want to follow the "One bad apple ruins the bunch" approach. Therefore, have one of your BES only hosts tier1 Exchange servers, another BES only host tier2 Exchange servers and another BES host tier3 users.

Depending on the size of your environment, number of BES servers and Exchange servers, you can classify the tiers anyway that suits your environment as long as you follow the "One bad apple ruins the bunch" approach.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: How To View All Registered Event Sinks

2006-08-31T18:02:00.000-07:00

Summary:

In this article, I will go over how to view all registered event sinks within Exchange. Event sinks are basically a sub-routine that is fired at specific points in the message flow such as during transport. Most event sinks fire just before the message categorizer and right after. However, there are also sinks that run during message transfer. Many Exchange aware AV products register event sinks within Exchange. For example, before a message is sent to the categorizer, it is sent to the pre-submission queue where it is scanned for viruses or verified against the GAL. Other types of event sinks could be email disclaimers that are attached to say all outbound e-email or custom sinks that are fired based on rules you specify.

There may come a time where you need to view all registered event sinks. For example, you may have inherited an Exchange Server and which a previous admin may have registered custom event sinks that you are unaware of. In other circumstances, I've seen where products specifically AV software, in which the application was removed but the event sink was still registered and caused mail flow issues in which messages were stuck in the pre-submission queued.

To view all registered event sinks, follow the procedure below:

1. You need to download the smtpreg.vbs which you can get from the link below. I have heard that this file is also included in the Exchange SDK, but did not appear to be when I installed the SDK. You can also download the smtpreg.vbs from:

ftp://ftp.smtp25.org/Scripts/

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/smtpevt/html/6b7a017e-981e-45a1-8690-17ff26682bc7.asp

1. Once you have the smtpreg.vbs file, copy it to the root of your C:
2. Open command prompt, start run, cmd.

3. Type the following: C:\cscript smtpreg.vbs /enum

To pipe to a text file to easy viewing type:

C:\cscript smtpreg.vbs /enum > c:\file.txt

4. To remove the event sink. Go to your command prompt.

C:\cscript smtpreg.vbs /remove 1 sinkclass sinkname

1 = SMTP Virtual Service

Note: Sometimes duplicate sinks are registered. In this event, you will need to run this more than once. Re-run step 3 and verify the sink has been removed.

Another Method to view all event sinks is to download the Exchange SDK and launch Exchange Explorer.

Exchange SDK
http://www.microsoft.com/downloads/details.aspx?FamilyId=4AFE3504-C209-4A73-AC5D-FF2A4A3B48B7&displaylang=en

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Export GAL Using CSVDE

2006-08-30T09:45:00.000-07:00

Summary:

One common request is "How do I export the contents of the GAL?" Unfortunately there are no native tools that simply export the contents without some work. There are some third party tools such as IMI GAL Exporter ver.3 which you can purchase for a few bucks. I have tested their trial version is appears to be a very neat utility. The other option is to use LDIFDE and CSVDE. Unfortunately, you have to know all the attributes listed in the GAL so you can export them out. I have provided the following CSVDE command to export most if not all the attributes in the GAL.

From a command prompt type the following command.Substitute the following string

"dc=corp,dc=company,dc=net" with your Fully Qualified Domain Name. Use Excel to open the file when complete.

C:\>csvde -r "(objectClass=user)" -d "dc=corp,dc=company,dc=net" -l disp
layname,title,description,company,department,assistant,
physicaldeliveryofficename,telephoneNumber,othertelephone,
mail,streetaddress,postofficebox,l,st,postalcode,co,homephone,
otherhomephone,pager,otherpager,mobile,othermobile,
facsimileTelephoneNumber,info,manager,memberOf -f c:\gal.csv

Connecting to "DC1.corp.company.net"
Logging in as current user using SSPI
Exporting directory to file c:\gal.csv
Searching for entries...
Writing out entries.............................................................

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Blackberry + Large MBs = Recipe for Latency

2006-08-29T16:24:00.000-07:00

Summary:

Blackberry is a very resource intensive application and is known to be a very "chatty" application. I've heard BES (Blackberry Enterprise Server) is known to produce 5-6 times as much MAPI traffic as an average client, but never came across any documentation as to how this was figure was formulated. However, I have seen BES in conjunction with large mailboxes (1GB+) cause an exponential affect as far as performance degradation. Take the following case scenario below.

Case Scenario:

In this scenario, users were reporting "Outlook is requesting data" pop ups frequently. This would occur for BES users as well as non BES users. Now to give you the specifics of the hardware platform:

Hardware:
Proliant BL20P G2 (Backended to a SAN)
2 Quad Proc 2Ghz
4GB RAM

OS:
Windows 2003 Ent
Exchange 2003 Ent

This server hosted approximately 350 users and was originally sized to support 3,000 users. However, users were already complaining about Outlook latency.

Exchange Performance Analyzer, reported high RPC activity which was the source of the latency. No other bottlenecks were reported. We investigated disk I\O, memory, CPU and everything reported normal.

We consulted with our Microsoft ASE. The culprit was our BES users in which this server hosted approximately 186 with about half of them having mailboxes at 1GB and over. However, the size of the mailbox is not what causes the latency but specifically the number of items in your Outlook folders. This is because the more items you have, the more likelyhood that these items are stored in mutiple tables and pages within the database. Therefore, Exchange has to traverse this tree in order to link and process operations such as categorized views. Now large mailboxes in conjunction with BES, which is a very resource intensive application was a perfect "RECIPE FOR LATENCY" I've also seen desktop search engines also cause a similar affect in which 20 users running Google Desktop Search Engine caused the Exchange Store.exe process jump from a 2%cpu baseline to 17%cpu baseline.

What we ended up doing was to export the item count for all users on this server user PFDavadmin, (I have a blog on this referenced at bottom) and then filtered for users who had more than 10000 items. (Choose the figure that you want to work with) We then had users clean out their mailboxes.

References:

Outlook users experience poor performance when they work with a folder that contains many items on a server that is running Exchange Server 2003 or Exchange 2000 Server
http://support.microsoft.com/?id=905803

Exchange: Exporting Mailbox Properties Using PfdavAdmin
http://msexchangetips.blogspot.com/2006_08_01_msexchangetips
_archive.html

Microsoft Exchange Analyzers
http://www.microsoft.com/technet/prodtechnol/exchange
/downloads/2003/analyzers/default.mspx

Exchange 2000 Server and Exchange Server 2003 performance may be affected when desktop search engine software is running on Outlook or other MAPI client computers
http://support.microsoft.com/?id=905184

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Exporting SMTP Proxies Part 2

2006-08-28T16:05:00.000-07:00

Summary:

The following script will export SMTP proxies from the specific OU's that you designate rather than exporting the entire domain.

You can also download this file from our ftp site at:

ftp://ftp.smtp25.org/[ James Chong Scripts ]

Dim x, zz
Set objRoot = GetObject("LDAP://RootDSE")
Set fso = CreateObject("Scripting.FileSystemObject")
Set txtstream = fso.CreateTextFile("c:\testfile.txt", True)
strDNC = objRoot.Get("DefaultNamingContext")
Set objOU = GetObject("LDAP://cn=users,dc=corp,dc=company,dc=net")
Call enummembers(objOU)
Set objOU = GetObject("LDAP://cn=builtin,dc=corp,dc=company,dc=net")
Call enummembers(objOU)

Call enummembers(objOU)
Sub enumMembers(objOU)
On Error Resume Next
Dim Secondary(20) ' Variable to store the Array of 2ndary email alias's
For Each objMember In objOU ' go through the collection

If ObjMember.Class = "user" Then ' if not User object, move on.

' I set AD properties to variables so if needed you could do Null checks or add if/then's to this code
' this was done so the script could be modified easier.

EmailAddr = objMember.mail

zz = 1 ' Counter for array of 2ndary email addresses
For each email in ObjMember.proxyAddresses
If Left (email,5) = "SMTP:" Then
Primary = Mid (email,6) ' if SMTP is all caps, then it's the Primary
ElseIf Left (email,5) = "smtp:" Then
Secondary(zz) = Mid (email,6) ' load the list of 2ndary SMTP emails into Array.
zz = zz + 1
End If
Next

txtstream.write Primary & vbcrlf

' Write out the Array for the 2ndary email addresses.
For ll = 1 To 20

txtstream.write Secondary(ll) & vbcrlf

Next
' Blank out Variables in case the next object doesn't have a value for the property

Primary = "-"
For ll = 1 To 20
Secondary(ll) = ""
Next
End If

' If the AD enumeration runs into an OU object, call the Sub again to itinerate

If objMember.Class = "organizationalUnit" or OBjMember.Class = "container" Then
enumMembers (objMember)
End If

Next
End Sub

txtstream.close

Const ForReading = 1
Const ForWriting = 2

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("C:\Testfile.txt", ForReading)

Do Until objFile.AtEndOfStream
strLine = objFile.Readline
strLine = Trim(strLine)
If Len(strLine) > 0 Then
strNewContents = strNewContents & strLine & vbCrLf
End If
Loop

objFile.Close

Set objFile = objFSO.OpenTextFile("C:\Testfile.txt", ForWriting)
objFile.Write strNewContents
objFile.Close

MsgBox "Done" ' show that script is complete

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: LDIFDE Export Members of Distribution List

2006-08-28T15:25:00.000-07:00

Summary:

This article will go over how to export members of a distribution list using LDIFDE.

There is MS KB article: http://support.microsoft.com/?kbid=555365
How to export the members of a distribution group in Exchange 2000/2003 using LDIFDE
which provides a sample of an LDIFDE command to export the properties.

ldifde -f export.ldf -d "cn=\Partners,ou=users,dc=microsoft,dc=com" -l member -s DC01

However, when you run the command, you receive no entries found:

Connecting to "DC01"
Logging in as current user using SSPI
Exporting directory to file export.ldf
Searching for entries...
Writing out entries
No Entries found

Cause:

Remove the slash in "cn=\"

In order to exporting any property for this user, you need to get the full DN. In order to get the full DN. Perform the following steps.

1. Start, Run, Adsiedit.msc (Part of Windows Server Support Tools)
2. Expand your Domain. This should mimic your OU structure.
3. Expand through your OU tree until you locate your group.
4. Once you have located your group CN=Group Name, right click properties.
5. Locate the attribute DistinguisedName and double click.
6. Copy the entire string which should be in the following format:
CN=My Group Name,CN=Users,DC=corp,DC=domain,DC=net
7. Enter in the following LDIFDE command.

C:\Documents and Settings\user>ldifde -f exportgroup.ldf -s MYDC -d
"cn=my group,cn=users,dc=corp,dc=redcross,dc=net" -l "member"

Note: if you would like to get more information other than group membership here is an example command:

C:\Documents and Settings\user>ldifde -f exportgroup.ldf -s MYDC -d
"cn=my group,cn=users,dc=corp,dc=redcross,dc=net" -l "dn, givenname, department, member"

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Attachments Gets Converted to ATT###.txt

2006-08-23T20:00:00.000-07:00

Summary:

A user in your organization reports that attachments sent to him from an external party, is coming in as ATT###.txt

Cause:

In this scenario, a user called in stating that an attachment that was sent from an external party Excite.com is coming in as ATT###.txt. What we found out in this scenario is that the external contact was not composing a new message in Excite, but he was actually fowarding a message that he received in his Excite account to our internal user. When the external user composed a new message from his Excite account with an attachment, the internal user was able to receive the message. However, if the Excite user was to foward a message with an attachment to our internal user it would come in the format as ATT###.txt.

The way an existing mail with attachment is encoded by the messaging Server at Excite, causes the attachment to lose format. This may be caused by several other domains other than Excite.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Exmon Tracelog -stop "Exchange Event Trace" Produces Invalid option given: Event

2006-08-23T19:35:00.000-07:00

Summary:

When launching Exmon you receive "Unknown StartTrace error (183) This occurs because Exmon continues to collect data in an .ETL file although Exmon is not running. This file caps at 512MB. Once this is capped, Exmon cannot start because it cannot log any more data.

You perfmon the following task to stop the trace

From your resourcekit directory you type in the following command:

C:\Programfiles\resourcekit> Tracelog -stop “Exchange Event Trace”

You immediately receive:

Invalid option given: Event

You then enter the following command:

C:\Programfiles\resourcekit> Tracelog -l

The output shows that the "Exchange Event Trace" is running

Solution:

This occurs because you pasted Tracelog -stop “Exchange Event Trace” into your command prompt. Re-type the command and it should terminate the trace.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Query Mailbox Creation Timestamp

2006-08-23T10:05:00.000-07:00

Summary:

Unlike user creation timestamp which could be queried in ADSIEDIT, mailbox creation time is not stored in AD. To query mailbox creation time you need to query the MAPI properties of the Mailbox. In the MAPI property of the Mailbox, you will see a property "PR_Creation_Time" This property shows the date the mailbox was created. However, if the mailbox was moved, this time will not reflect the original creation time but rather the last mailbox move. This is because a mailbox move essentially creates a new mailbox. There is a method to get the original mailbox timestamp by looking at PR_NTSDModificationTime property the root of the IPM_Subtree in your mailbox. This property is the last modification time of the security descriptor. This timestamp does not change because it is at the root and the user will not see this folder. However, if you were able to view this property say for your inbox, the time may not be the same depending on whether or not you chagned permissions on your inbox such as giving another user rights or delegation to that folder.

This information can be useful in instances where you need to restore a mailbox from backup to determine if the user resided in the server where you need to restore the tape to. This article will go over how to manually view these properties using MFCMAPI and secondly how using a script to query this out for all users on an Exchange server. I would like to thanks Glen Scales (Exchange MVP Developer) for helping to creating this script.

Download all scritps from:
ftp://ftp.smtp25.org/

Manually Checking the Mailbox Creation Date.

1. Download MFCMAPI, also known as MAPI Editor. http://www.microsoft.com/downloads/details.aspx?FamilyID=55FDFFD7-1878-4637-9808-1E21ABB3AE37&displaylang=en

2. Launch MFCMAPI application. Click OK at the Microsoft Exchange Server MAPI Editor window. Click Session, and select Logon and Display Store Table.

3. You will now be prompted to create a profile. Note, you must be logged in with an account and mailbox profile that has full rights to your Exchange server, otherwise you will receive the following error message below when we open the temp table.

Error:
Code: MAPI_E_FAILONEPROVIDER === 0x8004011D
Function
File f:\df7830\extest\src\mfmapi\mapistorefunctions.cpp

4. Once logged in, go to MDB menu, Open Other User's Mailbox. Select the Mailbox you wish to open from the GAL and click ok and click ok at the prompt.

5. You will see a new dialog box with your mailbox name at the top. Highlight the root container. On the right pane, look for the following property

Property: 0x3FD60040

This is your orginal mailbox creation date.

Now to get last mailbox creation time such as when the mailbox was last moved to another store.

6. Highlight TOP of Information Store. On the right pane locate the following property:

PR_Creation_Time

----------------------------------------------------------------------------------

Now to script the original mailbox creation time by querying the PR_NTSDModificationTime at the root of the IPM_Subtree copy and paste the contents below into a text file and name that text file mborigtime.vbs. Save to C: drive.

servername = wscript.arguments(0)
PR_NTSDModificationTime = &H3FD60040
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\admin\mbCreationTime.csv",2,true)
wfile.writeline("Mailbox,CreationTime")
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
svcQuery = "Com.ActiveConnection = Conn
Com.CommandText = svcQuery
Set Rs = Com.Execute
while not rs.eof
GALQueryFilter = "(&(&(&(& (mailnickname=*)(!msExchHideFromAddressLists=TRUE)( (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=" & rs.fields("legacyExchangeDN") & ")) )))))"
strQuery = " com.Properties("Page Size") = 100
Com.CommandText = strQuery
Set Rs1 = Com.Execute
while not Rs1.eof
call procmailboxes(servername,rs1.fields("mail"))
wscript.echo rs1.fields("mail")
rs1.movenext
wend
rs.movenext
wend
rs.close
wfile.close
set fso = nothing
set conn = nothing
set com = nothing
wscript.echo "Done"

sub procmailboxes(servername,MailboxAlias)

Set msMapiSession = CreateObject("MAPI.Session")
on error Resume next
msMapiSession.Logon "","",False,True,True,True,Servername & vbLF & MailboxAlias
if err.number = 0 then
on error goto 0
Set objInbox = msMapiSession.Inbox
Set objInfostore = msMapiSession.GetInfoStore(objInbox.StoreID)
Set objRootFolder = objInfostore.Rootfolder
Set Non_IPM_rootFolder = msMapiSession.GetFolder(objRootfolder.fields.item(&h0E090102),objInfoStore.ID)

Wscript.echo Non_IPM_rootFolder.fields.item(PR_NTSDModificationTime)
wfile.writeline(mailboxAlias & "," & Non_IPM_rootFolder.fields.item(PR_NTSDModificationTime))

else
wscript.echo = "Error Opening Mailbox"
wfile.writeline(mailboxAlias & "," & "Error Opening Mailbox")
end if
Set msMapiSession = Nothing
Set mrMailboxRules = Nothing

End Sub

7. Now open a command prompt. Go to:

C:\>mborigtime.vbs exservername

This will query all the orginal mailbox creation time for your exchange server and put the results to

C:\admin\mbCreationTime.csv

----------------------------------------------------------------------------------

Now to script the last time the mailbox was moved to another store by querying the PR_Creation_Time at the root of the IPM_Subtree copy and paste the contents below into a text file and name that text file lastmborigtime.vbs. Save to C: drive.

servername = wscript.arguments(0)
PR_Creation_Time = &H30070040
Set fso = CreateObject("Scripting.FileSystemObject")
set wfile = fso.opentextfile("c:\admin\lastmbCreationTime.csv",2,true)
wfile.writeline("Mailbox,CreationTime")
set conn = createobject("ADODB.Connection")
set com = createobject("ADODB.Command")
Set iAdRootDSE = GetObject("LDAP://RootDSE")
strNameingContext = iAdRootDSE.Get("configurationNamingContext")
strDefaultNamingContext = iAdRootDSE.Get("defaultNamingContext")
Conn.Provider = "ADsDSOObject"
Conn.Open "ADs Provider"
svcQuery = "Com.ActiveConnection = Conn
Com.CommandText = svcQuery
Set Rs = Com.Execute
while not rs.eof
GALQueryFilter = "(&(&(&(& (mailnickname=*)(!msExchHideFromAddressLists=TRUE)( (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=" & rs.fields("legacyExchangeDN") & ")) )))))"
strQuery = " com.Properties("Page Size") = 100
Com.CommandText = strQuery
Set Rs1 = Com.Execute
while not Rs1.eof
call procmailboxes(servername,rs1.fields("mail"))
wscript.echo rs1.fields("mail")
rs1.movenext
wend
rs.movenext
wend
rs.close
wfile.close
set fso = nothing
set conn = nothing
set com = nothing
wscript.echo "Done"

sub procmailboxes(servername,MailboxAlias)

Set msMapiSession = CreateObject("MAPI.Session")
on error Resume next
msMapiSession.Logon "","",False,True,True,True,Servername & vbLF & MailboxAlias
if err.number = 0 then
on error goto 0
Set objInbox = msMapiSession.Inbox
Set objInfostore = msMapiSession.GetInfoStore(objInbox.StoreID)
Set objRootFolder = objInfostore.Rootfolder
Set Non_IPM_rootFolder = msMapiSession.GetFolder(objRootfolder.fields.item(&h0E090102),objInfoStore.ID)

Wscript.echo Non_IPM_rootFolder.fields.item(PR_Creation_Time)
wfile.writeline(mailboxAlias & "," & Non_IPM_rootFolder.fields.item(PR_Creation_Time))

else
wscript.echo = "Error Opening Mailbox"
wfile.writeline(mailboxAlias & "," & "Error Opening Mailbox")
end if
Set msMapiSession = Nothing
Set mrMailboxRules = Nothing

End Sub

Now open a command prompt. Go to:

C:\>lastmbcreationtime.vbs exservername

This will query all the orginal mailbox creation time for your exchange server and put the results to

C:\admin\lastmbCreationTime.csv

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Block Host IP From Sending E-Mail

2006-08-22T20:01:00.000-07:00

Summary:

You identify a malicious host IP and wish to block all messages orginating from this host. For example Host A is sending a large volume of emails to your Exchange server. You want to block A's email IP address. If A resides in your Exchange
Organization, A and your recipients will be MAPI clients. If A is a remote host from Internet, your recipients will be POP3 or IMAP4 clients.

Circumstance One
===============
If A is an internal client which resides in the same LAN, and you set
Routing Group Connector to allow mail flow between two different sites,
A will send email via the corresponding RGC. At this circumstance, you
need to restrict the RGC to prevent A from sending email. If you set a
SMTP Connector but not RGC, A will send email via the corresponding SMTP
Virtual Server. At this circumstance, you need to restrict the SMTPVS to
prevent A from sending email.

Circumstance Two
===============
If A is an external client which comes from Internet, and you set SMTP
Virtual Server to allow mail flow between your Exchange Organization and
Internet, A will establish a SMTP session to your SMTPVS in order to
send emails to your Exchange Server. At this circumstance, you need to
set the connection control on your SMTPVS to prevent A from sending
email.

Note: You should disable the opening relay first.

Understanding the above information, we can perform the following steps
to block A's email IP address:

Circumstance with RGC, let's set the connection restriction on
RGC:
------------------------------------------------------------------------
1. Open ESM, locate to Administrative Group\First Administrative
Group\Routing Groups\First Routing Group\Connectors.

2. In the right pane, right-click on a RGC, and open the "Properties"
page.

3. Click the "General" tab, and then choose "These servers can send
mail over this connector".

4. Click Add button, and then select your Exchange server with
"Default SMTP Virtual Server".

5. Click OK to add the server into the list.

6. Click OK to save the changes.

7. Configure the Connection Control on your SMTP Virtual Server to block User "A"

8. Restart the SMTP service and Exchange Routing Engine service.

Circumstance with SMTP Connector, let's set the connection
restriction on SMTP Connector:
------------------------------------------------------------------------

1. Open ESM, locate to Administrative Group\First Administrative
Group\Routing Groups\First Routing Group\Connectors.

2. In the right pane, right-click on a SMTPC, and open the
"Properties" page.

3. On the "General" page, click "Add" button to add your Exchange
server with "Default SMTP Virtual Server" as a Local Bridgehead.

4. Click OK to save the changes.

5. Configure the Connection Control on your SMTP Virtual Server as I
mentioned in my previous email.

6. Restart the SMTP service and Exchange Routing Engine service.

To Circumstance with SMTP Virtual Server, let's just set the
connection restriction on SMTPVS:
------------------------------------------------------------------------

1. Open ESM, locate to Administrative Group\First Administrative
Group\Servers\Protocols\SMTP.

2. Right-click "Default SMTP Virtual Server", and open the
"Properties" page.

3. Choose the "Access" tab, and then click "Connection" button of the
"Connection control" box.

4. Select "All except the list below", click Add button.

5. Select "Single computer", and then put the host IP address in the
"IP address" blank.

6. Click OK to save the changes.

7. Restart the SMTP service and Exchange Routing Engine service.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Outlook: Calendar Overlay

2006-08-22T19:44:00.000-07:00

Summary:

Calendaring has become an integral feature for many organizations. One request that I hear often is "Can Outlook create an overlay view of multiple calendars rather than side by side view?"

Answer:

Unfortunately, Outlook (all versions, including Professional, Standar and Premier) does not provide the customized view based on different folder, but only single folder view. For this reason, two calendar, originates from two calendar folders, can not be overlayed. To obtain the overlayed effect, the only way is to manually export one calendar to a .pst and then merge it into another calendar. Otherwise, to acquire this feature, we must modifiy the source forms on which the calendar is based. For example, we must supplement the attributes that distinguish the items from different calendar. This feature is by design in Outlook.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Transaction Log Files Growing Rapidly; Case Scenarios

2006-08-22T18:35:00.000-07:00

Summary:

An Exchange admins worst nightmare is to come into work one morning to find out your partition housing your transaction log files has been filled up with an abundant amount of log files. You continue to monitor your disk space which is filling up at a rapid pace. What to do? In this article I will share my experience in dealing with these situations.

Note: If you are currently experiencing rapid log file growth and your partition housing your log files is running low on disk space, enable circular logging immediately. This will flush all log files as they are committed to your database. This will prevent your partition housing your log files from filling up and causing your store to dismount.

XADM: How to Modify the Circular Logging Setting
http://support.microsoft.com/kb/258470/

Case Scenario #1 Script Gone Haywire

In this scenario, I came into work to find out that the log files have grown tremendously and eating up disk space at rate of almost 1-2GB an hour. Because of the rate at which the logs being generated, users were complaining about messages being delayed. This is because the rate at which the log files were being committed to the database could not keep up with the rate that they were being generated in additional to a high store.exe process.

The root cause analyses was a script that an employee wrote which was part of our ticketing system. I ran MS Netmon which is a packet sniffer to determine if I could find the source of where the traffic was being generated from, which helped me to pinpoint it to our ticketing system.

You can download Netmon from ftp://ftp.microsoft.com/PSS/Tools/ The file is zipped and contains a password. The unzip password is "trace"

Case Scenario #1 Routing Loop (Migration)

In this scenario, I also experienced rapid log file growth. This scenario occured during a migration from 5.5 to 2003. The root cause analyses for this situation was more of how the organization's mail topology was configured.

This organization used a Sendmail server as it's frontend and thus hosted the MX record for the organization say abc.com. It then forwarded to the Exchange backend using an alias table. The Exchange backend environment thus hosted an internal MX record say xyz.local. The recipient policy of the Exchange org was configured as:

Primary: abc.com
Secondary: xyz.local

Internet mail would arrive to user@abc.com, the Sendmail server would lookup the alias table and forward to user@xyz.local which would deliver to the Exchange Org. Now because our Exchange Org did not host all users for for the recipient policy of abc.com, the SMTP Virtual Server was configured to "Send all unknown recipients to" another Sendmail smarthost.

The loop was caused because the alias table on the Sendmail server was not maintained. Therefore, when an email arrived at the frontend Sendmail server destined to user@abc.com, it would look up the alias table and see it mapped to user@xyz.local and forward it to the Exchange Org. The Exchange Org did not have this recipient and would foward it out to a Smarthost because "Send all unknown recipients to" was configured. This Smarthost would then send it back to the frontend Smarthost causing a loop.

Resolution was to enable "Filter Recipients who are not in the directory" in the Global Settings in Exchange System Manager in addition to having a procedure to maintain a current alias table.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Forwarding Copy of User's Email or Public Folder to Another Account Via Event Sink

2006-08-21T21:00:00.000-07:00

Summary:

Exchange offers Journaling which allows you to designate a mailbox to receive all emails sent and received from a particular store that you designate. However, Exchange does not give you the granularity to journal only one mailbox. In order to achieve this you will need to install a custom event sink provided below. Before I delve into the implementation of the event sink. I'll go over what event sinks are what they do.

Event sinks are basically a sub-routine that is fired at specific points in the message flow such as during transport. Most event sinks fire just before the message categorizer and right after. However, there are also sinks that run during message transfer. Many Exchange aware AV products register event sinks within Exchange. For example, before a message is sent to the categorizer, it is sent to the pre-submission queue where it is scanned for viruses or verified against the GAL.

Registering The Per User Journaling Event Sink. This event sink provided will forward a copy of all messages sent to your designated recipient to another mailbox such as your admin.

All files are available for download with instructions by going to homepage msexchangetips.blogspot.com go to "Chong Man's Resources" under links which will take you to my ftp site. Go to James Chong Scripts directory and you will find the 2 files included to run this process.

ftp://ftp://ftp.smtp25.org//[ James Chong Scripts ]

1. SMTPReg.vbs
2. smtpjrnl.vbs

1. Create a directory on your C: drive called Journal. (Or anywhere you wish)

2. You will need the SMTPReg.vbs. Although I downloaded the Exchange SDK, this file was not included. However, I was able to locate it here. In the link, you will need to copy all the code in the [smtpreg.vbs Event Management Script] and paste it into notepad. Name this file as smtpreg.vbs and paste it into your C:\Journal directory.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/smtpevt/html/6b7a017e-981e-45a1-8690-17ff26682bc7.asp

3. Open notepad and copy the entire contents below and name this file smtpjrnl.vbs

script language="VBScript"

Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus ) on error resume next Dim RecpList recplist = LCase(Msg.EnvelopeFields("http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist")) recplist = recplist & "SMTP:admin@yourdomain.com;" Msg.EnvelopeFields("http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist") = recplist Msg.EnvelopeFields.update

End Sub

/script

4. In the recplist = recplist & "SMTP:admin@yourdomain.com;"
Enter the SMTP address in which you would like all of the forwarded emails to go to. (Include the quotes)

5. Open command prompt. Go to Start --> Run, type cmd, ok
CD CD journal

cscript smtpreg.vbs /add 1 onarrival smtpjrnl CDO.SS_SMTPOnArrivalSink "Rcpt to=internaluser@yourdomain.com"

(Note: This will forward any emails sent to your internal user or public folder SMTP address here to the SMTP address you specified in step 4)

6. If you wish to customize it so that mail from a particular domain say anything from hotmail sent to internaluser@yourdomain gets forwarded to admin@yourdomain.com, change the code in step 5 to: "Rcpt to:internaluser@yourdomain mail from:user@hotmail.com")

Now you will need to associate smtpreg.vbs to your smtpjrnl.vbs sinkcscript. Type the following command below in your command prompt.

smtpreg.vbs /setprop 1 onarrival smtpjrnl Sink ScriptName c:\journal\smtpjrnl.vbs

Note: If you receive Binding Dispaly Name Specified: smtpjrnlFailed to find binding with dispaly name: smtpjrnl, re-enter the command below. Note the smtpjrnl.vbs in the first line. It appears that there is a bug, sometimes it registers with out the .vbs other times it doesn't.

cscript smtpreg.vbs /setprop 1 onarrival smtpjrnl.vbs Sink ScriptName c:\journal\smtpjrnl.vbs

7. Test by emailing to internaluser@domain.com from an outside account. It should be forwarded to admin@yourdomain.com. There is a limitation to this. When sending internally, if the internaluser@domain.com and admin@yourdomain.com exists on the same Exchange server, it will not work even with public folders. This is by design. You can circumvent this if you use a frontend server that handles all your inbound mail and forwards to your backend Exchange servers.

8. To remove the event sink. Go to your command prompt. From your C:\Journal directory type the following command:

cscript smtpreg.vbs /remove 1 onarrival smtpjrnl

1 = SMTP Virtual Service
onarrival = sink class
smtpjrnl = sink name

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Is a Windows Disk Level Defrag Required?

2006-08-20T15:51:00.000-07:00

Summary:

In some instances, I've seen a partition in which Windows reported the partition as severely fragmented. The partition only contained the Exchange database and no other files. So the question is, do we and can we perform a Windows file level defrag?

Answer:

This answer is directly from Microsoft PSS.

"Based on your inquiry, I understand that you need to know if it is recommended to do a disk level defrag on an Exchange server. If I have misunderstood your concerns, please let me know.

According to your question, I'd like to point out that you can perform a disk level defrag on an Exchange server. However, if the disk holds only Exchange Server databases, it is not necessary to do disk-defragment because Exchange can do it internally. You may want to defrag the disk in order to improve the performance, but you may not see the result that you expected. Exchange uses and releases pages inside the database directly regardless the disk fragmentation. Exchange defragment is a file level defrag. Exchange online defragment will rearrange the data but not release the fragmentation space. Exchange offline defragment will rearrange the data and then release the free space. Therefore, the Exchange offline defragment is recommended. Anyway, you can do a disk level defrag after Exchange defragment if you want to do."

Best Regards,

Support Professional
Microsoft Professional Technical Support

Here is another article on MSExchangeteam blog that goes over this as well. I would consider reading this article as well, as it goes over some caveats when performing disk level defrags.

http://msexchangeteam.com/archive/2004/10/25/247342.aspx

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Windows: Audit Changes Made to File Folders or Registry

2006-08-20T15:42:00.000-07:00

Summary: This article will delve into auditing changes such as: Changing attributes, writing to, deleting, moving so it can be traced back to a process or user...

To track a Process or User that may be making modifications to a File Folders and Registry, perform the task below.

Caution: This degree of auditing will put a performance hit on the box.

To set up the local policy to Audit Process Tracking:
=====================================
1) Click Start then Run then type
"gpedit.msc" (without the quotes)
2) This will execute the Group Policy Object
3) Expand the following:
+Computer Configuration
+Windows Settings
+Security Settings
+Local Policies
+Audit Process Tracking
4) Under 'Audit these attempts' place a check on
- Failure
- Success
5) Once the policy has been set, run the following command to apply the policy
For Windows 2000: Secedit /refreshpolicy
For Windows XP or 2003: Gpupdate.exe

To set up the local policy to Audit Object access:
=====================================
1) Click Start then Run then type
"gpedit.msc" (without the quotes)
2) This will execute the Group Policy Object
3) Expand the following:
+Computer Configuration
+Windows Settings
+Security Settings
+Local Policies
+Audit Policy
4) Under 'Audit Policy' doubleclick 'Audit Object Access'
5) Under 'Audit these attempts" place a check on
- Failure
- Success

Auditing the registry
=====================================
1) Call up Regedt32 and browse to the key you want to audit
2) Windows 2000: Click the 'Security' menu and select 'Permissions'
Windows 2003/XP Click the 'Edit' menu and select 'Permissions'
3) Click the 'Advanced' button
4) Select the 'Auditing' tab and click the 'Add' button
5) Add the 'Everyone' group and click 'OK'
6) The resulting "Auditing Entry for " dialog box appears
7) In the "Apply onto" drop menu, select "This key and subkeys"
8) Choose the actions you want to audit for... commonly we want to track
changes to the registry... so we'll want to place a check on the following:
'Set Value' Successful and Failed
'Create Subkey' Successful and Failed
'Delete' Successful and Failed
9) Click OK
10) Clear the checkbox on "Allow inheritable auditing entries from parent to propagate to this object"
11) Click OK then OK again to exit
Auditing files or folders

=====================================
1) In Explorer.exe browse to the file or folder you want to audit
2) Click the 'Security' menu
3) Click the 'Advanced' button
4) Select the 'Auditing' tab and click the 'Add' button
5) Add the 'Everyone' group and click 'OK'
6) The resulting "Auditing Entry for " dialog box appears
7) In the "Apply onto" drop menu, select "This folder, subfolders and files"
8) Choose the actions you want to audit for...
For example, if attributes are being changed or files are being deleted
Place check marks under the following:
'Write Attributes' Successful
'Write Extended Attributes' Successful
'Delete Subfolders and Files' Successful
'Delete' Successful
'Change Permissions' Successful
9) Click OK
10) Clear the checkbox on "Allow inheritable auditing entries from parent to propagate to this object"
11) Click OK then OK again to exit

The Security Event log will reflect the following:
=====================================
Event ID of 560 and 562 detailing User audits
Event ID of 592 and 593 detailing Process audits

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: NDR 571 - MAIL REFUSED - Reverse DNS failed; cannot resolve the domain in the HELO command

2006-08-20T15:17:00.000-07:00

Summary:

You receive the following NDR when sending to a third party domain:

Your message has encountered delivery problems
to the following recipient(s):

user@externaldomain.com
Delivery failed
571 - MAIL REFUSED - Reverse DNS failed; cannot resolve the (yourmailserverhostname.domain.com) domain in the HELO command.

You verify that your domain does indeed have a Reverse DNS Record.

Cause:

The third party domain is performing HELO lookups, also known as forward DNS lookup. When initiating a SMTP session with a third party domain, the domain validates your domain name by performing a forward check, Domain to IP rather than IP to Domain in reverse DNS lookups. If you designed your DNS namespace for Active Directory and chose a namespace different than your public domain name ie. company.local, your Exchange server by default will advertise as HELO I'm hostname.company.local. The third party domain will attempt to lookup company.local in DNS and will fail and thus reject your E-Mail.

Resolution:

1. Open Exchagne System Manager. Navigate to Administrative Groups, Site, Servers, Servername, Protocols, SMTP, Default SMTP Virtual Server,

2. Highlight Default SMTP Virtual Server, right click properties.

3. Go to the Delivery Tab, and click Advanced Button.

4. In the "Fully-qualified domain name: field, enter your fully qualified external domain name. Click Check DNS to verify that it resolves.

5. Restart SMTP service.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Your message has been delayed I/O error encountered

2006-08-20T15:09:00.000-07:00

Summary:

Users are receiving the following Non Deliverable Message (NDR)when sending to third party domains:

Your message has been delayed and is still awaiting delivery to the following recipient(s):

Users@externaldomain.com
Message delayed

I/O error encountered

Cause:

In this instance, users were reporting that messages sent to Gmail were being delayed anywhere from hours to days. When telneting to Gmail's mail servers, sometimes it would accept the connection and would allow our server to send mail. However, other times I would receive "Connection lost" immediately. The issue at hand was that this organization sends bulk email to many third party domains.(Not SPAM) Gmail has a specific policy on bulk E-mailing. Therefore, Gmail will temporarily block your domain from sending too much bulk E-mail.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Understanding the Checkpoint File

2006-08-19T20:37:00.000-07:00

Summary:

Before I delve into the importance of the Exchange checkpoint file, I'll begin with a real life scenario that will elaborate the importance of the checkpoint file within Exchange. Company ABC implemented a new Exchange server and was put into production. However the database was lost for reasons beyond the scope of this article. Since this was just put into production and backups had not been performed yet, there was no way to restore the database.

Solution:

This is where the Exchange log files and checkpoint file come into play. Exchange log files records all transactions before they are written to the Exchange database. Transactions could be new messages, mailbox moves or any other type of data manipulation. So how can we restore the database? This is where the checkpoint file comes in. The checkpoint file keeps track of what how much data from the logs have been written to the database. These files are in the format E01.chk. Therefore to restore the database, you want delete the checkpoint files. When you mount a new database, the database will replay all the log files. Since there is no checkpoint, the Exchange database has no way of knowing where it last left off so it is forced to replay all the log files again.

For more information about Exchange logfiles and checkpoint file refer to KB article:

http://www.microsoft.com/technet/prodtechnol/exchange/guides
/UseE2k3RecStorGrps/d42ef860-170b-44fe-94c3-ec68e3b0e0ff.mspx?mfr=true

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: How to Configure Bulk Message Restrictions on DL's Using Admodify

2006-08-19T17:46:00.000-07:00

Summary:

Restricting who has access to send to distribution lists or a particular user is a neat feature. For example, this comes in handy where you need to restrict who can send to a large distribution list or who can send to say a VP. However there is no native tools if you wish to configure restrictions on multiple Distribution lists or users at once. This can be accomplished by using ADMODIFY.

1. Download ADMODIFY

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/

2. Run Admodify and select all your DL's that you wish to perform restrictions on.

3. Once you have selected your DL's go to the custom tab. Select "Make a
Customized Attribute Modification" Attribute Name = Authorig,
Value= DN of user (Example:
CN=last\, first(Consultant),OU=Contractors,OU=Contractors,DC=HQ,
DC=Company,DC=net)

4. Open your DL's in ADUC and verify that the restrictions have been set.

The attribute for "From Authenticated Users Only" is msExchRequireAuthtoSendTo. If you would like to use this, enter this attribute in step 3 instead of Authorig.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Semaphore Timeout Period Has Expired

2006-08-19T17:36:00.000-07:00

Summary:

Messages are queued and in retry state to another Exchange server. When highlighting the queue in ESM, the queue information area reports Semaphore timeout period has expired.

Case 1:

Although there are multiple reasons that can cause this issue. My experience with this was that Mailguard was enabled on the PIX firewall between these Exchange servers. Enabling Mailguard on PIX will cause the remote Exchange server to not produce a valid SMTP banner. When telneting to the remote Exchange server, it produces something similar to the output below:

220******************************************************
*0*2******0***********************2002*******2***0*00

To correct this issue, consult the KB Article:

Cannot send or receive e-mail messages behind a Cisco PIX firewall
http://support.microsoft.com/?kbid=919091

Case 2:

I've also seen experienced this when on a system running Norton AV 9.X. Messages sent to another Exchange server running AV 9.X gets queued. When you perform a telnet session to the destination Exchange server running Norton AV 9.X, the message does not arrive at the destination Exchange server. To fix this issue, disable the Internet E-mail Auto-Protect scanner feature.

Outgoing e-mail to other internal Exchange servers is queued, and you receive an error message in Exchange Server 2003
http://support.microsoft.com/?kbid=919091

Case 3:

This may also be caused by black hole routers. On a TCP/IP-based wide area network (WAN), communication over some routes may fail if an intermediate network segment has a maximum packet size that is smaller than the maximum packet size of the communicating hosts--and if the router does not send an appropriate Internet Control Message Protocol (ICMP) response to this condition or if a firewall on the path drops such a response. Such a router is sometimes known as a "black hole" router.

How to Troubleshoot Black Hole Router Issues
http://support.microsoft.com/kb/314825/

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

BlackBerry: Users Cannot Send or Reply From Handheld

2006-08-19T15:15:00.000-07:00

Summary:

Blackberry users are able to receive messages to handheld but are not able to send or reply. When sending or replying to a message from the device, it produces an "X"

Cause:

In order to send or reply to messages using a Blackberry device, the BlackBerry service account must have "Send As" rights to the objects. If the user is unable to send or reply to messages, verify in ADUC that the BlackBerry service account has this right. In ADUC, find the user in question, and go to the security tab of this object. Verify that the BlackBerry service account has "Send As" right. In addition, if you recently applied Hotfix: 327825, this hotfix revokes any object that has "Send As" rights to objects that belong to any of the protected security groups.

• Administrators
• Account Operators
• Server Operators
• Print Operators
• Backup Operators
• Domain Admins
• Schema Admins
• Enterprise Admins
• Cert Publishers

Therefore, if your BlackBerry user is a member of any of these protected groups, your user will not be able to send or reply to messages using the device. To cirumvent this, it is recommended that you create separate accounts for your admins when performing administrative tasks. For example, use a convention such as ZZ-jdoe for their administrative account. For more information, consult the following KB article: http://support.microsoft.com/kb/907434/en-us

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Managing SMTP and IIS Log Files via Script

2006-08-19T07:55:00.000-07:00

Summary:

Exchange can can log a number of transactions such as SMTP, IIS, or Message Tracking. These logs play an important role in troubleshooting, trending as well as a number of other things. However, Exchange or IIS does not provide an option to automatically purge SMTP or IIS logs. In this article, I will provide an example to manage these log files.

Procedure:

Since you want to always keep a copy of your log files, for example 30 days worth before purging them, what this script will do is first move all log files from the directory you specify to another partition E:\logs that are older than 30 days, then delete any log files older than 60 days from E:\logs.

1. Create a folder in C:\scripts (Or anywhere you want to designate)

2. Download WaRmZip from SoureForge. http://sourceforge.net/project/showfiles.php?group_id=88417&package_id=99571 Download file to C:\scripts

3. Open notepad and enter the following:

:: movelogs.bat
:: moves log files from the directory you specify below
::
@ECHO OFF

C:
CD\scripts\waRmZip16

waRmZip.wsf /r /q "C:\logs" /ma:30 /md:E:\Logs_Old

This script will move any log files older than 30 days from C:\logs to E:\logs_old folder. You will need to modify this line to point to where your SMTP or IIS logs are and your destination path. Save this file as movelogs.bat

4. Open notepad and copy the following:

:: deletelogs.bat
:: Delete logs older than 60 days to run every 60 days.
::
@ECHO OFF

C:
CD\scripts

waRmZip.wsf /r "E:\Logs_Old" /da:60 /df /q

Save this file as deletelogs.bat

5. Now go to scheduled tasks and schedule movelogs.bat to run monthly and deletelogs.bat to run every 60 days.

Note: Ensure you test this using test directories before implementing them into production. I have also provided these files on "Chong Man"s Exchange Resources" under links.

James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

PFDAVAdmin: Using Custom Bulk Operation

2006-08-15T12:30:00.000-07:00

Summary:

PDAVAdmin 2.6 introduces a new feature which allows you perform bulk customizations on Public Folders using LDAP filters. I ran into a scenario in which an environment had created a Public Folder infrastructure in which all folders were created at the root level. This makes it difficult to choose a top level folder to propagate permissions. For example, if you wanted to add a user to have rights to all folders, you would have to perform this individually because there there no root folder to propagate down from. In this scenario, I was able to use PFDAVAdmin 2.6 to perform a bulk operation on the virtual Public Folder tree to add this user and propagate the permissions to all Public Folders.

To be safe, I would recommend exporting your permissions so that you will have a backup.

1. Download PFDavAdmin utility.

49e3-ada4-e2422c0ab424&DisplayLang=en>

2. Launch PFDAVAdmin by double clicking on the file; PFDavAdmin.exe

3. On the File menu, select Connect.

The "Connect" dialog will now appear as shown below.

a. In the Connect dialog box, enter the name of the Exchange
server the mailboxes reside on.

b. Check the "Authenticate as currently logged on user"
checkbox.

c. Select "Public Folders" under Connection and click OK.

4. Make sure Public Folders is highlighted at the root. On the Tools menu, select Options. Check the "Enable logging to file" checkbox and click OK.

The "Options" dialog box will now appear as shown below.

Make sure that the box labeled; "Enable logging to file", is
checked.

Make sure that the box labeled; "Enable extended logging",
is unchecked.

If you wish to backup your permissions first, go to Tools, menu, select export permissions, select all Public Folders, and choose XML as your format. You can use this file to import back in, in the event that your permissions get corrupted.

5. On the Tools menu, select Custom Bulk Operation.

a. Base Folder: Public Folder

b. Overall Filter: (&)(This default settings selects everything)

c. Operations: Click Add. Select Folder Permissions and click Ok.
Action set to merge. Select Permissions now, click Select button.
You will be prompted with a dialog "You will be presented will a
permissions diaglog you can use to configure permissions" Click Ok.

d. Click Add. Enter user name in the field and click search. Click Ok.
Give the user the appropriate permissions. Click Ok. You will be
presented with with a dialog "You will not be presented with a
permissions dialog to selecte entities that will be removed" If you
wish to remove users, you can from this procedure. Click Ok. If you
do not wish to remove anyone, Click ok. Click Ok once more. This user
that you added will now be propaged to all Public Folders.

James Chong
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Free/Busy Not Available After Mailbox Move

2006-08-10T19:12:00.000-07:00

Summary:

After migrating mailboxes to another Exchange server, Free/Busy information may not be available. Viewing this user's Free/Busy, produces slashes with no information.

Solution:

Try running Outlook.exe /cleanfreebusy first. If you moved the mailbox across administrative groups, you will need to use the Exchange Profile Update Tool which you can download here http://support.microsoft.com/?kbid=873214. If you are also trying to query free/busy information from users across sites, try putting a local replica of that site's free/busy. If all fails, try deleting the PR_FREEBUSY_ENTRYIDS for the affected users MB using MFCMAPI.

Download MFCMAPI

1. Download MFCMAPI, also known as MAPI Editor. http://www.microsoft.com/downloa
ds/details.aspx?FamilyID=55FDFFD7-1878-4637-9808-1E21ABB3AE37&displaylang=en

2. Launch MFCMAPI application. Click OK at the Microsoft Exchange Server MAPI
Editor window. Click Session, and select Logon and Display Store Table.

3. You will now be prompted to create a profile. Note, you must be logged in
with an account that has full rights to your Exchange server, otherwise you will
receive the following error message below when we open the temp table.

Error:
Code: MAPI_E_FAILONEPROVIDER === 0x8004011D
Function
File f:df7830extestsrcmfmapimapistorefunctions.cpp

4. Once logged in, click MDB, and select Get Mailbox Table. A new window display
opens "Server Mailbox Table" From here, you can select the server name you wish
to work with. Select default settings and click OK.

5. You will now see all mailboxes enumerated. You will need to locate the user
that whos Free/Busy is not available.

6. Once you have double clicked the mailbox, highlight Root Container.

7. In the right pane, locate PR_FREEBUSY_ENTRYIDS, right click and select
Delete Property.

8. Expand Top of Information and highlight Inbox.

9. In the right window, if there is a property name of PR_FREEBUSY_ENTRYIDS,
right click on it and choose Delete Property

10. Exit out of MAPI Editor.

11. Go to start run, Outlook.exe /cleanfreebusy on the mailbox

James Chong
MCSE |M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Exporting Mailbox Properties Using PfdavAdmin

2006-08-10T18:50:00.000-07:00

Summary:

Microsoft's Pfdavadmin utility is a popular utility used to facilitate migrating public folder replicas or saving permissions. However, Pfdavadmin offers several other features. For example, Pfadavadmin can be used to export mailbox attributes and properties. One useful scenario I came across was to export total item counts for user's mailbox. It is well known that MAPI client experience is dictated by the total number of items within a mailbox rather than the mailbox size. A large item count can cause user's to receive, "Outlook is requesting data." Although this utility can be used to export many attributes or properties, this article will show an example of export user's total item count.

To get a listing of the number of mail items for each folder within each
mailbox, follow the steps below:

1. Download PFDavAdmin utility.

49e3-ada4-e2422c0ab424&DisplayLang=en>

2. Launch PFDAVAdmin by double clicking on the file; PFDavAdmin.exe

3. On the File menu, select Connect.

The "Connect" dialog will now appear as shown below.

a. In the Connect dialog box, enter the name of the Exchange
server the mailboxes reside on. You do not have to specify GC.

b. Check the "Authenticate as currently logged on user"
checkbox.

c. Select "All mailboxes" under Connection and click OK.

4. On the Tools menu, select Options. Check the "Enable logging to file"
checkbox and click OK.

The "Options" dialog box will now appear as shown below.

Make sure that the box labeled; "Enable logging to file", is
checked.

Make sure that the box labeled; "Enable extended logging",
is unchecked.

5. On the Tools menu, select Export Properties.

The "PropertyExportForm" will now appear as shown below.

a. Select "All folders".

b. Create an Output File such as c:\ItemCount.txt by
clicking on the Ellipse button, "..."

The "Save As" dialog box will now appear as shown below.

Browse to the folder where you want to save the file.

Enter the file name, "itemcount" and select "Text file
(*.csv)" as the "Save as type".

Finally click on the Save button to create the export file.

c. Check the following Properties to export:

PR_CONTENT_COUNT : 0x36020003

PR_DISPLAY_NAME : 0x3001001E

PR_FOLDER_PATHNAME : 0x66B5001E

6. Click on the button labeled, "OK".

PFDavAdmin will start to process all of the folders within the mailbox
and will display a progress bar.

When the Export Properties process completes you will see the screen
below;

Simply close this dialog box and exit out of the PFDavAdmin utility.

James Chong
MCSE | M+, S+, MCTS, Security+
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Using MFCMAPI To Delete Exchange Temp Table

2006-08-09T19:52:00.000-07:00

Summary:

Duplicate messages are not only a nuisance but can be difficult to troubleshoot. Although there are several reasons why duplicate messages can occur, one known issue is caused by messages that are stuck within the temp table within the Exchange store. Temp tables are temporarily holding places within the Exchange store where messages are constructed. This can be caused by several reasons such as your AV application. This article will discuss how to delete the temp table so that duplicate messages are not re-generated. The process below will delete the temp table and create a new one.

Evan Dodds (Exchange MVP) does a great job explaining in depth about the temp table.
http://blogs.technet.com/evand/archive/2004/12/27/332752.aspx

You can also find additional info from MS Technet. http://www.microsoft.com/technet/prodtechnol/exchange/2003
/insider/Special_Mailboxes.mspx

When troubleshooting duplicate messages, note the message ID. This is critical in determining whether the original message is duplicating itself or if a client is possibly re-sending messages possibly due to a virus infection. Therefore, examine the headers at least two duplicate messages to examine the message ID. This article is assuming the message ID is the same and is stuck within the Exchange temp table. Note that deleting the temp table will delete any messages yet to be processed or queued. Therefore, perform this during non production hours.

Resolution:

1. Download MFCMAPI, also known as MAPI Editor. http://www.microsoft.com/downloads/details.aspx?
FamilyID=55FDFFD7-1878-4637-9808-1E21ABB3AE37&displaylang=en

2. Launch MFCMAPI application. Click OK at the Microsoft Exchange Server MAPI Editor window. Click Session, and select Logon and Display Store Table.

3. You will now be prompted to create a profile. Note, you must be logged in with an account that has full rights to your Exchange server, otherwise you will receive the following error message below when we open the temp table.

Error:
Code: MAPI_E_FAILONEPROVIDER === 0x8004011D
Function
File f:\df7830\extest\src\mfmapi\mapistorefunctions.cpp

4. Once logged in, click MDB, and select Get Mailbox Table. A new window display opens "Server Mailbox Table" From here, you can select the server name you wish to work with. Select default settings and click OK.

5. You will now see all mailboxes enumerated. You will need to locate the SMTP(Servername --GUID) mailbox. Note there can be more than one depending on how many stores you have. Therefore you will need to perform step 6 on the remainding SMTP (Servernam --GUID) mailboxes.

6. Once you have double clicked the mailbox, expand Root Container. You will see TempTable#. Highlight this, go to Actions menu and select delete folder. In the Deleted Selected Folder Window, check "Hard Deletion" and click OK. Right click your Root Container and select Refresh View. Your TempTable# should not appear. Repeat this step for all SMTP (Servername --Guid) mailboxes you have. Once complete, restart your IIS server. This will re-create your TempTable#.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

BlackBerry Enterprise Server: Users Not Receiving Messages to Handheld After Mailbox Moves

2006-08-07T11:47:00.000-07:00

Summary:

BlackBerry server maps user mailboxes by using a process called worker treads. Each worker tread is cable of handling multiple mailboxes. Each BES server is capable of handling 100 worker treads and up to 2000 users. Blackberry version [4.0.4.5], is capable of mapping worker treads back to a user mailboxes when a mailbox gets moved to a different store by scanning the GAL for changes in the Server DN.BES users may not receive messages to their handheld device after a mailbox move if the MAPI32.DLL version is not consistent on your BES servers and Exchange servers.

Note:

Mailbox moves within the same server are not updated by BES and thus messages will not be received by handheld until BES services are restarted. This is because BES scans users mailboxes for changes in the Server DN. Since mailboxes are moved within the same server, BES is unware of the mailbox move. This is by design.

Cause:

BES servers must have the same DLL versions for the following files as your Exchange server otherwise BES will not be able to reflect the mailbox move and users will not receive messages to their handheld device. In addition, your Exchange server will also experience a memory leak if your Emsmdb32.dll version is also not consistent with your BES and Exchange server.

MAPI32.DLL
Emsmdb32.DLL
CDO.DLL

Resolution:

Update the following files on all your BES servers to match that of your Exchange server. Do not copy and paste these files, you must apply the entire service pack.

MAPI32.DLL
Emsmdb32.DLL
CDO.DLL

Additional References:

Support - Memory leak causes ERR_RESOURCE_ALLOC error and truncated device message

Last Updated: 10 April 2006
Article Number: KB-03665

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Active Directory: Scavenging Best Practices

2006-08-07T11:05:00.000-07:00

Summary:

I recently came across an environment in which an Exchange Bridgehead were queueing Email to remote sites. ESM queue would report, "Could not connecto to destination server in DNS." When performing nslookup on the remote servername name it would fail to produce the record. After manually adding the record, mail flow would resume.

Cause:

In this instance, records were being scavenged. This was caused by multiple servers in the Domain having scavenging configured and replication delays and possibly unreliable links possibly causing the record to purged.

Resolution:

Scavenging best practices includes only setting scavenging on one server in the domain, otherwise, you can end up with many underlying issues including Active Directory replication problems. In addition, set your servers to be static hosts so that they are not eligible to be scavenged.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: ESM Missing Public Folder Tree

2006-08-06T20:13:00.000-07:00

Summary:

When expanding ESM, your public folder tree is missing, however users can navigate through the public folder tree in Outlook.

Cause:

You are missing your "msexchpftree" attribute in your configuration partition in Active Directory. Verify that CN=Public Folders exists in the following path:

From ADSI edit,
CN=Services,CN=Microsoft Exchange,CN=ORGANIZATION,CN=Administrative
Groups,CN=administrative_group,CN=Folder Hierarchies, (CN=Public Folders should exist)

Resolution:

From ADSI edit, navigate to CN=Services,CN=Microsoft Exchange,CN=ORGANIZATION,CN=Administrative
Groups,CN=administrative_group,CN=Folder Hierarchies. What you need to do is right click your CN=Folder Heirarchies and click new object and select msexchpftree. Enter Public Folders as the CN name, click next and click more attributes. Enter the Distinguished name CN=Public Folders,CN=Folder Hierarchies,CN=First Administrative
Group,CN=Administrative Groups,CN=MSexchange911,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=Domain,DC=net
Copy this distinguished name as you will need to paste it into another attribute. Click OK. Now you will need to locate your public folder store in ADSIEDIT.

Microsoft Exchange -> Org name -> Administrative Groups ->
First Administrative Group -> Servers ->
Server
name -> Information Store -> First Storage Group
On the right pane, go to the properties of the "public folder store". Select the property to view: "msExchOwningPFTree" and paste that DN from earlier, click OK. Verify that the public folder tree is now visible in ESM.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com
How useful was this article? Want to see a tip not listed? Please leave a comment.

Using Outlook Redemption to By Pass "A Program is trying to automatically send e-mail on your behalf"

2006-08-01T19:54:00.000-07:00

Summary:

In Outlook SP2 and later versions, any application that tries to send e-mail is blocked to prevent the malicious propagation of viruses and worms. This article will provide a sample code using Outlook Redemption to bypass this security warning. This article will use Glen Scales "Message Tracking Logs Reports Script" as a sample in which mailbox reports is emailed using an Access Macro. First and foremost, I would like to thank and credit Glen Scales for this terrific script as it has come to be useful in my instances.

The first portion of this script is using Glen's Message Tracking Log Reports, which imports Exchange's Message Tracking logs into an Access Database. From here, I will use one of the custom Access queries included to email the report out while bypassing the "A Program is trying to automatically send e-mail on your behalf" warning message produced by Outlook.

Download Glen's Message Tracking Log Reports from:

http://www.outlookexchange.com/articles/glenscales/mtrackrs.asp

In this instance I have modified his script to only pull two user accounts from the message tracking log rather than the entire log file. Therefore I have edited this portion of the script:

size1 = objExchange_MessageTrackingEntry.size
If (RecipientAddress1 = "User1@mydomain.com") Or (RecipientAddress1 = "user2@mydomain.com") Then

wtowrite = "('" & condate(odate) & "','" & formatdatetime(odate,4) & "','" & ClientIP & "','" & EntryType & "','" & RecipientCount & "','" & replace(SenderAddress,"'","") & "','" & replace(RecipientAddress1,"'","") & "','" & left(replace(subject,"'"," "),254) & "','" & size1 & "')"
sqlstate1 = "INSERT INTO TrackingLogRaw ( [Date], [Time], [client-ip], [Event-ID], NoRecipients, [Sender-Address], [Recipient-Address], [Message-Subject], [total-bytes] ) values " & wtowrite
Cnxn1.Execute(sqlstate1)
End If
next
Next

Cnxn1.close

If you wish to pull all records use his orginal script in the link provided above.

1. Follow the instruction on Glen's site to implement the script.
2. Once you have implemented the script and is running,(verify that your trackinglograw has been populated) download Outlook Redemption.
http://www.dimastr.com/redemption/ Outlook Redemption provides extended objects to bypass the Outlook security warning.
3. Once you have installed Outlook Redemption, we will create a new module in Access. Click Module and select new. Paste the following code:

Option Compare Database

'------------------------------------------------------------
' Macro24
'
'------------------------------------------------------------
Function Command400_Click()
DoCmd.OutputTo acQuery, "Display-time-use", "HTML(*.html)", "C:\track" & Format(Date, "yymmdd") & ".html", False, "", 0
Set SafeItem = CreateObject("Redemption.SafeMailItem")
' create the Outlook session
Set objOutlook = CreateObject("Outlook.Application")
Set objNS = objOutlook.GetNamespace("MAPI")
objNS.Logon
' create the Message
Set objOutlookMsg = objOutlook.CreateItem(olMailItem)
SafeItem.Item = objOutlookMsg
With SafeItem
.to = "emailadmin@mydomain.com"
.Subject = "track"
.Body = "trackbody"
.Attachments.Add "C:\track" & Format(Date, "yymmdd") & ".html"
.Importance = 2 'High =2 low = 1
'.Display
.Save
.Send
End With

Set objOutlookMsg = Nothing
Set objNS = Nothing
Set objOutlook = Nothing
Set SafeItem = Nothing

End Function

4. This module runs the "Display-time-use" query in Access and saves it to C:\Track directory while appending current date, then emails the this file as an HTML attachment to the recipint specified in the .to field. Click the save icon and close.
5. In Access, go to Macros and click new. In the action drop down, select run code. In the Function Name towards the bottom, enter Command400_Click() File Save as Macro1. This Macro calls the Module created in step 4, so that the Macro can be scheduled as a task. Modules cannot be schedule and thus requires a Macro.
6. Now you can schedule a batch file to call this Macro. Create a batch file and enter the following:

CD C:\Program Files\Microsoft Office\OFFICE11msaccess.exe c:\Trackinglog.mdb /x macro1
exit

7. Run this batch file to test.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

How useful was this article? Want to see a tip not listed? Please leave a comment.

Exchange: Event ID 508 "Information Store A request to write took an abnormally long time"

2006-07-08T10:20:00.000-07:00

Summary:

Event ID: 503 Application ESE. Information Store (8260) EX3-SG4: A request to write to the file "P:\EX3-SG4-MB1\EX3-SG4-MB1.edb" at offset 336986112 (0x0000000014160000) for 4096 (0x00001000) bytes succeeded, but took an abnormally long time (66 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem. For more information, click http://www.microsoft.com/contentredirect.asp

Cause #1

This is likely due to excessive disk checking on a hard drive.

Resolution: Examine your hardware vendor's Event log to check for excessive disk checking and replace disk according to vendor's specification.

Cause #2

In some instances this is due to eseutil running during backup process to verify integrity of the backup. I've seen this on an Exchange server that was running Veritas to snapshot the Exchange database and this would occur when Veritas would perform eseutil to verify the integity of the database which is a very disk I\O intensive.

Resolution: Run performance baseline to check out disk I\O

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com