Monthly Archives: March 2009
Exchange Server Remote Connectivity Analyzer
This is not hot news, but I thought I'd post it anyway. With EXRCA you can test various services, such as ActiveSync, Autodiscover and inbound SMTP, from the Internet. It gives you detailed information about any setup issues, which is a great help when troubleshooting. Future additions to the EXRCA will be OWA, POP, IMAP and EWS. For a more detailed description, please read the MS Exchange Team post linked below.
EXRCA website: https://www.TestExchangeConnectivity.com
MS Exchange Team post: http://msexchangeteam.com/archive/2009/03/25/450908.aspx
Update Rollup 7 for Exchange Server 2007 Service Pack 1
Download the update here:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=2074fefd-fa1a-4c3e-bf72-94585e454150
Detailed information is available here: KB960384
Secure your AD objects from deletion with Windows Server 2008
A nice feature introduced with Windows Server 2008 is the "Protect object from accidental deletion". If the checkmark is set, you will not be able to delete the object from AD manually or programmatically without first removing the checkmark.

When you try to delete the object with the checkmark set, you will be prompted with the following messages.
The permissions that are applied to the AD object when the checkmark is set are shown below
Please note that the functionality is only visible in the Windows Server 2008 Administration Tool. If you introduce a Windows Server 2008 Domain Controller into an environment where all the other DCs are Windows Server 2003 you will only be able to manage this functionality from the Windows Server 2008 Administration Tool.
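An added example (not from the original post) of auditing and enabling this protection from PowerShell instead of the GUI; it assumes the ActiveDirectory module that ships with the Windows Server 2008 R2 RSAT, and the OU distinguished name is a placeholder:

```powershell
# Added example, not from the original post: find OUs that lack
# "Protect object from accidental deletion", enable it, and show the
# Deny ACEs the checkbox writes. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 RSAT or later); the OU below is a placeholder.
Import-Module ActiveDirectory

function Get-UnprotectedAdObject {
    param([string]$SearchBase)
    # ProtectedFromAccidentalDeletion is derived from the Deny ACEs on the object
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'objectClass -eq "organizationalUnit"' `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

function Protect-AdObject {
    param([string]$DistinguishedName)
    Set-ADObject -Identity $DistinguishedName -ProtectedFromAccidentalDeletion $true
    # The checkbox adds Deny Delete + DeleteTree for Everyone on the object itself
    # (and Deny DeleteChild for Everyone on its parent). Show the object's entries:
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference -like '*Everyone*' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

$ou = "OU=Servers,DC=contoso,DC=com"   # placeholder for your environment
Get-UnprotectedAdObject -SearchBase $ou | ForEach-Object {
    Write-Host "Unprotected: $($_.DistinguishedName)"
    Protect-AdObject -DistinguishedName $_.DistinguishedName
}
```

Because the protection is nothing more than Deny ACEs, anyone who can edit the object's security descriptor can still remove it; the audit is what tells you when that has happened.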
Modifying AD attributes using Windows Server 2008
ADSIEdit is no longer needed for modifying AD attributes within a Windows 2008 domain. The Attribute Editor tab gives you the ability to modify the attributes directly on the AD object.
You will still need to use e.g. ADSIEdit or ADExplorer to modify the Schema and Configuration partitions.
Forefront for Exchange 2007 SP1 Rollup 3 Installation Error
I ran into a problem while installing KB951629 (Forefront for Exchange 2007 SP1 Rollup 3) on a Hub Transport Server which is installed on Windows Server 2008. On Windows Server 2003 I have never seen this problem.
I got this error message shortly after starting the update.

The installer then tried to undo the install, but it failed with the same error message. I then looked through the installed updates and found it there, but when trying to uninstall it from there I got the exact same error.
The following information was logged:
17.660: DoInstllation: UpdSpCommitFileQueue for FileQueue failed: 0xd
17.707: The data is invalid.
23.744: Message displayed to the user: The data is invalid.
23.744: User Input: OK
23.744: KB951629 installation did not complete. Select ‘OK’ to undo the changes that have been made.
29.157: Message displayed to the user: KB951629 installation did not complete. Select ‘OK’ to undo the changes that have been made.
Solution
After troubleshooting this for a while I found the solution. Actually it is quite simple.
- Stop and disable the "Windows Management Instrumentation" service
- Uninstall the update
- Install the update
- Enable and start the service
That’s it.
How to change cluster IP address in Windows Server 2008
In Windows Server 2003 it is possible to change the cluster IP address from the Cluadmin GUI. With Windows Server 2008 it is not possible to change the IP from within the GUI. You will have to use the cluster.exe command-line tool. Cluster.exe will show you more information, such as cluster groups and resources that are not shown in the Failover Cluster Management Console.
C:\>Cluster.exe group

Listing status for all available resource groups:

Group                Node            Status
-------------------- --------------- ------
Available Storage    W2K8CCR2        Offline
Cluster Group        W2K8CCR2        Online
MBX                  W2K8CCR1        Online

C:\>Cluster res

Listing status for all available resources:

Resource                                     Group            Node            Status
-------------------------------------------- ---------------- --------------- ------
CCR2/Mailbox Database (MBX)                  MBX              W2K8CCR2        Online
Cluster IP Address                           Cluster Group    W2K8CCR2        Online
Cluster Name                                 Cluster Group    W2K8CCR2        Online
Exchange Information Store Instance (MBX)    MBX              W2K8CCR2        Online
Exchange System Attendant Instance (MBX)     MBX              W2K8CCR2        Online
File Share Witness (\\W2K8CASHUB\FSM_MBX)    Cluster Group    W2K8CCR2        Online
First Storage Group/Mailbox Database (MBX)   MBX              W2K8CCR2        Online
IPv4 DHCP Address 1 (MBX)                    MBX              W2K8CCR2        Online
Network Name (MBX)                           MBX              W2K8CCR2        Online
Pub/Public (MBX)                             MBX              W2K8CCR2        Online

C:\>Cluster.exe res "Cluster IP Address" /priv

Listing private properties for 'Cluster IP Address':

T   Resource             Name                           Value
--- -------------------- ------------------------------ ----------------------
FTR Cluster IP Address   LeaseObtainedTime              1/1/1601 1:00:00 AM
FTR Cluster IP Address   LeaseExpiresTime               1/1/1601 1:00:00 AM
SR  Cluster IP Address   DhcpServer                     255.255.255.255
SR  Cluster IP Address   DhcpAddress                    0.0.0.0
SR  Cluster IP Address   DhcpSubnetMask                 255.0.0.0
S   Cluster IP Address   Network                        Public Network
S   Cluster IP Address   Address                        10.225.12.12
S   Cluster IP Address   SubnetMask                     255.255.254.0
D   Cluster IP Address   EnableNetBIOS                  2 (0x2)
D   Cluster IP Address   OverrideAddressMatch           0 (0x0)
D   Cluster IP Address   EnableDhcp                     0 (0x0)
To change the Cluster IP Address just use the following command.
C:\>Cluster.exe res "Cluster IP Address" /priv address=10.225.12.13
Exchange 2007 Resource Mailboxes
Resource Mailbox Overview
Resource mailboxes are specific types of mailboxes that can represent meeting rooms or shared equipment and can be included as resources in meeting requests. The Active Directory user that is associated with a resource mailbox is a disabled account. The different types of resource mailboxes in Microsoft Exchange Server 2007 are:
- Room mailbox: a resource mailbox that is assigned to a meeting location, such as a conference room, auditorium, or training room. Room mailboxes can be included as resources in meeting requests.
- Equipment mailbox: a resource mailbox that is assigned to a non-location specific resource, such as a portable computer projector, microphone, or a company car. Equipment mailboxes can be included as resources in meeting requests.
- Shared mailbox: a mailbox that is not primarily associated with a single user and is generally configured to allow logon access for multiple users. After a shared mailbox is created (by using the Exchange Management Shell), you must grant permissions to all users that require access to the shared mailbox. Even if this is not a resource mailbox, I mention it here because companies commonly use that kind of mailbox for collaboration or business needs.
Murat Gunyar has posted a great article on the Exchange team blog about resource mailboxes.
You can find it here: How to Create and configure a meeting room mailbox with Exchange Server 2007
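An added example, not from the original post or from Murat's article, showing the Exchange 2007 SP1 Management Shell commands for a room mailbox and a shared mailbox, with access granted to a security group rather than to individual users; all names, the database and the OU are placeholders:

```powershell
# Added example, not from the original post: create a room mailbox and a
# shared mailbox (Exchange 2007 SP1 EMS), grant a group access to the shared
# one, and verify who holds which right. All names below are placeholders.
$db = "MBX\First Storage Group\Mailbox Database"   # placeholder database
$ou = "contoso.com/Resources"                       # placeholder OU

# Room mailbox: the backing AD user account is created disabled.
New-Mailbox -Name "Conf Room 1" -Alias confroom1 -Room `
    -UserPrincipalName confroom1@contoso.com -Database $db -OrganizationalUnit $ou
# Let the room accept or decline bookings itself instead of via a delegate.
Set-MailboxCalendarSettings -Identity confroom1 -AutomateProcessing AutoAccept

# Shared mailbox: also a disabled account; nobody can open it until granted.
New-Mailbox -Name "Helpdesk" -Alias helpdesk -Shared `
    -UserPrincipalName helpdesk@contoso.com -Database $db -OrganizationalUnit $ou

# Full Access lets the group open the mailbox (granted to a group, so
# membership changes do not require touching the mailbox again) ...
Add-MailboxPermission -Identity helpdesk -User "CONTOSO\Helpdesk Staff" `
    -AccessRights FullAccess -InheritanceType All
# ... but Send-As is a separate AD extended right, not implied by Full Access.
$dn = (Get-Mailbox -Identity helpdesk).DistinguishedName
Add-ADPermission -Identity $dn -User "CONTOSO\Helpdesk Staff" -ExtendedRights "Send-As"

function Get-SharedMailboxAccess {
    param([string]$Identity)
    $dn = (Get-Mailbox -Identity $Identity).DistinguishedName
    # Explicit Full Access grants, skipping inherited and built-in SYSTEM/SELF entries
    $full = Get-MailboxPermission -Identity $Identity |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' -and
                       "$($_.AccessRights)" -match 'FullAccess' }
    # Explicit Send-As grants live on the AD object, not in the mailbox ACL
    $sendAs = Get-ADPermission -Identity $dn |
        Where-Object { -not $_.IsInherited -and "$($_.ExtendedRights)" -match 'Send-As' }
    @{ Mailbox    = $Identity
       FullAccess = @($full   | ForEach-Object { "$($_.User)" })
       SendAs     = @($sendAs | ForEach-Object { "$($_.User)" }) }
}

Get-SharedMailboxAccess -Identity helpdesk
```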
Secure SMTP between Edge Transport and Hub Transport
One of the steps in connecting your Edge Transport Server is to export an Edge Subscription XML file once all your Edge Transport prerequisites are done. An explanation of these prerequisites is out of the scope of this article. Many things occur during the XML export and import process.
To export an XML, you would run the following command:
New-EdgeSubscription -FileName "C:\Edge.XML"
As stated, there are many things that happen during the export. Before running the above command, you want to ensure you have a certificate on your Edge Transport Server that is enabled for SMTP use. To check this, you can run the following command:
Get-ExchangeCertificate
You should see that your server has a self-signed certificate that lasts for one year and is enabled for SMTP.

When the XML file is exported, the private key stays in the local computer certificate store and the public key is written to the Edge Subscription file. When you then import the XML file on the Hub Transport, the Hub Transport stores a copy of this public key in Active Directory and uses Active Directory as a trusted storage mechanism to validate the Edge Transport's certificate. Vice versa, once your Hub Transport and Edge Transport are connected with each other, the Hub Transport sends a copy of its public key for the Edge Server to store in ADAM. Because of this, both servers can take advantage of TLS for the secure transport of SMTP.
You don’t have to use a self-signed certificate. If you don’t want your certificate to expire in one year and have to mess with it, you can use your own PKI cert or even a certificate from a 3rd party vendor.
Now what happens when you are approaching your certificate expiration date? Well, even if your certificate expires, mail will still flow. This is because our Transport servers use something called Opportunistic TLS. If you look at the Authentication tab of your connector, only Transport Layer Security will be selected. This is called Opportunistic TLS, which means that TLS is accepted and is the preferred method for communication, but TLS is not required. So even if your certificate expires, mail will still flow, but less securely, since TLS will no longer be usable.

As you can see, Transport Layer Security is selected. Opportunistic TLS means that any time a sending server attempts to issue a StartTLS, our Exchange server will accept TLS communications and encrypt the communications. By default, an Exchange 2007 Send Connector will attempt to issue StartTLS using the defined parameter IgnoreSTARTTLS which is set to 0 by default. In order to see the setting on your Exchange Servers, you can type the following command:
Get-SendConnector "SendConnectorName" | fl
If you look on your Hub Transport, you may think that you see a Send Connector there going to your Edge. This won’t be the case. A configuration object in Active Directory has a Site Association for an Edge Subscription. Because of this, mail flowing from a Hub Transport to an Edge Transport utilizes the hidden Intra-Organization Send Connectors.
You will, however, see the connectors that live on the Edge Transport Server. In reality, these Send Connectors for the Edge Server were created on our Hub Transport and live in Active Directory. They get pushed out to the Edge Server via EdgeSync replication. To force this replication, you can type the following command:
Start-EdgeSynchronization

You should then see your Send Connectors on your Edge Transport Server.

Now you can launch the Exchange Management Shell and run the Get-SendConnector command above on the connector which points to our Hub Transport Servers, which is the connector I highlighted. Run the following command:
Get-SendConnector "edgesync - inbound to default-first-site-name" | fl

As you can see, IgnoreSTARTTLS is set to False, which means our Send Connector will allow Mutual TLS to take place if the Receive Connector advertises StartTLS, which it does by default. So as long as your IgnoreSTARTTLS setting is False, Opportunistic TLS is enabled and your certificate is valid, Secure SMTP using TLS will work between your Hub Transport and Edge Transport Servers.
Now what happens when our certificate expires? Well, we can renew our certificate on our server. There are some good instructions here. The one difference is that instead of enabling the certificate for IIS, you enable it for SMTP.
Now don’t forget that earlier in this article, I talked about how the Edge Transport and Hub Transport trust each other’s certificates. Because we have a new certificate, we’ll have to re-subscribe our Edge Servers to our Hub Transport Servers. This way, our Hub Transport can receive our new certificate and store it in Active Directory for a Direct Trust.
If you ever introduce new Hub Transport servers, they will be able to send and receive mail securely thanks to the Intra-Org Send Connector and the use of Active Directory as a trusted storage mechanism, but these new Hub Transport Servers will not be able to participate in EdgeSync replication. To allow for this, your Edge Transport Servers will need to be re-subscribed, especially if you want the Edge Transport to be able to send mail securely to this new Hub Transport. That is because, as I stated before, part of the initial process of subscribing an Edge Transport is the Hub Transport placing its certificate into ADAM.
When you go to renew your Hub Transport certificates, a simple Start-EdgeSynchronization will take the Hub Transport certificates and place them into ADAM so the Edge Transport Servers will trust your Hub Transport Servers.
This article was originally published by Elan Shudnow.
http://www.shudnow.net/2008/08/20/secure-smtp-between-edge-transport-and-hub-transport
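The checks the article walks through (an SMTP-enabled certificate that has not expired, IgnoreSTARTTLS on the Send Connectors, TLS offered by the Receive Connectors) collected into one script, as an added example that is not part of Elan's article; it assumes the Exchange 2007 Management Shell on a Hub or Edge Transport server, and the $WarnDays threshold and the Edge.xml path are placeholders:

```powershell
# Added example, not from the original article: report whether the
# prerequisites for secure SMTP between Hub and Edge are actually in place.
# Assumes the Exchange 2007 Management Shell; $WarnDays is a chosen threshold.
function Test-TransportTls {
    param([int]$WarnDays = 30)
    $now = Get-Date
    $findings = @()

    # Services is a flags value ("IMAP, POP, IIS, SMTP"), so match on its text
    $smtpCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' }
    if (-not $smtpCerts) { $findings += "No certificate is enabled for SMTP" }
    foreach ($c in $smtpCerts) {
        $left = ($c.NotAfter - $now).Days
        if ($c.NotAfter -lt $now) {
            $findings += "EXPIRED: $($c.Subject) ($($c.Thumbprint)) on $($c.NotAfter)"
        } elseif ($left -le $WarnDays) {
            $findings += "Expires in $left days: $($c.Subject) ($($c.Thumbprint))"
        }
        if ($c.IsSelfSigned) { $findings += "Self-signed (one-year default): $($c.Thumbprint)" }
    }

    # A Send Connector with IgnoreSTARTTLS=True never attempts TLS, even when
    # the receiving side advertises STARTTLS.
    Get-SendConnector | Where-Object { $_.IgnoreSTARTTLS } |
        ForEach-Object { $findings += "Send Connector ignores STARTTLS: $($_.Name)" }

    # Opportunistic TLS on the receiving side requires Tls in AuthMechanism.
    Get-ReceiveConnector | Where-Object { "$($_.AuthMechanism)" -notmatch 'Tls' } |
        ForEach-Object { $findings += "Receive Connector without TLS: $($_.Name)" }

    if ($findings.Count -eq 0) { "OK: SMTP TLS prerequisites look healthy" } else { $findings }
}

Test-TransportTls -WarnDays 45

# After a new certificate is enabled for SMTP (Enable-ExchangeCertificate
# -Thumbprint <new thumbprint> -Services SMTP), re-subscribe the Edge so the
# Hub stores the new public key in AD, as the article describes:
#   Edge: New-EdgeSubscription -FileName "C:\Edge.xml"
#   Hub:  New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Edge.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
#         Start-EdgeSynchronization
```

Run it on the Hub and on each Edge, since each side only sees its own certificate store and its own Receive Connectors.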
Exchange 2007 Server Installation Guide Updates
The following updates were done to the installation guides: You can find all of the Installation Guides at http://technet.microsoft.com/en-us/library/cc533547.aspx.
Exchange 14 TAP program
Some of the features in the Exchange 14 RDP: Advancing the Outlook experience with a new threaded conversation view, filtering, integrated instant messaging, and new mobility features
Exchange 14 is the next incarnation of Microsoft’s email system and it certainly seems to be yet another great leap forward, as 2007 was over 2003. Microsoft’s entrance into the world of Software+Services means that Exchange 14 has been designed with cloud services in mind, making it the most scalable to date.
For a live demo of Exchange 14, visit the TechNet Edge Blog