Thursday, March 30, 2006

ADC-Global-Names and connecting to a NEW Active Directory

Greetings from California! I'm working on an Exchange 5.5 to Exchange 2003 migration. One of the sites had an Active Directory Connector installed and replicating data to a different Active Directory at one time. I knew this, but kinda spaced on it the first time I set up an Active Directory Connector Connection Agreement for that site. The mailboxes were not matching up with their correct user accounts in Active Directory.

I went in to Exchange 5.5 Administrator in raw mode (admin.exe /r) and found the ADC-Global-Names attributes were still populated from when an ADC had been used to replicate data to a different Active Directory. Ooopppss...

I had to clear this attribute for all user accounts in the AD. Knowledge Base article 319474 "How to Remove the ADC Global Names Attribute from Exchange 5.5 Server Recipients" has a good procedure for how to do this.

MAPI32.DLL error when installing Exchange 2003

I had a situation this week where I was helping a company do a complete re-install of Exchange 2003. They originally built a "green field" Exchange organization and were going to do an inter-organization migration, but later decided to install Exchange 2003 servers in to their existing organization. Long story, but essentially the in-place migration was going to be much less painful.

So, Exchange 2003 SP2 had to be uninstalled from the Exchange servers and then re-installed in to the existing 5.5 organization. Not a big deal (I have another blog entry to do about the ADC, though!)

When the Exchange 2003 setup was almost complete, a pop-up error started appearing indicating that the wrong version of MAPI32.DLL was in the \WINDOWS\SYSTEM32 folder. The error said:
Exchange detected that "C:\windows\system32\mapi32.dll" is not the correct version required to run Exchange System Manager or Exchange Server 2003. This may cause failures in Exchange System Manager, affect availability of your server, or both. For more information see Microsoft Knowledge Base article Q266418 at http://support.microsoft.com.

After the installation was complete, Exchange System Manager would not function properly and when I tried to upgrade to E2K3 SP2, choosing the "upgrade" option would tell me that Exchange 2003 had to be installed first.

I renamed the \windows\system32\mapi32.dll, took the MAPI32.DLL from the Exchange server CD-ROM (from the \setup\i386\exchange\bin folder) and copied it in to the \windows\system32 folder. That cleared up the problem. On the other servers that I had to re-install, I simply renamed the MAPI32.DLL file before starting the installation.

Tuesday, March 28, 2006

Notes Migraine is Complete!

One of my projects this month has been a Lotus Notes migraine (okay, maybe that should have said Lotus Notes Migration). I have helped move a 700 user organization from Notes to Exchange 2003 and Outlook 2003. On the whole, the user community is happy and they certainly like the web client and mobile options a lot better.

To migrate the calendar, contacts (Notes personal address books), and e-mail information, we used the Quest Migrator for Lotus Notes (formerly Wingra Notes Migrator). On the whole, I'm very happy with the results we got from Migrator; it did save us a lot of time and there are some good tricks you can use to tune it. We looked at using the latest Exchange tools, but were not happy with how the Calendar came across (as an SC2 file that the user had to manually migrate) and the personal address books did not come across at all. By the way, Quest has some of the best tech support in the industry. No hassles, no long queues or next-day call back times. I don't know if they are this way for all their products, but for Migrator for Lotus Notes, they were excellent.

We used the Lotus Notes Connector that comes with Exchange 2003 to do an initial directory sync. It creates mail-enabled contacts in the Active Directory; it does not match up attributes with existing users. I was not amused. However, Quest's Active Directory Object Merge Tool takes the mail-enabled contacts that were created by the Exchange connector's directory sync features and merges those with the corresponding user accounts. Of course, you have to create a mapping file (Users-to-Merge.TSV). I used the samaccountname as the search key and that worked fine.

For this customer, the user's personal address books (the names.nsf databases) were in each user's home directory. We relied on Migrator to scan the file system and match up the owner with the Tools->Preferences information or the names.nsf ACL information. It was not entirely accurate due to so many people being listed as Managers on those files. I strongly urge anyone in a similar situation to go ahead and include the direct path to each user's names.nsf file in the "Users-to-Migrate.TSV" file that you will build to do your migration.

I recommend also doing a FixUp and Compaction on each of the mail databases in order to reduce the possibility of mail database corruption. We had a lot of that.

We also had problems with encrypted messages. A lot of users would encrypt messages and not even realize it. Naturally, Notes does not know how to decrypt a user's encrypted messages. The IT staff here did not realize this until we had already started migration. Run a trial migration and see if this is the case. If so, see the IBM document "Removing encryption from all documents in a mail file" for more information on doing a "bulk decryption". Also, see "How to remove encryption from mail documents when converting licenses from North American to International" for additional information.

One of the challenges to this project was "scope creep". The scope changed frequently. This was partially because we were trying to figure out which applications (shared address books, shared calendars, discussion databases, etc...) needed to be moved in to Exchange and which needed to be moved to Sharepoint. We used a tool called the Proposion Portal Migrator to accomplish this. The tool did what it claimed to do and was pretty darned spiffy! We did not have all that many applications to migrate to Sharepoint, but the tool was still very valuable.

Another reason for "scope creep" was that most of the IT staff had never used Outlook and Exchange before. We had a 2-week pilot and that really was not long enough for the IT staff to get acquainted with Outlook 2003 and Exchange. In hindsight, the pilot should have been 6 - 8 weeks to give internal IT more time to figure out what the users need to be trained on and what they needed to know.

We decided early on in the process that only VIPs would get "all" of their mail. Everyone else would get only the last 4 months of mail and everything else would be available in a PST file for them. This was NOT a popular decision. Some departments make heavy use of their older mail (such as Accounting and Sales) so we had to go back and migrate their older data in to Exchange. This was simple to do with the Quest Migrator tool, but it was something we had to do "after the fact". Plus, a number of users immediately took to OWA and as such needed access to their older mail via OWA. So, for some folks we had to import older mail on a case-by-case basis.

The user community is very decentralized and PST access across the company's WAN is also not desirable, so the Help Desk had to talk people through copying the PSTs to their local hard disks if they needed to access historical information. This has been a small fraction of the company, but still something that needed to be considered.

We jumped back and forth between having resource calendars (such as conference rooms) in Sharepoint and in Exchange. In the end, we could not get the level of integration with Outlook that we wanted with Sharepoint, so at the last minute the resource calendars came back in to Exchange. We used Simpler-Webb's Exchange Resource Manager for calendar management; it is cheap and easy to use.

In the Outlook training, I think it is important to let the users know that Outlook is NOT Notes. There are similarities, but often Notes does something one way and Outlook does it a completely different way. Outlook is different (and as an e-mail client, IMHO much better). Don't try to mutate / customize / change Outlook until it works like Notes. You will be disappointed.

For best results with the migration console, dedicate a FAST machine with fast local disks on the same network segment as the Notes and Exchange servers. We migrated a lot of the historical e-mail (all mail prior to a certain date) starting two weeks before the migration. That way, we only had a small amount of data that had to be migrated on cut-over day. Cut-over day is when I added Contacts and Calendar information to the Migrator's configuration; we did not migrate that data in earlier passes of the Migrator tool.

Announcing Microsoft Exchange Server 2003 Advanced Administration

I'm pleased to announce the coming release of Exchange Server 2003 Advanced Administration. It will be available by May 1. This is NOT a new book, but it is the 2nd edition of Exchange Server 2003 24seven. Sybex has been bought by Wiley and they decided to re-brand the 24seven series as Advanced Administration books. This book consists of a lot of minor changes, making a few corrections, and adding some new information on spam prevention, virus detection, enhancements in Exchange 2003 SP1 and SP2, and some additional experiences I have learned from since the release of the original book. If you don't have the 24seven book, you can pre-order the book from Amazon. Hint, hint..... :-)

Battlestar Galactica 2.0 (First part of season 2 is out!)

I really do try not to get hooked on too much television. But, I usually don't have to worry about that because there is not too much good television to get hooked on in the first place. I recently spent some time catching up on the first season of Battlestar Galactica and found it surprisingly good. Now, I'm hooked! And the first part of Season 2 is now available, which is great because I have not seen most of Season 2 yet. Highly recommended even if you are not into SciFi; the stories are good. The first season DVD also includes the "new" 2-part TV mini-series. For laughs, after watching the new mini-series, go back and watch the original and see what a stark contrast the two different "visions" really are.




There are lots of special features. One of the things I found most interesting when the actors are talking is they talk about Edward James Olmos (an outstanding actor) and they refer to him as "Eddie". Somehow, I just can't see calling him Eddie. :-)

Monday, March 27, 2006

Exchange SMTP Virtual Server Smart Host configuration


Buried deep in the configuration of an Exchange 2000/2003 SMTP Virtual Server is the ability to configure a Smart Host. This is found on the Delivery Property page and by clicking the Advanced button.

Now, you may be wondering under what circumstance you would use this? After all, the SMTP Connector has a "smart host" feature also.

You would ONLY put a Smart Host on an SMTP Virtual Server in an organization with only ONE Exchange server. If you ever add a second Exchange server, you will NOT be able to send mail to it, since the Smart Host is probably not smart enough to forward mail between two Exchange servers in the same Exchange organization.

I recommend using an SMTP Connector to forward mail to a smart host. The reason I'm blogging this is that I have recently found some smaller organizations that were using the SMTP Virtual Server "smart host" option and they ended up with problems when they put a second Exchange server in to their organization. They wondered why they could not send mail to the mailboxes they had moved to the second server.

Why, by the way, would you have a "smart host"? You would use one if you have a separate SMTP system (such as virus inspection, content inspection, or an ISP SMTP server) that handles all of your outbound mail rather than letting the Exchange server deliver it directly. In all cases, using an SMTP Connector is better, because by the time you add a 2nd Exchange server to your organization (say, if you were upgrading your hardware), you will have forgotten about the SMTP Virtual Server smart host setting.

How to install root certificates on a Windows Mobile-based device - Updated KB 915840 article

It seems like every time I'm playing with Windows Mobile devices and need to enable ActiveSync, I never can find the procedure for how to import "home grown" root server certificates on to a Windows Mobile device. I usually need this because almost always I'm messing with Mobile devices on test or lab servers and I'm too cheap to pay for a real certificate. :-) By the way, IMHO, using home-grown, untrusted certificates for OWA or ActiveSync is a bad practice. You don't want your users in the habit of ignoring "untrusted certificate" warnings. Just my opinion, though. But, hey, GoDaddy.com is cheap, so you have no excuse for production stuff!

This may manifest itself on your mobile device with errors such as: INTERNET_45 or INTERNET_55. Microsoft just updated KB article 915840: "How to install root certificates on a Windows Mobile-based device" and I felt a link to this was blog-worthy. If nothing else, so it will make it easier for me to find.

Windows Mobile-based devices have the following trusted certificate authorities in their root certificate store already.
  • Class 2 Public Primary Certification Authority (VeriSign, Inc.)
  • Class 3 Public Primary Certification Authority (VeriSign, Inc.)
  • Entrust.net Certification Authority (2048)
  • Entrust.net Secure Server Certification Authority
  • Equifax Secure Certification Authority
  • GlobalSign Root CA
  • GTE CyberTrust Global Root
  • GTE CyberTrust Root
  • Secure Server Certification Authority (RSA)
  • Thawte Premium Server CA
  • Thawte Server CA
If you are going to implement ActiveSync to an Exchange Server 2003 mailbox, then you should use SSL and you must have trusted certificates on the Mobile device. If the certificate is not trusted, the device will not connect to the Exchange Server using ActiveSync.

See the KB article for instructions on where to download the SmartPhoneAddcert.exe utility and how to use it to install your certificate server's root certificate on to your Windows Mobile device.

For Windows Mobile 2002 and Windows Mobile 2003, you can alternately use the DisableCertChk.EXE utility to simply stop the checking of the trusted certificate.

By the way, the Windows Mobile Team blogged this last fall in their blog entry: How can I add root certs to my Windows Mobile 5.0 device?

Sunday, March 26, 2006

Exchange 12 Beta 1 problems with MMC 3.0

I'm catching up on my blogging today. If you have signed up for the Exchange 12 Community Technology Preview (CTP) and tried to install Exchange 12 recently, you will notice that the prerequisite link for installing the Microsoft Management Console 3.0 never goes away on the main setup page, even after installing the latest release of MMC 3.0. If you continue past this (or try to get sneaky and use the setup.exe command-line), it still informs you that you need MMC 3.0. You get an error like this:

Exchange Server '12' requires Microsoft Management Console 3.0.

This is because Exchange 12 Beta 1 is looking for an earlier release of the MMC 3.0 software and there is now a newer release. Nino Bilic blogged this recently on the Exchange Team blog and saved me from a number of hours of frustration. To fix this, you only need to create an empty Registry key. See Nino's blog entry "Resolving MMC 3.0 errors when installing Exchange 12 CTP release" for more information.

As for Beta 1, I'm under NDA (as are all people in the Beta 1 and CTP programs) and I take that seriously so I won't comment on anything that has not already been publicly disclosed by Microsoft. If you want to get a look at some of the new features such as LCR, CCR, Unified Messaging, Exchange Edge services (very cool!), the new server roles (Gateway, Bridgehead, Mailbox, Client Access), and, of course, Monad, then sign up for the Beta.

However, it is Beta code and thus is not as complete as a more refined and releasable version. If you are looking for something closer to the look and feel of the finished product, wait for Exchange 12 Beta 2 due out sometime in the summer. I have got 5 Exchange 12 servers running (in a VMWare environment) and have had some interesting fun, but I have not even tried running my home mailbox server (which only myself and my roommates use) yet with Exchange 12.

Wednesday, March 22, 2006

Am I the ONLY person in the world that is happy Windows Vista has been delayed?

[Please raise your "rant" shields]
I sure feel like the odd-man out when I read the "news" reporting that Windows Vista will be delayed a few more months. Forbes took the opportunity to knock Microsoft just in general. One "analyst" reported on Ziff-Davis' site that "This is not good for the whole industry..." IMHO, I will tell you what is not good for the PC industry, software that is not ready to be released. That hurts the consumer, the hardware manufacturers (that must support it), information technology, and even Microsoft.

If a product is not going to be ready to ship when ANY software vendor originally announced, no one should be throwing stones. The vendor is under tremendous financial and customer pressure to get software releases out the door. Pressuring them to meet an "expected" release date makes things no better. I would really like to see some of these analysts manage 50,000,000 lines of code and produce a secure, stable, marketable, and usable product.

I am quick to criticize Microsoft when I think they are due, usually when they release a product too soon or they cut features to make a ship date. I do, however, appreciate the complexity of software development (and am glad I don't do it for a living!). But no one should be criticizing a software company that is being up-front and saying "we need to work on this a little longer to make it 'People Ready'".
[Okay, you can shut down your rant shields now.]

Exchange 9548 warnings getting you down?

[Update! This patch is only for E2K3 SP1. The KB article was not clear on this. An SP2 version is in the works.]
One "conventional wisdom" path when it comes to users that have left your company is that you should disable their Windows account for some period of time after they leave the company. That helps cover the "Oh shoot!" factor when someone needs that mailbox or the user suddenly returns to their job and wonders what happened to their e-mail.

However, when you do this, it "disables" the mailbox, too. And you start getting event ID 9548 errors each time that mailbox is accessed or a message delivery to that mailbox is attempted.

The 9548 warning message may contain the user's legacyExchangeDN attribute or it may contain their SMTP address, such as the one shown below.

Event Type: Warning
Event Source: MSExchangeIS
Event Category: General
Event ID: 9548
Date: 3/22/2006
Time: 8:06:34 AM
User: N/A
Computer: CTAHNL1
Description:Disabled user mtownley@somorita.com does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account.

The behavior is by design and is supposed to let you know when a mailbox does not have a valid security principal. However, all it usually does is fill up the event logs with a lot of unnecessary warning messages. The good news is that Microsoft has gotten tired of hearing us whine and has released a hot fix to change the behavior.

See Microsoft KB 903158: "A hotfix is available to modify the way that Exchange Server 2003 handles a disabled Active Directory user account that is associated with an Exchange Server 2003 mailbox" for more information. You should be able to call your regional PSS center and ask for a hotfix without being charged; just let the call center know that you understand that the fix has not been fully regression tested and that you will test it first. (You will test it, won't you?)

Thanks to Exchange MVP Ben Winzenz for pointing this new fix out!

Tuesday, March 21, 2006

New@Google Finance

Kinda cool. Google is moving to compete with Yahoo and Microsoft in the financial web page department with Google Finance. Nice clean, quick interface.

Thursday, March 16, 2006

Managing mailboxes in ADUC without Exchange System Manager

I finally got the right combination of DLL's that are required to manage Exchange mailboxes using Active Directory Users and Computers without having to install the Exchange System Manager. This is a hassle for Windows XP desktops or servers that don't have Exchange on them because ESM requires IIS components (IIS Admin, SMTP, and W3SVC).

From an Exchange 2003 server, copy the following DLLs from the \program files\exchsrvr\bin folder in to a common folder (preferably in the path) such as \windows\system32 on the machine on which you want to manage Exchange attributes:

address.dll
escprint.dll
exchmem.dll
glblname.dll
maildsmx.dll
pttrace.dll

Once these are copied on to that machine, run REGSVR32.EXE \windows\system32\maildsmx.dll to register that DLL. When you re-open Active Directory Users and Computers, the Exchange extensions will show up!

Thanks to Neo for sharing the information about these DLLs. I just tested this procedure and it worked great for me.

Sunday, March 12, 2006

Purging SMTP or HTTP protocol logs


As anyone that has ever worked with me will attest, I like logging. Windows auditing, Exchange Diagnostics Logging, and Protocol Logging. I guess this comes from being the guy that helps set things up and troubleshoot them, but never being around for the performance problems or log management issues. :-) Setting up any type of logging (especially on Exchange) is a balance between logging the information you need and not hurting performance.

I tend to like to have SMTP and HTTP protocol logging enabled on my front-end / bridgehead servers for both troubleshooting as well as trend analysis. The problem with these logs is that they do not purge automatically. I found a script that will purge these logs if they are older than 30 days. The script is completely customizable, so you can specify alternate directories and a different maximum range if you want. I usually set these up and schedule a job to run these nightly.

To download these scripts, click here. These are provided without support.
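The post's own purge script is only linked, not shown, so here is an added example of the same job (not the author's script): delete protocol log files older than a retention window, leave everything else in the folder alone, and report what was removed so a nightly scheduled task has a record. The folder names and the 30-day default are assumptions modelled on a default Exchange 2003 install; both are parameters, and the sample folder the demo builds is constructed.

```python
"""Purge SMTP / HTTP protocol logs older than a retention window.

Added example for this post; it is not the script the post links to.
Assumptions: IIS-style protocol log folders (W3SVC1, SmtpSvc1 under
\\WINDOWS\\system32\\LogFiles on a default install) and a 30-day
retention; both are parameters, matching the post's point that the
directories and age limit should be adjustable.
"""
import os
import tempfile
import time
from pathlib import Path

DEFAULT_MAX_AGE_DAYS = 30
SECONDS_PER_DAY = 86400
# Only files with these suffixes are candidates; anything else in the
# folder (notes, archives someone parked there) is left alone.
LOG_SUFFIXES = (".log",)


def purge_old_logs(directories, max_age_days=DEFAULT_MAX_AGE_DAYS,
                   now=None, dry_run=False):
    """Delete log files whose modification time is older than the window.

    Returns the list of paths that were deleted (or, with dry_run=True,
    would have been), so a nightly scheduled run can record its work.
    `now` is injectable so the behaviour can be tested deterministically.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * SECONDS_PER_DAY
    removed = []
    for directory in directories:
        folder = Path(directory)
        if not folder.is_dir():
            # Not fatal: a bridgehead without HTTP logging has no W3SVC folder.
            continue
        for entry in sorted(folder.iterdir()):
            if not entry.is_file() or entry.suffix.lower() not in LOG_SUFFIXES:
                continue
            if entry.stat().st_mtime >= cutoff:
                continue  # still inside the retention window
            if not dry_run:
                entry.unlink()
            removed.append(str(entry))
    return removed


def make_sample_logs(root, now):
    """Create a constructed log folder: three .log files aged 45, 31 and
    10 days plus a 60-day-old .txt that must survive a purge."""
    folder = Path(root) / "SmtpSvc1"
    folder.mkdir(parents=True, exist_ok=True)
    for name, age_days in (("ex060114.log", 45), ("ex060128.log", 31),
                           ("ex060218.log", 10), ("readme.txt", 60)):
        path = folder / name
        path.write_text("constructed sample\n")
        stamp = now - age_days * SECONDS_PER_DAY
        os.utime(path, (stamp, stamp))
    return str(folder)


def demo(now=None):
    """Run a purge against the constructed folder and return what happened:
    (dry-run candidates, deleted files, files left behind), as base names."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        folder = make_sample_logs(tmp, now)
        planned = [Path(p).name for p in purge_old_logs([folder], now=now, dry_run=True)]
        deleted = [Path(p).name for p in purge_old_logs([folder], now=now)]
        left = sorted(p.name for p in Path(folder).iterdir())
    return planned, deleted, left


if __name__ == "__main__":
    planned, deleted, left = demo()
    print("would delete:", planned)
    print("deleted     :", deleted)
    print("kept        :", left)
```

Run it once with dry_run=True from the scheduled task before trusting it; the returned list is what you would write to a log file or the event log.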

Friday, March 10, 2006

Testing ActiveSync and SmartPhone features with Windows Mobile Emulator

Howdy from Los Angeles! I have just about spent more time in California and Seattle this year than I have at home. A couple of times over the past few months I have had the need to test ActiveSync or to demo SmartPhone functionality. Microsoft's Visual Studio .NET and 2005 both have built-in emulators for testing programs written for the Windows Mobile platform. As a non-developer, though, installing Visual Studio just for the emulator is a serious pain in the neck.

Microsoft is working on a neat new tool that does Windows Mobile emulation, but can be installed standalone (without requiring Visual Studio). I read about this initially at http://www.pocketpcfaq.com/faqs/5.0/emulator.htm but it has been discussed in some of the newsgroups. The emulator is called the Microsoft Device Emulator 1.0 Community Preview and it currently only supports Windows Mobile 2003, but I'm hoping as they polish it off, it will support Windows Mobile 2005 and the new Windows Mobile Feature Pack that works with Exchange 2003 SP2 ActiveSync features.

Sunday, March 05, 2006

Solving "e-mail address already exists in this organization" using LDAP query in ADUC

This discussion was just in the newsgroups and I felt the solution was worthy of a blog post. An administrator is having a problem creating an SMTP proxy address for a mailbox. The message they get when they try to add snuffy@domain.com as an SMTP address is "This e-mail address already exists in this organization. ID no: c10312e7 Microsoft Active Directory - Exchange Extension".

The SMTP address the admin is trying to assign is already assigned to another mail-enabled object (mailbox, mail-enabled user, contact, or mail-enabled group.) I suggested doing an LDIFDE dump to an LDF file of the entire directory and searching through that file. Rich Matheisen suggested a better and far faster way.

Using the Windows 2003 Active Directory Users and Computers utility, right click on the domain, choose Find. In the Find: dropdown list, choose "Custom Search" and in the In: dropdown list, choose "Entire Directory". Click the Advanced property page and enter the following LDAP query (in my example, at least):

proxyaddresses=smtp:snuffy@domain.com

Click Find and you should find the object that already has that SMTP address. Thanks Rich!
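Both approaches in this post (the ADUC custom search and the LDIFDE dump) are easy to get subtly wrong: a proxy address containing `*`, `(` or `)` must be escaped in an LDAP filter, and the `SMTP:`/`smtp:` prefix only marks primary versus secondary addresses, so a grep for `smtp:snuffy` misses the primary. This added example (not from the post or the newsgroup thread) builds a correctly escaped filter and scans a constructed LDIF export for every holder of an address and for any address held by more than one object. The sample directory and its DNs are constructed.

```python
"""Find which directory object already holds an SMTP proxy address.

Added example; not code from the post. The LDIF text below is a
constructed stand-in for an `ldifde -f` export of the directory.
"""
import re

# RFC 4515 escaping for characters that are special inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_for_smtp(address):
    """Build the custom-search filter for one SMTP proxy address.

    Same query as the post's `proxyaddresses=smtp:...`, in the parenthesised
    RFC 4515 form, with the value escaped so user input cannot alter it.
    """
    escaped = "".join(_LDAP_ESCAPES.get(ch, ch) for ch in address)
    return f"(proxyAddresses=smtp:{escaped})"


def parse_ldif(text):
    """Return [(dn, {attribute: [values]})] for each record in an LDIF dump."""
    records = []
    dn, attrs = None, {}
    # LDIF folds long values onto a following line that starts with a space.
    unfolded = re.sub(r"\r?\n ", "", text)
    for line in unfolded.splitlines() + [""]:
        if line == "":                      # blank line ends a record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return records


def smtp_address_index(records):
    """Map each SMTP address (case-folded) to the DNs that carry it."""
    index = {}
    for dn, attrs in records:
        for value in attrs.get("proxyaddresses", []):
            kind, _, addr = value.partition(":")
            if kind.lower() != "smtp":
                continue        # X400, X500, etc. cannot collide with SMTP
            index.setdefault(addr.lower(), []).append(dn)
    return index


def find_holders(records, address):
    """All DNs that already carry `address` as primary or secondary SMTP."""
    return smtp_address_index(records).get(address.lower(), [])


def find_duplicates(records):
    """Addresses carried by more than one object (the c10312e7 condition)."""
    return {addr: dns for addr, dns in smtp_address_index(records).items()
            if len(dns) > 1}


# Constructed sample export: a mailbox, a group that was given the same
# address as a secondary, and an unrelated contact.
SAMPLE_LDIF = """\
dn: CN=Snuffy Smith,OU=Users,DC=domain,DC=com
objectClass: user
mail: snuffy@domain.com
proxyAddresses: SMTP:snuffy@domain.com
proxyAddresses: X400:c=US;a= ;p=Domain;o=Exchange;s=Smith;g=Snuffy;

dn: CN=Sales DL,OU=Groups,DC=domain,DC=com
objectClass: group
proxyAddresses: SMTP:sales@domain.com
proxyAddresses: smtp:Snuffy@Domain.com

dn: CN=Old Contact,OU=Contacts,DC=domain,DC=com
objectClass: contact
proxyAddresses: SMTP:snuffy@partner.example
"""

if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(ldap_filter_for_smtp("snuffy@domain.com"))
    print("holders   :", find_holders(recs, "snuffy@domain.com"))
    print("duplicates:", find_duplicates(recs))
```

The duplicate scan is what you would run over a full LDIFDE export before a bulk proxy-address import, when the one-at-a-time ADUC search gets tedious.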

Saturday, March 04, 2006

Exchange SP2 ActiveSync Direct Push and firewall HTTP connection timeouts

"Exchange SP2 ActiveSync Direct Push and firewall HTTP connection timeouts" Boy, does that sound like an exciting title to a blog entry or what?! And I wonder why I have not gotten the Blog Pulitzer yet. :-)

If you have installed Exchange 2003 SP2 and have been lucky enough to get a Windows Mobile 2005 FP1 update for your mobile device (from your device manufacturer, not Microsoft), then you may have been playing with the Direct Push feature. (This lets Exchange notify your device via a pre-established, persistent HTTP or HTTPS connection that you have new mail to download.) However, if your firewall's HTTP timeout is set to less than about 8 minutes, the devices may not keep their persistent connection open. You will see errors such as this:

Event Type: Warning
Event Source: Server ActiveSync
Event Category: None
Event ID: 3033
Computer:HNLEX01
Description:The average of the most recent [200] heartbeat intervals used by clients is less than or equal to [9]. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed. For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, "Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology"

Microsoft recommends that the HTTP or HTTPS connection timeout value on your organization's firewall be set to no less than 30 minutes. The heartbeat value on the Exchange server can also be tweaked with the MinHeartbeatInterval and MaxHeartbeatInterval registry values defined in KB 905013.
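To see why a short firewall idle timeout produces event 3033, here is an added model (not code from Exchange or Windows Mobile) of a device probing for the longest heartbeat the path will carry. The event text on the page says the server averages the most recent 200 heartbeat intervals; the device's real negotiation rule is not on the page, so the probing rule here (lengthen after each successful ping, back off after the firewall cuts the idle request) is an assumption, as are the min/max heartbeat bounds, and the unit of the "[9]" in the event is not stated, so the demo treats the threshold as 9 minutes, which matches the post's "about 8 minutes" remark. The 30-minute recommendation is the one the post quotes.

```python
"""Model of Direct Push heartbeats against a firewall idle timeout.

Added example, not code from Exchange or Windows Mobile. The event on
the page averages the most recent 200 heartbeat intervals; the device's
real negotiation algorithm is not on the page, so the probing rule below
(lengthen the heartbeat after each successful ping, shorten it after the
firewall cuts the idle connection) is an assumption used only to show
the interaction. All times are in seconds.
"""

RECOMMENDED_FIREWALL_TIMEOUT = 30 * 60   # the 30 minutes the post cites
HEARTBEAT_WINDOW = 200                   # sample size named in event 3033


def simulate_client(firewall_idle_timeout, min_hb=60, max_hb=1800,
                    step=60, rounds=400):
    """Return the heartbeat intervals a device uses over `rounds` pings.

    min_hb/max_hb stand in for the server's MinHeartbeatInterval and
    MaxHeartbeatInterval bounds; their real defaults are not on the page,
    so these values are assumed.
    """
    intervals = []
    hb = min_hb
    for _ in range(rounds):
        intervals.append(hb)
        if hb > firewall_idle_timeout:
            # The firewall dropped the idle HTTPS request before the
            # heartbeat expired, so the device backs off.
            hb = max(min_hb, hb - step)
        else:
            hb = min(max_hb, hb + step)
    return intervals


def average_recent(intervals, window=HEARTBEAT_WINDOW):
    """Average of the most recent `window` intervals (the 3033 statistic)."""
    recent = intervals[-window:]
    return sum(recent) / len(recent)


def heartbeat_warning(intervals, threshold, window=HEARTBEAT_WINDOW):
    """True when the server-side check behind event 3033 would fire."""
    return average_recent(intervals, window) <= threshold


def firewall_timeout_ok(timeout_seconds):
    """Does the firewall idle timeout meet the recommended minimum?"""
    return timeout_seconds >= RECOMMENDED_FIREWALL_TIMEOUT


if __name__ == "__main__":
    threshold = 9 * 60   # unit of "[9]" not stated on the page; minutes assumed
    for timeout in (5 * 60, 30 * 60):
        hb = simulate_client(timeout)
        print(f"firewall timeout {timeout:5d}s: average heartbeat "
              f"{average_recent(hb):7.1f}s, warning={heartbeat_warning(hb, threshold)}, "
              f"meets recommendation={firewall_timeout_ok(timeout)}")
```

With a 5-minute timeout the device never gets past a heartbeat of about five minutes, so the rolling average sits well under the threshold and the warning fires on every sample; with the recommended 30 minutes it climbs to the server's maximum and the warning never fires, which is the behaviour the post describes.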

Thursday, March 02, 2006

Low cost and free SSL certificates

If you are standing up an OWA server or a simple Web server to the Internet, you probably don't want to pay a couple of hundred dollars a year for an SSL certificate. Servers such as company intranet/extranet servers, mail servers, etc... don't need the same level of liability and assurance as Verisign and Thawte provide. A lot of reasonably priced CAs have emerged over the years. Most of these have very high browser recognition, so no warnings on the client side about an "untrusted" CA (certificate authority.)
  • GoDaddy sells their Turbo SSL cert for as little as $15.96 per year (for 10 years) - http://www.godaddy.com - I have used GoDaddy a number of times over the last few months and they are pretty easy to work with and have good telephone support.
  • Instant SSL / Comodo as low as $33 per year (for 3 years) - http://www.instantssl.com
  • Rapid SSL has certs starting at $69.00 per year - http://www.rapidssl.com

If you just need a certificate for testing, check out StartCom Free SSL (http://cert.startcom.org) for a freebie SSL certificate. Right now, though, the cert is untrusted, so your browser clients need to download their certificate server's certificate in order to keep from getting the warning message about an untrusted CA.

If anyone knows of some other good cheap/free CA's, let me know and I'll add them to the post.

Wednesday, March 01, 2006

Exchange 12 Beta 1 available as CTP

I just saw this on Paul Robichaux's blog. Exchange 12 will soon be available as a Community Technology Preview (CTP). I strongly urge all Exchange 5.5/2000/2003 administrators to download this Beta, put it in a TEST environment, and get familiar with the new features and functions. Don't get discouraged! It is somewhat different and there are some things that may take you by surprise. Beta 2 of Exchange 12 will be later in the year and should be public. By the way, there is a 32-bit version of E12 that you can use for testing, lab, and classroom environments, but you won't see some of the significant performance gains as you will with the official 64-bit version.

Word of warning. Do NOT under any circumstance install this in your production organization. Please, please, please do NOT install it in production. Lab and test environment ONLY.