
Companies of all sizes are turning toward mobile devices as a way to help their employees work more effectively and productively. The Microsoft Exchange Server product family includes integrated support for a wide range of mobile devices, providing Exchange customers with a low-cost, easy-to-manage mobile messaging solution as part of their Exchange deployments.

 

Shortly after the release of Microsoft Exchange Server 2007, the newest version of Windows Mobile, Windows Mobile 6, was released. Formerly codenamed Crossbow, this release contains a number of enterprise-ready features designed to work natively with Exchange Server 2007 to provide a robust mobile experience. We have a blog post providing an overview of the features available when using Exchange 2007 and Windows Mobile 6.0. Check it out here for more details.

 

A new feature of Exchange Server 2007 that helps prevent the inundation of system resources of an Exchange Server 2007 transport server is back pressure.

Back pressure is a system resource monitoring feature of the Exchange Transport service that exists on computers that are running Exchange Server 2007 that have the Hub Transport server role or Edge Transport server role installed.

When a monitored system resource, such as hard disk drive utilization or memory utilization, exceeds the specified threshold, the Exchange transport server stops accepting new connections and messages and concentrates on delivering existing messages. This prevents the system resources from being completely overwhelmed and enables the Exchange server to deliver the existing messages. When the utilization of the monitored system resources returns to normal levels, the Exchange transport server accepts new connections and messages again.

For each monitored system resource on a Hub Transport server or Edge Transport server, the three levels (Normal, Medium and High) of resource utilization are applied.

For example, by default, the message queue database is stored at <drive letter>:\Program Files\Microsoft\ExchangeServer\TransportRoles\data\Queue. By default, the high level of hard disk drive space utilization is calculated by using the following formula: 100*(hard disk drive size - 4 GB) / hard disk drive size. As the available free hard disk drive space decreases, the hard disk drive utilization increases. So at least 4 GB of free space is required on the hard disk drive containing the message queue database. Otherwise, the hard disk drive space utilization reaches the high level and Exchange stops accepting any new connections and messages.

People who are not aware of this new back pressure feature can be surprised when mail flow stops on their servers.

For more information about the back pressure feature, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/bb201658.aspx
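As an added example (not code from the original post), the following Exchange Management Shell script applies the default formula above to the drive that actually hosts the queue database and reports how much headroom remains before the high threshold is reached. The queue path is the default from the post; adjust it if your installation uses another location.

```powershell
# Added example, not from the original post: compute the default back pressure
# "high" disk threshold for the drive holding the queue database and compare it
# with the drive's current utilization. $QueuePath is the default location; change
# it if your queue database lives elsewhere.
$QueuePath   = "C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue"
$DriveLetter = Split-Path -Qualifier $QueuePath        # e.g. "C:"

$disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
if (-not $disk) { throw "Drive $DriveLetter not found on this computer." }

$sizeGB = $disk.Size / 1GB
$freeGB = $disk.FreeSpace / 1GB

# High threshold as given in the post: 100 * (disk size - 4 GB) / disk size
$highThreshold = [Math]::Round(100 * ($sizeGB - 4) / $sizeGB, 1)
# Current utilization: percentage of the drive that is in use
$utilization   = [Math]::Round(100 * ($sizeGB - $freeGB) / $sizeGB, 1)

"Queue drive {0}: {1:N1} GB total, {2:N1} GB free" -f $DriveLetter, $sizeGB, $freeGB
"Back pressure high threshold: $highThreshold%   current utilization: $utilization%"

if ($utilization -ge $highThreshold) {
    Write-Warning "Less than 4 GB free on $DriveLetter; transport will refuse new connections and messages."
} else {
    $headroomGB = [Math]::Round($freeGB - 4, 1)
    "Headroom before back pressure: $headroomGB GB"
}
```

Because the threshold is defined relative to a fixed 4 GB of free space, the headroom figure is simply free space minus 4 GB; the percentage form is what Exchange compares against, so both are printed.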

 

Recently, we have been seeing a number of issues where public folders cannot be replicated to Exchange 2007. The symptoms are:

1. Exchange 2007 mailboxes are not able to view Exchange 2003 public folders through the Outlook client.

2. On the Exchange 2003 server, the public folder replication messages are queued in the "Messages with an unreachable destination" queue.

3. On the Exchange 2003 server, you may find the event below:

Event Type:    Warning

Event Source:         MSExchangeTransport

Event Category:     Routing Engine/Service

Event ID:          951

Description:

When sending mail to the following address exchange2007name.domain.com.5B2DCAE3-0882-1148-8DEB-B36F641F9E2B, we have found the connector with target domain *.5B2DCAE3-0882-1148-8DEB-B36F641F9E2B matching destination address exists in DS. However, we have no way of getting there. You need to check your topology and add appropriate connectors among Routing Groups.

 

The root cause is that there is no Routing Group Connector between the Exchange 2003 routing group and the Exchange 2007 routing group. During Exchange 2007 installation, there is an option to select an Exchange 2000/2003 Routing Group Connector bridgehead server. If you do not configure this option, the Routing Group Connector won’t be created between the default routing group in Microsoft Exchange Server 2007 and the Exchange Server 2003 routing groups.

 

Note: The first routing group connector between Exchange 2007 and Exchange 2003 or Exchange 2000 is created and configured during installation of the first Hub Transport Server role in an existing Exchange organization.

 

To resolve this issue, you can use the Exchange Management Shell to manually create the routing group connector.

For example, run the following command to create reciprocal routing group connectors between the Exchange 2007 routing group and the routing group that is associated with the specified Exchange Server 2003 server, assign a cost of 100 to that connector, and enable public folder referrals:

 

New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "Ex2007Hub1.contoso.com" -TargetTransportServers "Ex2003BH1.contoso.com" -Cost 100 -Bidirectional $true -PublicFolderReferralsEnabled $true

 

When you try to uninstall Exchange 2007 from your server, you may receive error messages indicating that there are still public folders on the machine, and the uninstall process fails. We have received a lot of these issues recently. The cause is that the Exchange 2007 server still contains public folder replicas. The replicas and the public folder store must be removed before Exchange 2007 can be uninstalled properly.

For the detailed steps to remove public folder replicas and the public folder store, please refer to the following article.

How to remove Exchange 2007 from a computer

http://support.microsoft.com/default.aspx?scid=kb;EN-US;927464

 

Exchange 2007 SP1 will be released in the second half of this year. A partial list of what you'll find included in this SP is:

Standby Continuous Replication (SCR)

With Exchange 2007, we introduced Cluster Continuous Replication (CCR) for replication of data between 2 servers within a cluster.  With SCR, data can be replicated on a per-storage group basis to standby servers or clusters.  The SCR target, whether a single mailbox server or a cluster, can be placed inside the primary datacenter or in a remote location, ready to be manually activated if the primary server or datacenter fails.

OWA

SP1 will fill in the feature holes that we just didn't have time to complete by RTM:

  • Personal distribution lists
  • S/MIME
  • Rules
  • Monthly calendar view
  • Deleted items recovery
  • Public folder access

OWA 2007 SP1 spell checking will add support for:

  • Arabic
  • Korean

OWA 2007 SP1 will add support for viewing Office 2007 file formats as HTML.

Exchange Management Console

SP1 will fill in the GUI holes that we just didn't have time to complete by RTM, including:

  • Public folder configuration
  • POP and IMAP configuration
  • SendAs permission configuration
  • Delegation wizard scenarios

Web Services

New web service coverage will include:

  • Public folder access 
  • Delegate management
  • Folder permission management

IPv6

On Longhorn Server, we will support Exchange 2007 on native IPv6 networks.

 

Move Mailbox

This vital administrator tool has been beefed up to include import from and export to a .pst file.

 

We have received some requests regarding how to move Microsoft Exchange 2007 to new hardware and keep the same server name. You can find the solution by following detailed steps below.

 

1. Copy the mailbox database .edb file, the public folder database .edb file and the mail.que file completely to a network or external drive location.

 

Once the files have completed copy:

 

2. Power down the current Exchange server.

3. In ADUC, reset the machine account for "Your Exchange Server Name" and synchronize your domain controllers (if you have multiple).

4. Change the new server name to "Your Exchange Server Name" and join the domain.

5. Adjust the IP address of the new machine so that it uses a static IP that matches the IP in the DNS host record for the old server.

6. Run Exchange setup. From the Run window, browse to the setup executable and add the /m:recoverserver and /donotrestart switches. The complete command should resemble the following:

 

Setup /m:recoverserver /donotrestart

 

Once setup completes:

 

a. Move the mail.que database back into the queue folder (this folder should be empty): c:\program files\Microsoft\Exchange Server\TransportRoles\data\queue

b. Move the mailbox database into the production folder (this folder should also be empty): c:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group

c. Move the public folder database into the production folder (this folder should also be empty): c:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group

d. Open the Exchange Management Console – obtain properties of the two stores and select the option that “This database can be overwritten by a restore”.

e. Start all Exchange services.

 

7. Verify your Send Connector configuration: you should have a * domain listed with a type of SMTP in order to send mail outbound.

8. Verify your Receive Connector configuration: in order to receive mail, the connector needs to accept anonymous connections.

9. If your external SMTP domain is different from the internal domain, verify that the external SMTP domain is added to the Accepted Domains list.

10. OPTIONAL: enable the anti-spam agents for the Hub Transport role. To do so:

 

a. Open Exchange Management shell and navigate to the scripts directory: c:\program files\Microsoft\Exchange Server\Scripts. Issue following command: .\install-AntispamAgents.ps1

b. Once installed restart the Exchange Transport Service (MSExchangeTransport).

c. In the Exchange Management Console, verify that the anti-spam agents are enabled on the Anti-Spam tab, under Organization Configuration – Hub Transport – Anti-Spam.

 

Now, you can test both internal and external mail-flow. If both work you are done.
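Before testing mail flow, the three connector checks from steps 7 to 9 can be scripted. The following is an added example, not part of the original post: it runs in the Exchange Management Shell on the recovered server and reports each prerequisite. The external domain value is a placeholder to replace with your own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the recovered server to check the mail flow prerequisites from steps 7-9.
$ExternalDomain = "contoso.com"          # placeholder, replace with your external SMTP domain
$ServerName     = $env:COMPUTERNAME

# Step 7: at least one enabled Send Connector must carry the SMTP address space "*".
$internetSend = Get-SendConnector | Where-Object {
    $_.Enabled -and ($_.AddressSpaces | Where-Object { $_.Type -eq "SMTP" -and $_.Address -eq "*" })
}
if ($internetSend) {
    foreach ($c in $internetSend) { "OK       Send Connector '$($c.Name)' has a * SMTP address space" }
} else {
    Write-Warning "No enabled Send Connector has a * SMTP address space; outbound Internet mail will not flow."
}

# Step 8: a Receive Connector on this server must allow anonymous connections
# (its PermissionGroups must include AnonymousUsers).
$anonReceive = Get-ReceiveConnector -Server $ServerName | Where-Object {
    $_.Enabled -and ($_.PermissionGroups.ToString() -match "AnonymousUsers")
}
if ($anonReceive) {
    foreach ($c in $anonReceive) { "OK       Receive Connector '$($c.Name)' accepts anonymous connections" }
} else {
    Write-Warning "No enabled Receive Connector on $ServerName accepts anonymous connections; inbound Internet mail will be rejected."
}

# Step 9: the external SMTP domain must be present in the Accepted Domains list.
$accepted = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $ExternalDomain }
if ($accepted) {
    "OK       $ExternalDomain is an accepted domain ($($accepted.DomainType))"
} else {
    Write-Warning "$ExternalDomain is not in the Accepted Domains list; add it with New-AcceptedDomain."
}
```

Each check only reads configuration, so it is safe to rerun after every correction until all three lines report OK; then proceed to the internal and external mail flow tests.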

 

Exchange Server 2007 allows customers to flexibly configure and control inbound and outbound Internet mail flow in a way that meets the requirements of their environments. The three typical mail flow scenarios are:

  • You send and receive Internet e-mail by relaying through a subscribed Edge Transport server. A subscribed Edge Transport server has been subscribed to the Exchange organization. The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers periodically synchronizes recipient and configuration data to the ADAM instance on the Edge Transport server.
  • You send and receive Internet e-mail by relaying through Microsoft Exchange Hosted Services or other third-party Simple Mail Transfer Protocol (SMTP) gateway servers.
  • You send and receive Internet e-mail directly by the Hub Transport server. This usually applies to small organizations with only one Exchange 2007 server having all the Hub Transport, CAS and Mailbox roles.

Each scenario requires specific configurations to allow proper Internet mail flow. Please view the Microsoft TechNet at http://technet.microsoft.com/en-us/library/aa998212.aspx and pick up the scenario for which your organization meets prerequisites.

This topic lists licensing error messages that can appear on client computers. It also describes the causes of and solutions for these errors. Although these error messages appear on clients, they are frequently caused by problems with the Windows Server 2003 Terminal Server license server or the terminal server. Therefore, when you troubleshoot Terminal Server Licensing issues, it is useful to first determine whether there are server configuration issues or problems with network connectivity.

http://technet2.microsoft.com/WindowsServer/en/Library/159e6ff8-4edb-43fd-8767-3d9858897e2c1033.mspx

 

When a Terminal Services client logs on or logs off (either in a session or on the console of the Terminal server), the Microsoft Windows Server 2003-based or the Microsoft Windows 2000-based Terminal server together with the connected Terminal Services client computers may stop responding or may pause for several seconds.

KB324446 http://support.microsoft.com/kb/324446/en-us

 

If you have not gotten word by other means, SMS 2003 SP3 has shipped and is available on the web for download here!

 

There has however been some confusion over the SMS 2003 R2 product in conjunction with the SP3 release which I hope is cleared up by the following.

 

SMS 2003 R2 remains a distinct value-add for SMS 2003 and requires either SMS 2003 SP2 or SMS 2003 SP3 versioned sites.  R2 provides added functionality including both the Scan Tool for Vulnerability Assessments and the Inventory Tool for Custom Updates.  Find more information about the SMS 2003 R2 evaluation version here!

 

SMS 2003 SP3 does not require R2 nor will it provide, impact, or duplicate the R2 functionality.  SP3 does introduce RTM Vista Support and Asset Intelligence features to SMS 2003. 

 

Some original wording on the SP3 download site looks to have been changed which should eliminate future confusion around SMS 2003 SP3 and R2

 

Windows Server 2003 SP2 is a combination of security updates, functionality updates, and new features. SP2 contains the latest collection of updates to help improve the security, reliability, and performance of the operating system. Like Windows Server 2003 SP1, it makes some significant changes to security, including the startup accounts for services and DCOM security. Since Windows Server 2003 SP2 has stronger defaults and reduced privileges for services, some issues may appear after installing it.

 

 

Here we introduce a typical security related issue after installing SP2:

 

Windows Server 2003 SP2 uses the Network Service account for the RPC service. Prior to SP2 and SP1, the OS used the Local System account for it. After installing SP2 for Windows Server 2003, services that use the Network Service or Local Service account will not start.

 

Have you ever encountered the following problem?

 

  • The RPC service, or other services set to automatic that depend on RPC, will not start properly. For example, when trying to start the service you get the error "Error 1068: The dependency service or group failed to start".
  • Network connections fail to open, or network adapter icons do not appear in Network Connections.
  • Incoming and outgoing network communication fails.
  • The COM+, Volume Shadow Copy and Shell Hardware Detection services are stuck in the “Starting” state.
  • You receive “Access is denied” when selecting the Dependencies tab of a service that does not start.

 

Why?

 

The Remote Procedure Call (RPC) service has been changed from the Local System account to the Network Service account for better security. When the RPC service runs as the Network Service account, the “Impersonate a client after authentication” right must include the Administrators and SERVICE groups.

 

What can we do if meeting with the issue?

a. Open the Group Policy configuration window (gpedit.msc or open it in Active Directory Users and Computers).

b. Locate the policy entry: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication.

c. Ensure that the “Administrators” group and the “SERVICE” group are granted this privilege.

d. If the problem remains, correct the Access Control List for HKEY_CLASSES_ROOT\CLSID (and all child keys and values) to ensure NT Authority\Network Service can read. This can be accomplished by adding Authenticated Users or Users group and providing Read permissions.

 

Note: If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that apply to this computer, and then make the policy changes to the appropriate Group Policy settings. 

 

e.  In the Enter the object names to select box, type Administrators , and then click OK. 

f.  Repeat steps d through e for the SERVICE group account.

g.  Click OK to close the Impersonate a client after authentication Properties dialog box. 

h.  On the File menu, click Exit. 

i.  Restart the computer. 

If you can add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, restart the computer.
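To confirm the fix (or to spot the problem before it bites), the effective user right assignment can be checked from the command line instead of clicking through the policy editor. The following is an added example, not from the original post: it exports the local security policy with secedit.exe and checks that the two groups named above hold SeImpersonatePrivilege, the internal name of “Impersonate a client after authentication”. The export path is an assumption made for the example.

```powershell
# Added example, not from the original post. Exports the effective local security
# policy with secedit.exe and checks whether SeImpersonatePrivilege ("Impersonate a
# client after authentication") is granted to Administrators and SERVICE, the two
# groups the RPC service needs when it runs as Network Service. Run elevated.
$export   = Join-Path $env:TEMP "user-rights-export.inf"                    # assumed path
$required = @{ "S-1-5-32-544" = "Administrators"; "S-1-5-6" = "SERVICE" }   # well-known SIDs

secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $export)) { throw "secedit export failed; run this from an elevated session." }

# The exported line has the form:
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$line = Get-Content $export | Where-Object { $_ -match "^SeImpersonatePrivilege\s*=" } | Select-Object -First 1

if (-not $line) {
    Write-Warning "SeImpersonatePrivilege is granted to nobody; RPC running as Network Service will fail to start."
} else {
    # secedit prefixes each SID with "*"; strip it and compare against the required set.
    $granted = $line.Split("=", 2)[1].Split(",") | ForEach-Object { $_.Trim().TrimStart("*") }
    foreach ($sid in $required.Keys) {
        if ($granted -contains $sid) {
            "OK       {0} ({1}) holds 'Impersonate a client after authentication'" -f $required[$sid], $sid
        } else {
            Write-Warning ("MISSING  {0} ({1}); grant the right under User Rights Assignment and restart" -f $required[$sid], $sid)
        }
    }
}
Remove-Item $export -ErrorAction SilentlyContinue
```

The export reflects the policy in effect on the computer, so if a domain Group Policy object is what removed the groups, a MISSING result points at that GPO (or the Domain Controller Security Policy on a domain controller) rather than at the local policy, as the note above describes.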

 

When we connect Outlook 2007 to Exchange Server, we may receive a variety of errors due to there being no default gateway set on the machine. Please refer to the following article for how to work around this issue.

 

Error messages when you try to connect Outlook 2007 to Exchange Server: "The action cannot be completed" or "Your Microsoft Exchange Server is unavailable" or "Cannot start Microsoft Office Outlook"

http://support.microsoft.com/kb/913843/en-us

 

NOTE: Based on our analysis, this issue always occurs when a user tries to connect from home via RPC over HTTP, since a home PC's ISP connection may not have a default gateway set.

 


Should the installation of ISA Server 2004 SP3 fail for any reason, a rollback operation will execute so that ISA components are returned to their pre-update versions.  If the ISA management console was opened while the update or rollback was in progress, this rollback process may fail.  This most often occurs when the ISA management is left open in a separate RDP session on that server.

 

We have had reports that the rollback is failing, which may result in leaving mixed components on the ISA Server, causing ISA service startup to fail.  We are investigating ways to prevent the update conflict and also to correct the rollback failures.

 

There are two options to resolve the rollback failure:

 

Option A: reinstall in repair mode (preferred)

 

A.      Download Service Pack 3 from ISA Download Site for your ISA 2004 Edition

B.      Make sure all ISA UI is closed and no other ISA utilities are in use

C.      Reinstall SP3 using this command line:

Msiexec /p <FullPathToSp3Package> REINSTALL=all REINSTALLMODE=omus SKIP_DIAGLOGACLS=1 /l*v c:\sp3.log

 

 

Option B: re-register an ISA administration component

A. Start | Run

B. Type “cmd” <Enter>

C. Run the following commands:

1. cd /d "%programfiles%\Microsoft ISA Server" (use the quotes)

2. regsvr32 wspadmin.dll

3. md VPN\Netsh

4. net start fwsrv

 

If none of these processes are successful, please contact PSS immediately.

 


Anyone who has tried enabling BitLocker has been greeted with a friendly dialog box insisting that you create a recovery password. At this point, you probably are thinking to yourself: “what is this recovery password, and what am I supposed to do with it?” 

 

First, let’s take a look at the BitLocker system.  BitLocker has two major features: 1) it encrypts the hard drive to prevent offline attacks against lost or stolen laptops and 2) it takes measurements of the boot process to ensure the integrity of the system at start-up. These measurements detect attacks that try to get into your system before the OS loads. 

If the measurements taken during start-up match the measurements taken when BitLocker was enabled, the system will boot into Vista as expected.  If the measurements change, however, BitLocker will enter recovery mode.  There are several scenarios that can cause these measurements to change.  Some scenarios are harmless, like moving a BitLocker-protected drive into a new computer, while others are malicious, like a rootkit attack. For a more complete discussion of recovery scenarios, check out the BitLocker Technical Overview.

 

In recovery mode, encrypted data will not be unlocked unless you can present the recovery password, either by inserting a USB flash drive containing the recovery password or typing it in manually.  Start-up PINs and keys will not work in recovery mode.

 

This leads to two critical points:

  • If you lose the recovery password and the system goes into recovery mode, the data is irretrievable.

  • If an adversary gets your recovery password, he can make changes to your system and bypass BitLocker (this is equivalent to a thief learning your Windows XP administrator password or your mother’s maiden name).

 

So this leads to an interesting dichotomy: you want to preserve your recovery password, but not leave it accessible to an attacker.  Taping your recovery password to your laptop is a bad idea.  But what other backup options are available?  Well, we have a few ideas:

  • Save your recovery password on a USB drive, and put it on your key chain (or in a safe).

  • Print out the recovery password and hide it away in a file folder.

  • Burn the recovery password onto a CD (or floppy) and store that away in some safe place.

  • BitLocker also supports automatic backup to Active Directory servers.

 

This is the recommended method for backing up recovery passwords in business scenarios.

 

Two things you should always remember about the BitLocker recovery password: back it up and keep it safe.

 

With Exchange 2003, if you wanted to create Active Directory accounts based on the list of disconnected mailboxes in the mailbox database, you could use the Mailbox Export Wizard, a component of the Mailbox Recovery Center. Before that, you could have used MBCONN, a tool we employed for that very purpose. That function would let you create an LDF file for AD import, based on the list of disconnected mailboxes in the mailbox database, in case you needed to bulk-create AD accounts to which you could then connect those mailboxes.

 

But how do you do this in Exchange 2007?  Check out this article for the answer: http://technet.microsoft.com/en-us/library/bb430758.aspx

 
