There are some "new" or updated tools up on the Exchange 2003 download site.
I work with Exchange Server, but all Microsoft employees are very aware of security. I am posting this just so you are aware.
Stephen Toulouse has posted some blurbs about a security vulnerability in Word 2003 and Word XP.
http://blogs.technet.com/msrc/archive/2006/05/20/429612.aspx
http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx
You can also read more (such as the workarounds until a fix is released) at http://www.microsoft.com/technet/security/advisory/919637.mspx
I'm thinking that the above link will be updated with developments. It is version 1.0 at the time I write this.
Keep an eye on this one...
Under the heading of: "You may already be aware of this, but we wanted to make sure..."
Some of our customers are having issues with permissions since they have upgraded to Exchange 2003 SP2 and a hotfix that makes the store.exe version 7650.23 or higher. I wanted to make sure that you were aware of some resources that are available to help you, in case you run across this.
What is the issue? The introduction here explains it well:
"In the past, additional accounts could be granted the "Full Mailbox Access" permission to a mailbox and these accounts could then send mail as the mailbox owner. From now on, the "Send As" permission must be explicitly granted to additional accounts or they will not be able to send mail as the mailbox owner. "
We recently updated the KB article that addresses this issue.
In the KB article we now include a script that will let you know which accounts in the organization have "Full Mailbox Access" permissions, but not "Send As" permissions. The script has three modes:
Export – This tells you the accounts that have "Full Mailbox Access", but not "Send As" permissions.
Import – This allows you to modify a list so that certain accounts that have "Full Mailbox Access" will get "Send As" permissions as well.
SetAll – This automatically sets all accounts with "Full Mailbox Access" to have "Send As" permissions as well.
Now you know... Again... :)
Update: Post SP2 hotfix and formatting.
In the Event log on the server that generates your OAB you may see the following:
Event Type: Error
Event Source: MSExchangeSA
Event Category: OAL Generator
Event ID: 9325
Description:
OALGen will skip user entry 'Display Name' in address list '\Global Address List' because the SMTP address '' is invalid.
- Default Offline Address List
If you check the user that is mentioned in the event you may find that all of the SMTP proxy addresses look fine on the "E-mail Addresses" tab in Active Directory Users and Computers (ADU&C). However if you look at the "E-mail" field on the "General" tab you may notice that the address there doesn't match the Primary SMTP address on the "E-mail Addresses" tab (the one next to the bold SMTP). These have to match.
About the only place I have found this documented is in the link in the actual event. You know the one that says:
For more information, see Help and Support at: http://go.microsoft.com/fwlink/events.asp
That link will take you to here, where it says:
"This Error event indicates that the user account specified in the event description has not been included in an offline address list because of an incorrectly configured SMTP address. For example, an incorrectly configured SMTP address is an address that contains a dash "-", an underscore "_", or no characters after the @ symbol. Incorrectly configured SMTP addresses can occur in the following circumstances:
A script modified either a user's primary SMTP proxy address attribute or e-mail address attribute. These attributes must match for a user to be added to an offline address list.
An administrator modified the e-mail address of a user on a computer that did not have the Exadmin.dll extensions loaded. "
If you have administrators using ADU&C but don't have the Exchange extensions loaded, then they may think that this is the right place to change someone's email address. If they had the proper extensions this would also change the Primary SMTP address as well, but since they don't... The next time the server generates the OAB, it will skip this user and your users with Outlook 2003 in cached mode may be missing that mailbox.
I'd be remiss if I didn't mention that OABInteg also helps you with this issue. See Dave Goldman's blog for more about that.
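As an added illustration (not the KB script, OABInteg, or any Exchange code), here is a small Python check that applies the rule from the event help text to user records: the "mail" attribute must equal the primary SMTP proxy (the uppercase "SMTP:" entry in proxyAddresses), and the address must have something after the @. The records, names and addresses below are constructed; in practice they would come from an LDAP query. The dash and underscore cases the help text lists are left out here because they depend on your naming policy; add them if your environment forbids them.

```python
# Added example (not the KB script or Exchange code): flag directory users whose
# "E-mail" field (the 'mail' attribute) does not match the primary SMTP proxy
# address, which is the mismatch behind OALGen event 9325. The sample records
# below are constructed; in a real run they would come from an LDAP query.


def primary_smtp(proxy_addresses):
    """Return the address of the primary SMTP proxy (the entry whose prefix is
    the uppercase 'SMTP:'), or None when there is no such entry."""
    for entry in proxy_addresses:
        prefix, sep, address = entry.partition(":")
        if sep and prefix == "SMTP":
            return address
    return None


def address_problems(address):
    """Report the shapes the help text calls incorrectly configured: a missing
    primary address or nothing after the @ symbol."""
    if address is None:
        return ["no primary SMTP proxy address"]
    local, at, domain = address.partition("@")
    problems = []
    if not at or not domain:
        problems.append("nothing after the @ symbol")
    if not local:
        problems.append("nothing before the @ symbol")
    return problems


def check_user(user):
    """Return a list of problems for one user record (empty when it is fine).
    Assumption: the address comparison is case-insensitive."""
    primary = primary_smtp(user.get("proxyAddresses", []))
    problems = address_problems(primary)
    mail = user.get("mail") or ""
    if primary is not None and mail.lower() != primary.lower():
        problems.append(
            f"mail attribute {mail!r} does not match primary SMTP {primary!r}")
    return problems


def users_oalgen_would_skip(users):
    """Map displayName -> problems for every record with at least one problem."""
    report = {}
    for user in users:
        problems = check_user(user)
        if problems:
            report[user["displayName"]] = problems
    return report


# Constructed sample directory records (placeholder domain).
SAMPLE_USERS = [
    {"displayName": "Alice Smith",
     "mail": "alice@contoso.example",
     "proxyAddresses": ["SMTP:alice@contoso.example",
                        "smtp:alice.smith@contoso.example",
                        "X400:c=US;a= ;p=Contoso;o=Exchange;s=Smith;g=Alice;"]},
    # Edited on the General tab without the Exchange extensions loaded:
    {"displayName": "Bob Jones",
     "mail": "bob.jones@contoso.example",
     "proxyAddresses": ["SMTP:bjones@contoso.example"]},
    # A script left nothing after the @ symbol:
    {"displayName": "Carol White",
     "mail": "carol@",
     "proxyAddresses": ["SMTP:carol@"]},
    # Only a secondary (lowercase smtp:) proxy, so there is no primary at all:
    {"displayName": "Dave Brown",
     "mail": "dave@contoso.example",
     "proxyAddresses": ["smtp:dave@contoso.example"]},
]

if __name__ == "__main__":
    for name, problems in users_oalgen_would_skip(SAMPLE_USERS).items():
        print(name, "->", "; ".join(problems))
```

Run against a real export, every name it prints is one that OALGen would skip on the next generation, so it is worth running before the OAB is rebuilt rather than after users start complaining.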
Well it is officially public now. The name is Exchange Server 2007. http://www.microsoft.com/exchange/preview/default.mspx
And Vivek also is telling us that Monad is now called PowerShell. The downloads also have been updated to show this.
I gave some thought to some of the issues you might experience after a cross-site move of mailboxes.
The main thing is that you must either recreate the profile or run the Exchange Profile Update Tool (ExProfRe.exe). Just changing the name of the server in the profile is not enough.
Please take a look at the information found at:
873214 The Exchange Profile Update tool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;873214
The first sentences of the article pretty much spell it out:
“After you move a mailbox across an administrative group, any Microsoft Outlook profiles that were in use for this mailbox no longer function correctly. Mailbox servers can refer Outlook to the correct server after mailboxes have been moved within an administrative group, but this process does not work correctly for mailboxes that are moved across an administrative group. Security settings for e-mail messages, calendaring, free and busy information, public folder moderation, and delegation may not work. You must update the profile for 100 percent functionality after such a move.”
More information can be found at:
838235 TechNet Support WebCast: Mixed-mode site consolidation in Microsoft Exchange Server 2003 Service Pack 1
http://support.microsoft.com/default.aspx?scid=kb;EN-US;838235
The transcript of this presentation is available for those who would rather read it.
In that transcript it says:
"... when we move mailboxes cross-site we're actually eliminating the object that represents the mailbox in 5.5 and creating a new object in a different site. So if you don't run that Exchange Profile Redirector Tool, the profile on your Outlook client will then still believe that it is associated with the distinguished name of the source site mailbox, meaning that the profile will make assumptions about who it actually is. Even though you can get into your mail after you do a cross-site move, and you can even send and receive mail after a cross-site move without running that Exchange Profile Redirector, if you don't run the Exchange Profile Redirector you'll have weird little issues going on because we will make assumptions about who we are that will be incorrect. So you need to run that Profile Redirector Tool. "
Many people are aware of the changes in Exchange 2003 SP2 with the V4 OAB. What many are not aware of are the changes with the other two versions of the OAB, V3a and V2.
Starting with SP2, when a change is made in your environment that previously would have required a full download of the OAB, we now actually throw an event that says:
Event ID : 9360
Category : OAL Generator
Source : MSExchangeSA
Type : Error
Generated : 4/17/2006 10:52:34 AM
Machine : ServerName
Message : OALGen encountered an error while generating the changes.oab file for version 2 and 3 differential downloads of address list '\Global Address List'. The offline address list has not been updated so clients will not be able to download the current set of changes. Check other logged events to find the cause of this error.
If the cause of the problem was intentional or cannot be resolved, OALGen can be forced to post a full offline address list by creating the DWORD registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters\OAL post full if diff fails' and setting it to 1 on this server. When OALGen next generates the offline address list, clients will perform a full OAB download. After that time, the registry key should be removed to prevent further full downloads.
- Default Offline Address List
Read that error again... It is telling you that the server has stopped generating OAB for those older versions. So your clients that are not running Outlook 2003 SP2 and that are using OSTs will probably give an error when trying to download the OAB.
The good news is that prior to that error we throw another event that explains what happened. For instance you may see the following:
Event ID : 9340
Category : OAL Generator
Source : MSExchangeSA
Type : Warning
Generated : 4/17/2006 10:52:34 AM
Machine : ServerName
Message : A new parent Legacy Exchange DN container value '/o=Organization/ou=Site/cn=NewRecipientsContainer' was found during generation of the differential update file for offline address list '\Global Address List'. This will force clients using this offline address list to do a full download of the offline address list.
Now this is useful. If I go to that site I may find a recipient container that is not needed and I could remove that container. Or perhaps it is an X500 address that was added with a typo to a mailbox. I can fix that, and the next time the OAB generation runs we should be fine.
For more information regarding this, look at Dave Goldman's blog. It is kind of deep, but if you take the time to read it, you will learn a lot.
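An added example, not Exchange code: the two events above arrive as a pair, so one quick way to act on them is to match each 9360 error with the 9340 warning that precedes it for the same address list and lift out the container the warning names. The Python below does that over a constructed log written in the same "Key : Value" layout quoted above; the server name and container value are the placeholders from the quoted events.

```python
# Added example (not Exchange code): correlate OALGen's 9360 error with the
# 9340 warning that precedes it and names the cause. The log text below is
# constructed in the same "Key : Value" layout the post quotes.
import re

SAMPLE_LOG = """\
Event ID : 9340
Category : OAL Generator
Source : MSExchangeSA
Type : Warning
Generated : 4/17/2006 10:52:34 AM
Machine : ServerName
Message : A new parent Legacy Exchange DN container value '/o=Organization/ou=Site/cn=NewRecipientsContainer' was found during generation of the differential update file for offline address list '\\Global Address List'. This will force clients using this offline address list to do a full download of the offline address list.

Event ID : 9360
Category : OAL Generator
Source : MSExchangeSA
Type : Error
Generated : 4/17/2006 10:52:34 AM
Machine : ServerName
Message : OALGen encountered an error while generating the changes.oab file for version 2 and 3 differential downloads of address list '\\Global Address List'. The offline address list has not been updated so clients will not be able to download the current set of changes. Check other logged events to find the cause of this error.
"""

ADDRESS_LIST_RE = re.compile(r"address list '([^']+)'")
CONTAINER_RE = re.compile(r"container value '([^']+)'")


def parse_events(text):
    """Split the text into event records; a blank line separates events."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition(" : ")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def address_list_of(event):
    """Pull the quoted address list name out of an OALGen message."""
    m = ADDRESS_LIST_RE.search(event.get("Message", ""))
    return m.group(1) if m else None


def explain_9360(events):
    """For each 9360 error, find the closest earlier 9340 warning about the
    same address list and extract the new container it names."""
    findings = []
    for i, event in enumerate(events):
        if event.get("Event ID") != "9360":
            continue
        target = address_list_of(event)
        cause = None
        for prior in reversed(events[:i]):
            if prior.get("Event ID") == "9340" and address_list_of(prior) == target:
                m = CONTAINER_RE.search(prior["Message"])
                cause = m.group(1) if m else None
                break
        findings.append({
            "generated": event.get("Generated"),
            "address_list": target,
            "new_container": cause,
            # The two ways out the post describes: fix the cause, or force one
            # full download with the 'OAL post full if diff fails' value.
            "action": ("fix or remove the container, then let OALGen run again"
                       if cause else
                       "check other logged events; if the change was intended, "
                       "set 'OAL post full if diff fails' to 1 once, then remove it"),
        })
    return findings


if __name__ == "__main__":
    for finding in explain_9360(parse_events(SAMPLE_LOG)):
        print(finding)
```

When no 9340 precedes the error, the finding carries no container and the suggested action falls back to the registry value the 9360 text itself describes; remember to remove that value afterwards, or every generation becomes a full download.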
Does anyone else find the fact that you have to do an F4 in Outlook to Find something extremely annoying? I use CTRL-F for every other application to do a Find. But evidently Forwarding is more important.
I found that Jenson Harris wrote about this in detail as to why this is the case.
I still don't like it... :)
I am in Redmond today and next week. It is always nice to get away from my office since I tend to have time to poke around in areas that I normally don't.
I like scripts. The power a few short lines of code can possess never ceases to amaze me. That is why I am really looking forward to Exchange 12 (We are still calling it that publicly, right?) and Monad.
I ran across the Microsoft Exchange Community-Submitted Script Center today. If you are looking for scripts that run on Exchange 2003 take a look there. I've mentioned Glen's site before as well. He has some good stuff up there. I have found that his scripts don't always work in every environment, but they are very useful if you don’t know where to start.
Also Monad Beta 3.1 is now available for download. You can get the x86 version here.
The Script Center has more information on Monad as well.
You can find the first published book on Monad here.
On March 20, 2006 we released an updated set of rules for EXBPA. Next time you fire up EXBPA you should be notified of this. This will update the rules to 2.11.2.0. You can verify this by clicking on "About the Exchange Server Best Practices Analyzer".
If you have to do a manual download then you can go to: http://go.microsoft.com/fwlink/?LinkId=34290
There are some 50 new rules in this update. One of them really makes me happy: We recommend using StorPort instead of SCSI Miniport drivers. Happy days...
One of the more common events we see in organizations that are migrating to Exchange 2003 from 5.5 is the 9548.
Event Type: Warning
Event Source: MSExchangeIS
Event Category: General
Event ID: 9548
Date: Date
Time: Time
Computer: Computer Name
Description: Disabled user /o=Organization Name/ou=Administrative Group Name/cn=Recipients/cn=Computer Name does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account.
This event occurs when you have a disabled user account that is not configured correctly. The mailbox may not be able to receive mail and the mailbox may not be able to be logged in to by certain users. In the past we had a utility called NoMas.exe that would fix these accounts, but it was a manual process to run it unless you set it up to run at a scheduled time.
The great news is that we have released a Post SP1 hotfix that should make administrators' jobs a little easier. The Post SP2 hotfix is soon to be released.
903158 A hotfix is available to modify the way that Exchange Server 2003 handles a disabled Active Directory user account that is associated with an Exchange Server 2003 mailbox
http://support.microsoft.com/default.aspx?scid=kb;EN-US;903158
You will need to call Microsoft Support to receive the hotfix.
(Kudos to Alex Seigler and others for helping to push this fix through...)
(Edit: The post SP2 version of this hasn't been released yet.)
There has been some confusion as to what number should be put into the MinUserDC registry key if you decide to use it. Most people use this registry key to reduce the load on their PDC emulator (PDCE).
298879 Exchange Server 2003 and Exchange 2000 Server may experience performance problems when the PDC emulator is used for DSAccess
http://support.microsoft.com/default.aspx?scid=kb;EN-US;298879
If you read that article it may seem that setting the number to one less than the total number of DCs in the site might be a good idea. But, what number should you subtract 1 from? If you have other DCs from other domains in the Site, should they be included? Will this limit the total number of DCs that the Exchange uses? What if I figure out that there are 10 DCs available and I set MinUserDC at 9? If I have 1 DC stop working, then won't the PDCE be used? Should I set the number at 8 then? But then, what if 2 go down...?
The easy answer to this is: Don't worry about it. If your overall goal is to not use the PDCE, then set the value to "1". The way this works is that as long as more than one DC is available, we won't ever use the PDCE. Simple enough...
Next time DSAccess goes through and creates the list of DCs available to decide which ones to use, it won't include the PDCE in that list. Unless, of course, there is only one server available then we will use the PDCE if it is the only one still running.
Setting this number to 1 doesn't limit the total number to only 1 DC. (Well, I suppose it would if you only had 2 DCs.) It really is like a switch. If you have the number "X" as the value and we have more than "X" DCs available, the option to use the PDCE is switched off and we don't use the PDCE.
I hope that this makes more sense now.
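To make the "switch" behaviour concrete, here is an added Python model of the rule exactly as this post describes it. It is not DSAccess code, and the DC names are constructed: count the DCs that are available, and if there are more than the MinUserDC value, drop the PDCE from the candidate list; otherwise the PDCE stays eligible.

```python
# Added example: a model of the MinUserDC rule as the post describes it.
# This is not DSAccess code; DC names are constructed placeholders.


def usable_dcs(domain_controllers, min_user_dc=None):
    """domain_controllers: list of dicts with 'name', 'pdce' (bool) and
    'available' (bool). min_user_dc=None models the registry value not set.
    Rule: if more than min_user_dc DCs are available, the PDC emulator is
    left out of the list; otherwise it remains a candidate."""
    available = [dc for dc in domain_controllers if dc["available"]]
    if min_user_dc is not None and len(available) > min_user_dc:
        available = [dc for dc in available if not dc["pdce"]]
    return [dc["name"] for dc in available]


def uses_pdce(domain_controllers, min_user_dc=None):
    """True when the PDCE ends up in the candidate list."""
    pdce_names = {dc["name"] for dc in domain_controllers if dc["pdce"]}
    return bool(pdce_names & set(usable_dcs(domain_controllers, min_user_dc)))


def make_site(total, pdce_index=1, down=()):
    """Constructed site of `total` DCs named DC01..; one is the PDCE and the
    indexes in `down` are unavailable."""
    return [{"name": f"DC{i:02d}", "pdce": i == pdce_index, "available": i not in down}
            for i in range(1, total + 1)]


if __name__ == "__main__":
    site = make_site(10)
    print("key not set:", usable_dcs(site))
    print("MinUserDC=1:", usable_dcs(site, 1))
    print("MinUserDC=9, one DC down:", usable_dcs(make_site(10, down=(5,)), 9))
    print("only the PDCE left, MinUserDC=1:", usable_dcs(make_site(3, down=(2, 3)), 1))
```

The last two calls are the cases the post walks through: with the value set to 9 and one of ten DCs down, the PDCE comes back into use, whereas with the value set to 1 it stays out until the PDCE is literally the only DC left.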
Here is some recommended reading. Ross Smith IV has made another post about the changes in DSProxy that occurred with SP2. He does a very good job of explaining what will happen when you install SP2, but he also mentions that there is a hotfix available to change the behavior back to the way it was with a registry key.
http://blogs.technet.com/exchange/archive/2006/03/17/422350.aspx
You will need to request the hotfix in order for the registry key to have any effect.
As you can see, I don't post much to this blog. There are many reasons for this, but most have to do with the time to post what I consider "quality" posts. However, it seems that most people who read this blog would prefer that I post more often. I actually get email asking for this.
After taking some time to think about this, I have decided to change my postings so that I may be including information that you are already aware of. I will still try to post information every couple of weeks that may be new as well.
Hopefully you will still find it useful.
The article "905872 You cannot limit the file size of the e-mail messages that you want to download in Outlook 2003" doesn't really mention in it that this only applies to IMAP accounts and not MAPI accounts. If you look at the registry key you get an idea that it applies to IMAP though. I submitted a change request to update the article.
I have been asked some questions recently regarding the Cross-site mailbox moves using the native tools in Exchange 2003. I have found a very good explanation from Evan Dodds of what we do in general with Move Mailbox:
Some key points:
Users don’t have to be logged out of the mailbox during a mailbox move.
You should stop the ADC before doing a move mailbox in a mixed mode site or Routing Group.
You don’t have to stop the ADC for Cross-site moves, however. This includes cross-site mixed mode as well.
Please read the above entry for more great information regarding Move Mailbox in general.
If you use Perfmon, it can get really old looking at all of the vertical lines in the graphs. Here is a tip that will revert back to the old view we had in the NT4 days.
283110 Vertical lines are displayed in the Sysmon tool that obscure the graph view
http://support.microsoft.com/default.aspx?scid=kb;EN-US;283110
Also, if you would rather see that you have 2,000,000 MB of RAM instead of 2000000, you can add another registry key that adds the commas.
300884 HOW TO: Display Comma Separators in the Windows Performance Tool in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;300884
So, it's been a while since I have posted. I've been on ICL and this time I actually took the whole month off to spend time with my new son instead of working...
The Exchange Group has released a new Config XML file for EXBPA (2.9.0.1). When you fire up EXBPA you will see a message that it is available. Paul Bowden sent out a list of some of the new rules that we check for. I have extracted some that I am most excited about:
Internally at Microsoft, we have had these things called "Exchange Technical Bulletins" that were organized by Nino Bilic. These nuggets of information were very useful and I have gone back to them many times to look for things that I had forgotten. For us they worked well, but they weren't available to our customers because they really just weren't "customer-ready". Now, they are being ported over to a customer friendly format and will be available publicly.
http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx
Keep checking for updates since there is a lot of content that still has to be converted... There isn't an RSS feed on the page yet.
Exchange 2003 SP2 was released to the Web early this morning.
It's a good idea to install this (after a backup and testing) as there are a number of fixes in this as you can see by looking at the fix list at KB article 906669. If you look at the list you will see a lot of articles that seem to apply to Exchange 2000 and not 2003. Actually, this usually means that the fix was released for Exchange 2000 before it was ported to Exchange 2003. So the article still says Exchange 2000, but applies to Exchange 2003 as well.
Also it would be a really good idea to take a look at the "Read Me" notes at http://support.microsoft.com/kb/906671. You will see that if you are looking to enable the new feature Sender ID on your server you will want to get the Windows 2003 hotfix for the SMTP service. Otherwise the server could stop responding. Unfortunately, until Windows 2003 SP2 is released you will need to call Microsoft for this fix. I know you wish it was available for download publicly... The good news is that you shouldn't get charged for the support call.
The new feature to enable or disable MAPI access per user is a neat feature if you want to limit people to only being able to access in cached mode. The downside is that doing this for every user using ADSIEdit can get old really quick. Here is a tip:
And as always, running the newest version of EXBPA after the install would be a great idea.
Update: Corrected link to http://support.microsoft.com/kb/906671
There is an article out there that addresses the issue that some of our customers are seeing:
828764 "Event 8197" Error Message Is Logged Repeatedly in the Application Event
http://support.microsoft.com/?id=828764
It says that if you are getting this, there is a good chance that Exchange is trying to authenticate against a GC that doesn't have a trust with the domain that your Exchange 5.5 service account is in. But... How do you verify this? Can you just look at the DSAccess tab on the Exchange server? No. As Jasper Kuria states in his post at http://blogs.technet.com/exchange/archive/2005/07/29/408394.aspx, in this instance we don’t look at the output from DSAccess. This is authentication, not an LDAP call. In this case we look at the same GC that you would get if you were to run “nltest /dsgetdc: /gc”. If you are getting 8197s on your Exchange servers, you can run this and see if you are getting a GC in another domain that doesn’t have an explicit trust with the domain that the Exchange 5.5 service account is in. In fact, if you have auditing on and look at the GC’s security logs you may see something similar to the following:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date:
Time:
User: NT AUTHORITY\SYSTEM
Computer: <GC Server Name>
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: <Exchange 5.5 Service Account>
Source Workstation: <Exchange 2003 server>
Error Code: 0xC0000064
At the moment there are two workarounds:
Hopefully this will help someone else who is seeing this...
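As an added example (not Exchange or Windows code), the Python below parses a 680 Failure Audit in the layout shown above and checks the GC's domain against a trust table for the domain of the Exchange 5.5 service account. The event values, the GC-to-domain map and the trust table are constructed placeholders; 0xC0000064 is STATUS_NO_SUCH_USER, meaning the account is unknown to the DC that was asked to authenticate it.

```python
# Added example (not Exchange or Windows code): parse a 680 Failure Audit from
# a GC's security log and decide whether it fits the 8197 trust pattern. The
# event text, the GC-to-domain map and the trust table are all constructed.
import re

SAMPLE_680 = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 9/1/2005
Time: 08:15:02
User: NT AUTHORITY\\SYSTEM
Computer: GC02
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: svc-ex55
Source Workstation: EXCH01
Error Code: 0xC0000064
"""

STATUS_NO_SUCH_USER = "0xC0000064"  # the account is unknown to the authenticating DC

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

# Constructed inventory: which domain each GC belongs to, and which domains
# each domain has an explicit trust with (none here, which is the problem case).
GC_DOMAINS = {"GC01": "contoso.example", "GC02": "fabrikam.example"}
TRUSTS = {"contoso.example": set(), "fabrikam.example": set()}
SERVICE_ACCOUNT_DOMAIN = "contoso.example"


def parse_event(text):
    """Turn the 'Field: value' lines of an event into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def diagnose(event, gc_domains, trusts, service_account_domain):
    """Return None for events that are not a 680 with STATUS_NO_SUCH_USER;
    otherwise say whether the GC's domain lacks a trust with the service
    account's domain, which is the situation KB 828764 describes."""
    if event.get("Event ID") != "680":
        return None
    if event.get("Error Code", "").upper() != STATUS_NO_SUCH_USER.upper():
        return None
    gc = event.get("Computer")
    gc_domain = gc_domains.get(gc)
    trusted = (gc_domain == service_account_domain
               or service_account_domain in trusts.get(gc_domain, set()))
    return {
        "gc": gc,
        "gc_domain": gc_domain,
        "account": event.get("Logon account"),
        "source": event.get("Source Workstation"),
        "suspect_missing_trust": not trusted,
    }


if __name__ == "__main__":
    print(diagnose(parse_event(SAMPLE_680), GC_DOMAINS, TRUSTS, SERVICE_ACCOUNT_DOMAIN))
```

The GC-to-domain map is the piece you would fill from the output of the nltest command mentioned above; the point of the check is simply that the authenticating GC, not the DSAccess list, is what has to be able to resolve the service account.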
Just read this in the news: We are releasing SP2 for Office 2004 for Mac today. This includes much needed fixes to Entourage, the Exchange client for Mac.
http://www.microsoft.com/presspass/press/2005/sep05/09-20EnhancedEntourage2004PR.mspx
It is available at http://www.microsoft.com/mac now.
If you have Entourage clients, you will want to make sure you have the fix at http://support.microsoft.com/kb/888619 installed on your Exchange Server 2003. (Edit - SP2 is up there now...)
Here are some things brought out in the document:
This is really just a small part of the great information in the release notes. I strongly encourage you to read it because it is an interesting read.
When running Exchange Best Practices Analyzer (EXBPA) you may get a report saying “The number of free page table entries is low, which can cause system instability”. This may be incorrect if you are running Windows 2003 but don’t have Windows 2003 SP1 installed. The issue is that EXBPA uses the Perfmon counter for Free System Page Table Entries (FreeSysPTEs) and that counter could be wrong.
894067 The Performance tool does not accurately show the available Free System Page Table entries in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;894067
This was resolved in Windows 2003 SP1. If you don’t have the ability to install SP1 yet and want to know what the real value is, you could follow the directions in KB article 894067. That article recommends getting the tool LiveKD from Sysinternals. Now... should you do this on a mailbox server that is in production? How familiar are you with live kernel debugging? Never done it before? Then I would stick to seeing if I could get the Service Pack installed instead.
It looks like Paul Flaherty has updated the Microsoft Platform Support Reporting Utility (MPSReports) for Exchange. We have had this utility available for some time at this location, but the new version is not up there yet. You can download the new version here. The name of the file is MPSRPT_Exchange.zip.
Some of the things it does:
An older version is still online at the downloads site, but if you have an issue and need support, the new version may be the tool that you will want to run to collect information.