One corrupted mailbox can have the potential to disrupt service by taking down the entire information store, thereby affecting all users on that server. Mailbox quarantine has been introduced in Exchange Server 2010 to help prevent this situation.

What is Mailbox Quarantine?

Mailbox quarantine is a feature in the Exchange Server 2010 information store. Based on values in the registry, the store detects a mailbox or mailboxes that have the potential to or have caused the store to crash and quarantines them for specific period. The mailboxes that have the potential to crash the store are called Poisoned mailboxes.

When does quarantining happen?

Quarantining of mailboxes can occur in two situations:

• A thread that is doing work for a mailbox has crashed.
• More than 5 threads allocated to process a mailbox, have not progressed for long time.

How does it work?

The store will tag a mailbox that has the potential to crash the store. The tag includes the number of times that mailbox has caused the store to crash and a time stamp. If the store is crashed by a mailbox, a registry key is created. The path to the registry key is:

HKLM\SYSTEM\CCS\Services\MSexchangeIS\Servername\Private-dbguid\Quarantined Mailboxes\ {Mailbox GUID}

It will have the following two values:

• CrashCount – The number of times the mailbox has crashed the store.
• LastCrashTime – The last time the mailbox crashed the store.

The key is not created until the store has been crashed at least one time by a mailbox.

Each time a database is mounted, the store checks the registry to see if any mailboxes hosted on this particular database is tagged. If the registry indicates that a mailbox has caused the store to crash the mailbox will be quarantined.

By default, if a mailbox has been identified as a threat 3 times in 2 hours then that mailbox will be quarantined for 6 hours.

These default settings can be modified by creating the following key:

HKLM\SYSTEM\CCS\Services\MSexchangeIS\ParameterSystem\Servername\Private-dbguid\Quarantined Mailboxes

Using the following values:

• MailboxQuarantineCrashThreshold – The number of times a mailbox can be identified before the store quarantines it.
• MailboxQuarantineDurationInseconds – The number of seconds a mailbox remains in quarantine before the store releases it.

These two values do not exist by default. They should be created only if there is a need to change the default behaviour.

A background process in the store runs every 2 hours (this default can’t be changed) to check the registry values for each mounted database. The store checks the CrashCount and LastCrashTime values and performs any of the following four actions:

• If all tagged mailboxes have a CrashCount value less than the MailboxQuarantineThreshhold (default value of 3) in the last 2 hours, then the dbguid registry value for the mailbox located at HKLM\SYSTEM\CCS\Services\MSexchangeIS\Servername\Private-dbguid\Quarantined Mailboxes is deleted.
• If a tagged mailbox has a CrashCount is greater than the value MailboxQuarantineThreshhold (default value of 3) and a mailbox is not quarantined then the mailbox will be quarantined immediately.
• If a mailbox has been quarantined longer than the default 6 hours or the time specified in the value MailboxQuarantineDurationInSeconds then it will be released immediately.
• If a mailbox is quarantined for less than the default six hours or time specified in the value MailboxQuarantineDurationInSeconds then it will remain quarantined.

What happens when clients try to access a quarantined mailbox?

When a client attempts to access a mailbox the following occurs:

1. The store will return an error code ecMailboxQuarantined and based on this, XSO throws the transient exception MapiExceptionMailboxQuarantined to signal transport and other XSO clients

2. Every 5 minutes transport tries to deliver message sent to a quarantined mailbox

3. Outlook clients see the following pop up when they try to access a quarantined mailbox

4. OWA displays the following pop up error message when trying to access a quarantined mailbox

Only clients such as MFCMAPI that can pass Open-As-Admin flag can access a mailbox while it is in quarantined state. Even Exchange processes such as content indexing and mailbox assistants cannot access the mailbox.

For example, a move mailbox request will fail with the following pop up error:

Resetting a quarantined mailbox

It is possible to reset a quarantined mailbox by deleting the quarantine registry key for that mailbox located at:

HKLM\SYSTEM\CCS\Services\MSexchangeIS\Servername\Private-dbguid\Quarantined Mailboxes\ {Mailbox guid}.

The database then has to be dismounted and remounted or the IS service restarted for the reset to take effect immediately. Unless the underlying issue is not resolved, the mailbox could crash the store and become quarantined again.

Troubleshooting

Application log

The following event will be logged when a mailbox is automatically quarantined:

Log Name: Application

Source: MSExchangeIS

Event ID: 10018

Task Category: General

Level: Error

Description: The mailbox for user /o=AMERICAS/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=test1 has been quarantined. Access to this mailbox will be restricted to administrative logons for the next 6 hours.

The following event will be logged when a mailbox is automatically removed from the quarantine:

Log Name: Application

Source: MSExchangeIS

Event ID: 10019

Task Category: General

Level: Error

Description: The quarantine of the mailbox for user /o=AMERICAS/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=test1 has expired. Access to the mailbox has been restored.

Shell Command

We can also use the Get- MailboxStatistics cmdlet to see if a mailbox has been quarantined.

Get-MailboxStatistics –identity test1 | FL Isquarantined

Isquarantined : True

Performance Monitor

The store also provides the performance monitor counter: MSExchangeIS Mailbox\Quarantined Mailbox Count. This counter shows the number of quarantined mailboxes on a specific server.

EXTRA

Finally we can used EXTRA to trace data. Select Function from Trace Types and use the tag tagQuarantineMailbox under component Store.

Thanks to Hamza Hassen and Jonathan Runyon for putting all this information together which will help so many of us certainly…

In most environments that plan to implement Exchange 2010, there will probably be an older (legacy) version of Exchange Server running. This document provides information on how Exchange 2003, Exchange 2007, and Exchange 2010 will work together in regards to OWA. If implemented correctly this will provide a single namespace for user access to the Outlook Web App (OWA), regardless of where their mailbox is located.

Because the variations are numerous in customer environments, the steps in this bulletin may not work for every implementation. The steps are tailored for several typical environments and actual steps for configuring this solution may vary.

Planning for Coexistence

Some general planning guidelines for coexistence are as follows:

• Make sure that the Exchange Server 2003 servers are running Service Pack 2 or higher.
• Make sure that the Exchange Server 2007 servers are running Service Pack 2 or higher.
• An Exchange Server 2010 server running the Client Access Server, Hub Transport and Mailbox roles (CAS/HUB/MBX) is present in the Internet-facing site
• Update the main OWA URL to point to the Exchange Server 2010 CAS servers. Consider changing your public DNS records so that the public OWA URL (i.e. mail.contoso.com) points to the new IP address of your Exchange 2010 CAS server, or the virtual IP address of your load-balanced CAS Array.
• Create a legacy URL to point to the Exchange Server 2007 CAS or Exchange Server 2003 FE servers if they exist and make a DNS entry externally to point to the legacy server.
• Create a certificate for the Exchange Server 2010 CAS servers to include the OWA URL, the Legacy URL, and Autodiscover URLs – Other names may be needed for protocols such as IMAP and SMTP.
• Change the External URL setting on the Exchange Server 2007 CAS Server to the legacy URL if applicable
• Update the rules on the firewall/ISA Server to point to the correct locations for Exchange Web traffic.

Single AD Site with Exchange 2007 and Exchange 2010

This scenario is a typical scenario for most of our small to mid-sized customers. Typically, they will have one Active Directory site and the addition of Exchange 2010 into their environment will not change that. If the steps below are followed, users can continue to use their existing URL for OWA. They can also expect to have single sign-on for their OWA users, even if they are on Legacy versions of Exchange.

This is a very clean experience for the users and should help make the migration painless as a user’s learning curve will not be required.

The following list contains the basic instructions for the setup of the single sign-on and a brief explanation of what will happen when a user accesses OWA:

• Change the current owa.company.com address to point to the 2010 internet facing CAS server. The reason for this is that Exchange 2010 CAS server is designed to properly handle requests for legacy mailbox requests. Exchange 2007 can handle requests for 2007 and 2003 but not 2010 so if you want a uniform URL you need to have the 2010 CAS server as the internet facing CAS server.
• Create a legacy.company.com Host record to point to the 2007 CAS server. The reason for this is to be able to have a Host record that can be used by the 2010 CAS server to know the location of the 2007 CAS server that can handle the legacy requests.
• Ensure that the ExternalURL value is populated and the InternalURL value is set to $NULL for the OWA virtual directory on the Exchange Server 2007 CAS that is the target of the redirect. If necessary, use the following command to set this: Set-OwaVirtualDirectory -Identity "CAS_Server_Name\OWA (Default Web Site)" -ExternalURL https://legacy.company.com/owa -InternalURL $NULL.
• Create a SAN certificate that will either have the wildcard entry (i.e. *.contoso.com) or contain subject name entries for owa.contoso.com, legacy.contoso.com and autodiscover.contoso.com (other names may be needed for protocols such as IMAP and SMTP).
• Assign that certificate to the CAS servers. This certificate should be assigned to the 2007 and 2010 CAS servers to prevent any name mismatch certificate warnings. The reason the 2007 CAS servers would need the certificate is because the name that the 2010 CAS servers will be using to access the 2007 CAS servers will be the new legacy name and unless a wildcard certificate was previously used then that name will not be on the certificate.
• On the 2007 CAS server type the following. The following command will turn on FBA, Turn on Basic Authentication, and set the External URL. The reason we are doing this is to ensure the 2007 and 2010 CAS servers have the same Authentication settings and that we add the new External URL so that the 2010 knows where to go with the legacy requests: Set-OwaVirtualDirectory -Identity "CAS_Server_Name\OWA (Default Web Site)" -ExternalURL https://legacy.company.com/owa -FormsAuthentication $True -BasicAuthentication $True.
• On the 2010 CAS server type the following. The following command will turn on FBA, Turn on Basic Authentication, and set the External URL to match what was being currently used by the users: Set-OwaVirtualDirectory -Identity "CAS_Server_Name\OWA (Default Web Site)" -ExternalURL https://owa.company.com/owa -FormsAuthentication $True -BasicAuthentication $True.
• We are also setting the ECP to match OWA because then the single sign-on will continue to work when a 2010 user clicks on the options within OWA: Set-ECPVirtualDirectory -Identity "CAS_Server_Name\ECP (Default Web Site)" -ExternalURL https://owa.company.com/owa -FormsAuthentication $True -BasicAuthentication $True.

What happens when a user logs in?

• A user browses to https://owa.contoso.com/owa then authenticates in the FBA page presented by 2010 External facing CAS server.
• The 2010 CAS server will verify the users AD site/Mailbox Version/External URL set on the 2007 CAS servers in that site in our case https://legacy.cotoso.com/owa.
• CAS2010 will then silently redirect the user’s browser session to https://legacy.contoso.com/owa using a hidden FBA form with the fields populated.  OWA will return a small web page containing a hidden form with the same information as what the user had originally submitted to CAS2010 FBA page (username, password, public/private selector, URL to redirect to after logon) and a submit URL synthesized from URL obtained in step 2, and target Exchange -specific path and query string. The web page will also contain script to automatically submit the form as soon as it is loaded.  This is the last part of the logon process that E2010 CAS will have a role in.
• CAS2007 will consume that hidden form’s data, authenticate the user and:

• Retrieve and render the user’s mailbox data from the Exchange 2007 mailbox server and provide the data view back to the user.  The response will contain an FBA cookie for the legacy namespace, and from that point on all user activity within the session will go to legacy CAS only.
• Or proxy the request to the Exchange 2003 mailbox server and provide the data view back to the user.  The response will contain an FBA cookie for the legacy namespace, and from that point on all user activity within the session will go to legacy CAS only.

Multiple AD Sites with Exchange 2007 and Exchange 2010 (redirect)

In most cases in a 2 internet facing site Environment the users in the internet facing sites would type the name that correlates to the site they are located in but for this example we will assume they did not.

This scenario is typically found in a medium- to large-size company that has multiple Active Directory sites that are not well connected. In this case, you would not want the traffic from a CAS server to return mailbox data from a server in an Active Directory site where the connection is not optimized.
In this case if a user goes to a site where the mailbox is not located and authenticates, the Exchange Server 2010 CAS server would provide a page informing the user to click on a link to take them to the CAS server for the site where the mailbox is located. When the link is clicked, the user will be prompted for authentication again, this time from their local (to the Mailbox server) CAS server. This will not be a single sign-on scenario unless the user accesses the proper link for the site where there mailbox is located.

An explanation of what the user will see follows the instructions to configure the solution:

• As stated above change the current owa.company.com address to point to the 2010 internet facing CAS server. The reason for this is that Exchange 2010 CAS server is designed to properly handle requests for legacy mailbox requests. Exchange 2007 can handle requests for 2007 and 2003 but not 2010 so if you want a uniform URL you need to have the 2010 CAS server as the internet facing CAS server.
• The opposing regional site should already have a unique URL such as regional.company.com. If this is an existing setup the naming should still be in place and there would be no need to Change this.
• Create a SAN certificate that will either have the wildcard entry (i.e. *.contoso.com) or the cert should contain subject name entries for owa.contoso.com, legacy.contoso.com and autodiscover.contoso.com (other names may be needed for protocols such as IMAP and SMTP).
• Make sure that the OWA in the regional site is set for basic Authentication with FBA for OWA and that the external URL value is set correctly similar to the following: Set-OwaVirtualDirectory -Identity "CAS_Server_Name\OWA (Default Web Site)" -ExternalURL https://regional.company.com/owa -FormsAuthentication $True -BasicAuthentication $True.
• On the 2010 CAS server type the following. The following command will turn on FBA, Turn on Basic Authentication, and set the External URL: Set-OwaVirtualDirectory -Identity "CAS_Server_Name\OWA (Default Web Site)" -ExternalURL https://owa.company.com/owa -FormsAuthentication $True -BasicAuthentication $True.
• We are also setting the ECP to match OWA because then the single sign-on will continue to work when a 2010 user clicks on the options within OWA: Set-ECPVirtualDirectory -Identity "CAS_Server_Name\ECP (Default Web Site)" -ExternalURL https://owa.company.com/owa -FormsAuthentication $True -BasicAuthentication $True.

What happens when a user logs in?

• Browse to https://mail.contoso.com/owa. Authenticate in the FBA page presented by 2010.
• The 2010 CAS server will verify the users AD site/Mailbox Version/External URL set on the 2007 CAS servers in that site in our example https://regional.coontoso.com/owa.
• CAS2010 will then provide a redirection page for the user to click a link for https://regional.contoso.com/owa and let them know this is the link they should use. The reason this will occur is because the users are located in a different AD site and they have External Facing CAS servers in that site. This process will be the same whether the other site has 2007 or 2010 CAS servers in the internet facing site.
• After clicking the link the user will get another authentication prompt at the CAS server in the site where the mailbox is located and all of the traffic will then go through the users Local CAS servers.

Multiple AD Sites with Exchange 2007 and Exchange 2010 (proxy)

This scenario could apply in a medium- to large-size company that has multiple Active Directory sites that are well connected. This provides a single namespace for the users to connect to for OWA access and minimizes user confusion.

In this case if a user goes to the published OWA URL and authenticates, the Exchange 2010 CAS server silently proxies to the Client Access Server that is local to their Mailbox server. The user would not be prompted again or redirected to another site for action.

This will generate more network traffic, as the rendered mailbox data will be passed to and from the CAS server in the site where the mailbox is located back to the External facing CAS server. The configuration steps and the user experience explanation follow:

• As stated above change the current owa.company.com address to point to the 2010 internet facing CAS server. The reason for this is that Exchange 2010 CAS server is designed to properly handle requests for legacy mailbox requests. Exchange 2007 can handle requests for 2007 and 2003 but not 2010 so if you want a uniform URL you need to have the 2010 CAS server as the internet facing CAS server.
• The opposing regional site CAS Servers should not have an External URL value set for the OWA virtual directory they should have just an internal URL value the default values for this are typically fine.
• Create a SAN certificate that will either have the wildcard entry (i.e. *.contoso.com) or the cert should contain subject name entries for owa.contoso.com, legacy.contoso.com and autodiscover.contoso.com (other names may be needed for protocols such as IMAP and SMTP).
• Assign that certificate to the 2010 CAS servers.
• Make sure that the OWA in the regional site is set for integrated Authentication for OWA using a command similar to the following on the 2007 non internet facing CAS server. The reason for this is because we will be using integrated authentication for requests that are proxied to this server from the Exchange 2010 CAS server. This is the same process as in Exchange 2007: Set-OwaVirtualDirectory -Identity "CAS_Server_Name\OWA (Default Web Site)" –ExternalURL $Null –formsAuthentication $False –WindowsAuthentication $true.
• On the 2010 CAS server type the following. The following command will turn on FBA, Turn on Basic Authentication, and set the External URL: Set-OwaVirtualDirectory -Identity "CAS_Server_Name\OWA (Default Web Site)" -ExternalURL Https://owa.company.com/OWA -FormsAuthentication $True -BasicAuthentication $True.
• We are also setting the ECP to match OWA because then the single sign-on will continue to work when a 2010 user clicks on the options within OWA: Set-ECPVirtualDirectory -Identity "CAS_Server_Name\ECP (Default Web Site)" -ExternalURL Https://owa.company.com/OWA -FormsAuthentication $True -BasicAuthentication $True.
• 7. From the External facing 2010 CAS server go to the 2007 server and copy the latest set of binary files to the 2010 server (every time a rollup is placed on the 2007 CAS servers this process will need to be redone). The reason for this is when you are being proxied the External facing 2010 server has to present the rendered data to the users. Since they are legacy users we need to have a comparable copy of the binary files based on the Exchange Rollup they are on:

• From the 2010 CAS server go to START then RUN then type something similar to \\2007cas\c$\program files\microsoft\Exchange Server\Client Access\OWA.
• Copy the Highest version of the build files from that location and paste them on the internet facing 2010 CAS server in the location similar to the following c:\program files\Microsoft\Exchange Server\V14\ClientAccess\OWA.
• Then restart IIS on the 2010 CAS server and this should allow proxying to work. If the wrong files are copied or this step is not completed you will see an error on the 2010 external facing CAS servers in the application log telling you to copy the files.

What happens when a user logs in?

• Browse to https://owa.contoso.com/owa. Authenticate in the FBA page presented by 2010.
• The 2010 CAS server will verify the users AD site/Mailbox Version/External URL set on the site where the user is located.
• There will not be an External URL Value set on the site where the user is located, so the user will be authenticated via Proxy using integrated authentication over the internal URL.
• The 2007 non internet facing server will render the data and pass that along to the 2010 server to pass along to the user. The 2010 internet facing CAS server will NOT be out of the loop in this case.

Exchange 2010 and Exchange 2003 within a Single Site or Cross Site

The scenario below is for a company that does not have Exchange Server 2007 installed and is migrating or coexisting with Exchange Server 2010 and Exchange Server 2003, only.

The Exchange2003URL value can be found in Active Directory in the following location using ADSIEdit.MSC:

This will allow the Exchange 2010 server to know where to direct the Legacy users so that they can access OWA using the 2010 CAS servers URL. This parameter was added as there is no longer a /exchange virtual directory in Exchange Server 2010, as there was in Exchange Server 2007. 

It is important to understand that Exchange Server 2010 cannot proxy to Exchange Server 2003 Mailbox role servers. Exchange Server 2010 must redirect this traffic.

In this situation you would use the new Exchange2003URL parameter that is configurable via the Exchange Management Shell with the set-OWAVirtualDirectory commandlet explained below:

• Change the current owa.company.com address to point to the 2010 internet facing CAS server. The reason for this is that Exchange 2010 CAS server is designed to properly handle requests for legacy mailbox requests. Exchange 2003 can handle requests for 2003 only. If you want a uniform URL you need to have the 2010 CAS server as the internet facing CAS server.
• Create a legacy URL such as legacy.company.com to point to the 2003 FE server. We need this in place so that we have a URL that we can provide the Exchange 2010 CAS server the proper configuration to find the 2003 FE server.
• On the 2010 CAS server type the following. The following command will turn on FBA, Turn on Basic Authentication, and set the External URL: Set-OwaVirtualDirectory -Identity "CAS_Server_Name\OWA (Default Web Site)" -ExternalURL https://owa.company.com/owa -FormsAuthentication $True -BasicAuthentication $True.
• We are also setting the ECP to match OWA because then the single sign-on will continue to work when a 2010 user clicks on the options within OWA: Set-ECPVirtualDirectory -Identity "CAS_Server_Name\ECP (Default Web Site)" -ExternalURL https://owa.company.com/owa -FormsAuthentication $True -BasicAuthentication $True.
• Configure the Exchange2003URL property on the 2010 CAS server to point to the new Legacy URL. Then new Exchange2003URL value was added to Exchange 2010 as a configurable attribute for the OWA virtual directory to provide a way for Exchange 2010 to know the location to send the 2003 users. In previous versions we used DAVEX for this but since DAVEX was removed we now rely on this property…. The following is an example of how to set this property: set-owavirtualdirectory “2010 CAS server name\owa (default web site)” -exchange2003url https://legacy.company.com/exchange.
• FBA will need to be enabled on the 2003 FE server. The reason for this is because we are passing the credentials from the 2010 CAS server to the 2003 FE server via a hidden form. This is designed to prevent the user from having to authenticate again.

What happens when a user logs in?

• Browse to https://owa.contoso.com/owa. Authenticate in the FBA page presented by 2010.
• The 2010 CAS server will verify the users AD site/Mailbox Version/External URL/ and in this case Exchange2003URL value.
• The 2010 CAS server will then silently redirect the user to the legacy URL and auto-populate the Credentials provided in step one using a hidden FBA Page.
• The 2003 server will then Authenticate the user silently and will provide the data to the user. This process will allow for a single sign on for the legacy users. At this point the 2010 server would be out of the loop.

Thanks to Timothy Heeney, Chris Lineback and Sam Kamau putting together all of this awesome piece of information which will help so many customers in migration processes.

Exchange Server 2007 introduces many new and really well defined recipient types. One of them is the one my customer asked me about. The process to create a Shared Mailbox will create a disable Active Directory user as there is no point to have it - that is not the purpose of this recipient. On the old and still actual days of Exchange Server 2003 or older, when we created a Shared Mailbox  we basically created an Active Directory account with an associated mailbox and those credentials would be shared within who needed to use it. What is the issue here? Security! Was never a good idea to more than one individual login with same credentials. Control on it would be inexistent.

So in Exchange Server 2007 what we have is a mailbox with a disabled user and in a way we can give access to users or distributions lists we just add the proper permissions to the mailbox and it is done.

First of all we need to create our Shared Mailbox and to do that we need to use the Exchange Management Shell!

[PS] C:\>New-Mailbox -Name "mailbox" -Database "database" -UserPrincipalName mailbox@domain.com -Shared

At this stage we have our mailbox created and our active directory user disabled...

However now we need to give the right permissions...

Let's start by giving instructions to the shared mailbox that a few users should have Full Access on it, otherwise won't work. Advice here is do this to a Security Group more than to individual users by the same reasons referred above. Let's do it then to the users on the Sales Team!

[PS] C:\>Add-MailboxPermission "mailbox" -User "user" -Access Rights FullAccess

Almost done but a couple more things to do. At this stage the users on the Sales Team can access totally the mailbox however they still can't send e-mails from the shared mailbox. To do that we need to give them some permissions in Active Directory side...

[PS] C:\>Add-ADPermission "mailbox" -User "user" -ExtendedRights Send-As

At this stage the Sales Users are GOD within the Sales Team Shared Mailbox.

With Exchange Server 2007 Service Pack 1 we can actually setup the Full Access and Send As permissions. Basically we just right click on the Shared Mailbox and add the recipients to the desired permission or just select the account, and on the right hand side of the console you will see the same options.

And that's it!

Exchange Recipients have changed a quite a bit since Exchange Server 2003. With this post I will try to give you an overview of how it works now and eventually a few tips regarding troubleshooting.

Recipient Management

One thing that definitely will make Exchange Administrators life easier is the Recipient Configuration container as it brings such a simplified recipient provisioning for them, such asthe fact that we can split permissions in a single forest, or by other words we have the ability to delegate recipient management to a lower level Administrator as in we will not need to give unnecessary permissions to someone that should just deal with Recipients Management; other ability is we can now create Active Directory objects and mail or mailbox enable them without the need to use Active Directory Users and Computers.

We have improved a lot in terms of scoping as we can now choose between Domain or Forest scoping which basically will allow the Administrator to see only the objects relevant to him, and it can go down to a Organizational Unit level.

Finally seems that Exchange Server was the clear distinctions software starting on the server roles and yes, even here on Recipient Management. We now have very clear and distinct recipient types such as User Mailbox, Room Mailbox, Equipment Mailbox, Linked Mailbox and Shared Mailbox.

There is no longer a need to wait for a recipient to be populated or stamped from Recipient Update Service. Once a user is created from the Exchange Management Console or the Exchange Management Shell, the user is ready to go. If you use the Exchange Management Console for this task, the Edit Email Address Policy wizard will guide you through the process of editing and applying the policy. If you use the Exchange Management Shell, you will use the Set-EmailAddressPolicy cmdlet to edit the policy settings and the Update-EmailAddressPolicy to apply the policy to the intended recipients.

The policy is created with the mailbox now, and once it's created it takes effect immediately for users. For a recipient to receive or send email messages, the recipient must have an email address. Email Address Policies generate the primary and secondary email addresses for your recipients (which include users, contacts, and groups) so they can receive and send e-mail. By default, Microsoft Exchange contains an Email Address Policy that specifies the recipient's alias as the local part of the email address and uses the default accepted domain. The local part of an e-mail address is the name that appears before the at sign (@). For Email Address Policies, you define how the recipients' e-mail addresses will display. For example, you may want to have all of your e-mail addresses display as firstname.lastname@domain.com. In Exchange Server 2007, recipient policies (which were part of Exchange Server 2003) are divided into two separate features: accepted domains and email address policies.

Working With Recipients

In Exchange Server 2007, recipients are comprised of mailbox users, mail-enabled users, mail contacts, distribution groups, security groups, dynamic distribution groups and mail-enabled public folders. In previous versions of Exchange Server, you performed recipient management tasks in Active Directory Users and Computers. You can actually now create Active Directory user accounts from within the Exchange Management Console or Exchange Management Shell when these are mail or mailbox enabled. However, although you can perform all recipient management tasks in the Exchange Management Shell, only some are performed in the Exchange Management Console.

Working With Recipients And Active Directory Users And Computers

Have you ever asked yourself if having Exchange Server 2003 and Exchange Server 2007 in your Exchange Organization and using Active Directory Users and Computers extensions from Exchange Server 2003 to create a mailbox in an Exchange Server 2007 database, would work?

Answer is quite simple... or not. We do not have any way to block creating mailboxes on Exchange Server 2007 from Exchange Server 2007 Active Directory Users and Computers extensions, but it is not supported. There are negative consequences to doing this for the mailbox – principally that Exchange Server 2007 will see this mailbox as a “legacy” mailbox rather than a true Exchange Server 2007 mailbox and that will block various Exchange Server 2007 actions and properties from being edited.

To retrieve and fix all mailboxes wrongly set on the Exchange Server 2007 we need to run the Set-Mailbox -ApplyMandatoryProperties cmdlet. That parameter applies the mandatory properties to the "legacy" mailbox, such as version and type metadata associated with the mailbox. When you apply it a few steps happen:

1. Check whether the mailbox is hosted on Exchange Server 2007 by verifying its ServerLegacyDN (by the prefix “/o=<OrganizationName>/ou=<DefaultAdministrativeGroupName>/”);
2. If it is, we do both of the following things: the ExchangeVersion value is changed to Exchange Server 2007, "0.1 (8.0.535.0)"; the RecipientTypeDetails/RecipientDisplayType is updated according the value of “IsResource/IsLinked/IsShared”;
3. Otherwise, we error out to tell that the task cannot do it because it is hosted on legacy server;

The end result is that the mailbox will have its ExchangeVersion, RecipientTypeDetails, and RecipientDisplayType updated to match reality. When you create a mailbox through Exchange Server 2007 tools, all this process happens automatically. When you create an Exchange Server 2003 mailbox with Exchange Server 2003 tools and move it to Exchange Server 2007, it still happens automatically. However, if you create an Exchange Server 2007 mailbox using the Exchange Server 2003 Active Directory Users and Computers extensions, it will not happen automatically. Run this cmdlet against a mailbox where it's already been run will just reset the values to the same (correct, and presumably current) value, so no problem at all.

Scoping

The default scope for the admin session (whether in the Exchange Management Console or Exchange Management Shell) is what's called Domain Scope. This means that your admin session is configured to talk to a Domain Controler (not to the Global Catalog port, even if it's also a Global Catalog). And it means that your reads/writes will only operate within this Domain's Domain Controlers. This is pretty much how Active Directory Users and Computers snap-in handled scope too. Scope for the admin session only applies to first class objects. If I do Get-Mailbox cmdlet while I'm in Domain Scope, I'll only get back mailboxes (the first class object requested) for the current Domain Scope.

The Forest Scope is a little different. When you're in Forest Scope, the admin session talks to a Global Catalog for all reads (to get the whole Forest view), but does any writes back to a Domain Controller in the appropriate Domain. This is great because it means it's possible to get a view of all mailboxes in the whole Forest, for instance. But it's also bad, because when you're in this mode, replication latency can make things in your view be out of date - since you're reading from a Global Catalog and writing to a Domain Controller in the object's Domain, it's quite possible you won't read the latest data if it has just been changed. So, short version - Forest Scope is great because it lets you see a unified, Forest wide view. But beware of replication latency in some cases.

Administrators can control the scope of recipients shown to be the whole Forest, a whole Domain, or by Organizational Unit within a Domain by using the Modify Recipient Scope context menu of the Recipient Configuration node. Setting your scope controls which recipient objects will be displayed in the Graphic User Interface result panes and also controls which recipient objects will be found by the Graphical User Interface pickers in many cases. For instance, if you configure your scope to be a particular Organizational Unit, then you will only be able to specify this Organizational Unit or one of its children as the target of a new mailbox creation and you will only be able to select a user from this Organizational Unit or one of its children while enabling a mailbox. This can help to reduce the size of the result set you have to filter through while doing administrative tasks if your tasks are easily scoped to a particular part of the directory. In the Active Directory Users and Computers you see objects only under an Organizational Unit Scope, while Exchange Server 2007 Recipient Management allows you to define your scope to be an Organizational Unit, Domain, or even Forest wide increasing administrative flexibility.

$AdminSessionADSettings is a variable exposed by the Exchange Management Shell to allow you to control a number of aspects of the admin session:

1. ViewEntireForest is a boolean (set with $true or $false) that controls whether we're in Forest Scope ($true) or Domain Scope ($false);
2. DefaultScope is the path you're scoped to (i.e. domain.com, domain.com/users, domain.com/users/department). It's ignored if you're in Forest Scope;
3. PreferredGlobalCatalog is how you can hardcode a Global Catalog server to be used for anything that requires it (Forest Scope, and also doing resolution of any global objects you're referencing in the admin session);
4. ConfigurationDomainController is how you can hardcode a configuration Domain Controller;
5. PreferredDomainControllers is how you can configure one (or more) Domain Controllers to be used by the admin session any time as it is required (Domain Scope, or writes while in Forest Scope). This is a multivalued entry, so you can add more than one. If you need a Domain Controler for a Domain where there isn't Domain Controllers specified here, Active Directory Driver will go find one automatically and ignore this list;

The easiest way to manipulate this variable is just like you'd manipulate any other variable. Here's a syntax example:

[PS] C:\Documents and Settings\Administrator>$AdminSessionADSettings.ViewEntireForest = $true

[PS] C:\Documents and Settings\Administrator>$AdminSessionADSettings

ViewEntireForest: True
DefaultScope:
PreferredGlobalCatalog:
ConfigurationDomainController: server1.domain.com
PreferredDomainControllers: {}

Enable/Disable vs New/Remove

In Exchange Server 2007 each mailbox consists of an Active Directory user and the mailbox data that is stored in the Exchange mailbox database. All configuration data for a mailbox is stored in the Exchange attributes of the Active Directory user object. The mailbox database contains the mail data that is in the mailbox associated with the user account. Any of these operations can be done either on Exchange Management Console or Exchange Management Shell.

The Enable and Disable tasks are used against existing objects to remove attributes. When you enable, Enable-Mailbox, a mailbox you are adding Exchange attributes to an existent Active Directory object - mail or mailbox enable. When you disable, Disable-Mailbox, you remove those atributes leaving the mailbox orphan during the retention period after which it will be purged.

The New and Remove tasks need to have windows Account Operator permissions, otherwise the task will fail when trying to perform. Those tasks act directly on the Active Directory objects - mail or mailbox enable. When you create a mailbox, New-Mailbox, you will create a user on the Active Directory and respective mailbox if mailbox enabled or respective external SMTP address if mail enabled. When you remove a mailbox, Remove-Mailbox, you will be actually removing the Active Directory user and leave the mailbox orphan during the retention period, or you can actually through the Remove-Mailbox -Permanent cmdlet purge it with immediately efects. This last operation can only be done through Exchange Management Shell.

Last but not least we have the cmdlet Connect-Mailbox. Use it to connect a disconnected (disabled/removed) mailbox to an Active Directory object. Make sure that mailboxes have been used before at least once otherwise you will not see them here at all.

Email Address Policies

By default, Exchange contains an Email Address Policy for every mail or mailbox enabled user. This default policy specifies the recipient's alias as the local part of the email address and uses the default accepted domain. The local part of an e-mail address is the name that appears before the at sign (@). However you can change how your recipients' email addresses will display. For example, you can specify that your recipients' email addresses display as firstname.lastname@domain.com. Furthermore, if you want to specify additional email addresses for all recipients or just a subset, you can modify the default policy or create additional policies. In Exchange Server 2007, each time a recipient object is modified and saved, Exchange Server 2007 enforces the correct application of the email address criteria and settings. When an Email Address Policy is modified and saved, all associated recipients are updated with the change. In addition, if a recipient object is modified, that recipient's Email Address Policy membership is re-evaluated and enforced.

Exchange Server 2007 brings already some Pre-Canned filters to be used on the creation of Email Address Policies:

• State or Province - Select this check box if you want the Email Address Policy to only include recipients from specific states or provinces. This information is contained on the Address and Phone tab in the recipient's properties;
• Department - Select this check box if you want the Email Address Policy to include only recipients in specific departments. This information is contained on the Organization tab in the recipient's properties;
• Company - Select this check box if you want the Email Address Policy to include only recipients in specific companies. This information is contained on the Organization tab in the recipient's properties.
• Custom - Select this check box if you want the Email Address Policy to include only recipients in specific customized fields you have defined in your users' information. This information is contained on the Organization tab in the recipient's properties. This information will be visible on the Exchange Management Console, however to be edited you need to use Exchange Management Shell.

In addition Email Address Policies once created have to be applied to a set of users, but don’t have to be applied at that very moment. A schedule in the Exchange Management Console allows the Administrator to have the Email Address Policy to take effect after business hours. Exchange Server 2007 has eliminated the asynchronous behavior of the Exchange Server 2003 Recipient Update Service in favor of a more predictable and synchronous provisioning process. Use the Update-AddressList and Update-EmailAddressPolicy Exchange Management Shell cmdlets. To replace the full functionality of Recipient Update Service, you can schedule these Exchange Management Shell cmdlets by using the Task Scheduler in Windows Server 2003.

Mailbox Manager functionality has been separated from Email Address Policies as in Recipient Policies used to be all in one. It has been replaced by Messaging Records Management functionality.

In continuation of my last post, Exchange Recipients, I brought this one to kind of complement a bit more and go deep on the troubleshoot side. Besides that will try to show differences or what we have new since Exchange Server 2003 to Exchange Server 2007.

Mailbox Management Tasks

We can split these ones between the functionalities that we brought from Exchange Server 2003 (even these ones having now Exchange Management Shell cmdlets) and the new ones that we got with Exchange Server 2007. 

New Mailbox

With this one you can use the New Mailbox wizard in the Exchange Management Console or use the New-Mailbox Exchange Management Console cmdlet. To be able to create accounts you must be delegated Exchange Recipient Administrator role and Account Operator role for the applicable Active Directory containers. Administrators can create a new mailbox by creating a new user and mail or mailbox enabling it in one step, or by mail or mailbox enabling an existing user (in this last bit if using Exchange Management Console you use New Mailbox task, if using Exchange Management Shell you should use Enable-Mailbox cmdlet).

Move Mailbox

You can move mailboxes across mailbox databases, servers, domains, sites, and forests. You can also move mailboxes among different versions of Exchange Server 200x. To move mailboxes, you can use either the Move Mailbox wizard in the Exchange Management Console or use the Move-Mailbox Exchange Management Console command. To the specific scenario of moving mailboxes between forests you need to use the Exchange Management Shell.

Remove Mailbox

With this task the Exchange Management Shell cmdlet Remove-Mailbox will delete the user account (however if we use the Exchange Management Shell cmdlet Disable-Mailbox will remove the Exchange atributes between the user account and the mailbox - but at the end any of the cmdlets which can be performed through the Exchange Management Console too make the mailbox account orphan during the retention period, unless you use the Exchange Management cmdlet Remove-Mailbox -Permanent).

Change Mailbox

The properties of a mailbox can be modified from the Exchange Mailbox Console or using the Exchange Management Console cmdlet Set-Mailbox.

The new mailbox management tasks that we got with Exchange Server 2007 have a more staistical focus than the operational one found in the above tasks. These tasks can only be performed through Exchange Management Shell.

Get-LogonStatistics

With this task you can get the open item counts which tell us about the number of messaging operations, progress operations, table operations, transfer operations, total operations and successful Remote Procedure Calls operations. Besides that you can get the number of open attachments, folders and messages and names and identities associated with the database such as server, storage group, and full mailbox directory names. Last but not least you still can get other information such as latency, client version, client address and logon times.

Get-MailboxStatistics

This task can show you the size of the mailbox, number of messages it contains and last time it was accessed.

Get-MailboxFolderStatistics

Finally this one brings you information about the folders in a specified mailbox, including the number and size of items in the folder, the folder name and other information.

Mailbox Access Troubleshoot

We can troubleshoot a mailbox access issue in many ways, some of them known from the past, others not that much such as cmdlets from the Exchange Management Shell. Here are a few examples.

Test-MAPIConnectivity

This Exchange Management Shell cmdlet serves you basically to verify server functionality. It will log on to the mailbox that you specify (using the credentials of the account with which you are logged on to the local computer), or to the system mailbox if you do not specify the -Identity parameter, and retrieve a list of items in the Inbox. Logging on to the mailbox tests two critical protocols that are used when a client connects to a mailbox server: MAPI and LDAP. During authentication, the command indirectly verifies if the MAPI server, Exchange Store, and Directory Service Access are working. After a successful authentication, the command accesses the mailbox to verify that the database is working. If a successful connection to a mailbox is made, the command also determines the time that the logon attempt occurred. You have three levels of granularity here that it can be used through parameters: -Database: will take a database identity and tests the ability to log on to the system mailbox on the specified database; -Identity: will take a mailbox identity and tests the ability to log on to a specific mailbox; and finally -Server: which will take a server identity and tests the ability to log on to each system mailbox on the specified server.

Outlook Logging

Outlook logging can be enabled on the client side from the Outlook client or through the registry. By default the file is created in “\Documents and Settings\<username>\Local Settings\Temp”. The following article explains how to enable this logging: http://support.microsoft.com/kb/831053/en-us.

Network Trace

It is a good idea to reproduce the issue (try to logon from a local computer and see if the problem can be reproduced) while you monitor network traffic, on both the client and the server, at the same time. When you analyze the data, look for retransmits. A retransmit occurs when the client or the server has to send the same packet of information again, typically because the packets are being dropped between the client and the server. Therefore, when you analyze network captures, determine if the client request is actually getting to the server or if the server is responding but the response is lost before the client receives it.

Moving Mailbox

As said before, but it is always great to remember you can move mailboxes across mailbox databases, servers, domains, sites, and forests. You can also move mailboxes among different versions of Exchange Server 200x. To move mailboxes, you can use either the Move Mailbox wizard in the Exchange Management Console or use the Move-Mailbox Exchange Management Console command. To the specific scenario of moving mailboxes between forests you need to use the Exchange Management Shell.

One good thing that Exchange Server 2007 Move Mailbox task brings you is what is called the Pre Validation. Basically Move Mailbox task will perform a series of checks before actually trying to move the mailbox in a way it saves time by identifying errors right away, rather than waiting until they happen during the move process. Those tests will be user existence verification, source and target credential (done by connecting to the server), mailbox size limit against target database, system mailbox moves blocking, failure if source user does not have a mailbox and finaly verification if the target mailbox is mounted.

Administrators can run the validation directly from the Exchange Management Shell cmdlet Move-Mailbox -ValidateOnly. In addition, validation is always executed before a “real” move, i.e. even when running moves using the Exchange Management Console Move Mailbox wizard, a Pre-Validation will be performed and any errors will be reported right away.

Some other advanced options you can use with this Exchange Management Shell cmdlet are: