Address Book Synchronization error on Office Communicator 2007

by Shijaz Abdulla on 21.05.2008 at 10:19


After installing the Office Communications Server 2007 (OCS), if your users get an Address book synchronization error, it is probably because they are not able to access the Address Book shared folder that you created during the OCS setup.

Make sure you have verified the configuration as per KB938286.

On the client machine, try to browse to https://<OCS POOL FQDN>/Abs/Int/Handler. Take care to use the OCS Pool FQDN and not the server FQDN or IP address. Make sure that your browser does not report any certificate errors. If it does, you need to fix the certificate problem first:

  1. If the root CA certificate is not installed on the client machine, install it.
  2. If the common name of the certificate does not match the OCS Pool FQDN you browsed to, you need to re-issue the certificate so that it contains your OCS Pool FQDN. This can be done by running OCS Setup and selecting the option to issue a certificate. Make sure you apply the certificate.

Once you have ironed out all the certificate errors, Internet Explorer should no longer report any when you navigate to the above URL. Sign out and sign in to Communicator 2007. You should be able to search the Address Book, and the exclamation mark on the OCS icon should vanish.
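The browser test above can be scripted so that the result is recorded instead of read off a dialog. The following PowerShell script is an added example, not part of the original post or of OCS itself: it requests the Address Book handler URL on the pool FQDN, captures the certificate the server presents together with the outcome of Windows certificate validation, and then reports whether the subject CN matches the pool FQDN. `$PoolFqdn` is a placeholder you must replace; the script assumes PowerShell 2.0 or later on the client that shows the error.

```powershell
# Added example: check the OCS Address Book URL the way Communicator does.
# $PoolFqdn is an assumed placeholder; use the pool FQDN, not a server name.
$PoolFqdn = 'ocspool.mydomain.com'
$url = "https://$PoolFqdn/Abs/Int/Handler"

$script:validationOk = $false
$script:certSubject  = ''

# Record the certificate and the validation verdict. Returning $true here only
# lets this diagnostic request continue; it does not change what Communicator does.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    $script:certSubject  = $cert.Subject
    $script:validationOk = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
    return $true
}

try {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.UseDefaultCredentials = $true     # the handler is Windows-authenticated
    $resp = $req.GetResponse()
    "HTTP {0} from {1}" -f [int]$resp.StatusCode, $url
    $resp.Close()
} catch [System.Net.WebException] {
    "Request failed: " + $_.Exception.Message
} finally {
    # Always put the default validation behaviour back.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

"Certificate subject     : $certSubject"
"Certificate validation  : $validationOk"
if (-not $validationOk) {
    "Validation failed: install the root CA on this client or re-issue the certificate."
}
if ($certSubject -notmatch ('CN=' + [regex]::Escape($PoolFqdn))) {
    "Subject CN does not contain $PoolFqdn: re-issue the certificate for the pool FQDN."
}
```

Run it from the client that shows the synchronization error. A 401 response is acceptable for this purpose; what matters is that validation passes and the CN line is clean.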

Error opening Address Book in Outlook Web Access

by Shijaz Abdulla on 08.04.2008 at 12:30

While trying to open Outlook Web Access hosted on an Exchange Server 2007 Client Access Server, I get an error stating that Outlook Web Access could not connect to Active Directory, followed by a detailed stack trace:

Request Url: https://owaURL/owa/forms/premium/DirectoryView.aspx?ae=AddressList&t=Recipients&a=
User host address:
User: someone
EX Address: /o=MYORG/ou=MYOU/cn=RECIPIENTS/cn=SOMEONE
SMTP Address:
someone@mydomain.com
OWA version: 8.0.685.24
Mailbox server: mail.mydomain.com

My initial search fetched Microsoft KB article 919166, which deals with exactly the same problem. However, unlike the conditions mentioned in the article, the locale on my domain controller and Exchange servers is the same, and my domain controller has Windows Server 2003 Service Pack 2, which supersedes the mentioned hotfix.

So I called Microsoft, and it turned out to be more closely related to KB886683 and to what happens while OWA queries the Global Catalog. To fix the problem:

1. Open ADSIEDIT.
2. Navigate to CN=Configuration, CN=Services, CN=Windows NT, CN=Directory Service
3. Right click on CN=Directory Service and choose Properties.
4. Edit the multi-valued attribute msDS-Other-Settings
5. If you see the string value DisableVLVSupport=1, remove it, then add DisableVLVSupport=0 in its place. Click OK all the way out.

Replicate the changes across all your domain controllers. You should now be able to open your address book.
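The same edit can be made, and first checked, from PowerShell with ADSI. This is an added example, not from the original post: it reads the multi-valued msDS-Other-Settings attribute on CN=Directory Service in the Configuration partition, and only if the DisableVLVSupport=1 string is present does it delete that value and append DisableVLVSupport=0, which is what the ADSIEDIT steps do by hand. It assumes a Domain Admin session on a domain-joined machine.

```powershell
# Added example: inspect and correct DisableVLVSupport in msDS-Other-Settings.
# Assumes Domain Admin rights; the config NC is discovered from RootDSE.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Get('configurationNamingContext')
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

$settings = @($dsObject.'msDS-Other-Settings')
"Current msDS-Other-Settings:"
$settings | ForEach-Object { "  $_" }

$disabled = $settings | Where-Object { $_ -eq 'DisableVLVSupport=1' }
if ($disabled) {
    # Multi-valued attribute: delete the old string, append the corrected one.
    $dsObject.PutEx(4, 'msDS-Other-Settings', @('DisableVLVSupport=1'))   # 4 = ADS_PROPERTY_DELETE
    $dsObject.PutEx(3, 'msDS-Other-Settings', @('DisableVLVSupport=0'))   # 3 = ADS_PROPERTY_APPEND
    $dsObject.SetInfo()
    "Replaced DisableVLVSupport=1 with DisableVLVSupport=0; allow replication to reach every DC."
} else {
    "DisableVLVSupport=1 is not present; VLV support is not disabled on this forest."
}
```

Because the attribute lives in the Configuration partition, the change replicates forest-wide on its own; the script reports what it found so you can confirm the value was actually the cause before touching it.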

How to specify the default Address List in OWA

by Shijaz Abdulla on 31.01.2008 at 17:56

By default, Microsoft Outlook Web Access shows all address lists in Active Directory, regardless of the permissions that are set on the address list. To restrict access so that users can only view the address lists that are contained in their own OU, you can configure the msExchQueryBaseDN attribute for the OWA user.

This is particularly useful in an Active Directory environment with a large number of users, where the long list needs to be filtered down to just the relevant recipients.

Here’s how to go about it:

  1. Open ADSIEDIT
  2. Find the user for whom you want to restrict the view and open the properties
  3. Find the msExchQueryBaseDN attribute. Enter the DN of the OU or restricted Address List you want the user to see in OWA. To let the user see all lists again, just clear the field.

To find the DN for the restricted address list you created, open ADSIEDIT and navigate to Configuration > Services > Microsoft Exchange > [Organization Name] > Address Lists container. Here is an example:

CN=My Address List,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MyDomain,DC=com

If you prefer to use the DN of an OU, it would look something like this:

OU=Department,OU=Division,DC=MyDomain,DC=com

If you want to edit msExchQueryBaseDN attribute for a large number of users (entire OU or domain), you can use the ADModify tool.
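As a scripted alternative to ADModify, the following PowerShell is an added example, not from the original post or the ADModify tool: it searches one OU for mailbox-enabled users with a plain DirectorySearcher, shows the current msExchQueryBaseDN for each, and writes the new DN only when `$DryRun` is set to `$false`. `$TargetOu` and `$QueryBaseDn` are placeholders following the DN shapes shown above; the `homeMDB=*` clause is used as the test for a mailbox-enabled user.

```powershell
# Added example: set msExchQueryBaseDN for every mailbox user in an OU.
# $TargetOu / $QueryBaseDn are assumed placeholders; $DryRun = $true only reports.
$TargetOu    = 'OU=Department,OU=Division,DC=MyDomain,DC=com'   # users to change
$QueryBaseDn = 'OU=Department,OU=Division,DC=MyDomain,DC=com'   # what they will see in OWA
$DryRun      = $true

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$TargetOu"
# Mailbox-enabled users carry a homeMDB value; plain accounts do not.
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('msExchQueryBaseDN')

foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties['distinguishedname'][0]
    $current = '(not set)'
    if ($result.Properties.Contains('msexchquerybasedn')) {
        $current = $result.Properties['msexchquerybasedn'][0]
    }
    if ($current -eq $QueryBaseDn) { continue }      # already restricted as required
    "{0}: {1} -> {2}" -f $dn, $current, $QueryBaseDn
    if (-not $DryRun) {
        $user = $result.GetDirectoryEntry()
        $user.Put('msExchQueryBaseDN', $QueryBaseDn)    # clear the attribute instead to show all lists
        $user.SetInfo()
    }
}
```

Run it once with `$DryRun = $true` and check the reported DNs before applying; the search is scoped to the OU, so nothing outside it is touched.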

Upgrading address lists created in Exchange Server 2003

by Shijaz Abdulla on 29.01.2008 at 16:22

EHLO again.

Hope you enjoyed my previous post that explains how to upgrade Exchange 2003 recipient policies for use with Exchange Server 2007.

This post deals with the “art and science” of upgrading Exchange 2003 Address Lists to their Exchange Server 2007 form. I say “art and science” because it can be a little tricky to understand for those who haven't worked much with PowerShell or any scripting/coding environment.

If you click on an address list created by Exchange 2003 in the Exchange Management Console, you will receive the following error:

Unable to edit the specified E-mail address policy. E-mail address policies created with legacy versions of Exchange must be upgraded using the ‘Set-EmailAddressPolicy’ task, with the Exchange 2007 Recipient Filter specified.

Exchange 2003 Address Lists have a recipient filter that is made up of an LDAP filter. Exchange Server 2007, on the other hand, understands only OPATH filters. The trick is to convert the LDAP filter to an OPATH filter, and this needs to be done manually.

I’m going to explain this with the help of an example. Let's open an Address List in Exchange 2003 System Manager and examine the LDAP filter:

(& (& (& (mailnickname=*) ( (& (objectCategory=person) (objectClass=user) (homeMDB=CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com) ) ) ) ))

To refresh our brains, this LDAP filter basically creates an Address list out of all users that have a mailbox in the ‘Mega MailStore’ mailbox store on EXCH01 server.

Before we convert this LDAP filter to OPATH, let's write it in a more readable way:

(&
(&
(&
(mailnickname=*)
( (&
(objectCategory=person)
(objectClass=user)
(homeMDB=CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com)
) )
)
)
)

Now, carefully change all ampersands (&) to -and. The ampersands are placed in prefix fashion in an LDAP filter, but in OPATH it's much simpler: you place -and between the two operands. Similarly, change all equal signs (=) to -eq.

(RecipientType -eq ‘UserMailbox’)
-and
(Database -eq ‘CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com’)

Notice that I have also replaced the property ‘homeMDB’ with ‘Database’. This kind of change is required to convert LDAP property names to OPATH. You can get a complete list of properties here.

So, I arrive at my full command:

Set-AddressList “Mega users” -RecipientFilter { (RecipientType -eq ‘UserMailbox’) -and (Database -eq ‘CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com’) }

The guys at the Microsoft Exchange Team have more to say about conversion from LDAP to OPATH, and it is worth a peek.
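The manual conversion above follows a mechanical pattern, and for lists with several address lists it helps to have it written down as code. The following PowerShell script is an added example, not from the original post or from Exchange: a small recursive-descent reader for the prefix LDAP syntax that emits infix OPATH, maps attribute names through a `$PropertyMap` table (an assumption; extend it from the property list the post links to), and collapses the `objectCategory=person` / `objectClass=user` pair into `RecipientType -eq 'UserMailbox'` exactly as the post does by hand. One detail the hand conversion hides: purportedSearch values can contain unescaped parentheses such as `(EXCH01)`, so the value reader tracks nesting instead of stopping at the first `)`. The sample filter at the bottom is constructed for this example, with `CN=MyOrg` standing in for the organization name.

```powershell
# Added example: convert an Exchange 2003 LDAP recipient filter to OPATH text.
# $PropertyMap is an assumed, partial mapping; unknown attributes are passed
# through unchanged so they stand out for manual review.
$PropertyMap = @{
    'homemdb'      = 'Database'
    'department'   = 'Department'
    'company'      = 'Company'
    'mailnickname' = 'Alias'
}

function Skip-Whitespace {
    while ($script:pos -lt $script:text.Length -and [char]::IsWhiteSpace($script:text[$script:pos])) { $script:pos++ }
}

function ConvertTo-OpathComparison([string]$item) {
    $eq    = $item.IndexOf('=')
    $attr  = $item.Substring(0, $eq).Trim()
    $value = $item.Substring($eq + 1)
    $prop  = $PropertyMap[$attr.ToLower()]
    if (-not $prop) { $prop = $attr }
    if ($value -eq '*') { return "($prop -ne `$null)" }     # presence test
    $escaped = $value.Replace("'", "''")                     # OPATH single-quoted literal
    return "($prop -eq '$escaped')"
}

function Read-FilterNode {
    Skip-Whitespace
    if ($script:text[$script:pos] -ne '(') { throw "Expected '(' at position $script:pos" }
    $script:pos++
    Skip-Whitespace
    $c = [string]$script:text[$script:pos]
    $op = $null
    switch ($c) {
        '&' { $script:pos++; $op = '-and' }
        '|' { $script:pos++; $op = '-or' }
        '!' { $script:pos++; $op = '-not' }
    }
    if ($null -eq $op -and $c -ne '(') {
        # attr=value: the value ends at the ")" that is not inside a nested pair
        $start = $script:pos; $depth = 0
        while ($script:pos -lt $script:text.Length) {
            $ch = $script:text[$script:pos]
            if ($ch -eq '(') { $depth++ }
            elseif ($ch -eq ')') { if ($depth -eq 0) { break }; $depth-- }
            $script:pos++
        }
        $item = $script:text.Substring($start, $script:pos - $start)
        $script:pos++                                        # consume the closing ")"
        return ConvertTo-OpathComparison $item
    }
    # Operator node or a bare "( ... )" group: read children up to the matching ")"
    $children = @()
    while ($true) {
        Skip-Whitespace
        if ($script:text[$script:pos] -eq ')') { $script:pos++; break }
        $children += Read-FilterNode
    }
    if ($op -eq '-and' -and ($children -contains "(objectCategory -eq 'person')") -and ($children -contains "(objectClass -eq 'user')")) {
        # The person/user pair is what Exchange 2007 expresses as a recipient type.
        $children = @($children | Where-Object { $_ -notmatch '^\((objectCategory|objectClass) -eq' }) + "(RecipientType -eq 'UserMailbox')"
    }
    if ($op -eq '-not') { return "(-not $($children[0]))" }
    if ($children.Count -eq 1) { return $children[0] }      # (& (x)) and ( (x) ) both reduce to x
    return '(' + ($children -join " $op ") + ')'
}

function Convert-LdapToOpath([string]$ldap) {
    $script:text = $ldap
    $script:pos  = 0
    return Read-FilterNode
}

# Constructed sample, shaped like the purportedSearch value of an E2003 address list.
$sample = '(& (& (& (mailnickname=*) ( (& (objectCategory=person) (objectClass=user) (homeMDB=CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=MyOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com) ) ) ) ))'
Convert-LdapToOpath $sample
```

For the sample, the output contains the same two conditions the post arrived at (the Database DN and RecipientType -eq 'UserMailbox'), plus an `Alias -ne $null` presence test from the mailnickname clause that you can drop. Treat the output as a draft: paste it into the -RecipientFilter of Set-AddressList and check the resulting membership against the old list before removing anything.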

Upgrading recipient policies created in Exchange 2003

by Shijaz Abdulla on 29.01.2008 at 15:19

After installing Exchange Server 2007 Mailbox server into an Exchange Server 2003 organization, you open Exchange Management Console and navigate to Organization Configuration > Hub Transport > Email Address Policies.

You find all the legacy recipient policies that you created in Exchange 2003 over here, but when you try to edit a recipient policy, you get the following error:

Unable to edit the specified E-mail address policy. E-mail address policies created with legacy versions of Exchange must be upgraded using the ‘Set-EmailAddressPolicy’ task, with the Exchange 2007 Recipient Filter specified.

So just how do you fix your email address policy? Yup, you will need to use Exchange Management Shell, no matter how much you hate it.

First, let's fix the Default Policy using the Set-EmailAddressPolicy cmdlet:

Set-EmailAddressPolicy “Default Policy” -IncludedRecipients AllRecipients

Hit ‘Y’ when you are asked to confirm the upgrade.
If you have additional recipient policies, you need to upgrade them as required. One important thing to remember is that, in Exchange 2007, e-mail address policies (recipient policies) can filter only on the following fields:

  • Department
  • Company
  • CustomAttribute1, CustomAttribute2, … , CustomAttribute15

In Exchange 2003, it was possible to define recipient policies from complex LDAP queries, but I see that kind of flexibility is unavailable in Exchange Server 2007. For instance, in Exchange Server 2003, you could create a recipient policy for all users who have mailboxes in a particular mailbox store.

Anyway, let's upgrade our policy using one of the available tactics, say, based on Department. If I have an Exchange 2003 recipient policy that gives all users from the sales department email addresses of the form @sales.mydomain.com, my Set-EmailAddressPolicy command would look like this:

Set-EmailAddressPolicy “Sales Dept Recipient Policy” -ConditionalDepartment ‘Sales’ -IncludedRecipients AllRecipients

Note that I do not need to specify the email address format for upgrading the recipient policy.
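When an organization has more than a couple of legacy policies, it is worth listing which ones still need upgrading before typing each command. The following Exchange Management Shell script is an added example, not from the original post: it walks Get-EmailAddressPolicy, skips policies already on an Exchange 2007 filter, and for the two simple cases in this post (the everybody filter and a single department test) shows or runs the corresponding Set-EmailAddressPolicy. It assumes the `RecipientFilterType` and `LdapRecipientFilter` properties returned by Get-EmailAddressPolicy in Exchange 2007 (confirm with `Get-EmailAddressPolicy | Format-List` on your build), and that the legacy filter of the Default Policy is `(mailnickname=*)`, which is what Exchange 2003 creates; any other LDAP filter is reported for manual mapping.

```powershell
# Added example: report and upgrade legacy e-mail address policies.
# $DryRun = $true only prints the intended command; set $false to apply.
$DryRun = $true

foreach ($policy in Get-EmailAddressPolicy) {
    if ($policy.RecipientFilterType -ne 'Legacy') {
        "{0}: already upgraded ({1})" -f $policy.Name, $policy.RecipientFilterType
        continue
    }
    $ldap = $policy.LdapRecipientFilter

    # Everybody: the Exchange 2003 default filter is a bare mailnickname presence test.
    if ($ldap -match '^\(mailnickname=\*\)$') {
        "{0}: Set-EmailAddressPolicy -IncludedRecipients AllRecipients" -f $policy.Name
        if (-not $DryRun) {
            Set-EmailAddressPolicy $policy.Identity -IncludedRecipients AllRecipients -Confirm:$false
        }
        continue
    }

    # One department test, e.g. (&(mailnickname=*)(department=Sales)).
    if ($ldap -match '\(department=([^)]+)\)') {
        $dept = $matches[1]
        "{0}: Set-EmailAddressPolicy -ConditionalDepartment '{1}'" -f $policy.Name, $dept
        if (-not $DryRun) {
            Set-EmailAddressPolicy $policy.Identity -ConditionalDepartment $dept -IncludedRecipients AllRecipients -Confirm:$false
        }
        continue
    }

    "{0}: LDAP filter needs manual mapping: {1}" -f $policy.Name, $ldap
}
```

Policies that the script reports for manual mapping are the ones built on attributes outside the Department, Company and CustomAttribute set above; those need a redesign, not just a syntax conversion.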

When Setup fails: Exchange Server 2007 Mailbox Server Role

by Shijaz Abdulla on 28.01.2008 at 20:14

I went ahead to install the mailbox server role on one of the brand new servers commissioned for Exchange Server 2007.

The prerequisite checks went OK, and Setup began doing the ‘real stuff’. Happiness was short-lived, because towards the end Setup reported that it had failed. The following error was thrown:

An unexpected error has occurred and a Watson dump is being generated: The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error. It was running command ‘$error.Clear(); $count=0; $ExchangeServers = Get-ExchangeServer -DomainController $RoleDomainController; foreach($server in $ExchangeServers) { if(($server.AdminDisplayVersion.Build -gt 641) -and ($server.IsMailboxServer -eq $true)) { $count++; } } if( $count -eq 1) { Set-OrganizationConfig -DomainController $RoleDomainController; }’.

I closed the Setup program and tried to assess what had been done. I could see that the Exchange Management Console and Exchange Management Shell had been installed and that I could open both, but I could not edit the existing address lists or recipient policies from the Exchange Management Console.

Upon further investigation, it dawned on me that Exchange Server 2007 does not use LDAP filters for recipient policies! It uses OPATH instead. How to make this change from LDAP to OPATH filters will be discussed in another post, but in order to make this change I need setup to complete successfully, otherwise I get an error that the Address List service is not responding. Now we have a deadlock situation.

We can trick Exchange 2007 Setup into believing that the filter is alright by removing the parentheses “(“, “)” and ampersand “&” symbols from the filter. To do this:
  • Open ADSIEDIT
  • Navigate to CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=, CN=Recipient Policies
  • You will find all your Exchange 2000/2003 recipient policies here. Open each and find the purportedSearch attribute. Click Edit to open the value. Note the original value of this field and save it in a notepad file. Then hit the Clear button to change the value to (not set).
  • Do the previous step for each recipient policy
  • Re-run Setup. You will find that setup completes successfully!

The next question is, what do I do with the original values of purportedSearch? I put them back as they were before setup, so that I can upgrade the policies to Exchange 2007 later without disturbing the current Exchange 2003 users.
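Because the procedure depends on getting every original purportedSearch value back afterwards, it is safer to have a script do the copying than a notepad file. The following PowerShell is an added example, not from the original post: in Backup mode it exports the DN and purportedSearch of every object under the Recipient Policies container to a CSV; in Clear mode it refuses to run without that file and then clears the attribute on each policy; in Restore mode it writes the saved values back. `$OrgName` and `$BackupFile` are placeholders, and the script assumes an account with write access to the Exchange configuration container.

```powershell
# Added example: back up, clear and restore purportedSearch on legacy policies.
# $OrgName and $BackupFile are assumed placeholders; choose $Mode before running.
$OrgName    = 'MyOrg'                          # your Exchange organization name
$BackupFile = 'C:\purportedSearch-backup.csv'
$Mode       = 'Backup'                         # 'Backup', 'Clear' or 'Restore'

$configNc  = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$container = [ADSI]"LDAP://CN=Recipient Policies,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNc"

switch ($Mode) {
    'Backup' {
        $rows = foreach ($policy in $container.psbase.Children) {
            New-Object PSObject -Property @{
                DistinguishedName = [string]$policy.distinguishedName
                PurportedSearch   = [string]$policy.purportedSearch
            }
        }
        $rows | Export-Csv -Path $BackupFile -NoTypeInformation
        "Saved {0} policies to {1}" -f @($rows).Count, $BackupFile
    }
    'Clear' {
        if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; run Backup mode first." }
        foreach ($policy in $container.psbase.Children) {
            # Equivalent to the Clear button in ADSIEDIT: the value becomes (not set).
            $policy.psbase.Properties['purportedSearch'].Clear()
            $policy.psbase.CommitChanges()
        }
        "Cleared purportedSearch on all policies; re-run Setup now."
    }
    'Restore' {
        foreach ($row in Import-Csv $BackupFile) {
            if (-not $row.PurportedSearch) { continue }         # was already empty
            $policy = [ADSI]"LDAP://$($row.DistinguishedName)"
            $policy.Put('purportedSearch', $row.PurportedSearch)
            $policy.SetInfo()
        }
        "Restored original filters from $BackupFile."
    }
}
```

Run Backup, then Clear, then Setup, then Restore, and keep the CSV until the policies have been upgraded to OPATH filters; the restored LDAP filters are what keep the existing Exchange 2003 users working in the meantime.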