by
Shijaz Abdulla on 31.01.2008 at 17:56
By default, Microsoft Outlook Web Access shows all address lists in Active Directory, regardless of the permissions that are set on the address list. To restrict access so that users can only view the address lists that are contained in their own OU, you can configure the msExchQueryBaseDN attribute for the OWA user.
In an Active Directory environment with a large number of users where there is a need to filter the long list to just a number of relevant recipients, this is particularly useful.
Here’s how to go about it:
- Open ADSIEDIT
- Find the user for whom you want to restrict the view and open the properties
- Find the msExchQueryBaseDN attribute. Enter the DN for the OU or restricted Address list you want the user to see in OWA. To enable user to see all lists, just clear the field.
To find the DN for the restricted address list you created, open ADSIEDIT and navigate to Configuration > Services > Microsoft Exchange > [Organization Name] > Address Lists container. Here is an example:
CN=My Address List,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MyDomain,DC=com
If you prefer to use the DN of an OU, it would look something like this:
OU=Department,OU=Division,DC=MyDomain,DC=com
If you want to edit msExchQueryBaseDN attribute for a large number of users (entire OU or domain), you can use the ADModify tool.
by
Shijaz Abdulla on 29.01.2008 at 16:22
EHLO again.
Hope you enjoyed my previous post that explains how to upgrade Exchange 2003 recipient policies for use with Exchange Server 2007.
This post deals with the “art and science” of upgrading Exchange 2003 Address Lists to its Exchange Server 2007 form. I say “art and science” because it can be a little tricky to understand for those who havent worked much on Powershell or any scripting/coding environment.
If you click on an address list created by Exchange 2003 in the Exchange Management Console, you will receive the following error:
Unable to edit the specified E-mail address policy. E-mail address policies created with legacy versions of exchange must be upgraded using the ‘Set-EmailAddressPolicy’ task, with the Exchange 2007 Recipient Filter specified. specified.
Exchange 2003 Address Lists have a recipient filter that is made up of an LDAP filter. Exchange Server 2007, on the other hand, understands only OPATH filters. The trick is to convert the LDAP filter to an OPATH filter, and this needs to be done manually.
I’m going to explain this with the help of an example. Lets open an Address List in Exchange 2003 System Manager and examine the LDAP filter:
(& (& (& (mailnickname=*) ( (& (objectCategory=person) (objectClass=user) (homeMDB=CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com) ) ) ) ))
To refresh our brains, this LDAP filter basically creates an Address list out of all users that have a mailbox in the ‘Mega MailStore’ mailbox store on EXCH01 server.
Before we convert this LDAP to OPATH, lets write this in a better way:
(&
(&
(&
(mailnickname=*)
( (&
(objectCategory=person)
(objectClass=user)
(homeMDB=CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com)
) )
)
)
)
Now, carefully change all ampersands (&) to an -and. The ampersands are placed in a prefix fashion in LDAP filter, but in OPATH, its much simpler – you place -and between the two parameters. Similarly, change all equal signs (=) to -eq.
(RecipientType -eq ‘UserMailbox’)
-and
(Database -eq ‘CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com’)
Notice that I have also replaced the property ‘homeMDB’ with ‘Database’. This kind of change is required to convert LDAP property names to OPATH. You can get a complete list of properties here.
So, I arrive at my full command:
Set-AddressList “Mega users” -RecipientFilter { (RecipientType -eq ‘UserMailbox’) -and (Database -eq ‘CN=Mega MailStore (EXCH01),CN=SG01,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com’) }
The guys at Microsoft Exchange Team have more to say about conversion from LDAP to OPATH, and is worth a peek.
by
Shijaz Abdulla on 29.01.2008 at 15:19
After installing Exchange Server 2007 Mailbox server into an Exchange Server 2003 organization, you open Exchange Management Console and navigate to Organization Configuration > Hub Transport > Email Address Policies.
You find all the legacy recipient policies that you created in Exchange 2003 over here, but when you try to edit a recipient policy, you get the following error:
Unable to edit the specified E-mail address policy. E-mail address policies created with legacy versions of Exchange must be upgraded using the ‘Set-EmailAddressPolicy’ task, with the Exchange 2007 Recipient Filter specified.
So just how do you fix your email address policy? Yup, you will need to use Exchange Management Shell, no matter how much you hate it.
First, lets fix the Default policy using the Set-EmailAddressPolicy cmdlet:
Set-EmailAddressPolicy “Default Policy” -IncludedRecipients AllRecipients
Hit ‘Y’ when you are asked to confirm the upgrade.
If you have additional recipient policies, you need to upgrade them as required. One important thing to remember is that, in Exchange 2007, you can specify only from the following ‘filter’ fields, as far as email address policies (recipient policies) are concerned:
- Department
- Company
- CustomAttribute1, CustomAttribute2, … , CustomAttribute15
In Exchange 2003, it was possible to define recipient policies from complex LDAP queries, but I see that kind of flexibility is unavailable in Exchange Server 2007. For instance, in Exchange Server 2003, you could create a recipient policy for all users who have mailboxes in a particular mailbox store.
Anyways, lets upgrade our policy using one of the available tactics – lets say – based on Department. If I have an Exchange 2003 recipient policy that gives all users from the sales department email addresses of the form @sales.mydomain.com, my Set-EmailAddressPolicy command would look like this:
Set-EmailAddressPolicy “Sales Dept Recipient Policy” -ConditionalDepartment ‘Sales’ -IncludedRecipients AllRecipients
Note that I do not need to specify the email address format for upgrading the recipient policy.
by
Shijaz Abdulla on 28.01.2008 at 20:14
I went ahead to install the mailbox server role on one of the brand new servers commissioned for Exchange Server 2007.
The prerequisite checks went OK, and setup began doing the ‘real stuff’. Happiness was shortlived, because, towards the end setup showed that it failed. The following error was thrown:
An unexpected error has occurred and a Watson dump is being generated: The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error. It was running command ‘$error.Clear(); $count=0; $ExchangeServers = Get-ExchangeServer -DomainController $RoleDomainController; foreach($server in $ExchangeServers) { if(($server.AdminDisplayVersion.Build -gt 641) -and ($server.IsMailboxServer -eq $true)) { $count++; } } if( $count -eq 1) { Set-OrganizationConfig -DomainController $RoleDomainController; }’.
I closed the Setup program, and tried to assess what’s been done. I could see that Exchange Management Console and Exchange Management Shell have been installed and that I could open both, but I could not edit the existing address lists or recipient policies from Exchange Management Console.
Upon further investigation, it dawned on me that Exchange Server 2007 does not use LDAP filters for recipient policies! It uses OPATH instead. How to make this change from LDAP to OPATH filters will be discussed in
another post, but in order to make this change I need setup to complete successfully, otherwise I get an error that the Address List service is not responding. Now we have a deadlock situation.
We can trick Exchange 2007 setup into believing that the filter is alright by removing parenthesis “(“, “)”and ampersand “&” symbols from the filter. To do this,
- Open ADSIEDIT
- Navigate to CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=, CN=Recipient Policies
- You will find all your Exchange 2000/2003 recipient policies here. Open each and find the purportedSearch attribute. Click Edit to open the value. Note the original value of this field and save it in a notepad file. Then hit the Clear button to change the value to (not set).
- Do the previous step for each recipient policy
- Re-run Setup. You will find that setup completes successfully!
The next question is, what do I do with the original values of purportedSearch? I put them back as they were before setup, so that I can upgrade the policies to Exchange 2007 later without disturbing the current Exchange 2003 users.
by
Shijaz Abdulla on 07.01.2008 at 10:27
Most administrators think the best way to back up user’s Outlook PST files is to store it on a network share and let Outlook connect to it from a file share or mapped drive. This way all PST files are on a central location and backup is easy. Sounds like a nice strategy, doesn’t it?
Don’t ever do it. Ever.
Why? Here are two good reasons:
1. This can cause your file server to hang!
Believe it or not, the way Outlook access the PST files is aggressive. Let’s take an example. Early in the morning, some user sends out an email to 500 employees in your company. Some of these 500 users may need to extend their PST file in order to accomodate the incoming email message. To extend a PST, an extra allocation on the disk has to be made via NTFS. During this process, the whole volume is locked out while free space is allocated and the Master File Table (MFT) is updated. While this is happening for one user, all I/O for the other 499 users is on hold. This includes other users’ PST files as well as ordinary file shares on the same volume!
Now imagine if each user had multiple PST files! The disks get overloaded and the server suffers from serious performance issues. The queues for writing data to disk build up. This ultimately amounts to a server hang or PagedPool memory depletion!
2. It’s not supported
In case you were thinking – NO, it isn’t supported by Microsoft for you to store PST files on network shares. This restriction is not new, and has been around since Microsoft Exchange 4.0. This means storing PST files on a network share is an unsupported configuration and you will not receive support from Microsoft. For details, see
MSKB article 297019.
Storing PST files on the file server is a very common mistake that administrators make and I thought it would be helpful if I posted it here.
by
Shijaz Abdulla on 20.11.2007 at 09:48
If you are planning on co-existing Exchange Server 2003 backend servers alongside Exchange Server 2007 mailbox servers, you will have the following question lingering in your mind:
But what about Outlook Web Access?
If some of your users have mailboxes on Exchange Server 2003 while others have mailboxes on Exchange Server 2007, and you publish your OWA URL as http://webmail.mycompany/owa, you will notice that Exchange 2003 users get the following error:
Outlook Web Access could not find a mailbox for DOMAIN\USER. If the problem continues, contact technical support for your organization and tell them the following: The mailbox may be stored on a Microsoft Exchange 2000 or Microsoft Exchange 2003 server, or the Active Directory user account was created recently and has not yet replicated to the Active Directory site where this Client Access server is hosted.
The solution is to use the URL http://webmail.mycompany/exchange on the Client Access server. The ‘/exchange’ virtual directory on the Client Access server is able to proxy OWA requests for Exchange 2003 mailboxes to the appropriate Exchange 2003 back end server and the user sees the Exchange 2003 OWA experience. The ‘/exchange’ virtual directory will also automatically redirect OWA requests for Exchange 2007 mailboxes to the ‘/owa’ virtual directory.
For more information, see this post on the Exchange Team blog.
by
Shijaz Abdulla on 14.11.2007 at 10:23
I have finally completed building the servers required for my Exchange 2007 test lab. I have used Microsoft System Center Virtual Machine Manager (SCVMM) for virtualizing the lab environment. For the purposes of testing I will have a total of 10 guest machines running on my SCVMM host. The machines include 2 domain controllers, 2 Exchange 2003 back ends, 2 Exchange 2003 front ends, Exchange 2007 servers (1 hub transport, 1 edge transport, 1 mailbox and 1 CAS).
For easy management of the VMs, I installed the SCVMM Administrator Console on my Windows Vista notebook.
I’m all set to test, validate, and abuse my test lab servers as I wish! [*devilish laugh*]
by
Shijaz Abdulla on 08.11.2007 at 09:03
The organization that I work for has decided thats it’s time to upgrade to Exchange Server 2007. With approximately 18,000 Exchange mailboxes scattered across one four-node active-active-active-passive cluster and five two-node active-passive clusters spanning six geographic locations, this is going to be a mammoth task, nevertheless exciting!
The project will religiously adhere to the Microsoft Solutions Framework (MSF). Preparation is key to success. One of the most crucial stages is the testing. I’m doing the testing on a virtualized environment. More specifically, System Center Virtual Machine Manager 2007. The virtualization software is Virtual Server 2005 R2. The host is machine is a Windows 2003 x64 box with 16 GB RAM.
The virtualized environment will consist of two domain controllers, two Exchange 2003 backends, two front ends, an Exchange 2007 CAS server, a mailbox server, a hub transport server, and an edge server.
More on my adventures with this massive implementation will follow.
by
Shijaz Abdulla on 29.10.2007 at 08:14
In the RTM version of Exchange 2003, if you disable an active directory user account, mail flow to the disabled user’s mailbox stops. To a sender, it is as though the mailbox doesn’t exist.
With service packs, this behaviour has been changed. Hotfixes 916783 and 903158 make changes to the store.exe as follows:
If the SELF SID is missing from the Mailbox permissions, store.exe checks to see if the msExchMasterAccountSID is populated (this is the same as before). If it is not populated, then store.exe will use the objectSID of the user account, which should always be present.
This is good news for some administrators and bad news for others.
The good news is that if you want to temporarily restrict a user from accessing his mailbox but do not want him to lose out on receiving important e-mail, this is now possible. Also, if an employee leaves the company and you would like to configure an Out of Office message stating that he is no longer working there and at the same time disable the account for security purposes, this is now possible.
The bad news is that the above is not good enough for some companies. They just want to disable the account and forget about it. In such cases, administrators can adjust the delivery restrictions for the disabled user and configure that the user receive mails *only from* his own account. Or, you can configure ‘prohibit send/receive’ at 0 KB. Or, you can simple change or remove the SMTP email address of the user.
by
Shijaz Abdulla on 24.09.2007 at 08:48
I installed Windows Server 2003 Service Pack 2 on a client’s Exchange Server 2003 cluster on Thursday night (Yeah, I hear you – what a way to spend a weekend!). Everything went well, installation completed, rebooted and everything was happy and kicking.
…until on Friday morning when the Exchange HTTP Virtual Server Instance failed. Since this resource was configured to ‘affect the group’, the failure forced a failover of the whole Exchange cluster group to the passive node.
Within no time, Exchange HTTP Virtual Server Instance failed again, this time on the passive node! Someone press the Panic button!! The initial understanding of the situation was clear – Installation of Windows Server 2003 Service Pack 2 brought the mighty Exchange cluster to its knees.
I rebooted both nodes and normal operation ensued. But after a couple of hours it happened again. In the event logs, I could see things like:
Event Type: Warning
Event Source: MSExchangeIS Mailbox Store
Event Category: General
Event ID: 1115
Description:
Error 0xfffffbbe returned from closing database table, called from function JTAB_BASE::EcCloseTable on table DeletedFolders. For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Error
Event Source: MSExchangeCluster
Event Category: Services
Event ID: 1005
Description: Exchange HTTP Virtual Server Instance 100 (servername): The IsAlive check for this resource failed. For more information, click http://www.microsoft.com/contentredirect.asp.
Event Type: Error
Event Source: Srv
Event Category: None
Event ID: 2019
Description: The server was unable to allocate from the system nonpaged pool because the pool was empty. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I couldn’t find much on these errors on the Internet, and this is the reason for this post. Here’s what the problem is.
My client is running Windows Server 2003 on a 32 bit server. 32-bit versions of Windows, as we all know, support a maximum of 4 GB RAM. By default, Windows slices the total memory right down the middle: 2 GB is reserved for the OS and 2 GB for the applications. Out of the 2 GB reserved for the OS, 256 MB is reserved for non-paged pool memory.
My client is using the /3GB switch, which forces Windows to limit itself to 1 GB RAM and let the applications use 3 GB. But this causes the non-paged pool memory reservation to be reduced to 128MB instead of 256MB.
Now, 128 MB is a tight little space. IIS uses non paged pool memory for processing requests. On Windows Server 2003 and Windows Vista, IIS stops processing requests once the available non-paged pool memory goes below 20 MB. Event 2019 is evidence for that.
Of course you know, Exchange relies heavily on IIS. So that explains why the Exchange HTTP Virtual Server resource went down! But wait – what’s hogging up the non-paged pool memory? And how do we fix this?
That’s when Microsoft sent in their Poolmon utility, that grabs information on whats in there. The culprit? – Broadcom’s NetXtreme II network card driver! It was incompatible with scalable networking features bundled with Windows Server 2003 SP2 (and the Windows Scalable Networking Pack) and caused a memory leak! I disabled the TCP Chimney with the following command:
Netsh int ip set chimney DISABLED
I also disabled the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA registry value setting by it to zero on both nodes and other steps mentioned in KB936594. That was all it took to solve the problem!
See my earlier related post: Delayed Logins: Change Password feature in ISA 2006
< Previous postsNext posts >
