by
Shijaz Abdulla on 13.07.2008 at 13:11
If you are running Exchange 2003 and Exchange 2007 in co-existence and you have users on both systems, you will notice that, while Exchange 2007’s new OWA interface has a brand new Change Password option, the Change Password functionality for the users on Exchange 2003 has stopped working and you receive a 404 – File Not Found error.

This is because the IISADMPWD virtual directory, which was previously available on your Exchange 2003 Front-End server, is no longer present on your Client Access Server. So here’s the solution:
1. If you are running Exchange Server 2007 on Windows Server 2003:
Simply enable the IISADMPWD virtual directory by following this article.
2. If you are running Exchange Server 2007 SP1 on Windows Server 2008:
Things can get a little tricky here. Especially when you’ve noticed that there is no IISADMPWD folder inside the \Windows\System32\Inetsrv folder! Now what are we gonna do?! Here’s something that I’ve tried and it works:
a. Simply copy the \Windows\System32\InetSrv\IISADMPWD folder from your Exchange 2003 Front End server to the \Windows\System32\InetSrv\ folder on your Windows 2008 Exchange Client Access Server.
b. Open IIS Manager. Right click on Default Web site and choose Add Virtual Directory. Specify the alias as IISADMPWD and browse to the path of the \Windows\System32\InetSrv\IISADMPWD folder.
c. Right click on the IISADMPWD virtual directory, and select the option Convert to Application.
d. Click on IISADMPWD application to select it. On the right pane, open the Authentication icon. Disable Anonymous authentication and enable Basic Authentication. Make sure only Basic Authentication is enabled.
e. Restart IIS service by using the command iisreset /noforce
Your Exchange 2003 users should now be able to change their passwords.

by
Shijaz Abdulla on 12.05.2008 at 15:27
After you have configured your Client Access Servers, and installed your organization’s SSL certificate on IIS, you realize that users are not able to see the Free/Busy information for other users from Outlook 2003 or Outlook 2007.
Here are some of the symptoms:
When you try to create a new meeting request in Outlook using the scheduling assistant, you find that you are able to see free/busy information only for yourself and not for other users. Other users appear as ‘No information’. Under ‘suggested times’, in Outlook 2007, you find that it perpetually shows "loading". You may also receive a certificate error concerning a name mismatch.
However, you are able to see the Free/Busy information for other users if you use Outlook Web Access (OWA).
The problem here is a certificate name mismatch. You have installed the certificate for your company’s webmail URL (webmail.company.com) on your Client Access server, but your Outlook client is accessing it using the host’s FQDN, which results in the mismatch. If you have configured your internal DNS servers to resolve webmail.company.com directly to the CAS server (or the CAS NLB virtual IP), you can modify the InternalUrl value by using the Set-WebServicesVirtualDirectory cmdlet. In the following command, I am making the InternalUrl the same as the ExternalUrl.
Set-WebServicesVirtualDirectory -id:"EWS*" -ExternalUrl "https://webmail.company.com/ews/exchange.asmx" -InternalUrl "https://webmail.company.com/ews/exchange.asmx"
Before you do this, make sure your internal DNS servers are set up correctly to resolve webmail.company.com directly to the Client Access server(s). If you have multiple CAS servers in an NLB configuration, you will need to repeat the above command on all CAS servers.
Come back to Outlook and create a new meeting request with the Scheduling Assistant. Everything should be hunky dory!
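The mismatch described above can be checked before and after the change by comparing the host in each service URL with the names on the certificate. This is an added example, not code from the original post; the internal host name cas01.corp.company.local and the URL sets are constructed sample values, and the wildcard handling goes beyond the single-name certificate the post describes.

```python
from urllib.parse import urlsplit

def name_matches(host, pattern):
    """Match a host against one certificate DNS name.

    A leading '*.' covers exactly one left-most label, nothing more.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                      # e.g. ".company.com"
    prefix = host[: -len(suffix)]
    return host.endswith(suffix) and prefix != "" and "." not in prefix

def find_mismatches(service_urls, cert_names):
    """Return {service: host} for every URL whose host no certificate name covers."""
    bad = {}
    for service, url in service_urls.items():
        host = urlsplit(url).hostname
        if host is None or not any(name_matches(host, n) for n in cert_names):
            bad[service] = host
    return bad

# Constructed sample values: the certificate carries only the webmail name.
CERT_NAMES = ["webmail.company.com"]

# Before the fix: the InternalUrl still points at the server's own FQDN.
BEFORE = {
    "EWS InternalUrl": "https://cas01.corp.company.local/EWS/Exchange.asmx",
    "EWS ExternalUrl": "https://webmail.company.com/ews/exchange.asmx",
}

# After the Set-WebServicesVirtualDirectory command shown in the post.
AFTER = {
    "EWS InternalUrl": "https://webmail.company.com/ews/exchange.asmx",
    "EWS ExternalUrl": "https://webmail.company.com/ews/exchange.asmx",
}

if __name__ == "__main__":
    for label, urls in (("before", BEFORE), ("after", AFTER)):
        result = find_mismatches(urls, CERT_NAMES)
        print(label, result or "all URLs covered by the certificate")
```

Any entry it reports is a URL that clients will reach under a name the certificate does not carry, which is the condition that produces the name-mismatch warning.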

by
Shijaz Abdulla on 07.05.2008 at 16:25
In this post, I explain how you can use System Center Data Protection Manager 2007 (hereafter DPM) to recover a single Exchange Server 2007 mailbox to a Recovery Storage Group (hereafter RSG) and ‘merge’ the restore with the actual mailbox.
On our production environment, we have Exchange Server 2007 SP1 SCC running on a Windows Server 2008 failover cluster.
Before continuing, make sure you have created a Recovery Storage Group on your Exchange 2007 mailbox server for the mailbox database that you want to restore to. This can be done via GUI (Toolbox > Database Recovery Management) or via PowerShell.
new-storagegroup -Server <Server_Name> -LogFolderPath <path_to_Logfiles> -Name <RSG_Name> -SystemFolderPath <Database_Path> -Recovery
On the DPM server, click on the Recovery tab, and navigate through the hierarchy and locate the storage group that contains the mailbox that you want to recover. Double clicking on the mailbox database shows a list of mailboxes. Right click on the mailbox you want to restore and click Recover. You can also select a date and time of the recovery point from which you would like to restore.

In the Recovery Wizard, review the recovery information, click Next and select the recovery type. Click browse to select your mailbox server. You will have to manually type the Storage Group Name (specify your Recovery Storage Group name here) and your Database Name (the mailbox database name inside your RSG).
Click Next, review the options and begin the restoration process.

Once the recovery process is complete, go back to the Exchange 2007 mailbox server. Open Exchange Management Console –> Toolbox –> Database Recovery Management.
Mount the Mailbox database that you just restored in the Recovery Storage Group. This shouldn’t require more explanation.

After mounting the database, come back to the above menu and select Merge or copy mailbox contents.

Select the mailbox database that contains the mailbox you want to recover and click Gather Merge information. On the next screen, review the merge options and click Perform pre-merge tasks.

Select your mailbox and click Perform Merge actions. Once the process completes, review the result.

The restored mailbox on the RSG database is now merged with the production database.
by
Shijaz Abdulla on 07.05.2008 at 10:38
See also: Data Protection Manager 2007 with Exchange Server 2007 SP1 – Part 1
I’ve just managed to get Data Protection Manager 2007 to protect my production Exchange Server 2007 SP1 mailbox servers running in a Single Copy Cluster (SCC) configuration on Windows Server 2008.
The configuration process is fairly simple. Once I had installed the DPM agents on all cluster nodes, I created a protection group for my SCC cluster as follows:

Since I will not be using a tape drive, I just chose a short-term recovery goal to back up to a storage device. You can choose to have a synchronization done every 15 minutes so that you will be able to restore your database to the latest 15 minute recovery point and then automatically apply any logs remaining on your production servers.
It’s also important to configure your Express Full backup at least once a day. This also takes care of truncating the committed transaction log files, which tend to grow over time and fill up disk space on your log drives.

See also: Recovering a single Exchange 2007 mailbox using DPM 2007
by
Shijaz Abdulla on 06.05.2008 at 19:09
There are a few things to keep in mind while installing Microsoft System Center Data Protection Manager.
One thing worth noting is that Data Protection Manager 2007 (‘DPM’ from now on) does not support being installed on Windows Server 2008 at the time of this writing. You will need to prepare a Windows Server 2003 machine. I’m using a Windows Server 2003 x64 Enterprise Edition with Service Pack 2 for this purpose.
Another important thing if you are installing DPM to protect Exchange Server 2007 SP1 running on Windows Server 2008 – you need a DPM hotfix to be installed for it to work correctly. The hotfix is KB950082 and it’s available from Microsoft Product Support. At the time of this writing, this hotfix has not been released in a rollup yet, but I’ve been told that it is a supported hotfix.
I installed this hotfix on my DPM server and successfully pushed the DPM agent on all nodes of my Exchange Server 2007 Single Copy Cluster running on Windows Server 2008 Failover clustering.
More updates on my adventures with DPM will follow.
by
Shijaz Abdulla on 05.05.2008 at 17:11
I’ve managed to pull up a two node Exchange Server 2007 SP1 Single Copy Cluster (SCC) running on Windows Server 2008 failover cluster. Moved in a few mailboxes (mostly belonging to my colleagues, who have so graciously consented to being guinea pigs.. um err.. volunteers for this project).
So far so good, there weren’t any major surprises.
Until I started thinking about backup.
Here’s the shocker for those of you who don’t know: Windows Server Backup (the all-new ‘NTBACKUP’ that ships with Windows Server 2008) does not support backing up Exchange Server 2007 mailbox stores!

Other major backup vendors like Veritas/Symantec Netbackup do not support Windows Server 2008 yet. Well, what can you do whilst you wait for the vendors to come up with Windows Server 2008 support?
You can use System Center Data Protection Manager 2007! I am currently evaluating this possibility, and will post my experiences on this blog.
by
Shijaz Abdulla on 30.04.2008 at 14:13
If you have two separate Exchange Server 2007 mailbox servers, and users in one mailbox server can login to Outlook Web Access using your Client Access Server, while the users on the second mailbox server cannot log in to Outlook Web Access using the same Client Access Servers, the following might help.
This issue is seen if the mailbox server is running Exchange Server 2007 SP1 on Windows Server 2008. From Server Manager, open Web Server (IIS). Make sure the following Role services are added:
Under Application Development, select the following:
- ASP.NET
- .NET Extensibility
- ASP
- ISAPI Extensions
- ISAPI Filters
- Server Side Includes
- .NET environment
Under Security, select the following:
- Basic authentication
- Windows Authentication
Do an IISRESET /noforce.
You should be able to login now. If you can’t, try logging in using the domain\username format, even if you chose the option for ‘user name only’ on your Client Access Server. If you are able to log in with domain\username and not just username, and you have enabled the ‘username only’ option under Forms based Authentication on your Client Access Servers, try the following.
On the IIS of your Exchange Server 2007 mailbox server, navigate to the /exchange virtual directory, open Authentication, and change the properties for Basic Authentication and enter a "\" without the quotes for the Default Domain.
by
Shijaz Abdulla on 26.04.2008 at 19:52
Here’s one for users and IT support personnel who sometimes have problems understanding what exactly an email non-delivery report (NDR) is trying to convey. Messaging experts, please excuse.
In Exchange Server, all NDRs returned to the sender appear to come from the local Exchange Server of your organization and not from the remote recipient’s mail server – even if the problem is at the receiving end. If the mail is received at the remote server and an error occurs during further re-routing/relaying, then the NDR might not appear to come from your organization’s Exchange Server. The NDR is formatted in an easy-to-read email message by the Exchange server in your organization and is sent back to the sender.
So, how easy is it to understand an NDR?
At first sight of the new, well-designed NDR of Exchange Server 2007, most users and non-email administrators tend to think that the problem is always on the local Exchange Server. To add to the confusion, the NDR contains the words “Sent by Microsoft Exchange Server 2007” and “Generating server: ”.

Here are some tips:
- The text marked in blue is not what’s important. It will always show YOUR organization’s edge transport server – unless the error occurred at a subsequent mail re-routing operation at the destination.
- Pay attention to the part that I’ve marked in red. The part labeled (1) is more important. It gives you an overview of what’s wrong – but need not always give you the full picture.
- The part labeled (2) is the server on which the error occurred. If this doesn’t look like one of the servers inside your organization, the problem is most likely not at your end.
- The part labeled (3) is the error reported by the server mentioned in (2).
- Part (4) shows the flow of the message between various servers both within and outside your organization. All it takes is a little effort to understand what’s going on.
- Trust your email servers. Don’t always think the problem is at your end, even if it looks like your server is reporting the error. Make an earnest attempt and apply some educated logic to figure out where the problem lies.
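The tips above, applied mechanically, as an added example that is not part of the original post: it pulls the reporting server and error, which the tips call (2) and (3), out of an NDR and says whether that server belongs to your organization. The NDR text is a constructed sample whose layout is assumed to follow the diagnostic section of an Exchange Server 2007 NDR, and company.com and partner.example are placeholder domains.

```python
import re

# Constructed sample (not a real message), laid out like the
# "Diagnostic information for administrators" part of an NDR.
SAMPLE_NDR = """\
Diagnostic information for administrators:

Generating server: edge01.company.com

someone@partner.example
mx1.partner.example #550 5.1.1 <someone@partner.example>: Recipient address rejected: User unknown ##

nobody@company.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##

Original message headers:

Received: from cas01.company.com (10.0.0.5) by edge01.company.com (10.0.0.9)
"""

FAILURE = re.compile(
    r"^(?P<rcpt>\S+@\S+)\s*\n"                              # failed recipient
    r"(?:(?P<server>[^\s#]\S*) )?#(?P<code>\d{3}) "         # reporting server (may be absent), SMTP code
    r"(?P<status>\d\.\d{1,3}\.\d{1,3}) (?P<text>.*?) ?##",  # enhanced status code and error text
    re.MULTILINE,
)

def triage_ndr(ndr_text, own_domains):
    """Return one finding per failed recipient, stating where the error was reported."""
    gen = re.search(r"^Generating server:\s*(\S+)", ndr_text, re.MULTILINE)
    generating = gen.group(1).lower() if gen else None
    findings = []
    for m in FAILURE.finditer(ndr_text):
        # No server name before the code means the generating server raised the error itself.
        server = (m.group("server") or generating or "").lower()
        local = any(server == d or server.endswith("." + d) for d in own_domains)
        findings.append({
            "recipient": m.group("rcpt"),
            "generating_server": generating,
            "reporting_server": server,
            "status": m.group("status"),
            "permanent": m.group("code").startswith("5"),
            "where": "local" if local else "remote",
            "text": m.group("text"),
        })
    return findings

if __name__ == "__main__":
    for f in triage_ndr(SAMPLE_NDR, ["company.com"]):
        print(f["recipient"], f["where"], f["reporting_server"], f["status"], f["text"])
```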
The more users you train on how to read NDRs, the fewer helpdesk calls you will get. I’ve seen that sometimes very simple NDRs like the following get escalated all the way to the email administrator as an “email problem”:
Your message did not reach some or all of the intended recipients.
Subject: RE: Acquisition of Yahoo Sent: 4/15/2008 11:09 PM
The following recipient(s) could not be reached:
shijaz@2hotmail.com on 4/15/2008 11:09 PM The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
The solution? Teach the user how to type an email address correctly.
by
Shijaz Abdulla on 23.04.2008 at 08:56
The year is 2008 and you might be wondering why I’m making such a post.
This blogger has seen that even in this time and age, some people simply love POP3 and prefer it over better and more secure alternatives. This post serves as an eye-opener to users as well as administrators who are die-hard POP fans.
Some reasons why you shouldn’t use POP
- Traditional POP3 (without any secure configuration – which is also the most common way admins configure your Outlook Express) transmits your username and password over the network in plaintext. Any user with malicious intent can “sniff” your password over the network and get hold of your email. In most cases, the credentials that you use to retrieve mail are the same that you use to send mail, which means the intruder can not only read your mail, but also send mails to other people on your behalf!
- Now, relating to the above point, replace the ‘hacker’ with malicious software/spyware/virus on the PC of a legitimate user on your network. The malware can do the sniffing and use the credentials to inject spam into your organization, as well as the rest of the known universe, pretending that it’s YOU, the POP user, who is sending the spam.
- All your emails are dumped to your PC from the server. What if you’ve been using POP for the past 5 years and your PC decides to crash – and you have no backup?
- What if your PC doesn’t crash, but your mail folders get corrupted – quite common with many POP3 clients?
- What if you want to access your received emails from some place else and you do not have your PC with you? Of course, for points 3, 4 and 5, you could leave a copy of your mails on the server – but what’s the point in sticking to POP3? – read on!
- For some users, their email might seem very secure when it’s sitting on their own PC and nowhere else. I have news for you. The moment someone else sits on your PC, kiss privacy goodbye. A knowledgeable user can open password protected folders. An additional point to ponder: SMTP traffic on the internet is not encrypted by default. It is most likely that your sensitive email is flying about cyberspace in plain text anyway!
- If you travel to a partner/client’s office with your laptop, accessing your mailbox via POP3 might require intervention of their network administrator if POP is not already open on their firewall – or you may require some sort of firewall client.
- No access to your company’s Address Book.
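A server-side check for the first point in the list above, added here as an example and not taken from the original post: it reads a POP3 protocol log and lists the clients whose PASS command crossed the network without TLS, so an administrator knows which users to move off plain POP3. The log format, addresses and user names are constructed for the illustration; adapt the field parsing to whatever your server writes.

```python
from collections import defaultdict

# Constructed POP3 protocol-log lines in a hypothetical format:
#   <session> <client-ip> <server-port> <C|S> <text>   (passwords already masked)
SAMPLE_LOG = """\
s1 10.0.0.21 110 S +OK POP3 server ready
s1 10.0.0.21 110 C USER user1
s1 10.0.0.21 110 S +OK
s1 10.0.0.21 110 C PASS ****
s1 10.0.0.21 110 S +OK
s2 10.0.0.34 110 S +OK POP3 server ready
s2 10.0.0.34 110 C STLS
s2 10.0.0.34 110 S +OK Begin TLS negotiation
s2 10.0.0.34 110 C USER user2
s2 10.0.0.34 110 C PASS ****
s3 10.0.0.50 995 S +OK POP3 server ready
s3 10.0.0.50 995 C USER user3
s3 10.0.0.50 995 C PASS ****
s4 10.0.0.77 110 C STLS
s4 10.0.0.77 110 S -ERR command not supported
s4 10.0.0.77 110 C USER user4
s4 10.0.0.77 110 C PASS ****
"""

def cleartext_logins(log_text):
    """Return {client_ip: [usernames]} for logins whose PASS was sent unencrypted."""
    encrypted = {}            # session -> True once TLS protects it
    stls_pending = set()      # sessions waiting for the server's answer to STLS
    user = {}                 # session -> argument of the last USER command
    exposed = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue                                   # not a protocol line
        session, ip, port, direction, text = parts
        encrypted.setdefault(session, port == "995")   # 995 = POP3 over implicit TLS
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if direction == "S":
            if session in stls_pending:
                stls_pending.discard(session)
                encrypted[session] = verb == "+OK"     # TLS starts only if the server agrees
        elif verb == "STLS":
            stls_pending.add(session)
        elif verb == "USER":
            user[session] = arg
        elif verb == "PASS" and not encrypted[session]:
            exposed[ip].append(user.get(session, "?"))
    return dict(exposed)

if __name__ == "__main__":
    for ip, names in cleartext_logins(SAMPLE_LOG).items():
        print(ip, "sent a password in cleartext for", ", ".join(names))
```

Session s4 is the case worth noticing: the client asked for STLS, the server refused, and the client logged in unencrypted anyway.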
Some reasons why you should use RPC over HTTPS instead
- Passwords don’t go out in plain text. Not just anybody can get hold of your password.
- If you use RPC over HTTPS, an SSL session is established between your PC and the server that has your email. The email content reaches you in a secure, encrypted channel.
- The email is stored on your server, and (hopefully) a backup is taken every night.
- If you use Outlook in cached mode, all you have is an offline copy of the same email – which means it’s available for your reference even when your PC is not connected to the office network.
- If your client PC crashes, or if your Outlook folders get corrupted, your emails are still safe on the server. All it needs is a fixing of your Outlook. (Note: If you archive some of your email on PST – make sure it’s backed up – or that the organization has a centralized email archiving system in place)
- You can access your company’s Address Book and all your contacts, tasks, calendar, etc.
- Presence information from Live Communications Server, integration with SharePoint workspaces, etc.
- Unlike POP3, Outlook Anywhere uses HTTPS and can be used from any partner network where they allow you to surf the net. No additional config required.
Some users need to have more than one Exchange mailbox open at the same time on the same PC (usually executive secretaries). The common excuse is that they cannot configure two Exchange mailboxes on the same Outlook profile.
It is indeed possible to configure two Exchange Server mailboxes on the same Outlook profile. Here’s a tip: In Outlook 2007: Tools –> Account Settings –> Select your Exchange mailbox –> Change –> More Settings –> Advanced tab –> Add –> type the second mailbox name –> OK –> Next…Finish. See this page for more details.

by
Shijaz Abdulla on 17.04.2008 at 22:06
In an earlier post, I explained how you can use Outlook Web Access (OWA) hosted on Exchange 2007 CAS Servers for accessing Exchange 2003 mailboxes in a co-existence environment by using the /exchange virtual directory.
Exchange Server 2007 CAS Servers come with Forms Based Authentication enabled by default. Now, if you wanted to disable the forms based authentication (required if you want to publish using ISA Server 2006 Forms based authentication), OWA would still work fine internally (i.e. https://servername/exchange or /owa), as long as you choose Basic Authentication. The user will be presented with a popup password window instead of the form.
Now, what if you didn’t want users who are already logged in to the domain to be prompted for their password? The answer sounds simple – enable Integrated authentication, right?
Well, no. If you are co-existing Exchange 2003 and Exchange 2007 mailboxes and if your users have mailboxes on Exchange 2003 backend servers, and if they try to login via a CAS server using https://servername/exchange, they will receive an HTTP 404 Page not found message.
This is because ‘/exchange’ on the CAS is an Exchange 2003 virtual directory. Exchange 2007 supports Integrated Authentication only on Exchange 2007 virtual directories (see this article).
So the moral of the story is that you cannot enable Integrated Authentication on the CAS Server for the /exchange folder in an Exchange 2007 co-existence scenario. Exchange 2007 users can use Integrated authentication only if they use /owa virtual directory for accessing OWA.