Tuesday, November 4, 2008

Dynamic Distribution Groups

So I'm sure everyone agrees that it is an annoyance that through EMC the only attribs that can be used for dynamic groups are company, state, department or the custom attributes.

Much has been written on using OPATH filters in PS to get around this limitation, but since using office location is so common I thought I'd just post on how to create a dynamic distribution list in Exchange 2007 using the AD attribute Office Location:

New-DynamicDistributionGroup "*ALL at OFFICENAME" -RecipientFilter {Office -eq 'OFFICENAME'}
Of course you can do a whole lot more with the recipient filter, for details, see here: http://msexchangeteam.com/archive/2007/01/10/432143.aspx

Thursday, August 28, 2008

A few thoughts about SCR target activation

I recently activated an SCR target as part of adding a mailbox server to a remote office. I couldn't find much on the web about how long the activation would take, or what, if any, effect SCR activation would have on BES. All clients are Outlook 2007, so I knew autodiscover would take care of the mailbox move. I used the activation procedure found here: http://technet.microsoft.com/en-us/library/bb738132(EXCHG.80).aspx

First, on the time to failover to SCR (or activate SCR target)

1. I used a target DB with the same log file prefix (E04 in my case) so I wouldn't have to mess with eseutil or worry about the DB being in a clean shutdown state (the mount-database operation would clear up a dirty shutdown with matching prefixes). I would suggest this if you have the ability to do so, as it allows you to skip several potentially time-consuming steps.

2. The resume-storagegroupcopy cmdlet took about 7 minutes to complete. There were 0 logs in the copy queue and 50 in the replay queue (kept with the defaults when setting up SCR).

3. I manually replicated AD after the move-storagegroup path, again after move-databasepath and again after move-mailbox. This might have been overkill, but with our site repl at 120 minutes, I didn't mind a little overkill. This added about 10 minutes to the process.

4. The move-mailbox -configuration only went extremely fast; 50 mailboxes in less than 5 seconds.

5. The mount-database was also extremely fast, but I would assume that is b/c it was in a clean shutdown state; it may take a little longer with a dirty DB shutdown.

Overall, the process took me less than 20 minutes of downtime, then add another 10 of BES downtime when I realized I had forgotten to give the BESadmin account the necessary permissions on the mailbox server.

Tuesday, July 1, 2008

Enumerate all members of a group

This works for any type of group; thanks to Amit Tank from the technet forums for the syntax!

$grp = get-group "Group Name"
$grp.members | fl Name

Monday, May 19, 2008

Some handy PowerShell cmdlets with syntax

Set up resource mailboxes (like a new conf room).
First, create the new mailbox with EMC, then with EMS:

Add-MailboxPermission -AccessRights FullAccess -Identity ResourceMailbox -User Test1
Set-MailboxCalendarSettings -Identity ResourceMailbox -AutomateProcessing:AutoAccept

Add Mailbox Rights
Add-MailboxPermission "Mailbox" -User "Trusted User" -AccessRights FullAccess

Get Mailbox Sizes for all users
Get-MailboxStatistics | fl totalitemsize, displayname

Set Rights for BesAdmin on a mailbox server (any time one is added)
Get-mailboxserver | add-adpermission -user BESAdmin -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

Get Mailbox Size/Location for 1 user
get-mailboxstatistics user.name | fl

To get detailed information about the mailbox and what folders might be large, run this:
Get-mailboxfolderstatistics user.name

Force the GAL to update:
Get-globaladdresslist | update-globaladdresslist
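
An added example, not from the original post: the FullAccess and BESAdmin grants above are broad, so it helps to review them from time to time. The filter below keeps only explicit (non-inherited, non-deny) FullAccess entries from objects shaped like Get-MailboxPermission output; Select-ExplicitFullAccess, New-SampleAce and the sample rows are constructed for illustration, and New-Object -Property assumes PowerShell 2.0 or later.

```powershell
# Added example (not the blog author's code).
# Select-ExplicitFullAccess is a hypothetical helper name, not an Exchange cmdlet.
filter Select-ExplicitFullAccess {
    $ace = $_
    # AccessRights is a list; stringify each entry so enum and string values both match.
    $full = @($ace.AccessRights | Where-Object { "$_" -like '*FullAccess*' }).Count -gt 0
    # Drop inherited entries, deny entries and the mailbox owner's own SELF entry.
    if ($full -and -not $ace.IsInherited -and -not $ace.Deny -and
        "$($ace.User)" -notlike 'NT AUTHORITY\SELF') {
        $ace
    }
}

# Constructed sample rows (hypothetical accounts) so the filter can be tried offline.
function New-SampleAce($Identity, $User, $Rights, $Inherited) {
    New-Object PSObject -Property @{ Identity = $Identity; User = $User;
        AccessRights = $Rights; IsInherited = $Inherited; Deny = $false }
}
$sample = @(
    (New-SampleAce 'ResourceMailbox' 'NT AUTHORITY\SELF' @('FullAccess', 'ReadPermission') $false),
    (New-SampleAce 'ResourceMailbox' 'COMPANY\Test1' @('FullAccess') $false),
    (New-SampleAce 'ResourceMailbox' 'COMPANY\Exchange Servers' @('FullAccess') $true),
    (New-SampleAce 'Mailbox' 'COMPANY\Trusted User' @('ReadPermission') $false)
)
$sample | Select-ExplicitFullAccess | Format-Table Identity, User -AutoSize

# In the Exchange Management Shell, feed the filter real data instead:
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select-ExplicitFullAccess
# and review what BESAdmin currently holds on each mailbox server:
#   Get-MailboxServer | Get-ADPermission -User BESAdmin | Format-List Identity, AccessRights, ExtendedRights
```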

Tuesday, May 6, 2008

Godaddy.com Subject Alternate Name certificate (SAN cert)

I purchased the UCC cert for 5 domain names for $90 (they don't call it a SAN cert) and added the godaddy trusted root cert into the main certificate store, then with the SAN cert just from powershell:

import-exchangecertificate -path c:\owa.company.com.crt | enable-exchangecertificate -services IIS, SMTP, POP, IMAP

You need the pipe before the enable, as you are passing the import command's data along to the enable command.

Wednesday, April 30, 2008

Passed 70-238 with a 908

This test was just weird. 70-236 and 70-237 were right on with the MS objectives, however this one was just all over the place. I obviously can't say much about it, but like any other test, if you have real world experience and know your stuff, you'll pass. At the time of this post, neither 237 nor 238 have books released so I just took the tests blind (but with 2nd shot) and passed easily from being in the trenches with exchange 07.

Friday, April 18, 2008

Passed 70-237 with a breeze

That was a little too easy I think, I got a 921, again the exam objectives on the MS site are all covered, know your AD infrastructure or don't even try this one.

Tuesday, April 15, 2008

Passed 70-236 today, taking 237 friday

Obviously I can't say much about it, but the exam objectives listed on MS's site were dead on. The test did make me wonder who really backs up the queue databases on their hub transport servers?

There is no book out for 237, so I'm taking blind (thank goodness for 2nd shot). Wish me luck.

Tuesday, April 8, 2008

Public Folders and Exchange 07

So SP1 gave us some GUI management, but still no way to set permissions with the gui other than 'send as'. The 2 most common resolutions to this problem are 1. Leave PF's on Exchange 2003, and 2. Suck it up, and deal with it in powershell; here is how:

To modify the permissions of a top level folder to give the user "sally" editor rights and have this permission apply to all sub-folders, execute this command:

get-publicfolder "\top level folder name" -recurse | add-publicfolderclientpermission -accessrights "editor" -user "sally"

Tuesday, March 4, 2008

editing the default recipient policy

For most of us, using the cmdlet

set-emailaddresspolicy "default policy" -includedrecipients allrecipients

will work fine, however some will get an error stating:

Unable to edit the specified E-mail address policy. E-mail address policies created with legacy versions of Exchange must be upgraded using the 'Set-EmailAddressPolicy' task, with the Exchange 2007 Recipient Filter specified.

This is generally because of a mailbox manager setting applied to your default policy, and exchange 2007 doesn't do mailbox manager. Remove the mailbox manager settings and re-run the command.

Monday, March 3, 2008

Creating Exchange 07 mailboxes with ADUC

If you use active directory users and computers to mail enable a user account with an exchange 07 mailbox, it'll probably work and seem fine in outlook until the user tries to hit OWA. Then they'll get the error below. Also, EMC will list their mailbox as 'legacy mailbox'. To resolve, execute this cmdlet: Set-Mailbox username -ApplyMandatoryProperties


RequestUrl: https://webmail.company.com/owa/lang.owa host address: 192.168.10.10
Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.
Call stack
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.InvalidADObjectOperationException
Exception message: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0).
Call stack
Microsoft.Exchange.Data.Directory.PropertyBag.set_Item(PropertyDefinition key, Object value)
Microsoft.Exchange.Data.Directory.ADObject.set_Item(PropertyDefinition propertyDefinition, Object value)
Microsoft.Exchange.Data.Directory.ADObject.StampCachedCaculatedProperties(Boolean retireCachedValue)
Microsoft.Exchange.Data.Directory.ADObject.ValidateWrite(List`1 errors)
Microsoft.Exchange.Data.Directory.Recipient.ADRecipient.ValidateWrite(List`1 errors)
Microsoft.Exchange.Data.Directory.Recipient.ADUser.ValidateWrite(List`1 errors)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Saturday, March 1, 2008

Exchange 2007 SP1 rollup 1

It's got a lot of fixes, listed here: http://support.microsoft.com/?kbid=945684

All went fine for me in lab testing and in production rollout; however, it did not start any of the Exchange services upon completion, nor did it start IIS on the CAS server or ask for a reboot, so be prepared to either reboot or manually start all services.

Friday, February 29, 2008

Exchange 2007 leap year bug

February 29th; what a day. I found that I could not create new users and isolated the problem to the date (it worked if you changed the system time to March 1st and stopped the windows time service). This is from MS PSS...all I can say is wow...it's like y2k but stuff actually broke :-)

John,

You are absolutely right.

Symptoms of this include not being able to create mailboxes or create public stores or update email policy and results in an error “The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error”. We found this to be a Leap Year bug and if we reset the date to either 28th Feb or 1st March it works.

We strongly recommend not to change the system time to work around the issue as this may cause undesirable results

I shall update as soon as we have some kind of solution to this.

Thursday, February 28, 2008

Custom DSNs on Exchange 2007

Tired of end users calling asking what an NDR means when it's relatively clearly stated in the message body? The cmdlets set-systemmessage and new-systemmessage will allow you to customize them so they are even more clear, although somehow I think users will still call :-)

This example sets DSN text for an external 'unknown mailbox' 5.0.0 fail.

[PS] C:\>New-SystemMessage -DsnCode 5.0.0 -internal $false -Text "The intended recipient was not found. Please check the spelling and e-mail address of the recipient." -Language en

All you have to do is change the DSN code and the boolean for -internal to manipulate all the DSN's you want.

Tuesday, February 26, 2008

Generic Exchange 2007 Deployment Thoughts

I was recently asked to review a 2007 deployment plan, and the high-level feedback I had was so darn standard, I figured I'd post it. The deployment was 2 CCR clusters, 4 hub transports, 4 CAS, 1 Edge and 1 SCR target. The CAS and HUB servers were to run on VMWare. There was also a 3rd party SMTP gateway.

I would definitely recommend SCR, but write and test your failover powershell scripts/commands before you need to use them. As you also probably already know, virtualized exchange servers are not supported by Microsoft, but that does not mean it can’t work. Remember with CCR and SCR DB paths have to be IDENTICAL, so remember to use mount points, not drive letters. Also, don’t use the same DB/SG names on your separate CCR clusters if they are going to target back to a single SCR box (the file paths then become identical). Have a look at pfmigrate.wsf to help with public folders if you need it.

Another question to ask is: do you really need Edge if you have a 3rd party SMTP gateway? If you have something like postini or frontbridge, you might be fine with routing inbound mail right to a hub transport server from the SMTP gateway.

For your cas/hub, you can run them both on the same machine as long as you don’t plan on using NLB, so you may not need vmware if that works for you.

My favorite site is msexchangeteam.com, but again, I’m sure you’ve seen it. If not, read up on their info on CAS certificates, very different requirements on 2007 than 2003 FE servers.

Wednesday, January 16, 2008

Exchange SP1: setup previously failed while performing the action Install. You cannot resume setup by performing the action "BuildToBuildUpgrade".

If you are upgrading a CCR environment to Exchange 2007 SP1 from Exchange 2007 RTM and you attempt the setup.com /upgradecms and it fails, it'll keep failing with the error:


Setup previously failed while performing the action "Install". You cannot resume setup by performing the action "BuildToBuildUpgrade".

To clear this, you'll need to go into the registry and delete the watermark and/or action:install key located here:
HKLM\SOFTWARE\Microsoft\Exchange\v8.0\ClusteredMailboxServer

Tuesday, January 8, 2008

BES and Exchange 2007 transition

Before moving any Blackberry Enterprise Server users from 2000 or 2003 over to a 2007 mailbox server, make sure BESAdmin is an Exchange view-only admin, then run this:

Get-mailboxserver | add-adpermission -user BESAdmin -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

Once successful you can start moving Blackberry users as well as the BESadmin account to 07.

After moving the BESAdmin account you'll need to use the Blackberry server admin tool to point the MAPI profile to Exchange 07 as well as download and install the latest MAPI .dll files. The file info is documented here:
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB12697&sliceId=SAL_Public&dialogID=41824370&stateId=0%200%2041820640

Creating SG's/DB's in Exchange 2007

Because of the path match requirements of CCR and SCR, most paths will not be to the default location. It is much easier to create the SGs and DBs with powershell and specify the paths than to use the GUI (too many clicks). I keep the following in a notepad doc and use find and replace for "executive 2gb" any time I want to create a new SG/DB.


New-StorageGroup -Name "Executive 2GB" -server "mailbox01" -SystemFolderPath "E:\databases\Executive 2GB" -LogFolderPath "E:\logfiles\Executive 2GB"

new-mailboxdatabase -StorageGroup 'mailbox01\Executive 2GB' -Name 'Executive 2GB' -EdbFilePath 'E:\databases\Executive 2GB\Executive 2GB.edb'

Mount-database "Executive 2GB"

Friday, January 4, 2008

OT: Slaves to the Robots Part II

I would like our future Robot overlords to know that I've worked very hard to further technology and I would like a top-notch slave position or a quick and painless death.

OT: Slaves to the Robots

My 2 year old is afraid of any non-living thing that moves. E.G. tickle-me-elmo. I think this is because he somehow knows he is part of the generation that will have to fight down the robots once they become self aware (to which Elmo is very close). If they can't beat the Elmo-led armies of robots, then the terminator movies become a reality...damn.

Thursday, January 3, 2008

HTTP to HTTPS OWA redirect on Exchange 07




With Exchange 07 SP1 having such a lovely and full-featured OWA client, our users are using it more regularly, and complaining about having to type in the HTTPS:// for SSL.

To redirect, I set the 404.3 custom error (under custom errors, default website) and pointed it to an HTML file that redirects. Note that with your users in 03 and 07 you'll want the redirect to go to the /exchange directory; with 07 only, use the /owa directory.


I'll put an image up with the HTML code.