Thursday, September 25, 2008
Using LDIFDE & ADSIEdit to Verify Recipient Policies
Tuesday, September 23, 2008
WM 6.1 - MOTO Q9h
Sunday, September 21, 2008
Tricking Exchange - A Different Database Move
Thursday, September 18, 2008
Synchronization Errors - 0X80190193 / 0X8004010F
12:11:28 Synchronizer Version 11.0.8200
12:11:28 Synchronizing Mailbox 'Kym Thomas'
12:11:28 Done
12:11:28 Microsoft Exchange offline address book
12:11:28 0X8004010F
AND
9:44:33 Synchronizer Version 12.0.6315
9:44:33 Synchronizing Mailbox 'Paul Morris'
9:44:33 Done
9:44:35 Microsoft Exchange offline address book
9:44:35 0X80190193
These can commonly be caused by the SSL check box being checked on the OAB virtual directory. This requires an iisreset to undo.
Tuesday, September 16, 2008
Azaleos Blog Note
Exchange 2007 Certificate Install with Autodiscover
New-ExchangeCertificate -GenerateRequest -Path c:\SANCERT.txt -SubjectName "c=US, l=City, s=Washington, o=company, cn=mail.company.com" -DomainName www.mail.company.com, autodiscover.company.com, mailarchive.company.com -PrivateKeyExportable:$true
This will create a CSR text file that will be sent to the third-party certificate issuer.
EXAMPLE (yes it is fake):
Once they send it back to you, proceed to the next step.
Checking Certificate Properties
There are two things we need. The first is to verify that the certificate has a valid private key. Double-click the certificate and look below:
The next piece of information that you’ll need is the thumbprint:
Importing the Certificate into Exchange
Import-ExchangeCertificate -path
This will import the certificate into Exchange and make it available for use.
Enable the Certificate
Enable-ExchangeCertificate -Thumbprint C45DD764DE2F36CD907FJSND7682970F1358 -Services "POP, IMAP, IIS, SMTP"
Confirm.
Overwrite existing default SMTP certificate,
'E38LKJS5766237D887DN7SJBF66192CF018801' (expires 9/7/2009 5:59:59 PM), with
certificate ' C45DD764DE2F36CD907FJSND7682970F1358' (expires 1/23/2009
4:59:59 PM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help
(default is "Y"):a
Confirm the Configuration
Get-ExchangeCertificate
Thumbprint Services Subject
---------- -------- -------
C45DD764DE2F36CD907FJSND7682970F1358 IP.WS CN=mail.company.com,...
I, P, W, S stand for the four layers that you set above: IMAP, POP, Web (IIS), SMTP.
The certificate is now available for the messaging protocols and IIS.
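The two checks from "Checking Certificate Properties" (private key present, thumbprint) can also be done from the shell, together with a check that every host name clients will use appears in the certificate's subject alternative names. This is an added example, not code from the original post; the function name Test-CertReadiness is hypothetical, and it assumes the certificate is in the Local Computer Personal store on an English-language Windows install.

```powershell
# Added example (not from the original post). Test-CertReadiness is a
# hypothetical helper name; it only reads from the local certificate store.
function Test-CertReadiness {
    param(
        [string]   $Thumbprint,     # thumbprint shown by Get-ExchangeCertificate
        [string[]] $RequiredNames   # host names clients will connect to
    )

    # Thumbprints copied from the certificate dialog contain spaces and
    # sometimes an invisible leading character; keep only the hex digits.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) {
        throw "No certificate with thumbprint $tp in LocalMachine\My"
    }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Assumption: English-language Windows, where Format() emits "DNS Name=...".
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLower() })
    }

    # Exact matches only: wildcard SAN entries are not expanded here.
    $missing = @($RequiredNames | Where-Object { $names -notcontains $_.ToLower() })

    $cert | Select-Object Thumbprint, HasPrivateKey, NotAfter,
        @{ Name = 'DaysLeft';     Expression = { ($_.NotAfter - (Get-Date)).Days } },
        @{ Name = 'SanNames';     Expression = { $names -join ', ' } },
        @{ Name = 'MissingNames'; Expression = { $missing -join ', ' } }
}

# Usage (placeholder thumbprint; host names are the ones used in this post):
# Test-CertReadiness -Thumbprint '<thumbprint>' `
#     -RequiredNames 'mail.company.com', 'autodiscover.company.com' | Format-List
```

A result with HasPrivateKey set to False or a non-empty MissingNames means the certificate should not be enabled for services yet: the first cannot terminate TLS, the second will produce name-mismatch warnings in Outlook and browsers.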
Configure For Use With Autodiscover
**NOTE**
Wherever you see “Get-ClientAccessServer | Set-ClientAccessServer” you are getting all CAS servers and setting this on all of them. If this is not what you want, perform a Get-ClientAccessServer and only set it on the ones you want by using “Set-ClientAccessServer -Identity SERVER”.
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.company.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "SERVER\EWS (Default Web Site)" -InternalUrl https://mail.company.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "SERVER\oab (Default Web Site)" -InternalUrl https://mail.company.com/oab
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.company.com/autodiscover/autodiscover.xml
Get the Certificate in Use
Right click MSExchangeAutodiscoverAppPool in IIS, and then click 'Recycle'
Verify
Load up a web browser and browse to OWA. Use the browser to check the certificate (usually a lock in the lower corner). Verify that OWA works, and that autodiscover works in Outlook. To test Outlook, hold ctrl and right click on the Outlook icon in the lower right hand corner (system tray).
In order to configure externally you can run the following command templates:
Enable-OutlookAnywhere -Server CASSERVER -ExternalHostname "mail.domain.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False
Set-OABVirtualDirectory -identity "CASSERVER\OAB (Default Web Site)" -externalurl https://mail.domain.com/OAB -RequireSSL:$true
Set-UMVirtualDirectory -identity "CASSERVER\UnifiedMessaging (Default Web Site)" -externalurl https://mail.domain.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True
Set-WebServicesVirtualDirectory -identity "CASSERVER\EWS (Default Web Site)" -externalurl https://mail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$True
Monday, September 15, 2008
NetApp / Storevault Command Dump
Thursday, September 11, 2008
Blogs
Wednesday, September 10, 2008
OWA Redirection
ii) Enter /owa in the text field
Create the following file and name it Redirect.htm:
Telnet 25 - The Scary Basics
Tuesday, September 9, 2008
Blackberry Service Order
Ever wonder what order services start up on a Blackberry Enterprise Server? Tired of RIM just telling you to reboot all the time? Here is the start order:
Blackberry Controller
Blackberry Router
Blackberry Dispatcher
Blackberry MDS Connection
Blackberry Policy Service
Blackberry Attachment Service
Blackberry Synchronization Service
Blackberry Alert
Blackberry MDS Services - Apache Tomcat Service
Journaling + Archive = Ideal Litigation Searches -- Part2
Abstract
While Custom Views are good for a quick search from your Inbox, sometimes legal departments require an export to PST for burning to CD etc. This area is where Archive Search comes in (or Discovery Attender once the integration happens in the next release!).
Directions
Log on to the archive server, and open AAConsole.exe. Choose Archive Locations from the left hand column, then right click in the white space and choose “Search Archive..” (or alternatively click the magnifying glass.)
Fill out the information to choose which archives to search, sender/recipient, etc. Click Search.
Highlight the emails you wish to export. Right click and choose “Copy Selected Messages to a PST…”
To pull from a specific folder structure, simply sort by folder (scroll to the right in the screen shot).
Enter the location of your PST... and done!
Conclusion
This process is the perfect procedure for compliance related exports for your legal department. With journaling active in the Exchange site, it is much easier to simply query the journaling mailbox instead of single mailboxes.
Journaling + Archive = Ideal Litigation Searches -- Part1
My answer is one that I have been deploying to the field in a solution comprised of Exchange journaling, and SherpaSoftware’s Archive Attender.
I set up Journaling at the Hub Transport level in order to catch everything that passes through. This will inherently catch more traffic than setting up Journaling at the database level, and provide the litigation team all of the raw emails they need. The only complications with this are determining the folder structure to which these messages used to belong, and the fact that the Journaling mailbox could quickly grow out of control. The assumption of growing out of control is caused by either a lack of retention restrictions, or depending on the project requirements, poor planning.
That being said, I prefer to use a single Journaling mailbox on its own storage group and database in combination with Archive Attender. The reason for this is that there need not be any prior knowledge of message location, and the search speed is still relatively quick in Archive Attender. It is possible to break these out at the database level which could result in quick searches, but more personnel overhead and management. Something to consider:
We need to create a rule on the Journaling mailbox to pipe all unwanted emails (items such as backup notifications that will never have legal relevance) to some folders to be deleted prior to them being archived. This will save on storage if you have a process that continually sends generic emails or updates. The best way to do this that I know of is:
1. Create MRM policies, folders, and schedules.
a. Open the Exchange Management Console
b. Organization Configuration -> Mailbox -> Manage Custom Folders -> New Custom Folder
c. Create a folder for the items you want to delete.
d. Click the Managed Folder Mailbox Policies tab and create a new policy.
e. Go back to the Manage Custom Folders tab and expand the tree for the folder. Right click the content settings and click properties. Set retention to 1 day, and to delete permanently.
f. Apply the policy to the mailbox by right clicking on the Journal mailbox (under Recipient Configuration), clicking the Mailbox Settings tab, Messaging Records Management, and clicking properties. Choose the policy to apply.
g. Navigate back to Server Configuration -> Mailbox -> Right click Exchange Server and click on the Messaging Records Management tab.
h. Click customize and choose a schedule to run it. Depending on the volume of items going to this folder, you might want to run this a few times during the day.
2. We now need to create a rule in Outlook.
a. Open up Outlook for the Journaling mailbox. Create rules to pipe messages meeting X criteria to the managed folders you created upon arriving.
b. Even though it is best practice not to, we need to leave the Journaling mailbox visible in the GAL so that it is accessible by Archive Attender. We can offset this by only allowing Exchange to email it via:
Set-Mailbox journal -AcceptMessagesOnlyFrom "Microsoft Exchange" -RequireSenderAuthenticationEnabled $True
3. Now that the exceptions are done, we need to configure Archive Attender to run on the mailbox.
a. Create a policy that applies to all messages in the inbox, and archives them without a stub.
b. You will want this policy to run at least once per day if not 2-3 times.
c. You will also want to configure the policy to NOT archive the managed folder that we created by creating an exception in the folder list.
d. Under conditions choose ‘Capture all messages.’
e. The schedule is a dynamic setting that is based on your company size. This could range anywhere from every 10 minutes, to once per day. My default is to perform the task every 30 minutes to ensure that it doesn’t fall behind (if the processing power is there).
f. We will also want to ensure that the archive is searchable and that the policy is applied. Both of these can be set in the properties of the Journal user in Archive Attender.
4. We now have all mail that passes through the Hub Transport server going to the Journaling mailbox, parsed for irrelevant mail to be purged, and then pushed off to the archives leaving no stub behind. This is good for a couple of reasons.
a. It provides an easy way to search mail, whether it is through Archive Attender, or another tool from SherpaSoftware called Discovery Attender (Slated to be fully integrated in their next release!)
b. It keeps the Journaling mailbox empty, and efficient!
This concludes part one. I will be writing up part two soon that will cover litigation searches in Archive Attender, and PST exports.
Monday, September 8, 2008
Message Submission Woes
Friday, September 5, 2008
TCP/IP Offload Chimney
http://blogs.technet.com/mikelag/archive/2008/08/28/scalable-networking-pack-rollup-released.aspx
At least it is automatically disabled in Windows Server 2008.
Relay rights on self??
Wednesday, September 3, 2008
LDAP Filters - Mail Enabled Objects
Tuesday, September 2, 2008
Google Chrome
Now if we can just get some better skins for it... (or at least allow it to use the OS's theme).
Archiving Policies - Hard limit, or Quotas?
My personal preference is to set the archive quota to use the warning limit. This way, it is seamless to the user as it prevents the notifications, and doesn't hit the send/receive limit either. Another pro to using the warning quota in Exchange is that because they don't see a warning, they don't misinterpret what is going on and try to archive it themselves. This is compounded if the ability to use PSTs has not been disabled via group policy. Hard set limits such as nothing in the last 7 days will help with potential user grief (especially if the slider on the quota limit tab is set toward size rather than date). Also setting the "Do not archive messages smaller than" setting is good to set so that it mitigates the frustration of having to pull down an archive that didn't really get any size savings anyways. Stubs tend to be around 2-3kb, so that part is a no brainer. I like setting it a bit higher due to the balance of overall size savings versus user acceptance. Again this is a culture based decision.
The quota limit tab is another place decisions come in to play. You'll want to set the percentage of the quota to begin archiving from to at least be less than what the person could receive in a day. That number also affects how far down to archive. The size versus message age debate is one of, surprise, culture. If your company receives a barrage of large images for viewing/editing, you'll obviously take different steps than if your business relies on email primarily as a quick messaging service.
Now to the dynamic part. The best part about this system is that you only need one policy. This means no messing with automation policies down the road, no messy clean ups, etc. Merely change the quota limit in Exchange for the mailstore or individual and voilà. PowerShell scripts in Exchange 2007 make this a very powerful solution!