Thursday, September 25, 2008

Using LDIFDE & ADSIEdit to Verify Recipient Policies

Originally I wanted to run something like this:

ldifde -f C:\test.txt -t 3268 -s -j C:\ -r "(&(|(mailnickname=*)(objectClass=user))(|(homeMDB=*)(msExchHomeServerName=*))(userPrincipalName=*))" -l "msExchPoliciesIncluded"

Unfortunately userPrincipalName doesn't play nicely with msExchPoliciesIncluded. I'm guessing this is the case with more than one user-defined attribute. Two things are worth checking before blaming the attribute, though: as originally typed, the filter was two closing parentheses short (one to close the userPrincipalName item and one to close the outer &), and -t 3268 sends the query to the global catalog, which only holds the partial attribute set, so an attribute that is not replicated to the GC comes back empty from a GC query even when it is populated on the object. Example output:

dn: CN=sname\, gname,OU=Users-Company,OU=User,DC=Corp,DC=com
changetype: add

If we change it to only objectClass=user plus homeMDB, and drop the global catalog port:

ldifde -f C:\test.txt -s -j c:\ -r "(&(objectClass=user)(homeMDB=*))" -l "msExchPoliciesIncluded"

It pulls this as example:

dn: CN=sname\, gname,OU=User,DC=domain,DC=Corp,DC=com
changetype: add

You can also verify this in ADSI Edit, on the msExchPoliciesIncluded attribute of the user object:

Tuesday, September 23, 2008

WM 6.1 - MOTO Q9h

I was a day or so behind my coworker Jeremy Phillips upgrading my MOTO Q. A couple of good points are the threaded text messages and the soft delete key for email (I've REALLY been wanting this). You should check out his blog posting on this, as it has a couple of pretty screenshots that illustrate the changes a little better.

I differ with Jeremy in that my phone seems a bit slower now, whereas his seemed faster.  I speak primarily on basic functionality though, whereas he may have been coming from a purely activesync perspective.  The only difference I can tell right off the bat is that my phone is a Q9h and his is a Q9c.  I haven't put in the appropriate research to really decipher the major differences between my AT&T Moto Q and my colleague's Sprint doppelganger.  Here are the specs though:

Q9h:

Simple, elegant and stylish, the ultra-slim MOTO Q™ 9h, at only 11.8 millimeters thick, packs in a host of advanced features:
* QWERTY keyboard and large, crisp display
* Quad-Band (GPRS/EDGE) functionality
* Video capture and playback at 30fps
* HSDPA technology for fast data transfers, streaming media and web browsing¹
* Connectivity: EMU, USB 2.0 full speed transfers and data access
* Integrated Class 2 Bluetooth® wireless technology (A2DP, AVRCP - stereo) for hands-free connectivity with compatible Bluetooth® enabled stereo devices²
* Messaging via MMS, SMS, Instant Messaging and Windows Outlook Mobile
* Supports a variety of audio formats including AMR NB, AMR WB, WMA, MP3, AAC, AAC+, eAAC+, WAV, MIDI
* Video formats supported include H.263, MPEG4, WMV, H.264 decode
* Up to 2 GB of optional removable storage space with a microSD memory slot
* Integrated 2.0 megapixel camera with digital zoom and LED photo indicator light
* Special productivity features: Opera browser, Attachment Viewer or Editor, Voice Recognition, File Manager, Voice Notes, VPN capability and Anti-Virus protection

Q9c:

* Network: CDMA dual band (800/1900 MHz); data CDMA2000 1xRTT/1xEV-DO rev.0; 3G support: yes
* Size: 4.6 x 2.5 x 0.5 inches (117 x 65 x 11.9 mm); weight 4.8 oz (135 g)
* Battery: 1170 mAh; talk time 4.55 hours (273 mins); standby 212 hours (9 days)
* Main display: 320 x 240 pixels, 65,536 colors, TFT, 2.4 inches
* Camera: 1.3 megapixels; video: yes; flash, 8x digital zoom
* Multimedia: video playback H.263, MPEG4, WMV, H.264 (Windows Media Player 10); music player MP3, AAC, AAC+, eAAC+, WAV, WMA (Windows Media Player 10)
* Memory slot: miniSD
* Smartphone: Windows Mobile for Smartphones, OS version 6.0 Standard; processor Intel StrongArm; memory 256MB Flash, 96MB RAM
* Input: predictive text input; full QWERTY keyboard
* Connectivity: miniUSB 2.0; 2.5mm headset jack
* Other features: phonebook (capacity depends on system memory, multiple numbers per contact, picture ID, ring ID); PIM (alarm, calendar, calculator, to-do, notes); voice (dialing, commands, recording, speaker phone); GPS: aGP

Sunday, September 21, 2008

Tricking Exchange - A Different Database Move

The issue arose of moving a database to a new location. There are built-in commands for this:

Move-StorageGroupPath -Identity SERVER\StorageGroup -LogFolderPath X:\PathToLogFiles -SystemFolderPath X:\SystemFolderPath

Move-DatabasePath -Identity SERVER\StorageGroup\MailboxStore -EDBFilePath X:\PathToDatabase

The problem was that we wanted to use eseutil specifically to move the databases. We had already pushed a good copy over with eseutil, but we couldn't repoint the database at it without Exchange trying to copy the file over again. I believe you can repoint the registry, but we opted to trick Exchange instead. Because of size constraints we created a new, empty database, ran Move-DatabasePath on it so Exchange recorded the new location, then deleted the empty database file and dropped the eseutil copy in its place. It mounted and worked great.

Two notes for anyone repeating this. Move-DatabasePath has a -ConfigurationOnly switch that updates the path in Active Directory without moving the file, which is the supported way to repoint a database you have already copied yourself. And before mounting a copied .edb, run eseutil /mh against it and confirm it reports State: Clean Shutdown; a file in Dirty Shutdown still needs its log files replayed and will not mount cleanly.

An alternative to the normal methods of moving a database if you have odd circumstances to work under.

Thursday, September 18, 2008

Synchronization Errors - 0X80190193 / 0X8004010F

12:11:28 Synchronizer Version 11.0.8200
12:11:28 Synchronizing Mailbox 'Kym Thomas'
12:11:28 Done
12:11:28 Microsoft Exchange offline address book
12:11:28        0X8004010F

9:44:33 Synchronizer Version 12.0.6315
9:44:33 Synchronizing Mailbox 'Paul Morris'
9:44:33 Done
9:44:35 Microsoft Exchange offline address book
9:44:35 0X80190193

These can commonly be caused by the "Require SSL" check box being set on the OAB virtual directory while Outlook is still fetching the OAB over http://. 0x80190193 is HTTP status 403 (0x193) wrapped in an HRESULT, which is what IIS returns (403.4) when SSL is required and the request arrives in the clear; 0x8004010F is MAPI's "not found" result. Synchronizer 11.0 is Outlook 2003 and 12.0 is Outlook 2007. Unchecking the box requires an iisreset to take effect. The alternative that keeps SSL on is to publish https:// URLs for the OAB virtual directory (the InternalUrl and ExternalUrl set with Set-OABVirtualDirectory), so Outlook downloads over SSL and the check box can stay checked.

Tuesday, September 16, 2008

Azaleos Blog Note

Checking the Azaleos blog link on the right hand side can be good for extra information about my business, and my coworkers.  I submit some blogs there that I don't submit here as well. 

Exchange 2007 Certificate Install with Autodiscover

Generate the CSR

New-ExchangeCertificate -GenerateRequest -Path c:\SANCERT.txt -SubjectName "c=US, l=City, s=Washington, o=company," -DomainName,, -PrivateKeyExportable:$true

This will create a CSR text file to send to the third-party certificate issuer.

EXAMPLE (yes it is fake):


Once they send it back to you, proceed to the next step.

Checking Certificate Properties

There are two things we need. First, verify that the certificate has a valid private key. Double-click the certificate and look below:

The next piece of information that you’ll need is the thumbprint:

Importing the Certificate into Exchange

Import-ExchangeCertificate -path

This will import the certificate into Exchange and make it available for use.


Enable the Certificate

Enable-ExchangeCertificate -Thumbprint C45DD764DE2F36CD907FJSND7682970F1358 -Services "POP, IMAP, IIS, SMTP"


Overwrite existing default SMTP certificate,
'E38LKJS5766237D887DN7SJBF66192CF018801' (expires 9/7/2009 5:59:59 PM), with
certificate 'C45DD764DE2F36CD907FJSND7682970F1358' (expires 1/23/2009 4:59:59 PM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):a


Confirm the Configuration

Thumbprint                                Services   Subject
----------                                --------   -------
C45DD764DE2F36CD907FJSND7682970F1358      IP.WS      ...

I, P, W, S stand for the four services you enabled above: IMAP, POP, Web (IIS), SMTP. The column has one position per service; the dot in the middle is the position for Unified Messaging, which this certificate is not enabled for.

The certificate is now available for the messaging protocols and IIS.

Configure For Use With Autodiscover


Wherever you see "Get-ClientAccessServer | Set-ClientAccessServer" you are getting all CAS servers and setting the value on all of them. If that is not what you want, run Get-ClientAccessServer and set it only on the ones you want with "Set-ClientAccessServer -Identity SERVER".

Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri

Set-WebServicesVirtualDirectory –Identity  "SERVER\EWS (Default Web Site)" -InternalUrl

Set-OABVirtualDirectory -Identity "SERVER\oab (Default Web Site)" -InternalUrl


Get the Certificate in Use

Right-click MSExchangeAutodiscoverAppPool in IIS and click 'Recycle' so the new certificate and URLs are picked up.



Load up a web browser and browse to OWA. Use the browser to check the certificate (usually a lock icon in the lower corner). Verify that OWA works and that Autodiscover works in Outlook. To test Outlook, hold Ctrl and right-click the Outlook icon in the system tray, then choose Test E-mail AutoConfiguration; it shows the URLs Autodiscover handed back and whether the lookup succeeded.


To configure the external side, you can run the following command templates:

Enable-OutlookAnywhere -Server CASSERVER -ExternalHostname "" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

Set-OABVirtualDirectory -Identity "CASSERVER\OAB (Default Web Site)" -ExternalUrl -RequireSSL:$true

Set-UMVirtualDirectory -Identity "CASSERVER\UnifiedMessaging (Default Web Site)" -ExternalUrl -BasicAuthentication:$True

Set-WebServicesVirtualDirectory -Identity "CASSERVER\EWS (Default Web Site)" -ExternalUrl -BasicAuthentication:$True

Basic authentication sends the user's password with nothing more than base64 encoding, so these external URLs must be https:// and SSL must stay required on the virtual directories (which is why -SSLOffloading is $False above); never publish them over plain http.

Monday, September 15, 2008

NetApp / Storevault Command Dump

I noticed I had a list of some quick helpful commands for NetApp and Storevault filers.

How to Configure a Filer back to Factory
1) Connect to the filers management port via a serial cable and log in
2) Command: priv set advanced
3) Command: halt -c factory
4) This will shut down filer and leave you at a command prompt.
5) Command: boot_ontap
6) Press ctrl-c for special boot menu when prompted during boot
7) Select option 4a to create a flexible root volume and zero all the owned disks on the filer

Quick Commands 
Create Volume:
vol create DPMBackups aggr0 90g

Create a CIFS Share:
cifs shares -add DPMBackups$ /vol/DPMBackups

Resize the Volume:
vol size DPMBackups 44g

Create a LUN
lun create -s 34g -t windows /vol/DPMBackups/lun1

Create an iSCSI igroup (the host's iSCSI node name still has to be added to it, or no initiator will see the LUN):
igroup create -i -t windows DPM04

Map the LUN to an igroup (the igroup named here must already exist):
lun map /vol/DPMBackups/lun1 EX-MBX-01

Configure an Interface:
ifconfig -a   (check the current settings first)
ifconfig e0b netmask broadcast up

Resize a LUN:
lun resize /vol/Archive/archive.lun 1900g

Thursday, September 11, 2008


If you guys haven't checked out the blogs I have posted on the right hand side for JeremyinMotion and SherpaSoftware, you should do so.  Sherpa has a product line that Azaleos works with, and Jeremy Phillips is a coworker/raconteur.

Wednesday, September 10, 2008

OWA Redirection

Many companies want to create an environment in which user involvement in technology is as easy as possible. This makes the IT team look good and keeps frivolous help desk tickets low. A good addition to your environment to this end is something as simple as a redirector for OWA, so that a user who types just the server name lands on https://server/owa. There are a few ways to accomplish this.

1. Open IIS Manager

2. Right-click the Default Web Site and click Properties

3. Click the Home Directory tab and follow these steps:

i) Pick the 'A redirection to a URL' option
ii) Enter /owa in the text field
iii) Select the "A directory below URL entered" radio button

4. OK out and test via the web browser.

The second way, and seemingly the most reliable method across different configurations, is to create an HTML file and force it to the top of the list on the Documents tab.

Create the following file and name it Redirect.htm:

You will also want to assign this file to the 403;4 custom error code. 403.4 is the error IIS returns when SSL is required and the request came in over plain http, so with "Require secure channel (SSL)" set on the site, users who attempt to access it on port 80 (http://) get the redirect page and are pushed to SSL port 443 (https://) instead of an error. This will help you avoid confusion from the user community that doesn't know the difference.

Another reference using ASP..

Telnet 25 - The Scary Basics

Sometimes the easiest tasks can sound the most daunting at first. Take, for example, sending mail via telnet. It is a great tool for testing connectivity and relay permissions. Following the screenshot below, you can see that we use nslookup and set the type to MX. MX is the mail exchanger record.

This will show you, essentially, the Internet-accessible mail connection point for whatever domain you enter. If you run this outside of the company you are querying, you could very well hit something that doesn't resemble that company whatsoever. This is likely a third-party company that sits between the company and the outside world, typically for spam filtration, security, and virus checking. A couple of examples of these are Postini (now owned by Google, I believe) and MessageLabs (an EXCELLENT solution offered by Azaleos as ProtectXchange).

After you telnet to this address on port 25, you will see the following:

As seen above, we type ehlo to identify ourselves, and then begin to form our message:

MAIL FROM: <-- Sender. Nothing verifies this address, so it is essentially spoofing; a bare SMTP session will take any sender.
RCPT TO: <-- Recipient. This is who will receive the test message.
250 2.1.0 Sender OK <-- Sender checks out. Relay permission is decided at RCPT TO, not here: if the recipient is outside the server's own domains and you are not authenticated, a properly configured server answers 550 5.7.1 Unable to relay, which is good unless relaying was intended.
data <-- Initiates data entry.
Subject:Test Subject
. <-- A line containing only a period ends the data entry.

The mail sends out and voilà, here it is!

Tuesday, September 9, 2008

Blackberry Service Order

I just dug this up in my notes and figured I'd post it...

Ever wonder what order the services start up in on a BlackBerry Enterprise Server? Tired of RIM just telling you to reboot all the time? Here is the start order:

Blackberry Controller
Blackberry Router
Blackberry Dispatcher
Blackberry MDS Connection
Blackberry Policy Service
Blackberry Attachment Service
Blackberry Synchronization Service
Blackberry Alert
Blackberry MDS Services - Apache Tomcat Service

Journaling + Archive = Ideal Litigation Searches -- Part2


While Custom Views are good for a quick search from your Inbox, sometimes legal departments require an export to PST for burning to CD etc. This area is where Archive Search comes in (or Discovery Attender once the integration happens in the next release!).


Log on to the archive server, and open AAConsole.exe. Choose Archive Locations from the left hand column, then right click in the white space and choose “Search Archive..” (or alternatively click the magnifying glass.)

Fill out the information to choose which archives to search, sender/recipient, etc. Click Search.

Highlight the emails you wish to export. Right click and choose “Copy Selected Messages to a PST…”

To pull from a specific folder structure, simply sort by folder (scroll to the right in the screen shot).

Enter the location of your PST, and done!


This process is the perfect procedure for compliance related exports for your legal department. With journaling active in the Exchange site, it is much easier to simply query the journaling mailbox instead of single mailboxes.

Journaling + Archive = Ideal Litigation Searches -- Part1

Requiring litigation searches has been a long standing topic for most IT departments. The issue is how to deploy a method to do this that both appeases the litigation team in question, while allowing for the Journaling mailbox to not become encumbered to the point that it ceases to properly function.

My answer is one that I have been deploying to the field in a solution comprised of Exchange journaling, and SherpaSoftware’s Archive Attender.

I set up Journaling at the Hub Transport level in order to catch everything that passes through. This will inherently catch more traffic than setting up Journaling at the database level, and provide the litigation team all of the raw emails they need. The only complications with this are determining the folder structure to which these messages used to belong, and the fact that the Journaling mailbox could quickly grow out of control. The assumption of growing out of control is caused by either a lack of retention restrictions, or depending on the project requirements, poor planning.

That being said, I prefer to use a single Journaling mailbox on its own storage group and database in combination with Archive Attender. The reason for this is that there need not be any prior knowledge of message location, and the search speed is still relatively quick in Archive Attender. It is possible to break these out at the database level which could result in quick searches, but more personnel overhead and management. Something to consider:

We need to create a rule on the Journaling mailbox to pipe all unwanted emails (items such as backup notifications that will never have legal relevance) to some folders to be deleted prior to them being archived. This will save on storage if you have a process that continually sends generic emails or updates. The best way to do this that I know of is:

1. Create MRM policies, folders, and schedules.

a. Open the Exchange Management Console

b. Organization Configuration -> Mailbox -> Managed Custom Folders -> New Managed Custom Folder

c. Create a folder for the items you want to delete.

d. Click the Managed Folder Mailbox Policies tab and create a new policy.

e. Go back to the Manage Custom Folders tab and expand the tree for the folder. Right click the content settings and click properties. Set retention to 1 day, and to delete permanently.

f. Apply the policy to the mailbox by right clicking on the Journal mailbox (under Recipient Configuration), clicking the Mailbox Settings tab, Messaging Records Management, and clicking properties. Choose the policy to apply.

g. Navigate back to Server Configuration -> Mailbox -> Right click Exchange Server and click on the Messaging Records Management tab.

h. Click customize and choose a schedule to run it. Depending on the volume of items going to this folder, you might want to run this a few times during the day.

2. We now need to create a rule in Outlook.

a. Open up Outlook for the Journaling mailbox. Create rules to pipe messages meeting X criteria to the managed folders you created upon arriving.

b. Even though it is best practice not to, we need to leave the Journaling mailbox visible in the GAL so that it is accessible by Archive Attender. We can offset this by only allowing Exchange to email it via:

Set-Mailbox journal -AcceptMessagesOnlyFrom "Microsoft Exchange" -RequireSenderAuthenticationEnabled $True

3. Now that the exceptions are done, we need to configure Archive Attender to run on the mailbox.

a. Create a policy that applies to all messages in the inbox, and archives them without a stub.

b. You will want this policy to run at least once per day if not 2-3 times.

c. You will also want to configure the policy to NOT archive the managed folder that we created by creating an exception in the folder list.

d. Under conditions choose ‘Capture all messages.’

e. The schedule is a dynamic setting that is based on your company size. This could range anywhere from every 10 minutes, to once per day. My default is to perform the task every 30 minutes to ensure that it doesn’t fall behind (if the processing power is there).

f. We will also want to ensure that the archive is searchable and that the policy is applied. Both of these can be set in the properties of the Journal user in Archive Attender.

4. We now have all mail that passes through the Hub Transport server going to the Journaling mailbox, parsed for irrelevant mail to be purged, and then pushed off to the archives leaving no stub behind. This is good for a couple of reasons.

a. It provides an easy way to search mail, whether it is through Archive Attender, or another tool from SherpaSoftware called Discovery Attender (Slated to be fully integrated in their next release!)

b. It keeps the Journaling mailbox empty, and efficient!

This concludes part one. I will be writing up part two soon that will cover litigation searches in Archive Attender, and PST exports.

See here for part 2.

Monday, September 8, 2008

Message Submission Woes

Issue: Outbound messages get stuck in the Drafts folder, displaying message submission errors. The issue started after patching and a subsequent reboot. Inbound mail works fine.

Troubleshooting: My first thought, since it was fresh in my mind, was back pressure.

I verified that the EdgeTransport.exe.config file in the Exchange bin folder had the setting:

<add key="EnableResourceMonitoring" value="false" />

This shows us that back pressure is off. (A caveat: leaving resource monitoring disabled removes the protection that stops the transport service from exhausting disk and memory, so treat it as a troubleshooting setting, not something to run with permanently.) The symptoms certainly cry out submission issues, so I checked the services just for fun. Sure enough, the services for mail submission, mailbox assistants, replication, and transport logs were all stopped. Starting them back up solved the problem as expected.

A quick note: a submission backlog is easy to see in Outlook, sitting in the Outbox, but in OWA it is a little trickier. Messages pass through the Drafts folder, and that is where the backlog shows up.

Friday, September 5, 2008

TCP/IP Offload Chimney

Windows Server 2003 SP2 brought a change to the TCP Chimney Offload feature, enabling it by default. In theory a good idea, but it ended up wreaking havoc on systems. It primarily affects Broadcom chipsets and servers with older drivers installed; the usual fix is a current NIC driver or disabling the offload. Just when we thought it was safe, I got an email from our VP of Development..

Relay rights on self??

Credit Microsoft's major security push, which started about a year and a half ago, with changing defaults to be more security-minded. This mentality (for the better in most cases) carried into Exchange apparently.

Relay from the Exchange server to itself won't work? The symptom is that an application on the server submitting mail anonymously to the receive connector gets 550 5.7.1 Unable to relay for external recipients, because anonymous senders are only allowed to deliver to recipients in the accepted domains. This will open it up:

Get-ReceiveConnector "Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Be aware of what that grants: anyone who can reach that connector from an address in its RemoteIPRanges can now relay to any recipient with no authentication, i.e. an open relay. Apply it to a dedicated receive connector whose RemoteIPRanges is limited to the hosts that need to relay (the server's own address, or the application servers), not to the default connector that listens for the whole network.
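The dialogue walked through in the Telnet 25 post and the permission granted above are two sides of the same check, so here is one added example (not Exchange's code and not from the original posts) that simulates the server side of the EHLO / MAIL FROM / RCPT TO / DATA exchange and applies the relay policy where Exchange does, at RCPT TO. The host name mail.example.com, the domains and the addresses are made up, the reply texts only mimic Exchange 2007's wording, and accept_any_recipient=True stands in for ms-Exch-SMTP-Accept-Any-Recipient having been granted to the anonymous principal.

```python
"""Simulated SMTP relay check. Added example for the "Telnet 25" and "Relay rights
on self" posts; it is not Exchange's code. It models the server side of the
EHLO / MAIL FROM / RCPT TO / DATA exchange with the relay decision Exchange makes
at RCPT TO, so the effect of granting ms-Exch-SMTP-Accept-Any-Recipient to
ANONYMOUS LOGON can be seen offline. Reply texts mimic Exchange 2007's wording;
host names, domains and addresses are made up."""


def parse_address(arg):
    """'FROM:<user@example.org>' or 'TO:<user@example.org>' -> 'user@example.org'."""
    return arg.partition(':')[2].strip().strip('<>')


class SmtpSession:
    """Server-side state machine for one SMTP session.

    local_domains        -- domains the server accepts mail for (delivery, not relay)
    authenticated        -- whether the client authenticated (AUTH itself is not modelled)
    accept_any_recipient -- stands in for ms-Exch-SMTP-Accept-Any-Recipient being
                            granted to the connecting principal
    """

    def __init__(self, local_domains, authenticated=False, accept_any_recipient=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.authenticated = authenticated
        self.accept_any_recipient = accept_any_recipient
        self.state, self.sender, self.recipients, self.body = 'connect', None, [], []
        self.queued = []                # (sender, recipients, body) accepted for delivery

    def greeting(self):
        return '220 mail.example.com Microsoft ESMTP MAIL Service ready'

    def may_deliver_to(self, rcpt):
        """Relay policy: local domains always; anything else needs AUTH or the right."""
        domain = rcpt.rpartition('@')[2].lower()
        return domain in self.local_domains or self.authenticated or self.accept_any_recipient

    def handle(self, line):
        """Process one client line; return the reply, or None while collecting DATA."""
        if self.state == 'data':
            if line != '.':
                self.body.append(line)
                return None
            self.queued.append((self.sender, self.recipients, '\n'.join(self.body)))
            self.state, self.sender, self.recipients, self.body = 'helo', None, [], []
            return '250 2.6.0 Queued mail for delivery'
        verb, _, arg = line.partition(' ')
        verb = verb.upper()
        if verb in ('EHLO', 'HELO'):
            self.state = 'helo'
            return '250 mail.example.com Hello'
        if verb == 'MAIL':
            if self.state == 'connect':
                return '503 5.5.2 Send hello first'
            self.sender = parse_address(arg)    # never verified: the "spoofing" the post mentions
            self.recipients, self.state = [], 'mail'
            return '250 2.1.0 Sender OK'
        if verb == 'RCPT':
            if self.state not in ('mail', 'rcpt'):
                return '503 5.5.2 Need mail command'
            rcpt = parse_address(arg)
            if not self.may_deliver_to(rcpt):
                return '550 5.7.1 Unable to relay'   # the relay decision happens here
            self.recipients.append(rcpt)
            self.state = 'rcpt'
            return '250 2.1.5 Recipient OK'
        if verb == 'DATA':
            if self.state != 'rcpt':
                return '503 5.5.2 Need rcpt command'
            self.state = 'data'
            return '354 Start mail input; end with <CRLF>.<CRLF>'
        if verb == 'QUIT':
            return '221 2.0.0 Service closing transmission channel'
        return '500 5.3.3 Unrecognized command'


def run_session(server, client_lines):
    """Feed the client's lines to the server; return [(client_line, reply)] for each reply."""
    transcript = [('', server.greeting())]
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            transcript.append((line, reply))
    return transcript


# The post's test message, from an unauthenticated client to an address the
# server is not responsible for (constructed).
RELAY_PROBE = ['EHLO probe.example.org', 'MAIL FROM:<spoofed@example.org>',
               'RCPT TO:<someone@external.example.net>', 'DATA',
               'Subject: Test Subject', '', 'relay test', '.', 'QUIT']


def rcpt_reply(server, client_lines=RELAY_PROBE):
    """Run the probe and return the reply to RCPT TO: 250 means the server relays."""
    for line, reply in run_session(server, client_lines):
        if line.upper().startswith('RCPT '):
            return reply
    return None


if __name__ == '__main__':
    for label, srv in (('anonymous on default connector', SmtpSession(['corp.example.com'])),
                       ('anonymous + Accept-Any-Recipient',
                        SmtpSession(['corp.example.com'], accept_any_recipient=True))):
        print(label, '->', rcpt_reply(srv), '| queued:', len(srv.queued))
```

Run it and the same probe gets 550 5.7.1 Unable to relay from the plain connector but 250 2.1.5 Recipient OK, and a queued message, once the right is granted, which is exactly what an outside sender reaching that connector would see. The thing to check when you telnet in is the reply to RCPT TO for an external address, not the reply to MAIL FROM, which is accepted either way.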

Wednesday, September 3, 2008

LDAP Filters - Mail Enabled Objects

Recently I had to come up with an LDAP filter to grab all mail-enabled objects for a customer preparing to use the Schemus tool provided by our partner MessageLabs (Azaleos's ProtectXchange offering).

A lot of people, even sharp technicians, tend to avoid LDAP queries like the plague. I think the reason is a lack of basic understanding.

Simple things like understanding the operators (& being AND, | being OR, ! being NOT, and so on; each operator sits at the front of a parenthesised group and applies to every term inside it) can help immensely.

My final product for the filter is:

(|(&(mailnickname=*)(objectCategory=person)(objectClass=user))(&(mailnickname=*)(objectCategory=group)))

Read it as: mail-enabled users OR mail-enabled groups. Both objectCategory=person and objectClass=user are needed in the first branch, because objectClass=user alone would also match computer accounts (objectCategory=computer) and objectCategory=person alone would also match contacts. That also means mail-enabled contacts, which have a mailNickname but are not objectClass=user, are left out; add a third branch if the customer needs them.

A great quick site to glance at for a general overview is here.
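To take the mystery out of the operators, here is an added example (not the Schemus tool's or ldifde's code, and not from the original posts) of a small parser and evaluator for filters like the one above and the ldifde filters in the Using LDIFDE & ADSIEdit post; the sample directory entries are constructed. It shows how & and | scope over their parenthesised terms, rejects a filter whose parentheses don't balance before you ever send it to a domain controller, and makes visible which kinds of objects a filter picks up and which it quietly leaves out.

```python
"""LDAP search-filter parser and evaluator (RFC 4515 subset): &, |, !, equality,
presence (attr=*) and '*' wildcards. Added example for this post and the ldifde
filters in "Using LDIFDE & ADSIEdit"; not ldifde's or Schemus's code. The
directory entries are constructed."""
import fnmatch


class FilterError(ValueError):
    """Malformed filter (e.g. unbalanced parentheses or an empty item)."""


def parse_filter(text):
    """Parse into nested tuples: ('&', [subs]), ('|', [subs]), ('!', sub), ('=', attr, pattern).
    Attribute names are lower-cased because LDAP matches them case-insensitively."""
    def parse(i):
        if i >= len(text) or text[i] != '(':
            raise FilterError("expected '(' at offset %d" % i)
        i += 1
        op = text[i:i + 1]
        if op in ('&', '|'):                # AND / OR over a list of sub-filters
            i, subs = i + 1, []
            while i < len(text) and text[i] == '(':
                sub, i = parse(i)
                subs.append(sub)
            if not subs:
                raise FilterError("'%s' with no operands at offset %d" % (op, i))
            node = (op, subs)
        elif op == '!':                     # NOT over exactly one sub-filter
            sub, i = parse(i + 1)
            node = ('!', sub)
        else:                               # simple item: attr=value
            end = text.find(')', i)
            if end == -1:
                raise FilterError("missing ')' for item at offset %d" % i)
            attr, sep, pattern = text[i:end].partition('=')
            if not sep or not attr.strip():
                raise FilterError('malformed item %r' % text[i:end])
            node = ('=', attr.strip().lower(), pattern.strip())
            i = end
        if i >= len(text) or text[i] != ')':
            raise FilterError("missing ')' at offset %d" % i)
        return node, i + 1

    node, end = parse(0)
    if end != len(text):
        raise FilterError('unexpected text after offset %d' % end)
    return node


def is_well_formed(text):
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against an entry (lower-cased attr -> list of values)."""
    if node[0] == '&':
        return all(matches(sub, entry) for sub in node[1])
    if node[0] == '|':
        return any(matches(sub, entry) for sub in node[1])
    if node[0] == '!':
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == '*':                      # presence test
        return bool(values)
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def search(filter_text, entries):
    node = parse_filter(filter_text)
    return [e['dn'][0] for e in entries if matches(node, e)]


def entry(dn, **attrs):
    """Constructed entry. AD stores objectCategory as a schema DN but resolves the
    short name in filters, so the short name is used here."""
    e = {'dn': [dn]}
    for name, value in attrs.items():
        e[name.lower()] = value if isinstance(value, list) else [value]
    return e


USER = ['top', 'person', 'organizationalPerson', 'user']
ENTRIES = [  # constructed sample directory
    entry('CN=Jane Doe,OU=Users,DC=corp,DC=com', objectClass=USER, objectCategory='person',
          mailNickname='jdoe', userPrincipalName='jdoe@corp.com', homeMDB='CN=Mailbox Database,CN=SG1'),
    entry('CN=Vendor Contact,OU=Contacts,DC=corp,DC=com', objectCategory='person', mailNickname='vendor',
          objectClass=['top', 'person', 'organizationalPerson', 'contact']),
    entry('CN=All Staff,OU=Groups,DC=corp,DC=com', objectClass=['top', 'group'], objectCategory='group',
          mailNickname='allstaff'),
    entry('CN=Svc Account,OU=Service,DC=corp,DC=com', objectClass=USER, objectCategory='person'),
    entry('CN=WS01,OU=Computers,DC=corp,DC=com', objectClass=USER + ['computer'], objectCategory='computer'),
]

# The filter from this post (stray space in mailnickname removed) and the first
# ldifde filter from "Using LDIFDE & ADSIEdit" exactly as typed there.
MAIL_ENABLED = ('(|(&(mailnickname=*)(objectCategory=person)(objectClass=user))'
                '(&(mailnickname=*)(objectCategory=group)))')
LDIFDE_AS_TYPED = ('(&(|(mailnickname=*)(objectClass=user))'
                   '(|(homeMDB=*)(msExchHomeServerName=*))(userPrincipalName=*')
LDIFDE_BALANCED = LDIFDE_AS_TYPED + '))'
```

Feeding it the first ldifde filter exactly as typed in the Sept 25 post raises FilterError, because that filter is two closing parentheses short; the balanced version matches only the mailbox-enabled user. The mail-enabled-objects filter above matches the user and the group but not the contact, since a contact is objectCategory=person without objectClass=user, and a negated presence test such as (&(objectClass=user)(!(mailnickname=*))) pulls out the accounts that are not mail-enabled, computer accounts included.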

Tuesday, September 2, 2008

Google Chrome

For those of you who haven't seen this, a colleague of mine pointed out that Google's Chrome web browser is now available for download. You can grab it here.

Very cool idea of running tabs in different processes. Seems as though they really want to position themselves for running apps (Gmail, Calendar, etc.). I noticed that it seems to require half the memory that Firefox does, and the visual design is very appealing. One cool thing is Chrome's task manager. It shows strain on the system broken out by tab, but it also shows which ones are actively hitting the network. This is useful to find out if your tab is auto-refreshing (whether that be a good or bad thing!).

Another thing that was pointed out was the discrepancy between what Chrome thinks it's using for resources and what Windows' Task Manager thinks it's using. Small difference, but interesting nonetheless.

Now if we can just get some better skins for it... (or at least allow it to use the OS's theme).

Archiving Policies - Hard limit, or Quotas?

I run into this constantly on the job. Many people like the simplicity of a hard-set policy, i.e. archive everything 30 days old or older. My argument is that quotas, while requiring a bit more planning and foresight, are much more dynamic and easily managed in the long run.

My personal preference is to key the archive quota off the warning limit. This way it is seamless to the user: archiving kicks in before the warning notifications fire, and the send/receive limit is never hit either. Another pro to using the warning quota in Exchange is that because users don't see a warning, they don't misinterpret what is going on and try to archive it themselves. This is compounded if the ability to use PSTs has not been disabled via group policy. A hard floor such as "nothing from the last 7 days" will help with potential user grief (especially if the slider on the quota limit tab is set toward size rather than date). Also set "Do not archive messages smaller than", so that users aren't frustrated by having to pull down an archived message that didn't save any space anyway. Stubs tend to be around 2-3 KB, so anything that small is a no-brainer; I like setting the threshold a bit higher to balance overall size savings against user acceptance. Again, this is a culture-based decision.

The quota limit tab is another place decisions come into play. You'll want the percentage of the quota at which archiving begins to be less than what a person could receive in a day, so that a mailbox cannot cross the warning limit between runs. That number also affects how far down to archive. The size-versus-message-age debate is one of, surprise, culture. If your company receives a barrage of large images for viewing/editing, you'll obviously take different steps than if your business relies on email primarily as a quick messaging service.

Now to the dynamic part. The best part about this system is that you only need one policy. This means no messing with automation policies down the road, no messy clean-ups, etc. Merely change the quota limit in Exchange for the mailstore or the individual and voilà. PowerShell scripts in Exchange 2007 make this a very powerful solution!