Friday, December 19, 2008

PowerShell Remove Email Addresses

Removing an email address from many users is a time-consuming task. This PowerShell command will automate the process.

$mailbox = Get-Mailbox mail.alias; $mailbox.EmailAddresses -= "email.alias@mydomain.com"; $mailbox | Set-Mailbox
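The command above handles one mailbox. The following added example (not from the original post) applies the same `-=` technique to every mailbox that carries a secondary address in one domain. The domain `olddomain.example` is a constructed sample value, and the run is a preview because of `-WhatIf`.

```powershell
# Added example. Run in the Exchange Management Shell.
$retiredDomain = 'olddomain.example'   # constructed sample value

# Read all mailboxes first so no Get- pipeline is open while Set-Mailbox runs
$mailboxes = @(Get-Mailbox -ResultSize Unlimited)

foreach ($mailbox in $mailboxes) {
    # Copy the matches before changing the collection.
    # Non-SMTP proxy addresses have no SmtpAddress and never match;
    # the primary (reply) address is always left alone.
    $stale = @($mailbox.EmailAddresses | Where-Object {
        $_.SmtpAddress -like "*@$retiredDomain" -and -not $_.IsPrimaryAddress
    })

    if ($stale.Count -gt 0) {
        foreach ($address in $stale) {
            Write-Output "$($mailbox.Alias): removing $($address.SmtpAddress)"
            $mailbox.EmailAddresses -= $address.SmtpAddress
        }
        # -WhatIf only reports what would be written; remove it to commit
        $mailbox | Set-Mailbox -WhatIf
    }
}
```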

Friday, September 19, 2008

Store.exe using excessive memory


There are many reasons why store.exe would use lots of memory. The strangest one I have found recently was failed backups.
After performing a backup of the mailbox databases the memory utilisation of store.exe dropped from 15.6Gb to 2.9Gb.



The drop in the above screen capture was 1 of 3 drops that occurred during the backup process. So if your store.exe is using heaps of memory and you cannot explain it, check when your last backup was successful.

Thursday, July 24, 2008

Unified Messaging Language Packs

If you are from South Africa or the UK, you'd probably say "what the hell is the pound key?" when the auto assistant on Exchange 2007 asks you to press it.


The default installation of the Unified Messaging role installs the US English Language Pack. If you would like to speak to the auto assistant's sexy and sultry British alter-ego, you need to install the British English Language Pack. She will then prompt you to press the "Hash" key.


To make a date with this British beauty you will need the Exchange 2007 Server media or installation files. The language pack can only be installed from the command prompt.


Exsetup /AddUmLanguagePack:en-GB /sourcedir:d:\Downloads\UmLanguagePacks


Once the pack has installed, simply open Exchange Management Console. Expand Organization Configuration and then Unified Messaging. Right-click the UM Dial Plan you would like to change the language for, and select Properties. Select the Settings tab and change the language pack from English(United States) to English(British).


That's it, instant results.


Monday, June 9, 2008

Anonymous relay

To enable anonymous relay on Exchange 2007 you need to create a new connector, assign an inbound range of IP addresses to it and then enable relay to the anonymous account.

1) Create the connector
In Exchange Management Console, expand Server Configuration and click Hub Transport. On the right, select the hub transport server that will relay. In the Action pane, click "New Receive Connector". Give it a name, preferably something intuitive. "Anonymous Relay" is a good one :) Click Next.
You can leave the next screen alone, unless you plan to use a different IP address for this relay.

Next you need to specify what IP addresses will be allowed to relay through this connector.
Select the default range listed and click Edit. If you are using a single IP address, enter the same address in the start address and end address.
Click OK and then Next. Click New and then Finish to complete this process.

2) The next step actually enables the anonymous relay.
Right-click the new receive connector and select Properties. On the Authentication tab, remove all the existing ticks and place a tick in the "Externally Secured (for example IPsec)" box. On the Permission Groups tab, select Anonymous and Exchange Servers only. Click OK.
Close the Exchange Management Console and open the Exchange Management Shell.
Type in the following:

Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

That's it. The IP addresses you specified in the receive connector will be able to relay to any domain.
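Because the connector's IP range is the only thing limiting who can relay, it is worth confirming which connectors allow relay and from where. This is an added, read-only audit (not from the original post) that reports every receive connector that grants the relay right to anonymous senders or uses "Externally Secured", along with its allowed remote IP ranges. The report column names are illustrative.

```powershell
# Added audit example, read-only. Run in the Exchange Management Shell.
$anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = '*Ms-Exch-SMTP-Accept-Any-Recipient*'
$anyAddress = '0.0.0.0-255.255.255.255'   # matches every IPv4 source address

Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Allow entries that let anonymous senders address mail to any recipient
    $grants = @($connector | Get-ADPermission -User $anonymous |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) })

    # "Externally Secured" is stored as the ExternalAuthoritative mechanism
    $externallySecured = "$($connector.AuthMechanism)" -match 'ExternalAuthoritative'

    if ($grants.Count -gt 0 -or $externallySecured) {
        # Render each allowed range as text, e.g. 192.168.1.10 or a start-end pair
        $ranges = @($connector.RemoteIPRanges | ForEach-Object { "$_" })

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Connector         "$($connector.Identity)"
        $row | Add-Member NoteProperty AnonymousRelayAce ($grants.Count -gt 0)
        $row | Add-Member NoteProperty ExternallySecured $externallySecured
        $row | Add-Member NoteProperty RemoteIPRanges    ([string]::Join(', ', $ranges))
        $row | Add-Member NoteProperty OpenToAnySource   ($ranges -contains $anyAddress)
        $row
    }
} | Format-Table -AutoSize
```

A row with OpenToAnySource set to True means the relay is not limited to specific hosts and the range on that connector should be narrowed.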

Saturday, May 17, 2008

Exchange 2003 and 2007 cannot exchange mail

If you have created the routing group connector using the Management Shell and you are still unable to route mail between Exchange 2003 and Exchange 2007, you may find the permission inheritance on the Exchange 2003 servers has been disabled.

To correct this, you will first of all need to enable the security tab in Exchange 2003 System Manager.

http://support.microsoft.com/default.aspx/kb/264733


1. Start Registry Editor (Regedt32.exe).
2. Locate the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
3. On the Edit menu, click Add Value, and then add the following registry value:
Value Name: ShowSecurityPage
Data Type: REG_DWORD
Radix: Binary
Value: 1


Once this is done, open Exchange System Manager, navigate to each server in turn and edit the properties. On the security tab, click advanced. Tick the "Allow inheritable permission from the parent ... " check box. Click OK twice.

Incidentally, if you run the Best Practices Analyser that comes with Exchange 2007, and choose the 2007 readiness check, it will report this as a problem area if permission inheritance is not enabled.

Tuesday, April 29, 2008

Mail delivery limits and settings

Mail delivery settings in Exchange 2007 are not as easy to find as in Exchange 2003.
The first settings we will look at are the size settings for inbound and outbound SMTP traffic.

To see what your current configuration is, open Exchange Management Shell and type
Get-TransportConfig
(or type get-tran and press Tab until it auto-completes; Tab is auto-complete in PowerShell).

These are the default settings. To configure the maximum outgoing message size, we use the -MaxSendSize switch. Microsoft has been kind enough to allow us to specify the units we are working with, i.e. kb, mb, gb or tb. Kilobytes is assumed if no unit is specified. So we could change the outbound message size to a 10Mb limit by typing:

Set-TransportConfig -MaxSendSize 10mb

We could then also specify the maximum receivable size at 10mb too.

Set-TransportConfig -MaxReceiveSize 10mb

now, if we Get-TransportConfig


Incidentally, you can override these settings on a per-mailbox basis.

Get-Mailbox | Select-Object MaxSendSize, MaxReceiveSize
will return the current setting. If you wish to change it use:
Set-Mailbox mail.alias -MaxSendSize 5mb -MaxReceiveSize 5mb

The last thing I would like to mention is the outbound mail connections.
Many companies use external mail filtering solutions. This means that all inbound and outbound mail is passed through a smart host for processing and delivery. Exchange 2007 does not assume this to be the case straight off. In Exchange Management Console, we need to make a change to the maximum outbound connections per domain. To make this change, expand Server Configuration on the left and select the Hub Transport server that is responsible for delivering to the smart host. Click Properties in the Action pane on the right. Navigate to the Limits tab.
At the bottom, there is the setting. Change the maximum outbound connections per domain to 1000. This will ensure Exchange is able to open as many threads to the smart host as possible.


Limits all set, your mail should be flying in and out.








Friday, April 25, 2008

RPC over https Part 2

Configuring Exchange.

The next step is to configure the Exchange virtual directories. This assumes that you are running all the roles on one server, so you've installed the Client Access, Hub Transport and Mailbox roles on a single server.

Start by opening Exchange management shell.



Now we get started with some almost difficult command-line stuff. If you started out with MS-DOS you should feel quite at home. First we need to set the web services virtual directory internal and external URLs. Type Get-WebServicesVirtualDirectory and press Enter.
(Tip: if you type get-web and press Tab, it will auto-complete for you.)
Click the top-left corner of the shell box, hover your mouse over Edit and click Mark.
Create a block by selecting all the text and then press Enter. Open Notepad and paste the text.
Edit the InternalUrl to reflect the common name you registered in the certificate. Select this URL, click Edit and then Copy.
Go back to the shell and type:

Set-ClientAccessServer -Identity 'servername' -AutoDiscoverServiceInternalUri 'https://thenameonyourcert/autodiscover/autodiscover.xml'


Set-WebServicesVirtualDirectory -InternalUrl 'https://thenameonyourcert/EWS/Exchange.asmx' -Identity 'servername\EWS (Default Web Site)'

Next we set the Outlook Address Book internal URL:
Set-OabVirtualDirectory -InternalUrl 'http://thenameonyourcert/OAB' -Identity 'servername\OAB (Default Web Site)'

Next we set the Outlook Web Access internal URL:
Set-OwaVirtualDirectory -InternalUrl 'https://thenameonyourcert/owa' -Identity 'servername\owa (Default Web Site)'

and finally we set the autodiscover URL:
Set-AutodiscoverVirtualDirectory -InternalUrl 'https://thenameonyourcert/Autodiscover/Autodiscover.xml' -Identity 'servername\Autodiscover (Default Web Site)'

Ok, certificates all done. Now open Exchange Management Console and enable Outlook Anywhere.

You will be prompted for the external address. You need to specify the name on your certificate.
Once successfully installed, your Outlook Anywhere or RPC over HTTPS is configured and ready to use.
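A URL whose host name differs from the certificate's common name produces certificate warnings in Outlook, so it helps to check all the internal URLs in one pass. This is an added, read-only check (not from the original post); `thenameonyourcert` is the post's placeholder and the report column names are illustrative.

```powershell
# Added check, read-only. Run in the Exchange Management Shell.
$certName = 'thenameonyourcert'   # placeholder from the post: the certificate's common name

# Each cmdlet and the property that holds the internal URL it publishes
$sources = @(
    @{ Cmdlet = 'Get-ClientAccessServer';           Property = 'AutoDiscoverServiceInternalUri' },
    @{ Cmdlet = 'Get-WebServicesVirtualDirectory';  Property = 'InternalUrl' },
    @{ Cmdlet = 'Get-OabVirtualDirectory';          Property = 'InternalUrl' },
    @{ Cmdlet = 'Get-OwaVirtualDirectory';          Property = 'InternalUrl' },
    @{ Cmdlet = 'Get-AutodiscoverVirtualDirectory'; Property = 'InternalUrl' }
)

$report = @()
foreach ($source in $sources) {
    $property = $source.Property
    foreach ($item in @(& $source.Cmdlet)) {
        $url = $item.$property          # System.Uri, or $null when not set

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Object    "$($item.Identity)"
        $row | Add-Member NoteProperty Url       "$url"
        $row | Add-Member NoteProperty Https     ($url -ne $null -and $url.Scheme -eq 'https')
        $row | Add-Member NoteProperty NameMatch ($url -ne $null -and $url.Host -eq $certName)
        $report += $row
    }
}

# Rows with NameMatch = False sort first: those URLs will not match the certificate
$report | Sort-Object NameMatch, Https | Format-Table -AutoSize
```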








Thursday, April 24, 2008

RPC over https Part 1

Outlook Web Access and Outlook Anywhere configuration in Exchange 2007 is an interesting procedure. Here are the steps to configure them using an internal root certificate authority.


First install a Stand-Alone root certificate authority, that is, if you don't already have one in your organisation.

Go to Add/Remove Programs in Control Panel. Select "Add/Remove Windows Components".




Select Certificate Services, and click Details. Click in the Select box for Certificate Services CA, you will be shown a dialog box warning that you will not be able to change the name of the server once you install the certificate services. Click Yes and then OK. Click Next. Choose Stand-Alone Root CA and click next. Enter the name of your CA. You can call it whatever you like really. Click Next. Verify the path of the certificate database and log and click next.

You will get a dialog box warning that IIS will be stopped temporarily. Click Yes. Windows will then copy some files, so make sure you have your Windows Server 2003 Disk 1. You may be warned that ASP needs to be enabled on IIS; choose Yes. Click Finish when it's all done.

Next we can get CA Services to automatically issue the certificates on request. In administrative tools, Select Certificate Authority. Right-click "Certificate authority (local)" and click properties. On the Policy Module tab select Properties and choose "follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate." and click ok. The certificate services will restart. Close the Certificate Authority.


Ok, CA installed. The next step is to request a certificate.

Open Internet Information Services Manager from Administrative Tools. Expand your server name and websites. Right-click "Default Web Site" and click properties. On the Directory Security tab, click Server Certificate.


Click Next, select Remove the current certificate, click Next twice and then Finish. Click Server Certificate again. Click Next. Choose Create a new certificate and click Next. Choose Prepare the request now, but send it later. Click Next. Accept the default name and bit length and click Next. Enter your organisation information and click Next. Now the next step is very, very important. Here you enter the common name. This is the name you will enter into your browser to connect to your Outlook Web Access. This name should be a public name. I'm using webmail.rndorg.net. If you get this wrong, your certificate will be useless and you will have to start again. So enter the name and click Next. Choose your country, state/province and city/locality and click Next. Accept the default name and path, click Next twice and then Finish.

Now we need to submit the request to the Root CA. To do this we go into Internet Explorer and navigate to http://caservername/certsrv

Click Request a certificate and then advanced certificate request. Choose the second option, "Submit a certificate request by using .... PKCS #7 file." You can either browse for the file to insert or open c:\certreq.txt in Notepad, select the text, copy and paste it into the block provided, and then submit.

Go back into Certificate Authority from the Administrative Tools menu. Expand the root CA and then Pending Requests. Select and right-click the certificate on the right, click All Tasks and then Issue. Close the CA. Go back into Internet Explorer and back to http://caservername/certsrv/

Click View the status of a pending certificate request, and then the saved request (and the date).

Click Download the certificate. Select the same location as your certificate request.

Go back into IIS management. Right-click Default Web Site and click Properties. Select the Directory Security tab and then click Server Certificate. Click Next, ensure that Process the pending request and install the certificate is selected, and click Next. Click Browse and locate the certnew.cer file you saved earlier. Click Next and accept port 443, click Next twice and then Finish. Close IIS Management. Well done, you now have a web server certificate all installed and ready to go.


Tuesday, April 22, 2008

Domain Functional Level Error

One of the requirements for Exchange 2007 is a Domain Functional Level of "Windows Server 2003" mode or higher. The default installation of Windows Server 2003 R2 having been promoted to a domain controller using dcpromo is not in the required mode. This is the error you will get when trying to install before raising the functional level of the domain.

To fix this, open Active Directory Domains and Trusts, which is located in Administrative Tools.
Right-click on the domain name and select "Raise Domain Functional Level". Select Windows Server 2003 from the drop-down and then click "Raise".



Once this is done (it takes only a few seconds), switch back to your installation and select "Retry".

Provided you have not got any more missing pre-requisites, the installation should go ahead.

Thursday, April 3, 2008

Outlook 2007 password prompt

Outlook 2007 uses HTTPS to collect free/busy and address book information from the Client Access Server (CAS).

If you have a proxy enabled in Internet Explorer, Outlook uses this connection setting for all HTTP and HTTPS traffic. To fix the problem, go to Internet Explorer, select 'Tools' and then 'Internet Options', and navigate to the 'Connections' tab. Click the 'LAN Settings' button. Select Advanced.


Under 'Exceptions' enter the IP address of the Exchange CAS Server.


440 Login Timeout

When you try to log on to Microsoft Exchange Server 2007 by using Microsoft Office Outlook Web Access, you receive the following error message: 440 Login Timeout.

This is an IIS authentication issue. To repair it, do the following from the Exchange Management Shell:


Remove-OwaVirtualDirectory "exchange (default web site)"
Remove-OwaVirtualDirectory "public (default web site)"
Remove-OwaVirtualDirectory "exchweb (default web site)"
Remove-OwaVirtualDirectory "owa (default web site)"

To re-create the Outlook Web Access virtual directories, type the following commands:

New-OwaVirtualDirectory "exchange" -OwaVersion Exchange2003or2000 -VirtualDirectoryType Mailboxes -WebSiteName "Default Web Site"

New-OwaVirtualDirectory "public" -OwaVersion Exchange2003or2000 -VirtualDirectoryType PublicFolders -WebSiteName "Default Web Site"

New-OwaVirtualDirectory "exchweb" -OwaVersion Exchange2003or2000 -VirtualDirectoryType Exchweb -WebSiteName "Default Web Site"

New-OwaVirtualDirectory -name "owa" -OwaVersion Exchange2007 -WebSiteName "Default Web Site"

Test OWA.

It is also possible to remove and re-install the CAS role from the control panel.