Sunday, April 19, 2009

Distribution Group Manager

When I first started using Exchange 2007 I couldn’t understand why, in order to give a user the ability to manage a Distribution Group (DG), i.e. to add and/or remove members, we needed to add him both in the Exchange Console and in Active Directory (AD) Users and Computers.

Well, that’s not exactly necessary... Here’s the explanation (which I think is somewhat stupid…):

In Exchange 2007, the Managed By property works in a different way than in previous versions of Exchange. According to Microsoft, this property is an informational field that users see in Outlook when viewing the properties of the distribution group. This property does not provide the user who is identified in the Managed By property with the ability to modify the members of that DG in Outlook.
To do that we must explicitly grant the required AD directory service permissions, and we have three options:

1. Using the Add-ADPermission cmdlet, which adds permissions to an AD object. For example, to grant me the right to add members to the Lets Exchange Admins distribution group:
Add-ADPermission -Identity "Lets Exchange Admins" -User "Nuno Mota" -AccessRights WriteProperty -Properties "Member"

  • Warning: with this option neither AD Users and Computers (see screenshot below) nor Outlook users will show me as the manager of this DG, but I can still add/remove members, so you might want to use this together with the option on Exchange.

  • Tip: You can also do this by going to the Security tab on the Properties of the DG and manually assign the Write Members special permission to the user.

  • For detailed syntax and information, refer to Add-ADPermission


2. Using the Set-Group cmdlet, which modifies the settings of an existing Microsoft Windows group:
Set-Group -Identity "Lets Exchange Admins" -ManagedBy "Nuno Mota"

  • For detailed syntax and information, refer to Set-Group

3. Using Active Directory Users and Computers itself: right-click on the DG for which you want to set the manager, click Properties, go to the Managed By tab, select the desired user and tick the Manager can update membership list box:

Note: you can only be granted the manager rights on groups in your own domain. This is a limitation because of how Exchange uses the Global Catalogs.

Also, when using options 2 or 3 you can only assign one manager per DG. If you want several managers for the same DG you must use the first option. However, you might also want to set the Exchange Managed By property so that users can see at least one of the managers.
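
The combination described above, as an added example that is not code from the original post: option 1 once per manager (so several users get the right), option 2 for the single informational Managed By value, then a check of the resulting ACEs. The group and user names are placeholders.

```powershell
# Added example, not from the original post: grant several users the right to
# update the membership of one DG (option 1, one ACE per user) and set the
# informational Managed By property to the first of them (option 2).
# Group and user names are placeholders.
$group    = "Lets Exchange Admins"
$managers = @("Nuno Mota", "Jane Doe")   # assumed example user names

foreach ($manager in $managers) {
    # Explicit Write Members right on the AD object; this is what actually
    # lets the user add/remove members from Outlook
    Add-ADPermission -Identity $group -User $manager -AccessRights WriteProperty -Properties "Member"
}

# Managed By accepts a single value and only controls what Outlook displays
Set-Group -Identity $group -ManagedBy $managers[0]

# Verify: list every explicit Allow ACE on the group that covers the Member property
Get-ADPermission -Identity $group |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.Properties -contains "Member" } |
    Format-Table User, AccessRights, Properties -AutoSize

# When a manager leaves, revoke the right rather than leaving a stale ACE behind:
# Remove-ADPermission -Identity $group -User "Jane Doe" -AccessRights WriteProperty -Properties "Member"
```

Periodically re-running the Get-ADPermission check is a cheap way to spot membership rights that were granted by hand in the Security tab and never documented.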

Exchange 2010: in the new version of Exchange this process stays the same. However, through the Exchange Console you can select several managers, but you still have to set the permission in AD, and there only one can be assigned. So why can we select several users in the Exchange Console? I still don’t know…

Friday, April 17, 2009

Message Tracking Log Path

Here is a problem I faced today: when trying to move all the tracking logs for 3 CAS boxes from the C: to the D: drive I used the command:

Get-TransportServer | Set-TransportServer -MessageTrackingLogPath D:\LogFiles\MessageTracking

At the time, I didn’t know that if the folder doesn’t exist Exchange will automatically create it. So, I manually created the folders, copied all the logs to the new location (because existing logs remain in their previous location and only new ones are created in the new location) and immediately ran the command. After a couple of minutes I checked the Date Modified of the last log in the new folder and it showed that Exchange was using the new folder. Ok, it’s done! :)
Not exactly...

When I went to the Application Log on the Event Viewer, I saw a few of these errors there:


Event Type: Error
Event Source: MSExchange Common
Event Category: Logging
Event ID: 6004
Date: 16/04/2009
Time: 09:20:32
User: N/A
Computer: DS-EXCAS3
Description: MessageTrackingLogs: Failed to write logs because of the error: Access to the path 'MSGTRK20090317-1.LOG' is denied..

What?! That’s from one month ago!
Ok, let’s look at my current configuration:

MessageTrackingLogEnabled : True
MessageTrackingLogMaxAge : 30.00:00:00
MessageTrackingLogMaxDirectorySize : 2GB
MessageTrackingLogMaxFileSize : 20MB
MessageTrackingLogPath : D:\LogFiles\MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True


Here’s the problem: as you can see, I have it set so that Exchange only keeps 30 days of tracking logs. Since I manually created the new folders, I didn’t set the correct permissions on them. So Exchange couldn’t delete that log from one month ago! It was creating new ones and logging everything, it just couldn’t delete that one...

If you let Exchange create the target folder for the logs when you run the command, Exchange will assign the correct permissions to it. But if you create the folder manually, make sure you give it the following permissions:

NETWORK SERVICE: Modify, Read & Execute, List Folder Contents, Read and Write (also give it the Delete Subfolders and Files permission!)
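
A scripted version of the fix, as an added example that is not code from the original post: move the log path, grant NETWORK SERVICE the rights listed above on a folder that already existed, and then look for the 6004 events from the post. The path is a placeholder; the event source and ID come from the post.

```powershell
# Added example, not from the original post: relocate the message tracking logs
# and give a manually created folder the ACL Exchange would otherwise set itself.
# $newPath is a placeholder.
$newPath = "D:\LogFiles\MessageTracking"

# If the folder does not exist yet, Exchange creates it and sets the ACL itself
Get-TransportServer | Set-TransportServer -MessageTrackingLogPath $newPath

# If the folder was created by hand, add NETWORK SERVICE with Modify plus
# Delete Subfolders and Files, inherited by all files and subfolders, so the
# MaxAge cleanup can remove old MSGTRK*.LOG files.
$acl     = Get-Acl -Path $newPath
$rights  = [System.Security.AccessControl.FileSystemRights]"Modify, DeleteSubdirectoriesAndFiles"
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "NT AUTHORITY\NETWORK SERVICE",
    $rights,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $newPath -AclObject $acl

# Verify the resulting entry for NETWORK SERVICE
(Get-Acl -Path $newPath).Access |
    Where-Object { $_.IdentityReference -like "*NETWORK SERVICE" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Any remaining "Failed to write logs" errors (event 6004, source MSExchange Common)
Get-EventLog -LogName Application -Source "MSExchange Common" -Newest 50 |
    Where-Object { $_.EventID -eq 6004 } |
    Format-Table TimeGenerated, EventID, Message -AutoSize
```

Run the event log check again a day or two later: the 6004 error only appears when the retention cleanup actually tries to delete a file older than MessageTrackingLogMaxAge.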

Just out of curiosity, this is the command I used to configure the Message Tracking Logs for my CAS boxes:

Get-TransportServer | Set-TransportServer -MessageTrackingLogEnabled $True -MessageTrackingLogPath "D:\LogFiles\MessageTracking" -MessageTrackingLogMaxAge "30.00:00:00" -MessageTrackingLogMaxDirectorySize 2GB -MessageTrackingLogMaxFileSize 20MB -MessageTrackingLogSubjectLoggingEnabled $True

Hope this helps!

Wednesday, April 15, 2009

Exchange 2010 Beta Available

Microsoft released today a public beta of Microsoft Exchange Server 2010, part of Microsoft’s unified communications family (http://www.microsoft.com/uc).

This release introduces a new integrated e-mail archive and features to help reduce costs and improve the user experience. The beta is available for download at
http://www.microsoft.com/exchange/2010/en/us/trial-software.aspx.

According to Microsoft, Exchange Server 2010 will become available in the second half of 2009. Microsoft Office 2010 and related products will enter technical preview in the third quarter of 2009 and become available in the first half of 2010.

“Exchange 2010 ushers in the next generation of Microsoft unified communications software as the first server designed from inception to work both on-premises and as an online service,” said Rajesh Jha, corporate vice president of Exchange at Microsoft. “This release raises the bar with new archiving and end-user innovations that will help companies save money and employees save time.”
Top Reasons to Try Microsoft Exchange Server 2010 Beta

Solution Deployment Flexibility and Choice
Exchange Server 2010 offers new, flexible deployment options, which allow you to deliver powerful productivity tools to your users in a way that best fits your business or technology needs.

Simplified High Availability and Disaster Recovery
Exchange Server 2010 introduces a simplified approach to high availability and disaster recovery, to help you achieve new levels of reliability and reduce the complexity of delivering business continuity.

Ease Administration and Lower Help Desk Dependency
Exchange Server 2010 provides new self-service capabilities to help users perform common tasks without calling the help desk.

Greater Mobility and Flexible Access
Exchange Server 2010 offers an enhanced universal inbox experience, which provides your users with access to all of their business communications from a single location.

Ease Inbox Overload and Increase Productivity
Exchange Server 2010 adds new productivity features which help your users organize and prioritize the communications in their inboxes efficiently.

Transform Traditional Voice Mail
With Exchange Server 2010, users can receive their voice mail messages in their inbox with text preview.

Achieve and Maintain Compliance
Exchange Server 2010 delivers new integrated archiving functionality to help simplify compliance and discovery.

Safeguards for Sensitive Information
With centrally managed and enforced information protection and control capabilities, Exchange Server 2010 makes it easy to encrypt, control and moderate your company's communications.

Reduced Risk of Malware and Spam
Exchange Server 2010 actively helps protect your communications through built-in defenses against viruses and junk e-mail, and support for an array of third-party security products.


Links

Official Website

http://www.microsoft.com/exchange/2010

Microsoft Exchange Server 2010 Beta Documentation
http://technet.microsoft.com/en-us/library/bb124558(EXCHG.140).aspx

What's New in Exchange Server 2010
http://technet.microsoft.com/en-us/library/dd298136(EXCHG.140).aspx

Sunday, April 5, 2009

Exchange Availability Service

For some Exchange Administrators, the Availability service is still a mystery or, at least, not quite well understood. So, let’s talk more about this new feature on Exchange 2007.

Basically, this service provides free/busy (f/b) information about Outlook 2007 users, used to determine users’ availability when scheduling meetings, in an up-to-date, reliable and secure way. Outlook obtains the URL of the Availability service via the AutoDiscover service (maybe discussed in a future post!), which is responsible for providing the client with its display name, the location of its mailbox, the Outlook Anywhere server settings and the URLs for f/b information, Unified Messaging and the Offline Address Book (OAB).

Let’s go back a couple of years... In Exchange 2000 and 2003, and with clients older than Outlook 2007, a special public folder is used to store users' calendar f/b information. This folder is named SCHEDULE+ FREE BUSY and contains several subfolders, one for each administrative group.

Figure 1: The SCHEDULE+ FREE BUSY System Folder on Exchange Server 2003

Outlook periodically publishes the calendar f/b information into this folder, which then allows other users to query it when scheduling a meeting. However, imagine a corruption of the public folder database, or consider how often public folder replication causes a lag between the time a user updates his calendar and the time the f/b information becomes available, resulting in out-of-date f/b information.

Back to the present...
Besides providing Outlook Anywhere, Outlook Web Access, ActiveSync and other non-MAPI forms of connectivity, the Client Access Server (CAS) also provides two very important and vital services for an Exchange 2007 infrastructure: the AutoDiscover and the Availability Web Services.
With Exchange 2007, the f/b information is now obtained directly from the target mailbox rather than from the SCHEDULE+ FREE BUSY system folder. This is how f/b information is now retrieved in real time.

Note: since this is a new functionality, Outlook 2007 clients running on Exchange Server 2003 mailboxes will use public folders for the f/b information. The same thing happens with the OAB distribution.

How does it work?
1. By using AutoDiscover, Outlook establishes a connection to the CAS server running the Availability service
2. The CAS server determines on which mailbox server the target mailbox is
3. The CAS server communicates with the mailbox server (via MAPI) and obtains the f/b information
4. The results are then returned to the user

Scenario 1
In this case, both servers are in the same Active Directory (AD) site. If they were in different ones, the CAS server would make an HTTPS connection to the CAS server located in the AD site of the target user, which would obtain the information and return it to the original CAS server and then to the user.

Scenario 2
If the target user has his mailbox on an Exchange 2003 server, a situation very common during migrations, the Availability service will have to obtain the f/b information from the SCHEDULE+ FREE BUSY system folder by making an HTTPS request to the /Public virtual directory on the mailbox server hosting that folder.

Scenario 3
What if the user is running Outlook 2003, for example? Well, in this case it doesn’t matter on which server, 2003 or 2007, the target mailbox is, because Outlook 2003 will always attempt to gather and publish the f/b information from/to the SCHEDULE+ FREE BUSY system folder. How could it use the Availability service if it is a new functionality?

Scenario 4
What about when using Outlook Web Access (OWA)? In this situation, OWA works just like Outlook would.

Calendar Information
The Availability service also enables users to share their calendar information in a more granular way. For each target user/group, the user can choose one of four levels of sharing:
· Share nothing
· Share their Free-Busy information
· Share a little more detail including subject, location and timing
· Full calendar details.
Figure 2: Calendar Sharing Properties

Distribution Groups
While in previous versions of Exchange the expansion of Distribution Groups (DGs) was done by a Global Catalog, now it is done by Exchange 2007. This allows the Availability service to provide consistent behavior for any Availability service user when expanding a DG. On Exchange 2003, for example, if the number of distribution group members was too large, the f/b data for the distribution group members would display as busy when expanded.

Configuring the Availability service
As I said before, it is crucial that the AutoDiscover service be configured for Outlook 2007 clients, as this service is the one responsible for allowing users to locate the Availability service. Most of its configuration is done automatically in a single-forest environment with no external Outlook access configured. However, there are three situations where further configuration is necessary:
1. To provide external access to Exchange Web Services, like Outlook Anywhere
2. To access f/b data in a cross-forest topology
3. To access the Availability service when a Network Load Balancing array of CAS servers is in place

Since this post is already getting too long, I’m just going to give a simple example of how to do this when you are using NLB for your CAS servers, without going into much detail:

1. In the Exchange Management Shell use the Get-WebServicesVirtualDirectory cmdlet to check the ExternalUrl in use, for example:
Get-WebServicesVirtualDirectory -Identity "«CAS_Server»\EWS (Default Web Site)"
2. If necessary, modify this external URL using the Set-WebServicesVirtualDirectory cmdlet, for example:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl "https://«fully_qualified_domain_name»/EWS/Exchange.asmx"
where «fully_qualified_domain_name» is the externally accessible DNS host name of the CAS computer.

Note that this cmdlet is also used to set the -InternalUrl parameter for an NLB cluster.

Troubleshooting the Availability service
If Outlook 2007 users can’t view calendar information for other Outlook 2007 users, the problem might be a failure in either the Availability or the AutoDiscover service. So, my suggestion is to first take a look at the latter.

First, let’s see if the AutoDiscover service is unable to provide information to the clients by using Outlook 2007.
1. In Outlook 2007, log on to the mailbox of the user for whom you want to troubleshoot
2. On the Tools menu, click Options, click the Other tab, and then click Advanced Options
3. On the Advanced Options page, select Enable logging (troubleshooting), and then click OK
4. Restart Outlook and then try to view free/busy information for another user
5. Click Start, Run, and then type %temp%
6. In Windows Explorer, open the olkdisc.log file and locate the files in the olkas directory
7. The information that is contained in this directory can frequently provide information about which service is not functioning correctly

Secondly, let’s use Outlook 2007 to test the AutoConfiguration information that the AutoDiscover service provides. To test this, and while Outlook is running:
1. Hold down the CTRL key, right-click the Outlook icon in the notification area, and then select Test E-mail AutoConfiguration
2. Verify that the correct e-mail address is in the box next to E-mail Address
3. Clear the check boxes next to Use Guessmart and Secure Guessmart Authentication
4. On the Test E-mail AutoConfiguration page, verify that the check box next to Use AutoDiscover is selected, and then click the Test button

Take a look at the Results and Log tabs and check the information there for possible errors.

This was the client side. On Exchange, there are also two ways to determine whether the Availability service is functioning correctly.
The first is to use the Application Event Log on the CAS server to check for events generated by the Availability service, for example events 4001, 4003, 4005 and 4011, or any event with an event source of “MSExchange Availability”.
The other is to use the Test-OutlookWebServices cmdlet in the Exchange Management Shell to determine whether the Availability service is functioning correctly.

To diagnose the Availability service issues for an individual user:
Test-OutlookWebServices -Identity n.mota@letsexchange.com

To diagnose the Availability service issues for a CAS server:
Test-OutlookWebServices -ClientAccessServer EXCAS1

To diagnose the Availability service issues across different sites:
Test-OutlookWebServices -Identity n.mota@site1.letsexchange.com -TargetAddress j.smith@site2.microsoft.com

The resulting output will provide error details about the Availability service.
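
The NLB configuration steps and the server-side checks above, combined into one script as an added example that is not code from the original post. The NLB host name is an assumption; the mailbox address and the event IDs and source are taken from the post.

```powershell
# Added example, not from the original post: point the EWS URLs of every CAS at
# the load-balanced name, then verify the Availability service from the shell.
$nlbFqdn  = "mail.letsexchange.com"      # assumed NLB host name (placeholder)
$testUser = "n.mota@letsexchange.com"     # address used in the post
$ewsUrl   = "https://$nlbFqdn/EWS/Exchange.asmx"

# Both URLs go to the NLB name so that AutoDiscover hands Outlook 2007 clients
# an EWS endpoint that resolves to the array rather than to one CAS
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl $ewsUrl -ExternalUrl $ewsUrl

# Confirm what each CAS now advertises
Get-WebServicesVirtualDirectory | Format-Table Server, InternalUrl, ExternalUrl -AutoSize

# Run the built-in test for one mailbox and keep only the failed steps
$results = Test-OutlookWebServices -Identity $testUser
$failed  = $results | Where-Object { $_.Type -eq "Error" }
if ($failed) {
    $failed | Format-List Id, Type, Message
} else {
    Write-Output "Test-OutlookWebServices reported no errors for $testUser"
}

# Recent Availability service events on this CAS (IDs named in the post)
$availabilityIds = 4001, 4003, 4005, 4011
Get-EventLog -LogName Application -Source "MSExchange Availability" -Newest 100 |
    Where-Object { $availabilityIds -contains $_.EventID } |
    Format-Table TimeGenerated, EventID, Message -AutoSize
```

Run the last two checks on each CAS in the array, since Test-OutlookWebServices exercises the server the shell is connected to.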

If you’re using the Availability service in a cross-forest scenario, please note that this service has a time limit when it performs an AutoDiscover service request for cross-forest users in the AD directory service. By default, this is 10 seconds. If the AutoDiscover request does not finish within 10 seconds, the Availability service request for the cross-forest user may time out. This might be because the URL for the user is not cached, the AutoDiscover service is running slowly or it is experiencing network latency.
If you want to increase this time-out value, follow these steps (in this case to increase it to 24 seconds):
1. Locate the Outlook Web Access Web.config file on the CAS server. The default location is in the following directory: C:\Program Files\Microsoft\ExchangeServer\ClientAccess\Owa
2. Make a backup copy of this file
3. Open the original file by using Notepad. Do not use IIS or WordPad to edit it
4. Add the following section directly under the Configuration node after the appSettings section:
5. Save the Web.config file.

If you have client computers running Outlook 2003 and earlier or Microsoft Entourage in your organization, they require a public folder database to support Schedule+ Free Busy functionality. Exchange 2007 is the first version of Exchange that gives you the option to not use public folders. However, until all your client computers are running Outlook 2007, you should continue to use public folders. This is why the Exchange 2007 Server Setup Wizard asks you whether Outlook 2003 or Entourage clients exist in your organization. Let’s see if in Exchange 14 we’ll still be able to work with pre-Outlook 2007 versions that still rely on public folders.

Saturday, April 4, 2009

Hello Everyone!

This is my first blog, so please forgive me if the first couple of posts aren’t that great... It will be 99% about Microsoft Exchange: sometimes questions and problems I face at work, sometimes news, tasks or functionalities I like and think might be useful to others.

They say that the best way to learn is to teach. Well, I’m not here to teach anyone. What I’m here to do is to share my knowledge with everyone out there who is interested and to learn from them. Hence the name Lets Exchange!

I sincerely hope you like this blog and, with time, become a regular reader. I will make an effort for that!

Regards,
Nuno Mota