5/26/11
Just because MS says Exchange 2010 uses the CAS for MAPI communications doesn't mean this is always the case
I recently had to upgrade to Exchange 2010 SP1 in a complex environment. I thought that, as TechNet states (http://technet.microsoft.com/en-us/library/ee332317.aspx), Outlook clients with Exchange 2010 mailboxes will always use the CAS server for MAPI (Mail RPC) traffic. In our case we found Outlook communicating with the Mailbox servers directly, specifically Mailbox servers with public folder databases. I suspect that there is a great deal that occurs with Exchange that Microsoft never publishes.
5/25/11
Corrupt exchange 2003 conference room mailboxes
I recently started moving mailboxes from 2003 to 2010 SP1. When it came time to move the conference room mailboxes it was a no go.
Specifically, Exchange 2010 SP1 states that these mailboxes are in an inconsistent state because validation cannot be performed on the attributes.
The attribute in question was the "mailNickname" attribute. It turns out that my conference room mailboxes have whitespace and a trailing decimal or period. Both of these character uses are illegal in Exchange 2010 SP1.
The solution?
Luckily all of the conference room mailboxes are in a single OU in AD.
I wrote a script to perform the actions of replacing whitespace with an underscore and removing any number of trailing period characters.
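# Replace whitespace (a whitespace character plus any spaces that follow it)
# with an underscore. Accepts input as an argument or from the pipeline.
Function Remove-Spaces {
    param($target)
    begin {
        filter Do-RemoveSpaces { $_ -replace "\s *", "_" }
    }
    process { if ($_) { $_ | Do-RemoveSpaces } }
    end { if ($target) { $target | Do-RemoveSpaces } }
}

# Uncomment ONE of the following lines to select the mailboxes to process.
#$objArray = get-mailbox -identity "QuandaryPeak"
#$objArray = get-mailbox -organizationalunit "hq.corp.viasat.com/ViaSat West/Resource Mailboxes/Conference Rooms"

foreach ($obj in $objArray)
{
    $tempstring = $obj.alias
    $tempstring = remove-spaces $tempstring    # whitespace -> "_"
    $tempstring = $tempstring.trimend(".")     # strip all trailing periods
    set-mailbox -identity $obj -alias $tempstring
}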
You must uncomment one of the $objArray lines (remove the '#' character) to make the program work. You use get-mailbox to gather the objects you want to process.
One odd side effect I found was that it sets the new alias as the primary SMTP reply address in our system. I don't have access to 2003 so this is probably to be expected via the 2003 configuration. Alternatively, I looked at writing a similar program using get-ADObject and set-ADObject; modifying the property directly, without using the set-mailbox cmdlet, would prevent setting the primary SMTP reply address to the alias.
References: http://msdn.microsoft.com/en-us/library/system.string_methods.aspx
References: http://powershell.com/cs/blogs/tips/archive/2009/09/14/trap-and-try-catch.aspx
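A dry-run variant of the clean-up above, added here as an example and not part of the original script: it computes the proposed alias for each mailbox and flags empty results and collisions before anything is written. The sample aliases are constructed, Get-SanitizedAlias and Get-AliasPlan are hypothetical helper names, and the pattern is \s+ so that any run of whitespace becomes a single underscore.

```powershell
# Added example. Sample aliases are constructed; helper names are hypothetical.
function Get-SanitizedAlias {
    param([string]$Alias)
    # Same two rules as the script above: whitespace -> "_", strip trailing periods.
    ($Alias -replace '\s+', '_').TrimEnd('.')
}

function Get-AliasPlan {
    param([string[]]$Aliases)
    $plan = @($Aliases | ForEach-Object {
        New-Object PSObject -Property @{
            Old = $_; New = (Get-SanitizedAlias $_); Status = 'rename'
        }
    })
    # Aliases must stay unique, so find targets that more than one input maps to.
    # Group-Object compares case-insensitively by default.
    $dupes = @($plan | Group-Object New | Where-Object { $_.Count -gt 1 } |
               ForEach-Object { $_.Name })
    foreach ($p in $plan) {
        if ($p.New.Length -eq 0) {
            $p.Status = 'EMPTY'          # e.g. an alias made only of periods
        } elseif ($dupes -contains $p.New) {
            $p.Status = 'COLLISION'      # two mailboxes would share one alias
        } elseif ($p.New -ceq $p.Old) {
            $p.Status = 'unchanged'
        }
    }
    $plan | Select-Object Old, New, Status
}

# Constructed input: 'Room 101.' sanitises to 'Room_101', which already exists.
$sample = 'Room 101.', 'Room_101', 'Training  Room B..', 'Boardroom'
Get-AliasPlan $sample | Format-Table -AutoSize

# Against Exchange, pass in the real aliases (including those outside the OU,
# since uniqueness is organisation-wide) and preview each write with -WhatIf:
#   Get-AliasPlan (Get-Mailbox -ResultSize Unlimited | ForEach-Object { $_.Alias })
#   Set-Mailbox -Identity <mailbox> -Alias <new alias> -WhatIf
```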
5/23/11
The case of missing distribution group members in users Outlook GAL / OAB
I recently ran into a very peculiar issue. I had users on Outlook 2007 & complaining about missing entries for distribution groups. Now keep in mind that until now we have been using Exchange 2003 with Outlook 2003, 2007, and 2010 with no issues at all.
So we start migration of some 2003 mailboxes to 2010. Keep in mind 2010 SP1 has been configured for weeks with no 2003 mailboxes showing signs of this issue...
So I go to test this in OWA with a test 2010 mailbox. Well, I don't see anything wrong: every user that should be there according to get-distributiongroupmember -identity "DL-AllHandsNYC" is there. What are the users smoking? OK, I pull up Outlook 2010 and yep, they are right: missing entries. Now normally I would send a test email and see if the missing members get the mail and stop there, but I must make them viewable.
So maybe an issue with 2010 sp1 OAB distribution? Nope!
There are massive numbers of objects with the "hiddenfromaddresslistsenabled" attribute set to $true!!! How has this not been an issue until now?
The behavior was only noticed when our 2010 mailboxes started beta testing the system.
Long story short the fix is easy:
The solution: set "HiddenFromAddressListsEnabled" to $false
get-recipient -recipienttype MailContact -resultsize unlimited -filter {HiddenFromAddressListsEnabled -eq $true} | set-contact -HiddenFromAddressListsEnabled $false
get-recipient -recipienttype UserMailbox -resultsize unlimited -filter {HiddenFromAddressListsEnabled -eq $true} | set-mailbox -HiddenFromAddressListsEnabled $false
get-recipient -recipienttype DistributionGroup -resultsize unlimited -filter {HiddenFromAddressListsEnabled -eq $true} | set-distributiongroup -HiddenFromAddressListsEnabled $false
get-recipient -recipienttype PublicFolder -resultsize unlimited -filter {HiddenFromAddressListsEnabled -eq $true} | set-publicfolder -HiddenFromAddressListsEnabled $false
Some objects were corrupt and get-recipient -resultsize unlimited -filter {HiddenFromAddressListsEnabled -eq $true} will show you any left over items that need repair/conversion.
Issues with OAB after applying URL simplification: Exchange 2010 SP1
Arriving at work I found out that OAB was giving some users issues. Specifically they are stuck at "Offline Address Book is connecting to Exchange Server".
A little research led me to discover others have had this behavior. http://social.technet.microsoft.com/forums/en-US/exchangesvrgeneral/thread/548f2ecc-faae-4744-8b33-7de536196d7d/?prof=required
Looking at C:\program files\Microsoft\exchange\v14\clientaccess\oab\ the permissions are set correctly. However, looking at the parent folder of \oab\ I discovered that there are not enough necessary permissions established to complete the permissions chain and give the desired effective permissions on the subfolder.
http://technet.microsoft.com/en-us/library/dd535384(EXCHG.80).aspx
I am still in testing on this one. I noticed that the CAS servers that did not have redirection performed upon them had the same /oab/ permissions structure so if this fixes the issue I am really confused. Alternatively, I am seeing some issue with permissions for the "authenticated users" on the web.config file that is generated by the redirection process. I have noticed that "authenticated users" have only read permissions on the web.config file and I am testing to see if https://mail.myorg.com/oab/yourguid/oab.xml returns an http 500 error code.
Well, instead of HTTP 500 I get 403; I enabled directory listing for the oab dir and now I can list the oab.xml. I have a new issue, which is that using OWA all distribution group members show up. Using outlook.exe only specific members of the groups show up. There is not a consistent listing of distribution group members between OWA's OAB and that of outlook.exe 2k7/2k10.
Still working on this issue; will update.
5/17/11
Dreaded 0x8004010f & OAB
I have recently deployed an Exchange 2010 SP1 system and a small percentage of users were getting this when accessing the system remotely.
Client Details
outlook 2010
Fix
I enabled the web-distribution on all of the CAS servers in the CAS array.
There appear to be a multitude of issues associated with this very generic MAPI error. http://blogs.technet.com/b/exchange/archive/2007/04/19/3401966.aspx
Get-Mailbox queries and -filter {}
I tried doing some get-mailbox queries recently with the -filter {property -like "*this*"} business, but could not get things going. I came to find out that -organizationalunit and -recipienttypedetails are not available inside the -filter {} argument code block. This is because they are their own special-purpose arguments. For instance, get-mailbox -organizationalunit "corp.pvt/NorthAmerica/Accounts/General/" will get all the mailboxes in the North American General Accounts OU structure.
-recipienttypedetails legacymailbox; is how you find the 2003 mailboxes in your system during co-existence.
Some things like DistinguishedName work fine with the -filter {} argument.
Any of these methods are preferred over get-mailbox | where {$_.attribute -like "*String*"}
I should mention my environment is entirely SP1 2010.
http://technet.microsoft.com/en-us/library/bb124268.aspx
http://exchangepedia.com/blog/2007/02/opath-filterable-properties-that-can-be.html
5/12/11
Exchange 2010 sp1 / 2003 Co-Existence Event ID 4003 & 4004
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/3203b390-d52a-4e81-8a7e-c2266d909589/
I have unchecked SSL required on the "/public" virtual directory in IIS for all of my CAS servers.
Update: The issues have mostly gone away after opening ports between my 2010 CAS servers and the Exchange 2003 servers hosting the public folder databases. Specifically ports 80, 135, and dynamic RPC ports were opened.
Exchange 2010 SP1 CAS server event ID 1033
After moving into the testing phase of the 2010 sp1 deployment I have started noticing a multitude of 1033 errors on the four CAS servers in the CAS array.
Source service is MSExchActiveSync
It turns out that the web.config file is missing an entry for the "ExternalProxy" setting. Which is fine if you don't use it.
To make the error go away, add this entry to your web.config file and do an iisreset /noforce, which may take a while in a production environment. In fact you may need to drainstop the particular CAS server in the NLB service first to get the active connections to 0 so that iisreset /noforce works.
For the code to insert in the web.config file see this thread:
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/7a308dcc-56b2-4c29-a586-7b476b913998
Passive Database Copies Event ID 123
Started getting errors in the event log for some passive copies of databases. Not sure why yet; there doesn't seem to be a pattern. Get-MailboxDatabaseCopyStatus shows everything being fine, but there are errors being generated in the log on the server hosting the passive copy.
Event ID 123 search catalog corrupt
http://technet.microsoft.com/en-us/library/ee633475.aspx
This command should ensure all the parameters are correct in generating a new search catalog:
update-mailboxdatabasecopy -SourceServer Exch03 -Identity "MBDB03\Exch01" -Network DagReplicationNetwork -CatalogOnly
In this scenario Exch03 has the active db MBDB03, and Exch01 holds a passive copy. There are four DAG networks; only one, "DagReplicationNetwork", is for replication.
5/11/11
New Exchange 2010 sp1 Learning Links
http://technet.microsoft.com/en-us/ff871920
http://www.microsoft.com/events/series/tnexchangeserver.aspx?tab=webcasts&id=43235
Exchange 2010 SP1 routing: pickup directory
In addition to processing mail via SMTP and the Store driver (Think Get/Push mail from mailbox databases) Exchange will process mail messages placed in a folder on the hard disk of a HubTransport server. Known as the "pickup folder" it is not configured by default in Exchange 2010 sp1.
Set-TransportServer -identity ExchHub01 -pickupfolder "C:\incomingMail\"
For more information on configuration of the pick up folder see:
http://technet.microsoft.com/en-us/library/bb124549.aspx
Exchange 2010 SP1 routing: auditing current mail routing
The get-adsitelink cmdlet allows you to view the cost metrics associated with AD sites in your organization. You can use this information to determine how mail is routed within your organization. Keep in mind that if you only have a select number of internet-facing hub transport servers, all mail routing to the internet goes through them. Therefore, you must calculate the cost from any given hub transport server to these servers to determine which one will be used for internet-bound email. Hub transport servers with a send connector namespace of * will be "catch-all" send connectors matching all destination email domain namespaces not specified by any other connector in the Exchange organization.
http://technet.microsoft.com/en-us/library/bb123486.aspx
You could override the AD site cost to manipulate the way exchange routes using:
Set-ADSiteLink -Identity 'Atl-Nyc' -ExchangeCost 10
If you decide to remove this Exchange-specific configuration for site link cost you can do so:
Set-ADSiteLink -Identity 'Atl-Nyc' -ExchangeCost $null
For a list of all of the "Sites" in active directory use get-adsite
http://technet.microsoft.com/en-us/library/bb124239.aspx
A bit simplistic, but viewing all of the hub transport servers in your Exchange organization is important; be sure to use get-transportserver
http://technet.microsoft.com/en-us/library/bb125246.aspx
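The cost calculation described above, worked through as an added example that is not from the original post: a shortest-path search over site links that uses the ExchangeCost override where one is set. Site names, costs and the helper names are constructed for illustration, and only total cost is modelled (no tie-breaking rules).

```powershell
# Added example. Site names and costs are constructed; the property names mirror
# the Sites, ADCost and ExchangeCost columns reported by Get-ADSiteLink.
$links = @(
    New-Object PSObject -Property @{ Name = 'Chi-Atl'; Sites = 'Chicago','Atlanta'; ADCost = 50;  ExchangeCost = $null }
    New-Object PSObject -Property @{ Name = 'Atl-Nyc'; Sites = 'Atlanta','NewYork'; ADCost = 100; ExchangeCost = 10 }
    New-Object PSObject -Property @{ Name = 'Chi-Dal'; Sites = 'Chicago','Dallas';  ADCost = 70;  ExchangeCost = $null }
)

function Get-EffectiveCost($link) {
    # An Exchange-specific cost, when set, is used instead of the AD cost.
    if ($null -ne $link.ExchangeCost) { $link.ExchangeCost } else { $link.ADCost }
}

function Get-LeastCostRoute {
    param($Links, [string]$From, [string[]]$InternetSites)
    $dist = @{ $From = 0 }; $prev = @{}; $done = @{}
    while ($true) {
        # Dijkstra: take the cheapest site that has not been finalised yet.
        $cur = $dist.Keys | Where-Object { -not $done[$_] } |
               Sort-Object { $dist[$_] } | Select-Object -First 1
        if (-not $cur) { break }
        $done[$cur] = $true
        foreach ($l in $Links | Where-Object { $_.Sites -contains $cur }) {
            foreach ($next in $l.Sites | Where-Object { $_ -ne $cur }) {
                $cost = $dist[$cur] + (Get-EffectiveCost $l)
                if ((-not $dist.ContainsKey($next)) -or ($cost -lt $dist[$next])) {
                    $dist[$next] = $cost; $prev[$next] = $cur
                }
            }
        }
    }
    # Report every reachable internet-facing site, cheapest first.
    $InternetSites | Where-Object { $dist.ContainsKey($_) } | ForEach-Object {
        $path = @($_); $s = $_
        while ($prev.ContainsKey($s)) { $s = $prev[$s]; $path = @($s) + $path }
        New-Object PSObject -Property @{
            Site = $_; Cost = $dist[$_]; Path = ($path -join ' -> ')
        }
    } | Sort-Object Cost | Select-Object Site, Cost, Path
}

# Hub transport server in Chicago; internet-facing hubs in NewYork and Dallas.
Get-LeastCostRoute -Links $links -From 'Chicago' -InternetSites 'NewYork','Dallas' |
    Format-Table -AutoSize
```

With the ExchangeCost of 10 on 'Atl-Nyc', NewYork is reached at total cost 60 and is listed ahead of Dallas at 70; clear that override and the AD cost of 100 makes the NewYork path 150, so Dallas comes first.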
5/10/11
Exchange 2003 to 2010 migration: Moving the OAB generation server
This one was very easy. I used the following tech-net article as a reference: http://technet.microsoft.com/en-us/library/bb125184.aspx
get-offlineaddressbook
Ok I only have the Default-OfflineAddressBook
get-offlineaddressbook | fl name, PublicFolderdatabase
Ok I can see the Exchange 2003 server is hosting the OAB.
get-offlineaddressbook | move-offlineaddressbook -server "Exchange2010mbx1"
This gives you a warning in Exchange 2010 SP1 stating that you should wait until this finishes occurring in the background before changing the PublicFolder distribution point. I will give it a couple of days and change this to 2010.
I now perform a get-offlineaddressbook | ft name, Server, PublicFolderDatabase
I can see the Exchange 2010 server is the OAB generating server, but the Exchange 2003 server is still publishing the OAB through public folders.
Not a very command intensive move and so far no issues with AD/Exchange 2003 compatibility.
Found a good screen shot blog with issues while performing these actions: http://blog.ronnypot.nl/?p=212
For a better understanding of OAB's in Exchange 2010 SP1 go here: http://technet.microsoft.com/en-us/library/bb232155.aspx
Issues sending mail to Exchange 2003 mailboxes during Exchange 2003/2010 co-existence
Shortly after upgrading some mailboxes to 2010 it became apparent that, when sending emails to an Exchange 2003 distribution list, some of the Exchange 2003 mailbox recipients specified by the distribution list were bouncing with a 5.2.1 NDR message:
"There's a problem with the recipient's mailbox. Please try resending this message. If the problem continues, please contact your helpdesk."
After some searching I found a great fact-finding post on the TechNet forums: http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/552513a7-c70b-4c52-b208-173751d393e8/
Further inquiry resulted in these links:
This is one of the less common experiences I have had during Co-Existence.