Quarantine Mailbox: Displaying original SCL, sender and recipients

In Exchange Server 2007, messages delivered to the quarantine mailbox show up as DSNs sent by the postmaster address of the default domain. In HOW TO: Expose original senders and recipients of quarantined messages, we modified the QTNE.cfg form for Microsoft Outlook to reveal original senders and recipients.

Although the original sender and recipient fields were added, the original SCL stamped on the quarantined message wasn't visible. The OriginalScl property was exposed in Exchange 2007 SP1, and is now included in the updated form in that post. Installing the updated form exposes the original SCL for messages in the quarantine mailbox, as seen in Figure 1.


Figure 1: The original SCL for messages in the quarantine mailbox can be displayed using the updated Outlook form

Announced: Virtualization support for Exchange Server 2007

Exchange Server 2007 is now supported on Hyper-V and other (read "Non-Microsoft") hypervisors validated under the Microsoft Server Vitualization Validation Program. Vendors participating in the program: Citrix, Cisco Systems, Novell, Sun Micrososystems, and Virtual Iron Software.

The new support policy for Exchange in virtualized environments: Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments.

• What's supported: Exchange Server 2007 SP1 running on Windows Server 2008
  
• Supported Exchange 2007 Server Roles: All except Unified Messaging
  
• What Hypervisor: Microsoft Hyper-V, or any hypervisor validated by MSVVP
  
• Not supported: Differencing disks and expandable virtual disks
  
• Not supported: Taking VM snapshots (these aren't application-aware)
  
• Not supported: Combining Exchange's clustering features (SCC and CCR) with availability features from the virtualization layer, such as Hyper-V's quick migration.

A change has also been made to licensing policies allowing transfer of licenses for server applications (such as Exchange and SQL Server) between servers as frequently as required. This was earlier restricted to 90 days. This facilitates virtualization, where VMs running these server applications can be easily transferred from one server to another. More about the change in licensing policy in the Volume Licensing Brief titled Application Server License Mobility (Word DOC).

More details about the announcement in the Exchange team blog post: Microsoft Virtualization and Licensing Announcements

Exchange System Manager and Outlook on the same computer?

With the release of Exchange System Manager (ESM) for Windows Vista yesterday (Released: Exchange System Manager for Windows Vista), there's been concern about the fact that ESM is not supported on the same computer as Microsoft Outlook. However, the coexistence of the two has not been a supported scenario for long.

From KB 266418: Microsoft does not support installing Exchange Server components and Outlook on the same computer:

Microsoft does not support installing Microsoft Outlook and Microsoft Exchange Server 2003 (including Exchange System Manager), Microsoft Exchange 2000 Server (including Exchange System Manager), or Microsoft Exchange Server 5.5 on the same computer. The Product Support group does not support the coexistence of Outlook and Exchange on the same computer in a production environment.

The KBA provides an explanation of the issue related to MAPI32.DLL, and also indicates that these can be installed on the same computer for demonstration purposes. They're not supported in production.

Comments on the Exchange team blog post yesterday indicate many folks (myself included in the past) have been doing exactly that... installing ESM and Microsoft Outlook on the same computer. It's not the same thing as installing Outlook on the Exchange Server, something I haven't attempted in a long time, and wouldn't encourage you to do.

William Lefkovics (Exchange MVP and fellow coauthor of Exchange Server 2007: The Complete Reference) has a great overview about this on Slipstick: A Mixed History of Remotely Managing Exchange Servers

Released: Exchange System Manager for Windows Vista

If you've been waiting to install Exchange System Manager on Windows Vista, the wait is finally over.

Exchange System Manager for Windows Vista is now available.

Pre-requisites:
- The computer should be a member of a domain which has Exchange Server 2003 SP2.
- Windows Server adminpak (from Windows Server 2003 SP1 or Windows Server 2003 R2)

Known Issues (from the Release Notes):

• SMTP Current Sessions node is not supported (SMTPadmin.dll cannot be registered)
  
• NNTP property view is not supported (NNTPadmin.dll cannot be registered)
  
• Installing ESM on a computer which has Microsoft Outlook installed is not supported
  

Exchange Server Antispam Updates: Do I have the latest update?

Not sure if the Exchange 2007 or 2003 (IMF) updates on your system are the latest and greatest? Doubt if the automatic update process is working?

You can use the Microsoft Update Catalog web site to search for these. You can also subscribe to the RSS feeds for each update (search result on the web site).

• Exchange Server 2007 Antispam updates  
  
• Exchange 2003 Intelligent Message Filter updates  
  

You can also use the site to search for other Microsoft products and subscribe to the feeds.

TechNet Webcast: Disaster Recovery and SCR Deep Dive

Scott Schnoll's doing a TechNet Webcast on High Availability in Exchange Server 2007 SP1: Disaster Recovery and SCR Deep Dive.

What: TechNet Webast: High Availability in Exchange Server 2007 SP1 (Part 2 of 2):
Disaster Recovery and SCR Deep Dive
(Level 300)
When: Friday, August 15, 2008 9:30 AM Pacific
Who: Scott Schnoll, Principal Technical Writer
More info and registration

Standby Continuous Replication resources:

• Scott recorded a 5-part video series on SCR for the Exchange team blog last year.
  Links: Part 1 | Part 2 | Part 3 | Part 4 | Part 5
  
• Scott's blog posts:
  Exchange 2007 - Continuous Replication Architecture and Behavior
  More on Continuous Replication
  
• Ross Smith IV and Scott recently wrote a white paper on Continuous Replication. Whitepaper: Continuous Replication Deep Dive
  
• Exchange product documentation: Standby Continuous Replication
  

Delay Notifications: Informing users about delays in mail delivery

Users consider email to be a reliable communication mechanism - not as reliable as the dial tone, but pretty close. Most users expect mail to be delivered within minutes, if not seconds.

Many organizations, including those operating in the financial & banking sectors, have strict SLAs for mail delivery which specify mail delivery times granularly— for mail within a particular location (that is, within a Routing Group in Exchange 2003 and within an AD Site in Exchange 2007), between two locations, and to/from the internet.

Exchange Server sends a delay notification to inform the sender if delivery of a message is delayed beyond a configured timeout. The default delay notification timeout in Exchange Server 2003 is 12 hours. This has been reduced to a (comparatively) more realistic 4 hours in Exchange Server 2007.

When considering changing these defaults, it's a good idea to consider any SLAs and user expectations. Is it reasonable to expect a user to wait for 24 hours before informing him/her about a delay? 12 hours? 1 hour?


Figure 1: In Exchange 2007, the default delay notification timeout is 4 hours

You can change the delay notification timeout using the Exchange console (EMC) from Server Configuration | Hub Transport | SERVERNAME -> Properties | Limits tab.

To change delay notification timeout using the Exchange shell:

Set-TransportServer "SERVERNAME" -DelayNotificationTimeout 01:00:00

This sets the notification timeout to 1 hour. The value is specified in dd.hh:mm:ss (the standard format used by the shell). Valid values— minimum: 00:00:01 (yes, 1 second!) to 30.00:00:00 (30 days). It's recommended to wait till transient failure retries have been completed before sending a delay notification (that is, higher than TransientFailureRetryInterval x TransientFailureRetryCount).

In Exchange Server 2003, the delay notification timeout can be changed from SMTP Virtual Server | Properties | Delivery tab. There are different delay notification timeouts for outbound and local mail.

If you decide users don't need to know about mail delivery delays (and there could be perfectly legitimate reasons for that - although as I write this I can't think of any... ), you can disable delay notifications:

Set-TransportServer "SERVERNAME" -ExternalDelayDsnEnabled $false -InternalDelayDsnEnabled
$false

Have you changed the default delay notification in your organization? What is a reasonable time for notifying users about delays?

Related:

• SMTP Virtual Servers: Some irksome defaults you should change
  
• Set-TransportServer
  

PowerShell: Listing multi-valued attributes

In previous posts, we've taken a look at how to update multi-valued attributes and remove values from multi-valued attributes using PowerShell/Exchange Shell (EMS).

Multi-valued attributes have a special significance in AD, and interfaces/APIs used to access AD. Whereas single-valued attributes can be retrieved and updated quite easily, multi-valued attributes come with a twist. Values from a multi-valued attribute are returned as an array (of values). To evaluate values in a multi-valued attribute, you need to iterate through each one (using a foreach loop in most cases). Similarly, when updating a multi-valued attribute, we need to remember we're adding/updating one value of what could possibly be multiple items in an array.

With that out of the way, a real-word experience relates to how these values are listed in Exchange shell cmdlet output. For instance, the BypassedSenders property of ContentFilterConfig may have a few dozen safe senders that you do not want to subject to the Content Filter. If you list these bypassed senders using Get-ContentFilterConfig, the output will list a few bypassed senders. Note the trailing dots to indicate there are more values?

Using a format-list or fl (Get-ContentFilterConfig |select BypassedSenders | fl) doesn't help.


Figure 1: Output from Exchange shell cmdlets does not list all values in multi-valued attributes

BypassedSenders and Safelist Aggregation

The Content Filter Agent does not filter messages from addresses on its BypassedSenders property, regardless of the recipient. This should not be confused with a recipient's Safe Senders list (used by the Safelist Aggregation feature) to bypass mail for a recipient from the senders he/she adds to Safe Senders list in Microsoft Outlook. CFA's BypassedSenders is global in scope.

To get a list of all values in a multi-valued attribute such as BypassedSenders:

$senders = (Get-ContentFilterConfig).BypassedSenders; $senders

Alternatively, you can list them without adding them to a hash table ($senders in above example):

(Get-ContentFilterConfig).BypassedSenders

Figure 2: Listing all values in BypassedSenders multi-valued attribute

Similarly, multiple IP addresses or address ranges in a Receive Connector's RemoteIPRanges property:

(Get-ReceiveConnector "MyConnector").RemoteIPRanges

or formatted as a table with the required info:

(Get-ReceiveConnector "MyConnector").RemoteIPRanges | ft Lowerbound,Upperbound,RangeFormat -AutoSize

Figure 3: Listing all values in RemoteIPRanges multi-valued attribute of a Receive Connector

Related posts:

• HOW TO Update multi-valued attributes in PowerShell
  
• HOW TO: Remove values from multi-valued properties using Exchange shell
  

Where are mailbox last logon, client IP address, and other details in Exchange 2007?

In Exchange Server 2003/2000, expanding a Mailbox Database provides information about mailboxes in a database, last logon/logoff times and account(s) that logged on to mailboxes (see 'Displaying Client IP Address in Exchange System Manager' for details).


Figure 1: In Exchange 2003, the Logons node displays Store logon-related information. Click here to see a bigger screenshot.

In Exchange Server 2007, these details are not displayed in the EMC. These can be retrieved easily using the Exchange shell.

The Get-LogonStatistics cmdlet provides the following logon-related information.

AdapterSpeed :
ClientIPAddress :
ClientMode :
ClientName :
ClientVersion :
CodePage :
CurrentOpenAttachments :
CurrentOpenFolders :
CurrentOpenMessages :
FolderOperationCount :
FullMailboxDirectoryName :
FullUserDirectoryName :
HostAddress :
LastAccessTime :
Latency :
LocaleID :
LogonTime :
MACAddress :
MessagingOperationCount :
OtherOperationCount :
ProgressOperationCount :
RPCCallsSucceeded :
StreamOperationCount :
TableOperationCount :
TotalOperationCount :
TransferOperationCount :
UserName :
Windows2000Account :
ServerName :
StorageGroupName :
DatabaseName :
Identity :

The command can be constrained to a mailbox database (get-logonstatistics -Database "MyDatabase" | fl), a mailbox server (get-logonstatistics -Server "MyServer"), or a particular mailbox.

Mailbox information

In ESM, the Mailboxes node of a Mailbox Store displays mailbox-related information such as mailbox size, number of items, and last logon/logoff.


Figure 2: In Exchange 2003, the Mailboxes node displays mailbox-related information. Click here to see a bigger screenshot.

This information can be retrieved using the Get-MailboxStatistics cmdlet. It provides the following information related to a mailbox:

AssociatedItemCount :
DeletedItemCount :
DisconnectDate :
DisplayName :
ItemCount :
LastLoggedOnUserAccount :
LastLogoffTime :
LastLogonTime :
LegacyDN :
MailboxGuid :
ObjectClass :
StorageLimitStatus :
TotalDeletedItemSize :
TotalItemSize :
Database :
ServerName :
StorageGroupName :
DatabaseName :
Identity :

It can also be constrained to a -Database, -Server, or mailbox.

Now that we're dealing with the shell, besides these cmdlets' built-in filtering capabilities (Database, Server, or mailbox), you can use Powershell's where-object cmdlet to further filter the results based on the properties returned by each cmdlet. For example, to find out logon sessions from a particular IP address:

Get-LogonStatistics -Server "MyServer" | where {$_.ClientIPAddress -like "192.168.2.101"}

Powered by Hyper-V: Exchangepedia virtualized!

Finally, it was time to bid adieu to the endearing Dell box that served Exchangepedia for >4 years with all of its might (psssst... that means a 400 Mhz. PIII processor with 256 Mb. RAM.. :). Time to leave the world of phsyical servers, and move on to the virtualization world!

Today the site was moved to a Hyper-V VM, running Windows Server 2008 and IIS 7. Yes, just like microsoft.com, it's now "powered by Hyper-V".

If you have trouble accessing it, please let me know. For sporadic access issues, or any missing pages (some files may not have copied over from the old server... ), please leave a comment, or email me at info at exchangepedia dot com.

Script: Listing Distribution Groups a recipient is a member of

It's easy to get a list of all members of a Distribution Group. The Exchange shell (EMS) ships with the Get-DistributionGroupMember cmdlet that makes it a short one-liner (compared to 100s of lines of code in VBS).

However, how do we get all Distribution Groups a user, group, or contact is a member of? There's no equivalent cmdlet that can list a recipient's distribution group memberships using the shell. From the AD side, a recipient's memberOf attribute is a back-linked attribute, which I briefly talked about in memberOf Attribute can now be used in OPATH filters!. A group's membership is stored in the group's member attribute.

In the following command/script (what's the boundary between a command and a script?? when do a bunch of commands become a script?), we look at all distribution groups in AD, look at each member and determine if it matches the one we're looking for.

$contact = get-contact "foo@somedomain.com"; Get-DistributionGroup | foreach {$dg = $_ ; write-host "Looking at: "
$dg; Get-DistributionGroupMember $dg | foreach {if ($_.identity -like $contact.identity) {"Member of : " + $dg} }}

Clearly, this isn't very efficient!

Using the ADSI provider

The shell can also look at the AD objects natively using the ADSI provider. It's not as friendly or easy to use (as a native AD provider for Powershell would probably be), but it's a huge improvement over VBScript. There's no need to grab AD objects into ADO recordsets— that part is taken care of by Powershell.

Here's one way to do this using the ADSI provider:

$dn = "LDAP://" + (Get-Contact foo@somedomain.com).distinguishedName; $foo=[ADSI]$dn; $foo.memberOf | foreach {$dg = $_; get-distributiongroup $dg}

Here's a script with some changes and validation: Get-DGMembership.zip

What it does: Uses the ADSI provider to get list of all groups a recipient is a member of, determines if the group is a Distribution or Security group, outputs names of Distribution Groups.
Usage:

.\Get-DGMembership.ps1 Mailbox1@mydomain.com

.\Get-DGMembership.ps1 Mailbox1@mydomain.com Contact2@somedomain.com

What we can really use is a native AD provider that lends the same automation capabilities to AD management tasks that the Exchange shell and Powershell lend to Exchange and Windows management tasks.

IIS 7 Authentication: What happened to the IUSR_MachineName account?

In previous versions of IIS, the IUSR_MachineName account is created for anonymous authentication. This is an actual user account created on the server (a domain account can be used in domain environments), and like all user accounts— it has a SID, and an account password with the accompanying management costs and risks.

One of the resulting annoyances (for me): when you install IIS first and then change the computer name, the computer name and the MachineName in IUSR_MachineName account don't match.

IIS 7 gets rid of the IUSR_MachineName account in favor of a built-in IUSR account that's guaranteed to have the same SID on all computers. This ensures ACLs copied from one web server to another work, domain accounts are no longer required, and applications can be easily deployed across multiple web servers. The IIS_WPG group (for IIS Application Pool identities) is replaced by the built-in group IIS_IUSRS.

Note: The IUSR_MACHINENAME account isn't completely gone— it is used for anonymous authentication to FTP, and gets created if/when you install FTP.

More on the IIS team blog in 'Understanding the Built-In User and Group Accounts in IIS 7.0'

- Security identifiers
- Well-known security identifiers in Windows operating systems

Released: Update Rollup 3 for Exchange Server 2007 SP1

Update Rollup 3 for Exchange Server 2007 SP1 has been released. Download it here.

Fixes for the following issues are included (details in in KB 949870):

• 937436 Error message when an Exchange 2007-based user sends a meeting request to a resource that is located in a Lotus Domino resource reservation database: "Error autoprocessing message"
  
• 941770 How to disable the "Sent by Microsoft Exchange Server 2007" branding sentence in an Exchange Server 2007 DSN message
  
• 945453 You cannot log on to Outlook Web Access in an Exchange Server 2007 environment, and you receive an error message: "HTTP Error 403.4"
  
• 947573 It takes a long time for the Exchange Management Console to load in an Exchange Server 2007 organization that was deployed in a multiple-domain environment
  
• 949206 ( The e-mail address of a contact does not appear in the Outlook Address Book after you use Exchange Web Services to edit the contact in Exchange Server 2007 with Service Pack 1
  
• 949549 Error message when you import a .pst file by running the Import-Mailbox cmdlet in Exchange Server 2007: "Unable to make connection to the server"
  
• 949778 The icons that represent TIFF attachments may not be shown correctly if the e-mail message is viewed by using Outlook Web Access 2007 in an Exchange Server 2007 environment
  
• 950153 A storage group may not mount after you move the resources from the active node to the passive node while the backup is in progress in Exchange Server 2007
  
• 950674 Web services sends meeting request information that has an incorrect time if a delegate modifies an appointment in an Exchange Server 2007 environment
  
• 951263 The heading of the "State" column is translated incorrectly in the German version of the Exchange Management Console in Exchange Server 2007
  
• 951293 Error message when you enter logon credentials after an Outlook Web Access session times out in Exchange Server 2007: "Server Error in '/ExchWeb/bin' Application"
  
• 953539 The W3wp.exe process may intermittently stop responding, and event ID 1000 is logged in Exchange Server 2007 Service Pack 1
  
• 950120 You cannot control the behavior of attachments on mobile devices by using the ActiveSync policy in Exchange Server 2007 Service Pack 1
  
• 951094 You cannot run the New-X400AuthoritativeDomain cmdlet successfully in an Exchange Server 2007 environment if an X.400 address contains a space character
  
• 953747 MS08-039: Vulnerabilities in Outlook Web Access for Exchange Server could allow elevation of privilege
  
• 950930 You cannot resolve a sender name or a recipient name when the name belongs to an alternative domain tree in Exchange Server 2007
  
• 950758 OVA announces "Unrecognized caller" in an Exchange Server 2007 environment even though Outlook and Outlook Web Access correctly resolve the caller address
  
• 951563 External e-mail message senders receive an NDR when you select the Turkish language setting on a computer that is running Exchange Server 2007 Service Pack 1