Quarantine Mailbox: Displaying original SCL, sender and recipients

In Exchange Server 2007, messages delivered to the quarantine mailbox show up as DSNs sent by the postmaster address of the default domain. In HOW TO: Expose original senders and recipients of quarantined messages, we modified the QTNE.cfg form for Microsoft Outlook to reveal original senders and recipients.

Although the original sender and recipient fields were added, the original SCL stamped on the quarantined message wasn't visible. The OriginalScl property was exposed in Exchange 2007 SP1, and is now included in the updated form in that post. Installing the updated form exposes the original SCL for messages in the quarantine mailbox, as seen in Figure 1.


Figure 1: The original SCL for messages in the quarantine mailbox can be displayed using the updated Outlook form

Exchange Server Antispam Updates: Do I have the latest update?

Not sure if the Exchange 2007 or 2003 (IMF) updates on your system are the latest and greatest? Doubt if the automatic update process is working?

You can use the Microsoft Update Catalog web site to search for these. You can also subscribe to the RSS feeds for each update (search result on the web site).

• Exchange Server 2007 Antispam updates  
  
• Exchange 2003 Intelligent Message Filter updates  
  

You can also use the site to search for other Microsoft products and subscribe to the feeds.

Delay Notifications: Informing users about delays in mail delivery

Users consider email to be a reliable communication mechanism - not as reliable as the dial tone, but pretty close. Most users expect mail to be delivered within minutes, if not seconds.

Many organizations, including those operating in the financial & banking sectors, have strict SLAs for mail delivery which specify mail delivery times granularly— for mail within a particular location (that is, within a Routing Group in Exchange 2003 and within an AD Site in Exchange 2007), between two locations, and to/from the internet.

Exchange Server sends a delay notification to inform the sender if delivery of a message is delayed beyond a configured timeout. The default delay notification timeout in Exchange Server 2003 is 12 hours. This has been reduced to a (comparatively) more realistic 4 hours in Exchange Server 2007.

When considering changing these defaults, it's a good idea to consider any SLAs and user expectations. Is it reasonable to expect a user to wait for 24 hours before informing him/her about a delay? 12 hours? 1 hour?


Figure 1: In Exchange 2007, the default delay notification timeout is 4 hours

You can change the delay notification timeout using the Exchange console (EMC) from Server Configuration | Hub Transport | SERVERNAME -> Properties | Limits tab.

To change delay notification timeout using the Exchange shell:

Set-TransportServer "SERVERNAME" -DelayNotificationTimeout 01:00:00

This sets the notification timeout to 1 hour. The value is specified in dd.hh:mm:ss (the standard format used by the shell). Valid values— minimum: 00:00:01 (yes, 1 second!) to 30.00:00:00 (30 days). It's recommended to wait till transient failure retries have been completed before sending a delay notification (that is, higher than TransientFailureRetryInterval x TransientFailureRetryCount).

In Exchange Server 2003, the delay notification timeout can be changed from SMTP Virtual Server | Properties | Delivery tab. There are different delay notification timeouts for outbound and local mail.

If you decide users don't need to know about mail delivery delays (and there could be perfectly legitimate reasons for that - although as I write this I can't think of any... ), you can disable delay notifications:

Set-TransportServer "SERVERNAME" -ExternalDelayDsnEnabled $false -InternalDelayDsnEnabled
$false

Have you changed the default delay notification in your organization? What is a reasonable time for notifying users about delays?

Related:

• SMTP Virtual Servers: Some irksome defaults you should change
  
• Set-TransportServer
  

PowerShell: Listing multi-valued attributes

In previous posts, we've taken a look at how to update multi-valued attributes and remove values from multi-valued attributes using PowerShell/Exchange Shell (EMS).

Multi-valued attributes have a special significance in AD, and interfaces/APIs used to access AD. Whereas single-valued attributes can be retrieved and updated quite easily, multi-valued attributes come with a twist. Values from a multi-valued attribute are returned as an array (of values). To evaluate values in a multi-valued attribute, you need to iterate through each one (using a foreach loop in most cases). Similarly, when updating a multi-valued attribute, we need to remember we're adding/updating one value of what could possibly be multiple items in an array.

With that out of the way, a real-word experience relates to how these values are listed in Exchange shell cmdlet output. For instance, the BypassedSenders property of ContentFilterConfig may have a few dozen safe senders that you do not want to subject to the Content Filter. If you list these bypassed senders using Get-ContentFilterConfig, the output will list a few bypassed senders. Note the trailing dots to indicate there are more values?

Using a format-list or fl (Get-ContentFilterConfig |select BypassedSenders | fl) doesn't help.


Figure 1: Output from Exchange shell cmdlets does not list all values in multi-valued attributes

BypassedSenders and Safelist Aggregation

The Content Filter Agent does not filter messages from addresses on its BypassedSenders property, regardless of the recipient. This should not be confused with a recipient's Safe Senders list (used by the Safelist Aggregation feature) to bypass mail for a recipient from the senders he/she adds to Safe Senders list in Microsoft Outlook. CFA's BypassedSenders is global in scope.

To get a list of all values in a multi-valued attribute such as BypassedSenders:

$senders = (Get-ContentFilterConfig).BypassedSenders; $senders

Alternatively, you can list them without adding them to a hash table ($senders in above example):

(Get-ContentFilterConfig).BypassedSenders

Figure 2: Listing all values in BypassedSenders multi-valued attribute

Similarly, multiple IP addresses or address ranges in a Receive Connector's RemoteIPRanges property:

(Get-ReceiveConnector "MyConnector").RemoteIPRanges

or formatted as a table with the required info:

(Get-ReceiveConnector "MyConnector").RemoteIPRanges | ft Lowerbound,Upperbound,RangeFormat -AutoSize

Figure 3: Listing all values in RemoteIPRanges multi-valued attribute of a Receive Connector

Related posts:

• HOW TO Update multi-valued attributes in PowerShell
  
• HOW TO: Remove values from multi-valued properties using Exchange shell
  

Where are mailbox last logon, client IP address, and other details in Exchange 2007?

In Exchange Server 2003/2000, expanding a Mailbox Database provides information about mailboxes in a database, last logon/logoff times and account(s) that logged on to mailboxes (see 'Displaying Client IP Address in Exchange System Manager' for details).


Figure 1: In Exchange 2003, the Logons node displays Store logon-related information. Click here to see a bigger screenshot.

In Exchange Server 2007, these details are not displayed in the EMC. These can be retrieved easily using the Exchange shell.

The Get-LogonStatistics cmdlet provides the following logon-related information.

AdapterSpeed :
ClientIPAddress :
ClientMode :
ClientName :
ClientVersion :
CodePage :
CurrentOpenAttachments :
CurrentOpenFolders :
CurrentOpenMessages :
FolderOperationCount :
FullMailboxDirectoryName :
FullUserDirectoryName :
HostAddress :
LastAccessTime :
Latency :
LocaleID :
LogonTime :
MACAddress :
MessagingOperationCount :
OtherOperationCount :
ProgressOperationCount :
RPCCallsSucceeded :
StreamOperationCount :
TableOperationCount :
TotalOperationCount :
TransferOperationCount :
UserName :
Windows2000Account :
ServerName :
StorageGroupName :
DatabaseName :
Identity :

The command can be constrained to a mailbox database (get-logonstatistics -Database "MyDatabase" | fl), a mailbox server (get-logonstatistics -Server "MyServer"), or a particular mailbox.

Mailbox information

In ESM, the Mailboxes node of a Mailbox Store displays mailbox-related information such as mailbox size, number of items, and last logon/logoff.


Figure 2: In Exchange 2003, the Mailboxes node displays mailbox-related information. Click here to see a bigger screenshot.

This information can be retrieved using the Get-MailboxStatistics cmdlet. It provides the following information related to a mailbox:

AssociatedItemCount :
DeletedItemCount :
DisconnectDate :
DisplayName :
ItemCount :
LastLoggedOnUserAccount :
LastLogoffTime :
LastLogonTime :
LegacyDN :
MailboxGuid :
ObjectClass :
StorageLimitStatus :
TotalDeletedItemSize :
TotalItemSize :
Database :
ServerName :
StorageGroupName :
DatabaseName :
Identity :

It can also be constrained to a -Database, -Server, or mailbox.

Now that we're dealing with the shell, besides these cmdlets' built-in filtering capabilities (Database, Server, or mailbox), you can use Powershell's where-object cmdlet to further filter the results based on the properties returned by each cmdlet. For example, to find out logon sessions from a particular IP address:

Get-LogonStatistics -Server "MyServer" | where {$_.ClientIPAddress -like "192.168.2.101"}

Script: Listing Distribution Groups a recipient is a member of

It's easy to get a list of all members of a Distribution Group. The Exchange shell (EMS) ships with the Get-DistributionGroupMember cmdlet that makes it a short one-liner (compared to 100s of lines of code in VBS).

However, how do we get all Distribution Groups a user, group, or contact is a member of? There's no equivalent cmdlet that can list a recipient's distribution group memberships using the shell. From the AD side, a recipient's memberOf attribute is a back-linked attribute, which I briefly talked about in memberOf Attribute can now be used in OPATH filters!. A group's membership is stored in the group's member attribute.

In the following command/script (what's the boundary between a command and a script?? when do a bunch of commands become a script?), we look at all distribution groups in AD, look at each member and determine if it matches the one we're looking for.

$contact = get-contact "foo@somedomain.com"; Get-DistributionGroup | foreach {$dg = $_ ; write-host "Looking at: "
$dg; Get-DistributionGroupMember $dg | foreach {if ($_.identity -like $contact.identity) {"Member of : " + $dg} }}

Clearly, this isn't very efficient!

Using the ADSI provider

The shell can also look at the AD objects natively using the ADSI provider. It's not as friendly or easy to use (as a native AD provider for Powershell would probably be), but it's a huge improvement over VBScript. There's no need to grab AD objects into ADO recordsets— that part is taken care of by Powershell.

Here's one way to do this using the ADSI provider:

$dn = "LDAP://" + (Get-Contact foo@somedomain.com).distinguishedName; $foo=[ADSI]$dn; $foo.memberOf | foreach {$dg = $_; get-distributiongroup $dg}

Here's a script with some changes and validation: Get-DGMembership.zip

What it does: Uses the ADSI provider to get list of all groups a recipient is a member of, determines if the group is a Distribution or Security group, outputs names of Distribution Groups.
Usage:

.\Get-DGMembership.ps1 Mailbox1@mydomain.com

.\Get-DGMembership.ps1 Mailbox1@mydomain.com Contact2@somedomain.com

What we can really use is a native AD provider that lends the same automation capabilities to AD management tasks that the Exchange shell and Powershell lend to Exchange and Windows management tasks.

Released: Update Rollup 3 for Exchange Server 2007 SP1

Update Rollup 3 for Exchange Server 2007 SP1 has been released. Download it here.

Fixes for the following issues are included (details in in KB 949870):

• 937436 Error message when an Exchange 2007-based user sends a meeting request to a resource that is located in a Lotus Domino resource reservation database: "Error autoprocessing message"
  
• 941770 How to disable the "Sent by Microsoft Exchange Server 2007" branding sentence in an Exchange Server 2007 DSN message
  
• 945453 You cannot log on to Outlook Web Access in an Exchange Server 2007 environment, and you receive an error message: "HTTP Error 403.4"
  
• 947573 It takes a long time for the Exchange Management Console to load in an Exchange Server 2007 organization that was deployed in a multiple-domain environment
  
• 949206 ( The e-mail address of a contact does not appear in the Outlook Address Book after you use Exchange Web Services to edit the contact in Exchange Server 2007 with Service Pack 1
  
• 949549 Error message when you import a .pst file by running the Import-Mailbox cmdlet in Exchange Server 2007: "Unable to make connection to the server"
  
• 949778 The icons that represent TIFF attachments may not be shown correctly if the e-mail message is viewed by using Outlook Web Access 2007 in an Exchange Server 2007 environment
  
• 950153 A storage group may not mount after you move the resources from the active node to the passive node while the backup is in progress in Exchange Server 2007
  
• 950674 Web services sends meeting request information that has an incorrect time if a delegate modifies an appointment in an Exchange Server 2007 environment
  
• 951263 The heading of the "State" column is translated incorrectly in the German version of the Exchange Management Console in Exchange Server 2007
  
• 951293 Error message when you enter logon credentials after an Outlook Web Access session times out in Exchange Server 2007: "Server Error in '/ExchWeb/bin' Application"
  
• 953539 The W3wp.exe process may intermittently stop responding, and event ID 1000 is logged in Exchange Server 2007 Service Pack 1
  
• 950120 You cannot control the behavior of attachments on mobile devices by using the ActiveSync policy in Exchange Server 2007 Service Pack 1
  
• 951094 You cannot run the New-X400AuthoritativeDomain cmdlet successfully in an Exchange Server 2007 environment if an X.400 address contains a space character
  
• 953747 MS08-039: Vulnerabilities in Outlook Web Access for Exchange Server could allow elevation of privilege
  
• 950930 You cannot resolve a sender name or a recipient name when the name belongs to an alternative domain tree in Exchange Server 2007
  
• 950758 OVA announces "Unrecognized caller" in an Exchange Server 2007 environment even though Outlook and Outlook Web Access correctly resolve the caller address
  
• 951563 External e-mail message senders receive an NDR when you select the Turkish language setting on a computer that is running Exchange Server 2007 Service Pack 1
  

Creating a Dynamic Distribution Group for all mailboxes on a Database

I posted about this in Adventures with OPATH: some annoyances if you're used to LDAP, shortly after Exchange Server 2007 RTMed (Yes, it has really been that long... ). Here's a quick recipe to create a Dynamic Distribution Group to include all mailboxes on a database.

$DB = (Get-MailboxDatabase "SERVER\Storage Group\Mailbox Database").distinguishedName

New-DynamicDistributionGroup MyGroup -RecipientFilter {Database -eq $DB} -RecipientContainer "DC=MyDomain,DC=com" -OrganizationalUnit "OU=Distribution Groups,DC=MyDomain,DC=com" -RequireSenderAuthenticationEnabled $false

The first step gets the distinguishedName of the mailbox database in a variable called $DB.

Parameters:
- OrganizationalUnit: Specifies the container/OU where the group will be created
- RecipientContainer: Specifies container to pick up recipients from. If not specified, this gets set to the same value as the OrganizationalUnit parameter (the OU/Container where the group is created), and the filter may not return the expected recipients (or worse— may not return any recipients at all... )
- RequireSenderAuthenticationEnabled: As discussed in 'New Distribution Groups do not receive internet email by default', new groups do not receive internet email (that is, email from unauthenticated/anonymous senders)) by default. If you want the group to receive internet email, set this to $false.

Controlling OOFs per domain and per mailbox

OOFs can be controlled per domain using Remote Domain settings. By default, setup creates the default Remote Domain for address space *. (As with Connector namespaces, * translates to all domains for which Exchange isn't authoritative/has an Accepted Domain for, and doesn't have an explicit Remote Domain for).


Figure 1: Remote Domains allow control of OOF messages to the internet or specific domains

The choices:
None: OOFs are disabled for the remote domain.
External: Allows only external OOFs to be sent to the remote domain. OOFs created using legacy Outlook clients and those sent by Exchange 2003/2000 servers will be not be allowed. If blocking OOFs to external domains in Exchange 2003/2000, this allows you to restrict legacy Outlook clients from sending OOFs, but allow Outlook 2007/Exchange 2007 users to send external OOFs.
ExternalLegacy: Allows external and legacy OOFs to be sent to the remote domain.
InternalLegacy: Allows internal and legacy OOFs to be sent to the remote domain.

Allowing Internal OOFs to Remote Domains

The InternalLegacy setting sends internal OOF messages to a Remote Domain. If verbiage or content of internal OOFs isn't something you want to share with the outside world, do not use this for Remote Domains.



The InternalLegacy option can be useful in distributed organizations with multiple address spaces and multiple email systems, or specific cases where you may want to share such information with a trusted organization.

Controlling OOFs per-mailbox

Besides the settings in Remote Domains, you can also control external OOFs per-mailbox. This is done using the Set-Mailbox cmdlet. The ExternalOofOptions parameter defaults to External. You can change it to InternalOnly to restrict a mailbox user from sending OOFs outside the organization:

Set-Mailbox foo@mydomain.com -ExternalOofOptions InternalOnly

Related:

• While you were out: Scheduling meetings and OOFs
  
• The hilarious lingo of Exchange folks
  
• Why is OOF an OOF and not an OOO?
  
• Legacy client and Out of Office (OOF) interoperability
  
• OOF integration with Exchange Server 2007 Unified Messaging (UM)

Released: ISA 2006 Service Pack 1

ISA Server 2006 SP1 has been released. SP1 brings some new features, and improvements such as support for SAN certificates. Download SP1.

New features:

• Configuration Change Tracking: Registers all configuration changes applied to ISA Server to help you assess issues that may occur as a result of these changes.
  
• Test Button: Tests the consistency of a Web publishing rule between the published server and ISA Server.
  
Traffic Simulator:Simulates network traffic in accordance with specified request parameters, such as an internal user and the Web server, providing information about firewall policy rules evaluated for the request.

• Diagnostic Logging Viewer: Now integrated as a tab into the ISA Server Management console, this feature displays detailed events on packet progress and provides information about handling and rule matching.

Improvements for existing features:

• Support for integrated NLB mode in all three modes, including unicast, multicast, and multicast with Internet Group Management Protocol (IGMP). Previously, ISA Server integrated NLB-supported unicast mode only.
  
• Support for use of server certificates containing multiple Subject Alternative Name (SAN) entries. Previously, ISA Server was able to use either only either the subject name (common name) of a server certificate, or the first entry in the SAN list.
  
• Support for KCD cross-domain authentication. Credentials from users located in a different domain than the ISA Server, but in the same Forest, can now be delegated to an internal published Web site by using KCD .
  
• Support for client certificate authentication in a workgroup deployment. This removes the requirement to map each client certificate to an Active Directory® directory user account when forms-based authentication is used as the primary authentication method and client certificates are used as the secondary method.

SP1 fixes the following issues:

• 894679 Users who do not have the appropriate permissions can receive restricted content from ISA Server 2004
  
• 920913 Error message in response to some HTTP requests on client computers that are running ISA Server 2004 as a proxy server: "400 Bad Request"
  
• 921944 A client computer takes longer than expected to connect to a Web site through an ISA Server 2004 Web proxy server
  
• 922851 You receive a blank page when your Web browser submits a POST request to an ASP Web site over an ISA Server 2004 access rule that requires client authentication
  
• 922899 An ISA Server 2004 Web chaining rule may not redirect requests to the specified port
  
• 923318 Error message in SecureNAT clients after you configure a Web chaining rule to forward HTTP as HTTPS in ISA Server 2004: "The target principal name is incorrect"
  
• 923322 A large file download fails when an ISA Server 2004 SOCKS client computer uses passive mode FTP
  
• 923765 The Microsoft Firewall service stops responding to client computer requests and Event IDs 7034, 14057, and 1000 are logged after you publish an OWA server in ISA Server 2004
  
• 923766 A client computer may not be authenticated by ISA Server 2004 when you use integrated Windows authentication
  
• 924405 Client computers cannot download attachments when you use ISA Server 2004 or ISA Server 2006 forms-based authentication and run a third-party OWA add-in program to manage attachments
  
• 925288 One or more published sites may stop being available if you create more than 300 Web site publishing rules in ISA Server 2006 Enterprise Edition
  
• 928273 Users may receive slow responses when you enable the Cache Array Routing Protocol in ISA Server 2004, Enterprise Edition
  
• 929818 You receive an error message when you try to install or to run Windows Vista: "The Software Licensing Service reported that the license is invalid"
  
• 930415 You cannot apply an OWA Web publishing rule that redirects users who connect to the root of the OWA Web site to an internal folder by using ISA Server 2006
  
• 933523 When an Internet Security and Acceleration Server 2004 client performs an action that uses the HTTP POST method, the action may be performed multiple times
  
• 934022 An ISA Server 2004 downstream server does not reuse the TCP connections to a third-party upstream server
  
• 935767 The authentication delegation in the existing Web publishing rules does not work after you upgrade ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition
  
• 938465 Error message when you try to access Web sites through a downstream server after you enable hotfix 927265 on an upstream server that is running ISA Server 2004: "502 Proxy Error"
  
• 938550 An update enables multicast operations for ISA Server integrated NLB
  
• 940659 Error message when you try to visit a Web site that is published in ISA Server 2004: "HTTP error 500: network name no longer exists"
  
• 940708 The "401 Authentication Required" response that is sent by a Web site is dropped when you use ISA Server 2004 as a Web proxy
  
• 941162 In ISA Server 2006, you cannot set a session time-out for private computers in a Web listener that has the RSA SecurID authentication method configured
  
• 941296 An ISA Server 2006 computer may stop responding under a heavy load
  
• 941634 After an ISA Server 2006 application filter establishes an HTTP connection, the connection closes before it can be used, and a "0x80004001 (E_NOTIMPL)" status code is logged
  
• 941870 Only 1,000 PPTP ports and 1,000 L2TP ports are open in Routing and Remote Access if the maximum number of VPN clients is set to more than 1,000 in ISA Server 2006
  
• 942313 Web pages do not appear as expected when you publish a Web site by using a publishing rule in Internet Security and Acceleration (ISA) Server 2006
  
• 942637 A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer
  
• 942638 POST requests that do not have a POST body may be sent to a Web server that is published in ISA Server 2006
  
• 943200 The Microsoft Firewall service stops unexpectedly on a computer that is running ISA Server 2004
  
• 943212 You cannot filter the RPC traffic based on universally unique identifiers (UUID) by using an access rule in ISA Server 2006
  
• 943214 When you publish a back-end ISA Server 2006 computer on a front-end ISA Server 2006 computer that faces the Internet, you cannot enable forms-based authentication on both computers
  
• 944699 The Microsoft Firewall service stops unexpectedly if a Web filter is used on a computer that is running ISA Server 2006
  
• 944764 Requests that have large request bodies may fail when you publish a Web site in ISA Server 2006
  
• 944824 Stop error message on a computer that has ISA Server 2006 installed: You receive a "Stop 0x0000007f"
  
• 945224 ISA Server 2006 may forward requests to an incorrect Web server when a client computer accesses Web sites that have different public names in the same session
  
• 945524 Some Web servers that are published in ISA Server 2006 by using the Web Publishing Load Balancing feature may be incorrectly detected as unavailable at random times
  
• 945814 Error message when you try to change the password of a user account even if you configure ISA Server 2006 to allow users to change their passwords
  
• 945882 HTTP SEARCH requests that do not have a SEARCH body may be sent to a Web server that is published in ISA Server 2006
  
• 947254 A computer that is running ISA Server 2006 may randomly stop routing packets from certain VPN clients or from certain VPN site-to-site networks
  
• 947255 Packets from the branch office may not reach the destination servers in the central office over a site-to-site VPN connection that you create through ISA Server 2006
  
• 947521 When HTTP compression is enabled in Web publishing rules in ISA Server 2006, the compression filter may be unable to handle HTTP responses
  
• 948711 A report may not display HTTPS traffic in ISA Server 2006
  
• 949628 The Microsoft Firewall service crashes randomly when you use ISA Server 2006 to publish a Web server by enabling forms-based authentication
  
• 950139 The Microsoft Firewall service in ISA Server 2006 stops responding to client requests after you publish a Web server by using NTLM authentication delegation
  
• 951508 When you use ISA Server 2006 to publish a Web server, and authentication delegation is enabled, some Web content may not be displayed correctly when a user accesses the published Web server
  
• 951509 Users cannot access a Web site that is published in ISA Server 2006 if the Web site accepts only the SPNEGO authentication package
  
• 950150 Error message when you open a .gz file that you downloaded through an ISA Server 2004 Web proxy server: "Invalid archive directory"
  
• 952675 You cannot log on to a local intranet site that you publish by using ISA Server 2006 when there are multiple user accounts that have the same account name in different domains

Monitoring Exchange Server 2007 Performance: Perfmon counters and thresholds

Monitoring mission-critical services such as email is a necessity in most organizations. Whereas monitoring software like Microsoft SCOM can use Exchange monitoring expertise and rules encoded in Management Packs, and many third-party monitoring solutions ship with some embedded knowledge, if you're setting up a monitoring system or creating a home-grown app to do so, you need to know what to monitor.

I was fortunate enough to (sort of) take a course on Exchange performance monitoring at my previous employer, and get a lot of input on the subject from some great minds in the business. The resulting fondness for performance monitoring and performance counters is probably understandable.

If you share my enthusiasm for performance monitoring, here's some documentation and guidance you may find very useful:

- Monitoring Common Counters
- Monitoring Mailbox Servers
- Monitoring Hub Transport Servers
- Monitoring Client Access Servers
- Monitoring Unified Messaging Servers with System Center Operations Manager

Released: New Whitepapers on Continuous Replication and Planning for Large Mailboxes

New whitepapers have been released today on TechNet.

Whitepaper: Continuous Replication Deep Dive
- written by Ross Smith IV and Scott Schnoll

This whitepaper discusses the different components of Continuous Replication— used by LCR, CCR and SCR, how replication works, backups and log file truncation, what happens during scheduled and unscheduled outages, and how Continuous Replication compares with other replication solutions.

The whitepaper is available here.

Whitepaper: Planning for Large Mailboxes with Exchange Server 2007
- written by Tom Di Nardo

This whitepaper discusses planning and operational issues faced when dealing with large mailboxes, including planning storage, long database backup and online/offline maintenance times.

The whitepaper is available here.

Released: Windows Server 2008 Hyper-V

While I was away yesterday, Windows Server 2008 Hyper-V made its public debut (RTMed in Microsoftese). I know what you're thinking: Let the Microsoft PR storm begin, VMWare has a better virtualization product, and other unbloggable thoughts... :).

I've been using Hyper-V for a few months now, and all I can say is— it's been a great experience way before RTM, and I am impressed! Of all things Hyper-V that impress me, I'm blown away by the performance - it flies! This, on a desktop class machine (one that meets the CPU and other requirements, of course, but poorly-configured to be used as a server/Hyper-V box that's running quite a few virtual machines).

Next, the simplicity and ease-of-use. As InfoWorld's Randall C. Kennedy puts it:

As with most Server 2008 "roles," enabling Hyper-V was a simple matter of ticking a check box in Server Manager and picking a NIC for use by the virtual network manager.

Read more of Randall's review in Test Center review: Microsoft's Hyper-V does the trick.

Scott has a post with plenty of links to Hyper-V resources and blog posts— Hyper-V has RTM'd and is Available!

As Scott mentions in the post, Microsoft will have a support statement about Exchange Server and virtualization 60 days from Hyper-V RTM. This was announced at TechEd IT Pro in Orlando little over 2 weeks ago.

Exchange Quick Audit: mailboxes created in last 7 days

I remember writing plenty of scripts to report on different things such as user accounts created every week/month, user accounts modified, accounts disabled, etc. for SOX compliance. Some of those scripts used to be rather long, and in hindsight— involved a lot more lines of code than an administrator should have to write. Although I had a lot of fun (and still do... albeit with PowerShell), I would totally understand if you said you never wanted to hear about things like Wscript, VBScript, WSH, COM objects, ADSI, and WMI ever again.


Let's take a look at how the shell (EMS) makes it so easy.

In this examnple, we need to get a list of all accounts created in the last 7 days. When a user account is created, its whenCreated attribute gets stamped with the time of creation. Here's how it can be used:

Get-User -resultsize unlimited | where {$_.WhenCreated -gt (get-date).adddays(-7) | ft Name,whenCreated -Autosize

Similarly, when an AD object is changed, it's whenChanged attribute gets stamped with the time the change was made. This makes it easy to determine which objects were changed in a given period, a useful tool for auditing/reporting as well as troubleshooting. In the following example, we determine if any Receive Connectors were changed in the last 7 days.

Get-ReceiveConnector | where {$_.whenChanged -gt (get-date).adddays(-7)}

Another frequently required and requested report— how do I get a list of mailboxes that haven't been accessed in the last X days. Let's use 100 days as the value here:

Get-MailboxStatistics -resultsize unlimited | where {$_.LastLogonTime -lt (get-date).AddDays(-100)} | ft displayName,lastlogontime,lastloggedonuseraccount,servername

Or mailboxes that have never been logged on to:

Get-MailboxStatistics -resultsize unlimited | where {$_.LastLogonTime -eq $null | ft displayName,lastlogontime,lastloggedonuseraccount,servername

Note, you can filter mailboxes by Database or ServerName to restrict the results to a more manageable size.

Next, let's list mailboxes disabled in the last 14 days:

Get-MailboxStatistics | Where {$_.DisconnectDate -gt (get-date).AddDays(-14)} | ft displayName,ServerName,DatabaseName,TotalItemSize -Autosize

Released: Transporter Suite v08.02.0053

An updated version of the Transporter Suite— a set of tools for interoperability and migration from Lotus Domino and generic POP/IMAP servers to Exchange Server 2007, has been released.

Download Transporter Suite v08.02.0053 from here.
Updated release notes are here.

If you're getting started on an interop or migration project, take a look at Resources for Interoperability and Migration from Lotus Domino.

Modifying Display Templates and additional attributes

Recently got a question about customizing the GAL and my previous post that talks about it: "HOW TO: Modify Display Template to make default email address appear in Address Book/GAL".

The new Details Template Editor in Exchange 2007 (in EMC | Tools) makes it much easier to modify templates and give your GAL the kind of look you want (short of adding that 5 Mb. purple bitmap file as a background and an extra-large company logo perhaps... :). Screenshots and more information about Details Templates can be found in Managing Details Templates.

So, you're trying to customize the properties pages of your address lists and want to add an attribute such as ipPhone. You don't see the attribute you're looking for. Can you add additional attributes to the list? Or should you? Dave Goldman explains in Adding attributes to the Exchange details templates.

Exchange Server 2007: Listing Exchange ActiveSync users and device information

In How to get a list of Exchange ActiveSync users we list EAS users on Exchange 2007. Some users may have more than 1 device, or perhaps the user simply got a new smartphone and the old device partnership has not been removed.

Output from Get-ActivesyncDeviceStatistics -mailbox foo@somedomain.com:

FirstSyncTime : 12/22/2007 1:34:10 AM
LastPolicyUpdateTime : 12/22/2007 1:34:43 AM
LastSyncAttemptTime : 1/14/2008 7:45:15 AM
LastSuccessSync : 1/14/2008 7:45:15 AM
DeviceType : PocketPC
DeviceID : *******************************
DeviceUserAgent :
DeviceWipeSentTime :
DeviceWipeRequestTime :
DeviceWipeAckTime :
LastPingHeartbeat :
RecoveryPassword : ********
DeviceModel : WIZA100
DeviceIMEI : ************21900
DeviceFriendlyName : Pocket_PC
DeviceOS : Windows CE 5.2.19134
DeviceOSLanguage : English
DevicePhoneNumber : 1650*******
Identity : foo@somedomain.com\AirSync-PocketPC-*******************************

The * characters in the Identity field are for the DeviceID.

Here's a a quick code snippet (it can probably be scrubbed up a little... ) that will list users and all their devices, along with first sync and last successful sync times:

$mbx = get-casmailbox | where {$_.hasactivesyncdevicepartnership -eq $true -and $_.identity -notlike "*CAS_{*"} ; $mbx | foreach {$name = $_.name; $device = get-activesync devicestatistics -mailbox $_.identity; $device | foreach {write-host $mbx.name, $_.devicemodel, $_.devicephonenumber, $_.deviceid, $_.FirstSyncTime, $_.LastSuccessSync} }

Related posts and links
- Cmdlet: Get-ActiveSyncDeviceStatistics
- Cmdlet: Get-CasMailbox

Community content in Exchange docs: the wikization begins!

Microsoft recently started allowing community content (annotations/links) in Exchange documentation on TechNet. Initially available for Exchange 2003 documentation, this feature was recently expanded to Exchange 2007 documentation as well.

At the bottom of each page in Exchange documentation (on TechNet) you'll see the links to add community content.


Figure 1: Links to add community content in Exchange documentation pages on TechNet

This is a great way to share your Exchange expertise and add more value to Exchange documentation - you can add your code snippets, undocumented scenarios, tips & tricks, links to relevant content on web sites/blogs— yes, links to your blog posts too!

The wiki-zation of Exchange documentation has begun!

For an example of what this looks like, check out the Messaging Records Management (MRM) docs:
1) How to Create Managed Content Settings
2) How to Apply a Managed Folder Mailbox Policy to User Mailboxes

Registration required. Here's the code of conduct, and answers to some frequently asked questions are in this faq.

What it's not...
This is not a place to post product feedback or new feature requests. You can provide new feature requests by email to exwish at microsoft. It's also not a place to post requests for help with any issues— that's better handled in Exchange newsgroups and TechNet Forums, where you can get assistance from expert IT Pros, including MVPs, and Microsoft folks.

ISA 2006 SP1: Support for SAN certs, and new features

When ISA Server 2006 SP1 rolls out this summer, there will be some cool new features to look forward to, including support for SAN certificates.

Having started using Proxy Server 1.0 (I know... hold on to your comments for now.. :) back in the days, I turned away from ISA's predecessor(s) for a few years to engage with what I thought were better options at that time— "dedicated" hardware firewalls. Not too long ago, I started using ISA again, and became a convert with ISA 2006. It made "publishing" (am I the only one who finds the phrase "publishing to the internet" amusing?) Exchange services such as OWA, EAS, Outlook Anywhere, and SMTP secure and relatively effortless.

If you have ISA 2006 deployed with Exchange Server 2007, you're probably looking forward to SP1 as well for its SAN certificate support. Check out the other cool features in this post on the ForeFront TMG (ISA) team blog: ISA Server 2006 Service Pack 1 Features.

Quick antispam report or status check?

Having received an annoyingly higher proportion of spam in my Inbox this morning, I wanted to quickly check what the antispam agents are doing. Here's a quick cmdlet (besides the ones to check whether the antispam agents are enabled, checking the Content Filter SCL thresholds, etc.).

Get-AgentLog -StartDate "6/16/2008" | group action | ft name,count -Autosize

What you get back:

Name Count
---- -----
RejectCommand 520
AcceptMessage 39
RejectMessage 163
QuarantineMessage 11
DeleteMessage 21

The filters are still working. Perhaps it's one of those days when you wake up to high volume of spam.

Note to self: Create a quick monitoring script that provides more information from agent logs, antispam configs, and perfmon counters.

Related posts:
- Keeping tabs on Antispam filters: A few handy scripts in Exchange Server 2007
- Exchange Server 2007: How are RBLs performing?
- Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs

Updated: Mailbox Server Role Storage Calculator v14.7

An updated version of the Mailbox Server Role Storage Calculator (let's just call it Storage Calculator or StorageCalc? :) has been released. More details about v14.7 in Ross' post on the team blog: Updates to the Mailbox Server Role Storage Requirements Calculator.