Master Exchange 2007

powershell, automation & more…

Archive for August, 2009

Cannot get External Out Of Office (OOF) working with Exchange 2007

Posted by shauncroucher on August 31, 2009

There are several areas that need to be checked in order to get OOF working for Exchange 2007.

Thankfully testing and troubleshooting can be easily achieved using powershell.

These are items on the itinerary for checking:

1) Does the Remote Domain ALLOW External OOF, and if the users are using Outlook 2003, does it allow those legacy clients to send OOF to external domains?

By default ONLY Outlook 2007 clients can send externally. This is because Outlook 2003 has no way to define whether an OOF message is for external users or internal users.

To check the setting type the following:

Get-RemoteDomain | ft Id*,*OOF*

If you have Outlook 2003 clients the AllowedOOFType needs to read 'ExternalLegacy'. If you have only Outlook 2007 users it should read 'External'.

For the most part you will have just one Remote Domain (unless you need to manage message settings for a few domains, or perhaps you have a sister company). In that case, you need to decide whether OOF messages that users define as Internal should be delivered to those Remote Domains.

2) Does the user have rights to send Externally?

By default users DO have the right to send externally, but it is worth checking the setting here:

Get-Mailbox <IDENTITY> | fl *OOF*

The ExternalOofOptions should read External, otherwise they will not be able to send external OOFs.

3) Are you using a Smarthost to send outbound mail?

If so, you should be aware that when an OOF message is prepared for sending it DOES NOT INCLUDE a return path in the message envelope (the MAIL FROM is set to <>). For this reason, many smarthosts will NOT relay the message on.

This is to comply with RFC guidelines: Message Disposition Notification (MDN) messages are defined in RFC 3798, which states that messages of this type should be sent with a blank envelope sender (ie: <>). This behaviour is new in Exchange 2007; Exchange 2003 and earlier set the sender field for OOF messages.

So, how do you detect if this is the cause?

Well, one of two tests will show whether this is the problem. First, use the message tracking log to find the message and its associated failure:

Begin by sending an email from outside to the user who has OOF enabled. Make sure you use a unique subject such as 'QWERTY1'.

Now, use the following command on your Edge Transport server (or the Hub Transport server on the edge of your network):

Get-MessageTrackingLog | where {$_.MessageSubject -eq 'QWERTY1'} | fl

Now, if you see an entry that says FAIL, look at the RecipientStatus: this tells you why it FAILED. Usually this will be a 550 code, 'Relaying denied' or 'Unable to relay'. This is the evidence you are looking for. The likely cause is the empty envelope sender (MAIL FROM <>) described above.

To confirm this is the cause, temporarily route mail using DNS instead of the smarthost and see if the OOF is then delivered.

Also remember that by default, OOF messages are only sent ONCE per external sender per 'Out of Office session'. So, if you test OOF using an external user account, the OOF attempt to that account will run once, and no further OOF messages will be sent for subsequent emails from the same external account. So, each time you test OOF (if using the same external email account) you need to turn OOF off, then turn it back on again!
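The three checks above rolled into one script. This is an added example, not code from the original post; it assumes the Exchange 2007 Management Shell, a test mailbox name and the unique test subject, all of which are placeholders you would change. The tracking-log search uses -like rather than -eq because the failing item is the OOF reply, whose subject carries the original subject with a prefix.

```powershell
# Added example (not from the original post): run the three OOF checks from
# this article as one script. Assumes the Exchange 2007 Management Shell;
# mailbox, subject and the Outlook 2003 flag are placeholder assumptions.
param(
    [string]$Mailbox = "user@example.com",   # assumed test mailbox
    [string]$TestSubject = "QWERTY1",        # unique subject used in the test
    [bool]$HasOutlook2003 = $true            # assumption: legacy clients present
)

# 1) Remote Domain: is the right OOF type allowed for the clients in use?
$wanted = "External"
if ($HasOutlook2003) { $wanted = "ExternalLegacy" }
foreach ($rd in Get-RemoteDomain) {
    if ($rd.AllowedOOFType -ne $wanted) {
        Write-Warning ("Remote domain {0} ({1}) has AllowedOOFType={2}, expected {3}" -f `
            $rd.Name, $rd.DomainName, $rd.AllowedOOFType, $wanted)
    }
}

# 2) Mailbox: is the user allowed to send external OOF at all?
$mbx = Get-Mailbox $Mailbox
if ($mbx.ExternalOofOptions -ne "External") {
    Write-Warning ("{0} has ExternalOofOptions={1}; external OOF will not be sent" -f `
        $mbx.Name, $mbx.ExternalOofOptions)
}

# 3) Smarthost: did the OOF reply to the test message fail to relay?
#    Run this part on the Edge or Internet-facing Hub Transport server.
$failed = Get-MessageTrackingLog -EventId FAIL -Start (Get-Date).AddHours(-2) |
    Where-Object { $_.MessageSubject -like "*$TestSubject*" }
foreach ($e in $failed) {
    $rcpts = [string]::Join(",", $e.Recipients)
    $status = [string]::Join(";", $e.RecipientStatus)
    Write-Warning ("FAIL for '{0}' to {1}: {2}" -f $e.MessageSubject, $rcpts, $status)
}
```

If check 3 reports a 550 relay error while checks 1 and 2 are clean, the empty MAIL FROM on the smarthost is the remaining suspect and the DNS-routing test settles it.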

Hopefully you found this article useful, feedback always welcome!


Posted in Transport | 4 Comments »

Exchange 2007 ‘Managed by’ does not allow user to change, add or delete distribution list members

Posted by shauncroucher on August 31, 2009

No, it doesn’t!

The Managed By: entry in the Group Information tab of a Distribution Group is for informational purposes. It does not give a user or group the ability to manage the distribution group.

You need to run the Add-ADPermission cmdlet to add this permission:

Add-ADPermission -Identity <name of distribution group> -User <name of user> -AccessRights WriteProperty -Properties "Member"

This will then allow the specified user to manage the distribution group membership.
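The grant wrapped in a function that also verifies the resulting ACE, so you can confirm the user got exactly WriteProperty on the Member attribute and nothing broader. This is an added example, not from the original post; it assumes the Exchange 2007 Management Shell, and the group and user names are placeholders.

```powershell
# Added example (not from the original post): grant a user the right to edit
# a distribution group's membership, then verify the ACE is present.
# Assumes the Exchange 2007 Management Shell; group and user names are placeholders.
function Grant-DLMembershipManagement {
    param([string]$Group, [string]$User)

    Add-ADPermission -Identity $Group -User $User -AccessRights WriteProperty -Properties "Member" | Out-Null

    # Verify: an allow ACE granting WriteProperty whose property list contains Member.
    # Properties is stringified element by element so the check does not depend on its type.
    $ace = Get-ADPermission -Identity $Group -User $User | Where-Object {
        (-not $_.Deny) -and
        ($_.AccessRights -contains "WriteProperty") -and
        (@($_.Properties | ForEach-Object { "$_" }) -contains "Member")
    }
    if ($ace) { Write-Host "$User can now manage membership of $Group" }
    else      { Write-Warning "ACE not found on $Group for $User" }
}

# Usage with placeholder names:
Grant-DLMembershipManagement -Group "Sales Team" -User "CONTOSO\jsmith"
```

Scoping the grant to the Member attribute, as the article's command does, is the least-privilege option: the user can edit membership but cannot change the group's other attributes.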

It is an area common for confusion in Exchange 2007 due to the change of behaviour.


Posted in Mailbox\Recipient | 8 Comments »

Using Powershell to REMOVE the internal message headers

Posted by shauncroucher on August 30, 2009

First of all, I’m not a fan of doing this at all, but it is a very common question amongst administrators, and many cite security as the reason for doing so.

The reason I’m not a fan is because this reduces the level of information you have when it comes to troubleshooting mail flow issues. It does not allow you to see the SMTP audit trail as a message traverses through the ether.

That aside, there are two ways that this can be achieved.

METHOD 1 – Removing a permission from the Anonymous Logon.

The first involves removing a specific permission from the Send Connector. The permission is "ms-Exch-Send-Headers-Routing". If this is removed from the Anonymous Logon on the send connector that delivers OUTSIDE the organisation, then all the ‘Received’ headers will be removed from the message.

To remove the permission run the following cmdlet:

Get-SendConnector "<NAME OF SEND CONNECTOR>" | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights "ms-Exch-Send-Headers-Routing" -user "NT AUTHORITY\Anonymous Logon"

Then RESTART THE TRANSPORT SERVICE using the following command:

Restart-Service MSExchangeTransport

Let's say you have come to your senses and decided it's not a good idea to remove the header information from outgoing mail. You would run the following command:

Get-SendConnector "<NAME OF SEND CONNECTOR>" | Add-ADPermission -AccessRight ExtendedRight -ExtendedRights "ms-Exch-Send-Headers-Routing" -user "NT AUTHORITY\Anonymous Logon"

METHOD 2 – Using Transport Rules to remove the ‘Received’ header information

On the server that delivers messages outside the organisation, create a Transport rule using the GUI or using powershell:

$Condition = Get-TransportRulePredicate FromScope
$Condition.Scope = "InOrganization"
$Action = Get-TransportRuleAction RemoveHeader
$Action.MessageHeader = "Received"
New-TransportRule -Name "Remove Headers" -Comments "Hide headers revealing internal Transport server FQDNs" -Conditions @($Condition) -Actions @($Action)

Obviously, when you come to your senses, remove the rule using Remove-TransportRule "Remove Headers"!
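Because either method silently removes the SMTP audit trail the article warns about, it is worth being able to audit where it is in effect. The script below, an added example and not part of the original post, reports both: send connectors where Anonymous Logon has lost ms-Exch-Send-Headers-Routing, and transport rules whose action removes the Received header. It assumes the Exchange 2007 Management Shell.

```powershell
# Added example (not from the original post): audit where internal routing
# headers are being stripped, by either method from this article.
# Assumes the Exchange 2007 Management Shell.
$anon = "NT AUTHORITY\Anonymous Logon"

# Method 1: send connectors where Anonymous Logon lacks ms-Exch-Send-Headers-Routing
foreach ($sc in Get-SendConnector) {
    $hasRight = $sc | Get-ADPermission -User $anon | Where-Object {
        (-not $_.Deny) -and ("$($_.ExtendedRights)" -like "*ms-Exch-Send-Headers-Routing*")
    }
    if ($hasRight) { "$($sc.Name): Received headers KEPT (permission present)" }
    else           { "$($sc.Name): Received headers STRIPPED (permission removed)" }
}

# Method 2: transport rules with a RemoveHeader action targeting Received
foreach ($rule in Get-TransportRule) {
    $removes = $rule.Actions | Where-Object {
        ($_.Name -eq "RemoveHeader") -and ($_.MessageHeader -eq "Received")
    }
    if ($removes) { "Transport rule '$($rule.Name)' strips Received (state: $($rule.State))" }
}
```

Keep the output with your change records: when a mail-flow problem is later reported from outside, this tells you up front that the hop-by-hop trail on outbound mail is missing and you will need the internal tracking logs instead.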


Posted in Transport | Leave a Comment »

Windows Server 2008 SP2 (service pack 2) & Exchange 2007 SP2 (service pack 2)

Posted by shauncroucher on August 27, 2009

Both these service packs are now available.

64bit (x64) downloads:

Windows 2008 SP2 (SP1 IS a prerequisite)

Exchange 2007 SP2 (service pack 2)

Posted in Global\General | Leave a Comment »

Local Continuous Replication – No excuse not to!

Posted by shauncroucher on August 27, 2009

Local (or clustered if you prefer) replication should be a mandatory requirement on every 2007 server in the world where there isn’t already a level of mailbox data redundancy!!!

I recently came across a situation where somebody with a little IT knowledge was trying to retrieve a CD (that had become stuck) from a server. After looking in 3 drives, they still couldn't find the CD. Then it dawned on them that instead of looking for the CD in the various CD-ROM drives, they had actually been pulling out the hot-swappable HDDs!!!

Net effect: a destroyed RAID5. Luckily it wasn't so bad getting the company up and running again, but it got me thinking how easy it is to place too much faith in hardware. Nothing will prepare you for user error.

So back to Local Continuous Replication. It's really simple: a copy of your mailbox database and storage group files (transaction log files etc) is copied asynchronously to another set of disks. This can be another RAID volume on the server, or even NAS/SAN storage. The point is that in the event of a major disk failure you can switch over to the passive copy almost instantly.

So, how do you do this in PowerShell?

Well, first of all you need to ensure that you have enabled the database for replication. To do this run the following command (note the DB name must be the same as the original):

Enable-DatabaseCopy -Identity "SG1\DB1" -CopyEdbFilePath "D:\DB1\SG1\Mailbox Database.edb"

Of course, this is where D: is another set of disks, NAS or SAN. Once done it is time to enable Storage Group replication:

Enable-StorageGroupCopy -Identity "SG1" -CopyLogFolderPath "E:\DB1\SG1" -CopySystemFolderPath "E:\DB1\SG1"

Now, as long as the Storage Group has one database in it and that database is set to copy, these really are the minimal commands required to get LCR working on your server. You can optionally provide the -SeedingPostponed parameter to stop the database copy from starting immediately.

If you have chosen to seed at a later stage, you can run the seed operation by using Suspend-StorageGroupCopy and then Update-StorageGroupCopy to initiate the seeding. Don't forget to Resume-StorageGroupCopy afterwards!!
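The whole sequence with postponed seeding, followed by a health check so you know the passive copy is actually usable before you rely on it. This is an added example, not code from the original post; it assumes the Exchange 2007 Management Shell, and the storage group, database and paths are placeholders.

```powershell
# Added example (not from the original post): enable LCR for one storage group
# with seeding postponed, seed it explicitly, then confirm the copy is healthy.
# Assumes the Exchange 2007 Management Shell; names and paths are placeholders.
$sg     = "SG1"
$db     = "SG1\DB1"
$edb    = "D:\DB1\SG1\Mailbox Database.edb"   # second set of disks, NAS or SAN
$logDir = "E:\DB1\SG1"

# Database copy path must keep the same database name as the active copy
Enable-DatabaseCopy -Identity $db -CopyEdbFilePath $edb
Enable-StorageGroupCopy -Identity $sg -CopyLogFolderPath $logDir -CopySystemFolderPath $logDir -SeedingPostponed

# Seed later: suspend, update (copies the database to the passive location), resume
Suspend-StorageGroupCopy -Identity $sg -SuspendComment "Initial seed"
Update-StorageGroupCopy -Identity $sg
Resume-StorageGroupCopy -Identity $sg

# Verify: a usable copy reports Healthy with short copy and replay queues
$status = Get-StorageGroupCopyStatus -Identity $sg
$status | Format-List SummaryCopyStatus, CopyQueueLength, ReplayQueueLength, LastInspectedLogTime
if ($status.SummaryCopyStatus -ne "Healthy") {
    Write-Warning "$sg copy is $($status.SummaryCopyStatus); do not count on it for failover yet"
}
```

Run the Get-StorageGroupCopyStatus part on a schedule: a copy that has quietly fallen behind or failed is no protection against the scenario at the top of this post.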

Excellent Further Reading:


Posted in Mailbox\Recipient | Leave a Comment »

Managed Default Folders managed custom folder exchange 2007

Posted by shauncroucher on August 20, 2009

It can be a little confusing what the difference is with Managed Default Folders and Managed Custom Folders. I recently tried to clarify the differences for a confused administrator!

A Managed Default Folder can be of type ‘Inbox’ , ‘Calendar’ , ‘Deleted Items’, basically all the usual folders you find by ‘default’ in an Exchange 2007 mailbox.

Only 1 “Managed Default Folder” ‘of a particular type’ can be assigned to a “Managed Folder Mailbox Policy” and only 1 “Managed Folder Mailbox Policy” can be assigned to a mailbox user. So if you simply create a Managed Default Folder called “Inbox – 60 day retention”, this will do nothing until you link it to a “Managed Folder Mailbox Policy” and link that policy to a mailbox user.

So the steps may look like this:

1) You have set up a Managed Default (or Custom) Folder Policy for the folder
2) You have set Managed Content Settings to set retention as per your requirements
3) You have added the Managed Default (or Custom) Folder Policy to a Managed Folder Mailbox Policy
4) You have ensured that the users mailboxes are configured to use the Managed Folder Mailbox Policy
5) You have scheduled the Managed Folder Assistant to run regularly, or you have manually run the assistant!!

It’s a little confusing at first, don’t confuse “Managed Default Folders” with “Managed Custom Folders”. With custom folders you can create *additional* folders in a mailbox, but not so with Managed Default Folders.


Some useful powershell commands to double check the policies and settings are in place:

Get-Mailbox <username> | fl *man* (This will show you the MailboxPolicy applied for a particular user)

Get-ManagedFolderMailboxPolicy <Name of ManagedFolder from above> | fl *fo* (This will show all the Managed Folders that are managed by the policy)

Get-ManagedFolder <Folder Name from above, replace {Name} with ‘Name ‘ > |

Get-ManagedContentSettings | fl  (This will show the content settings and the Mailbox Folders they apply to)
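The checks above chained together for one user, walking mailbox to policy to managed folders to content settings, and then kicking the assistant so the result is applied. This is an added example, not from the original post; it assumes the Exchange 2007 Management Shell, and the user name is a placeholder.

```powershell
# Added example (not from the original post): trace a user's managed folder
# configuration end to end and run the assistant for that mailbox.
# Assumes the Exchange 2007 Management Shell; the user name is a placeholder.
function Show-ManagedFolderChain {
    param([string]$User)

    # Step 4: is a Managed Folder Mailbox Policy applied to the mailbox at all?
    $mbx = Get-Mailbox $User
    if (-not $mbx.ManagedFolderMailboxPolicy) {
        Write-Warning "$User has no Managed Folder Mailbox Policy; no retention will be applied"
        return
    }
    "Mailbox policy: $($mbx.ManagedFolderMailboxPolicy)"

    # Step 3: which managed folders (default or custom) does the policy link?
    $policy = Get-ManagedFolderMailboxPolicy $mbx.ManagedFolderMailboxPolicy
    foreach ($link in $policy.ManagedFolderLinks) {
        $folder = Get-ManagedFolder $link
        "  Folder: $($folder.Name) (type $($folder.FolderType))"
        # Steps 1-2: the content settings that hang off each managed folder
        Get-ManagedContentSettings -FolderName $folder.Identity | ForEach-Object {
            "    Setting: $($_.Name) age limit $($_.AgeLimitForRetention) action $($_.RetentionAction)"
        }
    }
}

Show-ManagedFolderChain -User "jsmith"
# Step 5: apply the policy now rather than waiting for the scheduled run
Start-ManagedFolderAssistant -Mailbox "jsmith"
```

A folder that shows up with no settings underneath it, or a policy with no folder links, is the usual reason "nothing happens" after the assistant runs.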

Review the articles found in this section of technet, they make it pretty clear. Also a *quicker* read can be found here:


Posted in Mailbox\Recipient | Leave a Comment »

Customised UPN or Email alias when bulk creating users in Exchange 2007

Posted by shauncroucher on August 20, 2009

I found on a recent Experts-exchange article a really great way of manipulating the UPN or email alias based on certain letters found in the name, ie 7 letters from last name then . then first initial.

The script is written by Chris-Dent on EE. The script shows some pretty useful basic concepts with Powershell such as string concatenation and using Functions to convert basic string to secure string on the fly.

## Run BulkImport.ps1 c:\temp\importusers.csv
## Import data from csv and store it in variable 'data'

$data = Import-Csv $args[0]

## Function to convert password into a secure string

function New-SecureString([string] $plainText) {
    $secureString = New-Object Security.SecureString
    foreach ($char in $plainText.ToCharArray()) { $secureString.AppendChar($char) }
    return $secureString
}

foreach ($i in $data) {
    $ss = New-SecureString $i.password

    # Build the UPN
    $UPN = $i.lastname
    # If the last name length is greater than 7 characters trim off the end
    If ($UPN.Length -gt 7) { $UPN = $UPN.SubString(0, 7) }
    # Concatenate with the first character of the first name and the domain name
    $UPN = "$UPN.$($i.firstname.SubString(0, 1))@bch.local"

    # The -Name value was lost when this page was captured; the display name is
    # assembled here from the existing firstname/lastname columns
    New-Mailbox -Password $ss -Alias $i.alias -LastName $i.lastname -FirstName $i.firstname `
        -Name "$($i.firstname) $($i.lastname)" -Database $i.database -UserPrincipalName $UPN -OrganizationalUnit $i.ou

    Add-DistributionGroupMember "citrix_staff" -Member $UPN
}


Posted in Mailbox\Recipient | Leave a Comment »

NTBackup and VSS capability for Exchange backup

Posted by shauncroucher on August 19, 2009

Recently a friend asked me why he cannot simply use the VSS capability of NTBackup on his 2003 64bit server to back up the Exchange system.

The answer lies in the generic nature of NTBackup's VSS capability. It is not Exchange-aware, and it requires that you make sure all disks holding Exchange data are also backed up to get a successful backup.

There are no time advantages either, because the generic VSS backup streams the data instead of taking the quick 'snapshot' that a fully Exchange-aware VSS-based backup solution would offer.

This msexchangeteam article runs through this subject:


Posted in Global\General, Miscellaneous | Leave a Comment »

Testing POP3 using Telnet

Posted by shauncroucher on August 11, 2009

I wrote an article on Experts Exchange recently detailing how to test a POP3 service using telnet.

Telnet is such a simple tool, and yet offers so much during troubleshooting. You can cut the problem right back to basics. If it doesn't work with telnet, then you know it has nothing to do with the configuration settings or complexity of the application you are using to collect POP mail. You can work up from this principle. It's a bit like the OSI model for networking: start at layer 1 and physical connections (ie: is it plugged in?) and move up from there!
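The same basic test scripted in PowerShell so it can be repeated and its result recorded: connect, read the server banner, ask for the capability list (CAPA, RFC 2449) and QUIT without logging in. It also reports whether STLS is offered, since a POP3 service on port 110 without STLS takes the user's credentials in clear text. This is an added example, not from the original post; the server name and port are placeholders and a reachable POP3 server is assumed.

```powershell
# Added example (not from the original post): the telnet-style POP3 check done
# from PowerShell. Reads the banner, requests CAPA, then QUITs; no login is sent.
# Assumes a reachable POP3 server; host and port are placeholders.
function Test-Pop3Banner {
    param([string]$Server = "mail.example.com", [int]$Port = 110, [int]$TimeoutMs = 5000)

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = $TimeoutMs
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"       # POP3 lines end in CRLF
    $writer.AutoFlush = $true

    $result = @{ Banner = $reader.ReadLine(); Capabilities = @() }

    # CAPA is optional; a +OK reply is multi-line and ends with a lone "."
    $writer.WriteLine("CAPA")
    $reply = $reader.ReadLine()
    if ($reply -like "+OK*") {
        while ((($line = $reader.ReadLine()) -ne $null) -and ($line -ne ".")) {
            $result.Capabilities += $line
        }
    }

    $writer.WriteLine("QUIT")
    $reader.ReadLine() | Out-Null
    $client.Close()
    return $result
}

$r = Test-Pop3Banner -Server "mail.example.com"
"Banner: $($r.Banner)"
if ($r.Capabilities -contains "STLS") {
    "STLS offered: clients can upgrade to TLS before sending credentials"
} else {
    "STLS not offered on port 110: credentials cross the wire in clear unless clients use port 995 (POP3S)"
}
```

If the Connect call itself fails you are at the "is it plugged in" layer (firewall, listener, DNS); if the banner arrives but CAPA does not, the service is up and the problem has moved up the stack to the client or its settings.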


Posted in Transport | Leave a Comment »

Offline Address Book (OAB) and web based distribution

Posted by shauncroucher on August 11, 2009

Exchange 2007 manages the Offline Address Books and distribution of these offline address books using BITS transfer to Outlook 2007 clients. The article below does a great job of explaining the process that occurs:



Posted in Mailbox\Recipient | Leave a Comment »