exchange-server

McAfee and SMTP Traffic

I've been chasing after an issue with a new Exchange deployment not sending any outbound mail. When you telnet to port 25 on any SMTP server it just fails straight away as if there's a firewall or something in between. I finally got a network trace and the very odd thing was that there was absolutely no network traffic at all. Usually you would see a bunch of TCP SYNs if there was a firewall in the mix.

I noticed that McAfee's little shield in the tray was bright red, which it does when it has something to say. The log had these entries (well, a lot of them) in it:

6/29/2009    11:39:13 AM    Blocked by port blocking rule     C:\Exchange\Bin\edgetransport.exe    Anti-virus Standard Protection:Prevent mass mailing worms from sending mail    10.100.10.16:25

6/29/2009    11:40:46 AM    Blocked by port blocking rule     C:\Windows\system32\telnet.exe    Anti-virus Standard Protection:Prevent mass mailing worms from sending mail    10.100.10.15:25

You can see Exchange trying to relay mail (the Edge Transport process) and me trying to test it by hand (telnet). Apparently McAfee has kindly inserted itself into the network stack somewhere and is intercepting these connections before they even leave the box.

In order to turn this off, you need to go into ePO and edit the Access Protection policy which applies to your servers. Inside the policy, go to Anti-virus Standard Protection and uncheck both boxes for Prevent mass mailing worms from sending mail.

Don't forget to do this for both the "Server" and "Workstation" policies (or just the server one).
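The quickest confirmation that a host-based port-blocking rule (rather than the network) is eating outbound SMTP is the Access Protection log itself. The following is an added example, not part of the original post, that parses log lines in the format quoted above and separates port-25 blocks against the Exchange transport process from blocks against anything else (a hand telnet test, or a process that has no business sending mail). The whitespace-separated column layout, the dataclass names and the sample lines are assumptions built from the two entries in the post; the third sample line is constructed to show that other rule types are ignored and does not reproduce real McAfee wording.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the two McAfee Access Protection entries quoted in
# the post, plus one constructed entry for a different rule type (the wording of
# that third line is made up for illustration, not real McAfee output).
SAMPLE_LOG = [
    r"6/29/2009    11:39:13 AM    Blocked by port blocking rule     C:\Exchange\Bin\edgetransport.exe    Anti-virus Standard Protection:Prevent mass mailing worms from sending mail    10.100.10.16:25",
    r"6/29/2009    11:40:46 AM    Blocked by port blocking rule     C:\Windows\system32\telnet.exe    Anti-virus Standard Protection:Prevent mass mailing worms from sending mail    10.100.10.15:25",
    r"6/29/2009    11:41:02 AM    Blocked by Access Protection rule    C:\Windows\system32\notepad.exe    Common Standard Protection:Prevent modification of McAfee files    C:\Program Files\McAfee\test.txt",
]

# Columns are separated by runs of two or more whitespace characters (an
# assumption based on the quoted lines); the time column contains one space.
FIELD_SEP = re.compile(r"\s{2,}")

# Processes expected to speak SMTP outbound from an Exchange 2007 transport
# server. edgetransport.exe comes from the post; extend for your environment.
EXPECTED_SMTP_SENDERS = frozenset({"edgetransport.exe"})


@dataclass(frozen=True)
class PortBlock:
    when: datetime
    process: str
    rule: str
    target_ip: str
    target_port: int


def parse_port_block(line):
    """Parse one log line into a PortBlock; return None for lines that are not
    port-blocking-rule hits (other rule types, malformed lines)."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) != 6 or parts[2] != "Blocked by port blocking rule":
        return None
    date, time, _action, process, rule, target = parts
    ip, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return PortBlock(
        when=datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p"),
        process=process,
        rule=rule,
        target_ip=ip,
        target_port=int(port),
    )


def find_smtp_blocks(lines, expected_senders=EXPECTED_SMTP_SENDERS):
    """Split port-25 blocks into hits on expected mail processes (the
    mass-mailing rule is breaking Exchange itself) and hits on anything else."""
    expected, unexpected = [], []
    for line in lines:
        rec = parse_port_block(line)
        if rec is None or rec.target_port != 25:
            continue
        exe = rec.process.rsplit("\\", 1)[-1].lower()
        (expected if exe in expected_senders else unexpected).append(rec)
    return expected, unexpected


def summarize(lines):
    """Per-process count of blocked port-25 connections, for quick triage."""
    expected, unexpected = find_smtp_blocks(lines)
    counts = {}
    for rec in expected + unexpected:
        counts[rec.process] = counts.get(rec.process, 0) + 1
    return counts


if __name__ == "__main__":
    expected, unexpected = find_smtp_blocks(SAMPLE_LOG)
    for rec in expected:
        print(f"Exchange transport blocked: {rec.process} -> "
              f"{rec.target_ip}:{rec.target_port} ({rec.rule})")
    for rec in unexpected:
        print(f"Other process blocked:      {rec.process} -> "
              f"{rec.target_ip}:{rec.target_port}")
    print(summarize(SAMPLE_LOG))
```

Run it against an exported Access Protection log: a hit on edgetransport.exe means the rule has to be relaxed for the transport servers, while hits on other processes are worth a second look before the rule is loosened for them too.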

Posted Monday, June 29 2009 by Brian Desmond | 3 Comments


Exchange Databases Fail to Mount with 0x97E

If you run into a scenario where your Exchange databases are failing to mount with either of the errors below, first reference this TechNet article. Assuming that doesn't apply, manually start the System Attendant (MSExchangeSA) service on the machine which is failing. After doing that, try mounting the databases (or bringing your clustered mailbox server online with Start-ClusteredMailboxServer). Bottom line, I spent hours trying to figure out why Exchange wasn't succeeding in creating the mailboxes it needs for each store before I decided to randomly try this.

Log Name: Application
Source: MSExchangeIS
Date: 6/6/2009 7:48:43 PM
Event ID: 9519
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: FooExchange.domain.com
Description: Error 0x97e starting database "SG01\MB10SG01MS01" on the Microsoft Exchange Information Store.

Log Name: Application
Source: MSExchangeIS
Date: 6/6/2009 7:48:43 PM
Event ID: 9546
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: FooExchange.domain.com
Description: Failed to create the Event Registration Mailbox for Database SG01\MB10SG01MS01. Error - 0x97e.


Posted Saturday, June 06 2009 by Brian Desmond | No Comments


Resuming a Failed Exchange 2007 Setup

If you've ever had Exchange 2007 setup fail partially, you've probably noticed that some of the components (maybe even the one it failed during) show up as installed, but, if you run the ExBPA (Best Practices Analyzer), it will probably complain that setup failed. With most applications you just go to Add/Remove Programs (or Programs and Features in WS2008) and there's a repair option. Exchange of course has no such option.

The trick with Exchange is to fix it with the exsetup utility. If for example you needed to fix up a Mailbox server role installation, you'd go to C:\Exchange\Bin (or wherever you installed Exchange to) and run "exsetup /role:Mailbox". The utility will resume setup where it left off and clean things up.

Posted Saturday, June 06 2009 by Brian Desmond | No Comments


TechEd 2009 LA – I’ll Be There

Coming to TechEd in a couple weeks? Come say Hello! I'll be hanging out at the MS Active Directory booth in the Technical Learning Center all week answering questions and talking to customers. I'll be at the booth for sure in the afternoon every day, and I'll probably be around most mornings (but no promises there). If you're going to be at TechEd, come say hello.

As far as Active Directory, 4th Ed goes, if you've got a copy and would like to get it signed, bring it with. If you don't have a copy, I understand they will be for sale at the TechEd book store. It's usually near the front door somewhere. You could also pick one up from Amazon (at a discount off list) and bring it along.

Posted Thursday, April 30 2009 by Brian Desmond | 1 Comment


Recording of my Active Directory 2008 R2 Webcast Now Available

If you weren't able to make the webcast that Laura and I did last week on What's New in Active Directory for Windows Server 2008 R2, there is now a recording available that you can watch any time. Additionally, note the O'Reilly discount code at the bottom of this post. It's good through May 1, 2009 for 40% off your order from www.oreilly.com! I've also uploaded the slides and you can find them here.

We're pleased to let you know that the recording of the recent O'Reilly webcast by Laura E. Hunter and Brian Desmond is now ready for viewing: What's New in Windows Server 2008 R2 Active Directory.

The recording is available on our webcast page or view it in higher resolution on the O'Reilly YouTube channel (Click the "HD" button on the movie window to view it in high definition.) Please feel free to share it with others.

And, to thank you for registering for this webcast, we're offering you a discount code good for 40% off your entire book order from O'Reilly. Just use the code 4CAST in the shopping cart when you check out to take 40% off your order (our apologies—this discount doesn't work in the UK shopping cart).

Here are some titles that may interest you:

Active Directory, Fourth Edition by Brian Desmond, Joe Richards, Robbie Allen, Alistair G. Lowe-Norris

By giving you a thorough grounding in Active Directory, this bestselling book teaches you how to design, manage, and maintain an AD infrastructure, whether it's for a small business network or a multinational enterprise with thousands of resources, services, and users. The fourth edition covers Active Directory from Windows 2000 through Windows Server 2008 in an easy-to-understand narrative style.

Active Directory Cookbook, Third Edition by Laura E. Hunter, Robbie Allen

When you need practical hands-on support for Active Directory, the updated edition of this Cookbook provides quick solutions to more than 300 problems you might encounter when deploying, administering, and automating Microsoft's network directory service. You'll find recipes for the Lightweight Directory Access Protocol (LDAP), ADAM, multi-master replication, Domain Name System (DNS), Group Policy, the Active Directory Schema, and many other features. This discount code is only valid through May 1, 2009. You may use it more than once, and share it with your family and friends.

Thanks again for your interest in O'Reilly webcasts. Visit webcasts.oreilly.com for news about future webcasts.


The O'Reilly Webcast Team

webcast@oreilly.com

Posted Thursday, April 30 2009 by Brian Desmond | 4 Comments


WS2008 R2 Active Directory Webcast - Tomorrow, Friday 4/24

UPDATE 1 - New Registration Link

UPDATE 2 - Recording available here.

Tomorrow, Laura Hunter and I will be doing a webcast discussing and demoing the new Active Directory features in Windows Server 2008 R2 as well as answering AD questions. We have a 90 minute slot and I expect we will spend ~45-60 minutes on R2 and the remainder taking questions on the presentation and AD in general.

We'd love to see you there. The webcast is hosted by O'Reilly and is free to attend. If you can't make it, a recording will be available. Here are the details:

Registration Link - https://oreillymedia.webex.com/oreillymedia/onstage/g.php?d=662451195&t=a

Date: Friday, April 24, 2009

Time: 10am PT, San Francisco
6pm - London | 1pm - New York | Sat, Apr 25th at 3am - Sydney | Sat, Apr 25th at 2am - Tokyo | Sat, Apr 25th at 1am - Beijing | 10:30pm - Mumbai

Presented by: Brian Desmond, Laura E. Hunter

Duration: Approximately 90 minutes.

Cost: Free

https://oreillymedia.webex.com/oreillymedia/onstage/g.php?d=662451195&t=a


Posted Thursday, April 23 2009 by Brian Desmond | 3 Comments


Exchange 2007 Protocol Logging – IMAP & POP

I had a question come across my desk the other day about how to enable protocol logging in Exchange 2007 for IMAP and POP. Protocol logging for these protocols generates comma delimited logs similar to HTTP logs (except for IMAP). In Exchange 2003 you enabled these with a couple of registry tweaks. These don't, however, work in Exchange 2007. Exchange 2007 instead uses a couple of config files on the file system.

To enable the logging for IMAP, you would do this:

  1. Browse to C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap
  2. Open Microsoft.Exchange.Imap4.exe.config with a text editor (e.g. Notepad) and scroll to the bottom
  3. Modify ProtocolLog from false to true.
  4. Modify LogPath as necessary
  5. Restart the MsExchangeImap4 service

For POP, simply edit Microsoft.Exchange.Pop3.exe.config instead and restart the MsExchangePop3 service.
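Hand-editing the .exe.config works for one server, but it's easy to typo the value or leave logging on after the troubleshooting is done. As an added example, not part of the original post, the script below makes the same ProtocolLog and LogPath change programmatically, adds the key if a file is missing it, and can flip logging back off afterwards. It assumes the appSettings/add key="..." value="..." layout for these keys (the key names come from the post; the surrounding layout and the sample file contents are assumptions), and it still leaves the service restart to you.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for Microsoft.Exchange.Imap4.exe.config. The
# real file carries more keys; only the two the post mentions are modelled here.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ProtocolLog" value="false" />
    <add key="LogPath" value="C:\\Program Files\\Microsoft\\Exchange Server\\Logging\\Imap4" />
  </appSettings>
</configuration>
"""


def _app_settings(root):
    """Return the appSettings element, creating it if the file lacks one."""
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    return app


def get_setting(config_xml, key):
    """Read one appSettings value; None if the key is absent."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    for add in _app_settings(root).findall("add"):
        if add.get("key") == key:
            return add.get("value")
    return None


def set_setting(app, key, value):
    """Update an existing <add key=...> element or append one if missing."""
    for add in app.findall("add"):
        if add.get("key") == key:
            add.set("value", value)
            return
    ET.SubElement(app, "add", key=key, value=value)


def enable_protocol_logging(config_xml, log_path=None):
    """Return the config text with ProtocolLog set to true and, if given, a new
    LogPath. Restarting MsExchangeImap4 / MsExchangePop3 is still required."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    app = _app_settings(root)
    set_setting(app, "ProtocolLog", "true")
    if log_path is not None:
        set_setting(app, "LogPath", log_path)
    return ET.tostring(root, encoding="unicode")


def disable_protocol_logging(config_xml):
    """Turn logging back off once troubleshooting is done; protocol logs record
    every client command and grow quickly if left enabled."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    set_setting(_app_settings(root), "ProtocolLog", "false")
    return ET.tostring(root, encoding="unicode")


def update_config_file(path, enable=True, log_path=None):
    """Rewrite a real config file in place, keeping a .bak copy of the original."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    updated = (enable_protocol_logging(original, log_path) if enable
               else disable_protocol_logging(original))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return updated


if __name__ == "__main__":
    print(enable_protocol_logging(SAMPLE_CONFIG, r"D:\ImapLogs"))
```

Point update_config_file at the Imap4 or Pop3 config under ClientAccess\PopImap, then restart the matching service; the .bak copy makes it easy to put things back exactly as they were.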

You can use a number of tools to parse the logs; one tool I would recommend is LogParser from Microsoft.

Posted Saturday, April 11 2009 by Brian Desmond | 1 Comment


TEC/DEC in Vegas Next Week

I'll be in sunny Las Vegas Henderson, NV next week for TEC. I've got sessions I'm doing this year and hope to see some of you there:

  • Networking for AD Pros [Tuesday, 2:45PM – 4:00PM] – We're going to do a few things in this hour. I've got some useful but sometimes obscure replication topology constructs I'm going to talk about and then we're going to take those plus the basics and apply them to some complex network topologies. One of the challenges I often see working with large customers is the communication disconnect between the networks team and the AD folks. My goal is to show some examples and introduce some concepts to help bridge that gap. Finally, I've got a bunch of replication related tips and tricks demos that should be a fun way to wrap things up.
  • Scripting DC Deployments [Monday, 1:00PM – 2:15PM] – I've worked on a few projects now where I've had to roll out a large number of DCs for new domains/forests, hardware refreshes, OS upgrades, etc. Each time I've come up with a semi- to fully-automated process to do this that's been adopted not only for the project but as an ongoing DC build process during steady state operations (e.g. for day-to-day tasks like a new DC, rebuilding a DC, etc). We'll look at some of the techniques for doing this, lessons learned over these projects, and perhaps some fun war stories as well. Note: If you're interested in this topic, attending TEC, and have something specific you'd like to hear about in this space, let me know ASAP – this session is, shall we say, early in the development process.
  • Hardcore Windows Troubleshooting [Tuesday, 9:45AM – 11:00AM] – This is going to be fun. In many organizations I've worked, AD and Exchange folks are often the top of the food chain for Wintel support. I've put together about half a dozen scenarios that I'll use to demonstrate some tried and tested troubleshooting methodologies. Many of these scenarios are extremely frequent Wintel problems that often end up as PSS calls. My goal is to have folks leave armed to tackle these problems themselves. This talk is going to be mostly demos – I've got demo code to use for troubleshooting as well as data from actual customer issues to troubleshoot live.

Books – Have you got a copy of Active Directory, 4th Ed? If you bring it along and find me, I'll sign it. Joe also will if you track him down. I don't have any give-away copies this year. The book industry is one of the many sectors being hit pretty hard by the economy. If you don't have a copy, find Joe Richards, Laura Hunter, or myself and we've got 30% off bookmarks for Active Directory, 4th Edition as well as the Active Directory Cookbook, 3rd Edition. If you do have a copy, still track us down and you can have a bookmark (or two or three) anyway. We've collectively got tons of them.

Update 21Mar09 – I’ll be doing a Birds of Feather session with Gil and Sean on Tuesday from 4:30PM – 5:45PM. We’ll be discussing the Microsoft Thrive program as well as IT outsourcing as it relates to Active Directory and Exchange.

I should be at the hotel by about 1 on Sunday and will be around until Wednesday afternoon. Look forward to seeing you there!

Posted Friday, March 20 2009 by Brian Desmond | 9 Comments


At TechEd Next Week

I'll be down in Orlando at TechEd IT Pro next week. I'm working a booth of some fashion in the Technical Learning Center most of the week I'm told, so feel free to drop in and say hello if you're in town as well.

Posted Wednesday, June 04 2008 by Brian Desmond | 1 Comment


Updated Error Code Lookup Tool

The Microsoft error code lookup tool (which no Windows admin should be without) got updated today: http://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en&tm.

While it says it's for Exchange, it really covers Exchange, Windows and a number of other Microsoft products. You can plug an error code in and this tool will give you whatever definitions it finds in the headers compiled into it. If you've ever seen an event that says "the error code is in the data", or you get a message that "unknown error 0x80045500" has occurred and you have no idea what to do, this is where to start. I keep the binary in the path on my workstations. Here's a sample for one of the most common codes you'll see:

C:\Documents and Settings\Administrator>err c0000005
# for hex 0xc0000005 / decimal -1073741819 :
  STATUS_ACCESS_VIOLATION                                       ntstatus.h
# The instruction at "0x%08lx" referenced memory at
# "0x%08lx". The memory could not be "%s".
  USBD_STATUS_DEV_NOT_RESPONDING                                usb.h
# 2 matches found for "c0000005"

Generally speaking the correct result is the first one for this example. When you get more than one result though you'll have to look at the names of the header files (e.g. usb.h) and see which one makes sense.

Posted Thursday, May 29 2008 by Brian Desmond | 2 Comments


Upgrading my MCSE

So I have an MCSE: Messaging 2003. Took something like 7 or 8 tests to get that way back when and it's still good. Being the good consultant that I am, I decided I'd figure out what I need to do to get whatever the new equivalents are on Windows 2008 and Exchange 2007:

The new Windows 2008 exam seems to be an "MCITP: Enterprise Administrator":

  • Windows 2003 MCSE upgrade Test
  • Windows Vista Test
  • Windows 2008 Enterprise Administrator Test

OK so, three tests total for an upgrade. That's a lot of test questions, but, seeing as my transcript says I took the Windows 2000 client test - they have a point. Unfortunately this means I'm going to have to make peace with Vista on some piece of hardware and actually use it. Not looking forward to that - 2003 runs so well on my machines.

The new Exchange 2007 tests I can run as a separate thread - seems that's now called an "MCITP: Enterprise Messaging Administrator":

  • Configuring Exchange 2007 Test
  • Designing Exchange 2007 Test
  • Deploying Exchange 2007 Test

Well, three more tests to upgrade. 3 + 3 = 6 tests total to upgrade. I only took 7 or 8 originally so might as well not even call this an upgrade - perhaps renumbering would be a better term.

So, I need to take six tests to change the alphabet soup in my signature line at work. Speaking of alphabet soup - what is up with these new certification names? I can fit "MCSE: Messaging" in my signature without any sort of space constraint. If I plug in there that I'm an "MCITP: Enterprise Administrator and MCITP: Enterprise Messaging Administrator" I'm going to practically have a buffer overrun at only 80 characters across the screen, not to mention I'd look like one of those folks that spells out their 12 useless certifications in their signature line and pastes the jpegs in that they send you when you pass.

Time to start the test taking and theorizing on how to summarize that whole jumble.

Posted Wednesday, April 02 2008 by Brian Desmond | 3 Comments


Exchange 2007 SCC Install Error

Apparently when installing a new Exchange 2007 SCC cluster, you can't give the resource group containing the physical disks the same name as what the cluster virtual name will be.

For example, if your mailbox virtual server will be accessible via the short name "vmbx01", calling the cluster group "vmbx01" will result in setup failing with this error:

Cluster Common Failure Exception: Cluster Common Failure Exception: The group or resource is not in the correct state to perform the requested operation. (Exception from HRESULT: 0x8007139F)

Once I renamed my cluster group to "vmbx01-disk", setup proceeded business-as-usual. After setup completes you need to migrate all the disks to the new "vmbx01" cluster group that setup will create. This is documented in this article starting at step 19: http://technet.microsoft.com/en-us/library/bb123969.aspx.

Posted Saturday, January 12 2008 by Brian Desmond | No Comments


Very Cool Outlook Addin

A few months ago I came across this shareware utility called Anagram. It's a plug-in for Outlook that parses textual contact and appointment information into a new contact or appointment object. I really only use it for contacts, but the basic scenario is take the common email signature tons of people have with their name, email, phone number, address, etc at the bottom of every email. Out of the box if you want to convert that to a new Outlook contact, you create a new contact and then you copy and paste each field one at a time. With Anagram, you select the signature and press F12 and a new Outlook contact window pops up pre-populated. The text can be in anything – a webpage, text file, an email, etc. It's just a little app that runs in your tray.

I'm not one to buy shareware very often, but this was one of the better uses of $30 in a while in my opinion. Check it out at www.getanagram.com.

Posted Sunday, March 25 2007 by Brian Desmond | 3 Comments


Dedicated Exchange Sites in Active Directory

A comment I received on a previous post on sites and subnets in Active Directory was "what benefit(s) does a dedicated Exchange site provide?". There are a couple of things to consider here with the advent of Exchange 2007. The first is the great degree of dependency Exchange has on Active Directory data for everything it does. The second, applicable to Exchange 2007 deployments, is that Exchange now uses the Active Directory site topology to route email. I'm not familiar enough with this scenario yet to speak to it, but I will speak to the need for fast and reliable global catalog access for Exchange servers.

With Exchange 2000 and 2003, the vast majority of the configuration data for Exchange is stored in Active Directory in the Exchange services container in the configuration partition. All of the configuration data for recipients is stored on top of the objects representing them in Active Directory – users for mailboxes, contacts, distribution groups, public folders, etc. More specifically, when Exchange needs access to this data, it goes to a global catalog server to get it, as a global catalog holds the relevant data for every single recipient in the forest. The configuration partition information can be read from any DC in a forest due to the replication scope of the partition. In a busy Exchange deployment, Exchange places a disproportionate load on the global catalogs it uses as compared to clients. Every single message that has to be routed requires a lookup against a global catalog, as do distribution list expansions, address book builds, etc.

When the Active Directory traffic generated by Exchange isn't segmented off from that generated by end users, workstations, and other applications, there tends to be a performance hit seen by both parties. If the shared domain controllers are too busy with Exchange, complaints about logon times can be expected. Conversely, if the shared domain controllers are too busy with logon traffic and servicing other applications, Exchange will see a hit, most notably in message routing. These scenarios of course apply to larger Exchange deployments – a small operation is unlikely to run into this.

The solution to this problem is to deploy a dedicated Active Directory site for Exchange. If you have multiple datacenters with highly concentrated Exchange deployments in them, the solution might actually be multiple Exchange sites enterprise-wide. Place a couple of global catalogs in these sites which are geared towards very high read performance – 64 bit deployments with as much memory as possible to hold a large amount (or all of) the DIT in memory will see a huge performance gain.

This article from TechNet explains a handful of performance counters which should be monitored to see if Active Directory may be the root of Exchange performance issues.

This article from Microsoft IT Showcase explains exactly how to go about configuring a dedicated Exchange site. Note that Microsoft IT deployed a series of /32 subnet objects to create their Exchange site. It is also possible to provision dedicated Exchange subnet(s) in your datacenter(s) and associate those with an Exchange site. I've taken both paths and generally it tends to depend more on whether the network guys at the shop are willing to light up a dedicated site or not.

Posted Saturday, February 03 2007 by Brian Desmond | 3 Comments


Exchange System Manager Public Folder Errors

I was working on a customer's Exchange server today when I got presented with a weird error in Exchange System Manager (ESM) while trying to do some work on their public folder hierarchy. I was first getting this error:

---------------------------
Exchange System Manager
---------------------------

The operation failed because of an HTTP error 501 (Not implemented). Verify that the ExAdmin virtual root exists on the destination server.

ID no: c1030af7
Exchange System Manager

---------------------------
OK
---------------------------

I traced this down to someone having applied IP address level restrictions to the various Exchange virtual directories (including exadmin and public) which prohibited me from connecting with ESM to work on the public folder hierarchy. I removed these and then I got a new error:

---------------------------
Exchange System Manager
---------------------------

The operation failed due to an invalid format in the HTTP request. Verify that the host header is correct for the virtual server.

ID no: c1030af0
Exchange System Manager

---------------------------
OK
---------------------------

I figured out that the Default Web Site which had all the Exchange virtual directories in it was bound to a specific IP address on this server (which had multiple IPs) and that was not the address that ESM was attempting to connect to. Changing this to all unassigned took care of the issue.

After the fact I found this useful link on other errors ESM might throw while managing public folders: http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/publicfolders.mspx

Posted Tuesday, December 05 2006 by Brian Desmond | No Comments


Outlook Junk Mail Reporting Tool

Microsoft released a little add-in for Outlook which you can use to forward junk mail not caught by the built-in filter to them for analysis (and hopefully improving the filter):

"The Junk E-mail Reporting Tool submits e-mail to Microsoft when you explicitly choose to do so. If you receive a junk e-mail and want to report it to us for analysis, first select the e-mail in Outlook and then click the junk e-mail button on your tool bar. You will see a pop-up window asking whether you want to report the selected e-mail to Microsoft and its affiliates. When you click “Yes” to confirm that you’d like to report the selected e-mail as junk e-mail, the junk e-mail will be deleted from your Inbox and sent to FrontBridge, a Microsoft company, for analysis to help us improve the effectiveness of our junk e-mail filtering technologies."

Download here

Posted Sunday, October 29 2006 by Brian Desmond | 1 Comment


Exchange 2003 Daylight Savings Time issue

October 2006 has 5 Sundays, and this triggers a bug in Exchange 2003 where users' meetings are moved a day ahead. The hotfix (and a bit of info) is available here.

Posted Sunday, October 29 2006 by Brian Desmond | 1 Comment


Backup Exec Exchange 2003 Bug Workaround

Backup Exec (10.1 at least) has an annoying (and undocumented) bug when it comes to restoring to an Exchange 2003 Recovery Storage Group. When you go to restore a mail store to a recovery storage group, BE goes along for a couple minutes and then fails with error "V-79-57344-65280 - Unable to restore the selected Microsoft Exchange database 'MailStoreNameHere' because it is currently mounted. Use the Exchange System Manager to dismount it, and then retry the job.". The whole point of the recovery storage group is to restore user data without dismounting the production store, so this doesn't make a whole lot of sense. Recovery Storage Groups are a feature that is transparent to the backup/restore program. Exchange automatically redirects the restore to the recovery storage group as part of the existing APIs.

Apparently the issue is that Backup Exec is doing a query to Active Directory to determine whether the store is mounted, and of course it is. There is a registry key which can be set to tell Backup Exec to ignore the results of this query. To make this change create the following registry value (DWORD) on the Backup Exec server and the Exchange server:

HKLM\Software\Veritas\BackupExec\Engine\ese

name = "ignore mount state"

value = DWORD(1)

Posted Monday, October 16 2006 by Brian Desmond | 19 Comments


New Look for the Site

After a couple hours of customization, I activated a new theme for the BrianDesmond.com site. The old look was the same theme I had when I started a blog on weblogs.asp.net in 2003. I felt like it was kind of depressing to look at the old colors - there was a lot of gray in there. With that in mind I settled on a new theme which is far brighter and certainly less visually depressing.

I also recently added a little "Share this post" bar at the bottom of each post - it has links for emailing the post, as well as integration with Digg, Del.icio.us, and Live.com. I've seen all of these floating around various blogs I read, and I found a cool Community Server module that takes care of the links, so why not add them to the site.

The other major change I've made in the way of aesthetics on this site recently is the addition of Google AdSense advertisements. Running this site costs me money every month, and really the only thing I get in return is the gratification of sharing information with people (which I'm perfectly happy with). I made the decision to add the advertising hoping to offset the cost of running the site. When I did this on the old theme I didn't really think much about the ad placement, I just plopped the little scriptlet from Google down wherever it seemed logical at the time. This didn't really net much in the way of click-throughs. In fact, the click-through ratio was horrible. So, as part of my project to revamp the visual theme of the site, I spent quite a bit of time researching where the best placement for the ads was. I think I've done a good job balancing the placement such that I will hopefully get increased click-through while also making sure the advertising is not intrusive to the main goal of the site, which is the content I post. I will not add any sort of advertising to the RSS feed for the site, and I'm committed to that. I will continue to tinker with the placement and look of the ads on the site with the goal of optimizing them to offset the cost of the server.

Another thing I've decided to do in the coming weeks is to add an articles section, or something along that line. I spend a lot of time answering questions on the Microsoft newsgroups and a couple of mailing lists. A good portion of the questions I answer are either repetitive or stem from the person asking not correctly doing something earlier on. So, my plan is to spend a bunch of time documenting common procedures I run across on the newsgroups and in my day to day work. I'm going to stick with mostly Active Directory and Exchange stuff since that's really what I know best. I haven't fully figured out my plan for this idea, so I'll have another post or two about it as I finish hashing out that plan. As always feel free to drop a comment on the post or hit the email me link on the site if you've got any thoughts on this.

Posted Friday, September 15 2006 by Brian Desmond | No Comments


Script to Dump Exchange Mailbox Info to Spreadsheet (CSV)

I found another useful script I wrote last year on my hard drive this evening. It's pasted in below. This script will dump quite a bit of useful information about each mailbox on a particular server or set of servers to a CSV file which you can in turn import into Excel and create a spreadsheet from. I typically would import the data into a SQL Server table using DTS (Data Transformation Services) if I needed to do a lot of computation or data mining. Excel gets very slow when doing tasks that really require an index over a lot of data.

Note: The script uses WMI to get this information, so Exchange 2003 is required. Only Exchange View Only level permissions are required in Active Directory; however, you will likely need local Administrator privileges on each Exchange server. I don't have an Exchange 2003 server readily available to test and I was running as an Exchange Full Admin when I originally wrote this script.

There are a few properties which I did not export as I did not need them at the time. The specific meaning of each property available is available on MSDN. Adding these properties to the script should be self explanatory (especially given a very similar script at the bottom of the MSDN article).

There are two things you must edit in order for this script to function within your organization:

Line 28:
"Const TOTAL_SERVERS = 3"

You should put the total number of servers you plan to inventory in TOTAL_SERVERS.

Lines 36 - 37:
strComputer(0) = "xmb01"
strComputer(1) = "xmb02"
strComputer(2) = "xmb03"

You should create or remove additional lines for each server name in the strComputer() array. Note that the array starts with index 0. The script has been tested with twelve servers and sixty thousand mailboxes.

Here is the code for the script. Use this at your own risk, it's not my fault if anything happens.


'==========================================================================
' NAME   : Exchange Mailbox Stats Dumper
' AUTHOR : Brian Desmond, brian@briandesmond.com
' DATE   : 12/28/2005
' COMMENT: This script requires Exchange 2003. It will dump information
'			about each mailbox on the mailbox servers specified
'
'	Version		Date		Author			Note
'	-----------------------------------------------------------------
'	1.0			28Nov05		Brian Desmond	Initial Version
'	1.1			03Sep06		Brian Desmond	
'	1.2			13Dec08		Brian Desmond	Fixed array sizing bug,
'											Added error handling note
'											Added TODOs
'											Moved configurable items up
'==========================================================================
Option Explicit

' Note this script currently uses On Error Resume Next
' this isn't best practice - in reality this should be tightly 
' wrapped around the WMI connection logic in the loop rather
' than up here.
On Error Resume Next

' TODO: Configure this
' This is the total number of servers which you
' will specify for inventory
Const TOTAL_SERVERS = 3

Dim strComputer()
ReDim strComputer(TOTAL_SERVERS - 1)	' upper bound, so slots 0 to TOTAL_SERVERS - 1

' TODO: Populate this array
' Enter each server name below as an entry in the array
' starting with zero
strComputer(0) = "xmb01"
strComputer(1) = "xmb02"
strComputer(2) = "xmb03"

'==========================================================================

' Wrap a value in double quotes for the CSV, doubling any embedded
' double quote so a display name containing one doesn't break the row.
' Null and date values are coerced to strings by the & "" concatenation.
Function CsvField(value)
	CsvField = """" & Replace(value & "", """", """""") & """"
End Function

Dim objWMIService
Dim colItems

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

Dim fil
Set fil = fso.CreateTextFile("mailboxes.txt")

Dim objItem
Dim line
Dim i

' Write a header row to the CSV
fil.WriteLine """Server"",""Storage Group"",""Mail Store"",""Mailbox GUID"",""Display Name"",""LegacyDN"",""Size"",""Item Count"",""Associated Content Count"",""Deleted Message Size"",""Date Absent"",""Storage Limit Level"""

For i = 0 To TOTAL_SERVERS - 1
	' Connect to the Exchange WMI namespace on this server
	Err.Clear
	Set objWMIService = GetObject("winmgmts:" _
		& "{impersonationLevel=impersonate}!\\" & strComputer(i) & _
		"\ROOT\MicrosoftExchangeV2")

	If Err.Number <> 0 Then
		' Connection failed: report it and move on rather than
		' silently re-using the previous server's objects
		WScript.Echo "Could not connect to " & strComputer(i) & ": " & Err.Description
		Err.Clear
	Else
		Set colItems = objWMIService.ExecQuery _
			("Select * from Exchange_Mailbox")

		' One CSV row per mailbox; field order matches the header row
		For Each objItem in colItems
			line = CsvField(objItem.ServerName)
			line = line & "," & CsvField(objItem.StorageGroupName)
			line = line & "," & CsvField(objItem.StoreName)
			line = line & "," & CsvField(objItem.MailboxGUID)
			line = line & "," & CsvField(objItem.MailboxDisplayName)
			line = line & "," & CsvField(objItem.LegacyDN)
			line = line & "," & CsvField(objItem.Size)
			line = line & "," & CsvField(objItem.TotalItems)
			line = line & "," & CsvField(objItem.AssocContentCount)
			line = line & "," & CsvField(objItem.DeletedMessageSizeExtended)
			line = line & "," & CsvField(objItem.DateDiscoveredAbsentInDS)
			line = line & "," & CsvField(objItem.StorageLimitInfo)

			fil.WriteLine line
			'WScript.Echo line
		Next
	End If
Next

fil.Close
Set fil = Nothing
Set fso = Nothing
Set objWMIService = Nothing
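Once the dump exists, the per-store totals and the "which mailboxes are orphaned" questions that would otherwise go to Excel or SQL Server are a few lines of scripting. The following is an added example, not part of the original script: it parses the CSV the script writes (header row, every field double-quoted, so Python's csv module reads it as-is) and reports size per store, the largest mailboxes, and mailboxes whose AD user is gone (Date Absent populated). The sample rows are constructed, and treating Size as kilobytes is an assumption; the LegacyDN and GUID values are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the layout the VBScript writes (not real data;
# the GUIDs, LegacyDNs and the date are placeholders).
SAMPLE_CSV = (
    '"Server","Storage Group","Mail Store","Mailbox GUID","Display Name","LegacyDN",'
    '"Size","Item Count","Associated Content Count","Deleted Message Size","Date Absent","Storage Limit Level"\n'
    '"xmb01","First Storage Group","Mailbox Store (XMB01)","{11111111-1111-1111-1111-111111111111}",'
    '"Jane Doe","/o=Example/ou=First Administrative Group/cn=Recipients/cn=jdoe","204800","5100","12","1024","","1"\n'
    '"xmb01","First Storage Group","Mailbox Store (XMB01)","{22222222-2222-2222-2222-222222222222}",'
    '"John Roe","/o=Example/ou=First Administrative Group/cn=Recipients/cn=jroe","51200","900","3","0","","1"\n'
    '"xmb02","First Storage Group","Mailbox Store (XMB02)","{33333333-3333-3333-3333-333333333333}",'
    '"Old Account","/o=Example/ou=First Administrative Group/cn=Recipients/cn=old","10240","40","1","0","20060801093000.000000+000","1"\n'
)

NUMERIC_COLUMNS = ("Size", "Item Count", "Associated Content Count", "Deleted Message Size")


def load_mailboxes(csv_text):
    """Parse the dump into a list of dicts keyed by the header names.

    Numeric columns become ints; a blank cell (a Null from WMI) becomes 0.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in NUMERIC_COLUMNS:
            row[col] = int(row[col]) if row[col] else 0
        rows.append(row)
    return rows


def size_by_store(rows):
    """Total mailbox size per (server, store). Size is assumed to be KB."""
    totals = defaultdict(int)
    for row in rows:
        totals[(row["Server"], row["Mail Store"])] += row["Size"]
    return dict(totals)


def largest(rows, n):
    """The n biggest mailboxes, largest first."""
    return sorted(rows, key=lambda r: r["Size"], reverse=True)[:n]


def absent_from_directory(rows):
    """Display names of mailboxes whose AD user no longer exists.

    The script writes DateDiscoveredAbsentInDS into "Date Absent"; a
    non-empty value marks a disconnected mailbox worth reviewing.
    """
    return [r["Display Name"] for r in rows if r["Date Absent"]]


if __name__ == "__main__":
    # For a real dump: load_mailboxes(open("mailboxes.txt").read())
    mailboxes = load_mailboxes(SAMPLE_CSV)
    for (server, store), kb in sorted(size_by_store(mailboxes).items()):
        print(f"{server} / {store}: {kb} KB")
    for box in largest(mailboxes, 2):
        print("large:", box["Display Name"], box["Size"], "KB")
    print("absent from directory:", absent_from_directory(mailboxes))
```

For a real run, replace SAMPLE_CSV with the contents of mailboxes.txt; everything else stays the same, since the column names come from the header row the script writes.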

Posted Monday, September 04 2006 by Brian Desmond | 14 Comments


Broken Links

If you find any broken links here, send me an email or leave a comment. I think I caught them all, but the manner in which the software this site runs on makes URLs is rather complex and I don't really understand the config files, so it's entirely possible I botched something setting all this up.

Posted Sunday, July 16 2006 by Brian Desmond | No Comments


Site Fixed

I had some issues with the server this site is hosted on the last week of May/first week of June. Six weeks later I've finally gotten everything all fixed. I took the downtime as an opportunity to upgrade the software that runs this site and think about some new ideas for blog posts. I've got some other ideas for this site and there will be some changes that I'm going to try.

I also turned comments back on, so I'm going to see how that goes. If it doesn't go well they'll get turned off. This new software seems to have some ability to help control the blog spam issues.


Posted Sunday, July 16 2006 by Brian Desmond | No Comments


Site Move/Upgrade

I decided to get a box, actually a virtual server over at www.bitshop.com. I'm in the process of getting that all squared away and working, and then I'm going to swing this site over, and hopefully in the process upgrade the blog software and get rid of all the spam on here. My method of getting rid of spam includes all the comments, unfortunately. I can't efficiently or reliably pick 100 good rows out of 20000 table rows. I think the new version of this blog software actually includes a comment spam reduction widget, and if not, I'm going to home brew something.

The URLs should all stay the same, but, if they don't, I'll do my best to either put redirect pages or have IIS issue the redirect codes. Site may be down for a few hours to a day while I get this all done. Stay tuned.

Posted Saturday, December 03 2005 by Brian Desmond | No Comments


How to Import/Export Exchange 2003 Sender Filters

Susan Bradley asked me this evening how to go about importing/exporting the list of filtered sender domains in Exchange 2003. This will do a merge rather than a replace on import. There are two steps, export and import.

Export

Open a command prompt, and run this command:

ldifde -m -f senderfilter.ldf -r "(objectCategory=msExchSMTPTurfList)" -d "cn=configuration,dc=yourdomain,dc=local" -l msExchTurfListNames

You'll need to replace dc=yourdomain,dc=local with the DN of your domain NC head. Here's the formula for building that in case you're not sure:

Add dc= to the beginning and then replace every period (".") with ,dc=. So, a couple of examples:

  • sbs1.house.briandesmond.com becomes dc=sbs1,dc=house,dc=briandesmond,dc=com
  • bigtire.local becomes dc=bigtire,dc=local
  • smalltire.bigwheel.com becomes dc=smalltire,dc=bigwheel,dc=com

This will export your blocked domains to a text file called senderfilter.ldf. You can just open it in notepad (notepad senderfilter.ldf from the command prompt) and view it.

Import

To import the file, you need to change dc=yourdomain,dc=local to reference the target domain in the ldf file first. The import command is:

ldifde -i -f senderfilter.ldf

If you're going to be importing this list frequently, there's a command to save you editing the ldf file every time. Open the ldf file and replace the reference to the source domain (dc=yourdomain,dc=local) with dc=x. Then, use this import command instead:

ldifde -i -f senderfilter.ldf -c dc=x dc=targetdomain,dc=local

This will replace the occurrences of dc=x with dc=targetdomain,dc=local.
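The DN-building formula above and the dc=x substitution are both mechanical, so here they are as code. This is an added example, not something from the post: domain_to_dn() applies the "prefix dc= and turn each period into ,dc=" rule, rewrite_placeholder() does on the LDIF text what ldifde -c does on import, and blocked_domains() pulls the msExchTurfListNames values out of the export so you can review the list before importing it. The sample LDIF is constructed; its container DN and domain names are made up.

```python
import re

# Constructed sample of an export after the source domain has been replaced
# with the dc=x placeholder (not a real export; the container DN is made up).
SAMPLE_LDIF = (
    "dn: CN=Message Delivery,CN=Global Settings,CN=Example Org,"
    "CN=Microsoft Exchange,CN=Services,CN=Configuration,dc=x\n"
    "changetype: add\n"
    "msExchTurfListNames: spammer.example\n"
    "msExchTurfListNames: junk.example\n"
    "\n"
)


def domain_to_dn(dns_name):
    """DNS domain name -> DN of the domain naming-context head.

    The post's rule: prefix dc= and turn every period into ,dc=.
    """
    labels = [label for label in dns_name.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + label for label in labels)


def rewrite_placeholder(ldif_text, placeholder, target_dn):
    """Substitute target_dn for placeholder, as `ldifde -c placeholder target_dn` does.

    Matching is case-insensitive (DNs are) and only where the placeholder
    ends a DN, so dc=x never touches an unrelated label such as dc=xyz.
    """
    pattern = re.escape(placeholder) + r"(?=$|[,\s])"
    # A lambda avoids re.sub interpreting backslashes in the replacement DN
    return re.sub(pattern, lambda m: target_dn, ldif_text,
                  flags=re.IGNORECASE | re.MULTILINE)


def blocked_domains(ldif_text):
    """The filtered sender domains in the export, in file order."""
    return [
        line.split(":", 1)[1].strip()
        for line in ldif_text.splitlines()
        if line.lower().startswith("msexchturflistnames:")
    ]


if __name__ == "__main__":
    print(domain_to_dn("sbs1.house.briandesmond.com"))
    print(blocked_domains(SAMPLE_LDIF))
    print(rewrite_placeholder(SAMPLE_LDIF, "dc=x", domain_to_dn("targetdomain.local")))
```

Reviewing blocked_domains() output before running the import is the cheap check here: the import merges rather than replaces, so anything wrong in the file ends up in the target organization's filter list.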

Posted Sunday, October 23 2005 by Brian Desmond | 5 Comments


Weird Exchange System Manager Behavior (and how to restore deleted exchange servers)

Check out http://support.microsoft.com/?kbid=841516. This is totally unintuitive. Sufficiently so that all of the back-ends in my Exchange org were accidentally nuked. This is definitely not something that could have gotten past the usability testing as far as I can tell. Should you happen to be in the predicament of having deleted the server objects from your Exchange organization, you'll need to do an authoritative restore of Active Directory to retrieve the sub trees which were toasted.

This page is a good auth restore reference if you're not familiar with the process - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/5d683eeb-e76c-46e9-92f4-fcb2a10f955f.mspx

Just to summarize what needs to happen first:

Bounce one of the DCs in your Exchange site into DS Restore Mode. Hopefully you know the DSRM password, but, if not, before you restart in DS restore mode, do this:

Open a command prompt and start ntdsutil:

set dsrm password
reset password on server null
quit
quit

Specifying server null indicates to reset the password on the local machine (you could specify any DC in its place)

You'll need the backup person to restore the latest system state backup of the particular DC in question prior to this happening. After this happens, open up a command prompt, and start ntdsutil:

authoritative restore
restore subtree "FullDNOfDeletedServerHere"
quit
quit

Note that if you have 2003 SP1 on your DC (which is quite helpful here), ntdsutil will export a ldif file of back links for your root domain and each domain containing mailboxes on the restored server. Remember where these are stashed because you need to import them shortly. If you don't have 2k3 SP1, the above doc goes through the extra pieces involved. This is also potentially contingent on the functional level of your forest and/or domain.

Bounce the box back into normal mode
Import the ldif files, ldifde -s DCInDomainLdifFileIsFor -i -f myldiffile.ldf

Let things replicate at least within the site before you go diddling with Exchange. I had to bounce Exchange services to get everything squared away on some of them. At this point you want to do a couple of things:

Look in ESM and see if mailboxes are showing disconnected (run the cleanup agent on a couple stores and see if it looks abnormal). I experienced probably a little less than 1% that didn't get reconnected after the ldif files were imported. You'll have to screw around in ADSIEdit with the homeMDB values of the user to square them away.

Test OWA. When the server object in the config cn goes, so does the protocol configs for ds2mb. This means all the exchange specific stuff from IIS is gone. OWA isn't going to work in this case. You'll need to convince ds2mb to do a sync again. This KB outlines that - http://support.microsoft.com/default.aspx?scid=kb;en-us;888033. My experience doing 12 servers was that it isn't always instant and you may need to repeat the process or bounce the services a few times to make things happen. Have patience.

Total time to repair 12 missing servers and associated problems - 5 or 6 hours. I was moving slowly and doing this remotely. If I were moving very rapidly this could have gotten done in 3 - 4 hours.

Another thing to realize is that your SMTP bridgeheads will start bouncing inbound mail for lack of any place to deliver it to (those server containers are linked to various things which are cleared out when you delete them). If you can, shut down the SMTP services on your bridgeheads and let mail queue upstream.

Bottom line - read the messages in ESM very carefully - goofy behaviors like this will cause you a major headache.

Posted Wednesday, October 19 2005 by Brian Desmond | 1 Comment


Back!

My server machine that I ran this site off of from the house lost its motherboard a few weeks ago. I've been so swamped I still haven't fixed it. To make things easier, I've moved the site off to a shared host instead. Hopefully will have some time to put some content up in the near future!

Still resolving some lingering DNS issues, so some links might be broken for a few more hours. I goofed punching in the A records last night.

Posted Monday, May 16 2005 by Brian Desmond | No Comments


Forest Functional mode & Member Servers

I'm writing this up here mostly because I answer this at least once a week on the msnews newsgroups. Hopefully Google will pick it up, and now, I can link to it:

The question goes something like this: “If I upgrade my forest or domain functional level to Windows 2003, can I still have NT4 or Windows 2000 member servers?”

The answer goes like this: “Yes!” Forest & domain functional levels control only the OS of the domain controllers you can have in your domain. If you have a 2000 functional level, you can have 2000 and 2003 DCs. If you have a 2003 functional level, you can have 2003 DCs only.

If you have an Exchange 2000 organization in your AD setup, which many places do, here's the member server caveat. Microsoft added something called linked-value replication (LVR) to Windows 2003 AD. Basically, rather than replicating the entire member attribute on a group every time someone is added/removed, just that single entry is replicated. This saves a ton of bandwidth when you think about a universal group with thousands of members, for example. The Recipient Update Service, which Exchange uses to do things like stamp email addresses on users, depends on linked values, and it doesn't detect changes when LVR is on. LVR is only on when the whole forest is in 2003 functional mode. The Exchange 2000 Active Directory Connector (ADC) has the same issue with regard to replicating group memberships between downlevel and v2k organizations.

There are two ways to work around this:

Run a rebuild on your RUS - this can take a long time and has the potential to overwrite custom email address changes
Install an Exchange 2003 server in your Exchange org and transfer the RUS to it. This is the optimal solution here if you want to go to 2003 forest mode before going to Exchange 2003.

The KB article on the Exchange issue is at http://support.microsoft.com/?kbid=831809
The KB article with all the details on functional modes - http://support.microsoft.com/kb/322692


Posted Monday, October 18 2004 by Brian Desmond | No Comments


Mailbox Enabling a User in .Net

A while back, I promised I'd continue talking about CDO, .Net, Exchange, AD, and good stuff like that. Albeit belatedly, I thought I'd post how to mailbox enable a user in VB.Net.

I'm going to assume that the user is already in the directory, as we already covered creating objects a while back. In order to do this, you're going to need the Exchange Management Tools installed on your dev box, as a COM object does the work here.

In your VS project, you'll need to add a reference to the “Microsoft CDO for Exchange Management Library” (aka CDOEXM). You're also going to need the full distinguished name of the exchange mailbox store you're planning to create the mailbox in. This can be a hassle to get right if you've never tried to type out the path by hand. The easiest way to find the path, copy & paste ready is to use the handy ldp utility included with any server OS (see my previous blog entry on using this utility). The data is in the Configuration/Services/Microsoft Exchange/Your Org/Administrative Groups/Your Admin Group/Servers/Your Server/Information Store/Information Store Name/MailboxStoreName tree.

There's actually only a couple of lines of code involved in doing the actual mailbox creation. The code is below, followed by a brief explanation:

>>>>>
Option Strict Off
Imports System.DirectoryServices
Imports CDOEXM

Dim user As New DirectoryEntry("LDAP://cn=john doe,cn=users,dc=mydomain,dc=local")
Dim mbx As IMailboxStore = user.NativeObject

mbx.CreateMailbox("CN=My Mailbox Store (MyServer),CN=Information Store,CN=InformationStore,CN=MyServer,CN=Servers,CN=MyAdminGroup,CN=Administrative Groups,CN=MyOrganization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local")
user.CommitChanges()
<<<<<<<

So, what we've done here is quite simple: first, we bound to the user in the directory, and then we created an IMailboxStore object representing the user. We then called IMailboxStore.CreateMailbox, passing the distinguished name of the mailbox store to it. We saved the changes to the user object, and, voila, mailbox created! The IMailboxStore object has a bunch of other properties, items such as quotas and other odds and ends. They're pretty self-explanatory if explored through IntelliSense, and there are full docs in MSDN.

Posted Saturday, April 10 2004 by Brian Desmond | 9 Comments


Using LDP to find the Distinguished Name of an object

Sometimes remembering or deriving the full distinguished name of an object in the directory can be painful to do by hand. Luckily, Microsoft provides a nice little browser utility with the server OSes and the 2003 admin pack. Beware that you can do A LOT of damage with the utility, so my recommendation is to use standard user credentials when binding - you could delete a nice chunk of the directory tree without much effort!

So, open up the utility (start>run>ldp), and then go to File>connect, and put in the FQDN of the domain you want to bind to (e.g. mycompany.local). Next, go to File>bind, and put in some domain credentials - standard user ones are more than enough and highly recommended! The third step is going to View>tree, and then just press OK. If you're in a large domain, you might want to specify the DN of a root to cut down on DC load.

Now you can browse to the object you need the DN of. Find it, and double click. On the right, if you scroll up a bit, you'll find all the object's attributes, including its DN. Highlight it, press Ctrl + C, and paste it in wherever useful.

Posted Saturday, April 10 2004 by Brian Desmond | No Comments


Self Improvement with Outlook

Well, I'm trying some of that crazy self-help medicine with all this David Allen hype. I use the red flags in Outlook 2003 because they're easy to tag messages with. I'm not the sort that likes a clean Inbox - having all my email where I can find it is important to me - I sort some of it with rules, but I know everything else will be where its journey ended after bouncing through SMTP - my inbox (as an example of this, I have 5249 items in my root inbox at school, and another three or four thousand carefully sorted by server rules).

Instead of scrubbing my inbox, I've decided to be industrious, and pick three flag colors to define the status of an email if it has one:

Red - Action Items - aka get off your ass and do something about this
Yellow - Pending Items - aka I sent a reply and the other end needs to get off their ass and send me a reply
Green - Useful Items - aka interesting pieces of information for me to catalog into the proper places at some later date & time (e.g. passwords, cool links, etc)

I've set up three search folders in Outlook, with names which describe their contents (action items, pending items, and useful items). They retrieve the properly flagged emails for my viewing pleasure. I also have search folders setup for unread items in my root inbox, and other folders with important stuff (e.g. not general discussion DLs). I guess if I use this search folder, it's sort of like the clean Inbox. It does keep me from seeing something else a few messages down and getting distracted.

The problem with this plan is that I actually have to implement it. So, I've printed a nice strip of paper with three colored rectangles in a row - they each have one word in them, Action, Pending, or Useful, and remind me what to do when reading my email. If this works, I'll hopefully get into the habit of it quickly, and, not have this weird strip of paper to explain to office visitors.

What would be really nice is if there was a simple way to flag messages a certain color - e.g. click the flag for red, alt click for green and ctrl click for yellow.

I also need to see if I can repro the Outlook SNAFU tonight - I broke one of the buttons & it crashed out & kept doing it for a while. Eventually Clippy decided to open up again and let me back into my mailbox. I hope I didn't corrupt something in the IS with this experiment in productivity (I wonder if I can get Outlook to start with my Action Items search folder open - then I'd see my to-do list before anything else).

I guess I'll see in a week or two if this works.

Posted Tuesday, March 09 2004 by Brian Desmond | 2 Comments


PPC RSS Reader

I have a Dell Axim which I use for my tasks, contacts, calendar, and as an MP3 player. I've read a bit about various RSS aggregators for the PPC on this feed and a few others.

What I need/want, though, is for the items I read on my PPC to be marked read in Outlook when I've read them on my PocketPC. I currently use Intravnews at home. I thought ActiveSync would let you sync an arbitrary folder in your PST, but, it appears to be solely the inbox, and I don't want to read email on the train in the morning.

Is there a solution available to do what I want, or am I out of luck for now?

Posted Monday, March 01 2004 by Brian Desmond | No Comments


OWA Version Compatibility

I found out this afternoon that OWA 2003 will not work with an Exchange 2000 BackEnd configuration. “Darn!” is all I can say. I was counting on it to work, and I'm not sure why I didn't recall that OWA2000 didn't/doesn't work with exch55 back ends. I have a new front end box on order already, I guess it's going to get Exch2000 loaded on it for the interim. The backends will have to get upgraded to Exchange 2003 this summer, not originally in my plan hardware-wise, so stuff's going to have to get repurposed in June.

On other fronts, stay tuned for an update on the .Net/CDO stuff I started. That project got put on the backburner, but I'm hoping it will be migrating back to active status in the next couple weeks. I've also got several file servers coming in from Dell in two weeks, so, I've been working on our DFS (distributed file system) namespace design too. I really regret not having implemented it with our single server configuration when I moved everything to AD over the summer. Live and learn.

Posted Saturday, February 14 2004 by Brian Desmond | No Comments


Creating a Contact in AD

Well, this new Agg Views thing indicates that my babbling about Active Directory stuff is mildly interesting, so, I'm continuing the series here. This morning's task is creating a contact in AD. Before we get going, let me give a brief overview of my take on what Contacts are for. Feel free to reference the Platform SDK for whatever the official word is.

Without an Exchange Server, I think contacts are pretty darn useless, unless you intend to keep the corporate rolodex in AD, which, I guess is feasible. A contact is like a user, except it doesn't have an account in your domain. Contacts have all the attributes a contact in your rolodex would have - name, address, email, phone, etc. But, unlike a user, they cannot log on to the domain. When an Exchange Server comes into play, contacts become a lot more useful. You can do a couple of things with them - create a forwarding address for a user object, or simply create a forwarding address. They also are ten times as useful as a “contact” in the corporate rolodex, as they can be displayed in the GAL along with other users.

So, here's what we're going to do: create a contact object in AD. You can follow this example pretty easily and modify it to create a user or a group if you want. Tomorrow (or next time), we'll dive into CDOEXM and mail enable the contact, and setup a user with forwarding. Not sure what's next - perhaps create a user & a mailbox to go along with it.

First thing we're going to do is setup a directoryEntry for the OU we're creating the contact in. We'll create our contact in an OU called Contacts in the root of our domain MyDomain.local:

Dim root As New DirectoryEntry("LDAP://OU=Contacts,DC=MyDomain,DC=local")

The key to creating something in AD is to create another DirectoryEntry off of the Add method of our root's Children property:

Dim myContact as DirectoryEntry = root.Children.Add("CN=Jane Doe", "contact")

What we've done here is created a new container of class contact inside the Contacts OU. I always name my contacts and user CNs the same as their display name in the GAL. So, Jane Doe's contact object is in container (CN) Jane Doe.

Now we can set some properties. I'm just going to set the first name (givenName) and last name (sn, the surname) attributes like we did last night. For demo, I'll also set Jane's home phone to 773-555-1212 (that's Chicago directory assistance if you want to call)

myContact.Properties("givenName").Value = "Jane"
myContact.Properties("sn").Value = "Doe"
myContact.Properties("homePhone").Value = "773-555-1212"
myContact.CommitChanges()

This is the same as last night - nothing to go over, just remember to call CommitChanges(), or nothing will get pushed to the directory.

So, in conclusion, we've used the code below to create a contact for Jane Doe in the Contacts organizational unit (OU), whose home phone is 773-555-1212. 

Imports System.DirectoryServices

' Bind to the OU, add a child of class contact, set attributes, then commit
Dim root As New DirectoryEntry("LDAP://OU=Contacts,DC=MyDomain,DC=local")
Dim myContact As DirectoryEntry = root.Children.Add("CN=Jane Doe", "contact")
myContact.Properties("givenName").Value = "Jane"
myContact.Properties("sn").Value = "Doe"
myContact.Properties("homePhone").Value = "773-555-1212"
myContact.CommitChanges()

Posted Monday, December 29 2003 by Brian Desmond | No Comments


CDOEXM & System.DirectoryServices

Well, I haven't posted here recently because I've been a busy sysadmin & haven't had time to touch my copy of Visual Studio.Net. A new project, writing an Intranet for Payton's teachers and students has cropped up, and, I've been doing some new stuff.

Namely, I've gotten to learn the joys of programming an Exchange Server with .Net. It's not what I'd call joyous with good old VB6, and it isn't any better with .Net (though System.DirectoryServices is a bit easier).

I figure somebody else might find some of the stuff I've been up to a bit interesting/useful, so, I'm going to be posting code and explanations over the next week or so. I can't say precisely what I'm doing as this is getting syndicated on BrianDesmond.com, and, kids from Payton read there, and, whatever it is I'm working on is slated to be a surprise.

I write all my code for Payton in VB.Net, so, that's what the samples are going to be in. I thought I'd start off with a simple one ... how to find a user with DirectorySearcher.

There are two things that we need in order to successfully and efficiently search for our user. Number one is a search root. I keep all my user accounts under one OU in the domain, Accounts, so, that's my search root. If your accounts are under multiple OUs, you could set your search root to the domain. Let's assume they're all in/under one OU for this.

Dim searchRoot As New DirectoryEntry("LDAP://OU=Accounts,DC=MyDomain,DC=local")
Dim searcher As New DirectorySearcher(searchRoot)

When you define an LDAP path, the thing to remember is to go from the bottom to the top (I consider the deepest OU to be the bottom, and the topmost piece to be the end of my domain name). When you define a domain, you have to do a DC= for each subdomain. If I had an AD on BrianDesmond.com, I'd do DC=BrianDesmond,DC=com. This is quite a bit, so, I keep this, and a lot of other LDAP strings in the snippets section of my VS toolbox (if you weren't aware, you can drag text onto the toolbox and it will be saved as a code snippet). A side note about LDAP paths: if you need to use a comma in the name of an element (e.g. if you wanted to access container Smith, Jane), you have to escape the comma with a \, so it'd be CN=Smith\, Jane.

Moving along, part two of using a directorysearcher object is defining an LDAP filter. LDAP Filters are actually pretty easy to write, though they take a bit of getting used to, and you have to know the names of attributes in AD (you can look up the whole AD schema in the Platform SDK). A quick explanation of how to write a filter:

The and operator is &, the or operator is |, and the not operator is !. If you want to AND a bunch of stuff together, you do (&(criteria1)(criteria2)(criteriaN)). Likewise, to or a bunch of stuff together, you do (|(criteria1)(criteria2)(criteria3)). You can also use wildcards like *. So, let's write our filter to find a specific username:

searcher.Filter = "(&(objectCategory=person)(sAMAccountName=brian))"

This filter tells the DirectorySearcher to look for objects of category Person with attribute sAMAccountName=Brian (sAMAccountName is your preWin2000 logon, aka your username). The objectCategory part isn't actually necessary, but, it speeds the search up greatly, as the DirectorySearcher doesn't even touch computers or anything else other than Person objects.
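Both the comma-in-a-CN rule from the LDAP path note above and the filter syntax here are escaping rules, and they matter most when the value comes from somewhere other than your own source code: a username typed into a web form and dropped straight into "(sAMAccountName=...)" can add its own filter terms. This is an added example, not code from the post, showing the two rules side by side: escape_rdn_value() applies the DN rule (RFC 4514) so "Smith, Jane" becomes "Smith\, Jane", and escape_filter_value() applies the filter rule (RFC 4515) so a value like "*)(objectClass=*" is searched for literally instead of rewriting the query. build_user_filter() and ldap_path() are hypothetical helper names; the sample values are constructed.

```python
def escape_rdn_value(value):
    """Escape a value for use inside an RDN (RFC 4514).

    Backslash first, then the other special characters; a leading '#' or
    space and a trailing space also need a backslash.
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    ( ) * \\ and NUL are filter syntax, so each becomes \\XX (hex).
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "()*\\\x00" else ch for ch in value
    )


def build_user_filter(username):
    """The post's filter with the username escaped, so a caller-supplied
    value cannot widen or rewrite the query."""
    return "(&(objectCategory=person)(sAMAccountName=%s))" % escape_filter_value(username)


def ldap_path(leaf_cn, container_dn, server=""):
    """Build an ADsPath of the form LDAP://[server/]CN=<escaped leaf>,<container>."""
    prefix = "LDAP://" + (server + "/" if server else "")
    return prefix + "CN=" + escape_rdn_value(leaf_cn) + "," + container_dn


if __name__ == "__main__":
    print(ldap_path("Smith, Jane", "OU=Contacts,DC=MyDomain,DC=local"))
    print(build_user_filter("brian"))
    print(build_user_filter("*)(objectClass=*"))
```

The same rules apply when the filter is assigned to DirectorySearcher.Filter in VB.Net: build the string from escaped pieces rather than concatenating raw input, and keep objectCategory=person in the filter so a malformed value still cannot reach anything but person objects.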

So, we've got the two major pieces done here. Just have to run the search, and do something with the result. I'm going to write the rest of the code below and explain from there:

Imports System.DirectoryServices

Dim searchRoot As New DirectoryEntry("LDAP://OU=Accounts,DC=MyDomain,DC=local")
Dim searcher As New DirectorySearcher(searchRoot)
searcher.Filter = "(&(objectCategory=person)(sAMAccountName=brian))"

' FindOne returns Nothing when no object matches, so check before using it
Dim found As SearchResult = searcher.FindOne()
If found Is Nothing Then Throw New ApplicationException("user not found")
Dim result As DirectoryEntry = found.GetDirectoryEntry()

So, we've now retrieved the result and stored it in a DirectoryEntry object called result. If we were looking for or could possibly get more than one result, we'd use the FindAll function of DirectorySearcher, and then loop through it (the FindAll function returns a collection of type SearchResultCollection, which contains SearchResult objects). This particular query guarantees only one result as the sAMAccountName attribute must be unique in the domain. The GetDirectoryEntry method of the SearchResult type returns the underlying DirectoryEntry representing the result.

Now that we have a result, we can access the user's properties. Let's look up the user's first and last name:

Dim firstName As String = CType(result.Properties("givenName").Value, String)
Dim lastName As String = CType(result.Properties("sn").Value, String)

The first name of a user is stored in the givenName attribute, and the last name, or surname, of a user is stored in the sn attribute. These are actually LDAP specs; AD follows them. The .Value property of a DirectoryEntry property is of type Object, as there are quite a few different datatypes in AD, so you're going to need to know what you're accessing, unless you use late binding.

That's just a simple System.DirectoryServices example. I'm sure there is someone out there that can benefit from it. Tomorrow (or next time), I'll post an example of how to create a contact object in AD. This is actually all leading up to something ... after the contact object has been created, we can setup email forwarding for a user's Exchange mailbox. I'm leading towards this, and after that, I'm not sure what is next - probably more CDO/AD, depends what I decide to write the code for next.

Posted Saturday, December 27 2003 by Brian Desmond | 1 Comment


Exchange Server Std & Mailbox Stores

I just learnt the hard way that one of the limitations of Exchange 2000 & 2003 Standard is the number of mailbox stores one can have on the server: 1. Part of my plan for setting up student email includes a separate mailbox store for students so that I can link a system policy limiting their mailbox size. Time to go get Exchange Enterprise.

The consensus on Google is that I can pop in an Exchange 2000 Enterprise CD, install over the top of Exch 2000 Standard, reapply the service pack, and be in business again, running Enterprise Edition. Looking forward to testing this on my test setup.

Posted Saturday, October 25 2003 by Brian Desmond | No Comments