July 2008 - Posts

As you probably know, Microsoft is working on running up its marketing machine to talk about how good Vista really is. (And yes, I was an early convert - I am one of those folks that really like Vista - it took some major thought-pattern changes, but it is really much easier to use.)

As part of this, Microsoft has decided to offer free - yes free - installation and compatibility support for all users of Windows Vista SP1 through March 18, 2009. (Why that date? I have no idea.)

Worldwide telephone support is available, and in the USA and Canada you can also get email and online chat-based support.

For more information, or to take advantage of this offer, visit this website: http://support.microsoft.com/common/international.aspx?rdpath=1&prid=11274&gprid=500921

(Yes, I know this sounds like a marketing post - and it really isn't - I'm just encouraging you to use Vista, if you aren't already!)

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | with no comments

Learn something new every day...

I was working with a new client today, on an SBS 2003 computer, and they use external e-mail.

However, the original technician that had done the installation of their server had gone through the process of installing Exchange Server, and then disabled all of the services that start with "Microsoft Exchange..." in the Services applet - but they hadn't disabled the SMTP service. As you may know, when you install Exchange Server 2003, it overwrites the Windows SMTP service with its own version of the service that "speaks Exchange".

Whenever I go into a client, I always like to be able to use a local SMTP server to send daily status reports to me, for monitoring, and just general e-mailing. Usually, in an SBS environment, I'll use the Exchange SMTP service and if Exchange isn't installed, I'll simply install the Windows SMTP service. This allows me to get around all of the usual problems associated with secure relays, etc. etc.

So, in this case, I was sure that the SMTP service wouldn't work.

I was wrong. The SMTP service works just fine for relaying. You can't manage the SMTP service from the normal IIS Manager, you still have to go to the Exchange System Manager to make changes. But it works just fine.

Like I said, learn something new every day...

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 2 comment(s)

Jeffrey Snover of Microsoft, PowerShell dude extraordinaire, recently reminded us of a way to Speed Up PowerShell Startup times, based on an article of over a year ago titled Update-Gac.ps1. And yes, this does help to speed up the Exchange Management Shell and the OpsMgr Command Shell too.

Taking that just a bit further, the assemblies you want to put into the GAC are slightly different when you are running AMD64 (AMD) or EM64T (Intel). Here is the script updated to deal with x64 and to suppress the ngen logo:

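# Alias "ngen" to the newest ngen.exe under the .NET Framework directory that
# matches the processor's address width (Framework64 on x64).
Set-Alias ngen @(
$ngen_path = Join-Path ${env:\windir} "Microsoft.NET\Framework"
# Win32_Processor returns one object per processor; read the first one
$ptr_width = @(gwmi -query "select addresswidth from win32_processor")[0].addresswidth
if ($ptr_width -eq 64) { $ngen_path += "64"; }
dir $ngen_path ngen.exe -recurse | where {$_.length -gt 0} | sort -descending lastwritetime
)[0].fullName

# Run ngen against every assembly loaded into the current PowerShell session
[appdomain]::currentdomain.getassemblies() | %{ngen /nologo $_.location}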

You should execute this script once on each computer where you have PowerShell installed (or each time you install new PowerShell related binaries, too!).

You will not need to do this in PowerShell v2, but that is still not here yet. 

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 2 comment(s)

The question was recently posed on a mailing list asking whether there was any book that covered the Exchange 2003 security model in depth.

The question came up for the poster because of a recent video that is making the rounds on YouTube and elsewhere (http://www.thewebsiteisdown.com). In that video, an errant system administrator deletes a message from his boss's Sent Items folder, so that the boss cannot verify that the administrator was told something specific.

Can that happen??? Well - yes. And it isn't unique to Exchange Server. And yes, that administrator should be fired.

A savvy Exchange administrator, who also has appropriate permissions in Active Directory, can assign herself permissions at any level of an Exchange organization - per mailbox, per mailbox store, per storage group, per server, or for the entire Exchange organization.

While the backend permission sets have expanded dramatically in Exchange Server 2007, the store and user permissions are still quite similar to Exchange Server 2003. There are three whitepapers at Microsoft that can help you learn about the various permissions and how they work within themselves and within Active Directory:

Exchange Server 2003 Technical Reference Guide

Working with Active Directory Permissions in Microsoft Exchange Server 2003

Working with Store Permissions in Microsoft Exchange 2000 and 2003

Another resource is Alain Lissoir's web site. Alain wrote a couple of great white papers on scripting in Exchange 2000 and 2003 and they contain some excellent security related resources.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 2 comment(s)

I'm in the process of tech-reviewing an important book (you'll want it on your shelf once it is released), and one of the things I did today was spend a while figuring out how to do Attribute Scoped Queries in PowerShell. If you develop in C# or C++, or use adfind to do your searches, those tools have supported ASQs for a long time.

I use PowerShell quite a bit for Exchange Server 2007+ maintenance tasks, but I am no expert when it comes to all of the various .NET Framework classes and methods available. In the past, when you've needed to search for all the members of a particular group (using the 'member' attribute) or all of the members of a particular address list (using the 'showInAddressBook' attribute), those particular searches could be very slow and quite inefficient.

With the Windows Server 2003 Domain Functional Level, the ASQ capability becomes available. Using a DirectorySearcher object, you can specify a particular group or a particular address book (or anything else that leads to a multi-valued attribute) and execute an efficient search against the sources to find their components. In this example, you can easily find the members of the 'Domain Admins' group in your domain (note, this is an easy one - there are others that are likely more significant for you).

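# Bind to the group whose multi-valued 'member' attribute will be expanded
$group  = New-Object System.DirectoryServices.DirectoryEntry( `
    "LDAP://CN=Domain Admins,CN=Users,DC=essential,DC=local")
$source = New-Object System.DirectoryServices.DirectorySearcher

# An ASQ must be a Base-scope search rooted at the source object
$source.SearchRoot  = $group
$source.SearchScope = [System.DirectoryServices.SearchScope]::Base
$source.Filter      = "(objectClass=*)"

# Attributes to return ([void] discards the index that Add() returns)
[void]$source.PropertiesToLoad.Add("member")
[void]$source.PropertiesToLoad.Add("sAMAccountName")

# Search the objects named in 'member' rather than the group itself
$source.AttributeScopeQuery = "member"

$results = $source.FindAll()

$results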

One caveat: when searching for members of a group, ASQ does not work for the primaryGroup! So if you do a search for "Domain Users", it is likely that you will receive no responses in your result. This is NOT an error.
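To cover the primary-group caveat when auditing group membership, the ASQ can be paired with a second search on primaryGroupID. This is an added example, not code from the original post; the function names New-MemberRow and Get-GroupMembersWithPrimary are hypothetical, and the DNs reuse the post's sample essential.local domain.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function New-MemberRow($result, $via) {
    # One row per directory object; sAMAccountName may be empty (e.g. contacts)
    $row = "" | Select-Object Path, SamAccountName, Via
    $row.Path           = $result.Path
    $row.SamAccountName = "$($result.Properties['samaccountname'])"
    $row.Via            = $via
    $row
}

function Get-GroupMembersWithPrimary([string]$GroupDN, [string]$DomainDN) {
    $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GroupDN")

    # 1) Objects listed in the group's 'member' attribute, fetched with one ASQ
    $asq = New-Object System.DirectoryServices.DirectorySearcher
    $asq.SearchRoot          = $group
    $asq.SearchScope         = [System.DirectoryServices.SearchScope]::Base
    $asq.Filter              = "(objectClass=*)"
    $asq.AttributeScopeQuery = "member"
    [void]$asq.PropertiesToLoad.Add("sAMAccountName")
    $asq.FindAll() | ForEach-Object { New-MemberRow $_ "member" }

    # 2) Accounts that belong only through primaryGroupID are not in 'member'.
    #    The RID to match is the last component of the group's objectSid.
    $base = New-Object System.DirectoryServices.DirectorySearcher
    $base.SearchRoot  = $group
    $base.SearchScope = [System.DirectoryServices.SearchScope]::Base
    [void]$base.PropertiesToLoad.Add("objectSid")
    $sidBytes = [byte[]]$base.FindOne().Properties["objectsid"][0]
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $rid      = $sid.Value.Split("-")[-1]

    $pg = New-Object System.DirectoryServices.DirectorySearcher
    $pg.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDN")
    $pg.Filter     = "(primaryGroupID=$rid)"
    $pg.PageSize   = 500   # page the results so large groups are not truncated
    [void]$pg.PropertiesToLoad.Add("sAMAccountName")
    $pg.FindAll() | ForEach-Object { New-MemberRow $_ "primaryGroupID" }
}

# The DNs below reuse the post's sample domain
Get-GroupMembersWithPrimary "CN=Domain Users,CN=Users,DC=essential,DC=local" "DC=essential,DC=local"
```

The Via column shows whether each account was found through the 'member' attribute or through its primary group, which makes accounts whose primary group was changed to a privileged group stand out in a review.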

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 2 comment(s)

I've brought up a number of new clients on Exchange 2007 recently, and a common issue is this event log warning:

Event Type:      Warning
Event Source:    MSExchangeIS Mailbox Store
Event Category:  General 
Event ID:        1025
Date:            7/18/2008
Time:            10:26:40 AM
User:            N/A
Computer:        EXCHANGE
Description:
An error occurred on database "StorageGroup\Database".
 Function name or description of problem: Restrict/SetSearchCriteria
Error: 1162 Warning: fail to apply search optimization to folder (FID 4-3DBEABE)   Retrying without optimization. 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

If you spend time on Internet search engines, you'll find lots of bad advice about running an Isinteg to eliminate these, or running an offline defragmentation to get rid of these. At best, those are temporary solutions. I finally had seen so many of these, I asked Microsoft about them. Here is the answer from the horse's mouth:

You have an application that is trying to perform a search using restrictions against a user's search folders and this could be a time based query, etc. We will do two types of searches (1 fast optimized search if the indexes are there, 1 slow find) which takes a long time and will chew up processor time for store if your user has a ton of items in their folders (more than 5,000 items per folder). This is just telling you that we are performing an un-optimized search against that table in the store. They cannot be suppressed.

In other words, ignore them. You may have users that have far too many items in their primary folders (Calendar, Tasks, Inbox, Sent Items, Deleted Items) and you can get rid of these messages if you get them to clean those up. But it may not be worth your time and energy.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 1 comment(s)

In 2004, I wrote an article Why Can't I Have Outlook and Exchange on the same Computer? It applied to versions of Exchange prior to Exchange Server 2007. When written, E12 (Exchange 2007) was still quite early in development at MSFT...

Today, times and situations have changed.

With Exchange Server 2007, in fact, the export-mailbox command is only supported on 32-bit machines. This means that you must run export-mailbox on a 32-bit Vista or XP computer where the Exchange Management Tools have been installed, along with Outlook! Amazing.

And, in fact, there are times where Outlook (or the CDO/MAPI binaries) will be required to be executed on an Exchange server to get certain tools to work, including OABinteg and MFCmapi.

Prior to Exchange Server 2007, installing Outlook on an Exchange Server would replace certain DLLs that Exchange required with stub libraries that Outlook used instead. This could break Exchange severely.

Those problem DLLs are gone in Exchange Server 2007. This gives us clear sailing for Outlook and Exchange on the same computer - both servers and workstations.

Thanks to Dave Goldman and Ben Winzenz, both of Microsoft, for answering my questions on this topic.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 4 comment(s)