http://msexchangeteam.com/archive/2008/09/11/449787.aspx

Now the real RU4 has been released today but will only be listed on the Windows Download site and not on the Microsoft Update servers.

Update Rollup 4 for Exchange Server 2007 Service Pack 1 (KB952580)

http://www.microsoft.com/downloads/details.aspx?FamilyID=8b492ed2-ea92-412f-a852-3aa1c58d9499&DisplayLang=en

The below links outlines all the changes in the rollup

http://support.microsoft.com/?kbid=952580

You can see the message tracking is ENABLED by defaultThe only 2 options we have from the EMC is :
1. Enable message tracking
2. specify the log path

If we look at the properties of the mailbox server we cannot manipulate any of the setting from

EMS
We can use the get-transportserver and get-mailboxserver cmdlets to show message tracking information.

get-mailboxserver


get-transportserver

We can see from the output from our cmdlets that we have much more information in EMS then in EMC.

This is a default configuration:
MessageTrackingLogSubjectLoggingEnabled : True

MessageTrackingLogEnabled : True
MessageTrackingLogMaxAge : 30.00:00:00
MessageTrackingLogMaxDirectorySize : 250MB
MessageTrackingLogMaxFileSize : 10MB
MessageTrackingLogPath : C:\Program Files\Microsoft\Exchange S erver\TransportRoles\Logs\MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True

I cannot provide an answer as to what the settings above should be as these should be part of your company policy how long the logs must be retained.

At a minimum I recommend the log path be moved from the OS partition however if you limited a limited number of drives and your OS is a Raid 1 mirror the logs can perfrom find on the OS disk.

We can manipulate our settings with the Set-TransporServer and Set-Mailboxserver cmdlets

I am going to use the Get-TransportServer cmdlet and pipe it to the Set-transportserver cmdlets to set the Log path, Max Age and directory size

Get-TransportServer | Set-TransportServer -MessageTrackingLogMaxAge 60 -MessageTrackingLogMaxDirectorySize 500mb -MessageTrackingLogPath d:\MessageTrac kingLogs

We can use the Get-Transportserver to view our changes

Lets take a look at our log, we can see the location has been moved to our specified location

Lets look at the log in its native format

Searching Message Tracking Logs

Permissions:

Exchange 2007 RTM, the account you use must be delegated the following:

• Exchange Server Administrator role and local Administrators group for the target server

Exchange 2007 SP1, the account you use must be delegated the following:

• Exchange View-Only Administrator role

Edge Transport server role you must log on by using an account that is a member of the local Administrators group on that computer.

EMC

Lets take a look at some message tracking option in EMC

Click “toolbox” -> Under Mail flot tools –> Select Message tracking

when the this is first selected the tool will connect to Microsoft and see if there are any new updates.

next we are presented with the welcome screen

On the Message Tracking Parameters we have the ability to select from the following filters
Recipients, Sender, Server, Event ID (Receive, Send, Fail, DSN, Deliver, BadMail, Resolve, Expand), Message ID, Internal Message ID, Subject m reference, Start, and End

Once we have made our selections the window as the bottom shows up the EMS commands that will be run to retrive the logs

I sent a message from brian.tirch@vm.local to generate some log data, for my filters I selected Sender,Start, and End

We can see the 2 entries are returned 1. Receive and 1 for Deliver

We can see in the data returned that there are a number of fields listed that are not search able from EMC like client IP and Server IP

From this log we can see that the message was received from vmmbx1 to vmcashub and then delivered from vmcashub to vmmbx1

**Notice the only logs we have data are from the server which we ran the message tracking tool from**

http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx

Event name	Description
BADMAIL	A message was submitted by the Pickup directory or the Replay directory that cannot be delivered or returned.
DELIVER	A message was delivered to a mailbox.
DEFER	Message delivery was delayed.
DSN	A delivery status notification (DSN) was generated.
EXPAND	A distribution group was expanded.
FAIL	Message delivery failed.
POISONMESSAGE	A message is put in the poison message queue or removed from the poison message queue.
RECEIVE	A message was received and committed to the database.
REDIRECT	A message was redirected to an alternative recipient after an Active Directory directory service lookup.
RESOLVE	A message’s recipients were resolved to a different e-mail address after an Active Directory lookup.
SEND	A message was sent by Simple Mail Transfer Protocol (SMTP) to a different server.
SUBMIT	A message was submitted by an Exchange 2007 computer that has the Mailbox server role installed to an Exchange 2007 computer that has the Hub Transport server role or Edge Transport server role installed. The message tracking logs that are generated by the Mailbox server role contain only SUBMIT events.
TRANSFER	Recipients were moved to a forked message because of content conversion, message recipient limits, or agents.

EMS:
Lets use EMS to search the message tracking logs and please reference the “How to Search Message Tracking Log” article below to see the differences between the available fields.

If we run the Get-Help command we can see the available switches.

C:\>get-help Get-MessageTrackingLog

Name
Get-MessageTrackingLog

SYNOPSIS
Use the Get-MessageTrackingLog cmdlet to search message information that i
stored in the message tracking log.

SyNTAX
Get-MessageTrackingLog [-DomainController ] [-End ] [-Even
Id ] [-InternalMessageId ] [-MessageId ] [-Message
ubject ] [-Recipients ] [-Reference ] [-ResultSi
e ] [-Sender ] [-Server ] [-Start ] []

let perform the same search as above and see if we get any different data:
Get-Messagetrackinglog -Sender “brian.tirch@vm.local” -Start “5/10/2008 7:42:00PM” -End “5/12/2008 7:52:00 PM”

you can see the first return is truncated

so we can pipe to the FL command to get more details

After viewing this the data both results are the same…..

Now we can add some parameters to our command so that we can pull logs from all servers.
Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog

by piping the Get-ExchangeServer cmdlet to the Where command we can pull logs from all hubs servers and mailbox server to limit our filter to pull from selected servers.

Lets run the same command for Get-Messagetrackinglog but add the leading Where statement.

We can see now that we have an additional entry for Submit

the Submit entry shows the log from our mailbox server submitting a message to a hub server for delivery.

We can see that the message tracking logs can be vary useful in determining any issues or validating messages delivery.

References:

How to Search Message Tracking Logs
http://technet.microsoft.com/en-us/library/bb124926.aspx

Managing Message Tracking

http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx

How to configure Message Tracking

http://technet.microsoft.com/en-us/library/aa997984(EXCHG.80).aspx

When utlizing Outlook 2007 the autodiscover service is heavily tied into Outlook anywhere functionality, I am going to reference a previous posting that explains those functions in detail.
http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html

With Exchange 2007 in order to allow clients remote access to the mail system you will need to install an Exchange 2007 CAS server which will allow clients to access thier mail via Imap,Pop,OWA,Active Sync, and Rpc/https (outlook anywhere).

For this article I am going to skip the installation of each server role and just work with the configuration. The lab consists of 1 DC, 1 CAS/Hub and 1 MBX server running Windows 2003 and Exchange 2007 SP1.

Rpc/http was first introduced with Exchange 2003 and has been renamed with Exchange 2007 to Outlook Anywhere. In order to use this functionality with Exchange we must install the RPC over HTTP Proxy networking component on a server (recommened on your Exchange server).

What does this network componet do for us?
RpcProxy.dll is an Internet Server API (ISAPI) that runs in Internet Information Services (IIS). RpcProxy.dll listens for activity on the RPC virtual directory

The rpcproxy.dll requires authentication and will not pass anonymous request even if IIS is configured for anonymous authentication.

When an Outlook clients typicaly communicates with an Exchange server the client attempts to connect via Mapi Rpc, with Rpc/http Outlook makes a http connection to the rpc proxy server which strips the http and send the rpc request to tha appropriate Exchange server.

Installing Rpc/http networking componet:
1. From the Add/Remove programs select Windows components
2. Select Networking Services then details

3. Select Rpc over http proxy -> OK

4. Click Next to start the installation
5. Click Finish to complete the installation

How do we verify the installation?
1. Validate you have 2 virtual directories installed called RPC and RPC with Cert
The 2 new virtual directories points to C:\WINDOWS\System32\RpcProxy which is the location of the rpcproxy.dll

2. Verify the RPC Proxy server extension is allowed in IIS (this will be enabled after you install the component)

Later we will look at a tool called rpc dump that can be used to troubleshoot connectivity problems.

After we have installed our CAS server we need to enable Outlook Anywhere which can be done in 1 of two ways, 1. EMS (command line) or 2. EMC (gui)

1. EMS
To work with Outlook anywhere via EMS we would use the the following set of commands Get-OutlookAnywhere,Set-OutlookAnywhere,Enable-OutlookAnywhere.

A. Open EMS
B. Now we will use the Enable-OutlookAnywhere command to enable this feature
–The following switches are available for the command
** Pre SP1
Enable-OutlookAnywhere -DefaultAuthenticationMethod -ExternalHostname -SSLOffloading <$true $false> [-Confirm []] [-DomainController ] [-Server ] [-TemplateInstance ] [-WhatIf []]
** Post SP1
Enable-OutlookAnywhere -ClientAuthenticationMethod -ExternalHostname -SSLOffloading <$true $false> [-Confirm []] [-DomainController ] [-IISAuthenticationMethods ] [-Server ] [-TemplateInstance ] [-WhatIf []]

For this demo I used the following command
[PS] C:\>Enable-OutlookAnywhere -Server vmcashub -SSLOffloading:$false -ExternalHostname vmcashub.vn.local -ClientAuthenticationMethod basic -IISAuthenticationMethods basic

*Note if you use the defaultauthenticationmethod is will override the clientauth and IISAuth **
*Setting the ClientAuthMethod is what autodiscover will user to configure the client*

Enable-OutlookAnywhere
http://technet.microsoft.com/en-us/library/bb124993%28EXCHG.80%29.aspx

We can ouse the Get-OutlookAnywhere command to view our configuration
Get-OutlookAnywhere
http://technet.microsoft.com/en-us/library/bb124263%28EXCHG.80%29.aspx

Once we have enable Outlook Anywhere any future modification will be done with the Set-OutlookAnywhere command (i.e. changing authentication)
Set-OutlookAnywhere http://technet.microsoft.com/en-us/library/bb123545%28EXCHG.80%29.aspx

2. EMC
a. Open EMC –> Server configuration –> client Access Server
b. Select the CAS server you want to enable
c. Click the button to Enable Outlook Anywhere

d. Enter the External name that clients will use to connect to your Exchange Server, note this name should match the name on your certificate. Select the authentication method of choice

e. On the Completion Wizard Click finish

As you saw there is very little configuration when enabling Outlook Anywhere we have 3 options
1. Url 2. authentication and 3. Enable SSL offloading

Once we have Enabled Outlook Anywhere we can validate the registry key has configured correct ports for communication to our mailbox servers. Note only the name listed in the key can be used by clients to connect and you will notice there is no IP address listed so testing via IP will fail through the rpc proxy.

1. Click start Run
2. Regedit – this will open the registry editor
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
4. Notice the Dword called Enabled set to 1
5. There is a String value called “ValidPorts”
VMMBX1:6001-6002;VMMBX1:6004;vmmbx1.vm.local:6001-6002;vmmbx1.vm.local:

**Note if the port are not listed it could take up to 15 minutes to update or you can restart the Microsoft Exchange Service Host **
we can see that the rpc proxy connects to our mailbox server on the following port 6001-6002 and 6004. Each port is defined below

Microsoft Exchange Information Store service: 6001
referral service of DSProxy: 6002
proxy service of DSProxy: 6004
Active Directory (if the global catalog server and Exchange Server are on the same server): 6004

In our client testing we can validate the proxy making connections to our mailbox server with these ports.

Configure a client:
Manually
1. Create a New profile
2. check the manually configure box at the bottom

3. Select Microsoft Exchange

4. Input your mailbox server name (this could be FQDN or Netbios Name)

5. Click the “More settings” button

6. Select the connections tab

7. Check the box “Connect to Microsoft Exchange using HTTP” -> Exchange Proxy Settings

8. Input the url of your Outlook Anywhere server, check the appropriate authentication

9. Click OK and finish the profile

2. Autodiscover
** if autodiscover is not working please refer to my blog on autodiscover **
http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html

1. Click Add

2. Give a name for the profile

3. Input the display name and users email address and password
**Note a domain logged on user will auto populate the information**

5. Logon to your mailbox

6. Click Finish

Validation:
That we have installed all the components we need to do some testing to validate we have access to our mail.

Check Outlook connection status:
1. Log onto Outlook
2. in the System tray hold the CTRL key and right click the Outlook icon
3. select connection status

You can see our connection shows https, which validates we are going through the CAS server and proxying our connection.

Netstat:
We can use netstat to show our connection for each hop Client-> CAS -> Mbx -> DC

Open a command windows on the CAS server and type netstat -na

You can see from the screen shot above that our client 192.168.1.5 is making connections are port 443 to our CAS server 192.168.1.101

As noted in the connections window from Outlook you can see that the Outlook client makes multiple connections to the CAS server on port 443 and this is validated in the netstat

CAS -> MBX
On the mailbox server open a command window and type Netstat -na

The first item to note is our mailbox server listening on ports 6001,6002, and 6004 which is the ports used by rpc/http to make connections

Below you can see our mbx server 192.168.1.102 receiving connections on port 6001 and 6004 from our CAS server 192.168.1.101

MBX -> DC
On our domain controller we can see Ldap 389 and GC 3268 ports with connections from both our CAS server and MBX server.

Packet Captures:
We can use a tool like NetMon or WireShark to perform network captures on each hop as well to validate our traffic between each node. We must note this is encrypted traffic so we will only see sessions between the nodes

This capture is run on the XP client and we can see TLS communication between our client 192.168.1.5 and our CAS 192.168.1.101

This capture show communication from the CAS 192.168.101 to the mailbox server on port 6001/6004

See the highlighted section showing a destination port 6001 from the CAS to the MBX server

See the highlighted section showing a destination port 6004 from the CAS to the MBX server

Mailbox Server -> DC/GC
Below we can see our mailbox server making connections to the DC Ldap port 389

RPCPing:

RpcPing is a utility that we can use to troubleshoot or validate that our rpc proxy is working properly.
Rpc ping is a command line tool that can be found in the Windows 2003 resource kit http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en We can use this tool to test rpc connectivity through an rpc proxy server which is used for Outlook Anywhere.

You can use this MS article to assist with this utility http://support.microsoft.com/kb/831051

1. Open a command line to the resource kit directory

2. Lets connect to port 6001 =store

rpcping -t ncacn_http -s vmmbx1.vm.local -o RpcProxy=mail.vm.local -P “brian.tirch,vm.local,*” -I “brian.tirch,vm.local,*” -H 1 -F 3 -v 3 -B msstd:mail.vm.local -e 6001 -u 10 -a connect

You can see we make a successful connection

3. Lets connect to port 6004 =DsProxy

rpcping -t ncacn_http -s vmmbx1.vm.local -o RpcProxy=mail.vm.local -P “brian.tirch,vm.local,*” -I “brian.tirch,vm.local,*” -H 1 -F 3 -v 3 -B msstd:mail.vm.local -e 6004 -u 10 -a connect

You can see we make a successful connection

These tests show us that we are properly connecting through the rpc proxy server to the correct ports associated with Outlook Anywhere.

reference the above MS article for a break down of the switches.

PerfMon:
Windows 2008 has added some additional perf counters that we can use with Rpc/Proxy that can assist in identifying connectivity and user load.

common issues:
1. Certificates – If the client machine does not trust the certificate that is being presented it will fail to connect. So if you are using self signed or self issued certificates you will need to deploy them to each client machine

http://technet.microsoft.com/en-us/library/bb124149%28EXCHG.80%29.aspx

 

Windows 2008 has added a number of new security enhancement from firewalls to a more secure version of IIS, with these new security settings the installation of Exchange 2007 SP1 is slightly different. You cannot install Exchange 2007 on Windows 2008 but only Exchange 2007 SP1.

Thanks to Paul Bowden of Microsoft I am going to post a few Xml files which can make your installation of Exchange 2007 SP1 easier on a Windows 2008 server. These file where not included with the Exchange 2007 release but will be included in future version of Exchange

No longer is powershell a download and install but Windows 2008 has included powershell in the OS and can be installed from a command prompt as you will see later in this blog.

Note: the following xml files are not included with Exchange 2007 you can choose to use them to simplify an installation or manually install each component.

Windows 2008 has added a new command line tool that allows an administrator to install any number of Windows components from a command line. To evoke this tool you would use the command ServerMangerCmd the -i switch tell the system to install.

For Example to install powershell on a Windows 2008 server you would type ServerManagerCmd -i PowerShell

There are 5 Xmil files to install componets, notice the Hub do not have any special requirements and the base is all that is needed to install those roles.

XML Files:
1. Exchange-base.xml
2. Exchange-Typical.xml
3. Exchange-CAS.xml
4. Exchange-Mbx.xml

** Please note I had to remove bracets to display the information on the page, see the screen shot for the correct format***

I have also labeled each row with a letter so I can refer to each line of the code

a:ServerManagerCmd Answer File compatible with Longhorn
b:Usage: ServerManagerCmd -ip Exchange-Base.xml
c:Contact: PBowden
d:ServerManagerConfiguration
E: Action=”Install” xmlns=”http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1“>
F:BASE: Install PowerShell feature
G:Feature Id=”PowerShell”
H:– PREPARESCHEMA: Install LDIFDE and other directory tools –
I:Feature Id=”RSAT-ADDS”
j:ServerManagerConfiguration

What does this file do?
The baseline file will install Powershell and the Directory tools for a Windows 2008 server, you can see in lines G and I calls to install those components.

to use this file I would open a command windows and type servermanagecmd -ip c:\exchange-base.xml

This would then install powershell and the Admin tools for Windows 2008

2. Exchange-Typical.xml
– ServerManagerCmd Answer File compatible with Longhorn Beta 3 –
- Usage: ServerManagerCmd -ip Exchange-Typical.xml –
– Contact: PBowden –
ServerManagerConfiguration Action=”Install” xmlns=”http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1“>
– BASE: Install PowerShell feature –
Feature Id=”PowerShell”
– PREPARESCHEMA: Install LDIFDE and other directory tools –
Feature Id=”RSAT-ADDS”
– CAS/MBX: Install the Web Server role with additional child components –
Role Id=”Web-Server”
RoleService Id=”Web-Metabase”
RoleService Id=”Web-Lgcy-Mgmt-Console”
– CAS: Install the three authentication types for OWA, GZip compression, plus Outlook Anywhere support –
RoleService Id=”Web-Basic-Auth”
RoleService Id=”Web-Digest-Auth”
RoleService Id=”Web-Windows-Auth”
RoleService Id=”Web-Dyn-Compression”
Feature Id=”RPC-over-HTTP-proxy”
ServerManagerConfiguration

A typical Exchange 2007 installation would constist of the hub,cas, and mbx role and as we can see this xmil file install the required Windows componets including the components of the Exchange-base.xml file.

The following components are install in the typical file:
Feature Id=”PowerShell”
Feature Id=”RSAT-ADDS”
Role Id=”Web-Server”
RoleService Id=”Web-Metabase”
RoleService Id=”Web-Lgcy-Mgmt-Console”
RoleService Id=”Web-Basic-Auth”
RoleService Id=”Web-Digest-Auth”
RoleService Id=”Web-Windows-Auth”
RoleService Id=”Web-Dyn-Compression”
Feature Id=”RPC-over-HTTP-proxy”

3. Exchange-CAS.xml
– ServerManagerCmd Answer File compatible with Longhorn
– Usage: ServerManagerCmd -ip Exchange-CAS.xml –
- Contact: PBowden -
ServerManagerConfiguration Action=”Install” xmlns=”http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1“>
– Install the Web Server role with additional child components -
Role Id=”Web-Server”
RoleService Id=”Web-Metabase”
RoleService Id=”Web-Lgcy-Mgmt-Console”
– Install the three authentication types for OWA, GZip compression, plus Outlook Anywhere support –

RoleService Id=”Web-Basic-Auth”
RoleService Id=”Web-Digest-Auth”
RoleService Id=”Web-Windows-Auth”
RoleService Id=”Web-Dyn-Compression”
Feature Id=”RPC-over-HTTP-proxy”

The Exchange-CAS.xml install the same components as the Exchange-Typical exceprt for powershell and the Adminsitration tools. This mean you would need to run the Exchange-base.xml file first or user the typical installation file which installs the same components.

4. Exchange-Mbx.xml
Exchange 2007 SP1 still requires a small amount of IIS components to be installed on the mailbox server.

ServerManagerConfiguration
Action=”Install” xmlns=”http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1“>
– Install the Web Server role with default child components –
Role Id=”Web-Server”
– Install the optional IIS6 Metabase and console –
RoleService Id=”Web-Metabase”
RoleService Id=”Web-Lgcy-Mgmt-Console”
ServerManagerConfiguration

5. Exchange-Edge.xml
The Exchange-Edge.xml installs ADAMServerManagerConfiguration Action=”Install” xmlns=”http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1“>
– Install AD Lightweight Directory Services (aka ADAM) –
Role Id=”ADLDS”
ServerManagerConfiguration

Lets go ahead use the exchange-base.xml and Exchange-typical with the exchange-typical.xml

1. Launch a command window with Administrative rights

2. either run from the directory or specify the path of the xml file utilizing the servermanagecmd cli tool.

Servermanagecmd -ip exchange-base.xml

3. Reboot the computer

4. Run the command prompt as Administrator again and launch the exchange-typical.xml file

Notice the following components are installed

6. Run the Exchange 2007 sp1 setup as administrator

- this can be done from the command line or gui, since we already have a command prompt open I am going to use the comannd window to start the installation.

7. setup /m:install /r:h,c,m

This command will install the Hub,CAS, and mailbox role on our Windows 2008 server

8. reboot the server

9. validate the installation

**Please note there have a been a number of issue with rpc/https and Windows 2008 when Ipv6 is enabled see the link below on how to disable ipv6
http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx

Lets Logon to OWA

3. Select the correct address list – All rooms etc…

4. book room
I am going to select a date of Thursday, January 17, 2008 2:30 PM-3:30 PM.

Now lets create a 2nd meeting request

As you can see user should not require access to view a rooms availability directly with their calendar but should be using the free/busy information to find out when the resource is available. This reduces Administration on the room mailbox.

Installing Anti Spam Agents
By default the Anti Spam agents are not installed on the hub servers ***these must be installed on each hub that you want to utilze the agents ****

Open EMC
Organizational Configuration
Select the Hub Transport Server

As you can see there is no reference to the anti spam agents

Lets go ahead and install the Agents”

1. Open EMS
2. you can change to the directory or input the path to the powershell script (I chose to change to the directory) Change to C:\progroam files\Microsoft\Exchange Server\Scripts (assuming install directory is default)
3. ./install-AntiSpamAgents.ps1

After the agents are installed the Transport Service needs to be restarted

Lets go back to EMC–Organizational Configuration — Hub Transport

We now have an Anti Spam Tab with a number of items to configure

CONFIGURATION:
Now that we have installed our Anti Spam Agents lets take a look at what we can configure. Some configuration can only be done from EMS and some can be done from both EMS and EMC.
Content Filtering
IP Allow List
IP Allow List Providers
IP Block List
IP Block List Providers
Recpient Filtering
Sender Filtering
Sender ID
Sender Reputation

Content Filtering:
When the Content Filter agent is enabled on a computer, the Content Filter agent filters all messages that come through all Receive connectors on that computer. Only messages that come from external sources are filtered. External sources are defined as non-authenticated sources that are considered anonymous Internet sources.
http://technet.microsoft.com/en-us/library/bb124739.aspx

Content filter provides us with 3 tabs that we can configure
1. Custom Words
2. Exceptions
3. Action

Lets first set a custom message to the users when a message is filtered, to do this you use the the set-contentfilterconfig command
Set-Contentfilterconfig -rejectionresponse “Your message was rejected due to content it contained”

Custom Words
This options allows us to configure 2 options 1: Messages with certain words will not be blocked and 2. Messages containing works or phrases to block.

Lets perform some Tests:
1. Add a word to by pass our content filter
2. Add a word/phrase to block the message

I have created 2 new rules:
1. bypass will exempt a message from being filtered
2. baseball or “my dog has fleas” will be blocked

Since Content filter is only done for remote domains I setup a 2nd Exchange Org remote.local for the my tests.

Test:
Send Message From External.User@remote.local to Brian.Tirch@Vm.local with Baseball to catch the message

Result:
The Sender External.User@remote.local receives Error message stating message is restricted, we can see our custom error message towards the bottom of the message.

Test2: Send Messge From External.User@remote.local to Brian.Tirch@vm.local with bypass to bypass the content filter

Result: Message was receieved by Brian

Exceptions
We have the ability to let users or groups by pass the content filter, this would be good for help desk mailboxes etc……

I have added Brian.Tirch@vm.local to the Exepctions

Test: Send message from External.User@remote.local with baseball to Brian.tirch@vm.local

Result: The message was delivered and bypassed our content filter blocking the word baseball

Action:
The Action tab alllows use to set thresholds to 1. Reject 2. Delete or 3. quarantine messages

For this test I have set all message with SCL rating of 2 to be quarantined and Brian.Tirch@vm.local receive a copy.

Test:
1. Removed Brian from the Exception
2. Sent message from External.User@remote.local with spam like content

Result:
Message was captured by the content filter and a Quarantined version was sent to our spam mailbox.
I then released the message from our spam mailbox to the recipient which was delivered.

** To release a messsage from the spam mailbox you open the message and click send again **

IP Allow List
IP Allow lists are not configurable at the Org level, this is a server level setting and we must look under server configuration -> Hub transport to be able to configure this via EMC.

Lets use the Get-IPAllowListConfig to see what our default configuration is.

We can see that by default only filtering of external domains is enabled, however this feature can be configured for internal and(or) exteranl filtering.

To add a single IP or range of IP’s we would use Add-IPAllowListEntry command
Add-IPAllowListEntry -IPAddress 1.1.1.1

Any address or range added to your filter be bypass the content filter that you have enabled. This would be good for any remote system or new groups that are trusted or any smtp relays that are trusted.

After we have added the IP/Range we want to allow we can use the Get-IPAllowListEntry to view our configured systems.

http://technet.microsoft.com/en-us/library/bb123554.aspx
http://technet.microsoft.com/en-us/library/bb124385.aspx

IP Allow List Providers
IP Allow list provider aka Save List Services can be manged via EMS or EMC

Lets look at the properties of the IP Allow List Providers

Click Add

Provider name :Type the name of the IP Block List provider service. This name is for your own use
Lookup domain : type the domain name that the Connection Filter agent queries for updated IP Block list information.

Match to any return code When you select this option, the Connection Filter agent treats any IP Address status code that is returned by the IP Block List provider service as a match.
Match to the following mask When you select this option, the Connection Filter agent acts only on messages that match the return status code of 127.0.0.x, where the integer x is any one of the following values:
1 The IP address is on an IP Block list.
2 The Simple Mail Transfer Protocol (SMTP) server is configured to act as an open relay.
4 The IP address supports a dial-up IP address.
Match to any of the following responses When you select this option, the Connection Filter agent acts only on messages that match the same IP address status code that is returned by the IP Block List provider service.

IP Block List
IP Block Lists are the opposite of our allow lists, there are IP that we want to block from sending messages to our Exchange environment. IP block lists are not configurable at the Org level, this is a server level setting and we must look under server configuration -> Hub transport to be able to configure this via EMC.

We can use the Get-IPBlockListConfig to view our current

To modify our configuration we need to utlize the Set-IPBlockListConfig
http://technet.microsoft.com/en-us/library/bb123578.aspx

Lets create a custom response message for a blocked server:
[PS] C:\>Set-IPBlockListConfig -StaticEntryRejectionResponse “Your machine has been identified as malicious and all messages will be rejected from your server”.

Now lets add the IP address of our remote mail server to our block list:
Add-IpblockListEntry -IpAddress 192.168.1.120

Test:
Send a message from External.User@remote.local to Brian.tirch@vm.local

Result:
The Sender received an NDR with our custom message stating the server has been blocked

We can see that our message was reject by our content filter and our custom message was displayed.

IP Block List Providers IP Block List Providers like Spam Haus http://www.spamhaus.org/index.lasso have been around for a number of years and have compiled a list of known spamers and can greatly assist Exchange Administrators by using thier compiled list instead of manually blocking IP’s.

The agent can be managed from both EMS and EMC
On the properties of the agent we see the following

Let configure our server to use Spam haus as an Block List ProviderSelect the Providers Tab and Click Add

you can test to see if the SBL blocking is working by sending an email (any email) to: nelson-sbl-test@crynwr.com (you must send the email from the mail server which you wish to test). The Crynwr system robot will answer you to tell you if your server is correctly blocking SBL-listed addresses or not.We can also configure Exceptions so that email sent TO a user are not blocked even if they are found to be from someone on the Block List.

Recipient Filtering
Recipient Filtering allow the system to reject messages of users that are not in your address book or you can block recipients that should not be receiving mail from the outside.

Lets look at our settings
1. check the box to block messages to recipients not listed in the GAL
2. We can block messages to specific users or groups
Test1:
I am going to add Brian.Tirch@vm.local as a blocked users, then send a message from External.User@remote.local

Result:

Sender receives a 550 5.1.1 User unknown ##
Test2:
With the block messages to recipients not listed in the GAL checked, I sent a message from External.User@remote.local to Madeup@vm.local

Result:
Sender recieves a 550 5.1.1 User unknown ##

Test3:
With the block messages to recipients not listed in the GAL NOTchecked sent a message from External.User@remote.local to Madeup@vm.local 

Result
Sender recieves a #< #5.1.1 smtp;550 5.1.1 RESOLVER.ADR.RecipNotFound; not found> #SMTP# error

For more information on Recipient Filtering review the following
http://technet.microsoft.com/en-us/library/aa998898.aspx

Sender Filtering
Sender filtering compares the sender on the MAIL FROM: SMTP command to an administrator-defined list of senders or sender domains that are prohibited from sending messages to the organization to determine what action, if any, to take on an inbound message.

Sender Filtering can be managed via EMC or EMS, lets look at the settings we have available

You can see we have 3 tabs
1. General – provides a description of what sender filtering does
2. Blocked Senders – allow us to block users,domains, or messages with blank sender fields
3. Action – allows the message to be rejected or stamped with blocked sender

Lets configure some settings
1.Add External.User@remote.local as a blocked user and set the action to reject

Test:
Send a message from External.User@remote.local to Brian.Tirch@vm.local

Result:
The sender receives and NDR #554 5.1.0 Sender denied ##

Now we have remove the individual user from the block list and added the entire domain, for this test we will still leave the action to block.

Test2:
send a message from External.User@remote.local to Brian.Tirch@vm.local

Result:
The sender receives and NDR #554 5.1.0 Sender denied ##

I have left the domain block in place however this time changed the actions to stamp

Test3
send a message from External.User@remote.local to Brian.Tirch@vm.local

Result:
Message was received by Brian.Tirch@vm.local ….

“Stamp message with blocked sender and continue processing If you select this option, messages from a sender or domain that is on the Blocked Senders list are stamped with the blocked status and continue to process. This message metadata is evaluated by the Content Filter agent when a spam confidence level (SCL) is calculated. Additionally, sender reputation uses the message metadata when it calculates a sender reputation level (SRL) for the sender of the message.” http://technet.microsoft.com/en-us/library/aa997235.aspx

http://technet.microsoft.com/en-us/library/aa996031.aspx
http://technet.microsoft.com/en-us/library/aa996920.aspx

Sender ID
“The Sender ID Framework is an e-mail authentication technology protocol that helps address the problem of spoofing and phishing by verifying the domain name from which e-mail messages are sent. Sender ID validates the origin of e-mail messages by verifying the IP address of the sender against the alleged owner of the sending domain.”
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx
http://www.microsoft.com/mscorp/safety/technologies/senderid/overview.mspx

Lets take a look at what options we have

We have 2 tabs, general and actions

General: Gives an overview of what Sender ID does
Actions: Allow us to reject, delete, or Stamp message with sender ID result and continue to process

**that many people have not adopted sender ID and I would recommend the default action of tamp message with sender ID result and continue to process

Notice these action state the message MUST FAIL the sender ID check, if the sender ID look finds no SPF record then the message will be process and the header be tagged

X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (VMCASHUB.VM.Local: External.User@remote.local does not
designate permitted sender hosts)

To force a reject or delete, I will have to configure an SPF record and leave the IP of just hub server off the list. To use a wizard you can go to the following link http://www.openspf.org/

Sender Reputation
When Sender Reputation is enabled a sender reputation level (SRL) is calculated by Exchange using the following:

HELO/EHLO analysis
Reverse DNS lookup
Analysis of SCL ratings on messages from a particular sender
Sender open proxy test
http://technet.microsoft.com/en-us/library/bb124512.aspx

We have 3 tabs General, Sender Confidence, and Action

The Sender Confidence tab allow us to perform an open proxy test

The actions tab allows us to set a threshold for our SRL

The last item I want to mention is how to set the SCL Junk threshold
SCL Junk E-mail folder threshold
If the SCL value for a specific message exceeds the SCL Junk E-mail folder threshold, the Mailbox server puts the message in the Outlook user’s Junk E-mail folder. If the SCL value for a message is lower than the SCL delete, reject, quarantine, and Junk E-mail folder threshold values, the Mailbox server puts the message in the user’s Inbox.

use the Get-OrganizationalConfig command to display the current settings

we can see our current value is set to 8, let change this to 2 and generate a message that will exceed this value.
C:\>Set-OrganizationConfig -SCLJunkThreshold 2

Lets send a message from External.User@remote.local to brian.tirch@vm.local and simulate a junk message.

If we look at the message header we can see the SCL was 4 which exceeded our SCL threshold of 2 and sent the message to junk

X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report

http://support.microsoft.com/kb/555924
http://technet.microsoft.com/en-us/library/bb123502.aspx

Now Exchange 2007 has made drastic improvements and made managing resource quite easy.

As you can see if we attempt to create a new user we now have native options to create 2 types of mailboxes that we can use to resource scheduling 1. Room Mailbox and 2. Equipment Mailbox

Lets walk through the creation of each type of mailbox

Room Mailbox
Open EMC
Select Recipient Configuration
Click New Mailbox
Select Room Mailbox ->next

click New User –> Next

Fill in the logon information, remember this creates a disabled account

Select the location of the Room Mailbox database

Click New

Finish

If we open Active Directory Users and computers we will see our newly created disable account

Lets open EMC and see the additional properties we have on a Room Mailbox

You can see we have an additional Tab called Resource Information that allows us to specify room capacity and add custom properties

You can see on Jessica Steele’s mailbox that tab does not exist

How do we manage this resource?
Delegate someone Full Access to the mailbox so the mailbox can be open by that user account

this can be done via EMC or EMS with the add-mailboxpermission command
Add-mailboxpermission “Conferene Room 1″ -user Brian.Tirh -accessrights fullaccess

Now I can use my Brian account to open the mailbox in OWA, there we will see some additional tabs.

Once we open the conference room mailbox and select options we can see an additional option called Resource Settings

Under Resource Setting we have 4 areas
1. Resource Scheduling options
2. Resource Scheduling Permission
3. Resource Privacy Options
4. Response Message

Resource Scheduling options
The following options are listed:
Automatically process meeting requests and cancellations
Disable Reminders
Maximum number of days:
Always decline if end date is beyond this limit
Limit meeting duration Maximum allowed minutes:
Allow scheduling only during working hours
Allow conflicts
Allow recurring meetings
Allow up to this number of individual conflicts:
Allow up to this percentage of individual conflicts:

Resource Scheduling Permission

Specify users and groups which have permissions to schedule this resource by sending a meeting request
These users can schedule automatically if the resource is available: Everyone
Select Users and Groups:
These users can submit a request for manual approval if the resource is available:
Everyone
Select Users and Groups:
These users can schedule automatically if the resource is available and can submit a request for manual approval if the resource is unavailable:
Everyone
Select Users and Groups:
For requests requiring approval:
Always forward to delegates
Always tentatively accept these requests

Resource Privacy Options
Always add the organizer name to the meeting subject
Always remove the private flag on an accepted meeting
When declining meeting requests due to a conflicting meeting:
Include detailed information about conflicting meetings in response
Include organizer’s name in conflict information
Always delete the following when sent to this resource:
E-mail messages
Attachments from meeting requests
Comments from meeting requests
Subject of meeting requests

Response Message

Allows you to configure an automatic response to users

I am going to configure all the Resource Permissions so that only Jodie Bartos and Jessica Steele can use the automatic processing.

Now that I have scoped down the permission on who can submit a calendar invite I am going to attempt to send an invite using this resource room from my Brian Tirch account

We can see this request was declined automatically since I do not have permissions.

Now I will send a message from Jodies account to attempt to use this resource

This invite was automatically processed and accepted.

Within most organization there is a priority level of who can use resources and bump other user from a location. We can setup a delegate on this resource so that only certain users can automatically process meetings and the rest must be approved by our delegate.

Open EMS

set-mailboxcalendarsettings “conference room 1″ -resourcedelegate booth.scates

Now that Booth is our delegate lets change the permissions so that Everyone (we can scope this down as well) can submit message but they will need to be processed by the delegate.

Now Let try from my Brian Tirch account to submit a request for this resource

We can see that we have been tentatively scheduled for this resource

If we look at our Delegates mailbox we can see the delegate received a message from the conference room stating a users has submitted a request that is out of scope and must be approved.

Note the message at the top the screen — so far I have been doing all my testing from OWA however currently the delegate cannot accept the tentative meeting from OWA and the full client must be used

You can see that I have opened Outlook and now have an accept/decline button on the message

Once the delegate has accepted the message my Brian account receives notification that the meeting has been accepted

Now that we have configured permissions for our Room Mailbox lets look at attributes that we can configure.

1. Capacity

2. Custom Properties

We can set the capacity via EMC or EMC however we can only create custom properties via EMS and can assign them via EMC

We can use the Get-ResourceConfig command to see what definitions we currently have (by default none)

Lets create 2 custom resources 1. WhiteBoard and 2. Projector

Open EMS

Set-ResourceConfig -ResourcePropertySchem (“Room/Projector”, “Room/WhiteBoard”)

Now lets Open EMC and we can see that we have the option to add Projector and WhiteBoard to our room mailbox.

Note: OWA will show the capacity but not the custom properties, Outlook 2003 will not show either capacity nor room properties, only Outlook 2007 will show all the properties of the room

We can see from Outlook 2007 that our room capacity is 15 and we have our whiteboard and projector.

Equipment Room
The creation of an Equipment Room is the same as already outlined above so I will skip those steps and just show some of the features.

I created a new Equipment Room called Ford_Mustang, which is common for people to have vechicle checked out.

Lets run a Get-Mailbox command to see the mailbox details

[PS] C:\>Get-Mailbox ford_mustang fl *resource*,recipienttypedetails
IsResource : True
ResourceCapacity :
ResourceCustom : {}
ResourceType : Equipment
RecipientTypeDetails : EquipmentMailbox

We can see that our mailbox is of type equipment….

We get the same resource information tab on equipment mailboxes as room mailboxes

If you noticed before when we created the resource config I only created items for room mailboxes. Lets add some features for our cars
**note the Set-ResourceConfig command will overwrite the entire entry so you must list everything you want**

Set-ResourceConfig -ResourcePropertySchem (“Room/Projector”, “Room/WhiteBoard”, “equipment/2Door”,”equipment/cherryred”,”equipment/siriusradio”,”equipment/convertable”

Now we can add this custom properties to our Mustang

 

There are a few pre configured messsage classifications that Microsoft has already create for Exchange 2007 users, we will take a look at those and see how we can create new classification for our users then walk through how to deploy them to our Outlook 2007 users.

Preconfigured Message Classifications
If we run Get-MessageClassification from powershell we can see the 6 preconfigured message classifications.
1. A/C Privileged
2. Attachment Removed
3. Company Confidential
4. Company Internal
5.Originator Requested Alternate Recipient Mail
6. Partner

ClassificationID : d74dbde8-4cb0-4043-ae4b-2a1b5686c9dc
DisplayName : A/C Privileged
DisplayPrecedence : Medium
Identity : Default\ExACPrivileged
IsDefault : True
Locale :
RecipientDescription : This message is either a request for legal advice from an attorney or a response by an attorney to a request for legal advice. It should be treated confidentially, should only be sent to people with a need to know, and should only be forwarded by an attorney.
RetainClassificationEnabled : True
SenderDescription : This message is either a request for legal advice from an attorney or a response by an attorney to a request for legal advice. It should be treated confidentially, should only be sent to people with a need to know, and should only be forwarded by an attorney.
UserDisplayEnabled : True
Version : 0

ClassificationID : a4bb0cb2-4395-4d18-9799-1f904b20fe92
DisplayName : Attachment Removed
DisplayPrecedence : Low
Identity : Default\ExAttachmentRemoved
IsDefault : True
Locale :
RecipientDescription : An attachment was removed from this e-mail messase because the attachment was determined to pose apossible security risk.
RetainClassificationEnabled : False
SenderDescription : A system-generated classification to inform users that an attachment was removed from this message
UserDisplayEnabled : True
Version : 0

ClassificationID : 19e795ab-f38c-4d55-a009-0a3ad32ffc1f
DisplayName : Company Confidential
DisplayPrecedence : Medium
Identity : Default\ExCompanyConfidential
IsDefault : True
Locale :
RecipientDescription : This message contains proprietary information and should be handled confidentially.
RetainClassificationEnabled : True
SenderDescription : This message contains proprietary information and should be handled confidentially.
UserDisplayEnabled : True
Version : 0

ClassificationID : f93fcaf3-00b6-4bfe-a84b-40e78f498560
DisplayName : Company Internal
DisplayPrecedence : Medium
Identity : Default\ExCompanyInternal
IsDefault : True
Locale :
RecipientDescription : This message contains sensitive information that should only be delivered to internal recipients.
RetainClassificationEnabled : True
SenderDescription : This message contains sensitive information that should only be delivered to internal recipients.
UserDisplayEnabled : True
Version : 0

ClassificationID : 3f4cc40b-2a9f-4be5-8a55-0e3fdacddd43
DisplayName : Originator Requested Alternate Recipient Mail
DisplayPrecedence : Medium
Identity : Default\ExOrarMail
IsDefault : True
Locale :
RecipientDescription : This message is an originator requested alternate recipient message.
RetainClassificationEnabled : False
SenderDescription : This message is an originator requested alternate recipient message.
UserDisplayEnabled : True
Version : 0

ClassificationID : 030e9e2f-134b-4020-861c-5bfc616f113d
DisplayName : Partner
MailDisplayPrecedence : Low
Identity : Default\ExPartnerMail
IsDefault : True
Locale :
RecipientDescription :
RetainClassificationEnabled : False
SenderDescription :
UserDisplayEnabled : True
Version : 0

Lets take a look at the fields that are available to us:
ClassificationID : Use this parameter to specify a classification ID of an existing message classification that you want to import and use in your Exchange organization.
DisplayName : This is displayed to the user in OWA and Outlook 2007
DisplayPrecedence : It specifies the ordering of the recipient descriptions and it determines which message classification travels with a forwarded or replied message.
Identity : Name given during creation
IsDefault :
Locale : This specifies a cultural code the for locale
RecipientDescription : This is the description seen by the recipient
RetainClassificationEnabled : Use this parameter to specify whether the message classification should persist with the message if the message is forwarded or replied to. The default value is $true.
SenderDescription : This is a description seen by the sender which explains what this message classification is used for
UserDisplayEnabled : specifies whether the values that you entered for the DisplayName and RecipientDescription parameters are displayed in the recipient’s Outlook message
Version : Shows the current version number

Outlook Web Access

Lets logon to Jodies mailbox and see what deafult message classifications are available.

We can see the A/C, company confidiental, and Company Internal are displayed
Lets create a new message classifiation for Jodie called “I love you”, message classifcation can only be create from powershell with the new-messageclassification commandlet.

http://technet.microsoft.com/en-us/library/bb124400.aspx

From powershell I used the following:

[PS] C:\>New-MessageClassification -Name “Jodie Loves Brian” -SenderDescription”This message is intended to show Brian how much Jodie adhors him” -RecipientDescription “I just wanted to say how much I love you” -DisplayName “I love you” -UserDisplayEnabled:$true

If we now run a get command we can see our newly create message classification

PS] C:\>Get-MessageClassification ft IdentityIdentity

default\ExACPrivileged

default\ExAttachmentRemoved

default\ExCompanyConfidential

default\ExCompanyInternal

default\ExOrarMail Originator Requested

default\ExPartnerMail

default\Jodie Loves Brian

Now lets logon to Jodies mailbox in OWA and see the newly created message classification

Lets create a new message and select the “I love you” classification and see the sender description

As we see at the top of the message you sender is shown the message from the senderDescription parameter.

Now lets logon to Brians mailbox and see the message

The recipient see ‘s information from the -Recipientdescription

Its easy enough to create a new classificaiton however what is we want certain message classification to be tagged on all messages from particular groups to particular groups. We can combine Transport Rules take the work out of the users hands.

Combing Transport rules with Message Classification

I am not going to go into great detail of transport rules so for more information see, http://exchange-genie.blogspot.com/2007/11/exchange-2007-transport-rules.html

Lets create a new transport rule for when message are sent from Jodie to Brian the message classification is added.

Now that we created our transport rule lets logon to Jodies mailbox and create a new message to Brian but this time we will not add the message classification manully.

Lets logon to Brians mailbox and see the new message sent from Jodies mailbox

You can see the sender never added the message classication but the transport rule did the work for us.

Outlook 2007 –Section not completed

Microsoft introduced the Recovery Storage Group with Exchange 2003 which added some nice recovery functionality; we no longer needed a recovery AD forest to restore items to mailboxes or a single mailbox. Exchange 2007 has kept this feature however has drastically changed the interface and added the ability to use power shell for recovery.

For this article I am going to focus on using power shell only to recover mailboxes and messages to a mailbox. One big change is that even when a RSG is created you will not see it with the gui (EMC) and it can only been see via power shell.

First let’s start by logging onto a mailbox and seeing the content

As you can see we have 3 new messages in Jodie’s mailbox

Now we can use NTBackup to backup our Exchange servers database
1. Launch NTBackup from the system tools

2. Select next on the backup/restore wizard

3. Choose the radius button to backup files and settings

4. Select the radius button “Let me choose what to backup”

5. I am only going to backup the first storage group since that is the location of mymailboxes

6. Specify the location of the backup (D:\backup)

7. Click finish to start the backup

Here we can see our backup file has been created.

Now that we have a current backup I am going to delete the messages from Jodie’s mailbox so that we can then use a recovery storage group to recover the data .

Lets create a new RSG and take a look in the gui and then the command line.

To create an RSG we use the new-storagegroup commad but add the -Recover switch
new-storagegroup -Server vmmbx1 -LogFolderPath d:\rsg\logs -Name ExchangeGenie
-SystemFolderPath d:\rsg\data -Recovery

now that we have created our RSG let see if we get any info from EMC

As you can see the RSG does not show up

but if we do a get-storgegroup fl our new RSG will be shown

notice the recovery option is set to true

Now that we have created an RSG we need to add the database we want to recover

new-mailboxdatabase -mailboxdatabasetorecover “Mailbox Database” -storagegroup Vmmbx1\ExchangeGenie -edbfilepath “D:\RSG\Data\mailbox database.edb”

We do not need to set this database can be overwritten since that is enabled by default.

Now that we have created our RSG and added the appropriate database to the RSG we now have to restore the data from backup.

1. Launch NTBackup

2. Click Next

3. Select the backup we want to restore

4. input a temp location for the patch file and Check “Last Restore”

**since this is a full backup and no other logs are to be restored the last restore check box is marked”***

5. Click Next to start the restore

6. Click close after the restore completes

You can see we now have data restored to our recovery database location.

Now that the data has been restored from our backup we need to mount the recovery database

mount-database -identity ‘vmmbx1\exchangegenie\mailbox database’

Now that we have created our RSG, added a recovery database, and restored our data from backup we can now recover data to our users mailbox.

I will perform 3 different recoveries

1. Merge data back into a users mailbox
2. Merge data back into a sub folder in the users mailbox
3. Merge data to another users mailbox into a subfolder

Merge Data back to the original location

The following command will merge the data from our recovery database back to the original live mailbox.

Restore-Mailbox -id ‘Jodie Bartos’ -RSGDatabase ‘ExchangeGenie\Mailbox Database’

You can see that all our messages have been brought back to the original location

Merge data into a sub folder in a users mailbox

Restore-Mailbox -RSGMailbox ‘Jodie Bartos’ -RSGDatabase ‘ExchangeGenie\Mailbox Database’ -id ‘Jodie.Bartos’ -targetfolder ‘RestoredMail’

You can see we have a new folder called RestoredMail which has a copy of the user inbox

Merge data to another users mailbox into a subfolder
Restore-Mailbox -RSGMailbo ‘Jodie Bartos’ -RSGDatabase ‘ExchangeGenie\Mailbox Database’ -id ‘Brian.Tirch’-targetfolder ‘JodiesMbx’

You can see my mailbox now has a subfolder called JodiesMbx with a copy of all her data

There are a number of recovery options that I did not mention in this blog i.e datarate,keywords, etc… that allow a more flexable recovery

After we completed our recover we need to remove the RSG, this is an item that you should not keep unless you are utilizing it.

First we need to dismount the database

Dismount-database -identity ‘vmmbx1\exchangegenie\mailbox database’

Now that we have dismounted the database we need to remove it

Remove-MailboxDatabase -identity ‘vmmbx1\ExchangeGenie\Mailbox Database’

**Note this will not delete the files from the drive, you must manually delete the restored database ***

The last step we need to remove the Recovery Storage Group

Remove-StorageGroup -identity ‘Vmmbx1\ExchangeGenie’

To validate our RSG is gone we need to use the Get-StorageGroup command

For this blog I used a simple setup with 1 CAS/Hub and 1 MBX server, this blog does not cover all the configurations and thier options but goes into detail about Exchange 2007 Autodiscover service.

There are 4 ways to get autodiscover to function:
1. Set the SCP to the url of the autodiscover server (this will work for domain joined machines)
2. DNS/HTTP
3. Deploy an Xml file to the users machine which also requires registry changes on the client
4. DNS SRV records (requires Outlook 2007 SP1)

There are a number of setting when it comes to configuring autodiscover and its associated components:

By default Exchange creates the 2 virtual directories on the CAS server that are needed for the autodiscover and availability service, however there is no gui interface to manage these services and all management must be done from EMS (exchange management shell)

- EWS – Exchange Web Services and Autodiscover — for autodiscover service

Lets start from the begining:

SERVICE CONNECTION POINT – SCP

———————————————–
The SCP informtion can be found using LDP or Adsieidt, for this blog I will use Adsiedit in my examples:
Open the Configuration container to the following path:
CN=Services, CN=Microsoft Exchange,CN=First Organization (your org name),CN=Administrative Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Servers,CN=YourServer,CN=Protocols,CN=Autodiscover,

By default the SCP will be set to Https://yourserverfqdn/autodiscover/autodiscover.xml

How can the SCP be manged?

Currently there is no gui interface to manage the SCP setting however we can use the new EMS.
1. Open EMS
2. Get-clientAccessServer ¦ fl Name,AutoDiscoverServiceInternalUri

The get command will allow us to view the current SCP for a given server or all servers.

To set the SCP we use the commandlet: Set-ClientAccessServer -Identity vmcashub -AutoDiscoverServiceInternalUri “https://mail.vm.local/autodiscover/autodiscover.xml”
** Note: You can leave this as the internal servername unless you have an NLB that you want to take advantage of**

and we can validate our change with the get command:
Get-clientAccessServer ¦ fl Name,AutoDiscoverServiceInternalUri

Now that the SCP is set domain joined clients could use the autodiscover service however there are some additional components are tied to the autodiscover serivce like Offline address book, UM, availability.

Lets use the Test-OutlookWebServices commandlet and see what happens
Test-OutlookWebServices -identity Brian.Tirch
**Note if you don’t specify an identity the system will choose a user

Id : 1003Type : InformationMessage : About to test AutoDiscover with the e-mail address Brian.Tirch@vm.local.
Id : 1018Type : InformationMessage : The SSL certificate on mail.vm.local is self-signed.
Id: 1006Type : InformationMessage : Contacted AutoDiscover at https://mail.vm.local/autodiscover/autodiscover.xml.
Id: 1018Type : InformationMessage : The SSL certificate on vmcashub.vm.local is self-signed.
Id : 1016Type : SuccessMessage : [EXCH]-Successfully contacted the AS service at https://vmcashub.vm.local/EWS/Exchange.asmx.
Id : 1015Type : SuccessMessage : [EXCH]-Successfully contacted the OAB service at https://vmcashub.vm.local/EWS/Exchange.asmx.
Id : 1014Type : SuccessMessage : [EXCH]-Successfully contacted the UM service at https://vmcashub.vm.local/UnifiedMessaging/Service.asmx.
Id : 1006Type : SuccessMessage : Successfully tested AutoDiscover.

Let take a look at the Output:
1. The first return shows the user that is being used to test autodiscover
InformationMessage : About to test AutoDiscover with the e-mail address Brian.Tirch@vm.local.
2. Exchange creates self signed certificates during installation (from here on out I will skip this message)
Id : 1018Type : InformationMessage : The SSL certificate on mail.vm.local is self-signed.
3. The system connects to the SCP to find the autodiscover service
Id: 1006Type : InformationMessage : Contacted AutoDiscover at https://mail.vm.local/autodiscover/autodiscover.xml.
4. The availability service is contacted
Id : 1016Type : SuccessMessage : [EXCH]-Successfully contacted the AS service at https://vmcashub.vm.local/EWS/Exchange.asmx.
** note the url- this is the fqdn of the server and we have not modified this yet

5. The OAB url is checked
Id : 1015Type : SuccessMessage : [EXCH]-Successfully contacted the OAB service at https://vmcashub.vm.local/EWS/Exchange.asmx.
** note the url- this is the fqdn of the server and we have not modified this yet and would cause problems for external users
6. The UM serverurl is checked
Id : 1014Type : SuccessMessage : [EXCH]-Successfully contacted the UM service at https://vmcashub.vm.local/UnifiedMessaging/Service.asmx.
** note the url- this is the fqdn of the server and we have not modified this yet and would cause problems for external users
7. The process completes succuess
Id : 1006Type : SuccessMessage : Successfully tested AutoDiscover.

The test looks good and users will be able to use autodiscover service (AS).

The following services can be set from the gui or from EMS in this example I will use EMS:
OAB
UM
—-EMS Only
EWS

We need to set the internal and external urls, by default the internal url is set to the fqdn of the server.

Lets start with EWS (Exchange web services) which controls the availability service
EWS
Get-WebServicesVirtualDirectory ¦ fl name,internalurl,externalurl
Name : EWS (Default Web Site)InternalUrl : https://vmcashub.vm.local/EWS/Exchange.asmx
ExternalUrl :
from the output we see the external url is not set and the internal is set to the server fqdn which will work for internal clients however we want to use our external name of mail.vm.local for our configuration.

Here I am piping the get command to the set command which will set all my Web services virtual directories at once instead of one by one:
Get-WebServicesVirtualDirectory set-WebservicesVirtualDirectory -intrnalurl https://mail.vm.local/EWS/Exchange.asmx -externalurl https://mail.vm.local/EWS/Exchange.asmx
**Note if you are not using an NLB then you can leave the internal settings to the default.

Lets verify this by running the get again:
Get-WebServicesVirtualDirectory ¦ fl name,internalurl,externalurl
Name : EWS (Default Web Site)
InternalUrl : https://mail.vm.local/EWS/Exchange.asmx
ExternalUrl : https://mail.vm.local/EWS/Exchange.asmx
**You do not need to set external urls on non internet facing CAS servers

Repeat the steps with the commands below:

Offline Address Book
Get-OabVirtualDirectory ¦ fl Server,Name,internalurl,externalurl
Server : VMCASHUB
Name : OAB (Default Web Site)
InternalUrl : http://vmcashub.vm.local/OAB
ExternalUrl :

Set-OabVirtualDirectory -Identity “vmcashub\oab (default web site)” -InternalUrl https://mail.vm.local/oab -ExternalUrl https://mail.vm.local/oab

Get-OabVirtualDirectory ¦ fl Server,Name,internalurl,externalurl
Server : VMCASHUB
Name : OAB (Default Web Site)InternalUrl : https://mail.vm.local/oab
ExternalUrl : https://mail.vm.local/oab

Unified Messaging:
Get-UMVirtualDirectory ¦ fl Name,Server,Internalurl,externalurl
Name : UnifiedMessaging (Default Web Site)
Server : VMCASHUBInternalUrl : https://vmcashub.vm.local/UnifiedMessaging/Service.asmx
ExternalUrl :

set-UMVirtualDirectory -Identity “vmcashub\UnifiedMessaging (Default Web Site)” -InternalUrl https://mail.vm.local/UnifiedMessaging/Service.asmx -ExternalUrl https://mail.vm.local/UnifiedMessaging/Service.asmx

[PS] C:\>Get-UMVirtualDirectory ¦ fl Name,Server,Internalurl,externalurl
Name : UnifiedMessaging (Default Web Site)
Server : VMCASHUBInternalUrl : https://mail.vm.local/UnifiedMessaging/Service.asmx
ExternalUrl : https://mail.vm.local/UnifiedMessaging/Service.asmx

Now that we have set all the directories lets rerun our TEST-OutlookWebService

C:\>Test-OutlookWebServices -Identity brian.tirch fl
Id : 1003Type : InformationMessage : About to test AutoDiscover with the e-mail address Brian.Tirch@vm.local https://mail.vm.local/autodiscover/autodiscover.xml
.
Id : 1016Type : SuccessMessage : [EXCH]-Successfully contacted the AS service at https://mail.vm.local/EWS/Exchange.asmx

id : 1015Type : SuccessMessage : [EXCH]-Successfully contacted the OAB service at https://mail.vm.local/EWS/Exchange.asmx
.
Id : 1014Type : SuccessMessage : [EXCH]-Successfully contacted the UM service at https://mail.vm.local/UnifiedMessaging/Service.asmx.

Id : 1006Type : SuccessMessage : Successfully tested AutoDiscover.
An alternate way for clients to find the autodiscover service is to create an entry in DNS. Outlook 2007 looks at two urls by default to attempt to locate the autodiscover service.
The client locates the Autodiscover service on the Internet by using the primary SMTP domain address from the user’s e-mail address. The Autodiscover service will query DNS for either https://primarysmtpdomain/autodiscover/autodiscover.xml or https://autodiscover.primarysmtpdomain/autodiscover/autodiscover.xml.

Configure Autodiscover via DNS
————————————–

When an Exchange 2007 CAS server is installed a virtual directory for autodiscover is created. We must use EMS to configure the urls for the autodiscover vdirs

*** we already set the information for the OAB, UM, and availability so those steps will not be repeated but all steps done under the SCP section would need to be done as well

1. Open EMS
2. use Get-autodiscovervirtualdirectory ¦ fl
This will return all autodiscover vdirs and their information, in a large organization you may want to specify the -Server switch to return only the server of interest

[PS] C:\>Get-AutodiscoverVirtualDirectory ¦ fl Name,internalurl,externalurl
Name : Autodiscover (Default Web Site)
InternalUrl :
ExternalUrl :
** Note this am current bug that the urls are exposed. The autodiscover information is pulled form the SCP or the 2 deafult urls.

Depending of the url of your choice the appropriate record must be created in DNS for either
https://primarysmtpdomain/autodiscover/autodiscover.xml or https://autodiscover.primarysmtpdomain/autodiscover/autodiscover.xml.

I typically use https://autodiscover.primarysmtpdomain/autodiscover/autodiscover.xml

Create an (A) record called Autodiscover
Verify internal and external users resolve this to the appropriate Server

Now that we have created the DNS record and set the Autodiscover urls we need to test a remote client.

I have configured a Windows XP Pro client running Outlook 2007 that is not domain joined to test Autodiscover.

1. Lauch Outlook 2007
2. Input the client information

3. Select Next

4. We are prompted for a certificate message

** This was a lab envrionment and self signed certs should not be used in with production systems.

** Note the url is looking for https://autodiscover.vm.local however by default the autodiscover website is underneath the default web site that is tied to mail.vm.local for OWA, OOF , etc… to resolve this we need to remove the autodiscover site from the default website and create an additional website and associate a certificate for autodiscover.vm.local to that site or utilize a wildcard certificate or SAN cert

http://technet.microsoft.com/en-us/library/aa995942.aspx

5. We are prompted to Logon to MBX server

6. Process completes successful

Now that we have tested Autodiscover lets validate that our client can contact the other services tied to Autodiscover: Availability, UM, OAB

1. Open Outlook 2007

2. Hold the Control Key and Right click the Outlook Icon in the system tray

3. Select Test Email AutoConfiguration

4. Input the users email address and credentials ( I like to remove the guess smart and Secure Guess smart authentication to narrow the search scope for my needs)

 
Lets look over the output

Select the Log tab

We can see that autodiscover attempts the 2 urls first https://vm.local/autodiscover/autodiscover.xml and https://autodiscover.vm.local/autodiscover/autodicover.xml

Since we Created an A record in DNS for Autodiscover.vm.local we in the log a succeeded when contacting the url.

Next let’s select the results tab

From this we get lots of good output and can see that all the urls are set and everything appears to be working properly. We can perform some additional tests to check OOF, OAB, and Availability but will leave those for the last section.
Deploying an XML file:
————————-

There are a number of scenarios that can come into play that would cause issues with the first two methods that I have described above. A common scenario relates to mergers between companies. Lets say Company A has a namespace of CompanyA.com and purchases Company B with a namespace of CompanyB.com. Since these are now all assets of Company A, their primary STMP address will be CompanyA.com for both entities. Company A is running Exchange 2003 and Company B has Exchange 2007.

What is the problem you say…… Outlook 2007 will always attempt to use the primary SMTP address of the user when attempting to locate autodiscover information. Since all primary addresses are now CompanyA.com Outlook will attempt to find the information at that address.

What can be done?

Outlook 2007 allows an XML file to be deployed to the users machine and can be configured to check the local file first. This XML file can specify the url of the appropriate autodiscover server.

Sample XML

What steps need to be take to use the local XML file?

1. Modify the follow Registry information on each client machine
***Note be careful when making changes to the registry****

A. Hkey_current_user –> Software –> Microsoft –> Office –> 12.0 –> Outlook -> autodisover

** you will find a number of built in xml file installed with Outlook
** You can also add the following registry key to force Outlook to prefer the xml file
HKCU\Software\Microsoft\Office\12.0\Outlook\AutodiscoverDWORD: PreferLocalXML = 1

B. create a String Value called yournamespace i.e madeup.com

C. Set the path to Drive\autodiscover\autodiscover.xml ( or whatever path you choose)

D.create the autodiscover folder in the path listed above

E Deploy the XML file to the clients machine

For this test I have changed the primary smtp address of my user to Brian.tirch@madeup.com this address is not resolvable by my client.

Lets test autodiscover now:

We can see Outlook attempted to contact the 2 urls for madeup.com but fails.

The highlighted sections show the redirect from our local file which directs the client to https://autodiscover.vm.local/autodscover/autodiscover.xml and is successful
** Note we can make an additional registry change so that the local file is checked first **

Now select the Results tab:

From the highlighted section we can see the url was found via redirect and all associated urls are configured correctly

Lets test some features to verify functionality.

1. Send a meeting request and check attendees availability

We can see that the availability service is working since Jim Mcbee is showing busy.

2. Check OOF

If OOF is not functioning properly it will not bring up the away message information after selecting tools –> Out of Office assistant

SRV Record
Outlook 2007 has been recently updated (http://support.microsoft.com/kb/940881 ) to allow the user of SRV records as well, this can elminate the need to additional certificates.

Create an SRV record
Service: _autodiscoverProtocol: _tcpPort Number: 443Host: mail.YourPrimarnySMTP

Outlook client will not perform the following lookup

1. Autodiscover posts to https://YourPrimarySmtp/Autodiscover/Autodiscover.xml. This fails.

2.Autodiscover posts to https://autodiscover.YourPrimarySmtp/Autodiscover/Autodiscover.xml . This fails.

3.Autodiscover performs the following redirect check:
GET http://autodiscover.YourPrimarySmtp/Autodiscover/Autodiscover.xml This fails.

4.Autodiscover uses DNS SRV lookup for _autodiscover._tcp.YourPrimarySmtp, and then “mail.YourPrimarySmtp” is returned. (or whatever url you choose)

5. Outlook asks permission from the user to continue with Autodiscover to post to https://mail.YourPrimarySmtp/autodiscover/autodiscover.xml.

6.Autodiscover’s POST request is successfully posted to https://mail.YourPrimarySmtp/autodiscover/autodiscover.xml

Can you force clients to a particular server?

Yes, you can use the following commands to forces server information for autodiscover however
The following information describes a function that can be done, but is not recommended.

The Set-OutlookProvider commandlet will override any automatic values that the client would receive and can force configuration of a number of items.

these attributes can be viewed in Adsiedit with the following steps
1. Open Adsiedit
2. Expand configuration
3. Services
4. Microsoft Exchange
5. Organization name
6. Client Access
7. Autodiscover
8. Outlook
9. On the properties of EXCH,WEB,EXPR
- msExchAutoDiscoverServer which specifies the server name.
- msExchAutoDiscoverCertPrincipalName
and a variety of attributes can be set….

Set-OutlookProvider –id -Server myValueHere

If this value is set (and you never should), it will always override the automatically computed value for the provider. If it’s EXCH, it will override the Exchange server that’s populated in your profile. If it’s EXPR, it will override the RPCProxy server pushed out by Autodiscover.

To fix it, unset it:

Set-OutlookProvider EXCH –Server $null
Set-OutlookProvider EXPR –Server $null

How to Test configuration:
There are a few ways to test autodiscover after all the configuration is completed:
http://msexchangeteam.com/archive/2007/04/30/438249.aspx
http://www.exchangeninjas.com/AvailabilityServiceFAQ
http://technet.microsoft.com/en-us/library/b03c0f21-cbc2-4be8-ad03-73a7dac16ffc.aspx

1. From EMS run the following command
— Test-OutlookWebServices -ClientAccessServer “CASServer01″

2. From Outlook 2007

a. Open Outlook 2007

b. hold the control button and right click the icon in the system tray, select test email autodiscover

additional links