Monday, December 29, 2008

Configuring Autodiscover for Exchange 2007

The Autodiscover service provides a mechanism to automatically configure Exchange 2007 client applications to access the Client Access server.

It is used to set up client applications like Outlook to work with Exchange by returning configuration data that is necessary for applications to function properly without requiring users to know where to fetch the data, such as discovery of the server that hosts a user's mailbox.

Configuring Autodiscover for External Access

Outlook 2007 tries the following two URLs to try to connect to the Autodiscover service:

Step 1: Configuring DNS

We will discuss the two simple and most commonly used scenarios here:

1. Using an SSL Certificate That Supports Multiple DNS Names
There are third-party Certification Authorities (CAs) that currently support Subject Alternative Names. In this you provide all the necessary DNS names like, etc. in the same certificate by using a Unified Communications certificate that supports the Subject Alternative Name field.

For the Autodiscover service to function correctly, you must add an additional host record ( so that Outlook 2007 clients can locate and connect to the Autodiscover Service when they use the Outlook Anywhere feature from the Internet. The host record you create should map to the Public IP Address that will be used as the entry point to your Client Access server.

2. Using One Single-Name Certificate and the Autodiscover SRV Record
This solution is to use one single-name certificate installed on the Default Web Site.
If your DNS provider supports SRV records, this solution is the simplest and least expensive way to deploy Outlook Anywhere in hosted and non-hosted Exchange 2007 environments.

Create an SRV record:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host:

For more information on Outlook 2007 and Autodiscover SRV records configuration, please read this knowledgebase article:

Step 2: Modify the Service Connection Point (SCP)

By default, the URL for the Autodiscover Service stored in the SCP object in Active Directory will reference the internal FQDN for the Client Access server during Exchange 2007 Setup. You will use the Set-ClientAccessServer cmdlet to modify this URL so that it points to the new location (FQDN) for the Autodiscover service.

In the Exchange Management Shell, run the following command:

Set-ClientAccessServer -identity CAS_servername -AutodiscoverServiceInternalUri

You can point this to if you are using DNS host record for

Step 3: Configuring Exchange Services for Autodiscover

1. Enable Outlook Anywhere for the external host name.

Enable-OutlookAnywhere -Server CAS_servername -ExternalHostname "" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

2. Configure the external URL for offline address book for the Autodiscover service.

Set-OABVirtualDirectory -identity "CAS_servername\OAB (Default Web Site)" -externalurl -RequireSSL:$true

3. Configure the external URL for Unified Messaging for the Autodiscover service.

Set-UMVirtualDirectory -identity "CAS_servername\UnifiedMessaging (Default Web Site)" -externalurl -BasicAuthentication:$True

4. Configure the external URL for Exchange Web Services for the Availability service and Out of Office services.

Set-WebServicesVirtualDirectory -identity "CAS_servername\EWS (Default Web Site)" -externalurl -BasicAuthentication:$True
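A read-back check for the steps above, as an added example that is not part of the original post: it lists the URLs the Client Access server now publishes and flags any that is unset, not HTTPS, or uses a host name missing from the certificate enabled for IIS (Basic authentication, as configured above, depends entirely on that SSL channel). The two function names are hypothetical helpers; run it in the Exchange Management Shell on the Client Access server itself.

```powershell
# Added example, not from the original post.
# Test-NameCovered and Test-PublishedUrl are hypothetical helper names.

function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one extra label: *.example.com -> mail.example.com
        $dot = $HostName.IndexOf('.')
        if ($n.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

function Test-PublishedUrl([string]$Server) {
    # DNS names on the local certificate(s) enabled for IIS
    $certNames = @(Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_" })

    # Collect what Step 2 and Step 3 configured
    $urls = @{}
    $cas = Get-ClientAccessServer -Identity $Server
    $urls['Autodiscover SCP'] = "$($cas.AutoDiscoverServiceInternalUri)"
    Get-OABVirtualDirectory -Server $Server |
        ForEach-Object { $urls['OAB external URL'] = "$($_.ExternalUrl)" }
    Get-UMVirtualDirectory -Server $Server |
        ForEach-Object { $urls['UM external URL'] = "$($_.ExternalUrl)" }
    Get-WebServicesVirtualDirectory -Server $Server |
        ForEach-Object { $urls['EWS external URL'] = "$($_.ExternalUrl)" }
    $oa = Get-OutlookAnywhere -Server $Server
    if ($oa -and $oa.ExternalHostname) {
        $urls['Outlook Anywhere'] = "https://$($oa.ExternalHostname)/"
    }

    foreach ($key in $urls.Keys) {
        $row = "" | Select-Object Setting, Url, Problem
        $row.Setting = $key
        $row.Url = $urls[$key]
        $uri = $urls[$key] -as [Uri]
        if (-not $urls[$key]) {
            $row.Problem = 'not set'
        } elseif (-not $uri -or -not $uri.IsAbsoluteUri) {
            $row.Problem = 'not a valid absolute URL'
        } elseif ($uri.Scheme -ne 'https') {
            $row.Problem = 'not HTTPS'
        } elseif (-not (Test-NameCovered $uri.Host $certNames)) {
            $row.Problem = 'host name not on the IIS certificate'
        } else {
            $row.Problem = ''
        }
        $row
    }
}

# CAS_servername is the same placeholder used in the commands above
Test-PublishedUrl -Server 'CAS_servername' | Format-Table -AutoSize
```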

Tuesday, November 25, 2008

Update Rollup 5 for Exchange 2007 SP1

The Update Rollup 5 for Exchange 2007 SP1 has been released and is available at Microsoft Download Center.
So I would recommend that you plan for its install, as it has fixed quite a lot of issues.
More details at MS Exchange Team Blog.

Wednesday, November 12, 2008

Information Store Crashing, Exchange 2007

The Microsoft Information Store Service (Store.exe) is repeatedly crashing an Exchange 2007 Mailbox Server.
In the application log, we get the following error message and store.exe is crashing due to EXCDO.DLL file:

Faulting application store.exe, version XXXX, time stamp XXXX, faulting module EXCDO.DLL, version XXXX, time stamp XXXX, exception code XXXX, fault offset 0x00000000001ed390, process id 0x1fc8, application start time XXXX.

I have opened up a case with MS PSS and had them analyze the crash dumps. They have identified it as a bug. The issue is caused by Mac Entourage clients that do calendar bookings in the ICS format, and the crash is occurring due to an Entourage client accessing a badly created ICS.
MS will provide a fix to this issue in Update Rollup 6.

If anyone is experiencing this issue, make sure you call MS PSS first thing and have them provide the temp bug fix to you.

Saturday, November 1, 2008

Web Services, Exchange 2007

Now that we have finished the final phase of our migration and have fully migrated the Public Folders to the new Exchange 2007 environment, I want to talk about an exciting new component of Exchange 2007: the Web Services. I think this is the most exciting and amazing new feature in Exchange 2007, and it makes the life of an Exchange admin very easy.

The Web Services that are included in Microsoft Exchange Server 2007 provide an XML messaging interface for managing Exchange store items and accessing functionality on a computer that is running Exchange 2007 from client applications.

Exchange 2007 includes the following Web services:

  1. Exchange Web Services
  2. Autodiscover Service
  3. Unified Messaging Web Service

1. Exchange Web Services

Exchange Web Services provides the functionality to enable client applications to communicate with the Exchange server. Exchange Web Services is deployed with the Client Access server (CAS) role. Microsoft Exchange Server 2007 clients connect to the computer that is running Exchange 2007 that has the Client Access server role installed in an Active Directory directory service site by using an HTTPS connection.

Some of the main operations that Exchange Web Services provide are:

  • The Availability Service: Outlook 2007 clients can use HTTPS to connect and download free and busy data for other users through the Availability Service. Unlike previous versions of Exchange, free/busy data does not have to be stored in public folders, instead we access the target mailbox’s free/busy data directly from the calendar (via the Availability service).
  • OOF: The ability to set Out-Of-Office messages is controlled by a new web service.
  • OAB Distribution: Outlook can use HTTPS to locate and download the Offline Address Book (OAB) from a web distribution point.
  • The Exchange Data Service operations: The Exchange Data Service operations enable the handling and organizing of items, folders, and attachments, as well as ambiguous name resolution and distribution list expansion.
  • Notification and Synchronization Operations.

2. Autodiscover Service

The Autodiscover service provides a mechanism to automatically configure Exchange 2007 client applications to access the Client Access server.

It is used to set up client applications like Outlook to work with Exchange by returning configuration data that is necessary for applications to function properly without requiring users to know where to fetch the data, such as discovery of the server that hosts a user's mailbox.

3. Unified Messaging Web Service

The Unified Messaging Web Service provides an extensibility point for clients to read and change information about Unified Messaging properties. If your mailbox is enabled to use Exchange 2007 Unified Messaging, you can use Outlook 2007 to play a voice message back to a phone.

I will discuss their configuration in detail in the coming posts :-)

Wednesday, October 22, 2008

Get HUB server stats from Message Tracking

In Exchange 2007, you can use Message Tracking from the Exchange Management Shell to pull out some very useful statistics that were never this easy to get in previous versions of Exchange.

Here we are talking about pulling up records like:

  • Number of emails sent by HUB servers over a given period of time.
  • Number of emails received by HUB servers over a given period of time.
  • Number of emails sent by a particular sender or received by a particular recipient over a given period of time.

Example: To get the number of emails sent by a HUB server, run this command from EMS:

Get-MessageTrackingLog -server -start "MM/DD/YYYY hh:mm am/pm" -End "MM/DD/YYYY hh:mm am/pm" -event SEND -ResultSize 999999 | measure-object

Similarly, you can add switches like -event RECEIVE to get the number of messages received, -Sender "Email address" to get messages from a particular sender, etc.

Read this article from Bharat Suneja to get more details on Message Tracking from Exchange Server 2007
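Going one step beyond the single count above, this added example (not from the original post) breaks the SEND events down per sender, which is the view that makes an account suddenly sending far more mail than its peers stand out. Measure-SenderVolume is a hypothetical helper name, the sample events are constructed, and New-Object -Property needs PowerShell 2.0 or later.

```powershell
# Added example, not from the original post.
# Measure-SenderVolume is a hypothetical helper; it works on any objects that
# carry the Sender, MessageId and Recipients properties of tracking log entries.
function Measure-SenderVolume {
    param([int]$Top = 10)

    # $input holds everything piped into the function
    $input | Group-Object -Property Sender | ForEach-Object {
        $row = "" | Select-Object Sender, Messages, Recipients
        $row.Sender = $_.Name
        # One message can produce several SEND events, so count distinct IDs
        $row.Messages = @($_.Group | ForEach-Object { $_.MessageId } |
            Sort-Object -Unique).Count
        # Total recipient addresses across all of this sender's events
        $row.Recipients = ($_.Group |
            ForEach-Object { @($_.Recipients).Count } |
            Measure-Object -Sum).Sum
        $row
    } | Sort-Object -Property Recipients -Descending | Select-Object -First $Top
}

# Constructed sample events so the function can be tried without Exchange
$sample = @(
    New-Object PSObject -Property @{ Sender = 'alice@example.com'
        MessageId = '<1@example.com>'; Recipients = @('x@example.net') }
    New-Object PSObject -Property @{ Sender = 'bob@example.com'
        MessageId = '<2@example.com>'
        Recipients = @('a@example.net', 'b@example.net', 'c@example.net') }
    New-Object PSObject -Property @{ Sender = 'bob@example.com'
        MessageId = '<2@example.com>'; Recipients = @('d@example.org') }
    New-Object PSObject -Property @{ Sender = 'bob@example.com'
        MessageId = '<3@example.com>'; Recipients = @('e@example.org') }
)
$sample | Measure-SenderVolume -Top 5 | Format-Table -AutoSize

# Against a real Hub Transport server (HUB_servername is a placeholder):
# Get-MessageTrackingLog -Server HUB_servername -Start "MM/DD/YYYY hh:mm am/pm" `
#     -End "MM/DD/YYYY hh:mm am/pm" -EventId SEND -ResultSize Unlimited |
#     Measure-SenderVolume -Top 20
```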

Tuesday, September 9, 2008

Playing with RSG | Database Restore

This came up a few days back when one of our production Exchange 2003 backend servers went down due to hardware failure and was totally dead. The Backup team was shortly in action to carry out the restore. The restore was done on a different server in a Recovery Storage Group (RSG).

Now the question is how to merge these mailboxes in the RSG with the production ones... certainly a direct merge was not possible, as we didn't opt for the Dialtone method because the production server was totally dead and we didn't set up a new server to replace it.

One option was to extract the mailboxes from the RSG using Exmerge, delete the existing mailboxes of the users and create new ones on another server, and then import the extracted mailboxes. But this is very time consuming.
However, here's another option: tweak the RSG to make it behave as a production store and move the mailboxes over.

The Recovery Storage Group is identified by the msExchRestore Attribute. The msExchRestore = TRUE property tells us if a database is a recovery database.
As such, we cannot directly connect a mailbox from the RSG to a user. We have to modify the msExchRestore attribute and set its value to Not Set so that the store is no longer identified as an RSG and we can connect the mailbox to the user.

The detailed steps are as follows:

1. Reset the MsExchRestore attribute on both the Recovery Storage Group, and the recovered mailbox store using Adsiedit:

Expand the Configuration Container node, and then browse the hierarchy to:

CN=Microsoft Exchange
CN=Administrative Groups
CN=Administrative Group Name
CN=Recovery Storage Group

Right click for Properties on the Recovery Storage Group, ensure that the checkbox for "Show Optional Attributes" is checked. Scroll down to the "MsExchRestore" attribute. Double-click the MsExchRestore attribute and check the Not Set parameter. Click OK, Apply, and OK to exit the properties pane.
Right click the "CN=MailBox Store(ServerName)" under the Recovery Storage Group, and select Properties. Ensure that the checkbox for "Show Optional Attributes" is checked. Scroll down to the "MsExchRestore" attribute. Double-click the MsExchRestore attribute and check the parameter. Click OK, Apply, and OK to exit the properties pane.
Close the AdsiEdit mmc

2. Now from the ADUC>Exchange Tasks, delete the mailboxes of the users that are in question.

3. In Exchange System Manager select the Recovery Storage Group, right click and select Refresh. Expand the Recovery Storage Group, then the mailbox store.

4. Select "Mailboxes" under the Mailbox Store, then right click the mailbox to be recovered, and select "Reconnect". The "Select a New User for this Mailbox" applet will appear. Enter the alias of the user you wish to associate with the recovered mailbox into the "Enter the Object Name to select" data entry field, then click "Check Name". The alias of the user should be resolved to the full display name. Click OK. You will see a pop-up stating "The operation has completed successfully".

5. Once it's done for all the users, you can successfully move the mailboxes over to any of the servers.

Wednesday, August 27, 2008

IMAP not working for users | Mailbox server in different AD site than CAS

Here we have a cross site scenario where users from one site are trying to connect to the CAS that is on the different site.

By default, POP3 and IMAP4 connectivity between a Client Access server in one Active Directory site and a Mailbox server in another Active Directory site is not enabled. The Client Access server prevents users from logging on to their mailboxes by using POP3 or IMAP4 if their mailboxes are located on a Mailbox server in a different Active Directory site.

And we get the following warning in the application log of the Client Access Server:

User "User-Name" was prevented connecting to his/her mailbox because the Mailbox Server resides in a different ActiveDirectory site (CN=Site A,CN=Sites,CN=Configuration,DC=domain,DC=com) than the Client Access Server (CN=Site B,CN=Sites,CN=Configuration,DC=domain,DC=com) to which he/she connected. Either arrange for the Client Access Server and the Mailbox Server to reside in the same site, or change the configuration setting of AllowCrossSiteSessions to true.

To enable cross-site connectivity for POP3 and IMAP4 clients:

  1. On the Client Access server, locate the POP3 and IMAP4 configuration files. By default, the location is C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap.
  2. Use the text editor to open the configuration files. The two configuration files are as follows:
  3. Search for the key AllowCrossSiteSessions. <add key="AllowCrossSiteSessions" value="false" />
  4. Edit the line of the configuration file as follows. <add key="AllowCrossSiteSessions" value="true" />
  5. Repeat the steps in this procedure for each protocol for which you want to enable cross-site connectivity.
  6. Restart the services for each configuration file that you have updated to enable cross-site connectivity.

More Details at Microsoft Technet.

Thursday, July 31, 2008

500 Internal Server Error when using OWA with /Exchange

You get this 500 - Internal Server error while you access Outlook Web Access from while works fine.
This happens when you have separate Exchange 2007 Mailbox and CAS servers. Ideally the request should be redirected to /owa, but you get a 500 - Internal Server Error right after typing in your credentials in the forms login page.

This happens due to the fact that redirection is not working because ISAPI Extensions are not installed on the Mailbox Server. ISAPI extensions handle specific incoming requests to the IIS server. Extensions are loaded when they are first needed and kept in memory until the host process shuts down.

To fix this issue, please install the ISAPI Extensions on the mailbox server.

Here is the command that you have to run from the EMS to install them:

ServerManagerCmd -i Web-ISAPI-Ext

Make sure to do an IISRESET after this.

Monday, July 21, 2008

Storage Group not responding | Version Store Issues

This happened a few days earlier on our Exchange server... all users in a particular Storage Group were not able to connect to Outlook/OWA. The mails queued up for them on the server...
On looking at the server logs... there were a lot of logon error messages... users were not able to log on to their mailboxes... and at the beginning when it all started, there was one error message with Event ID 623. It says:

Information Store (2984) Storage Group 1: The version store for this instance (3) has reached its maximum size of 155MB. It is likely that a long running transaction is preventing cleanup of the version store and causing it to build up in size. Updates will be rejected until long-running transaction has been completely committed or rolled back.


The Version Store keeps an in-memory list of modifications made to the database. It gives ESE the ability to track and manage the current transactions. Thus the Version Store is where transactions are held in memory until they can be written to disk.

Event 623 is typically the result of a long-running transaction, which exhausts resources in the version store. As a result, the Version Store no longer reaps deleted records, causing unneeded data, which is marked as deleted, to accumulate in the database. The accumulation of unneeded data can exacerbate performance problems, which can lead to Event ID 623. No more transactions can continue until this is cleared.

Thus we will see a 623 event indicating that the maximum Version Store size has been reached. All write operations to the database will fail because there's no more version store space to record the operation.

Why this happens

This can happen for one of the two reasons:

1) In order to properly reconcile write-conflicts and properly support repeatable reads, a given entry in the version store cannot be cleaned up until it is older than the oldest active transaction.
2) Version Store cleanup simply can't keep up with the load on the machine.

Possible Causes

- Online Maintenance Tasks running at peak times.
- Backups running at peak times.
- Disk I/O performance.
- Large Mails

Any of these can occur simultaneously and add to the performance degradation of the server.

More details and troubleshooting on this.

Monday, July 14, 2008

Useful Exchange Management Shell Cmdlets

Convert a legacy Exchange 2003 "resource" into a room mailbox in Exchange 2007

Move the mailbox to an Exchange 2007 server
Run: set-mailbox [MailboxName] -type Room
Then run: set-mailboxcalendarsettings [MailboxName] -AutomateProcessing AutoAccept

Configure the conference room resource mailboxes to remove attached files from meeting requests

Get-Mailbox -RecipientTypeDetails RoomMailbox | Set-MailboxCalendarSettings -DeleteAttachments:$true

Get a list of Exchange ActiveSync users

$mbx = get-casmailbox | where {$_.hasactivesyncdevicepartnership -eq $true -and $_.identity -notlike "*CAS_{*"} ; $mbx | foreach {$name = $_.name; $device = get-activesyncdevicestatistics -mailbox $_.identity; $device | foreach {write-host $name, $_.devicemodel, $_.devicephonenumber, $_.deviceid, $_.FirstSyncTime, $_.LastSuccessSync} }

Get details of single EAS mailbox

Get-ActivesyncDeviceStatistics -mailbox

An inappropriate message that has the subject line of exchange is sent to all users on the Exchange server 2007 mailbox server named Exch1. You need to delete this message from all the mailboxes.

Create a new mailbox named TempMailbox that has a folder named Export. Run the Get-Mailbox -Server Exch1 | Export-Mailbox -TargetMailbox TempMailbox -TargetFolder Export -SubjectKeywords "Exchange" -DeleteContent cmdlet.

Get list of all user mailboxes with a list of email addresses attached to each user.

get-mailbox | select-object name, alias, primarySmtpAddress | Export-Csv C:\mailboxes.csv -NoTypeInformation

Saturday, June 14, 2008

Generic User Accounts | Exchange 2007 Shared Mailboxes

In an organization, some mailboxes are shared by many individuals in a particular department. I will call them generic accounts that a group of people use for common mail access. However, the Information Security team may object to them, as each one is an active, mailbox-enabled user account. If you decide to close them, it becomes really difficult, as users are used to them and they help users organize and manage their tasks efficiently. Creating a Distribution List with the same email address instead won't serve the purpose.

In Exchange 2007, we have the concept of a shared mailbox recipient type. When we create a mailbox as 'shared', it creates a disabled Active Directory account to which the mailbox is connected. Shared mailboxes do not have an associated password, so we must grant mailbox permissions to the users requiring access to that mailbox.


  • Disabled accounts act as a security measure.
  • Since the user account is disabled by default no initial password is required.
  • If desired, existing mailboxes can be converted to shared mailboxes. Users can still access emails and continue to receive emails on that mailbox.
  • Lets the users continue their operations more or less the same way.
  • No need to setup Distributions Lists on account of closure of their respective generic accounts.
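The shared-mailbox setup described above, as an added example that is not part of the original post: it creates the mailbox, grants access through a group rather than to individuals, and then reports who can open or send as the mailbox and whether the linked account is disabled. The mailbox, OU, database, UPN and group names are constructed placeholders, and Get-SharedMailboxAccess is a hypothetical helper name.

```powershell
# Added example for the Exchange Management Shell, not from the original post.
# All names below are constructed placeholders.
$shared = 'helpdesk'
$group  = 'EXAMPLE\Helpdesk-Team'

# Create a new shared mailbox (the linked AD account is created disabled)
New-Mailbox -Shared -Name 'Helpdesk' -Alias $shared `
    -UserPrincipalName 'helpdesk@example.com' `
    -OrganizationalUnit 'example.com/Shared Mailboxes' `
    -Database 'MBX_servername\First Storage Group\Mailbox Database'

# ...or convert an existing generic mailbox instead:
# Set-Mailbox -Identity $shared -Type Shared

# Grant access to a group so membership, not the mailbox ACL, tracks who has access
Add-MailboxPermission -Identity $shared -User $group -AccessRights FullAccess
Get-Mailbox -Identity $shared | Add-ADPermission -User $group -ExtendedRights 'Send-As'

# Hypothetical helper: summarize the state an auditor would ask about
function Get-SharedMailboxAccess([string]$Identity) {
    $mbx  = Get-Mailbox -Identity $Identity
    $user = Get-User -Identity $mbx.Identity

    $report = "" | Select-Object Mailbox, Type, AccountDisabled, FullAccess, SendAs
    $report.Mailbox = "$($mbx.Name)"
    $report.Type = "$($mbx.RecipientTypeDetails)"
    $report.AccountDisabled = "$($user.UserAccountControl)" -match 'AccountDisabled'

    # Explicit (non-inherited) allow entries only; SELF is always present
    $report.FullAccess = @(Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
            "$($_.AccessRights)" -match 'FullAccess' -and
            "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { "$($_.User)" })

    $report.SendAs = @($mbx | Get-ADPermission |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
            $_.ExtendedRights -like 'Send-As' -and
            "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { "$($_.User)" })
    $report
}

Get-SharedMailboxAccess -Identity $shared | Format-List
```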

Tuesday, April 8, 2008

Public Folder database dismounted after you move all the Public Folder Replicas from Exchange 2003 server to Exchange 2007 server

Issue with Public Folders

It has been observed that when we decommission the Exchange 2003 server after moving all the Public Folder replicas from it to the Exchange 2007 server, Outlook stops connecting for all the clients. Public Folders don't show anything in Outlook Web Access, the Public Folder Management Console on the Exchange 2007 server doesn't show any of the Public Folders, and the Public Folder database doesn't mount.

This typically happens when we manually remove the Exchange 2003 server that earlier hosted all the Public Folder replicas.

This happens because the msExchOwningPFTree attribute had its value missing. This msExchOwningPFTree attribute controls the Public Folder database path and contains a list of all the stores in the hierarchy.

We need to specify its correct value in order to make Public Folders work. We can do it from ADSI Edit tool.

  • Start the ADSI Edit tool
  • Expand the Configuration container, then expand out each container as follows: CN=Services then CN=Microsoft Exchange then CN=YourExchangeOrg then CN=Administrative Groups then CN=AdminGroupofyourPFServer then CN=Servers then CN=YourPFServer then CN=InformationStore and then click on CN=StorageGroupContainingYourPFStore. In the pane on the right you see the public store object listed. Right click on the object and click on properties.
  • In the list of attributes, double click on the msExchOwningPFTree attribute and specify the correct value.
  • Restart Microsoft Exchange Information Store service.

Here is the Microsoft KB article that will help you to determine the correct value of msExchOwningPFTree attribute and set that up.

Tuesday, April 1, 2008

Find Users not using Default Exchange Storage Limit set via Mailbox Policy

Here's an LDAP query that I use frequently to search and display all the users in the domain that do not have the default mailbox store policy set.


Wednesday, March 19, 2008

Windows update available that will turn off the SNP

There is a new High Priority Windows update available that will turn off the Scalable Networking Pack features which are installed by default in Windows 2003 SP 2.
You have to reboot the server after applying this update.

Tuesday, February 12, 2008

SMTP Connectors | Exchange 2007

Microsoft has split connectors in Exchange 2007 into Receive Connectors and Send Connectors.

This transition to a separate send/receive configuration scheme makes it a lot easier to tell Exchange how you want it to behave, while minimizing the chances that you're going to change a parameter and cause unintended consequences.

By default, when you install the Exchange Hub Transport role, it creates two default receive connectors. If you've installed Exchange 2007 into an existing environment with 2003, then you probably already have a Send Connector (SMTP Connector).
While Receive connectors represent an inbound connection point for SMTP, Send connectors relay outbound communications.

The two default receive connectors are configured for authenticated SMTP transactions only.
The "Default" receive connector on Hub is configured for other Exchange servers to authenticate, but it does not accept anonymous email by default.

So users receive the following NDR when they try to send mail from any external address:

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 12): 530 5.7.1 Client was not authenticated

The easiest way to address this is to add the "Anonymous users" permission group to the Default Receive Connector.

Here is an excellent MSExchange Team Blog for Configuring Exchange 2007 Hub Transport role to receive Internet mail.
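The same change from the Exchange Management Shell, followed by a check worth running afterwards, as an added example that is not part of the original post: it adds the Anonymous users group without dropping the existing groups, then reports for every Receive connector whether anonymous senders are accepted and whether they hold ms-Exch-SMTP-Accept-Any-Recipient, the right that would let them relay to external domains. The connector identity is a placeholder and Get-AnonymousConnectorReport is a hypothetical helper name.

```powershell
# Added example for the Exchange Management Shell, not from the original post.
# The connector identity is a placeholder.
$connector = 'HUB_servername\Default HUB_servername'

# Weak form: -PermissionGroups replaces the whole list, so this would remove the
# groups that let other Exchange servers and authenticated users connect.
#   Set-ReceiveConnector -Identity $connector -PermissionGroups AnonymousUsers

# Corrected form: keep the existing groups and add AnonymousUsers to them
$rc = Get-ReceiveConnector -Identity $connector
Set-ReceiveConnector -Identity $connector `
    -PermissionGroups "$($rc.PermissionGroups), AnonymousUsers"

# Hypothetical helper: one row per Receive connector
function Get-AnonymousConnectorReport {
    Get-ReceiveConnector | ForEach-Object {
        $c = $_
        # Allow entries held by the anonymous logon account on this connector
        $anonAces = @($c |
            Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny })

        $row = "" | Select-Object Connector, Bindings, AcceptsAnonymous, AnonymousCanRelay
        $row.Connector = "$($c.Identity)"
        $row.Bindings = "$($c.Bindings)"
        $row.AcceptsAnonymous = "$($c.PermissionGroups)" -match 'AnonymousUsers'
        # Relaying to non-accepted domains needs this extended right
        $row.AnonymousCanRelay = @($anonAces | Where-Object {
            $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient'
        }).Count -gt 0
        $row
    }
}

Get-AnonymousConnectorReport | Format-Table -AutoSize
```

A connector that shows AnonymousCanRelay as True and is reachable from the Internet is an open relay and should be restricted before it is left in service.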

Wednesday, February 6, 2008

Public Folders not able to receive External Emails

When we set up Mail Enabled Public Folders, they receive all the internal emails fine but are unable to receive any mail from outside, and the sender gets this NDR:

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

Final-Recipient: rfc822;
Action: failed
Status: 5.2.1
X-Display-Name: abc

This happens when the permission for Anonymous is set to None. Make sure Anonymous has at least Contributor rights.

Tuesday, January 8, 2008

Stats Setup for monitoring the Website

Few days back, I needed to set up the monitoring for my front-end webmail server for bandwidth usage, number of hits, tracking of IP addresses, browsers etc... I looked into the number of options but inarguably found that Awstats is the best in this business.

AWStats is a free powerful and featureful tool that generates advanced web, streaming, ftp or mail server statistics, graphically. This log analyzer works as a CGI or from command line and shows you all possible information your log contains, in few graphical web pages.

The Setup consists of 5 major steps:

1. Installing Perl
2. The AWStats Setup
3. Setup IIS Logging
4. Setup AWStats Config File
5. Scheduling Log File Analysis

1. Installing Perl

Download the Perl binary for Windows. Grab the MSI version. Go ahead and run the install.
It will automatically create the Web Service Extension mapping in IIS. However you need to allow that from IIS manager.

2. The AWStats Setup

Now that Perl is installed, we can get AWStats all setup.

1. Run the Setup. Select all the defaults.
2. Copy the contents of its Bin directory to C:\Perl\Bin Folder.
3. Go into IIS Manager, create the virtual directory named stats under default Website for C:\Perl\Bin.
4. Give Execute Permissions, select Scripts and Executables from the dropdown.

3. Setup IIS Logging

Right click the website to be logged, go to properties, and then on the Configuration tab, check off
Enable Logging (if it isn’t already). Select W3C Extended Format from the dropdown, and then click Properties.
Proceed to the advanced tab and uncheck everything. There are certain items here that we’ll tick back off. Namely, the following items should be checked:

Date (date)
Time (time)
Client IP Address (c-ip)
Username (cs-username)
Method (cs-method)
URI Stem (cs-uri-stem)
Protocol Status (sc-status)
Bytes Sent (sc-bytes)
Protocol Version (cs-version)
User Agent (cs(User-Agent))
Referer (cs(Referer))

The IIS end is now done, the final step is to setup the AWStats.conf file.

4. Setup AWStats Config File

It is already copied in the C:\Perl\Bin Folder directory. Copy the existing config file and save it as
* = name of the website you want to monitor.

The first parameter to setup is your log file item. The only important part is the final piece at the end with the date time codes. Here's the line from my config file below:


The config file and documentation say that one should specify LogFormat=2 for IIS. Unfortunately, IIS 6 does not follow this predefined format, so we’ll have to specify our own:

LogFormat="date time cs-method cs-uri-stem cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes"
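Because AWStats silently drops records that do not fit LogFormat, it is worth comparing the string against the #Fields: directive IIS actually writes. The check below is an added example, not part of the original post; Test-AwstatsLogFormat is a hypothetical helper name, the log lines are constructed, and the -split operator needs PowerShell 2.0 or later.

```powershell
# Added example, not from the original post.
# Test-AwstatsLogFormat is a hypothetical helper name.
function Test-AwstatsLogFormat {
    param([string[]]$LogLines, [string]$LogFormat)

    $want = @($LogFormat.Trim() -split '\s+')
    $fields = $null; $rows = 0; $bad = 0
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # IIS writes a new directive whenever the logging settings change
            $fields = @($line.Substring('#Fields:'.Length).Trim() -split '\s+')
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $rows++
        $cols = @($line.Trim() -split '\s+')
        # A row is usable only if its directive equals LogFormat and it has
        # exactly one column per field
        if (-not $fields -or ($fields -join ' ') -cne ($want -join ' ') -or
            $cols.Count -ne $want.Count) { $bad++ }
    }
    if (-not $fields) { throw 'No #Fields: directive found in the log' }

    # First position where the last directive and LogFormat disagree
    $diff = ''
    for ($i = 0; $i -lt [Math]::Max($fields.Count, $want.Count); $i++) {
        if ($fields[$i] -cne $want[$i]) {
            $diff = "position $($i + 1): IIS '$($fields[$i])' vs LogFormat '$($want[$i])'"
            break
        }
    }

    $result = "" | Select-Object Match, Rows, RowsNotMatching, FirstDifference
    $result.Match = ($diff -eq '')
    $result.Rows = $rows
    $result.RowsNotMatching = $bad
    $result.FirstDifference = $diff
    $result
}

# The LogFormat string from this post
$logFormat = 'date time cs-method cs-uri-stem cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes'

# Constructed sample: the second directive has cs-uri-query switched on
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes
2008-01-08 10:00:01 GET /exchange/ - 192.0.2.10 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - 200 5120
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-version cs(User-Agent) cs(Referer) sc-status sc-bytes
2008-01-08 11:00:01 GET /exchange/ - - 192.0.2.11 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0) - 200 734
'@ -split "`r?`n"

Test-AwstatsLogFormat -LogLines $sampleLog -LogFormat $logFormat | Format-List

# Against a real log (the path is a placeholder):
# Test-AwstatsLogFormat -LogLines (Get-Content 'C:\path\to\iis.log') -LogFormat $logFormat
```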

Then we have to specify the value of Site Domain. Site Domain must contain the main domain name, or the main intranet web server name, used to reach the web site.


5. Scheduling Log file Analysis

AWStats only analyzes log files when told to do so. It can easily be toggled from the command line, and running a scheduled task to do this is the best solution.

Here's what the command looks like:

c:\perl\bin\perl.exe -update

All set now, you can access the stats from