Exchange Out of Office replies

I guess you are all familiar with the Out of Office Assistant in Exchange server. Whenever you activate it, Exchange will send a message to anyone who sends you mail telling them that you are out of the office. I never really thought much about the internals of the OOF Assistant, but a question from a customer prompted me to do some digging. The question was simply about how often the OOF Assistant would send messages, or Out of Office replies, as they are called. I had no idea and had just assumed that the OOF Assistant would send a reply for every message received, but a quick test revealed that this was not the case. It turns out that the OOF Assistant maintains a table of all senders who send you mail while the OOF is activated. It will only send an OOF message once to each sender. So if I am away for two weeks and you send me 100 messages (from the same account) you will only receive one OOF message from me. Neat! More info about this is in this KB article:

Only one reply is sent to each sender when the Out of Office Assistant is enabled (http://support.microsoft.com/kb/157961)

Windows 7: Netdom anyone?

The other day I was joining a Windows 7 RC machine to a domain and I figured I would use my old friend netdom.exe. Netdom has been around since NT and is a command line utility for joining a machine to a domain. It provides some nice extras over the GUI, most notably the ability to specify the OU for the domain account during the join. But Windows 7 just replied 'netdom.exe' is not recognized as an internal or external command, operable program or batch file when I typed in netdom.exe. Had Microsoft really removed this great tool?
Yes, they had, but fortunately for us they have given us something better. PowerShell v2 is included in Windows 7 and Windows Server 2008 R2 by default and is no longer an optional component that you can remove or add. It is there permanently. PS v2 has a couple of new cmdlets that perform the same operations that netdom.exe did. Namely Add-Computer which adds a computer to a workgroup or domain (with the ability to specify the OU) and Remove-Computer which removes a machine from a workgroup or domain. Both cmdlets have many parameters making them more than able to replace netdom.exe.
I think this is a great development and hope that all command line tools will be PowerShell cmdlets in the future.
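As an added example (not from the original post), here is how the netdom-style join described above looks with the PowerShell v2 cmdlets. The domain name, OU path and join account are placeholders for your own environment, and only parameters that exist in PowerShell v2 are used:

```powershell
# Added example: join this Windows 7 machine to a domain and place the
# computer account in a specific OU, the way "netdom join /OU:" used to.
# corp.example.com, the OU path and the join account are placeholders.
$domain = 'corp.example.com'
$ouPath = 'OU=Workstations,OU=Oslo,DC=corp,DC=example,DC=com'

# Prompt for an account that is allowed to create computer objects in that OU
# rather than embedding a password in the script.
$cred = Get-Credential -Credential "$domain\joinaccount"

# -PassThru returns a ComputerChangeInfo object so the result can be checked.
$result = Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -PassThru

if ($result -and $result.HasSucceeded) {
    Write-Host "Joined $($result.ComputerName) to $domain; a restart is required."
    Restart-Computer -Confirm
} else {
    Write-Warning 'Domain join failed; see the error above.'
}

# After the restart, confirm the machine's secure channel to the domain works.
# Test-ComputerSecureChannel is also new in PowerShell v2.
Test-ComputerSecureChannel -Verbose

# To undo the join (the Remove-Computer counterpart to "netdom remove"):
# Remove-Computer -Credential $cred -Confirm
```

Add-Computer supports -WhatIf, so you can append it to the join line to see what would happen without actually changing the machine's domain membership.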

Outlook Web Access: There was an unknown error accessing the directory

While troubleshooting message delivery between two email systems, I received this error from Outlook Web Access:

—————————
Message from webpage
—————————
There was an unknown error accessing the directory.  If the problem continues, contact technical support for your organization.

I was trying to send a message to a contact in my Exchange organization representing a user on the other messaging system. This particular contact was hidden from the address list so I was manually typing the address. I was sending to the targetAddress, or External E-Mail Address, of the contact, not the local address.

A quick web search did not reveal an answer. The only KB from Microsoft regarding the error, http://support.microsoft.com/kb/945917, was not the solution in my case.

First I had a look at the email addresses of the contact. It had only one; userx@sub.domain.com. (domain.com is a shared domain between the two messaging systems.) The address was both in the proxyAddresses and targetAddress attributes. Since sub.domain.com is a sub-domain of the shared SMTP domain I figured I would try adding an address from domain.com. That is when the solution presented itself, because Exchange Management Console (EMC) displayed this error:

——————————————————–
Microsoft Exchange Error
——————————————————–
The following error(s) occurred while saving changes:

set-mailcontact
Failed
Error:
The proxy address “SMTP:userx@sub.domain.com” is already being used by “domain.com/Users/userx”. Please choose another proxy address.

Turns out that there was already a mail enabled user in the directory using the address. That meant that when OWA tried to resolve the address the directory returned two matches. That is one too many. After I resolved this conflict the error disappeared from OWA.

Want to see the contents of the system partition on Windows 7?

On Windows 7 the system partition, the partition the computer boots from (I know, I know, the names are messed up), is hidden from the user. It isn't really hidden; it just isn't mounted to a drive letter or directory. Windows really doesn't need drive letters or mount points. It is just as happy to use the volume GUID (see a previous post about Volume GUIDs here). It is only for our benefit that the various volumes on a computer have drive letters. It is a very good idea not to mount the system volume; that keeps users from messing with the boot-critical files required for computer startup. It also makes it easy to enable BitLocker since the small unencrypted volume that loads the BitLocker driver is already in place. So in short, good work Microsoft. But what if you're a geek and really want to see what is on that volume? Fear not, it is quite easy.

The first thing we need to do is find the GUID of the system volume. The easiest way I know to do that is to run mountvol.exe. On a Windows 7 machine you will see one volume that has no mount points. That is probably your system volume. Just copy the GUID from the command prompt window and paste it into the Run box. Windows will open a new Explorer window with the contents of the system volume displayed, just like any other volume on the system. If you do not like the Run box, you can just type start.exe <Volume GUID> directly from the command prompt.

Here is the output from mountvol.exe on a test system:

Possible values for VolumeName along with current mount points are:

\\?\Volume{540a0153-2083-11de-9315-806e6f6e6963}\
*** NO MOUNT POINTS ***

\\?\Volume{540a0155-2083-11de-9315-806e6f6e6963}\
D:\

\\?\Volume{540a0156-2083-11de-9315-806e6f6e6963}\
E:\

\\?\Volume{540a0157-2083-11de-9315-806e6f6e6963}\
F:\

\\?\Volume{540a0154-2083-11de-9315-806e6f6e6963}\
C:\

To open the system volume I just run this from the same command line:

start.exe \\?\Volume{540a0153-2083-11de-9315-806e6f6e6963}\

And here is the result with the complete contents of the system volume:

[Screenshot: the contents of the Windows 7 system volume shown in an Explorer window]

But please remember to be careful when you poke around in here. Chances are your computer will not start if you do.
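As an added example (not from the original post), the same lookup can be done without reading mountvol.exe output by hand: the Win32_Volume WMI class exposes the \\?\Volume{...}\ path, whether a volume has a drive letter, and whether Windows regards it as the system or boot volume. Nothing here is specific to the test system above; the script runs against whatever volumes the machine has.

```powershell
# Added example: list volumes with no drive letter (what mountvol reports as
# *** NO MOUNT POINTS ***) and identify the system volume among them.
# Win32_Volume exposes SystemVolume (the partition the machine boots from) and
# BootVolume (the one holding \Windows) directly, which is the "names are
# messed up" distinction from the post.
function Get-UnmountedVolume {
    Get-WmiObject -Class Win32_Volume |
        Where-Object { -not $_.DriveLetter } |
        Select-Object DeviceID, Label, FileSystem,
            @{ Name = 'SizeMB'; Expression = { [int]($_.Capacity / 1MB) } },
            SystemVolume, BootVolume
}

$unmounted = Get-UnmountedVolume
$unmounted | Format-Table -AutoSize

# Open the system volume in Explorer, exactly as "start <GUID path>" does.
# DeviceID already has the \\?\Volume{...}\ form that mountvol prints.
$sysvol = $unmounted | Where-Object { $_.SystemVolume } | Select-Object -First 1
if ($sysvol) {
    Start-Process explorer.exe -ArgumentList $sysvol.DeviceID
} else {
    Write-Warning 'No unmounted system volume found; it may already have a drive letter.'
}
```

Running the report alone (without the Start-Process line) is a harmless way to confirm which volume is which before you open it, given the warning above about poking around in the system volume.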

Tip for creating Outlook profiles

NOTE: Disregard the info in this post for now. It has come to my attention that this might not always work and therefore requires some more research. Sorry!
With the introduction of Autodiscover in Exchange 2007 this might not be very relevant, but some users still use PRF files or the Office Customization Wizard to pre-stage settings for users' Outlook profiles. Whenever you use one of these methods, or if you create your Outlook profile manually, you will be prompted with a list of users in the Global Address List that match your username. E.g. if your username is paulo and another user's username is paulos, Outlook cannot uniquely identify you and prompts you to select which user is you. This can be a problem for users, who are likely confused by the list, and also a source of errors, since the user may select the wrong entry. This last case results in an access denied error since the user does not have access to the selected mailbox.
To work around this you can add the default SMTP domain to the %username% variable specified either in the PRF file or the Office Customization Wizard. There cannot be two users with the same SMTP address in your organization, so this will uniquely identify the user. Note that this approach requires each user to have an SMTP address in the form <username>@<SMTP domain>.

Licensing your Exchange 2007 Edge Server

One of the new roles in Exchange 2007 is the Edge server role. The Edge server is an Exchange server that sits in your DMZ and receives and sends SMTP mail to and from the Internet. It also performs a lot of other tasks like spam checking, anti-virus (if installed) etc. The Edge server is not a member of your Active Directory domain and uses an ADAM partition to hold the directory information it receives from an internal Hub/Transport server. The Edge server is present in Active Directory though; it is listed with the other servers under the Exchange Administrative Group (FYDIBOHF23SPDLT) in the configuration partition.

After you install any Exchange 2007 server and before you enter a product key, each time you open the Exchange Management Console (EMC) you are reminded of the Exchange servers that still do not have a product key registered and are thus regarded by the EMC as trial servers. You can enter the product keys by using EMC or the Exchange Management Shell (EMS), which is PowerShell with some additions. I recently ran across an interesting problem trying to enter the product key for my Edge server.

After entering the product key for my combined Mailbox and Hub/Transport server and the CAS server, they disappeared from the warning displayed when I opened the EMC. But that still left me with the Edge server. First I tried entering the product key on the Edge server itself. That succeeded and the warning disappeared from the local EMC on the Edge server, but since there is no communication from the Edge server to the Hub/Transport server, only the other way, that did not help with the error displayed in the EMC on the internal servers. Next I tried using the EMS to set the key on the Edge server. The command is:

Set-ExchangeServer <servername> -ProductKey AAAAA-BBBBB-CCCCC-DDDDD-EEEEE

I then received this error:

Set-ExchangeServer : An error happened while accessing registry of the specified server: “<servername>”. The error message: “Attempted to perform an unauthorized operation.”.

At line:1 char:19

+ Set-ExchangeServer <<<< <servername> -ProductKey AAAAA-BBBBB-CCCCC-DDDDD-EEEEE


I guessed that the reason was that my domain administrator account was not allowed to update the registry on the Edge server, which made sense. (I did open port 445/TCP from the H/T server to the Edge server in the firewall, in addition to the ports required for ADAM sync.) I then tried running the cmdlet using runas in different ways, using the NETONLY option etc. If I ran runas with NETONLY I could access the Edge server, but then I lost access to the DC since the local account on the Edge server, which runas was using, did not have access to Active Directory. After pondering this duality for a while (the need to access Active Directory and the registry on the Edge server at the same time over the network, using only one account) I figured it out. How do you get "single sign-on" in Windows across different security boundaries? You create duplicate accounts in each security boundary and give them the same password.

I created an account in the Edge Server’s security database (SAM) with the same name as my internal Domain Admins account and gave it the same password. Immediately the Set-ExchangeServer cmdlet succeeded and my Edge server was licensed in the eyes of Active Directory. No more warnings in the EMC.

I have installed a few Exchange 2007 servers now, but never had this problem before. That was also the reason it took me some time to figure this out; it had never been a problem before! I kept asking myself “Why doesn’t it work at this site, when it has worked so many times before?”. The reason was that on all the other sites I was already running with identical accounts on the internal network and on the Edge server. But this time the accounts were different.

Mismatched Email addresses causes recipients to be skipped during Offline Address Book generation

You might experience this error during an Offline Address Book generation cycle:

Index : 94460
EntryType : Warning
EventID : 9327
Message : OALGen skipped some entries in the offline address list ‘Global Address List’. To see which entries are affected, event logging for the OAL Generator must be set to at least medium.
– Default Offline Address List
Category : OAL Generator
CategoryNumber : 13
ReplacementStrings : {Global Address List, Default Offline Address List}
Source : MSExchangeSA
TimeGenerated : 03.01.2008 11:35:31
TimeWritten : 03.01.2008 11:35:31
UserName :

After you set the event log level for the OAL Generator to at least medium, eg. by using this EMS command:

Set-EventLogLevel 'MSExchangeSA\OAL Generator' -Level Medium

You start seeing these errors:

Index : 94454
EntryType : Error
EventID : 9325
Message : OALGen will skip user entry 'user1' in address list 'Global Address List' because the SMTP address '' is invalid.
– Default Offline Address List
Category : OAL Generator
CategoryNumber : 13
ReplacementStrings : {user1, Global Address List, , Default Offline Address List}
Source : MSExchangeSA
TimeGenerated : 03.01.2008 11:35:27
TimeWritten : 03.01.2008 11:35:27
UserName :

As we can see from the error in the Event Log, OAL Generator claims that the SMTP address '' (blank) is invalid. This is not surprising, as a blank address cannot be used for anything.

I have discovered one reason for this error; there might be more. If the user's primary SMTP address does not match the value in the mail attribute in Active Directory, this error is generated. This happens if you change the primary SMTP address in EMC: EMC does not update the address in the mail attribute. To see if you have any recipients in your organization that have a mismatch between these two values, run these EMS commands:

get-mailbox -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ft -auto

get-distributiongroup -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ft -auto

get-dynamicdistributiongroup -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ft -auto

This should be possible to do with Get-Recipient as well, but I cannot make it work. Get-Recipient always returns every recipient in the organization.

To remedy this situation, these EMS commands may be of interest:

get-mailbox -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ForEach { Set-Mailbox $_ -WindowsEmailAddress $_.PrimarySMTPAddress }

get-distributiongroup -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ForEach { Set-distributiongroup $_ -WindowsEmailAddress $_.PrimarySMTPAddress}

get-dynamicdistributiongroup -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ForEach { Set-dynamicdistributiongroup $_ -WindowsEmailAddress $_.PrimarySMTPAddress}

You should probably test these commands with the -WhatIf parameter added to the Set cmdlets.

A good pointer as to which recipients have a mismatch between these values is those recipients whose e-mail addresses are no longer updated by a recipient policy. You can quickly list which recipients are in this state:

get-mailbox -ResultSize unlimited | where { $_.EmailAddressPolicyEnabled -eq $false } | ft -auto

get-distributiongroup -ResultSize unlimited | where { $_.EmailAddressPolicyEnabled -eq $false } | ft -auto

get-dynamicdistributiongroup -ResultSize unlimited | where { $_.EmailAddressPolicyEnabled -eq $false } | ft -auto

Also recipients who are targets of E-Mail address policies (EAP), but where those policies have not been applied, are candidates for this error.

Lastly, you cannot set the mail attribute if a recipient is a target of an EAP.
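As an added example (not from the original post), the six one-liners above can be combined into one report that covers all three recipient types and both signals at once: a WindowsEmailAddress (the AD mail attribute) that differs from the primary SMTP address, and an e-mail address policy that is no longer applied. The repair function honours -WhatIf. This assumes the Exchange 2007 cmdlets used in the post and is meant to be run in the Exchange Management Shell:

```powershell
# Added example: audit and optionally repair mail-attribute mismatches that
# make OALGen log event 9325. Run in the Exchange Management Shell.
function Get-MailAttributeMismatch {
    $queries = @(
        @{ Type = 'Mailbox';                  Get = { Get-Mailbox -ResultSize Unlimited } },
        @{ Type = 'DistributionGroup';        Get = { Get-DistributionGroup -ResultSize Unlimited } },
        @{ Type = 'DynamicDistributionGroup'; Get = { Get-DynamicDistributionGroup -ResultSize Unlimited } }
    )
    foreach ($q in $queries) {
        & $q.Get | ForEach-Object {
            # Compare as strings: WindowsEmailAddress and PrimarySmtpAddress are SmtpAddress objects.
            $mismatch = ($_.WindowsEmailAddress.ToString() -ne $_.PrimarySmtpAddress.ToString())
            # Report a recipient if either signal fires; the mismatch is the actual
            # cause of the OALGen error, a disabled policy is the usual way it arises.
            if ($mismatch -or -not $_.EmailAddressPolicyEnabled) {
                New-Object PSObject -Property @{
                    RecipientType             = $q.Type
                    Identity                  = $_.Identity.ToString()
                    WindowsEmailAddress       = $_.WindowsEmailAddress.ToString()
                    PrimarySmtpAddress        = $_.PrimarySmtpAddress.ToString()
                    Mismatch                  = $mismatch
                    EmailAddressPolicyEnabled = $_.EmailAddressPolicyEnabled
                }
            }
        }
    }
}

# Fix only the real mismatches. SupportsShouldProcess gives us -WhatIf/-Confirm.
function Repair-MailAttributeMismatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Get-MailAttributeMismatch | Where-Object { $_.Mismatch } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Identity, "Set WindowsEmailAddress to $($_.PrimarySmtpAddress)")) {
            switch ($_.RecipientType) {
                'Mailbox'                  { Set-Mailbox $_.Identity -WindowsEmailAddress $_.PrimarySmtpAddress }
                'DistributionGroup'        { Set-DistributionGroup $_.Identity -WindowsEmailAddress $_.PrimarySmtpAddress }
                'DynamicDistributionGroup' { Set-DynamicDistributionGroup $_.Identity -WindowsEmailAddress $_.PrimarySmtpAddress }
            }
        }
    }
}

# Report first; uncomment the repair line once the list looks right.
Get-MailAttributeMismatch |
    Format-Table RecipientType, Identity, WindowsEmailAddress, PrimarySmtpAddress, Mismatch, EmailAddressPolicyEnabled -AutoSize
# Repair-MailAttributeMismatch -WhatIf
```

As the post notes, the Set cmdlets will refuse to set the mail attribute on a recipient that is still the target of an e-mail address policy; those rows show up in the report with EmailAddressPolicyEnabled set to True and need the policy itself re-applied instead.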

Remember to set the Event Log level back to its original value after you have finished troubleshooting:

Set-EventLogLevel 'MSExchangeSA\OAL Generator' -Level Lowest

What does the Protect object from accidental deletion setting in Windows Server 2008 Active Directory actually do?

Windows Server 2008 Active Directory introduced a setting called Protect object from accidental deletion on all directory objects:

[Screenshot: the "Protect object from accidental deletion" check box on an object's property page]

This was implemented to avoid accidentally deleting objects from the directory. OUs have this setting set by default. But what does it actually do?

When this setting is set, a Deny access control entry (ACE) for "DELETE" and "DELETE TREE" is added to the security descriptor of the object, and a Deny ACE for "DELETE CHILD" is added to the security descriptor of the PARENT of the object. The security principal associated with these ACEs is Everyone, and they apply to This object only.

So if we select to protect the OU company.com/Unit/Users from deletion, the following will happen in the directory:

  • The Users OU itself will get the "DELETE" and "DELETE TREE" DENY ACE set.
  • The parent of Users, in this case the OU Unit, will get the “DELETE CHILD” DENY ACE set.

Queried with DSACLS.EXE this will look like this:

For the Users OU:

dsacls.exe "OU=Users,OU=Unit,DC=company,DC=com"
Owner: COMPANY\Domain Admins
Group: COMPANY\Domain Admins

Access list:
Deny  Everyone                        SPECIAL ACCESS
DELETE
DELETE TREE

For the Unit OU (the parent of Users):

dsacls.exe "OU=Unit,DC=company,DC=com"
Owner: COMPANY\Domain Admins
Group: COMPANY\Domain Admins

Access list:
Deny  Everyone                        SPECIAL ACCESS
DELETE
DELETE CHILD
DELETE TREE

If you want to set these ACEs yourself you can use DSACLS.EXE:

For the Users OU:

DSACLS "OU=Users,OU=Unit,DC=Company,DC=Com" /D "Everyone:SDDT"

For the Unit OU (the parent of Users):

DSACLS "OU=Unit,DC=Company,DC=Com" /D "Everyone:DC"
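As an added example (not from the original post), here are the same two Deny ACEs set and audited from PowerShell through System.DirectoryServices rather than DSACLS.EXE. The OU distinguished names are placeholders; the audit function lists every OU in the domain that does not carry the "DELETE" + "DELETE TREE" Deny ACE for Everyone, which is the state you would want to find before someone deletes an OU by accident:

```powershell
# Added example: apply and audit the "protect from accidental deletion" ACEs.
Add-Type -AssemblyName System.DirectoryServices

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone
$everyone    = New-Object System.Security.Principal.SecurityIdentifier $everyoneSid
$deny        = [System.Security.AccessControl.AccessControlType]::Deny
$thisOnly    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # "This object only"
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

function Protect-OUFromDeletion {
    param([string]$OuDn)   # e.g. 'OU=Users,OU=Unit,DC=company,DC=com' (placeholder)
    $ou     = [ADSI]"LDAP://$OuDn"
    $parent = $ou.psbase.Parent

    # 1. On the object itself: Deny Everyone DELETE and DELETE TREE (dsacls /D Everyone:SDDT).
    $selfRights = $rights::Delete -bor $rights::DeleteTree
    $ou.psbase.ObjectSecurity.AddAccessRule(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($everyone, $selfRights, $deny, $thisOnly)))
    $ou.psbase.CommitChanges()

    # 2. On the parent: Deny Everyone DELETE CHILD (dsacls /D Everyone:DC).
    $parent.psbase.ObjectSecurity.AddAccessRule(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($everyone, $rights::DeleteChild, $deny, $thisOnly)))
    $parent.psbase.CommitChanges()
}

# Audit: does the OU carry an explicit Deny for Everyone covering DELETE and DELETE TREE?
function Test-OUProtected {
    param([string]$OuDn)
    $ou     = [ADSI]"LDAP://$OuDn"
    $needed = $rights::Delete -bor $rights::DeleteTree
    # Explicit ACEs only ($true, $false): the protection is "This object only", not inherited.
    $acl = $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $acl) {
        if ($ace.AccessControlType -eq $deny -and
            $ace.IdentityReference.Value -eq $everyoneSid -and
            (($ace.ActiveDirectoryRights -band $needed) -eq $needed)) { return $true }
    }
    return $false
}

# List every OU in the domain that is not protected.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher('(objectClass=organizationalUnit)')
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.PageSize   = 1000
$searcher.FindAll() |
    ForEach-Object { $_.Properties['distinguishedname'][0] } |
    Where-Object  { -not (Test-OUProtected $_) }

# Protect-OUFromDeletion 'OU=Users,OU=Unit,DC=company,DC=com'
```

On Windows Server 2008 R2 the Active Directory module's Set-ADObject -ProtectedFromAccidentalDeletion $true does the same thing in one call; the version above shows the underlying ACEs, which is what the post is about, and works on a 2003 or 2008 domain from any machine with .NET.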

If you are still running Windows 2000 or Windows Server 2003, I highly recommend making this part of your standard steps for creating new OUs. You can also change the Active Directory Schema so that the ACEs are set by default when creating new objects. When I figure out how that is done I will update this post.

Using IIS 7 URL Rewrite Module to simplify Exchange 2007/2010 Outlook Web Access URLs on Windows Server 2008/2008 R2

The default URL for Outlook Web Access in Exchange Server 2007 is https://<server FQDN>/owa. This URL is always an issue for end users who find it too long or complex. They either forget to use HTTPS in front of the URL, or to append /owa to the server name, or both. The first mistake results in an error saying SSL is required. The second loads the root of the site. I agree that this could be made more user-friendly, so I always implement some form of rewrite or redirection. Typically I make OWA available at just <server FQDN>, with no HTTPS or subfolder, e.g. owa.company.com. This requires two things: redirecting HTTP traffic to HTTPS and redirecting the root folder to the /owa subfolder.

Note: The final URL for OWA is always (almost) https://<server FQDN>/owa. We cannot disable HTTPS or publish OWA at the root of the site. But the URL users type can be simplified. This simplification is what I mean when I say redirect in this article.

Until recently the redirection to HTTPS and the subfolder OWA could be accomplished by first redirecting the root folder with IIS 7's HTTP redirect functionality and then editing the HTTP error page, typically 403, so that it would redirect to HTTPS instead of throwing an error. I have never liked this approach, especially the latter part. You could also use ISA Server 2006 in front of your Exchange server and do the same there. But recently a much better solution has arrived. The IIS team has released the URL Rewrite Module extension to IIS 7, which lets you perform advanced URL rewrites and redirects using, among other things, regular expressions.

How to simplify the OWA URL with URL Rewrite:

      1. Download and install the URL Rewrite extension on your CAS server.
        http://www.iis.net/extensions/URLRewrite
        Remember to get the version for your architecture. This will almost always be x64 unless you are in a lab and running the x86 version of Exchange 2007.
        To avoid having to restart your server follow the steps in this post:
        http://forums.iis.net/t/1153276.aspx
        Also, these instructions are written for the 2.0 version. I cannot guarantee that they will work with any older or newer version.
      2. Disable the Require SSL setting on the Default Web Site.
        This is necessary for the redirection in URL Rewrite to work. This is not a security issue since URL Rewrite will force SSL for the entire site (except for OAB).
        [Screenshot: the SSL Settings feature for the Default Web Site with Require SSL cleared]
      3. Open the web.config file under your wwwroot folder.
        This is usually under %systemdrive%\inetpub\wwwroot.
        The web.config file does not exist by default, so change a setting on your site and change it back again to have IIS generate the file.
      4. Paste the following text in web.config in the <system.webServer> section:

https://gist.github.com/morgansimonsen/8040092

NOTE: The PowerShell vdir entry is to exempt the /powershell virtual directory found on Exchange 2010 Servers from HTTPS enforcement. This is necessary for remote management of Exchange 2010 Client Access Servers. This rule should have no bearing on an Exchange 2007 server as they do not have the powershell vdir.

This will create three new rewrite rules.

      • Open the URL Rewrite item under Default Web Site.
        [Screenshot: the URL Rewrite icon under Default Web Site in IIS Manager]
      • Your three new rules will look like this:
        [Screenshot: the rules as listed in the URL Rewrite feature]
        The rules will be processed from top to bottom.

        Rule name                       | Function                                                                                                                                                                                              | Notes
        --------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------
        Redirect root                   | Redirects the root folder to /owa                                                                                                                                                                     |
        Exempt OAB from SSL             | Turns off the requirement for SSL for the /OAB subfolder. This is the default Exchange 2007/2010 setting. If you want to have SSL for the OAB folder as well, delete this rule and update the OAB URL setting in Exchange. | Stop processing enabled
        Exempt PowerShell vdir from SSL | This rule is only required for Exchange 2010, but can safely be imported on Exchange 2007.                                                                                                            | Stop processing enabled
        Force HTTPS                     | Enforces HTTPS for all requests to the site.                                                                                                                                                          |
      • Perform a test

All requests for the root folder or for the /owa folder missing SSL will now be redirected to the OWA logon page. All other subfolders are not redirected, except to enforce SSL, and can be accessed directly.
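The gist linked above carries the author's actual rules. As an added illustration that is not the gist's contents, here is a web.config fragment implementing the four rules described in the table, in the order they are processed. The rule names are the ones from the table; the regular expressions and the use of {HTTP_HOST} are my assumptions about how to express each rule in URL Rewrite syntax:

```xml
<!-- Added example: the four rules from the table above, in processing order.
     Goes inside <configuration><system.webServer> in wwwroot\web.config. -->
<rewrite>
  <rules>
    <!-- 1. Redirect root: an empty path means the site root was requested. -->
    <rule name="Redirect root">
      <match url="^$" />
      <action type="Redirect" url="https://{HTTP_HOST}/owa" redirectType="Found" />
    </rule>

    <!-- 2. Exempt OAB from SSL: Outlook downloads the OAB over plain HTTP by
         default, so stop here and let the request through unchanged. -->
    <rule name="Exempt OAB from SSL" stopProcessing="true">
      <match url="^OAB(/.*)?$" ignoreCase="true" />
      <action type="None" />
    </rule>

    <!-- 3. Exempt PowerShell vdir from SSL: only exists on Exchange 2010 CAS;
         harmless on Exchange 2007 because the path never matches. -->
    <rule name="Exempt PowerShell vdir from SSL" stopProcessing="true">
      <match url="^PowerShell(/.*)?$" ignoreCase="true" />
      <action type="None" />
    </rule>

    <!-- 4. Force HTTPS: everything that reached this point over HTTP is sent
         to the same path on HTTPS. {R:1} is the captured request path. -->
    <rule name="Force HTTPS">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
```

A Redirect action ends rule processing on its own, which is why only the two exemption rules need stopProcessing; the Force HTTPS rule deliberately comes last so the exemptions above it win. A quick test is a plain HTTP request to / (expect a redirect to https://.../owa), to /OAB/ (expect no redirect) and to /owa (expect a redirect to the HTTPS URL).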

Note: The Exchange 2007/2010 web folders usually inherit their SSL settings from the Default Web Site, so when you turn off the SSL requirement for the site you also turn it off for the web folders. If, for some reason, any of the subfolders manage the SSL setting in their own context (i.e. they do not inherit the SSL setting from the site level) you have to disable Require SSL for those folders as well. If not, URL Rewrite will not kick in and you will get an error instead of a redirect. The folders associated with Exchange 2007/2010 are:

      • Autodiscover
      • EWS
      • ecp
      • Exchange
      • Exchweb
      • Microsoft-Server-ActiveSync
      • OAB
      • Owa
      • Public
      • Rpc
      • RpcWithCert
      • UnifiedMessaging

All these should have their Require SSL setting turned off. For any other folders you may have on the server you will have to decide for yourself if you want them to be included in the URL Rewrite SSL enforcement or manage their SSL settings individually. Also make sure to check that any other folders that should still have SSL active keep that setting when you deactivate the requirement for the site.

I find this solution to simplifying the URL for OWA to be much more streamlined and elegant than any previous solution. The URL Rewrite filter is a module developed by Microsoft, meaning it has been through the Security Development Lifecycle (SDL). You have only one place to make all changes. You do not have to make changes to the default IIS configuration (i.e. editing or changing the error pages).

Morgan

Update: When you disable the Require SSL setting in IIS you rely on URL Rewrite to perform the enforcement for SSL on your sites and directories. I have been in contact with the author of URL Rewrite, asking him if this configuration is a security risk and if the enforcement of SSL through URL Rewrite is as strong as the one in IIS. His reply was that it was not but that this was a cause for concern in very few situations. You have been warned.

Reducing the size of a dynamically expanding VHD file

All Microsoft virtualization software allows you to manipulate virtual hard disk files (VHDs). The standard operations you can perform are listed in the table below.

[Table image: the standard VHD operations available in the built-in tools; only the two footnotes survive]

* To fixed of same size as source
** To dynamically expanding of same size as source

What is missing here is the ability to shrink disks, either dynamically expanding or fixed. This is something that the built-in tools cannot do. Enter the guys at vmToolkit and their VHDResizer. VHDResizer will let you shrink a fixed or dynamically expanding disk, provided you do some preparation.

[Screenshot: VHDResizer showing the source VHD type and the destination type and size options]

Notice how VHDResizer has determined that the source VHD is a dynamically expanding disk, and that the destination VHD can be set to either fixed or dynamically expanding. This particular source VHD has a maximum size of 16 GB. Because of this the minimum size we can select for the destination VHD is 16 GB, regardless of disk type. The reason we cannot get the disk smaller than 16 GB is that the partitions or volumes in the VHD take up the entire 16 GB of space, even though the actual physical file is much smaller. This is the very basis of a dynamically expanding disk; the guest operating system sees all the space and can address it, but only blocks that have data on them are written to the VHD file. So we need to shrink the volumes inside the VHD to free up space. I find that the easiest way to do this is with Diskpart.exe and the SHRINK command. As long as there is free space at the end of the volume, SHRINK can reduce the size of the volume. You can see how much you can shrink the volume by running SHRINK QUERYMAX. Then you can use SHRINK to shrink the volume by the maximum space available.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Administrator.LAB>diskpart
Microsoft DiskPart version 6.0.6001
Copyright (C) 1999-2007 Microsoft Corporation.
On computer: LAB-RODC1
DISKPART> select disk 0
Disk 0 is now the selected disk.
DISKPART> select volume 1
Volume 1 is the selected volume.
DISKPART> shrink querymax
The maximum number of reclaimable bytes is: 15 GB
DISKPART> shrink
DiskPart successfully shrunk the volume by: 15 GB
DISKPART>

But sometimes there is data at the end of the volume or very close to it, making the size you can shrink a volume by very small. To get around this you need to move the files to the beginning of the volume. The best tool I have found to do this is JKDefrag. By using JKDefrag’s action option 5 (Force together) we can force all the files on the volume together at the beginning of the volume. This will cause fragmentation, but we can deal with that by doing a normal defragmentation run when the volume has reached its desired size.

JkDefrag.exe -a 5 c:

But sometimes even this isn't enough. However many times you run JKDefrag you will still see data at the end of your volume. Chances are that this is the NTFS Master File Table (MFT) stored in the file $Mft. The MFT also reserves a portion of the volume it calls the MFT Reserved space. This is to guarantee that the MFT has space to grow in, even when the disk is nearly full. The inability to write to or update the MFT would lead to disk corruption and orphaned files, which is the reason for this precaution. But to achieve our goal, we need to move the MFT and the MFT Reserved space blocks away from the end of the volume and towards the start of the volume. (The MFT isn't really at the end of the volume, at least it wasn't in the beginning. Windows places the MFT around the middle of the volume by default, but since we have shrunk our volume it is now at the end.) The author of JKDefrag says that version 4 of JKDefrag will be able to move and defragment the MFT, but until that version is available we have to use another tool. The best I have found is Raxco PerfectDisk 10. PerfectDisk is commercial software, but you can download a trial version to perform your MFT defragmentation. Remember to get the correct version of PerfectDisk; the Pro version will not install on Windows Server, for example. Install PerfectDisk 10 inside your virtual machine and analyze the volume you want to shrink. Select the Boot check box next to the volume drive letter and reboot the virtual machine.

[Screenshot: PerfectDisk 10 with the Boot check box selected for the volume]

During the boot PerfectDisk will defragment your volume and move the MFT to around the middle of it. You have no control over where PerfectDisk moves the MFT; it uses its own internal logic to determine that. You will probably also see that the MFT grows; this is also due to PerfectDisk's internal optimization settings. After the virtual machine has booted you can again use Diskpart.exe and the SHRINK command to further reduce the size of the volume. You can repeat this process until you have reached your desired size for the volume. Then, finally, you can run VHDResizer and shrink your VHD file, and also convert it at the same time.