Exchange
CHANGING THE EXCHANGE SERVICE ACCOUNT PASSWORD
The Exchange Service Account is one of the few accounts that you'll hold dearer than even your own administrator account! This account not only has Permission Admin authority to every server in your Exchange organization, it also has rights to log on locally (if your Exchange server is a domain controller), act as part of the operating system, and log on as a service.
Because the Exchange Service Account must be functional for your Exchange servers to operate, you'll always want to make sure that the Password Never Expires option is checked in the account's User Properties sheet. This means that you'll be responsible for remembering to change the password on a timely basis. You should change the password at least as often as you change your own password, if not more often.
To change the password, begin by performing the following steps in each site: Open Exchange Administrator, select the site's Configuration container, and choose File | Properties. Then click the Service Account Password tab, type the new password in the Password and Confirm Password fields, and click OK.
Remember that each Exchange server's Schedule Service uses the Service Account. Therefore, you must also log on to each Exchange server, stop the Exchange Services, and change the Schedule Service password. Open the Services applet, select Schedule Service, click Startup, and enter the new password in the Password and Confirm Password fields. Then click OK and close. Finally, restart Exchange Services.
EXPLORING PERFORMANCE OPTIMIZER'S MODAL OPTIONS
Exchange Server 5.5's setup program prompts you to run Performance Optimizer (PERFWIZ.EXE) as the last step of the installation procedure. Performance Optimizer is the only interface that allows you to configure Exchange Server memory usage, resource allocation, public information store options, and database paths. Performance Optimizer analyzes both your system's hardware and your Exchange Server's user-configured options and automatically configures resource allocations for you. Therefore, you should run Performance Optimizer every time you upgrade server hardware, or add or remove connectors or large numbers of recipients.
You can execute Performance Optimizer normally by choosing it from the Start menu. However, you can also start Performance Optimizer in either silent or unattended mode. In silent mode, Performance Optimizer runs in the background and configures options automatically without displaying dialog boxes or asking for input. To start Performance Optimizer in silent mode, enter the following: C:\exchsrvr\bin\perfwiz.exe --s
In unattended mode, Performance Optimizer configures options using settings that you've specified in an .inf file without prompting you for input. To start Performance Optimizer in unattended mode, enter: C:\exchsrvr\bin\perfwiz.exe --f c:\exchsrvr\bin\perfopt.inf where perfopt.inf is the name of your .inf file. For information on how to create an .inf file for running Performance Optimizer in unattended mode, see Microsoft Knowledge Base article Q175283. http://support.microsoft.com/support/kb/articles/Q175/2/83.ASP

HIDDEN RECIPIENTS DON'T APPEAR IN A DISTRIBUTION LIST'S MEMBERSHIP

If anyone in your organization has ever complained about unintended recipients getting mail messages that were sent to a distribution list, you'll want to check your organization's list of hidden recipients. To do so, open Exchange Administrator and choose View | Hidden Recipients. If the recipient is hidden and is also a member of the distribution list in question, users won't see that name in the distribution list's membership. This can cause problems, especially if your users send sensitive information to the distribution list!
You can hide a recipient from your organization's Global Address List (GAL) by simply choosing the Hide From Address Book option on the Advanced tab in the Recipient's Properties sheet. Many new Exchange administrators are unaware of the problems they can cause by injudiciously hiding recipients from the GAL. Hiding a recipient prevents the name from appearing anywhere on the Global Distribution List, which is usually a user's only way of determining a distribution list's membership. Before hiding a recipient, be sure to determine what distribution lists the user belongs to by viewing the Distribution Lists tab in the Properties sheet.

ASSIGNING MULTIPLE OWNERS TO A DISTRIBUTION LIST

Users come and go, and when the day is done, the Exchange administrator must make sure that distribution lists are kept up-to-date. But if you're smart, you'll want to offload some of this "administrivia" to the users who requested the distribution lists by assigning them as owners of the lists that they request. Distribution list owners can use Outlook's Address Book to add or remove users from a list. You can use the General tab in the Distribution List's Properties sheet to assign an Owner to the list. Though each distribution list can only have one Owner, other users can have permissions equivalent to Owner to add and remove list members.
To assign multiple owners, click the Permissions tab in the Distribution List's Properties sheet. Then click Add and select the NT account to which you want to assign owner permissions and click OK. Finally, select the user that you added and change the Role to User. The default Admin role is only appropriate for Exchange administrators. Assigning multiple owners distributes the list's administration load across several people and ensures that someone (other than you, hopefully) will be available to modify a list's membership.

RECOVER DELETED ITEMS FROM THE EXCHANGE "DUMPSTER"

It never hurts to have a safety net. Exchange Server 5.5 offers an exciting feature that can save valuable time that would otherwise be wasted restoring mailbox data from tape. You can configure a Deleted Item Retention Period for your Exchange server's Information Stores or for selected mailboxes in your organization. When you enable this option for an entire Information Store, Exchange keeps any messages that users delete or empty from their Recycle Bins. Instead of actually deleting the items, Exchange hides the messages from the mailbox for the duration of the retention period and then deletes them. This limbo state is often referred to as the "Dumpster."
To enable and configure the Deleted Item Retention Period, use Exchange Administrator to open your server's Private Information Store's Properties sheet. Select the General tab and enter a value in the Deleted Item Retention time [day] field. If you perform regular backups, check the option Don't Permanently Delete Items Until The Store Has Been Backed Up. You can also configure these options on the mailbox level by opening a mailbox's Properties sheet and clicking on the Limits tab. Then deselect the Use Information Store default option.
To restore items from the Dumpster, use Outlook 98 or 2000 to log on to the mailbox, then select the Deleted Items Folder and choose Recover Deleted Items from the Tools menu.

QUICKLY "UNHIDING" A MAILBOX

Hidden mailboxes can be great if you want to quickly blank out the mailbox of a recently departed employee or records of a confidential project. But what if you need to glimpse the mailbox's contents without reopening it to the user's view?
Here's a quick tip: Use Exchange Administrator in raw mode (employ the /r switch) to change the hidden mailbox's display name to something you know, but that will be meaningless to users. So, you can view the mailbox's contents without opening it back up to users.
Select the desired mailbox and choose File | Raw Properties. Find the Obj-Dist-Name attribute, click on Viewer, and copy the text. Now, go to the display-name attribute and paste this value into the Edit Value field. Click Set and then click OK.
Now you need to create an Outlook profile with a mailbox name that's the same as the display name that you copied from the raw properties. Open Outlook using this new profile, and you'll be able to see the hidden mailbox.

CREATE RECIPIENTS' ALIASES RIGHT THE FIRST TIME

Good Exchange administration requires good planning, as Exchange is not nearly as forgiving of our mistakes as we would like it to be. To wit, when you create a recipient, you must make sure that you've correctly spelled its alias before you click OK. Why is this so important? When you create a recipient, Exchange uses the alias you've entered to create the recipient's Directory Name. For those of you familiar with databases, the Directory Name field is the Primary Key in the Exchange Directory database. This means that whenever you perform directory imports, you must reference a recipient's Directory Name to modify its entry (record) in the directory. Even if you change the recipient's alias after creation, you cannot modify the recipient's Directory Name. The only effective way to modify the recipient's Directory Name is to delete and recreate the recipient!
Exchange Administrators commonly make the mistake of using a "friendly" alias in the form of first initial plus last name (which is the example often given in Exchange Administration tutorials) for creating mailboxes. Instead, we recommend that when you create employee mailboxes you use an employee number as the alias instead of a friendly alias name. That way an employee name change will not require you to delete and recreate the employee's mailbox to keep the Directory Name consistent with her or his actual name.

CREATING A DEAD LETTER OFFICE

Employees come and go; their mail subscriptions stay with you for a long time. When you delete a former employee's mailbox, you'll find that Non-Delivery Reports (NDRs) for mail messages addressed to their once-valid Internet addresses will arrive in the Postmaster (or Administrator) mailbox (along with all the other non-deliverable messages sent to your domain). Although users eventually stop sending mail once it goes unanswered or they receive an NDR themselves, many listservs and other automated messaging applications will, unfortunately, continue to send mail to invalid addresses, creating an unnecessary number of NDRs in the Postmaster mailbox.
As a busy Administrator, you don't have time to unsubscribe former employees' addresses from all the mailing lists they subscribed to. Instead, route that mail to a Dead Letter Office and keep the unnecessary NDRs from appearing in your Postmaster mailbox.
  • 1. Create a mailbox named Dead Letter Office and hide it from your Global Address List.
  • 2. Open the mailbox's Properties sheet and select the E-mail Addresses tab.
  • 3. Add the Internet addresses of former employees to the mailbox.
Now Exchange will deliver all the mail that your domain receives for the expired addresses to the Dead Letter Office mailbox instead of the Postmaster mailbox. Be sure to clean out the Dead Letter Office fairly frequently using Exchange Administrator's Clean Mailbox tool.

CREATING PASS-THROUGH ALIASES

Often a recipient in your organization will act as a relay point to another recipient outside the organization. Your users have probably already asked you to create mailboxes that they intend to use for this purpose by creating a rule that forwards all of the mail the mailbox receives to the Internet address for someone else. This allows the outside recipient to receive mail as though he or she was actually a recipient in your own organization.
Though a mailbox is useful for this purpose, it's not necessarily the best tool for the job. As an administrator, you should strive to keep the number of mailboxes in your organization to an absolute minimum. If you only need to pass mail sent to one Internet address to another, it would be better to create a pass-through alias. To do so, follow these steps:
  • 1. Create a Custom Recipient entry that points to the outside recipient's Internet address.
  • 2. Open the Custom Recipient's Properties sheet and select the E-mail Addresses tab.
  • 3. Click the New... button and add an Internet address that follows the naming convention at your company (e.g., recipient@mycompany.com).
Now, when your Exchange Server receives mail addressed to recipient@mycompany.com, it will send the mail message to the Internet address specified in the Custom Recipient entry.

GOING LOW-FI: CLIENT-SIDE FOLDER PERMISSIONS

Yesterday, we advised you to use Exchange Administrator to set permissions as the Exchange server admin. However, sometimes your users may want to allow other users on the network to access their mailboxes; of course, this is the kind of task that drives busy admins crazy. So, you may want to distribute this quick walk-through of client-side permission configuration to managers or experienced users. It probably wouldn't hurt to give a heads-up to your help desk, as well.
  • 1. Start the Exchange client (typically Outlook or Outlook Express).
  • 2. Make sure you are viewing the Folder List.
  • 3. Select the mailbox in question from the Folder List.
  • 4. Right-click on the mailbox and choose Properties.
  • 5. Click on the Permissions tab.
  • 6. Use the Add button to add users.
  • 7. Click OK.
  • 8. Highlight the new user and allocate a role (you must give them at least Reviewer status or they won't be able to open the mailbox).
You can also customize the new user's role by using the check boxes.

IS THE SERVER YOU LOVE A SPAM RELAY?

Many administrators don't find out that it's possible for their mail servers to be used to relay spam or other unauthorized messages until someone has already done so. How does this happen? Unfortunately, the default configuration of many types of mail servers, including Microsoft Exchange, allows open SMTP relaying. This feature lets anyone use an SMTP mail client program to send a message to your mail server, which in turn relays it to one or more (or hundreds) of external addresses. In the early days of the Internet, admins left this feature enabled in the spirit of openness and cooperation. Today, however, it is too often abused and should be disabled if you want to spare yourself and your company the embarrassment of being an unwitting relay for spam.
The Open Relay Behavior-modification System (ORBS) is a grassroots effort to increase awareness of open SMTP relaying. ORBS tests mail hosts for open SMTP relaying and lists a host's IP address in its database if it finds that the host is an open relay. ORBS also notifies the host's Postmaster of its findings. You can query the ORBS database to find out whether your Exchange server is listed there. ORBS is somewhat controversial; many people think that because it "outs" open SMTP relays, it encourages spam. But ORBS insists that outing is simply a way to encourage administrators to protect their mail systems. We've published tips on restricting your Exchange server's SMTP relaying behavior, but you can also learn more by reading Microsoft Knowledge Base article Q193922.
http://www.orbs.org/
http://support.microsoft.com/support/kb/articles/Q193/9/22.asp

SETTING FOLDER PERMISSIONS WITH EXCHANGE ADMINISTRATOR

The advantage of setting folder permissions in Exchange Administrator rather than from the Exchange client is that you can specify that the permissions apply to all subfolders as well. If you don't take this approach and a user adds a folder to Favorites, the link to the original folder bypasses all permissions later assigned to that folder. To prevent this potential confusion, open Exchange Administrator and execute the following steps:
  • 1. Select the folder you want to modify from the left panel.
  • 2. Click the Properties button on the toolbar.
  • 3. Select Client Permissions and change the appropriate settings, as you would in your Exchange client.
  • 4. Check Propagate These Properties To All Subfolders.
  • 5. Click OK.
  • 6. Within the Subfolders Properties dialog box, select Client Permissions.

SPAM WATCH, PART 1: PROTECTING YOUR TURF

Spam senders are pretty smart; they've figured out how to relay their unsolicited messages through well-known Internet servers to trick the ultimate recipient into believing that the mail is from a trusted host. Fortunately, Internet Mail Service includes several features that let your server sort the spam from legitimate Internet mail. (If you want more details on any of the tactics we describe in this series of tips, check out the Readme files that come with the Exchange 5.5 Server CD.)
The first step in protecting your server from spam is to set a list of sender domains that you want to block messages from and the place where you want to redirect this offensive mail. The blacklist for mail senders is called TurfList; blocked messages are sent to TurfDir. NOTE: When mail is blocked in this fashion, the sender does not receive a notice from your server.
Setting up this level of protection requires you to edit the Exchange server's registry. Navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters and add the following values:
TurfDir (REG_SZ): specifies the directory where aborted messages are moved. Microsoft suggests that you send the messages to Exchsrvr\Imcdata\Turfdir, where Exchsrvr is the directory where the Microsoft Exchange Server files are located.
TurfTable (REG_MULTI_SZ): specifies the masks that filter spam messages. You can filter by domain or by user.
If you don't specify a TurfDir value, the server permanently deletes aborted messages. Before these settings take effect, you must stop or restart the Internet Mail Service and the Information Store service using Control Panel's Services applet.

SPAM WATCH, PART 2: TRACKING DELETED MESSAGES

Last time, we discussed using the TurfList to identify offending spammers and send their messages to a directory on your Exchange server. We also mentioned that if you don't set up a directory where aborted spam should be routed, Exchange Server automatically deletes these messages. But even if you elect not to archive all that spam, you may sometimes want a glimpse of who's sending what to your users. Regardless of your Internet Mail Service diagnostics logging settings, Exchange logs an event to the Application Event Log that details aborted file senders and message filenames. If you're using the Diagnostics Logging property page for Internet Mail archiving, you can locate automatically deleted files in the Internet Mail Service archive directory (Exchsrvr\Imcdata\In\Archive). For more information, see Microsoft Knowledge Base article Q155683.
http://support.microsoft.com/support/kb/articles/Q155/6/83.ASP

SPAM WATCH, PART 3: BLOCKING RELAY REQUESTS

As we mentioned earlier in this series, spammers not only send your users undesirable mail, they can also use your reputable servers as a relay to mask their messages' true nature. If your Internet Mail Service allows rerouting for POP3 or IMAP4 clients, it relays mail to non-local recipients. However, you can edit the server's registry to refuse RCPT commands that specify a non-local recipient.
Open the registry for editing, navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters, and add the following values:
RelayFlags (REG_DWORD): defines which relay control rules are in effect.
RelayDenyList (REG_MULTI_SZ): specifies hosts that cannot relay messages through your server.
RelayAllowList (REG_MULTI_SZ): specifies hosts that can relay messages through your server.
RelayLocalIPList (REG_MULTI_SZ): specifies the local IP addresses of the server to which an SMTP client can connect and relay mail. This is useful for multi-homed servers that have internal and external interfaces. Enabling IP forwarding disables this feature.
RelayDenyList, RelayAllowList, and RelayLocalIPList consist of a net and an optional mask per line. The exact syntax for editing RelayFlags and the other registry settings we discuss here can be quite complex. For more information, check out Microsoft Knowledge Base article Q193922.
http://support.microsoft.com/support/kb/articles/Q193/9/22.ASP

TAKE YOUR SETUP FOR A TEST SPIN

Before you even think about rolling out a new Exchange configuration, you need to test it in as realistic a simulation as possible. Most credible sources suggest you build what is known as a conference room pilot; in other words, take over a conference room and jam in as much hardware and networking gear as will fit. Be sure to include:
* Workstations that represent the array of your company's hardware and client software installs
* Servers of all shapes and sizes that you might employ
* UPSs
* Modems and telecom connections, particularly if you plan on supporting RAS
* Hubs and any other type of network connection that could possibly go wrong
In addition, ask your manager to help you secure the services of a few users in the company to help you simulate traffic, as well as users' unique ability to bring your solution to a grinding halt. If management balks at your request for these resources, be prepared to impress them with the estimated expense of one day's downtime due to unforeseen complications and insufficient planning. Any reasonable request will probably be approved.

THE UPS AND DOWNS OF ANONYMOUS LDAP ACCESS

An out-of-the-box Exchange Server installation enables anonymous access to your organization's directory via the Lightweight Directory Access Protocol (LDAP) on TCP port 389. If your Exchange Server's TCP port 389 is accessible from the Internet or another network, users outside your organization can use LDAP to look up Internet addresses for recipients in your organization. Microsoft intended this feature to be useful, but you should be aware that it is easily misused. If you leave anonymous LDAP enabled, savvy users can anonymously retrieve the Internet addresses of all of your organization's recipients and use the addresses to send unsolicited commercial e-mail or inappropriate messages.
To disable anonymous LDAP for your entire site, use Exchange Administrator to open your site's Configuration container and expand the Protocols child container. Then highlight LDAP protocol in the right pane and choose File | Properties. In the resulting LDAP Site Defaults Properties dialog box, select the Anonymous tab and deselect Allow Anonymous Access. Then click OK. Now, any Exchange server in your site that is configured to use the LDAP Site Defaults Properties will no longer allow anonymous access to your organization's directory. NOTE: Disabling anonymous LDAP access does have one unpleasant side effect: it renders Outlook Web Access to the server inoperable.

USE THE TURFTABLE TO STOP SPAM

Spam, the unavoidable plague of unsolicited e-mail messages from the Internet, is something that every Exchange administrator must eventually deal with. Exchange Server 5.5 includes the TurfTable, a primitive spam filter. While this tool doesn't have the sophisticated features that some third-party tools have, it will get the job done in a pinch. To enable this tool, you must modify the registry of the Exchange server that runs your Internet Mail Service (IMS). Use REGEDT32.EXE to open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters and add this REG_MULTI_SZ value: TurfTable. In the Multi-String Editor dialog box, enter the mask entries, one per line, that identify the offending spammers. Use the following formats to generate mask entries:
#@spamdomain.com - flags all messages sent by spamdomain.com
@spamdomain.com - flags all messages sent by spamdomain.com and its subdomains
user@spamdomain.com - flags all messages sent by user@spamdomain.com
When you stop and restart your IMS, it will automatically discard all messages flagged by the TurfTable's mask entries. For more information on the TurfTable, see the Microsoft Exchange Server 5.5 Release Notes in the README.doc file in the root directory of your Exchange Server 5.5 installation CD-ROM.

USING THE CLEAN MAILBOX TOOL

Has a user called to complain that his or her mailbox has exceeded its size limit and he or she is unable to send messages? If so, you may need to use the Clean Mailbox tool to quickly reduce the size of the mailbox. To do this, open Exchange Administrator and select the user's mailbox in the Recipients container. Then choose Clean Mailbox from the Tools menu. In the Clean Mailbox dialog box, select the criteria that identify the messages you want to delete. Criteria include message age, size, and status (read or unread). You have the option of deleting the items immediately or moving them to the Deleted Items folder. After choosing your options, click OK to clean the mailbox and purge the messages that match your deletion criteria. This tool is especially handy for cleaning out stuffed mailboxes that users have left unattended for lengthy periods of time.
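As an added illustration (not code from this page or from Microsoft) of the TurfTable mask semantics described in SPAM WATCH, PART 1 and USE THE TURFTABLE TO STOP SPAM above, the following Python models how an IMS would classify a sender against the three mask forms (#@domain, @domain, user@domain) and what becomes of a flagged message with and without a TurfDir. The table entries and sender addresses are constructed examples; the disposition rules follow the page's own statements that flagged mail is moved to TurfDir if one is set and permanently deleted otherwise, with no notice to the sender.

```python
"""Model of Exchange 5.5 IMS TurfTable matching (added illustration, not Microsoft code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class TurfMask:
    kind: str    # "exact_domain", "domain_tree" or "address"
    value: str   # lower-cased domain or full address

    @classmethod
    def parse(cls, line: str) -> "TurfMask":
        """Parse one REG_MULTI_SZ line of the TurfTable in the three forms given on this page."""
        line = line.strip().lower()
        if not line:
            raise ValueError("empty TurfTable entry")
        if line.startswith("#@"):
            return cls("exact_domain", line[2:])   # #@spamdomain.com: that domain only
        if line.startswith("@"):
            return cls("domain_tree", line[1:])    # @spamdomain.com: domain and its subdomains
        if "@" in line:
            return cls("address", line)            # user@spamdomain.com: one sender
        raise ValueError(f"unrecognised TurfTable entry: {line!r}")

    def matches(self, sender: str) -> bool:
        """True if this mask flags mail from `sender` (case-insensitive)."""
        sender = sender.strip().lower()
        local, sep, domain = sender.rpartition("@")
        if not sep or not local or not domain:
            return False   # malformed sender: no mask can apply
        if self.kind == "address":
            return sender == self.value
        if self.kind == "exact_domain":
            return domain == self.value
        # domain_tree: the domain itself or anything ending in ".<domain>"
        return domain == self.value or domain.endswith("." + self.value)


def load_turf_table(multi_sz: Iterable[str]) -> List[TurfMask]:
    """Build the mask list from the REG_MULTI_SZ lines, skipping blank lines."""
    return [TurfMask.parse(line) for line in multi_sz if line.strip()]


def dispose(sender: str, table: List[TurfMask], turf_dir: Optional[str]) -> str:
    """Return what the IMS does with a message from `sender`:
    'deliver' (no mask hit), 'move:<dir>' (hit, TurfDir set) or 'delete' (hit, no TurfDir).
    In either flagged case the sender receives no notice, as the page states."""
    hit = next((m for m in table if m.matches(sender)), None)
    if hit is None:
        return "deliver"
    return f"move:{turf_dir}" if turf_dir else "delete"


if __name__ == "__main__":
    # Constructed TurfTable and senders; none of these are real addresses.
    table = load_turf_table(["#@spamdomain.com", "@bulk.example", "nag@vendor.example"])
    for who in ("anyone@spamdomain.com", "anyone@mail.spamdomain.com",
                "x@news.bulk.example", "x@notbulk.example",
                "NAG@Vendor.Example", "sales@vendor.example"):
        print(f"{who:30} -> {dispose(who, table, None)}")
```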
WHO'S USING THAT INTERNET ADDRESS?

As you probably know, you can assign more than one Internet address to a recipient. This practice is known as creating Internet address aliases and can be very useful when you need to provide an easy way for users outside your organization to contact groups or individuals in your organization. For example, you might create a distribution list that contains your company's system administrators. This distribution list may have the display name @SysAdmins for use inside your Organization, but by creating Internet address aliases you can make this distribution list known as security@mycompany.com, administrator@mycompany.com, sysadmin@mycompany.com, or a dozen or more other aliases on the Internet. To add an Internet address alias to a recipient, simply open the Custom Recipient's Properties sheet and click the E-mail Addresses tab. Then click the New button and add an Internet address. Once you've become accustomed to assigning multiple Internet address aliases to a single recipient, you'll find that you've lost track of who's using which aliases. You'll usually find this out when you try to assign an alias that's already assigned to another recipient. Unfortunately, Exchange Administrator doesn't let you search for recipients by Internet address alias. The easiest way to find out which recipient is using an alias is to open a New Message window in Outlook. Then type the alias in the To: field and press [Ctrl]K. Outlook will resolve the alias to the Display Name for the recipient in your Organization.

CALL THE DOCTOR BEFORE THINGS GO WRONG

Troubleshooting application errors that crash your Exchange Server services and the Windows NT 4.0 OS can be extremely difficult if your server doesn't log application crash dump information. We recommend that you configure your Exchange servers to use Dr. Watson to create these log files when a crash dump occurs. If your Exchange server is crashing consistently and you plan to call MS Premier support for assistance, odds are good that Microsoft will ask you for crash dump Drwtsn32.log and user.dmp files. So save yourself some time and make sure that you're collecting the info before you call for support. Dr. Watson is a Windows NT debugging tool that can log application crash dump information to the Drwtsn32.log text file and log data to the user.dmp file. Using the user.dmp file requires a User mode debugging tool like Windbg.exe.
To install Dr. Watson as the default debugger, run drwatsn32-I at the command. Then run drwatson32 at the command prompt with no parameters to open the Dr. Watson For Windows NT Options dialog box. Configure the options for drwatson.log and user.dmp (crash information). Be sure to deselect the Visual Notification option to allow Dr. Watson to log the crash information without requiring user intervention. This will allow services that have crashed to stop completely; they will restart if you've configured service-monitoring tools to restart them. Then click OK to close the Options dialog box. Please note: Your server must have a pagefile on its system partition equal in size to its physical memory in order to capture dump information. CAPTURING PERSISTENT MTA CRASH INFORMATION When your Exchange Server's Message Transfer Agent (MTA) logs a fatal error (an event log error with a severity level of 16), it's designed to try to recover from the error and then attempt to shut itself down cleanly. If the MTA cannot shut down cleanly, it may "hang" and require you to kill its process. When you have to kill the process, the MTA doesn't write other significant events that could help explain why the crash occurred to the event log. If you're having a problem with persistent and unexplainable MTA crashes or hangs, you may want to temporarily suspend the MTA's ability to recover from a fatal error. Doing so will cause the MTA to shut down immediately when it encounters a fatal error. If you've configured Dr. Watson as your default debugger (as we explained in a previous tip), it will capture the MTA's dump information to user.dmp and you can use this info for debug analysis. To suspend the MTA's ability to recover from a fatal error, you must make a registry change. 1. Start Regedt32 and open the key HKEY_LOCAL_MACHINE on Local Machine. 2. Open SYSTEM/CurrentControlSet/Services/MSExchangeMTA/Parameters. 3. Choose Add Value from the Edit menu. 4. 
In the Value Name field, enter Raise Exception On Fatal Error. 5. In the Data Type box, enter REG_DWORD. 6. Click OK and enter the value 1 in the Data field. We recommend that you use this registry setting until you've been able to successfully troubleshoot your MTA problems and then set the value of the key to 0 when your system is stable. This will allow the MTA to try to shut itself down if a different fatal error occurs. CONFIGURING THE TURF TABLE WITHOUT EDITING THE REGISTRY In a previous tip we explained how to edit your Exchange Server's registry to configure Exchange's TURF table--a table of usernames and domain names. As you may know, Exchange Server will reroute messages received from the usernames and domains in the TURF table to its TURF directory instead of delivering them to local recipients or rerouting them. If the TURF directory doesn't exist, Exchange will simply delete the messages. A tip reader wrote to suggest an easier way to configure the TURF table that doesn't require tricky registry editing. Simply open Exchange Administrator and view the Properties dialog box for your Internet Mail Connector. Then, select the Connections tab and click the Mail Filtering button. In the resulting Message Filtering dialog box you will find an interface that allows you to configure all of the options that we showed you how to configure by editing the registry. To keep messages instead of deleting them, deselect the Delete Messages Instead Of Moving Them To The TURF Directory option. EDITING PUBLIC FOLDER PERMISSIONS FROM THE COMMAND LINE Exchange tip reader Mark Turner asks, "Is there a way to append permissions to public folders and all the subfolders like you can with CACLS.EXE for NT permissions?" Yes, there is a way to set, modify, and extract permissions for your Exchange Organization's Public Folder Hierarchy from the command line. 
For this job, there's a command-line tool called PFADMIN.EXE, which is included in the Microsoft BackOffice Resource Kit, second edition. If you've used the Windows NT Server 4.0 Resource Kit's CACLS.EXE, you'll find PFADMIN.EXE very familiar. To use PFADMIN.EXE, install Outlook on your workstation or server and create a MAPI profile that logs on to a mailbox that uses the Exchange service account as its primary Windows NT account. PFADMIN.EXE can also extract public folder permissions to a file and later use the file to reapply the extracted permissions. This can be a lifesaver if permissions have been manually misapplied and propagated through subfolders. For more information on PFADMIN.EXE, see the documentation that comes with the BORK or read Microsoft Knowledge Base article Q199319 to learn how to use the tool to extract public folder permissions. http://support.microsoft.com/support/kb/articles/Q199/3/19.asp GET YOUR POST-SP3 HOTFIXES! No service pack would be complete without a handful of post-service pack hotfixes! Now that you've just gotten around to putting Exchange Server 5.5 Service Pack 3 on all your production servers, you'll need to read up on the hotfixes. But remember, apply them only if they fix a problem that you're experiencing. For a comprehensive overview of the available post-SP3 hotfixes, see Microsoft Knowledge Base article Q248838. http://support.microsoft.com/support/kb/articles/Q248/8/38.asp Note that if you reapply an Exchange Service Pack after applying hotfixes, you'll need to reapply the hotfixes as well. But if you didn't remove the hotfixes before reapplying the Service Pack, HOTFIX.EXE may return an error when to try to apply a hotfix. See Microsoft Knowledge Base article Q180002 for details on how to reinstall hotfixes after reapplying a Service Pack. 
http://support.microsoft.com/support/kb/articles/Q180/0/02.asp

PROPAGATING FOLDER PERMISSIONS WITH EXCHANGE ADMINISTRATOR
The advantage of setting folder permissions in Exchange Administrator rather than in the Exchange client is that you can set your permissions to apply to all subfolders as well. However, there is a drawback to this approach--if a user has added a folder to Favorites, that link to the original folder bypasses all permissions later assigned to that folder. To prevent this potential conflict, open Exchange Administrator and execute the following steps:
1. Select the folder you want to modify from the left pane.
2. Click Properties on the toolbar.
3. Select Client Permissions and change the appropriate settings, as you would in your Exchange client.
4. Check Propagate These Properties To All Subfolders.
5. Click OK.
6. Within the Subfolders Properties dialog box, check Client Permissions.

REDUCE YOUR IMS'S DEPENDENCY ON DNS
The mail must go through, and as a good administrator, you'll take the extra steps needed to make sure it does. But if you administer a small organization, your Exchange server probably uses your ISP's DNS to resolve host names to the IP addresses of the servers that receive mail for a domain. If so, your Exchange Server's Internet Mail Service (IMS) would be unable to send mail if your ISP's DNS servers were unavailable. To eliminate this dependency, you could implement your own in-house DNS server. However, since all systems are subject to failure, any DNS outage could still render your IMS incapable of sending mail.
Fortunately, Exchange Server's IMS lets you create a table that overrides DNS resolution. You can use this feature to create a permanent host name-to-IP mapping for domains that are critical for your organization. For example, you may want to create mappings for the domains of your business partners or key vendors. To do this, follow these steps:
1. Start Exchange Administrator.
2. Open IMS Properties and select the Connections tab.
3. Click E-mail Domain. In the resulting E-mail Domains dialog box, click Add, and the Add E-mail Domain button will appear.
4. Enter the domain in the E-mail Domain field.
5. Select the Forward All Messages For This Domain To Host option and enter the IP address of the host that receives mail for the domain.
6. Click OK three times to close the dialog boxes.
Stop and restart the server's IMS. Now your Exchange server will be able to resolve the critical host names even if a DNS outage occurs. Just remember to update the mappings if the IP address of the domain's mail server changes.
Also note: Your Exchange IMS never uses its local HOSTS file to resolve IP addresses for a domain's mail server. Microsoft purposely designed the IMS to overlook this conventional form of host name resolution to prevent an out-of-date HOSTS entry from affecting mail delivery.

TEST YOUR RPC CONNECTIVITY WITH RPINGS.EXE
As you may know, Exchange server-to-client and intrasite Exchange server-to-server communication takes place via RPC (Remote Procedure Calls). Though the Windows 9x and Windows NT operating systems come with tools that allow you to easily check TCP and other network protocol connectivity between machines, you'll need a special tool to check RPC connectivity between an Exchange server and its clients or other servers. Microsoft provides the RPINGS.EXE server application and its companion client application RPINGS32.EXE on the Exchange Server 5.5 CD-ROM. These tools behave much like their TCP cousin, PING.EXE. You run RPINGS.EXE on Machine A and RPINGS32.EXE on Machine B, then use Machine B's RPINGS32.EXE diagnostic to "rping" the RPINGS.EXE running on Machine A. For a complete diagnosis, reverse roles by running RPINGS.EXE on Machine B and RPINGS32.EXE on Machine A, and perform the test again.
THE QUESTION:
TechRepublic reader jlichtefeld@airguard.com wanted information about the quickest and safest way to back up an entire system from one NT Exchange Server to another in preparation for an upgrade. Copy and paste this URL into your browser:
www.techrepublic.com/trbbs/message_detail.jhtml?thread_id=2882&thread_title=NT+Exchange+Server+&ooc=open
THE ANSWER:
Reader MCSE Lee suggested creating another Exchange Server in the same Site and using the Move Mailboxes feature from the Tools menu. Lee also advised jlichtefeld to obtain another server license if the backup server is to be used for an extended period of time.

CHECKING THE PRIVATE INFORMATION STORE
It's a good idea to clean house before problems develop. Here's how to check the physical resources being used by every mailbox on a server:
1. Open Exchange Administrator.
2. Select the site you want to work with.
3. Select the Configuration container.
4. Select the Servers container to display all the Exchange servers.
5. Select the server that holds your Private Information Store.
6. Highlight Private Information Store.
7. Select Properties from the File menu.
8. Within the resulting dialog box, select the Mailbox Resources tab.
Now you can see where your resources are going and either move some mailboxes to another server, clean out the overloaded mailboxes, or set up mailbox storage limits.

LOCKING DOWN SERVER-TO-SERVER INTERNET CONNECTIONS
When configuring an Internet Mail Service connector, you may want to take some additional security steps to protect your data as it goes flying around the Internet from Exchange server to Exchange server. In particular, you may want to configure Exchange to encrypt all data--including directory and replication messages--and configure connected servers to accept only authenticated, encrypted information. Here are four IMS settings you may want to employ to improve security on servers connected via the Internet.
(These settings do interfere with the ability to send general Internet mail, so use them judiciously.)
1. Click Specify By Host and then click Add. Enter the remote server's subnet mask and IP address. Also specify that the host must use authentication and encryption.
2. Specify the host name or IP address of the remote server under Message Delivery.
3. Select the Address Space tab. Delete the default settings, enter a new address space of type SMTP, and use the domain name of the remote server as the address. (This blocks routing of general Internet mail.)
4. Select the Security tab. Click Add and then enter the remote site's address. Select the Windows NT Challenge/Response option, then set the Exchange Site Service account as the validator.

PROTECTING AND OPTIMIZING YOUR TRANSACTION LOGS
Every Exchange administrator should understand the importance of Exchange transaction logs. Exchange uses its transaction logs to record database transactions to disk before committing the transactions to its database, and it uses these logs to perform a soft recovery after a system crash. Exchange writes the logs to disk in contiguous blocks to optimize disk writes and transaction logging performance.
The best place to put your transaction logs depends on many factors. However, when configuring Exchange Server, try to follow these rules whenever feasible:
1. Always make sure there is plenty of room on the volume where you place the transaction logs, and monitor disk space availability. When Exchange Server runs out of room for transaction logs, it shuts itself down.
2. Do not put transaction logs on the same volume as the Exchange databases themselves or other files shared by applications. Doing so makes the logs contend with other files for disk space and requires the disk's head to move to different parts of the disk while performing writes.
3. Use RAID 1 (mirroring) to protect your log files. Small SCSI disk drives are now inexpensive enough that you can justify the benefit of mirroring two of them and using them exclusively for Exchange transaction logs.
Remember that even if the array or volume holding your Exchange databases stops functioning, you can recover up to the minute of failure if you have a tape backup of the database and your current transaction logs.

DELIVERING EXTERNAL MAIL TO PUBLIC FOLDERS
You'll probably find that Public Folders are a better alternative to shared mailboxes when you need to let multiple users share e-mail or other documents centralized in a single container. If you use an Internet Mail Connector in your Organization, Exchange will assign an SMTP alias to each Public Folder that you create. However, if the Public Folder's permissions for the default user are set to None, users outside your Organization who don't have another defined permission role will be unable to send mail to the folder via its SMTP alias.
There are two methods to allow users outside your Organization to send e-mail to a Public Folder via its SMTP alias:
1. You can allow all outside users to send to the folder by setting the folder's default permission role to Author instead of None.
2. You can allow only specific outside users to send to the folder by creating Custom Recipient entries for the users' own SMTP aliases and then assigning the permission role of Author to their Custom Recipient entries.

ENABLING POP3 AND IMAP LOGGING
If you support mail clients that use Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP) to read mail from your Exchange server, you may be perplexed when troubleshooting client authentication and connectivity problems. Or maybe you'd just like to know who's using these protocols to read mail from your server and where they're connecting from. Why doesn't Exchange Administrator let you log and review POP3 and IMAP communications with a server? No one but Microsoft knows the answer.
Fortunately, you can configure Exchange Server to log POP3 and IMAP activity to a flat text file by editing the registry. Read Microsoft Knowledge Base article Q182504 for details on how to do this. Be warned that these text log files can grow rather large very quickly, depending on the logging level that you use and your server's activity level.
http://support.microsoft.com/support/kb/articles/Q182/5/04.asp

ENABLING SMTP LOGGING
Troubleshooting problems associated with Simple Mail Transfer Protocol (SMTP) communications between servers can be difficult if you don't know what the servers are saying to each other. Fortunately, you can use Exchange Administrator to enable SMTP logging, which records SMTP conversations in a flat text file.
To enable logging, start Exchange Administrator and open the server's Internet Mail Service Properties. Select the Diagnostic Logging tab, select SMTP Protocol Log, and set its logging level to Maximum. When you stop and restart your Internet Mail Service, it will log all SMTP activity in a file named L000000X.log (where X is the log serial number) in the Exchsrvr\Imcdata\log directory. These log files can get rather large, so it's a good idea to enable logging only while you're trying to troubleshoot a problem and then turn it off when the problem is resolved.

PROVIDING NAME RESOLUTION FOR REMOTE CLIENTS THAT DON'T USE WINS
If your remote clients don't use WINS servers for NetBIOS name resolution, they may be unable to connect to your Exchange server if they can't resolve the server's computer name (given in the Outlook profile) to an IP address. When they try to connect, they may receive the error "Network problems are preventing connection to your Microsoft Exchange server. Please contact your system administrator," even though the server is perfectly functional. To provide name resolution, add an entry to the client's LMHOSTS file for the Exchange server's computer name.
Then, to refresh the NetBIOS name cache, type nbtstat -R at the command prompt. The LMHOSTS file itself contains instructions for adding an entry. Once the entry is added, remote clients should be able to resolve the name to an IP address and connect to the server.
Note: If the Exchange server's IP address changes, you'll need to change the LMHOSTS entry on each client.

OUTLOOK WEB ACCESS, OFFICE 2000, AND EXCHANGE SERVICE PACK 3 ARE A BAD MIX
Does applying a service pack make you nervous? If not, it should. As a savvy Exchange administrator, you should understand that every time you apply a service pack you are potentially trading old problems for new ones. Applying Service Pack 3 to your Outlook Web Access server will cause problems for clients that have Microsoft Office 2000 installed: these clients will be unable to use Outlook Web Access to open Office documents attached to e-mail messages. This problem is described in Microsoft Knowledge Base article Q244744, and there is currently no hotfix available.
http://support.microsoft.com/support/kb/articles/Q244/7/44.asp

VERIFYING .EXE AND .DLL VERSIONS AFTER HOTFIXES AND UPGRADES
Have you applied, and possibly even reapplied, so many hotfixes and service packs to your Exchange Server that you've lost track of them all? If so, you may run into problems when applying Exchange add-ons and third-party tools that depend on specific versions of core Exchange .exe and .dll files. Microsoft Knowledge Base article Q243604 lists the file size, revision date, and version number of all Exchange Server executable and dynamic link library files and their corresponding service pack levels. If you have .dll conflicts, we recommend that you verify your server's current file versions and descriptions against the lists given in this article. To capture file size, date, and version information en masse, use the Filever.exe command-line utility from the Windows NT Resource Kit.
http://support.microsoft.com/support/kb/articles/Q243/6/04.asp
http://support.microsoft.com/support/kb/articles/Q183/7/13.ASP

WHEN AUTO-FORWARDING RULES DON'T WORK LIKE THEY SHOULD
Have you ever created a mailbox rule to automatically forward messages to an Internet address and found that the rule didn't work when you knew that it should? This can be an incredibly frustrating problem, since Exchange doesn't generate an error or a warning message to tell you that your rule isn't working properly. The root cause of this problem is that Exchange Server 5.5 doesn't know the difference between an auto-forward to the Internet and an auto-reply to the Internet. If you've configured your Exchange Server to disable auto-replies to Internet messages (an option in Internet Mail Service Properties), you've also prevented Exchange Server from auto-forwarding messages to the Internet.
Fortunately, Exchange Server 5.5 Service Pack 2 fixes this problem. If you haven't yet applied SP2, you can fix the problem by modifying the server's registry. See Microsoft Knowledge Base article Q192982 for more details.
http://support.microsoft.com/support/kb/articles/Q192/9/82.asp

WHEN OUTLOOK HANGS WHILE USING A SLOW CONNECTION
If you have users who connect to your Exchange server over slow WAN connections, they've probably complained that their Outlook or Exchange clients occasionally hang for no apparent reason. While your first thought might be to blame the slow connection, there is a documented bug in NT Server 4.0 that could account for this problem. As Microsoft Knowledge Base article Q232512 explains, NT Server 4.0 TCP/IP can prematurely retransmit packets to clients connected over slow connections and dramatically degrade client/server throughput. This OS behavior is especially problematic for the Exchange Information Store service, which uses RPC to communicate with clients.
Service Pack 6a for Windows NT Server 4.0 fixes this problem in the OS, though there are hotfixes available for previous service packs. If you're looking for a reason to apply NT Service Pack 6a to your Exchange Server, this could be it.
http://support.microsoft.com/support/kb/articles/Q232/5/12.asp

A BETTER DEFAULT ROLE FOR PUBLIC FOLDERS THAT RECEIVE INTERNET MAIL
In a previous tip ("Delivering external mail to Public Folders," Jan. 20, 2000), we explained that you could allow Internet users to send e-mail to a Public Folder's SMTP alias. We recommended that you do this by setting the folder's default user role to Author. However, tip reader Jeff Brigham offered a better suggestion: Instead of setting the Public Folder's default permission role to Author, set it to Contributor. The Author role allows users to create and read items and files, and to modify and delete the items and files they create. The Contributor role only allows the user to create items and files; the contents of the folder are not visible. It's important to remember in this instance that the default user's role defines the role for users both outside and inside your Exchange Organization.

DISPELLING PHANTOM UNREAD MESSAGES
As an Exchange administrator, you'll eventually receive a complaint that Outlook's unread message counter shows an unread message when, in fact, no unread messages are visible in the mailbox. This symptom is often thought to be an indication of a serious problem, such as mailbox corruption. However, before you look any further, check the Outlook client's folder views and permissions. If the user changed the default folder view to a view that prevents Outlook from displaying the message, Outlook would still count the message as an unread item. Go to View | Current View | Customize Current View, and check the Filter option to determine whether there's a setting that's filtering the item from view.
Also keep in mind that if Delegate permissions are used to share the mailbox, a message marked Private would not be displayed unless the mailbox's associated NT account was logged into the mailbox. Use the associated NT account to log in to the mailbox, and then see whether you can see the message and whether it was marked Private.

DON'T REMOVE X.400 ADDRESSES FROM DIRECTORY OBJECTS
Yes, we know that you want to run a tight ship and keep your Exchange Organization's directory as tidy as possible. But don't be overzealous! We've heard from a few administrators who thought that the X.400 addresses they saw displayed in directory objects' Properties sheets were unnecessary. Remember that even though you and your users don't use X.400 addresses, Exchange does, and removing an object's address can have dire consequences.
So what's an X.400 address for, you ask? X.400 is a CCITT standard that governs the exchange of all kinds of electronic messages, including e-mail, faxes, and even voicemail. Exchange Server 5.5 uses X.400 addresses to route messages internally.

OPTIMIZING YOUR IMS FOR A DIAL-UP CONNECTION
When you install an Internet Mail Service (IMS) connector on your Exchange 5.5 server, the connector is optimized for LAN (10 MB or better throughput) connection speeds. If your IMS must use a dial-up connection to send and receive mail, we recommend that you configure the connector to forward all of its mail to your ISP's SMTP server. This configuration keeps your connection overhead to a minimum, as it puts the tasks of DNS resolution and final delivery on your ISP's server, not yours.
You will also need to configure the IMS's Advanced Transfer Mode options to limit the maximum number of inbound and outbound connections, but increase the maximum number of messages transferred in a single session to a higher value (between 40 and 60). To configure these options, open IMS Properties, click the Connections tab, and then click Advanced Transfer Mode Options.
GETTING ANSWERS TO FREQUENTLY ASKED QUESTIONS
Before you solicit an expert resource for advice, it's always a good idea to do your homework first. For example, one of the most common questions asked by new administrators about Exchange Server 5.5 is: "Can you configure Exchange Server to append a global signature to all e-mail messages?" The answer, unfortunately, is no. If you have a question regarding Exchange Server, you can save yourself a lot of time by checking one of the many FAQ (Frequently Asked Questions) files available on the Internet. One excellent FAQ site is Exchangefaq.org.
http://www.exchangefaq.org/

LOG RECORD STALLS/SEC
If you're having performance problems with Exchange Server, it might be because you have too few log buffers. When Exchange is ready to write something to a log buffer and there isn't one available, it has to wait until one is. That wait becomes a bottleneck that can impair the performance of your system.
On your Exchange Server, open Performance Monitor, go to the Database object, and check the Log Record Stalls/sec counters for your information store and directory. If they're greater than zero more than occasionally, you'll need to take corrective action. Open the Registry Editor and add a DWORD value named Log Buffers to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem key. The default value is usually less than 80, so try setting it to 256 or even 512. Each log buffer holds a single log sector (i.e., a sector on your log drive), which is typically 512 bytes.

ALTERNATE RECIPIENT
If you have users who go away on trips but need their mail forwarded to someone else or to an outside account, then you'll want to use Exchange's Alternate Recipient settings. On the Delivery Options tab of the mailbox's Properties sheet, you can specify the mailbox of another user to whom the mail should be redirected.
An interesting option that you may want to give some thought to is whether you want the mail delivered to both the original recipient and the alternate, or just to the alternate. Sending to both has the advantage that when the original recipient comes back (or checks in), all of his or her mail is there. Sending to just the alternate, however, allows that person to sort the mail, purge what's junk, and decide what can be readily handled by the alternate, so the original recipient has only the important, pending messages to deal with upon return.
A word of caution: If the original recipient handles potentially confidential information, it's a good idea to notify others in the company that the alternate will be reading their e-mail while the intended recipient is away. It would be an ugly situation for someone in the firm to send the original recipient a confidential message, unaware that it was going to be delivered to an alternate recipient who might not otherwise be privy to that information.

CONNECT THROUGH PROXY
If you have a Proxy Server connection to the Internet, you can use that Proxy Server to transfer your Internet e-mail in and out. It's really quite easy to do. (Note: This assumes you have the Internet Mail Service installed on your Exchange server.)
The first step is to make sure that the Winsock Proxy client configuration is set so that clients connect to the Proxy via IP address (and not machine name). Then install the Proxy Client software on your Exchange server and configure the DNS settings on the Exchange server to use appropriate DNS servers for Internet addresses. Once that's done, you'll need to create two text files--both called Wspcfg.ini--and place them in the appropriate directories.
The first one goes in the same directory as the Msexcimc.exe file and contains these lines:

    [MSEXCIMC]
    ServerBindTcpPorts=25
    Persistent=1
    KillOldSession=1

The second one goes in the same directory as the Store.exe file and contains these lines:

    [STORE]
    ServerBindTcpPorts=110,119,143
    Persistent=1
    KillOldSession=1

If you're using access controls on your Winsock Proxy, you'll need to make sure to grant access to the account that starts the Exchange services. Once that's done, restart the Exchange server, and it should now be able to listen for (and transmit) messages via the Internet Mail Service through the Proxy Server. The last step is to make sure that your ISP has your MX and A records pointing at your Proxy Server so that incoming mail will arrive at the Proxy Server--where the Exchange server will be listening.

THE QUESTION:
TechRepublic reader mgonzales@oak-tree.net runs Proxy Server 2.0 and Exchange on the same server and needed to know why, after enabling dynamic packet filtering, SMTP mail was unable to make it through the Proxy Server. Enabling the Ident protocol did not solve the problem. Copy and paste this URL into your browser:
www.techrepublic.com/trbbs/message_detail.jhtml?thread_id=4303&thread_title=Unable+to+Receive+E-Mail&ooc=open
THE ANSWER:
User dlindgren@nationalstandard.com recommended looking at Microsoft Knowledge Base article Q176771, adding that enabling packet filtering would block e-mail in this case.
http://support.microsoft.com/support/kb/articles/Q176/7/71.ASP

CLEANSWEEP
A new tool for cleaning out Exchange mailboxes is now available in the BackOffice Resource Kit. It's called CleanSweep, and it can be used to clean out permissions, views, rules, and even forms from an Exchange server mailbox. CleanSweep runs as an add-in to Outlook or the Exchange client.
The two "gotchas" are (1) in order to run it, you have to have a profile that opens the mailbox you want to clean, and (2) it doesn't work with the Win95 Exchange client version 4.0 (but it does with the NT Exchange client 4.0). For Win95 you'll need the Exchange client version 5.0 or Outlook to run CleanSweep. You can obtain detailed instructions for installing and using CleanSweep from Microsoft Knowledge Base article Q174045.
http://support.microsoft.com/support/kb/articles/Q174/0/45.ASP

SINGLE-INSTANCE STORE VS. PSTs
In some cases it may seem attractive to set your users up with .pst files rather than having them store their mail in Exchange mailboxes, but there are several good reasons NOT to:
1. They can get corrupted, especially by those users who like to power their machines down at the end of the day without bothering to actually shut down Windows properly.
2. They can't be shared--a user who needs to access someone else's calendar, for example, won't be able to while that person is using it.
3. Do you back up your Exchange server? How about each individual C drive?
4. Single-instance storage--the same message sent to 50 people is stored just once on an Exchange server; pointers in each mailbox let each user open it. The same message sent to 50 people using .pst files is stored 50 times, which obviously takes a lot more disk space.
5. It's not very secure--there are a number of utilities available to break the passwords on .pst files.
The one thing you should use .pst files for is archival. The AutoArchive tool in Outlook can help keep your mailbox lean and clean by moving older items to a .pst file.

EXCHANGE SERVER UPDATE TIP OF THE WEEK: MAKING PUBLIC FOLDER CONTACTS AVAILABLE VIA THE ADDRESS BOOK
(contributed by Ric Liang, rliang@wei.org)
Many clients want to make better use of Exchange's workgroup functionality, especially when it comes to shared contacts.
Rather than having each client have a copy of the same contact, it's advantageous to put the contact into a Shared Public Folder (SPF). Once the contact name is in the SPF, any number of people can access it. If a client wants to perform name resolution on the SPF, you must make the SPF part of that client's addressing list search. To do this, proceed as follows:
1. Create a Contacts type Public Folder, and name it (e.g., IT Business Contacts).
2. Add \Public Folders\All Public Folders\IT Business Contacts to your Favorites by right-clicking and selecting Copy. Choose your Favorites as the destination (not to be confused with your Web favorites). This step creates a pointer to the SPF without duplicating the data. Your \Favorites\IT Business Contacts folder will automatically reflect any changes made to \Public Folders\All Public Folders\IT Business Contacts.
3. In the Properties of \Public Folders\Favorites\IT Business Contacts, select the Outlook Address Book tab and enable "Show this folder as an email Address Book."
4. In Outlook, select Tools, Services, Addressing tab. Click the Add button and include the reference to the new IT Business Contacts item. (This step is necessary only if you require name resolution.)
Clients can now search through their personal contacts and workgroup business contacts when sending messages. Another advantage is that by creating a Favorites folder item, a user can enable that folder for synchronization and use it when offline, and traveling users can access the workgroup contacts even when they're not in the office or connected over RAS.

THE ROLE OF THE KEY MANAGEMENT SERVER
To use the advanced security features built into Microsoft Exchange Server, you must configure at least one server in your Exchange Organization as the server that stores and manages the security database. This server is called the Key Management (KM) Server.
The KM Server creates public and private encryption keys, maintains backups of private encryption keys and public signing keys, generates temporary keys, and maintains the original copy of the revocation list. Before you can set up your users for advanced security, you must install the Microsoft Exchange Key Management Server by going to the SETUP\EXCHKM directory on your Exchange CD-ROM and running Setup.exe. When you install the KM Server, remember the following:
* The KM Server should be in the master domain if you're using a multi-domain model.
* The KM Server should be physically secure and backed up regularly.
* The KM Server must use the NTFS file system.
After you have installed the Key Management Server successfully, you should see a new object named Encryption under the Configuration container. Go to its Properties sheet. You'll be prompted for a password. By default, Exchange sets this password to "password." Here you can add or remove Key Management Administrators, who can enable advanced security for accounts, recover keys, revoke advanced security, and change the Key Management password.

TROUBLE INSTALLING KM SERVER
If you're installing Exchange's Key Management Server, you may get this error message: "Unable to get information about the sites in your organization. Verify the NT account you are logged on as has Microsoft Exchange Administrative rights and you have access on the TEMP directory before running setup." This is perplexing if you're sure the account under which you're logged on has full administrative rights to both the TEMP directory and to Exchange. Your next step should be to check the TEMP environment variable. If someone has changed the variable, that could be the cause of the trouble. Change it back and you'll probably be able to install KM Server without a problem.
"HASHING" OUT SECURITY Although sending a message is as simple as clicking a button on the client toolbar, Exchange is busy in the background ensuring, through a process called hashing, that your message reaches its destination unaltered. Hashing is a mathematical function that converts a message to a unique 128-bit number. The same message always hashes out to the same number, but if you change any part of the message it will hash to a different value. Exchange performs the hash function on both the sending and the receiving ends and compares the values to make sure the message contents are the same. But keep in mind, this process requires a great deal of processing power, so most organizations only set up this level of security for a few departments, such as legal and human resources. HOW DOES KM SERVER GENERATE A SECURITY TOKEN? As the Key Management administrator (an Exchange administrator responsible for the maintenance of security), you can enable security for a specific mailbox or for a recipient container. You can enable security for a user in the Security tab of the user's Mailbox object. This tab was added when you installed the KM Server. Before you can go into the Security tab, Exchange prompts you for the KM administrator password. Only give this password to Exchange administrators who need to configure Exchange security. This allows you to separate security administrators from other Exchange administrators. When you click the Enable Advanced Security button, SECADMIN.DLL retrieves the location of the KM Server from the Exchange directory. It then passes the directory name of the mailbox and the KM administrator's password to the KM Service through encrypted remote procedure calls. Once the KM Service receives a request to enable advanced security for a mailbox, it creates a sealing key pair that's written to the Key Management database. 
The KM Service then generates a 12-character security token and passes it back to the administrator's console using encrypted RPC. The Exchange administrator program uses SECADMIN.DLL to decrypt the token. Once the token is generated, you must give it to whoever is going to configure security on the Exchange client. To be the most secure, deliver the token in person: anyone who obtains it before the user enrolls can complete the enrollment as that user, so treat it like a password and never send it in unencrypted e-mail.
WARNING EXCHANGE CLIENTS ABOUT MAILBOX SIZE LIMITS
(contributed by Ric Liang, rliang@wei.org)
Many organizations limit the size of clients' mailboxes to avoid overstuffed mailboxes and the continual disk upgrades that IT departments must perform as a result. Part of the process of limiting mailbox size is warning clients when their mailbox size nears the limit. If you warn clients too infrequently, they might reach or exceed their storage limit before they receive a warning. Conversely, if you warn clients too frequently, they might become annoyed and might not have a chance to clean up their mailboxes before the next warning message arrives. I recommend warning clients twice daily--once in the morning and once in the afternoon.
Exchange uses a 1-hour grid as the default view for setting the times when events occur. When you schedule the warning interval, use the 15-minute view; otherwise, a client will receive a warning at the top of the hour, quarter-past, half-past, and quarter-to. To schedule the warning messages to appear at 9:00 A.M. and 3:00 P.M.:
  • 1. Run Exchange Administrator.
  • 2. Select Site-name/Configuration/Information Store Site Configuration.
  • 3. Select the Storage Warnings tab.
  • 4. Change the Detail View to 15 Minutes.
  • 5. Click the columns to select 9:00 A.M. and 3:00 P.M.
APPLYING A SERVICE PACK TO A KM SERVER
When applying a service pack to a KM Server, you could receive this error message: "The system cannot find the file specified."
If this happens, it could be the result of the KM Server password having been added to the ImagePath registry value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSEXCHANGEKMS registry key. To correct the problem, remove the password from the value. Here's how:
  • 1. Open Regedt32.
  • 2. Highlight the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSEXCHANGEKMS registry key.
  • 3. Select the ImagePath value.
  • 4. Choose Edit | String.
  • 5. Remove the password. The value should contain only the full path to KMSERVER.EXE.
  • 6. Click OK.
Note: Remember, editing your registry can be risky; always have a verified backup before you begin. A password stored in ImagePath is also readable by anyone who can read that key, which is one more reason to take it out.
CHANGING THE EXCHANGE SERVICE ACCOUNT PASSWORD
You can change the Exchange Service account's password on the Service Account Password tab of the Site Configuration object's Properties sheet. After you change the service account's password there, the Exchange Administrator program reminds you to change the password in User Manager For Domains as well. If you don't also change it in your domain, you'll get a service logon failure the next time you stop and start the Exchange services.
COMPACTING THE INFORMATION STORE
Over time, the Information Store tends to become fragmented, and that can mean longer response times for your users. Although Exchange 5.5 normally takes care of this itself, there may be times when you want to manually defragment the Information Store. For this reason, Microsoft includes the ESEUTIL.EXE utility with Exchange 5.5. To run the utility, you must first stop the Information Store service (for the Private or Public Information Store) or the Directory Service (for the Exchange directory). The syntax for ESEUTIL.EXE is:
Eseutil /d [/ds | /ispriv | /ispub] [/l <log path>] [/s <system path>] [/b <backup file>] [/t <temp database>] [/p] [/o]
where:
  • /d = sets ESEUTIL to defrag mode.
  • /ds = defragments the directory store.
  • /ispriv = defragments the Private Information Store.
  • /ispub = defragments the Public Information Store.
  • /l = specifies the location of the log files.
  • /s = specifies the location of the system files.
  • /b = creates a backup copy of the store with the specified filename.
  • /t = sets the temp database filename.
  • /p = leaves the original file uncompacted and keeps the defragmented copy as the temp database.
  • /o = suppresses the normally displayed logo.
After the file has been defragmented, you must restart the service you stopped so users can again access their mailboxes.
ENABLING MESSAGE TRACKING
Messages sent to and from an Exchange server can be tracked to help resolve mail delivery problems. Message tracking can be enabled on the MTA, the Information Store, the MS Mail Connector, or the IMS. When message tracking is enabled, each component that handles mail records its activities in a log file. Keep in mind that message tracking is off by default, so you must enable it before you can use it.
To enable message tracking on the Information Store or MTA:
  • 1. Open Exchange Administrator.
  • 2. Highlight the Information Store Site Configuration or MTA Site Configuration object on which you want to track messages.
  • 3. Go to File | Properties | General.
  • 4. Select Enable Message Tracking and click OK.
To enable message tracking on the MS Mail Connector:
  • 1. Open Exchange Administrator.
  • 2. Highlight the MS Mail Connector object on which you want to track messages.
  • 3. Select File | Properties | Interchange.
  • 4. Select Enable Message Tracking and click OK.
To enable message tracking on the IMS:
  • 1. Open Exchange Administrator.
  • 2. Highlight the IMS on which you want to track messages.
  • 3. Go to File | Properties | Internet Mail.
  • 4. Select Enable Message Tracking and click OK.
After enabling message tracking, the affected services must be restarted on each server in the site before it takes effect.
MONITORING YOUR TRAFFIC
Most Exchange administrators are curious about how much traffic their servers actually handle. Luckily there's a fairly easy way to find out. Performance Monitor includes several counters that you can use to measure your total or average message throughput.
Within the Private Information Store object (MSExchangeIS Private), check the Messages Submitted or Messages Submitted/Min counter to monitor total traffic. Want to monitor your Internet Mail Service traffic? Depending on whether you prefer to see it measured in bytes, messages, or connections, you can find a counter to suit your needs in the MSExchangeIMC object (e.g., Outbound Messages/Hr and Inbound Messages/Hr). You can also monitor the number of concurrent clients you're supporting at any given time by checking the MSExchangeIS Private object's Client Logons counter, which tells you how many clients (including system processes) are currently logged on. The Peak Client Logons counter tells you the maximum number of concurrent logons you've had since the service was started.
RECOVER THE .OST
If you have a server crash or otherwise lose a mailbox and need to recover data from an .ost file, STOP! Before you do anything else, start the Outlook client in Offline mode as if nothing ever happened to your Exchange server. When it comes up, go to File | Import And Export and export all the folders and items to a .pst file. Only when you're satisfied that all the items have been successfully exported should you create the new server/mailbox and adjust the Outlook profile to connect to it. Once you can connect to the new mailbox, go to File | Import And Export and import the data from the .pst file you created into the new mailbox. It's VERY important that you start the Outlook client in offline mode to access that .ost file before you do anything else. If you connect to the new mailbox with that Outlook client first, it will lock you out of the .ost file, and there's no known way to recover it at that point.
SEPARATE YOUR EXCHANGE LOG FILES AND DATABASES
When setting up an Exchange server, you should put your log files on a separate spindle from the database. This is because of the way Exchange accesses a disk when writing to logs and databases.
When the system writes a piece of data to a log, it's appended to the file sequentially. When the system then applies this change to the database, the disk is accessed randomly. To maximize your system's performance, you want the disk head to move as little as possible. If you put the logs and the databases on one drive, the head will continually jump between the sequential log writes and the random database writes, and your performance will suffer significantly. If Exchange wasn't installed this way on your server, you can use Performance Optimizer, which offers you the option of moving the database files to a different disk drive if one's available.
SETTING EXCHANGE SO USERS CAN RECOVER DELETED ITEMS
Have your users ever asked you to recover e-mail that they accidentally deleted? In versions of Exchange prior to 5.5, the Exchange administrator had to restore the Private or Public Information Store. With Exchange 5.5, you can configure your server to retain deleted items for a set period of time. During this period, which is configurable by the Exchange administrator, a user can retrieve the deleted mail simply by highlighting the Deleted Items folder and selecting Tools | Recover Deleted Items (Outlook 98 or later).
USING THE INFORMATION STORE INTEGRITY CHECKER
The Exchange Server Information Store Integrity Checker, ISINTEG.EXE (located in the \exchsrvr\bin directory), finds and eliminates common Information Store database errors. You should use this utility if you can't start the IS service, if users can't access their mailboxes, or if you have to recover the IS database with something other than NT's native backup utility. You can run the utility in one of three modes: Check mode, Check And Fix mode, and Patch mode. Check mode searches the IS database for table errors, incorrect reference counts, and any objects that are not referenced. ISINTEG displays the results and also writes them to a log file.
Check And Fix mode checks for the same things as Check mode, but under this mode ISINTEG also attempts to fix any errors it finds. Patch mode is used when the Information Store will not start after being restored from an offline backup. The syntax for using ISINTEG in Check or Check And Fix mode is:
ISINTEG -pri | -pub [-fix] [-verbose] [-l <log file>] [-test <test name>]
where:
  • -pri = works on the private information store.
  • -pub = works on the public information store.
  • -fix = tells the utility to fix the errors it finds.
  • -verbose = provides detailed feedback.
  • -l = sets the log file name.
  • -test = performs a specific ISINTEG test.
The syntax for running ISINTEG in Patch mode is:
ISINTEG -patch
No matter what mode you run the utility in, the Information Store must be stopped first and restarted afterwards.
HOW THE INTERNET MAIL SERVICE RESOLVES NAMES
The Internet Mail Service first tries to resolve a name by looking in the HOSTS file on the NT server where it's running. If the name isn't there, the IMS hands resolution off to NT, which can use DNS, WINS, or LMHOSTS. Because the IMS goes to the HOSTS file first, a typo or stale entry in HOSTS can break IMS delivery to a host that you can still PING by name, since PING may end up resolving the name through DNS and reach the right address. When the IMS can't deliver to a host that other tools resolve fine, check the HOSTS file for a bad entry before you suspect DNS.
A SHORT COURSE ON MTACHECK
The utility MTACHECK.EXE is in the \exchsrvr\bin directory. It checks the consistency and integrity of Exchange's MTA queues. Over time, messages in transit may become corrupt. When the MTA service will not start, crashes, or shuts itself down after a system crash, you need to run the MTACHECK utility manually. To run MTACHECK, use the following syntax:
MTACHECK /f <log file>
where <log file> is the complete path and filename of the desired log. When MTACHECK runs, it examines each queue in the database. When an error is found, the item is removed from the queue and placed in the \MTADATA\MTACHECK.OUT directory for further diagnosis.
PROBLEMS WITH CIRCULAR LOGGING
If you run the default Exchange installation, the Information Store and Directory transaction logs will be set for circular logging. This means that instead of an ever-growing series of numbered log files, Exchange reuses a small set of them: once the transactions in a log have been committed to the database, that log is overwritten, so at any time only EDB.LOG and a handful of recent logs exist in the \exchsrvr\MDBDATA (Information Store) and \exchsrvr\DSADATA (Directory) directories. The problem with circular logging is that the logs covering the changes made since your last backup are no longer there to replay: if you have to restore, you lose everything that happened after that backup, and incremental and differential backups aren't possible at all. Keep in mind that circular logging is controlled on each server's Advanced property page and is configurable server by server. Therefore, turning it off on one server will not turn it off on other servers.
HOW TO RECOVER FROM RUNNING OUT OF DISK SPACE
If you start the Information Store service and get the error message, "The MS Exchange Information Store returned the specific error 4294966796" (the unsigned rendering of the signed return code -500), it means you have a problem writing the transaction logs to your server, probably due to a lack of space. When you run out of space, the system first uses the reserve logs and enters a notification in the event log. If you don't correct the problem, the Information Store shuts itself down, and when you try to restart it, you get the above error.
Although you could go in and delete all of the old log files out of the \exchsrvr\ directory, we suggest that you initiate a full backup and allow Exchange to delete the logs for you. This way, you'll also have a backup of the logs in case you need to replay them to restore your database.
THE DOWN SIDE TO DIAGNOSTIC LOGGING AND THE INTERNET MAIL SERVICE
The Diagnostic Logging Properties page of the Internet Mail Service lets you set the logging level in any of several categories.
One of the categories you can choose to turn on from here is the SMTP Protocol Log. Enabling logging in this category causes Exchange to write information to a log file in the \exchsrvr\imsdata\log directory. Basic transaction information and the text of the message are stored in the log file. So, anyone who can read your log file can also read e-mail traveling across the IMS unless the e-mail has been sealed.
Message Archival is another category that captures the text of your messages traveling across the IMS. When set to Medium or Maximum, Exchange saves the text in separate files under the \exchsrvr\imsdata\in\archive or \exchsrvr\imsdata\out directories.
Therefore, turn either of these options on only while troubleshooting, turn it off again when you're done, and secure the directories where the logs and archives are stored with NTFS permissions that grant read access to Domain Administrators only. Even the basic protocol log exposes sender and recipient addresses, so treat it as sensitive too.
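Before you hand an SMTP protocol log to a vendor or a colleague, it is worth stripping the message content out of it. The following Python is an added example written for this page, not a Microsoft tool; it assumes a generic timestamped transcript layout (the sample below is constructed) rather than reproducing the exact IMS log format, so adjust the line pattern to match your own files.

```python
"""Added example (not from the original page or from Exchange): strip message
content out of an SMTP protocol log so the envelope transactions can be shared
without the mail itself.  The log layout and the transcript are assumptions."""
import re

# Constructed sample transcript.  Assumption: a generic timestamped layout in which
# ">>>" marks what the IMS sent and "<<<" what the remote system sent; the real IMS
# protocol log is not reproduced verbatim here.
SAMPLE_LOG = """\
12:01:03 >>> 220 mail.example.com ESMTP ready
12:01:03 <<< EHLO relay.partner.example
12:01:03 >>> 250 mail.example.com
12:01:04 <<< MAIL FROM:<alice@partner.example>
12:01:04 >>> 250 OK
12:01:04 <<< RCPT TO:<bob@example.com>
12:01:04 >>> 250 OK
12:01:05 <<< DATA
12:01:05 >>> 354 Start mail input; end with <CRLF>.<CRLF>
12:01:05 <<< Subject: Q3 salary adjustments
12:01:05 <<< From: alice@partner.example
12:01:05 <<<
12:01:05 <<< Bob, the legal team raise is 4% this quarter.
12:01:05 <<< .
12:01:06 >>> 250 Queued
12:01:06 <<< QUIT
12:01:06 >>> 221 Bye
"""

# timestamp, direction marker, optional text (a bare "<<<" is the blank header separator)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<dir><<<|>>>)(?:\s(?P<text>.*))?$")


def redact_message_content(log_text: str):
    """Return (redacted_log, lines_removed).

    Everything the remote side sends between the IMS's 354 reply and the lone "."
    terminator is message content (headers and body).  Those lines are collapsed
    into one placeholder that does not match LINE_RE, so running the function a
    second time removes nothing; envelope commands and replies are left intact.
    """
    out, removed, in_data, block = [], 0, False, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)              # placeholder or unrecognised line: keep as-is
            continue
        ts, direction, text = m.group("ts"), m.group("dir"), m.group("text") or ""
        if in_data and direction == "<<<":
            if text == ".":
                if block:
                    out.append(f"{ts} --- [{block} line(s) of message content redacted]")
                removed += block
                block, in_data = 0, False
                out.append(line)          # keep the terminator so the transaction stays readable
            else:
                block += 1                # drop the content line
            continue
        if direction == ">>>" and text.startswith("354"):
            in_data = True
        out.append(line)
    return "\n".join(out) + "\n", removed


def contains_message_content(log_text: str) -> bool:
    """Audit helper: True if the log still carries message content, meaning it must
    be protected like the mail itself (NTFS rights, no casual copying or e-mailing)."""
    return redact_message_content(log_text)[1] > 0


if __name__ == "__main__":
    cleaned, n = redact_message_content(SAMPLE_LOG)
    print(f"{n} content line(s) removed")
    print(cleaned)
```

The envelope lines that survive still name senders and recipients, so the redacted file is less sensitive, not public.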
AUTOMATE MONITORING OF EXCHANGE EVENTS
There are two excellent tools you can use to monitor Exchange events that are generated in the event logs of Exchange servers.
The first, Evtscan.exe, lets you monitor servers for specific events, and when an event is detected, the tool will (depending on how you configure it) send an e-mail, send a message to specific users or computers, or restart or stop a service.
The other utility, Elf.exe, lets you specify the servers and events that you want to monitor. The utility then writes the results to a text file.
Both of these tools are available in the Exchange Resource Kit.
DISTRIBUTING ADMINISTRATIVE RIGHTS
Before others can manage your Exchange environment, you must grant them access to the site and configuration containers. The easiest way to do this is to assign rights to a Windows NT global group and put the desired users into that group.
Users and groups with permissions to the site container can then manage recipient objects and create new mailboxes. Users and groups with permissions to the configuration container can administer Exchange Server's core components and connectors.
To add permissions:
  • 1. Create an Exchange Administrators global group and assign users to the group.
  • 2. In Exchange Administrator, select the object whose permissions you want to change.
  • 3. Go to File | Properties.
  • 4. Click on the Permissions tab.
  • 5. Click Add, select the global group, and choose the role it should have.
OPTIMIZING EXCHANGE'S PERFORMANCE
Performance Optimizer is a critical component in ensuring peak performance from Exchange Server. You should run Performance Optimizer immediately after installing Exchange as well as whenever you change resources or move Exchange Server directory components to another disk.
Performance Optimizer does the following:
  • Analyzes your hard disk configuration to determine which device has the fastest sequential access time. It reserves that disk for Exchange's transaction logs, which are written sequentially.
  • Analyzes your hard disk configuration to determine which device has the fastest random access time. This drive becomes the location of your information store databases, which are accessed randomly.
  • Analyzes physical memory against the number of users and the way the server will be used. It uses this information to determine the optimal size of the directory and information store caches.
To run Performance Optimizer, go to Start | Programs | Exchange | Performance Optimizer.
REHOMING PUBLIC FOLDERS
Sometimes you may need to move a public folder from one server to another. For example, if a server in your site is going to be taken offline for an extended period of time, you may want to move its public folders to another server in your site.
This process is known as rehoming public folders. Microsoft has provided a utility, PFAdmin, in the BackOffice Resource Kit for Exchange to allow easy rehoming.
To rehome a public folder without the BackOffice Resource Kit, follow these steps:
  • 1. Create a personal folder in Outlook.
  • 2. Choose the public folder you want to move and copy the entire contents to the personal folder.
  • 3. Delete the public folder.
  • 4. Allow replication to take place so the deletion is replicated to all other sites within your organization.
  • 5. Log on to a mailbox on the server where you want to home the public folder.
  • 6. Create a new public folder that will become your rehomed public folder.
  • 7. Copy the folder contents from your .pst file to the new folder and assign the appropriate permissions.
SETTING AGE LIMITS FOR PUBLIC FOLDER CONTENTS
You can set age limits for the contents of folders in the Public Information Store by using the Public Information Store Properties page.
To set age limits on all folders in your Public Information Store, follow these steps:
  • 1. Double-click the Site Configuration container for the site you're modifying.
  • 2. Double-click the server whose Public Folder Settings you're modifying.
  • 3. Select the Public Information Store object.
  • 4. Choose File | Properties.
  • 5. Select the Age Limits tab.
Check the Age Limit For All Folders On This Information Store (Days) checkbox and enter the number of days you want to keep items.
Exchange Server will then delete all messages in your public folders that are older than the age limit you entered.
THE EXCHANGE SITE SERVICE ACCOUNT
During the setup of your Exchange server, you'll be prompted to designate the Site Service account. You should enter the account name in the form domain\account.
It's not a good idea to use the Administrator account as the Service account. Instead, you should always create a dedicated Service account for Exchange to communicate across servers. If you try to use the Administrator account as the Service account, you could grant rights during setup that would conflict with the rights already assigned to the Administrator account.
THE QUIRKY X.400 CONNECTOR
The X.400 connector provides greater control and flexibility than a site connector does, because it's not dependent on RPC and doesn't require a permanent LAN/WAN connection. The X.400 connector is a good way to connect Exchange sites across slow network links.
However, one quirk of the X.400 connector that could cause you some grief is that it's case-sensitive. When setting up the connector, type the name of the remote MTA in all uppercase letters on the General and Stack Properties pages, matching the case used on the other side. If you don't, messages may still get through if enough of the address is correct to identify a unique recipient; however, delivery will be unreliable at best.
ADMINISTER EXCHANGE FROM YOUR WORKSTATION
If you sit more than 10 feet from your Exchange server, it can be awfully inconvenient to have to get up and go administer it elsewhere. Fortunately you have some options for remote administration.
If you're running NT Workstation on your machine, you have the best option: just install Exchange Administrator right on your desktop and you can administer any Exchange server on your network from there. To install it on your workstation, start the Exchange setup program, do a custom install, and tell it to install only the Administrator program. When you start the Administrator program you'll just have to tell it which server you want to administer (you can specify a default) and it will connect to that server.
If you run Windows 9x, your options are a little more limited. Basically you'll need to use a remote control program like PC Anywhere. One good option is a freeware remote control tool called Virtual Network Computing (VNC) from AT&T Labs: http://www.uk.research.att.com/vnc/ Keep in mind that VNC sends everything except its initial password challenge in the clear, so use it only on a trusted network segment or inside an encrypted tunnel.
ALTERING THE TIME WHEN DIRECTORY CHANGES ARE READ
If you make changes to your Exchange 5.5 directory, you may be perplexed to discover that the changes aren't always immediately reflected in the Information Store. This is because the Information Store caches the directory data and only rereads it about every 2 hours, so any change you make might not take effect for up to two hours. If you'd like to expedite the process, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem registry key and add this new value:
  • Name: Mailbox Cache Age Limit
  • Type: REG_DWORD
  • Value: the refresh interval in minutes, entered in hex (for intervals under 10 minutes the hex and decimal figures are the same)
You can set the number to anything you want; many admins have set it to check as often as every 5 minutes with no ill effects. After you make this change you'll need to stop and restart your Information Store service, and you'll want to update your emergency repair disks to reflect the change. Note: Remember, editing your registry can be risky; always have a verified backup before you begin.
RERUN PERFORMANCE OPTIMIZER AFTER AN UPGRADE
Any time you make a change to the hardware in your Exchange server you should rerun the Performance Optimizer (you'll find it on the Start menu with the rest of the Exchange Admin programs). It can evaluate your new hardware and service expectations and make modifications to your server configuration to take best advantage of your new hardware. Starting the Performance Optimizer in Verbose Mode (with a -v switch) gives you considerably more (six screens worth) of choices that you can make in optimizing your Exchange server. Added bonus: You can use the Performance Optimizer to change the drives/directories where key files (such as Transaction Log files) are kept. This can be helpful if you've added new drives that you want to dedicate to the log files. Just start the Performance Optimizer, answer the questions on the first screen, then after it does a little evaluating of your system you'll be presented with the list of key files and paths to them. You can accept the suggested paths, or change them to paths that you select.
USING OFFLINE FOLDERS
That road warrior with the notebook probably won't be able to easily or cheaply access your Exchange server from seat 11B (at least not yet), but with offline folders, data can be accessed whenever the laptop is booted. To enable offline folders go to (on the Outlook client) Tools | Services | Microsoft Exchange Server Service and click the Advanced tab. At the bottom of the dialog box you'll see the options for enabling offline folder use. Once the folder has been enabled and created, you can go into the properties for any mailbox folder and customize the offline-folder settings. Next time the user logs on, Outlook will synchronize the offline folder with the Exchange server. Later, when disconnected, the user can work offline and access all of the items that were in the mailbox when it was last synchronized. Special Tip #1: If the user is going to synchronize over a slow line make use of the Filter button in the sync options to restrict the items that will come across the line. Of particular interest: Deleted Items and items that have large attachments. Special Tip #2: Want to sync public folders for offline use? Copy the folder from the All Public Folders container to the Favorites container. Then go into the properties of the Favorites copy and set the Sync options.
CREATE AN ORGANIZATIONAL FORMS LIBRARY
If you're creating forms with Outlook that you want to share with the rest of your Exchange users, just publish them to an Organizational Forms library. "But I don't seem to have one!" you say? No worries; just create one.
To do so, go to Exchange Administrator, select the server you're working with, then click Tools | Forms Administrator. From there you can add one or more new Organizational Forms Libraries to publish forms to. When you create the Forms Library you're asked to specify a language; when a foreign language client connects to the Exchange server it will look for a library in its own language. If you support clients in multiple languages, pay particular attention to the language you choose. Although you can change the name of the library after it's created, you can't change the language.
Before you close the program, be sure to add yourself as owner to the Organizational Forms Library or you won't be able to publish to it.
SHARE A MAILING LIST WITH A PUBLIC FOLDER
The increasing number of industry-specific electronic newsletters have spotlighted an excellent use for Public Folders--as mailboxes for these newsletters. If you have several users who would all like to receive an e-mail newsletter, simply create a public folder for them, give it an SMTP address that's easy for you to work with, then subscribe to that e-mail newsletter with the e-mail address of the public folder. This has the added benefit that the users can read the newsletter from the public folder and even post messages to each other discussing it there.
Doing this alleviates the need for several users to all subscribe to and manage the flow of newsletters. And there's the added benefit that you can keep old copies of the newsletter for as long as you like--no more calls from the VP of Marketing asking if you can somehow retrieve that five-week-old newsletter message that he accidentally deleted from his mailbox.
Security gotchas: Make sure that the users all have appropriate access to the public folder, and grant the Anonymous user at least Contributor status so that the newsletters can be received in the folder. Be aware that Contributor access for Anonymous means any outside sender who knows the folder's SMTP address can post into it, so pick an address that isn't easy to guess, don't publish it, and keep an eye on the folder for unsolicited mail.
USING CUSTOM ATTRIBUTES
If you're making extensive use of your Exchange directory, you may find a need to add information that doesn't already have a field. Microsoft has accounted for this possibility by including 10 Custom Attribute fields (on the Custom Attributes tab of the Mailbox Properties sheet), which you can populate with any data you like.
Can't remember which Custom Attribute field was for mother's maiden name and which one was for birth date? Well, you're in luck--you can rename those fields by going to Exchange Administrator, finding the server's Configuration container, selecting the DS Site Configuration object and clicking File | Properties. On the Custom Attributes tab you can assign new names to each of those 10 fields.
Changes you make to the DS site configuration tab are reflected throughout the Exchange site, so you can use the same set of Custom Attribute fields on multiple servers as long as they're in the same Exchange site.
View/Monitor Mailbox Contents on the Server
How do I view the contents of mailboxes on the Exchange Server? I would like to be able to view the contents of a user's mailbox on the server. Right now we are adding the administrator as a member of the mailbox and then opening the mailbox using the Outlook client. Is there a way to do this on the server?
If you log on to the server with the service account you are using to start the Exchange services, you will be able to open any mailbox from your Exchange client.
Keyboard Shortcuts
If you're like me, you often find that it's quicker and easier to use a keyboard shortcut than to navigate the various menus. Here are some shortcuts (some documented, some not) that I've discovered and use within Outlook. (My current configuration is Outlook 2000, with Word 97 as my default editor.)
  • Ctrl-N: New message
  • Ctrl-D: Delete item
  • Ctrl-K: Insert hyperlink
  • Ctrl-S: Send item
  • Alt-K: Check names
  • Shift-F7: Access thesaurus
  • Alt-F1: Advance to next hyperlink
  • Alt-F4: Close active window
  • Alt-F7: Advanced spelling shortcut
  • Alt-F8: Run macros
  • Shift-F3: Change the case of highlighted text
  • Alt-Enter: Message properties
  • Shift-F12: Save message without closing the window
  • Shift-F4: Find and replace
  • Shift-F1: Office Assistant
  • F5: Go to page number (Find and Replace popup)
  • F7: Spell checker (Spelling and Grammar popup)
  • Del: Delete item
  • Ctrl-Left-arrow: Jump to start of previous word
  • Ctrl-Right-arrow: Jump to start of next word
  • Ctrl-Home: Top of document
  • Ctrl-End: End of document
  • PgUp: Page up one relative-size screen
  • PgDn: Page down one relative-size screen
  • Ctrl-PgDn: Page down one full screen
  • Ctrl-PgUp: Page up one full screen
CONFIGURING THE IMAP4 PROTOCOL
The newest protocol in the Exchange arsenal is IMAP4. This protocol is much more robust than POP3. Although IMAP4 allows the same access to a user's inbox as POP3 does, it also allows access to the entire mailbox and public folders from an IMAP4 client. To configure the IMAP4 protocol:
  • 1. Double-click the Site Configuration object (in Exchange Administrator) that contains the server you want to modify.
  • 2. Double-click the Server object to open the container.
  • 3. Double-click the Protocols container.
  • 4. Highlight IMAP4 (Mail) Settings and choose File | Properties to open the IMAP4 Protocol Properties page.
DIAGNOSTIC LOGGING
Exchange 5.5 gives you flexibility as to which events it writes to the Application Log. Exchange writes to the log in groups known as categories. You can determine which categories you want to log and select them from the Diagnostic Logging Properties page for the MTA, Directory, Information Store, IMS, Microsoft Mail Connector, Microsoft Schedule Free/Busy Connector, or the Microsoft Exchange Connector for Lotus cc:MAIL. You can set the logging level to None, Minimum, Medium, or Maximum. Be careful when you choose Maximum because your disk space can be taken up very quickly. You should only use the maximum logging level when you suspect that a specific category is causing you a problem.
DISTRIBUTION LIST EXPANSION SERVER
When a user sends an e-mail message to a distribution list, Exchange has to expand the list and resolve all of the names in it. This can place a high load on a busy Exchange server. Exchange allows you to specify a server in your site to handle the expansion of the distribution lists. To change a distribution list's expansion server:
  • 1. Double-click the site configuration container for the site you are modifying.
  • 2. Double-click the Recipients object.
  • 3. Select the Distribution List that you want to modify.
  • 4. Choose File | Properties to open the Distribution List's Properties sheet.
  • 5. Go to the General tab.
  • 6. From the Expansion Server drop-down list, select the server in your site that you want to perform the expansion.
ENABLING DELETED ITEM RECOVERY
If your users are typical, they occasionally call to ask if you could possibly undelete something they accidentally got rid of. Naturally the user emptied the Deleted Items folder before realizing the item was needed (and we won't even go into the users who don't empty their Deleted Items folders at all out of the fear of losing something valuable). Traditionally your only solution may have been to try to restore from backup and hopefully you could restore their individual mailbox. Exchange 5.5, however, introduces a feature called Deleted Item Recovery that lets you retrieve purged items. To enable it, start the Exchange Administrator program, find the Properties sheet for the Private Information store and go to the General tab. There you can select the number of days you want messages saved after they're deleted or specify that nothing should be permanently deleted until after a backup is done. On the client side, you'll need to make sure that the Deleted Item Recovery add-in is installed and active and then go to the Deleted Items folder and select Recover Deleted Items from the Tools menu.
HOW MUCH WHITE SPACE IS IN MY DATABASE?
With all of the deleting, moving, and adding of data in your Information Store, you might suspect that there's a fair amount of white space in there--storage space that was formerly used for data but is now empty. Well, you'd be right, but how do you tell how much white space is really there? If you have Exchange configured for nightly online defragmentation (as most admins do), then you can just check your Event Viewer - Application Log for an Event 1221. The text of that event will give you an estimate of how much free space is currently in your database. The only way to get rid of this white space, and shrink the size of your Information Store, is to run an offline defragmentation, but as a general rule you should refrain from doing this unless the amount of reported white space is considerable and you really need to recover the disk space.
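Rather than reading Event 1221 entries one at a time in Event Viewer, you can pull the free-space figure out of an exported Application Log and apply the tip's "only when considerable" rule mechanically. The following is an added example, not code from the original tips page: the log lines are a constructed export in the wording Exchange uses for Event 1221, and the database sizes and the thresholds used to recommend an offline defragmentation are assumptions you should tune to your own environment.

```python
"""Read Event 1221 entries to see how much white space the Information Store reports.

Added example, not from the original tips page. The input is a constructed export of
the Application Log in the wording Exchange uses for Event 1221 ('The database "X" has
N megabytes of free space after online defragmentation terminated'); the database
sizes and the thresholds for recommending an offline defragmentation are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log export (date, time, source, category, event ID, text).
SAMPLE_LOG = """\
1999-12-03 02:15:41 MSExchangeIS Public 1221 The database "Public" has 12 megabytes of free space after online defragmentation terminated.
1999-12-03 02:31:07 MSExchangeIS Private 1221 The database "Private" has 417 megabytes of free space after online defragmentation terminated.
1999-12-03 02:31:09 MSExchangeIS Private 1220 Online defragmentation of database "Private" has completed.
1999-12-04 02:14:58 MSExchangeIS Public 1221 The database "Public" has 15 megabytes of free space after online defragmentation terminated.
"""

# Constructed on-disk sizes of priv.edb and pub.edb, in megabytes (assumption).
SAMPLE_DB_SIZES_MB = {"Private": 1200, "Public": 300}

EVENT_1221 = re.compile(
    r'^(?P<date>\S+ \S+) \S+ \S+ 1221 .*?"(?P<db>[^"]+)" has (?P<mb>\d+) megabytes of free space'
)


@dataclass
class WhiteSpace:
    date: str
    database: str
    free_mb: int


def parse_event_1221(log_text: str) -> list[WhiteSpace]:
    """Return one record per Event 1221 line, in log order; other events are ignored."""
    records = []
    for line in log_text.splitlines():
        m = EVENT_1221.match(line)
        if m:
            records.append(WhiteSpace(m["date"], m["db"], int(m["mb"])))
    return records


def latest_white_space(log_text: str) -> dict[str, int]:
    """Most recent free-space estimate per database (later lines overwrite earlier ones)."""
    latest: dict[str, int] = {}
    for rec in parse_event_1221(log_text):
        latest[rec.database] = rec.free_mb
    return latest


def offline_defrag_candidates(
    log_text: str,
    db_sizes_mb: dict[str, int],
    min_free_mb: int = 200,
    min_fraction: float = 0.25,
) -> list[str]:
    """Databases whose latest reported white space is 'considerable': at least
    min_free_mb AND at least min_fraction of the file size. Both thresholds are
    assumptions; the tip only says to avoid offline defragmentation otherwise."""
    candidates = []
    for db, free in latest_white_space(log_text).items():
        size = db_sizes_mb.get(db)
        if size and free >= min_free_mb and free / size >= min_fraction:
            candidates.append(db)
    return candidates


if __name__ == "__main__":
    for db, free in latest_white_space(SAMPLE_LOG).items():
        print(f"{db}: {free} MB free")
    print("offline defrag worth considering for:", offline_defrag_candidates(SAMPLE_LOG, SAMPLE_DB_SIZES_MB))
```

Requiring both an absolute and a relative threshold keeps a small public store with a few megabytes of slack from triggering a defragmentation that would take the store offline for nothing.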
LIMITING USERS' CREATION OF PUBLIC FOLDERS
Don't want your users creating a raft of public folders on their own? You can limit their ability to do so. Here's how:
1. Go to the Configuration object under the Site container.
2. Select the Information Store Site Configuration object.
3. Click File | Properties.
4. On the Top Level Folder Creation tab, specify those users who may create top-level folders and those who may not.
If you envision a considerable hierarchy of public folders, it would be advisable to restrict top-level folder creation to yourself and maybe a couple of trusted assistants. Then you can create top-level folders that will just be containers for subfolders (e.g., "Sales," "Production," "Human Resources," etc.) and designate within each of those folders which users have permission to create subfolders. To do so, right-click the top-level folder (in Outlook) and assign the Create Subfolder permission to a user or group of users.
OUTLOOK WEB ACCESS
HTTP support is added during the installation of Exchange Server 5.5 if the Web component of Internet Information Server is installed. With the Outlook Web Access component, a user can access an Exchange mailbox from a supported Web browser. You can configure the properties for Outlook Web Access from the site configuration object by following these steps:
1. Double-click the site configuration object (in Exchange Administrator) that contains the server you want to modify.
2. Double-click the Server object to open the container.
3. Double-click the Protocols container.
4. Highlight HTTP (Web) Settings and choose File | Properties.
The HTTP (Web) Properties page has four tabs. The only settings that you have to configure are on the General tab, where you check the Enable Protocol check box, and on the Permissions tab, where you define the users and groups that have access to this object.
QUICKLY SEE VALUES OF AN ITEM
There will be times when you'll want to know the message class of an item you've received or who created an appointment on a group calendar. A quick trick for finding this information lies in the Field Chooser tool and the Table view. To see the message class of a received item, just right-click one of the column headers (Subject, for example) and select Field Chooser. Change the fields list from Frequently Used Fields to All Mail Fields and then drag the Message Class field onto the view. Now you can see the message class of each received item. When you're done with it, just drag that column header off the view again. To see the creator of a calendar item on a group calendar, switch your view from Day/Week/Month to a table view such as Active Appointments. Now right-click a column header, open the Field Chooser, and add the Organizer field to the view. You can use this trick in practically any folder to see the values of almost any field for each item.
REVERTING TO AN ORIGINAL MAILBOX NAME
Most admins have had a user who somehow managed to rename one of the root folders in his or her mailbox. The first question to ask is: Where was it renamed? If the user just renamed the Outlook shortcut, that can be fixed simply by right-clicking the shortcut and choosing Rename Shortcut. If, on the other hand, the user actually managed to rename one of the mailbox's root folders, the easiest way to revert to the original name is to start the Exchange client (Exchng32.exe) on the user's workstation and log in to his or her mailbox. Once you're in, go to View | Folder, right-click the folder to be renamed, and select Rename. You should then be able to change the folder name back to what it was. On the subject of renaming: Did you know that you can rename any column in an Outlook view by right-clicking the column header, selecting Format Columns, and changing the Label field to whatever you'd like?
FIND OUT WHICH SERVICE PACKS YOUR EXCHANGE SERVER IS RUNNING
To quickly determine which build and service pack you're running on an Exchange server, start the Exchange Administrator program and click the Servers object in your organization. In the table to the right you will find a column that lists the version, build, and service pack level of each of your servers. Finding your NT service pack level is a little harder, but not much. Go to Start | Programs | Administrative Tools | Windows NT Diagnostics. The General tab shows you the version, build, and service pack level for NT. The System tab gives you information about your HAL and BIOS levels. Finding the build and mode of your Outlook client is as easy as clicking Help | About Microsoft Outlook from within Outlook. That will tell you the version, build, and the mode (Corporate/Workgroup, Internet Mail Only, or No E-mail) that the software is running in. Clicking the System Info button on that screen will give you information about the workstation's operating system version and build.
TESTING CONNECTIVITY THE PAINLESS WAY
Wondering if your Internet mail is flowing smoothly? You could send a message to a friend, but maybe that friend is away from her desk and won't get the mail (or respond to it) until Monday. You could send a message to a mailing list you subscribe to, but unless that list is specifically for testing mail connections, chances are good you'll get flamed by other participants for cluttering their inboxes with test messages.
So how do you test your connectivity quickly and painlessly? Here are a couple of common tricks:
  • Many ISPs have an autoresponder set up for testing. You send a message to it and it automatically pops back a response verifying that your message was received. Check with your local ISP to see if it has one you can use.
  • If the ISP doesn't have one, there are a number of commercial autoresponders out there--they're basically systems that will autoreply with an advertisement if you send a message to the address. The ads may not excite you, but you only wanted to verify your ability to send and receive mail, right? A current list can be found here: http://www.myreply.com/classifieds.html
  • Get yourself an Internet e-mail account so you can periodically send a test message to yourself. You can complete your test by replying to that message, sending it back to your Exchange server.
Any of these tricks is a fast, free way to check whether your mail is flowing properly without irritating anybody in the process.
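The third trick above, sending a test message to yourself, is easy to automate if you put a unique token in the probe and only count the test as passed when that token comes back. The following is an added example, not code from the original tips: a throwaway SMTP listener on 127.0.0.1 stands in for the receiving server so the entire dialogue (220 greeting, EHLO, MAIL FROM, RCPT TO, DATA, QUIT) runs offline, and the probe address, host and port are constructed. To test a real server, point probe() at it and check the destination mailbox for the token instead of the stub's capture.

```python
"""Loopback SMTP round trip with a unique probe token.

Added example, not part of the original tips. A stub SMTP listener on 127.0.0.1
plays the receiving server so the whole dialogue runs offline; the probe counts as
delivered only if the unique token is found in the message the stub stored.
The probe address, host and port are constructed.
"""
from __future__ import annotations

import smtplib
import socket
import threading
import uuid
from email.message import EmailMessage


def _stub_smtp_server(listener: socket.socket, received: dict) -> None:
    """Serve exactly one SMTP session and store the DATA section in `received`."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile:
        def reply(text: str) -> None:
            conn.sendall(text.encode("ascii") + b"\r\n")

        reply("220 loopback.test ESMTP stub")          # the server always speaks first
        in_data, body = False, []
        for raw in rfile:
            line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
            if in_data:                                   # inside DATA: collect until a lone "."
                if line == ".":
                    received["data"] = "\n".join(body)
                    in_data = False
                    reply("250 OK queued")
                else:
                    body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
                continue
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                reply("250 loopback.test")
            elif verb in ("MAIL", "RCPT"):
                reply("250 OK")
            elif verb == "DATA":
                in_data = True
                reply("354 End data with <CRLF>.<CRLF>")
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:
                reply("500 Unrecognized command")


def probe(host: str, port: int, token: str, address: str) -> None:
    """Send the probe message; smtplib drives EHLO/MAIL/RCPT/DATA/QUIT for us."""
    msg = EmailMessage()
    msg["From"] = address
    msg["To"] = address
    msg["Subject"] = f"connectivity probe {token}"
    msg.set_content("Automated mail-flow check; safe to delete.")
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.send_message(msg)


def _subject_of(data: str) -> str:
    for line in data.splitlines():
        if line.lower().startswith("subject:"):
            return line.split(":", 1)[1].strip()
    return ""


def run_loopback_probe() -> dict:
    """Start the stub, send a probe through it, and report whether the token came back."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    received: dict = {}
    server = threading.Thread(target=_stub_smtp_server, args=(listener, received), daemon=True)
    server.start()

    token = uuid.uuid4().hex
    probe("127.0.0.1", port, token, "probe@example.test")   # constructed probe address
    server.join(timeout=5)
    listener.close()

    data = received.get("data", "")
    return {"token": token, "delivered": token in data, "received_subject": _subject_of(data)}


if __name__ == "__main__":
    print(run_loopback_probe())
```

The token is what makes the check trustworthy: a reply that arrives without it (an old test, a bounce, an autoresponder advertisement) is not evidence that this particular send and receive worked.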
THE INFORMATION STORE MAINTENANCE JOB
By default, the Exchange Server 5.5 Information Store maintenance job runs every 15 minutes to clean up deleted item retention, delete expired folder contents, synchronize the server's Public Information Store, and remove expired Public Folder contents. If these Information Store maintenance jobs are causing too much processing overhead during the day when your users are connected to their mailboxes, you can change the schedule. Here's how:
1. Highlight the server whose maintenance job you are modifying.
2. Go to File | Properties.
3. Click the IS Maintenance tab.
4. Choose Selected Times to have Exchange run the maintenance job at the times you specify in the schedule grid.
THE KNOWLEDGE CONSISTENCY CHECKER
The Knowledge Consistency Checker (KCC) runs on every server and corrects directory information. The knowledge it checks is the configuration information for directory replication, and it runs in one of two modes--intrasite or intersite.
In intrasite mode, the KCC reads the knowledge directly from the Directory System Agent (DSA) and compares it with knowledge from the other servers in the site. If another server has information that the first knows nothing about, the KCC will update the knowledge on the local machine by making replication configuration calls.
In intersite mode, Exchange doesn't assume network connectivity between sites. This means that the KCC does not have direct access to the DSA it needs to replicate. To resolve this problem, the KCC on each site shadows a portion of the knowledge its DSA contains to an object in its directory, which is then replicated to each site. The KCC can then look to this knowledge as if it were dealing with the DSA directly.
LOOKING AT THE QUEUE PROPERTIES SHEET
Each connector within Exchange Server contains a Queue Properties sheet that lists messages that are awaiting some type of action. This can provide useful information about the status of outgoing messages. It's a good idea to view this information prior to performing any significant server maintenance tasks, for example. To view the Queue Properties page:
1. Double-click the Site Configuration object that contains the site in question.
2. Double-click the Server object.
3. Select the server whose MTA queue you want to view.
4. Select the MTA object.
5. Go to File | Properties.
6. Click the Queues tab.
7. Select the queue you want to view from the Queue Name drop-down list.
MANUALLY RESETTING THE EXCHANGE ROUTING TABLE
The Exchange routing table is rebuilt once each day or after a change. If you want changes to take place immediately, you can rebuild the table manually. Here's how:
1. Double-click the Site Configuration container for the site you want to modify.
2. Double-click the server whose routing table you're rebuilding.
3. Select the Message Transfer Agent object to open the Message Transfer Agent Properties page.
4. Select the General tab.
5. Click Recalculate Routing.
THE INTERNET LOCATOR SERVICE
To allow individual Exchange users to participate in Microsoft NetMeetings, you must specify the Internet Locator Service (ILS) server in Exchange Administrator. This will enable other NetMeeting users to locate the mailbox owner and set up online meetings. To enable this functionality:
1. Open Exchange Administrator.
2. Highlight the user's mailbox object.
3. Go to File | Properties | Advanced.
4. Type in the name of the ILS server and the ILS account in the appropriate fields.
ADDING INDEXES TO OBJECTS USING RAW MODE
Using Exchange Administrator in raw mode is not for the faint of heart; however, the daredevil application does allow you to do things you can't accomplish via other means, like adding indexes to Exchange objects. Here's how:
1. Once you've opened Exchange Administrator in raw mode, select the object attribute you want to add to the searchable index.
2. Hold down the Control key and hit Enter.
3. Scroll down until you see the search attribute.
4. In the index value, enter one of the following: 0 for disabled; 1 for attribute indexed but not included in address resolution; or 2 for attribute indexed and included in address resolution.
COMMON EXCHANGE ERROR FIXES, PART 1
If the Internet Mail Connector (Exchange 4.0) or Internet Mail Service (Exchange 5.0) generates an error saying, "The Internet Mail connector service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion," take the following steps:
1. Go to the Services Control Panel.
2. Select Microsoft Exchange Internet Mail Service.
3. Click Start Up.
4. Select This Account under Log On As.
5. Select the name of the System Account or an account that has service account admin rights in your Exchange organization, site, and configuration containers.
COMMON EXCHANGE ERROR FIXES, PART 2
Let's say you try to start an Exchange service and get the following error: "Could not start the Microsoft Exchange Directory Service on \\. Error 0002: The system cannot find the file specified." The problem? One of the executables associated with the service is missing or corrupt. To resolve this issue, obtain the associated file from a backup or service pack CD and copy it onto the Exchange server. Here are the major Exchange services and their associated files:
* Exchange Information Store--Store.exe
* Exchange System Attendant--Mad.exe
* Exchange Message Transfer Agent--Emsmta.exe
* Exchange Internet Mail Connector--Msexcimc.exe
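A "missing or corrupt" executable is easier to spot before the service fails to start if you record hashes of the service binaries from a known-good installation and compare against them periodically (a replaced binary is also what you would look for after a suspected compromise). The following is an added example, not code from the original page or from Microsoft: it uses the service-to-file mapping listed in the tip, but the "known-good" hashes are taken from placeholder files created in a temporary directory, not from real Exchange binaries, and the bin directory path is whatever you pass in.

```python
"""Check that the executables behind the Exchange services are present and unmodified.

Added example, not from the original tips page. The service-to-file mapping is the
one the tip lists; the "known-good" hashes in demo() are computed from constructed
placeholder files in a temporary directory, not from real Exchange binaries.
"""
from __future__ import annotations

import hashlib
import os
import tempfile

# Service -> executable, as listed in the tip above.
SERVICE_BINARIES = {
    "Exchange Information Store": "Store.exe",
    "Exchange System Attendant": "Mad.exe",
    "Exchange Message Transfer Agent": "Emsmta.exe",
    "Exchange Internet Mail Connector": "Msexcimc.exe",
}


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bin_dir: str) -> dict[str, str]:
    """Record the hash of every service executable present in a known-good installation
    (for example right after applying a service pack). Absent files are skipped."""
    manifest = {}
    for exe in SERVICE_BINARIES.values():
        path = os.path.join(bin_dir, exe)
        if os.path.isfile(path):
            manifest[exe] = sha256_of(path)
    return manifest


def check_service_binaries(bin_dir: str, manifest: dict[str, str]) -> dict[str, str]:
    """Return service -> 'ok' | 'missing' | 'modified' | 'unverified'.
    'missing' is the tip's Error 0002 case; 'modified' covers a corrupt or replaced file;
    'unverified' means the file exists but the manifest has no hash for it."""
    result = {}
    for service, exe in SERVICE_BINARIES.items():
        path = os.path.join(bin_dir, exe)
        if not os.path.isfile(path):
            result[service] = "missing"
        elif exe not in manifest:
            result[service] = "unverified"
        elif sha256_of(path) != manifest[exe]:
            result[service] = "modified"
        else:
            result[service] = "ok"
    return result


def demo() -> dict[str, str]:
    """Constructed scenario: build a bin directory, take a manifest, then delete one
    executable and corrupt another before running the check."""
    with tempfile.TemporaryDirectory() as bin_dir:
        for exe in SERVICE_BINARIES.values():
            with open(os.path.join(bin_dir, exe), "wb") as f:
                f.write(b"placeholder contents of " + exe.encode())
        manifest = build_manifest(bin_dir)
        os.remove(os.path.join(bin_dir, "Emsmta.exe"))          # simulated missing file
        with open(os.path.join(bin_dir, "Store.exe"), "ab") as f:
            f.write(b"\x00garbage")                               # simulated corruption
        return check_service_binaries(bin_dir, manifest)


if __name__ == "__main__":
    for service, status in demo().items():
        print(f"{status:<10} {service}")
```

Keep the manifest somewhere the Exchange server's own account cannot write to (a read-only share or offline media), otherwise whatever corrupted or replaced the binary can just as easily update the hash you compare against.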
COMMON EXCHANGE ERROR FIXES, PART 3
After installing the Microsoft Exchange Connector for Lotus cc:Mail, you receive a non-delivery report and an Event 142 in the event log when trying to send a message to a cc:Mail recipient. What happened? This problem usually occurs when the Address Space tab under Properties is not configured properly. To configure the Address Space tab properly, follow these simple steps:
1. Open Exchange Administrator.
2. Choose the appropriate Exchange connector for Lotus cc:Mail and select File | Properties.
3. Click on the Address Space tab and verify that the entry exists for the address.
4. Select the Site Addressing object.
5. Go to File | Properties | Routing | Recalculate Routing.
EXCHANGE AND CLUSTER SERVER PART 1 OF 3
Exchange Server 5.5 Enterprise Edition includes support for Microsoft Cluster Server version 1.0. Clustering your Exchange environment ensures that your messaging environment remains uninterrupted even if one server fails. When one of the clustered servers fails, the other server takes on that server's load with no impact to the users. An Exchange cluster consists of two Exchange servers that share one or more common disk drives, an IP address, a network name, and Exchange Server cluster resources. All network requests to the Exchange cluster are sent to a "virtual server" that forwards the requests to the active server in the cluster. By clustering your Exchange servers, you are adding yet another level of fault tolerance to ensure the availability of your messaging system.
EXCHANGE AND CLUSTER SERVER PART 2 OF 3
It goes without saying that in order to have Exchange on Cluster Server, the first thing you have to do is install and configure Cluster Server. Once you've installed and configured Cluster Server, you're ready to run the Exchange Server setup program on the active node. The setup program copies the files to the active node's system32 directory and to the clustered drive, and creates resources in the Exchange Server cluster resource group. After setup has completed, you should run the Exchange Performance Optimizer. Next, run the setup program on the secondary node, being careful to select UPGRADE NODE. Setup copies the files to the system32 directory on the secondary node, where it also creates the Exchange services. (Notice that you can't run Performance Optimizer on the secondary node.) Remember, when you install any new Exchange components on the primary node, you must also install them on the secondary node.
EXCHANGE AND CLUSTER SERVER PART 3 OF 3
When installed on a Cluster Server, Exchange's services are set to manual start, which prevents the automatic startup of the Exchange services. The Cluster Server's resource manager starts the services in order of dependency. If you need to manage the services on an Exchange server in a clustered server environment, you should only use the Cluster Administrator program, not the services control panel or the Net Stop command. Keep in mind, though, that you should fail over the Exchange server cluster group prior to stopping the services.
REFRESHING A STALE PUBLIC INFORMATION STORE
Some events can cause an entire public information store (IS) to become stale. For example, if a server is shut down for an extended period of time, the public folder replication process will automatically try to update all the instances in your organization to the same level by a process called backfill. Backfill relies on the IS' periodic creation of a message that broadcasts its status to the other ISs with which it's replicating folders. This message is sent any time a public folder is altered. If no changes occur, the message will be sent once a day. When the server mentioned in the example above is brought back online, it will receive a list and compare that to what is on its own server. If that list contains information not on its own server, then information has been submitted to the IS that sent the message that the local IS has not received yet. In that case, the local IS will send a message requesting that the information be replicated to it so it can be brought up to date.
SIMPLY REBOOT TO CORRECT MTA START FAILURE
When you upgrade Microsoft Exchange Server 4.0 Service Pack 3 to Exchange Server 5.0, the message transfer agent (MTA) may fail to start. You may also get the following error: "Event ID 2000 MSX-IS PRIV Verify that the MSX MTA service has started. Consecutive ma-open calls are failing with error 3051." Amazingly, all you have to do to correct the problem is restart Exchange Server.
USING CIRCULAR LOGGING TO FREE UP DISK SPACE
Growing transaction logs (the files Exchange uses to commit data to the corresponding database file on disk) can cause the Information Store (IS) to run out of operating space. When enabled, an option called circular logging limits the amount of disk space these transaction logs use by overwriting previous log files with new ones. At first glance, this seems like a good idea. However, it introduces some problems for disaster recovery. The log files include transactions that haven't yet been written to the IS. In case of a server failure, replaying the log files recovers the transactions that occurred since the last IS write; with circular logging, the older logs needed for that replay may already have been overwritten. If Exchange Server is backed up properly and on a regular schedule, circular logging should never come into play: the log files are automatically deleted after being backed up. Backing up Exchange Server is the preferred way of saving the log files and removing them from the disk to free up space.
USING LDAP TO DELETE MAILBOXES OPENS SECURITY HOLE
If you use the Lightweight Directory Access Protocol (LDAP) application to delete an Exchange 5.5 mailbox, Exchange will delete the directory object--but not the associated messages and folders in the information store. Consequently, if a new mailbox with the same distinguished name is created--regardless of the Windows NT account associated with the new mailbox--the contents of the old information store become available to the new mailbox. Here's how you can see this security problem for yourself:
1. Create a mailbox in Exchange Administrator.
2. Send mail to the mailbox.
3. Use the LDP.EXE tool to delete the mailbox.
4. Recreate a mailbox with the same distinguished name, but a different associated NT account.
5. Log on to the mailbox and read the e-mail you just sent.
DETERMINE MEMBERS OF A DISTRIBUTION LIST
In a previous tip, "Determine What Group or DL a Person Belongs To" (Exchange Server UPDATE, December 3, 1999), I discussed how to check which distribution list (DL) someone belongs to via the Member Of tab when viewing a mailbox's properties in Outlook. You can take that one step further to see who else is in a particular DL. To do so, select the Member Of tab, double-click any of the DLs that appear, and you'll see the DL properties, including a member list. This tip is useful when you're trying to find out who else is in a person's workgroup.
DOWNLOAD LOGGING
The Exchange download logging feature writes events to the NT Event Log when users download attachments, messages, and folders from public or private folders. To configure download logging for public folders, edit the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersPublic
To configure download logging for private folders, edit the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersPrivate
Add a REG_DWORD value whose (decimal) data corresponds to the level of logging you want:
* Attachments only = 1
* Messages only = 2
* Attachments and messages = 3
* Folders only = 4
* Attachments and folders = 5
* Messages and folders = 6
* Everything = 7
NOTE: As always, use caution when editing the registry. Always have a verified backup before you begin.
EXCHANGE LOGGING, PART 1
Exchange uses TRANSACTION LOGS (for each database) to accept, track, and maintain data. Each database transaction is written to the transaction log before being written to the database. The current transaction log file, edb.log, consists of an inactive part (transactions that have already been committed to the database) and an active part (transactions still needing to be committed). During a full or incremental backup, the inactive part of the transaction log is deleted.
EXCHANGE LOGGING, PART 2: PREVIOUS LOGS
When a transaction log becomes full, it is renamed and a new edb.log file is created. The renamed log file is stored in the same subdirectory as the edb.log file. Log files are renamed in sequential order using hexadecimal numbers (for example, edb00009.log). Keep in mind that when circular logging is enabled, Exchange does not maintain its previous logs.
RESERVED LOGS
The directory and information store each maintain a res1.log and a res2.log file. These reserve logs are used when the directory or information store service renames the transaction log (edb.log) file and attempts to create a new one. If an error occurs before it shuts down, the service flushes the transactions in memory that haven't been written to the transaction log into the res1.log and res2.log files.
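Because the renamed logs form a numbered chain, a directory listing tells you whether a restore could actually replay up to the present: any missing number is a break in the chain, and the two tips above (circular logging, and the naming scheme here) are both easier to reason about once the numbering is decoded. The following is an added example, not code from the page: it parses a constructed listing of a log directory, checks the hexadecimal sequence for gaps, predicts the name the current edb.log will take when it fills, and confirms the reserve logs are in place. Under circular logging you would expect only a handful of numbered logs to exist, since older ones are overwritten.

```python
"""Sanity-check an Exchange 5.5 transaction log directory listing.

Added example, not from the page. Exchange names full logs edbNNNNN.log with a
hexadecimal sequence number (edb00009.log is followed by edb0000a.log), keeps the
current log as edb.log and holds two reserve logs, res1.log and res2.log. A missing
number in the sequence means a restore cannot replay past the gap. The listing
below is constructed; edb0000b.log is deliberately absent.
"""
from __future__ import annotations

import re

SAMPLE_LISTING = [
    "edb00008.log", "edb00009.log", "edb0000a.log", "edb0000c.log", "edb0000d.log",
    "edb.log", "res1.log", "res2.log", "edb.chk", "priv.edb", "pub.edb",
]

NUMBERED_LOG = re.compile(r"^edb([0-9a-f]{5})\.log$", re.IGNORECASE)


def numbered_logs(listing: list[str]) -> list[tuple[int, str]]:
    """(sequence number, filename) for each renamed log, sorted by number."""
    found = []
    for name in listing:
        m = NUMBERED_LOG.match(name)
        if m:
            found.append((int(m.group(1), 16), name))   # hex in the name, int for arithmetic
    return sorted(found)


def next_log_name(listing: list[str]) -> str:
    """Name edb.log will receive when it fills: one past the highest existing number."""
    logs = numbered_logs(listing)
    n = logs[-1][0] + 1 if logs else 0
    return f"edb{n:05x}.log"


def missing_logs(listing: list[str]) -> list[str]:
    """Gaps between the lowest and highest numbered log present."""
    logs = numbered_logs(listing)
    if not logs:
        return []
    have = {n for n, _ in logs}
    lo, hi = logs[0][0], logs[-1][0]
    return [f"edb{n:05x}.log" for n in range(lo, hi + 1) if n not in have]


def audit(listing: list[str]) -> dict:
    """Summarise whether the log set looks replayable: current log, reserve logs, no gaps."""
    names = {n.lower() for n in listing}
    gaps = missing_logs(listing)
    return {
        "current_log_present": "edb.log" in names,
        "reserve_logs_present": {"res1.log", "res2.log"} <= names,
        "missing": gaps,
        "next_log": next_log_name(listing),
        "replayable": "edb.log" in names and not gaps,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run the audit against the log directory of each database (directory and information store keep separate sets) before relying on a full backup plus logs for recovery; a gap found at restore time is too late.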
LIMITED ADMINISTRATION OF PUBLIC FOLDERS
If your whole Exchange organization is on Exchange version 5.5, public folders are attached to their home site and server. In order to perform administrative actions on a public folder, a user must have administrative permissions on that folder's home site. Any subfolders that are created will inherit the limited administrative access designations from the top-level folder. You can change a public folder's limited access designation on its General tab. Simply select the Limit Administrative Access To Home Site box to turn it on, or uncheck it to deactivate it. Keep in mind that if you upgrade from a previous version of Exchange, the public folder hierarchy won't automatically be set for limited administration access, so you'll have to manually turn it on.
PUBLIC FOLDER REPLICATION
You want to create a replica of an existing public folder. Here's what you need to do:
1. Open Exchange Administrator.
2. Add the new information store to the Instances property page of the public folder, or add the public folder to the Replicas property page of the Public Information Store.
During replication, changes made to items in a replica are sent to all other replicas of the public folder throughout the organization. Changes made to the folder, a folder's properties, or the public folder hierarchy are replicated to all public folder servers (even those without replicas of this folder). When you no longer want a specific public folder replica, you can delete it from its information store. When an information store detects a new replica and determines that it's responsible for that replica, it generates a backfill request for the contents of the folder.
RESTORING EXCHANGE DATA
If you're restoring Exchange data from a backup, keep in mind that you can't restore the Exchange directory to a computer on a different Windows NT domain. Also, if the Exchange server that you're restoring is a Primary Domain Controller, the Security Identifier (SID) value on the restored server must match the SID value that was on the original server. If it doesn't match, you won't be able to access the information store unless you manually rebuild the Windows NT accounts that were on the domain.
Most tips are from TipWorld - http://www.tipworld.com :The Internet's #1 Source for Computer Tips, News, and Gossip