CHANGING THE EXCHANGE SERVICE ACCOUNT PASSWORD
The Exchange Service Account is one of the few accounts that you'll hold dearer than even your own administrator account! This account not only has Permission Admin authority to every server in your Exchange organization, it also has rights to log on locally (if your Exchange server is a domain controller), act as part of the operating system, and log on as a service.
Because the Exchange Service Account must be functional for your Exchange servers to operate, you'll always want to make sure that the Password Never Expires option is checked in the account's User Properties sheet. This means that you'll be responsible for remembering to change the password on a timely basis. You should change the password at least as often as you change your own password, if not more often.
To change the password, begin by performing the following steps in each site: Open Exchange Administrator, select the site's Configuration container, and choose File | Properties. Then click the Service Account Password tab, type the new password in the Password and Confirm Password fields, and click OK.
Remember that each Exchange server's Schedule Service uses the Service Account. Therefore, you must also log on to each Exchange server, stop the Exchange Services, and change the Schedule Service password. Open the Services applet, select Schedule Service, click Startup, and enter the new password in the Password and Confirm Password fields. Then click OK and close. Finally, restart Exchange Services.
EXPLORING PERFORMANCE OPTIMIZER'S MODAL OPTIONS
Exchange Server 5.5's setup program prompts you to run Performance Optimizer (PERFWIZ.EXE) as the last step of the installation procedure. Performance Optimizer is the only interface that allows you to configure Exchange Server memory usage, resource allocation, public information store options, and database paths. Performance Optimizer analyzes both your system's hardware and your Exchange Server's user-configured options and automatically configures resource allocations for you. Therefore, you should run Performance Optimizer every time you upgrade server hardware, or add or remove connectors or large numbers of recipients.
You can execute Performance Optimizer normally by choosing it from the Start menu. However, you can also start Performance Optimizer in either silent or unattended mode. In silent mode, Performance Optimizer runs in the background and configures options automatically without displaying dialog boxes or asking for input. To start Performance Optimizer in silent mode, enter the following: C:\exchsrvr\bin\perfwiz.exe -s
In unattended mode, Performance Optimizer configures options using settings that you've specified in an .inf file without prompting you for input. To start Performance Optimizer in unattended mode, enter: C:\exchsrvr\bin\perfwiz.exe -f c:\exchsrvr\bin\perfopt.inf where perfopt.inf is the name of your .inf file. For information on how to create an .inf file for running Performance Optimizer in unattended mode, see Microsoft Knowledge Base article Q175283.
HIDDEN RECIPIENTS DON'T APPEAR IN A DISTRIBUTION LIST'S MEMBERSHIP
If anyone in your organization has ever complained about unintended recipients getting mail messages that were sent to a distribution list, you'll want to check your organization's list of hidden recipients. To do so, open Exchange Administrator and choose View | Hidden Recipients. If the recipient is hidden and is also a member of the distribution list in question, users won't see that name in the distribution list's membership. This can cause problems, especially if your users send sensitive information to the distribution list!
You can hide a recipient from your organization's Global Address List (GAL) by simply choosing the Hide From Address Book option on the Advanced tab in the Recipient's Properties sheet. Many new Exchange administrators are unaware of the problems they can cause by injudiciously hiding recipients from the GAL. Hiding a recipient prevents the name from appearing anywhere in the Global Address List, which is usually a user's only way of determining a distribution list's membership. Before hiding a recipient, be sure to determine which distribution lists the user belongs to by viewing the Distribution Lists tab in the Properties sheet.
ASSIGNING MULTIPLE OWNERS TO A DISTRIBUTION LIST
Users come and go, and when the day is done, the Exchange administrator must make sure that distribution lists are kept up-to-date. But if you're smart, you'll want to offload some of this "administrivia" to the users who requested the distribution lists by assigning them as owners of the lists that they request. Distribution list owners can use Outlook's Address Book to add or remove users from a list. You can use the General tab in the Distribution List's Properties sheet to assign an Owner to the list. Though each distribution list can only have one Owner, other users can have permissions equivalent to Owner to add and remove list members.
To assign multiple owners, click the Permissions tab in the Distribution List's Properties sheet. Then click Add and select the NT account to which you want to assign owner permissions and click OK. Finally, select the user that you added and change the Role to User. The default Admin role is only appropriate for Exchange administrators. Assigning multiple owners distributes the list's administration load across several people and ensures that someone (other than you, hopefully) will be available to modify a list's membership.
RECOVER DELETED ITEMS FROM THE EXCHANGE "DUMPSTER"
It never hurts to have a safety net. Exchange Server 5.5 offers an exciting feature that can save valuable time that would otherwise be wasted restoring mailbox data from tape. You can configure a Deleted Item Retention Period for your Exchange server's Information Stores or selected mailboxes in your organization. When you enable this option for an entire Information Store, Exchange keeps any messages that users delete or empty from their Recycle Bins. Instead of actually deleting the items, Exchange hides the message from the mailbox for the duration of the retention period and then deletes them. This limbo state is often referred to as the "Dumpster."
To enable and configure the Deleted Item Retention Period, use Exchange Administrator to open your server's Private Information Store's Properties sheet. Select the General tab and enter a value in the Deleted Item Retention time [day] field. If you perform regular backups, check the option Don't Permanently Delete Items Until The Store Has Been Backed Up. You can also configure these options on the mailbox level by opening a mailbox's Properties sheet and clicking on the Limits tab. Then deselect the Use Information Store default option.
To restore items from the Dumpster, use Outlook 98 or 2000 to log on to the mailbox, then select the Deleted Items Folder and choose Recover Deleted Items from the Tools menu.
QUICKLY "UNHIDING" A MAILBOX
Hidden mailboxes can be great if you want to quickly blank out the mailbox of a recently departed employee or records of a confidential project. But what if you need to glimpse the mailbox's contents without reopening it to the user's view?
Here's a quick tip: Use Exchange Administrator in raw mode (employ the /r switch) to change the hidden mailbox's display name to something you know, but that will be meaningless to users. That way, you can view the mailbox's contents without opening it back up to users.
Select the desired mailbox and choose File | Raw Properties. Find the Obj-Dist-Name attribute, click on Viewer, and copy the text. Now, go to the display-name attribute and paste this value into the Edit Value field. Click Set and then click OK.
Now you need to create an Outlook profile with a mailbox name that's the same as the display name that you copied from the raw properties. Open Outlook using this new profile, and you'll be able to see the hidden mailbox.
CREATE RECIPIENTS' ALIASES RIGHT THE FIRST TIME
Good Exchange administration requires good planning, as Exchange is not nearly as forgiving of our mistakes as we would like it to be. To wit, when you create a recipient, you must make sure that you've correctly spelled its alias before you click OK. Why is this so important? When you create a recipient, Exchange uses the alias you've entered to create the recipient's Directory Name. For those of you familiar with databases, the Directory Name field is the Primary Key in the Exchange Directory database. This means that whenever you perform directory imports, you must reference a recipient's Directory Name to modify its entry (record) in the directory. Even if you change the recipient's alias after creation, you cannot modify the recipient's Directory Name. The only effective way to modify the recipient's Directory Name is to delete and recreate the recipient!
Exchange Administrators commonly make the mistake of using a "friendly" alias in the form of first initial plus last name (which is the example often given in Exchange Administration tutorials) for creating mailboxes. Instead, we recommend that when you create employee mailboxes you use an employee number as the alias instead of a friendly alias name. That way an employee name change will not require you to delete and recreate the employee's mailbox to keep the Directory Name consistent with her or his actual name.
CREATING A DEAD LETTER OFFICE
Employees come and go; their mail subscriptions stay with you for a long time. When you delete a former employee's mailbox, you'll find that Non-Delivery Reports (NDRs) for mail messages addressed to their once-valid Internet addresses will arrive in the Postmaster (or Administrator) mailbox (along will all the other non-deliverable messages sent to your domain). Although users eventually stop sending mail once it goes unanswered or they receive an NDR themselves, many listservs and other automated messaging applications will, unfortunately, continue to send mail to invalid addresses, creating an unnecessary number of NDRs in the Postmaster mailbox.
As a busy Administrator, you don't have time to unsubscribe former employees' addresses from all the mailing lists they subscribed to. Instead, route that mail to a Dead Letter Office and keep the unnecessary NDRs from appearing in your Postmaster mailbox.
- 1. Create a mailbox named Dead Letter Office and hide it from your Global Address List.
- 2. Open the mailbox's Properties sheet and select the E-mail Addresses tab.
- 3. Add the Internet addresses of former employees to the mailbox.
Now Exchange will deliver all the mail that your domain receives for the expired addresses to the Dead Letter Office mailbox instead of the Postmaster mailbox. Be sure to clean out the Dead Letter Office fairly frequently using Exchange Administrator's Clean Mailbox tool.
CREATING PASS-THROUGH ALIASES
Often a recipient in your organization will act as a relay point to another recipient outside the organization. Your users have probably already asked you to create mailboxes that they intend to use for this purpose by creating a rule that forwards all of the mail the mailbox receives to the Internet address for someone else. This allows the outside recipient to receive mail as though he or she was actually a recipient in your own organization.
Though a mailbox is useful for this purpose, it's not necessarily the best tool for the job. As an administrator, you should strive to keep the number of mailboxes in your organization to an absolute minimum. If you only need to pass mail sent to one Internet address to another, it would be better to create a pass-through alias. To do so, follow these steps:
- 1. Create a Custom Recipient entry that points to the outside recipient's Internet address.
- 2. Open the Custom Recipient's Properties sheet and select the E-mail Addresses tab.
- 3. Click the New button and add an Internet address that follows the naming convention at your company (e.g., email@example.com).
Now, when your Exchange Server receives mail addressed to firstname.lastname@example.org, it will send the mail message to the Internet address specified in the Custom Recipient entry.
GOING LOW-FI: CLIENT-SIDE FOLDER PERMISSIONS
Yesterday, we advised you to use Exchange Administrator to set permissions as the Exchange server admin. However, sometimes your users may want to allow other users on the network to access their mailboxes; of course, this is the kind of task that drives busy admins crazy. So, you may want to distribute this quick walk-through of client-side permission configuration to managers or experienced users. It probably wouldn't hurt to give a heads-up to your help desk, as well.
You can also customize the new user's role by using the check boxes.
IS THE SERVER YOU LOVE A SPAM RELAY?
Many administrators don't find out that it's possible for their mail
servers to be used to relay spam or other unauthorized messages until
someone has already done so. How does this happen? Unfortunately, the
default configuration of many types of mail servers, including
Microsoft Exchange, allows open SMTP relaying. This feature lets anyone
use an SMTP mail client program to send a message to your mail server,
which it in turn relays to one or more (or hundreds) of external
addresses. In the early days of the Internet, admins left this feature
enabled in the spirit of openness and cooperation. However, today it's
too often abused and should be disabled if you want to save yourself and
your company the embarrassment of being an unwitting relay for spam.
The Open Relay Behavior-modification System (ORBS) is a grassroots
effort to increase awareness of open SMTP relaying. ORBS tests mail
hosts for the open SMTP relaying feature and lists the host's IP
address in its database if it finds that the host is an open relay.
ORBS also notifies the host's Postmaster of its findings. You can query
the ORBS database and find out if your Exchange server is listed there.
ORBS is somewhat controversial; many people think that because it
"outs" open SMTP relays it encourages spam. But ORBS insists that
outing is simply a way to encourage administrators to protect their
mail systems. We've published tips on restricting your Exchange
server's SMTP relaying behavior, but you can also learn more by reading
Microsoft Knowledge Base article Q193922.
SETTING FOLDER PERMISSIONS WITH EXCHANGE ADMINISTRATOR
The advantage to setting folder permissions in Exchange Administrator
rather than from the Exchange client is that you can specify that
permissions apply to all subfolders, as well. If you don't take this
approach and a user adds a folder to Favorites, the link to the
original folder bypasses all permissions later assigned to that folder.
To prevent this potential confusion, enter Exchange Administrator and
execute the following steps:
1. Select the folder you want to modify from the left panel.
2. Click on the Properties button on the tool bar.
3. Select Client Permissions and change the appropriate settings, as
you would in your Exchange client.
4. Check Propagate These Properties To All Subfolders.
5. Click OK.
6. Within the Subfolders Properties dialog box, select Client
SPAM WATCH, PART 1: PROTECTING YOUR TURF
Spam senders are pretty smart--they've figured out how to relay their
unsolicited messages through well-known Internet servers to trick the
ultimate recipient into believing that the mail is from a trusted host.
Fortunately, Internet Mail Service includes several features that let
your server sort the spam from legitimate Internet mail.
(If you want more details on any of the tactics we describe in this
series of tips, check out the Readme files that come with the Exchange
5.5 Server CD.)
PROTECTING YOUR TURF
The first step in protecting your server from spam is to set a list of
sender domains that you want to block messages from and the place where
you want to redirect this offensive mail. The blacklist for mail
senders is called TurfList; blocked messages are sent to TurfDir. NOTE:
When mail is blocked in this fashion, the sender does not receive a
notice from your server.
Setting up this level of protection requires you to edit the Exchange
server's registry. Navigate to the key
and add the following values:
TurfDir: This specifies the directory where aborted messages are moved.
Microsoft suggests that you send the messages to
Exchsrvr\Imcdata\Turfdir, where Exchsrvr is the directory where the
Microsoft Exchange Server files are located.
TurfList: This specifies the masks that filter spam messages. You can
filter by domain or by user.
If you don't specify a TurfDir value, the server permanently deletes
aborted messages. Before these settings take effect, you must stop or
restart the Internet Mail Service and the Information Store service
using Control Panel's Services applet.
SPAM WATCH, PART 2: TRACKING DELETED MESSAGES
Last time, we discussed using the TurfList to identify offending
spammers and send their messages to a directory on your Exchange
server. We also mentioned that if you don't set up a directory where
aborted spam should be routed, Exchange Server automatically deletes
these messages. But even if you elect not to archive all that spam, you
may sometimes want to get a glimpse of who's sending what to your
Regardless of your Internet Mail Service diagnostics logging settings,
Exchange logs an event to the Application Event Log that details
aborted file senders and message filenames. If you're using the
Diagnostics Logging property page for Internet Mail archiving, you can
locate automatically deleted files in the Internet Mail Service archive
For more information, see Microsoft Knowledge Base article Q155683.
SPAM WATCH, PART 3: BLOCKING RELAY REQUESTS
As we mentioned earlier in this series, spammers not only send your
users undesirable mail, they can also use your reputable servers as a
relay to mask their messages' true nature. If your Internet Mail
Service allows rerouting for POP3 or IMAP4 clients, it relays mail to
However, you can edit the server's registry to refuse RCPT commands
specifying a non-local recipient.
Open the registry for editing and navigate to the key
and add the following values:
RelayFlags: This defines which relay control rules are in effect.
RelayDenyList: This specifies hosts that cannot relay messages through
your server.
RelayAllowList: This specifies hosts that can relay messages through
your server.
RelayLocalIPList: This specifies the local IP addresses of the server to
which an SMTP client can connect and relay mail. This is useful for
multi-homed servers that have internal and external interfaces. Enabling
IP forwarding disables this feature.
RelayDenyList, RelayAllowList, and RelayLocalIPList consist of a net
and optional mask per line.
The exact syntax for editing RelayFlags and the other registry settings
we discuss here can be quite complex. For more information, check out
Microsoft Knowledge Base article Q193922.
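As an added example (not code from the original tip or from Microsoft), the following Python models how the three address lists decide whether a RCPT command for a non-local recipient is accepted. It assumes the "net [mask]" line syntax with a missing mask meaning a single host, and assumes a deny-then-allow-then-local-interface precedence; on a real server RelayFlags selects which rules apply, so confirm the flag values against Q193922.

```python
"""Model of IMS relay control using the RelayDenyList, RelayAllowList and
RelayLocalIPList values: one "net [mask]" entry per line."""
import ipaddress

# Constructed sample REG_MULTI_SZ contents (not taken from any real server).
RELAY_DENY_LIST = """\
192.0.2.0 255.255.255.0
203.0.113.17
"""
RELAY_ALLOW_LIST = """\
10.0.0.0 255.0.0.0
192.0.2.25
"""
RELAY_LOCAL_IP_LIST = """\
10.1.1.5
"""


def parse_net_list(text):
    """Turn 'net [mask]' lines into ip_network objects.
    Assumption: a missing mask means a single host (/32)."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        net = parts[0]
        mask = parts[1] if len(parts) > 1 else "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


def _in_list(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def may_relay(client_ip, local_ip, deny_text, allow_text, local_text):
    """Decide whether an SMTP client at client_ip, connected to the server
    interface local_ip, may relay to a non-local recipient.
    Assumed precedence: deny list, then allow list, then local interface."""
    deny = parse_net_list(deny_text)
    allow = parse_net_list(allow_text)
    local = parse_net_list(local_text)
    if _in_list(client_ip, deny):
        return False          # explicitly denied hosts never relay
    if _in_list(client_ip, allow):
        return True           # explicitly trusted hosts may relay
    if _in_list(local_ip, local):
        return True           # connected to an interface marked for relay
    return False              # everyone else is refused


def smtp_rcpt_response(client_ip, local_ip, recipient, local_domains):
    """Return the SMTP reply the server would give to RCPT TO:<recipient>.
    Mail for a local domain is always accepted; anything else is a relay."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return "250 OK"
    if may_relay(client_ip, local_ip, RELAY_DENY_LIST,
                 RELAY_ALLOW_LIST, RELAY_LOCAL_IP_LIST):
        return "250 OK"
    return "550 Relaying is prohibited"
```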
TAKE YOUR SETUP FOR A TEST SPIN
Before you even think about rolling out a new Exchange configuration,
you need to test it out in as realistic a simulation as possible. Most
credible sources suggest you build what is known as a conference room
pilot--in other words, take over a conference room and jam as much
hardware and networking stuff in there that will fit. Be sure to
* Workstations that represent the array of your company's hardware and
client software installs
* Servers of all shapes and sizes that you might employ
* Modems and telecom connections, particularly if you plan on
* Hubs and any other type of network connection that could possibly go
In addition, ask your manager to help you secure the services of a few
users in the company to help you simulate traffic--as well as users'
unique ability to bring your solution to a grinding halt.
If management balks at your request for these resources, be prepared to
impress them with the estimated expense of one day's downtime due to
unforeseen complications and insufficient planning. Any reasonable
request will probably be approved.
THE UPS AND DOWNS OF ANONYMOUS LDAP ACCESS
An out-of-the-box Exchange Server installation enables anonymous access
to your organization's directory via the Lightweight Directory Access
Protocol (LDAP) on TCP port 389. If your Exchange Server's TCP port 389
is accessible via the Internet or other network, users outside your
organization can use LDAP to look up Internet addresses for recipients
in your organization.
Microsoft intended this feature to be useful, but you should be aware
that it is easily misused. If you leave the anonymous LDAP enabled,
savvy users can anonymously retrieve the Internet addresses of all of
your organization's recipients and use the addresses to send
unsolicited commercial e-mail or inappropriate messages.
To disable anonymous LDAP for your entire site, use Exchange
Administrator to open your site's Configuration container and expand
the Protocols child container. Then highlight LDAP protocol in the
right pane and choose File | Properties. In the resulting LDAP Site
Defaults Properties dialog box, select the Anonymous tab and deselect
Allow Anonymous Access. Then click OK. Now, any Exchange server in your
site that is configured to use the LDAP Site Defaults Properties will
no longer allow anonymous access to your organization's directory.
NOTE: Disabling Anonymous LDAP access does have one unpleasant side
effect--it renders Outlook Web Access to the server inoperable.
USE THE TURFTABLE TO STOP SPAM
Spam, the unavoidable plague of unsolicited e-mail messages from the
Internet, is something that every Exchange administrator must
eventually deal with. Exchange Server 5.5 includes the TurfTable, a
primitive spam filter. While this tool doesn't have the sophisticated
features that some third-party tools have, it will get the job done in
a pinch. To enable this tool, you must modify the registry of the
Exchange server that runs your Internet Mail Service (IMS). Use
REGEDT32.EXE to open the key
and add this REG_MULTI_SZ value:
In the Multi-String Editor dialog box, enter the mask entries, one per
line, which identify the offending spammers. Use the following format
to generate mask entries:
#@spamdomain.com - flags all messages sent by spamdomain.com
@spamdomain.com - flags all messages sent by spamdomain.com and its
firstname.lastname@example.org - flags all messages sent by email@example.com
When you stop and restart your IMS, it will automatically discard all
messages flagged by the TurfTable's mask entries. For more information
on the TurfTable, see the Microsoft Exchange Server 5.5 Release Notes
in the README.doc file in the root directory of your Exchange Server
5.5 Installation CD-ROM.
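As an added example (not code from the tip or from Microsoft), the following Python implements the three TurfTable mask forms above, together with the TurfDir move-or-delete behaviour described in Spam Watch, Part 1. Assumptions: matching is case-insensitive, and an "@domain" entry covers the domain and its subdomains, since that line of the tip is cut off.

```python
"""Sender matching for IMS TurfTable mask entries."""

# Constructed mask entries, one per line as typed into the Multi-String Editor.
TURF_TABLE = """\
#@spamdomain.com
@bulkmail.example
spammer@example.net
"""


def parse_turf_table(text):
    """One mask per non-empty line, normalised to lower case (assumption)."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def turf_match(sender, masks):
    """Return the first mask that flags the sender address, or None."""
    addr = sender.strip().lower()
    if "@" not in addr:
        return None               # not a routable address; nothing to match
    domain = addr.rsplit("@", 1)[1]
    for mask in masks:
        if mask.startswith("#@"):
            # '#@domain': the exact domain only, no subdomains
            if domain == mask[2:]:
                return mask
        elif mask.startswith("@"):
            # '@domain': the domain and its subdomains (assumption)
            tail = mask[1:]
            if domain == tail or domain.endswith("." + tail):
                return mask
        elif addr == mask:
            # 'user@domain': one specific sender
            return mask
    return None


def turf_disposition(sender, masks, turf_dir=None):
    """Mirror the documented TurfDir behaviour: a flagged message is moved
    into turf_dir when one is configured, otherwise it is deleted; the
    sender receives no notice either way."""
    if turf_match(sender, masks) is None:
        return "deliver"
    return "move to " + turf_dir if turf_dir else "delete"
```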
USING THE CLEAN MAILBOX TOOL
Has a user called to complain that his or her mailbox has exceeded its
size limit and he or she is unable to send messages? If so, you may
need to use the Clean Mailbox tool to quickly reduce the size of the
To do this, open Exchange Administrator and select the user's mailbox
in the Recipients container. Then choose Clean Mailbox from the Tools
menu. In the Clean Mailbox dialog box, select the criteria that
identify the messages you want to delete. Criteria include message age,
size, and status (read or unread). You have the option of deleting the
items immediately or moving the items to the deleted folder. After
choosing your options, click OK to clean the mailbox and purge the
messages that match your deletion criteria. This tool is especially
handy for cleaning out stuffed mailboxes that users have left
unattended for lengthy periods of time.
WHO'S USING THAT INTERNET ADDRESS?
As you probably know, you can assign more than one Internet address to
a recipient. This practice is known as creating Internet address
aliases and can be very useful when you need to provide an easy way for
users outside your organization to contact groups or individuals in
your organization. For example, you might create a distribution list
that contains your company's system administrators. This distribution
list may have the display name @SysAdmins for use inside your
Organization, but by creating Internet address aliases you can make
this distribution list known as firstname.lastname@example.org,
email@example.com, firstname.lastname@example.org, or any dozen or
more aliases on the Internet.
To add an Internet address alias to a recipient, simply open the Custom
Recipient's Properties sheet and click the E-mail Addresses tab. Then
click the New button and add an Internet address.
Once you've become accustomed to assigning multiple Internet address
aliases to a single recipient, you'll find that you've lost track of
who's using which aliases. You'll usually find this out when you try to
assign an alias that's already assigned to another recipient.
Unfortunately, Exchange Administrator doesn't let you search for
recipients by Internet Address alias. The easiest way to find out which
recipient is using an alias is to open a New Message window in Outlook.
Then type the alias in the To: field and press [Ctrl]K. Outlook will
resolve the alias to the Display Name for the recipient in your
- 1. Start the Exchange client (typically Outlook or Outlook Express).
- 2. Make sure you are viewing the Folder List.
- 3. Select the mailbox in question from the Folder List.
- 4. Right-click on the mailbox and choose Properties.
- 5. Click on the Permissions tab.
- 6. Use the Add button to add users.
- 7. Click OK.
- 8. Highlight the new user and allocate a role (you must give them at least Reviewer status or they won't be able to open the mailbox).
CALL THE DOCTOR BEFORE THINGS GO WRONG
Troubleshooting application errors that crash your Exchange Server services and the Windows NT 4.0 OS can be extremely difficult if your server doesn't log application crash dump information. We recommend that you configure your Exchange servers to use Dr. Watson to create these log files when a crash dump occurs. If your Exchange server is crashing consistently and you plan to call MS Premier support for assistance, odds are good that Microsoft will ask you for crash dump Drwtsn32.log and user.dmp files. So save yourself some time and make sure that you're collecting the info before you call for support. Dr. Watson is a Windows NT debugging tool that can log application crash dump information to the Drwtsn32.log text file and log data to the user.dmp file. Using the user.dmp file requires a User mode debugging tool like Windbg.exe.
To install Dr. Watson as the default debugger, run drwtsn32 -i at the command prompt. Then run drwtsn32 at the command prompt with no parameters to open the Dr. Watson For Windows NT Options dialog box. Configure the options for Drwtsn32.log and user.dmp (crash information). Be sure to deselect the Visual Notification option to allow Dr. Watson to log the crash information without requiring user intervention. This will allow services that have crashed to stop completely; they will restart if you've configured service-monitoring tools to restart them. Then click OK to close the Options dialog box. Please note: Your server must have a pagefile on its system partition equal in size to its physical memory in order to capture dump information.
CAPTURING PERSISTENT MTA CRASH INFORMATION
When your Exchange Server's Message Transfer Agent (MTA) logs a fatal
error (an event log error with a severity level of 16), it's designed
to try to recover from the error and then attempt to shut itself down
cleanly. If the MTA cannot shut down cleanly, it may "hang" and require
you to kill its process. When you have to kill the process, the MTA
doesn't write other significant events that could help explain why the
crash occurred to the event log. If you're having a problem with
persistent and unexplainable MTA crashes or hangs, you may want to
temporarily suspend the MTA's ability to recover from a fatal error.
Doing so will cause the MTA to shut down immediately when it encounters
a fatal error. If you've configured Dr. Watson as your default debugger
(as we explained in a previous tip), it will capture the MTA's dump
information to user.dmp and you can use this info for debug analysis.
To suspend the MTA's ability to recover from a fatal error, you must
make a registry change.
1. Start Regedt32 and open the key HKEY_LOCAL_MACHINE on Local Machine.
2. Open SYSTEM/CurrentControlSet/Services/MSExchangeMTA/Parameters.
3. Choose Add Value from the Edit menu.
4. In the Value Name field, enter Raise Exception On Fatal Error.
5. In the Data Type box, enter REG_DWORD.
6. Click OK and enter the value 1 in the Data field.
We recommend that you use this registry setting until you've been able
to successfully troubleshoot your MTA problems and then set the value
of the key to 0 when your system is stable. This will allow the MTA to
try to shut itself down if a different fatal error occurs.
CONFIGURING THE TURF TABLE WITHOUT EDITING THE REGISTRY
In a previous tip we explained how to edit your Exchange Server's
registry to configure Exchange's TURF table--a table of usernames and
domain names. As you may know, Exchange Server will reroute messages
received from the usernames and domains in the TURF table to its TURF
directory instead of delivering them to local recipients or rerouting
them. If the TURF directory doesn't exist, Exchange will simply delete
A tip reader wrote to suggest an easier way to configure the TURF table
that doesn't require tricky registry editing. Simply open Exchange
Administrator and view the Properties dialog box for your Internet Mail
Connector. Then, select the Connections tab and click the Mail
Filtering button. In the resulting Message Filtering dialog box you
will find an interface that allows you to configure all of the options
that we showed you how to configure by editing the registry. To keep
messages instead of deleting them, deselect the Delete Messages Instead
Of Moving Them To The TURF Directory option.
EDITING PUBLIC FOLDER PERMISSIONS FROM THE COMMAND LINE
Exchange tip reader Mark Turner asks, "Is there a way to append
permissions to public folders and all the subfolders like you can with
CACLS.EXE for NT permissions?"
Yes, there is a way to set, modify, and extract permissions for your
Exchange Organization's Public Folder Hierarchy from the command line.
For this job, there's a command-line tool called PFADMIN.EXE, which is
included in the Microsoft BackOffice Resource Kit, second edition. If
you've used the Windows NT Server 4.0 Resource Kit's CACLS.EXE, you'll
find PFADMIN.EXE very familiar. To use PFADMIN.EXE, install Outlook on
your workstation or server and create a MAPI profile that logs on to a
mailbox that uses the Exchange service account as its primary Windows
NT account. PFADMIN.EXE can also extract public folder permissions to a
file and later use the file to reapply the extracted permissions. This
can be a lifesaver if permissions have been manually misapplied and
propagated through subfolders. For more information on PFADMIN.EXE, see
the documentation that comes with the BORK or read Microsoft Knowledge
Base article Q199319 to learn how to use the tool to extract public
GET YOUR POST-SP3 HOTFIXES!
No service pack would be complete without a handful of post-service
pack hotfixes! Now that you've just gotten around to putting Exchange
Server 5.5 Service Pack 3 on all your production servers, you'll need
to read up on the hotfixes. But remember, apply them only if they fix a
problem that you're experiencing. For a comprehensive overview of the
available post-SP3 hotfixes, see Microsoft Knowledge Base article
Note that if you reapply an Exchange Service Pack after applying
hotfixes, you'll need to reapply the hotfixes as well. But if you
didn't remove the hotfixes before reapplying the Service Pack,
HOTFIX.EXE may return an error when you try to apply a hotfix. See
Microsoft Knowledge Base article Q180002 for details on how to
reinstall hotfixes after reapplying a Service Pack.
PROPAGATING FOLDER PERMISSIONS WITH EXCHANGE ADMINISTRATOR
The advantage to setting folder permissions in Exchange Administrator
rather than the Exchange client is that you can set your permissions to
apply to all subfolders as well. However, there is a drawback to this
approach--if a user has added a folder to Favorites, that link to the
original folder bypasses all permissions later assigned to that folder.
To prevent this potential conflict, enter your Exchange Administrator
and execute the following steps:
1. Select the folder you want to modify from the left pane.
2. Click Properties on the toolbar.
3. Select Client Permissions and change the appropriate settings, as
you would in your Exchange client.
4. Check Propagate These Properties To All Subfolders.
5. Click OK.
6. Within the Subfolders Properties dialog box, check Client
REDUCE YOUR IMS'S DEPENDENCY ON DNS
The mail must go through, and as a good administrator, you'll take the
extra steps needed to make sure it does. But if you administrate for a
small organization, your Exchange server probably uses your ISP's DNS
to resolve host names to the IP addresses of the servers that receive
mail for a domain. If so, your Exchange Server's Internet Mail Service
(IMS) would be unable to send mail if your ISP's DNS servers were
unavailable. To eliminate this dependency, you could implement your own
in-house DNS server. However, since all systems are subject to failure,
any DNS outage could render your IMS incapable of sending mail.
Fortunately, Exchange Server's IMS lets you create a table that
overrides DNS resolution. You can use this feature to create a
permanent host name-to-IP mapping for domains that are critical for
your organization. For example, you may want to create mappings for the
domains of your business partners or key vendors. To do this, follow
1. Start Exchange Administrator.
2. Open IMS Properties and select the Connections tab.
3. Click E-mail Domain. In the resulting E-mail Domains dialog box,
click Add and the Add E-mail Domain button will appear.
4. Enter the domain in the E-mail Domain field.
5. Select the Forward All Messages For This Domain To Host option and
enter the IP address of the host that receives mail for the domain.
6. Click OK three times to close the dialog boxes. Stop and restart the
Now your Exchange server will be able to resolve the critical host
names even if a DNS outage occurs. Just remember to update the mappings
if the IP address of the domain's mail server changes.
Also note: Your Exchange IMS never uses its local HOSTS file to resolve
IP addresses for a domain's mail server. Microsoft purposely designed
the IMS to overlook this conventional form of host name resolution to
prevent an out-of-date HOSTS entry from affecting mail delivery.
TEST YOUR RPC CONNECTIVITY WITH RPINGS.EXE
As you may know, Exchange server-to-client and intrasite Exchange
server-to-server communication takes place via RPC (Remote Procedure
Calls). Though Windows 9x and Windows NT operating systems come with
tools that allow you to easily check TCP and other network protocol
connectivity between machines, you'll need a special tool to check RPC
connectivity between an Exchange server and its clients or other
Microsoft provides the RPINGS.EXE server application and its companion
client application RPINGS32.EXE on the Exchange Server 5.5 CD-ROM.
These tools behave much like their TCP cousin, PING.EXE. You execute
RPINGS.EXE on Machine A and RPINGS32.EXE on Machine B. Then use
Machine B's RPINGS32.EXE diagnostic to "rping" the RPINGS.EXE running
on Machine A. For complete diagnosis, reverse roles by running
RPINGS.EXE on Machine B and RPINGS32.EXE on Machine A and perform the
TechRepublic reader email@example.com wanted information about
the quickest and safest way to back up an entire system from one NT
Exchange Server to another in preparation for an upgrade.
Reader MCSE Lee suggested creating another Exchange Server in the same
Site and using the Move Mailboxes feature from the Tools Menu. Lee also
advised jlichtefeld to obtain another server license if the backup
server is to be used for an extended period of time.
CHECKING THE PRIVATE INFORMATION STORE
It's a good idea to clean house before problems develop. Here's how to
check the physical resources being used by every mailbox on a server:
1. Open Exchange Administrator.
2. Select the site you want to work with.
3. Select the Configuration container.
4. Select the Servers container to display all the Exchange servers.
5. Select the server that holds your Private Information Store.
6. Highlight Private Information Store.
7. Select Properties from the File menu.
8. Within the resulting dialog box, select the Mailbox Resources tab.
Now you can see where your resources are going and either move some
mailboxes to another server, clean the overloaded mailboxes, or set up
mailbox storage limits.
LOCKING DOWN SERVER-TO-SERVER INTERNET CONNECTIONS
When configuring an Internet Mail Service connector, you may want to
take some additional security steps to protect your data as it goes
flying around the Internet from Exchange server to Exchange server. In
particular, you may want to configure Exchange to encrypt all data--
including directory and replication messages--and configure connected
servers to accept only authenticated, encrypted information.
Here are four IMS settings you may want to employ to improve security
on servers connected via the Internet. (These settings do interfere
with the ability to send general Internet mail, so use them
1. Click Specify By Host and then click Add. Enter the remote server's
subnet mask and IP address. Also specify that the host must use
authentication and encryption.
2. Specify the host name or IP address of the remote server under
3. Select the Address Space tab. Delete the default settings, enter a
new address space of type SMTP, and use the domain name of the remote
server as the address. (This blocks routing of general Internet mail.)
4. Select the Security tab. Click Add and then enter the remote site's
address. Select the Windows NT Challenge/Response option, then set the
Exchange Site Service account as the validator.
PROTECTING AND OPTIMIZING YOUR TRANSACTION LOGS
Every Exchange administrator should understand the importance of
Exchange transaction logs. Exchange uses its transaction logs to record
database transactions to disk before committing the transactions to its
database. Exchange Server uses these logs to perform a soft recovery
after a system crash. Exchange writes the logs to disk in contiguous
blocks to optimize disk writes and transaction logging performance. The
best place to put your transaction logs depends on many factors.
However, when configuring Exchange Server, try to use the following
rules whenever feasible.
1. Always make sure there is plenty of room on the volume where you
place the transaction logs, and monitor disk space availability. When
Exchange Server runs out of room for transaction logs, it shuts itself
2. Do not put transaction logs in the same volume with the Exchange
databases themselves or other files shared by applications. Doing so
makes the logs contend with other files for disk space and requires the
disk's head to move to different parts of the disk while performing
3. Use RAID 1 (mirroring) to protect your files. Small SCSI disk drives
are now inexpensive enough that you can justify the benefit of
mirroring two of them and using them exclusively for Exchange
transaction logs. Remember that even if the array or volume holding
your Exchange databases stops functioning, you can recover up to the
minute of failure if you have a tape backup of the database and your
current transaction logs.
DELIVERING EXTERNAL MAIL TO PUBLIC FOLDERS
You'll probably find that Public Folders are a better alternative to
shared mailboxes when you need to let multiple users share e-mail or
other documents centralized in a single container. If you use an
Internet Mail Connector in your Organization, Exchange will assign an
SMTP alias to each Public Folder that you create. However, if the
Public Folder's permissions for the default user are set to None, users
outside your Organization that don't have another defined permission
role will be unable to send mail to the folder via its SMTP alias.
There are two methods to allow users outside your Organization to send
e-mail to a Public Folder via its SMTP alias.
1. You can allow all outside users to send to the folder by setting the
folder's default permission role to Author instead of None.
2. You can allow only specific outside users to send to the folder by
creating Custom Recipient entries for the users' own SMTP aliases and
then assigning the permission role of Author to their Custom Recipient
ENABLING POP3 AND IMAP LOGGING
If you support mail clients that use Post Office Protocol 3 (POP3) or
Internet Message Access Protocol (IMAP) to read mail from your Exchange
server, you may be perplexed when troubleshooting client authentication
and connectivity problems. Or maybe you'd just like to know who's using
these protocols to read mail from your server and from where they're
connecting. Why doesn't Exchange Administrator let you log and review
POP3 and IMAP communications with a server? No one but Microsoft knows
the answer. Fortunately, you can configure Exchange Server to log POP3
and IMAP activity to a flat text file by editing the registry. Read
Microsoft Knowledge Base article Q182504 for details on how to do this.
We need to warn you that these text log files can grow rather large
very quickly depending on the logging level that you use and your
server's activity level.
ENABLING SMTP LOGGING
Troubleshooting problems associated with Simple Mail Transfer Protocol
(SMTP) communications between servers can be difficult if you don't
know what the servers are saying to each other. Fortunately, you can
use Exchange Administrator to enable SMTP logging, which records SMTP
conversations in a flat text file. To enable logging, start Exchange
Administrator and open the Server's Internet Mail Service's Properties.
Select the Diagnostic Logging tab, select SMTP Protocol Log, and set
its logging level to Maximum. When you stop and restart your Internet
Mail Service, it will log all SMTP activity in a file named
L000000X.log (where X is the log serial number) in the
Exchsrvr\Imcdata\log directory. These log files can get rather large,
so it's a good idea to only enable logging while you're trying to
troubleshoot a problem and then turn it off when it's resolved.
PROVIDING NAME RESOLUTION FOR REMOTE CLIENTS THAT DON'T USE WINS
If your remote clients don't use WINS servers for NetBIOS name
resolution, they may be unable to connect to your Exchange server if
they can't resolve the server's computer name (given in the Outlook
profile) to an IP address. When they try to connect, they may receive
the error, "Network problems are preventing connection to your
Microsoft Exchange server. Please contact your system administrator,"
even though the server is perfectly functional. To provide name
resolution, add an entry to the client's LMHOSTS file for the Exchange
server's computer name. Then to refresh the NetBIOS cache, type nbtstat
-R at the command prompt.
The LMHOSTS file contains instructions for adding an entry. Once added,
remote clients should be able to resolve the name to an IP address and
connect to the server. Note: If the Exchange server's IP address
changes, you'll need to change the LMHOSTS entry on each client.
OUTLOOK WEB ACCESS, OFFICE 2000, AND EXCHANGE SERVICE PACK 3 ARE A BAD
Does applying a service pack make you nervous? If not, it should. As a
savvy Exchange administrator, you should understand that every time you
apply a service pack you are potentially trading old problems for new
ones. Applying Service Pack 3 to your Outlook Web Access server will
cause problems for clients that have Microsoft Office 2000 installed.
These clients will be unable to use Outlook Web Access to open Office
documents attached to e-mail messages. This problem is described in
Microsoft Knowledge Base article Q244744, and there is currently no
VERIFYING .EXE AND .DLL VERSIONS AFTER HOTFIXES AND UPGRADES
Have you applied and possibly even reapplied so many hotfixes and
service packs to your Exchange Server that you've lost track of them
all? If so, you may run into problems when applying Exchange add-ons
and third-party tools that use specific versions of core Exchange .exe
and .dll files. Microsoft Knowledge Base article Q243604 lists the file
size, revision date, and version number of all Exchange Server
executable and dynamic link library files and their corresponding
service pack levels. We recommend that if you have .dll conflicts, you
should verify your server's current file versions and descriptions
against the lists given in this article. To capture file size, date,
and version information en masse, use the Filever.exe command line
utility from the Windows NT Resource Kit.
WHEN AUTO-FORWARDING RULES DON'T WORK LIKE THEY SHOULD
Have you ever created a mailbox rule to automatically forward messages
to an Internet address and found that the rule didn't work when you
knew that it should? This can be an incredibly frustrating problem
since Exchange doesn't generate an error or a warning message to tell
you that your rule isn't working properly. The root cause of this
problem is that Exchange Server 5.5 doesn't know the difference between
an auto forward to the Internet and an auto reply to the Internet. If
you've configured your Exchange Server to disable auto replies to
Internet messages (an option in Internet Mail Service Properties),
you've also prevented Exchange Server from auto-forwarding messages to
the Internet. Fortunately, Exchange Server 5.5 Service Pack 2 fixes
this problem. If you haven't yet applied SP2, you can fix the problem
by modifying the server's registry. See Microsoft Knowledge Base
article Q192982 for more details.
WHEN OUTLOOK HANGS WHILE USING A SLOW CONNECTION
If you have users who connect to your Exchange server over slow WAN
connections, they've probably complained that their Outlook or Exchange
clients occasionally hang for no apparent reason. While your first
thought might be to blame the slow connection, there is a documented
bug in NT Server 4.0 that could account for this problem. As Microsoft
Knowledge Base article Q232512 explains, NT Server 4.0 TCP/IP can
prematurely retransmit packets to clients connected over slow
connections and dramatically degrade client/server throughput. This OS
behavior is especially problematic for the Exchange Information Store
service, which uses RPC to communicate with clients. Service Pack 6a
for Windows NT Server 4.0 fixes this problem with the OS, though there
are hotfixes available for previous service packs. If you're looking
for a reason to apply NT Service Pack 6a to your Exchange Server, this
could be it.
A BETTER DEFAULT ROLE FOR PUBLIC FOLDERS THAT RECEIVE INTERNET MAIL
In a previous tip ("Delivering external mail to Public Folders," Jan.
20, 2000), we explained that you could allow Internet users to send
e-mail to a Public Folder's SMTP alias. We recommended that you do this
by setting the folder's default user role to Author. However, tip
reader Jeff Brigham offered a better suggestion:
Instead of setting the Public Folder's default permission role to
Author, set it to Contributor. The Author role allows users to create
and read items and files, and modify and delete items and files they
create. The Contributor role only allows the user to create items and
files. The contents of the folder do not appear.
It's important to remember in this instance that the default user's
role defines the role for users both outside and inside your Exchange
DISPELLING PHANTOM UNREAD MESSAGES
As an Exchange Administrator, you'll eventually receive a complaint
that Outlook's unread message counter shows an unread message, when, in
fact, no unread messages are visible in the mailbox. This symptom is
often thought to be an indication of a serious problem, such as mailbox
corruption. However, before you look any further, check the Outlook
client's folder views and permissions. If the user changed the default
folder view to a view that would prevent Outlook from displaying the
message, Outlook would still count the message as an unread item. Go to
View | Current View | Customize Current View, and check the Filter
option to determine whether there's a setting that's filtering the item
from view. Also keep in mind that if Delegate permissions are used to
share the mailbox, a message marked Private would not be displayed
unless the mailbox's associated NT account was logged into the mailbox.
Use the associated NT account to log in to the mailbox, and then see if
you can see the message and whether it was marked Private.
DON'T REMOVE X.400 ADDRESSES FROM DIRECTORY OBJECTS
Yes, we know that you want to run a tight ship and keep your Exchange
Organization's directory as tidy as possible. But don't be overzealous!
We've heard from a few administrators who thought that the X.400
addresses they saw displayed in directory objects' Properties sheets
were unnecessary. Remember that even though you and your users don't
use X.400 addresses, Exchange does, and removing an object's address
can have dire consequences. So what's an X.400 address for, you ask?
X.400 is a CCITT standard that governs the exchange of all kinds of
electronic messages, including e-mail, faxes, and even voicemail.
Exchange Server 5.5 uses X.400 addresses to route messages internally.
OPTIMIZING YOUR IMS FOR A DIAL-UP CONNECTION
When you install an Internet Mail Service (IMS) connector on your
Exchange 5.5 server, the connector is optimized for LAN (10 MB or
better throughput) connection speeds. If your IMS must use a dial-up
connection to send and receive mail, we recommend that you configure
the connector to forward all of its mail to your ISP's SMTP server.
This configuration keeps your connection overhead to a minimum as it
puts the tasks of DNS resolution and end delivery on your ISP's server,
not yours. Also, you will need to configure the IMS's Advanced Transfer
Mode options to limit the maximum number of inbound and outbound
connections, but increase the maximum number of messages transferred in
a single session to a higher value (between 40 and 60). To configure
these options, open IMS Properties, click the Connections tab, and then
click Advanced Transfer Mode Options.
GETTING ANSWERS TO FREQUENTLY ASKED QUESTIONS
Before you solicit an expert resource for advice, it's always a good
idea to do your homework first. For example, one of the most common
questions asked by new administrators about Exchange Server 5.5 is:
"Can you configure Exchange Server to append a global signature to all
The answer, unfortunately, is no. If you have a question regarding
Exchange Server, you can save yourself a lot of time by checking one of
the many FAQ (Frequently Asked Questions) files available on the
Internet. One excellent FAQ site is Exchangefaq.org.
LOG RECORD STALLS/SEC
If you're having performance problems with Exchange Server, it might be
because you have too few log buffers. When Exchange is ready to write
something to a log buffer and there isn't one available, it has to wait
until one is. That wait becomes a bottleneck that can impair the
performance of your system.
On your Exchange Server, open Performance Monitor, go to the Database
object, and check the Log Record Stalls/sec counters for your
information store and directory. If they're more than occasionally
greater than zero, you'll need to take corrective action. Open the
Registry Editor and add a DWORD value named Log Buffers to the
ParametersSystem key. The default value is usually less than 80, so try
setting it to 256 or even 512.
Each log buffer holds a single log sector (i.e., a sector on your log
drive) that is typically 512 bytes.
If you have users who go away on trips but need their mail forwarded to
someone else or to an outside account, then you'll want to use
Exchange's Alternate Recipient settings. On the Delivery Options tab of
the mailbox's Properties sheet, you can specify the mailbox of another
user to whom the mail should be redirected.
An interesting option that you may want to give some thought to is
whether you want the mail delivered to both the original recipient and
the alternate, or just to the alternate. Sending to both has the
advantage that when the original recipient comes back (or checks in),
all of his or her mail is there. Sending to just the alternate,
however, allows that person to sort the mail and purge what's junk and
decide what can be readily handled by the alternate, so the original
recipient has only the important, pending messages to deal with upon
A word of caution: If the original recipient handles potentially
confidential information, it's a good idea to notify others in the
company that the alternate will be reading their e-mail while the
intended recipient is away. It would be an ugly situation for someone
in the firm to send the original recipient a confidential message,
unaware that it was going to be delivered to an alternate recipient who
might not otherwise be privy to that information.
CONNECT THROUGH PROXY
If you have a Proxy Server connection to the Internet, you can use that
Proxy Server to transfer your Internet e-mail in and out. It's really
quite easy to do. (Note: This assumes you have the Internet Mail
Service installed on your Exchange server.) The first step is to make
sure that, in the Winsock Proxy client configuration, it's set so that
the clients connect to the Proxy via IP address (and not machine name).
Then install the Proxy Client software on your Exchange server and
configure the DNS settings on the Exchange server to use appropriate
DNS servers for Internet addresses.
Once that's done you'll need to create two text files--both called
Wspcfg.ini--and place them in the appropriate directories. The first
one goes in the same directory as the Msexcimc.exe file and contains
The second one goes in the same directory as the Store.exe file and
contains these lines:
If you're using access controls on your Winsock Proxy, you'll need to
make sure to grant permission to the account that starts up the
Exchange services for access. Once that's done, restart the Exchange
server and it should now be able to listen (and transmit) messages via
the Internet Mail Service through the Proxy Server. The last step is to
make sure that your ISP has your MX & A records pointing at your Proxy
Server so that incoming mail will arrive at the Proxy Server--where the
Exchange server will be listening.
TechRepublic reader firstname.lastname@example.org runs Proxy Server 2.0 and
Exchange on the same server and needed to know why, after enabling
dynamic packet filtering, SMTP mail was unable to make it through the
Proxy Server. Enabling the Ident protocol did not solve the problem.
User email@example.com recommended looking at Microsoft's
Knowledge Base article Q176771, adding that enabling packet filtering
would block e-mail in this case.
A new tool for cleaning out Exchange mailboxes is now available in the
Back Office Resource Kit. It's called CleanSweep, and it can be used to
clean out permissions, views, rules, and even forms from an Exchange
CleanSweep runs as an add-in to Outlook or the Exchange client. The two
"gotchas" are (1) in order to run it, you have to have a profile that
opens the mailbox you want to clean, and (2) it doesn't work with the
Win95 Exchange client version 4.0 (but it does with the NT Exchange
client 4.0). For Win95 you'll need the Exchange client version 5.0 or
Outlook to run CleanSweep.
You can obtain detailed instructions for installing and using
CleanSweep from Microsoft Knowledge Base article Q174045.
SINGLE-INSTANCE STORE VS. PSTs
In some cases it may seem attractive to set your users up with .pst
files rather than having them store their mail in Exchange mailboxes,
but there are several good reasons NOT to:
1. They can get corrupted, especially by those users who like to power
their machines down at the end of the day without bothering to actually
shut down Windows properly.
2. They can't be shared--a user who needs to access someone else's
calendar, for example, won't be able to while that person is using it.
3. Do you back up your Exchange server? How about each individual C
4. Single-instance storage--the same message sent to 50 people is
stored just once on an Exchange server; pointers in each mailbox let
each user open it. The same message sent to 50 people using .pst files
is stored 50 times, which obviously takes a lot more disk space.
5. It's not very secure--there are a number of utilities available to
break the passwords on .pst files.
The one thing you should use .pst files for is archival. The
AutoArchive tool in Outlook can help keep your mailbox lean and clean
by moving older items to a .pst file.
EXCHANGE SERVER UPDATE TIP OF THE WEEK: MAKING PUBLIC FOLDER CONTACTS AVAILABLE VIA THE ADDRESS BOOK
(contributed by Ric Liang, firstname.lastname@example.org)
Many clients want to make better use of Exchange's workgroup
functionality, especially when it comes to shared contacts. Rather than
having each client have a copy of the same contact, it's advantageous
to put the contact into a Shared Public Folder (SPF). Once the contact
name is in the SPF, any number of people can access it. If a client
wants to perform name resolution on the SPF, you must make the SPF part
of that client's addressing list search. To do this, proceed as
1. Create a Contacts type Public Folder, and name it (e.g., IT Business
2. Add \Public Folders\All Public Folders\IT Business Contacts to your
Favorites by right-clicking and selecting Copy. Choose your Favorites
as the destination (not to be confused with your Web favorites). This
step creates a pointer to the SPF without duplicating the data. Your
\Favorites\IT Business Contacts folder will automatically reflect
any changes made to \Public Folders\All Public Folders\IT Business
3. In the Properties of \Public Folders\Favorites\IT Business Contacts,
select the Outlook Address Book tab and enable "Show this folder as an
email Address Book."
4. In Outlook, select Tools, Services, Addressing tab. Click the Add
button and include the reference to the new IT Business Contacts item.
(This step is necessary only if you require name resolution.)
Clients can now search through their personal contacts and workgroup
business contacts when sending messages. Another advantage is that by
creating a Favorites folder item, a user can enable that folder for
synchronization and use it when offline, and traveling users can access
the workgroup contacts even when they're not in the office or connected
THE ROLE OF THE KEY MANAGEMENT SERVER
To use the advanced security features built into Microsoft Exchange
Server, you must configure at least one server in your Exchange
Organization as the server that stores and manages the security
database. This server is called the Key Management (KM) Server.
The KM Server creates public and private encryption keys, maintains
backups of private encryption keys and public signing keys, generates
temporary keys, and maintains the original copy of the revocation list.
Before you can set up your users for advanced security, you must
install the Microsoft Exchange Key Management Server by going to the
SETUP\EXCHKM directory on your Exchange CD-ROM and running
When you install the KM Server, remember the following:
* The KM Server should be in the master domain if you're using a multi-
* The KM Server should be physically secure and backed up regularly.
* The KM Server must use the NTFS file system.
After you have installed the Key Management Server successfully, you
should see a new object named Encryption under the Configuration
container. Go to its Properties sheet. You'll be prompted for a
password. By default, Exchange sets this password to "password." Here
you can add or remove Key Management Administrators who can enable
advanced security for accounts, recover keys, revoke advanced security,
and change the Key Management password.
TROUBLE INSTALLING KM SERVER
If you're installing Exchange's Key Management Server, you may get this
error message: "Unable to get information about the sites in your
organization. Verify the NT account you are logged on as has Microsoft
Exchange Administrative rights and you have access on the TEMP
directory before running setup."
This is perplexing if you're sure the account under which you're logged
on has full administrative rights to both the TEMP directory and to
Exchange. Your next step should be to check the TEMP environment
variable. If someone's changed the variable, that could be the cause of
the trouble. Change it back and you'll probably be able to install KM
Server without a problem.
"HASHING" OUT SECURITY
Although sending a message is as simple as clicking a button on the
client toolbar, Exchange is busy in the background ensuring, through a
process called hashing, that your message reaches its destination
Hashing is a mathematical function that converts a message to a unique
128-bit number. The same message always hashes out to the same number,
but if you change any part of the message it will hash to a different
Exchange performs the hash function on both the sending and the
receiving ends and compares the values to make sure the message
contents are the same.
But keep in mind, this process requires a great deal of processing
power, so most organizations only set up this level of security for a
few departments, such as legal and human resources.
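The check this tip describes, as an added example that is not part of the original tip and does not reproduce Exchange's own code: the sender computes a 128-bit digest of the message, the receiver recomputes it and compares, and any change to the message (here a constructed one-character edit and a single flipped bit) produces a different value. MD5 is an assumption, chosen only because it yields the 128-bit number the tip mentions; the message text is constructed sample data.

```python
"""Message integrity via a 128-bit digest, computed at both ends and compared.

Added example; not from the tip or from Microsoft. The digest algorithm (MD5,
assumed only because it produces a 128-bit value as the tip states) and the
sample message are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac

DIGEST_BYTES = 16  # 128 bits, as the tip describes


def digest128(message: bytes) -> bytes:
    """Hash the message body down to a fixed 16-byte (128-bit) value."""
    return hashlib.md5(message).digest()


def sender_prepare(message: bytes) -> tuple[bytes, bytes]:
    """Sending end: compute the digest that accompanies the message."""
    return message, digest128(message)


def receiver_verify(message: bytes, received_digest: bytes) -> bool:
    """Receiving end: recompute the digest and compare it to the one received.

    compare_digest is used so the comparison does not leak timing information
    about how many leading bytes matched.
    """
    return hmac.compare_digest(digest128(message), received_digest)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_one_bit(message: bytes, bit_index: int) -> bytes:
    """Constructed corruption: invert a single bit of the message body."""
    data = bytearray(message)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


# Constructed sample message (not real mail).
ORIGINAL = b"Subject: Q3 legal review\r\n\r\nThe settlement amount is 250,000."


def demo() -> dict:
    """Run the sender/receiver exchange on intact and altered messages."""
    msg, sent_digest = sender_prepare(ORIGINAL)

    # Unmodified message: digests agree.
    intact_ok = receiver_verify(msg, sent_digest)

    # One-character edit to the amount: digest no longer matches.
    edited = msg.replace(b"250,000", b"950,000")
    edited_ok = receiver_verify(edited, sent_digest)

    # Single flipped bit: still rejected, and the digest differs in roughly
    # half of its 128 bits rather than in just one position.
    flipped = flip_one_bit(msg, 8 * msg.index(b"250"))
    flipped_ok = receiver_verify(flipped, sent_digest)
    bits_changed = differing_bits(sent_digest, digest128(flipped))

    return {
        "digest_bytes": len(sent_digest),
        "intact_ok": intact_ok,
        "edited_ok": edited_ok,
        "flipped_ok": flipped_ok,
        "bits_changed_by_one_bit_flip": bits_changed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```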
HOW DOES KM SERVER GENERATE A SECURITY TOKEN?
As the Key Management administrator (an Exchange administrator
responsible for the maintenance of security), you can enable security
for a specific mailbox or for a recipient container.
You can enable security for a user in the Security tab of the user's
Mailbox object. This tab was added when you installed the KM Server.
Before you can go into the Security tab, Exchange prompts you for the
KM administrator password. Only give this password to Exchange
administrators who need to configure Exchange security. This allows you
to separate security administrators from other Exchange administrators.
When you click the Enable Advanced Security button, SECADMIN.DLL
retrieves the location of the KM Server from the Exchange directory. It
then passes the directory name of the mailbox and the KM
administrator's password to the KM Service through encrypted remote
procedure calls. Once the KM Service receives a request to enable
advanced security for a mailbox, it creates a sealing key pair that's
written to the Key Management database. The KM Service then generates a
12-character security token and passes it back to the administrator's
console using encrypted RPC. The Exchange administrator program uses
SECADMIN.DLL to decrypt the token.
Once the token is generated, you must give it to whomever is going to
configure security on the Exchange client. To be the most secure,
deliver the token in person.
WARNING EXCHANGE CLIENTS ABOUT MAILBOX SIZE LIMITS
(contributed by Ric Liang, email@example.com)
Many organizations limit the size of clients' mailboxes to avoid
overstuffed mailboxes and the continual disk upgrades that IT
departments must perform as a result. Part of the process of limiting
mailbox size is warning clients when their mailbox size nears the
limit. If you warn clients too infrequently, they might reach or exceed
their storage limit before they receive a warning. Conversely, if you
warn clients too frequently, they might become annoyed and might not
have a chance to clean up their mailboxes before the next warning
message arrives. I recommend warning clients twice daily--once in the
morning and once in the afternoon.
Exchange uses a 1-hour grid as the default view for setting the
times when events occur. When you schedule the warning interval, use
the 15-minute view; otherwise, a client will receive a warning at the
top of the hour, quarter-past, half-past, and quarter-to. To schedule
the warning messages to appear at 9:00 A.M. and 3:00 P.M.:
- Run Exchange Administrator.
- Select Site-name/Configuration/Information Store Site
- Select the Storage Warnings tab.
- Change the Detail View to 15 Minutes.
- Click the columns to select 9:00 A.M. and 3:00 P.M.
APPLYING A SERVICE PACK TO A KM SERVER
When applying a service pack to a KM Server, you could receive this
error message: "The system cannot find the file specified."
If this happens, it could be a result of the KM Server password being
added to the ImagePath registry value in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSEXCHANGEKMS
registry key.
To correct the problem, remove the value. Here's how:
1. Open Regedt32.
2. Highlight the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSEXCHANGEKMS
registry key.
3. Click Edit on the File menu.
4. Select String.
5. Remove the password. The key should only contain the full path to
6. Click OK.
Note: Remember, editing your registry can be risky; always have a
verified backup before you begin.
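The check described above can be scripted so that the trailing text is found (and optionally trimmed) without an administrator eyeballing the value in Regedt32. The following is an added example, not code from the original tip; it assumes a PowerShell session with access to the server's registry (the original tip predates PowerShell) and takes the service key name from the text above. It deliberately never prints the trailing text, since that text is the password the tip describes.

```powershell
# Added example, not part of the original tip: inspect the KM Server service's
# ImagePath value and report (or, with -Fix, strip) anything that follows the
# executable path. The key name comes from the text above; the executable name
# is read from the value itself rather than assumed.
param([switch]$Fix)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSEXCHANGEKMS'
$imagePath = (Get-ItemProperty -Path $keyPath -Name ImagePath -ErrorAction Stop).ImagePath

# The executable may be quoted or bare; either way it ends at ".exe".
if (-not ($imagePath -match '^(?<exe>"[^"]+\.exe"|\S+\.exe)(?<rest>.*)$')) {
    throw "Unexpected ImagePath format: $imagePath"
}
$exe  = $Matches['exe']
$rest = $Matches['rest'].Trim()

if ($rest.Length -eq 0) {
    Write-Host "ImagePath is clean: $exe"
    return
}

# Anything after the executable is a startup argument. A KM Server password
# kept here sits in cleartext, readable by anyone who can read the service
# key, and is what makes the service pack setup fail as described above.
# The trailing text is intentionally not echoed to the console or a log.
Write-Warning "ImagePath carries trailing arguments after the executable."

if ($Fix) {
    Set-ItemProperty -Path $keyPath -Name ImagePath -Value $exe -Type ExpandString
    Write-Host "ImagePath reset to: $exe"
} else {
    Write-Host "Re-run with -Fix to remove the trailing text (export the key first)."
}
```

Export the key (for example with reg.exe export) before running with -Fix, as the tip's note advises. After the value is trimmed the KM Service still needs its startup password each time it starts; supply it through the floppy or the Startup parameters field of the Services applet rather than by putting it back in the key.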
CHANGING THE EXCHANGE SERVICE ACCOUNT PASSWORD
You can change the Exchange Service account's password within the
Service Account Password Properties tab in the Site Configuration
object. After you change the service account's password, the Exchange
Administration application will remind you to change the password
through User Manager For Domains.
If you don't change the password in your domain, you'll have a service
logon failure the next time you stop and start Exchange Services.
COMPACTING THE INFORMATION STORE
Over time, the Information Store tends to become fragmented, and that
can mean longer response times for your users.
Although Exchange 5.5 normally takes care of this itself, there may be
times when you want to manually defragment the Information Store. For
this reason, Microsoft includes the ESEUTIL.EXE utility with Exchange
To run the utility, you must first stop the Information Store service
(for the Private or Public Information Store) or the Directory Service
(for the Exchange directory).
The syntax for ESEUTIL.EXE is:
Eseutil /d [/ds | /ispriv | /ispub] [/l log-path] [/s system-path]
[/b backup-file] [/t temp-file] [/p] [/o]
* /d = sets ESEUTIL to defrag mode.
* /ds = defragments the directory store.
* /ispriv = defragments the Private Information Store.
* /ispub = defragments the Public Information Store.
* /l = specifies the log file.
* /s = specifies the location of the system files.
* /b = creates a backup copy of the store with the specified filename.
* /t = sets the temp database filename.
* /p = leaves the original file uncompacted.
* /o = suppresses the normally displayed logo.
After the file has been defragmented, you must restart the Exchange
Service so users can again access their mailboxes.
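The stop, defragment, restart sequence described above is easy to get wrong by hand (the service left stopped after an ESEUTIL failure is the usual outcome). The following is an added example, not code from the original tip: a PowerShell wrapper around the switches listed above. It assumes ESEUTIL.EXE lives in exchsrvr\bin under the Exchange root, that the Information Store and Directory services are named MSExchangeIS and MSExchangeDS, that the backup and temp paths given are on a drive with room for a second copy of the store, and that /b and /t take their filenames as separate arguments, in the form the syntax line above shows.

```powershell
# Added example, not part of the original tip: offline defragmentation with
# ESEUTIL, wrapped so the relevant service is stopped first and restarted
# afterwards whether or not ESEUTIL succeeds.
# Assumptions: eseutil.exe under $ExchangeRoot\bin, service names MSExchangeIS
# and MSExchangeDS, and enough free space at $BackupCopy and $TempDb.
param(
    [string]$ExchangeRoot = 'C:\exchsrvr',
    [ValidateSet('/ispriv', '/ispub', '/ds')]
    [string]$Store = '/ispriv',
    [string]$BackupCopy = 'D:\defrag\store-before-defrag.edb',
    [string]$TempDb = 'D:\defrag\tempdfrg.edb'
)

$eseutil = Join-Path $ExchangeRoot 'bin\eseutil.exe'
if (-not (Test-Path $eseutil)) { throw "ESEUTIL not found at $eseutil" }

# /ds works on the Directory, which is a different service from the stores.
$service = if ($Store -eq '/ds') { 'MSExchangeDS' } else { 'MSExchangeIS' }

New-Item -ItemType Directory -Force -Path (Split-Path $BackupCopy) | Out-Null
New-Item -ItemType Directory -Force -Path (Split-Path $TempDb) | Out-Null

Stop-Service -Name $service -Force
try {
    # /d defrag mode; /b keeps an untouched copy of the original store;
    # /t builds the compacted copy on a separate drive; /o drops the banner.
    $eseArgs = @('/d', $Store, '/b', $BackupCopy, '/t', $TempDb, '/o')
    $proc = Start-Process -FilePath $eseutil -ArgumentList $eseArgs `
        -Wait -NoNewWindow -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning "ESEUTIL exited with code $($proc.ExitCode); do not assume the store was compacted."
    }
} finally {
    # Users cannot log on until the service is back, so restart it regardless.
    Start-Service -Name $service
}
```

Stop-Service -Force also stops every service that depends on the one being stopped, and Start-Service does not bring those back, so check the other Exchange services (the IMS in particular) after the run. The backup copy made by /b is the only untouched store if the compacted file turns out to be unusable, so keep it until the store has been started and checked.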
ENABLING MESSAGE TRACKING
Messages sent to and from an Exchange server can be tracked to help
resolve mail delivery problems. Message tracking can be enabled on the
MTA, the Information Store, the MS Mail Connector, or the IMS. When
message tracking is enabled, each component that handles mail records
its activities in a log file.
Keep in mind that the default is to have message tracking off, so you
must enable it before you can use it.
To enable message tracking on the Information Store or MTA:
1. Open Exchange Administrator.
2. Highlight the IS site or the MTA site configuration object on which
you want to track messages.
3. Go to File | Properties | General.
4. Select Enable Message Tracking and click OK.
To enable message tracking on the MS Mail Connector:
1. Open Exchange Administrator.
2. Highlight the MS Mail connector object on which you want to track
3. Select File | Properties | Interchange.
4. Select Enable Message Tracking and click OK.
To enable message tracking on the IMS:
1. Open Exchange Administrator.
2. Highlight the IMS on which you want to track messages.
3. Go to File | Properties | Internet Mail.
4. Select Enable Message Tracking and click OK.
After enabling message tracking, all components must be restarted on
each server in the site before it will take effect.
MONITORING YOUR TRAFFIC
Most Exchange administrators are curious about how much traffic their
servers actually handle. Luckily there's a fairly easy way to find out.
Performance Monitor includes several counters that you can use to
measure your total or average message throughput.
Within the Private Information store, you can check out Messages
Submitted or Messages Submitted/Min to monitor total traffic.
Want to monitor your Internet Mail Service traffic? Depending on
whether you prefer to see it measured in bytes, messages, or
connections, you can find a counter to suit your needs in the
MSExchangeIMC object (e.g., Outbound Messages/Hr and Inbound
You can also monitor the number of concurrent clients you're supporting
at any given time by checking the MSExchangeIS Private object's Client
Logons object, which tells you how many clients (including system
processes) are currently logged on. The Peak Client Logons object will
tell you the maximum number of concurrent logons you've had since the
service was started.
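Performance Monitor shows these counters live, but for a traffic baseline you usually want them sampled over a day and summarised. The following is an added example, not code from the original tip, and assumes a PowerShell session on the server; the counter paths are built from the object and counter names given above and are an assumption about how they appear to Get-Counter.

```powershell
# Added example, not part of the original tip: sample the counters named above
# at a fixed interval, keep the peak of each, and append every sample to a CSV
# for a later look. Counter paths are assumed from the object/counter names in
# the text.
param(
    [int]$Samples = 12,
    [int]$IntervalSeconds = 300,
    [string]$CsvPath = "$env:TEMP\exchange-traffic.csv"
)

$paths = @(
    '\MSExchangeIS Private\Messages Submitted/Min',
    '\MSExchangeIS Private\Client Logons',
    '\MSExchangeIS Private\Peak Client Logons',
    '\MSExchangeIMC\Outbound Messages/Hr'
)

$peak = @{}
Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples |
    ForEach-Object {
        $stamp = $_.Timestamp
        foreach ($s in $_.CounterSamples) {
            # Remember the highest value seen per counter path.
            if (-not $peak.ContainsKey($s.Path) -or $s.CookedValue -gt $peak[$s.Path]) {
                $peak[$s.Path] = $s.CookedValue
            }
            [pscustomobject]@{
                Timestamp = $stamp
                Counter   = $s.Path
                Value     = $s.CookedValue
            } | Export-Csv -Path $CsvPath -Append -NoTypeInformation
        }
    }

# Print the peaks as a small table when sampling finishes.
$peak.GetEnumerator() | Sort-Object Name |
    Select-Object @{n = 'Counter'; e = { $_.Key } }, @{n = 'Peak'; e = { $_.Value } } |
    Format-Table -AutoSize
```

Twelve samples five minutes apart cover an hour; raise -Samples to cover a working day. Client Logons includes system processes, as the text notes, so subtract the idle baseline (the value with no users connected) to get the real concurrent-user count.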
RECOVER THE .OST
If you have a server crash or otherwise lose a mailbox and need to
recover data from an .ost file, STOP! Before you do anything else,
start the Outlook client in Offline mode as if nothing ever happened to
your Exchange server. When it comes up, go to File | Import And Export
and export all the folders and items to a .pst file. Only when you're
satisfied that all the items have been successfully exported can you
create the new server/mailbox and adjust the Outlook profile to connect
to it. Once you can connect to the new mailbox, go to File | Import And
Export and import the data from that .pst file you created into the new
It's VERY important that you start the Outlook client in offline mode
to access that .ost file before you do anything else. If you connect to
the new mailbox with that Outlook client, it will lock you out of the
.ost file, and there's no known way to recover it at that point.
SEPARATE YOUR EXCHANGE LOG FILES AND DATABASES
When setting up an Exchange server, you should put your log files on a
separate spindle from the database. This is because of the way Exchange
accesses a disk when writing to logs and databases. When the system
writes a piece of data to a log, it's appended to the file
sequentially. When the system then applies this change to the database,
the disk is accessed randomly.
To maximize your system's performance, you want the head to move as
little as possible. If you put all the logs and the databases on one
drive, the head will continually jump all over the place, and your
performance will suffer significantly.
If Exchange wasn't installed this way on your server, you can use the
Exchange Optimizer, which offers you the option of moving the database
files to a different disk drive if one's available.
SETTING EXCHANGE SO USERS CAN RECOVER DELETED ITEMS
Have your users ever asked you to recover e-mail that they accidentally
deleted? In versions of Exchange prior to 5.5, the Exchange
administrator had to restore the Private or Public Information Store.
With Exchange 5.5, you can configure your server to retain these
deleted items for a set period of time. During this period, which is
configurable by the Exchange administrator, a user can retrieve the
deleted mail simply by highlighting the Deleted Items folder and
selecting Tools | Recover Deleted Items (Outlook 98 or later).
USING THE INFORMATION STORE INTEGRITY CHECKER
The Exchange Server Information Store Integrity Checker, ISINTEG.EXE
(located in the \exchsrvr\bin directory), finds and eliminates common
Information Store database errors. You should use this utility if you
can't start the IS service, if users can't access their mailboxes, or
if you have to recover the IS database with something other than NT's
native backup utility.
You can run the utility in one of three modes--Check mode, Check And
Fix mode, and Patch mode.
Check mode searches the IS database for table errors, incorrect
reference counts, and any objects that are not referenced. ISINTEG
displays the results and also writes them to a log file.
Check And Fix mode checks for the same things as Check mode, but under
this mode, ISINTEG also attempts to fix any errors it finds.
Patch mode is used when the Information Store will not start after
being restored from an offline backup.
The syntax for using ISINTEG in Check or Check And Fix mode is:
ISINTEG -pri | -pub [-fix] [-verbose] [-l logfile] [-test]
-pri = works on the private information store.
-pub = works on the public information store.
-fix = tells the utility to fix the errors it finds.
-verbose = provides detailed feedback.
-l = sets the log file name.
-test = performs a specific ISINTEG test.
The syntax for running ISINTEG in Patch mode is:
ISINTEG -patch
No matter what mode you run the utility in, the Information Store must
be stopped first and afterwards restarted.
HOW THE INTERNET MAIL SERVICE RESOLVES NAMES
The Internet Mail Service will first try to resolve a name by looking
to the HOSTS file on the NT server where it's running. If the name map
isn't present, the IMS will hand off the resolution to the NT server,
which can use DNS, WINS, or LMHOSTS.
Because Exchange goes to the HOSTS file first, it's possible for you to
manually PING a host by name even when the IMS can't resolve the name.
This discrepancy could arise from a typo or bad entry in the HOSTS
file. The reason PING works is because NT knows to resolve the value
A SHORT COURSE ON MTACHECK
The utility MTACHECK.EXE is in the \exchsrvr\bin directory. This
utility checks the consistency and integrity of Exchange's MTA queues.
Over time, messages in transit may become corrupt. When the MTA service
will not start, crashes, or shuts itself down after a system crash, you
need to manually run the MTACHECK utility.
To run MTACHECK, pass it the complete path and filename of the desired
log file.
When MTACHECK is run, it examines each queue in the database. When an
error is found, the item is removed from the queue and placed in the
\MTADATA\MTACHECK.OUT file for further diagnosis.
PROBLEMS WITH CIRCULAR LOGGING
If you run the default Exchange installation, your Information Store
and Directory Synchronization transaction will be set for circular
logging. This means there is only one log file, EDB.LOG, in the
The problem with circular logging is that it is unlikely that all of
the information that has changed and not been written to the database
since your last backup is in the log file. If transactions are
happening quickly, the system will not have time to write the
transactions before they are overwritten.
Keep in mind that circular logging is controlled on the server's
Advanced property page and is configurable server by server. Therefore,
turning it off on one server will not turn it off on other servers.
HOW TO RECOVER FROM RUNNING OUT OF DISK SPACE
If you start the Information Store service and get the error message,
"The MS Exchange Information Store returned the specific error
4294966796," it means you have a problem writing the transaction logs to
your server, probably due to a lack of space. When you run out of space,
the system first uses the reserve logs and enters a notification in the
event log. If you don't correct the problem, the Information Store shuts
itself down, and when you try to restart it, you get the above error.
Although you could go in and delete all of the old log files out of the
\exchsrvr\ directory, we suggest that you initiate a full backup and
allow Exchange to delete the logs for you. This way, you'll also have a
backup of the logs in case you need to replay them to restore your
database.
THE DOWN SIDE TO DIAGNOSTIC LOGGING AND THE INTERNET MAIL SERVICE
The Diagnostic Logging Properties page of the Internet Mail Service lets
you set the logging level in any of several categories.
One of the categories you can choose to turn on from here is the SMTP
Protocol Log. Enabling logging in this category causes Exchange to write
information to a log file in the \exchsrvr\imsdata\log directory. Basic
transaction information and the text of the message are stored in the
log file. So, anyone who can read your log file can also read e-mail
traveling across the IMS unless the e-mail has been sealed.
Message Archival is another category that captures the text of your
messages traveling across the IMS. When set to Medium or Maximum,
Exchange saves the text in separate files under the
\exchsrvr\imsdata\in\archive or \exchsrvr\imsdata\out directories.
Therefore, you should turn these options on only for troubleshooting
purposes, and secure the directories where the logs are stored by
granting NTFS read rights to Domain Administrators only.
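Restricting those directories by hand in Explorer is error-prone, and the one mistake that matters is locking out the account the IMS itself runs as, which silently stops the logging you turned on. The following is an added example, not code from the original tip. It assumes a PowerShell session on the server, the three directory paths given above under an assumed Exchange root, and assumed names for the Domain Admins group and the Exchange service account; adjust all three to your environment.

```powershell
# Added example, not part of the original tip: replace the inherited NTFS
# permissions on the IMS log and archive directories named above with an
# explicit list: Domain Admins read, the Exchange service account modify
# (it must still create and delete the log files), SYSTEM full control.
# Domain, group, service account and Exchange root are assumed values.
param(
    [string]$ExchangeRoot   = 'C:\exchsrvr',
    [string]$DomainAdmins   = 'CORP\Domain Admins',
    [string]$ServiceAccount = 'CORP\exchsvc'
)

$dirs = @('imsdata\log', 'imsdata\in\archive', 'imsdata\out') |
    ForEach-Object { Join-Path $ExchangeRoot $_ }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $none, $allow)
}

foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) { Write-Warning "Skipping missing directory $dir"; continue }
    $acl = Get-Acl -Path $dir
    # Stop inheriting the parent's (usually far wider) permissions and do not
    # copy the inherited entries down; then clear any explicit leftovers.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    $acl.AddAccessRule((New-Rule $DomainAdmins 'ReadAndExecute'))
    $acl.AddAccessRule((New-Rule $ServiceAccount 'Modify'))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    Set-Acl -Path $dir -AclObject $acl
    Write-Host "Restricted $dir"
}
```

Run it once with logging already enabled and then confirm new log files still appear; if they stop, the service account name is wrong. The same reasoning applies to any copy of these files that a backup job writes elsewhere: the message text travels with them.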
AUTOMATE MONITORING OF EXCHANGE EVENTS
There are two excellent tools you can use to monitor Exchange events
that are generated in the event logs of Exchange servers.
The first, Evtscan.exe, lets you monitor servers for specific events,
and when an event is detected, the tool will (depending on how you
configure it) send an e-mail, send a message to specific users or
computers, or restart or stop a service.
The other utility, Elf.exe, lets you specify the servers and events that
you want to monitor. The utility then writes the results to a text file.
Both of these tools are available in the Exchange Resource Kit.
DISTRIBUTING ADMINISTRATIVE RIGHTS
Before others can manage your Exchange environment, you must grant them
access to the site and configuration containers. The easiest way to do
this is to assign rights to a Windows NT global group and put the
desired users into that group.
Users and groups with permissions to the site container can then manage
recipient objects and create new mailboxes. Users and groups with
permissions to the configuration container can administer Exchange
Server's core components and connectors.
To add permissions:
1. Create an Exchange Administrators global group and assign users to
the group.
2. In Exchange Administrator, select the object whose permissions you
want to change.
3. Go to File | Properties.
4. Click on the Permissions tab.
5. Click Add.
OPTIMIZING EXCHANGE'S PERFORMANCE
Performance Optimizer is a critical component in ensuring peak
performance from Exchange Server. You should run Performance Optimizer
immediately after installing Exchange as well as whenever you change
resources or move Exchange Server directory components to another disk.
Performance Optimizer does the following:
- Analyzes your hard disk configuration to determine which device has
the fastest access times. It reserves the disk that has the fastest
access time for Exchange's transaction logs.
- Analyzes your hard disk configuration to determine which device has
the fastest random access time. This drive becomes the location of your
Public Information Store.
- Analyzes physical memory against the number of users and the way the
server will be used. It uses this information to determine the optimal
size of the directory and information store caches.
To run Performance Optimizer, go to Start | Programs | Exchange |
Performance Optimizer.
REHOMING PUBLIC FOLDERS
Sometimes you may need to move a public folder from one server to
another. For example, if a server in your site is going to be taken
offline for an extended period of time, you may want to move its public
folders to another server in your site.
This process is known as rehoming public folders. Microsoft has
provided a utility, PFAdmin, in the BackOffice Resource Kit for Exchange
to allow easy rehoming.
To rehome a public folder without the BackOffice Resource Kit, follow
these steps:
1. Create a personal folder in Outlook.
2. Choose the public folder you want to move and copy the entire
contents to the personal folder.
3. Delete the public folder.
4. Allow replication to take place so the deletion is replicated to all
other sites within your organization.
5. Log on to a mailbox on the server where you want to home the public
folder.
6. Create a new public folder that will become your rehomed public
folder.
7. Copy the folder contents from your .pst file to the new folder and
assign the appropriate permissions.
SETTING AGE LIMITS FOR PUBLIC FOLDER CONTENTS
You can set age limits for the contents of folders in the Public
Information Store by using the Public Information Store Properties page.
To set age limits on all folders in your Public Information Store,
follow these steps:
1. Double-click the Site Configuration container for the site you're
modifying.
2. Double-click the server whose Public Folder Settings you're
modifying.
3. Select the Public Information Store object.
4. Choose File | Properties.
5. Select the Age Limits tab.
6. Check the Age Limit For All Folders On This Information Store (Days)
checkbox and enter the number of days you want to keep items.
Exchange Server will then delete all messages in your public folders
that are older than the age limit you entered.
THE EXCHANGE SITE SERVICE ACCOUNT
During the setup of your Exchange server, you'll be prompted to
designate the Site Service account. You should enter the account name
in the form domain\account.
It's not a good idea to use the Administrator account as the Service
account. Instead, you should always create a dedicated Service account
for Exchange to communicate across servers. If you try to use the
Administrator account as the Service account, you could grant rights
during setup that would conflict with the rights already assigned to
the Administrator account.
THE QUIRKY X.400 CONNECTOR
The X.400 connector provides greater control and flexibility than a
site connector does, because it's not dependent on RPC and doesn't
require a permanent LAN/WAN connection. The X.400 connector is a good
way to connect Exchange sites across slow network links.
However, one quirk of the X.400 connector that could cause you some
grief is that it's case-sensitive. When setting up the connector, type
the name of the MTA in all uppercase letters on the General and Stack
Properties pages. If you don't, messages may still get through if you
have enough of the address correct to specify a unique recipient;
however, delivery will be unreliable at best.
ADMINISTER EXCHANGE FROM YOUR WORKSTATION
If you sit more than 10 feet from your Exchange server, it can be
awfully inconvenient to have to get up to go administer it elsewhere.
Fortunately you have some options for remote administration.
If you're running NT Workstation on your machine you have the best
option--just install Exchange Administrator right on your desktop and
you can administer any Exchange server on your network from there. To
install it on your workstation, start the Exchange setup program, do a
custom install, and tell it to just install the Administrator program
on your workstation. When you start the Administrator program you'll
just have to tell it which server you want to administer (you can
specify a default) and it will connect to that server.
If you run Windows 9x your options are a little more limited. Basically
you'll need to use a remote control program like PC Anywhere. One good
option is a freeware remote control tool called Virtual Network
Computing (VNC) from AT&T Labs.
ALTERING THE TIME WHEN DIRECTORY CHANGES ARE READ
If you make changes to your Exchange 5.5 directory, you may be
perplexed to discover that the changes aren't always immediately
reflected in the Information Store. This is because the Information
Store caches the directory store and only rereads it about every 2
hours. So, any changes you make might not take effect for up to two
hours. If you'd like to expedite the process, you can do so by going to
Services\MSExchangeIS\ParametersSystem registry key and adding this new
Name: Mailbox Cache Age Limit
Value: a number (in minutes, representing how often you want it to
update) of type Hex.
You can set the number to anything you want; many admins have set it to
check as often as every 5 minutes with no ill effects.
After you make this change you'll need to stop and restart your
Information Store service and you'll want to update your emergency
repair disks to reflect the change.
Note: Remember, editing your registry can be risky; always have a
verified backup before you begin.
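The three steps above (back up, set the value, restart the Information Store) fit in one script, so the backup cannot be skipped. The following is an added example, not code from the original tip. It assumes a PowerShell session on the server, that the key named above lives under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet (the same prefix the KM Server key on this page uses), and that the Information Store service is named MSExchangeIS, matching the key name.

```powershell
# Added example, not part of the original tip: export the key for rollback,
# set Mailbox Cache Age Limit to the requested number of minutes, then restart
# the Information Store so the new interval takes effect.
# The HKLM\SYSTEM\CurrentControlSet prefix and the MSExchangeIS service name
# are assumptions drawn from the key path in the text.
param(
    [ValidateRange(1, 120)][int]$Minutes = 15,
    [string]$BackupFile = "$env:TEMP\MSExchangeIS-ParametersSystem.reg"
)

$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$psKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$name   = 'Mailbox Cache Age Limit'

# reg.exe export produces a file that re-imports cleanly if the change has to
# be undone; refuse to continue if the export itself fails.
& reg.exe export $regKey $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not export $regKey; nothing was changed" }

$before = (Get-ItemProperty -Path $psKey -Name $name -ErrorAction SilentlyContinue).$name
$beforeText = if ($null -eq $before) { 'unset (default, about 2 hours)' } else { "$before" }

# The value holds minutes as a DWORD; Regedt32 edits a DWORD as a hexadecimal
# number, which is what the tip means by "type Hex".
Set-ItemProperty -Path $psKey -Name $name -Value $Minutes -Type DWord

Write-Host ("{0}: {1} -> {2} minutes (backup at {3})" -f $name, $beforeText, $Minutes, $BackupFile)

# The store only reads the value at startup.
Restart-Service -Name MSExchangeIS -Force
```

Restart-Service -Force also stops the services that depend on the Information Store, so check that they are running again afterwards. The backup .reg file restores the previous value with reg.exe import if the shorter interval turns out to add noticeable load.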
RERUN PERFORMANCE OPTIMIZER AFTER AN UPGRADE
Any time you make a change to the hardware in your Exchange server you
should rerun the Performance Optimizer (you'll find it on the Start
menu with the rest of the Exchange Admin programs). It can evaluate
your new hardware and service expectations and make modifications to
your server configuration to take best advantage of your new hardware.
Starting the Performance Optimizer in Verbose Mode (with a -v switch)
gives you considerably more (six screens worth) of choices that you can
make in optimizing your Exchange server.
Added bonus: You can use the Performance Optimizer to change the
drives/directories where key files (such as Transaction Log files) are
kept. This can be helpful if you've added new drives that you want to
dedicate to the log files. Just start the Performance Optimizer, answer
the questions on the first screen, then after it does a little
evaluating of your system you'll be presented with the list of key
files and paths to them. You can accept the suggested paths, or change
them to paths that you select.
USING OFFLINE FOLDERS
That road warrior with the notebook probably won't be able to easily or
cheaply access your Exchange server from seat 11B (at least not yet),
but with offline folders, data can be accessed whenever the laptop is
booted. To enable offline folders go to (on the Outlook client) Tools |
Services | Microsoft Exchange Server Service and click the Advanced
tab. At the bottom of the dialog box you'll see the options for
enabling offline folder use.
Once the folder has been enabled and created, you can go into the
properties for any mailbox folder and customize the offline-folder
settings. Next time the user logs on, Outlook will synchronize the
offline folder with the Exchange server. Later, when disconnected, the
user can work offline and access all of the items that were in the
mailbox when it was last synchronized.
Special Tip #1: If the user is going to synchronize over a slow line
make use of the Filter button in the sync options to restrict the items
that will come across the line. Of particular interest: Deleted Items
and items that have large attachments.
Special Tip #2: Want to sync public folders for offline use? Copy the
folder from the All Public Folders container to the Favorites
container. Then go into the properties of the Favorites copy and set
the Sync options.
CREATE AN ORGANIZATIONAL FORMS LIBRARY
If you're creating forms with Outlook that you want to share with the
rest of your Exchange users, just publish them to an Organizational
Forms library. "But I don't seem to have one!" you say? No worries; just
create one.
To do so, go to Exchange Administrator, select the server you're working
with, then click Tools | Forms Administrator. From there you can add one
or more new Organizational Forms Libraries to publish forms to. When you
create the Forms Library you're asked to specify a language; when a
foreign language client connects to the Exchange server it will look for
a library in its own language. If you support clients in multiple
languages, pay particular attention to the language you choose. Although
you can change the name of the library after it's created, you can't
change the language.
Before you close the program, be sure to add yourself as owner to the
Organizational Forms Library or you won't be able to publish to it.
SHARE A MAILING LIST WITH A PUBLIC FOLDER
The increasing number of industry-specific electronic newsletters have
spotlighted an excellent use for Public Folders--as mailboxes for these
newsletters. If you have several users who would all like to receive an
e-mail newsletter, simply create a public folder for them, give it an
SMTP address that's easy for you to work with, then subscribe to that
e-mail newsletter with the e-mail address of the public folder. This has
the added benefit that the users can read the newsletter from the public
folder and even post messages to each other discussing it there.
Doing this alleviates the need for several users to all subscribe to and
manage the flow of newsletters. And there's the added benefit that you
can keep old copies of the newsletter for as long as you like--no more
calls from the VP of Marketing asking if you can somehow retrieve that
five-week-old newsletter message that he accidentally deleted from his
mailbox.
Security gotchas: Make sure that the users all have appropriate access
to the public folder and grant the Anonymous user at least Contributor
status so that the newsletters can be received in the folder.
USING CUSTOM ATTRIBUTES
If you're making extensive use of your Exchange directory, you may find
a need to add information that doesn't already have a field. Microsoft
has accounted for this possibility by including 10 Custom Attribute
fields (on the Custom Attributes tab of the Mailbox Properties sheet),
which you can populate with any data you like.
Can't remember which Custom Attribute field was for mother's maiden name
and which one was for birth date? Well, you're in luck--you can rename
those fields by going to Exchange Administrator, finding the server's
Configuration container, selecting the DS Site Configuration object and
clicking File | Properties. On the Custom Attributes tab you can assign
new names to each of those 10 fields.
Changes you make to the DS site configuration tab are reflected
throughout the Exchange site, so you can use the same set of Custom
Attribute fields on multiple servers as long as they're in the same
Exchange site.
VIEW/MONITOR MAILBOX CONTENTS ON THE SERVER
How do I view the contents of mailboxes on the Exchange Server? I would
like to be able to view the contents of a user's mailbox on the server.
Right now we are adding the administrator as a member of the mailbox and
then opening the mailbox using the Outlook client. Is there a way to do
this on the server?
If you log on to the server with the service account you are using to
start the Exchange services, you will be able to open any mailbox from
your Exchange client.
If you're like me, you often find that it's quicker and easier to
use a keyboard shortcut than to navigate the various menus. Here are
some shortcuts (some documented some not) that I've discovered and use
within Outlook. (My current configuration is Outlook 2000, with Word 97
as my default editor.)
Ctrl-N New message
Ctrl-D Delete item
Ctrl-K Insert hyperlink
Ctrl-S Send item
Alt-K Check names
Shift-F7 Access thesaurus
Alt-F1 Advance to next hyperlink
Alt-F4 Close active window screen
Alt-F7 Advanced spelling shortcut
Alt-F8 Run macros
Shift-F3 Change the case of highlighted text
Alt-Enter Message properties
Shift-F12 Save message, without closing screen
Shift-F4 Find and replace
Shift-F1 Office Assistant
F5 Go to page number (Find and Replace popup)
F7 Spell checker (Spelling and Grammar popup)
Del Delete item
Ctrl-Left-arrow Jump to start of previous word
Ctrl-Right-arrow Jump to start of next word
Ctrl-Home Top of document
Ctrl-End End of document
PgUp Page up one relative-size screen
PgDn Page down one relative-size screen
Ctrl-PgDn Page down one full screen
Ctrl-PgUp Page up one full screen
CONFIGURING THE IMAP4 PROTOCOL
The newest protocol in the Exchange arsenal is IMAP4. This protocol is
much more robust than POP3. Although IMAP4 allows the same access to a
user's inbox as POP3 does, it also allows access to the entire mailbox
and public folders from an IMAP4 client.
To configure the IMAP4 protocol:
1. Double-click the Site Configuration object (in Exchange
Administrator) that contains the server you want to modify.
2. Double-click the Server object to open the container.
3. Double-click the Protocols container.
4. Highlight IMAP4 (Mail) Settings and choose File | Properties to open
the IMAP4 Protocol Properties page.
Exchange 5.5 gives you flexibility as to which events it writes to the
Application Log. Exchange writes to the log in groups known as
categories. You can determine which categories you want to log and
select them from the Diagnostic Logging Properties page for the MTA,
Directory, Information Store, IMS, Microsoft Mail Connector, Microsoft
Schedule Free/Busy Connector, or the Microsoft Exchange Connector for
You can set the logging level to None, Minimum, Medium, or Maximum. Be
careful when you choose Maximum because your disk space can be taken up
very quickly. You should only use the maximum logging level when you
suspect that a specific category is causing you a problem.
DISTRIBUTION LIST EXPANSION SERVER
When a user sends an e-mail message to a distribution list, Exchange
has to expand the list and resolve all of the names in it. This can
place a high load on a busy Exchange server.
Exchange allows you to specify a server in your site to handle the
expansion of the distribution lists.
To change a distribution list expansion server:
1. Double-click the site configuration container for the site you are
2. Double-click the Recipient object.
3. Select the Distribution List that you want to modify.
4. Choose File | Properties to open the Distribution List's Properties
5. Go to the General tab.
6. From the Expansion Server drop-down list select the server in your
site that you want to perform the expansion.
ENABLING DELETED ITEM RECOVERY
If your users are typical, they occasionally call to ask if you could
possibly undelete something they accidentally got rid of. Naturally the
user emptied the Deleted Items folder before realizing the item was
needed (and we won't even go into the users who don't empty their
Deleted Items folders at all out of the fear of losing something
valuable). Traditionally your only solution may have been to try to
restore from backup and hopefully you could restore their individual
Exchange 5.5, however, introduces a feature called Deleted Item
Recovery that lets you retrieve purged items. To enable it, start the
Exchange Administrator program, find the Properties sheet for the
Private Information store and go to the General tab. There you can
select the number of days you want messages saved after they're deleted
or specify that nothing should be permanently deleted until after a
backup is done.
On the client side, you'll need to make sure that the Deleted Item
Recovery add-in is installed and active and then go to the Deleted
Items folder and select Recover Deleted Items from the Tools menu.
HOW MUCH WHITE SPACE IS IN MY DATABASE?
With all of the deleting, moving, and adding of data in your
Information Store, you might suspect that there's a fair amount of
white space in there--storage space that was formerly used for data but
is now empty. Well, you'd be right, but how do you tell how much white
space is really there? If you have Exchange configured for nightly
online defragmentation (as most admins do), then you can just check
your Event Viewer - Application Log for an Event 1221. The text of that
event will give you an estimate of how much free space is currently in
The only way to get rid of this white space, and shrink the size of
your Information Store, is to run an offline defragmentation, but as a
general rule you should refrain from doing this unless the amount of
reported white space is considerable and you really need to recover the
LIMITING USERS' CREATION OF PUBLIC FOLDERS
Don't want your users creating a raft of public folders on their own?
You can limit their ability to do so. Here's how:
1. Go to the Configuration object under the Site container.
2. Select the Information Store Site Configuration object.
3. Click File | Properties.
4. On the Top Level Folder Creation tab you can specify those users who
may create top-level folders and those who may not.
If you envision a considerable hierarchy of public folders, it would be
advisable to restrict top-level folder creation to yourself and maybe a
couple of trusted assistants. Then you can create top-level folders
that will just be containers for subfolders (e.g., "Sales,"
"Production," "Human Resources," etc.) and then designate within each
of those folders which users have permission to create subfolders for
those top-level folders. To do so, right-click the top-level folder (in
Outlook) and assign the Create Subfolder permission to a user or group.|
|OUTLOOK WEB ACCESS|
||HTTP support is added during the installation of Exchange Server 5.5 if
the Web component of Internet Information Server is installed. With the
Outlook Web Access component, a user can access an Exchange mailbox
from a supported Web browser.
You can configure the properties for Outlook Web Access from the site
configuration object by following these steps:
1. Double-click the site configuration object (in Exchange
Administrator) that contains the server you want to modify.
2. Double-click the Server object to open the container.
3. Double-click the Protocols container.
4. Highlight HTTP (Web) Settings and choose File | Properties. The HTTP
(Web) Properties page has four tabs. The only settings that you have to
configure are on the General tab, where you'll check the Enable
Protocol check box, and on the Permissions tab, where you'll define
those users and groups that have administrative rights over this object.
Keep in mind that the Permissions tab controls who may administer the HTTP settings, not who may use OWA; whether an individual mailbox can be opened over HTTP is set on that mailbox's own Protocols tab.|
|QUICKLY SEE VALUES OF AN ITEM|
||There will be times when you'll want to know the message class of an
item you've received or who created an appointment on a group calendar.
A quick trick for finding this information lies in the Field Chooser
tool and the Table view.
To see the message class of a received item, just right-click one of
the column headers (Subject, for example) and select Field Chooser.
Change the fields list from Frequently Used Fields to All Mail Fields
and then drag the Message Class field onto the view. Now you can see
the message class of each received item. When you're done with it, just
drag that column header off the view again.
To see the creator of a calendar item on a group calendar, switch your
view from Day/Week/Month to a table view such as Active Appointments.
Now right-click a column header, open the Field Chooser, and add the
Organizer field to the view.
You can use this trick in practically any folder to see the values of
almost any field for each item.|
|REVERTING TO AN ORIGINAL MAILBOX NAME|
||Most admins have had a user who somehow managed to rename one of the
root folders in his or her mailbox. The first question to ask is: Where
was it renamed?
If the user just renamed the Outlook shortcut, that can be fixed simply
by right-clicking the shortcut and choosing Rename Shortcut.
If, on the other hand, the user actually managed to rename one of the
mailbox's root folders, the easiest way to revert to the original name
is to start the Exchange client (Exchng32.exe) on the user's
workstation and log in to his or her mailbox. Once you're in, go to View
| Folder, right-click the folder to be renamed, and select Rename. You
should then be able to change the folder name back to what it was.
On the subject of renaming: Did you know that you can rename any column
in an Outlook view by right-clicking the column header, selecting
Format Columns, and changing the Label field to whatever you'd like?|
|FIND OUT WHICH SERVICE PACKS YOUR EXCHANGE SERVER IS RUNNING|
||To quickly determine which build and service pack you're running on an
Exchange server, start the Exchange Administrator program and click the
Servers object in your organization. On the table to the right you will
find a column that lists the version, build, and service pack level of
each of your servers.
Finding your NT service pack level is a little harder, but not much. Go
to Start | Programs | Administrative Tools | Windows NT Diagnostics.
The General tab shows you the version, build, and service pack level
for NT. The system tab will give you information about your HAL and
Finding the build and mode of your Outlook client is as easy as
clicking Help | About Microsoft Outlook from within Outlook. That will
tell you the version, build, and the mode (Corporate/Workgroup,
Internet Mail Only or No E-mail) that the software is running in.
Clicking the System Info button on that screen will give you
information about the workstation's operating system version and build.|
|TESTING CONNECTIVITY THE PAINLESS WAY|
||Wondering if your Internet mail is flowing smoothly? You could send a message to a friend, but maybe that friend is away from her desk and won't get the mail (or respond to it) until Monday. You could send a message to a mailing list you subscribe to, but unless that list is specifically for testing mail connections, chances are good you'll get flamed by other participants for cluttering their inboxes with test messages.So how do you test your connectivity quickly and painlessly? Here are a couple of common tricks:
- Many ISPs have an autoresponder set up for testing. You send a message to it and it automatically pops back a response verifying that your message was received. Check with your local ISP to see if it has one you can use.
- If the ISP doesn't have one, there are a number of commercial autoresponders out there--they're basically systems that will autoreply with an advertisement if you send a message to the address. The ads may not excite you, but you only wanted to verify your ability to send and receive mail, right? A current list can be found here: http://www.myreply.com/classifieds.html
- Get yourself an Internet e-mail account so you can periodically send a test message to yourself. You can complete your test by replying to that message, sending it back to your Exchange server.
Any of these tricks is a fast, free way to check whether your mail is flowing properly without irritating anybody in the process. When a reply does come back, its Received: headers show the path the message took in each direction, which is the first place to look if the round trip is slow or fails.|
|THE INFORMATION STORE MAINTENANCE JOB|
||By default, the Exchange Server 5.5 Information Store maintenance job
runs every 15 minutes to clean up deleted item retention, delete
expired folder contents, synchronize the server's Public Information
Store, and remove expired Public Folder contents.
If these Information Store maintenance jobs are causing too much
processing overhead during the day when your users are connected to
their mailboxes, you can change the schedule. Here's how:
1. Highlight the server whose maintenance job you are modifying.
2. Go to File | Properties.
3. Click the IS Maintenance tab.
4. Choose Selected Times to have Exchange run the maintenance job at
the times you specify in the schedule grid.|
|THE KNOWLEDGE CONSISTENCY CHECKER|
||The Knowledge Consistency Checker (KCC) runs on every server and corrects directory information. The knowledge it checks is the configuration information for directory replication, and it runs in one of two modes: intrasite or intersite.
In intrasite mode, the KCC reads the knowledge directly from the Directory System Agent (DSA) and compares it with the knowledge held by the other servers in the site. If another server has information that the local server knows nothing about, the KCC updates the knowledge on the local machine by making replication configuration calls.
In intersite mode, Exchange doesn't assume network connectivity between sites, so the KCC has no direct access to the remote DSA it needs to reconcile against. To work around this, the KCC in each site shadows a portion of the knowledge its DSA holds into an object in its own directory; that object is then replicated to every other site, and the KCCs there consult it as if they were dealing with the DSA directly.|
|LOOKING AT THE QUEUE PROPERTIES SHEET|
||Each connector within Exchange Server contains a Queue Properties sheet
that lists messages that are awaiting some type of action. This can
provide useful information about the status of outgoing messages. It's
a good idea to view this information prior to performing any
significant server maintenance tasks, for example.
To view the Queue Properties page:
1. Double-click on the Site Configuration object that contains the site
2. Double-click the Server object.
3. Select the server whose MTA queue you want to view.
4. Select the MTA object.
5. Go to File | Properties.
6. Click the Queues tab.
7. Select the queue you want to view from the Queue Name drop-down
|MANUALLY RESETTING THE EXCHANGE ROUTING TABLE|
||The Exchange routing table is rebuilt once each day or after a change.
If you want changes to take place immediately, you can rebuild the
table manually. Here's how:
1. Double-click the Site Configuration container for the site you want
2. Double-click the server whose routing table you're rebuilding.
3. Select the Message Transfer Agent object to open the Message
Transfer Agent Properties page.
4. Select the General tab.
5. Click Recalculate Routing.|
|THE INTERNET LOCATOR SERVICE|
||To allow individual Exchange users to participate in Microsoft
NetMeetings, you must specify the Internet Locator Service (ILS) server
in Exchange Administrator. This will enable other NetMeeting users to
locate the mailbox owner and set up online meetings.
To enable this functionality:
1. Open Exchange Administrator.
2. Highlight the user's mailbox object.
3. Go to File | Properties | Advanced.
4. Type in the name of the ILS server and the ILS account in the
|ADDING INDEXES TO OBJECTS USING RAW MODE|
||Using Exchange Administrator in raw mode (start it with admin /r) is not
for the faint of heart: raw mode exposes every directory attribute and
does no validation of what you type, so take a verified directory backup
before you begin. It does, however, let you do things you can't
accomplish any other way, such as adding indexes to Exchange objects.
Here's how.
1. Once you've opened Exchange Administrator in raw mode, select the
attribute you want to add to the searchable index.
2. Hold down the Control key and press Enter to open the raw properties.
3. Scroll down until you see the search attribute.
4. In the index value, enter either: 0 for disabled; 1 for attribute
indexed but not included in address resolution; or 2 for attribute
indexed and included in address resolution.|
|COMMON EXCHANGE ERROR FIXES, PART 1|
||If the Internet Mail Connector (Exchange 4.0) or Internet Mail Service
(Exchange 5.0) generates an error saying, "The Internet Mail connector
service failed to start due to the following error: The service did not
respond to the start or control request in a timely fashion," you need
to take the following steps:
1. Go to the Services Control Panel.
2. Select Microsoft Exchange Internet Mail Service.
3. Click Start Up.
4. Select This Account under Log On As.
5. Select the name of the System Account or an account that has service
account admin rights in your Exchange organization, site, and
|COMMON EXCHANGE ERROR FIXES, PART 2|
||Let's say you try to start an Exchange service and get the following
error: "Could not start the Microsoft Exchange Directory Service on
\\. Error 0002: The system cannot find the file
The problem? One of the executables associated with the service is
missing or corrupt. To resolve this issue, obtain the associated file
from a backup or service pack CD and copy it onto the Exchange server.
Here are the major Exchange services and their associated files:
* Exchange Directory--Dsamain.exe
* Exchange Information Store--Store.exe
* Exchange System Attendant--Mad.exe
* Exchange Message Transfer Agent--Emsmta.exe
* Exchange Internet Mail Connector--Msexcimc.exe
Make sure the file you copy in comes from the same service pack level as
the rest of the Exchange binaries on that server; mixing builds is a
good way to trade one startup failure for another.|
|COMMON EXCHANGE ERROR FIXES, PART 3|
||After installing the Microsoft Exchange Connector for Lotus cc:Mail,
you receive a non-delivery report and an Event 142 in the event log
when trying to send a message to a cc:Mail recipient. What happened?
This problem usually occurs when the Address Space tab under Properties
is not configured properly.
To configure the Address Space tab properly, follow these simple steps:
1. Open Exchange Administrator.
2. Choose the appropriate Exchange connector for Lotus cc:Mail and
select File | Properties.
3. Click on the Address Space tab and verify that the entry exists for
4. Select the Site Addressing object.
5. Go to File | Properties | Routing | Recalculate Routing.|
|EXCHANGE AND CLUSTER SERVER PART 1 OF 3|
||Exchange Server 5.5 Enterprise Edition includes support for Microsoft
Cluster Server version 1.0. Clustering your Exchange environment
lets your messaging environment survive the failure of one server: when
the active node fails, the other node takes over its resources and load
after a short failover, without users having to reconfigure anything.
An Exchange cluster consists of two Exchange servers that share one or
more common disk drives, an IP address, a network name, and Exchange
Server cluster resources. All network requests to the Exchange cluster
are sent to a "virtual server" that forwards the requests to the active
server in the cluster.
By clustering your Exchange servers, you are adding yet another level
of fault tolerance to ensure the availability of your messaging system.|
|EXCHANGE AND CLUSTER SERVER PART 2 OF 3|
||It goes without saying that in order to have Exchange on Cluster
Server, the first thing you have to do is install and configure Cluster
Server. Once you've installed and configured Cluster Server, you're
ready to run the Exchange Server setup program on the active node. The
setup program will copy the files to the active node's system32
directory and to the clustered drive, and it creates resources in the
Exchange Server's cluster resource group.
After Exchange has completed setup, you should run the Exchange
performance optimizer. Next, run the setup program on the secondary
node, being careful to select UPGRADE NODE. Setup will copy the files
to the system32 directory on the secondary node, where it also creates
the Exchange services. (Notice that you can't run Performance Optimizer
on the secondary node.)
Remember, when you install any new Exchange components on the primary
node, you must also install them on the secondary node.|
|EXCHANGE AND CLUSTER SERVER PART 3 OF 3|
||When installed on a Cluster Server, Exchange's services are set to
manual start, which prevents the automatic startup of the Exchange
services. The Cluster Server's resource manager starts the services in
order of dependency.
If you need to manage the services on an Exchange server in a clustered
server environment, you should only use the Cluster Administrator
program, not the services control panel or the Net Stop command. Keep
in mind, though, that you should fail over the Exchange server cluster
group prior to stopping the services.|
|REFRESHING A STALE PUBLIC INFORMATION STORE|
||Some events can cause an entire public information store (IS) to become
stale. For example, if a server is shut down for an extended period of
time, the public folder replication process will automatically try to
update all the instances in your organization to the same level by a
process called backfill.
Backfill relies on the IS' periodic creation of a message that
broadcasts its status to the other ISs with which it's replicating
folders. This message is sent any time a public folder is altered. If
no changes occur, the message will be sent once a day.
When the server mentioned in the example above is brought back online,
it will receive a list and compare that to what is on its own server.
If that list contains information not on its own server, then
information has been submitted to the IS that sent the message that the
local IS has not received yet. In that case, the local IS will send a
message requesting that the information be replicated to it so it can
be brought up to date.|
|SIMPLY REBOOT TO CORRECT MTA START FAILURE|
||When you upgrade Microsoft Exchange Server 4.0 Service Pack 3 to
Exchange Server 5.0, the message transfer agent (MTA) may fail to
start. You may also get the following error:
"Event ID 2000 MSX-IS PRIV Verify that the MSX MTA service has started.
Consecutive ma-open calls are failing with error 3051."
Amazingly, all you have to do to correct the problem is restart
|USING CIRCULAR LOGGING TO FREE UP DISK SPACE|
||Increasing transaction logs, files that Exchange uses to commit data to
the corresponding database file on disk, can cause the Information
Store (IS) to run out of operating space. When enabled, an option
called circular logging limits the amount of disk space these
transaction logs use by overwriting previous log files with new ones.
At first glance, this seems like a good idea. However, for disaster
recovery, this introduces some problems.
The log files include transactions that haven't yet been written to the
IS databases. After a server failure, the store replays the log files
when it starts (or after a restore), rolling forward the transactions
committed since the last checkpoint. With circular logging on, log
generations that have already been overwritten can't be replayed, so
you can recover only to the point of your last full backup, and
incremental and differential backups aren't possible at all.
If Exchange Server is backed up properly and on a regular schedule,
circular logging should never come into play: a full or incremental
online backup purges the log files it has captured. Backing up Exchange
Server is the preferred way of saving the log files and removing them
from the disk to free up space.|
|USING LDAP TO DELETE MAILBOXES OPENS SECURITY HOLE|
||If you use the Lightweight Directory Access Protocol (LDAP) application
to delete an Exchange 5.5 mailbox, Exchange will delete the directory
object--but not the associated messages and folders in the information
store. Consequently, if a new mailbox with the same distinguished name
is created--regardless of the Windows NT account associated with the
new mailbox--the contents of the old information store become available
to the new mailbox.
Here's how you can see this security problem for yourself:
1. Create a mailbox in Exchange Administrator.
2. Send mail to the mailbox.
3. Use the LDP.EXE tool to delete the mailbox.
4. Recreate a mailbox with the same distinguished name, but a different
associated NT account.
5. Log on to the mailbox and read the e-mail you just sent.
The lesson is to delete mailboxes with Exchange Administrator, which
removes the information store contents along with the directory object,
and to treat a distinguished name as something anyone with directory
rights can re-create, not as proof of ownership.|
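As an added example (not Exchange code, and not from the original tip), here is a toy model of the directory/store split the tip describes. The directory holds mailbox objects keyed by distinguished name; the store in the vulnerable model keys contents by that same DN, so an LDAP deletion followed by a re-creation hands the old contents to the new owner. The hardened model keys contents by an identifier minted once at creation time, which is the general fix for this class of bug. DNs, account names and the message are made up.

```python
"""Toy model of the directory/store split behind the LDAP-delete problem.

Added example, not Exchange code. It models only what the tip describes:
directory objects keyed by DN, store contents keyed either by that DN
(StoreByDN, the vulnerable shape) or by a GUID minted at creation time
(StoreByGUID, the hardened shape), and two deletion paths. DNs and
account names are constructed for the demo.
"""
import uuid


class Directory:
    def __init__(self):
        self.objects = {}  # DN -> {"nt_account": str, "mailbox_guid": str}

    def create_mailbox(self, dn, nt_account):
        self.objects[dn] = {"nt_account": nt_account,
                            "mailbox_guid": uuid.uuid4().hex}

    def ldap_delete(self, dn):
        """What deleting with LDP.EXE does: the directory object goes, nothing else."""
        del self.objects[dn]


def check_access(directory, dn, nt_account):
    """Logon succeeds if the DN exists and is associated with this NT account."""
    obj = directory.objects.get(dn)
    if obj is None or obj["nt_account"] != nt_account:
        raise PermissionError("no such mailbox or wrong NT account")
    return obj


class StoreByDN:
    """Vulnerable model: contents keyed by DN, so a re-created DN inherits them."""
    def __init__(self):
        self.folders = {}  # key -> list of message subjects

    def key(self, directory, dn):
        return dn

    def deliver(self, directory, dn, subject):
        self.folders.setdefault(self.key(directory, dn), []).append(subject)

    def open(self, directory, dn, nt_account):
        check_access(directory, dn, nt_account)
        return list(self.folders.get(self.key(directory, dn), []))


class StoreByGUID(StoreByDN):
    """Hardened model: contents keyed by the GUID minted when the mailbox was created."""
    def key(self, directory, dn):
        return directory.objects[dn]["mailbox_guid"]


def admin_delete(directory, store, dn):
    """What Exchange Administrator does: directory object and store contents go together."""
    store.folders.pop(store.key(directory, dn), None)
    del directory.objects[dn]


DN = "cn=alice,cn=Recipients,ou=Site1,o=Example"   # constructed


def after_ldap_delete(store_cls):
    """The tip's five steps; returns what the *new* owner of the DN can read."""
    d, s = Directory(), store_cls()
    d.create_mailbox(DN, r"EXAMPLE\alice")
    s.deliver(d, DN, "Q3 salary review")
    d.ldap_delete(DN)
    d.create_mailbox(DN, r"EXAMPLE\mallory")       # same DN, different NT account
    return s.open(d, DN, r"EXAMPLE\mallory")


def after_admin_delete(store_cls):
    """Same sequence, but deleted the supported way."""
    d, s = Directory(), store_cls()
    d.create_mailbox(DN, r"EXAMPLE\alice")
    s.deliver(d, DN, "Q3 salary review")
    admin_delete(d, s, DN)
    d.create_mailbox(DN, r"EXAMPLE\mallory")
    return s.open(d, DN, r"EXAMPLE\mallory")


if __name__ == "__main__":
    print("LDAP delete, store keyed by DN:  ", after_ldap_delete(StoreByDN))
    print("LDAP delete, store keyed by GUID:", after_ldap_delete(StoreByGUID))
    print("Admin delete, store keyed by DN: ", after_admin_delete(StoreByDN))
```

Only the first combination (LDAP delete against a DN-keyed store) leaks the old message. Note that in the GUID model the orphaned data still sits in the store under the old key and needs its own cleanup; what changes is that nobody can reach it by re-creating the name.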
|DETERMINE MEMBERS OF A DISTRIBUTION LIST|
||In a previous tip, "Determine What Group or DL a Person Belongs To" (Exchange Server UPDATE, December 3, 1999), I discussed how to check which distribution list (DL) someone belongs to via the Member Of tab when viewing a mailbox's properties in Outlook. You can take that one step further to see who else is in a particular DL. To do so, select the Member Of tab, double-click any of the DLs that appear, and you'll see the DL properties, including a member list. This tip is useful when you're trying to find out who else is in a person's workgroup.|
||The Exchange download logging feature writes events to the NT Event Log
when users download attachments, messages, and folders from public or
To configure download logging in public folders, you need to edit the
To configure download logging in private folders, you need to edit the
Add a REG_DWORD value whose (decimal) data corresponds to the level of
logging you want. The levels are bit flags (attachments=1, messages=2,
folders=4), so combinations simply add up:
* Attachments only=1
* Messages only=2
* Attachments and messages=3
* Folders only=4
* Attachments and folders=5
* Messages and folders=6
* Attachments, messages, and folders=7
NOTE: As always, use caution when editing the registry. Always have a
verified backup before you begin.|
|EXCHANGE LOGGING, PART 1|
||Exchange uses TRANSACTION LOGS (for each database) to accept, track,
and maintain data. Each database transaction is written to the
transaction log before being written to the database. The current
transaction log file, edb.log, consists of an inactive part
(transactions that have already been committed to the database) and an
active part (transactions still needing to be committed). During a full
or incremental backup, the inactive part of the transaction log is
|EXCHANGE LOGGING, PART 2: PREVIOUS LOGS|
||When a transaction log becomes full, it is renamed and a new edb.log
file is created. The renamed log file is stored in the same
subdirectory as the edb.log file. Log files are renamed in a sequential
order using hexadecimal numbers (for example, edb00009.log).
Keep in mind that when circular logging is enabled, Exchange does not
maintain its previous logs.
The directory and information store each maintain a res1.log and a
res2.log file. These reserve logs are preallocated so that, if the
service can't create a new log file when it renames edb.log (typically
because the disk has filled up), it still has room to flush the
transactions still in memory into res1.log and res2.log before it shuts
down, instead of losing them.|
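As an added example (not code from the tip), here is a check for the log numbering described above: it parses the edbNNNNN.log generation numbers, reports the name the next rollover will get, and flags any gap in the sequence. A gap means the logs can't be replayed across it, which is exactly the state circular logging leaves behind once older generations have been overwritten, so it is worth running against a log directory before you rely on those logs for a restore. The directory listings are constructed; the reserve logs and database files are recognised and ignored.

```python
"""Check that an Exchange 5.5 transaction-log set forms a contiguous chain.

Added example, not code from the original tip. Log generations are named
edb.log (current) and edbNNNNN.log with a five-digit hexadecimal number,
as the tip describes; res1.log and res2.log are reserve files and never
part of the replay chain. The listings below are constructed.
"""
import re

LOG_RE = re.compile(r"^edb([0-9a-f]{5})\.log$", re.IGNORECASE)
CURRENT = "edb.log"
RESERVE = {"res1.log", "res2.log"}


def generations(filenames):
    """Sorted generation numbers of the numbered logs; other files are ignored."""
    gens = []
    for name in filenames:
        m = LOG_RE.match(name)
        if m:
            gens.append(int(m.group(1), 16))
    return sorted(gens)


def next_log_name(filenames):
    """Name edb.log will receive at its next rollover (assumes numbering starts at 1)."""
    gens = generations(filenames)
    nxt = gens[-1] + 1 if gens else 1
    return f"edb{nxt:05x}.log"


def check_chain(filenames):
    """Return (ok, missing_names, has_current).

    ok is False when any generation between the lowest and highest present
    is absent (replay stops at the gap) or when edb.log itself is missing
    (the uncommitted tail of the chain is gone).
    """
    names = {n.lower() for n in filenames}
    gens = generations(filenames)
    missing = []
    if gens:
        present = set(gens)
        missing = [f"edb{g:05x}.log"
                   for g in range(gens[0], gens[-1] + 1) if g not in present]
    has_current = CURRENT in names
    return (not missing and has_current, missing, has_current)


# Constructed listings of an mdbdata directory.
INTACT = ["edb00007.log", "edb00008.log", "edb00009.log", "edb0000a.log",
          "edb.log", "res1.log", "res2.log", "priv.edb", "pub.edb"]
BROKEN = ["edb00007.log", "edb00009.log", "edb0000a.log",
          "edb.log", "res1.log", "res2.log", "priv.edb", "pub.edb"]

if __name__ == "__main__":
    for label, listing in (("intact", INTACT), ("broken", BROKEN)):
        ok, missing, has_current = check_chain(listing)
        print(f"{label}: ok={ok} missing={missing} edb.log present={has_current} "
              f"next={next_log_name(listing)}")
```

On the broken listing the script reports edb00008.log as missing; a restore that needs to roll forward through that generation will stop there, whatever else is on the disk.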
|LIMITED ADMINISTRATION OF PUBLIC FOLDERS|
||If your whole Exchange organization is on Exchange version 5.5, public
folders are attached to their home site and server. In order to perform
administrative actions on a public folder, a user must have
administrative permissions on that folder's home site. Any subfolders
that are created will inherit the limited administrative access
designations from the top-level folder.
You can change a public folder's limited access designation on its
General tab. Simply select the Limit Administrative Access To Home Site
box to turn it on, or uncheck it to deactivate it.
Keep in mind that if you upgrade from a previous version of Exchange,
the public folder hierarchy won't automatically be set for limited
administration access, so you'll have to manually turn it on.|
|PUBLIC FOLDER REPLICATION|
||You want to create a replica of an existing public folder. Here's what
you need to do:
1. Open Exchange Administrator.
2. Add the new information store to the Instances property page of the
public folder, or add the public folder to the Replicas property page
of the Public Information Store.
During replication, changes made to items in a replica are sent to all
other replicas of the public folder throughout the organization.
Changes made to the folder, a folder's properties, or the public folder
hierarchy are replicated to all public folder servers (even those
without replicas of this folder).
When you no longer want a specific public folder replica, you can
delete it from its information store. When an information store detects
a new replica and determines that it's responsible for that replica, it
generates a backfill request for the contents of the folder.|
|RESTORING EXCHANGE DATA|
||If you're restoring Exchange data from a backup, keep in mind that you
can't restore the Exchange directory to a computer on a different
Windows NT domain. Also, if the Exchange server that you're restoring
is a Primary Domain Controller, the Security Identifier (SID) value on
the restored server must match the SID value that was on the original
server. If it doesn't match, you won't be able to access the
information store unless you manually rebuild the Windows NT accounts
that were on the domain.|