Monday, December 1, 2008

Exchange 2007 SP1 – Rollup 5 installation Issue (OWA)

There have been quite a few incidents reported out there regarding installation issues with application of Rollup 5 (and other versions) to Exchange 2007.  Granted, many incidents have been reported with the Rollup 5 install for Exchange 2007 RTM; however, there are also incidents with Exchange 2007 SP1 as well.  Below I will provide a brief overview of an incident I have experienced and the action taken to remediate.

Scenario:

   Server State Pre-Installation of Exchange 2007 SP1 Rollup 5: 

    • Exchange 2007 SP1 (w/ Rollup 3 applied). 
    • No interim hotfixes for Exchange 2007 applied.
    • Antivirus services stopped
    • Backend servers have applied the rollup successfully

Problem(s):

  • Installation of Rollup 5 takes a LONG time (30-60 min) – hangs on the .NET assemblies portion of the installation.
  • Exchange-related services are left in a “DISABLED” state following installation as well as after a reboot.
  • Exchange-related services will not start up.
  • For users accessing OWA, images are not displayed properly and a pageNotFound error appears for the reading pane, etc.

Symptoms:

  • Visible Symptoms:
    • MSExchangeOWAAppPool does not exist for Rollup 5 version.  (MSExchangeOWAAppPool > OWA 8.1.336.0)
      [Screenshot: Problem Server]

      [Screenshot: Good Server]

  • OWA does not display correctly when accessed.  Images are replaced with an “X”.
  • The *.exe.config files (<Drive>\Microsoft\Exchange Server\Bin) have not been “recreated/updated” to reflect the Rollup application date.

Solution:

The rollup installation issue was not consistent across the board with the Client Access Servers.  Some servers installed successfully and others did not.  So the root cause was not determined; however, the fix was the same across the board for problem servers.

  1. If stopped > Start IISAdmin
  2. Modify the properties of the OWA 8.1.336 virtual directory (Default Web Site > OWA > OWA 8.1.336) and assign the Application Name and Application Pool (MSExchangeOWAAppPool)
  3. Start Exchange-related services
  4. If services do not start, verify the *.exe.config file contents (see the file list below).
  5. Start Exchange-related services
  6. Verify OWA authentication and set accordingly
  7. Verify OWA connectivity

Start IISAdmin (if stopped/disabled)

1.  Open the Exchange Management Shell.

If Disabled Type:  Set-Service "IISAdmin" -StartupType Automatic
If Stopped Type: Start-Service "IISAdmin"

Note:  Verify the W3SVC and HTTPSSL services as well.

Verify MSExchangeOWAAppPool virtual directory for Rollup 5 (owa 8.1.336)

1.  Open IIS Manager > ServerName > Application Pools > MSExchangeOWAAppPool > owa/<RollupVersion>   (ex.  <default web site>/owa/8.1.336)

2.  If a version does not exist that matches the rollup version (Rollup 5 for Exchange 2007 SP1 = 8.1.336), navigate down to Web Sites > Default Web Site > OWA > <rollup version>

3.  Right-click the virtual directory that matches the rollup version and select Properties. Next to Application Name, click “Create” and enter the text “owa”. Then for Application Pool select MSExchangeOWAAppPool.

4.  Select OK and verify that MSExchangeOWAAppPool > owa/<rollupVersion> exists.  (Procedure in Step 1.)

5.  From a command prompt, run:    IISRESET /NoForce

If Exchange services do not start up normally or hang, verify the content of the following Exchange *.exe.config files:

Reference Article: http://msexchangeteam.com/archive/2008/07/08/449159.aspx

**Advise following the reference article for procedure.  However, the gist of it is listed below.

1.  Check to see if the configuration files within the <Drive>\Microsoft\Exchange Server\bin directory contain the following key entry.  If not, back up the existing files and either create or modify existing files.  The list of files is below as well.

<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>

*.exe.config files:  (exe.config versions of these files; so EdgeTransport.exe will have an EdgeTransport.exe.config file)

  • Bin\EdgeTransport.exe
  • Bin\ExBPA.exe
  • Bin\ExBPACmd.exe
  • Bin\ExTRA.exe
  • Bin\Microsoft.Exchange.Cluster.ReplayService.exe
  • Bin\Microsoft.Exchange.EdgeSyncSvc.exe
  • Bin\Microsoft.Exchange.Monitoring.exe
  • Bin\Microsoft.Exchange.Search.ExSearch.exe
  • Bin\Microsoft.Exchange.ServiceHost.exe
  • Bin\MSExchangeMailboxAssistants.exe
  • Bin\MSExchangeMailSubmission.exe
  • Bin\MSExchangeTransportLogSearch.exe
  • ClientAccess\PopImap\Microsoft.Exchange.Imap4.Exe
  • ClientAccess\PopImap\Microsoft.Exchange.Pop3.Exe

2.  After the configuration files have been modified, try to start up the Exchange services.
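
One way to run the step 1 check across every file in the list, as an added example that is not part of the original post or the referenced article. It assumes Windows PowerShell 2.0 or later; the function names and the scratch folder are hypothetical, and the install root is a parameter because the post gives it only as <Drive>\Microsoft\Exchange Server.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 2.0+.
# Relative paths are the files listed above; each has a matching <name>.config.
$ExchangeExeFiles = @(
    'Bin\EdgeTransport.exe',
    'Bin\ExBPA.exe',
    'Bin\ExBPACmd.exe',
    'Bin\ExTRA.exe',
    'Bin\Microsoft.Exchange.Cluster.ReplayService.exe',
    'Bin\Microsoft.Exchange.EdgeSyncSvc.exe',
    'Bin\Microsoft.Exchange.Monitoring.exe',
    'Bin\Microsoft.Exchange.Search.ExSearch.exe',
    'Bin\Microsoft.Exchange.ServiceHost.exe',
    'Bin\MSExchangeMailboxAssistants.exe',
    'Bin\MSExchangeMailSubmission.exe',
    'Bin\MSExchangeTransportLogSearch.exe',
    'ClientAccess\PopImap\Microsoft.Exchange.Imap4.Exe',
    'ClientAccess\PopImap\Microsoft.Exchange.Pop3.Exe'
)

function Test-PublisherEvidenceSetting {
    # Returns OK, FileMissing, Unparseable, KeyAbsent or KeyNotFalse for one file.
    param([string]$ConfigPath)

    if (-not (Test-Path -LiteralPath $ConfigPath)) { return 'FileMissing' }
    try {
        # A failed [xml] cast is a terminating error, so a damaged file lands in catch.
        $xml = [xml]((Get-Content -LiteralPath $ConfigPath) -join "`n")
    } catch {
        return 'Unparseable'
    }
    # The key must sit at configuration/runtime, as in the snippet above.
    $node = $xml.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
    if ($node -eq $null) { return 'KeyAbsent' }
    if ($node.GetAttribute('enabled') -eq 'false') { return 'OK' }
    return 'KeyNotFalse'
}

function Get-PublisherEvidenceReport {
    param(
        [string]$ExchangeRoot,                  # e.g. <Drive>\Microsoft\Exchange Server
        [string[]]$ExeFiles = $ExchangeExeFiles
    )
    foreach ($exe in $ExeFiles) {
        $config = Join-Path $ExchangeRoot ($exe + '.config')
        New-Object PSObject -Property @{
            Status     = (Test-PublisherEvidenceSetting $config)
            ConfigFile = $config
        }
    }
}

# Constructed demo: a scratch folder stands in for the Exchange install root and
# holds one good config and one without the key; the other files report FileMissing.
$demoRoot = Join-Path ([IO.Path]::GetTempPath()) 'ExchangeConfigDemo'
New-Item -ItemType Directory -Path (Join-Path $demoRoot 'Bin') -Force | Out-Null
Set-Content (Join-Path $demoRoot 'Bin\EdgeTransport.exe.config') `
    '<configuration><runtime><generatePublisherEvidence enabled="false"/></runtime></configuration>'
Set-Content (Join-Path $demoRoot 'Bin\ExBPA.exe.config') `
    '<configuration><runtime/></configuration>'

# Show only the files that still need attention.
Get-PublisherEvidenceReport -ExchangeRoot $demoRoot |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table Status, ConfigFile -AutoSize

Remove-Item $demoRoot -Recurse -Force
```

The report only reads the files; anything other than OK still needs the backup and edit described in step 1.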

Verify OWA Authentication:

1.  First check to see if the authentication method is set correctly for the OWA virtual directory.

Get-OwaVirtualDirectory -Identity "msgexsv23004\owa (default web site)" | fl *authenti*

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : False
FormsAuthentication : False

2.  If authentication is not set correctly, then set it according to your standards.  Below is an example of enabling Windows Integrated and Basic Authentication.

Set OWA Virtual Directory authentication (Integrated and Basic):

Set-OwaVirtualDirectory -Identity "msgexsv23004\owa (default web site)" -WindowsAuthentication $true -BasicAuthentication $true

3.  Next you will want to reset IIS.  Open a command prompt and run the following command.

 IISRESET /NOFORCE

4.  Finally, verify authentication settings, then open a browser and test OWA access/connectivity (internal and external URLs).   The command below is the same verification command issued in step 1.

Get-OwaVirtualDirectory -Identity "msgexsv23004\owa (default web site)" | fl *authenti*



Exchange 2007 – Modify Default Managed Folders

Modify Default Managed Folders (i.e. Deleted Items)

Scenario:

  A company has elected to automate the deletion of messages within the “Deleted Items” folders based on a retention period of their choice. After the retention period elapses for a specific message(s) within the “Deleted Items” folder, the message will be permanently deleted from that folder. However, this will not apply to the Mailbox Database “Deleted Item Retention” period currently enforced, and users will still be able to perform the “recover deleted items” function from the client.

You can implement MRM (Message Records Management) within the organization to apply messaging policies in various scenarios. You can create managed custom folders in user mailboxes and apply MRM policies to these managed custom folders and also the default folder. You can then configure content settings for both the custom and the default e-mail folders.

How to Modify Default Managed Folder (Deleted Items)

Method 1: From the Exchange Management Console

1. Run the EMC.

2. Expand the Organization Configuration node and then click Mailbox.

3. In the result pane, select the Managed Default Folders tab

4. Select the “Deleted Items” folder

5. Right-click and select “New Managed Content Settings”.

6. Enter a name for the Managed Folder Content Settings (ex. 2 - Day Retention All)

7. For Message Type, enter “All Mailbox Content”. This refers to the type of messages to which this policy will apply. In this case anything that is deleted (Contacts, Notes, Messages, etc.) will be deleted from the Deleted Items folder two days after the day it is placed in the Deleted Items folder.

8. Set the length of retention period (days).

9. Select when the Retention Period starts. In this case select “When item is moved to the folder”.

10. Finally select the action to perform at the end of the retention period. Select “Delete and Allow Recovery”. This option will allow users to still use the “recover deleted items” option from the Outlook client.

11. Click “Next”.

12. On the Journaling options page, do not select anything and click “Next”.

13. Finally click “New” to create the content setting.

14. Once it is created, click “Finish”.

15. After it's complete, you will see that the Deleted Items managed folder can be expanded and that the new content setting is listed below it.

Method 2:  Exchange Management Shell

1. Open Exchange Management Shell

2. Enter the following command line:

new-ManagedContentSettings -Name '2 - Day Retention All' -FolderName 'Deleted Items' -RetentionAction 'DeleteAndAllowRecovery' -AddressForJournaling $null -AgeLimitForRetention '2.00:00:00' -JournalingEnabled $false -MessageFormatForJournaling 'UseTnef' -RetentionEnabled $true -LabelForJournaling '' -MessageClass '*' -MoveToDestinationFolder $null -TriggerForRetention 'WhenMoved'

Exchange 2007 – Creating Dynamic Distribution Groups

Creating Dynamic Distribution Groups

Scenario:

Dynamic distribution groups are used here for the purpose of sending maintenance notifications to users. Unlike regular distribution groups that contain a defined set of members, the membership list for dynamic distribution groups is calculated each time a message is sent to them, based on the filters and conditions that you define. When an e-mail message is sent to a dynamic distribution group, it is delivered to all recipients in the organization that match the criteria defined for that dynamic distribution group.

How to create Dynamic Distribution Groups in Exchange 2007

Method 1: Exchange 2007 Management Console

1. Start the Exchange Management Console.

2. In the console tree, click Recipient Configuration node.

3. In the action pane, click New Dynamic Distribution Group. The New Dynamic Distribution Group wizard appears.

4. On the Introduction page, complete the following fields. All fields on this page are required:

· Organizational Unit: By default, this box will show the organizational unit (OU) that is set as the recipient scope. Click Browse to open the Select Organizational Unit dialog box. Use this dialog box to select a different OU, and then click OK.

· Name: Use this text box to type the name for the dynamic distribution group. The name cannot exceed 64 characters.

· Alias: Use this text box to type the alias of the dynamic distribution group. The alias cannot exceed 64 characters and must be unique in the forest.

5. Click Next.

6. On the Filter Settings page, define the recipient filter for the new dynamic distribution group:

· Click Browse to select the OU to select the recipients from. A dynamic distribution group contains all recipients that are in the specified OU and any other OUs under it.

· Select the recipient types you want to include in the dynamic distribution group. You can select All recipient types or The following specific types. If you select The following specific types, you must select at least one recipient type.

7. Click Next.

8. On the Conditions page, define any additional conditions to further restrict the recipients included in this dynamic distribution group. You can set the conditions to have only the recipients that are in a specific state or province, work in a specific department, work for a specific company, or have specific values for custom attributes. Conditions are optional.

a. In the Step 1: Select condition(s) list box, select the check boxes that correspond to the conditions you want to set. As you select check boxes in this list box, the selected conditions will appear in the Step 2: Edit the condition(s) list box. A pencil icon will appear next to each condition indicating that a valid value needs to be provided.

b. In the Step 2: Edit the condition(s) list box, click the underlined value that reads specified for each condition and provide the value. After you provide a valid value for a condition, the corresponding pencil icon will disappear.

c. Click Preview to view the recipients that will be contained in the dynamic distribution group, based on the conditions that you specified.

9. Click Next.

10. On the New Dynamic Distribution Group page, review the Configuration Summary. To make any configuration changes, click Back. To create the new dynamic distribution group, click New.

11. On the Completion page, the Summary displays whether the dynamic distribution group was successfully created. The summary also displays the Exchange Management Shell command that was used to create the dynamic distribution group.

12. Click Finish.

Method 2: Exchange Management Shell

· Run the following command to create a dynamic distribution group called Mailbox Users DDG that contains only mailbox users:

New-DynamicDistributionGroup -IncludedRecipients MailboxUsers -Name "Mailbox Users DDG" -OrganizationalUnit Users

· Run the following command to create a dynamic distribution group with a custom recipient filter. The dynamic distribution group contains all mailbox users on a server called Server1:

New-DynamicDistributionGroup -Name "Mailbox Users on Server1" -OrganizationalUnit Users -RecipientFilter {((RecipientType -eq 'UserMailbox' -and ServerName -eq 'Server1') -and -not(Name -like 'SystemMailbox{*'))}



Exchange 2007 – OWA Customization

Outlook Web Access Customization

This section addresses AMAT's specific Outlook customizations. The list below summarizes the customizations contained within this document.

· Setting Forms-Based Authentication Time-Out

· OWA - Computer File Access Configuration

Setting Forms-Based Authentication Time-Out

This topic explains how to configure the cookie time-out values for public and private computers by using forms-based authentication on a Microsoft Outlook Web Access virtual directory that is on a Microsoft Exchange 2007 server that has the Client Access server role installed.

Permissions Required:

To perform the following procedures, the account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group for the target server.

Note: Default Time-Out Settings for Outlook Web Access are as follows:

· Public Computer Time-Out: 15 Minutes

· Private Computer Time-Out: 4 Hours

Modify Public Computer Time-Out Settings

This topic explains how to configure the cookie time-out values for public computers by using forms-based authentication on a Microsoft Outlook Web Access virtual directory that is on a Microsoft Exchange 2007 server that has the Client Access server role installed.

1. On the Client Access server, log on by using the Exchange administrator account, and then start Registry Editor (regedit).

2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

3. On the Edit menu, point to New, and then click DWORD Value. In the details pane, name the new value PublicTimeout.

4. Right-click the PublicTimeout DWORD value, and then click Modify.

5. In Edit DWORD Value, under Base, click Decimal.

6. In the Value Data box, type a value in minutes between 1 and 43,200 for a maximum of 30 days. Click OK.

Note: You must restart Internet Information Services (IIS) by using the command iisreset /noforce for these changes to take effect.

To Modify the Public Time-Out settings through Exchange Management Shell:

Note: This command is to modify the Time-Out settings once the key already exists.

set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -name PublicTimeout -value <amount of time> -type dword

Run the following command to view the public computer cookie time-out value:

get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -name PublicTimeout

Modify Private Computer Time-Out Settings

This topic explains how to configure the cookie time-out values for private computers by using forms-based authentication on a Microsoft Outlook Web Access virtual directory in Microsoft Exchange Server 2007. Private computers are also known as trusted computers.

1. On the Exchange Client Access server, log on by using your Exchange administrator account, and then start Registry Editor (regedit).

2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

3. On the Edit menu, point to New, and then click DWORD Value. In the details pane, name the new value PrivateTimeout.

4. Right-click the PrivateTimeout DWORD value, and then click Modify.

5. In Edit DWORD Value, under Base, click Decimal.

6. In the Value Data box, type a value in minutes between 1 and 43,200 for a maximum of 30 days. Click OK.

To Modify the Private Time-Out settings through Exchange Management Shell:

Note: This command is to modify the Time-Out settings once the key already exists.

set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -name PrivateTimeout -value <amount of time> -type dword

Run the following command to view the private computer cookie time-out value:

get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -name PrivateTimeout
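
The public and private time-out procedures above can be wrapped in one pair of functions, shown here as an added example that is not part of the original post. It assumes Windows PowerShell 2.0 or later; the function names, the policy ceilings and the scratch key under HKCU are hypothetical, while the registry path, value names, defaults and the 1 to 43,200 minute range come from the text above.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 2.0+.
# Registry path, value names, defaults (15 min / 4 h) and range are from the page.
$OwaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$OwaDefaults = @{ PublicTimeout = 15; PrivateTimeout = 240 }

function Get-OwaCookieTimeout {
    # Reports the effective time-out for both values and compares each against a
    # ceiling. The ceilings are hypothetical policy values; set them to your standard.
    param(
        [string]$KeyPath        = $OwaKey,
        [int]$MaxPublicMinutes  = 15,
        [int]$MaxPrivateMinutes = 240
    )
    $ceiling = @{ PublicTimeout = $MaxPublicMinutes; PrivateTimeout = $MaxPrivateMinutes }
    foreach ($name in 'PublicTimeout', 'PrivateTimeout') {
        # No registry value means OWA is using the default listed on the page.
        $prop = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        if ($prop) { $minutes = [long]$prop.$name;      $source = 'Registry' }
        else       { $minutes = $OwaDefaults[$name];    $source = 'Default'  }
        New-Object PSObject -Property @{
            Name         = $name
            Minutes      = $minutes
            Source       = $source
            InRange      = ($minutes -ge 1 -and $minutes -le 43200)
            WithinPolicy = ($minutes -le $ceiling[$name])
        }
    }
}

function Set-OwaCookieTimeout {
    # Creates the DWORD if it is absent (steps 3-6) or updates it if it exists.
    param(
        [ValidateSet('PublicTimeout', 'PrivateTimeout')][string]$Name,
        [ValidateRange(1, 43200)][int]$Minutes,
        [string]$KeyPath = $OwaKey
    )
    if (-not (Test-Path $KeyPath)) { throw "Registry key not found: $KeyPath" }
    if (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $KeyPath -Name $Name -Value $Minutes -Type DWord
    } else {
        New-ItemProperty -Path $KeyPath -Name $Name -Value $Minutes -PropertyType DWord | Out-Null
    }
    # On a Client Access server, follow with: iisreset /noforce
}

# Constructed demo on a scratch key under HKCU, so nothing on a live server changes.
$scratch = 'HKCU:\Software\OwaTimeoutDemo'
New-Item -Path $scratch -Force | Out-Null
Set-OwaCookieTimeout -Name PublicTimeout -Minutes 60 -KeyPath $scratch

# PublicTimeout is read from the scratch key and exceeds the 15-minute ceiling;
# PrivateTimeout has no value there, so the default is reported.
Get-OwaCookieTimeout -KeyPath $scratch |
    Format-Table Name, Minutes, Source, InRange, WithinPolicy -AutoSize

Remove-Item -Path $scratch -Recurse
```

Run Get-OwaCookieTimeout with no arguments on a Client Access server to audit the live values against your own ceilings.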

OWA - Computer File Access Configuration

By default, public computer direct file access is enabled for new installations and upgrades of Outlook Web Access. Therefore, when users in your organization select This is a public or shared computer or This is a private computer on the Outlook Web Access logon page, they will be able to access files that are attached to e-mail messages.

Public and Private File Computer Access Settings

1. In the Exchange Management Console, click Server Configuration, and then click Client Access.

2. In the action pane, in Outlook Web Access, click Properties.

3. On the Outlook Web Access Properties page, click either the Public Computer File Access tab or the Private Computer File Access tab.

4. Make modifications to the File Access configuration based on your business/security requirements.

More Info: WebReady Document Viewing

WebReady Document Viewing converts documents to HTML files and displays them in a Web browser. This enables Outlook Web Access users to view a document that is attached to a message even when the application that would ordinarily be used to open that document is not present on the computer that is being used.

If the Client Access server is running Exchange 2007 SP1, WebReady Document Viewing supports the following file types:

· Word (.doc, .dot, .rtf, .docx)

· Excel (.xls, .xlsx)

· PowerPoint (.ppt, .pps, .pptx)

· Adobe Portable Document Format (.pdf)

Exchange 2007 – Creating Message Disclaimers

Creating Message Disclaimers in Exchange 2007

This section provides the procedure for configuring a rule to apply message disclaimers, which are applied to messages when they pass through the Hub Transport server. Legal requirements vary significantly from business to business, and therefore a plan to configure/deploy message disclaimers can range from simple to complex. The key is to gather the requirements from the legal department and from there plot out the ideal deployment.

There are so many ways to configure these transport rules to apply disclaimers, so below we have provided an example of applying a disclaimer to email messages sent by members of the Legal Distribution Group.

SCENARIO:

A company has mentioned a specific need for users to be able to modify disclaimer text. In this instance, users would apply the disclaimer within their signature or manually in the message body. Exchange would then be configured to apply a disclaimer to every message, with an exception defined so that the default disclaimer is applied only to messages that do not include certain text (the disclaimer text phrase).

Procedure:

Note: In this example we will append a disclaimer to email messages sent by members of the Legal distribution group.

1. Begin the process by opening the Exchange Management Console.

2. Navigate to Organization Configuration -> Hub Transport and select the Transport Rules tab.

3. Click the New Transport Rule link found in the Actions pane to launch the New Transport Rule wizard.

4. Enter a name for the Exchange Server 2007 transport rule you're creating. For this example, let's call the rule "Legal Department Disclaimer." This screen also contains an area in which you can enter a description of the rule that you are creating. (I've never been one to tell people to fill in description fields, but transport rules can be complicated enough that some rules may warrant a description.)

5. This screen also contains an "Enable Rule" checkbox, which is selected by default. This means that the rule you're creating will be enabled as soon as you finish creating it, unless you deselect this box. For our purposes, let's leave the "Enable Rule" checkbox selected, as shown in Figure A.

Figure A: You should leave the Enable Rule checkbox selected.

6. Click Next and you will be taken to the wizard's Conditions screen, which will allow you to choose the circumstances under which the rule is activated. Notice in Figure B that there are many conditions from which to choose. One of the reasons why transport rules can be so complex is because you have the option to choose multiple conditions.

Figure B: Select the circumstances under which rules will be activated.

7. In this example we will append a disclaimer to email messages sent by members of the Legal distribution group, so select the "From a Member of a Distribution List" checkbox.

8. In Figure B, notice that the bottom half of the screen says "Apply rule to messages from a member of a distribution list." The words "distribution list" are hyperlinked. You must click on this link to specify the specific distribution groups to which you want the rule to apply. After doing so, the text at the bottom of the screen changes to reflect the name of the distribution list, as shown in Figure C.

Figure C: The text reflects the name of the distribution group you've selected.

9. Click Next, and you will be taken to the wizard's Actions screen. We have already specified the circumstances that should trigger the transport rule. Now we must tell Exchange Server 2007 what should happen when the rule is triggered. Again, you have lots of options available to you. Since our goal is to create a confidentiality disclaimer though, choose the "Append Disclaimer Text" checkbox.

10. If you look at Figure D, you will notice that the last line of text at the bottom of the screen says "append disclaimer text using Arial, smallest, Gray, with separator and fallback to wrap if unable to apply". Exchange Server 2007 gives you the option of specifying the disclaimer text and how that text is displayed. By clicking on the various hyperlinks you can specify the font, its size, the font color, and whether or not you want to use a separator.

Figure D: Not only can you specify the disclaimer, but also how it is displayed.

11. The font and separator options are pretty much self-explanatory, but there are two options on this screen that I want to talk about a little bit more.

12. The first is the fallback option. Take another look at Figure D. The last part of the rule states that Exchange Server should fall back to wrap if unable to apply. Wrap is the default option, which is basically a way of telling Exchange Server to ignore the formatting and append the disclaimer in plain text.

13. You also have the option of falling back to an ignore state. If the disclaimer was unable to be applied for some reason, this option would cause Exchange Server to send the message without the disclaimer. Your other option in a fallback situation is to reject the message, so that it will not be sent without a disclaimer.

14. The second option is the append option. By clicking on the Append link, you have the option of either appending or prepending the disclaimer. This means that you can place the disclaimer at either the bottom or the top of the message.

15. Configuring exceptions to an Exchange 2007 transport rule

16. When you finish specifying the disclaimer text and the related options, click Next and you will be taken to the wizard's Exceptions screen. The Exceptions screen is used to specify circumstances in which you do not want to apply the rule when it would normally be triggered.

17. Let's suppose that an employee in the legal department is also a member of the company's recreation committee. If that employee sends a message to all of the other employees asking for a volunteer to dress up as Santa Claus for the company Christmas party, the message really doesn't need to be treated as confidential.

18. There are a few different ways you could use transport rule exceptions to handle this type of situation. One possible option is to create an exception based on the message recipients. For example, you might create a rule exception that applies to users inside the company. That way the disclaimer won't be attached to messages sent to employees.

19. A better option is to base the exception on distribution group membership. For example, you could create a distribution group called "Social" that contains all company employees. You could then create an exception so that messages sent to the Social distribution group do not contain the disclaimer.

20. Still another option is to base the exception on keywords in the message's subject line. If an employee in the legal department wants to invite someone to lunch or something like that, they could put the word "social" in the subject line and the disclaimer would be left off.

21. If you do decide to create keyword-based exceptions, just make sure to choose your keywords carefully. Imagine the implications of someone sending an email with a subject line like "Social engineering related security breach." You would definitely want that message to be kept confidential. But the subject line contains the word "social," so our rule would omit the confidentiality disclaimer from the message.

22. After configuring any desired exceptions, click Next and you will see a screen that displays a summary of all of the information that you have entered. This screen displays the rule's name, description, and the conditions, actions, and exceptions that you have created. Assuming that everything looks good, click the New button and the rule will be created.

23. When the process completes, click the Finish button.

24. The Exchange Server 2007 transport rule is now ready to use.

Exchange 2007 – Global Message Limits

Global Message Size Limits

This section will provide steps for setting Global message size limits.

Inbound Message Size Limits

Setting Inbound (Receive) Message Size Limits.

1. In Exchange Management Shell, run the following command where <size> is entered as the default of "unlimited" or the size in B (Bytes), KB (Kilobytes), or MB (Megabytes) in a range of 0 to 2147483647 bytes:

Set-TransportConfig -MaxReceiveSize <size>

a. For example, to set the maximum message size that can be received by recipients in the Exchange Organization to 10 Megabytes you would enter:

Set-TransportConfig -MaxReceiveSize 10MB

b. To set the maximum message size that can be received by recipients in the Exchange Organization to the default value of unlimited you would enter:

Set-TransportConfig -MaxReceiveSize unlimited

Outbound Message Size Limits

Setting Outbound (Send) Message Size Limits.

1. In Exchange Management Shell, run the following command where <size> is entered as the default of "unlimited" or the size in B (Bytes), KB (Kilobytes), or MB (Megabytes) in a range of 0 to 2147483647 bytes:

Set-TransportConfig -MaxSendSize <size>

a. For example, to set the maximum message size that can be sent by users in the Exchange Organization to 10 Megabytes you would enter:

Set-TransportConfig -MaxSendSize 10MB

b. To set the maximum message size that can be sent by users in the Exchange Organization to the default value of unlimited you would enter:

Set-TransportConfig -MaxSendSize unlimited



Exchange 2007 – Recipient Limits

Recipient Limits

There are several ways to establish recipient limits within Exchange 2007.

· Organization Limits

· Global Limits

· Connector Limits

· Server Limits

· User Limits

Organization Limits: Apply to all Exchange 2007 Servers within the Organization.

Global Limits: Apply to all Exchange 2007 and Exchange 2003 servers that exist in the Organization.

Connector Limits: These limits apply to any messages that use the specified Send connector, Receive connector, or Foreign connector for message delivery.

Server Limits: These limits apply to a specific Hub Transport or Edge Server.

User Limits: These limits apply to a specific user object such as a contact, mailbox, distribution group, public folder.

 

Recipient Limit Recommendations

Generally, it is better to maximize the restrictiveness of your message limits. You should base any exceptions on a proven need to exceed the established size limits, and you should put those limits as close as possible to the objects that must exceed the established limits. This strategy helps make sure that messages in the transport pipeline are rejected as early as possible if they violate message size limits. It is a waste of system resources to set a high message size limit at the Exchange organization level, allow a message to enter the Exchange organization, and then reject the message at the last stage of delivery because of a violation of a message limit.

Scenario: Recipient Limit Requirements

Note:  The information below is a stripped list of recipient limit Q&A taken from a real customer.  Recommendations are based on these requirements, and as in the real world, not all of the requirements can be fulfilled out of the box with Exchange, or they may go against best practice for setting limits.

  • Only select users can send to All the Organization? Yes
  • Restrict Certain Distribution Groups to only allow particular users to send to them (ex. All Users)? YES
  • Maximum Recipient limit for Messages Sent within the Exchange Organization (Exchange to Exchange): 500
  • Maximum Recipient limit for Messages Sent to the Internet? 500
  • Maximum Recipient limit for Messages Sent to Domino? 500
  • Maximum Recipient limit for Messages Received from Internet? Presently All Inbound mail flows through Domino to Exchange so the Recipient Limit from Domino would apply.
  • Maximum Recipient limit for Messages Received from Domino? No Limit

Recommended Recipient Limit configuration based on requirements defined by scenario above.

  • Set Receive Connector From Domino and Internet (Same Connector): Unlimited

WARNING: Mail from the Internet and Domino comes through the same connector, so no limit will be placed on inbound Internet mail. The recommendation would be to set this limit the same as the Exchange Organization limit or lower. If internal Exchange users cannot send to more than 500 users, then email between the two messaging environments should adhere to the same limitations.

  • Set Organization: 500
  • Set Limits on who can send to Heavily Populated Distribution Groups (over Org Limit)
  • Even if the Organization restriction is set to 500 and a group has 500+ members, the user/group granted the ability to send to this group will still be able to send to all members.

Setting Recipient Limits

This section will provide instructions for setting recipient limits at the Organization, Global, Connector, Server and User level.

Note: Exchange Management Shell is the most efficient way to make these changes, so the commands will be displayed below.

IMPORTANT! When setting limits, whether its recipient, message size, etc. make sure the settings do not step on each other at the various levels. Exchange 2007 SP1 was suppose to fix many of the issues of limits defined at the Organization and Global level; however there are instances where these issues are still evident in SP1.

Organization Recipient Limits

Example: Setting Recipient Limit to 3000:

Note: Default Recipient Limit within Exchange SP1 is “5000”.

Set-TransportConfig -MaxRecipientEnvelopeLimit 3000

To verify settings run the following command:

Get-TransportConfig | fl MaxRecipientEnvelopeLimit











 








Global Recipient Limits









In Exchange 2007 SP1, you shouldn't modify the global limits directly. In Exchange 2007 SP1, if you set a global limit to a different value than the corresponding organizational limit, you will generate event log errors. When you want to modify the organizational limits or the global limits in Exchange 2007 SP1, you should use the Set-TransportConfig cmdlet in the Exchange Management Shell or the Hub Transport organization configuration properties in the Exchange Management Console.









Conditions That Affect the Initial Values of Global Limits in Exchange 2007 SP1









The following list describes the conditions that cause the initial values of the global limits to differ from the default values in Exchange 2007 SP1:









  • The existing numeric values of delivContLength, submissionContLength, or msExchRecipLimit are preserved for the following circumstances:
    • The organization was upgraded from Exchange 2007 RTM and the corresponding organizational limit values that are specified by the MaxReceiveSize parameter, the MaxSendSize parameter, or the MaxRecipientEnvelopeLimit parameter on the Set-TransportConfig cmdlet were set to Unlimited.
    • The organization was upgraded from Exchange 2003, and a numeric value was specified for Incoming message size, Outgoing message size, or Maximum number of recipients.
  • The values of delivContLength, submissionContLength, or msExchRecipLimit are changed to match the values of the corresponding organizational limits that are specified by the MaxReceiveSize parameter, the MaxSendSize parameter, or the MaxRecipientEnvelopeLimit parameter on the Set-TransportConfig cmdlet when all the following conditions are true:
    • The organization was upgraded from Exchange 2007 RTM to Exchange 2007 SP1.
    • A numeric value was specified for delivContLength, submissionContLength, or msExchRecipLimit.
    • A different numeric value was specified for the corresponding organizational limit in the MaxReceiveSize parameter, the MaxSendSize parameter, or the MaxRecipientEnvelopeLimit parameter.










Connector Recipient Limits









This content is tailored to the scenario’s environment, so we will only go through the modifications for the Receive Connectors.

Ex. To set one Receive Connector at a time (ex. set the connector named “From Domino” on <server> to a maximum of 1000 recipients):

Set-ReceiveConnector -Identity "<server>\From Domino" -MaxRecipientsPerMessage 1000

Ex. To set ALL Receive Connectors at One Time:

Get-ReceiveConnector | Set-ReceiveConnector -MaxRecipientsPerMessage 1000











 








Set Server Recipient Limits









This section provides instructions for setting recipient limits at the Server level.

Note: These limits are applied to a Hub Transport server.

Ex. To Set Hub Transport Server Recipient Limit on a specific HT server to 1000.

Set-TransportServer -Identity <serverName> -PickupDirectoryMaxRecipientsPerMessage 1000

Ex. To Set ALL Hub Transport Servers to Recipient limit of 1000.

Get-TransportServer | Set-TransportServer -PickupDirectoryMaxRecipientsPerMessage 1000











 








Setting User Recipient Limits









This section provides instructions for setting recipient limits at the User level.

Ex. Apply Recipient Limits to a Mailbox.

Set-Mailbox -Identity <mbxUserA> -RecipientLimits 400

Ex. Apply Recipient Limits to a Contact

Set-MailContact -Identity <mContactA> -MaxRecipientPerMessage 400

Ex. Apply Recipient Limits to a Mail-User

Set-MailUser -Identity <mUserA> -RecipientLimits 400
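The warning about limits stepping on each other at the various levels can be checked mechanically. The following is an added example, not part of the original post: it compares scoped limits against the organization limit and lists the ones that are looser. The helper names (ConvertTo-LimitNumber, Find-LooseRecipientLimit) and the sample values are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Runs in any PowerShell 2.0+ session;
# the sample data below is constructed, no Exchange cmdlets are called.

# Turn an Exchange limit (a number, or the value "unlimited") into a comparable integer.
function ConvertTo-LimitNumber {
    param($Value)
    if ("$Value" -eq 'unlimited') { return [int]::MaxValue }
    return [int]"$Value"
}

# Hypothetical helper: list every scoped limit that is looser than the organization limit.
function Find-LooseRecipientLimit {
    param(
        $OrganizationLimit,
        [object[]]$ScopedLimits    # objects with Scope, Name and Limit properties
    )
    $org = ConvertTo-LimitNumber $OrganizationLimit
    foreach ($item in $ScopedLimits) {
        if ((ConvertTo-LimitNumber $item.Limit) -gt $org) {
            New-Object PSObject -Property @{
                Scope             = $item.Scope
                Name              = $item.Name
                Limit             = "$($item.Limit)"
                OrganizationLimit = "$OrganizationLimit"
            }
        }
    }
}

# Constructed sample mirroring the scenario: organization limit 500, the shared
# Domino/Internet connector set to Unlimited as in the recommendation above,
# one mailbox held below the organization limit and one raised above it.
$sample = @(
    (New-Object PSObject -Property @{ Scope = 'ReceiveConnector'; Name = 'HT01\From Domino';  Limit = 'unlimited' }),
    (New-Object PSObject -Property @{ Scope = 'ReceiveConnector'; Name = 'HT01\Default HT01'; Limit = 200 }),
    (New-Object PSObject -Property @{ Scope = 'Mailbox';          Name = 'mbxUserA';          Limit = 400 }),
    (New-Object PSObject -Property @{ Scope = 'Mailbox';          Name = 'mbxUserB';          Limit = 1000 })
)

Find-LooseRecipientLimit -OrganizationLimit 500 -ScopedLimits $sample |
    Select-Object Scope, Name, Limit, OrganizationLimit |
    Format-Table -AutoSize

# In the Exchange Management Shell the same input can be built from live settings:
#   $orgLimit = (Get-TransportConfig).MaxRecipientEnvelopeLimit
#   $scoped   = @(Get-ReceiveConnector | Select-Object @{n='Scope';e={'ReceiveConnector'}},
#                   @{n='Name';e={$_.Identity}}, @{n='Limit';e={$_.MaxRecipientsPerMessage}})
#   $scoped  += @(Get-Mailbox -ResultSize Unlimited |
#                   Where-Object { -not $_.RecipientLimits.IsUnlimited } |
#                   Select-Object @{n='Scope';e={'Mailbox'}}, @{n='Name';e={$_.Alias}},
#                   @{n='Limit';e={$_.RecipientLimits}})
#   Find-LooseRecipientLimit -OrganizationLimit $orgLimit -ScopedLimits $scoped
```

Each row returned is a setting to review: either a deliberate exception (a user allowed to exceed the organization limit) or a path, such as the shared inbound connector, where the organization limit is not being enforced.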



Exchange 2007 – Message Tracking and Logging

Message Tracking and Logging

How to verify message tracking settings.

To check the current message tracking parameters set for an Exchange mail server run the following commands. By default message tracking is enabled on Exchange Mailbox, Hub Transport and Edge Transport servers.

1. Start the Exchange Management Shell

2. Type Get-MailboxServer "servername" | fl *tracking*

3. The resulting output will show current tracking settings.

How to change the default Log file path

By default Exchange stores message tracking log files in C:\Program files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking.

To change this location use the following procedures. “C:\exchange logs” should be replaced with the directory of your choosing.

1. Start the Exchange Management Shell

2. Type Set-TransportServer "servername" -MessageTrackingLogPath "C:\Exchange Logs"

Note: The log file path must be local to the server. If the new target directory does not exist, the command will create it.

Log files that were generated in the original directory are not automatically moved to the new directory.

How to change the default log directory size limits

By default the message tracking log directory will overwrite the oldest log files once the maximum directory size of 250MB has been reached. The following procedures will change the max directory size.

1. Start the Exchange Management Shell

2. Type Set-TransportServer servername -MessageTrackingLogMaxDirectorySize 1GB

Note: Sizes are specified in bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) and terabytes (TB).

How to set the Max log file age

By default Exchange will retain message tracking log files for a period of 30 days before overwriting them. The following procedures will change this retention time.

1. Start the Exchange Management shell

2. Type Set-TransportServer servername -MessageTrackingLogMaxAge DD.HH:MM:SS

How to Track messages

Exchange 2007 provides a message tracking tool available through the Exchange Troubleshooting Assistant in the Exchange Management Console as well as through the Exchange Management Shell.

 

Management Shell – Message Tracking

Use the following procedure to track a message in Exchange Management Shell

1. From Hub Transport server (DCA-APP-CSHU01) open the Exchange Management Shell

2. Enter the following command line with the correct parameters.

Get-MessageTrackingLog <SearchFilters>











Filter Table:











Search filter | Corresponding field in the message tracking log
End | date-time
EventId | event-id
InternalMessageId | internal-message-id
MessageId | message-id
MessageSubject | message-subject
Recipients | recipient-address
Reference | reference
ResultSize | None. This parameter limits the number of results that are displayed by the search.
Sender | sender-address
Start | date-time















 








Console - Message Tracking









Use the following procedures to track a message in Exchange Console.









1. Start the Exchange Management Console.









2. In the left hand pane select Toolbox.









3. In the middle pane select Message tracking.









4. With Message tracking highlighted select Open tool from the right hand pane. This will open the Exchange Troubleshooting assistant (Extra).









Within Extra, the following search criteria are provided to track messages.













  • i. Recipients.
  • ii. Sender.
  • iii. Server sent from.
  • iv. Event ID
  • v. Message ID
  • vi. Internal Message ID
  • vii. Subject.
  • viii. Reference.
  • ix. Start and End dates for the search.










5. Once the search criteria have been defined, click Next to begin the search.









6. The search results will display the following data fields.







a. Time stamp
b. Event ID
c. Source
d. Source Context
e. Message ID
f. Message Subject
g. Message Sender
h. Recipients
i. Internal Message
j. Client IP
k. Client Hostname
l. Server IP
m. Server Hostname
n. Connector ID
o. Recipient status
p. Total Byte size
q. Recipient count
r. Related recipients
s. Reference
t. Return path
u. Message Info























 








Message Tracking Example









This section will provide details for resolving a real world message routing issue.









Scenario: Sender Joe.Smith@company.com received an NDR when sending to recipient:











Info | Details
Sender | Joe.smith@company.com
Recipient | Another.User@company.com
Date Time Message Delivered | 10/07 12:01am – 2:00AM















NOTE: This is a Domino to Exchange mail routing scenario. All mail sent from Notes to Exchange targets the following Hub Transport Server (DCA-EM-CSHU01.amat.com)









Exchange Management Shell – Message Tracking








Below is the process for tracking the cause for the NDR for recipient Another.User@company.com









1. From Hub Transport server (HT01) open the Exchange Management Shell.









2. Enter the following command line based on information in table above.
















get-messagetrackinglog -Recipients:Another.User@company.com -Start "10/7/2008 12:01:00 AM" -End "10/7/2008 2:00:00 AM"











3. Data will be displayed for the messages that meet the filter criteria.









4. Key in on the EventId column. “Fail” is the key indicator. To view that particular message's details enter the following command.

get-messagetrackinglog -EventID "Fail" -Recipients:Another.User@company.com -Start "10/7/2008 12:01:00 AM" -End "10/7/2008 2:00:00 AM"

5. This will narrow down the search criteria to failed messages. Now view the message in Format-List view to display the message details.

get-messagetrackinglog -EventID "Fail" -Recipients:Another.User@company.com -Start "10/7/2008 12:01:00 AM" -End "10/7/2008 2:00:00 AM" | format-list











6. The message status states the RecipientStatus of 550 5.1.4 ambiguous address. This can be a result of duplicate email addresses or duplicate “legacyExchangeDN” addresses.

7. To verify, perform a number of searches for duplicates within the console to determine the problem.

a. To locate duplicate email addresses run the following command:

i. Get-Recipient -id Another.User@company.com

ii. This command only came up with one recipient using that “email Address”. So a duplicate email address is not the cause of the problem. The next step is to discover whether or not there are duplicate legacyExchangeDNs.

b. To locate duplicate legacyExchangeDNs.

i. Get-User -id "Another.User@company.com"

ii. This command comes up with two users. Now to compare legacyExchangeDNs. Run the format-list option for each user to get the “RecipientType” in order to display and inspect the “legacyExchangeDN” value.

Note: Another indicator of duplicate legacyExchangeDNs is duplicate “Alias” attributes (aka mailNickname).

iii. If the “RecipientType” value equals “MailUser”, then run the following command.

get-mailUser -id "Another.User@company.com" | fl

iv. Inspect the legacyExchangeDN for each user. In this case (although not shown) each user had the same LegacyExchangeDN value. This was due to the HR contractor to perm employee conversion process.

v. To resolve the mail routing issue for legacyExchangeDN duplicates, the incorrect account must be mail disabled (stripping of Exchange Attributes).
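The duplicate hunt in steps a and b can be done for every recipient at once rather than one address at a time. The following is an added example, not part of the original post: it groups recipient objects by LegacyExchangeDN and Alias and reports any value that more than one object shares. The function name Find-DuplicateRecipientAttribute and the sample recipients are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Runs in any PowerShell 2.0+ session;
# the recipient objects below are constructed sample data.

# Hypothetical helper: report attribute values that more than one recipient shares.
function Find-DuplicateRecipientAttribute {
    param(
        [object[]]$Recipients,
        [string[]]$Attributes = @('LegacyExchangeDN', 'Alias')
    )
    foreach ($attr in $Attributes) {
        $Recipients |
            Where-Object { $_.$attr } |            # skip objects with no value
            Group-Object -Property $attr |         # grouping is case-insensitive by default
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                $members = $_.Group | ForEach-Object { "$($_.Name) [$($_.RecipientType)]" }
                New-Object PSObject -Property @{
                    Attribute  = $attr
                    Value      = $_.Name
                    Count      = $_.Count
                    Recipients = $members -join '; '
                }
            }
    }
}

# Constructed sample: a contractor account (MailUser) and the converted employee
# mailbox share one legacyExchangeDN (differing only in case) and one alias.
$dn = '/o=Company/ou=First Administrative Group/cn=Recipients/cn=Another.User'
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Another User (contractor)'; RecipientType = 'MailUser'
        Alias = 'Another.User'; LegacyExchangeDN = $dn }),
    (New-Object PSObject -Property @{ Name = 'Another User'; RecipientType = 'UserMailbox'
        Alias = 'Another.User'; LegacyExchangeDN = $dn.ToUpper() }),
    (New-Object PSObject -Property @{ Name = 'Joe Smith'; RecipientType = 'UserMailbox'
        Alias = 'Joe.Smith'; LegacyExchangeDN = '/o=Company/ou=First Administrative Group/cn=Recipients/cn=Joe.Smith' })
)

Find-DuplicateRecipientAttribute -Recipients $sample |
    Select-Object Attribute, Count, Recipients, Value |
    Format-List

# In the Exchange Management Shell, feed it live objects instead of the sample:
#   $all = @(Get-Mailbox -ResultSize Unlimited) + @(Get-MailUser -ResultSize Unlimited)
#   Find-DuplicateRecipientAttribute -Recipients $all
```

Running this periodically catches duplicates left behind by account conversions before they surface as 5.1.4 NDRs.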

















Exchange Console – Message Tracking









Below is the process for tracking the cause for the NDR for recipient Another.User@company.com









Use the following procedures to track a message in Exchange Console.









1. Start the Exchange Management Console.









2. In the left hand pane select Toolbox.









3. In the middle pane select Message tracking.









a. Enter the following parameters:

i. Recipients.

ii. Start and End dates for the search.

4. Press “Next”.

5. The next screen will display the filtered list based on your parameters.









6. Notice the “EventID” which indicates a FAIL. The same information is available within this screen as it is within the command shell.









7. Note the Recipient Status column. This will provide the delivery issue.









8. This particular error indicates that there are duplicate email addresses or legacyExchangeDN duplicates. The easiest method to discover the root cause is through the command shell. Below is the command shell process used to resolve this particular recipient delivery issue.









9. To verify, perform a number of searches for duplicates within the console to determine the problem.









a. To locate duplicate email addresses run the following command:

i. Get-Recipient -id Another.User@company.com

ii. This command only came up with one recipient using that “email Address”. So a duplicate email address is not the cause of the problem. The next step is to discover whether or not there are duplicate legacyExchangeDNs.

b. To locate duplicate legacyExchangeDNs.

i. Get-User -id "Another.User@company.com"

ii. This command comes up with two users. Now to compare legacyExchangeDNs. Run the format-list option for each user to get the “RecipientType” in order to display and inspect the “legacyExchangeDN” value.

Note: Another indicator of duplicate legacyExchangeDNs is duplicate “Alias” attributes (aka mailNickname).

iii. If the “RecipientType” value equals “MailUser”, then run the following command.

get-mailUser -id "Another.User@company.com" | fl

iv. Inspect the legacyExchangeDN for each user. In this case (although not shown) each user had the same LegacyExchangeDN value. This was due to the HR contractor to perm employee conversion process.

v. To resolve the mail routing issue for legacyExchangeDN duplicates, the incorrect account must be mail disabled (stripping of Exchange Attributes). Once stripped, only one account will contain that legacyExchangeDN, which fixes the mail delivery issue.

Exchange 2007 – Mail Disabling Objects

 Mail Disabling Objects

This section will detail procedures for mail disabling mail objects. The mail disabling process essentially strips the mail object of its Exchange mail attributes. All mail-specific attributes will be removed from the Active Directory object. The “Windows Email Address” (aka “mail”) attribute is the only attribute that will remain intact; even though this attribute exists, the object is not considered a mail object.

Mail Disabling Mail Users

How To Mail Disable a Mail User (Mail-Enabled user).

Command Shell
Note: The –identity can be any of the following attribute values for the mail user you are going to disable.

Identity Values

  • ADObjectID
  • GUID
  • distinguished name
  • Domain\SamAccountName
  • user principal name (UPN)
  • LegacyExchangeDN
  • E-mail Address
  • User alias

1. Open Exchange Management Shell
2. Have the Identity value on hand.
3. Enter the following command line to pull the correct user object.

Get-MailUser -Identity "<idValue>"



4. Verify that you have the correct Mail User based on the properties displayed.








5. If the correct user has been chosen enter the following command to disable the mail user.

Tip: You can “Up” arrow to pull the command just entered above.

Get-MailUser -Identity "<idValue>" | Disable-MailUser



6. Confirm action to perform. Press Enter.








Management Console (GUI)




1. Locate object within Exchange management console








2. Right Click and select Disable.








3. Follow the wizard and confirm successful disabling.









Mail Disabling Mailboxes









How To Mailbox Disable a Mailbox (Mailbox-Enabled user).









Command Shell




Note: The –identity can be any of the following attribute values for the mailbox you are going to disable.




















Identity Values

  • GUID
  • Distinguished name
  • Domain\Account
  • User principal name
  • LegacyExchangeDN
  • SmtpAddress
  • Alias












1. Open Exchange Management Shell




2. Have the Identity value on hand.








3. Enter the following command line to pull the correct mailbox object.

Get-Mailbox -Identity "<idValue>"



4. Verify that you have the correct Mailbox based on the properties displayed.








5. If the correct user has been chosen enter the following command to disable the mailbox.

Tip: You can “Up” arrow to pull the command just entered above.

Get-Mailbox -Identity "<idValue>" | Disable-Mailbox



6. Confirm action to perform. Press Enter.








 Management Console (GUI)








1. Locate object within Exchange management console




2. Right Click and select Disable.








3. Follow the wizard and confirm successful disabling.









Mail Disabling Distribution Groups









How to Mail Disable a Distribution Group.









Command Shell




Note: The –identity can be any of the following attribute values for the distribution group you are going to disable.













Identity Values

  • GUID
  • DN
  • LegacyExchangeDN
  • Domain\Account Name
  • Alias












1. Open Exchange Management Shell




2. Have the Identity value on hand.








3. Enter the following command line to pull the correct distribution group object.

Get-DistributionGroup -Identity "<idValue>"



4. Verify that you have the correct Distribution Group based on the properties displayed.








5. If the correct distribution group has been chosen enter the following command to disable the distribution group.

Tip: You can “Up” arrow to pull the command just entered above.

Get-DistributionGroup -Identity "<idValue>" | Disable-DistributionGroup



6. Confirm action to perform. Press Enter.








Management Console (GUI)




1. Locate object within Exchange management console








2. Right Click and select Disable.








3. Follow the wizard and confirm successful disabling.









Mail Disabling Contacts









How to Mail Disable a Mail Contact object.









Command Shell




Note: The –identity can be any of the following attribute values for the mail contact you are going to disable.













Identity Values

  • ADObject
  • Distinguished name
  • GUID
  • Alias












1. Open Exchange Management Shell

2. Have the Identity value on hand.

3. Enter the following command line to pull the correct mail contact object.

Get-MailContact -Identity "<idValue>"











4. Verify that you have the correct Mail Contact based on the properties displayed.

5. If the correct mail contact has been chosen enter the following command to disable the Mail Contact.

Tip: You can “Up” arrow to pull the command just entered above.

Get-MailContact -Identity "<idValue>" | Disable-MailContact











6. Confirm action to perform. Press Enter.









Management Console (GUI)













  1. Locate object within Exchange management console






  2. Right Click and select Disable.







  3. Follow the wizard and confirm successful disabling.
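The look-up, verify, disable steps above can be wrapped so that nothing is disabled unless the identity resolves to exactly one object; the message tracking example earlier showed a single identity returning two users, and piping such a result straight into a Disable cmdlet would act on both. This is an added example, not part of the original post. It must be run in the Exchange Management Shell, and the function name Disable-MailUserChecked and its -Commit switch are hypothetical.

```powershell
# Added example (not from the original post). Requires the Exchange Management
# Shell, because it calls Get-MailUser and Disable-MailUser.
function Disable-MailUserChecked {          # hypothetical helper name
    param(
        [string]$Identity = $(throw 'Identity is required'),
        [switch]$Commit                     # without -Commit only a -WhatIf preview runs
    )

    # Resolve first: an alias or address can match more than one object.
    $found = @(Get-MailUser -Identity $Identity -ErrorAction SilentlyContinue)

    if ($found.Count -ne 1) {
        Write-Warning "Expected exactly 1 mail user for '$Identity', found $($found.Count). Nothing disabled."
        $found | Format-List Name, Alias, RecipientType, LegacyExchangeDN, DistinguishedName
        return
    }

    # Show the properties an operator should check before confirming (step 4).
    $target = $found[0]
    $target | Format-List Name, Alias, RecipientType, PrimarySmtpAddress, LegacyExchangeDN, DistinguishedName

    # Address the object by distinguished name so the disable cannot hit a second match.
    if ($Commit) {
        Disable-MailUser -Identity $target.DistinguishedName -Confirm:$true
    } else {
        Disable-MailUser -Identity $target.DistinguishedName -WhatIf
    }
}

# Preview only:
#   Disable-MailUserChecked -Identity "<idValue>"
# Disable after reviewing the preview (still prompts for confirmation):
#   Disable-MailUserChecked -Identity "<idValue>" -Commit
```

The same pattern applies to mailboxes, distribution groups and mail contacts by swapping in the corresponding Get- and Disable- cmdlets shown above.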