Category Archives: Exchange Server 2007

Deleted Items Folder is not visible in OWA or Outlook

One of our teams experienced a weird problem yesterday. One of the users was experiencing issues with his mailbox size. Mailbox statistics on the mailbox server (Exchange 2007) showed his total mailbox item size as 1.3GB, but the items visible in Outlook did not add up to anything close to that. I am sure a lot of us have experienced similar issues already.

While taking a closer look, the team found that the problem was with the Deleted Items folder of that particular mailbox. The folder was visible in neither Outlook nor OWA, yet it contained most of the items, approximately 1 gig of data :-O. Yes, and that is why the mailbox size was exceeding the quota limits.

We tried Outlook.exe /ResetFolders but that did not help either. The next step was to find out what was wrong with the Deleted Items folder, given that it is visible via PowerShell with Get-MailboxStatistics but not in Outlook or OWA. If nothing is visible through conventional clients, the only way to manage or fix things is to use MFCMAPI. Download the latest version of MFCMAPI from http://mfcmapi.codeplex.com

Warning: MFCMAPI can cause severe damage to the mailbox if it is used incorrectly. Use this tool at your own risk.

1. Open MFCMAPI and log on to the problem mailbox.

2. Navigate to the Deleted Items folder and highlight it in the left-hand pane of the utility.


3. Sort the property names in ascending order in the right-hand pane of MFCMAPI and locate the property named PR_ATTR_HIDDEN.

This is a Boolean property which accepts the values True or False. Objects with this property set to True become invisible to clients, and that is exactly what happened in our case too. For some reason the value of this property was set to True. Due to time constraints we could not find out why it got changed.

4. The next step is to change the value to False so that the folder / object becomes visible in the client. To change the value, simply double-click the property PR_ATTR_HIDDEN and a pop-up box comes up.


Check the checkbox Boolean and hit the OK button. Checking or un-checking the checkbox in the above dialog box toggles the value between True and False.

Well, that is it! You should get your lost folder visible again in the mailbox using Outlook / OWA.

How to generate a report of full mailbox access

 

If you have gone through an ExRAP lately and have encountered this as an observation during the operational interview, you are definitely going to need this very small piece of PowerShell.

# Date stamp for the report file name
$CreateStamp = Get-Date -UFormat %d_%m_%Y
# Explicit (non-inherited) permissions on every mailbox, excluding each mailbox's own SELF entry
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where {$_.User.ToString() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[String]::Join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation -Path "C:\temp\Full_Mailbox_Access_Report_$CreateStamp.csv"

 


Find All Distribution Groups and their Members in Exchange Org

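# Write one group identity per line (Format-List output would add "Identity :" labels and blank lines)
Get-DistributionGroup -ResultSize Unlimited | ForEach-Object { $_.Identity.ToString() } | Out-File "D:\Temp\All_DGs.txt"

$AllDGs = Get-Content "D:\Temp\All_DGs.txt"
ForEach ($DG in $AllDGs)
{
    # Group identity as a heading, then its members as a formatted table (plain text, despite the .csv extension)
    Echo $DG >> "D:\Temp\All_DG.csv"
    Get-DistributionGroupMember -Identity $DG -ResultSize Unlimited | FT Name, PrimarySMTPAddress, RecipientType >> "D:\Temp\All_DG.csv"
}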

 

I know this simple script can be even better but it was written in extreme hurry so it does have some extra lines. If you feel that it could be really better then please feel free to comment with your own idea. :-)

Disabling Outlook Anywhere Per User

RPC/HTTPS was the first name for Outlook Anywhere access when it was introduced with Exchange Server 2003. Exchange 2003 did not provide very granular control over it, though. Along with the increase in productivity it brought a concern: a user's mailbox could be configured on any Outlook client, even if the user was not supposed to do it. The result was that people could make unauthorized copies of their mailboxes on their home PCs and laptops.

Exchange 2007 SP1 and later has a great feature for disabling Outlook Anywhere access on a per-user basis. It is a very simple process of running a few commands in PowerShell and the administrator is done with the configuration. Let's take a look:

To disable Outlook Anywhere for a single user:

Get-Mailbox -Identity <username> | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True

To disable it for all users:

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$True

To disable it for selected users only:

  • Identify the users who need to be blocked from Outlook Anywhere.
  • Make a list of all such users' accounts.
  • Put it in a simple text file as below:

User1

User2

User3

  • Now save this text file to any location you want with the name Mailboxes.txt. In my case it is D:\Mailboxes.txt
  • Simply run the script below.

# One account name per line
$Mailboxes = Get-Content D:\Mailboxes.txt
Foreach ($Mailbox in $Mailboxes)
{
    Set-CASMailbox -Identity $Mailbox -MAPIBlockOutlookRpcHttp:$true -Verbose
}

The harder way:

Each mailbox in Active Directory has an attribute named ProtocolSettings on it. When Outlook Anywhere is enabled for a specific user mailbox, the value of ProtocolSettings is set to MAPI§§§§§0§§§, HTTP§1§1§§§§§§, OWA§1 and when you disable Outlook Anywhere the value of this attribute changes to MAPI§§§§§1§§§, HTTP§1§1§§§§§§, OWA§1

I would not touch these attributes in AD unless there is a good reason to do so, but thought it could help some people with troubleshooting. Hope this post helps :-)
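For read-only troubleshooting, the two ProtocolSettings values above can be decoded offline. The following is an added example, not part of the original post; the function name and sample data are constructed, and it assumes the sixth §-separated field of the MAPI entry is the flag that differs between the two values shown (0 allowed, 1 blocked). It needs PowerShell 2.0 or later.

```powershell
# Added example, not from the original post.
# Assumption: field 6 (index 5) of the '§'-separated MAPI entry is the flag that
# differs between the two values shown above: 0 = allowed, 1 = blocked.
$Sep = [string][char]0x00A7   # '§' built from its code point to avoid file-encoding problems

function Get-OutlookAnywhereState {
    param(
        [string]$User,
        [string[]]$ProtocolSettings   # one string per value of the multi-valued attribute
    )
    $Mapi = $ProtocolSettings | Where-Object { $_ -like "MAPI$Sep*" } | Select-Object -First 1
    $State = 'Unparsed'
    if (-not $Mapi) {
        $State = 'NoMapiEntry'        # nothing stamped on the object, so make no claim
    }
    else {
        $Fields = $Mapi.Split($Sep)   # Split keeps the empty fields, so positions are stable
        if ($Fields.Count -ge 6) {
            switch ($Fields[5]) {
                '0' { $State = 'Allowed' }
                '1' { $State = 'Blocked' }
            }
        }
    }
    New-Object PSObject -Property @{ User = $User; OutlookAnywhere = $State; MapiEntry = $Mapi }
}

# Constructed sample values ('|' stands in for '§' to keep the literals readable).
$Samples = @(
    @{ User = 'User1'; Values = @('MAPI|||||0|||', 'HTTP|1|1||||||', 'OWA|1') },
    @{ User = 'User2'; Values = @('MAPI|||||1|||', 'HTTP|1|1||||||', 'OWA|1') },
    @{ User = 'User3'; Values = @('HTTP|1|1||||||', 'OWA|1') },
    @{ User = 'User4'; Values = @('MAPI|||') }
)

$Samples | ForEach-Object {
    $Values = $_.Values | ForEach-Object { $_.Replace('|', $Sep) }
    Get-OutlookAnywhereState -User $_.User -ProtocolSettings $Values
} | Format-Table User, OutlookAnywhere, MapiEntry -AutoSize
```

A mailbox that reports NoMapiEntry or Unparsed should be checked with Get-CASMailbox rather than assumed to be blocked.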

Exchange 2007 on Windows 2008 R2 will be supported soon

Support for Microsoft Exchange 2007 on Windows 2008 R2 is under consideration; perhaps Microsoft has already made the decision to support this combination. Though there is no further information available on this yet, you can read the official story here: Supporting Exchange 2007 on Windows Server 2008 R2

Changing OWA Timeout on Exchange 2007 and 2010 Computers

Exchange Server 2007 OWA will automatically time out for security purposes. This feature has been designed to restrict unauthorized access to a mailbox when the user is using a public or shared computer. You can select this option before you log on to your mailbox:

Though this feature is good for security reasons, it may be annoying for users who use OWA regularly and do not want to enter the password several times after the timeout. This can be settled with a simple registry tweak on the CAS box that runs your Internet-facing OWA site, using the following registry modification.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

Name: PublicTimeout

Type: DWORD

Value: {value in minutes} (This value is 15 minutes by default)


The above suggestion applies only when the user selects the Public Computer option on the OWA logon screen. For users who select Private Computer on the logon screen you might want to modify:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

Name: PrivateTimeout

Type: DWORD

Value: {value in minutes} (This value is 8 hours by default)

If you don't see the DWORD values named PublicTimeout and PrivateTimeout, then you have to create them manually.
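The registry change above as a script, with a report of the current state before anything is changed. This is an added example, not part of the original post: the function names and the 1440-minute upper bound are this example's choices, while the key path, value names and defaults are the ones given above. A longer PublicTimeout keeps sessions on shared computers open for longer, so the report makes any non-default value easy to spot.

```powershell
# Added example, not from the original post. Run on the CAS in an elevated PowerShell 2.0+ session.
# Key path and value names are the ones given above; the defaults are the ones this post states.
$OwaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$Defaults = @{ PublicTimeout = 15; PrivateTimeout = 480 }   # minutes (8 hours = 480)

function Get-OwaTimeout {
    # Report both timeouts and whether each comes from the registry or the default.
    foreach ($Name in 'PublicTimeout', 'PrivateTimeout') {
        $Item = Get-ItemProperty -Path $OwaKey -Name $Name -ErrorAction SilentlyContinue
        if ($Item) { $Minutes = $Item.$Name; $Source = 'Registry' }
        else       { $Minutes = $Defaults[$Name]; $Source = 'Default (value not present)' }
        New-Object PSObject -Property @{ Name = $Name; Minutes = $Minutes; Source = $Source }
    }
}

function Set-OwaTimeout {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('PublicTimeout', 'PrivateTimeout')][string]$Name,
        # Upper bound of one day is this example's choice, not an Exchange limit.
        [Parameter(Mandatory = $true)][ValidateRange(1, 1440)][int]$Minutes
    )
    if (-not (Test-Path $OwaKey)) { throw "Key not found: $OwaKey (is this a Client Access server?)" }
    # New-ItemProperty -Force creates the DWORD if it is missing and overwrites it if present.
    New-ItemProperty -Path $OwaKey -Name $Name -PropertyType DWord -Value $Minutes -Force | Out-Null
}

Get-OwaTimeout | Format-Table Name, Minutes, Source -AutoSize
# Example change, left commented out so that running the script only reports:
# Set-OwaTimeout -Name PublicTimeout -Minutes 30
```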

How to Manually Rebuild the Full-Text Index Catalog

Content Indexing, also known as CI, is a great feature to speed up item searching through mailboxes. I had to rebuild a CI database for a mailbox yesterday because there were some errors showing up in the application log (I don't really remember the errors now) which indicated that CI was unable to update a few items from the database. After a good 2 hours of troubleshooting we figured out that the problem was not with the database but with a faulty CI catalog associated with that database. Here is the process to manually delete the CI catalog and rebuild it, and of course this is how we did it. It's not very difficult, though you need to take care that you are deleting the correct CI database.

First of all, locate the database locations on the physical drive.


Your indexing catalogs are located within this folder.


Now if you have multiple databases homed within a single folder, you may find more than one catalog created.


In such a case I use the built-in script GetSearchIndexForDatabase.ps1 to find out which catalog belongs to which database. The script uses the path of the index catalogs to help you determine the name of the associated database. See figure below.


Once you have determined the associated database, you can simply stop the Microsoft Exchange Search service, remove the appropriate catalog based on the output of the script, and then start the Microsoft Exchange Search service again.

After deleting the catalog files the service may take some time to enter the started status.

Well, I updated this post because someone pointed out irrelevant information here. I would like to thank Jack who spent his time and corrected me on this. Thanks much, Jack :-)

Using Secondary Email Address to Send Emails in Exchange 2007

This is just a workaround and not a standard method. Broken rules on the transport server may break the complete function.

Due to design limitations, Outlook and Exchange together won't allow sending emails using the secondary email address on a user account. There are some third-party utilities like IvaSoft which allow using a secondary email address as a primary or for sending emails. Here I am explaining how to use Exchange Server 2007 features to achieve this.

In this scenario, user Administrator has his primary email address as administrator@cassicrm.com and secondary email address as jsmith@contoso.com. For business reasons Administrator needs to be able to send emails using both email addresses, however this won't be possible due to restrictions in the Exchange design. Here are the steps to work around this problem:

1. Remove the email address jsmith@contoso.com from user account Administrator.

2. Create a new user in AD using ADUC and mail-enable the user account using EMS or EMC. Make sure the secondary email address removed from the Administrator account is used as the primary email address on the new user.

3. Use ADUC again to assign Send As permissions on the newly created user account to the Administrator user account. Here, you need to consider that you will be using this user account to send emails, so you may not want its display name to differ from that of the user who has Send As permissions on it. Instead of creating a new user account named Joe Smith, the display name should be Administrator or the name of the user you are assigning Send As permissions to.


4. Configure a transport rule on HT to have emails redirected to administrator@cassicrm.com once an email is received for email address jsmith@contoso.com


5. Use Outlook to send as the new email address. For this step, when you create the user account you need to make sure that the new user's display name is the same as the Administrator's display name in the GAL.

6. Check if the recipient received an email sent using the alternate email address.

This workaround will work for Exchange 2003 as well, but with the limitation that the recipient of an email sent using the secondary email address won't be able to reply, as there is no mechanism in Exchange 2003 that can understand where to put the received email.

 

 

 


Exchange Server 2007 SP2 on its way

The Microsoft Exchange Team announced that Service Pack 2 for Exchange Server 2007 is expected to launch in the third quarter of 2009. A few things you can expect from SP2:

  • Exchange Server 2007 Auditing features:

For those who have already started working on / testing Exchange 2010 Beta it may not be a new concept. Yes, they are offering the auditing features on Exchange 2007 as well. This is a great feature when you operate a giant environment and you need to keep track of what your administrators and helpdesk folks are doing with mailboxes and server configurations. Exchange 2010 has it built in already and it works well. It will be a nice feature from the compliance and security perspectives. This feature will offer a performance-based model and will make sure that the logs generated by auditing go into a separate repository.

  • Added Backup facility:

One of the most critical aspects of day-to-day administration is having your Exchange databases backed up regularly. NTBACKUP on legacy versions of Windows could back up Exchange databases, but the Windows Server 2008 backup tool was not able to understand Exchange stores correctly. SP2 will add extended functionality in the form of a plug-in for Windows Server 2008 users, allowing them to back up their databases with native Windows tools. This will be a great added advantage for smaller companies who cannot invest more money in backup solutions.

 

  • Dynamic Active Directory Schema Update and Validation:

The dynamic AD schema update and validation feature allows future schema updates to be deployed dynamically and proactively prevents conflicts whenever a new property is added to the AD schema. Once this capability is deployed it will enable easier management of future schema updates and will prevent support issues when adding properties that don't exist in the AD schema.

 

  • Public Folder Quota Management:

SP2 enables a consistent way to manage quotas by improving the current PowerShell cmdlets to perform quota management tasks.

 

  • Centralized Organizational Settings:

Exchange Server 2007 SP2 will add a new PowerShell option that enables centralized management of many of the Exchange organization settings.

 

  • Named Properties cmdlets:

Named properties are sometimes a headache for Exchange administrators. Applications may also lose connectivity to stores. SP2 will allow administrators to monitor the named properties quota per database.

 

  • New User Interface for Managing Diagnostic Logging:

One of the options that Exchange 2007 did not have in its GUI-based console was diagnostic logging, though diagnostic logging tasks can still be done using EMS. Exchange 2007 SP2 enables Exchange administrators to easily configure and manage diagnostic logging from within the Exchange Management Console.

 

Exchange team talks more about this at http://msexchangeteam.com/archive/2009/05/11/451281.aspx

You can click on above link and get to Exchange team’s official blog to read more.

Using MFCMAPI to delete delegate rules from mailbox

Note: This post is purely intended to demonstrate the use of MFCMAPI to delete calendar delegate rules. There are several other steps you may want to go through before you actually go ahead and follow steps in this post.

Outlook, LDAP and MAPI offer a great feature of delegation of mailboxes to a particular user within the organization. It works almost the same way in all versions of the Exchange Server 200x family. I am not sure about Exchange 2010 yet because I never had a chance to look at it so closely.

Well, though the delegation feature is a great facility provided to end users, it sometimes becomes a pain for administrators. One of the most annoying situations I always come across is when someone reports that he/she sent an email to some distribution list and then got an NDR indicating that the email was not delivered to a user who has been deleted recently and does not work for the company anymore. The NDR looks like:

From: System Administrator
Sent: Tuesday, April 28, 2009 10:06 AM
To: Geek, Exchange
Subject: Test Meeting Request

Your message did not reach some or all of the intended recipients.

Subject: Test Meeting Request
Sent: 4/28/2009 10:06 AM

The following recipient(s) could not be reached:

Geek, Exchange on 4/28/2009 10:06 AM
    The e-mail address could not be found. Perhaps the recipient moved to a different e-mail    organization, or there was a mistake in the address. Check the address and try again.
     <FQDN of my server.com #5.1.7>

This type of NDR starts generating after you delete some user account from your organization and this user account was also a part of some DL and at the same time was delegated permissions on some other user’s mailbox in the same DL. Another case would be when you already know the delegated mailbox name however you are not able to fix the issue.

1. When you don’t know the name of the delegated mailbox yet you get the NDR:

Download the script at Glenn’s blog and run it in your Exchange Organization to find the user who had the deleted user account set as delegate or have a rule configured to forward emails. This script can be downloaded from http://gsexdev.blogspot.com/2006/08/reporting-on-meeting-delegate-forward.html (This script requires you having full mailbox access on all mailboxes in your organization)

The script shows all the delegate and forwarding rules in mailboxes. I strongly recommend reading the instructions at the above link before you run it.

Once you get the name of desired mailbox you can certainly remove the rule either by logging on to the mailbox or by using MFCMAPI or mdbview32.exe. An alternate location to download it would be here.

2. When you know the delegated user account name but can not remove the rule using outlook:

Now, here you can use MFCMAPI to remove all those calendaring delegates and forward rules from a particular mailbox. Steps are below:

A. Open MFCMAPI.exe and log on to the store with Administrator privileges or with a user account which has full access to other mailboxes. To log on, follow Session –> Logon and Display Store Table. This will show a screen like the one below:

B. Right click on the mailbox you are logged on as and select Open Store from the context menu.


C. The next screen comes up, which shows all visible and invisible folders in your mailbox.

D. Expand Root Container at the top of tree structure –> Expand Top of Information Store –>  right click on Inbox and select Display Rules Table


E. Another window opens up and shows you the rules configured in the mailbox. Please note that only server-side rules are displayed here.


F. This window may display several other rules as well. You have to find and select the rule which is provided by Schedule+ EMS Interface.

G. Right click on the rule and select to delete.

H. Any other rule can also be deleted using the similar method.