Microsoft Exchange Server 2010 Service Pack 1 has been released

Microsoft has released Exchange SP1.

So What’s New in Exchange SP1:

New Deployment Functionality

During an Exchange 2010 SP1 installation, you can now select a new option to install the required Windows roles and features for each selected Exchange 2010 SP1 server role. For more information, see New Deployment Functionality in Exchange 2010 SP1.

Exchange ActiveSync

In Exchange 2010 SP1, you can manage Exchange ActiveSync devices using the Exchange Control Panel (ECP). Administrators can perform the following tasks:

  • Manage the default access level for all mobile phones and devices.
  • Set up e-mail alerts when a mobile phone or device is quarantined.
  • Personalize the message that users receive when their mobile phone or device is either recognized or quarantined.
  • Provide a list of quarantined mobile phones or devices.
  • Create and manage Exchange ActiveSync device access rules.
  • Allow or block a specific mobile phone or device for a specific user.

For every user, the administrator can perform the following tasks from the user’s property pages:

  • List the mobile phones or devices for a specific user.
  • Initiate remote wipes on mobile phones or devices.
  • Remove old mobile phone or device partnerships.
  • Create a rule for all users of a specific mobile phone or device or mobile phone type.
  • Allow or block a specific mobile phone or device for the specific user.

SMS Sync

SMS Sync is a new feature in Exchange ActiveSync that works with Windows Mobile 6.1 with the Outlook Mobile Update and with Windows Mobile 6.5. SMS Sync is the ability to synchronize messages between a mobile phone or device and an Exchange 2010 Inbox. When synchronizing a Windows Mobile phone with an Exchange 2010 mailbox, users can choose to synchronize their text messages in addition to their Inbox, Calendar, Contacts, Tasks, and Notes. When synchronizing text messages, users will be able to send and receive text messages from their Inbox. This feature is dependent on the user’s mobile phones or devices supporting this feature.

Reset Virtual Directory

In Exchange 2010 SP1, you can use the new Reset Client Access Virtual Directory wizard to reset one or more Client Access server virtual directories. The new wizard makes it easier to reset a Client Access server virtual directory. One reason that you might want to reset a Client Access server virtual directory is to resolve an issue related to a damaged file on a virtual directory. In addition to resetting virtual directories, the wizard creates a log file that includes the settings for each virtual directory that you choose to reset. For more information, see Reset Client Access Virtual Directories.

Exchange Store and Mailbox Database Functionality

The following is a list of new store and mailbox database functionality in Exchange 2010 SP1:

  • With the New-MailboxRepairRequest cmdlet, you can detect and repair mailbox and database corruption issues.
  • Store limits were increased for administrative access.
  • The Database Log Growth Troubleshooter (Troubleshoot-DatabaseSpace.ps1) is a new script that allows you to control excessive log growth of mailbox databases.
  • Public Folders client permissions support was added to the Exchange Management Console (EMC).

Mailbox and Recipients Functionality

The following is a list of new mailbox and recipient functionality included in Exchange 2010 SP1:

  • Calendar Repair Assistant supports more scenarios than were available in Exchange 2010 RTM.
  • Mailbox Assistants are now all throttle-based (changed from time-based in Exchange 2010 RTM).
  • Internet calendar publishing allows users in your Exchange organization to share their Outlook calendars with a broad Internet audience.
  • Importing and exporting .pst files now uses the Mailbox Replication service and doesn’t require Outlook.
  • Hierarchical address book support allows you to create and configure your address lists and offline address books in a hierarchical view.
  • Distribution group naming policies allow you to configure string text that will be appended or prepended to a distribution group’s name when it’s created.
  • Soft-delete of mailboxes after move completion

High Availability and Site Resilience Functionality

The following is a list of new high availability and site resilience functionality included in Exchange 2010 SP1:

  • Continuous replication – block mode
  • Active mailbox database redistribution
  • Enhanced datacenter activation coordination mode support
  • New and enhanced management and monitoring scripts
  • Exchange Management Console user interface enhancements
  • Improvements in failover performance

Messaging Policy and Compliance Functionality

The following is a list of new messaging policy and compliance functionality included in Exchange 2010 SP1:

  • Provision personal archive on a different mailbox database
  • Import historical mailbox data to personal archive
  • Delegate access to personal archive
  • New retention policy user interface
  • Support for creating retention policy tags for Calendar and Tasks default folders
  • Opt-in personal tags
  • Multi-Mailbox Search preview
  • Annotations in Multi-Mailbox Search
  • Multi-Mailbox Search data de-duplication
  • WebReady Document Viewing of IRM-protected messages in Outlook Web App
  • IRM in Exchange ActiveSync for protocol-level IRM
  • IRM logging
  • Mailbox audit logging

Technet Exchange 2010 SP1 info
Release Notes for Exchange Server 2010 SP1
What’s New in Exchange 2010 SP1
Downloads:
Microsoft Exchange Server 2010 Service Pack 1
Microsoft Exchange Server 2010 SP1 Language Pack Bundle
Exchange Server 2010 SP1 UM Language Packs
Exchange Server 2010 SP1 Help

Your account in Microsoft Exchange Server does not have permissions to synchronize with your current settings 0x85010004 or Eventid 1053 Exchange ActiveSync doesn’t have sufficient permissions to create the user container under Active Directory user "Active Directory operation failed on domain controller.

Error: Your account in Microsoft Exchange Server does not have permissions to synchronize with your current settings.

Eventlog:

Exchange ActiveSync doesn’t have sufficient permissions to create the "CN=ward,OU=Users,DC=wardvissers,DC=local" container under Active Directory user "Active Directory operation failed on DC2008-03.ad.local. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn’t have any deny permissions that block such operations.

Because my account has Domain Admins rights, the security settings will be reset every hour by AdminSDHolder.

Each Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain. The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups (what I like to call “protected” groups). Every hour, a background process called SDPROP runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the ACLs aren’t the same, the ACL on the security principal is overwritten with the ACL from the AdminSDHolder object. In addition, inheritance is disabled on the security principal.
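A way to list the mailbox-enabled accounts that SDPROP protects and to see whether inheritance and the Exchange Servers permissions from the event text are currently in place. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, and the function name is hypothetical.

```powershell
# Added example, not from the original post.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Get-AdminSDHolderMailUser {   # hypothetical name
    param(
        # Where to search; defaults to the root of the current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # adminCount=1 is stamped on principals that SDPROP has processed.
    # msExchMailboxGuid=* limits the result to mailbox-enabled accounts.
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(msExchMailboxGuid=*))'

    # Rights the event text asks for: List, Create child, Delete child.
    $needed = [int][System.DirectoryServices.ActiveDirectoryRights]'ListChildren, CreateChild, DeleteChild'

    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase -Properties nTSecurityDescriptor |
        ForEach-Object {
            $sd      = $_.nTSecurityDescriptor
            $granted = 0
            $denied  = $false

            # Explicit and inherited ACEs, identities resolved to DOMAIN\name.
            foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
                if ($ace.IdentityReference.Value -notlike '*\Exchange Servers') { continue }
                $rights = [int]$ace.ActiveDirectoryRights
                if ($ace.AccessControlType -eq 'Allow') {
                    $granted = $granted -bor $rights
                } elseif ($rights -band $needed) {
                    $denied = $true
                }
            }

            # Simplification: the ACE's ObjectType GUID is not compared, so this
            # only shows that some Exchange Servers ACE carries the three rights.
            New-Object PSObject -Property @{
                SamAccountName           = $_.SamAccountName
                InheritanceDisabled      = $sd.AreAccessRulesProtected
                ExchangeServersHasRights = ((($granted -band $needed) -eq $needed) -and -not $denied)
            }
        } |
        Select-Object SamAccountName, InheritanceDisabled, ExchangeServersHasRights
}

Get-AdminSDHolderMailUser | Format-Table -AutoSize
```

Accounts that show InheritanceDisabled as True and ExchangeServersHasRights as False are the ones that hit the ActiveSync error described here. Running it again an hour after re-enabling inheritance shows whether SDPROP has put the ACL back.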

Temporary Solution:

1. Open Active Directory Users and Computers.
2. Enable Advanced Features.
3. Search for the user and go to the Security tab.
4. Click Advanced.
5. Select "Include Inheritable permissions from the Object’s parent".

Source: Blog

Remote Desktop Services Component Architecture Poster

This poster provides a visual reference for understanding key Remote Desktop Services technologies in Windows Server 2008 R2. It explains the functions and roles of Remote Desktop Session Host, Remote Desktop Virtualization Host, Remote Desktop Connection Broker, Remote Desktop Web Access, Remote Desktop Gateway, RemoteFX and Remote Desktop Licensing.

To Download: Click on the picture.


Exchange 2010 Configuring Mail Tips

MailTips is one of the new features of Exchange Server 2010. When a user sends a message, MailTips gives some status information about the recipient, which helps to reduce unnecessary and undeliverable e-mails, as well as some embarrassing mistakes by senders. MailTips is hosted as an Exchange Web Service on the Client Access Server.

MailTips work in the scenarios given below.

  1. If one of the recipients is out of office.
  2. When the recipient’s mailbox is full.
  3. When the message size exceeds the sender’s send limit.
  4. If the message exceeds the quota of the recipient.
  5. When sending e-mail to a large number of recipients.
  6. When trying to send e-mail to restricted recipients.
  7. When booking a room with too many invitees.
  8. When sending to external and invalid domains.
  9. When trying to send to moderated recipients.
  10. When attaching more attachments than allowed.

Configuring MailTips

Get the organization-wide MailTips configuration settings.

Get-OrganizationConfig | fl *mailtips*

Enable or Disable MailTips.

You must use the “Set-OrganizationConfig” cmdlet to enable or disable MailTips. MailTips are enabled by default.

Set-OrganizationConfig -MailTipsAllTipsEnabled $true

Configure the large audience size for MailTips.

You must use the “Set-OrganizationConfig” cmdlet to configure the large audience size. With a fresh Exchange Server 2010 installation it is 25 by default. If we decrease it to 15, the MailTip is displayed to the sender when the sender adds more than 15 recipients. See figure 3.

Set-OrganizationConfig -MailTipsLargeAudienceThreshold 15

The Large Audience Threshold MailTip is displayed after adding more than 15 recipients. See figure 4.

Enable or disable the External Recipients MailTips

We have had some embarrassing experiences of sending internal information to external parties. However, the company doesn’t want to restrict sending e-mails to outside domains. With MailTips we can at least give an alert to the sender before they click the Send button. See figure 5.

Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $True

The External Recipients MailTip is displayed when trying to send to an external domain. See figure 6.

Enable or disable MailTips that rely on mailbox data

Mailbox-based MailTips rely on the mailbox data. There are two mailbox-based MailTips: the Recipient Out of Office and Mailbox Full MailTips.

Set-OrganizationConfig -MailTipsMailboxSourcedTipsEnabled $true

The Recipient Out of Office. You can find out whether the recipient is out of the office before you send the e-mail. See figure 8.

Mailbox Full. If the recipient’s mailbox is full, you can know that before sending the e-mail. See figure 9.

Configure Group Metrics

MailTips relies on Group Metrics data to provide information on the size of distribution groups and dynamic distribution groups. Exchange Server would normally send a lot of LDAP requests to Active Directory to get group membership information for each message. This could affect the performance experienced by the users. To eliminate these issues, Exchange Server uses the Group Metrics data. Group Metrics data generation can be scheduled to run during office hours. You should use the Set-MailboxServer cmdlet to configure Group Metrics data. See figure 10.

Set-MailboxServer DAGEK10-01 -GroupMetricsGenerationEnabled $true

Used this article as Source for my article.

Exchange 2007/2010 Performance settings on vSphere.

When you install an Exchange 2007 or Exchange 2010 server on vSphere, there are some settings that will increase the performance.

– Use the VMXNET 3 adapter
– Use one SCSI controller per disk
– Store the log and database files on a physical LUN on a SAN
– Use the LSI Logic SAS controller for Windows 2008 & 2008 R2
– Use the VMware Paravirtual SCSI (PVSCSI) controller for every physical Raw Device Mapping (RDM)

Another tip: Exchange 2007 & Exchange 2010 need a lot of memory. When choosing the size for the OS partition, remember that the swap file also needs a lot of space.

MDT 2010 Multiple Partitions Issues & hidden Bitlocker partition

I had a new laptop where I wanted to deploy Windows 7 x64 Enterprise and ran into a bug in MDT 2010. Default config.

I configured 2 partitions to use the whole disk. See screenshot.
When I deploy the task I get the following error:

It wants to format partition D, but partition D is not available.
I ended the task, opened the PE window, started Diskpart and listed the volumes.

The strange thing was that the extended partition had the drive letter S and it was a raw partition.

After studying ZTIDiskpart.log (X:\MININT\SMSOSD\OSDLOGS\ZTIDiskpart_diskpart.log)

I found out that there was no space left to create a 300mb partition for saving Bitlocker information.

So what did ZTIDiskpart.wsf do? ZTIDiskpart.wsf gave the last partition that was created the drive letter S. This is the default letter for the Bitlocker partition. So it wanted to format the file system with FAT32. Because in my case the partition size was 200GB, it cannot format the disk.

Solution:

Set the extended partition to use 95%. Then MDT has enough space to create a 300mb hidden partition for Bitlocker.

Exchange 2010 MapiExceptionLogonFailed: Unable to make connection to the server

The error that I got when I did a local move request to move a user to another mailbox database.
The new user could not send email and could not log in to Outlook Web Access.

Error:
Failed to communicate with the mailbox database.

MapiExceptionLogonFailed: Unable to make connection to the server. (hr=0x80040111, ec=1010)

Exchange Management Shell command attempted:
'wardvissers.local/wardvissers/wardtest2' | New-MoveRequest -TargetDatabase 'MailStore II'

Elapsed Time: 00:00:01

Solution:

I backed up the AD with Windows Backup to be sure.

Then I suspended and dismounted every mailbox database.

I opened ADSIEDIT.MSC to check the value of HomeMDB and homeMTA:

Go to:
CN=Configuration->CN=Services->CN=Microsoft Exchange->CN=wardvissers->CN=Administrative Groups->CN=Exchange Administrative Group (FYDIBOHF23SPDLT)->CN=Servers->CN=DAGEK10-01->CN=Microsoft System Attendant

The value on my mailbox server looked a bit strange:
HomeMDB: CN=InformationStore,CN=DAGEK10-02,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=wardvissers,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=wardvissers,DC=local

HomeMTA: CN=Microsoft MTA,CN=DAGEK10-01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=wardvissers,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=wardvissers,DC=local

Clear the value of HomeMDB and HomeMTA, like the picture below.

Important:
Clear the value on every mailbox server if you have a DAG cluster.

Restarted the Microsoft Exchange System Attendant service on every mailbox server.

Mounted and resumed the mailbox databases. Now the users could log in to OWA again.

Exchange 2010 Autodiscovery Issues

Two weeks ago I built my first production Exchange 2010 cluster. The Exchange 2010 web services are causing a lot of issues for people, but not for me any more.

Well, let us first list the directories that are used in the Exchange web service:

EWS is used for OOF, Scheduling assistance and free+busy Lookup.
OAB provides offline address book download services for client.
Autodiscover is used to provide users with autodiscover service.
EAS provides ActiveSync services to Windows Mobile based devices.
OWA provides outlook web access for users.
ECP provides Exchange control panel feature for Exchange 2010 users only.

Issues that might be resolved using the troubleshooting steps here:

You cannot set the OOF using outlook client, you receive the server not available error.
You cannot view free/busy information for other users.
You cannot use scheduling assistance, also you might receive not free/busy information data retrieved.
You receive errors when downloading the Offline Address Book.
You cannot use autodiscover externally.
Certificate mismatch error in autodiscover, users prompted to trust certificate in outlook 2007/2010.

First let us start by setting the right virtual directory configuration required for Exchange 2010 to work correctly:
Configure External and Internal URLs for OWS, ref: http://technet.microsoft.com/en-us/library/bb310763.aspx

You have to configure the internal URL to be the server name. If you have multiple CAS/HUB servers configured in an NLB, you can use the NLB cluster name for the internal URL.
The external URL will be the URL used by users to access webmail, e.g. https://webmail.wardvissers.nl/owa

Configure the autodiscover internal URL, ref: http://technet.microsoft.com/en-us/library/bb201695.aspx

You will use the PowerShell cmdlet: Set-ClientAccessServer -Identity <CAS Server Name> -AutoDiscoverServiceInternalUri <Internal URL>. This FQDN must match the URL included in the certificate. If you have an NLB cluster, you put the internal name here, like nlbek10.wardvissers.local.

If you cannot use autodiscover.wardvissers.nl internally (you have a domain name of domain.local and you must use it), you will get a certificate mismatch error; you will have to include the internal name in the SAN certificate if you purchase an external SAN certificate.

You cannot set an autodiscover external URL, since Outlook will try to access https://autodiscover.wardvissers.nl/autodiscover/autodiscover.xml. This behavior is by design and cannot be changed.

Best Practice: Use SAN Certificates

Depending on how you configure the service names in your Exchange deployment, your Exchange server may require a certificate that can represent multiple domain names. Although a wildcard certificate, such as one for *.wardvissers.nl, can resolve this problem, many customers are uncomfortable with the security implications of maintaining a certificate that can be used for any sub-domain. A more secure alternative is to list each of the required domains as SANs in the certificate. By default, this approach is used when certificate requests are generated by Exchange.

Best Practice: Use the Exchange Certificate Wizard to Request Certificates

There are many services in Exchange that use certificates. A common error when requesting certificates is to make the request without including the correct set of service names. The certificate request wizard in the Exchange Management Console will help you include the correct list of names in the certificate request. The wizard lets you specify which services the certificate has to work with and, based on the services selected, includes the names that you must have in the certificate so that it can be used with those services. Run the certificate wizard when you’ve deployed your initial set of Exchange 2010 servers and determined which host names to use for the different services for your deployment.

Names you must include when you use a third-party SAN certificate (ref: http://technet.microsoft.com/en-us/library/dd351044.aspx):
External:
webmail.wardvissers.nl
autodiscover.wardvissers.nl
legacy.wardvissers.nl (if you are migrating from 2003 to 2010)
Internal:
autodiscover.wardvissers.local
legacy.wardvissers.local
nlbek10.wardvissers.local (internal NLB CAS/HUB cluster)
casarray.wardvissers.local (I use this address for the CAS array. It has the same IP as nlbek10)
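To check a certificate's name list against the names above before binding it to the services, the comparison can be scripted. This is an added example, not part of the original post: the function names are hypothetical and the two certificate name lists are constructed sample data. It applies the usual rule that a wildcard replaces exactly one left-most label.

```powershell
# Added example. Function names are hypothetical; the certificate name lists
# further down are constructed sample data based on the host names in this post.

function Test-NameCoveredByCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][string[]]$CertificateNames
    )
    $name   = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    $labels = $name.Split('.')
    foreach ($entry in $CertificateNames) {
        $entry = $entry.Trim().ToLowerInvariant()
        if ($entry -eq $name) { return $true }
        # A wildcard replaces exactly one label, the left-most one:
        # *.wardvissers.nl covers webmail.wardvissers.nl, but not
        # a.b.wardvissers.nl and not wardvissers.nl itself.
        if ($entry.StartsWith('*.') -and $labels.Count -ge 2) {
            $parent = $labels[1..($labels.Count - 1)] -join '.'
            if ($parent -eq $entry.Substring(2)) { return $true }
        }
    }
    return $false
}

function Get-UncoveredName {
    param(
        [Parameter(Mandatory = $true)][string[]]$RequiredNames,
        [Parameter(Mandatory = $true)][string[]]$CertificateNames
    )
    # Return every required name that no certificate entry matches.
    $RequiredNames | Where-Object {
        -not (Test-NameCoveredByCertificate -HostName $_ -CertificateNames $CertificateNames)
    }
}

# Names listed in the post.
$required = @(
    'webmail.wardvissers.nl', 'autodiscover.wardvissers.nl', 'legacy.wardvissers.nl',
    'autodiscover.wardvissers.local', 'legacy.wardvissers.local',
    'nlbek10.wardvissers.local', 'casarray.wardvissers.local'
)

# Constructed sample 1: a wildcard certificate for the external domain only.
$wildcardOnly = @('*.wardvissers.nl')

# Constructed sample 2: a SAN request that forgot the CAS array name.
$sanMissingOne = $required | Where-Object { $_ -ne 'casarray.wardvissers.local' }

'Wildcard certificate does not cover:'
Get-UncoveredName -RequiredNames $required -CertificateNames $wildcardOnly

'SAN certificate does not cover:'
Get-UncoveredName -RequiredNames $required -CertificateNames $sanMissingOne

# On an Exchange 2010 server the real list can be read from the certificate:
#   (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains |
#       ForEach-Object { $_.ToString() }
```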

How to Install & Configure Immidio Flex Profiles Advanced Edition

Install Immidio Flex Profiles Advanced Edition with setup.exe. There is one thing you must know.

The Management console comes in two flavors, x86 and x64.

The Immidio Flex Profiles Advanced Edition.msi that you need later works fine on both x86 and x64 machines.

Start Immidio FlexProfile Kit
Best practice is to place the ini files on a domain controller, because if one domain controller fails you have no problems with your flex profile kit.
Import the ini files that you will find in the package.
I already have some ini files (Word 2007, Outlook 2007, Excel 2007) that I used with an older version of flex profile kit.

Create an application install folder on a file server. I named it Immidio Flex profiles.
Copy the Immidio Flex Profiles Advanced Edition.msi and the following script to that folder.

flexprofilesinstall.cmd

REM For Immidio FlexProfiles.
IF EXIST "C:\Program Files\Immidio\Flex Profiles\flexengine.exe" GOTO END
msiexec.exe /i "\\ward-dc01\install\Immidio Flexprofiles\Immidio Flex Profiles Advanced Edition.msi" /qb! LICENSEFILE="\\ward-dc01\Install\Immidio Flexprofiles\wardvissers.lic" /l* c:\InstallFlex.log

:END

Create a new GPO on the computers where you want to install Immidio Flexprofile kit. I named it Install Immidio Flexprofiles. Assign flexprofilesinstall.cmd as a startup script. Set the maximum wait time to 3600.

After that I created a new policy for my domain users, which I named Immidio FlexProfiles Users.

Add the Immidio Flex Profiles.adm to the newly created GPO Immidio FlexProfiles Users.
I configured some settings for where to find the ini files and where to save the settings.

Now you have a working roaming profile based on Immidio Flexprofiles. It’s a great tool and I’m loving it.

It works great when you migrate from XP to Windows 7.