How to Create a Hosted Exchange 2003 System Using Address List Segregation

I’m going to show you how to create a “hosted” Exchange 2003 system. What this essentially means is segregating the system so that you can host multiple companies on the same Exchange Organization without any of them being aware of each other. Microsoft calls this “Address List Segregation”. Keep in mind that this is not an officially supported setup from Microsoft; they only support it on Exchange 2007. However, it is good practice in the use of different permissions in relation to Active Directory and Exchange, and it uses other techniques that can be applied in different areas. For instance, the section on creating multiple Global Address Lists can be used by a company that wants to give its end users a more toned-down, user-friendly GAL instead of the default one, which lists all mailbox-enabled service accounts and what not.

Let’s get down to business.

First, I have created three “companies” in Active Directory:

The first thing we need to do is allow each user to log on with their company email domain. Our Active Directory domain name is “ponzeka.test”. We don’t want our users logging in with that; we want to give them the impression that they are the only ones on the system. To do this, we need to create alternative User Principal Name (UPN) suffixes. We do this by opening Active Directory Domains and Trusts, right-clicking on “Active Directory Domains and Trusts” and selecting Properties. Here, create an alternative UPN suffix for each email domain and its corresponding company, like so:

Now the next thing we need to do is create users for each company, and then groups identifying the users in each company. For each company, I created a group called Companyname Users and assigned all of that company’s users to the group. When you create a new user, make sure to assign the UPN suffix for their company. For example, for the Ponzeka.selfip.com company, this would be the user setup:

Notice I’m selecting the @ponzeka.selfip.com UPN so that this user can log on using username@ponzeka.selfip.com instead of username@ponzeka.test.

Once you have all your groups created, you can move on to creating custom Recipient Update Policies so that each “company” gets its own email address. A note on this.

You do not want to remove the default Recipient Policy, or modify it.  In our example it gives every user an email address of @ponzeka.test.  The reason we want EVERY user to have this is because OWA needs it, and it allows us to enable sign on without specifying a domain.

First we will create a Recipient Update Policy for the Ponzeka.selfip.com company. We need to filter the policy by members of the Ponzeka.selfip.com Users group that we created earlier. In Exchange System Manager, navigate to Recipients->Recipient Policies, right click and select New Policy. Select an E-mail Addresses policy and click OK. Name the policy “Ponzeka.selfip.com”.

Next, go to the E-Mail Addresses (Policy) tab, add the SMTP email address and make it the default. Remember, in Exchange 2003, when you add an email address to a Recipient Update Policy and select the check box “This Exchange Organization is responsible for all mail delivery to this address”, this is how you tell Exchange that it should accept email for this domain. When you’re done, your E-Mail Addresses tab should look like this:

Now comes the tricky part. We need to change the filter so that this new policy only applies to members of the Ponzeka.Selfip.com Users group. For this we need the assistance of ADSIEDIT, because we need to get the Distinguished Name of the group.

In ADSIEDIT navigate to the group, right click and select properties:

Now, under Attributes, navigate to the “distinguishedName” attribute, select Edit, and copy the whole string. DO NOT CHANGE IT!

In my case the value ended up being:

CN=Ponzeka.selfip.com Users,OU=Groups,OU=Ponzeka.Selfip.com,OU=Company’s,DC=ponzeka,DC=test

Now, go back to your Recipient Policy, General tab, and select Modify for the filter. Go to the Advanced tab, and for Field select User, choose “Is a member of” as the condition, and paste the distinguished name of the group into the Value field.

Press Add to add the filter, and then Find Now to ensure that only the members of that group are found:

Voila, all set! Save the policy and have it apply! Set up the same settings for all the remaining companies.

If we check, the user has the correct email address:

Okay, the next thing we need to do is create different Global Address Lists, or GALs, for the respective companies. We don’t want to go through all this work and then have users from different companies seeing each other in the GAL.

Here, it lists all the users in the company.  By default, Exchange installs a GAL called the “Default Global Address List”.  The default GAL will list ANY and EVERY mail-enabled object in Active Directory.  This means any of the following:

  1. Mailbox Enabled Users
  2. Mail Enabled Users
  3. Mail Contacts
  4. Mail Enabled Groups
  5. Mail Enabled Public Folders

With Global Address Lists, each user can only have one, and the criteria for the system choosing one goes as follows:

  1. Do they have rights to open the GAL?
  2. Which GAL is the biggest?
  3. Are they a member of the GAL?

The system uses those three criteria to determine which GAL each user gets. So what we need to do is prevent the members of the three company groups from opening the Default GAL. We do not want to remove it, because certain programs rely on it, such as BlackBerry Enterprise Server and MOM monitoring.

Create a new GAL, and set its filter to be the same as the Recipient Update Policy’s. Create a new GAL by navigating to Recipients->All Global Address Lists->New Global Address List.

Remember, you are setting the same “User is a member of distinguished name of group” that you set for the Recipient Update Policy as before. Now, we need to stop users from opening the Default GAL, as that is bigger than any of the others we are creating.  Right click the “Default GAL” and select properties, and navigate to the security tab.  Select the advanced button, and then add.  Here, add each company’s group, and deny it the Read Permission (this will in turn deny it several other permissions) and deny it the Open Address List permission.

Now each user in their respective company will only get the users in their company!

The only other thing you need to do is delete all the address lists that Exchange creates by default. The system will ask you if you want to delete the address lists, since they were created by default. Select yes; there is no harm. Otherwise, users could navigate to the address list and, GASP, see other people!
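As an added check that is not part of the original post, the following PowerShell script audits the result of the steps above from the directory side: it runs the same "(memberOf=<group DN>)" filter that the Recipient Update Policy and the company GAL use, confirms each member's primary SMTP address and UPN suffix belong to that company, and flags any user sitting in more than one company group (such a user would match two policies and two GALs). The first group DN is the one from the post; the second company is a hypothetical placeholder.

```powershell
# Added example, not from the original post: audit the address list segregation.
# For each company group, search with the same "(memberOf=<group DN>)" filter the
# Recipient Update Policy and GAL use, then check primary SMTP domain, UPN suffix,
# and that no user belongs to more than one company group.

$companies = @(
    @{ Domain  = 'ponzeka.selfip.com'   # group DN as copied from ADSIEDIT in the post
       GroupDN = 'CN=Ponzeka.selfip.com Users,OU=Groups,OU=Ponzeka.Selfip.com,OU=Company''s,DC=ponzeka,DC=test' }
    # Hypothetical second company; replace with your own group DN and domain.
    @{ Domain  = 'example.com'
       GroupDN = 'CN=Example.com Users,OU=Groups,OU=Example.com,OU=Company''s,DC=ponzeka,DC=test' }
)

function Get-CompanyMembers {
    param([string]$GroupDN)
    # Direct membership only, which is exactly what the ESM "is a member of" filter evaluates.
    $filter   = "(&(objectCategory=person)(objectClass=user)(memberOf=$GroupDN))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'proxyAddresses', 'userPrincipalName'))
    $searcher.FindAll()
}

$seen     = @{}    # user DN -> domains whose group contains the user
$problems = @()

foreach ($c in $companies) {
    foreach ($r in (Get-CompanyMembers -GroupDN $c.GroupDN)) {
        $dn  = [string]$r.Properties['distinguishedname'][0]
        $upn = [string]$r.Properties['userprincipalname'][0]

        # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix.
        $primary = @($r.Properties['proxyaddresses']) |
                   Where-Object { $_ -cmatch '^SMTP:' } |
                   ForEach-Object { $_.Substring(5) } |
                   Select-Object -First 1

        if (-not $primary) {
            $problems += "$dn : no primary SMTP address (has the Recipient Update Service applied the policy yet?)"
        } elseif ($primary.Split('@')[1] -ne $c.Domain) {
            $problems += "$dn : primary SMTP '$primary' is not in $($c.Domain)"
        }
        if ($upn -and $upn.Split('@')[1] -ne $c.Domain) {
            $problems += "$dn : UPN '$upn' does not use the $($c.Domain) suffix"
        }

        if (-not $seen.ContainsKey($dn)) { $seen[$dn] = @() }
        $seen[$dn] += $c.Domain
    }
}

# A user in two company groups matches two policies and two GALs: report it.
foreach ($dn in $seen.Keys) {
    if ($seen[$dn].Count -gt 1) {
        $problems += "$dn : member of more than one company group ($($seen[$dn] -join ', '))"
    }
}

if ($problems.Count -eq 0) { 'Segregation checks passed.' } else { $problems }
```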

Recovering an Exchange Database using Log File Playback

From time to time in an Exchange environment, we will have a situation where we need to recover a corrupted or failed Exchange database. There is nothing more terrifying, and nothing that leaves you more exposed as an Exchange admin, than this type of recovery.

There are various backup applications available, but essentially they all perform the same function. There are some very important differences between VSS and streaming backups, but for the sake of this article the restore works the same.

Here is the scenario:

You have a database that is backed up on Monday night. Come Thursday morning, the database has been completely corrupted beyond repair, and you need to restore from your full backup from Monday night. However, you want all the data that accumulated from that backup up to Thursday morning. After all, if you tell your CEO that he’s losing two days of emails, he’s telling you you’re losing your job.

That is the beauty of Exchange transaction logs: they allow you to "roll forward" up to the point at which the database corruption occurred. Most backup software can do this automatically for you, by telling it that the backup you’re restoring is the "Last Backup Set", or you can do it manually using ESEUTIL.

Here is the setup on my test server:

I have a database named Schneider.com MDB1. Currently the database is brand new, with one mailbox in it, so the database is effectively blank. We will take a backup of it in its "blank" state, then add data to it, restore the blank DB from the backup and roll it forward! We will use Windows Backup to back up our entire server to the desktop, as below:

Now that we have a backup of the DB, let’s add some data to it. I’ve done this by simply importing a 500 MB PST into a mailbox on the Schneider.com MDB1 database.

Now, let’s simulate a failure by dismounting the DB.

So, our database is dismounted, simulating a corrupt database. Now, let’s restore the old blank database.

Normally, when you restore a database in Exchange 2003 or 2007, you first create a Recovery Storage Group. In order to restore a backup over an existing DB instead, you need to select a simple check box. Right click the Database->Properties->Database tab and select the check box “This database can be overwritten by a restore”:

Otherwise, if we tried to restore the database it would force us to go into an RSG. Now, let’s recover the database. Notice that the restore window asks for a temporary location for log and patch files, and also offers the “Last Restore Set” checkbox:

Let’s leave Last Restore Set unchecked, because we want to run ESEUTIL ourselves. Choose a temp location and hit OK to start the recovery.

Once the restore is finished, we have several things to note. First, the database has been restored to its previous state, and it’s quite small.

Next, the C:\Recovery folder. Here we note there is a transaction log and the Restore.env file. This file acts as a checkpoint file for the recovered database, telling it where it should start playing back transaction log files from:

Last, we note the transaction logs for this Storage Group, which indicate a decent amount of activity since the last backup. These are the files we will use to play the missing data back into the DB:

So, we now have our database restored, so it’s time to run ESEUTIL! Eseutil is located by default in C:\Program Files\Exchsrvr\bin, so navigate there in a command prompt. The first thing we want to check is the condition of the restored database. Run the command eseutil /mh c:\dbfolder\nameofdb.edb, or in my case:

eseutil /mh "C:\exchange db\schneider.com\schneider.com mdb1.edb"

This is known as a header dump, and it will indicate the condition of the database:

As you can see, we are in a “Dirty Shutdown” condition, which means the DB knows that it’s missing log files; the problem is it has no idea which ones. We tell it which ones by using eseutil and pointing it at the restore.env file we recovered earlier. If we tried to mount the database now, we would receive an error because our DB is not in a clean shutdown state.

We now want to perform a “hard replay” using the command eseutil /cc <path to the folder containing restore.env>, or in my case eseutil /cc “c:\recovery\schneider.com”

Now if we do a header dump again, we see that our DB is in the Clean Shutdown state:

Note also that the EDB file is now returned to a normal size:

Now mount the store, and you are finished! Enjoy!
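As an added example (not part of the original post), here is the manual replay above wrapped in a PowerShell pre-flight: it parses the eseutil /mh header dump, only runs eseutil /cc when the state really is Dirty Shutdown and restore.env is where the restore put it, and re-checks for Clean Shutdown before you mount. The paths are the ones used in this post.

```powershell
# Added example, not from the original post: guard the hard replay described above.
# eseutil /mh prints a header dump containing a line "State: Dirty Shutdown" or
# "State: Clean Shutdown"; eseutil /cc takes the folder that holds restore.env.

$eseutil    = 'C:\Program Files\Exchsrvr\bin\eseutil.exe'
$database   = 'C:\exchange db\schneider.com\schneider.com mdb1.edb'
$restoreEnv = 'C:\recovery\schneider.com'      # temp location chosen during the restore

function Get-DatabaseState {
    param([string]$EdbPath)
    # Capture the header dump and pull out the State line.
    $dump = & $eseutil /mh $EdbPath 2>&1 | Out-String
    if ($dump -match 'State:\s*(Clean|Dirty) Shutdown') { return "$($Matches[1]) Shutdown" }
    throw "Could not find a State line in the header dump for $EdbPath"
}

$before = Get-DatabaseState -EdbPath $database
"Before replay: $before"

switch ($before) {
    'Clean Shutdown' {
        'Database is already consistent; no log replay needed. Mount the store.'
    }
    'Dirty Shutdown' {
        # Without restore.env, /cc has no checkpoint to start from: stop rather than guess.
        if (-not (Test-Path (Join-Path $restoreEnv 'restore.env'))) {
            throw "restore.env not found in $restoreEnv; check the temp location used for the restore"
        }
        # Hard recovery: replay the restored log and the Storage Group's current logs.
        & $eseutil /cc $restoreEnv
        if ($LASTEXITCODE -ne 0) {
            throw "eseutil /cc failed with exit code $LASTEXITCODE; do not mount the store"
        }
        $after = Get-DatabaseState -EdbPath $database
        "After replay: $after"
        if ($after -ne 'Clean Shutdown') {
            throw 'Database is still in Dirty Shutdown; check the log files before mounting'
        }
    }
}
```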

Defragmentation in the Exchange Environment

Defragmentation is a vital part of any exchange organization. There are two types of defragmentation that every administrator should be aware of, as well as their differences, online and offline.

The first one we’ll discuss is online defragmentation. Online defrags occur as part of each database’s (mailbox and public folder) maintenance interval. This setting is usually set for 2:00AM to 6:00AM on the databases, as seen below:

Now, there are several processes that occur as part of this maintenance interval, including online defragmentation. As you have most likely guessed, this is a period of heavy activity for the Exchange server. You most likely want to stagger this interval with your backup window, especially if you’re using the traditional streaming backups for Exchange. This maintenance does not have to be run daily, and can be set to run on the weekends or at some other time. If it does not complete in the allotted time, it will stop, and then pick up where it left off the next interval. While you can set it to run weekly, you want it to complete weekly, so make sure you give it enough time.

Okay, so after a little rambling, back to an online defrag and what the hell it does. An online defrag will go through the database, find all the items that were deleted from the mailboxes or public folders, and actually remove them from the database. It then marks this deleted space as re-usable space or “white space” in the database. White space you ask? Drinking on the job you ask? Not usually, and not in this case. Exchange is a database program, consisting of the EDB file and STM file in Exchange 2003, and just the EDB file in Exchange 2007. These files only grow. Meaning if you have a 10 GB database, and some user deletes 5 GB worth of emails, that file is going to stay at 10 GB.

The benefit is that online defrag will return that 5 GB as white space to the database. This means that if you have 5 GB of white space, and someone adds 2 GB of data, the database stays at 10 GB. Magic? Nope, it just put the 2 GB of data in the 5 GB of white space so it didn’t have to grow the database, leaving another 3 GB of white space for future data. Get it?

The process will actually show you how much white space is found. If you go to the application log in Event Viewer, and filter for Event ID 1221, you’ll see what I am talking about. The source will tell you if it came from a mailbox database, or a public folder database:

Now, if you look, it tells us that the Mailbox Store, in Storage Group “First Storage Group”, on Exchange Server 32DCEX has completed its online defrag, and has found 1 MB of free space. Now this is a test server with very little activity, but you get the point. It shows you how it has opened space up for new data to be written.

Now, you want to know how to shrink that Exchange database. Well, that’s a job for offline defrag, handled manually using ESEUTIL.

Eseutil is a command line tool, found by default in C:\Program Files\Exchsrvr\bin. Eseutil can be used for a lot of things, including database recovery and repair, but we’ll cover those in a later post. For now, let’s concentrate on the offline defrag.

First, let’s discuss how Eseutil actually does an offline defrag, and the issues we need to be aware of. First and foremost, Eseutil cannot work with a mounted Exchange database. So to perform an offline defrag, your databases need to be dismounted, which means your users won’t be able to connect to their mailboxes. Be sure to schedule a specific downtime for the defrag. Second, you need to have 110% of the current DB size free on your hard drive. Meaning if you have a 100 GB database, you need 210 GB of free hard drive space. What!?! That’s nuts!! It has to do with what Eseutil does. It actually creates a new copy of the DB, reads the data from the old one and transfers it to the new one. It doesn’t transfer the white space, thus shrinking the database. However, you do need this space on the disk. After it’s done with the defrag, it moves the new DB into the old one’s position and removes the old one. Let’s see how this thing works!!

First, dismount your stores. Go to ESM, right click on a DB and select Dismount Store. You’ll get a warning that users will no longer be able to connect. Select OK.

Now, open a command prompt. You’ll need to navigate to the C:\program files\exchsrvr\bin folder to start Eseutil. Now, you’re going to run the following command:

Eseutil /d <path to .edb file>. If you have left your databases in the default location, it should be the following:

Eseutil /d “c:\program files\exchsrvr\MDBDATA\priv1.edb”

Voila, all done. Note it created a temporary EDB and STM file (Exchange 2000/2003 only), and then moved them to the correct location. It also informs you that you should perform a Full Backup ASAP!! This is because all of the previous backups will no longer work, since you have changed the DB files dramatically.

Almost done. Now, what happens if you don’t have the disk space?? That could very well be the reason you’re doing this defrag. Thanks a lot Paul, a whole article and nothing!! Hold your horses, I’ve got you covered. You can actually specify a location to create the temp database file on. So if your C drive is full from the database, and you have a D drive with plenty of space for the defrag, you can create the temp file there, and have Eseutil move it back over. Yay!!

Here’s how. Again in Eseutil in the command prompt, we are going to run the following command:

Eseutil /d <path to .edb file> /t<path to temporary .edb file>

(I always hated those examples, impossible to comprehend, so here is something more real)

Eseutil /d “C:\program files\exchsrvr\mdbdata\priv1.edb” /tZ:\exchange\sample.edb

Now, what the above command did was tell Eseutil to create the temporary Exchange files on the Z drive, in a folder called Exchange, and name the temp file sample.edb instead of a random number. See the actual command below:

Notice that command line. It finishes the defrag, and note how it’s created a new EDB file and STM file (again, Exchange 2000/2003 only) on the Z drive where we specified? Notice that it then copies the temp file to the name of the original?

There you go, we are all set. The last thing to do is re-mount the database, and run a Full Backup. You are all set!!

It should be noted that there isn’t a terribly pressing reason to run an offline defrag unless you have a significant amount of space to be reclaimed, or are instructed to do so by Microsoft PSS. Just make sure you have a full backup before attempting it. With big databases this can take a while; Microsoft estimates usually between 6-7 GB per hour, so if you have a decent sized DB it can take some time. Make sure you plan accordingly.

Happy fragging!

Setting an Email Limit Above 2 GB in Exchange 2003

As email administrators, we at some point will do one of those things that inherently pisses off the end user, setting a limit on the size of their mailbox. There are several places we can set mailbox limits, most notably on a per-user basis, or at the mailbox database level, as seen below.

Now, an interesting thing can happen if you try to set a mailbox limit of, let’s say, 5 GB on this mailbox database. Remember, these settings are done in KB, not GB, so we convert 5 GB to 5242880 KB. We will however receive an error message when attempting to apply these settings.

This error message, which you will get for all three warning levels, is telling you that Exchange 2003 only supports setting a mailbox limit of 2097151 KB, which is 2 GB. Well now Microsoft, this is a little insane. Google, Yahoo and even Microsoft offer free public mailboxes with this amount of space and more, so why do they limit their flagship email program this way, you ask? Remember, Exchange 2003 is five years old as of this writing, and the corporate email environment has changed dramatically. 2 GB would have been a tremendous mailbox five years ago. So, Exchange System Manager blocks you from even applying this limit; how do you set it, you ask? With some help from our old friend ADSIEDIT, of course. ADSIEDIT is included in the Windows Server 2003 Support Tools found on the Windows installation disc, or can be downloaded from here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

Once you’ve installed ADSIEDIT, navigate to c:\program files\support tools, double click on the icon for ADSIEDIT.MSC, and you’ll be presented with this screen:

This is very raw Active Directory information!! You can see that it lists the separate partitions for Active Directory: Domain, Configuration and Schema. Since Exchange Server leverages Active Directory as its directory service, it stores all its configuration in Active Directory. So... this means that there is a corresponding value in Active Directory for the Exchange mailbox limits we set in ESM. Since ADSIEDIT lets you edit raw data, there is no warning in place, and it will let you set the value. Keep in mind though that since it lacks the built-in protection of ESM, it will let you do extreme damage to your Exchange Organization and Active Directory installation, so be extremely careful when editing data in this utility!!

So first, we need to find the data value for Size Limits. So we are going to navigate to Configuration -> Services -> Microsoft Exchange -> Exchange Organization Name-> Administrative Groups -> Administrative Group Name -> Servers -> Server Name -> Information Store -> Storage Group.

Now, you’ll notice that this structure is similar to ESM. That’s because ESM attaches to the Configuration Partition, and reads this info and displays the results in an easier to manage display. On the right hand screen you’ll see your corresponding Mailbox and Public Folder Databases. Let’s right click on the Mailbox Store and select Properties. Now, you’ll have three columns, Attribute, Syntax and Value. We are looking for three values under the Attribute column.

  1. mDBOverHardQuotaLimit – This corresponds to the “Prohibit Send and Receive at” value listed in ESM. This is the most restrictive of the settings, so you can associate it with the hard quota value.
  2. mDBOverQuotaLimit – This corresponds to the “Prohibit Send at” value in ESM.
  3. mDBStorageQuota – This corresponds to the “Issue Warning at” value in ESM.

Editing these values is extremely easy. Simply select one and press the Edit button. Now, enter the value you want for the limit. Remember, the numbers here should be in KB, so we will re-enter the value of 5242880 here. Now hit Apply, and this will set the limits that you want. I’ve changed the values slightly so you can see the corresponding differences.

You can see that the values we set in ADSIEDIT are now showing in ESM. Done, right? No? Damn. There is a consequence of what we have done. You can no longer edit these values in ESM. In fact, we cannot edit anything on this tab of ESM. If you try to hit Apply, you’ll get the same error we got at the beginning of the article. If you need to make any changes, either make them before making the edit in ADSIEDIT, or remove the values, make your changes in ESM, apply them, and then re-make the changes in ADSIEDIT. That’s it, you’re done! Now remember, the Information Store service caches information for a period of time, so if a user exceeds the limit, the limits you set don’t take effect immediately. It can take two hours, or if you’re doing this in a test lab, you can restart the Information Store service. (Be careful not to do this in a production environment, as this will dismount the mailbox databases and disconnect users from their mailboxes.) When the service starts up, it will implement the blocking of any boxes over their respective limits.
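As an added example that is not from the original post, the same three attributes can be read and written from PowerShell through ADSI, which is what ADSIEDIT does under the hood; the script below shows the current limits in GB, marks any that are above the 2097151 KB ESM ceiling, and checks the ordering of the three limits before it writes. $storeDN is a placeholder assembled from the ESM path given above; replace every <...> with your own names.

```powershell
# Added example, not from the original post: read and set the mailbox store quota
# attributes (mDBStorageQuota, mDBOverQuotaLimit, mDBOverHardQuotaLimit) via ADSI.
# All values are in KB, exactly as in ESM and ADSIEDIT.

# Placeholder DN built from the ESM path in the post; fill in your own names.
$storeDN = 'CN=Mailbox Store (<SERVER>),CN=<STORAGE GROUP>,CN=InformationStore,CN=<SERVER>,CN=Servers,' +
           'CN=<ADMIN GROUP>,CN=Administrative Groups,CN=<ORG>,CN=Microsoft Exchange,CN=Services,' +
           'CN=Configuration,DC=<domain>,DC=<tld>'

$esmCeilingKB = 2097151   # largest value ESM will apply (2 GB); above it, the tab is read-only in ESM

# ESM label -> attribute, in the order they appear on the Limits tab
$quotaAttributes = @(
    @{ Label = 'Issue Warning at';             Attr = 'mDBStorageQuota' }
    @{ Label = 'Prohibit Send at';             Attr = 'mDBOverQuotaLimit' }
    @{ Label = 'Prohibit Send and Receive at'; Attr = 'mDBOverHardQuotaLimit' }
)

function Get-StoreQuotas {
    param([string]$DN)
    $store = [ADSI]"LDAP://$DN"
    foreach ($q in $quotaAttributes) {
        $kb = $store.Properties[$q.Attr].Value     # $null when no limit is set
        New-Object PSObject -Property @{
            Setting   = $q.Label
            Attribute = $q.Attr
            KB        = $kb
            GB        = $(if ($kb -ne $null) { [math]::Round($kb / 1MB, 2) } else { $null })  # KB / 1048576 = GB
            AboveESM  = ($kb -ne $null -and $kb -gt $esmCeilingKB)
        }
    }
}

function Set-StoreQuotas {
    # [int] parameters match the attributes' 32-bit Integer syntax, so oversize values fail here, not in AD.
    param([string]$DN, [int]$WarningKB, [int]$ProhibitSendKB, [int]$ProhibitSendReceiveKB)
    if (-not ($WarningKB -le $ProhibitSendKB -and $ProhibitSendKB -le $ProhibitSendReceiveKB)) {
        throw 'Quotas must satisfy: Issue Warning <= Prohibit Send <= Prohibit Send and Receive'
    }
    $store = [ADSI]"LDAP://$DN"
    $store.Put('mDBStorageQuota',       $WarningKB)
    $store.Put('mDBOverQuotaLimit',     $ProhibitSendKB)
    $store.Put('mDBOverHardQuotaLimit', $ProhibitSendReceiveKB)
    $store.SetInfo()   # commits to AD; the Information Store applies it after its cache interval (or a restart)
}

# Show the current limits; uncomment the second line to set 4 GB / 4.5 GB / 5 GB, which ESM itself refuses.
Get-StoreQuotas -DN $storeDN | Format-Table Setting, Attribute, KB, GB, AboveESM -AutoSize
# Set-StoreQuotas -DN $storeDN -WarningKB 4194304 -ProhibitSendKB 4718592 -ProhibitSendReceiveKB 5242880
```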

Changing the Offline Address Book for a Specific User

There may come a point one day in your Exchange administration where you need to specify an OAB for a specific user. Normally OABs are set at the Mailbox Database level, and the users of that database use that OAB. But for some reason you may need to give one user his own specific OAB.

I have used this when troubleshooting OAB’s. For instance, one company I was at was having issues with their OAB. I created a new one, and wanted to make sure it was working. Since the database I was on had some 100 users, I did not want to assign the OAB in the middle of the day, and risk the users getting a message to restart Outlook. I simply assigned myself the OAB, and checked it out.

Here are the steps:

  1. You have to find the Distinguished Name of the Offline Address List that you want to assign to the user. The easiest way to do this is with ADSIEDIT.MSC. Open ADSIEDIT, go to the Configuration Partition -> Expand Configuration Folder -> Expand CN=Services -> Expand CN=Microsoft Exchange -> Expand the CN=Exchange Organization Name -> Expand CN=Address List Container and then select CN=Offline Address Lists
  2. Right click on the OAB that you want to use in the right side of the screen and select “Properties”
  3. Search for the Attribute DistinguishedName and select “Edit” (DON’T CHANGE THIS VALUE!!)
  4. Copy the whole value listed
  5. Now navigate to the Domain Partition and find the user you want (note this area is grouped exactly like Active Directory is shown in AD Users and Computers).
  6. Find the user you want and right click and select properties.
  7. Find the Attribute msExchUseOAB, select it and hit edit
  8. Right now it most likely has no value set. Note that you can return to this state (which means you inherit the OAB setting from the Mailbox Database again) by hitting the Clear button at any time.
  9. Paste the OAB Distinguished Name in here and select OK.

That’s it, have the user logoff and log back on, and now he/she will be downloading their brand new custom OAB!!