Yesterday we released an xml update for ExBPA suite of tools. The update applies to the tools shipped with Exchange Server 2007 systems with Service Pack 1 applied. It is currently only available for English language servers at this time.

The following tools have received an updated set of rules:

1. Best Practices Analyzer
2. Disaster Recovery and Performance Troubleshooter

What is contained in the update?
The update contains mainly bug fixes for the above tools.

The BPA tool is also run automatically during setup and readiness checks. We have updated the prerequisites XML file for setup. So any Exchange setup launched on a machine connected to the Internet will download the updated prerequisites file to check for the correct prerequisites.

How do I obtain the update for the Best Practices Analyzer tool?
Start the Best Practices Analyzer tool from Exchange Management Console. If you have previously selected the option to check for updates on startup, you will be prompted to update the tool automatically. If the option to check for updates on startup is not selected, click on the Updates and Customer Feedback link from the application and check for new updates. (Note that this process only updates the Best Practices Analyzer tool and not the other tools. If you need the update for other tools they must be started up separately and checked for updates.)

What files are included in this update?

For the Best Practices Analyzer tool
ExBPA.PreReqs.XML
ExBPA config XML
ExBPA.Readiness.XML
ExBPA.CHM

For Disaster Recovery and Performance Management Tool

ExDRA config XML
ExTraceMan.Config.XML
ExTRA.CHM

Thanks!
-- Ananth Ramanathan

Share this post :

Please go to our Mailbox Server Role Storage Requirements Calculator updates tracking page to see what is in this new version!

A blog post explaining the calculator (updated for this new version) is here. The download is here.

Comments welcome!

- Ross Smith IV

Share this post :

This is just a quick note that the regularly scheduled Exchange Server 2003 Intelligent Message Filter update that was set to be released on 1/7/2009 will not be happening. The next release for this update will be on 1/21/2009.

For those that might not know, this update is released on the first and third Wednesday of every month except for the month of December. December will see only a release during the first week of the month.

Thanks,

- Scott Roberts

Share this post :

The larger the organization the less it seems that the Exchange Administrators talk to or work with the Active Directory Administrators. This is usually a two-way street. This lack of understanding can severely impact your Exchange environment. The purpose of this blog post is to educate YOU the Exchange Administrator on what you need to understand about Active Directory (AD), a few AD basics, and a few tips. Hopefully this knowledge will allow you to proactively talk to your AD Administrator(s). It would be great if you read this before you implemented Exchange Server 2007, but we can't have it all, can we? Finally, I hope by the end you will understand why we need Active Directory (we already know they need us - everyone needs email right?).

DNS

No discussion of Active Directory would be complete without talking about Domain Name Servers (DNS). I am not going to go deep on this topic, but I do want one thing made very clear. Your organization may decide to dynamically update DNS or do it manually, either will work for Exchange - just make sure you have all the proper DNS Service Resource Records (SRV RR) as explained in RFC 2782. SRV record Priorities determine the order in which servers will be used (lowest priority first), Weights determine the load balancing to servers with same priority. The Microsoft default for Domain Controllers priority/weight is 0/100.

Tips & Tricks: To prevent clients from discovering a server (maybe the PDC emulator), increase its priority. To lessen the likelihood clients will choose it, lower its weight.

Don't panic, you really don't have to read the RFC, though I have and it is not that bad. What we care about here is AD Sites SRV records (more on this topic later).

Run "DCDiag /test: registerindns /dnsdomain: FQDN /v" from a DC to verify the records are in DNS.

Domain controllers running Windows Server 2003/2008 register SRV records in the _msdcs subdomain in the following format:

_ldap._tcp.DnsDomainName

_ldap._tcp.SiteName._sites.dc

_msdcs.DnsDomainName

_gc._tcp.DnsForestName

_gc._tcp.SiteName._sites.DnsForestName

_kerberos._tcp.DnsDomainName

_kerberos._tcp.SiteName

_sites.DnsDomainName

Tips & Tricks: use DnsAvoidRegisterRecords registry key in hub/spoke environments to manage what SRV records are registered.

A great DNS utility is DNSLint; the best part - it's a free download from Microsoft. It will provide you with a detailed listing of your DNS environment. You can also use it to troubleshoot AD, see How to use DNSLint to troubleshoot Active Directory replication issues for details.

You can install DNS on a Read-Only DC (RODC), but just like the DC component, it will be read-only. If a write request/update comes into a Read-Only DNS server, a referral is made to a writeable copy of the appropriate application partition, and the record is replicated back to the application partition stored on the RODC DNS server.

Domain Controller Defined

Domain controllers store data and manage user and domain interactions, including user logon processes, authentication, and directory searches. DCs are used by several Exchange Server directory components, such as Directory Service Access (DSAccess or ADAccess), Directory Service Proxy (DSProxy), Offline Address Book (OAB) and the Message Categorizer use domain controllers or global catalog servers.

Read-Only Domain Controller (RODC)

An RODC is an additional domain controller for a domain that hosts read-only partitions of the Active Directory database. An RODC is designed primarily to be deployed in a branch office environment. Branch offices typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and little local IT knowledge. Exchange requires a write-able Domain Controller and cannot use a RODC or Read-Only Global Catalog (ROGC).

Global Catalog Defined

A global catalog (GC) stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. To optimize network performance in a multiple-site environment, consider adding global catalogs for select sites. In a single-site environment, a single global catalog is usually sufficient to cover common Active Directory queries. However, in a multiple-site environment it is recommended that you use global catalogs in each site. Exchange Server 2007 loves global catalog servers, all distribution groups should be Universal Groups now. Universal groups are stored in the GC and replicated throughout the forest.

Tips & Tricks: To avoid excess replication traffic, keep Universal group membership changes to a minimum (Windows 2003 Interim/Forest Functional Mode helps this because it use Link Value Replication (LVR)).

32-Bit or 64-bit Domain Controllers?

As you probably already know a 64-bit machine and operating system (OS) is a requirement for Exchange Server 2007 in production. What about the Domain Controllers (DCs)? You probably already have 32-bit Domain Controllers; do you need 64-bit? The best practice answer is YES. 32-bit machines have several memory limitation and constraints, 64-bit have much larger limits that most of our customers will never hit. With a 64-bit DC and right amount of memory you can store your entire AD in RAM. Exchange loves talking to DCs, and you get a big bang for your buck from 64-bit DCs - the increase in lookup response times can be staggering. See Guidance on Active Directory design for Exchange Server 2007 for more information. The bottom line is update/upgrade your DCs to 64-bit before installing Exchange 2007 or after reading this if you have not already.

Windows Server 2003 or Windows Server 2008 Domain Controllers?

Let me state right off the bat that Exchange Server 2007 SP1 works with either version of the OS on your DCs. You can even install Exchange Server 2007 SP1 on Windows Server 2008 (see Exchange Server and Windows Server 2008 and Exchange Server and Windows Server 2008, Part II for more details). With that said, if you are updating your DCs to 64-bit I would seriously look at Windows Server 2008. Here is a simple list to discuss with your AD Administrators before deciding to use Windows Server 2008 or stay on Windows Server 2003:

· If you deploy Windows Server 2003 today, what is the life of that computer? 3, 4, even 5 years? Will Microsoft support you during that entire span? In 2013 will you really want to be running Windows Server 2003?

· New hardware, new OS - it's just that simple J

· Dozens of enhancements have been made to 2008. See http://www.microsoft.com/windowsserver2008/en/us/active-directory.aspx for a short list. Restartable Domain Services is awesome and will allow your AD Administrators to apply patches or do an offline defrag all without a reboot.

· Server Core is a great option for a DCs and DNS servers. On the plus side it's more secure.

Windows Schema Update for Exchange

Your AD Administrators might give you a hard time about running a schema update, believe me it happens. The reason is that when a DCs learns about a schema update, but has not replicated it yet, the DC will stop all other forms of AD replication until there schema is up to date. No single attribute is expected to be more than 500 kilobytes (KB). No single object is expected to be more than 1 megabyte (MB). Have them test the update in a lab, but the process should go quickly in most environments.

Make sure they understand that Exchange has two versions of the schema - RTM and SP1. The SP1 version includes the RTM changes. If they used the RTM update, they will have to rerun it with SP1. See How to Prepare Active Directory and Domains for more details.

Active Directory Replication

All DCs (expect RODC's) maintain a writeable copy of the AD database. Replication is the process by which DCs keep each other up to date.

Tips & Tricks: Use repadmin /showreps (Windows 2000) or repadmin /showrepl (Windows 2003/2008) to view replication status. Use repadmin /replsummary to view replication health.

Active Directory Sites

Active Directory sites are a very important topic and yet are commonly misconfigured. A site is a combination of the physical (wires, cables, routers, etc.) and the logical (Active Directory configuration, IP Subnet, etc.). A site may span one or more domains. A site needs to be able to allow all the domain controllers within it to replicate to each other in a timely fashion. Clients will treat all DCs in the site as equals.

Common Configuration errors include:

· not defining a client's subnet within sites, this will cause clients to seek out a DC, which could be anywhere in the forest

· not having enough sites or improper site chaining, this will cause extra replication traffic on the site bridgeheads

· having sites that span too large of an area, this will cause replication slowness

Exchange Server 2007 uses AD sites to route and send emails; it does not manage its own routing topology any more. This change makes AD sites very important to the health of Exchange Server 2007. The Client Access Server (CAS) role is very heavily dependent on AD sites as well, for things like Autodiscover, calendar assistant, etc. Lastly, Exchange Server 2007 won't install unless it is in an AD Site that contains a GC.

Dedicated Active Directory Site for Exchange

To dedicate or not to dedicate, that is the question. For most the answer is not to dedicate, unless you can't control application access to the DCs or you have another valid business reason. Testing is the best way to figure out if you really need a dedicated site for Exchange. Mike Lee wrote a great blog post about our Guidance on Active Directory design for Exchange Server 2007.

ADAccess

Active Directory Access (ADAccess) is a core component of Exchange. ADAccess performs auto discovery using cached information to reduce lightweight directory access protocol (LDAP) requests for your Active Directory topology; which means it detects domain controllers and global catalog servers in your environment on a regular interval.

Tips & Tricks: You can turn up logging for ADAccess, see this TechNet article.

DSProxy Referral

Directory Service Proxy (DSProxy) is the process used to provide either referrals or proxy requests to a GC on behalf of Outlook clients. This process is the same for Exchange Server 2007.

Where does Exchange store data in AD

If I had to a put a percentage on Exchange's use of AD, I would say Exchange Server 2007 is 70% Active Directory, where Exchange Server 2003/2000 was 40%. In the chart below you can clearly see Exchange stores information in several naming contents - Domain, Configuration, and Schema. Remember Exchange Server 2007 uses AD Sites for routing.

Active Directory Tweaks worth looking into

Here is a list of some common, but important tweaks for Active Directory. As always please test changes in a lab first before deploying to production.

• MaxQueryDuration

- Default is 120 seconds - too long in some cases, Microsoft IT is 45 seconds

• Reduced for better end user experience (response time)

• MaxActiveQuery

- Default is 20, Microsoft IT is set to 32

• Allows for more concurrent LDAP queries
  

• DS Heuristics

- ANR search behavior (among many others)

- Forest wide settings

- Microsoft IT is set to 0001 - pre-emptive nickname resolution

Active Directory Troubleshooting

I would like to end with troubleshooting. Below are just a few things to look into.

Registry

• HKLM\SYSTEM\CCS\services\ntds\diagnostics

- 24 diagnostics registry keys

• Verbosity 0-5 :: 0-Off, 1-Lowest Verbosity, 5-Highest Verbosity

- "3 ExDS Interface Events"

- "4 MAPI Interface Events"

- "6 Garbage Collection"

• Set to 1 on all DC's - creates two added events every 24 hours
• Event ID 1646 displays available white space recoverable with offline defrag

- "9 Internal Processing"

- "15 Field Engineering"

• Identifies expensive and inefficient queries
• Thresholds can be managed via the registry

Tips & Tricks: Never leave at any value other than 0 (zero) unless troubleshooting. A value of 5 can fill up the Directory Service Event Log in a matter of minutes!!!

Server Performance Advisor (Download for Windows Server 2003, built into Windows Server 2008 - under Reliability and Performance Monitor - Data Collector Sets & Reports)

o Server performance Reports

o Resource utilization information

o Identify offending clients

o Identify bottlenecks

o Workload Stress

Replication

o Typically caused by DNS or network issues

o Replication latency depends on topology and settings

o Use Repadmin to identify the source of the problem

o Increase Diagnostic keys to track significant events

Tools

o Repadmin.exe is the primary tool for identifying and resolving all replication issues

o DCDiag provides overall "health" of a domain controller

o Risk Assessment Program for Active Directory (ADRAP) is an ideal delivery for identifying current issues

Conclusion

My hope is that reading all of the above has shed a light on why you as an Exchange Administrator needs Active Directory. An even more important goal is to point out why Exchange requires a healthy Active Directory environment. My goal was to give you enough AD information so that you can talk to your AD Administrators and help get your AD into shape, so that Exchange can live a long and healthy life.

For more information on AD please see our Directory Services Community page.

- Rod Fournier

Despite our attempts at documenting various break/fix scenarios, it can often be frustrating when trying to locate the information you need to resolve an issue as quickly as you would like. I decided to share this information in an attempt to help you resolve the majority of issues that can prevent your users from successfully logging on to Outlook Web Access. It won't resolve 100% of the issues and it's not intended to. It's also not intended as a "complete" with step-by-step instructions for each scenario. Rather, in most cases it will help you approach the issue logically and determine your best course of action and which resources to review to learn more about the scenario as well as how to fix your issue. In any event, it's a good resource to peruse before picking up the phone to speak with technical support.

The following should guide you through eliminating the most common root causes for this type of scenario. If nothing else, working through these steps should provide you with enough information such that you can minimize your time on the phone should you still find it necessary to call technical support.

Probing questions

Before you can effectively troubleshoot this issue you should know, or confirm, the following information:

1. If users are receiving an error, what is the exact wording of the error message and does it include an HTTP (IIS) status code that can help you isolate root cause?

2. If a call stack is provided when clicking Show Details, does the exception provide any clue that can help you isolate root cause?

3. Is everyone affected or only some users? For instance, does the issue affect only users connecting from outside the network or everyone regardless of their location? If only users connecting over the Internet are affected, then there's a high probability that Exchange is fine and the cause of the issue is related to a firewall, proxy server, or hardware device like an SSL Accelerator or load balancer. NOTE: Another good test to run if you suspect root cause might be your firewall or network is to try logging on to OWA from the console of the Client Access Server itself.

4. If only some users are affected, does the issue happen from multiple workstations using the same user account? This should help you determine if the issue is user specific or machine specific.

5. If you still have Exchange 2003 mailbox servers in your org, does the issue affect Exchange 2003 and/or Exchange 2007 users who try connecting through the Exchange 2007 CAS?

6. Is the server users connect to a standalone Client Access Server or is the Mailbox role also installed on the same machine?

7. How many Active Directory sites are there? If more than one, which site has the Internet-facing CAS server?  Which site has the mailbox server where affected users are homed?

8. Is the CAS server in a perimeter network or DMZ?

9. Did it ever work? If yes, what changes have been made in the environment, i.e.
software updates, service packs, rollups, new hardware, firewall changes, etc?

Troubleshooting

Now that you have a clearer understanding of the issue and environment, let's eliminate the low hanging fruit.

1. If you're in a mixed environment with Exchange 2003 or 2000 and only users homed on Exchange 2003 are unable to log on, read the following with special attention to the Deployment Scenarios section:

Outlook Web Access and Exchange 2007, Exchange 2003, and Exchange 2000 Coexistence

http://technet.microsoft.com/en-us/library/bb885041.aspx

2. If Exchange 2003 users connecting through Exchange 2007 receive, "Page cannot be displayed", followed by, "Cannot find server or DNS error", and the CAS role is co-located with the Mailbox role, then you will need to deploy a standalone Client Access Server. This is also documented in the coexistence documentation above and is necessary if you intend on having Exchange 2003 users use OWA to connect to their mailbox across the Internet.

3. If Exchange 2007 is deployed across multiple Active Directory sites with an Internet-facing CAS server in one site and other CAS servers in "proxy" sites, read our Redirection and Proxy documentation. Briefly, when you configure your CAS servers for this scenario you must have an external URL entered for the /owa virtual directory in Exchange Management Console. Authentication will typically be either forms-based (FBA) or basic auth. However, the CAS servers in the proxy sites need to be configured quite differently. The InternalUrl for the /owa vdir in the console should be the internal FQDN of the server and the External URL should be blank, or null. Authentication for /owa MUST be set to Integrated Windows Authentication which means you cannot enable FBA on the CAS servers in the proxy sites. If this isn't set up correctly and users with mailboxes in the proxy site are unable to connect, then you should see an event ID 41 for source MSExchange OWA on the Internet-facing CAS.

4. Several different issues can cause a 440 Login Timeout error. If users are seeing this, read the following Knowledge Base article:

941201          Error message when you try to log on to Exchange 2007 by using Outlook Web Access: "440 Login Timeout"

http://support.microsoft.com/default.aspx?scid=kb;EN-US;941201

5. If users see "Service Unavailable" when they try to connect, it's possible you intentionally or inadvertently installed the 32-bit version of the.Net Framework. To resolve this issue, refer to the instructions for Asp.Net version 2, 64-bit, in the following Knowledge Base article:

894435          How to switch between the 32-bit versions of ASP.NET 1.1 and the 64-bit version of ASP.NET 2.0 on a 64-bit version of Windows

http://support.microsoft.com/default.aspx?scid=kb;EN-US;894435

6. If users report seeing a blank page when connecting to OWA, this might be due to
a recent rollup being applied that didn't install correctly. For more information,
see kb 935490 which applies to all rollups and not just Rollup 2.

935490          Description of Update Rollup 2 for Exchange 2007

http://support.microsoft.com/default.aspx?scid=kb;EN-US;935490

I hope this helps! As I mentioned earlier, this won't help you resolve every single OWA logon issue. But it's a good place to start and some of the procedures may lead to solutions that aren't documented here.

- Joe Turick

Mike, one of our readers, sent us the link of a funny story how an out of office reply got printed on a bi-lingual traffic sign. Thought that it was pretty funny:

http://news.bbc.co.uk/1/hi/wales/7702913.stm

That got me thinking of some of funny OOF messages that I have seen over time. After performing a quick search, I ran into few places that had a few funny OOF replies written up and posted. Some randomly picked examples here, here and here.

Did you want to share some of the funny OOF replies that you saw or wrote up yourself? Creativity of some people is really amazing when it gets to those!

(And, by the way - in case you do not yet know how come that "Out Of Office" came to be abbreviated as "OOF" - you might want to read this.)

- Nino Bilic

Share this post :

We noticed the following in the Wikipedia article about ESE:

Well, here's your citation for you - and we added a few names:

Developers who have contributed towards the success of JET Blue include Cheen Liao, Stephen Hecht, Matthew Bellew, Ian Jose, Edward "Eddie" Gilbert, Kenneth Kin Lum, Balasubramanian Sriram, Jonathan Liem, Andrew Goodsell, Laurion Burchall, Andrei Marinescu, Adam Foxman, Ivan Trindev, Spencer Low and Brett Shirley.

- KC

Share this post :

I got a lot of great feedback for the recent post I wrote about the Microsoft Certified Master Program, and not unsurprisingly there were some comments posted about the price.

Given the state of the world's economy, and knowing that costs for things like training are often one of the first things that get cut, we have listened to the feedback given, sharpened our pencils and have decided to offer a discount to fill the remaining seats we have in March (March 16th to April 4th) and May (May 4th to May 23rd). In uncertain economic times, having unrivalled skills won't do anyone any harm in the job market and if you read the comments following my last post, you will see no one there doubts this training is worth it.

So I'm posting the announcement below here first; the MCM Web site will go live with this announcement later this week, as it is likely the successful candidate in the Program is reading this blog. So if you want to do this, go sign up. Really, go sign up now. Half the seats in March are already filled. I want to fill the class, so I hope you take advantage of this offer.

Microsoft Certified Master (MCM) program now offers 30% limited time discount to get trained and certified! (Offer Expires on February 14th!)

Today, Microsoft provides additional support to its customers and partners by offering a limited time 30% discount (US$5,550) for the Microsoft Certified Master programs allowing to you to save on your training investment.

If you're a seasoned IT professional focused on the Microsoft platform, it's time to differentiate yourself from your peers while bringing further IT efficiency to your organization. The Microsoft Certified Master (MCM) advanced training and certification programs have opened their classroom doors for candidates from around the world in Redmond, Washington, United States. The classes are designed for IT professionals with approximately 10 years of experience in the industry and focus on one of the following core Microsoft Server technologies: Microsoft Exchange Server 2007, Microsoft SQL Server 2008, Windows Server 2008 - Directory, Microsoft Office SharePoint Server 2007, and Microsoft Office Communications Server 2007.

A recent survey of program graduates reported increased productivity and billable rates for some certified individuals.

• Learn more about the Microsoft Certified Master Program
• See the full schedule of classes and register

Apply now, and upon acceptance provide payment by February 14th, 2009, to save US$5,550 on the Microsoft Certified Master program of your choice (30% discount)!

Note: training classes in beta have a 50% discount which cannot be combined with this offer.

-- Greg Taylor