Testing access to your Exchange services with Microsoft Exchange Remote Connectivity Analyzer
The Microsoft Exchange Remote Connectivity Analyzer is perhaps the best tool I’ve used in a long time for troubleshooting Exchange external access – it just works! On the forums and websites I read, it doesn’t seem to get the coverage that I’d expect, so I thought I’d give it a mention.
Useful commands for troubleshooting Exchange 2010 routing with Exchange 2003/2007
The environment is a single AD domain with four sites: Site1, Site2, Site3 and Site4. Site1, Site2 and Site3 each have one Exchange 2003 server. Site4 has an Exchange 2007 SP2 server (CAS, Mailbox, HT). All the required connectors were in place and inter-site routing worked as expected.
I introduced an Exchange 2010 Enterprise server (CAS, Mailbox, HT) into Site1 as a prelude to a full upgrade of the site to Exchange 2010. When a test mailbox on the Exchange 2010 server sends to a mailbox on the Site1 Exchange 2003 server, the message routes via the Site4 Exchange 2007 server instead of staying inside Site1.
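The commands I would run first on the Exchange 2010 server to see why same-site mail is detouring through another site. This is an added PowerShell (Exchange Management Shell) example, not part of the original post; the sender address, the one-hour window and the output path are placeholders. The 2010 server can only reach Exchange 2003 through a routing group connector, so the source and target servers on that connector, and the Exchange site-link costs, are where the unexpected hop usually comes from.

```powershell
# Added example (not from the original post): inventory the pieces that decide
# how an Exchange 2010 Hub Transport reaches an Exchange 2003 server.
# The sender address and time window below are placeholders.

# 1. Legacy routing group connectors. The 2010 server can only hand mail to
#    Exchange 2003 through one of these, so check which servers sit on each end.
Get-RoutingGroupConnector |
    Format-List Name, SourceRoutingGroup, TargetRoutingGroup,
                SourceTransportServers, TargetTransportServers, Cost

# 2. Site link costs as Exchange sees them (ExchangeCost, when set, overrides ADCost).
Get-AdSiteLink | Format-Table Name, ADCost, ExchangeCost, Sites -AutoSize

# 3. Which server lives in which site, and at which version.
Get-ExchangeServer | Sort-Object Site |
    Format-Table Name, Site, ServerRole, AdminDisplayVersion -AutoSize

# 4. Follow one test message out of the 2010 server. On SEND events the
#    ConnectorId is the connector actually chosen and ServerIp is the next hop,
#    which is the quickest way to confirm the detour rather than infer it.
Get-MessageTrackingLog -Sender "test2010@example.com" -EventId SEND -Start (Get-Date).AddHours(-1) |
    Format-Table Timestamp, ClientHostname, ServerHostname, ServerIp, ConnectorId, Recipients -AutoSize
```

If the SEND event shows the routing group connector whose source transport server is the Site4 Exchange 2007 box, the 2010 server has no connector of its own into the Site1 routing group and is using the only one it knows about.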
Exchange ActiveSync fails on iPhone after upgrade to iOS4
I’ve spent a fair bit of time today trying to sort out my iPhone sync to my Exchange Server, failing miserably. It used to work, pre-upgrade to iOS4, but for some reason fails to sync.
- iPhone fails to sync, generic timeout error (or is very slow)
- https://www.testexchangeconnectivity.com/ successfully tests the mailbox access
The server was configured as per http://support.microsoft.com/kb/817379/en-us to allow OWA/ActiveSync with SSL on OWA.
The iPhone was configured to accept the SSL certificate on the Exchange Server.
My brother Tom sent me this Apple KB (http://support.apple.com/kb/TS3398) which he’d found from the other side – Exchange servers he was managing were under very heavy load, which is another symptom of this issue.
I installed the new configuration as per the article, restarted the phone and the issue was fixed!
Exchange 2010 “New Local Move Request” and “New Remote Move Request” missing when you right-click a user’s MailBox
I’m currently testing an Exchange 2010 server for the organisation prior to a migration project, specifically testing moving mailboxes backwards and forwards. Something that confused me slightly for a few minutes was this: if there is an existing Move Request for the mailbox (pending, in progress, failed or completed) you will not see the “New Local Move Request” or “New Remote Move Request” actions when you right-click it.
Fortunately this is very simple to counter: clear the old Move Request and the options come back in the Mailbox actions.
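The same check and clean-up from the Exchange Management Shell, as an added example rather than anything from the original post. The mailbox identity and the CSV path are placeholders. The one caveat worth building in: removing a queued or in-progress move request cancels the move, so only clear requests that have actually finished, and keep the statistics from completed requests before you remove them, because they go with the request.

```powershell
# Added example (not from the original post): find, inspect and clear the
# stale move request that hides the "New ... Move Request" actions.
# $Mailbox and the CSV path are placeholders.
$Mailbox = "testuser@example.com"

$req = Get-MoveRequest -Identity $Mailbox -ErrorAction SilentlyContinue
if ($req -eq $null) {
    "No move request exists for $Mailbox; the New Local/Remote Move Request actions should be available."
}
else {
    # Status, progress and any failure detail before deciding what to do with it.
    Get-MoveRequestStatistics -Identity $Mailbox |
        Format-List DisplayName, Status, PercentComplete, TargetDatabase, FailureType, Message

    # Removing a queued or in-progress request cancels the move, so only clear
    # requests that have finished one way or the other.
    $finished = @("Completed", "CompletedWithWarning", "Failed")
    if ($finished -contains [string]$req.Status) {
        Remove-MoveRequest -Identity $Mailbox -Confirm:$false
    }
    else {
        "Move request for $Mailbox is $($req.Status); leaving it alone."
    }
}

# Housekeeping for the whole organisation: keep a record of completed moves,
# then remove the requests so the actions reappear for those mailboxes.
Get-MoveRequest -MoveStatus Completed | Get-MoveRequestStatistics |
    Export-Csv -Path "C:\Temp\CompletedMoves.csv" -NoTypeInformation
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
```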
Fixing “Outlook(R) Mobile Access is supported only on Microsoft(R) Exchange Server 2003. Currently your mailbox is stored on an older version of Exchange server.” on Outlook Mobile Access under Server 2003
So I was testing the configuration on my Exchange 2003 server in preparation for the roll out of some Windows Mobile devices when I received the following error:
Outlook(R) Mobile Access is supported only on Microsoft(R) Exchange Server 2003. Currently your mailbox is stored on an older version of Exchange server. Please contact your system administrator for additional assistance.
"That's odd", I thought, "I only have Exchange Server 2003 in my organisation, how can I have an older version of Exchange?" It turns out that this has nothing to do with the version of Exchange you are using. I have set up my Exchange OWA to require SSL (see previous article on SSL and Integrated Authentication) and apparently this can cause issues for OMA.
The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories cannot access the contents of the user's mailbox if the Exchange virtual directory is configured to require SSL. The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories only try to connect with the Exchange virtual directory over TCP port 80 (HTTP), not over TCP port 443 (HTTPS).
To resolve this, you need to follow these steps from MSKB 817379:
1. Open Exchange Manager.
2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
5. Click the Settings tab, clear the Enable Forms Based Authentication check box, and then click OK.
6. Close Exchange Manager.
7. Click Start, click Run, type IISRESET/NOFORCE, and then press ENTER to restart Internet Information Services.
Note that step 5 turns forms-based authentication off for every OWA client of that HTTP virtual server, not just for OMA and ActiveSync.
Additionally, you must use Internet Information Services (IIS) Manager to create a second virtual directory for Exchange ActiveSync and Outlook Mobile Access to work. If you are using Windows Server 2003, follow these steps:
1. Start Internet Information Services (IIS) Manager.
2. Locate the Exchange virtual directory. The default location is Web Sites\Default Web Site\Exchange.
3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
7. Under Select a configuration to import, click Exchange, and then click OK. A dialog box appears asking whether to replace the existing virtual directory or create a new one; create a new one.
8. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma.
9. Right-click the new virtual directory (exchange-oma in this example), and then click Properties.
10. Click the Directory Security tab.
11. Under Authentication and access control, click Edit.
12. Make sure that only the authentication methods listed in the KB article are enabled, and then click OK.
13. On the Directory Security tab, under IP address and domain name restrictions, click Edit.
14. Click Denied access, click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK.
15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
16. Click OK, and then close IIS Manager.
17. Click Start, click Run, type regedit, and then press ENTER.
18. Locate the registry subkey given in the KB article.
19. Right-click Parameters, point to New, and then click String Value.
20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify. Note: ExchangeVDir is case-sensitive, so type it exactly as it appears here.
21. In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /exchange-oma. Click OK.
22. Quit Registry Editor.
23. Restart the IIS Admin service.
The security point of step 14 is easy to miss: the exchange-oma copy serves mailbox content over plain HTTP, so the deny-everything-except-this-server restriction is the only thing stopping it from becoming a cleartext, non-FBA route into OWA. After the change, request /exchange-oma from another machine and confirm you get a 403 rather than a logon prompt.
Exchange 2003 Email Size Delivery Restrictions…how confusing can it be?
I thought this would be fairly common knowledge by now, Exchange 2003 being quite mature in its 5th year, but it's not something I've had a problem with before and therefore I'm going to write about it!
So a big email comes in; let's say it's 8 MB. Your Exchange 2003 server, set to its defaults for size restrictions, rejects the email. Why? Take a look at this Exchange TechNet article:
When the 8MB message crossed the routing group boundary through SMTP and arrived at the destination server, it was approximately 33 percent larger than the original message because of the inter-routing group SMTP increase…The final message had a content size equal to 11,594,558 (11 MB), and the message exceeded the 10-MB Global Limit, thus returning the 5.2.3 delivery status notification.
Please keep in mind that message send [sic] through SMTP could grow about 10-20 percent because of format conversion (MIME and UUEncode)
For a standard Exchange Server installation, this is how the process of checking the email size goes (see the diagram below for full details):
- Does the email exceed Global Max submission content length?
- Does the email exceed the per-user Max Delivery Length for the recipient?
- If the email is not delivered locally, does the email exceed the Virtual Server SMTP limit?
- If the email is not delivered locally, does the email exceed the Connector limit?
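A simplified model of that check sequence, as an added PowerShell example that is not from the original post or from Microsoft. It applies the roughly 33% inter-routing-group growth quoted above to the size the receiving server sees for the first two checks, and the 10-20% MIME/UUEncode growth to the size that leaves over SMTP for the last two; all limits are placeholders. The useful part is the inverse calculation at the end: the largest original message that actually survives a given limit once the growth is taken into account.

```powershell
# Added example (not from the original post): walk the four size checks in the
# order described above and report which one rejects a message, after applying
# the growth the TechNet article warns about. All limits are placeholders and
# the growth factors are the rough figures quoted in the article.
function Test-ExchangeMessageSize {
    param(
        [long]$OriginalBytes,
        [bool]$DeliveredLocally,
        [long]$GlobalMaxSubmission,      # Global Settings, Message Delivery
        [long]$RecipientMaxDelivery,     # per-mailbox receiving message size
        [long]$SmtpVirtualServerLimit,   # SMTP virtual server message size
        [long]$ConnectorLimit,           # routing group / SMTP connector limit
        [double]$InterRgGrowth = 1.33,   # ~33% after crossing a routing group boundary
        [double]$MimeGrowth = 1.20       # 10-20% for MIME / UUEncode conversion
    )
    # Size the receiving server sees once the message has crossed the boundary.
    $inbound = [long][Math]::Ceiling($OriginalBytes * $InterRgGrowth)

    if ($inbound -gt $GlobalMaxSubmission) {
        return "5.2.3: global submission limit ($inbound > $GlobalMaxSubmission bytes)"
    }
    if ($inbound -gt $RecipientMaxDelivery) {
        return "5.2.3: recipient delivery limit ($inbound > $RecipientMaxDelivery bytes)"
    }
    if (-not $DeliveredLocally) {
        # Size that leaves this server over SMTP after format conversion.
        $outbound = [long][Math]::Ceiling($OriginalBytes * $MimeGrowth)
        if ($outbound -gt $SmtpVirtualServerLimit) {
            return "5.2.3: SMTP virtual server limit ($outbound > $SmtpVirtualServerLimit bytes)"
        }
        if ($outbound -gt $ConnectorLimit) {
            return "5.2.3: connector limit ($outbound > $ConnectorLimit bytes)"
        }
    }
    return "Accepted"
}

# The 8 MB message from the quoted scenario against a 10 MB limit everywhere.
Test-ExchangeMessageSize -OriginalBytes 8MB -DeliveredLocally $true `
    -GlobalMaxSubmission 10MB -RecipientMaxDelivery 10MB `
    -SmtpVirtualServerLimit 10MB -ConnectorLimit 10MB

# The largest original message that survives a 33% inflation under a 10 MB limit.
function Get-LargestSafeMessage {
    param([long]$LimitBytes, [double]$Growth = 1.33)
    [long][Math]::Floor($LimitBytes / $Growth)
}
"{0:N0} bytes ({1:N2} MB)" -f (Get-LargestSafeMessage 10MB), ((Get-LargestSafeMessage 10MB) / 1MB)
```

The point the model makes explicit is that the limit users are told about is not the limit their attachment is measured against; if you promise 10 MB, the global limit has to be set with the growth on top.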
You can set message limits at the following objects:
- Global settings
- System Policy
- Individual mailbox
- Individual message limit
- Distribution list
- Public folder
- Virtual SMTP Server
Create a 100MB file for testing transfer speeds
We have a Bonded ADSL solution for our servers to provide the necessary upstream transfer speeds for the applications we host. We have bonded ADSL because our exchange still doesn't support SDSL, and a leased line is overkill. Theoretically, we should have 28.1 Mbps download and 3.2Mbps upload – what I am actually seeing is about 1.7Mbps down and 1.9Mbps up. I have tested this on various servers, over various times and file sizes, there is no doubt that the performance is POOR.
Anyway, on to my point. I wanted to create a file that was exactly 100MB to test transfer speeds. Windows XP, Vista, 2003 and 2008 all have a command line utility called FSUTIL.exe which has a set of sub-commands to manipulate files, with which you can create a file of an exact size. The size is given in bytes, so 100MB is 100 × 1024 × 1024 = 104857600 bytes (1048576 would give you a 1MB file):
FSUTIL FILE CREATENEW 100MBTest.mdb 104857600
Usage: FSUTIL FILE CREATENEW [Filename] [Size in bytes]
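One caveat before trusting the numbers: FSUTIL FILE CREATENEW gives you a zero-filled file, and any compression on the path (a WAN optimiser, a compressing copy tool, a modem's own compression) will squash 100MB of zeros to almost nothing and make the link look far faster than it is. The added PowerShell example below, which is not from the original post, builds the test file from random bytes instead and times a copy; the output path and the UNC share are placeholders.

```powershell
# Added example (not from the original post): build a 100 MB test file from
# random bytes so that compression anywhere on the path cannot flatter the
# result, then time a copy of it. Paths are placeholders.
function New-RandomTestFile {
    param([string]$Path, [long]$SizeBytes = 100MB)
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] 1MB
    $stream = [System.IO.File]::Create($Path)
    try {
        $written = [long]0
        while ($written -lt $SizeBytes) {
            $rng.GetBytes($buffer)                      # fresh random data per chunk
            $chunk = [int][Math]::Min($buffer.Length, $SizeBytes - $written)
            $stream.Write($buffer, 0, $chunk)
            $written += $chunk
        }
    }
    finally {
        $stream.Close()
    }
    Get-Item $Path   # Length is exactly $SizeBytes
}

$file = New-RandomTestFile -Path "C:\Temp\100MBTest.bin"

# Time the upload and report it in the decimal megabits per second ISPs quote.
$elapsed = Measure-Command { Copy-Item $file.FullName "\\server\share\100MBTest.bin" }
"{0:N2} Mbit/s over {1:N1} s" -f (($file.Length * 8) / 1000000 / $elapsed.TotalSeconds), $elapsed.TotalSeconds
```

Run it a few times at different hours, as the post does, and compare against the 3.2 Mbps the bonded line is supposed to give; a random-filled file that still comes in at under 2 Mbit/s rules compression out as the reason.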
Outlook Web Access over SSL using Forms Based Authentication AND Integrated Authentication
Outlook Web Access is a fantastic tool for our company, providing on-the-go access to people's mailboxes, which is of course secured by SSL and uses Forms Based Authentication. Internally, we have an intranet portal that allows us to access the various systems, one of which is OWA. One of the stipulations for this internal portal is that it is all Single Sign On using NTLM authentication (integrated authentication). This is where the problem lies, because enabling OWA with Forms Based Authentication over SSL disables Integrated Authentication. So our choice is to have users enter their credentials twice (not acceptable) or to disable FBA and have external users log on with the annoying pop-up.
You can create a copy of the /Exchange and /Public virtual directories and configure them to use Integrated Authentication. You can also restrict access to them by IP. Here's how:
I'm assuming you've already set up OWA with SSL on your Exchange server. If you need to do that, try "How do I configure OWA to use SSL?" at Daniel Petri's site.
- Log onto your Exchange Server and open up the IIS control panel. Locate your /Exchange and /Public virtual directories.
- Right-click /Exchange, select "All Tasks" and then "Save Configuration to a File".
- Go through the dialogue, save to a file and, if you're worried about security, add a password.
- Once you're done, right-click any white space in the root web site (or the Exchange web site) and select "New", then select "Virtual Directory (from file)…".
- You will be presented with the "Import Configuration" dialogue. Click "Browse…" and select the file you've just created. Click "Read File" and select the Exchange location underneath.
- Click "OK" and you'll be asked to provide a new name, or replace the existing virtual directory. Select "create a new one" and put in an appropriate name (I used ExchangeIA).
- Now, this step is optional, but read on anyway because you might want to think about it. I only want to allow people on my network to access this using Integrated Authentication, no one else, so I am going to restrict access to the virtual directory I've just created to my IP subnet. To do this, right-click the newly created virtual directory (ExchangeIA) and select the "Directory Security" tab. Under "IP address and domain name restrictions" click "Edit". Select "Denied access" to deny anyone other than the exceptions, then click "Add…" and enter the details of your network to allow those computers access. Bear in mind that the IP restriction only narrows who can reach the Integrated Authentication endpoint; it is not authentication itself, and the copy should keep the SSL requirement it inherited from /Exchange.
- Now head back to step 1 and repeat for the /Public folder, if Integrated Authentication is required for Public Folders.
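Both procedures on this page, the exchange-oma copy from MSKB 817379 above and the ExchangeIA copy here, come down to the same three operations: clone the /Exchange metabase node, change its authentication and SSL settings, and restrict it by IP. The PowerShell below scripts them so they can be repeated on every front-end server identically. It is an added example, not code from the post or from Microsoft, and it assumes IIS 6 with its ADSI provider, Default Web Site as site 1, adsutil.vbs in the default AdminScripts folder, placeholder IP addresses, Basic plus Integrated as the two methods the KB lists for exchange-oma, and the MasSync registry path as I recall it from the KB (verify the last two against the article). The IPSecurity round trip through Properties["IPSecurity"].Value is the pattern the IIS 6 scripting samples use; try it on a non-production server first.

```powershell
# Added example (not from the original post or from Microsoft): clone the
# /Exchange virtual directory with adsutil.vbs and the IIS 6 ADSI provider, then
# set authentication, SSL and IP restrictions on the copy.
# Assumptions: Default Web Site is site 1; adsutil.vbs is in the default
# AdminScripts folder; every IP address below is a placeholder.
$AdsUtil = Join-Path $env:SystemDrive "Inetpub\AdminScripts\adsutil.vbs"

function Copy-IisVirtualDirectory {
    param([string]$Source, [string]$Destination)   # metabase paths, e.g. W3SVC/1/ROOT/Exchange
    # adsutil.vbs COPY replicates every property of the source node, which is what
    # "Save Configuration to a File" / "Virtual Directory (from file)" does in the GUI.
    & cscript.exe //nologo $AdsUtil COPY $Source $Destination | Out-Null
}

function Set-IisVdirSecurity {
    param(
        [string]$Path,                  # metabase path of the new copy
        [int]$AuthFlags,                # 1 = Anonymous, 2 = Basic, 4 = Integrated Windows
        [bool]$RequireSsl,
        [string[]]$AllowedAddresses     # "ip, mask" entries; every other address is denied
    )
    $vdir = [ADSI]"IIS://localhost/$Path"
    $vdir.Properties["AuthFlags"].Value = $AuthFlags
    $vdir.Properties["AccessSSL"].Value = $RequireSsl      # "Require secure channel (SSL)"
    $vdir.SetInfo()

    # IPSecurity is a COM object: read it, change it, write it back, commit.
    $ipsec = $vdir.Properties["IPSecurity"].Value
    $ipsec.GrantByDefault = $false                         # the "Denied access" radio button
    $ipsec.IPGrant = $AllowedAddresses                     # the exception list
    $vdir.Properties["IPSecurity"].Value = $ipsec
    $vdir.SetInfo()
}

# --- exchange-oma (MSKB 817379): no SSL, reachable only from the server itself ---
Copy-IisVirtualDirectory -Source "W3SVC/1/ROOT/Exchange" -Destination "W3SVC/1/ROOT/exchange-oma"
Set-IisVdirSecurity -Path "W3SVC/1/ROOT/exchange-oma" -AuthFlags (2 + 4) -RequireSsl $false `
    -AllowedAddresses @("192.0.2.10, 255.255.255.255")    # placeholder: this server's own IP

# Point ActiveSync/OMA at the copy. Subkey as given in MSKB 817379 (assumption: verify).
$MasSyncKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters"
if (-not (Test-Path $MasSyncKey)) { New-Item -Path $MasSyncKey -Force | Out-Null }
New-ItemProperty -Path $MasSyncKey -Name "ExchangeVDir" -Value "/exchange-oma" -PropertyType String -Force | Out-Null
Restart-Service IISADMIN -Force

# --- ExchangeIA (this post): SSL kept, Integrated Windows only, intranet subnet only ---
Copy-IisVirtualDirectory -Source "W3SVC/1/ROOT/Exchange" -Destination "W3SVC/1/ROOT/ExchangeIA"
Set-IisVdirSecurity -Path "W3SVC/1/ROOT/ExchangeIA" -AuthFlags 4 -RequireSsl $true `
    -AllowedAddresses @("192.168.1.0, 255.255.255.0")     # placeholder: the intranet subnet
```

The two copies differ in exactly the way the two sections describe: exchange-oma drops the SSL requirement, so its grant list must contain nothing but the server's own address, and that restriction is what keeps a cleartext OWA path off the network; ExchangeIA keeps SSL and only trims who can reach the Integrated Windows endpoint. In both cases check from a host that is not in the grant list that you get an HTTP 403 and not a credential prompt.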
Exchange 2007 and Outlook 2007 remove categories from emails, tasks, calendar etc.
It seems that the nice people at Microsoft were looking out for us, lest the evil people in the world see how we categorise our email, and decided to strip away any category information from sent and received objects by default. Sure, I understand if you were categorising emails from someone as "sneaky git" or "numbnuts" then you might not be too happy about sending those out…but really it should be your choice right?
Did you know, for example, that in your Outlook 2007 rules there is a sneaky little rule, enabled by default, that clears the categories?
Removing that is an obvious first step!
The next step involves editing the registry, so make sure you know what you are doing before editing, always back the registry up first
There are also some registry values you'll need to add, so open up Regedit and, under HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Preferences, create DWORD values SendPersonalCategories and AcceptCategories, each set to 1. You'll need to restart Outlook for them to apply.
Finally, as per this TechNet article, log on to your Exchange server as an Exchange Organisation Administrator and run the following command in the Exchange Management Shell
Set-TransportConfig -ClearCategories $False
You should be able to send and receive emails, appointments, tasks and any other Exchange object that supports categories, complete with category intact.