
Kraft Kennedy | Technology Blog

Tag: Messaging

One of the shortcomings of Apple’s iOS devices (as of iOS 5.0.1) is the inability to recognize message priority flags.  So if a user with an iPhone receives a message that has been sent with high priority, there is no native feature in the iOS operating system that will alert the recipient to the fact that they have such a message.  However, for iOS users who utilize Microsoft Exchange for their corporate email, there is a way to bring special attention to messages sent with high priority via SMS.

The first step is to create a contact that will serve as the recipient for the SMS message.  You will need to consult the settings for your particular carrier to find the format for this address.  For AT&T users, the format will be [10-digit phone number]@txt.att.net.  Once the contact is created, create an email rule similar to the one below:

Continue reading…

Today, Microsoft has released Service Pack 2 for Exchange 2010: http://blogs.technet.com/b/exchange/archive/2011/12/05/released-exchange-server-2010-sp2.aspx

While there are a number of hotfixes and other items included, there is also some key new functionality being introduced:

  1. Cross-Site Silent Redirection for OWA – This is a tremendous improvement over current functionality where, if a firm leverages redirection between Client Access Servers in different sites (the preferred approach for optimal performance and implementation flexibility), users are prompted with a link and second authentication prompt if they log in to a CAS server in a different site than where their mailbox is currently hosted.  With this new functionality, Exchange can be configured silently to redirect users to the correct CAS server in this situation (without reauthentication or prompting).
  2. Address Book Policies – Address Book Policies provide the long-awaited native functionality support for what is typically referred to as GAL segmentation.  Previously, if firms wanted selectively to exclude some users or contacts from the GAL for specific subsets of users, the firm would need to create and manage security ACLs directly within ADSI.  This was unsupported in Exchange 2003 and 2010 and only narrowly supported for Exchange 2007 (with Dave Goldman’s specific whitepaper).  Address Book Policies will provide an object and policy based method for providing this functionality.
  3. OWA Mini – This will be a lightweight, text-only version of OWA targeted for use on mobile devices or in low bandwidth/resolution scenarios.
  4. Hybrid Configuration Wizard – This wizard will significantly reduce the number of steps required and streamline the process for establishing rich coexistence between an on-premises Exchange 2010 environment and Office 365 (formerly BPOS).

Due to the nature of the new features included, there is an Active Directory schema update required for SP2.

I’ve worked with a few clients that, for various reasons, have modified the FQDN of the SMTP Virtual Server.  By default, an SMTP Virtual Server will respond to an EHLO with the FQDN of the server itself (e.g. NYMAIL01.client.local) but some clients have adjusted this to something entirely different (e.g. SMTP.client.com).  Most of the time, clients have changed this to mask the name of the underlying server responding to SMTP.

While modifying the FQDN of the SMTP Virtual Server certainly does mask this, the actual internal IP address of the server is still listed in the e-mail message headers and, as such, the identity of the server isn’t actually masked.  Furthermore, if a hacker were to compromise a perimeter firewall, not knowing the exact name of the server providing SMTP services would not deter them much.

Continue reading…

Client throttling is a feature of Exchange 2010 that restricts simultaneous connections and processor utilization on a per-user basis so that a single user or rogue process cannot exhaust precious resources on the Exchange server.  However, if not configured properly and adjusted to meet an individual environment’s needs, client throttling can lead to end user frustration and the inability to complete work functions.  Microsoft’s TechNet article here describes client throttling and details for each configurable parameter.  The most common issues associated with client throttling that I’ve seen in client environments are related to delegate mailbox access and third-party integrated applications, which I discuss below.

Continue reading…

Once you have moved all of your mailboxes to Exchange 2010 and properly decommissioned your Exchange 2003 servers (move public folder hierarchies, transition mail flow, move OAB generation, etc.), you may see MSExchange Store Driver event ID 1020 errors like these:

The store driver couldnt deliver the public folder replication message “Hierarchy (PublicFolder@client.com)” because the following error occurred: The Active Directory user wasn’t found.

These errors likely coincide with some public folder replication issues but, more importantly, can also result in NDRs when messages are sent to mail-enabled public folders!  This issue occurs because, even if you properly decommission Exchange 2003, the Servers containers within your legacy Exchange 2003 Administrative Groups still exist within Active Directory, albeit empty.  Exchange assumes that, if a Servers container exists (even if it is empty), a System Attendant object will also exist somewhere inside of it but, if all of your Exchange 2003 servers have been decommissioned, those System Attendant objects actually do not exist.

This issue has been recognized as a bug within Exchange (see the MS Exchange Team Blog article here) and a fix is scheduled for an upcoming Update Rollup release (perhaps Update Rollup 5).  In the meantime, you can safely delete these empty Servers containers via ADSI Edit but make sure that these containers are completely empty before doing so.
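One way to confirm which Servers containers are actually empty before touching anything in ADSI Edit, added here as an example and not taken from the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the Exchange organization lives under the standard `CN=Microsoft Exchange,CN=Services` path of the configuration partition; it only reads from the directory.

```powershell
# Added example: read-only inventory of Exchange "Servers" containers
# and the objects directly beneath each one.
Import-Module ActiveDirectory

# Exchange configuration lives in the configuration naming context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$exchRoot = "CN=Microsoft Exchange,CN=Services,$configNC"

# Every administrative group (legacy and Exchange 2010) has a CN=Servers container.
Get-ADObject -SearchBase $exchRoot -SearchScope Subtree -LDAPFilter '(cn=Servers)' |
    ForEach-Object {
        # OneLevel returns direct children only; a container with no direct
        # children has no descendants at all.
        $children = @(Get-ADObject -SearchBase $_.DistinguishedName `
                                   -SearchScope OneLevel -Filter *)

        [pscustomobject]@{
            Container  = $_.DistinguishedName
            ChildCount = $children.Count
            Empty      = ($children.Count -eq 0)
            Children   = ($children.Name -join '; ')
        }
    } |
    Format-List
```

The Servers container of the Exchange 2010 administrative group will be listed with your current servers as children; only containers under the legacy Exchange 2003 administrative groups that report `Empty : True` match the condition described above.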

For more in my series on Exchange 2010 Notes from the Field, please click here.

One of my earlier Exchange 2010 deployments was at a client that had modified the default inheritance settings of Active Directory such that default security permissions did not apply to some Organizational Units (OUs).  This prevented ActiveSync from creating necessary objects and setting necessary attributes to provision iPhones for these users against their Exchange 2010 mailboxes.  Similar issues occur if you attempt to configure an ActiveSync device for a mailbox associated with a user that is a member of certain privileged groups within Active Directory (e.g. Domain Admins, Enterprise Admins, etc.).

To resolve this issue for the specific case at my client, we simply needed to enable inheritance on the OUs or users where it had previously been disabled.


Resolving this issue for members of privileged groups is a bit more complicated.  Basically, the lack of inheritance is by design for users that are members of privileged AD groups.  Every hour, a background process runs on domain controllers to apply the permissions assigned to the AdminSDHolder template object to all members of privileged groups.  You can review the permissions that will be applied by launching Active Directory Users and Computers, enabling Advanced Features within the View menu, and then reviewing the security permissions of the AdminSDHolder object within the System OU.

The true solution is to provide administrators with separate administrative-only accounts (e.g. JohnAdmin.admin) that are members of the required AD groups and have these administrators use normal, non-privileged accounts (e.g. JohnAdmin) for e-mail functionality.  In some environments, this may not be possible and, as a result, you have two workarounds.  First, you could modify the permissions on the AdminSDHolder template object to include the required Exchange permissions.  I don’t recommend this since you would be modifying a fairly important and engrained aspect of Active Directory for what should be a few isolated users.  Instead, you could temporarily enable inheritance on your administrative users and, as long as you configure these users’ ActiveSync devices before the next application of AdminSDHolder permissions, it will work just fine.  Once an ActiveSync device is provisioned for the user, these special Exchange permissions are no longer required.

For more information on AdminSDHolder, the associated default permissions, and instructions for modifying these permissions, please refer to http://policelli.com/blog/?p=136.
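A read-only way to find the accounts this applies to, added here as an example and not taken from the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses the `adminCount` and `msExchMailboxGuid` attributes to pick out mailbox-enabled accounts that AdminSDHolder protects.

```powershell
# Added example: list mailbox-enabled accounts stamped by AdminSDHolder.
# These are the users whose ActiveSync provisioning is affected, and the
# candidates for being split into a separate admin-only account.
Import-Module ActiveDirectory

# adminCount=1      -> the account has been processed by AdminSDHolder
# msExchMailboxGuid -> present only on mailbox-enabled users
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(adminCount=1)(msExchMailboxGuid=*))'

Get-ADUser -LDAPFilter $filter -Properties nTSecurityDescriptor, memberOf |
    ForEach-Object {
        # Reduce each group DN to its leading CN for display purposes.
        $groups = $_.memberOf |
            ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }

        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            # True means the ACL does not inherit from the parent OU.
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            DirectGroups        = ($groups -join '; ')
        }
    } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

`adminCount` is not cleared when an account is removed from a privileged group, so an account listed with no privileged group in `DirectGroups` may be a former administrator whose inheritance was never re-enabled (nested group membership is not expanded here).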


In some cases, you may encounter an issue where you move a mailbox from Exchange 2003 to Exchange 2010 and, while the move request completed, you receive a warning stating “failed to cleanup the source mailbox after the move.”  All of the content is successfully moved, appropriate attributes are updated to point to Exchange 2010, and all new messages are delivered to the Exchange 2010 mailbox.  However, you will see disconnected mailboxes for the affected users in Exchange 2003 System Manager and you cannot purge the disconnected mailboxes.


The issue can be caused by search folder problems in the Exchange 2003 mailbox and similar issues were fixed in Exchange 2007 via Service Pack 2.  Microsoft describes ways to purge the disconnected Exchange 2003 mailbox at http://support.microsoft.com/default.aspx?scid=kb;EN-US;930363 but the workarounds involve either a number of manual steps or reducing your mailbox retention settings to 0 days and allowing normal Exchange online maintenance to purge the mailboxes.  The latter would also purge any legitimately deleted mailboxes that you may want to retain for some period of time so the safest workaround may be to just wait for your normal online maintenance procedures to purge the mailboxes for you (30 days by default).


Named properties are a legacy mechanism by which Exchange reserves a property ID in a limited addressable space for use by applications.  The history of and issues with named properties are discussed in detail at the MS Exchange Team Blog here but the important note is that, with the explosion of Internet e-mail and numerous applications requiring Exchange to allocate named properties for debatably useful reasons, the number of named properties in Exchange can grow quickly toward predefined quota thresholds.  At this point users could be prevented from sending e-mail from Outlook.

Continue reading…

Every so often, you may encounter issues with DAG name and/or IP address resources going offline in your DAG Failover Cluster with the following (or similar) error code:

Cluster IP address resource ‘Cluster IP Address’ cannot be brought online because the cluster network ‘Cluster Network 2’ is not configured to allow client access. Please use the Failover Cluster Manager snap-in to check the configured properties of the cluster network.

Since all end user client connectivity occurs through the CAS role, this is generally not a user-facing issue but integrated applications that depend on the DAG name for connectivity would fail to connect in this case.  The most common example of an application that could potentially be affected is an Exchange-aware backup application.

Continue reading…

As I’ve discussed in a few previous blog posts, there are numerous reasons that make Exchange 2010 a compelling upgrade for firms running Exchange 2003 or even Exchange 2007.  Specifically, most of my clients have determined the general storage efficiency enhancements and high availability and site resiliency improvements of the Database Availability Group (DAG) to be so compelling as to warrant aggressive timelines for an upgrade.  As a result, since the beginning of 2010, I’ve been involved in over 12 separate Exchange 2010 projects through August 2010, from architecture consulting and design through deployment and transition.  While Exchange 2010 is a stable and robust platform, there are a few quirks or subtleties that I wanted to share for those that are planning or beginning an upgrade.

A list of topics that I plan to cover can be found below and links will be created to each post as it is released.  In addition, as I uncover additional topics to discuss, I’ll add to this list going forward.  Please check back often!

I hope you find these topics useful as you plan for or begin your own upgrades!