MCM Exchange 2010 Video Previews

Fame at last! Well not really, but here (http://blogs.technet.com/b/themasterblog/archive/2010/12/28/mcm-exchange-video-preview.aspx) is a video introducing the MCM Exchange class posted on the MCM Blog. The video is a 30 minute segment from the class without the interaction amongst the students that the class always has, and the reason for this lack of interaction is that it was recorded in the front room of my house.

Typically this content (the Header Firewall and Connector Permissions) could take one hour or more to cover when you include specific examples, a lab and all the different things to be aware of with regard to the subject.

GoDaddy SSL Certificate Approval with TXT Records

I had a bit of an issue with Go Daddy yesterday in that they took 5 days to approve a Subject Alternative Name change to a certificate, and as the usual route of adding a file to a website was unavailable to me I decided to prove ownership of the domain by the addition of a new TXT record to the domain.

Go Daddy’s instructions for doing this are only suitable for domains hosted at Go Daddy and there are no clear instructions for doing this if you do not use Go Daddy for your DNS hosting.

So how do you create an SSL approval with TXT record? You do it by creating a TXT record for a subzone. The subzone is DZC and the value of the record is the seven character string that Go Daddy sent you via email. For example dzc.domain.co.uk TXT AbCdEfG.

Once DNS has replicated to ALL of your DNS servers you can return to Go Daddy’s web form and approve your SSL certificate. You can check if all your DNS servers have your new data by using NSLookup or Dig, but preferred is the use of either of these two tools from an independent third party on the internet – for example www.kloth.net/services/nslookup.php or www.dnssy.com/lookup.php.

Unknown Error, Outlook 2003 and Exchange 2010

It’s a well documented issue with Outlook 2003 connecting to Exchange 2010 that means Outlook 2003 is not as responsive in Online mode as it was with legacy versions of Exchange Server (http://support.microsoft.com/kb/2009942).

What is less well documented is an odd error message that can appear because of this interaction.

Imagine the following scenario. User on Outlook 2003 has lots of messages to delete, and deletes them one at a time. Outlook will not refresh the display for up to 5 seconds (the lowest setting that you can tell Outlook to refresh, via the Maximum Polling Frequency registry key). The problem is that if the user deletes a message and it does not disappear from the screen and then (thinking its gone, and the highlight has moved onto the next message) presses delete again. Outlook generates “Unknown Error” – which is not exactly helpful, and could appear as often as every other message that is deleted.

How to fix: Cached mode (though in the scenario I came across the above it was Outlook on a Terminal Server, so that’s not an option), upgrade the client version of Outlook, or use Shift or CTRL select and delete all your emails in one go!

iPhone 4 and Exchange 2003/2010 ActiveSync Slow Performance

This is a well known problem now, and has been since the first releases of the iPhone 4 in July 2010. Later updates to iOS (4.1 and later) do not exhibit this problem, but if you are upgrading an Exchange 2003 organization to Exchange 2010 there comes a point where you switch over the endpoints that the users connect to. Its at this switchover that you will experience performance issues if there are any unpatches iPhones in your user population. But, and here is the catch, as you have yet to migrate these users to Exchange 2010 you cannot use the Allow/Block/Quarantine feature (ABQ) of Exchange 2010 to restrict the phones access attempts.

The phones will connect to Exchange 2010 and be proxied to Exchange 2003 and the performance issues will set in. So how do you stop the phones at Exchange 2010?

You use a feature of IIS instead, you can block query string values in the Request Filtering feature of IIS 7.5 (or installable add-on for IIS 7.0).

Add the following to the web.config in c:\inetpub\wwwroot to globally block iPhones, and once you have a list of bad specific devices you can expand this list some more.

<system.webServer>
  <security>
    <requestFiltering>
      <denyQueryStringSequences>
        <add sequence="DeviceType=iPhone" />
      </denyQueryStringSequences>
    </requestFiltering>
  </security>
</system.webServer>

Windows Search Across The Network

Windows 7 has Windows Search built in, but it will only index locations on the local PC or folders that you have made available offline.

What about the rest of your network? An error you might see because of this is “This network location can't be included because it is not indexed”. If the servers also get an install of Windows Search on them then Windows Search on the client can talk to the Windows Search instance on the server and produce one set of search results, covering all network locations and local folders.

How do you tell the client which servers to communicate with for search results? You need to add the folders that you are interested in querying the index for to your Libraries on Windows 7. Let’s walk through this process.

Install Windows Search on your servers

If you are running Windows 2008 then add the File Services/Windows Search Server role. You probably have some of the File Services role already installed, and in that case use Add Role Services to add the Windows Search Service role.

If you are running Windows 2003 Server then you can install Windows Search 4.0 as a download from Microsoft.

The installation in Windows 2008 will ask for the storage locations to index, and you need to include the drives that contain your shared folders.

Once installed the index for the search will begin to be created. This can take some time initially, and if you want to be able to index content other than the default content (see http://msdn.microsoft.com/en-us/library/bb233501.aspx for the default filters installed) then you should install these filters as soon as possible (to save the index needing to redo files it does not know first time around). Most importantly you need to install Adobe Reader iFilter if you want to filter .pdf documents and the Microsoft Office 2010 Filter Pack if you want to index the new file formats for Microsoft Office.

Adobe have a free filter (download the correct one based on the version of your server) and Foxit Software have a paid for one, which is more reliable than the Adobe one. Adobe are on version 9 at the time of writing and can be downloaded from http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025 for the x64 version (which is the one needed if you are running SBS 2008).

The Microsoft Filter Pack can be downloaded from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5CD4DCD7-D3E6-4970-875E-ABA93459FBEE&displaylang=en

Other iFilters for other document types exist. If you are running a 32bit version of Windows then an installation of Adobe Reader will include the 32bit iFilter. A search of Google for “iFilter” will show you others.

Finally, via Control Panel > Indexing Options > Advanced you can set the location where the search index data is to be stored. This can total up to 40% of the size of the indexed content and so should be placed on a suitably sized disk. You need to restart Windows Search to move this index.

Configure Windows 7

Once the search is configured, you can add the shared folders to the Libraries feature in Windows 7. To do this open Explorer to Computer and under Desktop you will find Libraries. Create a new Library called “Network” (or a name of your choice)" and add the shared folders on the server that is now indexed to the library. Note you cannot add shared folders that are not included on a server running search to a Library.

Now you can go to Start and type keywords into the Search bar and find documents on the local machine or on remote servers!

Configure Legacy Clients

Windows XP and Vista can have Windows Search installed, but do not support Libraries. For a legacy client to search a network location they need to open the network location (either via mapped drive letter or directly with the \\server\share UNC path format. The client will query the search server remotely and return quick results. There is no way on the legacy clients to do a single search from the Start Menu or Taskbar search box of all your locations in one go, unlike Windows 7.

If you have many servers then consider Microsoft FAST Search Server 2010 for SharePoint instead.

VirtualBox

I am presenting at Exchange Connections 2010 later this year, and I need to set up some demo machines. I need my demo to run Exchange 2010, which is a 64bit application and I do not have guaranteed internet access so I cannot run my demo’s via my lab machines in the UK.

But I cannot use Virtual PC 7 installed on my Windows 7 laptop. And I do not want to reinstall my laptop with Windows 2008 Server to allow me to run Hyper-V.

So I have installed Oracles VM desktop product, VirtualBox. And this blog is just to describe how to do what we know as base images and differencing files in Virtual PC/Hyper-V on VirtualBox, and to use the VHD disk format which VirtualBox supports so that I have the option of moving my virtual servers between Virtual PC (if it ever supports x64 guests), Hyper-V servers and VirtualBox.

So to create a new VHD hard disk for use in VirtualBox open a command prompt, change to the directory in which you installed VirtualBox (probably C:\Program Files\Oracle\VirtualBox) and run the following command:

VBoxManage createhd --filename "path\filename.vhd" --size 130048 --format VHD --variant standard --remember

This will create a dynamically expanding hard disk in the location specified, in the Microsoft VHD format, and 130048KB (127GB).

Next you create a new virtual guest in the VirtualBox application (or via the VBoxManage command line if you wish) that uses this existing disk.

Boot this virtual guest, and then install the required OS and patches etc. Once this guest is ready to be a base image you can shut it down. If you are going to use this base images as a Domain Controller then you need to reset the SID’s on the device using either NewSID from Sysinternals or Sysprep before you move onto the next step.

Now that you have the base image, you need to mark it as such in VirtualBox. This is done from the command line:

VBoxManage modifyhd "path\filename.vhd" --type immutable

And then you need to delete the virtual guest settings that you used to create this disk. This disk is not deleted.

To create the virtual guests that use the “immutable” disk (aka parent/base disk) in Virtual PC/Hyper-V you would need to make a second disk, but not in VirtualBox. Here you just use the same disk. As you have marked it as immutable a snapshot disk will be created (in the .VirtualBox folder of your profile) and all changes will be written to this disk instead.

Restrictive Throttling Policies in Exchange 2010

Exchange Server 2010 has the ability to limit user and administrative actions. But in testing this feature in a lab I set the default policy (which by default affects everyone, including the Administrator account) to a policy that stopped me undoing the policy again!

I ran Set-ThrottlingPolicy def* -PowerShellMaxConcurrency 1 -PowerShellMaxCmdletsTimePeriod 1000 -PowerShellMaxCmdlets 1 which had the effect of saying I could open one PowerShell session (that is okay - its my lab environment), run a single cmdlet (maybe a bit too low) and to run one cmdlet every 1000 seconds. I had not worked out that 1000 seconds is over 15 minutes.

The problem came two days later, starting Exchange Management Shell and connecting to the remote PowerShell endpoint obviously invokes more than one cmdlet. The second cmdlet is terminated, and so Exchange Management Shell cannot start - ever!

The error message I got was:

The WS-Management service cannot process the request. The user load quota of X requests per Y seconds has been exceeded. Send future requests at a slower rate or raise the quota for this user. The next request from this user will not be approved for at least Z milliseconds.

X is the value of PowerShellMaxCmdlets and Y is the PowerShellMaxCmdletsTimePeriod

So to fix I cracked open ADSIEdit - not to be done lightly, as it runs the risk of destroying the entire Exchange organization and Active Directory.

To fix this and reset the Throttling Policy connect to the Configuration Naming Context in ADSIEdit and navigate to CN=Global Settings,CN=organization name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain. Open CN=Default Throttling Policy_guid and edit msExchPowerShellThrottlingPolicyState to read:

v~0~con~18~cmds~-1~per~-1~que~-1~excmds~-1

Once Active Directory replicates you will be able to run PowerShell cmdlets in Exchange Management Shell. The first cmdlet I would run would be one to ensure that you are back to the default policy just in case you made a mistake in ADSIEdit:

Set-ThrottlingPolicy def* -PowerShellMaxConcurrency 18 -PowerShellMaxCmdletsTimePeriod $null -PowerShellMaxCmdlets $null -PowerShellCmdletQueueDepth $null