Archive for the 'Exchange' Category

Exchange 12 installation screenshots

Monday, March 20th, 2006

Here are some screenshots from the Exchange 12 installation process. Click on the images for a larger view.

[Screenshots: E12 Installation 1 to E12 Installation 6]

Exchange 12 First Installation

Friday, March 17th, 2006

Ok, our first Exchange 12 server is up and running. As this is a test environment and we are using slightly dated hardware we installed the 32 bit version. There is an excellent post at You Had Me At EHLO that talks about choosing Exchange 2003 hardware that can be reutilised for Exchange 12.

We installed on to a Windows 2003 R2 member server. This was part of a domain where we had raised the domain and forest functional levels to Windows Server 2003 Native. This is achieved via Active Directory Domains and Trusts. One of the pre-requisites in the Exchange 12 Release Notes is to have a domain functional level of Windows 2000 Native or greater. The default is Windows 2000 Mixed.

Other pre-requisites included Microsoft .Net Framework 2.0 (found under Optional in Windows Update) and Microsoft Management Console 3.0 (found here). We also assumed the Exchange 2003 pre-requisites of ASP.NET, IIS, SMTP and NNTP but our first attempt at installation failed because NNTP must not be installed.

After running setup and accepting the licence agreement we were presented with a choice of server roles. These were:

Bridgehead
Allows the routing between Active Directory Sites (it appears routing groups and admin groups have been dropped).

Mailbox Server
Provides the backend functionality including mailbox and public folder stores.

Gateway Server
Runs in your DMZ to provide ‘messaging hygiene’. I figure that’s virus scanning and spam filtering.

Client Access Server
Provides client connectivity for methods other than Microsoft Outlook e.g. OWA, ActiveSync.

Unified Messaging Server
Integration with the corporate phone system.

For this server we chose Mailbox Server as we have a second server to be built which will take the Bridgehead and Client Access roles.

I noticed that there were no /domainprep or /forestprep commands to be run. This appears to be covered in an installation step called Organisation Preparation.

So after 3 unattended steps (Copy Files, Organisation preparation and Server Roles) the installation was complete…

Note: I’ll update this post with some screen shots from our second installation.

Exchange 12

Friday, March 17th, 2006

We’re just beginning a pilot/test implementation of Exchange 12 beta running on a global Windows 2003 R2 Active Directory. This is a sandpit environment separate from our production AD.

The initial infrastructure will have routing groups in the UK, US, Canada, Australia, Brazil and possibly New Zealand. Each site will start with a domain controller, front-end server and back-end server but this will expand as we manage to source additional hardware or make use of virtual servers. I hope to be able to add clusters and possibly storage area networks to the environment.

I’m installing the first Exchange server today so expect posts on Exchange 12, Active Directory and Monad over the next few weeks.

Using Telnet to troubleshoot SMTP connectivity

Friday, March 10th, 2006

There are situations where you may want to manually test SMTP connectivity. Some of the common ones for me are:

  • When messages are queuing for delivery to or being rejected from a particular domain.
  • When I have an application that uses SMTP for notifications but none are being sent.
  • Running a basic open relay test.

In the case of queued/rejected messages I’ll first check the MX records for the problem domain via www.dnsstuff.com. For small companies you often see the primary MX record pointing to their server and a secondary record pointing to their ISP. It’s been my experience that the ISP’s mail server is often not configured to store and forward for the domain and instead rejects the message as a relay attempt. This becomes an issue when the primary MX record is unavailable (perhaps the company’s server or Internet connection is down).

So here’s my troubleshooting process in detail:

  • Check the MX records for the problem domain via www.dnsstuff.com.
  • From the mail server that connects to the destination server (in our case a MailSweeper box) open a command prompt.
  • Type telnet mailhost 25 (Mailhost is the host name found in the MX record e.g. myserver.mydomain.com)
  • If the mailhost is available you should get a response similar to “220 mydomain.com” followed by some text that identifies the email server software. It is also possible that you get a simpler response designed not to give away any information to potential hackers. If you telnet to my company’s external mail servers you’ll simply get “220 SMTP Relay”.
  • If the connection fails you may want to take some additional troubleshooting steps like verifying that the mailhost resolves to an IP address. If you still cannot connect then try the next MX record in order of priority as this is what your mail server would do.
  • Once you get a response you need to say hello by typing helo.
  • The receiving server should respond with “250 mydomain.com yourIPaddress” or something similar.
  • Now you have to simulate sending a message from your domain. To do this first type mail from:youremailaddress e.g. mail from:ant@mycompany.com.
  • You should see a response similar to “250 Sender OK”. If you get a rejection it will hopefully give you some additional information to identify why.
  • Now enter the destination email address by typing rcpt to:destinationemailaddress.
  • You should get a response like “250 destinationemailaddress” although this is often the point where you’ll get an “unable to relay” message if there’s a configuration issue or if you are genuinely trying to relay a message through a closed server.
  • Next we need to enter the subject and body text so type the command data which should respond with something like “354 Start mail input; end with .”
  • To add a subject you need to type Subject:my_subject_text followed by a carriage return.
  • You can then type the body text. When you are finished start a new line type a full stop then hit return.
  • You’ll see something like “250 message queued for delivery”.

Following this process through allows me to see at which point it fails and hopefully to obtain a clue as to why.

If I’m troubleshooting an application that should be sending SMTP notifications I would run the commands on the same box as the application and telnet to the SMTP server used in the application settings.

If I’m testing one of my boxes to ensure it’s not an open relay I would telnet to it but use an external email address for both the From address and the To address. I would expect to see a rejection after the RCPT TO: command.
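The same dialogue scripted so that the step at which it fails is reported rather than read off the telnet window, and so that the open relay check above (external From and To, expecting a rejection at RCPT TO) can be repeated against your own servers. This is an added example, not code from the original post: the server transcripts it replays are constructed, the host names and addresses are placeholders, and addresses are sent in RFC angle-bracket form rather than the bare form typed above.

```python
import io
import socket

def read_reply(rfile):
    """Read one SMTP reply; a '250-' line continues a multi-line reply until the final '250 ' line."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return int(lines[-1][:3]), " / ".join(lines)

def smtp_walkthrough(rfile, wfile, helo_name, mail_from, rcpt_to, subject="test", body=None):
    """Replay the telnet session; stop at the first unexpected reply, so the last entry is the failing step."""
    steps = [("banner", None, 220), ("HELO", "HELO " + helo_name, 250),
             ("MAIL FROM", "MAIL FROM:<%s>" % mail_from, 250), ("RCPT TO", "RCPT TO:<%s>" % rcpt_to, 250)]
    if body is not None:
        # A line holding a lone '.' ends the message, so body lines starting with '.' are dot-stuffed.
        stuffed = "\r\n".join(("." + l if l.startswith(".") else l) for l in body.splitlines())
        steps.append(("DATA", "DATA", 354))
        steps.append(("end of data", "Subject: %s\r\n\r\n%s\r\n." % (subject, stuffed), 250))
    results = []
    for step, cmd, expected in steps:
        if cmd is not None:
            wfile.write(cmd + "\r\n")
            wfile.flush()
        code, text = read_reply(rfile)
        results.append((step, code, text))
        if code != expected:
            break
    wfile.write("QUIT\r\n")
    wfile.flush()
    return results

def open_relay_suspected(results):
    """Relay test (external From and To): a closed server rejects at RCPT TO; a 250 there is the warning sign."""
    return any(step == "RCPT TO" and code == 250 for step, code, _ in results)

def replay(scripted_replies, **kw):
    """Run the walkthrough against a canned server transcript (constructed, for offline use)."""
    rfile, wfile = io.StringIO("".join(r + "\r\n" for r in scripted_replies)), io.StringIO()
    return smtp_walkthrough(rfile, wfile, **kw), wfile.getvalue()

def walk_live(host, port=25, **kw):
    """The same dialogue against a real mail host, e.g. the one named in the domain's MX record."""
    with socket.create_connection((host, port), timeout=15) as sock:
        f = sock.makefile("rw", encoding="ascii", newline="")
        return smtp_walkthrough(f, f, **kw)
```

`walk_live("mailhost.example", helo_name="testbox.example", mail_from="ant@external.example", rcpt_to="someone@other.example")` runs the relay check against a live host; `replay` drives the same logic from a canned transcript.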

Customise Exchange 2003 NDRs?

Tuesday, February 21st, 2006

I was asked today if it’s possible to customise the text in the non-delivery reports that Exchange 2003 sends. To the best of my knowledge this can’t be done if you are just using Exchange. However, if you run a product like MailSweeper you could intercept outbound NDRs that match particular criteria and then modify the content before allowing them to be delivered. That’s how I would tackle it if we had the requirement in our organisation.

File level AV scanning on an Exchange server

Friday, February 3rd, 2006

I first started working with Exchange in 1998 and up until a couple of years ago usually avoided installing a file level real-time anti-virus scanner on a dedicated Exchange server. (The exception to this is where an Exchange server has other functions like file sharing, or is a Small Business Server.) Unfortunately with the growing number of nasties in circulation a file level (and memory resident) AV scanner has become a precautionary requirement.

If you do use file level anti-virus scanning you should exclude the databases, logs and SMTP Mailroot folders. Failure to do so could leave you with possible log/DB corruption and excessive CPU time on your AV processes. In fact, I’d recommend excluding all Exchange folders from scanning. This also applies to scheduled and manual scans.

Exchange POP3 mailbox access in a front-end/ back-end topology

Tuesday, January 24th, 2006

So you’ve got your nice front-end/back-end topology and you have an application that needs POP3 access to a mailbox. You enable POP3 on the front-end but your application still can’t connect? There seems to be a common misconception (and one that I had when I first started working with Exchange 2000) that in a front-end/back-end environment you only need to enable POP3 on the front-end servers. This isn’t the case. You also need to enable POP3 on any back-end servers that will be hosting the mailboxes that you require access to. This also applies if you are using IMAP4.

Keeping the above in mind the front-end/back-end principle works perfectly. We have several shipping applications that use POP3 to access mailboxes. By pointing them to the network load balanced address of our front-end servers we don’t need to reconfigure the application if we move the mailboxes around. We still have to follow strict change control with any move but it makes our lives and those of the application admins a whole lot easier.

To enable POP3 on a regular back-end mailbox server just enable the Microsoft Exchange POP3 service in the Services MMC console and ensure the POP3 Virtual Server is started in Exchange System Manager. Depending on your policy settings you may also need to enable POP3 on the Exchange Features tab of the user object in Active Directory Users & Computers. However, if the mailbox resides on a cluster server there are a few more steps to follow:

Firstly enable the Microsoft Exchange POP3 service on all nodes. I speak from bitter experience when I say that if you leave it as disabled when you add a POP3 cluster resource the cluster will be unable to bring it online and will try to fail over.

Microsoft Exchange POP3 Service

Next you need to add the cluster resource. In Cluster Administrator right click on your cluster group and select New > Resource. Complete the required information making sure you select the correct Resource Type.

Cluster Resource

On the next screen select the nodes to be the possible owners.

Possible Owners

Finally select the Microsoft Exchange System Attendant as a dependency. Once the setup of the resource is complete you should be able to bring it online successfully.

To DMZ or not to DMZ?

Thursday, January 19th, 2006

A DMZ (de-militarised zone), also known as a perimeter network, is an area of network between the Internet and your internal LAN. It is commonly used to place servers that are accessible from the Internet in an effort to protect your internal infrastructure.

There are differing opinions on how a DMZ should be used with your Exchange/messaging environment. Some feel that Exchange front-end servers should be placed within the DMZ which requires some configuration on the servers and firewall. Others, including myself, feel that port forwarding/filtering on a good firewall is sufficient and the front-end servers can be placed on the LAN, which is a more convenient approach. Microsoft offer a guide on front-end/back-end topology including the use of a DMZ. You can also find information on hardening your front-end servers here.

My ideal topology, and one we have implemented here, is to have a 3rd party mail gateway in the DMZ that then forwards to front-end servers on the internal network. This allows for multiple layers of defence and should prevent the majority of viruses and malicious payloads reaching the internal servers/network. Services like OWA, RPC-HTTP and ActiveSync are offered by port forwarding from the firewall to the front-end servers. In my opinion this approach offers a good balance between administrative overhead and security.

Load balancing Exchange front-end servers

Wednesday, January 18th, 2006

If you have an enterprise and/or high volume environment you may want to consider load balancing your front-end servers to improve resilience and performance. In the current organisation that I manage we use three HP blade servers as load balanced front-end boxes in each routing group. We use the load-balanced addresses for offering OWA, HTTP-RPC and ActiveSync, as well as for SMTP and POP3.

Microsoft provide an excellent FAQ on load balancing with Windows 2000/2003 which includes information on configuration and best practices.

Some points worth considering:

  • You need to specify the ports that you wish to load balance so if you are going to use it for SMTP, POP3, HTTPS etc you’ll need to know the port numbers. You can configure a range of ports but I prefer to be specific.
  • A host entry for the load balanced address is not automatically created in DNS.
  • Your routing group and SMTP connectors don’t support the load balanced address as a bridgehead so you’ll have to specify your front-end servers individually.
  • As touched on in a previous post you may have issues when accessing a load balanced address through a firewall. Specifically, one particular server is favoured and if it goes offline then the other nodes do not take over. These issues have been documented by Cisco.

Correcting user account and mailbox associations

Friday, January 6th, 2006

We’ve been running in mixed-mode for some time and occasionally come across a user that was migrated from NT4 with two accounts in Active Directory. This is often flagged because they cannot log in to Outlook Web Access. On inspection only one of the user accounts has a mailbox associated with it. A closer look shows that the account without the mailbox has the correct user ID (the one they log in with), whereas the account with the mailbox has a garbage user ID that has been auto-created by the Active Directory Connector. We therefore need to swap the mailbox association and delete the incorrect account. Here’s the process that we use:

  • In Active Directory Users & Computers note SMTP addresses, group memberships, address and phone details of the account currently associated to the mailbox.
  • Note the current mailbox store.
  • Remove the Exchange attributes from the account.
  • Rename the account to have a prefix of ‘Disabled –’. Disable the account and move it to the Disabled Accounts OU (this is an OU we have created in our AD).
  • Connect Exchange Admin to the Exchange 5.5 server at the other end of the relevant connection agreement.
  • Delete the mailbox entry in Exchange Admin.
  • In ESM find the correct mailbox store. Expand and right click on the Mailboxes folder and select ‘Run Cleanup Agent’.
  • Refresh the view and the mailbox should now have a red cross on it.
  • Right click on the mailbox and select ‘Reconnect’. Select the correct account when prompted.
  • In ADUC add the necessary SMTP addresses, groups, address and phone information.
  • Update Custom Attribute 15 with your initials, the date and a comment saying “corrected account/mailbox mapping” (this is part of our process for any changes made to mail-enabled objects).
  • Create a new Outlook profile for the user.