Prepare Active Directory for Exchange 2007

To prepare Active Directory for Exchange 2007 you need to perform the following actions:

On the schema master, using an account with the appropriate privileges, navigate to the root of the installation media and run the following from the command prompt:

setup /pl

The command above prepares the legacy permissions. Next run:

setup /ps

This prepares the AD schema. Next run the following command, where ORGANIZATION_NAME is the name of your Exchange organization:

setup /PrepareAD /organizationName:ORGANIZATION_NAME

This creates the necessary OUs and security groups for Exchange. Then run:

setup /pd

This prepares the local domain for Exchange.
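As an added example (not part of the original post), here is a PowerShell wrapper that runs the four steps above in order from the media root, stops at the first non-zero exit code, and then reads the version markers in Active Directory that the steps update so you can compare them with the documented values for your service pack. It assumes you run it elevated on the schema master, and ORGANIZATION_NAME is a placeholder.

```powershell
# Added example, not from the original post. Runs the four preparation
# steps in order and stops at the first failure rather than continuing
# with a half-prepared forest.
param(
    [string]$OrganizationName = "ORGANIZATION_NAME"   # placeholder
)

$steps = @(
    @{ Name = "PrepareLegacyExchangePermissions"; Args = @("/pl") },
    @{ Name = "PrepareSchema";                    Args = @("/ps") },
    @{ Name = "PrepareAD";                        Args = @("/PrepareAD", "/organizationName:$OrganizationName") },
    @{ Name = "PrepareDomain";                    Args = @("/pd") }
)

foreach ($step in $steps) {
    Write-Host "Running setup.com $($step.Args -join ' ')"
    # setup.com is the command-line installer in the Exchange 2007 media root.
    & .\setup.com $step.Args
    if ($LASTEXITCODE -ne 0) {
        throw "$($step.Name) failed with exit code $LASTEXITCODE; later steps not run."
    }
}

# Read the markers the steps update. The expected numbers depend on your
# service pack and are not given here; compare against Microsoft's table.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.schemaNamingContext
$domainNc = [string]$rootDse.defaultNamingContext

$schemaVersion = ([ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc").rangeUpper
$domainVersion = ([ADSI]"LDAP://CN=Microsoft Exchange System Objects,$domainNc").objectVersion

"Schema version (ms-Exch-Schema-Version-Pt rangeUpper): $schemaVersion"
"Domain version (Microsoft Exchange System Objects objectVersion): $domainVersion"
```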

References:

http://technet.microsoft.com/en-us/library/bb125224(v=exchg.80).aspx


Set an Exchange Activesync Policy for all users in a specific Company

Here is a command you can use to set a specific Exchange ActiveSync policy for all users in a specific company. This assumes that you have already set the company name in the ‘Company’ user attribute. Substitute YOUR_COMPANY_NAME with the company name that you have specified in the ‘Company’ user attribute for the users you wish to apply the policy to, and substitute YOUR_ACTIVESYNC_POLICY with the name of the ActiveSync policy that you wish to set for this selection of users.

Get-User -Filter {Company -eq "YOUR_COMPANY_NAME"} | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "YOUR_ACTIVESYNC_POLICY").Identity

You can verify that the policy has been applied to the correct users by running the following command:

Get-CASMailbox | where {$_.ActiveSyncMailboxPolicy -match "YOUR_ACTIVESYNC_POLICY"} | ft DisplayName, ActiveSyncMailboxPolicy, ServerName

If you want to view the activesync policies that are applied to all the users in your organisation simply run the following command:

Get-CASMailbox | ft DisplayName, ActiveSyncMailboxPolicy, ServerName
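As an added example (not part of the original post), the following script generalises the one-liner above to a mapping of several companies to policies, skips a company whose policy does not exist, and then reports every mailbox whose applied policy differs from the one its Company value should give it, including mailboxes with no policy at all. Company and policy names are placeholders.

```powershell
# Added example, not from the original post. One policy per Company value,
# followed by a mismatch report that doubles as the verification step.
$policyByCompany = @{
    "YOUR_COMPANY_NAME"    = "YOUR_ACTIVESYNC_POLICY"      # placeholders
    "ANOTHER_COMPANY_NAME" = "ANOTHER_ACTIVESYNC_POLICY"
}

foreach ($company in $policyByCompany.Keys) {
    $policyName = $policyByCompany[$company]
    $policy = Get-ActiveSyncMailboxPolicy $policyName -ErrorAction SilentlyContinue
    if ($policy -eq $null) {
        Write-Warning "Policy '$policyName' not found; skipping company '$company'"
        continue
    }
    # Filter on the Company attribute server-side, keep mailbox users only,
    # then apply the policy to each CAS mailbox.
    Get-User -Filter "Company -eq '$company'" -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq "UserMailbox" } |
        Set-CASMailbox -ActiveSyncMailboxPolicy $policy.Identity
}

# Verification: every mailbox user in a mapped company whose actual policy
# (empty string when none is set) is not the expected one.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq "UserMailbox" -and
                   $_.Company -and $policyByCompany.ContainsKey($_.Company) } |
    Select-Object DisplayName, Company,
        @{Name = "Expected"; Expression = { $policyByCompany[$_.Company] }},
        @{Name = "Actual";   Expression = { [string](Get-CASMailbox $_.Identity).ActiveSyncMailboxPolicy }} |
    Where-Object { $_.Actual -ne $_.Expected } |
    Format-Table DisplayName, Company, Expected, Actual -AutoSize
```

An empty Actual column means the mailbox has no ActiveSync policy applied, which is usually the case you care about most.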

Changing logging level using the Exchange Management Shell and Exchange Management Console

In this post I will describe how to set logging levels on your various Exchange logs. Earlier, I received event ID 9327, with a source of MSExchangeSA, in the event log on our Exchange server that is responsible for generating the offline address list. In order to find the offending entries in the address list, it was necessary to change the logging level for the OAL generator:

Event ID: 9327 Source: MSExchangeSA Task Category: OAL Generator

There are two methods you can use to set this. The first is via the Exchange Management Shell. You can check the current logging levels for your various Exchange logs by issuing the following command in the Exchange Management Shell:

Get-EventLogLevel

This will list logging levels for all Exchange logs, but will also give you the identities of all of the different Exchange logs, which you will need for the next step.

Output from the Get-EventLogLevel command

In this instance, we are interested in the OAL Generator which can be found towards the bottom of the list under ‘MSExchangeSA\OAL Generator’, which is also the identity which we will need for the next command. The logging level for this entry was set to lowest:

OAL Generator showing a logging level of lowest

To change the logging level you can issue the following command using the identity that you discovered in the step above:

Set-EventLogLevel -Identity "MSExchangeSA\OAL Generator" -Level Medium

You can then verify that the new logging level has been set by issuing the Get-EventLogLevel command again:

OAL Generator showing a logging level of medium

If you feel more at home using the Exchange Management Console GUI, the same result can be achieved by doing the following. First open EMC and expand ‘Mailbox’, under ‘Server Configuration’. Next right click on the server that you want to set the logging level for and choose ‘Manage Diagnostic Logging Properties’ as shown below:

Choosing 'Manage Diagnostic Logging Properties' using the Exchange Management Console

Finally, in the ‘Manage Diagnostic Logging Properties’ screen, find the service that you are interested in and set the necessary logging level as appropriate, as shown below, then click ‘Configure’, and you’re done.

Setting the logging level using the Exchange Management Console
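Raised diagnostic logging is easy to forget about, and higher levels fill the Application log quickly. As an added example (not part of the original post), this function wraps the shell method above: it records the current level for a category, sets the new one, and hands back what to restore afterwards. The identity is the one from this post; any other category name comes from your own Get-EventLogLevel output.

```powershell
# Added example, not from the original post. Raise a category's level for
# a diagnostic run and keep the previous level so it can be put back.
function Set-TemporaryEventLogLevel {
    param(
        [string]$Identity = "MSExchangeSA\OAL Generator",
        [string]$Level    = "Medium"
    )
    $validLevels = @("Lowest", "Low", "Medium", "High", "Expert")
    if ($validLevels -notcontains $Level) {
        throw "Level must be one of: $($validLevels -join ', ')"
    }

    $before = Get-EventLogLevel -Identity $Identity
    if ($before -eq $null) { throw "No log category matches '$Identity'" }

    Set-EventLogLevel -Identity $Identity -Level $Level
    $after = Get-EventLogLevel -Identity $Identity

    # Return the state needed to undo the change once the run is finished.
    New-Object PSObject |
        Add-Member NoteProperty Identity      $Identity          -PassThru |
        Add-Member NoteProperty PreviousLevel $before.EventLevel -PassThru |
        Add-Member NoteProperty CurrentLevel  $after.EventLevel  -PassThru
}

# Usage: raise the OAL Generator level, reproduce the problem, then restore.
$state = Set-TemporaryEventLogLevel -Identity "MSExchangeSA\OAL Generator" -Level Medium
$state
# ... regenerate the offline address list and read the MSExchangeSA events ...
Set-EventLogLevel -Identity $state.Identity -Level $state.PreviousLevel
```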

Get a user's mobile device details using the Exchange Management Shell

Here is a quick command to get the details of a particular user's mobile device or smartphone, including the device ID, the time it last synced, and so on, using the Exchange Management Shell. When you type the command, replace Username with the name of the user that you wish to examine:

Get-ActiveSyncDeviceStatistics -Mailbox Username | Format-List

Display mobile device statistics using get-activesyncdevicestatistics

Ref:

http://technet.microsoft.com/en-us/library/aa996908(EXCHG.80).aspx
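Device partnerships that have not synced for a long time still represent a valid path into a mailbox, so it is worth reviewing them across the organisation rather than one user at a time. As an added example (not part of the original post), this function runs the command above for every mailbox that has an ActiveSync partnership and keeps only devices whose last successful sync is older than a cutoff. The 30-day cutoff is an arbitrary assumption.

```powershell
# Added example, not from the original post. Report ActiveSync devices that
# have not synced successfully within the given number of days.
function Get-StaleActiveSyncDevices {
    param([int]$DaysSinceLastSync = 30)   # cutoff is an assumption
    $cutoff = (Get-Date).AddDays(-$DaysSinceLastSync)

    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.HasActiveSyncDevicePartnership } |
        ForEach-Object {
            $mailbox = $_.Identity
            # One statistics object per device partnership on the mailbox;
            # a device with no successful sync at all is reported as well.
            Get-ActiveSyncDeviceStatistics -Mailbox $mailbox -ErrorAction SilentlyContinue |
                Where-Object { $_.LastSuccessSync -eq $null -or $_.LastSuccessSync -lt $cutoff } |
                Select-Object @{Name = "Mailbox"; Expression = { $mailbox }},
                              DeviceID, DeviceType, DeviceUserAgent,
                              LastSuccessSync, LastSyncAttemptTime
        }
}

Get-StaleActiveSyncDevices -DaysSinceLastSync 30 |
    Sort-Object LastSuccessSync |
    Format-Table -AutoSize
```

The DeviceID column is what you need if you decide to remove a partnership or issue a wipe for a device that is no longer in use.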

Could not load the file or assembly Microsoft.Web.Administration Version=7.0.0.0 when running the Exchange Management Console

Earlier today I received the following error message while using the Exchange 2007 32bit Admin tools on a Windows 7 client computer, when trying to access information under ‘Server Configuration’ in the Exchange Management Console:


“Could not load file or assembly ‘Microsoft.Web.Administration, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.”

Error message Could not load file or assembly Microsoft.Web.Administration


To correct this error I opened the ‘Turn Windows features on or off’ screen and enabled the Internet Information Services (IIS) Web Management Tools, as shown below:


Enabling the IIS Web Management Tools in Windows 7


I then restarted the Exchange Management Console and the desired functionality was restored.

Restrict or filter GAL access for OWA users using MSExchQueryBaseDN in Exchange 2007

When hosting Exchange 2007 mailboxes for use purely with Outlook Web Access (OWA) you may wish to limit access to the Global Address List (GAL), so that logged-in users can only see a subset of the contacts in the GAL. This is particularly relevant in hosting environments where mailboxes for multiple companies are hosted in the same Active Directory, and you want users to see contact information only for their own company rather than for all companies.

A while ago we had a situation where this was a requirement. In our case there were several groups of users who would only be accessing email through OWA, and only needed contact information for a subset of staff. We were able to use custom address lists and the MSExchQueryBaseDN user attribute to solve this problem.

If you run adsiedit.msc and look at the properties of a user object you can scroll down the list of attributes to find MSExchQueryBaseDN.

The MSExchQueryBaseDn attribute in adsiedit

In order to limit which contacts a particular user or group of users can access, you first need to set up a new address list using either the Exchange Management Console or the Exchange Management Shell. The address list should contain the contacts that you want the user or group of users to be able to view. Please note that you could point the MSExchQueryBaseDN attribute at an Organizational Unit, so that it filters contact information to just the users in that OU, but if you need the flexibility to include contact information for users from various OUs in Active Directory, it may be easier to use a custom address list.

Once this is done you need to set the MSExchQueryBaseDN attribute of each of the users who you want to restrict to the distinguished name of the address list you created.

e.g.

CN=YOUR_RESTRICTED_ADDRESS_LIST,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YOUR_DOMAIN,DC=local

Where YOUR_RESTRICTED_ADDRESS_LIST is the name of your address list and YOUR_DOMAIN is the name of your domain.

Setting this attribute manually for hundreds of users would obviously be too time consuming, so you could use ADModify if you want a GUI:

Set MSExchQueryBaseDN using ADModify.Net

To reset to the default value using ADModify.Net use a value of ‘null’.

You could also use  to achieve this in Powershell if you would prefer to use the command line. Further details can be found here.
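As an added example (not part of the original post), here is one way to do the bulk change from the Exchange 2007 shell without extra tools: it resolves the address list's distinguished name with Get-AddressList rather than typing the long DN by hand, then writes or clears msExchQueryBaseDN on each mailbox user in a company through ADSI. The company and address list names are placeholders, and the -Preview switch shows what would change without writing anything.

```powershell
# Added example, not from the original post. Set or clear msExchQueryBaseDN
# for every mailbox user whose Company attribute matches.
function Set-QueryBaseDNForCompany {
    param(
        [string]$Company,
        [string]$AddressListName,   # empty clears the attribute (back to the full GAL)
        [switch]$Preview
    )
    $targetDn = ""
    if ($AddressListName) {
        $list = Get-AddressList $AddressListName -ErrorAction SilentlyContinue
        if ($list -eq $null) { throw "Address list '$AddressListName' not found" }
        $targetDn = [string]$list.DistinguishedName
    }

    Get-User -Filter "Company -eq '$Company'" -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq "UserMailbox" } |
        ForEach-Object {
            $user    = [ADSI]("LDAP://" + $_.DistinguishedName)
            $current = [string]$user.msExchQueryBaseDN
            if ($current -eq $targetDn) { return }       # nothing to do for this user
            if ($Preview) {
                "Would change $($_.Name): '$current' -> '$targetDn'"
                return
            }
            if ($targetDn) {
                $user.Put("msExchQueryBaseDN", $targetDn)
            } else {
                $user.PutEx(1, "msExchQueryBaseDN", @())    # 1 = ADS_PROPERTY_CLEAR
            }
            $user.SetInfo()
            "Changed $($_.Name): '$current' -> '$targetDn'"
        }
}

# Restrict one company's users to their address list, then preview undoing it.
Set-QueryBaseDNForCompany -Company "YOUR_COMPANY_NAME" -AddressListName "YOUR_RESTRICTED_ADDRESS_LIST"
Set-QueryBaseDNForCompany -Company "YOUR_COMPANY_NAME" -AddressListName "" -Preview
```

Run it with -Preview first; the output lists the current value for each user, which is the only record you will have of the previous setting.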

Please note: Using this attribute in Exchange 2010 SP1 may result in undesirable consequences. It has been reported that if this attribute is used you may find that users with the attribute set cannot view the contents of their address list, particularly in Outlook.

‘Run Cleanup Agent’ replacement in Exchange 2007

To view disconnected mailboxes immediately after deletion in Exchange 2003, you used to have to run the cleanup agent by right-clicking the mailbox folder for the relevant server in Exchange System Manager and choosing ‘Run Cleanup Agent’.

This changed in Exchange 2007, where you instead need to run the Clean-MailboxDatabase management shell command. To do this, on the server that contained the deleted mailboxes simply run the following command, where “Your_Mailbox_Database_Name” is the name of the relevant mailbox database:

Clean-MailboxDatabase "Your_Mailbox_Database_Name"
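As an added example (not part of the original post), the following function runs Clean-MailboxDatabase against every mounted database on a server and then lists the disconnected mailboxes that the cleanup made visible, with how long each has been disconnected and the MailboxGuid you would need to reconnect it. The server name is a placeholder.

```powershell
# Added example, not from the original post. Clean every mounted mailbox
# database on a server and list the disconnected mailboxes afterwards.
function Get-DisconnectedMailboxesAfterCleanup {
    param([string]$Server = "YOUR_MAILBOX_SERVER")   # placeholder

    # -Status populates the Mounted property so dismounted databases are skipped.
    Get-MailboxDatabase -Server $Server -Status |
        Where-Object { $_.Mounted } |
        ForEach-Object {
            $db = $_
            Clean-MailboxDatabase $db.Identity
            # Only mailboxes with a DisconnectDate are disconnected.
            Get-MailboxStatistics -Database $db.Identity |
                Where-Object { $_.DisconnectDate -ne $null } |
                Select-Object @{Name = "Database"; Expression = { $db.Name }},
                              DisplayName, DisconnectDate, MailboxGuid,
                              @{Name = "DaysDisconnected"; Expression = { ((Get-Date) - $_.DisconnectDate).Days }}
        }
}

Get-DisconnectedMailboxesAfterCleanup -Server "YOUR_MAILBOX_SERVER" |
    Sort-Object DisconnectDate |
    Format-Table -AutoSize
```

DaysDisconnected is worth comparing against the database's deleted mailbox retention setting, since a mailbox past that window will be purged rather than remain available for reconnection.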