Microsoft Exchange and Blackberry Server Specialists

SEMblog

Microsoft Exchange Server and Blackberry Enterprise Server news, views and fixes.

Exchange 2007 SP1 Installation - Things to Check Before Starting Installation

Having installed Exchange 2007 SP1 on to a couple of systems in my home lab, a couple of things have caught me out, which I thought may be beneficial to share.

Remove language packs from UM

The first was that you need to remove any additional language packs from the server. I had the UK English pack installed. This is the TechNet article on how to remove a language pack.

http://technet.microsoft.com/en-us/library/bb124004.aspx

However I found that the command listed in that article didn't work. Instead I used a command prompt in the root of my local copy of the DVD (I copied the files off the original DVD to the machine so that they were always available) and then ran the following command:

Setup.com /RemoveUmLanguagePack:EN-GB

The language pack was then removed successfully.

Reboot Pending Prompt

If you had installed something that asked for a reboot and had not rebooted then the service pack will not install. You will have to reboot and then try again. Fortunately the service pack itself does not seem to ask for a reboot.

You do not have to remove the rollups

If you have been keeping the server up to date and have the rollups installed, then you may recall that if you downloaded them manually you had to remove the previous rollups before installing the new ones. With the service pack you do not have to do that. This service pack effectively removes the installation files and then replaces them. The download is the complete Exchange 2007 installation set. After the installation of the service pack is complete the rollups have gone from the add/remove programs list.

Receive Connector Configuration

This last one caught me out and seems to be catching many others.
If you have modified the receive connector FQDN away from the default then it will stop the installation of the service pack. However this is NOT picked up during the initial check of the server at the beginning, but midway through. The service pack install stops and you are left with a server that is not running 100%. If you do forget to change it then the service pack will pick up from where it has started.

The receive connector FQDN should be set to either the server's FQDN, its NetBIOS name or blank.
So for a server called EXCH-Server this would be exch-server.domain.local, exch-server or blank.

Why would you change this? When you telnet to the server it is the receive connector that is answering the call and you may want to change it so that the public name of the server is answered instead.
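
The receive connector and pending reboot checks above can be scripted before setup is started; this is an added example, not part of the original post and not the check that Exchange setup itself runs. The function names are hypothetical, and the registry value is assumed to be a typical Windows pending-reboot indicator rather than the exact one setup reads.

```powershell
# Added example: run in the Exchange Management Shell on the server being upgraded.
# Function names are hypothetical; syntax is kept PowerShell 1.0 compatible.

function Test-ConnectorFqdn {
    param([string]$Fqdn, [string]$NetbiosName, [string]$ServerFqdn)
    # Values the post lists as safe: blank, the NetBIOS name, or the server's FQDN.
    if ([string]::IsNullOrEmpty($Fqdn)) { return $true }
    # -contains compares strings case-insensitively (EXCH-Server = exch-server).
    return (@($NetbiosName, $ServerFqdn) -contains $Fqdn.Trim())
}

function Get-ReceiveConnectorFqdnReport {
    param([string]$Server = $env:COMPUTERNAME)
    $serverFqdn = [System.Net.Dns]::GetHostEntry($Server).HostName
    Get-ReceiveConnector -Server $Server | ForEach-Object {
        $fqdn = "$($_.Fqdn)"   # empty string when the property is blank
        $safe = Test-ConnectorFqdn $fqdn $Server $serverFqdn
        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Connector -Value $_.Identity
        $row | Add-Member -MemberType NoteProperty -Name Fqdn -Value $fqdn
        $row | Add-Member -MemberType NoteProperty -Name SafeForSp1 -Value $safe
        $row
    }
}

function Test-PendingFileRename {
    # Assumption: a common Windows pending-reboot indicator, not necessarily
    # the exact test that Exchange setup performs.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return ($null -ne $val -and @($val).Count -gt 0)
}

# Constructed sample values (server name taken from the post), no server needed:
Test-ConnectorFqdn 'exch-server.domain.local' 'EXCH-Server' 'exch-server.domain.local'
Test-ConnectorFqdn '' 'EXCH-Server' 'exch-server.domain.local'
Test-ConnectorFqdn 'mail.example.com' 'EXCH-Server' 'exch-server.domain.local'

# Live checks, only attempted when the Exchange cmdlets are loaded:
if (Get-Command Get-ReceiveConnector -ErrorAction SilentlyContinue) {
    Get-ReceiveConnectorFqdnReport | Format-Table -AutoSize
    if (Test-PendingFileRename) { Write-Warning 'Reboot pending: restart before running setup.' }
}
```

A connector reported as not safe can be reset with Set-ReceiveConnector and its -Fqdn parameter before the service pack is started.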

Exchange 2007 SP1 Released

Updated to include link to SP1 release notes.  

The eagerly awaited service pack 1 for Exchange 2007 has been released.
In a change from service packs for earlier versions of Exchange, you can install Exchange 2007 fresh from this download - therefore the download files are quite big.
It is available in both 64 bit and 32 bit, although remember that 32 bit is not supported for production use; it is for evaluation only.

From the download page:

Overview

Microsoft Exchange Server 2007 Service Pack 1 (SP1) has been designed specifically to help meet the challenges of any business and the needs of all the different groups with a stake in the messaging system. Exchange Server 2007 SP1 is a mission-critical communications tool that enables employees to be more productive and access their information anywhere and anytime while providing a messaging system that enables rich, efficient access to e-mail, calendar items, voice mail, and contacts. For the administrator, Exchange Server 2007 SP1 provides advanced protection options against e-mail security threats, such as spam and viruses, as well as the tools to help manage internal compliance and high availability needs.

In Exchange Server 2007 SP1, several new features and improvements will extend the Anywhere Access capabilities of Exchange Server 2007 to help make employees more productive on whatever device they’re using, provide additional Operational Efficiency tools for administrators seeking a streamlined management and deployment experience, and enable advanced Built-in Protection for more robust high availability and compliance scenarios.

Improvements in Exchange Server 2007 SP1 include:

Anywhere Access

  • Integrated Exchange Unified Messaging functionality with Microsoft Office Communicator 2007 and Microsoft Office Communications Server 2007.
  • Outlook Web Access additions, including public folder access, S/MIME support, personal distribution lists, and mailbox rules editor.
  • Webready document viewer supports Microsoft Office 2007 documents in addition to Microsoft Office 2003 documents.
  • Extended language support in Outlook Web Access with Arabic and Korean spell checking.

Operational Efficiency

  • Support for Windows Server 2008 deployments, including benefits in flexible clustering, native virtualization, advanced networking, and simplified management.
  • Additional tools in the Exchange Management Console, including public folder management and configuration options for clustering and POP/IMAP access.
  • Improvements to the Exchange Management Shell syntax and import-export PST in the move-mailbox command.
  • Wider variety of web services for application development, including public folder access, delegate management, and folder level permissions.

Built-in Protection

  • Addition of Standby Continuous Replication (SCR) for site resilient high availability deployments.
  • Extended Exchange ActiveSync policies for mobile policy enforcement.
  • Information rights management pre-licensing by the Hub Transport role.
  • Secure Real Time Protocol (SRTP) support in the Unified Messaging role.
  • Support for IPv6 when using Windows Server 2008.


This is the link to download it. However you need to register, using a Microsoft Live ID:

http://www.microsoft.com/downloads/details.aspx?FamilyId=44C66AD6-F185-4A1D-A9AB-473C1188954C&displaylang=en

UPDATE:  

At the time of writing, the link to the release notes takes you to the RTM release notes, not the SP1 release notes. To see the SP1 release notes (gives you something to read while it downloads) go here: http://www.microsoft.com/downloads/details.aspx?FamilyId=5770BD59-376E-42EC-B940-BE6225CD97FF&displaylang=en 

Things you get asked at presentations - the custom MMC

I do quite a few presentations, in public and to small groups in private. After each one you always ask if they have any questions. I am never asked the same questions twice; some want to know about OWA, others about PowerShell or the management console.

At a recent presentation, the only thing they wanted to know about was this:

Exchange 2007 Custom MMC

When I build my demonstration environments, I always create a custom MMC console with the Exchange tools included. As I was demonstrating Exchange 2007 SP1, it included the main Exchange Management Console, as well as public folder management and the queue viewer. I then finish it off with a few other settings to make it look professional. I then drop the finished item on to my desktop for easy access.

This is nothing new for me, I have been doing it for years. With Exchange 2003 I would have a custom MMC that had both ESM and ADUC in the same window.

So here is a quick guide on what I do.

  1. Click Start, Run and type mmc. This starts a new blank mmc console. Choose File, Add/Remove snap in and select the snap-ins that you want to add. Don't worry about the Public Folders snap in stating it is not connected to a server, that will correct itself when you start using it.

    Add/Remove Snap-in, with the Exchange 2007 snap ins included.
  2. After pressing OK, you will be returned to the main mmc interface which should include the snap-ins that you have just added.

    MMC with the Exchange 2007 snap-ins in place.
  3. Now to customise the look and feel.
    Choose File, then Options to be presented with the screen below.
    Change the name to something more appropriate - I have used Exchange Tools.
    I have also changed the console mode to "User Mode - Full Access" and enabled the option to "Do not save changes to this console". That gets rid of the annoying "Do you want to save changes" prompt that you get every time that you close a custom console. If you need to change it in the future, right click on the MSC file and choose Author.

    MMC options showing the default icon, custom name and other settings
  4. To change the icon, click the "Change Icon" button. The icon I have used comes from ExSetupUi.exe, which is found (in a default installation path) in "C:\Program Files\Microsoft\Exchange Server\Bin\". Select the file and then you can choose the icon. Press OK.

    Select the path for the icon you wish to use.

  5. After pressing OK you will be shown the completed options screen as below.

    MMC options showing the icon, custom name and other settings

  6. Finally, after pressing OK, right click on "Console Root" and choose rename. You can then enter a more appropriate name.
  7. Don't forget to turn the Action Pane on. This is done by clicking on the button at the top of the MMC console - highlighted with the red box in the screenshot below:

    Custom Exchange 2007 Console with Action Pane enabled

  8. Choose File, Save As and save the file somewhere, with the extension of msc. I usually suggest on a network share. Then create a shortcut to the file.

The above technique also works for perfmon - so if you create a custom set of counters and wish to save it and not have the save prompt when you are finished, change the Console Mode. 

Windows Mobile Compatible Certificates

When you are deploying Windows Mobile in to your Exchange environment, you should be using an SSL certificate to secure the deployment.
However the number of SSL certificates that Windows Mobile trusts is much smaller than the number supported by Internet Explorer or Firefox on your desktop. This means one of two things.

1. You need to purchase a certificate from one of the issuers on that small list.
2. You have to import the SSL certificate in to your device.

For the second option, I have instructions elsewhere: http://www.amset.info/pocketpc/certificates.asp

For the first option, which may be preferable if you are going to deploy a large number of the devices, you need to get a certificate that is issued by one of the roots supported by Windows Mobile.
The root certificates can be easily seen in the device, but the name of the certificate does not always match the name of the company who can issue the certificates. The root certificates have changed hands, companies have merged or simply changed their names.

Therefore what I have done is taken the list of root certificates from a standard emulator image, which is what Microsoft would have supplied the hardware suppliers as their base image and then found who is currently issuing the certificates.
You should check whether the root certificate list I have here is the same as what you have in your device, as there have been reports of some root certificates being removed.

Where it isn't clear who is the current owner of a root, I have put a question mark. Also note that not all providers are using the root certificates to issue NEW certificates - they may be using them for legacy support only. You should note that some issuers are using multiple roots and you may have to ask for a certificate to be issued from a specific root to get Windows Mobile support.

If you are deploying a mixture of Windows Mobile 5 and Windows Mobile 6 devices, then use the list of root certificates on Windows Mobile 5 to ensure maximum compatibility.
If you are tempted by wildcard certificates - remember that Windows Mobile 5 does not support any wildcard certificates.

Windows Mobile 6

Thawte Server CA (Thawte)
Thawte Premium Server CA (Thawte)
Starfield Class 2 Certification Authority (GoDaddy - http://www.certificatesforexchange.com/)
Secure Server Certification Authority (Verisign)
http://www.valicert.com (GoDaddy - http://www.certificatesforexchange.com/)
GTE CyberTrust Global Root (GlobalSign)
GoDaddy Class 2 Certification Authority (GoDaddy - http://www.certificatesforexchange.com/)
GlobalSign Root CA (GlobalSign - was InstantSSL.com)
Geotrust Global CA (Geotrust)
Equifax Secure Certification Authority (Geotrust)
Entrust.net Secure Server Certification Authority (Entrust)
Entrust.net Certification Authority (2048) (Entrust)
Class 3 Public Primary Certification Authority (Verisign)
Class 2 Public Primary Certification Authority (Verisign)
Baltimore CyberTrust Root (Cybertrust?)
AddTrust External CA Root (AddTrust)
AAA Certificate Services (Comodo?)
GTE CyberTrust Root (InstantSSL.com)

Windows Mobile 5

Thawte Server CA (Thawte)
Thawte Premium Server CA (Thawte)
Secure Server Certification Authority (Verisign)
http://www.valicert.com (GoDaddy - http://www.certificatesforexchange.com/)
GTE CyberTrust Global Root (GlobalSign)
GTE CyberTrust Root (InstantSSL.com)
GlobalSign Root CA (GlobalSign - was InstantSSL.com)
Equifax Secure Certification Authority (Geotrust)
Entrust.net Secure Server Certification Authority (Entrust)
Entrust.net Certification Authority (2048) (Entrust)
Class 3 Public Primary Certification Authority (Verisign)
Class 2 Public Primary Certification Authority (Verisign)