Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

Blog - All Change

It's all change here on blog.sembee.co.uk and I have an apology to make to visitors.

First the change. If you aren't reading this on the RSS feed, then you will have noticed things look a little bit different. This is because I have changed the blog engine that I am using.

Since I started blogging in 2007 I have used Community Server, nursed back to life after two server failures, plus version upgrades. However with the change of my underlying OS to Windows 2008 R2, I decided it was time to switch to something a little more basic. I only used the blogging functionality of Community Server, nothing else. Plus I wanted to drop the SQL database dependency.

Therefore I have switched to BlogEngine.net. The change was relatively painless, I was running with it on a private URL in less than 30 minutes. What took the time was putting redirect files in to place so that URLs were redirected to the new format. That is now complete (I hope).

You might find that the theme changes, I am still looking for one that I am 100% happy with, and may end up creating my own, or getting one created for me to match the other sites that I have through Sembee Ltd. I haven't quite decided. The content will stay the same.
The HTML code is a bit odd in places, which I will correct as I find the postings, but that is a display issue, nothing more.

Comments are still turned off, because I have seen them turn in to support forums before, and blogs are a really bad way for that kind of thing - use a forum instead.

Now for the apology.

If you sent a message through the Contact option in the previous Community Server based blog format, then I didn't receive it. I had thought I had disabled all of the options for contact via the blog itself, preferring to receive direct email messages. However when I started to pull the original installation of Community Server apart, I found 70 pages of contact attempts in a location I had never looked at before - called "Feedback". Most of it was spam, and was deleted, but there were still seven pages of legitimate messages, dating back to 2008. I hadn't seen any of them.

Big oops.

I am not going to reply to the lost messages now, as they will be very old and no longer relevant. However if you sent me a message via the blog and did not get a reply, it wasn't intentional. They simply went in to a location I didn't know was there.

Google Custom Search and IE Accelerators

For some time, I have had a web site called <removed>, which was created a few years ago when I first discovered Google Custom Search. It was a result of playing with this new (at the time) service from Google and creating search engines for some IT vendor knowledgebases.
The site was rather basic and I didn't do anything with it.
The site wasn't published, but Google found it, and it has had a trickle of traffic ever since - usually much less than 100 visitors a day.

However at the end of last year I started to split off some of the content from amset.info out to their own sites. This was content that wasn't core Exchange or Outlook related, but was responsible for a significant proportion of the traffic. A page I wrote six years ago as a getting started guide to the Command Prompt received more visits a day than the next five pages put together. It now has its own site at http://dosprompt.info/
With these additional sites, I implemented a common core design across them all. This design needed to be applied to others, and it was then I realised how poor it was and that the site needed some attention.

At around the same time, I was starting to play around with Windows 7 in some more depth, including the accelerators that are built in to Internet Explorer 8. The Google search tool was very useful, but there wasn't one for the UK version of Google. I found one for Canada, so I pulled it apart and modified it for the UK.

I therefore wondered if I could combine this newfound knowledge of IE search Accelerators with my <removed> site.  The reason for this was that I had created a custom search that was simply a web search engine, so that I could search Google without getting results that were mangled with their tracking information when you copied the result. An example of the URL that is returned is this:

<removed>

The custom search is here: <removed>

I found that you could indeed create an IE search accelerator for a Google custom search engine. What this means is that I can take a term and search for it through my own version of Google.

I have written exactly how here:
http://www.amset.info/ie/custom-search-accelerator.asp
And the resulting accelerators are to be found here:
<removed>

This post has been modified to remove links that are no longer valid. 

BES 5.0 Cannot Delete or Select User: The Request Could Not be Completed

Currently migrating a client from BES 4.1 to BES 5.

All going well, except a few users didn't migrate correctly using the transporter suite. When selecting the user, it returned an error "The Request Could not be Completed". This stopped me from doing anything with the user account, including deleting them so I could reactivate them.

However a clever trick was shared with me, which I hadn't seen anywhere else, which allowed me to delete the troublesome user.

Select Manage Users, then Search. At the bottom of the page, choose manage multiple users. Select the user with the problem and then choose Delete User at the bottom of the list. You will get asked if you are sure. After selecting yes the user is then deleted and can be added back in again and go through the regular activation process.

A simple fix for an annoying problem.

SBS 2008 Certificate Installation

21st April 2011

An updated and revised version of this article can be found on our main site here: http://exchange.sembee.info/2007/install/sbs2008ssl.asp


In recent months I seem to have spent longer with SBS deployments, rather than Exchange 2007 or 2010. Therefore I have had lots of time to get annoyed with how SBS 2008 works with SSL certificates.

Exchange 2007 is very dependent on SSL certificates, which is something I have posted about in the past. However throw in the customisations to IIS that SBS 2008 makes and it gets much harder.
The SBS team have attempted to simplify the process, but for most people they have actually made it worse.

The major problem with SBS 2008 and SSL certificates is twofold.
1. SBS 2008 presumes that your external DNS provider supports SRV records. Their DNS partners that are pushed in the wizard do of course, but most do not.
SRV records are one of the methods that Outlook 2007 can use for autodiscover. Autodiscover is connected to the availability service. Therefore that means if you are using Outlook Anywhere, without autodiscover working correctly, the client doesn't work.
It can also cause problems internally, but the wizard does actually make the required changes for that.

I can see why the SBS team used the SRV record method, as it allows a standard single name SSL certificate to be used - usually remote.example.com. The wizard then makes the required changes to Exchange and the domain to allow this method to work correctly. Using a single name SSL certificate keeps the costs down, as anyone who has worked with SBS users will know - getting the typical customer to pay for a certificate can be difficult, particularly when there is a "free" certificate in the product.

The comments in this article from Sean Daniel clearly show the presumption of SRV records use. In my opinion this is a very poor decision from Microsoft, when the wizard could easily automatically enter the additional names that are required and generate the relevant request.
http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html


2. The second issue is that SBS 2008 sets up additional web sites and uses them for external traffic. If you install and enable the certificate in the usual way for Exchange 2007, then you break those sites. That causes a mess, which can be resolved, but does make extra work.

However, it is possible to get the certificate in place, in a way that is acceptable to both Exchange 2007 and SBS 2008. Whatever you do, DO NOT use IIS to generate and manipulate the certificate.

Preparation Work

To ensure that you work with the common configuration for SBS 2008, some DNS entries need to be made on the internet facing DNS services (usually your DNS provider).
Specifically these are
remote.example.com and autodiscover.example.com

(where example.com is your domain after the @).

These should point to your public static external IP address. If you cannot use a static IP address, then use a dynamic DNS provider to set up a host. Then create a CNAME for each of the above hosts and point them to the dynamic DNS host name.

While you can use another host name instead of remote.example.com, everything in SBS seems to be orientated towards that name. Therefore I usually also use that host name for the MX records for the server as well, and get the ISP to set up the reverse DNS (aka PTR) record.

Certificate Request Generation and Response Installation

To generate the request, follow my guide elsewhere on this blog: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx
However, add the name "Sites" to the list of domains that you include. That makes the full list:

remote.example.com
autodiscover.example.com
server.domain.local (the server's internal FQDN)
server (the server's NETBIOS name)
sites

When you get the response back from your provider, continue to follow my blog article up to the point about installing the response. DO NOT use the enable-exchangecertificate command.

By using the Exchange Management Shell to do the request you do not put the current self generated certificate at risk, because the request and response don't touch it. The certificate is only changed later on in the process.
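A check that can be run at this point, before the certificate is activated, as an added example that is not part of the original post: it lists every certificate Exchange can see and reports whether each one carries all five names from the list above, has its private key, and is within its validity dates. The host names are the article's placeholders.

```powershell
# Added example: run in the Exchange Management Shell on the SBS 2008 server.
# Host names are the article's placeholders; substitute your own.
$required = @(
    'remote.example.com',
    'autodiscover.example.com',
    'server.domain.local',   # the server's internal FQDN
    'server',                # the server's NetBIOS name
    'sites'
)

foreach ($cert in Get-ExchangeCertificate) {
    # CertificateDomains holds every name the certificate is valid for
    $names = @($cert.CertificateDomains | Where-Object { $_ } |
               ForEach-Object { $_.ToString().ToLower() })
    $missing = @($required | Where-Object { $names -notcontains $_.ToLower() })

    $problems = @()
    if ($missing.Count -gt 0) {
        $problems += 'missing names: ' + [string]::Join(', ', $missing)
    }
    if (-not $cert.HasPrivateKey) {
        # Seen when the response is imported on a machine that did not create the request
        $problems += 'no private key'
    }
    if ($cert.IsSelfSigned)             { $problems += 'self-signed' }
    if ($cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
    if ($cert.NotAfter  -lt (Get-Date)) { $problems += 'expired' }

    if ($problems.Count -eq 0) {
        Write-Host "OK      $($cert.Thumbprint)  $($cert.Subject)"
    } else {
        Write-Host "PROBLEM $($cert.Thumbprint)  $($cert.Subject)"
        foreach ($p in $problems) { Write-Host "          $p" }
    }
}
```

The existing self generated certificate will be reported as a problem, which is expected; the new UCC certificate is the one that should show OK before it is selected in the SBS wizard.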

Activating the Certificate

Now this is where things get different to Exchange 2007 full product installation.
In the SBS Management Console, start the SSL certificate wizard. Select the option to use an existing certificate. Your new UCC certificate with the additional names should be listed. Select it and then complete the wizard. SBS will install the certificate in to the web sites correctly for you.
You should then be able to browse to https://remote.example.com/remote and use the full feature set.

You can verify the certificate is installed correctly by using the Fix my Network wizard, which shouldn't touch the certificate installation - or by running the SBS Best Practices tool. The link to that is on my list of Exchange resources at http://exbpa.com/

Conclusion

With care, you can deploy a commercial certificate on to SBS server, without breaking any of the functionality of the server. This provides a more professional looking deployment for everyone involved, and no need to tell users to ignore certificate prompts.

Vamsoft ORF Update Available - Exchange 2010 Support

My favourite antispam tool Vamsoft ORF has had an update and now supports Exchange 2010, as well as Windows 2008 and Windows 2008 R2 IIS based SMTP.

While support was available for Exchange 2010 in the previous version, a patch was required; this has now been integrated.

The support for Windows 2008 and 2008 R2 is important because of the changes in IIS.
With Exchange 2003, Exchange used the SMTP engine from IIS. This meant that the product worked with and without Exchange.
With Exchange 2007 and 2010, Exchange has its own SMTP engine and you do not install the IIS SMTP engine on to the server at all. Vamsoft ORF worked with the Exchange SMTP engine, but not the IIS engine that was part of Windows 2008/2008 R2. This update corrects it.

What that means is that you can now use Windows 2008/2008 R2 as an SMTP gateway, as I have outlined in this article on amset.info: http://www.amset.info/exchange/gateway.asp

More information on this update is here: http://www.vamsoft.com/orfee_changelog.asp

For the price of $239 per server, this product is very cost effective.

Some of the background to my liking for Vamsoft ORF, particularly with the latest version can be found elsewhere on my blog here:

Truly Spectacular Results from Vamsoft ORF
http://blog.sembee.co.uk/archive/2009/11/16/112.aspx
Real Time Blacklisting
http://blog.sembee.co.uk/archive/2009/09/26/108.aspx