Sembee

In recent months I seem to have spent longer with SBS deployments, rather than Exchange 2007 or 2010. Therefore I have had lots of time to get annoyed with how SBS 2008 works with SSL certificates.

Exchange 2007 is very dependant on SSL certificates, which is something I have posted about in the past. However throw in the customisations to IIS that SBS 2008 makes and it gets much harder.
The SBS team have attempted to simplify the process, but for most people they have actually made it worse.

The major problem with SBS 2008 and SSL certificates is twofold.
1. SBS 2008 presumes that your external DNS provider supports SRV records. Their DNS partners that are pushed in the wizard do of course, but most do not.
SRV records are one of the methods that Outlook 2007 can use for autodiscover. Autodiscover is connected to the availability service. Therefore that means if you are using Outlook Anywhere, without autodiscover working correctly, the client doesn't work.
It can also cause problems internally, but the wizard does actually make the required changes for that.

I can see why the SBS team used the SRV record method, as it allows a standard single name SSL certificate to be used - usually remote.example.com . The wizard then makes the requires changes to Exchange and the domain to allow this method to work correctly. Using a single name SSL certificate keeps the costs down, as anyone who has worked with SBS user will know - getting the typical customer to pay for a certificate can be difficult, particularly when there is a "free" certificate in the product.

The comments in this article from Sean Daniel clearly show the presumption of SRV records use. In my opinion this is a very poor decision from Microsoft, when the wizard could easily automatically enter the additional names that are required and generate the relevant request.
http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html

2. The second issue is that SBS 2008 sets up additional web sites and uses them for external traffic. If you install and enable the certificate in the usual way for Exchange 2007, then you break those sites. That causes a mess, which can be resolved, does make extra work.

However, it is possible to get the certificate in place, in a way that is acceptable to both Exchange 2007 and SBS 2008. Whatever you do, DO NOT use IIS to generate and manipulate the certificate.

Preparation Work

To ensure that you work with the common configuration for SBS 2008, some DNS entries need to be made on the internet facing DNS services (usually your DNS provider).
Specifically these are
remote.example.com and autodiscover.example.com

(where example.com is your domain after the @).

These should point to your public static external IP address. If you cannot use a static IP address, then use a dynamic DNS provider to setup a host. Then create a CNAME for each of the above hosts and point them to then dynamic DNS host name.

While you can use another host name instead of remote.example.com, but everything in SBS seems to be orientated towards that name. Therefore I usually also use that host name for the MX records for the server as well, and get the ISP to setup the reverse DNS (aka PTR) record.

Certificate Request Generation and Response Installation

To generate the request, follow my guide elsewhere on this blog: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx
However, add the name "Sites" to the list of domains that you include. That makes the full list:

remote.example.com
autodiscover.example.com
server.domain.local (the server's internal FQDN)
server (the server's NETBIOS name)
sites

When you get the response back from your provider, continue to follow my blog article up to the point about installing the response. DO NOT use the enable-exchangecertificate command.

By using the Exchange Management Shell to do the request you do not put the current self generated certificate at risk, because the request and response doesn't touch it. The certificate is only changed later on in the process.

Activating the Certificate

Now this is where things get different to Exchange 2007 full product installation.
In the SBS Management Console, start the SSL certificate. Select the option to use an existing certificate. Your new UCC certificate with the additional names should be listed. Select it and then complete the wizard. SBS will install the certificate in to the web sites correctly for you.
You should then be able to browse to https ://remote.example.com/remote and use the full feature set.

You can verify the certificate is installed correctly by using the Fix my Network wizard, which shouldn't touch the certificate installation - or by running the SBS Best Practises tool. The link to that is on my list of Exchange resources at http://exbpa.com/

Conclusion

With care, you can deploy a commercial certificate on to SBS server, without breaking any of the functionality of the server. This provides a more professional looking deployment for everyone involved, and no need to tell users to ignore certificate prompts.

Exchange 2007, SSL Certificates, Small Business Server Exchange 2007, SSL Certificates, Small Business Server

I have recently seen an issue with the POP3 connector which I haven't seen before, but will be very widespread. In this particular circumstance it caused the client's server to get blacklisted and have a server processing many thousands of messages which it shouldn't need to.

It is yet another reason why using the POP3 Connector is a bad idea. I have blogged on the POP3 connector being a bad option in the past: http://blog.sembee.co.uk/archive/2006/09/25/25.aspx .

This client was not only using a POP3 connector, but they were also using a catch all mailbox at the ISP - I have posted today why using a catch all is a bad idea here:  http://blog.sembee.co.uk/archive/2010/02/15/117.aspx (posting that item was inspired by this one).

The Problem

The actual problem was quite simple, and something that Exchange could have dealt with on its own if the server was setup for SMTP delivery. However it became a noticeable issue because of the way this particular server was configured.

The domain was subject to an NDR or directory harvest attack (I cannot tell which due to the nature of the SBS Connector) and ended up with large numbers of email messages in their queues.

What puzzled the client was that port 25 wasn't open to the internet, and they had followed my guides on recipient filtering and authenticated user relay so that the server was secure ( http://www.amset.info/exchange/spam-cleanup.asp ).
As I wrote in that article, messages can continue to appear in the queues for some hours after the initial clean-up due to the way Exchange displays the queues when there are a very large number of messages in the queues. However for this client, the messages continued to appear for weeks. Eventually, fed up with cleaning the queues daily, I was asked to look at the server.

What I found was that the messages in the queues were all from postmaster@ so had the classic hallmarks of an NDR or direct harvest attack, but the client was using the POP3 Connector.

Due to the way the POP3 connector works, messages that come in to the server through it are not subject to the recipient filter. The recipient filter works at the connection point, but the POP3 connector simply drops the in to the queue for delivery. This is the key point and the result was the same as a standard NDR attack through SMTP without recipient validation  - the messages that could be delivered were, and the messages with invalid external recipients, or where there was a delivery problem, hung around in the queues. As time went on, the server became blacklisted by most major ISPs for being a source of spam and back scatter.

Furthermore, the client also had the POP3 connector setup to send a copy of messages that could not be delivered to a valid user  in to a mailbox, so not only were the messages being delivered there (and the client had what they considered to be a major spam problem) but the NDRs were going out as well. The user concerned thought they were receiving large amounts of spam - when in actual fact they were receiving email that wasn't even addressed to them.

In short, it was a complete mess.

This will be a widespread problem

In many respects, the client was not to blame for this problem. This configuration is quite common, and would therefore affect everyone using the POP3 connector with a catch all mailbox. However you may not see the messages in the queues and therefore be unaware that your server is a source of spam or backscatter.

The most common configuration when SBS is used with a POP3 connector is to route email OUT through a smart host - usually the ISPs SMTP Server. If you are doing that in combination with a catch all mailbox then you wouldn't see the symptoms of this problem. When a smart host is used, Exchange is sending the email straight back out again and the smart host is responsible for the delivery of the email.

It was only because this client was using direct delivery rather than a smart host that the email messages were shown in the queue causing further investigation. The client had accepted large amounts of spam in the mailbox as something that happens - and asked me to look at that as another issue - not realising that it was all caused by the same thing.

If the server had been configured in the usual way for POP3 use, that is to use a smart host, then the first the client would have known there is a problem is when their ISP called to tell them - although many do not.

Furthermore the email messages also do not appear in message tracking logs as they do not pass through Exchange, but simply bounce off SMTP. The only messages that do appear in message tracking are those delivered to the user set to receive the messages that could not be delivered.
Therefore a server could be the source of back scatter and the administrators (whether in house or an external support company) would be completely oblivious to the issue.

I haven't been able to verify if the email messages showed in the volume reported by the SBS Reporting tool, because as with most SBS Servers I see, it wasn't turned on.

The Solution

Changing the client to SMTP delivery of email resulted in the spam level dropping immediately. In the 24 hours after the change, the number of messages the server dropped for non-valid recipients was measured in 1000s. The account which received a copy of the unmatched addresses from the POP3 connector saw the level of spam almost completely drop away - as most of the spam wasn't addressed to the user.

Conclusion

There is a very simple conclusion to this blog posting.
Don't use a catch all mailbox with the POP3 Connector. Ideally you shouldn't use the POP3 connector at all.

If you are using the POP3 connector and do not wish to move to SMTP delivery, then you should look at switching to user specific POP3 mailboxes instead of a catch all. While that is more tedious to setup, it does mean you are only downloading email that you may want, rather than lots of spam that you almost certainly do not, only for it to be rejected.

Exchange 2003, MS Exchange Server, Small Business Server, Anti Spam, Vamsoft ORF Exchange 2003, MS Exchange Server, Small Business Server, Anti Spam, Vamsoft ORF

At last Microsoft have released the installation tool for Exchange 2007 SP2 on SBS 2008.
Looks fairly straight forward to use, download the service pack as normal, download the tool and then run the tool.

You can get more information about the tool and download it from this KB article:  http://support.microsoft.com/?kbid=974271

Exchange 2007 has been rock solid in my experience and if you were put off installing it on your SBS 2008 machine because this tool wasn't released, now is your chance.

Exchange 2007, Small Business Server Exchange 2007, Small Business Server

Exchange 2007 SP2 has been released at last.
You can download it from here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4c4bd2a3-5e50-42b0-8bbb-2cc9afe3216a

The service pack is so large because it is the complete installation files. You can install a new server using this download only.

Release Notes are : http://download.microsoft.com/download/8/3/E/83E9DB24-0041-4F7E-A0DD-26043BBF7CAA/RelNotes.htm

The what is new document is here: http://technet.microsoft.com/en-us/library/ee221150.aspx

This update required Windows Installer 4.5 which you can download from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=5A58B56F-60B6-4412-95B9-54D056D6F9F4&displaylang=en 

If you using Exchange 2007 as part of SBS 2008, then you should take note of this blog posting from the SBS Team: http://blogs.technet.com/sbs/archive/2009/07/30/microsoft-exchange-2007-sp2-installation-is-blocked-on-windows-sbs-2008.aspx

(Blog post updated to include links to release notes and what is new)

Exchange 2007, MS Exchange Server, Small Business Server Exchange 2007, MS Exchange Server, Small Business Server

The database of an Exchange server is something that seems to raise a lot of questions with Exchange administrators. Many of the questions appear to be around the size of the database and its limits.
This article should help to increase the understanding of the database size and limits. I have also touched on the thorny topic of offline defrags.

First some terminology.
Where I mention VERSION, this is Exchange 2000, 2003, and 2007.
Where I mention EDITION, this is Standard or Enterprise. Where I mention Standard edition that also applies to the SBS variant.

Unless stated otherwise, references to Exchange 2003 also apply to Exchange 2000.
To the best of my knowledge at the time of writing, Exchange 2007 references also apply to Exchange 2010. However if I find that is not the case, I will update this article.

This is a background article, it does not tell you how to do anything (just in case you came here via Google expecting to be told how to do X with your database).

Myths of the Exchange Database

There are a lot of myths around the Exchange database size and limits which I hope this article will help to dispel

• The store will dismount when you hit a physical size of 75gb
• Adding up the mailboxes listed in ESM should equal the size of the database
• Regular offline defrags are required.

Then there is the confusion with many administrators that the database doesn't shrink in size, even after the users have deleted lots of data. I will cover that as well.

Exchange Database Basics

Lets start with some basics of the database.

With Exchange 2003, the database is made up of two separate files. An EDB and an STM file. These combined are referred to as a store and come in two flavours - Mailbox and Public Folder.
Mailbox and Public Folder stores can be grouped together in to Storage Groups.

The EDB file should be thought of as the MAPI database and will consist mainly of internal email.
The STM file should be thought of as the SMTP database and will consist mainly of external email.
Email sent by Outlook Express users or other internal non Exchange servers would be considered external email.
However some information from the mail in the STM file is held in the EDB file.

The two files should be treated as one.

Mailbox Store and Storage Group Capacities

With Exchange 2000 and 2003 Standard edition you can have one storage group consisting of one database of each type.
With Exchange 2000 and 2003 Enterprise edition, you can have four storage groups consisting of a maximum of four mailbox stores in each group.
With Exchange 2007 Standard edition you can have up to four storage groups with a single mailbox store  or public folder store in each, or a single Storage Group with four mailbox stores.
With Exchange 2007 Enterprise the  number of Storage Groups goes up to 50.

Database Size

The size of the database is a source of much confusion with newcomers to Exchange.
The simple fact with the PHYSICAL size of the database is that it will never shrink without intervention from the administrator. When content is removed from the database then the Exchange server marks that space as white space, and should use that space first for new content before increasing the physical size of the database.

However in practise, that often does not happen. What you will usually find is that if users are asked to clean out their email, more external email will be removed (spam etc) but more internal email is generated.

Database Limits

The database limits are probably the are that causes the most concern for the Exchange administrators, so lets clear that up to begin with.

Exchange 2000 Standard has a database limit if 16gb, which can be increased to 17gb via a registry hack.
Exchange 2003 Standard RTM and Service Pack 1 is also subject to the same limit.
Exchange 2003 Standard with Service Pack 2 has a soft limit of 18gb, which can be increased to 75gb via a registry change.
Exchange 2007 Standard has a soft limit of 50gb in RTM and 250gb in Service Pack 1 which can be removed/changed with a registry change.

Enterprise edition of all versions have a technically unlimited database size, although if you are picky it is 8TB with Exchange 2000/2003.

If you update Exchange 2003 from Standard edition to Enterprise edition, then the registry setting for the soft limit is not removed, so the database may still dismount when it hit the size stated. You need to remove the key completely for that to stop happening

Soft Limit

Soft limits are basically a way for an administrator to ensure that the database doesn’t get out of control. The Exchange server will react when a soft limit is reached by dismounting the store.

Database Limit Enforcement

The way that the database limit is enforced changed with Exchange 2003 Service Pack 2 and subsequent versions.
With Exchange 2000 and Exchange 2003 RTM and Service Pack 1, the limit was simply the physical size of the two database files combined.
With Exchange 2003 Service Pack 2 and later, the limit is now a logical limit. The limit is the physical size of the two files, minus the white space.

The white space is reported by event ID 1221 during the night.
The logical limit of the database is not reported by Exchange until you change the default limit of 18gb.

The registry keys for increasing the 18gb limit in Exchange 2003 are in Microsoft KB article 912375 (link at the end) however I suggest that you read the Technet Article on how to work with the limit and setting the registry key for the warnings.

When setting the check time, ensure that it is AFTER the maintenance window configured on your Exchange server (ie after event ID 1221 has reported) so that content removed that night is taken in to account.

If you hit the limit -whether it is a limit below 75gb or the maximum 75gb limit and the database dismounts, you can mount it again. However it will dismount again the next day.

Offline and Online Defragmentation of the Database

When it comes to the database size and reducing it, most Exchange administrators will be referred to an offline defrag. However Exchange also does an online defrag. While they are related there are some key differences to what they do. 

The online defrag is part of the nightly maintenance that Exchange does on its databases and is what finds and marks the white space for use. Its results are reported by event ID 1221. If that process does not run, the space gained by deleting content will not be used.

Am offline defrag will take the database and create a new one, consisting of the same data, minus the white space. Therefore the physical size of the database will be reduced. An offline defrag is the only way to reduce the physical size of the database.

The offline defrag is not risk free, and can take a considerable amount of time. The process speed is hardware dependant and can vary between 1 and 4gb per hour. Therefore if you have a 50gb store you could be looking at anything between 12 and 50 hours for the process to complete. Once started, it cannot be stopped. If it is, then both the source and the destination files are useless and a copy will need to be put in place.
The Exchange services have to be stopped while the process runs - so requires total downtime of the server. If you have multiple databases on the server then you can dismount the store you are working on and allow the others to run, however if you are in a position to run multiple databases, then you do not need to do an offline defrag, as I will explain below.

Some Exchange administrators  claim that a regular offline defrag is required to keep the server running at the peak of performance. This is not the case and Microsoft specifically state that an offline defrag should not be considered something that needs to be done regularly.

The reason why there can appear to be a performance gain is because an offline defrag creates a new database. As with many things, if you replace with new then you will see some performance gains. Minor imperfections in the database structure can be removed and things generally cleaned up. However because it will skip data that it cannot read, that can mean there will be data loss.

With Exchange 2007, and Exchange 2003 Service Pack 2, or Exchange Enterprise edition (any version) an offline defrag is not necessary and is a waste of time.

Why?
With Exchange 2003 SP2 standard, due to the way that the database is reported, you gain nothing by doing an offline defrag. All you could do is lose data during the process. If you hit the limit, you can remount the database and then remove content.

With Exchange 2007 (all editions) And Exchange Enterprise Edition  (all versions) the process is unnecessary. Simply create another mailbox store, move all of the mailboxes to that store and then drop the original one and delete the database file. You can then create a replacement and move the content back. Zero risk, zero downtime.

If the store you are replacing is the original first store, then it will also hold some system mailboxes. Those will be recreated in another database when the system attendant service is recreated, so you should do that as soon as possible after dropping the original store.

The only reason why you want to do an offline defrag is because you are tight on physical storage, however you will need considerable space to do the offline defrag (At least 110% the size of the store) which will mean additional storage somewhere, so you may as well add it to the original server.

Mailbox Size - Exchange 2000/2003 only.

Many Exchange administrators will be unaware that the list of mailboxes in ESM is not showing the true size of the mailbox. This is clearly shown by the number of questions on forums from administrators who add up the size of their mailboxes and then ask why there is a X gb difference between that total and the sum of their physical database sizes.

In Microsoft KB article number 828070 (link at the end), Microsoft state:

 "When you view the space that a mailbox uses in Exchange System Manager, the amount only includes the space that is used by the Priv.edb file. The amount does not include the space that the Priv.stm file uses."

Therefore a significant difference between the size of the mailboxes and the total of the physical database size should be expected.
This difference is further increased when you take in to account single instance storage and deleted item retention.

Single Instance Storage is a mechanism used within the Exchange database to keep the size of the database down. If you send an email with a 5mb attachment to 10 users, rather than using 50mb of space, it only uses 5mb. The attachment is only removed from the store when the last of those ten recipients removes it from their mailbox.

Deleted Item Retention (aka dumpster) is a feature of the Exchange database, where an item that is deleted from the mailbox or public folder (including removal from the Deleted Items folder) is stored in the database where it can be recovered.

Conclusion

Day to day administration of the Exchange database is not something that most administrators should fear or have any concerns about. As long as you monitor the size of the database regularly, then issues around the size should not come as a surprise.

References

Exchange Server 2003 mailbox store does not mount when the mailbox store database reaches the 16-GB limit
http://support.microsoft.com/kb/828070/

Database Size Limit Configuration and Management (Exchange 2003 SP2)
http://technet.microsoft.com/en-us/library/aa998066.aspx

How to increase the Exchange Server 2003 Service Pack 2 18-gigabyte database size limit
http://support.microsoft.com/kb/912375

How to Modify a Database Size Limit (Exchange 2007)
http://technet.microsoft.com/en-gb/library/bb232092.aspx

Related Articles

Recover Deleted Items: http://www.amset.info/outlook/recoverdeleteditems.asp

Exchange 2003, Exchange 2007, MS Exchange Server, Small Business Server Exchange 2003, Exchange 2007, MS Exchange Server, Small Business Server

Over the weekend one of my clients suffered an authenticated user attack on the SMTP interface of the Exchange 2003 server. This was detected by the monitoring tool I use, HoundDog (http://www.hounddogiseasy.com/referrer.html?code=YNPX) .

The attack was unsuccessful, as I have all of the authentication options disabled.

However what was interesting was the list of usernames that were tried. Some of them are to be expected, but others maybe not so. I have included the list at the end of this posting.

What this list tells you is the usernames that should be avoided, as some of them may well be used as test accounts, with basic or no passwords and therefore may well be easily compromised.
As authenticated user relaying is enabled by default on Exchange 2000 and 2003, if an account can be compromised, even with limited privileges, it can be used to relay spam through your server.

If you do not have anyone using POP3/IMAP accounts on your Exchange server, then authenticated relaying should be disabled completely. It is not required for the correct operation of Exchange with MAPI, Outlook RPC over HTTPS, Outlook Web Access and Windows Mobile or Blackberry use.
If you do have POP3/IMAP users then lock down the authenticated relay to those specific users only. I have added a link to my article on amset.info with instructions on how to do that below.

If you are a victim of an authenticated user attack then remember that most of them are not against you or your company directly, but a spammer wanting to use your bandwidth to send their messages, whether this is to sell something or a phishing attack.

Related Articles
Securing the authenticated relaying: http://www.amset.info/exchange/smtp-relaysecure.asp
Spam Cleanup: http://www.amset.info/exchange/spam-cleanup.asp

List of Usernames Targeted During Authenticated User Attack

webmaster
service
web
info
root
backup
tech
test
Administrateur
administrator
admin
tunnel
nagios
visitor
access
account
data
server
user

Exchange 2003, MS Exchange Server, Small Business Server Exchange 2003, MS Exchange Server, Small Business Server

A while ago I wrote a blog posting about creating a custom MMC which contained the Exchange 2007 Management Console, public folders, queue viewer and ADUC. This made them easier to find instead of going through the Toolbox in EMC. (http://blog.sembee.co.uk/archive/2007/11/06/60.aspx)

However you can create shortcuts for each of the icons in the toolbox and put them in the start menu to allow direct access.
The paths to the toolbox items are in the registry in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\v8.0\AdminTools\Toolbox

The icons, for when you create the shortcuts, can be found in this file:

C:\Program Files\Microsoft\Exchange Server\bin\Microsoft.Exchange.Management.NativeResources.dll

Create a new shortcut in the usual way, and paste the path exactly as shown. If you have installed Exchange application in a different location then you may have to adjust the path to match your environment.

Once the shortcut has been created, right click on it and choose Properties. Then choose change icon and select the icon that you want to use.

These shortcuts work on both Windows 2003 and Windows 2008 and also work with SBS 2008.

Full List of Shortcuts

Here is the full list of the toolbox items, including their paths.

• Best Practises Analyzer
  "C:\Program Files\Microsoft\Exchange Server\bin\ExBPA.exe"
• Exchange Performance Monitor
  mmc "C:\Program Files\Microsoft\Exchange Server\bin\ExchPrf.msc"
• Exchange Troubleshooting Assistant
  "C:\Program Files\Microsoft\Exchange Server\bin\ExTRA.exe"
• Database Recovery Management
  "C:\Program Files\Microsoft\Exchange Server\bin\ExTRA.exe" -AS -PS LaunchDatabaseRecoveryManagement
  (Icon available simply by pressing "Change icon")
• Mail Flow Troubleshooter
  "C:\Program Files\Microsoft\Exchange Server\bin\ExTRA.exe" -AS -PS LaunchMailflowTroubleshooter
  (Icon available simply by pressing "Change icon")
• Database Troubleshooter
  "C:\Program Files\Microsoft\Exchange Server\bin\ExTRA.exe" -AS -PS LaunchDatabaseTroubleshooter
  (Icon available simply by pressing "Change icon")
• Message Tracking
  "C:\Program Files\Microsoft\Exchange Server\bin\ExTRA.exe" -AS -PS LaunchMessageTracking
  (Icon available simply by pressing "Change icon")
• Performance Troubleshooter
  "C:\Program Files\Microsoft\Exchange Server\bin\ExTRA.exe" -AS -PS LaunchPerformanceTroubleshooter
  (Icon available simply by pressing "Change icon")
• Public Folder Management Console
  mmc "C:\Program Files\Microsoft\Exchange Server\bin\Public Folder Management Console.msc"
• Routing Log Viewer
  "C:\Program Files\Microsoft\Exchange Server\bin\RoutingView.exe"
• Queue Viewer
  mmc "C:\Program Files\Microsoft\Exchange Server\bin\Exchange Queue Viewer.msc"
  (Uses the same icon as the Routing Log Viewer, so use change icon and browse to the Routing Log Viewer executable location.)
• Exchange Details Templates Editor
  mmc "C:\Program Files\Microsoft\Exchange Server\bin\Details Templates Editor.msc"

Update March 17th 2009.
I have removed the download of the tools shortcut because of the prompt you get from Windows when trying to run files downloaded from the internet - each time you start the shortcut. You should create your own shortcuts instead.  

Exchange 2007, MS Exchange Server, Small Business Server Exchange 2007, MS Exchange Server, Small Business Server

One of the most common questions on forums is why does a user get a NDR (Non Delivery Report) report similar to the one below when they send an appointment to another person. The NDR will reference a user who is no longer part of the company and does not have an account on the system any longer.

Your message did not reach some or all of the intended recipients.
Subject: Sales Meeting
Sent: 8/22/2008 8:54 AM

The following recipient(s) could not be reached:
Another User on 8/22/2008 8:54 AM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
<mail.example.net #5.1.1>

This is caused by delegates.
The user referenced in the NDR was a delegate on the recipient of the appointment.

However what you may find is that when you look at Delegates through Outlook, the user is not listed.
This is because the delegate system can get "stuck" and the information in Outlook and on the server are not in synchronisation.

To reset it, simply follow the procedure below.

1. Remove any delegates that are currently listed for the user.
2. Add a new delegate to the list. IMPORTANT - this new delegate must not have been a delegate to the user before. I will usually create a temporary mail enabled account for this process and then delete afterwards.
3. Wait at least 30 minutes for this change to be propagated to the server correctly.
4. Remove the new delegate from the list.
5. Wait at least 30 minutes again.
6. Add the preferred delegates back in to the list.

This works by replacing the complete list of delegates on the account.

If this still doesn't work then you will have to scan the domain using adsiedit.msc for references to the former user on the user's settings. I have only ever had to do that once, when Outlook wouldn't open the delegates tab. Otherwise the procedure outlined above has always worked for me.

Exchange 2003, Exchange 2007, MS Exchange Server, Small Business Server Exchange 2003, Exchange 2007, MS Exchange Server, Small Business Server

There have been a number of posts on forums about the database limits in various versions of Exchange. This post is a quick summary.

The limits shown also apply to Small Business Server, which has Standard edition of the relevant version installed.

Exchange 2000 Standard Edition: 16gb *
Exchange 2000 Enterprise Edition: Unlimited **

Exchange 2003 Standard Edition RTM and SP1: 16gb *
Exchange 2003 Standard Edition SP2: 18gb soft limit, 75gb hard limit ***
Exchange 2003 Enterprise Edition: Unlimited **

Exchange 2007 Standard Edition: 50gb soft limit, unlimited hard limit ***
Exchange 2007 Enterprise Edition: Unlimited **

* Exchange 2000 and 2003 Standard edition SP1 or older, can both be increased to 17gb as a temporary measure to allow the store to be remounted to remove content.

** The actual maximum possible size of the Exchange database is 8TB, effectively unlimited.

*** Exchange 2003 SP2 and Exchange 2007 have soft limits. This is a setting in the registry that limits the database to the size shown. It can be increased as required.
The idea is to stop run away store growth. Should something happen within the Exchange setup that causes rapid store growth, it will hit this limit and be dismounted.

With this introduction of a soft limit, the way that the database limit is enforced was changed.
With Exchange 2000 and 2003 prior to SP2 the database limit was the physical size of the store. The amount of white space in the store was not taken in to account. This meant that once you hit the limit you needed to do an offline defrag of the database to get it below 16gb, even after you had removed content.

With Exchange 2003 SP2 and later, this behaviour has been changed. The limit is now the physical size of the store, minus the amount of white space. Therefore if you hit the physical limit of 75gb on Exchange 2003 SP2 then an offline defrag is not going to help. Users need to actually remove content to create white space in the store.
Furthermore the database size is not checked in real time. It is checked once a day, by default at 5am (this can be changed via a registry modification). Therefore if the store dismounts because the limit has been breached, you can simply restart the service and the store will mount again.

However in my experience, once you hit the limits, even removing the content will only be a temporary solution. Either an investment needs to be made in an archiving solution that actually removes the content from the store, or an upgrade to Exchange 2003 Enterprise edition or Exchange 2007 Standard needs to be carried out.

Relevant Links at microsoft.com

Exchange 2003 Limit Changes: http://technet.microsoft.com/en-us/library/aa998066.aspx
Exchange 2007 Limit Changes: http://technet.microsoft.com/en-us/library/bb232092.aspx

Increase the limit of the Exchange 2000 database to 17gb: http://support.microsoft.com/kb/813051

Exchange 2003, Exchange 2007, MS Exchange Server, Small Business Server Exchange 2003, Exchange 2007, MS Exchange Server, Small Business Server

Something I have been doing frequently for the last 18 months of so is cleanups of SBS 2003 servers and their associated networks. I have a number of clients in the IT Support industry who ask me to clean up their client's servers. Two of them get a new client and the first thing they do is ask me to look at it and make recommendations.

In many cases it is minor cleanups or ensuring that everything is up to date. However one that I have done just recently deserves a blog posting on its own.

Background

New client for one of my IT Support clients.
They said that their client didn't think that there had been much maintenance done by the previous support company and the AV had expired. They were also looking to use Windows Mobile devices but were having problems getting it to work.
It had already been agreed to deploy AVG, so I was asked to look at the site and report what was required.

Seven users, one server, low level of email use apparently. Old school was the phrase that was used to me when describing the company.

I was shocked, to say the least.

Server

SBS 2003 RTM.
Thankfully I was sitting down when I saw that. No service packs, no automatic updates nothing.
DHCP was being run by the router, not the server.
DNS wasn't configured correctly.
The AV had indeed expired - 18 months ago. It was Symantec as well.
POP3 connector for email collection
Most of the wizards hadn't been run correctly.
Various other bits of junk on the server
The backup wasn't configured correctly, therefore the Exchange transaction logs were building up. There were four years of transaction logs.

Clients

I was able to get on to one of the clients.
Windows XP SP1
Office 2003 RTM
Same expired Symantec AV.
Adobe Acrobat Reader 6 (remember that?).

It was like the site was stuck in 2004. The site was deployed and never touched afterwards.

Anyway, I like a challenge.
Did I mention that the site was 350 miles away, and I was working on it remotely?

The positives?
I tried.
8mb ADSL getting 5mb on the bandwidth tests, which was ok. Plus it had a static IP address. The server had lots of space on it, it was a good configuration, multiple arrays, 2gb of RAM. It was a Dell system and the original suppliers had obviously installed it fresh as it didn't have the Dell issue of a 12gb root partition. However the rest of the server hadn't been done correctly.

So what did I do?

To begin with, over a course of two nights in the week, I downloaded the updates I needed

Windows 2003 SP2
Exchange 2003 SP2
Windows XP SP2 and SP3
SBS SP1
SharePoint Service Packs
WSUS 3.0 SP1
Office 2003 SP3
AVG Admin and the main Application
Adobe Acrobat 9.0

I asked my client to purchase an SSL certificate credit from https://DomainsForExchange.net/
I also asked for access to their domain name configuration, and web site.

Finally I asked that all the workstations be left on over the weekend and a tape left in the backup drive.

Before I started, I corrected the backup job.
This not only provided me with a backup of their data, it also flushed out almost 15gb of transaction logs, which made the server a little more snappier. Once the job was finished, I ejected the tape as a precaution.

With a successful backup, I could then begin the real work.

I started off by flashing the router firmware to the latest version, then reviewing its configuration.
Then started on the server, downloading the latest BIOS and drivers.
Windows Service Pack was first, then the driver updates.
Rest of the service packs as required, concluding with the WSUS installation. I then set that to sync and started on the workstations.
Symantec AV was removed and the AVG installation was setup and configured, ready for installs on the clients.

I moved the data around on the server as per the best practices.
Using the SBS Best Practises tool, cleaned up any issues that flagged and reset the backup job to backup correctly. 

Each workstation had the Symantec AV removed, the Adobe Acrobat removed and then was brought up to SP3. Rebooted as required.
Office 2003 service pack installed along with the new version of Acrobat Reader.
The workstations also got updated BIOS and drivers.

AVG was installed on the systems, updated and a full scan carried out.
They were very lucky. While a few things were found, they were not serious and

I setup the client with an OpenDNS account and changed the configuration of the server to use that. DHCP was removed from the router and moved to the server. However before I did that I carried out an IP Address scan and found a network printer. A nice HP LaserJet. Fortunately it was configured by defaults, so I was able to connect to it, update its configuration and firmware. Then downloaded the latest drivers from HP and installed them on to the server and shared the printer from there. On each client the printer was changed from direct to the shared printer.

The SSL certificate was deployed with a real name following some DNS changes, and the relevant port opened on the firewall (443). Yes I know SBS can do that for me, but I needed to retain control.
Configured a split DNS system so that the external name on the SSL certificate also worked internally.

I also downloaded and installed PRTG Traffic Grapher and configured that on the server to look at the router. Created a mini admin web site on the server, with PRTG on a web page, along with the AVG status page and a web page to manage the IMF quarantine emails.

By this time WSUS had synchronised, so a few group policy changes had the client talking to that. I ran a few scripts on the client to get them to call in correctly, then left them to download their updates for a few hours.

Once the updates were in and installed, and the systems rebooted, close to finishing.
Secured the server for SMTP email and then changed the MX records to point to their static IP address.

Tested Exchange ActiveSync from outside, along with RPC over HTTPS, OWA and confirmed it was working.

Finally set all systems to defrag. 

There were also a lot of very small changes that I do on every site which are simply too numerous to list (plus I can't remember them all).
I was also available on Monday morning for any issues that came up - there were none.

Rough tests on start up times of the server and workstations showed that I halved the time they took to start up.

The job took most of a weekend and basically involved three or more years of maintenance being done on the network in that time. Once it was complete I dropped an email to my client with a list of what I had done (pretty much what I written above), recommendations for future work and a bill for £2,000.

Probably the best bit was the feedback from the end users. It felt like they had a new network, everything worked, faster, things we where they should be etc. Overall everyone was very pleased.

Ultimately, they were lucky. As they had a router and their email traffic was so low, they didn't get hit by anything major that would have caused a problem. They were badly exposed though and if something had got in then it would have run amok.

The Sales Pitch

If you are in the UK and either a direct user of SBS or are supporting SBS Servers, then I can do something similar for you. Server cleanups start from £250 (+ VAT) depending on the work that is required. I will look at the server and tell you what is needed and quote on that basis. Additional bits (like SSL certificates, AV licenses etc) need to be purchased separately.

If you are a support company, then this type of work can give you a quick win and provide you with an immediate impact with the client. The simple change from POP3 connector delivery to SMTP delivery is normally enough, without the other background work.

In the vast majority of cases, this work can be carried out remotely, out of hours. It does not require a site visit, simply remote access is required (Log Me In is my preferred method).

Similar work can be carried out on the full product over multiple servers.

However, here is the interesting bit… the financials.
The client who I did this job for was prepared to buy additional hardware and software from their previous support company to resolve the problems - which the previous support company had caused by not doing the maintenance correctly. Someone suggested getting a second opinion, and that has saved them money. Their original outlay will now be fully utilised and they will see benefits. Since that work was carried out in mid September they have started to use Windows Mobile, and are now looking at laptop use. Productivity has increased - simply by investing some time in their existing infrastructure, rather than purchasing new and going through the headache of a migration. Despite everything I did for them, Monday morning they were able to come in and start work immediately, with no significant impact on their business, other than the "wow" factor.

Exchange 2003, MS Exchange Server, Networking General, Amset IT Solutions Ltd. / Sembee Ltd., Small Business Server Exchange 2003, MS Exchange Server, Networking General, Amset IT Solutions Ltd. / Sembee Ltd., Small Business Server