Nolanb2004 asked:

Deployment of Exchange Server 2003 EE

I am beginning the deployment of Exchange Server 2003 Enterprise Edition. Currently our e-mail is hosted by our ISP and we want to bring the administration in house. My environment consists of 4 servers (including the Exchange box) all running Windows 2003 Server SE, and a firewall between my network and internet. I have several related questions regarding the initial deployment of Exchange:

1) Will my current firewall suffice for my needs or should I consider adding another one? We are not a huge corporation and the existing one has been doing a good job.

2) The Exchange server has 4GB of RAM. I have read documentation on optimizing the boot.ini file within Exchange to optimize memory usage, but I cannot locate this file. How do I go about configuring memory optimization in Exchange 2003 EE?

3) I know I need to create an MX record that will point to my new server as opposed to the ISP's. I would like to have them as the backup in the event that my server goes down then the e-mail will still be routed through them. How do I go about creating this record?

Lastly any best practices or advice you can offer in regards to the implementation would be greatly appreciated.

Thanks in advance.
Sembee:

Your existing firewall will probably be fine. Just change its configuration to allow SMTP traffic (port 25) in from the Internet.

The memory optimisation feature you are referring to is the /3gb switch
http://support.microsoft.com/default.aspx?kbid=823440
The boot.ini file is a hidden, protected system file, and you will need to enable the options to see it.

Your ISP needs to arrange to be a backup mail server. Ask them if they provide the service.
Once setup, you will need two MX records, one pointing to your site, with a low cost (say 5) and one pointing to the ISP, with a higher cost (say 10).

It takes 48 hours for MX records to replicate, so where possible, keep using both your existing and new solution for at least that time - I usually go for at least 60 hours (2.5 days) to catch everything.

If you are deploying OWA or RPC/HTTPS then purchase a certificate to secure the web server. One of RapidSSL's StarterSSL certificates is fine. Get a trial certificate to play with.

Otherwise a new implementation is pretty straightforward - just follow the setup checklist that pops up when you insert the CD.

Simon.
Nolanb2004 (asker):

Thanks for the quick reply,

I am not sure what you mean by cost. Can you clarify please? Also, if I use the ISP as the backup, then I would not have to worry about missing e-mails/replication, right? Since my Exchange and the ISP will be running in tandem. Where exactly do the MX records go?

I do plan on deploying OWA; I am not familiar with SSL certificates. Is there a client install or does it just reside on the server? What exactly is it? A file piece, software?

In the meantime I'm going to check out the link you forwarded to me.
OK, ISP took care of MX record for me so I'm all set there. All I need is some insight to the other questions I proposed in my last post.
Download the Exchange Best Practices Analyzer and run a scan after your install to assist you with configuration.
http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-4BEE-4943-AC22-E2DDBD258DF3&displaylang=en

You will be fine with only one firewall since you are a small company and don't really have the funds. I used to work with many small companies and they have a similar configuration.

You can also download IMF filter for a free spam filter from MS
http://www.microsoft.com/downloads/details.aspx?FamilyID=C1EA8CF1-48C9-4E43-A4EB-82D9A83FD4A7&displaylang=en

Sembee stated that your Boot.ini file is hidden; the following link can walk you through this:
http://www.microsoft.com/technet/prodtechnol/exchange/EXBPA/53d48a24-cd62-4c51-bcaa-70c3412fa5dc.mspx
 
SSL is a certificate that you install on to the server.
Most of the SSL providers have white papers that guide you through the entire process.
This is the one from Rapid SSL: http://www.rapidssl.com/resources/pdfs/iis_white_paper_v1.01.pdf
It is for IIS5, but that is almost identical to IIS 6 for this process.

If the ISP is providing you with backup MX service, they should have a way of getting that email to you - either via SMTP delivery or by using ETRN. They should be able to advise you accordingly.

Simon.
Apparently what happened is that prior to this deployment, I was testing out Exchange on this box. I reformatted the hard drive and reinstalled Exchange; however, the old Mailbox Store, etc. still appears in the System Manager and I cannot delete it because I have several mailboxes on the store. The problem is that I cannot connect to the store to delete them since it really no longer exists. I'm thinking I will have to uninstall and reinstall to remove these old defaults, or is there another way to resolve this? But my question is: there must be a place in Active Directory that is pointing to this old server. Where exactly is it pulling this old information from, and how can I remove it so that when I reinstall it only sees this new server, which is my only Exchange Server?

Thanks in advance.
You cannot just format an Exchange server. You need to remove it in the correct way from the domain. If you don't do that then they hang around in the domain.

You will have to hack out Exchange by hand.
http://support.microsoft.com/?kbid=273478

Simon.
OK so far so good, I appreciate all of the great comments.

Had to do a little bit of back tracking but I hacked out the old server, etc. from AD following the KB docs from Microsoft (thanks Sembee). I have set up a test mailbox and I am able to send out e-mails but I cannot receive them. I contacted my vendor who is currently hosting our e-mail to go ahead and modify the MX record to point to our server. Maybe it hasn't propagated yet? It's been several hours. I'm wondering if they are even setting this up correctly because I had called them a couple of days ago and provided them with the cost you suggested (5 for our server and 10 for theirs). As I was testing the server I discovered that none of my clients could receive e-mails. I contacted them to verify that it was set up accordingly, which they said it was. I thought that in the event that my server went down the messages would be routed through them? That definitely wasn't the case. Am I misunderstanding something here? Because if it doesn't work that way then I really don't need them and can eliminate them altogether. What do you guys think?

Secondly, I need to have a little clarification on how my clients will be configured. If I continue to use my vendor as a backup then I will have to configure 2 accounts on each workstation, the current POP account and the Exchange account which will be the default; is this correct? Lastly, will all folders (i.e., sent items, user created folders) still reside on the workstation or will they reside on the server? If they still reside on the workstation, is it possible to move them to the Exchange Server? Thanks in advance.
It can take 48 hours or more for settings to fully propagate round the Internet.
You can get an idea of how it is doing by using some of the online tools such as dnsreport.com to see what the Internet thinks is going on.

For the accounts on the workstations - you will need to leave both account types running for at least 48 hours, and possibly longer (another day will do no harm) to ensure that all email is collected from the old source. Once email going to the POP3 accounts has dried up you can remove that account.

With regards to content, it is usual for it to exist on the server within the mailbox. If the email is currently being stored on the workstation in a .pst file then you should import the content of that file to the mailbox using the import wizard. This will bring all the data in the standard folders. To move the content of the custom folders, open the PST file using File, Open and literally cut and paste.

Simon.
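The MX "cost" (preference) that Simon describes in his first reply, and the misspelled MX target that dnsreport turns up later in the thread, as an added Python example (not code from the thread or from any of the posters). The zone lines, host names and IP addresses are constructed, and the logic only models what a sending mail server does with the records; nothing here touches the network.

```python
"""Worked example of MX preference ("cost") and a sanity check on MX targets.

Constructed data only; no network access. The zone lines and the A-record
table below are made up to mirror the setup discussed in the thread.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class MXRecord:
    preference: int   # lower value = tried first ("cost" in the thread)
    host: str         # exchanger host name, lowercase, no trailing dot


def parse_mx_lines(lines: Iterable[str]) -> List[MXRecord]:
    """Parse zone-file style lines such as 'example.com. IN MX 5 mail.example.com.'.

    Lines that are not MX records (or are malformed) are skipped.
    """
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "MX":
            continue
        try:
            pref = int(parts[3])
        except ValueError:
            continue
        records.append(MXRecord(pref, parts[4].rstrip(".").lower()))
    return records


def delivery_order(records: List[MXRecord]) -> List[Tuple[int, List[str]]]:
    """Group mail exchangers by preference, lowest preference first.

    A sending MTA works through these groups in order and only moves on to
    the next group when every host in the current one is unreachable
    (RFC 5321, section 5.1). Hosts sharing a preference are equal candidates.
    """
    groups: Dict[int, List[str]] = {}
    for rec in records:
        groups.setdefault(rec.preference, []).append(rec.host)
    return [(pref, sorted(groups[pref])) for pref in sorted(groups)]


def choose_delivery_host(records: List[MXRecord], reachable: Set[str]) -> Optional[str]:
    """Simulate a sender picking an exchanger given which hosts answer on port 25.

    Returns the first reachable host in preference order, or None when no
    exchanger is reachable (the sender would then queue the mail and retry).
    """
    for _pref, hosts in delivery_order(records):
        for host in hosts:
            if host in reachable:
                return host
    return None


def unresolvable_targets(records: List[MXRecord], a_records: Dict[str, str]) -> List[str]:
    """Return MX target names that have no A record in the supplied table.

    This is the class of mistake the thread hit: an MX whose target name is
    misspelled points at a name that does not resolve, so the preferred
    server is skipped even though the server itself is fine.
    """
    return [rec.host for rec in records if rec.host not in a_records]


# Constructed sample zone: primary MX at the company, backup MX at the ISP.
SAMPLE_ZONE = [
    "example.com.            IN  A   203.0.113.10",
    "example.com.            IN  MX  5   mail.example.com.",
    "example.com.            IN  MX  10  backup-mx.isp.example.",
    "mail.example.com.       IN  A   203.0.113.10",
    "backup-mx.isp.example.  IN  A   198.51.100.25",
]

# Constructed A-record table, as an external resolver would see it.
SAMPLE_A_RECORDS = {
    "mail.example.com": "203.0.113.10",
    "backup-mx.isp.example": "198.51.100.25",
}

if __name__ == "__main__":
    mx = parse_mx_lines(SAMPLE_ZONE)
    print("Delivery order:", delivery_order(mx))
    print("Both up, sender picks:",
          choose_delivery_host(mx, {"mail.example.com", "backup-mx.isp.example"}))
    print("Primary down, sender picks:", choose_delivery_host(mx, {"backup-mx.isp.example"}))
    # A misspelled primary target, the kind of error dnsreport exposes.
    typo = [MXRecord(5, "mial.example.com"), MXRecord(10, "backup-mx.isp.example")]
    print("Targets that do not resolve:", unresolvable_targets(typo, SAMPLE_A_RECORDS))
```

With both hosts reachable the sender always picks the preference-5 host; only when that host is down does the preference-10 ISP host receive the mail, which is why a backup MX alone does not explain mail arriving at neither server.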
Hey Simon you are the man. That link to dnsreports helped me a ton. I found something very interesting when I ran a report on my test e-mail account. The idiots at my ISP misspelled the server name!!! Well I called them and had it corrected and lo and behold I am able to send and receive e-mails from my test account!!! I am excited as heck!!! Thanks for your help.

I will follow your advice and have both accounts configured for now. As far as the PSTs which all data is contained in, when you are referring to File, Open, Cut & Paste, is that from within Outlook? Otherwise what can I open a PST with to get the data over to Exchange?
Configure Outlook as normal to point at Exchange.
Then open the pst file from within Outlook using file, open.

There isn't a cut and paste in Outlook. The closest you will get is "Select All", then right click on the selected messages and choose Move. You will then get the option to choose the folder to move the items to. Choose the required folder in the Mailbox.

Simon.
OK. I have the migration portion of the project pretty much figured out. All I am going to do is export the current POP mailbox and reimport it into the Exchange Mailbox and I'm pretty much done. Tested it out yesterday and it worked fine. I am now working with standardizing Outlook 2003 clients via my existing GPO in AD. I have a question regarding this though. There are some menus that I would like to disable such as Help->Check for Updates since I already use WUS for my patch and update deployments. However in the GPO it asks for a Command Bar ID. I tried 'Menu|Check for Updates' and it didn't work. What exactly is the command bar ID for this and is there a list of them that I can find somewhere? This is probably the only custom one I have to do as most of the others are already predefined in the template. It would be nice to have a list though.

As I am getting near to the actual deployment I have several other questions regarding some of the collaboration features of Exchange 2003. One is how exactly do I go about creating a public Contact List where it is the default list that opens when they click on 'Contacts'. This is how it currently is with their locally stored mailbox. My organization has quite a bit of older users and the fewer clicks the better for them. On a test client it opens up the old local contact list, then there is an option to "Open Shared Contacts", then they have to click on Name, etc. I'd like to simplify this process if possible.

Secondly, I am contemplating the usefulness and effectiveness of Public Folders. Currently we do not have an intranet although it is being considered for the future. Users access most shared files through a network drive but I like the idea that they can access these through one application (Outlook). I believe that in the interim Public Folders could probably prove quite useful. I just wanted to get a sense of some of the opinions on Public Folders and how you use them in your organization if they are used at all and your experiences with them. Are they useful or is it something that gets out of hand where the next thing you know users are putting everything in there? I know you can create security options where users cannot create "Parent Folders" however I do not want to restrict it too much if we're going to use them, only because I could see where it could become a nightmare to administrate. What is your take on Public Folders?

Thanks in advance guys, the project is coming along nicely due to all of your great feedback.
Let's work backwards.
Public folders are only really useful for public Outlook type data - so contacts, mail and calendars. For everything else MS would like you to use a shared network drive or Sharepoint.

I use public folders for the three items I have already mentioned. I like to use public folders as the permissions control is outside of the domain, allowing me to delegate full control to a non admin user.

Redirecting contacts in the client cannot be done. You can play with the default address book settings, however this is done on a client by client basis. I haven't seen any way to centrally set this (and believe me I have looked). One of my favourite tricks is to create a company wide contact list for external people (procedure: http://www.amset.info/exchange/companycontacts.asp). If I could automate setting that folder as an Outlook Address book, I would be very happy.

Command Bar IDs.
There isn't an official list anywhere, but a quick look round the MVPs dug up a spreadsheet on this page. http://www.sparnaaij.net/Downloads/
Can't vouch for the quality of the information, but the author is an MVP so you would hope that his information is pretty good.

Simon.
I read the article you sent me the link to (thanks) and I am more confused than ever on the whole public folder thing. In the Exchange System Manager, there is the "All Address Lists" under the "Recipients" directory. Here is listed 'All Contacts', 'All Groups', 'All Users' and 'Public Folders'. Currently there is no data in any of them. How do I add data to them? I would like to have a contact group that is sort of an employee directory, if you will, with their e-mail address, etc. Where should this information be stored and how do I go about even storing them there? How do you have your organization set up for this? I really only want 2 groups of shared contacts across the organization: one, All Employees, and the other common external contacts that a lot of my users have in common; this way it can be centrally managed by a small group of "admins". This has to be easy to do, no? Lastly, how do you have your Calendar sharing set up and what exactly is the process behind this?

Thanks in advance,

Nolan
Those address lists are auto generated from the GAL.

All Contacts would be any mail enabled contacts that you have put in the GAL.
All Groups would be any distribution groups that you have created.
All Users should be just users - no groups.
Public Folders would contain any mail enabled public folders that you have created.

Not unusual for contacts, groups and public folders to be empty - if you haven't created any then there is nothing to show.

All Employees would be the GAL. Nothing further to configure there.
Common contacts - personally I would go with the process I have outlined in my article above. This will let you assign certain people to administrate contacts - rather than give them the Exchange and Domain tools to update Mail Enabled Contacts. More information can be kept in a public folder contact - which is in a format that the users are comfortable with.

The shared calendar I have inherited is a simple calendar called "Meeting Room Bookings". The receptionist updates it personally when someone calls.
The better way to do it would be via a resource mailbox (Google it) - but this particular client is old school and the thought of their staff booking their own meeting rooms horrifies them.

Simon.
So far so good with my testing of Exchange. Thanks for all the advice guys. I am now in the process of configuring and testing OWA. I have a problem with the interface though. When I initially log in to OWA none of the graphics display and when I click on certain icons (not really icons, just the ActiveX box), it generates script errors. I've looked around in my browser settings and haven't seen anything abnormal there, the same goes for IIS and Exchange System Manager. Any idea as to why this is happening?

Thanks in advance,

Nolan
The first thing to check is whether it does the same thing on OWA on the server itself:

http://localhost/exchange

This will confirm whether it is a server problem or not.

Simon.
Yes it does it on the server hosting OWA as well. No graphics or icons appear.
Check the authentication in IIS manager for the Exchange virtual directories:
/exchange
/exchweb
/public
/exadmin

All should be basic and integrated ONLY.
In addition, /exchweb should also have anonymous access. No others should have anonymous.

Simon.
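The per-directory authentication policy in Simon's checklist, as an added Python audit (not code from the thread or from Microsoft). It decodes the IIS 6 metabase AuthFlags bit mask (1 = Anonymous, 2 = Basic, 4 = Integrated/NTLM; that mapping is from the IIS metabase reference, not from this page) into method names and reports where a directory deviates from the expected set. The AuthFlags values below are constructed sample data; on a real Exchange 2003 server you would read them with adsutil.vbs (assumed tool, for example `cscript adsutil.vbs get w3svc/1/root/exchweb/AuthFlags`).

```python
"""Audit the authentication methods on the Exchange 2003 OWA virtual directories.

Constructed example: the expected policy follows the thread's advice
(Basic + Integrated on all four directories, Anonymous on /exchweb only).
The observed AuthFlags values are made-up sample data.
"""
from typing import Dict, List, Set, Tuple

ANONYMOUS, BASIC, INTEGRATED = "Anonymous", "Basic", "Integrated"

# IIS metabase AuthFlags bits (assumed from the metabase reference; MD5 0x10
# and Passport 0x40 are deliberately ignored because OWA does not use them).
AUTHFLAGS_BITS: Dict[int, str] = {1: ANONYMOUS, 2: BASIC, 4: INTEGRATED}

# Expected authentication methods per virtual directory on the default web site.
EXPECTED: Dict[str, Set[str]] = {
    "/exchange": {BASIC, INTEGRATED},
    "/exchweb":  {BASIC, INTEGRATED, ANONYMOUS},
    "/public":   {BASIC, INTEGRATED},
    "/exadmin":  {BASIC, INTEGRATED},
}


def methods_from_authflags(value: int) -> Set[str]:
    """Translate an AuthFlags integer into the set of enabled method names."""
    return {name for bit, name in AUTHFLAGS_BITS.items() if value & bit}


def audit_vdir_auth(observed: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Compare observed AuthFlags per virtual directory with EXPECTED.

    Returns (vdir, finding, method) tuples. 'missing' means a required method
    is switched off (Anonymous off on /exchweb is what breaks the OWA graphics),
    'extra' means a method is enabled that should not be (Anonymous on any
    other directory serves mailbox content without a credential prompt), and
    'absent' means the virtual directory was not found at all.
    """
    findings: List[Tuple[str, str, str]] = []
    for vdir, required in EXPECTED.items():
        if vdir not in observed:
            findings.append((vdir, "absent", ""))
            continue
        enabled = methods_from_authflags(observed[vdir])
        for method in sorted(required - enabled):
            findings.append((vdir, "missing", method))
        for method in sorted(enabled - required):
            findings.append((vdir, "extra", method))
    return findings


def is_compliant(observed: Dict[str, int]) -> bool:
    return not audit_vdir_auth(observed)


# Constructed sample: the state behind the "no graphics, script errors" symptom
# (Anonymous off on /exchweb), plus an over-permissive /public and a /exadmin
# that lost Basic.
SAMPLE_BROKEN: Dict[str, int] = {
    "/exchange": 6,   # Basic + Integrated
    "/exchweb":  6,   # Basic + Integrated, Anonymous missing
    "/public":   7,   # Anonymous + Basic + Integrated
    "/exadmin":  4,   # Integrated only
}

# Constructed sample matching the checklist exactly.
SAMPLE_GOOD: Dict[str, int] = {
    "/exchange": 6,
    "/exchweb":  7,
    "/public":   6,
    "/exadmin":  6,
}

if __name__ == "__main__":
    for vdir, finding, method in audit_vdir_auth(SAMPLE_BROKEN):
        print(f"{vdir}: {finding} {method}".rstrip())
    print("Good config compliant:", is_compliant(SAMPLE_GOOD))
```

Running this after every reboot (or as a scheduled task) is one way to catch the settings drifting back, the problem raised later in the thread, before users report broken graphics or an unexpected anonymous directory.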
I've said it before and I'll say it again. You are the man Simon. That was it alright. Wow does OWA look sweet! The interface is amazing without any customization. Another thing I'm trying to accomplish is I have also been trying to create a DNS record that will allow my users to access OWA using a more friendly URL than the standard 'http://localhost/exchange'. However it does not appear to be working for me when I test out the new alias. How do I go about creating a new alias that will point to my OWA server?

Thanks in advance,

Nolan
What do you mean that it doesn't work?
As long as you have setup the DNS correctly it should work...

http://mail.domain.com/exchange

You need to look at your DNS configuration, and make sure that you are not using host headers within IIS.

Simon.
OK I've got everything working so far with the rerouting to a different domain/webpage so my users will not have to use the "/exchange" switch. What they will have to do though is make sure they enter in https instead of http because of the SSL and the way I configured my firewall. I'm not going to bother setting up a second virtual server to reroute them in case they forget the 's'. I went with VeriSign on the SSL w/ 128 bit encryption. It should be here tomorrow.

The next component I'm working on is the sharing of calendars and contacts. Have you found this useful? If so how deep did you go into the security? I can see from the permissions tab when you click on "Share my Contacts/Calendar" administration could become a nightmare if you get too advanced so I am wondering if it is the same situation with "Public" folders where you're better off not even using it.

I'm going to do a Google on resource mailbox now to see about maybe something such as you described where Conference Room Bookings can be accessed but not entered by everyone. I'm also going to read the article you forwarded to me and start testing some collaboration features such as department directories. Besides department directories and maybe a calendar to see conference room bookings I don't think there is too much in the way of collaboration from our discussion. It seems you really have to implement SharePoint to really take advantage of this. Any other recommendations / useful features to look out for are appreciated as well.

One other issue I have is I noticed when I restart my Exchange Server my settings that were causing the graphics, etc, to not show up in OWA were there in IIS again so I had to go back through the checklist. Is there a way to permanently set this?

Thanks in advance.

Nolan
OK so I went to test out my connectivity from outside my firewall and I cannot connect to OWA. I do not know what I'm doing wrong here. How do I go about configuring a user friendly URL for my users to remember?

What I initially did was I created a forward lookup zone in DNS of 'mail.zyxins.com'. Next I added a "Host A" record pointing to my private IP address.

I then went into IIS and under the default website I added another website of 'mail.zyxins.com'. Under the "Virtual Directory" tab I specified that the "Content for this Resource Should Come From a Redirection to a URL" under which I entered '/exchange'.

I also checked off the boxes for "The Client Will Be Redirected to a Directory Below the URL Entered" and "Permanent Redirection for this resource".

Under the "Directory Security" tab I have the following permissions: "Integrated", "Anonymous" and "Basic Authentication".

Under the Default Website properties on the "Web Site" tab I have the private IP set and the standard ports of 80 and 443.

On my Firewall I mapped my Public IP to my Private one. I also opened up the 2 ports of 80 and 443.

I can't connect and now to make matters worse I am also getting a "440 Login Timeout" error when I try to connect at all. I am lost here. It was at least working when I was connected from within the firewall; now it's not connecting at all. Can someone please help me on how to configure the redirection to a more user friendly URL, as I really don't know what I'm doing wrong here. Thanks in advance.
You created another web site? That is where you went wrong.
You either need to modify the default web site (which is what I would recommend) or use ESM to add the Exchange virtual directories to a new web site.

Simon.
It's actually under the "Default Website" folder in IIS, is this wrong? So what you're saying is I should be modifying the properties of the "Default Website" folder. Okay so I deleted the website in IIS. I modified the properties of the 'Default Website' folder to "Redirection to a URL" and entered '/exchange' and I also checked off "Directory Below the URL Entered". The form comes up now but I still get the timeout error. Do I need to have anything under the HTTP Exchange Virtual Server? As far as connecting from outside I won't know until tonight.
You need to get it working inside first. This ensures that OWA is working correctly before you put more potential problems in to the mix.

Was OWA working before?

What happens if you try it from the server itself, using http://localhost/exchange

Simon.
Still getting the "440 Login Timeout" error even on the server when I enter in the above URL. Yes it definitely was working from within the Firewall.
I think you have touched something that you shouldn't have within the virtual folders.

I would reset the virtual folders and start again.

http://support.microsoft.com/default.aspx?kbid=883380

Check that OWA works at every stage.

Simon.
OK, I've just realized what was causing this problem. It happens when I enable "Form Based Authentication" on the HTTP Virtual Server in the Exchange System Manager. Any idea why this is happening?
Could this have anything to do with it? On /exchweb properties -> Directory Security -> Authentication Methods I have enabled Anonymous Access, which is "IUSR_SERVERNAME". However when I go into my AD, this account does not exist. What I don't understand is apparently by default, Windows 2003 creates these accounts as they exist for all of my other servers in my domain along with an "IWAM_SERVERNAME" account for each of my servers. Is there a service, component, etc. that must be enabled in order for these accounts to be automatically created?
OK, what I did is just renamed a set of the existing ones to match the anonymous account that Exchange is using on /exchweb, and it still doesn't work.
Those accounts are only created in AD for domain controllers. If the server is a member server then they will be created in the local users and computers (find it in Computer Manager).

You should set the anonymous account back to these default ones so that Windows can control them. Make sure that the IUSR account hasn't been disabled.

Simon.
I will set them back to the default names since that did not even work. But why am I getting this "440 timeout" error when I enable FBA? Also this Exchange Server is a DC, so if what you're saying is true it should have created those accounts by default, which it didn't.
Also should I change the anonymous account that Exchange is using to one that exists in AD?
If the machine is a DC then you will not have a local users and groups... so the account must be created within the Active Directory. It should be called IUSR_<servername>. If you don't see that account in ADUC then I have to begin to suspect your IIS installation. The account is created by IIS, not Exchange.

What happens if you try to access the form directly...

http://<servername>/exchweb/bin/auth/owalogon.asp   ?

Simon
I get an error that the page cannot be found when I enter in the above URL. If I try connecting to https://slcorp-b/exchange (I have to use the https since I have it set to only accept SSL connections) I'm able to access OWA, but the above URL - no good.
Turn off the requirement for SSL for the moment. You have to go back to basics.

The URL I gave above is the location of the form, and does work on http. Modify the URL to change <servername> to your own server's name and see what happens.

Simon.
I get the error "access is denied". I can log into OWA itself fine but not that form from the URL you gave me.
Straight away - or any username/password prompt?

Check the authentication on the /exchweb/bin virtual directory in IIS Manager. Don't change anything, just state what they are?

Simon.
Basic, and in the default domain field there is just a " / ".

This actually leads me to another question. When I set my authentication permissions for the directories you listed earlier when I was having a problem with the graphics showing up when I logged into OWA, they apparently reset themselves or something, because I always have to go back into the four of them to make sure the settings stick (integrated; basic only; correct domain; with the exception of /exchweb which also has anonymous access). Why is that?
That is the same as my working installation.
I do have something in default realm though - the fully qualified domain name of my AD domain.

As for your second question - you haven't got Sharepoint installed on this machine as well have you? Or Frontpage extensions?

Simon.
Just double checked and there is nothing in the realm field. Yes Frontpage extensions was loaded when I initially added the app server role in Windows 2003. Should I remove the role and not check off that box for Frontpage extensions?
I don't tend to use the roles feature within Windows.
I have seen Frontpage extensions cause problems in the past, particularly with the permissions. If the extensions are on the default web site, try removing them using the Frontpage admin tool.

However... do the REALM change first and just check that.

Simon.
OK, looks like we're ready to rock and roll here. I did several things over the last day to troubleshoot this problem (thanks for all your help on the troubleshooting). After looking over the MS documentation for using the /3GB switch I realized that it is NOT recommended to have the server as a DC controller when using the /3GB switch so I removed the DC role for good measure.

I also removed the role of App. Server and added it back in again removing the FrontPage Extensions but leaving ASP.Net since it is required for OWA. After this I checked over my security again (integrated; basic only; correct domain; with the exception of /exchweb which also has anonymous access).

I also had to check the "Application Name" and "Application Pool" since they were not set by default once I added in the role again.

Then I checked the /exchweb/bin directory and added in my domain name in the realm field. (*Note: I did try this first and it did not work).

I also checked my "Local Users and Groups" and both IUSR_<server name> and IWAM_<server name> were in there automatically. Once I performed these steps I finally tried the URL you gave me and the OWA login screen came up with the "Domain/Username" field and the "Password" field along with several radio button options. I've never even seen this login screen before and it resembles the one from several Exchange manuals I have. The other one is pretty much the standard Network Login window with the domain and realm (both the same) listed.

So what's next Simon as I do not want to get ahead of myself here?
It is also not recommended to change the role of the server after Exchange has been installed. Is Exchange working correctly?

However... all you need to do now is add the SSL certificate and enable FBA in ESM. There shouldn't be much else to do.

Simon.
I did not know that. Now you have me worried. Exchange seems to be a really sensitive application with all of these caveats. However it appears to be working fine. My test machines have been connecting fine to their mailboxes and I'm able to log in fine to OWA. Are there any other tests I should perform?

I'm going to configure SSL right now and see what happens. What is the correct way or the way that you would recommend to go about creating a redirection URL so that way it will be user friendly? Thanks in advance.

Nolan
Just to update: SSL with FBA is now properly working. I can log in to OWA just fine now. I'm just waiting for some feedback for the redirection to another URL.

Thanks,

Nolan
Exchange is very sensitive. It is a lot more robust than it used to be though.
As long as you follow the best practises from Microsoft then it will behave itself quite happily.

Redirection to another URL is probably best done using the technique I have on my web site:

http://www.amset.info/exchange/default-web.asp

Simon.
OK well I configured everything as per your instructions and made sure everything was configured properly on my DNS server and I'm able to connect to OWA fine with my new alias. So tonight I will try testing from the outside. This is what I did on my firewall the last time and it didn't work:

1) Added the public IP to resolve to the private IP
2) Made sure the HTTPS/SSL port 443 was allowed

Are there any other ports I need to open up as well? I've got a SonicWall firewall and it's pretty user friendly and I noticed it has some DNS ports in there so I'm wondering if any of these need to be opened up as well. This is actually our first "Web Server" if you will as our sites are all hosted for us. In the meantime I'm going to play around with the public folders some more as I'm still not sure where we should go with this.
No other ports need to be opened - just 443. If you can browse the Internet from inside then you don't need the DNS ports opened either.

Simon
Cool thanks. I'll let you know on Monday how it goes. On a side note, I'm looking at the sharing of individual calendars. In your experience how should this be configured? My users are not too savvy when it comes to these things and as I look at the permissions on the Calendar, I can already see where they'll probably go crazy. Should all calendars be viewable by everyone but not editable, or should I just not even bother with it? What I don't want is a million calls to the help desk where it's "I want this person to view my calendar but not edit it", and so forth. I wish this was able to be centrally administered.

Thanks and have a good weekend,

Nolan
It all depends on the users.

With sharing calendars you have to be careful to make sure that the users know it is happening and learn where the "private" is. This allows them to put things in their calendar but keeping the content private.

Otherwise you can set it centrally using a tool called Setperm. This tool has disappeared from its original location, but can be found in various other places. Check this blog posting, but ignore the first link.
http://hellomate.typepad.com/exchange/2003/07/setting_calenda.html

I would tend to set the permissions for read only, and use your "All Staff" or equivalent group to set the permissions so that you don't need to adjust them when someone joins or leaves. Additional rights can then be set later for assistants etc who need to modify entries.

Simon.
Well I tried to access OWA from the outside this weekend with some degree of success. My user friendly URL did not work. However if I put in just the public IP I was able to log in. It's fine from the inside but from outside the URL doesn't work. What am I missing here?

Thanks for the pointers on the Calendars. I'll be playing around with this and the Public Folders most of the day.
If the IP address worked but the name didn't then that is saying DNS.

When you entered the IP address, did you need to put the /exchange in after the IP address?
If not then Exchange is operating correctly, so it has to be a DNS issue.

From an outside machine ping the address that you want the clients to use and see whether it resolves to the correct IP address.

Simon.
I'm thinking DNS too but I've been looking at it today and I don't see anything wrong here. I did use the /exchange switch and I don't recall if I tested without it. I'll try it tonight along with the ping to see what happens. Thanks.

Nolan
Hey Sembee, I was doing some research on this OWA name resolution issue I've been having and I came across an article pertaining to the Exchange "Internet Mail Wizard" and it was stating that if your server has dual NICs, which I do, that Exchange will create two virtual servers. One where you would assign the private IP for outgoing messages and the other the public IP for incoming messages. Is this a good way to set up Exchange? My only concern is that my firewall will be bypassed since I will have to use my ISP's gateway for the public IP. Right now I'm only using the one NIC with my private IP. What is your take on this?
In most cases I don't deploy Exchange with dual NICs. I have found that it can cause lots of issues with Exchange.
My preference is to have a single NIC on the LAN and NAT the external IP address with the firewall. This protects Exchange and provides a single interface in to the server.

If the server has dual NICs then make sure that the other NIC that you aren't using is disabled. It can cause name resolution issues as the wrong name or IP address can be registered with your internal DNS servers, unless a lot of care is taken with the setup of both NICs.

Simon.
That's pretty much how I have it set up right now. In that case I think I'll stick with the one NIC. What about the Internet Mail Wizard? Is it useful? I didn't use it on my test machine but I'm wondering if I should this time around.
I don't use the Internet Mail Wizard, although I do know my way around Exchange well enough not to need it. If you know how to configure everything by hand, then do it that way. At least then you will know it was setup, rather than trying to guess what the wizard is doing.

Simon.
Yeah everything worked when I did it manually except for my name resolution from outside the firewall, which is what I'm still working on. I really don't know what the problem is here. Do you know of any good articles, etc. on DNS and name resolution?
In most cases you don't need to worry too much about external DNS - as this is handled by the ISP/Registrar. You will enter the details into their configuration and 48 hours later this is propagated around the internet.

There are lots of articles about the problem, you'll find lots on this site as many issues that we cover are DNS related. However for external DNS they will not be much more help - unless you are managing your own DNS servers.

If you are having problems then I would speak to the registrar who looks after your domain name and seek their advice.

Simon.
Well I know it's been a while, but here's an update to the project. After numerous wranglings and back and forth phone calls I have finally got my ISP to configure their DNS records properly to coordinate with the new zone and my OWA server that I have in house. dnsreport.com was an indispensable tool for troubleshooting what exactly they were doing wrong. You would think this would have been pretty simple right? Apparently their technicians are not the best.

So I would have to call them and then they would tell me "It looks fine now" then of course I couldn't test it until I went home. And then it wouldn't work. Finally last night I successfully logged in!!! So it's getting there. I really have not done any other configuration only because I wanted to make sure I could get the core functionality working. So I'll be back on the public folders, etc, again. Is there any special configuration I will have to do to make them accessible from OWA? Once again thanks for all of your help Simon.
Nothing you need to do for the public folders to make them accessible - other than set the correct permissions within Outlook. If you can see them in Outlook then you should be able to see them in OWA.

If it is all fixed, don't forget to close the question.

Simon.
Hey Simon, I'm working on these public folders now. Just so I have this straight, I'm going to create these "Public Folders" or Company Wide Contact Lists completely through Outlook right? As opposed to on the Exchange Server itself?
Yes. Create them in Outlook. If you create them in ESM then you don't have a choice on the type of folder. This is fine if you want to create a folder to contain just email messages, but if you want it to hold contacts, calendar or tasks then you need to use Outlook.

Simon.
So does that mean that for all of my users these Company Wide Contact Lists will not be available in OWA?
If you have created them in public folders, then they are available to them to access - but you don't get them as a choice when choosing addresses in the same way that you can within Outlook.

Simon.
OK now this is starting to make sense. First I create the Public Folder (let's say I use the default Newsgroups) then I drag the Contact List into the Public Folder (Newsgroups)? Then this will allow all of my users to access that contact list.

However, in OWA it does not appear the same (I think I saw that during my outside testing over the weekend, it opens up a separate page). So my next question is should I just use this method and not worry about the directories in ESM under Recipients->All Address Lists? Under there you have 'All Contacts', 'All Groups', etc. But it looks like you could accomplish the same thing this way we're discussing or am I wrong here? Any advantages/disadvantages over one way or the other? Incidentally I tried to create an Address List under 'All Groups' in ESM named Managers but I cannot see it in Outlook. What am I missing here?

Thanks in advance,

Nolan
I wouldn't touch the newsgroups, as this is newsgroups like you get on the Internet. Just create new folders by right clicking on Public Folders and choosing New, Folder. Remember to choose the right type.

The address lists in OWA will only show contacts in the GAL or the mailbox contacts. While you can create mail enabled contacts which will show up in the GAL, these have some drawbacks - the key ones being that the contacts show in the GAL and the Exchange admin has to administrate them - or grant users rights to Exchange and install the Exchange admin tools on to a workstation - with the risks that brings.

Simon.
Yeah I was just using the Newsgroups folder as an example. What I did is I right clicked on All Groups under All Address Lists and selected New Address List, added a couple of users to my newly created list; when I hit preview in ESM the users show up but the list doesn't show up in Outlook.

I'm thinking that creating the Public Folder, then adding the Contact List to it is probably the way to go then but that kind of stinks that the Address lists won't be available in OWA. So should I just create my department distribution list this way and forget about ESM or do you recommend for internal contacts to still use it?

Thanks,

Nolan
Don't forget that Outlook 2003 uses the offline address list. This only updates once a day on the Exchange server and once a day on Outlook or when Outlook is restarted.

If you create distribution lists for internal people, then these will appear in the GAL. An interesting trick when creating distribution lists is to put a space in front of the names (display and actual) then they will appear at the top of the list.

Simon.
So it doesn't sort them alphabetically? Hmm, it only updates daily, I guess that's why I'm not seeing the new Address List yet, I'll see tomorrow. What do you recommend though, create my Dist. List for internal people in ESM so they show up in the GAL or the other way we've been discussing? I guess it would probably make sense though to do it in ESM so that way users can access these contacts in OWA.

Nolan
It does sort them alphabetically, but it means that you can put all your lists at the top of the GAL.

So

All Staff
Directors
IT Staff
Managers
etc
Then users

For internal lists, use ADUC on the Exchange server. Right click on the users, choose New, list and follow the wizard.

Simon.
Hey Sembee, well configuration and testing is complete with successful backups of the logs, mailboxes, etc successfully performed. Monday is the day I demonstrate the system to the various managers and executives involved with this project. I'm putting together a walk through document and testing out everything to make sure when I present it everything works and for the most part it does. I can't thank you enough, it really looks great with all of the bells and whistles. I have one minor thing occurring though. When I'm in OWA and I go to send a new e-mail I cannot see the GAL or any groups I created in ESM for my internal users only. You have to do a check names to find individual users but it doesn't even show you 'All Groups', etc like it does in Outlook. I don't believe that's the way it was before. I think you could see the users and Groups by default in the drop down box. What am I missing here?

Thanks in advance,

Nolan
You have to search for names etc. It doesn't just show them.

One workaround is to hit the space bar then do a search and it will show you the first 100 contacts. Otherwise you are best off putting some criteria in.

Simon.
That stinks. So is it the same for my Groups (Distribution Lists) as well? I would at least like to get those to show up. Any way to get those to show up? Right now in the drop down is 'Contacts' and 'GAL'.

Nolan
Your groups should appear with all the other contacts in the GAL. What you might want to do is rename the groups to include a space in front of the display name " All Staff" instead of "All Staff". This makes them appear at the top of the GAL.

Simon.
The problem is when I hit the drop down box in the 'Find Names In' field all I see is 'GAL', not 'All Groups', etc. So I can't select any of my Dist. Lists. I created them under All Address Lists -> All Groups in ESM. Is there a way to get those additional categories to show up? That trick worked by the way. At least when I put in the space I can see all of my individual users. Now if I can only do the same for Groups.

Nolan
That is where you went wrong.

Create the groups in ADUC by right clicking on Users and choosing New, Group. Step through the wizard to create the group. It will then appear in the GAL in the usual way.

Simon.
Ahhh, I see. So I assume the type will be Distribution. Then I'm not really using the ESM for Group creation at all then? And what I'm seeing in OWA is correct?
Don't use ESM for group creation. Do it all in ADUC.
Otherwise OWA appears to be working correctly.

Simon.
After I initiate the wizard, what do I want to set it as, Global or Universal? Do I also need to create an e-mail address for the group?

Nolan
Global Group.
The list will need an email address otherwise you cannot use it for email distribution. Make sure that you are using ADUC on the Exchange server or a machine with the Exchange System Tools installed.

Simon.
OK that was where I went wrong. I got the groups set up properly now. One thing I noticed, that trick to do a wild card search by entering in a space only works with the GAL and not Contacts. Is there a similar trick for Contacts? By the way, the trick to create the Groups with a space in the front of the name really comes in handy since everything is listed under the GAL.

Nolan
I am not aware of anything working for contacts. You will have to put the first letter in or something like that to search.

Simon.
OK. I have my meeting this morning to unveil this system and that's about it then as far as OWA. A few limitations but it's miles ahead of the web client they're using right now. I've also added in a few tweaks of my own. For instance, I modified the asp file so that users will not have to enter in the domain first and then their username. All they have to do now is put in the username and password and the domain is automatically filled in for them. For some of my users, the easier the better. I'm lucky if some of them know what "right click/left click" means. You're probably already aware of that trick as well but I thought I'd share it with you just in case.

Nolan
The question on how to do that comes up quite often.

Personally I prefer to force the users to put the domain in. In a similar vein I force them to put https in the URL when they connect. Both increase security - the domain adds another layer of security to what a hacker needs to find to break into OWA/domain.
It is amazing how quickly they learn when they have to do it often enough.

Simon.
Yes. Entering in the 'https' I didn't modify, although I came upon that trick as well, but I drew the line with that one. I will have to reexamine whether or not I will have them enter in the domain though, as I did not realize that would decrease the security. I saved the old file so I might just pop it back in then. But you're absolutely right, some things they have no alternative but to learn and accept. This whole change of their e-mail system is one of them. Although I try to make systems as user friendly as possible, provide them with manuals etc, there are always the users who will want more and hate change. I'm sure to encounter more than "but we used to do it this way" when I hold the training classes. Of course my retort will be "tough sh.." :) - Don't I wish.

Nolan
There is only so far that you make things easy for the users.
If the users had their way they wouldn't need passwords, or could use the same password all the time, which is a simple word like "password". Security is just a pain for most of them.

What you could do, with the manager's permissions is breach the security. Move some email messages etc. Then tell them that someone must have guessed their password. Leave them to sweat while you "restore from backup" and then put the messages back. Sneaky, but sometimes the only way that works.

Simon.
Ha! I like that idea. Well I had my meeting and it was a road I am familiar with but didn't expect for this project, "Oh this won't work and that won't work". Some of the managers harped on the minor things and went off on all these tangents for what was supposed to just be a demo of what it can and can't do.

For instance, there is a deposit list that gets e-mailed out to the whole company. My preliminary idea was to have a public folder where everyone could access it instead of sending out 60 different copies. On my demo, I had the default view when you open Outlook go to "Outlook Today" and the Deposits Public Folder would be there on the right with the new message in bold: mouse over the hyperlink, click it and there's the message - Simple right?

Well the one manager claims "Oh that won't work, when it's e-mailed to them it's right in their face so they have to open it"; "Chances are if they're going to be anywhere it will be their inbox so they'll remember to read it"; "The folder is way down at the bottom"; blah blah blah. I showed her that the folder could be moved higher up. But nooooo it's too much work. So then I asked her what safety measures are in place to ensure that they are in fact reading the e-mail. "There are none" is her reply (????) So what the hell is the difference.

You see part of my problem is I too come from a consulting background. In that realm if a client doesn't like this or that, fine, so be it, I get the check anyway. Here I take things a little more personally. And it kind of pisses me off when they spend all this money on something just so they can have e-mails stored in a central location. Granted they did like some things like OWA of course, and this was supposed to be just a demo so some things I will probably get through but other things that are so simple that they don't want to do is beyond me.

If you're a manager you should be able to train people and say "listen instead of your inbox click here to check the deposit". I mean that's ridiculous. But hey what can I do, I'm just an IT guy, right? I definitely have to take a look at your earlier comments and advice though and see what I should just toss and what I should push to keep. But when I hear myself say that I'm just like, there is not a lot to this system and it's not too complicated to begin with. It's just a few more bells and whistles. I expected this BS from end users but not managers...

Nolan
With regards to your 60 copies of the message to all staff... that isn't an issue.
Exchange has a facility known as single instance storage. If you send a 5mb attachment to 60 people in the same email, then it takes up 5mb of space in the database, not 300mb. What you might want to do is have the message sent to a public folder so that you can have an archive.

I feel your pain with IT resources. I like to have automatic forwarding disabled on all Exchange servers, along with OOTO messages to the internet disabled. However the number of times I have been forced to turn them back on, usually because someone with clout has bought a toy that needs them...

Nothing we can do while they pay the bills.

Simon.
(Sigh) Yes this is true. It's so frustrating sometimes though how they always manage to find the needle in the haystack. But I'll have a few drinks and be over it :) I was not aware of the single instance storage though. That's good news because that was my main concern that it would be taking up unnecessary memory. Excellent feature on Microsoft's behalf. Speaking of toys, I have a couple of Blackberry users who I guess I will have to turn on automatic forwarding for, right? It's something I have not even looked at yet, but will probably do so this week.

Nolan
Blackberry requires either automatic forwarding or the Enterprise server.
The enterprise server is very good. I am in the middle of deploying it for a client at the moment and while it had its quirks during the install, once done it has been very easy to work with.

Simon.
It is great. At my old job we had it deployed there and they loved it and the Blackberry in general. Its coolness has worn off on me though. I'm angling to get a Pocket PC after this project is over. The thing is doesn't it cost a couple thousand dollars? Right now there are only two Blackberry users and a hodgepodge of other PDA type devices, so I don't know if it would justify the cost at this point. Eventually I want to get everyone on one platform though.

Nolan
Hey Sembee, out of curiosity what type of antivirus software are you using on Exchange or would you recommend? I am having some serious issues with Symantec Antivirus and want to stay away from them. Thanks in advance.

Nolan
Current favourite is GFI Mail Security.

I used to be a fan of Sybari, but they were bought by Microsoft earlier in the year so their status is now "unknown".

I don't like any of Symantec's products and don't deploy them. Current favourite combination is GFI on the Exchange server and Grisoft AVG on the workstations. Depending on the client budget sometimes I put something else on the servers (so that the servers and workstations are different). Theory being that there are three levels of protection.

Simon.
I just posted a question for more feedback on AV software. I am so frustrated with Symantec right now. I detailed my problem with them in that post but you're dead on with not trusting their products. To put it bluntly, it's crap. I never liked them at home and was quite disappointed when I arrived here and saw that this is what they had deployed. I'm getting rid of it this week. Thanks for the insight though, I'm going to look into those suggestions right now. I'd like to make a decision by the end of tomorrow at the latest. A few of my friends that do consulting work have also raised that point of using two different kinds of AV software on the server as well. Good call. I'm going to have to give that some more serious thought.
Sembeeeee! Are you still around? Well I've only now had the chance to start to deploy my Exchange Server and although I and a couple of other users have been using it with no problem, I went to create some new mailboxes but they don't show up in the ESM.

For the first several all I had to do was open up the AD, right-click their name and run through the wizard and the mailbox was created. It still runs through the wizard successfully but there is no mailbox that is created. I also noticed that the DB maint., although set to run at 1:00 to 5:00 AM daily, has never run. Any ideas? Your help is greatly appreciated.

Nolan
The mailboxes are not physically created until an email message is sent to them, or some other activity takes place.
The key thing to worry about is whether the email addresses are being automatically stamped on the accounts. If that isn't happening then you have a problem with recipient update service.

For database maintenance, take a look through the event logs for any attempt to start, services stopping etc. I have seen all sorts of odd things happen... people stopping Exchange overnight, shutting down the server overnight, stopping the services to run file level backups etc.

Simon.
Thanks for the quick reply Simon,

That's exactly what happened. Normally it will automatically populate the SMTP and the X.400 addresses but it didn't for this account. How can I fix this?

I'm going to take a look at the logs in the meantime to see about the other issue. What service does the DB Maint run under?

Nolan
You need to look through the logs to see if there are any errors related to Exchange trying to access domain controllers.
First thing to check is Recipient Update Services in ESM. Make sure that it is pointing to a valid global catalog domain controller.

All Exchange tasks should run under Local System. Therefore you may have difficulties in actually spotting the maintenance results. One of those things where I know what I am looking for, but ask me what it is and I struggle.

Simon.
OK, I read a KB article that addresses the error I found in the logs pertaining to the automatic creation of the e-mail addresses as per the policy in ESM. All I had to do was make sure inheritable permissions was checked in the container and object. It was missing on the object and that fixed it; on Monday I'll try to actually set up the mailbox on the workstation.

I really couldn't find anything in the logs that relates to the DB Maint. I stopped and restarted a couple of services so I'll see what happens. Any ideas? In the meantime I'm going to keep sifting through KB articles.

Nolan
The classic number to look for is ID 1221. This is the result of the online defrag. You have looked in ESM to confirm that online maintenance is scheduled?

Simon.
I did find event 1221, the last time it ran was 10/8. The message reads "The database "First Storage Group\Public Folder Store (MAIL)" has 3 megabytes of free space after online defragmentation has terminated."

When I look at the mailbox store DB maintenance schedule it says that it is scheduled to run daily at 1-5 am but in the 'Time of last incremental backup' window it says "This type of backup was never performed."

Nolan
The message about backups is fine. I don't do incremental backups on any server that I look after - so every server has that message.

If you are getting event ID 1221 then maintenance is running correctly.

Simon.
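A check for the event 1221 question above, as an added example that is not part of the thread or Simon's advice: it parses a constructed text export of the Application log, reports the last online defragmentation result per store, and flags any store that has not logged a 1221 within the expected window (the nightly schedule Nolan describes). The export format (date, source, event ID, message) and the sample lines are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample of an Application log export (date/time, source, event ID, message).
# These lines are made up for this example; they are not output from the server in the thread.
SAMPLE_LOG = """\
10/08/2005 04:12:33,MSExchangeIS,1221,The database "First Storage Group\\Public Folder Store (MAIL)" has 3 megabytes of free space after online defragmentation has terminated.
10/08/2005 04:20:51,MSExchangeIS,1221,The database "First Storage Group\\Mailbox Store (MAIL)" has 41 megabytes of free space after online defragmentation has terminated.
10/09/2005 02:00:00,ExampleSource,9999,Constructed filler event that the parser must ignore.
10/09/2005 04:18:40,MSExchangeIS,1221,The database "First Storage Group\\Mailbox Store (MAIL)" has 38 megabytes of free space after online defragmentation has terminated.
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"   # assumed timestamp format of the export
OUT_FMT = "%Y-%m-%d %H:%M:%S"    # format used in the returned summary

# Matches the body of event 1221 as quoted in the thread.
DEFRAG_RE = re.compile(
    r'The database "(?P<store>[^"]+)" has (?P<mb>\d+) megabytes of free space '
    r'after online defragmentation has terminated\.'
)


def parse_defrag_events(log_text):
    """Return (timestamp, store, free_mb) for every event 1221 line, oldest first."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(",", 3)
        if len(parts) != 4 or parts[1] != "MSExchangeIS" or parts[2] != "1221":
            continue
        m = DEFRAG_RE.search(parts[3])
        if not m:
            continue
        when = datetime.strptime(parts[0], TIME_FMT)
        events.append((when, m.group("store"), int(m.group("mb"))))
    events.sort(key=lambda e: e[0])
    return events


def summarise_maintenance(log_text):
    """Map each store to its most recent online-defrag result (last event wins)."""
    summary = {}
    for when, store, free_mb in parse_defrag_events(log_text):
        summary[store] = {"last_run": when.strftime(OUT_FMT), "free_mb": free_mb}
    return summary


def stale_stores(summary, now, max_age_hours=24):
    """Stores whose last event 1221 is older than max_age_hours before `now` (OUT_FMT string)."""
    now_dt = datetime.strptime(now, OUT_FMT)
    stale = []
    for store, info in sorted(summary.items()):
        age = now_dt - datetime.strptime(info["last_run"], OUT_FMT)
        if age.total_seconds() > max_age_hours * 3600:
            stale.append(store)
    return stale


if __name__ == "__main__":
    summary = summarise_maintenance(SAMPLE_LOG)
    for store, info in summary.items():
        print(f"{store}: last online defrag {info['last_run']}, {info['free_mb']} MB free")
    # With a 1-5 AM nightly schedule, anything older than about a day has missed a run.
    print("stale:", stale_stores(summary, now="2005-10-10 08:00:00", max_age_hours=48))
```

A store that stays on the stale list is the one whose overnight services or server were interrupted, which is where Simon's suggestion to look at the event logs for stops and restarts comes in.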
So where does ESM get this 'backup information' from? From the native Win 2K3 backup utility? Also as I've been searching through the KB articles, a lot of them talk about these "Recovery Storage Groups", do you use them?

Nolan
Hey Simon, well I've almost migrated all of my users to Exchange (except for my CEO who has about 4,000 e-mails in his inbox) and so far so good. I'd like to express my gratitude for all of your help. I could not have done it without you and it's great to have people like you to learn from. It really has made a great improvement over our old e-mail system. I'm going to close this question now. I hope you're around to answer any future questions I may have.

One minor thing has cropped up though, on my Global Distribution Groups. Exchange has automatically assigned e-mail addresses to the lists itself. Let's say Dist. Group "TEST" for example. Now when a user sends a message to that Dist. Group they get an 'invalid recipient' message because there is no actual mailbox for that test@.... address. You can't delete the address either. Am I missing something here or did I not set up the groups properly? Thanks in advance.

Nolan
Hey Simon are you still around?

Nolan
If you have mail enabled a distribution group then it gets an email address automatically. That is how Exchange works. The users should just select the list from the global address list and send away.

Remember that in Exchange, you have mail enabled objects - they don't have to be mailboxes. They can be contacts, lists or public folders.

If you are getting an NDR from the list then something isn't working correctly. You may want to try creating a new group from scratch and testing with that. If it still doesn't work, open a new question so that the other experts can see it.

Simon.