Archive for the ‘Exchange 2007’ Category

Restrict Send to Certain Distribution Lists

When running Exchange 2007 Server you will usually have several distribution lists (DLs), and you may want to restrict who is allowed to send to any of them.

Doing so keeps your mail flow on the safe side: it prevents anyone from accidentally sending a private message to everyone on the server, and it stops people from replying to an all-employees distribution list and creating annoying spam.

  1. Open the EMC.
  2. Navigate to Recipient Configuration.
  3. Navigate to Distribution Groups.
  4. Right-click the group you want to restrict access to and choose Properties.
  5. Open the Mail Flow Settings tab.
  6. Double-click Mail Delivery Restriction and edit your scope.
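The same restriction can be applied and audited from the Exchange Management Shell. The script below is an added example, not code from the original post; it assumes Exchange 2007 SP1 or later (for AcceptMessagesOnlyFromSendersOrMembers), and the group and sender names are placeholders.

```powershell
# Added example, not part of the original post: Exchange Management Shell equivalent
# of the EMC steps above, plus an audit of groups that anyone can send to.
# Assumes Exchange 2007 SP1 or later; group and sender names are placeholders.

# List groups that accept mail from anyone: no sender restriction is set and
# unauthenticated (Internet) senders are not rejected either.
function Get-OpenDistributionGroup {
    Get-DistributionGroup -ResultSize Unlimited | Where-Object {
        $_.AcceptMessagesOnlyFrom.Count -eq 0 -and
        $_.AcceptMessagesOnlyFromDLMembers.Count -eq 0 -and
        -not $_.RequireSenderAuthenticationEnabled
    } | Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled
}

# Allow only the listed users or groups to send to a group and reject anonymous
# senders, then read the setting back so the change can be verified.
function Set-DistributionGroupSenderRestriction {
    param(
        [Parameter(Mandatory=$true)][string]$Group,
        [Parameter(Mandatory=$true)][string[]]$AllowedSenders
    )
    Set-DistributionGroup -Identity $Group `
        -AcceptMessagesOnlyFromSendersOrMembers $AllowedSenders `
        -RequireSenderAuthenticationEnabled $true
    Get-DistributionGroup -Identity $Group |
        Format-List Name, AcceptMessagesOnlyFromSendersOrMembers, RequireSenderAuthenticationEnabled
}

# Report open groups, then lock the all-employees list down to two senders.
Get-OpenDistributionGroup | Format-Table -AutoSize
Set-DistributionGroupSenderRestriction -Group 'All Employees' -AllowedSenders 'HR Department', 'ceo@domain.com'
```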

Recipient permission delegation in Exchange Server 2007

This is a good article on the MS Exchange Team blog:

http://msexchangeteam.com/archive/2007/02/12/435171.aspx

Exchange Server.. Two servers in two different sites

July 5, 2008 Mohamed Fawzi 22 comments

The situation is that you have two separate Exchange servers in two sites, and they share the same public domain name.

So the question is: how does the Exchange server in the first site know to forward emails to the Exchange server in the second site for the second site's users?

That is, if you have a user on server 1 called user1@domain.com and a user on server 2 called user2@domain.com, and the MX record points to server 1:

If you send mail to user1 it will arrive in his mailbox, but if you send to user2 it will not arrive, as his mailbox is not on server 1 (the one that the MX record points to).

Here is the solution.

Exchange Configuration

  1. You have to choose a primary site for your public name. This primary site is the one that will receive all the email. In this example, Cairo is primary and Alex is secondary.
  2. Set up MX records for your primary domain pointing to these servers.
  3. Create a recipient policy on each server for your primary domain. Make sure that the option about Exchange being responsible for all email delivery to this address is enabled. It should be the primary recipient policy.
  4. Create sub-domains for each site in the DNS of each server. Therefore, if you had the two sites Cairo and Alex, you would have:
     • Cairo.domain.com
     • Alex.domain.com
  5. While working in the internal DNS of each server, create MX records with the external IP address of the other server. Therefore the Cairo site will have a DNS zone for Alex.domain.com, and in this zone will be a DNS entry for mail.Alex.domain.com. Each of those would also be set as MX records. These MX records do NOT appear on the Internet, but traffic will flow on them because your local machine looks up the MX records from the local DNS.
  6. On each server, add a new additional recipient policy – but don’t make it the default. This new recipient policy should match the location. Continuing with our example:
     • In Cairo, it would be Cairo.domain.com
     • In Alex, it would be Alex.domain.com
  7. The key is that it should NOT be the default policy on any site.

The result of this should be that all users have two email addresses – the default one ending in domain.com and a secondary one ending in location.domain.com.

NOTE: It is important that your DNS is configured correctly. The server should be configured to use your Active Directory domain controllers for DNS – no external DNS servers should be used. If you need to use external DNS servers for performance reasons, configure them as forwarders on the Active Directory DNS servers.

Adding the Remote Users

On the primary server, create a mail-enabled contact for each user located on the other servers. When creating the contact, initially put in the email address for its home location (Cairo.domain.com). Once created, wait a moment for the recipient policy to stamp the account. You should find that the contact now has two email addresses, @domain.com and @Cairo.domain.com. Do not add local users, as they already have an email address.

Repeat on the other server.

  • Cairo will have mail enabled contacts for Alex.
  • Alex will have mail enabled contacts for Cairo.

Sanity Check

As this can cause an email loop if not configured correctly, there is a sanity check you can make to ensure that you have it right.
On the properties of the contact, click the “Exchange General” tab. In the email address box, it should say SMTP followed by username@location.domain.com. If it says username@domain.com then it is wrong and needs to be changed.
On the Email Addresses tab, the default email address should be @location.domain.com.
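The sanity check above can be run over every contact at once from the Exchange Management Shell on one site's server. This is an added example, not code from the original post; 'domain.com' stands for the public domain and 'Alex.domain.com' for the remote site's sub-domain, both placeholders.

```powershell
# Added example, not part of the original post: shell version of the sanity check,
# run on one site's server. 'domain.com' and 'Alex.domain.com' are placeholders.

# Report mail-enabled contacts whose target (Exchange General) address or default SMTP
# address is in the public domain instead of the remote site's sub-domain, and contacts
# with no public-domain secondary address. The first two are the loop conditions the
# post warns about (mail would resolve back to this server instead of being relayed
# over the site-specific MX record); the third means the public address will not resolve.
function Get-RemoteContactProblem {
    param(
        [Parameter(Mandatory=$true)][string]$PublicDomain,
        [Parameter(Mandatory=$true)][string]$RemoteLocationDomain
    )
    Get-MailContact -ResultSize Unlimited | ForEach-Object {
        $target  = $_.ExternalEmailAddress.ToString()   # e.g. "SMTP:user2@Alex.domain.com"
        $primary = $_.PrimarySmtpAddress.ToString()      # e.g. "user2@Alex.domain.com"
        $targetDomain  = ($target  -split '@')[-1]
        $primaryDomain = ($primary -split '@')[-1]
        $publicProxies = @($_.EmailAddresses | Where-Object { $_.ToString() -like "smtp:*@$PublicDomain" })
        $problems = @()
        if ($targetDomain -ne $RemoteLocationDomain)  { $problems += "target address is @$targetDomain" }
        if ($primaryDomain -ne $RemoteLocationDomain) { $problems += "default address is @$primaryDomain" }
        if ($publicProxies.Count -eq 0)               { $problems += "no @$PublicDomain secondary address" }
        if ($problems.Count -gt 0) {
            New-Object PSObject -Property @{
                Name = $_.Name; Target = $target; Primary = $primary; Problems = ($problems -join '; ')
            }
        }
    }
}

# On the Cairo server the contacts represent Alex users, so their addresses must be in
# Alex.domain.com. An empty result means every contact passes the sanity check.
Get-RemoteContactProblem -PublicDomain 'domain.com' -RemoteLocationDomain 'Alex.domain.com' | Format-Table -AutoSize
```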

End Result – Features and Benefits

The net result of this procedure is:

  • Email for your primary domain can be delivered to any server and it will be routed correctly. This is useful for backup queuing of email if the other server is down.
  • Users can type in the full public email address (username@domain.com) from any site and it will be routed correctly.
  • Users from all three sites will appear in the GAL.
  • You can create distribution lists on all three sites with the same membership.
  • By using mail-enabled contacts, the email destined for the other sites is not stored on your server – it takes up no storage space on the server.
  • The sites only need an Internet connection – no direct site connection is required.

It can take a while to configure initially, but once done it is very easy to maintain if you have a limited number of servers.

For any inquiries, kindly don’t hesitate to contact me directly.

The Exchange Server 2007 installation fails during the PrepareSchema

Setup fails with the following error:

The operation could not be performed because the object ‘Microsoft.Exchange.Data.Directory.SystemConfiguration.ResourceBookingConfig’ could not be found <Domain_Controller_Name>.

This problem occurs because the Resource Schema object under Global Settings in the Active Directory directory service is missing.

To solve this problem you have to create it manually.

1- Click Start, click Run, type adsiedit.msc, and then press ENTER.

2- Locate the following container:

CN=Global Settings, CN=<Organization Name>, CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=<Domain>, DC=<suffix>

3- Right-click CN=Global Settings, click New Object, and then click Next.

4- Click msExchResourceSchema, and then click Next.

5- In the Value field, type Resource Schema.

6- Right-click the Resource Schema object, click Properties, and then click msExchVersion.

7- Set the value of the msExchVersion attribute to 4535486012416.

8- Retry Setup /PrepareSchema; it should now complete without the error.
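A read-only check for the object these steps create, usable before and after the fix. This is an added example, not code from the original post; it assumes a domain-joined machine bound with the current credentials and needs no Exchange cmdlets.

```powershell
# Added example, not part of the original post: read-only check for the Resource Schema
# object the ADSI Edit steps create. Assumes a domain-joined machine; no Exchange cmdlets.
$ExpectedVersion = 4535486012416   # msExchVersion value from step 7 above

function Test-ResourceSchemaObject {
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # Search the whole Exchange configuration container so any organization name matches.
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $searcher.Filter = '(cn=Resource Schema)'
    $null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'msExchVersion'))
    $results = $searcher.FindAll()
    if ($results.Count -eq 0) {
        return New-Object PSObject -Property @{
            Found = $false; DistinguishedName = $null; Version = $null
            Status = 'Missing: Setup /PrepareSchema will fail with the ResourceBookingConfig error'
        }
    }
    foreach ($r in $results) {
        $dn = [string]$r.Properties['distinguishedname'][0]
        # Large-integer attributes are returned as Int64 by DirectorySearcher.
        $ver = $null
        if ($r.Properties.Contains('msexchversion')) { $ver = [int64]$r.Properties['msexchversion'][0] }
        if ($ver -eq $ExpectedVersion) { $status = 'OK' }
        elseif ($ver -eq $null) { $status = "msExchVersion not set; expected $ExpectedVersion" }
        else { $status = "msExchVersion is $ver; expected $ExpectedVersion" }
        New-Object PSObject -Property @{ Found = $true; DistinguishedName = $dn; Version = $ver; Status = $status }
    }
}

Test-ResourceSchemaObject | Format-List Found, DistinguishedName, Version, Status
```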

Exchange 2007: Delivery has failed to these recipients or distribution lists

April 11, 2008 Mohamed Fawzi 14 comments

Two weeks ago a client called me and was screaming that he had clients facing problems with their mail.

The error when we sent mail to them was:

Subject: Undeliverable: Subject

Delivery has failed to these recipients or distribution lists:

‘<User>’
This recipient e-mail address was not found in the recipient e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the recipient e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.

Sent by Microsoft Exchange Server 2007

Diagnostic information for administrators:

Generating server: Servername.domainname.com
IMCEAEX_O=FIRST+20ORGANIZATION_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=user@domainname.com
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

Original message headers:

Received: from Servername.domainname.com ([192.168.3.20]) by Servername.domainname.com ([192.168.0.1]) with mapi; Fri, 11 April 2008 06:24:22 -0400
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: User2 Displayname <user2@domainname.com>
To: 'User Displayname' <IMCEAEX_O=FIRST+20ORGANIZATION_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=USER@domainname.com>

The users have valid mailboxes and everything else is all right.

After some time I discovered that the system admin had previously disconnected those users' mailboxes and recreated them instead of reconnecting them.

So I made a small test: I opened OWA and sent those users mail. Guess what happened? Yes, they got it.

The problem is that the rest of the users have cached the old accounts and are using AutoComplete in Outlook, which resolves to the old e-mail address because their cache still holds it. The IMCEAEX address in the NDR is that cached entry: it encodes the legacyExchangeDN of the deleted mailbox, which the recreated mailbox does not have, so the new mailbox is never matched. OWA does not cache names, so through it I could send to the users' new mailboxes.
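The diagnosis can be confirmed by decoding the IMCEAEX address from the NDR back into the legacyExchangeDN it encodes and looking that DN up in the directory. This is an added example, not code from the original post; it assumes a domain-joined machine with AD access, and the NDR string is the sample quoted above, not a live address.

```powershell
# Added example, not part of the original post. Assumes AD access; the NDR string is
# the sample quoted above, not a live address.

# An IMCEAEX local part is a legacyExchangeDN with "/" written as "_" and any other
# special character written as "+XX" (its hex code, so "+20" is a space). "_" is
# decoded first so that an encoded literal underscore ("+5F") is not turned into "/".
function ConvertFrom-ImceaexAddress {
    param([Parameter(Mandatory=$true)][string]$Address)
    $local = $Address -replace '^IMCEAEX-?', '' -replace '@[^@]*$', ''
    $local = $local -replace '_', '/'
    $sb = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $local.Length) {
        if ($local[$i] -eq '+' -and $i + 2 -lt $local.Length -and
            $local.Substring($i + 1, 2) -match '^[0-9A-Fa-f]{2}$') {
            [void]$sb.Append([char][Convert]::ToInt32($local.Substring($i + 1, 2), 16))
            $i += 3
        } else {
            [void]$sb.Append($local[$i])
            $i++
        }
    }
    return $sb.ToString()
}

# Find the recipient that still owns the DN, either as its legacyExchangeDN or as an
# X500 proxy address. No result confirms the diagnosis above: the sender's AutoComplete
# cache points at the old mailbox object, which no longer exists.
function Find-RecipientByLegacyDn {
    param([Parameter(Mandatory=$true)][string]$LegacyDn)
    # Escape LDAP filter metacharacters so the DN cannot alter the query.
    $esc = $LegacyDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $forestRoot = [string]([ADSI]'LDAP://RootDSE').rootDomainNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$forestRoot"
    $searcher.Filter = "(|(legacyExchangeDN=$esc)(proxyAddresses=X500:$esc))"
    $null = $searcher.PropertiesToLoad.AddRange(@('displayName', 'mail', 'legacyExchangeDN'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            DisplayName = [string]$r.Properties['displayname'][0]
            Mail        = [string]$r.Properties['mail'][0]
            LegacyDn    = [string]$r.Properties['legacyexchangedn'][0]
        }
    }
}
$ndrAddress = 'IMCEAEX_O=FIRST+20ORGANIZATION_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=user@domainname.com'
$dn = ConvertFrom-ImceaexAddress -Address $ndrAddress
# $dn is /O=FIRST ORGANIZATION/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=user
Find-RecipientByLegacyDn -LegacyDn $dn | Format-Table -AutoSize
```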

So what is the solution? It can be done in two ways:

1- Delete the current mailboxes, then create the user accounts and reconnect them.

2- Outlook maintains a “nickname” list that is used by both the automatic name checking and the AutoCompletion features. The nickname list is automatically compiled as you address email messages. If the nickname cache becomes corrupt, Outlook may not be able to identify recipients, may offer incorrect recipients, may send to an incorrect or old email address, or may send the message to the wrong person.

If you are having problems with a single recipient, you can easily delete the one cached entry as shown in the following section, “Delete a single cached entry”. Otherwise, proceed to the section titled “To delete your Nickname Cache file” further below.

To delete a single cached entry
  1. Open Outlook.
  2. Open a new message window: go to the File menu and choose New – Mail Message.
  3. Type one or more letters of the recipient name or address; this will show memorized (cached) entries in a drop-down list. Use the arrow keys on your keyboard to select the entry to be deleted. With the entry highlighted, press the DEL or DELETE key on your keyboard.

This removes the entry from your AutoComplete cache.

To delete your Nickname Cache file

Use the following steps that are appropriate for your version of Microsoft Windows to reset the Outlook nickname cache. After you restart Outlook, Outlook generates a new nickname cache.

Microsoft Windows XP

  1. Exit Outlook.
  2. Start Microsoft Windows Explorer.
  3. On the Tools menu, click Folder Options, and then click the View tab.
  4. Under Advanced Settings, select the Show hidden files and folders check box.
  5. Click OK.
  6. Click Start, point to Search, and then click All files or folders.
  7. In the Search Companion box, type *.NK2 in the All or part of the file name box.
  8. In the Look in box, select your local hard disk drive.
  9. Click Search.
  10. Right-click the .NK2 file with the name of the profile that you want to reset, and then click Rename.
  11. Rename the file to profile name.bak, and then press ENTER.
  12. Exit Windows Explorer.
  13. Restart Outlook.
Microsoft Windows Vista

  1. Exit Outlook.
  2. Click the Start menu.
  3. Click Search.
  4. Click Advanced Search.
  5. Check the box for ‘Include non-indexed, hidden, and system files (might be slow)’.
  6. Search for *.NK2 in the ‘Name’ field.

Edgesync Credentials Not Found For Edge Transport

April 11, 2008 Mohamed Fawzi 5 comments

I have an Edge server deployed in a DMZ. I generated and imported the Edge Subscription without errors, but when I run Test-EdgeSynchronization on the Hub Transport server I get “No EdgeSync credentials were found for edge transport server…”. I also receive error 1032 MSExchange EdgeSync “no credentials for edge server” in the Hub Transport server’s application log.

After some investigation I found the cause of this problem and fixed it. It was a certificate mismatch between the Hub Transport server and the Edge server. Exchange 2007 actually reports mismatched credentials when the Exchange self-signed certificate is missing (corrupted or deleted by mistake).

Steps to check the certificate problem:

1. Verify that the Hub is able to communicate with the Edge on port 50636.
2. Run the “Get-ExchangeCertificate” cmdlet on the Hub and see if there are any certificates.
3. If no certificates are found, regenerate the Exchange self-signed certificate.
4. In the Exchange Management Shell, run the “New-ExchangeCertificate” cmdlet.
5. It throws a warning and creates a new Exchange Server certificate.
6. Restart the Transport service on the Hub.
7. Verify that the thumbprint of the new certificate now matches the version stored in AD.
8. Remove the present Edge Subscription from the Hub and restart the Transport service.
9. Run “Remove-EdgeSubscription” on the Edge and restart the Transport service.
10. Create a new Edge Subscription on the Edge using the “New-EdgeSubscription” cmdlet and import the XML file to the Hub.
11. Re-subscribe the Edge using the new subscription file.
12. Initiate synchronization using the “Start-EdgeSynchronization” cmdlet.

Now EdgeSync should work fine.
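Steps 1 and 7 above can be scripted from the Hub Transport server: a connection test to port 50636 and a comparison of the local certificates against the transport certificate the Hub has published in Active Directory. This is an added example, not code from the original post; it assumes the Exchange 2007 Management Shell on the Hub, and 'edge01.dmz.local' is a placeholder for the Edge server's host name.

```powershell
# Added example, not part of the original post: shell checks for steps 1 and 7 above.
# Assumes Exchange 2007 Management Shell on the Hub; 'edge01.dmz.local' is a placeholder.

# Step 1: can the Hub reach the Edge's secure LDAP (ADAM) port 50636?
function Test-EdgeSyncPort {
    param([Parameter(Mandatory=$true)][string]$EdgeServer, [int]$Port = 50636, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($EdgeServer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Step 7: compare the certificates in the local store with the transport certificate
# this Hub has published in Active Directory (msExchServerInternalTLSCert). The post
# traces the "no EdgeSync credentials" error to this certificate, so a missing or
# mismatched thumbprint is the condition to look for.
function Test-HubTransportCertificateMatch {
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $searcher.Filter = "(&(objectClass=msExchExchangeServer)(cn=$env:COMPUTERNAME))"
    $null = $searcher.PropertiesToLoad.Add('msExchServerInternalTLSCert')
    $result = $searcher.FindOne()
    $local = @(Get-ExchangeCertificate | ForEach-Object { $_.Thumbprint })
    if ($result -eq $null -or -not $result.Properties.Contains('msexchserverinternaltlscert')) {
        $adThumb = $null
        $status = 'No transport certificate published in AD for this server'
    } else {
        [byte[]]$blob = $result.Properties['msexchserverinternaltlscert'][0]
        $adThumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$blob)).Thumbprint
        if ($local -contains $adThumb) { $status = 'OK' }
        else { $status = 'Mismatch: regenerate with New-ExchangeCertificate, restart transport, re-subscribe the Edge' }
    }
    New-Object PSObject -Property @{
        Matched = ($status -eq 'OK'); AdThumbprint = $adThumb
        LocalThumbprints = ($local -join ', '); Status = $status
    }
}

Test-EdgeSyncPort -EdgeServer 'edge01.dmz.local'
Test-HubTransportCertificateMatch | Format-List
```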

Cannot send or receive e-mail messages behind a Cisco PIX firewall

April 11, 2008 Mohamed Fawzi 4 comments

I faced a problem with Exchange Server mail flow.

My client has a PIX firewall facing the Internet and ISA 2006 behind it.

I placed my Edge server in the DMZ, and two HUB, two CAS and an SCC mailbox server in the internal domain. Suddenly all mail flow stopped and messages got stuck in the queues on the HUB and Edge servers.

On the Hub server, the get-queue | fl command gives the following output:

Identity : HUBCAS01\4
DeliveryType : SmtpRelayWithinAdSiteToEdge
NextHopDomain : edgesync – so1-moi to internet
NextHopConnector : 1758a6af-6ef1-4b74-a978-494f28088105
Status : Retry
MessageCount : 1
LastError : 451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
LastRetryTime : 4/7/2008 1:18:59 PM
NextRetryTime : 4/7/2008 1:23:59 PM
IsValid : True
ObjectState : Unchanged

Identity : HUBCAS01\Submission
DeliveryType : Undefined
NextHopDomain : Submission
NextHopConnector : 00000000-0000-0000-0000-000000000000
Status : Ready
MessageCount : 0
LastError :
LastRetryTime :
NextRetryTime :
IsValid : True
ObjectState : Unchanged

You can make the following changes on the firewall to work around this problem:

1. Establish a Telnet session to log on to the Cisco PIX firewall. Alternatively, use the console to log on to the Cisco PIX firewall.
2. Type enable, and then press ENTER.
3. When you are prompted for your password, type your password, and then press ENTER.
4. Type configure terminal, and then press ENTER.
5. Type no fixup protocol smtp 25, and then press ENTER.
6. Type write memory, and then press ENTER.
7. Reload the Cisco PIX firewall.

The PIX software Mailguard feature filters SMTP traffic. This feature was also referred to as Mailhost in earlier versions. In PIX software versions 4.0 and 4.1, you use the mailhost command to configure Mailguard. In PIX software version 4.2 and later versions, you use the fixup protocol smtp 25 command. Mailguard allows connections to an e-mail host only through Transmission Control Protocol (TCP) port 25. It logs all SMTP activity. Additionally, it allows only the minimum SMTP server commands found in Request for Comments (RFC) 821, Section 4.5.1. These are the following seven commands:

• HELO
• MAIL
• RCPT
• DATA
• RSET
• NOOP
• QUIT

Note: In addition to the Cisco PIX firewall, there are several other firewall products with SMTP proxy capabilities that may produce the issues described in this article.
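A quick way to tell whether an SMTP proxy is still in the path is to open SMTP from the Hub to the next hop shown in the queue and see which EHLO extensions come back. Mailguard only passes the seven RFC 821 verbs listed above, so EHLO itself and the TLS extensions Exchange relies on for Exchange Server authentication are not on that list. This is an added example, not code from the original post; 'edge01.dmz.local' and the HELO name are placeholders.

```powershell
# Added example, not part of the original post: probe the next hop's EHLO reply from the
# Hub. 'edge01.dmz.local' and the HELO name are placeholders.
function Get-SmtpEhloReport {
    param([Parameter(Mandatory=$true)][string]$Server, [int]$Port = 25, [string]$HeloName = 'hub01.internal.local')
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $client.ReceiveTimeout = 10000
    $reader = New-Object System.IO.StreamReader($client.GetStream())
    $writer = New-Object System.IO.StreamWriter($client.GetStream())
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    # One SMTP reply is zero or more "250-..." lines followed by a final "250 ..." line.
    $readReply = {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null) { break }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        $lines
    }
    try {
        $banner = @(& $readReply)
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = @(& $readReply)
        $writer.WriteLine('QUIT')
    } finally { $client.Close() }
    $accepted = ($ehlo.Count -gt 0 -and $ehlo[0] -like '250*')
    # Extensions are every reply line after the greeting, minus the "250-" prefix and parameters.
    $extensions = @()
    if ($accepted) { $extensions = @($ehlo | Select-Object -Skip 1 | ForEach-Object { ($_.Substring(4) -split ' ')[0] }) }
    # Exchange-to-Exchange authentication is TLS based; these two must be advertised.
    $required = 'STARTTLS', 'X-ANONYMOUSTLS'
    New-Object PSObject -Property @{
        Banner          = ($banner -join ' ')
        EhloAccepted    = $accepted
        Extensions      = ($extensions -join ', ')
        MissingRequired = (@($required | Where-Object { $extensions -notcontains $_ }) -join ', ')
    }
}

# A healthy Exchange next hop accepts EHLO and advertises STARTTLS and X-ANONYMOUSTLS; a 5xx
# EHLO reply or an empty extension list points at an SMTP proxy such as Mailguard in the path.
Get-SmtpEhloReport -Server 'edge01.dmz.local' | Format-List
```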