Exchange 2003 2007 

Exchange 2007 SP1 which was released in November 2007 brings together improvements for Exchange 2007 in the following areas:  Client Access Improvements, Protection & Availability improvements, Transport Improvements, Mailbox Role Improvements, and Unified Messaging Improvements.

An interesting fact is that unlike a traditional Service Pack Exchange 2007 SP1 is only available as a full slipstreamed package (Full install and Exchange 2007 SP1 are integrated) giving you the administrator the option to either perform a new Exchange 2007 SP1 install or an in-place upgrade from either Exchange 2007 RTM or Exchange 2007 SP1 Beta 2 (Beta 2 upgrade only if member of Exchange 2007 SP1 TAP or RDP program).

I hear you ask so how about the new features and improvements in Exchange 2007 SP1?

Protection & High Availability Improvements, in Exchange 2007 SP1 include

Standby Continuous Replication (SCR)

Exchange 2007 SP1 Standby Continuous Replication is basically an availability feature that allows an organization to recover quickly from a data center disaster. The technology works by having this Exchange 2007 SP1 Standby server which is constantly receiving log shipped mailbox data from its peer, this ensures the SCR standby partner has exactly the same mailboxes and messages that exist or existed on the original mailbox server. If there were ever a data center disaster the Exchange 2007 SP1 standby node can be activated and immediately start serving users their mailboxes.

Exchange 2007 SP1 improvements with Windows Server 2008

Exchange 2007 SP1 now allows Exchange 2007 to be installed on Windows Server 2008, giving you the following high availability features, including the new disk and file share quorum models, DHCP IPv4, Multi-subnet failover clusters and support for IPv6

Other improvements include transport dumpster, reporting and monitoring and Continuous replication (redundant cluster networks in a CCR environment) Improvements.

Another interesting fact is that Exchange 2007 SP1 can only be installed on a fresh Windows Server 2008 install, you cannot upgrade Exchange 2007 to Exchange 2007 SP1 then upgrade your operating system from say Windows 2003 server to Windows Server 2008, also you cannot upgrade your operating system to Windows Server 2008 then upgrade from Exchange 2007 to Exchange 2007 SP1.  

Mailbox Role Improvements in Exchange 2007 SP1 include

Mailbox Management

Import and export of mailboxes into and out of PST files

Previously when wanting to either import or export mailboxes into and out of PST files you either needed to make use of Microsoft Outlook or Exchange Exmerge tool, with Exchange 2007 SP1 Mailboxes can be imported into and out of PSTs via the use of the new Export-Mailbox and Import-Mailbox Management Shell Cmdlets.

Mailbox management

Some of new features found in Exchange 2007 SP1 include both the Manage Send-As and Manage full access permissions wizard allowing and administrator to grant or remove Send As or Full Access permissions on a mailbox.

Another Mailbox management feature that administrators will appreciate is the ability for mailboxes to be created in bulk for existing user accounts.

Public Folder Features

Public folder Referrals can now be maintained from within the Exchange Management console, the new public folder administrator role which is used for administering public folders and can be granted to a user or group.

Improvements in Monitoring of Online Defragmentation include two ESE performance counters to monitor online defragmentation effectiveness and efficiency, and additional information for Event 307.

Client Access Improvements

Client access feature improvements in Exchange 2007 SP1 include Exchange ActiveSync, Outlook web access light, Outlook Web access premium and POP and IMAP 4 Improvements.

In the area of Outlook Web Access Light, user’s sessions are monitored so that during a long message composition the user’s session does not time out.

With the Outlook Web Access Premium client users can now create and edit personal distribution lists and server side rules, access to the dumpster, viewing of some Office 2007 file formats via WebReady, A new Monthly Calendar View, Move and copy commands, Public folders supported thru the /owa virtual directory, S/MIME support added, and some customization features.

For IMAP/POP various settings such as port, authentication, connection and messages settings can be changed.

Transport Improvements

Exchange 2007 SP1 delivers transport improvements in the Edge Transport server and Hub transport Server roles and some additional core transport enhancements.

Core Transport enhancements include back pressure monitoring that allows the system to better handle systems that are under high resource use. Also now more transport settings can be configured from the Exchange Management console.

Edge Transport improvements in Exchange 2007 SP1 include, the Star-EdgeSynchronization and Test-EdgeSynchronization cmdlets to kick off ADAM edge synchronization from a remote PC, and check the synchronization results for individual users

Hub Transport improvements in Exchange 2007 SP1 include priority queuing where the priority assigned to a message by a user is used by the Hub Transport server when categorizing a message.  Transport rules can now be applied to unified messaging messages.

The new MaxMessageSize parameter can be found on the Set-AdSiteLink, New-RoutingGroupConnector and Set-RoutingGroupConnector cmdlet allows an administrator to limit the size of a message that is relayed between Active Directory sites (Set-AdSiteLink) and restored the size of messages relayed between Exchange 2007 HTS server and Exchange 2003 and Exchange 2007 bridgehead servers (New-RoutingGroupConnector and Set-RoutingGroupConnector cmdlets).

Unified Messaging

The most notable Unified Messaging improvements found with the introduction of Exchange 2007 SP1 include, access to Outlook Voice Access via Office Communicator without the need for a pin number, Subjects and priorities can now be assigned to voice messages, Integration of missed calls notification email messages in Office communicator 2007, along with Quality of Service (QOS) support, and Secure Real-time Transport Protocol support.

As you can see Exchange 2007 SP1 is an extreamly feature rich update, there should be something in it for everyone, and it is an update that should not be taken lightly, testing an planning are the keywords here, because of the complex nature of Exchange 2007 and this service pack planning is essential before even thinking of letting Exchange 2007 SP1 loose on your production environment.

In today’s secure corporate WAN networks one common issue I see on a regular basis is Exchange connected Outlook clients not working because of corporate firewall changes or misconfiguration.

Properly the quickest way to check if a firewall is blocking or filtering rcp traffic between you outlook client and an exchange server is to use the PortQry.exe tool. This Windows Server Support tool sends packets to specified ports and looks to see if that port has been blocked (filtered).

To begin install the Server Support tools from your Windows Server CD for your version of Windows Server once installed, or download the new version PortQry version 2 from the following location.

PortQry Version 2 Download

If you are a GUI type person you can also download the PortQueryUI tool from the below location

PortQueryUI PortQry GUI Download location

Using the PortQry or PortQueryUI tool returns the below values depending on the state or filtered state of the destination servers port

Listening                             Some Process is running on the port you have queried

Not Listening                     No process is running on the port you have queried      

Filtered                                                The port queried has been blocked (filtered)

To use PortQry to check for filtered rpc ports we first need to understand how rpc works, firstly an initial connection is made over port 135 after which a random port between 1024 and 65535 is negotiated for the main communication.

If you were issuing checking a standard ports status you would run the following command from the command prompt:

portqry -n ServerName -e 135

Figure 1 "Output from PortQry Tool"

It is most likely that port 135 will be listening and not filtered, but one of the endpoints  between 1024 and 65535 are blocked, so now you need to check the output above taking note of each of the endpoint ports, after this you can use portqry again using the -o switch to specify each of the individual endpoint ports.

portqry -n ServerName -o 1117,1118,6001 

Once you have ran the above command the status of each of ports will be listed, either Listening, Not listening or Filtered. If any of the ports are listed as Filtered then it fairly much rules out a Windows and/or Exchange service issue, and is something you can take to your Network/WAN specialists to fix for you.

You have been busy and have not had the time to check your backups recently, all of a sudden your all of the Exchange Databases go offline, after some investigation you realise your full backup has not ran for several weeks and the drive that houses these transaction logs is now full. This is an extremely common issue, and I see it in the real world on a regular basis, a lot often than I should.

We are lucky as the quickest and easiest way to get your Storage Group and its Information Stores back online is to move the committed Exchange Transaction Logs files to another location.

How do I know which Transaction log files aren’t committed?

One of the features of Eseutil is its ability to read the header information of an Exchange Database or a Checkpoint file to give you various information including the transaction log files that have not yet been committed.

How to read the Log Required value of an MDB or STM file

 In order to read the header information for each edb and stm file in the storage group that has stopped, but as your Database file/s have become dismounted because of a full volume, this is not an issue. The command to show the Log Required value is:

Eseutil /MH <database_name>

Performing this command will display the header information similar to shown in figure 1 below:

Figure 1: The Exchange Database header information

From the Example in Figure 1 the Log Required Value is 0-0 which basically means my database is in a clean shutdown state and all log files are committed. This value specifies the log files required for the Exchange Database to mount and means if the value of Log Required was anything other than 0-0, you can move log files that are lower than the lowest value of this field.

In any version of Exchange Pre Exchange 2003 SP1 you will need to convert this decimal value to a Hexadecimal value but with Eseutil from Exchange 2003 SP1 and above this value will already be in Hexadecimal.

You should never move the latest log file as this will prevent log files from being played back in a recovery scenario. This rule should always be followed even if the databases are in a clean shutdown state.

It is highly recommended that you perform a full backup after this procedure; if this backup is successful you can safely delete the transaction log files that were moved.

Eseutil /p - This article is the second part of my original article titled Eseutil – A quick and easy tutorial, in which I gave readers an overview of the Eseutil tool, some basic guidelines along with a look at Eseutil /d (defrag). In this article I will talk about Eseutil /p, the mode that can get you in the most trouble if correct procedures are not followed. So if you have not already please read my previous article where I outline some basic safety steps.

The Eseutil /p command is known as the repair mode and is used to repairs a database at the page and ese table level of the database. It should be noted that this repair process may leave your database incomplete, as to repair it may be required for Eseutil  to delete rows and tables to repair the database.

Eseutil /p should be used as a last resort,  so if you cannot restore and replay or fully replay your transaction log files, and if possible the database should be restored from backup to the most recent date then the corrupt database repaired and merged into the restored database using a recovery storage group. If possible never put only a repaired database back into production.

When using Eseutil /p you should always follow up the use of this tool with the use of the following two commands Eseutil /d to rebuild the indices and defrag the database ISInteg to repair the database at the application level.

If the database that you want to run Eseutil /p against is in a dirty shutdown state the Eseutil /p cannot be performed, and the database must be shutdown cleanly if this is not possible then the Eseutil /r  switch (recovery) must be ran to perform a soft recovery and put the database back into a clean shutdown state.

Now for the syntax of Eseutil /p

ESEUTIL /p <database name> [options]

/s<file>     Streaming file location (Optional default is not to use)

/t<db>      Temporary Database Location and name default is: TEMPREPAIR*.EDB

/f<name>    Prefix for database report files, the default is: <database>.integ.raw)

/i           bypasses the mismatch error check on database and streaming file

/g           To run the integrity check before repairing database

/createstm   Creates and empty stm streaming file if this is missing

/8           To set the 8k database page size (default: auto-detect)

/o            suppress logo

Running the eseutil /p command with only the basic default options looks like this:

eseutil /p  "C:\Program Files\Exchsrvr\MDBDATA\priv1.edb"

Figure 1 below shows the command running, and the warning says that this command should only be ran against a corrupt database and may cause data (pages and tables) to be deleted.

Figure 1: The Eseutil /p command (Repair) warning

A screenshot of the completed output of the tool is shown in figure 2 below:

Figure 2:The output of the completed Eseutil /p command

As stated above Eseutil /D should be ran followed by Isinteg, the database should now be backed up.

I hope this article enlightened you to the use of Eseutil /p, if you have any questions, comments or suggestions about this tool please post a comment. You could even start a new post in the forums above.

My next post will be on the /r mode of this tool the recovery mode.

To purchase or transfer a domain name look here:

In part one of this two part series I will discuss the  process of installing configuring running the Active Directory Migration Tool V3 (ADMT) with the objective of performing and Exchange Interorg migration which is what I was outline in the second part to this series. 

At least once in the life of a IT Administrator you will be faced with the situation of an Active Directory and Exchange Inter-org migration, this could be because a company is taking over another company, a business unit needs to be migrated into your AD forest/Exchange Org. For someone who has not performed this type of migration before it might seem like a daunting task, but if you follow the steps outlined in my article there is not much that can go wrong
 
The following is high level overview of the of steps that should be taken in order, to perform a success fully inter-org AD migration. 

•  Pre Migration steps
  •  Check/Raise domain functional level of target domain
  •  Setup trust relationship between forests
  •  Install ADMT 3.0
  •  Grant appropriate administrative privileges
  •  Setup & configure Password Export Server (PES)
•  Perform migration  

A few important notes before I get started:

• if you are performing Migrations from an NT 4.0 domain please read The Active Directory Migration Tool’s help guide, section Configure the Source and Target Domains to migrate SID History as there are additional steps that need to be performed for migration from an NT 4.0 domain
• Decrypt any files in the source domain that have been encrypted with EFS or access will be lost.
• The time should be synchronized in each forest
• Do regular backups and have a recovery plan

Check/Raise domain functional level of target domain
To perform domain migrations the target domain should be in at least Windows 2000 Native Domain functional level. You should check and change if required by following the steps below:
Open Active Directory Domains and trusts for your target domain | Right click on the domain (in my case NewDomain.Local) | select Raise Domain Functional Level, I have chosen to raise domain to Windows Server 2003 domain functional level (see figure 1) 

Figure 1 “Raise Domain Functional Level: Windows Server 2003”

Setup trust relationship between forests 

This involves creating a one way trust relationship in which the source domain trusts the target domain. 

To begin open Active Directory Domains & Trusts for your target domain Right click properties on your target domain (in my example NewDomain.local) | Select the Trusts tab | Click New Trust (figure 2)

- At the Trust Name window enter the DNS name of the source domain, Next (figure 3)
- At the Direction of Trust window select One-way incoming, Next (figure 4)
- At the Sides of Trust window select Both this domain and the specified domain  (figure 5)

Figure 2 “Domain & Trusts NewDomain.local properties”

Figure 3  ”Trust Name DNS name of source domain”


Figure 4 “Direction of Trust: One-way incoming”


Figure 5 “Sides of trust window: Both this domain and the specified domain”

Install ADMT 3.0 

The ADMT 3.0 install process is fairly straight forward and you should be fairly right to go with the defaults, unless you want to import data from an Existing ADMT 2.0 database or run centralized databases with multiple ADMT consoles hosted in SQL 2000/2005, instead of the default Microsoft SQL Server Desktop Edition (WMSDE). In Figure 6 I have selected Use Microsoft SQL Server Desktop Edition (Windows) In figure 7 I have chosen not to import data from a previous ADMT V2 database


Figure 6 “ADMT V3 Install User SQL Server Desktop Edition”


Figure 7 “Import data from and ADMT v2 database”

Grant appropriate administrative privileges

To successfully perform migrations & migrate SIDHistory the account performing these migrations should be a member of at least the Builtin\Administrators group in the source domain and Domain Admins group of the target domain.For the purposes of this exercise I will run the migration as the administrator in the target domain


Password Export Server (PES)

This service needs to be installed on a DC source domain and is required if you intend on also migrating passwords with accounts into the target forest. The Servie requires an Encryption key that is generated in the target domain, to export this key from the target domain the following ADMT syntax is used, admt can be found in the following location (C:\WINDOWS\ADMT)

admt key /option:create /sourcedomain: SourceDomain /keyfile:KeyFilePath /keypassword:{password|*}

It is recommended that the PES Encryption key is created to floppy
 
Before you install the service on the source domain you will need to create an account that will be used for the PES Service to run under, this should be an account in the target domain, and will require the Log on as a service right in the source domain To install password Export Service in Source Domain, perform the following procedure:

Insert the floppy containing the PES Encryption key generated in the target domain into the DC in source domain that the service will be installed in .
Login to this DC/PES server, and execute the following msi C:\WINDOWS\ADMT\PES\Pwdmig.msi
You will first need to specify the path to the PES key you generated earlier (If it is anything other than the default A: ) see Figure 8 below.

Next you will need to specify the password you created on the key, figure 9 

The final Window you need to enter data into is the specify a service account window, figure 10 below.

Figure 8  “The ADMT Password Migration DLL – Specify encryption file Window”

Figure 9 “ADMT Password Migration DLL – Specify encryption key password”

Figure 10 “Specify the account the ADMT Password Migration DLL service will run under”

Now that the PES service has been installed and configured in the source domain, we can move on the next task performing the migration. 

Perform the migration

**Before getting started one tip for large migrations, users should be migrated in batches, each batch should contain users from the same business units, and/or users that access the same resources, this particularly important when migrating users who share Exchange resources such as delegates to mailboxes. 

To begin the AD account migration process Launch the Active directory Migration tool in the target domain,  in the console window that opens up right click on Active Directory Migration Tool and select User Account Migration Wizard, this will launch the User Account Migration Wizard

The first window of significance that you will see is the Domain Selection window (figure 11 below) were you specify the source domain and domain controller then the target domain and domain controller.

Figure 11 “the ADMT User Migration Wizard’s Domain Selection Window”

The next window the User Selection Option window(figure 12 below), gives you the choice of choosing users from a selection window or to read the users out of an include file, I am going to go with the first option Select users from domain.

Figure 12 “ADMT User Migration Wizard’s User Selection Option window”

In the User Selection window (figure 13 below) you will need to click add to  specify the users you wish to migrate, by clicking on the advanced button you can search for as well as select multiple users in the source domain.

Figure 13 the ADMT User Migration Wizard’s User Selection window

You should now see the Organizational User Selection Window (figure 14 below), here you specify the OU you would like accounts to be migrated into.

Figure 14 “the ADMT User Migration Wizard’s Organizational Unit selection window”

The Password Options window, asks questions regarding the migration of passwords for the migration, the most obvious selections are to Migrate passwords but not for existing users as seen in figure 15 below, additionally you will need to specify the DC that has the Password Export Server Service installed on it.


Figure 15 – ADMT User Account Migration Wizard’s – Password Options Window.

The next window the Account Transition Options window (figure 16 below), is where you specify the various options in regard to the status of the source and target accounts, in most migrations the Target Account State would be set to Target same as source, there may be  reasons such as migration of accounts into a resource forest where you would want accounts to be disabled, or if you wanted to control when users could login to target domain. 

In the Source Account Disabling Options section of the window, you use these checkboxes if you wanted accounts to either be disabled once the account had been migrated or after a specified number of days.
Note the Migrate User SIDs to target domain checkbox, this is required to successfully migrate exchange mailboxes to a separate forest and therefore will be required.

So what is SID History
SID History is an attribute and is not normally populated, but it is populated on the target account by tools like ADMT during migration, this attribute is populated with is the SID of the source account, and allows the target account to access resources in the source domain as if it were the original account, in affect like having two SIDs. The SID History attribute is also used by the Exchange Migration Wizard to determine the account an exchange mailbox should be linked to during the Exchange mailbox migration process.

To use SID History the target domain must be in native mode!

Figure 16 “ADMT User Account Migration Wizard’s Account Transition Options Window”

Note: one little quirk with ADMT, all accounts that are migrated to the target domain are set “User must change password at next logon”, when these accounts are created in the target domain, regardless of the option you chose in figure 16 above. I am assuming this is a security measure.

The next window you see will depend if you have previously created the group that is required in the source domain to migrate SIDs, if not created this security group SourceDomainName$$$ in my case OLDDOMAIN$$$ a window (figure 17 below) will be displayed asking if I want this group to be created in order for user SIDs to be migrated to the target domain.

Figure 17 “ADMT User Migration Wizard error/prompt create group for migration of SIDs”

Next you will be prompted (figure 18 below) to enter the account for a user with appropriate rights to the source domain so that SID history will be migrated, because we have a trust relationship in place in which the source domain trusts the target domain and the administrator account from the target domain is a member of the the local admins group in the source domain, you can either specify  the administrator in the target domain or the source domain.

Figure 18 “ADMT User Account Migration Wizard’s Specify User Account”

On the User Options window (figure 19 below) go with the defaults, this will ensure Profile translation is performed, groups that users are members of are migrated and permissions/group membership is retained.

Figure 19 “ADMT User Account Wizard’s User Options window” 

If you want to exclude any specific user object attributes/properties from being migrated, the Object Property Exclusion window (figure 20 below) is where you would exclude them, I am sticking with the default and migrating all User Objet attributes.

Figure 20 “ADMT User Migration Wizard’s Object Property Exclusion window”

The final window with options is the Conflict Management window (figure 21 below) and gives the administrator the option not to migrate an object if a conflict is found in the target domain, or to migrate and merge conflicting objects if a conflict is found. Again I am going with the default, which is not to migrate the source object if a conflict is detected.

Figure 21 “ADMT User Migration Wizard’s Conflict Management window”

If you are happy with the options you selected then proceed with the migration by clicking on the finish button at the Completing the User Account Migration Wizard.
The migration progress window (figure 22 below) will display progress of the migration in real time and alert you of any errors.

Figure 22 “ADMT User Migration Wizard’s Migration Progress window”

Once complete click on the view log button to view any migration anomalies and follow them up before proceeding finally check your migrated accounts in the target domain.
I hope you have learnt something out of this article, my following article will wrap this series up by outlining the inter-org exchange mailbox migration process. 

I encourage you to post any questions comments or suggestions, till next time.