David's profileExchange Server 2007 / 2...BlogLists Tools Help

Blog


    October 01

    100 Things You May Not Know About Exchange Server: #100

    We have all grown to love and enjoy OWA with Forms-Based Authentication. It gives us great security, cookie timeouts, forces us to do SSL... Wait a sec. What? No. Actually, I can do Forms-Based Authentication WITHOUT SSL. The GUI (in this case the Exchange System Manager) will not let you enable it without SSL unless you modify a registry key: add a REG_DWORD (value of 1) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb. This will allow you to run FBA without SSL (disclaimer: only meant to be used in a test environment).
    October 25

    SSL certificate server name is incorrect - Exchange System Manager issue

     
    I came across this issue today, where the Exchange System Manager returns the following error when accessing the Public Folders node:
     
    SSL certificate server name is incorrect
     
    All Internet searches for this problem point to the following Microsoft article: http://support.microsoft.com/kb/324345 The article offers two solutions. One is to match the FQDN of the server in the certificate assigned to the website. This was not a realistic option for us, given that the server was installed with a .PRIV domain name. The second option is to remove the SSL requirement on the EXADMIN virtual directory. This was easy enough to do, but it didn't solve the problem. I found that the solution was actually in Active Directory. When we made the modifications on the EXADMIN virtual directory in IIS Manager, the setting did not propagate to Active Directory. So to resolve the issue, browse to the EXADMIN object in ADSIEdit and remove the SSL port value (443) from the msExchSecureBindings attribute.
     
    Now, we can manage our Public folders again.
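The ADSIEdit step described above, done from PowerShell, as an added example that is not part of the original post. The function reads msExchSecureBindings on the Exadmin object, reports any port-443 entry, and removes it only when run with -Apply. The LDAP path is a placeholder (every CN value in it is assumed; copy the real path from ADSIEdit, Configuration partition, under the server's CN=Protocols,CN=HTTP,CN=1 node), and binding entries are assumed to use the ADSI "ip:port:hostheader" form, so the SSL entry normally reads ":443:".

```powershell
# Added example, not the original post's code. Placeholder LDAP path; binding
# entries assumed to be in "ip:port:hostheader" form (e.g. ":443:").
function Remove-ExadminSslBinding {
    param(
        [Parameter(Mandatory = $true)][string]$LdapPath,
        [switch]$Apply   # without -Apply the function only reports what it would remove
    )
    $vdir = [ADSI]$LdapPath
    $before = @($vdir.Properties['msExchSecureBindings'])
    Write-Host "Current msExchSecureBindings: $($before -join ' | ')"

    # Match the port field of each binding, not the digits 443 anywhere in the string
    $sslEntries = @($before | Where-Object { $_ -match '^[^:]*:443:' })
    if ($sslEntries.Count -eq 0) {
        Write-Host 'No port-443 binding present; nothing to change.'
        return $before
    }
    foreach ($entry in $sslEntries) {
        if ($Apply) {
            $vdir.Properties['msExchSecureBindings'].Remove($entry)
            Write-Host "Removed '$entry'"
        } else {
            Write-Host "Would remove '$entry' (re-run with -Apply)"
        }
    }
    if ($Apply) {
        $vdir.CommitChanges()
        $vdir.RefreshCache()
    }
    return @($vdir.Properties['msExchSecureBindings'])
}

# Placeholder path: replace each CN value with the ones shown in ADSIEdit
$exadmin = 'LDAP://CN=Exadmin,CN=1,CN=HTTP,CN=Protocols,CN=EXSERVER,CN=Servers,' +
           'CN=First Administrative Group,CN=Administrative Groups,CN=ExampleOrg,' +
           'CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=priv'
Remove-ExadminSslBinding -LdapPath $exadmin           # dry run: report only
# Remove-ExadminSslBinding -LdapPath $exadmin -Apply  # make the change
```

Exchange's DS2MB process pushes this AD value down into the IIS metabase, which is why editing the virtual directory in IIS Manager alone gets overwritten and the AD attribute has to change. Once the entry is gone, Exadmin accepts ESM traffic over plain HTTP, so this is an internal-network setting; the virtual directory should stay unreachable from outside.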
    April 21

    Troubleshooting Exchange Server ActiveSync through an ISA server

    I'm spending more time on advanced issues related to Exchange Server 2003 these days. I don't get calls anymore to migrate or install servers; I'm getting requests for RPC over HTTP, multi-node clusters and configuring Server ActiveSync. This makes for much more interesting projects...
     
    So this week I had to configure a new client's Server ActiveSync environment and ensure connectivity through an existing ISA 2004 server. Of course, the current environment wasn't properly configured and I had to stabilize a few things before I could move on... However, when it came to the ActiveSync portion of the work, I ended up forgetting a few details and I made myself a list of gotchas. Here they are:
     
    1. Ensure that ActiveSync is enabled both at the organization level (global settings) and at the user level.
    2. Ensure that a valid certificate is imported for the Server ActiveSync virtual directory in IIS.
    3. If you are using a certificate from an internal Windows CA, ensure that the PDA either has the CA's root certificate imported or is not verifying the validity of certificates (disablecertchk.exe).
    4. Ensure that the certificate is issued to the Exchange server's name (you will run into the same issue with RPC over HTTP: the certificate name must map to the FQDN of the Exchange server).
    5. Ensure that the ServerActiveSync virtual directory is NOT set to Require SSL.
    6. Ensure that the web site hosting the Exchange server directories is NOT using host headers (this one might be specific to going through an ISA server; not 100% sure if it's needed without ISA).
    7. Import the Exchange server's certificate into the ISA server and create a new Web Listener in ISA. Associate the new Web Listener with the new access rule for HTTPS.
    8. Ensure that the FQDN on the cert can be resolved through external DNS.

    Once all of this is done, configure the profile on the PDA to point to the FQDN on the certificate and start syncing!!!
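A client-side check for items 3, 4 and 8 of the list above, as an added example that is not part of the original post. Run from a machine outside the network, it resolves the FQDN, completes a TLS handshake against the published endpoint, reports whether that FQDN appears in the certificate's subject CN or Subject Alternative Name extension, and whether the certificate chains to a root this machine trusts (the internal CA root case from item 3). The FQDN 'mail.example.priv' is a placeholder.

```powershell
# Added example, not the original post's code. 'mail.example.priv' is a placeholder.
function Test-ActiveSyncEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [int]$Port = 443
    )
    $r = [ordered]@{
        Fqdn = $Fqdn; DnsResolves = $false; TlsHandshake = $false
        NameOnCert = $false; ChainTrusted = $false; Subject = $null; NotAfter = $null; Error = $null
    }

    # Item 8: the name must resolve from outside (run this from an external client)
    try { $r.DnsResolves = ([System.Net.Dns]::GetHostAddresses($Fqdn)).Count -gt 0 }
    catch { $r.Error = "DNS: $($_.Exception.Message)"; return [pscustomobject]$r }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Fqdn, $Port)
        # Accept any certificate during the handshake so it can be inspected; trust is evaluated below
        $acceptAll = { param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($Fqdn)
        $r.TlsHandshake = $true

        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $ssl.RemoteCertificate
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter

        # Item 4: collect the subject CN plus any names in the Subject Alternative Name extension
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq '2.5.29.17') {   # subjectAltName, formatted as "DNS Name=a, DNS Name=b"
                $names += ($ext.Format($false) -split ',') | ForEach-Object { ($_ -split '=')[-1].Trim() }
            }
        }
        $r.NameOnCert = [bool]($names -contains $Fqdn)

        # Item 3: does the certificate chain to a root trusted on this machine?
        $r.ChainTrusted = $cert.Verify()
    }
    catch { $r.Error = $_.Exception.Message }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
    [pscustomobject]$r
}

Test-ActiveSyncEndpoint -Fqdn 'mail.example.priv' | Format-List
```

A .PRIV name like the placeholder will fail the DNS step from the Internet, which is exactly item 8; NameOnCert false with a successful handshake points at item 4, and ChainTrusted false on a device that should trust the internal CA points at item 3.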

    November 15

    Will it be named Exchange Server 2006 or 2007?

    At the IT Forum in Barcelona, Microsoft announced the release schedule for the next version of Exchange, code named Exchange 12. I've blogged about E12 before, including all its exciting new features. More details to come about this very soon...
     
    Exchange 12 release schedule:
    • Beta 1: Q4 2005
    • Beta 2: Mid-2006
    • RTM: Late 2006 / Early 2007

    So which one will it be, 2006 or 2007? Let the pool begin... I'm betting on March 2007.

    August 17

    Using MONAD to administer Exchange Server 2003

    I know, I've been MIA for a while. I've been busier than a Japanese tourist at a Canon outlet, but something really interesting brought me out of hiding.
    As many of you know, MONAD is all the buzz these days. Especially the security benefits of this new technology are being touted around. However, what I only learned a few weeks ago is the administrative benefits that MONAD will provide for Exchange 12. For Exchange administrators who are not comfortable writing or using complex ADSI scripts to perform automated Exchange management, MONAD will provide a simplified syntax for management.
    Here are a couple of examples I just came across from the Exchange Team Blog:
     
    To set the send quota for ALL mail-enabled users in a DL to 1MB:
     
    Get-DistributionGroup "DL_NAME" | Get-DistributionGroupMember | Set-Mailbox -ProhibitSendQuota 1024
     
    To move all users from one Exchange server to another Exchange server:
     
    Get-Mailbox -Server SOURCE_SERVER_NAME | Move-Mailbox -TargetDatabase "DESTINATION_SERVER_NAME\DESTINATION_MBXSTORE"
     
    This looks like pretty exciting stuff. More about E12 soon, but before that, watch out for some SP2 stuff coming up.
     
    June 17

    How to move an Exchange mailbox with a BlackBerry / BES user

    At TechEd last week, I noticed that over half of the attendees carried BlackBerries. Today, almost all my clients incorporate BES servers into their messaging infrastructures. This means one thing for me: I need to know more about troubleshooting BES servers and their communication with AD and Exchange. So look for more BlackBerry info in this blog in the future. Here's an issue I just encountered this week.

    When a mailbox is moved from one Exchange server to another, the BES server needs to be told. If not, the BlackBerry device is useless. You need to run a utility called handheldcleanup.exe with the -m parameter to update moved mailboxes. You can run the tool in verification-only mode first to identify moved mailboxes before applying the change. The tool will update the DN of the mailbox in the BES database. You can find this utility in this directory on the BES server: C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility

    June 12

    What is the NOPAE switch?

    I recently ran into a memory fragmentation issue on a large Exchange server. As most of you already know, large Exchange mailbox servers have little to gain from more than 4GB of physical memory. Manufacturers that ship preinstalled servers with more than 4GB of physical memory often enable the PAE switch in boot.ini to give the operating system access to that additional memory. Additionally, some hardware automatically enables Physical Address Extensions (PAE). Exchange Server 2003 is not compatible with the PAE boot.ini switch.

    To ensure that PAE is not enabled in your hardware, ensure that you add the /NOPAE switch to your boot.ini file.

    UPDATE: SEEMS LIKE THE PAE SWITCH WILL BE SUPPORTED ON EXCHANGE SERVER 2003 SP2. I will update more later about this.

    ***UPDATE: Alright, that's what happens when you don't check your blog for a couple of months. Like Russ kindly stated, the PAE switch is now supported ***AND RECOMMENDED*** on Exchange Server 2003 running on Windows Server 2003 SP1 (Patch required for Windows Server 2003 pre-sp1).

    May 31

    How to create mailbox-enabled users with CSVDE

    Since I just uploaded a link to my blog on the TechEd blogger site, I figure it's about time I update my blog. I've been extremely busy with projects and have not had any time for this. So I got some questions from students today and I think many will benefit from the answers.

    If you want to automate the creation or management of Exchange recipients, you have (at least) four methods you could use:

    1. Use the Exchange Task Wizard from ADUC, highlight multiple recipients and select Exchange Tasks or Properties, depending on what you want to do.
    2. Use LDIFDE.exe to export the directory, modify the text file (LDF file) and import it back with LDIFDE -i -f filename.
    3. Use a VB script. In order to find an appropriate script, search the Microsoft website, they've got tons of sample scripts. If that fails, google it.
    4. CSVDE - See next paragraph

    CSVDE.exe - This tool can be used to import objects into Active Directory from a .CSV file. The file can be created by exporting information from another directory or database. CSV is a pretty standard format. The key with CSV files is getting a good header row with the appropriate LDAP attributes you want to add to the objects. If you want to create mailboxes, here are the headers you can add to your CSV file; then populate it with the appropriate information.

    DN,objectClass,cn,mailNickname,displayName,sAMAccountName,userAccountControl,msExchHomeServerName,homeMDB

    Caution: Make sure the CN value in the DN is identical to the cn value two attributes down the line.

    When the file is all nice and ready, import it with CSVDE -i -f filename
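A worked version of the procedure above, as an added example that is not part of the original post. It builds a two-row CSV with exactly the headers listed (all data is constructed; the example.priv domain, EXSERVER, ExampleOrg and the two users are placeholders), validates every row before anything touches the directory, and only then calls csvde -i. The first check is the caution above (the CN inside the DN must equal the cn column; the second row deliberately fails it). The userAccountControl check is my addition: csvde cannot import passwords, so an enabled account (512) is rejected where policy requires a password, and 514 (disabled), enabled after a password is set, is the usual route.

```powershell
# Added example, not the original post's code. All rows and names are constructed placeholders.
$csvText = @'
DN,objectClass,cn,mailNickname,displayName,sAMAccountName,userAccountControl,msExchHomeServerName,homeMDB
"CN=Alice Example,OU=Staff,DC=example,DC=priv",user,Alice Example,aexample,Alice Example,aexample,514,/o=ExampleOrg/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=EXSERVER,"CN=Mailbox Store (EXSERVER),CN=First Storage Group,CN=InformationStore,CN=EXSERVER,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=priv"
"CN=Bob Example,OU=Staff,DC=example,DC=priv",user,Bob Exmaple,bexample,Bob Example,bexample,514,/o=ExampleOrg/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=EXSERVER,"CN=Mailbox Store (EXSERVER),CN=First Storage Group,CN=InformationStore,CN=EXSERVER,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=priv"
'@

function Test-MailboxCsvRow {
    param([Parameter(Mandatory = $true)]$Row)
    $problems = @()

    # The caution from the post: CN inside the DN must equal the cn column (comparison is case-insensitive)
    $dnCn = if ($Row.DN -match '^CN=([^,]+)') { $Matches[1] } else { $null }
    if ($dnCn -ne $Row.cn) { $problems += "cn '$($Row.cn)' differs from the CN in DN ('$dnCn')" }

    # sAMAccountName is limited to 20 characters; mailNickname becomes the alias and must not contain spaces
    if ($Row.sAMAccountName.Length -gt 20) { $problems += "sAMAccountName '$($Row.sAMAccountName)' is longer than 20 characters" }
    if ($Row.mailNickname -match '\s')     { $problems += "mailNickname '$($Row.mailNickname)' contains whitespace" }

    # csvde cannot import passwords: import disabled (514) and enable once a password is set
    if ($Row.userAccountControl -ne '514') { $problems += "userAccountControl is $($Row.userAccountControl); expected 514 for a csvde import" }

    # homeMDB must live under the server named at the end of msExchHomeServerName
    $server = ($Row.msExchHomeServerName -split '/cn=')[-1]
    if ($Row.homeMDB -notmatch "CN=$([regex]::Escape($server)),CN=Servers") { $problems += "homeMDB is not on server '$server'" }

    return $problems
}

$rows = $csvText | ConvertFrom-Csv
$bad = 0
foreach ($row in $rows) {
    $issues = @(Test-MailboxCsvRow -Row $row)
    if ($issues.Count -gt 0) {
        $bad++
        Write-Host "$($row.DN):"
        $issues | ForEach-Object { Write-Host "  - $_" }
    }
}

if ($bad -eq 0) {
    $file = Join-Path $env:TEMP 'mailboxes.csv'
    $csvText | Set-Content -Path $file -Encoding ASCII
    csvde -i -f $file      # the import step from the post; runs only when every row passed
} else {
    Write-Host "$bad row(s) need fixing before import."
}
```

With the constructed data the second row is reported ("cn 'Bob Exmaple' differs from the CN in DN ('Bob Example')") and csvde is never called; fix the cell and re-run to import.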

    See you at TechEd!

    April 07

    Tools not available on an Exchange 2003 Cluster

    I've been researching this for a client for an upcoming migration from Exchange 2000 to Exchange 2003. We will be moving from a stand-alone server to a two-node A/P Exchange 2003 cluster. I mentioned to the client that some Exchange features are not available on the cluster and that they should be aware of those, but I did not have a comprehensive list. Here's what I came up with; if anyone has any more information, I'm all ears/eyes:

    1. Internet Mail Wizard (cannot be run)

    2. Intelligent Messaging Filter (IMF)

    3. Active Directory Connector (ADC) (Does not impact my client, but worth a mention)

    4. Site Replication Service (SRS) (Still no impact for my client)

    5. /Disasterrecovery setup switch.

    6. Cannot be the first Exchange 2k3 server in the 5.5 site (mostly because of #4)

    Can anyone think of something else?

    April 01

    IMPORTANT - Another issue with W2k3SP1 and Exchange 2003

    This one is not going to occur after a default installation of Service Pack 1 (W2K3), it will only cause issues to MAPI clients if you decide to lock down the server with the Security Configuration Wizard (SCW).

    http://support.microsoft.com/?id=896742

    March 31

    IMPORTANT - Hotfix for Exchange clusters with W2K3SP1

    Just a heads up... If you're running Exchange Server 2003 in a clustered configuration, Outlook Web Access will generate Internal Error - 500 after an installation of SP1 for Windows Server 2003. This is caused by a security feature in SP1 that blocks certain HTTP calls. Administrators will not experience this problem.

    Here is the link to download the patch http://support.microsoft.com/kb/841561

    March 18

    Weird feature of Exchange Server 2003

    Last year, a conversation with a client (we implemented their AD and Exchange 2003, multi-site) went like this (it always stuck with me; I know it's old news ;)):

    Client (far from an Exchange specialist): Our Exchange servers got hacked.

    Me: No they didn't, I monitor them remotely and everything is fine.

    Client: They've been hacked.

    Me: No they haven't.

    Me: Alright, why do you think you've been "hacked"?

    Client: Well I just fired one of my network admins and added his smtp address to my mailbox properties, to receive mail destined to his address. Now, when I open my OWA, the IE status bar (bottom left) displays http://myexchangeserver/exchange/MYFIREDADMIN (replace MYFIREDADMIN with the mailNickname value for the "fired admin".) I never liked him and now he's hacked into my mailbox and set his name in my IE properties. Our security has been compromised, and I can't bear to look at his name on my desktop. Fix it!

    Me: First of all, your security has not been compromised, so let's cool it. I just looked into it, and it seems OWA displays the status bar based on alphabetical order. Your name starts with "X", his name starts with "A". I'll create another mailbox for the fired admin, with a secured account password and have it forward to your mailbox. No worries.

    Client: You can do that?

    Me: Good bye!

    March 16

    New version of ExBPA released

    Well, version 2.0 of our favorite Exchange server tool, the Exchange Best Practices Analyzer, has just been released. Here are some updates to existing features from the previous version:

    • Integration with MOM 2005. ExBPA can initiate notifications to MOM administrators about misconfigurations in Exchange
    • A "Best Practices" category has been added to warn administrators about urgent issues
    • Performance sampling and analysis
    • Scheduling capabilities
    • A DNS collector to verify the existence of necessary records in DNS

    Download the new ExBPA v2 at this location.

    March 08

    Preventing MAPI client connections to Exchange Servers

    I was asked a question today that made me dig deep in my memory and try to find a solution that I knew existed, but couldn't find anymore. I was trying to figure out how to prevent certain versions of MAPI clients from connecting to an Exchange server. I remembered it to be a registry modification on the Exchange server, but could not find any reference to it. After turning to one of my trusted Exchange sources (thanks Yan!), I've got the link to the article. Requires a restart of the Information Store, but besides that, pretty easy mod.

    March 03

    What's up with "Exchange 12"

    A couple of weeks ago, I blogged about the upcoming release of "Exchange 12" and mentioned some of its new features, including the debunking of the continuous rumour of SQL integration. Yesterday, the Exchange Team blogged about some of the new features and inspired me to do a little recap of what we DO know about the next version of this Notes killer ;)

    • The database engine will not be based on SQL
    • There will (probably) be some Unified Messaging integration with corporate PBXs. If you're wondering what that would look like, check out a (Montreal-based) company that's been offering it for years.
    • Much more integration with other MS technologies, maintaining a full collaboration vision (quoting Dave Thompson, VP for Exchange). SharePoint workspace access through OWA, amongst others.
    • Support for the 64-bit platform, both for W2k3 and Longhorn.
    • No more OMA, better ActiveSync.
    • Database replication mechanism (DT mentioned that SANs/shared storage would no longer be necessary to configure clustering in Exchange). Now if this ends up really happening, it would be a major design change and could bring us closer to the elusive "Continuous availability" Russ was blogging about last week.
    • More "edge services" adding to what will trickle in along the way. (E2k3 SP2 will include support for the much discussed Sender ID anti-spam feature)
    • Lots of integration with "Office 12"

    Many more improvements I'm sure will be discussed in the months to come, leading up to a probable RTM around late 2006.

    March 01

    Things I'm sick of repeating in my Exchange courses...

    There are quite a few misconceptions about Exchange technologies; it seems like the same ones keep on coming back, time after time. Maybe MS should do a better job at clarifying these concepts to their client base. Or maybe I should stop whining and teach this stuff clearly...

    1. A mail-enabled user is not the equivalent of a custom recipient in Exchange 5.5. A mail-enabled contact is.
    2. Exchange Server 2003 still requires NetBIOS name resolution. DNS is not enough.
    3. You don't need an SMTP connector to send SMTP mail to the Internet.
    4. Two SMTP virtual servers will not speed up your outbound or inbound SMTP traffic.
    5. You should not run ESEutil.exe to compact your database every month. Check your application log; it will tell you to what extent your database is "fragmented" and whether or not you need to run it.
    6. You do not have to put the /3GB switch in the boot.ini if you have 1GB of physical memory. Well, maybe you do, but there's a lot more to it.
    7. A mailbox is only created in the database when the user logs on for the first time, or receives his first mail message. NOT WHEN THE SMTP/X400 ADDRESS SHOWS UP ON THE EMAIL ADDRESSES TAB!
    8. The M: drive is not "gone" in Exchange 2003, but merely hidden. You can make it visible again with a little registry key modification.

    I'm sure there are many more, but I'm going to leave it at that for now...

     

    February 09

    Modifying filter for OWA GAL display

    I was faced with a question from a student this week, to which I did not know the answer. They wanted to prevent a portion of remote users from seeing the default GAL in Outlook Web Access. After a lot of digging, I found this article for Exchange 2000; I tried it on Exchange 2003 and it worked as expected...

    The article basically describes the procedure to modify msExchQueryBaseDN in ADSIEdit for the user account. The modification will restrict the scope of the address-book query to a selected OU. That OU will generate the GAL the user sees when querying from OWA.
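The same attribute change applied to a whole OU from a script, as an added example that is not part of the original post or the article it links to. Every mail-enabled user under the OU gets msExchQueryBaseDN set to that OU's DN, so their OWA address-book queries are scoped to it; without -Apply the function only reports current values. The OU and domain names are placeholders.

```powershell
# Added example, not the original post's code. 'OU=Remote Users,DC=example,DC=priv' is a placeholder.
function Set-OwaQueryBase {
    param(
        [Parameter(Mandatory = $true)][string]$OuDn,   # the users to change, and the scope they receive
        [switch]$Apply                                 # without -Apply nothing is written
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$OuDn"
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(mailNickname=*))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('msExchQueryBaseDN')

    foreach ($hit in $searcher.FindAll()) {
        $dn = $hit.Properties['distinguishedname'][0]
        # Search-result property names are lower-case; the attribute may be absent on unscoped users
        $current = if ($hit.Properties.Contains('msexchquerybasedn')) { $hit.Properties['msexchquerybasedn'][0] } else { $null }
        $changed = $false
        if ($current -ne $OuDn -and $Apply) {
            $user = $hit.GetDirectoryEntry()
            $user.Properties['msExchQueryBaseDN'].Value = $OuDn
            $user.CommitChanges()
            $changed = $true
        }
        [pscustomobject]@{
            User    = $dn
            Before  = $current
            After   = $(if ($changed) { $OuDn } else { $current })
            Changed = $changed
        }
    }
}

Set-OwaQueryBase -OuDn 'OU=Remote Users,DC=example,DC=priv' | Format-Table -AutoSize   # report only
# Set-OwaQueryBase -OuDn 'OU=Remote Users,DC=example,DC=priv' -Apply                     # write the attribute
```

msExchQueryBaseDN narrows what the address book shows these users; it is not a permission. They can still address mail to anyone whose SMTP address they know, so treat it as a display filter, not as a security boundary.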

    February 06

    The not-so-bad Active/Active Configuration

    I've been too busy these days to update with anything of interest, so I'll just refer to an interesting blog entry I just read. Russ Kaufmann is one of those guys that I drop a line to when I have an Exchange question. Along with Rod, he's got tons of first hand experience with clustering technologies. To put it simply, I think he's a pretty smart guy...

    This blog entry was his take on the whole Active/Active vs Active/Passive configuration of Exchange Server 2003.

    February 02

    New update to IMF

    If you're supporting small-scale environments and have decided to implement the Intelligent Message Filter (IMF) to prevent spam, you might notice that the amount of spam has increased over the past few weeks. There's a good reason for that: the IMF has not been updated since the day it was released.

    Today Microsoft released an update to the IMF characteristics.

    Download it here.

    February 01

    Restore a lost ADC server

    As most experienced Exchange engineers know, one of the trickiest portions of a migration from Exchange 5.5 is the manipulation of the Active Directory Connector. So, in a way, one of the worst things that could happen during a migration is the loss of an ADC server. Of course backing up the ADC server is important, but I just ran into a bit of information that may be interesting during a restore process. Since ADC stores information in AD, it's not surprising to see that to restore an ADC server, you may have to manipulate some information using ADSIEdit. As this KB article describes, the CAs (connection agreements) become orphaned when the old ADC server is removed, and they have to be re-assigned to the new ADC by modifying the msExchHomeSyncService attribute.

    I've been lucky enough never to run into this, but I was wondering who else here has run into it...