About Exchange — Windows Live

自定义列表


FC Sovelto Oyj

Blog of Mika Seitsonen

Blog of Ahti Haukilehto

You had me at EHLO (Exchange Blog)

日志

4月23日

Product releases

Several good tools have been released or updated recently!

- Exchange Best Practices Analyzer 2.6: www.exbpa.com

- ISA Server Best Practices Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

- MSH Beta 3.1 (and documentation): http://www.microsoft.com/downloads/details.aspx?FamilyID=239a1116-c0f5-4320-84fc-2ad625ebb910&DisplayLang=en

Windows Vista Build 5365 was released yesterday to Beta Testers. This is said to be the last build available for beta testing before Beta 2 which should be available in May 2006. When I get this build installed, I hope to write something about it. Until then...

1:41 | 添加评论 | 阅读评论 (1) | 固定链接 | 写入日志

Event 9548, disabled mailboxes and other stuff

Two questions I am asked over and over again by my consultation customers are:

- Can a disabled mailbox (a disabled mailbox enabled user) receive mail and otherwise function normally as a mailbox?

- Why is the Application log of my Exchange server filled with events with ID 9548 stating that a disabled user does not have a master account SID?

Even though it might sound that these questions have nothing to do with each other, they actually do. They both depend on the way that Exchange 2000/2003 handles disabled user accounts. But to get a better understanding, let me explain in a little more detail.

When you disable a user account that is mail enabled (owns a mailbox), Exchange assumes that an Active Directory attribute called msExchMasterAccountSid is set on the user object. Usually msExchMasterAccountSid does not have a value, as a value will only be set on the attribute when you define either another account (from different forest) or the self identity as the Associated External Account in mailbox rights. If a disabled user object owns a mailbox and msExchMasterAccountSid is not set, you will get the Event 9548 problem of the second question and you will probably also run into problems referring question one (mail may not be delivered to mailbox accordinly) as stated in KB article 319047 (http://support.microsoft.com/kb/319047/en-us).

What is the msExchageMasterAccountSid-attribute and why do I need it?

Disabled user accounts that own a mailbox are most commonly used during migrations. When a migration is done between two Active Directory forests (and two Exchange organizations) it is not uncommon that Exchange Services move to the new domain environment beforehand, but users still log on to the old forest for quite a while. In this kind of scenario users have two user objects, one that they use to log on in the old forest (enabled) and one that represents their mailbox in the new domain (disabled). If you think this scenario from a permissions point of view, if an Exchange user grants another user permissions to his/her calendar (or any folder in the mailbox for that matter), permissions should be granted to the account used for logon for access control to work as expected. The question is, how do I specify in Outlook to which user account permissions are granted? And the answer is, you can't, you always delegate permissions to recipient objects (Exchange/Windows just converts the permissions to user/group SIDs behind the scenes). This is where msExchMasterAccountSid comes into play. If it has a value and the user account with the mailbox is disabled, all permissions are automatically defined to the "logon account" (in other words the SID referred to in the msExchangeMasterAccountSID-attrbute value and as the associated external account).

Why is it such a big deal?

If msExchangeMasterAccountSid is not populated accordingly for disabled user accounts that have mailboxes, you run into various issues with permissions at the mailbox level. Delegates do not work as expected, you may not be able to post/read information from public folders and you might even be unable to receive mail to the mailbox in question (as stated earlier in this post). So to answer the first question, a disabled mailbox enabled user can receive mail just fine, as long as you make sure that msExchMasterAccountSid is set as expected.

There are several KB articles that discuss the problems mentioned: 247173, 278966, 300456 and 812276 to name a few.

How do I fix the situation?

If you are experiencing the kind of symptoms mentioned in this article, usually the cure is to define correct values to the msExchMasterAccountSid-attributes. To start off, run a LDAP query to your AD contents to find the recipients with missing attribute values (query string (&(objectclass=user)(objectcategory=person)(mailnickname=*)(!msExchMasterAccountSid=*)) will provide you with the list, note however that it does not make any difference between enabled/disabled users). Then use a tool called NoMas (you can get the tool through PSS), it will assist you by making the necessary changes to user object attributes. You can of course do this by hand as well, just define the correct account as the associated external account in the Mailbox Rights of the corresponding disabled mailbox enabled user object (ADUC - User Object - Exchange Advanced - Mailbox Rights).

For more information about the NoMas-tool, refer to msexchange.org (http://www.msexchange.org/articles/NoMAS-Tool.html)

Hotfix 903158 / 916783

During March of 2006, Microsoft released a hotfix for Exchange Store that changes the funcionality a little bit. Event 9548 will not be raised for disabled mailbox enabled user objects if msExchMasterAccountSid is not explicitly required. If you are currently struggling with the second question we started off from, because you might have a lot of resources defined as disabled user objects, installing the hotfix will make your life much easier!

3月24日

Exchange 12 - First look

I have been testing with Exchange 12 from December when it first came available to Beta program participants. If I would have to categorize my feelings on the product with just one sentence, I would say that the future of Exchange looks VERY, VERY promising. Many of the basic problems that Exchange 2000 and 2003 had, are now fixed (more or less), and the new functionality makes it possible to deploy Exchange in many scenarios that have previously required the use of shared storage clustering (continuous replication) or have been dominated by other SMTP implementations (Edge Transport Role).

What is a bit shocking from my opinion, is that most of the media coverage on Exchange 12 has been about it only being available as 64-bit version. Some talk has been on the new client capabilities (OWA and Unified Messaging (voice mail access, fax and so on.), but nobody has really expressed what a major architectural change Exchange 12 will be. Some examples on this:

Management is mostly done through MSH (Monad) CMDLets. Even the GUI tools use MSH as the driving force behind implementing changes. So learning MSH and command-line administration will be a must for future Exchange administrator.
Exchange 12 will not be dependant on IIS Services other than World Wide Web Publishing Service (needed for OWA and other HTTP based clients). So a new and very versatile SMTP stack (coupled with new version of IMF, attachment blocking etc.) is on the works.
Routing structure based on Active Directory Sites!
New server roles from which some can be implemented on servers that are not even members of Active Directory domain

Of course there are also new services provided to users/admins, from which my favorites are:

Autodiscovery Service: a way to automatically configure Outlook profile settings during first connection. A user doesn't have to know anything extra; username, password and e-mail address are sufficient to create a working profile.
Calendaring improvements: a new resource object for resource calendaring, always up to date Free/Busy (implemented via a new Web Service).
Document Access: a way to proxy requests to file shares and SharePoint document libraries through Exchange. Useful if mail messages contain links to internal file shares / WSS Sites.

To start gathering information about Exchange 12 on your own, you should review three webcasts from last week:

Overview of Exchange 12

Client Access and Web Services

Administration of Exchange 12

Message Security and Active Protection

23:19 | 添加评论 | 固定链接 | 写入日志 | Exchange

Presentation about securing access to Exchange from public networks

Microsoft Finland held their annual Technet PRO -seminar on 02.03.2006. I gave a presentation on how to secure Exchange access when clients are used through public networks. The slides of the presentation can be found here http://www.microsoft.com/finland/events/post/2006.asp#technet2006 . I will also be touring other cities in Finland during March as best pieces of the Technet PRO are also presented in Vaasa, Oulu, Kuopio, Tampere and Turku (my colleague Mika Seitsonen will be presenting in some of the cities).

22:50 | 添加评论 | 固定链接 | 写入日志 | Exchange

1月29日

MSH Beta 3

As I have been rather busy this January (mostly due to the merge of FCS Partners and Sovelto), some important releases almost slipped my attention.

Microsoft Command Shell (Codename Monad) Beta 3 has been published. You can download it here http://www.microsoft.com/technet/scriptcenter/topics/msh/download.mspx

There is also a new section in Windows Script Center talking about Scripting in Monad http://www.microsoft.com/technet/scriptcenter/hubs/msh.mspx

23:04 | 添加评论 | 固定链接 | 写入日志 | MSH

Running Windows Vista build 5270

I have switched my work laptop to run Windows Vista build 5270 (December CTP), and I have to say I'm really pleased on its performance. Of course I have run into some glitches here and there, for example Network Connection settings (especially VPN) seem to disappear every once and a while, but most of the usual stuff I use work fine. The problems that have haunted the earlier builds, Antivirus tools not working, problems with drivers, incompatibility of web sites using IE7 etc. seem to have been ironed out. All of the required drivers for my laptop hardware (IBM ThinkPad T42p) are supplied out of the box. And now I even have the glass effects in the UI!

I am anxiously waiting for the February CTP and of course Beta 2 after that.

Interesting talk about Vista by Jim Allchin can be found from http://www.winsupersite.com/showcase/winvista_jimallchin.asp

21:48 | 添加评论 | 固定链接 | 写入日志 | Windows Vista

11月22日

Exchange SP2 and customizing IMF

OK here it goes, my first BLOG posting. I have been actively working with the customization of Exchange SP2 version of IMF during the last few days. You know, the Custom Weighting feature, including a customized MSExchange.UceContentFilter.xml -file with our changes on how the SCL-values should be modified when certain strings are found either from the subject, body (or both) of the message. If you do this, there are some considerations you should be aware of:

- The sample file provided in SP2 Release Notes has a typo. The row that includes entry Type="BODY" Change=”5" Text="Special offer"/>, the quotation mark before the number five is not the correct character. It should be "

- When you create the XML, the file has to be saved as Unicode, otherwise it won't work. This is documented in KB article 907974 (http://support.microsoft.com/?kbid=907974).

- There may be a problem with the contents of the file even though you don't get a Transport Error with Event ID 7514 in the Application Event Log. I tested (amongst other things) with a file that had additional white spaces inside the XML and the filter did not work correctly (it did not stamp the SCL into the correct MAPI Property).

- Many sources claim that you have to reregister the msexchange.UceContentFilter.DLL library every time you make a change to the customization XML. I found this to be incorrect. Plain restart of the SMTP Virtual Server seems to do the trick.

On the other hand, now that you correct the abovementioned in the file, the filter works just as it should. It is a neat thing that you can customize the assignment of SCL:s!

个人资料

Jorma Bergius

存档