Tuesday, 6 May 2008

Now you can all get Xobni for your inbox

Well done to the team at Xobni: after 7 months of invite-only beta testing, it's now publicly available for anyone to download.

You can get it here: http://www.xobni.com/?friend=72198
Have a look at the video on their site if you still need convincing... it's good stuff.

Thursday, 1 May 2008

Mail-enabled Contacts in a Hosted Environment and the Offline Address Book.

Contacts in a Hosted Exchange environment can be tricky to implement successfully, because of 1) the way Exchange searches object attributes to create an Offline Address Book and 2) Active Directory not allowing two objects to have the same proxy address (which, in all fairness, is actually a great and necessary check for the GUI to have, although it can be bypassed with LDAP manipulation, and with ADSI too). Note: having two objects with an identical proxyaddress will break delivery to that address and is considered attribute corruption of Active Directory.

So how does the Exchange 2003 System Attendant (using oabgen.dll) determine which objects are included in OAB generation? It looks to see whether the object has two attributes: a ‘proxyaddress’ and a ‘mail’ attribute. It further checks that the primary ‘proxyaddress’ (the one prefixed with SMTP in uppercase) matches the address in the mail attribute.

So how does an Exchange Hoster get around two companies having the same contact, john@doe.com for example?

First let me explain the TargetAddress and ProxyAddress attributes on a mail-enabled AD contact.

The TargetAddress is the contact's actual email address, for example bill@microsoft.com.
The ProxyAddress is what RUS (the Recipient Update Service, if you use it; HMC disables all but the Enterprise RUS, which is enabled for System Attendant operation) stamps on the object's Email Addresses tab. RUS can of course be told to bypass objects by unchecking ‘Automatically update email addresses based on recipient policy’. You will find that the primary proxyaddress is the address of the contact, matching the targetaddress, and depending on RUS and Recipient Policy configuration the object could well be stamped with further proxyaddresses.

So, john@doe.com: how can two customers have this contact in an HMC/Hosted Exchange environment?

The short answer is they can, but it cannot show up in the OAL. This is because Offline Address Book generation keys off the proxyaddress attributes I mentioned earlier, rather than also considering targetaddress attributes.

99% of hosters won’t have this problem, and contacts will be generated with a proxy address (something HMC supports by default). However, when you do run into it, it causes customer grief.

One way of bypassing it is to give a bogus proxyaddress, for instance ‘HostedCompanyName.joe@bloggs.com’, where HostedCompanyName is the name of the Hosted Exchange customer.

This does work, but introduces other issues when a user outside the Org performs a ‘Reply All’. Take a look.

Here are the properties of the contact from the GAL:

Here’s the contact in AD; I have pulled the info from ADSIEdit:

You can see the highlighted proxyaddress and targetaddress attributes clearly:

When you send a message outside of the Org that includes the contact, and anyone who is also outside the Org does a 'Reply All', they will see only the incorrect proxyaddress and not the contact's correct SMTP address, which is the targetaddress:

This of course will result in an NDR.


The fix? Either remove the proxyaddress attribute altogether, which removes the contact from OAB generation, or have the primary proxy address match the target address (standard Exchange 2003/2007 behaviour), which will cause mail flow issues as soon as a second customer has the same contact.
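To make the OAB inclusion rule and the two failure modes above concrete, here is an added example (not the author's code and not Exchange's oabgen.dll): it parses constructed, ldifde-style LDIF records for hosted contacts, applies the proxyaddress/mail rule, flags the duplicate-proxyaddress collision across customer OUs, and flags contacts whose bogus primary proxy would be exposed on an external Reply All. Every DN and address in it is made up.

```python
"""Model of the OAB inclusion rule and hosted-contact collisions from the post.
Added example: not the author's code and not oabgen.dll. The LDIF below is
constructed in the shape ldifde exports; every DN and address is made up."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=John Doe,OU=CustomerA,OU=Hosting,DC=hosted,DC=local
objectClass: contact
mail: john@doe.com
targetAddress: SMTP:john@doe.com
proxyAddresses: SMTP:john@doe.com
proxyAddresses: smtp:john.doe@doe.com

dn: CN=John Doe,OU=CustomerB,OU=Hosting,DC=hosted,DC=local
objectClass: contact
mail: john@doe.com
targetAddress: SMTP:john@doe.com
proxyAddresses: SMTP:john@doe.com

dn: CN=Joe Bloggs,OU=CustomerB,OU=Hosting,DC=hosted,DC=local
objectClass: contact
mail: CustomerB.joe@bloggs.com
targetAddress: SMTP:joe@bloggs.com
proxyAddresses: SMTP:CustomerB.joe@bloggs.com

dn: CN=Jane Roe,OU=CustomerC,OU=Hosting,DC=hosted,DC=local
objectClass: contact
targetAddress: SMTP:jane@roe.example
"""


def parse_ldif(text):
    """Parse ldifde-style LDIF into a list of {attr: [values]} dicts.
    Multi-valued attributes and folded continuation lines are handled;
    base64 ('::') values are kept undecoded, which is fine for addresses."""
    records, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last_attr:      # folded line: continue last value
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                         # blank line terminates a record
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()            # AD attribute names are case-insensitive
        current.setdefault(last_attr, []).append(value.lstrip(":").strip())
    return records


def address_of(proxy):
    """'SMTP:john@doe.com' -> 'john@doe.com', lower-cased for comparison."""
    return proxy.split(":", 1)[-1].lower()


def primary_smtp(obj):
    """The primary SMTP proxy is the entry whose prefix is upper-case 'SMTP:'."""
    return next((p for p in obj.get("proxyaddresses", []) if p.startswith("SMTP:")), None)


def oab_eligible(obj):
    """The rule the post attributes to oabgen.dll: the object needs both a
    proxyAddresses and a mail attribute, and the primary SMTP proxy must
    match the mail attribute."""
    primary, mail = primary_smtp(obj), obj.get("mail", [None])[0]
    return bool(primary and mail and address_of(primary) == mail.lower())


def reply_all_risk(obj):
    """True when the advertised primary proxy differs from targetAddress: an
    external recipient's Reply All goes to the proxy and NDRs."""
    primary, target = primary_smtp(obj), obj.get("targetaddress", [None])[0]
    return bool(primary and target and address_of(primary) != address_of(target))


def duplicate_proxies(objs):
    """Addresses stamped on more than one object: AD attribute corruption
    that breaks delivery to that address."""
    seen = defaultdict(list)
    for obj in objs:
        for p in obj.get("proxyaddresses", []):
            seen[address_of(p)].append(obj["dn"][0])
    return {addr: dns for addr, dns in seen.items() if len(dns) > 1}


def audit(ldif_text):
    """Run all three checks over an ldifde export and return the findings."""
    objs = parse_ldif(ldif_text)
    return {
        "oab_eligible": {o["dn"][0]: oab_eligible(o) for o in objs},
        "reply_all_risk": [o["dn"][0] for o in objs if reply_all_risk(o)],
        "duplicate_proxies": duplicate_proxies(objs),
    }


if __name__ == "__main__":
    for finding, result in audit(SAMPLE_LDIF).items():
        print(finding, result)
```

Run against a real export (ldifde -f out.txt -l proxyaddresses,mail,targetaddress) and the duplicate_proxies finding is the one to act on first, since it breaks delivery rather than just OAB visibility.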


Oliver Moazzezi

MVP - Exchange Server

Tuesday, 29 April 2008

SharePoint as an application platform!

I've previously talked about the potential of Exchange and CRM as application development platforms and how the support of a provisioning platform opens these up for ISV application development.

What I haven't mentioned is the powerful and unifying platform of SharePoint:

  • SharePoint uses a Windows platform running SQL Server and IIS6.
  • SharePoint is a .NET application and provides a powerful platform for building .NET applications and solutions.
  • SharePoint is widely deployed and adopted by information workers, providing a familiar interface.
  • Close integration with Microsoft Office applications.
There are a number of things SharePoint does pretty well now, these being:
  • SharePoint and WSS are pretty well known for their collaboration features; document libraries are probably the most widely used feature of SharePoint. With WSS3, the search functions improved to support this properly too.
  • Support for forms and InfoPath in SharePoint (MOSS) and business process automation, including workflows, which don’t require MOSS.
  • Of course, SharePoint provides intranet/extranet solutions with a Portal into other sites, and the personal/social elements of My Site.
  • The core functionality of document management is OK and supports basic requirements for compliance and information security. Note: there is no formal compliance support in SharePoint. Beyond this the reporting and auditing features do not stand up, and there is no support for HSM.
  • The business intelligence (BI) features have improved greatly with the use of Excel Services, KPIs, and the Business Data Connector (BDC). Excel Services is pretty cool and renders Excel worksheets, including charts and pivot tables, in SharePoint sites.

We are going to be developing some concept services that use the features of SharePoint, Exchange and CRM. If you're interested in this, or developing your own applications, see http://www.saas.co.uk/

thanks, Dan

Friday, 18 April 2008

Hosted Exchange for the world


Large Hosted Exchange providers can get bitten by scheduled maintenance. It will always be in everyone's contract, but what happens when a certain percentage of your customers are outside your time zone, or worse still, substantially outside it?

To expand your Hosted mailboxes you have to reach further than your own country, and a lot of Hosted Exchange providers can say they host mailboxes for companies across the Americas, Europe and the Middle East/Asia.


Intelligence has to be added to your provisioning portal; otherwise your Hong Kong users from Company A could be put on the same Exchange Server (not necessarily the same Mailstore or even Storage Group) as the rest of Company A’s users from Europe. And what’s worse? The rest of the users on that Exchange Server are based in Europe. How is the scheduled maintenance justified to the Hong Kong contingent when it's happening during their working day?

So how does scheduled maintenance come into effect here?

Working out of hours to GMT isn’t going to cut it for the users in Hong Kong, as their day is still in full swing; this is where careful planning and design is required. The ideal answer is to carve up the world map into set zones, so that whether a single company is from Dubai, or a single company has offices in Dubai, Europe and the USA, you do not affect their respective core working hours. This requires a lot of Dev work: although HMC supports provisioning to multiple stores for a customer, it doesn’t have the intelligence to split users between ‘time zone Exchange Server farms’ based on their location, for example. This is where in-house or outsourced Dev work is required.

Suffice it to say our current Exchange 2003 solution doesn’t have this feature. We support provisioning to multiple databases, even across multiple Exchange Servers, but not the intelligence a Hosted Exchange supplier needs to rule all time zones and keep customers that have offices in some or all of them happy.

Our Exchange 2007 platform will have this. It will be a phase II or III step, and time zone provisioning won’t be available at launch, but it is coming. It is a solution we need in order to reach 100,000 mailboxes and beyond.


Oliver Moazzezi

MVP - Exchange Server

Exporting email addresses from Active Directory


This seems to be a hot topic all the time in the newsgroups so....

Run this at the cmd prompt on one of your Windows 2000 or later servers.

ldifde -f C:\youremailexport.txt -l proxyaddresses

Replace C:\youremailexport.txt with whatever drive letter and text file name you want.

Here's a great KB article explaining ldifde: http://support.microsoft.com/kb/237677

Have fun!


Oliver Moazzezi

MVP - Exchange Server


Wednesday, 9 April 2008

Exchange as an application platform

I’m really happy to announce that Cobweb will be launching another major service later this year: Hosted Microsoft Dynamics CRM 4.0. We’ve made the purchase and scheduled the deployment, thus making our commitment to this.

This is made possible with the deployment of Parallels Automation (aka SWsoft PEM) into our hosted platform. Parallels Automation is key to the development of this platform, giving us an online shop and a suitable billing system for hosted per-user/per-month service subscriptions. Deploying CRM and connecting it to Exchange 2007 is really exciting for me. It’s going to finally unlock the power of the platform that we’ve built and developed. Our platform is about so much more than just an Exchange mailbox; it's an application platform.

The news was released today at the Microsoft Hosting Summit in Seattle. Mark and I are there at the moment, and it’s raised a few surprised eyebrows that we'll be quick to market with this. We will be one of the first in Europe to be doing this in a way that connects it to Hosted Exchange. Parallels are pushing out some PR in the industry around this too, http://www.hostreview.com/news/press/080408SWsoft.html, which is nice to see.

CRM4.0 is an in-demand service at the moment so exciting times lie ahead.

Tuesday, 8 April 2008

Windows 2008 Core Configurator Tool !

I came across this very cool tool to help configure a Windows 2008 Core server without needing to look up all the CLI commands :-)

http://blogs.microsoft.co.il/files/folders/guyt/entry68860.aspx

Wayne Hollomby

Mutual authentication and URL Branding with an Outlook Anywhere / RPC over HTTPs connection


With Exchange 2007 not ‘officially’ supporting Forms Based Authentication or Outlook Anywhere on more than one site (whether that’s the Default Site or not), it has become slightly more difficult to provide URL branding for customers that require it within a Hosted environment. With Exchange 2003 you could create multiple sites and FBA was supported in all of them. Microsoft's stance with Exchange 2007 is that if you need FBA on more than one site per CAS then you use ISA Server to support this. There is another issue: although the use of ISA allows multiple sites with FBA enabled (albeit offloaded to the ISA server/s), still only one site is supported for Outlook Anywhere (read: RPC over HTTPS). Again, with Exchange 2003 it was simply a case of copying the RPC virtual directory to your other sites.

The advent of SAN (Subject Alternative Name) certificates has greatly helped our design of a Hosted Exchange 2007 infrastructure here at Cobweb. It has allowed us to implement a cost effective Client Access Server design and support URL branding for the customers that require it, whilst minimising costs (rather than dedicated CAS servers for every branded OWA URL we support or take on with new business). For example, an Exchange Hoster that wants to stay within a Microsoft-supported solution and had, say, 10 dedicated OWA URLs would at a minimum have to deploy 10 CAS servers, and that doesn’t even take HA into account. To achieve that (at the most basic level, without considering the number of users hitting each URL) you would need 20.

This is where SAN Certs come into their own. All branded OWA URLs can be appended to the certificate along with other Exchange services/protocols (autodiscover, POP3, IMAP4 etc). This helps a Hoster significantly as well as give benefits to normal in-house deployments.

There is one ‘gotcha’ however when using a SAN cert for multiple OWA URLs with Outlook Anywhere access: if you enable mutual authentication for the session, you can’t connect on any of the Subject Alternative Names. This is due to the client explicitly looking for a principal name in the certificate, which is matched against the Subject field of the cert:

Mutual authentication isn’t necessary, as all client machines connecting to us are deemed non-domain-joined (they could very well be in their own domain, however) and these client machines are unlikely to have any certificates published to them from their own Certificate Authorities.

Once this checkbox was cleared, Outlook Anywhere worked for any of the branded OWA URLs held in the Subject Alternative Name field of the certificate.
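To make the gotcha concrete, here is an added illustration (not the post's code, nor Outlook's or Exchange's): a constructed SAN certificate for a hosted CAS farm, a model of the mutual-authentication principal-name check as the post describes it (the msstd: name compared against the Subject CN only), and an ordinary hostname check that also consults the SAN list. The branded hostnames are made up.

```python
"""Why Outlook Anywhere mutual authentication fails on SAN names.
Added illustration: the certificate and hostnames are constructed, the
mutual-auth check is modelled as the post describes it (Subject CN only),
and the TLS-style check is the usual SAN-then-CN hostname match."""

# Constructed SAN certificate for a hosted CAS farm (not a real cert).
CERT = {
    "subject_cn": "mail.hostedexchange.example",
    "san": [
        "mail.hostedexchange.example",
        "autodiscover.hostedexchange.example",
        "webmail.customer-a.example",   # branded OWA URL, customer A
        "mail.customer-b.example",      # branded OWA URL, customer B
        "*.customer-c.example",         # wildcard entry for customer C
    ],
}


def _name_matches(pattern, host):
    """RFC 2818-style match: exact name, or a single leading '*' label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)          # '*' may replace exactly one label
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def accepted_by_mutual_auth(cert, principal):
    """Outlook's 'msstd:' principal-name check as the post describes it:
    only the certificate Subject CN is consulted; SAN entries are ignored."""
    name = principal[len("msstd:"):] if principal.lower().startswith("msstd:") else principal
    return _name_matches(cert["subject_cn"], name)


def accepted_by_tls_hostname_check(cert, host):
    """Ordinary HTTPS hostname validation: SAN entries first, then the CN."""
    return any(_name_matches(n, host) for n in cert["san"]) \
        or _name_matches(cert["subject_cn"], host)


def branded_urls_broken_by_mutual_auth(cert, hosts):
    """Hostnames the TLS check accepts but the CN-only check rejects: these
    are the branded OWA URLs that stop working once mutual auth is enabled."""
    return [h for h in hosts
            if accepted_by_tls_hostname_check(cert, h)
            and not accepted_by_mutual_auth(cert, "msstd:" + h)]


if __name__ == "__main__":
    branded = ["webmail.customer-a.example", "mail.customer-b.example",
               "owa.customer-c.example", "mail.hostedexchange.example"]
    print(branded_urls_broken_by_mutual_auth(CERT, branded))
```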

Here is the Subject Alternative Name field of a cert:

Interestingly, the first OS to support Subject Alternative Names was Windows 98.

For Microsoft's reference on creating Exchange certificates and support for SAN certs with Exchange 2007 using the New-ExchangeCertificate PowerShell cmdlet, see:

‘Certificate Use in Exchange Server 2007’ http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

‘Exchange 2007 lessons learned - generating a certificate with a 3rd party CA ‘ http://msexchangeteam.com/archive/2007/02/19/435472.aspx

‘Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007 ‘ http://support.microsoft.com/kb/929395


Oliver Moazzezi

MVP - Exchange Server

Wednesday, 26 March 2008

Microsoft Exchange Server 2007 SP1 Update Rollup

Earlier this month Microsoft released the first Exchange Server 2007 SP1 Rollup, which contains at least 32 post-SP1 updates and fixes! (Good to see these issues being fixed.)

The KB article is here: http://support.microsoft.com/?kbid=945684, with the download links etc., although it's available on Windows Update too.

Note: you should only apply this rollup to Exchange 2007 environments with SP1 already installed. If you don't have SP1 then... you need it.

Wednesday, 19 March 2008

Permissions for PST Import/Export via cmdlets

Importing and exporting mailboxes to/from PST files is a big deal for a lot of Exchange administrators. So it wasn't surprising when a great cry arose from the masses upon discovery that not only was this feature missing from Exchange 2007 RTM, but Microsoft had also stated they wouldn't support ExMerge running against a 2007 server. Your only option was to perform these tasks using an Outlook client, which is of course tedious and far too slow when dealing with more than, say, 1 mailbox. What was an overburdened Exchange admin to do?

Well if you're like this overburdened Exchange admin you waited for Service Pack 1 and the new cmdlets for handling PST import/export that came with it. Salvation!

But alas, these new cmdlets came with one big caveat that put a huge crimp in the way our company does migrations today. That crimp was the permissions requirements. Straight from the pages of Microsoft documentation:

"The user running the task must be an Exchange Organization Administrator or an Exchange Server Administrator on the server where the mailbox to export or import lives."

Argh! This was a huge pain for my company because the group of people that does ExMerge migrations all day every day were not actually Exchange administrators. They were Exchange view-only admins, and were simply granted Send As and Receive As permissions to the mailboxes they were migrating. I wasn't too keen on granting these people Exchange Server Admin so they could run amok. After all, the old way worked great with ExMerge, but now Microsoft was requiring administrator level permissions to perform the same function.

Or were they? Well, some testing revealed that Microsoft isn't quite correct about the requirements to run their import and export mailbox cmdlets. Administer Information Store, Send As, and Receive As were granted to our migration group on the Exchange 2007 Mailbox server databases, and what do you know... they can run the cmdlets just fine. Crisis averted!

On a final note, ExMerge works just fine against Exchange 2007 as long as the Mailbox server has a Public Folder database, but since it isn't supported our company has decided it's not worth the (infinitesimally small, I'm sure) risk of damaging a database and being told "you're on your own" by the boys in Redmond.

Thursday, 13 March 2008

GAL lookups in Entourage

If you have a Mac and a mailbox on an Exchange Server you'll probably use Entourage to access it. You lose out on some features that are present in Outlook, but generally you can live without them.

Entourage uses LDAP to get directory information, but in most organisations this isn't going to be available over the internet. It is possible to deploy a secure LDAP server, but not many organisations and hosters make one available over the internet.

Another solution is to extend Entourage using a script that connects to OWA and performs the lookup that way. Scripts are simple to install, and this one is easy to use whether you are creating an email or inviting people to a meeting.

To get the solution check out this site, http://www.entourage.mvps.org/exchange/exchangelookups.html.

Daniel Noakes

Adding a Windows 2008 Core Server to a Domain


To join a 2008 core server to a domain run the following command:

netdom join W2K8DC04 /domain:home.local /userd:yourusernamehere /passwordd:yourpasswordhere

Note: the account must have the correct privileges to add a machine to the domain. Also, passwordd isn't a typo, and because this is the command prompt your password isn't masked with *******, so make sure no one is looking over your shoulder ;-)

Update: you can just enter a single * and it will then prompt for a password, which is masked.

Once the server has rebooted you can verify this by running:

netdom verify w2k8dc04


Oliver Moazzezi

MVP - Exchange Server

Wednesday, 12 March 2008

Entourage 2008 reliability improvements

Microsoft released an update to Office 2008 for Mac yesterday, http://support.microsoft.com/kb/948057. There are a number of Entourage 2008 reliability improvements including contact and calendar synchronisation with Exchange server. This has been a problem for a lot of users, as contacts were not synchronising between Entourage 2008 and Exchange.

If you have Entourage 2008 users you should think about installing the update.

Daniel

Hosted versus In-House


We recently came across an article that weighs up the pros and cons of each. I specifically wanted to address the questions for the Hosted Exchange provider.

The article is here:

http://theessentialexchange.com/blogs/michael/archive/2007/12/17/moving-from-in-house-exchange-to-hosted-exchange.aspx

The questions it poses are below; I've answered each one as if taking the Hosted Exchange solution provided by Cobweb.


1. Does the hosting environment allow multiple hosting clients to have contacts with the same e-mail address? (This question can be restated as: how does the hosting software deal with SMTP address collisions?)

The answer is yes _and_ no. Active Directory cannot support two objects with an identical proxyaddress, and unfortunately the OAL is built based on objects having this attribute. The solution is to remove the proxyaddress, giving the contact just its targetaddress attribute. This allows the exact same contact to exist in multiple customers' OUs, but will remove the contact from the OAL. We have been working with Microsoft on this issue, and a resolution is promised in the next version of Active Directory/Exchange.


2. Does the hosting environment allow you to share SMTP address space, either as a master or as a slave environment, with a hosted SMTP domain? (This question can be restated as: can you do a step-wise migration, or do you have to migrate all mailboxes at once?)

Yes we have supported this for around two years. We can share SMTP address space and either pass mail over VPN tunnels or over the Internet using SMTP over TLS. We also provide SMTP over the Internet for customers that are not concerned about potential internal mail being sent in clear text across the Internet. In all cases we suggest TLS/VPN solutions, which we manage with the customer and help setup.


3. Does the hosting environment support Deleted Item Retention? For how long? Does their deployment environment set the DumpsterAlwaysOn registry key for Outlook? (This question can be restated as: what happens when someone deletes something they didn't mean to!)


We support DIR for 14 days (two weeks); we also keep deleted mailboxes for 31 days (effectively 1 calendar month). Of course, all mailboxes deleted after this time are still recoverable from our backups.


4. Does the hosting environment support Deleted Mailbox Retention? For how long? (Restatement: can I easily restore the mailbox if my company administrator deletes a mailbox by mistake?)


Answered above.


5. Does the hosting company do backups? How often and how long do they retain them? Can they do single mailbox recovery? (Restatement: if the hosting company has a "disaster" can they recover my mailboxes? Also, if the timeframe for Deleted Mailbox Retention has expired, can I recover the company president's mailbox from last month?)


Again, partially answered above: we keep monthly backups for 7 years (yes, 7 years). We can restore a mailbox to any given day in the past 4-week window; after that we keep one full backup per month.



6. Does the hosting environment support journaling? What are the data-retention options for the journal mailbox? Can I have an external interface to a journal solution?


Cobweb supports Journaling. We can Journal your mailboxes and send them to an external solution of your choosing (we have no control of this data; you ensure this provider can do the job), or we can Journal your mail ourselves. We use Zantaz EAS and support envelope journaling. We have default plans of 1, 2, 5 and 7 years. We can also provide custom retention policies. This is searchable using a built-in Zantaz EAS plugin, which retrieves the archived mail from your own personal document store over SSL.



7. Does the hosting environment support catchall mailboxes? (This is simply a feature that some companies use. Others don't.)


We don't support this. We could, but I can honestly say I've never had any customers require it.



8. Does the hosting environment have a decent anti-spam solution? (More than the Outlook Junk Mail Filter!) Does the anti-spam solution support individual mailbox quarantines? If there is a false-positive, how can you get your file/message delivered?


We use MessageLabs as standard for all Hosted Exchange mailboxes. We also use Antigen for virus detection on the actual Exchange Servers themselves - supporting 4 AV engines.



9. Does the hosting environment allow you to truly white-label their services? (Restatement: can you have a custom OWA URL? Can you have a custom RPC/HTTP URL? When you connect to an SMTP virtual server, does it say YOUR domain name?)


Yes you sure can, although there is of course an extra cost associated with this.



10. Does the hosting environment allow you to have custom OWA themes? Does it support OWA segmentation?


We support OWA segmentation, we base this around our own custom mailbox plans. We can support custom OWA themes but so far we have not had any customers require this.



11. Does the hosting environment support SPF and/or Sender-ID incoming? Does it require it outgoing? Can you decide or are you limited to their default?


MessageLabs supports SPF; we don't use Sender-ID within the Exchange Org, and we help customers set up their own SPF records.



12. Does the hosting environment support SSL for OWA? TLS for SMTP? Form-based authentication for OWA? Two-factor authentication for OWA and for Outlook?


SSL for OWA with FBA - Yes
SMTP over TLS - Yes
IMAPS - Yes
POP3S - Yes
RPC over HTTPS - Yes


We currently do not provide two factor authentication processes.



13. Does the hosting environment allow you to specify on a per-user basis who gets EAS (ActiveSync)? Blackberry services? Goodlink services?


Yes, which user gets what is entirely customisable by the customer's Portal Administrators.



14. Does the hosting environment allow you to create custom address lists?


Currently no, this is something I want to bring into our Exchange 2007 offering. Support for 3 to 5 custom address lists is what I want to achieve.



15. Does the hosting environment allow you to force an Offline Address Book (OAB) update?


Yes, this is done simply by modifying a user in our Portal; we then automatically issue instructions to rebuild your OAL.



16. How is disk space aggregated? Is each mailbox billed separately? Is the company/domain aggregated together? Can different mailboxes have different default allocations? Can you manage the limits? Can you get disk space reports? Can you create/manage a "Mailbox Manager" policy for your domain?


Whilst I cannot answer any billing questions, I can state that mailbox size is highly configurable. Bought two mailboxes with the default of 200MB each for you and your secretary? Don't need that space for her? No problem: take space off her mailbox and assign it to yourself or your public folders.



17. What are the hard limits on mailboxes sizes?


We don't have any, though we do warn (due to current limitations in certain administration tools and tasks) against going over 2GB.



18. Does the hosting environment run a gateway anti-virus solution? An information store anti-virus solution? A file-based anti-virus solution? If there is a false-positive, how can you get your file/message delivered?


MessageLabs for the gateway, Antigen on the servers. Customers get their own Spam Manager Portal to login and check any spam messages that have been quarantined.



19. Does the hosting environment support "Send As" permissions and "Send On Behalf Of" permissions? Can you manage this yourself?


Yes, we do support this, but our existing Portal does not expose the feature; our new Exchange 2007 Portal will.



20. Does the hosting environment support LDAP access to your address books?


No, however watch this space.



21. Do you have access to SMTP log files? Do you have access to message tracking log files?


SMTP protocol logging is turned on and off by Cobweb as/when there is any possible issue. In regards to access to Message Tracking, the answer is no. However this is something I want to incorporate into our Portal.



22. What is the maximum incoming message size? The maximum outgoing message size? Can you adjust it?


20MB; customers cannot currently adjust this.



23. What is the maximum number of message recipients? Can you adjust it?


500, this is not configurable.



24. Does the hosting environment support public folders? How many? How big? Can you mail-enable public folders?


We support Public Folders yes. We also support mail enabling them.



25. Does the hosting environment support an interface to SharePoint services?


We currently offer SharePoint 2.0. We are launching our new SharePoint 3.0 service sometime over the Summer.



26. Does the hosting environment allow for external SMTP relays by IP address? What about by authorized users?


We support this yes.


27. Does the hosting environment allow for POP-3 or IMAP users to access Exchange mailboxes?


This is configurable by the customer within the Portal.



28. Does the hosting company offer a network Service Level Agreement (SLA)? Does the hosting company offer an Exchange SLA? Does the SLA have any teeth?


Check http://www.cobweb.com for our SLA, I believe currently it is 99.9%, which we meet.


Oliver



Oliver Moazzezi

MVP - Exchange Server


Tuesday, 11 March 2008

Playing with Windows Server 2008 Core


I have been playing around with Windows 2008, specifically the Core version of the product, in regards to designing a solution to fully support Entourage clients in a Hosted Exchange environment.

There were a few hurdles to overcome first, however.


First is assigning a static IP to your Core installation.

I first had to run the following command to list the network adapters (NICs) installed on the server:

netsh interface ipv4 show interfaces

I then had to specify which adapter I wanted to change the IP for, using its Idx value.

The command to change the IP to static was:

netsh interface ipv4 set address name="2" source=static address=192.168.20.107 mask=255.255.255.0 gateway=192.168.20.1


(obviously disregard my network settings)

Once this was done and I logged back onto the server (although I noted my server wasn't pinging, i.e. no ICMP responses; more on that later), a simple ipconfig showed the changes had been made:

I then had to manually assign DNS servers, the command for this was:


netsh interface ipv4 add dnsserver name="2" address=192.168.20.100 index=1


for primary and then:

netsh interface ipv4 add dnsserver name="2" address=192.168.20.101 index=2

for the secondary.

Note: name="2" refers to the same adapter Idx again, and index=1, index=2 and so on give each additional DNS server its position in the list.

I was then in a position to rename the machine, you are assigned a random computer name during the installation.

This was performed using:

netdom renamecomputer W47C1k34FRG1 /NewName:W2K8DC03


Once the machine had rebooted (shutdown /r), running the command hostname showed the name had changed successfully.

More to come later on joining the machine to the domain and making it a Domain Controller, as well as my ICMP issue.

Oliver Moazzezi

MVP - Exchange Server