Monday, May 03, 2010

My Blog is Moving…

I know there are like 2 people (including myself) that actually read this blog, but due to the Spam filters that hate and because of a bit better flexibility found elsewhere, I will be moving this blog to very soon.  My new blog is located at


Feel free to subscribe to this in your favorite RSS reader by using the link

Tests Prove: Windows 2008 R2 Much Better for Exchange 2010!

Well, Microsoft has just released a new blog post showing their test results comparing Windows 2008 SP2 and Windows 2008 R2 and Exchange 2010 when under an Outlook Anywhere load.  Let's face it, Outlook Anywhere is the way of the future!  I know for me, I have to be able to work anywhere, anytime, and I don’t want to worry about VPN solutions and firewalls, so Outlook Anywhere is the answer.

So, how does R2 help, you say?  It provides 10 times smaller CPU usage for the same number and type of OA users, that's how.  This appears to be due to the significant performance improvements made to the RPC/HTTP feature in R2.  And in case you're wondering, this should also benefit Exchange 2007 SP3 (when it becomes publicly available).

Another way to look at this, as pointed out by the Microsoft blog post is that using identical hardware for both OS versions, R2 supported 14,000 OA users, while SP2 only supported 6,500!


Check out the source at:


Monday, April 19, 2010

Office 2010 RTM’ed

I received an email from Microsoft last Friday (4/16/10) exclaiming that they have Released to Manufacturing Office 2010.  I have been using a pre-release beta for many months since I have been part of the thousands Beta-Testing this release and I can tell you that it is a fantastic product.  In the release I have been using, and I mean using every day all day long, I have had no issues to report.  I mean none, zero, no crashes, no compatibility problems, no problems at all!  I HIGHLY recommend that organizations still stuck on Office 2003 or earlier upgrade immediately once this becomes publicly available.  The email from Microsoft is included below, for your enjoyment.

Office 2010 RTM Email

Thursday, April 08, 2010

Exchange 2010 SP1 Coming…

So, I have been waiting and waiting and waiting to finally start talking about what is coming in Service Pack 1 for Exchange Server 2010.  Although the NDA I am held to will not allow me to tell you everything that is coming in SP1, I can still talk a bit about the features already revealed by this

First of all, what can we say is coming in SP1?

  • Feature enhancements to OWA
  • Mobile user and management improvements
  • EMC UI enhancements
  • Online Archiving and Discovery enhancements
  • Server side PST export/import (without Outlook)
  • Message Records Management (Retention Tagging) tool improvements in EMC
  • ActiveSync Enhancements including tether-free IRM support
  • The usual hotfix inclusions
  • And so many more (that darn NDA!)

There are so many changes and improvements, that I hardly know where to start.  So, I will just dive right in and start at the top of this list.

Outlook Web App

This set of changes is the most visible to end users and is a very welcome set of updates.  To start with, OWA once again has themes.  These themes are many and varied and are selectable right from the main OWA page by clicking on “Options”

Within OWA, you can also select multiple messages for action (similar to Gmail or your iPhone/iPad).  The Exchange CAS server will also allow your browser to pre-fetch message content within OWA so that actions users take will feel instantaneous and will not slow down their browsing experience.

The entire interface has been simplified and cleaned up a lot.  I showed the new interface to my children (ages 15 – 7) and they felt right at home in it without much instruction from me at all.  One of the most asked about features in OWA was to once again enable the reading pane to be placed at the bottom or the right side (RTM only enabled the right side).  This has been updated in SP1.

Archiving and E-Discovery

To start with, we can now create the Online Archive mailbox on a different database than the user's primary mailbox (YEAH!!).  This enables us to design the system with tiered storage and availability policies.  And to go one step further, if you provision the archive with the intention of consuming the user's PST archives, we can now import the PST file directly into the Archive right on the server and without Outlook being installed on the server.  One last note, Microsoft is also planning on releasing an update to Outlook 2007 that will enable it to see and participate in the Online Archives.

On the E-Discovery front, a few changes exist there as well, including search preview and search result de-duplication.  Also, when reviewing the search results, you can now add annotations to your review to make your task more efficient.

Archiving and E-Discovery

Since many administrators prefer to use the Exchange Management Console (EMC) instead of Powershell (EMS), Microsoft has placed a great deal of emphasis on UI improvements in SP1 including those in EMC and ECP.  Some of the improvements are:

  • Create/configure Retention Tags + Retention Policies in EMC
  • Configure Transport Rules in ECP
  • Configure Journal Rules in ECP
  • Configure MailTips in ECP
  • Provision and configure the Personal Archive in ECP
  • Configure Litigation Hold in ECP & EMC
  • Configure Allow/Block/Quarantine mobile device policies in ECP
  • RBAC role management in ECP
  • Configure Database Availability Group (DAG) IP Addresses and Alternate Witness Server in EMC
  • Recursive public folder settings management (including permissions) in EMC


    So, to close this blog post, I have to say that this Service Pack is one of the best ones in recent memory, and I know for a fact that most of what it contains is a direct consequence of the feedback many customers and architects like myself have provided.

    I sincerely thank the Exchange Product Group for listening and taking what your customers say to heart and then doing what is needed to make the product that much better.

    As time and my NDA permits, I will blog on more features and improvements coming in SP1.  Until then, you can look forward to obtaining your own copy of Exchange Server 2010 Service Pack 1 beta around the TechEd timeframe in June. 

    Microsoft Releases Exchange 2010 Installation Guides

    Microsoft has officially released (on 4/7/2010) the Exchange Server 2010 Installation Guide Templates.  These are beginning points for organizations to use to create server build procedure documentation.  These are well written and a great starting point for any organization to begin their install docs from!

    You can download them at:

    Thursday, March 18, 2010

    Free/Busy Federation Troubleshooting

    I have had the pleasure of being the administrator of the very first organization to implement the new Exchange 2010 Free/Busy Federation (from now on I will call it F/B Fed) infrastructure last year during the Exchange 2010 TAP (Technology Adoption Program).  In doing so, I have been given the opportunity to work directly with a couple of the Microsoft Exchange Product Group members (thank you Ladislau and Matthias!!!) who guided me through the initial implementation and troubleshooting of Free/Busy Federation when it occasionally went awry.  I could probably write a small whitepaper on what I have learned; however, for the purposes of this blog post, I wanted to delve into the latest issue I had.

    Recently, the public certificate we had been using for OWA, etc… and therefore for F/B Fed was going to expire and the cert vendor had made some changes to the UC certs they offered so we had to make a cert change, not just a renewal.  After we installed the new certificate and began using it for all the other web services (OWA, OA, EAS, etc…), we turned to F/B Fed and ran two commands with the intent of rolling to the new certificate.

    Set-FederationTrust -Identity MyFederationTrust -Thumbprint <your new cert thumbprint here>

    Set-FederationTrust "MyFederationTrust" -PublishFederationCertificate

    The problem is, it didn’t work.  The new certificate didn’t get rolled to as it should have.  Instead, I received the error shown below.

    An error occurred accessing Windows Live. Detailed information: "The request failed with HTTP status 403: Forbidden.".

    + CategoryInfo: ResourceUnavailable: (:) [Set-FederationTrust], LiveDomainServicesAccessException

    + FullyQualifiedErrorId: 7CDAC73F,Microsoft.Exchange.Management.SystemConfigurationTasks.SetLiveFederationTrust

    Next, I validated that the new certificate was in fact valid and that the certificate was enabled for Server Authentication.

    So far, everything looked OK, but we still couldn’t roll the cert properly and federation had stopped working as well.  ARGH..

    After a bit more trial and error, it had seemed like the Set-FederationTrust command shown earlier had finally worked; at least it didn’t give me an error when I ran it.  However, F/B Fed still wasn’t working, and when I ran Test-FederationTrust -Verbose, I received the following error in response.

    RunspaceId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    Id         : OrganizationPreviousCertificate
    Type       : Error
    Message    : Certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object is expired.

    With the help of Matthias, I ran the following script in order to attempt to push the old certificate completely out of the Federation system.

    $a = Get-FederationTrust
    Set-FederationTrust -Identity $a.Identity -Thumbprint $a.OrgPrivCertificate
    Set-FederationTrust -Identity $a.Identity -PublishFederationCertificate

    Unfortunately, when I ran the second command, I received a new error.

    Federation certificate with thumbprint "C54359E291F10213…" must have a unique Subject Key Identifier.  The Subject Key Identifier "1A29F0C8C62971EA524BE4…" is already used by the certificate with thumbprint "C54359E291F10213…".

    + CategoryInfo: InvalidArgument: (:) [Set-FederationTrust], ProvisionerConfigException

    + FullyQualifiedErrorId: 4CFC5CA6,Microsoft.Exchange.Management.SystemConfigurationTasks.SetLiveFederationTrust

    So, it seemed at the time that the issue was more of a security one due to the beta we are running for Service Pack 1, so we tried a different approach.

    $a = get-federationtrust
    $b = "LDAP://" + $a.DistinguishedName
    $c = [ADSI]$b
    # 1 = ADS_PROPERTY_CLEAR: remove the attribute from the object
    If ($c.msExchFedOrgPrevPrivCertificate -ne $null) { $c.PutEx(1, "msExchFedOrgPrevPrivCertificate", 0) }
    If ($c.msExchFedOrgPrevCertificate -ne $null) { $c.PutEx(1, "msExchFedOrgPrevCertificate", 0) }
    # Write the cached changes back to Active Directory
    $c.SetInfo()


    I ran that script (without error) and waited for AD to replicate.  Afterwards, I ran Test-FederationTrust -Verbose again, this time with a slightly different error, yet still related to the “msExchFedOrgPrevPrivCertificate” attribute.

    RunspaceId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    Id         : OrganizationPreviousCertificate
    Type       : Error
    Message    : Unable to find certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object.

    Hmmm…  that is interesting, now I don’t have a value in that attribute at all!  So I checked that by running Get-FederationTrust | fl and sure enough, this attribute was empty from Exchange’s point of view.  However, not fully convinced, Ladislau recommended I run the script below just to ensure it really was missing from AD.

    $a = get-federationtrust
    $b = "LDAP://" + $a.DistinguishedName
    $c = [ADSI]$b
    $c | fl * -force

    And of course, it was actually missing from AD as well….

    Come to find out, I had hit a new unknown bug on cert rolling and had to run this final script to set the msExchFedOrgPrevPrivCertificate attribute and get F/B Fed working again.

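    $a = get-federationtrust
    $b = "LDAP://" + $a.DistinguishedName
    $c = [ADSI]$b
    # Copy the current certificate value into the "previous" attribute
    $c.msExchFedOrgPrevPrivCertificate = $c.msExchFedOrgPrivCertificate
    # Write the cached change back to Active Directory
    $c.SetInfo()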


    Now, when I run Test-FederationTrust -Verbose I get a “Success” on all tests!  And our users are happy because Free/Busy Federation is once again working as advertised.  I hope these little insights are helpful to others when they use their favorite search engine to find answers to their own Federation issues.

    Until next time…   
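The properties this post ends up checking by hand (validity dates, Server Authentication, a unique Subject Key Identifier) can be reported for a certificate before Set-FederationTrust is pointed at it. The script below is an added example, not part of the original post or of Exchange; Get-CertSki, Test-FederationCertCandidate and the output property names are hypothetical.

```powershell
# Added example (not from the original post). Function and property names are hypothetical.
# Written to run on PowerShell 2.0 as well as later versions.

$SkiOid        = '2.5.29.14'          # Subject Key Identifier extension
$EkuOid        = '2.5.29.37'          # Enhanced Key Usage extension
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication usage

function Get-CertSki {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SkiOid }
    if ($ext) { $ext.SubjectKeyIdentifier } else { $null }
}

function Test-FederationCertCandidate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Certificates whose Subject Key Identifiers must not match the candidate's
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Others = @()
    )
    $now = Get-Date
    $ski = Get-CertSki $Certificate

    # A certificate without an EKU extension is not restricted to particular usages.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $serverAuth = (-not $eku) -or
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })

    # The SKI is normally derived from the public key, so a certificate reissued
    # on the same key pair carries the same SKI under a different thumbprint.
    $clashes = @($Others | Where-Object {
        $ski -and $_.Thumbprint -ne $Certificate.Thumbprint -and (Get-CertSki $_) -eq $ski
    } | ForEach-Object { $_.Thumbprint })

    New-Object PSObject -Property @{
        Thumbprint     = $Certificate.Thumbprint
        NotAfter       = $Certificate.NotAfter
        InValidityTime = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        HasPrivateKey  = $Certificate.HasPrivateKey
        ServerAuth     = $serverAuth
        SKI            = $ski
        SkiSharedWith  = ($clashes -join ',')
    } | Select-Object Thumbprint, NotAfter, InValidityTime, HasPrivateKey, ServerAuth, SKI, SkiSharedWith
}

# Report on every certificate in the computer's personal store, comparing each
# one against all the others.
$store = @(Get-ChildItem Cert:\LocalMachine\My)
$store | ForEach-Object { Test-FederationCertCandidate -Certificate $_ -Others $store } |
    Format-List
```

A non-empty SkiSharedWith, a false InValidityTime or a false ServerAuth on the row for the new certificate points at the same conditions the errors in this post report.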

    Wednesday, February 17, 2010

    Download the updated E2010 Mailbox Server Role Calc!

    Well, the boys in Redmond (thanks Ross and the soon to be Greg) have delivered another fantastic update to the Exchange 2010 Storage Server Role Calculator!  There are a bunch of fixes in this version since the release of version 3.5.  According to the Version Notes, these include:

    Version 3.6 - Fixed Number of Mailboxes per Database (I/O Driven) calculation formula to round down thereby adding additional IO buffer in the max number of mailboxes per database that could be supported in JBOD scenario (Perry Thompson); comment fixes
    Version 3.7 - Fixed processor core calculations for secondary datacenter that resulted in error when only lagged copies are deployed; formatting fixes
    Version 3.8 - Fixed number of lagged copy server calculation to round (Justin Brown)
    Version 3.9 - Fixed required mailbox core CPU calculations to take into account that certain site resilient scenarios result in neither datacenter supporting a single server failure
    Version 4.0 - Fixed /DAG LUN Size calculation to calculate based on number of servers and not total number of database copies (Wilfried van Oosterhout)
    Version 4.1 - Added better explanation in JBOD scenario when disk selection falls short either via capacity or IO reasons (Jeremy Gagne)
    Version 4.2 - Added Restore LUN RAID parity options (Robert Gillies and Rick Shire)
    Version 4.3 - Conditional Formatting fixes (Robert Gillies)
    Version 4.4 - Added minimum number of global catalog cores (James Reed)
    Version 4.5 - Improved formatted capacity calculation formula (Kyryl Perederiy)

    Let's just say it is well worth the download!  So… What are you waiting for….

    Thursday, January 28, 2010

    OCS 2007 R2 Workload Architecture Poster

    I ran into a poster that Microsoft published a few days ago that details the traffic flow of protocols and ports used in each workload within Office Communications Server 2007 R2 (OCS 2007 R2). OCS 2007 R2 supports the following workloads: IM and Presence, Conferencing, Application Sharing, and Enterprise Voice. These filtered views can assist you in architecting your deployment of Communications Server 2007 R2. The different server roles are described along with server certificate requirements. Firewall and DNS configuration requirements are also described.

    Get your copy at:

    Friday, January 22, 2010

    Newly updated Exchange 2010 Mailbox Requirements Calculator

    Microsoft (thank you Ross and Matt!) have released a much needed update to the Exchange 2010 Mailbox Requirements Calculator. 

    This version includes the following improvements and new features:

    • Added processor core guidance for Hub Transport and Client Access server roles.
    • Added the ability to define a custom number of databases that you would like to implement in the solution.
    • Added support for 2-node site resilient Database Availability Groups.
    • Added 1 and 6 processor cores as selectable options.
    • Improved breakdown of the activation scenarios in a site resilient solution.
    • Improved breakout of the role requirements section.
    • The Storage Design tab now indicates that when you select a custom RAID configuration that the calculator ignores RAID-5 and RAID-6 for 5.xK and 7.2K spindles due to performance concerns.
    • Updated processor utilization results to show the processor utilization even if it is above the recommended threshold.
    • Made conditional formatting improvements throughout the calculator to warn you when you have a configuration that will not work.
    • Improved various cell comments.

    This version also corrects the following bugs:

    • Fixed LUN Requirements tables to accurately reflect space requirements when database copies are deployed as each server may not host all database copies.
    • Fixed conditions that resulted in -1 lagged copies.
    • Improved the active database copies after first/second server failure calculations:
      • We now calculate and expose the worst case scenario (the server that has to host the most active databases), which is used in sizing memory and CPU.
      • We now ensure that the secondary datacenter calculations only consider double server failures when there are 3+ HA copies located in the secondary datacenter.
    • Removed maximum memory stipulation in the minimum ESE cache memory calculation.

    For more information on this new update:

    You can download the update from:

    Friday, January 15, 2010

    Exchange Server 2010 Deployment Assistant Expanded

    In November, Microsoft launched the Exchange Server 2010 Deployment Assistant. In the initial version of the Deployment Assistant, content was available for customers upgrading from Exchange 2003. Microsoft has now announced that they have  released content for the following scenarios to

    • Upgrading from Exchange Server 2007
    • Upgrading from a mixed Exchange Server 2003/2007
    • New Exchange Server 2010 installation

    The Deployment Assistant allows you to create Exchange 2010 deployment instructions that are customized to your environment. The Deployment Assistant asks a small set of questions, and based on your answers, it provides a set of instructions that are designed to help you install and complete a basic configuration on Exchange 2010. Instead of reading dozens of topics in the Exchange 2010 Technical library, you simply answer a few questions, and the Deployment Assistant gives you customized content to install Exchange 2010.

    I would recommend, however, that you also read the Technical Library later on, as the instructions provided are basic and may not meet all of your needs if you already have an older install of Exchange that isn’t a standard installation or if you have another mail system such as Lotus Domino or GroupWise.

    Thursday, January 14, 2010

    New uses for DiskPart CLI

    So, here I am, reading new email (at 10pm I might add) from within the Exchange Master and Architect Community when I came across a thread started by one of the other long time Exchange Masters (thanks Derrick!) around the topic of using DiskPart for automation.  Now, many of us remember using DiskPart or DiskPar in older versions of Exchange when we were running it on Windows 2003 and earlier Operating Systems.  We used to use it to align the disk offset with the recommended settings from the disk subsystem manufacturer, often 64 or 128 instead of the default for Windows back then of 63.  And to be honest, I haven’t really thought much about DiskPart lately since we don’t require it for Windows 2008 (the default now in Windows is 64 – Yeah!).  

    As the email pointed out, DiskPart now supports a Command Line Interface (CLI) that can be used for automation of Disk subsystem configuration and management.  Way cool eh!?

    Microsoft has posted a TechNet article called “DiskPart Command-Line Options”.

    So, what is new in the current release of DiskPart?  Read on:

    1. One nice addition to the diskpart scripting file is that they finally have the NOERR parameter, so a single typo no longer dumps you out like before, forcing you to create a second file with the fixed entries minus everything that worked.  Major pain.

    Ex: assign [{letter=d|mount=path}] [noerr]

    2. Format: you can now format from inside Diskpart.  So a second script file to format all those drives is no longer needed.


    3. AUTOMOUNT: be careful.  This could really mess up clustering (if not in exchange) if used at the wrong time.

    How does this make your life simpler?  If you have lots of drives, having to do each one manually, creating partitions, then assigning mount points through the disk manager UI takes forever. Formatting through the UI (selecting each drive and waiting) also takes forever.  Now it all can be done in one place, and you are sure that you are selecting the correct drive for naming since it's in the same command set.

    To run the answer file with diskpart


    Diskpart answer file example: 

    select disk 10

    online disk noerr

    attributes disk clear readonly noerr

    create partition primary noerr

    select partition 1

    assign mount=C:\EXCHANGE_MOUNT_POINTS\MDB1 noerr

    FORMAT FS=NTFS unit=65536 LABEL="New Volume" QUICK noerr
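For the "lots of drives" case described above, the answer file can be generated from a disk-to-mount-point map rather than typed by hand. This is an added example, not part of the original post; New-DiskPartAnswerFile, its parameters and the sample mapping are hypothetical, and it assumes disk 0 is the operating system disk. It only writes the file and never runs DiskPart.

```powershell
# Added example (not from the original post). New-DiskPartAnswerFile and its
# parameters are hypothetical names; nothing here runs DiskPart.
function New-DiskPartAnswerFile {
    param(
        # Disk number -> mount folder (must already exist as an empty NTFS folder)
        [Parameter(Mandatory = $true)][hashtable]$DiskToMountPoint,
        # Assumption: disk 0 is the operating system disk and must never be scripted
        [int[]]$ProtectedDisks = @(0)
    )
    $paths = @($DiskToMountPoint.Values)
    if (@($paths | Sort-Object -Unique).Count -ne $paths.Count) {
        throw 'Two disks are mapped to the same mount point.'
    }
    $lines = @()
    foreach ($entry in ($DiskToMountPoint.GetEnumerator() | Sort-Object Key)) {
        $disk = [int]$entry.Key
        $path = [string]$entry.Value
        if ($ProtectedDisks -contains $disk) {
            throw "Disk $disk is protected; refusing to generate commands for it."
        }
        if ($path -match '\s') {
            throw "Mount path '$path' contains whitespace; this generator writes it unquoted."
        }
        $label = Split-Path $path -Leaf          # e.g. MDB1
        $lines += "select disk $disk"
        $lines += 'online disk noerr'            # keep going if the disk is already online
        $lines += 'attributes disk clear readonly noerr'
        # No noerr here: if the partition cannot be created, DiskPart exits
        # instead of going on to select and format an existing partition 1.
        $lines += 'create partition primary'
        $lines += 'select partition 1'
        $lines += "assign mount=$path noerr"
        $lines += "format fs=ntfs unit=65536 label=`"$label`" quick noerr"
    }
    $lines
}

# Constructed sample mapping; adjust to the disk numbers shown by "list disk".
$map  = @{ 10 = 'C:\EXCHANGE_MOUNT_POINTS\MDB1'; 11 = 'C:\EXCHANGE_MOUNT_POINTS\MDB2' }
$file = Join-Path $env:TEMP 'exchange-disks.txt'
New-DiskPartAnswerFile -DiskToMountPoint $map | Out-File -FilePath $file -Encoding ASCII
Get-Content $file
# After reviewing the file, run it from an elevated prompt: diskpart /s <path to file>
```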




    Tuesday, January 12, 2010

    Exchange 2007 SP2 RU1 – Raising diagnostic logging for “Message Access” causing calendar issues for users

    Microsoft posted yesterday a new issue that administrators can cause with user calendaring just by increasing the diagnostic logging for “Message Access” to anything other than “Lowest”.  This seems to impact Exchange Server 2007 Service Pack 2 implementations up through Roll Up 1.  A KB article is not available yet, but appears to be in the works.  Based upon , the following information has been released on this issue. 

    What the users may see

    Symptoms before applying the pending update:

    • Access to recurring appointments (which have attachments for the instances) is broken - Outlook in online mode receives an "Item cannot be opened" error.
    • Sending an embedded message in cached mode results in the attachment being stripped.
    • Availability is not shown for some users.

    The following symptoms may persist, even after applying the update or manually setting the Message Access diagnostic level back to Lowest:

    • Certain users show no availability information from Outlook or OWA scheduling assistant.  Also, event id 4009 for MSExchange Availability is logged on servers with the CAS role

    Exception returned:

    Microsoft.Exchange.Data.Storage.ObjectNotFoundException: Cannot open embedded message.

    • Delegates viewing calendars receive the error:

    Cannot read one instance of this recurring appointment. Close any open appointments and try again, or recreate the appointment

    • Messages are sent to ActiveSync devices with the following text:

    Microsoft Exchange was unable to send the following items to your mobile device. These items have not been deleted. You should be able to access them using either Outlook or Outlook Web Access.

    • When accessing Calendar from OWA, the day, week or month viewing will fail with the error:

    The item that you attempted to access no longer exists.

    We have determined these symptoms are primarily due to calendar items affected between the time logging was increased and when the pending update or workaround is implemented. Recurring calendar items with no end date that have had an occurrence modified seem most susceptible.  A quick method to find these visually is to look for the circling arrows with a line through it.

    Does this apply to you?

    Before the release of the pending update, if any Exchange Server 2007 SP2 server with the Mailbox role has the following new event log level raised from Lowest, this applies to you.

    MSExchangeIS\9000 Private\Message Access

    How to check your Organization for the problem

    You can determine if your MBX servers are at risk by looking in the following places:

    1) The new GUI introduced in SP2 - in the Exchange Management Console under Server Configuration, Mailbox, select the server and choose Manage Diagnostic Logging Properties...

    2) In the registry for each MBX server [Lowest = 0]

    3) Run the following Exchange CMDlet to find all Exchange 2007 MBX servers and this specific diagnostic logging level for Message Access:

    Get-MailboxServer | foreach {Get-EventLogLevel -id ($_.Name + "\MSExchangeIS\9000 Private\Message Access")}

    How to correct the problem

    If any MBX server is found to have logging above the default before the pending update is applied, you should reset it to Lowest manually.  Note which MBX servers are configured with the non-default level and then run this CMDlet to ensure they are all set to "Lowest":

    Get-MailboxServer | foreach {Set-EventLogLevel -id ($_.Name + "\MSExchangeIS\9000 Private\Message Access") -Level "Lowest"}

    Then either remount the databases or restart the Information Store service.

    A sample PowerShell script is available here to track down calendar items contributing to the symptoms that persist after applying the workaround detailed above.  This script will identify the day containing problem appointments and can be run against a specific mailbox or all Exchange 2007 mailboxes.  The requirements for running the script are detailed in the script comments. The sample script uses the $true argument to enumerate all Exchange 2007 mailboxes and to initialize the Autodiscover portion of the Web Services object:

    [PS] C:\Powershell\scripts> .\Find-BadCalendarItems.ps1 $true
    Checking mailbox:
    Checking mailbox:
    Checking mailbox:
    Checking mailbox:
    Failed: 11/30/2009 - 12/30/2009
    Error: Mailbox logon failed., inner exception: Cannot open embedded message.

    Day failed: 12/2/2009
    Checking mailbox:
    Failed : 11/30/2009 - 12/30/2009
    Error: Mailbox logon failed., inner exception: Cannot open embedded message.

    Day failed: 12/23/2009
    Checking mailbox:
    Checking mailbox:
    Problems found: 12/2/2009 12/23/2009

    Now that 12/23/2009 has been identified as the problem date for user, you can use Outlook to find any recurring calendar items with no end date that have had an occurrence modified on that day. Copy that occurrence [either to a temporary Calendar folder or even to a different time that day] then delete just that occurrence. Moving the copy back or manually recreating the instance will resolve the symptom for that user.