Outlook Web Access tips and tricks

After I installed Exchange Server 2003 last weekend, I found that accessing Outlook Web Access (OWA) didn’t prompt for any authentication – it simply displayed the contents of the currently logged-on user’s mailbox (if it was homed on Exchange Server 2003) or redirected to the old Exchange Server 5.5 OWA server (where the mailbox had not yet been migrated). In order to allow users to authenticate with a username and password, it was necessary to enable forms-based authentication (Daniel Petri’s description also includes the process of configuring SSL).

Once this had been enabled, HTTP requests were greeted with a normal browser authentication dialog; however, HTTPS access was greeted with a much more pleasant OWA logon screen.

OWA authentication via HTTP

OWA authentication via HTTPS

It is also possible to change the username format for OWA forms-based authentication from domainname\username to a simple username.

Finally, Microsoft knowledge base article 319878 describes the process to make OWA the default website on an Exchange Server, avoiding the need to access the server as http://servername/exchange/ or https://servername/exchange/.

Some more about what to expect in Exchange Server 2007

A few months back, I wrote a bit about what to expect in the next version of Microsoft Exchange Server. Since then, I’ve learned a lot more about Exchange Server 2007 (formerly codenamed E12) but couldn’t repeat much of it. The following highlights are some of the additional information that was made public in Eileen Brown’s presentation at last week’s Microsoft Technical Roadshow, starting with Exchange Server product progress (since the launch of Exchange Server 2003):

Key new features with Exchange Server 2007 (some of which I’ve written about previously) include:

  • The use of 64-bit server technology facilitates a reduction in input/output operations and hence allows more databases (with larger mailboxes) to be placed on each server.
  • High availability enhancements, allowing increased data and service availability: database continuous replication (either local or clustered) allows daily full backups to be replaced with weekly full backups and daily incrementals; the second copy of the database plays the transaction logs from the first as they are written, meaning that it is never more than one transaction log behind the first; and there is now support for geoclustering.
  • Improved mobile e-mail, including push e-mail, policy-based provisioning and security.
  • Improved system management tools: a new MMC 3.0-based Exchange System Manager and the Exchange Management Shell (running on Windows PowerShell).
  • Automatic client configuration.
  • Encrypted and signed intra-organisation e-mail (by default) and encryption at the gateway (where supported) for business-to-business e-mail with no additional client requirements.
  • New message hygiene functionality.
  • Message journalling at the transport level with new data retention rules and a new content indexer, allowing a multiple-mailbox search with low CPU impact and fast re-indexing.
  • Improvements in Outlook cached mode operation.
  • Integration with SharePoint folders.
  • New AD schema extensions for resource mailboxes (room or equipment) as well as an all rooms address list.
  • Meeting requests can now be accepted or declined within a preview (no need to open the message).
  • A to-do bar allowing tasks to roll over to the next day if they have not been completed.
  • Ability to view multiple calendars overlaid on one another.
  • An improved scheduling assistant that provides hints to the best times for all meeting attendees as well as tentatively accepting new requests, automatically handling updates to meeting information and removing out of date meeting requests/updates.
  • Calendar sharing is now more granular, with the ability to deny all access, show time and free/busy status only, show time, subject, location and free/busy status, or show full details, even down to a per-user level.
  • Schedules can be set for out of office replies.

From a client perspective, Outlook 2007 provides the richest user experience (when connected to Exchange Server 2007, although it will also work with previous versions); however Outlook Web Access (OWA) is now almost as good. There’s also Outlook Mobile for Windows Mobile 5.0 and the ability to interact with Exchange’s unified messaging functionality from a phone.

Exchange Server 2007 offers significant improvements over 2003 and earlier versions; however it will be interesting to see if these improvements are enough to entice the many companies that are still running basic e-mail services using Exchange Server 5.5 to upgrade their systems.

Exchange Server 5.5-2003 migration gotchas

I’ve not been doing as much work with Exchange Server as I’d like in recent years; so when a friend asked me to help carry out an Exchange Server 5.5 to 2003 migration for one of his contacts I was happy to get involved (although I was slightly nervous as this was effectively a refresher course for me being carried out on his production system).

I’m not going to make this a “how to do it” post as I posted an article about migrating from Exchange Server 5.5 to 2003 a couple of years back and one of the areas where the Exchange Server team have really excelled is in the creation of the Exchange Server Deployment Tools which guide an administrator through each step of the process, running diagnostic and setup utilities as they go. For further information, the Exchange Server Deployment Guide is also worth a read.

This article simply highlights some of the issues I came across (on what was a fairly simple migration – Outlook Web Access and Exchange Server 5.5 on two separate servers to a new Exchange Server 2003 server in the same organisation and site) and how to resolve them:

  • The first problem came when Exchange Server setup detected that the installation was being performed on a Windows Server 2003 service pack 1 (SP1) computer (Windows Server 2003 R2 is effectively the same as Windows Server 2003 SP1) and advised that this has known compatibility issues with Exchange Server 2003. After reviewing the Exchange Server system requirements it turned out that it’s not a problem on a non-clustered server if Exchange Server is also running SP1 or later so Exchange Server service pack 2 (SP2) was installed immediately after Exchange Server setup had completed.
  • The Active Directory Connector (ADC) is probably the most difficult part of an Exchange Server 5.5 upgrade but the latest version of ADC includes tools to guide an administrator through the process of creating connection agreements between the Active Directory and Exchange Server directory services and verifying replication. In this case, the ADC Tools highlighted an issue which meant it was necessary to grant Full Control NTFS permissions to the Exchange Server 5.5 service account on the C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Active Directory Connector folder (as described in Microsoft knowledge base article 820268). Further problems with objects reporting as not replicated (as described in Microsoft knowledge base article 842142) were resolved by reinstalling the ADC, using the version supplied with Exchange Server 2003 SP2.
  • After installing Exchange Server 2003, one shutdown took an extended period of time; however this is a known issue, described in Microsoft knowledge base article 555025.
  • One of the great features of Exchange Server has always been the referral mechanism that allows MAPI clients to update their profiles when a mailbox is moved between servers; however, on this occasion, some Outlook 2003 clients failed to update their MAPI profiles. This is a known issue and is resolved by installing Office 2003 SP2, as described in Microsoft knowledge base article 914855. No such problems were experienced with Outlook 2002 (XP) clients, although the site replication service (SRS) did hang on one occasion and needed to be started before clients could successfully remap their profiles.
  • When accessing Outlook Web Access (OWA), requests to http://exchange2003servername/exchange/ appeared to be diverting to http://exchange55servername/exchange/; however it was later discovered that the referral was only taking place where the currently logged on user (domainname\Administrator in my case) had a mailbox that had not yet been migrated. Once all mailboxes had been moved across, OWA stopped redirecting access.
  • Many Exchange Server 5.5 administrators are used to being able to access all objects (including the contents of other users’ mailboxes) using the Exchange Server service account; however, with Exchange 2003, even when an account is delegated Exchange Full Administrator rights over the Exchange organisation, it is unable to access other mailboxes as inherited permissions apply an explicit deny over certain rights. This is by design but can be overridden as described in Microsoft knowledge base article 821897 to give an account full access to all objects in a particular store. In this case I delegated Exchange Full Administrator rights to a global security group called Exchange Admins (and added that group into the local Administrators group on the Exchange server), then granted another account full control over all objects in the mailbox store. This meant that I had a group over which the membership could be edited as required to grant rights to administer the Exchange organisation, plus another account (I should really have made this a group too) that could view the contents of other users’ mailboxes.
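Why a grant made directly on the mailbox store gets past the deny inherited from the organisation, as an added sketch (not code from the original post or from Exchange): Windows checks an object's explicit ACEs before its inherited ones. "Exchange Admins" is the group named above; the account names, right names and ACEs are constructed for illustration.

```python
from collections import namedtuple

# kind is "allow" or "deny"; rights is a set of right names.
Ace = namedtuple("Ace", "trustee kind rights")


def canonical_dacl(explicit, inherited):
    """Order ACEs the way Windows stores them: explicit ACEs before
    inherited ones, and deny before allow inside each group."""
    def deny_first(aces):
        return ([a for a in aces if a.kind == "deny"] +
                [a for a in aces if a.kind == "allow"])
    return deny_first(explicit) + deny_first(inherited)


def access_check(token, dacl, wanted):
    """Walk the DACL top to bottom; the first ACE that mentions a
    still-needed right decides it. Ungranted rights are implicitly denied."""
    remaining = set(wanted)
    for ace in dacl:
        if ace.trustee not in token:
            continue
        hit = remaining & ace.rights
        if not hit:
            continue
        if ace.kind == "deny":
            return False
        remaining -= hit
        if not remaining:
            return True
    return False


# Constructed sample data: ACEs the store inherits from the organisation,
# and one ACE set directly (explicitly) on the mailbox store.
ORG_INHERITED = [
    Ace("Exchange Admins", "deny", {"receive_as", "send_as"}),
    Ace("Exchange Admins", "allow", {"administer", "receive_as", "send_as"}),
]
STORE_EXPLICIT = [
    Ace("mailbox-audit", "allow", {"administer", "receive_as", "send_as"}),
]
ADMIN = {"alice", "Exchange Admins"}      # hypothetical member of the group
AUDITOR = {"mailbox-audit"}               # hypothetical separate account


def scenarios():
    """Evaluate the cases described in the post against the model."""
    default = canonical_dacl([], ORG_INHERITED)
    with_store_ace = canonical_dacl(STORE_EXPLICIT, ORG_INHERITED)
    group_override = canonical_dacl(
        [Ace("Exchange Admins", "allow", {"receive_as"})], ORG_INHERITED)
    return {
        "admin can administer": access_check(ADMIN, default, {"administer"}),
        "admin can open mailboxes": access_check(ADMIN, default, {"receive_as"}),
        "auditor before store ACE": access_check(AUDITOR, default, {"receive_as"}),
        "auditor after store ACE": access_check(AUDITOR, with_store_ace, {"receive_as"}),
        "admin after explicit allow": access_check(ADMIN, group_override, {"receive_as"}),
    }


if __name__ == "__main__":
    for case, allowed in scenarios().items():
        print("%-28s %s" % (case, "allowed" if allowed else "denied"))
```

The last scenario is the one to watch when reviewing store permissions: any explicit allow placed on the store for the administrators' own group silently removes the separation the inherited deny was providing.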

In all, the migration was reasonably successful, although I do still need to decommission Exchange Server 5.5 (it was left in place to allow the Outlook profiles to update as users log in to the system) and some HTTPS publishing issues with Proxy Server 2.0 need to be resolved before I can call the job complete. In fact, those HTTPS publishing issues turned out to be the cause of much panic on Monday morning when Exchange seemed to be falling down around us. One of the methods we had tried to proxy inbound SSL was using the Winsock proxy client on the Exchange Server as described in Microsoft knowledge base article 184030. Although the SSL proxying hadn’t worked, the Winsock Proxy Client had been left installed on the Exchange Server – it didn’t seem to be causing any issues on Sunday night but by Monday morning the Exchange System Manager and Active Directory Users and Computers administration tools were inaccessible, which Microsoft knowledge base article 325322 suggests is related to a DNS problem. It was purely by chance that I managed to trace this back to the Winsock proxy client (as described in Microsoft knowledge base article 280833) and once this was uninstalled, all services became available.

One final issue left to resolve was to restore access to mailboxes for BlackBerry users, caused by the problems publishing OWA via HTTPS (although any change to the URL used to access OWA externally would have caused this). The resolution was to remove existing account details from users’ Vodafone Mobile E-mail profiles and recreate them using the new address as described in BlackBerry knowledge base article KB-03133.

Finally, for all Exchange Server admins, whether migrating to a new version of Exchange or administering an existing system, there are many tools for Exchange Server 2003 available for download from the Microsoft website.

Configuring and troubleshooting services and applications with Proxy Server 2.0

I’ve spent a lot of time over the last few days struggling to configure a Microsoft Proxy Server 2.0 running on Windows NT 4.0 and Internet Information Server (IIS) 3.0 to reverse proxy (i.e. publish) an HTTPS website. Eventually I had to admit defeat (I’m trying to convince my client to upgrade to ISA Server 2004); however I did find a useful resource for Proxy Server 2.0 information that should be worth a look next time I’m trying to administer/troubleshoot a Microsoft Proxy Server configuration.

Tracking Windows server product licenses

I just had a call from a client who was concerned that he couldn’t add client access licences (CALs) for his new Exchange Server in the Licensing administrative tool. I’ve never really used this tool so I had to do some research before I could answer his question. Microsoft knowledge base article 824196 describes the license logging service (LLS) but the key points to note are all in the article summary:

  • LLS was originally designed to help administrators manage licenses for Microsoft server products that are licensed on a per-server basis (the server CAL model).
  • LLS was introduced with Windows NT Server 3.51 but it is disabled by default in Windows Server 2003.
  • Because of design constraints and evolving licensing terms, LLS cannot provide an accurate view of the total number of per-user CALs purchased, compared with the total number of CALs that are used on a single server or across the enterprise.
  • LLS will not be included in future versions of the Windows operating system.

Basically, it seems that LLS is a hangover from Windows NT and nowadays there is no real reason to use it in Windows Server 2003.

Updating Windows Defender Beta 2 using WSUS

Last year I blogged that Microsoft were pushing updates to their Windows AntiSpyware Beta, to extend the expiry date past the end of July 2005. Since then, there have been a number of updates (including renaming the product to Windows Defender) and even though Windows Defender is included in recent Windows Vista builds, my XP clients have still been running Windows AntiSpyware Beta v1.0.701 (which expires at the end of July 2006).

That started to change tonight, when one of my XP machines updated itself to Windows Defender Beta 2, and although the product is now at v1.1.1347 (engine v1.1.1303.0), the definitions went backwards from update 5841 (5 May 2006) to a new definition numbering scheme (v1.0.0.0), dated 25 January 2006. Strangely, checking for updates reported that there were no updates available for download.

Microsoft knowledge base article 915105 describes an issue where Defender does not download updates but the resolution didn’t work for me; however, I did discover that Windows server update services (WSUS) now supports Windows Defender (Microsoft knowledge base article 915597 has more details of the update delivery mechanism).

After enabling Windows Defender updates in WSUS and synchronising, I found that there were three definition updates waiting for me to approve – v1.14.1408.8 (25 April 2006), v1.14.1410.10 (27 April 2006) and v1.14.1436.4 (3 May 2006). A few minutes later, checking for updates resulted in a successful download from WSUS.

Windows Defender seems to be in an extraordinarily long beta program (considering the original Giant Company product that Microsoft bought was so well regarded), but it seems pretty solid to me. Let’s hope that the US DOJ and the EU don’t force Microsoft to unbundle important security features like this from Windows.

Refreshing the CD-ROM drive in Virtual Server

I’ve been installing Exchange in a virtual machine this evening and ran into an interesting issue with Virtual Server and CD/DVD access. The virtual machine in question had a virtual CD/DVD drive attached to the host computer’s CD-ROM drive but each time I switched CDs, the guest seemed unaware of the change.

I found a workaround on the microsoft.public.virtualserver newsgroup. It’s clumsy, but by releasing the guest’s virtual CD/DVD drive (connect to no media) and reconnecting to the host’s physical CD/DVD drive I was able to force the virtual machine to recognise the new disk (Virtual PC users can release and recapture the CD drive within Virtual PC).

Duplicating virtual machines using SysPrep

One of the joys of virtualisation is the flexibility afforded by the ability to copy virtual machine files around the network for backup purposes or just to create a new machine (especially with Microsoft’s new Virtual Server licensing arrangements). Unfortunately, just as for “real” computers, simple file copies of Windows-based virtual machines can cause problems and are not supported (see Microsoft knowledge base article 162001).

All is not lost though, as Microsoft does support the duplication of virtual hard disks using the system preparation tool (SysPrep) and Megan Davis has written about sysprepping virtual machines on her blog. I tested it today and it works really well – basically a 3 step process of:

  1. Install and configure a source virtual machine as required (i.e. operating system installed, virtual machine additions installed, service packs and other updates applied), making sure it is in a workgroup (i.e. not a domain member).
  2. Locate the appropriate version of the Windows deployment tools (I used the ones from the \support\tools\deploy.cab file on a Windows Server 2003 CD) and create an answer file (C:\sysprep\sysprep.inf). Then copy the sysprep.exe and setupcl.exe deployment tools to C:\sysprep.
  3. Run SysPrep to reseal and shut down the guest operating system, then copy the virtualmachinename.vhd file to a secure location (make it read-only to prevent accidental overwrites, but also apply appropriate NTFS permissions). This file can then be duplicated at will to quickly create new virtual machines with a fully-configured operating system.
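A check for the answer file from step 2, as an added example rather than anything from the original post: the sealed .vhd still carries C:\sysprep\sysprep.inf until Mini-Setup runs on a copy, so whatever the file holds is present in every duplicate. The two sample files and the finding codes are constructed; the keys are standard sysprep.inf entries.

```python
import configparser

# Constructed sample answer files (placeholder values, not from the post).
RISKY_INF = """\
[GuiUnattended]
AdminPassword=Example-Passw0rd
OemSkipWelcome=1
[UserData]
FullName="Template User"
ComputerName=TEMPLATE01
[Identification]
JoinDomain=EXAMPLE
DomainAdmin=joiner
DomainAdminPassword=Example-Secret
"""

SAFER_INF = """\
[GuiUnattended]
OemSkipWelcome=1
[UserData]
FullName="Template User"
ComputerName=*
[Identification]
JoinWorkgroup=WORKGROUP
"""


def load_inf(text):
    """Parse an answer file into {section: {key: value}}, names lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    return {s.lower(): {k.lower(): (v or "").strip().strip('"')
                        for k, v in cp.items(s)}
            for s in cp.sections()}


def lint_sysprep(text):
    """Return (code, message) findings for values every clone would inherit."""
    inf = load_inf(text)
    gui = inf.get("guiunattended", {})
    ident = inf.get("identification", {})
    user = inf.get("userdata", {})
    findings = []

    # An omitted AdminPassword makes Mini-Setup prompt, so it is not flagged.
    password = gui.get("adminpassword", "")
    hashed = gui.get("encryptedadminpassword", "no").lower() == "yes"
    if password == "*":
        findings.append(("ADMIN_PW_BLANK",
                         "AdminPassword=* sets a blank password"))
    elif password and not hashed:
        findings.append(("ADMIN_PW_CLEARTEXT",
                         "AdminPassword is readable in the .vhd"))

    if ident.get("domainadminpassword"):
        findings.append(("DOMAIN_PW_CLEARTEXT",
                         "DomainAdminPassword is readable in the .vhd"))

    # A fixed name means every copy boots with the same computer name.
    name = user.get("computername", "")
    if name and name != "*":
        findings.append(("FIXED_COMPUTERNAME",
                         "every clone boots as %s; use * or omit" % name))
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_INF), ("safer", SAFER_INF)):
        print(label, lint_sysprep(text) or "no findings")
```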

For anyone who is unfamiliar with SysPrep, check out Killan’s guide to SysPrep (which, despite claiming not to be written for corporate administrators or OEM system builders, seems like a pretty good reference to me).

Incidentally, there are major performance gains to be had by moving virtual machines onto another disk (spindle – not just partition). Unfortunately my repurposed laptop hard disks were too slow (especially on a USB 1.1 connection), so I had to go out this afternoon and buy a USB 2.0 PCI adapter along with a decent external hard disk (a Toshiba 320GB 7200 RPM external USB 2.0 hard drive with 8MB data buffer) – that speeded things up nicely.

Problem adding a virtual machine to Virtual Server 2005 R2

I’ve just been struggling to add a virtual machine back into the Virtual Server administration website (after I changed the search path). Each time I tried, Virtual Server highlighted the .VMC file as a known configuration file but then reported that:

The virtual machine configuration could not be added. A configuration with this name already exists.

Luckily enough, I found Mohammed Adenwala’s problem adding a virtual machine in Virtual Server 2005 blog post which described my problem exactly. After deleting C:\Documents and Settings\All Users\Application Data\Microsoft\Virtual Server\Virtual Machines\virtualmachinename.lnk I was able to add the virtual machine to the administration website and run it.

Today is National Work from Home Day

Recently, with the introduction of new flexible working legislation, there has been more and more attention paid to the subject of home-based working and on the way home this evening I heard that today has been designated National Work from Home Day by Work Wise UK.

As someone who frequently works from home, I don’t need to be convinced of the benefits for me personally (less time commuting; less money spent commuting; less money spent on snacks at work; potential reduction in waistline measurements by not buying up large sections of the Marks and Spencer food hall each lunch time; and actually getting to see my family for a short time each day) but there are also benefits for employers (I’m more productive when I work from home; they don’t need to provide as much office space – just some “hot desks” for the days I am in the office; and my travel expenses are reduced) as well as for the nation as a whole (fewer commuters means less congestion).

Working from home is not for everybody though and some people may find it difficult (particularly if away from the office for long periods, or even on a full-time basis). When my wife left a busy public relations consultancy, to set up her own business working from home, she missed the office “buzz” at first (although now she finds the flexibility to be a major advantage). Personally, I find a quiet environment more conducive to work. What can be difficult though is remaining highly motivated and disciplined to keep up the work momentum when you are on your own all day. Some days I find that I can’t get going – more often I find myself putting in extended hours because I’m “on a roll”. Indeed, whilst the break from distractions is initially welcomed, without the movement of others around it is all too easy for the hours to slip by and it can become hard to separate work and private lives. This can be hard enough in a demanding job, but can be even more difficult when home is also the work place so it’s still important to plan breaks away from work.

One way to compensate for a lack of human contact whilst spending all day working at home can be making a conscious effort to get out after work (using all that commuting time that has been regained, perhaps taking up a hobby or sport).

It’s also possible to keep in touch with colleagues or clients by phone and email on a regular daily basis but this contact cannot replace face to face contact – a lot of information gets passed on informally when people bump into each other in the office and so it’s important to make an effort to keep in contact with the right people.

Of course, some jobs just cannot be done from home, but as the UK moves from a manufacturing-led economy to a service-led economy there are more and more opportunities for home-working – especially with the expansion in broadband Internet connectivity and consequential growth in associated technologies like voice over IP.

Unfortunately (for those who have dinosaur managers who insist on staff being present at their desk for a fixed number of hours and at certain times each day) and fortunately (for those who could finish work at the end of the day without spending hours in traffic), we had a mini-heat wave in the UK today and I’m sure not everyone would have heeded the message from Work Wise UK that:

“National Work from Home Day is not intended as a holiday, or an extension of the weekend. Its aim is to let staff, and employers, see just how it could work – how productive we all can be.”