Tuesday, December 13, 2005

Log Parser

I came across a great article about Log parser from Exchange & Outlook Administrator (Windows IT Pro). It described the log parser tool and how to use it on a variety of logs.
The first thing I thought about was gathering statistics about OWA usage. I used the following query that I got from TechNet:
logparser "SELECT TO_STRING(time, 'HH') AS Hour, COUNT(*) AS Hits INTO MyChart.jpg FROM ex*.log GROUP BY Hour ORDER BY Hour ASC" -i:IISW3C -o:CHART -chartType:ColumnClustered -chartTitle:"Hourly Hits" -groupSize:420x280
This outputs a great JPEG that shows you hits per hour.

I went to the Log Parser forum to get help modifying the query so that I could get unique logons per hour. Here is what Daniel Einspanjer helped me develop (Forum Link):

First, create the two sql files:

QAuthenticationv2(1).sql:
SELECT
TO_STRING(time, 'HH') AS Hour,
COUNT(*) AS Hits
FROM c:\owa_logs\*
WHERE
(cs-username IS NOT NULL)
AND
(sc-status = 200)
GROUP BY Hour, cs-username

QAuthenticationv2(2).sql:
SELECT
Hour,
SUM(Hits) AS Hits
INTO Authenticationv2.gif
FROM STDIN
GROUP BY Hour

Then execute them as follows:
c:\logparser>Logparser.exe file:QAuthenticationv2(1).sql -i:IISW3C -o:CSV | LogParser.exe -i:CSV file:QAuthenticationv2(2).sql -o:CHART -charttype:Columnclustered
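
The same filter (authenticated requests with status 200, grouped by hour) can be cross-checked outside Log Parser. This Python function is an added example, not code from the original post or the forum thread; it reports both hits and distinct usernames per hour, and the sample log lines and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed IIS W3C sample (not real traffic). The second #Fields header
# mimics what IIS writes after a restart, with the columns in another order.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2005-12-13 08:01:10 GET /exchange/ LAB\alice 10.0.0.5 200
2005-12-13 08:01:12 GET /exchange/alice/Inbox LAB\alice 10.0.0.5 200
2005-12-13 08:15:40 GET /exchange/ LAB\Bob 10.0.0.9 200
2005-12-13 08:20:03 GET /exchange/ - 10.0.0.7 401
2005-12-13 09:02:00 GET /exchange/ lab\bob 10.0.0.9 200
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2005-12-13 09:30:00 10.0.0.5 LAB\alice GET /exchange/ 200
2005-12-13 09:31:00 10.0.0.5 LAB\alice GET /exchange/missing 404
"""


def logons_per_hour(lines):
    """Return {hour: (authenticated_hits, unique_users)} for sc-status 200.

    Hours are taken from the log as written; IIS records W3C times in UTC.
    """
    fields = []
    hits = defaultdict(int)
    users = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Re-read the column layout every time a header appears, because
            # it can change in the middle of a file.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        user = row.get("cs-username", "-")
        hour = row.get("time", "")[:2]
        # "-" is how W3C logs record a NULL (anonymous) username.
        if user == "-" or not hour or row.get("sc-status") != "200":
            continue
        hits[hour] += 1
        # Windows account names are case-insensitive, so fold case before
        # counting distinct users.
        users[hour].add(user.lower())
    return {h: (hits[h], len(users[h])) for h in sorted(hits)}


if __name__ == "__main__":
    for hour, (n_hits, n_users) in logons_per_hour(SAMPLE_LOG.splitlines()).items():
        print(f"{hour}:00  hits={n_hits}  unique users={n_users}")
```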

Logparser Download
Log Parser Book

Wednesday, November 02, 2005

Exchange 2000 & 2003 - Message Tracking Logs

Two KB articles that help interpret Message Tracking Logs:
A website that Explains what the ID's in the Message Tracking Logs mean:
Finally, a script that will report on all the Message Tracking Logs
Outlook Exchange

Friday, October 21, 2005

Gmail Signature

Just wanted to post a link to a site that will create graphic signatures.

Here's the code for mine:

<a href="mailto:teoheras@gmail.com"><img alt="GSig" src="http://gsig.brightdev.com/2/teoheras.png" /></a>

Tuesday, October 18, 2005

Unable to move mailbox - access denied

I've found that I cannot move mailboxes using ESM or ADUC from my laptop. I get access denied. I know I have access because I can successfully move mailboxes when logged on to the Exchange server. I found this article online that explains and resolves this issue.



Monday, October 17, 2005

Urlscan Exchange 2003 Windows 2003 SP1

I finally fixed the problem I encountered with OWA and urlscan after installing Windows 2003 SP1. Basically, I was getting "page cannot be found" errors. I found that owalogon.asp was being denied by the urlscan template that I copied from an MS KB article. Here are the KB articles that I would recommend to anyone installing URLScan:

How to configure the urlscan tool

URLScan tool may cause problems in Outlook Web Access

DO use the urlscan template listed here
Fine-tuning and known issues when you use the Urlscan utility in an Exchange 2003 environment

**Do NOT** use the urlscan template listed in this KB - This is what broke OWA with Windows 2003 SP1
IIS lockdown and URLScan configurations in an Exchange environment
In the author's defense, the template is for Exchange 2000. It worked fine with Exchange 2003 until I installed Windows 2003 SP1.

Wednesday, September 14, 2005

Exchange Administrator w/o local administrator rights

Someone posted a question asking how you could delegate the Exchange Administrator role without making the delegate a member of the local administrators group on the server. Exchange 2003 SP1 requires this membership; otherwise you get an error with ID no: c10308a2. Microsoft has released the following KB article that allows you to circumvent this.


Tuesday, August 23, 2005

Exporting and Importing Proxy addresses

We've been doing a lot of modifications to the proxy addresses of our user accounts via scripts. We also had an ADC issue which caused roughly 1/3 of our mailboxes to become disconnected. This was especially problematic because when you reconnect a mailbox its proxy addresses are re-generated and any custom/friendly addresses are lost. So, I think it's a good idea to document a simple way to export and import proxy addresses. This will also work for any other attribute.
Here's how:

Ldifde -d "DC=domain,DC=com" -s DC_Name -r "(&(mailnickname=*))" -l proxyAddresses -f proxies.txt

The query above will generate the following output to proxies.txt
----- Begin File: proxies.txt-----
dn: CN=Teo\, Heras,OU=Users,DC=lab,DC=microsoft,DC=com
changetype: add
proxyAddresses: X400:c=US;a= ;p=Microsoft;o=Lab;s=Heras;g=Teo;
proxyAddresses: SMTP:Teo_Heras@microsoft.com
----- End File-----

Additional attributes besides proxy addresses should be added next to "-l" (comma separated).

Reimporting will require the manipulation of the output file as follows:
----- Begin File: proxies.txt -----
dn: CN=Teo Heras,OU=Users,OU=West Chester,OU=Corporate,DC=cablelab,DC=comcastlab,DC=com
changetype: modify <---- change from add to modify
replace: proxyAddresses <---- This was added
proxyAddresses: SMTP:Teo_Heras@Comcast.com
proxyAddresses: X500:/O=Comcastlaborg/OU=Lab-CDC/cn=Recipients/cn=theras0000
proxyAddresses: X400:c=US;a= ;p=Comcastlaborg;o=Lab-CDC;s=Heras;g=Teo;
- <---This is critical and the log file will tell you
----- End File -----

Finally, we'll import the file by doing the following:
c:\ldifde -i -f proxies.txt -s my_dc -j c:\
-i means import, -j c:\ is the path to the log file

A large file may be hard to modify, so I wrote a script that parses through the log file and writes the attributes back to AD. There are definitely better alternatives (such as restoring AD to a lab and using VB to synchronize attributes), but it's useful to see how to parse through the output and use VBScript functions to pull the values you need.

----- Begin Script -----
'This script will parse through the ldif export
'and write back the proxy addresses

Option Explicit
Const ForReading = 1
'ADSI PutEx control code that replaces all existing values of the attribute
Const ADS_PROPERTY_UPDATE = 2
'Define Proxy address Array
Dim arrProxyAddresses
Dim arrToWrite()
Dim objFSO, objDictionary, objTextFile, strTextfile, arrTextFile, strTextLine, objUser, strPriMail
Dim strUsrDN, strProxyAddresses, colKeys, strKey, intsize, strProxyAddress, intPriMailCount
Dim strUserDNLen, intFirstPipeLoc, intSecPipeLoc, intProxyLength, strProxyAddressArr, intFullProxyLen

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objTextFile = objFSO.OpenTextFile("c:\proxies.txt", ForReading)
strTextfile = objTextFile.ReadAll
objTextFile.Close
'Fills each array entry with a line from the LDIF export.
arrTextfile = Split(strTextfile, VbCrLf)

'Loop through array and fill dictionary object
For Each strTextLine In arrTextfile
    'The logic below leaves strUsrDN populated until a blank line is detected
    'A blank line means the next entry is being read.
    'InStr(...) = 1 matches the attribute name only at the start of the line.
    If InStr(strTextLine, "dn:") = 1 Then
        strUsrDN = strTextLine
    ElseIf InStr(strTextLine, "proxyAddresses:") = 1 Then

        'Ensure that the line doesn't just contain proxyaddress: I've seen notepad break this line placing the value on the line below.
        If Len(strTextLine) = 16 Then
            MsgBox "Error on " & strUsrDN
        End If

        'Check for a primary smtp address
        If InStr(strTextLine, "SMTP:") Then
            intPriMailCount = 1
        End If

        'As long as a proxy address is detected, append all proxy addresses found
        'The loop begins by checking whether or not the strProxyAddresses field is blank
        If strProxyAddresses = "" Then
            'Write the first proxy address without the delimiter. Otherwise when we call the Split
            'function we will have a null value for the first one.
            strProxyAddresses = strTextLine
        Else
            strProxyAddresses = strProxyAddresses & "|" & strTextLine
        End If
    ElseIf strTextLine = "" And strUsrDN <> "" Then
        'Check that the user object has a primary smtp address to apply
        If intPriMailCount = 0 Then
            MsgBox strUsrDN & " does not have a primary SMTP address."
        End If
        'When a blank line is detected it means an LDIF entry has been read.
        'Write to the dictionary object and clear all variables.
        'The strUsrDN check above skips repeated or trailing blank lines.
        objDictionary.Add strUsrDN, strProxyAddresses
        'Clear out variables. When empty they are used for validation and they should be empty when the
        'loop begins.
        strProxyAddresses = ""
        strUsrDN = ""
        intPriMailCount = 0
    End If
Next

'Loop through dictionary object, parse content, and write to user account.
colKeys = objDictionary.Keys
For Each strKey In colKeys
    'Parse through the userDN value ("dn: " is 4 characters, so the DN starts at 5)
    strUserDNLen = Len(strKey)
    strUsrDN = Mid(strKey, 5, strUserDNLen)
    strProxyAddresses = objDictionary.Item(strKey)
    arrProxyAddresses = Split(strProxyAddresses, "|")
    intsize = 0
    'Reset per user so one user's primary address is never written to the next user
    strPriMail = ""
    For Each strProxyAddress In arrProxyAddresses
        'Strip "proxyAddresses: " - it is 16 characters long, so the value starts at 17
        strProxyAddress = Mid(strProxyAddress, 17, Len(strProxyAddress))
        'Proxy addresses have to be written as an array, so after stripping out the
        'proxyaddress: string we'll create a new array with the values needed
        ReDim Preserve arrToWrite(intsize)
        arrToWrite(intsize) = strProxyAddress
        'Keep track of the primary proxy address so that it can be written to the mail attribute later
        If InStr(strProxyAddress, "SMTP:") Then
            'Use Mid to strip out SMTP:
            strPriMail = Mid(strProxyAddress, 6, Len(strProxyAddress))
        End If
        intsize = intsize + 1
    Next

    'Here's what I'll be writing to the user object
    'Skip entries with no proxy addresses so stale array contents are never written
    If intsize > 0 Then
        Set objUser = GetObject("LDAP://" & strUsrDN)
        MsgBox "Writing to " & objUser.DistinguishedName
        objUser.PutEx ADS_PROPERTY_UPDATE, "proxyAddresses", arrToWrite
        If strPriMail <> "" Then
            objUser.Put "mail", strPriMail
        End If
        'Commit the changes from the local property cache to AD
        objUser.SetInfo
    End If
Next

----- End Script -----
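
An alternative to hand-editing a large export is to rewrite the file itself into the modify/replace form shown above and import it with ldifde. The following Python is an added example, not part of the original post or of any Microsoft tool; the function names and the sample entries are constructed for illustration. It also joins folded LDIF lines, the same broken-line case the script above checks for.

```python
import base64

# Constructed sample shaped like the ldifde export above; the names are made up.
SAMPLE_EXPORT = """dn: CN=Teo\\, Heras,OU=Users,DC=lab,DC=example,DC=com
changetype: add
proxyAddresses: X400:c=US;a= ;p=Example;o=Lab;s=Heras;g=Teo;
proxyAddresses: SMTP:Teo_Heras@example.com
proxyAddresses: smtp:a-very-long-secondary-alias-that-ldifde-wraps-onto-the-next-li
 ne@example.com

dn: CN=No Primary,OU=Users,DC=lab,DC=example,DC=com
changetype: add
proxyAddresses: smtp:noprimary@example.com
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def value_of(line):
    """Return the attribute value, decoding the 'attr:: base64' form if used."""
    _, _, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return rest.strip()


def export_to_modify(text, attr="proxyAddresses"):
    """Return (ldif_text, warnings) in changetype: modify / replace: form."""
    out, warnings = [], []
    dn, values = None, []
    for line in unfold(text) + [""]:  # the extra "" flushes the last entry
        if line.lower().startswith("dn:"):
            dn, values = line, []
        elif line.lower().startswith(attr.lower() + ":"):
            values.append(line)  # kept verbatim, including any base64 form
        elif line == "" and dn is not None:
            primaries = [v for v in values if value_of(v).startswith("SMTP:")]
            if not values:
                # A replace with no values would clear the attribute, so skip.
                warnings.append(f"{dn}: no {attr} values, entry skipped")
            else:
                if len(primaries) != 1:
                    warnings.append(
                        f"{dn}: expected 1 primary SMTP address, found {len(primaries)}")
                out += [dn, "changetype: modify", f"replace: {attr}",
                        *values, "-", ""]
            dn, values = None, []
    return "\n".join(out), warnings


if __name__ == "__main__":
    ldif, problems = export_to_modify(SAMPLE_EXPORT)
    print(ldif)
    print("\n".join(problems))
```

Review the warnings before importing; an entry without an uppercase SMTP: value has no primary address.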

KB Articles:
How to Modify a User's E-mail addresses by Using Ldifde

How to import and Export Directory Objects to Active Directory

Friday, August 19, 2005

Running a Hard Recovery on a database

We recently had a scenario where an administrator had tried to restore a full and an incremental backup. He escalated the problem to us when he couldn't see the data from his incremental backup. It turned out that a hard recovery was run after his full backup restored. Oddly enough, most vendors have the hard recovery process run by default after every recovery. In Backup Exec, for example, this process is identified as a check next to the box labeled 'Commit Logs.'

A hard recovery is the process that brings a restored database back to a consistent state (administrator intervention is required). A typical hard recovery of a database is the restoration of a full backup or a full and differential backup of the information store. During the recovery process the administrator manually begins log file replay either through the ESEUTIL /cc command or the backup program interface (‘Last Backup Set’ in NTBackup). ESEUTIL /cc must be run from within the folder where Restore.env resides (eseutil /cc {restore.env path}). ESEUTIL /cc looks for instructions in the Restore.env file. Prior to beginning a hard recovery of a database, make sure that all database files and transaction logs have been backed up. If backups are not completing successfully, then it may be necessary to shut down the information store and copy the database and transaction log files to an alternate location. This way, if the database is damaged in any way, it can be restored to the same state it was before.

Once a hard recovery is performed, the database header is changed and all other log files will be useless. The hard recovery process changes the header information on the database and only the log files from this point forward can be replayed. For this reason, it is critical that the stores not be mounted until you are sure that there are no other restores that need to take place. If, after mounting the database, you find you need to restore other log files, you will have to restore the backups to an alternate location and EXMerge the data into the production database. Otherwise, you risk further downtime by re-running your restore process and losing the data that was written to the database(s) once the stores were mounted. Once a satisfactory restore has been performed on a database, a full backup must be run.

Monday, August 15, 2005

CIS Benchmark for Exchange 2003

I just read on http://www.e2ksecurity.com/ (Paul Robichaux blog) that the CIS Benchmark for Exchange 2003 document has been released. It covers how to harden an Exchange 2003 server environment.


Tuesday, August 02, 2005

Overcoming Recovery Storage Group Limitation

The Recovery Storage Group (RSG) works great for recovering deleted items to a production database. The limitation is that the mailbox must not have been moved or deleted (purged) from the original database. The Recovery Storage Group process compares two attributes before allowing a restore of mailbox items from the restored database to the production database: msExchMailboxGUID (read-only) on the mailbox and msExchOrigMDB on the database in the RSG.

Dealing with a deleted mailbox:
A mailbox's GUID (msExchMailboxGUID) is the same for the life of the mailbox. Restoring a deleted (purged) mailbox by recreating it will not allow the RSG to connect the new mailbox to the mailbox that exists in the restored database. The newly recreated mailbox has a new GUID, and it cannot be changed to match the old one (msExchMailboxGUID is a read-only attribute). Microsoft recommends the following steps:
1. Add the database the mailbox was in before it was purged to the RSG.
2. Restore the database to the Recovery Storage Group.
3. Mount and then dismount the database in the RSG (this ensures that the database is in a clean shutdown state; check with eseutil /mh databasename.edb).
4. Create a new Storage Group and Database, ensuring that the file names for the new database are identical to those of the database in the RSG. Then dismount the database.
5. Copy the .stm and .edb files from the RSG location to the path of the new database.
6. In the properties of the new database (through ESM) place a check mark next to the box (this database can be over written by a restore).
7. Mount the database, connect mailbox to an AD account, Exmerge the data out of the recovered mailbox and into the new mailbox.

Dealing with a mailbox that was moved:
A database in the RSG will have an attribute called msExchOrigMDB set to the distinguished name of the original database. If a mailbox has been moved to another database the only backup available may be of the database before the mailbox was moved. To restore items Microsoft recommends the following steps:
1. Move the mailbox back to the original database
2. Modify the msExchOrigMDB attribute so that it lists the DN of the database that now holds the mailbox in question.

Related KB Articles:

Tuesday, July 12, 2005

Messages appear in folder titled 'Top of Information Store'

We had an issue where several users had reached their mailbox limits but were reporting that they had manually cleaned their mailboxes. What we eventually found was that users had somehow dragged messages into the root of the Outlook hierarchy 'Mailbox - User Name.' We found this by searching for all messages larger than 1 KB (Advanced Search) and seeing that they resided in a folder named 'Top of Information Store.' Besides searching and deleting the messages (from within the search box), there is another way to see what messages exist in the 'Top of Information Store.'
1. Find mdbvu32.exe in the Tools\ExAllTools\MDBVU32 directory on the Exchange CD.
2. Execute mdbvu32.exe.
3. Click OK to clear the first window that pops up.
4. Make sure that the correct profile is selected in the 'Choose Profile' window.
5. Click on the MDB menu option.
6. Click on the OpenMessageStore option.
7. Make sure that "Mailbox- [user's full name]" is selected and click on Open.
8. Click on the MDB menu option again.
9. Click Open Root Folder.
10. In the Child Folders box - double click on "Top of Information Store".
11. In the window to the right, titled 'Messages in Folder', you will see all the messages that the user has dragged into the top of the Outlook hierarchy.

Thanks goes out to the people at MS Exchange Blog and their article below. It actually shows how to fix OOF problems using the same utility.

Wednesday, June 29, 2005

Places I've been

I found a cool site today that allowed me to color in a world map detailing the places I've been.

create your own visited country map

Tuesday, May 17, 2005

Moving Exchange Between OU's

I've had conversations in the past as to whether or not the computer account belonging to an Exchange 200x server can be moved between OU's. This can be the case if you add the server to the domain before creating the computer account. This causes the computer account to be created in the default computers OU. Another scenario is the restructuring of OU's either for security or Group Policy administration. Whatever the scenario is, the answer is that the Exchange computer account can be moved, but the System Attendant generates Event ID 9186 and Event ID 9187 errors. The KB article below explains how to resolve this.



Friday, May 06, 2005

Recommended Storage Group Configuration

Microsoft has come out with new guidance regarding the configuration of Storage Groups and databases for Exchange 2003. The article below recommends that all 5 Storage Groups be created with a mailbox store in each one (if needed). This has changed from the old recommendation that a single Storage Group be filled with databases before creating other storage groups.


Monday, April 18, 2005


Microsoft has released a tool that provides the ability to gather real-time data about the user experience when connected to Exchange. This tool should be especially useful when establishing a baseline and troubleshooting.


Tuesday, April 05, 2005

Remove delegated security

Once a user or group is delegated access, it's necessary to remove the access manually. Microsoft has released a tool that will undo the process that delegation goes through. DSRevoke.exe will traverse all the ACL's in the domain and remove access for the user(s) or group(s) specified.

Wednesday, March 30, 2005

ADModify.net saves the day

In the team I work in, a lot of scripting is done. Today, we had a problem whereby a script was not successfully adding the X400 addresses to user accounts. The "drop dead time" came and went for these modifications, and we were going to have to do them manually. Luckily, we took a minute to look at ADModify.net and saw that it can modify any AD attribute, even multivalued ones. The X400 address additions happened immediately, and a huge headache was avoided.

ADModify.net can be found here:

And just so it gets indexed: Mass modifications of proxyAddresses multivalue attribute

Exchange 12 in 2006

"Andy Lees, corporate vice president of marketing for Microsoft's server and tools business, revealed the ship date Tuesday."

Thursday, February 24, 2005

Entourage causes excess Exchange 2003 transaction logs

I found this in one of the mailing lists I subscribe to:

There is no external KB article at this time, as far as I know. The hotfix readme shows the KB article as http://support.microsoft.com/?kbid=889525, which doesn't exist. The hotfix number is the same -- 889525.

I am running Exchange 2003 SP1, don't know if one is in the works for Exchange 2000.

Thursday, February 10, 2005

KANA and Exchange SMTP Communication

We've finally resolved a problem we were having with our Kana software and our Exchange 2003 migration. The issue began when we replaced our Exchange 5.5 SMTP servers with Exchange 2003. Messages that would normally come in fine from our Kana web form began coming in garbled. At first we thought it could be the message format. Playing with the message format settings revealed that if we set the content type to plain text and the character type to ASCII then the message body would come in fine except for the xml code. At this point we were getting the xml code that was normally in the message body as an attachment.

What we were able to determine is that by still having Exchange 5.5 servers as bridgehead servers, our messages were being spun through different protocols (SMTP to RPC to SMTP again). When we tried to use only SMTP communication the messages came in fine. We tested and verified this by putting the mailboxes that were receiving KANA emails directly on the SMTP servers (no more RPC communication).

Wednesday, February 09, 2005

Reprint of a great AD book

I just read that the book "Inside Active Directory" has a second edition coming out. I thought the first book was great and went into great detail about the inner workings of AD. The second book is going to cover the changes to AD in Windows 2003. I would definitely recommend the material to anyone who deals with AD on a day-to-day basis. It is, however, too in-depth for just basic administration of accounts.

Here's the author's website:

Tuesday, February 01, 2005

Copy Exchange 5.5 Distribution Lists

There are many tools and scripts out there to copy multiple DL's (Distribution Lists) from one 5.5 org to another org (AD). However, if you come across a situation where you only need to copy one Distribution List here is a quick method. You can basically log into the Exchange Org using Outlook 2003 and choose the DL from the GAL. Then expand the group membership and copy all the members to the AD screen that you would use to create a new DL in AD.

Tuesday, January 25, 2005

Transfer relay settings

Today we had a situation where we needed to transfer about 900 relay settings from Exchange 5.5 servers to Exchange 2003 servers. We were able to do this by using a script called ipsec.vbs from the exalltools download. This download is available here.
For just ipsec.vbs
For exalltools