Spring 2006 Connections Conference Template


Book Drawing

Make sure you leave me a business card or a piece of paper with your name on it for the drawing at the end of the session.

Exchange 2003

Your Top Questions Answered

Jim McBee ITCS Hawaii [email protected]


Jim McBee – Shameless self promotion

• Consultant, Writer, MCSE, MVP, and MCT – Honolulu, Hawaii
• Principal clients – USPACOM J2, USARPAC G6, Dell, and Microsoft
• Author – Exchange 2003 24Seven (Sybex)
• Contributor – Exchange and Outlook Administrator
• Blog – Mostly Exchange – http://mostlyexchange.blogspot.com

Audience Assumptions

• Level 200 session
• You have at least a few months experience running Exchange 2000 or 2003
• You have worked with Active Directory
• You can install and configure Windows and Exchange

Session’s coverage

• Presentation – About 65 minutes
  ● Answers to common questions
  ● Tips and tricks
  ● Best practices for running Exchange 2003
• Book give away – Drop off your business card or write your name on a slip of paper
• Questions and answers – 10 – 15 minutes
• Catch me afterwards also, I’m here all week

Generic questions

• Customize notification messages
• Disclaimers
• Catch-all mailboxes
• Tar pits
• Directory sync
• Windows 2003 R2
• Mobility / ActiveSync

Can I customize system messages?

• No (shhhh, yes)
• System messages are in MDBSZ.DLL
• You need the RLTools
  ● http://tinyurl.com/88ash
• Not supported
  ● Microsoft will disavow you
• Service packs overwrite!

How do I add a disclaimer?

• Exchange does NOT do this
• Many third party products do this, including some antivirus / message hygiene products
• Any time a server component modifies a message, it may damage S/MIME signatures
• Will not work with S/MIME or ERM encrypted messages.
• For more information:
  ● KB 317327 and 317680
  ● http://tinyurl.com/bjn8a – My take on this
  ● http://tinyurl.com/6dja – Product lists

How do I create a “catch all” mailbox?

• Catch-all mailbox accepts all mail that is not addressed to valid recipients
• See KB 324021
• TurboGeeks’ MailBasketMD is very nice and simple
• Careful, this can be a giant spam magnet

What is a SMTP tar pit?

• Windows 2003 SMTP configuration
• Delays return of the “550” error code when a sending system tries to deliver a message to an invalid recipient
• Makes “directory harvesting” and bulk spamming more difficult as well as less efficient
• See KB 842851
• Tar pit values between 15 and 60 seconds are common

How do I get more than 16GB of storage with Exchange 2003 Standard Edition?

• Exchange 2003 SP2 raises the maximum database size to 18GB
• Can be increased up to 75GB with a Registry value
  ● See KB 912375

What does Windows 2003 R2 do for Exchange servers?

• Nothing

What tools can I use to troubleshoot SMTP?

• TELNET
• NSLookup
• DNSStuff
  ● http://www.dnsstuff.com
• SMTPDiag
  ● http://tinyurl.com/8sfs8

What is the recommended disk configuration?

• NTFS file system
• Each storage group’s transaction logs on a separate physical set of hard disks (RAID 1 is better than RAID 5)

How do I get Windows Mobile 2005 FP?

• Windows Mobile 2005 FP nifty new features:
  ● Direct push
  ● Remote Wipe
  ● Managing remote device security
  ● See http://www.windowsmobile.com
• This comes from your device provider, not Microsoft.
• Mobile Admin (remote wipe feature) from Microsoft
  ● See http://tinyurl.com/7rson

Does Outlook have to use the same Global Catalogs that the Exchange server uses?

• Outlook can be configured to use the closest GC
  ● See KB 319206
• Exchange server can be configured not to give out referrals (handles queries itself)
  ● See KB 282446

Operations and Maintenance

• Daily tasks
• Brick-level backups
• Open file agents
• Recommended disk configuration
• Backup schedule
• Mailbox manager
• Storage limits

What should I do daily?

• Daily tasks include:
  ● Review the event log
  ● Check available disk space
  ● Check inbound / outbound queues
  ● Verify backup ran successfully
    • Implies you are DOING daily backups!
  ● Verify antivirus software is updated and running
• Consider recording daily stats like store size, disk space used, and viruses detected
• Avoid the urge to “over administer” Exchange

Backup questions

• Should I do “brick-level” backups?
  ● No, much slower and takes up more space
  ● Some mailbox “metadata” is lost on restore
  ● Recovery Storage Group makes mailbox restore simpler
• Can I use my software’s Open File Agent to backup Exchange?
  ● No
  ● Database will be inconsistent if Exchange APIs are not used
  ● May even corrupt database
• What is a recommended backup schedule?
  ● Daily (nightly) – Normal or differential backup
  ● Don’t overlap with online maintenance window (1:00AM – 5:00AM by default)

What are some common uses for Mailbox Manager?

• Users *hate* to have their mail deleted.
• Do this only after notification to user community.
• I purge Deleted Items and Junk E-mail folders
  ● Notice, you can add additional folder names
• Items purged with Mailbox Manager cannot be retrieved
• Don’t forget to set schedule on each server

Can I manually delete transaction logs?

• No
• See KB 240145
• If you run out of disk space on a transaction log disk, copy the oldest files off to another disk, then run an incremental backup to purge them.
• The only exception is if you have to reset the log file generation.
  ● Dismount all stores
  ● Confirm all stores consistent using ESEUTIL /MH
  ● Delete all E*.LOG files including

Why is Exchange taking so long to shutdown/reboot?

• A well configured Exchange server should not take more than 5 – 10 minutes to shutdown
• Running on a domain controller can slow this down
• Stop all Exchange and IIS services manually prior to shutting down the server.

Why does the database file size not shrink?

• After the space deleted items take up is reclaimed, the “white space” is reused. At any given time, the database will probably have empty space.
  ● Deleted items are finally purged during online maintenance
  ● See Event ID 1221 for an estimate
• The only way to compact the database is to perform an offline defrag
• Online maintenance not running will cause the database to continually grow.
  ● Backup overlapping is the most common cause.

How often should I perform an offline defrag?

• Never (well, almost never)
• Online maintenance will keep the database tidy and efficient
• Only perform offline defrag if you have deleted a large amount of mail or mailboxes.
  ● Wait for mailboxes and/or items to be purged by online maintenance
    • 7 days for deleted items
    • 30 days for deleted mailboxes

What is an optimal mailbox store size?

• Base this on your ability to restore data
  ● The time it takes to restore
• Recommendations vary between 35GB and 100GB
• 100GB is about the largest recommended store size

What are common mailbox limits?

• Based on organization requirements
• Varies from organization to organization
• Will probably grow in the future
  ● META Group estimates legitimate mail volume grows 15 – 25% annually.
  ● Could increase with Unified Messaging
  ● Could decrease due to archival systems
• Calculate based on your tolerance for maximum store sizes and backup/restore times
• Meet your users’ needs or get more disk space and faster backups!

What are common sender limits?

• Default message size limits are good for most organizations
• I think maximum recipients should be dropped to about 100 for the organization and overridden for VIPs.

How do I perform archiving?

• Built-in solution sends a copy of all messages (sent and received) as well as delivery / read receipts to the specified store.
  ● Requires manual management of archive mailbox
• ArchiveSink from Exchange downloads
  ● http://tinyurl.com/bj3ha

How do I perform archiving? (Part 2)

• Many third party solutions
  ● Archive specific mailboxes
  ● Different content types and rules
  ● Usually leaves a “place holder” message in the mailbox indicating the message was archived, how to retrieve it, or a link to the message.
  ● Requires storage (SAN, NAS, DAS, optical, tape, etc…)
• See http://tinyurl.com/u0oi

Active Directory

• Bulk changes
• Generating e-mail addresses
• Replicating directories

How can I replicate recipients between two Exchange organizations?

• This is an “Active Directory” problem
• Tools:
  ● Microsoft’s MIIS or IIFP (free, kinda)
  ● CPS Systems SimpleSync
  ● HP’s LDAP Directory Synchronizer

How do I make bulk changes to the Active Directory?

• Scripts / LDIFDE
• ADModify
  ● http://tinyurl.com/5ruog
  ● Very nice!
• Joeware ADMod
  ● http://www.joeware.net

Outlook Web Access

• OWA logon page
• OWA security
• Attachments
• Customization

Can I securely allow Internet access to OWA?

• Allowing direct access to OWA is okay if all patches are applied and SSL is used.
• Best solution is to use a “reverse proxy” (such as ISA Server)
  ● Best protection for OWA, ActiveSync, and RPC over HTTPS clients
• See:
  ● KB 837354
  ● http://tinyurl.com/ba2tj

How do I create an OWA logon page?

• This is called Forms Based Authentication (FBA)
  ● Enabled on HTTP virtual server properties
  ● Requires SSL
  ● Provides connection timeouts
  ● LOGON.ASP can be customized
• See KB 830827

How do I customize Outlook Web Access?

• Outlook Web Access Admin
• Configures common OWA registry settings:
  ● Password change
  ● Junk E-mail
  ● Attachment handling
  ● Spell checking
  ● Client notifications
  ● Client timeout values
• Download from:
  ● http://tinyurl.com/9cpt6

How do I customize Outlook Web Access?

• Logo in upper left corner can be customized
  ● logo2.gif file
  ● 179 by 36 pixels
  ● http://tinyurl.com/3z9oe
• Custom themes can be created, too
  ● Default found in \exchsrvr\exchweb\themes\0

How do I restrict OWA features?

• Segmentation
  ● Done per user or per server
  ● Turns off certain features
    • Public folders
    • Calendar/Contacts, etc.
• Use OWA Admin per server
• Use ADSIEdit per user
• See KB 833340

Why can’t I open PDF files in OWA?

• If some PDFs are not being recognized, define a global MIME type
  ● Global Settings -> Internet Message Formats properties -> General -> MIME Content Types
  ● Add Type: application/pdf and Associated Extension: pdf
• PDF files may be blocked by Level 1 or Level 2 attachment settings in the Registry:
  ● HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWEB\OWA
  ● Check Level1MIMETypes and Level2MIMETypes values
    • If it exists, remove application/pdf
  ● Add application/pdf to the KnowContentTypes value
• See KB 873138

Why do some messages not open?

• Message can’t be opened or viewed in the Preview Pane
• Generates a 404 error
• URLScan or IIS Lockdown probably applied to the OWA server
• The [DenyUrlSequences] section of URLScan.ini denies URLs containing certain character sequences. The subject line of the message is part of the URL, so if URLScan finds these characters in the subject, the message will not open.
  ● Default characters are: .. ./ \ % &
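To triage a pile of “message won’t open” reports, it helps to read the actual DenyUrlSequences list off the server and test the subjects against it. The following is an added example (not from the slides): it parses a constructed URLScan.ini excerpt in the file’s real INI syntax (`;` starts a comment) and reports which subjects carry a denied sequence.

```python
"""Triage OWA 'message will not open' reports against URLScan's DenyUrlSequences."""
from typing import Dict, List

# Constructed URLScan.ini excerpt with the default sequences the slide lists.
# Assumption: a real locked-down server may carry more entries; feed it the real file.
SAMPLE_URLSCAN_INI = """
[Options]
UseAllowVerbs=1
[DenyUrlSequences]
..   ; directory traversal
./   ; trailing dot on a directory name
\\   ; backslashes
%    ; escaping after normalization
&    ; multiple CGI processes on one request
[DenyExtensions]
.exe
"""


def parse_ini_sections(text: str) -> Dict[str, List[str]]:
    """Parse a URLScan-style INI into {section: [entries]}; ';' starts a comment."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def denied_sequences_in(subject: str, sequences: List[str]) -> List[str]:
    """Denied sequences present in a subject (OWA puts the subject into the item URL)."""
    return [seq for seq in sequences if seq in subject]


def triage_subjects(subjects: List[str], ini_text: str) -> Dict[str, List[str]]:
    """Map each subject URLScan would reject (the 404 in OWA) to the offending sequences."""
    sequences = parse_ini_sections(ini_text).get("DenyUrlSequences", [])
    report: Dict[str, List[str]] = {}
    for subject in subjects:
        hits = denied_sequences_in(subject, sequences)
        if hits:
            report[subject] = hits
    return report


if __name__ == "__main__":
    # Constructed sample subjects from a helpdesk queue.
    for subj, hits in triage_subjects(["Lunch?", "Sales up 20%", "..\\build\\notes"], SAMPLE_URLSCAN_INI).items():
        print(f"{subj!r}: blocked by {hits}")
```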

What is the Junk E-mail configuration report?

• Feature of OWA 2003
• Requires registry key
  ● Apply using OWA Admin
• Include in URL: /?cmd=junkemailreport

Speaking of spam

• Using Real-time Block Lists (RBL)
• Intelligent Message Filter (IMF)
• Sender ID

How do I use a Real-time Block List?

• Configure Message Delivery options
• Configure SMTP virtual server

Which RBL is best?

• My favorites
  ● Spamhaus – sbl-xbl.spamhaus.org
  ● Spamcop – bl.spamcop.net
  ● ABUSEAT CBL – cbl-abuse.org
  ● ORDB – relays.ordb.org
• Usually use two or three in combination
• Some RBLs are too aggressive
  ● The more aggressive you are with RBL usage, the more likely you will reject valid e-mail.

Should I use the Intelligent Message Filter?

• It’s free
• Basic and not very configurable
• Exchange 2003 SP2 filter is pretty accurate
• Updates every other week
• I use it and am happy with it for smaller organizations

What are the best SCL settings for the IMF?

• Depends on the organization
• I use:
  ● Gateway Blocking – 6 and Archive
  ● Store Junk E-mail – 4
• Archive or reject?
  ● Managing the archive becomes an issue
• This may require some observation and tuning

How can I view the IMF Archive?

• IMF Archive Viewer
  ● http://tinyurl.com/5w5pr
• IMF Archive can be directed to an alternate location
  ● http://tinyurl.com/8oro2
• View, Delete, Resubmit, Report
  ● Report spam to [email protected]

How do I configure the IMF for automatic updates?

• Requires Exchange 2003 SP2
  ● IMF v2
• Windows must be configured with Microsoft Updates or use WSUS
• Create Registry key
• See KB 907747

Can I customize what the IMF thinks is spam?

• Yes, it is called the custom weighting feature
• Create the MSExchange.UceContentFilter.xml file
  ● File defines message subject and body content that is or is not spam
• See http://tinyurl.com/ctqc8

Can I see how the IMF is doing?

• IMF performance statistics

What is the deal with Sender ID?

• Reduce spam by authenticating the sender’s server
• Two parts to this technology
  ● DNS SPF record
    • Servers receiving mail from your servers use this
  ● Mail server SPF record lookup
    • Your servers receiving mail from others use this
• To be verified, create a DNS SPF record
  ● http://tinyurl.com/dd38m
• To use SPF records
  ● Configure IP addresses of your entire internal infrastructure or servers that process mail for you.
  ● Configure E2K3 SP2 to look up Sender ID
    • Recommend Accept but process further
• Mis-configuring can result in lots of missed mail
  ● Use IMF (or other technology) to further rank mail you send or mail you receive

Security

• Front-end servers in the DMZ
• Restricting Outlook versions
• Blocking attachments
• File-based virus scanners

Should Exchange front-end servers be in the DMZ?

• No, too many ports have to be opened between the front-end server and the internal Exchange servers and domain controllers.
• A reverse proxy solution (such as ISA Server) in the DMZ is more secure

How can I restrict the Outlook versions connecting to my Exchange server?

• Exchange 2000/2003 allows you to restrict clients with older MAPI versions
• See KB 328240 and 288894 for instructions
• See http://tinyurl.com/8mpgw for build and version information
• E2K3 SP2 allows forcing Outlook 2003 SP2 clients into local cache mode
  ● http://tinyurl.com/92vep

What files should be blocked by perimeter virus scanning?

• Most dangerous file types:
  ● exe, vbs, wsh, shs, wsc, bat, pif, com, cmd, reg, scr, msi
• Microsoft Level 1 attachments
  ● See http://www.slipstick.com/outlook/esecup.htm
• Media files?
  ● MPG, MPEG, MP3, WMV, WMA, AVI, MOV
• Compressed files?
  ● ZIP, CAB, RAR, JAR
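An added example (not from the slides) of the classification a perimeter filter has to get right: the executable list is a hard block, archives need inspection, and media is a policy choice. The edge cases are the ones that defeat naive filters, so the classifier decides on the last extension, catches double extensions such as `.pdf.exe`, and strips the trailing dots and spaces that Windows drops when the file is saved.

```python
"""Classify attachment names against the perimeter block lists from the slide."""
from typing import List, Tuple

# Extension sets taken from the slide; media and compressed are policy decisions, not hard blocks.
EXECUTABLE = {"exe", "vbs", "wsh", "shs", "wsc", "bat", "pif", "com", "cmd", "reg", "scr", "msi"}
MEDIA = {"mpg", "mpeg", "mp3", "wmv", "wma", "avi", "mov"}
COMPRESSED = {"zip", "cab", "rar", "jar"}


def extensions_of(filename: str) -> List[str]:
    """All extensions, lowercased: 'Invoice.PDF.exe' -> ['pdf', 'exe'].

    Trailing dots and spaces are stripped first because Windows discards them when
    saving, so 'setup.exe.' still lands on disk as setup.exe.
    """
    name = filename.strip().rstrip(". ")
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason); the verdict is decided by the LAST extension."""
    exts = extensions_of(filename)
    if not exts:
        return ("allow", "no extension")
    last = exts[-1]
    if last in EXECUTABLE:
        reason = f".{last} is on the executable block list"
        if len(exts) > 1:  # double extension such as .pdf.exe is a classic disguise
            reason += f" (disguised with .{exts[-2]} before it)"
        return ("block", reason)
    if last in COMPRESSED:
        return ("inspect", f".{last} archive: scan or expand contents before delivery")
    if last in MEDIA:
        return ("policy", f".{last} media file: block or allow per organizational policy")
    return ("allow", f".{last} not on a list")


def triage_attachments(filenames: List[str]) -> List[Tuple[str, str, str]]:
    """Apply the classifier to a batch and return (name, verdict, reason) rows."""
    return [(name, *classify_attachment(name)) for name in filenames]


if __name__ == "__main__":
    # Constructed sample of attachment names as they might appear in a gateway log.
    for row in triage_attachments(["Invoice.PDF.exe", "setup.exe.", "holiday.zip", "song.MP3", "README"]):
        print(row)
```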

Should I put a file-based virus scanner on an Exchange Server?

• Many people do, but this can be a dangerous practice
• Ensure beyond a shadow of a doubt that you exclude:
  ● %windir%\system32\inetsrv
  ● All Exchange EDB, STM, LOG, and CHK files
  ● SMTP queues
  ● Exchange-aware antivirus quarantine folders

Book Giveaway

• Has everyone given me something to draw from?

Questions?

• You can always catch me this week if you don’t get your questions answered.
• Thanks for attending!
• My blog is Mostly Exchange – http://mostlyexchange.blogspot.com
• Copies of these slides will be posted at the end of April 2006 on my blog