Wednesday, September 30, 2009

Troubleshoot Exchange 2007 Out of Office

http://www.pro-exchange.eu/modules.php?name=News&file=article&sid=686

http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/

Configure Exchange 2007 Web Services URLs

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

Configuring Exchange Server 2007 Web Services URLs

Author: Anderson Patricio

Exchange Server 2007 has a new feature called AutoDiscover which provides Outlook 2007 with configuration information. This is sent as an XML file and contains all the information needed to create the profile automatically, such as the URLs used by Outlook 2007. The following services can be set up through the AutoDiscover service:

  • Offline Address Book (OAB)
  • Unified Messaging
  • Out of Office (OOF)
  • Availability Services

Internally, Exchange Server 2007 works out of the box, using just the self-signed certificate that is created during the Exchange Server 2007 installation process. The built-in certificate contains two names: the NetBIOS name of the Exchange Server box, like srv-cashub1, and a second one using the FQDN (Fully Qualified Domain Name), like srv-cashub1.apatricio.local. The built-in certificate can be viewed using the local machine Certificate snap-in, as shown in Figure 01, or using the Get-ExchangeCertificate cmdlet.


Figure 1: The built-in certificate created by the Exchange Server 2007 installation process

In this scenario we will allow the internal domain-joined workstations to be configured by the AutoDiscover service. The internal clients will receive a certificate error pop-up when they access the OWA address, as shown in Figure 02.


Figure 2: The certificate does not have a trusted Certification Authority on the client because it was self-signed

Okay, we can avoid this kind of issue by using a certificate issued by a Certification Authority that is trusted by all clients. This certificate might be issued by an internal or external Certification Authority. Let’s create a request using the internal CA with the certificate name mail.apatricio.local, and create a DNS entry for mail that points to the CAS IP address as well.

Now, we can use https://mail.apatricio.local in any workstation and we should not get any certificate error.

Configuring the Outlook URLs

Now, after installing our certificate all Outlook 2007 clients will receive the following error message the next time that they open Outlook, as shown in Figure 03.


Figure 3: Security Alert error when we change the certificate on the Client Access Server

What’s happening? Exchange Server 2007 works out of the box with the self-signed certificate, but when we change the AutoDiscover certificate we start getting this error.

Outlook 2007 has a built-in tool that allows us to validate the current URLs we are using. This tool is called Test E-mail Autoconfiguration. We can access it by opening the Outlook 2007 client, holding the Ctrl key and right-clicking on the Outlook icon located on the systray.

In the tool we can uncheck Use Guessmart and Secure Guessmart Authentication and click on Test. Then, we will receive all the current URLs set up for Outlook 2007 clients. As you can see in Figure 04, our clients have been receiving the initial configuration that points them to the FQDN name of CAS Server using HTTPS. But we have just deployed the certificate using the name mail.apatricio.local.


Figure 4: The default configuration of the Web Services URLs on Outlook 2007
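
The mismatch shown in Figure 4 can also be checked offline. The following Python code is an added example, not part of the original article: it parses an AutoDiscover response and lists every service URL that is not HTTPS or whose host is not one of the names in the CAS certificate. The sample XML is constructed and trimmed (host names follow the article), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}
URL_TAGS = ("ASUrl", "OOFUrl", "UMUrl", "OABUrl")  # Availability, OOF, UM, OAB

# Constructed sample, trimmed to the fields checked here; host names follow the article.
SAMPLE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account><AccountType>email</AccountType><Action>settings</Action>
   <Protocol>
    <Type>EXCH</Type>
    <ASUrl>https://srv-cashub1.apatricio.local/EWS/Exchange.asmx</ASUrl>
    <OOFUrl>https://srv-cashub1.apatricio.local/EWS/Exchange.asmx</OOFUrl>
    <UMUrl>https://srv-cashub1.apatricio.local/UnifiedMessaging/Service.asmx</UMUrl>
    <OABUrl>https://srv-cashub1.apatricio.local/OAB/constructed-oab-id/</OABUrl>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>"""

def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def audit(xml_text, cert_names):
    """Return (protocol, element, url, problem) for each URL that would trigger a warning."""
    findings = []
    for proto in ET.fromstring(xml_text).iterfind(".//o:Protocol", NS):
        ptype = proto.findtext("o:Type", default="?", namespaces=NS)
        for tag in URL_TAGS:
            url = (proto.findtext("o:" + tag, default="", namespaces=NS) or "").strip()
            if not url:
                continue
            parts = urlsplit(url)
            if parts.scheme != "https":
                findings.append((ptype, tag, url, "not HTTPS"))
            elif not any(name_matches(parts.hostname or "", n) for n in cert_names):
                findings.append((ptype, tag, url, "host not named in certificate"))
    return findings

if __name__ == "__main__":
    # Certificate names after the change described above (assumption: one name only).
    for finding in audit(SAMPLE, ["mail.apatricio.local"]):
        print(*finding, sep=" | ")
```

Run against the names of the built-in certificate the same response produces no findings, which is why the error only appears after the certificate is replaced.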

Okay then, let’s change our URLs to the correct address.

AutoDiscover

The internal clients that belong to the domain will use the SCP (Service Connection Point) object to retrieve the Web Services URL information. We can manage the Autodiscover URL through a couple of cmdlets. To set this, use the following procedures (the entire process is shown in Figure 05):

  1. Check the current configuration.
    Get-ClientAccessServer | Select Name, *Internal* | fl
  2. Define the new URL.
    Set-ClientAccessServer -Identity <CASServerName> -AutoDiscoverServiceInternalUri <AutodiscoverUrl>
  3. Execute step 1 again to validate the changes.


Figure 5: Setting up the AutoDiscover URL to use the correct address

OAB

The OAB URLs can be set up by either the Exchange Management Console or the Exchange Management Shell. To configure using the Exchange Management Console, the following steps are required:

  1. Open the Exchange Management Console.
  2. Expand Server Configuration.
  3. Click Client Access.
  4. Select the Client Access Server.
  5. Click the Offline Address Book Distribution tab, and click Virtual Directory below.
  6. In the Actions Toolbox, click Properties, and then click on the URLs tab (as shown in Figure 06).


Figure 6: Changing the URL value for the OAB virtual directory

This setting is per server; if you have more than one CAS server you have to configure the other servers as well.

We can also use Get-OABVirtualDirectory and Set-OABVirtualDirectory to list and set up the OAB URLs, as shown in Figure 07.


Figure 7: The OAB Virtual Directory

Web services

The Web Services are responsible for the Availability Service and OOF URL items in the Outlook 2007 configuration. We can set them up through the Web Services Virtual Directory; the following procedure can be used to accomplish this task (the entire process is shown in Figure 08):

  1. List the current values for Internal and External URLs.
    Get-WebServicesVirtualDirectory | Select name, *url* | fl
  2. Configure the Internal URL to use the new address.
    Set-WebServicesVirtualDirectory -Identity "<VirtualDirectoryIdentity>" -InternalUrl https://url.domain.local/EWS/Exchange.asmx
  3. List the configuration of the Web Services Virtual Directory and check the new values.


Figure 8: Setting up the Internal URL attribute in the Web Services Virtual Directory

Unified Messaging

Now it’s time to set up the Unified Messaging Service URL. We can do that using the following procedure (the entire process is shown in Figure 09):

  1. List the current values of the UM Virtual Directory.
    Get-UMVirtualDirectory | Select Name, *url* | fl
  2. Configure the Internal URL attribute of the UM Virtual Directory (per server).
    Set-UMVirtualDirectory -Identity "<VirtualDirectoryIdentity>" -InternalUrl <UnifiedMessagingUrl>


Figure 9: Setting up the UM Virtual Directory Internal URL

Validating the changes

Okay, we have worked on the URLs for Outlook 2007. We can now check the results through the Test E-mail AutoConfiguration feature, as shown in Figure 10.


Figure 10: The new Web Services URLs

Just to make sure that our clients are using Web Services, go to an Outlook 2007 client, click Tools / Send/Receive / Download Address Book, and click OK in the new window. Now check the IIS log files, and you should see the connection made by Outlook 2007 to retrieve the OAB through web services, as shown in Figure 11.


Figure 11: The OAB download process by an Outlook 2007 client

Configuring the URLs for Outlook Anywhere clients

Until this point we have just set up the Internal URLs for Outlook 2007 clients; now we are going to configure Outlook 2007 URLs for Outlook Anywhere clients.

When you enable the Outlook Anywhere feature on the CAS Server (Figure 12), you can define the External host name and the authentication method; both these parameters are available through AutoDiscover services.


Figure 12: Enabling OutlookAnywhere on a CAS Server

Now, we can check the tool again in the Outlook 2007 client and we will see a new configuration set called Exchange HTTP which is designated for the Outlook Anywhere clients. By default the values are the same as the Exchange RPC section, as shown in Figure 13.


Figure 13: New set of configuration to be used by the Outlook anywhere clients

Now our task is to change those values so that they are accessible to the Outlook Anywhere clients (usually external clients). How can I change those values? It’s easy! We use the same cmdlets used for the Exchange RPC section, but instead of the -InternalURL parameter we use -ExternalURL.

Summary of cmdlets used to configure Outlook 2007 Web Services

Okay, we have just seen how to configure the Exchange Server 2007 Virtual Directories using Internal and External URLs. We would have to go through this process when we have a CAS NLB (Network Load Balancing), or define a new URL to use either internally or externally.

The following table summarizes the cmdlets that are used to define the Web Services URLs, permission required, and the internal/external parameters.

| Item | Cmdlet | Internal Parameter | External Parameter | Permission Required |
|---|---|---|---|---|
| OAB | Set-OabVirtualDirectory | InternalURL | ExternalURL | Exchange Server Administrator role and local Administrators group for the target server |
| Web Services / OOF | Set-WebServicesVirtualDirectory | | | |
| Unified Messaging | Set-UMVirtualDirectory | | | |

Table 1

Conclusion

In this article we saw how to configure the Web Services URL to be used by Outlook 2007. This is important during the Exchange Server deployment process because it is used by all clients running Outlook 2007.

Monday, September 28, 2009

Set home folder permissions using ICACLS

Updated code using ICACLS instead of XCACLS.

previous post: http://nusak.blogspot.com/2009/09/reset-home-folder-permissions-for.html

DIM Commando, Counter, Domain
DIM Folder, iReturn, objFSO
DIM objShell, objSysInfo, rootFolder
DIM strFolder, strUser, SubFolders

' INSTANTIATING AN OBJECT PART1
SET objSysInfo = CreateObject("ADSystemInfo")
SET objFSO = CreateObject("Scripting.FileSystemObject")
SET objShell = wscript.createObject("wscript.shell")

' ASSIGNING VALUES TO VARIABLES
strFolder = Lcase(Inputbox(Ucase("Enter path Home folder") &VbCr &VbCr _
&"Use the following syntax:" &VbCr _
&"D:\Users\","Home-Folder","D:\Users\"))
Domain = objSysInfo.ForestDNSName & "\"

' ASSIGNING VALUES TO CONSTANTS
' INFO: You can find the possible permissions in the comment
CONST Usr1 = "Domain Admins"
CONST UsrPerm1 = "F"
CONST UsrPerm2 = "F"

'================================CODE=========================================

' Check that the folder exists before binding to it: GetFolder raises a
' runtime error on a missing path, so the ELSE branch would never run.
IF objFSO.FolderExists(strFolder) THEN
    ' INSTANTIATING AN OBJECT PART2
    SET rootFolder = objFSO.GetFolder(strFolder)
    SET SubFolders = rootFolder.SubFolders

    FOR Each Folder In SubFolders
        ' The folder name is taken as the user name
        strUser = replace(Lcase(Folder),strFolder,"")
        commando = "icacls """ &Folder &""" /grant ""System"":F ""Creator Owner"":F ""Domain Admins"":" &UsrPerm1 _
            &" """ &Domain &strUser &""":F /T /C"

        ' /K keeps each CMD window open so the icacls output can be checked
        iReturn = objShell.Run("%comspec% /K " & commando)
        Counter = Counter + 1
        ' This sleep is specially done to not overload the system with
        ' icacls screens.
        wscript.echo commando
        wscript.sleep 6000
    NEXT
    wscript.echo "Finished!" &VBCR &Counter &" folders are reset."
ELSE
    wscript.Echo "Folder: " &Ucase(strFolder) &" doesn't exist." &VbCr _
        &"Verify the location and try again."
END IF

SET objSysInfo = NOTHING
SET objFSO = NOTHING
SET objShell = NOTHING
SET rootFolder = NOTHING
SET SubFolders = NOTHING
'=============================END=OF=CODE=====================================
wscript.quit

Sunday, September 27, 2009

Folder Redirections - Best Practice

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24713938.html

http://technet.microsoft.com/en-us/library/cc785925%28WS.10%29.aspx

http://blogs.technet.com/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

Reset home folder permissions for multiple users

http://wasteil.blogspot.com/2007/04/reset-permissions-home-folder.html


'============================================================================
' VBScript Source File
' NAME: Permissions Home Folder
' AUTHOR: Ruudvdh (WASTEIL)
' WEBSITE : http://wasteil.blogspot.com
' DATE : 19-3-2007
' COMMENT: This script changes the permissions of all the subfolders in the
' specified folders. It uses the folder name and matches this with a username
' in Active Directory. Therefore the foldername must be equal to the username.
'
' Permissions (See CONST UsrPerm1 & UsrPerm2):
' R = Read
' C = Change (write)
' F = Full control
' P = Change Permissions (Special access)
' O = Take Ownership (Special access)
' X = EXecute (Special access)
' E = REad (Special access)
' W = Write (Special access)
' D = Delete (Special access)
'
' !!!NEEDED PROGRAMS!!!
' XCACLS.EXE
' This program is part of the Support Tools
' DOWNLOAD:
' http://support.microsoft.com/kb/892777
'
'============================================================================

' DECLARING VARIABLES
Option Explicit
DIM Commando, Counter, Domain
DIM Folder, iReturn, objFSO
DIM objShell, objSysInfo, rootFolder
DIM strFolder, strUser, SubFolders

' INSTANTIATING AN OBJECT PART1
SET objSysInfo = CreateObject("ADSystemInfo")
SET objFSO = CreateObject("Scripting.FileSystemObject")
SET objShell = wscript.createObject("wscript.shell")

' ASSIGNING VALUES TO VARIABLES
strFolder = Lcase(Inputbox(Ucase("Enter path Home folder") &VbCr &VbCr _
&"Use the following syntax:" &VbCr _
&"D:\Users\","Home-Folder","D:\Users\"))
Domain = objSysInfo.ForestDNSName & "\"

' ASSIGNING VALUES TO CONSTANTS
' INFO: You can find the possible permissions in the comment
CONST Usr1 = "Domain Admins"
CONST UsrPerm1 = "F"
CONST UsrPerm2 = "RWC"

'================================CODE=========================================

' Check that the folder exists before binding to it: GetFolder raises a
' runtime error on a missing path, so the ELSE branch would never run.
IF objFSO.FolderExists(strFolder) THEN
    ' INSTANTIATING AN OBJECT PART2
    SET rootFolder = objFSO.GetFolder(strFolder)
    SET SubFolders = rootFolder.SubFolders

    FOR Each Folder In SubFolders
        ' The folder name is taken as the user name
        strUser = replace(Lcase(Folder),strFolder,"")
        ' Quote the folder path so names containing spaces are passed intact
        commando = "xcacls """ &Folder &""" /g ""Domain Admins"":" &UsrPerm1 _
            &" """ &Domain &strUser &""":" &UsrPerm2 &" /T /C /Y"
        iReturn = objShell.Run(commando)
        Counter = Counter + 1
        ' This sleep is specially done to not overload the system with
        ' xcacls screens.
        wscript.sleep 1500
    NEXT
    wscript.echo "Finished!" &VBCR &Counter &" folders are reset."
ELSE
    wscript.Echo "Folder: " &Ucase(strFolder) &" doesn't exist." &VbCr _
        &"Verify the location and try again."
END IF

SET objSysInfo = NOTHING
SET objFSO = NOTHING
SET objShell = NOTHING
SET rootFolder = NOTHING
SET SubFolders = NOTHING
'=============================END=OF=CODE=====================================
wscript.quit



For error checking of the subfolder loop, I put in iReturn = objShell.Run("%comspec% /K" & commando) to see the individual CMD screens.