Wednesday, September 20, 2006

Exchange loses its secure channel in the domain

Ok…for whatever reason you break your Exchange server's secure channel to the domain, and you have exhausted all avenues to get it back (Netdom/NLTest). Your last resort might be to remove the Exchange server from the domain and rejoin it. Well…that just sounds like I want to shoot myself in the foot.

This happened to me and I thought Microsoft was nuts in recommending it. But after we tried everything…we figured that we had nothing to lose. The Exchange server could see the domain, but no machines in the domain could connect to the Exchange server. When you tried to browse the Exchange server, you would get the message “The target account name is incorrect”.

So…here…we…go…

I made sure that all the stores were stopped. Set all the Exchange services to disabled and just for the fun of it ran an eseutil /mh against the databases. Lo and behold, they were all in a “Dirty Shutdown” state. Great!!

Anyway…we removed it from the domain, rebooted, logged in with local administrator, rejoined the domain, rebooted and logged in with domain admin rights. (Took much less time to write than actually do).

Then we opened Services and started the SA. It's good!! Then the IS. It's good too. (Geez…this is awesome). Then the MTA, Management, and all the others. It's all good!! Well I’ll be a monkey’s uncle. We tested to see if mail was flowing internally and externally and it's all good.
Another great save!!!!

Over and out from Bermuda…

How to check if a mail server is on a Blacklist

Have you ever had to check a domain name to see if it's on a blacklist? I like to use www.dnsstuff.com. It works great, but it reports back on every blacklist available, and sometimes, if the server is busy, it can take up to a day to report back. Well, that does you no good if you need a report right now.

What if you are using anti-spam software that lets you list the specific blacklists it checks against? There is an easy way to check those yourself…here are the steps.

1. Get the Internet header from the message that bounces back.
2. Locate the IP address of each mail server that the message has passed through.
3. Once you have a list of all the IP addresses of mail servers the mail has passed through, you need to check whether any of these are listed as blocked by one or more of the DNS blacklists you have enabled in your configuration. This can be checked using one of the following procedures:

Using Ping: At the command prompt type ping (reversed IP).(relay blacklist)
Example: If the mail server address is 24.222.0.10 and you are checking it against the blacklist relays.ordb.org, the command would be:

ping 10.0.222.24.relays.ordb.org

Good Results: “Ping request could not find host 10.0.222.24.relays.ordb.org. Please check the name and try again” indicates that the IP address being checked is not in relays.ordb.org. You can proceed to check the IP address against the other DNS Blacklists you have enabled, or check the other IP addresses found in the email header.

Bad Results: “Pinging 10.0.222.24.relays.ordb.org [127.0.0.2] with 32 bytes of data” indicates that the IP address is found on the DNS Blacklist being checked. Note that you do not need to get a reply to your ping request. You just need the host (10.0.222.24.relays.ordb.org) to resolve to an IP address (127.0.0.2 in this case). Note also that the IP address to which it resolves is not important either.

Using NSLOOKUP: At the command prompt type nslookup (reversed IP).(relay blacklist)

Example: If the mail server address is 24.222.0.10 and you are checking it against the blacklist relays.ordb.org, the command would be:

nslookup 10.0.222.24.relays.ordb.org

Good Results: “DNS Server can’t find 10.0.222.24.relays.ordb.org: Non-existent domain” indicates that the IP address is not in relays.ordb.org. You can proceed to check the IP address against the other DNS Blacklists you have enabled, or check the other IP addresses found in the email header.

Bad Results: Would be as follows:

Non-authoritative answer:
Name: 10.0.222.24.relays.ordb.org
Address: 127.0.0.2

This indicates that the IP address is found on the relays.ordb.org blacklist.
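The same three steps in script form, as an added example (not from the original post): pull the relay addresses out of a bounce's Received: headers, build the reversed-octet query name, and treat an A-record answer as "listed" and NXDOMAIN as "not listed". The sample headers, the host names in them and the demo_resolve stand-in for DNS are constructed so it runs offline; swap in socket.gethostbyname for a live check.

```python
import ipaddress
import re
import socket

# Bracketed IPv4 address on an (unfolded) Received: line, e.g. "... (relay.example.com [24.222.0.10]) by ..."
_RECEIVED_IP = re.compile(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)

# Constructed sample bounce headers (not a real message): two hops, lowest one is the sender.
SAMPLE_HEADERS = (
    "Received: from mx1.example.net (mx1.example.net [198.51.100.7])\n"
    "\tby mail.example.org with ESMTP; Wed, 20 Sep 2006 10:00:00 -0400\n"
    "Received: from relay.example.com (relay.example.com [24.222.0.10])\n"
    "\tby mx1.example.net with SMTP; Wed, 20 Sep 2006 09:59:58 -0400\n"
)

def received_ips(headers):
    """Steps 1-2: unfold continuation lines, then take the IPv4 address
    from every Received: header, topmost hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    return [m.group(1) for m in map(_RECEIVED_IP.match, unfolded.splitlines()) if m]

def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 24.222.0.10 checked against
    relays.ordb.org becomes 10.0.222.24.relays.ordb.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or IPv6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")

def dnsbl_listed(ip, zone, resolve=socket.gethostbyname):
    """Step 3: an A record (returned) means listed, NXDOMAIN (None) means not.
    Any other resolver error is re-raised so a timeout is never read as clean."""
    try:
        return resolve(dnsbl_name(ip, zone))
    except socket.gaierror as e:
        if e.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)):
            return None
        raise

def check_bounce(headers, zones, resolve=socket.gethostbyname):
    """Every relay in the bounce against every enabled zone -> {(ip, zone): answer}."""
    return {(ip, z): dnsbl_listed(ip, z, resolve) for ip in received_ips(headers) for z in zones}

def demo_resolve(name):
    """Constructed stand-in for DNS so the example runs offline; only the page's example
    relay is 'listed'. For live lookups use socket.gethostbyname, after confirming the zone
    is still operated (relays.ordb.org has since shut down; a dead list can answer wrongly)."""
    if name == "10.0.222.24.relays.ordb.org":
        return "127.0.0.2"
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    for (ip, zone), hit in check_bounce(SAMPLE_HEADERS, ["relays.ordb.org"], demo_resolve).items():
        print(f"{ip} on {zone}: {'LISTED (' + hit + ')' if hit else 'not listed'}")
```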

Hope that helps your search…

Wednesday, August 23, 2006

Configuring Exchange Active Sync

Ok…so I have now configured EAS a few times and each time the same error came up. It has to do with EAS running on the same server as the Exchange mailboxes; in a front-end/back-end configuration this would not happen. The issue is the Exchange virtual directory in IIS on the OWA web site. When you require SSL on the site, SSL gets set on the Exchange directory as well, and when using OMA or EAS, SSL cannot be enabled on the Exchange directory. The MS link below explains how to create another virtual directory in IIS just for OMA and make a registry change to point EAS at this folder.

http://support.microsoft.com/kb/817379/

Wednesday, July 12, 2006

Sharing an SMTP E-mail Domain between Exchange Organizations

First, the official word from Microsoft on how to do this. They will explain in more detail. See the following KB article and associated linked articles:

http://support.microsoft.com/kb/321721/

For example, if ABC Company (ABC.COM) and XYZ Company (XYZ.COM) both want to use the SMTP domain ABCXYZ.COM, this is how you do it:

My example is between two Exchange organizations. Only one Exchange organization can be authoritative for the new domain. The authoritative Exchange organization will send an NDR back for any unresolved addresses. Which Exchange organization you pick to be authoritative depends on many factors, such as:

- which organization will hold the majority of objects using e-mail addresses in the shared SMTP domain
- one organization is taking over another

Let’s assume ABC Company will be authoritative and the MX record for new SMTP domain has been configured.

On the ABC Company’s Exchange Server, add in a recipient policy to accept mail for ABCXYZ.COM. Make sure you check the box stating “This organization is responsible for all mail delivery to this address”. On the recipient policy, you can choose to add a filter so that new objects that qualify automatically get an e-mail address in ABCXYZ.COM address space.

Before proceeding, you should verify mail flow in and out of your Exchange environment using e-mail addresses in the shared SMTP address space.

It might be worthwhile to set up a direct connection for mail flow between the two organizations. Otherwise, mail will go out over the Internet and you may not be able to control the routing of messages. This can be done with an SMTP Connector. You will probably need to deal with firewall rules and the IP addresses of the bridgehead servers on both sides. The SMTP connector on ABC Company’s Exchange will have an address space of *.XYZ.COM. A similar SMTP connector on XYZ Company’s Exchange will have an address space of *.ABC.COM.

Now we are ready to add the second Exchange organization to the mix. Since ABC Company’s Exchange is authoritative for ABCXYZ.COM, it needs to know about EVERY e-mail address in ABCXYZ.COM — even those in the other Exchange organization. This is done with mail-enabled contacts in ABC Company’s Active Directory. Each contact will have two e-mail addresses: anyuser@XYZ.COM and anyuser@ABCXYZ.COM. Make whichever e-mail address you want the primary SMTP address. In order for mail for anyuser@ABCXYZ.COM to reach the mailbox in the other organization, you need to modify the target address of the contact. The target address is the e-mail address showing up on the Exchange General tab of the object. Just make sure you still have two e-mail addresses under the E-mail Addresses tab; using ADSIEdit to modify the target address is the easiest way. Think of the target address as a forwarding address for the contact, i.e. where you want the mail to go, in this case the anyuser@XYZ.COM mailbox on XYZ Company’s Exchange. Don’t forget to add anyuser@ABCXYZ.COM as an e-mail address on the mailbox on XYZ Company’s Exchange!! Now, any mail addressed to anyuser@ABCXYZ.COM will get redirected to anyuser@XYZ.COM over ABC Company’s dedicated SMTP Connector.

To control mail routing for ABCXYZ.COM from XYZ Company’s Exchange, you should set up an SMTP Connector with an address space of *.ABCXYZ.COM on XYZ Company’s Exchange. Also, the recipient policy for ABCXYZ.COM on XYZ Company’s Exchange should not be checked as authoritative.

As a side note, you will need to have some discussion between the organizations on the distribution of e-mail addresses in the new address space. For example, if ABC Company uses the e-mail address sales@ABCXYZ.COM and XYZ Company uses the same e-mail address, ABC Company will get all the messages addressed to sales@ABCXYZ.COM from the Internet, since it is authoritative.

That’s about it. To see how to do this with a non-Exchange mail system, check out the Microsoft article.

Thursday, June 29, 2006

ADFIND - what it can do for you!!

Great tool for finding things in Active Directory. Download it at http://www.joeware.net/win/free/tools/adfind.htm

Example 1:

Find out if an SMTP address is in use and where it is:

Your AD Domain namespace is domain.local. You are trying to find someone@myemailaddress.com.

adfind -b dc=domain,dc=local -f proxyaddresses=smtp:someone@myemailaddress.com

More to come….

Friday, June 23, 2006

Making a Windows 2003 R2 server a DC

This is going to start being an issue when promoting new servers to domain controllers. If you have Windows 2003 R2 installed on a machine and you try to run DCPROMO, you will get an error message saying that the schemas do not match. HUH?
So it says to run ADPREP with the /forestprep switch…no problem. But when you run it from the R2 CD1 it says that it has already been run. Now what?
Some history…at this point your Active Directory schema should be at version 30, and you need schema version 31 to promote an R2 server to a DC. So this is what you need to do.

Pull out the Windows 2003 R2 CD2, drill down to \CMPNENTS\R2\ADPREP\adprep.exe and run it with the /forestprep switch.

This will bring your AD up to version 31 and you can now DCPROMO the R2 server.
Side note…who knew you actually needed the second CD for anything.

http://support.microsoft.com/?kbid=917385

Thursday, June 22, 2006

Shutdown script for Exchange 2003 on a Domain Controller

Exchange needs to be shut down before rebooting a server that is also a Domain Controller (DC). Here is a link with a simple shutdown script and how to set it up as a Group Policy.

http://www.msexchange.org/articles/Automating-Quicker-Exchange-2000-2003-DC-reboot.html