For some reason, Microsoft’s default configuration for Exchange 2007 and 2010 exposes the internal server name in the mail headers, which causes most reverse-record-checking sites to bounce your email.

##EXCHANGE 2007##
To address this issue, you must remove the “NT AUTHORITYAnonymous Logon”? permissions from the send connector. Open the Exchange Management Shell, and do this:
>get-sendconnector (this will show the name of the send connector.)
SEND CONNECTOR NAME

>get-sendconnector <send CONNECTOR NAME>? | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights ms-Exch-Send-Headers-Routing? -user "NT AUTHORITYAnonymous Logon"

## EXCHANGE 2010##
1. Go to Exchange Management Console
2. Under Organization Configuration, select Hub Transport
3. Select Transport Rules, then “New Transport Rule”
Give the Rule a name, then set the following:

Conditions: Sent to Users Outside the organization
Remove Header: Received
Exceptions: None

1. Go to the Windows SBS Console, click on Network Tab, then click the Connectivity Tab
2. Click on the certificate icon, then click the “view certificate properties” in the right pane. In the “General” tab of the new window, it will show the dates that the self-signed certificate is valid for.
3. In the “Connectivity Tasks” area, click “Set up your Internet address”, go through the wizard to renew your self-signed SSL certificate.
4. When you now check the certificate properties, you will see that it is now valid for another two more years.

Fire up SQL management studio express, and run this query:

DECLARE
@DisplayName VARCHAR(256),
@Authentication VARCHAR(256),
@AuthenticatorTypeId INT,
@AuthenticatorInstanceId INT,
@ExternalAuthenticatorId VARCHAR(255),
@EncryptedPassword VARCHAR(256)

/************************************************************
Start of editing required section
*************************************************************/

SET @DisplayName = ‘System Administrator’ — Display name (Not always used)
SET @Authentication = ‘BAS’ — ‘BAS’ for BAS authentication
SET @EncryptedPassword = ‘7B7ECF0DAF70D040345D8DD92607E274969F4BA5DFDFAEAC5DE775E5340CDF605D5762EC5D326498ADBE72E7434897025A8702D0237046F554DBCA5769B90154:7637B189’ — Encrypted string of password ‘blackberry’

/************************************************************
End of editing required section
*************************************************************/

IF @Authentication LIKE ‘BAS’
BEGIN
SET @AuthenticatorTypeId = 0 — Set to 0 for BAS
SET @AuthenticatorInstanceId = 0 — Set to 0 for BAS
SET @ExternalAuthenticatorId = NULL

IF NOT EXISTS (SELECT * FROM BASUsers WHERE LoginName = ‘admin’)
EXEC SetUpBASorADAuthentication @DisplayName, @AuthenticatorTypeId, @AuthenticatorInstanceId, @ExternalAuthenticatorId, @EncryptedPassword
ELSE
UPDATE BASUsers
SET LoginPassword = @EncryptedPassword
WHERE (LoginName = ‘admin’)

END
GO

DavMail Gateway allows you to use evolution to connect to Exchange 2007 and 2010. Super convenient! Remember, the default settings removes all mail from your Exchange mailbox, so uncheck that setting before you use it.

Recently, a client had issues with Office 2007 documents turning (supposedly) into .zip files.
Apparently, the .docx and .xlsx formats are actually compressed XML files, and when IIS doesn’t have a MIME type for them in the MIME map, it passes them through as .zip files. This is problematic, to say the least.
When this happens, you can run the following script against the web server, and add the necessary MIME types to the map.

The original article where the script was found is here.


' This script adds the necessary Office 2007 MIME types to an IIS 6 Server.
' To use this script, just double-click or execute it from a command line.
' Running this script multiple times results in multiple entries in the
' IIS MimeMap so you should not run it more than once.
' Modified from http://msdn.microsoft.com/en-us/library/ms752346.aspx

End Sub


Sometimes, too many people have messed with it.
Plain and simple.
People like to check boxes. And enable/disable things. it’s fun.
But when it’s your CAS server, it can be a real hassle to navigate the IIS interface, and reset all of those little “tweaks”, placed there by someone with apparently no business “tweaking” IIS.
You know who you are.
;P

In these cases, it’s much easier to let Exchange do it for you, and all you need to open is the Exchange Management Shell.

This will list all the current OWA-related virtual directories.

get-owavirtualdirectory

This will delete the OWA virtual directory for the Default Web Site.

remove-owavirtualdirectory -identity "owa (Default Web Site)"

This command will re-create the owa virtual directory under the Default Web Site in IIS.

new-owavirtualdirectory -OWAVersion "Exchange2007" -Name "owa (Default Web Site)"


This command will re-create the “Exchange” virtual directory under the Default Web Site in IIS.

new-owavirtualdirectory -OWAVersion "Exchange2003or2000" -VirtualDirectoryType "Mailboxes" -Name "Exchange (Default Web Site)"


When you run this command, if you get an error similar to the one below, it is possible that IIS is set to work in 32 bit mode and not the required 64 bit mode.

New-OwaVirtualDirectory : An error occurred while creating the IIS virtual directory ‘IIS://mailserver.yourdomain.com/W3SVC/1/ROOT/owa’ on ‘mailserver’.
At line:1 char:24
+ New-OWAVirtualDirectory <<<< -OWAVersion "Exchange2007" -Name "owa" -Website "Default Web Site"

To make IIS run in 64 bit mode, run the following in an administrative command prompt:

cscript %SYSTEMDRIVE%inetpubadminscriptsadsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0

THIS UPDATE WAS SHAMELESSLY RIPPED FROM http://my.opera.com/ravenoverride because if I have to spend another 2 hours searching for the correct command to add these to the proper site name, I’ll snap.

Remove-OWAVirtualDirectory -Identity “Owa (XXXXXXX)” -Confirm:$false
Remove-OWAVirtualDirectory -Identity “Exadmin (XXXXXXX)” -Confirm:$false
Remove-OWAVirtualDirectory -Identity “Exchange (XXXXXXX)” -Confirm:$false
Remove-OWAVirtualDirectory -Identity “Exchweb (XXXXXXX)” -Confirm:$false
Remove-OWAVirtualDirectory -Identity “Public (XXXXXXX)” -Confirm:$false
Remove-WebServicesVirtualDirectory -Identity “EWS (XXXXXXX)” -Confirm:$false
Remove-ActiveSyncVirtualDirectory -Identity “Microsoft-Server-ActiveSync (XXXXXXX)” -Confirm:$false
Remove-OabVirtualDirectory -Identity “OAB (XXXXXXX)” -Force:$true -Confirm:$false
Remove-UMVirtualDirectory -Identity “UnifiedMessaging (XXXXXXX)” -Confirm:$false
Remove-AutodiscoverVirtualDirectory -Identity “Autodiscover (XXXXXXX)” -Confirm:$false

To verify that the directories have been removed, run the following commands. You should receive no output:

Get-AutodiscoverVirtualDirectory
Get-OABVirtualDirectory
Get-OWAVirtualDirectory
Get-WebServicesVirtualDirectory
Get-ActiveSyncVirtualDirectory
Get-UMVirtualDirectory

To properly create these virtual directories, run the following commands (Please keep the information what you got earlier for XXXXXXX and change it here to):

– Open Exchange Management Shell with elevated permission
– Run the following commands (THE COMMANDS ARE A ONE-LINER. THE NEXT COMMAND IS SEPARATED WITH —————————–. So copy and paste it into notepad, check if it is one line, read it carefully and change the information you have to provide. Information you have to provide is in BIG LETTERS or XXXXXXX):

New-OWAVirtualDirectory -WebsiteName “XXXXXXX” -OwaVersion “Exchange2007”
-ExternalAuthenticationMethods Fba
—————————–
Set-OWAVirtualDirectory -InternalUrl “https://INTERNAL_FQDN_OF_EXCHANGE/owa/”
-ClientAuthCleanupLevel “Low” -LogonFormat “UserName” -DefaultDomain “NETBIOSDOMAINNAME”
-Identity “Owa (XXXXXXX)”
—————————–
New-OWAVirtualDirectory -WebsiteName “XXXXXXX” -OwaVersion “Exchange2003or2000”
-VirtualDirectoryType “Exadmin” -ExternalAuthenticationMethods Fba
—————————–
New-OWAVirtualDirectory -WebsiteName “XXXXXXX” -OwaVersion “Exchange2003or2000”
-VirtualDirectoryType “Mailboxes” -ExternalAuthenticationMethods Fba
—————————–
New-OWAVirtualDirectory -WebsiteName “XXXXXXX” -OwaVersion “Exchange2003or2000”
-VirtualDirectoryType “Exchweb” -ExternalAuthenticationMethods Fba
—————————–
New-OWAVirtualDirectory -WebsiteName “XXXXXXX” -OwaVersion “Exchange2003or2000”
-VirtualDirectoryType “PublicFolders” -ExternalAuthenticationMethods Fba
—————————–
New-WebServicesVirtualDirectory -WebsiteName “XXXXXXX”
-InternalUrl “https://INTERNAL_FQDN_OF_EXCHANGE/EWS/Exchange.asmx” -basicauthentication 1
-windowsauthentication 1
—————————–
New-ActiveSyncVirtualDirectory -WebsiteName “XXXXXXX”
-InternalUrl “https://INTERNAL_FQDN_OF_EXCHANGE/Microsoft-Server-ActiveSync”
-ExternalAuthenticationMethods Basic -InternalAuthenticationMethods Basic
—————————–
New-OabVirtualDirectory -WebsiteName “XXXXXXX” -InternalUrl “https://INTERNAL_FQDN_OF_EXCHANGE/OAB”
—————————–
Set-OabVirtualDirectory -PollInterval “30” -Identity “oab (XXXXXXX)”
—————————–
New-UMVirtualDirectory -WebsiteName “XXXXXXX”
-InternalUrl “https://INTERNAL_FQDN_OF_EXCHANGE/UnifiedMessaging/Service.asmx”
—————————–
New-AutodiscoverVirtualDirectory -WebsiteName “XXXXXXX”
-InternalUrl “https://INTERNAL_FQDN_OF_EXCHANGE/Autodiscover/Autodiscover.xml”
-BasicAuthentication 1 -WindowsAuthentication 1
—————————–
Set-ClientAccessServer -Identity “Servername”
-AutoDiscoverServiceInternalUri “https://INTERNAL_FQDN_OF_EXCHANGE/Autodiscover/Autodiscover.xml”
—————————–
Set-OfflineAddressBook “Default Offline Address Book”
-VirtualDirectories “ServernameOAB (XXXXXXX)” -Versions Version2,Version3,Version4)”

– To check if we were successful in creating the virtual directories correctly type in the commands:

Get-AutodiscoverVirtualDirectory
Get-OABVirtualDirectory
Get-OWAVirtualDirectory
Get-WebServicesVirtualDirectory
Get-ActiveSyncVirtualDirectory
Get-UMVirtualDirectory

For example, you should receive the following for Get-OWAVirtualDirectory

Name Server OwaVersion
——– ——- ———–

Owa (XXXXXXX) Server Name Exchange2007
Exadmin (XXXXXXX) Server Name Exchange2003or2000
Public (XXXXXXX) Server Name Exchange2003or2000
Exchweb (XXXXXXX) Server Name Exchange2003or2000
Exchange(XXXXXXX) Server Name Exchange2003or2000

– Then run the following commands to disable the Kernel Mode Authentication on EWS, Autodiscover, and OAB virtual directories (THE COMMANDS ARE A ONE-LINER. THE NEXT COMMAND IS SEPARATED WITH —————————–. So copy and paste it into notepad, check if it is one line, read it carefully and change the information you have to provide. Information you have to provide is in BIG LETTERS or XXXXXXX):

cd $env:windirsystem32inetsrv
—————————-
.appcmd.exe unlock config “-section:system.webserver/security/authentication/windowsauthentication”
—————————–
.appcmd.exe set config “XXXXXXX/ews” “-section:windowsAuthentication” “-useKernelMode:False” /commit:apphost
—————————–
.appcmd.exe set config “XXXXXXX/AutoDiscover” “-section:windowsAuthentication” “-useKernelMode:False” /commit:apphost
—————————–
.appcmd.exe set config “XXXXXXX/oab” “-section:windowsAuthentication” “-useKernelMode:False” /commit:apphost

– Run: iisreset /noforce

– You must rerun the Internet Address Management Wizard to stamp the new virtual directories with the proper external URL and maybe you have to check the certificates.

I found this *AWESOME* website while testing an Exchange 2007 server for an ActiveSync issue. Thanks, Microsoft!
https://www.testexchangeconnectivity.com/

For this particular exercise, let’s pretend that you are, once again, named Bob. You work for TailswimToys.com, and they use a Microsoft Windows Small Business Server 2008, running Exchange 2007 for email and collaboration services. You use Outlook 2007, and are very happy with it overall.

All of your customers know you as bob@tailswimtoys.com [eat that, spammers… ;) ]

Recently, TailSwimToys experienced a huge economic windfall, and acquired Fabrimak.com, whose main business model is appearing in test questions, under an altered name.

Anyway, bob@fabrimak.com needs the ability to communicate with Fabrimak’s customer base without letting them know that he is *also* bob@tailswimtoys.com, which they would view as silly, thus undermining their confidence in Bob. (And Bob’s company)

In order for Bob to send an email from an address other than his default email address, you need to do the following:

Note: You may want to stop all inbound email services while you do this. This way, anyone sending email to an address that you’re moving to a distribution group will not bounce, but will sit on their mail server in the retry queue, and will be delivered after you’ve created the group, and re-started the inbound mail services. (typically, you’ve got 12 hours before an email will expire from the queue and cause a NDR.)

This assumes that you’ve already configured your Exchange server to accept email for the Fabrimak.com domain, and all necessary DNS records have been created, as these are beyond the scope of this post.

First, open the Exchange Management Console, and delete all but the default email address from the user’s mailbox. (leave bob@tailswimtoys.com in there, this will be the email address used when Bob doesn’t specify an outbound address.)

Next, remove the Recipient Update Policy setting from the user’s mailbox in the Exchange Management Console. This is necessary so that the alternate addresses aren’t re-applied to the mailbox on the next run of the Recipient Update Service.

Then, create a Mail-Enabled Distribution Group named bob@fabrimak.com, and apply the secondary email address to it. (in this case, bob@fabrimak.com) Make the user Bob a member of this group. Also, you’ll need to grant Bob “Send-As” permissions to the Mail-Enabled Distribution Group, so he can “Send-As” from the Group. Another thing you’ll need to do is remove the Recipient Update Policy setting from the Mail-Enabled Distribution Group, as it’s enabled by default.

After these configuration changes, Bob will be able to compose a new email, select to show the “From:” field in Outlook, click “From:”, and select the Mail-Enabled Distribution Group named “bob@fabrimak.com”, and that is the only address for Bob that the receiving party will see.

We’ve recently run into a situation that we realized is no longer possible when running Exchange Server 2007 on Windows Server 2008.

You cannot choose an alternate email address from which to “Send-As”, because the Exchange server will resolve your user object against the Active Directory, and replace whatever alternate address you’ve chosen with your user object’s default email address, as listed in the Active Directory.

Here’s the scenario-
Fabrimak is a company with many divisions. All of these divisions function as individual companies, and as such, have their own corporate identities, domain names, URLs, etc. However, due to the current trend of downsizing and leaner operational costs, they share a core Active Directory domain namespace, running Windows Small Business Server 2008 Premium Edition.

I know this is starting to sound like a test question for an MCSE exam, but bear with me.

The domain names in use currently are as follows:
Fabrimak.local (internal domain)
Tailswimtoys.com (default Internet domain in Exchange)
Consoto.com
Northbound.us

So, when users of Fabrimak’s internal network open up Outlook 2007, and create a new outgoing email, manually select to show the “From:” field, and choose to use their ‘user@consoto.com’ address, the mail recipient sees that the email came from ‘user@tailswimtoys.com’. This is because the outgoing email address used is decided when Outlook resolves the user account used to log into Exchange against the Active Directory, returning whatever address is listed as the user’s default. (Usually managed in the Exchange Console with the Recipient Update Policy.)

Even if you choose to show the “From:” field, and select an alternate (albeit valid) email address, the Exchange server will change the outgoing address used to your user account’s default outgoing email address.

Apparently, this ability to “Send-As” was purposefully removed by Microsoft, during the codebase rewrite of Exchange server.

However, (with the help of some friends from Redmond) there is a workaround. Allowing this “Send-As” behavior *is* possible. The workaround entails the use of Mail-Enabled Distribution Groups, and the removal of the Recipient Update Policy from the user account.

Details coming in my next post.

This is a *very* excellent site for testing things like Exchange Server SSL configuration, and ActiveSync problems… Chances are, your configuration is incorrect… ;)

https://www.testexchangeconnectivity.com/