Outlook 2013 Security Update breaks Out of Office for Exchange 2007 Mailboxes

Just what the title says:  Outlook 2013 Security Update breaks Out of Office in Exchange 2007 Mailboxes.  The link tells you what to do about it.

Server-side Holidays for Microsoft Exchange cmdlet

OK, we'll let you use the cmdlet for server-side holidays.

It works with Exchange 2007, 2010, and 2013, as well as Office 365.

You will have to set permissions to be able to access calendars.

You can download it here.  

Update December 10, 2013: Link removed while we consider alternates for the holiday cmdlet.
Update December 17, 2013:  We created an open-source cmdlet project on CodePlex.

SuHoliday cmdlet and Exchange 2007

We've gotten a few inquiries about running the SuHoliday cmdlet on Exchange 2007 instead of Exchange 2010.

Short answer: Yes you can do it.  Nothing the the was we use the EWS API is specific to Exchange 2010 to the exclusion of Exchange 2007.

However, setting Permissions in Exchange 2007 IS VERY different from Exchange 2010, so you will have to adjust for that.  Taking all of the Exchange 2007 permissions stuff out of the documentation made it substantially shorter and clearer,

If you need help look at posts in this blog involving Permissions and Exchange 2007.

Retiring Exchange 2007 Migrations

As of now we're retiring migrations into Exchange 2007.

There's been exactly ONE this year (which actually started in 2008 -- long story).

So unless you have a really good story or a really fat checkbook -- look to 2010 or 2013.

When a user has 15,000+ unread items in the inbox....

We *thought* huge mailboxes (as measured by disk space) could wreak havoc during a migration. Perhaps we are wrong. This is a story about huge inboxes and unread email (the harbinger of problems that plague email systems.)

Last week we moved a client into Exchange 2010 (on-premesis). BUT the Sumatra Exchange insertion tool hung while inserting one user. For hours. Restarting the tool and rebooting boxes didn't help. After much digging we found the problem: that end user had 15,000+ unread emails in her inbox. What was the issue? (no, not why would we migrate a user with 15,000 unread emails in their inbox who probably left the company three years ago....)

The client hit an Exchange threshold. The issue is described in a Microsoft Technet article: Understanding the Performance Impact of High Item Counts and Restricted Views.

The article says: ...In Exchange 2007 ... an acceptable user experience can still be maintained with item counts as high as 20,000 items. We're still researching if that limit changed for Exchange 2010. Our client hit that wall in Exchange 2010.

So who are these big-bad-inbox-boys and girls? Here's a powershell command: (note, I've set a conservative threshold of 10,000 items for just user mailboxes.)

Get-Mailbox -filter {RecipientType -eq "UserMailbox"} -ResultSize unlimited Get-MailboxFolderStatistics where {($_.name -eq "Inbox" -or $_.Name -eq "Calendar") -AND $_.itemsinfolder -ge 10000} sort-object ItemsinFolder -Descending ft Identity,ItemsinFolder,FolderSize

-Russ

BlackBerry Enterprise Server - Stay on Top of It!

If you are planning on migrating and use the BES server. Please stay up to date with your BES versions.
How to Enable BlackBerry Enterprise Server 5.0 Sp1 and SP2 to use Microsoft Exchange Web Services is required reading.
Here's the issue: BES still relies on CDO 1.2.1, which is a little like a 2011 model year hybrid still needing a Model T crank. BES requires pretty much the same kinds of permissions we do in order to act on calendar objects in Exchange, so after migrating if you flip on BES and notice issues with setting up or responding to meeting invitations as a Delegate -- the first place to look is your BES configuration.

Shared calendar items are shown incorrectly in Exchange 2007 (Fixed in SP3 RU1)

Sumatra enterprise clients use shared calendars to allow Managers to look at employee calendars, employees to access common calendars (e.g., the 'vacation' calendar, or to look at conference rooms (when free/busy doesn't contain enough information.)

Unfortunately, the calendar events are often shown at the wrong time.

Microsoft KB 976100 offered a hotfix for this issue. It was also included in the Exchange 2007 SP3 Rollup 1 (KB 2279665)

For clients who share calendars -- apply this rollup.

OWA bug fix - Change the start time of a recurring meeting with exceptions now works

When you change the start time of a recurring meeting series in Microsoft Exchange Server 2007 by using Outlook Web Access (OWA), any exceptions to individual meetings in the series are not removed. There's news to Sumatra's calendar customers. Their end users have dealt with this issue for several years.

Rejoice! Microsoft fixed it. For Exchange 2010. There is no joy in Exchange 2007 land - the fix is not for your servers. See KB 980051.

I'll update this post once I know the hotfix number or the rollup version.

Ampersands in email addresses

Just ran a few thousand users from Oracle Calendar into Exchange (at a very security conscious site so we were not able to look at their mappings beforehand), and they had some problems with ampersands in email names.

Yep. Bad karma all around.

In fact, you should not be using most special characters for object names, as Microsoft documents here for Exchange 2003 and here for Exchange 2007.

Exchange Calendar Issues fixed with Rollups

Microsoft released rollups for its Exchange Servers on April 13, 2010:

• Update Rollup 10 for Exchange Server 2007 SP1 (KB981407),
• Update Rollup 4 for Exchange 2007 SP2 (KB981383), and
• Update Rollup 3 for Exchange 2010 (KB981401).

I want to report the calendar-related issues that these rollups fix:

Exchange 2007 (SP1 and SP2) - No calendar-related fixes in this rollup

Exchange 2010

1. RPC clients or MAPI on the Middle Tier clients may not receive responses from the mailbox server role on an Exchange 2010 server (KB981664)

Note: Microsoft recommends that you Clear the 'Check for publisher’s certificate revocation' for Outlook users. For OWA users, this rollup overwrites any customizations made to your "logon.aspx" pages.

Resource Forest Redux

We just re-wrote the sections on our migration manual dealing with Resource Forests in Exchange 2007/2010 -- here's the early version

• The "User Forest" - I started with an existing AD 2003 Domain - ad03.herring.sumatra.local (windows server 2003)
  
  • Create a user account "Blarney Stone", alias = bstone in the herring.sumatra.local domain
    
• The "Resource Forest" - a new VM: "Resource" forest domain called Sherwood: ex07res.sherwood.sumatra.local. The CAS server is "ex07res"
  
  • In AD Domains & Trusts:
    
    • Ensure DOMAIN AND FOREST levels are windows 2003
      
    • Created a TWO-way: forest trust between the Resource & User forests (Sherwood to Herring) Note: A resource forest trust is a configured ONE-way trust between the Resource & User domains. If you do this, the service account won't be able to see AD, and thus won't be allowed to access anyone's mailbox.
      

Example of the TWO-WAY forest trust between the resource (Sherwood) and the user forest (Herring) (Shown from Active Directory Domains and Trusts)

• In AD Users & Computer on the RESOURCE FOREST ("sherwood"):
  
  • Added the computer ex07res to built-in group windows authorization access group
    
  • Create a service account deleg8 in the resource forest (A new USER account).
    
• Use Exchange Management Console to:
  
  • Create LINKED mailboxes "Blarney Stone" alias = bstone (in sherwood.sumatra.local) Linked to bstone (in herring.sumatra.local)
    
  • Remember to reconfigure IIS to use SSL and have OWA default site property (in the server configuration) to use forms-based authentication
    
• In AD Users & Computer on BOTH the RESOURCE FOREST ("sherwood") AND on the USER FOREST (herring):
  
  • Right-hand click on the domain, get properties, and in the security tab Grant Deleg8 FULL ACCESS to AD. You'll have to go into advanced and set these permissions "for this object & all child objects". If you don't see the security tab, turn on Advanced Features under the View menu.
    

Example of granting FULL Control to this object & all child objects (Deleg8 on Sherwood

(Shown from Active Directory Users & Computers)

• In Exchange Management Shell, on the Resource Forest (sherwood), run this against your CAS server, "ex07res"
  
  • Add impersonation between the (resource forest) service account AND the user account:
    
    • Add-AdPermission -Identity (Get-ExchangeServer -Identity "ex07res").Identity -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
      
    • Add-AdPermission -Identity "Blarney Stone" -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
      
  • Grant Full access to the (resource forest) service account AND the user account:
    
    • Add-MailboxPermission -Identity "Blarney Stone" -User sherwood\deleg8 -ExtendedRights fullAccess -InheritanceType All
      

      
      

• In the Sumatra UI on a 32-bit machine:
  
  • Run the code as the resource service account (sherwood\deleg8)
    
    • I assume you've already granted that account local login rights, and made it a local administrator so you can read/write from the disk)
      
  • The forest: "herring.sumatra.local"; the SMTP domain: "sherwood.sumatra.local"
    
  • CAS server: ex07res (https://ex07res/ews/exchange.asmx)
    
  • Access calendar using: IMPERSONATE
    
  • Test user: bstone (SMTP address: bstone@sherwood.sumatra.local)
    

    
    

• Other Notes and Deviations from the Sumatra documentation:
  
  • Something changed between Exchange 2007 RTM and SP1/SP2. we've had to change our process.
    
  • Microsoft's David Sterling said that EWS expects there to be some sort of AD object in the resource forest to represent the cross forest account, and unfortunately, a foreign security principal is not enough. He wrote out instructions here: http://msexchangeteam.com/archive/2008/04/18/448727.aspx. BUT it doesn't work because he recommends duplicating a SID between the User and Resource forests. That generates lots of AD errors for that service account, and breaks OWA access (as that service account).
    
  • The tool to set permissions on the RESOURCE forest (Sherwood) MIGHT cause you problems because it does not explicitly set permission inheritance. So the permissions might allow you to validate against the mailbox, but NOT insert calendar data. Here was the tool: http://msexchangeteam.com/files/12/attachments/entry447730.aspx
    

• Use the Get-Mailbox -resultsize unlimited add-mailboxpermission to set permissions for all accounts, e.g., Get-Mailbox -resultsize unlimited Add-AdPermission -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
  

  PowerShell example of using get-mailbox (you might see warnings if you've already applied the ExtendedRights to some mailboxes.
  

  
  

• We set AD access on both the RESOURCE and the USER forests
  
• We were able to add a test item using impersonation. Delegation was not working.
  
• After the migration:
  
  • Remove the service account's full access permissions in AD
    
  • Set the trust back to a one-way trust
    
  • Remove the service account
    

• Other fun facts about resource forests:
  
  • Full Disclosure: I am not a fan of Resource Forests. Yes, they offer additional security. At the cost of 4x the complexity. I apologize to you who have implemented them successfully and are happy Exchange Admins. I'm not alone in that opinion. How a resource forest can make you cry is Vermyndax's rant.
    
  • It's easy to implement the Resource Forest in a way that causes the end user's lots of pain. For example:
    
    • Every time the user logs in to Exchange, they have to enter their resource forest credentials. That's almost as bad as my car: it automatically locking the doors once the car starts moving. Great for safety. But, every time I want to exit the car, I either have to either unlock the door before I can open it, OR pull the door handle twice – the first time UNLOCKS the door, the second time OPENS the door. Great security design. Miserable user experience. But I digress. The way around this, by the way: You have to assign the account in the USER forest these additional rights:
      
      • "Read Permissions",
        
      • "Full Mailbox Access", and
        
      • "Associated External Account"
        
    • We had problems when some DELEGATES tried to access their boss' calendars and could not. We discovered those delegate mailboxes did not reside on the same server as their boss's mailbox. The solution: move the delegates mailbox!
      
    • There were access problems for customers who have public folders (you need them if you have Outlook 2003, or if your organization uses public folders). I couldn't figure out how to solve the access problem. Thankfully Jim McBee "Mostly Exchange Web Log" AND Jesper Bernle's Exchange Server blog wrote about how to solve it. Jim McBee found and fixed issues with permissions and delegate mailboxes.

Exchange 2007 Calendar Issues fixed with Rollup2

On 1.22.2010, Microsoft released Rollup2 For Exchange 2007 SP2.

Here are the calendar-related issues that Rollup2 addresses:

970817 An appointment is displayed incorrectly as an all-day event if you use a mobile device to synchronize the calendar in Exchange Server 2007

971177 The Auto Attendant 'Business Hours' schedule is not updated in Exchange Server 2007 when the DST setting is changed

971349 Exchange Server 2007 users intermittently cannot access an Exchange Server 2003 user's Free/Busy information in Office Outlook 2007

973969 Incorrect exceptions are generated for a recurring iCalendar message when an Exchange Server 2007 server processes an SMTP message that contains the iCalendar message part

974161 Some attendees cannot receive a meeting cancellation notification when the appointment recurrence pattern is changed by using EWS in Exchange Server 2007

974999 The "Task Owner" field is not set when you create a task in Outlook Web Access

975165 EWS proxying requests fail after you run Availability Service requests in a CAS to CAS proxying scenario in Exchange Server 2007

975404 An attachment of a meeting request cannot be opened when you use a CDO application to accept a meeting request in Exchange Server 2007:

975903 The RemoveDelegate operation of EWS fails, and then a "500 internal server" error response and event ID 4999 are logged in an Exchange Server 2007 server

976025 The free/busy information of an Exchange Server 2007 user is not displayed

977091 The time for an updated meeting request is incorrectly shown in an exception instance of a recurring meeting request on an Exchange Server 2007 environment

Zimbra Calendar / Tasks / Contacts to Exchange 2007/2010 Migrations

Update November, 2011.  If you're interested in Zimbra to Exchange calendar migration, see our newer posts on a faster, simpler method.  http://calendarservermigration.blogspot.com/2011/11/faster-easier-zimbra-ics-to-exchange.html


December was a busy time at the Sumatra HQ.

We averaged two migrations a week and got three inquiries about migrating calendars from Zimbra to Exchange -- one of which we consider credible in that they kept a dialog going.

So, after a few weeks of skunk works development (which is an oxymoron here), we've got Zimbra calendaring, tasks, and contacts migrating into Exchange 2007/2010, with full state information intact.

Of course, if you want to take calendar data INTO Zimbra we can still do that. But we are kind of psyched that this is the first calendar we'll take you into or out of.

Keep in mind, you could export your ICS files and import them into Exchange (try it and see if that preserves your guest responses) or you could just move PSTs (again, try it). Our process re-creates the guest lists and responses of the calendar data on the Exchange side and it does it server-side with no end user interaction.

Oracle Calendar Server Designate to Microsoft Exchange Delegate Migration

Trying to get Outlook Delegate Permissions:

from Oracle Calendar Server Designate Access Rights

can be tough.

We just made the Oracle Calendar DESIGNATE to Microsoft Exchange DELEGATE migration simpler (and removed PFDAVAdmin from the equation, while it worked it was a complicated pain in the neck).

Now under the processing stage check box in our insertion code is an option called "Set Delegates"

It takes a converted designates export file, as we've previously told you how to build, and will set those according to these rules:

• Users must be VALIDATED
• NO delegates are set to see PRIVATE items on Exchange
• NO delegates are set to receive Meeting Invitations
• There is no UNDO for Delegates
  

Here is the “get-mailbox fl” command that shows Russ has been set as Zyg's delegate

In the database:

If Delegate is true then the user is assigned as an EDITOR

If ReadONLY is set to true, then the user is assigned as a REVIEWER

If ReadONLY is set to FALSE, then the user is assigned to AUTHOR

Here is the commandlet to WIPE OUT ALL DELEGATES, regardless of who set them:

get-mailbox -ResultSize unlimited where {$_.Servername -like "Server" -and $_.GrantSendOnBehalfTo -ne {}} Set-Mailbox -GrantSendOnBehalfTo $null

(Remember to change “SERVER” to your server name!)

We suggest you use this in your TEST environment for verification purposes.

Insert Holidays Server-Side into Exchange 2007

Done.

Ship it.

The Sumatra Utilities for Exchange 2007 are now available for download.

Keep in mind, they won't just insert holidays for the 2010 calendar year, they'll also let you:

• Check for broken meetings in your conference rooms
• Gracefully remove terminated user meetings
• Extract resource use data you can then analyze in a spreadsheet (not full ResourceWatch but it gives you easy access to data that was hard to get before)
• And if you want to start using them to develop your own applications (we've got one business school that's done that and another evaluating), we can do that as well.

Sumatra Utilities for E2K7 available next week

We're not trying to drive you crazy -- just trying to make sure everything works and getting our legalese squared away.

The Sumatra Utilities for Exchange 2007 (including holiday server-side insertion capability) will be available next week.

Keep checking here for updates.

FullAccess fails with the error: The specified folder could not be found in the store.

I have been banging my head against the Exchange 2007 brick wall for the last month over the error: "The specified folder could not be found in the store."

Sumatra's conference room analysis tool's Exchange Web Service calendar folder "FindItem" request failed for about 5% of the rooms at one client. Other clients do not have this problem! The service account had FullAccess to all rooms. All conference rooms were on the same Exchange mailbox server, in the same OU, configured to autoaccept. Some had delegates, some did not.

The client could use the service account credentials to access the calendars via OWA. Was it a corrupted meeting? We changed FindItem's interval. No luck. Was EWS timing out over a large mailbox? Increased the HTTP timeout. No luck. Our FindItem requet uses the DistinguishedFolderID. We called GetFolder to find the FolderID. It failed on the inbox with the message "The specified object was not found in the store", and for the calendar folder with the message "The specified folder could not be found in the store".

Ahha! The permissions were not inherited. We added "InheritanceType: All" and it worked. Here is the syntax:

Get-Mailbox -filter {isResource -eq $True} -Resultsize unlimited
Add-MailboxPermission -User: xxxx -AccessRights: FullAccess
-InheritanceType: All

Holiday insertion server-side in Exchange 2007

Remember the Sumatra Utilities for Exchange 2003 and their beloved server-side holiday insertion capability?

And you remember how every year you ask us if we've done it for Exchange 2007?

Well, we (finally) rebuilt it for Exchange Web Services. Check out this example.

Friends of Sumatra can use this at no charge (you all know who you are) so just ask us and we'll send it out.

For everyone else we're actually going to charge for the capability this time.

Which brings me to the purpose of this posting: If you have any preferences on how we should do this -- drop us a line. If you do not know our emails you can use our contact form.

Oh yeah -- this is also going to include the broken meeting check, the terminated user utility, and the interface for managing conference room statistics (the full application for the last one will be a separate follow-on offering).

500 errors on test insertion into Exchange 2007?

When you get a "500" error on validation or a test insertion, please verify your:

1. CAS/MBX boxes are members of Windows Authorization Access Group
2. Impersonation permissions stuck (and are not denied) through Active Directory Sites & Services
3. Service Account is NOT a member of any Exchange Admin Group/Domain Admin group

Smartphones and your calendar server migration

We go over this a lot with folks and it's worth blogging about.

Let's say you're switching your calendar server and you've got BlackBerrys, Smartphones, ancient PDAs, whatever connected to your old server. And you want to use the same product when you're done in your NEW environment (let's call it Exchange).

Our recommendation is that as part of your migration process you blank out your calendars in your source system and re-synch completely on your target.

Why? Because the synch usually keeps track based on something called UIDs (or Universal Identification Numbers). You change your calendar server, you change your UIDs, and if you're not careful your Smartphone will get data from BOTH systems (and this is a hassle).

While migration is going on we strongly recommend turning off your BlackBerry server. Why? Sumatra generates a lot of email as part of re-creating end-user calendars in Outlook. While Sumatra’s insertion technology removes almost all of that email from end user’s in boxes, it can not remove those messages delivered to your device via the BlackBerry Exchange Server. So depending on your migration option your BlackBerry users will either be flooded with a lot of email (no EventSink) or some email (EventSink).

Since your BlackBerrys, Palms, or WindowsMobile PCs is synched with a system that is obsolescing – you will need to clear the calendars when you shut down your Oracle Calendar / Meeting Maker / Sun Java Calendar / etc. server, then have your users re-synch after the migration is completed.

BlackBerry

For clearing the calendar on the Blackberry – see the following webpage:
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/7925/8142/How_To_-_Reset_the_BlackBerry_device_calendar.html?nodeid=1201826&vernum=1

Palm

For clearing the calendar on a Palm OS, you might use the Purge function:
http://kb.palm.com/SRVS/CGI-BIN/WEBCGI.EXE?New,kb=PalmSupportKB,CASE=obj(5029),ts=Palm_External200173

Windows Mobile (Pocket PC)
For Windows Mobile, you can:
· Open ActiveSync
· Double Click on Calendar.
· Change the settings such that it syncs only 0 past and 0 future appointments.
· SYNC - this will clear all calendar items on the IPAQ / most other Pocket PCs.
Note: Some earlier ActiveSync versions attempt to interpret the default Sumatra Category as a date field. If you have Windows Mobile PCs you should remove the keyword AFTER you have done your quality assurance testing on the migration. Sumatra also has a COM add-in for Outlook that will accomplish the same thing on a user-by-user basis.

NotifyLink

Updated September 10, 2009 with info from Notify Technology.

Migration for NotifyLink Enterprise Server (NLES) Users with recent versions.

An administrator must:

1. Make sure the NLES server and device software are up to date.
2. Create the new mail and PIM servers
3. Open the user administration list and for each user to be moved, select the “Edit User” button.
4. On the “Edit User” page, switch the email and PIM servers to the new servers that were created.
5. This should all be done after the actual migration is complete on the server side. Notify Tech claims their software should handle the rest. It should re-prime accounts and issue full resynchronization commands. The device PIM stores will be automatically cleared and reloaded with the new account info.
   
   Earlier versions of their software ran a more complicated, non-automatic process.