Migrating from Exchange to Live@Edu - NOT a no-brainer

We've been getting a lot of email from people who are weighing the decision between on-premises Exchange and Live @ Edu. We got worried when we started picking up on two assumptions that a lot of them are making: that both Live @ Edu and on-premises Exchange 2010 are functionally equivalent and that should you decide to move between them it is a simple, no-brainer activity to shift from on-premises Exchange 2010 to cloud-hosted Exchange later on.

Disillusionment Time!

There are two things you need to be aware of at the outset:

1. Live @ Edu has limits compared to on-premises hardware (and this affects migrations disproportionately)
2. Going from on-premises hardware to Live @ Edu is just as major a migration as going from (say) Oracle Calendar Server to Live @ Edu.

We've dealt with the first issue already in this blog, including some differences from a coding perspective.
Now let's talk about going from on-premises to Live @ Edu:
First the voice of experience, in this case a user going from E2K7 to Live @ Edu:
http://nzschooltech.blogspot.com/2010/04/migrating-from-exchange-2007-to-liveedu.html
Yes, you CAN devise and execute your own migration process. But but do not plan on it being either simple or fast.
Second, we have the voice of authority, Microsoft, warning about this:
http://outlookliveanswers.com/forums/p/519/4961.aspx#4961
So Microsoft is working the IMAP mail migration angle (be sure to test how long it takes), but calendars, contacts, tasks are not included.

Third, we have the voice of Sumatra:
If someone is moving your calendars, ask if the meetings come over live with guest lists and responses intact.
Our general recommendation: If you're looking at migrating from a legacy system and considering going into Live @ Edu sometime down the road -- all indications are that it is better to make your end-point decision FIRST. It will save you tons of work down the road.

Disable Meeting Forward Notifications

Gentle reader,
When migrating calendars and re-creating their state, Ms. Calendars finds it very useful to disable meeting forward notifications. Otherwise, Ms. Calendars does not know where the heck the darned invitations are or what has happened to them and has no reasonable way in this level of reality to respond to them appropriately.
To do so:
Disable External Meeting Forward Notifications for a Single User
Set-RemoteDomain -MeetingForwardNotificationEnabled $false

Disable Internal Meeting Forward Notifications for a Single User
Set-MailboxCalendarSettings -Identity user email@yourdomain.com
-RemoveForwardMeetingNotifications $true

Google Wave is gone?

Google Wave is gone?
Darn -- now I'll never be able to figure out what it's good for.

Outlook Live: Bulk E-Mail and Daily Recipient Rate Limits

Folks looking to go into Outlook Live should check this out:

Bulk E-Mail and Daily Recipient Rate Limits

Because when you re-create calendaring state as we do in a migration you are very likely to find some people who are hitting into this limit.

We sometimes do get the question: Why do you need to send messages if you are migrating calendars?

(We do, oh we really do!)

The answer: because calendaring in Exchange is a message-based protocol (Duh). Single appointments do not fall under this limit, but meetings DO. And remember, with meetings there's the invitation AND the response.

Outlook Live and Outlook On-Premises Differences

You know.... there's a bunch of these differences between Outlook live and Exchange on-premises.
And like discovering land mines you're only going to know when you step on one of them.
Such is the case with Throttling Policies and the EWSFindCountLimit.
What does this have to do with calendar migrations? Just in our UNDO function (a prudent safeguard which many of you seem to find comforting).
Our QA team discovered weird behavior in Live @ Edu that does not exist in on-premises Exchange when we were trying to UNDO several test insertions at once. The default limit in ESWFindCOuntLimit is 1000 items (and this in our case includes things in the Deleted folder).
So some of our higher-end users were not being UNDO-ne.
We're fixing that and preparing for the next landmine.
Stay tuned.

Inserting into Live @ Edu vs. inserting into on premises hardware

We were working with a client doing a migration into Live @ Edu and wanted to get some absolute data on calendar migration performance on their machines versus everyone else. So in true Sumatra fashion we created a test database of 20 users and had them insert it in their test environment. It took 19 minutes.

And we then inserted the same database into our Exchange environment. That took 12 minutes (not surprising, we have good hardware and not an enterprise-level load)

Then we inserted the same data into Outlook Live @ Edu. It took 71 minutes.

Just to be sure we were not doing something really wrong we ran it twice and got the same manatee-like languid pace. We're used to measuring migrations with a clock, not a calendar.

We're sure we're not processor bound on our client system. The question is whether we're processor-bound on the server (likely) or network-bound (not as likely). The results are in any event troubling for anyone wanting to do a bulk calendar migration.

But wait -- there's even MORE BAD NEWS FOR calendar migrations!

According to Message, Mailbox, and Recipient Limits (tip 'o the hat to Duncan in London), there are limits of 30 messages per minute and 500 recipients per day. And the logs from London's test runs indicate they are already hitting this limit.

Taking calendar data over in a full-state method we re-create all of these and it is not unusual for the even moderately-scheduled user to hit these limits.

Stay tuned. We're working on creative solutions.
There is a ray of hope, though. This thread indicates others are running into the same absurd limits and Microsoft MAY be willing to make exceptions (check out the procedure at the end).

We suggest you folks who want to do a full-state calendar migration contact your Microsoft Rep and ask them if they can get these limits removed for the duration of your migration.

International characters going into Live at Edu migrations

Because we're nutcases about accuracy and dependability we checked international characters going into Live @ Edu migrations and found no problems.

So umlauts, acutes, cedillas, and various other characters should come out fine.

Setting Permissions for a Live @ Edu Migration

OKAY, you are serious about getting out of Oracle Calendar and into the Exchange Cloud. So you need to know how to set up your permissions on your Live @ EDU Admin account so that the migration application has access to all accounts to do what it needs.

 

You only need to do this once and you can remove these (rather generous but necessary) permissions after you have verified the integrity of your data and removed the Keyword.

 

1. Setup live@edu:
   
   1. Your domain must be Org-owned (you'll be setting RBACs….)
      
   2. Create a service account, e.g. deleg8@livetest.YOURDOMAIN.com
      
2. On your PC, connect your local instance of Windows PowerShell to Outlook Live
   
   1. Prerequisites:
      
      1. You'll need Windows PowerShell 2.0.
         
         1. Get it here: http://support.microsoft.com/kb/968929
            
         2. If you have windows XP x86 must upgrade to SP3+; 
            
         3. If you have windows XP x64 use the windows server 2003 x64 version
            
      2. Launch PowerShell: Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell right-hand click and "Run-As administrator"
         
   2. Set the credentials for your Windows Live ID and Password for your Outlook Live account, then define a session
      
      1. $LiveCred = Get-Credential 
         
      2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
         
         1. If it fails to execute, then:
            
            1. Set-ExecutionPolicy RemoteSigned 
               
            2. …. Or unrestricted if you are brave
               
      3. Start a session to import the Outlook Live commands into your session.
         
         1. Import-PSSession $Session
            
         2. Setup RBAC impersonation using built-in role "ApplicationImpersonation"
            
3. Define RBAC impersonation in Powershell:
   
   1. New-ManagementRoleAssignment -Name EWSImpersonation -Role ApplicationImpersonation -User deleg8@livetest.YOURDOMAIN.com
      
   2. After you are done, disconnect Windows PowerShell from Outlook Live:
      
      1. Remove-PSSession $Session
         

Oracle Calendar to Exchange Live at Edu - the Video

We got a request for a video showing data migration from Oracle Calendar to Live @ Edu.

We put together an ad hoc committee to create the clearing for the conversation for possibility..... ah heck.... we just put some software up and did it.

Michael Moore has nothing to be afraid of.

You can also view it off our main site at http://www.sumatra.com/ocs-to-exchange.wmv

The melodious voice you hear is Zyg (whose role in Sumatra is the moody "Ben Affleck" character in contrast to Russ's "Matt Damon" persona).

Interested in trying it out? Our contact page is here.

Migrating Oracle Calendar Server into the Microsoft Exchange Cloud

The calendar gnomes have been busy.

We have gotten some requests to take Oracle Calendar Server into this Microsoft "cloud" thing (which last time I looked had a couple of different names).  Of course we started with Live @ Edu because that's where the first money is.

So if we look at Jimi's calendar in Oracle Calendar we see:

and if we look at his calendar in Sumatra's LIVE@ edu test system we see the exact same thing (minus the color which you cannot port anyway).

Some of you will notice the one appointment that's not there, which led us into looking at timing issues in Live @ Edu.  We found that changing our CAS and EWS URLs for the insertion to remove the "PSH" part removed the issue.

If your Outlook.com server is something like
PODnnnnnnPSH.outlook.com

use:
PODnnnnnn.outlook.com

instead on insertion.

... and Jimi's calendar comes out fine everywhere.  So in case you find yourself missing some data, check the URL you're pointing to.  We obviously don't have as much control over timing and performance in this scenario as we do in a native Exchange environment.  So the first few who go live with our tech are going to be taking the earliest risks for timing and the eternal X-Factor.

Oh yeah, this would work for Meeting Maker, Zimbra, Sun Java Calendar, anything else we can migrate.  But let's face it, Oracle Calendar Server is the one everyone is currently looking to drop ASAP.

This all involved minor changes to the SuExchange interface, mainly to specify Credentials to your CAS server.  Your Live admin account is the one to use:

This also means there's no need to "Run as..." with the Service Account.  Your  CAS credentials effectively ARE the Service Account.

There's also good news on conference rooms, which are looking like we can Accept and Decline them under our control but as always we want more field tests to make sure we're not drinking our own Kool-Aid: 

Keep in mind: our distinction is that we re-create meetings with guest lists and responses and re-create recurrence patterns in moving from OCS to Exchange, and that is the same whether going to the cloud or a native Exchange server.

So from the perspective of your end users it's a migration with results that make it act as though you've been using Exchange all along.

From the trenches: Exchange to Gmail

Ran into this and thought I'd pass it along.

CEO Of Company With 500 Employees: Here's Why We're Ditching Microsoft Outlook For Gmail

This is a corporation with only 500 users.  The number of companies we've seen with enterprise size considering ditching Google is easy to summarize: Zero.  There was one pathetic case we know of a company adopting Google then getting bought and having to drop it just as quickly, but my schadenfreude account is overdrawn this week.

Where we see a lot of Google Mail and Calendaring is in education and mainly for schools without a lot of endowment.  Note to readers: yes, that word has two meanings.

Updated May 26 to add this link:

Microsoft has a blog posting: Why are Businesses Leaving Google Apps?

Pick your Kool-Aid.

Add2Calendar Example from Facebook

It amazes me that Add2Calendar works when I least expect it.

In my Facebook updates I had the following:

I highlighted it and right clicked the IE8 Accelerator and this is what was immediately populated into Outlook:

Which I consider to be very cool.

Macintosh and Exchange: maybe no longer the horror it has been

If you've ever worked with us you know we want to deal with the Macintosh about as much as we want to spend our vacation at Chernobyl where we consider the radioactive waste level lower.

However, anecdotal evidence from some of our calendar buddies (Hi, Vince!) has given us indication of light at the end of the tunnel. Herewith is what we learned:

• If you want to use Apple mail, you should upgrade to OS X 10.6. Earlier versions were not all that good in terms of calendaring and mail. 10.6 has MUCH better mail handling.
• If you want to stay with Entourage, adopt the mantra "patch Entourage to the max" (12.2.3) then install the EWS patch: http://www.microsoft.com/mac/itpros/entourage-ews.mspx
• Go to Exchange 2010 (NOT 2007). OWA is MUCH better for Macintosh users in Exchange 2010. http://www.macworld.com/article/140257/2009/04/exchange2010_mac.html
• Finally, check out this link to the Mac 2011 Road Show: https://microsoft.crgevents.com/OfficeMac2011/Content/Home.aspx

This gets us as giddy with excitement as is possible given that we want to suffocate the whole Macintosh platform in the first place.

There's a few other places migrating Exchange Admins should check out if your Windows-phobic execs conform to Jobsian non-conformity.

Exchange 2010: OWA has a good summary of Outlook Web Access via Safari on a Mac.

Entourage Mac for Exchange Servers: Tips and Reports has the most comprehensive list of Entourage / Exchange issues I've seen (and while there are a LOT of them most are for previous versions).

ResourceWatch Error: The Service cannot be activated due to an exception during compilation

A client called after their ResourceWatch installation started to fail with this error:

Exception: System.ServiceModel.ServiceActivationException: The service '/ResourceDataService.svc' cannot be activated due to an exception during compilation. The exception message is: Could not load file or assembly 'App_Web_aza-n8ud, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies......

How odd----it's been running without issue for months.

There were two possible reasons for the failure:

1. The virtual directory was renamed, or
2. .Net Framework 3.5 was not installed

"Virtual Directory Renamed" When Sumatra The “Publish Web Site” deployment model in Microsoft’s Visual Studio hinges on the name of the web application mapping directly to the virtual directory name. Renaming the virtual directory without changing the ".compiled" directive causes the application to crash. If you don't have to rename the directory, don't. If you do, and it crashes, read Tom Fuller's post where he solves his 'Issue deploying WCF service to IIS 6 in non-updateable mode.'

".Net Framework 3.5" The other reason this fails is because .Net Framework 3.5 is not installed. (This is easily checked, and if you didn't rename the virtual directory, this is likely the problem.)

In this case, the app was moved to a different box, the virtual directories remained the same, BUT, .Net framework was not installed.

Managing Automatic Meeting Responses in Outlook 2010

An Oracle Calendar System migration client called because his end users were complaining ..... "Now that we have migrated how can we disable those irritating meeting invitations and responses?"

Keep in mind -- this is not about the migration process. This is about what happens when Oracle Calendar users transition from OCS to Exchange,

I'm not sure anyone has an answer for complaining end users, but I did come across a blog posting from Microsoft's Outlook team that talks about how to deal with meeting responses in Outlook 2010. (you know, the "I accept", "I decline" messages.....). The post describes how to create a rule to deal with those responses:

1. Keep meeting declines;
2. Keep all responses if they have a comment;
3. Otherwise, move tentative and accept messages into a sub folder (and out of the inbox!)
   

Read the blog post here!

The net result is that Exchange and Outlook will look more like what an OCS user community has been conditioned to expect over the years.

OWA bug fix - Change the start time of a recurring meeting with exceptions now works

When you change the start time of a recurring meeting series in Microsoft Exchange Server 2007 by using Outlook Web Access (OWA), any exceptions to individual meetings in the series are not removed. There's news to Sumatra's calendar customers. Their end users have dealt with this issue for several years.

Rejoice! Microsoft fixed it. For Exchange 2010. There is no joy in Exchange 2007 land - the fix is not for your servers. See KB 980051.

I'll update this post once I know the hotfix number or the rollup version.

"Add2Calendar" an IE8 - Web Accelerator

I receive one or two emails every day inviting me to attend some work, hobby, school, or sporting event. Many of these events, however, do not offer the "add this event to your Outlook calendar" functionality. If I want to add these events to my calendar, I have to do so manually - "cut and paste" the event details into a new Outlook appointment. Ok, it's not hard, it's tedious. It caused me to automate the process, via an Internet Explorer 8 "Web Accelerator".

I first learned about accelerators in an MSDN "Roadshow" put on by two Microsoft Developer Evangelists (Chris Bowen and Jim O'Neil.) They said it was simple to create one... I didn't believe them. I thought it was going to take several days to get started. It didn't. It was as simple as they said!

My accelerator parses highlighted text from the web browser, and return a calendar invitation "on-the-fly" that Outlook easily interprets. There are several ways of adding appointments to Outlook -- I chose iCalendar, since Outlook supports this open standard calendaring format.

What will the user see?

Here is an example of the accelerator in use. I received an email telling me about an upcoming Cambridge Science Festival event. The email directed me to "Boston.com" where I read the event details. I highlighted the event name and time, and right-hand clicked to launch the accelerator:

Here is what appeared in my calendar:

Voila! You can see Add2Calendar captured the event name, date and time, the event summary in the notes area, plus the URL of the event.
For the more technically inclined
This accelerator requires two components:

1. An XML file to define how the browser communicates with that service, and
2. A "URL-based service"

The process to create the XML file is well documented in MSDN. Here is the XML that defines how the browser communicates with the service:

<?xml version="1.0" encoding="UTF-8"?>
<os:openServiceDescription
xmlns:os="http://www.microsoft.com/schemas/openservicedescription/1.0">
<os:homepageUrl>http://www.sumatra.com</os:homepageUrl>
<os:display>
<os:name>Add appointment with Sumatra's Add2Calendar</os:name>
<os:icon>http://www.sumatra.com/images/favicon.ico</os:icon>
<os:description>
Highlight something on a web page and add the item into your calendar
</os:description>
</os:display>
<os:activity category="Appointment">
<os:activityAction context="selection">
<os:execute method="post"
action="http://www.sumatra.com/add2calendar/">
<os:parameter name="sel" value="{selection}" type="text" />
<os:parameter name="docURL" value="{documentUrl}" type="text" />
</os:execute>
</os:activityAction>
</os:activity>
</os:openServiceDescription>

I created my URL-service using PHP. The accelerator passes two parameters back to the PHP code ($sel and $DocURL). If those variables are not null, the PHP code can determine if it should show the "add the accelerator to your browser" page, or parse the selection string and return an iCalendar file.

The PHP code creates a form with a button to add the accelerator to the browser. There is also javascript to check if the accelerator exists:

<script language=\"JavaScript\">
window.onload = function()
{
if (window.external.IsServiceInstalled ('http://www.sumatra.com/add2calendar/add2calendar.xml','Appointment'))
{
document.getElementById('btnAdd2Calendar').disabled = true;
alert("Sumatra Add2Calendar accelerator is already installed!");
}
}
</script>
<BODY>
<h1>Welcome to Sumatra's Add2Calendar Web Accelerator.</h1gt;<br>
<h2>Overview:</h2><p>Not all web sites have an "add this event to your calendar" button....
<br><br><br><Please click the button to add the accelerator to your browser.<br>
<button id="btnAdd2Calendar" onclick="window.external.AddService('http://www.sumatra.com/add2calendar/add2calendar.xml')">Install Sumatra's Add2Calendar Accelerator</button>
<p>Copyright © 2000-2010 Sumatra Development LLC. All rights reserved.<br>

Hopefully this gets you started!

The accelerator doesn't parse everything, yet. It's work in progress. If you use the accelerator, and you have comments (and issues, too!), please post or email us: info AT sumatra DOT com

Ampersands in email addresses

Just ran a few thousand users from Oracle Calendar into Exchange (at a very security conscious site so we were not able to look at their mappings beforehand), and they had some problems with ampersands in email names.

Yep. Bad karma all around.

In fact, you should not be using most special characters for object names, as Microsoft documents here for Exchange 2003 and here for Exchange 2007.

Exchange Calendar Issues fixed with Rollups

Microsoft released rollups for its Exchange Servers on April 13, 2010:

• Update Rollup 10 for Exchange Server 2007 SP1 (KB981407),
• Update Rollup 4 for Exchange 2007 SP2 (KB981383), and
• Update Rollup 3 for Exchange 2010 (KB981401).

I want to report the calendar-related issues that these rollups fix:

Exchange 2007 (SP1 and SP2) - No calendar-related fixes in this rollup

Exchange 2010

1. RPC clients or MAPI on the Middle Tier clients may not receive responses from the mailbox server role on an Exchange 2010 server (KB981664)

Note: Microsoft recommends that you Clear the 'Check for publisher’s certificate revocation' for Outlook users. For OWA users, this rollup overwrites any customizations made to your "logon.aspx" pages.

New one-step mapping method OCS to Exchange

 

Mapping OCS Users & Resources to Exchange Accounts

First, we assume that you have already imported the "users.txt", "resources.txt", and "foreign.txt" into the database using the xCalReader.

There is really only ONE step: Run the query Q_Build_MM_Exchange_User_Map_From_Users

 

THAT'S IT!

We urge you to review the mapping table "MM_Exchange_User_Map" to ensure all accounts have been mapped, and that all accounts have an email address.

 

What happens if I want to change the email address for a few users in the Users table?

Edit the table User_Adjusted_Maps. You must copy the userid, UserNum, and mmLogin from the Users table, although we recommend you copy ALL fields. This makes review easier because you know who the accounts belong to! Add the exchange alias (exch_alias) and exchange SMTP address (exch_email). In the following example, we changed Peter W's email to peterw@nl.th....

 

 

 

What happens if users do not have email in the Users table?

Look in the "Exchange_email_Src" tab for "***Missing Email***", or look for unusual email in the exchange_email tab.

 

Is there a "query" to copy all users with blank emails in the Users table to the User_Adjusted_Maps table?

Yes. It's called "Q_Add_Users_with_Missing_Emails_to_User_Adjusted_Maps"

You will have to add the Exchange Alias and Exchange email address, AND the Exchange type. The choices are "Individual" for a user or group calendar account, and "Resource" for a conference room.

 

I do not see that query in my database?

You must have database version Blank_Conversion_DB_v8.13.0.0413.mdb or greater

 

Meeting Maker sites migrating to Exchange

You can use the exact same queries and methods above, but make sure the email you want to have in Exchange is associated with the MM account you are migrating using MM Admin.

Web-Based Meeting Schedulers via Mashable

I'm posting this up here for those of you who are interested.

Mashable has a review of four web-based meeting schedulers.

4 Web-Based Meeting Schedulers Reviewed

I actually tried Tungle and found it more trouble than it was worth (but that was at least a year ago). And why on earth would anyone name an app Doodle?

Since we deal with corporations I do not think this any of these are going to be high on the agenda among our loyal readers -- but you should see what the twenty-somethings in your organization are going to be trying to integrate with Exchange.

Migrating Large Oracle Calendar installations to Exchange by Subsets

Migrating Subsets of Larger Oracle Calendar Server Installations

April 9, 2010

Background: In re-creating meetings as live meetings from OCS, Sumatra uses the calendar of the meeting ORGANIZER as the definitive source for guest status. Since Exchange is a message-based system, it is crucial that in re-creating the calendar state calendar invitation come from the meeting owner. However, in the case where migrations must be done in phases, it is desirable to maintain as much as possible information from users external to the subset being migrated. This process deals with that.

As an example, let's say that we have an OCS installation in Europe that consists of about 2000 users in the Local users (NL) and 20,000 FOREIGN users (FR). Let's say the NL server is the first to migrate.

We have two issues, NL users as guests of meetings originated by FR users, and FR users as guests of meetings originated by NL users, as per the following table.

		As Owner
		NL	FR
As Guest	NL	OK	Case FR OWNER => insert as appointment in NL calendar?
	FR	Mail Contact	NOT YET MIGRATED

 

Process Change xCalReader Phase

1. Create an additional Users export file of the FOREIGN users and name it FOREIGN.TXT
   

1. Use the following command to generate this file from the FOREIGN OCS server:
   

uniuser -ls -format "%s%:%g%:%uid%:%id%:%node-id%:%email%:" -n 1 -p jimmorrison >foreign.txt

NOTE the additional %email% which will give us the email of that user as defined in OCS. We will need this information for the foreign users.

1. Place this file in the same directory as your USERS.TXT and UNICPOUTU export files. This means both of these files will be read and populated into the database at the same time before any calendar data.
   
2. You will have a new option in xCalReader to ANNOTATE calendar items from Foreign (FR) users.
   
3. Server NODE numbers MUST be different between the USERS.TXT and the FOREIGN.TXT files (see below – we want to assure that our created User ID numbers are unique – and NODE is one of the concatenated elements in this)
   

Notes In converting the users, invitations to NL users from FR users will be appointments in calendars. When the FR users who are OWNERS migrate, these will be overlayed with LIVE meeting data in Exchange. The user can then delete (or keep as they will) the appointment knowing that the meeting data will be updated with changes.

Using a mail contact has the following requirements and repercussions:

We do not (*think*) French users must be on NL server as MailContacts. Valid regular email addresses should be enough to generate invitation from NL owners to FR guests– but we want to encourage you to try it. French users will then receive Outlook calendar invitations to their mail accounts.

French users can accept/decline/ignore, Sumatra process does not create state for these users.

NOTE: this means there will be the original OCS meeting and the new meeting in their calendars, but the new Exchange/Outlook one will be the one updated when a NL user makes changes.

 

Code changes in xCalReader will act so as to

1. Automatically read FOREIGN users
   

1. Convert meetings from foreign users into appointments in guest calendars
   
2. Allow for an administrator defined "Tag" for foreign user originated meetings.
   

 

Process Change User Mapping Phase

User mapping proceeds as documented, except the FOREIGN users will need to be mapped as well. We're documenting this and will forward ASAP.

 

Process Change SuExchange2007

Code changes in SuExchange2007 will act so as to

1. Automatically validate foreign users
   
2. Not generate error messages for foreign user validation
   
3. Create FOREIGN users as guests
   

This will be transparent to current operation but will require testing.

 

 

Things we want you to be aware of

We already know we are not going to get access to any of your data – so we need you to be looking at it for us.

1. Once both USERS.TXT and FOREIGN.TXT are in – we need you to make sure there are no duplicated USER IDs in the USER table. We can tell you how to do this if need be.
   
2. We need you to test this first in miniature and then in full-scale as quickly as possible.
   
3. We could really use sample data from you "users.txt" and "foreign.txt", plus a user's export file that has foreign user meetings (both as an owner, and as a guest)
   

Resource Forest Redux

We just re-wrote the sections on our migration manual dealing with Resource Forests in Exchange 2007/2010 -- here's the early version

• The "User Forest" - I started with an existing AD 2003 Domain - ad03.herring.sumatra.local (windows server 2003)
  
  • Create a user account "Blarney Stone", alias = bstone in the herring.sumatra.local domain
    
• The "Resource Forest" - a new VM: "Resource" forest domain called Sherwood: ex07res.sherwood.sumatra.local. The CAS server is "ex07res"
  
  • In AD Domains & Trusts:
    
    • Ensure DOMAIN AND FOREST levels are windows 2003
      
    • Created a TWO-way: forest trust between the Resource & User forests (Sherwood to Herring) Note: A resource forest trust is a configured ONE-way trust between the Resource & User domains. If you do this, the service account won't be able to see AD, and thus won't be allowed to access anyone's mailbox.
      

Example of the TWO-WAY forest trust between the resource (Sherwood) and the user forest (Herring) (Shown from Active Directory Domains and Trusts)

• In AD Users & Computer on the RESOURCE FOREST ("sherwood"):
  
  • Added the computer ex07res to built-in group windows authorization access group
    
  • Create a service account deleg8 in the resource forest (A new USER account).
    
• Use Exchange Management Console to:
  
  • Create LINKED mailboxes "Blarney Stone" alias = bstone (in sherwood.sumatra.local) Linked to bstone (in herring.sumatra.local)
    
  • Remember to reconfigure IIS to use SSL and have OWA default site property (in the server configuration) to use forms-based authentication
    
• In AD Users & Computer on BOTH the RESOURCE FOREST ("sherwood") AND on the USER FOREST (herring):
  
  • Right-hand click on the domain, get properties, and in the security tab Grant Deleg8 FULL ACCESS to AD. You'll have to go into advanced and set these permissions "for this object & all child objects". If you don't see the security tab, turn on Advanced Features under the View menu.
    

Example of granting FULL Control to this object & all child objects (Deleg8 on Sherwood

(Shown from Active Directory Users & Computers)

• In Exchange Management Shell, on the Resource Forest (sherwood), run this against your CAS server, "ex07res"
  
  • Add impersonation between the (resource forest) service account AND the user account:
    
    • Add-AdPermission -Identity (Get-ExchangeServer -Identity "ex07res").Identity -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
      
    • Add-AdPermission -Identity "Blarney Stone" -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
      
  • Grant Full access to the (resource forest) service account AND the user account:
    
    • Add-MailboxPermission -Identity "Blarney Stone" -User sherwood\deleg8 -ExtendedRights fullAccess -InheritanceType All
      

      
      

• In the Sumatra UI on a 32-bit machine:
  
  • Run the code as the resource service account (sherwood\deleg8)
    
    • I assume you've already granted that account local login rights, and made it a local administrator so you can read/write from the disk)
      
  • The forest: "herring.sumatra.local"; the SMTP domain: "sherwood.sumatra.local"
    
  • CAS server: ex07res (https://ex07res/ews/exchange.asmx)
    
  • Access calendar using: IMPERSONATE
    
  • Test user: bstone (SMTP address: bstone@sherwood.sumatra.local)
    

    
    

• Other Notes and Deviations from the Sumatra documentation:
  
  • Something changed between Exchange 2007 RTM and SP1/SP2. we've had to change our process.
    
  • Microsoft's David Sterling said that EWS expects there to be some sort of AD object in the resource forest to represent the cross forest account, and unfortunately, a foreign security principal is not enough. He wrote out instructions here: http://msexchangeteam.com/archive/2008/04/18/448727.aspx. BUT it doesn't work because he recommends duplicating a SID between the User and Resource forests. That generates lots of AD errors for that service account, and breaks OWA access (as that service account).
    
  • The tool to set permissions on the RESOURCE forest (Sherwood) MIGHT cause you problems because it does not explicitly set permission inheritance. So the permissions might allow you to validate against the mailbox, but NOT insert calendar data. Here was the tool: http://msexchangeteam.com/files/12/attachments/entry447730.aspx
    

• Use the Get-Mailbox -resultsize unlimited add-mailboxpermission to set permissions for all accounts, e.g., Get-Mailbox -resultsize unlimited Add-AdPermission -User sherwood\deleg8 -ExtendedRights ms-Exch-EPI-May-Impersonate, ms-Exch-EPI-Impersonation, send-as, receive-as -accessrights genericall -inheritanceType All
  

  PowerShell example of using get-mailbox (you might see warnings if you've already applied the ExtendedRights to some mailboxes.
  

  
  

• We set AD access on both the RESOURCE and the USER forests
  
• We were able to add a test item using impersonation. Delegation was not working.
  
• After the migration:
  
  • Remove the service account's full access permissions in AD
    
  • Set the trust back to a one-way trust
    
  • Remove the service account
    

• Other fun facts about resource forests:
  
  • Full Disclosure: I am not a fan of Resource Forests. Yes, they offer additional security. At the cost of 4x the complexity. I apologize to you who have implemented them successfully and are happy Exchange Admins. I'm not alone in that opinion. How a resource forest can make you cry is Vermyndax's rant.
    
  • It's easy to implement the Resource Forest in a way that causes the end user's lots of pain. For example:
    
    • Every time the user logs in to Exchange, they have to enter their resource forest credentials. That's almost as bad as my car: it automatically locking the doors once the car starts moving. Great for safety. But, every time I want to exit the car, I either have to either unlock the door before I can open it, OR pull the door handle twice – the first time UNLOCKS the door, the second time OPENS the door. Great security design. Miserable user experience. But I digress. The way around this, by the way: You have to assign the account in the USER forest these additional rights:
      
      • "Read Permissions",
        
      • "Full Mailbox Access", and
        
      • "Associated External Account"
        
    • We had problems when some DELEGATES tried to access their boss' calendars and could not. We discovered those delegate mailboxes did not reside on the same server as their boss's mailbox. The solution: move the delegates mailbox!
      
    • There were access problems for customers who have public folders (you need them if you have Outlook 2003, or if your organization uses public folders). I couldn't figure out how to solve the access problem. Thankfully Jim McBee "Mostly Exchange Web Log" AND Jesper Bernle's Exchange Server blog wrote about how to solve it. Jim McBee found and fixed issues with permissions and delegate mailboxes.

Migrating by department. BION, somoene's doing it.

In the several hundred migrations we've done over the last decade we've adopted as an article of faith that the right way to move meetings is as a Big Bang. It preserves the connections among all the users you migrate and it's not hard to explain to end users. A win-win for the community, an intense time for the administrators, but they get the win-win for the community.

We've always told you though that if your user community mainly consisted of "islands" who tend to only meet internally you could get away with migrating a department (or island) at a time.

But nobody took us up on it.

UNTIL a university in upstate New York said "OK -- we'll try that."

Russ and Zyg sucked in their breath and said "All right then. But if things are not going well after the first few we're going to re-evaluate this, right?"

THREE separate group migrations into it, they seem to be going all right.

There's a few more to go and we're still looking at it, but the results so far are good and we want to give you a preliminary read on how they did it and what's making it work. We're also giving them the opportunity to add anything they want to share in this post.

1. It's relatively small (about 500 users).


2. They are able to identify very specific groups that meet together. The MM / Exchange administration team are doing this on their own without intense database analysis from us (which has helped keep their costs down).


3. Once the island is migrated those users are removed from the Meeting Maker user list. Since they're islands, this isn't usually a problem. As Russ put it, "They burned their bridges after they crossed over."


4. The migration team at the university gained experience early on in mapping users and after a proof of concept migrating their internal team they then proceeded to two other islands. Again, their motivation and competence here was key in keeping costs in control.


5. After three separate island migrations things are looking good to complete the rest on a staggered schedule.
6. The university adds that advance testing and end-user expectation communication made things go better.


7. We at Sumatra are happy to give credit whenever our clients are more clever than we are.

So our moral: It is possible, but start small and keep an eye on it as you move forward.

What's this look like from an end-user's perspective? The same as it would in a full migration. They walk in one morning and user Meeting Maker. They walk in the next morning and they're on Exchange. BUT: Any MM users not in the migrated group are now not on their guest lists. That's the price you pay for this staggered approach. In the immortal acronym of Robert Heinlein as morphed by Milton Friedman, TANSTAAFL.

Blast from the past

Look what Zyg found in the basement.

Meeting Maker 1.5 diskettes (DISKETTES!), back when it was Macintosh only. The video comes from a few years later after a bunch of est-heads (no joke) bought the company and decided to align themselves to the up-and-coming software powerhouse -- Novell.

Meeting Maker / Oracle to Google Calendar

The calendar elves have been working on a few things to move data from Meeting Maker into Google Calendar, and we thought we'd update you. It's not perfect yet, but it's well within striking distance. This will work for Oracle as well of course.

First let's take a look at a typical Meeting Maker 7 calendar (sorry, the company really won't sell us version 8 anytime soon so we're left with the trial version we've been using since 2001).


And here, using our current zinsert to create ICS files is what this looks like via an import in Google Calendar.

First thing to notice: the old MM DST code causes a shift (which if you update your server or get us to rebase your data will not happen), and banners are a little off (we can fix this).

But the good news is that it involves WAY less work than our previous versions.

This does work client-side (we're working on the XML for server-side, but we've gotten no pressure for it yet so it's just simmering away).

On MAJOR ICS datafiles (in this case 2.5 Mb), we've been getting this warning:

But all the data seems to go in. Our test was simple: is the last object in the file inserted? If so, we're fine, and it was.

Removing Outlook Holidays Server-Side

We get all kinds of requests on the Holiday insertion application.

One of the more recent ones is interesting enough to blog about.

The subject is the holidays Outlook client can insert for you and how to remove them SERVER-SIDE.

Turns out that the old Exchange 2003 Utilities could handle this as a matter of course, but our new version did not until last week.

Here's the slightly longer technical story about what's happening: The Outlook holiday capability inserts client-side and helpfully includes the Category "Holiday"

That's good - because I have no idea what corporate or university user needs to know when Groundhog Day is (who put this list together, a grade school teacher?).

Looking at it in OutlookSpy you can also see why the terminology "Keyword" got applied to this early on and stuck.

Anyway, in Exchange 2003 the Sumatra Utilities used only the Keyword field, but to be safer in Exchange 2007 when we moved to EWS we also used a couple of hidden fields including Mileage (not as uncommon a technique among calendar applications as you might imagine).

So we expanded the concept of UNDO to be both for Category only or Category AND Mileage.

The good news, we fixed it so if you want to remove data server-side you can.

AND REMEMBER: We require keywords so that you do not accidentally remove everything in a calendar. But you WILL remove everything tagged with "Holiday." So be careful! You have been warned.

Exchange 2007 Calendar Issues fixed with Rollup2

On 1.22.2010, Microsoft released Rollup2 For Exchange 2007 SP2.

Here are the calendar-related issues that Rollup2 addresses:

970817 An appointment is displayed incorrectly as an all-day event if you use a mobile device to synchronize the calendar in Exchange Server 2007

971177 The Auto Attendant 'Business Hours' schedule is not updated in Exchange Server 2007 when the DST setting is changed

971349 Exchange Server 2007 users intermittently cannot access an Exchange Server 2003 user's Free/Busy information in Office Outlook 2007

973969 Incorrect exceptions are generated for a recurring iCalendar message when an Exchange Server 2007 server processes an SMTP message that contains the iCalendar message part

974161 Some attendees cannot receive a meeting cancellation notification when the appointment recurrence pattern is changed by using EWS in Exchange Server 2007

974999 The "Task Owner" field is not set when you create a task in Outlook Web Access

975165 EWS proxying requests fail after you run Availability Service requests in a CAS to CAS proxying scenario in Exchange Server 2007

975404 An attachment of a meeting request cannot be opened when you use a CDO application to accept a meeting request in Exchange Server 2007:

975903 The RemoveDelegate operation of EWS fails, and then a "500 internal server" error response and event ID 4999 are logged in an Exchange Server 2007 server

976025 The free/busy information of an Exchange Server 2007 user is not displayed

977091 The time for an updated meeting request is incorrectly shown in an exception instance of a recurring meeting request on an Exchange Server 2007 environment

Zimbra Calendar / Tasks / Contacts to Exchange 2007/2010 Migrations

Update November, 2011.  If you're interested in Zimbra to Exchange calendar migration, see our newer posts on a faster, simpler method.  http://calendarservermigration.blogspot.com/2011/11/faster-easier-zimbra-ics-to-exchange.html


December was a busy time at the Sumatra HQ.

We averaged two migrations a week and got three inquiries about migrating calendars from Zimbra to Exchange -- one of which we consider credible in that they kept a dialog going.

So, after a few weeks of skunk works development (which is an oxymoron here), we've got Zimbra calendaring, tasks, and contacts migrating into Exchange 2007/2010, with full state information intact.

Of course, if you want to take calendar data INTO Zimbra we can still do that. But we are kind of psyched that this is the first calendar we'll take you into or out of.

Keep in mind, you could export your ICS files and import them into Exchange (try it and see if that preserves your guest responses) or you could just move PSTs (again, try it). Our process re-creates the guest lists and responses of the calendar data on the Exchange side and it does it server-side with no end user interaction.

Oracle Calendar Server Designate to Microsoft Exchange Delegate Migration

Trying to get Outlook Delegate Permissions:

from Oracle Calendar Server Designate Access Rights

can be tough.

We just made the Oracle Calendar DESIGNATE to Microsoft Exchange DELEGATE migration simpler (and removed PFDAVAdmin from the equation, while it worked it was a complicated pain in the neck).

Now under the processing stage check box in our insertion code is an option called "Set Delegates"

It takes a converted designates export file, as we've previously told you how to build, and will set those according to these rules:

• Users must be VALIDATED
• NO delegates are set to see PRIVATE items on Exchange
• NO delegates are set to receive Meeting Invitations
• There is no UNDO for Delegates
  

Here is the “get-mailbox fl” command that shows Russ has been set as Zyg's delegate

In the database:

If Delegate is true then the user is assigned as an EDITOR

If ReadONLY is set to true, then the user is assigned as a REVIEWER

If ReadONLY is set to FALSE, then the user is assigned to AUTHOR

Here is the commandlet to WIPE OUT ALL DELEGATES, regardless of who set them:

get-mailbox -ResultSize unlimited where {$_.Servername -like "Server" -and $_.GrantSendOnBehalfTo -ne {}} Set-Mailbox -GrantSendOnBehalfTo $null

(Remember to change “SERVER” to your server name!)

We suggest you use this in your TEST environment for verification purposes.

Insert Holidays Server-Side into Exchange 2007

Done.

Ship it.

The Sumatra Utilities for Exchange 2007 are now available for download.

Keep in mind, they won't just insert holidays for the 2010 calendar year, they'll also let you:

• Check for broken meetings in your conference rooms
• Gracefully remove terminated user meetings
• Extract resource use data you can then analyze in a spreadsheet (not full ResourceWatch but it gives you easy access to data that was hard to get before)
• And if you want to start using them to develop your own applications (we've got one business school that's done that and another evaluating), we can do that as well.

Sumatra Utilities documentation is out

A quick update on the Sumatra Utilities for Exchange 2007: we've field proven them in an East Coast medical school with over 8000 users.

Insertion of 10 holidays for these users took about three hours.

We consider that a success.

We're running our final regression testing on them now but we can give you the link to the documentation (Word format).

http://www.sumatra.com/Sumatra%20Utilities%20Manual.doc

Stay tuned.

Impersonation in Exchange 2010

Quick tip: Impersonation in Exchange 2010 has morphed from setting ACLs to Role Based Access Control (RBAC). It could not be easier to impersonate users in the entire domain:

new-ManagementRoleAssignment -Name:_suImpersonateRole
-Role:ApplicationImpersonation -User:'xxx@xxx.xxx'

Here is a link to a Microsoft TechNet article: Understanding Role Based Access Control

Sumatra Utilities for E2K7 available next week

We're not trying to drive you crazy -- just trying to make sure everything works and getting our legalese squared away.

The Sumatra Utilities for Exchange 2007 (including holiday server-side insertion capability) will be available next week.

Keep checking here for updates.

FullAccess fails with the error: The specified folder could not be found in the store.

I have been banging my head against the Exchange 2007 brick wall for the last month over the error: "The specified folder could not be found in the store."

Sumatra's conference room analysis tool's Exchange Web Service calendar folder "FindItem" request failed for about 5% of the rooms at one client. Other clients do not have this problem! The service account had FullAccess to all rooms. All conference rooms were on the same Exchange mailbox server, in the same OU, configured to autoaccept. Some had delegates, some did not.

The client could use the service account credentials to access the calendars via OWA. Was it a corrupted meeting? We changed FindItem's interval. No luck. Was EWS timing out over a large mailbox? Increased the HTTP timeout. No luck. Our FindItem requet uses the DistinguishedFolderID. We called GetFolder to find the FolderID. It failed on the inbox with the message "The specified object was not found in the store", and for the calendar folder with the message "The specified folder could not be found in the store".

Ahha! The permissions were not inherited. We added "InheritanceType: All" and it worked. Here is the syntax:

Get-Mailbox -filter {isResource -eq $True} -Resultsize unlimited
Add-MailboxPermission -User: xxxx -AccessRights: FullAccess
-InheritanceType: All

Holiday insertion server-side in Exchange 2007

Remember the Sumatra Utilities for Exchange 2003 and their beloved server-side holiday insertion capability?

And you remember how every year you ask us if we've done it for Exchange 2007?

Well, we (finally) rebuilt it for Exchange Web Services. Check out this example.

Friends of Sumatra can use this at no charge (you all know who you are) so just ask us and we'll send it out.

For everyone else we're actually going to charge for the capability this time.

Which brings me to the purpose of this posting: If you have any preferences on how we should do this -- drop us a line. If you do not know our emails you can use our contact form.

Oh yeah -- this is also going to include the broken meeting check, the terminated user utility, and the interface for managing conference room statistics (the full application for the last one will be a separate follow-on offering).

500 errors on test insertion into Exchange 2007?

When you get a "500" error on validation or a test insertion, please verify your:

1. CAS/MBX boxes are members of Windows Authorization Access Group
2. Impersonation permissions stuck (and are not denied) through Active Directory Sites & Services
3. Service Account is NOT a member of any Exchange Admin Group/Domain Admin group

Oracle Calendar / Meeting Maker to Google Calendar Migration

OK, for street cred, we did a Meeting Maker (it will work with Oracle or Sun Java Calendar as well) to Google Calendar migration extension.


Keep in mind, we'll morph this as it makes contact with the real world. Here's how it currently works.


We use our tools to produce ICS files. Not a problem for appointments, but for meetings the idea is to make them live.


Here's how we do it. We insert the emails of the attendees into the OWNER's agenda.

She or he can find these really easily after inserting into Google by searching for "(re-propose)" Open it and highlight the emails, copy / drag them into "Guests"

SAVE it and SEND it:
Voila, live meetings, simple, inexpensive, and done.

There's a few issues: I think we'll load all the To-Dos into an All-Day Event on the day of the migration (since Google doesn't have an import/export capability for Tasks yet).

We migrate Contacts via CSV files.

We looked at automated ways of uploading, but the Google Calendar API does not support uploading via ICS. So we're sitting on XML uploads via cURL until we have a corporate customer (which means we are not holding our breath).

We think it's more likely a corporate customer is going to want to get OUT of Google Calendar and into Exchange (you listening, Roche?).

NB: We only handle "re-propose" for meetings which have not yet ENDED -- any other meetings get turned into appointments in everyone's calendar.

Smartphones and your calendar server migration

We go over this a lot with folks and it's worth blogging about.

Let's say you're switching your calendar server and you've got BlackBerrys, Smartphones, ancient PDAs, whatever connected to your old server. And you want to use the same product when you're done in your NEW environment (let's call it Exchange).

Our recommendation is that as part of your migration process you blank out your calendars in your source system and re-synch completely on your target.

Why? Because the synch usually keeps track based on something called UIDs (or Universal Identification Numbers). You change your calendar server, you change your UIDs, and if you're not careful your Smartphone will get data from BOTH systems (and this is a hassle).

While migration is going on we strongly recommend turning off your BlackBerry server. Why? Sumatra generates a lot of email as part of re-creating end-user calendars in Outlook. While Sumatra’s insertion technology removes almost all of that email from end user’s in boxes, it can not remove those messages delivered to your device via the BlackBerry Exchange Server. So depending on your migration option your BlackBerry users will either be flooded with a lot of email (no EventSink) or some email (EventSink).

Since your BlackBerrys, Palms, or WindowsMobile PCs is synched with a system that is obsolescing – you will need to clear the calendars when you shut down your Oracle Calendar / Meeting Maker / Sun Java Calendar / etc. server, then have your users re-synch after the migration is completed.

BlackBerry

For clearing the calendar on the Blackberry – see the following webpage:
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/7925/8142/How_To_-_Reset_the_BlackBerry_device_calendar.html?nodeid=1201826&vernum=1

Palm

For clearing the calendar on a Palm OS, you might use the Purge function:
http://kb.palm.com/SRVS/CGI-BIN/WEBCGI.EXE?New,kb=PalmSupportKB,CASE=obj(5029),ts=Palm_External200173

Windows Mobile (Pocket PC)
For Windows Mobile, you can:
· Open ActiveSync
· Double Click on Calendar.
· Change the settings such that it syncs only 0 past and 0 future appointments.
· SYNC - this will clear all calendar items on the IPAQ / most other Pocket PCs.
Note: Some earlier ActiveSync versions attempt to interpret the default Sumatra Category as a date field. If you have Windows Mobile PCs you should remove the keyword AFTER you have done your quality assurance testing on the migration. Sumatra also has a COM add-in for Outlook that will accomplish the same thing on a user-by-user basis.

NotifyLink

Updated September 10, 2009 with info from Notify Technology.

Migration for NotifyLink Enterprise Server (NLES) Users with recent versions.

An administrator must:

1. Make sure the NLES server and device software are up to date.
2. Create the new mail and PIM servers
3. Open the user administration list and for each user to be moved, select the “Edit User” button.
4. On the “Edit User” page, switch the email and PIM servers to the new servers that were created.
5. This should all be done after the actual migration is complete on the server side. Notify Tech claims their software should handle the rest. It should re-prime accounts and issue full resynchronization commands. The device PIM stores will be automatically cleared and reloaded with the new account info.
   
   Earlier versions of their software ran a more complicated, non-automatic process.

"Run-As" for Vista/Windows Server 2008

Wondering how you can get the "Run-As" back in the context menus for Vista and Windows Server 2008? Thanks to Sysinternals Mark Russinovich and Jon Schwartz it's easy. Their tool ShellRunAs is located here: (http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx)

It's easy to use - Unzip and move shellrunas into windows\system32. Then type the following in the start/Run command line: shellrunas /reg. That's it. Right click on an item to see "Run as different user"

Russ

When the Cloud disappears why does everyone not fall to earth?

Gmail went down again on September 1, 2009.

My schadenfreude finally met my Weltanschauung.

Of course, I got THIS one at 3:43 PM PDT which was DARNED confusing:

So with everyone who's been looking to migrate into Google Calendar: be really careful what you ask for.

And to everyone already there: migrating OUT of Google Calendar into Exchange is a LOT easier than a real time server-side synch between the two.

Yes, we joined Twitter

You can now find us on Twitter:

http://twitter.com/sumatra_dev

We're sending all our future blog postings there, too.

Facebook is just not a natural match for us, though.