The Exchange Server Troubleshooter - 05 Jun 2000
Read some tips about CDO libraries, DL ownership; public folder links and searches, moving users between sites, Offline Address Books, SMTP encryption, IMAP clients and licenses, Lotus Notes synchronization, and mailbox access restrictions.
June 5, 2000
What's the most recent version of the Collaboration Data Objects (CDO) library?
At first, I thought the answer was the version that comes with Exchange Server 5.5, Service Pack 3 (SP3). However, I discovered that the most recent version of cdo.dll is 5.5.2651.91, and the most recent version of cdohtml.dll is 5.5.2651.70. These libraries fix several bugs that SP3 introduced. (For a description of these bugs, see the Microsoft article "XADM: Exchange Server 5.5 Post-SP3 Collaboration Data Objects Fixes Available" at http://support.microsoft.com/support/kb/articles/q258/6/34.asp.)
By the way, if you're interested in or involved with CDO programming, drop by Siegfried Weber's CDOLive Web site (http://www.cdolive.com) for plenty of sample code and useful information. Microsoft recommends that you use CDO 1.21 for client-side code and CDO 2.0, which comes with Windows 2000, for server-side use. Exchange 2000 Server includes a new server-side-only version of CDO (i.e., CDO 3.0).
I have a distribution list (DL) in one site, and I want to assign as the owner a user in a different site. Outlook won't let me make the change. Why not?
Sorry, but you can't make this assignment directly. Objects have write access to other objects only in the same site (they have read-only access to objects in other sites), so Exchange Server restricts DL ownership to users with mailboxes in the same site as the DL. You can find another owner for the DL, or you can create a dummy mailbox in the DL's site and assign the mailbox to the user account of the other site's user. Of course, the user must connect to the dummy mailbox to administer the DL.
At the 1999 Microsoft Exchange Conference, the CommNet machines had documents and Web pages with URL links to public folders. How can I configure public-folder links?
The task is easy when you use Microsoft Outlook. Microsoft has added a new URL type, called outlook, that configures this type of link. For example, to launch Outlook and open the Current public folder (a child of the Sales folder), specify a URL that points to outlook://public folders/all public folders/sales/current. To open a document within the folder, specify the document and place a tilde (~) in front of the document's name (e.g., outlook://public folders/all public folders/sales/current~may-sales.doc). However, non-Microsoft browsers might not be able to use this technique to open documents.
How can I make my public folders' contents searchable?
To make your public folders searchable without pulling their content into another format (e.g., HTML), use Microsoft Site Server. Site Server understands public folders and can crawl through a set of nested folders to retrieve and index their contents.
Setting up Site Server isn't for the faint of heart. (For more information about this task, see "Integrating Microsoft Site Server Search with Microsoft Exchange" at http://www.microsoft.com/siteserver/site/deployadmin/integrateexchange.htm.)
As an alternative, you might consider outsourcing your search and data indexing jobs to a search service, such as Atomz.com (http://www.atomz.com). As a third option, upgrade to Exchange 2000, which includes full-text indexing—a nice feature.
I have two Exchange Server 5.5 servers and two sites that I've connected with a site connector. How can I move all users from one site to the other so that I can retire one server?
The only way to move users between sites in Exchange Server 5.5 is to manually move the mailbox and mail. (You can't use the Tools, Move Mailbox command because Microsoft Exchange Administrator lacks the code to rebuild the moved objects' and messages' attached internal X.400 addresses.)
One conceptually simple but logistically difficult method is to export the target mailbox contents to a personal store (.pst) file, delete the mailbox from the original site, recreate it in the new site, and import the .pst file's contents. A better method is to use the Exmerge tool, which automates the process. You can get Exmerge from Microsoft Product Support Services (PSS—Thanks to reader Ron Brown for this question).
We want to use Offline Address Books (OABs) for our remote users, but when our users open OABs, they see only addresses from their home site. How can we expand an OAB?
This OAB behavior is intentional. Each site has a recipient container. Microsoft designed a site's OAB to contain recipients from that site only. When you have more than one site, you run into the problem that you describe. To build an OAB that includes the entire organization's Global Address List (GAL), open the DS Site Configuration object in your site's Con-
figuration container. Select the Offline Address Book tab, then click Add and select the containers that you want to include in the OAB. Click Generate Offline Address Book Now, and wait for the OAB to percolate out to your clients.
How can I encrypt SMTP traffic that passes between our Exchange servers?
The Simple Authentication and Security Layer (SASL), which the Internet Engineering Task Force (IETF) defines in Request for Comments (RFC) 2222, lets you secure connections between two SMTP hosts without passing usernames or passwords as clear text. SASL provides standards-based authentication that clients can use to authenticate themselves to an Exchange server without sending plaintext username/password pairs over the Internet.
Because the Exchange Server implementation of SASL also uses Secure Sockets Layer (SSL), you'll need a server certificate for each server (just as you need with SSL). The Microsoft article "XFOR: Connecting Internet Mail Service (IMS) to IMS with Simple Authentication and Security Layer (SASL)" at http://support.microsoft.com/support/kb/articles/q174/7/54.asp explains the steps to obtain and install a certificate for use with SASL. After you follow these steps, you can use the RFC 2222-defined option set to turn on SASL.
To use SASL with Exchange Server, you need to configure the Microsoft Certificate Server that comes with Microsoft IIS and register its certificate with a public Certificate Authority (CA), such as VeriSign, or with your private CA. Then, you can follow these steps to turn on SASL authentication:
Open the IMS Properties dialog box, and select the Security tab.
Select the domain for the target IMS with which you want to talk securely. If a domain entry for that IMS doesn't already exist, click Add to create one. If the entry exists, select it and click Edit. The Edit E-Mail Domain security information dialog box will appear.
Click SASL/SSL security. If you want to permit plain SASL, select the SASL/AUTH check box and enter the account name of the remote IMS's administrator. Better still, leave SASL/AUTH turned off and select the SSL encryption check box instead.
We recently moved some non-Outlook users, who all use IMAP clients, to our Exchange server. Since they've joined us, we keep getting licensing-error messages from Exchange Server, even though we have enough client-access licenses for our user base.
Not all IMAP clients are created equal. Microsoft's IMAP products (Outlook and Outlook Express) open IMAP connections to a server one at a time. These products occasionally add a temporary second connection, but usually they act like Outlook in Messaging API (MAPI) mode: one user, one connection. Other clients, such as Pine and Eudora, frequently open multiple connections. This habit makes these clients somewhat more efficient, but because the Exchange Server security association (SA) counts each concurrent IMAP connection as a unique entity, many simultaneous IMAP connections can suck up all your licenses. You have three choices: Add more licenses, switch to per-seat (instead of per-connection) mode, or switch IMAP clients.
We're trying to implement directory synchronization between our Lotus Notes servers and the prototype Exchange Server implementation in another business unit. Can we customize how Lotus Notes and Exchange Server attributes map back and forth?
Yes. The Lotus Notes connector for Exchange Server uses four control files that tell it what to synchronize and which attributes to carry as part of the process. These files can use rules that you write to complete fairly complex transformations; for example, you can easily convert a system's mail addresses from firstname.lastname to firstname_lastname. The process is too involved for me to explain here, but the Microsoft article "XFOR: Customizing Directory Synchronization Between Exchange and Notes" at http://support.microsoft.com/support/kb/articles/q180/5/17.asp covers it in detail.
We're trying to split up administrative tasks so that some of our Help desk staff can manage mailboxes. How can we restrict their access to mailboxes on one server?
To restrict access easily, you need Exchange 2000. Exchange Server 5.5 defines permissions at the organization, site, and configuration level, so you can't put permissions on just one server. Exchange 2000 lets you use fine-grained permissions. If you can't use Exchange 2000, you have two alternative methods:
Put users in recipient containers, then assign permissions on the containers. I don't like this alternative because it increases the difficulty of moving users.
Put each server in a separate site. Because you can assign permissions at the site level, you control permissions on each server—at the cost of some extra management overhead (e.g., you must manually add connectors to enable intersite messaging and replication).
About the Author
You May Also Like