Archive for February, 2010

Accepted Domain

There are 3 types of accepted domain in Exchange.  These are:

  • Authoritative Domain – This is used when the recipients are configured within the Exchange organisation, for example configuring users within your organisation with an additional e-mail address.
  • Internal Relay – This is used when you share contacts across different mail systems.  When this type of accepted domain is configured, Exchange Server will receive the mail; if there is no mailbox for that address in the Exchange Organisation it will forward it to another server for delivery.  This is often referred to as a Shared SMTP Namespace.
  • External Relay – This is used when the Exchange Organisation is responsible for receiving the email but then simply forwards the mail on to another system.  In this scenario there would be no mailboxes within the Exchange Organisation for this domain.

The most common request is how to configure Exchange Server to receive and deliver mail for an additional domain name.  This could be because of a company merger, a change in name or you could simply be hosting multiple domains within a single Exchange Organisation. For this you would use an Authoritative Domain.

Authoritative Domain

To configure an authoritative domain we can either use the Exchange Management Console or the Exchange Management Shell.  This guide will use the Exchange Management Console.

Using the Exchange Management Console navigate to Organisation Configuration > Hub Transport > Accepted Domain.  In the action pane on the right hand side select New Accepted Domain.  This will start the wizard that will allow you to configure Exchange for a new domain.

Enter a name for your accepted domain. It doesn’t make any difference what this is, but make sure you use a name that will allow you to identify it easily later.  If you have a large number of accepted domains it can be quite difficult to tell them apart.  Then in the accepted domain field, enter the domain name for which you want Exchange Server to accept mail.  Click Next.

You will then be presented with a screen confirming your entries on the previous screen as below.  Click Finish.

Internal or External Relay

Once you have created an Internal or External Relay domain you need to configure a Send Connector so that Exchange knows where to route the emails for this domain.

To do this, using the Exchange Management Console navigate to Organisation Configuration > Hub Transport and in the Action pane on the right hand side select New Send Connector.  This will start the wizard that will allow you to configure your new connector.

Give the connector a name.  Again it doesn’t make any difference what this is, but make it something that will allow you to identify the connector later should you need to.  From the drop down list of intended uses select Custom.  Click Next.

On the screen above click the Add button and enter the domain name that you wish to be forwarded to another server.  You can choose whether or not to check the box that includes all subdomains: for example, if you had a domain that was mail2.gkvirtualdomain.co.uk and you wanted this to go to the same place then check the box.  My personal preference would be to set up a separate send connector for this purpose rather than include it in this one.  Click OK and then Next.

On the next screen either enter the IP address of the system that you want to send the email to or the Fully Qualified Domain Name (FQDN).  Click OK and then Next.

The screen above is where you would enter any authentication that is required to connect to the other system.  This is dependent on the system you will be sending mail to.  Make your required choices and click Next.

On the Source Server screen you click the Add button and select from the list a server in your organisation that has the Hub Transport role or select an Edge Subscription.  Click Next.

The screen above just confirms the information you have entered in the previous screens, review this here and if necessary use the Back button to make any changes.  Once you are happy with the details click the New button.

On the final screen you receive confirmation of the Exchange Management Shell command that has been executed and if it’s been successful or not.  As with all wizards in Exchange 2007 & Exchange 2010 these completion screens can assist you in getting to grips with the Management Shell commands as it displays the full command that is used.  Click on the Finish button to close the Wizard.
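The completion screen shows the Exchange Management Shell command the wizard ran. As an added example (not code from the original post), the same three accepted domain types and the send connector for a relay domain can be created directly from the shell. The domain names, the smart host address and the Hub Transport server name are placeholders.

```powershell
# Added example, not from the original post. All names and addresses are
# placeholders: replace them with your own accepted domains and servers.

# Authoritative: recipients for this domain live in this Exchange organisation.
New-AcceptedDomain -Name "Example Authoritative" -DomainName "example.com" -DomainType Authoritative

# Internal relay: deliver locally when a mailbox exists, otherwise hand the
# message on to the other mail system (shared SMTP namespace).
New-AcceptedDomain -Name "Example Internal Relay" -DomainName "shared.example.net" -DomainType InternalRelay

# External relay: nothing is delivered here, everything is forwarded on.
New-AcceptedDomain -Name "Example External Relay" -DomainName "relay.example.org" -DomainType ExternalRelay

# Send connector that routes the relay domain to the other mail system.
# -DNSRoutingEnabled $false makes the connector use the smart host instead
# of MX lookups; -SmartHostAuthMechanism None is the 'no authentication'
# choice on the wizard's authentication page. Only the address space named
# here is routed; a subdomain such as mail2.relay.example.org needs either
# a second address space or, as the post prefers, its own connector.
New-SendConnector -Name "Relay to other mail system" -Usage Custom `
    -AddressSpaces "SMTP:relay.example.org;1" `
    -DNSRoutingEnabled $false `
    -SmartHosts "192.0.2.25" `
    -SmartHostAuthMechanism None `
    -SourceTransportServers "HUB01"

# Check: every domain you expect Exchange to accept must appear here with
# the right DomainType, otherwise the e-mail address policy wizard will not
# offer it and inbound mail for it will be rejected as a non-local recipient.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType -AutoSize
Get-SendConnector | Format-Table Name, AddressSpaces, SmartHosts, DNSRoutingEnabled -AutoSize
```

The last two commands are the check worth running after the wizard: a domain missing from Get-AcceptedDomain, or a relay connector whose address space does not match the relay domain, is the usual reason mail for the new domain bounces.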

E-mail address Policy

If you have configured an Authoritative Domain or an Internal Relay Domain then you may want to automatically generate e-mail addresses for new and existing recipients.  I tend to use the Company field under the Organisation tab and simply enter the domain name that I want that user to belong to, as illustrated in the picture below.  The one thing to note here is that if you are specifying a non-standard e-mail address and therefore need to modify the e-mail address policy before it is applied to your users, do not enter any criteria here until you have done that: policies do not remove e-mail addresses, they simply add additional ones.

You then need to configure an e-mail address policy.  To do this, in the Exchange Management Console navigate to Organisation Configuration > Hub Transport and in the action pane on the right hand side select New E-mail Address Policy.  This will start the wizard to create a new policy.

Give the policy a name. As before it doesn’t matter what this name is but make sure it’s something that will allow you to easily identify the policy later if needed.  Click Next.

On the Conditions screen you define the criteria for the recipients that will receive the new policy.  If you want the policy to apply to all recipients then do not define anything here.  If you are using the Company field like I do then enter the criteria as displayed above.  Click Next.

On the E-Mail Addresses screen you need to define what e-mail address will be used by this domain.  Select one of the default settings (if there is not one in the list that matches your requirements we can modify it later) then click the Browse button to select the domain you created earlier as an accepted domain.  NOTE: if the domain isn’t listed then Exchange does not see it as an accepted domain.  Once you have selected the domain click OK.  Back at the main wizard, right clicking on the e-mail address will allow you to edit the format of the address, so you can define your own local part of the address.  The fields you require can be found here: http://support.microsoft.com/kb/285136

On the Schedule screen, select when you would like the schedule to run.  This process does not stop any services but if you have a large amount of users it could take some time to apply and may cause a slight degradation of service.  Click Next.

Check the details in the confirmation screen and if you are happy with it click New.  If there are any changes to be made click Back.

The final page of the wizard will confirm the Exchange Management Shell commands that have run and will advise if the creation of the policy and application to the recipients was successful. Click Finish to complete the Wizard.
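The wizard's final page again shows the shell commands it ran. As an added example (not the post's own code), this is the equivalent policy built from the shell, using the Company field as the condition in the way the post describes and the givenname.surname template from KB 285136. The policy name, company value and domain are placeholders.

```powershell
# Added example, not from the original post. The policy name, the Company
# value and the domain are placeholders.

# Recipients whose Company attribute is "example.com" get the address
# givenname.surname@example.com. The "SMTP:" prefix in capitals marks it as
# the primary (reply) address; a lower-case "smtp:" would add a secondary one.
New-EmailAddressPolicy -Name "example.com users" `
    -IncludedRecipients MailboxUsers `
    -ConditionalCompany "example.com" `
    -EnabledEmailAddressTemplates "SMTP:%g.%s@example.com" `
    -Priority 1

# The wizard's schedule step is Update-EmailAddressPolicy. Run it when the
# template is final: as the post notes, applying a policy adds addresses
# and never removes ones that an earlier template already stamped.
Update-EmailAddressPolicy -Identity "example.com users"

# Check the result for the recipients the condition was meant to catch.
Get-Recipient -Filter { Company -eq 'example.com' } |
    Format-Table Name, PrimarySmtpAddress, EmailAddresses -AutoSize
```

The check at the end is the one to run before pointing any MX record at the server: a recipient that matched the condition but still shows the old PrimarySmtpAddress means the accepted domain was not visible to the policy, and mail to the new address would be rejected.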

DNS Configuration

The final part is the DNS Configuration.  You need to configure the MX record for the new domain to use the A record that matches your rDNS (PTR) record.  This is the only thing that needs to be changed.  As your Exchange server will connect to recipient SMTP services using the same IP address regardless of what domain you are sending from, you only need 1 rDNS record.  The DNS configuration for Exchange is explained in more detail in my post here: https://demazter.wordpress.com/2010/02/09/exchange-dns-configuration/
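The rule above (every domain's MX points at the one host name whose A record matches the server's single PTR record) is easy to get subtly wrong for the second or third hosted domain. As an added example that is not part of the original post, the function below checks that chain over a set of constructed records; the domains, host names and the 192.0.2.25 address are made up for the illustration. Feeding it records from real lookups is left to the reader.

```powershell
# Added example, not from the original post. Records below are constructed.
function Test-OutboundMailDns {
    param(
        [string]$Domain,
        [hashtable]$MxRecords,   # domain      -> MX host name
        [hashtable]$ARecords,    # host name   -> IPv4 address
        [hashtable]$PtrRecords   # IPv4 address -> host name (rDNS)
    )
    $problems = @()
    $mxHost = $MxRecords[$Domain]
    if (-not $mxHost) { return ,@("no MX record for $Domain") }

    $ip = $ARecords[$mxHost]
    if (-not $ip) { return ,@("MX host $mxHost has no A record") }

    $ptr = $PtrRecords[$ip]
    if (-not $ptr) {
        $problems += "no PTR record for $ip"
    } elseif ($ptr -ne $mxHost) {
        # The classic mistake: the new domain's MX uses a different host name,
        # so receiving servers see a PTR that does not match the HELO/MX name.
        $problems += "PTR for $ip is '$ptr' but MX host for $Domain is '$mxHost'"
    }
    return $problems
}

# Constructed records: one server, one IP, one PTR, three hosted domains.
$mx  = @{
    'example.com' = 'mail.example.com'   # correct
    'example.net' = 'mail.example.com'   # correct: reuses the PTR host name
    'example.org' = 'mx.example.org'     # wrong: separate name, no matching PTR
}
$a   = @{ 'mail.example.com' = '192.0.2.25'; 'mx.example.org' = '192.0.2.25' }
$ptr = @{ '192.0.2.25' = 'mail.example.com' }

foreach ($d in $mx.Keys) {
    $result = Test-OutboundMailDns -Domain $d -MxRecords $mx -ARecords $a -PtrRecords $ptr
    if (-not $result) { "$d : OK" } else { "$d : " + ($result -join '; ') }
}
```

Only example.org is flagged: its MX name resolves to the right address but the PTR for that address names mail.example.com, which is exactly the forward/reverse mismatch that anti-spam checks at large providers treat as a spoofing signal. The fix is the one the post gives, point the MX at the existing mail.example.com A record rather than creating a new name.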

If you’re simply here to find out if this is possible then take it from me, the answer is most definitely NO! Well, not if you want a “proper” SBS installation anyway.  I tried this virtually with a clean installation of Windows 2000 and ALL updates, so it was a completely vanilla installation with nothing else that could possibly interfere.  So if that’s all you needed then you are done.  If you want to find out what I went through then read on.

Just to reiterate: it did not work, and I tried it 13 times!!!  Please DO NOT follow the steps in this blog without reading the whole process first!

There are other blogs out there that will tell you that you have to do the SBS2008 installation manually if you want this to succeed.  I was able to get SBS 2008 to join the domain, transfer all the FSMO roles and end up with what seemed to be a working installation of Exchange 2007 (although because I was doing this virtually and my main aim was to see if I could actually complete the migration, I didn’t thoroughly test Exchange), but none of the other features that make moving to SBS2008 worthwhile were available.

Sure I had the option of running through the SBS Repair guide and performing all the tasks one by one to repair each and every function of SBS2008 but is it worth it? How long do we think that might have taken?  And would it have ever worked properly once it was done?

Warning Signs!

I should have known from the start, when I couldn’t even use Windows 2000 to create the answer file required to put the SBS2008 installation into Migration mode, that I was off to a bad start.  But being as stubborn as I am I persisted, using my Windows 7 host to create the answer file by running SBSAFG.EXE from the SBS DVD.

So I prepped my 2000 domain by raising its functional level to Native Mode and then ran sourcetool.exe from the SBS DVD.  The AD preparation ran through OK as I would have expected, but it failed to launch the answer file tool.  Warning sign number 2!!

So I now had my answer file and I booted my new VM with the SBS DVD and the answer file.  All seems to go well: it detects the answer file (as I would expect) and runs through the wizard, right up until the last screen, when the wizard stops responding and you get the usual “would you like to search for a solution online” dialogue box.  On attempt 10, I think it was, I did try this but it didn’t do me any good!

That was just the beginning!

After the crashed-out SBS Migration wizard we are presented with an SBS2008 desktop.  The server isn’t a Domain Controller and there is no SharePoint configured; Exchange appears to be installed and looks like it is configurable using the Exchange Management Console.  IIS hasn’t been configured as per an SBS installation and OWA doesn’t work.  I also cannot get into the SBS Console.

First things first: regardless of all the “broken” items, SBS needs to be a Domain Controller and it MUST hold all 5 FSMO roles along with the Global Catalog role.  To achieve this we need to run DCPROMO.  Select advanced mode and check the option to install DNS during installation.  You can try this, or you can take it from me that it will fail and move on to the next step.

DCPROMO will fail without some intervention.  To make it work run DCPROMO only this time once you have clicked advanced mode and moved to the next screen do the following:

  • Start > Run > CMD <click OK>
  • type CD\WINDOWS\SYSTEM32 <press ENTER>
  • type COPY NTDS.DIT SBSNTDS.DIT <press ENTER>
  • make sure you get “1 file copied”
  • type EXIT <press ENTER>

Now you can complete the DCPROMO wizard.  Once finished and the server has been restarted log back in and transfer the 5 FSMO roles as per: http://support.microsoft.com/kb/324801

You will also need to make the server a Global Catalog server.  To do this open Active Directory Sites and Services, expand the SBS2008 Servername and right click on NTDS Settings, check the box to make it a Global Catalog.

That was the easy bit!!

Now we need to get into the nitty gritty.  If you launch Active Directory Users and Computers you will notice that we are missing the SBS-specific Organisational Unit MyBusiness and all its sub-OUs.

If you open Group Policy Management Console you will notice that none of the SBS Specific Group Policies exist.

You will also find if you try to run the SBS Console (where EVERYTHING in SBS should be configured) it will also fail to launch.

To repair the SBS Console go to Start > Control Panel > Programs and Features, select Small Business Server and click Change.  On the dialog box select Repair (you will need the 2nd SBS DVD).

You will then need to run through each procedure in the SBS Repair Guide which can be found here: http://technet.microsoft.com/en-us/library/dd430085(WS.10).aspx 

Is it worth it??

My opinion: NO! Because when you have done this, which could take a day or two, will it work as it should? I don’t know, because after 2 days and 13 failed migration attempts (and believe me I tried everything I could think of, even a repair install of SBS2008 on top of the failed migration) I decided it wasn’t even worth contemplating.

The way to complete the migration is to either do an in-place upgrade of your Windows 2000 Domain Controller to Windows 2003 or if you would rather not do this install a temporary Windows 2003 or Windows 2008 Server and make this a Domain Controller.

This will allow you to demote the Windows 2000 server, leave your domain intact and then migrate from Windows 2003 to SBS2008 as per my guide here: https://demazter.wordpress.com/2010/02/12/migrate-windows-2003-with-exchange-to-small-business-server-2008/

503 Service Unavailable ESXi 4

Posted: February 15, 2010 in VMWare

After a complete SAN/ESX power down today, the first since upgrading the ESX hosts to ESXi 4, I came across the 503 Service Unavailable message when trying to connect to the Web Console to power up the host machines.  It turns out that since the upgrade to ESXi 4 the Web Service is not started by default, which of course presents a bit of a problem when your DNS servers are virtual machines on your VMware hosts.

To resolve this you first need to gain access to the console by pressing ALT+F1 then run the following command to confirm the Web Service is not running:

service vmware-webAccess status

If the service is not running then issue the command:

service vmware-webAccess start

Please note the capital A in the command, as it is case sensitive.  This will then allow you to use the web interface as normal.

There seems to be quite a lot of confusion around the ability to back up Exchange 2010 using the built-in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 Service Pack 2.

Exchange 2010 includes a plug-in for Windows Server Backup that allows you to perform a backup of the Exchange data using the Volume Shadow Copy Service.

Preparation Tasks

With Windows 2008 R2 and Windows 2008 the Windows Backup feature is not installed by default, so we first need to add this feature. To do this launch Server Manager and under Features select Add Feature. Locate the Windows Server Backup Features and check both options.

Now that the features are installed the plug-in needs to be enabled. In the Services snap-in (Start > Run > Services.msc) locate the “Microsoft Exchange Server Extension for Windows Server Backup” service, set it to Automatic and start it.

Backup the store

From Start > All Programs > Accessories > System Tools select Windows Server Backup

In the task pane select Backup Schedule. When the wizard opens click Next on the first screen and then select either Full Backup if you want to perform a full system backup or Custom if you just want to select the items to be backed up. So if you just want to backup the information store then select Custom. Click Next.

On the following screen click Add Items and browse to the folder your information store files are stored in. By default with Exchange 2010 this is C:\Program Files\Microsoft\Exchange Server\V14\Mailbox; there will then be a folder for each store called Mailbox Database (Database reference number).

Once you have selected the Mailbox Databases and have returned to the wizard screen, click the Advanced Settings button and under VSS Settings select VSS Full Backup.

Configure your schedule and set the destination on the following two screens and select Finish. This will backup your Exchange databases and flush the logs.
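The same preparation and schedule can be scripted, which is useful when several servers need the identical policy. This is an added example and not the post's own procedure; it assumes Windows Server 2008 R2 (the ServerManager module and the Windows.ServerBackup snap-in), the post's default database path, and a dedicated backup volume E: which is a placeholder. The service name wsbexchange is the short name of the “Microsoft Exchange Server Extension for Windows Server Backup” service.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008 R2;
# on Windows Server 2008 install the feature with
#   servermanagercmd -install Backup-Features
# instead of the first two lines. E: is a placeholder backup volume.
Import-Module ServerManager
Add-WindowsFeature Backup-Features -IncludeAllSubFeature

# The Exchange VSS plug-in is disabled by default: make it Automatic and start it.
Set-Service -Name wsbexchange -StartupType Automatic
Start-Service -Name wsbexchange

# Build a scheduled backup policy equivalent to the wizard's Custom choice.
Add-PSSnapin Windows.ServerBackup -ErrorAction SilentlyContinue
$policy  = New-WBPolicy
$dbPath  = 'C:\Program Files\Microsoft\Exchange Server\V14\Mailbox'
Add-WBFileSpec     -Policy $policy -FileSpec (New-WBFileSpec -FileSpec $dbPath)
Add-WBBackupTarget -Policy $policy -Target   (New-WBBackupTarget -VolumePath 'E:')
Set-WBVssBackupOptions -Policy $policy -VssFullBackup      # the 'VSS Full Backup' setting
Set-WBSchedule         -Policy $policy -Schedule '22:00'
Set-WBPolicy           -Policy $policy                     # saves and schedules it

# Check after the first run: LastFullBackup must advance, otherwise the
# backup was a copy backup and the transaction logs were not truncated.
Get-MailboxDatabase -Status | Format-Table Name, LastFullBackup, LastCopyBackup -AutoSize
```

The last line is the check that distinguishes a working Exchange-aware backup from a plain file copy: only a VSS full backup that the Exchange writer acknowledges updates LastFullBackup and flushes the logs, so a database whose LastFullBackup never changes is one whose log volume will eventually fill.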

This guide is intended for migrating Windows 2003 Standard with Exchange 2003 to Windows Small Business Server 2008.

You will need the following:

Before we can start the migration process there are a few things we need to do on the Windows 2003 server.

  1. First and foremost, make sure you have a SYSTEM STATE backup.  This can be done with the built-in Backup tools or a 3rd party product, but this needs to be done PRIOR to any of the following steps and is probably the most important step of the whole process.
  2. If the Windows 2003 server has more than 1 Network card then all apart from the LAN connection will need to be disabled.
  3. The assumption is that this is a single server scenario and DHCP/DNS are also installed on the server you are migrating from.  Therefore please ensure that the Windows 2003 server has ONLY its own IP address configured as the DNS server in the TCP/IP properties of the network card.  There should be no external DNS servers listed here.
  4. The gateway should be the LAN IP address of your router.
  5. If you have made any changes to the above configuration it’s best to restart the server so that DNS is updated and all the services are bound to the correct adapter.
  6. Perform all available Microsoft Updates.  Windows 2003 should at a minimum have Service Pack 2 installed along with Service Pack 2 for Exchange 2003.  When you run Windows Update, check the link across the top of the screen for Microsoft Update; this will ensure you receive updates for all products.

Prepare the 2003 Server

Raise the Domain Functional Level of the Windows 2003 Domain.  In Active Directory Users and Computers, right click on the domain and select Raise Domain Functional Level. This needs to be set to Windows Server 2003. If it is not already then you will have the option to change it.

Raise the Forest Functional Level of Windows 2003 Forest.  In Active Directory Domains and Trusts right click Active Directory Domains and Trusts and select Raise Forest Functional Level.  This needs to be set to Windows Server 2003. Again if it’s not already you will have the option to change it.

Using Exchange System Manager, right click at the top of the tree where it says Organisation Name (Exchange) and check that the Exchange operation mode is set to Native Mode (no pre-Exchange 2000 servers).

Once that’s done run the Exchange Best Practice Analyzer.  The test you need to run is the Exchange 2007 readiness check.  This scan will tell you if there is anything that needs to be resolved prior to the installation of Exchange 2007 which is performed as part of the Small Business Server 2008 install.

Prepare Active Directory

The first step of preparing for the installation of SBS2008 is to run sourcetool.exe.  This will prepare the forest and domain and change Exchange from Mixed mode to Native mode (Exchange 2007 will not install if it’s not in Native mode).

Insert the SBS DVD into the Windows 2003 Server (if you copy the sourcetool.exe to the Windows 2003 server make sure you copy the whole tools folder) and then from the tools folder run the sourcetool.exe.

The first thing you will be asked is to confirm you have a FULL backup, I cannot stress this enough this is where all the changes to your Active Directory start happening, so even if you took one at the start of this process, take another one now!

So check the box and click Next and the tool will run through and perform the required updates.

Once done you will be presented with a screen that tells you it has successfully prepared the server for migration and you will have the option to create an Answerfile.  I say ‘option’ because it will let you close the wizard without creating one, but if you don’t have an Answerfile you cannot put the SBS2008 installation into Migration Mode.


The message at the top of the screen indicates that the utility “Cannot prepare the Source server for migration”; this is normal.  It is because it cannot execute WindowsServer2003-KB943494-x86-ENU.exe.  The screen indicates the location of the log file.  To confirm this is why it has failed, open the log file and look for the entry:

     Current version: 5.2.3790.131072
     Service pack version = 2
     Running D:\tools\KB943494\WindowsServer2003-KB943494-x86-ENU.exe /quiet /norestart
     Package returned: 1603 (0x643)
     ProgressPage: Task Finished.  Succcess=False

I have highlighted the link to create an Answerfile because on the very first SBS migration I did, I missed it.  It doesn’t jump out at you and make itself obvious that it’s a link.  Perhaps this should have been a button to press?  Click the link and then fill the form in as below.

The important sections of the Answerfile are:

  1. Installation Type, make sure you select Migration from Existing Server (join existing domain) otherwise it won’t!
  2. I personally like to uncheck “Run unattended” so that I can see what is going on
  3. Select the Time Zone you will be using.  IMPORTANT: if the time and time zones of both servers don’t match then the migration may fail.
  4. Source and Destination Server information.  The destination server information is what will be set during installation and during the DCPROMO process so use the actual name the server will have.

Once you have filled in the required information scroll right to the end and click Save As.  This will create an SBSAnswerfile.xml file that will be used during the installation of SBS2008.  Copy this file to a USB pen drive or a floppy drive.

Small Business Server 2008 Installation

To install SBS2008, if your server has 2 network cards make sure that one of them is disabled in the BIOS. If you don’t, this can cause communication problems between the 2 servers.  I have seen some have problems and others that don’t, but personally I would rather be safe than sorry.

Set your boot device priority so that it’s First DVD/CDROM Drive and Second Hard Disk.  The important thing to make sure is it’s not going to try and boot from either the floppy drive or the USB drive.  Insert your disk/drive with the Answerfile on and boot from the SBS2008 DVD.

Follow the instructions to install SBS, it’s fairly self explanatory.  The installation will expand files and then reboot.  After the second reboot it will check for the Answerfile, either on the local storage, floppy drive or USB drive.  If it successfully finds one you will see this screen.

At this stage you will again be prompted to confirm you have a good backup and can then continue.  On the remaining screens confirm the information is correct for the new server and the existing server.  You will then receive the expanding files screen.

This section of the installation can take anything from 45 minutes to 2 hours.  A lot of that time it will look as if it hasn’t moved.  Whatever you do, do not think it has failed and turn it off.  If it has failed it will tell you.  Once this section has finished the server will again reboot.  And the screen we all hope to see is this one.


You now have a Windows 2003 Domain Controller with Exchange 2003 installed and an SBS2008 server with Exchange 2007 installed.  The next step is the data migration from Exchange 2003 to Exchange 2007.

Data Migration

So that we can remove Exchange 2003 from the older server we need to migrate the user mailboxes and Public Folders to Exchange 2007.  This would normally be done as part of the Migrate to SBS wizard, but as the source server is not SBS we are not able to do this.

To move the mailboxes launch Microsoft Exchange Management Console and navigate to Recipient Configuration > Mailboxes.  You will see that all the mailboxes that reside on the Exchange 2003 server will be listed as a Legacy Mailbox.  Right click on the mailbox and select Move Mailbox.  Follow the wizard to move the mailboxes to the SBS2008 server.  You can bulk select all the users and the move wizard will then work through them 4 at a time.  This can take a while depending on how many users you have and how big their mailboxes are.

To move public folders, on the Exchange 2003 server launch Exchange System Manager.  Navigate to Administrative Groups > First Administrative Group (or if your Exchange 2003 admin group has a different name, select that one) > Servers > servername (your Exchange 2003 Server) > First Storage Group > Public Folder Store (servername).  Right click on Public Folder Store and select Move All Replicas, select the SBS2008 server and click OK.  Once you have allowed time for the public folders to replicate, right click the Public Folder Store in Exchange System Manager and select Delete.  A dialogue box will pop up informing you that this store is the default store for one or more Mailbox Stores; click OK to this dialogue and then select the SBS2008 server from the list and click OK.  Click OK to confirm the delete.

If the store has not finished replicating (as we are on Exchange 2003 Service Pack 2) you will not be able to delete the store.

Rehome the Offline Address Book.  In Exchange System Manager on the 2003 server navigate to Recipients > Offline Address Lists and for each address list right click and select Properties.  Click the Browse button next to Offline Address List server and enter the name of the SBS2008 server. Click OK.  Do this for each Offline Address List.
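The three data moves above (mailboxes, public folder replicas and the Offline Address Book) can also be driven from the Exchange 2007 Management Shell on the SBS2008 server, which makes it easier to see what is still left on the old server before you try to remove it. This is an added example, not the post's own steps; OLD2003, SBS2008 and the database name are placeholders, and MoveAllReplicas.ps1 is the script that ships in the Exchange 2007 Scripts folder.

```powershell
# Added example, not from the original post. OLD2003 and SBS2008 are
# placeholder server names; adjust the database name to match your server.

# 1. Mailboxes: everything still on Exchange 2003 shows as a Legacy Mailbox.
#    -MaxThreads 4 matches the four-at-a-time behaviour the console wizard uses.
Get-Mailbox -RecipientTypeDetails LegacyMailbox -ResultSize Unlimited |
    Move-Mailbox -TargetDatabase "SBS2008\Mailbox Database" `
                 -MaxThreads 4 -BadItemLimit 10 -Confirm:$false

# 2. Public folder replicas: the scripted form of "Move All Replicas".
#    Replication still has to complete before the old store can be deleted.
$scripts = Join-Path $env:ExchangeInstallPath 'Scripts'
& (Join-Path $scripts 'MoveAllReplicas.ps1') -Server OLD2003 -NewServer SBS2008

# 3. Offline Address Book: rehome every OAB to the new server.
Get-OfflineAddressBook | Move-OfflineAddressBook -Server SBS2008 -Confirm:$false

# Checks before uninstalling Exchange 2003: nothing should be listed by
# the first two commands, and every OAB should name the new server.
Get-Mailbox -Server OLD2003 -ResultSize Unlimited | Format-Table Name, Database -AutoSize
Get-PublicFolderStatistics -Server OLD2003 | Format-Table Name, ItemCount -AutoSize
Get-OfflineAddressBook | Format-Table Name, Server -AutoSize
```

The three checks at the end are the ones the post's "if the store has not finished replicating you will not be able to delete it" remark hinges on: a non-empty Get-PublicFolderStatistics on the old server means replication is not done, and a mailbox still listed against OLD2003 will be orphaned if Exchange 2003 is removed first.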

If you use Recipient Policies that are Manage Mailbox policies then these will need to be removed and likewise if you have Recipient Policies that are used for both e-mail address definition and mailbox management the settings defined under Mailbox Manager Settings will need to be removed.  You DO NOT need to remove your e-mail address policies.

Using Exchange System Manager, navigate to Administrative Groups and right click on Exchange Administrative Group (FYDIBOHFSPDLT) and select New, then Public Folder Container.  Then under First Administrative Group, expand Folders and drag and drop the Public Folders container from First Administrative Group to the folder you have just created under Exchange Administrative Group (FYDIBOHFSPDLT).

The Recipient Update Service is not used in Exchange 2007 and is therefore not required, so it can be removed.  To do this you will need to use ADSI Edit.  Click Start > Run > mmc <click OK>.  Under File select Add/Remove Snap-in, click Add, select ADSI Edit, click Add, then Close and OK.  Right click on ADSI Edit and select Connect to; from the drop down under Select a well known Naming Context select Configuration and click OK.

Expand Configuration > Services > Microsoft Exchange > Organisation Name > Address List Container > Recipient Update Services, right click on Recipient Update Service (Enterprise Configuration) and select Delete.  There may also be a Recipient Update Service (ORGNAME); this also needs to be deleted.  Only delete the Recipient Update Service entries under the container.  DO NOT DELETE THE CONTAINER ITSELF OR ANY OTHER ENTRIES.

The final step in preparation for uninstalling Exchange Server 2003 is to delete the routing group connectors that would have been created as part of the installation.  I have highlighted them in the image below.  Simply right click on each connector and select delete.

Remove Exchange Server 2003

Now that you have transferred all the mailboxes, public folders and offline address lists, it’s time to remove Exchange Server 2003.  To do this go to Start > Control Panel > Add/Remove Programs. From the list, select Microsoft Exchange and click Change/Remove.  When the Exchange wizard opens click Next and then from the Action drop down select remove.

Demote the Windows 2003 Server

Now that Exchange Server 2003 has been removed it’s time to demote the Windows 2003 server so that it’s no longer a domain controller.  This is not an essential part of the process: if the server is going spare and you have the license, it’s always worth having a second domain controller on your network.

If you do decide to remove the domain controller then the following will need to be done:

  1. Confirm the Windows 2003 server is not a Global Catalog server.  Open Active Directory Sites and Services, navigate to Sites > Default-First-Site-Name > Servers > {name of 2003 Server}, right click on NTDS Settings, select Properties and then uncheck the box for Global Catalog.
  2. From a command prompt run NETDOM QUERY FSMO to check that all 5 FSMO roles are now with the SBS2008 server.  This should have been done during the installation process of SBS2008 but it’s always good to check.
  3. Run DCPROMO. DO NOT select the option for “This Server is the last domain controller in the domain”.
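The first two checks in that list, and the same pair of requirements in the Windows 2000 post above (SBS must hold all 5 FSMO roles and be a Global Catalog), can be verified in one go before DCPROMO is run. This is an added example and not part of either post; it uses the .NET System.DirectoryServices.ActiveDirectory classes rather than the Active Directory PowerShell module, because that module is not available on SBS 2008 / Windows Server 2008, and OLD2003 and SBS2008 are placeholder server names.

```powershell
# Added example, not from the original posts. Works on Windows Server 2008
# without the AD module. OLD2003 and SBS2008 are placeholder host names.
function Get-FsmoHolders {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest
    @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
    }
}

function Test-ReadyToDemote {
    param([string]$OldServer, [string]$NewServer)
    $ok = $true

    # All five roles must name the new server (role owner names are FQDNs).
    $roles = Get-FsmoHolders
    foreach ($role in $roles.Keys) {
        if ($roles[$role] -notlike "$NewServer.*") {
            Write-Warning "FSMO role $role is still held by $($roles[$role])"
            $ok = $false
        }
    }

    # The old server must no longer be a GC and the new one must be.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        if ($dc.Name -like "$OldServer.*" -and $dc.IsGlobalCatalog()) {
            Write-Warning "$($dc.Name) is still a Global Catalog server"
            $ok = $false
        }
        if ($dc.Name -like "$NewServer.*" -and -not $dc.IsGlobalCatalog()) {
            Write-Warning "$($dc.Name) is not yet a Global Catalog server"
            $ok = $false
        }
    }
    return $ok
}

Get-FsmoHolders | Format-Table -AutoSize
if (Test-ReadyToDemote -OldServer 'OLD2003' -NewServer 'SBS2008') {
    'Safe to run DCPROMO on OLD2003 (do not choose "last domain controller")'
} else {
    'Fix the warnings above before demoting OLD2003'
}
```

Demoting a server that still holds a role or is the only Global Catalog is the failure this guards against: the role ownership does not move on its own during DCPROMO, and the SBS-specific wizards assume every role lives on the SBS box.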

SBS Console Wizards

Once you have completed the migration and removed Exchange Server 2003 then you can continue through the SBS Console and complete the following wizards:

  1. Connect to the internet
  2. Set up your Internet Address
  3. Configure a Smart Host for Internet e-mail
  4. Add a trusted certificate (if you need a 3rd party SSL Certificate I would recommend buying a SAN/UCC certificate from http://www.exchangecertificates.com)

When running the Set up your Internet Address wizard it may fail. The reason for this is that some of the system Public Folders are Mail Enabled by default.  To ensure that the wizard will run successfully, in the Exchange Management Console navigate to Toolbox and double click on Public Folder Management Console.  On my system the folders highlighted below were mail enabled; simply right clicking on them and selecting Mail Disable will then allow the Internet Address wizard to complete successfully.


Tidy Up

There are a few other steps that need to be performed to make it a “proper” SBS 2008 setup.  The user and computer accounts need to be moved in Active Directory Users and Computers.  By default in a non-Small Business Server environment all your users will be created under the Users container; for SBS they need to be located in the MyBusiness > Users > SBSUsers container.  You can simply drag and drop them into the correct location.

The computer accounts should be moved from their default location in Active Directory Users and Computers, which is the Computers container, to MyBusiness > Computers > SBSComputers.

These 2 moves will ensure that the SBS Group Policies are applied to these computers/users and that they receive the correct permissions.

Users will also not appear in the SBS Console; this can be rectified by running the process explained here: http://blogs.technet.com/sbs/archive/2008/09/22/why-are-some-of-my-users-not-displaying-in-the-sbs-console.aspx under the “How do I use the Change user role for user accounts wizard” section.

Further Reading

How to remove the last legacy Exchange Server (already detailed above but here is the technet article): http://technet.microsoft.com/en-us/library/bb288905(EXCHG.80).aspx

Yahoo! Blocking senders

Posted: February 11, 2010 in Exchange Server

I am going to share a particularly frustrating experience with you.

A few weeks ago I had the misfortune of having to deal with Yahoo! blocking my own server from sending mail to their recipients.  I identified this in the end as a typo in my reverse DNS configuration, which caused their bulk mailer system to highlight my server as a spammer.  The problem was that once I had corrected the issue, they don’t re-check.  So once you are blocked, you are blocked!!

Make sure your External DNS is configured properly, follow my guide here: https://demazter.wordpress.com/2010/02/09/exchange-dns-configuration/

If this happens you will need to apply to be excluded from their Bulk Sender list.  Copy the text below and paste it into a new email.  Do not use attachments: I completed the Word document that Yahoo! sent me and e-mailed it back to them (TWICE!) and their system seemed to strip the attachment.

Complete the IP address, SMTP header information and contact details (right at the end).

I would leave the rest the same, and then send it to: mail-abuse-bulk@cc.yahoo-inc.com

Be prepared to send it through at least 3 times before they will action it.  It took me nearly 2 weeks to get them to agree to remove my IP address, especially considering this was a brand new server with a new IP address and I had only actually sent 2 e-mails to a Yahoo! recipient.  I was not happy about having to complete a “bulk sender” application which may have prolonged the agony for me as I argued this fact with them.

I wish you all the best!

<——————  COPY THE FOLLOWING TEXT —————>

1. Please provide all ACTIVE IP addresses you are currently using to send mail:

Each IP address:
* IP Address:
* Mail Server Hostname:
* Primary Mail Server, Fail-Over Mail Server, Bulk Mail Server, Etc: Primary Mail Server

NOTE: At this time we can only consider active and correctly configured mail servers/IP addresses for possible addition to the whitelist.

2. Do you have a dedicated IP address or do you use a shared mail server/IP address (i.e., the mail server/IP address is hosted by a service provider and is also being used by organizations other than your own)? If you use a shared server, please specify which service provider you use.

It’s a dedicated IP address for this server.

3. Please indicate all types of email being sent from the servers above, e.g., personal/corporate emails, transactional mailings, mailing list postings, marketing messages, and/or newsletters? (Indicate which IP sends which type of mail, if applicable).

Personal/corporate e-mails

4. If you send periodic or subscription-based mailings, please indicate the means by which a user is signed up for your subscription list.

There is no mail of this type transmitted from this server

a. Do you take any steps to confirm that the subscription is valid, or was initiated by the true owner of the email address?

Not applicable

5. How many subscribers do you currently have? And approximately how many emails do you send on a monthly basis?

Not applicable

6. Do you remove email addresses from mailing list if emails to them bounce–i.e., for soft (4xx) and hard (5xx) SMTP response codes?

Not applicable, there are no mailing lists held on this server.

a. If yes, how many bounced emails are required before you consider an email address to be inactive and subject to removal from your list?

For soft bounces: Not applicable, I do not run a subscription service

For hard bounces: Not applicable, I do not run a subscription service

7. How long does it typically take for an email address to be removed from your list once an unsubscribe request has been received?

Not applicable, I do not run a subscription service

8. Please provide the URL for your web site and your Privacy Policy. If available, you may also provide URL links to your Affiliate Policy and/or Terms of Use, if applicable.

Not applicable, I do not run a subscription service

9. Please copy and paste a text-only example of a recent mailing, including the full Internet headers. Or, include the entire error message you’re seeing in your SMTP logs if email is being deferred or blocked.

I cannot provide you with internet headers because the message is being bounced by my mail server because it cannot connect to your server to send the message.

10. Where possible, Yahoo! uses DomainKeys to determine the original sender of a message. Do you plan to or currently use DomainKeys to authenticate your mailings?

Not applicable, I do not run a subscription service

(NOTE: Signing emails with DomainKeys does not guarantee whitelist status or inbox placement. It may, however, make your mailings eligible for our Complaint Feedback Loop (CFL) program. Basically, when you’re enrolled in the CFL program, you will be forwarded a copy of the sent email every time a Yahoo! Mail users clicks on the “Spam” button for any of your DomainKey-signed mail. Each complaint should be reviewed and appropriate action should be taken to reduce your complaint rates).

11. Please provide the following contact information:

Company name:

Contact Information (Name and Phone Number):

Postal Address:

Email address:

<——————  END OF COPY TEXT —————>

Then after around 48 hours you will receive the following in an e-mail:

Thank you for writing to Yahoo! Mail.

We have made appropriate changes to the IP address you have submitted within our database. However, we cannot fully exempt your mail server from our SpamGuard technology. This should help with delivering mail to the appropriate Yahoo! folders.

Please be aware that Yahoo! Mail users are able to set their own preferences for the manner in which they receive your mailings. If the recipients of your messages want to ensure they receive your emails in their Inbox, you may want to ask them to set up a filter in Yahoo! Mail specifically for your emails, or have them add your email address(es) to their Yahoo! Address Book.

Please refer to the Help page below for more information on our recommended best practices for sending mail from any mail server to Yahoo! Mail users.

Today I came across this error when checking the IIS Authentication configuration with Exchange 2010 and Windows 2008 R2.

This happens because the authentication method is set in both the web.config file and in IIS. To fix it, follow these steps:

  • On your Exchange server, navigate to: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa
  • Make a copy of the web.config file and save it somewhere else.
  • Modify the original and remove the entry on line 30 that reads:
  • Then save the file.

This alleviates the problem and you will be able to manage your authentication in IIS.

This is a method of upgrading to Exchange 2007/2010 on the same hardware on which you currently have Windows 2003/Exchange 2003 installed, in a single-server environment. (It is assumed that DNS/DHCP/Exchange/DC are all installed on the same server.)

NOTES:
This method is not suitable for migrating Small Business Server (SBS). (Article coming soon!)

Never run DCPROMO on a server that currently has any version of Exchange installed on it; it will break Exchange. Both Exchange and DCPROMO make changes to IIS and the way it functions, so running DCPROMO on an Exchange server will at the very best result in a re-install of Exchange.

It is recommended that Exchange is not installed on a Domain Controller for the reasons documented here: http://technet.microsoft.com/en-us/library/aa997407(EXCHG.80).aspx. With this in mind, as you are rebuilding a server you may want to consider, and I would highly recommend, using a virtualisation product to separate your Exchange Server and Domain Controller. Free products like VMWare ESXi http://www.vmware.com/products/esxi/ and Microsoft Hyper-V Server http://www.microsoft.com/hyper-v-server/en/us/default.aspx make this much more realistic and will help separate your servers with little additional hardware cost.

TERMS:
GC = Global Catalog Server
DC = Domain Controller
VM = Virtual Machine
PM = Physical Machine

To be able to upgrade Windows 2003/Exchange 2003 on the same hardware you first need a temporary server. This can be a Virtual Machine (VM), a reasonable-specification workstation or an old server that is no longer being used. In this example we are going to use a VM, which I am going to call TEMPEXCH.

You can use either VMWare Server, http://www.vmware.com/products/server/overview.html, or Microsoft Virtual PC, http://www.microsoft.com/windows/virtual-pc/support/virtual-pc-2007.aspx

The process I will outline below introduces a new Windows 2003/Exchange 2003 server into your infrastructure. The reason for this is that Exchange 2007/2010 requires a 64-bit platform for installation, which limits the options for VMs and older physical machines.

1. Using either of the 2 Virtualisation products above, or another product of your choice, create a new VM (or use your Physical Machine) and install Windows 2003.

2. Configure the networking so that your TEMPORARY Exchange Server is using the CURRENT Exchange Server for DNS.

3. Run DCPROMO on your TEMPORARY Exchange Server and select the option to Install an Additional Domain Controller; complete the remaining wizard screens with the default settings.

4. Make sure that the TEMPORARY Exchange Server is also a Global Catalog Server: in Active Directory Sites and Services, expand the DC, right click NTDS Settings, select Properties and check the Global Catalog box (allow at least 15 minutes for the Global Catalog data to be built and the server to begin advertising as a GC).

5. Install the DNS role on TEMPORARY Exchange Server and update the network configuration so it is now using its own IP address for DNS. If it is an AD integrated zone, DNS will replicate automatically. If it’s not an AD Integrated DNS then do the following to change this:

  • In the DNS Console right click on the forward lookup zone and select Properties
  • Where it says Type, click Change
  • Ensure the check box “Store this zone in Active Directory” is checked

6. Install Exchange 2003 onto the TEMPORARY Exchange Server and migrate all your mailboxes, public folders etc. over to it (do not DCPROMO the current server whilst Exchange is on it) as per: http://support.microsoft.com/kb/822931 (don’t follow the “Remove the first Exchange Server 2003 computer” section yet).

7. Update your firewall/router rules to ensure that port 25 for SMTP and port 443 for Outlook Web Access are directed to the TEMPORARY Exchange Server.

8. Leave both Exchange servers running for a day or two to allow all clients to update, then decommission the CURRENT Exchange Server as per the “Remove the first Exchange Server 2003 computer” section in the following article: http://support.microsoft.com/kb/822931.

9. Once Exchange is uninstalled from the CURRENT Exchange Server, move all the FSMO roles to the server that will remain when you rebuild, as per: http://support.microsoft.com/kb/324801

10. DCPROMO CURRENT Exchange Server to remove Active Directory, then remove it from the network and rebuild with Windows 2008 or Windows 2008 R2. This must be the 64-bit version; there is no 32-bit version of Exchange 2010, and the 32-bit version of Exchange 2007 is not supported for use in production.

11. Run DCPROMO to make the new server a Domain Controller, clicking the Advanced link on the first screen to Install DNS as part of the configuration.

12. Install all pre-requisites for Exchange 2010 as per http://technet.microsoft.com/en-us/library/bb691354.aspx. Please note the different script for a Server 2008 R2 host system.

13. Install Exchange 2007/2010, move all mailboxes, replicate public folders etc.

14. Update firewall rules to ensure that port 25 for SMTP and port 443 for Outlook Web Access point to the new Exchange 2007/2010 Server.

15. Leave both servers running together for a few days to allow clients to update then decommission your TEMPORARY Exchange 2003 server as per: http://technet.microsoft.com/en-us/library/bb288905(EXCHG.80).aspx
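As an added example that is not part of the original procedure, the PowerShell check below is meant to be run on the CURRENT server just before step 10: it confirms that Exchange has really been uninstalled (the condition the notes above insist on before any DCPROMO), that none of the five FSMO roles is still held locally (step 9) and that another Global Catalog exists (step 4). It assumes PowerShell 2.0 has been installed on the Windows 2003 server; the service names and .NET DirectoryServices classes it uses are standard.

```powershell
# Added example (not from the original post): pre-flight checks before demoting the
# CURRENT server with DCPROMO. Assumes PowerShell 2.0 on the server being demoted.
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectory classes live here

function Test-DemotionReady {
    $blockers = @()
    $me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()   # this server's FQDN

    # 1. Exchange must be gone first: DCPROMO on an Exchange box breaks IIS and Exchange.
    $exchSvcs = @(Get-Service -Name 'MSExchangeIS','MSExchangeSA' -ErrorAction SilentlyContinue)
    if ($exchSvcs.Count -gt 0) {
        $blockers += 'Exchange services still present: ' + (($exchSvcs | ForEach-Object { $_.Name }) -join ', ')
    }

    # 2. All five FSMO roles must already have been moved off this server (KB 324801).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $roles = @{
        'PDC Emulator'   = $domain.PdcRoleOwner.Name
        'RID Master'     = $domain.RidRoleOwner.Name
        'Infrastructure' = $domain.InfrastructureRoleOwner.Name
        'Schema Master'  = $forest.SchemaRoleOwner.Name
        'Domain Naming'  = $forest.NamingRoleOwner.Name
    }
    foreach ($role in $roles.Keys) {
        if ($roles[$role].ToLower() -eq $me) { $blockers += "FSMO role '$role' is still held by this server" }
    }

    # 3. At least one other Global Catalog must exist (TEMPEXCH was made a GC in step 4).
    $otherGCs = @($forest.GlobalCatalogs | Where-Object { $_.Name.ToLower() -ne $me })
    if ($otherGCs.Count -eq 0) { $blockers += 'This is the only Global Catalog in the forest' }

    return $blockers
}

$result = @(Test-DemotionReady)
if ($result.Count -eq 0) { "OK: safe to run DCPROMO on $env:COMPUTERNAME" }
else { $result | ForEach-Object { "BLOCKER: $_" } }
```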

Further reading:

Upgrading to Exchange 2010: http://technet.microsoft.com/en-us/library/aa998604.aspx

The following procedure provides the steps required to publish Exchange services (OWA/HTTP-RPC/ActiveSync) with ISA 2006. The procedure works with all versions of Exchange; you will just see slightly different options depending on which version you choose.

First, launch ISA Server Manager and in the Task Pane on the right-hand side click Publish Exchange Web Client Access.

Firewall Policy Tasks

You will then see a screen asking you to give your rule a name. I use something like “OWA Publishing Rule”; it makes no difference what you put in here, but a sensible, descriptive name makes it easy to identify later.

On the screen pictured below you need to choose which version of Exchange you are using (note that Exchange 2010 is not listed; you need to select Exchange 2007).

Exchange Version

With Exchange 2007/2010 the wizard will not allow you to specify more than one service, so you will need to create a rule for each service. Click Next.

Select Publish a Single Website or Load Balancer (in Exchange 2007/2010 you will use a CAS server to proxy for all your Exchange Servers if you have more than one); if you only have the one server then you will just direct requests to that.

Load Balancer

On the next screen select SSL. It will work if you choose non-secured, but all your login credentials will be sent in plain text.

Load Balancer

On the next screen, enter the internal fully qualified domain name of your Exchange Server that is running the Client Access role, and its internal IP address so that the request still completes if name resolution fails.

You will then need to enter the public name that will be used to access your server, for example owa.companyname.com. This name must match the certificate that is used on the CAS server and installed on the ISA server.

On the Web Listeners page click New to create a new listener for OWA and give it a name; again it doesn’t matter what this name is, it just needs to be something you can easily identify at a later date. I am going to call mine OWA-Listener. On the next screen specify which network you will be listening on. As part of the ISA setup you will already have an External and an Internal network configured. You will need to select the External network for most applications; however, you may also want to add the Internal network if users inside your network will be accessing OWA through the ISA server as well.

If you have multiple external IP addresses configured on the network card that represents your external network, clicking the Select IP Addresses button will allow you to choose which IP address the listener will accept requests on. This is important: if you have more than one service being published on port 443 going to different servers then you will need more than one external IP address.

Once that’s done you will need to select the certificate you will use. Again this must match the certificate installed on the Exchange server, and it must be installed in the Computer store on the ISA server, not the User store. Select HTML Form Authentication (we will turn the Exchange FBA off later, otherwise you will end up with two login prompts) and uncheck the SSO box on the next screen (unless you are using SSO for other published resources).

You will then return to the publishing wizard; select the listener you have just created, click Next and accept the defaults on the next two screens, and you have finished your publishing rule. All that’s left to do in ISA is to apply the settings you have just changed.

Disable Exchange FBA

For the publishing rule you have just created to work effectively you need to disable Forms Based Authentication on the Exchange server that the rule is publishing. If you don’t disable it, the ISA server will prompt you with a form for credentials and then so will the Exchange server.

To disable FBA in Exchange 2007 and 2010 you will need to do the following:

Open Exchange Management Console and navigate to Server Configuration > Client Access and select the Outlook Web Access tab (in Exchange 2010 this has been renamed Outlook Web App). Right click on owa, select Properties, check the box for “Use one or more standard authentication methods” and select Integrated Authentication as per the screenshot below. You will then need to run IISRESET from a command line.

To disable FBA in Exchange 2003 you need to open Exchange System Manager and navigate to Administrative Groups > First Administrative Group > Servers > Servername > Protocols > HTTP, right click on Exchange Virtual Server and select Properties. Select Settings and uncheck the box “Enable Forms Based Authentication”. You will then need to run IISRESET from a command line.

Exchange DNS Configuration

Posted: February 9, 2010 in Exchange Server

I have seen a number of questions over the past few months regarding DNS configuration for an Exchange Server. Incorrectly configured DNS can cause your server to be rejected by receiving servers that perform certain checks on the mail they receive.

One of the most common of these is the rDNS lookup: basically checking that the sending server’s IP address has a reverse DNS (PTR) record, i.e. that the server actually exists.

I will try to cover the correct configuration here for hosting your own mail server and sending mail out directly via DNS rather than through a smarthost; this configuration is less important if you send via a third-party relay.

MX Configuration

The MX record(s) for your domain tell systems sending you e-mail where to deliver it. If you’re using a relay/spam-filtering service then your MX record will point at their servers’ hostnames. If you’re hosting your own server then the MX record will point at your own server.

Step 1

Confirm the external IP address your server is using. This can be achieved by simply going to http://whatsmyip.org from your Exchange server; at the very top of the screen it will show your IP address.

Step 2

Create an A record in the DNS zone that controls your EXTERNAL domain name (the part after the @ in your e-mail address). I always use mail.domainname.com but you don’t have to; it doesn’t matter what you use as long as it’s consistent.

Step 3

Configure the MX record to use the A record you created in Step 2. Don’t use IP addresses or CNAME records as these can throw up errors on DNS lookups. If you only have a single connection to the internet then only set up one MX record, and avoid giving it a preference value of 0; use 5 or 10. This will be your PRIMARY MX.

If you have a second internet connection with a different IP address that you use for backup in case your main line goes down, then add a secondary MX with an A record configured for this IP address and a higher preference value, say 20.

If you only have a single server, avoid the temptation to set up multiple MX records. Two MX records pointing to the same IP address is a complete waste of time, and one pointing to your own server plus one pointing to a backup MX server hosted for you will be targeted by spammers, and you will end up forwarding spam from your secondary MX to your Exchange server.

Step 4

Contact your ISP: you will need a reverse DNS record, also referred to as a PTR (pointer) record, configured. This is held against your IP address, so it can only be done by the company that provides your internet connection. Whilst a generic rDNS record will work, any system doing a strict lookup will fail your server if the rDNS doesn’t match the A record configured in Step 2, so it is best practice to configure your rDNS as mail.domainname.com.

Step 5

Modify your send connector/SMTP Connector. Depending which version of Exchange Server you are using this process will be different.

In Exchange 2007 & 2010 the Send Connector will need to be modified.
Open Exchange Management Console, navigate to Organisation Configuration > Hub Transport > Send Connector and right click on the send connector configured for internet usage and select properties.

On the first screen you will see an FQDN box; this should match the A record you created in Step 2. For consistency you may also want to do the same on the internet Receive Connector, which is located under Server Configuration > Hub Transport; by default it will be the one whose name starts with Default.

In Exchange 2003 you will need to modify the properties of the SMTP Virtual Server.
Open Exchange System Manager, navigate to Administrative Groups > First Administrative Group > Servers > Servername > Protocols > SMTP, right click on the Default SMTP Virtual Server and select Properties.

Under the Delivery tab click Advanced and enter the A record you created in Step 2 as the Fully Qualified Domain Name.

Summary

In summary then your DNS configuration should look like this:

  • A record mail.domainname.com configured for IP address of your server
  • MX record for domainname.com configured to use A record mail.domainname.com
  • rDNS configured to use mail.domainname.com
  • Send Connector/Receive Connector in Exchange 2007 FQDN set to: mail.domainname.com
  • SMTP Virtual Server in Exchange 2003 FQDN set to: mail.domainname.com
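As an added example that is not part of the original post, the PowerShell function below checks the external half of that summary (A record, MX record and rDNS) for one domain and reports the mismatches that strict receiving servers reject: an MX that is an IP address or a CNAME, a preference of 0, two MX records resolving to the same server, and a PTR that is missing or does not match the MX hostname. It assumes the Resolve-DnsName cmdlet (Windows 8 / Server 2012 and later) and that the machine can resolve external names; the connector FQDN (Step 5) lives inside Exchange and is not checked here.

```powershell
# Added example (not from the original post): checks the A / MX / rDNS chain for a domain.
# Assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later).
function Test-MailDns {
    param([Parameter(Mandatory = $true)][string]$Domain)
    $issues = @()
    $seenIps = @{}    # IP -> MX hostname, to catch two MX records for the same server

    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'MX' })
    if ($mx.Count -eq 0) { return @("No MX record found for $Domain") }

    foreach ($rec in $mx) {
        $target = $rec.NameExchange.TrimEnd('.')

        # Step 3: an MX must name a host (not an IP address) and that host must be an A record
        if ($target -match '^\d{1,3}(\.\d{1,3}){3}$') {
            $issues += "MX $target is an IP address, not a hostname"; continue
        }
        if ($rec.Preference -eq 0) { $issues += "MX $target has preference 0; use 5 or 10" }

        $answers = @(Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue)
        if ($answers | Where-Object { $_.Type -eq 'CNAME' }) { $issues += "MX $target is a CNAME" }
        $aRecords = @($answers | Where-Object { $_.Type -eq 'A' })
        if ($aRecords.Count -eq 0) { $issues += "MX $target has no A record"; continue }

        foreach ($a in $aRecords) {
            $ip = $a.IPAddress
            if ($seenIps.ContainsKey($ip) -and $seenIps[$ip] -ne $target) {
                $issues += "MX $target and MX $($seenIps[$ip]) both resolve to $ip"
            }
            $seenIps[$ip] = $target

            # Step 4: the PTR for the IP must match the MX hostname or strict rDNS checks fail
            $ptr = @(Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'PTR' })
            if ($ptr.Count -eq 0) {
                $issues += "$ip has no rDNS (PTR) record; ask your ISP to add one"
            } elseif (-not ($ptr | Where-Object { $_.NameHost.TrimEnd('.') -ieq $target })) {
                $issues += "rDNS for $ip is '$($ptr[0].NameHost)' but the MX points at $target"
            }
        }
    }
    return $issues
}

# Usage: replace the placeholder with your own external domain name
$report = @(Test-MailDns -Domain 'domainname.com')
if ($report.Count -eq 0) { 'OK: A, MX and rDNS are consistent' } else { $report }
```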