Thursday, January 27, 2011

Exchange 2010 SP2 - Enhanced Address List Segmentation

Exchange 2010 SP2 is expected to be released by Microsoft in the second half of 2011. With the release of SP2, the way GAL segmentation works will change.

GAL segmentation allowed administrators to optimize address lists in large companies, creating smaller 'virtual' organizations, with users only able to see the users they need to see.

In previous versions of Exchange, GAL segmentation was ACL-based, built on a permission structure.

With Exchange 2010 SP2 GAL Segmentation will be delivered using an "Address Book Policy" assignment model.

Microsoft's intended audiences for this feature are organizations that:
- Require some form of sub-divided address book or who wish to create several 'virtual' organizations within a single Exchange Organization.
- Enable users to share some resources between these segmented user populations
- Seek to control which objects are visible to a user when they open their address book picker.

I will post more information on the new GAL Segmentation feature when given the thumbs up from Microsoft.

Additional reading:

VBS - Find if logged on user is member of group

This script finds out if the logged on user is a member of a group. This is very handy for logon scripts.

' Find the user logged in
Set WshShell = CreateObject("WScript.Shell")
UserLoggedIn = WshShell.ExpandEnvironmentStrings("%username%")

' Run the functions if the user is a member of the group.
' Note: the WinNT provider lists direct members only; nested groups are not expanded.
Set oGroup = GetObject("WinNT://kbomb.local/" & "Domain Admins")
For Each oMember In oGroup.Members
    If LCase(oMember.Name) = LCase(UserLoggedIn) Then
        RunRegModifications
        RunFileModifications
        Exit For
    End If
Next

Function RunRegModifications()
    WScript.Echo "reg modification code here"
End Function

Function RunFileModifications()
    WScript.Echo "file modification code here"
End Function

Find User Currently Logged In VBS

In VB Script the following code shows you which user is logged in:

Set WSHShell = CreateObject("WScript.Shell")
UserLoggedIn = WshShell.ExpandEnvironmentStrings("%username%")
wscript.echo UserLoggedIn

Very handy for logon scripts

Wednesday, January 26, 2011

Outlook on an Exchange 2007/2010 Server

Is Outlook supported on an Exchange server? The answer is Yes!

It is supported to install Outlook 2007 on the same computer on which you have installed Exchange 2007.

Why install Outlook on the Exchange server?

In Exchange 2007 (RTM, SP1, SP2 and SP3) and Exchange 2010 RTM, Outlook was a requirement to use the import/export from/to PST files PowerShell cmdlets, as they used APIs from Outlook to perform these operations.

In Exchange 2010 SP1 Outlook is no longer a requirement to use the import/export PST cmdlets in PowerShell.

For small organisations installing Outlook on the Exchange server is ok!

For large organisations it is best practice to install the Exchange management tools on a Windows 7 PC or management server with Outlook.

Monday, January 24, 2011

Exchange 2003 Setup Error 0xc0070002

When installing Exchange 2003 SP2 management tools on an Exchange 2003 SP2 mailbox server the following error was experienced.

Setup failed while installing sub-components Exchange System Management Snap-ins with error code 0xC0070002 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed setup again.

After the setup process EventID 1002 was logged from MSExchangeSetup in the Application logs.

Exchange Server component Microsoft Exchange System Mangement Tools failed.
Error: 0xc0070002 - The system cannot find the file specified.

Microsoft has documented two possible causes to this problem here:

This problem can also occur if you try to install Exchange 2003 SP2 management tools without Exchange 2003 management tools installed.

1. To resolve this, reinstall Exchange 2003 with management tools - hit yes every time you are prompted to replace any SP2 files.
2. Reinstall Exchange 2003 SP2 with SP2 management tools.
3. Reinstall SP2 security updates

Wednesday, January 19, 2011

Cross-Forest Migration and Exchange 2010 "hosting mode"

I'm consulting for a large company with 2 forests (Forest A and Forest B) running 7 domains - all Exchange 2003.

I am creating a new forest, Forest C.

All users, groups, computer objects and contacts are being migrated from all domains in Forest A and Forest B into a new domain in Forest C.

My customer wanted to know if it was possible to move the users' mailboxes "into the cloud" during the migration, to a fourth forest, Forest D, hosted by an Exchange hosting provider running Exchange 2010 "hosting mode".

Here is a copy of the response I received from Microsoft on the matter:

Hi Clint,

Thanks for your update.

So, here I would like to re-understand your concern: there are four forests A, B, C and D (D forest is installed with hosting mode Exchange 2010). You want to confirm whether it is possible to migrate user accounts, groups, computer accounts and other Active Directory objects from forest A, B to forest C while migrating mailboxes to forest D. Please let me know if there is any misunderstanding.

If my understanding is correct, I would like to let you know that it is not a recommended migration because of the following reasons:

1. If we migrate the mailbox and Active Directory account to different forests, we have to create linked mailboxes. However, Exchange 2010 which is installed in hosting mode doesn't support "resource forest". For example, based on the result of many tests, if we create a mailbox in forest D for the user in forest C, this user is not able to see others in Global Address List while others are able to see him/her in Global Address List.

2. Hosting mode Exchange server is designed for multi-tenant. It is designed for those companies and organizations which don't have Active Directory and Exchange. So if we migrate mailboxes to the forest which holds hosting mode Exchange server, I believe there will be a lot of unexpected issues and inconvenience.

For your reference, I would like to share the following article with you:

Multi-Tenant Support

Please feel free to let me know if you have any concerns. I'm looking forward to hearing from you.

Best regards,
Leo Qin
Partner Online Technical Community

Hope this sheds some light on the matter for anyone facing the same scenario.

Thursday, January 13, 2011

Invoke or BeginInvoke cannot be called

When running SQL 2008 setup I received the following error.

SQL Server Setup has encountered the following error:

Invoke or BeginInvoke cannot be called on a control until the window handle has been created..

Weirdly enough when I closed my Explorer window which I used to browse to setup.exe it stopped the error from being generated.

Wednesday, January 12, 2011

How to find the SPECint2006 Rate Value for CPU.

This is how to find the SPECint2006 Rate Value for your CPU when filling out Ross Smith's Exchange 2010 Mailbox Server Role Requirements Calculator.

Navigate to the following SPEC website and enter the CPU or system you want to receive the SPECint2006 Rate Value for:

Counting Number of Public Folders

Below I will show you a method to count the number of public folders you have in your Exchange organisation for both Exchange 2003 and Exchange 2007/2010.

Exchange 2003

For Exchange 2003 download PFDavAdmin from the following location:

In PFDavAdmin click Tools --> Options. Enable logging to a file.

Then click Tools --> Content Report. Select All public folders for the scope.

Specify a location where to save the report.

When the report finishes generating you will have on your screen the total number of public folders residing on the server.

Exchange 2007/2010

Exchange 2007/2010 has native powershell support. Chris Schrimsher has produced a script that will automatically count the number of public folders you have in your organisation. To get a copy of his script please view the following link:

SQL System Databases

Master Database


Core system database to manage the SQL Server instance. In SQL Server 2005, the Master database is the logical repository for the system objects residing in the sys schema. In SQL Server 2000 and previous editions of SQL Server, the Master database physically stored all of the system objects.

Prominent Functionality

- Per instance configurations
- Databases residing on the instance
- Files for each database
- Logins
- Linked\Remote servers
- Endpoints

Additional Information

- The first database in the SQL Server startup process
- In SQL Server 2005, needs to reside in the same directory as the Resource database

Resource Database


The Resource database is responsible for physically storing all of the SQL Server 2005 system objects. This database has been created to improve the upgrade and rollback of SQL Server system objects with the ability to overwrite only this database.

Prominent Functionality

- System object definition

Additional Information

- Introduced in SQL Server 2005 to help manage the upgrade and rollback of system objects
- Prior to SQL Server 2005 the system related data was stored in the master database
- Read-only database that is not accessible via the SQL Server 2005 tool set
- The database ID for the Resource database is 32767
- The Resource database does not have an entry in master.sys.databases



TempDB Database


Temporary database to store temporary tables (#temptable or ##temptable), table variables, cursors, work tables, row versioning, create or rebuild indexes sorted in TempDB, etc. Each time the SQL Server instance is restarted all objects in this database are destroyed, so permanent objects cannot be created in this database.

Prominent Functionality

- Manage temporary objects listed in the purpose above

Additional Information

- Each time a SQL Server instance is rebooted, the TempDB database is reset to its original state

Model Database


Template database for all user defined databases. This is the template that is used when creating a new database.

Prominent Functionality

- Objects
- Columns
- Users

Additional Information

- User defined tables, stored procedures, user defined data types, etc can be created in the Model database and will exist in all future user defined databases
- The database configurations such as the recovery model for the Model database are applied to future user defined databases

MSDB Database


Primary database to manage the SQL Server Agent configurations

Prominent Functionality

- SQL Server Agent Jobs, Operators and Alerts
- DTS Package storage in SQL Server 7.0 and 2000
- SSIS Package storage in SQL Server 2005

Additional Information

- Provides some of the configurations for the SQL Server Agent service
- For the SQL Server 2005 Express edition installations, even though the SQL Server Agent service does not exist, the instance still has the MSDB database



Distribution Database


Primary data to support SQL Server replication.

Prominent Functionality

- Database responsible for the replication meta data
- Supports the data for transaction replication between the publisher and subscriber(s)



ReportServer Database


Primary database for Reporting Services to store the meta data and object definitions.

Prominent Functionality

- Reports security
- Job schedules and running jobs
- Report notifications
- Report execution history



ReportServerTempDB Database


Temporary storage for Reporting Services

Prominent Functionality

- Session information
- Cache

Exchange Public Folder Tools

pfadmin 1.3
Available at:
Used for: imports, or interactively
Works with: Exchange 5.5, 2000, 2003
Description: This is the original pfadmin from the Exchange 5.5 days. The most typical use is for running permissions imports that were generated with pfinfo 3.x, which are made up of SETACL command lines. You can also use it interactively to run SETACL and SETREPLICA commands. Pfadmin lets you view the current permissions and replicas using LISTACL and LISTREPLICAS respectively. However, these dumps can not be imported since they don't use SETACL or SETREPLICAS command format.

pfinfo 3.x
Available at:
Used for: exporting permissions in pfadmin 1.3 command syntax, also reports certain properties
Works with: Exchange 5.5
Description: This is the original pfinfo from the Exchange 5.5 days. The most typical use is for running permissions exports, which are actually just a list of SETACL commands. These can be imported using pfadmin 1.3. Pfinfo also generates a report that includes various other properties of the folder, such as item count and folder size. The property export can not be imported. You can try running this against Exchange 2000 and 2003, but you will find that in some cases subfolders will appear as root folders in the export, because pfinfo gets the folder path from the directory object, which is not always populated in 2000 and 2003.

pfadminE2K
Available at:
Used for: imports
Works with: Exchange 2000 RTM only
Description: This is an updated pfadmin for Exchange 2000, but it is not widely used due to several shortcomings. First, its command and permissions syntax is completely different from pfadmin 1.3, meaning you can't import your old pfinfo exports with the new pfadminE2K. Second, with E2K Sp1 and later, most operations fail. It only works reliably with the RTM version of E2K.

Available at:
Used for: exporting permissions in pfadminE2K command syntax, also reports certain properties
Works with: Exchange 2000 RTM only
Description: This is the updated pfinfo for Exchange 2000, which was also not widely used for similar reasons. The new permissions export format made it incompatible with any tool except pfadminE2K, and it only works reliably with E2K RTM.

Available at:
Used for: exports permissions in pfadmin 1.3 command syntax
Works with: Exchange 5.5, 2000, 2003
Description: This utility accesses Exchange via a MAPI profile, and thus it works with any version of Exchange. It generates permissions exports in pfadmin 1.3 SETACL command syntax.

PFDavAdmin
Available at:
Used for: exporting and importing permissions and replica lists in pfadmin 1.3 command syntax, version 2.3 and later exports properties
Works with: Exchange 2000, 2003
Description: PFDavAdmin accesses the information store through webDAV, thus the name, and was originally written to correct non-canonical DACLs on public folders. Its features eventually expanded to include imports and exports of permissions and replicas in pfadmin 1.3 command syntax. Version 2.3 and later can also export properties such as item count (PR_CONTENT_COUNT) and folder size (PR_MESSAGE_SIZE) into a tab-delimited file similar to the old pfinfo output (which also can not be imported, just like the old pfinfo output). In addition, it can be used to propagate single permissions and replicas down a tree of subfolders, instead of overwriting as ESM does. It has other features as well, which are discussed in the included doc.

pfmigrate
Available at:, as part of the E2K3 deployment tools
Used for: adding and removing replicas for all folders on a server, site consolidation
Works with: Exchange 2000, 2003
Description: Pfmigrate is especially useful for Exchange 2003 Sp1 site consolidation, since it changes the legacy DN of a public folder, which no other utility does. Site consolidation is outside the scope of this article. However, pfmigrate can also be used to simply add replicas of all folders on one server to another server, and remove replicas of all folders from the original server.

exdeploy
Available at:, as part of the E2K3 deployment tools
Used for: besides other things that exdeploy is used for, the /pubfoldcheck switch is of interest in regards to public folders as /pubfoldcheck runs a part of the DS/IS Consistency Adjuster that removes the unknown accounts from public folder ACLs. Those unknown accounts, if unhandled, could then get replicated to Exchange 200x servers as zombie users, thus causing problems. Exdeploy /pubfoldcheck can be scripted and run against multiple servers. NOTE: earlier version of exdeploy help stated that /pubfoldcheck also synchronized the public folder store and the Exchange directory (which could possibly cause public folders to be rehomed). This is however incorrect and it has been fixed in the new version of help file available with the tool at the above link.

ExFolders - Exchange 2010 RTM
Available at:
This is the ExFolders tool, an Exchange 2010 (RTM) compatible replacement for the PFDAVAdmin tool.

ExFolders - Exchange 2010 SP1
Available at:
This is the ExFolders tool, an Exchange 2010 (SP1) compatible replacement for the PFDAVAdmin tool.

More about the new Exchange 2010 ExFolders tool:

This is an updated version of Bill Long's article. The original article can be found here:

Exchange Jetstress

Use Jetstress 2010 to verify the performance and stability of a disk subsystem prior to putting a Microsoft Exchange Server 2003, 2007 and 2010 server into production. Jetstress helps verify disk performance by simulating Exchange disk Input/Output (I/O) load. Specifically, Jetstress simulates the Exchange database and log file loads produced by a specific number of users. You use Performance Monitor, Event Viewer, and ESEUTIL in conjunction with Jetstress to verify that your disk subsystem meets or exceeds the performance criteria you establish. After a successful completion of the Jetstress Disk Performance and Stress Tests in a non-production environment, you will have ensured that your Exchange disk subsystem is adequately sized (in terms of performance criteria you establish) for the user count and user profiles you have established. It is highly recommended that the Jetstress user read through the tool documentation before using the tool.

You should always run Jetstress on your new Exchange 2003/2007 or 2010 server before putting it into production.

Download the x86 version here:

Download the x64 version here:

Tuesday, January 11, 2011

Microsoft-Windows-GroupPolicy Event ID 1006

I had a very frustrating issue today with group policy at a client on a few member servers running Windows Server 2008 R2.

A quick google showed DNS as a cause - I checked my DNS configuration and it was correct so I discarded this as the reason.

A few member servers were receiving the following error:

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/01/2011 11:51:40 AM
Event ID: 1006
Task Category: None
Level: Error
Computer: torwmg832.domain.local
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

On the details tab I was getting ErrorCode 49.

The following TechNet article from Microsoft says Error Code 49 is the following:

Error code 49 (Invalid credentials)
This error code might indicate that the user's password expired while the user is still logged on the computer.
To correct invalid credentials:
1. Change the user's password.
2. Lock/unlock the workstation.
3. Check if there are any system services running as the user account.
4. Verify the password in service configuration is correct for the user account.

This error code description from Microsoft completely threw me off track, diagnosing the computer account passwords, rejoining PCs to the domain and diagnosing the Kerberos Key Distribution Center (KDC) service.

All tests against the domain using nltest for the computer account were passing successfully!

/SC_QUERY: - Query secure channel for Domain on ServerName

I was confident it was nothing to do with authentication!

There were so many forum posts on the Internet leading to DNS as being the cause for this error. I decided to revisit my name resolution even though DNS was working correctly.

I checked the local hosts file. It was full of entries.

I removed these entries and the problem was resolved. A very simple fix for such a painful problem.

Hopefully this post will stop others from going through my pain!
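
The hosts file check from this post can be scripted. The following is an added example, not code from the original post: it lists hosts file entries that fall inside the Active Directory DNS suffix and compares each one with what DNS returns. The function names, the sample hosts lines and the sample DNS answers are constructed for illustration, and it assumes the troublesome entries were static mappings for names in the domain (the post does not say what the entries were).

```powershell
# Added example (not from the original post). Function names and sample data are
# illustrative assumptions; 'domain.local' is the suffix from the event shown above.

function Get-HostsEntry {
    # Parse hosts-file lines into Address/Name pairs, one object per host name.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()        # strip comments
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }          # address without a name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{ Address = $fields[0]; Name = $name.ToLower() }
        }
    }
}

function Find-HostsOverride {
    # Report hosts entries inside the AD DNS suffix and compare each with DNS.
    # $Resolver must return the addresses DNS (not the hosts file) gives for a name.
    param([string[]]$Lines, [string]$DomainSuffix, [scriptblock]$Resolver)
    $suffix = $DomainSuffix.ToLower()
    foreach ($entry in @(Get-HostsEntry -Lines $Lines)) {
        $inDomain = ($entry.Name -eq $suffix) -or $entry.Name.EndsWith(".$suffix")
        if (-not $inDomain) { continue }
        # Drop empty results so an unknown name yields an empty array.
        $dns = @(& $Resolver $entry.Name | Where-Object { $_ })
        if ($dns.Count -eq 0)                  { $status = 'NotInDns' }
        elseif ($dns -contains $entry.Address) { $status = 'MatchesDns' }
        else                                   { $status = 'ConflictsWithDns' }
        New-Object PSObject -Property @{
            Name         = $entry.Name
            HostsAddress = $entry.Address
            DnsAddress   = ($dns -join ',')
            Status       = $status
        }
    }
}

# Constructed sample data: a hosts file and the answers DNS would return.
$sampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '10.0.0.10       dc01.domain.local dc01   # address of a retired DC',
    '10.0.0.21       dc02.domain.local',
    '10.0.0.50       intranet.example.com'
)
$sampleDns = @{
    'dc01.domain.local' = @('10.0.1.10')
    'dc02.domain.local' = @('10.0.0.21')
}

$report = Find-HostsOverride -Lines $sampleHosts -DomainSuffix 'domain.local' `
    -Resolver { param($name) $sampleDns[$name] }
$report | Sort-Object Name |
    Format-Table Name, HostsAddress, DnsAddress, Status -AutoSize

# On a live server (Resolve-DnsName needs Windows Server 2012 / Windows 8 or later):
# $lines = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
# Find-HostsOverride -Lines $lines -DomainSuffix 'domain.local' -Resolver {
#     param($name)
#     Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
#         Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
# }
```

Any entry reported as ConflictsWithDns or NotInDns means the server is resolving a domain name from the hosts file instead of from DNS, which is the first thing to clear when nltest passes but the LDAP bind still fails.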

Monday, January 10, 2011

Exchange 2010 Storage Planning and Testing

I have been arguing with clients for the last 2 years against purchasing expensive SANs and RAID solutions to run their Exchange 2010 infrastructure. I explain to them a mailbox server or a disk is not important. Set your infrastructure up so you can remove any server from the equation and allow users to continue to receive email!

I get IT professionals and Solution Architects looking at me like I'm an idiot when I say things like "you don't even need RAID on your cheap mailbox servers in many cases".

Before purchasing expensive storage infrastructure to run Exchange 2010 please read the following article:

A big thank you to Robert Gillies from Microsoft for taking the time to document Exchange 2010 storage and giving me some backup in my arguments with customers.

Exchange Cloud Based Archives with Office 365

Exchange Server 2010 RTM released archives, allowing you to archive the user's mailbox within the same Exchange mailbox database.

Exchange Server 2010 SP1 made it possible to store your archive mailboxes in a different mailbox database on the Exchange 2010 server.

With Office 365 beta, we can now enable organizations to store archive mailboxes in the cloud, while maintaining the primary mailbox on your on-premises Mailbox servers running Exchange 2010 SP1. Users can seamlessly access their primary on-premises mailbox and their archive in the cloud using Outlook 2010, Outlook 2007 and Outlook Web App (OWA).

Thursday, January 6, 2011

Exchange Journaling Questions

Is it possible for my email to get journaled more than once by a single hub transport server?

Yes it is. With Exchange 2010, it's possible to have that message journaled several times because of the way the transport expands the Distribution List. The transport will try to send the message as soon as possible, so it "chips" the DL into chunks of 1000, processes each chunk with any enabled transport agents (including the journal agent), then sends the first chunk of 1000. If you have a DL of, say, 4500 members, you'd get 5 messages in the journal. You can change the size of the "chip" to a value large enough that no DL would have more than the value of the "ExpansionSizeLimit". You have to make that change in the file edgetransport.exe.config on each HT server and then restart the transport service.

This is explained on the following link:

If an email passes through multiple Hub Transport servers, is it journaled more than once as it's being processed by multiple transport agents? Hub Transport servers marked as Hub Sites can cause emails to be processed by multiple Hub Transport servers along the way.

No, emails are only ever processed by one journal agent. Once an email passes through the first Hub Transport server, the Transport Agent or Journal Agent "stamps" the email as being processed in the message header with the X-MS-Exchange-Organization-Processed-By-Journaling x-header, so other Hub Transport servers can determine it's already journaled. This prevents the Journal Agent or Transport Agent from processing it more than once.

Email gets Journaled Multiple times for Large Distribution Lists

With Exchange 2010, it's possible to have that message journaled several times because of the way the transport expands the Distribution List. The transport will try to send the message as soon as possible, so it "chips" the DL into chunks of 1000, processes each chunk with any enabled transport agents (including the journal agent), then sends the first chunk of 1000. If you have a DL of, say, 4500 members, you'd get 5 messages in the journal. You can change the size of the "chip" to a value large enough that no DL would have more than the value of the "ExpansionSizeLimit". You have to make that change in the file edgetransport.exe.config on each HT server and then restart the transport service.

A big thank you to Rich Matheisen [MVP] for explaining this to me.


The following comment was made from Ross Smith from Microsoft:

We don’t recommend changing the chipping size as it is a feature to help with memory management. Sure you can manipulate a knob and increase the number, but ultimately either a) there will be performance issues (undefined) or b) a message will still contain more recipients than the custom number entered. In other words, there is no guarantee a single message will always be used when generating the journal report.

Exchange 2010 Group Metrics

Every organisation only contains one mailbox server responsible for generating the Offline Address Book. This server is known as the OAB Generation server. The OAB Generation server then distributes the OAB to Client Access Servers for distribution to Outlook clients. I explained this process on a previous blog post.

Please see:

The mailbox server running OABGen also has another role, to generate group metrics. Group metrics counts the members of all groups periodically on mailbox servers, and uses Exchange File Distribution to get the group metrics files out to CAS servers. Exchange File Distribution is the same method used in OAB distribution.

The Exchange 2010 mailbox server will have a share called \\mailboxserver\GroupMetrics where your group metrics are generated. If you're not seeing that on any mailbox servers, you're not generating group metrics. When you look in that share, make sure the files in it have been changed within the past 24 hours. Restarting the Exchange Service Host will generate a fresh file; that process may take minutes or hours depending on the number of groups in your organization. Also, make sure the Exchange File Distribution service is running on Client Access servers and Mailbox servers, and that your CASes can connect to \\mailboxserver\GroupMetrics.

It is possible to separate the mailbox servers generating OABGen and Group Metrics. To configure a different server to generate Group Metrics use the following command:

Set-MailboxServer -Identity <MailboxServerName> -GroupMetricsGenerationEnabled $true

I do not recommend this however, as both the OABGen and Group Metrics generation roles cannot be clustered or made highly available in any way. As a result it is best to put both these tasks on the same box so you're aware of the single point of failure (SPOF).

What are Group Metrics used for?

Group metrics counts the members of all groups periodically on mailbox servers. Group metrics is used by a Mail Tip which counts the number of users you're about to send an email to.

Recover Deleted Items and Mailbox Quotas

A question that is often asked is whether the Recover Deleted Items folder contributes to the user's mailbox quota. The answer is No. Microsoft has documented this on TechNet in a bizarre location.

Items in the Recoverable Items folder aren't calculated toward the user's mailbox quota. In Exchange 2010, the Recoverable Items folder has its own quota. When a user's Recoverable Items folder exceeds the warning quota for recoverable items (as specified by the RecoverableItemsWarningQuota parameter), an event is logged in the Application event log of the Mailbox server. When the folder exceeds the quota for recoverable items (as specified by the RecoverableItemsQuota parameter), users won't be able to empty the Deleted Items folder or permanently delete mailbox items. Also copy-on-write won't be able to create copies of modified items. Therefore, it's critical that you monitor the Recoverable Items quotas for mailbox users placed on litigation hold.

For mailbox databases, the default RecoverableItemsWarningQuota and RecoverableItemsQuota values are set to 20 Gb and 30 Gb respectively. These settings are usually sufficient for storing several years of mailbox data when on litigation hold. To modify these values for a mailbox database, use the Set-MailboxDatabase cmdlet. To modify them for individual mailboxes, use the Set-Mailbox cmdlet.

Wednesday, January 5, 2011

DAG Failover and Journaling

DAG Failover and Journaling is not an area highlighted on TechNet. If you configure journaling on a mailbox database and a failover of that mailbox database occurs what happens with the journaling? Does it still work?

The answer is Yes... Let me explain.

When a journal rule is created it is stored in Active Directory. The journal rule is replicated to all domain controllers throughout your infrastructure and applied to all Hub Transport servers in the Exchange 2010 organization.

When a mailbox database fails over from Site1 to Site2, the hub transport server in Site2 will still have the journal rules applied as it was replicated using Active Directory replication. The store driver on the hub transport servers in Site2 will pull the emails from the failed over database as it would in Site1. The journal agents on the hub transport servers in Site2 would then process the journal rules.

It doesn't matter where the mailbox database is located, it will always be journaled if the rule is configured!


If you journal all emails coming in and out of a mailbox database the disk I/O will be two times the typical disk I/O. It is recommended that a separate server be set up to act as a journaling server and to hold the journal recipient mailboxes. If your journal recipient mailbox is located in Site1 and the mailbox database being journaled is located in Site2 due to a DAG failover then all journal emails will be replayed back to Site1 which can cause WAN link congestion.

Journal Rule won't work right away on Groups?

You have created a journal rule which you have applied to a distribution/security group. Every email sent through this distribution/security group. However when you add a user to this distribution group the email they send or receive is not journalled for sometimes up to half a day. Why is this?

Each Hub Transport server caches distribution group membership. This reduces load on your Active Directory domain controllers. By default, entries in the expanded groups cache expire in four hours.

I don't want to wait the 4 hours?

If you want to make group membership changes immediate so journaling takes effect right away you must restart the Microsoft Exchange Transport service on each Hub Transport server. This will force an immediate update of the recipient cache. You must do this for each Hub Transport server where you want to forcibly update the recipient cache.

For more information on journaling take a look at: