Exchange Federated Free/Busy doesn’t work in one direction

In an earlier article I explained How to Configure Exchange 2010 SP1 Federation.  Buried within that article are the steps to solve federation issues that stem from Exchange 2003 migrations.  Here, I’m listing just those steps.



When federation doesn’t work in one or both directions, you may see any of the following errors in Outlook or Outlook Web App:

No Information (Error code: 5009)

The attendee’s server couldn’t be found. For more information, please contact your helpdesk. (Error code: 5039)

No information. No free/busy information could be retrieved. The external recipient’s server could not be determined. Contact your administrator.



Here’s how to fix it:

  • Ensure that the ExternalURL property is set for the Exchange Web Services virtual directory for the federated domains. Use the following cmdlet to check:



Get-WebServicesVirtualDirectory | fl name,server,InternalURL,ExternalURL





If the ExternalURL property is not set, remote domains will be unable to connect to your CAS servers to get federated free/busy information.  Set it using the following cmdlet:



Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalURL https://mail.companyabc.com/EWS/Exchange.asmx


Replace mail.companyabc.com with the same external FQDN used by that company to access OWA.



Test federation again.  That may be all that you needed to do.



  • Configure the TargetSharingEPR property of the organization relationship on the remote domain that cannot view federated free/busy information.  Usually this is only needed on Exchange 2003/2010 mixed environments or when federating with Office365.  Run the following cmdlet to configure it:

Set-OrganizationRelationship “CompanyABC” -TargetSharingEpr https://mail.companyabc.com/EWS/Exchange.asmx/WSSecurity

Test federation again from Outlook or OWA.  You can also use the Test-FederationTrust and Test-OrganizationRelationship cmdlets.



BTW, neither of these changes require that you run IISReset – they go into effect immediately.

Tips for Attending Exchange MCM Training

I’ve gotten the following tips about attending the Exchange Microsoft Certified Master (MCM) training in Redmond from previous attendees.  I plan to update this list after my own experience.



Logistics

  • Stay at the Homestead Suites – Redmond.  It’s supposed to be pretty bad (paper thin walls, sparse rooms, terrible Internet access), but it’s within walking distance of Building 41 and offers a basic kitchen and full size refrigerator.  It also has coin operated laundry on site.
  • Arrive at least a day before training starts and scope out where the grocery stores, convenience stores, and restaurants are.  Stock up the refrigerator with food and drinks.  There will be plenty of snack food and caffeinated beverages in the training room, so you won’t need that.
  • Bring two or three canvas grocery bags for hauling groceries back to your room and for shuttling clothes back and forth to the laundry.
  • Bring lots of quarters for laundry.  The front desk won’t make much change for you.

Preparing

  • Study the Exchange 2010 SP1 CHM file, which contains the offline version of the Exchange 2010 SP1 documentation available on TechNet.  Just as importantly, understand it’s layout so you can quickly access it for reference.
  • Study the Hub Transport pipline diagram.  Know all its pieces and parts.
  • Learn to use OneNote for note taking.

Words of Wisdom

  • If you don’t pass any of the three exams that lead up to the qualification lab, shrug it off and move on.  You will have the opportunity to retake the exam.  Don’t get hung up on it.
  • There is no such thing as a stupid question.  If you don’t understand something as well as you’d like, ask the trainers.
  • Listen closely to the trainers for hints about the Qual Lab.
  • Work as a team to create a huge OneNote for the Qual Lab (which is open book).
  • Figure out your study style.  Some like to join study groups with their classmates.  Others prefer to study alone.  Find out what works for you.
  • If you stay at the Homestead Suites, head back to the training room to study.  It’s a lot more comfortable.  And walk everywhere you need to go – it’ll help clear your head.
  • Don’t plan on doing ANY other work while you’re there.  It’s not possible.
  • Try to get out on a Saturday evening to maintain your sanity.
  • There’s no real guideline for attire.  Be comfortable – you’ll be in a classroom for 11-12 hours a day.  Be aware this is Redmond and it can rain at anytime.

Fix for SMExchangeStoreDriver – Event 1020 in Exchange 2010




I ran into a new problem today with an Exchange 2010 SP1 migration.  The customer migrated a few years ago from Exchange 2003 to 2007, and I’m now migrating their pure Exchange 2007 SP2 environment to Exchange 2010 SP1.  The customer has several Public Folder servers, so I need to migrate those as well.



I created the Public Folders databases on the new Exchange 2010 SP1 UR4 servers, but the hierarchy and folders would not replicate to the new servers.  The Application event log shows the following error:



Log Name:      Application
Source:        MSExchange Store Driver
Date:          8/24/2011 3:30:02 PM
Event ID:      1020Task Category: MSExchangeStoreDriver
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      E2010MB01.domain.com
Description:
The store driver couldn’t deliver the public folder replication message “Folder Content (PublicFolderDatabase2@domain.com)” because the following error occurred: The Active Directory user wasn’t found..





It turns out that this happens when the Exchange 2003 removal process doesn’t remove the empty CN=Servers container under the old Exchange 2003 Administrative Group.  You can use ADSIEdit to remove this empty container:

  • Run ADSIEdit.msc
  • Open the Configuration naming context
  • Navigate to CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
  • Delete the empty CN=Servers container, as shown below.  This is safe to do as long as there are no Exchange 2003 servers in the environment.




If the CN=Servers container is not empty and you don’t have any Exchange 2003 servers in your environment, you’ve probably got bigger problems from a botched removal of Exchange 2003.  In this case read How to remove Exchange Server 2003 from your computer, or you might want to call PSS.



Once you’ve removed the empty CN=Servers container allow time for the change to replicate throughout the domain’s domain controllers, and then issue the following command from the Exchange 2010 management console:

Get-MailboxServer -Identity EX2007 | Update-PublicFolderHierarchy

Where EX2007 is an Exchange 2007 that hosts the Public Folder database. You should see the hierarchy almost immediately on the new Exchange 2010 servers using the Exchange 2010 Public Folder Management Console.



MCM Update – Studying

So, I’ve taken to reading the Exchange 2010 SP1 online documentation, line by line, to get ready for my MCM training next month.  It’s rather slow going, but I expect to hit a rhythm and power on through it.



Once you have an account setup on the Microsoft Advanced Certification portal, you can post messages on the community page.  Not a lot of activity there, but I offered to start a studying group via Lync online meetings.  It’s too bad there isn’t a DL or anything for tentative students to communicate with each other.  I have no idea who else will be attending with me in three weeks.

How to clear the ‘Save my Password’ checkbox in the Lync Client

I was asked by a reader how to clear the “Save my password” checkbox in the Lync 2010 client recently.  Turns out that this not quite a trivial thing to do.



The first time a user signs into Lync from a computer they have the option to click Save my password, as shown below:






If the user clicks the checkbox and signs in succesfully, the Lync server will generate a digital certificate for the user to store in their personal store.  That certificate is used for future authentication attempts from the Lync client without having to supply a password, and the Save my password checkbox is not displayed again.



This article explains how to get the Save my password check box back.  You may want to do this if a user clicked the check box on a public computer, for example.



There are two things that control the appearance of the Save my password check box:

  • The SavedPassword DWORD value in the HKEY_CURRENT_USER\Software\Microsoft\Communicator registry key exists and is set to 1
  • There is a Lync user certificate in the user’s personal store that matches the user’s SIP address




Both the registry value and the user certificate need to be deleted to return the Show my password check box.  The following two commands will delete these items when run from an elevated command prompt on the affected computer:



reg add HKCU\Software\Microsoft\Communicator /v SavePassword /d 0 /f
certutil -delstore -user my sipaddress



For example,






Now run the Lync client and you will see the Save my password check box again.

Finding users who have Send-As or Full Access permissions to mailboxes

Pat Richard posted a couple of nice one-liners to determine users who have Send-As or Full Access permissions to mailboxes.  He posted this over at UCBlogs.net.



The following one-liner lists all mailboxes where another user has Send-As permissions, and who that user is:

Get-Mailbox -Resultsize Unlimited | Get-ADPermission | ? {($_.ExtendedRights -like “*send-as*”) -and -not ($_.User -like “nt authority\self”)} | ft Identity, User -auto



And this one-liner displays all mailboxes where another user has Full Access permissions, and who that user is:



Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | ? {($_.AccessRights -match “FullAccess”) -and -not ($_.User -like “NT AUTHORITY\SELF”)} | ft Identity, User


Both of these one-liners are very useful to determine who has access to other people’s mailboxes.

Exchange MCM Rotation Dates

I’ve paid my dues ($18,500 worth) and will be entering the September 12 – October 1, 2011 rotation for the Exchange Microsoft Certified Master program in a few weeks.



There’s quite a bit of prep just leading up to the class.  For example, here’s the current pre-reading list that you’re expected to have read and understand before you even attend the three week course.  Plus you need to arrange for travel and hotel while you’re there.



I will be staying at the glamorous Homestead Suites – Redmond, which sports a two-star rating, queen size bed, kitchenette, work area, and paper-thin walls.  Not like I plan to spend any time there except to (hopefully) sleep.  I’ve been promised 10-14 hour days of cranium-stuffing information 5 days a week.  That leaves the weekend to… Study more! And do laundry. And study. And prepare for the next exam.



To get a leg up, I’ll be reviewing the pre-reading list, above, and studying the Exchange 2010 SP1 Transport Pipeline.





Exchange 2010 SP1 Quorum Configuration Doesn’t Failback to Node Majority

Fellow MVP and work colleague, Tom Pacyk, wrote about a problem we’ve seen with Exchange 2010 SP1 UR3 where the quorum configuration does not change back to Node Majority after all odd numbered DAG members are online.  You can read Tom’s article, File Share Witness and Datacenter Failback, here.



This seems to occur when the alternate file share witness (FSW) is invoked during a complete datacenter failure in the primary site.  The DAG quorum configuration switches to Node and File Share Majority in that case, but does not switch back to Node Majority automatically for some reason when the primary datacenter comes back online.



As Tom writes, the fix is to run the Set-DatabaseAvailabilityGroup DAGName cmdlet without any other parameters.  Exchange realizes that the quorum configuration is not correct and fixes it.

Fun with NSLOOKUP

Microsoft Exchange and Lync Server use TXT and SRV records in DNS to publish domain and service connection point information.  Exchange 2007 and 2010 use TXT records for federation and Sender Protection Framework (SPF) records.  Lync 2010 uses SRV records for automatic client sign in and protocol configuration.  Often these records are published in both internal and external DNS zones.  It’s important to know that these records are configured properly and have propagated throughout the Internet.  This article explains how to use the Windows built-in tool, nslookup, to confirm the records.



Nslookup can be used both as a single line query or in interactive mode.  It normally returns results for A or CNAME (alias) records.  To view TXT, SRV, or MX records, you must change the nslookup type.  The following single line query looks up the TXT records for a domain:

nslookup -q=txt domain.com



This example shows all the TXT records for the domain theguillets.com:






Note that this query was run against the primary DNS server, 192.168.1.1.  What if you want to run the query against another external DNS server?  Try the following command:

nslookup -q=txt domain.com 8.8.8.8

where 8.8.8.8 is the FQDN or IP address of the DNS server you want to query.  8.8.8.8 is one of the Google DNS servers and returns the following:






This is a good way to check that your DNS data is propagating across the Internet.  On a side note, I’ve found that Google’s DNS servers sometimes take a long time to update.  I use it as my worst case propagation test — If it’s propagated to 8.8.8.8, it’s probably propagated everywhere.  Of course, you can substitute the query type ( -q=txt ) with SRV or MX in the command above to lookup those record types.



You can also run queries in interactive mode.  This is useful when you want to look the same query type for several domains.  You start interactive mode by just entering nslookup at the CMD prompt, setting the query type, and entering the domain(s) to query.  The following example displays the SRV records for theguillets.com according to the remote Google DNS server:



C:\>nslookupDefault Server:  UnKnown
Address:  192.168.1.1


> server 8.8.8.8Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8


> set type=srv> _sip._tls.extrateam.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
_sip._tls.theguillets.com SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = edge.theguillets.com
> _sipfederationtls._tcp.theguillets.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
_sipfederationtls._tcp.theguillets.com    SRV service location:
          priority       = 0
          weight         = 0
          port           = 5061
          svr hostname   = edge.theguillets.com
> exit

C:\>

Notice that I changed from the default primary DNS server to Google’s using the server 8.8.8.8 command and I set the query type to SRV using the set type=srv command.