|
(I noticed there was no general Exchange thread, just people posting specific issues in their own threads. I don't know if there's enough of a market for an exchange-specific thread to last, but we'll see.) e: If there's enough interest for this thread not to dive straight to archives, I'll post a blurb about Exchange. After I figure out why roughly half of our AD profiles are autocorrupting themselves. We have a request for a set of shared calendars for car booking, which would normally be no problem. Except they're very specific on their security requirements: Create a group "Car Admins" (to contain the receptionist and a couple of the secretarial staff), that group to have full rights to the calendar (create/update/delete) for all bookings. Everyone else is only to be able to edit their own bookings (and not have them overlap with pre-existing ones - actually, make it so no-one can overlap them). Is this possible/feasible with Exchange calendars, some other F/OSS (has to link in to AD), or should we roll our own? (I know C#, the other dude knows PHP, so we should be able to figure something out) (We have some other calendars shared in Exchange for booking training rooms - everyone has full access to those. I do (Office politics: the pettier the issue is, the more vicious the fighting gets.)
|
# ? May 5, 2011 22:04 |
|
From memory, you can set the permissions on an Exchange public calendar so that users can only edit/delete items they have created themselves. So this should be possible out of the box.
|
# ? May 5, 2011 22:11 |
|
Thel posted:Except they're very specific on their security requirements: Create a group "Car Admins" (to contain the receptionist and a couple of the secretarial staff), that group to have full rights to the calendar (create/update/delete) for all bookings. Everyone else is only to be able to edit their own bookings (and not have them overlap with pre-existing ones - actually, make it so no-one can overlap them). We do this with conference rooms. Make a room mailbox, turn on the auto attendant and it's first-come, first-served to make an appointment. Give the Car Admins group full access permissions and they can remove/add appointments as needed. I'm pretty sure there's a setting on a room mailbox (you may have to set it via PowerShell) that will auto-reject anything that overlaps. It's pretty easy stuff.
|
# ? May 6, 2011 03:24 |
|
We used to have a couple dozen calendars in public folders, and we moved most of them to Sharepoint. It's much easier to deal with to be honest.
|
# ? May 6, 2011 03:48 |
|
My favorite part is when Exchange mangles headers of emails and there's no indication of why. Can anyone here explain that? Example: we do spam filtering for our customers and sometimes we hand off to an Exchange server and it does the craziest poo poo with the emails. We look at the headers on the customer's computers and cannot figure out why so many things are missing.....
|
# ? May 6, 2011 04:04 |
|
This seems like as good a place to put this as any. I'm running into issues at one of my clients where I'm unable to add permissions to shared (Public) contacts and calendars. I create the user, and the name simply does not show up. I had one finally show up after an hour, another after a week, and two others that haven't shown up as available names in the two weeks since I've created them. There has been no change in our process of adding them, it just went wonky a month ago or so. Server is a 2008 R2, Exchange 2010, for whatever it's worth. End users are generally on Office 2007, with a 2010 here and there.
|
# ? May 6, 2011 04:14 |
|
Accounts need to be in the GAL for them to show up in Exchange permissions. You either have an issue with their account or with the GAL generation that's causing them not to show up. If some show up and others do not, their account is likely to blame. If none show up, the GAL generation is likely failing. There might be events to look at depending on your logging level. A common issue with Accounts is the "e-mail" field not matching the primary Exchange SMTP address. I usually copy/paste it from the Exchange address to the e-mail field to make sure - even if it looks exactly the same this will sometimes fix the problem. I'm not familiar with Exchange 2010, unfortunately, so some of this may have changed, but the ideas are the same.
|
# ? May 6, 2011 04:55 |
|
LoKout posted:Accounts need to be in the GAL for them to show up in Exchange permissions. You either have an issue with their account or with the GAL generation that's causing them not to show up. If some show up and others do not, their account is likely to blame. If none show up, the GAL generation is likely failing. There might be events to look at depending on your logging level. I believe that's still dead-on for 2010. I ran into some issues related to the GAL when I was migrating from 2003 a couple weeks ago (amongst some other truly hosed up stuff involving the hidden/buried permissions on actual AD objects that I have no idea how the previous IT person managed to gently caress up so badly). 2010 is nice. I can't wait to roll out the archiving, and OWA is amazingly usable.
|
# ? May 6, 2011 05:19 |
|
Looking for anybody with 6 or more digit Exchange implementations, how doable is it?
|
# ? May 6, 2011 08:32 |
|
marketingman posted:Looking for anybody with 6 or more digit Exchange implementations, how doable is it? As in 100K+ users? It's not difficult but has to be designed from the ground up properly. Poorly designed Exchange environments are usually the issue with big deployments. Hell, Microsoft hosts millions of mailboxes in the cloud. edit: I would suggest hiring a company that does this kind of rollout on a regular basis. Make sure to check their references. If you're deploying 100K users on Exchange, you should have no issue getting consulting and PS money. Make sure the consulting company gets you a dedicated project manager, and their engineers do a proper knowledge transfer to your staff. The good news is 2010 is way easier to deploy. edit2: hurf durf, 6 digit is 100K skipdogg fucked around with this message at 15:44 on May 6, 2011 |
# ? May 6, 2011 15:31 |
|
skipdogg posted:As in 10K+ users? 6 digits is 100k The US Navy supposedly has 700,000 mailboxes in Exchange (and on VMware), there's a white paper out there about it. Bob Morales fucked around with this message at 15:40 on May 6, 2011 |
# ? May 6, 2011 15:38 |
|
Bob Morales posted:6 digits is 100k It's a good thing corrupted mailboxes can't sink ships.... I hope.
|
# ? May 6, 2011 21:35 |
|
Bukakke-san posted:It's a good thing corrupted mailboxes can't sink ships.... I hope.
|
# ? May 6, 2011 21:45 |
|
Bob Morales posted:6 digits is 100k This is very interesting to me. I need to scope out how a multi-million mailbox Exchange setup might be achieved. Links? Searching hasn't yielded any results for me.
|
# ? May 7, 2011 09:21 |
|
I would like to exchange my left testicle for the ability to apply share permissions to mailboxes AND PARENTS in outlook. For example, if I need access to a colleague's email folder, I need to create myself as a reviewer/whatever there, then make myself able to view each of the parent folders back to his original mailbox (i.e: above the inbox, sent, etc.) individually. If I don't, I can't access it. Please tell me I'm retarded and there's a way to easily do this.
|
# ? May 7, 2011 09:43 |
|
Nam Taf posted:I would like to exchange my left testicle for the ability to apply share permissions to mailboxes AND PARENTS in outlook. There's an Exchange tool which allows you to apply permissions down a tree. It's called.... ummm.... PFDAV Admin? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=635BE792-D8AD-49E3-ADA4-E2422C0AB424&displaylang=en
|
# ? May 7, 2011 10:27 |
|
marketingman posted:There's an Exchange tool which allows you to apply permissions down a tree. It's called.... ummm.... PFDAV Admin? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=635BE792-D8AD-49E3-ADA4-E2422C0AB424&displaylang=en PFDAVAdmin is a lifesaver. Doesn't work on 2010 though. Instead, use ExFolders (which is basically PFDAVAdmin, updated to work properly). http://blogs.technet.com/b/exchange/archive/2009/12/04/3408943.aspx It can do all the fancy ACL work you need on Public Folders.
|
# ? May 11, 2011 01:52 |
|
Fuuuuck Exchange. Just got dragged into the aftermath of a botched migration (initially it was going to be from 2003 to 2007, now we're just trying to get it working any way possible). OWA works, and outlook can connect if I feed it the new server settings (can't autodetect). ... and the new sysadmin has just made everything work. I think. Except you have to remove your old email settings from control panel/mail, and readd from there. What the gently caress. I hate exchange soooo much. (that's "new sysadmin" as in 'started last month; prior qualification is cable jockey at an ISP', not 'new sysadmin started yesterday after the previous one was ritually executed for botching the mail migration'. Just to clear that up.)
|
# ? May 24, 2011 03:34 |
|
Sounds like the autodiscover stuff got jacked up. Not uncommon, and I'm guessing it probably got missed in DNS and/or on the certificate. You can run the e: I'm tired. Cavepimp fucked around with this message at 06:49 on May 24, 2011 |
# ? May 24, 2011 06:45 |
|
Thel posted:Fuuuuck Exchange. Imagine having to actually type the server name in. That sounds horrible.
|
# ? May 24, 2011 10:24 |
|
roarshark posted:Imagine having to actually type the server name in. That sounds horrible. *thinks nothing of compiling from source, editing xml config files*
|
# ? May 24, 2011 14:21 |
|
Thel posted:Fuuuuck Exchange. From someone who is a co-owner of an IT company and TPM that has done hundreds of Exchange 2007 and 2010 implementations, Exchange 2007 and 2010 suck massive elephant cock. Also, gently caress PowerShell in its loving rear end. Sorry for the generalized rant, had to blow off steam. A recent implementation has gone awry yet again (certificate issues) and is causing massive grief, thank goodness this is a parallel spin-up to an existing 2003 environment. R-Type fucked around with this message at 16:37 on May 24, 2011 |
# ? May 24, 2011 16:30 |
|
I'm really liking 2010 so far, it seems like they're slowly adding functionality back into the GUI which is nice.
|
# ? May 24, 2011 17:32 |
|
This is probably a good place to post this weird problem our guys haven't been able to figure out (I personally haven't looked at it, but they already checked a few things I told them to look at and it's still acting up). We have a client with an SBS 2003 environment, using a public folder calendar as a general "office calendar". When this one user creates stuff in the calendar, the changes don't show up for everyone else. She has the same permissions as everyone else in the office. It's almost like she's Read Only, and it's not giving her an access denied message when changing things. Anyone else seen this before?
|
# ? May 24, 2011 17:47 |
|
roarshark posted:Imagine having to actually type the server name in. That sounds horrible. I have no problem with typing in a server name. It's when I have to reconfigure ~400 TS profiles one by one that I'll start having problems. Is there an easier way to reconfigure outlook settings for Terminal Services users?
|
# ? May 24, 2011 20:22 |
|
R-Type posted:From someone who is a co-owner of an IT company and TPM that has done hundreds of Exchange 2007 and 2010 implementations, Exchange 2007 and 2010 suck massive elephant cock. Also, gently caress PowerShell in its loving rear end. I don't know how somebody with this amount of exposure to exchange 2007 and 2010 could have such a negative view of it. When I very first started performing 2003 to 2007/2010 migrations I was thrown for a loop on a few minor details (looking at you, msExchOwningPFTree), but 2010 especially is incredibly simple to manage, especially in multi-server environments. It's really goddamned stable, easy to troubleshoot, and I don't know how else to put this except to say that powershell loving owns. If you absolutely want to avoid it in 2010 you can, except for maybe performing some diagnostic tasks when something breaks. I also work for an outfit that has done hundreds of exchange implementations, and compared to anything prior, 2007/2010 is a goddamned dream to work with. Things I do not miss from 2000/2003: horrible diagnostics framework, ~*~IIS dependencies~*~, poo poo message filtering (requiring horrible 3rd party products), public folder syncing horseshit, front-end/back-end coexistence seemingly a complete afterthought. I mean in 2010 configuring RDP over HTTP takes like 2 clicks to enable and you are done with it, in previous versions you had to jump through so many hurdles. I get that it's easy to hate on Microsoft, but Exchange 2010 is about as good as you can hope for when it comes to managed mail services.
|
# ? May 24, 2011 23:09 |
|
Thel posted:I have no problem with typing in a server name. Autodiscover really isn't troublesome to configure at all, just remember to include the URL for it as a subject alternate name in your cert. If you've moved mailboxes to another server in the site then the outlook client should automatically reconfigure itself.
|
# ? May 24, 2011 23:11 |
|
Linux Nazi posted:Autodiscover really isn't troublesome to configure at all, just remember to include the URL for it as a subject alternate name in your cert. I'm not an exchange expert by any stretch, I'm a DBA that's been press-ganged into helping clean up the fallout. (I laugh because otherwise I'd have to cry ...) So when you say put the URL for it as a subject alternate name in your cert, I assume that's something I'd do on new-mail-server? old-mail-server doesn't actually exist any more.
|
# ? May 24, 2011 23:56 |
|
Thel posted:I'm not an exchange expert by any stretch, I'm a DBA that's been press-ganged into helping clean up the fallout. Exchange 2010 basically requires an SSL cert, if you are cheap you can go to a site like godaddy or certificatesforexchange.com for a cheap-o starfield cert that is going to be accepted by every web browser or mobile device, or use a self-signed cert (or one supplied via a PKI if you have one already configured.) Godaddy / C4E will walk you through the issuing process, just be sure to add autodiscover.maildomain.com as one of the SAN entries. You can use powershell or the management interface to generate the initial CSR. Then: Exchange team blog how-to for setting up autodiscover. It's a lot of but honestly there isn't much to it, especially for a single-server configuration. You don't have to take the server down so even for somebody new, there is little risk to configuring it. Then, of course, the connectivity test site for when you are done: http://www.testexchangeconnectivity.com/
|
# ? May 25, 2011 00:12 |
|
Linux Nazi posted:Exchange 2010 basically requires an SSL cert, if you are cheap you can go to a site like godaddy or certificatesforexchange.com for a cheap-o starfield cert that is going to be accepted by every web browser or mobile device, or use a self-signed cert (or one supplied via a PKI if you have one already configured.) Heh. Uh, after our exchange 2007 migration blew up spectacularly (irreparably corrupted mail store, or something along those lines), we went back to 2003. Which looks like it doesn't have autodiscover. FML. (Don't ask me I don't make the decisions. Either way, no autodiscover, should I go back to pushing a .prf file?) e: 1.5 days to migrate from 2003 ... to 2003. And we still haven't sorted the terminal services issues out yet (a day after we got people on laptops working).
|
# ? May 25, 2011 00:23 |
|
Thel posted:Heh. Uh, after our exchange 2007 migration blew up spectacularly (irreparably corrupted mail store, or something along those lines), we went back to 2003. Which looks like it doesn't have autodiscover. FML. Eek, I get if it is out of your control, but I can't imagine deploying an exchange 2003 server in the year 2011. That being said, if the mailboxes currently live on the current 2003 server, when you move them to the other 2003 server then the outlook client should reconfigure itself without you having to do anything. Occasionally a client hiccups, but 99% of them should point to the new host without issue. Also how did you manage to get a corrupt mailstore on the 2007 server? When you migrate, the install basically drops an inter-site connector for the purpose of the migration, and you can gracefully move the mailboxes from the old server to the new mail store. It isn't as if you need to schlep the EDB files over and mount them in the 2007 server or anything, you populate an empty mailstore on the 2007 with the migrated data when you move the mailboxes.
|
# ? May 25, 2011 00:40 |
|
Linux Nazi posted:Eek, I get if it is out of your control, but I can't imagine deploying an exchange 2003 server in the year 2011. I don't know. I just don't know. (I wasn't actually here when they did the migration over the weekend. All I heard when I came in on Monday was "it's all hosed up and we can't fix it. Trying to get mail back on to a 2003 server, but that's not working either".) So now we have a new mail server that has all the mailboxes on it, the old server has disappeared (we still have a copy of the VM but we can't bring it up except in safe mode), and none of the clients pick up the new server automatically. Laptops are fine because we can configure those ourselves, but our TS GPOs don't allow TS users to access control panel->mail, and when they open Outlook they get an error "default mail store unavailable" or something along those lines, Outlook closes immediately.
|
# ? May 25, 2011 00:55 |
|
Thel posted:I don't know. I just don't know. You could try to loosen the GPO restrictions on accessing the mail control panel icon and instead install the office 2007 resource kit, add the Outlk12.adm admin template, and apply the "prevent users from adding e-mail account types" policy. This should let you effectively let users access the mail panel but not add any personal e-mail accounts.
|
# ? May 25, 2011 01:17 |
|
Linux Nazi posted:You could try to loosen the GPO restrictions on accessing the mail control panel icon and instead install the office 2007 resource kit, add the Outlk12.adm admin template, and apply the "prevent users from adding e-mail account types" policy. Thanks for that. Turns out the users that are having problems have mailboxes in the exchange server, but don't show up in any of the address lists. The only solution we've found is to delete and recreate their accounts (losing all of their settings aside from whatever we save). In short: Fuuuuuuck.
|
# ? May 25, 2011 01:25 |
|
Thel posted:Thanks for that. Turns out the users that are having problems have mailboxes in the exchange server, but don't show up in any of the address lists. The only solution we've found is to delete and recreate their accounts (losing all of their settings aside from whatever we save). By "deleting their accounts" do you mean just deleting their outlook profile? If so, give manually downloading the OAL a shot first? If they are in cached mode then the OAL is where the client looks for the GAL. Hopefully your global address list / OAL isn't hosed up due to the migration so far. It's pretty easy to get hosed up due to the stupid way it's tied to the public folder replication, which is almost certainly broken considering how ungracefully the old server seems to have been ripped out. Blame Pyrrhus fucked around with this message at 01:38 on May 25, 2011 |
# ? May 25, 2011 01:35 |
|
While I don't use Exchange, I figure this is the best existing thread to ask... I have 4 IMAP accounts configured in Outlook 2010. One is work and three are personal. Occasionally I'll be in my "personal" mailbox and send a new message to co-workers, not pay attention to the sender address, and end up sending them a work-related message from a personal account. It's probably a tall order to compensate for my inattention, but does Outlook have any warning system that can be enabled to say, "Hey hoss, you usually send messages to joeuser@work.com from yourname@work.com, not yourname@hurfdurfvanity.com. Continue?"
|
# ? May 25, 2011 14:43 |
|
Going into my 8th year of Exchange Administration - currently have about thirty clients, each running a number of different configurations and different Exchange versions, from 2003 to 2010. While I see so many co-workers and people whine about the difference between 2003 to 2007+, the new Exchange interface and powershell are huge improvements in admin usability. It is hilarious to see people try to implement or upgrade 2003 environments without reading about the differences between 2003 and 2007. I've seen some real horror type situations that I've had to come in and fix up. Usually the type of IT people that cause these disasters are the same ones who are hell-bent on keeping Windows XP as the primary operating system in their networks... I'd be very interested in reading that whitepaper on the Navy's setup. The largest Exchange install I've done is a school with about 3,000 users, which was pretty fun. I'd love to see how a larger organization does that. Some things/gotchas I've found since Exchange 2007:
- Splurge on a SAN SSL certificate for your new Exchange install. Do this even if you have a good single domain certificate. This will save you hours of troubleshooting and headaches related to Autodiscover/OAB/etc. Basically, SAN certs let you get one cert for multiple subdomains, such as mail.domainname.com and autodiscover.domainname.com
- Autodiscover issues can be a result of improper DNS SRV records on the domain controller(s). Exchange usually creates these during setup, but if you're putting a new Exchange server in and have older 2003 DCs, I've seen it be a problem.
- On Outlook 2007, you can press control and right click on the Outlook tray icon and select "Test Autodiscover Settings" - this lets you test internal Autodiscover repeatedly, make sure all the settings resolve correctly, etc. It also helps you track down Certificate errors.
- Read the prereqs for Exchange 2010 and make sure to install them all - http://technet.microsoft.com/en-us/library/bb691354.aspx - also the ifilters (basically integrates Windows Search with 2010 almost seamlessly) - http://technet.microsoft.com/en-us/library/ee732397.aspx
|
# ? May 25, 2011 17:00 |
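An added example, not written by anyone in the thread: a PowerShell check that a certificate's subject alternative names cover every host name clients will connect to, which is the SAN advice given in the posts above. The host names are placeholders, the two test certificates are built in memory, and it assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example, not from the thread. Host names below are placeholders.
function Get-CertDnsName {
    # Return the DNS names listed in a certificate's subjectAltName extension.
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Windows renders entries as "DNS Name=host"; OpenSSL-backed .NET as "DNS:host".
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)\s*([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-NameCovered {
    # True if $Pattern equals $HostName, or $Pattern is a wildcard ("*.example.com")
    # that stands in for exactly one left-most label of $HostName.
    param([string]$HostName, [string]$Pattern)
    $h = $HostName.ToLowerInvariant()
    $p = $Pattern.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if (-not $p.StartsWith('*.')) { return $false }
    $dot = $h.IndexOf('.')
    return ($dot -gt 0) -and ($h.Substring($dot) -eq $p.Substring(1))
}

function Get-MissingCertName {
    # List the required host names that no SAN entry on the certificate covers.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string[]]$RequiredName)
    $sans = @(Get-CertDnsName -Certificate $Certificate)
    foreach ($name in $RequiredName) {
        $covered = $false
        foreach ($s in $sans) {
            if (Test-NameCovered $name $s) { $covered = $true; break }
        }
        if (-not $covered) { $name }
    }
}

function New-SampleCert {
    # Build a throwaway self-signed certificate in memory (constructed test input).
    param([string]$CommonName, [string[]]$DnsName)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$CommonName", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $builder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
    foreach ($d in $DnsName) { $builder.AddDnsName($d) }
    $req.CertificateExtensions.Add($builder.Build())
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
}

# Names clients will use: the mail host plus the Autodiscover host.
$required = 'mail.example.com', 'autodiscover.example.com'

# Constructed inputs: a single-name certificate and a SAN certificate.
$single = New-SampleCert -CommonName 'mail.example.com' -DnsName 'mail.example.com'
$multi  = New-SampleCert -CommonName 'mail.example.com' -DnsName $required

"single-name cert is missing: $(@(Get-MissingCertName $single $required) -join ', ')"
"SAN cert is missing:         $(@(Get-MissingCertName $multi $required) -join ', ')"
```

To check an installed certificate instead of the samples, pass an object from `Get-ChildItem Cert:\LocalMachine\My` to `Get-MissingCertName`.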
|
Gyshall posted:- Read the prereqs for Exchange 2010 and make sure to install them all - http://technet.microsoft.com/en-us/library/bb691354.aspx - also the ifilters (basically integrates Windows Search with 2010 almost seamlessly) - http://technet.microsoft.com/en-us/library/ee732397.aspx The SP1 download for 2010 can be used to perform a fresh install, and as part of the new setup process it includes a checkbox that will automatically add all of the required roles and services for most vanilla setups. It is literally the best thing ever if you have to repeatedly perform installs.
|
# ? May 25, 2011 18:35 |
|
Yeah. The other sweet thing about most 2007 and onwards Microsoft Products is that you can install them fully functional for X amount of days before they need to be activated. Very handy for testing/stingy rear end clients.
|
# ? May 25, 2011 19:10 |
So this seems like a reasonable thread to post this: Managing exchange mailboxes, please tell me how you do it. It's not my decision on how we do it in our place, but if you haven't read the ticket came in thread, our exchange server died and the CIO wasn't happy with how my line manager manages mailboxes (say that out loud). Specifically, we run exchange 2003, it used to be standard edition and we nearly hit the 65gb limit. At this point my boss went round some of the biggest mailboxes and archived all their mail into personal folders on a network share. Then he realised the info store wasn't going down in size because he needed to do an offline defrag. This was going to take longer than a weekend so he never bothered. Eventually we hit the limit and used the email crash as a way of getting an order for exchange 2003 enterprise signed off... So now we pretty much just let users have big mail boxes. - I'd say we have around 300 users and a mailbox store of 160gb, which from what I have discussed elsewhere isn't that big. However refer to the above about the CIO not being happy - he said he wanted us to reduce it by 50%. His reasoning will be that he does a lot of work with the company that own us, and because they own us our policies on basically everything have to be in line as possible with theirs - their mailbox policy is 10mb of space each or 40mb if you are an exec. Archive or delete anything else. (though they have around 600k users worldwide, I'm not sure how that breaks down regionally, but I guess that is why they are a touch on the militant side perhaps?) As much as it isn't my decision on how we change our policy, I can see 'buying enterprise and ignoring the problem' isn't a solution. There is a 'post-server-crash' meeting this week and I'd at least like to look half informed when I open my mouth. So any knowledge would be appreciated.
|
# ? Jun 6, 2011 01:02 |