MS Messaging

Cisco is now a qualified IP PBX for Direct SIP with OCS 2007

MS Goodies - Sat, 2008-09-06 13:45

The following versions of Cisco Unified Communications Manager have been qualified for Direct SIP integration with Microsoft Office Communications Server 2007 (Direct SIP has worked with some restrictions for quite a while, but is now a tested and “qualified” solution):

4.2[3]sr3a, 5.1.3.3000-5 & 5.1.3.1000-12 and not least 6.1.1.3000-2

Note that interoperability requires the August 2008 Update Package for OCS 2007 as described in KB952780 and also KB952783, although the latter is not listed on the UC OIP page. KB957280 is for the Mediation Server role and KB952783 is for all the other roles (delivered automatically through Microsoft Update). The Office Communicator 2007 client update KB954439 is also required according to KB957285 (this update currently has to be requested directly through PSS).

The fixes (which we have been waiting for for quite a while) let you selectively break OCS 2007's RFC 3966-compliant handling of E.164 numbers, for interoperability with “certain” PBXs (read: Cisco, though it may also apply to other vendors) that do not correctly use or understand the + sign in an E.164 number.

The following are the changes as explained in KB92785, “Outgoing calls from Communications Server 2007 Mediation Server may not be routed correctly”:

By default, Microsoft Office Communications Server 2007 Mediation Server uses a plus sign (+) to prefix E.164 numbers in the Request Uniform Resource Identifier (URI) for outgoing calls. However, certain private branch exchanges (PBXs) do not accept numbers that are prefixed by using a plus sign (+). Therefore, an outgoing call may not be routed correctly. Additionally, the "From" headers for incoming calls from certain PBXs do not comply with Requests for Comments (RFC) 3966, "The tel URI for Telephone Numbers." In this case, Office Communicator does not resolve the number to the correct user.

To make sure that Mediation Server operates correctly together with PBXs, update 952780 adds a new Mediation Server configuration file setting for Communications Server 2007. This configuration file is called RemovePlusFromRequestURI, and it contains one of two settings, YES or NO. If your PBX does not accept numbers that are prefixed by using a plus sign (+), the setting in the configuration file should be YES. The YES setting causes Mediation Server to remove the plus sign (+) from a Request URI for outgoing calls. It also removes the plus sign (+) from the "To" header and the "From" header. If the configuration file setting is set to NO, Mediation Server will not change the Request URI, the "To" header, or the "From" header.

Note that you will have to manually force the Mediation Server to strip off the + sign using the intelligently named configuration file setting “RemovePlusFromRequestURI”.


Update 952783 introduces functionality for Communications Server 2007 to remove the plus sign (+) from the "From" header when it is not E.164-compliant. If this action does not create an E.164-compliant number, Communications Server 2007 introduces a "P-Asserted-ID" header that has a phone-context value of "enterprise." This header enables the user lookup functionality in Communicator 2007. Additionally, Communications Server 2007 bypasses the server normalization logic if the header contains a phone-context value of "enterprise."

It’s good to see the list of qualified PBXs expanding; now we can only hope that the dual forking scenarios will follow suit with Cisco and all the other vendors who have promised to deliver interop (e.g. Alcatel, Avaya, Ericsson, Mitel, NEC and Siemens).

OCS Patches for Nortel CS1000 rel 5.5 with MCM 3.5 integration

MS Goodies - Sat, 2008-09-06 12:21

I recently updated our lab environment and it is now running Windows Server 2008 and Hyper-V. During that process we finally updated our test CS1000 to rel 5.5 and that required some updates that are different from the ones listed on the MS UC OIP site (which are also outdated; both 943083 and 943085 have been superseded) and the ones listed in the Nortel documentation for rel. 5.5.

In the following I have listed the "Required" patches according to Nortel's documentation and the "Actual" ones based on the current version of the hotfixes.

OCS 2007 Front End
Required - Standard Edition RTM version 6362.0 plus hotfix KB 942872
Actual – Standard Edition RTM version 6362 plus hotfix 945055 (Includes Apiem.dll and Sipstack.dll in version 3.0.6362.17, which 942872 introduces)

Office Communication Server 2007, Mediation Server
Required - December 17, 2007, Version 3.0.6362.36 plus hotfix KB943086 and KB944285
Actual - December 17, 2007, Version 3.0.6362.36 plus hotfix KB943086 and KB944285

OCS Application Proxy Server
Required - OCS 2007 – Standard Edition RTM version 6362.0 plus hotfix KB 942872
Actual – Standard Edition RTM version 6362 plus hotfix 945055 (Includes Apiem.dll and Sipstack.dll in version 3.0.6362.17, which 942872 introduces)

Office Communicator 2007 Client
Required - December 17, 2007, Version 2.0.6362.36 plus hotfix KB 943083
Actual - December 17, 2007, Version 2.0.6362.64 including hotfix KB 951662 that supersedes 943083 (And replaces all files in 6362.65 version)

UK TechNet events coming up

Eileen Brown's WebLog - Fri, 2008-09-05 09:04

Georgina has been busy working on our Calendar of events for the next few months and has published the list.  Click on the links for more information and to register:

13 August 2008, London: Microsoft Virtualisation and Management Technologies

21 August 2008, Liverpool: Microsoft Virtualisation and Management Technologies

2 September 2008, Reading : TechNet: the Microsoft Vision for Unified Communications

9 September 2008, Reading: Microsoft Virtualisation and Management Technologies

10 September 2008, Reading: SQL Server 2008 Unleashed

10 September 2008, London: Microsoft 'After Hours' - The Sequel

11 September 2008, Edinburgh: Microsoft Management and Virtualisation Technologies

2 October 2008, Reading: An Introduction and Overview of Microsoft Licensing

7 October 2008, Manchester: TechNet: SQL Server - Under New Management

14 October 2008, Birmingham: TechNet: Windows PowerShell: Around the Data Centre in 80 Scripts

16 October 2008, Edinburgh: Windows Server 2008 - What's New and Exciting

21 October 2008, Reading: Understanding Microsoft's Server Product Licensing in a Virtual Environment

22 October 2008, Bristol: Taking Care of Business Every Day with Small Business Server 2008 and Essential Business Server 2008

23 October 2008, Exeter: TechNet: SQL Server - Under New Management

29 October 2008, London: Recipient Management, Policies and Permissions in Exchange Server 2007

29 October 2008, London: Taking Care of Business Every Day with Small Business Server 2008 and Essential Business Server 2008

3-7 November 2008, Barcelona: TechED EMEA IT Professionals

Categories: MS Messaging

Exchange 2007 PrepareAD could interfere with Exchange 2003 mailflow when e-mail address space is ambiguously nonauthoritative

You had me at helo - Fri, 2008-09-05 06:48

We've recently encountered a small handful of customers who reported mailflow problems shortly after running Exchange 2007's /prepareAD, or after installing their first Exchange 2007 role (which automatically launches the prerequisite prepareAD process). While determining root cause, we found that this problem might affect a larger set of customers that have (or have ever attempted) e-mail domain name sharing and use the "forward all mail with unresolved recipients to host" option.

What happens?

Some of the Exchange 2000/2003 mailflow problem symptoms include:

- Messages eventually accumulate in deferred delivery queues - mostly on bridgeheads.

- In some cases, message tracking shows some messages routing back and forth a small number of times between the same Bridgeheads and mailbox servers.

Why does this happen?

The e-mail domain name that users primarily use is ambiguously nonauthoritative: authoritative on some recipient policies and nonauthoritative on others. /PrepareAD does not expect this condition when enumerating recipient policies, and attempts to "fix" the Exchange 2000/2003 misconfiguration by making the e-mail domain(s) consistently non-authoritative on all recipient policies. A few other things occur behind the scenes, but eventually mail will queue up. If you only have a handful of recipient policies, here's how to determine whether or not you are at risk of a mailflow outage:

First, navigate in Exchange 2000/2003's System Manager and pull up the recipient policies. Here is a screenshot of the recipient policies in the Contoso lab organization. Since we know that "contoso.com" is present on multiple recipient policies, we need to check each occurrence for the authoritative setting.

In the site01 policy, we can see that there is an occurrence of contoso.com. When you double-click (or edit) the contoso.com entry, the popup-dialog box on the right indicates that it is authoritative. I've also included an ldifde output to illustrate how the GUI maps to the raw data from Active Directory.

In the site08 policy, we can see that contoso.com doesn't have the checkbox, and thus is nonauthoritative. Since this setting differs from the instance of contoso.com within the site01 policy, prepareAD would detect this misconfiguration and convert any authoritative occurrences of contoso.com to non-authoritative. The recipient policy change(s) would eventually cause all Exchange servers in the organization to remove contoso.com from their own metabases, and transport on such servers is in an "in-between" state until IIS is restarted.

Notice that the screenshots show recipient policies which are appropriately named for this blog. However, in real-world environments they are rarely named descriptively. Another challenge is that not all of the policy objects (such as pure mailbox-manager policies) will have visible e-mail settings, in which case you would need to temporarily enable the "e-mail addresses" property sheet to expose the addresses written to those policies when they were created (which could have been years ago). Lastly, an admin would be prone to error if he/she were to check hundreds of policies in a large environment. Therefore, Marc Nivens took our requirements and wrote a read-only script to assist you in detecting ambiguously authoritative e-mail domain names. Seeing that you might not have any Exchange 2007 servers in the org yet, all you need is a machine that has PowerShell 1.0 installed, and you can copy the script to run it. (Do note that you will need to change your execution policy. If you don't feel comfortable changing your execution policy, you can always author your own script by creating a .ps1 file with Notepad and pasting in the contents of our code.) After invoking the script in this lab environment, the contoso.com domain (among others) was found to be ambiguously authoritative:

What do you do?

If you have not yet executed prepareAD: As you've seen above, the corrective action is to check whether an e-mail domain name exists on multiple recipient policies. If so, double-click on each occurrence of that domain to make sure the checkbox for "This organization is responsible..." is either consistently checked or consistently unchecked across all occurrences of that domain. If you intended for all occurrences of the e-mail domain name to be nonauthoritative, you need to uncheck the checkbox on all occurrences of that domain. On the other hand, if you intended for all occurrences of the e-mail domain name to be authoritative, you need to check the checkbox on all occurrences of that domain. Any changes to the "This organization is responsible..." checkbox (i.e. msexchnonauthoritativedomains) do not affect address generation, and thus will not produce the pop-up dialog requesting to update all recipient e-mail addresses. You can use the attached PowerShell script for detection, but the corrective steps are manual. The PowerShell script may be used again to double-check your corrections after AD has replicated.

If you have already executed prepareAD and are experiencing a mailflow issue with one of your e-mail domain names: Restart IIS on all servers in the Exchange organization. This is because the metabase on all servers exists in an in-between state that doesn't fully recognize the route change. In some cases, restarting IIS will alleviate the mailflow outage, but it doesn't necessarily resolve the issue if you truly intended for the domain to be authoritative. Additionally, Exchange System Manager will not accurately reflect the nonauthoritative state of the e-mail domain names. This is due to /prepareAD having populated a lowercase value of "smtp" into msexchnonauthoritativedomains. If the gatewayproxy attribute has the uppercase "SMTP" then ESM doesn't see the case match, and will misleadingly render the domain as "authoritative" in the GUI. The chart below illustrates the before-and-after changes:

Policy name                                        msexchnonauthoritativedomains   ESM GUI "This Exchange organization is responsible..."
Default policy (authoritative for contoso.com)     <not set>                       checkmark (grayed-out)
Site08 policy (nonauthoritative for contoso.com)   smtp:@contoso.com               no checkmark
Site01 policy (authoritative for contoso.com)      <not set>                       checkmark

Additionally, the metabase shows a domain key for contoso.com with routeaction=32.

During /PrepareAD execution, the recipient policies are changed at the same time the following entries are logged to the file ExchangeSetup.log:

[9/2/2008 12:24:32 PM] [2] [WARNING] The SMTP address template 'SMTP:@contoso.com' is invalid because it references a domain that is not an accepted domain.

[9/2/2008 12:24:32 PM] [2] [WARNING] Found 'contoso.com' in NonAuthoritativeDomains but did not expect it. Run Set-EmailAddressPolicy to correct this.

After SP1 /prepareAD succeeds, the changes are apparent: every policy now carries the lowercase smtp:@contoso.com entry, and ESM shows a checkmark on all of them.

Policy name      msexchnonauthoritativedomains   ESM GUI "This Exchange organization is responsible..."
Default policy   smtp:@contoso.com               checkmark (grayed-out)
Site08 policy    smtp:@contoso.com               checkmark
Site01 policy    smtp:@contoso.com               checkmark

At this point, if you dump the IIS metabase on any Exchange server in the organization, you will no longer see the local route; contoso.com actually gets removed from the metabases. And since gatewayproxy is capitalized whilst msexchnonauthoritativedomains is not, the ESM UI will mislead administrators into believing the e-mail domain names are authoritative.
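The check below is an added example written for this page; it is not the chkpolicyconflict script the post attaches, and Marc Nivens's script may work differently. It reads the msExchRecipientPolicy objects from the Configuration naming context (the live query needs a domain-joined machine, PowerShell 2.0 or later, and read access to the Exchange configuration container), then reports each e-mail domain that is authoritative on one recipient policy and non-authoritative on another, and separately flags entries whose msExchNonAuthoritativeDomains value matches the gatewayProxy template only when case is ignored, which is the condition that makes ESM draw the wrong checkbox. The sample policies at the bottom are constructed to reproduce the contoso.com layout described above; the fabrikam.com policy is made up to show the case-mismatch flag.

```powershell
# Added example, not the script attached to the post. Assumes PowerShell 2.0+.
# Recipient policies are msExchRecipientPolicy objects in the Configuration NC.
# gatewayProxy holds the address templates ("SMTP:@contoso.com");
# msExchNonAuthoritativeDomains holds the domains marked non-authoritative
# ("smtp:@contoso.com"). Transport treats the match case-insensitively; ESM does
# not, which is the display problem described above.

function Get-RecipientPoliciesFromAD {
    # Live query: needs a domain-joined machine with read access to the config NC.
    $configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter     = '(objectClass=msExchRecipientPolicy)'
    $searcher.PageSize   = 1000
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name             = [string]$r.Properties['name'][0]
            GatewayProxy     = @($r.Properties['gatewayproxy'])
            NonAuthoritative = @($r.Properties['msexchnonauthoritativedomains'])
        }
    }
}

function Get-PolicyDomainStates {
    # One row per (policy, SMTP domain): is the domain authoritative on that policy,
    # and does the non-authoritative entry differ from the template only in case?
    param([object[]]$Policies)
    foreach ($p in $Policies) {
        foreach ($template in @($p.GatewayProxy)) {
            if (-not $template -or $template -notmatch '^(smtp):[^@]*@(.+)$') { continue }
            $prefix = $matches[1]; $domain = $matches[2].ToLower()
            $exact = $false; $caseOnly = $false
            foreach ($na in @($p.NonAuthoritative)) {
                if (-not $na -or $na -notmatch '^(smtp):[^@]*@(.+)$') { continue }
                if ($matches[2].ToLower() -ne $domain) { continue }
                if ($matches[1] -ceq $prefix) { $exact = $true } else { $caseOnly = $true }
            }
            New-Object PSObject -Property @{
                Policy          = $p.Name
                Domain          = $domain
                Authoritative   = -not ($exact -or $caseOnly)
                EsmCaseMismatch = ($caseOnly -and -not $exact)
            }
        }
    }
}

function Find-AmbiguousDomains {
    # Per domain: ambiguous if authoritative on some policies and not on others,
    # which is exactly what /PrepareAD "corrects" behind your back.
    param([object[]]$Policies)
    Get-PolicyDomainStates $Policies | Group-Object Domain | ForEach-Object {
        $g = $_
        $auth    = @($g.Group | Where-Object { $_.Authoritative }      | ForEach-Object { $_.Policy })
        $nonAuth = @($g.Group | Where-Object { -not $_.Authoritative } | ForEach-Object { $_.Policy })
        $caseBad = @($g.Group | Where-Object { $_.EsmCaseMismatch }    | ForEach-Object { $_.Policy })
        New-Object PSObject -Property @{
            Domain             = $g.Name
            Ambiguous          = ($auth.Count -gt 0 -and $nonAuth.Count -gt 0)
            AuthoritativeOn    = $auth -join ', '
            NonAuthoritativeOn = $nonAuth -join ', '
            EsmCaseMismatchOn  = $caseBad -join ', '
        }
    }
}

# Constructed sample reproducing the contoso.com layout described above, plus a
# made-up fabrikam.com policy whose non-authoritative entry is lowercase.
$samplePolicies = @(
    (New-Object PSObject -Property @{ Name = 'Default Policy'; GatewayProxy = @('SMTP:@contoso.com', 'X400:c=US;a= ;p=Contoso;o=Exchange;'); NonAuthoritative = @() }),
    (New-Object PSObject -Property @{ Name = 'Site08'; GatewayProxy = @('SMTP:@contoso.com'); NonAuthoritative = @('SMTP:@contoso.com') }),
    (New-Object PSObject -Property @{ Name = 'Site01'; GatewayProxy = @('SMTP:@contoso.com'); NonAuthoritative = @() }),
    (New-Object PSObject -Property @{ Name = 'Mailbox Manager Only'; GatewayProxy = @('SMTP:@fabrikam.com'); NonAuthoritative = @('smtp:@fabrikam.com') })
)

Find-AmbiguousDomains $samplePolicies |
    Format-Table Domain, Ambiguous, AuthoritativeOn, NonAuthoritativeOn, EsmCaseMismatchOn -AutoSize
# Against a live org: Find-AmbiguousDomains (Get-RecipientPoliciesFromAD) | Format-Table -AutoSize
```

With the sample data, contoso.com is reported as ambiguous (authoritative on Default Policy and Site01, non-authoritative on Site08), and fabrikam.com is not ambiguous but is flagged for the case mismatch that would make ESM show it as authoritative even though AD says otherwise. Run it before /PrepareAD, fix the policies by hand as described above, and run it again after replication.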

Long-term solution if you have already run /PrepareAD: You will need to edit your recipient policies to rewrite the authoritative/nonauthoritative status for each occurrence of that shared e-mail domain name, and restart IIS on all servers after AD replication has completed. If you wish to make the domain authoritative, you will need to uncheck the checkbox next to "This organization is responsible...", hit Apply, re-check it, and hit Apply again to correct any lowercasing issues in the raw data and force ESM to reflect an accurate checkbox. For reference, article 321721 mentions two methods for namespace sharing and recommends against SMTP virtual servers configured with "forward all unresolved mail to this host".

What if I already ran /prepareAD and didn't notice a problem? Check your ExchangeSetup.log on the machine where you ran /prepareAD (if you skipped /prepareAD, open the ExchangeSetup.log file on your first Exchange 2007 server). Search for the text "in NonAuthoritativeDomains but did not expect it" (without quotes) and make a note of the e-mail domain(s) referenced just before each occurrence of that string. As long as you're aware of the ESM GUI display issue described above, you can ignore this entire post if:

- The referenced e-mail domain name isn't used, or planned to be used.

- The referenced e-mail domain name is used, but you intend for it to be an internal relay domain. (/prepareAD will have copied that domain name to the list of accepted domains as an internal relay domain)

- You have already migrated resources from Exchange 2000/2003 to Exchange 2007 (E12).

- You do not find the text string.

In conclusion, if an e-mail domain name is intended to be non-authoritative, make sure it's non-authoritative on ALL recipient policies (even mailbox-manager-only policies). The opposite also holds true: if an e-mail domain name is intended to be authoritative, make sure it's consistently authoritative on all policies. Any e-mail domain name that is ambiguously non-authoritative (i.e. authoritative on one policy and non-authoritative on another) will cause prepareAD to modify the authoritative setting (msexchnonauthoritativedomains) on recipient policies. We are working on a BPA prerequisite rule that blocks setup, as well as a normal (health check) BPA rule, to detect this condition in an Exchange 2000/2003 environment, since ambiguously authoritative domains have also caused routing issues outside of any Exchange 2007 operations.

Hope this has been helpful. We are working on a better solution for this problem but in the mean time, you can use the script to help you identify this situation.

You can download the script from the following link.

Note: this script is not officially supported by Microsoft. Please see the script for more details.

File: chkpolicyconflict

- Vincent Yim

Categories: MS Messaging

Securing Exchange Data from Unapproved Mobile Devices (or how to block a phone or service from taking data out of your Exchange Server)

You had me at helo - Fri, 2008-09-05 06:20

Many companies and users consider mobile access to Exchange data an essential feature. Exchange ActiveSync (EAS) is very popular as it allows this access, and many devices have licensed and implemented EAS (including Windows Mobile). Some companies use remote servers to access Exchange data and push it out to mobile clients that aren't EAS enabled. Of course these mobile access options can be a little concerning when you think about the security implications. Evaluating these devices (and servers) to make sure they comply with data protection policies is a necessary step for a lot of companies that want to protect their messaging data. This post details some of the options available to companies that want to limit access to a specific set of supported devices.

The first question we usually get is, "How do you stop unapproved devices and servers from accessing Exchange data?"  In general, I hear people talk about three ways to block devices:

  1. Use an ISAPI filter (Not recommended)
  2. Set policies that only the devices you care about can implement (Better)
  3. Block the devices at the firewall (Recommended!)

Let me describe each method in a bit more detail.

Custom ISAPI filter:
Since creating a custom ISAPI filter is both time consuming (you have to write custom code) and not a best practice, I'm not going to talk too much about it except to mention that it is a possible solution. More details can be found here for those interested in exploring this option.

Policies as a blocking agent:
Using policies is a very easy way to do this: uncheck the box titled "Allow non-provisionable devices" (image below) and then set a policy that the particular device doesn't support. A list of which policies are enabled with which version of the server (and thus which generation of clients) is given below. You may need to test a device to see which version of the policies it implements, as that varies by licensee.

The challenge with this method is that many of today's devices are upgradable and thus may implement a policy in the future while still not providing the security you want. For example, you may want to make sure the device and storage memory are encrypted with at least 128-bit encryption: Windows Mobile 6 and later uses 128-bit AES for storage card encryption, but another device might simply do 40-bit encryption and still report the policy as applied. Because of this discrepancy, it is important to understand what devices are connecting to your network, and which ones can connect, so that you can decide if your organization is okay with this level of control.

Using ISA Server 2006 to block unwanted clients:

Finally, you can block at the firewall. This is by far the best solution and is really easy to implement with ISA Server. Below I list and describe the steps to configure your ISA server so that you can block by device type (using the device's User-Agent string to identify and block it) and by server type (using the server's IP address range).

Blocking by User-Agent String in ISA Server 2006:

Blocking a particular device from accessing EAS is easy to do if you filter by the device's User-Agent string at the firewall.  You can create a rule for each device type you want to block. 

In ISA Server you should already have an EAS rule set up (if not, run the "Publish Exchange Web Client Access" wizard). Simply right-click on that rule (pictured below) and then select "Configure HTTP".

The HTTP policy dialog below appears. Make sure you select the last tab, named "Signatures", and add one signature per device type you want to block: search in Request headers, set the HTTP header to User-Agent:, and enter the device's User-Agent text (such as the strings listed at the end of this post) as the signature.

When you hit OK you will go back to the main ISA Server screen but at the top it will ask you if you want to apply or discard the changes you made. (see below)  When you accept the change you are done.

Blocking by Server IP Address Range in ISA Server 2006:

Some mobile access methods work through an Internet service as opposed to directly from the device itself. This method might be of concern to certain organizations because they have no idea what devices are connecting to their servers, how many devices are using the service or what control (policies) they have on the phone (in many cases, none at all). These services usually have users enter their login and password and then save that on a remote server. The remote server then logs into OWA for that user, scrapes out the information and then pushes the data down to the user's device. In these cases, user credentials and data have left the organization and there is no control over them, or even knowledge of where they are.

From the main ISA screen, click on the "Create Access Rule" link (shown below).

This will bring up a wizard that will take you through the process.  In this case we will block the fictitious servers of "Bad Site".  On the first page you will Name the rule; let's say we call it "Block Bad Site".

On the next screen we will be asked if we want this to be an Allow or Deny rule.  Since we want to keep these servers from accessing our Exchange Server, we will select Deny.

The next screen will ask us what traffic we want to block.  This is where the wording can be a bit tricky if you're not familiar with ISA Server.  In this case you want to choose "All outbound traffic".

You now need to define who this rule applies to.  Select "Add" if the group you want isn't already listed (for this example I'll assume nothing has been created or set up yet).

You will get a dialog that lets you pick to whom this access rule applies; select New and choose Computer Set, as we are going to specify a range of IP addresses.

 

Now we need to name this new computer set (we'll call it Bad Site Servers for this example).  You can also add a description in the bottom of the dialog if you want.  Then click "Add" and select "Address Range".

 

You now can specify the address range of the server.  If the service you are blocking has more than one range of IP addresses, you will enter more than one of these (we'll go through an example of two).  You need to enter a name and the starting/ending IP addresses (shown below is just an example).  The description is optional.  Then click OK.

You can repeat this process (clicking on Add and adding another address range) as many times as there are Address ranges.  Below you can see our example has two IP address ranges.  When all of them are entered, click OK.

You will now notice that in the "Add Network Entities" list (under Computer Sets) you have the set you just defined (Bad Site Servers in this case).  Select the new Computer Set that you defined, click Add, then click Close.

Your access rule now applies to the computers you specified (in this case the Computer Set of Bad Site Servers).  You can add additional sources if you wish or click Next to move on.

You now need to define the destination for this traffic.  In this case, ISA Server (localhost) is the destination of this traffic.  Select Add to bring up your options to make this selection.

Under Network, you can select Localhost, then click Add and then click Close.

In this case Localhost is our only destination so we can select Next.

Now select who this applies to: add "All Users" and then click Next.

You're done creating the access rule.  Just click Finish to take you back to the main ISA Server view.

When you hit OK you will go back to the main ISA Server screen but at the top it will ask you if you want to apply or discard the changes you made. (see below)  When you accept the change you are done.

The following dialog will appear once your changes have been applied.  Click OK.

You're done.  Below you can see that there is now a new firewall policy rule that you created to block the server you didn't want to access your site.

Note: In general, "Deny" rules should precede any "Allow" rules, although there are exceptions to this. You will need to be familiar with ISA Policies Best Practices to understand the fine points of ISA rule definition.

And there you have it; how you can block by device type (User-agent string) and how you can block by server (IP address).  New devices and services come online all the time so it's tough to have a comprehensive list but some of the more common User-Agents are:

Symbian devices: "Symbian" http://www.developershome.com/wap/detection/detection.asp?page=userAgentHeader

Motorola: "mot-" http://www.developershome.com/wap/detection/detection.asp?page=userAgentHeader

Samsung: "sec-" or "samsung" http://www.developershome.com/wap/detection/detection.asp?page=userAgentHeader

LG: "lg-" http://www.developershome.com/wap/detection/detection.asp?page=userAgentHeader

Siemens: "sie-" http://www.developershome.com/wap/detection/detection.asp?page=userAgentHeader

Nokia Devices: "Nokia" http://discussion.forum.nokia.com/forum/showthread.php?t=83267

BlackBerry Devices: "BlackBerry" http://na.blackberry.com/eng/developers/resources/journals/mar_2007/profile.jsp

Apple Devices: "Appl" (no e on this one as Device ID starts with Appl so this covers all cases) Note: if you just want to block only the iPod Touch, or only the iPhone, you can just block on "iPod" or just "iPhone". http://forums.macrumors.com/showthread.php?t=361166
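Before committing a User-Agent deny rule, it helps to know which of your current EAS clients it would catch. The script below is an added example written for this page, not something from the post or from ISA Server itself: it parses IIS W3C log lines from the Exchange front end (the #Fields header defines the column order), keeps only requests to /Microsoft-Server-ActiveSync, and applies the signature strings listed above as case-insensitive substrings. The log lines are constructed and the User-Agent values in them are made up; case-insensitive matching is this script's choice, so confirm how your ISA signature matching behaves before relying on the result.

```powershell
# Added example, not from the post or ISA Server. Assumes PowerShell 2.0+.
# Inventory EAS User-Agents from an IIS W3C log and show which ones the
# post's signature list would catch. Matching here is case-insensitive substring.

$blockSignatures = @('Symbian', 'mot-', 'sec-', 'samsung', 'lg-', 'sie-', 'Nokia', 'BlackBerry', 'Appl')

function ConvertFrom-W3CLog {
    # Turns W3C extended log lines into objects with properties named after #Fields.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if (-not $line -or $line.StartsWith('#')) { continue }
        $values = $line.Trim() -split ' '
        if (-not $fields -or $values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $entry
    }
}

function Get-BlockedEasRequests {
    # For each EAS request, report the first signature its User-Agent contains.
    param([object[]]$Entries, [string[]]$Signatures)
    foreach ($e in $Entries) {
        if ($e.'cs-uri-stem' -ne '/Microsoft-Server-ActiveSync') { continue }
        $ua  = $e.'cs(User-Agent)' -replace '\+', ' '   # IIS logs spaces in the UA as '+'
        $hit = $null
        foreach ($sig in $Signatures) {
            if ($ua.ToLower().Contains($sig.ToLower())) { $hit = $sig; break }
        }
        New-Object PSObject -Property @{
            Time             = $e.date + ' ' + $e.time
            Client           = $e.'c-ip'
            User             = $e.'cs-username'
            UserAgent        = $ua
            MatchedSignature = $hit
            WouldBeDenied    = [bool]$hit
        }
    }
}

# Constructed sample log (not real traffic); the User-Agent strings are made up.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2008-09-05 06:20:01 10.0.0.21 CONTOSO\alice 192.168.1.10 443 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=alice&DeviceId=A1B2C3&DeviceType=PocketPC 200 MSFT-PPC/5.2.1200
2008-09-05 06:20:05 10.0.0.22 CONTOSO\bob 192.168.1.10 443 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=bob&DeviceId=D4E5F6&DeviceType=iPhone 200 Apple-iPhone/501.347
2008-09-05 06:20:09 10.0.0.23 CONTOSO\carol 192.168.1.10 443 POST /Microsoft-Server-ActiveSync Cmd=FolderSync&User=carol&DeviceId=G7H8I9&DeviceType=NokiaE71 200 NokiaE71-1/MailforExchange
2008-09-05 06:20:12 10.0.0.24 CONTOSO\dave 192.168.1.10 443 OPTIONS /Microsoft-Server-ActiveSync - 200 MOT-Q9h/1.0
2008-09-05 06:20:15 10.0.0.25 CONTOSO\erin 192.168.1.10 443 GET /exchange/erin/Inbox - 200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)
'@

$entries = ConvertFrom-W3CLog ($sampleLog -split "`r?`n")
Get-BlockedEasRequests $entries $blockSignatures |
    Format-Table Time, User, UserAgent, MatchedSignature, WouldBeDenied -AutoSize
```

On the sample, the Windows Mobile client (MSFT-PPC) is left alone, the Apple, Nokia and Motorola requests are reported as denied (matching "Appl", "Nokia" and "mot-"), and the OWA request is ignored because it is not an EAS request. Point ConvertFrom-W3CLog at Get-Content of a real front-end log to see what a proposed signature list would cut off in your own environment.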

Some of the common servers that try to access Exchange Server are below (with links to their docs that list their server IP address ranges):

BlackBerry Internet Service: http://www.blackberry.com/btsc/articles/644/KB11036_f.SAL_Public.html

Good Mobile Messaging (GoodLink): http://www.goodlink.com/documentation/GoodAdminGuide_exchange.pdf

For those that want more info on HTTP filters in ISA Server, there is a lot more detail here.

- Adam Glick

Categories: MS Messaging

The new Microsoft commercial: Bill Gates and Jerry Seinfeld

Eileen Brown's WebLog - Thu, 2008-09-04 17:57

I've just seen this video of our new commercial showing Bill Gates in a shoe shop.

Look out for more in the coming months...

I just love the wiggle...

 

Categories: MS Messaging

Exchange Server Documentation Updates - September 2008

You had me at helo - Thu, 2008-09-04 04:38

The Exchange Server documentation team is pleased to announce updates to the Exchange Server content.

To see what content has changed for Exchange Server 2007 with Service Pack 1, take a look at Exchange Server 2007 Documentation Updates.

To see what content has changed for Exchange Server Analyzer, take a look at Exchange Server Analyzer Topic Updates.

In particular, we would like to highlight the following new or updated topics:

  • Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments: This topic provides the Microsoft support policies for running currently supported versions of Microsoft Exchange Server in production in a hardware virtualization environment. This topic also provides recommendations for running Exchange Server in production in a hardware virtualization environment.
  • Common Criteria Evaluation of Exchange 2007 SP1: This document and the downloads that are associated with it contain important information about the evaluation and certification of Microsoft Exchange Server 2007 with Service Pack 1 (SP1), Enterprise Edition according to the Common Criteria (CC) for information technology security and the ISO 15408 Toolkit.

You can see these articles and other Exchange Server documentation content in the Microsoft Exchange Server TechCenter.

The following downloads are also available for SP1 content:

BTW, all our topics in the Exchange Library have a "Topic Last Modified" date at the top of the topic. And, if you wonder which topics apply to Exchange Server 2007 with Service Pack 1, we now have an "Applies to" tag for Exchange 2007 content.

You can now annotate topics in the Exchange Server 2003 and Exchange Server 2007 documentation. Scroll to the Community Content section at the end of any topic in the Exchange Server Library, and click Add Community Comment. You'll be asked to sign in with your Windows Live ID and to register as a participant. Then, share your insights with the Exchange community.

-Cathy Anderson, Content Release Manager, Exchange User Documentation

Categories: MS Messaging

Real innovation with RFID at tech.ed Australia

Eileen Brown's WebLog - Wed, 2008-09-03 19:45

One of the most amazing and geeky things I’ve seen at tech.ed Australia is the RFID tags and avatars.  As you walk into a room for a session, the count goes up, we know how many people are in the room – we can see their avatars – and we can see instantly what they like when they registered their preferences.  (I blogged about this the other week) So I could tell how many people in the session like rock, blog, use twitter or see the type of avatar they’ve loaded.  All in real time.  Here are a few screenshots:


These are avatars leaving the hall – the display behind shows attendance at previous tech.ed’s by the avatars actually in the Exhibition hall at the moment.


Someone else leaving the hall and a different display scrolling round.  There weren’t too many people around at this time as these shots were taken during a session.


Two way traffic.  Sometimes there were loads of people emptying and leaving – unfortunately not at the right time to show the scrolling!

Here’s the web view of a live room which is filling up at the moment.


As attendees walk in, the screen changes showing how many seats are free, what the audience split is, what social networking sites they use.  Fascinating stuff.

What’s really geeky is the fact that all you have to do is flash your badge around as you’re going around the Exhibition hall and your avatar pops up – and your preferences too. 


 

Here’s Norbert, the leader of the Evangelism group here in Australia, showing all of the information that appears when you put your badge down on surface and scrolling right down from world level, country, street level – then showing the image of the convention centre using Live Earth.  Just an ad hoc demo, but showing the capabilities of Surface, the RFID application and just how well everything integrates.  He looked like he’d been using Surface for ages – not just a few minutes…

So this collection of technologies has really blown me away.  This would be great if it was rolled around the tech.ed’s around the world as for me it’s been the most fascinating part of the conference.  The “boiler room” where the RFID ops room is, has been open all week, so anyone can walk in and out and see how things work, and watch the live displays of the avatars going in and out of the main hall, the rooms etc.  Totally brilliant.  Totally innovative.  Lots of Silverlight. Lots of Surface.

More please in other tech.ed’s …

Categories: MS Messaging

Building a Lab with Exchange 2007 on Windows 2008 Using PowerShell

You had me at helo - Wed, 2008-09-03 08:53

Hi from Alabama. This is a follow-up to my last post, which was about building a lab with Exchange 2007 on Windows Server 2003 using a PowerShell script. This post is about building the same lab using Exchange Server 2007 SP1 on Windows Server 2008. I just got a new server and started playing with 64-bit Windows Server 2008 guests in Hyper-V, and that gave me the tools I needed to build the new lab.

This lab is exactly the same lab (from the Exchange viewpoint) as the one referenced in my earlier post. Same servers, same IP addresses, same naming convention, etc. For a refresher on those, please see my previous post. I did change the lab domain name to contoso.com. Not that it affects anything in the lab - make your domain anything you want it to be.

On Windows Server 2008, I found that the pre-Exchange setup steps were much simpler than on Windows Server 2003. Of course, there are some steps that are exactly the same, but much of the installation of pre-requisites (IIS, ADAM, failover clustering, etc.) is handled by the script.

Also, there are some significant differences in the scripts and some slight changes in the CSV files, so a careful comparison of the Windows Server 2003-based script and CSV files could be helpful.

Lab Diagram

Here's a diagram of the lab that we will be using (same lab diagram as Exchange 2007 on Windows 2003, I just added it here for your convenience):

Lab Configuration

I found that the lab build-out was much easier on Windows Server 2008. There was very little I had to do to prepare the base operating system install for my script.

Here are the steps you need to take to prepare your lab:

  • Ensure that all machines in the lab are connected to the same network. If you want to update these machines to the latest patch levels, this network should connect to the Internet.
  • Put a base operating system using Windows Server 2008 Enterprise Edition on each server. 64-bit or 32-bit both work (with the understanding that 32-bit Exchange 2007 is just for labs and demos, of course).
  • In my labs, I disable User Account Control (UAC). Whether you want this in your environment or not is up to you. See this TechNet article for details on how to disable UAC.
  • Make sure that PowerShell is loaded on all servers. You could do this in your base operating system build, or you can add it after Windows 2008 is installed. Use the following command (at the command prompt) to install PowerShell.
    • ServerManagerCmd -i PowerShell
  • Run DCPromo - I typically allow DNS to be installed by the DCPromo process in labs where I'm only going to have a single DC.
    • On the DC, add Active Directory Domain Services (ADDS) remote management tools by running the following command:
      • ServerManagerCmd -i RSAT-ADDS
  • Reboot the DC after installing the ADDS remote management tools.
  • Add a reverse lookup zone to your DNS server. This is not strictly required, but I just like to have it.
  • Join all machines to the domain except for the Edge Transport server.
  • Make sure that the Site configuration is set such that the local subnet defines the Site. This is critical if you are going to have an expanded lab with multiple Sites and subnets. For our simple one-Site, one-subnet lab, it isn't as important.
  • Pre-create the machine account for your cluster using the name labhsv-xcl001. For the File Share Witness (FSW), we need to add some rights so that the cluster machine account can access the share used for the FSW. Make sure you also disable the cluster machine account. Note - I should really do this in my script. If you happen to have the code to do this, send it on!
  • Log in as the Enterprise Administrator on the DC (to ensure Schema Admins permissions).
  • Insert the Exchange 2007 SP1 DVD in the DC, and execute this command from the DVD:
    • Setup.com /PrepareAD /OrganizationName:Contoso
  • While still logged in as the Enterprise Administrator on the DC, execute this command from the DVD:
    • Setup.com /PrepareDomain
  • Create an Exchange Administrator user account (ExchAdmin) and configure it to be a domain administrator. This allows the account to be a local administrator on all domain machines so that installing Exchange is easier.
  • Remove this account from the Domain Users group, and then add the account to the Exchange Organization Administrators group.
  • Set the domain suffix on the Edge Transport server to "contoso.com" to match the internal domain name for the lab.
  • Add the IP address of the Edge Transport server as a host record on the internal DNS server.
  • Configure the network on both CCR nodes:
    • Add a second network to both CCR nodes.
      • Second network adapter should be a cluster-use only network that does not connect to the Internet.
      • This network should not have DNS servers or default gateway configured.
      • This network should not register itself with DNS.
      • Manually configure the network on the second NIC as follows:
        Node Name   IP Address    Subnet Mask
        Node1       10.1.1.101    255.255.255.0
        Node2       10.1.1.102    255.255.255.0
    • On each cluster node, add the entry for the other system to each Hosts file (C:\windows\system32\drivers\etc\hosts):
      • 10.1.1.1 labhsv-xcl001r1 (added to Node2's Hosts file)
      • 10.1.1.2 labhsv-xcl001r2 (added to Node1's Hosts file)

NOTE: That says "R1" and "R2" on the end, not "N1" and "N2". This is for the "Enable-ContinuousReplicationHostName" cmdlet where we need unique names for cluster resources to configure continuous replication across a redundant network.

  • Ensure that the network connection order is correct. In Network Connections, choose Advanced and then Advanced Settings. Move the public network to the top and the private network below the public network.
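
The cluster machine account and File Share Witness step above is the one the post says it would like to have scripted. Here is one way to do it in PowerShell, added here as an example; it is not part of the post's E2K7onW2K8Install.ps1 script. It uses ADSI (which works on the PowerShell 1.0 that ships with Windows Server 2008) together with the built-in icacls.exe and net.exe tools. The account name and share name are the ones from the post; the container DN, NetBIOS domain name and local share path are assumptions. Run it with -Step Account on the DC and with -Step Share on the Hub Transport server that will host the witness.

```powershell
# Added example, not part of the post's script. Pre-creates the disabled cluster
# machine account and builds a File Share Witness share that only that account
# can use. Run with -Step Account on the DC, then -Step Share on the Hub
# Transport server that will host the witness.
param(
    [string]$Step           = "Account",                        # "Account" (on the DC) or "Share" (on the HT server)
    [string]$ClusterAccount = "labhsv-xcl001",                  # cluster machine account name from the post
    [string]$ContainerDN    = "CN=Computers,DC=contoso,DC=com", # assumed: container the account is created in
    [string]$NetbiosDomain  = "CONTOSO",                        # assumed: NetBIOS name of the lab domain
    [string]$ShareName      = "fsw-labhsv-xmb001",              # FSW share name from the FSW.csv example
    [string]$SharePath      = "C:\FSW\labhsv-xmb001"            # assumed local folder on the HT server
)

function New-DisabledClusterAccount {
    param([string]$Name, [string]$ContainerDN)

    $container = [ADSI]"LDAP://$ContainerDN"
    $computer  = $container.Create("computer", "CN=$Name")
    $computer.Put("sAMAccountName", "$Name`$")
    $computer.SetInfo()

    # userAccountControl 0x1002 = WORKSTATION_TRUST_ACCOUNT (0x1000) | ACCOUNTDISABLE (0x0002).
    # The account stays disabled until failover clustering claims it when the cluster is formed.
    $computer.Put("userAccountControl", 0x1002)
    $computer.SetInfo()
    Write-Host "Created disabled computer account $Name in $ContainerDN"
}

function New-FswShare {
    param([string]$ShareName, [string]$SharePath, [string]$Account)

    if (-not (Test-Path $SharePath)) {
        New-Item -ItemType Directory -Path $SharePath | Out-Null
    }

    # NTFS: Full Control for the cluster account on the folder and everything below it.
    # Existing administrator rights on the folder are left in place.
    & icacls.exe $SharePath /grant "${Account}:(OI)(CI)F" | Out-Null

    # Share permissions: only the cluster account, Full Control. No Everyone entry is
    # added, so the witness directory is not reachable from other machines in the lab.
    & net.exe share "$ShareName=$SharePath" "/GRANT:$Account,FULL" | Out-Null
    Write-Host "Share \\$env:COMPUTERNAME\$ShareName created for $Account"
}

switch ($Step) {
    "Account" { New-DisabledClusterAccount -Name $ClusterAccount -ContainerDN $ContainerDN }
    "Share"   { New-FswShare -ShareName $ShareName -SharePath $SharePath -Account "$NetbiosDomain\$ClusterAccount`$" }
    default   { Write-Error "Unknown step '$Step'. Use Account or Share." }
}
```

The share deliberately carries a single access control entry for the cluster machine account: the witness share is a cluster quorum component, and leaving Everyone on it would let any lab machine read or alter the witness directory.
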
Definition of the CSV Files

The CSV files for this lab are very similar to the Windows 2003-based lab, but there are some differences. Be careful to use the right set of CSV files with the right operating system. Each of these files is detailed below by describing what each element is. The actual format, as CSV files, is that the descriptive name of each element is in the first line of the file, with the various attributes to be given to the install script on each line below. Take care to ensure that the right attributes line up in the same order as the "header line" in the first line of the file.

ScriptSettings.csv

Descriptive name (from file), description and example:

  • ProductKey: This is a product key for Exchange Server 2007 that will be applied to each and every server in the environment. Example: 12345-12345-12345-12345-12345
  • GCServer: This is the short name of a single global catalog server that will be used on all of the commands in the script that write to the Active Directory. This will ensure that when we have writes to Active Directory followed quickly by a read that Active Directory replication delays will not affect execution of our script. Example: labhsv-dc001
  • FirstPFServer: This is the short name of the first Hub Transport server installed in the organization. Could be used in the future to facilitate replication of public folders. Example: labhsv-xhb001

FSW.csv

Descriptive name (from file), description and example:

  • HTName: This is the name of the Hub Transport server where the file share witness (FSW) share will be hosted. This was added to allow for FSW creation on two different Hub Transport servers in two different data centers with the same data file. Example: labhsv-xhb001
  • CMSName: This is the name (not necessarily the FQDN) of the clustered mailbox server (CMS) for which the given FSW is being created. Example: labhsv-xmb001
  • Share: This is the share name that will be created on the Hub Transport server and later utilized by the CMS (the specific CMS in this row) as the FSW share. Example: fsw-labhsv-xmb001
  • ClusterServer: This is the account (in domain\account format) that represents the cluster machine account. Example: corp\labhsv-xcl001

ClusterInfo.csv

Descriptive name (from file), description and example:

  • CMSName: This is the name (not necessarily the FQDN) of the CMS for which the given FSW is being created. Example: labhsv-xmb001
  • ClusterAddr: This is the TCP/IP address of the cluster represented by the CMSName that defines this row. Example: 192.168.0.182
  • CMSAddr: This is the TCP/IP address of the CMS that defines this row. Example: 192.168.0.183
  • Node1ReplName: This is a host name used by the Exchange cluster to define replication on a redundant network. This name is specific to the first cluster node, and should be the same as the cluster node with the "n" node designator replaced with "r". For the example here, the cluster node would be labhsv-xcl001n1. Example: labhsv-xcl001r1
  • Node1ReplAddr: This is the TCP/IP address of the Node1ReplName on this row. Example: 10.1.1.1
  • Node2ReplName: This is a host name used by the Exchange cluster to define replication on a redundant network. This name is specific to the second cluster node, and should be the same as the cluster node with the "n" node designator replaced with "r". For the example here, the cluster node would be labhsv-xcl001n2. Example: labhsv-xcl001r2
  • Node2ReplAddr: This is the TCP/IP address of the Node2ReplName on this row. Example: 10.1.1.2

SCRInfo.csv

Descriptive name (from file), description and example:

  • SCRName: This is the name (not necessarily the FQDN) of the SCR target server. Example: labhsv-xsc001
  • SourceCMS: This is the name (not necessarily the FQDN) of the CMS that will act as an SCR source. Example: labhsv-xmb001

If the lab is built with the machine names and IP addresses listed above, the included CSV files will work without modification.

Execution of the Script

During execution of the script, it is assumed that the CSV files are located in the same directory as the script itself.

You should deploy this lab in the following order:

  • labhsv-xet001
  • labhsv-xhb001 (required before the cluster nodes)
  • labhsv-xcs001 (in production you need CAS before Mailbox roles)
  • labhsv-xcl001n1 (required before node 2 and SCR)
  • labhsv-xcl001n2
  • labhsv-xsc001

On each server where Exchange will be deployed, follow these steps:

  • Mount your Exchange 2007 SP1 CD
    • SP1 is required for the Enable-ContinuousReplicationHostName cmdlet.
  • Open Windows PowerShell, change to the directory where you stored the script and CSV files, and then execute the following command to allow scripts to run:
    • Set-ExecutionPolicy RemoteSigned
  • Execute the script with a command line similar to the following:
    • .\E2K7onW2K8Install.ps1 installdir:d:
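
To show how one of the CSV-driven steps described above looks in practice, here is an added example; it is not the post's E2K7onW2K8Install.ps1 script. It reads ClusterInfo.csv from the script's own directory, checks each row before touching the cluster, and then calls the Exchange 2007 SP1 cmdlet Enable-ContinuousReplicationHostName once per node from the Exchange Management Shell. The node name is derived from the replication name using the post's own n/r naming convention; the sample CSV row is constructed from the values in the post, and the script runs with -WhatIf until that switch is removed from the last line.

```powershell
# Added example (not the post's script): configure the redundant replication
# network names for a CCR cluster from ClusterInfo.csv. Requires the Exchange
# Management Shell on Exchange 2007 SP1. Runs with -WhatIf until you remove it.

$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$csvPath   = Join-Path $scriptDir "ClusterInfo.csv"

# Constructed sample file matching the column definitions in the post (written only if absent).
if (-not (Test-Path $csvPath)) {
@"
CMSName,ClusterAddr,CMSAddr,Node1ReplName,Node1ReplAddr,Node2ReplName,Node2ReplAddr
labhsv-xmb001,192.168.0.182,192.168.0.183,labhsv-xcl001r1,10.1.1.1,labhsv-xcl001r2,10.1.1.2
"@ | Set-Content -Path $csvPath
}

function Test-ReplRow {
    # Sanity checks before changing cluster resources: the "r" names must differ and
    # the replication addresses must be valid, distinct IPv4 addresses.
    param($Row)
    $problems = @()
    if ($Row.Node1ReplName -eq $Row.Node2ReplName) { $problems += "Node1ReplName and Node2ReplName are identical" }
    foreach ($addr in @($Row.Node1ReplAddr, $Row.Node2ReplAddr)) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) { $problems += "'$addr' is not a valid IP address" }
    }
    if ($Row.Node1ReplAddr -eq $Row.Node2ReplAddr) { $problems += "both nodes use the same replication address" }
    return $problems
}

function Enable-ReplHostNames {
    # Assumes the post's convention: replication name "...r1" belongs to node "...n1", and so on.
    param($Row, [switch]$WhatIf)

    $nodes = @(
        @{ Target = ($Row.Node1ReplName -replace 'r(\d+)$', 'n$1'); HostName = $Row.Node1ReplName; Addr = $Row.Node1ReplAddr },
        @{ Target = ($Row.Node2ReplName -replace 'r(\d+)$', 'n$1'); HostName = $Row.Node2ReplName; Addr = $Row.Node2ReplAddr }
    )
    foreach ($n in $nodes) {
        Write-Host ("{0}: {1} -> {2} ({3})" -f $Row.CMSName, $n.Target, $n.HostName, $n.Addr)
        Enable-ContinuousReplicationHostName -Identity $Row.CMSName -TargetMachine $n.Target `
            -HostName $n.HostName -IPv4Address $n.Addr -WhatIf:$WhatIf
    }
}

foreach ($row in (Import-Csv $csvPath)) {
    $problems = @(Test-ReplRow $row)
    if ($problems.Count -gt 0) {
        Write-Warning ("Skipping {0}: {1}" -f $row.CMSName, ($problems -join "; "))
        continue
    }
    Enable-ReplHostNames -Row $row -WhatIf
}
```

Because the CSV header line drives the property names that Import-Csv exposes, a column typed in the wrong order shows up here as an empty or invalid value and the row is skipped rather than applied, which is the "header line" caveat from the CSV section turned into a check.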

As with my last blog, you can download the scripts for the Windows 2008-based lab from http://msexchangeteam.com/files/12/attachments/entry449730.aspx.

- Robert Gillies

Categories: MS Messaging

Another blog to watch - Elan Shudnow

LCSKid - Wed, 2008-09-03 05:52

Elan contacted me via my blog regarding the director role and in conversing he shared his blog. He writes about Exchange and OCS and I wanted to call out this thread on OCS deployment, I chose to start with the fifth in the series as he provides links to 1-4 in the beginning -

http://www.shudnow.net/2008/08/18/office-communications-server-2007-enterprise-deployment-part-5/

LCSKid

Categories: MS Messaging

Doing it for real

Eileen Brown's WebLog - Wed, 2008-09-03 00:30

I was in a bit of a quandary when I was asked to do a Unified Communications session at Tech Ed Sydney.  Do I take 7 VMs, a shuttle with 12Gb memory, worry about all of the software, hardware and images? Take a RoundTable device, build Exchange, OCS, OC, Live Meeting?

Or do I just show how we really use the system internally?  Easy option of course.  But really really scary if our real live system doesn’t perform as expected, or the network goes down, or my laptop power fails etc etc etc…

So when I actually demoed Office Communicator on stage I noticed Andrew and Viral were online, so I called them up on IM and switched to Live Meeting and RoundTable using the icon in Communicator. 

image

Andrew was dressed in a dinner jacket, holding a clock up to the webcam (at 0540hrs).  Viral was asleep at the keyboard with his underwear hanging on the clothes drier in the lounge.  It got a big laugh.  Kevin had stayed up to midnight to say hi to everyone – but he wasn’t in his pyjamas…

So there’s me, walking round the stage demoing the functionality of RoundTable and the fact that it follows you as you travel around the room, there’s Andrew and Viral, showing how daylight is breaking in the UK and that they’re not actually hiding here in Australia pretending, and there’s Kevin, yawning in the Midwest of the US at midnight waiting for me to finish my demo so he can get to bed.  Real life scenario, real people, no smoke and mirrors either.  No virtual machines.  A really compelling thing to see them working together – and it all worked as it should.  As it does here at Microsoft.

It’s a shame I didn’t think to do a screen capture of the event, which would have been really cool.  But the sight of Viral’s smalls hanging on the line behind him totally threw me and I forgot :-)

Viral – that was FAR TOO much information for me…!

But thanks to all of my demo chaps who really made for an authentic demo.  I owe you all lots and lots of beer…

Categories: MS Messaging

Surface – in Australia

Eileen Brown's WebLog - Tue, 2008-09-02 02:01
 

Well TechEd Australia has started with the pre-conference day – and all the speakers are congregating in the speaker room with white coats on.  They’ve given out Lab coats for MVP’s and speakers at the Ask the Experts and it looks like a University Science Lab in the exhibition hall.

I had a walk round the Conference centre and I’m really amazed at how much this place feels like a close community – much more than any of the other TechEd’s that I’ve been to – similar to TechEd NZ actually – but not like TechEd US or EMEA at all.  Much more “intimate”, more friendly somehow.

IMAGE_028

This picture made me smile though.  This is one of the Surface devices that they’ve managed to get into Australia – they’re the only 2 Surface devices outside of the US.

And I couldn’t get anywhere near either of them.  The people you see playing with Surface are the set up crew, the vendors, partners, everyone was shoving in trying to have a go – which is why the photo is a little blurry :-)

I’ll try and get my hands on to have another go later on – if I can get anywhere close to it…

Categories: MS Messaging

OCS 2007 R2 will be 64 bit

MS Goodies - Mon, 2008-09-01 09:25

So it is official now. Office Communications Server 2007 R2 (Wave 13) will support 64 bit OS as the only Operating System (So no 32 bit support).

Within the MVP community there has been a lot of discussion about the good/bad in this design decision, but personally I think that most of our customers are 64-bit ready due to Exchange 2007 and in general won't see this as a big issue. Yes, it will mean that we will have to migrate our servers, but as a consultant I would (almost) never suggest using in-place upgrades anyway.

What is your opinion about this?

Read more here: Next release of OCS to support 64 Bit OS (x64).

Suggested sites in IE8

Eileen Brown's WebLog - Sun, 2008-08-31 23:35

Well I said I liked IE8.  I really LOVE the suggested sites feature.

image

Very community focused and interactive.  So I get to see what you like which saves me lots of searching around.

Brilliant…

Categories: MS Messaging

How to get HideFromAddressBook to work on Exchange 2007

Dave Goldman - Sat, 2008-08-30 18:09

Oftentimes customers have a need to create bulk contacts for their organization, but have business requirements to hide these contacts from the global address list. I am just listing two simple ways that you can hide them from the address list. These ways can be as complex as you want them to be depending on your PowerShell scripting.

You can create your bulk contacts by running the following command in powershell:

New-MailContact -ExternalEmailAddress 'SMTP:TestUser@YourCompany.com' -Name 'Test' -OrganizationalUnit 'YourDomain.com/Contacts/YourCompany' -FirstName 'Test' -LastName 'User'

Now that the contacts have been created, the second part of this is to hide them from the global address list. There are a few different ways to do this and I have listed only two (by searching the entire organization, or by OU distinguished name).

General Filter: get-mailcontact * | set-mailcontact -hiddenfromaddresslistsenabled $true

By DN: get-mailcontact -OrganizationalUnit "OU=TargetOU,DC=YourDomain,DC=COM" | set-mailcontact -hiddenfromaddresslistsenabled $true
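
The two commands above hide every contact either in the whole organization or in one OU. As an added example (not the post's own commands), the script below creates the contacts from a CSV file and then hides only the ones in the target OU, returning how many are still visible so the result can be checked. It is meant to run in the Exchange Management Shell; the CSV rows, the OU and the e-mail addresses are constructed placeholders.

```powershell
# Added example (not from the original post): bulk-create contacts from a CSV
# and hide only the contacts in one OU from the address lists.
# Run in the Exchange Management Shell.

$csvPath  = Join-Path $env:TEMP "contacts.csv"
$targetOU = "contoso.com/Contacts/Partners"   # assumed OU, in the canonical form New-MailContact accepts

# Constructed sample input (written only if the file does not exist yet).
if (-not (Test-Path $csvPath)) {
@"
FirstName,LastName,Email
Test,User1,testuser1@partner.example
Test,User2,testuser2@partner.example
"@ | Set-Content -Path $csvPath
}

function New-HiddenContactsFromCsv {
    param([string]$Path, [string]$OrganizationalUnit)

    foreach ($row in (Import-Csv $Path)) {
        $name = "$($row.FirstName) $($row.LastName)"
        # Skip rows whose address already resolves to a contact so the script can be re-run safely.
        if (Get-MailContact -Identity $row.Email -ErrorAction SilentlyContinue) {
            Write-Host "Skipping $($row.Email): contact already exists"
            continue
        }
        New-MailContact -Name $name -FirstName $row.FirstName -LastName $row.LastName `
            -ExternalEmailAddress "SMTP:$($row.Email)" -OrganizationalUnit $OrganizationalUnit | Out-Null
    }

    # Hide by OU rather than across the whole organization, and lift the default 1000-object cap.
    Get-MailContact -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited |
        Where-Object { -not $_.HiddenFromAddressListsEnabled } |
        Set-MailContact -HiddenFromAddressListsEnabled $true

    # Verify: return the number of contacts in the OU that are still visible (expected 0).
    @(Get-MailContact -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited |
        Where-Object { -not $_.HiddenFromAddressListsEnabled }).Count
}

$stillVisible = New-HiddenContactsFromCsv -Path $csvPath -OrganizationalUnit $targetOU
Write-Host "Contacts in $targetOU still visible in the GAL: $stillVisible"
```

Scoping Get-MailContact to the OU is the safer of the two approaches from the post: a wildcard across the organization will also hide contacts that other teams expect to find in the GAL.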

Dave


 

Categories: MS Messaging

Worrying too much…

Eileen Brown's WebLog - Fri, 2008-08-29 02:13

I’ve been worrying about all of the stuff I need to do before I fly off to Sydney tonight for TechEd Australia.  There’s my 2 session decks to finalise, the first draft of my Women in Games conference keynote to polish off, there’s my Australian Visa to organise, my long term car parking to book, my final checks of the stuff I need to take (including my Diving certification in case I have some free time to dive).

And I’ve been worrying about the length of the list of things that I’m worried about too.  So Paul's blog post about how worrying won’t get you anywhere has made me stop and think about things.

I love the last paragraph:

Stop making excuses. Worrying isn’t going to solve anything anyways. Start spending your time working on other things. When and if something bad actually happens, just get started on the solution. Seriously, it works.


I’ll try.  It takes my mind off the length of the list anyway!

See you in Sydney…

Categories: MS Messaging

IE8 – jumping the gun

Eileen Brown's WebLog - Thu, 2008-08-28 10:36

Well I posted yesterday's post too early.  We have now released IE8 beta 2 and I’m even more impressed than I was yesterday.

How about trying out the Accelerators: highlight an address in a web page, click the blue button and hover over “Map”, or try right-clicking a page and choosing Translate with Windows Live.  Check out the new IE Gallery, which has cool Accelerators and Web Slices from Digg to Facebook to eBay.

More later. I’m off to do some browsing…

 

Categories: MS Messaging

A Scalable Networking Pack (SNP) hotfix rollup package is available for Windows Server 2003

You had me at helo - Thu, 2008-08-28 07:20

Just wanted to post a quick note that yesterday we released a new Scalable Networking Pack (SNP) hotfix rollup package for Windows Server 2003.

This is all in relation to a blog post on the subject that we have posted a while ago. Mike has posted an update about this new rollup hotfix on his blog, you can check it out here:

http://blogs.technet.com/mikelag/archive/2008/08/28/scalable-networking-pack-rollup-released.aspx

- Nino Bilic


Categories: MS Messaging

I really do like IE8

Eileen Brown's WebLog - Wed, 2008-08-27 09:41

I’m usually loath to install really early versions of our dogfood software.  As a manager, I need to make sure that all of my line of business tools are available in case I need to do some team admin, planning or validating Expenses claims – things like that.

But I installed the Beta version of IE8 and so far, I’m impressed.  It’s actually the developer preview too.  It makes the web page much more interactive somehow.  The Activities are particularly cool.

Activities are contextual services that provide quick access to external services from any webpage. Activities typically involve one of two types of actions:

  • "Look up" information related to data in the current webpage

  • "Send" content from the current webpage to another application

So here’s an example of an Activity tag that appeared on a blog page I was looking at.  I clicked on the green arrow that appeared and got the following drop down.

image

These are my Activities, and they also appear if I right click anywhere on a web page.

iE8 right click

So straight away I have a more responsive and interactive web site.  I can add more Activities using the web page.

The media seem to like IE8 too.  Here are some of the stories I’ve read so far…

Web browser to get 'privacy mode'

Microsoft plans Internet Explorer privacy mode

Microsoft to protect furtive web searches

Microsoft's IE 8 puts giant web hole on notice

Microsoft planning IE privacy mode

IE 8 looking like a November release

IE 8 Beta 2: Privacy is about more than cookies

 

So when Beta 2 arrives – perhaps you’d like to take a closer look?  So far I’m impressed with what I’ve seen and for me to be this impressed by a Beta 1 product, then the final result is going to be amazing…

 

Categories: MS Messaging

Connecting to files shares via OWA

Exchange Genie - Tue, 2008-08-26 10:32
A new feature in Exchange 2007 is the ability to connect to internal file servers from OWA. I have not heard of many companies using this feature, however I thought I would put together a blog on this topic.

I have configured file share access from OWA and found it works well for small files, but any large files seem to time out, making access to them unusable.

So how can you configure this feature?

To enable remote file share access there are a number of locations in which configuration needs to be made.

1. Open EMC (or EMS) Server Configuration and select CAS


2. On the OWA virtual directory right click and select properties

There are 2 locations we can edit for these settings, Public and Private computer file access; however I am going to focus only on Private, as we most likely do not want to allow this from computers that select the public option.

3. Select the Private Computer file access



4. If not checked, check the box Windows File Shares


5. Click Apply
6. Select the Remote File Server Tab


Let's take a look at the options that are available under this tab.


The first option is to specify a block list. This sets an explicit deny so that users cannot access these servers via the web interface, and it takes precedence over the allow list.


Next we have our allow list, which specifies the servers that users can access.


The Unknown Server option specifies how any server that is not explicitly on the block or allow list should be handled.


The domain suffix list specifies which namespace will be treated as internal and allowed to be accessed.

Example: Domain = Domain.local


Select Configure and input domain.local.

**Please note this configuration is per OWA Virtual Directory **
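
The same Remote File Servers settings can be applied from the Exchange Management Shell instead of the EMC dialog, which matters because the note above means every OWA virtual directory has to be configured on its own. The script below is an added example and not from the original post: it sets the block list, allow list, unknown-server action and internal suffix list on every OWA virtual directory of one CAS, enables file share access for private computers only, and then reports any directory that still treats unknown servers as allowed or permits access from public computers. The server and file server names are constructed placeholders; the parameter names are those of Exchange 2007's Set-OwaVirtualDirectory.

```powershell
# Added example (not from the original post): configure OWA remote file share
# access on every OWA virtual directory of a CAS, then check the result.
# Run in the Exchange Management Shell.

$casServer      = "labhsv-xcs001"                  # assumed CAS server name
$blockedServers = @("fileserver-hr.domain.local")  # constructed: never reachable via OWA (block wins over allow)
$allowedServers = @("fileserver01.domain.local")   # constructed: the only servers users may open
$internalSuffix = @("domain.local")                # the post's example suffix

function Set-OwaFileShareAccess {
    param([string]$Server, [string[]]$Blocked, [string[]]$Allowed, [string[]]$Suffixes)

    Get-OwaVirtualDirectory -Server $Server | ForEach-Object {
        Set-OwaVirtualDirectory -Identity $_.Identity `
            -UNCAccessOnPrivateComputersEnabled $true `
            -UNCAccessOnPublicComputersEnabled $false `
            -RemoteDocumentsBlockedServers $Blocked `
            -RemoteDocumentsAllowedServers $Allowed `
            -RemoteDocumentsActionForUnknownServers Block `
            -RemoteDocumentsInternalDomainSuffixList $Suffixes
        Write-Host "Updated $($_.Identity)"
    }
}

function Test-OwaFileShareAccess {
    # Returns the virtual directories that still allow unknown servers or that
    # permit file share access from computers where the user chose "public".
    param([string]$Server)
    Get-OwaVirtualDirectory -Server $Server |
        Where-Object { $_.RemoteDocumentsActionForUnknownServers -ne "Block" -or $_.UNCAccessOnPublicComputersEnabled }
}

Set-OwaFileShareAccess -Server $casServer -Blocked $blockedServers -Allowed $allowedServers -Suffixes $internalSuffix
$weak = @(Test-OwaFileShareAccess -Server $casServer)
if ($weak.Count -eq 0) {
    Write-Host "All OWA virtual directories on $casServer block unknown servers and public-computer file access."
} else {
    $weak | ForEach-Object { Write-Warning "Review $($_.Identity)" }
}
```

Setting the unknown-server action to Block turns the feature into an explicit allow list: only the servers you name, plus anything under the internal suffix, are reachable through OWA, and the block list still overrides both.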

Now it's time for the user to configure their end.


1. Logon to OWA
2. Select Documentation from the menu



3. Click "Open Location"



4. Input the UNC path to the file share you want to access

Categories: MS Messaging