
Jan 31, 2007

Issues when RRAS on the Domain Controller

A lot of small companies see various weird issues while all configurations look good:

 

http://support.microsoft.com/?id=292822

Jan 23, 2007

What to do when you are blacklisted

Jan 15, 2007

Dssec.dat

ADUC doesn't list all properties in the GUI. To change which properties are listed, modify the file "%systemroot%\system32\dssec.dat".

Jan 9, 2007

Reply to meeting request gets NDR

The manager sends the meeting request, the attendees accept it, and immediately they get an NDR stating "The following recipient(s) could not be reached" with a deleted user account's name in it.

This can happen if the deleted user had been delegated access to the manager's mailbox and the check box "Send meeting requests and responses only to my delegates, not to me" had been ticked on the Outlook Delegates tab.

In certain cases you will still see the check box ticked and grayed out even after the delegate has been removed from the Outlook settings. You can add someone else as a delegate, clear the tick, and then remove that delegate again to clear the check box.

SMTP Tar Pitting in Windows 2003 SP1

What is SMTP tar pitting?

Tar pitting is the practice of deliberately inserting a delay into certain SMTP communications that are associated with spam or with other unwanted traffic. To be effective, these kinds of communications typically rely on generating a high volume of traffic. By slowing an SMTP conversation, you can dramatically reduce the rate at which automated spam can be sent or at which a dictionary attack can be conducted. Legitimate traffic may also be slowed by tar pitting.

The tar pit feature is available in Microsoft Windows Server 2003 and in several third-party SMTP servers. The tar pit feature in Windows Server 2003 works by slowing all responses that contain SMTP protocol 5.x.x error codes.

Tar pitting is a feature of Windows 2003 so Exchange 2000 can benefit too.

http://support.microsoft.com/default.aspx?kbid=842851
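To see why a fixed delay on 5.x.x replies hurts automated traffic far more than normal mail, here is an added example (my own model, not code from the KB article or from Windows Server 2003) that replays the RCPT TO phase of an envelope against a constructed recipient table and tar pits every 5xx reply. The mailbox names, the 5-second delay and the sleep injection are assumptions made for the demo; the real server stores its delay in a registry setting that the KB article documents.

```python
import time
from typing import Callable, Dict, List, Tuple

# Added example (not from the KB or the blog): a minimal model of an SMTP
# responder that tar pits, i.e. delays every reply carrying a 5.x.x status
# code by a fixed number of seconds before sending it. 2xx/3xx/4xx replies
# go out immediately. The sleep function is injectable so the logic can be
# exercised without actually waiting.

SleepFn = Callable[[float], None]


def tarpit_reply(code: int, text: str, tarpit_seconds: float,
                 sleep_fn: SleepFn = time.sleep) -> Tuple[str, float]:
    """Build one SMTP reply line; delay it first if the code is 5xx.

    Returns (reply_line, delay_applied_in_seconds).
    """
    delay = tarpit_seconds if 500 <= code <= 599 else 0.0
    if delay > 0:
        sleep_fn(delay)
    return f"{code} {text}", delay


def rcpt_to_session(rcpt_addresses: List[str], mailboxes: Dict[str, bool],
                    tarpit_seconds: float,
                    sleep_fn: SleepFn = time.sleep) -> Tuple[List[str], float]:
    """Replay the RCPT TO phase of one envelope against a recipient table.

    Unknown recipients get "550 5.1.1" (the reply a directory-harvest run
    provokes over and over), and every such reply is tar pitted.
    Returns (reply_lines, total_delay_seconds).
    """
    replies: List[str] = []
    total_delay = 0.0
    for addr in rcpt_addresses:
        if mailboxes.get(addr.lower(), False):
            line, delay = tarpit_reply(250, f"2.1.5 {addr}", tarpit_seconds, sleep_fn)
        else:
            line, delay = tarpit_reply(550, f"5.1.1 User unknown: {addr}",
                                       tarpit_seconds, sleep_fn)
        replies.append(line)
        total_delay += delay
    return replies, total_delay


# Constructed recipient table for the demo (hypothetical domain and users).
KNOWN_MAILBOXES = {"alice@example.com": True, "bob@example.com": True}


def compare_cost(tarpit_seconds: float = 5.0) -> Dict[str, float]:
    """Total delay a legitimate envelope vs. a dictionary-style probe would see."""
    legit = ["alice@example.com", "bob@example.com"]
    probe = ["aaron@example.com", "abe@example.com", "alice@example.com",
             "al@example.com", "amy@example.com"]
    no_wait: SleepFn = lambda _s: None   # measure, don't actually sleep
    _, legit_delay = rcpt_to_session(legit, KNOWN_MAILBOXES, tarpit_seconds, no_wait)
    _, probe_delay = rcpt_to_session(probe, KNOWN_MAILBOXES, tarpit_seconds, no_wait)
    return {"legitimate": legit_delay, "probe": probe_delay}


if __name__ == "__main__":
    for label, seconds in compare_cost().items():
        print(f"{label:11s}: {seconds:.0f} s of tar-pit delay")
```

The legitimate envelope, whose recipients all exist, pays no delay at all, while the five-address probe with four misses pays four full tar-pit intervals; that asymmetry is the whole point of slowing only the 5.x.x replies. A sender that legitimately produces many 5xx replies (a mailing list with stale addresses, for instance) will be slowed the same way, which is the caveat the KB text gives.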

Dec 7, 2006

Can you trust ADU&C ?

Yesterday I was surprised to realize that ADUC won't report complete group membership, while dsget and ldp report the results fine.

This is explained in KB833883 and is supposedly fixed in Windows 2003 SP1. However, while the hotfix is included in SP1, you still need to make the registry changes outlined in the same KB for the hotfix to work. I'm not entirely sure why MS couldn't include that registry change in SP1 altogether.

Please see the usenet thread I raised for details.

Dec 5, 2006

Required Active Directory Attributes for Email Delivery

--- copied from “Exchange 2003 Transportation and Routing Guide”

When you are troubleshooting an NDR, verify that all mail-enabled attributes that Message Categorizer requires exist for that recipient in Active Directory. In Exchange 2000, multiple attributes must be correct for messages to be categorized:

homeMDB
homeMTA
legacyExchangeDN
mail
mailNickname
msExchHomeServerName
msExchMailboxGuid
msExchMailboxSecurityDescriptor
proxyAddresses

This list of required attributes is valid only if the recipient is a mailbox-enabled object in Active Directory (for example, an Exchange 2003 recipient). However, if the recipient is an Exchange Server 5.5 recipient, the only attributes that have to be present are:

legacyExchangeDN
homeMDB
homeMTA

For mail-enabled objects (for example, a custom recipient) and alternate addresses, the targetAddress attribute is required. If the targetAddress attribute is not present, the fallback is to the mail attribute.

If an e-mail message is missing any of the required attributes or if they are incorrect, the message may remain in the categorizer, and no events are created in Event Viewer. If you track the message, it appears in Message Categorizer or it generates an NDR, depending on which attribute is missing. If you want to check these attributes for a user in Active Directory, use the LDP tool or ADSI Edit. For more information about the LDP tool or ADSI Edit, see the Windows online documentation.
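As an added example (my own code, not part of the guide quoted above), the following checker takes an LDAP-style attribute dictionary, as you would read it off a user object with LDP or ADSI Edit, and applies the three rules from the text: the full list for mailbox-enabled objects, the three-attribute list for Exchange 5.5 recipients, and targetAddress with fallback to mail for mail-enabled objects. The sample entries, DNs and values are constructed for the demo.

```python
from typing import Dict, Iterable, List

# Added example, not part of the Exchange guide quoted on the page: report which
# categorizer-required attributes are missing or empty on an LDAP entry.

MAILBOX_ENABLED_REQUIRED = [
    "homeMDB", "homeMTA", "legacyExchangeDN", "mail", "mailNickname",
    "msExchHomeServerName", "msExchMailboxGuid",
    "msExchMailboxSecurityDescriptor", "proxyAddresses",
]
EXCHANGE_55_REQUIRED = ["legacyExchangeDN", "homeMDB", "homeMTA"]


def _has_value(entry: Dict[str, object], name: str) -> bool:
    """True when the attribute is present with a non-empty value.

    LDAP attribute names are case-insensitive, so compare them case-folded.
    """
    for key, value in entry.items():
        if key.lower() == name.lower():
            if value is None:
                return False
            if isinstance(value, (str, bytes, list, tuple)) and len(value) == 0:
                return False
            return True
    return False


def missing_attributes(entry: Dict[str, object], recipient_type: str) -> List[str]:
    """Return the required attributes that are absent for the given type.

    recipient_type: "mailbox" (mailbox-enabled, e.g. an Exchange 2003 recipient),
    "exchange55" (Exchange Server 5.5 recipient) or
    "mail-enabled" (custom recipient / contact, alternate address).
    """
    if recipient_type == "mailbox":
        required: Iterable[str] = MAILBOX_ENABLED_REQUIRED
    elif recipient_type == "exchange55":
        required = EXCHANGE_55_REQUIRED
    elif recipient_type == "mail-enabled":
        # targetAddress is required; when it is absent the categorizer falls
        # back to mail, so only the absence of both is a defect.
        if _has_value(entry, "targetAddress") or _has_value(entry, "mail"):
            return []
        return ["targetAddress (no mail attribute to fall back to)"]
    else:
        raise ValueError(f"unknown recipient type: {recipient_type}")
    return [attr for attr in required if not _has_value(entry, attr)]


# Constructed sample entries (hypothetical organization, server and user).
SAMPLE_MAILBOX: Dict[str, object] = {
    "homeMDB": "CN=Mailbox Store (SRV1),CN=First Storage Group,CN=SRV1,DC=example,DC=com",
    "legacyExchangeDN": "/o=Example/ou=First Administrative Group/cn=Recipients/cn=alice",
    "mail": "alice@example.com",
    "mailNickname": "alice",
    "msExchHomeServerName": "/o=Example/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=SRV1",
    "msExchMailboxGuid": b"\x01" * 16,
    "msExchMailboxSecurityDescriptor": b"\x00",
    "proxyAddresses": ["SMTP:alice@example.com", "X400:c=US;a= ;p=Example;o=Exchange;s=alice;"],
    # homeMTA deliberately left out: this mailbox will stall in the categorizer
}
SAMPLE_CONTACT: Dict[str, object] = {
    "mail": "vendor@partner.example",            # no targetAddress: falls back to mail
    "proxyAddresses": ["SMTP:vendor@partner.example"],
}


if __name__ == "__main__":
    print("mailbox :", missing_attributes(SAMPLE_MAILBOX, "mailbox"))
    print("contact :", missing_attributes(SAMPLE_CONTACT, "mail-enabled"))
```

Feeding the output of an LDP search into a dictionary like the ones above is the practical use: a recipient whose message sits in the categorizer with no event logged is exactly the case where this list tells you which attribute to look at.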

Dec 4, 2006

Why does Outlook show only the sender's email address instead of the Display Name?

There are many possibilities. One of them is a by-design mechanism to prevent spoofed emails.

To prevent spoofing, Exchange 2003 requires authentication before a sender's name is resolved against the GAL. So be alarmed when you see an SMTP address instead of a display name in the sender field when the sender is supposed to be an internal user.

How To Set Up Exchange To Receive Emails For A Shared SMTP Domain

Assume that we have 2 Exchange organizations, one is responsible for *@MainCompany.com emails (MainOrg), the other is responsible for *@subCompany.com emails (SubOrg). Now we want MainOrg to receive emails on behalf of SubOrg, meaning all emails that are sent to *@subCompany.com address should go to Exchange server in MainOrg.

Note: SubOrg doesn't have to be Exchange, it could be any mail system

1. For all users in SubOrg, create contacts in MainOrg
2. Create a Recipient Policy that will generate exactly the same @subCompany.com email addresses for the contacts you created in step 1. This Recipient Policy should NOT be authoritative for subCompany.com
3. Change the public MX record of subCompany.com so it now points to the MainCompany Exchange server instead of the subCompany Exchange server
4. Create an SMTP connector on the MainOrg Exchange server, specifying subCompany.com as its address space
5. Enable "relay for this domain" on the connector created in step 4, and forward all mail to the subCompany Exchange server (the SubOrg Exchange server as smart host)
6. Restart the Routing Engine and SMTP services

Caution: SubOrg must be configured as "authoritative" for @subCompany.com

Nov 29, 2006

Exchange routing considerations

- Internal messages always take the shortest (lowest-cost) route available
- A connector is considered off ONLY when all bridgehead server(s) on that connector are down
- For external messages, the route with the closest matching SMTP address space is chosen first, regardless of cost. For example, an email destined to *.net will go to the connector responsible for *.net even if it has a higher cost than the one responsible for the * space.
- Routing does not fail over from a connector with a specific address space to a connector with a less specific space. So when there is a problem with all *.net connector(s), emails will queue up on the *.net connector(s)
- The above 2 rules don't apply to a user who doesn't have permission to the specific connector. A connector that a user doesn't have permission to use is treated as non-existent when routing his emails.
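To make the four external-routing rules concrete, here is an added example (my own model, not Exchange's routing engine) that selects a connector for a recipient domain: closest address space first regardless of cost, a connector counted as down only when every bridgehead is down, no failover to a less specific space, and connectors the sender may not use ignored entirely. Cost only breaks ties between connectors with equally close address spaces. Connector names, costs, bridgeheads and users are constructed for the demo; internal (intra-org) routing is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added example (not Exchange's own code): how the routing rules on the page
# pick a connector for an external recipient domain.


@dataclass
class Connector:
    name: str
    address_space: str              # "*", "*.net", or an exact domain
    cost: int
    bridgeheads: List[str]
    down_bridgeheads: Set[str] = field(default_factory=set)
    allowed_users: Optional[Set[str]] = None   # None = no restriction

    def is_down(self) -> bool:
        # Rule: a connector is off ONLY when every bridgehead on it is down.
        return all(bh in self.down_bridgeheads for bh in self.bridgeheads)

    def permits(self, user: str) -> bool:
        return self.allowed_users is None or user in self.allowed_users


def space_matches(space: str, domain: str) -> bool:
    """Does an address space cover a recipient domain?"""
    domain, space = domain.lower(), space.lower()
    if space == "*":
        return True
    if space.startswith("*."):
        return domain.endswith(space[1:])   # "*.net" covers "mail.example.net"
    return domain == space


def specificity(space: str) -> Tuple[int, int]:
    """Higher sorts as a closer match: exact domain > longer wildcard > '*'."""
    if space == "*":
        return (0, 0)
    if space.startswith("*."):
        return (1, len(space))
    return (2, len(space))


@dataclass
class RouteResult:
    status: str                     # "deliver", "queued" or "unroutable"
    connectors: List[str]


def route_external(domain: str, sender: str, connectors: List[Connector]) -> RouteResult:
    # Rule: connectors the sender may not use are treated as if they did not exist.
    usable = [c for c in connectors
              if c.permits(sender) and space_matches(c.address_space, domain)]
    if not usable:
        return RouteResult("unroutable", [])
    # Rule: the closest-matching address space wins regardless of cost.
    best = max(specificity(c.address_space) for c in usable)
    closest = [c for c in usable if specificity(c.address_space) == best]
    up = [c for c in closest if not c.is_down()]
    if not up:
        # Rule: no failover to a less specific space; mail queues here.
        return RouteResult("queued", [c.name for c in closest])
    chosen = min(up, key=lambda c: c.cost)   # cost only breaks ties
    return RouteResult("deliver", [chosen.name])


def demo_connectors() -> List[Connector]:
    """Constructed topology: a cheap catch-all, an expensive *.net, a restricted partner link."""
    return [
        Connector("Internet", "*", cost=1, bridgeheads=["BH1"]),
        Connector("DotNet", "*.net", cost=10, bridgeheads=["BH2", "BH3"]),
        Connector("Partner", "partner.example", cost=5, bridgeheads=["BH1"],
                  allowed_users={"alice"}),
    ]


if __name__ == "__main__":
    conns = demo_connectors()
    print(route_external("example.net", "bob", conns))        # DotNet despite cost 10
    conns[1].down_bridgeheads = {"BH2", "BH3"}
    print(route_external("example.net", "bob", conns))        # queued on DotNet
    print(route_external("partner.example", "bob", conns))    # Internet: no permission
    print(route_external("partner.example", "alice", conns))  # Partner
```

The "queued" outcome with both *.net bridgeheads down is the one that surprises people: mail for .net domains sits in the DotNet queue even though the * connector is healthy, so a stuck specific-space queue is a connector problem, not a routing-table problem.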

Nov 27, 2006

SMTP Virtual Server vs. SMTP Connector

1. The SMTP virtual server is the protocol stack that actually does the work - sending/receiving SMTP emails. An SMTP virtual server alone gives you the ability to send/receive Internet emails.
2. An SMTP Connector is built on top of the virtual server and gives you more control - such as dispatching emails for different domains to different routes, applying different restrictions, etc.
3. An SMTP virtual server only sends/receives emails to/from the IP address it is bound to.
4. As for DNS, either specify external DNS servers on the SMTP virtual server or specify a forwarder on the DNS server that the Exchange server uses.
5. The benefits of an SMTP Connector are 1) ease of administration; 2) simpler troubleshooting when an issue surfaces.
6. You can either have your SMTP connector deliver the emails directly (given that the connector is able to resolve external domain names - using one of the 2 settings in item 4)
- or -
You can have your SMTP connector forward all emails to a smart host. Although you can specify a smart host on a virtual server, it's better to set it on the connector. The smart host setting on the connector overrides any smart host on the virtual server.

Nov 21, 2006

VBscripting tips

  1. To make sure you fetch the output only after the command finishes, add the following loop between Shell.Exec and StdOut.ReadAll (Status stays 0 while the process is still running):
    Do While oExec.Status = 0
        WScript.Sleep 100
    Loop
  2. To pipe output from one process to another, run the whole pipeline through the command interpreter (the pipe character is part of the command string):
    Dim oShell, oUserDN, mystr
    Set oShell = CreateObject("WScript.Shell")
    mystr = "dsquery user -samid %username% -o dn | dsget user -memberof"
    Set oUserDN = oShell.Exec("%ComSpec% /c """ & mystr & """")
    ' wait for cmd.exe to finish before reading, as in tip 1
    Do While oUserDN.Status = 0
        WScript.Sleep 100
    Loop
    WScript.Echo oUserDN.StdOut.ReadAll

Oct 31, 2006

Troubleshooting 1030/1058 event ID error - one of the many cases

Userenv event ID 1030/1058 pairs are very common errors that can be caused by various things. Common causes are a broken secure channel, a corrupt domain computer account, a client-side group policy extension issue, etc. A brutal but simple solution is to quit and rejoin the domain, provided you are VERY sure your network and DCs are working properly. If the DC or a client-side extension is in question, you would most likely want to enable the userenv log as per KB 221833. The example below is certainly not the most difficult one, but it shows typical troubleshooting tools for when the network is in doubt.

1030/1058 pair in application log, GP not applied

  • Event Type: Error
  • Event Source: Userenv
  • Event Category: None
  • Event ID: 1058
  • Date: 10/31/2006
  • Time: 10:09:28 AM
  • User: NT AUTHORITY\SYSTEM
  • Computer: server1
  • Description: Windows cannot access the file gpt.ini for GPO cn={B8F49320-CB4A-4660-9BF5-806926B63906},cn=policies,cn=system,DC=samle,,DC=com. The file must be present at the location <\\sample.com\SysVol\sample.com\Policies\{B8F49320-CB4A-4660-9BF5-806926B63906}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

- nltest /sc_query:shortDomainName OK (to rule out a secure channel issue)

- netdiag /v: DC List Test failed ("The DC is down"); Trust Relationship test failed

Note: if you open a cmd as local system, the domain membership test will fail in netdiag - this is normal

The following 3 commands test connectivity:

  • ping shortDomainName OK
  • portqry test against all required ports OK
  • ping -l oversizePacket -f OK

Further troubleshooting:

  • Suspected NetBIOS was not enabled; went into the TCP/IP settings, but it's ticked
  • Nslookup: short domain name not resolved.
    Action: change the DNS suffix, then flush the DNS cache
    Result: short domain name resolved, but "DC list test" still failed
  • Found another symptom: couldn't log into this box via TS, error "RPC server is not available". Checked the RPC service and the RPC Locator service; found the latter was not running, while this was a W2k member server.
    Action: start the RPC Locator service
    Result: no difference
  • Checked the application log again: 1030/1058 started on Oct 26. Checked the System Log to see if anything happened that day; it reported "'TCP/IP NetBIOS Helper' service terminated unexpectedly". This service is NetBIOS over TCP/IP itself.
    Action: started it.
    Result: netdiag came back clean

Actually I should have checked the service status before I even began troubleshooting. Those set to "Automatic" should be running - this is sometimes a quick way to find problems. But anyway, this can serve as an example of using different tools when the network is in doubt.

Oct 26, 2006

How To Use Mailbox Management Policy

  1. Define a policy in the "Recipient Policies" container. Make sure you have the correct filters and actions defined.
  2. Apply the policy immediately/manually, or wait for the RUS to kick in overnight
  3. Define a Mailbox Management schedule on *ALL* involved servers
  4. At this point, you can wait for the scheduled Mailbox Management process to launch, or run it manually by selecting "Start Mailbox Manager"

Note: a Mailbox Management policy is not the same as a System Policy, which applies to either mailbox stores or servers. A Mailbox Management policy is defined in the Recipient Policies container while a System Policy is defined under the server object.

Oct 25, 2006

DNSBL - email block list

A DNS-based Blackhole List (DNSBL, also known as Real-time Blackhole List or RBL), is a means by which an Internet site may publish a list of IP addresses, in a format which can be easily queried by computer programs on the Internet. As the name suggests, the technology is built on top of the Internet DNS or Domain Name System. DNSBLs are chiefly used to publish lists of addresses linked to spamming. Most mail transport agent (mail server) software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.

How Block List Providers Match Offending IP Addresses

After you set up your connection filter, when an e-mail message is sent to your organization, Exchange contacts the block list provider. The provider checks for the existence of an A (host) record in its DNS. Exchange queries for this information in a specific format. For example, if the connecting address is 192.168.5.1, and the block list provider's organization is contoso.org, then Exchange queries for the existence of the following record:

<reversed client IP address>.<block list provider zone> IN A 127.0.0.x

which, in this case, is:

1.5.168.192.RBLprovider.org

If this IP address is found on the provider's list, the provider returns a 127.0.0.x status code that indicates an offending IP address and the type of offense. All block list providers return a response code of 127.0.0.x, where x indicates the type of offense. This number varies, depending on the block list provider.

Although few people object to the principle that mail-receiving sites should be able to reject undesired mail systematically, many have voiced objections to specific DNSBLs for the following reason:

For Joe Blow to refuse emails is legal (though it's bad policy, akin to "shooting the messenger"). But if Joe and ten million friends all gang up to make a blacklist, they are exercising illegal monopoly power.

Tips:

  • After a filter is defined, it will not take effect until it's applied to an SMTP virtual server
  • Recipient filtering rules apply only to anonymous connections. Authenticated users and Exchange servers bypass these validations
  • Likewise, connection filters apply only to external connections. Connections made by Exchange servers within the same organization will not be affected.
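As an added example covering both the lookup format described under "How Block List Providers Match Offending IP Addresses" and the anonymous-connections-only rule in the tips, the code below (my own, not Exchange's connection filter) builds the reversed-octet query name, decodes a 127.0.0.x answer, and skips the check for authenticated or intra-organization connections. The provider zone rbl.example, the offense-code table and the in-memory DNS zone are constructed for the demo; real providers publish their own code meanings.

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Added example, not Exchange's code: how a connection filter forms its DNSBL
# lookup name, reads a 127.0.0.x answer, and where the "anonymous, external
# connections only" rule applies.

Resolver = Callable[[str], Optional[str]]   # name -> A record text, or None for NXDOMAIN


def dnsbl_query_name(client_ip: str, provider_zone: str) -> str:
    """Reverse the IPv4 octets and append the provider's zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("only IPv4 lookups are modelled here")
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{provider_zone.strip('.')}"


# Hypothetical meaning of the last octet for this constructed provider;
# every real provider documents its own table and they differ.
OFFENSE_CODES: Dict[int, str] = {
    2: "open relay",
    3: "dial-up / dynamic range",
    4: "spam source",
}


def classify_answer(answer: Optional[str]) -> Optional[str]:
    """None (NXDOMAIN) means not listed; 127.0.0.x encodes the offense in x."""
    if answer is None:
        return None
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {answer}: expected 127.0.0.x")
    x = int(addr) & 0xFF
    return OFFENSE_CODES.get(x, f"listed, code {x}")


def filter_connection(client_ip: str, provider_zone: str, resolver: Resolver,
                      authenticated: bool = False,
                      internal_exchange: bool = False) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason), honouring the anonymous-only rule."""
    if authenticated or internal_exchange:
        return "accept", "connection filter not applied to this connection"
    verdict = classify_answer(resolver(dnsbl_query_name(client_ip, provider_zone)))
    if verdict is None:
        return "accept", "not listed"
    return "reject", verdict


# Constructed in-memory zone standing in for the provider's DNS.
FAKE_ZONE: Dict[str, str] = {"1.5.168.192.rbl.example": "127.0.0.3"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    print(dnsbl_query_name("192.168.5.1", "contoso.org"))
    print(filter_connection("192.168.5.1", "rbl.example", fake_resolver))
    print(filter_connection("192.168.5.1", "rbl.example", fake_resolver, authenticated=True))
    print(filter_connection("10.0.0.7", "rbl.example", fake_resolver))
```

Swapping `fake_resolver` for a real A-record lookup is the only change needed to query an actual provider; keeping the answer check strict (anything outside 127.0.0.0/8 is an error rather than a listing) protects you from a provider that has shut down its zone and started wildcarding every query.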