MSExchange.org Monthly Newsletter of February 2011 Sponsored by: Exclaimer

Welcome to the MSExchange.org newsletter by Henrik Walther, Exchange MVP, MCA: Messaging (Exchange Ranger) Apprentice, MCTS Windows Server 2008, MCITP Exchange 2007, MCSE 2003 Messaging/Security. Each month we will bring you interesting and helpful information on Exchange Server. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: henrik@msexchange.org

1. Exchange Hosting versus GAL Segregation and where we are today

Welcome to the February 2011 edition of the MSE Newsletter! So this month I want to get the record straight when it comes to the differences between Exchange Hosting and GAL segregation. Why? Because it seems like many folks out there in the Exchange communities believe Exchange hosting and GAL segregation is the same thing. Somehow I understand the confusion. You see all the way back since Exchange 2000 and up until Exchange 2010, there were three types of Microsoft customers out there that for one reason or another wanted to segregate address lists:

• Non-hosting service providers that want to do GAL segregation internally in the organization. I'll discuss this in further detail towards the end of this article.
• The hosted service providers (usually the medium and large ones) that use Hosted Messaging and Collaboration (HMC) which included the Microsoft Provisioning System (MPS). Among many other things, MPS includes a method to isolate address lists, so that one customer couldn't see another customer's address lists and vice versa. Behind the scene MPS really used an access control list (ACL) based method to isolate the address lists. More specifically an organizational unit (OU) is created for each hosted customer and all users within the specific OU are assigned list object permissions via an AllUsers@domain.com security group located in a sub OU named "_Private".
  
  
  
  
• The hosted service providers (usually the smaller ones) that don't use HMC but instead use miscellaneous tweaks to isolate customers from each other. In regards to address lists they followed the Exchange 2000/2003 KB articles that existed at that time (all of these were pulled some years ago). When the environment was upgraded to Exchange 2007, they used the methods described in the "Configuring Virtual Organizations and Address List Segregation in Exchange 2007" white paper even though the paper was specifically targeted at isolating (aka segregating) address lists between different groups of users within the same organization. Hosting service providers were not the target for this white paper. As a matter of fact using the included steps in a commercial "hosting" solution wasn't supported and if you screwed things up in such an environment there would be very little chance that you would be receiving support from Microsoft to clean out the mess.
  
  As those of you who have used the methods described in the white paper or just read it knows, this paper also uses an ACL-based approach to segregate address lists.

During the Exchange 2010 RTM period there were no supported methods to segregate address lists - not even for hosted service providers that used an HMC 4.5 based solution. Exchange 2010 RTM was simply not supported in an HMC environment. Those that didn't use HMC (whether that be hosted service providers or enterprises that wanted to aggregate address lists on department level etc.) were also stuck when it came to segregating address lists since the methods described in the "Configuring Virtual Organizations and Address List Segregation in Exchange 2007" white paper wasn't supported with Exchange 2010 RTM. If you follow the steps in the paper, you can actually break things (read more on David Goldman's blog).

Then came Exchange 2010 SP1 which introduced new functionality that made it possible to deploy Exchange 2010 SP1 in hosting mode. This is done by running setup with the "/hosting" switch. Exchange 2010 SP1 hosting is built on a true multi-tenancy model which is the same model that's used with Live@EDU and Exchange 2010 Online  which currently is in beta but will be included in the upcoming Office 365 offering that will be made available later this calendar year.

Exchange 2010 SP1 gave the hosted service providers a method to segregate address lists on an Exchange 2010 based infrastructure, but regardless of whether they currently use an HMC or a non-HMC hosted solution, they are required to migrate to Exchange 2010 SP1 in hosting mode. It's not supported to deploy Exchange 2010 SP1 in hosting mode into an existing Exchange organization. So obviously the task of getting on Exchange 2010 SP1 in hosting mode is far from simple. It should also be noted that there's a long list of stuff that's not supported when running Exchange 2010 SP1 in hosting mode (I maintain a list in this TechNet Wiki article).

Exchange 2010 SP1 in hosting mode creates a so called configuration unit per customer or tenant. 

Not only that, but each customer or tenant also gets their own configuration unit under the Microsoft Exchange container in the configuration naming context as shown below. As you can see there's a configuration container created in each configuration unit container which holds many of the Exchange related containers (such as the Address List container) that are in the default Exchange organization container. This provides a true out of the box segregation or isolation model if you will. This means that all the tasks you had to do using MPS (more specifically Provtest) in an HMC environment are no longer required.  

So Exchange 2010 SP1 in hosting mode is pretty cool when you're a hosted service provider, but what about the non-hosting service provider? They still don't have a way to segregate address lists since Exchange 2010 SP1 in hosting mode isn't targeted for non-hosting hosting service providers right?

Until a few weeks ago, these customers were still waiting for the "Configuring Virtual Organizations and Address List Segregation in Exchange 2007" white paper to be updated. Then suddenly an interesting blog post made it to the Exchange team blog. The upcoming Exchange 2010 Service Pack 2 will include a new feature referred to as Address Book Policies or in short ABPs. This feature will allow an Exchange administrator to create address list views via the Exchange Management tools. This means that non-hosting service providers no longer need to mess around with setting specific ACLs on OUs etc. in order to achieve address list segregation

Exchange 2010 SP2 will RTW later this year which is good for those that aren't in a rush. But what about those involved in Exchange 200x > Exchange 2010 projects where the lack of support for address segregation currently is a showstopper? Well, the news isn't exactly positive. First, as mentioned above Exchange 2010 SP1 in hosting mode isn't for non-hosting service providers. Secondly, the Exchange product group have decided not to update the "Configuring Virtual Organizations and Address List Segregation in Exchange 2007" white paper. Read more about this in this blog post on David Goldman's blog. So as a non-hosting service provider, you must have a little more patience until Exchange 2010 SP2 sees the light of day.

To sum things up:

• Exchange 2010 SP1 in hosting mode is for hosted service providers
• Exchange 2010 SP2 Address Book Policies are for enterprises that wish to segregate groups of users (based on department, country etc.
• Segregating GALs using an ACL approach is not supported and will never be supported

Until later,
Henrik Walther
Technology Architect/Writer/Vendor
MCM: Exchange 2007 | MVP: Exchange Architecture

Note:
Should you have any ideas for content in future editions of the MSExchange.org newsletter, you are more than welcome to shoot me an e-mail at Henrik@msexchange.org

2. Order Henrik Walther's Exchange Server 2007 book

3. MSExchange.org Learning Zone Articles of Interest

We have a great group of articles in the Learning Zone that will help you get a handle on your most difficult configuration issues. Here are just a few of the newer and more interesting articles:

• Using Forefront Script Kit with Forefront Protection for Exchange Server (Part 1)
• Rights Management Server and Exchange 2010 (Part 4)
• Podcast: Exchange 2010 Archiving (Part 1)
• SMTP Routing in Exchange 2010 (Part 2)
• Managing Distribution Groups in Exchange Server (Part 3)
• Rights Management Server and Exchange 2010 (Part 3)
• Planning, Deploying, and Testing an Exchange 2010 Site-Resilient Solution sized for a Medium Organization (Part 5)
• How to migrate from Exchange 2007 CCR to Exchange 2010 DAG on existing hardware (Part 2)        
  

4. KB Articles of the Month

Below you find the Exchange 2003, 2007, and 2010 related KB articles that were published since the last MSE newsletter.

Exchange Server 2010

• How to troubleshoot calendar issues in Microsoft Outlook, Microsoft Exchange Server 2007, and Microsoft Exchange Server 2010
• Exchange Unified Messaging Auto Attendant announces "the call cannot be transferred" before terminating a incoming call from the PSTN
• An excepted occurrence is not excluded from a recurring iCalendar message for an Exchange Server 2010 mailbox user
• Calling RpcAsyncCancelCall function breaks connection and causes MAPI_E_NETWORK_ERROR
• Exchange ActiveSync does not download attachments to Calendar items on mobile devices
• Outlook connection issues with Exchange 2010 mailboxes because of the RPC encryption requirement
• Meetings that are placed in an owner's calendar by a delegate do not display free/busy information for additional meeting
• Sending S/MIME encrypted mail from OWA returns the error "Outlook Web Access could not find your digital ID for encryption."
• You cannot add a new Exchange Server 2010 Mailbox database to DAG in a multi-site topology environment
• You cannot uninstall Exchange Server 2010 RTM after you install Update Rollup 2, Update Rollup 3, or Update Rollup 4 for Exchange Server 2010
• A hotfix is available that improves TCP loopback latency and UDP latency in Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7
• Description of a reliability update for the TCP Chimney Offload feature in Windows Server 2008 and in Windows Vista

Exchange Server 2007 

• How to troubleshoot calendar issues in Microsoft Outlook, Microsoft Exchange Server 2007, and Microsoft Exchange Server 2010
• Exchange Unified Messaging Auto Attendant announces "the call cannot be transferred" before terminating a incoming call from the PSTN
• XADM: Exchange Search Fails After Installing Exchange 2007 SP3
• Calling RpcAsyncCancelCall function breaks connection and causes MAPI_E_NETWORK_ERROR
• Exchange ActiveSync does not download attachments to Calendar items on mobile devices
• Meetings that are placed in an owner's calendar by a delegate do not display free/busy information for additional meeting attendees in Outlook
• Sending S/MIME encrypted mail from OWA returns the error "Outlook Web Access could not find your digital ID for encryption."
• Windows Server System software not supported within a Microsoft Virtual Server environment
• A hotfix is available that improves TCP loopback latency and UDP latency in Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7
• Description of a reliability update for the TCP Chimney Offload feature in Windows Server 2008 and in Windows Vista
• Cannot send or receive e-mail messages behind a Cisco PIX or Cisco ASA firewall

Exchange Server 2003

• Support for iSCSI technology components in Exchange Server
• Exchange Unified Messaging Auto Attendant announces "the call cannot be transferred" before terminating a incoming call from the PSTN
• Exchange Server 2003 Setup Does Not Re-Stamp Exchange Organization Permissions
• Exchange ActiveSync does not download attachments to Calendar items on mobile devices
• Meetings that are placed in an owner's calendar by a delegate do not display free/busy information for additional meeting 
• A meeting update message or a meeting cancellation message from an Exchange 2003 user is not delivered to an Exchange 2007 user

5. MSExchange.org News of the Month

• Exchange Server 2010 SP1 and Windows Server 2008 R2 SP1 Support
• How fragmentation on incorrectly formatted NTFS volumes affects Exchange
• UDP Notification Support Re-added to Exchange 2010
• GAL Segmentation, Exchange Server 2010 and Address Book Policies
• KEMP Technologies now on the list of Exchange 2010 Certified Load Balancer Vendors
• How Microsoft IT is Implementing a Hybrid Messaging Deployment
  

6. Ask Henrik Walther a question

QUESTION:

We have just upgraded from Exchange 2003 to Exchange 2010. Some of our users are still using Outlook 2003 so we have followed all your recommendations in the "Concern: Is having Outlook 2003 clients going to prevent me from deploying Exchange 2010?" you have written. However, users with many shared calendars added to their Outlook 2003 profile randomly get this error message when opening shared calendars:

"The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action."

Besides what you mention in the Wiki article, do you know of any other steps that are required in order to get this issue fixed?

ANSWER:

Now I don't know when was the last time you checked the Wiki? Anyway I recently added an additional step that is sometimes required to get rid of the above error message when opening shared calendars through an Outlook 2003 client. This is more a client-side issue than a server-side issue.

On those clients that still see the error message, you should try to open Outlook 2003 with the "/resetnavpane" switch. So go to start > Run and type "Outlook.exe /resetnavpane".

Bear in mind this will remove any shared calendars from the profile. So you would need to add them again or inform the user to do so.

TechGenix Sites