Ramblings from The Montopolis Group

We stopped supporting BES (Blackberry Enterprise Server) and Exchange a long time ago due to its cost, stability, and complexity.  We know lots of folks are fans of Blackberry’s so we looked all over for an alternative.

AstraSync is what we found and have recommended to our clients for years.  It works well and our Blackberry users seem to be happy with it.

Hopefully one day Blackberry will just license ActiveSync like Apple’s iPhone did, but for now, AstraSync works great and is cost-effective considering the alternative.

So if you need your Blackberry to talk to Exchange, get AstraSync and move on to more interesting things

If you want to use a GoDaddy UCC certificate with Exchange 2010, you’ll run into a few problems using the new certificate GUI tools.

Since GoDaddy does not provide a PFX certificate to download, you have to use the PowerShell command line.

Though you can use the new GUI to assist you in determining which SAN names you need if you want.

MY ADVICE:  make your common name just your top level domain name!  (ex. montopolis.com)  This way you can change out your SANs easily and rekey when needed.

Go to DigiCert’s Exchange 2010 CSR Tool which is just supper handy (GoDaddy really needs to make a version of this tool).

Enter all of your information and click Generate.

Copy the PowerShell code provided into Notepad.

In front of the code you pasted put in “$Data=” (without quotes).  Example:

$Data=New-ExchangeCertificate -GenerateRequest -KeySize 2048 –SubjectName…………………

On the next line enter the following (without quotes)

set-content -path “mycommonname.com.csr” -Value $data

Now paste these two lines into your Exchange Management Shell.

You should now have a mycommonname.com.csr file!

Open this file in notepad so you can copy & paste this for GoDaddy.

Go to https://certs.godaddy.com and request a new UCC certificate.  When asked paste your CSR.

Wait for GoDaddy to issue your cert and download it for Exchange 2007.  Copy the contents of the ZIP into the directory where your CSR is located.

From the Exchange Management Shell type in, replacing mydomain.com.csr with your filename:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path mydomain.com.crt -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services “IIS”

Don’t worry about the services enabled right now.  We just want to enable one.

Now start your Exchange Management Console –> Server Configuration.  You should now see your new certificate listed.  Select it and click Assign Services to Certificate from the Actions menu.

Now assign the certificate to the services you want and voila!

I wasted a couple hours going the wrong way so I hope this saves someone else some time and frustration.  Good luck!

I also could not get a clean Test-OutlookWebServices in Exchange 2007 SP1 as Joel Stidley mentions on his post here. 

But prior to that I was getting “403: Permission Denied” errors.  Nothing I tried worked. 

So I ended up removing just the Exchange Web Services or EWS with Remove-WebServicesVirtualDirectory and recreating it with New-WebServicesVirtualDirectory.  This restored EWS to its defaults.  That fixed my 403 problem quickly.

Then I started getting the “401: Unauthorized” as Joel mentions on his post.  I opted for Method 2 (no reboot). 

After that, my EWS came up without any issues…

I tested inside and outside hosts with Outlook and Communicator, all passed.

Test-OutlookWebServices ran clean. 

Outlook connection status (ctrl-right click on running icon) and Test Autoconfiguration all were clean and reconnected quickly. 

Event logs were all clean to boot!!!!!

To make things even better, I was then able to switch Outlook RPC/HTTP authentication to NTLM and it worked flawlessly!  For some reason previously it only worked in Basic mode, and under some circumstances would annoy outside users with unnecessary credential checks. 

We in IT are responsible to enforce the fewest credential checks necessary, while not compromising anyone’s security.   Credential checks should also use the most secure and resilient form of communication available at the time of that check.

So if your Outlook RPC/HTTP and/or Communicator are complaining about communicating with Exchange, my first step would be to rebuild EWS. 

Before you install the Unified Messaging Role in Exchange 2007, you’ll need to have the following updates already installed.

Windows Media Encoder 9 Series x64 Edition
Fix KB917312. Info on fix here.

All of the system and role requirements are listed in the Exchange 2007 System Requirements document.

After the UM role is setup, you can enable integration with Office Communications Server 2007 by running “exchucutil.ps1″ from the scripts directory of your Exchange 2007 install media/directory.  Run this from the Exchange Management Shell.  Then reboot your OCS server. Verify all is working by looking at the events with source “OCS Exchange Unified Messaging Routing” in the OCS category in your Event Log.

When building a Query-based Distribution Group in Exchange 2003/2007, the GUI does not allow you to filter out disabled users or hidden users.

This has greatly limited the effectiveness of such groups for my work, until now!

Using ADSIEDIT.MSC you can modify the LDAP filter easily to resolve this issue.

Steps:

1. start ADSIEDIT.MSC
2. under the Domain branch, find the group your created through the Active Directory Users and Computers (ADUC)
3. double-click on the group
4. find the msExchDynamicDLFilter attribute and edit it
5. just in the last ‘)’ add the following: (!userAccountControl:1.2.840.113556.1.4.803:=2)(!msExchHideFromAddressLists=TRUE)
6. go back to ADUC and find your group, and run the preview and make sure it works
7. fin!