On June 6, O’Reilly author and Exchange Server expert Paul Robichaux took a hard look at tweaking Exchange Server and shared tips on how to stop little things from going wrong. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
Welcome to the Guild Meeting!
MODERATOR: Good evening and welcome to tonight’s TechProGuild Guild Meeting. Tonight we are pleased to have Paul Robichaux, author of Managing Microsoft Exchange Server.
We also have two copies of this great O’Reilly book to give away. We have rules about these things, though, so I have to point out that if you’ve won a prize in the last 30 days, you’ll have to wait your turn.
Now, Paul, maybe you can say a few words about Exchange and how you got to write a book from my favorite publisher, and then we’ll hit the tech questions. In fact, there’s one already queued up.
PAUL ROBICHAUX: Super! I fell into doing an Exchange book accidentally. My editor at O’Reilly signed me to do a PalmPilot programming book. Unbeknownst to him, another editor had simultaneously signed Neil Rhodes & Julie McKeehan to do the same book. Chaos ensued, and I got the Exchange book as a consolation prize. But I wouldn’t have it any other way.
Good practices in Exchange 5.5
PAUL ROBICHAUX: Now is an exciting time to be involved with Exchange. Just because Exchange 2000 is in the wings doesn’t mean that your 5.5 knowledge is obsolete, so be of good cheer. Exchange 5.5 is pretty complicated because there are so many pieces and components to it. Worse, it looks simple until you start using it, then you find out that some innocent-looking buttons actually have dire effects when pushed. The biggest problem areas I typically see involve disaster recovery planning, accommodating remote users, and exchanging mail with the Internet. However, you might be amazed at the range of different problems that different people have asked me about. My favorite was my pal who downed his Exchange server to add a tape drive, so he could do backups. However, then, his server wouldn’t come back up.
So, here are useful best practices, in no particular order:
- Don’t use POP3 connectors
- Wear sunscreen
- Close down SMTP relaying on your servers so that you won’t be a spam injector
- Keep, and verify, a regular backup scheme
Another thing: I got asked about a zillion times at TechEd about whether Exchange 5.5 can run under Windows 2000. The answer: Yes, yes, yes.
Mail overload
MIKES_PROXY: We have had trouble with Exchange crashing due to large mailboxes. Do you have any advice on preventing that?
PAUL ROBICHAUX: Well, one way to prevent it is not to let your users have large mailboxes. Set storage limits to enforce a particular size. If Exchange is crashing, it’s most likely due to a malformed message in a mailbox.
If it ain’t broken
DICKAW: Paul, I use your book often. My question is on performance optimizer. Should we adjust the settings?
PAUL ROBICHAUX: Perfwiz is your friend, but like the quote says: “If there’s nothing broken when you start tweaking, there will be when you get done!” I don’t advise adjusting things by hand (except as noted in the book and the KB) unless you’re really sure you need to.
TNEF blues
MODERATOR: Here’s my question: Exchange has a bad habit of turning attachments into the dreaded MS-TNEF format. This makes the attachments virtually unreadable to applications like Pine. Why does Exchange do this and how can it be turned off?
PAUL ROBICHAUX: Aieee! TNEF. I’m fighting that right now, because I keep getting messages from a friend at MS and my mail client can’t read ’em.
MODERATOR: There’s an application for Linux called ‘tnef’ that re-converts the attachments to their original format, but it’s so annoying.
PAUL ROBICHAUX: TNEF is a Microsoft-proprietary encoding format. It stems from the bad old days of MSMail, when there really was no standard way to encode binary content for mail attachments.
MODERATOR: According to what I’ve read, the only reason Exchange does this is to ensure that the mail goes where it’s supposed to go.
PAUL ROBICHAUX: You can configure the Exchange IMS to never use TNEF; that’s what I recommend you do. TNEF doesn’t have anything to do with message routing or delivery per se; it’s Microsoft’s way of wrapping attachments so that (in theory) the recipient will be able to get them.
MODERATOR: So how do I convince IT to configure the Exchange server not to use TNEF?
PAUL ROBICHAUX: Beats me. That’s a political question.
JLWALLEN: Is there any practical reason I can give to convince IT to shut that ‘feature’ off?
PAUL ROBICHAUX: Yeah—the practical reason being that you can’t read mail people send you. I’m not trying to be flippant, either. In this case your best card is the “but it’s incompatible with open standards” (which may be an ace or a deuce, depending on your IT organization).
JLWALLEN: If I mention ‘open standards’ around some of our IT people, I’d probably get flogged. So, on the other side of the coin, what benefit does the TNEF format bring to a mail server?
PAUL ROBICHAUX: TNEF brings the benefit that MSMail clients can read the attachment. That’s about it. It also allows rich text messages with 8-bit character sets, but then so does MIME.
JLWALLEN: Therefore, if you have no one using MSMail on a network, then there’s absolutely no reason to have the TNEF ‘feature’ set to on? Can I quote you on this?
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.
What to do with your new Exchange project
DICKAW: I just inherited an Exchange project when someone moved on to greener pastures.
MODERATOR: What kind of project?
DICKAW: This is a worldwide project for about 3,500 users. We are converting from TAO and putting the mainframe to sleep.
PAUL ROBICHAUX: That’s interesting, Dickaw. Lots of people inherit Exchange services. Sometimes I wonder if anyone ever wants to be an Exchange administrator, or if we have it thrust upon us.
MIKES_PROXY: Dickaw, how are you handling conversion between your old system’s mailboxes and Outlook? Or are you just deleting it all?
PAUL ROBICHAUX: I vote for deleting it.
DICKAW: We looked at a few conversion products and even purchased one. But the results have been unsatisfactory. The best we have done is to forward the mail to Exchange. The problem is converting the forms and not recreating them.
To date, recreating the vital forms has been killing me.
PAUL ROBICHAUX: Recreating forms is a big pain in the butt. There are consultants who specialize in migrating the mail, but I think your approach is the right one. Make people forward what they need, and then they won’t carry all that old gunk with them into the new world.
Safe surfing
MIKES_PROXY: Does setting up Web access present any difficulties, such as security problems?
PAUL ROBICHAUX: Web access is pretty straightforward. The OWA server needs access on port 80 (since it’s using HTTP). However, you really should get an SSL certificate so that you can safely allow plain-text authentication. That’s because not everyone is using Internet Explorer, and Netscape, Opera, et al. don’t support NTLM-style authentication. If you enable SSL, then users with Netscape can still securely access your Outlook Web Access logon page without allowing an attacker to sniff their credentials.
DICKAW: With OWA is there a way to make the GAL visible and usable?
PAUL ROBICHAUX: No, unfortunately not. You can always export the GAL and turn it into a Web page; I’ll be demonstrating that on Thursday in my session at TechEd.
MIKES_PROXY: Can you use forms on the HTML interface?
PAUL ROBICHAUX: Sort of; there’s a MAPI form-to-HTML converter. OWA 2000 is a much better vehicle for form deployment on the Web.
VWJETTA: You were talking about the HTML interface; what about text-based Web browsers such as Lynx? Will it support form-to-HTML?
PAUL ROBICHAUX: No, unfortunately not. OWA requires a browser with frames and JavaScript.
VWJETTA: So if you have a text browser, will it show up as errors or just not show the page?
PAUL ROBICHAUX: The server will send back a page that says “Sorry, you have to use frames and JavaScript.”
Accessing multiple mail accounts
MIKES_PROXY: I have a problem setting up Outlook to work on Exchange and also to pull in my other ISP accounts. I have to use a separate user profile for both. Has this changed in Outlook 2000, and is there some administration that will allow me to put all my accounts on the same profile?
PAUL ROBICHAUX: Normally you can create multiple services in a single profile. For example, my Outlook 2000 profile checks mail on one POP3 account, one IMAP4 account, and my Exchange server. What version of Outlook are you using, and in what mode?
MIKES_PROXY: Also, as far as the JavaScript, other than the authentication certificate, are there JavaScript problems between browsers?
PAUL ROBICHAUX: Not really. OWA works best with Internet Explorer (big surprise). I occasionally see script errors when using IE 4 or IE5 for the Mac. This has also been cleaned up considerably in OWA 2000.
Changing a password online
VWJETTA: With Outlook is there a way to change someone’s password with the online version? What I mean is if I’m trying to log in on the Web using Outlook without the client installed on my machine, can I change my password?
PAUL ROBICHAUX: Vwjetta—OWA SP3 (I think; maybe SP2) added the ability to change user passwords with Outlook Web Access.
VWJETTA: Does anybody know of any good book on Linux servers? I’m looking for one that discusses setup, managing, and that sort of info.
PAUL ROBICHAUX: Running Linux is decent. Lest anyone accuse me of promoting only O’Reilly books, I also think the IDG Linux Bible is pretty good, too.
VWJETTA: Is that a general Linux flavor, or is it specific to one flavor, such as Red Hat?
PAUL ROBICHAUX: Vwjetta, both are pretty general.
JHARVEY: Since we’re talking about books, if you’re interested in buying Paul’s book, here’s the link on Fatbrain.com: www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=1565925459&from=techrep
Clarifying Exchange’s identity
MIKES_PROXY: Here’s a silly question: Is Exchange really a server, per se?
PAUL ROBICHAUX: Sure. It provides services to end users and applications, so I’d argue that it is.
Brick-level backups
DICKAW: At present when our backups run, they attempt to back up mailboxes of users who have left the company and whose mailboxes have been deleted. Do I have a corrupt database?
PAUL ROBICHAUX: Not necessarily. When you delete a user account, the corresponding mailbox may not automatically be deleted.
DICKAW: Yet the mailbox does not appear in Exchange Administrator and the user is removed from the GAL.
PAUL ROBICHAUX: Dickaw, do you see that the mailboxes are backed up via the event log, or what?
DICKAW: No, ArcserveIT reports an error message that it tried to back up the mailbox.
PAUL ROBICHAUX: Dickaw, it sounds like you have some orphaned mailboxes. Are you using ArcserveIT to back up individual mailboxes?
DICKAW: Yes, the company wants a brick-level approach.
PAUL ROBICHAUX: I totally reject brick-level backups. Here’s why:
1. They’re waaaaaaaaay slooooooooooow.
2. You lose single instance storage on the backups.
3. None of the commercial brick-level products work very well.
Instead of bricking it, jack up the deleted item retention time; that allows users to recover what they need. Then make sure you have adequate mailbox backups and you’re golden.
MIKES_PROXY: What’s a brick-level backup?
PAUL ROBICHAUX: “Brick-level backups” are backup systems that back up individual mailboxes instead of the entire database.
DICKAW: The brick-level approach is slow. It takes about three to four times longer and sometimes more, but it has made individual recovery quicker.
PAUL ROBICHAUX: That’s true, and that’s the tradeoff. But how many backups do you do versus how many do you restore? Are you really saving anything?
DICKAW: I’m managing five Exchange servers from London to Hong Kong at present, and being able to restore an individual mailbox of a VP can be critical.
Exchange 2000’s bells and whistles
MIKES_PROXY: What can we expect in the next release?
PAUL ROBICHAUX: There’s so much stuff in Exchange 2000 that I can’t cover it all in an hour. I’m teaching a course (http://www.thechinookgroup.com/; use the password “Exchange2000”) that spends three full days discussing what’s new.
The biggies are that Exchange 2000 requires Windows 2000, uses Active Directory exclusively, and has SMTP as its core transport protocol. New routing engine, brand-new OWA, multiple databases on one server, vastly improved clustering, and an interface where you can finally right-click on things are other new features.
VWJETTA: What protocol will Windows 2000 support? Will it support all of them or are there any left out?
PAUL ROBICHAUX: Win2K supports SMTP, HTTP, HTTP with WebDAV, SSL, IMAP4, POP3, NNTP, and all the standards (DNS, DHCP, WINS) that you already know and love.
Exchange versus NetWare
JHARVEY: Do you ever get caught in the Exchange vs. NetWare debate? Do you have any thoughts on it?
PAUL ROBICHAUX: Not really. Exchange is an e-mail server, and NetWare is primarily for file and print sharing.
How many users is too many?
JLWALLEN: What is the user limit to a single Exchange server?
PAUL ROBICHAUX: Jlwallen, how long is a piece of string? Seriously, I’ve seen Exchange servers with 2,500+ users, but that requires a lot of prior planning and some hefty hardware.
Outlawing .exe attachments
MIKES_PROXY: Last question for me: our IT department has buttoned down Exchange by eliminating .exe and .vba attachments. It seems like a good strategy, but it’s a pain. Do you recommend this?
JHARVEY: Good question!
PAUL ROBICHAUX: For the time being, yes. The problem with executable attachments is that it’s really easy to mutate them so that your filters can’t catch my subtle changes—then you’re hosed.
VWJETTA: OK, so .exe files can be changed to .bat files for virus purposes.
PAUL ROBICHAUX: Sure, or I could take the ILOVEYOU VBS and modify it to do something different. Most filters wouldn’t catch it.
MIKES_PROXY: The ILOVEYOU virus actually contained a VB script, but it called them .txt files, so does that get past the filter?
VWJETTA: Exactly.
PAUL ROBICHAUX: I’m not giving anything away when I say that Microsoft is aware of the problem and that they’re working on a longer-term fix than just turning the function off completely.
MIKES_PROXY: Do you know how that fix will operate? The latest patches were not that good, from a management point of view.
PAUL ROBICHAUX: If it were me, I’d figure out a way to use Java-like sandboxes. This is fairly easy to do under NT/Win2K, but more problematic under 95/98. It could be done, though.
DICKAW: Their announced filtering patch seems drastic. But I hear they may allow some flexibility.
VWJETTA: When you download a patch for your servers, do you download them the same day they come out, or do you wait a couple of days to see if they create more problems?
PAUL ROBICHAUX: It depends. If it’s a security patch, and I think there’s a risk to my servers, I’ll blast the patch on there ASAP. I always give service packs a while to bake before installing them, though!
Thanks for coming
MODERATOR: Let’s hear it for our speaker who did an outstanding job.
PAUL ROBICHAUX: Thanks for having me, Mike. Thanks to all y’all for your questions and participation!
MODERATOR: Look for the transcript of this session to be posted shortly and tell your IT pals about our Guild Meetings. Thanks for dropping by.