Problems Connecting Entourage to Exchange?


Apparently, the solution is to export the full certificate path, AND your private key to your SSL certificate on your Exchange Server, then import that to all your client machines!  Why didn’t I think of that?

http://www.themachelpdesk.com/modules.php?op=modload&name=News&file=index&catid=&topic=19

Exchange 2007 Anti-Spam Configuration in 30 seconds - Understanding Anti-Spam and Antivirus Mail Flow

For a brief overview, read Understanding Anti-Spam and Antivirus Mail Flow [4].

Publish SPF Records for your domains.  Do everyone a favour.

http://www.openspf.org/

If you don't have an Edge Server, install the filters on your Hub Transport Server.  How to Enable Anti-Spam Functionality on a Hub Transport Server [6]

The Install-AntispamAgents.ps1 script is copied to the %system drive%\Program Files\Microsoft\Exchange Server\Scripts folder. You must run the script from this location.

./install-AntispamAgents.ps1

Restart-Service MSExchangeTransport

Set the Reject, Quarantine and Delete thresholds [7].  The commands for all three are shown below, but I only set the Reject threshold; I don't want a central quarantine to sort through, nor do I want my server silently deleting emails.

Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 8
Set-ContentFilterConfig -SCLDeleteEnabled $true -SCLDeleteThreshold 9
Set-ContentFilterConfig -QuarantineMailbox someaddress@somewhere.com
Set-ContentFilterConfig -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7

For email that isn't rejected, I set Organization-level spam settings so that messages with a score of 5 or over are put into Junk Email folders.  Then users can sort through their own spam.

Set-OrganizationConfig -SCLJunkThreshold 5

Set the SCL Junk threshold on all mailboxes [2] for settings more granular than the organization level.  Set this on all your mailboxes initially, then tweak individual mailboxes as necessary.  I usually just leave this at 5, since Outlook auto-adds recipients/contacts to the Safe Senders list, which bypasses the threshold.

Get-Mailbox | Set-Mailbox -SCLJunkEnabled $true -SCLJunkThreshold 5

If you have an SMTP server that all inbound mail passes through first, add it to the Internal SMTP Servers list so that it is ignored by the SPF filter.  The SPF filter will then look at the NEXT hop, which should be the source/sending/external server.  If you don't do this, all your SPF checks will fail, since your internal server (192.168.1.1 in this example) will be tested for every inbound SPF query and keep failing/soft-failing.  [3]

Set-TransportConfig -InternalSMTPServers 192.168.1.1

If the external SMTP server does spam filtering as well (like a Barracuda appliance) and adds a header like "X-Spam-Status: yes", you can configure a transport rule to stamp an SCL score on the message, so that Exchange processes it properly and puts it into the Junk folder [1].

1. Fire up EMC | Organization Config | Hub Transport | Transport Rules tab
2. Click on New Transport Rule in the Action pane
3. Give the new rule a name, add a comment if you wish
4. In the Conditions page, select the condition when a message header contains specific words
5. In the Step 2 edit box, click on the message header link
6. Type X-Spam-Status | click OK
7. In the edit box, click on the specific words link
8. Type yes | click OK | click Next
9. In the Actions page, select the action set the spam confidence level to value
10. In the rule description, click on the 0 link and add a value that's above your SCLJunkThreshold | click Next
11. On the Exceptions page, click Next if you do not want any exceptions to this rule
12. Click New | click Finish to close the wizard

Exchange Shell equivalent:

# Condition: the X-Spam-Status header contains "yes"
$condition = Get-TransportRulePredicate HeaderContains
$condition.MessageHeader = "X-Spam-Status"
$condition.Words = @("yes")
# Action: stamp an SCL above the SCLJunkThreshold (5 above), as in step 10.
# Exchange moves a message to Junk E-mail only when its SCL is greater than the threshold, not equal to it.
$action = Get-TransportRuleAction SetSCL
$action.SCLValue = 6
New-TransportRule -Name "Stamp SCL" -Conditions @($condition) -Actions @($action)

Enable Antispam updates and the IP reputation updates [5].  This is important.

Enable-AntispamUpdates -Identity SERVER01 -IPReputationUpdatesEnabled $True -MicrosoftUpdate Configured -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True

Create a Receive Connector just for Internet mail, and ensure you have the necessary permissions set on it.  Be sure that any POP3 connectors have their own Receive Connector configured with the appropriate permissions.

http://justinho.com/blog/preventing-external-spoofed-spam-from-authoritative-address-spaces-or-domains/
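An added example, not from the original post: an Exchange Management Shell audit of the anti-spam settings configured above, run on the Hub Transport server. The expected values, the rule name "Stamp SCL" and the relay 192.168.1.1 are this post's own examples; the cmdlets are the Exchange 2007 ones used above.

```powershell
# Added example: audit the anti-spam configuration described in this post.
# Returns one row per check so the output can be piped to Format-Table or Export-Csv.

function New-CheckResult($Check, $Ok, $Detail) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check  $Check
    $o | Add-Member NoteProperty Status $(if ($Ok) { "OK" } else { "FIX" })
    $o | Add-Member NoteProperty Detail $Detail
    $o
}

function Get-AntispamAudit([string]$UpstreamRelay = "192.168.1.1",
                           [string]$RuleName = "Stamp SCL") {
    $cf  = Get-ContentFilterConfig
    $org = Get-OrganizationConfig
    $tc  = Get-TransportConfig
    $results = @()

    # Reject is on; delete is off, so nothing disappears silently.
    $results += New-CheckResult "SCL reject enabled" $cf.SCLRejectEnabled `
        ("SCLRejectThreshold=" + $cf.SCLRejectThreshold)
    $results += New-CheckResult "SCL delete disabled" (-not $cf.SCLDeleteEnabled) `
        ("SCLDeleteEnabled=" + $cf.SCLDeleteEnabled)

    # Organization-wide junk threshold, and mailboxes that quietly override it.
    $results += New-CheckResult "Org SCLJunkThreshold set" ($org.SCLJunkThreshold -ne $null) `
        ("SCLJunkThreshold=" + $org.SCLJunkThreshold)
    $overrides = @(Get-Mailbox -ResultSize Unlimited | Where-Object {
        $_.SCLJunkEnabled -eq $true -and $_.SCLJunkThreshold -ne $org.SCLJunkThreshold })
    $results += New-CheckResult "Mailboxes overriding org junk threshold" ($overrides.Count -eq 0) `
        ([string]::Join(", ", @($overrides | ForEach-Object { $_.Alias })))

    # The upstream relay must be listed so the SPF agent evaluates the hop before it.
    $relays = @($tc.InternalSMTPServers | ForEach-Object { $_.ToString() })
    $results += New-CheckResult "Relay in InternalSMTPServers" ($relays -contains $UpstreamRelay) `
        ("InternalSMTPServers=" + [string]::Join(",", $relays))

    # The header rule must stamp an SCL ABOVE the junk threshold: Exchange moves a
    # message to Junk E-mail when SCL > SCLJunkThreshold, not when it is equal.
    $rule = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
    $stamped = $null
    if ($rule) {
        foreach ($a in $rule.Actions) {
            if ($a.SCLValue -ne $null) { $stamped = [int]$a.SCLValue.ToString() }
        }
    }
    $aboveJunk = ($stamped -ne $null) -and ($org.SCLJunkThreshold -ne $null) -and
                 ($stamped -gt [int]$org.SCLJunkThreshold)
    $results += New-CheckResult "Rule '$RuleName' stamps SCL above junk threshold" $aboveJunk `
        ("SCLValue=$stamped")

    # Signature and IP reputation updates for this server.
    $upd = Get-AntispamUpdates -Identity $env:COMPUTERNAME
    $results += New-CheckResult "Spam signature updates" $upd.SpamSignatureUpdatesEnabled `
        ("UpdateMode=" + $upd.UpdateMode)
    $results += New-CheckResult "IP reputation updates" $upd.IPReputationUpdatesEnabled `
        ("MicrosoftUpdate=" + $upd.MicrosoftUpdate)
    $results
}

Get-AntispamAudit | Format-Table Check, Status, Detail -AutoSize
```

Note that Set-TransportConfig -InternalSMTPServers replaces the whole list, so if the "Relay in InternalSMTPServers" check fails after you added a second relay, re-run it with all relays listed.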

[1] http://exchangepedia.com/blog/2008/01/assigning-scl-to-messages-scanned-by.html

[2] http://technet.microsoft.com/en-us/library/bb123559(EXCHG.80).aspx

[3] http://technet.microsoft.com/en-us/library/bb124151(EXCHG.80).aspx

[4] http://technet.microsoft.com/en-us/library/aa997242(EXCHG.80).aspx

[5] http://technet.microsoft.com/en-us/library/bb125199(EXCHG.80).aspx

[6] http://technet.microsoft.com/en-us/library/bb201691(EXCHG.80).aspx

[7] http://technet.microsoft.com/en-us/library/aa995995(EXCHG.80).aspx

Users Unable to Change Domain Passwords via OWA on Exchange 2007 with Server 2003 Backend

Symptoms:

Some of my users are unable to change their passwords via OWA on Exchange 2007 on Server 2008.  My DCs are running Server 2003.


Argh.

Getting RemotelyAnywhere Clients to Phone Home via SMTPS

Since most ISPs block unencrypted SMTP (tcp port 25) outbound connections, I've configured my managed mobile clients to connect to my mail server on port 465 (SMTPS) and use TLS to authenticate to "phone home".

This allows these clients, even on untrusted client IP segments, to authenticate over a secure connection and deliver email reporting their current whereabouts (IP address).

First, configure RemotelyAnywhere to use port 465, and force TLS/SSL.  (Obviously, you'll have to provide a username/password etc. here.)  I created a dedicated mailbox/user for this purpose.

Next, on the Edge Transport machine, create a new receive connector for port 465.  You'll have to rearrange your existing connector(s) to ensure there's no port/scope overlap:

  • Edge Transport
  • New Receive Connector
  • port 465, enable TLS
  • Allow exchange users ONLY
  • In the Shell: Get-ReceiveConnector server\connector | Add-ADPermission -User USERNAME -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

Replace USERNAME with the dedicated user.  Replace server\connector with the identity of the connector.  To get the name, run "Get-ReceiveConnector" by itself and pick the appropriate entry.  Note that this will force the Exchange Edge server to permit ONLY current Exchange users (i.e. not anonymous/unauthenticated users) to submit mail via SMTPS on port 465.
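An added example, not from the original post: the connector creation described above as a script, which first checks for the port/scope overlap the post warns about and then applies the same ADPermission. The connector name "SMTPS Phone Home" and the $User parameter are assumptions; an Exchange 2007 receive connector offers STARTTLS on whatever port it is bound to and does not do implicit SSL, so the client side must be set to TLS rather than SSL-on-connect.

```powershell
# Added example: create the port 465 receive connector from this post on the
# Edge Transport server, refusing to proceed if an existing connector already
# claims port 465 for the same remote range.

function Get-ConnectorsOnPort([int]$Port) {
    # Bindings are IPBinding objects with Address and Port properties.
    Get-ReceiveConnector | Where-Object {
        @($_.Bindings | ForEach-Object { $_.Port }) -contains $Port
    }
}

function Test-RangeOverlap($Connector, [string]$Range) {
    # RemoteIPRanges are IPRange objects; compare their string form.
    @($Connector.RemoteIPRanges | ForEach-Object { $_.ToString() }) -contains $Range
}

function New-PhoneHomeConnector([string]$User, [string]$Name = "SMTPS Phone Home") {
    $port  = 465
    $range = "0.0.0.0-255.255.255.255"   # roaming clients can come from anywhere

    $clash = @(Get-ConnectorsOnPort $port | Where-Object { Test-RangeOverlap $_ $range })
    if ($clash.Count -gt 0) {
        Write-Warning ("Port $port with range $range is already used by: " +
            [string]::Join(", ", @($clash | ForEach-Object { $_.Name })))
        return $null
    }

    # Only authenticated Exchange users, and only Basic auth after TLS.
    $rc = New-ReceiveConnector -Name $Name -Usage Custom -Bindings "0.0.0.0:$port" `
        -RemoteIPRanges $range -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS `
        -PermissionGroups ExchangeUsers
    # Refuse any session that has not negotiated TLS at all.
    Set-ReceiveConnector -Identity $rc.Identity -RequireTLS $true
    # Let the dedicated user submit mail with any sender address (the post's step).
    Get-ReceiveConnector $rc.Identity |
        Add-ADPermission -User $User -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender | Out-Null
    Get-ReceiveConnector $rc.Identity
}

New-PhoneHomeConnector -User "phonehome"   # "phonehome" is a placeholder account name
```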

So now, I have machines that can check their local IPs every X minutes, open a secure connection to my email server, and send an email with their current IP address, on any internet connection that permits tcp port 465 (SMTPS) outbound.

Microsoft Exchange Management Console Localization Issue?

Background:

I'm running Exchange 2007 SP1 with UR1 on Windows Server 2008 x64.

Problem:

The UI seems to have a few bugs in it.

I opened:

  • Microsoft Exchange Management Console
  • Organization Configuration
  • Hub Transport
  • New Remote Domain...
  • Double click on new Remote Domain... (Properties window)

Weird:


  • The title of the tab looks wrong
  • "sender's" has a strange character in it

OWA on Exchange 2007 SP1 - Still Unable to Edit Rules

Abstract:

Even with Exchange 2007 SP1 installed, some users are still unable to edit rules in Outlook Web Access (OWA).  The problem appears to be caused by rules that are present that OWA cannot handle; removing the problematic rules appears to restore access.  The logging is quite poor as the UI doesn't really provide any reason for the failure.

Potential Causes:

  • Remove any rules that contain "and stop processing more rules"
  • Remove any rules that contain "clear message's categories"


  • Rules that have the toolset icon next to them, as above, are not editable in OWA.
  • First log on in OWA after mailbox is moved may result in rules not being editable.  Log off and log back on.
  • Ensure Rules are Enabled in Exchange System Manager (Server Configuration, Client Access, Right click on OWA directory, Properties, Segmentation tab)

Migrating Email Servers to Exchange 2007

The Microsoft Transporter Suite is a set of interoperability and migration tools to migrate content from Lotus Domino servers or generic POP/IMAP servers. For Lotus Domino, the suite contains a set of tools for Directory and Free/Busy interoperability between Lotus Domino 6 or 7 and Exchange Server 2007 and Windows Server 2003 Active Directory. In addition, for Lotus Domino the suite contains migration tools to migrate users, groups, personal address lists, mailboxes, personal mail archives, and applications from Lotus Domino 5, 6 or 7 to Active Directory, Exchange Server 2007, and Windows SharePoint Services 3.0. For generic POP/IMAP servers, the suite contains a set of tools to bulk migrate mailboxes from any generic email server that supports the POP3 or IMAP4 protocol to mailboxes in Exchange Server 2007.

http://www.microsoft.com/downloads/details.aspx?FamilyID=35fc4205-792b-4306-8e4b-0de9cce72172&displaylang=en

Exchange 2007 SP1 on Windows Server 2008

Abstract:

My quest to eliminate the Dell CERC 1.5/6ch SATA (due to its poor performance) from my production environment has been a long one as I opted to wait for Windows Server 2008 and Exchange 2007 before migrating to my 3Ware card.  This post contains a summary of all the issues I encounter, and will be updated as I proceed.

Solutions:


Outlook Anywhere RPC over HTTPS Proxy on Windows Server 2008 Fails to Communicate with Exchange 2007

Abstract:

Outlook Anywhere may not work properly on a Windows Server 2008 machine with Exchange 2007.  The DSAccess RPC proxy listens on ports 6001 and 6002 on the IPv6 stack, and listens on ports 6001, 6002, and 6004 on IPv4.  The missing listener on port 6004 causes connectivity to fail.
A workaround exists and is documented which gets this working, regardless of where the RPC proxy is installed (on the Exchange box, or otherwise.)

Details:

If your RPC proxy is on 2008, but not on the same box as Exchange 2007, remove the IPv6 binding to force the proxy to communicate with Exchange on IPv4.

Otherwise, modify your host file, as per: http://weblog.bassq.nl/?p=79

  • Comment out the line "::1 localhost"
  • Add the following two lines:
    <IPv4 address> <hostname of the computer>
    <IPv4 address> <FQDN of the computer>

So, for my server, I have:
10.0.0.5 servername
10.0.0.5 servername.subdomain.domain.com

To confirm functionality:

Open telnet to localhost 6004
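An added example, not from the original post: the telnet check above done from PowerShell against both loopback addresses, plus a look at whether the hosts-file workaround is in place. A TcpClient is created per address family because the parameterless TcpClient constructor is IPv4-only; the hosts file path and the port list are the ones this post discusses.

```powershell
# Added example: probe the RPC proxy back-end ports on IPv4 and IPv6 loopback.
# A row with Address ::1, Port 6004 and Listening False is the symptom described above.

function Test-TcpListener([string]$Address, [int]$Port, [int]$TimeoutMs = 2000) {
    $listening = $false
    $async = $null
    trap { continue }   # e.g. no IPv6 stack bound: treat as "not listening"
    $ip = [System.Net.IPAddress]::Parse($Address)
    $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
    $async = $client.BeginConnect($ip, $Port, $null, $null)
    if ($async -ne $null -and $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
        $listening = $client.Connected   # false when the connection was refused
    }
    $client.Close()
    $listening
}

function Test-RpcProxyPorts {
    foreach ($addr in @("127.0.0.1", "::1")) {
        foreach ($port in @(6001, 6002, 6004)) {
            $o = New-Object PSObject
            $o | Add-Member NoteProperty Address   $addr
            $o | Add-Member NoteProperty Port      $port
            $o | Add-Member NoteProperty Listening (Test-TcpListener $addr $port)
            $o
        }
    }
}

function Test-HostsWorkaround {
    # The post's workaround: "::1 localhost" commented out, and the computer's
    # hostname mapped to its IPv4 address.
    $hosts = Get-Content (Join-Path $env:SystemRoot "System32\drivers\etc\hosts")
    $ipv6Localhost = [bool]($hosts | Where-Object { $_ -match "^\s*::1\s+localhost" })
    $namePattern   = "^\s*\d+\.\d+\.\d+\.\d+\s+" + [regex]::Escape($env:COMPUTERNAME) + "\b"
    $nameToIPv4    = [bool]($hosts | Where-Object { $_ -match $namePattern })
    $o = New-Object PSObject
    $o | Add-Member NoteProperty IPv6LocalhostActive   $ipv6Localhost
    $o | Add-Member NoteProperty HostnameMappedToIPv4  $nameToIPv4
    $o
}

Test-RpcProxyPorts | Format-Table -AutoSize
Test-HostsWorkaround
```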

Sources:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2975122&SiteID=17

Exchange 2007 Aware Backups on Windows Server 2008

Abstract:

Exchange 2007 SP1 on Server 2008 can't back up using in-box tools.  Either use DPM, or a 3rd party tool ($$$), or hack NTBackup to run on 2008 Server.  A workaround/hack is provided that allows NTBackup to run on Server 2008 x64 with Exchange 2007 SP1.

Background:

The Exchange Team Blog has the following text:

Unlike previous versions of Windows, Windows Server 2008 does not include a backup utility that supports the Exchange ESE streaming backup APIs. The Windows 2008 backup application, Windows Server Backup, cannot be used to take backups of Exchange.

Exchange still includes the ESE streaming backup APIs, but the absence of an Exchange-aware backup application in Windows may come as a surprise to many. Another change we made that may also affect you is the removal of remote streaming backup support on Windows 2008.

This leaves you with two choices for taking Exchange-aware online backups when running Exchange 2007 SP1 on Windows 2008:

  1. Move to a Volume Shadow Copy Service (VSS)-based backup application. You can use Microsoft System Center Data Protection Manager (DPM) 2007 or a third-party backup application that supports Exchange-aware VSS-based backups of Exchange 2007 SP1 on Windows Server 2008. Windows Server Backup in Windows 2008 is a VSS-based backup application, but it does not include a VSS requestor for Exchange, which is a necessary component in order to use VSS to take an Exchange-aware backup.
  2. Use a Third-Party application that supports ESE streaming backups using a local backup agent on the Exchange server. Because the ESE streaming APIs remain in Exchange 2007, you can still use them to backup Exchange. But to do that, you must use a third-party backup application that runs a local agent on the Exchange server so that the streaming backup is made locally, and not remotely. You cannot take remote streaming backups of Exchange 2007 SP1 on Windows 2008 with or without a third-party product. Any streaming backups that are performed must be performed locally on the Exchange server.

Annoyances and anger aside, NTBackup (the old utility) can be made to run on Server 2008.  I found this: http://cs.thefoleyhouse.co.uk/blogs/karl/archive/2008/02/10/how-to-backup-exchange-2007-on-server-2008.aspx

To Install and use NTBackup on a Server 2008 Machine to Backup Exchange 2007 SP1:

  1. Install NTBackup, as per http://www.petri.co.il/installing_windows_xp_ntbackup_on_windows_vista.htm
    1. Copy these files from a 2003 server (C:\Windows\System32\) to Server 2008 (C:\Program Files\NTBackup\):
      1. ntbackup.exe
      2. ntmsapi.dll
      3. vssapi.dll
  2. Install the Removable Storage Manager from Server Manager.  (Features, Add Features, Removable Storage Manager.)
  3. Copy Exchange DLLs to access Exchange (as per http://support.microsoft.com/kb/275876).  You need to copy esebcli2.dll from 2003 (C:\Program Files\Exchsrvr\Bin) to 2008 (C:\Program Files\NTBackup)
  4. Run regedit and change the esebcli2 key from C:\Program Files\Microsoft\Exchange Server\Bin\esebcli2.dll to C:\Program Files\NTBackup\esebcli2.dll

Discussion:

It would seem that several product groups at Microsoft have failed to do comprehensive use-case analyses of customer requirements.  This has happened with Vista (poor file copy performance, poor video card gaming performance, 4GB RAM BSOD with RTM, to name a few), and with Exchange 2007 (Exporting to PST in 2007 requires a 32-bit box, Server 2008 CAS does not work properly with single server deployments since DSAccess fails to listen on IPv6 on port 6004, and Server 2008 does not provide an in-box backup solution for Exchange 2007.)

PowerGUI - An Extensible Administrative Console based on Windows PowerShell

What is PowerGUI?

PowerGUI is an extensible graphical administrative console for managing systems based on Windows PowerShell. These include Windows OS (XP, 2003, Vista), Exchange 2007, Operations Manager 2007 and other new systems from Microsoft. The tool lets you use the rich capabilities of Windows PowerShell in a familiar and intuitive GUI console.

How much does it cost and is registration required?

PowerGUI is a freeware product thanks to the support we are getting from Quest Software. You can download the product and access all information on this site absolutely for free and without any registration or login. You will have to register only if you want to post information to the discussion forums or library, or subscribe to notifications by email (RSS subscription does not require registration.)

What are the system requirements?

The main system requirement is Windows PowerShell (which in turn requires .NET Framework 2.0). If you don't have this installed on your computer, PowerGUI setup will detect that and open a web page from which it can be downloaded. In terms of operating systems we support Windows XP, 2003, Vista, and Longhorn; both 32- and 64-bit. Particular snapins may add their specific system requirements. For example, the Exchange 2007 snapin we ship today naturally requires Exchange 2007 or its administrative tools.

What can I do with PowerGUI?

Pretty much anything that the underlying system permits. You can browse through the system, filter/sort what you get, select the columns, perform actions on selected objects, change their properties, export data to clipboard, Excel, xml, or just html reports, and much more. And if you don't believe this is all being done by Windows PowerShell just switch to another tab and you'll see the PowerShell code behind what you've been doing.

Download: http://powergui.org/downloads.jspa

White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007

This white paper provides the information that you need in order to configure Microsoft Exchange Server 2007 with multiple address lists so different groups of users can have their own address list and secure those address lists so that groups of users can only see their specific address list.

Much of the information in this white paper originally appeared as individual Help topics in the Exchange Server 2007 Help. In this white paper, we have consolidated the information that you need to deploy and manage segregated address lists in one central location. We have also provided sample scripts, which can be modified to fit your environment, to help automate the provisioning of virtual organizations and users.

http://technet.microsoft.com/en-us/exchange/bb936719.aspx or
http://technet.microsoft.com/en-us/library/bb936719(EXCHG.80,printer).aspx

More technical papers: http://technet.microsoft.com/en-us/library/cc164340(EXCHG.80).aspx

Exchange 2007 RTM SP1 Update Rollups - How to Obtain

How to obtain the latest update rollup for Exchange 2007

http://support.microsoft.com/?kbid=937052


Windows Server 2008 RTM Application Support

What will support Windows Server 2008 at RTM?

  • .NET Framework 2.0 (installed)
  • .NET Framework 3.0 SP1 ( part of Application Server role )
  • .NET Framework 3.5
  • Dynamics CRM 4.0
  • Exchange Server 2007 SP1
  • Forefront Security Server 1.0
  • MOSS SP1 ( installation notes for Windows Server 2008)  http://support.microsoft.com/kb/936988
  • SQL Server 2005 SP2
  • System Center Data Protection Manager 2007
  • System Center Configuration Manager 2007 (Formerly SMS)
  • System Center Operations Manager 2007
  • Windows Sharepoint Services 3.0 SP1 ( installation notes for Windows Server 2008 ) http://support.microsoft.com/kb/936988
  • Visual Studio 2008
  • WSUS 3.0 SP1

What are we planning to support in the first half of 2008?

  • We will ship the Hyper-V technology 180 days after RTM
  • Dynamics AX 2009
  • MOM SP1
  • SCCM 2007SP1
  • System Center Essentials 2001
  • Forefront Client Security SP1

What are we planning to support in the second half of 2008?

  • Application Virtualization 4.5
  • Commerce Server 2007 SP2
  • HIS 2006 SP1
  • MOM 2005 SP1
  • SQL Server 2008
  • System Center Essentials 2001
  • Windows System Center VMM 2.0
  • Windows Essential Business Server
  • Windows Home Server vNext
  • Windows HPC Server 2008

So what will not be supported?

  • SMS 2003
  • System Center Reporting Manager
  • Internet Security and Acceleration Server 2006 and earlier

Source:

http://blogs.msdn.com/neilhut/archive/2008/02/07/microsoft-server-and-tools-support-for-windows-server-2008.aspx

Assigning SCL to messages scanned by 3rd-party antispam filters


The Unix/Linux/Security folks in your organization don't trust Exchange to do the filtering. They insist on using open source anti-spam software, such as SpamAssassin on the non-Exchange SMTP gateways. After tweaking it for a number of weeks, they are able to make it work the way they want it to, or are close to it.

Their solution is to insert an X-header in messages that looks like this:

X-Spam-Status:yes

That's it. Their job ends there.

As the Exchange team/administrator, your job is to ensure messages with that header end up in users' Junk Mail folder.

Now what?

http://exchangepedia.com/blog/2008/01/assigning-scl-to-messages-scanned-by.html


How to Export and Import mailboxes to PST files in Exchange 2007 SP1

Max PST size limit is 20 GB, as this uses the Outlook provider.  See http://support.microsoft.com/kb/830336/

  • Export/Import to PST must be run from a 32 bit client machine with Exchange Management Tools installed (Version Exchange 2007 SP1 or later). The 32bit requirement comes from a dependency with the Outlook client.
  • Either Outlook 2003 or Outlook 2007 must be installed on the client machine.
  • The user running the task must be an Exchange Organization Admin or an Exchange Server Admin on the server where the mailbox to export/import lives.

Export-Mailbox -Identity <mailboxUser> -PSTFolderPath <pathToSavePST>

PSTFolderPath must be a full path pointing either to a directory or to a (.pst) file. If a directory is specified a PST file named after the mailbox alias will be used as the target of the export. Note that if the PST file already exists the contents of the mailbox will be merged into it.

  • To export multiple mailboxes to their respective .pst files at once, you can pipe the identities of those mailboxes into the export task. Notice that when bulk exporting, the PSTFolderPath parameter must point to a directory, since one .pst file will be created for each mailbox.
    Get-Mailbox -Database 'MDB' | Export-Mailbox -PSTFolderPath D:\PSTs
  • Just as with the export to PST scenario, when bulk importing mailboxes the PSTFolderPath must point to a directory, and the task logic will try to match mailbox aliases with the .pst file names under that location. If no match is found for a particular mailbox, that mailbox will be skipped.
    Get-Mailbox -Database 'MDB' | Import-Mailbox -PSTFolderPath D:\PSTs

Running a scheduled task is a two-step process:

 1) Create the PowerShell script and save it as a .ps1 file.  E.g.:
     Get-Mailbox | Export-Mailbox -PSTFolderPath:'C:\' -Confirm:$false

 2) Create the scheduled task to run PowerShell and load the Exchange snap-in, then run your script.  The action of your scheduled task should look like:

powershell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\Bin\ExShell.psc1" -Command ". 'C:\script.ps1'"

Optimizing Outlook 2007 Cache Mode Performance for a Very Large Mailbox

"My mailbox size is 7.4GB. I send/receive around 200 emails a day; so that 7.4GB of email goes back several years. I don't use too many rules so most of my email ends up in my Inbox (30k items).

My background is in software performance (especially storage performance); so I couldn't live with the status quo. I was stuck, I needed my large mailbox; but I also needed a great/fast user experience so I could effectively process my mailbox. All of my machines had sufficient memory (2GB or more) so I couldn't solve the problem by adding memory (to provide the Windows System Cache with more memory to buffer the OST IO's). "

Continued: http://msexchangeteam.com/archive/2007/12/17/447750.aspx

Summary:

  1. Make a set of folders containing content that is over a year (or two) old - so that your mailbox size becomes manageable.
  2. Separate the content in these folders chronologically.  2004, 2005, 2006, 2007, 2008, etc.
  3. Set Outlook not to sync these archive folders to your devices.  While online, you have access to this content; offline, you can't access anything older than 2 years.

This maintains the following:

  1. Your large mailbox, allowing you to keep all your email online in Exchange for backup and quick access (via a web browser).
  2. No PST usage.  No management of pesky PST files, and you don't have to worry about backup - the Exchange is stored on a RAID set, and backed up frequently.
  3. Good laptop/desktop/workstation Outlook 2007 cached user mode experience.
  4. Ability to search entire mailbox.  Open Outlook in online mode, or open up OWA.
  5. Low processing on the server.  Working in offline mode means that the basic mail processing is done locally on my machine, not on the server.

Exchange 2007 SP1 Will Not Support the Searching of Content Within Office 2007 Attachments in Messages Until the Respective Office 2007 Search Filters are Installed

Problem:

Exchange 2007 SP1 Will Not Support the Searching of Content Within Office 2007 Attachments in Messages Until the Respective Office 2007 Search Filters are Installed

Because Exchange 2007 SP1 does not include the search filters from the 2007 Microsoft Office release, Exchange 2007 SP1 cannot index Office 2007 attachments in mailboxes. Therefore, users who have mailboxes on Exchange 2007 SP1 Mailbox servers will not be able to search their mailboxes for content within Office 2007 attachments in their messages. However, as soon as the Office 2007 search filters are available, installed, and integrated with your Exchange SP1 installations, this search functionality will be supported.

2007 Office System Converter: Microsoft Filter Pack
This download will install and register IFilters with the Windows Indexing Service. These IFilters are used by Microsoft Search products to index the contents of specific document formats. This Filter Pack includes IFilters for the following formats: .docx, .docm, .pptx, .pptm, .xlsx, .xlsm, .xlsb, .zip, .one, .vdx, .vsd, .vss, .vst, .vdx, .vsx, and .vtx.
http://www.microsoft.com/downloads/details.aspx?FamilyId=60C92A37-719C-4077-B5C6-CAC34F4227CC&displaylang=en

How to register Filter Pack IFilters with Exchange Server 2007
http://support.microsoft.com/default.aspx?scid=kb;en-us;944516

More information:
Exchange 2007 SP1 Release Notes
http://download.microsoft.com/download/5/e/6/5e672458-592a-44a2-b489-11cec19d3c82/RelNotes.htm

Subscribing/Resubscribing Microsoft Exchange 2007 Edge Transport Servers to an Exchange Organization

Summary: http://technet.microsoft.com/en-us/library/bb125236.aspx

  1. Export XML data.  http://technet.microsoft.com/en-us/library/aa997590.aspx
    New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"
  2. Import XML data. http://technet.microsoft.com/en-us/library/bb123538.aspx
    1. Open the Exchange Management Console. Expand Organization Configuration, select Hub Transport, and then in the result pane, click the Edge Subscriptions tab.
    2. In the action pane, click New Edge Subscription. The New Edge Subscription Wizard starts.
    3. On the New Edge Subscription page, in the Active Directory Site: drop-down list, select an Active Directory site.
    4. On the New Edge Subscription page, click Browse. Locate the Edge Subscription file to import. Select the file, and then click Open.
    5. On the New Edge Subscription page, click New.
    6. On the Completion page, click Finish.
  3. Force synchronization if necessary.
    http://technet.microsoft.com/en-us/library/bb123512.aspx
    If running RTM: Start-EdgeSynchronization
    If running SP1: Start-EdgeSynchronization -Server <Hub Transport server name>

Exchange 2007 SP1 Installation gives fatal error. Unable to remove product with code 6574fdc2-40fc-405a-9554-22d1ce15686b.

Background:

Installing Exchange 2007 SP1 gives an error on the Mailbox Role.

Error:

Unable to remove product with code 6574fdc2-40fc-405a-9554-22d1ce15686b.  Unable to remove product with code 6574fdc2-40fc-405a-9554-22d1ce15686b. Fatal error during installation. Error code is 1603.
Fatal error during installation

Solution:

  1. Stop the "Microsoft Exchange Search Indexer" service and the "Microsoft Exchange Transport Log Search" service.
  2. Remove the Microsoft Full Text Indexing Engine for Exchange using msiexec.exe /X {6574fdc2-40fc-405a-9554-22d1ce15686b}
  3. Refer to http://consumer.installshield.com/kb.asp?id=Q111019 for additional causes.

Exchange 2007 SP1 Installation gives "A failure occurred while trying to update metabase properties. The system cannot find the path specified."

Background:

Installing Exchange 2007 SP1 on a Client Access Server gives the error "A failure occurred while trying to update metabase properties. The system cannot find the path specified."

Error:

Event Type: Error
Event Source: MSExchangeSetup
Event Category: Microsoft Exchange Setup
Event ID: 1002
Description:
Exchange Server component Client Access Role failed.
Error: Error:
A failure occurred while trying to update metabase properties.
The system cannot find the path specified.

Further, the Exchange 2007 SP1 log contained:
[2] [WARNING] IIS://<fqdn>/W3SVC/1/ROOT/EWS was not found. Please make sure you have typed it correctly.

Cause:

Note: The SP1 log is located at <system drive>:\ExchangeSetupLogs\ExchangeSetup.log

1) Ensure there are no orphaned virtual directories in the Exchange metabase, as per http://technet.microsoft.com/en-us/library/aa998589.aspx.

2) Ensure all the necessary CAS virtual directories are present.  Browse the IIS metabase using the IIS Resource Kit Tool, creatively named "Metabase Explorer".  http://support.microsoft.com/kb/840671 has a download link.
The Client Access Server virtual directories are as follows:
/W3SVC/1/ROOT/Autodiscover
/W3SVC/1/ROOT/EWS
/W3SVC/1/ROOT/owa
/W3SVC/1/ROOT/Microsoft-Server-ActiveSync
/W3SVC/1/ROOT/Exchange
/W3SVC/1/ROOT/ExchWeb
/W3SVC/1/ROOT/Public
( as per http://technet.microsoft.com/en-us/library/bb201672.aspx )

3) For directories which are not present in IIS Manager and/or missing from the IIS metabase, remove the Exchange directory, and recreate it.
For example, in the case of my error, I did a "Get-WebServicesVirtualDirectory | fl" which revealed the /ROOT/EWS entry - with the missing IIS metabase entry.  Thus, I removed the EWS directory using the Remove-WebServicesVirtualDirectory cmdlet ( http://technet.microsoft.com/en-us/library/bb124231.aspx ) and recreated it using the New-WebServicesVirtualDirectory cmdlet ( http://technet.microsoft.com/en-us/library/bb125176.aspx ).

You can check all the Client Access directories (via the Exchange Shell):
Get-WebServicesVirtualDirectory | fl
Get-OabVirtualDirectory | fl
Get-ClientAccessServer | fl
and look for any directory that is missing.

4) Reattempt installation.  Pull the log as necessary and keep Googling error messages, or try to understand the errors. =)

5) Verify Exchange installation - http://technet.microsoft.com/en-us/library/bb125254.aspx

6) Since we messed with them, make sure the web services are functioning: Test-OutlookWebServices -identity administrator | ft * -AutoSize -Wrap
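An added example, not from the original post: step 2 and step 3's "look for any directory that is missing" done as one comparison, listing what Exchange believes exists on this Client Access Server next to what the IIS metabase actually contains. It reads the metabase through the IIS 6 compatibility ADSI provider (IIS://localhost/...), which Exchange 2007 on Server 2008 requires anyway; the expected path list is the one given above.

```powershell
# Added example: find CAS virtual directories that Exchange lists but IIS lacks
# (the orphan behind the "was not found" warning above), and expected paths that
# are missing from both.

$ExpectedCasPaths = @(
    "/W3SVC/1/ROOT/Autodiscover",
    "/W3SVC/1/ROOT/EWS",
    "/W3SVC/1/ROOT/owa",
    "/W3SVC/1/ROOT/Microsoft-Server-ActiveSync",
    "/W3SVC/1/ROOT/Exchange",
    "/W3SVC/1/ROOT/ExchWeb",
    "/W3SVC/1/ROOT/Public"
)

function Test-MetabasePath([string]$Path) {
    # $Path is metabase-relative, e.g. /W3SVC/1/ROOT/EWS
    [System.DirectoryServices.DirectoryEntry]::Exists("IIS://localhost" + $Path)
}

function Get-ExchangeCasDirectories {
    # What Exchange (Active Directory) says exists on this server. /Exchange,
    # /ExchWeb and /Public are legacy directories with no Get-* cmdlet, so they
    # are only covered by the expected-path loop below.
    $server = $env:COMPUTERNAME
    $dirs = @()
    $dirs += Get-WebServicesVirtualDirectory -Server $server
    $dirs += Get-OwaVirtualDirectory -Server $server
    $dirs += Get-ActiveSyncVirtualDirectory -Server $server
    $dirs += Get-AutodiscoverVirtualDirectory -Server $server
    $dirs += Get-OabVirtualDirectory -Server $server
    $dirs
}

function New-DirectoryRow([string]$Name, [string]$Path, [bool]$InExchange) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Name         $Name
    $o | Add-Member NoteProperty MetabasePath $Path
    $o | Add-Member NoteProperty InExchange   $InExchange
    $o | Add-Member NoteProperty InIIS        (Test-MetabasePath $Path)
    $o
}

function Compare-CasDirectories {
    $rows = @()
    foreach ($d in Get-ExchangeCasDirectories) {
        # MetabasePath looks like IIS://server.fqdn/W3SVC/1/ROOT/EWS; keep the relative part.
        $rel = $d.MetabasePath -replace "^IIS://[^/]+", ""
        $rows += New-DirectoryRow $d.Name $rel $true
    }
    foreach ($p in $ExpectedCasPaths) {
        if (-not @($rows | Where-Object { $_.MetabasePath -eq $p })) {
            $rows += New-DirectoryRow "(not listed by Exchange)" $p $false
        }
    }
    $rows
}

# Rows with InExchange True and InIIS False are the candidates for Remove-*/New-*.
Compare-CasDirectories | Format-Table Name, MetabasePath, InExchange, InIIS -AutoSize
```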

Selection of SMTP Connectors in Exchange 2007

An Exchange Server message routing myth forever being propagated (including by me):

If 2 SMTP Connectors (or Send Connectors in case of Exchange Server 2007) exist, one with a more specific address space, like exchangepedia.com, and one for a more generic address space like *, messages are always routed over the Connector with the more specific address space.

http://exchangepedia.com/blog/2008/01/smtp-connector-myth-messages-are-always.html

Exchange 2007 Error "A direct trust certificate will expire soon" Event ID 12017

The error message:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12017
Description:
A direct trust certificate will expire soon. Thumbprint:<thumbprint>, hours remaining: <some number>

Summary Solution:

  1. Make a new Exchange certificate, and enable it for SMTP transport.
    1. If the error is logged on the hub transport server:
      1. Create the cert on the HT where the warning occurred - http://technet.microsoft.com/en-ca/library/aa998327.aspx
      2. Restart the EdgeSync service to update certificate information on the edge transport servers which are subscribed to the organization
      3. Run Start-EdgeSynchronization
    2. If the error is logged on the edge transport server:
      1. Create the certificate on the ET server - http://technet.microsoft.com/en-ca/library/aa998327.aspx
      2. Resubscribe the ET server to the Exchange organization - see http://blog.justinho.com/2008/01/20/SubscribingResubscribingMicrosoftExchange2007EdgeTransportServersToAnExchangeOrganization.aspx
    3. If you're not using the EdgeSync service, and you have things configured manually: http://technet.microsoft.com/en-ca/library/bb232082.aspx

More information (http://technet.microsoft.com/en-us/library/bb217963.aspx):

To resolve this warning, you must use the New-ExchangeCertificate cmdlet to create a new internal transport certificate (also referred to as a direct trust certificate) on the computer that returned this Warning event. Running the New-ExchangeCertificate cmdlet with no arguments creates an SMTP-enabled internal transport certificate for direct trust. For more information, see New-ExchangeCertificate.

If this warning occurred on a Hub Transport server, you must create the internal transport certificate on the Hub Transport server where the warning occurred. After you have created the certificate, restart the Microsoft Exchange EdgeSync service to update the certificate information on the Edge Transport servers that are subscribed to the organization.  (I also ran Start-EdgeSynchronization on my hub server to be safe.)

If this warning occurred on an Edge Transport server, you must create the internal transport certificate on the Edge Transport server where the warning occurred. After you have created the certificate, resubscribe the Edge Transport server to the Exchange organization to update the certificate information in Active Directory.
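Added example, not part of the original notes: the steps above as one shell session. It lists the SMTP-enabled certificates with the days they have left, creates a fresh self-signed direct trust certificate when a self-signed one is close to expiry, and (on a Hub Transport server) pushes the new thumbprint to subscribed Edge servers. Run it in the Exchange Management Shell on the server that logged event 12017. The 30-day threshold is an assumption; pick your own.

```powershell
# Added example, not part of the original notes. Run on the Hub or Edge server
# that logged event 12017. $warnDays is an assumed threshold.
$warnDays = 30

"== SMTP-enabled certificates on $env:COMPUTERNAME =="
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "SMTP" } |
    Select-Object Thumbprint, IsSelfSigned, Status, NotAfter,
        @{ n = "DaysLeft"; e = { [int](($_.NotAfter - (Get-Date)).TotalDays) } },
        @{ n = "Domains";  e = { "$($_.CertificateDomains)" } } |
    Format-Table -AutoSize

# Only the self-signed direct trust certificate is renewed this way; a CA-issued
# certificate that is expiring needs a new request to the CA instead.
$expiring = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "SMTP" -and $_.IsSelfSigned -and
                   ($_.NotAfter - (Get-Date)).TotalDays -lt $warnDays }

if ($expiring) {
    # With no arguments the cmdlet already makes a self-signed SMTP certificate;
    # -Services SMTP just says so explicitly. Answer Y when asked whether to
    # replace the default SMTP certificate so transport switches to the new one.
    $new = New-ExchangeCertificate -Services SMTP
    "Created:"
    $new | Format-List Thumbprint, CertificateDomains, NotAfter

    # Hub Transport servers: publish the new thumbprint to subscribed Edge servers.
    # On an Edge server skip these two lines and re-run the Edge Subscription.
    Restart-Service MSExchangeEdgeSync
    Start-EdgeSynchronization
}
```

A self-signed certificate here is not a weakness: Hub and Edge authenticate each other by the thumbprints exchanged through EdgeSync and stored in AD/ADAM, not by a chain to a CA. Do not enable this certificate for IIS; the Internet-facing services keep using your CA-issued certificate.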

Exchange 2007 Transport Service Complains Of Missing SMTP SSL Certificate

Summary:

You get a message that the Transport Service is unable to offer the STARTTLS SMTP verb for "fqdn.yourdomain.com".  The fix is to enable the certificate that contains that FQDN for SMTP as well.  If no installed certificate contains the FQDN at all, enabling won't help; you need a certificate that does (see the SAN section further down).

Problem Description:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12014
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name FQDN.domain.com in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of FQDN.domain.com. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

Solution:

Fire up the Exchange shell. =)

  1. Identify the certificate currently installed, selecting for information we care about:
    Get-ExchangeCertificate | fl CertificateDomains, Services, thumbprint, status, isSelfSigned
    (We are looking for a valid, unexpired certificate whose CertificateDomains include the connector FQDN, presumably not self-signed.  We want the thumbprint of that certificate.  To see every property, use Get-ExchangeCertificate | fl *)
  2. Take the thumbprint of the certificate in question and enable it for SMTP.  Enable it only for the services this server actually runs; -Services SMTP on its own is enough for this event, and the cmdlet will ask before it replaces the current default SMTP certificate.
    Enable-ExchangeCertificate -Services IIS, UM, SMTP, IMAP, POP -Thumbprint XXXXXXXX
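Added example, not from the original notes: instead of eyeballing fl output, compare every connector FQDN on this server with the certificates Exchange can see. For each name it reports the thumbprint already serving SMTP, the thumbprint that only needs Enable-ExchangeCertificate, or that no certificate covers the name at all (the case where a new certificate, not an enable, is the fix). Run in the Exchange Management Shell on the Hub or Edge server that logged 12014.

```powershell
# Added example, not part of the original notes. Run on the server that logged
# event 12014. Matches connector FQDNs against valid certificates in the store.
$server = $env:COMPUTERNAME
$certs  = @(Get-ExchangeCertificate | Where-Object { $_.Status -eq "Valid" })

# Receive connectors on this server, plus Send connectors that use it as a source.
$fqdns = @()
Get-ReceiveConnector -Server $server | ForEach-Object { $fqdns += [string]$_.Fqdn }
Get-SendConnector | Where-Object { "$($_.SourceTransportServers)" -match $server } |
    ForEach-Object { if ("$($_.Fqdn)" -ne "") { $fqdns += [string]$_.Fqdn } }

foreach ($name in ($fqdns | Where-Object { $_ -ne "" } | Sort-Object -Unique)) {
    # A certificate covers the name if any of its domains matches; -like lets a
    # wildcard domain such as *.example.com match host.example.com.
    $covering = @($certs | Where-Object {
        $hit = $false
        foreach ($d in $_.CertificateDomains) { if ($name -like "$d") { $hit = $true } }
        $hit
    })
    $smtpReady = @($covering | Where-Object { "$($_.Services)" -match "SMTP" })

    if ($smtpReady.Count -gt 0) {
        "{0,-40} ok  (SMTP on {1})" -f $name, $smtpReady[0].Thumbprint
    } elseif ($covering.Count -gt 0) {
        "{0,-40} FIX: Enable-ExchangeCertificate -Thumbprint {1} -Services SMTP" -f $name, $covering[0].Thumbprint
    } else {
        "{0,-40} NO CERTIFICATE covers this name; request one that includes it" -f $name
    }
}
```

Only certificates with Status Valid are considered, so an expired or untrusted certificate that happens to contain the FQDN is reported as "no certificate", which is also how transport treats it.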

Further reading:

http://msexchangeteam.com/archive/2007/07/02/445698.aspx

ActiveSync fails with error code 0x80072f0d after migration from Exchange 2003 to Exchange 2007

Problem

ActiveSync devices, and Outlook clients happily sync against an Exchange 2003 server.

Then you migrate to Exchange 2007.  "Error 0x80072f0d" starts appearing on the devices.  If you publish (via ISA) your RPC directory without HTTPS/SSL encryption, everything works fine.

No matter how you install your CA cert - it doesn't work.  Same error message.

Discussion

The reason is that in Exchange 2007 the Autodiscover service, which Outlook 2007 clients use to find free/busy, OOF, automatic e-mail profile configuration, the OAB and so on, requires SSL. Therefore the certificate used needs to have the Autodiscover FQDN added as a Subject Alternative Name.

As you may know, when you create a certificate there's a 'common name' associated with that certificate...usually in the form of something like "mail.domain.com."

The Subject Alternative Name field is used to add additional DNS names to the certificate. So if it doesn't have a SAN for autodiscover.domain.com, requests to the Autodiscover service won't validate. If you are using Outlook 2007 clients connecting remotely over RPC/HTTPS and purchasing a 3rd party certificate, you will need a certificate from your vendor that includes the Subject Alternative Names. The SAN entries such a certificate request needs, whether it goes to a 3rd party or a Microsoft CA, are listed below.

The new certificate from your 3rd party certificate vendor or internal CA should contain the following "Subject Alternative Name" (SAN) DNS values:
 
DNS Name = Internet Published OWA URL
DNS Name = CAS machine NETBIOS name
DNS Name = CAS machine Full Computer  Name
DNS Name = Internal Domain Name (FQDN )
DNS Name = autodiscover.<InternalDomainName>
DNS Name = autodiscover.<ExternalDomainName>

Please note the first DNS name should always be the Internet published OWA URL. The order of the other DNS names doesn't matter.
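Added example, not from the original notes: a request built to the SAN layout above, followed by the import and enable once the CA returns the certificate. Every name here (mail.example.com, CAS01, corp.example.local, the O= and C= values and the file paths) is a placeholder for your own; substitute before running in the Exchange Management Shell on the CAS.

```powershell
# Added example, not part of the original notes. Generates a SAN certificate
# request in the order the notes above call for. All names are placeholders.
$owaUrl   = "mail.example.com"          # Internet-published OWA URL, listed first
$netbios  = "CAS01"                     # CAS machine NETBIOS name
$fqdn     = "CAS01.corp.example.local"  # CAS machine full computer name
$internal = "corp.example.local"        # internal AD domain FQDN
$external = "example.com"

$names = @($owaUrl, $netbios, $fqdn, $internal,
           "autodiscover.$internal", "autodiscover.$external")

# The CN in the subject is also the first SAN entry, so it is the OWA URL.
# Leave -PrivateKeyExportable $false unless the same certificate really has to
# be copied to another box (a second CAS or an ISA server).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=CA, O=Example Corp, CN=$owaUrl" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $false `
    -Path "C:\certreq\cas01.req"

# Submit C:\certreq\cas01.req to the CA. When the issued certificate is back:
Import-ExchangeCertificate -Path "C:\certreq\cas01.cer" |
    Enable-ExchangeCertificate -Services "IIS,SMTP"

# Confirm the SAN list Exchange actually sees and which services use the cert.
Get-ExchangeCertificate -DomainName $owaUrl |
    Format-List Thumbprint, CertificateDomains, Services, NotAfter, IsSelfSigned
```

The Import-ExchangeCertificate step only works on the server that generated the request, because that is where the private key lives; that is the reason to keep the key non-exportable unless you have a second machine that genuinely needs it.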

Exchange 2007 Mailbox Migration Fails From Legacy Exchange 2003 Server - An Exchange 2007 server on which an address list service is active cannot be found.

Summary

An error occurs while migrating mail from mailboxes on a legacy Exchange 2003 server, when moving to an Exchange 2007 mailbox server.

Error
The mailbox has been moved, but an unexpected error occurred while trying to apply policies or clean source mailbox: An Exchange 2007 server on which an address list service is active cannot be found.

An Exchange 2007 server on which an address list service is active cannot be found.

A dump is being generated.

Solution

  • Start Microsoft Exchange System Attendant
  • If the service repeatedly fails to start, verify your DCs and global catalogs are healthy
    • Run "netdom query fsmo" (from Support Tools) to see which DCs hold the FSMO roles
    • Next, run "dcdiag /s:SERVER /v" where SERVER is each of the role holders above, and then each of your remaining DCs.
    • Run "netdiag" on each of your DCs as necessary to verify that the NICs are functional.  Ensure the NICs are configured to register themselves in DNS.

 

Exchange 2007 Setup Fails While Checking Prerequisites - Folder Already Exists

Background

While installing the first Exchange 2007 server into an existing Exchange 2003 organization, setup fails during /PrepareAD

Error Message

Preparing Exchange Setup
No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check
    Organization Checks              ......................... COMPLETED
Configuring Microsoft Exchange Server
    Organization Preparation         ......................... FAILED

The object 'CN=All Groups,CN=All Address Lists,CN=Address Lists Container,CN=<name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<name>,DC=<name>,DC=<ending>' already exists.

This can also happen to "All Contacts" and "All Users", and is likely inherited from an Exchange 5.5/2000/2003 upgrade.

Solution

  1. Access ADSIEdit (available via Support Tools on Server CD, \SUPPORT)
  2. Open Configuration, Configuration Folder, Services, Microsoft Exchange
  3. Open Domain folder (ie. "Company Name")
  4. Address List Container, All Address Lists
  5. Right click on each of All Contacts, All Groups, All Users and choose Properties.
  6. Locate the property, "purportedSearch", of type "Unicode String" and verify their contents as follows:
    All Contacts
    Replace (& (| (mail=*) (proxyAddresses=*) (textEncodedORAddress=*)) (| (& (objectCategory=person) (objectClass=contact)) ))
    with (& (mailnickname=*) (| (&(objectCategory=person)(objectClass=contact)) ))
    (The contact list filters on objectClass=contact; the objectCategory=group filter belongs to All Groups below.)
    All Groups
    Replace
    (& (| (mail=*) (proxyAddresses=*) (textEncodedORAddress=*)) (| (objectCategory=group) ))
    with (& (mailnickname=*) (| (objectCategory=group) ))
    All Users
    Replace (& (| (mail=*) (proxyAddresses=*) (textEncodedORAddress=*)) (| (& (objectCategory=person) (objectClass=user)) ))
    with
    (& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))

    Be careful with line wrapping when you paste: each filter is a single line with no line breaks.
    Update: http://support.microsoft.com/kb/936907/en-us may have more information that you may find useful!
  7. Re-attempt setup /prepareAD
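Added example, not from the original notes: the ADSIEdit walk above as a script that reads the purportedSearch filter of each legacy default address list from the configuration partition and compares it, ignoring whitespace, with the Exchange 2007 values listed above. It writes nothing unless $apply is set to $true. It uses plain .NET DirectoryServices rather than Exchange cmdlets, because at this point setup has not completed; run it as an Exchange Full Administrator on a domain-joined machine.

```powershell
# Added example, not part of the original notes. Compares (and optionally
# fixes) the purportedSearch filters on the legacy default address lists.
$apply = $false

$expected = @{
    "All Contacts" = "(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=contact)) ))"
    "All Groups"   = "(& (mailnickname=*) (| (objectCategory=group) ))"
    "All Users"    = "(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))"
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = "$($rootDse.configurationNamingContext)"
$exchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"

# Search the whole Exchange services subtree so the organization name is not needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($exchRoot)
$searcher.Filter = "(&(purportedSearch=*)(cn=All *))"
[void]$searcher.PropertiesToLoad.Add("cn")
[void]$searcher.PropertiesToLoad.Add("purportedSearch")

foreach ($result in $searcher.FindAll()) {
    $name   = [string]$result.Properties["cn"][0]
    $actual = [string]$result.Properties["purportedsearch"][0]
    if (-not $expected.ContainsKey($name)) { continue }

    $want = $expected[$name]
    # Whitespace differs between KB articles and pasted copies; compare without it.
    if (($actual -replace "\s", "") -eq ($want -replace "\s", "")) {
        "{0,-14} OK" -f $name
        continue
    }

    "{0,-14} DIFFERS" -f $name
    "   current : $actual"
    "   expected: $want"
    if ($apply) {
        $entry = $result.GetDirectoryEntry()
        $entry.Put("purportedSearch", $want)
        $entry.SetInfo()
        "   updated."
    }
}
```

Run it once read-only, check the DIFFERS lines against the table above, then set $apply and run again. Because the change lands in the configuration partition, give it time to replicate to the DC setup talks to before rerunning /PrepareAD.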

 

 

 

Ghosted ADC information in AD prevents migration to Exchange 2007 - Please remove all Active Directory Connectors before installing Exchange 2007

Background

An ADC was previously used in the domain to migrate from Exchange 5.5.  The server was formatted/lost without removing the ADC first, leaving ghosted ADC objects in the Active Directory configuration partition.

Error message

     One or more Active Directory Connectors have been found. Please remove all Active Directory Connectors before installing Exchange 2007.

Solution

  1. Install, then uninstall, the ADC from the Exchange 2003 media (\ADC\i386).
  2. Force replication between all DCs in Sites and Services.
  3. Next, access ADSIEdit - install from \SUPPORT on Server 2003 disk if necessary.
  4. Open the Configuration container, then the Configuration folder, then CN=Services.
  5. Open the Microsoft Exchange folder, and the Active Directory Connections folder.
  6. Only the default ADC policy should exist - DELETE any references to Exchange 5.5 in a secondary connector.
  7. The image below shows a fully functional configuration, with the EXCH/5.5 connection removed.
  8. Replicate all the AD connections via Sites and Services before reattempting installation.

Exchange 2007 Pre-Requisite Updates

If, during installation, you are not connected to the Internet, use this checklist to ensure you have the necessary prerequisites installed prior to installing Exchange Server 2007. These checks are done automatically when connected to the Internet during installation. By completing this checklist, your system will be better prepared to deploy Exchange Server 2007.

http://www.microsoft.com/technet/prodtechnol/exchange/2007/deploy/prereqs.mspx?wt.svl=preparing

 

Update Rollup 3 for Exchange Server 2007

Exchange 2007 and Outlook 2003: Where are my attachments?

Problem

A bug exists in Exchange 2007 when a message with 'inline' attachments is delivered. This bug causes Outlook 2003 to not display the message attachments correctly.

Source

http://knicksmith.blogspot.com/2007/03/exchange-2007-and-outlook-2003-where.html

Workarounds

One of the following:

  • Open the message and save the attachments: This one is a little counter-intuitive. Even though Outlook 2003 doesn't display the attachments, it can still access them. Selecting 'Save Attachments' from the 'File' menu lets you view and save them.
  • Forward the message: This gives you 2 options. 1) Forwarding the message to yourself will display the correct attachment information in the new message. 2) When composing the forwarded message you will see the attachments.
  • Flag the message: ‘Flagging’ the message will cause Outlook 2003 to write information about the message to the Exchange database. This process will cause Outlook 2003 to set the appropriate information so that it displays attachments correctly.
  • Upgrade to Outlook 2007
  • Have the sender send 'real attachments': Since the problem only exists with 'inline' attachments the sender can change their mail client to send ‘real attachments’ and avoid future problems sending attachments to your organization. **Note: Mozilla mail clients send ‘inline’ attachments by default when composing HTML email. Instructions for changing this behavior can be found here: http://kb.mozillazine.org/Send_attachments_as_real_attachments .

Outlook Web Access and Exchange 2007, 2003 and 2000 coexistence

/owa /exchange and other virtual directories in Exchange 2007: The key difference between CAS and FE is that CAS contains the business logic and renders the OWA UI. This presented us with a challenge: how do we allow Exchange 2007 CAS servers to coexist with Exchange 2007 Mailbox and Exchange 2003/2000 Mailbox servers? The solution depends on how the server is configured.

Continued: http://msexchangeteam.com/archive/2007/02/07/434523.aspx

CCR Over WAN: Failover and FSW questions answered

Exchange Server 2007's Cluster Continuous Replication (CCR) feature provides a way to set up geographically dispersed clusters to protect against data center failure (aka "site failure"). Though the documentation provides plenty of detail on how to set up CCR clusters in a single data center - where both cluster nodes and the computer hosting the File Share Witness are in the same data center - the documentation on how to set this up across data centers has been skimpy, or even non-existent.

http://msexchangeteam.com/archive/2007/04/25/438185.aspx

See also:

http://exchangepedia.com/blog/2007/04/ccr-over-wan-failover-and-fsw-questions.html
http://exchangepedia.com/blog/2007/02/exchange-server-2003-sp1-bag-of-goodies.html

Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs

The anti-spam agents in Exchange Server 2007 log their actions in agent logs. By default, agent logs reside in \Exchange Server\TransportRoles\Logs\AgentLog. Each agent log file is 10 MB in size. The size of the directory is capped at 250 MB, and the age of a log at 30 days (logs are flushed when they reach 30 days old or when the directory size reaches 250 MB, whichever happens first).

There's only one configuration option for the agent log: whether it is enabled or disabled. This is done by editing the EdgeTransport.exe.config file, located in the \Exchange Server\Bin folder on Edge and Hub Transport servers. To disable agent logging, add the following key inside the <appSettings> element of the config file:

<add key="AgentLogEnabled" value="false" />

You can parse the agent log using the Get-AgentLog command from the shell. By default, this parses the agent log residing in the default location. If you've copied a bunch of agent logs at an alternate location, you can specify the alternate location using the following syntax - in this example the agent logs have been copied to Z:\Antispam Agent Logs directory:

Get-AgentLog -location "Z:\AntiSpam Agent Logs"

Here's what an entry in the agent log looks like - note the different fields and their values:

Timestamp : 4/16/2007 12:39:49 AM
SessionId : 08C948C83FB951AC
IPAddress : 72.46.133.113
MessageId :
P1FromAddress : ret@noncornelan.com
P2FromAddresses : {}
Recipients : {foo@yourdomain.com}
Agent : Connection Filtering Agent
Event : OnRcptCommand
Action : RejectCommand
SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on a block list
Reason : BlockListProvider
ReasonData : Spamhaus SBL-XBL
Diagnostics :

As you can see, the logs provide adequate information for reporting on anti-spam activity, as well as for troubleshooting anti-spam issues like the the instance where a user comes in complaining a message from an internet sender hasn't been received.

Getting to know the agent logs will make troubleshooting such issues much easier.

By default, Get-AgentLog returns all the entries in the agent logs. It can be constrained to a particular date and time - the recommended way to perform most agent log searches, unless you want to immerse yourself in 30 days (or 250 MB) of anti-spam goodness! This is done using the -StartDate and -EndDate parameters:

Get-AgentLog -StartDate "4/16/2007" -EndDate "4/17/2007"

You can also constrain it further by adding time of the day:

Get-AgentLog -StartDate "4/17/2007 8:00 AM" -EndDate "4/17/2007 2:00 PM"

Though the Get-AgentLog command only takes these 3 parameters - location, StartDate, and EndDate, you can further filter the logs using most of its logged fields.

To filter the log to show messages to a particular recipient:

Get-AgentLog -StartDate "4/16/2007" -EndDate "4/17/2007" | where {$_.recipients -like "foo@yourdomain.com"}

To search for messages from a particular sender:

Get-AgentLog -StartDate "4/16/2007" -EndDate "4/17/2007" | where {$_.P1FromAddress -like "aqe@easymoney2u.com" -or $_.P2FromAddresses -like "aqe@easymoney2u.com"}

To filter by the anti-spam agent that acted on a message, e.g. Connection Filtering Agent:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.Agent -eq "Connection Filtering Agent"}

Similarly, you can filter by other agents that write to the agent logs: 1) Content Filter Agent 2) SenderID agent 3) Sender Filter agent 4) Recipient Filter agent and 5) Edge Rules agent.

To filter agent logs by the sending host's IP address, use the following command:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.IPAddress -eq "72.46.133.113"}

The reason field in each log entry specifies the reason supplied by the anti-spam agent that takes the action. For instance, as seen in the agent log entry shown earlier in this article, the agent that acted on the message is the Connection Filtering Agent, the reason is BlockListProvider (i.e. "RBL" or "Real-time Block List"). The ReasonData field actually gives you the name of the IP Block List Provider, as configured in Exchange. In the above agent log entry, it is "Spamhaus SBL-XBL". To constrain the search for messages blocked by IP Block List Providers:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.Reason -eq "BlockListProvider"}

You can also look for messages blocked by a particular IP Block List Povider:

Get-AgentLog -StartDate "4/15/2007" -EndDate "4/17/2007" | where {$_.ReasonData -eq "Spamhaus SBL-XBL"}

As shown in the above examples, you can use the Get-AgentLog command and pipe the data to filter it based on the fields logged. You can get more details about agent logs - including the fields logged, from the Managing Agent Logging section in Exchange Server 2007 documentation.
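Added example, not from the original post: the individual filters above combined into the two things you actually do with agent logs, a daily summary (what each agent did, why connections were rejected, which source IPs were rejected most) and a "why didn't user X get mail from Y" lookup over sender and recipient. The date range is a placeholder; run it in the Exchange Management Shell on a Hub or Edge server with the agents installed.

```powershell
# Added example, not part of the original post. Summarises one day of agent
# log activity and looks up every entry touching a given address. Dates are
# placeholders.
$start = "4/16/2007"
$end   = "4/17/2007"
$log   = @(Get-AgentLog -StartDate $start -EndDate $end)

"== Actions by agent ($($log.Count) entries) =="
$log | Group-Object Agent, Action | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"== Why connections/messages were rejected =="
$log | Where-Object { $_.Action -like "Reject*" } |
    Group-Object Reason, ReasonData | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"== Top 10 rejected source IPs =="
$log | Where-Object { $_.Action -like "Reject*" } | Group-Object IPAddress |
    Sort-Object Count -Descending | Select-Object -First 10 |
    Format-Table Count, Name -AutoSize

# "User X says Y's mail never arrived": show every entry where the address
# appears as P1 (envelope) sender, P2 (header) sender, or recipient. The
# -like comparisons work element-wise on the array-valued fields, as in the
# filters above.
function Find-AgentLogEntry {
    param([string]$Address)
    $log | Where-Object {
        $_.P1FromAddress -like $Address -or
        $_.P2FromAddresses -like $Address -or
        $_.Recipients -like $Address
    } | Format-List Timestamp, IPAddress, Agent, Event, Action, Reason, ReasonData, SmtpResponse
}

Find-AgentLogEntry -Address "foo@yourdomain.com"
```

A message rejected at the RCPT stage by the Connection Filtering agent (as in the sample entry above) never gets a MessageId, so the address lookup is the only way to find it; the message tracking log will have nothing.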

Source: http://exchangepedia.com/blog/2007/04/managing-and-filtering-anti-spam-agent.html

Resolving 5.3.4 ROUTING.SizeLimit Issues in Exchange 2007 by Increasing the Limit Above 10 MB

Background:

Exchange 2007 complains that your outbound and inbound emails are too large.  As you send them, you're told that you should "make the message smaller" by "removing attachments".  By default, the limit is set at 10 MB.

#550 5.3.4 ROUTING.SizeLimit; message size exceeds fixed maximum size for route ##

Solution:
Fire up the Exchange Management Shell and get a listing of your receive connectors with their current size limits:
get-receiveconnector | select identity,maxmessagesize

Then change the limit:
set-receiveconnector "Connector Name" -maxmessagesize 30MB

Edge Transport servers receive connector configuration through EdgeSync, so after changing it run this on a Hub Transport server in each site that has subscribed Edge servers:
start-edgesynchronization

Update:

As mentioned, you may also have issues with the transport limit.

get-transportconfig | fl *

If the limit is set to "unlimited", you will need to explicitly put a limit in (MaxReceiveSize governs inbound; MaxSendSize is the matching outbound limit):
set-transportconfig -MaxReceiveSize 30MB
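Added example, not from the original notes: the 5.3.4 NDR only says "the route", but the ceiling can sit at the organization level, on any receive or send connector, or on an individual mailbox, and the lowest one wins. This lists every one of them in the Exchange Management Shell and, when $apply is switched to $true, raises them all to the same value. The 30 MB target is an assumption.

```powershell
# Added example, not part of the original notes. Audits all message size
# limits and optionally sets them consistently. $limit is an assumed target.
$limit = "30MB"
$apply = $false

"== Organization-wide (Get-TransportConfig) =="
Get-TransportConfig | Format-List MaxSendSize, MaxReceiveSize

"== Receive connectors =="
Get-ReceiveConnector | Format-Table Identity, MaxMessageSize -AutoSize

"== Send connectors =="
Get-SendConnector | Format-Table Identity, MaxMessageSize -AutoSize

"== Mailboxes carrying their own limit (the default is unlimited) =="
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.MaxSendSize)" -ne "unlimited" -or "$($_.MaxReceiveSize)" -ne "unlimited" } |
    Format-Table Name, MaxSendSize, MaxReceiveSize -AutoSize

if ($apply) {
    Set-TransportConfig -MaxSendSize $limit -MaxReceiveSize $limit
    Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize $limit
    Get-SendConnector    | Set-SendConnector    -MaxMessageSize $limit
    # Only where Edge servers are subscribed: push the connector change out.
    Start-EdgeSynchronization
}
```

Raising the limit raises the amount of attachment data any anonymous sender can make your transport servers accept and scan, so pick the smallest number the business will tolerate rather than the largest one you can justify, and keep the content filter in front of it.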

More information:

http://technet.microsoft.com/en-us/library/bb310771.aspx

DST 2007 on Exchange 2007

Migrated from Exchange 2003 to Exchange 2007. I have a mix of clients in Outlook 2003 and 2007 - and I'm not convinced anyone is running the update tool.

  1. Granted my Administrator account Send-As access:
    Get-MailboxServer EXCHANGE | Add-ADPermission -User Administrator -AccessRights GenericRead, GenericWrite -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin
    (Where EXCHANGE == Exchange server name, Administrator == user to grant access to.)
  2. Dismount and mount mailbox store (during maintenance, of course.)
  3. I notified all users to patch their systems  (OS and Outlook patches).  Print paper copies of calendar items.  Deploy patches as necessary.
    1. OS patches http://support.microsoft.com/kb/931836/en-us
    2. Office patches.
  4. Make sure server OS patches are installed.
  5. Find a machine with Outlook 2003/2007 on it, NOT the Exchange server.
    1. Download TZMove http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=E343A233-B9C8-4652-9DD8-AE0F1AF62568&displaylang=en
    2. Download the Exchange Calendar Update Tool (just a wrapper) http://www.microsoft.com/downloads/details.aspx?amp;amp;displaylang=en&familyid=a9336886-4b28-4010-9416-36d38429438d&displaylang=en
  6. Run MsExTmzCfg.exe, answer questions, which will generate a BAT file for you.
  7. Run the BAT file to update all appointments on servers.  If you get errors, check the INI file to make sure the /O= line is updated with the appropriate server path in the AD.

As an aside, if you're on Exchange 2003 SP2, you'll need to patch your Exchange server as well in step 4: http://support.microsoft.com/?kbid=926666
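Added example, not from the original notes: the permission grant from step 1, with the two things that step leaves out. Receive-As on a mailbox server lets the holder open every mailbox on it, so the script shows who currently holds that right on the server and removes the grant again once the calendar update is finished. EXCHANGE and DOMAIN\svc-tzmove are placeholders; using a dedicated account for the tool rather than Administrator is my suggestion, not the notes'.

```powershell
# Added example, not part of the original notes. Grants the rights the
# calendar update tool needs, audits them, and removes them afterwards.
# Server and account names are placeholders.
$server  = "EXCHANGE"
$account = "DOMAIN\svc-tzmove"

# 1. Grant (the same rights the step above uses).
Get-MailboxServer $server | Add-ADPermission -User $account `
    -AccessRights GenericRead, GenericWrite `
    -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin

# 2. Who holds Receive-As on this server? Anyone listed can open any mailbox
#    on it, so this list should be short and every entry explainable.
Get-MailboxServer $server | Get-ADPermission |
    Where-Object { -not $_.IsInherited -and "$($_.ExtendedRights)" -match "Receive-As" } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# 3. Run the update (MsExTmzCfg.exe and its generated BAT file) as $account.

# 4. Remove the grant once the appointments are updated.
Get-MailboxServer $server | Remove-ADPermission -User $account `
    -AccessRights GenericRead, GenericWrite `
    -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin -Confirm:$false

# 5. Confirm the account is gone from the list.
Get-MailboxServer $server | Get-ADPermission -User $account
```

Step 2 of the notes (dismount and mount the store) still applies after the grant, since the store caches mailbox-server ACLs.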

Unable to enter product key on Exchange 2007 Edge Transport Server - "Attempted to perform an unauthorized operation"

I set up an Exchange 2007 Edge Transport server recently, and when I tried to put my volume license key into the Edge Transport server, I was told that I had "attempted to perform an unauthorized operation."

This edge transport server sits behind my ISA server; inbound mail goes to it, then heads to my Exchange 2007 Hub Transport server for routing.  It has 1 internal NIC.

  • Remote Registry service was enabled, and it was enabled on all GCs/PDCs/DCs
  • TCP/IP was bound to all NICs (this one only had 1 NIC)
  • I tried logging in as local admin and domain/enterprise admin

What worked?

Went into Active Directory Users and Computers on my GC.  Found the OU "Microsoft Exchange Security Groups" and the "Exchange Servers" security group therein.  I added the new Edge Transport server to this security group (since it wasn't a member!) and then restarted my Edge Transport server.

Key accepted.

Configuring firewalls and name resolution for Edge Transport servers in Exchange 2007

If you're planning to deploy the Edge Transport server role in a perimeter network (aka "DMZ"), here are the ports you'll need to open:

Inbound:
From external network (internet) to Edge server: SMTP - tcp port 25
From Edge server to Hub Transport servers on internal network: SMTP - tcp port 25

Outbound:
From Edge to external network/internet: SMTP
From Hub servers to Edge: SMTP, LDAP for EdgeSync (tcp 50389), Secure LDAP for EdgeSync (tcp 50636).

Additionally, it's a good idea to open RDP (tcp port 3389) from your internal network to the Edge so it can be managed without KVM/console access; restrict the rule to your management hosts rather than the whole internal network, since the Edge sits in the perimeter.

The ports used for EdgeSync - 50389 and 50636 - can be configured using the ConfigureAdam.ps1 script:

ConfigureAdam.ps1 -ldapport:5000 -sslport:5001

DNS/Name Resolution:
1. since the Edge server is not a member of the AD Domain, it may not have the primary DNS suffix populated by default. Make sure you configure the appropriate DNS suffix on the Edge Transport server - this is done from System Properties | Computer Name tab | Change | More | Primary DNS suffix of this computer. Important: You cannot change the primary DNS suffix of the Edge server after you install the Edge Transport server role.
2. The Edge server should be able to resolve the FQDNs of Hub Transport servers. This can be done either with static entries in the HOSTS file on the Edge, or by allowing the Edge server to use an internal DNS server (which requires allowing DNS traffic from Edge servers to internal DNS servers). Alternatively, you could create a DNS zone in the perimeter network that the Edge server can access, and populate it with A records for the Hub Transport servers.
3. The Hub Transport servers should be able to resolve the FQDNs of the Edge Transport servers. This can be accomplished by adding A records for the Edge servers in your internal DNS zone.
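Added example, not from the original notes: the firewall and DNS checklist above turned into a test you can run before attempting the Edge Subscription. From a Hub Transport server it checks that the Edge FQDN resolves and that SMTP and both EdgeSync ports answer; the second entry is meant to be run on the Edge server to test the way back. It ends by printing the primary DNS suffix, which is what gets baked into the subscription. Hostnames are placeholders, and it uses try/catch, so it needs PowerShell 2.0 (Exchange 2007 SP3 on Windows Server 2008/2008 R2).

```powershell
# Added example, not part of the original notes. Verifies name resolution and
# TCP reachability for the Hub <-> Edge ports listed above. Hostnames are
# placeholders; needs PowerShell 2.0 for try/catch.
$checks = @(
    @{ Host = "edge01.perimeter.example.com"; Ports = @(25, 50389, 50636) },  # run on a Hub
    @{ Host = "hub01.corp.example.local";     Ports = @(25) }                 # run on the Edge
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)
            $ok = $client.Connected
        }
    } catch { $ok = $false }
    $client.Close()
    return $ok
}

foreach ($c in $checks) {
    # EdgeSync and SMTP both connect by FQDN, so resolution comes first.
    $addresses = $null
    try { $addresses = [System.Net.Dns]::GetHostAddresses($c.Host) } catch { }
    if (-not $addresses) {
        "{0,-40} DNS: cannot resolve (HOSTS entry, perimeter zone or internal DNS needed)" -f $c.Host
        continue
    }
    "{0,-40} resolves to {1}" -f $c.Host, "$addresses"
    foreach ($p in $c.Ports) {
        if (Test-TcpPort -HostName $c.Host -Port $p) { $s = "open" } else { $s = "BLOCKED or nothing listening" }
        "    tcp/{0,-6} {1}" -f $p, $s
    }
}

# The primary DNS suffix of this machine; on the Edge this cannot be changed
# after the role is installed.
"Primary DNS suffix: " + (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters").Domain
```

A port reported open by this test but still failing in EdgeSync usually means the firewall allows the connection while the ADAM instance is bound to different ports; check with the ConfigureAdam.ps1 values you used.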

Update for Exchange 2003 (KB 922817) With Exchange 2007 Deployment

This update is required if the Offline Address Book (OAB) generation is moved from an Exchange 2007 server to an Exchange Server 2003 Service Pack 2 (SP2) server. It resolves issues which are caused due to changes in the OAB version 4 in Exchange 2007.

This update is also recommended if the OAB is generated on an Exchange Server 2003 SP2 server after Exchange 2007 is deployed in the Exchange organization.

Download update: http://www.microsoft.com/downloads/details.aspx?amp;amp;displaylang=en&familyid=B217A4C9-4AAD-49B9-92DD-10754AF1029E&displaylang=en

Error message when you try to change the offline address list server from Exchange Server 2007 to Exchange Server 2003: "The target server cannot support OAB"
http://support.microsoft.com/?kbid=922817

Configuring Windows SharePoint Services and Windows File Share Integration for Outlook Web Access

This topic explains a new feature in Outlook Web Access in Microsoft Exchange Server 2007: integration of Microsoft Windows SharePoint Services and Windows file shares. Windows file shares are also known as Universal Naming Convention (UNC) file shares. The integration of Windows SharePoint Services and Windows file shares in Outlook Web Access gives users read-only access to documents on centralized or personal Windows SharePoint Services document libraries or Windows file shares. Users cannot change files that are stored on Windows SharePoint Services document libraries or Windows file shares when they retrieve them by using Outlook Web Access.

http://technet.microsoft.com/en-us/library/bb123700.aspx

Exchange 2007 - Notes

How to install anti-spam agents on Hub Transport server

If you're using Exchange Server 2007 in a topology with an Edge Transport server, the anti-spam agents - Connection Filtering, Content Filter, Sender ID, Sender Filter, Recipient Filter, and Protocol Analysis - are installed on the Edge server. You do not need these agents installed on the Hub server(s).

In environments without an Edge server role, these need to be installed manually on the Hub Transport server(s).

To install anti-spam agents on a Hub Transport server, start the Exchange Management Shell, change directory to "\Exchange Server\Scripts" (by default C:\Program Files\Microsoft\Exchange Server\Scripts), and run:
./Install-AntispamAgents.ps1
Then restart the transport service so the agents load: Restart-Service MSExchangeTransport

After the anti-spam agents are installed, you can see the Anti-spam tab in Organization Configuration - Hub Transport node in Exchange Management Console. (If your console was open during installation, you will need to restart it).

Exchange 2007 Transition - from Exchange 2003

"A problem occurred while trying to use your mailbox" proclaims the OWA page, after the mailbox is moved from an Exchange 2003 SP2 server to a 2007 server.  After moving a user's mailbox to the new 2007 mailbox store, I get this nice exception when trying to login:

Exception
Exception type: Microsoft.Exchange.Data.Storage.StoragePermanentException
Exception message: There was a problem accessing Active Directory.

Call stack

Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostLocally(OwaContext owaContext, OwaIdentity logonIdentity, CultureInfo culture, String timeZoneKeyName, Boolean isOptimized)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchLanguagePostRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.PrepareRequestWithoutSession(OwaContext owaContext, UserContextCookie userContextCookie)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.InternalDispatchRequest(OwaContext owaContext)
Microsoft.Exchange.Clients.Owa.Core.RequestDispatcher.DispatchRequest(OwaContext owaContext)
System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.ADOperationException
Exception message: Active Directory operation failed on <DC>. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Call stack

Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32& retries, Int32 maxRetries)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)
Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
Microsoft.Exchange.Data.Storage.ExchangePrincipal.Save()

Inner Exception
Exception type: System.DirectoryServices.Protocols.DirectoryOperationException
Exception message: The user has insufficient access rights.

Call stack

System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation)
Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADRawEntry entry, DirectoryRequest request, ADObjectId originalId)

Update: Fix 'em permissions

If your Exchange 2007 OWA is failing for a user after the mailbox is migrated from Exchange 2003 to Exchange 2007, the user account should be checked on the security tab under advanced to see if it has "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here."

  1. Open up Active Directory Users and Computers
  2. Go to the View menu, Advanced.
  3. Locate the user in AD, right click, properties.  Jump to the security tab.
  4. Click "Advanced" next to the "For special permissions or for advanced settings, click Advanced.
  5. Click "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." Check box and apply.
  6. Click OK and OK again.

Once changed and replicated, OWA works. This box is ticked by default but is cleared for accounts with administrative privileges.

So how does this get turned off? If the account is, or was ever, a member of a protected administrative group (Domain Admins, Account Operators and the like), the AdminSDHolder process (SDProp) rewrites its ACL about once an hour and removes inheritance, and the account keeps that setting after it leaves the group. Re-ticking the box is therefore only permanent once the account is out of those groups; for a current member it will be cleared again within the hour. Reference the following.

XADM: Do Not Assign Mailboxes to Administrative Accounts
http://support.microsoft.com/kb/328753
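Added example, not from the original notes: a way to find this problem before users do. It searches the domain for mailbox-enabled users that AdminSDHolder has flagged (adminCount=1) and reports whether ACL inheritance is currently blocked on each, together with the protected groups they still belong to. Plain .NET DirectoryServices, no Exchange cmdlets; run as a domain admin on a domain-joined machine. Nested group membership is not expanded, so a user who is an admin through a nested group shows no group here.

```powershell
# Added example, not part of the original notes. Lists mailbox-enabled users
# with adminCount=1 and whether inheritance is blocked on their ACL.
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(homeMDB=*)(adminCount=1))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("memberOf")

foreach ($result in $searcher.FindAll()) {
    $sam   = [string]$result.Properties["samaccountname"][0]
    $entry = $result.GetDirectoryEntry()
    # True when "Allow inheritable permissions" is unticked on the Security tab.
    $blocked = $entry.ObjectSecurity.AreAccessRulesProtected

    # memberOf holds DNs; keep just the CN part for readability.
    $groups = @()
    foreach ($dn in $result.Properties["memberof"]) {
        $groups += ([string]$dn).Split(",")[0].Substring(3)
    }

    if ($blocked) {
        $state = "inheritance BLOCKED: OWA logon will fail after the mailbox move"
    } else {
        $state = "inheritance ON: SDProp will block it again while the account is in a protected group"
    }
    "{0,-20} {1}" -f $sam, $state
    if ($groups.Count -gt 0) {
        "    member of: " + [string]::Join(", ", [string[]]$groups)
    }
}
```

For each account listed, the durable fix is the one KB 328753 gives: take the mailbox off the administrative account (a separate, non-admin account for mail), rather than re-ticking the box every time SDProp clears it.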