
Archive for the ‘Exchange 2003’ Category

How to make ESM tabs for Exchange 2003 work for ADUC on Windows 7 x64 and x86

December 9th, 2010 12 comments

Yes, you can get Exchange 2003 ESM tools working with both Windows 7 x64 and x86 OSes! Microsoft does not seem to want to support Windows 7 and Exchange 2003 system management tools. They have not released ESM for Windows 7 so you have to work around it. Many companies out there are still using Exchange 2003 so I’m not sure why they don’t allow for backwards compatibility.

To get ESM for Exchange 2003 to work on BOTH Windows 7 32 bit and 64 bit OS flavors, perform the following:

1. Download and install RSAT Tools for Windows 7 (Remote Server Admin Tools) here, select x86 (x86fre_GRMRSAT_MSU.msu) or x64 (amd64fre_GRMRSATX_MSU.msu) depending on what flavor of Windows 7 you are using – http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en

2. Download Exchange System Manager for Windows Vista here (ESMVISTA.EXE) but don’t install it yet (see step 3) – http://www.microsoft.com/downloads/en/details.aspx?familyid=3403d74e-8942-421b-8738-b3664559e46f&displaylang=en

3. Do a silent install of ESM. This circumvents the OS check and allows you to install ESM for Vista on Windows 7. You can do this by opening a command prompt and typing this in the directory you downloaded ESMVISTA.MSI to:


ESMVISTA.MSI /q

4. If you are using Windows 7 x86, you are done and you can open up Active Directory Users and Computers (ADUC) and you will see the Exchange tabs for your users.

5. For Windows 7 x64, it’s a little tricky. It just won’t display Exchange tabs in ADUC when you open it. It took me some trial and error for a few hours before I figured it out. You have to run an MMC snap-in in 32 bit mode to get the tabs to work. You can do this by opening a run prompt and typing:


mmc /32

then adding the “Active Directory Users and Computers” snap-in (should be the 3rd option). I am thinking this is because the ESM for Vista package was not designed for x64 and some level of compatibility is missing. Evidence for this is that if you check the target for the ESM or ADUC shortcuts, you will see this which clearly shows it’s installed in the x86 Program Files folder:


C:\Program Files (x86)\Exchsrvr\bin\exchange system manager.msc
C:\Program Files (x86)\Exchsrvr\bin\users and computers.msc

Now the problem is that every time I added the ADUC snap-in in an MMC window, the text for it would disappear and I would get an error saying “MMC cannot initialize the snap-in” followed by the MMC crashing. I checked the application event log and found the following:

Faulting application name: mmc.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3f1
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b29c
Exception code: 0xc0150010
Fault offset: 0x0008454b
Faulting process id: 0x98c
Faulting application start time: 0x01cb970a650fbae3
Faulting application path: C:\Windows\SysWOW64\mmc.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: aac5fead-02fd-11e0-9946-005056b64915

So obviously a core Windows 7 x64 system file is the culprit, ntdll.dll. Luckily, there is a release candidate for Windows 7 SP1 available for download here (windows6.1-KB976932-X64.exe):

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3202ce6-4056-4059-8a1b-3a9b77cdfdda

I assumed that the service pack might fix whatever the issue was with ntdll.dll since it is a core system file. Turns out I was right, after installing Windows 7 SP1, I can now successfully open an MMC window in 32 bit mode and add the ADUC snapin. Now all my Exchange tabs show up in ADUC (Exchange General, E-mail Addresses, Exchange Features, & Exchange Advanced). See screenshot below:

Now I’m not advising you deploy a release candidate service pack into your environment. But for systems admins, we typically have a bit more leeway on our systems than end users so if you are under no policy restricting installing a release candidate on your workstation, then go for it. You can even install it in a VM temporarily until SP1 is released so you don’t have to jeopardize your workstation with an RC build. Let me know how it works out for you! :)
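The whole procedure from the command line, as an added example that is not part of the original post: it installs ESM silently, opens the 32-bit MMC with the ADUC console the post points at, and then reads the Application log for the mmc.exe fault shown above so you can tell whether you are hitting the same ntdll.dll crash. It assumes an elevated PowerShell 2.0 session on Windows 7, ESMVISTA.MSI in the current directory, and the install path quoted in the post.

```powershell
# Added example, not code from the original post. Run elevated on Windows 7.
# Assumes ESMVISTA.MSI sits in the current directory.

# The post runs "ESMVISTA.MSI /q"; msiexec /i with /q is the same silent install
# spelled out, which is what bypasses the Vista-only OS check.
$msi = Join-Path (Get-Location).Path 'ESMVISTA.MSI'
Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i', "`"$msi`"", '/q' -Wait

# 64-bit OS detection: a 32-bit process on x64 sees PROCESSOR_ARCHITEW6432 instead.
$is64BitOS = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')

# Console path from the post; 32-bit Windows has no "(x86)" folder, so fall back.
$pf = ${env:ProgramFiles(x86)}
if (-not $pf) { $pf = $env:ProgramFiles }
$aduc = Join-Path $pf 'Exchsrvr\bin\users and computers.msc'

if ($is64BitOS) {
    # mmc /32 forces the 32-bit console host so the 32-bit Exchange extension loads.
    Start-Process -FilePath 'mmc.exe' -ArgumentList "`"$aduc`"", '/32'
} else {
    Start-Process -FilePath 'mmc.exe' -ArgumentList "`"$aduc`""
}

# Diagnostic: look for Application Error (Event ID 1000) records for the 32-bit
# mmc.exe, the same entry the post pasted from the event log.
$crashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SysWOW64\\mmc\.exe' }

foreach ($c in $crashes) {
    $code = '?'
    if ($c.Message -match 'Exception code: (0x[0-9a-fA-F]+)') { $code = $matches[1] }
    Write-Host ("{0}  mmc.exe fault, exception {1}" -f $c.TimeCreated, $code)
    if ($code -eq '0xc0150010') {
        Write-Host '  -> same ntdll.dll fault as in the post; the post reports Windows 7 SP1 (RC) resolved it.'
    }
}
```

The event-log check is the part worth keeping around: if the fault keeps appearing after SP1, the problem is something other than what the post describes, and the exception code from the record is what you would search on next.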

Send email via Telnet to test an Exchange server

December 17th, 2009 2 comments

A simple way to test if your MTA (mail transfer agent such as Exchange) is accepting email is to build the message by hand and watch the response codes from the server.  You can run this from the server console from a command prompt or remotely if you have the SMTP port to the server open.  Remember, once you are in the telnet session, don’t use backspace if you misspell something!  You’ll get an unrecognized command error if you do.  Just press enter and retype your command correctly if you do misspell something.

telnet localhost 25

This will open a telnet window to the server on SMTP port 25 and the server in return will send a 220 response code, the FQDN (Fully Qualified Domain Name), mail server version, and typically a time stamp as well.  Next you type:

helo

The mail server will respond with a 250 response and its FQDN and say “Hello”.  You can also use:

ehlo

There is no difference using the commands except that EHLO returns info about the mail server’s capabilities along with the 250 response code, such as the maximum SIZE of a message for example.  It’s useful to see exactly what your mail server is going to accept from a client.  EHLO is the more recent command by the way.  Pretty much all MTAs out there are going to accept either command nowadays.

This means the mail server is ready to accept more commands.  Now it’s time to begin composing your email:

mail from: joeblow@gmail.com

You should get a 250 response code and say the Send is OK.  Now type who you are sending it to:

rcpt to: joeblowsfriend@gmail.com

You will get a 250 response for the email address.  You can add more recipients by just typing additional lines like above.  Next it’s time to build the body of the message.  Type:

data

and you will get a 354 response code saying you can begin input.  First type a subject line for your message:

subject: Test email

Remember, type this on the very first line and then press <Enter> twice.  Now you can start typing your message body.  Once you are done with your message body, press <Enter> to start a new line and type nothing on this line except for a period.  Then press <Enter> again and you will exit out of the message body and immediately submit the email to the MTA’s queue for delivery.  You should get the test email within seconds if your mail server is working properly!  Make sure to check your Junk E-mail folder just in case your mail server marks your test email as spam.  To exit your telnet session, just type:

quit

and press <Enter> and you’re done.  Simple, right? :)
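The same conversation scripted so that each response code is checked instead of eyeballed, as an added example that is not part of the original post. It talks raw SMTP over a .NET TcpClient rather than using a mail cmdlet, so every server reply is visible, including the multi-line EHLO capability list the post mentions. The server, port and addresses default to the ones in the post and are placeholders: use a sender and recipient your MTA actually accepts.

```powershell
# Added example, not code from the original post. Needs PowerShell 2.0 or later.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A reply is one or more lines; all but the last have '-' as the 4th character
    # ("250-SIZE 10485760" ... "250 OK"), which is how EHLO lists capabilities.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Send-SmtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader,
          [string]$Command, [string]$Expect)
    if ($Command) {
        $Writer.WriteLine($Command); $Writer.Flush()
        Write-Host "C: $Command"
    }
    $reply = @(Read-SmtpReply $Reader)
    $reply | ForEach-Object { Write-Host "S: $_" }
    $code = $reply[-1].Substring(0, 3)
    if ($code -ne $Expect) { throw "expected $Expect after '$Command' but got $code" }
    return $reply
}

function Test-SmtpDelivery {
    param(
        [string]$Server = 'localhost',
        [int]$Port = 25,
        [string]$From = 'joeblow@gmail.com',          # placeholder from the post
        [string]$To = 'joeblowsfriend@gmail.com'      # placeholder from the post
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"                      # SMTP lines end in CRLF

        Send-SmtpCommand $writer $reader $null '220' | Out-Null          # banner
        $ehlo = @(Send-SmtpCommand $writer $reader "EHLO $env:COMPUTERNAME" '250')
        $ehlo | Where-Object { $_ -match '^250[- ]SIZE' } |
            ForEach-Object { Write-Host "   (server message size limit: $_)" }
        Send-SmtpCommand $writer $reader "MAIL FROM:<$From>" '250' | Out-Null
        Send-SmtpCommand $writer $reader "RCPT TO:<$To>" '250' | Out-Null
        Send-SmtpCommand $writer $reader 'DATA' '354' | Out-Null

        # Headers first, one blank line, then the body; a lone "." ends the message.
        $writer.WriteLine("Subject: Test email")
        $writer.WriteLine("From: $From")
        $writer.WriteLine("To: $To")
        $writer.WriteLine("")
        $writer.WriteLine("Test message sent from PowerShell at $(Get-Date)")
        $writer.Flush()
        Send-SmtpCommand $writer $reader '.' '250' | Out-Null      # queued for delivery
        Send-SmtpCommand $writer $reader 'QUIT' '221' | Out-Null
        return $true
    } finally {
        $client.Close()
    }
}

Test-SmtpDelivery
```

Because the script throws on the first unexpected code, a relay refusal (a 5xx after RCPT TO) or a size rejection shows up as the exact command and code that failed, which is the information you would otherwise have to read off the telnet screen.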


Outlook passwords and RPC over HTTP

March 27th, 2009 No comments

Outlook 2003 has a feature called “RPC over HTTP” which allows a remote user to use their Outlook client with an Exchange 2003 server over the Internet without the need for a VPN. The connection is made using RPC calls through port 80 (http) and 443 (SSL). Outlook 2007 has the same feature for Exchange 2007 but it is called “Outlook Anywhere” now. The version of Outlook you have is interchangeable with the version of Exchange you are running so it will work in any combination.

One of the problems users often complain about is getting a login box asking for their domain credentials every time they open Outlook 2003 or Outlook 2007. In theory, since the credentials should be cached on the client end, this should not happen but unfortunately, this is not often the case in real world scenarios.

To force your Outlook client to save the credentials and not prompt you with a login box, do the following:

1. Verify that the RPC over HTTP settings on the Outlook 2003 or Outlook 2007 client are set to NTLM authentication. By default, it uses Basic authentication which will prompt you for a login box every time. This option is found in:

Click Tools > E-mail Accounts > Account Settings > Double click on your Exchange account > More Settings > Click the Connection tab > Exchange Proxy Settings > Set the Proxy authentication settings to NTLM authentication

Press OK twice and you will be prompted to restart Outlook. Hit Next and then Finish to exit out of the setup, then close and reopen Outlook. Now try and check your email and see if it still prompts you for a login box. If it does, move on to step 2.

2. Open regedit (Start > Run > regedit) and find the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

In the right pane, open the lmcompatibilitylevel value and change it to 2. Press Ok, close the registry editor, then restart your computer. Now try and check your email. If it still prompts you, move on to step 3.

3. Click Start > Control Panel > User Accounts > Click the Advanced tab > Manage Passwords. Verify your domain login is there in the following format:

domainname\username

If it is not, click Add and enter your user name in the above format and type in your password. Now open Outlook and see if it still prompts you (make sure you click on “Remember password” in the login box if you get that option).
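Steps 2 and 3 from an elevated PowerShell on the Outlook client, as an added example that is not part of the original post. LmCompatibilityLevel 2 means “send NTLM response only”: the client drops LM responses but will still answer with NTLM (v1) rather than NTLMv2 only, which is a step down from the Windows 7 default of 3, so the script records the previous value before changing it so it can be put back. The stored-credential check uses cmdkey.exe, which manages the same store as the Manage Passwords dialog; the RPC proxy host name in the hint is a placeholder.

```powershell
# Added example, not code from the original post. Run elevated on the client.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Step 2: record the old value (for rollback), then set LmCompatibilityLevel = 2.
$before = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $before) {
    Write-Host 'LmCompatibilityLevel before: not set (OS default applies, 3 on Windows 7)'
} else {
    Write-Host "LmCompatibilityLevel before: $before"
}
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 2 -Type DWord
$after = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel).LmCompatibilityLevel
Write-Host "LmCompatibilityLevel now: $after  (reboot for it to take effect)"

# Step 3: verify a stored credential exists for the domain account in
# domainname\username form, which is what cmdkey /list prints as "User:".
$domainUser = "$env:USERDOMAIN\$env:USERNAME"
$stored = cmdkey /list | Out-String
if ($stored -match [regex]::Escape($domainUser)) {
    Write-Host "Found a stored credential for $domainUser"
} else {
    Write-Host "No stored credential for $domainUser. Add one for the RPC proxy host with:"
    Write-Host "  cmdkey /add:<rpc-proxy-hostname> /user:$domainUser /pass   # /pass prompts for the password"
}
```

Keep the “before” value from the first line of output; if the prompts stop after step 1 or step 3 alone, the registry change is not what fixed it and can be reverted with the same Set-ItemProperty call and the old value.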

Exchange 2003 spam filtering made easy

December 4th, 2008 6 comments

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing pleasure :).  I can’t tell you how many times I have walked into a new environment only to find that the previous server admin had not been taking advantage of Exchange 2003’s built-in spam filtering or had completely misconfigured the server to where it was barely blocking anything at all. If you do not have any 3rd party spam filtering in place, there is no reason not to use Exchange’s built-in filtering. It works very well if configured properly.

Here is a basic mail filtering setup guide for a small business environment running Exchange 2003 that I like to use (and yes, I will do a separate write up for Exchange 2007 content filtering in another post). Remember, this is just a basic setup and different environments will have different needs.

Let’s start assuming you have a brand new Exchange 2003 server setup. Make sure your Exchange server has been updated to SP2 before you do anything.

Then, in Exchange System Manager (ESM), drill down to Global Settings and right click on Message Delivery.

CONNECTION FILTERING
Now click on the Connection Filtering tab. Here, you can tell Exchange to go out and check RBLs (realtime block lists) to verify if mail coming into your Exchange server should be marked as spam or not. Here are the 2 that I like to use. Any more than this and you’re making your block list strategy too redundant, plus it holds up delivery of your email and increases overhead as your Exchange server queries each list. Make sure they are in this order by using the arrow buttons on the right to adjust:

zen.spamhaus.org
cbl.abuseat.org

(I also used to like using sbl.spamhaus.org and xbl.spamhaus.org but zen.spamhaus.org combines these all to one list as well as their pbl.spamhaus.org list. Just use zen.spamhaus.org so there is less overhead on your Exchange server.)
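What connection filtering actually does with those two entries, as an added example that is not from the original post: for each connecting sender IP it issues a DNS query with the octets reversed under the list’s zone, and any answer means the address is listed. The function below performs that lookup by hand using the .NET resolver (so it runs on PowerShell 2.0), defaults to the two zones from the post in the same order, and uses 127.0.0.2 and 127.0.0.1 as the conventional listed/not-listed test addresses.

```powershell
# Added example, not code from the original post.

function Test-Dnsbl {
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,
        [string[]]$Zones = @('zen.spamhaus.org', 'cbl.abuseat.org')   # the post's two lists, in order
    )
    # DNSBL lookups reverse the dotted quad: 1.2.3.4 -> 4.3.2.1.zen.spamhaus.org
    $reversed = ($IPAddress.Split('.')[3..0]) -join '.'
    foreach ($zone in $Zones) {
        $query = "$reversed.$zone"
        try {
            $answers = [System.Net.Dns]::GetHostAddresses($query) | ForEach-Object { $_.IPAddressToString }
            # A listed address answers with a 127.0.0.x record whose last octet encodes
            # the reason. Spamhaus answers in 127.255.255.x are query errors (for example,
            # asking through a public resolver), not listings.
            New-Object PSObject -Property @{
                IP = $IPAddress; Zone = $zone; Listed = $true; Answer = ($answers -join ',')
            }
            return   # first hit is enough, which is why the order of the lists matters
        } catch [System.Net.Sockets.SocketException] {
            # NXDOMAIN: not listed in this zone, try the next one
        }
    }
    New-Object PSObject -Property @{ IP = $IPAddress; Zone = $null; Listed = $false; Answer = $null }
}

Test-Dnsbl -IPAddress '127.0.0.2'   # standard test entry, reported as Listed = True
Test-Dnsbl -IPAddress '127.0.0.1'   # never listed, reported as Listed = False
```

Running this from the Exchange server itself is the useful check: it uses the same resolver the SMTP service does, so a failure here (no answer for 127.0.0.2) means connection filtering is silently doing nothing, no matter how the tab is configured.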

RECIPIENT FILTERING
Next, click on the Recipient Filtering tab. By default, there is nothing in there but way at the bottom, you will notice that the box for “Filter recipients who are not in the Directory” is left unchecked. Check this box. This causes email that is not addressed to someone in your organization to be dropped. Spammers often like to use a dictionary attack when sending out spam to your organization like “joebloe@yourdomain.com” which your Exchange server will process unless you check this box.

INTELLIGENT MAIL FILTERING (IMF)
Next, click on the Intelligent Mail Filtering tab. This is the heart of your spam filtering so you must make sure to configure it properly. SCL ratings (spam confidence levels) are rated on a scale of 1-10. Exchange automatically assigns this rating to every message that it gets. A message with a rating of 1 means the message is not considered spam. A message with a value of 10 is definitely spam (think Viagra ads).

I like to set the Block level to 7, Archive as the block action, and Move messages with an SCL rating of greater than or equal to 4. This is usually pretty good for most environments but you should tweak the settings depending on your environment and feedback from your users over time.

SENDER ID FILTERING
Next click on the Sender ID Filtering tab and leave the default to Accept. The reason is a lot of mail servers don’t have an SPF record since this is a mostly Microsoft initiative, so the default setting is fine. You don’t want to accidentally block email from a valid sender.

APPLYING YOUR NEW SETTINGS TO YOUR EXCHANGE SERVER
Now on to the part a lot of people miss. You have set up everything but now you need to actually apply it to your SMTP virtual server or nothing is going to happen.

Click on Administrative Groups > First Administrative Group > Servers > the name of your Server > Protocols > SMTP > then right click Default SMTP Virtual Server

Next to the IP Address, you will see the Advanced button. Click on it and you will see something like the below.

This shows the SMTP virtual server. Click Edit and then check everything you see. Click OK through all the windows and when you’re back in the ESM, right click on the Default SMTP Virtual Server and hit Stop. Once it stops, right click on it again and hit Start. You can also just go into Services and restart the SMTP service from there as well.

CONFIGURING WINDOWS UPDATE FOR IMF UPDATES
Now it’s time to configure Windows Update on your server to download IMF updates (these are released by Microsoft twice a month). You have to make a registry change for this to happen. Click Start > Run > type regedit > press Enter. Now drill down to HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange. Right click in the right pane and Add a new DWORD called “ContentFilterState”. Right click on ContentFilterState and change the value from 0 to 1.

Now run Windows Update manually (using the Custom option instead of Express) and you will see the latest IMF definitions as part of your patches you need to install (if you don’t, restart the SMTP service and scan for updates again). Go ahead and install the latest update once you see it.

MANAGING IMF AND YOUR EMAIL MARKED AS SPAM
Okay, so now you have some pretty good filtering setup but is it working? How do you manage mail that is marked as spam?

The answer begins with installing IMF Companion (a free IMF management utility) that you can get at:

http://stoekenbroek.com/imfcompanion/default.htm

Install it and set up the Pickup and Archive directories correctly. On a default Exchange install (we’re going to use the C: drive for this example), the locations should be:

C:\Program Files\Exchsrvr\Mailroot\vsi 1\Pickup

and

C:\Program Files\Exchsrvr\Mailroot\vsi 1\UceArchive

Just to explain what these directories are, Pickup is the directory that Exchange stores messages that it is waiting to deliver and UCE Archive (Unsolicited Commercial Email Archive) is where Exchange dumps email it thinks is spam. This directory can get really big really fast so you want to set up a script to clear it once in a while.

When you open IMF Companion, you can see all the blocked messages in the UCE Archive in the top pane. Notice how the SCL rating column is missing? This is because you have to tell the Exchange server to store archive messages with their SCL rating. To do this, create this registry key if you don’t see it already:

HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\ContentFilter

Then create a new DWORD key value under it called “ArchiveSCL” and set the value data to 1. Now restart the SMTP service and when you open IMF Companion again, any new messages that come in will have their SCL rating displayed.
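The two registry values from this section and the previous one, plus the UceArchive clean-up script the post says you will want, as an added example rather than the post’s own script. It assumes PowerShell has been installed on the Exchange 2003 server (Windows Server 2003 does not ship with it), an elevated session, and the default C: paths quoted in the post; Clear-UceArchive takes a -Preview switch so you can see what it would delete before it does.

```powershell
# Added example, not code from the original post. Run elevated on the Exchange server.

$exch = 'HKLM:\Software\Microsoft\Exchange'

# Let Windows Update offer IMF definition updates (ContentFilterState = 1).
Set-ItemProperty -Path $exch -Name ContentFilterState -Value 1 -Type DWord

# Keep the SCL rating on archived messages so IMF Companion can show the column.
$cf = Join-Path $exch 'ContentFilter'
if (-not (Test-Path $cf)) { New-Item -Path $cf | Out-Null }
Set-ItemProperty -Path $cf -Name ArchiveSCL -Value 1 -Type DWord

# Both values are read by the SMTP service, so restart it (service name SMTPSVC).
Restart-Service -Name SMTPSVC

# UceArchive grows quickly: purge archived spam older than $KeepDays.
function Clear-UceArchive {
    param(
        [string]$Path = 'C:\Program Files\Exchsrvr\Mailroot\vsi 1\UceArchive',
        [int]$KeepDays = 14,
        [switch]$Preview    # report only, delete nothing
    )
    $cutoff = (Get-Date).AddDays(-$KeepDays)
    # IMF writes each archived message as a .eml file
    $old = @(Get-ChildItem -Path $Path -Filter *.eml | Where-Object { $_.LastWriteTime -lt $cutoff })
    $bytes = ($old | Measure-Object -Property Length -Sum).Sum
    Write-Host ("{0} archived messages older than {1} days ({2:N1} MB)" -f $old.Count, $KeepDays, ($bytes / 1MB))
    if ($Preview) { return }
    $old | Remove-Item -Force
    Write-Host "deleted $($old.Count) files"
}

Clear-UceArchive -Preview          # review first
# Clear-UceArchive                 # then run for real, e.g. from a weekly scheduled task
```

Fourteen days of retention is a starting point, not a rule: keep the archive long enough that a user who reports a missing message can still have it pulled back out of UceArchive with IMF Companion.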

In addition to IMF Companion, you can also use the built in Windows Performance Monitor (perfmon) to keep an eye on Exchange.  If you don’t see the IMF performance objects, just reboot the server and they will show up in the drop down list.