When managing Exchange environments, having a large and versatile set of tools is a must. When you consider that Exchange 2003 is a combination of very different technologies—some related to storage and others to transport—and that it is tightly integrated with Windows, IIS, and Active Directory and wholly reliant on healthy and correct name resolution services, it is easy to see why Exchange administrators need to be prepared for anything and everything. For example, if the Active Directory global catalog is not constantly available to Exchange 2003, it will break; if DNS is unavailable or configured incorrectly, Exchange 2003 will break; if a hardware fault occurs, it can corrupt your Exchange databases.
Microsoft has taken more than 20 tools, updates, and applications and packed them together into a single download package called EXALLTOOLS.EXE (ExAllTools). This package contains some of the tools discussed in earlier chapters, including the following:
- Exchange 2003 Management Pack Update
- Exchange Deployment Tools (ExDeploy)
- Exchange Server Stress and Performance (ESP) 2003
- Load Simulator (LoadSim) 2003
- Mailbox Merge Wizard (ExMerge)
(Footnote3: You can download these tools individually or in the (currently 22MB) all-in-one package by visiting https://www.microsoft.com/en-us/exchange/updates or https://www.microsoft.com/en-us/exchange/tools/2003.asp).
Add Root Certificate tool for Pocket PC 2002 devices
The Add Root Certificate tool, ADDROOTCERT.EXE, is used to add an internal root certificate to a Pocket PC 2002 device to enable it to use SSL to communicate with Exchange features such as ActiveSync, which requires SSL. All Pocket PC 2002 devices come preloaded with root certificates from four certification authorities (CAs): Verisign, Cybertrust, Thawte, and Entrust. If you are using your own internal CA, you can use the Add Root Certificate tool to add a root certificate from your internal CA to the Pocket PC 2002 device. The Add Root Certificate tool can be used to install only root certificates; it cannot be used to install any subordinate or intermediate certificates. In addition, this tool is meant for use only on Pocket PC 2002 devices. Pocket PC 2003 devices include their own mechanism for installing certificates.
To install your own root CA, export it to a .CER file, and then copy both ADDROOTCERT.EXE and the .CER files to your Pocket PC 2002 device. Execute ADDROOTCERT.EXE on the device and install the .CER file. For more information, consult the Read Me file included with this tool.
Exchange Address Rewrite tool
The Address Rewrite tool, EXARCFG.EXE, is a tool you can use to rewrite P2 addresses on messages sent into Exchange from foreign messaging systems that are destined for an external or Internet address. P2 addresses, as defined in RFC 822, include the FROM, REPLY TO, and SENDER fields for a message. EXARCFG.EXE is very similar to the RerouteVia Store registry entry used in Exchange 5.0 and Exchange 5.5 to reroute all SMTP messages through the Exchange information store. It pushes the message into the information store, invalidates all existing MIME information, and forces a conversion of the message from MIME to MAPI. Converting from MIME to MAPI causes the address to be rewritten as configured. Once the rewrite is complete, the message is rerendered and sent off to its destination.
Before using this tool, you should understand its effects on your messages. First, all messages submitted via external SMTP will undergo the content conversion process, even if addresses do not need to be rewritten. Second, unless you route all of your internal messages through external SMTP servers, you cannot use this tool to rewrite internal addresses. EXARCFG.EXE is implemented as a command-line tool; Table 10–2 presents the command-line switches.
For more information on using the Address Rewrite tool, including details on how to also enable it by configuring an attribute in Active Directory, see the Read Me included with this tool.
Table 10–2 Command-Line Switches for the Address Rewrite Tool
| Switch | Description |
|---|---|
| /? | Displays the list of command-line switches. |
| -d | Disables address rewrite. Use with the –s (required) and –v (optional) switches. If –v is not specified, the first SMTP virtual server is used. |
| -e | Enables address rewrite. Use with the –s (required) and –v (optional) switches. If –v is not specified, the first SMTP virtual server is used. |
| -l | Lists the settings for all servers in the domain. Use with –s to list the settings for a specific server. |
| -s: Server | Specifies a specific server when used with other switches. |
| -v: # | Specifies the instance number of the SMTP virtual server you want to configure. |
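To make the P2 fields concrete, the following Python sketch is an added example (not code from the book or from EXARCFG.EXE) that rewrites only the From, Reply-To, and Sender headers of a constructed RFC 822 message and leaves recipient headers untouched. The domain mapping, addresses, and function names are assumptions for illustration; the real tool performs the rewrite through the MIME-to-MAPI conversion described above, not by editing headers.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses

# The P2 (header) address fields named in the text. Recipient headers such as
# To/Cc and the SMTP envelope (P1) addresses are deliberately left alone.
P2_FIELDS = ("From", "Reply-To", "Sender")

# Constructed mapping (assumption): foreign-system domain -> public domain.
REWRITE_MAP = {"ccmail.corp.example": "example.com"}

# Constructed sample message, as a foreign gateway might submit it over SMTP.
SAMPLE = """\
From: "Pat Lee" <pat.lee@ccmail.corp.example>
Sender: gateway@ccmail.corp.example
Reply-To: pat.lee@ccmail.corp.example, helpdesk@other.example
To: customer@partner.example
Subject: Quarterly report

Body text.
"""


def rewrite_address(addr, mapping):
    """Swap the domain of one address if the mapping covers it."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr  # not a user@domain address; leave unchanged
    new_domain = mapping.get(domain.lower())
    return f"{local}@{new_domain}" if new_domain else addr


def rewrite_p2(raw, mapping=REWRITE_MAP):
    """Return (message, changes) with only the P2 fields rewritten.

    changes is a list of (field, old_address, new_address) tuples, which is
    the audit trail you would want when checking what a rewrite rule touched.
    """
    msg = message_from_string(raw)
    changes = []
    for field in P2_FIELDS:
        values = msg.get_all(field)
        if not values:
            continue
        rewritten = []
        for name, addr in getaddresses(values):
            new_addr = rewrite_address(addr, mapping)
            if new_addr != addr:
                changes.append((field, addr, new_addr))
            rewritten.append(formataddr((name, new_addr)))
        del msg[field]  # removes every occurrence of the header
        msg[field] = ", ".join(rewritten)
    return msg, changes


if __name__ == "__main__":
    message, changed = rewrite_p2(SAMPLE)
    for field, old, new in changed:
        print(f"{field}: {old} -> {new}")
    print("To (unchanged):", message["To"])
```
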
The Exchange 2003 Archive Sink tool
The Exchange 2003 Archive Sink is a combination of a Visual Basic script and a companion module (DLL) file used to enable message archiving. The Archive Sink is not new to Exchange 2003 (it was also available for Exchange 2000), but it has been improved in Exchange 2003. Specifically, it includes a new feature that can save all message envelope information, including BCC recipient information (which the Exchange 2000 version could not do). In addition, the updated version fixes a bug in the Exchange 2000 version that required you to remove the sink if you wanted it to stop working. In Exchange 2003, you can disable the sink without removing it.
The script is used to copy and register ARCHIVESINK.DLL on an Exchange server, and by default BCC archiving is disabled. Once the DLL has been registered, you need to configure a registry entry and then restart IIS on the mailbox store server for the change to take effect. To enable BCC archiving, check the box labeled "Archive all messages sent or received by mailboxes on this store" on the General tab of the Mailbox Store Properties dialog of the desired mailbox stores.
For more information on using the updated Archive Sink, see the Read Me included with this tool.
The updated Exchange Authoritative Restore tool
The Authoritative Restore tool, AUTHREST.EXE, is used to force a directory database that was restored from backup to replicate to other servers. It is used in Mixed Mode Exchange environments that run Exchange 5.5 and the Exchange 2003 Site Replication Service. AUTHREST.EXE is not new to Exchange 2003—it has also been available with all previous versions of Exchange—however, it has been updated for use with Exchange 2003.
This tool is generally needed only in a scenario where a directory server containing data older than the production directory needs to be restored and the missing data must be backsynchronized to the other production servers. This scenario happens if valid directory data is accidentally or intentionally deleted. If directory information does go missing from your organization, you have two choices. If you have a backup of the directory information, you can restore it and then use AUTHREST.EXE to backsync it (i.e., replicate the missing data back into the directory). If you don't have a backup, you will need to recreate all of the data.
For more information on using the updated version of the Authoritative Restore tool, see the Read Me included with this tool.
The Disable Certificate Verification tool for Exchange mobile devices
The Disable Certificate Verification tool, CERTCHK.EXE, is used to enable or disable certificate verification checking on Pocket PC 2002, Pocket PC 2003, and Smartphone devices for testing purposes. When verification has been disabled, the mobile device will still use SSL to communicate with Exchange; it just won't verify the root CA against the device's certificate trust list. Instead of providing you with any warnings about the certificate, the mobile device will simply use the certificate. This is particularly useful if you have not yet used the Add Root Certificate tool to add your organization's internal root certificate to a mobile device but you want to test SSL connectivity from the device to Exchange.
For more information on using CERTCHK.EXE, see the Read Me file included with it; however, do keep in mind that this tool is for testing purposes only and should not be used in production environments.
The Exchange DNS Resolver tool for Windows 2003
The DNS Resolver tool, DNSDIAG.EXE, simulates the internal name resolution code inside the SMTP transport stack and provides diagnostic output regarding the DNS resolution process. This command-line tool, which can be used only on Exchange servers running on Windows 2003 or Windows 2003 systems running the IIS SMTP service, is designed to run on the system experiencing name resolution problems. Table 10–3 lists the command-line switches for DNSDIAG.EXE.
When the tool is executed, it will provide return codes that are set at the error level so that you can script this tool in batch files. For more information on using DNSDIAG.EXE, including a list of the error return codes, see the Read Me file included with this tool.
Table 10–3 Command-Line Switches for the DNS Resolver Tool
| Switch | Description |
|---|---|
| -a | Specifies that all DNS servers should be queried in the test. |
| | Specifies which protocol to use (TCP, UDP, or DEF). Cannot be used in tandem with –v. |
| | Specifies a list of IP addresses for the DNS servers you want to use. If you do not use this optional switch, the locally configured DNS servers are used. IP addresses can be delimited by using a space or a tab. Cannot be used in tandem with –v. |
| | Specifies a particular SMTP virtual server in instances where more than one exists on the same server. |
The Error Code Lookup tool for Windows
The Error Code Lookup tool, ERR.EXE, is used to translate errors reported by Windows and to provide you with an explanation of their meanings. ERR.EXE is another command-line tool, and it can resolve errors in a variety of formats:
- Hexadecimal (e.g., 0x31c or 31c)
- Numeric (e.g., 1723)
- String (e.g., UNKNOWN_FAILURE or INTERNAL_UNKNOWN_FAILURE)
Many of these same error messages can also be translated using the NET HELPMSG command found in Windows, as well as the Visual C++ Error Lookup tool that ships with Visual Studio; however, you may still find ERR.EXE to be useful. For more information on using ERR.EXE, see the Read Me file included with this tool.
The updated Exchange 2003 GUIDGen tool
GUIDGen is a user interface–based tool that enables you to generate GUIDs you can use for anything that requires a GUID. GUIDGen can create GUIDs using several different formats, enabling you to create GUIDs for automation, programming, scripts, and other purposes. As shown in Figure 10–1, GUIDGen also includes a Copy button you can use to copy a newly generated GUID to the Windows clipboard for quick pasting in your application, your source code, or wherever you want to insert the GUID.
GUIDGen is not new to Exchange 2003; previous versions of Exchange also included this tool. For more information on using GUIDGen, see the Read Me file included with this tool.
Figure 10–1 GUIDGen user interface
The Microsoft Importer for Lotus cc:Mail archives
The Microsoft Importer for Lotus cc:Mail Archives, CCMARCH.EXE, is used to import data from Lotus cc:Mail archive (.CCA) files into an Exchange public folder or personal store (.PST) file. In addition, CCMARCH.EXE can also import cc:Mail addresses from a private directory (PRIVDIR.INI) to a personal address book (.PAB) file or to the Outlook Contacts folder (see footnote4).
CCMARCH.EXE is a wizard-based tool that steps you through the import process. Before using it, I recommend reading its documentation, especially the compiled HTML help (.CHM) files included with it, which describe the tool's underlying concepts as well as how to use the tool.
(Footnote4: Note, though, that Outlook 2000 and later clients can natively import Lotus cc:Mail data and therefore do not need this tool).
The Exchange Information Store viewer
The Information Store Viewer, MDBVU32.EXE, also known as the Message Store Viewer, is used to view and configure message storage files in a mailbox store, a public folder store, a .PST file, or an offline store (.OST) file. MDBVU32.EXE uses MAPI 1.0 calls to connect to a MAPI-based message store. As illustrated in Figure 10–2, you can use it to view or delete messages, folders, rules, and scripts; access system mailboxes; and change raw data.
Figure 10–2 Message store database properties displayed in Message Store Viewer
When you encounter this tool, you might get a chuckle out of its icon, which is a flaming drum of toxic nuclear waste. This should be your first clue that this tool can be very hazardous to a message store. Because it provides write access to raw message store data, a wide variety of problems can occur if the wrong item is changed or deleted. More importantly, the tool has no "undo" feature, so you should make sure you have a current full backup of your message store(s) before using this tool.
For details on how to install and use MDBVU32.EXE, consult the Read Me file included with this tool.
The updated Exchange Inter-Organization Replication tool
This is another tool available in prior versions of Exchange that has been updated for use with Exchange 2003. This tool consists of two programs—the Replication Configuration program (EXSCFG.EXE), which is shown in Figure 10–3, and the Replication service (EXSSRV.EXE)—and is used to replicate public folder content and Free/Busy information between two Exchange organizations. It enables users in each organization to coordinate meetings and appointments and to share contact and public folder data.
This tool is very useful for companies undergoing mergers or acquisitions, for companies with separately administered Exchange organizations, or in any scenario in which you have two separate and distinct Exchange organizations. It can be used to replicate data between an Exchange 2003 organization and another Exchange 2003 organization, or with an Exchange 2000 or Exchange 5.5 organization. If you do plan to use this tool with Exchange 2003 and a legacy Exchange organization, be sure to use the Exchange 2003 version of this tool.
Figure 10–3 Replication Configuration program user interface
One of the advantages of this tool is that it does not need to run directly on an Exchange server. It can be used on any system running ESM. Note, though, that this tool may not be sufficient for everyone's inter-organizational replication needs. If you have complex replication needs, you may find Microsoft Identity Integration Server (MIIS) 2003 better suited to your needs (see footnote5). For more information on using the Inter-Organization Replication tool, consult the Read Me file included with it.
(Footnote5: For more information on MIIS).
The Exchange Message Transfer Agent Check tool
The Message Transfer Agent (MTA) Check tool, MTACHECK.EXE, is a command-line tool used to analyze and correct MTA database consistency problems. The MTA database is quite efficient and normally performs well. However, like any database it can become corrupt. When that happens, one of several events will be logged in the Application event log on the Exchange server. An example of such an event is shown here.
Event Type: Error
Event Source: MSExchangeMTA
Event Category: None
Event ID: 9405
Time: 9:34:07 AM
Description: An unexpected error has occurred which may cause the MTA to terminate. Error: <error code>
Several other possible events can be logged when the MTA is corrupt. This event is just one example. If you receive one of these events, or if you suspect corruption, you can use MTACHECK.EXE to verify database integrity and fix the problem. MTACHECK.EXE can be launched without any startup switches (in which case it runs with only minimal logging), or it can be launched using one of the command-line switches listed in Table 10–4.
A couple of important steps need to be performed before MTACHECK.EXE should be run. For more information on these steps and the MTA Check tool itself, consult the Read Me file included with this tool.
Table 10–4 Command-Line Switches for the MTA Check Tool
| Switch | Description |
|---|---|
| | Designates a file for logging output. |
| /rd | Deletes directory replication messages from the MTADATA directory. |
| /rl | Deletes link monitor messages from the MTADATA directory. |
| /rp | Deletes public folder replication messages from the MTADATA directory. |
| /y | Runs MTACHECK.EXE with verbose logging. Can be used in combination with /f. |
The Exchange 2003 SMTP Internet Protocol Restriction and Accept/Deny List Configuration tool
If you specifically block or allow computers to access your Exchange SMTP virtual server, this tool is for you. The SMTP Internet Protocol Restriction and Accept/Deny List Configuration tool is a combination of a Visual Basic script (.VBS) file and a companion module (.DLL) file that enables you to programmatically manipulate SMTP virtual server connection control and relay control settings, including the Accept and Deny List settings. Despite their names, the script file (IPSEC.VBS) and the DLL file (EXIPSEC.DLL) are not related to the IPSec protocol. It's just a naming coincidence.
You can use the script to add, delete, list, or completely clear IP address restrictions set on an SMTP virtual server or on the Global Accept or Global Deny lists. EXIPSEC.DLL can be used against Exchange 2000, but Global Accept and Deny List manipulation is supported only on Exchange 2003 servers. For more information, including the available command-line switches for IPSEC.VBS, refer to the Read Me file that ships with this tool.
The Exchange Up-to-Date Notifications Troubleshooting feature
As I wrote in Chapter 9, Exchange includes a feature called Always Up-to-Date (AUTD), which notifies a user's mobile device that data has changed on the Exchange server. Exchange sends a control message to the device, which causes it to commence a data synchronization session, thereby keeping the device up-to-date. In a perfect world, these messages are always correctly received and processed by every mobile device you have. However, in the real world, this is not necessarily true.
Table 10–5 Information Available from the AUTD Troubleshooting Tool
| Information | Description |
|---|---|
| Address | Displays the IP address of the mobile device. |
| Carriers | Displays the number of carriers listed in Active Directory. |
| Delivery | Displays how notifications will be delivered to the mobile device. |
| Device | Displays the name of the mobile device. |
| Exchange server | Displays the name of the Exchange server that contains the user's mailbox. |
| Expires | Displays the expiration date/time for the device if it stops syncing. Once expired, AUTD notifications will no longer be sent to the mobile device. |
| Send mail | Sends a test message to the mobile device to verify message flow from Exchange to the mobile device. |
| Username | Displays the name of the Exchange user whose mailbox you are troubleshooting. |
Because many of the problems you may encounter will be the result of external issues (or other issues beyond your control), the AUTD Troubleshooting tool may not be able to solve every problem you encounter. However, it will help isolate and identify problems and let you know whether the problem is on your end (e.g., with Exchange) or external (e.g., with a mobile communications provider). For more information on the AUTD Troubleshooting tool, including how to install and use it, refer to the Read Me file included with this tool.
The updated Exchange WinRoute tool
WinRoute is another tool available in prior versions of Exchange that has been updated for use with Exchange 2003. This tool, WINROUTE.EXE, is used to examine the link state routing information currently being used by the routing master in an Exchange site.
As shown in Figure 10–4, WinRoute is a user interface–based tool that displays link state routing information in three window panes:
- The tree view pane displays the organizational routing table.
- The address space pane displays all known address spaces, including type, cost, restriction, connector, and source Routing Group and Administrative Group information.
- The raw routing data table pane displays (for information purposes only) the current routing information being used by Exchange.
Figure 10–4 WinRoute user interface
As Microsoft states in the WinRoute documentation, this should be the first (or one of the first) tools you use when troubleshooting message routing problems. For more information on using this tool, refer to the Read Me file included with it, as well as Microsoft Knowledge Base article 281382.
Additional Exchange 2003 tools and updates
On the same pages (see footnote6) where you'll find the tools mentioned earlier and the all-in-one package, you will also find some additional tools and updates that can provide additional functionality or help diagnose and resolve problems that affect your Exchange infrastructure. For example, the .NET Framework Device Updates (DUs), which provide support for additional mobile devices for OMA and ActiveSync, will be available from those pages. At the time of the Exchange Server 2003 Launch (October 22, 2003), Exchange 2003 included DU2, and DU3 was available on those pages. DUs are anticipated to be released every six months.
(Footnote6: See https://www.microsoft.com/en-us/exchange/updates or https://www.microsoft.com/en-us/exchange/tools/2003.asp).
The Microsoft Baseline Security Analyzer (MBSA) tool is also linked from the Exchange Tools page. MBSA is a free security sweep tool that can scan Windows NT 4.0 and later systems for configuration settings that are considered security risks. In addition, MBSA can check for missing security patches and updates for Windows NT 4.0 and later, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer 5.01 and later, Exchange 5.5 and 2000, and Windows Media Player 6.4 and later. As you can see in Figure 10–5, MBSA looks very similar to Microsoft Windows Update.
Figure 10–5 Microsoft Baseline Security Analyzer Welcome screen
MBSA is one of the tools that can be used to implement Microsoft's Secure in Deployment strategy described earlier in this book. One of the many reasons that administrators struggle with the act of applying patches to all of their systems is that having too many systems and too many patches makes it difficult to tell what needs to be patched and why. MBSA is designed to cut right through the problem and identify which systems need to be patched (and what patches are needed) and which systems should be reconfigured (and how to do that). If you are not using MBSA already, I strongly encourage you to download it and give it a try (see footnote7).
(Footnote7: For questions, comments, and assistance with MBSA, I recommend visiting the microsoft.public.security.baseline_analyzer newsgroup on Microsoft's news server).
Finally, administrators and developers who build applications on top of or inside of Exchange will also find a link to the latest Exchange SDK. The SDK includes a wealth of information and sample applications that demonstrate how to programmatically access, use, and manipulate Exchange storage and transport resources (see footnote8).
(Footnote8: The Exchange 2003 SDK is on a quarterly update schedule and is freely downloadable).
This chapter excerpt from Microsoft Exchange Server 2003 Distilled by Scott Schnoll is printed with permission from Addison-Wesley Professional, copyright 2004.