BES Express Installation on Exchange 2010 SP1 – MaxSessionsPerUser key?

So, “where has the MaxSessionsPerUser key setting in the microsoft.exchange.addressbook.service.exe.config file gone”, I hear you asking?

Research in Motion’s current (as of today) documentation for BES Express 5.0.3 tells us that we need to increase the maximum number of connections to the Address Book service in Exchange 2010 by modifying a key value in a file. To quote the document, they say:

By default, Microsoft® Exchange 2010 limits the maximum number of connections from the BlackBerry® Enterprise Server Express to the Address Book service to 50. To permit the BlackBerry Enterprise Server Express to run, you must increase the number of permitted connections to a large value (for example, 100,000).

1. On the computer that hosts the Microsoft Exchange CAS server, in :\Program Files\Microsoft\Exchange Server\V14\Bin, in a text editor, open the microsoft.exchange.addressbook.service.exe.config file.
2. Change the value of the MaxSessionsPerUser key to 100000.
3. Save and close the file.
4. Restart the Address Book service.

As I have found, this is no longer applicable to Exchange 2010 SP1 (and above, of course). Apparently, Microsoft have moved this functionality to the throttling policies in Exchange 2010 SP1. This means we’ll need to modify (or at least check) the throttling policy that is applied to our “BesAdmin” user instead, to ensure that certain settings are null / blank (meaning there is no limitation on them).

So if you notice you don’t have the MaxSessionsPerUser key in your file as per RIM’s instructions, or you know straight off that you are on SP1, do the following to check using the Microsoft Exchange Management Shell.

1. Check the Throttling Policy called “BESPolicy” that you would have created earlier in the management shell as per the RIM documentation. Run: Get-ThrottlingPolicy BESPolicy

Your output will look like the following if the settings are correct (i.e. null):


2. Ensure that all the “RCA” Values listed are NULL – i.e. blank (refer to the screenshot in this post for a sample of the output I got when running the command). If they are not, then run the following:
3. (Run this if the RCA values are not NULL): Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null

This “BESPolicy” should be the throttling policy which is applied to your “BesAdmin” user, as per RIM’s installation instructions for BES Express, and shouldn’t really be applied to any other users or groups in your organization.
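One way to script the check above, as an added example that is not part of the original post or RIM’s documentation. It assumes the policy is named BESPolicy as in the post and that it runs in the Exchange Management Shell on Exchange 2010 SP1; the last query lists every mailbox the unthrottled policy is assigned to, which should be the BesAdmin account only.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$policyName  = 'BESPolicy'   # policy name used in the post
$rcaSettings = 'RCAMaxConcurrency', 'RCAPercentTimeInAD',
               'RCAPercentTimeInCAS', 'RCAPercentTimeInMailboxRPC'

$policy = Get-ThrottlingPolicy $policyName -ErrorAction Stop

# Collect the RCA settings that still carry a limit (anything that is not null).
$limited = @($rcaSettings | Where-Object { $null -ne $policy.$_ })

if ($limited.Count -gt 0) {
    Write-Host "Limits still set on: $($limited -join ', ')"
    # Same command as step 3 of the post.
    Set-ThrottlingPolicy $policyName -RCAMaxConcurrency $null -RCAPercentTimeInAD $null `
        -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null
    # Re-read the policy to confirm the change took effect.
    Get-ThrottlingPolicy $policyName | Format-List $rcaSettings
}
else {
    Write-Host "All RCA values on $policyName are null."
}

# The policy removes the RCA limits, so review who it is assigned to.
# Anything other than the BES service account deserves a second look.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { "$($_.ThrottlingPolicy)" -like "*$policyName" } |
    Select-Object Name, Alias, ThrottlingPolicy
```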

Following the above instructions should allow you to continue along with your BES Express installation alongside Exchange 2010 SP1. Hope this helps!

Securing your Microsoft Exchange 2010 Server / services with an SSL Certificate

Exchange 2010 has definitely simplified the process of applying SSL certificates to your mail services such as Outlook Web Access/App and Exchange ActiveSync. No more muddling about with IIS is required and you can do everything via the Exchange Management Console (GUI) too. I’ll also list a cmdlet at the end for generating a CSR if you wish to go the Exchange Management Shell way.

Exchange Management Console steps:

 

  • Open the Management Console and from the summary / home tab click on “Manage databases”. Now on the list in the left of the Management Console, select “Server Configuration”, then in the list of Actions on the right look for “New Exchange Certificate” and select this.

 

 

  • A wizard will pop up and you can begin setting up your new Certificate Signing Request (CSR). Fill in a Common / Friendly name for the certificate. I used the same name as would be used for the actual certificate itself so that I can easily identify it.

 


 

  • Continue the wizard. I won’t be using a wildcard certificate so I will leave the “Enable Wildcard Certificate” selection unchecked.

 

 

  • The next section allows you to select the services you want to use with your SSL / describe the Exchange configuration for the CSR that we are going to generate. Expand out the sections and you’ll see that some are pre-populated for you. Check over this information and tick any services that you want to use. I want this SSL certificate for Outlook Web App and Exchange ActiveSync for mobile devices, so I checked the options for “Outlook Web App is on the Internet” and “Exchange Active Sync is enabled”. In each of those cases, I entered the A name record for the services (The external name used to connect to the services) – i.e. mail.shogan.co.uk – this is important and it is what your SSL certificate will be securing, so double check that it is correct.

 

 

  • Continue by entering some administrative / contact details for your company, choosing a location to save the CSR request file, then finishing the wizard off. Now, go to your SSL provider’s site and purchase a new SSL certificate. I am using a basic SSL123 certificate in this case from Thawte.

 

  • Go through the steps of purchasing the certificate, and you’ll get to a point where they ask you for the CSR – paste the exact text of your CSR generated in Exchange’s Management Console into the CSR text box on the website and get your certificate ordered. When it is approved and emailed back to you, save the .cer certificate file on your Exchange server.

 

  • Go back to the management console, select “Server Configuration”, select the certificate under the “Exchange Certificates” tab and in the Actions view on the side, select “Complete Pending Request”. Browse for the completed SSL certificate your certificate issuer sent you and finish by completing this wizard.

 

 

  • You now just need to highlight the certificate under “Exchange Certificates” once again, and under the “Actions” panel, click “Assign Services to Certificate”. In this wizard, select your relevant Exchange server name, then click next. On the next screen, select “Internet Information Services”, then “Next”. Check the summary page looks correct then finish the wizard.

 

Your SSL certificate should now be configured and ready for use. Browse to the URL of your Outlook Web App service via https. You should find that you don’t get a certificate warning, and clicking the security icon in your web browser to view the site certificate should show that it is valid and providing encryption.

 

Generate a CSR using the Exchange Management Shell.

 

You can also generate a CSR using the cmdlet below. Just substitute the relevant values with your own. Be sure you aren’t putting any incorrect values in when using this though, as you don’t have a nice GUI to explain things to you as you do with the Exchange Management Console.

 

Set-Content -Path "C:\mail_shogan_co_uk" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=gb, s=London, l=London, o=Shogan.tech, ou=IT, cn=mail.shogan.co.uk" -PrivateKeyExportable $True)

 

The above cmdlet will save the CSR file to C:\mail_shogan_co_uk. You would then copy and paste the text of that file into your SSL certificate provider’s site as part of your SSL purchase process. The cmdlet uses some values that will need to be unique to your organisation. Here is what each part of the subject name stands for:

 

c = country code
s = city
l = province/state
o = organisation name
ou = organisational unit
cn = common name the SSL certificate is to be provided for

The cmdlet won’t give you any output if it works correctly, but you’ll be able to see the CSR in the Exchange Management Console if you refresh it at this stage.
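A way to check the request and the finished certificate from the shell, as an added example that is not part of the original post. The function name Test-ExchangeCertificate is hypothetical, and mail.shogan.co.uk is the external name used in the post.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$fqdn = 'mail.shogan.co.uk'   # external name used in the post

# Before ordering: list pending requests so the subject and names can be
# checked against what the certificate is meant to secure.
Get-ExchangeCertificate |
    Where-Object { "$($_.Status)" -eq 'PendingRequest' } |
    Format-List Subject, CertificateDomains, Thumbprint

# After completing the request and assigning IIS: summarise every CA-issued
# certificate that covers the name.
function Test-ExchangeCertificate {
    param([string]$Name)
    Get-ExchangeCertificate |
        Where-Object {
            -not $_.IsSelfSigned -and
            (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $Name)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint = $_.Thumbprint
                Status     = "$($_.Status)"
                BoundToIIS = ("$($_.Services)" -match 'IIS')
                DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            }
        }
}

Test-ExchangeCertificate -Name $fqdn | Format-Table -AutoSize
```

A certificate that is ready for OWA and ActiveSync shows Status Valid and BoundToIIS True; an empty result means no CA-issued certificate covers the name yet.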

That is basically it – the steps above should help you secure some Exchange services such as OWA or ActiveSync with an SSL certificate from a trusted authority.

 

PST file importing hell – A better way to import PST files into Exchange

A short while ago I wrote an article for the SysAdmin section on Simple-Talk.com. The article covers a bad experience I had importing PST files into Exchange mailboxes specifically to get them archived by some specialist archiving software. A short while afterwards I was introduced to Red Gate’s PST Importer (via an early access program). After trying out the PST importer I was happy to report that the headaches involved with doing PST imports had basically been solved by this excellent bit of software.

So if you are interested in reading the article, please hop on over to Simple-Talk.com and have a read!

My first Simple-Talk.com article – The Great PST Migration

Blackberry (BES) user able to receive e-mail but can’t send

There can be many different causes for the problem where a Blackberry user can receive e-mail, but cannot send out. A good place to start troubleshooting is the Application Event log on your BES Server.

In this case we have a user who is unable to send e-mail but can still receive it. After inspecting the event logs, I found some event ID “20000” entries, which read as follows:

Event Type:    Warning
Event Source:    BlackBerry Messaging Agent BES01 Agent 1
Event Category:    None
Event ID:    20000
Date:        03/03/2010
Time:        18:43:00
User:        N/A
Computer:    BES01
Description:
{useremailaddress@domainname.com} Send() failed: ERR_MAILBOX_FULL, Tag=173571

It is quite clear that this is indicating a full mailbox (or at least a restriction on the mailbox which only allows the user to receive e-mail and not send once this limit has been reached). Your next steps should be to get the user to clear out their mailbox to free up some space, or to increase their mailbox size limit or send limit size in Exchange.

Blackberry Technical Documentation describes this event error in more detail as follows:

The BlackBerry device user has reached the mailbox storage limit and is not permitted to send email messages until the Microsoft Information Store size returns to an acceptable range. The Blackberry device user can receive email messages, but cannot send email messages. Troubleshooting: Delete email messages from the BlackBerry device user’s mailbox and empty their Deleted Items folder.

So clearing out the user’s mailbox or increasing their Exchange mailbox size limits should clear this issue up. If you are experiencing the same symptoms, but are not getting this particular event ID message, there are other avenues to go down with regard to troubleshooting. One that I often check is to ensure that the BES admin account has got full “Send As” permission on the user’s account in Active Directory. (You’ll need to view Active Directory in Advanced Mode to see the permissions tab on the user object though).
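The event log check described above, as an added example that is not part of the original post. The function name Get-BesMailboxFullUser is hypothetical, and the second sample line (with its error name) is constructed to show a non-matching entry.

```powershell
# Added example, not from the original post.
# Returns the address from each BES "Send() failed: ERR_MAILBOX_FULL" description.
function Get-BesMailboxFullUser {
    param([string[]]$Message)
    $pattern = '\{(?<user>[^}]+)\}\s+Send\(\) failed: ERR_MAILBOX_FULL'
    foreach ($m in $Message) {
        if ($m -match $pattern) { $Matches['user'] }
    }
}

# Constructed sample: the first line is modelled on the event shown in the post,
# the second is a made-up entry that must not match.
$sample = '{useremailaddress@domainname.com} Send() failed: ERR_MAILBOX_FULL, Tag=173571',
          '{other.user@domainname.com} Send() failed: ERR_CONSTRUCTED_OTHER, Tag=1'
Get-BesMailboxFullUser -Message $sample

# On the BES server: apply the same filter to the Application log and count
# the warnings per user, most affected first.
Get-EventLog -LogName Application -Source 'BlackBerry Messaging Agent*' -EntryType Warning |
    Where-Object { $_.EventID -eq 20000 } |
    ForEach-Object { Get-BesMailboxFullUser -Message $_.Message } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```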

If all else fails, doing a wipe of the user’s BlackBerry device, followed by a new Enterprise Activation, is a good fallback point. Provided everything else is working correctly (and all other users seem to be sending and receiving OK) this should clear up any issues for the user in question. Of course, you should just about exhaust all other avenues of investigation before trying this though!

Create new mailboxes / AD objects using Powershell & Exchange 2007

Here is something new I learnt today. Using PowerShell scripting can potentially save you a lot of time performing common day-to-day tasks. In this example I use PowerShell to create a new mailbox and Active Directory user object with Exchange 2007 running in my test environment.

1. First off, start by opening the “Exchange Management Shell”. This will load a PowerShell window for you.

2. Now we need to create a password variable and assign a password string to this in the form of a “SecureString”. Issue the following command in your shell window :

$Password = ConvertTo-SecureString -String "TryPassword123" -AsPlainText -Force

3. If you now type “$Password” and press Enter, you should get a prompt back saying “System.Security.SecureString”. This means your plain text password is now stored as a SecureString variable and is ready to use.

4. Next we will run the command to do all the work (that is, add the user and mailbox to Active Directory / Exchange 2007). Issue this command next (substituting the values relevant for your situation, of course!):

New-Mailbox -Name "John Smith" -Database "First Storage Group\Mailbox Database" -Password $Password -UserPrincipalName John.Smith@youremaildomain.co.uk -Alias John.Smith -DisplayName "John Smith" -FirstName "John" -Initials "JS" -LastName "Smith" -OrganizationalUnit "Home Users"

You should get a prompt back giving you a summary of what has been done.

This screenshot illustrates the above few steps :

5. After you have run the New-Mailbox command successfully, run “Get-Mailbox” to get a list of current mailboxes residing on your Exchange 2007 server. This should now show your new mailbox.
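A variant of the steps above that keeps the password out of the command line, as an added example that is not part of the original post. The function name New-UserMailbox is hypothetical; the database, OU and domain defaults are the values used in the post.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
function New-UserMailbox {
    param(
        [string]$FirstName,
        [string]$LastName,
        [string]$Domain   = 'youremaildomain.co.uk',                 # from the post
        [string]$Database = 'First Storage Group\Mailbox Database',  # from the post
        [string]$OU       = 'Home Users'                             # from the post
    )
    $alias = "$FirstName.$LastName"

    # Stop early if the alias is already taken.
    if (Get-Mailbox -Identity $alias -ErrorAction SilentlyContinue) {
        Write-Warning "Mailbox '$alias' already exists; nothing created."
        return
    }

    # Prompt for the initial password so it never appears in the command line,
    # the shell history or a saved script.
    $password = Read-Host -Prompt "Initial password for $alias" -AsSecureString

    # Create the AD user and mailbox, and force a password change at first logon
    # so the initial password is only ever used once.
    New-Mailbox -Name "$FirstName $LastName" -DisplayName "$FirstName $LastName" `
        -FirstName $FirstName -LastName $LastName -Alias $alias `
        -UserPrincipalName "${alias}@${Domain}" -Database $Database `
        -OrganizationalUnit $OU -Password $password `
        -ResetPasswordOnNextLogon $true
}

New-UserMailbox -FirstName 'John' -LastName 'Smith'

# Confirm the mailbox landed in the expected database and OU.
Get-Mailbox -Identity 'John.Smith' |
    Format-List Name, Alias, Database, OrganizationalUnit
```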