Exchange SSL certificates for IMAP and SMTP

September 29, 2008 · Filed Under Exchange Server 2007, Powershell · Comment 

If you’ve got an Exchange Server 2007 implementation, have you installed certificates for SMTP and IMAP (if you’ve enabled IMAP)?  Exchange will generate self-signed certificates (good for one year), but you’d be better off installing your own certificates to prevent client application errors related to invalid or expired certificates.  Since IMAP is made available through the Client Access Servers, you can easily add an additional Subject Alternative Name (SAN) for IMAP, such as imap.mail.mycompany.com, to the Unified Communications certificate that you’ve already got installed to cover Outlook Web Access and Autodiscover.

If you’ve got the Hub Transport role on the same server, then you can easily add another SAN to the same certificate…otherwise, you’ll need another certificate for your Hub Transport servers.  I’d recommend using a Unified Communications certificate here as well, so you can include both the individual server names and an alias such as smtp.mail.mycompany.com.

MS KB 929395 details the Unified Communications certificate providers that Microsoft has recognized.  I’ve personally been using Digicert with great results.  You can find some information about how to create the Exchange Server 2007 Unified Communications CSR here and how to install the certificate here.
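
An added example (not part of the original post) that audits the certificates currently bound to IMAP and SMTP and then requests and enables a replacement from the Exchange Management Shell. The host names other than imap.mail.mycompany.com and smtp.mail.mycompany.com, the C:\Certs paths, the 30-day window and the function names are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell on a server holding both the
# Client Access and Hub Transport roles (the combined case described above).
$expected = "imap.mail.mycompany.com", "smtp.mail.mycompany.com"   # aliases from the post
$warnDays = 30                                  # assumption: expiry warning window

# 1. Audit: list what is bound to IMAP or SMTP and flag anything a client would reject.
function Get-MailCertificateFinding($Cert) {
    $findings = @()
    $names = @($Cert.CertificateDomains | ForEach-Object { "$_" })
    if ($Cert.IsSelfSigned) { $findings += "self-signed" }
    if ($Cert.NotAfter -lt (Get-Date)) { $findings += "expired" }
    elseif ($Cert.NotAfter -lt (Get-Date).AddDays($warnDays)) { $findings += "expires soon" }
    foreach ($name in $expected) {
        if ($names -notcontains $name) { $findings += "no SAN for $name" }
    }
    return $findings
}

Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "IMAP|SMTP" } |
    ForEach-Object {
        $findings = @(Get-MailCertificateFinding $_) -join "; "
        "{0}  [{1}]  expires {2:yyyy-MM-dd}  {3}" -f $_.Thumbprint, $_.Services, $_.NotAfter, $findings
    }

# 2. Request: one Unified Communications CSR carrying every name clients will use.
#    mail.mycompany.com and autodiscover.mycompany.com are hypothetical names.
function New-MailCertificateRequest {
    New-ExchangeCertificate -GenerateRequest -Path "C:\Certs\mail-uc.req" `
        -SubjectName "c=US, o=My Company, cn=mail.mycompany.com" `
        -DomainName mail.mycompany.com, autodiscover.mycompany.com, $expected[0], $expected[1] `
        -PrivateKeyExportable $true
}

# 3. Install: run once the CA has returned the signed certificate.
#    Add IIS to -Services if this certificate also replaces the one used for OWA.
function Install-MailCertificate([string]$CerPath = "C:\Certs\mail-uc.cer") {
    Import-ExchangeCertificate -Path $CerPath |
        Enable-ExchangeCertificate -Services "IMAP, SMTP"
}
```

Re-run the audit pipeline after installing; the new thumbprint should be listed against IMAP and SMTP with no findings.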


Disabling Active Directory User Accounts, Part 2

September 4, 2008 · Filed Under Active Directory, Exchange Server 2007, Powershell · Comment 

As a followup to the Disabling Active Directory User Accounts, Part 1 post, here’s a Powershell script that will disable multiple accounts for you by using a CSV input file.

Script features:

  • The username of the administrator running the script is recorded in the text file that lists all of the groups the account was removed from.
  • An email is automatically created and sent to the configured recipients (such as the AD Administrators group and/or Information Security…), which is fantastic from an end-to-end accountability and auditing point of view (who did it, when did they do it and why…)
  • Disables the specified AD account
  • Hides the mailbox from the Global Address List
  • Removes the account from all groups it was a member of
  • Creates a text file log of all groups the account was a member of
  • Sets the password to be changed at the next login
  • Sets the disable date in the “Title” field (an unused field in my organization)

Just find the following variables in the script and change them accordingly:

  • $SourceFile = “\\MYSERVERPATH\account_disables_input.csv”
    • This is the full UNC path to the CSV input file
  • $EmailReportFile = “\\MYSERVERPATH\Account_Disables_Report.txt”
    • This is the full UNC path to where you want the report saved (this is what is emailed out)
  • $domain = “LDAP://dc=DOMAIN,dc=local”
    • The LDAP bind URL for your domain…
  • $To = “someone@mycompany.com”
    • SMTP addresses, comma separated, of who you want the report emailed to
  • $SmtpClient.host = “smtp.mail.mycompany.com”
    • The SMTP host name to handle your email report (typically your Exchange 2007 Hub Transport server(s) or Exchange 2003/2000 front-end server(s); make sure you can perform anonymous relay internally though….)

 Download the script here…

  Disable-ADAccountsMultiple.zip (3.2 KiB, 1,318 hits)


Exchange 2007 Ops Mgr MP Updated

August 8, 2008 · Filed Under Exchange Server 2007, Operations Manager · Comment 

Version 6.0.6363.0 of the Exchange 2007 MP was released in late July (with no fanfare that I noticed).

You can download it here.

Oddly though, the only fix reported in the update is listed as being for Exchange Server 2003?

Fixed an issue where clustered Exchange 2003 mailbox servers were discovered as being of type Ex.Common. Please see the Known Issues section for more information on how to resolve this issue.


Disabling Active Directory User Accounts, Part 1

August 4, 2008 · Filed Under Active Directory, Exchange Server 2007 · 2 Comments 

For a few years now I’ve been using a custom VBScript to disable AD accounts when employees leave the organization.  The script was pieced together from some things I knew how to do and others I was able to find elsewhere.  The script performed the following tasks:

  • Disabled the specified AD account
  • Hid the mailbox from the Global Address List
  • Removed the account from all groups it was a member of
  • Created a text file log of all groups the account was a member of
  • Set the password to be changed at the next login
  • Set the disable date in the “Title” field (an unused field in my organization)
  • Set the RAS settings to disabled

After our upgrade to Exchange Server 2007 earlier this year I noticed that the script was not functioning fully the way it should have.  Specifically, the hiding of the mailbox from the GAL was not occurring.  Sure, if you looked at the mailbox of an account that had been disabled using the script in the Exchange Management Console, the check box to hide the mailbox from the GAL was checked, but just the same the mailbox was not really hidden from the GAL.

So to correct this issue, I wrote a new script in Powershell (requires the Exchange Management Shell snapin) that would perform all of the same actions except setting the RAS attribute to disabled.

Both scripts are attached, and annotated where I remembered where certain portions of the script or ideas came from.  The VBScript should be able to be run without any changes unless you want to change what it does.  The Powershell (Exchange Management Shell) script should only require one change in the variable $domain as shown here:  $domain = “LDAP://dc=mydomain,dc=local”.

VBScript version: 

  disable_accounts_single.zip (1.7 KiB, 1,409 hits)

Powershell (Exchange Management Shell) version: 

  Disable-ADAccounts.zip (1.8 KiB, 1,200 hits)
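
An added example (not the downloadable script) showing one way to carry out the steps listed in this post and in Part 2 for a single account. The function names, the log folder and the CSV column name are assumptions; $domain and $SourceFile are the variables the posts describe.

```powershell
# Added example, not the author's script. Run in the Exchange Management Shell.
$domain = "LDAP://dc=mydomain,dc=local"    # LDAP bind URL, as in the post
$logDir = "C:\Temp\AccountDisables"        # hypothetical, must already exist

function Escape-LdapFilterValue([string]$Value) {
    # RFC 4515: escape the backslash first, then * ( ) and NUL, so a name read
    # from the CSV cannot change the meaning of the search filter
    $Value = $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28')
    return $Value.Replace(')', '\29').Replace("`0", '\00')
}

function Disable-DepartedAccount([string]$SamAccountName) {
    $root = New-Object System.DirectoryServices.DirectoryEntry($domain)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $safe = Escape-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $found = $searcher.FindAll()
    if ($found.Count -ne 1) { throw "Expected one match for '$SamAccountName', got $($found.Count)" }
    $user = $found[0].GetDirectoryEntry()
    $userDn = [string]$user.psbase.Properties["distinguishedName"].Value

    # Log who ran this and every group before changing anything
    # (memberOf does not list the primary group)
    $groups = @($user.psbase.Properties["memberOf"] | ForEach-Object { [string]$_ })
    $log = Join-Path $logDir "$SamAccountName-groups.txt"
    "Disabled by $env:USERDOMAIN\$env:USERNAME on $(Get-Date -Format s)" | Out-File $log
    $groups | Out-File $log -Append

    foreach ($groupDn in $groups) {
        # A group DN containing "/" would need escaping in this ADsPath
        $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$groupDn")
        $group.psbase.Invoke("Remove", $user.psbase.Path)
    }

    $uac = [int]$user.psbase.Properties["userAccountControl"].Value
    $user.psbase.Properties["userAccountControl"].Value = $uac -bor 2   # ACCOUNTDISABLE
    $user.psbase.Properties["pwdLastSet"].Value = 0      # change password at next logon
    $user.psbase.Properties["title"].Value = "Disabled $(Get-Date -Format yyyy-MM-dd)"
    $user.psbase.CommitChanges()

    # Hide the mailbox through the Exchange cmdlet instead of writing the attribute
    Set-Mailbox -Identity $userDn -HiddenFromAddressListsEnabled $true
}

# Part 2 style batch run; "Username" is a hypothetical CSV column name:
# Import-Csv $SourceFile | ForEach-Object { Disable-DepartedAccount $_.Username }
```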


Exchange Server 2007 MP for Ops Mgr Updated

June 26, 2008 · Filed Under Operations Manager · 2 Comments 

The Exchange Server 2007 Management Pack for Operations Manager 2007 SP1 was finally updated in the past week.  This release is very welcome, I’m sure, by many Operations Manager and Exchange Server admins alike.  You can download the updated MP from the MP Catalog here.

Also, there is a discrepancy in the requirements for the first hotfix.  The documentation included with the MP indicates you are to install the hotfix on all of the Exchange servers being monitored by Ops Mgr:  “Install the agent update specified in Knowledge Base article 950853 on all Exchange-based servers managed by Operations Manager before importing the Exchange Server 2007 Management Pack. This update addresses an agent memory leak issue.”  The hotfix KB article indicates the hotfix is to be installed on the Ops Mgr servers:  “You must apply this hotfix on all Operations Manager Management Server computers.”  From the notes inside the hotfix (emphasis added):

Note: This patch applies to SCOM 2007 SP1 Only

Summary

A problem has been identified with SCOM 2007 SP1 agent, which leaks memory when processing rules/monitors specific to exchange 2007 MP. This hot-fix resolves this issue.

Symptoms

When affected by this issue, SCOM 2007 RTM agents will leak memory aggressively only if you have imported Exchange 2007 into your Management group.

After applying this fix the issue should go away.

Installation
This hotfix must be applied to each computer that meets the following criteria:

  • Hosts a Microsoft Operations Manager Management Server 

The updates and prerequisites are below (emphasis added), copied from the included documentation (a nice change to have included documentation!).  Pay special attention to the three items below in red.  Note that the 950853 hotfix is not publicly available yet…so you’ll either need to call in and get it or, if you have a Premier Support contract, you can download it from the Premier Support portal.  The other two hotfixes do have a download available.

The May 2008 update to the October 2007 version of the Exchange Server 2007 Management Pack, version 6.0.6278.12, includes the following changes:

  • All updates included in the 08.01.0240.001 version of the Exchange Server 2007 SP1 Management Pack for Microsoft Operations Manager 2005, except updates relating to reports.
  • Overrides were documented in the Management Pack Guide for the LDAP Search Time and Failure DSNs Total rules and monitors.
  • The management pack was updated to support the renamed performance counters in Exchange Server 2007 Service Pack 1. Performance counters for the Database object were renamed to MSExchange Database.
  • The management pack was updated to support non-default names of the Reporting data warehouse.
  • The OWA Connectivity performance view was updated to show performance data.
  • Fixed an issue where cluster virtual servers were discovered as type Microsoft Exchange 2007 Mailbox Servers Installation.
  • The Management Pack was updated so that alerts are correctly generated for events logged by physical cluster nodes in an Exchange Server 2007 cluster.
  • Fixed an issue where the Exchange cluster virtual servers were discovered as type Microsoft Exchange 2007 Mailbox Servers – Physical Computers Installation.
  • The Microsoft_Exchange_Server_Exchange_2007_Mailbox_Replication_Health_Test_ReplicationHealth_Events view was updated to target the Microsoft.Exchange.2007.Microsoft_Exchange_2007_Mailbox_Servers___Physical_Computers_ComputerGroup.
  • The reports were updated to support non-US locales on the Reporting Server.
  • The date/time picker was added to the reports, allowing for more flexibility in report scheduling.
  • The Failure and Delay DSNs Total monitors were updated to look for deltas. Previously, the monitors measured the averages for the sampling interval.
  • Fixed an issue where the cluster virtual servers were discovered as type Microsoft Exchange 2007 All Servers Installation.

Before You Import the Management Pack

Before you import the Exchange Server 2007 Management Pack for Operations Manager 2007 Management Pack, note the following limitations of the management pack:

  • There is no support for agentless monitoring.

Before you import the Exchange Server 2007 Management Pack for Operations Manager 2007 Management Pack, take the following actions:

  • Ensure that all systems running Exchange Server 2007 that are managed by Operations Manager use Local System as the Agent Action Account.
  • If you are monitoring Exchange Server 2007 clusters, ensure that all physical nodes of the cluster are monitored by Operations Manager 2007 and that Agent Proxy is turned on for each physical node in the cluster.
  • Install the agent update specified in Knowledge Base article 950853 on all Exchange-based servers managed by Operations Manager before importing the Exchange Server 2007 Management Pack. This update addresses an agent memory leak issue.
  • Install the update specified in Knowledge Base article 951979.  This update contains an updated agent restart script and fixes issues with cluster discovery.
  • If you are monitoring Exchange Server 2007 clusters, ensure that you have installed the agent update specified in Knowledge Base article 951380 on all Exchange Server 2007 cluster nodes managed by Operations Manager. This update addresses an issue with cluster discovery.

Note:  The agent updates require System Center Operations Manager Service Pack 1. If you do not install the above updates before you install the Exchange Server 2007 Management Pack for Operations Manager 2007 Management Pack, your installation will not work optimally.

The relevant KB articles for the referenced hotfixes:
