Email is one of the most important communications tools for businesses. When it stops working, people start to get nervous.

While there are many things that a user can do to mess up their email, many of these problems can be resolved with a restart of the software or the computer.

However when the old standby of restarting doesn’t work, it is time for the email administrator to start looking into the issue a bit more deeply.

Here are some of the more common errors found in Outlook 2007 along with some of the ways you can make things right again:

1. Error message that reads: “Cannot open your default e-mail folders. The information store could not be opened.”

This issue can be fixed by first locating Outlook.exe that can be found here: C:\Program Files\Microsoft Office\Office12.

Next, right click Outlook.exe and then click on Properties.

On the Compatibility tab, clear the check box that reads ‘Run this program in compatibility mode’. Then click Ok and restart Outlook.

2. Error message that reads: “Your Microsoft Exchange Server is unavailable.”

This error is a bit trickier to resolve only because there can be many different causes.

No data connection – test your SMTP connection using telnet. If you are unsure how to do this, Microsoft has provided a guide on their TechNet site that walks you through this process: http://technet.microsoft.com/en-us/library/bb123686.aspx.

Office Outlook files are locked – there are times when .ost and .pst files are accidentally, or purposefully, set to read only. Check the permissions of these two files by navigating to:

C:\Users\<username>\AppData\Local\Microsoft\Outlook\ for .pst files and C:\Program Files\Microsoft Office\Office12\ for .ost files. Make sure that neither is set to read only.

Third party applications are interfering with Outlook – many programs, including anti-malware solutions, can interfere with Outlook connecting to the Exchange Server. To check to see if this is the cause, start Outlook in safe mode.

Outlook files are corrupted – this can happen after an upgrade is applied to Outlook. If any of the .dat files listed below are present they should be deleted or renamed.

• Extend.dat – Located in C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook\
• Frmcache.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Forms\
• Views.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Outlook\
• Outcmd.dat – Located in C:\Documents and Settings\<username>\Application Data\Microsoft\Outlook\

All the files, with the exception of Outcmd.dat will be re-created. The Outcmd.dat file saves customized toolbar settings so if it is removed these settings will have to be re-applied.

3. Office Outlook will not open personal folders or personal folders do not show up in Outlook.

Personal folders are often the root of many problems related to Outlook. Microsoft has published the Inbox Repair tool, Scanpst.exe, that can be used to scan .pst and .ost files for errors in the file structure. If this is not intact, it will reset the file structure and rebuild the headers.

This tool will only work on the files that reside on your computer’s hard drive, not the files on the Microsoft Exchange Server.

This will also help to resolve the error message: “Cannot open your default e-mail folder. The file c:\users\owner\documents\software info\outlook.pst is not a personal folders file”.

4. Error messages that read either: “The action cannot be completed. The connection to the Microsoft Exchange Server is unavailable. Your network adapter does not have a default gateway” or “Your Microsoft Exchange Server is unavailable”.

This error occurs when Outlook is unsure of the default gateway address. The former is the error message that shows when the Outlook profile is configured automatically and the latter appears when the profile is manually configured. Both have the same fix.

To repair this you will need to edit the registry so clicking on Start and then Run is necessary. Then, enter regedit in the Open box and click OK.

Next, navigate to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC. On the Edit menu, point to New, and then click DWORD Value.  Type DefConnectOpts, and then press ENTER. Now, right-click DefConnectOpts, and then click Modify. In the Value data box, type 0, and then click OK.

5. None of the authentication methods supported by this client are supported by your server.

This happens to people when they use their computer in multiple locations. For example, a laptop is taken home and connected to the home network or perhaps a computer is taken on the road. Basically, it comes from authentication rules for the SMTP server.

When this error occurs go to the Account Settings tab and click on Change then More Settings. Now select the Outgoing Server tab.

The option that reads: “My outgoing server requires authentication” and the one that reads: “Log on to incoming mail server before sending mail” should both be looked at. If there is a check in the option box remove it.

5 Common Outlook Errors and How to Fix Them

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

I want you all to go grab your favourite marketing person and make them read this post. You know the ones I am talking about. The one that doesn’t understand why they have to take the 3600dpi 8GB PDF that could be blown up to the size of the Empire State Building without looking grainy, and reduce it for sending over email to a customer. The one who came in early last week to send an email blast to a 1000 person customer list that they bought from a guy they know, which resulted in your corporate network being placed on every RDNS blacklist on the planet. The one who doesn’t understand why when he sends an email, the customer doesn’t have it open to read before he lets goes of the mouse. The one whose laptop you secretly want to replace with an Etch-a-Sketch.

You know the one I am talking about… the one who just doesn’t “get” what you keep trying to tell him. I want you to share this blog post with him…maybe even forward it to him </wink>. This blog post is a list of seven things that non-technical folks should NOT do in email, unless of course, the objective is to lose customers and infuriate people.

1. Create form letters without testing them
   Here’s an example of something I got in my email today:
   
   And here’s the first thing I zoomed in on and clicked.
   
   If you are going to send out bulk email, either address it to “valued customer” so we’re at least honest about how impersonal it is, or test your program on your own personal account and a few of your cow-orkers before you fill your customers’ inboxes with junk.
2. Email an attachment that should have been the body of the email
   How many times have you gotten an email with an attachment and had to open the attachment to find that it either could have been incorporated in the body of the message, or left on a webserver and the email should have just included the link? That just wastes everyone’s time, and bandwidth, and also raises the chance your message will be blocked before the user even sees it.
3. Use a fixed width format that cannot be viewed on a mobile device
   If I have to scroll back and forth or pinch and zoom to read your message, I’ll probably just delete it unless it was something I specifically asked for. When you are trying to get your message out, make sure it can be received on any of the myriad devices your (potential) customers might use; full PC mail client, smartphone, e-reader, tablet, etc.
4. Use micro-fonts
   The saying is that 12 is the new 10. As devices get smaller, and as folks’ eyes get worse from staring at screens all day, one very bad thing you can do to people is make them squint to read your message. Yes, of course they can zoom in; but they could have also gone to your website instead of reading your email. Any extra effort or inconvenience is that much more reason for someone to delete you message unread.
5. Send read-receipt requested email
   If you want to know for a fact I got something, deliver it in person. Anything else is invasive and rude. When people do that to me internally, I make it a point to go over to their office and read the message out loud to them from my phone, asking for help with the big words. When sales people do it on unsolicited messages, I add them to the junk senders list.
6. Send an email to a large list of people where the only thing they have in common is that they’re in your address book or on your list
   It’s called BCC, and if you aren’t using it, you’re doing a huge disservice to your customers by exposing their information to people they’d just as soon not have their contact details. Hey admins? Why aren’t you limiting recipients per message to prevent the “mistakes” from happening?
7. Do not include your phone number in your email
   If you don’t want to take a customer call, you can always let it go into voice mail, but if you actually got our attention, and maybe we want to talk to you about what you’re selling, don’t make us hunt for your telephone number!

Readers, this is a chance for you to sound off about the things people do in email that drive you up a wall. Leave a comment (you don’t even have to register) and share your horror stories, pet peeves, or the worst affronts you’ve personally witnessed. Hello Internet, I’m listening.

How to Lose Customers and Infuriate People

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When starting out, many small businesses set up their email using one of the free accounts available to them. Services like Gmail by Google, Hotmail from Microsoft or Yahoo!’s mail service, provide a working email address with almost no maintenance for a business just getting its feet wet.

However this may not be the best way to make a first impression with your potential customers.

Listed below are seven reasons why you need to ditch the yourcompany@freeemail.com and go with an address that better reflects the image you want your company to have.

1. Free email looks less professional

People associate free email services like Gmail or Hotmail as a personal accounts. Businesses, on the other hand, should have an email address that looks more professional. In fact, a study by Visible Logic in Amsterdam found that 70 percent of people view email messages coming from free email services as less professional when used by a business.

2. Free email looks spammy

Over the years, people have been burned so often by spam that they have become very adept at spotting shady looking emails in their inbox. One way to spot an email that may have malicious intent is by looking at the address. If you email address doesn’t look legitimate, your messages may be overlooked by overly cautious recipients.

3. Free email looks cheap

When people receive an email from your company and it has the @freeemail.com trailing it, your company looks cheap. For less than five bucks a month, you can set up an email address with your company’s domain. Sometimes you can even get a few of these for free when you host your company’s website. Customers who see that you are unwilling to spend a few dollars on this are often left to wonder what else your company may be skimping on.

4. You lose credibility when you use free email

A legitimate, professional looking email address tells your customers that you are here to stay.

Not only that, but having multiple email addresses such as: info@yourcompany.com, sales@yourcompany.com or service@yourcompany.com shows others that you are a well structured organization. The impression one gets when there is one, free email as the sole contact is that one person is handling everything for a company. This may scare larger clients away for fear that the company cannot handle their needs.

In today’s business atmosphere, trust is everything. Especially when it comes to online sales. Every little thing your company can do to establish trust and credibility will help your business grow.

5. Free email is less secure

Remember the old saying: there is no such thing as a free lunch? Well that applies to email as well.

True, Google, Yahoo!, Microsoft and the other free email providers do everything they can to make sure that their email services are as secure as possible, but things can slip through the cracks.

To pay for “free” email, users are subject to advertisements. While these help pay for the servers and storage space, they also have been linked to spam and hijacking. There have been several cases where businesses have had bank accounts and other confidential information compromised by cyber criminals who intercept email messages of companies that use free email services.

6. Free email may put you out of compliance

Nowadays, there are regulations and laws that govern so many industries and their record keeping that many large companies have entire legal teams dedicated to just compliance related issues.

But smaller companies are not immune to compliance. Companies of all sizes need to be aware of HIPPA when it comes to healthcare, PCI DSS when dealing with credit cards, and CAN-SPAM Act when it comes to marketing.

Free email likely does not offer you the tools required to be in compliance with any of these, or the many other, laws or regulations for email use.

7. You miss out on marketing your brand

Having your website’s domain name in every email you send out gives you the opportunity to build your company’s brand. Info@yourcompany.com puts your web site address in the minds of your customers. They know where to turn to when they need your services because they are so used to seeing your domain in every communication from you.

7 Reasons to Ditch That Free Email Address

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

BYOD can give administrators a headache.

More and more organizations are finding their employees using personal devices to access company data. Without some measure of control, those workers can create serious security problems for their employers.

As much as some administrators would like to block the use of personal devices in the workplace, that’s unlikely to happen for a number of reasons. For example, many employees are already using their own devices at work, as a recent survey by IDC shows. That poll found that 95 percent of workers use one personally purchased device on the job.

In addition, businesses are demanding more and more productivity from their workers, and that’s what they can get by allowing employees to use their own gadgets for work. One study by iPass, for instance, showed that employees using personal devices worked 240 more hours a year.

Not many companies would want to part with that kind of productivity, and they’re not going to, according to a Gartner analysis. To do so, that report noted, corporations will be embracing the practice by placing their apps on their workers’ devices. In fact, by 2014 Gartner predicts that 90 percent of all employee-owned devices will have corporate apps running on them.

Other cultural and technology trends are also making opposition to the Bring Your Own Device futile. Hardware makers are finding they need to produce products with a consumer bent if they want to stay in business.

Virtualization and cloud computing encourage access to corporate technology resources whenever worker wants to access them and with whatever they want to access them with.

Meanwhile, as the line between work and non-work becomes more and more obscure, the case for creating a clear line of demarcation between work and home devices becomes weaker and weaker.

To address issues created by the use of personal devices in the workplace, companies have begun to adopt BYOD policies. Before adopting such a policy, here are some questions an organization might want to consider.

• Should data be classified to determine what can and can’t be downloaded by personal devices?
• What happens to company data on a personal device when an employee leaves the company?
• What happens if a personal device is lost or stolen?
• Do personal devices need to be configured in any special way?
• How can an acceptable password policy be implemented on a personal device?
• What forms of encryption should be acceptable?
• What personal devices are acceptable for use with corporate resources?
• Should employees be allowed to jailbreak or root their devices, as doing that may make the device more susceptible to security risks.
• Should employees be required to sign the BYOD policy before they’re granted access to the company’s network?

Some of those questions were considered by Unisys when it formulated its BYOD policy. Among the requirements of that policy is that Unisys has the right to confiscate a device if it’s needed for litigation purposes.

That policy requires employees to accept a digital certificate to be installed on their personal device. It authenticates the device to Unisys’s systems, and it allows the company to analyze access behavior. Knowledge of that behavior can be used to identify abuse of access privileges.

The certificate gives an employee access to email and calendar functions on the system. Access to other functions can require additional authentication.

Another requirement of the policy, and one most administrators will find desirable, is the installation of a program on the device that enables all data to be remotely wiped on a unit that is lost or stolen.

What Should Be in Your BYOD Policy?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

You may have read the stories about how Atos Origin, a French IT services company, is looking to make their offices an email-free workplace by the year 2013 to eliminate what they call email pollution.

By turning to collaborative social medial tools, such as the Atos Wiki, employees have already seen a 20% reduction in “email pollution” six months after this initiative went into practice.

Volkswagen has also attempted to cut back on after hour’s emails being sent to and from employees Blackberrys in a similar effort. However, while cutting back on emails like Atos is trying to do may seem trend setting, it hardly seems to be a realistic goal.

Not only because of how many workplaces have become reliant on emails to get work done, but rather how these people use email to get work done.

As we all know, emails are not only used to deliver electronic messages. People in office buildings all over the world have found ways to “hack” their email accounts to do much more than send and receive messages.

Let’s take a look at some of the most creative, but common, ways email is used for things other than email.

Instant Messaging

Instant messaging is still taboo in many corporate settings. For some reason, IMs still conjure up images of the old AOL chat rooms in the eyes of most managerial types. So instead of embracing the technology, it becomes banned in the workplace.

Creative employees have learned that they can send a quick message to a coworker using the subject line alone. For example, sending a message with a subject that reads I have the research for your project EOM tells the recipient everything they need to know and lets them know that your subject line is the entire message (that is what the EOM, or End of Message, means).

Online/Portable Storage

There is hardly a person with an office job who hasn’t found themselves working on something that they needed to take home to complete. When they reach for that trusty USB portable hard drive they remember it is sitting on their desk at home still plugged into their laptop.

Email becomes a quick replacement as you can simply attach the document, spread sheet, etc to an email message and send it to yourself. Problem solved. Of course you would want to be extra careful when doing this with content that is considered sensitive or confidential.

File Transfer

Sending files to other people, or even yourself, can be tricky in the workplace.

Many companies block executable files from being attached to email messages to prevent malware from being spread via email.

However many employees have realized that they can get around this by changing the file extension from .exe to something that is permitted, like .docx. The recipient then needs to simply rename the file extension when they download it.

Setting Reminders

While most email clients have some sort of calendar that allows us to set reminders, we don’t always have access to them.  We may remember something late at night that we need to remind ourselves to do when we get to the office in the morning. If you can’t get to your calendar, you can always send a reminder to your work email. That way, when you are sifting through your morning emails you will remember what it is you have to do.

The same can be done in reverse.

Saving Hyperlinks

Bookmarking interesting or useful websites is great if you only use one computer. Using a solution like Evernote or Thirsty solves this, if your company allows these services through the firewall that is.

Then there are those who copy links and paste them into an email message. Sending this email to themselves almost assures them of the fact that they will be able to find these web sites at another time.

This little email hack is applied to just about anything found online. Sites, videos, presentations, etc. are all saved by cutting and pasting into email messages.

Of course, all of these tricks just add to the scourge of email pollution that companies like Atos are trying to get rid of. But hey, if they make your employees work easier, and better, and they don’t violate any acceptable use policies, is there really any harm?

5 Creative Uses For Email

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

If you’ve been working with Exchange for several years, you might remember a little thing from Exchange 2003 called Outlook Mobile Access. This HTML only version of browser-based access to your Exchange mailbox was developed at a time when smart phones were mostly a dream, but web browser capable phones, Palm Pilots, and Windows CE devices ruled the portable space. In a world where bell bottoms are once again popular, it should come as little surprise that OMA is back, this time courtesy of Service Pack 2 for Exchange 2010.

The Exchange Team at Microsoft decided to bring back the mini version of Outlook Web Access because apparently there is still a large demand for mobile access to Exchange email in parts of the world where web capable, but not fully “smart” phones, are still in use. These devices have less horsepower, fewer features, and only a basic HTML web browser, but cost less and require less bandwidth as well, making them perfect for area with less infrastructure, and very popular amongst prepaid plan customers.

What is OMA?

Outlook Mobile Access (OMA), or more accurately in Exchange 2010 Outlook Web Access Mini (OWA Mini), is built on a series of forms and requires only HTML and cookie support in the mobile browser. To provide maximum compatibility, it is based on HTML 2.0.

What do you get in OWA Mini?

OWA Mini includes the following features:

• Mailbox access, including all subfolders
• Calendar access
• Contact list access
• Task list access
• GAL access
• Meeting request processing
• Timezone
• OOF

How do users access it?

There is no client detection for OWA Mini. In fact, it is just a vdir called \OMA under the \OWA virtual directory. Unless you provide users a better way to get there, they will have to enter the full URL https://mail.example.com/owa/oma, which is pretty lame, so do your users a favour and create a mobile friendly URL that will redirect them to the OWA Mini path. Try http://m.example.com and have that do a 301 or use a refresh tag to direct mobile users to the full HTTPS path.

Other things to know

OWA Mini uses basic authentication only, so you must support that in your IIS instance. If you are publishing OWA Mini through TMG, you won’t be able to use FBA. There is no authentication cookie or Javascript involved, so there is no logoff button in OWA Mini. It does use the “Public” timeout for sessions, so yes, users can go right back into their mailbox after closing their browser without authenticating again if they are quick enough. You can also enable or disable OWA Mini using the Exchange Management Shell. Use the Set-OWAVirtualDirectory cmdlet with the –OWAMiniEnabled Boolean parameter to turn it completely on or off, or use the Set-OWAMailboxPolicy cmdlet with the –OWAMiniEnabled Boolean to turn it on or off on a per user/group basis with policies.

OWA Mini may have limited use for a company that has Windows Mobile, Droids, Blackberries, and iPhones, but if your users are global, or just prefer less expensive web phones, OWA Mini is a great way to provide them access to their email while on the go.

No smartphone, no problem. Meet SP2’s OMA.

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Despite the claims of one CEO of a major global high tech company, many workers believe their internal email is important enough to scrutinize when they should be kicking back and being jolly during the holiday season.

In a poll of some 1000 people with full-time jobs in the United Kingdom, surveyors found that nearly half of the workers (46 percent) intend to check their office email either frequently (15 percent) or intermittently (31 percent) during yuletide. About a third of the sample (34 percent) said they’d totally resist the temptation to check their email during their stay at home during the festive period.

Younger workers (18-24 year olds) were more likely to check their email during the holidays that older ones (50 years old or older), according to the survey conducted by OnePoll and sponsored by SecurEnvoy, a firm specializing in two-factor authentication without tokens.

While 21 percent of the respondents said that there was no expectation or compulsion by their employers to have them check emails while at home, 20 percent felt they’d be at a competitive disadvantage at the office if they failed to do so. Nevertheless, nearly half (46 percent) of the respondents told the pollsters that if they were contacted by their employer during the holidays, they’d be “very angry” (28 percent) or “really annoyed” (18 percent).

No doubt, along with any office nuggets in their inboxes, employees will find one of these scams making the rounds right now:

• Offers for free screen savers never seem to lose their appeal to scammers or their allure to victims, who want to give their computer displays a festive look during the holidays.
• Gift cards have become popular with gift givers, as well as with Net grifters. Typically, they’ll offer a gift card from a popular store at a discount. That’s because the card has been stolen or is bogus. Gift cards are best purchased directly from the store that issues them.
• An assortment of deals, special offers and discounts tied to the season. While these may have the appearance of legitimacy—scammers have become very adept at mimicking the official mail of banks, retailers and such—these missives usually contain malicious links aimed at conning personal information from a target or infecting their computer or smartphone with malware.

While many workers are thinking of checking email during the holiday out of a concern, either real or imagined, for keeping their jobs, few are thinking about protecting themselves or their companies from cyber criminals. Nearly half (46 percent) of the survey sample polled by OnePoll admitted that they don’t use any kind of security on their mobile phones, not even a simple personal information number (PIN), even though they acknowledged that they’d be reading emails on them that could include sensitive information and unencrypted documents.

“If you’re accessing the corporate network to retrieve emails, using a password or hardware token that’s left next to your PC just isn’t adequate,” warned SecurEnvoy CTO Andy Kemshall. “Should Santa, his elves or someone a little more sinister drop by and liberate you of your token or copy your password, they could be stealing vast amounts of critical company data,”

Cell phones can be a great alternative to passwords and custom tokens for accessing corporate systems because unlike custom tokens, most people always keep their phones with them and are diligent about keeping tabs on them. They’re even a better alternative if access to them is protected by a PIN or password.

Santa Checks His List; Everyone Else Their Email

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

For those of you who haven’t heard of Loggly, Loggly is cloud based service for complete application intelligence for app developers.  Loggly uses log data to collect, analyze, troubleshoot and monitor your applications. They are a heavy user of Amazon’s Web Service hosting, and recently experienced a truly stellar outage of massive proportions. You can read about that on a Loggly blog post here which I encourage you to do. However, I am not here to talk about lessons learned about hosting and availability, and putting eggs in consolidated baskets. Nor am I planning to talk about on premise versus hosted, and the perceived dangers of the cloud. It’s what happened to Loggly and how they went unaware of the impending freight train heading their way that I want to discuss, because there are some great lessons to learn from that little subset of their blog post.

Here’s the bit that prompted this post:

Originally we stated we had not received reboot notices from Amazon, but the truth is that (4) of the staff here, myself included, received two separate vague notices, one from about 10 days ago, and another from 3 days ago, which stated ‘some or all’ of our instances were scheduled to be rebooted.  These notices were found in our spam folders on Gmail, placed there with a very large red notice reading: “Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.”

In summary, AWS did send notice in advance, but those notices went unread. One of my favourite John Wayne movies is “Big Jake” and one of my favourite quotes comes from that movie. It is quite appropriate here, if somewhat shortened for context.

Anything goes wrong, anything at all…your fault, my fault, nobody’s fault…it won’t matter

And the fact is that it won’t matter at all that AWS notifications to Loggly got flagged as spam and therefore filed in the next best thing to the bit bucket. It doesn’t matter that Loggly is using Gmail, which strikes me as somewhat strange for a business, though perhaps they meant Gmail for Domains. It also doesn’t matter at all that whatever AWS sent in those email notifications, it caused some spam filter somewhere to flag the messages as spam, and even worse, as a potential phishing message. What matters is notice of reboots were sent, they weren’t read, and full outage resulted. Oops.

So here’s where I think the fix lies. With Amazon. NOT THE BLAME, just the fix, and this is the lesson I want us all to take away from what happened to Loggly and with the perspective that as a service provider, we should do better for our customers.

1. Establish a single email address to send out service notifications from.
2. Ensure it is monitored and checked regularly for replies, NDRs, etc.
3. Encourage customers to use a D/L for our notifications that helps ensure key personnel within our customers’ orgs receive all notifications.
4. Monitor the popular DNSBL services to make sure we’re not listed by mistake.
5. Follow up on any NDRs to make sure customers are able to receive notifications.
6. Test that by making new customers receive and acknowledge they have received a test notification email.
7. Make sure that the email address is properly formatted and from your domain.
8. Use valid SPF and DKIM and ensure that alert emails are sent from a compliant system.
9. PGP or GPG sign all messages sent from this account to provide further authenticity.
10. Keep links and additional content that could be misinterpreted as spam to a minimum.
    Okay the above make a lot of sense, and are probably already being done by most of you, but here’s where we as service providers should take things to the next level.
11. Maintain an email account on the popular services (Hotmail, Gmail, Yahoo, AOL, etc.) and send notifications to those accounts regularly to test for deliverability.

That last step is where I think Amazon should take a closer look, and any of us who are service providers should too. I like Gmail, and I trust Gmail, and if they find something in an email that makes them flag it as a phishing message (indicated by the Loggly blog post when they copied the “Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information”) then there is something in that email that set off all the alarms, failed the sniff tests, and was probably just a bad idea not really adding any value to the notification. Maybe the source address was different from the reply to (and in a different domain) or maybe the notification had links to a number of obsfucated URLs. Whatever the reason is, if I had seen a message in my spam folder that was flagged like that, I would have ignored it too.

When we, as service providers, need to notify our users of important things, like maintenance windows, changes to our terms of service, our outages, we need to make darn sure that users get them.

What about you? Have you ever missed a key notification because it fell victim to a false positive, or do you have any better ways to keep communications open with your customers?

Lessons Learned from the Loggly Outage

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.

I was lucky that I did check it. The new message was actually from my personal email account and the contents of the message contained only one link and other people were also sent the same message.

I realized immediately that my personal email account was sending spam. I was upset with this because working with email and security, I write and train others on best practices. Not only this, but I follow them as well. I make sure that:

• I use strong passwords and phrases
• I change my passwords frequently
• I don’t use the same password over and over
• I update my anti-malware software regularly
• I run anti-malware scans regularly (ironically, I had just run a scan the day before)
• I am careful about what sites I visit
• I am careful about clicking links in emails
• I am careful about what I download, even checking the MD5 hashes when available.

However after I realized what had happened I didn’t make the classic mistake of denial that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.

Steps taken

When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.

At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.

However looking at a few of these messages I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this said is that:

A) My email address had not been spoofed.

B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.

It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.

Most passwords are captured from a keystroke logger installed on your computer. If you go ahead and change your password, you are simply letting the attacker know what your new one is.

Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.

The three scans from Malwarebytes Anti-Malware, TDSSKiller Antirootkit utility and Ad-Aware all came up clean so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages came up but looking at the headers, these were delayed as the original message sent from my account occurred between 6:48 AM and 6:54 AM so everything looked clean.

Digging deeper

Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.

To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.

Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru registered out of Russia advertising for an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.

After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.

Even as the so-called experts when it comes to email, we have to realize that as threats escalate in sophistication we too are vulnerable. Following the best practices and taking the proper measures to secure our email accounts certainly help, but there is no way that any of us can assume that our accounts are 100% safe.

Yes, My Email Account Was Compromised

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

You might have heard by now that Exchange 2010 SP2 has been released, and if you are looking to migrate some or all of your on-premise email to hosted email from Microsoft’s Office 365, two of the best things about SP2 are the New Hybrid Configuration Wizard and the Manage Hybrid Configuration Wizard.

The New Hybrid Configuration Wizard is designed to make establishing a hybrid coexistence relationship between your on premise Exchange organization and another Exchange organization as easy as possible. Scenarios where you would need to establish a hybrid deployment can include Office 365 or another cloud provider, where you will have some mailboxes on premise and others in the cloud either in the short term during migrations, or permanently when you want to keep some mailboxes on premise and move others to the cloud. Hybrid deployments let you:

• Share an SMTP namespace
• Share a unified GAL
• Share free/busy
• Centralize mailflow
• Use a single OWA URL
• Securely route mail between on premise and cloud mailboxes
• Move mailboxes between on premise and cloud with automatic Outlook configuration,
• and more.

Whether you want to move all of your email services to the cloud, or just a subset, one thing you should understand up front is that this will not be a point and click operation. Email is complicated, and email coexistence can be even more so, but SP2’s new Hybrid Configuration Wizard takes the approximately 50 manual steps required to set up hybrid configuration, and boils them down to a simple and wizard driven process.

The Hybrid Configuration Wizard has three main pieces:

1. A new wizard in the Exchange Management Console that provides step by step guidance through the entire hybrid deployment process.
2. New Exchange Management Shell cmdlets which are executed in the background by the wizard, but also available to you for administration and scripting.
3. Better and simplified management of many of the hybrid features.

When you run the wizard to establish a hybrid configuration, the wizard will handle many of the testing and verification steps that used to be manual processes, including:

1. Verified all prerequisites for hybrid deployment.
2. Creates the federation trust between your on premise environment and Office 365.
3. Creates the mutual organization relationships between your on premise Exchange and Office 365.
4. Makes the necessary email address policy modifications needed for moving mailboxes from an on premise server to Office 365.
5. Takes care of both mailtips and free/busy calendar sharing, as well as message tracking for easy interaction between on premise and cloud users.
6. Sets up the secure mail flow (TLS) between your on premise and Office 365, and configures mail routing to meet your requirements in case you have on premise DLP or other services.
7. Enables online archiving for on premise mailboxes if you have subscribed to that feature.

The Exchange 2010 SP2 Manage Hybrid Configuration Wizard enables you to manage this hybrid deployment easily, making your Exchange organization seem like a single management entity, even though some of your mailboxes are in the on premise infrastructure, and others are in the cloud at Office 365 datacenters. With a hybrid deployment, users won’t notice (or care) whether another user within the company has their mailbox on premise or in the cloud; they all look like they are a part of a unified Exchange organization. Mailbox moves between on premise and cloud are easy and can be done with minimum interruption to the user. If they are using Outlook 2010, they can even stay connected to their mailbox until the last few moments of a move, and will only need to close and restart Outlook to connect to their mailbox; no client reconfiguration, no download of a new OST.

If you are considering Office 365 as a part of your email service offering, be sure to look at the benefits of the SP2 Hybrid wizards. Managing email won’t become an end user task, but these wizards will sure make our lives easier!

First Look At The SP2 Hybrid Configuration Wizards

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Or is it? In a move that will have technology professionals first aghast, and then scratching their head, and finally a little jealous, Thierry Breton, the Chief Executive Office of the French information technology company ATOS has enacted a policy of “zero email”, in essence, banning internal email.

With more than 74,000 employees in 42 countries and 2010 revenues of $11.5 billion, this is not a small statement or a simple change in corporate culture.

Stating that his company’s employees receive on average two hundred emails per day, Thierry estimates that only twenty could be considered useful, thirty-six are considered spam messages, and the rest are so much noise generated internally that could as easily be handled using an Intranet portal, instant message, or phone call. ATOS is increasing its internal use of instant messaging applications, and the use of an internal “Facebook-like” portal.

Breton is no stranger to being a stranger to email. The former French finance minister took over as head of ATOS, and has not sent an email, since he started in November 2008. In a statement announcing the policy in February, Thierry said

“We are producing data on a massive scale that is fast polluting our working environments and also encroaching into our personal lives”. “At [Atos] we are taking action now to reverse this trend, just as organizations took measures to reduce environmental pollution after the industrial revolution”.

ATOS expects that by 2013, more than half of all digital content will come from updates to existing content.

ATOS uses Microsoft Corporation’s Office Communicator for instant messaging, which enables user to user and multi-party instant messaging, video conferencing and application sharing. They also use a wiki type approach to information sharing, easily enabling all users to create or contribute data online to their internal portal.

A statement from ATOS spokesperson Caroline Crouch to ABC News emphasized that this policy is focused on internal emails, and that external email with customers and partners will continue as normal.

Considering the amount of time I personally spend on email every day, and how much of that is “broadcast” type data that could be placed on the intranet home page, I am starting to see a certain appeal to this. Even with the widespread deployment of SharePoint, too many users still look at email as a file transfer system, forwarding Word docs to me even after I put them in a document library and send them a link to view and edit the file within SharePoint. We use Microsoft Lync (the latest version of Office Communicator) and a WordPress theme called P2 for a lot of our internal communications, but they are currently enhancements to, rather than replacements for, email. Certain teams (following IT’s example) are using private Twitter accounts for some team communications and manager-to-team broadcasts, and we’re always looking at other means to improve communications, but we’ve never looked at eliminating email (and, as an email admin, I hope we never do!)

Of course, there are security considerations to take into account, especially when using external services, and we’re also trying to narrow down on platforms to reduce the number of different systems we have to maintain. So far, we have a lot of interest, but no clear direction one way or the other.

ATOS’ new policy does have a certain appeal to it, if you can change the cultural approach to email, and provide enough guidance to uses about when to go to email, or when to go to other technologies for internal communications. I’d envision the following:

• File sharing of any type: SharePoint
• Simple question and answer, informal updates, dialogs that are in near real time but do not require a “paper trail:” Instant Messaging
• Short broadcast type updates: Private Twitter feeds (or SMS)
• Longer broadcast type updates: Blog posts on SharePoint
• Collaborative discussions: WordPress with P2 or SharePoint wiki
• Formal internal communications, more involved questions, private updates: email
• External communications: email

What about you? Do you see any appeal in reducing the volume of email internally? Do you use any other type of communications internally already, like instant messaging, wikis, etc.? What works for you, and what tips can you share with the other readers?

No Email at Work? Inconceivable!

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Some $87 billion in wasted time a year could be saved in the United Kingdom alone simply by enforcing  better email management by corporate directors and senior managers.

That’s the conclusion reached by a U.K.-based training company after its surveyors discovered that directors and managers waste an hour a day on their jobs because they manage their email poorly.

The estimate from the study conducted by training company Emailogic is based on an average director making $140,000 a year and there being some 4.5 million private companies in the United Kingdom.

An hour may not sound like much, but that’s 20 hours a month, or half a work week, that could be used to increase a highly paid individual’s productivity and further fatten a company’s bottom line.

“This is highly significant because it is 20 hours per month of senior executive time—this is key personnel time being lost every day and will be having real impact on business productivity,” Emailogic Managing Director Marc Powell.

The survey was based on a study of 115 senior managers, directors and partners from a variety of industries—pharmaceuticals, banking, law and retail. Based on a comparison between the time spent by the executives on email before and after they completed their email management training, the surveyors found that they saved 59 minutes a day from their email regimen.

One of the tips that email management trainers give their students is to avoid checking their inboxes every time a new message arrives. Doing that, they contend, creates productivity leaching interruptions. They recommend turning off all audio alarms—no more “You’ve got mail!”­—and checking mail at defined intervals.

From Emailogic’s survey findings, the study participants took that tip to heart because, as a whole, they were checking their inboxes 39 percent less often after finishing their training.

More advice offered to the execs was to let people know when they send you a copy of information that you don’t need and to write clear and meaningful subject lines.

That advice, too, appears to have been embraced by the execs because they told surveyors that irrelevant emails in their inboxes had been reduced by 22.5 percent and the amount of email in those inboxes had fallen by 33 percent.

An added benefit of those reductions in email, the surveyors maintained, was the ability by the execs to keep the list of messages in their inbox confined to a single screen. That gave them a feeling of greater control of their inboxes and changed their attitudes toward email which, prior to taking the management training, they described in a number of unflattering ways, including irritating, love/hate, frustrating, overwhelming and horribly addictive.

While the training may have made the execs more efficient in using email, it may have encouraged inefficiencies in other areas. For instance, the execs reported that they were using their phones more often. That doesn’t sound like a more efficient use of time to many of us.

Without a doubt, Emailogic’s survey is self-serving—after all, they’re in the business of email management training—but that doesn’t make their findings any less revealing or recommendations less useful. If execs want to take their email management training to the next level, however, they may want to rethink their view of email, from looking at it as merely a communication tool and transforming it into a productivity tool, as Jeff Orloff outlined in his blog item here last month.

Better Email Management can Save Companies $87 Billion a Year

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The other night, I had a dream that I was on the television game show Jeopardy. I was doing rather well, when we reached the Final Jeopardy round. The category was “Arcane Exchange Knowledge”. Feeling quite good about this, I wagered everything during the commercial break, and when we came back on the air the answer Alex presented was “generated once every 24 hours, this enables disconnected users to look up user information.” Just as I was about to write down “What is the Offline Address Book?” my dream changed, and I was in my old high school taking my final exam in an Energizer Bunny costume. Hey, give me a break. I said it was a dream. It was that dream that inspired me to write this post on the Offline Address Book (or OAB to its friends) as this is one of those things that just kind of works, until of course, it doesn’t, and that our road warrior users may depend upon. A little knowledge goes a long way, and this post should get you to the corner store and back when it comes to dealing with the OAB.

What is the OAB?

Jeopardy questions aside, the OAB is what enables users running Outlook in cached mode, or when not connected to their Exchange infrastructure, to look up recipients within their company when composing emails without having to perform a GAL lookup. Think of it as a GAL cache and you won’t be far off, though it is a set of files generated and updated by a mailbox server which is then made available for clients to download, instead of something cached in RAM. It contains one or more address list. It is updated daily by a mailbox server based on changes within the GAL, which are of course changes in Active Directory. The OAB can be out of sync with the GAL, since it is only updated automatically once daily, and it needs to be stored where clients can download it, since it is a pull from the client that gets it there, not a push from the server. In earlier versions of Exchange, the OAB was stored in a public folder. Exchange 2007 and 2010 store the OAB in the \OAB virtual directory under the default website, which is where currently supported versions of Outlook will look for it. If you still have to support legacy Outlook clients, you can also store the OAB in a public folder. Unless you change things, the OAB will be generated by the first mailbox server in your organization. You can view the properties of the OAB using either the Exchange Management Console, or the Exchange Management Shell. In the EMC, access Organization Configuration, Mailbox, and you will see the OAB tab. In the EMS, you can use the get-offlineaddressbook | fl command to see all of your OABs (yes, you can have several) and their properties.

Creating an OAB

The OAB is created automatically on the first mailbox server in your organization, and contains the Global Address List, which is the only address list you have by default. Since the OAB can contain multiple address lists, you can remove the GAL, or you may want to create additional OABs if you need users to have a subset of the GAL. In the EMC, browse to Organization Configuration, Mailbox, and click New Offline Address Book. You give it a name, select the mailbox server you want to generate it, choose whether or not to include the GAL and/or any other address lists, select web-based distribution for current clients and specify the virtual directory, check the Public Folder option if you have legacy clients, and then click New. In the EMS, an example command would be new-OfflineAddressBook -Name ‘MyOAB’ -Server ‘MBX1′ -AddressLists ‘\Default Global Address List’ -PublicFolderDistributionEnabled $false -VirtualDirectories ‘MBX1\OAB (Default Web Site)’

Storing the OAB

The OAB is made up of several files, stored under c:\Program Files\Microsoft\Exchange Server\V14\ExchangeOAB\. Each OAB is identified by its GUID, which you can view using the Get-OfflineAddressBookcmdlet mentioned above. Creating and updating an OAB also generates several temporary files, which will be stored in your server’s %TEMP% directory. While OABs and their temp files are particularly large, you don’t want to skimp on disk space for C: (I’m looking at those VMs you created) and you want to make sure both of these directories are exempt from real-time anti-virus scans.

Distributing the OAB

For modern Outlook clients, distribution uses the OAB virtual directory on the CAS server, and should be downloaded using HTTPS. You can control that using the set-OABVirtualDirectorycmdlet, though the defaults should be left alone. If you must support Outlook 2003, you will need to create a Public Folder database, and then set the option to store the OAB in Public Folders. Use the EMC to do this, since there it is a simple checkbox.

Updating the OAB

By default, the OAB is created by the first mailbox server, and is updated every day at 0500 local time. Changes made to Active Directory are retrieved from a Global Catalog server, and updated within the OAB. You can use the EMC or the EMS to force an immediate update to the OAB, but consider two things: first, this is CPU intensive on your mailbox server, and second, your Outlook clients won’t immediately get the updates anyway. Remote and cached mode clients can always use OWA, which uses the GAL directly. Just make sure AD replication has completed before sending a user to the OWA site, or you will get another phone call. If you really must update an OAB, in the EMC, just right click the OAB and choose update. Or you can open the EMS and run the command Update-OfflineAddressBook –Identity “Default Offline Address Book.” To get your clients to update, have the user go in Outlook to the Send/Receive option in the ribbon, select the drop down next to Send/Receive Groups, and select Download Address Book. The OAB is a great enhancement for users and admins alike, caching address lists on remote clients and conserving bandwidth. With just a little care and feeding, the OAB is easy to use, easy to maintain, and improves the end user experience significantly.

Inside Exchange -The Offline Address Book

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

If your organization is part of a regulated industry, is publicly traded, or has business units that might need to engage in different operations that could present a conflict of interest, you may find yourself tasked with deploying an ethical wall within your Exchange organization. While it may sound intimidating, it is actually an easy and straightforward task which Exchange handles well. This post will discuss ethical walls, and then show you how to set them up with Exchange 2010.

In business or legal terms, ethical walls (sometimes called Chinese walls) are communication and information barriers set up between individuals or business units to ensure that no information or communication can be exchanged between parties. They can be required when a business has competing interests, like when a financial company has a group A that advises businesses and is privy to sensitive information, and has a group B that advises others on investments. If A is working on something that could impact stock prices and is not public information, B could take advantage of that information to the benefit of their clients, which would be considered insider trading and highly illegal. It’s also common to find ethical walls within law firms, should two different attorneys in the same firm find themselves representing the interests of different parties.

In Exchange, an ethical wall helps ensure that no email can be sent or received between anyone in A and anyone else in B, preventing accidental or intentional sharing of information between those groups. Exchange 2010 uses transport rules to establish an ethical wall. Since all messages between users are handled by the Hub Transport server role, your Hub Transport server will be able to apply the appropriate transport rules to all messages.

The best way to approach building an ethical wall starts with creating distribution lists that contain the users for each “side” of the wall. That way, you can create your transport rules and apply them to messages between the two groups without altering other DLs in your environment. Should someone in A send an email to someone in B, your ethical wall can block the message and respond with an NDR. You may also want to set up a web page on your intranet that you can use in the NDR to refer violators to the reason, and to provide appropriate legal or HR contacts.

Note: it is very important to test your transport rules before applying them to production, to ensure that you stop all messages appropriately without impacting other critical email communications (internal or external).

One you have identified your users, and created the appropriate DLs, there are eight steps to creating an ethical wall in Exchange:

1. Launch the EMC and navigate to Organization Configuration, Hub Transport.
2. Create a New Transport Rule.
3. Enter a name, a comment that explains what the rule is for, and whether or not you want the rule created as Enabled or not, then click Next.
4. On the Conditions page, select the option “between members of distribution list and distribution list.” Click the first distribution list link in the lower pane and add the first DL you created for A. Then click the second link and add the DL for B. Then click Next.
5. On the Actions page, you need to configure the transport rule to “send rejection message to sender with enhanced status code.” Then click “rejection message” and enter text to display in the diagnostic information for administrators and click OK. Regular users won’t see this. Then click the “enhanced status code” and specify something in the 5.7.x range. I suggest you start with x=228 and work your way down from there if multiple rules are necessary. It is this that you will alter shortly to display a link to the users. Then click Next.
6. Set up any exceptions that are required, but be sure that these are approved by legal and HR. When setting up an ethical wall, there will rarely be any exceptions. Click Next.
7. On the “Create Rule” page, review the summary and then click Finish.
8. Open the EMS, and use the “new-systemmessage” command to create text to go along with the 5.7.228 enhanced status code you created. Here is an example, where your intranet site is http://intranet and you have created a page policy1.html off the root to provide more information.

New-SystemMessage –DsnCode 5.7.228 –Internal $true
–Text “This message is prohibited by policy. See
 <a href=http://intranet/policy1.html>Policy 1 </a> for
details.”

When a user tries to send a message that violates the transport rule, it will be rejected, and the NDR sent back to the sender will contain that message with the link to read more about why their email is prohibited.

Of course, email is only one form of communication between individuals or groups, and Exchange cannot control phone calls, conversations in elevators, or secret messages sent by carrier pigeon. If you do need to implement an ethical wall, work with your legal department to make sure you have your messaging requirements covered, but make sure everyone understands the limits of the technology.

Inside Exchange: Ethical Walls

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Last month, I posted an article titled “What’s a good mailbox size?” where I discussed many of the considerations an architect must take into account when sizing storage for a new email system. In that post, I also set up a survey where I asked readers to answer six short questions about what they think makes a good size for a mailbox, as well as what future plans they might have for system growth. As promised in last month’s post, I am sharing the results of the survey now.

While the total number of respondents was somewhat less than I hoped for, the quality of those responses from survey participants is greatly appreciated. No one skipped any of the first four questions; the last two were “if” type and should have been skipped if not applicable. Thanks to all those who took the time to share their answers. I will share each question and the responses by percentage below.

1. What email system are you running now?

The vast majority of respondents are running Exchange, with a smattering of Notes, but nothing else apparently. While the dominance of Exchange was no surprise, that not a single Groupwise or Sendmail admin responded makes me wonder whether those products are dying out, or if their admins simply are too busy to deal with surveys.

2. What is the standard mailbox size (in MB) for regular users?

Almost half of those responding give standard users mailboxes less than half a gig. Those results shocked me on their own, but wait until you read question four!

3. What is the standard mailbox size (in MB) for special users (IT, executive, HR, or any other group that needs a larger mailbox)?

It looks like half of the admins who responded draw no distinction between regular users and special users. How egalitarian of you. We do see an uptick in the sizes though, with the other half of you giving special users 5 GB or more of storage space.

4. Is your current mailbox size adequate for the majority of users?

Okay, this is the answer that floored me. Over 90% of respondents feel their mailbox sizes are adequate. Considering how many provision regular users with less than half a Gigabyte, that is not at all what I would have expected. If you are one of those folks, please let us know in the comments how you do it. Do you have an aggressive deletion policy, an archiving solution, or do you just prohibit attachments? Inquiring minds want to know.

5. If you are considering a larger mailbox size for regular users, how big would you like that to be?

This is another response that did not come out like I expected. No one is looking for huge mailboxes (>25 Gigabytes) and most look like they would be happy with 10 GB or less. Storage vendors may weep to see this.

6. If you are considering a larger mailbox size for special users, how big would you like that to be?

Now we see an expected distinction, where special users will get much larger mailboxes. The designers of Exchange 2010 are smiling that so many of us share their vision.

So to summarise, the vast majority of regular users’ mailboxes are either in the 512MB range, or in the 1 to 5 GB range. In about half the cases, special users get a bump to 5 GB or larger. Most of us are happy with our mailbox sizes, but if we were going to increase them, it’s only the special users who’d really see a big change, and no one seems to want to go above 25 GB for mail.

Once again I’d like to thank those of you who participated in the survey for your time and the information you shared. I know it will be very useful to me, and I hope that other regular readers of TheEmailAdmin can also benefit from this.

Are there any other issues you’d like to see surveyed and discussed here? Any questions you’d love to see asked in such a large forum? If there are, leave a comment and if I get enough good ones, I will create another survey for the readers so we can see just how everyone else is doing it.

As it Turns Out, a Good Mailbox Size Is…

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

With hosted and cloud mail services growing in prominence, it’s no wonder we’re starting to see more coverage of these services on TheEmailAdmin.com. In my humble opinion, Office 365 is setting the pace for all the rest, and as the service matures, more and more resources become available for companies looking to move some or all of their email services to the cloud.

The one thing about Office 365 that tends to give many admins pause is the same thing that makes them shy away from upgrading to Exchange 2010 – the requirement to use PowerShell for some administrative work. While much of what you need to use PowerShell for in Office 365 will be given to you in a copy-paste ready format, and other admins may never use PowerShell on their own, preferring to deal with what they can get from a GUI or service ticket, the more adventurous (or advanced) admins know that to get real work done, you have to roll up your sleeves and drop to the prompt. And that is why this post presents some very useful web resources for those of you ready to take the plunge.

The place to start

New Office 365 admins may want to start with this page that introduces PowerShell and its use for managing Office 365. This page explains what Windows PowerShell is, and how to install the Office 365 cmdlets. It’s the right place to start for new customers, or even admins considering a move to the cloud to see what advanced management is available to them. You can find this page at http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh124998.aspx.

The Windows PowerShell Command Builder

Our first web based resource for PowerShell users is a Silverlight application called the Windows PowerShell Command Builder. Microsoft has put up a site that lets you create PowerShell commands for SharePoint Server 2010, SharePoint Foundation 2010, and Office 365 using a simple drag-and-drop interface. Available verbs are up top, Nouns are underneath, and you can just drag them over to the Design Surface to put a cmdlet together. The nouns and verbs are easier to understand and are ‘translated’ into the appropriate PowerShell command. Required and optional modifiers are shown below based on the command you have started to build, and the actual PowerShell command is shown at the bottom of the design surface. Once you have it strung together, you can click a button to copy it to the clipboard, so you can paste it into your shell or the script you are putting together. If you right-click the Silverlight app, you can ‘install’ it to your computer (it’s just a self-contained webpage) for easy access later on. You can see this great tool at this link.
http://www.microsoft.com/resources/TechNet/en-us/Office/media/WindowsPowerShell/WindowsPowerShellCommandBuilder.html

The Windows PowerShell cmdlets for Office 365 reference

Microsoft has also posted a ton of documentation online, on the site aptly named onlinehelp. This site includes a fantastic page on the available PowerShell cmdlets for Office 365. The page includes links to anchor text on the page for managing users, groups, domains, SSO, licensing, service options, and more. Clicking the link takes you further down the page to the relevant material. It’s like an online webpage for the get-help command. You can see this site at http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125002.aspx.

Reference to Available PowerShell Cmdlets in Exchange Online

This site is another useful reference for admins wanting to use PowerShell to manage their Office 365 tenant. Quick links are at the top of the page, which take you to the anchor text further down that goes into the command. Each section also contains a link to a webpage with more specific information on the task. You can find this page at http://help.outlook.com/en-us/140/dd575549.aspx.

And remember, some cloud services, particularly Office 365, offer coexistence as an option. You can move some of your email to the cloud to reduce your storage costs or shift expenses from capital (capex) to subscription (opex) models, while still keeping the most important mailboxes on premise. It’s a great way to keep the most critical mailboxes close, while stretching a few more years out of your existing mail servers and storage as demands continue to grow.

Four PowerShell Resources for Office 365

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Administrators of Novell’s flagship messaging and collaboration product Groupwise should move quickly to apply the latest security patch from Novell, which addresses multiple vulnerabilities that could lead to code execution.

The Groupwise Internet Agent (GWIA) is responsible for all SMTP connections with external mail systems, and it was discovered recently that this agent has three distinct memory corruption issues that can be exploited when the GWIA parses rule variables in weekday, weekly, and yearly vcalendar messages.

There is currently no known exploit in the wild for any of these three vulnerabilities, but the first one was assigned a CVE last year, and the other two just last month. CVE-2010-4325 contains more information on the Weekday RRULE vulnerability, while CVE-2011-2662, and CVE-2011-2663 are reserved and awaiting updates. Novell has released three security advisories around these issues:

Security Vulnerability – GroupWise 8 Internet Agent Weekday RRULE (VCALENDAR) Vulnerability

Security Vulnerability – GroupWise 8 Internet Agent Weekly RRULE (VCALENDAR) Vulnerability

Security Vulnerability – GroupWise 8 Internet Agent Yearly RRULE (VCALENDAR) Vulnerability

Novell has also released Hot Patch 3, which addresses all three of the vulnerabilities. If you are running that already, your server is not vulnerable to any of the three vulnerabilities. If you are not, you should test HP3 in your environment as soon as possible and deploy it to your systems. Systems running earlier versions of Groupwise are also vulnerable, but no patch will be released for these unsupported platforms.

Researchers determined that successfully exploiting any of the three vulnerabilities could result in the server executing arbitrary code with system level privileges. Even a failed exploit could lead to a denial of service condition that would require the server to be rebooted. The attack can be launched by sending a maliciously formatted iCal calendar file to a user of the system by anyone external to the system.

Sebastien Renaud of VUPEN Security is credited with discovering one, while the other two are credited only to an anonymous researcher at Verisign’s iDefense Labs and an anonymous researcher at TippingPoint’s Zero Day Initiative.

While my posts tend to focus more on Microsoft Exchange than any other email platform, and I’m sure most of us are in the habit of checking our email early on patch Tuesday every month for the latest security patches from Microsoft, it is crucial that we do not overlook other vendors’ software that is sitting on our network. Whether we are using a third party application that runs on Windows, a distro of Linux, or network hardware, we as admins must pay attention to the security bulletins that come out from our vendors, and stay on top of necessary security patches. If you do not already have a patch management program in place, take a look at these three blog posts on patching:

1. What should be included in your patch management policy?
2. A Patch Management Strategy for Your Network
3. 6 Tips for a Successful Patching Process

and then consider a good patch management application for your network. Look for one that can address not just the operating system, but also the applications that run on your network, and that can scan for network hardware firmware as well.

Novell Patches Critical Issue in Groupwise

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

You’d have to have spent the last two years of your professional career living under a rock to have not come across “the cloud”. The cloud – this; the cloud – that; the cloud, the cloud, the cloud… Cloud computing promises to be the next sea change in information technology, as more and more Somethings as a Service (*aaS) hit the market, with every player from Microsoft and Google all the way down to JoeBob’s Hosting trying to get in on the action.

Email services look to be the most common, some of the easiest to move to the cloud, and certainly of the most interest to readers of this blog. My colleagues Jeff Orloff and Paul Mah have both written some great articles around this topic already. Today, I want to talk about cloud based email services from a different point of view; that of the email admin who thinks the cloud will make his or her job go away.

There are all sorts of euphemisms for jobs coming to an end; downsizing, right sizing, smart sizing, outsourcing, off shoring, and many others. I’ve been involved in a few of these. Sometimes I was the last man standing, other times I was the rat leaving the sinking ship, and once I was the deer in the headlights who never believed it would happen to him. All of those situations sucked, and I don’t want to promise you that no one will lose their job because their company moved their email to the cloud. What I do want to do is help you realize that:

a)      Moving your company’s email to the cloud DOES NOT mean your company doesn’t need email admins. Your boss is a fool if they think they can get rid of the entire email team.

b)      If you are an in house Exchange shop today, you will want to keep some in house Exchange servers even after the cloud move is complete. It’s called hybrid mode, and it offers significant advantages to a company, and it means you still need email admins.

c)       Overworked shops might find the cloud to be just the relief they need.

d)      There are several new skillsets a company needs to have in-house to support a cloud based service. There are opportunities to take your skillset to the next level and be just as critical tomorrow as you are today.

e)      Cloud migrations can take months; sometimes more than a year. Sure, an SMB can move their email in a weekend to the cloud, but an enterprise with thousands of users and gigabytes of email will take much longer, starting with remediation.

Your company will still need email admins

Managing a cloud based service requires admins who can take care of user needs, client needs, provisioning, set up, backups and restores, and to be the contact between the users and the service provider. Cloud providers take care of the care and feeding for an email system, and are on the hook for BCP/DR, but they don’t talk to end users and they don’t provision accounts.

Hybrid mode

Keeping some Exchange servers on premise lets you move mailboxes from the cloud back to your own servers, which lets you keep access to the mailboxes of former employees without paying the monthly costs to keep that mailbox in the cloud. Some companies are deciding to move only the regular users to the cloud, while keeping key personnel and executives’ mailboxes on-prem…in essence outsourcing the basic users to free up space and resources while keeping the VIPs in house to provide more personal service. You may also find add-ons like archiving are better kept in-house, which means you need email servers (just not as many as before).

Taking some of the load off

Again, that hybrid model offers a lot to consider. Moving the regular users’ mailboxes to the cloud not only reduces the number of servers you need, it frees up the diskspace your power users need for their multi-gigabyte mailboxes. Cloud providers are great, but they are not, and never will be, able to offer the executives the personal hand holding they expect when they have problems, need their Crackberries reset, or can’t find that critical email. You may find yourself going home earlier, and not getting as many late night calls.

Skillsets

To keep a company’s email running smoothly during and after a migration to the cloud, you will need to understand licensing, cost models, federated services, vendor management, and can also polish up your customer support skills. In every large org I have ever dealt with, the vendor management folks are some of the highest paid in all of IT. Dealing with a cloud provider is not a bad way to break into that tax bracket. Plus, most email admins know some networking and AD stuff; both of which are important and might let you move to another team. Working on a cloud migration can make you very marketable to those who offer cloud based email services. Consider also the security aspects of using a cloud provider – security has been one of the top ten most sought after skills in IT since the late 90′s and cloud security is a hot topic you can get hands-on experience with as you go through a new migration.

Time

Even if none of the above appeal and you are convinced that your job is on the chopping block, there is no need to jump ship day one. Cloud migrations will take significantly longer than anyone expects until they get into the project planning. For the duration of that project, you are one of the most important persons in the room. Have an honest conversation with your management, knowing that you are in a position of power. They need you to make the migration successful, and you have every right to know whether you are targeted for a new role or not post migration. I have seen email admins get very generous severance packages in return for staying with a project.

Don’t automatically assume that the words “the cloud” are another euphemism for “time to job hunt”. Look at it from all angles, never underestimate your own importance to the project, and make the most of it. You can find that every cloud really does have a silver lining if you keep your wits about you.

Inside Every Cloud Is a Silver Lining

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

While the Edge Transport Server role, the Hub Transport Server role, the Mailbox server role, and even the UC server role are all critical, it’s the Client Access Server role that your users interact with most. The CAS handles all the interactions between clients and the Exchange 2010 infrastructure – whether the clients are using Outlook, ActiveSync, OWA, IMAP, POP3, or EWS. It also handles all AD queries for clients. It’s critical to ensure that your CAS servers are configured correctly, and built with the redundancy and capacity your clients need.
In this post we will take a look at some of the recommend, or preferred, practices for setting up and maintaining your CAS servers to provide the best possible user experience with the least administrative overhead.

Sizing

Size your CAS server to handle both the current, and the foreseeable growth of your user base. CAS servers consume RAM and CPU, and can use a lot of network bandwidth based on client needs, but won’t use disk for much other than the operating system and logging.
See this TechNet article for specific sizing recommendations, and use the enterprise version of the operating system so you can implement an array later even if you don’t want to start with one.

Combining roles

While smaller shops will try to reduce their server numbers as much as possible, larger organizations, and those who want to implement arrays, will want to keep the CAS servers roll specific. If your org is small enough to forgo the redundancy, the CAS role can be combined with the Hub Transport role easily.

Arrays

Implement CAS server arrays to provide both maximum performance and redundancy. You will use the Network Load Balancing capabilities of Server 2008 to create a virtual ip.addr that listens for client connection requests, and balances the load across all array members. If one CAS server in an array must be taken offline, the other members of the array can handle client needs. Depending on your needs, you can implement up to 16 servers in an array.

Publishing to the Internet

All clients, no matter what type, will need to connect to the CAS server when using email. While most of your “fat” clients could first fire up their VPN before launching Outlook, web mail and smart phone users will want to get to email without a VPN. Microsoft Forefront TMG is a great solution for securely publishing all of the Exchange CAS server capabilities to the Internet in a secure and high performance way.

Site coverage

If you centralize your email system with all mailbox servers in one or more hubs, you might be tempted to place your CAS servers the same way. While this will work fine for smaller organizations, those with larger user counts across several offices might want to place CAS servers near their users. Remember, CAS servers not only proxy connectivity to the mailbox servers, they handle all directory lookups. Placing them closer to the users will improve response time and reduce WAN traffic. Of course you will want to place the CAS servers handling OWA and ActiveSync traffic close to your perimeter.

Patching

While the CAS server is very important to clients, it is also very fast to build. Since patching Exchange 2010 systems should start at the edge and work in towards the Mailbox and UC roles, you will patch your CAS servers before anything other than the Edge transport role. There are PowerShell scripts included to make it easy to take a CAS server out of an array, patch it, and then add it back to an array.

Backups

As a general rule, there is little on a CAS that cannot be easily recreated other than log files. Consider how important the log data is for your data retention policy, and implement the backup solution that supports that. My CAS servers are all virtual, so I just snapshot the VMs once a week.

Understanding these preferred practices for your Exchange 2010 CAS servers, and implementing the recommended configurations will help you to provide the best user experience, exceed your SLAs, and live the life of an Exchange rockstar. Okay, maybe the last one is a stretch, but trust me on the other two.

Inside Exchange-CAS Server Best Practices

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

With the importance of email growing every day, and its mission-critical nature meaning that there is no acceptable outage, ensuring that users’ mailboxes are available is a critical part of system design and administration. Exchange 2010 offers several technologies to maximize system uptime, including Database Availability Groups. DAGs, as they are called, are replicas of the database that stores users’ mailboxes, and can be setup across two or more mailbox servers to provide highly available, resilient storage in order to support maximum uptime.

DAGs involve two or more mailbox servers hosting identical copies of a mail database, and are intended to provide high availability. They are not for disaster recovery and should not be considered as a replacement for backups. My colleague Paul Cunningham wrote a great article that goes into more detail about DAGs, which you can read here. You should check out his post, as it goes into more detail about the fundamentals of DAGs then we will cover in this post.

DAGs are single master type databases. The active database replicates changes to the other member(s) of the DAG continuously and automatically. If the server hosting the master goes down, another member of the DAG takes over and clients are automatically connected to it thanks to the Client Access Server role. Since all changes to the database are replicated to all other nodes, no data loss occurs and clients will likely not even notice. DAGs can also span WAN links, enabling you to setup site redundancy for your mail.

There are some preferred or recommended practices for DAGs that we’ll cover below:

1. Have as many mailbox servers hosting a copy of the mailbox database as you need, but more is not always better. You can have up to 16 members, but if you have a 100GB database, that means you have an extra 1500 GB of redundant data. Don’t go crazy just because you can.
2. Ensure that each mailbox server participating in the DAG has two NICs, and good connectivity to every other member of the DAG. Two NICs are preferred so that DAG replication traffic can use one NIC, while client access uses the other. This is not required, but it is recommended.
3. Make sure that if there is a firewall between DAG members, it permits bi-directional TCP port 64327, which is used for replication.
4. Don’t try to use DAGs for Public Folder redundancy.
5. If you have redundant datacenters, have a DAG member on the far side of the WAN to enhance fault tolerance in the event of a site disaster.
6. Disable the Windows firewall on any server to which you want to assign the File Share Witness role, or configure WMI exceptions in advance.
7. Don’t create the File Share Witness share on any share that is replicated using DFS.
8. In higher security environments, encrypt replication traffic between DAG members using the EMS command: Set-DatabaseAvailabilityGroup –Identity <name>  -NetworkEncryption Enabled
9. Never use DAGs as a reason for not running backups. Deletions will be replicated between DAGs just as quickly as new mail coming in, and if a user purges, your only hope may be SIR. DAGs are a fault-tolerance solution, not a disaster recovery solution.
10. If you need to perform maintenance on a DAG member, remove it from the DAG before you begin using the StartDagServerMaintenance.ps1 script that is included with Exchange. When maintenance is complete, run the StopDagServerMaintenance.ps1 script to return the DAG member to the DAG.

If you have any other recommended practices you regularly use for your DAGs, leave a comment below and share the knowledge.

Inside Exchange-Best Practices for DAGs

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators