READ RECEIPT 369 Figure 8.22 Microsoft Operations Manager

Chapter 9 Improving Performance

If you think you are experiencing a memory leak, please be aware that memory leaks may not be what they appear to be. You may discover that a memory leak is really not a memory leak but a performance enhancement.
Microsoft Knowledge Base article 268343, "How to Use Umdh.exe to Find Memory Leaks"

As with any other software, providing good performance is one of the keys to the successful deployment of Exchange 2003. E-mail is the number-one form of electronic communication in corporations today, and it is one of the most commonly used productivity applications. So when performance on a server that supports mailboxes drops significantly (maybe it takes 10 seconds to open a mail message), what will your users report? And how will it affect their work? If one of your Exchange servers were to become unavailable, how many support calls would your help desk receive in the first five minutes? What would happen if your entire Exchange organization became unavailable? Would you just have a prerecorded message at the help desk to handle all the calls that would be flooding in?

Because of the amount of communication that flows through a mail system, people have become so dependent on their messaging environments that it is one of the most crucial services in an organization. In many cases, loss of messaging can stop business processes and interfere with the bottom line. The key to ensuring that your mail systems stay up and running is making sure both your Windows environment and your Exchange server are healthy.

What is a healthy Windows or Exchange server? Everyone will probably have a unique perspective on this, but my definition includes the following criteria:

- During the busiest times of the day, the Exchange server should be able to provide MAPI clients with the ability to open and display small messages (less than 10KB) in less than two seconds.
- The server should provide reasonable room for growth without adversely affecting users.
- Free/busy information should be current.
- Public folder content should be current and easily retrieved.
- External e-mail (to the Internet) should be available 99 percent of the time.
- Server-to-server e-mail should be delivered within one minute.



Figure 8.22 Microsoft Operations Manager reports

Read Receipt

Thus, what enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge.
Sun Tzu, The Art of War

Reporting on and monitoring Exchange is not the same as overadministering, which I cautioned you against in previous chapters. In fact, monitoring your Exchange servers should have minimal, if any, impact on their operations. Administrators who have implemented any sort of monitoring of their organizations will tell you that eventually you will be glad you implemented it. Any insight you can gain into the operation and usage of your Exchange servers will serve you well in the long run. Monitoring can be as simple as keeping tabs on your queue lengths and available disk space, or as sophisticated as NetIQ or Microsoft MOM. Developing tools that help you isolate errors and malfunctions before they become problems ultimately improves your availability.

Reporting on the usage of your Exchange system will also serve you well in the long run. Any statistics on usage become very valuable when the time comes to justify the mail system's budget. After all, providing a report to your boss stating that the average user sends and receives 50 messages per day, that you deliver on average 500 messages to the Internet each hour, and that almost all of these messages are being sent to your customers' addresses can only bode well for you and the system you support.


UNDERSTANDING OWA 2003 817 Figure 21.8 Home Directory

CHANGING OWA FEATURES THROUGH THE REGISTRY

You can further restrict this by defining a REG_SZ Registry value called AcceptedAttachmentFrontEnds and entering the list of front-end servers that will allow attachments.

Blocking Attachment Types

By default, Outlook Web Access blocks all Level 1 attachments. (Level 1 versus Level 2 attachments are discussed in Chapter 17, "Securing Exchange Server 2003.") At the top of the Outlook Web Access message form, you will see one of two messages: "Access to the Following Potentially Unsafe Attachments Has Been Blocked" if the attachment is a Level 1 attachment, or "Attachments Can Contain Viruses That May Harm Your Computer. Attachments may not display correctly" if it is a Level 2 attachment (see Figure 21.10).

Figure 21.10 OWA warning of a potentially dangerous attachment (a Level 2 attachment)

A Level 1 attachment can be neither opened nor saved; a Level 2 attachment cannot be opened directly from the browser, but it can be saved to disk. Via Registry settings, you can remove an attachment type from the Level 1 or Level 2 list, or add types to either list. By default, every Level 1 attachment type is also in the Level 2 list. Outlook Web Access 2003 defines four lists: two for Level 1 and two for Level 2, because each level is matched both on file extension and on MIME type. The following Registry values already exist on an OWA 2003 server:

- Level1FileTypes
- Level1MIMETypes
- Level2FileTypes
- Level2MIMETypes

All four are REG_SZ values, each holding a comma-separated list of entries. Because a type can be matched by either its extension or its MIME type, when you adjust one list, check its counterpart as well; removing an extension from Level1FileTypes does not help a user open a file whose MIME type is still listed in Level1MIMETypes.

WARNING Do not demote dangerous file types unless you know exactly what you are doing and you are sure these file types will not be harmful to your organization.

Changing the Default Folder List

Later in this chapter, I will cover how to configure an individual user so they see only certain folders or features of their mailbox. This feature is often called OWA segmentation and is handy in a



CHAPTER 21 DEPLOYING OUTLOOK WEB ACCESS

Figure 21.9 Spell checking using Outlook Web Access

The spell checker does not consider words that are repeated, Roman numerals, single letters, capitalized initials, URLs, e-mail addresses, or file paths when spell checking. The spell checker includes support for English, French, German, Italian, Korean, and Spanish.

NOTE The OWA spell-checker dictionaries cannot be edited or customized.

Tweaking and Customizing OWA

Outlook Web Access is versatile and flexible. Many administrators are pleasantly surprised to learn that they can disable features and change the default behavior of the OWA interface. Some of these configuration changes are made through the Registry, while others are made in Active Directory, Internet Information Services, or configuration files.

Changing OWA Features through the Registry

You can enable and disable a number of features by editing the Registry on the Exchange 2003 server that is hosting OWA. Unless otherwise noted, the Registry changes are made in the following key:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA

Once the change is made, you will need to stop and restart the w3svc service (World Wide Web Publishing Service).

Attachment Blocking

You can prohibit your users from opening attachments when connecting to Exchange 2003 through OWA. You do this through the DisableAttachments Registry value, which is of type REG_DWORD. You must create this value because it does not exist in the Registry by default. You have three options when setting it:

- A value of 0 allows attachments.
- A value of 1 blocks all attachments on any OWA server.
- A value of 2 blocks attachments only when the user connects directly to a back-end server; users who come in through a front-end server can still open them.
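The rules from this section and from "Blocking Attachment Types" above (the DisableAttachments value, the AcceptedAttachmentFrontEnds list, and the Level 1 and Level 2 extension and MIME lists) are easy to get wrong when you edit them by hand. The following is an added example, not code from this book or from Microsoft, that models those rules in Python and checks the one invariant the text states (every Level 1 type is also a Level 2 type). The lists in it are a short constructed subset of the shipped defaults, and two details are assumptions made for illustration: that the stricter of the extension match and the MIME-type match wins, and that an empty AcceptedAttachmentFrontEnds accepts any front-end server.

```python
"""Model of the OWA 2003 attachment rules described above.

Added example, not Microsoft's code.  It treats the four REG_SZ values as
comma-separated lists (the format Exchange uses), applies the Level 1 /
Level 2 behaviour the text describes, models the DisableAttachments and
AcceptedAttachmentFrontEnds settings, and checks the documented invariant
that every Level 1 type is also a Level 2 type.  The lists below are a
short constructed subset of the shipped defaults.  Assumptions: the
stricter of the extension match and the MIME-type match wins, and an
empty AcceptedAttachmentFrontEnds accepts any front-end server.
"""

# Constructed subsets of the values under
# HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA (not the full defaults).
LEVEL1_FILE_TYPES = "bat,cmd,com,exe,hta,js,jse,lnk,msi,pif,reg,scr,vbs,wsf"
LEVEL1_MIME_TYPES = "application/hta,application/x-msdownload,text/javascript,text/scriptlet"
LEVEL2_FILE_TYPES = LEVEL1_FILE_TYPES + ",doc,xls,ppt,mdb,zip,htm,html"
LEVEL2_MIME_TYPES = LEVEL1_MIME_TYPES + ",application/msword,application/vnd.ms-excel,application/zip,text/html"

BLOCKED, SAVE_ONLY, OPEN = "blocked", "save-only", "open"
_RANK = {OPEN: 0, SAVE_ONLY: 1, BLOCKED: 2}   # higher rank = more restrictive


def parse_list(reg_value: str) -> frozenset:
    """Split a REG_SZ list such as 'exe,bat,cmd' into a normalised set of entries."""
    return frozenset(item.strip().lower() for item in reg_value.split(",") if item.strip())


def classify_attachment(filename: str, mime_type: str,
                        level1_files=LEVEL1_FILE_TYPES, level1_mimes=LEVEL1_MIME_TYPES,
                        level2_files=LEVEL2_FILE_TYPES, level2_mimes=LEVEL2_MIME_TYPES) -> str:
    """Return 'blocked' (Level 1), 'save-only' (Level 2) or 'open' for one attachment."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    mime = mime_type.strip().lower()
    l1f, l1m = parse_list(level1_files), parse_list(level1_mimes)
    l2f, l2m = parse_list(level2_files), parse_list(level2_mimes)
    by_ext = BLOCKED if ext in l1f else SAVE_ONLY if ext in l2f else OPEN
    by_mime = BLOCKED if mime in l1m else SAVE_ONLY if mime in l2m else OPEN
    # Assumption: whichever match is more restrictive decides.
    return max(by_ext, by_mime, key=_RANK.__getitem__)


def attachments_enabled(disable_attachments: int, front_end=None, accepted_front_ends: str = "") -> bool:
    """Apply DisableAttachments: 0 allow, 1 block everywhere, 2 block direct back-end access.

    front_end is the name of the front-end server the request came through, or
    None when the user connected straight to the back-end server.
    """
    if disable_attachments == 0:
        return True
    if disable_attachments == 1:
        return False
    if disable_attachments == 2:
        if front_end is None:
            return False
        accepted = parse_list(accepted_front_ends)
        return not accepted or front_end.lower() in accepted   # empty list: assume any front-end
    raise ValueError(f"unsupported DisableAttachments value {disable_attachments}")


def level1_not_in_level2(level1_value: str, level2_value: str) -> list:
    """Entries in a Level 1 list that are absent from its Level 2 counterpart.

    By default every Level 1 type is also a Level 2 type; after editing the
    lists, a non-empty result means that invariant has been broken.
    """
    return sorted(parse_list(level1_value) - parse_list(level2_value))


if __name__ == "__main__":
    for name, mime in [("setup.exe", "application/octet-stream"),
                       ("budget.xls", "application/vnd.ms-excel"),
                       ("memo.txt", "text/plain")]:
        print(f"{name:12} {mime:28} -> {classify_attachment(name, mime)}")
    print("Level 1 types missing from Level 2:",
          level1_not_in_level2(LEVEL1_FILE_TYPES, LEVEL2_FILE_TYPES))
```

Run level1_not_in_level2 against your own Level1FileTypes/Level2FileTypes (and the two MIME lists) after every Registry change; the four values are independent strings, and nothing in the Registry editor stops you from adding a type to Level 1 while leaving it out of Level 2.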



Figure 21.8 Home Directory property page of the Redirect Virtual Web Server

Redirecting Exchange 5.5 OWA Users

I read this really useful tip in the SWINC Exchange 2003 FAQ at www.swinc.com/resource/exchange/ and was immediately relieved that apparently others had felt my pain. While this is a minor annoyance for the IT department, a couple of hundred users calling the help desk will make it seem major. Users tend to add the OWA server URL to their favorites or pick it from the autocomplete cache in their browser history. The problem is that the default URL for Exchange 5.5 was something like https://owa.somorita.com/exchange/logon.asp. When the OWA server is upgraded to OWA 2003, this URL no longer works. A simple IIS trick, a new virtual directory plus a redirection, will fix this minor annoyance. Using the Internet Information Services Manager console, create a new virtual directory beneath the /Exchange virtual directory. Then configure it to redirect to the /Exchange virtual directory, as shown in Figure 21.8. Anyone who connects to the old URL is automatically redirected to the correct one.

Understanding the OWA Spell Checker

One of the most requested features for Outlook Web Access was a spell checker; this feature has finally been included with Exchange 2003. The spell checker has been implemented as a server-side process rather than a client-side process, mostly because of the considerable network overhead of downloading the OWA dictionary every time a spell-checking operation had to be done. Instead, when you click the spell-check button on the message toolbar (the button with the little ABC and a small check mark), the client sends the entire message to the server, the server performs the spell check, and it returns the suggested changes.

TIP Spell checking is available only in the premium OWA client interface.

The user must also select their default language the first time they use the spell checker; this is stored in their OWA preferences on the Exchange server and can be changed on the Options property page. Figure 21.9 shows the spell-checker dialog box after the server has checked the message and returned suggested changes for misspelled words.



TIP The forms-based logon page requires a user to log in with their domain\username, or they can use their UPN.

Redirecting Users to SSL Pages

Throughout this book, I have strongly urged you to use SSL for Internet protocol clients such as OWA. However, it is hard to convince your user community to type HTTPS rather than HTTP when entering the URL of their OWA server. Yet with a little ingenuity, you can help them along by redirecting them to the secure site. This is especially important if they have already added the nonsecure site to the browser's Favorites list. One of the things I like to do is to set up a friendly alias to the OWA server (such as owa.somorita.net) and then redirect the default or main page of the Web site so that the user does not have to remember owa.somorita.com/exchange. This makes it a little easier for users to remember the OWA page. If you are enabling SSL, the alias the users type (owa.somorita.net in this example) must be the common name on the certificate, or every browser will warn about a name mismatch.

Keep in mind that a redirect protects only what happens after it. Anything the browser sent in that first, nonsecure request has already crossed the network in the clear, which is one more reason to require SSL on the virtual server itself rather than rely on the redirect alone.

Redirecting Using the SSL Required Error Page

You have a couple of ways to redirect users. If the virtual server has been set to require security (on the Directory Security property page, behind the Secure Communications Edit button), then when users connect to a nonsecure page on that server, they get the 403.4 Forbidden: SSL Required web page. This page is nothing more than an HTML file (%windir%\Help\iisHelp\common\403-4.htm). You can either edit this file or create your own so that it directs the user automatically to the correct site. For example, I will create a file in the \Winnt\Help\iisHelp\common directory called redirect.htm that has the following contents:

Then I have to edit the 403.4 error entry on the website's Custom Errors property page to point it to my custom file. This method works most of the time, but it is slower (because the client has to connect to one page and then to another), and it is not always reliable with older browser clients. Of course, if you are blocking port 80 on your firewall, then this method will not do you any good because the inbound HTTP requests will not get to the server in the first place.

Redirecting Using the Home Directory Properties

Another method you can use (which may be more reliable and faster) is to create an additional site that redirects the user to the secure site. First, change the nonsecure port of the default website from 80 to something like 8080, and require SSL on that site. Next, create a new virtual server that listens on port 80; leave the SSL port blank because this virtual server does not require SSL. On the Home Directory property page of the new virtual server (as shown in Figure 21.8), click the A Redirection to a URL radio button. Enter the URL of the original web server, including the https:// prefix, and check the boxes called The Exact URL Entered Above and A Directory Below This One. Often I will even do this on the default virtual server instead, which saves me from having to create an extra virtual server. Of course, this assumes users are always typing HTTPS in the URL line. Also, if you are going to direct both internal and external users to this site, you must make sure the URL in the Redirect To field is reachable internally as well as externally.



Notice also the Compression drop-down list box. You have three options for compression: None, Low, and High. The compression feature allows the Exchange 2003 server to compress the style sheets and scripts larger than 1KB as well as dynamic HTML code (DHTML) such as messages and user Inbox listings. Compression occurs before SSL encryption, which is what makes it effective; modem compression, by contrast, operates on the already encrypted stream, and encrypted data does not compress. The compression algorithm used is GZip, and it requires the client to be running Internet Explorer 6 or later. Furthermore, it requires both Exchange 2003 and Windows 2003 (IIS 6) on the server. Enabling compression adds CPU load to the Exchange servers; Microsoft estimates high compression adds about 10 percent CPU overhead. However, compression can improve the performance of clients on slow links (such as dial-up) by 50 percent.

NOTE If the compression feature is enabled but you are not connecting to the OWA server with an IE 6 or later client, the client behaves normally.

Once forms-based authentication is enabled, you must connect to the Exchange server using SSL in order to see the login form. For example, if I type https://owa.somorita.com/exchange, I will automatically be redirected to the OWA login page; Figure 21.7 shows a slightly customized version of this login page.

Figure 21.7 A customized OWA login page

The login page is an Active Server Page (ASP), and you can find it in \Program Files\Exchsrvr\Exchweb\Bin\Auth\usa (for U.S. English); the file is LOGON.ASP. The first part of the file contains constants that are used for the text you see on the page as well as common error messages. Later in the file you can change the graphics that appear by default. With some care (and backup copies of the files!) even a novice web developer like myself can make basic changes to this login page. However, service packs (and sometimes critical updates) overwrite LOGON.ASP. So keep a careful record of the changes you make, because you will need to make them again once the updates are completed.



Without enabling forms-based authentication, users are presented with a regular Internet Explorer authentication dialog box. When the user logs in, these credentials are cached and sent to the server with every HTTP request. The credentials travel in the HTTP Authorization header, which looks something like this:

Authorization: Basic dm9sY2Fub3N1cmZcam1jYmVlOkJlbGwuMjIy

The string after Basic is only the Base64 encoding of domain\username:password. Base64 is an encoding, not encryption, so anyone who can read the request can recover the password with no effort at all. That is why Basic authentication to OWA is acceptable only over SSL.

The browser continues to cache these credentials for as long as the browser window is open. This introduced lots of problems with Exchange 2000 OWA when users would check their e-mail, connect to a few other URLs, and then leave the computer without closing the browser window. Someone else could come along, click Back a few times, and get into that user's mailbox. That is why it was so important for users to close the browser window when they were through checking their mail via OWA.

Forms-based authentication (also sometimes called cookie-based authentication) handles authentication by assigning the user a cookie. The cookie has an inactivity timer and expires automatically if the user stops accessing OWA, unless the user is actually editing a message. This type of authentication also prevents users from checking the Remember My Password box and storing their password in the computer's protected store. Once the user clicks the Logout button, there is no way someone can click the Back button and return to the mailbox.

To enable forms-based authentication, edit the properties of the HTTP virtual server. Figure 21.6 shows the Settings property page of an HTTP virtual server. Simply check the Enable Forms Based Authentication box. You will be reminded that before this login page can be used, you must enable SSL for that virtual server.

Figure 21.6 Enabling forms-based authentication for OWA
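To make the point about the Basic header concrete, here is an added example (not code from this book) that decodes such a header and scans a captured request for exposed credentials, which is exactly what anyone sniffing a non-SSL OWA session can do. The header value and the capture excerpt in it are constructed for the example, including the account name and password; the header shown above decodes in the same way.

```python
"""Decode the Basic credentials that OWA sends when forms-based authentication is off.

Added example; it is not code from the book.  The header value and the
capture excerpt below are constructed for this example, not taken from a
real server.  They stand in for what a proxy log or a packet capture of a
non-SSL OWA session would contain.
"""
import base64
import binascii
from typing import Optional

# Constructed sample: SOMORITA\jdoe with password Winter2005!, Base64-encoded.
SAMPLE_HEADER_VALUE = "Basic U09NT1JJVEFcamRvZTpXaW50ZXIyMDA1IQ=="

# Constructed excerpt of two OWA requests as they would appear in a capture.
# The first uses Basic authentication; the second carries the cookies that
# forms-based authentication issues instead (cookie values are made up).
SAMPLE_CAPTURE = """\
GET /exchange/jdoe/Inbox/ HTTP/1.1
Host: owa.somorita.com
Authorization: Basic U09NT1JJVEFcamRvZTpXaW50ZXIyMDA1IQ==

GET /exchange/ HTTP/1.1
Host: owa.somorita.com
Cookie: sessionid=0a1b2c3d4e5f; cadata=Q29uc3RydWN0ZWRDb29raWU=
"""


def parse_basic_authorization(header_value: str):
    """Return (domain, user, password) from an 'Authorization' header value.

    Basic authentication merely Base64-encodes 'user:password'.  Base64 is an
    encoding, not encryption: this function is all an eavesdropper needs.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed Base64 token") from exc
    # Only the first ':' separates user from password; the password may contain more.
    userpart, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        raise ValueError("missing ':' between user and password")
    # OWA accepts DOMAIN\user or a UPN (user@domain), which has no backslash.
    domain, backslash, user = userpart.rpartition("\\")
    if not backslash:
        return None, userpart, password
    return domain, user, password


def build_basic_authorization(domain: Optional[str], user: str, password: str) -> str:
    """Inverse of parse_basic_authorization, useful for tests or scripted clients."""
    userpart = f"{domain}\\{user}" if domain else user
    token = base64.b64encode(f"{userpart}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def find_basic_credentials(capture_text: str):
    """Return every (domain, user, password) sent with Basic auth in captured request headers.

    Run against a capture of a non-SSL OWA session, this shows exactly what an
    attacker on the path sees; a forms-based session exposes only cookies.
    """
    found = []
    for line in capture_text.splitlines():
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "authorization":
            try:
                found.append(parse_basic_authorization(value))
            except ValueError:
                continue  # Negotiate/NTLM tokens or garbage: not Basic, skip
    return found


if __name__ == "__main__":
    for domain, user, password in find_basic_credentials(SAMPLE_CAPTURE):
        print(f"exposed: domain={domain} user={user} password={password}")
```

The second request in the sample capture yields nothing, which is the practical difference between the two schemes: with forms-based authentication the password crosses the wire once, on the SSL-protected logon form, and afterwards only the session cookies do.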


136 CHAPTER 4 UNDERSTANDING EXCHANGE 2003 DATA STORAGE

mailboxes each, I suspect that this will happen more frequently with Exchange 2003. I have heard of this happening on really busy Exchange 2003 servers. The good news is that you can reset the log file generation. I usually take this opportunity to perform an offline defragmentation on all the stores in a storage group at the same time. For a server that is supporting 5,000 mailboxes, this will take more than a few minutes. Here is a procedure you can use to reset the log file generation:

1. Perform a normal (full) backup of the entire storage group.
2. Dismount all the stores in the storage group.
3. Optionally, use the ESEUTIL utility with the /D option to perform an offline defragmentation/compaction of each store in the storage group.
4. Move all of the log files for that particular storage group (E00*.log for the first storage group), and move the checkpoint file (E00.chk). These files should be moved out of the production log directory into a temporary holding spot until you are sure that the stores are mounted and working properly with their new logs.
5. Remount all of the stores in that storage group.
6. Perform a normal (full) backup of the entire storage group, because your previous backups will no longer be usable with the new generation of log files.

Ta da! You have reset your log file generation. This did require downtime for every information store in the entire storage group. An alternative to resetting the log file generation this way is to create a new storage group, create new mailbox stores in that storage group, and then move the mailboxes to the new mailbox stores. If minimal disruption to your user community is important, this may be a better (though time-consuming) approach.

NOTE Exchange 2003 will cleanly shut down the stores prior to running out of log file numbers and issue a warning to the event logs. Prior versions of Exchange did not always shut down cleanly when this happened.

Viewing Advanced Log File Information

You can learn some revealing information from each log file by using the ESEUTIL command. The ESEUTIL command with the /ML option will dump the header information from the log file. The following is the result of the ESEUTIL /ML command:

    Microsoft(R) Exchange Server Database Utilities
    Version 6.5
    Copyright (C) Microsoft Corporation. All Rights Reserved.

    Initiating FILE DUMP mode...
          Base name: e00
          Log file: e00003a7.log
          lGeneration: 935 (0x3A7)
          Checkpoint: (0x3A8,16D5,3F)
          creation time: 12/11/2005 22:27:28
          prev gen time: 12/11/2005 22:26:33
          Format LGVersion: (7.3704.8)

The Checkpoint field is worth a second look. Its first element (0x3A8) is the log generation the checkpoint currently points to, that is, the oldest log still needed to recover the database. This log is generation 0x3A7, one older than the checkpoint, so everything in it has already been written to the database, and it is exactly the kind of log that the next normal or incremental backup will purge.



Transaction Log Files

The ESE database engine uses write-ahead logging. All transactions are first written completely to the transaction logs before they are committed to the database; this gives ESE the atomicity and durability properties of an ACID database. As discussed earlier in this chapter, transaction logs are critical to the operation of Exchange Server. There is a unique set of transaction logs for each storage group, and each set of transaction logs should be located on a separate physical hard disk. Exchange log files are always 5,120KB in size; if you find a log file that is a different size (except for the Enntmp.log file, E00tmp.log for the first storage group, which is the next log being pre-allocated), either it is not an Exchange transaction log or it is corrupted. (Windows Active Directory uses a transaction log file size of 10,240KB; its log files are named slightly differently, too.)

Each storage group has an assigned log file prefix. The first storage group uses E00, the second storage group uses E01, and so on. The active log file in the first storage group's transaction log directory is E00.log. When this file fills up, it is renamed to E0000001.log, and a new E00.log is created. When the newly created log file fills up, it is renamed to E0000002.log, and another new E00.log is created. The five characters after the prefix are a hexadecimal generation number, so the sequence runs E0000009.log, E000000A.log, and so on through E000000F.log to E0000010.log. If you view either of these directories, you will see a collection of these old log files.

NOTE All subsequent examples use the prefix E00. If you are managing more than one storage group, you may have a log file prefix of E01, E02, or E03.

When circular logging is disabled (the default), transaction logs accumulate until a normal or incremental backup is run. On an Exchange 2003 server supporting 1,500+ active mailboxes, I have seen a single storage group generate 2,000 transaction logs in less than 48 hours. Regular backups must be run to ensure that the transaction log file disk does not run out of disk space!

WARNING Never delete transaction logs manually unless instructed to do so by Microsoft Product Support Services (PSS).

Don't panic if you see a few hundred megabytes or even a few gigabytes of transaction logs accumulating each day. A gigabyte of transaction logs does not mean a gigabyte of new messages; it means there has been a gigabyte of transactions against the database in that storage group. Transactions include not only newly arrived messages but also any changes to the database (moves, folder creations, deletions, modifications, permissions changes, and so on). As I stated earlier, the transaction log files should be on their own physical hard disk. You should have sufficient disk capacity to allow a week to two weeks of transaction logs to accumulate, if necessary.

WARNING Never enable disk compression on any Exchange database, transaction log, tracking log, or queue directory. This hurts performance and could cause larger database files to become corrupted.

Too Many Log Files?

I know what you may be saying to yourself right about now. You are probably saying, "Self, if the log files are named E00xxxxx.LOG and they use a hexadecimal numbering scheme, won't I eventually reach E00FFFFF.LOG?" You are correct; eventually you will reach that particular log file generation name. I used to tell people this would probably not happen very often. After all, that is 1,048,575 log files, which is a lot of transactions! But in this day and age of server consolidation and cluster nodes that support 5,000
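The naming scheme, the fixed 5,120KB log size, the E00FFFFF.log ceiling, and the ESEUTIL /ML header fields from "Viewing Advanced Log File Information" above lend themselves to a small checking script, so here is one as an added example (not code from this book or from Microsoft). It audits a directory listing of one storage group's logs for gaps in the generation sequence and wrong-sized files, reports how many generations remain before the ceiling, and parses the ESEUTIL /ML dump printed in the chapter to decide whether a log is already committed. The ESEUTIL text is the one shown above; the directory listing is constructed for the example.

```python
"""Helpers for checking Exchange 2003 (ESE) transaction logs.

Added example, not code from the book or from Microsoft.  It implements the
naming scheme described above (E00.log, then E0000001.log up to E00FFFFF.log),
the fixed 5,120 KB log size, and a parser for the ESEUTIL /ML header fields
shown in the text.  ESEUTIL_ML_SAMPLE is the dump printed in the chapter;
SAMPLE_LISTING is a constructed directory listing, not from a real server.
"""
import re

LOG_SIZE_BYTES = 5120 * 1024     # every Exchange transaction log is exactly 5,120 KB
MAX_GENERATION = 0xFFFFF          # E00FFFFF.log is the last name: 1,048,575 logs per storage group
_LOG_NAME = re.compile(r"^(E\d\d)([0-9A-F]{5})\.log$", re.IGNORECASE)

ESEUTIL_ML_SAMPLE = """\
Microsoft(R) Exchange Server Database Utilities
Version 6.5
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating FILE DUMP mode...
      Base name: e00
      Log file: e00003a7.log
      lGeneration: 935 (0x3A7)
      Checkpoint: (0x3A8,16D5,3F)
      creation time: 12/11/2005 22:27:28
      prev gen time: 12/11/2005 22:26:33
      Format LGVersion: (7.3704.8)
"""

SAMPLE_LISTING = {   # constructed {file name: size in bytes} for one log directory
    "E00.log": LOG_SIZE_BYTES,         # the active log
    "E00tmp.log": LOG_SIZE_BYTES,      # the next log, pre-allocated
    "E00.chk": 8192,                   # checkpoint file
    "E00003A5.log": LOG_SIZE_BYTES,
    "E00003A6.log": LOG_SIZE_BYTES,
    # E00003A7.log is missing, so the chain is broken
    "E00003A8.log": LOG_SIZE_BYTES,
    "E00003A9.log": 4 * 1024 * 1024,   # wrong size: not a log, or corrupted
    "E01000010.log": LOG_SIZE_BYTES,   # belongs to the second storage group
}


def log_file_name(prefix: str, generation: int) -> str:
    """Name of an archived log: ('E00', 935) -> 'E00003A7.log'."""
    if not 1 <= generation <= MAX_GENERATION:
        raise ValueError(f"generation {generation} outside 1..0x{MAX_GENERATION:X}")
    return f"{prefix.upper()}{generation:05X}.log"


def parse_log_file_name(name: str):
    """(prefix, generation) for an archived log name; None for E00.log, E00tmp.log, E00.chk, etc."""
    m = _LOG_NAME.match(name)
    return (m.group(1).upper(), int(m.group(2), 16)) if m else None


def parse_eseutil_header(dump: str) -> dict:
    """Extract the fields an administrator needs from 'ESEUTIL /ML <log>' output."""
    def grab(pattern, conv=str):
        m = re.search(pattern, dump)
        return conv(m.group(1)) if m else None
    fields = {
        "base_name": grab(r"Base name:\s*(\S+)", str.upper),
        "log_file": grab(r"Log file:\s*(\S+)"),
        "generation": grab(r"lGeneration:\s*(\d+)", int),
        "checkpoint_generation": grab(r"Checkpoint:\s*\(0x([0-9A-Fa-f]+),", lambda h: int(h, 16)),
    }
    # The checkpoint records the oldest generation recovery still needs; a log
    # older than that is fully committed to the database and is what the next
    # normal (full) or incremental backup will purge.
    if fields["generation"] is not None and fields["checkpoint_generation"] is not None:
        fields["fully_committed"] = fields["generation"] < fields["checkpoint_generation"]
    return fields


def check_log_chain(listing: dict, prefix: str = "E00") -> dict:
    """Audit a log directory for one storage group.

    Reports missing generations (a gap stops a restore from replaying logs),
    files of the wrong size, and how many generations remain before E00FFFFF.log.
    """
    gens, wrong_size = {}, []
    for name, size in listing.items():
        parsed = parse_log_file_name(name)
        if parsed is None or parsed[0] != prefix.upper():
            continue                    # active/temp log, checkpoint, or another storage group
        gens[parsed[1]] = name
        if size != LOG_SIZE_BYTES:
            wrong_size.append(name)
    if not gens:
        return {"first": None, "last": None, "missing": [], "wrong_size": wrong_size, "remaining": None}
    first, last = min(gens), max(gens)
    missing = [log_file_name(prefix, g) for g in range(first, last + 1) if g not in gens]
    return {"first": first, "last": last, "missing": missing,
            "wrong_size": wrong_size, "remaining": MAX_GENERATION - last}


if __name__ == "__main__":
    print(parse_eseutil_header(ESEUTIL_ML_SAMPLE))
    print(check_log_chain(SAMPLE_LISTING))
```

Feed check_log_chain a real listing (for example, the output of a directory listing turned into a name-to-size dictionary) before you trust a backup set: a missing generation in the middle of the chain means the logs after the gap cannot be replayed, and a file of the wrong size in the log directory is either foreign or damaged and should be investigated, never deleted by hand.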
