MsExchQueryBaseDN and Exchange 2010 SP1


Note: At TechEd NA 2011 session EXL326, announcing Exchange 2010 SP2 features (e.g. GAL segmentation), Greg Taylor stated that SP1 breaks MsExchQueryBaseDN in Exchange 2010. This might explain the behaviour as described in this article.

As you may know, the msExchQueryBaseDN attribute can be used to limit a user’s scope of the global address book and address searches (also see kb817218). This is helpful for restricting access in environments consisting of multiple organizations or organizations with a substantial number of mail-enabled objects. The attribute is part of the user object and you configure it by pointing it to the DN of the OU or address list of choice, e.g. OU=sales,DC=company,DC=com. Note that by default msExchQueryBaseDN is empty, so the user will search the whole domain the user is part of.

With Exchange 2010 SP1, the following unexpected behavior is encountered in Outlook when you’ve set the msExchQueryBaseDN attribute:

msExchQueryBaseDN Set
When msExchQueryBaseDN is set to a valid DN, Outlook Web App (OWA) will show the default global address list with elements from the configured msExchQueryBaseDN downwards. Outlook 2007/2010 will show an empty global address list; other global address lists are invisible. Searching the address book in OWA works; in Outlook it doesn’t, because Outlook thinks the address list is empty:


Note that if the structure contains many elements, opening the global address list in OWA may result in the following exception:

Url: https://…/owa/forms/premium/SubPageContainer.aspx?ae=AddressList&t=Recipients&subpage=DirectoryView.ascx
User host address: …
User: Blake, Francis
EX Address: /o=…
SMTP Address: francis@eightwone.com
OWA version: 14.1.270.1
Mailbox server: ex2010a.domain.local
Exception
Exception type: Microsoft.Exchange.Data.Directory.ADVlvSizeLimitExceededException
Exception message: Active Directory operation failed on ex2010a.domain.local. There are too many entries which exceed limit of Virtual List View. Additional information: The directory service encountered an unknown failure. Active directory response: 000020EF: SvcErr: DSID-03140350, problem 5010 (UNAVAIL_EXTENSION), data 0

The message indicates it tries to fit too many elements in the list.

MsExchQueryBaseDN cleared
When msExchQueryBaseDN is cleared, Outlook and OWA will show the default global address list as well as the other address lists. Also, even though the number of elements is equal to or larger than when msExchQueryBaseDN is set, the global address list will show in OWA. So, apparently the number of elements isn’t the issue, which makes the exception you get in OWA when msExchQueryBaseDN is set confusing.


After some digging, I think this behavior is related to dropping address list segregation support for on-premises Exchange 2010 and moving several functions and support for it to Exchange 2010 hosting mode. A possible clue can be found in the Exchange 2010 mailbox attribute QueryBaseDNRestrictionEnabled, whose description reads:

The QueryBaseDNRestrictionEnabled parameter specifies whether to restrict a user’s ability to view or search for other mailboxes in their organization. If this parameter is set to $true, the global address list (GAL) of the specified mailbox user isn’t populated. Specifically, if the user views the GAL, it will appear empty. If this parameter is set to $false, users can use the GAL to view all mailboxes in their organization, including mailboxes for which this parameter is set to $true. The default value is $false.

This empty GAL behavior when QueryBaseDNRestrictionEnabled is set to $true matches the behavior encountered when setting the msExchQueryBaseDN attribute.

So be advised that while we wait for Service Pack 2, of which the Exchange Team said it will contain some form of (still undisclosed) address list segregation (announcement here), you will run into the issues described above when using msExchQueryBaseDN in an Exchange 2010 SP1 environment.

To bulk clear the msExchQueryBaseDN attribute for a whole domain, execute the following command from the Exchange Management Shell:

Get-Mailbox -ResultSize Unlimited | ForEach {$o=[ADSI]("LDAP://"+$_.distinguishedName);$o.PutEx(1,"msExchQueryBaseDN",0);$o.SetInfo()}
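As an added example (not part of the original post), the following Exchange Management Shell script first inventories which mailboxes actually have msExchQueryBaseDN set and to which DN, writes that list to a CSV so the scoping can be restored once a supported segregation method is available, and only clears the attribute when run with -Clear; it uses the same ADSI PutEx call as the one-liner above. The -WhatIf switch and the CSV path are assumptions of this script.

```powershell
# Added example: audit msExchQueryBaseDN before bulk-clearing it.
# Written for the PowerShell 2.0 shell that ships with Exchange 2010 EMS.
# Usage: .\Audit-QueryBaseDN.ps1            (report only)
#        .\Audit-QueryBaseDN.ps1 -Clear -WhatIf   (preview the clear)
#        .\Audit-QueryBaseDN.ps1 -Clear     (clear and keep a CSV record)
param(
    [switch]$Clear,
    [switch]$WhatIf,
    [string]$BackupCsv = ".\msExchQueryBaseDN-before-clear.csv"   # assumed path
)

# IADs::PutEx control code ADS_PROPERTY_CLEAR, same as the "1" in the one-liner
$ADS_PROPERTY_CLEAR = 1

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $user   = [ADSI]("LDAP://" + $mbx.DistinguishedName)
    $baseDn = [string]$user.Properties["msExchQueryBaseDN"].Value

    # Empty attribute means the user already searches the whole domain; skip it
    if ([string]::IsNullOrEmpty($baseDn)) { continue }

    if ($Clear) {
        if ($WhatIf) {
            Write-Host "WhatIf: would clear msExchQueryBaseDN on $($mbx.Alias)"
        } else {
            $user.PutEx($ADS_PROPERTY_CLEAR, "msExchQueryBaseDN", 0)
            $user.SetInfo()
        }
    }

    # One record per scoped mailbox (New-Object keeps this PS 2.0 compatible)
    New-Object PSObject -Property @{
        Alias       = $mbx.Alias
        ServerName  = $mbx.ServerName
        QueryBaseDN = $baseDn
    }
}

# Summary: how many mailboxes are scoped to each OU or address list DN
$report | Group-Object QueryBaseDN | Sort-Object Count -Descending |
    Select-Object Count, @{n = 'QueryBaseDN'; e = { $_.Name }} | Format-Table -AutoSize

# Keep the per-mailbox values so the restriction can be re-applied later
$report | Select-Object Alias, ServerName, QueryBaseDN |
    Export-Csv -Path $BackupCsv -NoTypeInformation
```

Because OWA still honours the attribute while Outlook shows an empty GAL, the report tells you which users are affected before anything is changed.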

Updated: Added SP2 announcement mentioning to broken MsExchQueryBaseDN (May 18th).

Fix for Outlook 2007 Personal Archive update


As announced early February, the Office team has released a fix for the Outlook 2007 Personal Archive issues. This fix is also integrated in the Office 2007 Cumulative Update for February 2011 (kb2493732).

The description of the Outlook fix included in this CU can be found at kb2475891. Unfortunately, it doesn’t mention any specific Personal Archive issues.

You can request the individual hotfix here.

Mac Outlook 2011 & Exchange 2003


There are still a lot of questions and tweets on Mac’s Outlook 2011, Exchange 2003 and why that combination doesn’t work. I can only assume people overlooked the system requirement in the Apple store, which clearly states “Exchange support in Outlook 2011 requires connectivity to Microsoft Exchange 2007 SP1 RU4 or later”.

The reason for lack of support lies in the fact that Outlook 2011 connects to Exchange Server using what is called Exchange Web Services. These services were introduced with Exchange 2007 (and thus are also available in Exchange 2010). The result is that Office 2011 can’t synchronize information, like e-mail, contacts and calendar, with Exchange 2003.

On a side note, you could use Entourage 2008 which utilizes the WebDAV protocol. This is supported by Exchange 2003 as well as 2007, but was discontinued in Exchange 2010.

Is this bad? I think not. Apart from the requirement, which is clearly mentioned, Exchange 2003 is almost 8 years old now. Products evolve and mainstream support has already ended for Exchange 2003. Even if Exchange 2003 is running rock solid, organizations should be considering what to do with their Exchange 2003 environments as part of the IT life cycle management process.

SSL client compatibility


Exchange fellow Jetze Mellema blogged (in Dutch) about a useful online check, which will allow you to check your current client – computer or smartphone – against a set of certificates from different vendors. The short – and more memorable and mobile friendly – URL for this test is as follows: http://m.ssltest.net.

The creator, SSL reseller FairSSL, also keeps an overall comparison, which is located at http://www.ssltest.net/compare/sar.php. Note that the table’s titles are hard to read, but when hovering over the cells the corresponding product will be displayed.

Outlook 2007 archive KB published, omits archive function


After releasing the hotfix for enabling Exchange 2010 personal archives for Outlook 2007 users yesterday, the related knowledgebase article was published today (KB2458611).

What you might notice when reading the list of fixed issues is that the article doesn’t mention the included support for archives. Interesting. One might wonder what that implies from a support perspective.

Update: There are reports of issues with Outlook 2007 after installing update KB2412171, like loss of Archive/AutoArchive functions (not to be confused with personal archives), performance issues and Outlook Anywhere/NTLM issues. Since KB2458611 is based on that update, you might expect similar issues. More information here by Outlook MVP Ben Schorr.

Update: Official information confirms three issues have been identified with this fix:

  1. Secure Password Authentication issues when configured but server doesn’t support it (e.g. GMail);
  2. If you haven’t configured an Exchange account,
    1. Performance issues;
    2. Inability to configure AutoArchive for IMAP/POP3 or Outlook Live accounts.

More information on the Outlook Product Team blog here.

Update: The Microsoft Exchange team blogged about the December 2010 update for Office 2007 here. They state that “This update extends archive support to Outlook 2007”. In the same blog, the archiving functionality I described earlier here is hereby also officially confirmed.

Update: The Outlook team re-released the hotfix which addresses the 3 issues mentioned above (and on which the Outlook team blogged here). You can download the updated KB2412171 hotfix here.