Henrik Walther Blog

Microsoft Exchange Hosted Services Overview

As I mentioned last week Microsoft finally introduced new branding, a new licensing model and the road map for Microsoft Exchange Hosted Services (EHS), formerly known as FrontBridge Technologies Inc.

Microsoft have also launched a page dedicated to giving you a more detailed overview of EHS (see below).

Introduction
Electronic messaging is mission critical, but it remains vulnerable to a growing array of threats. Viruses, worms, denial-of-service attacks, spam, and the need to satisfy a growing set of government regulations and legal actions all make effective message management increasingly difficult.

Microsoft Exchange Hosted Services is composed of four distinct services that help organizations protect themselves from e-mail-borne malware, satisfy retention requirements for compliance, encrypt data to preserve confidentiality, and preserve access to e-mail during and after emergency situations. The services are deployed over the Internet, which helps minimize up-front capital investment, free up IT resources to focus on value-producing initiatives, and mitigate messaging risks before they reach the corporate firewall.

As a component of the Microsoft Exchange solution portfolio, Microsoft Exchange Hosted Services provide a layer of protection features deployed across a global network of Internet data centers. The services create a security enhanced message stream to and from your on-premise messaging infrastructure.

Microsoft Exchange Hosted Services

Read more over at the official MS site.

You can also sign up for a 30-day trial here.

Surprise your users with an April Fool’s Day OWA 2003 theme

Did you know the Exchange team has good humour too? See this super cool post over at KC Lemson’s blog.

Customizing OWA themes is quite simple to do. Here’s an example of a theme I just put together, I call it “MOOWA”:

The fun part about this theme isn’t so much the graphics as the sounds: included are a “mooooooooo” for the new mail sound as well as a cowbell[1] for the reminder sound.

For more information on customizing themes, here is a comprehensive article. But if you want quick steps on how to get the above one up and running, here they are:

  1. Log into OWA as a test user with IE. Go to the Options page and choose the “Silver” theme.
  2. Download the zip file and save it to your server. Unzip it.
  3. Copy reminder.wav and notify.wav to C:\Program Files\Exchsrvr\Exchweb\Img, or wherever Exchange is installed on your server. Make sure to make a copy of the existing ones first.
  4. Go to C:\Program Files\ExchSrvr\Exchweb\Themes
  5. Make a copy of the “2” folder and name it 2.original
  6. Copy the files from the zip into the “2” folder, overwriting the ones already there.
  7. Use notepad and open “OWAColors.css” in the “2” folder and make the following changes:

Puts the cowprint behind the list of messages.

Before:
.msgViewerCont, .msgViewerGroupCont
{
 background-color:white;
}

After:
.msgViewerCont, .msgViewerGroupCont
{
 background-color:white;
 background-image:url(/exchweb/themes/2/logo.gif);
}

Makes the bar above the message view black.

Before:
.fldrTitleBar
{
 background-color:#706F90;
}

After:
.fldrTitleBar
{
 background-color:#000000;
}

Makes the background behind the MOOWA logo in the upper-left black.

Before:
.nbTableMain
{
 background-color:#706F90;
}

After:
.nbTableMain
{
 background-color:#000000;
}

Makes sure that the column you’re currently sorting on still shows the background image.

Before:
.vwSortCol
{
 background-color:#F5F5F6;
}

After:
.vwSortCol
{
}

All that’s left to do is Ctrl+Refresh IE while logged in as the test user from step 1 to make sure everything’s kosher.

[1] While testing the theme, I demo’d the sounds for my husband. He said “Play that one again” about the reminder sound, which I did. Then he said “It needs more cowbell.”

Exchange 12 CTP builds in your production environment

Nino Bilic did a blog entry over at the You Had Me At EHLO blog. Unfortunately, Microsoft have learned that some customers are installing the E12 CTP build in their production environments.

DO NOT install Exchange 12 into your production environment.

Read more about the consequences of doing so here.

Error message when you try to use the ActiveSync Web Administration tool to delete a partnership

Are you experiencing problems when you try to delete a partnership with a Windows Mobile 5.0 device with MSFP installed using the Microsoft Exchange Server ActiveSync Web Administration tool? Perhaps you get the following error:

Failed to access user’s Mailbox, verify that the mailbox and user account are enabled and functional.
Server Error in ’/MobileAdmin’ Application.
——————————————————————————–
The remote server returned an error: (401) Unauthorized.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The remote server returned an error: (401) Unauthorized.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[WebException: The remote server returned an error: (401) Unauthorized.]
System.Net.HttpWebRequest.CheckFinalStatus() +680
System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult) +74
System.Net.HttpWebRequest.GetRequestStream() +234
Microsoft.Exchange.AirSync.Admin.Mailbox.propFindRequest(String deviceUri) +240
Microsoft.Exchange.AirSync.Admin.Mailbox.getDevices() +194
Microsoft.Exchange.AirSync.Admin.Devices.refreshDevicesTable() +135
Microsoft.Exchange.AirSync.Admin.Devices.Page_Load(Object sender, EventArgs e) +190
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive() +35
System.Web.UI.Page.ProcessRequestMain() +750

——————————————————————————–

Version Information: Microsoft .NET Framework Version:1.1.4322.2300; ASP.NET Version:1.1.4322.2300

This can occur if Integrated Windows authentication hasn’t been enabled on the Exadmin virtual directory on the mailbox server, or if the MobileAdmin Web application isn’t running under the ExchangeApplicationPool application pool.

For more information, see the MS KB article below:

Error message when you try to use the Microsoft Exchange Server ActiveSync Web Administration tool to delete a partnership or to perform a Remote Wipe operation on a mobile device in Exchange Server 2003 SP2: “(401) Unauthorized”

The Recipient Update Service and Linked Value Replication

Another great post on the MS team blog…

Lately I’ve seen a lot of questions regarding the use of homeMDB in policy filters. I want to use this post to explain the reason that ExBPA warns about this, and hopefully clear up the confusion about how to address this.

Linked Value Replication is a feature that was added to Active Directory in Windows 2003. The point of LVR is that when a DN-linked attribute is changed, only the changes need to be replicated. For instance, instead of replicating a list of all members every time group membership is changed, it can replicate only the DNs that are added or deleted. LVR is also used for certain single-valued attributes, including homeMDB.

A quirk of LVR is that a replication packet contains two separate lists of changes - one list of regular attributes and then a separate list of linked attributes. When a DC receives such a replication packet, the non-linked attributes are applied first, with all non-linked attributes on the same object being applied in the same transaction. Once all non-linked attributes for all objects in the packet have been applied, it moves on to processing the linked attributes. This means that in a large replication packet, there can be a delay between the time the non-linked values are updated and the time the linked values are updated for the same object. This delay is what causes unexpected RUS behavior for the system policies and, possibly, recipient policies.

Let’s cover the system policies first. The point of the system policies is to stamp certain required attributes, such as homeMDB, on objects that are missing those attributes. There’s a particular system policy which is affected by this problem, and that’s the Mailbox Enable User policy. The filter that is placed on this policy by Exchange setup will match any user who has both mailnickname and any one of either homeMDB, homeMTA, or msExchHomeServerName.

If you consider this for a moment, you begin to understand the problem. Let’s say a user is mailbox-enabled on a DC other than the one the RUS points to. The user object will have to be replicated over for the RUS to evaluate it. When the RUS DC receives the incoming replication packet, the AD replication engine is going to write non-linked values to the object before writing homeMDB to the object. In a large replication packet on a heavily loaded DC, there can be a significant delay (10-20 seconds or more) after mailnickname and msExchHomeServerName get committed to the object before homeMDB is committed.

So let’s say there’s a 20-second window during which the object only has the non-linked values that were just committed. What happens if the RUS evaluates the object during this time? Well, it has a mailnickname and msExchHomeServerName, so it matches the Mailbox Enable User policy. But at this time the object appears to be missing the required homeMDB attribute. So the RUS stamps homeMDB with the first mailbox store it finds for that server, overwriting the homeMDB value that replicated in with the object.

This is why LVR can result in mailboxes being inadvertently rehomed to different stores than the ones on which they were created. The fix is to change the filter on the Mailbox Enable User policy so that this policy only matches user objects that already have a homeMDB value. This is explained in the following ExBPA article: http://www.microsoft.com/technet/prodtechnol/excha...7.mspx . This is also discussed in KB903291.

LVR is only a problem for recipient policies when you have policy filters based on LVR attributes such as homeMDB. All the values that are not subject to Linked Value Replication (like mailnickname or msExchHomeServerName) replicate together. You don’t have to worry about stamping something wrong if you base your filters on those types of values. Sure, you might stamp a user with proxyAddresses before the homeMDB value comes over, but who cares? When you base filters on LVR values like homeMDB, that’s the situation where you end up making wrong decisions.

Consider this situation. I have a user with the following attributes:

Dn: newUser

Mailnickname: newuser

HomeMDB: CN=Mailbox1,…

extensionAttribute1: special value

I have two recipient policies with the following filters:

Policy1: (&(mailnickname=*)(extensionAttribute1=special value))

Default Policy: (&(mailnickname=*))

Now, newUser replicates over to the DC the RUS points to. The RUS happens to look at the user before he has fully replicated, so we only have values that are not subject to LVR. But it doesn’t matter. Mailnickname is there, and extensionAttribute1 is there, so we make the right decision. Now change it to where you have these two policies:

Policy1: (&(mailnickname=*)(homeMDB=CN=Mailbox1,…))

Default Policy: (&(mailnickname=*))

NewUser replicates over to the DC the RUS points to. The RUS happens to look at the user before he has fully replicated, so we only have values that are not subject to LVR. So the first time the RUS looks at the user, he matches the Default Policy (because we only have mailnickname). So boom, he gets stamped with the wrong policy.

Because the Default policy matches any object with mailnickname, the Default policy is always going to match a partially-replicated object. Since a filter based on LVR attributes will not be able to match a partially-replicated object, you run the risk of getting objects stamped with the Default policy when you base the other policy filters on LVR attributes.

The fix for this problem is, of course, to change the recipient policies to not use homeMDB or other attributes that are subject to LVR. This is described in the following ExBPA article: http://www.microsoft.com/technet/prodtechnol/excha...7.mspx .

I hope this clears up any confusion on the use of homeMDB in recipient policies. If you have any questions, post ’em in Comments!

Source: http://blogs.technet.com/exchange/archive/2006/03/...8.aspx 
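The race described in the post above, as an added example that is not part of the original post and is not Microsoft code: a small Python simulation that applies non-linked attributes before linked ones and evaluates both policy sets at each stage. The filter parser covers only the subset used here, the rule that the first matching policy in list order wins is an assumption, and the mailbox store DN is a constructed placeholder.

```python
# Added illustration: RUS policy matching against a partially replicated object.
# Attributes the post names as subject to Linked Value Replication (LVR).
LVR_ATTRS = {"homemdb"}

def parse(flt, i=0):
    """Parse a filter subset: (&..), (|..), (attr=*), (attr=value)."""
    if flt[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    if flt[i + 1] in "&|":
        op, i, kids = flt[i + 1], i + 2, []
        while flt[i] == "(":
            kid, i = parse(flt, i)
            kids.append(kid)
        if flt[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    end = flt.index(")", i)
    attr, _, value = flt[i + 1:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1

def matches(node, obj):
    """Evaluate a parsed filter against an attribute dict with lowercase keys."""
    if node[0] == "&":
        return all(matches(k, obj) for k in node[1])
    if node[0] == "|":
        return any(matches(k, obj) for k in node[1])
    _, attr, value = node
    return attr in obj and (value == "*" or obj[attr].lower() == value.lower())

def lvr_attrs_in(flt):
    """Return the LVR attributes a filter depends on (what ExBPA warns about)."""
    def walk(node):
        if node[0] in ("&", "|"):
            return set().union(*(walk(k) for k in node[1]))
        return {node[1]} & LVR_ATTRS
    return walk(parse(flt)[0])

def replication_views(incoming):
    """Yield the object as the receiving DC sees it: non-linked values first."""
    obj = {k.lower(): v for k, v in incoming.items()}
    yield "non-linked applied", {k: v for k, v in obj.items() if k not in LVR_ATTRS}
    yield "linked applied", obj

def stamped_policy(policies, view):
    # Assumption: policies are tried in list order and the first match wins.
    for name, flt in policies:
        if matches(parse(flt)[0], view):
            return name
    return None

def evaluate(policies, incoming):
    """Policy chosen if the RUS looks at the object at each replication stage."""
    return [(phase, stamped_policy(policies, v)) for phase, v in replication_views(incoming)]

# Constructed sample data modelled on the post's newUser example.
MDB = "CN=Mailbox1,CN=constructed-placeholder"
NEW_USER = {"mailnickname": "newuser", "homeMDB": MDB, "extensionAttribute1": "special value"}
DEFAULT = ("Default Policy", "(&(mailnickname=*))")
NON_LVR = [("Policy1", "(&(mailnickname=*)(extensionAttribute1=special value))"), DEFAULT]
LVR_BASED = [("Policy1", f"(&(mailnickname=*)(homeMDB={MDB}))"), DEFAULT]

if __name__ == "__main__":
    for label, policies in (("non-LVR filters", NON_LVR), ("homeMDB filter", LVR_BASED)):
        print(label)
        for phase, policy in evaluate(policies, NEW_USER):
            print(f"  {phase}: {policy}")
        for name, flt in policies:
            if lvr_attrs_in(flt):
                print(f"  warning: {name} depends on {sorted(lvr_attrs_in(flt))}")
```

Running `lvr_attrs_in` over every recipient policy filter in an organization gives the list of policies that can lose this race.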

Supporting the Windows Mobile devices in your Exchange Server 2003 Mobile Messaging environment

Alright, so you have already deployed Windows Mobile devices in your Exchange Server 2003 mobile messaging environment, and now you have one user after the other contacting the IT department with all sorts of device-related issues (who said certificates?). If you can say yes to this, you might want to have a closer look at Pocket Controller-Enterprise from SOTI Inc. This brilliant product makes it possible, among many other things, to remote control the Windows Mobile devices in your organization from a desktop PC (even over GPRS!).

Is that cool or what?

Resolving MMC 3.0 errors when installing Exchange 12 CTP release

Are you experiencing problems installing the Exchange “12” CTP release? More specifically, are you getting the below error message during setup?

“Exchange Server ’12’ requires Microsoft Management Console 3.0.”

Then chances are you have installed the RTM version of the MMC 3.0 instead of the MMC RC1 release.

In order to fix this problem see this post by Nino Bilic over at the MS Exchange team blog.

Comparison: Microsoft Active Sync vs Verizon’s Wireless Sync for mobile devices, get the SMS out!

From Matt Hester’s WebLog…

I just wanted to share a recent customer question I received from Bob. The story was sparked by a new addition to my technology family. Thanks to Harold Wong, I now have a new HTC Wizard; more importantly, it has the new Mobile 5 bits and the security feature pack on it. So I can get direct push of my email without using SMS messaging. Very cool stuff.

The reason I mention this is that currently my team are doing live sessions on Exchange 2003 SP2 and we are discussing the new direct push technology for Mobile 5 devices. There has been some confusion on this, so I would recommend that you check out Harold’s blog on Mobile 5 and the MSFP: http://blogs.technet.com/haroldwong/archive/2006/0...6.aspx

Back to my point: one of my event attendees, Bob, asked me this:
How does Verizon’s wireless-sync workgroup software work in comparison to Microsoft’s Active-sync with Mobile 5 devices?

Here is the answer (BTW, if I misstate the Verizon Technology please comment):

Verizon Wireless Sync (based on what I read here): http://www.verizonwireless.com/b2c/businessSolutio...pEmail

Mail comes into your Exchange Server, which sends it to the Client. Then the Client, using their wireless sync software, sends an IP notification and pushes the email to the device via IP. By installing Verizon’s Wireless Sync on your desktop PC, as long as your PC is left on and in a condition to receive email, you’ll get new emails, calendar, contact, and task information sent to your mobile device whenever you’re out of the office (according to the web site). This is very good that it does not use SMS, however there are two flags that are raised for me:

  1. How long will this take? The email goes from the server, then it has to go to the client, then to the device.
  2. What if the PC is turned off? Then this solution, from what I have read, will not work. In my opinion, I do not like that, but more importantly this is a key difference between Active Sync and Verizon’s solution. The difference is that Active Sync is connecting directly to the server, and it does not have the additional hop to the PC.

Microsoft Active Sync with Mobile 5 and Direct push:
Whether you are Mobile 5 or not, the basic premise is the same. Mail comes into Exchange, then via Active Sync, based on schedule (more on that in a second), the device will download email, contacts…etc. The technological difference here comes down to what software you have on the device, and the only real concern here is when the devices are configured as always up to date:

  1. Without Mobile 5.0 and the Security Pack (uses SMS and always up-to-date):
    With always up to date turned on, when the message comes into Exchange Server, Exchange sends a hidden SMS text message down to the device to “wake” the device up and then the device runs Active Sync. The main issue with this technology as designed is the SMS messages, which cost .05 to .10 cents a transaction. To avoid this charge and get a similar feel to getting email, configure the schedule sync to occur automatically every 5 minutes. I have done this; although not ideal, it is quite effective for getting email, not always immediate, but 5 minutes is not that bad of a lag and I would probably compare it to the lag you may see in Verizon’s solution.
  2. With Mobile 5.0 and the Security Pack (uses IP and Direct Push):
    The only difference between the above solution and this one is that instead of a SMS message, Exchange sends a direct IP packet to the device and not a SMS message. (BTW this is called Direct Push, not always up to date; bottom line is the same email gets to the device.) This wakes the device up and we get email. This works with any standard data plan and does not incur any additional cost above and beyond your data plan, presuming you have enough each month.

Even though the SMS is a huge drawback, the fantastic thing about Microsoft Exchange is the configuration here is very straightforward. If you have OWA set up, this is about all you need to get Active Sync on the devices to work (the client access guide listed below outlines the steps needed to fully configure this).

To learn more about how Exchange does this look at the client access guide: http://www.microsoft.com/technet/prodtechnol/excha...7.mspx

Bottom line: In my opinion, today, if you are using Exchange as your email server, I think you can get a very similar experience with Active Sync and a 5 minute schedule sync vs. Verizon’s sync software without having to leave a PC on and connected to the network. Not to mention you do not have to load any additional software. More importantly, when Mobile 5 devices with the MSFP are more widely released, you are poised to take advantage of the new software almost immediately.

Source: http://blogs.technet.com/matthewms/archive/2006/03...6.aspx

Exchange mobility resources

Great post about Exchange 2003 mobile messaging over at Eileen Brown’s blog

Every month I get an internal email newsletter from David in Denver. He’s a technical specialist focused on Exchange, so our paths cross quite a bit (I last saw him during our Exchange 12 training in Redmond in January). Well, he hasn’t got a blog (why David?) which is strange, because his newsletters are full of the most amazing hints and tips, and have a full collection of technical resources in one place. So I’ve pinched the lot from his latest newsletter for wider distribution. He was planning to deliver a mobility tour in the US in February and collated all of these links. So with apologies if you’ve seen these before, and thanks to David for doing such a great job, here are all of his links on Exchange and mobility:

Step By Step Guide to setting up Windows Mobile and Exchange Server 2003:

Microsoft IT Scalability Experience With Windows Mobile Exchange Server 2003:

Exchange Server ActiveSync (EAS) FAQ:

Exchange Server 2003 documentation:

• Chapter 6, “Managing Client Access to Exchange Server” in the Exchange Server 2003 Administration Guide
• Chapter 8, “Configuring Exchange Server 2003 for Client Access” in the Exchange Server 2003 Deployment Guide
Client Access Guide for Exchange Server 2003:     

Windows Mobile Enterprise Resource Kit:

Microsoft Exchange Server ActiveSync Certificate-Based Authentication Deployment (English only)
Provides several tools to help an Exchange administrator configure and validate client certificate authentication for Exchange Server ActiveSync.

Exchange Server ActiveSync Mobile Web Admin Tool
The Microsoft Exchange Server ActiveSync Web Administration tool enables administrators to manage the process of remotely erasing lost, stolen, or otherwise compromised mobile devices.

By using the Exchange Server ActiveSync Web Administration Web tool, administrators can perform the following actions:

• View a list of all devices that are being used by any enterprise user
• Select/De-select devices to be remotely erased
• View the status of pending remote erase requests for each device
• View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices those commands pertained to

The Microsoft Exchange Server ActiveSync Web Administration Tool is designed for use with Exchange Server 2003 Service Pack 2 and compatible mobile devices.

Source: http://blogs.technet.com/eileen_brown/archive/2006...s.aspx 

Are you having issues when synchronizing your Windows Mobile 5 device with an Exchange 2003 Server using Exchange ActiveSync (EAS)?

Ever since the first Windows Mobile 2005-based devices started appearing on the market, I’ve had several questions from people who, for one reason or the other, couldn’t get their device to synchronize properly with an Exchange 2003 Server using Exchange ActiveSync (EAS). In most of the cases the reason turned out to be that the mobile device simply didn’t trust the certificate provider who issued the certificate that had been installed on the respective Exchange Server. For some reason (and I really don’t know why!) a Windows Mobile 5 device, by default, doesn’t trust all the certificates Internet Explorer trusts. This means that you, in most situations, need to install the intermediate and root certificates from the respective certificate provider manually on the device. This can typically be done by copying the certificate to the device (in .DER format), where you then simply double-click on it in File Explorer.

I’ll also include this information in one of my upcoming articles, which will cover the new Messaging Security Feature Pack (MSFP), also known as the Adaptation Kit Update 2 (AKU2), and which will appear here on MSExchange.org in the near future.

