Microsoft recently offered new information about how to improve performance of the Exchange Server Knowledge Consistency Checker (KCC). The KCC ensures that the directory's information about which sites and servers are on the network matches the actual sites and servers that exist. In performing this task, the KCC can make changes to the site directory to make it match the state of the network. The Microsoft article "XADM: Naming Exchange Server Computers to Optimize KCC Performance" (http://support.microsoft.com/support/kb/articles/q224/5/92.asp) explains that the KCC searches for servers in alphanumeric order. Therefore, the names you use for the computers influence KCC performance—and the amount of network traffic it generates.

Another Microsoft article, "XADM: 'Denial of Service' Vulnerability in Store Vulnerability with IMAP" (http://support.microsoft.com/support/kb/articles/q230/2/85.asp), discusses a different problem. If you can reach your Exchange server from the Internet via inbound IMAP4 traffic, be aware that a Denial of Service (DoS) attack exists that can make your Information Store (IS) quit responding. A malicious client can flood the server with IMAP4 packets containing no operation (NOOP) commands. Although these commands don't do anything, queuing enough of them can overload the IS. The article describes the available hotfix.

Last, the "Oops of the Month" award goes to the Exchange Server 5.5 Service Pack 2 (SP2) Lotus Notes connector, which can't talk to a Lotus Notes R5 server. If you need to make your Exchange servers talk to Notes servers, be aware of this incompatibility and plan to use Notes 4.52 on the servers that host the Notes connector.

I occasionally need to create distribution lists (DLs) manually. I'm frustrated that the Microsoft Exchange Administrator program doesn't give you a way to enter a company name when you create the DL. Is there some backdoor way to do this?

Fortunately, yes. You create the DL, then export it to a Comma Separated Values (CSV) file, add the Company attribute, and reimport it. Here are the specific steps to follow:

  1. Create the DL and populate it.
  2. Use the Tools, Directory Export command to export the DL. Make sure that Distribution list is the only check box selected in the Export objects group.
  3. Open the CSV file with your favorite text editor, and add a new attribute (Company) to the header line. You can use Microsoft Excel, too. If you do, add a new column and a heading in the first row of the column.
  4. Add the proper company name to each DL in the CSV file, taking care to get it in the column where you added the Company attribute.
  5. Reimport the modified CSV file with the Tools, Directory Import command.
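The CSV editing in steps 3 and 4 is easy to get wrong by hand (a Company value landing in the wrong column, or a second Company column added to a file that already has one). The following script, an added example rather than code from the original column, does those two steps for an exported file. The header names Obj-Class, Directory Name and Display Name in the constructed sample are assumptions; only the Company attribute name comes from the text, so reuse whatever header line your own export produced.

```python
"""Add a Company column to a Directory Export CSV of distribution lists.

Added example, not from the original column. The header names in the
constructed sample (Obj-Class, Directory Name, Display Name) are assumed;
only the "Company" attribute name comes from the text.
"""
import csv
import io
import sys

COMPANY_ATTRIBUTE = "Company"

# Constructed sample of what step 2 might export (two DLs, three columns).
SAMPLE_EXPORT = (
    "Obj-Class,Directory Name,Display Name\n"
    "DL,AllSales,All Sales Staff\n"
    "DL,Engineering,Engineering Team\n"
)


def add_company(csv_text, company, only_obj_class="DL"):
    """Return the CSV text with a Company column filled in for each DL row.

    - If the export already carries a Company column it is reused, not
      duplicated, and only empty cells are filled (so re-running is safe).
    - Rows whose Obj-Class is not a DL are copied through unchanged; with
      only "Distribution list" selected at export there should be none.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    if COMPANY_ATTRIBUTE not in fieldnames:
        fieldnames.append(COMPANY_ATTRIBUTE)  # step 3: new attribute in the header line

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row.setdefault(COMPANY_ATTRIBUTE, "")
        if row.get("Obj-Class") == only_obj_class and not row[COMPANY_ATTRIBUTE]:
            row[COMPANY_ATTRIBUTE] = company  # step 4: same column as the header
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python addcompany.py export.csv "Example Corp" > import.csv
    if len(sys.argv) == 3:
        with open(sys.argv[1], newline="") as fh:
            sys.stdout.write(add_company(fh.read(), sys.argv[2]))
    else:
        sys.stdout.write(add_company(SAMPLE_EXPORT, "Example Corp"))
```

Write the output to a new file rather than over the export, so you can diff the two before step 5 and confirm that only the Company column changed.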

I want to use Secure Sockets Layer (SSL) to secure SMTP mail traffic, but I can't establish an SSL session to the Exchange server, whether I use Outlook or Outlook Express. What can I do?

You can't use standard SMTP clients with an SSL-enabled SMTP server because those clients send SMTP traffic to TCP port 25, the default SMTP port, whereas SSL-wrapped SMTP uses the standard port 465. An additional wrinkle is that Microsoft's Internet mail clients (Outlook and Outlook Express) speak SSL, but the Internet Mail Service (IMS) speaks a related protocol, Transport Layer Security (TLS).

One solution is to point your SSL SMTP clients at an SSL-capable SMTP server (e.g., Netscape's mail server), or you can deploy Outlook 2000 and Outlook Express 5.0, both of which can speak TLS on port 25.

I tried to install Outlook 98 and Exchange Server on a test machine. Why couldn't I get Exchange to install after I installed Outlook?

Because some versions of Exchange and Outlook 98 use some of the same DLLs and components, you must install them in the correct order. Try removing Outlook 98, installing Exchange, then installing Outlook 98. After you've confirmed that the programs are working to your satisfaction, add the latest Exchange service pack.

We upgraded our Exchange Server 5.5 servers to SP2 and installed the Key Management Server (KMS). We then set our KMS to issue only version 3 certificates, but the KMS has issued some of our users version 1 certificates instead. Why?

The KMS has a flaw in SP1 and SP2. Earlier clients (in particular, the Exchange 4.0 and 5.0 clients and Outlook 97) that understand only version 1 certificates always request version 1 certificates, using the version field built into the certificate request. The KMS in SP1 and SP2 happily honors requests for version 1 certificates, even if you tell it not to. You can obtain a hotfix (build 5.5.2606.0 of kmserver.exe and kmsmsg.dll) from Microsoft Product Support Services (PSS), or you can wait for SP3. Because most sites aren't using Secure MIME (S/MIME), this flaw is unlikely to be a problem for most people.

Why can't you renew signature certificates with the SP2 KMS?

A simple programming error caused this flaw in SP2. The flaw isn't likely to affect many S/MIME sites because the typical renewal interval for a signature key is 2 or more years, and SP2 hasn't been around that long. Look for Microsoft to fix this problem in SP3.

I try to schedule server maintenance for times when no users are on the Exchange server, but no matter when I perform the maintenance, users still log on while I'm working on the server. How can I prevent users from logging on?

The easiest solution is to stop the IS service. However, if you need to keep it running, a technical solution is to add a Registry key that lets you restrict who can log on to your server's IS. When this key is in place, only users whose distinguished names (DNs) appear in the Registry value can log on. All other users see a dialog box saying their logon failed. (Don't apply this change during regular business hours unless you want a flurry of phone calls from puzzled users wondering why they can't log on.)

To make this work, you need to add the REG_MULTI_SZ value Logon Only As to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem key. Remember to save a current version of the Registry before you alter it. Then, add the full DN of the accounts you want to allow to log on, including the organization, site, and recipient container names. For example,

/o=RA/ou=USA-East/cn=recipients/cn=PaulR

specifies that a user named PaulR in the recipients container of the USA-East site in the RA organization can log on. Before making this change, you must stop the IS, then restart it when you're finished.

We removed a server from our Exchange Server site for maintenance, then reinstalled it. Now we have two copies of the server's EventConfig folder in the Events Root public folder. These folders don't appear in our mail clients; how can we delete them?

This anomaly happens when you completely remove the server from the site before the Message Transfer Agent (MTA) replicates notice of the server's event folder deletion throughout the site. All the other servers still think the folder is there, and the original server is no longer around to tell them otherwise. The fix for this problem is straightforward:

  1. Using your Exchange service account, log on to the problem server.
  2. Stop the Event Service (MSExchangeES).
  3. Run \exchsrvr\bin\events.exe with the /c:serverName switch. Replace serverName with the name of your server. This switch tells the Event Service to clean up its folder list. Running this program deletes one of the folders in the Event Root folder.
  4. Restart the Event Service.

You might have to force Exchange Administrator to update its folder list; to do so, press F5 after you restart the Event Service.

How can I measure how often people send messages to DLs?

My first thought was that you can't measure this usage, but I found an easy way to do it. If you turn on message tracking logs, Exchange makes a tracking log entry every time it expands a DL. Therefore, you can safely assume that every time someone sends a message to the DL, Exchange expands the DL. You need to write a script that scans the message tracking logs looking for Event 26—the DL expansion event. (Perl works great for this, but you can use something else if you prefer.) Along with the event ID, you can get the name of the object being expanded, which is the DL name. (Thanks to Missy Koslosky for sharing the details of this process on the Exchange mailing list at http://www.swynk.com.)
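A script of the kind described above, written as an added example rather than taken from the column or the mailing-list post. Tracking logs are tab-separated text with comment lines beginning with #; the column positions used here (the event number in the second field, the expanded object name in the fifth) are an assumption made for this example, so set EVENT_COL and OBJECT_COL to match the header of your own logs. The sample log lines are constructed, not real log output.

```python
"""Count distribution-list expansions (tracking-log event 26) per DL.

Added example, not from the original column. Column positions are an
assumption; adjust EVENT_COL and OBJECT_COL to your log's layout. The
sample lines below are constructed, not real Exchange output.
"""
import sys
from collections import Counter

DL_EXPANSION_EVENT = "26"
EVENT_COL = 1    # zero-based index of the event-number field (assumed)
OBJECT_COL = 4   # zero-based index of the expanded-object field (assumed)

# Constructed sample: comment header, an unrelated event, three DL expansions,
# and a truncated line that a scanner must tolerate.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    "# Exchange Server 5.5",
    "\t".join(["<m1@example.com>", "4", "1999-08-02 09:15:00", "MTA", ""]),
    "\t".join(["<m1@example.com>", "26", "1999-08-02 09:15:01", "MTA", "AllSales"]),
    "\t".join(["<m2@example.com>", "26", "1999-08-02 10:02:17", "MTA", "Engineering"]),
    "\t".join(["<m3@example.com>", "26", "1999-08-02 11:40:09", "MTA", "AllSales "]),
    "<m4@example.com>\t26",
    "",
])


def count_dl_expansions(lines, event_col=EVENT_COL, object_col=OBJECT_COL):
    """Return a Counter of DL name -> number of event-26 entries in lines."""
    counts = Counter()
    for line in lines:
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue                      # blank line or comment header
        fields = line.split("\t")
        if len(fields) <= max(event_col, object_col):
            continue                      # truncated or foreign line: skip it
        if fields[event_col].strip() != DL_EXPANSION_EVENT:
            continue
        dl_name = fields[object_col].strip()
        if dl_name:
            counts[dl_name] += 1
    return counts


def scan_files(paths):
    """Accumulate counts over several daily log files."""
    total = Counter()
    for path in paths:
        with open(path, encoding="latin-1", errors="replace") as fh:
            total.update(count_dl_expansions(fh))
    return total


if __name__ == "__main__":
    # Usage: python dlcount.py \\server\tracking.log\19990802.log ...
    result = scan_files(sys.argv[1:]) if len(sys.argv) > 1 \
        else count_dl_expansions(SAMPLE_LOG.splitlines())
    for name, n in result.most_common():
        print("%6d  %s" % (n, name))
```

The logs are rotated daily, so pointing the script at the whole tracking.log share (one file per day) gives you usage over any period you like.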

Tony Redmond suggested an even easier solution. Create a public folder, and add it to the DL. Every time someone sends a message to the DL, the message will appear in the folder. As long as you don't mind archiving DL messages in a folder, this technique works, too.

Why doesn't the Directory Service/Information Store (DS/IS) consistency adjuster fill in all the mailbox attributes?

Don't run the consistency adjuster without a good reason because it has some quirks. (Tony Redmond's "The Infamous DS/IS Consistency Adjuster," May 1998, describes some pitfalls to watch for.) The DS/IS consistency adjuster recreates directory objects for items that are in the IS but don't have corresponding directory entries. You need to recreate directory objects when you restore a backup of the IS but don't have a good copy of the directory. However, when you create the directory entries from scratch, the adjuster can't recreate mailbox attributes based only on the information in the IS. The Microsoft article "XADM: Attributes Missing After Recreated DS Objects with DS/IS" (http://www.support.microsoft.com/support/kb/articles/q197/9/70.asp) has a complete list of attributes that you must create manually.

Our backup program occasionally hangs. We're reasonably sure that our backup hardware isn't at fault. What could be wrong?

The Exchange backup interface component edbbcli.dll has a known flaw. If your backup program tries to allocate a large memory buffer to hold data as the program reads it from the server and that allocation fails, the backup application can hang—it sits there waiting for data that never arrives. You can obtain a post-SP2 hotfix for this problem; the hotfix includes build 5.5.2511.0 or later of edbbcli.dll. As always, if you're not having this problem, don't install the hotfix—wait for SP3.

What's the purpose of the Log Record Stalls/sec counter on the Performance Monitor Database object?

This Exchange Performance Monitor counter measures how many times per second the DS or IS can't write a log entry to the transaction log because log buffers aren't available. Exchange uses a two-step architecture: Log entries go into a buffer, then the database engine flushes them from the buffer to the disk. If no buffers are available, the database engine forces the component that wanted to log something to sleep for a brief interval before trying again.

Ideally, the number of log stalls per second is 0; that is, every component that tries to log something has its log request fulfilled immediately. Any time an IS thread has to wait for its turn at the log, your server's performance slows down.

As it turns out, the Exchange Performance Optimizer often sets the number of log buffers to an inappropriately low number, particularly on multiprocessor servers with a lot of RAM. I expect that Microsoft will eventually fix this behavior.

In the meantime, if you look at the counter and see sustained values above 0, increase the number of log buffers available to the IS by changing a Registry value. Add a new REG_DWORD value named Log Buffers to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem, then increase its value. Each buffer holds 512 bytes of data, so you can safely bump the number up to 256 or even 512.
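Both of the Registry changes in this column live under the same MSExchangeIS\ParametersSystem key: the REG_MULTI_SZ Logon Only As list of DNs from the maintenance question, and the REG_DWORD Log Buffers value above. The script below, an added example that is not from the column, generates a REGEDIT4 file for either or both so that the DNs are checked before they reach the Registry and the values go in with the right type. Using a .reg file instead of editing the key by hand is this example's own approach; the REGEDIT4 (Windows NT 4.0) encoding of hex(7) data as 8-bit string bytes, each string followed by a NUL and the list by one more NUL, and the DN pattern checked by valid_dn() are assumptions. Stop the IS before importing the file and restart it afterward, as the text says.

```python
"""Build a REGEDIT4 fragment for MSExchangeIS\\ParametersSystem.

Added example, not from the original column. Assumptions: REGEDIT4 file
format (hex(7) = 8-bit string bytes, NUL after each string, extra NUL at
the end); the recipient-DN pattern in DN_PATTERN; the 512 upper limit on
Log Buffers, which follows the text's "256 or even 512".
"""
import re
import sys

IS_PARAMS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
    r"\MSExchangeIS\ParametersSystem"
)

# Full recipient DN: organization, site, then recipients container and object.
DN_PATTERN = re.compile(r"^/o=[^/=]+/ou=[^/=]+(/cn=[^/=]+)+$")


def valid_dn(dn):
    """True for a complete DN such as /o=RA/ou=USA-East/cn=recipients/cn=PaulR."""
    return bool(DN_PATTERN.match(dn))


def multi_sz_hex(strings):
    """Encode a list of strings as REGEDIT4 hex(7) data (REG_MULTI_SZ)."""
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return ",".join("%02x" % b for b in data)


def logon_only_as_reg(dns):
    """Registry line for 'Logon Only As'; rejects partial DNs before they're written."""
    bad = [dn for dn in dns if not valid_dn(dn)]
    if bad:
        raise ValueError("not a full recipient DN: " + ", ".join(bad))
    return '"Logon Only As"=hex(7):' + multi_sz_hex(dns)


def log_buffers_reg(count):
    """Registry line for 'Log Buffers' (REG_DWORD, written as 8 hex digits)."""
    if not 1 <= count <= 512:
        raise ValueError("Log Buffers should be between 1 and 512, got %r" % count)
    return '"Log Buffers"=dword:%08x' % count


def build_reg_file(dns=(), log_buffers=None):
    """Assemble a REGEDIT4 file setting whichever values were requested."""
    lines = ["REGEDIT4", "", "[" + IS_PARAMS_KEY + "]"]
    if dns:
        lines.append(logon_only_as_reg(list(dns)))
    if log_buffers is not None:
        lines.append(log_buffers_reg(log_buffers))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python isparams.py > isparams.reg   (then import it with regedit)
    sys.stdout.write(build_reg_file(
        dns=["/o=RA/ou=USA-East/cn=recipients/cn=PaulR"],
        log_buffers=256,
    ))
```

Importing a .reg file that sets Logon Only As replaces the whole list, so include every DN that should keep access each time; to lift the restriction after maintenance, delete the value rather than importing an empty list.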

How can I tell which service pack a particular server has on it? How can I get version information for individual DLLs?

The General tab of the server Properties page tells you what Exchange Server version (e.g., 4.0, 5.5) you're running, including the service pack that's currently installed. To get a quick overview of the service pack levels of all servers in your site, use Exchange Administrator to expand the site's Servers object, then look in the right pane for the service packs and build numbers. (However, the Properties page won't tell you whether you're running the Standard or Enterprise edition of Exchange. To obtain this information, open the server's Site Configuration container, open the Servers item, select the server, and open its Properties page.)

Locating the version for a particular DLL is easy if you know where it's located. Select the DLL in Windows Explorer, right-click the DLL, and choose Properties. When the Properties dialog box appears, choose the Version tab; you'll see the file version and some other information about the DLL's version, build, and history. (This technique also works for executables.)

I deleted an Exchange server before I removed that server window from my Exchange Administrator desktop. Now, every time I launch Exchange Administrator, the program tries to connect to that server when it restores my desktop, so I have to wait for the connection to fail. How can I fix this problem?

Exchange Administrator tries to be helpful by keeping track of which servers you've connected to. As you've discovered, sometimes the program is too helpful. The program keeps track of servers in two ways: It keeps a list in the toolbar of servers you've recently connected to, and it remembers which servers you were connected to when you quit the program. This second list is causing your problem.

The simplest way to fix this problem is to start Exchange Administrator and let it fail to connect to the missing server. Then, go to the Tools menu and use the Save Connections Now command. This command updates the list of current connections so that Exchange Administrator won't try to reopen the missing server the next time you launch Exchange Administrator. If you want to purge the server list from the toolbar too, use your favorite Registry editor to remove the HKEY_CURRENT_USER\Software\Microsoft\Exchange\MSExchangeAdmin\Desktop\Servers key.