A Unified Communication Blog
Get Adobe Flash player

Exchange 2007

A few days ago Microsoft released a security bulletin about MS Exchange server 2000, 2003 & 2007. In the days after experts have analysed the vulnerabilities that is secured with these patches, and they are serious.

I urge all Exchange admins to update there Exchange Servers ASAP


The Updates:
Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004(KB959897)

Microsoft Exchange Server 2003 Service Pack 2(KB959897)

Microsoft Exchange Server 2007 Service Pack 1(KB959241)

Microsoft has updated thiere Unified Messaging Language Packs catalog

Use unified messaging language packs to allow the Exchange Server 2007 system to speak additional languages to callers. This download contains pre-recorded prompts, for example “Welcome, you are connected to Microsoft Exchange” in the language specified by this download. It also enables text to speech translation such that content (e-mail, calendar, contact information, etc.) can be read to the caller in the language of the Unified Messaging language pack.

Currently supported languages:

  • Dutch
  • English (Australia)
  • English (Great Britain)
  • English (United States)
  • French
  • French (Canadian)
  • German
  • Italian
  • Japanese
  • Korean
  • Mandarin (Peoples Republic of China)
  • Mandarin (Taiwan)
  • Portuguese (Brazil)
  • Spanish
  • Spanish (Mexico)
  • Swedish

Get it here:


and here:



I just stumbled over a nice cool online tool from the Exchange Team over at http://blog.unifiedcommunications.eu/

It seems that the Microsoft Exchange Team is working on a online tool to test Exchange Internet based services (ActiveSync, Outlook Anywhere, Autodiscover & SMTP) The tool is still Prototype, and i have found no public references to it yet. So it should be used as-is.
The Microsoft Exchange Server Remote Connectivity Analyzer (nice name by the way) can help you test and troubleshoot you public configuration (Public DNS & Firewall)


Security note:

To use the tool, you must enter username and password to complete the test. It is highly recommended that you create a temporary user for this test, and delete it after you complete the test.

I just checked the WhoIs database with this result:
(… So it is Microsoft.)

Error message when accessing the mailbox being proxied by a CAS server in other than the mailbox AD site:

The page must be viewed over a secure channel

The page you are trying to access is secured with Secure Sockets Layer (SSL).
Please try the following:
Type https:// at the beginning of the address you are attempting to reach and press ENTER.

HTTP Error 403.4 – Forbidden: SSL is required to view this resource.

Note that the URL is /exchange. It should be /OWA, because the user is located on a Exchange 2007 Mailbox / CAS server


This error was caused by the CAS server in the secondary AD site, requiring SSL on the /Exchange virtual directory. (or in other words, the solution was to set the IIS not to require SSL on the Exchange virtual directory only) The problem was that the Exchange 2007 CAS server was not redirecting to the /OWA virtual directory, but after changing the config, it is redirected (and still using SSL)

Another error was found in the same setup, but this was easier to figure out:

Error message in IE:

Outlook Web Access is not currently available for the user mailbox that you are trying to access. If the problem continues, contact technical support for your organization and tell them the following: The Microsoft Exchange Client Access server that is proxying the Outlook Web Access requests is running an older version of Microsoft Exchange than the Client Access server in the mailbox Active Directory site.

The Event Viewer on the Internet facing CAS server shows this event:

Event Type: Error
Event Source: MSExchange OWA
Event Category: Proxy Event ID: 46
User: N/A
Computer: CAS Server
Client Access server “https://webmail.domain.com/owa“, running Microsoft Exchange version “”, is proxying Outlook Web Access traffic to Client Access server “second-CAS.domain.com”, which runs Exchange version “”. To ensure reliable interoperability, the proxying Client Access server needs to be running a newer version of Exchange than the Client Access server it is proxying to. If the proxying Client Access server is running a newer version of Exchange than the Client Access server it is proxying to, the proxying Client Access server needs to have an Outlook Web Access resource folder (for example, “<Exchange Server installation path>)ClientAccessowa8.0.498.0″ that contains all the same versioned resource files as the Client Access server it is proxying to. If you will be running Outlook Web Access proxying with mismatched server versions, you can manually copy this resource folder to the proxying Client Access server.


Update all Exchange servers to the same build number (service pack & Patch level)

Microsoft has released a Update Rollup 3 for Exchange Server 2007 SP1 and Update Rollup 7 for Exchange 2007 RTM.

Read more about it here from the Exchange Team:

Or at Microsoft at:

Description of Update Rollup 3 for Exchange Server 2007 Service Pack 1

Description of Update Rollup 7 for Exchange Server 2007

Update (July 10):

  • The patch stops Exchange related services
  • The Patch includes the previous updates for SP1 (rollup 1 & 2)
  • The patch may require the server to restart to complete.
  • Please note that it can takes some time to apply this update (up to 15 min.)(see image below)

While waiting for the next relaese of the Unified Messaging Language Packs for Exchange Server 2007 i bumped over this page showing the ones released to date:


From what i´ve heard, there should be additional language packs released this summer, but i dont have a date…

I have a setup which consists of this:

2 x Exchange 2007 SP1 CCR server installed on Windows 2008
1 x Exchange 2007 SP1 CAS server installed on Windows 2008
2 x Windows 2003 SP2 domain controllers where the 32 bit Exchange Management Tools is installed.

When I start the EMC from my Windows 2003 servers I get the below error message:

Microsoft Exchange Error
The following error(s) were reported while loading topology information:
Unable to create Internet Information Services (IIS) directory entry. Error message is: Access is denied.
HResult = -2147024891.
Access is denied.

Directory Path: IIS://Mbxsrv.contoso.com/W3SVC/1/ROOT/Exchange
server name: Mbxsrv.contoso.com
local machine name: DC2
local machine fqdn: dc2.contoso.com
Access is denied.

Microsoft Exchange Error

The following error(s) were reported while loading topology information:
Unable to create Internet Information Services (IIS) directory entry. Error message is: Access is denied.
HResult = -2147024891.
Access is denied.

Directory Path: IIS://Cassrv.contoso.com/W3SVC/1/ROOT/Microsoft-Server-ActiveSync Detail:
server name: Cassrv.contoso.com
local machine name: DC2
local machine fqdn: dc2.contoso.com
Access is denied.

Unable to create Internet Information Services (IIS) directory entry. Error message is: Access is denied.
HResult = -2147024891.
Access is denied.

Directory Path: IIS://Cassrv.contoso.com/W3SVC/1/ROOT/OAB
server name: Cassrv.contoso.com
local machine name: DC2
local machine fqdn: dc2.contoso.com
Access is denied.

I made a support case with Microsoft and after long time they confirmed that its bug in the communication between Windows 2003 and Windows 2008, and it seems to be related to IIS. The developers is working on fix for it.
I’ll keep you updated when i hear something new about this issue.



I have just made a brand new Exchange 2007 SP1 CCR cluster on a Windows 2008 platform for one of my customers, and that kind of environment needs to be backed up from time to time.
And since HP Data Protector 6 doesn’t support Windows 2008 before version 6.1 which is scheduled to be released in September, I decided to test Microsoft Data Protection Manager 2007 which has support for both Exchange 2007 SP1 CCR clusters and Windows 2008.
From other bloggers and forums on the internet I have found that I’m not the only one which has got at lot of “fun” with DPM 2007 in that kind of environment.
So I will like to share some of the experience I have got with the product so fare and hopefully help others.

Problem 1: Installing the agent on Windows 2008
I had/have like many others problems with remote installing the agent to Windows 2008 servers. But the last installation I made I have disabled the Windows firewall before I pushed the agent to the servers. And that worked the first time with no problems.
Also remember to install the feature pack 1:
x86: http://www.microsoft.com/downloads/details.aspx?FamilyID=e9e1fe35-b175-40a8-8378-2f306ccc9e28&displaylang=en

x64: http://www.microsoft.com/downloads/details.aspx?FamilyID=ad5cd1a2-9b87-4a2c-90a2-9dbaf1024310&DisplayLang=en

With Feature Pack 1 you get System State Support for Windows 2008, SQL 2008 Support and better tape support.

I haven’t found the golden way to remote install the agent when Windows firewall is enabled (yet), But I have seen in other blogs that File and Print Service and WMI MUST be enabled in the firewall on the server that you try to push the agent to.

Problem 2: How-to Protect Exchange 2007
I did like many others – installed the DPM and when I couldn’t get it to work I read the manual.
My first problem was that I couldn’t see or select my Exchange stores in the Protection Group wizard.

Solution: Install EMC on the DPM server (with the same patch level), and on the same drive as the DPM.
Copy ese.dll and eseutil.exe to the DPMBIN folderAnd run this command on the DPM server:
Fsutil hardlink create “C:Program FilesMicrosoftDPMbineseutil.exe” “C:Program FilesMicrosoftExchange Serverbineseutil.exe”
The fsutil requires that DPM and EMC is installed on the same drive, otherwise the command will fail.

Link to the agent Prerequisites in the manual: http://technet.microsoft.com/da-dk/library/bb808827(en-us).aspx#ExchangeServerDatabaseUtilities

Problem 3: Protecting Windows 2003 Server
Before you deploy the DPM agent to Windows 2003 servers remember to install the VSS patch.http://support.microsoft.com/kb/940349/
I didn’t install the patch on my first 2003 server, and it took 30 min for the server boot – not cool for a production server.

Problem 4: Couldn’t see the virtual cluster node
As I wrote in the beginning, one of my installations was to protect a Windows 2007 CCR SP1 cluster installed on two Windows 2008 servers.
I manage to install the agent on both nodes in the cluster with no problems. Afterwards I could also see the virtual cluster name, but I couldn’t see or select my virtual exchange server.
After some time I found the problem – a failure in my CCR cluster.
I had at some point after I have installed the cluster created a new storage group and mailbox store which I then later on deleted from the EMC. No problem with that – but it seems like that there might be a bug somewhere (either in Exchange or in Windows 2008), because the deleted mailbox store was still a resource in my Failover cluster management tool.
After I deleted the failed resource in FCM then I could see my virtual exchange server name in the “Protection Group wizard” – and then backup works.

Problem 5: Can’t select System State on Windows 2008 Server
When I’m selecting my Windows 2008 servers I can only see “All Shares” and “All Volumes” but not my System State.

Solution: Install Feature Pack 1 and you will get Windows 2008 System State Support.

x86: http://www.microsoft.com/downloads/details.aspx?FamilyID=e9e1fe35-b175-40a8-8378-2f306ccc9e28&displaylang=en

x64: http://www.microsoft.com/downloads/details.aspx?FamilyID=ad5cd1a2-9b87-4a2c-90a2-9dbaf1024310&DisplayLang=en


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 75 other subscribers

Follow me on Twitter