Ticket: Exhcnage 2010 upgrade AddressList

 

 

http://blogs.technet.com/b/ilvancri/archive/2010/06/15/don-t-forget-to-update-your-ldap-filters-to-opath-filters-when-transitioning-from-exchange-2003-to-exchange-2010.aspx

 

1. download PS1 from MSExchangeTeamBlog

2. Update methods

# Examples on ways to use this script in Powershell…

# To convert a manually entered filter and display the result:
#
# .\ConvertFrom-LdapFilter "(&(mailnickname=*))"
#
# To convert the LDAP filter on an existing address list and display the result:
#
# .\ConvertFrom-LdapFilter (Get-AddressList "My Address List").LdapRecipientFilter

# To convert the LDAP filter on an existing address list and update the address list with the new filter:
#
# Set-AddressList "My Address List" -RecipientFilter ( .\ConvertFrom-LdapFilter (Get-AddressList "My Address List").LdapRecipientFilter )

# To convert all existing legacy address lists and display the result without actually updating them:
#
# Get-AddressList | WHERE { $_.RecipientFilterType -eq ‘Legacy’ } | foreach { .\ConvertFrom-LdapFilter $_.LdapRecipientFilter }

# To convert all existing legacy address lists and output the name, current LDAP filter, and the generated OPATH to a tab-delimited file without actually updating the address lists:
#
# Get-AddressList | WHERE { $_.RecipientFilterType -eq ‘Legacy’ } | foreach { $_.Name + [char]9 + $_.LdapRecipientFilter + [char]9 + (.\ConvertFrom-LdapFilter $_.LdapRecipientFilter) } > C:\suggestedfilters.txt

# To convert all existing legacy address lists and actually update the address lists without prompting:
#
# Get-AddressList | WHERE { $_.RecipientFilterType -eq ‘Legacy’ } | foreach { Set-AddressList $_.Name -RecipientFilter (.\ConvertFrom-LdapFilter $_.LdapRecipientFilter) -ForceUpgrade }

# To convert all legacy address lists, GALs, and email address policies, without prompting, run three commands:
#
# Get-AddressList | WHERE { $_.RecipientFilterType -eq ‘Legacy’ } | foreach { Set-AddressList $_.Name -RecipientFilter (.\ConvertFrom-LdapFilter $_.LdapRecipientFilter) -ForceUpgrade }

# Get-GlobalAddressList | WHERE { $_.RecipientFilterType -eq ‘Legacy’ } | foreach { Set-GlobalAddressList $_.Name -RecipientFilter (.\ConvertFrom-LdapFilter $_.LdapRecipientFilter) -ForceUpgrade }

# Get-EmailAddressPolicy | WHERE { $_.RecipientFilterType -eq ‘Legacy’ } | foreach { Set-EmailAddressPolicy $_.Name -RecipientFilter (.\ConvertFrom-LdapFilter $_.LdapRecipientFilter) -ForceUpgrade }

3. Legacy AddressList waiting for upgrade

4. different RecipientFilter

5. Choose convert single legacy addresslist

# To convert the LDAP filter on an existing address list and update the address list with the new filter:
#
# Set-AddressList "My Address List" -RecipientFilter ( .\ConvertFrom-LdapFilter (Get-AddressList "My Address List").LdapRecipientFilter )

6. Start Upgrade

7. Upgrade result

8. You cannot use EMC to edit the recipient filter

Ticket: Exchange 2010 OWA blank GAL

 

Exchange 2010 /2007 

透過網頁OWA 登入

點選通訊錄出現以下錯誤

*****************************************************

Request

Url: https://msft:443/owa/forms/premium/AddressBook.aspx?ae=Dialog&t=AddressBook&a=PickRecipients

User host address: 10.1.3.3

User: aaa

EX Address: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user084e0818

SMTP Address: a@msft.com

OWA version: 14.0.639.21

Mailbox server: EXCH.msft.com

Exception

Exception type: System.NullReferenceException

Exception message: 並未將物件參考設定為物件的執行個體

Call stack

於 Microsoft.Exchange.Data.Directory.SystemConfiguration.AddressBookBase.GetAllRoomsAddressList(ClientSecurityContext clientSecurityContext, ADSystemConfigurationSession configurationSession) 於 Microsoft.Exchange.Clients.Owa.Core.UserContext.get_AllRoomsAddressList() 於 Microsoft.Exchange.Clients.Owa.Core.Directory.DirectoryAssistance.GetAllRoomsAddressBookInfo(UserContext userContext) 於 Microsoft.Exchange.Clients.Owa.Core.UserContext.get_AllRoomsAddressBookInfo() 於 Microsoft.Exchange.Clients.Owa.Premium.Controls.SecondaryNavigationDirectoryList.CreateCondensedDirectoryList(UserContext userContext, Boolean isRoomPicker) 於 Microsoft.Exchange.Clients.Owa.Premium.DirectoryView.RenderSecondaryNavigation(TextWriter output, UserContext userContext, Boolean isRoomPicker) 於 Microsoft.Exchange.Clients.Owa.Premium.Controls.NavigationHost.RenderSecondaryNavigation(TextWriter output, Boolean showContacts) 於 ASP.forms_premium_addressbook_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) 於 System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) 於 System.Web.UI.Page.Render(HtmlTextWriter writer) 於 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

 

解決方法：

1. 原先AD 中有測試用的Exchange 未正常移除

2. Get-OrganizationConfig 取得 ResourceAddressList 關連錯誤的Address List object

3. New-AddressList -Name 所有會議室 -RecipientFilter {(Alias -ne $null -and (RecipientDisplayType
-eq ‘ConferenceRoomMailbox’ -or RecipientDisplayType -eq ‘SyncedConferenceRoomMailbox’))}

4. 開啟 adsiedit.msc

CN=FirstOrganization,CN=MicrosoftExchange,CN=Services,CN=Configuration,DC=test,DC=local，右鍵，找到msExchResourceAddressLists，

CN=所有會議室,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=test,DC=local

3.重啟下“Microsoft Exchange 通訊簿” 服務。

REF: Exchange 2010 upgrade custom address list

 

在收件者命令中建立篩選器

Exchange 2007 SP1 與 SP2 中 -RecipientFilter 參數可篩選的內容

 

-RecipientFilter 參數的許多屬性會接受萬用字元。如果您使用萬用字元，請使用 -like 運算子，而不要使用 -eq 運算子。-like 運算子是用來尋找符合各種類型 (例如字串) 的模式比對，而 -eq 運算子則是用來尋找完全的相符。

其他 OPATH 語法資訊

若要建立自己的自訂篩選，請注意下列事項：

• 使用大括號 { } 括住具有 Filter 或 RecipientFilter 參數的整個 OPATH 語法字串。
• 在所有的運算子之前加上連字號。以下為最常見的運算：
  • -and
  • -or
  • -not
  • -eq (等於)
  • -ne (不等於)
  • -lt (小於)
  • -gt (大於)
  • -like (字串比較)
  • -notlike (字串比較)
• RecipientFilter 及 Filter 參數的許多內容都接受萬用字元。如果您使用萬用字元，請使用 like 運算子，而非 eq 運算子。like 運算子是用來尋找符合各種類型 (例如字串) 的模式比對，而 eq 運算子則是用來尋找完全相符的項目。

 

E14 – Enable-AddressListPaging

重要事項：

Exchange 2010 現在會在新容器中建立系統通訊清單。使用 Exchange 2003 或 Exchange 2007 管理工具所建立或修改的收件者，不會與這些系統通訊清單一起加註戳記。因此，他們不會被 Get-Recipient 指令程式看到。
若要修正這個問題，您必須啟用 Active Directory 虛擬清單檢視 (VLV)。當您完成將現有 Exchange 2003 組織升級到 Exchange 2010，並解除委任 Exchange 2003 伺服器之後，必須啟用 Active Directory VLV。若要啟用 Exchange 2010 的 VLV，請執行 Enable-AddressListPaging 指令程式。如需相關資訊，請參閱Enable-AddressListPaging。

REF: GAL 讀取權限限制

 

1. Exchange 2003 GAL 讀取權限限制

http://blog.xuite.net/jammylo/Exchange/4592684

http://www.msexchange.org/tutorials/Shared-Hosting-Exchange-2003-Part2.html

2. Exchange 2007 GAL讀取權限限制

http://technet.microsoft.com/en-us/library/bb936719(printer).aspx

Configure Microsoft Exchange Server 2007 with multiple address lists so different groups of users can have their own address list and secure those address lists so that groups of users can only see their specific address list.

Supported

Companies that want to totally segregate their address lists can do so by removing access to the Default Global Address List and creating two or more address lists or virtual organizations. You can also set up additional functionality to restrict searching via Outlook Web Access to particular organizational units (OUs) or specific address lists using the msExchQueryBaseDN attribute.

Unsupported

This configuration is one where companies may want to totally segregate their address lists and still have access to the Default Global Address List, or try to split the Global Address List (GAL) into two separate address lists. An example of this configuration would be a company with two groups of 500 users that belong to the Sales and Finance departments. Both groups are in the GAL, however the desire is to have everyone access the GAL except one group. If you are going to segregate your address lists, then they will be segregated. Attempting this configuration will cause problems with the check names functionality which will prevent users from creating Outlook profiles, and can also break the OAB Generation Process. This also allows Outlook users to see all of the Address Lists from within Outlook, which cannot be changed.

 

Blog Extended Reading

More Information & Reference

REF: E14 Mailbox Role – Part 3 – E-Mail Address Policies

 

1. Update-EmailAddressPolicy  環境中不適合直接run 這個command, 除非重新調整過email address policy.

2. 舊版的email address policy 將無法直接編輯

 

3. 新版(2007 開始) 的好處是透過GUI 直接選定AD object, 取代過往的LDAP query

(&(&(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) )))(objectCategory=user)(company=msft*))))

只是不知 Mail group 只套用leagacyExchangeDN 的問題是否有解決?

 

 

Exchange applies a policy to all recipients that match the recipient filtering criteria:

• The recipient policy functionality is divided into two features: e-mail address policies and accepted domains.

  A detailed discussion about accepted domains is outside the scope of this topic. For information about accepted domains, seeUnderstanding Accepted Domains.

• When you run the Update-EmailAddressPolicy cmdlet in the Exchange Management Shell, the recipient object is updated with the e-mail address policy. For detailed syntax and parameter information, see Update-EmailAddressPolicy.
• Each time a recipient object is modified and saved, Exchange enforces the correct application of the e-mail address criteria and settings. When an e-mail address policy is modified and saved, all associated recipients are updated with the change. In addition, if a recipient object is modified, that recipient’s e-mail address policy membership is reevaluated and enforced.

 

Custom SMTP e-mail address

Variable	Value
%g	Given name (first name)
%i	Middle initial
%s	Surname (last name)
%d	Display name
%m	Exchange alias
%xs	Uses the first x letters of the surname. For example, if x = 2, the first two letters of the surname are used.
%xg	Uses the first x letters of the given name. For example, if x = 2, the first two letters of the given name are used.

 

Blog Extended Reading

More Information & Reference

1. Understanding E-Mail Address Policies