250 Hello

Random Musings on Exchange and Virtualization

  • How To Install ADFS 2012 R2 For Office 365–Part 3

    Well then, here we are in part three already!  Previously we:

    Installed ADFS 2012 R2 For Office 365 in part 1

    Installed ADFS 2012 R2 Proxy For Office 365 in Part 2

    Now we want to change the Office 365 domain to be a federated domain.  As discussed in part 1, this means that all of the users who authenticate using this domain will become a federated identity and the on-premises ADFS server is responsible for authenticating these requests.

     

    Update 20-8-2014: Added comment for SupportMultipleDomain switch for the Convert-MSOLDomainToFederated cmdlet.

     

    Importance Of ADFS When Office 365 Relies Upon It

    Before we discuss the integration of Office with the on-premises ADFS infrastructure, let’s just again be clear on the criticality of ensuring that ADFS is available when the Office 365 domain is set to use ADFS authentication.  For whatever reason if the ADFS infrastructure is unavailable, then Office 365 cannot complete the authentication process and thus users cannot get access to Office 365.  This will cause a service impacting outage that will require resolution from you, not Microsoft’s online services team.

    For this reason, unless you really need to leverage ADFS please review the DirSync password synchronisation feature in the recent DirSync builds.

    Apologies if I sound pessimistic, but I don’t want to understate the requirement for ADFS redundancy!

     

    ADFS in Azure

    On the topic of ADFS redundancy one option is to also host a portion of your ADFS infrastructure in Azure.  This is a perfect solution if you do not have sufficient capacity in your current datacentre, or your datacentres are located in close proximity of each other and a major incident would take both of them down.

    There is a whitepaper published for this exact scenario. Please check this link. The documentation covers three main scenarios to meet the situations discussed above:

    • Scenario 1: All Office 365 SSO integration components deployed on-premises. This is the traditional approach; you deploy directory synchronization and Active Directory Federation Services (AD FS) by using on-premises servers.
    • Scenario 2: All Office 365 SSO integration components deployed in Windows Azure. This is the new, cloud-only approach; you deploy directory synchronization and AD FS in Windows Azure. This eliminates the need to deploy on-premises servers.
    • Scenario 3: Some Office 365 SSO integration components deployed in Windows Azure for disaster recovery. This is the mix of on-premises and cloud-deployed components; you deploy directory synchronization and AD FS, primarily on-premises and add redundant components in Windows Azure for disaster recovery.

     

    This is an example of hosting ADFS in Azure for DR purposes:

    Hosting ADFS In Azure For DR Purposes

     

     

    AD FS is supported for deployment on Azure Virtual Machines, but there are AD FS best practices that require technologies beyond what AD FS offers itself, such as load balancing/high availability.  In addition to this please also consider the pricing for running this IAAS.  Read through the deployment caveats in the ADFS Azure documentation above and also the additional discussion points here.

     

    Updating ADFS

    Back to the business at hand – updating Office 365 so that it now uses your on-premises ADFS server!

    We will run the below on a domain joined server on the corporate network.  This has the Windows Azure Active Directory PowerShell Module and the Microsoft Online Services Sign-In Assistant (SIA) installed.  Let’s launch the WAAD PowerShell module.  For reference the remote ADFS server is Tail-CA-STS.TailspinToys.ca.

    For other WAAD management tasks, take a peek at Manage Azure AD using Windows PowerShell page.

    Using Connect-MsolService let’s connect to our WAAD instance.  Provide a set of global admin credentials:

    Connecting to Windows Azure Active Directory

    We can see the current status of the domains within this tenant.  The Get-MsolDomain cmdlet will show the domains, and we are interested in the first domain – “Tailspintoys.ca”.

    Reviewing Starting Domain Status

    Before we can execute the Convert-MsolDomainToFederated cmdlet, we also need to hook into the local ADFS server (not the ADFS proxy) so that we can configure it.

    There is a word of warning here, as chances are that you will see this lovely screen that features copious red text.

    Set-MsolADFSContext : The connection to <ServerName> Active Directory Federation Services 2.0 server failed due to invalid credentials.


    This is caused by Remote PowerShell not being enabled on the remote  ADFS server.  This is an issue that is present on ADFS 2012 and ADFS 2012 R2 servers amongst others.  Thankfully it is quite easy to fix, by running the below on the ADFS server:

    Enable-PSRemoting 

    Once Remote PowerShell has been enabled, we can then connect to the ADFS server using the Set-MsolADFSContext cmdlet. Like the other MSOL cmdlets, this one is just as unforgiving.  If you forget to explicitly use the required parameters the MSOL cmdlets typically do not prompt like the Exchange cmdlets do.  Because of this I have a habit of always specifying every option and not relying on PowerShell to prompt for required options that were missed.

    Once we have connected to the ADFS server, we use the Convert-MsolDomainToFederated cmdlet to convert the Office 365 domain from Managed to Federated.

    Set-MsolADFSContext -Computer Tail-CA-STS.tailspintoys.ca

    Convert-MsolDomainToFederated -DomainName tailspintoys.ca

     

    Update 20-8-2014:  Andy pointed out in the comments that there is an area of concern to be noted here for customers that have multiple top level domains.  Back with ADFS 2.0, customers with multiple top level UPNs had to deploy separate ADFS instances for each domain suffix.  A rollup was added to assist with this, along with the SupportMultipleDomain switch.  Please see here for more details if you have multiple sign on domains.

     

    Once converted, we check to see if the change applied:

    Converting Domain To Federated

    Yes it did!  The domain is now Federated.

    The full properties of the domain now look like so:

    Viewing All Details Of Converted Domain
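    The conversion steps above (remoting check, connect, convert, verify) as one script, written here as an added example rather than the post's own commands. It assumes the post's lab names (Tail-CA-STS.tailspintoys.ca, adfs.tailspintoys.ca, tailspintoys.ca) and runs on the domain joined admin box with the MSOnline module installed.

```powershell
# Added example (not from the original post): convert an Office 365 domain to
# federated with pre-flight checks, so the cut-over itself does not become the
# ADFS outage the post warns about. Names below are the post's lab names.
$DomainName = 'tailspintoys.ca'
$AdfsServer = 'Tail-CA-STS.tailspintoys.ca'   # internal ADFS server, NOT the proxy
$AdfsName   = 'adfs.tailspintoys.ca'          # federation service name (FQDN)

# 1. Remote PowerShell must be enabled on the ADFS server (Enable-PSRemoting),
#    otherwise Set-MsolADFSContext fails with the "invalid credentials" error.
try {
    Test-WSMan -ComputerName $AdfsServer -ErrorAction Stop | Out-Null
} catch {
    throw "WinRM is not reachable on $AdfsServer. Run Enable-PSRemoting there first."
}

# 2. The federation metadata must already be served before Office 365 depends on it.
$metadataUrl = "https://$AdfsName/federationmetadata/2007-06/federationmetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
if ($resp.StatusCode -ne 200 -or $resp.Content -notmatch 'EntityDescriptor') {
    throw "Federation metadata not returned from $metadataUrl"
}

# 3. Connect to WAAD; Connect-MsolService prompts for global admin credentials.
Import-Module MSOnline
Connect-MsolService

# 4. Only convert a domain that is Verified and currently Managed.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') { throw "$DomainName is not verified in the tenant." }
if ($domain.Authentication -eq 'Federated') {
    Write-Warning "$DomainName is already federated; nothing to do."
    return
}

# 5. Point the MSOL cmdlets at the ADFS server and convert. Every parameter is
#    given explicitly, as the post recommends: these cmdlets do not prompt.
Set-MsolADFSContext -Computer $AdfsServer
Convert-MsolDomainToFederated -DomainName $DomainName
# Tenants with several sign-in domains add -SupportMultipleDomain here (see the
# 20-8-2014 update above).

# 6. Verify: the domain must report Federated, and the federation settings must
#    point at our own STS. The signing certificate Office 365 stores is a base64
#    DER blob, so decode it to get a thumbprint worth comparing with ADFS.
$after = Get-MsolDomain -DomainName $DomainName
$fed   = Get-MsolDomainFederationSettings -DomainName $DomainName
$bytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
[pscustomobject]@{
    Domain         = $after.Name
    Authentication = $after.Authentication   # expect 'Federated'
    IssuerUri      = $fed.IssuerUri          # typically http://$AdfsName/adfs/services/trust
    PassiveLogOnUri= $fed.PassiveLogOnUri    # typically https://$AdfsName/adfs/ls/
    SigningCert    = $cert.Thumbprint
    SigningExpires = $cert.NotAfter
}
if ($after.Authentication -ne 'Federated') { throw 'Conversion did not apply.' }
```

    Remember the post's note that the change can take up to two hours to take effect on the sign-in side, so a successful Get-MsolDomain result does not yet prove the end-user redirect works.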

    Please be aware that it can take up to two hours for domain authentication changes to apply.  Go drink a vat of coffee or play some flappy birds!

     

    Testing Access To Office 365 OWA

    To test that we are being authenticated to Office 365 OWA via ADFS, let’s see what happens now that the domain has been converted to federated.

    Open IE, and navigate to https://outlook.com/tailspintoys.ca; this is the neat shortcut that we can use to access OWA.  Change the domain name to match your own.

    When we go there, the browser is redirected to our on-premises ADFS server, at this URL:  https://adfs.tailspintoys.ca/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1.0%26rpsnv%3D3%26ct%3D1398824668%26rver%3D6.1.6206.0%26wp%3DMBI_KEY%26wreply%3Dhttps:%252F%252Fwww.outlook.com%252Fowa%252F%26id%3D260563%26whr%3Dtailspintoys.ca%26CBCXT%3Dout

     

    We then sign in to the on-premises ADFS server:

    Sign-In To On-Premises ADFS Server

    ADFS authenticates us, assuming that the password is not fat-fingered, and this authorises Office 365 to let us access OWA:

    Signed In To OWA - What A Glorious Sight -- No EMAIL !!

    The astute reader will notice that IE in-private mode has been used.  This keeps my testing separate from the other IE Instances running on my laptop.

    One thing to note, when testing this connectivity please do so on a regular client machine that has the proper access to the Internet and where the browser is not totally locked down.  In the below example on a Server 2008 R2 SP1 server, when browsing to outlook.com/tailspintoys.ca the user experience is very different from the screenshots above.

    ADFS Redirection Experience When Testing On A Server

    The user will get logged on, but it can be disconcerting if you are expecting the sexy looking ADFS screen and you get an auth prompt instead…..

    ADFS Redirection Experience When Testing On A Server

     

    Testing Office 365 SSO

    Chances are you will have used the TestExchangeConnectivity.com site to test and troubleshoot on-premises issues.  The tool has been expanded, as now we can also use it to test and diagnose Office 365 issues.

    Office 365 Test Connectivity Website

    KB 2650717 How to diagnose single sign-on (SSO) logon issues in Office 365 by using Remote Connectivity Analyzer discusses using the tool to validate SSO.

    BONUS TIP – if you get tired of typing that long URL to get to the site, try http://exrca.com

     

    Viewing the SSO Shuffle

    Using the IE developer tools, which are accessible by pressing F12, we can see the traffic flow that the browser has taken to reach the sites involved.  You will want to click to enlarge the below.

    using IE Developer Tools To View SSO Traffic Flow

    Note that we went to the following URLs.  Can you work out why there are three outlook.com ones at the top?


     

    Repairing Office 365 Federated Domain

    As discussed in KB 2647048, there are situations that will require the Office 365 domain federation to be repaired.

    • 2523494 You receive a certificate warning from AD FS when you try to sign in to Office 365, Windows Azure, or Windows Intune
    • 2618887 Error when you try to configure a second federated domain in Office 365: "Federation service identifier specified in the AD FS server is already in use."
    • 2713898 "There was a problem accessing the site" error from AD FS when a federated user signs in to Office 365, Windows Azure, or Windows Intune 
    • 2647020 "Your organization could not sign you in to this service" error and "80041317" or "80043431" error code when a federated user tries to sign in to Office 365
    • 2707348 "Metadata Exchange (MEX) document received from AD FS contains an unknown WS-Trust version" error after you run the MOSDAL Support Toolkit
    • The Federation Service name in AD FS is changed. For more info, go to the following Microsoft website: AD FS 2.0: How to Change the Federation Service Name

    For example, you may find yourself running this:

    Updating MSOL Federated Domain
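    One repair scenario from the KB list above, the token-signing certificate mismatch behind 2523494, worked as an added example (not the post's own code): compare what Office 365 trusts with what the ADFS farm actually signs with, and only then run Update-MsolFederatedDomain. It assumes the post's lab names and that Connect-MsolService has already been run.

```powershell
# Added example (not from the original post): detect a token-signing certificate
# that Office 365 no longer agrees with (auto cert rollover, farm rebuild) and
# repair the federated domain. Assumes the post's lab names.
$DomainName = 'tailspintoys.ca'
$AdfsServer = 'Tail-CA-STS.tailspintoys.ca'

function Get-ThumbprintFromBase64 {
    # Office 365 stores the signing cert it trusts as a base64 DER blob.
    param([string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    return $cert.Thumbprint
}

# What Office 365 currently trusts for this domain.
$fed          = Get-MsolDomainFederationSettings -DomainName $DomainName
$cloudPrimary = Get-ThumbprintFromBase64 $fed.SigningCertificate
$cloudNext    = if ($fed.NextSigningCertificate) { Get-ThumbprintFromBase64 $fed.NextSigningCertificate }

# What the ADFS farm actually signs with, queried over Remote PowerShell.
# The calculated property keeps NotAfter intact across remoting serialization.
$onPrem = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object IsPrimary, Thumbprint, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}
}
$onPremPrimary = ($onPrem | Where-Object IsPrimary).Thumbprint

"Office 365 primary signing cert : $cloudPrimary"
"Office 365 next signing cert    : $cloudNext"
"ADFS primary signing cert       : $onPremPrimary"

if ($cloudPrimary -eq $onPremPrimary) {
    'Federation trust is consistent; no repair needed.'
} else {
    Write-Warning 'Office 365 holds a different token-signing certificate than ADFS. Repairing...'
    Set-MsolADFSContext -Computer $AdfsServer
    Update-MsolFederatedDomain -DomainName $DomainName
    # Add -SupportMultipleDomain above if the domain was converted with that switch.

    # Re-read and confirm the repair actually landed.
    $fed2 = Get-MsolDomainFederationSettings -DomainName $DomainName
    if ((Get-ThumbprintFromBase64 $fed2.SigningCertificate) -ne $onPremPrimary) {
        throw 'Update-MsolFederatedDomain ran but Office 365 still holds the old certificate.'
    }
    'Repair confirmed.'
}
```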

     

    Additional Reading

    I love this KB as it links to so many other articles that are relevant and introduce many of the issues that can arise with an ADFS deployment.

    KB 2647048 -- How to update or to repair the configuration of the Office 365 federated domain 

    The PFE Platform blog have some great ADFS content, amongst other things.  Just don't propose to Charity via the comment system please!

    How to Build Your ADFS Lab on Server 2012 Part 1

    Introduction to Active Directory Federation Services (AD FS) AlternateLoginID Feature

    Upgrading ADFS to Server 2012 R2

    FAQ on ADFS - Part 1

    Finally the TechNet Wiki has the ADFS content section.

    ADFS Content MAP

     

    Cheers,

    Rhoderick

  • How To Install ADFS 2012 R2 For Office 365–Part 2

    In part one we installed the ADFS server on our corporate network, and tested that it was working.

    Now we need to make the ADFS infrastructure available to the Internet in a secure fashion, so that Office 365 will be able to contact the ADFS proxy to authenticate user requests.

    In part three we will add the ADFS infrastructure to the Office 365 configuration.

    Planning And Prerequisites

    Install And Configure ADFS Proxy OS

    In this installation, the ADFS proxy server will be placed into the DMZ, and installed as a workgroup machine since the Tailspintoys organisation does not possess a separate management forest in the DMZ.  Ensure the machine is built as per your standard build process, is secured and all Microsoft updates are installed.

    You will want to install the April 2014 Windows 2012 R2 update to light up additional pieces of ADFS functionality, but we will save that for a later blog post.  If you do want to take a peek at this now, the PFE Platform folks are rocking it over here – please subscribe to their RSS feed too!

    Install And Verify Certificate

    As discussed in part one, you will need a certificate from a trusted third party.  Ensure that you check with the CA to ensure that you are able to install the certificate onto multiple servers as this is blocked in some license agreements.  This is something that you must check directly with the CA.

    If you are allowed to install the certificate from the ADFS server, then this simplifies matters; otherwise you will require an additional certificate.  The name must match the ADFS namespace that you selected through the ADFS design process.

    Name resolution

    Since the ADFS proxy server will be in a network that may not have access to the internal DNS zone information, ensure that it is able to resolve the ADFS namespace to the internal ADFS server.  A swift update to the local hosts file may suffice, just remember to add this to your build documentation.

    External DNS Record

    Create an external DNS record for the ADFS proxy server.  This A record will exist in the external DNS zone if you are using split DNS.  In the Tailspintoys enterprise (cough, cough this lab) the internal DNS zone is held on AD integrated DNS zones.  The external zone is at a commercial ISP, so the external DNS record was created at the commercial ISP so it resolves to the external IP of the ADFS proxy when I am at Starbucks.

    Open Firewalls

    Having the external DNS record point to the ADFS proxy server’s external IP address will not allow traffic to flow unless the firewalls are configured to do so.  In enterprises the ADFS proxy server will be installed into a DMZ, so there will be an internal and an external firewall.  Both must be opened to allow SSL traffic over TCP port 443.  In addition to this the ADFS proxy server will also need access to the CRL distribution points on the Internet to verify certificate validity.

    Exchange administrators should be used to this by now, as they have seen Exchange updates take a long time to install on Exchange servers that do not have access to crl.microsoft.com.  In the case of ADFS, the server should be able to hit the CRLs of the external CAs.

    Installing Web Application Proxy

    Let’s fire up the Add Roles Wizard from server manager!

    Windows 2012 R2 Add Roles And Features Wizard

    As noted in the previous post, there is no longer a separate ADFS proxy role in Windows 2012 R2.  The Remote Access feature provides VPN, Direct Access and Web Application Proxy (WAP) functionality.  It is the latter that we need to install. 

    Select Remote Access and let’s go find the droids we are looking for…

    Installing Windows 2012 R2 Remote Access Role Service

    Unless you want to add any features, like telnet * for troubleshooting purposes later, click next.

    Installing Windows 2012 R2 Remote Access Role Service

    The Remote Access role selection process starts.  Unlike in days of old when installing a feature would install all of the bits, and by extension potential vulnerabilities, Windows now wants to only install the bare minimum.  This is a paradigm shift compared to the early days of IIS where it would install everything and then you have to spend time stripping stuff back out.  Index extension attack anyone?


    In our case we just want to install the Web Application Proxy role service, so select that and click next.

    Windows 2012 R2 Select Remote Access Role Service

    Confirm the choice, and then install.

    Windows 2012 R2 Confirm Remote Access Role Service

    Once the necessary WAP role services are installed, we are then able to launch the Web Application Proxy Wizard to configure WAP.

    Windows 2012 R2 Remote Access Role Installation Complete

    Configure Web Application Proxy

    We need to configure the WAP proxy with the necessary information so that it knows it will be publishing our internal ADFS server and how to access ADFS.

    Configure 2012 R2 Web Application Proxy For ADFS

    On the screen below is where most configuration issues arise with this process.  What a lot of folks do is interpret the Federation service name as the display name of the ADFS server.  That will not get you very far unfortunately…

    Windows 2012 R2 ADFS Proxy Configuration - Beware Federation Service Name

    The federation service name field does NOT want you to enter the display name of the ADFS server farm.  The display name in the previous example was “Tailspintoys STS”, and this can be checked by looking in the ADFS console.

    Server 2012 ADFS Role Properties - Showing Display Name And Federation Service Name

    If you look closely at the ADFS properties, the federation service name is actually the FQDN of the service.  In our case this is adfs.tailspintoys.ca so let’s enter that along with credentials on the ADFS server so we are able to access ADFS.

    Windows 2012 R2 ADFS Proxy Configuration - Federation Service Name Correctly Filled In

    In the same way that we require an SSL certificate on the ADFS server, the same is true on the ADFS proxy, as clients will establish SSL sessions to this machine which will then be bridged to the internal ADFS server.

    Since the certificate was installed and verified as part of the preparatory work, we select it and move on.


    Verify the details, and click configure.

    Windows 2012 R2 ADFS Proxy Configuration Verify Details

    The wizard starts to configure the ADFS proxy.

    Windows 2012 R2 ADFS Proxy Configuration Starting...

    And shortly thereafter completes!

    Windows 2012 R2 ADFS Proxy Configuration Complete

    Verifying ADFS Proxy Installation

    At this time we should have a functional ADFS proxy server that is able to provide internet based users with access to our ADFS server’s authentication services.  But as always, we need to test!

    To open up the Remote Access management console, use the Remote Access Management shortcut in administrative tools.

    If you have immediately launched this after installing the ADFS proxy it may take a few seconds or a refresh to show up.  The other top tip is not to look for a published web app.  Remember that WAP can be used to publish various applications to the internet, but in this case we are just wanting to use the base ADFS proxy components.

    To check that the ADFS proxy is running, click onto the Operational Status in the left hand tree.

    Server 2012 R2 Remote Access Management Console

    Selecting the operational status will then show how the ADFS proxy is currently running.  You can also jump to Perfmon or Event Viewer from this node.


    Should the ADFS proxy have an issue the console will light up like a Christmas tree.  In this case I deliberately stopped the “Active Directory Federation Services” service on the ADFS proxy, please click to enlarge the image:

    Less Than Happy ADFS Proxy Server

    And as expected with the ADFS proxy crippled users will not be able to authenticate, even if they try an alternative browser!

    No ADFS Love Here For You!

    Even though the Windows service is named the same on both the ADFS server and the ADFS proxy, note that the executable path is different:

    Server 2012 R2 ADFS Proxy Service Details

    Server 2012 R2 ADFS Server Service Details

    Verify ADFS Proxy Configuration

    In event viewer on the ADFS proxy, open up the application and services logs and check that the proxy is able to retrieve its configuration from the ADFS server.  This can be seen here, click to enlarge:

    ADFS Proxy Application And Services Event Log

    With the full event details shown here:

    Server 2012 R2 ADFS Proxy - Retrieving Configuration From ADFS Server

    Verify Federation Service Metadata

    Using the same URL as before, open Internet Explorer and navigate to your ADFS server’s federation metadata URL.

    This will be something like the below, just change the FQDN to match your environment.

    https://adfs.tailspintoys.ca/federationmetadata/2007-06/federationmetadata.xml

    https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    The intent here is to ensure that we are able to get to the site externally.  If you are not able to see the ADFS text rendered in the browser, start with ensuring that the firewalls are not dropping traffic.

    Verify ADFS Sign-In Page

    Browse to the ADFS sign-in page and test that you are able to authenticate.

    The URL will be similar to the below, again change the FQDN to match your organisation’s.

    https://adfs.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm

    https://sts.contoso.com/adfs/ls/idpinitiatedsignon.htm

    You should see the below, and be prompted to sign in:

    (Note that I did not full screen the window before grabbing the capture, else it would be too small.)

    Sign In To The Tailspintoys STS

    Clicking the Sign In button will prompt for credentials:

    Sign In To The Tailspintoys STS

    If you successfully authenticate then you will be rewarded with this stellar screen:

    Now Signed In To The Tailspintoys STS

    And if you are unable to type a password (like me doing demos) then you will get this less than stellar result:

    OOOOpseys -- Sign In Failed To The Tailspintoys STS
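    The proxy build from this part as a script, with the name resolution, firewall and CRL checks run before the configuration step and the verification afterwards; this is an added example, not the post's own commands. It runs on the DMZ workgroup server, uses the post's federation service name, and $InternalAdfsIP is a hypothetical placeholder for the internal ADFS server's address.

```powershell
# Added example (not from the original post): build the ADFS proxy (WAP) with the
# prerequisite checks from Part 2 done up front. Names are the post's lab names;
# $InternalAdfsIP is a placeholder for your internal ADFS server's address.
$FederationServiceName = 'adfs.tailspintoys.ca'
$InternalAdfsIP        = '10.0.0.10'             # placeholder, change for your lab
$CrlHosts              = @('crl.microsoft.com')  # add your public CA's CRL hosts

# 1. Name resolution: the proxy must resolve the ADFS namespace to the INTERNAL
#    ADFS server, not to its own external address. A hosts file entry is the usual fix.
$resolved = (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop).IPAddress
if ($resolved -notcontains $InternalAdfsIP) {
    Write-Warning "$FederationServiceName resolves to $($resolved -join ',') here; adding hosts entry."
    Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" `
                -Value "$InternalAdfsIP`t$FederationServiceName"
}

# 2. Internal firewall: TCP 443 from the proxy to the ADFS server is all WAP needs.
#    (Inbound 443 through the external firewall is tested from outside, later.)
if (-not (Test-NetConnection -ComputerName $FederationServiceName -Port 443 -InformationLevel Quiet)) {
    throw "TCP 443 to $FederationServiceName is blocked by the internal firewall."
}
# Outbound access to the CAs' CRL distribution points, or certificate validation
# stalls (the crl.microsoft.com symptom the post mentions).
foreach ($h in $CrlHosts) {
    if (-not (Test-NetConnection -ComputerName $h -Port 80 -InformationLevel Quiet)) {
        Write-Warning "Cannot reach CRL host $h; revocation checks will time out."
    }
}

# 3. The proxy's SSL certificate must be in the machine store with its private key
#    and cover the federation service name (subject or SAN).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $FederationServiceName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $FederationServiceName with a private key found." }

# 4. Install only the Web Application Proxy role service, not the whole Remote Access role.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 5. Configure WAP. FederationServiceName is the FQDN from the ADFS properties,
#    not the display name ("Tailspintoys STS"); that mix-up is the post's main gotcha.
$trustCred = Get-Credential -Message "Account allowed to establish the proxy trust with $FederationServiceName"
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -CertificateThumbprint $cert.Thumbprint `
                            -FederationServiceTrustCredential $trustCred

# 6. Verify: service up (same name as on the ADFS server, different executable),
#    health status, and the metadata document served through the proxy.
Get-Service adfssrv | Select-Object Name, Status, StartType
Get-WebApplicationProxyHealth
$meta = Invoke-WebRequest -Uri "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml" -UseBasicParsing
if ($meta.StatusCode -ne 200) { throw 'Federation metadata not reachable through the proxy.' }
'WAP configured and serving ADFS.'
```

    Repeat the metadata and idpinitiatedsignon checks from an Internet-connected client afterwards; the script can only prove the proxy to ADFS leg from where it runs.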

    In part three we will finish this off, and instruct Office 365 to leverage the shiny ADFS infrastructure to authenticate users.

    Cheers,

    Rhoderick

    * – Not having telnet client by default always grates.  In the same way that explorer file options are always set to hide the good stuff like file extensions, system files and the ilk.

  • How To Install ADFS 2012 R2 For Office 365

    When discussing and reviewing Office 365 with customers, I wanted to have a series of posts to illustrate the steps involved when deploying Office 365.   In the burgeoning drafts folder ADFS was at the top, so that got finished first!

    The act of deploying and configuring ADFS 2012 R2 for Office 365 will be broken down into three separate blog posts.

    1. Install ADFS (this post)

    Identity, Identity, Identity

    The IT security landscape keeps evolving.  One of the recent changes is a move away from ACLs on files in the NTFS file system to an access control system that is based on claims.  Claims based authentication is an industry standard security protocol to authenticate users.  These are the underlying WS-* standards that describe the usage of Security Assertion Mark-up Language (SAML) tokens.  Claims based auth requires these tokens, and by extension an entity that can issue the token.  This is the Secure Token Service (STS).  The STS server can be based on Active Directory Federation Services (ADFS) or other platforms that provide this service.

    ADFS lights up one of the three options for Office 365 identity management, which is option #3 in the below list:

    1. Cloud Identity – users are created, and managed, in Windows Azure Active Directory (WAAD).  No connection to any other directory.  This is the simplest model as there is no integration to any other directory.  Each user has an account created in the cloud which does not synchronise anywhere else.  Note that you will still typically need additional on-premises credentials to gain access to a local workstation and local resources.
    2. Directory Synchronisation – Users are created and managed in the on-premises directory and get synchronised up to Office 365 so they can access Office 365 resources.  Typically this means running the DirSync appliance, or in some cases FIM with the Windows Azure Active Directory Connector.  The newer builds of DirSync allow for the user’s password hash to be synchronised up to Office 365.  Note this does not say clear text password.  This allows users to log on to Office 365 using the same credentials as on-premises with no additional infrastructure.
    3. Federated Identity – Federation relies on directory synchronisation so that WAAD is populated.  When the authentication request is presented to Office 365, the service will then contact the on-premises ADFS infrastructure so that AD is responsible for authenticating the request.

    ADFS is the primary choice for customers who want to use federated identities with Office 365.  In addition to this there are a variety of qualified third party identity providers that can be connected with Office 365 to provide the necessary plumbing for federation.  The shortcut URL aka.ms/SSOProviders links to the ‘Works With Office 365’ Identity program, and lists the identity providers that have been qualified with Office 365.  Please read the notes on the TechNet page with regards to the testing and support aspects of these services.

    Some customers will use these services as they do not wish to invest in a fault tolerant and geographically dispersed ADFS implementation.  The availability of ADFS is a key discussion point when discussing federation.  For whatever reason if the ADFS infrastructure is unavailable, then Office 365 cannot complete the authentication process and thus users cannot get access to Office 365.

    In addition, since DirSync now replicates the user’s hashed password to WAAD, some customers now use DirSync to provide Same Sign On / Single Sign On (SSO).  DirSync version 1.0.6385.12, which was released in May 2013, and later builds provide the ability to synchronise passwords.  DirSync can be downloaded here, and the TechNet Wiki has details on the release history.  When running the configuration wizard with this release you will get the shiny “Password Synchronization” window:

    Windows Azure Active Directory Sync Tool Enable Password Sync

    This is worthwhile to mention as there is still a perception that ADFS is a hard requirement to get SSO.  That is soooooooooooo  Q1 2013!

    Anyway, I digress let’s get back to ADFS…..

    We shall look at installing ADFS 2012 R2 since there are numerous compelling features in this release!

    What’s New And Improved In ADFS 2012 R2

    The quick answer is a lot!  Some examples include:

    • IIS dependency removed
    • Single server installation option removed; there is now only the single farm install (installing a farm was always the recommendation in prior releases anyway)
    • Separate ADFS proxy role removed.  ADFS proxy now based off Web Application Proxy (WAP), and is used to publish the ADFS server to the Internet.  WAP can publish many other applications, not just ADFS.
    • ADFS extranet lockout – ADDS account lockout protection on the ADFS proxy
    • Access control based on network location to control user authentication to ADFS

    There are many others, but check here for them since we are focussing on Office 365 usage for ADFS.

    Note that you will not see me call this release ADFS 3.0.  Its full and proper name is ADFS 2012 R2.  For reference, here are the older versions and what some folks call them:

    ADFS Build   Notes
    ADFS 1.0     Released with Windows 2003 R2.  Built into OS.
    ADFS 1.1     Released with Windows 2008 and 2008 R2.  Built into OS.
    ADFS 2.0     Released after Windows 2008 / 2008 R2.  Separate download from here.
    ADFS 2.1     Windows 2012
    ADFS 3.0     Windows 2012 R2

    Update 5-5-2014:    Please also see this post on exploring ADFS 2012 R2 Extranet Lockout protection. 

    Update 29-5-2014:  Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.

    Update 9-9-2014:    For the other posts on ADFS, please view this tag cloud.

    Planning And Prerequisites, And Other Fun Details

     

    Prerequisites

    The prerequisites are listed on TechNet.  Of course before jumping into the install the installation needs to be planned.

    ADFS Role Planning

    The ADFS role should be deployed within the corporate network, and not in the DMZ.  The ADFS proxy role is intended to be installed into the DMZ.

    The default topology for Active Directory Federation Services (AD FS) is a federation server farm, using the Windows Internal Database (WID), that consists of up to five federation servers hosting your organization’s Federation Service. In this topology, AD FS uses WID as the store for the AD FS configuration database for all federation servers that are joined to that farm. The farm replicates and maintains the Federation Service data in the configuration database across each server in the farm.

    Since the availability of Office 365 relies upon the availability of ADFS when the domain is federated there is a strong recommendation to have at least two ADFS servers with a redundant ADFS proxy infrastructure.

    Please review the design guidance on TechNet.

    ADFS Service Account

    We can now use a standard service account or a Group Managed Service Account in ADFS 2012 R2.

    In this case, since the KDS root key was not configured, let’s leverage a standard service account.

    The installation process should set the required Service Principal Names (SPN) on the account.

    ADFS Namespace

    Select what name you are to use to access ADFS.  Typically this is along the lines of:

    sts.wingtiptoys.ca

    adfs.tailspintoys.ca

    Note that this is the namespace for the ADFS service.  Since we will be using Kerberos to access ADFS internally, there must be a Service Principal Name (SPN) registered for this name.  This will be associated to the service account, and since SPNs operate in the “Highlander – there can be only one!” mode you do not want to duplicate the SPN on the ADFS server by naming the computer the same as the ADFS namespace.

    You also want to discuss what display name should be chosen, as this will be visible to users.

    Certificates

    Since ADFS leverages SSL, we need to have an SSL certificate.  You could try three options, but only one will work:

    1. Self-signed certificate
    2. Certificate issued from internal PKI
    3. Certificate from 3rd party public CA

    Office 365 needs to see a valid Service Communication Certificate on your ADFS infrastructure, so you are going to have to buy a certificate from a public CA.  Office 365 will not trust a service communication certificate that is either self-signed or from your internal CA, which results in tears.  We can use self-signed certificates for the Token Decrypting and Token Signing Certificate.  These are separate from the service communication cert.

    Please follow the documentation from your chosen CA to request, install and complete the certificate.  The steps required vary from vendor to vendor and also over time.  Make sure you are not missing any updated intermediate certificates!  How would you know?  Follow their  process!!

    For the purposes of this post we shall deploy the initial ADFS server, and in the future add another ADFS server for redundancy.

    Installing ADFS On Windows Server 2012 R2

    After starting up server manager’s add roles and features wizard, select Active Directory Federation Services, then click next. 

    ADFS 2012 R2 Role Installation

    We don’t need to add any additional features.  Remember that the IIS dependency was removed in ADFS 2012 R2.

    ADFS 2012 R2 Role Installation

    Clicking next takes us to the ADFS splash screen.  Note that it helpfully tells us that the specific ADFS proxy role has been removed in Windows 2012 R2 and how to go about installing it.  Shame I missed that the very first time I ran this, and could not find the old school ADFS Proxy role…

    ADFS 2012 R2 Role Installation

    Clicking next will then install the necessary bits.

    ADFS 2012 R2 Role Installation Confirmation

    Bits are being shuffled around…

    ADFS 2012 R2 Role Installation In Progress

    Shuffling has been completed, and the installation is complete.   You can launch the ADFS configuration wizard from here, or alternatively if this window is closed it can be launched from server manager.

    ADFS 2012 R2 Install Role

    Before starting the ADFS configuration wizard I already installed my 3rd party certificate and tested that it was correctly installed.

    Additionally a service account called ADFS-Service was also pre-created.

    The wizard also states that you must have access to Domain Admin (DA) credentials!

    Note that you are only given an option to either make a new ADFS farm or add this box to an existing farm.  This saves the painful issue from older ADFS builds, where if ADFS was not installed into a farm you were then unable to easily add a second ADFS server for redundancy.

    ADFS 2012 R2 Install Welcome Screen

    Provide your domain admin credentials.

    ADFS 2012 R2 Install Connect To AD

    We need to select the SSL certificate that we will use and also provide the ADFS name we selected in the design process.

    In this case the name is adfs.tailspintoys.ca.  Note that there is no concept of an InternalURL or ExternalURL for the ADFS namespace.  Clients will use the same name on the intranet and internet to locate ADFS.  Thus split DNS will make life simple!

    Provide your chosen display name, and click next.

    ADFS 2012 R2 Install Specify Service Properties

    As mentioned earlier it is possible to use a GMSA as the ADFS service account.  GMSA will automatically update the service account’s credentials and administrators will also be oblivious as to its password.

    In this case a standard service account was used.

    ADFS 2012 R2 Install Specify Service Account

    Select the database configuration as per the design.

    The Tailspintoys corporation will use WID.

    ADFS 2012 R2 Install Specify Database

    Review the options, and when happy pull the trigger!

    ADFS 2012 R2 Install Review Options

    For reference the PowerShell script is shown here:

    #
    # Windows PowerShell script for AD FS Deployment
    #

    Import-Module ADFS

    # Get the credential used for the federation service account
    $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

    Install-AdfsFarm `
    -CertificateThumbprint:"5804746A7980C8682FBF408D48EF6C3B02A5ZORG" `
    -FederationServiceDisplayName:"Tailspintoys STS" `
    -FederationServiceName:"adfs.Tailspintoys.ca" `
    -ServiceAccountCredential:$serviceAccountCredential

     

    The ADFS pre-requisite checks are done, and we can proceed to the configuration:

    ADFS 2012 R2 Install Pre-Requisite Checks Completed

    One coffee later, we have a shiny new ADFS server – whoo!!

    ADFS 2012 R2 Installation Completed

    We are not quite done yet, and there are a couple of additional things to do!

     

    Next Steps

     

    ADFS Update(s)

    Update 29-5-2014:  Please also review update 2948086 Update that improves AD FS proxy and STS reliability in Windows Server 2012 R2 when multiple clients sign in.

    Update 11-12-2014:  The above update 2948086 is now bundled in this rollup: May 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

    Update 16-7-2014:  Other updates you may want to review are at the bottom of this post.

    When multiple clients (over 200 clients) try to sign in by using an Active Directory Federation Services (AD FS) proxy, the AD FS proxy consumes 100% usage of the CPU. In this situation, the AD FS proxy performance is slow, and causes a delay that exceeds 10 seconds. This also causes STS to work under minimal load. Therefore, STS rejects the requests or serves only 5 to 10 requests per second.

     

    DNS A Record

    We must create the DNS record for the ADFS instance.  This maps to the ADFS namespace that we previously planned.  Create this A record in your internal DNS infrastructure.

    Once the DNS record has been created and propagated, ensure that it resolves correctly.

    One thing to mention here: if you create a CNAME and point it to the server hosting ADFS, chances are that you will run into a never-ending authentication prompt situation.

    In the below example the ADFS namespace is called adfs.tailspintoys.ca and a CNAME was used to direct traffic to the ADFS server called tail-ca-sts.tailspintoys.ca.  This will likely cause the client to obtain a Kerberos ticket for the incorrect name.

    ADFS Name Resolution Using DNS CNAME Record

    The easiest way to stop this is to use a regular A record, like so:

    ADFS Name Resolution Using DNS A Record

    There is also an option contained in KB 911149 that some folks have mentioned.
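    The two checks this section and the earlier ADFS Namespace section call for, as an added example that is not part of the original post: is the ADFS name an A record rather than a CNAME, and is its HOST SPN registered exactly once, on the service account and not on a computer account? The names adfs.tailspintoys.ca and ADFS-Service are the post's example values; the functions are this example's own and assume the RSAT Active Directory module is installed.

```powershell
# Added example, not from the original post. Requires the RSAT AD module.
Import-Module ActiveDirectory

$FederationServiceName = 'adfs.tailspintoys.ca'   # ADFS namespace from the design
$ServiceAccount        = 'ADFS-Service'           # sAMAccountName of the service account

function Test-AdfsDnsRecord {
    param([string]$Name)
    # Resolve-DnsName returns the CNAME record as well as the target's A record
    # when the name is an alias, which is exactly the case we want to catch.
    $records = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
    $cname   = $records | Where-Object { $_.Type -eq 'CNAME' }
    if ($cname) {
        $msg = '{0} is a CNAME to {1}: clients will request a Kerberos ticket for the target name, not the ADFS name. Replace it with an A record.' -f $Name, $cname.NameHost
        Write-Warning $msg
        return $false
    }
    $records | Where-Object { $_.Type -eq 'A' } | ForEach-Object {
        Write-Host "OK: $Name resolves via an A record to $($_.IPAddress)"
    }
    return $true
}

function Test-AdfsSpn {
    param([string]$Name, [string]$Account)
    # ADFS is reached as HOST/<federation service name>; there must be one holder.
    $spn     = "HOST/$Name"
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    if ($holders.Count -eq 0) {
        Write-Warning "$spn is not registered on any account; Kerberos to ADFS will fail or fall back to NTLM."
        return $false
    }
    if ($holders.Count -gt 1) {
        Write-Warning "$spn is a duplicate SPN, registered on: $($holders.sAMAccountName -join ', ')"
        return $false
    }
    $holder = $holders[0]
    if ($holder.ObjectClass -eq 'computer') {
        Write-Warning "$spn sits on computer account $($holder.sAMAccountName), not on the service account (was the server named after the ADFS namespace?)."
        return $false
    }
    if ($holder.sAMAccountName -ne $Account) {
        Write-Warning "$spn is registered on $($holder.sAMAccountName), expected $Account."
        return $false
    }
    Write-Host "OK: $spn is registered once, on $($holder.sAMAccountName)"
    return $true
}

$dnsOk = Test-AdfsDnsRecord -Name $FederationServiceName
$spnOk = Test-AdfsSpn -Name $FederationServiceName -Account $ServiceAccount
if ($dnsOk -and $spnOk) { Write-Host 'ADFS name resolution and SPN look correct.' }
```

    The SPN half is what `setspn -Q HOST/adfs.tailspintoys.ca` shows interactively; the script form just makes the "exactly one holder, and it is the service account" rule explicit so it can be re-run after adding the second farm member.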

     

    Additional Steps

    This topic covers additional steps to configure AD FS after you install the first federation server, including:

    For more information about how to deploy AD FS, see How to deploy AD FS in Windows Server 2012 R2.

     

    Verify Federation Service Metadata

    Open Internet Explorer and navigate to your ADFS server’s federation metadata URL.

    This will be something like the below, just change the FQDN to match your environment.

    https://adfs.tailspintoys.ca/federationmetadata/2007-06/federationmetadata.xml

    https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml

    The result should show this:

    Testing ADFS Federation Metadata
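    Opening the metadata URL in a browser proves the page loads; the following added example (this post's own code is not involved) checks the parts that matter for Office 365: the service communication certificate presented on port 443, whether its chain builds cleanly and which root it ends in, and the token-signing and token-encrypting certificates advertised in the metadata, which may legitimately be self-signed. It assumes adfs.tailspintoys.ca as the federation service name and the standard metadata path shown above.

```powershell
# Added example, not from the original post. Assumed name: adfs.tailspintoys.ca.
$FederationServiceName = 'adfs.tailspintoys.ca'
$MetadataUrl = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"

function Get-ServiceCommunicationCertificate {
    param([string]$HostName)
    # Accept any certificate in the handshake callback but remember the policy
    # errors, so a broken chain still produces a report instead of an exception.
    $script:tlsErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:tlsErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

function Test-ServiceCommunicationCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($Certificate)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Subject : $($Certificate.Subject)"
    Write-Host "Issuer  : $($Certificate.Issuer)"
    Write-Host "Expires : $($Certificate.NotAfter)"
    Write-Host "Root    : $($root.Subject)"
    # PartialChain here usually means an intermediate is missing on the server.
    if (-not $built) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) $($_.StatusInformation)" }
    }
    if ($script:tlsErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Warning "TLS policy errors (name mismatch or untrusted chain): $script:tlsErrors"
    }
    # The chain only proves trust from THIS machine. A self-signed or internal-CA
    # cert can pass here if the root is installed locally; Office 365 would still
    # reject it, so check that the root printed above is a public CA.
    return ($built -and $script:tlsErrors -eq [System.Net.Security.SslPolicyErrors]::None)
}

function Get-FederationMetadataCertificates {
    param([string]$Url)
    [xml]$md = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $nsm = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $nsm.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $nsm.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    Write-Host "entityID: $($md.DocumentElement.GetAttribute('entityID'))"
    # Each KeyDescriptor carries a base64 DER certificate and a use of
    # "signing" or "encryption"; these are the token certs, not the SSL cert.
    foreach ($kd in $md.SelectNodes('//md:KeyDescriptor', $nsm)) {
        $bytes = [Convert]::FromBase64String($kd.SelectSingleNode('.//ds:X509Certificate', $nsm).InnerText)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$bytes)
        [pscustomobject]@{
            Use        = $kd.GetAttribute('use')
            Role       = $kd.ParentNode.LocalName
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
        }
    }
}

$scc = Get-ServiceCommunicationCertificate -HostName $FederationServiceName
$ok  = Test-ServiceCommunicationCertificate -Certificate $scc
Get-FederationMetadataCertificates -Url $MetadataUrl | Sort-Object Use, NotAfter | Format-Table -AutoSize
```

    The token certificate list should match what `Get-AdfsCertificate` shows on the server itself; a difference means the metadata Office 365 will read is not what the farm is actually signing with. Run the chain check from a machine that does not trust your internal PKI, otherwise an internal-CA service communication certificate passes locally and still fails in Office 365.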

     

    Verify ADFS Sign-In Page

    Browse to the ADFS sign-in page and test that you are able to authenticate.

    The URL will be similar to the below, again change the FQDN to match your organisation’s.

    https://adfs.tailspintoys.ca/adfs/ls/idpinitiatedsignon.htm

    https://sts.contoso.com/adfs/ls/idpinitiatedsignon.htm


    You should see the below, and be prompted to sign in:

    ADFS 2012 R2 Sign-In Page

    Depending upon how IE is configured you will either be prompted to provide credentials or be automatically signed in.

    If you want to have users be automatically signed in then configure your browser settings to trust the federation server role by adding your federation service name (for example, https://adfs.tailspintoys.ca) to the browser’s local intranet zone. This will enable seamless sign-in using Windows Integrated Authentication.

    ADFS 2012 R2 Enabling Automatic Sign-in For Local Intranet Zone
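    The zone assignment described above, done for the current user from PowerShell and read back, as an added example rather than anything from the original post. It assumes adfs.tailspintoys.ca and writes the same ZoneMap\Domains registry entry the Internet Options dialog writes; the split of the name into domain and host keys is this example's own helper.

```powershell
# Added example, not from the original post. Assumed name: adfs.tailspintoys.ca.
# ZoneMap zone ids: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted.
$FederationServiceName = 'adfs.tailspintoys.ca'
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$LocalIntranet  = 1

function Split-ZoneMapName {
    # ZoneMap keys are <domain>\<host>: adfs.tailspintoys.ca -> tailspintoys.ca\adfs.
    # Assumes a two-label registrable domain; a name under a suffix such as co.uk
    # needs the Domain part adjusted by hand.
    param([string]$Name)
    $labels = $Name.Split('.')
    if ($labels.Count -lt 3) { throw "Expected host.domain.tld, got '$Name'" }
    [pscustomobject]@{
        Domain = ($labels[-2..-1] -join '.')
        Host   = ($labels[0..($labels.Count - 3)] -join '.')
    }
}

function Get-ZoneMapKey {
    param([string]$Name)
    $parts = Split-ZoneMapName -Name $Name
    Join-Path (Join-Path $ZoneMapDomains $parts.Domain) $parts.Host
}

function Set-LocalIntranetSite {
    param([string]$Name)
    $key = Get-ZoneMapKey -Name $Name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Only the https scheme is mapped, so a plain http URL to the same name is
    # not silently sent Windows credentials.
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value $LocalIntranet -Force | Out-Null
}

function Get-SiteZone {
    param([string]$Name)
    $key = Get-ZoneMapKey -Name $Name
    if (Test-Path $key) { (Get-ItemProperty -Path $key).https } else { $null }
}

Set-LocalIntranetSite -Name $FederationServiceName
$zone = Get-SiteZone -Name $FederationServiceName
if ($zone -eq $LocalIntranet) {
    Write-Host "OK: https://$FederationServiceName is in the Local intranet zone"
} else {
    Write-Warning "https://$FederationServiceName is in zone '$zone', not Local intranet"
}
```

    For a fleet of workstations the same mapping is pushed with the "Site to Zone Assignment List" Group Policy setting rather than per-user registry writes. If the page still shows the forms sign-in from the intranet after this, check the ADFS side as well: ADFS 2012 R2 only offers Windows Integrated Authentication to browsers whose user agent matches `(Get-AdfsProperties).WIASupportedUserAgents`.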

     

    Once we are happy that the ADFS instance is functioning appropriately we can then move onto installing the ADFS proxy role.

    This will be covered in a separate post, to prevent this one getting too long!

     

    Cheers,

    Rhoderick

  • Exchange 2013 SP1 Architecture Poster

    In the smelly MEC 2014 man purse, there was a shiny Exchange 2013 SP1 architecture poster.  The MEC attendees were the first ones to get the update to the older Exchange 2013 RTM poster, which is now published for everyone! 

    I created a deep zoom of the poster so that it is easy to scroll around on phones and tablet devices.  Click the toggle button at the bottom right hand corner to enter full screen mode. 

    Use This Control Box In the Zoom Poster To Navigate

    Use these controls to zoom in on touch devices rather than the native pinch zoom, else the text will not be readable as you will not be zooming, just stretching the currently rendered image.  If you have a mouse and scroll wheel that can also be used to zoom in and out.  Pressing ‘Esc’ will exit the zoom, and return to the blog.

    You can also directly download the Exchange 2013 SP1 poster from the Microsoft Download Center.

    The Exchange architecture posters have been a very popular wallpaper choice for messaging engineers to adorn their cubicle walls with!  Over the years there have been multiple iterations of the poster, and for reference the older ones are here: 

    Cheers,

    Rhoderick

  • Exchange 2013 Tip Of The Day – 76 To 93

    The other Exchange 2013 tips of the day posts can be found here:

    Exchange 2013 Tip Of The Day – 1   To 25

    Exchange 2013 Tip Of The Day – 26 To 50

    Exchange 2013 Tip Of The Day – 51 To 75

    To obtain the listing below, the following command was used:

    $Int = 76;While ($Int -le 100){Get-Tip $Int;  Write-Host; $Int+=1}

     

    Tip of the day #76:

    To get a list of all parameters available for a cmdlet, type:

    (Get-Command <Cmdlet Name>).Parameters | ft key

    For example, to get all parameters for the New-TransportRule cmdlet, type:

    (Get-Command New-TransportRule).Parameters | ft key

    Tip of the day #77:

    Did you know that you need to use the AssembleMessage script when exporting messages from a queue? For example, if you want to export the message with message ID 1234 from the contoso.com queue on server Mailbox1, you need to run the following command:

    Export-Message -Identity Mailbox1\contoso.com\1234 | AssembleMessage -Path "C:\ExportedMessages\Message1234.eml"

    Tip of the day #78:

    Wondering how many log files are generated per server every minute? Quickly find out by typing:

    Get-MailboxDatabase -Server <Mailbox Server Name> | ?{ %{$_.DatabaseCopies | ?{$_.ReplayLagTime -ne [TimeSpan]::Zero -And $_.HostServerName -eq $env:ComputerName} } } | %{ $count = 0; $MinT = [DateTime]::MaxValue; $MaxT = [DateTime]::MinValue; Get-ChildItem -Path $_.LogFolderPath -Filter "*????.log" | %{ $count = $count + 1; if($_.LastWriteTime -gt $MaxT){ $MaxT = $_.LastWriteTime}; if($_.LastWriteTime -lt $MinT){ $MinT= $_.LastWriteTime} }; ($count / ($MaxT.Subtract($MinT)).TotalMinutes) } | Measure-Object -Min -Max -Ave

    Tip of the day #79:

    Wondering how many log files are generated per database every minute? Quickly find out by typing:

    Get-MailboxDatabase -Server <Mailbox Server Name> | %{ Get-ChildItem -Path $_.LogFolderPath -Filter "*????.log" | Group-Object -Property {$_.LastWriteTime.Day,$_.LastWriteTime.Hour,$_.LastWriteTime.minute} | ?{$_.Count -gt 1} | Measure-Object -Property Count -Min -Max -Ave }

    Tip of the day #80:

    Get quick health and status information for your mailbox database copies by typing:

    Get-DatabaseAvailabilityGroup DAG1 | %{ $_.Servers | %{ Get-MailboxDatabaseCopyStatus -Server $_ } }

    Tip of the day #81:

    Did you know that you can share your calendar and contacts folders with other federated Exchange 2013 organizations by first creating a federation trust with the Microsoft Federation Gateway with a valid digital certificate? Just use the New-FederationTrust cmdlet and the certificate thumbprint to get started. Type:

    New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint <certificate thumbprint>

    Finish by setting up an organization relationship with another federated Exchange organization to share limited calendar free/busy information. Type:

    Get-FederationInformation -DomainName <other domain name> | New-OrganizationRelationship -Name "<name of relationship>" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

    Tip of the day #82:

    Need to quickly get a list of your Exchange certificates and their thumbprints? Just use the Get-ExchangeCertificate cmdlet. Type:

    Get-ExchangeCertificate | fl

    Want to filter the list and include just the self-signed certificates? No problem! Type:

    Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $true} | fl

    Tip of the day #83:

    Not sure your federation trust with the Microsoft Federation Gateway is working correctly? To test if a security token can be retrieved, just type:

    Test-FederationTrust

    Tip of the day #84:

    Need a report on the status of each Exchange certificate installed on all Mailbox and Client Access servers? Try this:

    Test-FederationTrustCertificate

    Tip of the day #85:

    Need to verify that an organization relationship is correctly configured and functioning as expected for a user in an external Exchange organization? Just type:

    Test-OrganizationRelationship -UserIdentity <user email address> -Identity <external domain> -Confirm

    Tip of the day #86:

    Use this command to get all active mailbox move requests on a mailbox server:

    $(Get-MailboxDatabaseCopyStatus -Server MBX | ?{ $_.status -eq "Mounted" }) | %{ Get-MoveRequest -TargetDatabase $_.DatabaseName } | ?{ $_.Status -ne "Completed" -and $_.Status -ne "CompletedWithWarning" }

    Tip of the day #87:

    Use this command to find all non-completed move requests and group them by target database:

    Get-MoveRequest | ?{ $_.Status -ne "Completed" -and $_.Status -ne "CompletedWithWarning" } | group targetdatabase | sort Count -Descending

    Tip of the day #88:

    Use this command to find failure messages for all failed moves:

    Get-MoveRequest -MoveStatus Failed | Get-MoveRequestStatistics | ft Alias, percentcomplete, message -auto

    Tip of the day #89:

    Use these commands to get a snapshot of the move throughput for completed moves.

    $stats = Get-MoveRequest -MoveStatus Completed | Get-MoveRequestStatistics
    $stats | sort totalmailboxsize | ft Alias,{$_.totalmailboxsize.ToMB()},totalinprogressduration -auto

    Tip of the day #90:

    Use this command to view how many move requests are in the queue to be moved:

    (Get-MoveRequest -MoveStatus Queued).count

    Tip of the day #91:

    Use this command to find all mailbox move requests for mailboxes on the active mailbox database copies that are hosted on the specified mailbox server. This command returns the display name, status of the move request, and the database to which the mailbox is being moved.

    $(Get-MailboxDatabaseCopyStatus -Server MBX01 | ?{ $_.status -eq "Mounted" }) | %{ Get-MoveRequest -TargetDatabase $_.DatabaseName }

    Tip of the day #92:

    Need to see a list of the URLs for a user's calendar that has been published for Internet access? Just type:

    Get-MailboxCalendarFolder -Identity <user alias>:\calendar | fl

    Tip of the day #93:

    Did you know that you can download and integrate the latest version of Help for all cmdlets on the local Exchange server? Type:

    Update-ExchangeHelp

    You need to run this command on each Exchange server to get updated Help.

    Cheers,

    Rhoderick

  • Office 2010 SP2– Do You Need To Upgrade?

     

    Now that the Windows XP, Office 2003 and Exchange 2010 SP2 support expiration date has come and gone, the world is still turning and we are not in a state of Armageddon! *

    That said, focus now needs to be on Office 2010 as it is 6 months until support ends for Office 2010 SP1 on the 14th of October 2014.  At that point all Office 2010 installations need to be on SP2.  This is detailed in the notes column below, since support ends 12 months after the next service pack releases or at the end of the product’s support lifecycle, whichever comes first.

    Office 2010 Support Lifecycle Support Dates

    The Microsoft support lifecycle site has the above details.

    Office 2010 RTM support previously ended on the 10th of July 2012.  If we look at the Office 2010 cumulative update for December 2013, specifically the Description of the Outlook 2010 hotfix package (Outlook-x-none.msp) we can see the platforms that the update supports.  Please note that SP1 and SP2 are valid prerequisites for this update.

    December 2013 Outlook Cumulative Update - For Outlook 2010 SP1 and SP2

    Outlook 2010 RTM is not listed as it was not a supported version at the time the update was released.


    Is This Important?

    In a single word: yes.

    If you want to continue to receive security updates for your Office 2010 clients then you need to be at the correct level to get updates.  Once Office 2010 SP1 has transitioned out of support then updates will not be available to that build of the client.  There are lots of other great reasons to keep Outlook updated!  There has been a lot of work to improve the client with recent updates for both on-premises and O365 scenarios.  You will only benefit from that work if you install the updates!

    While we are discussing Outlook 2010 specifically here, the same holds true for all products covered with the Microsoft support lifecycle.  Please sign up for the Microsoft Support Lifecycle Quarterly Update Newsletter to stay abreast of supportability dates and ensure you get the support you deserve!

    Cheers,

    Rhoderick

    *Armageddon was the first DVD that I bought back in 1999, and can remember having to shell out for not just the DVD player but also the hardware decoder card since a Pentium 200 did not really have the juice to render the video!

  • Exchange 2013 Tip Of The Day – 51 To 75

    The other Exchange 2013 tips of the day posts can be found here:

    Exchange 2013 Tip Of The Day – 1   To 25

    Exchange 2013 Tip Of The Day – 26 To 50

    Exchange 2013 Tip of The Day – 76 To 93

     

    To obtain the listing below, the following command was used:

    $Int = 51;While ($Int -le 75){Get-Tip $Int;  Write-Host; $Int+=1}

     

     

    Tip of the day #51:

    Want to know what permissions an Active Directory user account has on a specific mailbox? Use:

    Get-Mailbox <Mailbox to Check> | Get-MailboxPermission -User <Active Directory User>

     

    Tip of the day #52:

    Want to know which mailboxes a specific Active Directory user has permissions to? Type:

    $Mailboxes = Get-Mailbox -ResultSize Unlimited    
    $Mailboxes | Get-MailboxPermission -User <Active Directory User> | Format-Table Identity, AccessRights, Deny

    Caution: This command enumerates all the mailboxes in your organization. If you have lots of mailboxes, you may want to target specific mailboxes.
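    Tips #51 and #52 answer one user or one mailbox at a time; the added example below (not part of the tips) turns the same cmdlets into a review of every explicit mailbox grant in the organization, or in a targeted set as the caution suggests. It reports grants to anyone other than the mailbox owner and separates out entries whose trustee no longer resolves, which show up as raw SIDs left behind by deleted accounts. The function and the output path are this example's own.

```powershell
# Added example, not from the Exchange tips. Run in the Exchange Management Shell.
function Get-ExplicitMailboxGrants {
    param(
        # Pass a filtered set (e.g. Get-Mailbox -OrganizationalUnit Finance) to keep
        # the run small in a large organization; defaults to every mailbox.
        [object[]]$Mailboxes = (Get-Mailbox -ResultSize Unlimited)
    )
    foreach ($mbx in $Mailboxes) {
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                # Inherited entries are the Exchange system ACEs (Exchange Servers,
                # Exchange Trusted Subsystem, ...); SELF is the owner; Deny ACEs
                # take nothing away from the review question "who else can read this".
                -not $_.IsInherited -and -not $_.Deny -and ([string]$_.User -ne 'NT AUTHORITY\SELF')
            } |
            ForEach-Object {
                $trustee = [string]$_.User
                [pscustomobject]@{
                    Mailbox      = [string]$mbx.PrimarySmtpAddress
                    Trustee      = $trustee
                    AccessRights = ($_.AccessRights -join ',')
                    # A trustee that cannot be resolved is returned as its SID string.
                    Orphaned     = ($trustee -like 'S-1-5-21-*')
                }
            }
    }
}

$grants = Get-ExplicitMailboxGrants

# Live grants, grouped so that one account holding FullAccess on many mailboxes stands out.
$grants | Where-Object { -not $_.Orphaned } |
    Sort-Object Trustee, Mailbox |
    Format-Table Trustee, Mailbox, AccessRights -AutoSize

# Orphaned ACEs are clutter at best; export them for clean-up with Remove-MailboxPermission.
$grants | Where-Object { $_.Orphaned } |
    Export-Csv -Path .\OrphanedMailboxPermissions.csv -NoTypeInformation
```

    Get-MailboxPermission only covers the mailbox ACL (FullAccess and friends). Send-As is an extended right on the AD object and needs a separate pass with Get-ADPermission, and Send-On-Behalf lives in the GrantSendOnBehalfTo property of the mailbox itself.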

     

    Tip of the day #53:

    Want to get a list of the backup status of all mailbox databases in your organization? Type:

    Get-MailboxDatabase -Status | Format-Table Name, Server, *Backup*

    How about just the mailbox databases on a specific server? Type:

    $Databases = Get-MailboxDatabase -Server <Server Name> -Status    
    $Databases | Format-Table Name, *Backup*

     

    Tip of the day #54:

    To retrieve the current status of an Exchange server or database, use the Status parameter. For example:

    Get-ExchangeServer -Status | Format-List    
    Get-MailboxDatabase -Server <Server Name> -Status | Format-List

     

    Tip of the day #55:

    Want to view the mounted status of all mailbox databases? Type:

    Get-MailboxDatabase -Status | Format-Table Name, Server, Mounted

     

    Tip of the day #56:

    What's the difference between server-side filtering and client-side filtering? Server-side filtering is used with the recipient and queue cmdlets, which support the Filter parameter, because these cmdlets can return large result sets. The server filters the results by using the criteria you specify and then sends you the filtered results. Client-side filtering can be used with any cmdlet. The entire result set is sent to the client computer, which then filters the data and provides a filtered result set. Client-side filtering uses the Where-Object cmdlet, which can be shortened to Where.

     

    Tip of the day #57:

    With Exchange 2013 Unified Messaging, you can redirect unauthenticated callers to certain telephone extensions to an operator instead of to the extension that was dialed. To list users for whom Unified Messaging transfers unauthenticated callers to the operator, instead of to the user, type:

    $Mailboxes = Get-UMMailbox    
    $Mailboxes | Where-Object { $_.AllowUMCallsFromNonUsers -eq [Microsoft.Exchange.Data.Directory.Recipient.AllowUMCallsFromNonUsersFlags] "None" }

     

    Tip of the day #58:

    You can use client-side filtering to return only the data that you want to see or work with. The following example retrieves all Active Directory user accounts in the Engineering department and puts the results in a table with two columns, Name and Department. By using the ResultSize parameter, the Get-User cmdlet limits the result set to 2,000 users.

    $Users = Get-User -ResultSize 2000
    $Users | Where { $_.Department -Eq "Engineering" } | Format-Table Name, Department

     

    Tip of the day #59:

    The special variable $_ represents the objects being passed from one cmdlet to another cmdlet in the pipeline. The $_ variable is automatically initiated by the Shell and is bound to the current pipeline object. You can access the properties of the object assigned to the $_ variable as you would any other object. The following example shows how you can view the Name property of each mailbox object that is passed through the pipeline:

    Get-Mailbox | ForEach { $_.Name }

     

    Tip of the day #60:

    You can import CSV files and treat them as objects by using the Import-Csv cmdlet. Each row in a CSV file becomes an element in an array, and each column becomes a property. You can assign the CSV file to a variable, or you can pipe its contents directly to another cmdlet. In the following example, there are three columns in the CSV file, Name, Alias, and EmailAddress, with several rows that the ForEach cmdlet will cycle through. The data in each row is used to create a new mail contact.

    $CSV = Import-Csv -Path <path to CSV file>
    $CSV | ForEach { New-MailContact -Name $_.Name -Alias $_.Alias -ExternalEmailAddress $_.EmailAddress -OrganizationalUnit Users }

     

    Tip of the day #61:

    Want to customize your Exchange Management Shell profile? Run the following command to determine the location of your Microsoft.PowerShell_profile.ps1 file:

    $Profile

    You may have to create the PSConfiguration folder and Microsoft.PowerShell_profile.ps1 file. After you've done that, you can add your favorite functions and aliases, which will be loaded every time that the Exchange Management Shell is opened.

     

    Tip of the day #62:

    Want to see everything that occurs when you run a command? Include the Verbose parameter with the command. This parameter instructs the Exchange Management Shell to display detailed information about each action that the server takes to complete the command. This information can be useful in troubleshooting.

     

    Tip of the day #63:

    Any cmdlet that accepts a size value lets you specify whether the integer value is in kilobytes (KB), megabytes (MB), gigabytes (GB), or terabytes (TB). For example:

    Set-Mailbox "Kim Akers" -ProhibitSendQuota 200MB -UseDatabaseQuotaDefaults $False

     

    Tip of the day #64:

    Want to create a new role group for your administrators? Use the New-RoleGroup cmdlet. The New-RoleGroup cmdlet lets you add management roles and specify the members to add to the new role group. Those members will be granted the permissions provided by the management roles. Type:

    New-RoleGroup <role group name> -Roles <role 1>, <role 2>, <role 3...> -Members <member 1>, <member 2>, <member3...>

    Remember, role groups are used to grant permissions to groups of administrators or specialist end users who require special permissions. If you want to manage permissions for end users, use management role assignment policies.

     

    Tip of the day #65:

    Do you want to create a new management role assignment policy that's based on an existing policy, but you don't want to include all the management roles? Use the Get-ManagementRoleAssignment cmdlet and pipe the results to the Where cmdlet. The Where cmdlet excludes any role assignments that contain the roles you specify. The remaining role assignments are piped to the New-ManagementRoleAssignment cmdlet. Type:

    New-RoleAssignmentPolicy <new role assignment policy name>
    Get-ManagementRoleAssignment -RoleAssignee <old role assignment policy name> | Where { ($_.Role -NE "<role name 1>") -And ($_.Role -NE "<role name 2>") } | New-ManagementRoleAssignment -Policy <new role assignment policy name>


    The Where statement is case-sensitive.

    Then you can apply the new policy to a mailbox using the Set-Mailbox cmdlet:

    Set-Mailbox <mailbox name> -RoleAssignmentPolicy <new role assignment policy name>

     

    Tip of the day #66:

    Do you want to remove a management role from a role group, role assignment policy, USG, or user but don't know the name of the management role assignment? Just find the role assignment with the Get-ManagementRoleAssignment cmdlet and pipe the results to the Remove-ManagementRoleAssignment cmdlet. Type:

    Get-ManagementRoleAssignment -RoleAssignee <role assignee name> -Role <role name> | Remove-ManagementRoleAssignment

     

    Tip of the day #67:

    Exchange 2013 uses management role groups and management role assignment policies to manage permissions. Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons. Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

     

    Tip of the day #68:

    Exchange 2013 uses management role groups and management role assignment policies to manage permissions. Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.  Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

     

    Tip of the day #69:

    Exchange 2013 uses management role groups and management role assignment policies to manage permissions.  Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.  Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

     

    Tip of the day #70:

    Exchange 2013 uses management role groups and management role assignment policies to manage permissions.  Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons. Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

     

    Tip of the day #71:

    Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons. If you want to manage permissions for end users, use management role assignment policies.

     

    Tip of the day #72:

    Management role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more. If you want to manage permissions for administrators and specialist users, use management role groups.

     

    Tip of the day #73:

    Management role assignments determine what management roles are associated with management role groups and management role assignment policies. Role assignments also control what objects users who are members of role groups or assignment policies can modify using the cmdlets available on the associated management roles.

     

    Tip of the day #74:

    The Get-RoleGroupMember cmdlet lists all the members on a management role group. But if you want to get more details about the members of the role group, use the Get-ManagementRoleAssignment cmdlet. The Get-ManagementRoleAssignment cmdlet enables you to view the members of universal security groups that are members of role groups, view the management scope that applies, and more.
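    Tips #64 to #74 describe the RBAC model; the added example below (this is not one of the tips) applies tip #74's advice to the question a reviewer actually asks: who can effectively read or export other people's mail? It uses the built-in Exchange 2013 role names, but which roles count as sensitive is this example's own choice, and -GetEffectiveUsers is what expands role groups and nested universal security groups down to individual users.

```powershell
# Added example, not from the Exchange tips. Run in the Exchange Management Shell.
# Built-in roles that give access to mailbox content beyond the caller's own.
$SensitiveRoles = 'Mailbox Import Export', 'Mailbox Search', 'ApplicationImpersonation', 'Legal Hold'

function Get-SensitiveRoleHolders {
    param([string[]]$Roles = $SensitiveRoles)
    foreach ($role in $Roles) {
        # Without -GetEffectiveUsers a group assignee is reported as a single row;
        # with it, every user reached through the group (including nested USGs) is listed.
        Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
            Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
            ForEach-Object {
                [pscustomobject]@{
                    Role          = [string]$_.Role
                    AssignedTo    = [string]$_.RoleAssigneeName
                    AssigneeType  = [string]$_.RoleAssigneeType
                    EffectiveUser = [string]$_.EffectiveUserName
                    # A custom write scope narrows the assignment to part of the
                    # organization; no custom scope means the implicit (usually org-wide) one.
                    WriteScope    = $(if ($_.CustomRecipientWriteScope) { [string]$_.CustomRecipientWriteScope } else { [string]$_.RecipientWriteScope })
                }
            }
    }
}

$holders = Get-SensitiveRoleHolders
$holders | Sort-Object Role, EffectiveUser | Format-Table -AutoSize

# Anyone reaching a sensitive role through a direct user assignment (rather than a
# role group) bypasses the group's membership review: list those separately.
$holders | Where-Object { $_.AssigneeType -eq 'User' } |
    Format-Table Role, EffectiveUser, WriteScope -AutoSize
```

    Compare the EffectiveUser column with Get-RoleGroupMember for the same role groups: a user who holds the role through a universal security group nested in a role group appears only in the former, which is the gap tip #74 is pointing at.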

     

    Tip of the day #75:

    Do you need to store a value in a variable in a script and make sure it never changes? If so, make the variable a constant using the New-Variable cmdlet. Constants can be set once and don't allow their values to be changed. For example, the following creates the $IPAddress constant with the value 10.0.0.2.

    New-Variable -Option Constant -Name IPAddress -Value "10.0.0.2"

     

     


    Cheers,

    Rhoderick

  • End Of Exchange 2010 SP2 Support

    Time flies and we are now at the end of the Exchange 2010 SP2 support lifecycle. And as previously discussed Windows XP and Office 2003 left extended support yesterday.   It seems like only yesterday when Exchange 2010 SP2 was released in November 2011, 

    The support lifecycle marker is the Exchange 2010 Service Pack.  Exchange 2010 Rollup Updates (RU) are not milestones in the support lifecycle.  So regardless of whether you have Exchange 2010 SP2 RU 8 installed, that build of Exchange 2010 will no longer receive security updates and code updates.  To receive the support you are entitled to, please ensure that all your Exchange 2010 servers have SP3 installed.  Ideally they will have a recent RU installed as well.  At the time of writing this should be Exchange 2010 SP3 RU4 or RU5 since there is a security issue resolved in Exchange 2010 SP3 RU4. 

    One note on EdgeSync and reported Exchange version information.  If you do have Exchange 2010 Edge servers installed, and EdgeSync is configured, then after installing Exchange 2010 SP3 onto the Edge servers you will not see the version information change when you run Get-ExchangeServer on the internal Exchange servers.  This is because the version information is only written when EdgeSync is configured.  To increment the version information in the internal AD, please re-subscribe the Edge servers. 

    Please review the lifecycle chart here for full details.

    Exchange 2010 Support Lifecycle Matrix

    So at this point please ensure that you are on SP3. 
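    A quick way to find any server still below SP3, as an added example that is not from the post: AdminDisplayVersion carries the build as Major.Minor.Build.Revision, and Exchange 2010 SP3 is build 14.3.123.4 (confirm that against the published Exchange build number table before relying on it). The Edge caveat described above is carried into the report, since an Edge server's version in AD is only as fresh as its last EdgeSync subscription.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Exchange 2010 SP3 build; verify against the official build number table.
$Exchange2010Sp3 = New-Object System.Version(14, 3, 123, 4)

function Get-Exchange2010BuildReport {
    Get-ExchangeServer |
        Where-Object { $_.AdminDisplayVersion.Major -eq 14 } |    # 14.x is Exchange 2010
        ForEach-Object {
            $v     = $_.AdminDisplayVersion
            $build = New-Object System.Version($v.Major, $v.Minor, $v.Build, $v.Revision)
            [pscustomobject]@{
                Name         = $_.Name
                Roles        = [string]$_.ServerRole
                Build        = $build
                OnSp3        = ($build -ge $Exchange2010Sp3)
                # Edge servers report whatever EdgeSync last wrote to AD (see the
                # EdgeSync note above); confirm their build on the box itself.
                CheckLocally = [bool]$_.IsEdgeServer
            }
        }
}

$report = Get-Exchange2010BuildReport
$report | Sort-Object OnSp3, Name | Format-Table -AutoSize

$report | Where-Object { -not $_.OnSp3 } | ForEach-Object {
    Write-Warning "$($_.Name) reports build $($_.Build): below Exchange 2010 SP3 and out of support"
}
$report | Where-Object { $_.CheckLocally } | ForEach-Object {
    Write-Host "$($_.Name) is an Edge server: re-check with Get-ExchangeServer on the Edge box, or re-subscribe it."
}
```

    The same Major/Minor comparison works for the RU level once you know the build of the RU you require, but note the post's point: the RU is not a lifecycle milestone, the service pack is.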

    For details on SP3 – you can take a peek at these articles.

    I also blogged about the expiration of Exchange 2010 RTM and Exchange 2010 SP1 support previously. 

    Full details about the Microsoft lifecycle policy can be viewed here

    http://support.microsoft.com/lifecycle/

    I would also encourage you to sign up to the quarterly lifecycle update newsletter to ensure that you have the knowledge to keep all of your products in a supported state, and continue to receive the support that you are entitled to!

    Cheers,

    Rhoderick

  • MEC 2014 – The Aftermath

    MEC 2014 has now come and gone, and it's been both an exciting and tiring week!  There was always so much going on that it was a constant battle to decide what to go and see next.  But that is a great dilemma to face.  I will be spending a lot of time in the coming weeks looking at the recordings on the IamMEC.com site.  Jon Orton just commented that the content will be released in the coming weeks for everyone.

Austin Convention Center

MEC 2014 was held in the Austin Convention Center.  It was great to get away from -5 °C in Toronto and go to +20 °C in Austin.  Maybe the snow will be gone by the time I get back.  Maybe….

     

     

    MEC 2014 Keynote

MEC 2014 Backstage Access, Baby!

The Keynote on Monday demonstrated the increased pace of innovation that the product group is looking to deliver.  2014 and beyond promise to bring lots of value to the service, which will then make its way to the on-premises builds.

    In addition to this, there were two main thoughts that I had from watching the keynote.  Every time someone came on stage they were “excited” to talk to us, “excited” to demo something or “excited” to talk about upcoming features.  Maybe they need to use the shift + F7 feature in Word to find other synonyms….

    The second was the video content produced for MEC.  The Exchange Innovation Lab video featuring Greg “CAS” Taylor, and David “TAP” Espinoza was the funniest bit of the keynote.  It may be a British thing, but I loved the deadpan delivery.

    Exchange Innovation Lab
     
    Hopefully the ‘do not reply all’ feature makes it into the product.  Maybe the other items they proposed at the end of the video will also get baked in!
Upcoming Exchange Features ????
     
    On a more serious note, announcing that OWA for Android was available, Yammer integration, and demonstrating the OWA clutter feature again showcased the continued value Microsoft is delivering.  As others have already commented in the blogosphere, the move to make OWA the rich client and ActiveSync the reach client is an interesting choice.  With this change, Microsoft is better able to control the user experience on a multitude of devices.  This allows for a very consistent user experience no matter which device you are using!  It also allows for easier updates since Microsoft can apply Exchange server updates to the service, or the admin in an on-prem scenario, and the end user experience is updated.  Of course the recent release of Office for iPad was heavily discussed by the attendees.  As a matter of fact I saw several people using OneNote for iPad to take notes during the sessions.
     
     
MEC Conference Swag

The Dell Venue Pro giveaway for the attendees was also a great way to finish off the keynote, and I'm now very glad I didn't buy one at Christmas!  In addition to the device, there was also an O365 subscription and a 64GB high speed micro SD card.  Tough decision what I carry around now.  Will it be my Surface, or the Venue?
     

     

    Expo Floor

Stunningly Hot MEC Booth Babe - Phwooooar !!

The exhibition floor was packed with a multitude of vendors who were eager to showcase their solutions to customers.  Customers were also able to pick up some really neat giveaways.  To the right you can see the closest that I got to a booth babe!

    This is my colleague Wes modelling one of the giveaways.  You will notice the RaaS booth in the background since Wes is one of the global leads for Exchange Risk Assessment As A Service (RaaS).  For more  information on RaaS please take a look at this page.

     

    Exchange Exhibition

One other area that was cool to walk around was the Exchange exhibition.  The team produced a video discussing the history of Exchange since it was born back in 1996; you can see the Exchange Through The Ages video below:

    Exchange Through The Ages

There were previous Exchange books, and for a real trip down memory lane, the Exchange installation media.  That's right kids, when stuff came on CDs and floppies…..

    Exchange 4.0 Installation Media - Can You Dig It!

    This reminds me that I need to look at that blog post for Exchange 2013 as discussed with the MVPs!

    Now let’s mention the really important aspect of MEC!

    Community

    While the above were all really great technical things to look at the biggest aspect of MEC is connecting with the people who make up the Exchange community!  While this means that countless free bottles of beer have to be consumed whilst talking to people, it was a hard task and I grudgingly stepped up to it! 

    I was fortunate to connect with many of the Exchange product group.  These folks are ridiculously busy.  So any time they take to meet with attendees is great.  I also got to see many of the Exchange MVPs who I see online in the forums which was fantastic, even though one has a crippling nurse fetish.  Though after the keynote, that may have been corrected…  Many Microsoft PFEs and consultants were also attending MEC and it was outstanding to chat with all of them.

UC Architects Bash

The UC Architects party was great!  Since they also closed out MEC with a live recording of the latest podcast, I'll look forward to seeing the more edited version!

     

    Austin is certainly a great place, and I have some very happy memories from both it and MEC.  I must comment on the public transportation system however.  It does seem to be somewhat antiquated, and brings back memories of Fred Flintstone’s troglodyte transport…

    Austin "Beer Bus"

I can only describe this as a "beer bus".  The passengers are sitting perpendicular to the direction of travel, and have to pedal to make the vehicle move.  If you look closely at the rear of the "bus" you will see the advanced propulsion fuel container.  A keg……

    Cheers,

    Rhoderick

  • Exchange 2013 Tip Of The Day – 26 To 50

    The other Exchange 2013 tips of the day posts can be found here:

    Exchange 2013 Tip Of The Day – 1   To 25

    Exchange 2013 Tip Of The Day – 51 To 75

    Exchange 2013 Tip of The Day – 76 To 93

    To obtain the listing below, the following command was used:

    $Int = 26;While ($Int -le 50){Get-Tip $Int;  Write-Host; $Int+=1}

     

     

    Tip of the day #26:

    Forget a property name? Not a problem because you can use wildcard characters to retrieve all properties that match the part of the name that you specify:

    Get-Mailbox | Format-Table Name,*SMTP*

     

    Tip of the day #27:

    Want to work with data contained in a CSV file? Use Import-CSV to assign the data to an object. For example, type:

    $MyCSV = Import-CSV TestFile.CSV

    You can then manipulate the data easily in the Exchange Management Shell. For example, if there is a column called Mailboxes in the CSV data, you can use the following commands to sort or group the data by the Mailboxes column:

    To sort: $MyCSV | Sort Mailboxes
    To group: $MyCSV | Group Mailboxes

     

    Tip of the day #28:

This command spins through all your mailbox servers and reconnects all the uniquely identified but disconnected mailboxes in any one of the mailbox databases.  Run it with -WhatIf on Connect-Mailbox first (see tip #20), because it reconnects every disconnected mailbox it finds, including ones that were disabled deliberately:

$Servers = Get-ExchangeServer
$Servers | Where { $_.IsMailboxServer -Eq $True } |
    ForEach { Get-MailboxStatistics -Server $_.Name } |
    Where { $_.DisconnectDate -Ne $Null } |
    ForEach { Connect-Mailbox -Identity $_.DisplayName -Database $_.DatabaseName }

     

    Tip of the day #29:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you're typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

     

    Tip of the day #30:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you're typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

    Tip of the day #31:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you're typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

     

    Tip of the day #32:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you're typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

     

    Tip of the day #33:

    Want to create a group of test users in your lab? Use this command:

    1..100 | ForEach { Net User "User$_" MyPassword=01 /ADD /Domain; Enable-Mailbox "User$_" }
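Tip #33 creates 100 domain accounts that all share one literal password typed on the command line, which also lands in the shell history and any transcript from tip #42.  As an added example that is not from the original post or from Microsoft's tip text, the following creates the same kind of lab mailboxes with a unique random password each, forces a change at first logon, and returns the credentials as objects so you decide where, if anywhere, they get written.  The OU and UPN suffix are hypothetical defaults; change them for your lab.

```powershell
# Added example, not from the original post or the tip text.
# Generates a password that meets the default AD complexity policy using the CSPRNG.
function New-LabPassword {
    param([int]$Length = 16)
    # One character from each class guarantees complexity (3 of 4 classes required);
    # the remaining characters come from the union of all classes.
    $classes = 'abcdefghijkmnopqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!@#$%^&*-_=+'
    $all = -join $classes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 4
    $pick = {
        param([string]$From)
        $rng.GetBytes($buf)
        # Modulo bias from a 32-bit sample over a <100-character alphabet is negligible here.
        $From[[int]([BitConverter]::ToUInt32($buf, 0) % $From.Length)]
    }
    $chars  = @(foreach ($c in $classes) { & $pick $c })
    $chars += @(1..($Length - $classes.Count) | ForEach-Object { & $pick $all })
    # Shuffle with CSPRNG sort keys so the class-guaranteed characters are not at fixed positions.
    -join ($chars | Sort-Object { $rng.GetBytes($buf); [BitConverter]::ToUInt32($buf, 0) })
}

# Creates $Count lab mailboxes, each with its own password, in the Exchange Management Shell.
# OrganizationalUnit and UpnSuffix are hypothetical lab values (assumption); change them.
function New-LabMailboxes {
    param(
        [int]$Count = 100,
        [string]$Prefix = 'User',
        [string]$OrganizationalUnit = 'contoso.com/LabUsers',
        [string]$UpnSuffix = 'contoso.com'
    )
    1..$Count | ForEach-Object {
        $name  = "$Prefix$_"
        $plain = New-LabPassword
        New-Mailbox -Name $name -Alias $name -UserPrincipalName "$name@$UpnSuffix" `
            -OrganizationalUnit $OrganizationalUnit `
            -Password (ConvertTo-SecureString $plain -AsPlainText -Force) `
            -ResetPasswordOnNextLogon $true | Out-Null
        # Credentials go out via the pipeline only; if they must be stored, write them to an ACL'd path.
        New-Object PSObject -Property @{ Name = $name; Password = $plain }
    }
}

# Usage: New-LabMailboxes -Count 100 | Export-Csv -Path C:\Lab\lab-users.csv -NoTypeInformation
```

Because each password is unique and must be changed at first logon, a leaked CSV or transcript from the lab no longer hands out one password that opens a hundred accounts.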

     

    Tip of the day #34:

    Like the Exchange Management Shell Tip of the Day? Try this:

    Get-Tip

     

    Tip of the day #35:

    Want to set the properties on all or some Outlook Web Access virtual directories? Pipe the output of Get-OwaVirtualDirectory to the Set-OwaVirtualDirectory cmdlet. For example, the following command sets the Gzip level for all Outlook Web Access virtual directories:

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -GzipLevel High

     

    Tip of the day #36:

    Want to move your database path to another location? Type:

    Move-DatabasePath -EdbFilePath DestFileName

    To change the file path setting without moving data, use this command together with the ConfigurationOnly parameter. This command is especially useful for disaster recovery. Caution: Misuse of this cmdlet will cause data loss.

     

    Tip of the day #37:

    Need an easy way to add a new primary SMTP address to a group of mailboxes? The following command creates a new email address policy that assigns the @contoso.com domain to the primary SMTP address of all mailboxes with Contoso in the company field:

    New-EmailAddressPolicy -Name Contoso -RecipientFilter {Company -Eq "Contoso"} -EnabledPrimarySMTPAddressTemplate "@contoso.com"

     

    Tip of the day #38:

    Want to retrieve a group of objects that have similar identities? You can use wildcard characters with the Identity parameter to match multiple objects. Type:

    Get-Mailbox *John*    
    Get-ReceiveConnector *toso.com     
    Get-JournalRule *discovery*

     

    Tip of the day #39:

    Want to configure a group of objects that have similar identities? You can use wildcard characters with the Identity parameter when you use a Get cmdlet and pipe the output to a Set cmdlet. Type:

$Mailboxes = Get-Mailbox *John*
$Mailboxes | Set-Mailbox -ProhibitSendQuota 100MB -UseDatabaseQuotaDefaults $False

    This command matches all mailboxes with the name John in the mailbox's identity and sets the ProhibitSendQuota parameter  to 100MB. It also sets the UseDatabaseQuotaDefaults parameter to $False so that the server uses the new quota you specified instead of the database default quota limits.

     

    Tip of the day #40:

    Forgot what the available parameters are on a cmdlet? Just use tab completion! Type:

    Set-Mailbox -<tab>

    When you type a hyphen (-) and then press the TAB key, you cycle through all the available parameters on the cmdlet. Want to narrow your search? Type part of the parameter's name and then press the TAB key. Type:

    Set-Mailbox -Prohibit<tab>

     

    Tip of the day #41:

    Want to add an alias to multiple distribution groups that have a similar name? Type:

    $Groups = Get-DistributionGroup *Exchange*    
    $Groups | Add-DistributionGroupMember -Member kim

    This command adds the alias kim to all distribution groups that contain the word Exchange.

     

    Tip of the day #42:

    Want to record exactly what happens when you're using the Exchange Management Shell? Use the Start-Transcript cmdlet. Anything that you do after you run this cmdlet will be recorded to a text file that you specify. To stop recording your session, use the Stop-Transcript cmdlet.

    Notice that the Start-Transcript cmdlet overwrites the destination text file by default. If you want to append your session to an existing file, use the Append parameter:

Start-Transcript c:\MySession.txt -Append

    Tip of the day #43:

    Do you have a user who has network access but maintains an external mail account outside your Exchange organization? With Exchange 2013, you can now create mail-enabled users that are regular Active Directory accounts, but also behave like mail-enabled contacts. By using the Enable-MailUser cmdlet, you can add email contact attributes to any existing Active Directory user who doesn't already have a mailbox on an Exchange server. Users in your Exchange organization will then be able to send email messages to that user's external mail account. Type:

    Enable-MailUser -Identity <Active Directory Alias> -ExternalEmailAddress <Destination SMTP Address>

     

    Tip of the day #44:

    Want to change the default prohibit send quota for a mailbox database? Type:

    Set-MailboxDatabase <Mailbox Database Name> -ProhibitSendQuota <New Quota Size>

    You can specify a bytes qualifier when you use the ProhibitSendQuota parameter. For example, if you want to set the prohibit send quota to 200 megabytes, type:

Set-MailboxDatabase <Mailbox Database Name> -ProhibitSendQuota 200MB

    You can also configure the IssueWarningQuota parameter and the ProhibitSendReceiveQuota parameter in the same way.

     

    Tip of the day #45:

    Want to know what version of Exchange Server each of your servers is running? Type:

    Get-ExchangeServer | Format-Table Name, *Version*

     

    Tip of the day #46:

    Want to determine whether a server is running Exchange Server 2013 Standard, Enterprise or Hybrid Edition? Type:

    Get-ExchangeServer <Server Name> | Format-Table Name, Edition

    If you want to view which edition all your Exchange servers are running, omit the <Server Name> parameter.

     

    Tip of the day #47:

    Want to create a new resource mailbox that can be used to book a meeting room? Type:

    New-Mailbox -Name <Conference Room Name> -UserPrincipalName <SMTP Address> -OrganizationalUnit <Organizational Unit> -Room

    This command creates a disabled Active Directory user who has a mailbox that accepts meeting requests from users.

     

    Tip of the day #48:

    Want to control the properties of email messages sent to a specific domain? Use the RemoteDomain cmdlets. Create a new remote domain by using the New-RemoteDomain cmdlet. Type:

    New-RemoteDomain -Name "Contoso.com Configuration" -DomainName contoso.com

    Then modify the properties that you want for this remote domain by using the Set-RemoteDomain cmdlet:

    Set-RemoteDomain "Contoso.com Configuration" -AutoReplyEnabled $True -AutoForwardEnabled $True

     

    Tip of the day #49:

    Booleans are parameters that can be evaluated as either $True or $False. Booleans are typically used as a flag on an object that modifies the behavior of that object. In the Exchange Management Shell, you must supply a Boolean parameter with either a $True, $False, 1, or 0. No other values are accepted, including True or False. For example, both of the following commands set the enabled state of the ExampleAssignment management role assignment to $True:

    Set-ManagementRoleAssignment ExampleAssignment -Enabled $True    
    Set-ManagementRoleAssignment ExampleAssignment -Enabled 1

     

    Tip of the day #50:

    Want an easy way to apply deleted item retention limits across multiple databases and servers? Try the following command to configure deleted item retention across all databases on a specified server:

    Get-MailboxDatabase -Server <Server Name> | Set-MailboxDatabase -DeletedItemRetention 45.00:00:00

    You can also apply the same deleted item retention limits or mailbox retention limits across all servers in your organization:

    Get-MailboxDatabase | Set-MailboxDatabase -DeletedItemRetention 45.00:00:00 -MailboxRetention 120.00:00:00

     

     

    Cheers,

    Rhoderick

  • Exchange 2013 Tip Of The Day – 1 To 25

    The Exchange Management Shell helps us discover the amazing capabilities of PowerShell.  One way it does this is by displaying a tip of the day so that we are introduced to concepts and topics that inevitably will come in handy one day!

    The other Exchange 2013 tips of the day posts can be found here:

    Exchange 2013 Tip Of The Day – 26 To 50

    Exchange 2013 Tip Of The Day – 51 To 75

    Exchange 2013 Tip of The Day – 76 To 93

     

    Exchange 2010 tips can be found here and the  Exchange 2007 Tips are listed on TechNet.

To retrieve the tips listed in this post, this PowerShell code was used:

    $Int = 1;While ($Int -le 25){Get-Tip $Int;  Write-Host; $Int+=1}

     

    Please refer to the Exchange 2010 tips post for a more verbose version of the PowerShell code.

     

    Just like the Exchange 2010 tips, the first four Exchange 2013 tips are also duplicated, though since they are randomly displayed it goes un-noticed!

     

     

    Tip of the day #1:

    Did you know that the Identity parameter is a "positional parameter"? That means you can use:

    Get-Mailbox "user" instead of: Get-Mailbox -Identity "user"

    It's a neat usability shortcut!

     

    Tip of the day #2:

    Did you know that the Identity parameter is a "positional parameter"? That means you can use:

    Get-Mailbox "user" instead of: Get-Mailbox -Identity "user"

    It's a neat usability shortcut!

     

    Tip of the day #3:

    Did you know that the Identity parameter is a "positional parameter"? That means you can use:

    Get-Mailbox "user" instead of: Get-Mailbox -Identity "user"

    It's a neat usability shortcut!

     

    Tip of the day #4:

    Did you know that the Identity parameter is a "positional parameter"? That means you can use:

    Get-Mailbox "user" instead of: Get-Mailbox -Identity "user"

    It's a neat usability shortcut!

     

    Tip of the day #5:

    Tired of typing a long command every time that you want to do something? Alias it! Type:

    Set-Alias GetMre Get-ManagementRoleEntry

    For all the current aliases, type:

    Get-Alias

     

    Tip of the day #6:

    Want to see the members of a dynamic distribution group that has a custom filter? Just use the Get-Recipient cmdlet. Type:

    $DDG = Get-DynamicDistributionGroup "Contoso Marketing Managers"    
    Get-Recipient -RecipientPreviewFilter $DDG.RecipientFilter

     

    Tip of the day #7:

    The Exchange Management Shell is a calculator, too! Try it directly at a command prompt:

    1.2343+3123 or (23/435)*2

     

    Tip of the day #8:

    Command line SOS! Do you need help? Type:

    Help <cmdlet-name>  or  <cmdlet-name> -?

    You can choose what information to return when you view Help by using the Detailed, Full, and Examples switches:

Help Get-Mailbox -Detailed

     

    Tip of the day #9:

    Want to look at Help for a cmdlet but don't want to read through pages and pages of text in the Shell window? Just use the Online switch with the Get-Help cmdlet. The Online switch tells the Shell to open the online version of the cmdlet's Help topic in your default browser. Type:

Get-Help <cmdlet> -Online

     

    Tip of the day #10:

The tilde character (~) should be familiar to Unix users. It represents the shortcut to your home directory. To see what it's evaluated to by default, type:

    Dir ~

    You can use it as a useful shortcut:

    Cp SomeFile "~\My Documents"

     

    Tip of the day #11:

    CTRL+C is the equivalent of the hard-break command in the Exchange Management Shell. If a command is taking too long to run or you want to cancel an operation quickly, press CTRL+C to stop execution.

     

    Tip of the day #12:

    Pushd and Popd work the same way in the Exchange Management Shell as they do in cmd.exe. Type:

    Pushd <location>

     

    Tip of the day #13:

    XML over everything! The Exchange Management Shell treats XML as a native type, so that you can do interesting things like:

    $Sample = [XML](Get-Content SomeXMLFile.xml)

    This command assigns $Sample to the actual XML object. To see it, type:

    $Sample

    To navigate, type:

    $Sample.Prop1.Prop2

    No need for text parsing when you want to load XML data!

     

    Tip of the day #14:

    Cmdlets that end in "Config" manage singleton configuration, either one per server or organization. For these tasks, you don't have to specify an identity because there is only one instance of the configuration. You may have to specify the Server parameter if the configuration is per server.

     

    Tip of the day #15:

    To get a list of all users on an Exchange 2013 server who aren't Unified Messaging-enabled, type:

    $Mailboxes = Get-Mailbox    
    $Mailboxes | ForEach { If($_.UmEnabled -Eq $False){$_.Name}}

     

    Tip of the day #16:

    To get a list of all users on an Exchange 2013 server who are Unified Messaging-enabled, type:

    $Mailboxes = Get-Mailbox    
$Mailboxes | ForEach { If($_.UmEnabled -Eq $True){$_.Name}}

     

    Tip of the day #17:

    To display the user's alias formatted in a table together with the user's Exchange 2013 server name and telephone extension, type:

    Get-Mailbox | Format-Table ServerName,@{e={$_.SamAccountName};Label="User Alias"},@{Expression="Extensions";Label="Telephone numbers"}

     

    Tip of the day #18:

    To display the list of UM IP gateway server names disabled for outbound calling and hunt groups associated with a UM IP gateway server, type:

    $Gateways = Get-UMIPGateway    
    $Gateways | ForEach {If($_.OutCallsAllowed -Eq $False){ "Gateway Name = " +$_.Name;ForEach ($HuntGroup In $_.Huntgroups ){"Huntgroups " + $Huntgroup}}}

     

    Tip of the day #19:

    If you want to test all IP Block List providers, you just have to pipe the Get-IpBlockListProvider cmdlet to the Test-IpBlockListProvider cmdlet:

    Get-IpBlockListProvider | Test-IpBlockListProvider -IpAddress 192.168.0.1

     

    Tip of the day #20:

Before you remove an object by using the Remove verb, use the WhatIf parameter to verify that the results are what you expect.
     

    Tip of the day #21:

    Sometimes it's useful to convert the output of a cmdlet to a string to interoperate with native cmdlets. For example, type:

    Get-Mailbox | Out-String | Findstr "Administrator"

     

    Tip of the day #22:

    Get all Win32 WMI information, such as Perfmon counters and local computer configurations. For example, type:

    Get-WMIObject Win32_PerfRawData_PerfOS_Memory

     

    Tip of the day #23:

    Who isn't tired of spam? You can configure real-time block list (RBL) providers with the Exchange Management Shell by running the following two commands:

    Set-IPBlockListProvidersConfig -Enabled $True -ExternalMailEnabled $True

    and then

    Add-IPBlockListProvider -Name <Name of RBL Provider> -LookupDomain <FQDN of RBL Provider> -AnyMatch $True

     

    Tip of the day #24:

    Access the event log from the Exchange Management Shell. To retrieve the whole event log, type:

    Get-EventLog Application | Format-List

    To retrieve all Exchange-related events, type:

    Get-EventLog Application | Where { $_.Source -Ilike "*Exchange*" }

     

    Tip of the day #25:

    One benefit of the Exchange Management Shell is that cmdlets can output objects to the console. You can then manipulate this output and organize it in interesting ways. For example, to get a quick view in tabular format, use Format-Table:

    Get-Mailbox | Format-Table Name,Database,RulesQuota

     

    Cheers,

    Rhoderick

  • Outlook Unable To Connect To Exchange –Default Gateway Not Found

    When doing some recent customer work for Exchange 2013, I ran into an annoying issue in one of my labs.  Outlook 2013 refused to connect to Exchange 2013.   A witch hunt then ensued to ensure that all of my Outlook Anywhere, Autodiscover and authentication settings were correct.  Well it turns out that they were, and this was just a client side issue.  Legacy IIS permissions when coexisting with Exchange 2013 are covered here for example. 

    The symptom was that Outlook would not connect using an existing profile, and was unable to create a net new profile.  When creating a new profile the error received was “The action cannot be completed.  The connection to Microsoft Exchange is unavailable.  Your Network Adapter does not have a default gateway”. 

Since this entire lab exists on a single flat subnet (10.0.0.0/8) I foolishly ignored the default gateway bit of the error message and focussed on client connectivity.  Why would it want a default gateway when all machines are on a single subnet, the network is a private Hyper-V switch and all machines resolve names perfectly……

Let's look at what was going on, then how to remediate it manually and how to automate the fix.

    Running Outlook  Auto Account Setup

Trying to create a new Outlook 2013 profile with both the pre-SP1 build of Outlook 2013 and Outlook 2013 SP1 resulted in the same issue.

    Firing up Outlook initiated the Auto Account setup.  As expected we hit up AD to get the SMTP address and then query AD for the Autodiscover SCP endpoints.  For details on Autodiscover please see this post.   

    Creating New Outlook 2013 Profile - Auto Account Setup

All normal so far.  We issued the LDAP query to AD, did the Autodiscover SCP query, and started to process the Autodiscover response.

    Creating New Outlook 2013 Profile - Searching For Settings...

    Then the wheels fall off the wagon……

    The action cannot be completed.  The connection to Microsoft Exchange is unavailable.  Your Network Adapter does not have a default gateway

    Clicking OK, shows the below dialogue box. 

    Mailbox GUID Displayed in Exchange Server Name Field

    Couple of things to mention about the content of the above window.  Note that the Exchange server field does not state the name of any of the Exchange servers.  Is this something to be worried about? The answer is no.  This was a deliberate design change in Exchange 2013 to provide a single consistent identity that Outlook could store.  The intent was to minimise the occurrences of “Your administrator has made a change that requires you to restart Outlook”.  We can talk more about that with MAPI/HTTP. 

    You will note that the information specified in the Exchange server name is the ExchangeGUID of the mailbox.  This can be seen below:

    Get-Mailbox Administrator | Select Name, *GUID*

    Checking Mailbox's ExchangeGUID

You will note that the ExchangeGUID does not show up in the default output of the ADDS cmdlet (it is stored in the msExchMailboxGuid attribute, which Get-ADUser returns only when you ask for it with -Properties msExchMailboxGuid):

    Get-ADUser Administrator | Select Name, *GUID*

    ExchangeGUID Is Not Present Within ADDS Get-ADUser Cmdlet

    Going back to the error screen again…..

    Clicking Check Name again, just shows the previous error – The connection to Microsoft Exchange is unavailable.  Your network does not have a default gateway.

    What’s up with this? 

    Correcting The Issue By Disabling Outlook Connection Optimisation

In this case we are using a pretty rare scenario.  All of these test machines exist on an isolated segment with no other network access whatsoever.  Typical client machines have a default gateway configured to allow IP traffic to flow correctly in the environment.  Outlook 2007 and later check whether the machine has a default gateway set so that they can perform more advanced connection optimisation than Outlook 2003 did, and in this case it is that check which gets in the way.  As described in KB 913843, the optimisation is disabled in the registry.  The registry key to use depends upon the version of Outlook that you have installed:

Outlook Version    Registry Path
2007               HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC
2010               HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
2013               HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\RPC

Under that key, create a REG_DWORD value named DefConnectOpts with data 0.

    Note that the RPC key may not currently exist.  If it does not you can manually create it or use the automated solution below in this post. 

     

This registry data disables the newer Outlook 2007 connection logic and forces Outlook to use the same connection logic that was available in Outlook 2003.  One check that gets disabled is the step that validates whether a default gateway is present.

Please note that there are multiple reasons why Outlook 2013 may not connect to Exchange 2013; this is just one of them.  A couple of the other recent ones that I have seen are:

    KB 2264398 Outlook Unable to perform a Check Name or connect to an Exchange mailbox may get these errors:

    KB 2934750 Outlook 2013 cannot connect after an Exchange Server 2010 mailbox is moved to Exchange Server 2013

     

     

    If you want to automate this via a script, logon script or just don’t want to have to browse the registry, we can use the venerable reg.exe tool. 

     

To Set The Outlook 2013 DefConnectOpts Registry Value (the /F switch overwrites an existing value without prompting, which a logon script needs)

Reg.exe Add HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\RPC /V DefConnectOpts /T REG_DWORD /D 0 /F

To Check For The Outlook 2013 DefConnectOpts Registry Value

Reg.exe Query HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\RPC /V DefConnectOpts
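The same fix as a PowerShell function, added here as an example and not part of the original post: it applies DefConnectOpts = 0 from KB 913843 to every Outlook version in the table whose Outlook key exists under HKCU, creates the RPC key when it is missing, and reads the value back so a logon script can report what it did.  It assumes it runs as the affected user, since the keys are per user; nothing else is assumed beyond the registry paths already listed.

```powershell
# Added example, not from the original post. Applies KB 913843's DefConnectOpts = 0 for each
# Outlook version whose key is present under HKCU, then reads the value back for verification.
$OutlookRpcKeys = @{
    '2007' = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\RPC'
    '2010' = 'HKCU:\Software\Microsoft\Office\14.0\Outlook\RPC'
    '2013' = 'HKCU:\Software\Microsoft\Office\15.0\Outlook\RPC'
}

function Set-OutlookDefConnectOpts {
    param([int]$Value = 0)   # 0 = use the Outlook 2003 connection logic (no default-gateway check)
    foreach ($ver in ($OutlookRpcKeys.Keys | Sort-Object)) {
        $rpc     = $OutlookRpcKeys[$ver]
        $outlook = Split-Path $rpc -Parent          # ...\<version>\Outlook
        # Only touch versions that are actually present; do not litter HKCU with keys
        # for Office versions that were never installed.
        if (-not (Test-Path $outlook)) { continue }
        if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
        # -Force overwrites an existing value, so the function is safe to re-run from a logon script.
        New-ItemProperty -Path $rpc -Name DefConnectOpts -PropertyType DWord -Value $Value -Force | Out-Null
        New-Object PSObject -Property @{
            Outlook        = $ver
            Key            = $rpc
            DefConnectOpts = (Get-ItemProperty -Path $rpc -Name DefConnectOpts).DefConnectOpts
        }
    }
}

Set-OutlookDefConnectOpts | Format-Table Outlook, DefConnectOpts, Key -AutoSize
# Restart Outlook afterwards so it picks up the changed value.
```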

     

    Funnily enough, after the fact I remembered that I’d seen this previously, about 5 years ago.  Those who forget the past certainly do repeat the same mistakes!

     

    Cheers,

    Rhoderick

  • Exchange PowerShell Filtering Examples

    When writing Exchange PowerShell scripts it is very useful to target specific machines to either query or set their properties.  Thus the ability to generate a query that effectively targets the correct machines is a very good thing to have!

The reason I'm posting this is that I see a lot of people manually specify a list of servers, and then iterate through the list, which typically looks like this:

$ExchangeServers = "Exch-1", "Exch-2", "Exch-3"
ForEach ($Server In $ExchangeServers)
{
    # The code to do something goes here…..
}

    This is all good and fine if you have three servers.  What if you have three hundred? Man, that would be a gargantuan sized variable and really horrible to maintain!

    In those cases we want to work the server list out on the fly, and then iterate through the collection.  Let’s look at some sample code that allows us to focus upon certain types and locations of servers.

     

    Select Only Specific Roles

Starting with a simple example, let's pull in a list of all the CAS servers in the organisation, and then do the same for the remaining Exchange 2010/2007 roles.  You will note that there are built-in cmdlets for discovering each of these roles in a nice easy fashion:

    Show CAS Servers

    Get-ClientAccessServer

    Show HUB Transport Servers

    Get-TransportServer

    Show Mailbox Servers

    Get-MailboxServer

    Show Unified Messaging Servers

    Get-UMServer

    Well, that was a good start!  But let’s say that we want to then filter this list further.  What if we want to then get a specific version of CAS?

     

    Select Only Exchange 2010 CAS

    In the previous example we successfully used the Get-ClientAccessServer cmdlet to retrieve a list of all CAS servers.  So it should be simple to then just add the version information to this cmdlet as Get-Member does show us that there is a version parameter.  For more information on Get-Member and other PowerShell fundamentals please check this series of articles out.


    Oh, smeg!  All of the versions are the same.  What to do??

    To be able to see the version information of a server, we need to use the Get-ExchangeServer cmdlet.  There are other reasons for using this as well that we will get into at the end of the post.

    In this example let’s select only Exchange 2010 CAS Servers.  To do this we need to check that they are Version 14 (Exchange 2010 is E14).  We shall save the Name parameter into the $CASServers variable, and sort it.  Note that we are using Get-ExchangeServer as we can see the AD site information with that cmdlet.  Get-ClientAccessServer does not return site information.
     
    This collection will be only CAS servers.  Note though that, depending upon your requirements, you have to filter this more as it will include every CAS from every corner of your Exchange organisation.  We shall address that concern later in the post!


    $CASServers = Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -Eq $true -and $_.AdminDisplayVersion -Match "^Version 14" } | Select Name | Sort-Object Name

    In the above PowerShell code we are using the –Match operator.  You will note that the “^” symbol is within the string that is being searched for.  The ^ character anchors the pattern to the start of the string, so "^Version 14" only matches version strings that begin with "Version 14".  This is part of regular expression searches, and you can read more about this here.

    My personal preference is to always sort these collections, since when reviewing output the data is then in a predictable order, which makes it much quicker and easier to analyse.

    One other thing to note when looking at the Exchange 2007 and 2010 version strings: they will not increment when an RU is installed.  Only an Exchange 2007 or Exchange 2010 Service Pack is designed to advance the build number.  Exchange 2013 will increment the build number for each CU that is installed.  This is discussed in great detail here.

     

    Select Only Exchange 2007 CAS

    Taking the previous example, it is a simple task to then change this so that we look for the Exchange 2007 version information which is “8.”.  At this time all of your Exchange 2007 servers must be on Service Pack 3, with an up to date rollup as well.  We could then hard code the search to look for only SP3 builds of Exchange 2007 which would be “8.3”, but let’s leave it open to search all versions.

    $CASServers = Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -Eq $true -and $_.AdminDisplayVersion -Match "^Version 8" } | Select Name | Sort-Object Name

     

    Select Only Exchange 2010 HUB Transport

    $E14HUBServers = Get-ExchangeServer | Where-Object {$_.IsHubTransportServer -Eq $true -and $_.AdminDisplayVersion -Match "^Version 14" } | Select Name | Sort-Object Name

     

     

    Select Only Exchange 2010 Mailbox

    $E14MailboxServers = Get-ExchangeServer | Where-Object {$_.IsMailboxServer -Eq $true -and $_.AdminDisplayVersion -Match "^Version 14" } | Select Name | Sort-Object Name

     

     

    Let’s now switch this up a little and make some more complicated queries!

     

    Select Only Exchange 2010 CAS In A Specific AD Site

    As mentioned above, there will be times that you do not want to get every single CAS server in the organisation.  Sometimes you only want those in a particular AD site.  Remember that all CAS in a site should be configured the same, as you cannot control which CAS a particular user is referred to, and thus the configuration needs to be the same to ensure a consistent user experience.

    In this example we want to get a collection of just the Exchange 2010 CAS servers that exist in a specific AD site called Edinburgh.

    $E14CASServers = Get-ExchangeServer | Where-Object {$_.AdminDisplayVersion -match "^Version 14" -and $_.ServerRole -Match "ClientAccess" -and ($_.Site -match "Edinburgh") } | Sort Name

    The trick, as you see here, is the multiple “-And” operators.  These make sure that each of the conditions must evaluate to $True for a server to be included in the collection.  Should any one condition evaluate to $False for a given server, then it will not be present in the collection.

     

    Select Only Exchange 2010 CAS In Multiple AD Sites

    In the above example we leverage multiple “-And” operators to generate the required logic.  In the example here we then add to this by using an “-Or” operator.  For a server to be included in the collection it can be in AD SiteA or AD SiteB.  In the example below the sites are called Edinburgh and Aberlour.  Please ensure that this does not wrap:

    $E14CASServers = Get-ExchangeServer | ?{$_.AdminDisplayVersion -match "^Version 14" -and $_.ServerRole -Match "ClientAccess" -and ($_.Site -match "Edinburgh" -or $_.Site -match "Aberlour") } | Sort Name
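    The role, version and site filters above all share one Where-Object shape, so here, as an added example that is not code from the original post, they are folded into a single function that accepts any combination of the three.  The version pattern is anchored and escaped so that "14" cannot match "Version 140" and "6.5" cannot match a build number such as "685".  The server objects, names, sites and build strings below are constructed sample data standing in for Get-ExchangeServer output so that the filter can be exercised offline; in a real Exchange Management Shell pass (Get-ExchangeServer) as -Servers instead.

```powershell
function Select-ExchangeServerByFilter {
    [CmdletBinding()]
    param(
        # Server objects to filter, normally the output of Get-ExchangeServer.
        [Parameter(Mandatory)] [object[]] $Servers,
        # Matched against ServerRole, e.g. ClientAccess, HubTransport, Mailbox, UnifiedMessaging.
        [string]   $Role,
        # Leading part of AdminDisplayVersion: 14 = Exchange 2010, 8 = Exchange 2007, 6.5 = Exchange 2003.
        [string]   $MajorVersion,
        # One or more AD site names; a server in any of them is kept.
        [string[]] $Site
    )

    # Build anchored, escaped patterns so a partial number or a regex metacharacter cannot over-match.
    $VersionPattern = if ($MajorVersion) { '^Version ' + [regex]::Escape($MajorVersion) + '\b' }
    $SitePattern    = if ($Site) { ($Site | ForEach-Object { [regex]::Escape($_) }) -join '|' }

    # Every supplied condition must hold (-and); an omitted condition is simply skipped.
    $Servers | Where-Object {
        (-not $Role           -or $_.ServerRole -match $Role) -and
        (-not $VersionPattern -or $_.AdminDisplayVersion -match $VersionPattern) -and
        (-not $SitePattern    -or "$($_.Site)" -match $SitePattern)
    } | Sort-Object Name
}

# Constructed sample data standing in for Get-ExchangeServer output (Site is shown as its
# distinguished-name style string, which is what -match sees on the real ADObjectId).
$SampleServers = @(
    [pscustomobject]@{ Name = 'EDI-CAS-01'; ServerRole = 'ClientAccess, HubTransport'; AdminDisplayVersion = 'Version 14.3 (Build 123.4)';  Site = 'contoso.com/Configuration/Sites/Edinburgh' }
    [pscustomobject]@{ Name = 'ABL-CAS-01'; ServerRole = 'ClientAccess';               AdminDisplayVersion = 'Version 14.3 (Build 123.4)';  Site = 'contoso.com/Configuration/Sites/Aberlour' }
    [pscustomobject]@{ Name = 'EDI-MBX-01'; ServerRole = 'Mailbox';                    AdminDisplayVersion = 'Version 14.3 (Build 123.4)';  Site = 'contoso.com/Configuration/Sites/Edinburgh' }
    [pscustomobject]@{ Name = 'LON-CAS-01'; ServerRole = 'ClientAccess, HubTransport'; AdminDisplayVersion = 'Version 8.3 (Build 83.6)';    Site = 'contoso.com/Configuration/Sites/London' }
    [pscustomobject]@{ Name = 'LON-EX-03';  ServerRole = 'None';                       AdminDisplayVersion = 'Version 6.5 (Build 7638.2)'; Site = 'contoso.com/Configuration/Sites/London' }
)

# Exchange 2010 CAS in Edinburgh or Aberlour: returns ABL-CAS-01 and EDI-CAS-01, sorted by name.
$E14CAS = Select-ExchangeServerByFilter -Servers $SampleServers -Role ClientAccess -MajorVersion 14 -Site Edinburgh, Aberlour
$E14CAS | Format-Table Name, Site -AutoSize

# Anything still on Exchange 2003, counted with Measure-Object: returns 1 (LON-EX-03).
$E2003 = Select-ExchangeServerByFilter -Servers $SampleServers -MajorVersion 6.5
($E2003 | Measure-Object).Count
```

    Measure-Object is used for the count rather than .Count because in the PowerShell 2.0 shell that ships with Exchange 2010 a single matching server comes back as one object, not a one-element array, and .Count on it returns nothing.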

     

     

    Select Only Exchange 2003 Servers

    This will be a very handy command to ensure that all of your Exchange 2003 servers have been removed by the 8th of April 2014!

    $Exchange2003Servers = Get-ExchangeServer | where {$_.AdminDisplayVersion -match "^Version 6\.5"}

    For this and the other examples we can get a count of the servers in a couple of ways.

    $Exchange2003Servers  | Measure-Object

     

    $Exchange2003Servers.Count

     

     

    Select Specific Mailbox Databases

    If you have a few hundred mailbox databases, then you will have developed a naming scheme for them to indicate which DAG, continent and mailboxes are contained therein. 

    Exchange Get-MailboxDatabase Select Wildcard

    To see databases that contain a particular string we can use our familiar wildcard search character:

    Get-MailboxDatabase *04*

    This is shown in the above example.  We want to see databases that contain the phrase “04”.  The same can be done for many other objects in Exchange. 

     

    Select Specific Mailboxes

    For mailbox filtering examples, this is covered in great detail in this previous post.

     

    Cheers,

    Rhoderick

  • MEC 2014 - 2 Weeks And Counting

    Wow, time has certainly flown and it’s now only two weeks until MEC 2014 happens down in sunny Austin, Texas!

    My MEC Profile is here.  Currently looking at all the sessions and planning that out!

    MEC 2014 Splash Screen

    I’m really pumped and am looking forward to meeting a load of virtual friends from a wide range of countries from Sweden, Australia and the UK to name just a few!  Having so many community members in a single place is simply outstanding!

    What can we look forward to?  Lots, including:

     

    The MEC site also has some of the MEC 2012 videos for your viewing pleasure.

    The theme for MEC 2012 was the lost conference.  I wonder what fun has been cooked up for this one!

    MEC 2012 - The Lost Conference

    MEC 2014 - YMET   (Yet More Epic Times)

     

    If you are also at MEC, please do come and say hello!

    Cheers,

    Rhoderick

  • Exchange 2007 And 2013 Outlook Anywhere Co-Existence

    Since we are still in the early stages of the year, and Exchange 2013 SP1 is now available, we will see lots of migrations to Exchange 2013.  Exchange 2013 can be deployed into an existing Exchange organisation where Exchange 2007 SP3 RU10 or later and/or Exchange 2010 SP3 exists.

    Let's look at an issue that can arise in an Outlook Anywhere co-existence scenario with Exchange 2007 and 2013.  After walking through the scenario we will see what can be done about it and review a couple of other issues that will probably crop up, for example IIS permissions.

    Update 27-3-2014: Added link to TechEd 2013 Outlook Anywhere session.  Tightened up client auth wording.

    Update 12-11-2014: Updated reference to OA traffic flow from Gavin's feedback.

    Update 12-11-2014: Updated reference for disabling IPv6

    Since some customers may not already have Outlook Anywhere enabled, and are lighting it up to permit co-existence with Exchange 2013, they may run into issues if the required OS bits are not deployed on the older versions of Exchange.  You may receive EventID 2003 stating that the RPC over HTTP proxy component is not installed or is not configured correctly.

    It is possible to install Exchange 2007 and enable Outlook Anywhere without installing the required underlying OS component.  This is the RPC/HTTP proxy component that was introduced in Windows 2003 and allowed for the introduction of RPC/HTTPS.  Since Exchange 2007’s Outlook Anywhere requires the RPC/HTTP component, it will not work without it.  Funny that, eh?

     

    Install Exchange 2007 Sans RPC/HTTP

    We start this scenario with a base Windows 2008 R2 SP1 installation.  The telnet client is installed, and nothing else, just to prove that the Get-WindowsFeature cmdlet is working:

    Starting OS Components

       

    Since we are using Exchange 2007 on Windows Server 2008 R2 SP1, we will not be prompted to download and install additional hotfixes. So let’s focus on installing Exchange!  

    Slapping in the CD, and the splash screen launches. 

    Exchange 2007 Install Splash Screen

    The familiar Exchange 2007 introduction screen appears, and after reading it fully we move on to the next screen:

    Exchange 2007 SP3 Install

    And we choose the typical installation type.  There is a reason for not splitting the roles, and we shall get to that at the end of the post!   Then we click Next.

    Exchange 2007 SP3 Typical Install Selected

    As expected since this is a base OS, the Exchange readiness check fails as we are missing IIS and other OS bits.

    Exchange 2007 SP3 Typical Install Readiness Check Failed

    To install the missing OS bits, we can grab the pre-canned OS requirement commands from TechNet. Since we are installing a server with CAS, Mailbox and HUB these OS bits must be installed:

    ServerManagerCmd -i Web-Server

    ServerManagerCmd -i Web-ISAPI-Ext

    ServerManagerCmd -i Web-Metabase

    ServerManagerCmd -i Web-Lgcy-Mgmt-Console

    ServerManagerCmd -i Web-Basic-Auth

    ServerManagerCmd -i Web-Digest-Auth

    ServerManagerCmd -i Web-Windows-Auth

    ServerManagerCmd -i Web-Dyn-Compression

     

    If the server will support Outlook Anywhere clients, install the RPC over HTTP proxy feature by running the following command:

    ServerManagerCmd -i RPC-over-HTTP-proxy

    For ease we will typically use something like the below, which is a single line.  Please be aware that it does not wrap:

    ServerManagerCmd -i Web-Server, Web-ISAPI-Ext, Web-Metabase, Web-Lgcy-Mgmt-Console, Web-Basic-Auth, Web-Digest-Auth, Web-Windows-Auth, Web-Dyn-Compression, RPC-over-HTTP-proxy

    Since folks may copy the above to install a server, the command is complete and includes the RPC/HTTP proxy component.  However note that in the below example I have deliberately omitted the RPC/HTTP proxy Windows component, else our scenario will not play out!

    Installing Exchange 2007 SP3 OS Components - Less RPC/HTTP

    Groovy, so we have the OS bits installed, and after a swift reboot we can then go and resume our Exchange installation.  Again choosing the same options as before, the readiness check now passes.  Green ticky-ticky all around!

    Exchange 2007 SP3 Readiness Check Now Passes

    Note that the RPC/HTTP proxy component is not installed.  This can be verified by the Get-WindowsFeature output in the background. 

    Exchange 2007 SP3 Readiness Check Now Passes - Note In Background RPC/HTTP Is Not Present

    Once the Exchange installation completes, the server should be restarted and the latest RU installed.  At the time of writing this was Exchange 2007 SP3 RU13.

    As you saw, it is possible to install the Exchange 2007 CAS role without installing the RPC/HTTP proxy.  Let’s move on to enabling Outlook Anywhere on the server, and see what happens!

     

    Enabling Outlook Anywhere Sans RPC/HTTP

    Exchange 2007 will not check that the RPC/HTTP proxy component has been installed prior to enabling Outlook Anywhere. 

    Thus after Exchange 2007 is installed, we can enable Outlook Anywhere on this server, even without the RPC/HTTP component being installed:

    Enabling Outlook Anywhere Without RPC/HTTP OS Component Installed

     

    Impact of Enabling Outlook Anywhere Sans RPC/HTTPS

    In a nutshell, it is not good! 

    Exchange does not have a mechanism to convert the HTTPS traffic to RPC, so Outlook Anywhere will not work at all on this server. 

    If you are monitoring the event logs (as you should be), you will see that Exchange does detect that something is not right.  Exchange checks for the RPC/HTTP component, realises it is not present, and logs error 2003 stating that the RPC over HTTP component is not installed or is not configured correctly.

    EventID 2003 - Exchange Detected RPC Over HTTP Proxy Component Is Not Installed

    If you do open up Exchange Management Shell and look for the Outlook Anywhere settings, you will see that the Get-OutlookAnywhere cmdlet discovers that the /RPC virtual directory is not present, since the RPC/HTTP component is not installed.  For details on the checks (and the time taken) made to virtual directories when running cmdlets, please also see this post.

    Get-OutlookAnywhere Shows Missing RPC Virtual Directory

    Exchange 2013 CAS will also detect that something is amiss and write an error to its application event log.  This manifests itself as error 3005 from MSExchange Front End HTTP Proxy, stating which server it found an issue with.  There are a few variants of this, with errors ranging from 404 to other HTTP error codes depending upon the issue at hand.  In this case the error is a 404 since RPCProxy.dll is not present.

    EventID 3005 MSExchange Front End HTTP Proxy

    Note that the error string states that this is a Client Access 2010 server, but in fact this is an Exchange 2007 box.  Don't let that confuse you! 

    One other thing that you may notice for Exchange 2013’s proxy and redirection behaviour is the URL that is used to connect to legacy Exchange servers.  Exchange 2013 will build a URL to match the FQDN of the server in question.  I’ll save the details on that for a later post as it would add too much here.

    Exchange 2007 & 2010 Required IIS Permissions

    When configuring Exchange 2007 Outlook Anywhere or Exchange 2010 Outlook Anywhere using the Exchange Management Console there are options to enable either Basic or NTLM authentication.

    Enabling Outlook Anywhere Exchange 2007 Management Console

    The one originally chosen when deploying those servers depended upon your design which was in turn influenced by factors like client authentication requirements and NTLM support (or rather lack of) on any device that publishes Outlook Anywhere to the Internet. 

    If you configured Exchange 2007 Outlook Anywhere to use Basic auth, then you will see this in PowerShell: 

    Exchange 2007 Outlook Anywhere Basic Authentication Set

    Note that this is a separate server.  This one is imaginatively called E2K7-2.  If NTLM was used:

    Exchange 2007 Outlook Anywhere NTLM Authentication Set

    Note the two different authentication settings that are listed.  ClientAuthenticationMethod and IISAuthenticationMethods.   For the detail oriented people out there, you saw that one was plural and the other singular.

    When you configure OA for Basic auth, then the ClientAuthenticationMethod and IISAuthenticationMethods are both set to Basic.  The same is true for when OA is set to NTLM auth.  In that case ClientAuthenticationMethod and IISAuthenticationMethods are both set to use NTLM. 

    When co-existing Exchange 2007 and 2010 with Exchange 2013, we need to ensure that the correct authentication settings are in place.  There are two things that we need to pay attention to: authentication at the IIS layer and authentication at the client layer.  These are the IISAuthenticationMethods and ClientAuthenticationMethod properties respectively.

    As specified in the Exchange Server Deployment Assistant, to allow CAS 2013 to redirect Outlook Anywhere connections to Exchange 2010 and 2007, Outlook Anywhere must be enabled and properly configured on Exchange 2007 and 2010.  If Outlook Anywhere was previously deployed, then ensure that its configuration will support Exchange 2013.  The following permission considerations need to be addressed:

    • Client authentication, which is used to allow clients like Outlook 2013 to authenticate with Exchange, is properly configured.  The same consistent OA client authentication scheme should be deployed on legacy CAS and CAS 2013.
    • Internet Information Services (IIS) authentication, which is used to allow Exchange servers to communicate with each other, must include NTLM auth.

    As an example, to set Basic client auth on Exchange 2007 (the required permissions on Exchange 2007 and 2010 can be set using Set-OutlookAnywhere):

    Set-OutlookAnywhere -Identity 'ServerName\Rpc (Default Web Site)' -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName <Exchange2013HostName> -IISAuthenticationMethods NTLM, Basic

     

    Setting multiple permissions on the IISAuthenticationMethods is probably a bit of a change compared to how we were previously configuring Outlook Anywhere.  There have also been some interesting discussions on this topic in the past. 

    Permissions for Outlook Anywhere coexistence were also discussed by Greg Taylor, in a style that only Greg manages to get away with, at Tech Ready 2013 NA in session OUC-B313.   We should shoot who names these sessions…..   The video, PowerPoint and podcast for this and all the other available Exchange TechEd 2013 sessions are here.

    Without getting into the entire CAS namespace discussion, if you want all Outlook Anywhere traffic to flow via CAS 2013 a critical point is that the Exchange 2007 Outlook Anywhere external URL is set to the external hostname of the Exchange 2013 server.  This is discussed in great detail in this post on EHLO by Ross.
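    The three settings the last few paragraphs call out (NTLM present in IISAuthenticationMethods, a client authentication method consistent with CAS 2013, and an external hostname pointing at the Exchange 2013 namespace) are easy to drift on a fleet of legacy CAS, so here is an added example, not code from the original post, that reports them for each Outlook Anywhere configuration.  The server names E2K7-1 and E2K7-2, the hostnames legacy.contoso.com and mail.contoso.com, and the sample objects themselves are constructed so the check runs offline; the commented pipeline at the end shows how to feed it the real Get-OutlookAnywhere output.

```powershell
function Test-LegacyOutlookAnywhere {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-OutlookAnywhere output (pipe the real cmdlet in, or pass samples).
        [Parameter(Mandatory, ValueFromPipeline)] $OutlookAnywhere,
        # External hostname published on CAS 2013; mail.contoso.com below is a constructed value.
        [Parameter(Mandatory)] [string] $Exchange2013HostName,
        # Client authentication scheme deployed on CAS 2013; legacy servers must match it.
        [ValidateSet('Basic', 'Ntlm')] [string] $ExpectedClientAuth = 'Basic'
    )
    process {
        $Issues = @()

        # IIS layer: CAS 2013 authenticates to the legacy server with NTLM, so it must be listed.
        $IisMethods = @($OutlookAnywhere.IISAuthenticationMethods | ForEach-Object { "$_" })
        if ($IisMethods -notcontains 'Ntlm') {
            $Issues += 'IISAuthenticationMethods lacks NTLM'
        }

        # Client layer: the scheme must be the same one clients use against CAS 2013.
        $ClientAuth = "$($OutlookAnywhere.ClientAuthenticationMethod)"
        if ($ClientAuth -ne $ExpectedClientAuth) {
            $Issues += "ClientAuthenticationMethod is $ClientAuth, expected $ExpectedClientAuth"
        }

        # Namespace: external traffic should enter via the Exchange 2013 hostname.
        $External = "$($OutlookAnywhere.ExternalHostname)"
        if ($External -ne $Exchange2013HostName) {
            $Issues += "ExternalHostname is '$External', expected $Exchange2013HostName"
        }

        [pscustomobject]@{
            Server    = "$($OutlookAnywhere.Server)"
            Compliant = ($Issues.Count -eq 0)
            Issues    = ($Issues -join '; ')
        }
    }
}

# Constructed samples standing in for Get-OutlookAnywhere output on two Exchange 2007 servers.
$Samples = @(
    [pscustomobject]@{ Server = 'E2K7-1'; ClientAuthenticationMethod = 'Basic'; IISAuthenticationMethods = @('Basic');         ExternalHostname = 'legacy.contoso.com' }
    [pscustomobject]@{ Server = 'E2K7-2'; ClientAuthenticationMethod = 'Basic'; IISAuthenticationMethods = @('Basic', 'Ntlm'); ExternalHostname = 'mail.contoso.com' }
)

# E2K7-1 is reported non-compliant on two counts; E2K7-2 is compliant.
$Samples | Test-LegacyOutlookAnywhere -Exchange2013HostName 'mail.contoso.com' | Format-Table -AutoSize

# Against a live organisation, limited to the Exchange 2007 and 2010 CAS that CAS 2013 proxies to:
# Get-ExchangeServer |
#     Where-Object { $_.IsClientAccessServer -and $_.AdminDisplayVersion -match '^Version (8|14)\b' } |
#     ForEach-Object { Get-OutlookAnywhere -Server $_.Name } |
#     Test-LegacyOutlookAnywhere -Exchange2013HostName 'mail.contoso.com'
```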

     

    Disabling IPv6 On Exchange 2007

    Before you install Exchange 2013, you might need to disable IPv6 on some of your Exchange 2007 servers. Some connections between Exchange 2007 and Exchange 2013 don't work correctly when IPv6 is enabled and an Exchange 2007 server has both the Mailbox and Client Access server roles installed.

    If you have Exchange 2007 servers that have both the Mailbox and Client Access server roles installed, complete the following steps on each of those servers to disable IPv6:

    1. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
    2. If the DisabledComponents entry doesn’t exist, do the following to create it:
      1. In the Edit menu, click New, and then click DWORD (32-bit) Value.
      2. Type DisabledComponents and then press Enter.

    3. Double-click DisabledComponents.
    4. In the Value data field, enter 0xFF

    Note that the recommendation is not to use 0xFFFFFFFF nowadays, and 0xFF should be used instead.  Please see this post on disabling IPv6.

    Alternatively, if you want to automate this, you can use something like the following. 

    To Set The DisabledComponents Registry Key

    Reg.exe Add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /T REG_DWORD  /V DisabledComponents  /D "0xFF"

    To Check For The DisabledComponents Registry Key

    Reg.exe Query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /V DisabledComponents

    This issue is discussed in the Exchange Deployment Assistant and also in KB 2794253.
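    Before the Exchange 2013 install it is worth confirming the value on every server the text says is affected, rather than on the one you happen to be logged on to.  The following is an added example, not code from the original post: it selects the Exchange 2007 servers that hold both the Mailbox and Client Access roles with the same Get-ExchangeServer filter style used earlier on this site, reads DisabledComponents from each one's registry over the remote registry API, and compares it with the 0xFF recommended above.  It assumes an Exchange Management Shell with access to the Exchange 2007 servers and that the Remote Registry service is reachable on them.

```powershell
function Get-Exchange2007DualRoleIPv6State {
    [CmdletBinding()]
    param(
        # Servers to check; defaults to the Exchange 2007 servers holding both roles.
        [object[]] $Servers = (Get-ExchangeServer | Where-Object {
            $_.AdminDisplayVersion -match '^Version 8\b' -and
            $_.IsMailboxServer -and $_.IsClientAccessServer }),
        # 0xFF is the value the post recommends; 0xFFFFFFFF (-1 as a DWORD) is flagged as drift.
        [int] $ExpectedValue = 0xFF
    )

    foreach ($Server in $Servers) {
        $Name    = "$($Server.Name)"
        $Value   = $null
        $Problem = $null
        try {
            # Open HKLM on the remote machine and read the DWORD, if the key and value exist.
            $Hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Name)
            $Key  = $Hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters')
            if ($Key) {
                $Value = $Key.GetValue('DisabledComponents')
                $Key.Close()
            }
            $Hive.Close()
        } catch {
            $Problem = $_.Exception.Message
        }

        # Show the raw DWORD in hex so 0xFF and 0xFFFFFFFF are told apart at a glance.
        $Display = if ($null -ne $Value) { '0x{0:X}' -f $Value } else { $null }

        [pscustomobject]@{
            Server             = $Name
            DisabledComponents = $Display
            Compliant          = ($null -eq $Problem) -and ($Value -eq $ExpectedValue)
            Error              = $Problem
        }
    }
}

# Usage: list every affected Exchange 2007 server with its current value and a Compliant flag.
Get-Exchange2007DualRoleIPv6State | Format-Table -AutoSize
```

    A server with no DisabledComponents value shows an empty column and Compliant = False, which is the state the Reg.exe Add command above is there to fix.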

     

    Cheers,

    Rhoderick

  • Exchange 2010 Tip Of The Day – 76 To 101

    For the final gripping chapter, here are tips #76 to 101 for your PowerShell pleasure!

    For the related articles in this series please see:

    Tips 1 – 25

    Tips 26 - 50

    Tips 51 – 75

    Tip of the day #76:

    Exchange 2010 uses management role groups and management role assignment policies to manage permissions.
    Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
    Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

    Tip of the day #77:

    Management role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
    If you want to manage permissions for end users, use management role assignment policies.

    Tip of the day #78:

    Management role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voicemail, and more.
    If you want to manage permissions for administrators and specialist users, use management role groups.

    Tip of the day #79:

    Management role assignments determine what management roles are associated with management role groups and management role assignment policies. Role assignments also control what objects users who are members of role groups or assignment policies can modify using the cmdlets available on the associated management roles.

    Tip of the day #80:

    The Get-RoleGroupMember cmdlet lists all the members on a management role group. But if you want to get more details about the members of the role group, use the Get-ManagementRoleAssignment cmdlet. The Get-ManagementRoleAssignment cmdlet enables you to view the members of universal security groups that are members of role groups, view the management scope that applies, and more.
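    Tips #76 to #80 describe role groups, assignment policies and the role assignments that bind them; the question a least-privilege review actually asks is "which roles does this one person end up with, through what, and bounded by which scopes?".  The following is an added example, not one of the original tips, that answers it with the Get-ManagementRoleAssignment -GetEffectiveUsers switch mentioned in tip #80.  The user name 'Jane Smith' is a constructed placeholder; the function matches on the EffectiveUserName property, so supply the name exactly as Exchange displays it.

```powershell
function Get-EffectiveRoleReport {
    [CmdletBinding()]
    param(
        # Name as shown in the EffectiveUserName column of Get-ManagementRoleAssignment -GetEffectiveUsers.
        [Parameter(Mandatory)] [string] $User
    )

    # -GetEffectiveUsers expands role groups, nested USGs and assignment policies down to the
    # individual users, so one row comes back per (role, assignee) pair the user inherits.
    Get-ManagementRoleAssignment -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $User -and $_.Enabled } |
        Select-Object Role,
                      RoleAssigneeName,
                      RoleAssigneeType,
                      RecipientWriteScope,
                      CustomRecipientWriteScope,
                      ConfigWriteScope |
        Sort-Object Role, RoleAssigneeName
}

# Full picture for one person, one line per role and the group or policy it arrives through.
Get-EffectiveRoleReport -User 'Jane Smith' | Format-Table -AutoSize

# Only the assignments whose recipient write scope is the whole organisation, which are the
# ones worth a second look when the person's job only covers part of it.
Get-EffectiveRoleReport -User 'Jane Smith' |
    Where-Object { "$($_.RecipientWriteScope)" -eq 'Organization' } |
    Format-Table Role, RoleAssigneeName -AutoSize
```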

    Tip of the day #81:

    Do you need to store a value in a variable in a script and make sure it never changes? If so, make the variable a constant using the New-Variable cmdlet. Constants can be set once and don't allow their values to be changed. For example, the following creates the $IPAddress constant with the value 10.0.0.2.

    New-Variable -Option Constant -Name IPAddress -Value "10.0.0.2"

    Tip of the day #82:

    To get a list of all parameters available for a cmdlet, type:

    (Get-Command <Cmdlet Name>).Parameters | ft key

    For example, to get all parameters for the New-TransportRule cmdlet, type:

    (Get-Command New-TransportRule).Parameters | ft key

    Tip of the day #83:

    Did you know that you need to use the AssembleMessage script when exporting messages from a queue? For example, if you want to export the message with message ID 1234 from the contoso.com queue on server Hub1, you need to run the following command:

    Export-Message -Identity Hub1\contoso.com\1234 | AssembleMessage -Path C:\ExportedMessages\Message1234.eml

    Tip of the day #84:

    When you are creating a new Edge subscription, you need to run the New-EdgeSubscription cmdlet first on your Edge Transport server, and then on an administrator console that is connected to your internal Exchange organization. However, because Exchange 2010 uses remote Windows PowerShell, you can no longer use the Path parameter when importing an Edge subscription file. Instead you need to use the Get-Content cmdlet to first retrieve and encode the data, and then pass it to the New-EdgeSubscription cmdlet, like so:

    New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0) ) -Site "Default-First-Site"

    Tip of the day #85:

    Wondering how many log files are generated per server every minute? Quickly find out by typing:

    Get-MailboxDatabase -Server $env:ComputerName |
        ?{ $_.DatabaseCopies | ?{ $_.ReplayLagTime -ne [TimeSpan]::Zero -and $_.HostServerName -eq $env:ComputerName } } |
        %{
            $count = 0; $MinT = [DateTime]::MaxValue; $MaxT = [DateTime]::MinValue
            Get-ChildItem -Path $_.LogFolderPath -Filter "*????.log" | %{
                $count = $count + 1
                if ($_.LastWriteTime -gt $MaxT) { $MaxT = $_.LastWriteTime }
                if ($_.LastWriteTime -lt $MinT) { $MinT = $_.LastWriteTime }
            }
            ($count / ($MaxT.Subtract($MinT)).TotalMinutes)
        } | Measure-Object -Min -Max -Ave

    Tip of the day #86:

    Wondering how many log files are generated per database every minute? Quickly find out by typing:

    Get-MailboxDatabase -Server $env:ComputerName | %{ Get-ChildItem -Path $_.LogFolderPath -Filter "*????.log" | Group-Object -Property {$_.LastWriteTime.Day,$_.LastWriteTime.Hour,$_.LastWriteTime.minute} | ?{$_.Count -gt 1} | Measure-Object -Property Count -Min -Max -Ave }

    Tip of the day #87:

    Get quick health and status information for your mailbox database copies by typing:

    Get-DatabaseAvailabilityGroup DAG1 | %{ $_.Servers | %{ Get-MailboxDatabaseCopyStatus -Server $_ } }

    Tip of the day #88:

    Did you know that you can share your calendar and contacts folders with other federated Exchange 2010 organizations by first creating a federation trust with the Microsoft Federation Gateway with a valid digital certificate? Just use the New-FederationTrust cmdlet and the certificate thumbprint to get started. Type:

    New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint <certificate thumbprint>

    Finish by setting up an organization relationship with another federated Exchange organization to share limited calendar  free/busy information. Type:

    Get-FederationInformation -DomainName <other domain name> | New-OrganizationRelationship -Name "<name of relationship>" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

    Tip of the day #89:

    Need to quickly get a list of your Exchange certificates and their thumbprints? Just use the Get-ExchangeCertificate cmdlet. Type:

    Get-ExchangeCertificate | fl

    Want to filter the list and include just the self-signed certificates? No problem! Type:

    Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $true} | fl

    Tip of the day #90:

    Not sure your Federation Trust with the Microsoft Federation Gateway is working correctly? To test if a security token can be retrieved, just type:

    Test-FederationTrust

    Tip of the day #91:

    Need a report on the status of each Exchange certificate installed on all Hub Transport and Client Access servers? Try this:

    Test-FederationTrustCertificate

    Tip of the day #92:

    Need to verify that an organization relationship is correctly configured and functioning as expected for a user in an external Exchange organization? Just type:

    Test-OrganizationRelationship -UserIdentity <user email address> -Identity <external domain> -Confirm

    Tip of the day #93:

    Use this command to get all active mailbox move requests on a mailbox server:

    $(Get-MailboxDatabaseCopyStatus -Server MBX | ?{ $_.status -eq "Mounted" }) | %{ Get-MoveRequest -TargetDatabase $_.DatabaseName } | ?{ $_.Status -ne "Completed" -and $_.Status -ne "CompletedWithWarning" }

    Tip of the day #94:

    Use this command to find all non-completed move requests and group them by target database:

    Get-MoveRequest | ?{ $_.Status -ne "Completed" -and $_.Status -ne "CompletedWithWarning" } | group targetdatabase | sort Count -Descending

    Tip of the day #95:

    Use this command to find failure messages for all failed moves:

    Get-MoveRequest -MoveStatus Failed | Get-MoveRequestStatistics | ft Alias, percentcomplete, message -auto

    Tip of the day #96:

    Use these commands to get a snapshot of the move throughput for completed moves.

    $stats = Get-MoveRequest -MoveStatus Completed | Get-MoveRequestStatistics
    $stats | sort totalmailboxsize | ft Alias,{$_.totalmailboxsize.ToMB()},totalinprogressduration -auto

    Tip of the day #97:

    Use this command to view the last move report for a mailbox:

    (Get-MailboxStatistics aylakol -IncludeMoveReport).MoveHistory[0] | fl

    Tip of the day #98:

    Use this command to view how many move requests are in the queue to be moved:

    (Get-MoveRequest -MoveStatus Queued).count

    Tip of the day #99:

    Use this command to find all mailbox move requests for mailboxes on the active mailbox database copies that are hosted on the specified mailbox server. This command returns the display name, status of the move request, and the database to which the mailbox is being moved.

    $(Get-MailboxDatabaseCopyStatus -Server MBX01 | ?{ $_.status -eq "Mounted" }) | %{ Get-MoveRequest -TargetDatabase $_.DatabaseName }

    Tip of the day #100:

    Did you know that you can allow users in your Exchange organization to publish their calendars to the Internet so that anyone can view their free/busy availability? Just configure a few settings to get started. To enable an Outlook Web App Virtual Directory and allow calendar publishing, type:

    Set-OWAVirtualDirectory -Identity <Client Access server> -ExternalURL <External URL for Client Access server> -CalendarPublishingEnabled $true

    To set the web proxy for the Mailbox server, type:

    Set-ExchangeServer -Identity "<Mailbox server>" -InternalWebProxy <webproxy URL>

    Finish by setting up a sharing policy for the "Anonymous" Internet domain and assign the sharing policy to a user mailbox. First type:

    New-SharingPolicy -Name "<policy name>" -Domains 'Anonymous: CalendarSharingFreeBusySimple' -Enabled $True

    Then type:

    Get-Mailbox -Identity <user alias> | Set-Mailbox -SharingPolicy "<policy name>"

    Tip of the day #101:

    Need to see a list of the URLs for a user's calendar that has been published for Internet access? Just type:

    Get-MailboxCalendarFolder -Identity <user alias>:\calendar | fl

    Cheers,

    Rhoderick

  • Exchange 2010 Tip Of The Day – 51 To 75

    Here are the Exchange 2010 tips of the day from number 51 to 75.

    For the related articles in this series please see:

    Tips 1 - 25

    Tips 26 – 50

    Tips 76 - 101

    Tip of the day #51:

    Want to determine whether a server is running Exchange Server 2010 Standard Edition or Exchange Server 2010 Enterprise Edition? Type:

    Get-ExchangeServer <Server Name> | Format-Table Name, Edition

    If you want to view which edition all your Exchange servers are running, omit the <Server Name> parameter.

    Tip of the day #52:

    Want to create a new resource mailbox that can be used to book a meeting room? Type:

    New-Mailbox -Name <Conference Room Name> -UserPrincipalName <SMTP Address> -OrganizationalUnit <Organizational Unit> -Room

    This command creates a disabled Active Directory user who has a mailbox that accepts meeting requests from users.

    Tip of the day #53:

    Want to control the properties of e-mail messages sent to a specific domain? Use the RemoteDomain cmdlets. Create a new remote domain by using the New-RemoteDomain cmdlet. Type:

    New-RemoteDomain -Name "Contoso.com Configuration" -DomainName contoso.com

    Then modify the properties that you want for this remote domain by using the Set-RemoteDomain cmdlet:

    Set-RemoteDomain "Contoso.com Configuration" -AutoReplyEnabled $True -AutoForwardEnabled $True

    Tip of the day #54:

    You can control which features are available to Outlook Web Access users by using the Set-OwaVirtualDirectory cmdlet. Type:

    Set-OwaVirtualDirectory "OWA (Default Web Site)" -ContactsEnabled $True -ChangePasswordEnabled $True

    Tip of the day #55:

    Booleans are parameters that can be evaluated as either $True or $False. Booleans are typically used as a flag on an object that modifies the behavior of that object. In the Exchange Management Shell, you must supply a Boolean parameter with either a $True, $False, 1, or 0. No other values are accepted, including True or False. For example, both of the following commands set the enabled state of the ExampleAssignment management role assignment to $True:

    Set-ManagementRoleAssignment ExampleAssignment -Enabled $True
    Set-ManagementRoleAssignment ExampleAssignment -Enabled 1

    Tip of the day #56:

    Want an easy way to apply deleted item retention limits across multiple databases and servers? Try the following command to configure deleted item retention across all databases on a specified server:

    Get-MailboxDatabase -Server <Server Name> | Set-MailboxDatabase -DeletedItemRetention 45.00:00:00

    You can also apply the same deleted item retention limits or mailbox retention limits across all servers in your organization:

    Get-MailboxDatabase | Set-MailboxDatabase -DeletedItemRetention 45.00:00:00 -MailboxRetention 120.00:00:00

    Tip of the day #57:

    Want to know what permissions an Active Directory user account has on a specific mailbox? Use:

    Get-Mailbox <Mailbox to Check> | Get-MailboxPermission -User <Active Directory User>

    Tip of the day #58:

    Want to know which mailboxes a specific Active Directory user has permissions to? Type:

    $Mailboxes = Get-Mailbox -ResultSize Unlimited
    $Mailboxes | Get-MailboxPermission -User <Active Directory User> | Format-Table Identity, AccessRights, Deny

    Caution: This command enumerates all the mailboxes in your organization. If you have lots of mailboxes, you may want to target specific mailboxes.
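
    Going one step beyond tips #57 and #58, the following is an added example (not code from the original post) that turns the same cmdlets into a permissions review: it lists every explicit, non-inherited Full Access grant in the organization, dropping each owner's own NT AUTHORITY\SELF entry and orphaned SIDs so that only "someone else can open this mailbox" grants remain. It assumes an Exchange 2010 Management Shell session; the report path is an assumed value.

```powershell
# Added example, not code from the original post: audit explicit Full Access
# grants across all mailboxes. Assumes an Exchange 2010 Management Shell
# session; the report path below is an assumed value.

$ReportPath = "C:\Temp\FullAccessAudit.csv"   # assumed output location

# Enumerate every mailbox once. As the tip warns, this is expensive in a large
# organization; narrow it with -OrganizationalUnit or -Filter where you can.
$Mailboxes = Get-Mailbox -ResultSize Unlimited

$Grants = $Mailboxes | Get-MailboxPermission | Where-Object {
    ($_.AccessRights -like "*FullAccess*") -and   # Full Access only
    (-not $_.IsInherited) -and                     # skip ACEs inherited from the database/OU
    ($_.User -notlike "NT AUTHORITY\SELF") -and    # the owner's own entry
    ($_.User -notlike "S-1-5-21-*")                # orphaned SIDs of deleted accounts
}

# Shape the output so it is easy to review, or to diff against a previous run
$Report = $Grants | Select-Object @{Name = "Mailbox"; Expression = { $_.Identity }},
                                  @{Name = "Grantee"; Expression = { $_.User }},
                                  @{Name = "Deny";    Expression = { $_.Deny }}

$Report | Sort-Object Grantee, Mailbox | Format-Table -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

    Keep the exported CSV from each run; comparing two runs is the quickest way to spot a Full Access grant that appeared without a change record. Entries with Deny set to True are worth reading too, since a Deny ACE that shadows an inherited Allow is easy to miss when reviewing by hand.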

    Tip of the day #59:

    Want to get a list of the backup status of all mailbox databases in your organization? Type:

    Get-MailboxDatabase -Status | Format-Table Name, Server, *Backup*

    How about just the mailbox databases on a specific server? Type:

    $Databases = Get-MailboxDatabase -Server <Server Name> -Status
    $Databases | Format-Table Name, *Backup*

    Tip of the day #60:

    To retrieve the current status of an Exchange server or database, use the Status parameter. For example:

    Get-ExchangeServer -Status | Format-List
    Get-MailboxDatabase -Server <Server Name> -Status | Format-List

    Tip of the day #61:

    Want to view the mounted status of all mailbox databases? Type:

    Get-MailboxDatabase -Status | Format-Table Name, Server, Mounted

    Tip of the day #62:

    What's the difference between server-side filtering and client-side filtering? Server-side filtering is used with the recipient and queue cmdlets, which support the Filter parameter, because these cmdlets can return large result sets. The server filters the results by using the criteria you specify and then sends you the filtered results. Client-side filtering can be used with any cmdlet. The entire result set is sent to the client computer, which then filters the data and provides a filtered result set. Client-side filtering uses the Where-Object cmdlet, which can be shortened to Where.

    Tip of the day #63:

    With Exchange Server 2010 Unified Messaging, you can redirect unauthenticated callers to certain telephone extensions to an operator instead of to the extension that was dialed. To list users for whom Unified Messaging transfers unauthenticated callers to the operator, instead of to the user, type:

    $Mailboxes = Get-UMMailbox
    $Mailboxes | Where-Object { $_.AllowUMCallsFromNonUsers -eq `
      [Microsoft.Exchange.Data.Directory.Recipient.AllowUMCallsFromNonUsersFlags] "None" }

    Tip of the day #64:

    You can use client-side filtering to return only the data that you want to see or work with. The following example retrieves all Active Directory user accounts in the Engineering department and puts the results in a table with two columns, Name and Department. By using the ResultSize parameter, the Get-User cmdlet limits the result set to 2,000 users.

    $Users = Get-User -ResultSize 2000
    $Users | Where { $_.Department -Eq "Engineering" } | Format-Table Name, Department
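
    To make the server-side versus client-side distinction from tip #62 concrete, here is an added example (not code from the original post) that runs the Engineering query above both ways and times each. It assumes an Exchange 2010 Management Shell session; the department name is a constructed sample value.

```powershell
# Added example, not code from the original post: the same query with a
# server-side -Filter (tip #62) and with client-side Where filtering (tip #64).
# Assumes an Exchange 2010 Management Shell session; "Engineering" is a
# constructed sample value.

$Department = "Engineering"

# Server-side: the OPATH expression in -Filter is evaluated by the server, so
# only matching recipients cross the wire. Note the single quotes around the value.
$ServerSide = Measure-Command {
    $Script:BySrv = Get-User -Filter "Department -eq '$Department'" -ResultSize Unlimited
}

# Client-side: every user object is returned first, then filtered locally.
$ClientSide = Measure-Command {
    $Script:ByCli = Get-User -ResultSize Unlimited |
        Where-Object { $_.Department -eq $Department }
}

# @() guards against a single result having no Count property in PowerShell 2.0
"Server-side filter: {0} users in {1:N2} s" -f @($BySrv).Count, $ServerSide.TotalSeconds
"Client-side filter: {0} users in {1:N2} s" -f @($ByCli).Count, $ClientSide.TotalSeconds

# Both result sets should match; a difference usually points to a mistake in
# the OPATH expression rather than in the data.
$BySrv | Format-Table Name, Department
```

    The counts should be identical; the timings will not be, and the gap grows with the size of the directory, which is why the recipient cmdlets expose -Filter in the first place.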

    Tip of the day #65:

    The special variable $_ represents the objects being passed from one cmdlet to another cmdlet in the pipeline. The $_ variable is automatically initiated by the Shell and is bound to the current pipeline object. You can access the properties of the object assigned to the $_ variable as you would any other object. The following example shows how you can view the Name property of each mailbox object that is passed through the pipeline:

    Get-Mailbox | ForEach { $_.Name }

    Tip of the day #66:

    You can import CSV files and treat them as objects by using the Import-Csv cmdlet. Each row in a CSV file becomes an element in an array, and each column becomes a property. You can assign the CSV file to a variable, or you can pipe its contents directly to another cmdlet. In the following example, there are three columns in the CSV file, Name, Alias, and EmailAddress, with several rows that the ForEach cmdlet will cycle through. The data in each row is used to create a new mail contact.

    $CSV = Import-Csv <path to CSV file>
    $CSV | ForEach { New-MailContact -Name $_.Name -Alias $_.Alias -ExternalEmailAddress $_.EmailAddress -OrganizationalUnit Users }

    Tip of the day #67:

    Want to customize your Exchange Management Shell profile? Run the following command to determine the location of your Microsoft.PowerShell_profile.ps1 file:

    $Profile

    You may have to create the PSConfiguration folder and Microsoft.PowerShell_profile.ps1 file. After you've done that, you can add your favorite functions and aliases, which will be loaded every time that the Exchange Management Shell is opened.

    Tip of the day #68:

    Want to see everything that occurs when you run a command? Include the Verbose parameter with the command. This parameter instructs the Exchange Management Shell to display detailed information about each action that the server takes to complete the command. This information can be useful in troubleshooting.

    Tip of the day #69:

    Any cmdlet that accepts a size value lets you specify whether the integer value is in kilobytes (KB), megabytes (MB), gigabytes (GB), or terabytes (TB). For example:

    Set-Mailbox "Kim Akers" -ProhibitSendQuota 200MB -UseDatabaseQuotaDefaults $False

    Tip of the day #70:

    Want to create a new role group for your administrators? Use the New-RoleGroup cmdlet. The New-RoleGroup cmdlet lets you add management roles and specify the members to add to the new role group. Those members will be granted the permissions provided by the management roles. Type:

    New-RoleGroup <role group name> -Roles <role 1>, <role 2>, <role 3...> -Members <member 1>, <member 2>, <member3...>

    Remember, role groups are used to grant permissions to groups of administrators or specialist end users who require special permissions. If you want to manage permissions for end users, use management role assignment policies.

    Tip of the day #71:

    Do you want to create a new management role assignment policy that's based on an existing policy, but you don't want to include all of the management roles? Use the Get-ManagementRoleAssignment cmdlet and pipe the results to the Where cmdlet. The Where cmdlet excludes any role assignments that contain the roles you specify. The remaining role assignments are piped to the New-ManagementRoleAssignment cmdlet. Type:

    New-RoleAssignmentPolicy <new role assignment policy name>
    Get-ManagementRoleAssignment -RoleAssignee <old role assignment policy name> | Where { ($_.Role -NE "<role name 1>") -And ($_.Role -NE "<role name 2>") } | New-ManagementRoleAssignment -Policy <new role assignment policy name>

    Then you can apply the new policy to a mailbox using the Set-Mailbox cmdlet:

    Set-Mailbox <mailbox name> -RoleAssignmentPolicy <new role assignment policy name>

    Tip of the day #72:

    Do you want to remove a management role from a role group, role assignment policy, USG or user but don't know the name of the management role assignment? Just find the role assignment with the Get-ManagementRoleAssignment cmdlet and pipe the results to the Remove-ManagementRoleAssignment cmdlet. Type:

    Get-ManagementRoleAssignment -RoleAssignee <role assignee name> -Role <role name> | Remove-ManagementRoleAssignment

    Tip of the day #73:

    Exchange 2010 uses management role groups and management role assignment policies to manage permissions.  Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.  Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.
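
    Since role groups can nest universal security groups, listing a role group's direct members does not tell you who can really exercise a role. The following added example (not code from the original post) uses the -GetEffectiveUsers switch of Get-ManagementRoleAssignment to expand every assignment of the built-in Mailbox Search role down to individual users, which is what a least-privilege review needs. It assumes an Exchange 2010 Management Shell session; the role and role group names are the built-in ones.

```powershell
# Added example, not code from the original post: list every user who can
# effectively run mailbox searches. Assumes an Exchange 2010 Management Shell
# session; "Mailbox Search" and "Discovery Management" are the built-in names.

$Role = "Mailbox Search"

# -GetEffectiveUsers expands role groups (including nested USGs) to the
# individual users who hold the assignment; without it each assignment is
# reported once as "All Group Members" and nesting is invisible.
$Effective = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers -Enabled $true |
    Where-Object { $_.EffectiveUserName -ne "All Group Members" } |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType,
                  RecipientWriteScope, CustomRecipientWriteScope

$Effective | Sort-Object EffectiveUserName | Format-Table -AutoSize

# For comparison, the direct members of the built-in role group that carries
# this role by default; any name in $Effective but not here came via nesting
# or via a separate assignment and deserves a closer look.
Get-RoleGroupMember "Discovery Management" | Format-Table Name, RecipientType
```

    The scope columns matter as much as the names: an assignment with an organization-wide recipient write scope is a different risk from one limited to a custom scope, even when the role is the same.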

    Tip of the day #74:

    Exchange 2010 uses management role groups and management role assignment policies to manage permissions.
    Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
    Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

    Tip of the day #75:

    Exchange 2010 uses management role groups and management role assignment policies to manage permissions.
    Role groups enable you to grant permissions to groups of administrators and specialist end users. These are people who manage your organization or perform special tasks, like mailbox searches for compliance reasons.
    Role assignment policies enable you to grant permissions to your end users. These permissions include whether users can manage their own distribution groups, edit their own profile information, access voice mail, and more.

  • Exchange 2010 SP3 RU5 Released

    The Exchange team today announced the availability of Update Rollup 5 for Exchange Server 2010 Service Pack 3. RU5 is the latest rollup of customer fixes available for Exchange Server 2010. The release contains fixes for customer reported issues and previously released security bulletins.

    The astute reader will note that I did not post about the release of Exchange 2010 SP3 RU4 since that was a security release and contained only the security update in addition to SP3 RU3.

    Update 17-3-2014: Please also see KB 2925273, Folder views are not updated when you arrange by categories in Outlook after you apply Exchange Server 2010 Service Pack 3 Update Rollup 3 or Update Rollup 4.

    Update 28-5-2014: The issue described in KB 2925273 is now corrected in Exchange 2010 SP3 RU6.

    Exchange 2010 SP3 RU5 is not considered a security release, as it contains no previously unreleased security bulletin, but it does contain all previous fixes. Exchange 2010 SP3 RU4 did include a security fix, which is present in RU5.

    This is build 14.03.0181.006 of Exchange 2010, and KB2917508 has the full details for the release.

    Updates Of Particular Note

    2913413 RPC Client Access service crashes with an exception in Exchange Server 2010

    2919513 Memory leak or memory corruption occurs in Exchange Server 2010

    2892257 Email items are lost when you move items between shared folders by using EWS delegate access

    Issues Resolved

    • 2887459 Public folder expiry time is set incorrectly in Exchange Server 2010 SP3
    • 2892257 Email items are lost when you move items between shared folders by using EWS delegate access
    • 2897935 "Cannot save the object '\FolderName'" error message when you try to replicate Exchange Server 2010 public folders
    • 2898908 EdgeTransport.exe crashes if the From field is empty in an email message
    • 2903831 Only a single character is allowed in the disclaimer content in ECP
    • 2904459 RPC Client Access service crashes if you add "Signed By" or "Send From" column in Outlook online mode
    • 2913413 RPC Client Access service crashes with an exception in Exchange Server 2010
    • 2913999 Meeting request body and instructions are lost in delegate's auto-forwarded meeting request
    • 2916836 EdgeTransport.exe crashes when a transport rule sends a rejection message to an empty address
    • 2919513 Memory leak or memory corruption occurs in Exchange Server 2010
    • 2924971 RPC Client Access service stops when you select an inactive search folder in Outlook 2007 in an Exchange Server 2010 SP3 environment
    • 2926057 EdgeTransport.exe crashes if seek operation failed in Exchange Server 2010
    • 2927856 Incorrect recurring meeting if disclaimer transport rule is enabled in Exchange Server 2010

    Important Notes

    Now, before we rush off to download and install this there are a couple of items to mention!

    • Test the update in your lab before installing in production.  If in doubt test…
    • If the Exchange server does not have Internet connectivity, this introduces a significant delay in building the native images for the .NET assemblies, because the server is unable to reach http://crl.microsoft.com to check certificate revocation. To resolve this issue, follow these steps:
      1. On the Tools menu in Windows Internet Explorer, click Internet Options, and then click the Advanced tab.
      2. In the Security section, click to clear the Check for publisher's certificate revocation check box, and then click OK.
      We recommend that you clear this security option in Internet Explorer only if the computer is in a tightly controlled environment. When setup is complete, click to select the Check for publisher's certificate revocation check box again.
    • Update Internet facing CAS servers first
    • Back up any OWA customisations, as they will be removed
    • Test (yes technically this is in here for a second time but it is important!)

    Cheers,

    Rhoderick

  • Exchange 2013 SP1 Released

    Exchange 2013 SP1 has now been released to the Microsoft Download Center.

    The build number for Exchange Server 2013 SP1 is 15.00.0847.032

    Update 5-3-2014: If you are using custom transport agents, please see Third-party transport agents cannot be loaded correctly in Exchange Server 2013. The script you need to remediate the issue is linked from that KB, and is available directly from the Download Center.

    Update 14-4-2014: As discussed in the post "Patching Exchange? Don't Overlook Outlook", make sure to keep Outlook updated. See KB 2863911, Outlook 2013 profile might not update after mailbox is moved to Exchange 2013.

    Update 14-4-2014: Please see KB 2958434 if you are deleting Exchange 2013 databases: Users cannot access mailboxes in OWA or EAS when mailbox database is removed.

    As always please read the release notes!  Exchange 2013 SP1 contains schema changes and you will need to go through testing and validation to ensure a smooth rollout!

    As noted at the bottom of the Exchange Team post, the next Exchange 2013 update will be CU5. Thus we could call this CU4, but Service Packs mark an important milestone for support lifecycle events, so do think of this as a Service Pack!

    You can download Exchange 2013 SP1 from here.

    Updates Of Particular Note

    Scroll down below for details on each of these features!

    • Windows Server 2012 R2 support for Exchange Server installation
    • Windows Server 2012 R2 Domain Function Level and Forest Function Level
    • Return Of the Mac Edge Transport
    • AD FS claims-based authentication with Outlook Web App and ECP
    • Hybrid deployments with multiple Active Directory forests
    • Database Availability Group without an Administrative Access Point

    Issues Resolved

    KB 2926248 contains the description for Exchange 2013 SP1.

    • 2860242 HTML format is lost after saving as an MSG file in Exchange 2013
    • 2900076 Mailbox quota warning message uses an incorrect language in Exchange Server 2013
    • 2910199 "Reply all by IM" chat window displays seven recipients in Outlook Web App
    • 2913999 Meeting request body and instructions are lost in delegate's auto-forwarded meeting request
    • 2918655 Microsoft.Exchange.Servicehost.exe crashes after you enable FIPS
    • 2918951 Users cannot access public folders after you upgrade to Exchange Server 2013 Cumulative Update 3
    • 2925281 Outlook connectivity issue if SSLOffloading is "True" in Exchange 2013
    • 2925544 Empty ExternalURL value for ActiveSync virtual directory after build-to-build upgrade of Exchange Server 2013
    • 2927708 Resource mailboxes that are created by EAC will not be updated by policies in Exchange Server 2013
    • 2928748 Default from delegate's address in shared mailboxes in Exchange Server 2013
    • 2928803 Long server connection for Outlook after a database failover in Exchange Server 2013
    • 2930346 POP3 access does not work if the name of the resource mailbox differs from the user's name
    • 2930348 Manual redirection occurs in Outlook Web App if External URLs in each site are the same
    • 2930352 Outlook Web App cross-site silent redirection does not work in Exchange Server 2013

    Detailed Update Descriptions

    Windows Server 2012 R2 support

    Windows Server 2012 R2 is now a supported operating system in Exchange 2013 SP1. Exchange 2013 SP1 also supports installation in Active Directory environments running Windows Server 2012 R2. For more information, see Exchange 2013 System Requirements.

    Edge Transport

    Edge Transport servers minimize attack surface by handling all Internet-facing mail flow, which provides SMTP relay and smart host services for your Exchange organization, including connection filtering, attachment filtering and address rewriting. For more information, see Edge Transport Servers.

    OWA Junk Email Reporting

    OWA customers can report missed spam in the inbox (false negative) and misclassified as spam (false positive) messages to Microsoft for analysis by using its built-in junk email reporting options. Depending on the results of the analysis, we can then adjust the anti-spam filter rules for our Exchange Online Protection (EOP) service. For more information, see Junk Email Reporting in OWA.

    S/MIME for Message Signing and Encryption

    Microsoft Exchange Online and Exchange 2013 SP1 now support S/MIME-based message security. Secure/Multipurpose Internet Mail Extensions (S/MIME) allows people with Office 365 mailboxes to help protect sensitive information by sending signed and encrypted email within their organization. Administrators can enable S/MIME for Office 365 mailboxes by synchronizing user certificates between Office 365 and their on-premises server and then configuring Outlook Online to support S/MIME. For more information, see S/MIME for Message Signing and Encryption and the Get-SmimeConfig cmdlet reference.

    DLP Policy Tips available in the desktop and mobile version of Outlook Web App

    Data loss prevention (DLP) Policy Tips are informative notices that are displayed to senders in Outlook when they try sending sensitive information. In Exchange 2013 SP1, this functionality has been extended to both the desktop version of Outlook Web App and the mobile version (named OWA for Devices). You’ll see it in action if you have an existing DLP policy with Policy Tips turned on for Outlook. If your policy already includes Policy Tips for Outlook, you don't need to set up anything else. Go ahead and try it out!

    Not currently using Policy Tips? To get started, Create a DLP Policy From a Template, then add a policy tip by editing the policy and adding a Notify the sender with a Policy Tip action.

    DLP Classification based on Document Fingerprints

    Deep content analysis is a cornerstone of DLP in Exchange. Document Fingerprinting expands this capability to enable you to identify standard forms used in your organization, which may contain sensitive information. For example, you can create a fingerprint based off a blank employee information form, and then detect all employee information forms with sensitive content filled in.

    DLP sensitive information types for new regions

    SP1 provides an expanded set of standard DLP sensitive information types covering an increased set of regions, which makes it easier to start using the DLP features. SP1 adds region support for Poland, Finland and Taiwan. To learn more about the new DLP sensitive information types, see Sensitive Information Types Inventory.

    Using AD FS claims-based authentication with Outlook Web App and ECP

    Deploying and configuring Active Directory Federation Services (AD FS) using claims means multifactor authentication can be used with Exchange 2013 SP1 including supporting smartcard and certificate-based authentication in Outlook Web App. In a nutshell, to implement AD FS to support multifactor authentication:

    • Install and configure Windows Server 2012 R2 AD FS (this is the most current version of AD FS and contains additional support for multifactor authentication). To learn more about setting up AD FS, see Active Directory Federation Services (AD FS) Overview

    • Create relying party trusts and the required AD FS claims.

    • Publish Outlook Web App through Web Application Proxy (WAP) on Windows Server 2012 R2.

    • Configure Exchange 2013 to use AD FS authentication.

    • Configure the Outlook Web App virtual directory to use only AD FS authentication. All other methods of authentication should be disabled.

    • Restart Internet Information Services on each Client Access server to load the configuration.

    For details, see Using AD FS claims-based authentication with Outlook Web App and EAC
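
    The Exchange-side steps in that list (configure Exchange to trust AD FS, switch OWA and ECP to AD FS only, restart IIS) map onto a handful of cmdlets. The following is an added example, not code from the original post or from Microsoft's documentation, written for an Exchange 2013 SP1 Management Shell on one Client Access server. The AD FS host name, the audience URIs and the certificate thumbprint are placeholders for your own values; the thumbprint must be that of the AD FS token-signing certificate, not the Exchange server's own certificate.

```powershell
# Added example, not code from the original post: the Exchange side of the
# AD FS claims-based authentication steps. Assumes an Exchange 2013 SP1
# Management Shell on a Client Access server; all values below are placeholders.

$AdfsHost   = "adfs.contoso.com"                      # placeholder
$OwaUrl     = "https://mail.contoso.com/owa/"         # placeholder, keep the trailing slash
$EcpUrl     = "https://mail.contoso.com/ecp/"         # placeholder
$Thumbprint = "<AD FS token-signing cert thumbprint>" # placeholder

# Tell Exchange who issues the tokens, which audience URIs they must carry,
# and which certificate signs them, so tokens from anywhere else are rejected
Set-OrganizationConfig -AdfsIssuer "https://$AdfsHost/adfs/ls/" `
    -AdfsAudienceUris $OwaUrl, $EcpUrl `
    -AdfsSignCertificateThumbprint $Thumbprint

# Switch OWA and ECP on this server to AD FS only. Leaving any other method
# enabled would give clients a path around the policy AD FS enforces.
$Server = $env:COMPUTERNAME
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -AdfsAuthentication $true -BasicAuthentication $false `
    -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false -OAuthAuthentication $false
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -AdfsAuthentication $true -BasicAuthentication $false `
    -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false

# Load the new configuration
iisreset /noforce

# Verify: only AdfsAuthentication should read True, and the organization
# config should show the issuer, audience URIs and thumbprint just set
Get-OwaVirtualDirectory -Server $Server | Format-List *Authentication
Get-EcpVirtualDirectory -Server $Server | Format-List *Authentication
Get-OrganizationConfig | Format-List Adfs*
```

    Repeat the virtual directory part on every Client Access server; the Set-OrganizationConfig call is organization-wide and runs once. When the AD FS token-signing certificate rolls over, the thumbprint here has to follow it or OWA sign-in stops.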

    SSL Offloading support

    SSL offloading is supported for all of the protocols and related services on Exchange 2013 Client Access servers. By enabling SSL offloading, you terminate the incoming SSL connections on a hardware load balancer instead of on the Client Access servers. Using SSL offloading moves the SSL workloads that are CPU and memory intensive from the Client Access server to a hardware load balancer.

    SSL offloading is supported with following protocols and services:

    • Outlook Web App

    • Exchange Admin Center (EAC)

    • Outlook Anywhere

    • Offline Address Book (OAB)

    • Exchange ActiveSync (EAS)

    • Exchange Web Services (EWS)

    • Autodiscover

    • Mailbox Replication Proxy Service (MRSProxy)

    • MAPI virtual directory for Outlook clients

    If you have multiple Client Access servers, each Client Access server in your organization must be configured identically. You need to perform the required steps for each protocol or service on every Client Access server in your on-premises organization. For details, see Configuring SSL Offloading in Exchange 2013

    Public Attachment Handling in Exchange Online

    Although there are both private (internal network) and public (external network) settings to control attachments using Outlook Web App mailbox policies, admins require more consistent and reliable attachment handling when a user signs in to Outlook Web App from a computer on a public network such as at a coffee shop or library. Go here for details, Public Attachment Handling in Exchange Online.

    Browser Support for AppCache

    Internet Explorer 10 and Windows Store apps using JavaScript support the Application Cache API (or AppCache), as defined in the HTML5 specification, which allows you to create offline web applications. AppCache enables webpages to cache (or save) resources locally, including images, script libraries, style sheets, and so on. In addition, AppCache allows URLs to be served from cached content using standard Uniform Resource Identifier (URI) notation. The following is a list of the browsers that support AppCache:

    • Internet Explorer 10 or later versions

    • Google Chrome 24 or later versions

    • Firefox 23 or later versions

    • Safari 6 or later (only on OS X/iOS) versions

    Exchange OAuth authentication protocol

    Information workers in Exchange on-premises organizations need to collaborate with information workers in Exchange Online organizations when they are connected via an Exchange hybrid deployment. New in Exchange 2013 SP1, this connection can now be enabled and enhanced by using the new Exchange OAuth authentication protocol. The new Exchange OAuth authentication process will replace the Exchange federation trust configuration process and currently enables the following Exchange features:

    • Exchange hybrid deployment features, such as shared free/busy calendar information, MailTips, and Message Tracking.

    • Exchange In-place eDiscovery

    For more information, see Configure OAuth Authentication Between Exchange and Exchange Online Organizations.

    Hybrid deployments with multiple Active Directory forests

    New in Exchange 2013 SP1, hybrid deployments are now supported in organizations with multiple Active Directory forests. For hybrid deployment features and considerations, multi-forest organizations are defined as organizations having Exchange servers deployed in multiple Active Directory forests. Organizations that utilize a resource forest for user accounts, but maintain all Exchange servers in a single forest, aren’t classified as multi-forest in hybrid deployment scenarios. These types of organizations should consider themselves a single forest organization when planning and configuring a hybrid deployment.

    For more information, see Hybrid Deployments with Multiple Active Directory Forests.

    Database Availability Group without an Administrative Access Point

    Windows Server 2012 R2 enables you to create a failover cluster without an administrative access point. Exchange 2013 SP1 introduces the ability to leverage this capability and create a database availability group (DAG) without a cluster administrative access point. Creating a DAG without an administrative access point reduces complexity and simplifies DAG management. In addition, it reduces the attack surface of a DAG by removing the cluster/DAG name from DNS, thereby making it unresolvable over the network.

    For more information, see High Availability and Site Resilience.
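
    Creating such a DAG comes down to one parameter value. The following added example (not code from the original post) builds a DAG with no administrative access point and then checks that no cluster name or IP exists to resolve. It assumes an Exchange 2013 SP1 Management Shell with mailbox servers on Windows Server 2012 R2; the DAG name, witness server, witness directory and member server names are placeholders.

```powershell
# Added example, not code from the original post: create a DAG without a
# cluster administrative access point. Assumes Exchange 2013 SP1 on Windows
# Server 2012 R2 members; every name below is a placeholder.

$DagName    = "DAG01"                           # placeholder
$Witness    = "fsw01.contoso.com"               # placeholder, must not be a DAG member
$WitnessDir = "C:\DAGFileShareWitnesses\$DagName"

# Passing IPAddress.None is what makes New-DatabaseAvailabilityGroup build
# the underlying cluster with no administrative access point: no cluster
# name object, no cluster IP and no DNS record for the DAG name
New-DatabaseAvailabilityGroup -Name $DagName `
    -WitnessServer $Witness -WitnessDirectory $WitnessDir `
    -DatabaseAvailabilityGroupIpAddresses ([System.Net.IPAddress]::None)

# Add the members (placeholder server names)
"MBX01", "MBX02" | ForEach-Object {
    Add-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $_
}

# Verify: the DAG reports no IP addresses, and the DAG name does not resolve,
# which is the attack-surface reduction the text describes
Get-DatabaseAvailabilityGroup $DagName -Status |
    Format-List Name, DatabaseAvailabilityGroupIpAddresses, WitnessServer, Servers
Resolve-DnsName $DagName -ErrorAction SilentlyContinue
```

    The trade-off to plan for is tooling: anything that expects to connect to the cluster by name (older backup integrations, Failover Cluster Manager pointed at the DAG name) needs to target a member server instead.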

    Some Items For Consideration

    As with previous CUs, SP1 follows the new servicing paradigm that was previously discussed on the blog.  This package can be used to perform a new installation, or to upgrade an existing Exchange Server 2013 installation to SP1.  You do not need to install Cumulative Update 1 or 2 for Exchange Server 2013 RTM when you are installing SP1.

    After you install this Service pack, you cannot uninstall the Service Pack to revert to an earlier version of Exchange 2013. If you uninstall this Service pack, Exchange 2013 is removed from the server.

    Note that customised configuration files are overwritten on installation.  Make sure you have any changes fully documented!

    Once the Service Pack Installation has completed, restart the server.  The server should be restarted even if you are not prompted.

    Please enjoy the update responsibly!

    What do I mean by that? Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment. Additionally, you will need to test the CU in a lab which is representative of your production environment.

    Cheers,

    Rhoderick

  • Exchange 2010 Tip Of The Day – 26 To 50

    Leading on where the previous post left off, here are the Exchange 2010 tips of the day from number 26 to 50.

    For the related articles in this series please see:

    Tips 1 – 25

    Tips 51 – 75

    Tips 76 - 101

    Tip of the day #26:

    Forget a property name? Not a problem because you can use wildcard characters to retrieve all properties that match the part of the name that you specify:

    Get-Mailbox | Format-Table Name,*SMTP*

    Tip of the day #27:

    Want to work with data contained in a CSV file? Use Import-CSV to assign the data to an object. For example, type:

    $MyCSV = Import-CSV TestFile.CSV

    You can then manipulate the data easily in the Exchange Management Shell. For example, if there is a column called Mailboxes in the CSV data, you can use the following commands to sort or group the data by the Mailboxes column:

    To sort: $MyCSV | Sort Mailboxes
    To group: $MyCSV | Group Mailboxes

    Tip of the day #28:

    This command spins through all your mailbox servers and reconnects all the uniquely identified but disconnected mailboxes in any one of the mailbox stores:

    $Servers = Get-ExchangeServer
    # Keep only mailbox servers, then reconnect every mailbox that has a disconnect date
    $Servers | `
      Where { $_.IsMailboxServer -Eq $True } `
      | ForEach { Get-MailboxStatistics -Server $_.Name `
      | Where { $_.DisconnectDate -Ne $Null } `
      | ForEach { Connect-Mailbox -Identity `
        $_.DisplayName -Database $_.DatabaseName } }

    Tip of the day #29:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you are typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

    Tip of the day #30:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you are typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

    Tip of the day #31:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you are typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

    Tip of the day #32:

    Tab completion reduces the number of keystrokes required to complete a cmdlet. Just press the TAB key to complete the cmdlet you are typing. Tab completion kicks in whenever there is a hyphen (-) in the input. For example:

    Get-Send<tab>

    should complete to Get-SendConnector. You can even use wildcards, such as:

    Get-U*P*<tab>

    Pressing the TAB key when you enter this command cycles through all cmdlets that match the expression, such as the Unified Messaging Mailbox policy cmdlets.

    Tip of the day #33:

    Want to create a group of test users in your lab? Use this command:

    1..100 | ForEach { Net User "User$_" MyPassword=01 /ADD /Domain; Enable-Mailbox "User$_" }

    Tip of the day #34:

    Like the Exchange Management Shell Tip of the Day? Try this:

    Get-Tip

    Tip of the day #35:

    Want to change the authentication settings on an Outlook Web Access virtual directory? Try the following command as an example. It changes authentication from forms-based authentication to Windows authentication:

    Set-OwaVirtualDirectory -Identity "OWA (Default Web Site)" -FormsAuthentication 0 -WindowsAuthentication 1

    Tip of the day #36:

    Want to set the properties on all or some Outlook Web Access virtual directories? Pipe the output of Get-OwaVirtualDirectory to the Set-OwaVirtualDirectory cmdlet. For example, the following command sets the Gzip level for all Outlook Web Access virtual directories:

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -GzipLevel High

    Tip of the day #37:

    Want to remove an ActiveSync device from a user's device list? Type:

    Remove-ActiveSyncDevice

    This cmdlet can be helpful for troubleshooting devices that don't synchronize successfully with the server.

    Tip of the day #38:

    Want to clear all data from a mobile device? Use:

    Clear-ActiveSyncDevice

    Specify a time of day to clear the device, or let the task complete the next time that the device connects to the server.

    Tip of the day #39:

    Want to see a list of all devices that synchronize with a user's mailbox? Type:

    Get-ActiveSyncDeviceStatistics

    A variety of information is returned including device name, operating system, and last sync time.

    Tip of the day #40:

    Has one of your users asked you to recover their mobile device synchronization password? To return the user's password, type:

    Get-ActiveSyncDeviceStatistics -Mailbox <User Alias> -ShowRecoveryPassword

    Tip of the day #41:

    Want to move your database path to another location? Type:

    Move-DatabasePath -EdbFilePath DestFileName

    To change the file path setting without moving data, use this command together with the ConfigurationOnly parameter. This command is especially useful for disaster recovery. Caution: Misuse of this cmdlet will cause data loss.

    Tip of the day #42:

    Need an easy way to add a new primary SMTP address to a group of mailboxes? The following command creates a new e-mail address policy that assigns the @contoso.com domain to the primary SMTP address of all mailboxes with Contoso in the company field:

    New-EmailAddressPolicy -Name Contoso -RecipientFilter {Company -Eq "Contoso"} -EnabledPrimarySMTPAddressTemplate "@contoso.com"

    Tip of the day #43:

    Want to retrieve a group of objects that have similar identities? You can use wildcard characters with the Identity parameter to match multiple objects. Type:

    Get-Mailbox *John*
    Get-ReceiveConnector *toso.com
    Get-JournalRule *discovery*

    Tip of the day #44:

    Want to configure a group of objects that have similar identities? You can use wildcard characters with the Identity parameter when you use a Get cmdlet and pipe the output to a Set cmdlet. Type:

    $Mailboxes = Get-Mailbox *John*
    $Mailboxes | Set-Mailbox -ProhibitSendQuota 100MB -UseDatabaseQuotaDefaults $False

    This command matches all mailboxes with the name John in the mailbox's identity and sets the ProhibitSendQuota parameter to 100MB. It also sets the UseDatabaseQuotaDefaults parameter to $False so that the server uses the new quota you specified instead of the database default quota limits.

    Tip of the day #45:

    Forgot what the available parameters are on a cmdlet? Just use tab completion! Type:

    Set-Mailbox -<tab>

    When you type a hyphen (-) and then press the TAB key, you cycle through all the available parameters on the cmdlet. Want to narrow your search? Type part of the parameter's name and then press the TAB key. Type:

    Set-Mailbox -Prohibit<tab>

    Tip of the day #46:

    Want to add an alias to multiple distribution groups that have a similar name? Type:

    $Groups = Get-DistributionGroup *Exchange*
    $Groups | Add-DistributionGroupMember -Member kim

    This command adds the alias kim to all distribution groups that contain the word Exchange.

    Tip of the day #47:

    Want to record exactly what happens when you're using the Exchange Management Shell? Use the Start-Transcript cmdlet. Anything that you do after you run this cmdlet will be recorded to a text file that you specify. To stop recording your session, use the Stop-Transcript cmdlet.

    Notice that the Start-Transcript cmdlet overwrites the destination text file by default. If you want to append your session to an existing file, use the Append parameter:

    Start-Transcript c:\MySession.txt -Append

    Tip of the day #48:

    Do you have a user who has network access but maintains an external mail account outside your Exchange organization? With Exchange Server 2010, you can now create mail-enabled users that are regular Active Directory accounts, but also behave like mail-enabled contacts. By using the Enable-MailUser cmdlet, you can add e-mail contact attributes to any existing Active Directory user who doesn't already have a mailbox on an Exchange server. Users in your Exchange organization will then be able to send e-mail messages to that user's external mail account. Type:

    Enable-MailUser -Identity <Active Directory Alias> -ExternalEmailAddress <Destination SMTP Address>

    Tip of the day #49:

    Want to change the default prohibit send quota for a mailbox database? Type:

    Set-MailboxDatabase <Mailbox Database Name> -ProhibitSendQuota <New Quota Size> -UseDatabaseQuotaDefaults $False

    You can specify a bytes qualifier when you use the ProhibitSendQuota parameter. For example, if you want to set the prohibit send quota to 200 megabytes, type:

    Set-MailboxDatabase <Mailbox Database Name> -ProhibitSendQuota 200MB -UseDatabaseQuotaDefaults $False

    You can also configure the IssueWarningQuota parameter and the ProhibitSendReceiveQuota parameter in the same way.

    Tip of the day #50:

    Want to know what version of Exchange Server each of your servers is running? Type:

    Get-ExchangeServer | Format-Table Name, *Version*

     

     

    Cheers,

    Rhoderick

  • Exchange 2010 Tip Of The Day – 1 To 25

    The Exchange Management Shell helps us discover the amazing capabilities of PowerShell.  One way it does this is by displaying a tip of the day so that we are introduced to concepts and topics that inevitably will come in handy one day!

    Since I had not seen a complete list of the Exchange 2010 ones, I thought I’d jot them down.  Exchange 2007 Tips are listed on TechNet.

     

    Scroll down to the bottom for the PowerShell code used to retrieve this.  And yes, the first four tips really are duplicated, though since they are randomly displayed it goes un-noticed!  They remind me of a line from Red Dwarf *.

    For the related articles in this series please see:

    Tips 26 – 50

    Tips 51 – 75

    Tips 76 - 101

     

    Tip of the day #1:

    Did you know that the Identity parameter is a "positional parameter"? That means you can use:

    Get-Mailbox "user" instead of: Get-Mailbox -Identity "user"

    It's a neat usability shortcut!

    Tip of the day #2:

    Did you know that the Identity parameter is a "positional parameter"? That means you can use:

    Get-Mailbox "user" instead of: Get-Mailbox -Identity "user"

    It's a neat usability shortcut!

    Tip of the day #3:

    Did you know that the Identity parameter is a "positional parameter"? That means you can use:

    Get-Mailbox "user" instead of: Get-Mailbox -Identity "user"

    It's a neat usability shortcut!

    Tip of the day #4:

    Did you know that the Identity parameter is a "positional parameter"? That means you can use:

    Get-Mailbox "user" instead of: Get-Mailbox -Identity "user"

    It's a neat usability shortcut!

    Tip of the day #5:

    Tired of typing a long command every time that you want to do something? Alias it! Type:

    Set-Alias GetMre Get-ManagementRoleEntry

    For all the current aliases, type:

    Get-Alias

    Tip of the day #6:

    Want to see the members of a dynamic distribution group that has a custom filter? Just use the Get-Recipient cmdlet. Type:

    $DDG = Get-DynamicDistributionGroup "Contoso Marketing Managers"
    Get-Recipient -RecipientPreviewFilter $DDG.RecipientFilter

    Tip of the day #7:

    The Exchange Management Shell is a calculator too! Try it directly at a command prompt:

    1.2343+3123 or (23/435)*2

    Tip of the day #8:

    Command line SOS! Do you need help? Type:

    Help <cmdlet-name>  or  <cmdlet-name> -?

    You can choose what information to return when you view Help by using the Detailed, Full, and Examples switches:

    Help Get-Mailbox -Detailed

    Tip of the day #9:

    Want to look at Help for a cmdlet but don't want to read through pages and pages of text in the Shell window? Just use the Online switch with the Get-Help cmdlet. The Online switch tells the Shell to open the online version of the cmdlet's Help topic in your default browser. Type:

    Get-Help <cmdlet> -Online

    Tip of the day #10:

    The tilde character (~) should be familiar to Unix users. It represents the shortcut to your root directory. To see what it's evaluated to by default, type:

    Dir ~

    You can use it as a useful shortcut:

    Cp SomeFile "~\My Documents"

    Tip of the day #11:

    CTRL+C is the equivalent of the hard-break command in the Exchange Management Shell. If a command is taking too long to run or you want to cancel an operation quickly, press CTRL+C to stop execution.


    Tip of the day #12:

    Pushd and Popd work the same way in the Exchange Management Shell as they do in cmd.exe. Type:

    Pushd <location>

    Tip of the day #13:

    XML over everything! The Exchange Management Shell treats XML as a native type, so that you can do interesting things like:

    $Sample = [XML](Get-Content SomeXMLFile.xml)

    This command assigns $Sample to the actual XML object. To see it, type:

    $Sample

    To navigate, type:

    $Sample.Prop1.Prop2

    No need for text parsing when you want to load XML data!

    Tip of the day #14:

    Cmdlets that end in "Config" manage singleton configuration, either one per server or organization. For these tasks, you don't have to specify an identity because there is only one instance of the configuration. You may have to specify the Server parameter if the configuration is per server.

    Tip of the day #15:

    To get a list of all users on an Exchange 2010 server who aren't Unified Messaging-enabled, type:

    $Mailboxes = Get-Mailbox
    $Mailboxes | ForEach { If($_.UmEnabled -Eq $False){$_.Name}}

    Tip of the day #16:

    To get a list of all users on an Exchange 2010 server who are Unified Messaging-enabled, type:

    $Mailboxes = Get-Mailbox
    $Mailboxes | ForEach { If($_.UmEnabled -Eq $True){$_.Name}}

    Tip of the day #17:

    To display the user's alias formatted in a table together with the user's Exchange 2010 server name and telephone extension, type:

    Get-Mailbox | Format-Table ServerName,@{e={$_.SamAccountName};Label="User Alias"},@{Expression="Extensions";Label="Telephone numbers"}

    Tip of the day #18:

    To display the list of UM IP gateway server names disabled for outbound calling and hunt groups associated with a UM IP gateway server, type:

    $Gateways = Get-UMIPGateway
    $Gateways | ForEach {If($_.OutCallsAllowed -Eq $False){ "Gateway Name = " +$_.Name;ForEach ($HuntGroup In $_.Huntgroups ){"Huntgroups " + $Huntgroup}}}

    Tip of the day #19:

    If you want to test all IP Block List providers, you just have to pipe the Get-IpBlockListProvider cmdlet to the Test-IpBlockListProvider cmdlet:

    Get-IpBlockListProvider | Test-IpBlockListProvider -IpAddress 192.168.0.1

    Tip of the day #20:

    Before you remove an object by using the Remove verb, use the WhatIf parameter to verify the results are what you expect.

    Tip of the day #21:

    Sometimes it's useful to convert the output of a cmdlet to a string to interoperate with native cmdlets. For example, type:

    Get-Mailbox | Out-String | Findstr "Administrator"

    Tip of the day #22:

    Get all Win32 WMI information, such as Perfmon counters and local computer configurations. For example, type:

    Get-WMIObject Win32_PerfRawData_PerfOS_Memory

    Tip of the day #23:

    Who isn't tired of spam? You can configure real-time block list (RBL) providers with the Exchange Management Shell by running the following two commands:

    Set-IPBlockListProvidersConfig -Enabled $True -ExternalMailEnabled $True

    and then

    Add-IPBlockListProvider -Name <Name of RBL Provider> -LookupDomain <FQDN of RBL Provider> -AnyMatch $True

    Tip of the day #24:

    Access the event log from the Exchange Management Shell. To retrieve the whole event log, type:

    Get-EventLog Application | Format-List

    To retrieve all Exchange-related events, type:

    Get-EventLog Application | Where { $_.Source -Ilike "*Exchange*" }

    Tip of the day #25:

    One benefit of the Exchange Management Shell is that cmdlets can output objects to the console. You can then manipulate this output and organize it in interesting ways. For example, to get a quick view in tabular format, use Format-Table:

    Get-Mailbox | Format-Table Name,Database,RulesQuota

     

    Retrieving the Above Entries

    When the Exchange Management Shell shortcut is launched it does many things.  The properties of the shortcut show the following:

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto"

    RemoteExchange.ps1 calls another script, CommonConnectFunctions.ps1.  It is the latter script that creates the Get-Tip function, which is called along with others to display the banner in the Exchange Management Shell.

    For more details on the Exchange Management Shell please review this post.

    Rather than go through and retrieve the tips one by one, PowerShell to the rescue!  You can either use option 1 and save this to a .ps1 script, or option 2 and just run it as a one-liner.

     

    Option 1 – Script File

    Save the below to a .ps1 file and execute it in the Exchange Management Shell.  Uses a While loop to iterate through all of the tips.

     

    # Initialise the counter with a value of 1.  
    $Int = 1

    # PowerShell While Loop.  Iterate to a count of 105 just to show that we have returned all tips
    While ($Int -le 105 )
    {  
        Get-Tip $Int
        Write-Host
         # Increment the counter
        $Int +=1
    }

     

    Option 2 – OneLiner

    If you would like to just cut and paste, without reading any comments in the above go ahead and run this:

    $Int = 1;While ($Int -le 105){Get-Tip $Int;  Write-Host; $Int+=1}

     

    The above PowerShell code will show all of the daily tips.  To save your scroll finger from total exhaustion, the tips are split into 4 separate posts.

     

    Cheers,

    Rhoderick

     

    * - A superlative suggestion, sir, with just two minor flaws.

    One: we don't have any defensive shields. And two: we don't have any defensive shields.

    Now I realise that, technically speaking, that's only one flaw; but I thought it was such a big one, it was worth mentioning twice.

  • Exchange RBAC Tips N Tricks - PowerShell

    Most of the time when working with RBAC in Exchange we are not using large scripts to create and manage roles.  Generally we use one-liners to configure RBAC.  So I thought it would be useful to post some of the ones that I find myself frequently using.

    As always please add a comment, or hit me up on the contact page and tell me what topics you want to see added here!

     

    Where does this Cmdlet Live

    Get-ManagementRole -Cmdlet Set-CASMailbox

    Get-ManagementRoleEntry "*\Set-CASMailbox"

     

    Where does this Parameter live

    Get-ManagementRole -Parameter <parameter name>

    Get-ManagementRoleEntry "*\*" -Parameter <parameter name>

     

    What Management Role Entries Are In a Management Role

    This example works, but also review the next one down

    Get-ManagementRole "Monitoring" | Select Name, RoleEntries | FL

    Much better to use

    Get-ManagementRoleEntry "Monitoring\*"

    This can also be filtered.  For example show me all the Get-  cmdlets in the Mail Recipients role:

    Get-ManagementRoleEntry "Mail Recipients\Get-*"

    Show me all the Set-  cmdlets in the Mail Recipients role:

    Get-ManagementRoleEntry "Mail Recipients\Set-*"

     

     

    Understanding RBAC Assignment Mappings

    What RBAC Assignments Are Made Directly To A User

    Get-ManagementRoleAssignment -RoleAssigneeType User

     

    What RBAC Assignments Are to Role Assignment Policies

    Get-ManagementRoleAssignment -RoleAssigneeType RoleAssignmentPolicy

    What RBAC Assignments Are Made to Role Groups

    Get-ManagementRoleAssignment -RoleAssigneeType RoleGroup

     

    Who Is A Member Of A Role Group

    Get-RoleGroupMember -Identity "Organization Management"

    Or

    Get-RoleGroup -Identity "Organization Management" | Get-RoleGroupMember

     

    What Management Roles Have Been Assigned To A Role Group

    The RoleAssignee parameter specifies the role group, assignment policy, user, or universal security group (USG) for which you want to view role assignments. If the RoleAssignee parameter is used, you can't use the Identity parameter.

    By default, the command returns both direct role assignments to the role assignee, and indirect role assignments granted to a role assignee through role groups or assignment policies.

    Get-ManagementRoleAssignment -RoleAssignee "Help Desk" | Select Role, AssignmentMethod, EffectiveUserName

     

    What Can Someone Do

    Using the Get-ManagementRoleAssignment cmdlet’s GetEffectiveUsers switch, we can examine the effective permissions an individual ends up with.  Role groups and assignment policies make it easy to grant permissions to large numbers of users, but that also means you may not be aware of exactly who is a member of a role group, or who has been assigned an assignment policy.  This is where the GetEffectiveUsers switch is useful.  It expands the role groups, assignment policies and USGs associated with a role assignment and lists the individual users who are effectively granted the role through them.

    The GetEffectiveUsers switch doesn't list users that are members of a linked foreign role group, so in a resource forest deployment this view is incomplete and the members of the linked USG in the account forest have to be enumerated separately.

     

    List All Effective Users

    Show users that are granted permissions provided by the Mail Recipients role:

    Get-ManagementRoleAssignment -Role "Mail Recipients" -GetEffectiveUsers

    Find A Specific User In A Role

    To find a specific user that's been granted permissions by a management role, you must use the Get-ManagementRoleAssignment cmdlet to retrieve a list of all effective users, and then pipe the output of the cmdlet to the Where cmdlet. The Where cmdlet filters the output and returns only the user you specified:

    Get-ManagementRoleAssignment -Role Journaling -GetEffectiveUsers | Where { $_.EffectiveUserName -Eq "Matt Goss" }

    Find A Specific User In All Roles

    To know every role that a user receives permissions from, you must use the Get-ManagementRoleAssignment cmdlet to retrieve all effective users on all management roles and then pipe the output of the cmdlet to the Where cmdlet. The Where cmdlet filters the output and returns only the role assignments that grant the user permissions.

    Get-ManagementRoleAssignment -GetEffectiveUsers | Where { $_.EffectiveUserName -Eq "Ross Smith" }

    What Can Someone Do – To A Specific Object

    In addition to the GetEffectiveUsers switch there is another parameter which is very useful: WritableRecipient.

    The WritableRecipient parameter specifies the recipient object you want to test to determine which role assignments allow it to be modified.  The command takes into account the roles and scopes associated with each role assignment, so an assignment whose write scope does not contain the recipient is not returned.

    If this parameter is used with the GetEffectiveUsers switch, all of the users who can modify the recipient object indirectly through role groups and USGs are also returned.  Without the GetEffectiveUsers switch, only the role groups, users, and USGs directly assigned the role assignment are returned.

    In this example what can the Help-Desk-Admin do to account  User-20?

    Get-ManagementRoleAssignment -WritableRecipient User-20 -GetEffectiveUsers | where {$_.EffectiveUserName -eq "Help-Desk-Admin"}

    In this example what can User-1 do to the MailContact object called Contact1 that is stored in AD?

    Get-ManagementRoleAssignment -WritableRecipient Contact1 -GetEffectiveUsers | where {$_.EffectiveUserName -eq "user-1"}

    Exchange RBAC - What Can Someone Do To This Object.....

    Get-ManagementRoleAssignment provides a lot of filtering capabilities.  You can customise this to tune searches to RoleAssignments that are Delegating, exclusive or by RoleAssigneeType.
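    The two WritableRecipient queries above answer the question for one known administrator.  The other direction, "who at all can modify this object, and do any of them get there through an unscoped grant", is the check I run before handing a VIP mailbox to a delegated team.  The function below is an added example for this post (not code from the original article or from Microsoft); it assumes an Exchange 2010/2013 Management Shell session and uses a placeholder recipient identity that you replace with your own.

    ```powershell
    # Added example, not from the original post. Report every effective user who
    # can modify a given recipient, with the roles, assignees and write scope that
    # grant it. Assumes an Exchange Management Shell session.
    function Get-RecipientWriteAccess {
        param(
            [Parameter(Mandatory = $true)]
            [string]$Recipient
        )

        # -WritableRecipient evaluates each assignment's role AND scope against the
        # target object; -GetEffectiveUsers expands role groups and USGs to users.
        Get-ManagementRoleAssignment -WritableRecipient $Recipient -GetEffectiveUsers |
            Where-Object { $_.Enabled -eq $true } |
            Group-Object EffectiveUserName |
            ForEach-Object {
                $user   = $_.Name
                $grants = $_.Group
                $roles  = $grants | ForEach-Object { $_.Role.ToString() } | Sort-Object -Unique
                $via    = $grants | ForEach-Object { $_.RoleAssigneeName } | Sort-Object -Unique
                # A grant whose recipient write scope is Organization means no scope
                # protects this object from that user at all: worth surfacing first.
                $orgWide = @($grants | Where-Object { $_.RecipientWriteScope -eq 'Organization' }).Count -gt 0
                New-Object PSObject -Property @{
                    EffectiveUser = $user
                    OrgWideScope  = $orgWide
                    Roles         = ($roles -join ', ')
                    ViaAssignees  = ($via -join ', ')
                }
            } |
            Sort-Object OrgWideScope, EffectiveUser -Descending
    }

    # Who can change the CEO's mailbox (placeholder identity), and which of them
    # do so through an unscoped grant?
    Get-RecipientWriteAccess -Recipient 'ceo@contoso.com' |
        Format-Table EffectiveUser, OrgWideScope, Roles, ViaAssignees -AutoSize
    ```

    Remember the caveat from the previous section: GetEffectiveUsers does not expand linked foreign role groups, so in a resource forest the report only covers accounts in the Exchange forest.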

     

     

    RBAC Dump

    While Exchange does not provide an out of the box mechanism to immediately show all RBAC in a single window (more on that in a future post), it does allow us to use the above PowerShell methods to create scripts and one-liners to discover and document.  There are several example scripts out on ze interwebs, one example being here on MSPFE.

    Get-ManagementRoleAssignment -GetEffectiveUsers | Where {$_.Enabled -eq $True} | Select-Object Role, RoleAssigneeName, RoleAssigneeType, RoleAssignmentDelegationType, User, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, Identity | Export-CSV $PWD\RBAC-Effective.csv -NoTypeInformation

    Note that I changed the original example from MSPFE.  Formatting was updated, .csv file path is no longer hardcoded and NoTypeInformation was added.
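    A dump is only half the job: the value comes from keeping one from a known-good point in time and diffing the current state against it, so that a new role assignment or an extra member of a role group shows up as a change rather than being buried in a few hundred rows.  The script below is an added example for this post (not from the original article or from MSPFE); it assumes two CSV files produced by the one-liner above, with the file names as placeholders.

    ```powershell
    # Added example, not from the original post. Compare a baseline RBAC export
    # against a fresh one (both produced by the Export-CSV one-liner above) and
    # list effective assignments that appeared or disappeared. File paths are
    # placeholders for this example.
    function Get-RbacRowKey {
        param($Row)
        # One comparable key per row: the assignment identity alone is not unique
        # once -GetEffectiveUsers expands a role group, so the user and the write
        # scopes are part of the key.
        '{0}|{1}|{2}|{3}|{4}' -f $Row.Identity, $Row.User, $Row.RecipientWriteScope,
                                  $Row.CustomRecipientWriteScope, $Row.ConfigWriteScope
    }

    function Compare-RbacExport {
        param(
            [Parameter(Mandatory = $true)][string]$BaselineCsv,
            [Parameter(Mandatory = $true)][string]$CurrentCsv
        )

        $baseline = @{}
        Import-Csv $BaselineCsv | ForEach-Object { $baseline[(Get-RbacRowKey $_)] = $_ }
        $current = @{}
        Import-Csv $CurrentCsv  | ForEach-Object { $current[(Get-RbacRowKey $_)] = $_ }

        # Grants present now but not in the baseline: new privilege, review first.
        foreach ($key in $current.Keys) {
            if (-not $baseline.ContainsKey($key)) {
                $row = $current[$key]
                New-Object PSObject -Property @{
                    Change = 'Added'; Role = $row.Role; User = $row.User
                    RoleAssignee = $row.RoleAssigneeName; Identity = $row.Identity
                }
            }
        }
        # Grants in the baseline that are gone: usually expected, but worth a look.
        foreach ($key in $baseline.Keys) {
            if (-not $current.ContainsKey($key)) {
                $row = $baseline[$key]
                New-Object PSObject -Property @{
                    Change = 'Removed'; Role = $row.Role; User = $row.User
                    RoleAssignee = $row.RoleAssigneeName; Identity = $row.Identity
                }
            }
        }
    }

    Compare-RbacExport -BaselineCsv .\RBAC-Effective-baseline.csv -CurrentCsv .\RBAC-Effective.csv |
        Sort-Object Change, Role, User |
        Format-Table Change, Role, User, RoleAssignee -AutoSize
    ```

    Because the export already filters on Enabled, a disabled assignment drops out of the diff as "Removed" and comes back as "Added" when it is re-enabled, which is exactly the behaviour you want from a change record.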

    Cheers,

    Rhoderick

     


  • Exchange RBAC Primer

    After publishing some recent articles on RBAC, there was some feedback that a primer on RBAC would also be welcomed.  So here it is!

    What is RBAC?

    It is not Really Boring Access Control. 

    RBAC = Role Based Access Control.  As a concept it is not new, however Exchange 2010 was the first time that it has been natively supported in Exchange.  That being said, we still had the concept of roles in Exchange 2007 and older versions. 

    For example in Exchange 2003 we had these roles:

    • Exchange Full Administrators
    • Exchange Administrators
    • Exchange View Only Administrators

    In Exchange 2007 we had slightly more roles:

    • Exchange Organization Administrators
    • Exchange Recipient Administrators
    • Exchange View-Only Administrators
    • Exchange Server Administrators
    • Exchange Public Folder Administrators (after SP1)

    As you can see the concept of roles is not new to Exchange, but why this RBAC thing? What’s that all about?

     

    What’s In It For Me?

    RBAC has many advantages compared to the previous administration model.  RBAC allows for:

    • Flexible role implementation – The roles in Exchange 2003/2007 were fixed.  No modifications could be done to them at all.
    • Simplified access control – Previously an Exchange administrator’s access level to groups & users was controlled by the access control entries (ACEs) on the actual object in question.  There is a delegation of control wizard, but no un-delegation of control wizard.  As a result ACL-Spray * would accumulate.  ACLs would be added but never removed as understanding the impact of removing ACLs across various applications was very complicated.  Also changing inheritance to OUs could drastically alter the effective permissions. This is not needed with RBAC.
    • Task focussed approach – Previously the administrator had to work out what ACLs had to be set, and on which properties.  This meant the focus was on the permissions on the object.  With RBAC we now focus on the business task that needs to be achieved and not the underlying AD property and permissions.
    • Simplified auditing – Auditing is now controlled natively within Exchange for both mailbox and administrator activities.  Administrator Audit logging is enabled by default.   Mailbox audit logging is not enabled by default.
    • Granular permission assignment – RBAC allows for control right down to the individual parameters on cmdlets.  Additionally we can create an RBAC assignment that gives someone the permissions of the Organization Management role group without allowing them to add anyone else to that group.  Try doing that in Exchange 2003!
    • Consistent permission model – RBAC is used to control access to both administrators and users.  It applies consistently across all mechanisms of accessing Exchange be it Outlook, PowerShell, OWA or ECP. 

     

    What To Get Used To

     

    All Access Is Controlled Via RBAC

    Access to Exchange 2010/2013 is controlled via RBAC.  RBAC determines who can do what to a given object, and this applies to both administrators and end users.  Exchange performs the action requested by the user in the security context of the Exchange Trusted Subsystem (ETS) universal security group.  This is a change from previous versions, where the credentials of the requesting user were used to access the object and make the necessary changes.  As a result previous auditing methodologies need to change: AD-level auditing no longer shows the requesting user, so we now make use of the Exchange auditing capabilities.  ETS is a highly privileged group which holds read and write permissions to all Exchange objects.  Nothing else should be added to this group.
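    Since every RBAC action is executed as ETS, an extra member in that group bypasses RBAC entirely, so its membership is worth checking on a schedule rather than trusting that nobody has touched it.  The script below is an added example for this post (not from the original article); it assumes the ActiveDirectory module from RSAT is available, and it assumes the expected direct members are Exchange server computer accounts (including a DAG computer object, where present) for Exchange Trusted Subsystem, and the ETS group itself for Exchange Windows Permissions.  Adjust those expectations to your own deployment before acting on the output.

    ```powershell
    # Added example, not from the original post. Audit the direct membership of the
    # two Exchange privileged groups and report anything that is not expected there.
    # Assumptions (adjust for your deployment): Exchange Trusted Subsystem should
    # contain only computer objects (Exchange servers, DAG object); Exchange Windows
    # Permissions should contain only the Exchange Trusted Subsystem group.
    Import-Module ActiveDirectory

    function Get-UnexpectedExchangeGroupMember {
        param(
            [string[]]$GroupNames = @('Exchange Trusted Subsystem', 'Exchange Windows Permissions')
        )

        foreach ($groupName in $GroupNames) {
            # Direct members only: a nested group that is not expected is itself a finding,
            # and its members would inherit ETS rights transitively.
            $members = Get-ADGroupMember -Identity $groupName

            foreach ($member in $members) {
                $expected = switch ($groupName) {
                    'Exchange Trusted Subsystem'   { $member.objectClass -eq 'computer' }
                    'Exchange Windows Permissions' { $member.objectClass -eq 'group' -and $member.name -eq 'Exchange Trusted Subsystem' }
                    default                        { $false }
                }

                if (-not $expected) {
                    New-Object PSObject -Property @{
                        Group             = $groupName
                        Member            = $member.name
                        ObjectClass       = $member.objectClass
                        DistinguishedName = $member.distinguishedName
                    }
                }
            }
        }
    }

    # An empty result is the desired state; anything listed needs an owner and a reason.
    $findings = @(Get-UnexpectedExchangeGroupMember)
    if ($findings.Count -gt 0) {
        $findings | Format-Table Group, Member, ObjectClass, DistinguishedName -AutoSize
    } else {
        Write-Host 'No unexpected members in the Exchange privileged groups.'
    }
    ```

    Pair this with administrator audit logging: the audit log tells you which RBAC action was run and by whom, while this check tells you whether someone has been given a way around RBAC altogether.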

     

    RBAC Controls Administrators & Users

    RBAC is assigned to administrators to let them perform the necessary tasks on servers, connectors and mailboxes.  This is in the form of a Role Assignment.  RBAC to end users is delivered as a Role Assignment Policy.  They are very similar but are tailored to their respective purpose. 

     

    Organisation Administrators Now Demi-Deities

    In previous versions when a person was added to the Exchange Organization Administrators or Exchange Full Administrators roles they had every capability in Exchange.  This is not the case any more, so become accustomed to not having access to all keys of the kingdom.  Now, all the keys can be granted – it’s just that you do not have them by default.  Examples of permissions and capabilities that an Org Admin does not have out of the box in Exchange 2010 include:

    • Mailbox import export
    • Create un-scoped top level management roles
    • Application impersonation

     

      What Where & Who

      There are three main points to consider when planning out RBAC -- Where, What and Who. 

      1. Where can someone apply the permissions granted
      2. What are the permissions
      3. Who can wield them

      OK – there is also the glue (role assignment that binds them), but let’s not mess up a nice list!

      This is covered in detail by the RBAC Triangle Of Power.

       

      RBAC Triangle Of Power

       

       

      Management Role This & Management Role That

      Cutting through the terminology can be beneficial for reviewing RBAC.  One frequently heard comment is that the word “role” is overused.   When you see the main cmdlets laid out, it’s not bad!  These are the core components of RBAC:   

      1. ManagementScope – Scope defines where the Role can be used.
      2. ManagementRole – Role is a collection of Role Entries.  This is what you can do.
      3. ManagementRoleEntry – the actual cmdlets and cmdlet parameters that get grouped into a Role.
      4. RoleGroup  - This states who is able to leverage the cmdlets granted in the role. 
      5. ManagementRoleAssignment – The glue which holds the triangle together. 

      I’ll let you browse through the above content at your pleasure!

       

      Role – The What

      The end user RBAC roles contain cmdlets related to managing a user’s own mailbox and are scoped as such.  Administrator RBAC roles contain the necessary cmdlets to manage the messaging infrastructure.  Examples of Management Roles are shown below:

      Exchange 2010 Management Roles

       

      Management Roles themselves live in the Exchange configuration container in Active Directory; it is the Role Groups that are represented as universal security groups, stored in the Microsoft Exchange Security Groups OU:

      Exchange Role Groups In Active Directory

      The Management Role contains Management Role Entries, which are the individual cmdlets and their parameters that actually let you do tasks.  To see the actual Management Role Entries use the Get-ManagementRoleEntry cmdlet.  Note that the Management Role Entries are stored within the Management Role, and this is why the syntax looks like Get-ManagementRoleEntry "ManagementRoleName\*"


      Other examples to retrieve Management Role Entries could be:

      • Get-ManagementRoleEntry "Mail Recipients\Set-Mailbox*"
      • Get-ManagementRoleEntry "Mail Recipients\*"
      • Get-ManagementRoleEntry "Mail Recipients\Set-*"
      • Get-ManagementRoleEntry "Mail Recipients\Get-*"

       

      It is fairly simple to understand how the built-in roles map to administrator or end user RBAC as the built in end user roles are prefixed with “My”.  Custom roles are not obliged to follow this nomenclature (though it does make life easier if they do). To be sure of a Role type examine its IsEndUserRole property.  The first role shown below is for end user RBAC, and the second is for administrators or specialist roles.

      Exchange RBAC Checking If End User Role

       

      Role Group – The Who

      You will encounter two types of Role Groups on your travels.  When Exchange 2010 or 2013 is installed into an AD forest, one of the installation steps is to install a base RBAC platform.  In a multi forest (Exchange resource forest) environment the installation is executed in the resource forest only, so the account forest has no knowledge of RBAC.  If you want to administer Exchange with an account from the account forest, you need to tell Exchange in the resource forest which account-forest users get which administrative permissions.  In other words you need to roll your own RBAC for the user forest; this is a task that you need to perform as it is not done automatically.

      A one way trust is the minimum requirement so the relevant AD objects are visible, and the RBAC roles can be defined.    When assigning the roles, RBAC points to a Universal security group in the other forest and a Linked Role Group is created. 

      You will see this if you look for the RoleGroupType.  Standard denotes a regular RBAC RoleGroup in the same forest as Exchange.  Linked indicates that this is a linked role group to a remote forest. 

      Get-RoleGroup "Organization Management" | select Name, RoleGroupType | Format-Table -AutoSize

      Exchange RBAC GetRoleGroup  Check Type

       

       

      Scope – The Where

      As the name implies, Management Scope stipulates where a particular set of permissions will apply.  This could be scoped to a:

      • Server
      • Exchange database (Exchange 2010 SP1 and newer feature)
      • OU
      • AD Group

      To perform advanced RBAC tasks you will certainly want to get familiar with this concept of management scopes since scopes allow you to control where a particular permission will apply.  An example of a couple of scopes in one of my labs:

      Listing Exchange Management Scopes

      To create the Executive management scope we could run:

      New-ManagementScope -name "Executives" -RecipientRestrictionFilter {memberofgroup -eq "cn=Execs,ou=VIP,dc=contoso,dc=com"}
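As an added example (not from the original post), the scope above is only useful once it is bound to an assignment, and the binding is worth checking rather than assuming.  The role group name “VIP Mailbox Admins”, the member “helpdesk.vip” and the mailboxes ceo@contoso.com and intern@contoso.com are assumptions; the Execs group DN is the one used above.

```powershell
# Added example, not from the original post. Assumed names: role group
# "VIP Mailbox Admins", member "helpdesk.vip", recipients ceo@contoso.com
# (a member of Execs) and intern@contoso.com (not a member).

# 1. The Where: which recipients may be written to.
New-ManagementScope -Name "Executives" `
    -RecipientRestrictionFilter "MemberOfGroup -eq 'cn=Execs,ou=VIP,dc=contoso,dc=com'"

# 2. The Who and the What, bound to the Where in one step: a role group whose
#    assignment of the Mail Recipients role is limited to that scope.
New-RoleGroup -Name "VIP Mailbox Admins" `
    -Roles "Mail Recipients" `
    -CustomRecipientWriteScope "Executives" `
    -Members "helpdesk.vip"

# 3. Check that the scope actually applies. The assignment should show
#    RecipientWriteScope = CustomScope and CustomRecipientWriteScope = Executives.
Get-ManagementRoleAssignment -RoleAssignee "VIP Mailbox Admins" |
    Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# 4. Ask RBAC directly whether the group may write to a given recipient.
#    The first call returns the assignment; the second returns nothing,
#    because intern@contoso.com is outside the Executives scope.
Get-ManagementRoleAssignment -RoleAssignee "VIP Mailbox Admins" -WritableRecipient "ceo@contoso.com"
Get-ManagementRoleAssignment -RoleAssignee "VIP Mailbox Admins" -WritableRecipient "intern@contoso.com"
```

One caveat a practitioner should know: a scope like this limits what VIP Mailbox Admins can touch, but it does nothing to stop every other recipient administrator from modifying the executives.  If that is the requirement, create the scope with the -Exclusive switch and assign it with -ExclusiveRecipientWriteScope; an exclusive scope overrides all regular scopes, so nobody can modify those recipients unless they also hold an exclusive scope covering them, Organization Management members included.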

       

On a related note, in PowerShell the equals character “=” is the assignment operator and is not used to test whether values match.  The comparison operators are text based: equals is “-eq” and not equals is “-ne”. 

      There is a handy table on TechNet or you can open PowerShell and review the output of:

      Get-Help about_Comparison_Operators | More

PowerShell Comparison Operators

Note that there are different aspects to scope, and the reason I want to mention this is scoping where users can read.  A custom management scope only limits the write aspect, for both configuration and recipient scopes; the read scope is implicit to the role and cannot be customised, and for the administrative roles it is the whole organisation.  In other words a delegated administrator who can only write to one OU can still read (Get-*) recipient and configuration objects across the entire organisation. 

       Exchange RBAC Scopes

       

      Bringing RBAC Together

Some folks like the above triangle of power to represent RBAC, but I personally prefer this graphic to really illustrate the relationships between the RBAC building blocks. 

      It pulls together all the concepts from Management Role Entries, Role Assignments and Role Assignment Policies. 

      RBAC component relationships

       

      Please see the previous posts to see how to create a custom RBAC role and then assign it to a group: 

      Creating RBAC Role To Delegate Contact Management   - This one shows an example of using the “Mail Recipient Creation” role to create a customised role. 

      Allow Users To Manage Distribution Groups Without Creating New Ones  - This one shows an example of customising the RBAC role assigned to an end user, and is something that RBC has already implemented in production.

      How To Add Or Remove Cmdlet Parameter From RBAC Management Role   - illustrates the amazing precision that is possible within RBAC

       

      In case you were wondering about the Wipe Only ActiveSync Role that is shown in a couple of examples, this is discussed in RBAC: Walkthrough of creating a role that can wipe ActiveSync Devices

       

      Cheers,

      Rhoderick

      * – Should trademark that!

    • Exchange Upgrades–The Point Of No Return

When designing an upgrade strategy from an older version of Exchange to a newer one, a question that needs to be addressed is: do we need to introduce a version of Exchange that is not currently present?  An example is upgrading from Exchange 2003 to Exchange 2010.  If that organisation does not have any Exchange 2007 servers, you need to evaluate whether there may be a future requirement for one.  Examples include:

      • Application specific requirements
      • Client versions in use
      • Backup/Restore software requirements (though can be met with a separate recovery forest)

Once that first Exchange 2010 server is installed it is way too late to go back and introduce Exchange 2007.  Actually the cut-off comes before the installation, but hold that thought for now.  The same is also true when upgrading from Exchange 2007 to Exchange 2013 if there are no Exchange 2010 servers in the organisation.

      Let’s look at an example where we are upgrading from Exchange 2007 to Exchange 2013.

       

      The Point Of No Return

As mentioned above, it is not the act of installing the files onto the disk of the new Exchange 2013 server that blocks the installation of the older version.  Nor is it the act of extending the schema to support Exchange 2013.   To be specific, it is the /PrepareAD stage that is the critical point.  This means that once you’ve run Exchange 2013’s /PrepareAD command you cannot introduce an Exchange 2010 role that did not exist before 2013’s /PrepareAD was executed.

      The individual steps to manually prepare the AD infrastructure for Exchange are listed in the Prepare Active Directory and Domains documentation for Exchange 2007, Exchange 2010 and also Exchange 2013:

      1. setup /PrepareSchema or setup /PS
      2. setup /PrepareAD
      3. setup /PrepareDomain   or setup /PrepareAllDomains

/PrepareSchema extends the AD schema.  /PrepareAD creates or updates the Exchange organisation in the configuration partition, including the Exchange security groups, and also prepares the domain it is run in.  /PrepareDomain (or /PrepareAllDomains) prepares the remaining domains that will host Exchange servers or mail-enabled objects.  It is /PrepareAD that stamps the new organisation version, which is why it is the point of no return. 

      Exchange 2013 does not have the /PrepareLegacy or /PL switch.  This was required for legacy Exchange 2003 coexistence so the Recipient Update Service (RUS) could continue to function.  Since Exchange 2013 has a hard requirement that Exchange 2003 has been removed from the organisation prior to starting its setup, this is no longer required.  Thankfully that also means I don’t have to describe the public and private property sets in AD!
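As an added example (not from the original post), the following script reads the same AD version markers that setup inspects and lists which Exchange major versions already have server objects, so the “no Exchange 2010 servers” warning is not a surprise when you run /PrepareAD.  It assumes the ActiveDirectory PowerShell module, read access to the configuration partition, and that the version you are about to prepare for is Exchange 2013 (the $target value).  No version numbers are hard-coded; compare the printed values with Microsoft's published table for your build.

```powershell
# Added example, not from the original post. Run on a domain-joined machine
# with the ActiveDirectory module BEFORE running setup /PrepareAD. Assumption:
# $target is the major version you are about to prepare for (15 = 2013).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext
$domainNC = $rootDse.defaultNamingContext

# 1. Schema version: written by /PrepareSchema. Absent until first prepared.
$schemaVer = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
    -Properties rangeUpper -ErrorAction SilentlyContinue
"Schema rangeUpper       : {0}" -f $(if ($schemaVer) { $schemaVer.rangeUpper } else { "not prepared" })

# 2. Organisation version: written by /PrepareAD. This is the point of no return.
$org = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -Filter 'objectClass -eq "msExchOrganizationContainer"' `
    -Properties objectVersion -ErrorAction SilentlyContinue
if (-not $org) { "No Exchange organisation found; /PrepareAD has never run here."; return }
"Org '{0}' objectVersion : {1}" -f $org.Name, $org.objectVersion

# 3. Domain version for the current domain: written by /PrepareDomain
#    (or by /PrepareAD for the domain it is run in).
$meso = Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$domainNC" `
    -Properties objectVersion -ErrorAction SilentlyContinue
"Domain objectVersion    : {0}" -f $(if ($meso) { $meso.objectVersion } else { "not prepared" })

# 4. Which Exchange versions actually have server objects? serialNumber looks
#    like "Version 14.3 (Build 123.4)"; the major number identifies the product.
$productByMajor = @{ 8 = "Exchange 2007"; 14 = "Exchange 2010"; 15 = "Exchange 2013" }
$servers = Get-ADObject -SearchBase $org.DistinguishedName `
    -Filter 'objectClass -eq "msExchExchangeServer"' -Properties serialNumber

$present = @{}
foreach ($s in $servers) {
    if ($s.serialNumber -match 'Version (\d+)\.') {
        $present[[int]$Matches[1]] = $true
        "{0,-30} {1}" -f $s.Name, $s.serialNumber
    }
}

# 5. Warn about every earlier product line with no server object: /PrepareAD
#    for the newer version permanently blocks adding it afterwards.
$target = 15
foreach ($major in ($productByMajor.Keys | Sort-Object)) {
    if ($major -lt $target -and -not $present.ContainsKey($major)) {
        "WARNING: no {0} servers present. After /PrepareAD for {1} you cannot add any." -f `
            $productByMajor[$major], $productByMajor[$target]
    }
}
```

Run this with an ordinary read-only account, not a schema admin; it only reads AD, and that is exactly the point of checking before the high-privilege setup run rather than discovering the state from setup's own readiness check.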

       

      NOTE: If you run the Exchange Setup wizard with an account that has the permissions required (Schema Admins, Domain Admins, and Enterprise Admins) to prepare Active Directory and the domain, the wizard will automatically prepare Active Directory and the domain. 

You say this would never happen?  Let me give you the following scenario.  Assume you get a shiny new administrator workstation that has the latest version of Windows installed.  In order to install the Exchange management tools you need to use the latest build of Exchange.  If you then log on with a domain admin/schema admin/enterprise admin level account to install the management tools, setup will check the AD versioning information and, finding it out of date, run the /PrepareSchema and /PrepareAD steps for you. 

Moral of the story? You should not need Schema Admins or Enterprise Admins membership for your day to day role, even as a highly trusted administrator.  Grant and revoke that membership as needed, and only for the change window in which it is required.  Less is more!

       

      Setup Checks

Exchange 2013 setup checks the current status of Active Directory and the Exchange organisation when it runs.  Besides warning that some prerequisites are missing, it also warns that if you continue with this course of action you will be unable to introduce older versions of Exchange that are not currently present:

      Exchange 2013 Setup - Readiness Checks

       

      To enhance search engine effectiveness, the above text is also pasted here:

      Error:
      This computer requires the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit. Please install the software from http://go.microsoft.com/fwlink/?LinkId=260990.
      For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.UcmaRedistMsi.aspx

      Warning:
      Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareAD'. No Exchange 2007 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2007 servers.
      For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.NoE12ServerWarning.aspx

      Warning:
      Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareAD'. No Exchange 2010 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2010 servers.
      For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.NoE14ServerWarning.aspx

      Warning:
      This computer requires the Microsoft Office 2010 Filter Packs - Version 2.0. Please install the software from http://go.microsoft.com/fwlink/?LinkID=191548.
      For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.MSFilterPackV2NotInstalled.aspx

      Warning:
      This computer requires the Microsoft Office 2010 Filter Packs - Version 2.0 - Service Pack 1. Please install the software from http://go.microsoft.com/fwlink/?LinkId=262358.
      For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.MSFilterPackV2SP1NotInstalled.aspx

       

      Stop! Hammer time!

      What if I want to retain the ability to install an older version of Exchange, what do I need to do?

      Retain Ability To Install Down Level Exchange Version

      Taking the previous example where we are upgrading from Exchange 2007 to Exchange 2013, and there are no Exchange 2010 servers in the organisation, what do we have to do to retain the ability to add more Exchange 2010 servers at a future date?

The simplest solution is to deploy a virtual machine, install Exchange 2010 with all of the roles (yes, that is required if you want to be able to install all 2010 roles in the future), and keep it patched and running.  Should you ever need to install a production Exchange 2010 server, since there is still an Exchange 2010 server in the organisation you are able to do so.  Note that this means all of the roles that you may want in the future; installing just the Exchange 2010 Mailbox role is not sufficient…

Should you reach the point where there are no business requirements for Exchange 2010, Exchange can then be gracefully uninstalled from the virtual machine and life continues.

      The same rules applied when upgrading Exchange 2003 to Exchange 2010 where there are no Exchange 2007 servers in that organisation.  If an Exchange 2007 server was not introduced prior to Exchange 2010, then you were unable to go back and add it later. 

      Cheers,

      Rhoderick

    • Exchange and AntiVirus Exclusions – A Critical Conversation

      Scanning Exchange databases with file system antivirus is a recipe for disaster.  This really should not come as a surprise for admins running Exchange services within the enterprise, since this has been the field requirement for a long time.  The documentation provided by Microsoft is very clear in what exclusions are required for file system antivirus and Exchange to coexist.  For reference the relevant articles are:

      If this is so well documented, then what could possibly go wrong?  Plenty….

      Update 30-6-2014:  Please also see this post on a related issue.

       

      Understanding File System AV Scanning

      Every vendor who writes a file system AV product will implement theirs in a different way.  Because of this, and the fact that I will not identify vendors by name, this article will be written in a generic style.  The concepts however will apply to the vast majority of AV products.  

      TechNet does a good job of listing the types of file system antivirus scanners:

      • Memory-resident file-level scanning refers to a part of file-level antivirus software that is loaded in memory at all times. It checks all the files that are used on the hard disk and in computer memory.

      • On-demand file-level scanning refers to a part of file-level antivirus software that you can configure to scan files on the hard disk manually or on a schedule. Some versions of antivirus software start the on-demand scan automatically after virus signatures are updated to make sure that all files are scanned with the latest signatures.

Other terminology that may be encountered is On-Access scanning.  This is where AV processes a file when it is opened.  Unlike an On-Demand scan, if a file is never opened then it is never scanned; conversely, if it is opened multiple times it will likely be scanned each time it is accessed.  The exact details of this are at the discretion of the AV vendor.

      The heuristics contained within each AV product vary greatly, and they behave differently on the above point and many others.  Some do not show the configured file system exclusions in their admin tool graphical interface and you have to look at the registry to see what file system paths are actually being excluded.  Others allow the AV team to lock the management application on the Exchange server down so that it is harder/impossible to see what scans are running, to troubleshoot issues and to terminate the AV scan (if required) without waiting for AV team to respond. 

      Please consult with your AV team and review their vendor’s documentation to understand how their product works . 

       

      Issues That Can Arise Due To File System AV Scanning

Regrettably there are multiple issues that can and will arise if you allow file system AV to scan Exchange.  Note that this is not just the mailbox database file; there is a range of other locations that must also be exempted from file system AV scanning.  For details see the links at the start of this post. 

      File-level scanners may scan a file when the file is being used or at a scheduled interval. This can cause the scanners to lock or quarantine an Exchange log file or a database file while Exchange tries to use the file. This behaviour may cause a severe failure in Microsoft Exchange and may also cause -1018 ESE errors.

      One thing to note is that file-level scanners do not provide protection against e-mail viruses, such as the Storm Worm. Storm Worm was a backdoor Trojan horse virus that propagated itself through e-mail messages. The worm joined the infected computer to a botnet, where the computer was used to send spam e-mail messages in periodic bursts. Such viruses can affect the performance of the computer and the network that it is attached to.

      This is not a new issue.  As my friend Dave McGarr puts it over on his blog, Friends don’t let friends scan the M- drive !  Because of this, the M:\  drive was hidden by default in Exchange 2003.  Exchange 2000, which introduced the M:\ Drive, was often negatively impacted by file system AV scanning M:\…..

       

      A Case In Point

      This is the story of a recent engagement where I ran into some serious AV issues.  The customer in question had recently completed an Exchange Server Risk Assessment (ExRAP).  ExRAP looks at both technical and process aspects of managing messaging services.  One interview question specifically asks if the correct AV exclusions have been implemented.  The customer stated that they were. 

      Fast forward 4 months.  The customer’s stable Exchange environment started to exhibit strange behaviours all of a sudden.  Issues included degraded database performance, database failover issues and very poor Outlook client response times.  As part of initial troubleshooting Microsoft requested that the AV exclusions be checked to ensure that they are correct and were not causing any issues.  Again they were stated as correct.  Screen shots and remote assistance sessions showed that the settings were entered.  So what was causing databases not to failover between DAG members? 

      Well it turns out that only half of the puzzle was validated.  Unbeknown to the Exchange admins, the AV team had implemented a weekly On-Demand scan that started late Sunday evening and scanned every single file on the server.  Yes that's right -- zero exclusions…    It gets better!  These scans were taking a very long time to complete, and in some cases the scan did not complete until Wednesday or Thursday!  

The AV product in use has a feature where it will lock a file that looks suspicious for an un-specified amount of time.  The lock duration is controlled by the AV engine and is entirely at its discretion.  This is what caused the database failover issues.  When trying to mount a database on a server, AV locked the Exchange database as it thought that MDB01.edb was suspicious.  Since the file was locked, Exchange was unable to gain access to the database and mount it.  If enough time elapsed then AV would release the file and the database could be mounted.  Reviewing traces corroborated this, as we would see Exchange starting to read the database but not progressing further. 

      Not only was this an unsupported act as far as Microsoft is concerned the impact to the customer was tremendous. Some of the issues experienced were: 

      • Multiple corrupted mailboxes
• Databases would not fail over between servers
      • Server performance was impacted
      • Storage performance was impacted

       

      Learning Points

      Rather than just state that the required exclusions be implemented, I thought it would be more beneficial to discuss some of the areas which typically contribute to the above situation, and some resolutions. 

      Knowledge Sharing

      All teams must be tightly aligned on how AV is deployed and configured.  While server teams like Exchange do not need to know the exact details of implementing AV on the backend, they must understand how to communicate with the other teams effectively, more on this in a minute!  For example how do the Exchange servers get the correct AV policy assigned?  Is it based on server name, location in AD or are Exchange servers manually tagged with a policy?  This sounds minor, but this knowledge is critical in understanding the impact of choosing a different server name or the steps required if reinstalling an Exchange server from scratch. 

      Terminology

      To assist with communicating effectively, all teams should communicate using the same terminology to minimise any potential misunderstandings.  In the above example, the Exchange team understood an AV exclusion to apply to any and all AV scans.  However the AV teams did not share this viewpoint, and their terminology was more granular. 

      Communication

      Teams should have defined lines of communication.  This is applicable not just to escalate issues, but also to ensure that proactive knowledge is shared.  For example:

      • If an update to the core AV product is being rolled out, then the relevant server admins must be notified.

      • If an AV incident is observed in APAC, then the AV team should investigate the issue and if they find that AV is scanning locations it should not, then global server teams must be notified to validate their configurations.

Communication between teams at the start of the above story was not optimal, though it did improve greatly.  Enterprises must ensure that the required lines of communication and escalation are available between all the teams that work together to provide an enterprise solution.  This applies to all products, applications and services that operate in an enterprise and is not limited to just Exchange. 

Ensure that everyone is totally clear on what other teams expect from them and vice versa.  For example, if the Exchange admin requests that a certain file be exempted, the Exchange admin expects it to be excluded from any and all scans.  The AV team will expect clear and concise guidance from the Exchange admin as to what the file exclusion requirements are.  Such requirements are application specific. 

      Technical Items

      There must be a detailed discussion on the configuration of the AV policies that are applied to the Exchange infrastructure.  Some examples include:

      • Action taken when a potential malicious file is located.  If the action is to automatically repair then databases could be instantly corrupted. 
      • If the AV client UI is locked down this can prevent local server admins performing investigative work on the machine. 
      • Typically enterprise AV products will be managed by a central tool/directory that pushes out the defined AV configuration to the agents.  Normally this is set to overwrite any local changes to the AV configuration.  All changes must be made to the central console. 
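As an added example (not from the original post), the “clear and concise guidance” the AV team expects is best derived from the live server rather than typed from memory, and the AV team's exported exclusion list can then be checked against it.  The script below runs in the Exchange Management Shell on the Exchange server; the AV export ($avExcluded) is a constructed sample standing in for whatever the central console exports.  The derived set is deliberately a subset (database files, transaction logs, the install tree's data folders and the transport logs); the complete list is in the Microsoft articles the post refers to, and $required should be extended from them.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the Exchange server. $avExcluded is a CONSTRUCTED sample of an AV
# console export; replace it with the real export from the AV team.

# --- Required exclusions, derived from the live configuration ---------------
$required = New-Object System.Collections.Generic.List[string]

foreach ($db in Get-MailboxDatabase -Server $env:COMPUTERNAME) {
    $required.Add($db.EdbFilePath.PathName)      # the .edb file itself
    $required.Add($db.LogFolderPath.PathName)    # transaction logs and checkpoint
}

$install = $env:ExchangeInstallPath             # set by Exchange setup
$required.Add((Join-Path $install "Mailbox"))
$required.Add((Join-Path $install "TransportRoles\Data"))
$required.Add((Join-Path $install "Logging"))

# Exchange 2013 uses Get-TransportService; on Exchange 2010 use Get-TransportServer.
$transport = Get-TransportService $env:COMPUTERNAME
foreach ($p in @($transport.MessageTrackingLogPath, $transport.ConnectivityLogPath,
                 $transport.ReceiveProtocolLogPath, $transport.SendProtocolLogPath,
                 $transport.PipelineTracingPath)) {
    if ($p) { $required.Add($p.PathName) }
}

# --- What the AV team says is excluded (constructed sample export) ----------
$avExcluded = @(
    "C:\Program Files\Microsoft\Exchange Server\V15\Mailbox",
    "D:\ExchDBs\MDB01",
    "*.edb"
)

# A required path is covered if it equals an excluded path, sits beneath an
# excluded directory, or its file/folder name matches an excluded wildcard.
function Test-Covered([string]$path, [string[]]$exclusions) {
    $norm = $path.TrimEnd('\')
    foreach ($ex in $exclusions) {
        if ($ex -like '*[*?]*') {
            if ((Split-Path $norm -Leaf) -like $ex) { return $true }
        } else {
            $exNorm = $ex.TrimEnd('\')
            if ($norm -eq $exNorm -or $norm.StartsWith($exNorm + '\', 'OrdinalIgnoreCase')) {
                return $true
            }
        }
    }
    return $false
}

$missing = $required | Sort-Object -Unique | Where-Object { -not (Test-Covered $_ $avExcluded) }
if ($missing) {
    "Required exclusions NOT found in the AV policy export:"
    $missing | ForEach-Object { "  $_" }
} else {
    "All derived exclusions are present in the AV policy export."
}
```

This checks a list, not behaviour.  Given the story above, ask the AV team for one export per scan type (on-access, scheduled on-demand, post-signature-update) and run the comparison against each; an exclusion that is only present in the on-access policy is exactly the gap that let the Sunday night scan lock the database.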

      The AV agent health must be monitored by the AV team to ensure that an agent does not “go native”, and ignore its configuration.  The worst possible case here would be for an agent to revert back to its default configuration which typically means that there are no exclusions and all files and processes are scanned. 

The AV team must accept that Exchange requires certain file system exclusions to operate in a configuration supported by Microsoft.  There is a tendency for AV teams to perceive a security risk in the fact that MDB01.edb is never scanned by file system AV.  Their concern that NaughtyFile.edb will be stored on the Exchange server needs to be tempered with:

• Microsoft is not asking customers to run servers with no file system AV; rather it just needs to be configured to support the application in question – in this case Exchange. 
• Microsoft does not support scanning Exchange with file system AV.  Doing so adds a risk as you are not in a supported configuration from the application vendor.
• Only select administrators should log on to Exchange servers.
• Exchange servers should not be used for file sharing.
• Internet browsing should be blocked from all servers in the enterprise.
• All servers in the enterprise should be at a current patch level to help prevent compromise.
• All workstations in the enterprise should be at a current patch level to help prevent compromise.
• All servers in the enterprise should have different local administrator passwords.
• All workstations in the enterprise should have different local administrator passwords.

      The above are only a few points in a typical discussion on this topic.  Please engage with a security consultant to fully discuss such issues, as each enterprise will have different business requirements which translate into the underlying technical configuration.  Some customers track these activities through a security sign off or waiver process. 

Finally, do not assume that since a previous version of Exchange ran in a given environment, the AV conversation can be skipped!  Take the time to ensure that all teams are on the same page, and that the correct exclusions are applied.  Exchange 2010 has different exclusions compared to Exchange 2003!  Additionally there will likely have been staff changes over the years since older AV policies were defined, so have this critical conversation to prevent a critical situation – aka a CritSit!

       

      Cheers,

      Rhoderick