Random Technical Artices By Sachin Filinto

Patching Exchange 2010 Servers

2013-04-29T16:10:18Z

I Often get questions around how best to install Exchange updates or service packs. This Blog Post attempts to answer that Question.

To start with, I recommend having a Patch management Policy. A Good Patch management policy document should have the following listed:

1. How often should the updates / service pack be installed. ( e.g. Service Pack - once every quarter / critical updates - ASAP)

2. Applications which would possibly have a dependency on the Patch / Service pack. ( BB, Backup, antivirus , archiving, other 3^rd party products ).

These 3^rd party products should be tested for any dependencies on the Update / Service pack.

3. Sequence of server roles to install the Patches on.

Internet facing servers / sites should patched first

Non-internet facing should be after all internet facing sites are updated.

4. AV should be disabled for the time of installation.

5. StartDagServerMaintenance.ps1 before install & StopDagServerMaintenance.ps1 after success to disable replication & re-enable it after SP installation is complete

Additional Reading : http://technet.microsoft.com/en-us/library/bb629560.aspx

6. The Servers must be re-started if the installation of an update / Service pack prompts for a restart.

7. Tests which need to performed to validate services are up & running as expected.

8. Tests which need to be performed to validate the Updates / Service Pack is installed correctly.

Some Quick Leanings of Exchange 2013

2013-03-23T00:40:00Z

*Features

~95.5% reduction in IOPS

Exchange 2013 is capable of being deployed in a multi-site worldwide architecture with a single namespace. ( using multiple technologies )

Auto re-seed to spare disk. ( but needs operational maturity )

*Good to know

CAS is now a protocol proxy only. (2 layers V/S 5 layers)

No longer supports MAPI Clients ( only outlook anywhere )

No MAPI on CAS only RPC-over-HTTP

ECP is now EAC

Notification to admin when certificate is expiring ( EAC )

Maximum DB per server; Enterprise Edition- 50, Standard Edition - 5

one thread per DB

Hard block on 2003 to 2013 migration. (even cross forest )

New server gets into maintenance mode once it is installed

Quota notification e-mail is generated during users login ( V/S every day at midnight in Exchange 2010 )

Executing Exchange PowerShell commands from a CMD Prompt

2013-03-20T11:42:07Z

A Quick blog on how to execute an Exchange PowerShell script (.ps1 extension) from a command prompt.

A .ps1 cannot be executed from a Command prompt. to execute it one needs to use a PowerShell shell. Further if this script calls any exchange cmdlet, it would require to be executed in an Exchange Management Shell.

The following command does all three in one line. i.e. run the script from c:\script\script.ps1 ( which is an exchange script ) from a command prompt.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -psconsolefile "C:\Program Files\Microsoft\Exchange Server\V14\Bin\exshell.psc1" -file "C:\script\script.ps1"

A Quick Note on ADMT Versions & Pre-requisites.

2013-01-14T04:26:16Z

ADMT
At the time of writing this Blog;

ADMT 3.1 - 32 Bit version. ( Will not install on Windows 2008R2 )
This installer has SQL 2005 Express Edition ( with necessary service pack integrated into the installer )

ADMT 3.2 - 64 Bit Version. ( The first & only version which will install on Windows 2008R2 )

SQL 2008
There are many download options available on the Microsoft website,
* Express Edition & Enterprise Edition
* 32 Bit & 64 Bit
* With & Without Service pack integrated.

Your mileage will vary depending on what version of SQL, Windows & ADMT you use.

For the purpose this migration, I used ADMT 3.2 on a windows 2008 R2, member server with SQL 2008 sp3 Express Edition ( x64 )
This was installed in the target forest.
Password Export Server was installed on a Domain Controller in the source forest.

How to Check the version of SQL ?

Type these commands in a cmd prompt:

sqlcmd -S.
select @@version
go

Additional Reading: Link, Link

Moving to a new forest and retaining the same SMTP domain ( with native scripts ) - Part II

2013-01-09T06:32:32Z

3. Moving the Active Directory account using ADMT

ADMT is a great tool for Migrating and Restructuring Active Directory Domains ( user accounts, passwords, groups & group membership, computer accounts & much more.)

However It is very important to note that ADMT DOES NOT touch Exchange attributes.

ADMT can be executed before prepare-move request, after prepare-move request or skipped if we want to use a linked account.

Assuming Prepare-move request was executed first, when executing ADMT we need to merge the account with an existing MEU.

Below are screen grabs of the ADMT wizard. the critical options are highlighted.

If ADMT is run prior to the Prepare-MoveRequest.ps1 script is executed, we would need to execute Prepare-MoveRequest.ps1 with the -OverWriteLocalObject Switch.

4. The Actual Move of Mailboxes.

Having prepared the environment, moving the mailbox should now be a breeze. Given that Moving mailbox is a large topic, so In order to keep this blog concise, I shall jump straight to the command & explain only what is relevant.

MRSProxy or NO MRSProxy

MRSProxy encapsulates all communication between the organizations in HTTPS packets thus making the move seamless.

Assuming the source forest has Exchange 2010 SP2 or above, enable MRSProxy in the source forest.

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50

Details can be found Here

In the event that the source forest does NOT have an Exchange 2010 server, we cannot use the MRSProxy. So we skip the above step & use the -remotelegacy in lieu of -remote switch in the move command.
Command to Move the Mailbox across the forests ( pull the mailbox from source forest to the target forest )

First save the credentials in two variables:

( target forest )

$LocalCredentials = Get-Credential

( source forest )

$RemoteCredentials = Get-Credential

Then execute the command based on whether the source forest has MRSProxy enabled or not.
- With MRSProxy DISABLED in the source ( even if there is a E2010 server in the source )
New-MoveRequest

-Identity johndoe@tailspintoys.com

-RemoteCredential $RemoteCredentials

-TargetDeliveryDomain 'tailspintoys.com'

-RemoteGlobalCatalog dcx01.contoso.com

-RemoteLegacy
- With MRSProxy enabled in the source (on a server e2010.contoso.com )
New-MoveRequest

-Identity johndoe@tailspintoys.com

-RemoteCredential $RemoteCredentials

-TargetDeliveryDomain 'tailspintoys.com'

-RemoteGlobalCatalog dcx01.contoso.com

-Remote

-RemoteHostName E2010.contoso.com

Note: -RemoteHostName is the E2010 servers where we have enabled the MRSProxy

When the above commands are executed, it will result in the source mailbox turning into a Mail User ( MEU) & the Target Mail User (MEU) into a user mailbox.

Source forest:

User Mailbox> Mail User ( MEU )

Target forest:

Mail User (MEU) > User Mailbox

Before Move:

Move Command:

After Move:

Note: Issues to be aware of when moving across forests
1. Outlook nickname cache is best cleared ( from the client side )
1. Update OAB & replicate to the CAS servers. Have the users wait till it downloads or ask them to manually download the OAB.
1. Depending on how end-users have created their outlook rules, it could break. You might need to re-create the outlook rules.
1. Shared mailboxes + their users & manager + delegate sets should be moved together. you cannot have a manager in one forest & delegate in a different forest
2. This Mailbox pull will result in the source mailboxes being hard deleted. Ensure you have a backup in case you need to retrieve the mailbox
1. "Suspend this move when it is ready to complete" option is not available when moving across forest.
Additional Reading.

http://technet.microsoft.com/en-us/library/dd351123.aspx

http://blogs.technet.com/b/exchange/archive/2010/08/10/3410619.aspx

5. Ensuring Mail flow between source & target during the co-existence phase.

The Method described below would work fine if we have to migrate all the mailboxes from the source forest to the target forest rapidly & in one scheduled activity. This is because both the source & target forest are authoritative for the same SMTP domain.

This drawback ( of having to move all the mailboxes in one scheduled outage ) would be acceptable if the number of mailboxes is small or the actual move would happen in a short span of time. However this is not a common scenario as most migrations would take several hours if not days or weeks.

In the event that the move of mailbox takes several hours, days or weeks, we would need to have e-mail flowing between the source forest, ( mailboxes which are going to be migrated ) & the target forest ( mailboxes which have already been migrated ) Thus a migrated user can send an e-mail to a user who is yet to be migrated & vice-versa.

The additional steps to achieve this would involve:

1. Add a new accepted domain e.g. @tailspintoys.local in the target forest and also add this domain as a secondary SMTP address to the target forest objects.

Thus we have an additional secondary SMTP e-mail address of johndoe@tailspintoys.local

set-emailaddresspolicy -id "Default Policy" -enabledemailaddresstemplates SMTP:@tailspintoys.com,smtp:@tailspintoys.local

update-emailaddresspolicy -id "Default Policy"

2. Modify the move command used earlier. Change the TargetDeliveryDomain to tailspintoys.local

e.g. New-MoveRequest -Identity johndoe@tailspintoys.com -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'tailspintoys.local' -RemoteGlobalCatalog dcx01.contoso.com -RemoteLegacy

Thus the Target address on the MEU in the source forest after the mailbox is moved will be johndoe@fabrikam.local besides the expected proxy addresses.

Once Executed, we will now have the MEU in the source having a target address of tailspintoys.local

3. Create appropriate connectors for mail flow.

In order to have e-mail flowing between the two forests we would need to configure connectors in both the forests. This procedure could vary depending on how the existing mail flow is configured.

Here are the PowerShell commands used in my lab:

source_to_target mail flow

Source send connector

new-SendConnector

-Name 'source_to_target'

-Usage 'Internet'

-AddressSpaces 'SMTP:*.tailspintoys.local;1'

-IsScopedConnector $false

-DNSRoutingEnabled $false

-SmartHosts 'ex01.fabrikam.com'

-SmartHostAuthMechanism 'None'

-UseExternalDNSServersEnabled $false

-SourceTransportServers 'ex01.contoso.com'

Target receive connector

new-ReceiveConnector

-Name 'source_to_target'

-Usage 'Internet'

-Server 'EX01.fabrikam.com'

-Bindings '0.0.0.0:25'

-RemoteIPRanges '10.10.10.103'

target_to_source_and_internet mailflow

target send connector

new-SendConnector

-Name 'target_to_source_and_internet'

-Usage 'Internet'

-AddressSpaces 'SMTP:*;1'

-IsScopedConnector $false

-DNSRoutingEnabled $false

-SmartHosts 'ex01.contoso.com'

-SmartHostAuthMechanism 'None'

-UseExternalDNSServersEnabled $false

-SourceTransportServers 'EX01.fabrikam.com'

source receive connector

new-ReceiveConnector

-Name 'target_to_source_and_internet'

-Usage 'Custom'

-Server 'Ex01.contoso.com'

-Bindings '0.0.0.0:25'

-RemoteIPRanges '10.10.10.11'

-AuthMechanism 'Tls, ExternalAuthoritative'

-PermissionGroups 'AnonymousUsers, ExchangeServers'

Note1: usage = internet as this would not require authentication.

Note2: RemoteIPRanges is the IP address of the server used in the send connector matching this receive connector. This will result in only the identified server being able to send e-mail over this receive connector.

Note3: For this example I have chosen to create a separate send & receive connector in both the forests. However you could also achieve this by modifying the existing receive connectors instead of creating new receive connectors.

6. Additional configuration needed.

AutoDiscovery for outlook clients ( also used by free-busy ) Reference link

Free-busy / Availability information.

Redirecting OWA across forests

Linked mailboxes

Shared / Resource mailboxes

I hope to cover these in future blogs, time permitting.

Additional Reading Link1 Link2 Link3

Thank you for reading this far & I hope this blog was useful for your cross-forest migration.

Next Blog: How Groups can be migrated across forests & what kind of issues can crop up.

Moving to a new forest and retaining the same SMTP domain ( with native scripts ) - Part I

2012-10-17T09:47:00Z

The purpose of this blog is to document how a cross-forest migration is done with native Exchange 2010 tools. Another reason I am writing this blog is that I did not find this method documented either in the Microsoft community content nor on the internet. ( Same SMTP domain but Different AD Domain / forest )

This Blog is a meant to be very concise & to the point article on how to go about the migration using built-in tools like ADMT & Prepare-MoveRequest.ps1 script which can be freely downloaded from the Microsoft website & is included with Exchange 2010 Service Pack 1 respectively.

This Method of co-existence & migration could be classified as Short co-existence with a One-way GAL synchronization.

To start with we need to get some basics crystal clear.

1. Some Basics

a. proxyaddresses & targetaddress

proxyaddresses is the main attribute where e-mail address information is kept. When you open the properties of a recipient in Outlook and look at the "E-mail Addresses" tab, you are looking at this attribute. This is a multi-valued string containing all the addresses that represent the recipient.

e.g. SMTP:user101@tailspintoys.com, smtp:johndoe@tailspintoys.com,X400:c=US;a= ;p=contoso;o=Exchange;s=user101

targetAddress

In contacts and mail-enabled users (MEU) this attribute will point to a mailbox outside the Exchange organization, for example, to a Hotmail account or to another's company address.

Source & for further reading : Link

b. Mail Enabled User ( MEU )

Also Known As: Mail User /Mail-Enabled Active Directory user.

A mail user is similar to a mail contact, except that a mail user has Active Directory logon credentials and can access resources. Thus a MEU represents a user outside the Exchange organization. Each mail user has an external e-mail address. All messages sent to the mail user are routed to this external e-mail address & for this it uses the targetAddress attribute mentioned earlier in this Blog.

A MEU does not appear different from a mailbox in the GAL.

Source & further reading Link , Link ,Link

2. Preparing for the actual mailbox move to the target forest.

To move a mailbox from an Exchange 2003/07/10 Server to another Exchange 2010 forest, the target forest must contain a valid mail-enabled user (MEU) with a specified set of Active Directory attributes.

There are several ways to Create this MEU in the target forest ( ILM/ FIM / Custom Scripts / Prepare-MoveRequest.ps1 )

For a list of mandatory & optional attributes see this Link. In this blog I shall cover only the Prepare-MoveRequest.ps1

Prepare-MoveRequest.ps1

When executed some of the things this Script does is:

a. Creates a disabled "Mail User" in the target forest & copies proxyaddresses attribute from the source forest to target forest. ( besides other attributes )

b. Stamps the targetaddress attribute of the target object.

c. Append the LegacyExchangeDN value from the source forest object as a X500 Proxy address of the target object.

d. Append the LegacyExchangeDN value from the target forest object as an X500 Proxy address of the source object.

Lets take a look at each of these points in more detail.

a. Creates a disabled "Mail User" in the target forest & copies proxyaddresses attribute from the source forest to target forest. ( besides other attributes )

The following diagram shows the output when Prepare-MoveRequest.ps1 is executed.

The following diagram shows the Mail User created in the target forest.

The following diagram shows the disabled Mail User in the target forest.

The following diagram shows the LegacyExchangeDN attribute of the Mail User in the target forest.

b. Stamps the targetaddress attribute of the target object.

The following diagram shows the targetaddress attribute of the Mail User in the target forest.

c. Append the LegacyExchangeDN value from the source forest object as a X500 Proxy address of the target object.

The following diagram shows the LegacyExchangeDN from the source forest being appended as the x500 Proxy address in the target forest.

The following diagram shows the x500 proxy address on the target MEU

d. Append the LegacyExchangeDN value from the target forest object as an X500 Proxy address of the source object.

The following diagram shows the LegacyExchangeDN from the target forest being appended as the x500 Proxy address in the source forest.

The following diagram shows the LegacyExchangeDN from the target forest as a x500 proxy in the source forest.

The following diagram shows the empty targetAddress in the source forest.

Syntax:

.\Prepare-MoveRequest.ps1 -RemoteForestDomainController dcx01.contoso.com -RemoteForestCredential $RemoteCredentials -LocalForestDomainController dc01.fabrikam.com -LocalForestCredential $LocalCredentials -TargetMailuserOU "OU=mig,DC=fabrikam,DC=com" -verbose -identity johndoe

You need to define $LocalCredentials & $RemoteCredentials before executing the above command.

For this we can use:

(Target Forest )

$LocalCredentials = Get-Credential

(Source Forest )

$RemoteCredentials = Get-Credential

Note: In the examples shown above, Contoso.com is the Source forest & Fabrikam.com is the target forest. @tailspintoys.com is the SMTP domain used in both the source & target forests.

( It is advisable to use the -verbose switch to log any possible warning & errors. )

Important considerations:

a. A very critical point to note is that by adding the LegacyExchangeDN value as an X500 proxy address in the opposing forests, ensures that replying to any e-mails prior to the migration will not result in an NDR. ( Exchange does not necessarily use the SMTP address when replying to e-mails from internal users )

b. This Script DOES NOT copy the password & the SID ( For that you need to use ADMT).

c. Prepare-MoveRequest.ps1 should be run prior to ADMT. Thus ADMT would need to be executed with the "Migrate and Merge Conflicting Objects" option selected. ( more details in ADMT section )

d. If executed for all users in the Organization, this can effectively be used to populate the GAL in the target forest prior to moving the mailbox from source to target.

As seen in the Below screenshot, a MEU is not distinguishable in the GAL of the target forest )

For further reading on the Prepare-MoveRequest.ps1 script see Link

…To be continued in Part II

Moving to a new forest and retaining the same SMTP domain ( with native scripts ) - Part II

Architecting Virtual Workloads - Exchange 2010

2012-10-10T04:46:00Z

Some months back I delivered a session on virtualizing exchange server for Microsoft Partners who in turn deploy exchange for their customers. I had forgotten about this until last week when a customer asked me for the slide deck.

Key Points for the Exchange Architect:

1. Virtualization is great technology but not ideal for all kinds of workload. Given your Exchange server topology needs along with the available server hardware, think well if virtualization will really benefit you.

2. When virtualizing Exchange, Architects should be more concerned with the debate on Physical VS Virtual Rather then HYPER-V VS 3rd party Product.

So often I see this is not the case.

3. There are several features & options ( and more added with each new product release ) of each virtualization platform. Ensure you understand all relevant ones prior to deployment. Even a single in-correctly used feature can cause a huge performance impact thus leaving a negative perception to virtualization or chosen virtualization technology.

I see such scenarios regularly when reviewing customers messaging environment.

Here is the slide deck I used for that session.

- Sachin Filinto.

My first Panorama

2011-08-29T07:20:00Z

Here is another reason I love the company I work for.

On a recent trip to the remote northern border of our country, I decided to
make a panorama of a lake I saw.

Quickly clicked several photos standing at the edge of the lake & when I
got back home, got down to 'Stitching' them.

To deviate a bit: I knew of two challenges with a panorama. 1) Stitching the
photos 2) displaying it with the ability of zooming, panning & rotating. (
Of course if the final output is saved as a image point 2) is not relevant but
you will lose the ability to pan, zoom & rotate)

Given that I had never done this before I started looking around for a way to stich
the pictures. After spending a fair amount of time looking for
appropriate software I was suggested a software from Microsoft which I did not
know could do this. ( Microsoft ICE )

After installing, usage was a breeze and I quickly created my first panorama saved as
a .jpg.

Next I tried a feature which allowed saving the panorama directly to Photosynth (http://www.photosynth.net/ ).

Given that when I last tried out photo synthesis I was not pleased with the results. ( In hindsight I believe I was not using it correctly )

The results were amazing and although rough on the edges I had my first panorama. ( Remember I did not know what to look for when clicking the photos )

The software I just spoke about can be downloaded from below links.

http://research.microsoft.com/en-us/um/redmond/groups/ivm/ice/

http://www.photosynth.net/

Next stop. Creating more panoramas.

- Sachin Filinto

Edit : Found another way to view and share high-resolution imagery http://zoom.it/ also from microsoft & using Windows Azure and Microsoft Silverlight.

Edit 2 : For the people who have asked, Yes thats Pangong Tso Lake which was featured in the movie 3 Idiots

Always SSL when using Hotmail

2011-03-28T13:00:00Z

Many years back I setup ISA Server ( V 2000 ) in proxy mode for a customer. Playing around with it I saw how easy it was to eavesdrop on any e-mail & IM traffic ( MSN & Yahoo ) leaving the corporate network via the ISA Proxy. Capturing the password might have been difficult, but there was virtually nothing preventing the Administrator from getting a record of all e-mail & IM traffic sent by their users.

This always Played on my mind as a result of which I am always very particular of what network I use to check my personal e-mail accounts ( Hotmail, Yahoo ) as well as to log in to Instant messengers. This becomes difficult when I travel ( been doing it a lot) especially when outside the country where my data card will not work.

Over the years I tried a couple of ways to trick my favourite e-mail provider to talk ‘SSL only’ to my browser. But besides the login page most other pages after authenticating go http.

Last week I found a nice feature in my Hotmail account setting. Which I turned on immediately.

Works like a charm. And now my mind is more at ease when checking Hotmail over un-trusted networks.

As a Downside, the Hotmail stopped working on my windows mobile 6.5 phone. ( but works on Windows Phone 7 )

Now I wish other free e-mail provides provide the same.

- Sachin Filinto

Sharing files with users on the internet using fuselabs

2011-03-26T16:57:00Z

Given that everything is now moving to being cloud based, I tried using DriveSpace for sharing an excel file with a relative.
Unfortunately I did not know her Live ID ( dint even know if she had one ) but went ahead and sent an invite to her gmail address ( that’s the one she uses ).
Ideally she would need to link her gmail ID to a windows live ID (http://en.wikipedia.org/wiki/Windows_live_id ) after which she would be able to access the file, but something went wrong and she was not able to get access.

Given that she was using Gmail, another way would have been for me to use a Gmail account for sharing the file over google docs. But i dont use Gmail.

Solution:

Docs for Facebook from Fuselabs to the rescue (http://fuse.microsoft.com/ ) with this I can now upload a document to fuselabs & give anybody with a facebook account ( and on my friend list ) access to it.

Yes I know I could use gmail docs for sharing the file, but choose not to for multiple reasons. 1) what if that person does not have a gmail account ? 2) google docs mess up office documents formatting 3) don’t quite like google’s reputation when it comes to privacy on the internet.

To try it out yourself at http://docs.com/

- Sachin Filinto

Random Technical Artices By Sachin Filinto

Patching Exchange 2010 Servers

Some Quick Leanings of Exchange 2013

Executing Exchange PowerShell commands from a CMD Prompt

A Quick Note on ADMT Versions & Pre-requisites.

Moving to a new forest and retaining the same SMTP domain ( with native scripts ) - Part II

3. Moving the Active Directory account using ADMT

4. The Actual Move of Mailboxes.

MRSProxy or NO MRSProxy

Command to Move the Mailbox across the forests ( pull the mailbox from source forest to the target forest )

5. Ensuring Mail flow between source & target during the co-existence phase.

6. Additional configuration needed.

Moving to a new forest and retaining the same SMTP domain ( with native scripts ) - Part I

1. Some Basics

a. proxyaddresses & targetaddress

b. Mail Enabled User ( MEU )

2. Preparing for the actual mailbox move to the target forest.

Architecting Virtual Workloads - Exchange 2010

My first Panorama

Always SSL when using Hotmail

Sharing files with users on the internet using fuselabs