$HTS = (Get-ExchangeServer | ?{$_.IsHubTransportServer -eq "True"}); while ($true){foreach ($HT in $HTS){Get-queue -server $HT | ?{$_.MessageCount -gt "0" -and $_.DeliveryType -ne "ShadowRedundancy"}}; write-host -foregroundcolor green "Next..."; sleep 15}
Database Size Limit in GB script
EMS to set the database size limit in the registry
$DBsize = "200"
$loc = get-location
[string]$server = $env:computername
$var1 = "HKLM:\System\CurrentControlSet\services\MSExchangeIS\"
$var2 = "\"
$var3 = "Database Size Limit In GB"
$var4 = “*Database Size Limit In GB*”
$var5 = "\Logstate"
$regkeys = (Get-ChildItem -path $var1$server)
Set-location -path REGISTRY::
foreach ($regkey in $regkeys){
$key = (Get-ItemProperty -path $regkey); if ($key -notlike $var4){New-ItemProperty -path $regkey -name $var3 -value $DBsize -PropertyTYpe "DWord"}
}
Remove-itemProperty $var1$server$Var5 -name $var3 -confirm:$false
set-location -path $loc
$loc = get-location
[string]$server = $env:computername
$var1 = "HKLM:\System\CurrentControlSet\services\MSExchangeIS\"
$var2 = "\"
$var3 = "Database Size Limit In GB"
$var4 = “*Database Size Limit In GB*”
$var5 = "\Logstate"
$regkeys = (Get-ChildItem -path $var1$server)
Set-location -path REGISTRY::
foreach ($regkey in $regkeys){
$key = (Get-ItemProperty -path $regkey); if ($key -notlike $var4){New-ItemProperty -path $regkey -name $var3 -value $DBsize -PropertyTYpe "DWord"}
}
Remove-itemProperty $var1$server$Var5 -name $var3 -confirm:$false
set-location -path $loc
Method not allowed
Method not allowed
Whilst trying to perform DAG tasks in an Exchange 2010 environment (suspending replication, moving an active database copy), I was getting some warnings (in yellow) as follows:
WARNING: The cmdlet extension agent with the index 0 has thrown an exception in OnComplete(). The exception is:
System.Net.WebException: The request failed with HTTP status 405: Method Not Allowed.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.b__3()
at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocolclient, AuthenticateAndExecuteHandler`1 handler)
at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.FindFolder(FindFolderType FindFolder1)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer..ctor(OrganizationId organizationId, ADUser adUser, ExchangePrincipal principal)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.Create(OrganizationId organizationId, ADUser mailbox, ExchangePrincipal principal)
at Microsoft.Exchange.ProvisioningAgent.AdminLogAgentClassFactory.ConfigWrapper.get_MailboxLogger()
at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.OnComplete(Boolean succeeded, Exception e)
at Microsoft.Exchange.Provisioning.ProvisioningLayer.OnComplete(Task task, Boolean succeeded, Exception exception)
They were just warnings, but I still needed to get to the bottom of them as they indicate a problem.
The crux of this is the “The request failed with HTTP status 405: Method Not Allowed” – implying to me an authentication problem. I was suspecting that the hardware load balancers were at fault. I understood that the action that I was doing would have result in Autodiscover being updated (or attempted updating). I examined the authentication types on the Autodiscover virtual directory and tested direct connectivity by tricking my client with a hosts file entry. This ruled out the load balancers as I still got the error. Nothing was amiss with the vdirs or authentication. This was also not limited to one CAS server, thus reducing the likelihood of it being an IIS that simply needed recycling. I had deliberately set the external url on the Autodiscover virtual directory when I installed Exchange 2010 into the environment so that the existing clients didn’t get any impact from an untested service. That testing has been successfully completed, so it is now safe to expose clients to Autodiscover and that is what fixed it.
In my case the above warning message actually meant “The external url of the Autodiscover Virtual Directory is blank”. Obvious really, eh? I populated the external url for all the new Exchange 2010 CAS servers and that’s the end of the warnings.
Whilst trying to perform DAG tasks in an Exchange 2010 environment (suspending replication, moving an active database copy), I was getting some warnings (in yellow) as follows:
WARNING: The cmdlet extension agent with the index 0 has thrown an exception in OnComplete(). The exception is:
System.Net.WebException: The request failed with HTTP status 405: Method Not Allowed.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.Exchange.SoapWebClient.CustomSoapHttpClientProtocol.<>c__DisplayClass4.
at Microsoft.Exchange.SoapWebClient.HttpAuthenticator.NetworkServiceHttpAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocol client, AuthenticateAndExecuteHandler`1 handler)
at Microsoft.Exchange.SoapWebClient.SoapHttpClientAuthenticator.AuthenticateAndExecute[T](SoapHttpClientProtocolclient, AuthenticateAndExecuteHandler`1 handler)
at Microsoft.Exchange.SoapWebClient.EWS.ExchangeServiceBinding.FindFolder(FindFolderType FindFolder1)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer.GetAdminAuditLogsFolder(ADUser adUser)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.EwsMailer..ctor(OrganizationId organizationId, ADUser adUser, ExchangePrincipal principal)
at Microsoft.Exchange.ProvisioningAgent.MailboxLoggerFactory.Create(OrganizationId organizationId, ADUser mailbox, ExchangePrincipal principal)
at Microsoft.Exchange.ProvisioningAgent.AdminLogAgentClassFactory.ConfigWrapper.get_MailboxLogger()
at Microsoft.Exchange.ProvisioningAgent.AdminLogProvisioningHandler.OnComplete(Boolean succeeded, Exception e)
at Microsoft.Exchange.Provisioning.ProvisioningLayer.OnComplete(Task task, Boolean succeeded, Exception exception)
They were just warnings, but I still needed to get to the bottom of them as they indicate a problem.
The crux of this is the “The request failed with HTTP status 405: Method Not Allowed” – implying to me an authentication problem. I was suspecting that the hardware load balancers were at fault. I understood that the action that I was doing would have result in Autodiscover being updated (or attempted updating). I examined the authentication types on the Autodiscover virtual directory and tested direct connectivity by tricking my client with a hosts file entry. This ruled out the load balancers as I still got the error. Nothing was amiss with the vdirs or authentication. This was also not limited to one CAS server, thus reducing the likelihood of it being an IIS that simply needed recycling. I had deliberately set the external url on the Autodiscover virtual directory when I installed Exchange 2010 into the environment so that the existing clients didn’t get any impact from an untested service. That testing has been successfully completed, so it is now safe to expose clients to Autodiscover and that is what fixed it.
In my case the above warning message actually meant “The external url of the Autodiscover Virtual Directory is blank”. Obvious really, eh? I populated the external url for all the new Exchange 2010 CAS servers and that’s the end of the warnings.
Relay Connectors & multi-valued properties
I’ve been working with Receive connectors, specifically relay connectors.
101 Relay Connectors – A basic Receive Connector can be used to allow hosts to relay internally. By adding an AD Permission, you can allow hosts to relay externally. So why not create two relay connectors?
New-ReceiveConnector -Server -RemoteIPRanges 1.2.3.4 -Name "Allowed to Relay Internally HTS_Server" -AuthMechanism Tls, BasicAuth -PermissionGroups AnonymousUsers -MaxMessageSize 20MB -Bindings 0.0.0.0:25,:::25
New-ReceiveConnector -Server -RemoteIPRanges 6.7.8.9 -Name "Allowed to Relay Externally HTS_Server" -AuthMechanism Tls, BasicAuth -PermissionGroups AnonymousUsers -MaxMessageSize 20MB -Bindings 0.0.0.0:25,:::25
Get-ReceiveConnector | ?{$_.name -like "Allowed to Relay Externally*"} | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
So now we have Relay Connectors, but adding IP Addresses to them is not such a simple task. When you use Set-ReceiveConnector –RemoteIPRanges the existing values get overwritten.
I tried to apply the instruction given in article http://technet.microsoft.com/en-gb/library/bb684908(v=exchg.150).aspx as follows:
Set-ReceiveConnector <RelayConnector> –RemoteIPRanges @{Add=”1.2.3.4”}
It should have worked. But it didn’t :-(
So I tried this instead: http://exchangepedia.com/2007/02/how-to-update-multi-valued-attributes-in-powershell.html as follows:
$var= Get-ReceiveConnector <RelayConnector>; $var.RemoteIPRanges +=”1.2.3.4”; $var | Set-ReceiveConnector "RelayConnector"
And even:
$var= Get-ReceiveConnector <RelayConnector>; Get-Content .\IPs.txt | foreach {$rc.RemoteIPRanges += "$_"}; $var | Set-ReceiveConnector
Still no joy :-(
I don't want to have to do this in EMC. I may have a load of addresses to add. And the trouble with listing them is that the buffer size of the Exchange Management Shell causes the field to be truncated. Even after using Out-String. So what’s the quickest and easiest way to append IP addresses to a receive connector?
By using the ‘View Exchange Management Shell Command Log’ (http://technet.microsoft.com/en-gb/library/ee332355.aspx). If you add one IP address (e.g. 1.2.3.4) then you’ll see the command that was run to add it, listing all the existing values. Copy, paste, massage in notepad and use in EMS to add the additional IP addresses or ranges. E.g.:
Set-ReceiveConnector -Identity 'SERVER01\Allowed to Relay Internally SERVER01' -RemoteIPRanges '1.2.3.4', '2.3.4.5'
And then to list multiple IP addresses or address ranges in a Receive Connector's RemoteIPRanges property:
(Get-ReceiveConnector "RelayConnector").RemoteIPRanges | ft Lowerbound,Upperbound,RangeFormat -AutoSize
101 Relay Connectors – A basic Receive Connector can be used to allow hosts to relay internally. By adding an AD Permission, you can allow hosts to relay externally. So why not create two relay connectors?
New-ReceiveConnector -Server
New-ReceiveConnector -Server
Get-ReceiveConnector | ?{$_.name -like "Allowed to Relay Externally*"} | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
So now we have Relay Connectors, but adding IP Addresses to them is not such a simple task. When you use Set-ReceiveConnector –RemoteIPRanges the existing values get overwritten.
I tried to apply the instruction given in article http://technet.microsoft.com/en-gb/library/bb684908(v=exchg.150).aspx as follows:
Set-ReceiveConnector <RelayConnector> –RemoteIPRanges @{Add=”1.2.3.4”}
It should have worked. But it didn’t :-(
So I tried this instead: http://exchangepedia.com/2007/02/how-to-update-multi-valued-attributes-in-powershell.html as follows:
$var= Get-ReceiveConnector <RelayConnector>; $var.RemoteIPRanges +=”1.2.3.4”; $var | Set-ReceiveConnector "RelayConnector"
And even:
$var= Get-ReceiveConnector <RelayConnector>; Get-Content .\IPs.txt | foreach {$rc.RemoteIPRanges += "$_"}; $var | Set-ReceiveConnector
Still no joy :-(
I don't want to have to do this in EMC. I may have a load of addresses to add. And the trouble with listing them is that the buffer size of the Exchange Management Shell causes the field to be truncated. Even after using Out-String. So what’s the quickest and easiest way to append IP addresses to a receive connector?
By using the ‘View Exchange Management Shell Command Log’ (http://technet.microsoft.com/en-gb/library/ee332355.aspx). If you add one IP address (e.g. 1.2.3.4) then you’ll see the command that was run to add it, listing all the existing values. Copy, paste, massage in notepad and use in EMS to add the additional IP addresses or ranges. E.g.:
Set-ReceiveConnector -Identity 'SERVER01\Allowed to Relay Internally SERVER01' -RemoteIPRanges '1.2.3.4', '2.3.4.5'
And then to list multiple IP addresses or address ranges in a Receive Connector's RemoteIPRanges property:
(Get-ReceiveConnector "RelayConnector").RemoteIPRanges | ft Lowerbound,Upperbound,RangeFormat -AutoSize
Powershell remoting
I always configure my new Exchange servers for remote management and Powershell remoting but also run commands on each server. Sometimes these are commands that I want to run in a disconnected session but the default for MaxShellsPerUser is set to 5, which can cause issues with running remote scripts. The value is by design as per this article (http://blogs.msdn.com/b/powershell/archive/2010/05/03/configuring-wsman-limits.aspx) but if you know what you're doing (and you should do if you're trying to overcome this problem) then raising the value to 25 is not harmful. Unfortunately I couldn't do this remotely (by design to prevent malicious reconfiguration), but it's a simple one liner on each server:
$l = Get-Location; cd WSMan:\localhost\Shell; Set-Item .\MaxShellsPerUser 25; dir; Set-Location $l
If I break that down - assigning the current location to a variable just allows us to return to the same place afterwards; change to WSMan path; modify the value; show some output; return to the original location
Now I can run remote commands without exceeding the MaxShells limit, such as this one for restarting the Exchange Transport service on multiple servers:
$s = new-pssession -computername SERVER1, SERVER2, SERVER3
invoke-command -session $s {$h = Restart-Service MSExchangeTransport}
exit-pssession
More info on Powershell remoting can be found at:
http://technet.microsoft.com/en-us/library/dd819505.aspx
$l = Get-Location; cd WSMan:\localhost\Shell; Set-Item .\MaxShellsPerUser 25; dir; Set-Location $l
If I break that down - assigning the current location to a variable just allows us to return to the same place afterwards; change to WSMan path; modify the value; show some output; return to the original location
Now I can run remote commands without exceeding the MaxShells limit, such as this one for restarting the Exchange Transport service on multiple servers:
$s = new-pssession -computername SERVER1, SERVER2, SERVER3
invoke-command -session $s {$h = Restart-Service MSExchangeTransport}
exit-pssession
More info on Powershell remoting can be found at:
http://technet.microsoft.com/en-us/library/dd819505.aspx
Exchange 2010 bits and pieces
Here are a few bits and pieces for optimizing an Exchange 2010 deployment:
Moving the Transport Database and Queue (e.g. to a fast disk):
cd $exscripts; .\Move-TransportDatabase.ps1 -queueDatabasePath "T:\TransportRoles\Data\Queue\DB" -queueDatabaseLoggingPath "T:\TransportRoles\Data\Queue\Logs"
Note: Do not create the folders! You can create the root folders but NOT the host folders (e.g. In above I mean do NOT create 'DB' or 'Logs' folders)
Configure the Cluster Account environment variables (Local System on Windows 2008 R2) to a dedicated volume:
Set-ItemProperty -path "REGISTRY::\HKEY_USERS\S-1-5-18\Environment" -name TMP -value T:\Temp; Set-ItemProperty -path "REGISTRY::\HKEY_USERS\S-1-5-18\Environment" -name TEMP -value T:\Temp
Notice that the above is using the Set-ItemProperty with the registry and specifically with HKEY_USERS. That wasn’t easy to work out how to target!
Configure Cluster parameters:
Import-module FailoverClusters; (Get-Cluster).SameSubnetThreshold=10; (Get-Cluster).SameSubnetDelay=1000
Configure ClusterLog size:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name ClusterLogSize -Value 32 -Type DWord
Moving the Transport Database and Queue (e.g. to a fast disk):
cd $exscripts; .\Move-TransportDatabase.ps1 -queueDatabasePath "T:\TransportRoles\Data\Queue\DB" -queueDatabaseLoggingPath "T:\TransportRoles\Data\Queue\Logs"
Note: Do not create the folders! You can create the root folders but NOT the host folders (e.g. In above I mean do NOT create 'DB' or 'Logs' folders)
Configure the Cluster Account environment variables (Local System on Windows 2008 R2) to a dedicated volume:
Set-ItemProperty -path "REGISTRY::\HKEY_USERS\S-1-5-18\Environment" -name TMP -value T:\Temp; Set-ItemProperty -path "REGISTRY::\HKEY_USERS\S-1-5-18\Environment" -name TEMP -value T:\Temp
Notice that the above is using the Set-ItemProperty with the registry and specifically with HKEY_USERS. That wasn’t easy to work out how to target!
Configure Cluster parameters:
Import-module FailoverClusters; (Get-Cluster).SameSubnetThreshold=10; (Get-Cluster).SameSubnetDelay=1000
Configure ClusterLog size:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name ClusterLogSize -Value 32 -Type DWord
Create mailboxes with EMS
I couldn't find my script for setting up test mailboxes for an Exchange 2010 environment that I am working on, so I had to re-write it. Sometimes it's just quicker to go back to the drawing board!
My scenario is that I have 30 databases and I want to create one mailbox per database. I also want to keep these at the end of the GAL so as not to upset existing users, so I'm naming them 'zztestuser' with a number appended.
So that I can run this quickly without having to input anything, I am first converting a plain text password to a secure string and using it throughout the script. Once it is defined as a variable I can re-use it again and again. So the first two lines do that bit and then it's all quite repetitive. I used Excel with the Concatenate function to put it all together, but the fields in Excel have their limitations, so a mix of Excel and Notepad with the 'replace' feature work well.
Here is my script for creating 30 new mailboxes with one in each database. Copy the code, modify as appropriate and save to a ps1.
$PlainPassword = "P@ssw0rd"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText –Force
New-Mailbox -Name 'zztestuser01' -Alias 'zztestuser01' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser01@domain.com' -SamAccountName 'testuser01' -FirstName 'zztestuser' -Initials '' -LastName '01' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB01'
New-Mailbox -Name 'zztestuser02' -Alias 'zztestuser02' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser02@domain.com' -SamAccountName 'testuser02' -FirstName 'zztestuser' -Initials '' -LastName '02' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB02'
New-Mailbox -Name 'zztestuser03' -Alias 'zztestuser03' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser03@domain.com' -SamAccountName 'testuser03' -FirstName 'zztestuser' -Initials '' -LastName '03' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB03'
New-Mailbox -Name 'zztestuser04' -Alias 'zztestuser04' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser04@domain.com' -SamAccountName 'testuser04' -FirstName 'zztestuser' -Initials '' -LastName '04' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB04'
New-Mailbox -Name 'zztestuser05' -Alias 'zztestuser05' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser05@domain.com' -SamAccountName 'testuser05' -FirstName 'zztestuser' -Initials '' -LastName '05' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB05'
New-Mailbox -Name 'zztestuser06' -Alias 'zztestuser06' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser06@domain.com' -SamAccountName 'testuser06' -FirstName 'zztestuser' -Initials '' -LastName '06' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB06'
New-Mailbox -Name 'zztestuser07' -Alias 'zztestuser07' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser07@domain.com' -SamAccountName 'testuser07' -FirstName 'zztestuser' -Initials '' -LastName '07' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB07'
New-Mailbox -Name 'zztestuser08' -Alias 'zztestuser08' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser08@domain.com' -SamAccountName 'testuser08' -FirstName 'zztestuser' -Initials '' -LastName '08' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB08'
New-Mailbox -Name 'zztestuser09' -Alias 'zztestuser09' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser09@domain.com' -SamAccountName 'testuser09' -FirstName 'zztestuser' -Initials '' -LastName '09' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB09'
New-Mailbox -Name 'zztestuser10' -Alias 'zztestuser10' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser10@domain.com' -SamAccountName 'testuser10' -FirstName 'zztestuser' -Initials '' -LastName '10' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB10'
New-Mailbox -Name 'zztestuser11' -Alias 'zztestuser11' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser11@domain.com' -SamAccountName 'testuser11' -FirstName 'zztestuser' -Initials '' -LastName '11' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB11'
New-Mailbox -Name 'zztestuser12' -Alias 'zztestuser12' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser12@domain.com' -SamAccountName 'testuser12' -FirstName 'zztestuser' -Initials '' -LastName '12' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB12'
New-Mailbox -Name 'zztestuser13' -Alias 'zztestuser13' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser13@domain.com' -SamAccountName 'testuser13' -FirstName 'zztestuser' -Initials '' -LastName '13' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB13'
New-Mailbox -Name 'zztestuser14' -Alias 'zztestuser14' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser14@domain.com' -SamAccountName 'testuser14' -FirstName 'zztestuser' -Initials '' -LastName '14' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB14'
New-Mailbox -Name 'zztestuser15' -Alias 'zztestuser15' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser15@domain.com' -SamAccountName 'testuser15' -FirstName 'zztestuser' -Initials '' -LastName '15' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB15'
New-Mailbox -Name 'zztestuser16' -Alias 'zztestuser16' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser16@domain.com' -SamAccountName 'testuser16' -FirstName 'zztestuser' -Initials '' -LastName '16' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB16'
New-Mailbox -Name 'zztestuser17' -Alias 'zztestuser17' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser17@domain.com' -SamAccountName 'testuser17' -FirstName 'zztestuser' -Initials '' -LastName '17' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB17'
New-Mailbox -Name 'zztestuser18' -Alias 'zztestuser18' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser18@domain.com' -SamAccountName 'testuser18' -FirstName 'zztestuser' -Initials '' -LastName '18' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB18'
New-Mailbox -Name 'zztestuser19' -Alias 'zztestuser19' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser19@domain.com' -SamAccountName 'testuser19' -FirstName 'zztestuser' -Initials '' -LastName '19' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB19'
New-Mailbox -Name 'zztestuser20' -Alias 'zztestuser20' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser20@domain.com' -SamAccountName 'testuser20' -FirstName 'zztestuser' -Initials '' -LastName '20' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB20'
New-Mailbox -Name 'zztestuser21' -Alias 'zztestuser21' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser21@domain.com' -SamAccountName 'testuser21' -FirstName 'zztestuser' -Initials '' -LastName '21' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB21'
New-Mailbox -Name 'zztestuser22' -Alias 'zztestuser22' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser22@domain.com' -SamAccountName 'testuser22' -FirstName 'zztestuser' -Initials '' -LastName '22' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB22'
New-Mailbox -Name 'zztestuser23' -Alias 'zztestuser23' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser23@domain.com' -SamAccountName 'testuser23' -FirstName 'zztestuser' -Initials '' -LastName '23' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB23'
New-Mailbox -Name 'zztestuser24' -Alias 'zztestuser24' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser24@domain.com' -SamAccountName 'testuser24' -FirstName 'zztestuser' -Initials '' -LastName '24' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB24'
New-Mailbox -Name 'zztestuser25' -Alias 'zztestuser25' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser25@domain.com' -SamAccountName 'testuser25' -FirstName 'zztestuser' -Initials '' -LastName '25' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB25'
New-Mailbox -Name 'zztestuser26' -Alias 'zztestuser26' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser26@domain.com' -SamAccountName 'testuser26' -FirstName 'zztestuser' -Initials '' -LastName '26' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB26'
New-Mailbox -Name 'zztestuser27' -Alias 'zztestuser27' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser27@domain.com' -SamAccountName 'testuser27' -FirstName 'zztestuser' -Initials '' -LastName '27' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB27'
New-Mailbox -Name 'zztestuser28' -Alias 'zztestuser28' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser28@domain.com' -SamAccountName 'testuser28' -FirstName 'zztestuser' -Initials '' -LastName '28' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB28'
New-Mailbox -Name 'zztestuser29' -Alias 'zztestuser29' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser29@domain.com' -SamAccountName 'testuser29' -FirstName 'zztestuser' -Initials '' -LastName '29' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB29'
New-Mailbox -Name 'zztestuser30' -Alias 'zztestuser30' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser30@domain.com' -SamAccountName 'testuser30' -FirstName 'zztestuser' -Initials '' -LastName '30' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB30'
My scenario is that I have 30 databases and I want to create one mailbox per database. I also want to keep these at the end of the GAL so as not to upset existing users, so I'm naming them 'zztestuser' with a number appended.
So that I can run this quickly without having to input anything, I am first converting a plain text password to a secure string and using it throughout the script. Once it is defined as a variable I can re-use it again and again. So the first two lines do that bit and then it's all quite repetitive. I used Excel with the Concatenate function to put it all together, but the fields in Excel have their limitations, so a mix of Excel and Notepad with the 'replace' feature work well.
Here is my script for creating 30 new mailboxes with one in each database. Copy the code, modify as appropriate and save to a ps1.
$PlainPassword = "P@ssw0rd"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText –Force
New-Mailbox -Name 'zztestuser01' -Alias 'zztestuser01' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser01@domain.com' -SamAccountName 'testuser01' -FirstName 'zztestuser' -Initials '' -LastName '01' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB01'
New-Mailbox -Name 'zztestuser02' -Alias 'zztestuser02' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser02@domain.com' -SamAccountName 'testuser02' -FirstName 'zztestuser' -Initials '' -LastName '02' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB02'
New-Mailbox -Name 'zztestuser03' -Alias 'zztestuser03' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser03@domain.com' -SamAccountName 'testuser03' -FirstName 'zztestuser' -Initials '' -LastName '03' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB03'
New-Mailbox -Name 'zztestuser04' -Alias 'zztestuser04' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser04@domain.com' -SamAccountName 'testuser04' -FirstName 'zztestuser' -Initials '' -LastName '04' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB04'
New-Mailbox -Name 'zztestuser05' -Alias 'zztestuser05' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser05@domain.com' -SamAccountName 'testuser05' -FirstName 'zztestuser' -Initials '' -LastName '05' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB05'
New-Mailbox -Name 'zztestuser06' -Alias 'zztestuser06' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser06@domain.com' -SamAccountName 'testuser06' -FirstName 'zztestuser' -Initials '' -LastName '06' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB06'
New-Mailbox -Name 'zztestuser07' -Alias 'zztestuser07' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser07@domain.com' -SamAccountName 'testuser07' -FirstName 'zztestuser' -Initials '' -LastName '07' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB07'
New-Mailbox -Name 'zztestuser08' -Alias 'zztestuser08' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser08@domain.com' -SamAccountName 'testuser08' -FirstName 'zztestuser' -Initials '' -LastName '08' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB08'
New-Mailbox -Name 'zztestuser09' -Alias 'zztestuser09' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser09@domain.com' -SamAccountName 'testuser09' -FirstName 'zztestuser' -Initials '' -LastName '09' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB09'
New-Mailbox -Name 'zztestuser10' -Alias 'zztestuser10' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser10@domain.com' -SamAccountName 'testuser10' -FirstName 'zztestuser' -Initials '' -LastName '10' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB10'
New-Mailbox -Name 'zztestuser11' -Alias 'zztestuser11' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser11@domain.com' -SamAccountName 'testuser11' -FirstName 'zztestuser' -Initials '' -LastName '11' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB11'
New-Mailbox -Name 'zztestuser12' -Alias 'zztestuser12' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser12@domain.com' -SamAccountName 'testuser12' -FirstName 'zztestuser' -Initials '' -LastName '12' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB12'
New-Mailbox -Name 'zztestuser13' -Alias 'zztestuser13' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser13@domain.com' -SamAccountName 'testuser13' -FirstName 'zztestuser' -Initials '' -LastName '13' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB13'
New-Mailbox -Name 'zztestuser14' -Alias 'zztestuser14' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser14@domain.com' -SamAccountName 'testuser14' -FirstName 'zztestuser' -Initials '' -LastName '14' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB14'
New-Mailbox -Name 'zztestuser15' -Alias 'zztestuser15' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser15@domain.com' -SamAccountName 'testuser15' -FirstName 'zztestuser' -Initials '' -LastName '15' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB15'
New-Mailbox -Name 'zztestuser16' -Alias 'zztestuser16' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser16@domain.com' -SamAccountName 'testuser16' -FirstName 'zztestuser' -Initials '' -LastName '16' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB16'
New-Mailbox -Name 'zztestuser17' -Alias 'zztestuser17' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser17@domain.com' -SamAccountName 'testuser17' -FirstName 'zztestuser' -Initials '' -LastName '17' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB17'
New-Mailbox -Name 'zztestuser18' -Alias 'zztestuser18' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser18@domain.com' -SamAccountName 'testuser18' -FirstName 'zztestuser' -Initials '' -LastName '18' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB18'
New-Mailbox -Name 'zztestuser19' -Alias 'zztestuser19' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser19@domain.com' -SamAccountName 'testuser19' -FirstName 'zztestuser' -Initials '' -LastName '19' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB19'
New-Mailbox -Name 'zztestuser20' -Alias 'zztestuser20' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser20@domain.com' -SamAccountName 'testuser20' -FirstName 'zztestuser' -Initials '' -LastName '20' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB20'
New-Mailbox -Name 'zztestuser21' -Alias 'zztestuser21' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser21@domain.com' -SamAccountName 'testuser21' -FirstName 'zztestuser' -Initials '' -LastName '21' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB21'
New-Mailbox -Name 'zztestuser22' -Alias 'zztestuser22' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser22@domain.com' -SamAccountName 'testuser22' -FirstName 'zztestuser' -Initials '' -LastName '22' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB22'
New-Mailbox -Name 'zztestuser23' -Alias 'zztestuser23' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser23@domain.com' -SamAccountName 'testuser23' -FirstName 'zztestuser' -Initials '' -LastName '23' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB23'
New-Mailbox -Name 'zztestuser24' -Alias 'zztestuser24' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser24@domain.com' -SamAccountName 'testuser24' -FirstName 'zztestuser' -Initials '' -LastName '24' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB24'
New-Mailbox -Name 'zztestuser25' -Alias 'zztestuser25' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser25@domain.com' -SamAccountName 'testuser25' -FirstName 'zztestuser' -Initials '' -LastName '25' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB25'
New-Mailbox -Name 'zztestuser26' -Alias 'zztestuser26' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser26@domain.com' -SamAccountName 'testuser26' -FirstName 'zztestuser' -Initials '' -LastName '26' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB26'
New-Mailbox -Name 'zztestuser27' -Alias 'zztestuser27' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser27@domain.com' -SamAccountName 'testuser27' -FirstName 'zztestuser' -Initials '' -LastName '27' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB27'
New-Mailbox -Name 'zztestuser28' -Alias 'zztestuser28' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser28@domain.com' -SamAccountName 'testuser28' -FirstName 'zztestuser' -Initials '' -LastName '28' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB28'
New-Mailbox -Name 'zztestuser29' -Alias 'zztestuser29' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser29@domain.com' -SamAccountName 'testuser29' -FirstName 'zztestuser' -Initials '' -LastName '29' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB29'
New-Mailbox -Name 'zztestuser30' -Alias 'zztestuser30' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser30@domain.com' -SamAccountName 'testuser30' -FirstName 'zztestuser' -Initials '' -LastName '30' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB30'
Exchange and Adobe iFilters
*N.B. this is an old article and may no longer be relevant*
(Note: This article refers to Exchange 2007 and Exchange 2010)
The full set of IFilters installed with Exchange out of the box include Microsoft Office documents (e.g. doc/docx, xls/xlsx, ppt/pptx), Email message formats (e.g. msg, eml), HTML and text formats. These are used on Hub Transport servers (when filtering attachments using Transport Rules) and Mailbox servers (for indexing attachments).
Third Party iFilters can be added and as per http://blogs.technet.com/b/exchange/archive/2009/05/11/3407435.aspx, Adobe PDF is one of the most common.
Adobe provide the iFilters as a downloadable, installable package: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025
which also needs registering. The following article summarizes how to do that: http:// marksmith.netrends.com/Lists/Posts/Post.aspx?List=d0ef1a62%2D8e97%2D484a%2D9053%2D7acda05534cb&ID=93&Web=2dee96c1%2D5fed%2D439e%2Db530%2D37626608d03e. However, it doesn’t quite go far enough. There are some steps to do afterwards and two of them involve modifying registry permissions.
I decided that these were two steps that could be automated by Powershell, so set about doing that. The method used is straight off of Technet; that is, using get-acl to ingest the current permissions and then set-acl to add to them. The code for setting Read access for the Network Service on the two relevant keys for the Adobe iFilters is as follows:
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\NETWORK SERVICE","ReadKey","Allow")
$acl1 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl1.SetAccessRule($rule)
$acl1 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl2 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
$acl2.SetAccessRule($rule)
$acl2 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
You can save the above to a script and run it after registering the Adobe iFilters or you can incorporate it into one script (enhancing the one by Mark E. Smith) so that the full script looks like this:
# save as Register-Adobe-PDF-filter.ps1
#
# Download installation from: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025
# Refer to: http://blogs.technet.com/b/exchange/archive/2009/05/11/3407435.aspx
# Adobe iFilter Directory Path
$iFilterDirName = "C:\Program Files\Adobe\Adobe PDF IFilter 9 for 64-bit platforms\bin"
# Get the original path environment variable
$original = (Get-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Environment" Path).Path
# Add the ifilter path
Set-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Environment" Path -value ( $original + ";" + $iFilterDirName )
$CLSIDKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID"
$FiltersKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters"
# Filter DLL Locations
$pdfFilterLocation = “PDFFilter.dll"
# Filter GUIDs
$PDFGuid ="{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
# Create CLSIDs
Write-Host "Creating CLSIDs..."
New-Item -Path $CLSIDKey -Name $PDFGuid -Value $pdfFilterLocation -Type String
# Set Threading model
Write-Host "Setting threading model..."
New-ItemProperty -Path "$CLSIDKey\$PDFGuid" -Name "ThreadingModel" -Value "Both" -Type String
# Set Flags
Write-Host "Setting Flags..."
New-ItemProperty -Path "$CLSIDKey\$PDFGuid" -Name "Flags" -Value "1" -Type Dword
# Create Filter Entries
Write-Host "Creating Filter Entries..."
# These are the entries for commonly exchange formats
New-Item -Path $FiltersKey -Name ".pdf" -Value $PDFGuid -Type String
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\NETWORK SERVICE","ReadKey","Allow")
$acl1 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl1.SetAccessRule($rule)
$acl1 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl2 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
$acl2.SetAccessRule($rule)
$acl2 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
Write-Host -foregroundcolor Green "The NETWORK SERVICE has been granted read access to the following registry keys:`n$CLSIDKey\$PDFGuid`n$FiltersKey\.pdf"
Write-Host " "
Write-Host -foregroundcolor Yellow "Next, reboot the Exchange Server
- after which you need to rebuild the search indexes using the precanned script:"
Write-Host " "
Write-Host -foregroundcolor White "cd $exscripts; .\ResetSearchIndex.ps1 –Force –All"
Write-Host " "
Write-Host -foregroundcolor Green "Then wait for the indexes to be rebuilt before initiating a search.
Repeat this process on each Mailbox Server and Hub Transport in the organization"
Write-Host " "
Write-Host -foregroundcolor Yellow "Note: The permissions on the keys above for NETWORK SERVICE are required on the Hub Transport role (or multi-roled server that hosts the Hub role) so that transport rules can do PDF attachment filtering"
(Note: This article refers to Exchange 2007 and Exchange 2010)
The full set of IFilters installed with Exchange out of the box include Microsoft Office documents (e.g. doc/docx, xls/xlsx, ppt/pptx), Email message formats (e.g. msg, eml), HTML and text formats. These are used on Hub Transport servers (when filtering attachments using Transport Rules) and Mailbox servers (for indexing attachments).
Third Party iFilters can be added and as per http://blogs.technet.com/b/exchange/archive/2009/05/11/3407435.aspx, Adobe PDF is one of the most common.
Adobe provide the iFilters as a downloadable, installable package: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025
which also needs registering. The following article summarizes how to do that: http:// marksmith.netrends.com/Lists/Posts/Post.aspx?List=d0ef1a62%2D8e97%2D484a%2D9053%2D7acda05534cb&ID=93&Web=2dee96c1%2D5fed%2D439e%2Db530%2D37626608d03e. However, it doesn’t quite go far enough. There are some steps to do afterwards and two of them involve modifying registry permissions.
I decided that these were two steps that could be automated by Powershell, so set about doing that. The method used is straight off of Technet; that is, using get-acl to ingest the current permissions and then set-acl to add to them. The code for setting Read access for the Network Service on the two relevant keys for the Adobe iFilters is as follows:
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\NETWORK SERVICE","ReadKey","Allow")
$acl1 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl1.SetAccessRule($rule)
$acl1 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl2 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
$acl2.SetAccessRule($rule)
$acl2 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
You can save the above to a script and run it after registering the Adobe iFilters or you can incorporate it into one script (enhancing the one by Mark E. Smith) so that the full script looks like this:
# save as Register-Adobe-PDF-filter.ps1
#
# Download installation from: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025
# Refer to: http://blogs.technet.com/b/exchange/archive/2009/05/11/3407435.aspx
# Adobe iFilter Directory Path
$iFilterDirName = "C:\Program Files\Adobe\Adobe PDF IFilter 9 for 64-bit platforms\bin"
# Get the original path environment variable
$original = (Get-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Environment" Path).Path
# Add the ifilter path
Set-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Environment" Path -value ( $original + ";" + $iFilterDirName )
$CLSIDKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID"
$FiltersKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters"
# Filter DLL Locations
$pdfFilterLocation = “PDFFilter.dll"
# Filter GUIDs
$PDFGuid ="{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
# Create CLSIDs
Write-Host "Creating CLSIDs..."
New-Item -Path $CLSIDKey -Name $PDFGuid -Value $pdfFilterLocation -Type String
# Set Threading model
Write-Host "Setting threading model..."
New-ItemProperty -Path "$CLSIDKey\$PDFGuid" -Name "ThreadingModel" -Value "Both" -Type String
# Set Flags
Write-Host "Setting Flags..."
New-ItemProperty -Path "$CLSIDKey\$PDFGuid" -Name "Flags" -Value "1" -Type Dword
# Create Filter Entries
Write-Host "Creating Filter Entries..."
# These are the entries for commonly exchange formats
New-Item -Path $FiltersKey -Name ".pdf" -Value $PDFGuid -Type String
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\NETWORK SERVICE","ReadKey","Allow")
$acl1 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl1.SetAccessRule($rule)
$acl1 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl2 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
$acl2.SetAccessRule($rule)
$acl2 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
Write-Host -foregroundcolor Green "The NETWORK SERVICE has been granted read access to the following registry keys:`n$CLSIDKey\$PDFGuid`n$FiltersKey\.pdf"
Write-Host " "
Write-Host -foregroundcolor Yellow "Next, reboot the Exchange Server
- after which you need to rebuild the search indexes using the precanned script:"
Write-Host " "
Write-Host -foregroundcolor White "cd $exscripts; .\ResetSearchIndex.ps1 –Force –All"
Write-Host " "
Write-Host -foregroundcolor Green "Then wait for the indexes to be rebuilt before initiating a search.
Repeat this process on each Mailbox Server and Hub Transport in the organization"
Write-Host " "
Write-Host -foregroundcolor Yellow "Note: The permissions on the keys above for NETWORK SERVICE are required on the Hub Transport role (or multi-roled server that hosts the Hub role) so that transport rules can do PDF attachment filtering"
Windows Disk Timeouts (Ex2010)
*N.B. this is an old article and may no longer be relevant*
As per the following article, MS make recommendations regarding storage for the Exchange 2010 MBX role:
http://technet.microsoft.com/en-us/library/ee832792(v=exchg.141).aspx
This post pertains specifically to the recommendation for the disk timeout value. By default this is set at 60 seconds. For DAS or SAN this should be modified to 20 seconds. I have created a one liner to do this:
Set-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\services\Disk -name TimeOutValue -value 20
More info on the topic can be found here:
http://blogs.msdn.com/b/san/archive/2011/09/01/the-windows-disk-timeout-value-understanding-why-this-should-be-set-to-a-small-value.aspx
Note that the information is omitted from the Exchange 2013 version of the Technet article:
http://technet.microsoft.com/en-us/library/ee832792.aspx
Don't ask me why. I can't see that it wouldn't still be relevant. If you're looking at this in reference to Exchange 2013, read the blog and make up your own mind. Personally, I would still set it to 20 seconds in the absence of specific advice.
Wow. Is it only five to four? I've got another five minutes of work. Time for a coffee...
As per the following article, MS make recommendations regarding storage for the Exchange 2010 MBX role:
http://technet.microsoft.com/en-us/library/ee832792(v=exchg.141).aspx
This post pertains specifically to the recommendation for the disk timeout value. By default this is set at 60 seconds. For DAS or SAN this should be modified to 20 seconds. I have created a one liner to do this:
Set-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\services\Disk -name TimeOutValue -value 20
More info on the topic can be found here:
http://blogs.msdn.com/b/san/archive/2011/09/01/the-windows-disk-timeout-value-understanding-why-this-should-be-set-to-a-small-value.aspx
Note that the information is omitted from the Exchange 2013 version of the Technet article:
http://technet.microsoft.com/en-us/library/ee832792.aspx
Don't ask me why. I can't see that it wouldn't still be relevant. If you're looking at this in reference to Exchange 2013, read the blog and make up your own mind. Personally, I would still set it to 20 seconds in the absence of specific advice.
Wow. Is it only five to four? I've got another five minutes of work. Time for a coffee...
Exchange Links
Bringing the Exchange Links back to the top of the list...
We're on Exchange 2010 SP3 now: http://blogs.technet.com/b/exchange/archive/2013/02/12/released-exchange-server-2010-sp3.aspx which can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=36768 (Exchange 2013 CU1 is needed for upgrading)
Checking Exchange schema versions - http://social.technet.microsoft.com/wiki/contents/articles/2772.exchange-schema-versions-common-questions-answers.aspx
How to check the version of a Microsoft Exchange Server – RIM KB20412 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB20412
GCM exsetup |%{$_.Fileversioninfo}
Exchange server and Update Rollups build numbers - http://social.technet.microsoft.com/wiki/contents/articles/240.exchange-server-and-update-rollups-build-numbers.aspx
File-Level Antivirus Scanning on Exchange 2010 - http://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx
Proper virus exclusions for servers hosting the OAB - http://blogs.msdn.com/b/dgoldman/archive/2010/05/12/proper-virus-exclusions-for-servers-hosting-the-oab.aspx
Exchange 2010 datacenter switchover tool now available - http://blogs.technet.com/b/exchange/archive/2012/10/19/exchange-2010-datacenter-switchover-troubleshooter-now-available.aspx
RBAC: Walkthrough of creating a role that can wipe ActiveSync Devices - http://blogs.technet.com/b/exchange/archive/2012/09/12/rbac-walkthrough-of-creating-a-role-that-can-wipe-activesync-devices.aspx
Exchange, Stubbing, and Database Space Reclamation - http://blogs.technet.com/b/exchange/archive/2012/08/27/exchange-stubbing-and-database-space-reclamation.aspx
Exchange Server 2010 Monitoring Management Pack re-released - http://blogs.technet.com/b/exchange/archive/2012/09/06/exchange-server-2010-monitoring-management-pack-re-released.aspx
TimMcmichael's blog (Microsoft) which contains some good Datacenter Activation Coordination articles: http://blogs.technet.com/b/timmcmic/
Creating ActiveSync Device Access Rules Based on User Agent in Exchange Server 2010 - http://exchangeserverpro.com/activesync-device-access-rules-user-agent
Get-DAGHealth.ps1 – Database Availability Group Health Check Script - http://exchangeserverpro.com/get-daghealth-ps1-database-availability-group-health-check-script
PowerShell Tip: Fix All Failed Exchange Database Content Indexes - http://exchangeserverpro.com/fix-all-failed-exchange-database-content-indexes
Download Free Exchange PowerShell Scripts - http://exchangeserverpro.com/powershell
How to Deal with SSL Requirements for Exchange when Certificate Authorities Won’t Issue You a Certificate (Using a Name No Longer Valid Under New Rules) - http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate
One liners: List All Users Who Have Send-As Access To Other Mailboxes - http://www.ehloworld.com/1643
Maximum number of Exchange accounts in an Outlook profile - http://www.slipstick.com/exchange/maximum-number-exchange-accounts-outlook-profile/
Changing the default *.pst and *.ost sizes - http://www.slipstick.com/outlook/config/changing-the-default-pst-and-ost-sizes/
Organizational Forms Library in Exchange 2010 - http://www.slipstick.com/exchange/2010-exs/organizational-forms-library-exchange-2010/
Outlook is slow when using mapped drives - http://www.slipstick.com/outlook/outlook-2010/outlook-slow-mapped-drives/
How to successfully add and seed a database copy: http://blogs.technet.com/b/timmcmic/archive/2012/12/04/exchange-2010-adding-database-copies-to-databases-with-a-single-copy-results-in-copy-status-failed-after-seeding-is-completed.aspx
Datacenter switchover - http://technet.microsoft.com/en-us/library/dd351049
RPC Client Access Cross-Site Connectivity Changes - http://blogs.technet.com/b/exchange/archive/2012/05/30/rpc-client-access-cross-site-connectivity-changes.aspx
PowerShell Script to Generate Email Traffic in a Test Lab Environment - http://www.mikepfeiffer.net/2011/08/testing-exchange-autodiscover-with-powershell-and-the-ews-managed-api/
Powershell Script for Collection Events Logs from multiple servers and generating a single html report - http://blogs.technet.com/b/parallel_universe_-_ms_tech_blog/archive/2011/09/29/powershell-script-for-collection-events-logs-from-multiple-servers-and-generating-a-single-html-report.aspx
Shell variables - e.g. $ExBin, $ExScripts - http://technet.microsoft.com/en-us/library/bb124036.aspx
Three ways to tighten OWA 2010 security - http://searchexchange.techtarget.com/tip/Three-ways-to-tighten-OWA-2010-security
PST Capture 2.0 - http://blogs.technet.com/b/exchange/archive/2013/02/22/time-to-go-pst-hunting-with-the-new-pst-capture-2-0.aspx
We're on Exchange 2010 SP3 now: http://blogs.technet.com/b/exchange/archive/2013/02/12/released-exchange-server-2010-sp3.aspx which can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=36768 (Exchange 2013 CU1 is needed for upgrading)
Checking Exchange schema versions - http://social.technet.microsoft.com/wiki/contents/articles/2772.exchange-schema-versions-common-questions-answers.aspx
How to check the version of a Microsoft Exchange Server – RIM KB20412 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB20412
GCM exsetup |%{$_.Fileversioninfo}
Exchange server and Update Rollups build numbers - http://social.technet.microsoft.com/wiki/contents/articles/240.exchange-server-and-update-rollups-build-numbers.aspx
File-Level Antivirus Scanning on Exchange 2010 - http://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx
Proper virus exclusions for servers hosting the OAB - http://blogs.msdn.com/b/dgoldman/archive/2010/05/12/proper-virus-exclusions-for-servers-hosting-the-oab.aspx
Exchange 2010 datacenter switchover tool now available - http://blogs.technet.com/b/exchange/archive/2012/10/19/exchange-2010-datacenter-switchover-troubleshooter-now-available.aspx
RBAC: Walkthrough of creating a role that can wipe ActiveSync Devices - http://blogs.technet.com/b/exchange/archive/2012/09/12/rbac-walkthrough-of-creating-a-role-that-can-wipe-activesync-devices.aspx
Exchange, Stubbing, and Database Space Reclamation - http://blogs.technet.com/b/exchange/archive/2012/08/27/exchange-stubbing-and-database-space-reclamation.aspx
Exchange Server 2010 Monitoring Management Pack re-released - http://blogs.technet.com/b/exchange/archive/2012/09/06/exchange-server-2010-monitoring-management-pack-re-released.aspx
TimMcmichael's blog (Microsoft) which contains some good Datacenter Activation Coordination articles: http://blogs.technet.com/b/timmcmic/
Creating ActiveSync Device Access Rules Based on User Agent in Exchange Server 2010 - http://exchangeserverpro.com/activesync-device-access-rules-user-agent
Get-DAGHealth.ps1 – Database Availability Group Health Check Script - http://exchangeserverpro.com/get-daghealth-ps1-database-availability-group-health-check-script
PowerShell Tip: Fix All Failed Exchange Database Content Indexes - http://exchangeserverpro.com/fix-all-failed-exchange-database-content-indexes
Download Free Exchange PowerShell Scripts - http://exchangeserverpro.com/powershell
How to Deal with SSL Requirements for Exchange when Certificate Authorities Won’t Issue You a Certificate (Using a Name No Longer Valid Under New Rules) - http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate
One liners: List All Users Who Have Send-As Access To Other Mailboxes - http://www.ehloworld.com/1643
Maximum number of Exchange accounts in an Outlook profile - http://www.slipstick.com/exchange/maximum-number-exchange-accounts-outlook-profile/
Changing the default *.pst and *.ost sizes - http://www.slipstick.com/outlook/config/changing-the-default-pst-and-ost-sizes/
Organizational Forms Library in Exchange 2010 - http://www.slipstick.com/exchange/2010-exs/organizational-forms-library-exchange-2010/
Outlook is slow when using mapped drives - http://www.slipstick.com/outlook/outlook-2010/outlook-slow-mapped-drives/
How to successfully add and seed a database copy: http://blogs.technet.com/b/timmcmic/archive/2012/12/04/exchange-2010-adding-database-copies-to-databases-with-a-single-copy-results-in-copy-status-failed-after-seeding-is-completed.aspx
Datacenter switchover - http://technet.microsoft.com/en-us/library/dd351049
RPC Client Access Cross-Site Connectivity Changes - http://blogs.technet.com/b/exchange/archive/2012/05/30/rpc-client-access-cross-site-connectivity-changes.aspx
PowerShell Script to Generate Email Traffic in a Test Lab Environment - http://www.mikepfeiffer.net/2011/08/testing-exchange-autodiscover-with-powershell-and-the-ews-managed-api/
Powershell Script for Collection Events Logs from multiple servers and generating a single html report - http://blogs.technet.com/b/parallel_universe_-_ms_tech_blog/archive/2011/09/29/powershell-script-for-collection-events-logs-from-multiple-servers-and-generating-a-single-html-report.aspx
Shell variables - e.g. $ExBin, $ExScripts - http://technet.microsoft.com/en-us/library/bb124036.aspx
Three ways to tighten OWA 2010 security - http://searchexchange.techtarget.com/tip/Three-ways-to-tighten-OWA-2010-security
PST Capture 2.0 - http://blogs.technet.com/b/exchange/archive/2013/02/22/time-to-go-pst-hunting-with-the-new-pst-capture-2-0.aspx
Exchange Page File setting
*N.B. this is an old article and may no longer be relevant*
This post is to clear up any ambiguity regarding the recommended Page File settings for an Exchange server. If you search online for a solution you will find all sorts of answers (and of course if it's on t'internet then they must be right).
The short answer is to set the minimum and the maximum to the amount of RAM plus 10MB.
That answer can be found posted by Microsoft here:
http://technet.microsoft.com/en-us/library/cc431357.aspx
It states there - "As documented in the Exchange 2007 System Requirements and Exchange 2010 System Requirements, the recommended paging file size is equal to the amount of RAM in the server plus 10 MB."
It also states - "To prevent page file fragmentation, we recommend that you set the paging file size initial and maximum values to be the same value. If you reduce the size of either the initial or maximum page file settings, you must restart your computer to see the effects of those changes. Increases typically do not require a restart."
This post is to clear up any ambiguity regarding the recommended Page File settings for an Exchange server. If you search online for a solution you will find all sorts of answers (and of course if it's on t'internet then they must be right).
The short answer is to set the minimum and the maximum to the amount of RAM plus 10MB.
That answer can be found posted by Microsoft here:
http://technet.microsoft.com/en-us/library/cc431357.aspx
It states there - "As documented in the Exchange 2007 System Requirements and Exchange 2010 System Requirements, the recommended paging file size is equal to the amount of RAM in the server plus 10 MB."
It also states - "To prevent page file fragmentation, we recommend that you set the paging file size initial and maximum values to be the same value. If you reduce the size of either the initial or maximum page file settings, you must restart your computer to see the effects of those changes. Increases typically do not require a restart."
Creating a custom Management Role Group
*N.B. this is an old article and may no longer be relevant*
Here's a post on creating a custom Management Role Group for a 1st Line support desk using the following blog entry as guidance:
http://msexchangeteam.com/archive/2009/11/16/453222.aspx
The customer requirement is:
1st Line should be able to create mailboxes / mail contacts / mail users and disable them but must not be able to remove them. They will not be doing mailbox moves or any Public Folder management. The pre-canned Recipient Management role therefore doesn’t fit the bill as they would have too many rights. The scope is the whole Organization, which is the default scope anyway.
Step 1 – Determine what to base your new custom role on. I chose Recipient Management.
Step 2 – Examine what Management Roles you want from that Role Group. I opted for Mail Recipient Creation, Mail Recipients & Recipient Policies as these are appropriate from the list (BTW, I got the list from ECP/Administrator Roles):
Recipient Management
Members of this management role group have rights to create, manage and remove Exchange recipient objects in the Exchange organization.
Assigned roles:
..........Distribution Groups
..........Mail Enabled Public Folders
..........Mail Recipient Creation
..........Mail Recipients
..........Message Tracking
..........Migration
..........Move Mailboxes
..........Recipient Policies
Step 3 – Examine the Management Roles and determine what Management Role Entries you want to keep (Management Role Entries are the cmdlets that can be performed if you have this Management Role assigned to you) . These cmdlets help you:
Get-ManagementRoleEntry "Mail Recipient Creation\*" | select Name | out-file c:\support\Mail_Recipient_Creation.txt
Get-ManagementRoleEntry "Mail Recipients\*" | select Name | out-file c:\support\Mail_Recipients.txt
Get-ManagementRoleEntry "Recipient Policies\*" | select Name | out-file c:\support\Recipient_Policies.txt
Here is an example of the Management Role Entries (this is the one for Recipient Policies):
Write-AdminAuditLog
Set-ThrottlingPolicyAssociation
Set-ThrottlingPolicy
Set-OwaMailboxPolicy
Set-ActiveSyncMailboxPolicy
Remove-ThrottlingPolicy
Remove-OwaMailboxPolicy
Remove-ActiveSyncMailboxPolicy
New-ThrottlingPolicy
New-OwaMailboxPolicy
New-ActiveSyncMailboxPolicy
Get-ThrottlingPolicyAssociation
Get-OwaMailboxPolicy
Get-DomainController
Get-DetailsTemplate
Get-CASMailbox
Get-ActiveSyncMailboxPolicy
I examined them (with the client) and we came up with a list of things to keep. Most things apart from ‘remove’ and stuff to do with ‘RemoteMailbox’.
Step 4 – Create new Management Roles that are children of existing roles:
New-ManagementRole -Name "1stLineMailRecipientCreation" -Parent "Mail Recipient Creation"
New-ManagementRole -Name "1stLineMailRecipients" -Parent "Mail Recipients"
New-ManagementRole -Name "1stLineRecipientPolicies" -Parent "Recipient Policies"
Step 5 – Strip the new Management Roles of all Management Role Entries apart from one (it is a requirement to keep at least one):
Get-ManagementRoleEntry "1stLineMailRecipientCreation\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "1stLineMailRecipients\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "1stLineRecipientPolicies\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Step 6 – Add in the Management Role Entries selected in Step 3 above. I put them into a ps1 file and the three attachments to this message include the cmdlets for doing this. Here are examples of three cmdlets from the scripts (I could have put all of them into one ps1 file, but this is complicated enough already):
Add-ManagementRoleEntry "1stLineMailRecipientCreation\New-Mailbox"
Add-ManagementRoleEntry "1stLineMailRecipients\Set-User"
Add-ManagementRoleEntry "1stLineRecipientPolicies\New-ActiveSyncMailboxPolicy"
Step 7 – Create a new Role Group (called “1st Line”) and add the new Management Roles to it:
New-RoleGroup "1st Line" -Roles 1stLineMailRecipientCreation,1stLineMailRecipients,1stLineRecipientPolicies –Description “Members of this group can create new mailboxes”
I can now see the new Role Group in ECP (see below).
In AD you’ll also find it in the Microsoft Exchange Security Groups OU (see below).
It sounds simple now that I read this, but it took a couple of hours to get to this point, so this post is as much to remind me the next time as it is to save you the hassle of working out how to do it.
Here's a post on creating a custom Management Role Group for a 1st Line support desk using the following blog entry as guidance:
http://msexchangeteam.com/archive/2009/11/16/453222.aspx
The customer requirement is:
1st Line should be able to create mailboxes / mail contacts / mail users and disable them but must not be able to remove them. They will not be doing mailbox moves or any Public Folder management. The pre-canned Recipient Management role therefore doesn’t fit the bill as they would have too many rights. The scope is the whole Organization, which is the default scope anyway.
Step 1 – Determine what to base your new custom role on. I chose Recipient Management.
Step 2 – Examine what Management Roles you want from that Role Group. I opted for Mail Recipient Creation, Mail Recipients & Recipient Policies as these are appropriate from the list (BTW, I got the list from ECP/Administrator Roles):
Recipient Management
Members of this management role group have rights to create, manage and remove Exchange recipient objects in the Exchange organization.
Assigned roles:
..........Distribution Groups
..........Mail Enabled Public Folders
..........Mail Recipient Creation
..........Mail Recipients
..........Message Tracking
..........Migration
..........Move Mailboxes
..........Recipient Policies
Step 3 – Examine the Management Roles and determine what Management Role Entries you want to keep (Management Role Entries are the cmdlets that can be performed if you have this Management Role assigned to you) . These cmdlets help you:
Get-ManagementRoleEntry "Mail Recipient Creation\*" | select Name | out-file c:\support\Mail_Recipient_Creation.txt
Get-ManagementRoleEntry "Mail Recipients\*" | select Name | out-file c:\support\Mail_Recipients.txt
Get-ManagementRoleEntry "Recipient Policies\*" | select Name | out-file c:\support\Recipient_Policies.txt
Here is an example of the Management Role Entries (this is the one for Recipient Policies):
Write-AdminAuditLog
Set-ThrottlingPolicyAssociation
Set-ThrottlingPolicy
Set-OwaMailboxPolicy
Set-ActiveSyncMailboxPolicy
Remove-ThrottlingPolicy
Remove-OwaMailboxPolicy
Remove-ActiveSyncMailboxPolicy
New-ThrottlingPolicy
New-OwaMailboxPolicy
New-ActiveSyncMailboxPolicy
Get-ThrottlingPolicyAssociation
Get-OwaMailboxPolicy
Get-DomainController
Get-DetailsTemplate
Get-CASMailbox
Get-ActiveSyncMailboxPolicy
I examined them (with the client) and we came up with a list of things to keep. Most things apart from ‘remove’ and stuff to do with ‘RemoteMailbox’.
Step 4 – Create new Management Roles that are children of existing roles:
New-ManagementRole -Name "1stLineMailRecipientCreation" -Parent "Mail Recipient Creation"
New-ManagementRole -Name "1stLineMailRecipients" -Parent "Mail Recipients"
New-ManagementRole -Name "1stLineRecipientPolicies" -Parent "Recipient Policies"
Step 5 – Strip the new Management Roles of all Management Role Entries apart from one (it is a requirement to keep at least one):
Get-ManagementRoleEntry "1stLineMailRecipientCreation\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "1stLineMailRecipients\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "1stLineRecipientPolicies\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Step 6 – Add in the Management Role Entries selected in Step 3 above. I put them into a ps1 file and the three attachments to this message include the cmdlets for doing this. Here are examples of three cmdlets from the scripts (I could have put all of them into one ps1 file, but this is complicated enough already):
Add-ManagementRoleEntry "1stLineMailRecipientCreation\New-Mailbox"
Add-ManagementRoleEntry "1stLineMailRecipients\Set-User"
Add-ManagementRoleEntry "1stLineRecipientPolicies\New-ActiveSyncMailboxPolicy"
Step 7 – Create a new Role Group (called “1st Line”) and add the new Management Roles to it:
New-RoleGroup "1st Line" -Roles 1stLineMailRecipientCreation,1stLineMailRecipients,1stLineRecipientPolicies –Description “Members of this group can create new mailboxes”
I can now see the new Role Group in ECP (see below).
In AD you’ll also find it in the Microsoft Exchange Security Groups OU (see below).
It sounds simple now that I read this, but it took a couple of hours to get to this point, so this post is as much to remind me the next time as it is to save you the hassle of working out how to do it.
Cat6e cables
*N.B. this is an old article and may no longer be relevant*
I don't normally post about hardware, but I had an e-mail from Bob a while back and think it's worth sharing:
"Started to wonder why Cat6e cable from CPC is like £100 and the “same” stuff of ebay is much cheaper – It’s because the more expensive stuff uses solid copper and the cheaper stuff is known as CCA (Copper clad aluminium)
A bit of googling:
“The use of CCA wire directly contravenes both CAT5e and CAT6 specifications which denote the use of copper conductors. CCA wire is not a copper conductor. Organizations supplying CCA as CAT5e and CAT6 network cables should examine very carefully if they are in compliance with the sales of goods act”
http://www.cetecglobal.com/technologies/cabling/cca.htm
Same goes for patch leads as well, so watch what you order."
So the lesson is not to buy Cat6e cables from Hong Kong or Shanghai for 99p with free postage!
Nice one Dave.
Simples (squeak).
I don't normally post about hardware, but I had an e-mail from Bob a while back and think it's worth sharing:
"Started to wonder why Cat6e cable from CPC is like £100 and the “same” stuff of ebay is much cheaper – It’s because the more expensive stuff uses solid copper and the cheaper stuff is known as CCA (Copper clad aluminium)
A bit of googling:
“The use of CCA wire directly contravenes both CAT5e and CAT6 specifications which denote the use of copper conductors. CCA wire is not a copper conductor. Organizations supplying CCA as CAT5e and CAT6 network cables should examine very carefully if they are in compliance with the sales of goods act”
http://www.cetecglobal.com/technologies/cabling/cca.htm
Same goes for patch leads as well, so watch what you order."
So the lesson is not to buy Cat6e cables from Hong Kong or Shanghai for 99p with free postage!
Nice one Dave.
Simples (squeak).
Exchange 2010 to 2003
*N.B. this is an old article and may no longer be relevant*
An FYI with regards to moving mailboxes from Exchange 2010 back to Exchange 2003.
If you do this through EMC, you cannot monitor it through EMS. It thinks that no move requests exist.
When you try and do this through EMS, it won’t recognize the Exchange 2003 Target Database. In order to select an Exchange 2003 Mailbox Database you have to specify it’s GUID. The ways to do this that I found on the web either didn’t work or were too cumbersome.
So I looked in the Exchange Management Shell log and found a command that EMC had run to identify the database and found that you can get the database GUID from there. Put it all together and what you get is:
Get-MailboxDataBase -IncludePreExchange2010 | select identity,guid
Simples (as Bob would say).
So now I can insert the database GUID into my EMS move request:
New-MoveRequest -TargetDatabase "a10a12b3-2469-23ca-35ad-ea21acebd0e4" -BadItemLimit 100 -AcceptLargeDataLoss
And hey presto, I can monitor the move request process with the following:
moverequests = get-MoveRequest ; foreach ($moverequest in $moverequests) {Get-MoveRequestStatistics $moverequest | select Alias,DisplayName,StartTimestamp,TotalQueuedDuration,PercentComplete,BytesTransferred,StatusDetail,SourceDatabase,TargetDatabase,Status,TotalinProgressDuration,OverallDuration}
or stick it in a script that refreshes (e.g. Monitor-MoveRequests.ps1):
$moverequests = get-MoveRequest ; get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}
$A = (get-host).UI.RawUI
$A.WindowTitle = "Monitor Mailbox Move requests"
$B = $A.windowsize
$B.width = 150
$B.height = 65
$A.WindowSize = $B
while ($true) {cls; foreach ($moverequest in $moverequests) {Get-MoveRequestStatistics $moverequest | select Alias,DisplayName,StartTimestamp,TotalQueuedDuration,PercentComplete,BytesTransferred,StatusDetail,SourceDatabase,TargetDatabase,Status,TotalinProgressDuration,OverallDuration}
;sleep 5}
Note that I am throwing the last two scripts into the mix just to show off. I came up with this so that I can review mailbox moves through EMS as they are then reviewed in one window rather than opening and closing GUI windows to get them to refresh. Don't forget that your target Exchange 2003 mailbox database must have a valid System Mailbox or else the move will fail. If it doesn't have one but there is another Exchange 2003 mailbox database that does, move the mailbox to there and then move it again using System Manager.
N.B. Always test your rollback plan. It's better than an unforeseen forced new career plan!
An FYI with regards to moving mailboxes from Exchange 2010 back to Exchange 2003.
If you do this through EMC, you cannot monitor it through EMS. It thinks that no move requests exist.
When you try and do this through EMS, it won’t recognize the Exchange 2003 Target Database. In order to select an Exchange 2003 Mailbox Database you have to specify it’s GUID. The ways to do this that I found on the web either didn’t work or were too cumbersome.
So I looked in the Exchange Management Shell log and found a command that EMC had run to identify the database and found that you can get the database GUID from there. Put it all together and what you get is:
Get-MailboxDataBase -IncludePreExchange2010 | select identity,guid
Simples (as Bob would say).
So now I can insert the database GUID into my EMS move request:
New-MoveRequest
And hey presto, I can monitor the move request process with the following:
moverequests = get-MoveRequest ; foreach ($moverequest in $moverequests) {Get-MoveRequestStatistics $moverequest | select Alias,DisplayName,StartTimestamp,TotalQueuedDuration,PercentComplete,BytesTransferred,StatusDetail,SourceDatabase,TargetDatabase,Status,TotalinProgressDuration,OverallDuration}
or stick it in a script that refreshes (e.g. Monitor-MoveRequests.ps1):
$moverequests = get-MoveRequest ; get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}
$A = (get-host).UI.RawUI
$A.WindowTitle = "Monitor Mailbox Move requests"
$B = $A.windowsize
$B.width = 150
$B.height = 65
$A.WindowSize = $B
while ($true) {cls; foreach ($moverequest in $moverequests) {Get-MoveRequestStatistics $moverequest | select Alias,DisplayName,StartTimestamp,TotalQueuedDuration,PercentComplete,BytesTransferred,StatusDetail,SourceDatabase,TargetDatabase,Status,TotalinProgressDuration,OverallDuration}
;sleep 5}
Note that I am throwing the last two scripts into the mix just to show off. I came up with this so that I can review mailbox moves through EMS as they are then reviewed in one window rather than opening and closing GUI windows to get them to refresh. Don't forget that your target Exchange 2003 mailbox database must have a valid System Mailbox or else the move will fail. If it doesn't have one but there is another Exchange 2003 mailbox database that does, move the mailbox to there and then move it again using System Manager.
N.B. Always test your rollback plan. It's better than an unforeseen forced new career plan!
Certificate Revocation Checking problem
*N.B. this is an old article and may no longer be relevant*
I had an issue a while back with performing certificate revocation checking. The SAN cert installed wasn’t working because the VLAN the servers are on did not have direct internet access. I needed to get the proxy to allow my Exchange servers (which are using the System account to do CRL checking) unauthenticated access to *.verisgn.com and *.verisign.net
In order to do this I had to follow the information I found in my old colleague Marcin's blog (http://unified.swiatelski.com/2011/01/exchange-2010-certificate-status.html) which did just relay what Microsoft publish (http://technet.microsoft.com/en-us/library/bb430772.aspx) but with the added warning:
Notice: Please remember to set value of bypass-list parameter to your local Active Directory domain FQDN. If you pass over this part you won't be able to connect to your Exchange using Exchange Management Console nor PowerShell.
I would have put that in BOLD and possibly RED AND BOLD, because it is more than just a minor annoyance. Maybe even RED AND BOLD UNDERLINED.
Also noteworthy is the following blog with some tips and troubleshooting information for this scenario:
http://blogs.microsoft.co.il/blogs/yuval14/archive/2011/09/20/how-to-resolve-exchange-2010-error-message-the-certificate-status-could-not-be-determined-because-the-revocation-check-failed.aspx
And the following information that I deduced or gathered elsewhere:
· CRL checking is performed at random intervals, but after modifying winhttp settings, you should reboot the server and wait for up to an hour
· To view logging, go to Event Viewer, Applications and Services Log, Microsoft, Windows, CAPI2 and enable the operational log
· Set-ExchangeServer –InternetWebSettings should work, but doesn’t
I had an issue a while back with performing certificate revocation checking. The SAN cert installed wasn’t working because the VLAN the servers are on did not have direct internet access. I needed to get the proxy to allow my Exchange servers (which are using the System account to do CRL checking) unauthenticated access to *.verisgn.com and *.verisign.net
In order to do this I had to follow the information I found in my old colleague Marcin's blog (http://unified.swiatelski.com/2011/01/exchange-2010-certificate-status.html) which did just relay what Microsoft publish (http://technet.microsoft.com/en-us/library/bb430772.aspx) but with the added warning:
Notice: Please remember to set value of bypass-list parameter to your local Active Directory domain FQDN. If you pass over this part you won't be able to connect to your Exchange using Exchange Management Console nor PowerShell.
I would have put that in BOLD and possibly RED AND BOLD, because it is more than just a minor annoyance. Maybe even RED AND BOLD UNDERLINED.
Also noteworthy is the following blog with some tips and troubleshooting information for this scenario:
http://blogs.microsoft.co.il/blogs/yuval14/archive/2011/09/20/how-to-resolve-exchange-2010-error-message-the-certificate-status-could-not-be-determined-because-the-revocation-check-failed.aspx
And the following information that I deduced or gathered elsewhere:
· CRL checking is performed at random intervals, but after modifying winhttp settings, you should reboot the server and wait for up to an hour
· To view logging, go to Event Viewer, Applications and Services Log, Microsoft, Windows, CAPI2 and enable the operational log
· Set-ExchangeServer –InternetWebSettings should work, but doesn’t
Backing up IIS
*N.B. this is an old article and may no longer be relevant*
I came across this within a script tucked away on the Exchange Team blog downloads. I think it’s worth extracting and putting into its own script in case changes need to be made to IIS, as a rollback option. The following article goes into more detail about IIS behaviour and restoring from a backup:
http://blogs.iis.net/bills/archive/2008/03/24/how-to-backup-restore-iis7-configuration.aspx
Here’s the script. Save it as BackupIIS.ps1; it takes a minimicronanosecond to run.
function BackupIISConfig
{
Write-Host "Backing up current IIS configuration" -ForegroundColor green
pushd
Set-Location "$env:windir\System32\inetsrv"
$backup = "Exchange IIS Backup "+(get-date -format "MMddyyyy-hhmmss")
.\appcmd.exe ADD Backup $backup
Write-Host "Backup saved to: $env:windir\System32\inetsrv\backup\" -ForegroundColor Green
popd
}
BackupIISConfig
As I said, it's not my script and I'm not taking credit for it. But it's a good script and it's tucked away and I just thought that it would be useful to have it 'not' tucked away.
I came across this within a script tucked away on the Exchange Team blog downloads. I think it’s worth extracting and putting into its own script in case changes need to be made to IIS, as a rollback option. The following article goes into more detail about IIS behaviour and restoring from a backup:
http://blogs.iis.net/bills/archive/2008/03/24/how-to-backup-restore-iis7-configuration.aspx
Here’s the script. Save it as BackupIIS.ps1; it takes a minimicronanosecond to run.
function BackupIISConfig
{
Write-Host "Backing up current IIS configuration" -ForegroundColor green
pushd
Set-Location "$env:windir\System32\inetsrv"
$backup = "Exchange IIS Backup "+(get-date -format "MMddyyyy-hhmmss")
.\appcmd.exe ADD Backup $backup
Write-Host "Backup saved to: $env:windir\System32\inetsrv\backup\" -ForegroundColor Green
popd
}
BackupIISConfig
As I said, it's not my script and I'm not taking credit for it. But it's a good script and it's tucked away and I just thought that it would be useful to have it 'not' tucked away.
Exchange 2010 resetting diagnostics logging
*N.B. this is an old article and may no longer be relevant*
I’ve found a bug in Exchange 2010 where resetting Diagnostics Logging back to defaults basically doesn’t work. There’s a screenshot of the error at the end of this post.
<--fail-->
Anyway, moving on from that, I did some searching on Technet and it states that ‘Lowest’ is the default level for all those services. WRONG (double fail). It’s the default level except for the following which are set to ‘Low’:
MSExchange RBAC\RBAC
MSExchange ADAccess\Topology
MSExchange ADAccess\Validation
I searched and couldn’t find a script to report on the logging level as I wanted it or to reset the levels, so I came up with my own.
This one reports all services that are not set to lowest:
$exchangeservers = get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}; foreach ($exchangeserver in $exchangeservers){Get-EventLogLevel -Server $exchangeserver | ?{$_.EventLevel -ne "Lowest"}}
Here’s the best bit. This script will set all the Event Log levels back to default:
$exchangeservers = get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}; foreach ($exchangeserver in $exchangeservers){Get-EventLogLevel -Server $exchangeserver | ?{$_.Identity -like "*\MSExchange*"} | Set-EventLogLevel -Level Lowest -Confirm:$0; Get-EventLogLevel -Server $exchangeserver | ?{$_.Identity -like "*\MSExchange ADAccess\Topology"} | Set-EventLogLevel -Level Low -Confirm:$0 ; Get-EventLogLevel -Server $exchangeserver | ?{$_.Identity -like "*\MSExchange ADAccess\Validation"} | Set-EventLogLevel -Level Low -Confirm:$0 ; Get-EventLogLevel -Server $exchangeserver| ?{$_.Identity -like "*\MSExchange RBAC\RBAC"} | Set-EventLogLevel -Level Low -Confirm:$0}
I’ve found a bug in Exchange 2010 where resetting Diagnostics Logging back to defaults basically doesn’t work. There’s a screenshot of the error at the end of this post.
<--fail-->
Anyway, moving on from that, I did some searching on Technet and it states that ‘Lowest’ is the default level for all those services. WRONG (double fail). It’s the default level except for the following which are set to ‘Low’:
MSExchange RBAC\RBAC
MSExchange ADAccess\Topology
MSExchange ADAccess\Validation
I searched and couldn’t find a script to report on the logging level as I wanted it or to reset the levels, so I came up with my own.
This one reports all services that are not set to lowest:
$exchangeservers = get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}; foreach ($exchangeserver in $exchangeservers){Get-EventLogLevel -Server $exchangeserver | ?{$_.EventLevel -ne "Lowest"}}
Here’s the best bit. This script will set all the Event Log levels back to default:
$exchangeservers = get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}; foreach ($exchangeserver in $exchangeservers){Get-EventLogLevel -Server $exchangeserver | ?{$_.Identity -like "*\MSExchange*"} | Set-EventLogLevel -Level Lowest -Confirm:$0; Get-EventLogLevel -Server $exchangeserver | ?{$_.Identity -like "*\MSExchange ADAccess\Topology"} | Set-EventLogLevel -Level Low -Confirm:$0 ; Get-EventLogLevel -Server $exchangeserver | ?{$_.Identity -like "*\MSExchange ADAccess\Validation"} | Set-EventLogLevel -Level Low -Confirm:$0 ; Get-EventLogLevel -Server $exchangeserver| ?{$_.Identity -like "*\MSExchange RBAC\RBAC"} | Set-EventLogLevel -Level Low -Confirm:$0}
Preparing an Exchange 2010 DAG DR server
*N.B. this is an old article and may no longer be relevant*
Consider this scenario. You want to add an additional Exchange 2010 mailbox server that is going to be part of a DAG but you don’t want it to have any primary mailbox database copies e.g. a DR server that is only going to have database copies of activation preference 3
During installation you are forced to create a mailbox database. So here’s a simple way of achieving the goal.
My command to install the mailbox node is this:
C:\Installs\ExchangeMedia\Setup.com /mode:Install /Role:M /TargetDir:D:\Exchange /u:C:\Installs\ExchangeMedia\Updates /InstallWindowsComponents /MdbName:DefunctDB /DbFilePath:C:\Installs\DefunctDB.edb /LogFolderPath:C:\Installs
My command to tidy up the database and files after a reboot is this:
Remove-MailboxDatabase DefunctDB -Confirm:$false; del C:\installs\*.log; del c:\installs\*.edb; del c:\installs\*.jrs; del C:\installs\*.chk
Now you have a nice tidy mailbox server to add to your DAG and replicate mailbox databases to.
Consider this scenario. You want to add an additional Exchange 2010 mailbox server that is going to be part of a DAG but you don’t want it to have any primary mailbox database copies e.g. a DR server that is only going to have database copies of activation preference 3
During installation you are forced to create a mailbox database. So here’s a simple way of achieving the goal.
My command to install the mailbox node is this:
C:\Installs\ExchangeMedia\Setup.com /mode:Install /Role:M /TargetDir:D:\Exchange /u:C:\Installs\ExchangeMedia\Updates /InstallWindowsComponents /MdbName:DefunctDB /DbFilePath:C:\Installs\DefunctDB.edb /LogFolderPath:C:\Installs
My command to tidy up the database and files after a reboot is this:
Remove-MailboxDatabase DefunctDB -Confirm:$false; del C:\installs\*.log; del c:\installs\*.edb; del c:\installs\*.jrs; del C:\installs\*.chk
Now you have a nice tidy mailbox server to add to your DAG and replicate mailbox databases to.
Exchange 2010 First Public Folder Database
*N.B. this is an old article and may no longer be relevant*
The first Public Folder Database in Exchange 2010 gets assigned a random name and installed at the default location. This may be okay for many customers, but not most. So a bit of tidy up work is required. Fortunately Captain Powershell has it under control.
Get-PublicFolderDatabase -Server SERVER1 | Set-PublicFolderDatabase -Name PFDB01 ; Dismount-Database PFDB01 -Confirm:$false ; Move-DatabasePath PFDB01 -edbFilePath M:\ExchangeData\PFDB01\PFDB01.edb -LogFolderPath L:\ExchangeData\PFDB01LOGS -Confirm:$false ; Mount-DataBase PFDB01
(where SERVER1 is the name of the first mailbox server built into the environment)
Here’s my job log:
[PS] C:\Windows\system32>Get-PublicFolderDatabase
Name Server
---- ------
Public Folder Database 1399... SERVER1
[PS] C:\Windows\system32>Get-PublicFolderDatabase -Server SERVER1 | Set-PublicFolderDatabase -Name PFDB01 ; Dismount-Database PFDB01 -Confirm:$false ; Move-DatabasePath PFDB01 -edbFilePath M:\ExchangeData\PFDB01\PFDB01.edb -LogFolderPath L:\ExchangeData\PFDB01LOGS -Confirm:$false; Mount-DataBase PFDB01
[PS] C:\Windows\system32>Get-PublicFolderDatabase
Name Server
---- ------
PFDB01 SERVER1
I think the only way to improve on it would be to tidy up the empty folder left behind, but I’m not going to lose sleep over that.
The first Public Folder Database in Exchange 2010 gets assigned a random name and installed at the default location. This may be okay for many customers, but not most. So a bit of tidy up work is required. Fortunately Captain Powershell has it under control.
Get-PublicFolderDatabase -Server SERVER1 | Set-PublicFolderDatabase -Name PFDB01 ; Dismount-Database PFDB01 -Confirm:$false ; Move-DatabasePath PFDB01 -edbFilePath M:\ExchangeData\PFDB01\PFDB01.edb -LogFolderPath L:\ExchangeData\PFDB01LOGS -Confirm:$false ; Mount-DataBase PFDB01
(where SERVER1 is the name of the first mailbox server built into the environment)
Here’s my job log:
[PS] C:\Windows\system32>Get-PublicFolderDatabase
Name Server
---- ------
Public Folder Database 1399... SERVER1
[PS] C:\Windows\system32>Get-PublicFolderDatabase -Server SERVER1 | Set-PublicFolderDatabase -Name PFDB01 ; Dismount-Database PFDB01 -Confirm:$false ; Move-DatabasePath PFDB01 -edbFilePath M:\ExchangeData\PFDB01\PFDB01.edb -LogFolderPath L:\ExchangeData\PFDB01LOGS -Confirm:$false; Mount-DataBase PFDB01
[PS] C:\Windows\system32>Get-PublicFolderDatabase
Name Server
---- ------
PFDB01 SERVER1
I think the only way to improve on it would be to tidy up the empty folder left behind, but I’m not going to lose sleep over that.
MS Exchange RPC Client Access Service fails to start
*N.B. this is an old article and may no longer be relevant*
I had an issue with installing Exchange 2010 whereby installation took an age and the MS Exchange RPC Client Access service failed to start. I’ve had a similar issue in the past with DoubleTake, so applied the same troubleshooting and workaround.
To troubleshoot, I established that the MS Exchange RPC Client Access service is trying to listen on a particular port, so looked to see why that might not be able to. Firewall off, start MSExchangeRPC service – fail. Check for other software installed – (no AV) – the only other software is some asset management software called NetSupportDNA. Found the service for that, stopped the service, start MSExchangeRPC service – success, start NetSupportDNA service – success. Modified the service startup type for NetSupportDNA service to Automatic (delayed start) and for good measure added a dependency on the MSExchangeRPC service (new multistringvalue in regedit). A small screen capture is included at the end of this post.
During further Exchange server installations I’ll stop the NetSupportDNA service (it doesn’t need to be running all the time) and then modify the parameters before a server reboot (I exported the registry key and whittled it down to these two items).
The client finds this an acceptable workaround. I’ll need to do it on the mailbox servers as well as clients connect directly to them for Public Folders.
While this is a fairly specific problem, as I said at the beginning, I came across a similar issue previously so I’m really just highlighting the delayed start service startup type and how it can be used to workaround issues.
I had an issue with installing Exchange 2010 whereby installation took an age and the MS Exchange RPC Client Access service failed to start. I’ve had a similar issue in the past with DoubleTake, so applied the same troubleshooting and workaround.
To troubleshoot, I established that the MS Exchange RPC Client Access service is trying to listen on a particular port, so looked to see why that might not be able to. Firewall off, start MSExchangeRPC service – fail. Check for other software installed – (no AV) – the only other software is some asset management software called NetSupportDNA. Found the service for that, stopped the service, start MSExchangeRPC service – success, start NetSupportDNA service – success. Modified the service startup type for NetSupportDNA service to Automatic (delayed start) and for good measure added a dependency on the MSExchangeRPC service (new multistringvalue in regedit). A small screen capture is included at the end of this post.
During further Exchange server installations I’ll stop the NetSupportDNA service (it doesn’t need to be running all the time) and then modify the parameters before a server reboot (I exported the registry key and whittled it down to these two items).
The client finds this an acceptable workaround. I’ll need to do it on the mailbox servers as well as clients connect directly to them for Public Folders.
While this is a fairly specific problem, as I said at the beginning, I came across a similar issue previously so I’m really just highlighting the delayed start service startup type and how it can be used to workaround issues.
BES links (re: Exchange)
*N.B. this is an old article and may no longer be relevant*
I've compiled all the BES links that an Exchange Consultant could possibly want. If I've missed anything, then you're over-engineering it.
BlackBerry Enterprise Server Compatibility Matrix - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB22601
Recommended Microsoft Active Directory groups for the BlackBerry Enterprise Server service account – KB04557 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB12309
Some BlackBerry smartphone users are unable to receive emails after a mailbox move from Exchange 2007 to Exchange 2010 – KB32634 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB32539
How to install or upgrade the MAPI Client and Collaboration Data Objects 1.2.1 on the BlackBerry Enterprise Server – KB15779 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB10285
Restarting the BlackBerry Enterprise Server services may cause delays in message delivery – KB04789 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB03296
How to turn ON Global Catalog referrals on BlackBerry Enterprise server – KB16118 - http://technet.microsoft.com/en-us/library/ee332346.aspx
Search the Blackberry Knowledge Base - http://btsc.webapps.blackberry.com/btsc/microsites/microsite.do
I'm aware that RIM have (in the past) moved or deleted their KB articles. To this end I have created some very basic pdfs of the above articles and packed them in one zip file. You can download the zip file here. Wasn't that nice of me?
I've compiled all the BES links that an Exchange Consultant could possibly want. If I've missed anything, then you're over-engineering it.
BlackBerry Enterprise Server Compatibility Matrix - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB22601
Recommended Microsoft Active Directory groups for the BlackBerry Enterprise Server service account – KB04557 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB12309
Some BlackBerry smartphone users are unable to receive emails after a mailbox move from Exchange 2007 to Exchange 2010 – KB32634 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?noCount=true&externalId=KB32539
How to install or upgrade the MAPI Client and Collaboration Data Objects 1.2.1 on the BlackBerry Enterprise Server – KB15779 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB10285
Restarting the BlackBerry Enterprise Server services may cause delays in message delivery – KB04789 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB03296
How to turn ON Global Catalog referrals on BlackBerry Enterprise server – KB16118 - http://technet.microsoft.com/en-us/library/ee332346.aspx
Search the Blackberry Knowledge Base - http://btsc.webapps.blackberry.com/btsc/microsites/microsite.do
I'm aware that RIM have (in the past) moved or deleted their KB articles. To this end I have created some very basic pdfs of the above articles and packed them in one zip file. You can download the zip file here. Wasn't that nice of me?
Fixing Failed and Suspended DB copies
*N.B. this is an old article and may no longer be relevant*
I was looking for something in my archive e-mail and stumbled across this script for Exchange 2010.
One of the things I have observed is that database copies easily fail if you have repeated failovers and switchovers with little or no traffic. As what happens when you are testing a new environment.
http://www.cohesivelogic.com/2010/08/automatically-fixing-failedandsuspended-exchange-2010-databases-with-powershell/
It's not one of my scripts, so I'm not taking credit for it.
Here is the script listed in the article:
I don't know any rocket scientists, which is okay because it doesn't need one to work out that you need to replace "<path>" in the script with an appropriate folder name.
I was looking for something in my archive e-mail and stumbled across this script for Exchange 2010.
One of the things I have observed is that database copies easily fail if you have repeated failovers and switchovers with little or no traffic. As what happens when you are testing a new environment.
http://www.cohesivelogic.com/2010/08/automatically-fixing-failedandsuspended-exchange-2010-databases-with-powershell/
It's not one of my scripts, so I'm not taking credit for it.
Here is the script listed in the article:
add-pssnapin *0* -ErrorAction SilentlyContinue
$startstring="Start script run at: "
$startendtime=date
$startannounce=$startstring+$startendtime
Start-Transcript -Append -Force -Path 'C:\<path>\DBHealthFix.log'
$startannounce
#gets list of mailboxservers, locates 2010 servers, gets db copy status, finds copies that are failed, updates failed copies
$mailboxservers = get-mailboxserver | get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}
foreach ($mailboxserver in $mailboxservers){
get-mailboxdatabasecopystatus -Server $mailboxserver.name | ?{$_.Status -like 'FailedAndSuspended'} | update-mailboxdatabasecopy -deleteexistingfiles -confirm:$false
}
stop-transcript
I don't know any rocket scientists, which is okay because it doesn't need one to work out that you need to replace "<path>" in the script with an appropriate folder name.
Useful links (Lync & other)
Here are a few more useful links.
LYNC
Set-CsLync2013Prereqs.ps1 – Easily install prerequisites and tools for Microsoft Lync Server 2013 - http://www.ehloworld.com/1697
Lync products: http://www.techland.co.uk/ & http://www.vcomm.com/
OTHER
Mounting an ISO to a HP iLO over HTTP - http://torxsmind.blogspot.co.uk/search/label/iLO
LYNC
Set-CsLync2013Prereqs.ps1 – Easily install prerequisites and tools for Microsoft Lync Server 2013 - http://www.ehloworld.com/1697
Lync products: http://www.techland.co.uk/ & http://www.vcomm.com/
OTHER
Mounting an ISO to a HP iLO over HTTP - http://torxsmind.blogspot.co.uk/search/label/iLO
Exchange Management Shell tips
This article has been ported from my old TechBlog as it is still valid and useful.
I’ve used loops to perform repeated tasks before but hit a snag with one that I wanted to do. It’s easy to vary an object with a number variable. For example:
1..4 | Foreach-object {Get-ExchangeServer -Identity SERVER0"$_"}
returns SERVER01, SERVER02, SERVER03, SERVER04.
Simples as Bob would say.
But trying to do that in a command that is already incorporating quotes (because there are spaces) poses a new dilemma. What am I on about? Look at the following example:
Set-OWAVirtualDirectory -Identity "SERVER0"$_"\OWA (Default Web Site)" -ExternalUrl https://mail.company.com/owa
That won’t work.
Don’t panic Mr Mainwaring, don’t panic
I have a solution and it works a treat. Break up the text and define it as a variable(s). Like this:
$dir = "\OWA (Default Web Site)"; 1..4 | Foreach-object {Set-OWAVirtualDirectory -Identity SERVER0"$_"$dir -ExternalUrl https://mail.company.com/owa}
So that one liner basically does this:
Set-OWAVirtualDirectory -Identity SERVER01\OWA (Default Web Site) -ExternalUrl https://mail.company.com/owa
Set-OWAVirtualDirectory -Identity SERVER02\OWA (Default Web Site) -ExternalUrl https://mail.company.com/owa
Set-OWAVirtualDirectory -Identity SERVER03\OWA (Default Web Site) -ExternalUrl https://mail.company.com/owa
Set-OWAVirtualDirectory -Identity SERVER04\OWA (Default Web Site) -ExternalUrl https://mail.company.com/owa
I’ve used loops to perform repeated tasks before but hit a snag with one that I wanted to do. It’s easy to vary an object with a number variable. For example:
1..4 | Foreach-object {Get-ExchangeServer -Identity SERVER0"$_"}
returns SERVER01, SERVER02, SERVER03, SERVER04.
Simples as Bob would say.
But trying to do that in a command that is already incorporating quotes (because there are spaces) poses a new dilemma. What am I on about? Look at the following example:
Set-OWAVirtualDirectory -Identity "SERVER0"$_"\OWA (Default Web Site)" -ExternalUrl https://mail.company.com/owa
That won’t work.
Don’t panic Mr Mainwaring, don’t panic
I have a solution and it works a treat. Break up the text and define it as a variable(s). Like this:
$dir = "\OWA (Default Web Site)"; 1..4 | Foreach-object {Set-OWAVirtualDirectory -Identity SERVER0"$_"$dir -ExternalUrl https://mail.company.com/owa}
So that one liner basically does this:
Set-OWAVirtualDirectory -Identity SERVER01\OWA (Default Web Site) -ExternalUrl https://mail.company.com/owa
Set-OWAVirtualDirectory -Identity SERVER02\OWA (Default Web Site) -ExternalUrl https://mail.company.com/owa
Set-OWAVirtualDirectory -Identity SERVER03\OWA (Default Web Site) -ExternalUrl https://mail.company.com/owa
Set-OWAVirtualDirectory -Identity SERVER04\OWA (Default Web Site) -ExternalUrl https://mail.company.com/owa
Exchange 2010 Datacenter failover and switchback scripts
This article has been ported from my old TechBlog as it is still valid and useful.
I’ve been lapping up some sunshine in the garden but the weather is now changing again, so it’s back indoors and time to post something. From some recent work I was doing, here are some scripts for DAG failover to DR site and switchback again. There are specific assumptions here; firstly, I was working with two mailbox servers in my main site and a single mailbox server in the DR site. Secondly, I had a single DAG. Thirdly, I was using the same CAS Array for both sites – that is not necessarily always going to be the case, but this was just a DR site, so was appropriate for me. Finally, I was blocking database activation in the DR site. You can easily modify the scripts according to your circumstances and need to modify some of the tags anyway.
< MAIN_SITE>
< DR_SITE>
< DAGNAME>
< DR_MBX_SERVER>
< CASARRAY>
In my example there are 15 mailbox databases named DB01-DB15.
#### TERMINATE FAILED DATACENTER
#### if mailbox server(s) in are still powered on but not functioning properly
POWER OFF
### or
Stop-DatabaseAvailabilityGroup -ActiveDirectorySite -Confirm:$false
#### if AD is available in but servers went off before doing the previous step
Stop-DatabaseAvailabilityGroup -ActiveDirectorySite -ConfigurationOnly -Confirm:$False
#### check that the mailbox servers have stopped in
Get-DatabaseAvailabilityGroup | select Name,*server*
#### run in
Stop-DatabaseavailabilityGroup -ActiveDirectorySite -ConfigurationOnly -Confirm:$False
#### ACTIVATE DR SITE
#### run in
stop-service ClusSvc
Restore-DatabaseAvailabilityGroup -ActiveDirectorySite -Confirm:$False
(repeat above if necessary)
1..9 | ForEach-Object {Move-ActiveMailboxDatabase DB0"$_" -ActivateOnServer -SkipActiveCopyChecks -MountDialOverride:None –confirm:$false}; 0..5 | ForEach-Object {Move-ActiveMailboxDatabase DB1"$_" -ActivateOnServer -SkipActiveCopyChecks -MountDialOverride:None –confirm:$false}
Set-clientaccessarray –site –confirm:$false
#### SWITCHBACK
#### run in after site is brought back up
Start-DatabaseAvailabilityGroup -ActiveDirectorySite
(repeat above if necessary)
Set-clientaccessarray –site –confirm:$false
#### check that mailbox servers in show as started in DAG ()
Get-DatabaseAvailabilityGroup | select Name,*server*
#### move databases back to
origlocation$=get-location; set-location exscripts$; .\RedistributeActiveDatabases.ps1 - -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution -Confirm:$false; set-location origlocation$
(repeat above if necessary)
#### if appropriate, block from activating databases when is available
Set-MailboxServer -DatabaseCopyAutoActivation:blocked
I’ve been lapping up some sunshine in the garden but the weather is now changing again, so it’s back indoors and time to post something. From some recent work I was doing, here are some scripts for DAG failover to DR site and switchback again. There are specific assumptions here; firstly, I was working with two mailbox servers in my main site and a single mailbox server in the DR site. Secondly, I had a single DAG. Thirdly, I was using the same CAS Array for both sites – that is not necessarily always going to be the case, but this was just a DR site, so was appropriate for me. Finally, I was blocking database activation in the DR site. You can easily modify the scripts according to your circumstances and need to modify some of the tags anyway.
< MAIN_SITE>
< DR_SITE>
< DAGNAME>
< DR_MBX_SERVER>
< CASARRAY>
In my example there are 15 mailbox databases named DB01-DB15.
#### TERMINATE FAILED DATACENTER
#### if mailbox server(s) in
POWER OFF
### or
Stop-DatabaseAvailabilityGroup
#### if AD is available in
Stop-DatabaseAvailabilityGroup
#### check that the mailbox servers have stopped in
Get-DatabaseAvailabilityGroup | select Name,*server*
#### run in
Stop-DatabaseavailabilityGroup
#### ACTIVATE DR SITE
#### run in
stop-service ClusSvc
Restore-DatabaseAvailabilityGroup
(repeat above if necessary)
1..9 | ForEach-Object {Move-ActiveMailboxDatabase DB0"$_" -ActivateOnServer
Set-clientaccessarray
#### SWITCHBACK
#### run in
Start-DatabaseAvailabilityGroup
(repeat above if necessary)
Set-clientaccessarray
#### check that mailbox servers in
Get-DatabaseAvailabilityGroup | select Name,*server*
#### move databases back to
origlocation$=get-location; set-location exscripts$; .\RedistributeActiveDatabases.ps1 -
(repeat above if necessary)
#### if appropriate, block
Set-MailboxServer
Monitor-MoveRequests.ps1
This article has been ported from my old TechBlog as it is still valid and useful.
I had to painfully watch someone move a mailbox and monitor its progress using Exchange Management Console the other day and I made a note to myself to share my mailbox move bits and pieces, especially a script ”what I writ’ to monitor move requests. I meant to add something to happen when the mailbox move is complete, but haven’t got round to it and can’t be bothered at the present time. Another day.
Here’s the Monitor-MoveRequests.ps1 script:
$moverequests = get-MoveRequest ; get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}
$A = (get-host).UI.RawUI
$A.WindowTitle = "Monitor Mailbox Move requests"
$B = $A.windowsize
$B.width = 150
$B.height = 65
$A.WindowSize = $B
while ($true) {cls; foreach ($moverequest in $moverequests) {Get-MoveRequestStatistics $moverequest | select Alias, DisplayName, StartTimestamp, TotalQueuedDuration, PercentComplete, BytesTransferred, StatusDetail, SourceDatabase, TargetDatabase,Status, TotalinProgressDuration, OverallDuration}
;sleep 5}
It may look familiar; I modified another script to make it
Here’s the rest of the stuff:
Test mailbox is ready to move:
New-MoveRequest -Identity user01@company.com -TargetDatabase "MDB01" –whatif
Move a mailbox:
New-MoveRequest -Identity user01@company.com -TargetDatabase "MDB01"
Clear a mailbox move request:
Get-MoveRequest | where {$_.status -eq "Completed"}
Clear all move requests:
Get-MoveRequest | where {$_.status -eq "Completed"} | Remove-moverequest -confirm:$False
New mailbox creation:
New-Mailbox -Name 'user01' -Alias 'user01' -OrganizationalUnit 'company.local/staff' -UserPrincipalName 'user01@company.com>' -SamAccountName 'user01' -FirstName 'user01' -Initials '' -LastName '' -ResetPasswordOnNextLogon $false -Database MDB01
Multiple move requests (enter in a ps1 script):
New-MoveRequest user01 -TargetDatabase "MDB01" -suspend
New-MoveRequest user02 -TargetDatabase "MDB02" -suspend
Start multiple move requests (enter in a ps1 script e.g. ResumeMailboxMoves.ps1):
Get-MoveRequest | Resume-MoveRequest
Powershell script as a batch file (e.g. for scheduling using Task Scheduler)(where ‘D:\Exchange’ is the Exchange install path):
PowerShell.exe -command ". 'D:\Exchange\bin\RemoteExchange.ps1'; cls; Connect-ExchangeServer -auto; & 'D:\Exchange\Scripts\ResumeMailboxMoves.ps1'"
I had to painfully watch someone move a mailbox and monitor its progress using Exchange Management Console the other day and I made a note to myself to share my mailbox move bits and pieces, especially a script ”what I writ’ to monitor move requests. I meant to add something to happen when the mailbox move is complete, but haven’t got round to it and can’t be bothered at the present time. Another day.
Here’s the Monitor-MoveRequests.ps1 script:
$moverequests = get-MoveRequest ; get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}
$A = (get-host).UI.RawUI
$A.WindowTitle = "Monitor Mailbox Move requests"
$B = $A.windowsize
$B.width = 150
$B.height = 65
$A.WindowSize = $B
while ($true) {cls; foreach ($moverequest in $moverequests) {Get-MoveRequestStatistics $moverequest | select Alias, DisplayName, StartTimestamp, TotalQueuedDuration, PercentComplete, BytesTransferred, StatusDetail, SourceDatabase, TargetDatabase,Status, TotalinProgressDuration, OverallDuration}
;sleep 5}
It may look familiar; I modified another script to make it
Here’s the rest of the stuff:
Test mailbox is ready to move:
New-MoveRequest -Identity user01@company.com -TargetDatabase "MDB01" –whatif
Move a mailbox:
New-MoveRequest -Identity user01@company.com -TargetDatabase "MDB01"
Clear a mailbox move request:
Get-MoveRequest | where {$_.status -eq "Completed"}
Clear all move requests:
Get-MoveRequest | where {$_.status -eq "Completed"} | Remove-moverequest -confirm:$False
New mailbox creation:
New-Mailbox -Name 'user01' -Alias 'user01' -OrganizationalUnit 'company.local/staff' -UserPrincipalName 'user01@company.com>' -SamAccountName 'user01' -FirstName 'user01' -Initials '' -LastName '' -ResetPasswordOnNextLogon $false -Database MDB01
Multiple move requests (enter in a ps1 script):
New-MoveRequest user01 -TargetDatabase "MDB01" -suspend
New-MoveRequest user02 -TargetDatabase "MDB02" -suspend
Start multiple move requests (enter in a ps1 script e.g. ResumeMailboxMoves.ps1):
Get-MoveRequest | Resume-MoveRequest
Powershell script as a batch file (e.g. for scheduling using Task Scheduler)(where ‘D:\Exchange’ is the Exchange install path):
PowerShell.exe -command ". 'D:\Exchange\bin\RemoteExchange.ps1'; cls; Connect-ExchangeServer -auto; & 'D:\Exchange\Scripts\ResumeMailboxMoves.ps1'"
Powershell - working with the registry
This article has been ported from my old TechBlog as it is still valid and useful.
I’ve been a good boy and taken the Lync leap. The really annoying thing I’ve always found about Lync is that it always starts up, especially when I don’t want it to. I reboot my laptop at home in the evening or at the weekend and the next thing I know is people are trying to contact me because they thing I’m working. Please. Working outside working hours? You don’t know me well enough.
So I set about doing something about it.
I started by tracking down what was forcing the Lync startup. I’m running Windows 7 64-bit and I found it here:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
"Communicator"=”C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
So I set about nobbling that and replacing it with a Scheduled task that runs every weekday at 9am that starts up Lync.
Guess what? It works.
But this post would be far too simple and boring if that’s all I included in it. So let’s use some Powershell and to make this whole process a lot more complicated. But seriously, this is a great opportunity to demonstrate how to work with the Registry using Powershell and to introduce a script I found to help.
The script I found creates a .reg backup of Registry keys / values. The beauty of this is that you can then easily script and record what you are doing. I found the script here: http://franckrichard.blogspot.co.uk/2010/12/generate-reg-regedit-export-to-file.html
It’s quite clearly not my script, but I’ve used it and it does what it says on the tin. I found that I needed to specify ‘HKEY_LOCAL_MACHINE’ instead of ‘HKLM’, but with that heads-up you should find it easy to use. The script is included at the bottom of this page and can also be downloaded directly here. Don’t forget about your execution policy, although Powershell will prompt you if you have forgotten.
I’ve been a good boy and taken the Lync leap. The really annoying thing I’ve always found about Lync is that it always starts up, especially when I don’t want it to. I reboot my laptop at home in the evening or at the weekend and the next thing I know is people are trying to contact me because they thing I’m working. Please. Working outside working hours? You don’t know me well enough.
So I set about doing something about it.
I started by tracking down what was forcing the Lync startup. I’m running Windows 7 64-bit and I found it here:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
"Communicator"=”C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
So I set about nobbling that and replacing it with a Scheduled task that runs every weekday at 9am that starts up Lync.
Guess what? It works.
But this post would be far too simple and boring if that’s all I included in it. So let’s use some Powershell and to make this whole process a lot more complicated. But seriously, this is a great opportunity to demonstrate how to work with the Registry using Powershell and to introduce a script I found to help.
The script I found creates a .reg backup of Registry keys / values. The beauty of this is that you can then easily script and record what you are doing. I found the script here: http://franckrichard.blogspot.co.uk/2010/12/generate-reg-regedit-export-to-file.html
It’s quite clearly not my script, but I’ve used it and it does what it says on the tin. I found that I needed to specify ‘HKEY_LOCAL_MACHINE’ instead of ‘HKLM’, but with that heads-up you should find it easy to use. The script is included at the bottom of this page and can also be downloaded directly here. Don’t forget about your execution policy, although Powershell will prompt you if you have forgotten.
Subscribe to:
Posts (Atom)