Exchange 2010 bits and pieces

Here are a few bits and pieces for optimizing an Exchange 2010 deployment:

Moving the Transport Database and Queue (e.g. to a fast disk):
cd $exscripts; .\Move-TransportDatabase.ps1 -queueDatabasePath "T:\TransportRoles\Data\Queue\DB" -queueDatabaseLoggingPath "T:\TransportRoles\Data\Queue\Logs"

Note: Do not create the folders! You can create the root folders but NOT the host folders (e.g. In above I mean do NOT create 'DB' or 'Logs' folders)

Configure the Cluster Account environment variables (Local System on Windows 2008 R2) to a dedicated volume:
Set-ItemProperty -path "REGISTRY::\HKEY_USERS\S-1-5-18\Environment" -name TMP -value T:\Temp; Set-ItemProperty -path "REGISTRY::\HKEY_USERS\S-1-5-18\Environment" -name TEMP -value T:\Temp

Notice that the above is using the Set-ItemProperty with the registry and specifically with HKEY_USERS. That wasn’t easy to work out how to target!

Configure Cluster parameters:
Import-module FailoverClusters; (Get-Cluster).SameSubnetThreshold=10; (Get-Cluster).SameSubnetDelay=1000

Configure ClusterLog size:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name ClusterLogSize -Value 32 -Type DWord

Create mailboxes with EMS

I couldn't find my script for setting up test mailboxes for an Exchange 2010 environment that I am working on, so I had to re-write it. Sometimes it's just quicker to go back to the drawing board!

My scenario is that I have 30 databases and I want to create one mailbox per database. I also want to keep these at the end of the GAL so as not to upset existing users, so I'm naming them 'zztestuser' with a number appended.

So that I can run this quickly without having to input anything, I am first converting a plain text password to a secure string and using it throughout the script. Once it is defined as a variable I can re-use it again and again. So the first two lines do that bit and then it's all quite repetitive. I used Excel with the Concatenate function to put it all together, but the fields in Excel have their limitations, so a mix of Excel and Notepad with the 'replace' feature work well.

Here is my script for creating 30 new mailboxes with one in each database. Copy the code, modify as appropriate and save to a ps1.


$PlainPassword = "P@ssw0rd"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText –Force
New-Mailbox -Name 'zztestuser01' -Alias 'zztestuser01' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser01@domain.com' -SamAccountName 'testuser01' -FirstName 'zztestuser' -Initials '' -LastName '01' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB01'
New-Mailbox -Name 'zztestuser02' -Alias 'zztestuser02' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser02@domain.com' -SamAccountName 'testuser02' -FirstName 'zztestuser' -Initials '' -LastName '02' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB02'
New-Mailbox -Name 'zztestuser03' -Alias 'zztestuser03' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser03@domain.com' -SamAccountName 'testuser03' -FirstName 'zztestuser' -Initials '' -LastName '03' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB03'
New-Mailbox -Name 'zztestuser04' -Alias 'zztestuser04' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser04@domain.com' -SamAccountName 'testuser04' -FirstName 'zztestuser' -Initials '' -LastName '04' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB04'
New-Mailbox -Name 'zztestuser05' -Alias 'zztestuser05' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser05@domain.com' -SamAccountName 'testuser05' -FirstName 'zztestuser' -Initials '' -LastName '05' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB05'
New-Mailbox -Name 'zztestuser06' -Alias 'zztestuser06' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser06@domain.com' -SamAccountName 'testuser06' -FirstName 'zztestuser' -Initials '' -LastName '06' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB06'
New-Mailbox -Name 'zztestuser07' -Alias 'zztestuser07' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser07@domain.com' -SamAccountName 'testuser07' -FirstName 'zztestuser' -Initials '' -LastName '07' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB07'
New-Mailbox -Name 'zztestuser08' -Alias 'zztestuser08' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser08@domain.com' -SamAccountName 'testuser08' -FirstName 'zztestuser' -Initials '' -LastName '08' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB08'
New-Mailbox -Name 'zztestuser09' -Alias 'zztestuser09' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser09@domain.com' -SamAccountName 'testuser09' -FirstName 'zztestuser' -Initials '' -LastName '09' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB09'
New-Mailbox -Name 'zztestuser10' -Alias 'zztestuser10' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser10@domain.com' -SamAccountName 'testuser10' -FirstName 'zztestuser' -Initials '' -LastName '10' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB10'
New-Mailbox -Name 'zztestuser11' -Alias 'zztestuser11' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser11@domain.com' -SamAccountName 'testuser11' -FirstName 'zztestuser' -Initials '' -LastName '11' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB11'
New-Mailbox -Name 'zztestuser12' -Alias 'zztestuser12' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser12@domain.com' -SamAccountName 'testuser12' -FirstName 'zztestuser' -Initials '' -LastName '12' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB12'
New-Mailbox -Name 'zztestuser13' -Alias 'zztestuser13' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser13@domain.com' -SamAccountName 'testuser13' -FirstName 'zztestuser' -Initials '' -LastName '13' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB13'
New-Mailbox -Name 'zztestuser14' -Alias 'zztestuser14' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser14@domain.com' -SamAccountName 'testuser14' -FirstName 'zztestuser' -Initials '' -LastName '14' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB14'
New-Mailbox -Name 'zztestuser15' -Alias 'zztestuser15' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser15@domain.com' -SamAccountName 'testuser15' -FirstName 'zztestuser' -Initials '' -LastName '15' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB15'
New-Mailbox -Name 'zztestuser16' -Alias 'zztestuser16' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser16@domain.com' -SamAccountName 'testuser16' -FirstName 'zztestuser' -Initials '' -LastName '16' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB16'
New-Mailbox -Name 'zztestuser17' -Alias 'zztestuser17' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser17@domain.com' -SamAccountName 'testuser17' -FirstName 'zztestuser' -Initials '' -LastName '17' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB17'
New-Mailbox -Name 'zztestuser18' -Alias 'zztestuser18' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser18@domain.com' -SamAccountName 'testuser18' -FirstName 'zztestuser' -Initials '' -LastName '18' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB18'
New-Mailbox -Name 'zztestuser19' -Alias 'zztestuser19' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser19@domain.com' -SamAccountName 'testuser19' -FirstName 'zztestuser' -Initials '' -LastName '19' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB19'
New-Mailbox -Name 'zztestuser20' -Alias 'zztestuser20' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser20@domain.com' -SamAccountName 'testuser20' -FirstName 'zztestuser' -Initials '' -LastName '20' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB20'
New-Mailbox -Name 'zztestuser21' -Alias 'zztestuser21' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser21@domain.com' -SamAccountName 'testuser21' -FirstName 'zztestuser' -Initials '' -LastName '21' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB21'
New-Mailbox -Name 'zztestuser22' -Alias 'zztestuser22' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser22@domain.com' -SamAccountName 'testuser22' -FirstName 'zztestuser' -Initials '' -LastName '22' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB22'
New-Mailbox -Name 'zztestuser23' -Alias 'zztestuser23' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser23@domain.com' -SamAccountName 'testuser23' -FirstName 'zztestuser' -Initials '' -LastName '23' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB23'
New-Mailbox -Name 'zztestuser24' -Alias 'zztestuser24' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser24@domain.com' -SamAccountName 'testuser24' -FirstName 'zztestuser' -Initials '' -LastName '24' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB24'
New-Mailbox -Name 'zztestuser25' -Alias 'zztestuser25' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser25@domain.com' -SamAccountName 'testuser25' -FirstName 'zztestuser' -Initials '' -LastName '25' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB25'
New-Mailbox -Name 'zztestuser26' -Alias 'zztestuser26' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser26@domain.com' -SamAccountName 'testuser26' -FirstName 'zztestuser' -Initials '' -LastName '26' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB26'
New-Mailbox -Name 'zztestuser27' -Alias 'zztestuser27' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser27@domain.com' -SamAccountName 'testuser27' -FirstName 'zztestuser' -Initials '' -LastName '27' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB27'
New-Mailbox -Name 'zztestuser28' -Alias 'zztestuser28' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser28@domain.com' -SamAccountName 'testuser28' -FirstName 'zztestuser' -Initials '' -LastName '28' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB28'
New-Mailbox -Name 'zztestuser29' -Alias 'zztestuser29' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser29@domain.com' -SamAccountName 'testuser29' -FirstName 'zztestuser' -Initials '' -LastName '29' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB29'
New-Mailbox -Name 'zztestuser30' -Alias 'zztestuser30' -OrganizationalUnit 'domain.com/Users' -UserPrincipalName 'zztestuser30@domain.com' -SamAccountName 'testuser30' -FirstName 'zztestuser' -Initials '' -LastName '30' -Password $SecurePassword -ResetPasswordOnNextLogon $false -Database 'DB30'

Exchange and Adobe iFilters

*N.B. this is an old article and may no longer be relevant*

(Note: This article refers to Exchange 2007 and Exchange 2010)

The full set of IFilters installed with Exchange out of the box include Microsoft Office documents (e.g. doc/docx, xls/xlsx, ppt/pptx), Email message formats (e.g. msg, eml), HTML and text formats. These are used on Hub Transport servers (when filtering attachments using Transport Rules) and Mailbox servers (for indexing attachments).
Third Party iFilters can be added and as per http://blogs.technet.com/b/exchange/archive/2009/05/11/3407435.aspx, Adobe PDF is one of the most common.
Adobe provide the iFilters as a downloadable, installable package: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025
which also needs registering. The following article summarizes how to do that: http:// marksmith.netrends.com/Lists/Posts/Post.aspx?List=d0ef1a62%2D8e97%2D484a%2D9053%2D7acda05534cb&ID=93&Web=2dee96c1%2D5fed%2D439e%2Db530%2D37626608d03e. However, it doesn’t quite go far enough. There are some steps to do afterwards and two of them involve modifying registry permissions.

I decided that these were two steps that could be automated by Powershell, so set about doing that. The method used is straight off of Technet; that is, using get-acl to ingest the current permissions and then set-acl to add to them. The code for setting Read access for the Network Service on the two relevant keys for the Adobe iFilters is as follows:

$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\NETWORK SERVICE","ReadKey","Allow")
$acl1 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl1.SetAccessRule($rule)
$acl1 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl2 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
$acl2.SetAccessRule($rule)
$acl2 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"

You can save the above to a script and run it after registering the Adobe iFilters or you can incorporate it into one script (enhancing the one by Mark E. Smith) so that the full script looks like this:



# save as Register-Adobe-PDF-filter.ps1
#
# Download installation from: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025

# Refer to: http://blogs.technet.com/b/exchange/archive/2009/05/11/3407435.aspx

# Adobe iFilter Directory Path
$iFilterDirName = "C:\Program Files\Adobe\Adobe PDF IFilter 9 for 64-bit platforms\bin"

# Get the original path environment variable
$original = (Get-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Environment" Path).Path
# Add the ifilter path
Set-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Environment" Path -value ( $original + ";" + $iFilterDirName )

$CLSIDKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID"
$FiltersKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters"

# Filter DLL Locations
$pdfFilterLocation = “PDFFilter.dll"

# Filter GUIDs
$PDFGuid ="{E8978DA6-047F-4E3D-9C78-CDBE46041603}"

# Create CLSIDs
Write-Host "Creating CLSIDs..."

New-Item -Path $CLSIDKey -Name $PDFGuid -Value $pdfFilterLocation -Type String

# Set Threading model
Write-Host "Setting threading model..."

New-ItemProperty -Path "$CLSIDKey\$PDFGuid" -Name "ThreadingModel" -Value "Both" -Type String

# Set Flags
Write-Host "Setting Flags..."
New-ItemProperty -Path "$CLSIDKey\$PDFGuid" -Name "Flags" -Value "1" -Type Dword

# Create Filter Entries
Write-Host "Creating Filter Entries..."

# These are the entries for commonly exchange formats
New-Item -Path $FiltersKey -Name ".pdf" -Value $PDFGuid -Type String

$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\NETWORK SERVICE","ReadKey","Allow")
$acl1 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl1.SetAccessRule($rule)
$acl1 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID\{E8978DA6-047F-4E3D-9C78-CDBE46041603}"
$acl2 = Get-Acl "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"
$acl2.SetAccessRule($rule)
$acl2 |Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters\.pdf"

Write-Host -foregroundcolor Green "The NETWORK SERVICE has been granted read access to the following registry keys:`n$CLSIDKey\$PDFGuid`n$FiltersKey\.pdf"
Write-Host " "
Write-Host -foregroundcolor Yellow "Next, reboot the Exchange Server
- after which you need to rebuild the search indexes using the precanned script:"
Write-Host " "
Write-Host -foregroundcolor White "cd $exscripts; .\ResetSearchIndex.ps1 –Force –All"
Write-Host " "
Write-Host -foregroundcolor Green "Then wait for the indexes to be rebuilt before initiating a search.
Repeat this process on each Mailbox Server and Hub Transport in the organization"
Write-Host " "
Write-Host -foregroundcolor Yellow "Note: The permissions on the keys above for NETWORK SERVICE are required on the Hub Transport role (or multi-roled server that hosts the Hub role) so that transport rules can do PDF attachment filtering"

Windows Disk Timeouts (Ex2010)

*N.B. this is an old article and may no longer be relevant*

As per the following article, MS make recommendations regarding storage for the Exchange 2010 MBX role:

http://technet.microsoft.com/en-us/library/ee832792(v=exchg.141).aspx

This post pertains specifically to the recommendation for the disk timeout value. By default this is set at 60 seconds. For DAS or SAN this should be modified to 20 seconds. I have created a one liner to do this:

Set-ItemProperty -path HKLM:\SYSTEM\CurrentControlSet\services\Disk -name TimeOutValue -value 20

More info on the topic can be found here:
http://blogs.msdn.com/b/san/archive/2011/09/01/the-windows-disk-timeout-value-understanding-why-this-should-be-set-to-a-small-value.aspx

Note that the information is omitted from the Exchange 2013 version of the Technet article:

http://technet.microsoft.com/en-us/library/ee832792.aspx

Don't ask me why. I can't see that it wouldn't still be relevant. If you're looking at this in reference to Exchange 2013, read the blog and make up your own mind. Personally, I would still set it to 20 seconds in the absence of specific advice.

Wow. Is it only five to four? I've got another five minutes of work. Time for a coffee...

Exchange Links

Bringing the Exchange Links back to the top of the list...

We're on Exchange 2010 SP3 now: http://blogs.technet.com/b/exchange/archive/2013/02/12/released-exchange-server-2010-sp3.aspx which can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=36768 (Exchange 2013 CU1 is needed for upgrading)

Checking Exchange schema versions - http://social.technet.microsoft.com/wiki/contents/articles/2772.exchange-schema-versions-common-questions-answers.aspx

How to check the version of a Microsoft Exchange Server – RIM KB20412 - http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB20412
GCM exsetup |%{$_.Fileversioninfo}

Exchange server and Update Rollups build numbers - http://social.technet.microsoft.com/wiki/contents/articles/240.exchange-server-and-update-rollups-build-numbers.aspx

File-Level Antivirus Scanning on Exchange 2010 - http://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx

Proper virus exclusions for servers hosting the OAB - http://blogs.msdn.com/b/dgoldman/archive/2010/05/12/proper-virus-exclusions-for-servers-hosting-the-oab.aspx

Exchange 2010 datacenter switchover tool now available - http://blogs.technet.com/b/exchange/archive/2012/10/19/exchange-2010-datacenter-switchover-troubleshooter-now-available.aspx

RBAC: Walkthrough of creating a role that can wipe ActiveSync Devices - http://blogs.technet.com/b/exchange/archive/2012/09/12/rbac-walkthrough-of-creating-a-role-that-can-wipe-activesync-devices.aspx

Exchange, Stubbing, and Database Space Reclamation - http://blogs.technet.com/b/exchange/archive/2012/08/27/exchange-stubbing-and-database-space-reclamation.aspx

Exchange Server 2010 Monitoring Management Pack re-released - http://blogs.technet.com/b/exchange/archive/2012/09/06/exchange-server-2010-monitoring-management-pack-re-released.aspx

TimMcmichael's blog (Microsoft) which contains some good Datacenter Activation Coordination articles: http://blogs.technet.com/b/timmcmic/

Creating ActiveSync Device Access Rules Based on User Agent in Exchange Server 2010 - http://exchangeserverpro.com/activesync-device-access-rules-user-agent

Get-DAGHealth.ps1 – Database Availability Group Health Check Script - http://exchangeserverpro.com/get-daghealth-ps1-database-availability-group-health-check-script

PowerShell Tip: Fix All Failed Exchange Database Content Indexes - http://exchangeserverpro.com/fix-all-failed-exchange-database-content-indexes

Download Free Exchange PowerShell Scripts - http://exchangeserverpro.com/powershell

How to Deal with SSL Requirements for Exchange when Certificate Authorities Won’t Issue You a Certificate (Using a Name No Longer Valid Under New Rules) - http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate

One liners: List All Users Who Have Send-As Access To Other Mailboxes - http://www.ehloworld.com/1643

Maximum number of Exchange accounts in an Outlook profile - http://www.slipstick.com/exchange/maximum-number-exchange-accounts-outlook-profile/

Changing the default *.pst and *.ost sizes - http://www.slipstick.com/outlook/config/changing-the-default-pst-and-ost-sizes/

Organizational Forms Library in Exchange 2010 - http://www.slipstick.com/exchange/2010-exs/organizational-forms-library-exchange-2010/

Outlook is slow when using mapped drives - http://www.slipstick.com/outlook/outlook-2010/outlook-slow-mapped-drives/

How to successfully add and seed a database copy: http://blogs.technet.com/b/timmcmic/archive/2012/12/04/exchange-2010-adding-database-copies-to-databases-with-a-single-copy-results-in-copy-status-failed-after-seeding-is-completed.aspx

Datacenter switchover - http://technet.microsoft.com/en-us/library/dd351049

RPC Client Access Cross-Site Connectivity Changes - http://blogs.technet.com/b/exchange/archive/2012/05/30/rpc-client-access-cross-site-connectivity-changes.aspx

PowerShell Script to Generate Email Traffic in a Test Lab Environment - http://www.mikepfeiffer.net/2011/08/testing-exchange-autodiscover-with-powershell-and-the-ews-managed-api/

Powershell Script for Collection Events Logs from multiple servers and generating a single html report - http://blogs.technet.com/b/parallel_universe_-_ms_tech_blog/archive/2011/09/29/powershell-script-for-collection-events-logs-from-multiple-servers-and-generating-a-single-html-report.aspx

Shell variables - e.g. $ExBin, $ExScripts - http://technet.microsoft.com/en-us/library/bb124036.aspx

Three ways to tighten OWA 2010 security - http://searchexchange.techtarget.com/tip/Three-ways-to-tighten-OWA-2010-security

PST Capture 2.0 - http://blogs.technet.com/b/exchange/archive/2013/02/22/time-to-go-pst-hunting-with-the-new-pst-capture-2-0.aspx

Exchange Page File setting

*N.B. this is an old article and may no longer be relevant*

This post is to clear up any ambiguity regarding the recommended Page File settings for an Exchange server. If you search online for a solution you will find all sorts of answers (and of course if it's on t'internet then they must be right).

The short answer is to set the minimum and the maximum to the amount of RAM plus 10MB.

That answer can be found posted by Microsoft here:
http://technet.microsoft.com/en-us/library/cc431357.aspx

It states there - "As documented in the Exchange 2007 System Requirements and Exchange 2010 System Requirements, the recommended paging file size is equal to the amount of RAM in the server plus 10 MB."

It also states - "To prevent page file fragmentation, we recommend that you set the paging file size initial and maximum values to be the same value. If you reduce the size of either the initial or maximum page file settings, you must restart your computer to see the effects of those changes. Increases typically do not require a restart."

Creating a custom Management Role Group

*N.B. this is an old article and may no longer be relevant*

Here's a post on creating a custom Management Role Group for a 1st Line support desk using the following blog entry as guidance:
http://msexchangeteam.com/archive/2009/11/16/453222.aspx

The customer requirement is:
1st Line should be able to create mailboxes / mail contacts / mail users and disable them but must not be able to remove them. They will not be doing mailbox moves or any Public Folder management. The pre-canned Recipient Management role therefore doesn’t fit the bill as they would have too many rights. The scope is the whole Organization, which is the default scope anyway.

Step 1 – Determine what to base your new custom role on. I chose Recipient Management.

Step 2 – Examine what Management Roles you want from that Role Group. I opted for Mail Recipient Creation, Mail Recipients & Recipient Policies as these are appropriate from the list (BTW, I got the list from ECP/Administrator Roles):

Recipient Management

Members of this management role group have rights to create, manage and remove Exchange recipient objects in the Exchange organization.

Assigned roles:
..........Distribution Groups
..........Mail Enabled Public Folders
..........Mail Recipient Creation
..........Mail Recipients
..........Message Tracking
..........Migration
..........Move Mailboxes
..........Recipient Policies

Step 3 – Examine the Management Roles and determine what Management Role Entries you want to keep (Management Role Entries are the cmdlets that can be performed if you have this Management Role assigned to you) . These cmdlets help you:

Get-ManagementRoleEntry "Mail Recipient Creation\*" | select Name | out-file c:\support\Mail_Recipient_Creation.txt
Get-ManagementRoleEntry "Mail Recipients\*" | select Name | out-file c:\support\Mail_Recipients.txt
Get-ManagementRoleEntry "Recipient Policies\*" | select Name | out-file c:\support\Recipient_Policies.txt

Here is an example of the Management Role Entries (this is the one for Recipient Policies):

Write-AdminAuditLog
Set-ThrottlingPolicyAssociation
Set-ThrottlingPolicy
Set-OwaMailboxPolicy
Set-ActiveSyncMailboxPolicy
Remove-ThrottlingPolicy
Remove-OwaMailboxPolicy
Remove-ActiveSyncMailboxPolicy
New-ThrottlingPolicy
New-OwaMailboxPolicy
New-ActiveSyncMailboxPolicy
Get-ThrottlingPolicyAssociation
Get-OwaMailboxPolicy
Get-DomainController
Get-DetailsTemplate
Get-CASMailbox
Get-ActiveSyncMailboxPolicy

I examined them (with the client) and we came up with a list of things to keep. Most things apart from ‘remove’ and stuff to do with ‘RemoteMailbox’.

Step 4 – Create new Management Roles that are children of existing roles:

New-ManagementRole -Name "1stLineMailRecipientCreation" -Parent "Mail Recipient Creation"
New-ManagementRole -Name "1stLineMailRecipients" -Parent "Mail Recipients"
New-ManagementRole -Name "1stLineRecipientPolicies" -Parent "Recipient Policies"

Step 5 – Strip the new Management Roles of all Management Role Entries apart from one (it is a requirement to keep at least one):

Get-ManagementRoleEntry "1stLineMailRecipientCreation\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "1stLineMailRecipients\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry
Get-ManagementRoleEntry "1stLineRecipientPolicies\*" | ? {$_.name -ne "Write-AdminAuditLog"} | Remove-ManagementRoleEntry

Step 6 – Add in the Management Role Entries selected in Step 3 above. I put them into a ps1 file and the three attachments to this message include the cmdlets for doing this. Here are examples of three cmdlets from the scripts (I could have put all of them into one ps1 file, but this is complicated enough already):

Add-ManagementRoleEntry "1stLineMailRecipientCreation\New-Mailbox"
Add-ManagementRoleEntry "1stLineMailRecipients\Set-User"
Add-ManagementRoleEntry "1stLineRecipientPolicies\New-ActiveSyncMailboxPolicy"

Step 7 – Create a new Role Group (called “1st Line”) and add the new Management Roles to it:

New-RoleGroup "1st Line" -Roles 1stLineMailRecipientCreation,1stLineMailRecipients,1stLineRecipientPolicies –Description “Members of this group can create new mailboxes”

I can now see the new Role Group in ECP (see below).

In AD you’ll also find it in the Microsoft Exchange Security Groups OU (see below).

It sounds simple now that I read this, but it took a couple of hours to get to this point, so this post is as much to remind me the next time as it is to save you the hassle of working out how to do it.

Cat6e cables

*N.B. this is an old article and may no longer be relevant*

I don't normally post about hardware, but I had an e-mail from Bob a while back and think it's worth sharing:

"Started to wonder why Cat6e cable from CPC is like £100 and the “same” stuff of ebay is much cheaper – It’s because the more expensive stuff uses solid copper and the cheaper stuff is known as CCA (Copper clad aluminium)

A bit of googling:
“The use of CCA wire directly contravenes both CAT5e and CAT6 specifications which denote the use of copper conductors. CCA wire is not a copper conductor. Organizations supplying CCA as CAT5e and CAT6 network cables should examine very carefully if they are in compliance with the sales of goods act”

http://www.cetecglobal.com/technologies/cabling/cca.htm

Same goes for patch leads as well, so watch what you order."

So the lesson is not to buy Cat6e cables from Hong Kong or Shanghai for 99p with free postage!

Nice one Dave.

Simples (squeak).

Exchange 2010 to 2003

*N.B. this is an old article and may no longer be relevant*

An FYI with regards to moving mailboxes from Exchange 2010 back to Exchange 2003.

If you do this through EMC, you cannot monitor it through EMS. It thinks that no move requests exist.
When you try and do this through EMS, it won’t recognize the Exchange 2003 Target Database. In order to select an Exchange 2003 Mailbox Database you have to specify it’s GUID. The ways to do this that I found on the web either didn’t work or were too cumbersome.

So I looked in the Exchange Management Shell log and found a command that EMC had run to identify the database and found that you can get the database GUID from there. Put it all together and what you get is:

Get-MailboxDataBase -IncludePreExchange2010 | select identity,guid

Simples (as Bob would say).

So now I can insert the database GUID into my EMS move request:

New-MoveRequest -TargetDatabase "a10a12b3-2469-23ca-35ad-ea21acebd0e4" -BadItemLimit 100 -AcceptLargeDataLoss

And hey presto, I can monitor the move request process with the following:

moverequests = get-MoveRequest ; foreach ($moverequest in $moverequests) {Get-MoveRequestStatistics $moverequest | select Alias,DisplayName,StartTimestamp,TotalQueuedDuration,PercentComplete,BytesTransferred,StatusDetail,SourceDatabase,TargetDatabase,Status,TotalinProgressDuration,OverallDuration}

or stick it in a script that refreshes (e.g. Monitor-MoveRequests.ps1):

$moverequests = get-MoveRequest ; get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}
$A = (get-host).UI.RawUI
$A.WindowTitle = "Monitor Mailbox Move requests"
$B = $A.windowsize
$B.width = 150
$B.height = 65
$A.WindowSize = $B
while ($true) {cls; foreach ($moverequest in $moverequests) {Get-MoveRequestStatistics $moverequest | select Alias,DisplayName,StartTimestamp,TotalQueuedDuration,PercentComplete,BytesTransferred,StatusDetail,SourceDatabase,TargetDatabase,Status,TotalinProgressDuration,OverallDuration}
;sleep 5}

Note that I am throwing the last two scripts into the mix just to show off. I came up with this so that I can review mailbox moves through EMS as they are then reviewed in one window rather than opening and closing GUI windows to get them to refresh. Don't forget that your target Exchange 2003 mailbox database must have a valid System Mailbox or else the move will fail. If it doesn't have one but there is another Exchange 2003 mailbox database that does, move the mailbox to there and then move it again using System Manager.

N.B. Always test your rollback plan. It's better than an unforeseen forced new career plan!

Certificate Revocation Checking problem

*N.B. this is an old article and may no longer be relevant*

I had an issue a while back with performing certificate revocation checking. The SAN cert installed wasn’t working because the VLAN the servers are on did not have direct internet access. I needed to get the proxy to allow my Exchange servers (which are using the System account to do CRL checking) unauthenticated access to *.verisgn.com and *.verisign.net

In order to do this I had to follow the information I found in my old colleague Marcin's blog (http://unified.swiatelski.com/2011/01/exchange-2010-certificate-status.html) which did just relay what Microsoft publish (http://technet.microsoft.com/en-us/library/bb430772.aspx) but with the added warning:

Notice: Please remember to set value of bypass-list parameter to your local Active Directory domain FQDN. If you pass over this part you won't be able to connect to your Exchange using Exchange Management Console nor PowerShell.

I would have put that in BOLD and possibly RED AND BOLD, because it is more than just a minor annoyance. Maybe even RED AND BOLD UNDERLINED.

Also noteworthy is the following blog with some tips and troubleshooting information for this scenario:
http://blogs.microsoft.co.il/blogs/yuval14/archive/2011/09/20/how-to-resolve-exchange-2010-error-message-the-certificate-status-could-not-be-determined-because-the-revocation-check-failed.aspx

And the following information that I deduced or gathered elsewhere:

· CRL checking is performed at random intervals, but after modifying winhttp settings, you should reboot the server and wait for up to an hour
· To view logging, go to Event Viewer, Applications and Services Log, Microsoft, Windows, CAPI2 and enable the operational log
· Set-ExchangeServer –InternetWebSettings should work, but doesn’t