Author Archives: Sathish Veerapandian

Steps to export/import enterprise vault archive mailbox as PST

In this article we will have a look at the steps to export or import an Enterprise Vault archive as a PST file.

Log in to the Enterprise Vault server and open the Enterprise Vault Administration Console.

Expand the site node and select Archives.

Right-click the Archives node; the context menu offers options to export and import archives as PST or NSF files.

Now we will see the steps to export as PST.

The export wizard offers three options for the PST export.

Choose the archive mailbox to export.

Select the source archive.

There is an option to export only the items in a specific date range, which I find very useful.

Choose the destination folder path; there is also an option to split the exported PST into multiple files.

Confirm the PST export settings.

Once we click Next the status of the export is displayed, and a report file of the export is produced as well.

These steps can be used to export an Enterprise Vault archive to PST, or to import a PST into an Enterprise Vault archive, for end users.

Hope this helps.

Thanks

Sathish Veerapandian

Steps to create/identify the list of public IPs used by Exchange services

In this article we will look at how to send all outgoing SMTP traffic from one IP address, and how to identify the public IP addresses used by the Exchange server.

First, run Get-SendConnector | Format-List Name,SourceIPAddress from the EMS to see the source IP address configured on each Send connector.

Note:

By default this value is 0.0.0.0, and the Hub Transport server uses its default assigned IP to send email to the smart host (firewall/spam filter/spam cloud). Check it anyway in case a value has been set, to be on the safer side.

Now, how does mail flow leave your Exchange server?

From your Exchange server to your firewall, where it gets NATed from the local IP to a public IP, and then on to the Internet.

We need to NAT our local IP to one public IP.

In order to do that, follow the steps below.

This is accomplished with a router/firewall that has a feature called Policy Based Routing.

1)      Create a firewall/NAT rule to NAT outbound traffic from the Exchange IP address to your preferred public IP address.

2)      With this you can make a rule like: when traffic is coming from my mail server AND the destination port is 25, send the traffic through your ISP from one of your public IPs.

To be more precise, you will have to configure many-to-one NAT in your firewall as below.

For example, here are your servers:

Server name   Private IP (server)       Public IP on firewall   Port
Server1       192.168.0.1            –> 65.55.33.118            25
Server2       192.168.0.2            –> 65.55.33.118            25

If your servers are configured as above, the source public IP will be 65.55.33.118 for both servers.

You should also have a PTR record created for your external IP. If not, ask your ISP to create PTR records for your external IPs.

How to identify which public IP your Exchange services are using

There are multiple ways to identify the public IP addresses used by the Exchange server.

The easiest way to identify them is through an MX lookup.

You can query all the Exchange URLs through nslookup to see the results.

Things you need to query through nslookup:

1)      Query the external Autodiscover URL

2)      Query the webmail external URL

3)      Query the Outlook Anywhere external URL

An MX lookup of Microsoft's own records is a handy example to try.

These steps can be useful during migration scenarios for Exchange servers as well as for firewall changes.
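As an added example (not part of the original post), the PowerShell script below does the lookups above in one pass: it resolves the domain's MX hosts and the three client-facing names, then checks that every resulting public IP has a PTR record. The domain, host names and resolver address are assumptions to replace with your own; it uses Resolve-DnsName, so it needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original post. Assumed names: replace with your own namespaces.
$Domain = 'contoso.com'
$Names  = @(
    "autodiscover.$Domain",   # 1) external Autodiscover URL
    "webmail.$Domain",        # 2) webmail (OWA) external URL
    "mail.$Domain"            # 3) Outlook Anywhere external URL
)

function Get-ExchangePublicIpReport {
    param(
        [string]$Domain,
        [string[]]$Names,
        [string]$DnsServer = '8.8.8.8'   # a public resolver, so we see what the Internet sees
    )
    # Hosts to check: the MX targets plus the client-facing names
    $targets = @()
    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' }
    foreach ($m in $mx) {
        $targets += [pscustomobject]@{ Service = 'MX'; Name = $m.NameExchange }
    }
    foreach ($n in $Names) {
        $targets += [pscustomobject]@{ Service = 'Client URL'; Name = $n }
    }

    foreach ($t in $targets) {
        $a = Resolve-DnsName -Name $t.Name -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        if (-not $a) {
            [pscustomobject]@{ Service = $t.Service; Name = $t.Name; PublicIP = ''; PTR = ''; Note = 'no A record' }
            continue
        }
        foreach ($rec in $a) {
            # Reverse lookup: outbound SMTP from this IP needs a matching PTR (ask the ISP if missing)
            $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
            $ptrName = ''
            $note    = 'PTR missing'
            if ($ptr) { $ptrName = $ptr.NameHost; $note = '' }
            [pscustomobject]@{
                Service  = $t.Service
                Name     = $t.Name
                PublicIP = $rec.IPAddress
                PTR      = $ptrName
                Note     = $note
            }
        }
    }
}

$report = Get-ExchangePublicIpReport -Domain $Domain -Names $Names
$report | Sort-Object PublicIP, Service | Format-Table -AutoSize

# The distinct public IPs in use: this is the list to keep in sync with the firewall NAT rules
"Public IPs in use: " + (($report.PublicIP | Where-Object { $_ } | Sort-Object -Unique) -join ', ')
```

Compare the list with Get-SendConnector | Format-List Name,SourceIPAddress on the Exchange server and with the NAT rules on the firewall; any IP in the report without a PTR is the one to raise with the ISP.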

Thanks
Sathish Veerapandian

Steps to perform an extended message trace in Office 365

In this article we will look at the steps to perform an extended message trace in Office 365.

What is Message Trace?

Message trace is the equivalent of message tracking in Exchange 2010. Using it we can track or trace an email that was already sent through a mailbox residing in Office 365.

To perform a message trace, perform the following actions.

Log in to the Office 365 admin portal and click the Admin icon.


Scroll all the way down to Admin and click Exchange.


Navigate to mail flow and select message center.

This takes you to the message tracking center. Specify the start date and the end date.

Select the date range.

Note: The tracking results shown in the EAC cover only the last 7 days.

If you need message tracking results for more than 7 days, export them to a CSV file and view the results there.


There is also an option to trace emails based on their delivery status, which I find very useful.

The final result is then displayed.

There is also an option to view the pending and the already completed traces.


Note:

By default the message tracking logs are available only for the past 90 days. If your organization needs to extend this period, open a case with Microsoft to have the tracking period extended.
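The same trace from Exchange Online PowerShell, as an added example that is not part of the original post: a direct trace for the last 7 days filtered by delivery status, and a historical search for anything older, which is what the EAC exports as CSV. It assumes an already connected Exchange Online session; the sender and notification addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes a connected Exchange Online session;
# the two addresses are placeholders.
$Sender = 'user@contoso.com'
$Notify = 'admin@contoso.com'   # receives the mail when the historical search report is ready

# Up to 7 days back the trace returns rows directly. -Status narrows it to one delivery
# outcome (e.g. Failed, Pending, Delivered, FilteredAsSpam); results come back in pages.
function Get-RecentTrace {
    param([string]$Sender, [datetime]$Start, [datetime]$End, [string]$Status = 'Failed')
    $page = 1
    do {
        $batch = @(Get-MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End `
                                    -Status $Status -PageSize 1000 -Page $page)
        $batch
        $page++
    } while ($batch.Count -eq 1000)   # a short page means there is nothing left to fetch
}

# Older than 7 days (within the 90-day retention): an extended trace is a historical search,
# which runs asynchronously and produces a CSV report instead of inline rows.
function Start-ExtendedTrace {
    param([string]$Sender, [datetime]$Start, [datetime]$End, [string]$Notify)
    Start-HistoricalSearch -ReportTitle "Extended trace $Sender $(Get-Date -Format yyyyMMdd)" `
        -ReportType MessageTrace -SenderAddress $Sender `
        -StartDate $Start -EndDate $End -NotifyAddress $Notify
}

# Last 6 days, failed deliveries only
Get-RecentTrace -Sender $Sender -Start (Get-Date).AddDays(-6) -End (Get-Date) -Status Failed |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status |
    Format-Table -AutoSize

# A 30-day window that ends a week ago, i.e. beyond what the EAC shows inline
$job = Start-ExtendedTrace -Sender $Sender -Start (Get-Date).AddDays(-37) `
                           -End (Get-Date).AddDays(-7) -Notify $Notify
# Poll until Status is Done; the CSV is then available from the EAC or via FileUrl
Get-HistoricalSearch -JobId $job.JobId | Select-Object ReportTitle, Status, Rows, FileUrl
```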

 

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Tech Tip of the Day – What is a federated exchange solution ?

In short, federation is when two companies trust each other; once federation is enabled between them they can share their users' presence, calendar and global address list.

In short, the following needs to be done in order to enable federation between two organizations:

Set up two AD FS servers (one for company A and one for company B)

Set up an AD FS federated trust between company A and company B

Choose a server for the authentication certificate used for SSL encryption (only one)

Configure the resource server (web server or application server whose resources clients access) for company A and company B

 

It's always recommended that all Exchange organizations use the business instance of the Microsoft Federation Gateway for federation trusts. Before configuring federated delegation between the two organizations, verify which Microsoft Federation Gateway instance each Exchange organization is using for any existing federation trusts.

To identify the instance, run the following command:

Get-FederationInformation -DomainName <the hosted Exchange domain namespace>

For Exchange to "Configure Federated Delegation" you need to remember the following.

Domain Namespace Requirements:

Step 1: Create a federation trust with the Microsoft Federation Gateway.

https://technet.microsoft.com/en-us/library/dd335198(v=exchg.141).aspx#Shell

Step 2: Create TXT records for federated delegation.

https://technet.microsoft.com/en-us/library/ee423548(v=exchg.141).aspx

Step 3: Configure the domains for federated delegation.

Add-FederatedDomain -DomainName contoso.com

Step 4: Create an Autodiscover DNS record.

https://technet.microsoft.com/en-us/library/cc772053(WS.11).aspx

Step 5: Create an organization relationship.

New-OrganizationRelationship -Name "Contoso" -DomainNames "contoso.com","northamerica.contoso.com","europe.contoso.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
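The checks a practitioner would wrap around the steps above, as an added example (not part of the original post): confirm which Federation Gateway instance the partner uses, test the local federation trust, and only then create and test the organization relationship. contoso.com and fabrikam.com are placeholders; the token issuer URI used to recognise the business instance is an assumption taken from the federation documentation.

```powershell
# Added example, not from the original post. contoso.com and fabrikam.com are placeholders;
# run it from the Exchange Management Shell of the local (contoso.com) organization.
$LocalDomain  = 'contoso.com'
$RemoteDomain = 'fabrikam.com'

# Which Microsoft Federation Gateway instance does a domain use? Get-FederationInformation
# returns the token issuer URIs; the business instance is identified by
# urn:federation:MicrosoftOnline (assumption from the federation documentation).
function Get-FederationInstance {
    param([string]$Domain)
    $info = Get-FederationInformation -DomainName $Domain
    $uris = @($info.TokenIssuerUris | ForEach-Object { "$_" })
    [pscustomobject]@{
        Domain               = $Domain
        TargetApplicationUri = $info.TargetApplicationUri
        TokenIssuerUris      = ($uris -join ', ')
        BusinessInstance     = ($uris -contains 'urn:federation:MicrosoftOnline')
    }
}

# Our own trust (step 1) must pass before an organization relationship (step 5) can work
function Test-LocalFederationTrust {
    $results = Test-FederationTrust
    $results | Select-Object Id, Type, Message | Out-Host
    return -not ($results | Where-Object { $_.Type -eq 'Error' })
}

$remote = Get-FederationInstance -Domain $RemoteDomain
$remote | Format-List

if (-not $remote.BusinessInstance) {
    Write-Warning "$RemoteDomain does not use the business instance; align the instances before continuing."
} elseif (Test-LocalFederationTrust) {
    # Create the relationship only once (step 5), then exercise it for one local user
    $existing = Get-OrganizationRelationship |
                Where-Object { @($_.DomainNames | ForEach-Object { "$_" }) -contains $RemoteDomain }
    if (-not $existing) {
        New-OrganizationRelationship -Name $RemoteDomain -DomainNames $RemoteDomain `
            -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
    }
    # End-to-end check from the point of view of one local user (placeholder address)
    Test-OrganizationRelationship -Identity $RemoteDomain -UserIdentity "user@$LocalDomain" | Format-List
}
```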

 

Thanks & Regards

Sathish Veerapandian

MVP- Exchange Server 

RBAC error – Disable-Mailbox isn’t within your current write scopes can’t perform save operation

I recently ran into this problem and thought of sharing it, as it might be helpful to others in similar situations.

I had just created an RBAC role group and a write scope for a group of admins to create and manage mailboxes in a few mailbox databases.

The role group was created successfully and the role entries seemed to be working fine without any issues, except for Disable-Mailbox and Enable-Mailbox.

The assigned role admins were able to create, modify and remove mailboxes, mail universal distribution groups, mail contacts, mail universal security groups and dynamic distribution groups, but they weren't able to enable or disable any of the objects on their own.

When they tried to enable or disable any mailbox they got the error quoted in the title of this post.

I ran the command Get-ManagementScope Scopename | Fl to see the recipient filter types.

I was able to see the recipient types user mailbox, mail-enabled contacts, mail contacts, mail universal security groups and dynamic distribution groups.

But it still was not working.

Later I identified the problem. Enable-Mailbox and Disable-Mailbox only remove the Exchange attributes from the user account, leaving the user account in place and the mailbox in retention.

For this functionality to work, the RBAC scope needs to grant AD permission over the user object so the operation can be performed.

So we need to add the recipient filter (recipientType -eq 'user'), which grants the desired RBAC custom group, and hence those RBAC admins, permission over plain AD user accounts.

Since running only the filter above would remove the other permissions, I have added below the list of entries that would be helpful for the help-desk team.

For the helpdesk to manage normal daily operations the entries below are sufficient, with (recipientType -eq 'user') added.

Set-ManagementScope "Scopename" -RecipientRestrictionFilter {(RecipientType -eq 'usermailbox') -or (recipientType -eq 'user') -or (recipientType -eq 'mailuser') -or (recipienttype -eq 'mailcontact') -or (recipienttype -eq 'mailuniversaldistributiongroup') -or (recipienttype -eq 'mailuniversalsecuritygroup')}

After the above I was successfully able to come out of the error 🙂
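One way to verify the fix instead of guessing, as an added example that is not part of the original post: Get-ManagementRoleAssignment -WritableRecipient shows which role assignments are allowed to write a given object, so running it for a plain AD user before and after the scope change makes the missing RecipientType User visible. The scope name, role group name and user are placeholders, and it assumes -WritableRecipient resolves the not-yet-mailbox-enabled user object.

```powershell
# Added example, not from the original post. 'HelpdeskScope', 'Helpdesk Admins' and jdoe are
# placeholders; run in the Exchange Management Shell as an organization administrator.
$ScopeName = 'HelpdeskScope'
$RoleGroup = 'Helpdesk Admins'
$TestUser  = 'jdoe'     # a plain AD user (RecipientType User), i.e. the Enable-Mailbox case

# Filter from the post: the usual mail-enabled types plus the plain User type,
# which is the object Enable-Mailbox and Disable-Mailbox actually write to.
$HelpdeskFilter = "(RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'User') " +
                  "-or (RecipientType -eq 'MailUser') -or (RecipientType -eq 'MailContact') " +
                  "-or (RecipientType -eq 'MailUniversalDistributionGroup') " +
                  "-or (RecipientType -eq 'MailUniversalSecurityGroup')"

# Which of the role group's assignments can write this particular recipient?
# No row for the mailbox-related roles means the write scope does not cover the object.
function Get-WritableAssignments {
    param([string]$User, [string]$RoleGroup)
    Get-ManagementRoleAssignment -WritableRecipient $User -RoleAssignee $RoleGroup |
        Select-Object Role, RoleAssigneeName, CustomRecipientWriteScope, RecipientWriteScope
}

"--- before ---"
(Get-ManagementScope $ScopeName).RecipientFilter
Get-WritableAssignments -User $TestUser -RoleGroup $RoleGroup | Format-Table -AutoSize

# -RecipientRestrictionFilter replaces the whole filter, so every type the help desk
# manages has to be listed again; the filter above includes RecipientType User.
Set-ManagementScope -Identity $ScopeName -RecipientRestrictionFilter $HelpdeskFilter

"--- after ---"
Get-WritableAssignments -User $TestUser -RoleGroup $RoleGroup | Format-Table -AutoSize

# Which individual admins end up with the right, expanded through group membership
Get-ManagementRoleAssignment -WritableRecipient $TestUser -GetEffectiveUsers |
    Where-Object { $_.RoleAssigneeName -eq $RoleGroup } |
    Select-Object EffectiveUserName, Role | Sort-Object EffectiveUserName -Unique
```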

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Quick bites – Things to consider during cross forest migration from Exchange 2010 to 2013

In this article we will look at the readiness work to be done for a cross-forest migration from Exchange 2010 to 2013.

There are multiple ways to perform this; what follows is one of the best practices that can be followed.
The first and foremost thing is to ensure that DNS is set up properly in both directions between the source and the target forest.

Steps to ensure the DNS setup:
1) Check whether both forest DNS namespaces share the same root DNS. Make sure that the root zone contains delegations for each of the DNS namespaces.
Also, update the root hints of all DNS servers.
To update root hints on the DNS server follow this article – http://go.microsoft.com/fwlink/?LinkId=92717
If there is no shared root DNS server for both forests and the root DNS servers for each forest DNS namespace are running a Windows Server operating system, configure DNS conditional forwarders in each DNS namespace to route queries for names in the other namespace.
To configure DNS server forwarders follow this article – http://go.microsoft.com/fwlink/?LinkId=92718
IMP: If there is no shared root DNS server and the root DNS servers for each forest DNS namespace are not running a Windows Server operating system, configure DNS secondary zones in each DNS namespace to route queries for names in the other namespace.
To add a secondary server for an existing zone follow this article – http://go.microsoft.com/fwlink/?LinkId=92719

After the above steps are done, validate the DNS configuration through nslookup. You can also follow the article below if you have doubts about verifying through nslookup:

https://technet.microsoft.com/en-us/library/977fa8ed-ec71-4d39-9f9e-9facd5a61364
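The conditional-forwarder case above done in PowerShell, as an added example that is not part of the original post: create the forwarder for the other forest on a Windows DNS server, then check not only that the forest name resolves but that its DC locator SRV records do, since that is what the forest trust in the next step depends on. Forest names and DNS server addresses are placeholders; it needs the DnsServer module (Windows Server 2012 or later).

```powershell
# Added example, not from the original post. Forest name and DNS server addresses are
# placeholders. Run on a DNS server of the source forest; repeat on the target side with
# the names swapped so that both directions resolve.
$TargetForest = 'target.local'
$TargetDnsIPs = @('10.2.0.10', '10.2.0.11')   # DNS servers authoritative for target.local

function Add-ForestForwarder {
    param([string]$ZoneName, [string[]]$Masters)
    # Idempotent: create the conditional forwarder only if no zone of that name exists yet
    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $Masters `
            -ReplicationScope 'Forest'   # AD-integrated, so every DNS server in this forest gets it
    }
    Get-DnsServerZone -Name $ZoneName | Select-Object ZoneName, ZoneType, MasterServers
}

# A forest trust needs the other forest's DC locator (SRV) records, not only its A record
function Test-ForestResolution {
    param([string]$Forest)
    $checks = @(
        @{ Name = $Forest;                            Type = 'A'   }
        @{ Name = "_ldap._tcp.dc._msdcs.$Forest";     Type = 'SRV' }
        @{ Name = "_kerberos._tcp.dc._msdcs.$Forest"; Type = 'SRV' }
    )
    foreach ($c in $checks) {
        $r = @(Resolve-DnsName -Name $c.Name -Type $c.Type -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq $c.Type })
        $result = 'MISSING'
        $answer = ''
        if ($r.Count -gt 0) {
            $result = 'OK'
            # SRV records point at a host name, A records at an address
            $answer = ($r | ForEach-Object { if ($c.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress } }) -join ', '
        }
        [pscustomobject]@{
            Record = "$($c.Type) $($c.Name)"
            Result = $result
            Answer = $answer
        }
    }
}

Add-ForestForwarder -ZoneName $TargetForest -Masters $TargetDnsIPs
Test-ForestResolution -Forest $TargetForest | Format-Table -AutoSize
```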
2) Create a forest trust
a. Use an account which belongs to the Domain Admins or Enterprise Admins group of the domain. Open Active Directory Domains and Trusts on a DC of the domain. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
To open Active Directory Domains and Trusts in Windows Server® 2012, click Start, then type domain.msc.
b. In the console tree, right-click the domain that you want to administer, and then click Properties.
c. On the Trusts tab, click New trust, and then click Next.
d. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
e. On the Trust Type page, click Forest trust, and then click Next.
f. On the Direction of Trust page, do one of the following:
o To create a two-way forest trust, click Two-way.
Users in this forest and users in the specified forest will be able to access resources in either forest.
o To create a one-way outgoing forest trust, click One-way: outgoing.
Users in this forest will not be able to access any resources in the specified forest.
g. Continue to follow the instructions in the wizard.

Validate the created trust.

 

Once the above is completed you can run the prepare move request step by following the article below:

https://technet.microsoft.com/en-us/library/ee861103%28v=exchg.150%29.aspx

Once the prepare move request is completed, run the new move request.

Also set the large item limit on the move requests to a minimum of 50, so that large mailboxes do not cause issues during migration, by running the command below:

Get-MoveRequest | Set-MoveRequest -LargeItemLimit 50

Rollback plan in case anything goes wrong:

Delete the trust accordingly. To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority.
To remove a trust using the Windows interface:
1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
To open Active Directory Domains and Trusts in Windows Server® 2012, click Start, then type domain.msc.
2. In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties.
3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be removed, and then click Remove.
4. Do one of the following, and then click OK:
o Click No, remove the trust from the local domain only.
If you select this option, we recommend that you repeat this procedure for the reciprocal domain.
o Click Yes, remove the trust from both the local domain and the other domain.
If you select this option, you must type a user account and password with administrative credentials for the reciprocal domain.

You can also follow the excellent write-up below about cross-forest migration by Exchange Server MVP Prabhat Nigam:

http://msexchangeguru.com/2013/11/03/e2013crossforestmigration/

Thanks & Regards

Sathish Veerapandian

MVP – Exchange Server

Back Pressure in Exchange 2013

Back pressure monitors resources such as hard disk space, available memory and version buckets, and gives the administrator advance notification before the email server stops accepting mail altogether. This feature was introduced in Exchange 2007, and the concept of back pressure in Exchange 2013 is the same as it was in Exchange 2010.
At a high level, hard disk space utilization is calculated in Exchange 2013 with the following formula:
100 * (hard disk size – fixed constant) / hard disk size
The value of the fixed constant is 500 megabytes (MB).

A list of changes that are made to the message queue database is kept in memory until those changes can be committed to a transaction log, after which the list is committed to the message queue database itself. These outstanding message queue database transactions that are kept in memory are known as version buckets.

If the normal level isn't reached for the entire version bucket history depth, the transport service (as configured in EdgeTransport.exe.config) takes the following actions:

1) Reject incoming messages from other Exchange servers (internal as well as external Exchange servers) – this happens first

2) Reject message submissions from mailbox databases by the Mailbox Transport Submission service on Mailbox servers – email sent by end users is handed from their respective databases to the transport submission service and rejected there. These messages never reach the categorizer; they are rejected at the pre-categorizer level itself.
3) Reject incoming messages from non-Exchange servers – e.g. Notes, Zimbra
4) Reject message submissions from the Pickup and Replay directories – messages dropped by applications in the Pickup directory

Similarly, the following events will be logged on the affected server:

Event log entry for an increase in any resource utilization level
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Resource Manager
Event ID: 15004
Description: Resource pressure increased from Previous Utilization Level to Current Utilization Level.

Event log entry for a decrease in any resource utilization level
Event Type: Information
Event Source: MSExchangeTransport
Event Category: Resource Manager
Event ID: 15005
Description: Resource pressure decreased from Previous Utilization Level to Current Utilization Level.

Event log entry for critically low available disk space
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Resource Manager
Event ID: 15006
Description: The Microsoft Exchange Transport service is rejecting messages because available disk space is below the configured threshold. Administrative action may be required to free disk space for the service to continue operations.

Event log entry for critically low available memory
Event Type: Error
Event Source: MSExchangeTransport
Event Category: Resource Manager
Event ID: 15007
Description: The Microsoft Exchange Transport service is rejecting message submissions because the service continues to consume more memory than the configured threshold. This may require that this service be restarted to continue normal operation.

The above events help you identify back pressure on the affected server.

Solution:

Use the command prompt to move the existing queue database and transaction logs to a new location.
In a command prompt window, open the EdgeTransport.exe.config file in Notepad by running the following command:

Notepad %ExchangeInstallPath%Bin\EdgeTransport.exe.config

Change the drive letter to the new location you want by editing the following add key values:

<add key="QueueDatabasePath" value="D:\Queue\QueueDB" />
<add key="QueueDatabaseLoggingPath" value="D:\Queue\QueueLogs" />
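As an added example (not part of the original post), the script below reads the two queue paths from EdgeTransport.exe.config, applies the disk-space formula from this post to the drive they live on, and lists the back-pressure events 15004 to 15007 from the Application log. It assumes the stock install path as a fallback when the keys are absent.

```powershell
# Added example, not from the original post. Reads the queue paths from EdgeTransport.exe.config,
# applies the disk-space formula above to the drive they live on, and lists the back-pressure
# events (15004-15007). Run on the Mailbox (transport) server in an elevated PowerShell.
$ConfigPath      = Join-Path $env:ExchangeInstallPath 'Bin\EdgeTransport.exe.config'
$FixedConstantMB = 500    # the fixed constant in 100 * (disk size - constant) / disk size

function Get-QueuePaths {
    param([string]$Path)
    [xml]$cfg = Get-Content -Path $Path
    $keys = @{}
    foreach ($a in $cfg.configuration.appSettings.add) { $keys[$a.key] = $a.value }
    # Fallback used when the keys are absent (assumption: the stock install location)
    $default = Join-Path $env:ExchangeInstallPath 'TransportRoles\data\Queue'
    $db   = $keys['QueueDatabasePath'];        if (-not $db)   { $db   = $default }
    $logs = $keys['QueueDatabaseLoggingPath']; if (-not $logs) { $logs = $default }
    [pscustomobject]@{ Database = $db; Logs = $logs }
}

function Get-DiskPressure {
    param([string]$AnyPathOnDrive, [int]$ConstantMB)
    $drive = Split-Path -Path $AnyPathOnDrive -Qualifier          # e.g. 'D:'
    $disk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $sizeMB  = $disk.Size / 1MB
    $usedPct = 100 * ($disk.Size - $disk.FreeSpace) / $disk.Size
    $highPct = 100 * ($sizeMB - $ConstantMB) / $sizeMB               # the post's formula
    [pscustomobject]@{
        Drive            = $drive
        SizeGB           = [math]::Round($disk.Size / 1GB, 1)
        FreeMB           = [math]::Round($disk.FreeSpace / 1MB)
        UsedPercent      = [math]::Round($usedPct, 2)
        HighThresholdPct = [math]::Round($highPct, 2)
        UnderPressure    = ($usedPct -ge $highPct)   # true once 500 MB or less is free
    }
}

function Get-BackPressureEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchangeTransport'
        Id           = 15004, 15005, 15006, 15007
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }   # first line only
}

$paths = Get-QueuePaths -Path $ConfigPath
$paths | Format-List
Get-DiskPressure -AnyPathOnDrive $paths.Database -ConstantMB $FixedConstantMB | Format-List
Get-BackPressureEvents -Hours 24 | Format-Table -AutoSize
```

The config file is read when the Microsoft Exchange Transport service starts, so new queue paths take effect only after that service has been restarted.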

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Quick Bites – Deploy Edge server in Exchange 2010/2013 coexistence scenarios

If you deploy Exchange 2013 servers in your Exchange 2010 organization and your external mail flow is configured to pass through Exchange 2013 Edge Transport servers, you should configure the Edge Subscription for the Exchange 2013 Edge servers to your existing Exchange 2010 Hub Transport servers.

You can subscribe an Edge server in a site to multiple Hub Transport servers (Exchange 2007/2010), or to combined Client Access and Mailbox servers if they are Exchange 2013.

You can subscribe a 2007/2010 Edge server to combined Exchange 2013 CAS and Mailbox servers, and vice versa.

You can import the Edge Subscription file and run EdgeSync on a standalone Exchange 2013 Mailbox server, or on a server where the Mailbox server and the Client Access server are installed on the same computer.

Note:

You can't import the Edge Subscription file or run EdgeSync on a standalone Exchange 2013 Client Access server.
You cannot subscribe an Edge server to multiple sites, since Edge servers are bound to a specific site; within a single site it can be subscribed to multiple Mailbox and CAS servers.

Make sure you open the ports below on the firewall:

Inbound traffic:
SMTP – TCP port 25 (from Internet)
SMTP – TCP port 25 (from Edge server to Hub server on internal network)
Outbound traffic:
SMTP – TCP/UDP port 25 (from Edge to Internet)
SMTP – TCP/UDP port 25 (from Hub to Edge server)

Very IMP: Do not open the ports mentioned below on the perimeter firewall. They should be open only on the intranet firewall.

LDAP for EdgeSync – TCP port 50389 (from Mailbox to Edge server)
Secure LDAP for EdgeSync – TCP port 50636 (from Mailbox to Edge server)

Thanks
Sathish Veerapandian

MVP – Exchange Server

Microsoft Exchange Search Host Controller service terminated unexpectedly

We might notice that the Microsoft Exchange Search Host Controller service crashes intermittently after a database failover and tries to restart on its own but never succeeds.

When we look into the Application log we find the following events:

The Microsoft Exchange Search Host Controller service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service

Faulting application name: hostcontrollerservice.exe, version: 15.0.4454.1006, time stamp: 0x50d08ef5
Faulting module name: KERNELBASE.dll, version: 6.2.9200.16384, time stamp: 0x5010ab2d
Exception code: 0xe0434352
Fault offset: 0x00000000000189cc
Faulting process id: 0x73f0
Faulting application start time: 0x01d0348c64230ae1
Faulting application path: C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: a5eb039b-a07f-11e4-9438-00155d0aca05
Faulting package full name:
Faulting package-relative application ID:

 

What is the main functionality of the Microsoft Exchange Search Host Controller service?

It connects to the Exchange mailbox databases and creates a content index for each database.

These content indexes are used by eDiscovery search: eDiscovery queries run across the entire organization rely on them.

What is affected if the Microsoft Exchange Search Host Controller service is stopped?

1) We will not be able to perform an eDiscovery search across the organization.

2) A mailbox database in a DAG will not fail over automatically if its content index is not healthy and shows as failed and suspended.

However, as a workaround we can perform a manual failover through EMS with the -SkipClientExperienceChecks switch even with a bad content index state.

Things to check:

I would recommend having the latest updates installed on all Exchange servers.

Disable all the AV and third-party agents running on the affected server, try starting the host controller service and see the results.

Check the content index state of the database copies on the affected server.

If the content index state shows as failed, rebuilding the content index will help to get the host controller service started.

However, if you identify the content index state to be failed and suspended for only one database, you can use the command below to reseed the content index catalog only for that database:

Update-MailboxDatabaseCopy -Identity DBname\MBXservername -CatalogOnly
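The check and the catalog-only reseed above as one script, an added example that is not part of the original post: it lists the content index state of every database copy on the server and reseeds only the catalogs that are FailedAndSuspended, leaving the full rebuild described next for the case where every copy is affected. It runs in the Exchange Management Shell; $Server defaults to the local server.

```powershell
# Added example, not from the original post: check the content index state of every
# database copy on this server and reseed only the catalogs that are FailedAndSuspended.
# Runs in the Exchange Management Shell; $Server defaults to the local server.
$Server = $env:COMPUTERNAME

function Get-ContentIndexHealth {
    param([string]$Server)
    Get-MailboxDatabaseCopyStatus -Server $Server |
        Select-Object Name, Status, ContentIndexState, ContentIndexErrorMessage
}

# Only the catalog is reseeded; the database copy itself is left untouched
function Repair-FailedCatalogs {
    param([string]$Server, [switch]$WhatIf)
    Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $_.ContentIndexState -eq 'FailedAndSuspended' } |
        ForEach-Object {
            # Name has the form DBname\MBXservername, the identity Update-MailboxDatabaseCopy expects
            Update-MailboxDatabaseCopy -Identity $_.Name -CatalogOnly -Confirm:$false -WhatIf:$WhatIf
        }
}

"--- content index state on $Server ---"
$health = @(Get-ContentIndexHealth -Server $Server)
$health | Format-Table -AutoSize

$failed = @($health | Where-Object { $_.ContentIndexState -eq 'FailedAndSuspended' })
if ($failed.Count -eq 0) {
    'No FailedAndSuspended catalog on this server; if the service still crashes, rebuild the whole index.'
} elseif ($failed.Count -lt $health.Count) {
    # Only some copies are affected: catalog-only reseed, database by database
    Repair-FailedCatalogs -Server $Server
} else {
    'Every copy has a failed index: a full rebuild of the host controller index is the better option.'
}
```

Add -WhatIf to the Repair-FailedCatalogs call to see which copies would be reseeded without starting the reseed.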

To rebuild the whole content index of the affected mailbox server, perform the following task.

Log on to the affected server and navigate to the location below, where the host controller files are:

C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController

Set the host controller service and the Microsoft Exchange Search service to the disabled and stopped state.

Rename the folder hostcontroller to hostcontroller.old and start the host controller service; this time it should most probably start without any issues.

Once the service starts it will build new content indexes for the mailbox databases on the affected server.

Also Refer : http://social.technet.microsoft.com/wiki/contents/articles/29640.microsoft-exchange-search-host-controller-service-terminated-unexpectedly.aspx

Thanks

Sathish Veerapandian

MVP – Exchange Server

Quick Bites – Lync Mediation Server concurrent voice call handling capacity

What is the maximum number of concurrent voice calls that a single Mediation Server can handle?

1) Standalone Mediation Server.

2) Collocated with a Front End server.

It depends on the number of servers configured in the pool.

The number of video conferences and voice calls that can be hosted on a given number of servers also depends on what other workloads, such as IM and desktop sharing, are used in the organization.

The calculation for video conferencing hosted on a Front End Server is in the TechNet article Scenario-Based Capacity Planning:

http://technet.microsoft.com/en-us/library/gg615029.aspx

Can we use DNS load balancing for a Mediation Server collocated with existing Front End servers?

You must deploy DNS load balancing to support Mediation Server pools that have multiple Mediation Servers.

For details, see the "Using DNS Load Balancing on Mediation Server Pools" section of DNS Load Balancing in the Planning documentation:

http://technet.microsoft.com/en-us/library/gg398634.aspx

Mediation Servers should use only DNS load balancing, according to Microsoft's recommendation:

http://technet.microsoft.com/en-us/library/gg398391.aspx

If you want to deploy multiple Mediation Servers in the pool to provide high availability, select the multiple computer pool option.

Thanks 

Sathish Veerapandian

MVP – Exchange Server