Category Archives: Exchange2013

Quick Bites – Best practices for installing Exchange Servers across different subnets/sites

In this article I have collected a few points that need to be considered when planning Exchange Servers across different subnets.

Exchange servers work perfectly fine on different subnets as long as there is no firewall between the Exchange servers in those subnets. Even with a firewall in between it will work, but make sure the servers have connectivity to the domain controllers and global catalog servers through that firewall, since Exchange needs to contact them frequently.

Keep in mind that Exchange servers need to talk to each other almost constantly; a firewall in the path makes troubleshooting much harder if you run into any issues with Exchange and GC/DC connectivity. Also ensure that the Windows Firewall or an antivirus product is not interfering between the two subnets. Let's have a look at a few things that we need to consider during planning.

For DAG –
If I have servers on multiple subnets, do I need a DAG IP address in the range of each subnet?

A DAG IP address from the new subnet must be added to the DAG before a node in that subnet can join the DAG. This is needed so that the DAG name can be switched and hosted in either of the subnets.

The MAPI network and the replication network should not be on the same subnet. Keeping them on different subnets avoids a single point of failure: when the replication network fails, replication automatically fails over to the DAG's MAPI network. A DAG member that communicates with another site requires a different replication network subnet in each site.

The tasks below can be performed to verify that the DAG configuration is correct.

Run the command below to check the DAG's network settings:

Get-DatabaseAvailabilityGroup -Identity DAGNAME | Format-Table DatabaseAvailabilityGroupIpAddresses

To provide network connectivity between the replication subnets, a persistent static route must be added to each DAG member's routing table.

To create a persistent static route, run the commands below (example IP addresses; on each member, the route points at the other site's replication subnet):

netsh interface ipv4 add route prefix=10.3.0.0/24 interface="Replication 1" nexthop=10.4.0.2 store=persistent
netsh interface ipv4 add route prefix=10.4.0.0/24 interface="Replication 2" nexthop=10.3.0.2 store=persistent

Validate through Failover Cluster Manager that the DAG IP address resource is online.
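As an added example (not code from the original post), the following PowerShell function checks a planned DAG network layout for the two conditions described above: a subnet shared by a MAPI network and a replication network, and a MAPI subnet that has no DAG IP address. The networks and DAG IP addresses below are constructed sample data; the comment at the end shows how to feed it live output, assuming the property names Subnets/SubnetId, MapiAccessEnabled, ReplicationEnabled and DatabaseAvailabilityGroupIpAddresses of Get-DatabaseAvailabilityGroupNetwork and Get-DatabaseAvailabilityGroup.

```powershell
function ConvertTo-UInt32Address {
    # Dotted-quad IPv4 string -> unsigned 32-bit integer.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-SubnetContainsAddress {
    # $true when $Address falls inside $Cidr, e.g. '10.3.0.0/24' contains '10.3.0.17'.
    param([string]$Cidr, [string]$Address)
    $network, $prefix = $Cidr.Split('/')
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
    $addr = ConvertTo-UInt32Address -Address $Address
    $net  = ConvertTo-UInt32Address -Address $network
    return (($addr -band $mask) -eq ($net -band $mask))
}

function Test-DagNetworkLayout {
    # Returns one finding string per problem; an empty result means the layout passes both checks.
    param(
        [object[]]$Networks,        # Name, MapiAccessEnabled, ReplicationEnabled, Subnets (CIDR strings)
        [string[]]$DagIpAddresses   # the DAG's IP address list
    )
    $findings = @()
    $mapi = $Networks | Where-Object { $_.MapiAccessEnabled }
    $repl = $Networks | Where-Object { $_.ReplicationEnabled -and -not $_.MapiAccessEnabled }

    # Check 1: a MAPI network and a replication network must not share a subnet.
    foreach ($m in $mapi) {
        foreach ($r in $repl) {
            $shared = $m.Subnets | Where-Object { $r.Subnets -contains $_ }
            foreach ($s in $shared) {
                $findings += "Subnet $s is on both MAPI network '$($m.Name)' and replication network '$($r.Name)'"
            }
        }
    }
    # Check 2: every MAPI subnet needs a DAG IP address so the DAG name can be hosted there.
    foreach ($s in ($mapi | ForEach-Object { $_.Subnets })) {
        $covered = $DagIpAddresses | Where-Object { Test-SubnetContainsAddress -Cidr $s -Address $_ }
        if (-not $covered) { $findings += "MAPI subnet $s has no DAG IP address" }
    }
    return $findings
}

# Constructed sample: two MAPI subnets, a second replication network that wrongly reuses a MAPI subnet,
# and a DAG IP address in only one of the MAPI subnets.
$sampleNetworks = @(
    [pscustomobject]@{ Name = 'MapiDagNetwork';          MapiAccessEnabled = $true;  ReplicationEnabled = $true;  Subnets = @('192.168.1.0/24', '192.168.2.0/24') }
    [pscustomobject]@{ Name = 'ReplicationDagNetwork01'; MapiAccessEnabled = $false; ReplicationEnabled = $true;  Subnets = @('10.3.0.0/24') }
    [pscustomobject]@{ Name = 'ReplicationDagNetwork02'; MapiAccessEnabled = $false; ReplicationEnabled = $true;  Subnets = @('192.168.2.0/24') }
)
$sampleDagIps = @('192.168.1.50')

Test-DagNetworkLayout -Networks $sampleNetworks -DagIpAddresses $sampleDagIps

# Live use in the Exchange Management Shell (assumed property names, see lead-in):
#   $nets = Get-DatabaseAvailabilityGroupNetwork -Identity DAGNAME | ForEach-Object {
#       [pscustomobject]@{ Name = $_.Name; MapiAccessEnabled = $_.MapiAccessEnabled; ReplicationEnabled = $_.ReplicationEnabled
#                          Subnets = @($_.Subnets | ForEach-Object { $_.SubnetId.ToString() }) } }
#   $ips  = (Get-DatabaseAvailabilityGroup -Identity DAGNAME).DatabaseAvailabilityGroupIpAddresses | ForEach-Object { $_.ToString() }
#   Test-DagNetworkLayout -Networks $nets -DagIpAddresses $ips
```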

 
For CAS Array –

A CAS array is site specific.

It is possible to add two CAS servers from different subnets to a CAS array, but they must be in the same AD site, since they should be querying the same DCs. So if you plan to add CAS servers from two different subnets to one array, the Exchange servers can be spanned across two datacenters within a single AD site.

If it is going to be two different subnets and two different sites, we need to create two CAS arrays, one in each site, and probably use DNS round robin, which does not give full HA even with tuned TTL values.

 
For HUB –

Hub Transport servers are site specific, so we need Hub servers in each site. Hub servers can provide HA across different subnets and handle mail routing only when they are spanned across datacenters within the same site.
If we plan HA for Hub servers in a different subnet and a different site, we need to install Hub servers in each site.

The above points will be useful when planning an Exchange server deployment across two sites and subnets.

Reference –

http://blogs.technet.com/b/timmcmic/archive/2014/05/06/exchange-2010-2013-what-constitutes-a-failure-of-the-replication-network.aspx

http://social.technet.microsoft.com/wiki/contents/articles/28362.best-practices-for-installing-exchange-servers-across-different-subnetssites.aspx

Thanks 

Sathish Veerapandian

MVP – Exchange Server 

Steps to configure cross-forest availability between two exchange forests in Exchange 2013

In this article let's have a look at the steps to configure cross-forest availability between two Exchange forests.

By using the Add-AvailabilityAddressSpace cmdlet, which has been introduced from Exchange 2013, we are able to share Exchange free/busy data between two forests.

A trust relationship between the source forest and the target forest is required for this command to succeed.

If a trust relationship exists between the two forests, run the following commands.

In our example we will share free/busy information between the domains Exchangequery.com and toybox.com.

To share free/busy information between these two forests we need to perform the steps below.

In the source forest (ExchangeQuery.com), perform the following tasks:

Add-AvailabilityAddressSpace -ForestName toybox.com -AccessMethod PerUserFB -UseServiceAccount $true

The above command adds the target forest's address space in the source forest so that free/busy information can be shared securely.

The following access methods can be used:

PerUserFB – per-user free/busy access; the access is granted to the All Exchange Servers group.
OrgWideFB – organization-wide free/busy access through a specific group in the target forest.
InternalProxy – proxies the request to the latest version of Exchange in the site.

The access method can be selected according to our requirements.

Now run the command below in the target domain (Toybox.com):

Get-ExchangeServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "ExchangeQuery.com\Exchange Servers"

The above command adds the required permission for the source forest on the target forest's Exchange servers so that the free/busy information can be accessed.

In a trust relationship scenario, run this command in the target forest toybox to export the SCP from the target forest to the source forest:

 
Export-AutodiscoverConfig -DomainController "LocalForestDomainController" -TargetForestDomainController "(toybox.com)" -TargetForestCredential (Get-Credential) -MultipleExchangeDeployments $true

Type the Toybox\Administrator password when prompted.

Now perform the same tasks in the target forest toybox.com to add the exchangequery.com address space for sharing free/busy data.

In the target forest (Toybox.com), perform the following tasks:

Add-AvailabilityAddressSpace -ForestName exchangequery.com -AccessMethod PerUserFB -UseServiceAccount $true

Run the command below in the source domain (ExchangeQuery.com):

Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight -ExtendedRights "ms-exch-epi-token-serialization" -User "Toybox.com\Exchange Servers"

 

Now run this command in the forest Exchangequery.com to export the SCP from the target forest to the source forest:

Export-AutodiscoverConfig -DomainController "LocalForestDomainController" -TargetForestDomainController "exchangequery.com" -TargetForestCredential (Get-Credential) -MultipleExchangeDeployments $true

Type the Exchangequery.com\Administrator password when prompted.

Important note: the Add-AvailabilityAddressSpace command is available and applicable only for Exchange 2013 servers and Office 365.

The required trust relationship, contacts and address space between the two organizations must already be created and replicated between them; only then will free/busy information work.

Reference – http://technet.microsoft.com/en-us/library/bb124122(v=exchg.150).aspx

http://social.technet.microsoft.com/wiki/contents/articles/28332.steps-to-configure-cross-forest-availability-between-two-exchange-forests-in-exchange-2013.aspx

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Quick Bites – Troubleshooting POP and IMAP connectivity issues in Exchange 2013

In this article let's have a look at troubleshooting POP and IMAP connectivity issues in Exchange 2013.

First let's go through the basic requirements: the features and settings that need to be enabled in order for these services to work.

 
What ports should be used by the clients for each configuration:

Port 25 for SMTP with or without TLS, anonymous authentication (outgoing)
Port 587 for SMTP with TLS (outgoing)
Port 143 for IMAP without TLS (incoming)
Port 993 for IMAP with SSL/TLS (incoming)
Port 110 for POP3 without TLS (incoming)
Port 995 for POP3 with SSL/TLS (incoming)

Ensure that all the required ports are open in your firewall according to the configuration you have (with or without TLS). We can also telnet from outside and check that we get a proper banner:

For POP – telnet domainname 110
For IMAP – telnet domainname 143

Do we need to install any certificates on the servers for TLS to work?

You should create a certificate that includes your CAS server FQDN and Mailbox server FQDN as SAN names. It should not be a self-signed certificate; obtain it from an internal CA or a public CA. Then assign the SMTP, POP3, IMAP and IIS services to this certificate; only then will TLS work.

Do we need to configure anything on the server for POP and IMAP authentication?

For the authentication (login) type of the POP and IMAP services we can choose PlainTextLogin or SecureLogin; see http://technet.microsoft.com/library/aa997188(v=exchg.141).aspx. It defines how the client application provides the username and password for authentication.

 
The following can also be checked when troubleshooting POP and IMAP issues:
Run Test-PopConnectivity and check the results.
Run Test-ImapConnectivity and check the results.
Use the Remote Connectivity Analyzer for IMAP and POP and check the results.

Run the commands below to see the POP and IMAP settings:
Get-PopSettings -Server CASservername
Get-ImapSettings -Server CASservername

Restart the POP3 service and check the results.
Check that the POP3 service has a valid certificate assigned.
Run Get-ExchangeCertificate and check that the certificate is assigned to the POP and IMAP services.

Check your port configuration and ensure it is correct:
Port 110 for POP3 without TLS;
Port 995 for POP3 with SSL.

If you have configured POP or IMAP with SSL or TLS, a valid certificate must be assigned so that the service can respond over SSL or TLS (depending on which type you chose).

Check the incoming and outgoing mail server in the Outlook account settings.

We can enable logging for the POP3 and IMAP4 services and open the log at the configured location.

Refer to http://technet.microsoft.com/en-us/library/aa997690(v=exchg.141).aspx to set the location and enable the log.
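As an added example (not part of the original post), here is a PowerShell equivalent of the telnet banner check above that also covers the SSL/TLS ports: it connects, reads the POP3/IMAP greeting and, for 995/993, reports the certificate subject and expiry, whether its SAN covers the server name, and any chain validation errors. mail.example.com is a placeholder host, and the SAN parsing assumes the Windows text form of the extension.

```powershell
function Test-CertificateCoversName {
    # $true when the certificate's SAN DNS names (or its subject CN) cover $Name.
    # Assumes the Windows text form of the SAN extension: "DNS Name=host1, DNS Name=host2".
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Name
    )
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    foreach ($n in $names) {
        if ($n -eq $Name) { return $true }
        # A wildcard covers exactly one label: *.example.com matches mail.example.com only.
        if ($n.StartsWith('*.') -and ($Name -like $n) -and
            ($Name.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

function Test-MailListener {
    # Connects to a POP3/IMAP port, reads the greeting banner and, when -UseTls is set,
    # reports the certificate subject, expiry, name coverage and chain validation result.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [switch]$UseTls,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        Server = $Server; Port = $Port; Tls = $UseTls.IsPresent; Banner = $null
        CertSubject = $null; CertExpires = $null; NameMatches = $null; ChainErrors = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "connect to ${Server}:$Port timed out" }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        if ($UseTls) {
            # Accept any certificate during the handshake so it can be inspected, then validate it
            # explicitly with X509Chain below instead of relying on the handshake outcome.
            $ssl = New-Object System.Net.Security.SslStream($stream, $false, { param($s, $c, $ch, $e) $true })
            $ssl.AuthenticateAsClient($Server)
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # set to 'Online' to also check CRL/OCSP
            $result.ChainErrors = if ($chain.Build($cert)) { 'None' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
            $result.CertSubject = $cert.Subject
            $result.CertExpires = $cert.NotAfter
            $result.NameMatches = Test-CertificateCoversName -Certificate $cert -Name $Server
            $stream = $ssl
        }
        $reader = New-Object System.IO.StreamReader($stream)
        $result.Banner = $reader.ReadLine()   # e.g. the POP3 "+OK ..." or IMAP "* OK ..." greeting
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Ports from the post: 110/143 without TLS, 995/993 with SSL/TLS. The host name is a placeholder.
$server = 'mail.example.com'
$checks = @(
    @{ Port = 110; UseTls = $false }, @{ Port = 143; UseTls = $false },
    @{ Port = 995; UseTls = $true },  @{ Port = 993; UseTls = $true }
)
$checks | ForEach-Object { Test-MailListener -Server $server -Port $_.Port -UseTls:($_.UseTls) } |
    Format-Table Port, Tls, Banner, NameMatches, ChainErrors, CertExpires, Error -AutoSize
```

A non-empty ChainErrors column (for example UntrustedRoot) or NameMatches = False on 995/993 points at the certificate requirement described above rather than at the firewall.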

Thanks 

Sathish Veerapandian

MVP – Exchange Server

Update – Exchange Server meetings in Russian time zones as well as names of time zones may be incorrect after October 26, 2014

After October 26, 2014, some Exchange Server users in Russian time zones may see incorrect meeting times, and time zone display names may be outdated in OWA.

Microsoft released an update (KB 2998527) for Windows on September 23, 2014 to address this change. It should be installed on end-user PCs and servers, since Exchange and Outlook rely on Windows for time zone information.

How to obtain this update

The following files are available for download from the Microsoft Download Center.

Update for Windows Server 2012 R2 (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1bf7a4a0-3bc1-41cc-a374-b4ce39468c32

Update for Windows Server 2012 (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=4f9e0be3-8b1e-4a55-a901-397a4b63953b

Update for Windows 8.1 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=ab371992-26ff-41dc-9c4f-d5ada0f40f5c

Update for Windows 8.1 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=349e7859-5815-45f3-8f4a-8054a3db804d

Update for Windows 8 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3691d9fd-6a0a-47cd-b809-82ad81a71082

Update for Windows 8 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=2f8d1b1f-ec76-4a3c-9d48-a85bfc0394b4

Update for Windows Server 2008 R2 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=388ab764-8dd4-4ec9-ab03-d7005c553d9c

Update for Windows Server 2008 R2 for Itanium-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=de6ccda2-8ddc-4368-bf20-57e54d3b1d18

Update for Windows 7 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=c3aaf9fd-9bcb-45d6-9573-370a750ed200

Update for Windows 7 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1f09acc5-8791-4d63-ae59-8a9b8d4f0ef3

Update for Windows Embedded Standard 7 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3f1ec6b5-8d72-45e9-9c14-26afeb8a92fb

Update for Windows Embedded Standard 7 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=afe9f877-1554-465c-a89b-0be103ab5468

Update for Windows Server 2008 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=04ff80b6-4581-4f2c-8133-f344d26d5d35

Update for Windows Server 2008 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=dede4525-57c1-4cb2-b454-0b617f35e357

Update for Windows Server 2008 for Itanium-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=27a6e895-869b-4011-ae11-ada1c25e26e2

Update for Windows Vista for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=ef48921e-d478-46d3-9b6f-8620a53fa4e8

Update for Windows Vista for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1707623b-ae1c-4250-ad55-011ec063c279

Update for Windows Server 2003 for x64-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=8573abcf-47a0-4a24-88fc-d8adde177781

Update for Windows Server 2003 for x32-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1f44929a-fc1b-4b41-b179-c48e4a2b1975

Update for Windows Server 2003 for Itanium-based systems (KB2998527)
http://www.microsoft.com/downloads/details.aspx?FamilyId=de452734-bb99-4d05-873e-0f12988f61d6

 

If end users still report issues after the above update is applied, the following can be checked for the affected user:

1) Restart the affected user's PC and check the result.

2) Log in to OWA as the affected user and check whether the time zone is set to UTC+4.

3) If it is set to a different time zone, correct the value to UTC+4.

Check the date and time settings on the affected user's PC; they should show UTC+3, which is the Russian time zone.

4) Also run the command below to ensure that the affected user's time zone is set to Russian Standard Time:

Get-MailboxRegionalConfiguration "affecteduserid"

5) If the user's TimeZone is set to a different region, run the command below to change it to Russian Standard Time:

Set-MailboxRegionalConfiguration "affecteduserid" -TimeZone "Russian Standard Time"

References – https://support.microsoft.com/kb/2998527?wa=wsignin1.0

Thanks 

Sathish Veerapandian

Ports and protocols Requirement for Exchange and Lync Server Deployment

Very often in a new deployment project we get confused when running into multiple issues and tasks. The most confusing part is the port requirements for internal and external access as well as the related services. I have consolidated and prepared a document of the port requirements for a new on-premises deployment of Lync and Exchange servers.

Let's have a look at the Lync server requirements first.

The following ports, for the respective protocol and direction, should be open for a hassle-free, fully featured Lync-enabled user to function properly.

Port              Protocol      Direction       Usage

5060/5061         TCP/UDP       Bidirectional   SIP
1434              UDP           Bidirectional   SQL servers
443               STUN/TCP      Outgoing        Audio, video, application sharing sessions
444               HTTPS/TCP     Bidirectional   Lync Front End server
443               PSOM/TLS      Outgoing        Data sharing sessions
3478              STUN/UDP      Outgoing        Audio, video sessions, desktop sharing
5223              TCP           Outgoing        Lync Mobile push notifications
50000-59999       RTP/UDP       Outgoing        Audio, video sessions
5067              TCP/TLS       Bidirectional   Incoming SIP requests for Mediation servers
57501-65535       TCP/UDP       Bidirectional   Video conferencing
8057, 8058        TCP/TLS       Bidirectional   Front End service

 
For remote access to work for IM and presence, SIP traffic must be allowed to flow bi-directionally. Hence the following ports need to be allowed:

• Port 443 and 5061 from the Internet to the Access Edge external IP (bi-directional)
• Port 5061 from the Edge internal IP to the internal network (bi-directional)

The Edge server should be accessible from the Internet over ports 443, 3478 and 5061.
The reverse proxy requires port 443 to be open.
For a mobile user outside the corporate network, the request hits the reverse proxy and is then sent to the Front End pool or Director. No user-level authentication is done on the reverse proxy.
It is always recommended to implement the Director server role for additional security. The Director both offloads authentication and provides an extra layer of protection against DoS attacks.
The Director must be in the same subnet as the Front End servers, in the private network; it should not be in the perimeter network or DMZ.

 
Below is the flow of mobile application requests for the Mobility Service:

All external Lync login requests from mobile devices go through the reverse proxy server, then to the Edge server, and then hit the Front End pool.
Lync Server gets the user information from the Autodiscover service and then returns all the web services URLs for the user's home pool, including the Mobility Service URLs.

Below is the list of additional features that require external access through a reverse proxy for users accessing them externally. We need to validate them once the deployment is completed.

1) Enabling external users to download meeting content for any meetings.
2) Enabling external users to expand distribution groups.
3) Enabling remote users to download files from the Address Book service.
4) Accessing the Microsoft Lync Web App client.
5) Accessing the Dial-in Conferencing Settings webpage.
6) Accessing the Location Information service.
7) Enabling external devices to connect to Device Update web service and obtain updates.

Now let's look at the port requirements for Exchange servers as well.

Port requirements for Exchange on-premises servers (applies to Exchange 2010 and 2013):

Port              Protocol      Direction       Usage

25                SMTP          Bidirectional   Sending and receiving email
50636             TCP           Bidirectional   Hub to Edge and vice versa
135               TCP/RPC       Outgoing        Hub to Mailbox via MAPI
80/443            HTTP/HTTPS    Bidirectional   Autodiscover
993               TCP           Incoming        IMAP
995/110           TCP           Incoming        POP3 (either port, depending on configuration)
5075-5077         TCP           Incoming        CAS to OCS communications
5061              TCP           Outgoing        CAS to OCS communications

 

For OWA and Outlook Anywhere, port 443 should be open in the firewall.
For IMAP, port 993 should be open in the firewall. Port 25 should be open in the firewall for both internal and external Internet mail flow.

I think most of the port requirement for Lync and Exchange deployment have been added above. Feel free to comment or correct me if anything needs to be added or corrected.

Also Refer – http://social.technet.microsoft.com/wiki/contents/articles/28141.ports-and-protocols-requirement-for-exchange-and-lync-server-deployment.aspx

References:

http://technet.microsoft.com/en-us/library/gg398833.aspx

http://technet.microsoft.com/en-us/library/bb331973.aspx

http://support.microsoft.com/kb/2409256#VerifyNetworkRequirements

http://support.microsoft.com/kb/2423848

http://technet.microsoft.com/en-us/library/gg425727

Thanks 
Sathish Veerapandian

MVP – Exchange Server

Steps to Delete circulated Suspicious emails with Search-Mailbox

In this article we will have a look at the steps to identify spam emails circulated in an environment. When a user suspects a spam email and informs the IT team, the first question for an admin is whether the email has been circulated to everyone or not.

There are multiple scenarios where the spam messages can be circulated in an environment.

  • From single spam source  email address to single recipient.
  • From Single spam email address to multiple recipients.
  • From multiple spam email address to multiple recipients with different subject line.

It is always better to search the whole organization to make sure the emails have not been circulated to all users.

The easiest way to identify the spam emails is to run a search command with the subject line so that all the affected mailboxes can be identified.

Now we will have a look at the steps to perform this with the Search-Mailbox command.

First we need to add the user who is going to perform this task to the Discovery Management role group.
This is required to use the Search-Mailbox command; without it the user will not be able to run the search.

Create a new role group as below. We need this in order to export/import the contents from the source mailbox and copy them to the target mailbox.
Run the commands below to create the role group if it does not already exist. If the import/export role group already exists, just add the user who is going to perform this action to it.
To create – New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
To add a user – Add-RoleGroupMember "Mailbox Import-Export Management" -Member Administrator


Even if a single user suspects a virus message, it is better to search the whole organization to make sure the email has not been circulated to others. Now run the command below to search for the virus email throughout the organization. In our example we are going to identify an infected email with the subject "Virus Infected":

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -LogOnly -TargetMailbox administrator -TargetFolder filter -LogLevel Full


Once we run the command we can see the search starting, as shown in the screenshot above. The search may take some time depending on the environment and the number of mailboxes.

Upon successful completion of the search we can see the logs and the emails in the attached zip file, as shown in the screenshot.


Now run the command below to search for the infected emails and delete all of them across the whole organization:

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -TargetMailbox administrator -TargetFolder filter -DeleteContent -LogLevel Full


Once it identifies the affected emails it asks for confirmation, as shown in the screenshot above, before deleting the suspected emails.

Apart from the above, as an additional security check we can also run a message tracking search on the subject across the whole organization to see to whom the infected emails were circulated and to ensure all of them have been deleted.

Run the command below to perform message tracking by subject across the whole organization. In our case we are using the subject "Virus Infected":

Get-ExchangeServer | Where-Object { $_.IsHubTransportServer -eq $true -or $_.IsMailboxServer -eq $true } | Get-MessageTrackingLog -MessageSubject "Virus Infected" -ResultSize Unlimited | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp


Important note:

Add your account to the Discovery Management role group for the Search-Mailbox command to work:

Add-RoleGroupMember -Identity "Discovery Management" -Member Administrator

The above method can be used to identify and delete any circulated spam email in the organization.

Thanks

Sathish Veerapandian

MVP – Exchange Server

AdminAuditlogging in Exchange 2013

By enabling admin audit logging we can keep track of the organization-level and user-level changes made in an environment. This gives us more information when we need to track a major change and find out who made it.

By default, admin audit logging is enabled in a new installation of Exchange 2013. We can define the list of audited cmdlets so that any administrator who runs a cmdlet in that list is captured in the logs, which gives us close security control over the messaging environment. We can also exclude a few cmdlets from admin audit logging so that they are not captured in the logs.

By default, all cmdlets except the Get, Search and Test cmdlets are logged once logging is enabled; that is, Get, Search and Test cmdlets are not captured in the audit logs. This can be modified with AdminAuditLogCmdlets, and each cmdlet to be monitored or excluded can be specified individually.

Now let's have a look at enabling and modifying the admin audit logging properties.

Run the below command to check the audit logging properties

Get-AdminAuditLogConfig

The parameters highlighted in the red box in the screenshot are the main ones we need to concentrate on.

As we can see, AdminAuditLogCmdlets has the value *, which means it logs all cmdlets except the Search and Get cmdlets. AdminAuditLogExcludedCmdlets is empty, so there are no exclusions by default.

I can enable logging only for a few important org-level cmdlets by setting a value in AdminAuditLogCmdlets.

If I want to exclude a few cmdlets that the admins need for daily operations, I can add them to AdminAuditLogExcludedCmdlets.

Here is an example. The command below logs only the changes made to accepted domains, mailbox databases and send connectors:

Set-AdminAuditLogConfig -AdminAuditLogCmdlets New-AcceptedDomain,Set-SendConnector,Dismount-Database

Note: to add multiple values, specify the cmdlets as a comma-separated list, as shown in the screenshot.


Now we can see only the values below in the logged cmdlets.


The value below excludes logging for Set-Mailbox, Disable-Mailbox and Enable-Mailbox in our example:

Set-AdminAuditLogConfig -AdminAuditLogExcludedCmdlets Set-Mailbox,Disable-Mailbox,Enable-Mailbox


Now we can see only the values below in the excluded cmdlets.


We have now enabled admin audit logging, and all changes made with the cmdlets listed in AdminAuditLogCmdlets will be stored.

Where do these logs get stored?

From Exchange 2010 SP1 onwards the audit mailbox is created automatically when audit logging is enabled, which is more secure. An admin audit logs folder is created in the audit mailbox and the logs are stored there. Admins do not have access to this audit mailbox, and its account is disabled by default. Even if an admin finds a way to access the audit mailbox, traces of that access are logged; there is no way to access it without leaving a history.

Below are a few examples of searching the admin audit logs.

The commands below help in finding admins who recently dismounted a database or changed a send connector's configuration:

Search-Adminauditlog -Cmdlets dismount-database | ft rundate,caller,objectmodified

Search-Adminauditlog -Cmdlets set-sendconnector | ft rundate,caller,objectmodified

During an outage, if you want to make a manual entry in these logs, you can use the Write-AdminAuditLog command; the entry is made in your name so that it can be recognised and excluded. Below is an example:

Write-AdminAuditLog -Comment "Ran Dismount-Database and Mount-Database"

Overall it is very useful for monitoring organizational changes. If we run these searches once a month, we can monitor the organization-level and server-level changes done by admins.
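For the monthly review suggested above, here is an added example (not from the original post) that turns Search-AdminAuditLog output into a flat report: it joins each entry's CmdletParameters into one column (Export-Csv otherwise writes the collection's type name rather than the values), flags callers outside an expected administrator list, and summarises changes per caller and cmdlet. The three entries below are constructed placeholders; the property names used (Caller, CmdletName, CmdletParameters with Name/Value, ObjectModified, RunDate) are those of the cmdlet's output.

```powershell
function ConvertTo-AuditRow {
    # Flattens one Search-AdminAuditLog entry into a CSV-friendly row and flags unexpected callers.
    param(
        [Parameter(ValueFromPipeline)]$Entry,
        [string[]]$ExpectedCallers = @()
    )
    process {
        $params = ($Entry.CmdletParameters | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '
        [pscustomobject]@{
            RunDate          = $Entry.RunDate
            Caller           = $Entry.Caller
            Cmdlet           = $Entry.CmdletName
            ObjectModified   = $Entry.ObjectModified
            Parameters       = $params
            # True when an expected-caller list was given and this caller is not on it.
            UnexpectedCaller = ($ExpectedCallers.Count -gt 0) -and ($ExpectedCallers -notcontains $Entry.Caller)
        }
    }
}

function Get-AuditSummary {
    # Number of logged changes per caller and cmdlet, most active first.
    param([object[]]$Rows)
    $Rows | Group-Object Caller, Cmdlet | Sort-Object Count -Descending |
        Select-Object @{ n = 'Caller'; e = { $_.Group[0].Caller } },
                      @{ n = 'Cmdlet'; e = { $_.Group[0].Cmdlet } },
                      Count
}

# Constructed sample entries with placeholder names; live objects come from Search-AdminAuditLog.
$sample = @(
    [pscustomobject]@{ RunDate = [datetime]'2014-10-01 22:10'; Caller = 'contoso.local/Users/admin1'
        CmdletName = 'Dismount-Database'; ObjectModified = 'MDB01'
        CmdletParameters = @([pscustomobject]@{ Name = 'Identity'; Value = 'MDB01' }) }
    [pscustomobject]@{ RunDate = [datetime]'2014-10-03 09:15'; Caller = 'contoso.local/Users/admin2'
        CmdletName = 'Set-SendConnector'; ObjectModified = 'Internet'
        CmdletParameters = @([pscustomobject]@{ Name = 'Identity'; Value = 'Internet' },
                             [pscustomobject]@{ Name = 'SmartHosts'; Value = 'smarthost.placeholder.example' }) }
    [pscustomobject]@{ RunDate = [datetime]'2014-10-05 11:00'; Caller = 'contoso.local/Users/svc-helpdesk'
        CmdletName = 'Dismount-Database'; ObjectModified = 'MDB02'
        CmdletParameters = @([pscustomobject]@{ Name = 'Identity'; Value = 'MDB02' }) }
)

# Live use in the Exchange Management Shell, covering the cmdlets enabled above for the past month:
#   $sample = Search-AdminAuditLog -Cmdlets New-AcceptedDomain,Set-SendConnector,Dismount-Database `
#                 -StartDate (Get-Date).AddMonths(-1) -EndDate (Get-Date)

$expectedAdmins = @('contoso.local/Users/admin1', 'contoso.local/Users/admin2')
$rows = $sample | ConvertTo-AuditRow -ExpectedCallers $expectedAdmins

$rows | Format-Table RunDate, Caller, Cmdlet, Parameters, UnexpectedCaller -AutoSize
Get-AuditSummary -Rows $rows | Format-Table -AutoSize
$rows | Export-Csv -Path (Join-Path $env:TEMP 'AdminAuditReport.csv') -NoTypeInformation
```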

Thanks
Sathish Veerapandian
MVP - Exchange Server

Script to identify the users forwarding, redirecting and forward as attachment emails to external ids

It is always difficult to protect sensitive emails from being leaked out of an organization. To reduce this risk there are a few things that can be blocked in the global settings on the server side.

If the auto-forwarding and auto-reply options are enabled on the default remote domain, any user can create an external contact in his local Outlook profile and forward all his emails to his external IDs. This is one more way sensitive data can leak out of the organization.

The default remote domain has auto-forward and auto-reply disabled, and that is the recommended configuration.

We need to keep the auto-forwarding and auto-reply options disabled on the default remote domain. If we need to forward emails to trusted partners or vendors through an application, we can create a custom remote domain for them and enable auto-forwarding for that remote domain alone. This way no end user will be able to redirect, forward or forward-as-attachment internal emails to external IDs.

We can check that by running the below command

Get-RemoteDomain | ft Auto*


If either is enabled, run the commands below to disable them:

Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-RemoteDomain -Identity Default -AutoReplyEnabled $false

Recently I was looking for a solution to this kind of issue and came up with the idea of a script that can be used to pull out users who have redirect, forward or forward-as-attachment options enabled in their Outlook rules.

I have created a script which can be used to pull out this kind of information. The script below runs against all mailboxes in the entire organization, pulls out users who have external rules set, and then sends an email to the administrator with the result in CSV format so he can see who has this option enabled.

***************************************************

Set-ADServerSettings -ViewEntireForest $true

# Collect the forward, redirect and forward-as-attachment rules from every mailbox, then write a single CSV.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.DistinguishedName |
        Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
        Select-Object MailboxOwnerId, Name, Enabled, @{n='ForwardTo';e={$_.ForwardTo -join ';'}}, @{n='RedirectTo';e={$_.RedirectTo -join ';'}}, @{n='ForwardAsAttachmentTo';e={$_.ForwardAsAttachmentTo -join ';'}}
} | Export-Csv d:\ForwardRule.csv -NoTypeInformation

Send-MailMessage -To alias@domain.com -Cc alias@domain.com -From anyid@domain.com -Subject "Forward To" -Attachments d:\ForwardRule.csv -SmtpServer specifytransportserver

*******************************************************

Copy the above text into Notepad and save it as a .ps1 file. Navigate to the location where you saved it and then you can execute the script.

Things you need to modify in the above script:

Set the drive location for the CSV file to a place where you wish to save it.

In the To and Cc fields of Send-MailMessage, give the users to whom this report needs to be sent.

For the From address, specify the address from which it needs to be sent, and give a Mailbox server as the SMTP server if it is Exchange 2013, or a Hub Transport server if it is Exchange 2010 or 2007.

Here is the example.

Just copy the code into a text file and save it in .ps1 format, navigate to the location and run it.

The email is received with the CSV attached.

When we open the CSV file, the output is displayed for users who have the ForwardTo, RedirectTo and ForwardAsAttachmentTo options set in Outlook rules for external IDs.

Note:

This command pulls out rules from a user's mailbox only if they are enabled. If the user has created a rule and disabled it temporarily, it won't fetch that information.
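The report above lists every rule with a forward, redirect or forward-as-attachment action, including rules that point at internal recipients. As an added example (not the script from the post), the version below resolves each rule target against the organization's accepted domains so that only external targets are reported, and records whether each rule is currently enabled. The target string format is an assumption noted in the code; the output path and the mail parameters are placeholders.

```powershell
# Added example, not from the original post. Output path and mail settings are placeholders.
Set-ADServerSettings -ViewEntireForest $true

# Every accepted domain is internal. A "*.contoso.com" entry (IncludeSubDomains) is reduced to
# "contoso.com" and matched as a suffix below.
$internalDomains = Get-AcceptedDomain |
    ForEach-Object { "$($_.DomainName)".TrimStart('*', '.').ToLower() }

function Test-InternalDomain {
    param([string]$Domain)
    foreach ($d in $internalDomains) {
        if ($Domain -eq $d -or $Domain.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-ExternalAddress {
    # Rule targets render as '"Display Name" [SMTP:user@example.com]' for SMTP recipients and as
    # '"Display Name" [EX:/o=...]' for directory recipients (assumed format). Only SMTP targets
    # whose domain is not an accepted domain are returned.
    param([object[]]$Targets)
    foreach ($target in $Targets) {
        if ("$target" -match '\[SMTP:([^\]]+)\]') {
            $address = $Matches[1]
            $domain  = ($address -split '@')[-1].ToLower()
            if (-not (Test-InternalDomain $domain)) { $address }
        }
    }
}

# Walk every mailbox and every inbox rule; keep rules with at least one external target.
$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.DistinguishedName) {
        $forward  = @(Get-ExternalAddress $rule.ForwardTo)
        $redirect = @(Get-ExternalAddress $rule.RedirectTo)
        $attach   = @(Get-ExternalAddress $rule.ForwardAsAttachmentTo)
        if ($forward -or $redirect -or $attach) {
            [pscustomobject]@{
                Mailbox               = $mbx.PrimarySmtpAddress
                Rule                  = $rule.Name
                Enabled               = $rule.Enabled
                ForwardTo             = $forward -join ';'
                RedirectTo            = $redirect -join ';'
                ForwardAsAttachmentTo = $attach -join ';'
            }
        }
    }
}

# Write and mail the report only when there is something to act on.
if ($report) {
    $csv = 'd:\ExternalForwardRules.csv'
    $report | Export-Csv $csv -NoTypeInformation
    Send-MailMessage -To admin@domain.com -From anyid@domain.com -Subject 'External forwarding rules' `
        -Attachments $csv -SmtpServer specifytransportserver
}
```

Internal recipients appear in a rule as a legacy Exchange DN rather than an SMTP address, which is why the regex only picks up the SMTP form; anything that does match and is not an accepted domain is, by definition, mail leaving the organization.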

 

Thanks

Sathish Veerapandian

MVP – Exchange Server

OWA, EWS configuration in Exchange 2013/2007 coexistence

We need to consider a few factors while planning coexistence between Exchange 2013 and legacy Exchange servers, especially Exchange 2007, and we might run into a few confusions. In this article I will mention a few key points which need to be considered while planning Exchange 2007 and 2013 coexistence for the OWA and EWS setup.

In coexistence between Exchange 2013 and a legacy version, requests are handled in two ways:
For Exchange 2010 – Exchange 2013 proxies OWA and EWS requests for users on Exchange 2010.
For Exchange 2007 – Exchange 2013 redirects OWA and EWS requests for users on Exchange 2007.

When a user with an Exchange 2007 mailbox logs in externally to OWA, the request goes to Exchange 2013. Exchange 2013 now needs to redirect this connection to the Exchange 2007 server.

In order to do this, Exchange 2013 requires a dedicated external host name configured on the Exchange 2007 server for the services accessed externally. So the external and internal host names of the Exchange 2007 server need to be different from the host names of the Exchange 2013 server and need to point to the Exchange 2007 server.

Better use the Exchange Server Deployment Assistant, which gives much clearer information. If you are still confused, you can remember the following key points.

First, all the service URLs need to be moved from Exchange 2007 to the Exchange 2013 CAS server. The Exchange 2013 CAS server will redirect the connections to the Exchange 2007 server.

Legacy Names:
Configure the following legacy host names for the below services in Exchange 2007:

OwaVirtualDirectory – Create https://ExternalLegacyHostName/owa
WebServicesVirtualDirectory – Create https://ExternalLegacyHostName/EWS/Exchange.asmx
UMVirtualDirectory – Create https://ExternalLegacyHostName/UnifiedMessaging/Service.asmx
OABVirtualDirectory – Create https://ExternalLegacyHostName/OAB
ActiveSyncVirtualDirectory – Create https://InternalLegacyHostName/Microsoft-Server-ActiveSync

Planning Internal and External OWA URLs

For the Exchange 2013 OWA URL: use the same old URL for OWA access to Exchange 2013 and change the IP address internally from Exchange 2007 to E15 (Exchange 2013).
Change the external OWA URL and redirect the connections to the Exchange 2013 CAS.

For the Exchange 2007 OWA URL:

Create legacy.domain.com for external OWA users.
Create legacy.domain.com for internal OWA users.

Below is an example of modifying the OWA URL:

On Exchange 2013, point the ExternalUrl 'mail.contoso.com' to the Internet-facing Exchange 2013 CAS server.
On Exchange 2007, create the ExternalUrl as 'legacy.contoso.com'.

Certificates:

All the required SAN entries for UM, web services and ActiveSync should be created.
Add the external OWA legacy URL to the public certificate and install it on both Exchange 2007 and Exchange 2013; only then will OWA redirection work.
You need to include the internal legacy.domain.com name on the Exchange 2007 certificate for OWA coexistence.

The following changes need to be done in the firewall:

External OWA URL should be directed to the Exchange 2013 Internet-facing CAS.

External EWS URL should be directed to the Exchange 2013 Internet-facing CAS.

External Autodiscover URL should be directed to the Exchange 2013 CAS.
External ActiveSyncVirtualDirectory should be directed to the Exchange 2013 CAS.

External UMVirtualDirectory should be directed to the Exchange 2013 CAS.

Optionally, create a new NAT rule on the firewall for legacy.domain.com to the Exchange 2007 CAS. By doing this, users with a mailbox on Exchange 2007 will be able to log on directly using the URL https://legacy.domain.com/owa.

External and Internal DNS settings

Public DNS – Map all of your external public DNS records (EWS, OWA, ActiveSync etc.) to your Exchange 2013 public IP if you have a dedicated one for 2013, or to the FQDN of your Internet-facing CAS server.
Example:
Current external OWA URL (contoso.domain.com) – point it to the dedicated Exchange 2013 public IP or the Internet-facing Exchange 2013 CAS FQDN.
Current external Autodiscover – point it to the dedicated Exchange 2013 public IP or the Internet-facing Exchange 2013 CAS FQDN.

Internal DNS – Configure Exchange 2007 to point the SCP Autodiscover URI to the Exchange 2013 Client Access FQDN, and change the DNS entry for autodiscover.domain.com to the Exchange 2013 CAS server IP address.

The internal DNS records should point to the internal host name and IP address of your Exchange 2013 Client Access server.
Make sure that legacy.contoso.com resolves to CAS2007 in internal and external DNS.

Authentication Settings:

This part is a little bit tricky. You need to plan according to your organization. If you have FBA configured on a TMG or ISA server then you need to configure accordingly.
Set the OWA virtual directory authentication to Basic only in Exchange 2007.
In Exchange 2013, set the OWA virtual directory to only Windows Authentication, only forms-based authentication, or only Basic (no redirection, SSL enabled), depending on your setup.

Things to check:

If you have redirection configured in IIS on the Exchange 2007 server, make sure that the above virtual directories don't have it configured.

If you have FBA enabled on ISA or TMG, disable FBA on the Exchange 2013 CAS, else users will be prompted twice for authentication.
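The namespace, authentication and certificate steps above, collected into Exchange Management Shell commands as an added example that is not from the original post. CAS2007, CAS2013 and the contoso.com names are placeholders; the Exchange 2007 block is run in the Exchange 2007 Management Shell and the Exchange 2013 block in the 2013 shell, and the certificate check is run locally on each Client Access server.

```powershell
# Added example, not from the original post. CAS2007, CAS2013 and the contoso.com names are
# placeholders for your own servers and namespaces.

# ===== Run in the Exchange 2007 Management Shell, for the 2007 Client Access server =====
# Legacy namespace on every redirected service (the "Legacy Names" list), and OWA authentication
# set to Basic only, as the coexistence guidance requires.
Set-OwaVirtualDirectory -Identity 'CAS2007\owa (Default Web Site)' `
    -ExternalUrl 'https://legacy.contoso.com/owa' -InternalUrl 'https://legacy.contoso.com/owa' `
    -BasicAuthentication $true -FormsAuthentication $false -WindowsAuthentication $false
Set-WebServicesVirtualDirectory -Identity 'CAS2007\EWS (Default Web Site)' `
    -ExternalUrl 'https://legacy.contoso.com/EWS/Exchange.asmx'
Set-UMVirtualDirectory -Identity 'CAS2007\UnifiedMessaging (Default Web Site)' `
    -ExternalUrl 'https://legacy.contoso.com/UnifiedMessaging/Service.asmx'
Set-OabVirtualDirectory -Identity 'CAS2007\OAB (Default Web Site)' `
    -ExternalUrl 'https://legacy.contoso.com/OAB'
Set-ActiveSyncVirtualDirectory -Identity 'CAS2007\Microsoft-Server-ActiveSync (Default Web Site)' `
    -InternalUrl 'https://legacy.contoso.com/Microsoft-Server-ActiveSync'

# Autodiscover SCP on the 2007 CAS now hands clients to the 2013 namespace (Internal DNS section).
Set-ClientAccessServer -Identity CAS2007 `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml'

# ===== Run in the Exchange 2013 Management Shell =====
# The primary namespace stays on 2013; 2007 mailbox users are redirected to the legacy URL.
# Forms-based authentication here assumes FBA is not already done on TMG/ISA ("Things to check").
Set-OwaVirtualDirectory -Identity 'CAS2013\owa (Default Web Site)' `
    -ExternalUrl 'https://mail.contoso.com/owa' -InternalUrl 'https://mail.contoso.com/owa' `
    -FormsAuthentication $true -BasicAuthentication $true -WindowsAuthentication $false
Set-WebServicesVirtualDirectory -Identity 'CAS2013\EWS (Default Web Site)' `
    -ExternalUrl 'https://mail.contoso.com/EWS/Exchange.asmx'

# ===== Certificate check, run locally on each CAS =====
# The IIS-bound certificate must carry the primary, autodiscover and legacy names on both servers;
# without the legacy name the OWA redirection will not work.
$required = 'mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com'
$iisCert  = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$names    = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
$missing  = $required | Where-Object { $names -notcontains $_ }
if ($missing) {
    Write-Warning "IIS certificate on $env:COMPUTERNAME is missing: $($missing -join ', ')"
} else {
    Write-Output "IIS certificate on $env:COMPUTERNAME covers all coexistence names."
}
```

The virtual directory identities follow the `Server\VDir (Default Web Site)` form that Get-OwaVirtualDirectory and its siblings return, so the same commands can be pasted after confirming the names with the corresponding Get- cmdlet.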

References:

http://technet.microsoft.com/en-us/library/jj898581(v=exchg.150).aspx

Checklist: Upgrade from Exchange 2007
http://technet.microsoft.com/en-us/library/ff805032(v=exchg.150).aspx

Install Exchange 2013 in an Existing Exchange 2007 Organization
http://technet.microsoft.com/en-us/library/jj898582(v=exchg.150).aspx

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-2-step-by-step-exchange-2007-to-2013-migration.aspx

Thanks

Sathish Veerapandian

Configure new UM Dial Plan and UM IP Gateway in Exchange 2013

The UM server is the one that provides voice mail, Outlook Voice Access and other Exchange voice features. Integrating the UM functionality with the existing telephony system or Lync is one of the challenging roles that an admin faces. Planning should be done properly according to the enterprise voice plan used in the organization.

As we know, from Exchange 2013 on there is no separate UM role. Its services run on the Client Access server and the Mailbox server, and below is the list of services that handle UM processes.

Microsoft Exchange Unified Messaging Call Router service

Routes the incoming SIP traffic from a Lync server or any other IP-PBX or SBC that sends only SIP traffic. This traffic can come from a VoIP gateway, Session Border Controller (SBC), PBX or IP PBX. Any media traffic sent to the Client Access servers is redirected to a Mailbox server, since the Client Access servers are not capable of handling RTP and SRTP media traffic.

Microsoft Exchange Unified Messaging service

This service handles the initial Session Initiation Protocol (SIP) traffic from the Lync server when voicemails are left for the Unified Messaging service. It accepts the connection on port 5061 or 5060 (depending on whether your configuration is secure or unsecured) and then redirects to the worker process on port 5065 or 5066. This service does not do any media conversion.

Microsoft Exchange Unified Messaging Worker Process

The worker process receives SIP requests only on port 5065 or 5066, which means the actual media conversion takes place on this port. It does the following:

1) Registers the process with Unified Communications Managed API 4.0 and converts all the required information for media processing for the SRTP and RTP protocols.

2) Initializes Simple Mail Transfer Protocol (SMTP) message submission and submits the voice message to the mailbox of the UM-enabled user.

In this article we will have a look at the steps to configure UM in Exchange 2013 and integrate it with Lync or an existing telephone system.

Open EAC, click Unified Messaging and select UM dial plans.

Give it a name and provide the extension length that the users need for the subscriber access number to be used by Enterprise Voice users.

Select the dial plan type according to the Lync / IP-PBX or SBC settings you have.

Select the VoIP security mode according to your enterprise voice plan settings.

Select the appropriate country/region and click save.

Once finished, click save and select configure the dial codes.

Specify the codes according to your requirement.

Configure Outlook Voice Access as per requirement.

Select settings and configure the options for searching names when users are directed to the voice mailbox.

Configure the transfer and search options according to the requirement and click save; we are done.

Now we need to create a new UM IP gateway.

Things to consider before we create a new UM IP gateway:

Run ExchUcUtil.ps1 and OcsUmUtil.exe only if you do not have any IP-PBX or SBC and you are going to integrate your UM functionality with a Lync or OCS pool. If you have multiple dial plans associated with different enterprise voice plans then you need to plan accordingly.

If you plan to integrate with a Lync pool then run ExchUcUtil.ps1 on all Exchange Mailbox servers.

Note: The ExchUcUtil.ps1 script creates one or more UM IP gateways for Lync integration. You must disable outgoing calls on all UM IP gateways except one gateway that the script created. This includes disabling outgoing calls on UM IP gateways that were created before you ran the script.

Run OcsUmUtil.exe on the Lync server.

OcsUmUtil.exe creates contact objects for each auto attendant and subscriber access number to be used by Enterprise Voice users.

It also verifies that the name of each Enterprise Voice dial plan matches its corresponding unified messaging (UM) dial plan phone context. This matching is necessary only if the UM dial plan is running on a version of Exchange earlier than Exchange 2010 Service Pack 1 (SP1).

If you are going to integrate UM with an IP-PBX or SBC directly then you can skip the above step.

Now let us create the new UM IP gateway.

Open EAC, click Unified Messaging and select New UM IP gateway.

Give a name for the IP gateway.

In the address tab give the FQDN or the IP address of the SBC or IP-PBX that you have.

Note: When you specify the FQDN of the IP-PBX or SBC, you need to create a Host (A) record for it in DNS and map it to its IP.

Now select the associated dial plan that you need.

Now enable the options allow outgoing calls and allow message waiting indicator. Also set the forwarding address if you wish to.

Click save and we are done configuring the UM dial plan and UM IP gateway in Exchange 2013.

Note: Unified Messaging requires Enterprise CAL licensing.

There is no mandatory requirement for a public UM certificate. The UM certificate can be internal, as you do not need to publish this service to the outside world: you connect to it via Lync and therefore the communications are all internal in that respect.
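The same dial plan and gateway configuration from the Exchange Management Shell, as an added example that is not from the original post. The dial plan and gateway names, the extension length, country code, access number and the SBC address are placeholders; step 4 applies the note on ExchUcUtil.ps1 above, which is relevant only when the Lync integration path created additional gateways.

```powershell
# Added example, not from the original post. Dial plan / gateway names, extension length, country
# code, access number and the SBC address are placeholders for your own enterprise voice plan.

# 1. Dial plan (what the EAC wizard above creates): 4-digit extensions, SIP URI type for a Lync or
#    IP-PBX that addresses users by SIP name, secured VoIP (TLS for SIP, SRTP for media), country code 1.
New-UMDialPlan -Name 'HQ-DialPlan' -NumberOfDigitsInExtension 4 `
    -URIType SipName -VoIPSecurity Secured -CountryOrRegionCode 1

# 2. Outlook Voice Access: the subscriber access number users dial to reach their voice mailbox.
Set-UMDialPlan -Identity 'HQ-DialPlan' -AccessTelephoneNumbers '+14255550100'

# 3. UM IP gateway for the SBC or IP-PBX. With an FQDN, a Host (A) record for it must exist in DNS.
#    Binding it to the dial plan here creates the hunt group the wizard creates for you.
New-UMIPGateway -Name 'HQ-SBC' -Address 'sbc01.contoso.com' -UMDialPlan 'HQ-DialPlan'
Set-UMIPGateway -Identity 'HQ-SBC' -OutcallsAllowed $true -MessageWaitingIndicatorAllowed $true

# 4. Lync integration path: ExchUcUtil.ps1 creates its own gateways, and only one gateway may keep
#    outgoing calls enabled. Turn outcalls off on every gateway except the designated one, including
#    gateways that existed before the script ran.
$keep = 'HQ-SBC'
Get-UMIPGateway |
    Where-Object { $_.Name -ne $keep -and $_.OutcallsAllowed } |
    Set-UMIPGateway -OutcallsAllowed $false

# 5. Verify the result.
Get-UMIPGateway | Format-Table Name, Address, OutcallsAllowed, MessageWaitingIndicatorAllowed, Status -AutoSize
Get-UMDialPlan -Identity 'HQ-DialPlan' |
    Format-List Name, URIType, VoIPSecurity, NumberOfDigitsInExtension, AccessTelephoneNumbers
```

VoIPSecurity Secured requires the UM certificate discussed in the note above to be trusted by the Lync pool or SBC; Unsecured or SIPSecured are the values to use when the telephony side cannot do TLS or SRTP.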

References :

http://technet.microsoft.com/en-us/library/gg398193.aspx

http://technet.microsoft.com/en-us/library/bb125151(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/jj966276(v=exchg.150).aspx

Cheers

Sathish Veerapandian
