Script to Start, Stop and query exchange counters on all Exchange servers

I have developed a script that can query, start and stop the Exchange performance counters on every server in an Exchange environment.

It is intended for troubleshooting scenarios in which Perfmon counters for Exchange must be enabled on all Exchange servers at once.

Save the list of Exchange servers on which Perfmon should run to a text file, one server name per line, on the server from which you will execute the script.
If collecting the server list by hand is difficult, the following command writes one server name per line to a text file:

Get-ExchangeServer | Select-Object -ExpandProperty Name | Set-Content c:\servers.txt

Open the file and make sure it contains only server names: no header line, no blank lines and no other characters.

 

Copy the text below and save it as a .ps1 file. The only value you need to change is the path of the text file that holds the server list.

***************************************************************************

Write-Host "
1. List available counters for Exchange_All
2. Start counter for Exchange_All
3. Stop counter for Exchange_All
"

$option = Read-Host "Choose an option (1-3)"

# Change this path to the text file that holds the server list (one name per line).
$server = Get-Content "d:\exserver.txt"

switch ($option)
{
    1 { $server | ForEach-Object { logman query Exchange_All -s $_ } }
    2 { $server | ForEach-Object { logman start Exchange_All -s $_ } }
    3 { $server | ForEach-Object { logman stop  Exchange_All -s $_ } }
    default { Write-Host "Invalid option: $option" }
}

********************************************************************************

Navigate to the folder where the file is saved and run it.

We will get 3 available options as below.

Option 1 – List available counters for Exchange_All

Option 2 – Start counter for Exchange_All

Option 3 – Stop counter for Exchange_All

Choose the required option and the command will be executed accordingly.

The screenshots that accompanied this post showed the output of querying, starting and stopping the Perfmon counters for Exchange_All on all Exchange servers (options 1, 2 and 3).

This script is useful when Perfmon has to be enabled on several Exchange servers at the same time during troubleshooting.
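As an added example (not the script from this post), the same three actions as a function that takes the server names directly from Get-ExchangeServer, skips blank entries and reports logman's exit code per server. It assumes the data collector set is named Exchange_All, as above, and PowerShell 3.0 for [pscustomobject].

```powershell
# Added example (not the post's script). Assumes the data collector set is named
# Exchange_All, as in the post, and PowerShell 3.0 or later.
function Invoke-ExchangeCounterAction {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('query', 'start', 'stop')]
        [string]$Action,

        [string]$CollectorSet = 'Exchange_All',

        # Default: every server known to Exchange, as a clean list of names (no table header).
        [string[]]$Servers = (Get-ExchangeServer | Select-Object -ExpandProperty Name)
    )

    foreach ($server in $Servers) {
        # A blank entry would make logman act on the local machine; skip it instead.
        if (-not ($server -and $server.Trim())) { continue }

        # 2>&1 keeps logman's error text so it can be shown next to the server name.
        $output = & logman $Action $CollectorSet -s $server 2>&1
        [pscustomobject]@{
            Server  = $server
            Action  = $Action
            Success = ($LASTEXITCODE -eq 0)
            Detail  = ($output | Select-Object -Last 1)
        }
    }
}

# Query all servers and show which ones failed (unreachable, or collector set missing).
Invoke-ExchangeCounterAction -Action query | Format-Table -AutoSize

# Or, with a hand-maintained list as in the post:
# Invoke-ExchangeCounterAction -Action start -Servers (Get-Content 'd:\exserver.txt')
```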

Thanks

Sathish Veerapandian

Details Template Editor Exchange 2013

The Details Template Editor is used to modify or add information in the object properties that users see through the GAL.

For example, if the company wants a column called Block or Cabin Number shown for every user's mailbox in the GAL, we can use the Details Template Editor to create the new column. When a user resolves a mailbox from the GAL and opens its properties, he or she will then see the new entry (for example Cabin Number or Block).

In this example we will create an additional column for Building Block, which needs to be populated and visible in the user properties when end users open them from the GAL.

Details templates can be modified with the Exchange Toolbox as well as with the Exchange Management Shell. We will look at how to modify them with the Exchange Toolbox.

Go to Start, All Programs, and open the Exchange Toolbox.

Unlike Exchange 2010, Exchange 2013 has only three configuration management tools here, as shown below. Open the Details Template Editor.

Select the preferred language and the template type to which the new column should be added.

There are multiple template types (Contact, User, Group, Public Folder, Mailbox Agent and so on), so make sure you choose the correct one.

The editor page then opens as shown below.

On the left there are two options:

Group Box – double-clicking this creates an empty new box in which the specified value is displayed.

Label – a unique name for the newly created group box (for example Department or Alias, as shown in the picture above).

Double-click Group Box on the left to create a new empty column where the value will be displayed.

In the right-hand editor pane there are layout options (height, width) with which we can adjust the new box so it looks uniform with the other group boxes.

Now create a new label by double-clicking the Label icon and drag it onto the newly created group box.

In my example I am entering the text Block. You can enter whatever value should appear in the GAL object.

We are done with creating the template. Now we need to assign an attribute to the newly created group box, because no attribute is linked to it yet.

Do the following to link an unassigned attribute to the new group box: in the right-hand editor pane, select one of the unassigned attributes.

Once done, click File and choose Save.

Run the following command to populate this value for a user so it appears in the GAL (CustomAttributeN stands for the custom attribute you linked to the group box):

Set-Mailbox <Usermailbox> -CustomAttributeN "<value>"

In my example I am setting the value for the Exchangequery mailbox:

Set-Mailbox Exchangequery -CustomAttribute10 "B"

Note: By default this new value is empty for every user and nothing is displayed in the GAL. We need to run the above command for each user whose value should be displayed.

Now we can see the value is populated for the user we set it on. When we view this user's properties in Outlook, the new field Block with the value B is displayed.

Details templates can also be edited from the Exchange Management Shell.

The following command shows the properties that a details template accepts:

Get-DetailsTemplate | Get-Member

The following command shows usage examples for the cmdlet:

Get-Help Get-DetailsTemplate -Examples

For detailed information we can use the following parameter as well:

Get-Help Get-DetailsTemplate -Detailed

It is better to use the Exchange Toolbox for creating new details templates, since multiple attributes are involved and the Details Template Editor is much more user friendly. The Exchange Management Shell can then be used to modify or add the per-user entries in the assigned custom attributes.

We are done with creating custom entries for objects using details template editor.

Sathish Veerapandian

Configure PowerShell in client PC to remotely manage Exchange server 2010/2013

Sometimes we need to perform admin tasks from a client PC in an office location that does not have the Exchange management tools installed.

In those situations we can connect to the Exchange Management Shell from Windows PowerShell and import the Exchange cmdlets.

This lets us give the help desk team view-only admin rights or recipient management rights on their own PCs, without installing the Exchange management tools, so they can check user mailbox settings and do basic troubleshooting from PowerShell.

Prerequisites

The client PC must be a domain member running Windows 7, Windows 8 or at least Windows Server 2008.

The client PC must have at least Windows PowerShell 2.0; no Exchange management tools are required.

The user being granted this access needs local admin rights on the PC as well as admin rights on the Exchange servers (you can assign administrative roles, end user roles, Organization Management or Recipient Management according to your criteria).

Applies to Exchange 2010 and 2013.

Go to Start, right-click Windows PowerShell and click Run as administrator.

Now we check whether a PowerShell profile exists for the user logged on to the PC by running $profile in PowerShell.

It displays the default profile path shown below, but we still need to check whether the file actually exists.

Run the following command to check whether the file exists at that location:

Test-Path $profile

By default the profile .ps1 file is not created, which is why the result is False.

Create it with the following command:

New-Item -Path $profile -Type File -Force

The file now exists. Open it from PowerShell:

Notepad.exe $profile

Now we need to establish a remote session to the Exchange server and import its commands. Add the following lines to the profile.

The first line prompts for the credentials used to authenticate to the Exchange server.

The second line creates a new session with the specified Exchange server.

The third line imports the cmdlets from that session.

The fourth and fifth lines are optional: I set a working directory on this client PC, and configure the session to view objects from all Exchange servers in the entire forest.

Copy and paste the following lines into the profile file and save it.

************************************************************************

$Credential = Get-Credential

# Replace casservername with the FQDN of your Client Access server
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://casservername/powershell -Credential $Credential

Import-PSSession $Session

Set-Location c:\

Set-ADServerSettings -ViewEntireForest $true

***********************************************************************
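An added example, not the author's profile: the same connection with a few safeguards. It reuses an open Exchange session, removes broken ones, authenticates with Kerberos so no password is prompted for or cached, and imports only the cmdlets a view-only help desk needs. The CAS FQDN cas01.contoso.com and the cmdlet list are assumptions.

```powershell
# Added example (not the author's profile). Assumed placeholder: cas01.contoso.com.
$ExchangeUri = 'http://cas01.contoso.com/powershell'

# Cmdlets a view-only help desk needs; server-side RBAC still decides what each user may run.
# Set-ADServerSettings only changes the scope of the session, so it is safe to include.
$HelpDeskCmdlets = 'Get-Mailbox', 'Get-MailboxStatistics', 'Get-CASMailbox',
                   'Get-MailboxFolderStatistics', 'Set-ADServerSettings'

function Get-ExchangeSession {
    param([string]$ConnectionUri = $ExchangeUri)

    # Reuse an already-open Exchange session instead of creating one per shell start.
    $open = Get-PSSession | Where-Object {
        $_.ConfigurationName -eq 'Microsoft.Exchange' -and $_.State -eq 'Opened'
    }
    if ($open) { return $open[0] }

    # Drop broken or closed leftovers so they don't count against the server's session limit.
    Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
        Remove-PSSession -ErrorAction SilentlyContinue

    # Kerberos uses the logged-on domain account: no password prompt, and the server is
    # mutually authenticated, which matters with the plain-http URL Exchange publishes.
    return New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri `
        -Authentication Kerberos -ErrorAction Stop
}

try {
    $Session = Get-ExchangeSession

    # Import only the selected cmdlets; FormatTypeName * keeps their table formatting.
    Import-PSSession -Session $Session -CommandName $HelpDeskCmdlets -FormatTypeName * `
        -AllowClobber -DisableNameChecking | Out-Null

    Set-ADServerSettings -ViewEntireForest $true
    Set-Location c:\
    Write-Host "Connected to Exchange via $ExchangeUri"
}
catch {
    Write-Warning "Exchange remoting failed: $($_.Exception.Message)"
}
```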

Now open PowerShell with Run as administrator; it will prompt for credentials.

Once you have authenticated you will see the screen below, which shows that you are connected remotely to the Exchange server.

We can create a PowerShell ISE profile for this user as well. It is very useful because the ISE offers additional information while typing commands, and the help desk team may not know the Exchange cmdlets.

Follow the same procedure to create the PowerShell ISE profile.

Go to Start and run Windows PowerShell ISE.

The ISE window shown below opens.

Type the same command to create the ISE profile and click the Run Script icon or press F5 to execute it:

New-Item -Path $profile -Type File -Force

Now copy and paste the same lines as in the PowerShell profile into the file at the location shown below.

Now open Windows PowerShell ISE; it will prompt for credentials and connect to the Exchange modules.

Below is an example of executing commands from PowerShell ISE, which gives suggestions in the command pane while you type.

We have the option to choose a command and either Run, Insert or Copy it in the script pane.

Note: This option is only available from Windows PowerShell 3.0.

We are done with connecting to Exchange through Windows PowerShell on a client PC.

Cheers

Sathish Veerapandian

Install and Configure Lync 2013 server standard edition

In this article we will look at the steps to install Lync Server 2013 Standard Edition.

Before deploying Lync Server it is always mandatory to plan the Enterprise Voice features properly, because many factors are involved in connecting to the Mediation Server and these need to be designed and planned accordingly.

To install a Standard Edition Front End server we must plan the following.

Readiness for Enterprise voice

If we are planning Enterprise Voice it is better to check a few things before installing the Front End server.

By default the Mediation Server is collocated with the Front End server in Standard Edition, but whether it should be deployed separately or collocated depends on the Enterprise Voice plan.

In Lync 2013 Standard Edition we can choose to deploy Mediation Servers separately based on our requirements.

Below are the types of Enterprise Voice deployment and what each one needs.

SIP trunking – A SIP trunk requires separate stand-alone Mediation Servers, because the Mediation Server acts as a proxy for all Lync 2013 clients and transcodes media whenever required. A dedicated server is needed to handle this traffic since there is no dedicated PSTN gateway or PBX.

Direct SIP trunk with PSTN – With a direct SIP trunk to a PSTN gateway, separate Mediation Servers are not required, because the gateways can receive traffic from any pool and support DNS load balancing across the pools.

IP-PBX or SBC – A separate Mediation Server is not needed as long as the following conditions are met:

The IP-PBX or SBC is intelligent enough to receive traffic from the Mediation Server and route traffic back to it.

The IP-PBX does not use media bypass and is able to do the media processing on its own, relieving the Mediation Server of media processing.

It is always better to run the Microsoft Lync Server 2013 Planning Tool to see whether the Front End server together with the collocated Mediation Server can handle the load. If not, it is best to deploy a separate pool and a separate Mediation Server.

Readiness for SQL

By default, the SQL Server Express back-end database is collocated on the Standard Edition server. You cannot move it to a separate computer.

SQL Server Standard/Enterprise is not supported with Lync 2013 Standard Edition pools. If you use a separate SQL Server Standard/Enterprise instance, you can deploy only Lync Enterprise Edition.

Readiness for Active Directory Domain Services

Domain functional level – at least Windows Server 2003.

Forest functional level – at least Windows Server 2003.

Install prerequisites on the Front End server

In this article we will look at how to install Lync 2013 on a Windows Server 2008 R2 server.

The following prerequisites must be installed on the FE server:

  • Microsoft .NET Framework 4.5
  • Remote Server Administration Tools (RSAT)
  • Microsoft Visual C++ 11 Redistributable
  • Windows PowerShell 3.0
  • HTTP Activation
  • WCF Activation
  • Windows Installer 4.5
  • Microsoft Silverlight 5

Run the following commands to install the required Windows features:

Import-Module ServerManager

Add-WindowsFeature Web-Server, Web-Static-Content, Web-Default-Doc, Web-Scripting-Tools, Web-Windows-Auth, Web-Asp-Net, Web-Log-Libraries, Web-Http-Tracing, Web-Stat-Compression, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Errors, Web-Http-Logging, Web-Net-Ext, Web-Client-Auth, Web-Filtering, Web-Mgmt-Console, Web-Asp-Net45, Web-Net-Ext45, Web-Dyn-Compression, Desktop-Experience

Note: Web-Asp-Net45 and Web-Net-Ext45 are Windows Server 2012 feature names; on Windows Server 2008 R2 Add-WindowsFeature reports them as unknown features, so remove them from the list there.

Once the above installation is done, make sure the server is joined to the domain and you are logged on as a domain admin.

Note: The admin user account must be a member of the Domain Admins, Enterprise Admins and Schema Admins groups for the installation.

Run the setup from the installation media.

You will be prompted to install the Microsoft Visual C++ Redistributable, because SQL Server Express is installed on a Standard Edition Front End server by default.

Choose the installation location and click Install.

Accept the license agreement to proceed with the installation.

Once the installation is complete, two new programs are available:

  • Lync Server Management Shell
  • Lync Server Deployment Wizard

Now open the Lync Server Deployment Wizard. It determines the deployment state when it opens.

Click Prepare Schema, and click Finish once it has completed.

Click Prepare Forest, and click Finish once done.

Click Prepare Domain, and click Finish once done.

Once Prepare Domain is done, open the Deployment Wizard again and click Prepare first Standard Edition server.

After the above steps the groups shown below are created.

Now we need to add the users who should have administrative access to the Lync Server Control Panel.

Add the users who require access to the Lync Server Control Panel to the CSAdministrator group.

Now create SRV record for automatic sign on for the Lync clients.

Create Record: (screenshot below)

  • Service should be :  _sipinternaltls
  • Protocol should be :  _tcp
  • Port number:  5061
  • Host: point to your FQDN to your Front-End Server or Pool
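As an added example, not from the article: creating that SRV record with the DnsServer module (Windows Server 2012 or later) and checking from a client that it resolves to the Front End on port 5061. The zone contoso.com and the pool FQDN lyncfe.contoso.com are assumed placeholders.

```powershell
# Added example (not part of the article). Assumed placeholders: zone contoso.com and
# Front End pool lyncfe.contoso.com. Requires the DnsServer module on the DNS server and
# Resolve-DnsName (Windows 8 / Server 2012 or later) on the client.
$Zone     = 'contoso.com'
$FrontEnd = 'lyncfe.contoso.com'

# Service _sipinternaltls, protocol _tcp, port 5061, target = Front End FQDN (as listed above).
Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_sipinternaltls._tcp' `
    -DomainName $FrontEnd -Priority 0 -Weight 0 -Port 5061

# Verify from a client: the target must be the Front End and the port must be the TLS port,
# otherwise automatic sign-in fails and users are pushed to manual configuration.
$srv = Resolve-DnsName -Name "_sipinternaltls._tcp.$Zone" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' }

if (-not $srv) { throw "No SRV record found for _sipinternaltls._tcp.$Zone" }

foreach ($record in $srv) {
    $ok = ($record.NameTarget -eq $FrontEnd) -and ($record.Port -eq 5061)
    '{0} -> {1}:{2}  {3}' -f $record.Name, $record.NameTarget, $record.Port,
        $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
```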


Now go back to the Deployment Wizard and install the Lync administrative tools. After the installation you will see a new option, Lync Server Topology Builder.

Open Lync Server Topology Builder and select New Topology.

Now define the SIP domain that users will sign in with.

Every Lync Server Front End pool must be deployed in a site, so specify the site; you can add more sites later.

Now define the Front End pool FQDN.

Now select the features to enable. IM and Presence is enabled by default; select additional features according to your design. Select Collocate Mediation Server if the Mediation Server should be installed together with the FE pool.

Just keep the default settings for the SQL Server store, as we are installing Standard Edition.

For Define the file store we must specify the path manually, as the wizard does not create it automatically. Create a shared folder and grant access to the following groups:

RTCHSUniversalServices

RTCComponentUniversalServices

RTCUniversalServerAdmins

RTCUniversalConfigReplicator

Now click Finish.

Now open Topology Builder and click Publish to publish the topology.

Once the publishing wizard is completed click install or update lync server system to complete the installation successfully.

We are done with installing the Front end server collocated along with mediation server.

You can later install monitoring and archiving server separately.

Cheers

Sathish Veerapandian

Exchange Mailbox Folder Permission Script

One of the important tasks of an Exchange admin is assigning folder permissions to delegates when new delegates are added to generic and resource mailboxes. If the mailbox has many folders and sub folders, this is a time-consuming process. The script below simplifies the task and eliminates manual errors.

Browse to the folder and run the .ps1 file. The initial screen looks as shown below; select the option that matches the action you want.

***************************************************************************

<#
.SYNOPSIS
Add mailbox folder permissions for delegates on user and resource mailboxes.

.DESCRIPTION
Assigning folder permissions to delegates when new delegates are added to
generic and resource mailboxes is a routine Exchange admin task. With many
folders and sub folders it is time consuming; this script simplifies it and
eliminates manual errors.
#>

Write-Host "
Assign Mailbox Folder Permission
--------------------------------

1. Assign folder permission to a single folder

2. Assign folder permission to all folders (user created, default and recoverable items folders)

3. Assign folder permission only to the default folders (Inbox, Calendar, ...)

4. Assign folder permission only to the user created folders

5. Exit " -ForegroundColor Cyan

$option = Read-Host "Choose the option"

# Folder types that are NOT default folders; option 3 excludes these.
$NonDefaultTypes = @(
    'User Created', 'RecoverableItemsRoot', 'RecoverableItemsDeletions',
    'RecoverableItemsPurges', 'RecoverableItemsVersions', 'SyncIssues',
    'Conflicts', 'LocalFailures', 'ServerFailures', 'RssSubscription',
    'JunkEmail', 'CommunicatorHistory', 'ConversationActions'
)

# Builds the identity Add-MailboxFolderPermission expects (Mailbox:\Folder\Sub)
# from the FolderPath returned by Get-MailboxFolderStatistics (/Folder/Sub).
function Get-FolderIdentity([string]$Mailbox, [string]$FolderPath) {
    return $Mailbox + ':' + $FolderPath.Replace('/', '\')
}

# Grants the permission on every folder in $Folders; -Confirm:$true asks before each change.
function Grant-FolderAccess([string]$Mailbox, $Folders, [string]$Delegate, [string]$Permission) {
    foreach ($folder in $Folders) {
        $identity = Get-FolderIdentity $Mailbox $folder.FolderPath
        Add-MailboxFolderPermission $identity -User $Delegate -AccessRights $Permission -Confirm:$true
    }
}

switch ($option)
{
    1 {
        $Mailbox    = Read-Host "Enter mailbox ID"
        $Folder     = Read-Host "Enter the folder name (examples: Inbox, Calendar ...)"
        $Delegate   = Read-Host "Enter delegate ID"
        $Permission = Read-Host "Enter type of permission (Author, Editor, Owner, Reviewer, None)"

        if ($Folder -ne "") {
            $identity = $Mailbox + ':\' + $Folder
            Add-MailboxFolderPermission $identity -User $Delegate -AccessRights $Permission -Confirm:$true
        }
        else {
            Write-Host "Please enter a folder name" -ForegroundColor Red
        }
        break
    }
    2 {
        $Mailbox    = Read-Host "Enter mailbox ID"
        $Delegate   = Read-Host "Enter delegate ID"
        $Permission = Read-Host "Enter type of permission (Author, Editor, Owner, Reviewer, None)"

        # Every folder in the mailbox, including default and Recoverable Items folders.
        $AllFolders = Get-MailboxFolderStatistics $Mailbox
        Grant-FolderAccess $Mailbox $AllFolders $Delegate $Permission
        break
    }
    3 {
        $Mailbox    = Read-Host "Enter mailbox ID"
        $Delegate   = Read-Host "Enter delegate ID"
        $Permission = Read-Host "Enter type of permission (Author, Editor, Owner, Reviewer, None)"

        # Default folders only: everything whose FolderType is not in the exclusion list.
        $DefaultFolders = Get-MailboxFolderStatistics $Mailbox |
            Where-Object { $NonDefaultTypes -notcontains $_.FolderType }
        Grant-FolderAccess $Mailbox $DefaultFolders $Delegate $Permission
        break
    }
    4 {
        $Mailbox    = Read-Host "Enter mailbox ID"
        $Delegate   = Read-Host "Enter delegate ID"
        $Permission = Read-Host "Enter type of permission (Author, Editor, Owner, Reviewer, None)"

        # User created folders only.
        $UserFolders = Get-MailboxFolderStatistics $Mailbox |
            Where-Object { $_.FolderType -eq 'User Created' }
        Grant-FolderAccess $Mailbox $UserFolders $Delegate $Permission
        break
    }
    5 { }
    default { Write-Host "Invalid option: $option" -ForegroundColor Red }
}

************************************************************************

Copy the above code and save it with a .ps1 extension (for example addmailboxfolderperm.ps1).
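An added companion example, not part of the script above: after delegates have been granted rights, this reports who holds what on the mailbox's folders so the result can be reviewed (Owner entries in particular). It assumes the same Exchange 2010/2013 shell, PowerShell 3.0, and uses the mailbox name Exchangequery as a placeholder.

```powershell
# Added example (not the script above). Assumes PowerShell 3.0 and an Exchange 2010/2013
# shell; the mailbox name Exchangequery is a placeholder.
function Get-MailboxDelegateReport {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        # Folder types to audit; these are FolderType values from Get-MailboxFolderStatistics.
        [string[]]$FolderTypes = @('Inbox', 'Calendar', 'Contacts', 'SentItems', 'User Created')
    )

    $folders = Get-MailboxFolderStatistics $Mailbox |
        Where-Object { $FolderTypes -contains $_.FolderType }

    foreach ($folder in $folders) {
        # Same identity format the permission script builds: Mailbox:\Folder\Sub
        $identity = $Mailbox + ':' + $folder.FolderPath.Replace('/', '\')

        # Default and Anonymous are the built-in entries; only explicit delegates are reported.
        Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue |
            Where-Object { @('Default', 'Anonymous') -notcontains $_.User.DisplayName } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox      = $Mailbox
                    Folder       = $folder.FolderPath
                    Delegate     = $_.User.DisplayName
                    AccessRights = ($_.AccessRights -join ', ')
                    IsOwner      = ($_.AccessRights -contains 'Owner')
                }
            }
    }
}

# Owner rights let a delegate change permissions themselves, so list those first.
Get-MailboxDelegateReport -Mailbox 'Exchangequery' |
    Sort-Object IsOwner -Descending | Format-Table -AutoSize
```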

 

Custom Transport rules in Exchange 2013

Transport rules in Exchange 2013 let us filter, inspect or block confidential emails that match specific conditions. With them we can prevent the leakage of sensitive data from the organization.

Transport rules, together with DLP and Policy Tips, can warn end users with an informational tip when they try to send an email that does not comply with company policy.

To achieve this we first create a transport rule, then create an associated DLP policy, and finally configure Policy Tips for it. We will look at how to do this with a small example.

The example below is a simple rule that acts on any email containing the word invoice; in the steps that follow such messages are held for review and approval.

Open the EAC, go to Mail Flow and select Rules.

Click the + sign to create a new rule and give it a name.

We can also choose the scope. In my example I am selecting the option "the recipient is located outside the organization", so the rule applies to external recipients.

We can apply a condition to this rule. Specify the words to match: in my case I am specifying invoice, so that all emails containing the word invoice are sent for review and approval.

We can take the following action on messages that match the invoice condition. In my case I am forwarding the email to the administrator for approval.

We can add an exception too, excluding a few users who are entitled to send those messages, or based on the subject or other parameters as shown below.

We can enhance this rule further and notify end users before they send an email that does not meet company policy. This is done with Policy Tips.

Policy Tips are informational messages shown to end users in OWA, Outlook and OWA for Devices before they send offending content.

They work like MailTips: an informational message is shown to the user while he or she tries to add, for example, a PDF attachment that the organization does not allow to be sent to external users. The user learns that this kind of email is not allowed and can comply with the rules.

Policy Tips work together with DLP, so an associated DLP policy must also be created.

To create a custom DLP policy

Open the EAC, click Compliance Management, select Data Loss Prevention and then New Custom DLP Policy.

Give it a name and a description.

Set the state to Enabled, choose the option Test DLP policy with Policy Tips and click Save.

Now click the DLP policy you created and click Edit.

Select Rules. You can create a new rule or use an existing one that matches your criteria; I am selecting the rule "Notify sender when sensitive information is sent outside organization". Click Save.

To edit Policy Tips

Click Edit on the custom DLP policy and select Manage policy tips.

Click the Notify the sender option.

Select the locale (language) and specify the text to display to the end user when he or she tries to send an email that matches our transport rule, DLP policy and Policy Tip.

Below is an example of the Policy Tip notification.

Note: If you use Policy Tips for SSNs, passport numbers or credit card numbers with the built-in DLP templates, the tips are triggered only for valid passport numbers, credit card numbers and SSNs.
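As an added example (not the author's EAC steps), the same rule, DLP policy and Policy Tip created from the Exchange Management Shell, so the settings can be reviewed and reproduced. The domain contoso.com, the approver admin@contoso.com and the exempt sender finance@contoso.com are assumed placeholders.

```powershell
# Added example (not from the post): the EAC steps above as shell commands.
# Assumed placeholders: contoso.com, admin@contoso.com (approver), finance@contoso.com (exempt).

# 1. DLP policy in the mode the EAC calls "Test DLP policy with Policy Tips" (AuditAndNotify):
#    matches are logged and the sender sees a tip, but nothing is enforced until Mode is
#    changed to Enforce.
New-DlpPolicy -Name 'Invoice review policy' -State Enabled -Mode AuditAndNotify

# 2. Transport rule tied to that policy: mail to external recipients whose subject or body
#    contains "invoice" is held for the administrator's approval; finance is exempt.
New-TransportRule -Name 'Invoice review' `
    -DlpPolicy 'Invoice review policy' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'invoice' `
    -ModerateMessageByUser 'admin@contoso.com' `
    -ExceptIfFrom 'finance@contoso.com' `
    -Mode AuditAndNotify

# 3. Policy Tip text shown in Outlook/OWA for the "notify the sender" action, English locale.
New-PolicyTipConfig -Name 'en\NotifyOnly' `
    -Value 'This message appears to contain an invoice and will be held for approval before it leaves the organisation.'

# 4. Review what was created before relying on it.
Get-TransportRule 'Invoice review' |
    Format-List Name, State, Mode, DlpPolicy, SentToScope, SubjectOrBodyContainsWords, ModerateMessageByUser, ExceptIfFrom
Get-DlpPolicy 'Invoice review policy' | Format-List Name, State, Mode
Get-PolicyTipConfig | Format-Table Name, Value -AutoSize
```

Switching the policy to Enforce later is a single Set-DlpPolicy -Mode Enforce, which is why testing in AuditAndNotify first costs nothing.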

Sathish Veerapandian

Steps to configure IRMS in Exchange 2013

Information Rights Management (IRM) is a built-in messaging policy feature available in Exchange 2013. It works together with transport rules to secure sensitive email in transit within our organization.

Using IRM we can inspect sensitive email content with the help of transport rules, encrypt it and then grant access only to the required users.

IRM agents are built-in transport agents, but they are not listed by Get-TransportAgent: most of the built-in transport agents that ship with the installation are not visible in Get-TransportAgent and cannot be managed from PowerShell.

IRM relies on AD RMS, the information protection technology introduced with Windows Server 2008. AD RMS uses eXtensible rights Markup Language (XrML) certificates to certify users and computers. AD RMS must be installed to use the IRM functionality.

By using IRM the following actions can be taken:

  1. Restrict a confidential email so that only the intended recipients can open it and others are blocked.
  2. Prevent forwarding of a confidential message to other recipients.
  3. Prevent copying and pasting from a confidential message.
  4. Prevent printing a confidential message.

IRM requires licensing from AD RMS. When IRM is enabled, prelicensing is enabled by default.

The Prelicensing agent runs in the categorizer of the Transport service on the Mailbox server; on the OnRoutedMessage event it attaches a prelicense to IRM-protected messages.

Because AD RMS issues this prelicense by default, end users can open these emails in Outlook (online or offline), OWA and ActiveSync devices without the client having to request a license from AD RMS every time.

IRM works with the following clients:

Manually by Outlook users – using the IRM functionality in Outlook (client-side IRM; no IRM transport rule on the server is triggered).

Manually by Outlook Web App users – using Web-Ready Document Viewing (client-side IRM; no IRM transport rule on the server is triggered).

Manually by Windows Mobile and Exchange ActiveSync devices – users must connect their supported Windows Mobile device to a computer and activate it for IRM (client-side IRM; no IRM transport rule on the server is triggered).

Automatically on Mailbox servers – using Transport Protection Rules on the server.

Note:

A message that is already IRM-protected by a client (Outlook, OWA or ActiveSync) is not protected again by Transport Protection Rules, since it is already protected. IRM relies purely on AD RMS encryption, so client-side protection has already been applied when a user uses the IRM functionality from Outlook or OWA.

IRM works in the categorizer of the Transport service through the following agents:

RMS Decryption agent – decrypts messages so that other transport agents can inspect them.

Transport Rules agent – an associated IRM transport rule inspects the email, marks it for IRM protection and notifies the RMS Encryption agent.

RMS Encryption agent – identifies the messages marked by the transport rule and encrypts them.

Prelicensing agent – attaches a prelicense, obtained from the AD RMS cluster, to IRM-protected messages on OnRoutedMessage.

Journal Report Decryption agent – decrypts IRM-protected messages only for journal reports.

Now let's see how to enable IRM in Exchange 2013.

Prerequisites to use IRM in Exchange 2013

1) AD RMS must be installed in the environment.

Note: AD RMS must be installed on a separate server; it should not be installed on a server where Exchange is installed.

Follow these steps to install AD RMS.

Open Server Manager, go to Roles and select Active Directory Rights Management Services.

Click Next.

Select federation support as well if you wish to extend AD RMS to federated partners.

Click Create a new AD RMS cluster.

Choose a location to store the configuration database.

The Default Web Site is selected automatically.

Create a separate service account to manage AD RMS.

Specify the internal address to be used for AD RMS.

Choose the server authentication certificate.

Provide a name for the server licensor certificate.

Continue through the rest of the wizard, which is straightforward, and complete the installation of the AD RMS role.
Note: By default the Exchange 2013 IRM features support Microsoft Office file formats. IRM protection can be extended to other file formats by deploying a custom protector.

If you need to support additional file types, you must import a custom protector into AD RMS.

For custom protectors refer to http://msdn.microsoft.com/en-us/library/office/bb802693(v=office.14).aspx

2) Grant the Exchange servers access to AD RMS for IRM. Perform the following task:

Open IIS, expand the Default Web Site, click _wmcs and select Certification.

Switch to Content View, right-click ServerCertification.asmx, click Edit Permissions and ensure the Exchange servers are listed as shown below.

Note: This IIS setting is checked on the server where AD RMS is installed. The _wmcs directory is visible only after AD RMS has been installed.

3) Create a dedicated security group for the super users who can encrypt and decrypt these messages. Perform the following task:

Create a dedicated super users group in Active Directory Users and Computers.

Open the AD RMS console, select Super Users under Security Policies and ensure super user functionality is enabled; if the group is not set there yet, add it.

4) Run the following cmdlets to enable IRM.

First check the current IRM settings:

Get-IRMConfiguration
To enable on CAS – Set-IRMConfiguration -ClientAccessServerEnabled $true

To enable for OWA – Set-OwaMailboxPolicy -Identity Default -IRMEnabled $true

For multi-mailbox IRM search – Set-IRMConfiguration -SearchEnabled $true

For internal licensing – Set-IRMConfiguration -InternalLicensingEnabled $true

For licensing external users – Set-IRMConfiguration -ExternalLicensingEnabled $true

5) Create an associated transport rule for IRM for mailbox-side IRM.

Note: Before creating transport rules we need to have the RMS templates loaded from ADRMS to use in the rule. To identify the set of RMS templates available from ADRMS, run the below command.

Get-RMSTemplate | Format-List

Open EAC, select Mail flow and then Rules.

Select Apply rights protection to messages.

Use the Select RMS template dialog box to select a template.

Add an exception if one is needed for a few senders.

Below is an example of adding an exception for Administrator. If an IRM message matches the template chosen for Admin, we can set an exception to forward the message to his manager for approval.

Click Save and we are done.

 

Below is an example using the Do Not Forward template in ADRMS. Outlook and OWA users composing a message with this template will see the information shown below.

We can also use the Test-IRMConfiguration cmdlet to check IRM functionality for a user.

Below is an example of testing the IRM configuration for emails sent by the user Adam.

Test-IRMConfiguration -Sender adams@contoso.com
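As an added example (not from the original post), the script below reads back the settings enabled in step 4 in one report and runs Test-IRMConfiguration for a list of senders, so the result of the whole procedure can be checked before users are pointed at it. The sender address is a constructed placeholder and the script assumes it runs in the Exchange Management Shell.

```powershell
# Added example, not part of the original post. Run from the Exchange Management Shell.
function Test-IrmReadiness {
    param(
        [string[]]$Senders = @('adams@contoso.com'),   # constructed sample sender
        [switch]$RequireExternalLicensing               # only enforce if you license external users
    )

    $cfg = Get-IRMConfiguration

    # The Set-IRMConfiguration switches from step 4 and the value each should hold.
    $expected = [ordered]@{
        ClientAccessServerEnabled = $true
        SearchEnabled             = $true
        InternalLicensingEnabled  = $true
    }
    if ($RequireExternalLicensing) { $expected.ExternalLicensingEnabled = $true }

    $findings = @(foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $cfg.$name
            Ok       = ($cfg.$name -eq $expected[$name])
        }
    })

    # OWA has its own switch on the mailbox policy, not on Get-IRMConfiguration.
    $owa = Get-OwaMailboxPolicy -Identity Default
    $findings += [pscustomobject]@{
        Setting = 'OwaMailboxPolicy Default IRMEnabled'; Expected = $true
        Actual  = $owa.IRMEnabled; Ok = ($owa.IRMEnabled -eq $true)
    }

    # Test-IRMConfiguration exercises the ADRMS cluster as each sender would.
    $tests = foreach ($s in $Senders) {
        $r = Test-IRMConfiguration -Sender $s
        [pscustomobject]@{ Sender = $s; OverallResult = $r.OverallResult; Results = $r.Results }
    }

    [pscustomobject]@{ Settings = $findings; SenderTests = $tests }
}

$report = Test-IrmReadiness -Senders 'adams@contoso.com'
$report.Settings    | Format-Table -AutoSize
$report.SenderTests | Format-List
```

Any row with Ok = False points at the exact cmdlet from step 4 that still needs to be run.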

References: http://technet.microsoft.com/en-us/library/dd638140(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/dd298166(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/bb125012(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/dd979798(v=exchg.150).aspx

Sathish Veerapandian

Customized system messages to users in different languages in Exchange 2013

In this article let's have a look at customizing system messages (mailbox limit warnings, ProhibitSendMailbox, DSNs) for users in different languages.

Take an example where users have mailboxes across multiple geographical locations. In this scenario users will have different default languages according to their region; for example, one user might have French as the default language and another English.

In these scenarios we can customize the system messages per region so that users receive the system-generated emails in their regional language.

Let's take a scenario of customizing system messages for French users and English users residing in different locations.

We need to deliver DSN and quota messages in English for Set A users and in French for Set B users, so that Set A users get the DSN in English and Set B users get it in French.

To accomplish this we need to create new customized quota messages by running the below commands.

 

First set the language property of each user mailbox according to the user's region by running the below commands.

For French users – Set-Mailbox -Identity "user" -Languages "FR-CA"

For English users – Set-Mailbox -Identity "user" -Languages "EN-US"

1) Warning messages

For French users

New-SystemMessage -QuotaMessageType WarningMailbox -Language FR -Text "type French text here"

For English users

New-SystemMessage -QuotaMessageType WarningMailbox -Language EN -Text "Watch out! Your mailbox has reached its maximum capacity"

2) Prohibit send mailbox:

New-SystemMessage -QuotaMessageType ProhibitSendMailbox -Language EN -Text "type English text here"

New-SystemMessage -QuotaMessageType ProhibitSendMailbox -Language FR -Text "type French text here"

3) Prohibit send/receive mailbox:

New-SystemMessage -QuotaMessageType ProhibitSendReceiveMailbox -Language FR -Text "type French text here"

New-SystemMessage -QuotaMessageType ProhibitSendReceiveMailbox -Language EN -Text "Watch out! Your mailbox has reached its maximum capacity"

4) For DSNs we can use the below commands

New-SystemMessage -DsnCode 5.3.2 -Language EN -Internal $true -Text "Any English text message"

New-SystemMessage -DsnCode 5.3.2 -Language FR -Internal $true -Text "Any French text message"

Once the above changes are made, users will receive system messages according to their MailboxRegionalConfiguration settings.

 

To view the system messages we can use the below cmdlets:

To view the language for a user – Get-MailboxRegionalConfiguration -Identity username

For warning – Get-SystemMessage -Identity EN\WarningMailbox

For prohibit send – Get-SystemMessage -Identity EN\ProhibitSendMailbox

For prohibit send/receive – Get-SystemMessage -Identity EN\ProhibitSendReceiveMailbox

To modify system messages:

Set-SystemMessage -Identity EN\WarningMailbox -Text "Your mailbox is becoming too large."

Set-SystemMessage -Identity EN\ProhibitSendMailbox -Text "Your mailbox can not send nor receive any more …"

Set-SystemMessage -Identity EN\ProhibitSendReceiveMailbox -Text "Your mailbox can not send nor receive any more …"

To remove a customized system message you can use the below command

Remove-SystemMessage -Identity EN\WarningMailbox
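The per-language procedure above, written as one added example (not from the original post) that creates the three quota messages for each language in a loop and falls back to Set-SystemMessage when a message already exists, since New-SystemMessage refuses to overwrite one. The message texts are constructed samples and the script assumes the Exchange Management Shell.

```powershell
# Added example, not part of the original post. Run from the Exchange Management Shell.

# Language code -> text for each QuotaMessageType covered above (constructed sample texts).
$messages = @{
    'EN' = @{
        WarningMailbox             = 'Watch out! Your mailbox has reached its maximum capacity.'
        ProhibitSendMailbox        = 'Your mailbox is full and can no longer send mail.'
        ProhibitSendReceiveMailbox = 'Your mailbox is full and can no longer send or receive mail.'
    }
    'FR' = @{
        WarningMailbox             = 'Attention ! Votre boîte aux lettres a atteint sa capacité maximale.'
        ProhibitSendMailbox        = 'Votre boîte aux lettres est pleine et ne peut plus envoyer de messages.'
        ProhibitSendReceiveMailbox = 'Votre boîte aux lettres est pleine et ne peut plus envoyer ni recevoir de messages.'
    }
}

function Set-QuotaMessageSet {
    param([hashtable]$Messages)

    foreach ($lang in $Messages.Keys) {
        foreach ($type in $Messages[$lang].Keys) {
            $text     = $Messages[$lang][$type]
            $identity = "$lang\$type"          # same Language\QuotaMessageType form Get-SystemMessage uses

            # New-SystemMessage fails if the message already exists, so update it instead.
            $existing = Get-SystemMessage -Identity $identity -ErrorAction SilentlyContinue
            if ($existing) {
                Set-SystemMessage -Identity $identity -Text $text
                $action = 'Updated'
            } else {
                New-SystemMessage -QuotaMessageType $type -Language $lang -Text $text | Out-Null
                $action = 'Created'
            }
            [pscustomobject]@{ Identity = $identity; Action = $action }
        }
    }
}

Set-QuotaMessageSet -Messages $messages | Format-Table -AutoSize

# Read back exactly what the French users will receive.
Get-SystemMessage | Where-Object { $_.Language -eq 'FR' } | Format-List Identity, Text
```

Re-running the script is safe: every existing message is updated in place rather than erroring out.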

Refer more:

http://technet.microsoft.com/en-us/library/bb310757(EXCHG.80).aspx

http://technet.microsoft.com/en-us/library/aa998878(v=exchg.150).aspx

Sathish Veerapandian

Modifying System Generated Mailbox in Exchange 2013

In this article we will have a look at the system-generated mailbox and the steps to modify it in Exchange 2013.

By default, system-generated messages come from the sender "Microsoft Outlook". Sometimes we might need to change the display name of the system-generated mailbox: some users use non-Microsoft clients on Mac, Linux and so on, and cannot understand why system-generated emails are sent from a "Microsoft Outlook" sender. This can also confuse end users who have configured Outlook on multiple PCs into thinking that it is causing trouble sending email to a few users.

In these kinds of scenarios we can specify a recognizable display name for the Microsoft Exchange recipient, so that all client users in the domain can easily understand that the message was sent from the server and not from Outlook. There could also be scenarios where users reply to an NDR message if they are not aware of these system-generated emails. It is better to have a mailbox set up that is monitored by admins, so that users can reply to these NDRs and be helped.

 

Now let's have a look at a few of the parameters involved first.

Basically there are two types of system-generated messages that an Exchange organization can send. It can send NDRs and mailbox quota warnings to internal users; the MicrosoftExchangeRecipientPrimarySmtpAddress attribute is involved in sending NDRs to internal users. It can also send external NDRs to external recipients who are not part of an accepted domain in our organization; the ExternalPostmasterAddress attribute is involved in sending NDR notifications to users who are not part of our domain. Both of these attributes are set at the organization level and cannot be altered at the server level.

We can use the below command to check the value of MicrosoftExchangeRecipientPrimarySmtpAddress

Get-OrganizationConfig | FL MicrosoftExchangeRecipientPrimarySmtpAddress

When we run this command it shows a default value of the form alphanumeric@domain.com, as shown below.

We can use the below command to check the value of ExternalPostmasterAddress

Get-TransportService | FL Identity, ExternalPostMasterAddress

By default the ExternalPostmasterAddress value is not set, which means the result of this command will usually be null as shown below.

In my case it just shows the list of Hub Transport servers, Transport services (Exchange 2013) and Edge servers without any values, since I have not set any specific mailbox.

So what happens if there is no value set for ExternalPostMasterAddress?

The NDR for external users will be sent as postmaster@domain.com from our domain if we have only Mailbox and CAS servers. If an Edge server is configured, it will be used to send these external NDRs and the value will be postmaster@edgeserverfqdn.

 

So if you need to change this value, run the below command

Set-TransportConfig -ExternalPostMasterAddress postmaster@contoso.com

Changing the value of MicrosoftExchangeRecipientPrimarySmtpAddress is a little bit tricky. We can change this value to a different mailbox; however, if we make any organizational changes by running Set-OrganizationConfig, this value reverts to the default value of Microsoft Outlook.

First we need to disable the e-mail address policy for the Microsoft Exchange recipient by running the below command

Set-OrganizationConfig -MicrosoftExchangeRecipientEmailAddressPolicyEnabled $false

Then we need to set an appropriate email address from which NDRs are sent to internal users.

Set-OrganizationConfig -MicrosoftExchangeRecipientPrimarySmtpAddress localit@exchangequery.com

T5

 

Note:

MicrosoftExchangeRecipientEmailAddressPolicyEnabled – If this parameter is set to $false, you must manually add new e-mail addresses to the Microsoft Exchange recipient when e-mail address policies are added or modified.

There is an alternative way to achieve this setting: we can change the display name alone through ADSI Edit.

To make this change in ADSI Edit, follow the below instructions

  • Open ADSIEdit.msc
  • Navigate to Configuration – Services – Microsoft Exchange
  • Open the properties of "CN=MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e" in the right-hand pane.
  • Locate the displayName attribute and make sure it shows "Microsoft Exchange"; if not, change it to the display name that users should see when they receive an NDR.
  • Close ADSIEdit.

If you need internal NDRs to be copied to a mailbox, or if a user replies to an NDR and that reply needs to be delivered to a monitored mailbox, set the MicrosoftExchangeRecipientReplyRecipient attribute by running the below command

Set-OrganizationConfig -MicrosoftExchangeRecipientReplyRecipient localit

After you run the above command you can see the value as below when you run

Get-OrganizationConfig | FL

If we want the external NDRs to be sent to the above email address as well, we can run the below command

Set-TransportConfig -GenerateCopyOfDSNFor 5.1.0, 5.1.1

The above is an example of getting a copy of the DSN only for two NDR codes. We can add multiple NDR codes as well.
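Because the article warns that MicrosoftExchangeRecipientPrimarySmtpAddress can silently revert to its default, the added example below (not from the original post) reads the organization and transport settings covered above into one report and warns when either NDR sender differs from what you expect or the address policy has been re-enabled. The expected addresses are placeholders and the script assumes the Exchange Management Shell.

```powershell
# Added example, not part of the original post. Run from the Exchange Management Shell.
function Get-NdrSenderReport {
    param(
        [string]$ExpectedInternal = 'localit@exchangequery.com',   # placeholder, from the article
        [string]$ExpectedExternal = 'postmaster@contoso.com'       # placeholder, from the article
    )

    $org = Get-OrganizationConfig
    $tc  = Get-TransportConfig

    # Internal NDRs come from the Microsoft Exchange recipient. The e-mail address policy
    # must stay disabled, otherwise a later policy update can overwrite the address again.
    $internalAddr  = [string]$org.MicrosoftExchangeRecipientPrimarySmtpAddress
    $policyEnabled = [bool]$org.MicrosoftExchangeRecipientEmailAddressPolicyEnabled

    # External NDRs use ExternalPostmasterAddress; empty means postmaster@<server fqdn>.
    $externalAddr    = [string]$tc.ExternalPostmasterAddress
    $externalDisplay = if ($externalAddr) { $externalAddr } else { '(not set)' }

    [pscustomobject]@{
        InternalNdrSender     = $internalAddr
        InternalPolicyEnabled = $policyEnabled
        InternalOk            = ($internalAddr -eq $ExpectedInternal -and -not $policyEnabled)
        ReplyRecipient        = [string]$org.MicrosoftExchangeRecipientReplyRecipient
        ExternalNdrSender     = $externalDisplay
        ExternalOk            = ($externalAddr -eq $ExpectedExternal)
        DsnCopiedFor          = (@($tc.GenerateCopyOfDSNFor) -join ', ')
    }
}

$report = Get-NdrSenderReport
$report | Format-List

if (-not $report.InternalOk) {
    Write-Warning 'Internal NDR sender differs from the expected value, or the address policy is enabled again.'
}
if (-not $report.ExternalOk) {
    Write-Warning 'ExternalPostmasterAddress is not set to the expected value.'
}
```

Scheduling this after any Set-OrganizationConfig change catches the revert the article describes before users start seeing NDRs from the default sender again.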

Troubleshooting Outlook Connectivity issues for all users in Exchange 2013

In this article I will list a few common steps that can be checked when troubleshooting Outlook connectivity issues in Exchange 2013 SP1 and later.

The first step is to identify whether the problem is happening for a few users, for all users or for just one user, and troubleshoot accordingly. In this post we will discuss troubleshooting Outlook connectivity issues for all users in an Exchange 2013 environment.

1) Ensure that all Microsoft Exchange services set to Automatic are up and running. In particular the Microsoft Exchange RPC Client Access service must be started, as it is most often involved in Outlook connectivity issues.

2) Check the application log for any throttling events on both the CAS server and the mailbox server.

3) If it is a new Exchange 2013 setup, ensure that the Host (A) records for mail, webmail and autodiscover are created correctly in internal DNS.

4) Ensure that the new Exchange certificate is created and assigned to the IIS service. If you have SSL, make sure that the SSL certificate is assigned to the virtual directory.

5) Ensure that the Autodiscover internal URL, EWS internal URL and OAB internal URL are set correctly.

6) Check the authentication methods in IIS for RPC. If you have enabled the MAPI over HTTP protocol (MapiHttpEnabled), also check the MAPI virtual directory. The methods can be Basic, NTLM or Negotiate on both virtual directories; Negotiate authentication is enabled by default in Exchange 2013.

You can use the below command to check the authentication methods for the MAPI virtual directory if you have enabled the MapiHttpEnabled protocol.

Get-MapiVirtualDirectory | fl

Below is the output; check the IIS authentication methods and internal authentication methods columns.

You can also check whether MapiHttpEnabled is enabled by running the below command

Get-OrganizationConfig | fl Mapi*

Analyzing this part is very important. If your organization is using the MAPI over HTTP protocol then this option must be enabled, and there are a few other settings that need to be configured to use this protocol. For enabling MapiHttpEnabled refer to the Microsoft article

http://technet.microsoft.com/en-us/library/dn635177(v=exchg.150).aspx

This value should be set to false if you have not configured MAPI over HTTP in your organization, otherwise end users will have trouble connecting through Outlook. Run the below command to disable the MapiHttpEnabled feature.

Set-OrganizationConfig -MapiHttpEnabled $False

7) It could also be a problem if the Outlook providers are not set correctly.

Below is an example of setting up the Outlook providers.

First run the below command to check the values of the Outlook providers

Get-OutlookProvider

In our case, since the Outlook providers are not set, the values are null.

Run the below commands to set the Outlook provider values

Set-OutlookProvider -Identity EXCH -Server exchange2013CAS -CertPrincipalName msstd:exchangequery.com
Set-OutlookProvider -Identity EXPR -Server exchange2013CAS -CertPrincipalName msstd:exchangequery.com

Note:

Make sure that the CertPrincipalName you enter matches the autodiscover name you have given in the SAN certificate and internal DNS.

Below is the output once the Outlook providers are set.

Outlook providers are not strictly required, since they change the Autodiscover settings from the server level to the global level, but problems can arise if the Outlook providers and the Autodiscover settings are not configured correctly. So it is always better to check the Outlook provider values when troubleshooting these kinds of scenarios, and there is no harm in setting them.
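The service, MAPI over HTTP and Outlook provider checks from steps 1, 6 and 7 above, collected into one read-only script as an added example (not from the original post). The server name and certificate principal name are constructed placeholders, the service query uses WMI so it works on the Windows PowerShell versions Exchange 2013 ships with, and the script assumes the Exchange Management Shell.

```powershell
# Added example, not part of the original post. Run from the Exchange Management Shell (Windows PowerShell).
function Test-OutlookConnectivityPrereqs {
    param(
        [string]$Server                = 'exchange2013CAS',          # placeholder server name
        [string]$ExpectedCertPrincipal = 'msstd:exchangequery.com'   # placeholder, must match the SAN name
    )
    $issues = New-Object System.Collections.Generic.List[string]

    # Step 1: Automatic Exchange services that are not running (RPC Client Access included).
    Get-WmiObject Win32_Service -ComputerName $Server `
        -Filter "Name LIKE 'MSExchange%' AND StartMode='Auto' AND State<>'Running'" |
        ForEach-Object { $issues.Add("Service not running: $($_.Name)") }

    # Step 6: if MAPI over HTTP is switched on, the MAPI vdir must offer NTLM or Negotiate.
    $org = Get-OrganizationConfig
    if ($org.MapiHttpEnabled) {
        $mapi = Get-MapiVirtualDirectory -Server $Server
        $auth = @($mapi.IISAuthenticationMethods) + @($mapi.InternalAuthenticationMethods) |
                ForEach-Object { "$_" }
        if (-not ($auth -contains 'Ntlm' -or $auth -contains 'Negotiate')) {
            $issues.Add('MAPI virtual directory has neither NTLM nor Negotiate enabled')
        }
    }

    # Step 7: EXCH and EXPR providers must carry the certificate principal name from the SAN certificate.
    foreach ($p in Get-OutlookProvider | Where-Object { $_.Name -in 'EXCH', 'EXPR' }) {
        if ([string]$p.CertPrincipalName -ne $ExpectedCertPrincipal) {
            $issues.Add("OutlookProvider $($p.Name) CertPrincipalName is '$($p.CertPrincipalName)'")
        }
    }

    [pscustomobject]@{
        Server          = $Server
        MapiHttpEnabled = [bool]$org.MapiHttpEnabled
        Issues          = $issues
        Healthy         = ($issues.Count -eq 0)
    }
}

Test-OutlookConnectivityPrereqs | Format-List
```

An empty Issues list means the three checks that most often explain an "all users" outage have passed; anything listed names the exact service, virtual directory or provider to fix.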


Sathish Veerapandian

MVP – Office Servers & Services