Custom RBAC role for setting “Full Mailbox folder” and “Send as” permission

I tried to create a custom RBAC role for setting the “Full Mailbox” and “Send as” permissions after going through a few blogs and TechNet discussions. I implemented it in my lab and it was successful. I tried hard to do the same for Delegates, but there is no option to let security group members set Delegates: delegate access can be set only through Outlook.

Below are the steps to create a custom RBAC role for Full Mailbox and Send As; they may be useful to anyone whose environment has the same requirement.

Through an RBAC custom role we can allow the members of one security group to set the “Full Mailbox” and “SendAs” access rights on user mailboxes and shared mailboxes, without giving them any other recipient-management rights.

To test this in the lab I first created a distribution group named Exchange Mailbox Folder.

Image

We can use the command below to list the role entries of the default Mail Recipients role:

Get-ManagementRoleEntry "Mail Recipients\*"

Image

Here we have the list of cmdlets in Mail Recipients. We cannot modify the built-in “Mail Recipients” role, so we have to create a new custom role.

We can remove all the unwanted cmdlets from the custom role and then assign only the two cmdlets listed below to the security group we created.

1)       Add-MailboxPermission

2)       Add-MailboxFolderPermission

First we need to create a new management role, as a child of Mail Recipients, with the command below:

New-ManagementRole "Custom AddMailbox Permission" -Parent "Mail Recipients"

Image

Now we need to view the list of role entries in the custom role. A child role inherits every entry of its parent, and we do not need all of them.

Get-ManagementRoleEntry "Custom AddMailbox Permission\*"

Image

Now we can remove all of the role entries we do not require, keeping only Add-MailboxPermission and Add-MailboxFolderPermission, by running the command below:

Get-ManagementRoleEntry "Custom AddMailbox Permission\*" | Where-Object { ($_.Name -ne "Add-MailboxPermission") -and ($_.Name -ne "Add-MailboxFolderPermission") } | Remove-ManagementRoleEntry

Image

We then have to assign the roles to the security group through management role assignments.

For Full Mailbox and mailbox folder permissions run the command below:

New-ManagementRoleAssignment "add mailbox permissions" -Role "Custom AddMailbox Permission" -SecurityGroup "Exchange MailboxFolder"

For Send As permissions run the command below. Send As is granted with Add-ADPermission, which lives in the built-in Active Directory Permissions role, so that role is assigned here (assignment names must be unique, so this one is named differently from the first):

New-ManagementRoleAssignment "add send as permissions" -Role "Active Directory Permissions" -SecurityGroup "Exchange MailboxFolder"

Image

With this in place the members of the “Exchange MailboxFolder” security group were able to set the “Full Mailbox” and “SendAs” access rights on user mailboxes.
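The whole delegation as one script, with the checks I would run before handing the group over. This is an added example, not the post's own commands: the role name “Custom AddMailbox Permission” and the group “Exchange MailboxFolder” come from the post, while the second custom role “Custom SendAs Permission” is my own addition, built the same way from Active Directory Permissions so the group receives only Add-ADPermission instead of the whole parent role. The OU scope and the example.com names are placeholders.

```powershell
# Added example (not the post's script): custom roles pruned to the delegated cmdlets,
# assigned to one security group, then verified and audited.
$mailboxRole = 'Custom AddMailbox Permission'
$sendAsRole  = 'Custom SendAs Permission'       # my addition, see lead-in
$group       = 'Exchange MailboxFolder'
$keepMailbox = @('Add-MailboxPermission', 'Add-MailboxFolderPermission')
$keepSendAs  = @('Add-ADPermission')            # Send As is an extended right set with Add-ADPermission

# 1. Child roles inherit every entry of the parent; prune each down to the cmdlets we delegate.
New-ManagementRole -Name $mailboxRole -Parent 'Mail Recipients'
Get-ManagementRoleEntry "$mailboxRole\*" |
    Where-Object { $keepMailbox -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

New-ManagementRole -Name $sendAsRole -Parent 'Active Directory Permissions'
Get-ManagementRoleEntry "$sendAsRole\*" |
    Where-Object { $keepSendAs -notcontains $_.Name } |
    Remove-ManagementRoleEntry -Confirm:$false

# 2. Assign both roles to the security group. Assignment names must be unique; the optional
#    OU scope (commented) would limit the delegation to one part of the directory.
New-ManagementRoleAssignment -Name "$mailboxRole - $group" -Role $mailboxRole -SecurityGroup $group
New-ManagementRoleAssignment -Name "$sendAsRole - $group" -Role $sendAsRole -SecurityGroup $group
#   ... -RecipientOrganizationalUnitScope 'example.com/Shared Mailboxes'   (assumed OU)

# 3. Verify: the group should now resolve to exactly these three cmdlets and nothing else.
Get-ManagementRoleAssignment -RoleAssignee $group |
    ForEach-Object { Get-ManagementRoleEntry "$($_.Role)\*" } |
    Select-Object Role, Name, Parameters

# 4. Ongoing check: these cmdlets change who can read or send as a mailbox, so review their
#    use in the admin audit log (on by default from Exchange 2010 SP1).
Search-AdminAuditLog -Cmdlets Add-MailboxPermission, Add-MailboxFolderPermission, Add-ADPermission `
    -StartDate (Get-Date).AddDays(-7) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified
```

Run steps 1 and 2 once; step 3 is the proof that nothing beyond the three cmdlets leaked in through inheritance, and step 4 is worth scheduling, because a group that can grant Full Access is effectively a group that can read any mailbox.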

Thanks

Sathish Veerapandian – MVP

Exchange 2013 Key Improvements and Enhancements

1)      Managed Availability in Exchange 2013

In Exchange 2013, native, built-in monitoring and recovery actions are included in a feature called Managed Availability.

Managed Availability integrates built-in, active monitoring and self-recovery (fixing issues on its own without admin help) with the Exchange 2013 high availability platform, allowing Exchange to decide when to fail over a database based on service health.

To view the health of a server, use the Get-ServerHealth cmdlet to retrieve the raw health data and Get-HealthReport, which operates on that raw data and provides a snapshot of the health.

2)      Managed Store in Exchange 2013

This is a replacement for the Information Store of earlier versions.

The Microsoft Exchange 2013 Managed Store is the mechanism Exchange Server 2013 uses to isolate failures at the database level. It replaces the Exchange Information Store of past versions. The primary benefit of the Managed Store is that if a single database process encounters any sort of error, only that database is affected. The Managed Store also brings numerous enhancements over the Information Store, including:

 

•Improved integration with the Exchange Replication service,

•Better performance and resilience,

•Improved integration with Microsoft FAST search.

The Exchange 2013 Managed Store also reduces the number of potentially mounted databases per mailbox server from 100 (Exchange 2010) to 50 (Exchange 2013). This change should aid companies that rely on database availability groups (DAGs) as part of their general Exchange Server infrastructure.

3)      Safety net in Exchange 2013

The Transport Dumpster of earlier versions is replaced by Safety Net in Exchange 2013.

It prevents data loss by maintaining a queue of successfully delivered messages. Unlike the earlier Transport Dumpster, it also holds mail for mailboxes that are not members of a DAG, and for public folders.

4)      Public Folders

Public folder databases are gone in Exchange 2013. Instead, public folders are created in and associated with a parent public folder mailbox, so there is no separate public folder DB. Discussions can be stored, indexed and searched.

5)      Exchange Administration Center

The GUI-based Exchange Management Console (EMC) and the web-based Exchange Control Panel (ECP) are replaced by a single web-based UI: there is no desktop GUI any more, only a web application.

 

6)      Exchange architecture revisions:

Exchange 2007 and 2010 are broken into five server roles, mainly to address performance issues like CPU performance, which would suffer if Exchange were running as one monolithic application. But Microsoft has made progress on the performance side, so Exchange 2013 has just two roles: Client Access server role and Mailbox server role. The Mailbox server role includes all the typical server components (including unified messaging), and the Client Access server role handles all the authentication, redirection, and proxy services. You can deploy Exchange 2013 with an Exchange 2010 Edge Transport server role but a 2013 Edge role is planned post-RTM.

7)      Storage Architecture

The sizing recommendations for Exchange 2010 and 2013 are the same: a maximum of 2 TB per database.

In 2013 the number of databases you can mount has changed: 5 in Standard edition and 50 in Enterprise edition, compared with 100 in Exchange 2010 Enterprise.

 

8)      Transport Architecture

Transport is divided into three services: the Front End Transport service, the Transport service and the Mailbox Transport service.

Front End Transport service :  This service runs on all Client Access servers and acts as a stateless proxy for all inbound and outbound external SMTP traffic for the Exchange 2013 organization. The Front End Transport service doesn’t inspect message content, only communicates with the Transport service on a Mailbox server, and doesn’t queue any messages locally.

 

Transport service: This service runs on all Mailbox servers and is virtually identical to the Hub Transport server role in previous versions of Exchange. The Transport service handles all SMTP mail flow for the organization, performs message categorization, and performs message content inspection. Unlike previous versions of Exchange, the Transport service never communicates directly with mailbox databases.

 

Mailbox Transport service: This service runs on all Mailbox servers and consists of two separate services: the Mailbox Transport Submission service and the Mailbox Transport Delivery service. The Mailbox Transport Delivery service receives SMTP messages from the Transport service on the local Mailbox server or on other Mailbox servers, and connects to the local mailbox database using an Exchange remote procedure call (RPC) to deliver the message.

 

9)      Client Access Server Change

Outlook Connectivity: CAS supports only RPC/HTTP (aka Outlook Anywhere). This architecture change is primarily to drive a stable and reliable connectivity model.

The Exchange 2013 Client Access Server role simplifies the network layer. Session affinity at the load balancer is no longer required as CAS2013 handles the affinity aspects. CAS2013 introduces more deployment flexibility by allowing you to simplify your namespace architecture, potentially consolidating to a single world-wide or regional namespace for your Internet protocols. The new architecture also simplifies the upgrade and inter-operability story as CAS2013 can proxy or redirect to multiple versions of Exchange, whether they are a higher or lower version, allowing you to upgrade your Mailbox servers at your own pace.

 

10)   Changes in Active Sync

The new Exchange ActiveSync provides the following additional features:

•Support for HTML messages

•Support for follow-up flags

•Conversation grouping of email messages

•Ability to synchronize or not synchronize an entire conversation

•Synchronization of Short Message Service (SMS) messages with a user’s Exchange mailbox

•Support for viewing message reply status

•Support for fast message retrieval

•Meeting attendee information

•Enhanced Exchange Search

•PIN reset

•Enhanced device security through password policies

•Auto discover for over-the-air provisioning

•Support for setting automatic replies when users are away, on vacation, or out of the office

•Support for task synchronization

•Direct Push

•Support for availability information for contacts

 

11)   Outlook Web Access replaced with Outlook Web App

Outlook Web App, or OWA, is completely revamped, with a new look and the ability to access it offline as a real mail client. Outlook is the rich desktop client; OWA is also a client but runs over the Web. The new OWA is also designed to be more suitable for touch interfaces, which makes it more appealing for smartphones and tablet devices.

12)   Retired Tools

Mail flow, performance troubleshooters and Exchange Best Practices Analyzer have been retired and no longer

13)   Data loss protection (DLP) in Exchange 2013

Data loss protection (DLP) is a feature that is built into the Exchange platform. A powerful tool to reduce the amount of sensitive data that leaks outside of the boundaries of the organization is written directly into the new transport rules.

This allows you to set up policies that do one or more of the following:

•Enforce boundaries by preventing or limiting transmissions between groups of users, including between groups internal to a company

•Apply different treatment to messages sent inside a company from messages sent outside of a company

•Stop inappropriate content from coming into a company or leaving it

•Strip out confidential or otherwise sensitive data from transmissions

•Archive or journal messages that are sent to or received from users or a group of users

•Catch inbound and outbound messages and route them to a manager or administrator for inspection and approval prior to final delivery

•Add disclaimers to messages as they enter or leave the mail flow
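As an added example (not from the post), here is how several of the behaviours in that list map onto Exchange 2013 DLP policies and transport rules in the Exchange Management Shell. The rule names, the HR group, the moderator address and the example.com domain are assumptions; the template name is taken from the built-in list, so check the Get-DlpPolicyTemplate output for the exact name in your organization.

```powershell
# Added example (not from the post): DLP policy plus transport rules for boundary,
# approval and disclaimer handling. Names and addresses are assumptions.

# Built-in templates carry the sensitive information types; list them before choosing one.
Get-DlpPolicyTemplate | Select-Object Name, Description

# Start a template-based policy in audit mode: it logs matches but blocks nothing yet.
New-DlpPolicy -Name 'Financial data (example)' -Template 'U.S. Financial Data' -Mode Audit

# Stop sensitive content from leaving: reject outbound mail that contains a card number.
New-TransportRule -Name 'Block outbound card numbers (example)' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @{ Name = 'Credit Card Number'; MinCount = '1' } `
    -RejectMessageReasonText 'Message blocked: it appears to contain payment card data.' `
    -Mode Enforce

# Route for approval: mail from the HR group to outside the company waits for a moderator.
New-TransportRule -Name 'HR external mail needs approval (example)' `
    -FromMemberOf 'hr-team@example.com' -SentToScope NotInOrganization `
    -ModerateMessageByUser 'hr-manager@example.com'

# Disclaimer on everything leaving the organization.
New-TransportRule -Name 'External disclaimer (example)' `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerText '<p>This message is intended only for the named recipient.</p>' `
    -ApplyHtmlDisclaimerLocation Append -ApplyHtmlDisclaimerFallbackAction Wrap

# Review what is in force: Mode shows whether a rule logs or blocks, State whether it is on.
Get-TransportRule | Format-Table Name, State, Mode, Priority -AutoSize

# Once the audit results look right, promote the DLP policy to enforcement:
# Set-DlpPolicy 'Financial data (example)' -Mode Enforce
```

Starting in Audit mode is deliberate: a DLP rule that rejects on a false positive stops legitimate business mail, so the classification hits are worth reading for a week or two before the policy is switched to Enforce.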

 

14)   CDO/MAPI download for Exchange 2013

 

There is no support for BlackBerry Enterprise Server (BES) to communicate with Exchange Server 2013. The CDO/MAPI download is not yet available for Exchange 2013 and is “likely the primary reason” BES support is not yet available. Mobile devices can be supported unless you are using a third-party solution that rides on top of ActiveSync.

15)   New in In-Place eDiscovery & Hold in Exchange 2013

Multi-Mailbox Search is now known as In-Place eDiscovery. In Exchange Server 2010 and Office 365, Litigation Hold makes it possible to preserve mailbox items. When a user or a process attempts to delete an item permanently, it is moved out of the user’s view to an inaccessible location in the mailbox. Additionally, when a user or a process modifies an item, a copy-on-write (COW) is performed: a copy of the original item is saved right before the changed version is committed, preserving the original content. The process is repeated for every change, preserving a copy of all subsequent versions.

The ability to give end users a tool to perform eDiscovery searches without needing IT is great. Please refer to the blog post below.

References: http://blogs.technet.com/b/exchange/archive/2012/09/26/in-place-e-discovery-and-in-place-hold-in-the-new-exchange.aspx

Steps to perform a restore in Exchange 2010/2013 from a lag copy in DAG

In real-world scenarios we come across many cases where users request a restore from backup.

A restore falls into one of two scenarios:

1) The user requests recent data, from within the last 2 weeks.

2) The user requests very old data, from months back.

Since Exchange 2010 we have had the concept of the lag copy, from which we can restore mailboxes according to the replay lag time that is set.

We can set this value anywhere from 0 to 14 days. Lag copies are not a full backup solution, but they help during DR scenarios and for restoring mailbox contents for a user within a short window, i.e. 14 days at most.

We can perform a restore from a lag copy in Exchange 2010/2013 with the steps below.

1) Find the user's requirement for the restore (a folder-level restore, or missing mails).

2) If mails are missing, first try to recover them with MFCMAPI by following the Microsoft KB article below:

http://support.microsoft.com/kb/2750293

3) If it is a folder-level restore, we need to go ahead with the standard restore procedure, since a folder cannot be recovered with MFCMAPI.

 

4) First we need to find which database the user is in by running the command below:

Get-Mailbox <username> | fl Database

 

5) After finding the user's database, find the lag copy associated with that database:

Get-MailboxDatabase <DBname> -Status | fl MountedOnServer,ReplayLagTimes

 

6) Suspend the lag copy and copy its log and database folders into separate folders. Resume replication once the copy is done.

7) Take a second copy of the database copied from the lag server, in a separate folder, so the original copy stays untouched if the recovery has to be repeated.

8) Check the database state by navigating to the drive where the DB is located and running:

eseutil /mh "DB Location"

 

9) Copy the required logs, up to the date for which the user requested the restore, to a different location, in log sequence. Run the command below to check for damaged log files:

eseutil /ml Exx

a) Go to the location where you copied the required logs (the log range you saw in the previous step while running eseutil /mh), copy the required logs in sequence and then run the command. (Soft recovery usually completes with /a if it initially fails with the required logs.)

b) When running eseutil /ml, specify the log prefix according to the sequence of the logs generated. For example, in our case the log sequence starts with E06, so we ran eseutil /ml E06. If the log sequence is E03, then run eseutil /ml E03.

c) All the required logs should show OK; otherwise the restore will not be successful.

 

10) Perform soft recovery to bring the database to a clean shutdown by running the command below (the log prefix must directly follow /r):

eseutil /r Exx /l "log file location" /d "DB location" /a

 

Modify the locations accordingly and run the command above; you will get the output below.

Restore1

 

11) You will get the output below once the soft recovery is complete.

 

Restore2

 

12) Now when you check the database header it should show Clean Shutdown, as below.

Restore3

 

13) Create a new recovery database with the command below:

New-MailboxDatabase -Name RECOVERYDB -Recovery -LogFolderPath "path location" -EdbFilePath "path location" -Server <recovery server name>

Note: If the steps below are not followed you will get an error and the DB will not mount.

Do not mount the RDB you have just created yet. We need to rename the database file we repaired to match the RDB name; in our case we need to rename the EDB file to RECOVERYDB.edb.

 

14) Check that the mailbox is present in the recovery database by running the command below. We save the output to a file for reference.

[PS] C:\>Get-MailboxDatabase RECOVERYDB | Get-MailboxStatistics > D:\output.txt

 

15) Export the data to a test mailbox folder, or to a restore mailbox account from which we can extract the user's data later.

[PS] C:\>New-MailboxRestoreRequest -SourceDatabase RECOVERYDB -SourceStoreMailbox "john" -TargetMailbox recoverymbx -TargetRootFolder "testrecover" -AllowLegacyDNMismatch

 

16) Run the command below to check the mailbox restore status:

[PS] C:\>Get-MailboxRestoreRequest -Status Queued

Wait for 10 minutes and run the command below; the restore should now be completed.

Get-MailboxRestoreRequest -Status Completed

After the restore completes, extract a PST from the restored mailbox and hand it over to the user.
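Steps 4 to 16 above as one Exchange Management Shell script, added here as an example and not the post's own commands. Assumed values: user “john”, the lag copy on server MBX-LAG, a working folder D:\Recovery on the server that will host the recovery database, log prefix E06, the recovery database RECOVERYDB, the restore mailbox recoverymbx, and a share \\RECOVERYSRV\Recovery for the PST. The script stops at each point where the post says the restore cannot succeed (a damaged log, a header that is not in clean shutdown, a failed restore request).

```powershell
# Added example (not the post's commands): lag-copy restore end to end. Values are assumed.
$user      = 'john'
$lagServer = 'MBX-LAG'
$work      = 'D:\Recovery'
$logPrefix = 'E06'
$rdbName   = 'RECOVERYDB'
$rdbServer = $env:COMPUTERNAME

# Steps 4-5: find the user's database and confirm its lag copy on the lag server.
$db = Get-Mailbox $user | ForEach-Object { Get-MailboxDatabase $_.Database -Status }
$db | Format-List Name, MountedOnServer, ReplayLagTimes, EdbFilePath, LogFolderPath
Get-MailboxDatabaseCopyStatus "$($db.Name)\$lagServer" | Format-List Status, CopyQueueLength, LastInspectedLogTime

# Step 6: suspend the lag copy, copy its EDB and logs over the admin share, then resume.
Suspend-MailboxDatabaseCopy "$($db.Name)\$lagServer" -SuspendComment "Restore for $user" -Confirm:$false
New-Item "$work\db", "$work\logs", "$work\pristine" -ItemType Directory -Force | Out-Null
$remoteEdb  = "\\$lagServer\" + ($db.EdbFilePath.PathName  -replace ':', '$')
$remoteLogs = "\\$lagServer\" + ($db.LogFolderPath.PathName -replace ':', '$')
Copy-Item $remoteEdb "$work\db\"
Copy-Item "$remoteLogs\$logPrefix*.log" "$work\logs\"
Resume-MailboxDatabaseCopy "$($db.Name)\$lagServer"

# Step 7: keep an untouched copy so a failed recovery can be retried from scratch.
Copy-Item "$work\db\*" "$work\pristine\"

# Steps 8-9: header state and required log range, then a log integrity check.
$edb = Join-Path "$work\db" (Split-Path $db.EdbFilePath.PathName -Leaf)
& eseutil /mh $edb | Select-String 'State:', 'Log Required'
& eseutil /ml "$work\logs\$logPrefix"
if ($LASTEXITCODE -ne 0) { throw 'eseutil /ml reported a damaged log; the restore would not be consistent' }

# Step 10: soft recovery; /a (accept data loss) only if the plain run fails.
& eseutil /r $logPrefix /l "$work\logs" /s "$work\logs" /d "$work\db"
if ($LASTEXITCODE -ne 0) { & eseutil /r $logPrefix /l "$work\logs" /s "$work\logs" /d "$work\db" /a }

# Step 12: do not continue unless the header now says Clean Shutdown.
$state = (& eseutil /mh $edb | Select-String '^\s*State:').Line
if ($state -notmatch 'Clean Shutdown') { throw "Database is not in clean shutdown: $state" }

# Step 13: rename the recovered file to the RDB name, create the RDB on top of it, then mount.
Rename-Item $edb "$rdbName.edb"
New-MailboxDatabase -Name $rdbName -Recovery -Server $rdbServer `
    -EdbFilePath "$work\db\$rdbName.edb" -LogFolderPath "$work\logs"
Mount-Database $rdbName

# Step 14: record what the RDB contains before touching it.
Get-MailboxStatistics -Database $rdbName |
    Select-Object DisplayName, ItemCount, LastLogonTime | Out-File "$work\rdb-contents.txt"

# Steps 15-16: restore into a holding folder of the restore mailbox and wait for completion.
$req = New-MailboxRestoreRequest -SourceDatabase $rdbName -SourceStoreMailbox $user `
    -TargetMailbox 'recoverymbx' -TargetRootFolder "testrecover-$user" -AllowLegacyDNMismatch
do {
    Start-Sleep -Seconds 60
    $status = (Get-MailboxRestoreRequest -Identity $req.Identity).Status
} while (($status -ne 'Completed') -and ($status -ne 'Failed'))
if ($status -eq 'Failed') {
    Get-MailboxRestoreRequestStatistics -Identity $req.Identity -IncludeReport | Format-List
    throw 'Restore request failed'
}

# Hand-over: export only the restored folder to a PST, then remove the RDB.
New-MailboxExportRequest -Mailbox 'recoverymbx' -IncludeFolders "testrecover-$user/*" `
    -FilePath "\\RECOVERYSRV\Recovery\$user-restore.pst"
Dismount-Database $rdbName -Confirm:$false
Remove-MailboxDatabase $rdbName -Confirm:$false
```

Two details matter for the outcome: the restore lands in a per-user subfolder of a dedicated restore mailbox rather than in the user's live mailbox, so nothing is merged until someone has checked it, and the recovery database is removed at the end, because a mounted RDB holding a copy of a mailbox is data that nobody is watching.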

Thanks

Sathish Veerapandian

Monitoring Hub Transport Server

Monitoring the queue is one of the important tasks in the Daily Exchange Server Check list.

I have identified and modified a script for monitoring the transport queues on all the Hub servers, and I have tested its output. The script queries all Hub servers and then sends the result by email to the given recipients. Below are the screenshots and the script, which will help with monitoring the queues in Exchange 2007 and 2010.

Image    

Output of the HTML result.

Image  

The result can also be sent to a recipient email address; here is the sample output of a test run:

 

Image  

 

Below is the script file:

 ***************************************************************************

 

# Build the CSS first: it is used by ConvertTo-Html below, so it must exist before the queue query runs
$BodyStyle = "<style>"
$BodyStyle = $BodyStyle + "BODY{background-color:peachpuff;}"
$BodyStyle = $BodyStyle + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
$BodyStyle = $BodyStyle + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}"
$BodyStyle = $BodyStyle + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:PaleGoldenrod}"
$BodyStyle = $BodyStyle + "</style>"

# Collect the queues from every Hub Transport server and render them as an HTML table
$Queue = Get-TransportServer | Get-Queue | Select Identity,DeliveryType,Status,MessageCount,NextHopDomain,LastRetryTime,NextRetryTime | ConvertTo-Html -head $BodyStyle

# Keep a copy of the report on disk
$Queue | Out-File C:\scripts\QueueInfo.html

# Mail the same report as an HTML body
$Msg = new-object system.net.mail.MailMessage
$msg.IsBodyHtml = $True
$msg.Body = ($Queue | Out-String)
$msg.Subject = "Hub Transport Queue Information"
$msg.To.add("Sathish@exchangequery.com")
$msg.To.add("Administrator@exchangequery.com")
$msg.From = "Sathish@exchangequery.com"

$SmtpClient = new-object system.net.mail.smtpClient
$smtpclient.Host = 'testlab.exchangequery.com'
$smtpclient.Send($msg)

***************************************************************************
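A variant of the same report, added here as an example and not the post's script, that only sends mail when a queue is backed up or stuck, and includes the last error of each such queue so the on-call person can act without logging on. The threshold, addresses and SMTP host are assumed values.

```powershell
# Added example (not the post's script): queue check that alerts only on unhealthy queues.
$threshold = 50    # assumed; tune to the normal peak for the environment

$queues = @(Get-TransportServer | Get-Queue |
    Where-Object { ($_.MessageCount -gt $threshold) -or ($_.Status -eq 'Retry') -or ($_.Status -eq 'Suspended') } |
    Select-Object Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError, LastRetryTime, NextRetryTime)

if ($queues.Count -gt 0) {
    $style = '<style>BODY{font-family:Calibri} TABLE{border-collapse:collapse} ' +
             'TH,TD{border:1px solid black;padding:2px}</style>'
    $intro = "<p>$($queues.Count) queue(s) over $threshold messages or not in Ready state at $(Get-Date -Format u)</p>"
    $html  = $queues | ConvertTo-Html -Head $style -PreContent $intro | Out-String
    $html | Out-File C:\scripts\QueueAlert.html

    Send-MailMessage -To 'exchange-oncall@example.com' -From 'queue-monitor@example.com' `
        -SmtpServer 'hub01.example.com' `
        -Subject "Transport queue alert: $($queues.Count) queue(s) need attention" `
        -Body $html -BodyAsHtml
}
```

A queue in Retry with a growing MessageCount is the usual early sign of a downstream outage or of a mass-mailing incident; alerting on the state change rather than mailing the full table every run keeps the report from being ignored.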

 

 

 

 

 

Script for removing users from multiple distribution groups or from a specific distribution group

Adding and removing users from distribution groups on request is always a hectic job for administrators.
For example, if a user who is part of the HR team leaves the company, the administrator receives a request from the HR team to remove the user from all the HR distribution groups.

It is painful for an admin to find the user in all the associated distribution groups and then remove the user from each one.
The job is simple if there is an automation script that removes the user from the associated distribution groups.

This task can be achieved with dsmod, tweaked to our criteria. The script below is useful for removing users who have left the organization from the distribution groups associated with their department.

Step 1: Copy the text below and save it in a batch file:

FOR /F "usebackq delims=" %%* in ("c:\test folder\users.txt") do (
DSGET.exe USER "%%*" -memberof | DSMOD.exe GROUP -C -RMMBR "%%*")

I have created users named exchangequerytest and exchangequeryIT to execute this script, as shown below.

  
 
Step 2: Add the users' DNs to a text file in a location of your choice, or in the test location I specified in the batch file.

EX: the test location where I save the list of users I need to remove:

c:\test folder\users.txt

 

Image

Copy the DN of each user, not the alias.

Use the following command to get the DN.

Below is a sample output of the query for an admin account:

C:\scripts>dsquery user -name administrator
"CN=Administrator,CN=Users,DC=Exchangequery,DC=com"

Copy the output and save it, within quotation marks as shown above, in the test location specified in the batch file.

Then navigate to the folder where the batch file is saved and run it. It will pick the users from the text file we specified and remove them automatically from all the distribution groups, as the output in the example below shows. We do not need to specify any DG name.

Image

Finally the user is removed from the distribution group.

Image

 

The batch file above removes the user from every distribution group he was a member of. In a few cases we may need to remove the user from only one particular distribution group. You can use the script below for that.

Below is an example for removing the user only from the group ITDEPT:

FOR /F "usebackq delims=" %%* in ("c:\test folder\users.txt") do (
dsmod group "ITDEPT" -rmmbr "%%*")

Note: In dsmod group " " specify the DN of the ITDEPT group, and it will remove the users only from the ITDEPT group.
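The same removal done with Exchange cmdlets instead of dsmod, added here as an example and not the post's batch file. It previews every change with -WhatIf before anything is modified and writes a log line per removal, which is what an admin is usually asked for afterwards. It assumes that C:\test folder\users.txt holds one alias, UPN or DN per line; the $onlyGroup value and the log path are placeholders.

```powershell
# Added example (not the post's batch file): remove users from all, or one, distribution group.
$users     = Get-Content 'C:\test folder\users.txt' | Where-Object { $_.Trim() }
$onlyGroup = $null                     # set to 'ITDEPT' to remove from that one group only (assumed name)
$dryRun    = $true                     # flip to $false after reviewing the -WhatIf output
$log       = 'C:\scripts\dg-removals.log'

foreach ($id in $users) {
    $user = Get-Recipient -Identity $id.Trim() -ErrorAction SilentlyContinue
    if (-not $user) { Write-Warning "No recipient found for '$id'"; continue }
    $dn = $user.DistinguishedName -replace "'", "''"    # escape for the OPATH filter

    if ($onlyGroup) {
        $groups = @(Get-DistributionGroup -Identity $onlyGroup)
    } else {
        # Every distribution group whose member list contains this DN
        $groups = @(Get-DistributionGroup -ResultSize Unlimited -Filter "Members -eq '$dn'")
    }
    if ($groups.Count -eq 0) { Write-Host "$($user.Name): no matching groups"; continue }

    foreach ($g in $groups) {
        Remove-DistributionGroupMember -Identity $g.Identity -Member $user.DistinguishedName `
            -Confirm:$false -WhatIf:$dryRun
        if (-not $dryRun) {
            "{0:u}`t{1}`tremoved from`t{2}" -f (Get-Date), $user.PrimarySmtpAddress, $g.PrimarySmtpAddress |
                Add-Content $log
        }
    }
}
```

Run it once with $dryRun left at $true and read the "What if" lines; only then set it to $false. The log file is the evidence of who was removed from which group and when, which the batch file version does not leave behind.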

Steps to run Process Tracking Log (PTL) tool for use with Exchange 2007 and Exchange 2010

Monitoring mail flow in an organization in terms of top email senders, non-delivery reports triggered, top domains sent to and large email attachments is a tedious job for an Exchange admin.

To overcome these hectic scenarios and make the admin's job simpler, Microsoft has introduced the Process Tracking Log tool, which makes the job very simple.

Below are the steps to run the Process Tracking Log.

Step 1: Download the VB script and save it on the C:\ drive of your Hub server.

Download Link : http://gallery.technet.microsoft.com/Process-Tracking-Log-PTL-904448

 

Step 2: Create this directory on your Hub server, where the output file will be saved:

c:\temp\MSGTRACK\Output\

 

Step 3: Save all your accepted domains in the file below:

c:\temp\MSGTRACK\Output\Archive\Get-AcceptedDomain.log

 

Step 4: To parse one file in a single directory:

Image

To parse all files in a single directory:

Image

 

Output will be saved here: c:\temp\MSGTRACK\Output\

Below are a few examples of the output generated after running this script:

Image

 

Image

 

Image

 

References : http://blogs.technet.com/b/exchange/archive/2011/10/21/updated-process-tracking-log-ptl-tool-for-use-with-exchange-2007-and-exchange-2010.aspx

Steps to setup a new mobile device mailbox policy in exchange 2013

Exchange 2013 has introduced the mobile device mailbox policy, which is useful for managing ActiveSync-enabled users: managing passwords, specifying the minimum password length globally, mandating special characters, and setting up a device wipe after a number of failed password attempts.

 

Exchange ActiveSync mailbox policies can be created via the Exchange Administration Center (EAC) or the Exchange Management Shell (EMS).

It is easier to create the ActiveSync mailbox policy via the EAC and then add a few more settings with the EMS.

 

Below are the screenshots for creating a device mailbox policy via the EAC.

1) Open the Exchange Admin Center and click the mobile option.

Image

 

2) You can see the default mailbox policy, which is configured automatically during installation.

3) Click the add button to configure a new mailbox policy, which opens the screen shown below.

Image

 

4) You can set the required parameters such as password length and number of sign-in failures, which take effect according to the policy you set globally or for a few specific groups.

 

Image

 

5) A few additional parameters are also available, such as password re-login after idle timeout and password recycle count, as shown in the screenshot below.

Image

 

Once we click Save, the ActiveSync policy will be created.

After creation it is better to manage the ActiveSync policy with the Exchange Management Shell, since the Set-ActiveSyncMailboxPolicy parameters expose a few more settings that are helpful.
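The same policy created from the Exchange Management Shell, applied to a set of users, and followed by a check that every ActiveSync user is actually covered. This is an added example, not the post's screenshots; the policy name, the example.com OU and the values are assumptions for illustration.

```powershell
# Added example (not from the post): EMS equivalent of the EAC policy, plus coverage checks.
$settings = @{
    Name                               = 'Corporate Phones'   # assumed policy name
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true      # letters and digits, not just a PIN
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2          # e.g. one letter and one symbol
    AllowSimpleDevicePassword          = $false     # blocks 1234, 1111 and the like
    MaxDevicePasswordFailedAttempts    = 10         # device wipes itself after this many
    MaxInactivityTimeDeviceLock        = '00:15:00' # lock after 15 minutes idle
    DevicePasswordHistory              = 5          # password recycle count
    DevicePasswordExpiration           = '90.00:00:00'
    RequireDeviceEncryption            = $true
    AllowNonProvisionableDevices       = $false     # devices that cannot enforce the policy are refused
}
New-MobileDeviceMailboxPolicy @settings

# Apply it to one OU of mailboxes (or make it the default with Set-MobileDeviceMailboxPolicy -IsDefault $true).
Get-Mailbox -OrganizationalUnit 'example.com/Sales' -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy $settings.Name

# Check 1: ActiveSync-enabled users that have no policy assigned at all.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and -not $_.ActiveSyncMailboxPolicy } |
    Select-Object Name, ActiveSyncMailboxPolicy

# Check 2: devices in that OU that have not applied their policy in full.
Get-Mailbox -OrganizationalUnit 'example.com/Sales' -ResultSize Unlimited |
    ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.Identity } |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync
```

The two checks are the part the EAC does not show on one screen: a policy only protects the devices it reaches, and AllowNonProvisionableDevices set to $false is what stops a device that ignores the policy from syncing at all.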

References : http://technet.microsoft.com/en-us/library/bb123756(v=exchg.150).aspx

 

Quick Reference for Managing Public Folders in Exchange 2010

Below are a few commands which will be helpful as a quick reference for managing public folders through the Exchange Management Shell.

Public folder help: the following command lists all the parameters of the New-PublicFolder cmdlet, which is used to create a new public folder.

Get-help New-Publicfolder

You can use the New-PublicFolder cmdlet to create a new public folder with the specified name.

New-PublicFolder -Name [-Path ] [-Server ]
EXAMPLE
New-PublicFolder -Name Marketing
New-PublicFolder -Name Marketing -Path Legal\Cases -Server Server2

Use the Get-PublicFolder cmdlet to retrieve the attributes of a public folder or a set of public folders

Get-PublicFolder [-Identity ] [-Server ]
Get-PublicFolder [-Identity ] -GetChildren [-ResultSize ] [-Server ]
Get-PublicFolder [-Identity ] -Recurse [-ResultSize ] [-Server ]

EXAMPLE
Get-PublicFolder
Get-PublicFolder -Identity \NON_IPM_SUBTREE -Recurse | Format-List Name
Get-PublicFolder -Identity
Get-PublicFolder -Identity "\Legal\Documents\Pending Litigation"
Get-PublicFolder -Identity "\Legal\Documents\Pending Litigation" -Recurse
Get-PublicFolder -Identity "\Legal\Documents\Pending Litigation" -Recurse -ResultSize Unlimited
Get-publicfolder “\” -recurse -server

• The first example uses the Get-PublicFolder command without parameters to return the root public folder object (IPM_SUBTREE).
• The second example returns the names of all the system folders (which are not shown by default), starting at the system folder root (\NON_IPM_SUBTREE).
• The third example returns the public folder with the specified long-term entry identifier.
• The fourth example returns the Pending Litigation public folder from \Legal\Documents\.
• The fifth example returns the Pending Litigation public folder from \Legal\Documents\ and up to 9,999 public folders under the Pending Litigation public folder.
• The sixth example returns the Pending Litigation public folder from \Legal\Documents\ and all the public folders under it, without a limit on the number returned.
• The seventh example returns the hierarchy of all IPM_SUBTREE folders on the server SERVER1.

Use the Set-PublicFolder cmdlet to set the attributes of public folders
USAGE
Set-PublicFolder -Identity [-AgeLimit ] [-HiddenFromAddressListsEnabled ] [-MaxItemSize ] [-Name ] [-PerUserReadStateEnabled ] [-PostStorageQuota ] [-Replicas ] [-ReplicationSchedule ] [-RetainDeletedItemsFor ] [-Server ] [-StorageQuota ] [-UseDatabaseAgeDefaults ] [-UseDatabaseQuotaDefaults ] [-UseDatabaseReplicationSchedule ] [-UseDatabaseRetentionDefaults ]

Set-PublicFolder -Identity [-AgeLimit ] [-HiddenFromAddressListsEnabled ] [-LocalReplicaAgeLimit ] [-MaxItemSize ] [-Name ] [-PerUserReadStateEnabled ] [-PostStorageQuota ] [-Replicas ] [-ReplicationSchedule ] [-RetainDeletedItemsFor ] [-Server ] [-StorageQuota ] [-UseDatabaseAgeDefaults ] [-UseDatabaseQuotaDefaults ] [-UseDatabaseReplicationSchedule ] [-UseDatabaseRetentionDefaults ]

Set-PublicFolder [-AgeLimit ] [-HiddenFromAddressListsEnabled ] [-Instance ] [-MaxItemSize ] [-Name ] [-PerUserReadStateEnabled ] [-PostStorageQuota ] [-Replicas ] [-ReplicationSchedule ] [-RetainDeletedItemsFor ] [-Server ] [-StorageQuota ] [-UseDatabaseAgeDefaults ] [-UseDatabaseQuotaDefaults ] [-UseDatabaseReplicationSchedule ] [-UseDatabaseRetentionDefaults ]

EXAMPLES
Set-PublicFolder "\Customer Service Requests" -UseDatabaseReplicationSchedule $false
Set-PublicFolder "\Customer Service Requests" -ReplicationSchedule Always
Set-PublicFolder \MyPublicFolder -ReplicationSchedule "Saturday.12:00 AM-Monday.12:00 AM"

• In the first example, the Set-PublicFolder command is used to change a public folder so that it does not use the database default replication schedule.
• In the second example, the Set-PublicFolder command is used to set the replication schedule to Always.
• In the third example, the Set-PublicFolder command is used to set the folder to replicate only on weekends.

Use the Remove-PublicFolder cmdlet to remove an existing public folder.

USAGE
Remove-PublicFolder -Identity [-Recurse ] [-Server ]

EXAMPLES
Remove-PublicFolder -Identity "\Test\Directory\My Public Folder"
Remove-PublicFolder -Identity "\Test" -Recurse

• The first example deletes the public folder named My Public Folder from the \Test\Directory tree. Note that if there is any sub-folder under My Public Folder, the command fails with the error “The folder ‘My Public Folder’ has subfolders, so it cannot be deleted”.
• The second example deletes the Test folder and all subfolders under it.

Use the Enable-MailPublicFolder cmdlet to mail-enable public folders. This is an asynchronous operation and it may take several minutes before the public folder is actually mail-enabled; the task returns before the operation is complete.

USAGE
Enable-MailPublicFolder -Identity [-HiddenFromAddressListsEnabled ] [-Server ]

EXAMPLES
Enable-MailPublicFolder "\My Public Folder"

• In this example, the Enable-MailPublicFolder command is used to mail-enable the public folder that has the name My Public Folder.

Use the Disable-MailPublicFolder cmdlet to mail-disable a public folder.

USAGE
Disable-MailPublicFolder -Identity [-Server ]

EXAMPLES
Disable-MailPublicFolder -Identity "My Public Folder"

• This example mail-disables a public folder that is called My Public Folder.

Get-MailPublicFolder | Format-List

• This example returns all mail-enabled public folders if the total number of public folders is less than 10,000; otherwise it displays up to 10,000 public folders. In this example, the output of the Get-MailPublicFolder command is piped to the Format-List command so that all the available information is displayed in the result.
Use the Update-PublicFolder cmdlet to start content synchronization of a public folder.

USAGE
Update-PublicFolder -Identity -Server

EXAMPLES
Update-PublicFolder "\Legal\Cases\My Public Folder" -Server "My Server"

Get-PublicFolder "\Legal\Cases\My Public Folder" | Update-PublicFolder -Server "My Server"

• These examples show two ways to start content replication of the public folder named My Public Folder in the \Legal\Cases path from the server named My Server to all of the servers on the replication list for My Public Folder.

– Force hierarchy replication

Use the Update-PublicFolderHierarchy cmdlet to start content synchronization of the public folder hierarchy.
Get-MailboxServer -Identity Server1 | Update-PublicFolderHierarchy

• This example pipes the output of the Get-MailboxServer command to the Update-PublicFolderHierarchy command to start content replication of the public folder hierarchy from Server1 to Mailbox servers with a public folder store.

Use the Add-PublicFolderAdministrativePermission cmdlet to add administrative permissions to a public folder or a public folder hierarchy.

USAGE
Add-PublicFolderAdministrativePermission -Identity -AccessRights -User [-Deny ] [-InheritanceType ] [-Server ]

Add-PublicFolderAdministrativePermission -Identity -Owner [-Server ]

Add-PublicFolderAdministrativePermission [-Identity ] -Instance [-AccessRights ] [-Deny ] [-InheritanceType ] [-Server ] [-User ]

EXAMPLES
Add-PublicFolderAdministrativePermission -User Chris -Identity \MyPublicFolder -AccessRights ViewInformationStore
Add-PublicFolderAdministrativePermission -User Chris -Identity \MyPublicFolder -AccessRights ViewInformationStore -Deny

• In the first example, a user named Chris is given the ViewInformationStore permission on the public folder named MyPublicFolder.
• In the second example, the Deny parameter is added to the command in the first example, which denies the user named Chris the ViewInformationStore permission.

The AccessRights parameter specifies the rights that are being added. Valid values include:
• None
• ModifyPublicFolderACL
• ModifyPublicFolderAdminACL
• ModifyPublicFolderDeletedItemRetention
• ModifyPublicFolderExpiry
• ModifyPublicFolderQuotas
• ModifyPublicFolderReplicaList
• AdministerInformationStore
• ViewInformationStore
• AllStoreRights
• AllExtendedRights

Use the Remove-PublicFolderAdministrativePermission cmdlet to remove administrative permissions for a public folder or a public folder hierarchy.

USAGE
Remove-PublicFolderAdministrativePermission -Identity -AccessRights -User [-Deny ] [-InheritanceType ] [-Server ]

Remove-PublicFolderAdministrativePermission [-Identity ] -Instance [-AccessRights ] [-Deny ] [-InheritanceType ] [-Server ] [-User ]

EXAMPLES
Remove-PublicFolderAdministrativePermission -User Chris -Identity \MyPublicFolder -AccessRights ViewInformationStore

• In this example, the ViewInformationStore permission is removed from a user named Chris on the public folder named MyPublicFolder.

Use the Get-PublicFolderAdministrativePermission cmdlet to get the administrative permissions for a public folder or a public folder hierarchy.

USAGE
Get-PublicFolderAdministrativePermission -Identity [-Server ] [-User ]

Get-PublicFolderAdministrativePermission -Identity [-Owner ] [-Server ]

EXAMPLES
Get-PublicFolderAdministrativePermission -Identity "\My Public Folder"
Get-PublicFolderAdministrativePermission -Identity "\My Public Folder" -User Chris -Server "My Server" | Format-List
Get-PublicFolderAdministrativePermission -Identity "\My Public Folder" -Owner

• In the first example, the Get-PublicFolderAdministrativePermission command is used to retrieve the access rights for all users of the public folder named My Public Folder.
• In the second example, the Get-PublicFolderAdministrativePermission command is used to retrieve the administrative permissions for the public folder named My Public Folder, for the user named Chris, on the server named My Server. In this example, the output of the Get-PublicFolderAdministrativePermission command is piped to the Format-List command so that all the available information is displayed in the result.
• In the third example, the Get-PublicFolderAdministrativePermission command is used to determine the owner of the public folder named My Public Folder.
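Running Get-PublicFolderAdministrativePermission one folder at a time does not scale to a review of the whole hierarchy. The following is an added example, not code from the original post: it walks the tree, keeps only explicit (non-inherited) entries, and flags the AccessRights values listed above that let the holder rewrite the ACLs or that grant everything. It assumes the Exchange 2010 Management Shell and that the permission objects expose User, AccessRights, Deny and IsInherited properties.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010 Management Shell and
# that Get-PublicFolderAdministrativePermission returns objects with the User, AccessRights,
# Deny and IsInherited properties.
$highRisk = 'AllStoreRights', 'AllExtendedRights',
            'ModifyPublicFolderACL', 'ModifyPublicFolderAdminACL'

function Get-PublicFolderAdminRightsReport {
    param([string] $Root = '\', [string] $Server)

    $pfArgs = @{ Identity = $Root; Recurse = $true; ResultSize = 'Unlimited' }
    if ($Server) { $pfArgs.Server = $Server }

    foreach ($pf in Get-PublicFolder @pfArgs) {
        # Only explicit entries: inherited ones were set higher up the tree and are
        # reported once, on the folder where they were granted.
        Get-PublicFolderAdministrativePermission -Identity $pf.Identity |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object {
                # AccessRights is multi-valued; normalise it to one flat string array.
                $rights = @((@($_.AccessRights) -join ',') -split ',' | ForEach-Object { $_.Trim() })
                New-Object PSObject -Property @{
                    Folder   = [string] $pf.Identity
                    User     = [string] $_.User
                    Rights   = ($rights -join ',')
                    Deny     = [bool] $_.Deny
                    HighRisk = [bool] ($rights | Where-Object { $highRisk -contains $_ })
                }
            }
    }
}

# High-risk grants: a user who can rewrite the admin ACL can grant himself the rest.
$report = Get-PublicFolderAdminRightsReport -Root '\'
$report | Where-Object { $_.HighRisk -and -not $_.Deny } |
    Sort-Object Folder, User | Format-Table Folder, User, Rights -AutoSize
# Explicit Deny entries: a Deny overrides an Allow and is easy to miss in a review.
$report | Where-Object { $_.Deny } | Format-Table Folder, User, Rights -AutoSize
```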

Steps to Troubleshoot Offline Address Book – Exchange 2010 & Exchange 2003 mixed environment

Things to check before you proceed with troubleshooting:

• What type of clients are used: Outlook 2003, Outlook 2007 or Outlook 2010?
• Have the OAB files been replicated from the Mailbox server (OAB generation server) to the Client Access server?
• Does the organization contain at least one OAB virtual directory?
• Is the OAB set for web distribution?
• Any recent changes to the environment, or any updates or patches installed?
• How many users are affected, and how does the problem occur?

TROUBLESHOOTING

Check whether the Autodiscover service is working correctly for Outlook 2007 and Outlook 2010, because a misconfigured Autodiscover can cause the OAB download to fail.

Steps to check: run Test E-mail AutoConfiguration on the Outlook client.

Another way to check this is to see whether users are able to modify Out of Office (OOF) Assistant settings in Outlook 2007 or 2010.

If the problem is with Outlook 2003, proceed with the regular OAB troubleshooting for legacy Exchange.

For Outlook 2010, check whether an OAB virtual directory is present.

To verify, open the Exchange Management Shell and run the following cmdlet. It returns all of the OAB virtual directories found:

Get-OabVirtualDirectory

If the cmdlet doesn't return any OAB virtual directories, there is a problem and you will need to create one using the New-OabVirtualDirectory cmdlet.

Verify whether any OABs are set up for web distribution.

Do the following:
a. Open the Exchange Management Console.
b. Expand the Organizational Container.
c. Click on the Mailbox Container.
d. In the middle MMC pane, click on the 'Offline Address Book' tab.
e. If any Offline Address Books are set up for web distribution, they will be identified as such under the Distribution Mechanism column as Web-Based.

The following location on the Client Access server can be checked to see whether the Offline Address Book files have been replicated:

C:\Program Files\Microsoft\Exchange Server\Client access\OAB

This is the local cache for the Client Access server; any Offline Address Book files that need to be updated are updated here.

Permissions should also be checked. If any of the default permissions are locked or missing, the Offline Address Book files might not be replicated.

The default permissions on this directory are as follows:

• Anonymous access disabled
• Integrated Windows Authentication enabled
• Read permission enabled
• Write permission disabled
• Directory Browsing disabled
• Script source access disabled
• Log Visits enabled
• Index this resource disabled
• Execute permissions set to None

If you suspect that you have an OAB generation problem, turn up diagnostic logging through the Exchange Management Shell.

On the Exchange 2010 Mailbox server, open the Exchange Management Shell and enter the following cmdlet:

Set-EventLogLevel "MSExchangeSA\OAL Generator" -Level Expert

After you press Enter you will not see any output indicating that the logging level has been set.

However, you can verify the level using the following cmdlet:

Get-EventLogLevel "MSExchangeSA\OAL Generator"

Next, run the following to generate the Default Offline Address List:

Update-OfflineAddressBook -Identity "Default Offline Address List"

Review the Application event log on the Mailbox server.

Another method for troubleshooting OAB failures is to use the tracing built into ExTRA (the Exchange Troubleshooting Assistant).

  • Exchange 2010 OAB
    ================

    Analyze current configuration
    ——————————————–

    1. Use Exchange Management Console
    2. Expand Server Configuration and select Mailbox
    3. Right-click the server in the list of servers and click Properties
    4. Select the Client Settings tab
    a. Check specified Offline Address Book configuration
    b. Check Distribution methods (Web and/or public folders)

    Public folder distribution
    OAB 4.0, 3a, 2.0

    Web folder distribution
    OAB 4.0

    Public folder distribution
    ———————————-

    Use MFCMAPI to inspect the public folders housing the OAB data

    1. Public Root
    2. NON_IPM_SUBTREE
    3. OFFLINE ADDRESS BOOK
    4. DN for OAB (for example, /o=Fourthcoffee/cn=addrlists/cn=oabs/cn=Default Offline
    Address List)
    5. Double-click any of the following folders to see the messages within:

    OAB version 2
    OAB version 3a
    OAB version 4

    Web distribution
    ————————-

    1. Use Exchange Management Console
    2. Expand Server Configuration
    3. Select Client Access
    4. Select the CAS server in the top pane
    5. Select the "Offline Address Book Distribution" tab in the bottom pane
    6. Right-click the listed OAB and click Properties

    a. On the General tab look at the Polling Interval value. This is the value used by the File Replication Service to determine how often to replicate the OAB files to the distribution point.
    b. On the URLs tab look at the Internal URL and External URL values to see whether they are configured appropriately (you need to know the correct values for your environment).

    7. Check the OAB generation share:

    \Program files\Microsoft\Exchange Server\ExchangeOAB

    Do you see a folder with a {guid} that matches the {guid} in the OAB URL shown in Outlook (Test E-mail AutoConfiguration)?

    8. Check the web distribution folder:

    \Program files\Microsoft\Exchange Server\ClientAccess\OAB\{guid}

    a. Does this {guid} match the {guid} in the share listed in step 7?
    b. If not, what is the number of minutes specified for the Polling Interval? Is the File Replication Service running?

    c. Check the Event log on the generation server:

    Source: MSExchangeFDS
    Category: FileReplication

    Steps to generate a new Web distribution OAB
    ————————————————————————-

    1. In Exchange Management Console go to Organization Configuration – Mailbox
    2. Click “New Offline Address Book”
    a. Name = E2010 Web OAB
    b. OAB generation server = <E2010 mailbox server>
    c. Enable Web-based distribution
    Vdir = OAB (Default web site) CLT-E2k10
    d. Enable public folder distribution
    3. Right-click the newly created OAB and click Update
    4. Check the \program files\microsoft\exchange server\ExchangeOAB folder

    <result> you should see the {guid} subfolder just generated. This data will need to
    be replicated to the CAS server

    5. On the CAS server check \program files\microsoft\exchange
    server\clientaccess\OAB for web distribution

    <result> the files probably won’t be replicated here just yet.

    6. Select Server Configuration – Mailbox

       Examine the Mailbox Database properties

       Go to the Client Settings tab

       Offline Address Book = <name of your new OAB> (browse if necessary)

    7. Select Server Configuration – Client Access

       Select your CAS server in the top pane

       Select the "Offline Address Book Distribution" tab

       Right-click OAB (Default Web Site) and click Properties

       On the General tab check the Polling Interval (set it temporarily low to force FRS replication of the OAB files)

       On the URLs tab validate the Internal URL and External URL (for example, the Internal URL would just be https://cas_server/ )

    8. Wait a minute or two (or whatever time you specified for the Polling Interval)
    9. On the CAS server, re-check \program files\microsoft\exchange server\clientaccess\OAB for web distribution

    <result> the files should now be in the distribution point on the CAS server

    10. To force a regeneration of the Autodiscover settings, run iisreset (or just wait)

    NOTE: Don't run iisreset on a production server.

    11. Start Outlook 2007 or 2010 with a cached mode profile.
    12. Check the OAB URL in the Test E-mail AutoConfiguration dialog

    <result> the URL should point to the URL specified above plus /OAB/{guid}. For example, https://server/OAB/d15381e6-ce14-4949-a147-2681e656744a/
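The server-side checks above (an OAB virtual directory exists, the OAB is web-enabled, the {guid} folder is present in the ExchangeOAB share and again under ClientAccess\OAB on the CAS, and the polling interval) can be collected into one function. This is an added example, not code from the original post; it assumes the Exchange 2010 Management Shell, reachable admin shares on the generation server and the CAS, and the property names named in the comments.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010 Management Shell,
# that the admin shares on the generation server and the CAS are reachable, that
# Get-OfflineAddressBook exposes Name, Guid, Server and WebDistributionEnabled, and that
# Get-OabVirtualDirectory exposes Server, Path, PollInterval and InternalUrl.
function Test-OabWebDistribution {
    $vdirs = @(Get-OabVirtualDirectory)
    if ($vdirs.Count -eq 0) {
        Write-Warning 'No OAB virtual directory found; create one with New-OabVirtualDirectory.'
        return
    }
    foreach ($oab in Get-OfflineAddressBook) {
        if (-not $oab.WebDistributionEnabled) {
            Write-Warning "$($oab.Name): web distribution is not enabled."
            continue
        }
        $guid = $oab.Guid.ToString()
        # Step 7: the generation share on the mailbox server must hold a {guid} folder.
        $genOk = Test-Path "\\$($oab.Server)\ExchangeOAB\$guid"
        # Step 8: every CAS distribution point should hold the same {guid} folder.
        foreach ($vd in $vdirs) {
            $physPath = [string] $vd.Path              # e.g. C:\...\ClientAccess\OAB
            if (-not $physPath) { continue }
            # Turn the local path into an admin-share UNC path: \\cas\C$\...\ClientAccess\OAB
            $casRoot = "\\$($vd.Server)\$($physPath.Substring(0, 1))`$" + $physPath.Substring(2)
            New-Object PSObject -Property @{
                OAB             = $oab.Name
                CasServer       = [string] $vd.Server
                GenerationShare = $genOk
                CasCopy         = (Test-Path (Join-Path $casRoot $guid))
                PollIntervalMin = $vd.PollInterval
                ExpectedOabUrl  = "$($vd.InternalUrl)/$guid/"
            }
        }
    }
}

# GenerationShare=True with CasCopy=False means the OAB was built but the copy to the CAS
# has not happened yet: wait out PollIntervalMin or check the MSExchangeFDS events.
Test-OabWebDistribution |
    Format-Table OAB, CasServer, GenerationShare, CasCopy, PollIntervalMin, ExpectedOabUrl -AutoSize
```

ExpectedOabUrl is the value Outlook should show under "OAB URL" in Test E-mail AutoConfiguration once Autodiscover has been refreshed.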

Outlook 2010 OAB Analysis
======================

Troubleshooting
————————–

1. Check the Sync Issues folder

       Check the different Synchronization Log messages (those with a red exclamation point icon)

       Check for an error in the message under "Microsoft Exchange offline address book"

2. Check the Olkdisc.log file (in the %temp% folder) for the listed OAB URL
3. Inspect the OAB URL with the Test E-mail AutoConfiguration tool

       Start Outlook

       Press CTRL, right-click the Outlook icon in the system tray and then click Test E-mail AutoConfiguration

       Clear the two "Guessmart" checkboxes and click Test

       Inspect the value for "OAB URL"

– If you are using public folders for the OAB, this will say "Public folder"

– If you are using web distribution for the OAB, this will list the full URL to the OAB files. For example, https://server/oab/{guid}

Steps to troubleshoot on messages stuck in local delivery queue in exchange 2003

Here are a few troubleshooting steps that help when messages are stuck in the local delivery queue.

1. Open the Queue Viewer and check the last error information for the local delivery queue.

2. Open the Event Viewer, look for event ID 2080 and check GC and DC availability.

3. Increase the diagnostics logging for the following DSAccess keys in the registry:

• General
• Cache
• Topology
• Config
• LDAP

4. Restart the System Attendant service and check whether any relevant event IDs are logged.

5. Check the Directory Access tab in ESM and see whether the DC and GC are listed.

6. Finally, if nothing else works, you can hard-code the Exchange server to use a particular DC.

 

Note: registry changes must be made carefully and correctly; an incorrect value can leave the Exchange server unable to contact any DC.

Add the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeADAccess\Profiles\Default\UserDC1

IsGC = REG_DWORD 0x0

Hostname = REG_SZ <DC Name>

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeADAccess\Profiles\Default\UserGC1

IsGC = REG_DWORD 0x1

Hostname = REG_SZ <DC Name>

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeADAccess\Instance0

ConfigDCHostName = REG_SZ <DC Name>
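The values above can be written in one step, with the two safeguards the note calls for: confirm the chosen DC actually answers on the LDAP and Global Catalog ports before pinning to it, and export the key first so the change can be rolled back. This is an added example, not code from the original post; $DcName is a placeholder, and the key path and value names are taken from the post as given.

```powershell
# Added example, not from the original post. $DcName is a placeholder for the domain
# controller you choose; the key path and value names are the ones given in the post.
param([Parameter(Mandatory = $true)][string] $DcName)

$base = 'HKLM:\System\CurrentControlSet\Services\MSExchangeADAccess'

# Refuse to pin Exchange to a host that does not answer on the LDAP (389) and GC (3268)
# ports: pinning to an unreachable DC is exactly the failure the note above warns about.
function Test-TcpPort([string] $ComputerName, [int] $Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ComputerName, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}
foreach ($port in 389, 3268) {
    if (-not (Test-TcpPort $DcName $port)) { throw "$DcName does not answer on TCP port $port" }
}

# Keep an export of the current key so the change can be rolled back with 'reg import'.
if (Test-Path $base) {
    $backup = Join-Path $env:TEMP ('MSExchangeADAccess-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg export 'HKLM\System\CurrentControlSet\Services\MSExchangeADAccess' $backup | Out-Null
}

# UserDC1 / UserGC1 under the Default profile, then ConfigDCHostName under Instance0,
# with the value types listed above (REG_DWORD for IsGC, REG_SZ for the host names).
$entries = @(
    @{ Path = "$base\Profiles\Default\UserDC1"; Values = @{ IsGC = 0; Hostname = $DcName } },
    @{ Path = "$base\Profiles\Default\UserGC1"; Values = @{ IsGC = 1; Hostname = $DcName } },
    @{ Path = "$base\Instance0";                Values = @{ ConfigDCHostName = $DcName } }
)
foreach ($entry in $entries) {
    if (-not (Test-Path $entry.Path)) { New-Item -Path $entry.Path -Force | Out-Null }
    foreach ($name in $entry.Values.Keys) {
        $value = $entry.Values[$name]
        $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $entry.Path -Name $name -Value $value -PropertyType $type -Force | Out-Null
    }
}

# The new values are picked up when the System Attendant restarts (step 4 above).
Restart-Service MSExchangeSA
```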