Installing Enterprise Vault 9 Pre-Requisites via PowerShell

No Comments » Written on August 23rd, 2011 by Jeremy Phillips
Categories: Enterprise Vault, Exchange, PowerShell
Tags: Archiving, Enterprise Vault, Exchange, PowerShell

This might come in handy for some. It can be executed from PowerShell running as Administrator.

Import-module ServerManager

Add-WindowsFeature MSMQ-Server, NET-Framework-Core, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Http-Redirect, Web-Asp-Net, Web-NET-Ext, Web-ASP, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Filtering, Web-IP-Security, Web-Stat-Compression, Web-Mgmt-Console, Web-Scripting-Tools, Web-Mgmt-Service, Web-Metabase, Web-WMI, Web-Lgcy-Scripting, Web-Lgcy-Mgmt-Console, RSAT-Web-Server

Export All Mailboxes to PST in Exchange 2010 SP1

No Comments » Written on June 29th, 2011 by Jeremy Phillips
Categories: Exchange, PowerShell

We’re migrating our on-premise email environment to Office 365 but prior to decommissioning the last server I wanted to take a snapshot of all mailboxes as they are right now; the easiest way to do this is exporting them to PST with New-MailboxExportRequest [TechNet Info]. So, without further ado, here a quick and easy way to export all mailboxes from a small environment:

$mailboxes = get-mailbox

foreach ($mailbox in $mailboxes) {

new-mailboxexportrequest -mailbox $mailbox -FilePath \\server\c$\$mailbox.pst

}

Obviously you’re going to want to change the FilePath but keep in mind you must point it towards a UNC path, not a drive letter. To see the status of the exports you can run the below command.

Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

Exchange Links – 06/10/11

No Comments » Written on June 10th, 2011 by Jeremy Phillips
Categories: Blog, Exchange
Tags: exchange links

We tend to read quite a bit on Exchange; here are some articles you may find useful or informative. If you have suggestions on any other blogs or websites we should be reading please leave a comment.

Creating Distribution Groups Overriding Naming Policy
Distribution Group Naming Policy is a template that, we as Exchange admins, apply to all newly created distribution groups. [...] There will be times in which you want to cerate a distribution group with a particular name, without getting the standard policy applied. You can create new groups or modify existing ones, ignoring the naming policy been configured. Read More @ How Exchange Works

The Conversation Action Settings Folder
If you’re used to using Outlook on Windows, you may never have seen this folder. In fact, you might not have seen it if you are a Win Outlook user, because it’s only present on Exchange 2010 mailboxes. Read More @ Paul’s Down Home Page

Using Room List Distribution Group in Exchange 2010
As the name suggests, “Room List Distribution Group” is a distribution group which has a list of room mailboxes as its members. Why do we need one of these groups, you might ask. In earlier versions of Outlook, if you wanted to search for a room’s availability while setting up a meeting, you needed to add all possible rooms to the meeting request and then use the Scheduling Assistant to view available rooms. [...] In Exchange 2010, if a room list distribution group has been configured, an end user can add just the distribution group, which will list all the meeting rooms and the availability automatically. Read More @ How Exchange Works

Exchange Server 2010 Native Data Protection – Part 1
Exchange Server 2010 brings new features that allow companies to protect their emails without performing any backups. These features introduce the concept known as Exchange Native Data Protection, formerly known as Backup-less Exchange Organization. Read More @ ExchangeInbox.com

Compliance Transport Rules

No Comments » Written on February 8th, 2011 by Kevin Miller
Categories: Exchange, Security

I had a customer recently ask me to help them create Exchange transport rules to block credit card numbers and social security numbers from being sent via email. This lead me to research how credit card numbers are formatted and how Exchange transport rules uses regular expressions. Below are the commands I provided to the customer to create rules to block credit cards and social security numbers as well as notes I took on number formatting.

NOTE || According to the Microsoft KB (\s|.|-) should block Space, Period, and Hyphen. In real life the \s seems to block anything, resulting in an SSN number blocking expression that blocks phone numbers. I am looking into why this is happening. Until I update this again please remove the \s| from all expressions before implementing the rules

Blocking without blobs

The rules below will not block 16,15,and 9 digit number blobs – Meaning, someone could send 123234355 as their SOC and it would go through. Additionally they only block the numbers grouped with a space, period, or hyphen/dash between the number groupings (\s|.|-)

Block SSN numbers

New-TransportRule -Name “Social Security Number Block Rule” -SubjectOrBodyMatchesPatterns “\d\d\d(\s|.|-)\d\d(\s|.|-)\d\d\d\d” -RejectMessageEnhancedStatusCode “5.7.1″ -RejectMessageReasonText “This message has been rejected because of content restrictions”

Block Credit Card numbers

New-TransportRule -Name “Visa_Mastercard_Discover_Block Rule” -SubjectOrBodyMatchesPatterns

“\d\d\d\d(\s|.|-)\d\d\d\d(\s|.|-)\d\d\d\d(\s|.|-)\d\d\d\d” -RejectMessageEnhancedStatusCode “5.7.1″ -RejectMessageReasonText “This message has been rejected because of content restrictions”

Block Amex Numbers

New-TransportRule -Name “Amex_Block Rule” -SubjectOrBodyMatchesPatterns”\d\d\d\d(\s|.|-)\d\d\d\d\d\d(\s|.|-)\d\d\d\d\d” -RejectMessageEnhancedStatusCode “5.7.1″ -RejectMessageReasonText “This message has been rejected because of content restrictions”

Blocking with blobs

The rules below will block 16 and 15 digit blobs of numbers that start with 3, 4, 5, and 6011 as is apprriate for card format. The rules will also block 9 digit blobs to block SSN numbers with out number breaks. Additionally they block the numbers grouped with a space, period, or hyphen/dash between the number groupings (\s|.|-)

Block SSN numbers

New-TransportRule -Name “Social Security Number Block Rule” -SubjectOrBodyMatchesPatterns “\d\d\d(\s|.|-)\d\d(\s|.|-)\d\d\d\d\s”,“\d\d\d\d\d\d\d\d\d\s” -RejectMessageEnhancedStatusCode “5.7.1″ -RejectMessageReasonText “This message has been rejected because of content restrictions”

Block Credit Card numbers

New-TransportRule -Name “Visa_Mastercard_Discover_Block Rule” -SubjectOrBodyMatchesPatterns

“\d\d\d\d(\s|.|-)\d\d\d\d(\s|.|-)\d\d\d\d(\s|.|-)\d\d\d\d”,”4\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\s”,”5\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\s”,”6011\d\d\d\d\d\d\d\d\d\d\d\d(\s” -RejectMessageEnhancedStatusCode “5.7.1″ -RejectMessageReasonText “This message has been rejected because of content restrictions”

Block Amex Numbers

New-TransportRule -Name “Amex_Block Rule” -SubjectOrBodyMatchesPatterns”\d\d\d\d(\s|.|-)\d\d\d\d\d\d(\s|.|-)\d\d\d\d\d”,”3\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\s” -RejectMessageEnhancedStatusCode “5.7.1″ -RejectMessageReasonText “This message has been rejected because of content restrictions”

Number formatting notes

Social Security number is a 9 digits long. Examples include:

123-23-7788 ” \d\d\d(\s|.|-)\d\d(\s|.|-)\d\d\d\d”
123 23 7788
12323788 “\d\d\d\d\d\d\d\d\d\(\s)”

The Visa card format is 16 digits long and starts with a “4″. Examples include:

4xxx-xxxx-xxxx-xxxx || “\d\d\d\d(\s|.|-)\d\d\d\d(\s|.|-)\d\d\d\d(\s|.|-)\d\d\d\d”
4xxx xxxx xxxx xxxx
4xxxxxxxxxxxxxxx “4\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\s”

The MasterCard format is 16 digits long and starts with a “5″. Examples include:

5xxx-xxxx-xxxx-xxxx || “\d\d\d\d(\s|.|-)\d\d\d\d(\s|.|-)\d\d\d\d(\s|.|-)\d\d\d\d”
5xxx xxxx xxxx xxxx
5xxxxxxxxxxxxxxx “5\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\s”

The Discover card format is 16 digits long and starts with “6011″. Examples include:

6011-xxxx-xxxx-xxxx || “\d\d\d\d(\s|.|-)\d\d\d\d\d\d(\s|.|-)\d\d\d\d\d”
6011 xxxx xxxx xxxx
6011xxxxxxxxxxxx “6011\d\d\d\d\d\d\d\d\d\d\d\d(\s”

The American Express card format is 15 digits long and starts with a “3″. Examples include:

3xxx-xxxxxx-xxxxx || “\d\d\d\d(\s|.|-)\d\d\d\d\d\d(\s|.|-)\d\d\d\d\d”
3xxx xxxxxx xxxxx
3xxxxxxxxxxxxxx “3\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\s”

See the following link for a transport rule regular expression reference — http://technet.microsoft.com/en-us/library/aa997187.aspx

Database Spare Tire

No Comments » Written on February 8th, 2011 by Kevin Miller
Categories: Exchange

We check our tires for defects and proper air pressure on a regular basis, yet we all still carry around a spare tire just in case. We monitor our Exchange environments for database and volume size diligently, yet we don’t have a spare tire. With a car you call AAA or a friend if you get a flat. If your Exchange database volume fills up who are you going to call to get going quickly? If you’re running on SAN or NAS you could get in touch with the SAN team and ask to have a volume expanded, but that is not always a fast solution

We have an idea for an Exchange Database, a spare tire of sorts, the idea is as follows:

Create a 5GB empty file on every Exchange database volume you can delete in case the database grows too large, fills up the volume, and dismounts. You can then quickly delete the file and remount the databases while we work out the size issue. We don’t have to ask the SAN team for more size. We are back up and running super fast

Creating the 5GB spare tire file for your Exchange database is a simple task. It can be done with one line command using a built in Windows command. Run the following command to create your own 5GB spare tire files on your DB volumes

fsutil.exe file createnew c:\Spare.Tire 536870912

And that boys and girls is a quick way to build an inexpensive spare tire to use in case your databases get too big.

KEMP Load Balancers for Exchange 2010

No Comments » Written on January 21st, 2011 by Jeremy Phillips
Categories: Exchange, News
Tags: Exchange, KEMP Technologies

I was recently informed that KEMP Load Balancers (Specifically LM-2200/2500/2600/3500/3600/5500 hardware load balancers & their LoadMaster VLM software load balancer) have passed the qualification program for Exchange 2010. In Microsoft’s own words:

The qualification program for load balancers ensures that customers have seamless experiences with setup, support, and use of qualified load balancers with Microsoft’s Exchange Server 2010. Only products that meet Exchange Server 2010 requirements will be listed.

We’re both a reseller partner of KEMP and use an LM-2200 ourselves, so I’m happy to see they are now a qualified solution for Exchange 2010. You can visit the Microsoft Exchange 2010 Load Balancer Deployment page here for a full list of approved load balancers.

Windows Phone 7 SSL

1 Comment » Written on January 21st, 2011 by Kevin Miller
Categories: Exchange, Mobility, Security
Tags: Exchange, Security, Windows Phone 7

I have an HTC surround Windows Phone 7 phone I use as my daily driver. I’m a hug fan of my WP7 phone. I’m able to sync mine with 6 ActiveSync accounts; huge for me since I have accounts on so many Exchange servers. One of the first things you do when you start working at a new company as an email consultant is to setup email on your phone, Right? I had a hell of time making my phone sync with the Exchange server here.

After about an hour of messing around my phone I was able to make it work. Below is a run down of my issue and how I fixed it.

Error || The error on the phone was “there is an error with the certificate for the mail.cohesivelogic.net” Error code 80072F0d“

Solving the issue

Below is an outline of steps I took to work out the issue

First I used Outlook on my computer to test AutoDiscover ( Hold down CTRL + rRght click the Outlook Icon on the system tray near the time and select Test AutoDiscover ) – I did this because we have .com email addresses and a .net email server and I wanted to be sure everything was correct
After messing with the server settings a bit ( swaping .com and .net ) I got the CERT error
Logged into OWA to check the certificate and make sure it had all of the needed SAN names on it – it did
So I sat there scratching my head for a bit – then it came to me “ Maybe, Windows Phone 7 does not trust startSSL” – I looked it up http://msdn.microsoft.com/en-us/library/gg521150(VS.92).aspx, and my grabthars hammer startSSL / StartCOM was not listed
Now I had 2 issues, how to install a Cert on WP7 and where to find the root CA so I could download it to install it.
I found the root CA here – http://www.startssl.com/certs/ – Hint you need the CA.CER file to add the root to the phone.
To get the CERT on my phone I downloaded the file to my desktop, Emailed it a working Outlook account on my phone. Then clicked the file on my phone and it allowed me to install the cert. The phone is smart enough to know the file type and know what to do with it.
After installing the trusted root CA my none working ActiveSync account started working YEAH! more email to read while driving, I mean more email to read on my phone…..

Moral of the story – WP7 only supports a limited number of certs out of the box. It’s pretty simple to add a new cert and be off and moving if you run into a cert issue.

Exchange 2010 & Single Name SSL Certificates

5 comments Written on January 4th, 2011 by Jeremy Phillips
Categories: Exchange
Tags: Certificates, Exchange

I was talking with a colleague today who was getting ready to upgrade his small Exchange environment from Exchange 2007 to Exchange 2010 and the subject of certificates came up; mainly, the cost of a SAN (Subject Alternative Name) certificate. For smaller environments many organizations either don’t want or can’t afford to spend hundreds of dollars on a SAN certificate. There is, however, a way to roll out Exchange 2010 with a single name SSL certificate as long as a few pre-requisites are met.

Notes:

First and foremost, this is likely not a Microsoft supported configuration. While we’ve rolled it out in small environments with success, it may not be the best fit for you.

This has only been tested with all roles collocated on a single server. We haven’t tested it in highly available environments because it likely won’t work.

For this example, domain.com is the domain name, mail.domain.com is the URL we’re setting all services to and EXCHANGE is the NetBIOS name of the Exchange server.

To give credit where it’s due: I was not the first to think of doing this but instead used Simon Butler’s excellent article on Exchange 2007 with a Single Name SSL Certificate when working with 2007. It was then a logical leap to try applying a similar configuration to Exchange 2010.

Pre-Requisites

1.) An external DNS provider that supports SRV records. You’ll need to insert an SRV record of _autodiscover._tcp.domain.com in DNS for this to work. We use Zerigo for this ourselves and highly recommend them.

2.) Outlook 2007 with the update rollup released June 27, 2007 (Discussed in this Microsoft KB article) to provide support for Exchange Autodiscover via SRV lookup.

3.) Split-horizon DNS to allow mail.domain.com to resolve to different IPs internally and externally. This requires a working knowledge of DNS.

4.) An SSL certificate for mail.domain.com. While you can use any commercial provider you’d like for this, StartSSL provides free single name SSL certificates.

The Steps

1.) Point external DNS for mail.domain.com to the external IP address of the Exchange server.

2.) Create the SRV record _autodiscover._tcp.domain.com with content of mail.domain.com on port 443. Your DNS provider might also have you enter it like this:

Service: _autodiscover

Protocol: _tcp

Port Number: 443

Host: mail.domain.com

3.) Point internal DNS for mail.domain.com to the internal IP address of the Exchange server.

Note:

These examples can be copied and pasted into the text editor of your choice. Then simply replace mail.domain.com with the correct FQDN of your Exchange server and paste the correct command into a PowerShell session on your Exchange 2010 server.

4.) Set the Internal URLs.

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory –InternalUrl “https://mail.domain.com/Autodiscover/Autodiscover.xml”

Get-ClientAccessServer | Set-ClientAccessServer –AutodiscoverServiceInternalUri “https://mail.domain.com/Autodiscover/Autodiscover.xml”

Get-WebservicesVirtualDirectory | Set-WebservicesVirtualDirectory –InternalUrl “https://mail.domain.com/Ews/Exchange.asmx”

Get-OabVirtualDirectory | Set-OabVirtualDirectory –InternalUrl “https://mail.domain.com/Oab”

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory –InternalUrl “https://mail.domain.com/Owa”

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory –InternalUrl “https://mail.domain.com/Ecp”

Get-ActiveSyncVirtualDirectory -Server $CASserver | Set-ActiveSyncVirtualDirectory -InternalUrl “https://mail.domain.com/Microsoft-Server-ActiveSync”

5.) Set the External URLs.

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory –ExternalUrl “https://mail.domain.com/Autodiscover/Autodiscover.xml”

Get-webservicesVirtualDirectory | Set-webservicesVirtualDirectory –ExternalUrl “https://mail.domain.com/Ews/Exchange.asmx”

Get-OabVirtualDirectory | Set-OabVirtualDirectory –ExternalUrl “https://mail.domain.com/Oab”

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory –ExternalUrl “https://mail.domain.com/Owa”

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory –ExternalUrl “https://mail.domain.com/Ecp”

Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl “https://mail.domain.com/Microsoft-Server-ActiveSync”

6.) Verify they’re all set correctly.

Get-AutodiscoverVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Get-webservicesVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Get-OabVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Get-OwaVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Get-EcpVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Get-ActiveSyncVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Expected output of the above commands is something like this:

[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Identity InternalUrl ExternalUrl

——– ———– ———–

EXCHANGE\Autodiscover (Default Web Site) https://mail.domain.com/autod… https://mail.domain.com/autod…

[PS] C:\Windows\system32>Get-webservicesVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Identity InternalUrl ExternalUrl

——– ———– ———–

EXCHANGE\EWS (Default Web Site) https://mail.domain.com/ews/e… https://mail.domain.com/ews/e…

[PS] C:\Windows\system32>Get-OabVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Identity InternalUrl ExternalUrl

——– ———– ———–

EXCHANGE\OAB (Default Web Site) http://mail.domain.com/OAB https://mail.domain.com/OAB

[PS] C:\Windows\system32>Get-OwaVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Identity InternalUrl ExternalUrl

——– ———– ———–

EXCHANGE\owa (Default Web Site) https://mail.domain.com/owa https://mail.domain.com/owa

[PS] C:\Windows\system32>Get-EcpVirtualDirectory | ft Identity,InternalURL,ExternalUrl

Identity InternalUrl ExternalUrl

——– ———– ———–

EXCHANGE\ecp (Default Web Site) https://mail.domain.com/ecp https://mail.domain.com/ecp

7.) You can verify everything is working by using the Exchange Remote Connectivity Analyzer located at https://www.testexchangeconnectivity.com

8.) Don’t forget to monitor your new Exchange server!

Automatically Fixing FailedAndSuspended Exchange 2010 Databases with PowerShell

No Comments » Written on August 18th, 2010 by Jeremy Phillips
Categories: Exchange, PowerShell
Tags: Exchange, PowerShell, Script

Another quick script, this one finds all databases located on Exchange 2010 servers with a status of ‘FailedAndSuspended’ and then reseeds them. Since this scripts makes changes to the systems, instead of just reading information, all activities are logged via PowerShell’s transcript feature. You’ll need to change the path in the 5th line of the script to reflect an actual location on your system.

Note that there are other options besides a reseed, this just makes the most sense the majority of the time.


add-pssnapin *0* -ErrorAction SilentlyContinue
$startstring="Start script run at:  "
$startendtime=date
$startannounce=$startstring+$startendtime
Start-Transcript -Append -Force -Path 'C:\<path>\DBHealthFix.log'
$startannounce
#gets list of mailboxservers, locates 2010 servers, gets db copy status, finds copies that are failed, updates failed copies
$mailboxservers = get-mailboxserver | get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}
foreach ($mailboxserver in $mailboxservers){
get-mailboxdatabasecopystatus -Server $mailboxserver.name | ?{$_.Status -like 'FailedAndSuspended'} | update-mailboxdatabasecopy -deleteexistingfiles -confirm:$false
}
stop-transcript

Here are some screenshots of what happens along the way:

The script shown in the first and last screenshot is available here.

Checking Exchange 2010 Database Health with PowerShell

1 Comment » Written on August 18th, 2010 by Jeremy Phillips
Categories: Exchange, PowerShell
Tags: Exchange, PowerShell, Script

Just a quick script that checks your database health. Anything besides ‘Healthy’ or ‘Mounted’ should probably be investigated.
Add-PSSnapin *0* -ErrorAction SilentlyContinue $mailboxservers = get-mailboxserver | get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'} $A = (get-host).UI.RawUI $A.WindowTitle = "Database Health Check" $B = $A.windowsize $B.width = 110 $B.height = 30 $A.WindowSize = $B while ($true) {cls; foreach ($mailboxserver in $mailboxservers){Get-MailboxDatabaseCopyStatus -Server $mailboxserver.name | ft -AutoSize Name,*Status,ContentIndexState,CopyQueueLength,ReplayQueueLength} ;sleep 5}

This it the output, refreshed every 5 seconds:

An example of when databases are actually doing something:

« Older Entries