Just a quick script that checks your database health. Anything besides ‘Healthy’ or ‘Mounted’ should probably be investigated.

Add-PSSnapin *0* -ErrorAction SilentlyContinue
$mailboxservers = get-mailboxserver | get-exchangeserver | ?{$_.IsE14OrLater -eq 'True'}
$A = (get-host).UI.RawUI
$A.WindowTitle = "Database Health Check"
$B = $A.windowsize
$B.width = 110
$B.height = 30
$A.WindowSize = $B
while ($true) {cls; foreach ($mailboxserver in $mailboxservers){Get-MailboxDatabaseCopyStatus -Server $mailboxserver.name | ft -AutoSize Name,*Status,ContentIndexState,CopyQueueLength,ReplayQueueLength} ;sleep 5}


This it the output, refreshed every 5 seconds:

An example of when databases are actually doing something:

What do you do to get reliable service? Do you hire the best IT people on the market? Do you spend millions of dollars on the cutting edge hardware running the most cutting edge software?

Honestly, if you’re like most people, you will have a “good enough” system in place. This doesn’t mean that you have a solution that is held together with duct tape and chewing gum, but it does mean that there could always be an improvement somewhere in there. If you want to improve things like e-mail, collaboration or communication, Microsoft actually has quite a nice offering available!

What is BPOS?

BPOS stands for Business Productivity Online Suite and consists of a set of tools that allow a business to move some high maintenance services off-premise to be hosted in the “cloud.” What this means to the customer it that they have an option to have certain Microsoft products hosted by Microsoft and then they can consume that software as a service. This concept of “Software as a Service” is a really big deal at Microsoft right now, and it’s all over the business world. Virtualizing what used to be a desktop application and consuming it as a web page is the new way to enable workers to be productive on almost any hardware, almost anywhere.

What Software as a Service can I get?

The major components of the BPOS offerings are the normal server-based platform products that Microsoft offers for business productivity:

• Exchange Online – You get to have your e-mail hosted on an Exchange 2007 cluster with full accessibility via Outlook Anywhere, Outlook Web Access and ActiveSync. Right now each user starts off with a default of 5GB of mailbox storage space, but that may increase in the near future (you can increase it to 25GB right now, but 5 is the default).
• SharePoint Online – Using SharePoint, you get to take advantage of the rich collaboration tools such as document, calendar and task sharing; user based permissions; and workflow content management features.
• Office Live Meeting – Each user will have the ability to install the LiveMeeting client and create and participate in LiveMeeting events.
• Office Communications Online – One of my favorite features of the BPOS offering is that each company gets to use Microsoft Office Communications Server. With this product you have fully integrated IM and presence capabilities without having to install and configure a pretty complex product.
• Grab-bag of features from Forefront Online Protection for Exchange – With this added bonus, you get virus and spam filtering using Microsoft’s Forefront products.

In addition to those things, there are options that you can purchase to increase what you get out of the service from Archiving and Encryption of e-mail to Desktop Management using System Center Online Desktop Manager.

I’m a BIG company, is this offering right for me?

That is one of the beauties of the offerings provided by Microsoft Online Services! The service that I have been describing is aimed at smaller business (below 3000 seats). For our larger customers, there is another offering called BPOS-D with the “D” standing for Dedicated. This means that instead of being hosted in a multi-tenant environment, a specific set of servers will be set aside, just for you.

I’ll be posting more information about how the service works and some of the issues that companies have had to deal with in more posts in a whole BPOS series. Tune in for more!

To learn more about Microsoft Business Productivity Online Suite (BPOS), contact us and signup for a free 30 day BPOS trial here.

So, I was clicking around in some Exchange 2010 documentation and I ran across the Exchange 2010 Deployment Assistant. I was totally floored! I knew that it was out there, but after poking around in it, it actually looks like a tool that I would recommend to people! It covers various deployment scenarios and even if they don’t cover EVERYTHING, it’s a good way for an IT Pro to get up to speed on the steps necessary for deploying Exchange 2010. The scenarios that are covered are:

• Upgrade from Exchange 2003
• Upgrade from Exchange 2007
• Upgrade from Exchange 2003 & 2007 (Mixed environment)
• New installation of Exchange 2010

Features like a “Start over” button and a fairly simplistic scheme allow for the reader to really focus on the actual steps. The one thing that I want to point out is that they break down the installation of the Exchange 2010 roles and what you need to do for each role once it’s installed. It looks like the basic assumption is that every role is on a separate machine, to help divide the required steps. Installing each of the roles separately is NOT required, but it is helpful to know what each role actually required.

I’ve been looking around for some good ways to flesh out an Exchange lab to test some migration scenarios. I’ve gotten a lot of good advice from people on good ways to do this, but I really wanted something simple and elegant. Here’s what I settled on:

The Concept

Ed Crowley, MVP and all-around good guy (I suspect, since I’ve never actually met the guy), suggested that I just simply use a script to build a bunch of RFC-822 formatted files with the *.eml extension and then dump them in the Transport folder. This will cause Exchange 2007 to look at them and deliver them to the mailbox that they need to go to. I remember using some hackery like this back when I was manually looking at spam on an Exchange 2003 box. I would gather up all the false positives and resubmit them to the dumpster for delivery. The real benefit of this method is that I can use PowerShell to generate those files a LOT more quickly than I can figure out a script to generate the actual SMTP submission.

The Script

Once I did the research on what the RFC-822 format actually requires, here’s the PowerShell script I wrote to generate mail messages for the three test mailboxes:

<#

This is a script to generat a bunch of *.eml files and dump them in the transport directory of Exchange

Tim Robichaux

1/14/2010

}


The Outcome

It looks like the server that I’m populating is a VM, so I’ve totally swamped the transport service as it’s taking quite a while to deliver the messages. Another interesting thing is that it looks like it’s delivering them based on the order of the GUID, rather than the timestamp, so they’re showing up in all sorts of odd order.

I have to label this project as a success so far. I wanted to be able to generate some content quickly and I have to say that the hour I’ve spent getting this straight was worth it, balanced on the time it would have taken to populate messages by hand.

Lessons Learned and Future Revisions

There are a couple of really important things I learned from this. First off, the cmdlet “out-file” defaults to the system default. This means that if you are using it for generating some raw text, you have to explicitly set “ASCII” or whatever you need. I’ve run into this gottcha before, but it’s no less frustrating. Another thing that I learned from this is that older versions of PowerShell don’t always like comments and things like that. It’s often quite confusing about what you can do on a given system with the version of PowerShell that’s installed.

In future revisions, I want to build this into a user account generation script so that at the time of generation, I create the user, generate the mailbox and then populate it. Another thing that I would like to do is set up an array or pool of “From” addresses to give a little bit variety. Also a nice feature would be to add a “-FromFile” switch that would allow me to populate a bunch of the variables from a config file.

I just had a conversation about how many nodes can fail in a three node DAG and since there was a misconception present I figured I should point out a section of the “Planning For High Availability and Site Resilience” article on TechNet.

From “Witness Server Requirements”
DAGs with an odd number of members do not use a witness server. All DAGs with an even number of members will use a witness server. The witness server can be any computer running Windows Server.

What does this mean? You need to have node majority within the DAG; if you have a three server DAG and two fail you only have one left and therefore don’t have majority. If you want to sustain two failures in a DAG then you need to design your DAG with four nodes and use a witness server.

When you add/remove a server from the DAG (note that a node failing does not count) the addition or removal of a witness server happens automatically. You can either specify a directory (The witness server cannot be a member of the DAG) or by automatically selecting a 2010 Hub Transport server in the site that does not have the Mailbox role installed.

Questions are welcome in the comments, a link to the TechNet article is below.

Planning for High Availability and Site Resilience: Exchange 2010 Help

Recently one of my customers moved their office location and in the process moved their Internet connectivity to a T-1. Their provider, Qwest Communications, assigned them a /27 subnet to go along with it and offered to delegate reverse DNS to them. Sounds great, right? Well, there is a problem here; my customer is a Microsoft shop using Windows 2008 for all their public DNS and Windows 2008 DNS does not gracefully handle reverse DNS for classless subnets. This resulted in my customer lacking reverse DNS for their Exchange environment; Since a number of hosts will not accept inbound mail from an IP without reverse DNS this was causing some issues with mail delivery and very much affecting their business.

I eventually tracked down the source of the problem to the method used by Qwest, delegating out a small portion of the classful zone to my customer’s name servers and entering CNAMEs for all the individual IPs. This is not an uncommon solution and when using anything but Windows DNS it is quite easy to accommodate.

Let me lay out the basic scenario I encountered first and then I’ll tell you how to solve this problem.

Note: All IPs and domain names have been changed to protect the innocent.

Public IPs assigned to my customer: 192.168.0.192 – 192.168.0.223

Name servers my customer uses: ns1.customer.com & ns2.customer.com

Public IP that my customer’s Exchange environment uses for outbound mail: 192.168.0.194

What was happening here was that when Qwest delegated rDNS for 192.168.0.194, they told remote servers they should be looking for 194.192-223.0.168.192.in-addr.arpa. The initial and obvious solution is to simply create a reverse DNS zone in Windows DNS for 192-223.0.168.192.in-addr.arpa and create PTR records, right? Not so fast there… You can create the reverse zone easily but you can’t create PTR records in the correct format unfortunately.

Hence the quite simple solution: dnscmd

After you’ve created the zone, simply launch an elevated command prompt (Start -> Right Click on Command Prompt -> Run As Administrator) and use the following syntax to add PTR records manually.

dnscmd <dns server> /recordadd <full zone name – 192-223.0.168.192.in-addr.arpa as an example> <last octet of IP – e.g. 194 for 192.168.0.194> 10 PTR <appropriate fqdn>

So in my customer’s case I used the below command to create a PTR entry for mail.customer.com located at 192.168.0.194:

dnscmd custns1 /recordadd 192-223.0.168.192.in-addr.arpa 194 10 PTR mail.customer.com.

You should then be good to go!

What is Sender Policy Framework?

Sender Policy Framework (SPF) is an attempt to control forged e-mail. SPF is not directly about stopping spam – junk email. It is about giving domain owners a way to say which mail sources are legitimate for their domain and which ones aren’t. While not all spam is forged, virtually all forgeries are spam. SPF is not anti-spam in the same way that flour is not food: it is part of the solution.

SPF was created in 2003 to help close loopholes in email delivery systems that allow spammers to “spoof” or steal your email address to send hundreds, thousands or even millions of emails illicitly.

SPF is a protocol developed by a group of motivated volunteers, joined by a mutual desire to improve the operation of the internet. It is not a commercial product offered by a for-profit corporation. The SPF protocol is being adopted by a growing number of domain hosts and Internet Service Providers (ISPs), and, as in any technology evolution, there will be some bumps on the road, but Azaleos is here to help along the way.

What does SPF actually do?

Suppose a spammer forges your e-mail address (you@yourorganization.com ) and tries to spam hundreds of thousands of addresses from somewhere other than your mail server. Without SPF in place you are sure to get hundreds if not thousands of Non-Delivery Reports (NDRs) delivered to your mailbox as SMTP lacks any built-in authentication mechanism and it’s easy to pretend to be someone you’re not.

When SPF is in place and operational, the spammer’s message is still sent  from your e-mail address, but remote mail servers now have a way to verify whether or not the spammer’s e-mail server is allowed to send e-mail from your e-mail address.

If your organization says they recognize the sending IP addresses, it passes, and you can assume the sender is who they say they are. If the message fails SPF tests, it’s a forgery and the message is silently dropped without an NDR being generated.

How do I implement SPF for my domain?

First, if you have an existing SPF record (or if you don’t know if you have an existing SPF record), go to the SPF validation wizard located at http://www.kitterman.com/spf/validate.html and enter the domain name part of your e-mail address (everything to the right of the @ symbol) into the topmost box and click on “Get SPF Record (if any)“. That will tell you if your domain already has an SPF record and if its syntax is correct.

If you don’t have an SPF record or you want to work on changing yours, great! The wizard located at http://old.openspf.org/wizard.html is the place to go. It will help you develop the SPF record properly.

Once you have a draft SPF record from the wizard located at http://old.openspf.org/wizard.html you will want to review it and see if what you ended up with makes sense. Take a look at the SPF record syntax located at http://www.openspf.org/SPF_Record_Syntax to get a better understanding of what your record means. Go back to the SPF validation wizard located at http://www.kitterman.com/spf/validate.html and put the domain part of your e-mail address in the domain part of the second test and your draft record in the SPF record part (do not enclose it in quotes, just the record) and then click on “Check SPF Record”. This will tell you if the syntax of your draft record is correct. You can also use the third test in the SPF validation wizard to experiment with different IP addresses your mail might come from with different records and see that you get the results you expect. The first two tests can tell you if the syntax of your record is correct. This is the only one that can tell you if the content of the record is right for your e-mail sending architecture.

Once you have convinced yourself that your record is ready to be published or updated, you publish as a record of type TXT in your domain’s public DNS. How this is done varies considerably from provider to provider. If you don’t know how, you will need to contact your DNS provider. If you don’t know who that is, it is probably the domain registrar that you registered the domain with. If you can’t figure out who it is, we can help you figure it out.

Some text courtesy openspf.org, licensed under Creative Commons CC BY-SA 2.5

We thought you might be interested in a new guide from MessageLabs ‘Choosing a Solution to Email Threats: Software, Appliance or Managed Service?’

With so many options available, it’s important for businesses to understand the differences. With an honest look at the appliance, software and SaaS-based approaches, this free guide will help you choose the best email security solution for your business.

Click here to download your FREE guide.

Good security isn’t just good practice, its good business. This is why Cohesive Logic has joined forces with MessageLabs to provide industry-leading protection with email spam and virus filtering services.

For more information about MessageLabs spam and virus filtering services in general, please see our Message Hygiene Services page. If you have any additional questions or would like to start a free trial please don’t hesitate to contact us.

Microsoft has released a beta preview of Jetstress that has been updated to take into the new Exchange 2010 mailbox IO profile. Read more at You Had Me At EHLO… and download via Microsoft Exchange Server Jetstress 2010 Beta (64-Bit)