Showing posts with label Exchange 2010.

Tuesday, December 9, 2014

New Exchange patches

UPDATE:
The Exchange 2010 Rollup 8 has a bug in it, so Microsoft removed the download link and will replace this rollup. If you happened to be fast and already installed KB2986475, Microsoft recommends uninstalling it and waiting for the updated rollup.
Exchange Server 2013 Cumulative Update 7 (CU7) is released.
A version 2 of Exchange 2010 SP3 UR8 is now released, download here.
 
Exchange 2013 Cumulative Update 7.
Download link and KB2986485
Exchange Server 2010 Service Pack 3, Update Rollup 8.
Download link and KB2986475
Exchange Server 2007 Service Pack 3, Update Rollup 15.
Download link and KB2996150
Notice that there are Active Directory schema updates that must be applied before installing Exchange 2013 CU7.

Monday, June 30, 2014

Who and what is using the Exchange Web Service

Exchange Web Services (EWS) has been around since Exchange 2007. You should know that Outlook uses EWS for several functions, primarily calendar-related ones such as Free/Busy queries. There are also several flavors of Mac clients that use EWS as their only API for communicating with Exchange.
Toss the Lync client into the mix and you will also see it communicating with EWS.
To get a complete list of what is using your Exchange servers' EWS you have to look in the IIS logs. Your buddy here is the good old Log Parser, which can be found here: LogParser 2.2 download.
Copy the IIS log files you want to analyze into a folder of your choice. Start a command prompt and run:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" "SELECT cs(User-Agent) AS UserAgent, COUNT(*) AS hits FROM '<path to iis logfiles>\*.log' WHERE cs-uri-stem LIKE '/EWS/Exchange.asmx' AND cs-username IS NOT NULL GROUP BY UserAgent" -I:IISW3C
Output will show the UserAgent and the number of corresponding hits (the cs-username condition keeps only authenticated requests).
You can add "-O:TSV > outputfilename.txt" at the end of the Log Parser command to save the output in a tab-separated text file for easier reading.
You can also run the Log Parser query in Log Parser Studio. You see here that there are a number of different clients using EWS, and they also have different patch levels. UserAgent OC/15 is the Lync 2013 client and OC/4 is the Lync 2010 client.
ExchangeServicesClient is an application built with the EWS Managed API.
You might also find other UserAgents in there such as “Sipe/1.18.2” or “Evolution/3.10.2”.
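The same inventory can be produced without Log Parser. The following is an added example, not code from the original post: it reads the copied IIS W3C log files with PowerShell alone, honours the "#Fields:" header that declares each file's column layout (the layout differs between servers and can change mid-file, which is where fixed-column parsing goes wrong), and counts hits per User-Agent for the EWS URI. The folder path is an assumption.

```powershell
# Added example, not part of the original post: count EWS requests per User-Agent straight
# from the copied IIS W3C log files with PowerShell alone, as an alternative to the Log Parser
# query. A W3C log declares its column layout in "#Fields:" header lines, so the parser reads
# that header instead of assuming column positions.

function Get-EwsUserAgentHits {
    param(
        # Folder holding the copied IIS log files (assumed path; change to suit)
        [Parameter(Mandatory = $true)][string]$LogFolder,
        # Only requests for this URI are counted; EWS is served at /EWS/Exchange.asmx
        [string]$UriStem = '/EWS/Exchange.asmx',
        # Count authenticated requests only, like "cs-username IS NOT NULL" in Log Parser;
        # IIS writes "-" when there is no user name
        [bool]$AuthenticatedOnly = $true
    )

    $hits = @{}
    foreach ($file in Get-ChildItem -Path $LogFolder -Filter '*.log') {
        $uaIdx = $uriIdx = $userIdx = -1
        $reader = New-Object System.IO.StreamReader($file.FullName)
        try {
            while (($line = $reader.ReadLine()) -ne $null) {
                if ($line.StartsWith('#Fields:')) {
                    # e.g. "#Fields: date time s-ip cs-method cs-uri-stem ... cs-username ... cs(User-Agent) ..."
                    $fields  = $line.Substring(8).Trim() -split ' '
                    $uaIdx   = [array]::IndexOf($fields, 'cs(User-Agent)')
                    $uriIdx  = [array]::IndexOf($fields, 'cs-uri-stem')
                    $userIdx = [array]::IndexOf($fields, 'cs-username')
                    continue
                }
                # skip other directives, and any data rows before a usable header
                if ($line.StartsWith('#') -or $uaIdx -lt 0 -or $uriIdx -lt 0) { continue }

                $cols = $line -split ' '
                if ($cols.Count -le $uaIdx -or $cols.Count -le $uriIdx) { continue }   # truncated line
                if ($cols[$uriIdx] -ne $UriStem) { continue }
                if ($AuthenticatedOnly -and
                    ($userIdx -lt 0 -or $cols.Count -le $userIdx -or $cols[$userIdx] -eq '-')) { continue }

                # IIS replaces spaces in the User-Agent with '+'; undo that for readability
                $ua = $cols[$uaIdx] -replace '\+', ' '
                $hits[$ua] = 1 + $hits[$ua]
            }
        }
        finally { $reader.Close() }
    }

    $hits.GetEnumerator() |
        Sort-Object -Property Value -Descending |
        ForEach-Object { New-Object PSObject -Property @{ UserAgent = $_.Key; Hits = $_.Value } }
}

# Usage (assumed folder); pipe to Export-Csv instead of Format-Table to keep the list
Get-EwsUserAgentHits -LogFolder 'C:\Temp\IISLogs' | Format-Table Hits, UserAgent -AutoSize
```

Run it against the same folder you pointed Log Parser at and the two reports should agree; keep the output, because the User-Agent strings it lists are exactly what you need verbatim if you later decide to block or allow specific clients.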
You might want to stop them from accessing EWS. How is this done?
If you have configured your load balancer to do Layer 7 inspection you could probably stop these UserAgents there, but a much easier way is to do this:
Configure some properties on the Organization object.
First have a look at the current and default configuration. We see here that by default everyone is allowed to communicate with EWS.
Get-OrganizationConfig | fl EWS*
EwsAllowEntourage          :
EwsAllowList               :
EwsAllowMacOutlook         :
EwsAllowOutlook            :
EwsApplicationAccessPolicy :
EwsBlockList               :
EwsEnabled                 :

How do you stop certain clients, or only allow some?
Set the EwsApplicationAccessPolicy parameter to either EnforceAllowList or EnforceBlockList and then use EwsBlockList or EwsAllowList, which is an array of the UserAgent strings (case sensitive) of the applications. You must also set the EwsEnabled parameter to $true to get this to work.
So there is actually a way to allow only certain applications to communicate with EWS. Have a look at the Set-OrganizationConfig cmdlet: http://technet.microsoft.com/en-us/library/aa997443(v=exchg.150).aspx
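Putting the two parameters together, here is an added example (not from the original post) that blocks the two stray clients named above, shows the allow-list alternative, and reads the configuration back. The User-Agent strings are the ones from the post; the allow-list entries are placeholders.

```powershell
# Added example, not from the original post: block the two stray clients named above and
# confirm the change. Entries are the exact User-Agent strings from the IIS log; the comparison
# is case sensitive, so copy them verbatim. Exchange Management Shell, Exchange 2010/2013.

# Block list: everyone may use EWS except the listed agents. EwsEnabled must be $true,
# otherwise the policy is not applied.
Set-OrganizationConfig -EwsEnabled $true `
                       -EwsApplicationAccessPolicy EnforceBlockList `
                       -EwsBlockList 'Sipe/1.18.2', 'Evolution/3.10.2'

# Allow-list alternative: only the listed agents may use EWS. This is the stricter model:
# anything missing from the list is cut off, Outlook free/busy and the Lync client included,
# so build the list from the User-Agent report first. The strings below are placeholders.
# Set-OrganizationConfig -EwsEnabled $true `
#                        -EwsApplicationAccessPolicy EnforceAllowList `
#                        -EwsAllowList '<agent string 1>', '<agent string 2>'

# Read the settings back
Get-OrganizationConfig |
    Format-List EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
```

After the change, rerun the Log Parser query with sc-status added to the SELECT and GROUP BY: the blocked agents should keep showing up (they still try) but with error status codes instead of 200, which is your evidence that the policy is in effect rather than merely saved.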

Tuesday, February 25, 2014

Exchange Update Rollups and Service Pack released today

Exchange 2007 Service Pack 3 Update Rollup 13 is now available for download from here. Read the corresponding KB2917522 for the bug fixes, of which there are almost none.

Also Exchange 2010 SP3 UR5 was released and can be downloaded from here. The corresponding KB2917508 contains some interesting bug fixes and new functionality.

 

Exchange 2013 Service Pack 1 is essentially CU4 but is named SP1 instead. It contains some new functionality, such as more DLP features and the big one: support for Windows Server 2012 R2 domain controllers, raising both the Domain Functional Level and the Forest Functional Level to 2012 R2, and installing Exchange 2013 SP1 on Windows Server 2012 R2.

Other new stuff: the Edge server is back. A new protocol for client/server communication is introduced, called MAPI/HTTP. It is very similar to MAPI over RPC tunneled over HTTP (Outlook Anywhere), but in short the communication no longer relies on the RPC layer, which gives some advantages when it comes to authentication and reconnection of clients. It is disabled by default, and you also need Outlook 2013 SP1 to leverage MAPI/HTTP.
If you use TMG or any other reverse proxy that filters on URLs you need to add '/mapi/*' as an allowed URL.

As usual there is the regular schema and AD prep stuff to do before you install the first SP1 server.

Release notes and What's new
Download link and KB2926248 link

Friday, November 29, 2013

Exchange cannot send mail to some domains

Have you encountered that Exchange cannot deliver mail to some destinations on the Internet? This is becoming more and more common. You may ask why this happens in the first place and why it's becoming more common.

The answer lies in how Exchange does DNS queries. Exchange was designed to run on a corporate network where you have full control over how DNS is set up and configured. Basically, Exchange believes that DNS will always respond with a correct answer. But when Exchange sends mail to the Internet, DNS queries and answers might not always be what you expect; this is especially true as more and more organizations start using IPv6.

Using Network Monitor or any other network sniffer while Exchange tries to deliver mail over the Internet, you will see that there is a query for MX records. One problem here is that if the destination domain has IPv6 information in its Internet DNS but has no AAAA records for the hosts specified in its MX records, Exchange will simply not do another query for A records for the MX hosts, and mail will queue on Exchange.
There are variations depending on what information is in the destination DNS zone, how your DNS is configured, whether you have IPv6 yourself, etc., but the behavior is the same: DNS resolution will sometimes fail.

The solution is very simple: configure the send connector used for sending mail to the Internet to use external DNS. That is, do not reconfigure your Windows box to query another name server, but simply use the Exchange configuration:
Set-SendConnector <SendConnectorNameToInternet> -UseExternalDNSServersEnabled $True

You don’t even have to specify a specific name server on your HUB/Edge server, but you can if you like.

This changes the behavior of Exchange DNS queries so that they do not stop when there are no AAAA records even though other IPv6 information is found, but continue with IPv4 DNS queries. Remember that Windows prefers IPv6 over IPv4. This can be verified with a network sniffer.

I have tested this with both HUB and Edge servers and with Exchange 2010 and 2013, and the behavior is the same.

The only reference on TechNet on this matter is this article http://technet.microsoft.com/en-us/library/bb676467(v=exchg.150).aspx that talks about normal and lenient mode, but it doesn't explain the changed behavior when using external DNS or not.

So in short, configure your send connectors sending to the Internet to use an external DNS to make your life easier.
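To see the condition described above before reaching for a network sniffer, here is an added example (not from the original post). The first part resolves a destination's MX hosts and reports, per host, whether AAAA and A records exist, flagging the IPv4-only MX hosts that the post says the default resolver trips over. The second part applies the send connector change and reads it back. Resolve-DnsName is the Windows 8 / Server 2012 and later cmdlet; the connector name and the domain are assumptions.

```powershell
# Added example, not part of the original post. Two parts:
#  1. a DNS probe that shows, for a destination domain, which MX hosts have AAAA and/or A
#     records, i.e. the record mix the post says confuses Exchange's default resolver;
#  2. the Set-SendConnector change itself, followed by a check of what was set.
# Resolve-DnsName ships with Windows 8/Server 2012 and later; the connector name is assumed.

function Test-MxTargets {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        # Optional resolver to query, e.g. the external one your send connector will use
        [string]$Server
    )
    $extra = @{}
    if ($Server) { $extra['Server'] = $Server }

    # The MX answer may carry additional A/AAAA records; keep only the MX entries
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop @extra |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference

    foreach ($record in $mx) {
        $mxHost = $record.NameExchange
        $aaaa = @(Resolve-DnsName -Name $mxHost -Type AAAA -ErrorAction SilentlyContinue @extra |
                  Where-Object { $_.Type -eq 'AAAA' })
        $a    = @(Resolve-DnsName -Name $mxHost -Type A -ErrorAction SilentlyContinue @extra |
                  Where-Object { $_.Type -eq 'A' })
        New-Object PSObject -Property @{
            Domain     = $Domain
            Preference = $record.Preference
            MxHost     = $mxHost
            AAAA       = $aaaa.Count
            A          = $a.Count
            # IPv4-only MX host: the case from the post, where the default resolver may stop
            # after the missing AAAA record instead of falling back to the A record
            IPv4Only   = ($aaaa.Count -eq 0 -and $a.Count -gt 0)
        }
    }
}

# Usage: probe a destination you cannot deliver to (domain is a placeholder)
Test-MxTargets -Domain 'example.com' |
    Format-Table Preference, MxHost, AAAA, A, IPv4Only -AutoSize

# The fix from the post, applied to the Internet send connector (name assumed),
# then read back to confirm
Set-SendConnector -Identity 'Internet Send Connector' -UseExternalDNSServersEnabled $true
Get-SendConnector -Identity 'Internet Send Connector' |
    Format-List Name, UseExternalDNSServersEnabled, SmartHosts, DNSRoutingEnabled
```

If you do want to name the external resolvers rather than rely on the adapter settings, that list lives on the transport server rather than on the connector (Set-TransportServer -ExternalDNSServers on Exchange 2010); pass the same server to Test-MxTargets -Server so the probe sees what the connector will see.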

Tuesday, November 26, 2013

Looking for Exchange 2013 CU3 ?

Look no further than KB2892464. As usual it contains several bug fixes, support for IE11 in OWA, less memory consumption for the search infrastructure, and a bug around backup and restore which you can read more about in KB2888315.
To install CU3 you must deploy schema updates, so talk with your Active Directory team to have them deployed before you run the CU3 setup.
Download is found here

Microsoft also released Exchange 2010 SP3 UR3, which can be found in KB2891587 and downloaded from here

As always, read the KB and notes carefully before deploying.

Happy patching.

Sunday, March 31, 2013

Exchange 2007 and 2010 anti-spam automatic installation

Some organizations use the built-in anti-spam feature in Exchange 2007 and 2010: http://technet.microsoft.com/en-us/library/aa997658(v=exchg.141).aspx

The Content Filter engine uses definitions created by Microsoft, and in an ideal world they are downloaded, approved and installed with the help of Windows Update, but for many reasons this is not always possible.

I created a small VBScript that uses Windows Update to search only for the Exchange standard anti-spam updates and automatically install them, without doing anything with other updates.

The WU_Exchange_AntiSpam.vbs script can easily be scheduled to run with Task Scheduler.

' search and automatically install Exchange Server standard antispam definitions
' Lasse Pettersson, http://anewmessagehasarrived.blogspot.com
'

Set updateSession = CreateObject("Microsoft.Update.Session")
'Update title to search for
updateTitle = "Microsoft Exchange Server Standard Anti-spam Filter Updates"

WScript.Echo vbCRLF & "Searching for: " & updateTitle & "..."
Set updateSearcher = updateSession.CreateUpdateSearcher()

'Search for all software updates, already installed and not installed
Set searchResult = updateSearcher.Search("Type='Software'")
Set updateToInstall = CreateObject("Microsoft.Update.UpdateColl")
updateIsApplicable = False

'Cycle through search results to look for the update title
For i = 0 To searchResult.Updates.Count-1
    Set update = searchResult.Updates.Item(i)
    If Left(UCase(update.Title),Len(updateTitle)) = UCase(updateTitle) Then
        'Update in list of applicable updates
        'Determine If it Is already installed Or Not
        If update.IsInstalled = False Then
            WScript.Echo vbCrlf & "Result: Update applicable, not installed."
            updateIsApplicable = True
            updateToInstall.Add(update)
        Else
            'Update Is installed so notify user And quit:
            WScript.Echo vbCrlf & "Result: Update applicable, already installed."
            updateIsApplicable = True
            WScript.Quit
        End If
    End If
Next

If updateIsApplicable = False Then
    WScript.Echo "Result: Update is not applicable to this machine."
    WScript.Quit
End If

'Download update
Set downloader = updateSession.CreateUpdateDownloader()
downloader.Updates = updateToInstall
WScript.Echo vbCrlf & "Downloading..."
Set downloadResult = downloader.Download()
WScript.Echo "Download Result: " & downloadResult.ResultCode

'Install Update
Set installer = updateSession.CreateUpdateInstaller()
WScript.Echo vbCrlf & "Installing..."
installer.Updates = updateToInstall
Set installationResult = installer.Install()

'Output the result of the installation
WScript.Echo "Installation Result: " & installationResult.ResultCode
WScript.Echo "Reboot Required: " & installationResult.RebootRequired

If you run this script manually, use the cscript engine, because the script writes some text and that looks better than with the wscript engine.

Tuesday, December 11, 2012

Exchange 2010 Service Pack 2 Rollup 5 version 2

Some weeks ago Microsoft released Rollup 5, but it was withdrawn quickly due to some reported issues. Now Microsoft has released version 2.

It contains several bug fixes as expected, KB 2785908, but also contains a fix for the security bulletin MS12-080, which is rated Critical: Microsoft Security Bulletin MS12-080

Download link for Update Rollup 5-v2 for Exchange Server 2010 Service Pack 2 (KB2785908)

Wednesday, November 14, 2012

Exchange 2010 Service Pack 2 Update Rollup 5

It is time again for another rollup for Exchange 2010. This is number 5 for Service Pack 2.

Read the full description here and download it here

Thursday, November 8, 2012

Patching Exchange 2010 servers being member of a Database Availability Group (DAG)

Administrators that come from a non-clustered environment to a clustered one must learn that patching is done differently. Non-clustered servers can often simply be set to use WSUS or any other patching product, which installs patches and then most likely restarts services or reboots the Windows box. With a clustering solution this is not best practice, and behaving this way often breaks something in the process.
The preferred way of patching clustered servers is to move resources off the node you're about to patch and then apply patches. This is a manual process and often takes time. The positive side is that administrators have complete visibility of the process, see if anything doesn't work as expected and can take action on the failed node while the other nodes of the cluster still maintain service to users. This scenario also lets administrators work regular office hours instead of working late at night on patching day or weekends.
Exchange 2010 is delivered with some scripts that help administrators manage all this manually.
In the scripts directory there are 3 scripts: StartDagServerMaintenance.ps1, StopDagServerMaintenance.ps1 and RedistributeActiveDatabases.ps1.
Start on the first node by running StartDagServerMaintenance.ps1 -serverName <node name>
This will move databases from the first node to another node in the DAG and also move the Cluster Group to another node if needed, to maintain quorum and keep the Primary Active Manager online, which is important. It will not just move things off the first node; it will also reconfigure some parameters to stop databases from moving back if a failure occurs on another node during maintenance. The same goes for the "Cluster Group" resource.
Now you can patch and do other maintenance on the first node as needed without it coming online.
For it to come online after maintenance you run StopDagServerMaintenance.ps1 -serverName <node name>
This will remove the configuration that stops databases from moving to the server. So from here on the server is free to host active databases again or to run the Primary Active Manager. The script will not move any databases back to the server; it will just configure the server to be a possible owner of databases.
The next step is to repeat all this for every other node in your DAG. If you have a large DAG it is possible to patch multiple servers at the same time, but be careful to maintain quorum, otherwise things will break.
As a last step, when all servers are back online in a normal state, use the last script, RedistributeActiveDatabases.ps1.
This script has several parameters, but the one you want to use now is -BalanceDbsByActivationPreference.
When run, databases will be moved to the mailbox server with the lowest activation preference set on each individual database, so hopefully it is already set in a way that suits your environment.
All these steps take time and are manual. You should also verify between each step that replication is working and that you don't run a backup at the same time. Replication can be verified with the Get-MailboxDatabaseCopyStatus cmdlet.
What happens if you simply apply patches to a server that is a member of a DAG and reboot it afterwards?
In theory nothing should stop your DAG from serving users. This is also what I experience in real life, as long as you don't reboot multiple servers at the same time and lose quorum, but what sometimes happens is that replication and indexing break, leaving some tasks for admins to clean up later.
Smaller organizations often don't have the time to babysit servers while patching them; they just want to configure patches in WSUS and have them applied automatically during the night without anything bad happening.
To make this work you must first configure the Windows Update client on the servers not to apply patches at the same time. Next, I have created a script that you must schedule to run a little ahead of the time when Windows Update does its work. Let's say you configure Windows Update to apply patches at 1 am; then schedule the script to run 30 to 60 minutes before.
On the next node in your DAG you schedule Windows Update to apply patches at 3 am, so on this server schedule the script to run sometime between 2 and 2.30 am.
The script does about the same thing as the Start/StopDagServerMaintenance scripts but in a slightly different way. It will not configure databases and servers to be blocked from activation. It will check for, and not move, any databases while a backup is running. It will also try to fix some errors such as a content index or replication being in a failed state. Fixing errors should not be needed in a perfect world, but it can happen. The script is just doing some very basic things, and it is up to you to change what you think is a good action in different situations.
The script loops through, looking at database and replication health state. If something is not good it will try to apply an action to it and also try to move databases to another node in your DAG. Between each loop there is a pause for a minute to let replication and other things catch up and come to a steady state.
It will not loop forever, but has a limit of ten times. I figured that if actions could not be performed within 10 tries it is not worth trying anymore; you probably have something worse to handle than a script handling a little glitch in your DAG.
Parameters that you probably need to set to suit your environment are the sleep time on line 120 and the number of loops on line 124; the copy and replay queue lengths on line 110 need to be set to work correctly in your organization.
There are a lot of IFs between line 23 and 110 trying to handle different situations. Look through these and see if they are OK for you.
The script doesn't have any special error handling or output. I figured that if it is scheduled at nighttime there isn't much need for output anyway. Logging can be added for admins to look at later.
Why not schedule the Start/StopDagServerMaintenance scripts? This can of course be a viable solution. The problem here, as I see it, is that they will set servers and databases not to become active automatically, and you want to set everything back to automatic once each server is patched. The problem is that you don't know how long each server takes to patch, so picking the correct schedule could be tricky, and if you only have a small DAG with 2 servers you want them to be available as much of the time as possible. My script also tries to correct some issues before moving databases to another node.
The script is on my SkyDrive
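The post's own script is not reproduced here (it lives on the author's SkyDrive), so the following is an added example written to the description above, not the author's code: for the node about to be patched it skips databases with a backup running, attempts the basic repairs the post mentions (failed copy, failed content index), moves active copies to another DAG member, waits a minute between rounds, and gives up after ten rounds. It uses the Exchange 2010 cmdlets; the server name, sleep time, loop count and queue-length threshold are assumed defaults that you would tune like the post's line 110/120/124 values.

```powershell
# Added example, not the script from the post (that one is on the author's SkyDrive). It mirrors
# the loop the post describes for the node about to be patched: skip databases with a backup
# running, attempt a basic repair of failed copies or content indexes, move active copies to
# another DAG member, pause a minute, and give up after ten rounds. Exchange 2010 cmdlets;
# the server name and the thresholds are assumed defaults.

param(
    [string]$Server       = $env:COMPUTERNAME,
    [int]$MaxLoops        = 10,
    [int]$SleepSeconds    = 60,
    [int]$MaxQueueLength  = 10        # copy/replay queue length still considered healthy
)

for ($loop = 1; $loop -le $MaxLoops; $loop++) {
    $problems = 0

    foreach ($copy in Get-MailboxDatabaseCopyStatus -Server $Server) {
        $db       = $copy.DatabaseName
        $copyName = "$db\$Server"

        # Never touch a database while a backup is running against it
        if ((Get-MailboxDatabase -Identity $db -Status).BackupInProgress) {
            $problems++
            continue
        }

        # Basic repairs, the kind the post mentions: failed content index, failed copy
        if ($copy.ContentIndexState -eq 'Failed') {
            Update-MailboxDatabaseCopy -Identity $copyName -CatalogOnly -Confirm:$false
            $problems++
        }
        if (@('Failed', 'FailedAndSuspended') -contains $copy.Status) {
            Resume-MailboxDatabaseCopy -Identity $copyName -Confirm:$false
            $problems++
        }
        if ($copy.CopyQueueLength -gt $MaxQueueLength -or $copy.ReplayQueueLength -gt $MaxQueueLength) {
            $problems++     # not caught up yet; look again next round
        }

        # Active copy on this node: move it, letting Active Manager choose the target copy
        if ($copy.ActiveCopy) {
            try {
                Move-ActiveMailboxDatabase -Identity $db -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                # e.g. no healthy copy elsewhere yet; retry next round
            }
            $problems++     # re-verify the copy state after the move next round
        }
    }

    if ($problems -eq 0) { break }      # node holds no active databases and all copies are healthy
    Start-Sleep -Seconds $SleepSeconds
}
```

Schedule it ahead of the Windows Update window exactly as the post describes for its own script. Because it never blocks activation, a failover during patching can still land a database back on this node; that is the trade-off the post accepts in exchange for not having to guess how long patching takes.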

Tuesday, August 14, 2012

Patching time for Exchange

It is time again for Update rollups for Exchange.

Exchange 2010 is now on Service Pack 2 Update Rollup 4. Read KB 2706690 for more information about what's inside.
Download link is here

Exchange 2007 is now on Service Pack 3 Update Rollup 8. Read KB 273423 for more information about what's inside.
Download link is here

Happy patching.

Friday, May 25, 2012

Move mailbox to free up space in databases

Admins are from time to time doing mailbox moves. There can be several reasons, but the goal is often to create some white space in mailbox databases.

By moving mailboxes to a different database you would think it creates "holes" in the source database, and that's true until the source server is Exchange 2010 Service Pack 1. With Service Pack 1 the behavior changed to leave the data in the source database until it gets cleaned up when the mailbox retention limit is reached. http://technet.microsoft.com/en-us/library/ff829913.aspx
The reason for the change is that the mailbox data should be easily accessible after a catastrophic failure that happens before a proper backup of the target database exists.

But what if you really want to create some space in the database now?
You could change the mailbox retention time to a low number of days or even zero days. This might not be a suitable solution, and then you have to clean up the leftovers manually.
The article above says that the mailboxes are in a soft-deleted state, so they can be found with this command.

Get-MailboxStatistics -Database <databasename> | where {$_.DisconnectReason -eq "SoftDeleted"}

To clean up, you use the Remove-StoreMailbox cmdlet.

To make it work you do this in two steps. First save the mailboxes you want to delete in a variable.

$mbxs = Get-MailboxStatistics -Database databasename_you_want_to_clean_up | where {$_.DisconnectReason -eq "SoftDeleted"}

and then you delete them

$mbxs | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted -Confirm:$false}

This will trigger a cleanup process in the database, and you can follow it creating white space with this command

Get-MailboxDatabase -Status | Sort-Object name | Format-Table Name, DatabaseSize, AvailableNewMailboxSpace

or for a specific database

Get-MailboxDatabase -Identity databasename -Status | Format-Table Name, DatabaseSize, AvailableNewMailboxSpace

 

Remove-StoreMailbox is the same command used for purging deleted mailboxes.

$mbxs = Get-MailboxStatistics -Database databasename_you_want_to_clean_up | where {$_.DisconnectReason -eq "Disabled"}

and then

$mbxs | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState Disabled -Confirm:$false}

After you have purged disabled or soft-deleted mailboxes you should have created some white space for mailboxes to grow into without growing the EDB file.
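The two-step purge above is irreversible, so here is an added example (not from the original post) that wraps it in a function with a dry run by default: it lists the disconnected mailboxes that match the requested state with their sizes, only purges when -Purge is given, and prints the database size and white space before and after. Exchange 2010 Management Shell; the database name is an assumption.

```powershell
# Added example, not from the original post: purge soft-deleted (or disabled) mailboxes
# from one database with a dry run first, and report white space before and after.
# Runs in the Exchange 2010 Management Shell; the database name is assumed.

function Clear-DisconnectedMailboxes {
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [ValidateSet('SoftDeleted', 'Disabled')][string]$State = 'SoftDeleted',
        # Default is a dry run: list what would be purged without touching the store
        [switch]$Purge
    )

    $before = Get-MailboxDatabase -Identity $Database -Status
    "Before: {0} size {1}, white space {2}" -f $before.Name, $before.DatabaseSize, $before.AvailableNewMailboxSpace

    # Same filter as the post: disconnected mailboxes in the requested state
    $targets = Get-MailboxStatistics -Database $Database |
               Where-Object { $_.DisconnectReason -eq $State }

    foreach ($mbx in $targets) {
        if ($Purge) {
            Remove-StoreMailbox -Database $mbx.Database -Identity $mbx.MailboxGuid `
                                -MailboxState $State -Confirm:$false
            "Purged      {0} ({1}, {2})" -f $mbx.DisplayName, $mbx.MailboxGuid, $mbx.TotalItemSize
        }
        else {
            "Would purge {0} ({1}, {2})" -f $mbx.DisplayName, $mbx.MailboxGuid, $mbx.TotalItemSize
        }
    }
    "{0} mailbox(es) in state {1}" -f @($targets).Count, $State

    if ($Purge) {
        # Store cleanup runs in the background, so white space keeps growing for a while
        $after = Get-MailboxDatabase -Identity $Database -Status
        "After:  {0} size {1}, white space {2}" -f $after.Name, $after.DatabaseSize, $after.AvailableNewMailboxSpace
    }
}

# Dry run first, then the real thing (database name assumed)
Clear-DisconnectedMailboxes -Database 'DB01' -State SoftDeleted
Clear-DisconnectedMailboxes -Database 'DB01' -State SoftDeleted -Purge
```

Keep the dry-run output: once a soft-deleted mailbox is purged the only way back is a restore of the target database, which is exactly the scenario the SP1 behaviour change was meant to cover.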

Happy purging.

Thursday, March 22, 2012

Update Calendar folder permission

Most admins have at one time or another come across the need to change permissions on individual folders in mailboxes.
The most common case I have seen is the calendar folder in resource mailboxes.
This is an easy task but some challenges exist. To start with, you use the *-MailboxFolderPermission cmdlets to set/add/remove permissions.

To read the existing permission on the calendar folder, run.

Get-MailboxFolderPermission -Identity LasseP

And you will see the following output.

FolderName : Top of Information Store
User : Default
AccessRights : {None}
Identity : Default
IsValid : True


FolderName : Top of Information Store
User : Anonymous
AccessRights : {None}
Identity : Anonymous
IsValid : True


You see the usual Anonymous and Default permission entries. Interesting here is that you see the permission for "Top of Information Store", which is the root folder in the mailbox.


To get permissions for a specific folder you have to specify it as part of the identity, and here we must know the exact folder name. This gives us some interesting challenges in a multilanguage organization because the calendar folder can have different names.
So if I specify the calendar folder name in Swedish

Get-MailboxFolderPermission -Identity LasseP:\Kalender

I get an error because the folder name is not "Kalender", but when specifying the English name I get what I want.

Get-MailboxFolderPermission -Identity LasseP:\Calendar

FolderName : Calendar
User : Default
AccessRights : {AvailabilityOnly}
Identity : Default
IsValid : True


FolderName : Calendar
User : Anonymous
AccessRights : {None}
Identity : Anonymous
IsValid : True


The folder name must also be correct when using Set/Add-MailboxFolderPermission.
So how do we know the calendar folder name for a mailbox?
Here is a neat trick we can use to get the name with the Get-MailboxFolderStatistics cmdlet.

(Get-MailboxFolderStatistics -Identity LasseP -FolderScope Calendar | Select-Object -First 1).Name

The output will be a text string with the calendar folder name; in our example it is "Calendar".
Selecting only the first object is needed because users can have more than a single calendar folder, and we want only the default calendar folder in the mailbox, which is returned first.
The next step is to update the ACL with the new permission, and here we have one more challenge. We need to figure out if we want to add a permission or change an existing one. The reason for this is that we have two cmdlets to use, Add-MailboxFolderPermission and Set-MailboxFolderPermission, and each one of them will give an error if used in the wrong context.

To add a new user (or a group) to the ACL, run.

Add-MailboxFolderPermission -Identity LasseP:\Calendar -User Eva -AccessRights Reviewer

This will grant user Eva the reviewer permission on LasseP’s calendar folder.
Running the same cmdlet again will give you an error with “Add-MailboxFolderPermission : An existing permission entry was found for user: Eva”.

To change the permission you must use Set-MailboxFolderPermission

Set-MailboxFolderPermission -Identity LasseP:\Calendar -User Eva -AccessRights Owner

The reverse is also true: if you run Set-MailboxFolderPermission and the user being granted permission is not in the ACL, you will get an error saying "Set-MailboxFolderPermission : There is no existing permission entry found for user: Axel".
So before we can update the folder permission we must know if the user/group is already a member of the ACL. This is accomplished by using Get-MailboxFolderPermission, which we already tried earlier.
To make things easier without issuing multiple commands I created a script.

Update-CalendarFolderPermission.ps1
########################################
# Update-CalendarPermission.ps1 -Identity <mailbox> -User <xxx> -Permission <permission>

param
(
    [Parameter(Mandatory = $true, HelpMessage="Enter a mailbox where you apply permission to")]
    [ValidateNotNullOrEmpty()]
    [string]$Identity ,

    [Parameter(Mandatory = $true, HelpMessage="Enter a user/group who will be granted the permission  syntax domain\xxx might be needed")]
    [ValidateNotNullOrEmpty()]
    [string]$User = "",
    
    [parameter(Mandatory = $true, HelpMessage="Enter a valid permission set")]
    [ValidateSet("ReadItems","CreateItems","EditOwnedItems","DeleteOwnedItems","EditAllItems","DeleteAllItems","CreateSubfolders","FolderOwner","FolderContact","FolderVisible","None","Owner","PublishingEditor","Editor","PublishingAuthor","Author","NonEditingAuthor","Reviewer","Contributor","AvailabilityOnly","LimitedDetails","Remove")]
    [string]$Permission = ""
)

#Add Exchange 2010 Management Shell if needed
if (! (Get-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction:SilentlyContinue) )    {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction:Stop
}

$MBX = Get-Mailbox $identity

$CalendarName = (Get-MailboxFolderStatistics -Identity $MBX.alias -FolderScope Calendar | Select-Object -First 1).Name
$folderID = $MBX.alias + ':\' + $CalendarName

if ($Permission -eq 'remove') {
    # special case, remove permission from user
    Remove-MailboxFolderPermission -Identity $folderID -User $User -Confirm:$False
}
else {
    $i = @(Get-MailboxFolderPermission -Identity $folderID -User $User -ErrorAction SilentlyContinue).count
    if ($i -eq 0) {
        # not in ACL, add permission
        Add-MailboxFolderPermission -Identity $folderID -User $User -AccessRights $Permission > $Null
    }
    else {
        # user is already in ACL, change permission
        Set-MailboxFolderPermission -Identity $folderID -User $User -AccessRights $Permission
    }

    # display new permission for $user
    Get-MailboxFolderPermission -Identity $folderID -User $User
}
The script isn't that hard to follow. There are some required input parameters; when these are handled, the script continues by figuring out the calendar folder name and then adds or sets the permission depending on whether the user is already on the ACL.

I also built in a special case where you can set the permission to "remove" to remove the user from the ACL on the calendar folder.


An example would be:

Update-Calendarpermission -identity Eva -User Lassep -Permission ReadItems

This will grant Lassep Read permission on Eva's calendar folder.


The script doesn't accept pipelining from other commands, so if you want to update permissions on multiple mailboxes you need to do it with two lines of code instead.


$mbx = Get-Mailbox conf*
foreach($mb in $mbx) { .\update-calendarpermission.ps1 -Identity $mb.Alias -User Lassep -Permission ReadItems}




The first line saves the mailboxes you want to change permissions on into the $mbx variable.

The second line calls the Update-CalendarPermission script once for each mailbox in the $mbx variable.

The two-line script will grant LasseP Read permission on all 'conf*' mailboxes.


Now, go and play with this in a lab before running it on every mailbox in your production environment.

Sunday, February 12, 2012

Using SuspendWhenReady

I recently did a migration from Exchange 2007 to Exchange 2010. We staged every mailbox move using the SuspendWhenReady parameter on New-MoveRequest to ensure that when we finally resumed the paused mailbox moves everything would go as fast as possible.

Everything went OK; mailboxes started to move and when they reached 95% they suspended themselves. We did this for all approx. 5000 mailboxes and after a few days everything had been synchronized.

When the time for migration came we started off by resuming about 100 mailboxes to see how the system responded. Whoa, did we get a surprise: everything on the old Exchange 2007 server came to an almost complete freeze; it was almost unusable. We had some concerns about the old server since it was overloaded even before we started moving mailboxes, but we never thought it would be this bad.

After some hours of investigation and troubleshooting we discovered that when we kicked off several hundred suspended mailbox moves the old server froze, but when we did 5 to 10 at a time everything worked as it should and with reasonable speed.

We didn't want to spend 24 hours manually resuming 10 suspended mailbox moves every minute, so I created a short EMS script that did it for us.

While ($True)
{
    Get-Date
    $nr = (Get-MoveRequest -ResultSize unlimited -MoveStatus InProgress).Count
    "moverequests " + $nr
    if ($nr -lt 2)
    {
        Get-MoveRequest -MoveStatus AutoSuspended | Select -First 10 | Resume-MoveRequest
    }
    Sleep 60
    "-"
}


The script runs in an endless loop, printing the date and time to the EMS window, calculating how many ongoing move requests we have, and when it is below 2 we fire off and resume 10 more. Finally a pause for 1 minute and do it all over again.

You might need to tweak this a bit by changing the timeout and the number of move requests to resume. In my case the values in the script worked fine, but if you have an Exchange 2007 server that is not as squeezed then you might be fine with other values.

Monday, December 5, 2011

Microsoft Exchange Server 2010 Service Pack 2 (SP2)

Exchange SP2 has left the building.

It contains some interesting features. The one I like the most is Address Book Policies. With ABPs the administrator can easily configure which users can see which address book(s). This gives many organizations what they want: segmenting the address book for users in a supported way, instead of the really messy solution of ACL'ing different objects in Exchange.

Another feature: the good old OMA is back. It's like OWA but without graphics and probably most used by mobile devices. The official name is 'OWA Mini'.

For those of you who want to configure your on-premises Exchange installation with O365 in a hybrid configuration, there is the new 'Hybrid Configuration Wizard' that helps you set up the configuration a lot more easily than the myriad of manual steps needed before.

Pre-requirement info http://technet.microsoft.com/en-us/library/bb691354.aspx

Release notes http://go.microsoft.com/fwlink/?LinkId=235234

Download link http://www.microsoft.com/download/en/details.aspx?id=28190

Wednesday, August 24, 2011

Exchange Server 2010 Service Pack 1 Update Rollup 5 is released

UR5 for Exchange 2010 SP1 is now released. It contains several bug fixes. Here is the description: Exchange 2010 SP1 UR5 - 2582113.
The problem with PDF attachments from Mac clients should finally be resolved. Also the error message "There are no items to show in this view." in Outlook 2010 is resolved.

Here is the download link

The usual warning for customers running Forefront Security for Exchange: disable Forefront with "fscutility /disable" before applying the rollup, and enable Forefront again afterwards with "fscutility /enable".
How to Apply Exchange Service Packs and Rollups to a Computer that is Running FSE

Wednesday, August 3, 2011

More proxyaddresses scripts

Remember the post about the Remove proxy addresses script? It was developed for Exchange 2007 and did not work for Exchange 2010.
People wrote comments with suggestions (thank you all for that) and I thought I'd publish an updated version that works with Exchange 2010, together with another script that adds SMTP addresses.
# Remove proxy addresses
# change the Get-Mailbox statement below to select only a subset of mailboxes

$DomainToRemove = "*@olddomain.com"

# get mailboxes and iterate through
Get-Mailbox -ResultSize Unlimited | foreach {
    $_.Alias
    # .EmailAddresses returns an array; loop it backwards (last index is Count - 1)
    # so that RemoveAt() does not shift the indexes still to be visited
    for ($i = $_.EmailAddresses.Count - 1; $i -ge 0; $i--)
    {
        $address = $_.EmailAddresses[$i]
        #Write-Host $address
        # removes all SMTP addresses matching $DomainToRemove
        if ($address.SmtpAddress -like $DomainToRemove)
        {
            # never strip the primary (reply) address here; change it deliberately
            # with Set-Mailbox -PrimarySmtpAddress first
            if ($address.IsPrimaryAddress)
            {
                Write-Host ("Skipping primary smtp address: " + $address.AddressString.ToString())
            }
            else
            {
                Write-Host ("Remove smtp address: " + $address.AddressString.ToString())
                # remove address from the array
                $_.EmailAddresses.RemoveAt($i)
            }
        }
    }
    # save changes
    $_ | Set-Mailbox -EmailAddresses $_.EmailAddresses
    Write-Host
}

And the Add proxy addresses script.

# Add proxy addresses
# change the Get-Mailbox statement below to select only a subset of mailboxes

$AddressSearchedFor = "*@domaintocopy.com"
$DomainToAdd = "@newdomain.com"

# get mailboxes and iterate through
Get-Mailbox -ResultSize Unlimited | foreach {
    $mailbox = $_
    $mailbox.Alias
    # lower-cased list of the addresses already present, used to avoid adding duplicates
    $existing = @($mailbox.EmailAddresses | ForEach-Object { $_.ToString().ToLower() })
    $changed = $false
    # .EmailAddresses returns an array; loop it backwards (last index is Count - 1)
    # so that addresses appended at the end are not visited again
    for ($i = $mailbox.EmailAddresses.Count - 1; $i -ge 0; $i--)
    {
        $address = $mailbox.EmailAddresses[$i]
        #Write-Host $address

        # look for SMTP addresses in the source domain
        if ($address.SmtpAddress -like $AddressSearchedFor)
        {
            # get the local part (left of the @); the string form is "smtp:user@domain"
            $a = [string] $address
            $b = $a.IndexOf("@")
            $a = $a.Substring(5, $b - 5)
            $newAddress = "smtp:" + $a + $DomainToAdd

            if ($existing -notcontains $newAddress.ToLower())
            {
                Write-Host ("Adding smtp address: " + $newAddress)
                # add the secondary address to the array (lower-case smtp: keeps the current primary)
                $mailbox.EmailAddresses.Add($newAddress)
                $existing += $newAddress.ToLower()
                $changed = $true
            }
        }
    }
    # save changes once per mailbox
    if ($changed) { $mailbox | Set-Mailbox -EmailAddresses $mailbox.EmailAddresses }
    Write-Host
}

Friday, July 1, 2011

Outlook authentication popup when database move or failover

Have you noticed that when you run an Exchange 2010 DAG and move the active database to another node, Outlook throws an authentication prompt?

The behavior according to many sources, including Microsoft, is that a move or failover should go almost unnoticed by the end user. Well, it does sometimes, but many times Outlook pops up the authentication prompt.

I messed around in my lab with all kinds of configurations and discovered that the prompt is for the Outlook Anywhere URL. This makes sense because the database goes offline and then another database goes online. This takes a short moment, but the only component that should see this is the CAS, and Outlook should still have its connection to your hardware load balancer, or to the CAS if you don't have an HLB. So if Outlook is aware that a database goes offline, then this is kind of valid.

To try things a little bit more I configured the system not to resolve the Outlook Anywhere URL when connected to the internal network, and then I did a move of the active database again. I was very surprised that Outlook still popped up the prompt for the Outlook Anywhere URL without actually being able to resolve it in DNS, let alone connect to it.

I figured there must be some caching going on here and to be safe I simply rebooted everything. But Outlook behaved the same, prompting me for credentials for a URL that could not be reached.

Finally I poked around in the configuration and decided to change the authentication scheme for Outlook Anywhere to Windows Integrated. I did not have a TMG or UAG in the system so I did not need to configure Kerberos Constrained Delegation (that's another story).

I placed an Outlook client on the outside of the network and things went smoothly; NTLM let me in directly with my cached domain credentials.

I moved Outlook to the internal network and still everything worked as it should. Finally I did a move of the active database to another server. Outlook did not even blink, well almost: it just said it's not connected and then a couple of seconds later it said connected again.

Well, this must be one of the rare occasions when everything worked as it should according to various sources. I did about 20 more moves of the active mailbox database and not a single time did Outlook give me an authentication prompt.

Then I reconfigured Outlook Anywhere to use Basic clear text authentication again and moved the database back and forth, and about half the time Outlook gave me the annoying authentication prompt.

I did some more testing with various setups and different versions of Outlook, but the behavior is the same. When Outlook Anywhere is configured with Basic clear text I get authentication prompts, and when it is configured with Windows Integrated everything works without a hiccup.

Are there any drawbacks to configuring Windows Integrated authentication on Outlook Anywhere? Yes there are. If you have ISA/TMG/UAG doing Kerberos Constrained Delegation against your CAS, everything must belong to the same Windows domain. Well, not exactly everything, but all accounts used in the process, that is computer and user accounts.
This means if you have multiple forests or multiple domains and publish Outlook Anywhere with pre-authentication on TMG/UAG, you're almost forced to use Basic Authentication.

More information about Kerberos Constrained Delegation will be posted in a later post.
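As an added example (not the blog's own script), here is an Exchange 2010 Management Shell function that reports the Outlook Anywhere client authentication method on every CAS and, only when called with -Apply, moves the servers still on Basic to NTLM, the change described above. The function name and the -Apply switch are assumptions; Get-OutlookAnywhere, Set-OutlookAnywhere and -ClientAuthenticationMethod are the real Exchange 2010 cmdlets and parameter.

```powershell
# Added example, not the blog's own script. Run in the Exchange 2010 Management Shell.
# Lists the Outlook Anywhere client authentication method of every CAS and, with -Apply,
# moves the ones still on Basic (password sent in clear text inside the TLS tunnel) to NTLM.
function Set-OutlookAnywhereToNtlm   # assumed name
{
    param([switch] $Apply)   # without -Apply the function only reports

    Get-OutlookAnywhere | ForEach-Object {
        $oa = $_
        Write-Host ("{0,-20} {1,-35} {2}" -f $oa.Server, $oa.ExternalHostname, $oa.ClientAuthenticationMethod)

        # Basic is the setting that produced the credential pop-ups in the post
        if ($oa.ClientAuthenticationMethod -ne "Basic") { return }

        if ($Apply) {
            # NTLM: Outlook authenticates with its cached domain logon, no clear-text password prompt.
            # Caveat from the post: with TMG/UAG pre-authentication and KCD in front of the CAS the
            # accounts involved must live in one domain, so verify that before applying.
            Set-OutlookAnywhere -Identity $oa.Identity -ClientAuthenticationMethod Ntlm
            Write-Host ("  -> switched " + $oa.Server + " to NTLM client authentication")
        }
        else {
            Write-Host ("  -> still Basic; run with -Apply to switch " + $oa.Server + " to NTLM")
        }
    }
}

# report only
Set-OutlookAnywhereToNtlm
# change Basic to NTLM on every CAS that still uses it
# Set-OutlookAnywhereToNtlm -Apply
```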

Thursday, June 30, 2011

Exchange Server 2010 Service Pack 1 Update Rollup 4

UR4 for Exchange 2010 SP1 has fixed several bugs, both things that users see and also some things that only Exchange admins see.
Information about the update is found in KB2509910

Thursday, April 28, 2011

Schedule your Exchange 2010 scripts

If you're running Exchange you most likely want to run scripts on a regular basis.

Here is how you schedule an Exchange 2010 Management Shell script with Task Scheduler.

Copy your script file into a folder of your choice, e.g. c:\script\script.ps1

The trickiest part is how to actually start the PowerShell script. This is set on the Actions tab.
Create a new action with "Start a program" and for Program/script enter the path to powershell.exe:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

For the "Add arguments" textbox, enter (straight quotes, not the curly ones a word processor produces):
-Command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\script\script.ps1"

RemoteExchange.ps1 is the script that starts a remote Exchange 2010 Management Shell session to an Exchange 2010 server. The last part is the path to your script.

Several settings on the job depend on what your script does.
You might need to run the script with highest privileges, configure it for Windows 7 / Windows Server 2008 R2, etc.

If you know that your script normally takes 5 min to run, it's good practice to use the settings to stop it if it runs for a long time, and also to block multiple instances from running at the same time.
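As an added example (not the blog's own), the same task registered from PowerShell through the Task Scheduler COM interface (Schedule.Service) instead of the GUI; it sets exactly the options discussed above: run with highest privileges, configure for Windows 7 / 2008 R2, stop a long-running instance, and refuse a second instance. Task name, script path, schedule and service account are assumptions.

```powershell
# Added example, not the blog's own: registers the task described above through the Task Scheduler
# COM interface (Schedule.Service). Task name, paths, time and account are assumptions.
$TaskName   = "Exchange nightly script"
$ScriptPath = "C:\script\script.ps1"
$RunAs      = "CONTOSO\svc-exchscript"   # assumed dedicated account holding only the RBAC role the script needs
$Cred       = Get-Credential $RunAs       # the password is never written into this file

$service = New-Object -ComObject Schedule.Service
$service.Connect()
$task = $service.NewTask(0)
$task.RegistrationInfo.Description = "Runs $ScriptPath in a remote Exchange 2010 Management Shell"

# "Run with highest privileges" and "Configure for: Windows 7, Windows Server 2008 R2"
$task.Principal.RunLevel     = 1   # TASK_RUNLEVEL_HIGHEST
$task.Settings.Compatibility = 3   # TASK_COMPATIBILITY_V2_1

# Stop the script if it runs far longer than its normal 5 min, and never start a second copy
$task.Settings.ExecutionTimeLimit = "PT1H"   # ISO 8601 duration
$task.Settings.MultipleInstances  = 2        # TASK_INSTANCES_IGNORE_NEW

# Daily at 02:00, first run on an assumed date
$trigger = $task.Triggers.Create(2)          # TASK_TRIGGER_DAILY
$trigger.StartBoundary = "2011-05-01T02:00:00"
$trigger.DaysInterval  = 1

# Same action as the post: powershell.exe loads RemoteExchange.ps1, connects, then runs the script.
# -NonInteractive makes a stray prompt fail fast instead of hanging the task.
$action = $task.Actions.Create(0)            # TASK_ACTION_EXEC
$action.Path      = "$env:SystemRoot\system32\WindowsPowerShell\v1.0\powershell.exe"
$action.Arguments = "-NoProfile -NonInteractive -Command `". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; $ScriptPath`""

# 6 = TASK_CREATE_OR_UPDATE, 1 = TASK_LOGON_PASSWORD (required for a task that runs while nobody is logged on)
$folder = $service.GetFolder("\")
$folder.RegisterTaskDefinition($TaskName, $task, 6, $RunAs, $Cred.GetNetworkCredential().Password, 1) | Out-Null

# Show what was registered
schtasks.exe /Query /TN $TaskName /V /FO LIST
```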

Another handy thing is to have your script load the Exchange snapin itself instead of having the task load it.
Here is an example.

# some Exchange script
# bla bla.

# Write the log next to the script rather than into the task's working directory (usually system32)
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$LogFile   = Join-Path $ScriptDir "scriptlogfile.log"

# Load the Exchange snapin if it's not already present.
function LoadExchangeSnapin
{
    if (! (Get-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction:SilentlyContinue) )
    {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction:Stop
    }
}

# The meat of the script!
&{
    "*** some Exchange Script started ***" >> $LogFile
    [DateTime]::Now >> $LogFile

    # Load the Exchange cmdlets.
    LoadExchangeSnapin

    # the rest of the script

    [DateTime]::Now >> $LogFile
    "*** some Exchange Script ended ***" >> $LogFile
}