Friday, August 28, 2015

Reporting Exchange Attributes of the AD Object

Hi folks,

This little script will help you report the Exchange-related attributes of your AD accounts and export them to a CSV file.

So imagine a scenario where you have a bunch of test accounts which start with TST and for which you need to report recipient type information. This is where the Get-ADUser cmdlet comes to help. Of course you may modify the filter according to the attribute you want to filter on, or you can use -Filter * to output all the users. Alternatively you can filter by display name or any other attribute that fits your purpose better.

When creating the report, for clarity's sake I used samAccountName and DisplayName to identify my mailbox-enabled users, as well as msExchRecipientDisplayType and msExchRecipientTypeDetails, as I was hunting for those values. Again, any Exchange or non-Exchange user attributes can be used. You can refer here for a good cheat list of the user AD attributes. And of course don't forget to import the PowerShell module for AD.

Import-Module ActiveDirectory
Get-ADUser -Filter {sAMAccountName -like "TST*"} -Properties * | Select-Object samAccountName,DisplayName,msExchRecipientDisplayType,msExchRecipientTypeDetails | Export-Csv Report.csv -NoTypeInformation


Enjoy!

Tuesday, August 18, 2015

Resolving Some of Exchange 2013 Upgrade Issues


Hi folks,

I have been lately working on the upgrade of one of my Exchange 2013 servers to CU5.

My installation attempt was interrupted with a lot of errors and warnings which were revealed during prerequisites check.



The good thing is that all these warnings are quite straightforward and therefore easy to address.

The first warning was very straightforward: a send connector with the namespace * was missing, i.e. your Exchange organization is not able to send email to the internet. This can be ignored (it is not fatal) and the send connector can be configured afterwards, or you can run this command to have the connector created:

New-SendConnector "Internet Send Connector" -FrontendProxyEnabled:$true -AddressSpaces *




The second warning was about missing UCMA 4.0. I was surprised how Exchange 2013 was there in the first place without it. But I ended up downloading and installing it, which again is very straightforward.



Finally there was an error related to the UM services not being able to be installed because of misconfigured PowerShell execution policy.

It can be found at this branch: Computer Policy-> User Configuration-> Administrative Templates-> Windows Components-> Windows PowerShell. The setting name is Turn On Script Execution. The default setting is Enabled for all scripts.

To make UM installation successful we need to enable it. Following the instructions from the MS support article I have set the value for Turn On Script Execution to Not Configured.
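Before touching the GPO it helps to confirm which scope is actually deciding the execution policy on the server. The following is an added example, not part of the original post; the function name Get-EffectiveExecutionPolicyScope is hypothetical.

```powershell
# Added example: find the scope that decides the effective execution policy.
# Get-ExecutionPolicy -List returns the scopes in precedence order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
# MachinePolicy and UserPolicy are the two scopes written by Group Policy.
function Get-EffectiveExecutionPolicyScope {
    $scopes = Get-ExecutionPolicy -List

    # The first scope that is not Undefined wins.
    $winner = $scopes |
        Where-Object { "$($_.ExecutionPolicy)" -ne 'Undefined' } |
        Select-Object -First 1

    [pscustomobject]@{
        Scope            = if ($winner) { "$($winner.Scope)" } else { 'None (built-in default)' }
        ExecutionPolicy  = Get-ExecutionPolicy
        SetByGroupPolicy = [bool]($winner -and ("$($winner.Scope)" -in 'MachinePolicy', 'UserPolicy'))
    }
}

$result = Get-EffectiveExecutionPolicyScope
$result | Format-List

if ($result.SetByGroupPolicy) {
    # A policy set by GPO cannot be overridden with Set-ExecutionPolicy;
    # it has to be changed in the "Turn On Script Execution" setting itself.
    Write-Warning "Execution policy is enforced by Group Policy ($($result.Scope))."
}
```

Running it again after the GPO change and a policy refresh shows whether the MachinePolicy/UserPolicy scopes have returned to Undefined.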




After this I have executed setup.exe /m:Upgrade /IAcceptExchangeServerLicenseTerms and Exchange 2013 upgrade to SP1 has gone smoothly.



So the main trick here is to read warnings and use the appropriate URLs.

Enjoy.

Monday, August 17, 2015

First Glance on Exchange 2016 (Part 3). Quickly Configuring CAS Virtual Directories

Hi folks,

In this article I will share with you how I configured virtual directories in my Exchange 2016 lab. Please note that there is no dedicated CAS role in Exchange 2016 and it is running as client access services on the Mailbox server.

As you remember, I'm too lazy to configure every server one by one using either EAC or EMS. As a result I have put this little script together, which buffers all the virtual directories (for each CAS protocol) and configures identical internal and external URLs for each of them. This script can be used in any environment which is running Exchange 2010/2013/2016.

The code that I have executed is as follows (of course don't forget to replace URLs with the proper ones in your environment):


Get-OwaVirtualDirectory |foreach {Set-OwaVirtualDirectory -Identity $_.Identity -InternalUrl https://mail.contoso.com/owa -ExternalUrl https://mail.contoso.com/owa}

Get-EcpVirtualDirectory |foreach {Set-EcpVirtualDirectory -Identity $_.Identity -InternalUrl https://mail.contoso.com/ecp -ExternalUrl https://mail.contoso.com/ecp}

Get-OabVirtualDirectory |foreach {Set-OabVirtualDirectory -Identity $_.Identity -InternalUrl https://mail.contoso.com/OAB -ExternalUrl https://mail.contoso.com/OAB}

Get-ActiveSyncVirtualDirectory |foreach {Set-ActiveSyncVirtualDirectory -Identity $_.Identity -InternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync -ExternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync}

Get-WebServicesVirtualDirectory |foreach {Set-WebServicesVirtualDirectory -Identity $_.Identity -InternalUrl https://mail.contoso.com/EWS/Exchange.asmx -ExternalUrl https://mail.contoso.com/EWS/Exchange.asmx}

Get-MapiVirtualDirectory |foreach {Set-MapiVirtualDirectory -InternalUrl https://mail.contoso.com/mapi -ExternalUrl https://mail.contoso.com/mapi -Identity $_.identity -IISAuthenticationMethods Negotiate}

Execution results in something like:









If you are going to use this method when adding new Exchange 2013/2016 servers to your current organization and are planning to use a different namespace, you may consider using variables and filters to avoid messing up your production environment.
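One way to apply the "variables and filters" advice is to scope every Get-*VirtualDirectory call to named servers and preview the change before committing it. This is an added example, not the script from the original post; the function name Set-LabVirtualDirectoryUrl and the server names in $TargetServers are placeholders.

```powershell
# Added example: change URLs only on the listed servers, with a -WhatIf preview.
$Namespace     = 'mail.contoso.com'            # placeholder namespace
$TargetServers = 'EX2016-EX01', 'EX2016-EX02'  # placeholder server names

# Virtual directory noun -> URL path, taken from the commands above.
$VDirs = [ordered]@{
    OwaVirtualDirectory         = 'owa'
    EcpVirtualDirectory         = 'ecp'
    OabVirtualDirectory         = 'OAB'
    ActiveSyncVirtualDirectory  = 'Microsoft-Server-ActiveSync'
    WebServicesVirtualDirectory = 'EWS/Exchange.asmx'
    MapiVirtualDirectory        = 'mapi'
}

function Set-LabVirtualDirectoryUrl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Server,
        [Parameter(Mandatory)][string]$HostName
    )
    foreach ($srv in $Server) {
        foreach ($noun in $VDirs.Keys) {
            $url = "https://$HostName/$($VDirs[$noun])"
            # -Server is the filter: directories on other servers are never returned.
            & "Get-$noun" -Server $srv | ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$($_.Identity)", "Set internal/external URL to $url")) {
                    & "Set-$noun" -Identity $_.Identity -InternalUrl $url -ExternalUrl $url
                }
            }
        }
    }
}

# 1. Preview: lists every directory that would be touched, changes nothing.
Set-LabVirtualDirectoryUrl -Server $TargetServers -HostName $Namespace -WhatIf

# 2. Apply once the preview shows only the intended servers:
# Set-LabVirtualDirectoryUrl -Server $TargetServers -HostName $Namespace

# 3. Verify one protocol after the change.
$TargetServers | ForEach-Object { Get-OwaVirtualDirectory -Server $_ } |
    Format-List Identity, InternalUrl, ExternalUrl
```

Authentication methods (such as the -IISAuthenticationMethods Negotiate setting used for MAPI above) are left untouched by this example.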

And finally it appears that MS is giving preference to MAPI/HTTP over RPC/HTTP, and therefore this protocol is enabled by default in a brand new Exchange 2016 organization.



To be continued..

Saturday, August 15, 2015

First Glance on Exchange 2016 (Part 2)

Hi folks,

In this article I continue the story of my encounter with Exchange 2016. After both of the servers have been installed, it is time to configure them.

Here I'm following the guidelines from TechNet. The configuration tasks can be done from either EAC or EMS. I personally preferred EMS for the majority of the tasks as it is more fun.

I have started with the preparation work. I have created all the necessary DNS records. In my case I have created the A record mail.contoso.com. It will be used as the hostname for client access and transport. Since it is the lab I used a poor man's solution, namely DNS round-robin. Of course in a production enterprise environment it will be one single A record pointing to the load balancer's VIP address.



Of course the other record I have created was the MX record. I assume you all know what it is and how it is used.



Additionally I have created SPF record as follows (all email sent from the servers configured as MX records are valid senders of email):
msglab16.net IN TXT "v=spf1 mx -all"
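SPF records copied from web pages or word processors often carry typographic quotes or dashes, which turn `-all` into a term receivers cannot parse. The following lint is an added example, not part of the original post; the function name Test-SpfRecord is hypothetical and the sample records are constructed.

```powershell
# Added example: lint the TXT strings of a domain for common SPF mistakes.
function Test-SpfRecord {
    param([string[]]$TxtRecord)

    $findings = @()
    $spf = @($TxtRecord | Where-Object { $_ -match 'v=spf1' })
    if ($spf.Count -eq 0) { return ,@('no SPF record found') }
    if ($spf.Count -gt 1) { $findings += 'more than one SPF record (receivers return permerror)' }

    foreach ($record in $spf) {
        # Anything outside printable ASCII is a paste artifact (curly quote, en dash, ...).
        if ($record -match '[^\x20-\x7E]') {
            $findings += "non-ASCII character in: $record"
            continue
        }
        $terms = $record.Trim('"').Trim() -split '\s+'
        if ($terms[0] -ne 'v=spf1') { $findings += "record does not start with v=spf1: $record" }

        $last = $terms[-1]
        if ($last -notmatch '^[-~?+]?all$') {
            $findings += "no terminal 'all' mechanism: $record"
        }
        elseif ($last -match '^[?+]?all$') {
            $findings += "'$last' does not reject unlisted senders: $record"
        }
    }
    return ,$findings
}

# Constructed samples: a clean record, a pasted one with typographic characters, a permissive one.
$clean  = '"v=spf1 mx -all"'
$pasted = [char]0x201C + 'v=spf1 mx ' + [char]0x2013 + 'all' + [char]0x201D
$open   = '"v=spf1 mx +all"'

foreach ($sample in $clean, $pasted, $open) {
    $result = Test-SpfRecord -TxtRecord $sample
    if ($result.Count -eq 0) { "OK      $sample" } else { $result | ForEach-Object { "FINDING $_" } }
}
```

Against a live zone the input can come from `(Resolve-DnsName -Name <domain> -Type TXT).Strings`.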



After this I have created a forward lookup DNS zone and called it labmail.com. There I also created MX and SPF records. I will use this DNS zone for my second accepted domain.

As DNS records were ready I moved to the Exchange 2016 configuration. So I have started with configuring the transport level.

First, I have created Send Connector for Internet Mail (using * as the address space and added both of transport servers as source servers).

New-SendConnector -Name "Internet Mail" -AddressSpaces * -SourceTransportServers EX2016-EX01,EX2016-EX02


Send connectors are created with a default maximum message size of 35 MB, so I have tweaked it to:

Set-SendConnector "Internet Mail" -MaxMessagesize 50MB



After that I have added labmail.com as accepted domain of the Internal Relay type (this can be used for scenarios of the Office 365 or cross forest integration where part of the recipients sits in one organization and another one in the other). This is a quick command to do this:

New-AcceptedDomain -Name labmail.com -DomainName labmail.com -DomainType InternalRelay


The accepted domain msglab16.com has been created by default as Authoritative accepted domain (since this is the name of my AD forest in the lab).

When a new accepted domain has been selected I have tweaked default email address policy to make email addresses in the format firstname.secondname@labmail.com (%g.%s@labmail.com) as default email address of my recipients.



Additionally I have added another email format alias@mgslab.com to the policy.



After the policy has been modified I clicked Apply to have the policy applied to all the existing recipients (in my case it was only admin, so be careful with this button in real-life scenarios). Additionally, in real life you may create a new email address policy and change its priority as appropriate so that it is applied to your new recipients. And, at the end of the day, you can also always use EmailAddressPolicyEnabled:$false for Set-* commands for each recipient to configure them with the email addresses you desire.


After transport had been configured I started working on configuring the Exchange Server certificate which will be used for client access and transport. EAC is a nicer tool for creating the cert request and then assigning it to Exchange services, but PowerShell is more fun.

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=MSGLAB16, cn=mail.contoso.com" -DomainName contoso.com, example.com -PrivateKeyExportable $true

After the request has been created I submit it to the certification authority. Of course in a production environment the request should be submitted to a trusted third-party CA. In my case I was using my internal enterprise CA in the lab. The following screenshots are self-explanatory and therefore need no additional comments:








After certificate has been downloaded I have imported it to an Exchange server as follows:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.cer -Encoding byte -ReadCount 0))

After the certificate has been imported I used its thumbprint and assigned it to the IIS, SMTP, POP and IMAP services. And after this don't forget to run iisreset.
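The import, a sanity check and the service assignment can be chained so the certificate is only bound if it looks right. This is an added example, not the author's own commands; $ExpectedName and the 30-day expiry margin are assumptions, while the path and service list are the ones used in this post.

```powershell
# Added example: import the issued certificate, check it, then bind it to services.
$CertPath     = 'c:\certificates\ExportedCert.cer'  # path used above
$ExpectedName = 'mail.contoso.com'                  # assumed client access / transport hostname

$bytes      = [Byte[]]$(Get-Content -Path $CertPath -Encoding Byte -ReadCount 0)
$thumbprint = (Import-ExchangeCertificate -FileData $bytes).Thumbprint

# Re-read the certificate from the store and collect anything that should block enabling it.
$cert     = Get-ExchangeCertificate -Thumbprint $thumbprint
$problems = @()

if (-not $cert.HasPrivateKey) {
    $problems += 'no private key on this server (was the request generated elsewhere?)'
}
if ("$($cert.Status)" -ne 'Valid') {
    $problems += "certificate status is $($cert.Status)"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "certificate expires $($cert.NotAfter)"
}
$names = @($cert.CertificateDomains | ForEach-Object { "$_" })
if ($names -notcontains $ExpectedName) {
    $problems += "$ExpectedName is not among the certificate names: $($names -join ', ')"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Certificate $thumbprint was imported but not enabled."
}

# Assign the certificate to the services named in the text, then show the result.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS,SMTP,POP,IMAP
Get-ExchangeCertificate -Thumbprint $thumbprint |
    Format-List Thumbprint, Services, NotAfter, CertificateDomains
```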



The certificate for my second server I configured using EAC. I have also attached screenshots from that exercise to this article. Again they are quite self-explanatory.









To be continued...

Friday, August 7, 2015

First Glance on Exchange 2016 (Part 1)

Hi folks,

As you know our beloved Microsoft is about to produce Exchange Server 2016 in the Q4 this year. Meanwhile since 22 July we have Exchange 2016 Preview available for free to download with the accompanying documentation which can be found in the TechNet Library.

As some of you may know architecture of Exchange 2016 has been changed as compared to 2013. CAS role has been removed and instead CAS service is now available on the Mailbox role. It is responsible for authentication, proxy, and limited redirection services, and the HTTP, POP, IMAP, and SMTP client access protocols. So it appears that Exchange 2016 Mailbox server is multi-role Exchange 2013 box. Of course there are a lot of improvements into storage and namely to DAGs.



Overall the technical requirements are not much different from those of Exchange 2013, even though they are not 100% the same.

So I have decided to build the lab in my virtual environment at home. I have deployed 1 domain controller (Windows 2012 forest mode; as a minimum Windows 2008 is now required) and 2 Exchange servers.

Installation doesn't differ much from what we had in Exchange 2013.

So first we start with installation of the Exchange 2016 prereqs in the following order:

1. Windows Features. You can find the code for installing necessary Windows 2012 R2 components as well as other prereqs on this page.



2. .Net Framework 4.5.2



3. UCMA 4.0



After this we need to prepare Active Directory for Exchange deployment. Of course when you install first server of the new Exchange release (whether the main version, Service Pack or Cumulative Update) AD should be extended to support new object types and attributes. Of course installation program can do it on your behalf which is good for lab but not very good in most of the production environments.

There are 3 commands to prepare AD in a more controlled fashion (the commands are pretty obvious so I won't explain to you what each of them does):

setup.exe /prepareSchema /IAcceptExchangeServerLicenseTerms

setup.exe /PrepareAD /OrganizationName:EXCHORGNAME /IAcceptExchangeServerLicenseTerms

setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms




If you want to make sure that AD prep has been successful you can refer to this previous blog post of mine. Or alternatively you can launch ADSIEdit and see that the container for the Exchange organization has been created with all the necessary sub-containers.



After AD is prepared and all prereqs are in place we are ready to install our first Exchange 2016 server. Again installation methods didn't change from the last versions:

If you use command line unattended method you can use command like this one:

setup.exe /mode:Install /Roles:Mailbox /IAcceptExchangeServerLicenseTerms



Alternatively you can use good old installation method as below. I believe no explanations are needed here.













After installation is over you can check if all Exchange services are running by using the Test-ServiceHealth cmdlet.



I will continue posting about this new version as I play in my lab and explore new features.

To be continued...