Friday, June 19, 2009

Exchange 2010: Hub Transport Role Installation Fails

Many people, including me the first time, have reported that the Hub Transport Role installation fails while starting the MSExchangeTransport service, and that the error below is shown in the setup window when you try to install Exchange 2010 Beta.

Error
The execution of: “$error.Clear(); if ($RoleStartTransportService) { start-SetupService -ServiceName MSExchangeTransport }”, generated the following error: “Service ‘MSExchangeTransport’ failed to reach status ‘Running’ on this server.”


Apparently, this normally happens when you disable IPv6 in Local Area Connection, which was what I did.


Resolutions
· Enable IPv6 in Local Area Connection.

· To completely disable IPv6 on a Windows Server 2008-based computer, follow these steps and add a registry key:
1. Open Registry Editor
2. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
3. In the details pane, click New, and then click DWORD (32-bit) Value
4. Type DisabledComponents, and then press ENTER
5. Double-click DisabledComponents, and then type 0xffffffff in Hexadecimal or 4294967295 in Decimal

· Apply the “Microsoft Fix It” available in KB952842 to disable IPv6.


Note: If the setup still fails, remove the IPv6 entry from the hosts file located at %systemroot%\system32\drivers\etc
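
The three things this post tells you to look at can be checked before re-running setup. The script below is an added example, not part of the original post; it only reads state and changes nothing, and it assumes the default hosts file location.

```powershell
# Added example: read-only check of the conditions described in this post.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$hosts = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'

# 1. DisabledComponents: absent means IPv6 was not disabled through the registry.
#    Formatting as hex avoids signed/unsigned surprises when the DWORD is 0xffffffff.
$prop = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
if ($prop) { $dc = '0x{0:x8}' -f $prop.DisabledComponents } else { $dc = '(not set)' }

# 2. Uncommented hosts entries whose address field contains a colon, e.g. "::1 localhost".
$v6 = @(Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]*:[^#\s]*\s+\S' })

# 3. State of the service that setup fails to start (absent before the role is installed).
$svc = Get-Service -Name MSExchangeTransport -ErrorAction SilentlyContinue
if ($svc) { $state = $svc.Status } else { $state = '(not installed)' }

Write-Output "DisabledComponents : $dc"
Write-Output "IPv6 hosts entries : $($v6.Count)"
$v6 | ForEach-Object { Write-Output "    $_" }
Write-Output "MSExchangeTransport: $state"

if ($dc -ne '0xffffffff') {
    Write-Output 'IPv6 is not disabled in the registry: leave it enabled on Local Area Connection.'
} elseif ($v6.Count -gt 0) {
    Write-Output 'IPv6 is disabled in the registry but the hosts file still has IPv6 entries.'
}
```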

Monday, June 1, 2009

Exchange Shared Mailboxes

What most administrators do when they want a mailbox that several users can access is create a “normal” mailbox and either hand its password to everyone who requires access or give them full access permissions to it.

Either way, this also creates an enabled user account in Active Directory (AD) that users could use to log in to a workstation, which is not very secure.

With Exchange 2007 and 2010 we have a new kind of mailbox: the shared mailbox. A shared mailbox has a disabled AD account to which it is connected. Since the account is disabled, you don’t need to set a password and you can’t use it to log in to a workstation! So, they act as a security measure. You will no longer be required to have extra username/password combinations for accessing your network. You can easily assign permissions specifically to those users requiring access.

However, you can’t create these accounts from the Exchange Management Console (EMC)... So, let’s fire up the shell!


Creating a Shared Mailbox
The process to create a shared mailbox is exactly the same as for a regular mailbox, except for the -Shared option on the New-Mailbox command. For example, let’s create a shared mailbox where all the quarantined e-mails will go:

New-Mailbox -Name Quarantine -Alias quarantine -OrganizationalUnit "letsexchange.com/Users" -Database "Mailbox Database" -UserPrincipalName quarantine@letsexchange.com -Shared


This way, a disabled AD account will be created in the Organizational Unit Users with an attached mailbox. Since the account is disabled by default, no password is required.



Permissions
Since we don’t want to associate a password with a shared mailbox, we have to grant mailbox permissions to the users who require access to it.

We can assign permissions to security groups or directly to users. To give me access to the Quarantine mailbox, all I have to do is:

Add-MailboxPermission Quarantine -User n.mota -AccessRights FullAccess


Now I have full access permissions to it. However, I’ll probably also want Send-As rights so that I can send e-mails with the shared mailbox's e-mail address.

Add-ADPermission Quarantine -User n.mota -ExtendedRights Send-As


You may want to add permissions to read/write personal information so that users can set up delegates if needed:

Add-ADPermission Quarantine -User n.mota -AccessRights ReadProperty, WriteProperty -Properties "Personal Information"
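
Once access is granted per user instead of through a shared password, the grants themselves are what you need to review. The script below is an added example, not part of the original post: it assumes it is run in the Exchange Management Shell of an on-premises organization, and it lists every shared mailbox, whether its AD account really is disabled, and who holds explicit FullAccess or Send-As rights on it.

```powershell
# Added example: audit shared mailboxes (read-only, PowerShell 2.0 compatible).
$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $dn = $mbx.DistinguishedName

    # The security benefit described above depends on the account being disabled.
    $uac      = "$((Get-User -Identity $dn).UserAccountControl)"
    $disabled = $uac -match 'AccountDisabled'

    # Explicit (non-inherited, non-deny) FullAccess grants, ignoring the mailbox itself.
    $full = Get-MailboxPermission -Identity $dn | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        "$($_.AccessRights)" -match 'FullAccess' -and
        "$($_.User)" -ne 'NT AUTHORITY\SELF'
    }

    # Explicit Send-As grants live on the AD object, not on the mailbox.
    $sendAs = Get-ADPermission -Identity $dn | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        "$($_.ExtendedRights)" -match 'Send-As' -and
        "$($_.User)" -ne 'NT AUTHORITY\SELF'
    }

    # One output row per grant so the result can be sorted, filtered or exported.
    foreach ($p in $full) {
        New-Object PSObject -Property @{
            Mailbox = $mbx.Name; AccountDisabled = $disabled
            Right = 'FullAccess'; Trustee = "$($p.User)"
        }
    }
    foreach ($p in $sendAs) {
        New-Object PSObject -Property @{
            Mailbox = $mbx.Name; AccountDisabled = $disabled
            Right = 'Send-As'; Trustee = "$($p.User)"
        }
    }
}

$report | Sort-Object Mailbox, Right, Trustee |
    Select-Object Mailbox, AccountDisabled, Right, Trustee |
    Format-Table -AutoSize
```

A row with AccountDisabled set to False means the mailbox still has an account that can be used to log in, and a trustee you do not recognise is a grant to review.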



Accessing Shared Mailboxes
Since I now have full access permissions to this shared mailbox, one method for accessing it is to add it as an additional mailbox within Outlook. To do that:

• Open Outlook
• Go to Tools and click on Account Settings...
• Make sure your e-mail address is selected and click on Change...
• Click on More Settings...
• Go to the Advanced tab and, under Open these additional mailboxes, add the shared mailbox


This is the best method if you use the shared mailbox a lot, as it allows you to read e-mails from the shared mailbox and send as that e-mail address when desired. Unfortunately, this method will not save items sent as that mailbox to its Sent Items folder. All items sent or deleted within Outlook will be stored in the primary mailbox's Sent or Deleted Items folder.
This is something that doesn’t make sense to me and I hope to see it changed on the next version of Outlook.

You can also create a separate e-mail profile for Outlook to work with just this mailbox, thus preventing the previous “issue”.

The other option you have is, of course, to use Outlook Web Access (OWA). To open the shared mailbox, and since I already have full access permissions to it, I can open it by simply adding the quarantine@letsexchange.com e-mail address to the end of my normal OWA URL and authenticating using my normal domain credentials, like: https://htcas1/owa/quarantine@letsexchange.com


Or, by logging in to OWA with my normal account and opening this mailbox using the arrow beside my name in the top right-hand corner.




Notes:
• The icon on the Exchange Console for a shared mailbox differs from the one for a regular mailbox;
• When checked in the Exchange Console, you can see the difference in the Recipient Type Details column: User Mailbox vs Shared Mailbox;
• It’s possible to convert existing mailboxes into shared mailboxes! To do that, all that you need to do is: Set-Mailbox n.mota -Type Shared;
• To convert it back to a regular mailbox, just use the -Type Regular option.