Friday, February 21, 2014

Exchange Server 2013 High Availability Book

After a lot of work, I have finally released my first book: Microsoft Exchange Server 2013 High Availability!    :)
I now fully appreciate the work involved in the process of writing/releasing a book!
 
 
This practical hands-on guide will provide you with a number of clear scenarios and examples that will explain the mechanics behind the working of Exchange 2013 High Availability and how maximum availability and resilience can be achieved through it.
 
Throughout this book, you will go through all the roles, components, and features that should be considered when addressing high availability. You will go through how to achieve high availability for the Client Access and Mailbox server roles, what’s new in load balancing, site resilience, the new public folders, and much more.
 
You will learn to successfully design, configure, and maintain a highly available Exchange 2013 environment by going through different examples and real-world scenarios, saving you and your company time and money, and eliminating errors.
 
 
The book is available on Amazon.com, Amazon.co.uk, Packt Publishing, and soon in Google Play store, Apple books, Safari books online, Bookshout!, Kobo books, EBL, Vital Source and O'Reilly.

Any feedback appreciated! :)

Wednesday, February 19, 2014

Exchange 2013 SP1 Feature list

Now that we are getting closer and closer to the release of Exchange 2013 Service Pack 1, here is a list of its main features:

  • Exchange 2013 SP1 will add Windows Server 2012 R2 as a supported operating system for Exchange Server 2013 with SP1;

  • Support for S/MIME in OWA will be brought back in SP1. With SP1 customers will have S/MIME support across Outlook, Exchange ActiveSync clients, and OWA;

  • The Edge Transport server role for Exchange Server 2013 will be available with SP1;

  • Fixes and improvements. SP1 will include fixes and improvements in several areas. SP1 is the first service pack issued in the new Exchange Server cumulative update release model, thus SP1 is essentially CU4. The installation of SP1 will follow the same process as the prior Exchange 2013 CU releases. SP1 will include all fixes included in previously released cumulative updates for Exchange 2013;

  • MapiHttp is the new communication mechanism added to later builds of Microsoft Exchange Server 2013 and Microsoft Outlook 2013. The plan is to add the functionality to Microsoft Outlook 2010 in a future build. You may also see the new MapiHttp feature referred to internally as the Exchange HTTP Transport or by the internal code name Alchemy. The new MapiHttp transport protocol replaces the older RPC/HTTP (RPC over HTTPS) protocol. This is in an effort to improve the reliability and stability of the Outlook/Exchange connection by removing the dependency on the Microsoft Remote Procedure Call (RPC) communication mechanism;

  • DLP Policy Tip support in OWA.

Wednesday, February 12, 2014

Free/Busy Information Period (Exchange 2013-2007 Error)

Free/busy information requests to an Exchange 2007 organization from an Exchange 2013 organization may fail due to a mismatch in the requested free/busy information period. By default, Exchange 2007 accepts availability requests for 42 days of free/busy information, while Exchange 2013 may request 62 days. If the request exceeds the default 42-day limit imposed by Exchange 2007, the request fails.
 
In order to prevent this failure, follow the steps below to configure your Exchange 2007 CAS servers to accept longer period free/busy information requests:

1. On all your Exchange 2007 CAS servers, open the following file with a text editor such as Notepad (remember to create a backup copy first!):
<Exchange Installation Path>\V14\ClientAccess\ExchWeb\EWS\web.config

2. Locate the appSettings section;

3. Add a new key <add key="maximumQueryIntervalDays" value="62" /> and save the web.config file. The maximumQueryIntervalDays value is not present by default; when it is absent, Exchange 2007 uses the default interval of 42 days.

4. Restart IIS on all the Exchange 2007 CAS servers.
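The four steps above as a script, added here as an example and not part of the original post. It takes the backup first, adds the appSettings key (or updates it if a previous run already added it), saves the file and restarts IIS. The path passed to the function is a placeholder for <Exchange Installation Path>\V14\ClientAccess\ExchWeb\EWS\web.config on your own CAS server.

```powershell
# Added example, not from the original post: applies steps 1-4 on one Exchange 2007 CAS server.
function Set-EwsMaximumQueryInterval {
    param(
        [Parameter(Mandatory)][string]$WebConfig,
        [int]$IntervalDays = 62
    )
    if (-not (Test-Path -Path $WebConfig)) { throw "web.config not found: $WebConfig" }

    # Step 1: backup copy first, timestamped so repeated runs never overwrite an earlier backup
    $backup = '{0}.{1}.bak' -f $WebConfig, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -Path $WebConfig -Destination $backup

    # Step 2: locate <appSettings>. XPath is used because an empty <appSettings/> element is
    # not reachable through PowerShell's adapted XML properties (it comes back as "").
    [xml]$xml = Get-Content -Path $WebConfig -Raw
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) {
        $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
    }

    # Step 3: add the key, or just update the value if it is already there
    $node = $appSettings.SelectSingleNode("add[@key='maximumQueryIntervalDays']")
    if ($null -eq $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', 'maximumQueryIntervalDays')
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', [string]$IntervalDays)
    $xml.Save($WebConfig)
    return $backup
}

# Placeholder path: replace with <Exchange Installation Path>\V14\ClientAccess\ExchWeb\EWS\web.config
$backup = Set-EwsMaximumQueryInterval -WebConfig 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ExchWeb\EWS\web.config'
"Backup written to $backup"

# Step 4: restart IIS on this CAS server
iisreset /noforce
```

Run it on every Exchange 2007 CAS server; the returned backup path is what you restore from if the availability service misbehaves afterwards.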

DLP Policy Tips in OWA

DLP Policy Tips are informative notices that are displayed to senders in Outlook when they try sending sensitive information. In Exchange 2013 SP1, this functionality has been extended to both the desktop version of Outlook Web App and the mobile version (named OWA for Devices), and you will see it in action if you have an existing DLP policy with Policy Tips turned on for Outlook.
 
The experience and functionality are similar to Policy Tips in Outlook; you do not need to set up anything else.
 

Wednesday, February 5, 2014

Check Status of Federation Certificates

The certificate used to establish a federation trust is automatically propagated to all Mailbox and Client Access servers in the Exchange organization. If you need to report on its status, use the following cmdlet:
Test-FederationTrustCertificate

This cmdlet, which does not require any parameters, will check the status of certificates used for federation on all Mailbox and Client Access servers.
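A small reporting wrapper around the cmdlet, added as an example and not part of the original post. It runs Test-FederationTrustCertificate, treats the thumbprint reported by most servers as the expected one, and flags any server that reports a different thumbprint or a state other than Installed. The output property names Server, Site, State and Thumbprint, and the state value Installed, are assumptions; confirm them on your system with Test-FederationTrustCertificate | Get-Member.

```powershell
# Added example, not from the original post: flags servers whose federation certificate differs.
function Get-FederationCertificateDrift {
    $results = @(Test-FederationTrustCertificate)
    if ($results.Count -eq 0) {
        Write-Warning 'No federation trust certificate results returned'
        return
    }

    # The thumbprint most servers report is taken as the expected one (assumption)
    $expected = $results | Group-Object -Property Thumbprint |
                Sort-Object -Property Count -Descending |
                Select-Object -First 1 -ExpandProperty Name

    foreach ($r in $results) {
        [pscustomobject]@{
            Server     = $r.Server
            Site       = $r.Site
            State      = $r.State
            Thumbprint = $r.Thumbprint
            Drift      = ($r.Thumbprint -ne $expected) -or ("$($r.State)" -ne 'Installed')
        }
    }
}

# Show only the servers that need attention
Get-FederationCertificateDrift | Where-Object Drift | Format-Table -AutoSize
```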

Thursday, January 30, 2014

Exchange 2013 CU3 Invalid Hybrid Product Key

On a newly installed Exchange Server 2013 Cumulative Update 3 (CU3) server (not an upgrade from an earlier 2013 build), when you are setting up a hybrid deployment and you enter the product key to activate it, you will receive the following error message:
Invalid Product Key.

This issue occurs because of a regression in CU3 for Exchange 2013 which causes the product to be mistakenly recognized as invalid.
You can safely ignore this product activation error message. Until this issue is resolved in the near future, there are no adverse effects from leaving the server unlicensed. This is a known issue that is scheduled to be addressed in SP1.

If you already deployed the product key for the Hybrid Edition on a server and later upgraded the server to Exchange 2013 CU3, the server will remain licensed, and the license will be displayed as valid.

Tuesday, January 21, 2014

Staged Exchange Migration with ADFS and DirSync

Some organizations implement ADFS and DirSync in order to take advantage of the Single Sign-On capabilities. However, not all of them opt for a hybrid deployment and perform a Staged Exchange Migration instead to move mailboxes from the on-premises environment to Office 365.
 
In order to perform such migration, one of the steps involved is the creation of a CSV for the Migration batch. This CSV needs to have three columns: EmailAddress, Password and ForceChangePassword.
 
The problem arises if the ForceChangePassword field is set to True: the migration fails because Office 365 cannot modify that attribute for a federated identity (remember we are using ADFS and DirSync), so you get an error.
 
To overcome this, simply update the CSV file and set the ForceChangePassword field to False. This should allow for the migration to succeed.
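A script that does that correction for a whole batch, added here as an example and not part of the original post. It checks that the three required columns are present, rewrites ForceChangePassword to False on every row, and writes a corrected copy so the original file is untouched. The sample batch below is constructed.

```powershell
# Added example, not from the original post: fixes ForceChangePassword in a staged migration CSV.
function Repair-StagedMigrationCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath
    )
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "CSV has no rows: $Path" }

    # The three columns a Staged Exchange Migration batch needs
    $required = 'EmailAddress', 'Password', 'ForceChangePassword'
    $present  = $rows[0].PSObject.Properties.Name
    $missing  = $required | Where-Object { $present -notcontains $_ }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

    $changed = 0
    foreach ($row in $rows) {
        # True, blank, or anything else: federated users need False
        if ($row.ForceChangePassword -ne 'False') {
            $row.ForceChangePassword = 'False'
            $changed++
        }
    }
    $rows | Select-Object -Property $required |
        Export-Csv -Path $OutPath -NoTypeInformation
    return $changed
}

# Constructed sample batch (addresses and passwords are made up)
$sample = @'
EmailAddress,Password,ForceChangePassword
alice@contoso.example,Sample-Pass-1,True
bob@contoso.example,Sample-Pass-2,True
'@
$in  = Join-Path $env:TEMP 'batch.csv'
$out = Join-Path $env:TEMP 'batch-fixed.csv'
Set-Content -Path $in -Value $sample

'{0} row(s) changed; corrected file: {1}' -f (Repair-StagedMigrationCsv -Path $in -OutPath $out), $out
```

Upload the corrected file as the migration batch. Because the CSV carries passwords, keep it on an encrypted volume and delete both copies once the batch has completed.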

Thursday, January 16, 2014

Office 365 Identity Federation Debug Tool

The Microsoft Remote Connectivity Analyzer tool has been updated and now includes testing for the Office 365 federated identity provider. It can be used with an Office 365 tenant configured for federation with either ADFS or another WS-*-based Security Token Service, and helps debug possible issues with the federated identity provider through simple tests.
 
The tool is available for download here.
 
Once downloaded and installed, click on “I can’t setup federation with Office 365, Azure, or other services that use Azure Active Directory (Beta)”:
 
Then enter your Office 365 credentials and begin the login test of your federation configuration:
 
Tests are run from the PC on which you installed the tool. It attempts to log in to Office 365 using the federation configuration, then shows results that should help debug any federation issues.

Tuesday, January 7, 2014

Message Tracking Report

New to Exchange 2013, the Get-MessageTrackingReport cmdlet is used to return data for a specific message tracking report.
 
This cmdlet, used by the delivery reports feature, requires you to specify the ID for the message tracking report you want to view. Therefore, first you need to use the Search-MessageTrackingReport cmdlet to find the message tracking report ID for a specific message. You then pass the report ID to the Get-MessageTrackingReport cmdlet.
 
Note that you need to be assigned permissions before you can run this cmdlet. You will not have access to some of its parameters if the account used is not a member of one of the following groups: Organization Management, Records Management or Recipient Management.
 
 
This first example gets the message tracking report for messages sent from one user to another and returns the summary of the message tracking report for a message that Alice Jones sent to John Richardson:
$Temp = Search-MessageTrackingReport "Alice Jones" -Recipients "johnr@letsexchange.com"
Get-MessageTrackingReport $Temp.MessageTrackingReportID -ReportTemplate Summary
  • The ReportTemplate parameter specifies a predefined format for the output. You can either return a summary for all recipients or a detailed tracking report for one recipient using one of the following values: RecipientPath or Summary.
 
 
The second example gets the message tracking report for the following scenario: a user named Nuno Mota was expecting an e-mail message from joe@domain.com that never arrived. He contacted the Help Desk, which generated a message tracking report on behalf of Nuno returning detailed troubleshooting information for the specific recipient path:
Search-MessageTrackingReport "Nuno Mota" -Sender "joe@letsexchange.com" -BypassDelegateChecking -DoNotResolve | ForEach {Get-MessageTrackingReport $_.MessageTrackingReportID -DetailLevel Verbose -BypassDelegateChecking -DoNotResolve -RecipientPathFilter "nunom@domain.com" -ReportTemplate RecipientPath}
  • The BypassDelegateChecking switch allows Help Desk staff and administrators to retrieve message tracking reports for any user. By default, each user can only see the message tracking reports for messages sent or received by the user. When using this switch, Exchange allows administrators to view message tracking reports for messages exchanged among other users.
  • The DoNotResolve switch prevents the resolution of e-mail addresses to display names. This improves performance, but the end result may not be as easy to interpret because it is missing the display names.
  • The DetailLevel parameter specifies the amount of detail to be displayed for the message tracking report. You can use one of the following values: Basic or Verbose. If you specify Basic, simple delivery report information is displayed, which is more appropriate for information workers. If you specify Verbose, full report information is displayed, including server names and physical topology information.
  • The RecipientPathFilter parameter specifies the recipient for which the command returns the detailed tracking report. This parameter is used when using the RecipientPath report template.
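The second scenario wrapped into a reusable Help Desk function, added as an example and not part of the original post. It performs the search on behalf of the user, handles the case where no report exists for that sender (the one-liner above silently returns nothing), and returns the detailed recipient-path report for each match. The mailbox, sender and recipient values in the call are constructed.

```powershell
# Added example, not from the original post: Help Desk wrapper around the two cmdlets.
function Get-HelpDeskDeliveryReport {
    param(
        [Parameter(Mandatory)][string]$Mailbox,        # user who asked for the report
        [Parameter(Mandatory)][string]$Sender,         # sender the message was expected from
        [Parameter(Mandatory)][string]$RecipientPath,  # SMTP address whose delivery path to trace
        [ValidateSet('Basic', 'Verbose')][string]$DetailLevel = 'Verbose'
    )

    # BypassDelegateChecking lets an administrator search another user's reports;
    # DoNotResolve skips display-name resolution for speed
    $reports = @(Search-MessageTrackingReport -Identity $Mailbox -Sender $Sender `
                    -BypassDelegateChecking -DoNotResolve)

    if ($reports.Count -eq 0) {
        Write-Warning "No message tracking report found for '$Mailbox' from '$Sender'"
        return
    }

    foreach ($r in $reports) {
        Get-MessageTrackingReport -Identity $r.MessageTrackingReportID `
            -DetailLevel $DetailLevel -BypassDelegateChecking -DoNotResolve `
            -RecipientPathFilter $RecipientPath -ReportTemplate RecipientPath
    }
}

# Constructed values
Get-HelpDeskDeliveryReport -Mailbox 'Nuno Mota' -Sender 'joe@domain.com' -RecipientPath 'nunom@domain.com'
```

The account running this still needs to be in one of the role groups listed above; the function does not change who is allowed to see other users' reports, it only makes the failure case visible.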

Friday, December 20, 2013

Microsoft’s Top Solutions Content Blog

As part of Microsoft’s efforts to keep communities informed about the most relevant content that address the top questions or issues present in the forums and other support channels, Microsoft introduced the new Top Solutions Content blog.

In this blog, you will find valuable information about the Microsoft top support solutions for several of its popular products in the Server and Tools portfolio.

In the Exchange Server section, Top Support Solutions for Microsoft Exchange Server, some of the top Microsoft Support solutions to the most common issues experienced include:
  • How to temporarily deactivate the kernel mode filter driver in Windows
  • How to do performance tuning for NTLM authentication by using the MaxConcurrentApi setting
  • Troubleshooting long running MAPI connections to Exchange Server 2010 through Network Load Balancers
  • Configuring Kerberos Authentication for Load-Balanced Client Access Servers
  • Configure the Availability Service for Cross-Forest Topologies
  • Users in a source forest cannot view the free/busy information of mailboxes in a target forest in an Exchange Server 2010 environment
  • When, if and how do you modify Outlook Providers?

Tuesday, December 10, 2013

Checking DirSync Version

If you need to check what version of DirSync you currently have installed, simply run the following PowerShell cmdlet:
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync").DisplayVersion

Remember that you can use the Version Release History WiKi to keep track of the versions that have been released and the main changes introduced.

Wednesday, December 4, 2013

Public and Private Computer Default Setting in OWA 2013

In a previous tip, How to Configure Public and Private Computer Settings in OWA 2013, I explained how to add the Private Computer option back to the OWA logon page in Exchange 2013.
 
When adding this feature back, the Private Computer checkbox always comes up checked:
 
 
However, some customers might want it unchecked by default. Unfortunately, there is no way to configure this through the Shell or EAC... We need to modify the logon.aspx file located at (...)\V15\FrontEnd\HttpProxy\owa\auth
 
Before you proceed, remember to create a backup copy of this file!
Open the file, scroll down to line 214 and delete the word checked.

This is how line 214 looks originally:
<input id="chkPrvt" onclick="clkSec()" name="trusted" value="4" type="checkbox" checked role="checkbox" aria-labelledby="privateLabel">

And how it looks after deleting checked:
<input id="chkPrvt" onclick="clkSec()" name="trusted" value="4" type="checkbox" role="checkbox" aria-labelledby="privateLabel">


After making this change, save the file, restart IIS and the Private Computer option will no longer be selected by default:
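The same edit done by script, added here as an example and not part of the original post. Instead of trusting the line number, it finds the input element by its id (chkPrvt), removes only the checked attribute from that element, refuses to write anything if it does not find exactly one match, and takes the backup first. The file path is a placeholder for (...)\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx on your server.

```powershell
# Added example, not from the original post: unchecks the Private Computer box by editing logon.aspx.
function Disable-OwaPrivateComputerDefault {
    param([Parameter(Mandatory)][string]$LogonAspx)

    if (-not (Test-Path -Path $LogonAspx)) { throw "File not found: $LogonAspx" }

    # Backup copy first
    $backup = '{0}.{1}.bak' -f $LogonAspx, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -Path $LogonAspx -Destination $backup

    # Match the chkPrvt <input ...> element and capture everything before its "checked" attribute
    $pattern = '(<input\b[^>]*\bid="chkPrvt"[^>]*?)\schecked\b'
    $lines   = Get-Content -Path $LogonAspx -Encoding UTF8
    $hits    = 0
    $edited  = foreach ($line in $lines) {
        if ($line -match $pattern) {
            $hits++
            $line -replace $pattern, '$1'   # drop just the attribute, keep the rest of the tag
        } else {
            $line
        }
    }

    # Nothing has been written yet, so a wrong match count simply aborts
    if ($hits -ne 1) {
        throw "Expected exactly one chkPrvt input with 'checked', found $hits; file left unchanged"
    }
    Set-Content -Path $LogonAspx -Value $edited -Encoding UTF8
    return $backup
}

# Placeholder path: replace with (...)\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx
$backup = Disable-OwaPrivateComputerDefault -LogonAspx 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx'
"Backup written to $backup"
iisreset /noforce
```

Keep the backup and the script together: a cumulative update replaces the OWA files, so the edit has to be reapplied after each CU, and the script makes that a one-line job instead of another hand edit.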

Tuesday, December 3, 2013

Allow XML files in Office 365 OWA

With Exchange 2003 we had to make changes to the Registry in order to allow or block particular file types in OWA, and in Exchange 2007 we had to configure OWA's virtual directories. Since Exchange 2010 this is done through Outlook Web App Mailbox Policies, and this applies to the latest Exchange 2013 and to Exchange Online.

To check which file types are currently being blocked, and to change this if necessary, first connect to Exchange Online via PowerShell:
$cred = Get-Credential

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $session

After successfully connecting, run the following cmdlet to check what file types are being blocked:
Get-OwaMailboxPolicy "policy name" | Select -ExpandProperty BlockedFileTypes | Sort

If you want to make changes and allow certain file types, such as XML files for example, you remove the .xml from the BlockedFileTypes and BlockedMimeTypes lists and add it to the AllowedFileTypes and AllowedMimeTypes lists:
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -BlockedFileTypes @{Remove = ".xml"}
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AllowedFileTypes @{Add = ".xml"}
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -BlockedMimeTypes @{Remove = "text/xml", "application/xml"}
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AllowedMimeTypes @{Add = "text/xml", "application/xml"}

Remember to ensure the settings in the ECP at permissions -> Outlook Web App policies -> file access match those in servers -> virtual directories -> owa (Default Web Site) -> file access in terms of Direct File Access, which enables or disables direct access to all file types in OWA. If this parameter is set to $False, users will not be able to click on attachments in e-mails to open or save the files. The attachment is visible, but the link is grayed out.
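An audit-then-change version of the commands above, added as an example and not part of the original post. The first function reports, per OWA mailbox policy, which list a file type and its MIME types sit in, alongside the two Direct File Access switches that the paragraph above says must agree with the virtual directories. The second function makes the .xml change only where it is needed, so it is safe to re-run. Run it in the Exchange Online session opened above; the Get-OwaVirtualDirectory part only applies on-premises, where that cmdlet exists.

```powershell
# Added example, not from the original post: audit and idempotent allow for one OWA file type.
function Get-OwaFileTypeStatus {
    param(
        [string]$Extension = '.xml',
        [string[]]$MimeTypes = @('text/xml', 'application/xml')
    )
    foreach ($p in Get-OwaMailboxPolicy) {
        $ext = if     ($p.AllowedFileTypes   -contains $Extension) { 'Allowed' }
               elseif ($p.BlockedFileTypes   -contains $Extension) { 'Blocked' }
               elseif ($p.ForceSaveFileTypes -contains $Extension) { 'ForceSave' }
               else                                                { 'NotListed' }
        $mime = foreach ($m in $MimeTypes) {
            if     ($p.AllowedMimeTypes   -contains $m) { "$m=Allowed" }
            elseif ($p.BlockedMimeTypes   -contains $m) { "$m=Blocked" }
            elseif ($p.ForceSaveMimeTypes -contains $m) { "$m=ForceSave" }
            else                                        { "$m=NotListed" }
        }
        [pscustomobject]@{
            Policy                 = $p.Name
            FileType               = "$Extension=$ext"
            MimeTypes              = $mime -join '; '
            DirectAccessPrivatePCs = $p.DirectFileAccessOnPrivateComputersEnabled
            DirectAccessPublicPCs  = $p.DirectFileAccessOnPublicComputersEnabled
        }
    }
}

function Enable-OwaFileType {
    param(
        [string]$Extension = '.xml',
        [string[]]$MimeTypes = @('text/xml', 'application/xml')
    )
    foreach ($p in Get-OwaMailboxPolicy) {
        # Only remove from Blocked / add to Allowed when the list actually needs it
        if ($p.BlockedFileTypes -contains $Extension) {
            Set-OwaMailboxPolicy -Identity $p.Identity -BlockedFileTypes @{Remove = $Extension}
        }
        if ($p.AllowedFileTypes -notcontains $Extension) {
            Set-OwaMailboxPolicy -Identity $p.Identity -AllowedFileTypes @{Add = $Extension}
        }
        $blockedMime = @($MimeTypes | Where-Object { $p.BlockedMimeTypes -contains $_ })
        if ($blockedMime.Count -gt 0) {
            Set-OwaMailboxPolicy -Identity $p.Identity -BlockedMimeTypes @{Remove = $blockedMime}
        }
        $missingMime = @($MimeTypes | Where-Object { $p.AllowedMimeTypes -notcontains $_ })
        if ($missingMime.Count -gt 0) {
            Set-OwaMailboxPolicy -Identity $p.Identity -AllowedMimeTypes @{Add = $missingMime}
        }
    }
}

# Before: where does .xml sit today?
Get-OwaFileTypeStatus -Extension '.xml' | Format-Table -AutoSize

# Change, then re-audit
Enable-OwaFileType -Extension '.xml'
Get-OwaFileTypeStatus -Extension '.xml' | Format-Table -AutoSize

# On-premises only: the virtual directory switches that must match the policy values above
if (Get-Command -Name Get-OwaVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-OwaVirtualDirectory | Select-Object Server, Name,
        DirectFileAccessOnPrivateComputersEnabled, DirectFileAccessOnPublicComputersEnabled
}
```

The audit output is worth keeping with the change record: it shows which policies had the type blocked before the change and whether Direct File Access is off on any of them, which is the other reason an attachment link stays grayed out.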

Tuesday, November 26, 2013

Exchange Hybrid #550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

In Exchange hybrid deployments where Exchange Online and on-premises users share the same e-mail namespace (such as alias@domain.com), Office 365 users may be unable to send e-mails to on-premises users and receive a nondelivery report (NDR) error message similar to:
 
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##
 
Amongst other possible reasons, this can be caused if the domain set up in the hybrid deployment is not configured as a shared domain in Office 365. To correct this problem, follow these steps using the Exchange Admin Center in the new Office 365:
1. Sign in to the Office 365 portal as a global admin;
2. In the header, click Admin, and then click Exchange;
3. In the left navigation pane of the Exchange Admin Center, click mail flow and then click accepted domains;
4. Select the domain that is set up for the hybrid deployment, and then click Details;
5. Select Shared, and then click save.
 
The EAC lists the domains that you added to your account through the Microsoft Office 365 portal and lets you manage how messages are delivered to them. In a hybrid scenario, Exchange Online must be set up correctly so that when a cloud-based user sends an e-mail to an on-premises user, Exchange Online routes the e-mail to the on-premises messaging environment.
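The same fix from an Exchange Online remote PowerShell session, added as an example and not part of the original post. It reads the accepted domain first and only changes it when it is not already shared; "Shared" in the EAC corresponds to the InternalRelay domain type. The domain name is a placeholder.

```powershell
# Added example, not from the original post: PowerShell equivalent of the EAC steps.
function Set-HybridDomainShared {
    param([Parameter(Mandatory)][string]$Domain)

    $d = Get-AcceptedDomain -Identity $Domain -ErrorAction Stop
    if ($d.DomainType -eq 'InternalRelay') {
        "$Domain is already Shared (InternalRelay); nothing to do"
        return $d
    }

    # Authoritative means Exchange Online treats unknown recipients as nonexistent, hence the
    # RESOLVER.ADR.ExRecipNotFound NDR; InternalRelay lets mail flow on to on-premises
    "$Domain is $($d.DomainType); changing to InternalRelay"
    Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay
    return (Get-AcceptedDomain -Identity $Domain)
}

# Placeholder domain
Set-HybridDomainShared -Domain 'domain.com' | Select-Object Name, DomainName, DomainType
```

Re-send a test message from a cloud mailbox to an on-premises mailbox afterwards; the NDR in the post title is the symptom to watch for, and it should no longer appear.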

Tuesday, November 19, 2013

Office 365 Service Comparison

The following page can be used to filter and compare features of Office 365 plans, Office 365 services and on-premises products, such as comparing every feature of Exchange Server 2013 on-premises vs. Exchange online: Office 365 service comparison.

This is extremely useful when exploring Exchange Online (or any Office 365 service for that matter) and trying to decide if Exchange Online meets all the organization’s requirements.
 

Monday, November 11, 2013

Exchange 2013 StalledDueToCI Error

When running some tests on Exchange 2013 Cumulative Update 1, namely migrating Public Folders from Exchange 2010 to 2013, I noticed the migration was taking too long. When querying more details regarding the migration request using the cmdlet Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport, I noticed the following error:
The job is currently stalled due to 'Content Indexing' lagging behind on resource 'CiAgeOfLastNotification(Mailbox Database 1415171211)'

When checking the ContentIndexState for this database, it was in a FailedAndSuspended state...

It seems there is a bug in Exchange 2013 RTM and CU1 which causes Exchange not to set up all the groups it needs in Active Directory; in this case the missing group is “ContentSubmitters”. If you are experiencing this problem, you need to:
    1. Manually create the group in AD under the existing Exchange groups OU;
    2. Change the security on the group and allow the Administrators and NetworkService accounts Full Control;
    3. Restart the Microsoft Exchange Search and the Microsoft Exchange Search Host Controller services on every Mailbox server.

Now, you should notice the mailbox databases content index status changing from Failed to Healthy, with the migrations starting to transfer at a much better speed.
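The three steps as a script, added as an example and not part of the original post. It creates the group if it does not exist, grants Full Control on the group object to BUILTIN\Administrators (S-1-5-32-544) and NT AUTHORITY\NETWORK SERVICE (S-1-5-20), restarts the two search services on every Mailbox server, and then shows the content index state. Assumptions: the OU passed in is your Exchange security groups OU, the group is created with universal scope, and the service names are MSExchangeFastSearch and HostControllerService. It needs the ActiveDirectory module and an Exchange Management Shell session.

```powershell
# Added example, not from the original post: creates ContentSubmitters, sets its ACL, restarts search.
Import-Module ActiveDirectory

function New-ContentSubmittersGroup {
    param(
        [Parameter(Mandatory)][string]$GroupOU,     # e.g. OU=Microsoft Exchange Security Groups,DC=contoso,DC=example
        [string]$GroupName = 'ContentSubmitters'
    )
    # Step 1: create the group (skipped if it already exists); universal scope is an assumption
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                             -Path $GroupOU -PassThru
    }

    # Step 2: Full Control (GenericAll) on the group object for Administrators and NETWORK SERVICE
    $path = "AD:\$($group.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-20') {
        $identity = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid
        $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $identity,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    return $group
}

function Restart-ExchangeSearchServices {
    # Step 3: Microsoft Exchange Search and Search Host Controller on every Mailbox server
    foreach ($server in Get-MailboxServer) {
        Invoke-Command -ComputerName $server.Name -ScriptBlock {
            Restart-Service -Name HostControllerService, MSExchangeFastSearch -Force
        }
    }
}

# Placeholder OU
New-ContentSubmittersGroup -GroupOU 'OU=Microsoft Exchange Security Groups,DC=contoso,DC=example'
Restart-ExchangeSearchServices

# The index state should move from FailedAndSuspended to Healthy
Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus |
    Select-Object Name, Status, ContentIndexState
```

The ACL step is the one to double-check afterwards (Get-Acl on the group's AD: path and look for the two allow entries); without it the search host controller still cannot submit content and the index stays failed.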

Monday, November 4, 2013

Exchange 2013 DAG with Dynamic Quorum

Windows Server 2012 introduced a new quorum model called Failover Clustering Dynamic Quorum, which we can use with Exchange. When using Dynamic Quorum, the cluster dynamically manages the vote assignment to nodes based on the state of each node. When a node shuts down or crashes, it loses its quorum vote. When a node successfully re-joins the cluster, it regains its quorum vote. By dynamically adjusting the assignment of quorum votes, the cluster can increase or decrease the number of quorum votes that are required to keep it running. This enables the cluster to maintain availability during sequential node failures or shutdowns.
 
With a dynamic quorum, the cluster quorum majority is determined by the set of nodes that are active members of the cluster at any time. This is an important distinction from the cluster quorum in Windows Server 2008 R2 where the quorum majority is fixed, based on the initial cluster configuration.
 
The advantage this brings is that it is now possible for a cluster to run even if the number of nodes remaining in the cluster is less than 50%! By dynamically adjusting the quorum majority requirement, the cluster can sustain sequential node shutdowns down to a single node and still keep running. It does not allow the cluster to sustain a simultaneous failure of a majority of voting members though. To continue running, the cluster must always have a quorum majority at the time of a node shutdown or failure.
 
 
The following picture shows a DAG still operational even though two out of three servers are offline:
 
 
To read more about this feature, including tests with an Exchange 2013 DAG, please check my Exchange 2013 DAG with Dynamic Quorum article on MSExchange.org.
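A way to see the vote adjustment described above on a live DAG, added as an example and not part of the original article. It reads the cluster's DynamicQuorum setting, the configured vote (NodeWeight) and the currently assigned vote (DynamicWeight) of each node, and works out how many votes the cluster needs right now. Only node votes are counted; a file share witness vote, if the DAG has one, is not included. Run it on a DAG member with the FailoverClusters module; the cluster name is a placeholder (the DAG name is the cluster name).

```powershell
# Added example, not from the original article: current quorum arithmetic for a DAG's cluster.
Import-Module FailoverClusters

function Get-DagQuorumState {
    param([Parameter(Mandatory)][string]$ClusterName)

    $cluster = Get-Cluster -Name $ClusterName
    $quorum  = Get-ClusterQuorum -Cluster $ClusterName
    $nodes   = Get-ClusterNode -Cluster $ClusterName |
               Select-Object Name, State, NodeWeight, DynamicWeight

    # NodeWeight is the configured vote; DynamicWeight is the vote the cluster assigns right now
    # (a node that went down sequentially has already had its DynamicWeight set to 0)
    $configured = ($nodes | Measure-Object -Property NodeWeight    -Sum).Sum
    $current    = ($nodes | Measure-Object -Property DynamicWeight -Sum).Sum
    $upVotes    = ($nodes | Where-Object { "$($_.State)" -eq 'Up' -and $_.DynamicWeight -eq 1 } |
                   Measure-Object).Count
    $needed     = [math]::Floor($current / 2) + 1

    [pscustomobject]@{
        Cluster         = $cluster.Name
        DynamicQuorum   = [bool]$cluster.DynamicQuorum
        QuorumType      = $quorum.QuorumType
        ConfiguredVotes = $configured
        CurrentVotes    = $current
        VotesUp         = $upVotes
        MajorityNeeded  = $needed
        HasMajority     = $upVotes -ge $needed
        Nodes           = $nodes
    }
}

# Placeholder cluster / DAG name
$state = Get-DagQuorumState -ClusterName 'DAG1'
$state | Select-Object Cluster, DynamicQuorum, QuorumType, ConfiguredVotes, CurrentVotes, VotesUp, MajorityNeeded, HasMajority
$state.Nodes | Format-Table -AutoSize
```

Run it before and after shutting down one member: ConfiguredVotes stays the same while CurrentVotes and MajorityNeeded drop, which is the mechanism that lets the three-node DAG in the picture keep running with two members offline.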

Friday, November 1, 2013

Last Logon Information in Exchange 2013

If we want to check when a user last logged on to their mailbox in Exchange 2007 and 2010 we have to use the Exchange Management Shell [EMS] and the following cmdlet:
Get-MailboxStatistics "User" | Select LastLoggedOnUserAccount, LastLogonTime

Note that the LastLoggedOnUserAccount property indicates the account last used to log on to the mailbox. This could be a user with FullAccess permissions to the mailbox, a delegate or even someone simply checking the user’s Calendar!
 
With Exchange 2013 part of this information is now available through the Exchange Administration Centre as well. If you:
    1. Navigate to Recipients and then Mailboxes;
    2. Double-click on the user you want to check this information for;
    3. Select the Mailbox Usage tab and in there you will see the Last Logon date and time.

However, to check who actually logged on, we still need to use the EMS...
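A report built on the cmdlet above, added as an example and not part of the original post. It lists mailboxes whose most recent logon was not performed by the mailbox owner, which per the note above can be a delegate, a Full Access holder or someone viewing the calendar. The comparison strips the DOMAIN\ prefix from LastLoggedOnUserAccount and matches the remainder against the owner's sAMAccountName; the lookback window is a parameter.

```powershell
# Added example, not from the original post: mailboxes last accessed by someone other than the owner.
function Get-MailboxNonOwnerLastLogon {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx   = $_
        $stats = Get-MailboxStatistics -Identity $mbx.Identity -ErrorAction SilentlyContinue
        # Never logged on, or outside the window: skip this mailbox
        if (-not $stats -or -not $stats.LastLogonTime -or $stats.LastLogonTime -lt $since) { return }

        $account = "$($stats.LastLoggedOnUserAccount)"
        $sam     = ($account -split '\\')[-1]         # DOMAIN\user -> user
        if ($account -and $sam -ne $mbx.SamAccountName) {
            [pscustomobject]@{
                Mailbox             = $mbx.DisplayName
                Owner               = $mbx.SamAccountName
                LastLoggedOnAccount = $account
                LastLogonTime       = $stats.LastLogonTime
            }
        }
    }
}

Get-MailboxNonOwnerLastLogon -Days 30 |
    Sort-Object -Property LastLogonTime -Descending |
    Format-Table -AutoSize
```

Expect legitimate entries (shared mailboxes, assistants with delegate rights); the rows worth a second look are personal mailboxes where the last logon account is not a known delegate.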

Monday, October 14, 2013

Office 365 Network Analysis Tool

With BPOS and the first iteration of Office 365, Microsoft provided the Speed Test web tool to assist in determining if an organization’s internet connection could support Microsoft Online services, mainly focusing on Exchange Online and Lync Online. This tool was available from www.microsoftspeedtest.com.

However, for some reason, this tool has not been available for many months now, leaving organizations and IT professionals without a tool to evaluate the impact of Microsoft Online services on their internet connection.

Fortunately, the Office 365 Network Analysis Tool is now available! Similar to Speed Test, this new tool is also web-based and runs several checks such as port connectivity, route paths between the client and tenant, bandwidth speed and capacity tests, and VoIP readiness. At the end of the test the tool generates a nice report.
 
This tool can be found at:
North America
   http://na.deployoffice365.com (URL not yet available)
   http://na1-fasttrack.cloudapp.net

EMEA
   http://emea.deployoffice365.com (URL not yet available)
   http://em1-fasttrack.cloudapp.net

APAC
   http://apac.deployoffice365.com (URL not yet available)
   http://ap1-fasttrack.cloudapp.net




Thursday, October 10, 2013

How to Trigger a Full Password Sync in DirSync

In Windows Azure Active Directory Synchronization Tool (or DirSync), a full Password Sync and a full Directory Sync are two different events. A full Password Sync synchronizes password hashes for all DirSync users, while a full Directory Sync does not trigger a full password sync. By default, the only activity that triggers a full password sync is completing the DirSync’s Configuration Wizard.

But there is a way around this. In order to trigger a full password sync, perform the following steps (you must be using DirSync v6438.0003 or above):
  1. On the DirSync server, run the following .psc1: C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1;
  2. In the new PowerShell console, run Set-FullPasswordSync;
  3. Now load the services console by running Services.msc;
  4. Restart the Forefront Identity Manager Synchronization Service.

Once this is complete, you should see a series of Event ID 656 (Password Sync Request) and Event ID 657 (Password Sync Result) entries indicating that a full password sync was triggered.
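One script that serves both the "Checking DirSync Version" post above and this one, added as an example and not part of the original posts. It reads the installed version from the uninstall registry key shown in that post, refuses to continue below v6438.0003, runs Set-FullPasswordSync, restarts the Forefront Identity Manager Synchronization Service, and then waits for the Event ID 656/657 entries. Assumptions: DisplayVersion has the form major.minor.6438.0003; the cmdlets that DirSyncConfigShell.psc1 loads are available in a normal console through Add-PSSnapin Coexistence-Configuration; the service name is FIMSynchronizationService; and the events land in the Application log.

```powershell
# Added example, not from the original posts: version gate, full password sync, event check.
function Get-DirSyncVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync'
    [version](Get-ItemProperty -Path $key -ErrorAction Stop).DisplayVersion
}

function Test-DirSyncMinimumBuild {
    param([Parameter(Mandatory)][version]$Version, [int]$Build = 6438, [int]$Revision = 3)
    # Compare build.revision only, so the major.minor part of DisplayVersion does not matter
    ($Version.Build -gt $Build) -or ($Version.Build -eq $Build -and $Version.Revision -ge $Revision)
}

function Start-DirSyncFullPasswordSync {
    param([int]$WaitMinutes = 10)

    $v = Get-DirSyncVersion
    if (-not (Test-DirSyncMinimumBuild -Version $v)) {
        throw "DirSync $v is older than v6438.0003; full password sync is not available"
    }

    # Steps 1-2: load the DirSync cmdlets (snap-in name is an assumption) and request the sync
    if (-not (Get-PSSnapin -Name Coexistence-Configuration -ErrorAction SilentlyContinue)) {
        Add-PSSnapin -Name Coexistence-Configuration -ErrorAction Stop
    }
    Set-FullPasswordSync

    # Steps 3-4: restart the FIM synchronization service (service name is an assumption)
    Restart-Service -Name FIMSynchronizationService -Force

    # Wait for 656 (Password Sync Request) / 657 (Password Sync Result) written after the restart
    $start = Get-Date
    do {
        Start-Sleep -Seconds 30
        $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Application'
            Id        = 656, 657
            StartTime = $start
        }
    } until ($events -or (Get-Date) -gt $start.AddMinutes($WaitMinutes))

    if (-not $events) { Write-Warning "No 656/657 events seen within $WaitMinutes minutes" }
    $events | Select-Object TimeCreated, Id, ProviderName, Message
}

Start-DirSyncFullPasswordSync
```

A 656 with no matching 657 after the wait usually means the sync request was queued but the service could not complete it; the 657 message text is where the per-user result is reported.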