Wednesday, May 14, 2014

Exchange 2013 Platform Options

For BDMs and architects, this model describes the platform options available for Exchange 2013. Customers can choose from Exchange Online with Office 365, Hybrid Exchange, Exchange Server on-premises and Hosted Exchange. The poster details each architectural option, including the scenarios it suits best, the license requirements and the IT Pro responsibilities.

Get the poster in PDF or Visio format from the Download Center.
 
 

Wednesday, May 7, 2014

Exchange Cmdlet History in Exchange 2010/2013

Having a list of all the Exchange cmdlets that were run is always useful. Besides the usual methods, such as the PowerShell window history (press the F7 key) or the administrator audit log, the Windows event log also keeps a record of these cmdlets.

In both Exchange 2010 and 2013, most cmdlets are recorded in the Applications and Services Logs -> MSExchange Management event log.

The entries have the source MSExchange CmdletLogs and an Event ID of 1 (cmdlet ran successfully) or 6 (cmdlet failed).

For example, by running the following cmdlet: Add-MailboxPermission Mota –User Nuno –AccessRights FullAccess –InheritanceType All

We get this entry in the event log: Cmdlet Add-MailboxPermission, parameters {Identity=Mota, User=Nuno, AccessRights={FullAccess}, InheritanceType=All}.

NOTE: Get-* cmdlets are not logged. Also bear in mind that this log lives on each individual Exchange server and can be cleared by anyone with local administrator rights, so treat it as a convenient local trace that complements the administrator audit log rather than as the authoritative record; if you rely on it for investigations, forward it to a central collector.
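As an added example (not code from the original post), the following script reads the MSExchange Management log described above on the local server, parses each entry into cmdlet and parameters, and then picks out the ones that change who can access what. The log and provider names and the message format are taken from the post; the list of "sensitive" cmdlets and the seven-day window are this example's own choices.

```powershell
# Added example: mine the MSExchange Management log for cmdlet executions.
# Run in a PowerShell session on an Exchange 2010/2013 server.

# Cmdlets worth a second look (this example's own list; adjust to taste)
$sensitive = @(
    'Add-MailboxPermission', 'Add-ADPermission', 'Add-MailboxFolderPermission',
    'New-ManagementRoleAssignment', 'Add-RoleGroupMember',
    'New-MailboxExportRequest', 'New-TransportRule', 'Set-TransportRule',
    'Set-Mailbox'   # e.g. forwarding changes
)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'MSExchange Management'
    ProviderName = 'MSExchange CmdletLogs'
    Id           = 1, 6                      # 1 = succeeded, 6 = failed
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    # Message body reads like:
    #   "Cmdlet Add-MailboxPermission, parameters {Identity=Mota, User=Nuno, ...}."
    $cmdlet = if ($e.Message -match 'Cmdlet\s+(\S+?),')            { $Matches[1] } else { '(unparsed)' }
    $params = if ($e.Message -match '(?s)parameters\s+(\{.*\})')  { $Matches[1] } else { '' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 1) { 'Succeeded' } else { 'Failed' }
        Server     = $e.MachineName
        Cmdlet     = $cmdlet
        Parameters = $params
    }
}

# Everything that ran, newest first
$records | Sort-Object Time -Descending | Format-Table Time, Result, Cmdlet -AutoSize

# Only the sensitive ones, with their full parameter list
$records |
    Where-Object { $sensitive -contains $_.Cmdlet } |
    Sort-Object Time -Descending |
    Format-List Time, Result, Server, Cmdlet, Parameters
```

Because the event log does not record the caller, pair the timestamps with the administrator audit log (or the interactive logon events on the same server) when you need to know who ran a given cmdlet.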

Tuesday, April 29, 2014

Check Account Permissions to Mailboxes

If you want to check what permissions an Active Directory user account has on a specific mailbox, simply use the following cmdlet, which enumerates all the permissions that user has on that mailbox:
Get-Mailbox "mailbox" | Get-MailboxPermission -User "AD_user"

If, alternatively, you want to check which mailboxes that user has permissions on, you can change the cmdlet to:
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User "AD_user" | FT Identity, AccessRights, Deny
However, please be careful, as this enumerates every mailbox in the organization. If there are tens of thousands, you might want to target only specific mailboxes. Also note that Get-MailboxPermission reports the access control entries on the mailbox: rights granted through a security group the user belongs to appear under the group's name, not the user's, so filtering on -User alone will miss them.
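As an added example (not code from the original post), the following audit goes the other way round: rather than asking what one user can reach, it lists every explicit (non-inherited) FullAccess grant on every mailbox, drops the owner's own SELF entry and orphaned SIDs, and marks trustees that are groups, which is where a per-user query would be blind. The group lookup via Get-Group and the CSV file name are this example's own choices.

```powershell
# Added example: organization-wide audit of explicit FullAccess grants.
# Run in the Exchange Management Shell (Exchange 2010/2013). This walks
# every mailbox, so schedule it off-hours in large organizations.

$grants = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and                              # explicit grants only
        -not $_.Deny -and                                     # Allow entries only
        (($_.AccessRights -join ',') -match 'FullAccess') -and
        ($_.User.ToString() -notlike 'NT AUTHORITY\SELF') -and # the owner's own entry
        ($_.User.ToString() -notlike 'S-1-5-*')                # orphaned SIDs of deleted accounts
    } |
    Select-Object Identity, User, AccessRights

# A grant to a group fans out to every member, so flag those separately
$report = foreach ($g in $grants) {
    $trustee = $g.User.ToString()
    $name    = ($trustee -split '\\')[-1]
    $isGroup = (@(Get-Group -Identity $name -ErrorAction SilentlyContinue)).Count -gt 0
    [pscustomobject]@{
        Mailbox = $g.Identity.ToString()
        Trustee = $trustee
        IsGroup = $isGroup
        Rights  = ($g.AccessRights -join ',')
    }
}

$report | Sort-Object IsGroup, Mailbox -Descending | Format-Table -AutoSize

# Keep a dated copy so the next run can be diffed against this one
$report | Export-Csv -Path "MailboxFullAccess-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Comparing successive CSV exports is the cheapest way to notice a FullAccess grant that appeared between two audits; the MSExchange Management event log or the administrator audit log will then tell you when it was added.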

Modifying a user’s group membership may impact Exchange hybrid

Many organizations currently run an Exchange Hybrid deployment between their on-premises Exchange and Exchange Online in Office 365. As part of the hybrid configuration, the directory synchronization account (MSOL_AD_Sync_RichCoexistence) is granted write access to a handful of Exchange attributes on user objects so that changes made in Exchange Online can be written back to the on-premises AD. Users who are members of the protected groups listed below do not keep that permission: roughly every 60 minutes the SDProp process replaces the ACL on protected accounts with the ACL of the AdminSDHolder object, which does not contain the sync account's entries. Writeback for those users therefore fails, and they will not have access to the corresponding features until the procedure documented below is executed.

The affected security groups are:
   • Schema Admins;
   • Enterprise Admins;
   • Cert Publishers;
   • Domain Admins;
   • Account Operators;
   • Print Operators;
   • Administrators (domain local);
   • Server Operators;
   • Backup Operators.

To resolve this issue, use the dsacls tool to grant the MSOL_AD_Sync_RichCoexistence account the same write permissions on the AdminSDHolder object in your local Active Directory forest. Because SDProp copies the AdminSDHolder ACL to every protected account, each entry you add here is effectively granted on all protected accounts in the domain; keep the grants limited to the six attributes below and protect the sync account's credentials accordingly.

dsacls.exe ships with the AD DS tools on Windows Server 2008 and later (install the Remote Server Administration Tools on a member server); on Windows Server 2003 it is part of the Windows Server 2003 Service Pack 1 (SP1) Support Tools.
Next, run the following commands, replacing DC=domain,DC=com with the distinguished name of your domain:
dsacls CN=AdminSDHolder,CN=System,DC=domain,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"msExchArchiveStatus"

dsacls CN=AdminSDHolder,CN=System,DC=domain,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"msExchBlockedSendersHash"

dsacls CN=AdminSDHolder,CN=System,DC=domain,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"msExchSafeRecipientsHash"

dsacls CN=AdminSDHolder,CN=System,DC=domain,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"msExchSafeSendersHash"

dsacls CN=AdminSDHolder,CN=System,DC=domain,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"msExchUCVoiceMailSettings"

dsacls CN=AdminSDHolder,CN=System,DC=domain,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"proxyAddresses"
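As an added example (not code from the original post), the following script checks whether the six WriteProperty entries are actually present on AdminSDHolder, prints the dsacls commands for any that are missing (and runs them when $Fix is set), and finally lists the protected accounts (adminCount=1) that will pick up the corrected ACL on the next SDProp pass. It assumes the ActiveDirectory PowerShell module is available, that the sync account has the default name, that the domain's NetBIOS name is the right prefix for dsacls, and that it is run by a Domain Admin.

```powershell
# Added example: verify (and optionally repair) the sync account's ACEs on AdminSDHolder.
Import-Module ActiveDirectory

$Fix         = $false                           # set to $true to run the dsacls grants
$syncAccount = 'MSOL_AD_Sync_RichCoexistence'   # assumption: default account name
$attributes  = 'msExchArchiveStatus', 'msExchBlockedSendersHash', 'msExchSafeRecipientsHash',
               'msExchSafeSendersHash', 'msExchUCVoiceMailSettings', 'proxyAddresses'

$domain        = Get-ADDomain
$adminSDHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$schemaNC      = (Get-ADRootDSE).schemaNamingContext

# Attribute-specific ACEs reference the attribute by its schemaIDGUID, not its name
$guidToAttr = @{}
foreach ($attr in $attributes) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if (-not $schemaObj) { throw "Schema attribute $attr not found; is the Exchange schema extended?" }
    $guidToAttr[([guid]$schemaObj.schemaIDGUID).ToString()] = $attr
}

$writeProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl = Get-Acl -Path "AD:\$adminSDHolder"

# Names of the attributes the sync account can already write (explicit, attribute-scoped ACEs only)
$granted = $acl.Access |
    Where-Object {
        $_.IdentityReference.Value -like "*\$syncAccount" -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $writeProperty) -ne 0) -and
        $guidToAttr.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object { $guidToAttr[$_.ObjectType.ToString()] }

$missing = $attributes | Where-Object { $granted -notcontains $_ }
if (-not $missing) {
    "All six WriteProperty ACEs for $syncAccount are present on AdminSDHolder."
} else {
    "Missing on AdminSDHolder: $($missing -join ', ')"
    foreach ($attr in $missing) {
        $grantee = "$($domain.NetBIOSName)\${syncAccount}:WP;$attr"
        if ($Fix) {
            & dsacls $adminSDHolder /G $grantee
        } else {
            "Would run: dsacls $adminSDHolder /G $grantee"
        }
    }
}

# Protected accounts that inherit this ACL from AdminSDHolder, i.e. the users
# whose hybrid writeback was failing
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName
```

The check deliberately looks only for attribute-scoped WriteProperty entries, so a broader grant (GenericWrite, or write on a property set) would show up as "missing" even though it would also work; that is the safer direction to err in, since you want the sync account to hold the narrowest grant that fixes the problem.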

Thursday, April 24, 2014

Installing DirSync on a Domain Controller

The Active Directory Sync tool [DirSync] can now be installed on an Active Directory Domain Controller [DC] as long as you install version 6553.0002 or above.

The process of installing DirSync on a DC is mostly the same as for a normal deployment. However, the administrator installing the tool will need to log off and log on again after the Installation Wizard completes and before the Configuration Wizard is run. This extra step is necessary so that the Directory Sync tool runs with the least privileges possible on the DC: the installer adds the installing account to a local group, and the new membership is only reflected in a fresh logon session.

If you skip this step, the Configuration Wizard returns a “Constraint Violation Error”. If you hit this error, simply log off and log on again and you will be able to proceed.

Note that the recommendation is still to deploy DirSync on a member server rather than a DC as it will install FIM 2010 R2 SP1 and SQL Server 2012 Express SP1 by default, which can add overhead to your DC.

Tuesday, April 22, 2014

Exchange Server 2013 SP1 Architecture Poster

The latest version of the architecture poster for Exchange 2013 has now been released, this time for SP1.
 
Previously made available at the Microsoft Exchange Conference [MEC], it is now available to everyone at the Download Center: Microsoft Exchange Server 2013 Service Pack 1 Architecture Overview.

Tuesday, April 15, 2014

Azure Active Directory Sync Services goes Beta

Microsoft Azure Active Directory Sync Services (AADSync) has been announced as Customer Technology Preview (CTP) and is available through the Connect site.

AADSync, the next iteration of FIM 2010 and DirSync, is used to onboard an on-premises environment to Windows Azure Active Directory and Office 365 and to keep synchronizing changes afterwards. This new version supports more advanced scenarios that DirSync, which targets single-forest organizations, does not. FIM addresses scenarios that DirSync cannot, but it is often too complex for most IT admins to configure. With AADSync, Microsoft is making this configuration much easier and more predictable.

One example of such scenario is the “Fully mesh with optional GALSync”, which allows users and resources to be located in any forest (commonly there would be two-way trusts between the forests). If Exchange is present in more than one forest, there could optionally be a GALSync solution representing a user in one forest as a contact in each other forest.
 
In this scenario, AADSync joins on the mail attribute, so a user with a mailbox in one forest is joined with the contacts that represent that user in the other forests. Distribution and security groups can exist in each forest and can contain a mix of users, contacts and FSPs (Foreign Security Principals).

For more information, please visit www.aadsync.com. Note that the content on this site will be moved to TechNet once AADSync has been released.

Stay tuned for further details on AADSync!

Office 365 and Heartbleed

As most IT people already know by now, on April 8, 2014, security researchers announced a flaw in the OpenSSL encryption software library used by many websites to protect customers’ data. The vulnerability, known as “Heartbleed”, could potentially allow a cyber-attacker to access a website’s customer data along with traffic encryption keys.

The good news for Microsoft customers/users is that, after a thorough investigation, Microsoft determined that Microsoft Account, Microsoft Azure, Office 365, Yammer and Skype, along with most Microsoft Services, are not impacted by the OpenSSL “Heartbleed” vulnerability. Windows’ implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections.

Monday, April 14, 2014

Exchange Hybrid Migration Endpoints

A migration endpoint is a management object in Exchange Online that contains the connection settings and administrator credentials for the source server that hosts the mailboxes that we want to migrate to Exchange Online.

For certain migration types such as a cutover or staged migration, the migration endpoint also defines the number of mailboxes to migrate simultaneously during initial synchronization and the number of mailboxes to synchronize simultaneously during incremental synchronization, which occurs once every 24 hours. During incremental synchronization, on-premises and Exchange Online mailboxes are synchronized so that new e-mails sent to mailboxes on the source server are copied to the corresponding Exchange Online mailbox.

In this post we are going to look at migration endpoints for a Hybrid deployment. When moving mailboxes, Exchange will try to determine the migration endpoint (the MRS Proxy FQDN) automatically. If that fails, we can enter it manually, for example in the EAC. Once a migration endpoint has been created it is not deleted, so Exchange can re-use it for further migrations.

It is always recommended to test the connection settings to the server that hosts the mailboxes we want to migrate. The settings are tested when the endpoint is created, but verifying them first gives us a chance to troubleshoot any issues before anything is saved (the Credentials parameter holds the logon credentials of an on-premises account that can access the mailboxes being migrated; since the endpoint stores these credentials in Exchange Online, use a dedicated account with no more rights than the moves require):
$Credentials = Get-Credential
Test-MigrationServerAvailability -ExchangeRemoteMove -Autodiscover -EmailAddress "email address for on-premises admin account" -Credentials $Credentials

For onboarding and offboarding remote move migrations in an Exchange hybrid deployment, we have to create Exchange Remote migration endpoints. The migration endpoint contains the connection settings for a Client Access server in our on-premises Exchange organization. To allow this Client Access server to accept incoming remote move requests, we have to enable the MRS Proxy endpoint on its EWS virtual directory by running:
Set-WebServicesVirtualDirectory "EXCH-SERVER\EWS (Default Web Site)" -MRSProxyEnabled $True
or, for every Client Access server at once:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSProxyEnabled $True
Keep in mind that MRS Proxy answers through the same EWS virtual directory that hybrid publishes to the internet, so it is reachable externally. It only accepts authenticated requests, which is one more reason to keep the credentials used by the migration endpoint tightly controlled.

Note: the same Exchange Remote migration endpoint can be used for moving on-premises mailboxes to Exchange Online or for moving Exchange Online mailboxes to your on-premises organization.


The following example creates an endpoint for remote moves by using the Autodiscover parameter to detect the required settings:
$Credentials = Get-Credential
New-MigrationEndpoint -ExchangeRemoteMove -Name OnpremEndpoint -Autodiscover -EmailAddress administrator@letsexchange.com -Credentials $Credentials

Alternatively, we can manually specify the FQDN of the server(s) we want to use (useful in a globally dispersed environment to ensure that mailboxes are moved through a local server):
$Credentials = Get-Credential
New-MigrationEndpoint -ExchangeRemoteMove -Name OnpremEndpoint -RemoteServer MRSserver.letsexchange.com -EmailAddress administrator@letsexchange.com -Credentials $Credentials

In this case, when moving mailboxes using New-MigrationBatch we can use the SourceEndpoint parameter to specify the endpoint we just created.

To verify that we have successfully created the Remote migration endpoint, simply run:
Get-MigrationEndpoint OnpremEndpoint | FL
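As an added example (not code from the original post), the following script strings the steps above together into one onboarding run from an Exchange Online PowerShell session: it tests the MRS Proxy, re-uses the endpoint if one already exists, builds a migration batch against it with -SourceEndpoint, and shows how to watch the per-user status. The endpoint name, MRS Proxy FQDN, migration account UPN, target delivery domain and the two mailboxes in the CSV are placeholders for this example.

```powershell
# Added example: end-to-end remote move onboarding against a named endpoint.
# Run from a PowerShell session connected to Exchange Online.

$Credentials  = Get-Credential -Message 'On-premises migration account'
$endpointName = 'OnpremEndpoint'
$mrsProxyFqdn = 'mail.letsexchange.com'                  # placeholder
$adminUpn     = 'migration.svc@letsexchange.com'         # placeholder, dedicated account
$targetDomain = 'letsexchange.mail.onmicrosoft.com'      # placeholder: the hybrid routing domain

# 1. Prove the MRS Proxy endpoint answers before anything is stored in the tenant
Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $mrsProxyFqdn -Credentials $Credentials

# 2. Endpoints are not auto-deleted, so re-use one if it already exists
$endpoint = Get-MigrationEndpoint -Identity $endpointName -ErrorAction SilentlyContinue
if (-not $endpoint) {
    $endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name $endpointName `
        -RemoteServer $mrsProxyFqdn -EmailAddress $adminUpn -Credentials $Credentials
}

# 3. The list of mailboxes to onboard (constructed inline for the example)
$csvPath = Join-Path $env:TEMP 'onboard-batch1.csv'
@'
EmailAddress
nuno@letsexchange.com
mota@letsexchange.com
'@ | Set-Content -Path $csvPath -Encoding ASCII

# 4. Create the batch against that endpoint; -AutoStart begins the initial sync immediately
$batch = New-MigrationBatch -Name 'Onboard-Batch1' `
    -SourceEndpoint $endpoint.Identity `
    -TargetDeliveryDomain $targetDomain `
    -CSVData ([System.IO.File]::ReadAllBytes($csvPath)) `
    -AutoStart

# 5. Follow progress per user; complete the batch once everyone shows Synced
Get-MigrationUser -BatchId $batch.Identity | Format-Table Identity, Status, ErrorSummary -AutoSize
# Complete-MigrationBatch -Identity $batch.Identity
```

Remove the CSV afterwards if it contains anything beyond addresses, and remember that the endpoint object keeps the on-premises credentials: rotate that account's password and update the endpoint (Set-MigrationEndpoint -Credentials) once the migration project is over.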

Tuesday, April 8, 2014

DirSync and Azure Active Directory Object Limits

Since May 2012, all Azure Active Directory and Office 365 customers have had a default object limit of 50,000 objects (users, mail-enabled contacts and groups).
This limit applies regardless of how the objects are created: through DirSync, PowerShell, the Graph API or manually.

What some administrators are not aware of, is that when the first domain is verified, this object limit is automatically increased to 300,000 objects (each tenant is only granted one increase).

As before, if you have verified a domain and need to synchronize more than 300,000 objects OR you do not have any domains to verify and need to synchronize more than 50,000 objects, you will need to contact Azure Active Directory Support to request an increase to your object quota limit.

Also, please note that objects that were once present in your on-premises Active Directory, synchronized to Azure AD via DirSync and then deleted, may still count towards your Azure AD object limit for up to 30 days. If the sum of these deleted objects and the remaining active objects exceeds your object limit, you may keep receiving notifications that you have exceeded it even though the objects no longer appear in the on-premises AD or in Azure AD. You can clear them by running:
Get-MsolUser -ReturnDeletedUser -All | Remove-MsolUser -RemoveFromRecycleBin –Force
Be aware that -RemoveFromRecycleBin permanently purges the users, so they can no longer be brought back with Restore-MsolUser, and that the command as written purges every deleted user in the tenant, not only the ones that came from DirSync. Filter the output of Get-MsolUser -ReturnDeletedUser before piping it to Remove-MsolUser if that is not what you intend.

Despite this 300,000 object limit, it is still recommended to run DirSync on a full installation of SQL Server if you plan to synchronize more than 50,000 objects.

Friday, April 4, 2014

Exchange Through the Ages


Exchange 2013 Server Role Requirements Calculator v6.3

v6.3 of the Exchange 2013 Server Role Requirements Calculator has just been released.
To download it click here and for more information see the Exchange 2013 Server Role Requirements Calculator post on the Exchange Team's blog.
 
Changes to this version include:
  • Revised Diskpart.ps1 script to create database mount points consistent with JetStress performance counters;
  • Added Calculator version number to record 1, field 3 of the CSV export files;
  • Changes in sizing guidance.
 
As you might already know, Exchange 2013 SP1 introduced the MAPI/HTTP protocol, which causes an increase in requests handled by the CAS role when compared to requests generated by clients using RPC/HTTP. As each connection has a measurable amount of processing overhead, this results in an overall increase to our CPU requirements on CAS, moving from a 1:4 ratio of CAS to Mailbox processor cores, to a 3:8 ratio (a 50% increase)...
 
Exchange Server 2013 Server Role Requirements Calculator v6.3 has been updated to take into account this guidance change.

Tuesday, April 1, 2014

Office 365 Mail Protection Reports

Out of the box, Office 365 offers more than 30 excellent reports for its various services, covering all the important aspects, from mailbox to traffic statistics, from Lync to SharePoint.
 
These reports can be found under reports in the Admin Dashboard. As a side note, please be aware that Exchange Online reports are only visible if you have at least one Exchange Online license within your account.
 
 
However, what some admins are not aware of is that they can generate further mail traffic reports using the Mail Protection Reports! Simply download the MSI that matches your Office installation (32- or 64-bit Office, rather than the operating system platform), install it and then open the shortcut on the Desktop.
 
Click on Query and fill in the username and password of an Office 365 administrator for your tenant. Next, choose the time interval for which to collect data:
 
Click OK and the tool will start gathering information:
 
The results are really impressive:
 
Available are reports around mail traffic, spam, malware, rules, data loss prevention, and more, with some reports being very customizable!

Prevent Office 365 Password Expiration

In Office 365, when not using ADFS or DirSync with Password Sync (in those cases the on-premises policy governs), you can disable password expiration for a cloud account through PowerShell.
Once you have established a PowerShell session to your Office 365 tenant, run:
Set-MsolUser -UserPrincipalName "user@domain.com" -PasswordNeverExpires $True

To change it for all users (note the -All switch; without it Get-MsolUser returns only the first 500 users):
Get-MsolUser -All | Set-MsolUser -PasswordNeverExpires $True

Before doing this for everyone, bear in mind that you are removing one of the few controls the service enforces on cloud-only accounts. A more defensible pattern is to limit the exception to service and shared accounts and to keep strong-password requirements (and, where available, multi-factor authentication) for the rest.
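As an added example (not code from the original post), the following script lists the accounts that already have PasswordNeverExpires set, with the age of their current password, so the exception can be reviewed and kept to the accounts that really need it, and then shows the narrow form of the change for a named list of service accounts. It needs the MSOnline module; the 365-day staleness threshold and the service account UPNs are this example's own choices.

```powershell
# Added example: audit PasswordNeverExpires in a tenant before widening it.
Connect-MsolService

$maxAgeDays = 365   # this example's own definition of "stale"

$report = Get-MsolUser -All |                                  # -All: default is the first 500 only
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    ForEach-Object {
        $age = (New-TimeSpan -Start $_.LastPasswordChangeTimestamp -End (Get-Date)).Days
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            Licensed          = $_.IsLicensed
            StrongPassword    = $_.StrongPasswordRequired
            SignInBlocked     = $_.BlockCredential
            PasswordAgeDays   = $age
            Stale             = ($age -gt $maxAgeDays)
        }
    }

# Oldest passwords first: these are the accounts to question
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# The narrow form: only the accounts that need it, and never with weak passwords allowed
$serviceAccounts = 'svc-scanner@letsexchange.com', 'svc-monitoring@letsexchange.com'   # placeholders
foreach ($upn in $serviceAccounts) {
    Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true -StrongPasswordRequired $true
}
```

Run the audit part again after the change and keep the output; an account that gains PasswordNeverExpires between two runs without a ticket behind it is worth a question.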

Friday, March 28, 2014

Viewing the Administrator Audit Log in Exchange 2013 and Exchange Online

Instead of exporting the administrator audit log, which can take up to 24 hours to receive in an e-mail, in Exchange 2013 CU3 (and above) and Exchange Online you can now view administrator audit log entries in the EAC. To do this, go to Compliance Management -> Auditing and click View the administrator audit log.
 
Up to 1000 entries will be displayed on multiple pages. To narrow the search, you can specify a date range.
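As an added example (not code from the original post), the following script queries the administrator audit log directly with Search-AdminAuditLog, which returns results immediately and is not capped at the 1000 entries the EAC view shows. It pulls the last 30 days of a few high-impact cmdlets, including changes to the audit configuration itself, and summarises them per caller. The cmdlet list and the time window are this example's own choices.

```powershell
# Added example: pull the admin audit log from the shell instead of waiting for the
# e-mailed export. Works in the Exchange 2013 Management Shell and in Exchange Online.

$since = (Get-Date).AddDays(-30)
$watch = 'Add-MailboxPermission', 'Add-ADPermission', 'New-ManagementRoleAssignment',
         'Add-RoleGroupMember', 'New-MailboxExportRequest',
         'New-TransportRule', 'Set-TransportRule',
         'Set-AdminAuditLogConfig'            # someone turning auditing down is itself an event

$entries = Search-AdminAuditLog -Cmdlets $watch -StartDate $since -EndDate (Get-Date) -ResultSize 5000

$rows = foreach ($e in $entries) {
    [pscustomobject]@{
        RunDate    = $e.RunDate
        Caller     = $e.Caller
        Cmdlet     = $e.CmdletName
        Target     = $e.ObjectModified
        Succeeded  = $e.Succeeded
        Parameters = ($e.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

# Chronological detail
$rows | Sort-Object RunDate -Descending | Format-Table RunDate, Caller, Cmdlet, Target, Succeeded -AutoSize

# Who did how much of what: an unexpected caller stands out here
$rows | Group-Object Caller, Cmdlet |
    Select-Object @{n='Caller/Cmdlet'; e={$_.Name}}, Count |
    Sort-Object Count -Descending
```

Unlike the per-server event log, the audit log records the caller and is kept in a system mailbox, so it is the record to preserve and export when an investigation starts.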

Office 365 with Internet Explorer 8

The bottom line is: Office 365 is not designed to work with Internet Explorer [IE] 8, and the user experience in Outlook Web App [OWA] may be degraded, especially on Windows XP and/or on machines with little memory. Office 365 will not provide code fixes for problems encountered when using IE8, and new Office 365 experiences will likely not work at all.

Office 365 is no longer ending all support for IE8 on 8 April 2014, but both the user and support experience will be limited. After 8 April 2014, IE8 users:
  • Will not be deliberately prevented from connecting to the service;
  • Will not receive code fixes for bugs related to IE8. Security fixes will be released as needed;
  • May only use OWA Light (this does not apply to Office 365 Dedicated);
  • Should expect that the quality of other Office 365 user experiences will diminish over time.

While Office 365 Customer Support and Service will attempt to assist customers with IE8-related problems, the only solution to a particular problem may be to upgrade to a modern browser.

The recommended browser is, at this stage, IE9 with at least MS12-037: Cumulative Security Update for Internet Explorer: June 12, 2012 installed. However, IE10 or later is strongly recommended. This is because, similarly to IE8, Office 365 does not offer code fixes to resolve problems encountered when using IE9, the quality of the user experience will likely diminish over time, and that some new Office 365 experiences might not work at all.

As such, to reiterate, IE10 or later is strongly recommended.

Thursday, March 20, 2014

Public Folder permissions lost after Public Folder mailboxes are moved

In an Exchange 2013 organization running CU2 build 15.00.0712.022, moving a Public Folder (PF) mailbox can lose the permissions structure on some PFs in the following situations:

1. If you move a secondary PF mailbox using New-MoveRequest, the permissions on any PF not stored in that secondary PF mailbox are lost from the secondary PF mailbox and replaced by the default Access Control List (ACL). The original ACLs can be restored through a full synchronization by running the following against the affected mailbox:
Update-PublicFolderMailbox -Identity "SecondaryPFMailbox" -InvokeSynchronizer -FullSync

2. If you move the primary PF mailbox using New-MoveRequest, the permissions on any PF not stored in that PF mailbox are lost and replaced by the default ACL, which gives the Default user Author permissions. Note that this is a weakening of access control, not just lost customisation: folders that were restricted become readable and writable by every authenticated user until the ACLs are restored.

To work around this issue, install Exchange 2013 CU2 build 15.00.0712.024 or later.

Exchange 2013 in coexistence scenario might trigger all clients to download OAB

Installing the first Exchange 2013 server in an organization that already has Exchange 2007 or 2010 might trigger all clients in the organization to download a new copy of the OAB, which can result in network saturation and server performance issues.

This occurs because Exchange 2013 creates a new default OAB in the organization that supersedes the Exchange 2007/2010 OAB. Mailboxes that do not have a specific OAB assigned to them, or that are located on a mailbox database that does not have a specific OAB assigned, will download the new default OAB.

To prevent this from happening, assign an OAB to every mailbox or database before installing the first Exchange 2013 server.
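As an added example (not code from the original post), the following script does the preparation step above from the legacy Exchange 2007/2010 Management Shell: it finds every mailbox database with no OAB assigned, counts the mailboxes that would fall through to the organization default, pins those databases to the existing default OAB, and verifies that nothing is left unassigned. The OAB name is the stock "Default Offline Address Book"; change it if yours was renamed.

```powershell
# Added example: pin the legacy OAB to every database before the first Exchange 2013 install.
# Run in the Exchange 2007/2010 Management Shell.

$legacyOab = Get-OfflineAddressBook -Identity 'Default Offline Address Book'   # assumption: stock name

# A mailbox with no OAB of its own uses its database's OAB, so databases are the lever
$dbsWithoutOab = @(Get-MailboxDatabase | Where-Object { -not $_.OfflineAddressBook })
"Databases with no OAB assigned: $($dbsWithoutOab.Count)"

# How many mailboxes currently depend on the organization default
$exposed = 0
foreach ($db in $dbsWithoutOab) {
    $n = @(Get-Mailbox -Database $db.Identity -ResultSize Unlimited |
           Where-Object { -not $_.OfflineAddressBook }).Count
    "  $($db.Name): $n mailboxes would download a new default OAB"
    $exposed += $n
}
"Total mailboxes exposed: $exposed"

# Pin them. Use -WhatIf on the first run to see the change list without applying it.
$dbsWithoutOab | Set-MailboxDatabase -OfflineAddressBook $legacyOab.Identity

# Verify: nothing left unassigned
$stillUnassigned = @(Get-MailboxDatabase | Where-Object { -not $_.OfflineAddressBook })
if ($stillUnassigned.Count -gt 0) {
    Write-Warning "Still unassigned: $(($stillUnassigned | ForEach-Object { $_.Name }) -join ', ')"
} else {
    'Every mailbox database now has an explicit OAB.'
}
```

Run the count section again after the first Exchange 2013 server is installed: if it still reports zero exposed mailboxes, the new default OAB will only be picked up by mailboxes you move there deliberately.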

Tuesday, March 11, 2014

Exchange Admin Center Cmdlet Logging

The Exchange 2010 Management Console included PowerShell cmdlet logging functionality, something that was removed in Exchange 2013. The good news is that this functionality has returned as part of the Exchange Admin Center in Exchange 2013 SP1 and is coming to Exchange Online as well.
 
When you sign in with admin credentials you will find the entry point for the PowerShell log view in the drop-down list beside the help question mark, under “Show Command Logging” (this feature is not available to non-admins):
 
The cmdlet list will display up to 500 entries and includes features such as search, export, start/stop logging, and more.

Friday, February 21, 2014

Exchange Server 2013 High Availability Book

After a lot of work, I have finally released my first book: Microsoft Exchange Server 2013 High Availability!    :)
I now fully appreciate the work involved in the process of writing/releasing a book!
 
 
This practical hands-on guide will provide you with a number of clear scenarios and examples that will explain the mechanics behind the working of Exchange 2013 High Availability and how maximum availability and resilience can be achieved through it.
 
Throughout this book, you will go through all the roles, components, and features that should be considered when addressing high availability. You will go through how to achieve high availability for the Client Access and Mailbox server roles, what’s new in load balancing, site resilience, the new public folders, and much more.
 
You will learn to successfully design, configure, and maintain a highly available Exchange 2013 environment by going through different examples and real-world scenarios, saving you and your company time and money, and eliminating errors.
 
 
The book is available on Amazon.com, Amazon.co.uk, Packt Publishing, and soon in Google Play store, Apple books, Safari books online, Bookshout!, Kobo books, EBL, Vital Source and O'Reilly.

Any feedback appreciated! :)