Praveen

We are all aware of the mailbox 'Full Access' and 'Send As' permissions. What if we have to assign permissions at a more granular level, for example read-only access to an entire mailbox? Is that possible with Exchange mailboxes? The answer is yes, with a little administrative effort.

We will make use of two PowerShell cmdlets to achieve this goal:

Add-MailboxPermission and Add-MailboxFolderPermission.

There is a two-step approach to achieve the desired result.

Step 1 – Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.

Step 2 – Execute Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.

Step 1

Add-MailboxPermission -Identity "Common Mailbox Name" -User "Read Delegate Account Name" -AccessRights ReadPermission -InheritanceType All


Now add the mailbox as an additional mailbox in Outlook and try to open it. You will receive an access permission warning when you try to expand the additional mailbox (ReadTest in this example): the mailbox-level ReadPermission by itself does not make any folder visible. To grant access to expand and view the folders, we now execute step 2.

Step 2

We first grant the permission on the root folder (Top of Information Store) and then on the rest of the folders inside the mailbox. Specifying only the mailbox name as the identity, without a folder path, addresses the root folder.

Add-MailboxFolderPermission -Identity ReadTest -User ReadAdmin -AccessRights Reviewer


Now you will not receive the warning when you expand the mailbox, but you still have no access to any folder. Execute the cmdlet below to assign the Reviewer (read-only) role on the rest of the folders under the mailbox. It skips the conversation-action, Recoverable Items and Sync folders, which are system folders a delegate does not need. The root folder also shows up in the folder statistics; since it already received its entry in the previous step, the loop may report an error for that one folder, which can be ignored.

foreach ($item in (Get-MailboxFolderStatistics ReadTest | Where-Object { ($_.FolderType -ne "ConversationActions") -and ($_.FolderType -notlike "Recoverable*") -and ($_.FolderPath -notlike "/Sync*") })) { $fname = "ReadTest:" + $item.FolderPath.Replace("/", "\"); Add-MailboxFolderPermission $fname -User ReadAdmin -AccessRights Reviewer }

Replace ReadTest and ReadAdmin with the mailbox and the delegate account in your environment.

You may first run the command with -WhatIf added to the Add-MailboxFolderPermission call (inside the closing brace) to see which folders it would touch. It lists the action the command would perform on each folder without changing anything.


Execute the command without the –whatif switch if everything looks okay.


You will now be able to access all the folders with read-only permission. Try to delete a message: Outlook displays an access denied error.

However, the delegate will be able to change the status of the email between read and unread.

That's it. You have now customized the permissions to allow read access only, and so prevented the delegate from deleting items, whether accidentally or on purpose.
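As an added example that is not code from the original post: the two-step procedure above wrapped in one function, so it can be previewed with -WhatIf and re-run without error noise. It assumes the Exchange Management Shell on Exchange 2010 SP1 or later, the mailbox ReadTest and delegate ReadAdmin used in the post, and an account allowed to change mailbox permissions.

```powershell
# Added example, not code from the original post: read-only delegation of a whole mailbox
# (mailbox-level ReadPermission + folder-level Reviewer) as a -WhatIf-capable function.
# Assumptions: Exchange Management Shell (Exchange 2010 SP1 or later), mailbox "ReadTest",
# delegate "ReadAdmin", and an account allowed to change mailbox permissions.
function Grant-ReadOnlyMailboxAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Mailbox,
        [Parameter(Mandatory = $true)] [string] $Delegate
    )

    # Step 1: mailbox-level ReadPermission lets the delegate open the mailbox at all.
    if ($PSCmdlet.ShouldProcess($Mailbox, "grant ReadPermission to $Delegate")) {
        Add-MailboxPermission -Identity $Mailbox -User $Delegate `
            -AccessRights ReadPermission -InheritanceType All | Out-Null
    }

    # Step 2: Reviewer (ReadItems + FolderVisible) on the root and every regular folder.
    # The conversation-action, Recoverable Items and Sync* system folders are skipped, as in the post.
    $folders = Get-MailboxFolderStatistics -Identity $Mailbox | Where-Object {
        $_.FolderType -ne 'ConversationActions' -and
        $_.FolderType -notlike 'Recoverable*' -and
        $_.FolderPath -notlike '/Sync*'
    }

    foreach ($folder in $folders) {
        # The root (Top of Information Store, FolderType "Root") is addressed as "<mailbox>:\",
        # every other folder as "<mailbox>:\Parent\Child".
        if ($folder.FolderType -eq 'Root') {
            $folderId = "${Mailbox}:\"
        } else {
            $folderId = "${Mailbox}:" + $folder.FolderPath.Replace('/', '\')
        }

        if (-not $PSCmdlet.ShouldProcess($folderId, "grant Reviewer to $Delegate")) { continue }
        try {
            Add-MailboxFolderPermission -Identity $folderId -User $Delegate `
                -AccessRights Reviewer -ErrorAction Stop | Out-Null
        } catch {
            # On a re-run this is usually "an existing permission entry was found";
            # anything else (folder not found, unknown user) is worth reading.
            Write-Warning ("{0}: {1}" -f $folderId, $_.Exception.Message)
        }
    }
}

# Preview first, then apply, then audit what the delegate actually holds on one folder.
Grant-ReadOnlyMailboxAccess -Mailbox 'ReadTest' -Delegate 'ReadAdmin' -WhatIf
Grant-ReadOnlyMailboxAccess -Mailbox 'ReadTest' -Delegate 'ReadAdmin'
Get-MailboxFolderPermission -Identity 'ReadTest:\Inbox' | Format-Table User, AccessRights -AutoSize
```

The final Get-MailboxFolderPermission call is the check to keep: delegated folder and mailbox entries are easy to forget and survive the delegate's change of role, so list them (together with Get-MailboxPermission on the mailbox) whenever you review who can read a shared mailbox.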

In detail, you may assign any of the following roles at folder level using the AccessRights parameter of Add-MailboxFolderPermission; each role is the set of individual rights listed beside it:

  • None -  FolderVisible
  • Owner -   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor -  CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor - CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor - CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author - CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor - CreateItems, ReadItems, FolderVisible
  • Reviewer - ReadItems, FolderVisible
  • Contributor - CreateItems, FolderVisible

The above permissions can also be assigned manually from the Outlook client, the same way we assign permissions on public folders we own.

Adding permission to reply and forward along with only read permission

Simply add the 'Send As' permission along with the read permission. On Exchange Online, Add-MailboxPermission -AccessRights SendAs does this; on on-premises Exchange 2010 and 2013, Send As is an Active Directory extended right and is granted with Add-ADPermission -ExtendedRights "Send As" on the mailbox's user object. Keep in mind that Send As is not limited to replies and forwards: the delegate can send any new message that appears to come from the mailbox, so grant it only where that is acceptable and review it (Get-ADPermission or Get-MailboxPermission) together with the read delegation.

Share your comments.

-Praveen

This video will help you deal with Exchange Server 2013 SSL certificate administration simply and with ease. The video gives you an idea about the following:

  • How to Create a Certificate Signing Request on Exchange Server 2013
  • How to Submit the CSR to Certificate Authority (I have used an Enterprise CA to complete my request)
  • How to Complete a Pending Certificate Request (CSR) in Exchange Server 2013
  • How to Verify and Enable the installed SSL Certificate on Exchange Server 2013
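The same four steps from the Exchange Management Shell on Exchange 2013, as an added example that is not part of the original post or video. The names mail.contoso.com and autodiscover.contoso.com, the organization details in the subject, the file paths and the 30-day expiry threshold are assumptions.

```powershell
# Added example, not from the original post or video: create a CSR, complete the pending
# request, verify, and enable the certificate on Exchange 2013 from the Management Shell.
# Assumed names: mail.contoso.com, autodiscover.contoso.com, the subject details, C:\Certs paths.

# 1. Create the certificate signing request. The private key is generated in the local machine
#    store; -PrivateKeyExportable is only needed if the certificate must be copied to other servers.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=Contoso Ltd, cn=mail.contoso.com' `
    -DomainName 'mail.contoso.com', 'autodiscover.contoso.com' `
    -PrivateKeyExportable $true
[System.IO.File]::WriteAllBytes('C:\Certs\mail.contoso.com.req', [System.Text.Encoding]::Unicode.GetBytes($csr))

# 2. Submit C:\Certs\mail.contoso.com.req to the CA (Enterprise CA web enrollment, certreq.exe,
#    or a public CA) and save the issued certificate as C:\Certs\mail.contoso.com.cer.

# 3. Complete the pending request: Exchange matches the issued .cer to the pending request
#    (and its private key) in the local certificate store.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path 'C:\Certs\mail.contoso.com.cer' -Encoding Byte -ReadCount 0))

# 4. Verify before enabling: the names clients connect to must be in CertificateDomains, the
#    chain must validate (Status Valid) and the certificate must not be close to expiry.
$cert | Format-List Subject, CertificateDomains, NotBefore, NotAfter, Status, Thumbprint
if ($cert.Status -ne 'Valid' -or $cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw 'Certificate is not valid or expires within 30 days; fix the chain or renew before enabling it.'
}

# 5. Bind it to the services clients actually use: IIS (OWA, ECP, EWS, ActiveSync, Outlook
#    Anywhere) and SMTP for TLS on transport. Add IMAP/POP only if those services are in use.
#    For SMTP you are asked whether to replace the default self-signed certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP

# 6. Confirm which certificate now carries which services on this server.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize
```

Run the last line again before the old certificate is removed: a self-signed certificate that still carries SMTP is harmless, but one that still carries IIS means the new certificate was never actually bound.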

Share your comments, also let me know if you have any issues in dealing with SSL certificate on Exchange (any version).

-Praveen

 

Restore-DatabaseAvailabilityGroup is one of the cmdlets used when we do a datacenter switchover of an Exchange DAG, especially during a disaster recovery situation. Executing Restore-DatabaseAvailabilityGroup might not succeed, failing with the error below.

WARNING: Server 'EX2010-02' was marked as stopped in database availability group 'DAG-01' but couldn't be removed from the cluster. Error: A server-side database availability group administrative operation failed. Error: The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API '"EvictClusterNodeEx('EX2010.fabrikam.com') failed with 0x46. Error: The remote server has been paused or is in the process of being started"' failed. [Server: Ex2010-DR.fabrikam.com]
WARNING: The operation wasn't successful because an error was encountered. You may find more details in log file "C:\ExchangeSetupLogs\DagTasks\dagtask_2013-09-18_07-23-26.439_restore-databaseavailabilitygroup.log".
Server 'EX2010' in database availability group 'DAG-01' is marked to be stopped, but couldn't be removed from the cluster. Error: A server-side database availability group administrative operation failed. Error: The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API '"EvictClusterNodeEx('EX2010-02.fabrikam.com') failed with 0x46. Error: The remote server has been paused or is in the process of being started"' failed. [Server: Ex2010-DR.fabrikam.com]
    + CategoryInfo          : InvalidArgument: (:) [Restore-DatabaseAvailabilityGroup], FailedToEvictNodeException
    + FullyQualifiedErrorId : EF6ADD3F,Microsoft.Exchange.Management.SystemConfigurationTasks.RestoreDatabaseAvailabilityGroup

Before we jump into the solution, let’s understand what the command actually does,

  1. It forms the cluster with started DAG members using /forcequorum
  2. It evicts the stopped DAG member from the cluster nodes list.

You might observe that some stopped DAG members are evicted successfully and the cmdlet fails on one of them. What I observed is that it can be due to a delay in information replication or a communication failure.

Solution:

The issue can be worked around in a couple of ways:

  1. Run the Restore-DatabaseAvailabilityGroup cmdlet again after some time and see if the activity succeeds. (Note – on Exchange 2010 SP1 or later you may re-run it while the cluster service is up and running. Administrators of earlier versions, please excuse me !!)
  2. If you are unsuccessful from the Exchange Management Shell, try evicting the server from the Failover Cluster Manager MMC.

As mentioned, on Exchange 2010 SP1 and above you may run the Restore-DatabaseAvailabilityGroup cmdlet a couple of times to see if it succeeds, without stopping the cluster service.
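As an added example (not code from the original post): retrying the restore a few times and, for any stopped server the cmdlet still cannot evict, doing the eviction from PowerShell with the FailoverClusters module instead of the Failover Cluster Manager MMC. The DAG name DAG-01 comes from the error above; the site name DR-Site, the retry count and the wait between attempts are assumptions. Run it in the Exchange Management Shell on a surviving DAG member in the DR site.

```powershell
# Added example, not code from the original post: retry Restore-DatabaseAvailabilityGroup,
# then evict any stopped member that is still a cluster node (the MMC step, done in PowerShell).
# Assumptions: DAG "DAG-01" (from the error above), DR site "DR-Site", 3 attempts, 60 s apart.
$dagName     = 'DAG-01'
$drSite      = 'DR-Site'
$maxAttempts = 3

$restored = $false
for ($attempt = 1; ($attempt -le $maxAttempts) -and (-not $restored); $attempt++) {
    try {
        Restore-DatabaseAvailabilityGroup -Identity $dagName -ActiveDirectorySite $drSite -ErrorAction Stop
        $restored = $true
    } catch {
        Write-Warning "Attempt ${attempt}: $($_.Exception.Message)"
        Start-Sleep -Seconds 60   # let cluster state and AD replication settle before retrying
    }
}

# Whatever the outcome, compare the DAG's view of its members with the cluster's view.
$dagInfo = Get-DatabaseAvailabilityGroup -Identity $dagName -Status
"Started: " + (($dagInfo.StartedMailboxServers | ForEach-Object { $_.Name }) -join ', ')
"Stopped: " + (($dagInfo.StoppedMailboxServers | ForEach-Object { $_.Name }) -join ', ')

Import-Module FailoverClusters
# The DAG's underlying Windows failover cluster carries the DAG's name.
$clusterNodes = Get-ClusterNode -Cluster $dagName | ForEach-Object { $_.Name }

# Stopped servers that are still cluster nodes are the ones the cmdlet failed to evict.
$stuck = @($dagInfo.StoppedMailboxServers | Where-Object { $clusterNodes -contains $_.Name })
if ($stuck.Count -gt 0) {
    foreach ($node in $stuck) {
        # Same as "Evict" in Failover Cluster Manager (legacy: cluster.exe node <name> /evict).
        Remove-ClusterNode -Cluster $dagName -Name $node.Name -Force
    }
    # Re-run the restore so Exchange's DAG membership view matches the cluster again.
    Restore-DatabaseAvailabilityGroup -Identity $dagName -ActiveDirectorySite $drSite
}
```

Evicting only the servers that are both marked stopped in the DAG and still present in the cluster is the safety check here: it keeps the script from touching a member that the restore already handled, or one that is still started.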

-Praveen

Exchange installation sets the transport queue database and its logging path inside the installation directory by default. Many times, for various reasons, we move the transport queue database and logs to another drive. You can adopt either of the following methods.

Method 1: Use the Powershell Script Move-TransportDatabase.ps1

This is the easiest method, and the one I strongly recommend.

1. Move the queue database path by running the cmdlet below,

.\Move-TransportDatabase.ps1 -queueDatabasePath:"H:\ExchangeDatabases\TransportQueue"

2. Move the queue database logging path by executing the cmdlet below,

.\Move-TransportDatabase.ps1 -queueDatabaseLoggingPath:"H:\ExchangeDatabases\TransportQueue"

You are done!

Method 2: Modify the EdgeTransport.exe.config file in the "%ExchangeInstallPath%Bin" path.

Open "%ExchangeInstallPath%Bin\EdgeTransport.exe.config" in Notepad and modify the entries below,

<add key="QueueDatabasePath" value="<LocalPath>" />
<add key="QueueDatabaseLoggingPath" value="<LocalPath>" />

Replace <LocalPath> with the new location you created; in my case it is "H:\ExchangeDatabases\TransportQueue" and the changed entries are as shown below.

<add key="QueueDatabasePath" value="H:\ExchangeDatabases\TransportQueue" />
<add key="QueueDatabaseLoggingPath" value="H:\ExchangeDatabases\TransportQueue" />

Save and close Notepad, and restart the Microsoft Exchange Transport service. You are done!

Two caveats with the manual method. The transport service needs Full Control on the new folder (Move-TransportDatabase.ps1 grants this for you; for a manual move, give SYSTEM, NETWORK SERVICE and Administrators Full Control before restarting the service). And if the existing queue database files are not moved to the new location before the restart, the service creates a new, empty queue database there and any queued messages stay behind in the old one.

Ensure that the queue database files and log files are created under the new location and that mail flow is normal.
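Method 2 done from PowerShell, as an added example that is not code from the original post: it creates the folder with the permissions the transport service needs, moves the existing database and log files so queued mail is not left behind, updates both keys in EdgeTransport.exe.config, and verifies. The path H:\ExchangeDatabases\TransportQueue is the post's; the backup file name is an assumption. Run it elevated on the transport server.

```powershell
# Added example, not code from the original post: manual relocation of the transport queue
# database and logs, including the folder ACL and the file move that Method 2 leaves implicit.
# Assumptions: new path H:\ExchangeDatabases\TransportQueue (the post's), backup name <config>.bak.
$newPath = 'H:\ExchangeDatabases\TransportQueue'
$config  = Join-Path $env:ExchangeInstallPath 'Bin\EdgeTransport.exe.config'

# 1. Create the folder and grant the ACL the transport service needs; without it the service
#    starts but cannot create mail.que in the new location.
New-Item -ItemType Directory -Path $newPath -Force | Out-Null
$acl = Get-Acl -Path $newPath
foreach ($account in 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $newPath -AclObject $acl

# 2. Read the current paths from the config so the existing files can be moved along.
[xml]$xml = Get-Content -Path $config
$dbKey  = $xml.configuration.appSettings.add | Where-Object { $_.key -eq 'QueueDatabasePath' }
$logKey = $xml.configuration.appSettings.add | Where-Object { $_.key -eq 'QueueDatabaseLoggingPath' }
$oldDbPath  = $dbKey.value
$oldLogPath = $logKey.value

# 3. Stop transport, move the database (mail.que, tmp.edb) and the trn* logs / checkpoint,
#    update the keys, restart. Moving the files preserves whatever is queued.
Copy-Item -Path $config -Destination "$config.bak" -Force
Stop-Service -Name MSExchangeTransport
Move-Item -Path (Join-Path $oldDbPath 'mail.que') -Destination $newPath -Force
Move-Item -Path (Join-Path $oldDbPath 'tmp.edb') -Destination $newPath -Force -ErrorAction SilentlyContinue
Move-Item -Path (Join-Path $oldLogPath 'trn*.log') -Destination $newPath -Force
Move-Item -Path (Join-Path $oldLogPath 'trn.chk') -Destination $newPath -Force -ErrorAction SilentlyContinue
Move-Item -Path (Join-Path $oldLogPath 'trnres*.jrs') -Destination $newPath -Force -ErrorAction SilentlyContinue
$dbKey.value  = $newPath
$logKey.value = $newPath
$xml.Save($config)
Start-Service -Name MSExchangeTransport

# 4. Verify: the files exist in the new place and the queues are being serviced.
Get-ChildItem -Path $newPath | Select-Object Name, Length, LastWriteTime
Get-Queue | Format-Table Identity, Status, MessageCount -AutoSize
```

Keep the .bak and a note of the change: Exchange service packs and cumulative updates replace EdgeTransport.exe.config, so the keys have to be re-applied after an upgrade, which is one more reason Method 1 is the better default.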

Share if you face any issues!

-Praveen

We sometimes have to modify the replication network settings, either to accommodate more DAG members or to move the replication network to an alternate IP range as part of a network revamp. I have outlined the steps with which you can safely modify the NIC settings and the DAG replication network properties without any downtime.

There are basically 2 scenarios,

  1. Extend the existing replication VLAN subnet to accommodate more DAG members
  2. Migrate the replication network to another VLAN as part of some network revamp

Extend/Modify the existing replication VLAN subnet to accommodate more/fewer DAG members

You can follow the steps below to extend the VLAN. It is always better to keep the databases active on a limited number of servers during the operation.

  1. Modify the subnet mask in the replication NIC settings.
  2. Open the EMC and navigate to the DAG configuration window (Organization Configuration -> Mailbox; then click on the Database Availability Groups tab in the right pane of the EMC).
  3. Modify the subnet mask in the DAG network settings, following the steps below:
    a. Click on the DAG name whose network settings you want to modify.
    b. Open the properties of the DAG network used for replication (private).
    c. Delete the existing subnet (only when you are modifying the subnet range) and apply the change.
Note – You cannot modify the netmask of an existing subnet directly; if you try, it throws the error below:
Set-DatabaseAvailabilityGroupNetwork
Failed
Error:
Subnet '10.0.0.0/27' can't be set because it conflicts with existing subnet '10.0.0.0/29'. When setting subnets, the subnet must exactly match a subnet that is configured for a network on the server.
    d. Click on the Add button, enter the new IP range and subnet mask (e.g. 10.0.0.0/27) and apply the changes.
  4. Verify the replication.

Note: During the change, database replication will be disturbed and resumes automatically once the changes are complete. If you find any replication issues after the changes, ensure that the replication network IPs are reachable from each node.

Migrate / Change the replication network to another VLAN as part of some network revamp

In this, we will start with the DAGnetwork property modification.

  1. Open the EMC and navigate to the DAG configuration window (Organization Configuration -> Mailbox; then click on the Database Availability Groups tab in the right pane of the EMC).
  2. Add the new IP range and subnet mask in the DAG network settings, following the steps below:
    a. Click on the DAG name whose network settings you want to modify.
    b. Open the properties of the DAG network used for replication (private).
    c. Click on the Add button, enter the new IP range and subnet mask (e.g. 10.0.0.0/27) as an additional subnet and apply the change.

Note – you may receive the warning below,

Set-DatabaseAvailabilityGroupNetwork

Completed

Warning:

Subnet '10.0.0.0/27' isn't present in the database availability group. It will be added to the database availability group's network, but it will have no effect until a corresponding subnet has been physically configured on a server in the database availability group.

  3. Modify the replication NIC properties on each DAG member server with the new network IP address and subnet mask.

  4. Verify the replication after an interval.
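Both scenarios driven from the Exchange Management Shell instead of the EMC, with the replication check at the end, as an added example that is not code from the original post. The subnets 10.0.0.0/29 and 10.0.0.0/27 are from the post; the DAG name DAG-01, the network name ReplicationDagNetwork01 and the new VLAN 10.0.1.0/27 are assumptions. This is the Exchange 2010 style of manually configured DAG networks that the EMC steps above use.

```powershell
# Added example, not code from the original post: the two replication-network scenarios
# with Set-DatabaseAvailabilityGroupNetwork, followed by the replication health check.
# Assumptions: DAG "DAG-01", network "ReplicationDagNetwork01", new VLAN 10.0.1.0/27.
$dagName = 'DAG-01'
$network = "$dagName\ReplicationDagNetwork01"

# What the DAG currently believes the replication network looks like.
Get-DatabaseAvailabilityGroupNetwork -Identity $network | Format-List Name, Subnets, Interfaces, ReplicationEnabled

# Scenario 1: widen the mask. -Subnets replaces the whole list, and a subnet is accepted only
# once a member NIC actually sits in it, which is the "conflicts with existing subnet" error
# you get in the EMC. So: re-mask the replication NICs to /27 first, then set the new list.
Set-DatabaseAvailabilityGroupNetwork -Identity $network -Subnets '10.0.0.0/27' -ReplicationEnabled $true

# Scenario 2: move to a new VLAN. Add the new subnet beside the old one before the NICs change
# (expect the "isn't present ... will have no effect" warning), re-address the replication NIC
# on every member, then drop the old subnet.
Set-DatabaseAvailabilityGroupNetwork -Identity $network -Subnets '10.0.0.0/27', '10.0.1.0/27'
# ... change the replication NIC on each member to 10.0.1.x/27 ...
Set-DatabaseAvailabilityGroupNetwork -Identity $network -Subnets '10.0.1.0/27'

# Verify: every member must show an interface on the network, replication tests must pass,
# and no copy may be left Failed or Suspended after the change.
Get-DatabaseAvailabilityGroupNetwork -Identity $network | Select-Object -ExpandProperty Interfaces
foreach ($server in (Get-DatabaseAvailabilityGroup -Identity $dagName).Servers) {
    Test-ReplicationHealth -Identity $server.Name | Where-Object { $_.Result -ne 'Passed' }
    Get-MailboxDatabaseCopyStatus -Server $server.Name |
        Where-Object { $_.Status -ne 'Mounted' -and $_.Status -ne 'Healthy' } |
        Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
}
```

An empty result from the two Where-Object filters is the success condition; a copy queue that keeps growing after the NIC change is the symptom of a replication IP that is no longer reachable from one of the nodes.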

The process is simple and fairly safe, and no downtime to end-user operations is expected. However, it is recommended to take the necessary precautions.

Share your comments/queries.

-Praveen

Follow the simple steps below to create and activate a BlackBerry Enterprise Service 10 account. As usual the process has two stages: creating the account on the BES 10 server (console), and activating it on the BlackBerry 10 device.

Steps to create (add) the account on BlackBerry Enterprise Service 10 (BDS).

1. Log on to the BlackBerry Administration Console (BlackBerry Device Service).

2. In the left pane, locate "Profiles" and expand it.

3. Click on "Create an Email Profile".

4. Enter the person's name in the "Name" text box and select the "Type" as "Active Sync" (the only option).

5. Click on Continue and enter your "Server Name" (in my case it is the CAS array name).

6. Click on "Save" at the bottom of the wizard.

7. Now expand the User menu in the left pane and click on Create.

8. Search for the user and add the user, similar to the BES 5.0 process.

9. Click the user, navigate to the Email profile tab and select the email profile created.

Once you finish the above steps, you can activate the BB account on a BlackBerry 10 device. Follow the steps below to activate the BlackBerry account on the device.

Steps to activate the account on a BlackBerry 10 device.

1. On the home screen, open "Settings".

2. Open Accounts.

3. Tap on Add Account.

4. Tap on the 'Email, Calendar and Contacts' option.

5. Enter the email address and tap on 'Next'.

6. On the next screen enter the activation password provided by the IT administrator.

7. The device will ask for the "Work" password, which applies only to access to your business applications. Enter a password, e.g. 'bbpwd', and tap 'Next'.

Note – The work password is only needed to open the business emails and applications. So do not select the device password option; if you set it as the device password, you will have to provide this password each time you unlock your BlackBerry device.

The activation process will now configure your work profile on the BlackBerry device by contacting the server for policies.

8. On the next screen enter your business email password (your company email password) and tap Save.

The process of activating your device is finished now. The device will start syncing data with the server; the sync process can take several minutes depending on the amount of server data and the internet connection speed of your device.

Hope it helped you to activate your first BlackBerry Enterprise Service account on your BlackBerry device.

-Praveen

It is now time to change our Blackberry infrastructure with Blackberry Enterprise Service 10. Blackberry has released help documentation for how to install and configure different modules of enterprise service 10.

In BES 10, RIM has come up with 3 main modules.

BlackBerry Device Service
Universal Device Service
BlackBerry Management Studio

There is an order in which you should install these modules on a single server. The help documentation provides a good insight into all of this; I recommend you go through this short documentation before you introduce BlackBerry Enterprise Service 10 into your infrastructure.

Installing BlackBerry Device Service, Universal Device Service, and BlackBerry Management Studio on the same host server

BlackBerry Management Studio 6.4 - Installation and Upgrade Guide
BlackBerry Device Service 6.2 - Installation and Configuration Guide
Universal Device Service 6.2.1 - Installation and Configuration Guide

I was successful in installing all the above modules on a single server, and will be posting article about that soon.

-Praveen

Recently I had to do a recovery installation of a DAG member hosting the public folder database, due to some hardware issues. The PF database is hosted only on a single server, hence I had to plan for a quick recovery to ensure minimum downtime for public folder access. The process is simple if you are familiar with the recovery installation of an Exchange Server 2010 DAG member.

  1. Dismount the Public Folder (if the public folder is heavily used, select an off peak time to ensure lesser changes to PF)
  2. Copy the Public Folder Database and Logs to the new server
  3. Do a recovery installation of server to new hardware, follow Recovery Installation of a DAG Member with Multi Roles – Exchange Server 2010
  4. Ensure that the Copied public folder is at the right location, and mount the database

You may follow the same procedure for the recovery installation of any Exchange Server 2010 server that hosts a public folder database.

The process is as easy as described and can be adopted by smaller organizations without much trouble. The only drawback is that the public folder database is unavailable during the recovery installation. If you plan well, the downtime will be less than an hour.
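The dismount / copy / mount part of that procedure from the Exchange Management Shell, with the one check worth doing before a copied database is mounted, as an added example that is not code from the original post. The database name PF-DB01 and the staging share are assumptions; the recovery installation itself (Setup /m:RecoverServer) sits between the copy and the mount and is not repeated here.

```powershell
# Added example, not code from the original post: stage a public folder database off a server
# before its recovery installation, and check it is in Clean Shutdown before mounting it again.
# Assumptions: database "PF-DB01", staging share \\FileServer01\ExchangeStaging\PF-DB01.
$pfDb    = 'PF-DB01'
$staging = '\\FileServer01\ExchangeStaging\PF-DB01'

# 1. Read the paths from AD first. Setup /m:RecoverServer keeps the same paths, so the staged
#    files must go back to exactly these locations on the rebuilt server.
$db = Get-PublicFolderDatabase -Identity $pfDb
$db | Format-List Name, Server, EdbFilePath, LogFolderPath
$edbFile = $db.EdbFilePath.PathName
$logDir  = $db.LogFolderPath.PathName

# 2. Dismount so the files are consistent, then copy database and logs to staging.
Dismount-Database -Identity $pfDb -Confirm:$false
robocopy (Split-Path -Path $edbFile) "$staging\db" (Split-Path -Path $edbFile -Leaf) /Z /R:3
robocopy $logDir "$staging\logs" /E /Z /R:3

# ... recovery installation of the server with Setup /m:RecoverServer, then copy the staged
#     files back to $edbFile / $logDir on the recovered server ...

# 3. Before mounting, confirm the copied database is in Clean Shutdown. A Dirty Shutdown
#    database needs its logs replayed (eseutil /r) first; mounting it blindly fails or
#    loses the transactions that were still in the logs.
$eseutil = Join-Path $env:ExchangeInstallPath 'Bin\eseutil.exe'
$header  = & $eseutil /mh $edbFile
if (-not ($header -match 'State:\s+Clean Shutdown')) {
    throw "$pfDb is not in Clean Shutdown; replay its logs with eseutil /r before mounting."
}

# 4. Mount and confirm the public folder content is reachable again.
Mount-Database -Identity $pfDb
Get-PublicFolderDatabase -Identity $pfDb -Status | Format-List Name, Mounted, Server
Get-PublicFolderStatistics -Server $db.Server.Name | Select-Object -First 5 Name, ItemCount
```

The header check is what separates a fast recovery from a long one: a clean dismount before the copy is what makes step 3 pass, which is why the post dismounts first rather than copying a live database.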

-Praveen

Let's get into the task straight. I have tried to make it simple on how to install your first Exchange Server 2013 on a Windows Server 2012 infrastructure. I already have given an idea about the pre-requisites and things to check before we start the installation on my preview installation guide. You may read those here, otherwise let's get started!!

My Lab,

- One Domain Controller (Windows Server 2012 Std), with the functional level at Windows 2008 R2 (you may choose 2012 as well).
- One Member Server (Windows Server 2012 Std)
- Domain Name heloed.local

If you wish to use the Domain Controller to prepare your AD, you must additionally install the following features.

  1. Microsoft .NET Framework 4.5
  2. Windows Management Framework 3.0
  3. Install the Remote Tools Administration Pack (run Install-WindowsFeature RSAT-ADDS on 2012 server or Add-WindowsFeature RSAT-ADDS on 2008 server)

Then prepare the domain with setup /PrepareSchema and/or setup /PrepareAD /OrganizationName:<organization name>. The second command also extends the schema if that has not been done yet, so you do not have to run /PrepareSchema separately as long as you run /PrepareAD with an account that has the forest-level (Schema Admins and Enterprise Admins) permissions.

Once you prepare your AD, you can straight go and install the Exchange Server. But, here I have planned to club the AD preparation and Exchange Server installation together so I did not install the above features on my DC.

Let's start the Exchange part,

  • Add the server (which will be used for installing Exchange 2013) to the domain (heloed.local) and log in with a credential that has the required permissions.
Note - If you have already extended the schema and prepared the domain, a domain admin account is enough to continue with the Exchange installation. I recommend delegating the permissions as required to avoid any hiccups.
  • Execute the below commands to add the required features to the server,
For Mailbox Role or Combined Mailbox and CAS role,
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

For CAS role only installation,
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

  • Restart the server to continue with the installation.

  • Install the 3 components below in order (if you plan to install the CAS role only, the filter packs are not required),

1. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

2. Microsoft Office 2010 Filter Pack 64 bit

3. Microsoft Office 2010 Filter Pack SP1 64 bit

It is time to start the actual Exchange Server 2013 installation,

  • Extract Exchange-x64.EXE to the "C:\Ex2013_Extract" directory, navigate to the directory where it was extracted and double-click "setup". Start the wizard and click next on the "Check for updates" section; it will initiate the Copying Files process.

  • Click next on Introduction and proceed to the License Agreement section. Select I agree and proceed.

  • On the Recommended Settings section I chose Don't use; you may select as appropriate.

  • Select the server roles on the next screen. I chose both the Mailbox and Client Access roles. Click next to proceed.

  • If you wish to change the installation path, you may do so on the next screen. Click next once you have finalized the installation path.
  • Give an organization name; I gave it as HeloED.
  • Malware protection: select as appropriate (I said 'No'). Setup will then start the readiness check before the actual install.
For me there was only one warning, which says "Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareAD'. No Exchange 2010 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2010 servers". This is fine with me, so I proceeded with the installation.

Now you may sit back and relax (as we did with earlier Windows installations :) until it finishes its work, which takes about 30 - 40 minutes. You will see a successful installation screen once all the installation steps are over.
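The AD preparation and the server installation as unattended Setup.exe commands, with a schema-version check before and after, as an added example that is not code from the original post. The extraction path C:\Ex2013_Extract, the organization name HeloED and the Mailbox + Client Access role choice are the post's; running it from an elevated PowerShell on the member server as a Schema Admins and Enterprise Admins member is an assumption, as is the ActiveDirectory module being available there.

```powershell
# Added example, not code from the original post: unattended equivalent of the wizard run above,
# bracketed by a check of the Exchange schema version (rangeUpper on ms-Exch-Schema-Version-Pt).
# Assumptions: Setup extracted to C:\Ex2013_Extract (the post's), org name HeloED (the post's),
# elevated PowerShell with the ActiveDirectory module, account in Schema Admins + Enterprise Admins.
Import-Module ActiveDirectory
$setup = 'C:\Ex2013_Extract\Setup.exe'

function Get-ExchangeSchemaVersion {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Properties rangeUpper -ErrorAction SilentlyContinue
    if ($obj) { $obj.rangeUpper } else { 'not present (forest has never been prepared for Exchange)' }
}

"Schema version before: $(Get-ExchangeSchemaVersion)"

# Run in the same AD site as the schema master. /PrepareAD extends the schema too when it has
# not been done yet; /PrepareSchema is shown for the case where a different account does that part.
& $setup /PrepareSchema /IAcceptExchangeServerLicenseTerms
& $setup /PrepareAD /OrganizationName:"HeloED" /IAcceptExchangeServerLicenseTerms

"Schema version after:  $(Get-ExchangeSchemaVersion)"

# Install both roles. /DisableAMFiltering matches answering 'No' to malware protection in the
# wizard; /InstallWindowsComponents adds any missing Windows features from the list above.
& $setup /mode:Install /roles:Mailbox,ClientAccess /IAcceptExchangeServerLicenseTerms /InstallWindowsComponents /DisableAMFiltering

# Post-install sanity check, run from the Exchange Management Shell once it is available:
# the server object, its roles, the build and the AD site it landed in.
Get-ExchangeServer -Identity $env:COMPUTERNAME | Format-List Name, ServerRole, AdminDisplayVersion, Site
```

Compare the "after" rangeUpper value with the one documented for the Exchange 2013 build you are installing; a value that did not change means /PrepareAD ran against a domain controller that had not yet replicated the schema change, and the readiness check will stop you until it has.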

I would rate the installation of Exchange Server 2013 as simpler compared to earlier versions. You can now open the Exchange Admin Center (EAC) to complete the post-installation tasks. I have written another post about the Exchange Server 2013 preview installation on Windows Server 2008 R2; if you wish to install on 2008 R2, you may read that.

-Praveen

In this post I will cover the recovery installation steps for a failed or crashed multi-role DAG member server (the same steps can also be used if you wish to change the hardware). I have tried to include almost every point that can come up during the recovery of a multi-role DAG member on Exchange Server 2010.

Some of the steps below can be performed earlier, but try to follow this order for a successful recovery.
  • Install a new server with same Name, OS and patch level.

  • Perform the DAG removal steps, otherwise setup will fail ("Exchange server is a member of a database availability group.").
Note - There are 2 scenarios: recovering a live server, and recovering a crashed server. If the server to be recovered is online, perform the DAG removal steps before you shut it down, to ensure a clean removal without errors. I have taken the situation where the server is offline and cannot be brought online to do the DAG cleanup (configuration-only removal).
    • Remove all database copies on the failed server (it may give a warning if the server is offline, which can be safely ignored).
    • Remove the failed server from the DAG configuration.
  • Reset the computer account from the ADUC console (the failed Exchange server / the server planned to be reinstalled).

  • Assign the same IP addresses as the failed server (including replication), and join the domain.

  • Install the prerequisites for the Exchange installation.

  • Create the same structure of drives/mount points on the new server; this is needed for the database copy creation etc.

  • Initiate the recovery mode installation by running the command below from the installation directory at a command prompt (sometimes ASP and ISAPI feature errors may be thrown during the pre-check; ensure these features are installed on the recovery server),
    • Setup /m:RecoverServer
  • You will need to restart the server after the successful installation.

Once the server is restarted, you can add it back to the DAG membership and create the database copies, which I have explained in the next section.

Add the server back to DAG membership

This operation may fail if the server is still in the cluster configuration, so you may have to evict the node from Failover Cluster Manager.

Add the database copies to the recovered server and let the initial seeding finish.

You are almost done. Also ensure that you redo all the customized settings for your infrastructure (for example SSL certificates and changes to local configuration files such as EdgeTransport.exe.config, which Setup /m:RecoverServer does not restore).
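The DAG clean-up before the rebuild and the re-join afterwards as Exchange Management Shell commands, as an added example that is not code from the original post. The cluster eviction that the post does in Failover Cluster Manager is done here with the FailoverClusters module. The failed server name EX2010-02, the DAG name DAG-01 and the database names DB01 and DB02 are assumptions.

```powershell
# Added example, not code from the original post: DAG clean-up before Setup /m:RecoverServer
# (run on a surviving member) and re-join afterwards (run on the recovered server).
# Assumptions: failed server "EX2010-02", DAG "DAG-01", databases "DB01" and "DB02".
$failed  = 'EX2010-02'
$dagName = 'DAG-01'

# ----- BEFORE the rebuild, on a surviving DAG member -----
# 1. Find every database with a copy on the failed server and remove that copy. With the
#    server offline the cmdlet warns that the files could not be deleted; that is expected.
$dbsOnFailed = Get-MailboxDatabase | Where-Object {
    ($_.Servers | ForEach-Object { $_.Name }) -contains $failed
}
foreach ($db in $dbsOnFailed) {
    Remove-MailboxDatabaseCopy -Identity "$($db.Name)\$failed" -Confirm:$false
}
"Copies removed: " + (($dbsOnFailed | ForEach-Object { $_.Name }) -join ', ')

# 2. Drop the failed server from the DAG configuration only (no contact with the dead node).
Remove-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $failed -ConfigurationOnly -Confirm:$false

# 3. If the node is still listed in the cluster, evict it (the Failover Cluster Manager step).
Import-Module FailoverClusters
if (Get-ClusterNode -Cluster $dagName -Name $failed -ErrorAction SilentlyContinue) {
    Remove-ClusterNode -Cluster $dagName -Name $failed -Force
}

# ----- AFTER Setup /m:RecoverServer and the reboot, on the recovered server -----
# 4. Re-join the DAG, re-create the copies this server used to hold, and watch the seeding.
Add-DatabaseAvailabilityGroupServer -Identity $dagName -MailboxServer $failed
$dbsToRecreate = 'DB01', 'DB02'   # the names printed in step 1; assumption here
foreach ($dbName in $dbsToRecreate) {
    Add-MailboxDatabaseCopy -Identity $dbName -MailboxServer $failed -ActivationPreference 2
}
Get-MailboxDatabaseCopyStatus -Server $failed |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize
```

Seeding is finished when every copy on the recovered server reports Healthy with a low copy queue and a Healthy content index; a copy that stays at Initializing or Failed usually means the drive or mount point layout on the new server does not match the paths the database object still carries in AD.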

Share if you face any issues,

-Praveen
