Wednesday, April 13, 2011

Exchange 2010 Retention Stamping


Managed Folder Assistant processing: Retention Hold and Migrated Mailboxes

While engaged at a customer for an Exchange 2003 to Exchange 2010 migration project, there were various requirements around retention/aging. Migrating from Exchange 2003 aging to the Exchange 2010 retention strategy was quite a hurdle for the client. The reason is that Exchange 2003 had capabilities (such as email notification of expired items) and there were other legal speed bumps that warranted a deep dive into retention policies (RPs), retention policy tags (RPTs), Managed Folder work cycles, and how the Managed Folder Assistant processes mail items. The table below lists various mailbox setting profiles and the resulting effect after the Managed Folder Assistant runs against the mailbox.

 

Scenario 1: Mailbox migrated
  · RetentionPolicy applied
  · RetentionHoldEnabled = FALSE
  · Move-Request NOT CLEARED
Results: Mailbox items WILL NOT BE STAMPED with retention information (until the move request is cleared), and expired items will NOT BE DELETED by the Managed Folder Assistant until RetentionHoldEnabled is set to FALSE or RetentionHoldEndDate has expired.

Scenario 2: Mailbox migrated
  · RetentionPolicy applied
  · RetentionHoldEnabled = TRUE (before the Managed Folder Assistant processes the mailbox)
  · Move-Request IS CLEARED
Results: Mailbox items WILL BE STAMPED with retention information; however, expired items will NOT BE DELETED by the Managed Folder Assistant until RetentionHoldEnabled is set to FALSE or RetentionHoldEndDate has expired.

Scenario 3: Mailbox migrated
  · RetentionPolicy applied
  · RetentionHoldEnabled = TRUE (before the Managed Folder Assistant processes the mailbox)
  · Move-Request NOT CLEARED
Results: Mailbox items WILL NOT BE STAMPED with retention information (until the move request is cleared), and expired items will NOT BE DELETED by the Managed Folder Assistant until RetentionHoldEnabled is set to FALSE or RetentionHoldEndDate has expired.

Scenario 4: Existing or new mailbox (typical mailbox settings)
  · RetentionPolicy applied
  · RetentionHoldEnabled = FALSE (before the Managed Folder Assistant processes the mailbox)
Results: Mailbox items WILL BE STAMPED with retention information, and expired items WILL BE DELETED by the Managed Folder Assistant according to the retention policy.

Scenario 5: Existing or new mailbox
  · RetentionPolicy applied
  · RetentionHoldEnabled = TRUE (before the Managed Folder Assistant processes the mailbox)
Results: Mailbox items WILL BE STAMPED with retention information, and expired items will NOT BE DELETED by the Managed Folder Assistant until RetentionHoldEnabled is set to FALSE or RetentionHoldEndDate has expired.
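The script below is an added example (not from the original post) that maps one mailbox onto the scenarios above: it reads the retention policy, retention hold and move request state from the Exchange Management Shell, explains which row applies, and optionally clears a completed move request and kicks off the Managed Folder Assistant so stamping happens now rather than at the next work cycle. The -Identity/-Clear parameters are my own; Start-ManagedFolderAssistant -Identity is the SP1 form of the cmdlet.

```powershell
# Added example (not the post's code). Run in the Exchange Management Shell (2010 SP1).
# Shows which row of the retention table a mailbox falls into and, with -Clear,
# removes a Completed move request and triggers the Managed Folder Assistant.
param(
    [Parameter(Mandatory = $true)][string]$Identity,   # mailbox alias, SMTP address or DN
    [switch]$Clear                                      # assumption: opt-in to change state
)

$mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
$mr  = Get-MoveRequest -Identity $Identity -ErrorAction SilentlyContinue
$mrStatus = if ($mr) { $mr.Status } else { 'None' }

# The three inputs the table keys on.
New-Object PSObject -Property @{
    Mailbox              = $mbx.Alias
    RetentionPolicy      = $mbx.RetentionPolicy
    RetentionHoldEnabled = $mbx.RetentionHoldEnabled
    RetentionHoldEnd     = $mbx.EndDateForRetentionHold
    MoveRequestStatus    = $mrStatus
} | Format-List

if (-not $mbx.RetentionPolicy) {
    Write-Warning 'No retention policy assigned: nothing will be stamped regardless of hold/move state.'
}

# Rows 1 and 3: a move request that has not been cleared blocks stamping.
if ($mr) {
    Write-Host 'Move request still present: items will NOT be stamped until it is cleared.'
    if ($Clear -and $mr.Status -eq 'Completed') {
        Remove-MoveRequest -Identity $Identity -Confirm:$false
        Write-Host 'Completed move request cleared.'
    } elseif ($Clear) {
        Write-Warning "Move request is '$($mr.Status)', not Completed; leaving it in place."
    }
}

# Rows 2, 3 and 5: an active retention hold allows stamping but blocks deletion.
$holdEnd = $mbx.EndDateForRetentionHold
if ($mbx.RetentionHoldEnabled -and ($null -eq $holdEnd -or $holdEnd -gt (Get-Date))) {
    Write-Host 'Retention hold is active: items are stamped but expired items will NOT be deleted.'
}

# Row 4: nothing blocking, so processing can be triggered immediately.
if ($Clear -and -not (Get-MoveRequest -Identity $Identity -ErrorAction SilentlyContinue)) {
    Start-ManagedFolderAssistant -Identity $Identity
    Write-Host 'Managed Folder Assistant started for this mailbox.'
}
```

Run it read-only first (no -Clear) to see the state; with -Clear it only removes a move request that already reports Completed, so an in-progress move is never interrupted.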

Tuesday, January 4, 2011

Exchange 2010–Creating a Scheduled Task (Using Scheduler Import Task)


This article provides a method of importing a predefined Task Scheduler (XML) import file and then manipulating the tasks to your liking.

Sample Import Task XML file contents.

(This content can be copied and pasted into a file, and then modified before or after the task import. Modifying after the import is easiest.)

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2010-05-11T15:55:47</Date>
    <Author>administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2010-05-11T15:55:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>SYSTEM</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>Powershell.exe</Command>
      <Arguments>-NonInteractive -WindowStyle Hidden -command 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\Operations\CheckDatabaseRedundancy.ps1 -MonitoringContext -ShowDetailedErrors -SummaryMailFrom:'SMTPFromAddress@contoso.com' -SendSummaryMailTos:@('SMTPToAddress@contoso.com') -ErrorAction:Continue</Arguments>
    </Exec>
  </Actions>
</Task>

NOTE: The Arguments key contains values that are not used in the steps below. This is an example of reusing an existing task and then modifying it to your needs.

Import Task and Modify

  1. Copy the PowerShell script to a machine that has the Exchange Server 2010 Management Tools installed.
  2. Copy and modify one of the scheduled task XML files (listed above) to a specific location (local to the machine executing the scheduled task).
  3. Open Task Scheduler (Administrative Tools\Task Scheduler).
  4. Right-click a node in the left-hand pane and select "Import Task".
  5. During the import, modify the necessary properties and schedules. Most importantly, be sure to edit the "Action" tab. You will want to modify the script to be called if it is not set properly, as well as the Arguments:

PROGRAM/SCRIPT: PowerShell.exe

ARGUMENTS: -NonInteractive -WindowStyle Hidden -command 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\Scripts\Exchange\MailboxInfo.ps1
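The same import-then-modify procedure can be scripted instead of clicked through. The block below is an added example, not from the original post: it imports the XML above with schtasks.exe, rewrites the Action through the Task Scheduler COM API (the only scripting interface on Windows Server 2008 R2), and then checks who can write to the script file, because a task running as SYSTEM with HighestAvailable executes whatever that file contains. The task name, XML path and script path are assumptions.

```powershell
# Added example (not the post's code). Imports a Task Scheduler XML file and
# points its Action at the script we want, then audits the script's ACL.
param(
    [string]$TaskName   = 'Exchange-MailboxInfo',                 # assumption
    [string]$XmlPath    = 'C:\Operations\MailboxInfoTask.xml',    # assumption: the XML above, saved to disk
    [string]$ScriptPath = 'C:\Scripts\Exchange\MailboxInfo.ps1'   # script from step 5 above
)

# 1. Import: same result as "Import Task" in the GUI. /RU SYSTEM matches <UserId>SYSTEM</UserId>.
& schtasks.exe /Create /TN $TaskName /XML $XmlPath /RU SYSTEM /F | Out-Null
if ($LASTEXITCODE -ne 0) { throw "schtasks import failed with exit code $LASTEXITCODE" }

# 2. Rewrite the Action (step 5 above) via COM. RemoteExchange.ps1 is dot-sourced so the
#    Connect-ExchangeServer function it defines is available to the rest of the command line.
$exchangeShell = 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'
$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
$folder = $svc.GetFolder('\')
$task   = $folder.GetTask($TaskName)
$def    = $task.Definition
$action = $def.Actions.Item(1)                       # IActionCollection is 1-based
$action.Path      = 'Powershell.exe'
$action.Arguments = "-NonInteractive -WindowStyle Hidden -command . '$exchangeShell'; Connect-ExchangeServer -auto; $ScriptPath"

# 3. Re-register in place: 4 = TASK_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT (SYSTEM, no password).
$folder.RegisterTaskDefinition($TaskName, $def, 4, $null, $null, 5) | Out-Null
Write-Host "Task '$TaskName' now runs: $($action.Path) $($action.Arguments)"

# 4. The task runs as SYSTEM, so any principal that can modify the script file runs code as SYSTEM.
#    Report Allow ACEs that carry any Write bit for principals other than the usual administrators.
$trusted   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $ScriptPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    } |
    ForEach-Object { Write-Warning "$ScriptPath is writable by $($_.IdentityReference) ($($_.FileSystemRights))" }
```

Run it elevated on the machine that will execute the task; the ACL check at the end is the piece worth keeping in any deployment script, since the scheduled task's privileges are only as good as the permissions on the file it runs.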

Tuesday, October 19, 2010

Exchange Server 2010 - Management Console Error


While logged on to an Exchange 2010 server and opening the Exchange Management Console, an error message appears. This error can be traced to one of two things: either the Exchange 2010 server really is having communication problems with the in-site domain controllers, or there is profile corruption in the account you are using to log on to the Exchange 2010 server. More often than not, it is the corruption of the Exchange Management Console profile file.

Remediation Steps:

Verify Communication with Domain Controllers:

First, verify the Exchange 2010 server is not logging errors during MSExchange DSAccess suitability testing. This can be verified in the Application event log:

EventID:  2080
Source:  MSExchange ADAccess

If not all of your in-site domain controllers are listed, or the suitability scores differ significantly from one another, investigate whether there are communication and/or replication issues with your DCs. If all looks good, move on to the profile corruption fix.

Profile corruption:

TO FIX:

1. Log in to IOPMAIL01 and navigate to the following location:
C:\Users\<Username>\AppData\Roaming\Microsoft\MMC\

2. Delete or rename the following file: "Exchange Management Console"

3. Log out and log back in. Open the Exchange Management Console and the errors should be gone.
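Both checks above can be done from PowerShell on the affected server. The script below is an added example, not from the original post: part 1 pulls the most recent MSExchange ADAccess 2080 event and compares the in-site DCs it reports against the DCs actually in the computer's AD site, and part 2 renames the per-user Exchange Management Console MMC file (a timestamped backup rather than a delete). The 2080 message layout assumed here (an "In-site:" block ending at "Out-of-site:", one DC per line, FQDN first) is how the event reads on 2010 servers; adjust the parse if yours differs. Run it as the user whose console is failing.

```powershell
# Added example (not the post's code): event 2080 DC check, then the MMC profile rename.

# --- Part 1: which in-site DCs does ADAccess see? ---------------------------
$evt = Get-EventLog -LogName Application -Source 'MSExchange ADAccess' -InstanceId 2080 -Newest 1
if (-not $evt) { throw 'No MSExchange ADAccess 2080 event found in the Application log.' }

$lines = $evt.Message -split "`r?`n"
$start = -1; $end = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^In-site:')                                 { $start = $i }
    elseif ($lines[$i] -match '^Out-of-site:' -and $start -ge 0 -and $end -lt 0) { $end = $i }
}
$inSite = @()
if ($start -ge 0 -and $end -gt ($start + 1)) { $inSite = $lines[($start + 1)..($end - 1)] }

Write-Host "In-site DCs reported by event 2080 at $($evt.TimeGenerated):"
$inSite | ForEach-Object { Write-Host "  $_" }          # raw rows keep the suitability columns visible

$listed = $inSite | ForEach-Object { if ($_ -match '^\s*(\S+)') { $Matches[1].ToLower() } }
$site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
$actual = $site.Servers | ForEach-Object { $_.Name.ToLower() }
$missing = $actual | Where-Object { $listed -notcontains $_ }

if ($missing) {
    Write-Warning "DCs in site '$($site.Name)' not reported by ADAccess (check connectivity/replication): $($missing -join ', ')"
} else {
    Write-Host "All $(@($actual).Count) DCs in site '$($site.Name)' are reported; move on to the profile fix."
}

# --- Part 2: profile corruption fix ------------------------------------------
# Same file the post names, located via %APPDATA% instead of a hard-coded user path.
$mmcFile = Join-Path $env:APPDATA 'Microsoft\MMC\Exchange Management Console'
if (Test-Path -LiteralPath $mmcFile) {
    $backupName = "Exchange Management Console.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Rename-Item -LiteralPath $mmcFile -NewName $backupName
    Write-Host "Renamed MMC profile to '$backupName'. Log off, log back on, then reopen the console."
} else {
    Write-Host "No MMC profile at '$mmcFile' for $env:USERNAME; nothing to rename."
}
```

The rename keeps the old console state around in case the failure turns out to be the DC communication problem after all; delete the .bak once the console opens cleanly.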

Wednesday, October 13, 2010

Exchange Server 2010 SP1 – SSLOffloading


If you will be leveraging a hardware load balancer (HLB) for your Exchange 2010 environment, there are some additional Exchange-specific settings that must be modified to get this working, whether you are using Pass Through, SSL Offloading or Reverse SSL (aka SSL Bridging).

  • System requirements for this configuration: EXCHANGE SERVER 2010 "SP1"

Options for load balancing Exchange 2010 CAS servers using a hardware load balancer:

  • Pass Through
    • Simple and a very common deployment method
    • Configuration requirements
      • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers):
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60

  • Reverse SSL (aka SSL Bridging) --- Recommended
    • More advanced configuration, and more advanced forms of load balancing available.
    • Benefits:
      • Secure communications end-to-end; no passwords in clear text between HLB and CAS
      • Less configuration required on Exchange 2010 than SSL Offloading below.
      • If your Exchange 2010 CAS are already configured, the only configuration remaining is setting the MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers):
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60
    • Disadvantages:
      • Does not offload (encryption and decryption) CPU processing from the CAS servers.

  • SSL Offloading
    (Note: the script at the end of this article will configure all of these parameters for you.)
    • More advanced forms of load balancing available. (This article provides the steps to configure it.)
    • Configuration requirements
      • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers):
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters]
          "RpcTcpPort"="60001"
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
          "TCP/IP Port"=dword:0000ea60
      • Remove "Require SSL" from the Default Web Site and all Exchange virtual directories on each CAS server
      • Enable Outlook Anywhere, set Authentication to Basic and set Outlook Anywhere SSLOffloading to TRUE
      • Set OWA for SSL Offloading:
          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD
      • Modify the web.config file for Autodiscover and EWS:
          # Configure web.config files
          $path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
          (Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config
          $path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path
          (Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config


Important
If you configure SSL offloading on an Exchange 2010 CAS server, all user passwords will be sent in clear between the HLB device(s) and the CAS servers, so it's important the traffic is sent over a secure network not accessible by malicious users. If the security policy within the organization states that all passwords should be sent in an encrypted form (even when occurring over a secure network), it's recommended to enable reverse SSL on the HLB device(s). In addition, it's recommended to enable reverse SSL, if the organization does not have a secure network in place between the HLB device(s) and the CAS servers or if there's no noticeable performance gain of offloading SSL to the HLB device(s) in the environment.

SCRIPT to Configure CAS for SSLOffloading

# This script will configure the Exchange 2010 Client Access Servers
# for a hardware load balancer with SSLOffloading enabled.
#
# System Requirements: EXCHANGE SERVER 2010 "SP1"
# Run from an elevated Exchange Management Shell on each CAS server.

# Set registry key: tells OWA that TLS is terminated on the HLB
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD -Force

# Assign static port for MSExchangeAB (60001; must differ from the MSExchangeRPC port below)
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB -Name Parameters -Force | Out-Null
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters -Name RpcTcpPort -Value "60001" -PropertyType String -Force

# Assign static port for MSExchangeRPC (0xea60 = 60000)
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem -Name "TCP/IP Port" -Value 0xea60 -PropertyType DWORD -Force

# Disable RequireSSL on the Default Web Site and each Exchange virtual directory
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$sites = "Default Web Site",
         "Default Web Site/Autodiscover",
         "Default Web Site/ecp",
         "Default Web Site/EWS",
         "Default Web Site/Microsoft-Server-ActiveSync",
         "Default Web Site/owa",
         "Default Web Site/rpc"
foreach ($site in $sites) {
    & $appcmd set config "$site" -commitPath:APPHOST -section:access -sslFlags:None
}

# Configure web.config files: Autodiscover and EWS bindings must use httpTransport when TLS ends at the HLB
$path = (Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME).Path
(Get-Content "$path\web.config") | ForEach-Object { $_ -replace "httpsTransport", "httpTransport" } | Set-Content "$path\web.config"
$path = (Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME).Path
(Get-Content "$path\web.config") | ForEach-Object { $_ -replace "httpsTransport", "httpTransport" } | Set-Content "$path\web.config"

# Configure Outlook Anywhere (only if it is already enabled on this server)
$enabled = Get-OutlookAnywhere -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue
If ($enabled) {
    Set-OutlookAnywhere -Identity $enabled.Identity -SSLOffloading $true
}
Else {
    Write-Host "Configure Outlook Anywhere and remember to check the box to enable SSL Offloading"
}

Write-Host -f Red "NOTE: Run `"iisreset /noforce`" to complete the process"
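Because the Important note above is about what travels in clear between the HLB and the CAS, it is worth being able to read the resulting state back rather than trusting that the configuration script ran cleanly. The audit script below is an added example, not part of the original article or of the configuration script: it checks each setting the script changes (sslFlags per virtual directory, the OWA registry value, the two static ports, the web.config transports and the Outlook Anywhere flags) and reports anything inconsistent. The virtual directory list, the use of appcmd list config and the Get-OutlookAnywhere -Server form are my choices; run it in an elevated Exchange Management Shell on the CAS being checked.

```powershell
# Added example (not the article's code): read back SSL offloading settings on this CAS.
$appcmd  = "$env:windir\system32\inetsrv\appcmd.exe"
$vdirs   = 'Default Web Site', 'Default Web Site/Autodiscover', 'Default Web Site/ecp',
           'Default Web Site/EWS', 'Default Web Site/Microsoft-Server-ActiveSync',
           'Default Web Site/owa', 'Default Web Site/rpc'
$findings = @()

# 1. "Require SSL" must be off everywhere the HLB terminates TLS, or IIS returns 403.4.
foreach ($v in $vdirs) {
    $out = (& $appcmd list config "$v" -section:access 2>&1) | Out-String
    if ($out -match 'sslFlags="([^"]*)"') {
        if ($Matches[1] -match 'Ssl') { $findings += "$v still requires SSL (sslFlags=$($Matches[1]))" }
    } else {
        $findings += "$v : could not read sslFlags (appcmd said: $($out.Trim()))"
    }
}

# 2. OWA must know it sits behind an offloading device.
$owa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -ErrorAction SilentlyContinue
if (-not $owa -or $owa.SSLOffloaded -ne 1) { $findings += 'OWA SSLOffloaded registry value is missing or not 1' }

# 3. Static ports: both set, and AB different from RPC as the article requires.
$ab  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters' -ErrorAction SilentlyContinue).RpcTcpPort
$rpc = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem' -ErrorAction SilentlyContinue).'TCP/IP Port'
if (-not $ab -or -not $rpc)     { $findings += 'Static port for MSExchangeAB or MSExchangeRPC is not set' }
elseif ([int]$ab -eq [int]$rpc) { $findings += "MSExchangeAB and MSExchangeRPC both use port $ab" }

# 4. Autodiscover and EWS web.config must no longer reference httpsTransport.
$paths = (Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME).Path,
         (Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME).Path
foreach ($p in $paths) {
    if (Select-String -Path (Join-Path $p 'web.config') -Pattern 'httpsTransport' -Quiet) {
        $findings += "$p\web.config still uses httpsTransport"
    }
}

# 5. Outlook Anywhere: enabled and flagged for offloading. With Basic authentication the
#    credentials cross the HLB-to-CAS segment in clear, which is the point of the note above.
$oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue
if (-not $oa)                    { $findings += 'Outlook Anywhere is not enabled on this server' }
elseif (-not $oa.SSLOffloading)  { $findings += 'Outlook Anywhere SSLOffloading is $false' }
elseif ($oa.ClientAuthenticationMethod -eq 'Basic') {
    Write-Warning 'Outlook Anywhere uses Basic auth: passwords are in clear between the HLB and this CAS; that network segment must be isolated, or use reverse SSL instead.'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'All SSL offloading settings on this CAS are consistent.' }
```

Run it after the iisreset so IIS has reloaded applicationHost.config; a non-empty findings list on one CAS behind the HLB is exactly the kind of half-configured node that produces intermittent 403 or authentication prompts for users.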

Monday, October 11, 2010

Exchange 2010 SP1 Upgrade Install Issues


Installation of the Exchange 2010 SP1 upgrade results in an "AuthorizationManager CheckFailed" error, and Exchange is uninstalled.

Culprit: PowerShell execution policy. "The Solution" below describes the remediation steps. The failed attempts merely prove that multiple solutions published over the Internet did not fix this issue.

The Error:

My first installation of the Exchange 2010 SP1 upgrade on my existing Exchange 2010 Client Access Server was a complete failure. Following AD prep and prerequisite checks/installs, I proceeded with the upgrade, and during the "Preparing Files" section of the install I received the "AuthorizationManager Check Failed" message.

After clicking FINISH on the installation wizard, I noticed that Exchange 2010 no longer existed on that server. Removing the Exchange files is actually the step prior to "Preparing Files"; isn't that lovely. Fortunately, I always snapshot my servers prior to rollup and service pack installation, so I was able to roll back and try pass number two.

Failed Remediation Attempts

Below are the various FAILED remediation steps I took to try and get through this upgrade successfully.  You will see some of these scattered around the Internet.  None of them worked for me.  The solution at the end of this article is the real deal, and fixed my problem.

  • Tried uninstalling previous rollups (had Rollup 4 installed) – Upgrade failed
  • Changing execution policy to Unrestricted as well as Bypass (local machine policy only) – Upgrade failed
  • Disabled UAC – Upgrade failed
  • Downloaded installation (upgrade) exe set to "UNBLOCK" before execution – Upgrade failed
  • Set within IE (Internet Options \ Advanced \ Security) – Upgrade failed
  • All of the above settings together – Upgrade failed

The Solution (Successful): 

1. Download Ex2010 SP1 from the Internet onto the machine on which you are installing SP1. Following the file download, right-click the exe file > Properties > "UNBLOCK". Extract the file to a location on the local system.
Note: The download was only performed on the first Exchange 2010 server I upgraded. I copied the extracted files over to the other Exchange 2010 servers for their upgrades.

2. Download and Install any prerequisites required for the SP1 installation.

3. Open PowerShell and check the execution policy for that server. Be sure to check it using the Get-ExecutionPolicy -List command. If you merely run Get-ExecutionPolicy, only the LocalMachine execution policy is displayed.

If the execution policy is different from the desired settings below, in particular the MachinePolicy and UserPolicy scopes being set to anything other than "Undefined", check what is applying those settings. It could be either Local Policy or Domain Policy (GPO).

The desired settings are MachinePolicy and UserPolicy showing "Undefined" in the Get-ExecutionPolicy -List output (screenshot not reproduced here).

To verify a GPO applying the settings, perform the following:

  1. Open a command window with extended rights ("Run as administrator").
  2. At the command prompt, type the following and then press ENTER:

    gpresult /z > PolicySettings.txt
  3. Open the file PolicySettings.txt in Notepad and search for the PowerShell execution policy entry in the list. Note where in the Group Policy hierarchy that entry resides. Repeat this step to determine whether there are other entries that reference "PowerShell".
  4. If the setting is Enabled, modify the GPO to set it to "Not Configured".
  5. Perform a GPUPDATE /force on the Exchange server on which you are installing SP1 and verify that the policy is no longer applied.
  6. Verify the execution policy settings again as above (from PowerShell: Get-ExecutionPolicy -List). Once things look like the desired settings, proceed with the installation.
  7. Once the settings look good, proceed with the upgrade installation. Be sure to run the installation with elevated privileges. I normally open a command prompt (Run as administrator), navigate to the installation directory and execute the installation.
  8. This procedure was successful and consistent across all my Exchange 2010 servers.

Of course, if an AD DS Group Policy was the culprit, once you have fixed the policy it should apply (verify, though) to the remainder of the Exchange servers.
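The execution policy check in step 3 and the "what is applying it" question in step 4 can be answered in one go from PowerShell. The script below is an added example, not from the original post: it lists every scope and, when MachinePolicy or UserPolicy is anything but Undefined, shows the policy registry values under the standard PowerShell policy keys, which is where a local or domain GPO writes the "Turn on Script Execution" setting. Nothing here is Exchange-specific; the registry paths are the documented PowerShell policy locations.

```powershell
# Added example (not the post's code): explain why MachinePolicy/UserPolicy are set.
$scopes = Get-ExecutionPolicy -List
$scopes | Format-Table -AutoSize

# Group Policy writes these keys; the LocalMachine/CurrentUser scopes live elsewhere and are not GPO-driven.
$policyKeys = @{
    MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
}

$enforced = $scopes | Where-Object {
    $policyKeys.ContainsKey($_.Scope.ToString()) -and $_.ExecutionPolicy.ToString() -ne 'Undefined'
}

if (-not $enforced) {
    Write-Host 'MachinePolicy and UserPolicy are Undefined: no GPO is enforcing the execution policy. Safe to run the SP1 upgrade.'
    return
}

foreach ($s in $enforced) {
    $key = $policyKeys[$s.Scope.ToString()]
    $val = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    Write-Warning ("{0} is '{1}', set under {2} (EnableScripts={3}, ExecutionPolicy={4})" -f
        $s.Scope, $s.ExecutionPolicy, $key, $val.EnableScripts, $val.ExecutionPolicy)
}
Write-Host 'Locate the GPO with "gpresult /z > PolicySettings.txt" (search for PowerShell), set "Turn on Script Execution" to Not Configured, run gpupdate /force, then re-run this check.'
```

Because the values live under HKLM\SOFTWARE\Policies, changing them directly with Set-ExecutionPolicy does nothing lasting; the next policy refresh rewrites them, which is why the Unrestricted/Bypass attempts in the failed-remediation list above did not survive.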

Wednesday, October 6, 2010

Cannot Activate Database Copy: Content Index Catalog Files in Failed State


When activating a database copy in an Exchange Server 2010 Database Availability Group it may fail with an error message that catalog index files are in a failed state.


When you view the copy status of the mailbox database the content index is in a failed state.

[PS] C:\>Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\EX1
ContentIndexState : Failed

Name : Mailbox Database 02\EX1
ContentIndexState : Healthy


To resolve the issue, update the content index on the server on which it has failed.



[PS] C:\>Update-MailboxDatabaseCopy "Mailbox Database 01\EX1" -CatalogOnly


The content index should now be in a healthy state.



[PS] C:\>Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\EX1
ContentIndexState : Healthy

Name : Mailbox Database 02\EX1
ContentIndexState : Healthy


After the content index is healthy you can attempt to activate the database copy again.
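The two-command fix above is what you run for one copy; across a DAG it is worth checking every copy on a server at once and guarding against the one case the catalog update cannot handle. The script below is an added example, not from the original post: it finds every copy on the given server whose ContentIndexState is Failed, skips active (Mounted) copies because Update-MailboxDatabaseCopy only targets passive copies, runs the -CatalogOnly update on the rest, and re-reads the state. The -Server/-Preview parameters and the use of -Confirm:$false are my choices.

```powershell
# Added example (not the post's code). Run in the Exchange Management Shell.
param(
    [string]$Server = $env:COMPUTERNAME,   # DAG member to repair
    [switch]$Preview                       # assumption: list what would be updated, change nothing
)

$failed = @(Get-MailboxDatabaseCopyStatus -Server $Server |
    Where-Object { $_.ContentIndexState -eq 'Failed' })

if ($failed.Count -eq 0) { Write-Host "No failed content indexes on $Server."; return }

foreach ($copy in $failed) {
    # The -CatalogOnly update reseeds the catalog from another copy, so the target must be passive.
    if ($copy.Status -eq 'Mounted') {
        Write-Warning "$($copy.Name) is the active (Mounted) copy; skipping, Update-MailboxDatabaseCopy cannot target it."
        continue
    }
    if ($Preview) {
        Write-Host "Would run: Update-MailboxDatabaseCopy '$($copy.Name)' -CatalogOnly"
        continue
    }
    Write-Host "Updating catalog for $($copy.Name) ..."
    Update-MailboxDatabaseCopy -Identity $copy.Name -CatalogOnly -Confirm:$false -ErrorAction Stop
}

# Re-read the state: Move-ActiveMailboxDatabase is only worth attempting once this shows Healthy.
$names = $failed | ForEach-Object { $_.Name }
Get-MailboxDatabaseCopyStatus -Server $Server |
    Where-Object { $names -contains $_.Name } |
    Format-List Name, Status, ContentIndexState, ContentIndexErrorMessage
```

ContentIndexErrorMessage in the final listing is the field to read when a copy comes back still Failed; it usually points at the search indexer service rather than the catalog files themselves.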

Friday, August 13, 2010

Forefront Client Security – Collection Database creation Failure


Problem:

While installing the FCS roles (Management, Collection Server, Collection Database, Reporting Server and Reporting Database) on a server, the "verifying settings and requirements" step shows all is well (image below). That is, until you initiate the install and the installation bombs out with an error on the "creating collection database" task. I have run into many posts about this same issue, and just about every one of them has a different solution or the poster gave up. Some of the solutions say that it is because .NET Framework 1.1 is not installed, or collation settings are not set correctly, etc.

Now I have tried just about every solution out there, and none of them fixed my issue.  So I took matters into my own hands and ventured away from the standard installation wizard.  Below is the solution that got me to the point where I successfully created the Collection Database on the server, and then I was able to resume installing the remaining roles.

Note: I have only encountered this issue on Windows 2003 x32. All other installs on Win2008 have been successful. Below is an image of the FCS server and the roles (consolidated).

Solution:

A little more information about my configuration will explain the solution. I had the OS installed on C:\ (of course), and SQL 2005 installed on the E: drive. Even though I configured the SQL 2005 default database location to the E:\ drive (which was permissioned correctly) and specified E:\… for the installation files, the FCS installation wizard was still attempting to create the database in C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data.

The wizard does not do what you would expect it to do. It has a mind of its own, apparently.

The fix:

Grant the SQLServer2005MSSQLUser$<computername>$MSSQLSERVER local group and/or the installation account you are using Full Control on the MSSQL\ directory and its child directories. Once this was completed, I was able to complete the Collection Database creation process and install the FCS server. Following the installation, you can move the databases to the desired location. To do that you will have to stop the Client Security services, detach the databases (OnePoint and SystemCenterReporting), move the files and attach the databases.
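The permission change can be applied and verified from PowerShell rather than through the Security tab. The script below is an added example, not from the original post: it grants the SQL 2005 service group Full Control on the MSSQL tree with inheritance, as the post describes, and gives the installation account Modify, which is enough to create the database files; the one-line change to give the install account Full Control exactly as the post does is marked in the code. The directory path and the install account default are assumptions.

```powershell
# Added example (not the post's code): ACL the SQL data tree so the FCS wizard can create the collection DB.
param(
    [string]$SqlRoot        = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL',   # assumption: default instance path
    [string]$InstallAccount = "$env:USERDOMAIN\$env:USERNAME"                          # assumption: the account running setup
)

# Local group SQL 2005 setup creates for the default instance, e.g. SQLServer2005MSSQLUser$SRV01$MSSQLSERVER
$sqlGroup = 'SQLServer2005MSSQLUser${0}$MSSQLSERVER' -f $env:COMPUTERNAME

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # apply to child dirs and files
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$grants = @(
    @{ Account = $sqlGroup;       Rights = 'FullControl' },
    @{ Account = $InstallAccount; Rights = 'Modify' }        # change to 'FullControl' to match the post exactly
)

$acl = Get-Acl -Path $SqlRoot
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Account, $g.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
    Write-Host "Granting $($g.Rights) on $SqlRoot (and children) to $($g.Account)"
}
Set-Acl -Path $SqlRoot -AclObject $acl

# Read back what was applied for the two principals.
$who = $grants | ForEach-Object { $_.Account }
(Get-Acl -Path $SqlRoot).Access |
    Where-Object { $who -contains $_.IdentityReference.Value } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

Once FCS is installed, the Modify entry for the installation account can be removed again; the SQL service group's Full Control is the normal state for that directory and should stay.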
