
Get Distribution Group Member Counts with PowerShell

Large distribution groups can lead to some unfortunate incidents in an Exchange organization, such as the one that occurred at Reuters recently when a person was able to send to 33,000 recipients, causing a server-crushing increase in email traffic as hundreds of those recipients proceeded to “reply all”.

One of the precautionary measures you can take is restricting who can send to your largest distribution groups. Of course this means you must first identify those groups, which is quite simple to do with PowerShell.

The Exchange management shell includes a Get-DistributionGroupMember cmdlet that can output the members of a distribution group. This cmdlet has one flaw in that it does not perform a recursive search. For example, this “All Staff” distribution group has two smaller groups nested in it as members, which then contain the several hundred individual recipients. If we use Get-DistributionGroupMember it tells us that there are two members, which is true in one sense, but quite useless for our objective here.

[PS] C:\Scripts>(Get-DistributionGroupMember "All Staff").Count
2

Sure, we could build a script with a recursive function that expands the membership of any groups contained within other groups, and that would do the job. But that’s a bunch of code that isn’t necessary, because fortunately an Active Directory PowerShell cmdlet comes to the rescue. Get-ADGroupMember has a -Recursive switch to handle this for us.

[PS] C:\Scripts>(Get-ADGroupMember -Recursive "All Staff").Count
389

So let’s say that we want to produce a report of all distribution groups that contains their names, member counts, and managers as well (in case we need to discuss any restrictions on the group with the owner/manager). I’ve written a simple PowerShell script to do just that.

Download Get-DGMemberCounts.ps1 from Github

Here’s an example of the script running.

[PS] C:\Scripts>.\Get-DGMemberCounts.ps1
Payroll Team has 3 members
Public Folder Owners has 2 members
Head Office Staff has 386 members
All Staff has 389 members
Regional Office Staff has 4 members
All Office Meeting Rooms has 3 members
Deny Outgoing External Email has 1 members
ZTestExternal2 has 1 members
Security Team has 0 members
Social Club has 3 members
App_Tier2_ABCDEF has 1 members
DL_Alannah.Shaw has 2 members
DL_Mike.Ryan has 2 members
DL_ex2010test has 1 members

And the resulting CSV file.

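As an added example (not the author's Get-DGMemberCounts.ps1), the script below does the same job and also flags groups above a size threshold that still have no sender restrictions, so you know which managers to talk to first. It assumes the Exchange Management Shell with the ActiveDirectory module available; the threshold and output path are assumptions.

```powershell
# Added example, not the author's script: report every distribution group's recursive
# member count and managers, flag large groups that anyone can still send to, export CSV.
Import-Module ActiveDirectory

# Groups with at least this many recursive members are candidates for sender
# restrictions (threshold is an assumption; tune it for your organization).
$largeGroupThreshold = 100
$outputFile = ".\dg-member-counts.csv"

$report = foreach ($dg in (Get-DistributionGroup -ResultSize Unlimited)) {
    # Get-ADGroupMember -Recursive flattens nested groups and returns only the leaf
    # objects (users, contacts, computers), which is the number we actually care about.
    # Caveat: Active Directory Web Services returns at most 5000 members per query by
    # default (MaxGroupOrMemberEntries), so very large groups can appear capped at 5000.
    $members = Get-ADGroupMember -Identity $dg.DistinguishedName -Recursive -ErrorAction SilentlyContinue
    # Measure-Object gives 0 for no result and 1 for a single object; @($null).Count would give 1.
    $count = ($members | Measure-Object).Count

    # ManagedBy is multi-valued in Exchange 2010 and later; join the names so the
    # CSV keeps one row per group.
    $managers = ($dg.ManagedBy | ForEach-Object { $_.Name }) -join '; '

    Write-Host "$($dg.Name) has $count members"

    New-Object PSObject -Property @{
        Name             = $dg.Name
        PrimarySmtp      = $dg.PrimarySmtpAddress.ToString()
        MemberCount      = $count
        Managers         = $managers
        LargeGroup       = ($count -ge $largeGroupThreshold)
        # An empty AcceptMessagesOnlyFromSendersOrMembers list means anyone can send to it.
        SenderRestricted = (@($dg.AcceptMessagesOnlyFromSendersOrMembers).Count -gt 0)
    }
}

$report |
    Sort-Object MemberCount -Descending |
    Select-Object Name, PrimarySmtp, MemberCount, Managers, LargeGroup, SenderRestricted |
    Export-Csv -Path $outputFile -NoTypeInformation -Encoding UTF8

# The groups that most need a conversation with their managers: large and unrestricted.
$report | Where-Object { $_.LargeGroup -and -not $_.SenderRestricted } |
    Format-Table Name, MemberCount, Managers -AutoSize
```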

This article Get Distribution Group Member Counts with PowerShell is © 2015 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com


The Second Edition of Office 365 for Exchange Professionals is Coming (and How to Get a Free Copy)

In May 2015 the first edition of our ebook Office 365 for Exchange Professionals was released. Co-authored by Tony Redmond, Michael van Horenbeeck and me, and with Jeff Guillet providing technical editing, we covered Office 365 from the perspective of Exchange admins over 18 chapters containing 630 pages of content.

At the time we committed to updating the ebook to remain current with the changes occurring in Office 365 (450 in the last year, according to Microsoft), and we released several minor updates and corrections since May to achieve that. There have also been major new features launched that we spent time exploring and understanding, participating in Preview programs, exploring best practices, and then writing new sections for the ebook. In fact, there are now 150 new pages of content ready to be released in the 2nd edition (September 2015) of Office 365 for Exchange Professionals.

As Tony puts it…

The second edition contains 150 pages of new content together with a heap of changes, updates, refinements, and responses to questions asked by readers. We have extensive coverage of Office 365 Groups, Delve, the Compliance Center, and the Import Service and consider the eBook to be up to date with the current state of Office 365 – or as close as we can make it.

There’s also the new AADConnect tool, Mobile Device Management, Advanced Threat Protection, and more. All up it is a significant update and we’re looking forward to releasing the new edition next week.

When will it be available?

We’re currently planning to release Office 365 for Exchange Professionals, September 2015 Edition on the 16th September (US time), during the IT/Dev Connections conference in Las Vegas that all four of us will be speaking at.

To get your copy you can:

  • Buy the new edition in PDF and EPUB formats direct from Exchange Server Pro (in fact, you can pre-order it now and save 15%, and access the ebook files from September 16th)
  • Buy the new edition in Kindle format from the Amazon store (also available for pre-order now, and will be available to download from September 30th)

If you already own the May 2015 edition and you purchased direct from Exchange Server Pro you will get access to a discounted upgrade offer. Details will be sent out next week.

How to Get a Free Copy at IT/Dev Connections

If you’re planning to attend IT/Dev Connections next week you’ll have the chance to meet the author team and get one of 50 free copies of Office 365 for Exchange Professionals.

Binary Tree are hosting a special launch party for the new edition of the ebook on Wednesday, September 16th at 4:30pm. Get all the details and RSVP here. We’d love to see you there for a drink and to talk about Exchange and Office 365. Just remember to RSVP!

And I’ll see you in Las Vegas!



The Hunt for Missing Emails in an Exchange Server Environment

A lot of the comments and questions I receive here relate to situations where an admin is trying to locate missing emails and needs some advice on where to look. Hunting for missing emails is a task that many Exchange admins are asked to do on a regular basis. In most of the operations roles I’ve held during my career I would deal with at least one of these cases every day.

In this series of articles I’ll provide you with information and troubleshooting tips that will make the task of finding missing emails much simpler.

Understanding your Scenario

There is no single approach to locating missing emails in an Exchange Server environment, because most cases are different in some way. For example, is the email missing because it was sent from Person A to Person B but never arrived? Or is it missing because Person B received it but now can’t find it? Those scenarios are the same from an end user impact perspective – Person B doesn’t have the email message they need – but they are different from a troubleshooting perspective. One is a potential email delivery problem, the other is a potential data recovery scenario. And each one has a wide variety of possible root causes.

So the first step for you will be to clearly define the scope of the problem. It’s rare to receive a support ticket from your help desk team, or a report from end users, that contains 100% of the information you need. So there may be some questions you need to ask, such as:

  • Who sent the email?
  • Do they work for the same company or are they an external sender?
  • When was it sent?
  • Who did they send it to?
  • Did anyone else receive the email?
  • Have you been able to receive emails from that person before?
  • Are others around you still receiving emails?
  • Are you still receiving emails from other people, or are you receiving no emails at all?
  • Is this problem specific to one device, or are you not receiving emails anywhere (e.g. Outlook, OWA, mobile)?
  • Did the sender receive any error message or non-delivery report? (Not an easy one to answer if the sender is an external party)
  • If you had received the email and it has now disappeared, when did you notice it was gone? When was the last time you remember seeing it?
  • Does anyone else have access to your mailbox or account details (e.g. a delegate or assistant)?

If the person who reported the problem is available to speak to then they will usually be able to answer at least some of the questions above. If they can’t answer them all (e.g. they’re unsure about the time the email was sent) then you’ll just need to broaden your search to account for different possibilities. But I usually find that enough information comes out of a short conversation to add much needed clarity to the situation.

Basic Elimination

Depending on the answers you get to the questions you ask, you should go through a short process of elimination to rule out anything that the end user wasn’t able to confidently answer. For example, send them a test email from your own computer with a delivery receipt enabled, and make sure it is received in their Outlook as well as on their mobile device. With that one simple test you’ve ruled out multiple possible causes of the problem.

By the way, the delivery receipt when you are testing internal emails is important. For one thing, it means you can do the test without the other person being available to confirm delivery. It also means that you’ll know that the email was delivered successfully even if the end user claims it wasn’t (e.g. they have an inbox rule or some other issue preventing it from appearing in their Outlook or mobile device).

The more you can rule out quickly the easier your troubleshooting will be. However, don’t assume that anything you’ve ruled out in the initial part of the investigation should be completely ignored. At this stage you’re only trying to identify the best place to start looking. You may need to come back later to things that you ruled out and investigate those as well.

You should also consider what has changed (perhaps by you or your team) recently that may have contributed to the problem. Often we can make changes to the environment which take several days to emerge as a user-impacting problem, so make sure you consider all recent changes, not just those that occurred in the last day or so.

Understanding the Environment

To troubleshoot email delivery you need to have an understanding of the environment you’re working in and what the mail flow path should look like for the scenario you’re dealing with. Having a Transport diagram of your environment printed out on your desk or easily accessible on your computer is a good start. It should include notations for all devices or services that could impact connectivity along the way, such as firewalls, load balancers, security appliances, external smart hosts, and so on. Not only will this guide your troubleshooting but it will also highlight whether any other support teams may need to be involved in the case.

If you’re dealing with a new customer and you don’t have a diagram like that already then spend a few minutes at the start of the call finding out what’s involved in their mail flow and sketch yourself a quick diagram. It might sound a bit basic but I do recommend it. My notebooks are full of drawings like that from previous support cases.

An Example

Let’s take a look at a simple scenario of an external sender emailing a person in the organization. This organization is very simple, with just a single Exchange server receiving email directly from the internet via the firewall.

What could possibly go wrong?

In the simple scenario above a missing email case could be:

  • A delivery problem with emails from one or more external senders, which could be caused by a wide variety of problems with DNS, firewalls, internet routing, spam filters, block lists, and more.
  • An internal delivery problem within Exchange itself, which again has many possible root causes.
  • An email that has been moved or deleted from the user’s mailbox, which needs to be found or recovered from backup, and may also involve an investigation into when and how it was removed, and who removed it.

So even though it is a very simple scenario, there are many possibilities for what has caused the email to go missing.

Over a series of upcoming articles I’ll explore a variety of troubleshooting scenarios and some tips that will help you with your investigations into any case of missing emails.



Office 365 for Exchange Professionals (September 2015 Edition) Now Available

I’m pleased to announce that we’ve released the second edition of Office 365 for Exchange Professionals, known as the September 2015 edition, which is available now.

For a limited time the new edition is available with a 15% discount. Find out more here.

If you’re an existing customer of the May edition of the ebook, the new edition contains an additional 150 pages of content for new features that have recently appeared in Office 365. You can log in to the members page here where you’ll see a link you can click on to receive a discounted upgrade to the new edition.

The Kindle version will be available on September 30th and can be pre-ordered here.

Thanks to our sponsor Binary Tree we held a launch event at IT/Dev Connections with the opportunity to enjoy a beer and a chat about Office 365 with the authors and other MVPs. Thanks to everyone who came along, we hope you enjoy reading the ebook.

Since it’s an ebook, we ended up signing the USB keys that were used to give away free copies to those who came to the launch party, which was good for a laugh.

Binary Tree also kindly organised a printed copy for us to sign. A one of a kind!

Order your copy of Office 365 for Exchange Professionals before September 30th and save 15%.



Exchange Server 2013 Cumulative Update 10 Released

Microsoft has released Cumulative Update 10 for Exchange Server 2013.

From the Microsoft Exchange Team blog:

The release includes fixes for customer reported issues, minor product enhancements and previously released security bulletins, including MS15-103.

Cumulative Update 10 does not include updates to Active Directory Schema, but does include additional RBAC definitions requiring PrepareAD to be executed prior to upgrading any servers to CU10. PrepareAD will run automatically during the first server upgrade if Setup detects this is required and the logged on user has sufficient permission.

The updates released today are important pre-requisites for customers with existing Exchange deployments who will deploy Exchange Server 2016. Cumulative Update 10 is the minimum version of Exchange Server 2013 which will co-exist with Exchange Server 2016.

Cumulative Update 10 is available for download here.

For deployment steps refer to this guide to installing cumulative updates for Exchange Server 2013.



Exchange Server 2010 Service Pack 3 Update Rollup 11 Released

Microsoft has released Update Rollup 11 for Exchange Server 2010 Service Pack 3.

From the Microsoft Exchange Team blog:

This release provides an important fix for an Information Store crash when customers are upgrading their Lync server infrastructure to Skype for Business. Exchange Server 2010 is in extended support and will receive security and time zone fixes on-demand on a go-forward basis.

Exchange Server 2010 Service Pack 3 Update Rollup 11 is the minimum version of Exchange Server 2010 which will be supported in a coexistence deployment with Exchange Server 2016.

Update Rollup 11 can be downloaded from Microsoft here.

The standard order of deployment for Exchange Server 2010 updates applies.

  1. Client Access servers, starting with the internet-facing ones. See this article for how to patch a CAS array.
  2. Hub Transport servers
  3. Unified Messaging servers
  4. Mailbox servers. See this article for how to patch a Database Availability Group.
  5. Edge Transport servers


Troubleshooting SMTP Connectivity from External Senders

In this article we’re going to look at troubleshooting email delivery problems from external senders, focusing on SMTP connectivity. To begin with we’ll use a simple scenario of an external sender emailing a person in the organization. This organization is very simple, with just a single Exchange server receiving email directly from the internet via the firewall.

For reports of email that has gone missing in transit I generally start my search closest to the source. In this case that would mean taking an “outside in” approach to troubleshooting the SMTP connectivity from external senders.

Usually the external email server is one that you will have no access to for troubleshooting, but that doesn’t mean you can’t do your own external testing.

  • Are your MX records configured correctly?
  • Is your firewall accepting connections on TCP port 25, and NATing them to the Exchange server?
  • Is your Exchange server accepting connections on TCP port 25? Protocol logging is useful for looking at this on the Exchange server.
  • Is your Exchange server accepting email submissions? A common issue here is back pressure.

You can test each of those things individually with simple tools like Telnet and nslookup, but during the initial investigation one quick way to test all of them is to use the Inbound SMTP Email test from the Remote Connectivity Analyzer. Send yourself an email from the RCA, which will actually send one email to each of your MX records (so if you have two MX records you’ll receive two test messages, and so on).

A successful inbound SMTP test will confirm that an MX record can be found, an SMTP connection to that MX record was possible, and the test email was submitted successfully. It will also test your MX record for open relay issues. But don’t just assume a green tick is good. You still need to look at the results carefully.

  • What if your MX record is pointing to the wrong DNS name? Perhaps you’ve recently changed MX records for a migration.
  • What if that DNS name is resolving to the wrong IP address?

In more complex routing topologies you may also need to consider:

  • What if the server it’s connecting to is your inbound email security appliance (or a cloud hosted service), not your Exchange server, and the emails are getting stuck there?
  • What if the inbound SMTP connections are being load balanced, and the test happens to have been load balanced to a healthy server instead of an unhealthy server?

You’ll be able to answer some of the above simply by the fact of whether the test email messages arrived in your inbox or not. If they did not arrive then clearly there is a problem somewhere that needs further investigation. For example, you may need to look in the logs or queues of your email security appliance/service.

If the test email messages did arrive, you can check the message headers to verify that they took the route you were expecting and that there were no significant delays.

If the test email has not arrived, and you’ve eliminated all of the potential causes above (MX records, firewall ports) then you can also check the protocol logs on the Exchange server itself to confirm that the SMTP connections are hitting the Exchange server, and whether the Exchange server is accepting or rejecting them. Protocol logging needs to be enabled on each receive connector on the server that you want to log for troubleshooting purposes. My tip here is to always enable it so that you have the log data already being generated when it comes to troubleshooting scenarios.

You can use the protocol logs to verify any combination of problem scenarios, such as:

  • Inbound SMTP from all external senders is working (i.e. no rejections or SMTP errors visible in the protocol logs for that time/date)
  • Inbound SMTP from some external senders is working (i.e. you can see successful connections for some senders, but not for the sender that was reported to you in the support ticket)
  • Inbound SMTP is not working for any external senders (i.e. the ExRCA test and all other inbound SMTP traffic seems to be getting rejected with errors, or not connecting at all which may be due to DNS or firewall issues)

Assuming that inbound SMTP connections look healthy you can progress onto other troubleshooting such as message tracking.
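The checks above, scripted as an added example that is not part of the original article: an outside-in look at MX records and TCP 25 reachability, then the server side (protocol logging switched on for every receive connector, recent back pressure events, and rejected sessions pulled out of the SMTP receive protocol logs). It assumes PowerShell 4 or later for Resolve-DnsName and Test-NetConnection, the Exchange Management Shell on an Exchange 2013 server, and that the domain and remote IP you pass in are your own; the function names are mine.

```powershell
# Added example, not from the article. Outside-in inbound SMTP checks, then on-server
# protocol log review. Function names, $Domain and $RemoteIp values are assumptions.

function Test-InboundMx {
    param([Parameter(Mandatory)][string]$Domain, [int]$Port = 25)

    # Resolve-DnsName -Type MX also returns additional A records; keep only the MX entries.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
    if (-not $mx) { Write-Warning "No MX records found for $Domain"; return }

    foreach ($record in $mx) {
        # Does the MX host name still resolve to the address you expect (e.g. after a migration)?
        $ips = (Resolve-DnsName -Name $record.NameExchange -Type A -ErrorAction SilentlyContinue).IPAddress
        # Is TCP 25 open through the firewall/NAT from where you are testing?
        $tcp = Test-NetConnection -ComputerName $record.NameExchange -Port $Port -WarningAction SilentlyContinue
        New-Object PSObject -Property @{
            MxHost     = $record.NameExchange
            Preference = $record.Preference
            Addresses  = ($ips -join ', ')
            PortOpen   = $tcp.TcpTestSucceeded
        }
    }
}

function Enable-ReceiveProtocolLogging {
    param([string]$Server = $env:COMPUTERNAME)
    # Turn it on for every receive connector so the log data already exists when you need it.
    Get-ReceiveConnector -Server $Server |
        Where-Object { $_.ProtocolLoggingLevel -ne 'Verbose' } |
        Set-ReceiveConnector -ProtocolLoggingLevel Verbose
}

function Get-BackPressureEvents {
    param([int]$Hours = 24)
    # MSExchangeTransport logs 15004 (resource pressure increased), 15005 (decreased),
    # 15006 (disk space) and 15007 (memory) when back pressure changes submission behaviour.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchangeTransport'
        Id = 15004, 15005, 15006, 15007; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Get-SmtpReceiveRejections {
    param(
        [string]$RemoteIp,   # optional: narrow the search to one external sender's IP
        [string]$LogPath = (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive')
    )
    # Receive protocol logs are CSV files with '#'-prefixed header lines; the '#Fields:'
    # line names these columns, so we supply them ourselves and skip the header lines.
    $fields = 'date-time', 'connector-id', 'session-id', 'sequence-number', 'local-endpoint',
              'remote-endpoint', 'event', 'data', 'context'
    Get-ChildItem -Path $LogPath -Filter '*.log' | ForEach-Object {
        Get-Content $_.FullName | Where-Object { $_ -notlike '#*' } | ConvertFrom-Csv -Header $fields
    } | Where-Object {
        # '>' means our server sent this line; a 4xx/5xx reply is a temporary or permanent rejection.
        $_.event -eq '>' -and $_.data -match '^[45]\d\d' -and
        (-not $RemoteIp -or $_.'remote-endpoint' -like "$RemoteIp*")
    } | Select-Object 'date-time', 'connector-id', 'remote-endpoint', 'data'
}

# Typical run, outside in (domain and sender IP are assumptions):
Test-InboundMx -Domain 'example.com' | Format-Table MxHost, Preference, Addresses, PortOpen -AutoSize
Enable-ReceiveProtocolLogging
Get-BackPressureEvents -Hours 24 | Format-Table -AutoSize
Get-SmtpReceiveRejections -RemoteIp '203.0.113.5' | Format-Table -AutoSize
```

Test-InboundMx only proves reachability from wherever you run it, so run it from outside the corporate network (or use the RCA) before concluding the firewall is fine.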



Use Admin Audit Logging to Track Changes Made by Administrators

Who changed that email address policy? Who dismounted that database? Who granted that person access to the CEO’s mailbox?

As an Exchange administrator those are all the type of questions you could be asked quite regularly, especially if you work in a large IT team with many administrators making changes on a daily basis.

Fortunately, ever since Exchange Server 2010 we’ve been able to answer those questions using administrator audit logging. Admin audit logging captures all changes made by administrators using the Exchange management tools (PowerShell cmdlets, or the Exchange Admin Center). Only commands that make changes are logged, for example Remove-Mailbox, whereas commands that do not cause changes are not logged, such as Get-Mailbox.

Configuring Administrator Audit Logging

Admin audit logging has the following default configuration.

  • Admin audit logging is enabled.
  • 90 days of log retention.
  • All cmdlets that can make modifications are audited.
  • All parameters of the above cmdlets are logged.
  • Test cmdlets (such as Test-MAPIConnectivity) are not logged.
  • Log level of “none”, which doesn’t mean nothing is logged, it just logs details of the command that was run, who ran it, and which object they modified. The other option is “verbose” which also logs the old and new properties of the object that were modified by the command.

Admin audit logging can be disabled, or the config modified to limit the cmdlets or parameters that are audited, or to modify the log retention period. For this reason you should limit the ability of administrators in your organization to modify the admin audit log settings. By default this right is granted to members of Organization Management and Records Management. I recommend you review your RBAC role group membership to ensure that only the most trusted administrators are members of those groups.

Note that any changes made to the admin audit log config are logged in the admin audit logs, regardless of whether admin audit logging is enabled or disabled. So in theory you should see evidence of any tampering that has occurred.

Searching Administrator Audit Logs

Admin audit logs are reasonably simple to search using the Exchange management shell. There are a few different approaches you can take:

  • Search for a specific cmdlet or cmdlets
  • Search within a specific date range
  • Search for actions taken by a specific administrator
  • Search for actions taken against a specific object

You can also combine the above by using multiple parameters in your search.

Let’s take a look at a simple example – someone has granted the user Alex Heyne access to the CEO Alannah Shaw’s mailbox. We know this is done using the Add-MailboxPermission cmdlet, so we can use the -Cmdlets parameter for Search-AdminAuditLog to run the search.

[PS] C:\>Search-AdminAuditLog -Cmdlets Add-MailboxPermission
RunspaceId         : f6553abe-9d57-40bc-8e43-dc919bea2b50
ObjectModified     : exchange2013demo.com/ExchangeUsers/Alannah.Shaw
CmdletName         : Add-MailboxPermission
CmdletParameters   : {User, AccessRights, Identity}
ModifiedProperties : {}
Caller             : exchange2013demo.com/Users/Administrator
ExternalAccess     : False
Succeeded          : True
Error              :
RunDate            : 22/09/2015 4:35:33 PM
OriginatingServer  : SYDEX2 (15.00.1076.011)
Identity           : AAMkADI1NGQyZjhiLTFkYTAtNDhmYy05OTBiLTU4MGZlODY0MDQ3NgBGAAAAAAAkqZy/nl4jSa4VBIka73bMBwCEoBRTwPA6QK
                     t9HgzDn/p6AAAAAAEYAACEoBRTwPA6QKt9HgzDn/p6AACUBtrhAAA=
IsValid            : True
ObjectState        : New

Another approach for the same scenario would be to look for modifications to the object “Alannah.Shaw” by using the -ObjectIds parameter. In this example it gives us exactly the same result, but you can imagine that other modifications may have been made to the same object and that multiple log entries would appear in many real world environments.

[PS] C:\>Search-AdminAuditLog -ObjectIds Alannah.Shaw
RunspaceId         : f6553abe-9d57-40bc-8e43-dc919bea2b50
ObjectModified     : exchange2013demo.com/ExchangeUsers/Alannah.Shaw
CmdletName         : Add-MailboxPermission
CmdletParameters   : {User, AccessRights, Identity}
ModifiedProperties : {}
Caller             : exchange2013demo.com/Users/Administrator
ExternalAccess     : False
Succeeded          : True
Error              :
RunDate            : 22/09/2015 4:35:33 PM
OriginatingServer  : SYDEX2 (15.00.1076.011)
Identity           : AAMkADI1NGQyZjhiLTFkYTAtNDhmYy05OTBiLTU4MGZlODY0MDQ3NgBGAAAAAAAkqZy/nl4jSa4VBIka73bMBwCEoBRTwPA6QK
                     t9HgzDn/p6AAAAAAEYAACEoBRTwPA6QKt9HgzDn/p6AACUBtrhAAA=
IsValid            : True
ObjectState        : New

Searches can be limited to specific date ranges. Here’s how to search for modifications made by “Administrator” in the last 30 days.

[PS] C:\>Search-AdminAuditLog -UserIds Administrator -StartDate (Get-Date).AddDays(-30)

A lot of results were returned, so I haven’t displayed them. But let’s say that I wanted to know just the object IDs that “Administrator” had modified in the last 30 days.

[PS] C:\>$logentries = Search-AdminAuditLog -UserIds Administrator -StartDate (Get-Date).AddDays(-30)
[PS] C:\>$logentries.ObjectModified
SYDEX2
SYDEX2\mapi (Default Web Site)
SYDEX2\OAB (Default Web Site)
SYDEX2\EWS (Default Web Site)
SYDEX2\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX2\ecp (Default Web Site)
SYDEX2\owa (Default Web Site)
SYDEX2\Rpc (Default Web Site)
SYDEX1
SYDEX1\mapi (Default Web Site)
SYDEX1\OAB (Default Web Site)
SYDEX1\EWS (Default Web Site)
SYDEX1\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX1\ecp (Default Web Site)
SYDEX1\owa (Default Web Site)
SYDEX1\Rpc (Default Web Site)
SYDEX2
SYDEX2\mapi (Default Web Site)
SYDEX2\OAB (Default Web Site)
SYDEX2\EWS (Default Web Site)
SYDEX2\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX2\ecp (Default Web Site)
SYDEX2\owa (Default Web Site)
DB04\MELEX1
SYDEX2\Rpc (Default Web Site)
SYDEX1
SYDEX1\mapi (Default Web Site)
SYDEX1\OAB (Default Web Site)
SYDEX1\EWS (Default Web Site)
SYDEX1\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX1\ecp (Default Web Site)
SYDEX1\owa (Default Web Site)
SYDEX1\Rpc (Default Web Site)
DB03\MELEX1
SYDEX2\owa (Default Web Site)
SYDEX1
SYDEX1\mapi (Default Web Site)
SYDEX1\OAB (Default Web Site)
SYDEX1\EWS (Default Web Site)
SYDEX1\Microsoft-Server-ActiveSync (Default Web Site)
SYDEX1\ecp (Default Web Site)
DB01\MELEX1
DB04\MELEX1
DB03\MELEX1
DB02\MELEX1
DB01\MELEX1
MELEX2
MELEX1
SYDEX2
SYDEX1

Looks like “Administrator” has been messing with virtual directories and databases. Let’s make it even more useful and look at the time stamp, cmdlet, and objects modified by “Administrator” in the last 30 days.

[PS] C:\>$logentries | Select RunDate,CmdletName,CmdletParameters,ObjectModified
RunDate                       CmdletName                    CmdletParameters              ObjectModified
-------                       ----------                    ----------------              --------------
27/08/2015 11:51:35 AM        Set-ClientAccessServer        {AutoDiscoverServiceIntern... SYDEX2
27/08/2015 11:51:33 AM        Set-MapiVirtualDirectory      {ExternalUrl, InternalUrl,... SYDEX2\mapi (Default Web S...
27/08/2015 11:51:19 AM        Set-OabVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX2\OAB (Default Web Site)
27/08/2015 11:50:51 AM        Set-WebServicesVirtualDire... {ExternalUrl, InternalUrl,... SYDEX2\EWS (Default Web Site)
27/08/2015 11:49:55 AM        Set-ActiveSyncVirtualDirec... {ExternalUrl, InternalUrl,... SYDEX2\Microsoft-Server-Ac...
27/08/2015 11:48:56 AM        Set-EcpVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX2\ecp (Default Web Site)
27/08/2015 11:47:39 AM        Set-OwaVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX2\owa (Default Web Site)
27/08/2015 11:46:13 AM        Set-OutlookAnywhere           {DefaultAuthenticationMeth... SYDEX2\Rpc (Default Web Site)
27/08/2015 11:46:02 AM        Set-ClientAccessServer        {AutoDiscoverServiceIntern... SYDEX1
27/08/2015 11:46:02 AM        Set-MapiVirtualDirectory      {ExternalUrl, InternalUrl,... SYDEX1\mapi (Default Web S...
27/08/2015 11:46:01 AM        Set-OabVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX1\OAB (Default Web Site)
27/08/2015 11:45:59 AM        Set-WebServicesVirtualDire... {ExternalUrl, InternalUrl,... SYDEX1\EWS (Default Web Site)
27/08/2015 11:45:57 AM        Set-ActiveSyncVirtualDirec... {ExternalUrl, InternalUrl,... SYDEX1\Microsoft-Server-Ac...
27/08/2015 11:45:53 AM        Set-EcpVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX1\ecp (Default Web Site)
27/08/2015 11:45:47 AM        Set-OwaVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX1\owa (Default Web Site)
27/08/2015 11:45:40 AM        Set-OutlookAnywhere           {DefaultAuthenticationMeth... SYDEX1\Rpc (Default Web Site)
27/08/2015 11:40:03 AM        Set-ClientAccessServer        {AutoDiscoverServiceIntern... SYDEX2
27/08/2015 11:40:01 AM        Set-MapiVirtualDirectory      {ExternalUrl, InternalUrl,... SYDEX2\mapi (Default Web S...
27/08/2015 11:39:47 AM        Set-OabVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX2\OAB (Default Web Site)
27/08/2015 11:39:25 AM        Set-WebServicesVirtualDire... {ExternalUrl, InternalUrl,... SYDEX2\EWS (Default Web Site)
27/08/2015 11:38:34 AM        Set-ActiveSyncVirtualDirec... {ExternalUrl, InternalUrl,... SYDEX2\Microsoft-Server-Ac...
27/08/2015 11:37:34 AM        Set-EcpVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX2\ecp (Default Web Site)
27/08/2015 11:36:06 AM        Set-OwaVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX2\owa (Default Web Site)
27/08/2015 11:35:59 AM        Update-MailboxDatabaseCopy    {DeleteExistingFiles, Conf... DB04\MELEX1
27/08/2015 11:34:38 AM        Set-OutlookAnywhere           {DefaultAuthenticationMeth... SYDEX2\Rpc (Default Web Site)
27/08/2015 11:34:26 AM        Set-ClientAccessServer        {AutoDiscoverServiceIntern... SYDEX1
27/08/2015 11:34:25 AM        Set-MapiVirtualDirectory      {ExternalUrl, InternalUrl,... SYDEX1\mapi (Default Web S...
27/08/2015 11:34:24 AM        Set-OabVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX1\OAB (Default Web Site)
27/08/2015 11:34:21 AM        Set-WebServicesVirtualDire... {ExternalUrl, InternalUrl,... SYDEX1\EWS (Default Web Site)
27/08/2015 11:34:18 AM        Set-ActiveSyncVirtualDirec... {ExternalUrl, InternalUrl,... SYDEX1\Microsoft-Server-Ac...
27/08/2015 11:34:12 AM        Set-EcpVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX1\ecp (Default Web Site)
27/08/2015 11:34:08 AM        Set-OwaVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX1\owa (Default Web Site)
27/08/2015 11:34:00 AM        Set-OutlookAnywhere           {DefaultAuthenticationMeth... SYDEX1\Rpc (Default Web Site)
27/08/2015 11:27:33 AM        Update-MailboxDatabaseCopy    {DeleteExistingFiles, Conf... DB03\MELEX1
27/08/2015 11:26:30 AM        Set-OwaVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX2\owa (Default Web Site)
27/08/2015 11:25:14 AM        Set-ClientAccessServer        {AutoDiscoverServiceIntern... SYDEX1
27/08/2015 11:25:07 AM        Set-MapiVirtualDirectory      {ExternalUrl, InternalUrl,... SYDEX1\mapi (Default Web S...
27/08/2015 11:25:04 AM        Set-OabVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX1\OAB (Default Web Site)
27/08/2015 11:25:02 AM        Set-WebServicesVirtualDire... {ExternalUrl, InternalUrl,... SYDEX1\EWS (Default Web Site)
27/08/2015 11:24:59 AM        Set-ActiveSyncVirtualDirec... {ExternalUrl, InternalUrl,... SYDEX1\Microsoft-Server-Ac...
27/08/2015 11:24:47 AM        Set-EcpVirtualDirectory       {ExternalUrl, InternalUrl,... SYDEX1\ecp (Default Web Site)
27/08/2015 11:13:30 AM        Update-MailboxDatabaseCopy    {DeleteExistingFiles, Conf... DB01\MELEX1
27/08/2015 10:42:12 AM        Suspend-MailboxDatabaseCopy   {Identity}                    DB04\MELEX1
27/08/2015 10:42:11 AM        Suspend-MailboxDatabaseCopy   {Identity}                    DB03\MELEX1
27/08/2015 10:42:11 AM        Suspend-MailboxDatabaseCopy   {Identity}                    DB02\MELEX1
27/08/2015 10:42:09 AM        Suspend-MailboxDatabaseCopy   {Identity}                    DB01\MELEX1
26/08/2015 12:10:24 PM        Set-ExchangeServer            {ProductKey, Identity}        MELEX2
26/08/2015 12:10:23 PM        Set-ExchangeServer            {ProductKey, Identity}        MELEX1
26/08/2015 12:10:22 PM        Set-ExchangeServer            {ProductKey, Identity}        SYDEX2
26/08/2015 12:10:11 PM        Set-ExchangeServer            {ProductKey, Identity}        SYDEX1

Summary

As you can see, administrator audit logging contains a lot of valuable information to help you identify who has been making changes in your Exchange organization. You can also see why it is important to limit administrative rights to only the minimum that each IT team member needs to do their job.


This article Use Admin Audit Logging to Track Changes Made by Administrators is © 2015 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

     

Using Dynamic Public IP Addresses for Exchange Server


Every now and then I get a question relating to running an Exchange server on an internet connection that only has a dynamic public IP address available. This is most common when people are running an Exchange Server test environment at home with a residential, consumer-grade internet connection. But it also comes up occasionally for businesses running on those types of internet connections.

There are three challenges that present themselves here:

  • Inbound connections to the server such as OWA (HTTPS) or incoming email (SMTP) will stop working if the dynamic IP changes and the DNS records for your external URLs (such as the OWA URL) and MX records aren’t updated to the new IP address
  • Outbound mail flow from a dynamic IP will often be blocked due to IP reputation issues or spam block lists
  • Outbound mail flow will often be blocked by the ISP not allowing outbound SMTP connections from dynamic IP ranges

Each of those has a solution, and depending on your circumstances you may be able to solve them all, though I know that in some cases the problems can’t be overcome. Let’s take a look at the solutions anyway.

Inbound Connections to a Dynamic Public IP Address

First, the inbound connections. If you’re trying to learn about Exchange Server then having inbound connectivity to services such as Outlook Anywhere, OWA, and ActiveSync is helpful, and so is being able to establish inbound mail flow or to set up a Hybrid configuration with Office 365.

The solution I use for dynamic IP addresses is to sign up with a dynamic DNS provider. There are a variety of providers out there, some are free and some are paid. You can shop around and choose one you’re comfortable with. Most recently I used No-IP who have a free option.

I set up a free hostname similar to “mytestlab.no-ip.org”. My DSL router includes a feature that will automatically update No-IP with my new public IP address each time it changes (as an alternative, they provide a client that you can install to handle this). If my IP doesn’t change for 30 days then I simply click a link in an email that No-IP sends me to re-confirm that I am using the hostname. If you want to avoid that 30 day confirmation process their paid plans are very inexpensive, and you can even use them to host your own domain name.

However, I don’t use that free hostname for my Exchange namespaces. Instead, I set up my Exchange namespaces (such as “mail.exchange2013demo.com”) as CNAME records in DNS that alias to the “mytestlab.no-ip.org” hostname. This allows me to still acquire SSL certificates for my Exchange server because I am the owner of exchange2013demo.com, whereas I am not the owner of no-ip.org and therefore can’t buy SSL certificates for hostnames in that domain.

[Image: Using a dynamic DNS provider for external access to Exchange Server]

The same applies to my MX records. I configure a normal MX record pointing at a hostname such as mail.exchange2013demo.com, and that hostname is itself an alias to the no-ip.org hostname.

So inbound connections to an Exchange Server on a dynamic public IP can work by using:

  • A dynamic DNS provider
  • A DSL router that supports the dynamic DNS provider, or the provider’s downloadable client software
  • CNAME records in DNS for my namespaces and MX records that alias to the dynamic hostname

I have not encountered any issues with this approach, so it should work for test environments and even for real production environments, though I generally wouldn’t recommend it for production.
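A check for the DNS setup described above, added here as an example rather than taken from the original article: it confirms that each namespace and the MX target alias to the dynamic hostname, and that the hostname still resolves to the router’s current public IP. The namespaces and the public IP value are assumptions.

```powershell
# Added example (not from the original article). Checks that each Exchange namespace and the
# MX target are CNAME aliases to the dynamic DNS hostname, and that the hostname currently
# resolves to the public IP the ISP has assigned. Uses Resolve-DnsName from the DnsClient
# module (Windows 8 / Windows Server 2012 and later). Names and addresses are placeholders.

$DynamicHost     = "mytestlab.no-ip.org"                 # dynamic DNS hostname used in the article
$MailDomain      = "exchange2013demo.com"
$Namespaces      = @("mail.exchange2013demo.com",
                     "autodiscover.exchange2013demo.com") # assumed Exchange namespaces
$CurrentPublicIp = "203.0.113.10"                        # placeholder: read this from your router

function Get-CnameTarget {
    param([Parameter(Mandatory)][string]$Name)
    # Ask for the CNAME only, so we see the alias rather than the address it resolves to
    $record = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq "CNAME" } | Select-Object -First 1
    if ($record) { $record.NameHost } else { $null }
}

function Test-DynamicDnsAliases {
    param([string[]]$Names, [string]$Target)
    foreach ($name in $Names) {
        $alias     = Get-CnameTarget -Name $name
        $aliasText = if ($alias) { $alias } else { "(no CNAME)" }
        $result    = if ($alias -eq $Target) { "OK" } else { "CHECK: expected alias to $Target" }
        [PSCustomObject]@{
            Name   = $name
            Alias  = $aliasText
            Result = $result
        }
    }
}

# The MX record names a host; that host (not the MX record itself) must be the CNAME alias
$mxTargets = Resolve-DnsName -Name $MailDomain -Type MX -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq "MX" } | ForEach-Object { $_.NameExchange }

Test-DynamicDnsAliases -Names ($Namespaces + $mxTargets) -Target $DynamicHost | Format-Table -AutoSize

# Finally, catch a stale dynamic DNS update: compare the hostname's A record with the current public IP
$resolvedIp = Resolve-DnsName -Name $DynamicHost -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq "A" } | Select-Object -First 1 -ExpandProperty IPAddress
if ($resolvedIp -ne $CurrentPublicIp) {
    Write-Warning "Dynamic DNS is stale: $DynamicHost resolves to '$resolvedIp' but the current public IP is $CurrentPublicIp"
} else {
    Write-Host "Dynamic DNS is current: $DynamicHost -> $resolvedIp"
}
```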

Outbound Connections from a Dynamic Public IP Address

Outbound connections tend to be more troublesome because there are two common issues. The solution for both is the same; it just depends on whether your ISP supports it.

At the heart of the issue is how untrustworthy the dynamic IP address ranges for residential/consumer ISPs are, given their history of residential computers being compromised and used as botnets to spread spam, malware, or DDoS attacks. Any email sent from such an IP address is likely to be junked or blocked entirely during the initialization of the SMTP connection.

Another factor is that many ISPs block outbound SMTP connections from their customers to the internet at large, only allowing them to specific hosts such as the ISP’s own SMTP servers.

While this isn’t a big deal for a test lab that just wants to send some test messages, it is nice to see that your outbound email actually works, so if you can get around it with minimal effort then it’s worth it.

The basic solution is to configure your outgoing email to use the ISP server as a smart host.

[Image: Sending outbound email directly vs sending via a smart host]

If your ISP does not provide a smart host, and offers no way to request an exception to the rules, then you may be out of luck. I have seen some people get around this using a VPN tunnel and a smart host service, so all is not lost, but it makes things more complex overall.
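The smart host configuration described above, added here as an example and not taken from the original article: it lists the connectors that still deliver directly by MX lookup, then creates one that relays through the ISP. The connector name, smart host name and port are assumptions; SYDEX1 is a server name from the audit log earlier on this page.

```powershell
# Added example (not from the original article). Lists send connectors that still deliver
# directly by MX lookup, then creates a connector that relays via the ISP smart host instead.
# Connector name, smart host name and port are placeholders; SYDEX1 is a server name from
# the audit log earlier on this page.

# 1. Direct delivery: from a dynamic IP these are the connectors whose mail gets junked or blocked
Get-SendConnector | Where-Object { $_.DNSRoutingEnabled } |
    Format-Table Name, DNSRoutingEnabled, SmartHosts, SourceTransportServers -AutoSize

# 2. Relay through the ISP instead. Most ISP relays require authentication, so prompt for the
#    account rather than embedding a password in the script.
$IspCredential = Get-Credential -Message "ISP SMTP relay account (placeholder)"

$connector = @{
    Name                     = "Internet via ISP smart host"   # assumed connector name
    AddressSpaces            = "*"                              # all external domains
    SourceTransportServers   = "SYDEX1"
    DNSRoutingEnabled        = $false                           # never attempt MX delivery from the dynamic IP
    SmartHosts               = "smtp.isp.example"               # placeholder: the ISP's outbound relay
    SmartHostAuthMechanism   = "BasicAuthRequireTLS"            # credentials are only sent over TLS
    AuthenticationCredential = $IspCredential
    Port                     = 587                              # submission port; use 25 if the ISP relay expects it
}
New-SendConnector @connector

# 3. Verify the result: DNSRoutingEnabled must be False and SmartHosts must be populated
Get-SendConnector -Identity $connector.Name |
    Format-List Name, Enabled, DNSRoutingEnabled, SmartHosts, SmartHostAuthMechanism, Port
```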

If you’re trying to set up a Hybrid with Office 365 things become a bit harder. Although the Hybrid configuration itself can be set up, you’re likely to have your Hybrid mail flow from on-prem to the cloud rejected due to your dynamic IP address. You can request that the IP address be unblocked by Microsoft, which they’ll generally do without any problems, but the next time your dynamic IP address changes you could be blocked again. Still, for the sake of learning how Hybrid configurations are set up you may only need it working for a few days while you do your testing.

Summary

Those are my tips for running an Exchange Server on a dynamic IP address. They mostly apply to test environments. If you’re trying to run a production system on a dynamic IP you can expect some other concerns to arise, particularly around mail flow and things like managing SPF records, as well as optimizing your DNS record TTLs so that there is no lengthy disruption every time your IP address changes. So for production your mileage may vary, but for testing it is perfectly fine.

If you’ve got any additional tips you want to share with people from your own experience running Exchange on a dynamic IP address please leave a comment below.


This article Using Dynamic Public IP Addresses for Exchange Server is © 2015 ExchangeServerPro.com


Is Microsoft Outlook for iOS and Android the Best Mobile Email App for Business and Enterprise Users?


Microsoft Outlook is available for iOS and Android mobile devices. Outlook for iOS and Android was originally called Acompli, created by the company of the same name before they were acquired by Microsoft in December 2014. Microsoft re-branded Acompli and launched it as Outlook for iOS and Android in January 2015, and now generally refers to it as Microsoft Outlook as part of their consistent branding for Outlook across all platforms.

Managing Email, Not Just Accessing Email

A major gripe with many mobile email applications, particularly the native mail apps that ship with mobile operating systems like iOS and Android, is that they deliver only basic access to email and calendars. Very little functionality exists in those native apps to help end users manage their email, and historically many of the third party email apps for mobile devices have had poor user interfaces and have not improved productivity at all.

In a world where email is supposedly dead, yet more and more people are drowning in the ever increasing volume of email they receive, it is not surprising to see specialized mobile email applications arrive on the scene. These apps put features in the hands of users to allow them to manage their email better, sort through the noise, and (for some people) achieve “Inbox Zero”. This is a good thing for users, and I applaud Microsoft for getting into this space rather than live with the user experiences that other applications are providing.

I’ve been using Microsoft Outlook on my iPhone and iPad since it was released in January 2015, and it has won me over. Initially the experience was a little rough around the edges, but Microsoft has maintained a steady pace of updates and now Outlook is very fast and stable on my devices, and makes high volumes of email quite manageable.

So I’m happy with it from a functionality point of view, but does that make it suitable for enterprises who also need to assess mobile applications from a security point of view?

Security for Microsoft Outlook on iOS and Android

When Outlook launched there was a lot of noise made about the way that the application works, with particular concern around the storing of user credentials.

In short, Outlook for iOS and Android connects to a server or service hosted in the cloud. It does not connect directly to your corporate Exchange server, Office 365 tenant, or other email services (the app supports Outlook.com, Yahoo!, and Gmail).

When you configure an account in Outlook for iOS and Android you’re sending your encrypted credentials to the cloud service. The cloud service then connects to your mailbox on your behalf, accesses your email for the purposes of indexing and sorting (for example, to determine what should go in your “Focused” inbox view), and then the app on your mobile device downloads the messages from that cloud service.

[Image: Outlook for iOS and Android connectivity]

Here’s a more detailed explanation from Microsoft’s Javier Soltero (previously co-founder and CEO of Acompli):

Outlook uses OAuth for the accounts that support it (Outlook.com, OneDrive, Dropbox, Box, Gmail). For those not familiar, this provides us a way to access those cloud services without ever touching your password. For accounts that don’t support OAuth (Exchange ActiveSync, Yahoo, iCloud), we have to handle this differently.

When a user logs into Exchange and Office 365, we encrypt their password with a unique key that is specific to that user’s device and stored securely on it. The encrypted password is then passed along to Outlook’s cloud service and used to connect the accounts. Any time our service needs to present that password, it needs to have cooperation from the device in order to decrypt it using the key.

This architecture means that in order to gain access to your password, you would have to have access to both our cloud service and have physical access to the unlocked device. This applies to both us as well as anyone who would attempt to gain access from the outside.

As we continue to innovate on both our app and our service we will leverage alternative mechanisms such as OAuth as soon as they are available.

Cynics would say this is akin to a “man in the middle” attack. Which it is; except it is not malicious.

There are legitimate concerns to be had here for many enterprises.

  • Credential storage. The details are explained in the quote from Javier Soltero above. I trust Microsoft to securely store my data including my credentials, and so do thousands of organizations around the world (take Microsoft Account/Live ID, Office 365, DirSync with Password Sync as examples).
  • Corporate policy violation. Providing your user credentials to a third party is a breach of many IT usage policies, and the app doesn’t make clear to end users that this is occurring. In fact the typical end user would have no idea that this is happening.
  • Data is stored in the USA. For organizations with data sovereignty or regulatory issues with off-shore data storage this will be a problem.

Microsoft has committed to addressing these concerns as best they can as Outlook development continues. But given the reliance on this architecture for the features of the application itself, it’s pretty safe to assume that the architecture of Outlook for iOS and Android is not going to change, and that the cloud service acting as a proxy between the user and their mailbox will remain in place.

For enterprises that have a problem with any of the concerns above you can block or quarantine Outlook from your Exchange or Office 365 mailboxes by following the steps here to create an ActiveSync device access rule:

As for any concerns about long term credential storage, for example if an account becomes inactive, Microsoft has advised that the credentials for inactive accounts are purged after 24-72 hours.

Mobile Device Management for Outlook for iOS and Android

I spent some time examining Outlook for iOS and Android from a mobile device management perspective. I found a few interesting things that I wanted to expand on here.

Policy Compliance

Initially Outlook for iOS and Android would successfully connect to mailboxes that have ActiveSync mailbox policies in place that require things like PIN codes and device encryption, even if the mobile device itself did not meet those requirements. This is a classic example of a weakness in the ActiveSync protocol in that it basically trusts the device or app to be honest about its compliance with policies.

This is not automatically a problem. The default policies for Exchange 2013 and Office 365 are quite permissive and do not require PINs or device encryption. So any organization still running those default policy settings potentially has no problem with Outlook for iOS and Android’s behavior. On the other hand, I don’t know of any customers who would allow such a weak mobile device policy, and any that are still running that weak default policy tend to be unaware that they are doing so.

Today the Outlook application correctly enforces PIN/passcode requirements, but any users who installed the first version of the app and have not updated since then could still be avoiding policy compliance.

Device Associations

Due to the “man in the middle” approach being used with Outlook for iOS and Android there will only ever be one mobile device association visible for the user, no matter how many different devices they have installed the app on.

[Image: Outlook for iOS and Android app device associations]

This is fine, if a little awkward to report accurately on, until someone loses a device. Imagine an executive who has the app on their phone and tablet. The tablet is lost in the back of a taxi, but they still have their phone. The IT team has to make a decision – issue a remote wipe for the single “device”, which will wipe the account data from every device the app is installed on. Or, do nothing.

There’s no right answer there. But it does lead us into the next problem.

Remote Wipe Behavior

I was pleased to see that in my testing the remote wipe does actually work, and it does only remove the specific account from the Outlook for iOS and Android app. Other accounts configured in the app are untouched, as is the rest of the data on the device itself. This type of “selective wipe” is perfect for BYOD environments. But there’s still a problem with how it works with this app.

Unfortunately, in every test I have performed the app (or the cloud service in the middle) never reports back the result of the wipe. Whether or not the remote wipe request was successful, it remains in a “pending” state forever, or until the wipe request is removed.

In the earlier example of the executive with two devices this presents a problem. All their devices are blocked from connecting due to the remote wipe request. If they want to keep using their phone then the remote wipe request needs to be removed, without anyone knowing whether the lost tablet was successfully wiped.

There may be a workaround available whereby the app is completely removed and reinstalled, which gives it a new device ID and circumvents the problem. But that is still an awkward solution, and doesn’t solve the issue of the remote wipe result never being reported accurately.

Blocking Behavior

This falls more into the user experience side of things rather than being an architectural concern, but I’ll call it out here anyway.

When some versions of Outlook for iOS and Android are blocked, for example by using ActiveSync device access rules as mentioned earlier, the app interprets this as an authentication failure and re-prompts for credentials. The other option given to the user at that time is to delete the account from the app. However, it is not clear whether this deletes the account only from the app, or also from the cloud service that is storing credentials and polling for email on the user’s behalf.

Other mail apps such as the native Mail app on iOS simply interpret a block as a “failure to connect to server”, which is also not a great user experience but is possibly better than falling into a cycle of re-entering credentials or removing the account entirely.

Summary

In my view Microsoft has done the right thing in acquiring this application from Acompli and launching it as Outlook for iOS and Android. The world is crying out for better email management apps and Microsoft needs to be in this space. After a bumpy start the application has improved in terms of features, user experience, and security as Microsoft continues to release frequent updates.

I consider this application ready for enterprise. It has a few caveats that some organizations will consider deal breakers, but for most businesses Outlook on iOS and Android is good enough today to be considered a secure and user friendly mobile email application.


This article Is Microsoft Outlook for iOS and Android the Best Mobile Email App for Business and Enterprise Users? is © 2015 ExchangeServerPro.com


AirSync Recipient Not Found Exception when Remote Wiping a Mobile Device


When an administrator issues a remote wipe for a mobile device they may receive a warning message:

The user username who is currently logged on, isn’t a valid recipient.

[Image: AirSync recipient not found exception]

This error can occur when the administrative user you are logged in with does not have a mailbox. This can commonly occur in Exchange Online (Office 365) when using an account that is not mailbox-enabled for admin tasks so as not to consume an Office 365 license.

Despite the warning, the remote wipe is still successfully issued; however, as the admin account has no email address, the wipe result will not be sent as an email notification. If you wish to issue a remote wipe and receive the email notification of the result, you can use PowerShell and the Clear-MobileDevice cmdlet instead.
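One script serving both the Outlook for iOS and Android device-management points made earlier (single device association, access rules, wipe requests that never leave “pending”) and the Clear-MobileDevice workaround just described; this is an added example, not code from either article. It assumes the app reports a DeviceModel beginning with “Outlook” (confirm this with Get-MobileDevice in your own environment), and the mailbox, device ID and notification address are placeholders.

```powershell
# Added example (not from the original articles). Inventories Outlook for iOS and Android
# associations with their remote wipe state, creates a quarantine rule for the app, and issues
# a wipe that emails its result to an explicit address (so the admin account needs no mailbox).
# Assumptions: the app reports a DeviceModel starting with "Outlook" (confirm with Get-MobileDevice
# in your own environment); the mailbox, device ID and notification address are placeholders.

function Get-OutlookAppDeviceReport {
    param([string]$ModelPattern = "Outlook*")
    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceModel -like $ModelPattern } |
        ForEach-Object {
            $device = $_
            $stats  = Get-MobileDeviceStatistics -Identity $device.Identity
            # A wipe the app never acknowledges stays "pending" until the request is removed
            $wipeState = if (-not $stats.DeviceWipeRequestTime) { "None" }
                         elseif ($stats.DeviceWipeAckTime)     { "Acknowledged" }
                         else                                   { "Pending (no ack)" }
            [PSCustomObject]@{
                User            = $device.UserDisplayName
                DeviceId        = $device.DeviceId
                DeviceModel     = $device.DeviceModel
                AccessState     = $device.DeviceAccessState
                LastSuccessSync = $stats.LastSuccessSync
                WipeRequested   = $stats.DeviceWipeRequestTime
                WipeState       = $wipeState
            }
        }
}

function New-OutlookAppAccessRule {
    # Quarantine rather than block while you confirm the model string the app reports
    param(
        [string]$QueryString = "Outlook for iOS and Android",
        [ValidateSet("Allow", "Block", "Quarantine")][string]$AccessLevel = "Quarantine"
    )
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString $QueryString -AccessLevel $AccessLevel
}

function Invoke-TrackedRemoteWipe {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)][string]$NotifyAddress
    )
    $device = Get-MobileDevice -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
    if (-not $device) { throw "No device with ID '$DeviceId' is associated with mailbox '$Mailbox'" }
    # -NotificationEmailAddresses sends the wipe result here instead of to the (possibly absent) admin mailbox
    Clear-MobileDevice -Identity $device.Identity -NotificationEmailAddresses $NotifyAddress -Confirm:$false
}

# Usage (placeholder values)
Get-OutlookAppDeviceReport | Format-Table -AutoSize
# New-OutlookAppAccessRule -AccessLevel Quarantine
# Invoke-TrackedRemoteWipe -Mailbox "alan.reid" -DeviceId "ABC123DEF456" -NotifyAddress "admin@exchange2013demo.com"
```

Entries left in “Pending (no ack)” are the wipe requests the article describes; a quarantine rule is used in the example so that a mistaken model string surfaces as a quarantined device rather than a silent block.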


This article AirSync Recipient Not Found Exception when Remote Wiping a Mobile Device is © 2015 ExchangeServerPro.com


Exchange Server 2016 is Now Available


Microsoft has released Exchange Server 2016 RTM, available for download now. A public preview of Exchange Server 2016 has been available for customers to test and evaluate since July 2015.

Exchange Server 2016 represents Microsoft’s commitment to delivering an on-premises messaging product that “meets today’s business expectations.”

With the volume of email and other communications continuing to grow, people need tools that help them focus on what’s most important in their inboxes, schedules and interactions with others at work. And as the quantity of email data grows, so do the demands on IT to manage, preserve and protect it. To help you meet these challenges, we’ve deepened the integration between Exchange and other Office products, so your organization can be more productive and collaborate more effectively.

The key areas that Microsoft has focussed on with Exchange Server 2016 are:

  • Better collaboration – with Outlook 2016 and the new “Outlook on the web” (the new name for OWA) document sharing will be easier, replacing traditional email attachments with links to OneDrive for Business or SharePoint 2016 (currently in Preview).
  • Improved Outlook web experience – this is truly a big step forward for OWA (sorry, Outlook on the web) which I personally use about 50% of the time. The quick action “Archive” button is my favourite, as well as the pasting of in-line images. Emojis are nice as well I suppose.
  • Search – faster, more flexible, more intelligent. Search can always be better of course.
  • Extensibility – the add-in model for Outlook and Outlook on the web is in full swing. Interestingly the REST APIs have not made it into RTM, but we can likely expect to see those in a future update.
  • eDiscovery – an important addition is the ability to search, hold and export public folder content. Microsoft has moved through the five stages of grief over public folders and is now in the acceptance stage. Public folders, once considered deprecated, will be around for a long time and need the same compliance features as mailboxes.
  • Simplified architecture – combining Client Access and Mailbox services into a single server role greatly simplifies deployment and management. And the co-existence story for Exchange Server 2016 with Exchange 2013 and 2010 is set to make this one of the lowest friction upgrade paths in Exchange history.
  • High availability – many performance and stability improvements that have flowed down to the on-premises product from Microsoft’s ongoing experience running Exchange Online.

The new features are certainly interesting, but what about features that didn’t make the cut? A number of items that have been publicly discussed in Microsoft blog posts and sessions at Ignite are absent from Exchange 2016 RTM. Of course, all such information was subject to change before RTM. No doubt the primary driver here is to ensure features are fully developed and stable before shipping them in a future Cumulative Update for Exchange 2016.

A few of the missing features:

  • Search index from passive – the goal here is to have content indexes for passive database copies build/update from the passive database copy rather than replicate from the active database copy, which should reduce DAG replication traffic. No timeline on when this feature will appear.
  • Auto-expanding archives – the goal here is to have Exchange 2016 automatically provision additional archives for a user when their archive mailbox reaches 100 GB. This feature is still marked as “in development” on the Office 365 roadmap, so you should expect to wait at least until it is rolling out in Office 365 before it will appear in an on-premises CU.
  • Delayed lag playdown – lagged copy playdown will be enabled by default, causing lagged copies to automatically replay their log files and bring the database up to date if the DAG detects a loss of database redundancy, something that has reportedly avoided some potentially bad outage scenarios in Office 365. Delayed lag playdown will throttle that replay process based on the server workload, ensuring it does not overload the server.

It may be disheartening to see key features not make it into the RTM build. But on the other hand, most Exchange Server RTM builds are missing something that many of us would consider important. The quarterly update cycle (for now) with features shipping in Cumulative Updates should deliver these key features to us in the near future. But they have to be stable first.

Do you plan to deploy Exchange Server 2016? Let us know in the comments below.


This article Exchange Server 2016 is Now Available is © 2015 ExchangeServerPro.com


Can Exchange 2013 and Exchange 2016 Servers Be Added to the Same Database Availability Group?


Q: Can a Database Availability Group have a mix of Exchange Server 2013 and Exchange Server 2016 members?

A: No.

When information about Windows Server 10 began to emerge one of the interesting items was mixed-mode clusters, which will allow a rolling upgrade of the operating systems on cluster members without having to take the entire cluster offline or build an entirely new cluster. Naturally this led to speculation that Exchange might support mixed-mode DAGs as well.

While I agree that would be a terrific feature, Microsoft has clearly stated that it is not supported to run different versions of Exchange Server within the same DAG.

The problem right now is that Exchange Server 2016 RTM has shipped without the necessary blocks to prevent a customer from adding 2013 and 2016 servers to the same DAG. Microsoft has included information in the release notes for Exchange Server 2016 to clarify this.

Mailbox servers running different versions of Exchange can be added to the same database availability group

The Add-DatabaseAvailabilityGroupServer cmdlet and the Exchange Admin Center incorrectly allow an Exchange 2013 server to be added to an Exchange 2016-based database availability group (DAG), and vice versa. Exchange supports adding only Mailbox servers running the same version (Exchange 2013 versus Exchange 2016, for example) to a DAG. Additionally, the Exchange Admin Center displays both Exchange 2013 and Exchange 2016 servers in the list of servers available to add to a DAG. This could allow an administrator to inadvertently add a server running an incompatible version of Exchange to a DAG (for example, adding an Exchange 2013 server to an Exchange 2016-based DAG).

There is currently no workaround for this issue. Administrators must be diligent when adding a Mailbox server to a DAG.

So yes, it is technically possible today to do it, but it is completely unsupported to do so.
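Since RTM ships without the block, a wrapper that refuses a version mismatch before calling Add-DatabaseAvailabilityGroupServer is one way to be diligent; this is an added example, not Microsoft’s workaround, and the DAG and server names in it are placeholders.

```powershell
# Added example (not from the original article). Guards Add-DatabaseAvailabilityGroupServer so
# that a server whose Exchange version differs from the existing DAG members is refused, because
# Exchange 2016 RTM itself does not block it. DAG and server names are placeholders.

function Get-ExchangeMajorMinorVersion {
    param([Parameter(Mandatory)][string]$Server)
    # AdminDisplayVersion reads like "Version 15.1 (Build 225.42)": 15.0 = Exchange 2013, 15.1 = Exchange 2016
    $v = (Get-ExchangeServer -Identity $Server).AdminDisplayVersion
    "$($v.Major).$($v.Minor)"
}

function Add-DagServerSafely {
    param(
        [Parameter(Mandatory)][string]$DagName,
        [Parameter(Mandatory)][string]$Server
    )
    $dag        = Get-DatabaseAvailabilityGroup -Identity $DagName
    $newVersion = Get-ExchangeMajorMinorVersion -Server $Server

    # Every existing member must run the same major.minor version as the server being added
    foreach ($member in $dag.Servers) {
        $memberVersion = Get-ExchangeMajorMinorVersion -Server $member.Name
        if ($memberVersion -ne $newVersion) {
            throw "Refusing to add $Server (Exchange $newVersion) to $DagName: member $($member.Name) runs Exchange $memberVersion. Mixed-version DAGs are not supported."
        }
    }

    Add-DatabaseAvailabilityGroupServer -Identity $DagName -MailboxServer $Server
}

# Usage (placeholder names)
# Add-DagServerSafely -DagName "DAG1" -Server "MELEX3"
```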

This definitely wins the award for Bug That Should Never Have Shipped in RTM.


This article Can Exchange 2013 and Exchange 2016 Servers Be Added to the Same Database Availability Group? is © 2015 ExchangeServerPro.com


Podcast Episode 2: Active Directory Federation Services (AD FS) with Chris Brown


My guest for this episode of the Exchange Server Pro podcast is Chris Brown.

Chris is an IT consultant living and working in Melbourne. A reformed Exchange Server administrator, he works with customers all across Australia and spends most of his time on Office 365 Identity Management, Exchange Online, and Active Directory.

In this episode we discuss Active Directory Federation Services (AD FS) for Office 365 identity management.

Subscribe on iTunes, Stitcher, or RSS.

Links:


This article Podcast Episode 2: Active Directory Federation Services (AD FS) with Chris Brown is © 2015 ExchangeServerPro.com


Podcast Episode 3: Exchange Server 2016 RTM with Andrew Higginbotham


My guest for this episode is Andrew Higginbotham.

Andrew is a Microsoft Certified Master in Exchange 2010 and a Microsoft Certified Solutions Master in Exchange 2013. He is also an Exchange Server MVP. Andrew works for Dell as a principal engineer in the Global Support and Deployment organization.

In this episode Andrew and I discuss the release of Exchange Server 2016 RTM, new features for customers to look forward to, some features that didn’t make it into the RTM release, and a few cautionary notes to beware of.

Subscribe on iTunes, Stitcher, or RSS.

Links:


This article Podcast Episode 3: Exchange Server 2016 RTM with Andrew Higginbotham is © 2015 ExchangeServerPro.com


Which Edition of Exchange Server 2016 to Deploy?


If you’re planning an Exchange Server 2016 deployment you will need to consider which edition of the product to deploy on your servers.

For Exchange Server 2016 there are two editions of the server product itself, and there is only one difference between them: the number of mounted databases per server.

  • Exchange Server 2016 Standard Edition – maximum of 5 mounted databases per server
  • Exchange Server 2016 Enterprise Edition – maximum of 100 mounted databases per server

Microsoft’s definition of a “mounted database” is:

A mounted database can be an active mailbox database that is mounted for use by clients, or a passive mailbox database that is mounted in recovery for log replication and replay. While you can create more databases than the limits described above, you can only mount the maximum number specified above. The recovery database does not count towards this limit.

Here are a few examples. In the first, a single Mailbox server running Standard Edition has 5 mailbox databases. All 5 databases will be able to mount, and an additional recovery database can also be created and mounted for any data restoration scenarios.

[Image: Exchange 2016 Standard Edition with 5 mailbox databases]

The same server running Standard Edition with 6 mailbox databases will not be able to mount all of the databases at the same time. However, if it is running Enterprise Edition it will be able to mount all 6 databases, or up to 100 databases.

[Image: Exchange 2016 Enterprise Edition with 6 mailbox databases]

What about a database availability group? DAGs can have up to 16 members, and each member is limited by the edition of Exchange Server 2016 that is installed. So a Standard Edition DAG member can host up to 5 active or passive database copies, and an Enterprise Edition DAG member can host up to 100 active or passive database copies. The DAG itself is only limited by the capabilities of all of its members. A DAG made up of 16 Standard Edition members, with each database having 4 copies, could therefore host up to 20 databases.

[Image: exchange-2016-server-editions-dag]

To be clear, there is no requirement to run Exchange Server 2016 Enterprise Edition just because you’re deploying a DAG. The choice of server edition is purely driven by the number of mounted databases each server will be hosting.
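An added example (not from the article) that puts the edition limits above into a check you can run from the Exchange Management Shell: it reads each Mailbox server's edition, counts the database copies currently mounted on it, and flags any server over its edition's limit. The 5/100 limits come from the article; treating copies in the Mounted or Healthy state as "mounted databases" and excluding recovery databases is my approximation of Microsoft's definition.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell.
# Edition limits from the article: Standard = 5, Enterprise = 100 mounted databases.
$limits = @{ Standard = 5; Enterprise = 100 }

# Recovery databases do not count towards the limit, so exclude them by name.
$recoveryDbs = @(Get-MailboxDatabase | Where-Object { $_.Recovery } | ForEach-Object { $_.Name })

$report = foreach ($server in (Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' })) {
    # Edition reads Standard/Enterprise, or StandardEvaluation/EnterpriseEvaluation
    # for servers still on the Trial Edition; strip the suffix to look up the limit.
    $edition = $server.Edition.ToString() -replace 'Evaluation$', ''
    $limit   = $limits[$edition]   # $null if the edition string is unexpected

    # Mounted = active copy mounted here, Healthy = passive copy mounted for log replay.
    # This approximates Microsoft's "mounted database" definition quoted above.
    $mounted = @(Get-MailboxDatabaseCopyStatus -Server $server.Name |
        Where-Object { ($_.Status -in 'Mounted', 'Healthy') -and ($recoveryDbs -notcontains $_.DatabaseName) })

    [PSCustomObject]@{
        Server       = $server.Name
        Edition      = $server.Edition
        MountedDBs   = $mounted.Count
        EditionLimit = $limit
        OverLimit    = if ($limit) { $mounted.Count -gt $limit } else { 'Unknown' }
    }
}

$report | Sort-Object Server | Format-Table -AutoSize
```

A Standard Edition server reporting 6 or more mounted copies is the case described above where not all databases can mount; the fix is either fewer copies on that member or an Enterprise key.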

For the Edge Transport role, given it does not host any databases, it makes sense to use a Standard Edition server license.

When you purchase your Exchange Server 2016 server licenses you’ll be provided with a license key that needs to be entered on the server. The license key determines which server edition is installed; there is no difference in installation media or installation method between the editions. All servers are first installed as a Trial Edition, and then you add your license key after installation is complete. You can upgrade from Trial to Standard, or from Trial to Enterprise. You can also upgrade from Standard to Enterprise. However, you can’t downgrade from Enterprise to Standard without completely reinstalling the server. This means it is feasible to initially license your servers as Standard Edition, and then later upgrade them to Enterprise Edition if your environment scales up (e.g. if there is a corporate acquisition or merger).

As a final note, the information above applies only to the server licenses. The Client Access Licenses (CALs) are considered separately, and have no impact on the server license you choose to deploy and vice versa.


This article Which Edition of Exchange Server 2016 to Deploy? is © 2015 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com


Misleading Reports of Outlook Web App Vulnerability in Exchange Server


This week we’ve seen reports spreading of an attack on Exchange Server that leverages Outlook Web App (OWA) to steal network logon credentials.

Before I get into the details here’s a quick summary of the main points:

  • A company named Cybereason published a report titled “Webmail Server APT: A New Persistent Attack Methodology Targeting Microsoft Outlook Web Application (OWA)”
  • Arstechnica ran with the story, using a title of “New Outlook mailserver attack steals massive number of passwords”
  • Microsoft has subsequently published a blog post titled “No new security vulnerability in Outlook Web Access (OWA)”

If you’re in a rush and you just want something to go and tell your boss or infosec team, the takeaway based on everything currently available is that there’s no new OWA vulnerability at play here.

Now for a little more detail. Cybereason’s report is interesting enough, if a little clumsily worded, and these stories can be educational for us IT professionals.

Basically a customer noticed some abnormal behaviour, and Cybereason used their “platform” to detect a suspicious DLL loaded on the Exchange Server that is used for external access to Outlook Web App (OWA). There is no detail as to which version of Exchange Server their customer was running, which version of Windows Server it was running on, whether both products were fully patched, whether that server was the initial point of compromise or whether another host on the network was compromised first, and so on. The report is primarily written to be a marketing tool for Cybereason, and in that respect they’ve been successful.

Cybereason has later clarified in a comment on Graham Cluley’s blog:

The hackers managed to obtain access to this server using stolen credentials.

Ok, so clearly not a vulnerability in Exchange or Windows used to compromise the host in the first place. As Microsoft noted themselves in their own blog post:

One of the reports in question skips over the important details of how an attacker might ‘gain a foothold into a highly strategic asset’ if a system is properly managed, secured, and up-to-date. The “attack” in question could only be initiated by an individual who had administrative access to a server’s file system and services, or who had permission to logon to an Exchange Server console with the rights to replace Exchange system files, and perform an Internet Information Server (IIS) reset.

Someone with credentials to access the server and replace code was able to sniff network credentials used against an application running on that server. Not exactly breaking news, but it’s a good reminder to all of us to consider the security of our environments in depth.

Unfortunately Cybereason does not appear to have consulted with anyone familiar with the workings of Exchange Server when writing their report, as evidenced by phrases such as:

Almost by definition, OWA requires organizations to define a relatively lax set of restrictions; and in this case, OWA was configured in a way that allowed internet-facing access to the server.

The first part of that statement is not true, and the second part is basically how OWA is used in most organizations (for external access to Exchange mailboxes). Even if in this case OWA was only used internally, the outcome would have been the same. And if the attackers had chosen to compromise a domain controller, or VPN server, or web server, or any application server on the network that uses domain credentials to authenticate, then the outcome would also have been the same.

As Tony Redmond concludes:

The customer they were working with badly needs some help and advice to manage Exchange servers properly or they will continue to shoot themselves in the foot.

Cybereason has helped a customer, and published a report about it, but other than that there is not much to see here.



Resilient File System (ReFS) and Microsoft Exchange Server


Microsoft’s Resilient File System (ReFS) was introduced with Windows Server 2012. ReFS is not a direct replacement for NTFS, and is missing some underlying NTFS features, but is designed to be (as the name suggests) a more resilient file system for extremely large amounts of data.

ReFS maintains a high degree of compatibility with NTFS while providing enhanced data verification and auto-correction techniques as well as an integrated end-to-end resiliency to corruptions, especially when used in conjunction with the Storage Spaces feature.

One example that springs to mind for extremely large amounts of data is Exchange databases, which have a theoretical maximum of 16TB per database file. In reality of course we tend to run much smaller database sizes. Microsoft reportedly uses 2TB as their ideal maximum database size in Exchange Online. In customer environments I’ve worked in the trend is towards more, smaller databases such as 200GB maximum for single server scenarios, and 500GB maximum for multi-server high availability (database availability group) deployments. Even falling well short of the 16TB maximum a 2TB or even 500GB database file is still “big”.

Support for ReFS with Exchange Server

From Exchange Server 2013 and upwards (which includes Exchange Server 2016 today) Microsoft supports the use of ReFS for Exchange servers, and in fact they now recommend it as the preferred file system for Exchange Server 2016, within the following guidelines.

For Exchange Server 2013:

  • ReFS is supported for volumes containing Exchange database files, log files, and content index files.
  • ReFS is not supported for volumes containing Exchange binaries (the program files).
  • ReFS is not supported for volumes containing the system partition.
  • ReFS data integrity features must be disabled for the database (.edb) files or the entire volume that hosts database files.
  • Hotfix KB2853418 must be installed.
  • For Windows 2012, the following hotfixes must be installed:

This means that you should continue to use NTFS for your operating system and Exchange Server 2013 installation volume, but you can consider using ReFS for the volumes hosting Exchange databases, log files, and index files.

For Exchange Server 2016:

  • ReFS is supported for volumes containing Exchange database files, log files, and content index files.
  • ReFS is not supported for volumes containing Exchange binaries (the program files).
  • ReFS is not supported for volumes containing the system partition.
  • ReFS data integrity features are recommended to be disabled.
  • For Windows 2012, the following hotfixes must be installed:

This means that you should continue to use NTFS for your operating system and Exchange Server 2016 installation volume, and ReFS is recommended for the volumes hosting Exchange databases, log files, and index files. Note also that at this time there is no guidance directing you to disable ReFS data integrity features or install additional hotfixes when using ReFS with Exchange Server 2016. The guidance above has been updated with some additional information that is expected to be added to TechNet soon.

Creating a ReFS Formatted Volume

In Windows Server 2012 or R2 during the New Volume Wizard when you get to the step for configuring File System Settings change the file system from NTFS to ReFS.

exchange-server-refs

However, using the New Volume Wizard does not give you the option to disable data integrity at the volume level. To set it at the volume level itself use PowerShell when configuring new volumes. On my demo server disk 3 has been added to the server and is ready to initialize and format with ReFS.

PS C:\> Get-Disk
Number Friendly Name                            OperationalStatus                    Total Size Partition Style
------ -------------                            -----------------                    ---------- ---------------
2      Microsoft Virtual Disk                   Online                                   100 GB GPT
1      Microsoft Virtual Disk                   Online                                   100 GB GPT
3      Microsoft Virtual Disk                   Online                                   100 GB RAW
0      Virtual HD ATA Device                    Online                                    95 GB MBR
PS C:\> Get-Disk 3 | Initialize-Disk -PartitionStyle GPT -PassThru | New-Partition -UseMaximumSize | Format-Volume -FileSystem REFS -NewFileSystemLabel Volume3 -SetIntegrityStreams $false
Confirm
Are you sure you want to perform this action?
Warning, all data on the volume will be lost!
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
DriveLetter       FileSystemLabel  FileSystem       DriveType        HealthStatus        SizeRemaining             Size
-----------       ---------------  ----------       ---------        ------------        -------------             ----
                  Volume3          ReFS             Fixed            Healthy                  99.31 GB         99.81 GB
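The Format-Volume command above disables integrity streams for new volumes. For databases that already live on a ReFS volume, here is an added example (not from the article) that checks each mailbox database file on the local server and reports whether integrity streams are still enabled, optionally turning them off. It assumes the Storage module cmdlets Get-Volume -FilePath, Get-FileIntegrity and Set-FileIntegrity (Windows Server 2012 R2 and later) and is meant to run in the Exchange Management Shell on the mailbox server.

```powershell
# Added example, not from the article. Run in the Exchange Management Shell on a
# mailbox server. Pass -Fix to disable integrity streams on .edb files that have them
# enabled (the Exchange 2013 support requirement quoted above).
param([switch]$Fix)

foreach ($db in (Get-MailboxDatabase -Server $env:COMPUTERNAME)) {
    $edb = $db.EdbFilePath.PathName
    if (-not (Test-Path $edb)) { continue }   # no copy of this database file here

    # Get-Volume -FilePath resolves mount-point paths as well as drive letters.
    $fs = (Get-Volume -FilePath $edb).FileSystem
    if ($fs -ne 'ReFS') {
        "$($db.Name): $edb is on $fs, nothing to check"
        continue
    }

    $integrity = Get-FileIntegrity -FileName $edb
    if ($integrity.Enabled -and $Fix) {
        # Dismount the database first; changing the flag on an open file may fail.
        Dismount-Database $db.Name -Confirm:$false
        Set-FileIntegrity -FileName $edb -Enable $false
        Mount-Database $db.Name
        "$($db.Name): integrity streams disabled on $edb"
    }
    else {
        "$($db.Name): ReFS, integrity streams enabled = $($integrity.Enabled)"
    }
}
```

Run it without -Fix first to get an inventory; only the databases that report "enabled = True" on ReFS need attention.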

Additional Considerations

When you are deploying an Exchange 2016 database availability group and using Autoreseed the disk reclaimer needs to know which file system to use when formatting spare disks.

C:\> Set-DatabaseAvailabilityGroup NameOfYourDAG -FileSystem ReFS

For Exchange Server 2013 DAGs, manually format the spare volumes with ReFS.

Summary

If you are running Exchange Server 2013 on Windows Server 2012/R2 today and you are using NTFS volumes then the effort to provision new ReFS volumes and migrate your data likely exceeds the benefits of ReFS over NTFS for that scenario. If you’re deploying a new Exchange Server 2013 server today you can consider using ReFS within the support guidelines mentioned in the article above.

For Exchange Server 2016 deployments ReFS is now the recommended file system, so you should plan any new deployments to use ReFS volumes for Exchange databases, log files, and content indexes.

Thanks to Ross Smith IV from Microsoft for helping to clarify some of the missing and fragmented information on this topic.



Beware of Bad Advice About Exchange Servers and Windows Firewall


Let’s face it, the internet is full of bad advice, especially when it comes to technical topics. And I’m not talking about articles or blog posts you might find that are just badly written, or are wrong for your specific scenario but correct for others. I’m talking about advice that is wrong on every level and should not be followed.

Case in point, the question of whether to disable the Windows Firewall on Exchange servers.

I get it. The Windows Firewall has caused you some problems in the past (I’ve been there, it’s not fun). So you turn it off on all your server builds, because your servers are sitting safely on your internal network protected by your network firewall. But the fact is that is a bad practice, and one you should move away from. Especially when it comes to Exchange servers.

Exchange setup will add rules to the Windows Firewall to allow Exchange to work, it’s that simple. You don’t need to disable the Windows Firewall. If you have extra requirements for your Windows servers (such as a special port used by your monitoring system agent) then add a rule to the server’s firewall. Use Group Policy to do it, if you want to save some time.
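An added example (not from the article) of the approach described above: audit the firewall profiles and the rules Exchange setup registered, re-enable any profile that was switched off, and add a scoped rule for an extra requirement instead of disabling the firewall. The 'MSExchange*' display-name pattern, the monitoring agent port 10050 and the monitoring server address are assumptions for the demo.

```powershell
# Added example, not from the article. Run elevated on an Exchange server
# (NetSecurity module, Windows Server 2012 and later).
function Get-ExchangeFirewallAudit {
    $profiles      = Get-NetFirewallProfile
    # Assumption: rules created by Exchange setup carry display names starting with MSExchange.
    $exchangeRules = @(Get-NetFirewallRule -DisplayName 'MSExchange*' -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        DisabledProfiles  = @($profiles | Where-Object { -not $_.Enabled } | ForEach-Object Name)
        ExchangeRuleCount = $exchangeRules.Count
        ExchangeRulesOff  = @($exchangeRules | Where-Object { -not $_.Enabled } | ForEach-Object DisplayName)
    }
}

# A profile that someone turned off is the bad practice described above; turn it back on.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Set-NetFirewallProfile -Enabled True

# Extra requirement handled with a narrowly scoped rule: the monitoring agent
# listens on TCP 10050 and only the monitoring server (placeholder address) may reach it.
New-NetFirewallRule -DisplayName 'Monitoring Agent (TCP-In)' -Direction Inbound `
    -Protocol TCP -LocalPort 10050 -RemoteAddress '10.0.0.50' -Action Allow | Out-Null

Get-ExchangeFirewallAudit
```

The same New-NetFirewallRule settings map directly onto a Group Policy firewall rule if you want to push them to every Exchange server at once.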

And if you see advice like this on the internet, ignore it. It’s wrong and dangerous.

[Image: windows-firewall-bad-advice] Caption: If you look up “bad advice” in the dictionary you’ll find this screenshot.


Podcast Episode 4: Securing Outlook Web App (OWA) and Exchange Server with Mike Crowley


My guest for this episode is Mike Crowley.

Mike is a six-time Exchange Server MVP and works as an Executive Consultant for Baseline Technologies in the Washington DC Metro area.

This episode of the Exchange Server Pro Podcast is brought to you by Office 365 for Exchange Professionals, the most comprehensive and up to date guide to Microsoft’s Office 365 cloud services. Find out more at Office365forExchangePros.com.

In this episode Mike and I discuss recent incorrect reports of a vulnerability in Outlook Web App (OWA) for Exchange Server, what you should think about when it comes to securing OWA and your Exchange servers, as well as Mike’s directory synchronization health check scripts.

Subscribe on iTunes, Stitcher, or RSS.

