With the release of Exchange Server 2013 Service Pack 1 organizations can begin to plan the upgrade of their existing Exchange 2013 servers.

Before proceeding I encourage you to review the release notes and if possible deploy SP1 first in a test lab environment where you can perform testing of any deployment or integration scenarios that are relevant to your unique environment.

Deploying Service Pack 1 for Exchange Server 2013 is essentially the same process as any cumulative update deployment.

Note: After an upgrade to Exchange Server 2013 SP1 you may find that external mail flow is not working until the Frontend Transport Service is restarted.

First, you will need to remove any UM language packs that you have installed. From an elevated cmd prompt navigate to the folder where you have extracted the Exchange 2013 SP1 files and run setup with the /RemoveUMLanguagePack switch. For example, to remove the “de-DE” language pack:

C:\Admin\exchange2013sp1>setup.exe /RemoveUMLanguagePack:de-DE

Until new SP1-specific UM language packs have been released you can reinstall the CU3 language packs after the SP1 upgrade is complete.

Exchange Server 2013 SP1 includes a schema update and Active Directory changes. This will be applied automatically when you upgrade the first server, or you can manually apply it by running setup with the /PrepareSchema parameter for just the schema update first, or /PrepareAD to apply all the Active Directory changes in one step.

C:\Admin\exchange2013sp1>Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms

Use Michael B Smith’s script to verify that the schema update applied successfully. The SP1 schema version is 15292.

When you’re ready to upgrade the servers themselves use setup with the /Mode:Upgrade switch.

C:\Admin\exchange2013sp1>setup.exe /mode:upgrade /IAcceptExchangeServerLicenseTerms

Remember to refer to the update procedures here for the order of upgrades for each server role as well as the preparation tasks for database availability group members.

This article Upgrading Exchange Server 2013 Servers to Service Pack 1 is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Exchange Server 2013 Service Pack 1 Released
• Exchange Server 2013 FAQ: Where is Cumulative Update 4?
• Restoring a Mailbox from an Exchange Server 2013 Recovery Database

 

After an upgrade to Exchange Server 2013 Service Pack 1 you may discover that external email flow has stopped working.

If your inbound email is via a smart host you may notice queuing of mail on that server, or when testing inbound external using the Microsoft Remove Connectivity Analyzer the test may fail.

In the Application event log of the Exchange server the following event may be logged.

Log Name: Application
Source: MSExchangeFrontEndTransport
Date: 26/02/2014 4:18:38 PM
Event ID: 7012
Task Category: Components
Level: Warning
Keywords: Classic
User: N/A
Computer: E15MB1.exchange2013demo.com
Description:
The service state for frontend transport is inconsistent. Current state – Inactive. Expected state – Active.

To resolve the issue, restart the Microsoft Exchange Frontend Transport service.

After the service has restarted you should find the following event log entry.

Log Name: Application
Source: MSExchangeFrontEndTransport
Date: 26/02/2014 4:19:40 PM
Event ID: 7009
Task Category: Components
Level: Information
Keywords: Classic
User: N/A
Computer: E15MB1.exchange2013demo.com
Description:
Retrieved the service state. Host service – FrontendTransport, Service state data – Active.

In addition, the Remote Connectivity Analyzer Inbound SMTP test should now be successful, and the test emails should arrive in the inbox of the email address you use for testing.

This article External Mail Flow Not Working After Exchange Server 2013 SP1 Upgrade is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Exchange Server 2013 Error: An Inconsistency in the Active Directory Was Detected
• Upgrading Exchange Server 2013 Servers to Service Pack 1
• Exchange Server 2013 FAQ: Where is Cumulative Update 4?

 

With the release of Exchange Server 2010 SP3 Update Rollup 5 we now have support for running Exchange Server 2010 in Windows Server 2012 R2 Active Directory environments.

To be clear, this means that the following is supported with Exchange Server 2010 SP3 RU5:

• Active Directory Domain Controllers running Windows Server 2012 R2
• Active Directory Forest Function Level and Domain Functional Level of Windows Server 2012 R2

The following is not supported:

• Installing Exchange Server 2010 SP3 RU5 on a Windows Server 2012 R2 server

So in other words, Exchange Server 2010 is no longer a roadblock to an Active Directory upgrade to Windows Server 2012 R2.

More information is available at the Exchange Server Supportability Matrix.

This article Exchange Server 2010 Support for Windows Server 2012 R2 is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Exchange Server 2013 FAQ: Where is Cumulative Update 4?
• Using PowerShell Custom Objects in Exchange Server Reporting Scripts
• How to Decommission a Shared SMTP Namespace in Exchange Server

 

Customers have reported issues with Exchange Server 2013 Transport services not starting after the upgrade to Service Pack 1. You can see some of the reports in the comments of the Service Pack 1 release post on the Exchange team blog.

The problem is appearing on servers that have integrated 3rd party transport agents, for example antivirus software, disclaimer software, and fax software.

The issue has also been reported on the blogs of fellow Exchange MVPs Jason Sherry and Michel de Rooij.

CodeTwo, who make a variety of add-on products for Exchange including disclaimer/signature software, also posted a KB article with their analysis of the issue.

The problem lies with assembly redirection policies files being improperly formatted – they contain unsupported commenting style what makes them being unrecognized as valid XML and therefore ignored by Microsoft .NET. A solution is to remove invalid comments line. Two config files in your Global Assembly Cache folder contain unwanted comments.

The two files in question are:

• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\policy.8.0.Microsoft.Exchange.Data.Common\v4.0_15.0.847.30__31bf3856ad364e35\Microsoft.Exchange.Data.Common.VersionPolicy.cfg
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\policy.8.0.Microsoft.Exchange.Data.Transport\v4.0_15.0.847.30__31bf3856ad364e35\Microsoft.Exchange.Data.Transport.VersionPolicy.cfg

Microsoft have published KB2938053 with a fix for this issue.

• Third-party transport agents cannot be loaded correctly in Exchange Server 2013

Because this problem impacts multiple vendors there may additional pre or post tasks required, such as removing the third party software first, or running additional steps after the server restart to repair the integration of the transport agent. Refer to your vendor support if necessary for further details.

Tony Redmond has published a more detailed version of the events surrounding this issue.

This article Exchange Server 2013 Transport Services Won’t Start After Service Pack 1 Upgrade is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• External Mail Flow Not Working After Exchange Server 2013 SP1 Upgrade
• Upgrading Exchange Server 2013 Servers to Service Pack 1
• Exchange Server 2013 FAQ: Where is Cumulative Update 4?

 

After installing Exchange Server 2013 Service Pack 1 on a new server you may find that the Exchange Management Shell icon is not present on the Start screen.

In comparison, a server installed with earlier versions of Exchange Server 2013, whether it is upgraded to Service Pack 1 or not, has the Exchange Management Shell icon on the Start screen.

The solution is to use the arrow at the bottom of the Start screen to scroll down to the Apps list, where the icon is visible.

You can then right-click the icon and pin it to the Start screen or taskbar if you like.

You will probably only notice this if you log in directly to your Exchange servers to perform administrative tasks.

H/T to Exchange MVP Damian Scoles who first noticed this.

This article Exchange Server 2013 Management Tools Missing is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Exchange Server 2013 Transport Services Won’t Start After Service Pack 1 Upgrade
• External Mail Flow Not Working After Exchange Server 2013 SP1 Upgrade
• Exchange Server 2013 Error: An Inconsistency in the Active Directory Was Detected

 

The system requirements for Exchange Server 2013 include the following for Active Directory:

• Forest and domain functional level of Windows Server 2003 or higher (up to Windows Server 2012 R2 is supported with Exchange Server 2013 SP1 or later)
• Schema Master running Windows Server 2003 SP2 or later
• At least one global catalog server in each Active Directory site where Exchange 2013 will be installed that runs Windows Server 2003 SP2 or higher

Using PowerShell we can retrieve all of this information quickly.

Here is a quick and dirty script I wrote that breaks a whole lot of PowerShell “rules” but gets the job done. I’ll probably try and improve it in the near future, but for now it gets me the information I need, which is all I really need any script to do.

Import-Module ActiveDirectory
$forest = Get-ADForest
Write-Host ""
Write-Host -ForeGroundColor Yellow "*** Forest: $($forest.RootDomain) ***"
Write-Host ""
Write-Host "Forest Mode: $($forest.ForestMode)"
Write-Host "Schema Master: $($forest.SchemaMaster)"
$domains = @($forest | Select -ExpandProperty:Domains)
Foreach ($domain in $domains)
{
    Write-Host ""
    Write-Host -ForeGroundColor Yellow "*** Domain: $domain ***"
    Write-Host ""
    $domaindetails = Get-ADDomain $domain
    Write-Host "Domain Mode: $($domaindetails.DomainMode)"
    Write-Host "PDC Emulator: $($domaindetails.PDCEmulator)"
    Write-Host "Infrastructure Master: $($domaindetails.InfrastructureMaster)"
    Write-Host "RID Master: $($domaindetails.RIDMaster)"
}
$domaincontrollers = @(Get-ADDomainController -Filter {IsGlobalCatalog -eq $true})
$gcs = $domaincontrollers | Group-Object -Property:Site,OperatingSystem | Select @{Expression="Name";Label="Site, OS"},Count | Sort Name
Write-Host ""
Write-Host -ForeGroundColor Yellow "*** Global Catalogs by Site/OS ***"
$gcs | ft -auto

The script requires the ActiveDirectory PowerShell module, and in a multi-domain forest should be run in the forest root domain with an admin account that can access each domain.

Example output:

PS C:\Scripts\Exchange2013Planning> .\ADInfo.ps1
*** Forest: exchangeserverpro.net ***
Forest Mode: Windows2003Forest
Schema Master: HO-DC.exchangeserverpro.net
*** Domain: exchangeserverpro.net ***
Domain Mode: Windows2003Domain
PDC Emulator: HO-DC.exchangeserverpro.net
Infrastructure Master: HO-DC.exchangeserverpro.net
RID Master: HO-DC.exchangeserverpro.net
*** Global Catalogs by Site/OS ***
Site, OS                                      Count
--------                                      -----
HeadOffice, Windows Server 2008 R2 Enterprise     1
HeadOffice, Windows Serverr 2008 Standard         1
BranchOffice, Windows Serverr 2008 Standard       1

This article PowerShell Script to Check Active Directory System Requirements is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Exchange Server 2013 Management Tools Missing
• Exchange Server 2013 Transport Services Won’t Start After Service Pack 1 Upgrade
• External Mail Flow Not Working After Exchange Server 2013 SP1 Upgrade

 

When planning an Exchange migration I like to review the storage quotas configured on the existing databases. This ensures that new databases are configured with at least the same quota level and not inadvertently left with a smaller quota level, and also presents an opportunity to review quotas in the organization in case they can be increased or removed entirely.

In the days of migrating from Exchange 2003 this was a tedious task, but fortunately thanks to PowerShell it is now quite simple.

Here is a basic script that can be used to check all mailbox and public folder databases and report their storage quotas.

Download the script file here: StorageQuotas.ps1 (downloaded 26 times so far)

Simply run the script from the Exchange Management Shell.

[PS] C:\Scripts\Exchange2013Planning>.\StorageQuotas.ps1
Processing MB-HO-01
Processing MB-BR-01
Processing MB-HO-Archive
Processing MB-BR-02
Processing MB-HO-04
Processing MB-HO-02
Mailbox database storage quota report saved as C:\Scripts\Exchange2013Planning\StorageQuotas-MailboxDB.csv
Processing PF-BR-01
Processing PF-HO-01
Public folder database storage quota report saved as C:\Scripts\Exchange2013Planning\StorageQuotas-PublicFolderDB.csv

The two CSV files are written to the folder where the script is run from.

This article PowerShell Script to Audit Exchange Server Database Storage Quotas is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• How to Decommission a Shared SMTP Namespace in Exchange Server
• PowerShell Script to Check Active Directory System Requirements
• Upgrading Exchange Server 2013 Servers to Service Pack 1

 

In Exchange Server 2007 the Get-ExchangeCertificate cmdlet only allowed us to view the local server’s certificates. But in Exchange Server 2010 Get-ExchangeCertificate has a -Server parameter that allows us to view certificates on remote servers as well.

This means we can run a PowerShell script to collect information about the SSL certificates on all of our Exchange servers, which is useful during Exchange 2013 migration planning.

This script, CertificateReport.ps1, is executed from the Exchange Management Shell and produces a HTML report in the same folder where the script is run from.

[PS] C:\Scripts\Exchange2013Planning>.\CertificateReport.ps1
Server: BR-EX2010-MB (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-MB1 (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-MB2 (Mailbox, ClientAccess, HubTransport)
Server: HO-EX2010-PF (Mailbox)
Server: HO-EX2010-EDGE (Edge)

Download the script file here: CertificateReport.ps1 (downloaded 0 times so far)

This article PowerShell Script to Generate Exchange Server SSL Certificate Report is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• PowerShell Script to Check Active Directory System Requirements
• PowerShell Script to Audit Exchange Server Database Storage Quotas
• Using PowerShell Custom Objects in Exchange Server Reporting Scripts

 

As regular visitors would already know I mostly write technical articles here on Exchange Server Pro and tend to stay away from writing content that might be considered to be “sales and marketing” material.

By that I mean I do not dedicate pages of this website to promoting one particular product over some other competing product*. In fact, as I’ve discussed with Microsoft staff in person, I see my contribution to the Exchange Server community to be one of assistance for people who have already decided to migrate to, or are already operating, an Exchange Server environment.

So I read with great interest two blog posts (part 1 and part 2) by Cloud Sherpas, a cloud services company that is partnered with companies such as Salesforce and Google.

The articles exist to debunk the myth that “Google is too big of a change for my users, Office 365 is easier and more familiar.”

I disagree with some of the statements in the article and have left a comment on one of the articles pointing out in particular the infographic used in the article. When my comment emerges from moderation it will be interesting to see their response and whether others agree.

Aside from that a healthy rebuttal has already appeared from fellow MVPs Tony Redmond and Sean McNeill. I could add to the debate but I think another single voice isn’t what this discussion needs.

I would rather hear from you actually.

I’m sure many of you have points of view based on personal experience, or the experiences of your customers, on how good/bad the transition from one service to another was, or how confusing/simple your end users find one service compared to another.

Please feel free to leave a comment below, or if you’re especially keen by all means join the debate on Cloud Sherpas’ blog as well.

* To the best of my recollection, and a search of this site, the only previous “comparison” posts I’ve written were this one in 2010, and my recent move from Google Apps to Office 365.

This article Google Apps vs Microsoft Office 365 is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• My Move From Google Apps to Office 365
• Exchange Server 2010 Support for Windows Server 2012 R2
• Exchange Server 2013 FAQ: Where is Cumulative Update 4?

 

Exchange Server 2013 supports the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:

• Outlook 2013 (15.0.4420.1017)
• Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000).
• Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000).
• Entourage 2008 for Mac, Web Services Edition
• Outlook for Mac 2011

Although these are the minimum versions please also take into consideration this important note from Microsoft:

The information above provides the minimum versions required for a client to connect to Exchange and Exchange Online. We strongly recommend that you install the latest available service packs and updates available so that your users receive the best possible experience when connecting to Exchange and Exchange Online.

Outlook clients earlier than Outlook 2007 are not supported. Email clients on Mac operating systems that require DAV, such as Entourage 2008 for Mac RTM and Entourage 2004, are not supported.

Support for Outlook Web App on the wide variety of operating systems and devices is also documented by Microsoft here.

Updated information on the latest available updates for Outlook is documented by Microsoft here. Unless there is some other reason in your environment not to, it is recommended to deploy the very latest available updates for Outlook and Office when planning to deploy Exchange Server 2013.

Knowing the minimum Outlook versions supported we can now look at what versions are running in our environment as we plan the upgrade to Exchange Server 2013.

Often customers have no software inventory system that can provide a fast and accurate report of this information, so other tools need to be used instead. Here are two methods.

Using the Exchange User Monitor (ExMon) to Discover RPC Client Versions

The Microsoft Exchange Server User Monitor can be used to display the client versions for connected users.

Simply install and run the tool on your Exchange servers and observe the client versions connecting in real time.

You can use the “By User” tab to identify specific users of any client versions that need further attention from you.

More detailed information on how to use ExMon is available on TechNet.

Using Log Parser to Discover RPC Client Versions

Another method for discovering client versions is to use Log Parser to analyse the RPC Client Access logs on the Client Access servers.

The RPC Client Access logs are stored in the \Logging\RPC Client Access folder of the Exchange installation path, eg C:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access.

The log files are in CSV format and therefore can be analysed using Log Parser. Two of the fields of interest are:

• client-software
• client-software-version

So a Log Parser query to show us the number of hits per client software version would look like this.

SELECT client-software as Software,
client-software-version as Version,
Count(*) as Hits
FROM *.log
GROUP BY Software,Version
ORDER BY Software

To run this query in Log Parser from the location of the RPC Client Access log files:

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT client-software as Software,Client-software-version as Version,Count(*) as Hits FROM *.log GROUP BY Software,Version ORDER BY Software" -i:CSV -nSkipLines:4 -rtp:-1

Depending on the applications and systems running in your environment you will likely see software other than Outlook appearing in the output of that command. For example, Symantec Enterprise Vault services make RPC/MAPI connections to Exchange, so would likely appear in the report.

Software                  Version                 Hits
------------------------- ----------------------- -------
OUTLOOK.EXE               11.0.8303.0             16
OUTLOOK.EXE               12.0.6606.1000          47
OUTLOOK.EXE               14.0.6025.1000          420
OUTLOOK.EXE               14.0.6126.5000          6969
OUTLOOK.EXE               14.0.6131.5002          77698
OUTLOOK.EXE               14.0.7010.1000          995
OUTLOOK.EXE               14.0.7104.5000          7221
OUTLOOK.EXE               14.0.7108.5000          583320
OUTLOOK.EXE               15.0.4420.1017          379
OUTLOOK.EXE               15.0.4551.1004          388

If you spot versions of Outlook that do not meet the minimum supported version you can run additional queries to find the specific user accounts for those versions so that you can investigate further.

For example, this query will return the client names for any version 11.x or 12.x client software that is appearing in the logs.

SELECT EXTRACT_SUFFIX(client-name,0,'=') as Name,
client-software as Software,
client-software-version as Version,
Count(*) as Hits
FROM *.log
WHERE Version LIKE '11.%' OR Version LIKE '12.%'
GROUP BY Name,Software,Version
ORDER BY Name

To run this query in Log Parser from the location of the RPC Client Access log files:

"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT EXTRACT_SUFFIX(client-name,0,'=') as Name,client-software as Software,Client-software-version as Version,Count(*) as Hits FROM *.log WHERE Version LIKE '11.%' OR Version LIKE '12.%' GROUP BY Name,Software,Version ORDER BY Name" -i:CSV -nSkipLines:4 -rtp:-1

Summary

As you can see even without robust software inventory tools we can still gather information about the names and versions of software connecting to Exchange when planning an Exchange Server 2013 migration.

This article Exchange Server 2013 Planning and Discovery – Client Versions is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• PowerShell Script to Audit Exchange Server Database Storage Quotas
• PowerShell Script to Generate Exchange Server SSL Certificate Report
• PowerShell Script to Check Active Directory System Requirements

 

In a few days from now Exchange folks from all over the world will get together in Austin, Texas for the Microsoft Exchange Conference.

I’ll be there, soaking up in the information in the sessions and enjoying the downtime at the parties. Speaking of which, if you haven’t already done so make sure you register for the Scheduled Maintenance party (listen to episode 35 of the UC Architects podcast to find out the promo code to increase your chances of securing a spot at the party).

So if you spot me there please feel free to say hello. I always enjoy meeting new people in the Exchange community

The MEC session schedule is absolutely packed with awesome content. Fortunately many of the sessions will be recorded, which is a relief as I have as many as 5 sessions in a single time slot that I would like to attend.

If you’re having trouble like I am narrowing down your selections check out Tony Redmond’s recommendations here and here, as well as Dave Stork’s and Jeff Guillet’s.

And don’t forget to mark in your schedule the final session on Wednesday with the UC Architects Live @ MEC, where there will surely be plenty to discuss after three days of MEC sessions.

See you in Austin.

#iammec

This article MEC 2014 Here We Come! is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

     

The 2014 Microsoft Exchange Conference has come to a close. Three days of announcements and technical deep dives is an exhausting experience but every attendee I’ve spoken to has agreed that it is worth the travel and the long days to attend this event.

The Sessions

MEC 2014 featured somewhere around 100 sessions making it impossible to see everything during the 3 day event. For some of the time slots I had as many as five sessions on my wish list!

Unfortunately we can only be in one place at a time so some tough decisions were made, and overall I ended up attending strong sessions on a variety of topics on architecture, deployment, security, and high availability, as well as others.

The “Experts Unplugged” sessions turned out to be highly valuable in most cases, with a good flow of Q&A between the audience and panel.

As these sessions were not recorded I tended to favour them over the regular breakout sessions, which I have a long list of videos downloaded now to catch up on. The Exchange team has announced that the session recordings will be publicly available in about one month from now.

Cloud First

Microsoft’s message of “leading with the cloud” was repeated. Many of the new features announced for Exchange will appear in Office 365 first, mostly in Outlook Web App, before making their way into the full Outlook client and then eventually into the on-premises version of Exchange (likely vNext, not Exchange 2013).

During a “Geek Out with Perry” section of the keynote, Perry Clarke (the Corporate VP for Microsoft Exchange) dismissed the myth that cloud-first means on-premises features are deliberately withheld or delayed to drive Office 365 uptake.

Instead, as became increasingly clear during the conference, the Exchange product group is able to take advantage of the level of control and standardisation in “The Service” and deploy changes and new features into that environment with fewer hoops to jump through than it takes to get the features developed into Outlook and the on-premises builds of Exchange.

My advice – don’t fight the cloud. Find ways to leverage it to your advantage.

The Social Workplace

From the beginning of MEC there was a lot of activity and focus on Yammer, the enterprise social network that Microsoft acquired.

Yammer was positioned as the “second screen” of the conference, where slide decks could be accessed during sessions and group conversations could occur on anything from the current sessions running to who can take the best selfie with Jon Orton.

Running multiple social channels at an event is tough, and I think Yammer lost the battle for attention during MEC to the more popular and active Twitter. However, I am very interested in the Yammer-like features that were announced for the future of Exchange.

Machine Learning in Action

The Office Graph is Microsoft’s way of enabling the “social workplace”, unifying our communications, and in turn unlocking more productivity.

Based on the information that individuals have access to (such as their email conversations, and documents they work on) Microsoft is able to personalize your experiences in ways such as cleaning up your inbox for you (intelligent triage, instead of requiring users to create a lot of inbox rules, flags, categories and so on) by moving all “clutter” (such as newsletters you rarely read) out of your normal inbox view, and by providing other views for the people you communicate with the most and the groups that are most relevant to you.

Productivity Boosts

We also saw a demonstration of how document collaboration is becoming smarter thanks to OneDrive for Business integration into Office. For example, the “Insert Attachment” dialog in Office Web App will offer OneDrive as a source of documents to send, as well as presenting an option to upload a file to OneDrive instead of attaching it directly to the email. The recipients of your email then automatically get view/edit permissions to that OneDrive file, and multiple authors can edit the file simultaneously and see live updates from other authors.

This type of document collaboration will sound familiar to Google Apps users, however the user experience demonstrated by Microsoft was incredibly slick and in my opinion is also more intuitive.

The Community

I love the Exchange community and was not disappointed by my time at MEC. After travelling a long way to attend it was great to be among so many other MVPs, Exchange product group members, and Exchange folks from all over the world.

From the moment I arrived at my hotel to the day that I left it seemed like there was always something going on, whether it be just a few people having a drink and a laugh, a full blown MEC attendee party, or the fun of the “Exchange Oscars”.

Overall a terrific event, both educational and enjoyable, and I’m glad that I was there.

More Roundups

Here are a few other perspectives on the event.

• Understanding the messages from the Exchange Conference keynote
• Day 2 of MEC delivers great sessions, great content
• Microsoft Exchange Conference 2014 finishes on a high
• The colorful side of MEC 2014: All the stuff that makes a conference
• MEC RECAP – It was great
• This was MEC 2014 (in a nutshell)

This article Microsoft Exchange Conference 2014 Roundup is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• MEC 2014 Here We Come!

 

Exchange servers can accumulate a lot of IIS log files over time. Some administrators configure IIS to store logs on a different disk to avoid problems, while others just wait for free disk space alerts and manually remove old logs from time to time.

I found a number of PowerShell scripts online for automating the cleanup of IIS log files, but none were an exact match for what I wanted. I had a few objectives for this script:

• No external dependencies (many scripts rely on command line versions of zip utilities like 7-Zip)
• Must compress log files into monthly archive zip files, not just delete them
• Must have the ability to store the zip files in a central archive location

So I wrote IISLogsCleanup.ps1, which I am making available for download here.

Download the script file here: IISLogsCleanup.ps1 (downloaded 157 times so far)

How to Run IISLogsCleanup.ps1

Please test the script on a non-production server first or at least make sure you have backed up your IIS log files before trying this script for the first time.

The script takes two parameters:

• Logpath – this is a mandatory parameter to specify the path to the IIS logs you want to clean up, such as “D:\IIS Logs\W3SVC1″
• ArchivePath – this is an optional parameter to specify the path to the central archive location, such as “\\nas01\archives\iislogs”

When you run IISLogsCleanup.ps1 it performs the following:

• Calculates the first day of the previous month (so there will always be at least 1 month of retained logs)
• Zips up log files from before the first day of the previous month into zip files per month
• Verifies the results of the zip action and removing the log files if safe to do so
• Optionally, moves the zip file to the central archive location
• Writes a log file of progress and actions taken

Examples:

.\IISLogsCleanup.ps1 -Logpath "D:\IIS Logs\W3SVC1"
.\IISLogsCleanup.ps1 -Logpath "D:\IIS Logs\W3SVC1" -ArchivePath "\\nas01\archives\iislogs"

Scheduling IISLogsCleanup.ps1

To run the script as a scheduled task use the following task settings (replace server names and file paths as necessary):

• Run whether user is logged on or not
• Triggers: I recommend the first day of each month
• Action: Start a program
  • Program: powershell.exe
  • Arguments: -command “C:\Scripts\IISLogsCleanup.ps1 -LogPath ‘C:\inetpub\logs\LogFiles\W3SVC1′ -ArchivePath ‘\\ho-mgt\iislogbackups’”

To run the task with a least privilege service account the account needs:

• Rights to “Log on as a batch job” for the local server
• Read/write access to the IIS logs directory
• Write access to the archive location
• Read/write/execute to the location where the script is running from

Download the script file here: IISLogsCleanup.ps1 (downloaded 157 times so far)

As always if you have any questions or feedback please leave a comment below.

This article PowerShell Script: IIS Log File Cleanup and Archive is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• PowerShell Script to Generate Exchange Server SSL Certificate Report
• PowerShell Script to Check Active Directory System Requirements
• Using PowerShell Custom Objects in Exchange Server Reporting Scripts

 

Exchange Server 2010 provides the capability to control where sent items are stored when they are sent by a delegate of a shared mailbox. This is useful for ensuring the copies of emails sent using either “Send as” or “Send on behalf” are stored in the mailbox that they are sent from, rather than only stored in the mailbox of the person who actually sent the email.

To demonstrate this, consider the following scenario.

A shared mailbox named Marketing:

[PS] C:\>New-Mailbox -Shared "Marketing"

A user, Alan Reid, who has “Send As” rights for the Marketing mailbox:

[PS] C:\>Get-Mailbox "Marketing" | Add-ADPermission -User Alan.Reid -ExtendedRights "Send As"

For the purposes of this demonstration the term “shared mailbox” could refer to a generic mailbox such as “Marketing” or a mailbox such as an executive who has delegates.

Under the default behaviour, Alan sends an email from the Marketing mailbox.

The sent item is stored in Alan’s mailbox.

However a copy of the mail item is not in the Marketing mailbox Sent Items folder.

This is a problem for some organizations who want all shared mailbox sent items to be stored in the shared mailbox.

Note: This is fine for storage/filing purposes, but if you’re looking for auditing of shared mailbox usage a better approach is to use mailbox audit logging.

To configure the sent items behaviour for shared mailboxes we use the Set-MailboxSentItemsConfiguration cmdlet. This is available in Exchange Server 2010 SP3 but not yet available in Exchange Server 2013 at the time this article is being written.

There are two parameters we can use:

• -SendAsItemsCopiedTo
• -SendOnBehalfOfItemsCopiedTo

So we can configure “send as” and “send on behalf” behaviour separately.

There are two values we can use when configuring the sent items behaviour:

• Sender – messages are stored in the Sent Items folder of the user that send the message
• SenderAndFrom – messages are stored in both the Sent Items of the user who sent the message, and the Sent Items of the shared mailbox

There is an additional value of “From” that is reserved for future use.

To configure the Marketing mailbox we can run the following command in the Exchange Management Shell:

[PS] C:\>Set-MailboxSentItemsConfiguration "Marketing" -SendAsItemsCopiedTo:SenderAndFrom -SendOnBehalfOfItemsCopiedTo:SenderAndFrom

The change does not take effect immediately. In my test lab it took around 10 minutes before it began working.

Now when Alan Reid sends emails as the Marketing mailbox…

…they are stored in the Sent Items of the Marketing mailbox as well as his own.

This article Configuring Mailbox Sent Items Behaviour for Delegates and Shared Mailboxes is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• PowerShell Script: IIS Log File Cleanup and Archive
• PowerShell Script to Generate Exchange Server SSL Certificate Report
• PowerShell Script to Audit Exchange Server Database Storage Quotas

 

If you’ve deployed mailbox sent items configurations in your organization, and are planning to upgrade to Exchange Server 2013 (which does not currently support mailbox sent items configurations like Exchange 2010 SP3 does), then you may wish to run an audit of those configurations to determine the impact of the upgrade.

I’ve written a PowerShell script to perform this audit and produce a CSV file with the results.

Download the script file here: AuditMailboxSentItemsConfiguration.ps1 (downloaded 18 times so far)

Running AuditMailboxSentItemsConfiguration.ps1

The script is run from the Exchange Management Shell and uses switches to control the scope of the audit.

• -All audits all mailboxes in the organization
• -Database audits the mailboxes on a specified database
• -Server audits the mailboxes on a specified server

For smaller organizations -All is probably going to be fine to use, but larger orgs may consider using -Database or -Server instead. Example:

[PS] C:\Scripts\AuditMailboxSentItemsConfiguration>.\AuditMailboxSentItemsConfiguration.ps1 -all -Verbose
WARNING: Active Directory server settings remained unchanged.
VERBOSE: Fetching mailbox list
Processing Mary Friel
Processing Administrator
Processing Alan Reid
Processing Alex Heyne
....
Processing Sharnjit Mcilroy
Processing Ben Brook
Processing Jennifer Tind
Processing Karen Roberts
Processing John Tilleray
Processing zhire test
Processing test01
Processing James Blanko
Processing Marketing
VERBOSE: - Send as: SenderAndFrom
VERBOSE: - Send on Behalf: SenderAndFrom
VERBOSE: Adding Marketing to report
Results output to MailboxSentItemsConfigReport-20140412-1528-D9zJPX.csv.

If any mailboxes with a non-default sent items configuration are found they are included in the CSV file that is output to the same folder where the script is running from. As always for any feedback or problems you encounter with script please leave a comment below.

This article PowerShell Script: Audit Mailbox Sent Items Configurations is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• PowerShell Script: IIS Log File Cleanup and Archive
• PowerShell Script to Generate Exchange Server SSL Certificate Report
• PowerShell Script to Check Active Directory System Requirements

 

I’ve had some questions from readers asking whether it is possible to tell when a mailbox user has deleted items from their own mailbox. This question seems to come from those very special support situations where an end user is blaming others for email going missing. I guess if the situation is serious enough then some audit trail would certainly be useful for proving who deleted the mailbox items.

I’ve previously covered mailbox audit logging, which is a feature of both Exchange Server 2010 and 2013. In my demonstrations of mailbox audit logging I tend to focus on auditing administrator and delegate actions, which are a more common support scenario in my experience. However, auditing of mailbox owner actions is also possible, it is just not enabled by default.

Before we proceed I’ll just highlight that mailbox audit logging does consume storage on the Exchange server. For admin/delegate situations this is usually a negligible amount, however mailbox owner actions occur much more frequently so they have a greater potential to consume a large amount of storage.

To mitigate that risk I would recommend only enabling mailbox audit logging of mailbox owners for actions that involve deleting email.

So let’s take a look at how this works.

First, the mailbox must be enabled for mailbox audit logging before you can use the audit logs to prove anything.

[PS] C:\>get-mailbox alan.reid | Set-Mailbox alan.reid -AuditEnabled:$true

Now we can see that auditing is enabled for the mailbox, but no owner actions are being audited.

[PS] C:\>get-mailbox alan.reid | fl *audit*
AuditEnabled     : True
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner       : {}

So next we need to configure the owner actions to audit. In this example I’m only configuring delete actions to be audited. If I included other actions such as Create, Move, etc, then a lot of audit logging would be generated as the mailbox owner read and dealt with their emails.

[PS] C:\>Set-Mailbox Alan.Reid -AuditOwner "HardDelete,SoftDelete,MoveToDeletedItems"

After waiting a short period of time I logged in as Alan and made a variety of delete-type actions, such as manually moving an item to the Deleted Items folder, soft deleting an email (so it goes to Deleted Items), and hard deleting an email (Shift+Delete so it skips the Deleted Items folder).

Finally, in the Exchange Management Shell, I can run a mailbox audit logging search of Alan’s mailbox to see the audit log entries for the delete actions I performed.

[PS] C:\>Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails

You can see I use Get-Date to set the start date to 1 hour ago. Also, when the LogonType is “Owner” we must also use the -ShowDetails switch.

The output of the above command is quite long, so here is a shorter version for the sake of demonstration. In a real world scenario I would recommend looking at the complete output, not this truncated version.

[PS] C:\>Search-MailboxAuditLog -Identity alan.reid -LogonTypes Owner -StartDate (Get-Date).AddHours(-1) -ShowDetails | fl operation*,logonuserdisplayname,sourceitemsubject*,sourceitemfolder*
Operation                     : SoftDelete
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  I'm sorry I spammed you
SourceItemFolderPathNamesList : Inbox
Operation                     : MoveToDeletedItems
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  Marketing newsletter
SourceItemFolderPathNamesList : Inbox
Operation                     : MoveToDeletedItems
OperationResult               : Succeeded
LogonUserDisplayName          : Alan Reid
SourceItemSubjectsList        :  Cryptic unearth plaque
SourceItemFolderPathNamesList : Inbox

So, you can see the tracking mailbox owner deletes is possible using mailbox audit logging. The important considerations are to enable audit logging first so that it is in place before any support situations arise, and also to limit the auditing only to the actions (such as deletes) that are needed so that the impact to database storage is kept under control.

This article Tracking Mailbox Owner Deletes Using Mailbox Audit Logging is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Configuring Mailbox Sent Items Behaviour for Delegates and Shared Mailboxes
• PowerShell Script: Audit Mailbox Sent Items Configurations
• PowerShell Script: IIS Log File Cleanup and Archive

 

Ricky asks:

How do you export a copy of the list of users in the resource in policy tab?

What Ricky is referring to are calendar processing settings, often used on room and equipment mailboxes, that can be used to control who can do such things as make booking requests for a meeting room.

For example, this meeting room has a list of users who are allowed to submit in-policy requests that will be automatically approved.

We can use Get-CalendarProcessing to query the setting with the Exchange Management Shell.

[PS] C:\>Get-CalendarProcessing "HO Meeting Room 1" | fl bookinpolicy
BookInPolicy : {exchangeserverpro.net/Company/Head Office/Users/Aleisha.Harrison, exchangeserverpro.net/Company/Head Of
               fice/Users/David.Gower, exchangeserverpro.net/Company/Head Office/Users/Fran.Durrant}

The formatting of that output is not very useful though, if we’re trying to export a list of the users.

Instead, we can pipe to Select-Object.

[PS] C:\>Get-CalendarProcessing "HO Meeting Room 1" | Select-Object -ExpandProperty:bookinpolicy
IsDeleted         : False
Rdn               : CN=Aleisha.Harrison
Parent            : exchangeserverpro.net/Company/Head Office/Users
Depth             : 5
DistinguishedName : CN=Aleisha.Harrison,OU=Users,OU=Head Office,OU=Company,DC=exchangeserverpro,DC=net
IsRelativeDn      : False
DomainId          : exchangeserverpro.net
ObjectGuid        : 9d3378be-7985-4932-b580-fe3057f00a6b
Name              : Aleisha.Harrison
IsDeleted         : False
Rdn               : CN=David.Gower
Parent            : exchangeserverpro.net/Company/Head Office/Users
Depth             : 5
DistinguishedName : CN=David.Gower,OU=Users,OU=Head Office,OU=Company,DC=exchangeserverpro,DC=net
IsRelativeDn      : False
DomainId          : exchangeserverpro.net
ObjectGuid        : 8a37caa8-cbfe-4c9c-92ff-40d44b4890df
Name              : David.Gower
IsDeleted         : False
Rdn               : CN=Fran.Durrant
Parent            : exchangeserverpro.net/Company/Head Office/Users
Depth             : 5
DistinguishedName : CN=Fran.Durrant,OU=Users,OU=Head Office,OU=Company,DC=exchangeserverpro,DC=net
IsRelativeDn      : False
DomainId          : exchangeserverpro.net
ObjectGuid        : c2516789-67cf-48b0-9cb0-fa02eb541ca8
Name              : Fran.Durrant

Still, that is more output than we really want in this situation. So instead I would run this command to see a nice, neat list of the users.

[PS] C:\>Get-CalendarProcessing "HO Meeting Room 1" | Select-Object -ExpandProperty:bookinpolicy | Select Name
Name
----
Aleisha.Harrison
David.Gower
Fran.Durrant

This article Output a List of In-Policy Users for a Resource Mailbox Using PowerShell is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Tracking Mailbox Owner Deletes Using Mailbox Audit Logging
• Configuring Mailbox Sent Items Behaviour for Delegates and Shared Mailboxes
• PowerShell Script: Audit Mailbox Sent Items Configurations

 

A common load balancer configuration for Exchange Server scenarios involves using source NAT.

Although some load balancing terminology differs from vendor to vendor, for the context of this article “source NAT” will refer to a configuration where the source IP address of a connection is changed from the client IP address to one of the IP addresses of the load balancer.

In this scenario the client connects to the load balancer Virtual IP address (VIP), the load balancer connects to the Exchange server, and then the Exchange server replies to the load balancer, which sends the reply back to the client.

Although there may be nothing technically wrong with this from a functionality point of view (ie, everything works for your clients without any issues), it may become a problem for you in any support situation where you need to look at IIS logs on the Exchange server. The reason this may be a problem is that the IIS logs will show a “client IP” of the load balancer, not the originating client computer or device.

For example, here the client IP of 10.1.1.9 is logged for some OAB download connections from an Outlook client, which is actually the IP address of the load balancer.

Assuming you can’t change your load balancer topology or configuration to resolve this, there are options with IIS itself that can resolve the problem instead. Two of these options are:

• Using the Advanced Logging module for IIS from Microsoft
• Using the F5XForwardedFor ISAPI filter from F5

As a side note, both of these rely on the X-Forwarded-For header being sent by the load balancer to the Exchange servers. Refer to your load balancer documentation for how to configure this option. For example, on F5 load balancers you can enable it on the HTTP profile associated with a virtual service. And on my Kemp VLM I can change the L7 configuration from default X-ClientSide to X-Forwarded-For instead.

Option 1 – Advanced Logging Module

The Advanced Logging module can be installed and configured on your Client Access servers and enables you to configure a log definition that includes the X-Forwarded-For IP address details.

This is relatively easy to do, however it means an additional set of IIS logs is being generated on your server that you’ll need to manage. It also means you’ll need to look in two sets of logs whenever you’re investigating something and need to know the client IP address. In addition, my servers were not logging the client username correctly, which is apparently a common issue. I tried this fix, but it seemed to break Advanced Logging entirely. Your mileage may vary.

Installation and configuration instructions here.

Option 2 – F5XForwaredFor ISAPI Filter

The other option I looked at is an ISAPI filter from F5. This filter looks for the X-Forwarded-For header and, if found, replaces the client IP address with the X-Forwarded-For IP address instead. Effectively this means the IIS logs contain the correct client IP address instead of the load balancer’s IP address.

This is a better approach than the Advanced Logging module from the point of view that it doesn’t require a separate set of log files to be managed. However, although it works fine in my testing (it even worked with non-F5 load balancers) I am not sure whether any support is available from F5 for the filter, though they do provide the source code.

Download and installation instructions here.

Summary

If you are running a load balancer for your Exchange Server environment and you are doing source NAT then this is an issue that you should look into sooner rather than later. It is no good to wait for a support scenario where you need to know client IP addresses and then discover that the data simply isn’t available. Instead I recommend you get ahead of the issue and implement a solution that will give you the right data when you need it.

This article Logging Client IP Address in IIS When Using Load Balancing with Source NAT is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• PowerShell Script: IIS Log File Cleanup and Archive
• PowerShell Script: Audit Mailbox Sent Items Configurations
• PowerShell Script to Generate Exchange Server SSL Certificate Report

 

I’ve received a number of questions lately from people who are concerned about database failover behaviour in their Exchange Server environment.

The scenario is usually that a failure has occurred, and the active database copy moved to a server that they were not expecting it to move to.

Their expectations are based on the activation preference they have configured on their database copies. Basically they expected the database copy with AP=2 to become active, but instead the database copy with AP=3 or AP=4 became active.

The issue here is a misunderstanding about how activation preference works. AP is an administrator-assigned preference for the order in which database copies should become active, but it is not a hard and fast rule.

Instead, “targetless” database switchovers/failovers (ie, *-overs in which an administrator has not explicitly specified which database copy should become active) involve a process called “best copy selection” to determine which database copy becomes active.

Let’s take a look at a simple example. In this scenario there are four database availability group members across two datacenters. The Exchange administrator has configured the database copies in datacenter 1 to have AP=1 and AP=2, because that is the datacenter in which they prefer the database copies to be active.

Some problem occurs on the server hosting the active database copy causing it to dismount, and the Primary Active Manager (PAM) begins the best copy selection process.

Best Copy Selection

Best copy selection is a complex process involving a number of variables that are assessed by the DAG so that a database copy can be chosen to become active to restore availability of service, while balancing that objective against the risk of data loss if a database copy that is not fully up to date with the latest changes was made active.

Database copies that are considered failover candidates are sorted depending on a number of variables.

The first is the AutoDatabaseMountDial setting, which is configured on each Mailbox server in the DAG. This setting configures the threshold for the number of missing log files (or the copy queue length) for the database copy for it to be considered unmountable. There are three possible settings:

• GoodAvailability – this is the default setting and allows a database copy to be automatically mounted if it has a copy queue length of six or less.
• BestAvailability – allows a database copy to be automatically mounted if it has a copy queue length of 12 or less.
• Lossless – allows a database copy to be automatically mounted only if there are no missing log files.

Note: It may seem like “Lossless” is the only logical choice here, because who would willingly choose an option that may result in data loss? However it is often better to allow service to be restored by mounting a database copy that has some missing log files, and then data loss can be mitigated by other means such as by requesting email messages to be resubmitted from Safety Net.

Here is where activation preference comes into play:

• When AutoDatabaseMountDial is set to Lossless on any of the Mailbox servers hosting a copy of the database, the failover candidates are sorted in ascending order of activation preference.
• When AutoDatabaseMountDial is set to GoodAvailability or BestAvailability, the failover candidates are sorted by their copy queue length, in order of shortest to longest. If two database copies have the same copy queue length then the activation preference is used as the tie breaker.

Note: The recommended practice is to set the AutoDatabaseMountDial to the same value for all servers within the DAG.

At this stage in the process even database copies that have missing log files in excess of the AutoDatabaseMountDial threshold are still in consideration as a potential activation candidate, because a process called “attempt copy last logs” (ACLL) will run to try and copy the missing log files from the server that last hosted the active database copy before the failure occurred.

ACLL is useful in situations where the failure is not a total server failure, and the log files are still accessible, which allows a passive database copy that may be excluded from consideration as a failover candidate due to missing log files to copy the missing files and therefore get itself back into consideration.

However, before ACLL runs the best copy selection process needs to choose a database copy to be the candidate to become the active database copy. For that to occur a series of checks is performed on the activation candidates, that includes the following characteristics:

• Copy queue length – the number of transaction log files yet to be shipped from the server hosting the active database copy
• Replay queue length – the number of transaction log files that have been shipped to the passive copy’s server but have not yet been replayed into the passive database copy
• Database status – such as “Healthy” or “Failed”, among other possible values
• Content index status – such as “Healthy” or “Failed”, among other possible values

In Exchange Server 2013 the process is now called “best copy and server selection” (BCSS) because it also takes into account the health of other server components thanks to Managed Availability. This is a significant improvement because, of course, there is little gain to be had from failing over a database to a Mailbox server that has a client protocol in an unhealthy state if there are other more healthy servers to choose from.

You can read more about BCS for Exchange 2010 and BCSS for Exchange 2013 on TechNet, which also includes some example scenarios, but let’s go back to our simple example scenario here for now. For the sake of ease I will use the acronym BCS to refer to both versions of Exchange.

Assuming in this failure scenario that the AutoDatabaseMountDial is set to the default value of GoodAvailability, and that all other server components are equally healthy.

If all three database copies are healthy, have an equal copy queue length of 0, and have healthy content indexes, then the activation preference is used as a tie breaker and the copy with the lowest AP value will be mounted. With this result the administrator is happy that database failover has adhered to their preferences.

However, if the database copy with AP=2 has a copy queue length higher than the others (which is quite possible even under normal healthy conditions), when the failover candidates are sorted based on copy queue length it will not be the first candidate for mounting. In this situation the database copy with AP=3 may mount instead.

What if You Don’t Want a Database Copy to Become Active?

Is this best copy selection behaviour a bad thing?

Well, from the perspective of wanting the most viable database copy to become active in a failover situation, no it is not a bad thing. In fact, considering the architectural changes in Exchange Server 2013, it may be preferable to allow this type of failover scenario to occur in the interests of high availability.

However, I appreciate that in some Exchange Server environments it may not be desirable for databases to failover unexpectedly to a different datacenter.

An AutoDatabaseMountDial setting of Lossless isn’t the answer because even though it causes BCS to sort the database copies in order of activation preference, if the next database copy is missing even a single log file then it won’t be considered mountable.

Instead, we can block database copies from activating using one of two methods.

To block a specific database copy from activating we can use Suspend-MailboxDatabaseCopy with the -ActivationOnly switch.

[PS] C:\>Suspend-MailboxDatabaseCopy DB1\E15MB3 -ActivationOnly

To block an entire Mailbox server from activating database copies we can set the DatabaseCopyAutoActivationPolicy for the server.

[PS] C:\>Set-MailboxServer E15MB3 -DatabaseCopyAutoActivationPolicy Blocked

Why Do You Flag Activation Preference as a Warning in Your Scripts Then?

If you’ve used my Test-ExchangeServerHealth.ps1 or Get-DAGHealth.ps1 PowerShell scripts then you may be wondering why I chose to flag a warning if a database is active on a copy other than the copy with AP=1.

The reason is that many Exchange administrators were telling me about their problems with unexpected database failovers, specifically that they wanted to know when failovers had occurred so that they could troubleshoot the root causes and make sure that, for example, a failed database copy doesn’t sit unnoticed for days at a time.

Which is fair enough. If you don’t have a monitoring system telling you about database failovers, and the end users aren’t complaining, then you run the risk of your DAG health slowly degrading until all of a sudden a database goes offline and you discover you’ve got no healthy copies to mount.

What Else is Activation Preference Useful For?

Since activation preference is only one of many factors in BCS you might be wondering whether they are useful for anything else.

The answer is yes, they are useful when you are rebalancing your DAG using the RedistributeActiveDatabases.ps1 script that ships with Exchange Server 2010 and 2013.

Summary

Best copy selection runs every time a “targetless” database switchover or failover occurs within the database availability group.

For a lot of environments the DAG is healthy enough that the database copy that is next in order of activation preference will mount, because the activation preference value was used as a tie breaker between multiple database copies with equal copy queue lengths (often 1 or 0 in a healthy environment). This is why many administrators simply assume that activation preference is the sole determining factor for which database copy becomes active in a failover scenario.

However as you can see above, it is important to be aware that activation preference is not a hard and fast rule, and that BCS may mount other database copies instead of the next one in order of AP if it finds one that is a better candidate.

This article Why Did My Database Failover to the Wrong Server? is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Logging Client IP Address in IIS When Using Load Balancing with Source NAT
• Output a List of In-Policy Users for a Resource Mailbox Using PowerShell
• Tracking Mailbox Owner Deletes Using Mailbox Audit Logging

 

A reader asks whether it is possible to block external emails sent to an Exchange Server 2013 mailbox user.

Here are two ways to achieve this. I will use one of my mailbox users Alex Heyne for these examples.

Transport Rule

Using an Exchange 2013 transport rule we can block emails sent from external senders to the mailbox user.

In the Exchange Admin Center navigate to Mail Flow -> Rules.

Start a new Transport Rule.

Although there are some pre-canned rule templates that help get you started I prefer to just choose “Create a new rule…” and build it from scratch in this case.

Set the first condition to “The sender is located…” and choose “Outside the organization”. Then click the “More options…” link.

You can then add the second condition that specifies which recipient the messages are being sent to.

Next, set the action to reject the message. There are three rejection options. I prefer to use one that sends back an explanation if the situation is relatively harmless, but for blocking malicious emails it is probably better to just drop them without notifying the sender.

Since you are rejecting the message you probably also want to stop processing other rules.

Save the rule when you have completed the configuration.

The email messages from external senders to that recipient will now be blocked in the transport pipeline, which will show up in message tracking logs.

Timestamp               : 6/05/2014 8:15:33 PM
ClientIp                :
ClientHostname          : E15MB1
ServerIp                :
ServerHostname          :
SourceContext           : Transport Rule Agent
ConnectorId             :
Source                  : AGENT
EventId                 : FAIL
InternalMessageId       : 49443663511553
MessageId               : <CAPOW2OCFFOcjBXjviMqxoscn3HPqH-Zc95Qvgiw101kUGijM+A@mail.gmail.com>
Recipients              : {alex.heyne@exchange2013demo.com}
RecipientStatus         : {550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy}
TotalBytes              : 3095
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Test 2 Inbound
Sender                  : exchangeserverpro@gmail.com
ReturnPath              : exchangeserverpro@gmail.com
Directionality          : Incoming
TenantId                :
OriginalClientIp        :
MessageInfo             : 2014-05-06T10:14:46.526Z;SRV=E15MB1.exchange2013demo.com:TOTAL=30|SMS=30;SRV=E15MB1.exchange2
                          013demo.com:TOTAL=15;CAT|CATRS|CATRS-Transport Rule Agent
MessageLatency          :
MessageLatencyType      : None
EventData               : {[E2ELatency, 47], [DeliveryPriority, Normal], [ExternalOrgIdNotSetReason, ]}

Although this rule will result in external emails being rejected it will also reject emails sent via a relay connector, unless you set exceptions on the rule for email addresses that you know will be sending via that method.

Message Delivery Restrictions

Another method is using message delivery restrictions on the mailbox itself. This may be a better approach if you want your help desk to manage this type of restriction without having to give them the rights to manage transport rules in your organization.

Open the properties of the mailbox and select Mailbox Features, then scroll down to the Message Delivery Restrictions and click View Details.

Enabling the option to “Require that all senders are authenticated” will have the effect of rejecting emails from external senders.

However…

• You don’t get to choose whether to send an NDR or not, it is always sent
• The NDR is slightly unfriendly compared to a custom rejection message you can use with transport rules
• This option will also reject email sent via relay connectors, as with the transport rule option; but
• There is no way to set exceptions for this option

So what you gain in handing off this administrative task to your help desk you lose in flexibility.

Summary

As you can see there are options available for blocking external emails sent to an Exchange Server 2013 mailbox user. However each has pros and cons, and so requires some consideration before you choose which option to implement.

This article Block External Emails for an Exchange Server 2013 Mailbox is © 2014 ExchangeServerPro.com

Get more Exchange Server tips at ExchangeServerPro.com

    

Related Stories

• Logging Client IP Address in IIS When Using Load Balancing with Source NAT
• PowerShell Script: Audit Mailbox Sent Items Configurations
• PowerShell Script: IIS Log File Cleanup and Archive