Exchange 2010 Relay Permissions

Wednesday, November 3, 2010 Posted by

By default Exchange 2010 is configured to accept SMTP email only for domains it is authoritative for, and will only relay email on to other domains for authenticated local users. This is the best practice, because it prevents anyone, spammers included, from sending mail to external recipients from your mail domain. But when you have an application that must relay mail, you should think about what you want to do about its relay permissions. For security reasons you should always create a new, dedicated Receive Connector and lock it down so that only what is needed is open. How do we do that? We want the application to be able to authenticate, because we want to send mail to distribution lists that have the option "Require that all senders are authenticated" enabled.


Like its predecessor, Exchange 2010 is configured by default to accept and relay email from hosts that authenticate. Both the "Default" and "Client" receive connectors are configured this way out of the box. Authenticating is the simplest method to submit messages, and the preferred one in many cases.

The Permissions Group that allows authenticated users to submit and relay is the “ExchangeUsers” group. The permissions that are granted with this permissions group are:

  • NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}
  • NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}
  • NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}
  • NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}

Here are the equivalent options for how to configure this in Exchange 2010.


On the next screen you must specify the local IP address and port this receive connector will listen on. I've chosen all available IP addresses on port 26.


The next screen you must pay particular attention to is "Remote Network settings". This is where you specify the IP ranges of the servers that will be allowed to submit mail. You definitely want to restrict this range as much as you can. In this case, I want my application server, 172.16.16.24, to be allowed to relay.


The next step is to create the connector and open its properties. Now you have two options, which I will present. The first option will probably be the most common.

Option 1: User permissions

We must select which permission group applies to this connector. Because we want the application to authenticate, we select Exchange Users.


Next, continue to the authentication mechanisms page and enable Basic Authentication with TLS and Integrated Windows authentication.


The connector is ready. If you are authenticated you can send mail just like you do from your Outlook client. Now we want to give the specified user the rights needed to relay mail.

Add the right permissions to the receive connector.

[PS] Get-ReceiveConnector -Identity "HubServer\Relay_ReceiveConnector" | Add-ADPermission -User Relay_User -ExtendedRights "Ms-Exch-Accept-Headers-Routing","Ms-Exch-SMTP-Accept-Any-Sender","Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender","Ms-Exch-SMTP-Submit","Ms-Exch-SMTP-Accept-Any-Recipient"

Ms-Exch-SMTP-Accept-Any-Sender
Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Ms-Exch-SMTP-Submit
Ms-Exch-SMTP-Accept-Any-Recipient
Ms-Exch-SMTP-Accept-Authentication-Flag

Basically you are telling Exchange to ignore its internal security checks because you trust this user. The nice thing about this option is that it is simple and grants the common rights that most people probably want.

Option 2: Grant the relay permission to Anonymous on your new scoped connector

This option grants the minimum amount of required privileges to the submitting application.

Taking the new scoped connector that you created, you have another option. You can simply grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous account. Do this by first adding the Anonymous Permissions Group to the connector.


This grants the most common permissions to the anonymous account, but it does not grant the relay permission. This step must be done through the Exchange shell:

[PS] Get-ReceiveConnector "Relay_ReceiveConnector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
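Whichever option you choose, you want to be able to see afterwards which connectors actually grant the relay right and how tightly they are scoped. The following script is an added example (not from the original post) that reports, for every Receive Connector, who holds ms-Exch-SMTP-Accept-Any-Recipient and flags a connector that grants it to Anonymous while accepting the whole IPv4 or IPv6 range. It assumes it runs in the Exchange Management Shell on an Exchange 2010 server; the connector and account names in the output are whatever your organisation has.

```powershell
# Added example: audit every Receive Connector for the relay right and its scope.
# Assumes the Exchange 2010 Management Shell (Get-ReceiveConnector, Get-ADPermission).

function Get-RelayConnectorReport {
    $relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
    # The default remote ranges of the out-of-the-box connectors: "everyone".
    $worldV4 = '0.0.0.0-255.255.255.255'
    $worldV6 = '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'

    foreach ($connector in Get-ReceiveConnector) {
        # Accounts that hold the relay right on this connector (explicit or inherited),
        # ignoring Deny ACEs.
        $holders = Get-ADPermission -Identity $connector.Identity |
            Where-Object {
                (-not $_.Deny) -and
                (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $relayRight)
            } |
            ForEach-Object { $_.User.ToString() } |
            Sort-Object -Unique

        $anonymousRelay = $holders -contains 'NT AUTHORITY\ANONYMOUS LOGON'

        $ranges = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $openToWorld = ($ranges -contains $worldV4) -or ($ranges -contains $worldV6)

        New-Object PSObject -Property @{
            Connector      = $connector.Name
            Bindings       = (@($connector.Bindings | ForEach-Object { $_.ToString() }) -join ', ')
            RemoteIPRanges = ($ranges -join ', ')
            RelayHolders   = (@($holders) -join ', ')
            AnonymousRelay = $anonymousRelay
            # Anonymous relay on a connector open to the world is an open relay
            # for anyone who can reach the port.
            OpenRelayRisk  = ($anonymousRelay -and $openToWorld)
        }
    }
}

Get-RelayConnectorReport |
    Sort-Object OpenRelayRisk, AnonymousRelay -Descending |
    Format-Table Connector, Bindings, RemoteIPRanges, RelayHolders, AnonymousRelay, OpenRelayRisk -AutoSize
```

A connector built as in Option 2 should show AnonymousRelay True, OpenRelayRisk False and only the application server's address under RemoteIPRanges.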

Summary Extended Rights

Permission – Display name
ms-Exch-SMTP-Submit – Submit Messages to Server
ms-Exch-SMTP-Accept-Any-Recipient – Submit Messages to any Recipient
ms-Exch-SMTP-Accept-Any-Sender – Accept any Sender
ms-Exch-SMTP-Accept-Authoritative-Domain-Sender – Accept Authoritative Domain Sender
ms-Exch-SMTP-Accept-Authentication-Flag – Accept Authentication Flag
ms-Exch-Accept-Headers-Routing – Accept Routing Headers
ms-Exch-Accept-Headers-Organization – Accept Organization Headers
ms-Exch-Accept-Headers-Forest – Accept Forest Headers
ms-Exch-SMTP-Accept-Exch50 – Accept Exch50
ms-Exch-SMTP-Send-Exch50 – Send Exch50
ms-Exch-Send-Headers-Routing – Send Routing Headers
ms-Exch-Send-Headers-Organization – Send Organization Headers
ms-Exch-Send-Headers-Forest – Send Forest Headers
ms-Exch-Bypass-Message-Size-Limit – Bypass Message Size Limit
ms-Exch-Bypass-Anti-Spam – Bypass Anti-Spam

Full description Extended Rights

ms-Exch-SMTP-Submit If the SMTP receive session does not have this permission, it will fail to submit messages: both the "MAIL FROM" and the "AUTH" command fail. The "AUTH" command fails even when the credentials are correct, because the authenticated user or computer would have no chance to do anything useful with the session.

ms-Exch-SMTP-Accept-Any-Recipient If the SMTP receive session does not have this permission, the server will reject the "RCPT TO" command if the recipient domain does not match any accepted domain. You could also call this permission the Relay permission.

ms-Exch-SMTP-Accept-Any-Sender If the SMTP receive session does not have this permission, the server will check for sender address spoofing. If the spoofing check fails, the message gets rejected at either "MAIL FROM" or EOD (End Of Data), depending on which sender (envelope or message header) was found to be spoofed.

ms-Exch-SMTP-Accept-Authoritative-Domain-Sender If the SMTP receive session does not have this permission, the server will reject “MAIL FROM” if the specified address is at an authoritative domain. (An authoritative domain is an administrative domain with at least one mail server responsible for the final delivery of messages addressed to that domain.)

ms-Exch-SMTP-Accept-Authentication-Flag If the SMTP receive session does not have this permission, the server will ignore the AUTH= option that was specified on the “MAIL FROM” command. (Internally, Exchange Servers transfer anonymous messages using “AUTH=<>”.)

ms-Exch-Accept-Headers-Routing If the SMTP receive session does not have this permission, the server will strip all “Received:” headers. Note: This should only happen for client message submissions over SMTP, which is why by default ExchangeUsers do not get this permission. (See RFC 2476.)  

ms-Exch-Accept-Headers-Organization If the SMTP receive session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Organization-“.  

ms-Exch-Accept-Headers-Forest If the SMTP receive session does not have this permission, the server will strip all forest headers. Those headers all start with “X-MS-Exchange-Forest-“.  

ms-Exch-SMTP-Accept-Exch50 If the SMTP receive session does not have this permission, the server will not accept the "XEXCH50" command. Note: This command is necessary for interoperability with Exchange 2000 and Exchange 2003. In an environment with only Exchange 2007 servers, the "XEXCH50" command won't be used once disabled.

ms-Exch-SMTP-Send-Exch50 If the SMTP send session does not have this permission, the server will not send the “XEXCH50” command.  

ms-Exch-Send-Headers-Routing If the SMTP send session does not have this permission, the server will strip all “Received:” headers.  

ms-Exch-Send-Headers-Organization If the SMTP send session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Organization-“.  

ms-Exch-Send-Headers-Forest If the SMTP send session does not have this permission, the server will strip all forest headers. Those headers all start with "X-MS-Exchange-Forest-".

ms-Exch-Bypass-Message-Size-Limit If the SMTP receive session has this permission, the server will skip message size restrictions at the protocol level.  

ms-Exch-Bypass-Anti-Spam If the SMTP receive session has this permission, the server will pass this permission to anti spam agents, as to skip this message for anti-spam checks.

Microsoft Released: Exchange 2010 Architecture Poster

Thursday, October 28, 2010 Posted by

For all who want this nice Poster on the wall.

Download
Exchange Server 2010 Architecture Poster

Kind Regards,

Rene van Maasakkers

Exchange Processor Query Tool to quickly locate the SPECint 2006 Rate value

Thursday, October 28, 2010 Posted by

Microsoft released a new "Exchange Processor Query Tool" that enables you to quickly locate the SPECint 2006 Rate value for your server. This tool automates the manual steps, described in the Mailbox Server Processor Capacity Planning TechNet article, to determine your planned processor's SPECint 2006 Rate value.

MS Exchange Team Blog:

"This tool automates the manual steps, described in the Mailbox Server Processor Capacity Planning TechNet article, to determine your planned processor's SPECInt 2006 Rate Value. To run this tool you must be connected to the Internet. The tool will take your planned processor model as input and execute a web query against the spec.org website returning all test result data for that particular processor model. The tool will also calculate an average SPECint 2006 Rate Value based on the number of processors planned to be used in each mailbox server. Once you complete the steps below you can plug the result value for your planned processor into the megacycles per core field in step 5 of the input range in the Mailbox Role Calculator to assist in your Exchange 2010 server planning. If your particular server model is not listed in the dataset returned by the web query you can use the calculated average value and input that number into the megacycles per core field."

Download here

Exchange 2010 (SP1) Unable to Manage Distribution Groups

Thursday, September 30, 2010 Posted by

In Exchange 2010 you are able to manage distribution lists in Outlook Web App.
By design, however, you are not able to modify the distribution groups of which you are the owner.

If you want all owners of a distribution list to be able to manage their own distribution list, follow the steps below. With the great RBAC (Role Based Access Control) feature in Exchange 2010 we are able to give users exactly the permissions they need to manage their own distribution lists. So we have more time to drink coffee.

1. Create a new Custom Role based on the default ‘MyDistributionGroups’ Role.
 

[PS] New-ManagementRole -Name Custom_OwnerDistributionGroups -Parent MyDistributionGroups -Description "This role enables individual users to view distribution groups and add or remove members to distribution groups they own or add a Mailtip."

Parameters
Name: The Name parameter specifies the name of the role. The maximum length of the name is 64 characters. If the name contains spaces, enclose the name in quotation marks (").
Parent: The Parent parameter specifies the identity of the role to copy. If the name of the role contains spaces, enclose the name in quotation marks ("). If you specify the Parent parameter, you can't use the UnScopedTopLevel switch.
Description: The Description parameter specifies the description that's displayed when the management role is viewed using the Get-ManagementRole cmdlet. Enclose the description in quotation marks (").

2. Modify the new Custom Role.

Because we made a new role based on MyDistributionGroups, we have to change it so that it does not keep the same settings as MyDistributionGroups. We remove the entries for creating new distribution groups, removing distribution groups and Set-Group; once removed, these PowerShell cmdlets are no longer available to those users. We also restrict the parameters of the Set-DistributionGroup cmdlet. The users then have permission to add or remove members of the distribution groups they own and to change the MailTip.

[PS] Remove-ManagementRoleEntry Custom_OwnerDistributionGroups\New-DistributionGroup -Confirm:$false
[PS] Remove-ManagementRoleEntry Custom_OwnerDistributionGroups\Remove-DistributionGroup -Confirm:$false
[PS] Remove-ManagementRoleEntry Custom_OwnerDistributionGroups\Set-Group -Confirm:$false
[PS] Set-ManagementRoleEntry Custom_OwnerDistributionGroups\Set-DistributionGroup -Parameters Confirm,ErrorAction,ErrorVariable,Identity,MailTip,MailTipTranslations,OutBuffer,OutVariable,WarningAction,WarningVariable,WhatIf

 

3. Add the new Custom Role to the “Default Role Assignment Policy”

If you want everyone to get these settings, you must add the new role to the existing "Default Role Assignment Policy", which is applied to everyone. You can also change the "Default Role Assignment Policy" from Outlook Web App.

[PS] New-ManagementRoleAssignment -Role Custom_OwnerDistributionGroups -Policy "Default Role Assignment Policy"

 

4. Add the right owners to the distribution lists

Finally you must add the owners to the distribution lists so that the owners can modify the members of the distribution group.
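Steps 1 to 3 above, as one script with a verification pass, are given here as an added example (not from the original post). After building the custom role it compares every role entry against the parent MyDistributionGroups role and confirms that nothing was added, the three cmdlets are gone and Set-DistributionGroup is limited to the intended parameters, and only then assigns the role to the policy. It assumes the Exchange 2010 Management Shell and an account that holds the Role Management role; the role name and description are the post's.

```powershell
# Added example: build the owner role from the post and verify it grants no more
# than intended before assigning it. Assumes the Exchange 2010 Management Shell.

$RoleName   = 'Custom_OwnerDistributionGroups'
$ParentRole = 'MyDistributionGroups'
$RemovedCmdlets   = 'New-DistributionGroup', 'Remove-DistributionGroup', 'Set-Group'
$AllowedSetParams = 'Confirm', 'ErrorAction', 'ErrorVariable', 'Identity', 'MailTip',
                    'MailTipTranslations', 'OutBuffer', 'OutVariable',
                    'WarningAction', 'WarningVariable', 'WhatIf'

function New-OwnerDistributionGroupRole {
    if (-not (Get-ManagementRole $RoleName -ErrorAction SilentlyContinue)) {
        New-ManagementRole -Name $RoleName -Parent $ParentRole `
            -Description 'This role enables individual users to view distribution groups and add or remove members to distribution groups they own or add a Mailtip.' |
            Out-Null
    }
    # Step 2: drop the cmdlets owners must not have.
    foreach ($cmdlet in $RemovedCmdlets) {
        if (Get-ManagementRoleEntry "$RoleName\$cmdlet" -ErrorAction SilentlyContinue) {
            Remove-ManagementRoleEntry "$RoleName\$cmdlet" -Confirm:$false
        }
    }
    # Replace (not extend) the parameter list of Set-DistributionGroup.
    Set-ManagementRoleEntry "$RoleName\Set-DistributionGroup" -Parameters $AllowedSetParams
}

function Test-OwnerDistributionGroupRole {
    # Returns a list of problems; an empty list means the role is as intended.
    $problems = @()

    $parent = @{}
    Get-ManagementRoleEntry "$ParentRole\*" | ForEach-Object { $parent[$_.Name] = @($_.Parameters) }

    foreach ($entry in Get-ManagementRoleEntry "$RoleName\*") {
        if (-not $parent.ContainsKey($entry.Name)) {
            $problems += "$($entry.Name): not present in $ParentRole"
            continue
        }
        # A child role may only narrow the parent's parameter set, never widen it.
        $extra = @($entry.Parameters) | Where-Object { $parent[$entry.Name] -notcontains $_ }
        if ($extra) { $problems += "$($entry.Name): parameters not in parent: $($extra -join ', ')" }
    }

    foreach ($cmdlet in $RemovedCmdlets) {
        if (Get-ManagementRoleEntry "$RoleName\$cmdlet" -ErrorAction SilentlyContinue) {
            $problems += "${cmdlet}: still present in $RoleName"
        }
    }

    $setEntry = Get-ManagementRoleEntry "$RoleName\Set-DistributionGroup"
    $unexpected = @($setEntry.Parameters) | Where-Object { $AllowedSetParams -notcontains $_ }
    if ($unexpected) { $problems += "Set-DistributionGroup: unexpected parameters: $($unexpected -join ', ')" }

    return $problems
}

New-OwnerDistributionGroupRole
$issues = @(Test-OwnerDistributionGroupRole)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw "Role $RoleName does not match the intended entries; not assigning it."
}
# Step 3: only a verified role is added to the policy everyone gets.
if (-not (Get-ManagementRoleAssignment -Role $RoleName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $RoleName -Policy 'Default Role Assignment Policy' | Out-Null
}
Write-Host "$RoleName verified and assigned to the Default Role Assignment Policy."
```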

5. Outlook Web App

When users log on to Outlook Web App they will see the following pages.

 

For more information, see also the TechNet sites from Microsoft:

Installation Exchange 2010 SP1

Thursday, September 30, 2010 Posted by

Installation Exchange 2010 SP1

In this article I describe the installation procedure for Service Pack 1 for Exchange 2010, its prerequisites and known issues.

Prerequisites

Exchange 2010 SP1 has a number of prerequisites that must be met before the Service Pack installation is started. These are:

– Installation Hotfixes

– Schema Update Active Directory

Installation hotfixes

Exchange Setup will tell you which hotfixes you need. If you are up to date you should see that you need the hotfixes listed below, but I recommend that you run Setup to show which hotfixes you must have.

Here's a matrix of the updates required, including download locations and file names.

979744 – A .NET Framework 2.0-based Multi-AppDomain application stops responding when you run the application
  Download: MSDN or Microsoft Connect
  Windows Server 2008: Windows6.0-KB979744-x64.msu (CBS: Vista/Win2K8)
  Windows Server 2008 R2: Windows6.1-KB979744-x64.msu (CBS: Win7/Win2K8 R2)
  Windows 7 & Windows Vista: N.A.

983440 – An ASP.NET 2.0 hotfix rollup package is available for Windows 7 and for Windows Server 2008 R2
  Download: Request from CSS
  Windows Server 2008: N.A.
  Windows Server 2008 R2: Yes
  Windows 7 & Windows Vista: N.A.

977624 – AD RMS clients do not authenticate federated identity providers in Windows Server 2008 or in Windows Vista. Without this update, Active Directory Rights Management Services (AD RMS) features may stop working
  Download: Request from CSS
  Windows Server 2008: Select the download for Windows Vista for the x64 platform.
  Windows Server 2008 R2: N.A.
  Windows 7 & Windows Vista: N.A.

979917 – Two issues occur when you deploy an ASP.NET 2.0-based application on a server that is running IIS 7.0 or IIS 7.5 in Integrated mode
  Download: MSDN
  Windows Server 2008: Windows6.0-KB979917-x64.msu (Vista)
  Windows Server 2008 R2: N.A.
  Windows 7 & Windows Vista: N.A.

973136 – FIX: ArgumentNullException exception error message when a .NET Framework 2.0 SP2-based application tries to process a response with zero-length content to an asynchronous ASP.NET Web service request: "Value cannot be null".
  Download: Microsoft Connect
  Windows Server 2008: Windows6.0-KB973136-x64.msu
  Windows Server 2008 R2: N.A.
  Windows 7 & Windows Vista: N.A.

977592 – RPC over HTTP clients cannot connect to the Windows Server 2008 RPC over HTTP servers that have RPC load balancing enabled.
  Download: Request from CSS
  Windows Server 2008: Select the download for Windows Vista (x64)
  Windows Server 2008 R2: N.A.
  Windows 7 & Windows Vista: N.A.

979099 – An update is available to remove the application manifest expiry feature from AD RMS clients.
  Download: Download Center
  Windows Server 2008: N.A.
  Windows Server 2008 R2: Windows6.1-KB979099-x64.msu
  Windows 7 & Windows Vista: N.A.

982867 – WCF services that are hosted by computers together with a NLB fail in .NET Framework 3.5 SP1
  Download: MSDN
  Windows Server 2008: Windows6.0-KB982867-v2-x64.msu (Vista)
  Windows Server 2008 R2: Windows6.1-KB982867-v2-x64.msu (Win7)
  Windows 7 & Windows Vista: x86: Windows6.1-KB982867-v2-x86.msu (Win7); x64: Windows6.1-KB982867-v2-x64.msu (Win7)

977020 – FIX: An application that is based on the Microsoft .NET Framework 2.0 Service Pack 2 and that invokes a Web service call asynchronously throws an exception on a computer that is running Windows 7.
  Download: Microsoft Connect
  Windows Server 2008: N.A.
  Windows Server 2008 R2: x64: Windows6.1-KB977020-v2-x64.msu
  Windows 7 & Windows Vista: x64: Windows6.1-KB977020-v2-x64.msu; x86: Windows6.1-KB977020-v2-x86.msu

On all Hub Transport and Mailbox servers the Office 2010 Filter Pack must be installed.

http://www.microsoft.com/downloads/en/details.aspx?familyid=5CD4DCD7-D3E6-4970-875E-ABA93459FBEE&displaylang=en

You can run setup to find all the hotfixes you need.
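To see at a glance what is still missing on a given server before you start Setup, the following script is an added example (not from the original post). It maps the KB numbers of the matrix above to the operating system they apply to, compares them with what Get-HotFix reports, and checks for the Office 2010 Filter Pack on servers holding the Hub Transport or Mailbox role. It assumes PowerShell 2.0 on Windows Server 2008 or 2008 R2 inside the Exchange Management Shell; the registry location used for the Filter Pack check is an assumption.

```powershell
# Added example: compare installed hotfixes with the SP1 prerequisite matrix.
# Assumes Exchange Management Shell on Windows Server 2008 (6.0) or 2008 R2 (6.1).

# OS applicability of each hotfix, taken from the matrix above.
$RequiredKBs = @{
    'KB979744' = @('2008', '2008R2')
    'KB983440' = @('2008R2')
    'KB977624' = @('2008')
    'KB979917' = @('2008')
    'KB973136' = @('2008')
    'KB977592' = @('2008')
    'KB979099' = @('2008R2')
    'KB982867' = @('2008', '2008R2')
    'KB977020' = @('2008R2')
}

function Get-ServerOsTag {
    $version = (Get-WmiObject Win32_OperatingSystem).Version
    if ($version -like '6.0.*') { return '2008' }
    if ($version -like '6.1.*') { return '2008R2' }
    throw "Unsupported operating system version $version"
}

function Get-MissingSp1Hotfixes {
    # Returns the KB ids required for this OS that Get-HotFix does not list.
    $osTag = Get-ServerOsTag
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    $RequiredKBs.GetEnumerator() |
        Where-Object { ($_.Value -contains $osTag) -and ($installed -notcontains $_.Key) } |
        ForEach-Object { $_.Key } |
        Sort-Object
}

function Test-Office2010FilterPack {
    # Assumption: the Filter Pack registers under the standard Uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Office 2010 Filter Pack*' }
    return [bool]$found
}

$missing = @(Get-MissingSp1Hotfixes)
if ($missing.Count -gt 0) {
    Write-Warning "Hotfixes from the matrix not found on this server: $($missing -join ', ')"
} else {
    Write-Host 'All hotfixes from the matrix for this OS are installed.'
}

# The Filter Pack is only a prerequisite on Hub Transport and Mailbox servers.
$roles = (Get-ExchangeServer $env:COMPUTERNAME).ServerRole.ToString()
if ($roles -match 'HubTransport|Mailbox' -and -not (Test-Office2010FilterPack)) {
    Write-Warning 'Office 2010 Filter Pack is not installed.'
}
```

Hotfixes installed as .msu packages appear in Get-HotFix, but packages delivered through other installers may not, so Setup's own readiness check remains the final word.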

Update Active Directory Schema

Before installing Exchange 2010 SP1 we must run a schema update.

How to find the server with the schema master role:

  1. Start MMC
  2. Load the Schema Snap in
  3. In the Snap in, Right click on Active Directory Schema
  4. Choose Operations Master…
  5. By Current Schema is listed the Schema Master

From this schema master you can run the command:

  1. Log on locally to the Schema Master server
  2. Start a Command Prompt
  3. From the Exchange 2010 SP1 media location, run this command: setup.com /PrepareAD

Installation Service Pack 1

It's important to install this Service Pack from the outside in as well. So we must first upgrade the Edge servers, and the last servers to upgrade are the Mailbox servers. You should always apply hotfixes and service packs in the order described here.

  1. Edge Transport Servers
  2. Client Access Servers
  3. Hub Transport Servers
  4. Unified Messaging Servers
  5. Mailbox Servers

Start setup.exe from the media kit.

  1. Choose the Exchange language option for the upgrade.
  2. Upgrade all languages from the language bundle.
  3. Download the latest language pack bundle from the internet.
  4. Setup downloads the latest language pack from the internet.
  5. After the download, choose "Finish".
  6. Install Microsoft Exchange Server Upgrade.
  7. Next.
  8. Accept the License Agreement.
  9. Click "Upgrade" after all Readiness Checks have finished. If you have not installed all hotfixes, Setup tells you to install them before you can upgrade.
  10. Setup shows its progress.
  11. Finish.

Update Microsoft Exchange Server 2010 Service Pack 1 (SP1)

Thursday, August 26, 2010 Posted by

Overview

Microsoft Exchange Server 2010 helps IT Professionals achieve new levels of reliability with greater flexibility, enhanced user experiences, and increased protection for business communications.

  • Flexible and reliable – Exchange Server 2010 gives you the flexibility to tailor your deployment based on your company’s unique needs and a simplified way to keep e-mail continuously available for your users.
  • Anywhere access – Exchange Server 2010 helps your users get more done by giving them the freedom to securely access all their communications – e-mail, voice mail, instant messaging, and more – from virtually any platform, Web browser, or device.
  • Protection and compliance – Exchange Server 2010 delivers integrated information loss prevention, and compliance tools aimed at helping you simplify the process of protecting your company’s communications and meeting regulatory requirements.

This software is intended for evaluation purposes only. You must accept the license terms before you are authorized to use the software. There is no product support for this trial software. You are welcome to participate in the forums to share your trial experiences with others and to ask for advice.

Download Exchange Service Pack 1

http://www.microsoft.com/downloads/details.aspx?FamilyID=50b32685-4356-49cc-8b37-d9c9d4ea3f5b&displaylang=en

Update Rollup 4 for Exchange Server 2010 (KB982639)

Friday, July 16, 2010 Posted by
Date Published: 17/6/2010

Microsoft has just released Exchange 2010 Update Rollup 4. You can download the update here and read more about the fixes included in the following KB article:

http://support.microsoft.com/?kbid=982639

This is a cumulative update rollup and replaces the following:

  • KB976573 Update Rollup 1 for Exchange Server 2010 (KB976573)
  • KB979611 Update Rollup 2 for Exchange Server 2010 (KB979611)
  • KB981401 Update Rollup 3 for Exchange Server 2010 (KB981401)

Exchange 2010 Recovery Database

Tuesday, June 29, 2010 Posted by

Legacy Exchange Recovery Storage Groups

Exchange 2010 no longer includes the concept of storage groups. In earlier versions of Exchange, one or more Exchange store databases can be grouped into a storage group, which can then be managed as a unit. However, storage groups complicate many high-availability scenarios, and make single-database restores more complex.

Exchange 2010–compatible backup and restore applications that work with the Windows Volume Shadow Copy Service (VSS) no longer provide storage group identifiers in the VSS backup component paths.

Recovery Storage Group Replaced with Recovery Database

Because storage groups were removed from Exchange Server 2010, the recovery storage group no longer exists. Instead, if your application needs to restore, recover, and mount an Exchange database to a different location or server, it will use a recovery database. The recovery database is not tied to any original server or database. Each Exchange 2010 server can have no more than one mounted recovery database. There can be multiple recovery databases, but only one can be mounted at a time.

You can use the Restore-Mailbox cmdlet to extract data from an RDB. After extraction, the data can be exported to a folder or merged into an existing mailbox. RDBs enable you to recover data from a backup or copy of a database without disturbing user access to current data.

Microsoft Exchange Server 2010 supports the ability to restore data directly to a recovery database. Mounting the recovered data as a recovery database allows the administrator to restore individual mailboxes or individual items in a mailbox. Restoring to a recovery database can be accomplished in two ways:

  • If a recovery database already exists, the application can dismount the database, restore the data onto the recovery database and log files, and then remount the database.
  • The database and log files can be restored to any disk location. Exchange analyzes the restored data and replays the transaction logs to bring the databases up to date, and then a recovery database can be configured to point to already recovered database files.

 

Steps how to restore a mailbox

1.   Restore EDB, Logs and Replay the logs

First you have to Recover the edb and log files to a recovery directory. We have restored the files to D:\restore

The EDB file we have restored will not include any data that is contained in the log files as these are committed to the database AFTER we perform the backup.

We need to know the log file numbering before we can run ESEUTIL.  To do this, navigate to the folder you restored the EDB & Log files to (in the case of this article it is D:\Restore) and look for the file that starts with an E and has 2 numbers after the E and an extension of .chk, so for example E00.chk.  This is what is known as the checkpoint file, or the working log file.  All the other log files will start with the same 3 digits and they are created when the checkpoint file gets full.

So, assuming your checkpoint file is called E00.chk, we now need to run the command that replays the log files from the Exchange Management Shell.

Once the Exchange Management Shell is open type the following commands:

cd \
cd Restore
ESEUTIL /R E00 /L "<path of log files>" /D "<path of database>" /i

This will replay the log files that you have restored from the backup into the database.

When you don’t use the /i you might get this error:

“Operation terminated with error -1216 (JET_errAttachedDatabaseMismatch, An outstanding database attachment has been detected at the start or end of recovery, but database is missing or does not match attachment info) after n seconds.”

To resolve this, run soft recovery with the "/i" switch at the end; it overrides the EDB-STM mismatch.

You may also use /a, which allows recovery to lose committed data if database integrity can still be maintained.

Run Eseutil /mh "<path of the database>.edb" to check that the database is in the state "Clean Shutdown".

2.   Create a Recovery Database from the EDB file

Once we have restored the EDB file and Log files, we then need to create a Recovery Database.  This process can only be performed using the Exchange Management Shell.
Assuming the following Information:

  • Servername is MBX1 (must be an Exchange Server that holds the Mailbox Role)
  • The EDB & Log files have been restored to D:\Restore\
  • EDB File Name is databases01.edb
  • The recovery database name will be RecoveryDatabase01

Run the following command in the Exchange Management Shell:

[PS] New-MailboxDatabase -Recovery -Name “RecoveryDatabase01” -Server MBX1 -EdbFilePath “D:\Restore\Databases01.edb” -LogFolderPath “D:\Restore”

If the recovery database cannot be mounted, rerun the ESEUTIL soft recovery with the /a switch (allow recovery to lose committed data if database integrity can still be maintained) and then create the recovery database again:

[PS] New-MailboxDatabase -Recovery -Name "RecoveryDatabase01" -Server MBX1 -EdbFilePath "D:\Restore\Databases01.edb" -LogFolderPath "D:\Restore"

 

The next step is to mount the Recovery Database.  To do this we run the following command from the Exchange Management Shell:

[PS] Mount-Database RecoveryDatabase01

We can confirm the database has been created and that it is a recovery database by running the following command from the Exchange Management Shell:

[PS] Get-MailboxDatabase

The important part of the output is that the database listed as RecoveryDatabase01 has the value True under Recovery.

We now have a recovery database created.  

 

3.    Show list of mailboxes in the recovery database

To show all the mailboxes which are in the recovery database use the following command from the Exchange Management Shell:

[PS] Get-MailboxStatistics -Database RecoveryDatabase01 

 

4.   Recover the required mailbox/mail items

Unlike previous versions of Exchange, there is no Graphical User Interface for the recovery process.  To recover mail items we need to use the Exchange Management Shell.

4.1 Restore the completed mailbox

So for example, we have a user called Rene_vm and he has deleted the entire contents of his mailbox and you need to recover all his mail.

We have a copy of the mailbox belonging to Rene_vm in our Recovery Database.  To restore the required mailbox, we would use the Exchange Management Shell and run the following command:

[PS] Restore-Mailbox -Identity rene_vm -RecoveryDatabase RecoveryDatabase01

This will recover a mailbox called rene_vm from the Recovery Database called RecoveryDatabase01 to the rene_vm mailbox in the live database.  This method relies on the original mailbox still being intact. 

4.2 Restore to a Folder

The next option is to recover the rene_vm mailbox from the Recovery Database and place it into a folder called “Rene_vm Recovery” within a mailbox called servicedesk.

[PS] Restore-Mailbox -Identity servicedesk -RecoveryDatabase RecoveryDatabase01 -RecoveryMailbox Rene_vm -TargetFolder “Rene_vm Recovery”

4.3 Restore selective Mail

Restores only the mail with the subject more2know, with the message body containing the word business, and with the message location either in the Inbox or Calendar folder. This example assumes that the mailbox is in English. Place the restored items into a recovery folder.

[PS] Restore-Mailbox -Identity info -RecoveryDatabase RecoveryDatabase01 -RecoveryMailbox rene_vm -SubjectKeywords "more2know" -ContentKeywords "business" -IncludeFolders \inbox,\calendar -TargetFolder "Rene_vm recovery with more2know"

4.4      Bulk Restore

Bulk restores all the mailboxes in the Databases01 mailbox database that are also present in RecoveryDatabase01

[PS] Get-Mailbox -Database Databases01 | Restore-Mailbox -RecoveryDatabase RecoveryDatabase01

 

5.   Removing the recovery database

After the restore is completed we must remove the recovery database. To do this we run the following command:

[PS] Remove-MailboxDatabase -Identity RecoveryDatabase01
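Steps 1 to 5 above, as one script with the checks you want before a restore touches a live mailbox, are given here as an added example (not from the original post): the replayed database must be in Clean Shutdown before the recovery database is created, no other recovery database may already be mounted on the server, and the source mailbox is matched in the RDB by its GUID rather than its display name. It assumes the names from the post (MBX1, D:\Restore, Databases01.edb, E00, rene_vm, servicedesk) and that eseutil.exe is on the path of the Exchange Management Shell.

```powershell
# Added example: restore one mailbox from a recovery database with sanity checks.
# Assumes the Exchange 2010 Management Shell and the names used in the post.

$Server        = 'MBX1'
$RestorePath   = 'D:\Restore'
$EdbPath       = Join-Path $RestorePath 'Databases01.edb'
$LogPrefix     = 'E00'
$RdbName       = 'RecoveryDatabase01'
$SourceMailbox = 'rene_vm'       # mailbox to recover from the RDB
$TargetMailbox = 'servicedesk'   # mailbox that receives the recovered folder

function Get-EdbState {
    # Parse the "State:" line of eseutil /mh, e.g. "State: Clean Shutdown".
    $header = & eseutil /mh $EdbPath
    $line = @($header | Select-String '^\s*State:')[0]
    if ($line) { return ($line.Line -replace '^\s*State:\s*', '').Trim() }
    return 'Unknown'
}

function Invoke-SoftRecovery {
    # Replay the restored logs into the EDB. Retry with /a only if the database is
    # still not in Clean Shutdown; /a may lose committed data, so it is not the default.
    & eseutil /r $LogPrefix /l $RestorePath /d $RestorePath /i | Out-Null
    if ((Get-EdbState) -ne 'Clean Shutdown') {
        Write-Warning 'Soft recovery left the database dirty; retrying with /a.'
        & eseutil /r $LogPrefix /l $RestorePath /d $RestorePath /i /a | Out-Null
    }
    if ((Get-EdbState) -ne 'Clean Shutdown') {
        throw "Database $EdbPath is not in Clean Shutdown; do not create the RDB yet."
    }
}

function New-RecoveryDatabaseChecked {
    # Only one recovery database can be mounted per server.
    $other = Get-MailboxDatabase -Server $Server -Status |
        Where-Object { $_.Recovery -and $_.Mounted -and $_.Name -ne $RdbName }
    if ($other) {
        throw "Another recovery database is already mounted on ${Server}: $($other.Name)"
    }
    if (-not (Get-MailboxDatabase $RdbName -ErrorAction SilentlyContinue)) {
        New-MailboxDatabase -Recovery -Name $RdbName -Server $Server `
            -EdbFilePath $EdbPath -LogFolderPath $RestorePath | Out-Null
    }
    Mount-Database $RdbName
}

function Test-MailboxInRdb {
    # Match on the mailbox GUID; display names are not unique.
    $guid = (Get-Mailbox $SourceMailbox).ExchangeGuid
    $stats = Get-MailboxStatistics -Database $RdbName | Where-Object { $_.MailboxGuid -eq $guid }
    return [bool]$stats
}

function Restore-MailboxFromRdb {
    if (-not (Test-MailboxInRdb)) {
        throw "Mailbox $SourceMailbox was not found in $RdbName."
    }
    # Restore into a folder of another mailbox (section 4.2) so the live mailbox
    # of the user is never overwritten.
    Restore-Mailbox -Identity $TargetMailbox -RecoveryDatabase $RdbName `
        -RecoveryMailbox $SourceMailbox -TargetFolder "$SourceMailbox Recovery" -Confirm:$false
}

function Remove-RecoveryDatabaseChecked {
    # Removing the RDB removes only the Exchange object; the files in $RestorePath
    # stay on disk until you delete them after verifying the restore.
    Dismount-Database $RdbName -Confirm:$false
    Remove-MailboxDatabase $RdbName -Confirm:$false
}

Invoke-SoftRecovery
New-RecoveryDatabaseChecked
Restore-MailboxFromRdb
Remove-RecoveryDatabaseChecked
```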

 

For more information, see also the TechNet sites from Microsoft:
Recovery Databases http://technet.microsoft.com/en-us/library/dd876954.aspx
Understanding Backup, Restore and Disaster Recovery http://technet.microsoft.com/en-us/library/dd876874.aspx
Restore-Mailbox http://technet.microsoft.com/en-us/library/bb125218.aspx

Exchange 2007 Recovery Storage Group (RSG)

Tuesday, June 15, 2010 Posted by

Using Recovery Storage Group (RSG) in Exchange 2007

Recovery Storage Group (RSG) has been operational since Exchange 2003 SP1 and gives us the ability to restore a single mailbox or a single item from a backup, using the simplest backup software like Ntbackup, without using expensive backup tools like brick level agents and while the production Database is up and running.

There are some major and significantly good changes in the Exchange 2007 RSG in comparison to the Exchange 2003 RSG, and most of them are a result of the powerful PowerShell capabilities.

In this article I will describe, step by step, how to configure RSG and how to restore an item or a mailbox from backup.

Requirements and naming conventions

For the purpose of this article, I’ve used the following objects:

  • SQA-LCS2005 – Exchange 2007 standard edition.
  • Administrator – Source & destination mailbox on SQA-LCS2005 to restore the selected items from the RSG.
  • Backup software – Ntbackup (C:\Backup\ExchDB.bkf – is the backup device that I used).

The process is divided into 4 parts:

  1. Having a backup of the DB, a backup that contains the items that were deleted.
  2. Create the RSG in the Exchange server.
  3. Restore the relevant items / mailbox – Using GUI. Optional: Restore the relevant items / mailbox – Using MSH.
  4. Dismount and remove the RSG.

Having a backup of the DB, a backup that contains the items that were deleted

Note that the backup process usually should run every day automatically; therefore you may skip this step.

Open the Ntbackup software, mark the DB you want to backup and verify that the backup completed successfully.

 

Create the RSG in the Exchange server

1. Open the EMC (Exchange Management Console), from the Toolbox node, click on the Database Recovery Management:

2. Type the name of your Exchange server and Domain Controller server name and then click Next at the bottom of the screen:

3. From the Tasks options, choose Manage Recovery Storage Group and then click on the Create a Recovery Storage Group

4. Select the Storage Group that you want to restore from and click Next:

5. Choose the location of the original SG files (DB + Logs).

6. Finish the RSG creation.

7. Verify that the RSG was created using the Exchange Management Shell (MSH):

Get-MailboxDatabase

Restore the relevant items / mailbox – Using GUI

Note that the Administrator mailbox, before the emails deletion, looks as follows:

1. The first step in this section is restoring the DB from the backup. Open the backup software, choose the DB you want and mark it for restore:

2. Mark the next parameters, as shown in the next screen:

3. Verify that the restore completed successfully.

4. After the restore has completed successfully, click Merge or copy mailbox contents under Manage Recovery Storage Group:

5. In the mounted Database in the RSG that you restored, click Gather Merge information:

6. The next screen gives you the ability to restore the whole mailbox or all the items in the mailbox from the backup in a simple way by clicking the Perform pre-merge tasks:

7. If you want to filter the items that you want to restore, for example items from a specific date range, or items with a specific subject from all mailboxes into one specific mailbox, you should select Show advanced Options:

Note: In this example I have chosen to restore all the items with the word TEST (the search is not case sensitive) to the Test_Folder folder in the Administrator’s mailbox.

Search by subject (TEST) and copy all items found to the Administrator’s mailbox:

Search the TEST word in the next mailboxes:

8. The result of the process is shown in the next screen:

9. We can see all the folders that were created in the Administrator’s mailbox under the TEST_Folder (for each user’s mailbox – Recovered Data – Username – Date of restore): For example: Recovered Data – Tzahi Kolber – 2/22/2007

Optional: Restore the relevant items / mailbox – Using MSH

The alternative way to restore items from specific dates, specific subjects and from user’s mailboxes, is using the Exchange Management Shell (MSH). In the following examples, I will demonstrate how to restore items that were deleted from the Administrator’s mailbox.

Example 1:

The Goal:

Restore items (all items in mailbox) from Administrator mailbox in RSG back to the live mailbox, under the Restore folder:

The Command:

Note: Any mailbox that is restored from the RSG can be restored to any mailbox on the production Database. In this case, instead of restoring the data back to the Administrator’s mailbox, we can restore it to Tkolber’s mailbox by running the next command:

The Process:

Restore to Restore Folder

After running the command, you are asked to approve the process:

After approving the process, the tasks are shown in the background:

When the process ends, a summary of the process is presented on the screen:

The Result:

When the process ends, we can see the destination folder (Restore) in the user’s mailbox:

Example 2:

The Goal:

Restore items from Administrator mailbox in RSG, from January 15th to February 27th, back to the live mailbox, under the Date_Range_Jan15th to Feb27th folder:

  • In this process, we MUST configure a target folder; if you omit it from the command, you are prompted for the target folder’s name.
  • The dates must be written using the following syntax: MM/DD/YY.

The Command:

The Result:

When the process ends, we can see the destination folder (Date_Range_Jan15th to Feb27th) in the user’s mailbox from the relevant dates only:

Example 3:

The Goal:

Restore all mailbox content from Administrator’s mailbox in RSG, back to the live mailbox:

The Command:

The Result:

When the process ends, all the data that was in the Administrator’s mailbox is merged into his production mailbox.
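The Exchange Management Shell commands behind Examples 1 to 3, plus the subject filter used in the GUI section (the TEST search), as an added example rather than the command screenshots from the original post. The server, storage group and database names are placeholders (take the real ones from Get-MailboxDatabase), and the year 2007 in the date range is assumed from the restore date shown earlier.

```powershell
# Added example (not from the original post): Exchange 2007 Management Shell
# equivalents of the RSG restores described above. Names are placeholders.
# -RSGDatabase takes <Server>\<Storage Group>\<Database> or <Storage Group>\<Database>.
$rsgDatabase = 'EXCH01\Recovery Storage Group\Mailbox Database'   # placeholder

# Confirm the RSG database exists and is mounted before restoring from it
Get-MailboxDatabase -Server EXCH01 -Status |
    Where-Object { $_.Recovery } |
    Format-Table Name, StorageGroup, Mounted -AutoSize

# Example 1: everything from the Administrator mailbox in the RSG, back into the
# live Administrator mailbox under a folder named "Restore"
Restore-Mailbox -Identity 'Administrator' -RSGDatabase $rsgDatabase -TargetFolder 'Restore'

# Variation from the note: same RSG mailbox, restored into Tkolber's live mailbox.
# -RSGMailbox names the source mailbox in the RSG; -TargetFolder is required here.
Restore-Mailbox -RSGMailbox 'Administrator' -RSGDatabase $rsgDatabase `
    -Identity 'Tkolber' -TargetFolder 'Restore'

# Example 2: only items dated January 15th to February 27th (dates as MM/DD/YY,
# year assumed to be 2007); the target folder is mandatory for a filtered restore
Restore-Mailbox -RSGMailbox 'Administrator' -RSGDatabase $rsgDatabase -Identity 'Administrator' `
    -TargetFolder 'Date_Range_Jan15th to Feb27th' -StartDate '01/15/07' -EndDate '02/27/07'

# Shell equivalent of the GUI "Search by subject (TEST)" step: only items whose
# subject contains TEST (keyword match is not case sensitive), into Test_Folder
Restore-Mailbox -RSGMailbox 'Administrator' -RSGDatabase $rsgDatabase -Identity 'Administrator' `
    -TargetFolder 'Test_Folder' -SubjectKeywords 'TEST'

# Example 3: merge all content straight back into the live mailbox (no target
# folder, so items return to their original folders). -Confirm:$false skips the
# approval prompt shown in "The Process" above; use it only in scripted runs.
Restore-Mailbox -Identity 'Administrator' -RSGDatabase $rsgDatabase -Confirm:$false

# Preview what would be restored without changing the live mailbox
Restore-Mailbox -Identity 'Administrator' -RSGDatabase $rsgDatabase -WhatIf
```

Run the -WhatIf variant first when restoring into somebody else's mailbox: a wrong -Identity merges another user's data into that mailbox, and the only recovery is deleting the restored folder by hand.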

Dismount and remove the RSG

After you complete the restore from the RSG, you should dismount the RSG; the main reason is that this allows restores to the production DB (any live DB) again.

1. Open the EMC (Exchange Management Console), from the Toolbox node, click on the Database Recovery Management:

2. Type the name of your Exchange server and Domain Controller server name and then click Next at the bottom of the screen:

3. From the Tasks options, choose Manage Recovery Storage Group and then click on the Mount or Dismount Database in the Recovery Storage Group:

4. Now select the Database that you want to dismount, tick its checkbox and click Dismount Selected database:

5. After dismounting the database, you will get a report with a result of the process:

In order to remove the RSG:

6. Repeat steps 1 and 2 of this section and, from the Tasks options, click Remove the Recovery Storage Group:

7. Click the Remove the Recovery Storage Group option again:

8. After removing the RSG, you will get a report with a result of the process:

9. If you want to verify from the Exchange Management Shell that the RSG was removed, you can type the command: Get-MailboxDatabase -Status

Exchange Autodiscover and Multiple Domains

Tuesday, May 18, 2010 Posted by

The Autodiscover service makes it easier to configure Outlook 2007 or Outlook 2010 and some mobile phones. You can’t use the Autodiscover service with earlier versions of Outlook, including Outlook 2003. In earlier versions of Microsoft Exchange (Exchange 2003 SP2 or earlier) and Outlook (Outlook 2003 or earlier), you had to configure all user profiles manually to access Exchange.

The Autodiscover service does the following:

  • Automatically configures user profile settings for clients running Microsoft Office Outlook 2007 or Outlook 2010, as well as supported mobile phones. Phones running Windows Mobile 6.1 or a later version are supported. If your phone isn’t a Windows Mobile phone, check your mobile phone documentation to see if it’s supported.
  • Provides access to Exchange features for Outlook 2007 or Outlook 2010 clients that are connected to your Exchange messaging environment (Offline Address Book, Out Of Office, etc.).
  • Uses a user’s e-mail address and password to provide profile settings to Outlook 2007 or Outlook 2010 clients and supported mobile phones. If the Outlook client is joined to a domain, the user’s domain account is used.

How does Outlook/Entourage check for autodiscover functionality?

  1. Autodiscover checks https://<smtpdomain>/Autodiscover/Autodiscover.xml.
  2. Autodiscover checks https://autodiscover.<smtpdomain>/Autodiscover/Autodiscover.xml.
  3. Autodiscover checks http://autodiscover.<smtpdomain>/Autodiscover/Autodiscover.xml.
  4. Autodiscover performs an SRV lookup for _autodiscover._tcp.<smtpdomain>.

When you have multiple SMTP domains configured for your users, you must redirect the Autodiscover lookups to your primary SMTP domain. You can use one of these methods:

Method 1) 1 single-name SSL certificate with DNS SRV lookup.
  Pros:
  • Simple configuration.
  • Requires only 1 website and 1 public IP.
  • Only requires 1 single-name SSL certificate.
  Cons:
  • Not all DNS hosting providers support DNS SRV records.
  • An additional dialog is displayed to Outlook users asking whether they trust the redirected URL (it can be told not to display the dialog again).
  • Requires an Outlook 2007 client-side hotfix.

Method 2) 1 SSL certificate that is valid for multiple DNS names (Subject Alternative Names).
  Pros:
  • Simple configuration.
  • Requires only one certificate.
  • Requires only 1 website and 1 public IP.
  Cons:
  • The cost of additional DNS names on an SSL certificate can be higher.

Method 3) 2 single-name SSL certificates (one specifically for Autodiscover).
  Pros:
  • 2 single-name certificates may be less costly than a certificate with multiple names.
  Cons:
  • Complex configuration.
  • Requires 2 websites and 2 public IPs.
  • Difficult to load balance 2 sites.

Method 4) 1 single-name SSL certificate with a second HTTP redirection website.
  Pros:
  • Only requires 1 single-name SSL certificate.
  Cons:
  • Complex configuration.
  • Requires 2 websites and 2 public IPs.
  • Difficult to load balance 2 sites.
  • An additional dialog is displayed to Outlook users asking whether they trust the redirected URL (it can be told not to display the dialog again).

I will explain how you can use an SRV record.

1. DNS SRV Record (Service record)

When you use an SRV record, Outlook 2007 clients must have update 939184 installed (http://support.microsoft.com/kb/939184/, “Description of the update rollup for Outlook 2007: June 27, 2007”). It is included in Service Pack 1.

With an SRV record you redirect the Autodiscover lookups for your other SMTP domain to your primary domain. To do this you don’t need complicated certificate constructions: one certificate for your primary domain is enough.

How to configure an SRV record for the redirect:

If you are using Windows DNS, the steps to create an SRV Record are as follows:

  1. Open the DNS Management MMC snap-in.
  2. Expand Forward Lookup Zones.
  3. Locate and right-click the external DNS zone, and then click Other New Records.
  4. Click Service Location (SRV).
  5. Enter the parameters by using the required values.
  6. Click OK.

SRV record

1.  Service: _autodiscover

2.  Protocol: _tcp

3.  Port Number: 443

4.  Host: autodiscover.<primary smtp domain>.

Example

Redirect smtp domain contoso.nl to contoso.com

Make a new srv record: _autodiscover._tcp.contoso.nl. with these settings:

_autodiscover._tcp.contoso.nl. 0  0 443 autodiscover.contoso.com.

Remember that the host name must end with a trailing dot (.).

Check your settings with nslookup:

Nslookup->
Set type=all
_autodiscover._tcp.contoso.nl

_autodiscover._tcp.contoso.nl SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = autodiscover.contoso.com
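A PowerShell version of the same check, added here as an example and not part of the original post: it lists the lookup order Outlook follows (steps 1 to 4 above), resolves the SRV record like the nslookup session does, and then verifies that the certificate on the SRV target actually covers the target name, which is the detail that decides between the four methods in the table. contoso.nl and contoso.com are the placeholder domains from the post; the function names are my own, Resolve-DnsName needs Windows 8 / Server 2012 or later, and the SAN parsing assumes the English “DNS Name=” label in the extension text.

```powershell
# Added example (not from the original post): verify an Autodiscover SRV redirect
# and the certificate presented by its target. Domain names are placeholders.
function Get-AutodiscoverLookupOrder {
    # The four lookups Outlook tries for an SMTP domain, in order
    param([string]$SmtpDomain)
    @(
        "https://$SmtpDomain/Autodiscover/Autodiscover.xml",
        "https://autodiscover.$SmtpDomain/Autodiscover/Autodiscover.xml",
        "http://autodiscover.$SmtpDomain/Autodiscover/Autodiscover.xml",
        "SRV _autodiscover._tcp.$SmtpDomain"
    )
}

function Get-AutodiscoverSrvTargets {
    # PowerShell equivalent of the nslookup check (DnsClient module, Windows 8+)
    param([string]$SmtpDomain)
    Resolve-DnsName -Name "_autodiscover._tcp.$SmtpDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, Weight |
        ForEach-Object {
            if ($_.Port -ne 443) { Write-Warning "$($_.NameTarget): port $($_.Port), Autodiscover expects 443" }
            [pscustomobject]@{ Target = $_.NameTarget; Port = $_.Port; Priority = $_.Priority; Weight = $_.Weight }
        }
}

function Get-TlsCertificateNames {
    # Open a TLS connection and return the names in the server certificate
    param([string]$HostName, [int]$Port = 443)
    # Accept any certificate at the TLS layer so a mismatch is reported, not thrown
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $sanText = ''
        if ($san) { $sanText = $san.Format($false) }
        [pscustomobject]@{
            Subject         = $cert.Subject
            SubjectAltNames = $sanText
            NotAfter        = $cert.NotAfter
            ChainTrusted    = $cert.Verify()   # chain builds to a trusted root on this machine
        }
    } finally { $client.Close() }
}

function Test-NameCoveredByCertificate {
    # True if the CN or a DNS SAN covers $HostName; a wildcard covers exactly one label
    param([string]$HostName, [string]$Subject, [string]$SubjectAltNames)
    $names = @()
    if ($Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Extension text on English Windows reads "DNS Name=host, DNS Name=host"
    foreach ($m in [regex]::Matches($SubjectAltNames, 'DNS Name=([^,\s]+)')) {
        $names += $m.Groups[1].Value
    }
    foreach ($n in $names) {
        if ($n -eq $HostName) { return $true }   # -eq is case-insensitive, as DNS is
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Usage: contoso.nl is redirected to contoso.com, as in the SRV example above
Get-AutodiscoverLookupOrder -SmtpDomain 'contoso.nl'
foreach ($srv in Get-AutodiscoverSrvTargets -SmtpDomain 'contoso.nl') {
    $info = Get-TlsCertificateNames -HostName $srv.Target -Port $srv.Port
    $info
    $covered = Test-NameCoveredByCertificate -HostName $srv.Target `
        -Subject $info.Subject -SubjectAltNames $info.SubjectAltNames
    if (-not $covered) {
        Write-Warning "Certificate on $($srv.Target) does not cover that name; Outlook will reject the redirect"
    }
}
```

The name check is the part worth keeping in a monitoring script: an SRV record that points at a host whose certificate was later renewed under a different name still resolves fine in nslookup, but every Outlook client will start failing Autodiscover with a certificate warning.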