Office 365 – compauth=fail reason=601

Mails received from mailchamp.com, were declared as spam. Following errors arrives in mailbox:

Authentication-Results: spf=pass (sender IP is 10.20.30.40)
smtp.mailfrom=something.example.com dkim=pass (signature was verified)
header.d=something.example.com;dmarc=fail action=none
header.from=example.com;compauth=fail reason=601
Received-SPF: Pass (protection.outlook.com: domain of something.example.com
designates 10.20.30.40 as permitted sender) receiver=protection.outlook.com;
client-ip=10.20.30.40; helo=m42-181.mailchimp.com;
Received: from m42-181.mailchimp.com (10.20.30.40) by
DB5EUR03FT015.mail.protection.outlook.com (10.152.20.145) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.4930.15 via Frontend Transport; Tue, 1 Feb 2022 12:25:07 +0000
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=something.example.com; q=dns/txt;

SPF record:

something.example.com TXT v=spf1 include:mailchimp.com ~all

DMARC record:

v=DMARC1; p=none; sp=none; adkim=s; aspf=s; rua=mailto:dmarc_agg@example.com,mailto:dmar@domain.com

After spending some time googling decided to change SPF record

something.example.com TXT v=spf1 include:mailchimp.com include:spf.protection.outlook.com include:protection.outlook.com ~all

Then emails from mailchimps started to land into inbox

Advertisement

Exchange server – Renewed SSL cert have no private key

Exchange server SSL certificate was about to expire,in Exchange control panel created Certificate request

Created Certificate request, purchased new cert and after importing it, i still was seeing “Pending request” instead of new certificate.

Cert was installed in Local machine personal store but without private key (missing “key” icon)

Obtained SSL cert serial number

Created new private key for SSL certificate

certutil -repairstore my "4efaf9cf77fe59a448506e8a92a2b941"

Also, noted cert had no friendly name, so had to create it too:

Get Cert thumbprint:

(Get-ChildItem -Path Cert:\LocalMachine\My\<The thumbprint of your certificate>).FriendlyName = 'exchange.example.com'

(Get-ChildItem -Path Cert:\LocalMachine\My\e3c38169c22034de908e59c86171aa23c6ad01cc).FriendlyName = 'exchange.example.com'

After refreshing Exchange control panel, certificate finally appeared, with friendly name, now what’s left was to activate new cert

Enable-ExchangeCertificate –Thumbprint e3c38169c22034de908e59c86171aa23c6ad01cc –Services "IIS, SMTP, POP, IMAP"

Now delete old certificate, after testing access https://exchange.example.com/owa, in web browser i still saw old cert, had to restart IIS service to see new certificate.

Powershell-Extract email body stored in custom folder using EWS-Office 365

I had a need to extract email body from Office 365 mailbox from “non standard” mailbox folder (Not Inbox), so i edited this nice script to satisfy my need:https://sysadminben.wordpress.com/2015/10/27/reading-emails-from-office365-account-using-powershell/

Download and install Microsoft Exchange Web Services Managed API 2.0

By default it’s installed in

C:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll

This script will look for all emails with “Remove” word in subject,stored in “Processed” folder, get email subject and body, then move email to “done” folder.

$mail="mail@company.com"
$password="pass"

$USER_DEFINED_FOLDER_IN_MAILBOX = "Processed"

# Set the path to your copy of EWS Managed API
$dllpath = "C:\Program Files\Microsoft\Exchange\Web Services\2.0\Microsoft.Exchange.WebServices.dll"
# Load the Assemply
[void][Reflection.Assembly]::LoadFile($dllpath)

# Create a new Exchange service object
$service = new-object Microsoft.Exchange.WebServices.Data.ExchangeService

#These are your O365 credentials
$Service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials($mail,$password)

# this TestUrlCallback is purely a security check
$TestUrlCallback = {
param ([string] $url)
if ($url -eq "https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml") {$true} else {$false}
}
# Autodiscover using the mail address set above
$service.AutodiscoverUrl($mail,$TestUrlCallback)

# get a handle to the inbox
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)

$MailboxRootid = new-object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Root, $mail) # selection and creation of new root
$MailboxRoot = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,$MailboxRootid)
# switch to "Processed" folder
$fvFolderView = new-object Microsoft.Exchange.WebServices.Data.FolderView(100) #page size for displayed folders
$fvFolderView.Traversal = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep; #Search traversal selection Deep = recursively
$SfSearchFilter = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.FolderSchema]::Displayname,$USER_DEFINED_FOLDER_IN_MAILBOX)
$findFolderResults = $MailboxRoot.FindFolders($SfSearchFilter,$fvFolderView)

$Folder = ""

# create Property Set to include body and header of email
$PropertySet = New-Object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::FirstClassProperties)

# set email body to text
$PropertySet.RequestedBodyType = [Microsoft.Exchange.WebServices.Data.BodyType]::Text;

# extract email subject and body
foreach ($Fdr in $findFolderResults.Folders)
{
$theDisplayName = $Fdr.DisplayName
if($theDisplayName -eq $USER_DEFINED_FOLDER_IN_MAILBOX)
{
$Folder = $Fdr
}
}

# Now to actually try and search through the emails
$textToFindInSubject = "Remove"

$emailsInFolder = $Folder.FindItems(9999) # <-- Successfully finds ALL emails with no filtering, requiring iterative code to find the ones I want.
foreach($individualEmail in $emailsInFolder.Items)
{
if($individualEmail.Subject -match "$textToFindInSubject")
{
# found the email
echo "Successfully found the email!"
}
}

$searchfilter = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::Subject,$textToFindInSubject)
$itemView = new-object Microsoft.Exchange.WebServices.Data.ItemView(999)
$searchResults = $service.FindItems($Folder.ID, $searchfilter, $itemView)

# Find destination folder

$TargetFolderSearch = new-object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.FolderSchema]::Displayname,"done") #for each folder in mailbox define search
$TargetFolder = $MailboxRoot.FindFolders($TargetFolderSearch,$fvFolderView) 

foreach($result in $searchResults)
{
# load the additional properties for the item
$result.Load($PropertySet)
$subj = $result.Subject

echo "Subject"$subj
echo "Body: $($result.Body.Text)"

# move email to "done" folder

[VOID]$result.Move($TargetFolder.Id)

}

Restoring Exchange Server 2013 to Recovery Database

In my previous article we performed database backup using Windows Backup,and in this one we’ll restore database to folder c:\b

Available backups are shown:

Because i backed up folders,not entire drive,i chose Files and folders

I selected mailboxdatabase folder

Click recover

Database and transaction log files are restored to same folder (c:\b)

Restoring to recovery database

A recovery database is a special  mailbox database that allows mounting and extracting data from a restored mailbox database.

Database we just has restored is in dirty shutdown state (there are transactions that are await to be committed to the database).

We’ll use eseutil utility which is part of Exchange to bring database to clear shutdown mode (database is correctly detached-so we can mount this database file to recovery database)

PS C:\b> eseutil /mh '.\bigfirm_db01,on_bigfirm.edb'

/m displays headers of database files and transaction log files

/h – dump database header

To get Clean Shutdown,we must perform soft database recovery (transaction logs are replayed into an offline file backup copy of a database)

PS C:\b> eseutil /R E00 /l .\ /d .\

/R replays transaction log files or rolls them forward to restore a database to internal consistency or to bring an older copy of a database up to date-https://technet.microsoft.com/en-us/library/aa998075(v=exchg.65).aspx

/l path to log files

/d path to database file

Both log and database files are in same folder-c:\b,(I cd into that folder,that’s why  .\ is used -current folder)

E00 logfile prefix (note that all log files start with E0)

Check database status,it should be in clean shutdown mode now

Now we can mount edb file to recovery database

Creating recovery database

Recovery database is created as any other mailbox database except we need to specify -recovery switch,

edb path is fedb file to database we recovered using Windows Backup and log files are in c:\b folder (also restored from backup)

[PS] C:\Windows\system32>New-MailboxDatabase -Server dc -Name recoverydatabase -Recovery -EdbFilePath 'C:\b\bigfirm_db01,on_bigfirm.edb' -LogFolderPath 'c:\b'
[PS] C:\Windows\system32>Mount-Database recoverydatabase

 

Performing restore from recovery database

In this example we will recover emails from deleteditems folder from recovery database

[PS] C:\Windows\system32>New-MailboxRestoreRequest -SourceDatabase recoverydatabase -SourceStoreMailbox "don hall" -TargetMailbox "don hall" -IncludeFolders delete items

Exchange Server 2013 backup

In this post we will backup Exchange Server using Windows backup as well as PowerShell and Batch script

-Backup should be created on remote share

-Full backup should be performed

-The backup should be performed locally on the server

-If we chose full VSS backup,log truncation will occur

Checking if Windows backup is installed:

PS C:\Users\Administrator>Get-WindowsFeature -Name *backup*

Display Name Name Install State
------------ ---- -------------
[ ] Windows Server Backup Windows-Server-Backup Available

Install it:

PS C:\Users\Administrator>Install-WindowsFeature windows-server-backup

Run GUI (windows server backup)

We can perform one time or scheduled backup,in this example i used scheduled backup:

Select Custom (we will backup only Exchange server data)

I chose to backup logging and database folders

If you want to truncate log files choose Advanced settings and click VSS full backup,othervise,leave VSS copy backup

Set the time at which you want the backup to be performed

Set backup destination

Because we selected VSS full backup,log files are erased

Check backup status:

[PS] C:\Windows\system32>Get-MailboxDatabase -Status | select name,LastFullBackup

Name LastFullBackup
---- --------------
bigfirm_db01,on:bigfirm 07.09.2015. 21:57:56

PowerShell alternative:

Instead of GUI,we can use wbadmin utility,create a scheduled task and run it in predefined time

PS C:\Users\Administrator> wbadmin start backup -backuptarget:\\192.168.0.41\backup -user:gordon -password:1234 "-include:C:\Program Files\Microsoft\Exchange Server\V15\Logging,C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\bigfirm_db01*" -vssfull -quiet > C:\Backup.txt

Backup.txt will be created at the end of backup procedure

CMD Batch:

C:\Users\Administrator> wbadmin start backup -backuptarget:\\192.168.0.41\backup -user:gordon -password:1234 -include:"C:\Program Files\Microsoft\Exchange Server\V15\Logging,C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\bigfirm_db01*" -vssfull -quiet > C:\Backup.txt

Message Classifications in Exchange 2013

Message Classifications allow users to assign a tag to a message, such as marking it confidential.These informations Exchange Server and Outlook treat in a special fashion.When a message is classified, the message contains specific metadata that describes the intended use or audience of the message.

Classifications can be created only through EMS:

[PS] C:\Windows\system32>New-MessageClassification -Name "my classification" -DisplayName "MC" -RecipientDescription "This message may containt confidental information" -SenderDescription "Handle with care"

-RecipientDescription specifies text visible on recipient side

-SenderDescription text visible on sender side

After creating,Classifications need to be exported to xml file.Scripts folder in Exchange install directory contains script Export-OutlookClassification.ps1 which exports classifications

[PS] C:\>cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"
[PS] C:\>C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\Export-OutlookClassification.ps1 > C:\1.xml

Classifications needs to be imported to outlook on every workstations through registry keys.

I am suprised Microsoft didn’t find more elegant way for importing classifications.

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Policy]  office 2007
"AdminClassificationPath"="C:\\Users\\Public\\MessageClassifications.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Policy]  office 2010
"AdminClassificationPath"="C:\\Users\\Public\\MessageClassifications.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Policy] office 2013
"AdminClassificationPath"="C:\\Users\\Public\\MessageClassifications.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001

AdminClassificationPath Specifies the full path and filename of the exported XML

EnableClassifications  enables (1) or disables (0) classifications

TrustClassifications  Outlook trusts classifications on messages that are sent to users on legacy Exchange Server Mailbox servers (1) or not (0)

In case you must deploy classifications on many computers (outlook 2013),i created a little batch script which can be deployed via GPO or PSExec tool

REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Policy /f /v AdminClassificationPath /t REG_SZ /d c:\\1.xml
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Policy /f /v EnableClassifications /t REG_DWORD /d 00000001
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Policy /f /v TrustClassifications /t REG_DWORD /d 00000001

Restart outlook,compose new message-options-permission (click little “triangle” and choose classification

Sender’s perspective

Receiver’s side:

Data Loss Prevention (DLP) Policies in Exchange 2013

The Data Loss Prevention Policy allows users to define policies and policy rules for the organization to improve protection of information usually sent through email, including financial and personal data.DLP policies contain sets of conditions, which are made up of transport rules, actions, and exceptions.

In this example we’ll create policy which,in case someone in organization,send a mail with word “salary” in subject or body,report will be sent to administrator.

From ECP click compliance management,data loss prevention,’triangle” near + and choose New custom DLP policy:

Select policy and edit it (pencil icon)

Click rules,select “triangle” again 🙂 and select Notify sender when sensitive information is sent outside the organization

Select “the sender is this person” (track messages sent by specific people-don hall)

Select desired user,click add and click OK again

We now need to add second condition-track specific word in subject or body (salary)

What to do when condition is met-add action (notify adminstrator)

On first “select one” choose administrator

and the second select one choose “Include original mail”

When we click save,transport rule is automatically created (mail flow-rules)

Testing and verifification:

From don.hall  i sent email to my hotmail account with subject salary and administrator got this email

Retention Policies in Exchange 2013

Retention policies are applied to mailboxes to apply message retention settings. A mailbox can’t have more than one retention policy.It’s a collection of retention tags that can be applied to a mailbox.

Personal tags can apply to folders users create themselves or to individual items.It’s premium Exchange feature and requires an Exchange Enterprise client access license (CAL).

A retention policy tag (RPT) applies retention settings to the default folders (Inbox, Deleted Items, and Sent Items) in a mailbox, and all items that are in these default folders inherit the folders’ policy tag.

More about tags:https://technet.microsoft.com/en-us/library/dd297955(v=exchg.150).aspx

To create policy,retention policy tag must be created first (action we want po pertorm)

In this example i’ll create 2 retention policy tags,one will archive messages after 30 days and another will permanently delete messages after 5 days:

[PS] C:\Windows\system32>New-RetentionPolicyTag "delete after 5 days" -Type deleteditems -RetentionEnabled $true -AgeLimitForRetention 5 -RetentionAction permanentlydelete
[PS] C:\Windows\system32>New-RetentionPolicyTag "archive" -RetentionEnabled $true -AgeLimitForRetention 30 -RetentionAction movetoarchive -Type personal

-Type deleteditems applies tag to deleted itelms folder

-Type personal applies tag to custom user folder (user can apply this tag to any custom created folder)

-retentionenabled $true activates/enables tag

-agelimitforretention retention period (in days)

Tags can be created from GUI too,using Exhange control panel:

compliance management-retention tags-“+” sign:

We can add these policy tags to default retention policy (Default MRM Policy) or create a new one.

I created new (delete & archive) and addedd two policy tags:

[PS] C:\Windows\system32>New-RetentionPolicy "delete & archive" -RetentionPolicyTagLinks "delete after 5 days","archive"

Using ECP

compliance management-retention policies-“+” sign,add previouslu created tags:

Check if we did it right:

[PS] C:\Windows\system32>(Get-RetentionPolicy "delete & archive").RetentionPolicyTagLinks | Format-Table name

We can assign policy to individual mailbox(es)

[PS] C:\Windows\system32>Set-Mailbox "don hall" -RetentionPolicy "delete & archive"

or to all mailboxes:

[PS] C:\Windows\system32>Get-mailbox | Set-Mailbox -RetentionPolicy "deleted items"

To apply policy immediately,we need to start ManagedFolderAssistant (It processes retention policies for managed folders and applies retention policy tags to items in mailboxes)

Start assistant for specific mailbox:

[PS] C:\Windows\system32>Start-ManagedFolderAssistant -Identity "don hall"

or to all mailboxes

[PS] C:\Windows\system32>get-mailbox | Start-ManagedFolderAssistant

From Outlook Web Access,select folder and assign policy tag (for deleted items it’s set by default)

Or in outlook,right click folder-properties,policy to see which policy tags are applied

Role Based Access Control in Exchange 2013

Role Based Access Control (RBAC) was first introduced in Exchange 2010 as a way to give an excange administrator granular control over Exchange Server,in other words what privileges administrator has.RBAC consists of four “modules” which,combined together form a permission model that forms level of access to Exchage features:

–Management Role scope “Where” does something applies (OU,user,group)

–Management role “What” actions (cmdlets-expressed via Management Role Entries) we want to apply to user

–Management role group “Who” can execute cmdlets (Powershell commands) specified in Management Role entries

–Management role assignment binds users to actions that we want to assign to them

In this example i’ll remove administrator right to create new mailbox database

First,we need to identify existing managementrole  contains new-mailboxdatabase cmdlets

[PS] C:\Users\administrator.JA\Desktop>get-managementrole "databases" | fl description

To make sure,review powershell commands covered by “database” managementrole:

[PS] C:\Users\administrator.JA\Desktop>get-managementroleentry "databases\*" | fl

In case you wonder why i didn’t use “databases*” instead “databases\*”:

We will use “databases” roleentry as a base for our own,named “prohibit database creation” management entry (“What” cmdlets are allowed to run):

[PS] C:\Users\administrator.JA\Desktop>New-ManagementRole "prohibit database creation" -Parent "databases"

To make sure it contains needed powershell commands:

Because we want to remove new-mailboxdatabase cmdlet,we need to remove it from our newly created entry

[PS] C:\Users\administrator.JA\Desktop>remove-ManagementRoleEntry "prohibit database creation\new-mailboxdatabase" -Confirm:$false

Check again to see that new-mailboxdatabase was removed from “prohibit database creation” managemententry:

[PS] C:\Users\administrator.JA\Desktop>Get-ManagementRoleEntry "prohibit database creation\*" | ft

I created OU for admins who will have cmdlets assigned from “prohibit database creation” entry,and created administrator named test and put him to OU

C:\Documents and Settings\Administrator>dsadd ou ou="fake exchange admins",dc=ja,dc=com

We need now to create role group (“Who“) can perform cmdlets specified in “prohibit database creation” managemententry,

and where (OU “fake exchange admins”)

[PS] C:\Users\administrator.JA\Desktop>new-rolegroup "no database creation allowed" -Roles "prohibit database creation" -RecipientOrganizationalUnitScope "ja.com/fake exchange admins"
[PS] C:\Users\administrator.JA\Desktop>add-rolegroupmember "no database creation allowed" -member test

New rolegroup “no database creation allowed” was created and assigned our managementroleentry,and rolegroup is bound to OU “fake exchange admins”

Rolegroup can be created using ECP:

Permissions-Admin roles,”+” sign:

Now i logged admin test and tried to run new-mailboxdatabase cmdlet:

Database availability group in Exchange 2013

A database availability group (DAG) is a high availability and data recovery feature of Exchange Server.It’s introduced with Exchange 2010.DAG member server can host a copy of mailbox database from any other servers in DAG.DAG member provide automatic recovery from database failures ( disk,server, or network)

In this example i created DAG with two members (m1 and m2)

It’s advisable (but not neccessary)  to have separate DAG subnet (replication network),in this example,subnet 10.10.10.0 was used as replication network.If DAG replication network is configured,it needs to be exempted from DNS registration

Check box Register this connection’s addresses in DNS has to be unchecked

192.168.0.0 is LAN (MAPI) network in which client computers are connected.

Prestaging CNO in Active Directory

One of the first steps in DAG configuration is to pre-stage Cluster Name Object (CNO) in Active Directory.CNO is needed for providing an identity to DAG and cluster.CNO is computer object in AD.

On domain controller,create new computer object,add Full Control permissons to Exchange Trusted Subsystem and first DAG member (m1)

Exchange Trusted Subsystem is a highly privileged group and has read/write access to every Exchange-related object in all Exchange-prepared domains in the forest

Enable Advanced Featurs,(it’s neccessary to enable security tab in newly created object)

Click on security tab,add Exchange Trusted Subsystem and m1  (check computers in object types) in and give it full control

And finally disable dag computer account:

Configuring witness server (quorum.ja.com)

Witness server is used to host shared folder for DAG and is used to maintain an quorum (configuration in a failover cluster that determines the number of failures that the cluster can sustain while still remaining online)

More about quorum:http://blogs.msdn.com/b/clustering/archive/2011/05/27/10169261.aspx

Witness server is only used when there is an even number of nodes in the DAG (vote counts).You can use domain controller as witness server but it is not recommended.A DAG member can not be configured as witness server.A DAG must  have “quorum” to mount databases and if it loses it, mailbox database won’t be mounted.Each DAG member participate in “voting”.Formula for calculating enough number of vote members to maintain the cluster online is (number of nodes / 2) +1. In our case,with 2 nodes,we need 2 online members for cluster to be up and running.In normal circumstances,witness is not needed,because we have 2 DAG members online,but if one of DAG nodes goes down,remaining DAG member will use our witness server to maintain cluster online.(Witness gives it’s “vote”).But,if we restart the witness server,database will dismount until failed DAG member goes online again.

We must add Exchange Trusted Subsystem to local administrators group on witness server.In this example,quorum.ja.com is witness server.In run box,type lusrmgr.msc and add Exchange Trusted Subsystem to local administrators group:

On witness server,open ports for file and print sharing,port 135 (for RPC connection) and RemoteAdmin

netsh firewall set service RemoteAdmin enable
netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135

Creating DAG

Using ECP:

Click Servers-Database Availability Groups (+) sign

Enter dag name,witness server,path to shared folder on witness server (you don’t need to create that folder manually,it will be created automatically), and dag IP address (it’s address from LAN-MAPI network)

Using PowerShell:

[PS] C:\Users\administrator.JA\Desktop>New-DatabaseAvailabilityGroup -Name dag -WitnessServer quorum.ja.com -WitnessDirectory c:\DAG -DatabaseAvailabilityGroupIpAddresses 192.168.0.60

Note! if you get error that “The Exchange Trusted Subsystem is not a member of the local Administrators group on specified witness server <ServerName>.”,and you addedd Trusted subsystem to local Admin group,just ignore that warning

https://support.microsoft.com/en-us/kb/2644540

On witness server,shared DAG folder is created automatically,CNO object dag,we have created earlier,have full share permissions.(That’s why we have added Exchange Trusted Subsystem into Local Admins group on witnes server)

Adding DAG members

We now need to add m1 and m2 as DAG members

Using ECP:

Click marked (“cog” sign with server simbol)

Click + and add DAG members

Powershell:

[PS] C:\Users\administrator.JA\Desktop>Add-DatabaseAvailabilityGroupServer -Identity dag -MailboxServer m1
[PS] C:\Users\administrator.JA\Desktop>Add-DatabaseAvailabilityGroupServer -Identity dag -MailboxServer m2

On both DAG members (m1 and m2),Failover cluster is installed,with Node and File Share Majority.

Configuring Database Copies

During Exchange install,mailbox database “Mailbox Database 0677329633” was created.We want to replicate this database to m2 DAG member Exchange server (no databases exist)

using ECP:

click servers-databases-select database we want to replicate and then click on “three dots”

Click on Add Database copy

Type database name,click browse and select server to which you want to replicate database (m2).Activation preference number

(During database activation, when multiple database copies satisfy the criteria for activating, the Activation Preference Number is used to decide which database copy is to be activated) is automatically increased to next available number-2.(m1 already host the database with preference number of 1)

Powershell:

[PS] C:\Users\administrator.JA\Desktop>Add-MailboxDatabaseCopy -Identity "Mailbox Database 0677329633" -MailboxServer m2 -ActivationPreference 2

On m2,database folder is automatically created:

In Exchange Control Panel,we can see that database is hosted on both servers

Or with PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Get-MailboxDatabaseCopyStatus -Identity "Mailbox Database 0677329633" | ft

Moving Database Copy between DAG members

In this example,we will move “Mailbox Database 0677329633” from m1 to m2.It is planned “switchover”

Using ECP:

on m1 select the database and click Activate

Powershell:

[PS] C:\Users\administrator.JA\Desktop>Move-ActiveMailboxDatabase "Mailbox Database 0677329633" -ActivateOnServer m2 -MountDialOverride:None -Confirm:$false

-MountDialOverride:None-m2 mounts the database using its own defined database auto mount dial settings
-MountDialOverride:GoodAvailability-the database automatically mounts immediately after a failover if the copy queue length is less than or equal to six. The copy queue length is the number of logs recognized by the passive copy that needs to be replicated. If the copy queue length is more than six, the database doesn’t automatically mount. When the copy queue length is less than or equal to six, Exchange attempts to replicate the remaining logs to the passive copy and mounts the database.
-MountDialOverride:BestAvailability-the database automatically mounts immediately after a failover if the copy queue length is less than or equal to 12
-MountDialOverride:Lossless- the database doesn’t automatically mount until all logs that were generated on the active copy have been copied to the passive copy.

Conclusion

DAGs only provide high availability for mailbox databases not for the other Exchange Server role.Database availability groups provide high availabilty solutions in single data center environments,but are not suited in stretched DAGs.