Archive for the ‘Exchange’ Category

In the previous article we backed up the mailbox database with Windows Server Backup; in this one we restore that backup to the folder c:\b and recover mail from it through a recovery database.

In Windows Server Backup the available backups are listed.

Because I backed up folders rather than the whole drive, I chose Files and folders.

I selected the mailbox database folder.

Click Recover.

The database and the transaction log files are restored to the same folder (c:\b).

Restoring to recovery database

A recovery database is a special mailbox database that lets you mount a restored mailbox database and extract data from it without touching the production database.

The database we just restored is in Dirty Shutdown state: there are transactions in the log files that have not yet been committed to the database file.

We use eseutil, which ships with Exchange, to bring it to Clean Shutdown (the state of a correctly detached database); only then can the file be attached to a recovery database.

PS C:\b> eseutil /mh '.\bigfirm_db01,on_bigfirm.edb'

/m selects the file dump mode; with /h it dumps the database header, which includes the State line (Dirty Shutdown here).

To get to Clean Shutdown we perform a soft recovery: the transaction logs are replayed into the restored, offline copy of the database.

PS C:\b> eseutil /R E00 /l .\ /d .\

/R replays the transaction log files (rolls them forward) to bring the database to internal consistency, or to bring an older copy of a database up to date: https://technet.microsoft.com/en-us/library/aa998075(v=exchg.65).aspx

/l path to the log files

/d path to the database file

Both the log and the database files are in the same folder, c:\b (I cd'd into that folder, which is why .\ is used: the current folder).

E00 is the log file prefix; the log files restored with this database are named E00*.log. Soft recovery only works when the log sequence is complete; if log files are missing, eseutil /R fails rather than guessing.

Check the database header again; it should now report State: Clean Shutdown.

Now we can attach the .edb file to a recovery database.

Creating recovery database

A recovery database is created like any other mailbox database, except that the -Recovery switch is specified.

-EdbFilePath points to the .edb file we restored with Windows Backup and -LogFolderPath to the folder that holds the restored log files (c:\b).

[PS] C:\Windows\system32>New-MailboxDatabase -Server dc -Name recoverydatabase -Recovery -EdbFilePath 'C:\b\bigfirm_db01,on_bigfirm.edb' -LogFolderPath 'c:\b'
[PS] C:\Windows\system32>Mount-Database recoverydatabase

Performing restore from recovery database

In this example we recover the contents of the Deleted Items folder of don hall's mailbox from the recovery database back into his live mailbox. The folder name must be quoted; the well-known-folder form #DeletedItems# is locale independent and is used here:

[PS] C:\Windows\system32>New-MailboxRestoreRequest -SourceDatabase recoverydatabase -SourceStoreMailbox "don hall" -TargetMailbox "don hall" -IncludeFolders "#DeletedItems#"
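The whole recovery-database workflow as one script, with a check after every step. This is an added example, not code from the original post. Assumptions (mine, not the post's): the restored files are in C:\b as in the post, eseutil.exe is on PATH (the Exchange Bin folder), the script runs in the Exchange Management Shell on server dc, and the restore request name is invented.

```powershell
# Added example, not code from the original post: recovery-database workflow with checks.
# Assumptions: restored files in C:\b, eseutil.exe on PATH, run from the Exchange
# Management Shell; the request name 'donhall-deleteditems' is made up.
$RestoreDir = 'C:\b'
$Edb        = Join-Path $RestoreDir 'bigfirm_db01,on_bigfirm.edb'
$Rdb        = 'recoverydatabase'
$Mailbox    = 'don hall'

function Get-EseState {
    # Reads the "State:" line from the eseutil /mh header dump.
    param([string]$Path)
    $header = & eseutil.exe /mh $Path
    $line = $header | Select-String -Pattern '^\s*State:\s*(.+)$' | Select-Object -First 1
    if (-not $line) { throw "eseutil did not report a database state for $Path (exit code $LASTEXITCODE)" }
    return $line.Matches[0].Groups[1].Value.Trim()
}

# 1. Bring the restored database to Clean Shutdown by replaying its own logs.
if ((Get-EseState -Path $Edb) -ne 'Clean Shutdown') {
    Push-Location $RestoreDir
    try     { & eseutil.exe /R E00 /l .\ /d .\ }
    finally { Pop-Location }
    if ((Get-EseState -Path $Edb) -ne 'Clean Shutdown') {
        # Do not reach for eseutil /p (hard repair) here: it discards pages it cannot
        # recover. Locate the missing log files in the backup instead.
        throw 'Soft recovery did not reach Clean Shutdown; the log set in C:\b is incomplete'
    }
}

# 2. Create and mount the recovery database around the restored files.
if (-not (Get-MailboxDatabase -Identity $Rdb -ErrorAction SilentlyContinue)) {
    New-MailboxDatabase -Server dc -Name $Rdb -Recovery -EdbFilePath $Edb -LogFolderPath $RestoreDir | Out-Null
}
Mount-Database -Identity $Rdb

# 3. Look before you restore: which mailboxes does the restored database actually hold?
Get-MailboxStatistics -Database $Rdb | Select-Object DisplayName, ItemCount, TotalItemSize, LastLogonTime

# 4. Restore only the Deleted Items folder into the live mailbox and wait for completion.
$req = New-MailboxRestoreRequest -SourceDatabase $Rdb -SourceStoreMailbox $Mailbox `
           -TargetMailbox $Mailbox -IncludeFolders '#DeletedItems#' -Name 'donhall-deleteditems'
do {
    Start-Sleep -Seconds 10
    $stat = Get-MailboxRestoreRequestStatistics -Identity $req.Identity
} while ($stat.Status -in 'Queued', 'InProgress')
$stat | Select-Object Status, PercentComplete, ItemsTransferred, Report

# 5. Clean up: a mounted recovery database is a second copy of everybody's mail, so
# dismount and remove it as soon as the data has been recovered.
Get-MailboxRestoreRequest -TargetMailbox $Mailbox | Where-Object Status -eq 'Completed' | Remove-MailboxRestoreRequest -Confirm:$false
Dismount-Database -Identity $Rdb -Confirm:$false
Remove-MailboxDatabase -Identity $Rdb -Confirm:$false   # the .edb and logs in C:\b stay on disk
```

Step 3 is the one people skip: listing the mailboxes in the recovery database before issuing a restore request confirms that the backup you mounted is the one you think it is, and the final step makes sure the recovery database does not linger as a mountable, unmonitored copy of the whole mail store.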

Exchange Server 2013 backup

Posted: September 8, 2015 in Exchange

In this post we back up Exchange Server with Windows Server Backup, first from the GUI and then with wbadmin from PowerShell and a batch script. The requirements:

-The backup should be written to a remote share

-A full backup should be performed

-The backup should run locally on the Exchange server

-If we choose a VSS full backup, Exchange truncates the committed transaction logs after the backup completes; a VSS copy backup leaves them in place

Checking if Windows Server Backup is installed:

PS C:\Users\Administrator> Get-WindowsFeature -Name *backup*

Display Name                 Name                      Install State
------------                 ----                      -------------
[ ] Windows Server Backup    Windows-Server-Backup     Available

Install it:

PS C:\Users\Administrator>Install-WindowsFeature windows-server-backup

Run the GUI (Windows Server Backup).

We can perform a one-time or a scheduled backup; in this example I used a scheduled backup.

Select Custom (we will back up only the Exchange data).

I chose to back up the Logging and the database folders.

If you want the transaction logs truncated, open Advanced settings and choose VSS full backup; otherwise leave VSS copy backup.

Set the time at which the backup should run.

Set the backup destination.

Because we selected VSS full backup, the committed log files were truncated (deleted) once the backup completed.

Check backup status:

[PS] C:\Windows\system32>Get-MailboxDatabase -Status | select name,LastFullBackup

Name                       LastFullBackup
----                       --------------
bigfirm_db01,on:bigfirm    07.09.2015. 21:57:56

PowerShell alternative:

Instead of the GUI we can use the wbadmin utility from a scheduled task that runs at a predefined time:

PS C:\Users\Administrator> wbadmin start backup -backuptarget:\\192.168.0.41\backup -user:gordon -password:1234 "-include:C:\Program Files\Microsoft\Exchange Server\V15\Logging,C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\bigfirm_db01*" -vssfull -quiet > C:\Backup.txt

The output is redirected to C:\Backup.txt, which is written when the backup finishes. Note that -user and -password put the share credentials on the command line, where they show up in the process list, in the scheduled task definition and in any log that records the command; prefer running the task as an account that already has write access to the share and omit both switches.

CMD Batch:

C:\Users\Administrator> wbadmin start backup -backuptarget:\\192.168.0.41\backup -user:gordon -password:1234 -include:"C:\Program Files\Microsoft\Exchange Server\V15\Logging,C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\bigfirm_db01*" -vssfull -quiet > C:\Backup.txt
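The scheduled-task version of the same backup, written so that no share credentials appear on the command line, followed by a check that Exchange recorded the backup and truncated the logs. This is an added example, not code from the original post. Assumptions (mine): the task runs as SYSTEM, so the Exchange server's computer account must have write access to \\192.168.0.41\backup; the task name and the 21:00 start time are invented; the verification function runs in the Exchange Management Shell. The database name, paths and wbadmin switches are the post's.

```powershell
# Added example, not code from the original post: schedule the wbadmin full backup as
# SYSTEM (share access via the computer account, no -user/-password) and verify it.
# Assumptions: task name and time are made up; run the check from the Exchange shell.
$Target   = '\\192.168.0.41\backup'
$Include  = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging,C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\bigfirm_db01*'
$Database = 'bigfirm_db01,on:bigfirm'

function Register-ExchangeBackupTask {
    param([string]$TaskName = 'Exchange full backup', [string]$At = '21:00')
    # -vssfull is what makes Exchange truncate committed logs after a successful backup.
    $wbArgs    = "start backup -backuptarget:$Target `"-include:$Include`" -vssfull -quiet"
    $action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' -Argument $wbArgs
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

function Test-ExchangeBackup {
    # One object per database: when it was last fully backed up, whether that is older
    # than the allowed window, and how many log files are still sitting on disk.
    param([string]$Identity, [int]$MaxAgeHours = 24)
    foreach ($db in Get-MailboxDatabase -Identity $Identity -Status) {
        $logs  = Get-ChildItem -Path $db.LogFolderPath.PathName -Filter "$($db.LogFilePrefix)*.log" -ErrorAction SilentlyContinue
        $stale = (-not $db.LastFullBackup) -or (((Get-Date) - $db.LastFullBackup).TotalHours -gt $MaxAgeHours)
        [pscustomobject]@{
            Database         = $db.Name
            LastFullBackup   = $db.LastFullBackup
            BackupInProgress = $db.BackupInProgress
            Stale            = $stale
            LogFilesOnDisk   = @($logs).Count
            LogFolder        = $db.LogFolderPath.PathName
        }
    }
}

Register-ExchangeBackupTask
Test-ExchangeBackup -Identity $Database | Format-Table -AutoSize
```

A log folder that keeps growing after a "successful" run is the usual sign that the task silently fell back to a copy backup or that VSS failed, so the LogFilesOnDisk count is worth alerting on alongside LastFullBackup.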

Message Classifications let users tag a message, for example as confidential. Exchange Server and Outlook treat such messages specially: a classified message carries metadata describing its intended use or audience. A classification is a label, not a control: on its own it neither encrypts nor restricts the message, but it can be used as a condition in transport rules.

Classifications can be created only through the EMS:

[PS] C:\Windows\system32>New-MessageClassification -Name "my classification" -DisplayName "MC" -RecipientDescription "This message may contain confidential information" -SenderDescription "Handle with care"

-RecipientDescription specifies text visible on recipient side

-SenderDescription text visible on sender side

After they are created, the classifications must be exported to an XML file. The Scripts folder in the Exchange install directory contains Export-OutlookClassification.ps1, which does this:

[PS] C:\>cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"
[PS] C:\Program Files\Microsoft\Exchange Server\V15\Scripts>.\Export-OutlookClassification.ps1 > C:\1.xml

The XML file has to be copied to every workstation, and Outlook is pointed at it through registry keys.

I am surprised Microsoft didn't find a more elegant way of importing classifications.

; Office 2007
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Policy]
"AdminClassificationPath"="C:\\Users\\Public\\MessageClassifications.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001

; Office 2010
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Policy]
"AdminClassificationPath"="C:\\Users\\Public\\MessageClassifications.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001

; Office 2013
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Policy]
"AdminClassificationPath"="C:\\Users\\Public\\MessageClassifications.xml"
"EnableClassifications"=dword:00000001
"TrustClassifications"=dword:00000001

AdminClassificationPath specifies the full path and file name of the exported XML

EnableClassifications enables (1) or disables (0) classifications

TrustClassifications controls whether Outlook trusts classifications on messages that come from users on legacy Exchange Mailbox servers (1) or not (0)

If you must deploy the classifications to many computers (Outlook 2013), here is a small batch script that can be pushed via GPO or with PsExec. It assumes the exported file has been copied to C:\1.xml on each workstation. reg.exe stores the /d value literally, so the path is written with single backslashes here; the doubled backslashes above are .reg file syntax only.

REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Policy /f /v AdminClassificationPath /t REG_SZ /d C:\1.xml
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Policy /f /v EnableClassifications /t REG_DWORD /d 1
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Common\Policy /f /v TrustClassifications /t REG_DWORD /d 1

Restart Outlook, compose a new message and open Options, Permission (click the small triangle) to choose a classification.

On the sender's side the sender description ("Handle with care") is shown above the message; on the receiver's side the recipient description is shown instead.
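A PowerShell equivalent of the REG ADD batch that validates the file before enabling it, covers the three Office versions listed above and reads the result back. This is an added example, not code from the original post. Assumptions (mine): the XML exported on the server has been copied to C:\ProgramData\MessageClassifications.xml on the workstation (a path ordinary users cannot overwrite, so a user cannot substitute their own classification set), and the script runs in the user's own session (HKCU), for example as a GPO logon script.

```powershell
# Added example, not code from the original post: deploy the exported classification XML
# and enable it for Office 2007/2010/2013. Assumptions: the XML lives in a path users
# cannot modify (C:\ProgramData, my choice) and the script runs in the user's session.
$XmlPath  = 'C:\ProgramData\MessageClassifications.xml'
$Versions = '12.0', '14.0', '15.0'     # Office 2007, 2010, 2013

function Install-MessageClassification {
    param([string]$Path, [string[]]$OfficeVersions)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Classification file not found: $Path" }
    # Fail early if the file is not well-formed XML instead of leaving Outlook with a
    # silently broken classification set.
    try   { $null = [xml](Get-Content -LiteralPath $Path -Raw) }
    catch { throw "$Path is not valid XML: $($_.Exception.Message)" }

    foreach ($v in $OfficeVersions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Common\Policy"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name AdminClassificationPath -Value $Path -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $key -Name EnableClassifications   -Value 1     -PropertyType DWord  -Force | Out-Null
        New-ItemProperty -Path $key -Name TrustClassifications    -Value 1     -PropertyType DWord  -Force | Out-Null
    }
}

function Get-MessageClassificationState {
    # Reads back what Outlook will see, one row per Office version.
    param([string[]]$OfficeVersions)
    foreach ($v in $OfficeVersions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Common\Policy"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            OfficeVersion = $v
            Enabled       = ($p.EnableClassifications -eq 1)
            Trusted       = ($p.TrustClassifications -eq 1)
            XmlPath       = $p.AdminClassificationPath
            XmlPresent    = [bool]($p.AdminClassificationPath -and (Test-Path -LiteralPath $p.AdminClassificationPath))
        }
    }
}

Install-MessageClassification -Path $XmlPath -OfficeVersions $Versions
Get-MessageClassificationState -OfficeVersions $Versions | Format-Table -AutoSize
```

Keeping the XML under a directory that only administrators can write to matters because Outlook trusts whatever file AdminClassificationPath points at; a user-writable path would let a user rename or invent classifications that downstream transport rules key on.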

Data Loss Prevention (DLP) policies let you define policies and rules for the organization to better protect information that is usually sent by email, such as financial and personal data. A DLP policy is a set of conditions, actions and exceptions that Exchange implements as transport rules.

In this example we create a policy that, whenever someone in the organization sends a mail with the word "salary" in the subject or body, sends a report to the administrator.

From ECP click compliance management, then data loss prevention, click the triangle next to + and choose New custom DLP policy.

Select the policy and edit it (pencil icon).

Click rules, click the triangle again and select Notify sender when sensitive information is sent outside the organization.

Select "the sender is this person" (track messages sent by a specific person, don hall).

Select the desired user, click add and click OK again.

We now need to add a second condition: track a specific word in the subject or body (salary).

Then define what to do when the conditions are met: add the action "notify administrator".

In the first "select one" choose administrator, and in the second "select one" choose "Include original mail".

When we click save, a transport rule is created automatically (mail flow, rules).

Testing and verification:

From don.hall I sent an email to my Hotmail account with the subject "salary", and the administrator received the incident report with the original message attached.
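The same DLP policy and rule built from the Exchange Management Shell instead of the ECP wizard, plus a function that reads back what was created so it can be compared with what was intended. This is an added example, not code from the original post. Assumptions (mine): the policy and rule names, the sender address don.hall@ja.com and the report recipient administrator@ja.com are invented; the keyword "salary", the sender don hall and the "outside the organization" condition come from the post. -IncidentReportOriginalMail is the Exchange 2013 parameter; newer builds replace it with -IncidentReportContent.

```powershell
# Added example, not code from the original post: DLP policy + transport rule from EMS.
# Assumptions: names and addresses are made up; -IncidentReportOriginalMail is the
# Exchange 2013 parameter (newer builds use -IncidentReportContent).
$PolicyName = 'salary watch'
$RuleName   = 'salary: report to administrator'

if (-not (Get-DlpPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    # Enforce applies the actions; AuditAndNotify only logs and notifies, which is the
    # safer mode while a new rule is being tuned against real traffic.
    New-DlpPolicy -Name $PolicyName -Mode Enforce | Out-Null
}

if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName -DlpPolicy $PolicyName `
        -From 'don.hall@ja.com' `
        -SubjectOrBodyContainsWords 'salary' `
        -SentToScope NotInOrganization `
        -GenerateIncidentReport 'administrator@ja.com' `
        -IncidentReportOriginalMail IncludeOriginalMail | Out-Null
}

function Get-DlpRuleSummary {
    # One row per transport rule attached to the policy, whether created here or by ECP.
    param([string]$Policy)
    Get-TransportRule | Where-Object { $_.DlpPolicy -eq $Policy } | ForEach-Object {
        [pscustomobject]@{
            Rule         = $_.Name
            State        = $_.State
            Mode         = $_.Mode
            From         = ($_.From -join ',')
            Keywords     = ($_.SubjectOrBodyContainsWords -join ',')
            OutsideOnly  = ($_.SentToScope -eq 'NotInOrganization')
            ReportTo     = $_.GenerateIncidentReport
            OriginalMail = $_.IncidentReportOriginalMail
        }
    }
}

Get-DlpRuleSummary -Policy $PolicyName | Format-Table -AutoSize
```

Reading the rule back is the check a practitioner wants because the ECP template used above adds the "sent outside the organization" scope silently; if that scope is present, an internal mail with "salary" in the subject will never generate a report, which is either what you want or a gap, but it should be a conscious choice.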

Retention Policies in Exchange 2013

Posted: September 2, 2015 in Exchange

A retention policy is a collection of retention tags that is applied to a mailbox to enforce message retention settings. A mailbox cannot have more than one retention policy.

Personal tags can be applied by users to folders they create themselves or to individual items. They are a premium Exchange feature and require an Exchange Enterprise client access license (CAL).

A retention policy tag (RPT) applies retention settings to the default folders (Inbox, Deleted Items, Sent Items and so on) of a mailbox; all items in these default folders inherit the folder's policy tag.

More about tags: https://technet.microsoft.com/en-us/library/dd297955(v=exchg.150).aspx

To create a policy, the retention tags must be created first (they define the action we want performed).

In this example I create 2 retention tags: one will move messages to the archive after 30 days and the other will permanently delete items in Deleted Items after 5 days:

[PS] C:\Windows\system32>New-RetentionPolicyTag "delete after 5 days" -Type deleteditems -RetentionEnabled $true -AgeLimitForRetention 5 -RetentionAction permanentlydelete
[PS] C:\Windows\system32>New-RetentionPolicyTag "archive" -RetentionEnabled $true -AgeLimitForRetention 30 -RetentionAction movetoarchive -Type personal

-Type deleteditems applies the tag to the Deleted Items folder

-Type personal creates a personal tag, which the user can apply to any custom folder or individual item

-RetentionEnabled $true enables the tag

-AgeLimitForRetention the retention period in days

-RetentionAction what happens when the age limit is reached; permanentlydelete bypasses the Recoverable Items folder, so such items cannot be recovered by the user afterwards

Tags can also be created from the GUI, using the Exchange control panel: compliance management, retention tags, "+" sign.

We can add these tags to the default retention policy (Default MRM Policy) or create a new one.

I created a new policy (delete & archive) and added the two tags:

[PS] C:\Windows\system32>New-RetentionPolicy "delete & archive" -RetentionPolicyTagLinks "delete after 5 days","archive"

Using ECP: compliance management, retention policies, "+" sign, then add the previously created tags.

Check that we did it right:

[PS] C:\Windows\system32>(Get-RetentionPolicy "delete & archive").RetentionPolicyTagLinks | Format-Table name

We can assign the policy to individual mailboxes:

[PS] C:\Windows\system32>Set-Mailbox "don hall" -RetentionPolicy "delete & archive"

or to all mailboxes (Get-Mailbox returns only the first 1000 mailboxes unless -ResultSize Unlimited is given):

[PS] C:\Windows\system32>Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "delete & archive"

The policy does not take effect until the Managed Folder Assistant processes the mailbox (it processes retention policies for managed folders and applies retention policy tags to items in mailboxes). To apply the policy immediately, start it by hand.

Start the assistant for a specific mailbox:

[PS] C:\Windows\system32>Start-ManagedFolderAssistant -Identity "don hall"

or for all mailboxes:

[PS] C:\Windows\system32>Get-Mailbox -ResultSize Unlimited | Start-ManagedFolderAssistant

From Outlook Web Access, select a folder and assign a policy tag (for Deleted Items it is set by default).

Or in Outlook, right-click the folder, Properties, Policy to see which policy tags are applied.
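After assigning the policy and starting the assistant, the question a practitioner wants answered is "which mailboxes still do not have the policy, and has the assistant actually run on them?". This added example (not code from the original post) answers both per mailbox. Assumptions (mine): the policy name is the post's; ElcLastSuccessTimestamp is the property Exchange writes into the mailbox diagnostic log when the assistant finishes, read here with a regex because the XML layout of that log differs between builds; the 24-hour staleness window is my choice.

```powershell
# Added example, not code from the original post: per-mailbox retention policy and
# Managed Folder Assistant status. Assumptions: policy name from the post; the
# ElcLastSuccessTimestamp property is parsed from Export-MailboxDiagnosticLogs output.
$PolicyName = 'delete & archive'

function Get-RetentionStatus {
    param([string]$ExpectedPolicy, [int]$MaxAgeHours = 24)
    $tags = (Get-RetentionPolicy -Identity $ExpectedPolicy).RetentionPolicyTagLinks | ForEach-Object { $_.Name }
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $lastRun = $null
        try {
            $log = Export-MailboxDiagnosticLogs -Identity $mbx.Identity -ExtendedProperties
            if ($log.MailboxLog -match 'ElcLastSuccessTimestamp[^<]*</Name>\s*<Value>([^<]+)</Value>') {
                $lastRun = [datetime]$Matches[1]
            }
        } catch { }   # mailbox never processed, or diagnostics unavailable: reported as stale
        $policy = if ($mbx.RetentionPolicy) { $mbx.RetentionPolicy.Name } else { '(none)' }
        [pscustomobject]@{
            Mailbox        = $mbx.Name
            Policy         = $policy
            ExpectedPolicy = ($policy -eq $ExpectedPolicy)
            PolicyTags     = ($tags -join ',')
            MfaLastSuccess = $lastRun
            MfaStale       = (-not $lastRun) -or (((Get-Date) - $lastRun).TotalHours -gt $MaxAgeHours)
        }
    }
}

# Mailboxes that are missing the policy or that the assistant has not processed recently
Get-RetentionStatus -ExpectedPolicy $PolicyName |
    Where-Object { -not $_.ExpectedPolicy -or $_.MfaStale } |
    Format-Table Mailbox, Policy, MfaLastSuccess, MfaStale -AutoSize
```

An empty result means every mailbox carries the policy and has been processed within the window; a mailbox with the right policy but a stale timestamp is the case where Set-Mailbox succeeded but nothing has actually been deleted or archived yet.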

Role Based Access Control (RBAC) was introduced in Exchange 2010 to give granular control over what an Exchange administrator is allowed to do. RBAC consists of four building blocks which together form the permission model that determines the level of access to Exchange features:

Management role scope: "where" the permission applies (OU, user, group, server, database)

Management role: "what" actions (cmdlets and their parameters, expressed as management role entries) the role allows

Management role group: "who" can execute the cmdlets listed in the role's management role entries

Management role assignment: binds a role (together with its scope) to a role group, assignment policy, user or security group

In this example I remove the administrator's right to create a new mailbox database.

First we need to identify the existing management role that contains the New-MailboxDatabase cmdlet:

[PS] C:\Users\administrator.JA\Desktop>get-managementrole "databases" | fl description

To make sure, review the cmdlets covered by the "Databases" management role:

[PS] C:\Users\administrator.JA\Desktop>get-managementroleentry "databases\*" | fl

In case you wonder why I used "databases\*" rather than "databases*": the identity of a role entry is always written as role\cmdlet, so "databases\*" lists every entry of the Databases role, while "databases*" is not a valid role entry identity.

We will use the "Databases" role as the parent of our own role, named "prohibit database creation" (the "what": the cmdlets that are allowed to run). A child role starts with a copy of its parent's entries and can only have entries removed; it can never be given a cmdlet the parent does not have:

[PS] C:\Users\administrator.JA\Desktop>New-ManagementRole "prohibit database creation" -Parent "databases"

To make sure it contains the needed cmdlets, list its entries the same way as for the Databases role above.

Because we want to take away New-MailboxDatabase, we remove that entry from the newly created role:

[PS] C:\Users\administrator.JA\Desktop>remove-ManagementRoleEntry "prohibit database creation\new-mailboxdatabase" -Confirm:$false

Check again that New-MailboxDatabase is gone from the "prohibit database creation" role:

[PS] C:\Users\administrator.JA\Desktop>Get-ManagementRoleEntry "prohibit database creation\*" | ft

I created an OU for the admins who will get the cmdlets of the "prohibit database creation" role, and created an administrator named test and put him in that OU:

C:\Documents and Settings\Administrator>dsadd ou "ou=fake exchange admins,dc=ja,dc=com"

Now we create the role group (the "who" that may run the cmdlets of the "prohibit database creation" role) and set its recipient write scope to the OU "fake exchange admins":

[PS] C:\Users\administrator.JA\Desktop>new-rolegroup "no database creation allowed" -Roles "prohibit database creation" -RecipientOrganizationalUnitScope "ja.com/fake exchange admins"
[PS] C:\Users\administrator.JA\Desktop>add-rolegroupmember "no database creation allowed" -member test

The new role group "no database creation allowed" was created with our role assigned, and its recipient scope is limited to the OU "fake exchange admins". Note what the scope means: it restricts which recipient objects the members may modify (only those in that OU), not who may be a member of the group.

A role group can also be created using the ECP: Permissions, Admin roles, "+" sign.

Now I logged on as the admin test and tried to run New-MailboxDatabase; the cmdlet is not available in that session. RBAC is additive, so this only holds as long as test is not also a member of another role group (Organization Management, for example) or the target of another assignment that still carries the cmdlet.
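Because RBAC is additive, trimming one role proves nothing until you look at every path by which a user could still reach the cmdlet. This added example (not code from the original post) lists everyone who can still run New-MailboxDatabase, through which role and role group, and checks a named user against that list; it also dumps every assignment behind that user. Assumptions (mine): the cmdlet and the user name test are the post's; EffectiveUserName is compared with the user's name as Exchange reports it, and the output shape is my choice.

```powershell
# Added example, not code from the original post: who can still run a cmdlet after a
# role has been trimmed. Assumptions: user "test" and New-MailboxDatabase from the post.
function Get-CmdletEffectiveUsers {
    # Every enabled assignment of every role that still contains the cmdlet, expanded to users.
    param([string]$Cmdlet = 'New-MailboxDatabase')
    foreach ($role in Get-ManagementRole -Cmdlet $Cmdlet) {
        Get-ManagementRoleAssignment -Role $role.Name -Enabled $true -GetEffectiveUsers |
            ForEach-Object {
                [pscustomobject]@{
                    User         = $_.EffectiveUserName
                    Role         = $_.Role.Name
                    AssignedVia  = $_.RoleAssigneeName
                    AssigneeType = $_.RoleAssigneeType
                    WriteScope   = $_.RecipientWriteScope
                }
            }
    }
}

function Test-UserCannotRun {
    # $true when no enabled assignment gives the user the cmdlet; otherwise shows the paths.
    param([string]$User, [string]$Cmdlet = 'New-MailboxDatabase')
    $hits = @(Get-CmdletEffectiveUsers -Cmdlet $Cmdlet | Where-Object { $_.User -eq $User })
    if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize | Out-String | Write-Host }
    return ($hits.Count -eq 0)
}

# Every role behind the user, whether or not it contains the cmdlet
Get-ManagementRoleAssignment -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -eq 'test' } |
    Format-Table Role, RoleAssigneeName, RoleAssigneeType, RecipientWriteScope -AutoSize

Test-UserCannotRun -User 'test'
```

Run this after every change to role membership, not only once: adding test to a second role group later would silently reintroduce the cmdlet, and the first function is also the quickest way to see which role group an unexpected administrator obtained it from.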

A database availability group (DAG) is the high availability and data recovery feature of Exchange Server, introduced with Exchange 2010. Each DAG member can host a copy of any mailbox database from any other server in the DAG, and the DAG provides automatic recovery from database, disk, server and network failures.

In this example I created a DAG with two members (m1 and m2).

It is advisable (but not necessary) to have a separate DAG subnet for replication; in this example the subnet 10.10.10.0 was used as the replication network. If a replication network is configured, its adapter must be excluded from DNS registration: the check box Register this connection's addresses in DNS has to be unchecked.

192.168.0.0 is the LAN (MAPI) network to which the client computers are connected.

Prestaging CNO in Active Directory

One of the first steps in DAG configuration is to pre-stage the Cluster Name Object (CNO) in Active Directory. The CNO is a computer object in AD that gives the DAG and the underlying cluster an identity.

On a domain controller, create a new computer object and grant Full Control on it to Exchange Trusted Subsystem and to the first DAG member (m1).

Exchange Trusted Subsystem is a highly privileged group that has read/write access to every Exchange-related object in all Exchange-prepared domains in the forest, so changes to its membership or to what it is granted should be treated with the same care as changes to Domain Admins.

Enable Advanced Features in Active Directory Users and Computers (this is necessary to show the Security tab of the newly created object).

On the Security tab, add Exchange Trusted Subsystem and m1 (tick Computers under Object types) and give both Full Control.

Finally, disable the DAG computer account; it is enabled automatically when the first member is added and the cluster is formed.

Configuring witness server (quorum.ja.com)

The witness server hosts a shared folder for the DAG that is used to maintain quorum (the configuration of a failover cluster that determines how many failures the cluster can sustain while remaining online).

More about quorum: http://blogs.msdn.com/b/clustering/archive/2011/05/27/10169261.aspx

The witness is only counted when the DAG has an even number of nodes. A domain controller can be used as witness server but it is not recommended: the next step puts Exchange Trusted Subsystem into the local Administrators group of the witness, and on a domain controller that group is the domain's Administrators group. A DAG member cannot be the witness server. A DAG must have quorum to mount databases; if quorum is lost, the mailbox databases are dismounted. Each DAG member has a vote, and the number of votes needed to keep the cluster online is (number of voters / 2) + 1, rounded down. In our case, with 2 nodes and the witness as the third voter, we need 2 votes. Normally the two DAG members provide them and the witness is not consulted, but if one node goes down the remaining member uses the witness share to keep quorum (the witness contributes its vote). If the witness is then restarted while the other node is still down, quorum is lost and the databases dismount until the failed DAG member comes back online.

We must add Exchange Trusted Subsystem to the local Administrators group on the witness server. In this example quorum.ja.com is the witness server. In the Run box type lusrmgr.msc and add Exchange Trusted Subsystem to the local Administrators group.

On the witness server, open the ports for File and Printer Sharing, port 135 (RPC endpoint mapper) and the RemoteAdmin service:

netsh firewall set service RemoteAdmin enable
netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135

The netsh firewall context is deprecated; on Windows Server 2012 and later it still works but the equivalent netsh advfirewall firewall commands are preferred.

Creating DAG

Using ECP:

Click Servers, Database Availability Groups, and the (+) sign.

Enter the DAG name, the witness server, the path to the shared folder on the witness server (you do not need to create that folder manually; it is created automatically) and the DAG IP address (an address from the LAN/MAPI network).

Using PowerShell:

[PS] C:\Users\administrator.JA\Desktop>New-DatabaseAvailabilityGroup -Name dag -WitnessServer quorum.ja.com -WitnessDirectory c:\DAG -DatabaseAvailabilityGroupIpAddresses 192.168.0.60

Note! If you get the error "The Exchange Trusted Subsystem is not a member of the local Administrators group on specified witness server <ServerName>." although you did add Exchange Trusted Subsystem to the local Administrators group, the warning can be ignored; see https://support.microsoft.com/en-us/kb/2644540

On the witness server the shared DAG folder is created automatically, and the CNO object dag we created earlier gets full share permissions. That is why Exchange Trusted Subsystem had to be in the local Administrators group on the witness server: it creates the share on Exchange's behalf.

Adding DAG members

We now need to add m1 and m2 as DAG members.

Using ECP:

Click the marked icon (the cog with a server symbol), then click + and add the DAG members.

PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Add-DatabaseAvailabilityGroupServer -Identity dag -MailboxServer m1
[PS] C:\Users\administrator.JA\Desktop>Add-DatabaseAvailabilityGroupServer -Identity dag -MailboxServer m2

On both DAG members (m1 and m2) the Failover Clustering feature is installed automatically and the cluster is formed with the Node and File Share Majority quorum model.

Configuring Database Copies

During the Exchange install the mailbox database "Mailbox Database 0677329633" was created on m1. We want to replicate it to the DAG member m2, which hosts no databases yet.

Using ECP:

Click servers, databases, select the database we want to replicate and then click the "three dots".

Click Add database copy.

Type the database name, click browse and select the server to which you want to replicate the database (m2). The activation preference number (during database activation, when multiple database copies satisfy the criteria for activation, the activation preference number decides which copy is activated) is automatically set to the next available number, 2 (m1 already hosts the database with preference number 1).

PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Add-MailboxDatabaseCopy -Identity "Mailbox Database 0677329633" -MailboxServer m2 -ActivationPreference 2

On m2 the database folder is created automatically.

In the Exchange Control Panel we can see that the database is now hosted on both servers, or with PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Get-MailboxDatabaseCopyStatus -Identity "Mailbox Database 0677329633" | ft

Moving Database Copy between DAG members

In this example we move the active copy of "Mailbox Database 0677329633" from m1 to m2. This is a planned switchover (as opposed to a failover, which Exchange performs on its own after a failure).

Using ECP:

On m1 select the database and click Activate.

PowerShell:

[PS] C:\Users\administrator.JA\Desktop>Move-ActiveMailboxDatabase "Mailbox Database 0677329633" -ActivateOnServer m2 -MountDialOverride:None -Confirm:$false

-MountDialOverride:None: m2 mounts the database using its own auto database mount dial setting.
-MountDialOverride:GoodAvailability: the database mounts automatically after a failover if the copy queue length is 6 or less. The copy queue length is the number of log files the passive copy knows about but has not yet copied. If the copy queue length is more than 6 the database does not mount automatically; when it is 6 or less, Exchange copies the remaining logs to the passive copy and mounts the database.
-MountDialOverride:BestAvailability: the database mounts automatically after a failover if the copy queue length is 12 or less.
-MountDialOverride:Lossless: the database does not mount until all logs generated on the active copy have been copied to the passive copy.

The difference between the settings is how many not-yet-replicated log files (and so how much recent mail) you are willing to lose to get the database back online sooner; Lossless trades availability for zero loss.
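A health check to run before a planned switchover, covering the three things that decide whether the move succeeds without data loss: the copy status and queue lengths of each copy (mapped to the MountDialOverride thresholds listed above), replication health on each member, and the witness state. This is an added example, not code from the original post. Assumptions (mine): the DAG and database names are the post's; the mapping of copy queue length to dial settings is mine and uses the thresholds given above (0, 6 and 12).

```powershell
# Added example, not code from the original post: pre-switchover DAG health check.
# Assumptions: DAG "dag" and database name from the post; threshold mapping is mine.
$DagName  = 'dag'
$Database = 'Mailbox Database 0677329633'

function Get-DagCopyHealth {
    # One row per database copy; MountsUnder lists the dial settings whose copy-queue
    # limit the copy currently satisfies (empty = would not mount on failover).
    param([string]$Identity)
    foreach ($c in Get-MailboxDatabaseCopyStatus -Identity $Identity) {
        $q = [int]$c.CopyQueueLength
        $dials = @()
        if ($q -eq 0)  { $dials += 'Lossless' }
        if ($q -le 6)  { $dials += 'GoodAvailability' }
        if ($q -le 12) { $dials += 'BestAvailability' }
        [pscustomobject]@{
            Copy         = $c.Name
            Status       = $c.Status
            Active       = $c.ActiveCopy
            Preference   = $c.ActivationPreference
            CopyQueue    = $q
            ReplayQueue  = $c.ReplayQueueLength
            ContentIndex = $c.ContentIndexState
            MountsUnder  = ($dials -join ',')
        }
    }
}

function Get-DagReplicationProblems {
    # Failed or warning checks from Test-ReplicationHealth on every DAG member.
    param([string]$Dag)
    foreach ($s in (Get-DatabaseAvailabilityGroup -Identity $Dag).Servers) {
        Test-ReplicationHealth -Identity $s.Name |
            Where-Object { $_.Result -ne 'Passed' } |
            Select-Object Server, Check, Result, Error
    }
}

function Get-DagWitnessState {
    # Whether the witness share is actually in use and which member is the primary
    # active manager; a 2-node DAG with a broken witness loses quorum on the next failure.
    param([string]$Dag)
    Get-DatabaseAvailabilityGroup -Identity $Dag -Status |
        Select-Object Name, WitnessServer, WitnessDirectory, WitnessShareInUse, PrimaryActiveManager, Servers
}

Get-DagCopyHealth -Identity $Database | Format-Table -AutoSize
Get-DagReplicationProblems -Dag $DagName | Format-Table -AutoSize
Get-DagWitnessState -Dag $DagName | Format-List
```

If the passive copy on m2 shows an empty MountsUnder column or a Status other than Healthy, the Move-ActiveMailboxDatabase above will either refuse to activate it or activate it with data loss, depending on the dial setting; fix replication first rather than lowering the dial.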

Conclusion

DAGs only provide high availability for mailbox databases, not for the other Exchange Server roles (Client Access still needs load balancing). This example is a single data center DAG; a DAG can also be stretched across data centers for site resilience, but that needs additional design (witness placement, Datacenter Activation Coordination mode and network latency limits) that is not covered here.