Converting a Mailbox to a MailUser (and preserving your custom attributes)

It’s not often that you’ll need to convert a mailbox to a mail-user, but when you do, you’ll soon realize the steps go like this:

1. Mail-Disable the user (delete the mailbox)
2. Mail-Enable the user

So what’s the problem?  The problem is twofold:

  • First, you’ll want to automate this, and there is no “convert” button or command.  You’ll need to use PowerShell if converting multiple users.
  • Second, and perhaps more importantly, all the Exchange attributes are nullified when you delete the mailbox.  This includes CustomAttribute1-15

As the screenshot showed, you are not able to pipe mailboxes to Enable-MailUser (as you are able to do in reverse).
I’ve written a script to solve these problems.  Before you run with it, you do need to make one decision:

What do you want the mail-user’s external email address to be?

The below script takes the user’s mailbox alias and then appends @domain.com.  You may wish to modify this with whatever their new external address has become.

You’ll also notice I’m using a static domain controller for all configurations.  I have found in my testing, that if you do not pick the same DC for all operations, the script could out-run replication.

# Pick one DC and use it for every call so the script does not out-run replication
$DomainController = (Get-ADServerSettings).DefaultConfigurationDomainController.domain

$MailboxList = Get-Mailbox

foreach ($Mailbox in $MailboxList) {
    # Mail-disable (deletes the mailbox), then mail-enable with the new external address
    Disable-Mailbox -Id $Mailbox.Identity -Confirm:$False -DomainController $DomainController
    Enable-MailUser -Id $Mailbox.Identity -ExternalEmailAddress ($Mailbox.Alias + "@domain.com") -DomainController $DomainController
    # Re-apply the custom attributes captured from the mailbox object before it was removed
    Set-MailUser -Id $Mailbox.Identity `
        -DomainController $DomainController `
        -CustomAttribute1 $Mailbox.CustomAttribute1 `
        -CustomAttribute2 $Mailbox.CustomAttribute2 `
        -CustomAttribute3 $Mailbox.CustomAttribute3 `
        -CustomAttribute4 $Mailbox.CustomAttribute4 `
        -CustomAttribute5 $Mailbox.CustomAttribute5 `
        -CustomAttribute6 $Mailbox.CustomAttribute6 `
        -CustomAttribute7 $Mailbox.CustomAttribute7 `
        -CustomAttribute8 $Mailbox.CustomAttribute8 `
        -CustomAttribute9 $Mailbox.CustomAttribute9 `
        -CustomAttribute10 $Mailbox.CustomAttribute10 `
        -CustomAttribute11 $Mailbox.CustomAttribute11 `
        -CustomAttribute12 $Mailbox.CustomAttribute12 `
        -CustomAttribute13 $Mailbox.CustomAttribute13 `
        -CustomAttribute14 $Mailbox.CustomAttribute14 `
        -CustomAttribute15 $Mailbox.CustomAttribute15
}

(add more attributes if necessary, but remember that since you aren’t deleting the Active Directory object itself, most attributes remain…)
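The same conversion, written as an added example rather than the script above: it converts only the mailboxes named in a text file (instead of every mailbox Get-Mailbox returns), writes a CSV backup of CustomAttribute1-15 before the mailbox is deleted, splats the populated values back onto the new mail-user, and reads the object back from the same DC to confirm nothing was dropped. The input file, backup path, domain controller name and external domain are placeholders to change for your environment.

```powershell
# Added example (not the original post's script). Converts a named set of mailboxes
# to mail-users while preserving CustomAttribute1-15, with a backup and a check.
# Assumptions: Exchange 2010 Management Shell; the paths, DC and domain below are placeholders.
$InputFile        = 'C:\Temp\ToConvert.txt'                 # one alias or UPN per line
$BackupCsv        = 'C:\Temp\MailboxAttributes-backup.csv'
$ExternalDomain   = 'domain.com'                            # as in the post; use the real external domain
$DomainController = 'dc01.corp.example.com'                 # one DC for every call (see the replication note above)

$attrNames = 1..15 | ForEach-Object { "CustomAttribute$_" }

# Resolve an explicit list instead of converting every mailbox in the org
$targets = Get-Content -Path $InputFile |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { Get-Mailbox -Identity $_.Trim() -DomainController $DomainController }

# Disable-Mailbox removes the mailbox; keep a record of what is about to be re-applied
$targets |
    Select-Object -Property (@('Identity', 'Alias', 'PrimarySmtpAddress', 'LegacyExchangeDN') + $attrNames) |
    Export-Csv -Path $BackupCsv -NoTypeInformation

foreach ($mbx in $targets) {
    # Collect only the populated custom attributes into a hashtable for splatting
    $attrs = @{}
    foreach ($name in $attrNames) {
        if (-not [string]::IsNullOrEmpty($mbx.$name)) { $attrs[$name] = $mbx.$name }
    }

    $externalAddress = '{0}@{1}' -f $mbx.Alias, $ExternalDomain

    # The AD user object survives Disable-Mailbox, so its Identity is still valid afterwards
    Disable-Mailbox -Identity $mbx.Identity -Confirm:$false -DomainController $DomainController
    Enable-MailUser -Identity $mbx.Identity -ExternalEmailAddress $externalAddress -DomainController $DomainController
    if ($attrs.Count -gt 0) {
        Set-MailUser -Identity $mbx.Identity -DomainController $DomainController @attrs
    }

    # Read the new mail-user back from the same DC and confirm every attribute round-tripped
    $mu = Get-MailUser -Identity $mbx.Identity -DomainController $DomainController
    foreach ($name in $attrs.Keys) {
        if ($mu.$name -ne $attrs[$name]) {
            Write-Warning ('{0}: {1} did not survive the conversion' -f $mbx.Alias, $name)
        }
    }
}
```

Run it once against a single test account listed in the input file before pointing it at a batch; the CSV gives you the values to re-apply by hand if a conversion is interrupted part-way.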

Installing and Using Forefront Protection Server Management Console 2010

Do you use Forefront products to protect your Exchange or SharePoint environment?  Do you have more than one server that you’d like to manage centrally?

If your answer is “yes” to both of those questions, this post is for you!  In this multi-part article, I’ll show you how to install and use Microsoft’s latest (free) Forefront management product:

Forefront Protection Server Management Console (FPSMC) 2010 (Release Candidate)

However, before we start, I’d like to provide you with some Forefront orientation.  It seems that the title “Forefront” is starting to mean so many things these days.  Hopefully this table will help put some of the product names into perspective:

(Online services not listed)

That’s quite the moving target for us trying to learn!!

As you can see FPSMC has had a few different names so far.  In fact, Microsoft was going to release this as “Forefront Protection Manager”.  Talk about an identity crisis!

Now, if you are familiar with the existing Forefront Server Security Management Console (FSSMC) product, take a moment to note the differences between it and the new FPSMC:


So now that you have some background, let’s get on with it, shall we?

As I suggested above, FPSMC is a product we’d install to centralize our management of Forefront Protection 2010 for Exchange Server and SharePoint.  It does this through a web-interface, SQL and FPSMC agents running on each Forefront-protected server.

For a brief intro on the console, read this help article excerpt:

…[FPSMC] deployment allows administrators to deploy various files and settings to all or selected servers in the enterprise. Using the FPSMC, you can deploy the following to remote servers:

  • FPE and FPSP service packs and patches
  • Policies for configuration management
  • Forefront Protection product activation keys
  • Scan engine signature file updates (to centralize the update procedure)
  • Jobs that send reports on a fixed schedule

In addition, you can retrieve the following from remote servers:

  • Quarantined data.
  • Centralized reporting allows administrators to more closely monitor the servers in the enterprise and evaluate the effectiveness of antivirus software. The FPSMC collects statistics from all of its managed servers and stores them in a central repository for later analysis. Reports provide information about the trends in virus, filter, and update activity for each individual server or the entire enterprise.

Data retrieved by FPSMC will be stored in Microsoft SQL Server®. It can be stored in SQL Server 2008 Express Edition, which is a version of SQL Server with limited features. Alternately, data can also be stored on an existing Enterprise SQL Server 2008—locally or remotely—using SQL or Microsoft Windows® authentication.

In addition to the help article, here are some additional published resources on this product:

While we’re on the topic of centralized Forefront Server Protection management, I’d like to point out that while we wait for this FPSMC Release Candidate to go Gold, you can manage your multi-server deployment with these scripts:

http://blogs.technet.com/b/fss/archive/2010/08/09/microsoft-forefront-protection-server-script-kit-now-available-for-download.aspx

We’ll compare the scripts to the new FPSMC product later in this article.

In the next part of this article, we’ll identify the prerequisites for FPSMC and begin our installation.

Read Part 2: http://wp.me/pAAoj-8h

Exchange 2010 SP1 IPD (Beta)

UPDATE: RTM:

Launch the download of the IPD Guide for Exchange Server 2010.

——————————————————

I’ve always enjoyed reading the Infrastructure Planning and Design (IPD) guides from the Solution Accelerator folks at Microsoft. The guides aren’t super-technical, but they are a great first step when preparing for an upcoming project. They help me feel like I’m “doing things right” when I’m aligned with what’s inside.  I also usually assign them as homework for clients I’m working with, if they are unfamiliar with the logic behind some of the decisions that need to be made throughout the engagement.

Additionally, these are a great source when quoting “best practices”.

You can get an “IPD” on many Microsoft technologies.  For a complete list visit here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD3921FB-8224-4681-9064-075FDF042B0C&displaylang=en

The reason for the post today however, is to share the announcement of the open beta of the Exchange 2010 SP1 IPD!

The guide covers these key steps in the Exchange Server 2010 infrastructure design process:

  • Defining the project scope by identifying your individual business and IT requirements for a messaging infrastructure.
  • Mapping features and functionality based on the defined scope to develop the appropriate Exchange Server 2010 design.
  • Designing the infrastructure and role requirements for the proposed Exchange Server 2010 architecture.
  • Determining the sizing, fault tolerance, and physical placement of Exchange Server 2010 roles.

Often, the Word document is accompanied by a Visio diagram, but no such luck for this version.  However, nested in the document are some nice images.

“Beta” of course means not finished, but it’s a good read nonetheless.  I encourage all of you to check it out and send feedback to IPDfdbk@microsoft.com. They have been very responsive in my experience.

Get the beta by visiting the Connect website at:

https://connect.microsoft.com/content/content.aspx?ContentID=6556&SiteID=14

Stevieg.org: Office 365 – What does it mean for Exchange?

Over the last few days you’ve likely seen a lot of hubbub on Office 365, Microsoft’s next generation of online services. 

Steve Goodman writes a blog over at www.stevieg.org, and earlier today he published an insightful post titled “Office 365 – What does it mean for Exchange”.  In it he provides commentary on multiple aspects of Office 365, from the impact it has on Live@EDU to the Exchange Admin’s job security.

Check it out here:

http://www.stevieg.org/2010/10/office-365-what-does-it-mean-for-exchange

Exchange 2010 SP1: Less Secure?

Exchange 2010 hit the ground more secure than its predecessors in many ways; one of which was to enable RPC encryption on Outlook MAPI connections by default.  While Outlook 2007 and Outlook 2010 try to do this anyway, Outlook 2003 does not.

This caused a few issues:

[Screenshot: Outlook security tab]

  • New Outlook 2003 user profiles require an extra step to enable RPC encryption.
  • During a migration, users moved to Exchange 2010 would stop working if this box was not selected prior to the mailbox move.
  • During a migration, users who were not yet migrated could not access calendars and other mailbox items from users who were migrated.

I believe the easiest way to fix this was with a simple Group Policy setting which enabled RPC encryption in Outlook.

[Screenshot: Group Policy setting “Enable RPC Encryption”]

However apparently this was too much for a number of Microsoft customers, and as such Microsoft disabled RPC encryption by default in Exchange 2010 SP1!

See for yourself here:

Note In Exchange Server 2010 Service Pack 1, the RPC encryption requirement is disabled, by default. Any new Client Access Servers (CAS) deployed in the organization will not require encryption. However, any CAS servers deployed prior to Service Pack 1, or upgraded to Service Pack 1, will retain the existing RPC encryption requirement setting.

ref: http://support.microsoft.com/kb/2006508

 

As the excerpt states, this isn’t an issue for upgrades, but if you plan to deploy new servers in an existing environment, or a new environment all together, you may wish to re-enable this setting on Exchange.

To see what your RPC encryption setting is, run the following command:


Get-RPCClientAccess | fl Server, *version, EncryptionRequired

Then to enable the encryption requirement for all Client Access Servers:


Get-RPCClientAccess | Set-RpcClientAccess -EncryptionRequired $True

One final note:  This setting determines whether Exchange requires encryption.  You’re still welcome to use it even when the setting doesn’t mandate it.
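Putting the two commands above together, here is an added example (not from the original post) that audits the setting on every Client Access Server, changes only the servers where it is off, and checks the result. It assumes the Exchange 2010 Management Shell; -WhatIf shows the intended change and is removed to apply it. The Outlook 2003 side still needs the client setting from the Group Policy above, since this only controls what Exchange requires.

```powershell
# Added example (not from the original post): audit and remediate the RPC encryption
# requirement on Client Access Servers. Assumes the Exchange 2010 Management Shell.
$before = Get-RpcClientAccess | Select-Object Server, ExchangeVersion, EncryptionRequired
$before | Format-Table -AutoSize

# A CAS installed fresh with SP1 comes up with EncryptionRequired = False;
# servers installed before SP1 or upgraded to it keep the existing True
$unencrypted = @($before | Where-Object { -not $_.EncryptionRequired })

if ($unencrypted.Count -eq 0) {
    Write-Host 'All Client Access Servers already require RPC encryption.'
}
else {
    $names = ($unencrypted | ForEach-Object { $_.Server }) -join ', '
    Write-Host ('{0} server(s) do not require encryption: {1}' -f $unencrypted.Count, $names)

    # Touch only the servers that need it; drop -WhatIf to commit the change
    foreach ($entry in $unencrypted) {
        Set-RpcClientAccess -Server $entry.Server -EncryptionRequired $true -WhatIf
    }
}

# After applying for real, this should return nothing
Get-RpcClientAccess | Where-Object { -not $_.EncryptionRequired } | Select-Object Server, EncryptionRequired
```

Because new SP1 servers silently default to False, it is worth keeping this audit in whatever checklist you run when a CAS is added to the organization.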

BES 5.0.2 and Exchange 2010 SP1

I’m pleased to report Blackberry Enterprise Server (BES) 5.0.2 is now supported with Exchange 2010 SP1.

I’ve been checking this page frequently and noticed just this week BES updated the checkbox below:


Notice the (9) after the check mark. If you scroll down you’ll see the footnote:


That KB is called:

Cannot add users to the BlackBerry Enterprise Server 5.0 in an environment that includes Microsoft Exchange 2010 SP1

You can read more about it here:

http://www.blackberry.com/btsc/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=KB24470&sliceId=1&docTypeID=DT_SUPPORTISSUE_1_1

Essentially it states you’ll run into problems if you choose to deploy Exchange 2010 without public folders (click the link for the fix).  While this could have been true with versions prior to SP1, the (9) only shows in the SP1 column.  Not sure why.

MVP Award

I am honored to join the ranks of the Microsoft MVP award winners!  Thank all of you for your visits here as this blog is a primary way I’ve been able to participate in the Exchange Community!


Exchange 2010 Certifications

On occasion I’m asked to comment on topics over at searchexchange.techtarget.com.  Recently I had a discussion with Stephen J. Bigelow, one of their Senior Technical Writers to discuss Exchange certification.

If this is a topic that interests you, see this link:

http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1520343,00.html?track=sy188

I’d also like to hear your feedback on Exchange certifications.  Are you certified?  Working on it?  Don’t believe in certifications?

Post a comment!

Exchange 2010 SP1 Edge Transport & TMG 2010 SP1 Issue: Fixed.

Microsoft released Exchange 2010 SP1 a few weeks ago and quickly followed up with the following post of known issues (oops!): http://msexchangeteam.com/archive/2010/09/01/456094.aspx

One of these issues is that you cannot combine TMG 2010 with Edge 2010 after you apply Exchange 2010 SP1.

It would seem this is now fixed, as Microsoft released “Software Update 1 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1” earlier today.

Personally I’ve been disappointed with the “integration” of TMG and Edge, but if you are using this configuration, go grab this update here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=695D0709-0D8B-45EE-AFDB-727C4428CA4D&displaylang=en

For more info on this update see: What’s new in Forefront TMG 2010 Update 1.

Gartner: Exchange 2010 Takes 1st Place

Exchange doesn’t even know what the definition of competition is in today’s enterprise environment!  Ok, calm down you Gmail fanatics!

 

See this post from Mohamed Baher (an MCS engineer):

I’m happy to announce Microsoft’s strong position in Gartner’s 2010 MarketScope for E-Mail Systems report, in which Microsoft is the only vendor given the top rating of “Strong Positive”. Microsoft is uniquely positioned to deliver e-mail and calendaring technology to customers in the way that makes most sense to them – on-premise, in the cloud, or a combination of both. See the full report at http://www.gartner.com/technology/media-products/reprints/microsoft/vol10/article19b/article19b.html


-Source: http://blogs.technet.com/b/mbaher/archive/2010/08/31/exchange-is-on-top-gartner-s-2010-marketscope-for-e-mail-systems.aspx

 

From the report itself:

Microsoft released the fifth version of Exchange in November 2009. Exchange 2010, which is starting to increase its market penetration, promises improvements in storage efficiencies, high availability and disaster recovery, as well as more granular administration control and user self-service options. We expect adoption to follow the normal trajectory of previous Exchange releases, peaking at 50% by the end of 2012. The real action, however, is around Microsoft’s Exchange Online service, a subset of the large Business Productivity Online Standard Suite (BPOS) cloud collaboration offering. Throughout 2009 Microsoft added features to the service, and, more importantly, cut the price in half (to $5 per user per month), while quintupling the storage (to 25GB per user) — bringing it close to price and storage parity with Google GAPE. In November 2009, Microsoft said it had 1 million BPOS subscribers. We suspect that number has since doubled.

In 2H10 Microsoft will release the first service pack for Exchange 2010, with an emphasis on archiving, mobility, browser access, resiliency and management services. In 1H11 it will update Exchange Online with the 2010 version of Exchange, which is better suited to working in a multitenant environment. The current 2007 cloud release lacks some essential features, such as password synchronization, a health and performance console, multimailbox search and end-user password resetting. Furthermore, simple e-mail administration requests, such as to track a message, forward mail to an external mail box and disable ActiveSync require submission of a service request to the Exchange Online help desk, which creates operational inefficiencies for customers. Nonetheless, Microsoft continues to prosper in the e-mail market with both its on-premises and cloud options. Longer term, we will see the introduction of numerous hybrid e-mail models from Microsoft, with some mail boxes live in the cloud and others live on-premises. Google has emerged as its closest e-mail competitor, and it will remain so for the next few years.

Rating: Strong Positive

Exchange 2010 SP1 Hotfix Prerequisites

Like many of you, I was excited to see that Exchange 2010 SP1 was released earlier this week.  I downloaded and ran it right away on my demo lab environment, only to be immediately disappointed with the following error:


Ok, so Exchange needs some prerequisites, no big deal, right?  I wish they were in the Microsoft Update queue, but hey, it’s brand spankin’ new so maybe they haven’t gotten to it yet.

I then clicked the link(s) to get the downloads and was greeted again by an error!

 


Ask my question on Bing… that’s rich.

So finally, I TYPED the links, one at a time, to finally get to a page with hotfixes for download.  Yeah, I know typing is required from time to time, but don’t tease me with hyperlinks that don’t work, Microsoft!

Anywho, the links are a grab bag of hotfixes.  Some are from the MSDN site, others from the Connect site.  Not very reassuring, as many of these links come with a lesser SLA from Microsoft…

Once I installed the updates, Exchange 2010 SP1 did install successfully (it took about an hour).  Also worth noting, while it wants a reboot after each one, I just did them all followed by a single reboot at the end.

Finally, to save you the trouble of rounding up all the updates – here is a ZIP I made with them ready to go:

Exchange2010SP1HotFixes.zip

=========UPDATE=========

Looks like you can also get them from this link as well (one at a time): http://technet.microsoft.com/en-us/library/bb691354.aspx

Exchange 2010 SP1 VHD Download

Microsoft was quick to release this one – you can now try Exchange 2010 SP1 without the trouble of even installing it!

Checkout this pre-canned virtual machine of Exchange 2010 with SP1:

http://www.microsoft.com/downloads/details.aspx?FamilyID=53F7382A-3664-4DE3-8303-31E514D69F02&displaylang=en

You’ll need Hyper-V to use this machine, as Virtual PC doesn’t support x64 guests.

Delayed SMTP Acknowledgement

Exchange 2010 introduces a nifty new feature called Shadow Redundancy. Being one of the bigger changes in this version, it is well documented and discussed.

This post is on Delayed SMTP Acknowledgement, which is a subset of this feature – not Shadow Redundancy as a whole.  However to fully grasp what I will be discussing, it’s important to understand a few basics about Shadow Redundancy to appreciate the purpose and spirit of Delayed SMTP Acknowledgement.

I encourage you to first travel to some of the above links, but most importantly, understand a few points:

Exchange 2007 sent messages to recipients through Transport Servers (Hub/Edge). If a Transport server were to fail with messages in its queue, these messages are lost.  Generally, this is only a small amount of data loss, but loss is loss, and we want to avoid that!

To mitigate this risk you could:

  A. Attempt to replay transaction logs (recover the database) from a separate disk; but this assumes the failure was limited to a single disk or database. More importantly, the queue database uses circular logging by default, so you cannot assume this approach will work anyway.
  B. Backup your Queue databases. This sounds simple on the surface, but the database is changing each time a message is sent and received. Restoring a queue database is likely irrelevant unless you had truly continuous backups.
  C. Leverage the Transport Dumpster. This feature is used for LCR/CCR environments only, but might resubmit messages in some scenarios.

Exchange 2010’s Shadow Redundancy sends the message down multiple SMTP paths (different Hub or Edge Transport servers) so that if the destination does not confirm successful delivery, another Transport server is able to submit the message. This means, we can sustain a failure of a Transport server/database, provided you have multiple servers.

Let’s take a look at a modified TechNet diagram to see an example:

[Diagram: Shadow Redundancy Example]

Note that the Hub server sends the same message to two Edge servers. The lower edge server only submits the [shadow] message if it learns that the top edge server failed to do so.

Please understand I’m greatly simplifying this process. To fully understand all the steps involved, read the documentation linked above.

Ok, so now that we understand Shadow Redundancy, let’s ask the obvious question:

What about servers that do not support Shadow Redundancy?

A very valid concern, as this of course includes all previous versions of Exchange and most servers on the internet today.

Enter: “Delayed Acknowledgement”.

Delayed Acknowledgement is an attempt made by Exchange 2010 Transport servers to protect messages received from less sophisticated mail servers.

This is accomplished by making the sending server wait while the message is delivered behind the scenes of the 2010 environment.

Let’s explore this in more detail via the below illustration:

[Diagram: Logic Flow Chart]

As you can see, this is a best-effort attempt to protect email from servers that do not support full Shadow Redundancy. This protection covers the scenario where your receiving Transport server fails after it accepts the message from the sending server, but before it delivers it to the user’s mailbox. If this failure were to happen, the original sending server would never get its acknowledgement, and therefore it would be that server’s behavior to queue or resubmit the message.

See the below image to visualize this scenario:

[Diagram: Protection Example]

So as you can see, while this isn’t as robust as true Shadow Redundancy, it does attempt to ensure messages are not lost when a Transport server fails.

Now that we see how it works, I’d like to point out some of the gotchas and configurable options:

As we saw in the first diagram, it’s possible for the sending server to think a message was delivered if the background submission takes more than 30 seconds. Because of this, messages that naturally take this long anyway (due to network conditions or latency, or whatever) will not be protected. Now, you can change 30 seconds to something higher, but you risk the sending server timing out on you.

There are additional reasons the Transport server might let the sending server “off the hook”, including:

  • Submission queue in suspended state
  • Message is in deferred state due to transient error
  • Delivery queue is in retry or suspended state
  • Delivery queue exceeds DelayedAckSkippingQueueLength value
  • Message is routed to unreachable queue

So in closing, Delayed SMTP Acknowledgement is not as robust as its bigger brother Shadow Redundancy, but it does make a best-effort attempt to protect messages in transport. You can configure the MaxAcknowledgementDelay via the Set-ReceiveConnector command.

You shouldn’t have to, but if you need to disable this feature, do so via:

Set-ReceiveConnector "ConnectorName" -MaxAcknowledgementDelay 0

See this sample scenario from TechNet:

Assume that all messages are typically delivered within 20 seconds in your environment, but due to performance requirements, you don’t want to delay acknowledgement more than 15 seconds for messages received from the Internet. After analyzing the message flow, you conclude that 95 percent of messages are delivered within the 15 second interval. This example configures the Receive connector from the Internet to delay acknowledgement for only 15 seconds. In this scenario, your environment provides shadow redundancy for 95 percent of messages received from the Internet.

Set-ReceiveConnector "From the Internet" -MaxAcknowledgementDelay 00:00:15
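The TechNet scenario starts from a measurement (“95 percent of messages are delivered within the 15 second interval”). As an added example, not part of the original post or of TechNet, the script below derives that number from the message tracking log: it pairs each SMTP RECEIVE event with the DELIVER event for the same MessageId, takes the delay that covers the chosen share of messages, warns if that exceeds the 30-second default the post discusses, and applies it to the connector with -WhatIf. It assumes the Exchange 2010 Management Shell on a Hub Transport server that both receives from the Internet and delivers to mailboxes, and the connector name, look-back window and coverage target are placeholders.

```powershell
# Added example (not from the original post): size MaxAcknowledgementDelay from observed
# RECEIVE-to-DELIVER times. Assumes the Exchange 2010 Management Shell; names are placeholders.
$ConnectorName = 'From the Internet'   # connector name from the TechNet scenario
$Coverage      = 0.95                  # share of inbound messages the delay should cover
$Start         = (Get-Date).AddDays(-1)

# SMTP RECEIVE events are the inbound messages; DELIVER marks hand-off to the mailbox store
$received = Get-MessageTrackingLog -Start $Start -EventId RECEIVE -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' }

$delivered = @{}
Get-MessageTrackingLog -Start $Start -EventId DELIVER -ResultSize Unlimited |
    ForEach-Object { if (-not $delivered.ContainsKey($_.MessageId)) { $delivered[$_.MessageId] = $_.Timestamp } }

# Delivery time per message, in seconds, for every message seen on both sides
$seconds = foreach ($r in $received) {
    if ($delivered.ContainsKey($r.MessageId)) {
        ($delivered[$r.MessageId] - $r.Timestamp).TotalSeconds
    }
}
$sorted = @($seconds | Sort-Object)
if ($sorted.Count -eq 0) { throw 'No RECEIVE/DELIVER pairs found in the look-back window.' }

# Smallest delay that covers the requested share of messages, rounded up to whole seconds
$index        = [math]::Min([int][math]::Ceiling($sorted.Count * $Coverage) - 1, $sorted.Count - 1)
$delaySeconds = [int][math]::Ceiling($sorted[$index])

Write-Host ('{0} messages measured; {1:P0} were delivered within {2}s' -f $sorted.Count, $Coverage, $delaySeconds)
if ($delaySeconds -gt 30) {
    # Above the 30-second default the sending server may time out, as noted above
    Write-Warning 'Computed delay exceeds the 30-second default; confirm your senders wait that long before raising it.'
}

# Apply to the Internet-facing connector (identity is Server\Name); remove -WhatIf to commit
$identity = "$env:COMPUTERNAME\$ConnectorName"
$delay    = [TimeSpan]::FromSeconds($delaySeconds).ToString()   # e.g. 00:00:15
Set-ReceiveConnector -Identity $identity -MaxAcknowledgementDelay $delay -WhatIf
Get-ReceiveConnector -Identity $identity | Select-Object Identity, MaxAcknowledgementDelay
```

On a multi-server site, run the measurement on each Hub Transport server (or add -Server to both Get-MessageTrackingLog calls) so that messages received on one server and delivered by another are paired up.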

References:

  • Understanding Shadow Redundancy
  • Configure Shadow Redundancy
  • TechNet Webcast: Deploying and Managing Microsoft Exchange Server 2010 Transport Servers

=========UPDATE=========

New to SP1:

Shadow Redundancy Promotion

Exchange 2010 introduced the shadow redundancy feature to minimize the loss of any message during delivery after it enters the Exchange organization. Exchange Transport servers achieve this by using the shadow redundancy SMTP protocol extension.

However, in any organization Exchange Transport servers need to communicate with other third-party SMTP servers that may not support the shadow redundancy protocol. This is especially true with Edge Transport servers that handle message traffic with various hosts on the Internet. When receiving messages from hosts that don’t support shadow redundancy in Exchange 2010 RTM, Transport servers delay sending acknowledgement to incoming messages until they verify final delivery within the organization. However, when a specific threshold was reached, the Transport server issued an acknowledgement even if final delivery wasn’t verified. This presented a scenario where messages received from hosts that don’t support shadow redundancy can be lost in transit.

To address this issue, a new feature called shadow redundancy promotion is introduced in Exchange 2010 SP1. When faced with the scenario described above, instead of issuing an acknowledgment without delivery confirmation, a Transport server now routes the message to any other Transport server within the site so that the message is protected by shadow redundancy.

-Source: http://technet.microsoft.com/en-us/library/ff629378.aspx

Respect the DAG!

Exchange 2010’s Database Availability Group configuration allows you to build a highly available Mailbox Server environment without being an expert in clustering technologies; but did you know that DAGs install and configure Failover Clustering behind the scenes?

So while you don’t need to be an expert in Failover Clustering, or even remember to install it – you should at least know that it exists and treat it as such.

There are many videos and articles on the DAG configuration, but I wanted to point out a few common mistakes I’ve seen.  The New DAG wizard doesn’t adhere to these best practices, so manual fix-up is required (If you aren’t using EMS).

 

Below are 4 tips:

 

  • When you create a Windows Cluster, a computer account is created in Active Directory!  You should treat this account like you would any other server object.  This could mean lots of things, but at the least, you should move the object to the same OU as the mailbox server accounts.  By default the DAG account will be placed in the “Domain\Computers” container.  You wouldn’t want a weird GPO messing with your Exchange environment!
  • Set a static IP.  You’ll learn this real quick 🙂 if your server’s subnet doesn’t have DHCP; but if it does, you may go on for a long time not realizing you aren’t in control of the IP used for DAG communication.  If you created your DAG in PowerShell (hey, I like PS too, but there’s a GUI so I use it!) you could have used the following command:
    New-DatabaseAvailabilityGroup -Name DAG1 -DatabaseAvailabilityGroupIPAddresses 10.2.3.4
    If you used the wizard, the option to use a static IP is not exposed.  To fix this you can either use the abovementioned command, but with “Set” instead of “New” – or you can go right into the Failover Cluster Manager MMC: Start, Administrative Tools, Failover Cluster Manager.  Expand Cluster Core Resources (collapsed in the center by default).  Expand your DAG name and double-click IP Address.  Select the Static IP Address bubble and fill out the appropriate IP address.
  • Rename your DAG Networks.  By default they are named generically, but you can fix this by clicking the Database Availability Groups tab under the global mailbox configuration.  You can also use the Set-DatabaseAvailabilityGroupNetwork cmdlet.  If you don’t know what to name them, I’d suggest simply calling the one facing the Client Access Servers “Public” and the 2nd one “Private”.  Of course the name itself isn’t too important, as long as it is meaningful to you!
  • Rename your Cluster Networks.  This is not required, but I like a tidy shop, so I always rename the “Cluster Networks” to match the DAG network.

I hope you find these four tips useful.  They are not required, but based on my experience I can say they will make your life easier.  And a little disclaimer before you go:  This post is not intended to educate you on creating a DAG; rather point out a few best practices often overlooked.  For complete guidance see this great step-by-step guidance from MVP Henrik Walther here.
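The four tips as one EMS fix-up script, added here as an example and not part of the post or of Microsoft’s documentation: it moves the cluster’s computer account next to the mailbox servers, sets the static IP the wizard never asked for, and renames both the DAG networks and the underlying cluster networks. It assumes the Exchange 2010 Management Shell on a Windows Server 2008 R2 mailbox server with the ActiveDirectory and FailoverClusters modules available; the DAG name, IP, OU and the generic-to-meaningful name maps are placeholders.

```powershell
# Added example (not the post's own code): post-wizard DAG fix-up covering the four tips.
# Assumes Exchange 2010 Management Shell + ActiveDirectory and FailoverClusters modules.
Import-Module ActiveDirectory
Import-Module FailoverClusters

$DagName  = 'DAG1'
$DagIp    = '10.2.3.4'                                        # static DAG IP from the post
$TargetOu = 'OU=Exchange Servers,DC=corp,DC=example,DC=com'  # placeholder: same OU as the mailbox servers
$DagNetworkNames     = @{ 'DAGNetwork01' = 'Public'; 'DAGNetwork02' = 'Private' }         # generic -> meaningful
$ClusterNetworkNames = @{ 'Cluster Network 1' = 'Public'; 'Cluster Network 2' = 'Private' } # placeholder names

# Tip 1: the cluster's computer account lands in CN=Computers by default; move it beside the mailbox servers
$cno = Get-ADComputer -Identity $DagName
if ($cno.DistinguishedName -notlike "*,$TargetOu") {
    Move-ADObject -Identity $cno.DistinguishedName -TargetPath $TargetOu
}

# Tip 2: the wizard never asks for a static IP; set one if the DAG has none assigned
$dag = Get-DatabaseAvailabilityGroup -Identity $DagName
if (@($dag.DatabaseAvailabilityGroupIpAddresses).Count -eq 0) {
    Set-DatabaseAvailabilityGroup -Identity $DagName -DatabaseAvailabilityGroupIpAddresses $DagIp
}

# Tip 3: give the DAG networks meaningful names (identity is DAG\NetworkName)
foreach ($net in Get-DatabaseAvailabilityGroupNetwork) {
    if ($net.Identity.ToString() -like "$DagName\*" -and $DagNetworkNames.ContainsKey($net.Name)) {
        Set-DatabaseAvailabilityGroupNetwork -Identity $net.Identity -Name $DagNetworkNames[$net.Name]
    }
}

# Tip 4: rename the underlying cluster networks to match; cluster objects are renamed by assigning Name
foreach ($old in $ClusterNetworkNames.Keys) {
    $clusterNet = Get-ClusterNetwork -Cluster $DagName -Name $old -ErrorAction SilentlyContinue
    if ($clusterNet) { $clusterNet.Name = $ClusterNetworkNames[$old] }
}

# Show the result of all four changes
Get-DatabaseAvailabilityGroup -Identity $DagName | Select-Object Name, DatabaseAvailabilityGroupIpAddresses
Get-DatabaseAvailabilityGroupNetwork | Where-Object { $_.Identity.ToString() -like "$DagName\*" } | Select-Object Name, Subnets
Get-ClusterNetwork -Cluster $DagName | Select-Object Name, Address
```

Check which generic network maps to the CAS-facing subnet (Get-DatabaseAvailabilityGroupNetwork shows the Subnets of each) before running it, so that “Public” really is the network facing the Client Access Servers.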

 

Have a happy and safe Independence Day!!