Talking IRM on RunAS Radio

Recently, I had a chance to chat with Richard Campbell and Greg Hughes on the popular RunAS Radio Show.  The topic was Information Rights Management and how it relates to Exchange Server.  This was also a feature I demonstrated on stage at the Exchange Connections event in Orlando earlier this year.

If you’re not sure what IRM is or does, or if you wish to learn more about it, be sure to tune in on May 4th to listen to show #210!

www.runasradio.com

Cloud-Based BES Services With BPOS / Office 365

Two big pieces of news hit Blackberry administrators and users today:

  1. Microsoft’s Hosted Exchange (BPOS / Office 365) will offer free Blackberry licenses (provided you’re already paying for your mailbox)
  2. RIM will soon offer a cloud-based BES service

Read more here:

http://community.office365.com/enus/office365/b/microsoft_office_365_blog/archive/2011/03/16/office-365-and-blackberry.aspx

Speaking at Exchange Connections: March 27-30 in Orlando Florida

Exchange Connections is an event held twice a year for the purpose of learning about Exchange Server and meeting other professionals working with the technology.  It is held alongside several other “Connections” events and has always been a lot of fun!

For a list of sessions checkout this link:

http://www.devconnections.com/conf/sessions.aspx?s=163

If you’re planning on attending, please come say hello.  I will be delivering the following sessions:

EXC13: Forefront TMG Client Access Publication and Edge Transport Integration
During this session, Mike will cover two aspects of Exchange and TMG integration. In the first half, he’ll discuss the installation procedures and configuration requirements for running TMG and the Edge Transport role on the same server. In the second half, he’ll demonstrate the steps of publishing Exchange client access through TMG.
EXC14: Information Rights Management Explored
During this session, we will discuss and then demo IRM and S/MIME, the infrastructure requirements for both, the pros and cons, and configuration.
EXC15: Office 365
This session will cover capabilities, migration, and administration of the Office 365 and Live@EDU environments. It will include demonstrations and best practices.

Exchange 2010 SP1 Hotfix Prerequisites – Part 2

A while back, I complained about the difficulty in obtaining the necessary hotfixes for Exchange 2010’s Service Pack 1.  I just took a peek at the “Hotfixes and Security Updates included in Windows 7 and Windows 2008 R2 Service Pack 1 (http://go.microsoft.com/fwlink/?LinkId=194725)” article and verified all necessary hotfixes are within. 

So if you’re planning on installing Exchange 2010 SP1, it may save you time to install Windows 2008 R2 Service Pack 1 first.

Installing and Using Forefront Protection Server Management Console 2010 – Part 2

In a previous post, we took a look at Microsoft’s Forefront product line and saw where the new server management tool, Forefront Protection Server Management Console (FPSMC), fits in.  In this article, we will install FPSMC.

Before we start clicking, I’d like to point out a few important notes:

  • FPSMC cannot be deployed on a domain controller, an FPE server or an FPSP server.
  • FPSMC will not install on a server running any other Forefront product.
  • FPSMC will only support FPE and FPSP. It will not manage Forefront Security for Exchange Server v10.x, Forefront Security for SharePoint v10.x and Antigen for Exchange and SMTP v9.x products – these still require Forefront Server Security Management Console (FSSMC).
  • FPSMC cannot redistribute the Cloudmark micro-updates.
  • FPSMC Beta will only support up to 100 servers per management console deployment.
  • FPSMC UI requires JavaScript to be enabled.
  • FPSMC must be installed on a domain-joined server.
  • FPSMC will not install on a server running any version of Microsoft Exchange Server or Microsoft SharePoint Server.

As well as some system requirements:

  • Windows Server 2008 R2
  • 300MB free RAM
  • 30MB free disk space (for the console)
  • 900MB free disk space (for SQL)
  • 4GB free disk space (for signature distribution)
  • .Net Framework 3.5 SP1 or later
  • Microsoft Chart Controls for Microsoft .NET Framework 3.5
  • IIS (for subcomponents visit TechNet)
  • SQL Express installs by default, but a licensed version of SQL Server is recommended

You’ll also want to create a service account for the encryption of data between primary and backup servers.

Once you’ve got the above prerequisites in place, you’ll run the setup file and complete the product installation.  In the below demonstration, I did not deploy a SQL server, so the installer configured SQL 2008 Express on my behalf.  Additionally, if you do not have the Chart Control component listed above, you’ll be given a link to go get it.

Here are the installation screenshots:

Once the installation has completed, a program shortcut will be placed in the Start menu’s program list.  You can launch FPSMC from here, or directly via the following hyperlink:

In the next article, we’ll discuss adding and managing servers running Forefront Protection for Exchange 2010.

Converting a Mailbox to a MailUser (and preserving your custom attributes)

It’s not often that you’ll need to convert a mailbox to a mail-user, but when you do, you’ll soon realize the steps go like this:

1. Mail-Disable the user (delete the mailbox)
2. Mail-Enable the user

So what’s the problem?  The problem is twofold:

  • First, you’ll want to automate this, and there is no “convert” button or command.  You’ll need to use PowerShell if converting multiple users.
  • Second, and perhaps more importantly, all the Exchange attributes are nullified when you delete the mailbox.  This includes CustomAttribute1-15.

As we can see, you are not able to pipe mailboxes to Enable-MailUser (as you are able to do in reverse with Enable-Mailbox):

I’ve written a script to solve these problems.  Before you run with it, you do need to make one decision:

What do you want the mail-user’s external email address to be?

The below script takes the user’s mailbox alias and then appends @domain.com.  You may wish to modify this with whatever their new external address has become.

You’ll also notice I’m using a static domain controller for all operations.  I have found in my testing that if you do not pick the same DC for all operations, the script can out-run replication.

# Use one domain controller for every operation so the script cannot out-run AD replication
$DomainController = (Get-ADServerSettings).DefaultConfigurationDomainController.domain

# Get-Mailbox returns at most 1000 objects by default; -ResultSize Unlimited covers the whole
# organization. Filter this list down to the users you actually intend to convert.
$MailboxList = Get-Mailbox -ResultSize Unlimited

foreach ($Mailbox in $MailboxList) {
    # Deleting the mailbox nulls every Exchange attribute, including CustomAttribute1-15,
    # so the values are re-applied from the $Mailbox object captured above
    Disable-Mailbox -Identity $Mailbox.Identity -Confirm:$False -DomainController $DomainController
    # The external address becomes alias@domain.com here; change this to the user's new address
    Enable-MailUser -Identity $Mailbox.Identity -ExternalEmailAddress ($Mailbox.Alias + "@domain.com") -DomainController $DomainController
    Set-MailUser -Identity $Mailbox.Identity `
        -DomainController $DomainController `
        -CustomAttribute1 $Mailbox.CustomAttribute1 `
        -CustomAttribute2 $Mailbox.CustomAttribute2 `
        -CustomAttribute3 $Mailbox.CustomAttribute3 `
        -CustomAttribute4 $Mailbox.CustomAttribute4 `
        -CustomAttribute5 $Mailbox.CustomAttribute5 `
        -CustomAttribute6 $Mailbox.CustomAttribute6 `
        -CustomAttribute7 $Mailbox.CustomAttribute7 `
        -CustomAttribute8 $Mailbox.CustomAttribute8 `
        -CustomAttribute9 $Mailbox.CustomAttribute9 `
        -CustomAttribute10 $Mailbox.CustomAttribute10 `
        -CustomAttribute11 $Mailbox.CustomAttribute11 `
        -CustomAttribute12 $Mailbox.CustomAttribute12 `
        -CustomAttribute13 $Mailbox.CustomAttribute13 `
        -CustomAttribute14 $Mailbox.CustomAttribute14 `
        -CustomAttribute15 $Mailbox.CustomAttribute15
}

(add more attributes if necessary, but remember that since you aren’t deleting the Active Directory object itself, most attributes remain…)
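As an added example (not the script from the post above), the same conversion written as a function that splats whichever of CustomAttribute1-15 are populated and then reads the new mail-user back from the same domain controller to verify nothing was lost. The external domain example.com and the -WhatIf support are assumptions, not part of the original.

```powershell
# Added example, not the original post's script. Converts one mailbox to a mail-user while
# preserving CustomAttribute1-15, then verifies the result. Assumes the Exchange 2010
# Management Shell and a placeholder external domain of example.com.
function Convert-MailboxToMailUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]$Identity,
        [string]$ExternalDomain = 'example.com',
        # Pin every call to one DC so the conversion cannot out-run AD replication
        [string]$DomainController = (Get-ADServerSettings).DefaultConfigurationDomainController.Domain
    )

    # Snapshot the mailbox first: Disable-Mailbox nulls every Exchange attribute on the object
    $Mailbox = Get-Mailbox -Identity $Identity -DomainController $DomainController
    if (-not $Mailbox) { throw "Mailbox '$Identity' not found" }

    # Collect only the populated custom attributes into a hashtable for splatting
    $Custom = @{}
    1..15 | ForEach-Object {
        $Name = "CustomAttribute$_"
        if (-not [string]::IsNullOrEmpty($Mailbox.$Name)) { $Custom[$Name] = $Mailbox.$Name }
    }

    if (-not $PSCmdlet.ShouldProcess($Mailbox.Identity, 'Convert mailbox to mail-user')) { return }

    Disable-Mailbox -Identity $Mailbox.Identity -Confirm:$false -DomainController $DomainController
    Enable-MailUser -Identity $Mailbox.Identity `
        -ExternalEmailAddress ('{0}@{1}' -f $Mailbox.Alias, $ExternalDomain) `
        -DomainController $DomainController

    if ($Custom.Count -gt 0) {
        Set-MailUser -Identity $Mailbox.Identity -DomainController $DomainController @Custom
    }

    # Verify: read the new mail-user back from the same DC and compare each attribute
    $MailUser = Get-MailUser -Identity $Mailbox.Identity -DomainController $DomainController
    $Mismatch = foreach ($Name in $Custom.Keys) {
        if ($MailUser.$Name -ne $Custom[$Name]) {
            [pscustomobject]@{ Attribute = $Name; Expected = $Custom[$Name]; Actual = $MailUser.$Name }
        }
    }
    if ($Mismatch) {
        Write-Warning "Attribute mismatch on $($Mailbox.Identity)"
        $Mismatch | Format-Table -AutoSize
    }

    # Return a record of what was done so a bulk run can be logged and reviewed
    [pscustomobject]@{
        Identity             = $Mailbox.Identity.ToString()
        ExternalEmailAddress = $MailUser.ExternalEmailAddress
        AttributesRestored   = $Custom.Count
        Verified             = (-not $Mismatch)
    }
}

# Usage: convert a single user, or pipe a filtered set of mailboxes (OU name is a placeholder)
# Convert-MailboxToMailUser -Identity 'jdoe' -WhatIf
# Get-Mailbox -OrganizationalUnit 'Students' -ResultSize Unlimited |
#     ForEach-Object { Convert-MailboxToMailUser -Identity $_.Identity }
```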

Installing and Using Forefront Protection Server Management Console 2010

Do you use Forefront products to protect your Exchange or SharePoint environment?  Do you have more than one server that you’d like to manage centrally?

If your answer is “yes” to both of those questions, this post is for you!  In this multi-part article, I’ll show you how to install and use Microsoft’s latest (free) Forefront management product:

Forefront Protection Server Management Console (FPSMC) 2010 (Release Candidate)

However, before we start, I’d like to provide you with some Forefront orientation.  It seems the title “Forefront” is starting to mean so many things these days.  Hopefully this table will help put some of the product names into perspective:

(Online services not listed)

That’s quite the moving target for us trying to learn!!

As you can see FPSMC has had a few different names so far.  In fact, Microsoft was going to release this as “Forefront Protection Manager”.  Talk about an identity crisis!

Now, if you are familiar with the existing Forefront Server Security Management Console (FSSMC) product, take a moment to note the differences between it and the new FPSMC:

So now that you have some background, let’s get on with it, shall we?

As I suggested above, FPSMC is a product we’d install to centralize our management of Forefront Protection 2010 for Exchange Server and SharePoint.  It does this through a web-interface, SQL and FPSMC agents running on each Forefront-protected server.

For a brief intro on the console, read this help article excerpt:

…[FPSMC] deployment allows administrators to deploy various files and settings to all or selected servers in the enterprise. Using the FPSMC, you can deploy the following to remote servers:

  • FPE and FPSP service packs and patches
  • Policies for configuration management
  • Forefront Protection product activation keys
  • Scan engine signature file updates (to centralize the update procedure)
  • Jobs that send reports on a fixed schedule

In addition, you can retrieve the following from remote servers:

  • Quarantined data.
  • Centralized reporting allows administrators to more closely monitor the servers in the enterprise and evaluate the effectiveness of antivirus software. The FPSMC collects statistics from all of its managed servers and stores them in a central repository for later analysis. Reports provide information about the trends in virus, filter, and update activity for each individual server or the entire enterprise.

Data retrieved by FPSMC will be stored in Microsoft SQL Server®. It can be stored in SQL Server 2008 Express Edition, which is a version of SQL Server with limited features. Alternately, data can also be stored on an existing Enterprise SQL Server 2008—locally or remotely—using SQL or Microsoft Windows® authentication.

In addition to the help article, here are some additional published resources on this product:

While we’re on the topic of centralized Forefront Server Protection management, I’d like to point out that while we wait for this FPSMC Release Candidate to go Gold, you can manage your multi-server deployment with these scripts:

http://blogs.technet.com/b/fss/archive/2010/08/09/microsoft-forefront-protection-server-script-kit-now-available-for-download.aspx

We’ll compare the scripts to the new FPSMC product later in this article.

In the next part of this article, we’ll identify the prerequisites for FPSMC and begin our installation.

Read Part 2: http://wp.me/pAAoj-8h

Exchange 2010 SP1 IPD (Beta)

UPDATE: RTM:

Launch the download of the IPD Guide for Exchange Server 2010.

——————————————————

I’ve always enjoyed reading the Infrastructure Planning and Design (IPD) guides from the Solution Accelerator folks at Microsoft. The guides aren’t super-technical, but they are a great first step when preparing for an upcoming project. They help me feel like I’m “doing things right” when I’m aligned with what’s inside.  I also usually assign them as homework for clients I’m working with, if they are unfamiliar with the logic behind some of the decisions that need to be made throughout the engagement.

Additionally, these are a great source when quoting “best practices”.

You can get an “IPD” on many Microsoft technologies.  For a complete list visit here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD3921FB-8224-4681-9064-075FDF042B0C&displaylang=en

The reason for the post today however, is to share the announcement of the open beta of the Exchange 2010 SP1 IPD!

The guide covers these key steps in the Exchange Server 2010 infrastructure design process:

  • Defining the project scope by identifying your individual business and IT requirements for a messaging infrastructure.
  • Mapping features and functionality based on the defined scope to develop the appropriate Exchange Server 2010 design.
  • Designing the infrastructure and role requirements for the proposed Exchange Server 2010 architecture.
  • Determining the sizing, fault tolerance, and physical placement of Exchange Server 2010 roles.

Often, the Word document is accompanied by a Visio diagram, but no such luck for this version.  However, nested in the document are some nice images (Click to enlarge one of the images):

“Beta” of course means not finished, but it’s a good read nonetheless.  I encourage all of you to check it out and send feedback to IPDfdbk@microsoft.com. They have been very responsive in my experience.

Get the beta by visiting the Connect website at:

https://connect.microsoft.com/content/content.aspx?ContentID=6556&SiteID=14

Stevieg.org: Office 365 – What does it mean for Exchange?

Over the last few days you’ve likely seen a lot of hubbub on Office 365, Microsoft’s next generation of online services. 

Steve Goodman writes a blog over at www.stevieg.org, and earlier today he published an insightful post titled “Office 365 – What does it mean for Exchange”.  In it he provides commentary on multiple aspects of Office 365, from the impact it has on Live@EDU to the Exchange Admin’s job security.

Check it out here:

http://www.stevieg.org/2010/10/office-365-what-does-it-mean-for-exchange

Exchange 2010 SP1: Less Secure?

Exchange 2010 hit the ground more secure than its predecessors in many ways; one of which was to require RPC encryption on Outlook MAPI connections by default.  While Outlook 2007 and Outlook 2010 try to encrypt anyway, Outlook 2003 does not.

This caused a few issues:

  • New Outlook 2003 user profiles require an extra step to enable RPC encryption.
  • During a migration, users moved to Exchange 2010 would stop working if this box was not selected prior to the mailbox move.
  • During a migration, users who were not yet migrated could not access calendars and other mailbox items from users who were migrated.

I believe the easiest way to fix this was with a simple Group Policy setting which enabled RPC encryption in Outlook.

However apparently this was too much for a number of Microsoft customers, and as such Microsoft disabled RPC encryption by default in Exchange 2010 SP1!

See for yourself here:

Note In Exchange Server 2010 Service Pack 1, the RPC encryption requirement is disabled, by default. Any new Client Access Servers (CAS) deployed in the organization will not require encryption. However, any CAS servers deployed prior to Service Pack 1, or upgraded to Service Pack 1, will retain the existing RPC encryption requirement setting.

ref: http://support.microsoft.com/kb/2006508

As the excerpt states, this isn’t an issue for upgrades, but if you plan to deploy new servers in an existing environment, or a new environment altogether, you may wish to re-enable this setting on Exchange.

To see what your RPC encryption setting is, run the following command:

Get-RPCClientAccess | fl Server, *version, EncryptionRequired

Then to enable the encryption requirement for all Client Access Servers:

Get-RPCClientAccess | Set-RpcClientAccess -EncryptionRequired $True

One final note:  This setting determines whether Exchange requires encryption.  Clients are still free to encrypt even when the setting doesn’t mandate it.

Why PCNS Stopped Working

I recently visited a customer site whose student email is hosted by Microsoft’s Live@EDU program.

While on-site, they reported the ILM/OLSync/PCNS (Password Sync) had stopped working. Users were able to change their LiveID password with Microsoft, but the one-way password-reset sync from Active Directory no longer worked.

For those unfamiliar with any of those above phrases, this article is not for you. But you can read about them here:

A quick overview of PCNS requirements and configuration:

  1. PCNS schema extension is in place
  2. PCNS is installed on all domain controllers in the user’s domain
  3. Inclusion Group(s) Defined
  4. Password Synchronization is configured within the ILM software

For my customer, this was all configured. And PCNS worked when I left them a few months back. What changed?

I stopped by the ILM server to have a look at things. PCNS is not so great about reporting errors by default, so I wanted to enable more logging. To do this you need to create a registry value called FeaturePwdSyncLogLevel.

FeaturePwdSyncLogLevel isn’t documented much on TechNet as far as I’m aware, but it is explained on this public forum here:

http://social.technet.microsoft.com/forums/en-US/identitylifecyclemanager/thread/4686507a-2acc-4a4d-9e64-4f6f15d5e165

PCNS

For PCNS, four logging levels are controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters

  • 0 = Minimal logging
  • 1 = Normal logging (default)
  • 2 = High logging
  • 3 = Verbose logging

MIIS 2003

For MIIS 2003, four logging levels are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\miiserver\Logging

  • 0 = Minimal logging
  • 1 = Normal logging (default)
  • 2 = High logging
  • 3 = Verbose logging

So after configuring my ILM 2007 FP1 server (despite the above quote saying “MIIS 2003”) with this value (and restarting) I once again attempted a password reset.

Now I am able to see the following error in the application log:

Log Name: Application
Source: MIIServer
Event ID: 6905
Task Category: (8)
Level: Information
Keywords: Classic
Computer: gcilm.domain.com
Description:
A password notification was received but could not be processed because the corresponding object is a disconnector.
Additional information:
Reference ID: {6BC69D88-9392-4FEE-B050-940537F4063F}
Source Object GUID: {75562CF8-BF46-4CE2-94FA-89B3EABA60D8}
Source DN: CN=10187,OU=Y2013,OU=Students,OU=User Accounts & Groups,DC=domain,DC=com
Source MA Name: OnPremise

What we see in this error is that ILM cannot sync the password to the Live@EDU mailbox because ILM thinks the account is a “disconnector”.

Essentially this means ILM doesn’t have a matching object for this user.  This does not mean the mailboxes in Live@EDU are gone or damaged – just that ILM doesn’t have a relationship between them and an on-premise AD account anymore.

For more about disconnectors, see the article: Don’t call me disconnector !!!

So how do we fix this?

Objects become disconnected in OLSync when the rules defined by the OLSync code are violated.  So let’s look at the rules.  Our best public source for these rules is in this article, titled: How Outlook Live Directory Sync Works.  Within you’ll find a section called OLSync filtering logic:

When OLSync runs, ILM filters out objects in the following order. After an object is filtered out, ILM won’t evaluate it again, nor will the object be copied to the ILM metaverse for synchronization.

1. Recipient objects that don’t have required attributes. ILM reads the following recipient objects. If any of the required attributes are empty (null), the recipient object is filtered out.

  • Mailbox-enabled user: mail, legacyExchangeDN, proxyAddresses
  • Mail-enabled user: mail, targetAddress
  • User (AD DS or Active Directory only; no Microsoft Exchange installed): mail
  • Mail-enabled contact: mail, targetAddress
  • Distribution group, dynamic distribution group, or security group: mail, proxyAddresses, mailNickName

2. Recipient objects where the adminCount attribute is set to 1. The adminCount attribute is used to identify users in protected administrator groups, such as the Domain Admins and Administrators. If the adminCount attribute is set to 1 on any recipient object, it is filtered out.

3. Mailbox-enabled user objects that are specified as mailbox plans, discovery mailboxes, or arbitration mailboxes. The msExchRecipientTypeDetails attribute is used to identify mailboxes that are specified as mailbox plans, discovery mailboxes, or arbitration mailboxes. These mailbox-enabled users are filtered out.

4. The mail attribute on an AD DS or Active Directory-only user that doesn’t match the provisioning domain. In an on-premises environment where Microsoft Exchange hasn’t been installed, OLSync filters out all user objects where the mail attribute doesn’t contain an SMTP address that matches the provisioning domain.

5. The attribute used to generate the Windows Live ID doesn’t match any of the accepted domains. The final pass filters out recipient objects that are configured for auto-provisioning but don’t have an accepted domain match in the attribute that is used to generate the Windows Live ID.
The attribute used to generate the Windows Live ID must contain a domain name that matches one of the accepted domains that you have configured in Outlook Live. As described in step 4, by default, OLSync looks to the user principal name (UPN) for a match unless you have set the MVWindowsLiveIdAttributeName parameter to use a different attribute. In this case, OLSync matches the SMTP address that is stored in the attribute that you have specified in the MVWindowsLiveIdAttributeName parameter. In any case, if OLSync can’t find a match to an accepted domain, the recipient object is filtered out.

After ruling out many of the above conditions, I thought more on item 2.  I checked and realized the adminCount attribute on ALL of my users now is populated with a “1”!

This attribute is automatically populated by the PDC emulator for all users in “restricted” groups.  Sadly, if you remove users from these groups, the same process doesn’t bother to clear that attribute!  You have to do it manually.

More on this topic here: AdminSDHolder – or where did my permissions go?

When clearing this attribute make sure you set it to null (not 0). ADSIedit has a “clear” button to nullify an attribute.

Of course I have a few remaining questions:

  1. Will this “1” return?
  2. How did this occur?
  3. How do I script this fix?

The answer to #1 is yes – if you don’t fix the root cause.  Every hour the protected groups are evaluated and 1’s re-stamped if appropriate.  So we need to fix the cause before we fix the symptom.

How did this occur?  After looking at the group memberships of each user I verified users were NOT in a protected group; or at least until I checked nested group memberships – Bingo!  Someone had added the Domain Users group to Print Operators; a protected group!  Why was this done – who knows.  But I removed this membership.

Now time for cleanup.

Using the free Quest PowerShell tools, I wrote the following script to identify the scope of the problem:

Get-QADUser -SizeLimit 0 -IncludeAllProperties -SearchRoot "domain.com/User Accounts & Groups/Students" | where {$_.adminCount -eq "1"}

And followed up with this one to clear the attribute:

Get-QADUser -SizeLimit 0 -IncludeAllProperties -SearchRoot "domain.com/User Accounts & Groups/Students" | where {$_.adminCount -eq "1"} | Set-QADUser -ObjectAttributes @{adminCount = $null}

Note, in the scripts I am only looking in a specific OU.  You’ll need to adjust this for your environment.  In fact, you can remove the SearchRoot switch altogether if you want, as the adminCount will be re-populated for users in protected groups within the next hour anyway.

After running this script you can re-run "startsync.ps1 -firstrun" to repair the relationships between the objects.
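As an added example (not the author’s Quest-based scripts), the same investigation and cleanup using the Windows ActiveDirectory module: the first function lists nested groups inside every protected group (the root cause in this post was Domain Users nested in Print Operators), and the second lists users still stamped adminCount=1 who are no longer members of any protected group, clearing the attribute only when -Fix is given. The OU path in the usage lines is a placeholder.

```powershell
# Added example, not the author's Quest scripts. Requires the ActiveDirectory module
# (RSAT on Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-ProtectedGroupNesting {
    # AdminSDHolder stamps adminCount=1 on the protected groups themselves, so this filter
    # returns exactly the groups whose membership propagates the attribute to users.
    Get-ADGroup -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $Group = $_
        # Direct members that are themselves groups: every user in such a group inherits adminCount=1
        Get-ADGroupMember -Identity $Group | Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object {
                [pscustomobject]@{ ProtectedGroup = $Group.Name; NestedGroup = $_.Name }
            }
    }
}

function Get-StaleAdminCount {
    param(
        [Parameter(Mandatory = $true)] [string]$SearchBase,
        [switch]$Fix
    )

    # Every recursive member of every protected group, keyed by DN for fast lookup
    $Protected = @{}
    Get-ADGroup -LDAPFilter '(adminCount=1)' | ForEach-Object {
        Get-ADGroupMember -Identity $_ -Recursive |
            ForEach-Object { $Protected[$_.distinguishedName] = $true }
    }

    # Users in the OU that still carry adminCount=1 but are no longer protected members
    Get-ADUser -LDAPFilter '(adminCount=1)' -SearchBase $SearchBase |
        Where-Object { -not $Protected.ContainsKey($_.DistinguishedName) } |
        ForEach-Object {
            if ($Fix) {
                # -Clear removes the attribute (null), matching the post's advice; setting 0 would
                # leave a non-null value behind. Fix the nesting first or the PDC emulator re-stamps it.
                Set-ADUser -Identity $_ -Clear adminCount
            }
            [pscustomobject]@{ User = $_.SamAccountName; DN = $_.DistinguishedName; Cleared = [bool]$Fix }
        }
}

# Usage (placeholder OU): find the cause, report the symptom, then clear it
# Get-ProtectedGroupNesting | Format-Table -AutoSize
# Get-StaleAdminCount -SearchBase 'OU=Students,OU=User Accounts & Groups,DC=domain,DC=com'
# Get-StaleAdminCount -SearchBase 'OU=Students,OU=User Accounts & Groups,DC=domain,DC=com' -Fix
```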

That’s it – bye for now!

BES 5.0.2 and Exchange 2010 SP1

I’m pleased to report Blackberry Enterprise Server (BES) 5.0.2 is now supported with Exchange 2010 SP1.

I’ve been checking this page frequently and noticed just this week BES updated the checkbox below:

Notice the (9) after the check mark. If you scroll down you’ll see the footnote:

That KB is called:

Cannot add users to the BlackBerry Enterprise Server 5.0 in an environment that includes Microsoft Exchange 2010 SP1

You can read more about it here:

http://www.blackberry.com/btsc/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=KB24470&sliceId=1&docTypeID=DT_SUPPORTISSUE_1_1

Essentially it states you’ll run into problems if you choose to deploy Exchange 2010 without public folders (click the link for the fix).  While this could have been true with versions prior to SP1, the (9) only shows in the SP1 column.  Not sure why.

MVP Award

I am honored to join the ranks of the Microsoft MVP award winners!  Thank all of you for your visits here as this blog is a primary way I’ve been able to participate in the Exchange Community!

Exchange 2010 Certifications

On occasion I’m asked to comment on topics over at searchexchange.techtarget.com.  Recently I spoke with Stephen J. Bigelow, one of their Senior Technical Writers, about Exchange certification.

If this is a topic that interests you, see this link:

http://searchexchange.techtarget.com/tip/0,289483,sid43_gci1520343,00.html?track=sy188

I would also like to hear your feedback on Exchange certifications.  Are you certified?  Working on it?  Don’t believe in certifications?

Post a comment!