Category Archives: Exchange 2010

Exchange 2010 Archive Mailbox and Retention Policies–Part 2

DAG, Exchange 2010

Well, a really long time in the making, but one of my most popular articles. With 2013 out there, I figured I would finish this off, and then add a part 3 that shows a quick rundown of how to do the same thing with 2010.

So, we have our Archive Mailbox created. Now, we want to assign a policy so that we perform some automated action, and give users the ability to also make some changes. There are a ton of posts out there on the mechanics of how the Exchange Archive system works, so I won't revisit that. Instead, I'll try to do it with a more real-world example. So for this example, we want to assign our users a policy that performs the following:

  1. Users should have the ability to tag emails to move to archive ASAP
  2. Users should have the ability to tag emails to move to archive if they are older than 30 days
  3. Users should have the ability to tag emails to be deleted older than one week
  4. Users should have the ability to mark emails to never be archived
  5. All Emails in the sent items are deleted after 30 days
  6. All Emails older than 90 days are automatically moved to archive if another policy doesn’t apply

It should be noted that the delete and never-delete actions work on any mailbox, while the archive options require an archive mailbox to be enabled for the user. If an archive mailbox is not enabled, the archive policies have no effect.

Now, if you look at the above, a common question that pops up is around the Never Archive option. If users have this ability, won't they be able to completely override the archive setup and store everything in their mailbox? The answer is technically yes, but if you combine your archive mailboxes with mailbox limits, then the user will hit a point where they can no longer send and/or receive messages, and are forced to archive messages.

So, next we need to create the Archive Policy and the Archive Tags. Real quick: each email or folder can only have one “tag” assigned to it. Emails and folders inherit their parent folder's tag, but it can be overridden. The process that handles the tags on items is the Managed Folder Assistant. The Assistant checks each item for tags. If the item doesn't have a tag explicitly set on it, the assistant checks the parent folder for the appropriate tag. Once it finds a tag, it takes the action that tag specifies. So, let's create the tags needed for our example above. Navigate to Organization Configuration->Mailbox->Retention Policy Tags. Click New Retention Policy Tag and you'll be presented with the following screen:


So, let's create the first tag, move items to archive ASAP. Since there is no ASAP, we will set the Age Limit to 1 day and change the action to Move to Archive. The next thing to change is the Tag Type. If you are giving the users the option to set the tag themselves, it should always be a Personal Tag. The other tags are scoped to a specific folder type, which we will cover later. So our configuration looks like the following:


Create the rest of the tags, which should be the same settings, just a different name and age limit.  The only one that is different is the Never Archive.  Here is the config for that:


This sets the tag to never take action.

So, next are the specific folder actions, for example Sent Items, delete after 30 days. The difference here is that we change the Tag Type to Sent Items:

And the last one, the catch-all: if no other policy applies and the email is older than ninety days, move it to the archive:


Here, we change the Tag Type to All Other Folders in the Mailbox.

Something to note: there can only ever be one tag per specific folder type within a particular policy. In the next step, we will create our policy and assign it to the users. We can only include one tag per specific folder, meaning that if we had two tags that targeted Sent Items, we could not include them in the same policy.

So, let's create the policy. Navigate to Organization Configuration –> Mailbox –> Retention Policies.

Create a New Retention Policy, and give it a descriptive name.  Add the tags we just created:


On the next screen, you can select mailboxes to assign this policy to:


Then create the policy.

We can also assign a policy specifically to a user by going to the Mailbox –> Properties->Mailbox Settings->Message Records Management, and selecting and applying a Retention Policy:


So then you wait for the Exchange server to apply the policies. Remember, Exchange 2010 does this on a work cycle basis: the server is told to complete the task of tagging items and moving them to the archive at least x times in y days. You can check your server by running the command:

Get-MailboxServer -Identity SERVERNAME | Select *ManagedFolderWork*


This should give you a completed run at least once per day. You can also run the assistant manually against a single mailbox with Start-ManagedFolderAssistant -Identity usersaccount.
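Here is the whole server-side procedure above (tags, policy, assignment, work-cycle check and a manual assistant run) as an added Exchange Management Shell example; it is not code from the original post. The tag names, the policy name, SERVERNAME and the mailbox pponzeka are assumptions chosen to match the requirements list.

```powershell
# Added example, not from the post: the six requirements built in the EMS instead of the EMC.
# Names below (tags, policy, SERVERNAME, pponzeka) are assumptions for this example.

# Personal tags: the ones users can pick in Outlook/OWA. Age limits are in days.
$personalTags = @(
    @{ Name = 'Archive ASAP';    Days = 1;  Action = 'MoveToArchive' },
    @{ Name = 'Archive 30 Days'; Days = 30; Action = 'MoveToArchive' },
    @{ Name = 'One Week Delete'; Days = 7;  Action = 'DeleteAndAllowRecovery' }
)
foreach ($t in $personalTags) {
    if (-not (Get-RetentionPolicyTag -Identity $t.Name -ErrorAction SilentlyContinue)) {
        New-RetentionPolicyTag -Name $t.Name -Type Personal -AgeLimitForRetention $t.Days -RetentionAction $t.Action | Out-Null
    }
}
# "Never Archive": a personal tag with retention disabled, so the assistant never acts on it.
New-RetentionPolicyTag -Name 'Never Archive' -Type Personal -RetentionAction MoveToArchive -RetentionEnabled $false | Out-Null

# Folder-scoped tags: a policy may hold only one tag per folder type.
New-RetentionPolicyTag -Name 'Sent Items 30 Day Delete' -Type SentItems -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery | Out-Null
# Type All is the default tag, applied wherever nothing more specific does.
New-RetentionPolicyTag -Name 'Default 90 Day Archive' -Type All -AgeLimitForRetention 90 -RetentionAction MoveToArchive | Out-Null

# One policy linking every tag above.
$tagNames = @($personalTags | ForEach-Object { $_.Name }) + @('Never Archive', 'Sent Items 30 Day Delete', 'Default 90 Day Archive')
New-RetentionPolicy -Name 'Standard Archive Policy' -RetentionPolicyTagLinks $tagNames | Out-Null

# Assign it. MoveToArchive tags do nothing on a mailbox without an archive, so check that first.
$mbx = Get-Mailbox -Identity pponzeka
if (-not $mbx.ArchiveDatabase) {
    Write-Warning "$($mbx.Alias) has no archive mailbox; run Enable-Mailbox -Identity $($mbx.Alias) -Archive or the archive tags will be ignored."
}
Set-Mailbox -Identity $mbx.Alias -RetentionPolicy 'Standard Archive Policy'

# The assistant runs on a work cycle: confirm it is scheduled, then kick it off for this mailbox.
Get-MailboxServer -Identity SERVERNAME | Select-Object Name, ManagedFolderWorkCycle, ManagedFolderWorkCycleCheckpoint
Start-ManagedFolderAssistant -Identity $mbx.Alias
```

The Get-RetentionPolicyTag guard makes the script safe to re-run; the archive check matters because the EMC gives no warning when a MoveToArchive tag is assigned to a mailbox that has no archive.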


Note that it can take more than one run for this to work, as the assistant first needs to go through and tag the items, and then the second run will take action on those items. Now let's look at what the client sees. Keep in mind you can see it from both Outlook 2010 and later and OWA:

In Outlook, the user right-clicks a folder and goes to the Policy tab. There the user will see two drop-downs, one for Retention Policy and one for Online Archive:


The user will never see the default tags, such as the Sent Items tag and the move-to-archive-after-ninety-days tag; only Personal Tags are shown. So let's say I want to set this folder to Never Archive:


I change the Online Archive policy to Never.  If I want the policy to delete everything in the folder and subfolders after one week, I change the Retention Policy to be One Week Delete:


Look for my Exchange 2013 one, hopefully in a shorter time frame than it took for Part 2!

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 4

ActiveSync, Blackberry, Client Access, Exchange 2010, Exchange 2013, Hosting, Netscaler, Security, Xenmobile

See the previous posts in the series:

Part 1

Part 2

Part 3


In this post, we will configure the XenMobile Netscaler Connector and configure the Netscaler itself to query the Netscaler Connector on ActiveSync Connections. 

Let's download the Netscaler Connector from http://www.citrix.com/downloads/xenmobile/product-software/xenmobile-86-mdm-edition.html


Copy the installer to PHDC-XENNC01. We need to ensure that we have .NET Framework 3.5 installed before we install Netscaler Connector. Once that is done, let's begin the install.

This is a very simple, next, next finish install:


Next, lets run the XenMobile Connector Configuration:

On the Web Service Tab, select HTTP and leave it as the default port of 9080


Next, go to the Config Providers tab and click add.  Fill out the information for your Device Manager Server:


Leave everything else default and click save.

Next navigate to the Path Filters tab. Select the only path there, and select edit.

Change the policy to be Static + mobile.accessabacus.com : Block Mode


What this does is tell the system that it will check local rules on the Netscaler Connector, then the Device Manager.  If neither of those rules apply, it will deny the connection. 

After you have made your changes, start up services.msc and manually start these three services:


Next, we configure the Netscaler to check in with the Netscaler Connector during ActiveSync connections.

Log into the Netscaler and go to Service Groups.  Select Add.  Name it NETSCALER-CONNECTOR

Add in your netscaler connector IP and set the Port to 9080, and protocol HTTP


Next go to Virtual Servers and click add to create a new one.

Name it NETSCALER-CONNECTOR and select the protocol as HTTP. Also uncheck “Directly Addressable”, which will clear the IP address and port. This is completely expected.

Add the service group you created to the server:


Next go to AppExpert->HTTP Callouts->Add

Create the name as active_sync_filter.  Set the virtual server to the NETSCALER CONNECTOR server you created earlier.


Click on Configure Request Attributes:

Method -> GET

Host Expression -> "callout.asfilter.internal"

URL Stem Expression -> "/services/ActiveSync/Authorize"

Parameters:

user -> HTTP.REQ.HEADER("authorization").AFTER_STR("Basic").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE

agent -> HTTP.REQ.HEADER("user-agent").HTTP_URL_SAFE

ip -> CLIENT.IP.SRC

url -> ("https://"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL).B64ENCODE

resultType -> "json"

Under Server Response:

Return Type -> Text

Expression to extract data from the response -> HTTP.RES.BODY(20)


Now, create a second callout called active_sync_filter_deviceid. Create everything identical to the callout active_sync_filter, except under Parameters, add one additional parameter:

DeviceId -> HTTP.REQ.URL.QUERY.VALUE("DeviceID")

Next go to Responder->Policies->Add

Create a new policy named active_sync_filter

Select Action = Drop

Expression equals below:


HTTP.REQ.URL.QUERY.CONTAINS("DeviceId") && HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(active_sync_filter).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT


Create a second policy named active_sync_filter_deviceid

Again, set the Action = Drop

Expression equals below:

HTTP.REQ.URL.QUERY.CONTAINS("DeviceId") && HTTP.REQ.URL.STARTSWITH("/Microsoft-Server-ActiveSync") && HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ("callout.asfilter.internal").NOT && SYS.HTTP_CALLOUT(active_sync_filter_deviceid).SET_TEXT_MODE(IGNORECASE).CONTAINS("allow").NOT 


Okay, hang in there, we are almost done.  Now, we need to find our Exchange Load Balancer server in the Netscaler.

Navigate to the Policy tab, select Responder.  Add the policies so that active_sync_filter_deviceid is lower number priority than active_sync_filter
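To make the callout and responder pieces above concrete, here is an added PowerShell model (not code from the post or from Citrix) of what the callout sends and how the responder decides. Get-CalloutParameters applies the same transformations as the callout's parameter expressions; Test-ResponderDrop applies the responder policy's expression. The request, the client IP and the connector's reply are constructed test data, and nothing in it talks to a NetScaler.

```powershell
# Added example, not from the post: a model of the NetScaler callout parameters and
# the responder policy's drop decision. All inputs are constructed test data.

function Get-CalloutParameters {
    param([Parameter(Mandatory = $true)][hashtable]$Request)   # keys: Method, Hostname, Url, Headers, ClientIp

    # user -> HTTP.REQ.HEADER("authorization").AFTER_STR("Basic").B64DECODE.BEFORE_STR(":").HTTP_URL_SAFE
    $b64     = $Request.Headers['authorization'] -replace '^\s*Basic\s*', ''
    $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $user    = $decoded.Substring(0, $decoded.IndexOf(':'))   # the password after ":" is never sent

    # DeviceId -> HTTP.REQ.URL.QUERY.VALUE("DeviceID"); only the second callout sends this.
    # PowerShell hashtables are case-insensitive, so the DeviceID/DeviceId spelling difference does not matter here.
    $query = @{}
    $parts = $Request.Url -split '\?', 2
    if ($parts.Count -eq 2) {
        foreach ($pair in ($parts[1] -split '&')) {
            $kv = $pair -split '=', 2
            $query[$kv[0]] = if ($kv.Count -eq 2) { $kv[1] } else { '' }
        }
    }

    New-Object PSObject -Property @{
        user     = [Uri]::EscapeDataString($user)                                  # HTTP_URL_SAFE
        agent    = [Uri]::EscapeDataString($Request.Headers['user-agent'])
        ip       = $Request.ClientIp                                               # CLIENT.IP.SRC
        url      = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('https://' + $Request.Hostname + $Request.Url))
        DeviceId = $query['DeviceID']
    }
}

function Test-ResponderDrop {
    param([Parameter(Mandatory = $true)][hashtable]$Request,
          [Parameter(Mandatory = $true)][string]$ConnectorReply)
    $query = ($Request.Url -split '\?', 2)[1]
    # The policy only applies to ActiveSync POSTs that carry DeviceId and are not the callout itself...
    $inScope = ($query -and $query.Contains('DeviceId')) -and
               $Request.Url.StartsWith('/Microsoft-Server-ActiveSync') -and
               $Request.Method -eq 'POST' -and
               $Request.Hostname -ne 'callout.asfilter.internal'
    if (-not $inScope) { return $false }   # not evaluated: the request passes to Exchange untouched
    # ...and drops unless the first 20 bytes of the reply (HTTP.RES.BODY(20)) contain "allow", ignoring case.
    $body = if ($ConnectorReply.Length -gt 20) { $ConnectorReply.Substring(0, 20) } else { $ConnectorReply }
    return -not $body.ToLower().Contains('allow')
}

# Constructed sample: a Sync request with Basic auth for soa\jdoe (test password only) from a test IP.
$sample = @{
    Method   = 'POST'
    Hostname = 'mobilemail.accessabacus.com'
    Url      = '/Microsoft-Server-ActiveSync?Cmd=Sync&User=jdoe&DeviceId=ABC123&DeviceType=iPhone'
    Headers  = @{
        'authorization' = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('soa\jdoe:Pa55w0rd'))
        'user-agent'    = 'Apple-iPhone/1104.257'
    }
    ClientIp = '203.0.113.10'
}
Get-CalloutParameters -Request $sample | Format-List
Test-ResponderDrop -Request $sample -ConnectorReply 'allow'   # False: connector allowed the device
Test-ResponderDrop -Request $sample -ConnectorReply 'deny'    # True: NetScaler drops the request
```

Two things the model makes visible: a request that is not a POST, has no DeviceId in its query, or does not start with /Microsoft-Server-ActiveSync never reaches the connector and passes through untouched, so the filtering is only as complete as that expression; and the callout travels as plain HTTP to port 9080 with the username decoded out of the Basic header, so the path between the NetScaler and the connector should stay on the internal network.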


Okay, that’s enough for now.  Next time we will configure Device Manager to deny certain devices based on set criteria and test it out!

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 3

ActiveSync, Client Access, Exchange 2010, Exchange 2013, Netscaler, Xenmobile

See the previous posts in the series:

Part 1

Part 2

Part 4

In the last article, we installed Device Manager.  Now we will configure basic policies and settings.  Log into your instance by going to http://servername/zdm


You will be treated to a “Getting Started with Device Manager” screen which allows you to build the basic policies.

Select that you are not using App Controller:


Leave the Base Package as the name:


Select the Passcode bubble to add it to the policy, then configure the passcode settings you want:


Select Yes, enroll in corporate credentials:


This will bring you to the LDAP directory screen:


Configure your active directory connection.  Ensure to enter a user account that can read from the directory, it only needs to be a Domain User:


Select Next, accept the defaults for the LDAP attributes import:


At the groups to add, you need to select two groups.  One that can be admins of the XenMobile Device Manager server. And the other that can enroll their devices.  We will use Domain Admins to Administrator, and Domain Users to users:


Select Next and then Finish.  The Test Enrollment Screen will show you how you can test from mobile devices:


Click Next->Next-> Go to Device Manager.

Now, we need to configure the Netscaler to present the Device Manager server to the internet as mobile.accessabacus.com.

Log into your Netscaler and go to Traffic Management->Load Balancing->Service Groups

Click Add.  Give a name for the service group, for example XENMOBILE-DEVICEMANAGER-443.  Choose Protocol as SSL Bridge.  Add PHDC-XENDM01 to the members, and select Port 443


Save the group.  Make sure to do the same thing for port 8443:


Finally, create one for HTTP as the protocol on port 80:


Next go to Virtual Servers and click Add:

Create a name for the virtual server, and select Protocol as SSL Bridge, and the Port as 443.  Assign it an IP address.  On the service groups tab, select the service group you created above:


Do the same thing for port 8443:


Finally create the virtual server for HTTP and select the HTTP protocol and service group


Next, point your DNS to the IP address you assigned the load balancer and see if you can resolve the web page.  Remember, you need ports 80, 443 and 8443 open from the external world to the Device Manager Server.

In the next article, we will install XenMobile Netscaler Connector and attach it to the XenMobile Device Manager.

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 2

ActiveSync, Exchange 2010, Exchange 2013, Netscaler, Xenmobile

See other articles in the series:

Part 1

Part 3

In the first article, we went over the basic architecture.  Now we are going to go about installing XenMobile Device Manager on our PHDC-XENDM01 server.

First, let's go to www.citrix.com and download the needed software:

http://www.citrix.com/downloads/xenmobile/product-software/xenmobile-86-mdm-edition.html


Besides that, we also need to install Java on the server.  At the time of this writing, I used Java version 7 Update 51:


We also need to download a specific Java policy, Java Cryptography Extension Unlimited Strength from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Once we have the software, let's log into PHDC-XENDM01, which is running Windows Server 2012 Standard.

First, let's disable IPv6 on the server. Run the following command from PowerShell:

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters -Name DisabledComponents -PropertyType DWord -Value 0xffffffff

Also, run msconfig and disable UAC:


After, reboot the server.

Once it comes back up, it’s time to install Java.  This is a simple, next, next finish install:


Next, we need to go into UnlimitedJCEPolicy folder.  We need to copy the two files local_policy.jar and US_Export_policy.jar:


To the following two locations:

C:\Program Files\Java\jdk1.7.0_51\jre\lib

C:\Program Files\Java\jre7\lib

If you don’t complete the above steps, you will get an error when you launch the Device Manager console, and iOS devices will not be able to register.
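The IPv6 and JCE steps above as one checked script, added here as an example rather than taken from the post. The Java paths are the ones the post lists; the folder the JCE zip was extracted to is an assumption, and the script is meant to run elevated on PHDC-XENDM01.

```powershell
# Added example, not the post's commands: IPv6 registry value, UAC state report, and
# JCE policy jars copied to both Java lib folders with hash verification.

# IPv6: the post's registry value, written so the script can be re-run (New-ItemProperty fails if it exists).
$ipv6 = 'HKLM:\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters'
if (Get-ItemProperty -Path $ipv6 -Name DisabledComponents -ErrorAction SilentlyContinue) {
    Set-ItemProperty -Path $ipv6 -Name DisabledComponents -Value 0xffffffff
} else {
    New-ItemProperty -Path $ipv6 -Name DisabledComponents -PropertyType DWord -Value 0xffffffff | Out-Null
}

# UAC: the post turns it off via msconfig; record the current state so the change is visible in your build notes.
$lua = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
Write-Host ("EnableLUA = {0} (0 = UAC disabled; a reboot is required after changing it)" -f $lua)

# SHA-256 helper that also works on PowerShell 2/3 (Get-FileHash needs PowerShell 4).
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [Security.Cryptography.SHA256]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' } finally { $fs.Dispose() }
}

# JCE unlimited-strength policy: both jars into both lib folders the post names.
$jceSource = 'C:\Install\UnlimitedJCEPolicy'     # assumption: where the JCE download was unzipped
$targets   = 'C:\Program Files\Java\jdk1.7.0_51\jre\lib', 'C:\Program Files\Java\jre7\lib'
$jars      = 'local_policy.jar', 'US_Export_policy.jar'

foreach ($dir in $targets) {
    if (-not (Test-Path $dir)) { Write-Warning "$dir not found: install Java first"; continue }
    foreach ($jar in $jars) {
        $src = Join-Path $jceSource $jar
        $dst = Join-Path $dir $jar
        Copy-Item -Path $src -Destination $dst -Force
        if ((Get-Sha256Hex $src) -ne (Get-Sha256Hex $dst)) { throw "Copy of $jar to $dir failed verification" }
    }
    Write-Host "JCE policy jars in place: $dir"
}
```

The hash check catches the common failure mode here: a locked or read-only jar that Copy-Item overwrote only partially, which surfaces later as the Device Manager console error the post describes.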

Next, let's get SQL ready. We need to open SQL Management Studio on PHDC-SQL01. Navigate to Security->Logins->New Login:


Make sure you create the login as SQL Server authentication.  We will use the login name xenmobile and set the password to whatever you like.  Next click the server roles tab, and we will select sysadmin.  Make sure that this security is allowed in your environment before making this setup.


Before we start the install of Device Manager, if we are registering iOS devices, we need to request a certificate from Apple for an APNS certificate.  We then need to submit that request to XenMobile helpdesk for them to sign the request before completing the request with apple.

On a server with IIS installed (not the XenMobile Device Manager server, as IIS will break Device Manager), we need to create a certificate request for our Device Manager namespace, which in our case is mobile.accessabacus.com .  Open IIS Manager and click on Server Certificates:


Then click on create Certificate Request, and fill out the certificate.  Ensure the common name is the one that devices will be hitting to register with Device Manager.  Again ours is mobile.accessabacus.com


Select Next, and on Cryptographic Service Provider Properties, change the Bit Length to 2048:


Select next, and save the request to your c drive:


Next create an email to support@zenprise.com and request to have the certificate signed, ensure to attach the request you created above.  You will receive an email back with the signed request.

Take the file you get back and log into https://identity.apple.com/pushcert. If you don't have a developer ID, create one; it's free.

Click Create a Certificate:


Accept the agreement, and upload the signed request file.  You can then download your complete certificate request:


Now, log back into the same server where you created the certificate request and go back to IIS->Server Certificates.  Now click on Complete Server Certificate, and select the file you downloaded from the Apple website.  Give it a friendly name so you can easily identify it.  In my case I’ll call it iOS MDM.


Next, open up MMC on the same server you completed the certificate request on. Click on File->Add/Remove Snap in, select certificates and add it, select local computer:


Navigate to Certificates->Personal->Certificates.  Select the iOS MDM you created before, right click and select all tasks, export:


Ensure you select Yes Export the private key:


It will ask you to password protect the file, ensure you remember it as you will need it when you install Device Manager.


Select a file name and save the file:


Okay, we are FINALLY ready to install Device Manager.

Copy the PFX file you exported to PHDC-XENDM01. Then, let's run the XenMobileDeviceManager installer.

Select Next until you get to the component screen. Unselect Database Server. This will allow us to use Microsoft SQL Server instead of the PostgreSQL that comes with Device Manager:


Select the default install path and click next, let the installer begin.  It will ask you for the license file for the install, browse to it and select the file.  You can request free trials from Citrix as well:


Next brings you to Configure Database Connection.  Select SQL Server/jTDS.  Fill out the info:


The user name should be the user we created in SQL before. The database name can be anything you want; the installer will realize it's missing and ask if you want to create it when you select Check the connection:


Click create, and then next.

Leave this screen blank, and select next:


Select next at the Configure iOS usage screen:


Then click on next through all the IP configuration:


Next we come to Define the Root Certification Authority. This will create a self-signed certificate store. Enter a keystore password to create it, and do the same for the next three screens:


For the last one, define a certificate for HTTPS, you need to add the FQDN that users connect to this server on. In our case, it's mobile.accessabacus.com:


**If after you want to replace this certificate with your own, complete the install and then follow my article here: http://port25guy.com/2013/11/18/import-a-3rd-party-certificate-into-xenmobile/**

Next page, browse to the PFX file that holds your Apple APNS certificate, and enter the password you used to protect it:


Select next, leave the default port for Remote Support tunnels:


Next, select the default admin username and password:


Click Next, and then finish.

Next time, we will go over configuring the XenMobile Device Manager Server and publishing it using the Netscaler.

How to Install XenMobile 8.6 with XenMobile Netscaler Connector and XenMobile Mail Manager–Part 1

ActiveSync, Exchange 2010, Exchange 2013, Xenmobile

Read other articles in the series:

Part 2

Part 3

Citrix XenMobile is a Mobile Device Management software that allows you to control ActiveSync devices at the corporate level.  While many people assume this means pushing email profiles to the device and controlling ActiveSync access, it is in fact much more than that.  You have the ability to control and push applications to the devices, security on the devices among many other things.  That being said, there can be a lot of complexity and moving parts to get the solution working.  I thought it would be good, for my own sanity, but also for others to see the steps to set up a real world example.  I’ll do it in the style of a business case so we can outlay what the business requirements are, how the architecture looks, and then go about installing and configuring the necessary items.

Requirements:

There are several goals for the SOA Corporation that they want to achieve out of this Mobile Device Management implementation.

  1. Restrict unmanaged devices from being able to connect to the Exchange environment using ActiveSync.
  2. Force all devices, employee owned or not, to first be registered with XenMobile before they are allowed to receive corporate resources such as ActiveSync profiles and applications.
  3. Management wants to be able to wipe just the corporate data off of the devices and leave the rest of the employee owned device alone.
  4. Management would like to minimize the helpdesk from having to manually allow devices for users.


Existing Architecture:

The existing Exchange architecture is simple for this case.  We have a single, multi-role Exchange  server sitting in our datacenter.  We also are utilizing Citrix Netscalers to publish Exchange resources to the internet.  Users access ActiveSync currently by using the namespace mobilemail.accessabacus.com.


Now, after we implement the XenMobile solution, our architecture will look like the following:


Now, there are a couple things to note.  First off, I stink at Visio, so I did the best that I could.  After our installation though, we will have the following servers:

  1. PHDC-SOAEXC1 – Exchange Multi Role Server
  2. PHDC-XENDM01 – XenMobile Device Manager Server
  3. PHDC-XENNC01 – XenMobile Netscaler Connector Server
  4. PHDC-XENMM01 – XenMobile Mail Manager Server
  5. PHDC-SQL01 – SQL Server to host the XenMobile Device Manager and XenMobile Mail Manager Databases


The external namespaces will be:

  1. Mobilemail.accessabacus.com – Exchange ActiveSync URL
  2. Mobile.accessabacus.com – XenMobile Device Registration Site


What Does Each Component Do?

XenMobile Device Manager Server

This is the “brains” of the XenMobile operation. It is the management server where you define device policies, manage user devices and have visibility into the environment. This server hosts the Mobile.accessabacus.com web page, and is where we need to point our mobile devices in order to register them with XenMobile.

XenMobile Netscaler Connector

This server runs a service that is responsible for “intercepting” Exchange ActiveSync requests from end user devices. It does this via HTTP callouts in the Netscaler (which we will explain and discuss later in the series). When it intercepts a request, it asks the XenMobile Device Manager server about the device in question. Based on the policies in place, the Device Manager server tells the Netscaler Connector whether the ActiveSync device should be allowed or not. If it shouldn't be allowed, the Connector tells the Netscaler to drop the connection and the user's device will get a “cannot connect” error. If it should be allowed, the Netscaler Connector tells the Netscaler to let the device connect to the Exchange server as normal. Think of Netscaler Connector as a network-level firewall for Exchange ActiveSync.

XenMobile Mail Manager

This server runs a service that interrogates Exchange through remote PowerShell. It allows XenMobile to see all devices that have Exchange ActiveSync connections, regardless of whether they are managed by XenMobile or not. It is essentially running the Get-ActiveSyncDevice command for every mailbox in the environment and reporting back to XenMobile Device Manager. It also, though, gets updates from Device Manager about whether a device should be allowed or not. For instance, a user's device connects to ActiveSync, then violates a company rule, say by removing the passcode from the device. XenMobile Device Manager will realize this and send a command to Mail Manager. Mail Manager will then, using PowerShell, apply an Exchange ActiveSync block on this particular device for the user, stopping it from connecting to ActiveSync. Just as the Netscaler Connector is a network-level firewall for Exchange ActiveSync, think of Mail Manager as an application-level firewall for Exchange ActiveSync.

Mail Manager also works with Exchange’s Quarantine functionality.  This means that you set Exchange to quarantine every new device that starts an ActiveSync relationship.  Usually, an admin needs to go in and manually allow each device.  In XenMobile, if that user registers their device with XenMobile Device Manager, Device Manager will then send a command to Mail Manager to create an ActiveSync allow rule for that user, automating the entire process!

As of this writing though, Mail Manager does not yet support Exchange 2013 so you need to point it to a server running the Exchange Management Tools for Exchange 2010.  Just an FYI.

Well, that is the basic architecture and overall goal of the project. Next, we will jump into installing XenMobile Device Manager.

How to Delete Emails from Mailboxes in Exchange 2010 Using Search-Mailbox

Exchange 2010, Exchange 2013, Scripting, Security

Quick post today. If you have criteria for emails that you want to delete from all mailboxes, you can use Search-Mailbox to delete the messages from users' mailboxes. For example, you get hit with a virus email that has the subject “I am a virus” from the user virussender@virus.com.

The search below goes through all mailboxes and deletes any email with the subject “I am a virus”:


Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'subject:"I am a virus."' -TargetMailbox "adminmailbox" -TargetFolder "DeleteVirus" -LogLevel Full -DeleteContent


The above command deletes the emails from the users' mailboxes and copies them to adminmailbox in the folder DeleteVirus. Get-Mailbox returns only 1000 mailboxes by default, so -ResultSize Unlimited is needed for the search to really cover all of them.

The next search does it based on the sender of the email:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'from:virussender@virus.com' -TargetMailbox "adminmailbox" -TargetFolder "DeleteVirus" -LogLevel Full -DeleteContent


The above search does the same thing as the first, except this query does it based on the from address of the sender versus the subject.

If you log into the admin mailbox, you can see the results of the search and log files for it:


You can also run the same commands without the -DeleteContent switch to copy the messages to the admin mailbox for review before running the commands to delete.
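The same purge run in stages, so the deletion only happens after the matches have been counted and copied out for review; this is an added example, not the post's command. adminmailbox and DeleteVirus are the post's names; the function name and the staging are assumptions of the example.

```powershell
# Added example, not from the post: estimate, then copy and log, then (only with -Delete) delete.
function Invoke-StagedMailboxPurge {
    param(
        [Parameter(Mandatory = $true)][string]$SearchQuery,   # KQL, e.g. 'subject:"I am a virus"' or 'from:virussender@virus.com'
        [string]$TargetMailbox = 'adminmailbox',
        [string]$TargetFolder  = 'DeleteVirus',
        [switch]$Delete                                       # without this switch nothing is deleted
    )
    # Get-Mailbox returns 1000 objects by default; without Unlimited the tail of a large org is silently skipped.
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # Stage 1: count matches without touching anything.
    $estimate = $mailboxes | Search-Mailbox -SearchQuery $SearchQuery -EstimateResultOnly
    $hits     = ($estimate | Measure-Object -Property ResultItemsCount -Sum).Sum
    $affected = @($estimate | Where-Object { $_.ResultItemsCount -gt 0 }).Count
    Write-Host ("{0} matching item(s) in {1} mailbox(es)" -f $hits, $affected)
    if (-not $hits) { return }

    # Stage 2: copy the matches plus a full log into the admin mailbox for review.
    $mailboxes | Search-Mailbox -SearchQuery $SearchQuery -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full | Out-Null

    # Stage 3: delete. -DeleteContent prompts per mailbox unless -Force is given.
    if ($Delete) {
        $mailboxes | Search-Mailbox -SearchQuery $SearchQuery -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full -DeleteContent -Force
    }
}

# Review first:
Invoke-StagedMailboxPurge -SearchQuery 'subject:"I am a virus"'
# Then, once the DeleteVirus folder looks right:
Invoke-StagedMailboxPurge -SearchQuery 'from:virussender@virus.com' -Delete
```

Search-Mailbox itself needs the Mailbox Search role (Discovery Management), while -DeleteContent additionally needs the Mailbox Import Export role, which no role group holds by default; if stage 3 fails with a parameter-not-found error, that assignment is what is missing.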

Remember, do this at your own risk and test test test before you run it!

User Cannot Set an Out of Office in Exchange 2010/2013 or EventID 3004 Appears in your Event Log

exchange 2007, Exchange 2010, Exchange 2013

Recently had an issue where a user was setting an Out of Office in their Outlook client, but when a different user emailed them, no Out of Office was sent. We did the traditional troubleshooting steps: check rules on the far side, check the junk box, check OWA to ensure the Out of Office was set. Everything looked good. Strangely enough, if an internal user went to email the person going on vacation, they would receive a MailTip to that effect:


But when you sent the email to Paul Ponzeka, you would not get an Out of Office back. So what gives?

One of the steps we took was to check if Microsoft Exchange Mailbox Assistants service was running.  It was, we restarted it, but still same effect.  One of the responsibilities of the Microsoft Exchange Mailbox Assistants service is to handle enabling the Out of Office.  In this case, it didn’t resolve anything.

The next step we took was to try disabling and re-enabling the Out of Office message, and then checking the event log on the Mailbox server. Lo and behold, we found our answer:


The above is EventID 3004 from the MsExchangeMailboxAssistants.  As you can see, there is an error stating the rules quota of the mailbox has been reached and the automatic reply rules can’t be enabled or updated.

Well, we found our issue, how do we fix it?  There are two ways.

The first: the user can go through their Outlook rules and edit or delete existing rules. Keep in mind that the length of both the rule actions and the NAMES of the rules themselves affects the size of the rules.

The second is, the Exchange admin can increase the size of the rules quota.  By default, all mailboxes have a 64 KB quota, think of this as mailbox limits for Outlook rules.  We can increase this up to 256 KB on Exchange 2007 and later.  Exchange 2003 we cannot increase the rule size unfortunately, but that’s okay, because you should be off Exchange 2003 by now!

So, how do we increase the quota?  Easy.  Open Exchange Management Shell.  We can check the existing quota of the user pponzeka by running the command:

Get-Mailbox -Identity pponzeka | select RulesQuota


As we can see, it's set to 64 KB. To increase it, we run:

Set-Mailbox -Identity pponzeka -RulesQuota 256KB


And there we go, we can check by running the same Get-Mailbox as above to confirm:


Now, you cannot go past 256KB, this is the error you get, in this example I tried to set it to 512KB:

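An added example (not from the post) that turns the diagnosis above into something repeatable: pull the 3004 events from a mailbox server's Application log, then raise the quota with the 256 KB ceiling enforced and the before/after values returned for the ticket. The server name MBXSERVER and the mailbox pponzeka are assumptions.

```powershell
# Added example, not from the post: find EventID 3004 from MSExchangeMailboxAssistants and
# raise a mailbox's RulesQuota without exceeding the 256 KB maximum.
function Get-RulesQuotaEvents {
    param([string]$ComputerName = 'MBXSERVER', [int]$Days = 7)   # MBXSERVER is a placeholder
    # Source and ID as they appear in the post's event log screenshot.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchangeMailboxAssistants'
        Id           = 3004
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, MachineName, Message
}

function Set-RulesQuotaChecked {
    param([Parameter(Mandatory = $true)][string]$Identity, [int]$KB = 256)
    if ($KB -gt 256) { throw "RulesQuota cannot exceed 256 KB on Exchange 2007 and later" }
    $before = (Get-Mailbox -Identity $Identity).RulesQuota
    Set-Mailbox -Identity $Identity -RulesQuota ("{0}KB" -f $KB)
    New-Object PSObject -Property @{
        Mailbox = $Identity
        Before  = $before
        After   = (Get-Mailbox -Identity $Identity).RulesQuota
    }
}

# Who has hit the quota in the last day, then fix the user from the post:
Get-RulesQuotaEvents -ComputerName 'MBXSERVER' -Days 1
Set-RulesQuotaChecked -Identity pponzeka -KB 256
```

The event message names the affected mailbox, so the first function is a quick way to find users who have the problem before they call, and the throw in the second keeps the script from failing halfway through with the error the post shows for 512KB.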

(UPDATED) How to Get a Report of Active Sync Devices in Exchange 2010/Exchange 2013

ActiveSync, Exchange 2010, Exchange 2013, Scripting

***UPDATE***


There was a lot of feedback from people who wanted extra items and fields added, so I edited the original script. It will now also include the user's Primary SMTP Address, LastSyncAttemptTime and LastSyncSuccessTime. I also edited it for environments with over a thousand mailboxes. The updated script code is at the bottom of this post.

The new output will look like this:


Ever had the need to get a nice report of all active sync devices in your Exchange organization?  Well then I have the script for you!

This script goes through all ActiveSync devices and matches them up with their respective owners. It also outputs the Device Type, Device Model and, most importantly, the Device OS.

Why is this important? As some of you remember from a short while back, there was an issue with Apple iOS devices causing excessive logging on Exchange Mailbox servers. As part of the fix, you could block or quarantine those devices. You most likely want to be able to see who you are blocking, though, so you know who you're going to annoy and can warn them preemptively.

The script requires 4 parameters to run, and should be run from an Exchange Management Shell:

  1. SMTPServer = SMTP server as the report will send you a copy of the report
  2. SMTPFrom = The FROM address of the email
  3. SMTPTo = The recipient of the email
  4. ExportPath = The folder location where you want the CSV export of the report. 

For example, to send the report to admin@port25guy.com using the SMTP server relay.port25guy.com, have the from address be reports@port25guy.com and export the CSV to C:\Reports:

Get-ActiveSyncReport.ps1 -exportpath C:\Reports -smtpserver relay.port25guy.com -smtpfrom reports@port25guy.com -smtpto admin@port25guy.com

After running that, if we check the C:\reports folder we should have a nice CSV export:

image
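As an added example (not part of the original post or script), here is how the report feeds into the block-or-quarantine decision mentioned above: it reads the CSV the script exports, summarises the device OS versions, shows who would be affected by a rule against one OS build, and then creates a quarantine rule for that build instead of an outright block. The CSV path and the OS string are placeholders; replace them with the path you passed as ExportPath and an exact DeviceOS value taken from your own report.

```powershell
# Added example, not from the original script. Run from the Exchange Management Shell.
$ReportPath = 'C:\Reports\ActiveSyncReport.csv'   # assumption: ExportPath used when the report was run

$Devices = Import-Csv -Path $ReportPath

# Which OS versions are out there, and how many devices run each one?
$Devices | Group-Object DeviceOS | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Who would be hit by a rule against one specific OS build? Warn these people first.
$TargetOS = 'iOS 6.1 10B141'   # placeholder: copy the exact DeviceOS string from your report
$Affected = $Devices | Where-Object { $_.DeviceOS -eq $TargetOS }
"Devices running '$TargetOS': $(@($Affected).Count)"
$Affected | Select-Object User, PrimarySMTPAddress, DeviceModel, LastSuccessSync | Format-Table -AutoSize

# Tell admins and users what is going on when a device is quarantined
Set-ActiveSyncOrganizationSettings -AdminMailRecipients admin@port25guy.com `
    -UserMailInsert 'Your device has been quarantined by IT; please contact the helpdesk.'

# Quarantine rather than block: the devices stay registered but stop syncing until an admin
# releases them, which is easier to undo than a block if the match is wider than intended.
New-ActiveSyncDeviceAccessRule -QueryString $TargetOS -Characteristic DeviceOS -AccessLevel Quarantine

# Verify the rule exists and see which devices the access state now reports as quarantined
Get-ActiveSyncDeviceAccessRule | Format-Table Name, QueryString, Characteristic, AccessLevel -AutoSize
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceOS, DeviceAccessStateReason -AutoSize
```

The rule matches the DeviceOS string exactly as the device reports it, so the summary step matters: one vendor build often shows up under several slightly different strings, and you need one rule per string you actually want caught.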

And a nice email report in your inbox:

 

image

You can download the script from the link below; just rename the file to the .ps1 extension.

Here is the ***UPDATED*** script block as well:

 

### BEGINNING OF SCRIPT

#####
#
# Get-ActiveSyncDeviceReport
# Author: Paul Ponzeka
# Website: port25guy.com
# email ponzekap2 at gmail dot com
#
# Run from the Exchange Management Shell. Writes <ExportPath>\ActiveSyncReport.csv
# and emails an HTML copy of the same table.
#
######
param(
    [Parameter(Mandatory = $true)]
    [string] $SMTPServer,
    [Parameter(Mandatory = $true)]
    [string] $SMTPFrom,
    [Parameter(Mandatory = $true)]
    [string] $SMTPTo,
    [Parameter(Mandatory = $true)]
    [string] $ExportPath
)

#######
#
# HTML Formatting Section
# Thanks to Paul Cunningham at http://exchangeserverpro.com/
#
#######
$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"

$messageSubject = "ActiveSync Device Report"

$message = New-Object System.Net.Mail.MailMessage $SMTPFrom, $SMTPTo
$message.Subject = $messageSubject
$message.IsBodyHTML = $true

####  Get Mailboxes and their ActiveSync devices

$AllEASDevices = @()

# -ResultSize Unlimited lifts the default cap of 1000 mailboxes
$EasMailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($EASUser in $EasMailboxes) {
    # Look devices up by mailbox identity; an alias is not guaranteed to be unique
    $UserDevices = Get-ActiveSyncDevice -Mailbox $EASUser.Identity
    if ($UserDevices) {
        foreach ($EASUserDevice in $UserDevices) {
            $EASDeviceStatistics = $EASUserDevice | Get-ActiveSyncDeviceStatistics
            # One new object per device so every row in the report is independent
            $AllEASDevices += New-Object PSObject -Property @{
                User                = $EASUser.DisplayName
                PrimarySMTPAddress  = $EASUser.PrimarySmtpAddress.ToString()
                DeviceType          = $EASUserDevice.DeviceType
                DeviceModel         = $EASUserDevice.DeviceModel
                DeviceOS            = $EASUserDevice.DeviceOS
                LastSyncAttemptTime = $EASDeviceStatistics.LastSyncAttemptTime
                LastSuccessSync     = $EASDeviceStatistics.LastSuccessSync
            }
        }
    }
}

# Select-Object fixes the column order (a hashtable does not preserve it), then sort by user
$AllEASDevices = $AllEASDevices |
    Select-Object User, PrimarySMTPAddress, DeviceType, DeviceModel, DeviceOS, LastSyncAttemptTime, LastSuccessSync |
    Sort-Object User
$AllEASDevices
$AllEASDevices | Export-Csv -Path (Join-Path $ExportPath "ActiveSyncReport.csv") -NoTypeInformation

######
#
# Send Email Report
#
########

# ConvertTo-Html returns an array of lines; Out-String joins them into the single string MailMessage.Body expects
$message.Body = $AllEASDevices | ConvertTo-Html -Head $style | Out-String

$smtp = New-Object Net.Mail.SmtpClient($SMTPServer)
$smtp.Send($message)

##END OF SCRIPT

Also, special thanks to Paul Cunningham at http://exchangeserverpro.com. He wrote the HTML formatting section in the script that makes this look nice and pretty, versus my junky plain text (http://exchangeserverpro.com/powershell-html-email-formatting). If you haven't checked out Paul's site you should; he has great information on there.

Hope you find the script helpful!

Witness Server Boot Time, GetDagNetworkConfig and the pain of Exchange 2010 DR Tests

Exchange 2010, High Availability

 

So we recently had a client who wanted to perform a DR test of their Exchange 2010 DAG.  The DAG consisted of a single, all in one server in production, and a single all in one server in DR.  The procedure for this test was to disconnect all network connectivity between prod and DR, shutdown the exchange server and the domain controller, snapshot them, and then start them back up.

Now, we can all agree that snapshots and domain controllers are inherently dangerous, so it's up to you to ensure that you have your ducks in a row and that this doesn't replicate back to production. That discussion is outside this article.

Now, initially they had trouble bringing up the databases in DR, as well as many components of the DAG.  This article will walk through an example, and try to make sense of what’s causing these issues.

So, here is our setup, we have a two node DAG cluster, stretched across two sites. 

Production

PHDC-SOAEXC01 – Prod all in one Exchange Server

PROD-DC01 – Prod domain controller

PHDC-SOADC01 – Primary witness server

DR

SFDC-SOAEXC01 – DR all in one Exchange Server

DR-DC01 – DR domain controller

SFDC-SOADC01 – Alternate witness server

The DAG name is SOA-DAG-01 and the Active Directory Sites are:

Prod = PH

DR = SF

So in our scenario, we shut down both PHDC-SOAEXC01 and PHDC-SOADC01. This will cause the databases in DR to dismount, because the DR server has lost quorum.

Now, in a DR "test", we would shut down the DR Exchange server and the DR domain controller to snapshot them. I just want to warn you, DO NOT EVER roll a domain controller back to a snapshot in a production environment. This is a purely hypothetical setup. Rant over.

Now, in our case, we have snapshotted and rebooted DR-DC01 and SFDC-SOAEXC01. When we open the Exchange Management Console, we see that the DR server's databases are in a failed state:

image

Now, lets start running through the DR activation steps.  Here is what the process should normally be:

  1. Stop the mailbox servers in the prod site
  2. Stop the cluster service on all mailbox servers in the DR site
  3. Restore the mailbox servers in the DR site, evicting the prod servers from the cluster

After step 3, the databases should mount, but as you will see, they won't, and I'll try to explain why.

So, step 1, lets mark the prod servers as down:

Stop-DatabaseAvailabilityGroup SOA-DAG-01 -ActiveDirectorySite PH -ConfigurationOnly

You should expect to see some errors; this is completely expected because the prod site is unavailable, hence the -ConfigurationOnly option:

image

Now, step 2, we will stop the clustering service on SFDC-SOAEXC01 with the powershell command:

Stop-Service ClusSvc

Now, step 3, we will restore the dag with just the servers in DR:

Restore-DatabaseAvailabilityGroup SOA-DAG-01 -ActiveDirectorySite SF

You may get an error stating:

Server 'PHDC-SOAEXC01' in database availability group 'SOA-DAG-01' is marked to be stopped, but couldn't be removed from the cluster. Error: A server-side database availability group administrative operation failed. Error: The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: An error occurred while attempting a cluster operation. Error: Cluster API 'EvictClusterNodeEx('PHDC-SOAEXC01.SOA.corp') failed with 0x46'.

Simply re-run the command again and it should complete:

image

So now, we should have the databases mounted, and we should be able to see the prod servers as stopped by running the following command:

Get-DatabaseAvailabilityGroup -Status | FL

But, behold, we get an error stating "GetDagNetworkConfig failed on the server. Error: the NetworkManager has not yet been initialized":

image

So, here is the first road block. Since the DR server is now a single node, it uses the boot time of the alternate file share witness to decide whether it is allowed to form quorum. A one-node cluster always has quorum on its own, and this check exists to prevent split brain. Tim McMichael's blog post explains it well. The relevant values are stored in the registry of the Exchange server under:

HKEY_LOCAL_MACHINE\Software\Microsoft\ExchangeServer\v14\Replay\Parameters

If the Exchange server was rebooted more recently than the AFSW, it will not form quorum. So how do we fix it? We can start by rebooting the AFSW and seeing what behavior changes.

After we do so, we can re-run:

Get-DatabaseAvailabilityGroup -Status | FL

Now, we get the network and stopped servers info, but there are some entries that are in a broken state, and we get the message that the DAG witness is in a failed state:

image

Note that the WitnessShareInUse field reports InvalidConfiguration.

We have to re-run our Restore-DatabaseAvailabilityGroup command to resolve this:

Restore-DatabaseAvailabilityGroup SOA-DAG-01 -ActiveDirectorySite SF

Now if we re-run Get-DatabaseAvailabilityGroup -Status | FL we get the expected output:

image

Now, we see that the WitnessShareInUse is set to the alternate.

So, are the databases mounted!? If we check, they are no longer failed, but are “Disconnected and Resyncing”

image

We need to force the server in DR to start because of the single node quorum issue.  This can be done with the following command:

Start-DatabaseAvailabilityGroup SOA-DAG-01 -ActiveDirectorySite SF

Now the database is mounted:

image

So, you can see that the way the test is carried out affects what happens during the DR activation, and that the single node cluster setup itself can cause these issues. The boot time of the alternate file share witness is also extremely important to what the node can do when it restarts.
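The whole activation above as one script, with the witness boot-time comparison run first and a retry around Restore-DatabaseAvailabilityGroup. This is an added example and not part of the original post; it uses the DAG, site and server names from this post and assumes it is run from the Exchange Management Shell on the surviving DR node by an account that can query WMI on the alternate witness. The Get-BootTime helper is mine, not an Exchange cmdlet.

```powershell
# Added example, not from the original post. Run from the Exchange Management Shell on the
# surviving DR node (SFDC-SOAEXC01). Names are the ones used in this post.
$DagName    = 'SOA-DAG-01'
$ProdSite   = 'PH'
$DrSite     = 'SF'
$AltWitness = 'SFDC-SOADC01'

# Last boot time of a machine via WMI (assumes the account running this can query WMI on the witness)
function Get-BootTime {
    param([string]$ComputerName)
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    return $os.ConvertToDateTime($os.LastBootUpTime)
}

# Pre-flight: a lone surviving node compares its own boot time with the alternate witness's.
# If this node booted after the witness, Get-DatabaseAvailabilityGroup -Status fails with
# "NetworkManager has not yet been initialized" until the witness has been rebooted.
$MyBoot      = Get-BootTime -ComputerName $env:COMPUTERNAME
$WitnessBoot = Get-BootTime -ComputerName $AltWitness
"This node booted:         $MyBoot"
"Alternate witness booted: $WitnessBoot"
if ($MyBoot -gt $WitnessBoot) {
    Write-Warning "This node was rebooted after $AltWitness; reboot the witness before continuing."
}
# The values the node keeps about this live under the Replay parameters key; dump them for the record
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\ExchangeServer\v14\Replay\Parameters'

# Step 1: mark the production site's servers as stopped. Prod is unreachable, so configuration
# only; errors about not being able to contact PHDC-SOAEXC01 are expected here.
Stop-DatabaseAvailabilityGroup -Identity $DagName -ActiveDirectorySite $ProdSite -ConfigurationOnly -Confirm:$false

# Step 2: stop the cluster service on this (DR) node
Stop-Service -Name ClusSvc

# Step 3: restore the DAG with only the DR site. The first attempt commonly fails evicting the
# prod node (EvictClusterNodeEx ... 0x46), so retry a few times.
$restored = $false
for ($attempt = 1; $attempt -le 3 -and -not $restored; $attempt++) {
    try {
        Restore-DatabaseAvailabilityGroup -Identity $DagName -ActiveDirectorySite $DrSite -Confirm:$false -ErrorAction Stop
        $restored = $true
    } catch {
        Write-Warning "Restore attempt $attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds 30
    }
}

# Check the witness: WitnessShareInUse must read Alternate, not InvalidConfiguration
$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
$dag | Format-List Name, WitnessServer, AlternateWitnessServer, WitnessShareInUse, StartedMailboxServers, StoppedMailboxServers
if ("$($dag.WitnessShareInUse)" -ne 'Alternate') {
    Write-Warning "Witness not in use yet; re-run Restore-DatabaseAvailabilityGroup and check again."
}

# Step 4: with a single node, force the DR site started so the copies go from
# "Disconnected and Resyncing" to Mounted
Start-DatabaseAvailabilityGroup -Identity $DagName -ActiveDirectorySite $DrSite -Confirm:$false

# Verify the copy status on this node
Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME | Format-Table Name, Status, ContentIndexState -AutoSize
```

The boot-time check is the part worth keeping for any future test: if it warns, reboot the witness and re-run the script from the top rather than pushing through the remaining steps, since Restore will only report InvalidConfiguration for the witness until that condition clears.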

Hopefully you find the info useful!  Happy Holidays to all!

Cisco Call Manager and Exchange 2010 Unified Messaging–Fast Busy Signal When Calling Voicemail

Exchange 2010, Unified Messaging

 

In this article I spoke about how to configure the Exchange 2010 side of Unified Messaging with Cisco Call Manager:

http://port25.wordpress.com/2012/07/18/cisco-call-manager-and-exchange-2010-unified-messaging/

I wanted to point out this issue in a separate article because it seems a decent amount of people are having the same issue.

After we configured Exchange 2010 UM with Cisco Call Manager, we got a fast busy signal when calling the users voicemail.  After turning up diagnostic logging on all of the Exchange UM servers, we would see the SIP connection hit:

image

But the user would get a fast busy, and we saw event ID 1006 in the event log, which stated "The Unified Messaging server has ended a call with ID … because the user at the far end disconnected":

image
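An added example (not from the original post) of the two diagnostic steps described above: raising the UM diagnostic logging level on each UM server, then pulling the event ID 1006 entries so you can count the dropped calls before and after the Call Manager change. The function names are mine; the event source filter 'MSExchange Unified Messaging' and piping Get-EventLogLevel output into Set-EventLogLevel are assumptions based on the documented cmdlets, so check them in your own shell.

```powershell
# Added example, not from the original post. Run from the Exchange Management Shell.

# 1. Raise every "MSExchange Unified Messaging" diagnostic category to the requested level on
#    each UM server. Category names differ between versions, so they are discovered, not hard-coded.
function Set-UMDiagnosticLogging {
    param([ValidateSet('Lowest','Low','Medium','High','Expert')][string]$Level = 'High')
    foreach ($Server in (Get-UMServer)) {
        # assumption: Set-EventLogLevel binds Identity from the piped Get-EventLogLevel objects
        Get-EventLogLevel -Server $Server.Name |
            Where-Object { $_.Identity -like 'MSExchange Unified Messaging\*' } |
            Set-EventLogLevel -Level $Level
    }
}

# 2. Collect the event ID 1006 "ended a call ... because the user at the far end disconnected"
#    entries from a UM server's Application log for the last N hours.
function Get-UMFarEndDisconnects {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # assumption: the UM event source name starts with "MSExchange Unified Messaging"
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Application'; Id = 1006; StartTime = $since } |
        Where-Object { $_.ProviderName -like 'MSExchange Unified Messaging*' } |
        Select-Object TimeCreated, MachineName, Message
}

# Usage: turn logging up, reproduce the fast busy, count the 1006 events, make the Call Manager
# bit-rate change, reproduce again and compare. Set the levels back to Lowest when done.
Set-UMDiagnosticLogging -Level High
$events = @(Get-UMServer | ForEach-Object { Get-UMFarEndDisconnects -ComputerName $_.Name -Hours 1 })
"Event 1006 entries across all UM servers in the last hour: $($events.Count)"
$events | Format-Table TimeCreated, MachineName -AutoSize
```

Leaving UM logging at High for longer than the test costs disk and makes the next troubleshooting session noisier, so the same function with -Level Lowest is the last thing to run.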

We checked the trunk between Exchange and CCM, and it was set to the G.711 codec (as Exchange doesn’t support G.729).

After some digging inside the call manager, I changed this setting inside Cisco Call Manager:

System->Service Parameters

Select one of your Call Manager servers, and select the service Cisco CallManager (Active):

Change the Default Interregion Max Audio Bit Rate from the default setting of 8 kbps (G.729) to 64 kbps (G.722, G.711).

BEFORE:

image

AFTER:

image

After this change, everything worked!

Enjoy.