Sunday, 28 November 2010

Transport Rules on Exchange 2007 and Exchange 2010

Transport rules, like journaling rules in the previous post, occur at the organisation level on transport servers. All messages must pass through a transport server and so we can apply rules to determine how a message is processed.

Imagine you suspect employees of selling company secrets about a new product currently under development to a rival drug company. Let's say the new product is known to internal employees only and no outside parties are aware of the product's development. How can you root out the dodgy emailers? With transport rules! The following steps show how it's done:

Open the EMC and browse to the Organization Configuration Hub Transport node in the Console tree. In the Work area, select the Transport Rules tab.

In the Actions pane, click the New Transport Rule action. This launches the New Transport Rule wizard.

Enter a suitable name and an optional comment. Select Enable Rule and click Next.

Under Conditions, select 'sent to users inside or outside the organisation' and also select 'the subject field or the body of the message contains specific words'. Click the 'inside' link and change the scope to 'outside', then click the 'Specific Words' link and add a suitable keyword. Click Next.

Under Actions, select 'Blind Carbon Copy' and add the journal mailbox as the recipient of the copied messages.
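The same rule built from the Exchange Management Shell instead of the wizard, as an added example that is not part of the original post. The keyword 'ProjectX', the rule name and the journal mailbox alias 'journal' are assumed values. The Exchange 2010 form uses the simplified New-TransportRule parameters; the Exchange 2007 form below it builds the predicate and action objects that the 2007 cmdlet expects.

```powershell
# Added example (not from the original post): the 'leak to outsiders' rule from the shell.
# Assumed values: keyword 'ProjectX', journal mailbox alias 'journal', rule name 'Bcc ProjectX leaks'.

# --- Exchange 2010: conditions and the action are plain parameters ---
New-TransportRule -Name 'Bcc ProjectX leaks' `
    -Comments 'Bcc outbound mail that mentions the unreleased product to the journal mailbox' `
    -Enabled $true `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'ProjectX' `
    -BlindCopyTo 'journal'

# --- Exchange 2007: conditions and actions are objects taken from the predicate/action catalogue ---
$scope = Get-TransportRulePredicate SentToScope
$scope.Scope = 'NotInOrganization'                 # recipients outside the organisation
$words = Get-TransportRulePredicate SubjectOrBodyContains
$words.Words = @('ProjectX')                       # the keyword(s) to look for
$bcc = Get-TransportRuleAction BlindCopyTo
$bcc.Addresses = @((Get-Mailbox 'journal'))        # silent copy to the journal mailbox
New-TransportRule -Name 'Bcc ProjectX leaks' -Conditions @($scope, $words) -Actions @($bcc) -Enabled $true

# Confirm the rule is enabled and see where it sits in the processing order (lower priority runs first).
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State -AutoSize
```

The Bcc action is invisible to the sender and the recipients, so this is a detective control rather than a blocking one; it only earns its keep if the journal mailbox receiving the copies is itself locked down, as the journaling post below does with AcceptMessagesOnlyFrom.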

Transport Rules Conflicting with Journal Rules

Perhaps you have a transport rule which prevents certain messages being sent from certain senders to others. If those emails are dropped, how can they be journaled? You will need to change the order of agent priority: by default the Transport Agent processes the message before the Journaling Agent. To see the current priorities, type the following cmdlet:

[PS] Get-TransportAgent

In the output, the Transport Agent is set to run before the Journaling Agent, so emails are dropped before they can be journaled. To change the priority, type the following:

[PS] Set-TransportAgent -Identity "Journaling Agent" -Priority 1

Finally, as the shell output tells you, you must restart the Microsoft Exchange Transport service for the new order to take effect.
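The priority check and fix as one script, added here as an example and not part of the original post. Get-TransportAgent lists the agent that applies transport rules as "Transport Rule Agent"; the script compares its priority with the Journaling Agent's, reorders only when journaling would run too late, and restarts the transport service the way the cmdlet warning asks.

```powershell
# Added example (not from the original post): make journaling run before transport rules can drop mail.
$agents  = Get-TransportAgent
$rule    = $agents | Where-Object { $_.Identity.ToString() -eq 'Transport Rule Agent' }
$journal = $agents | Where-Object { $_.Identity.ToString() -eq 'Journaling Agent' }

# Show the current order; a lower Priority number means the agent runs earlier.
$agents | Sort-Object Priority | Format-Table Identity, Enabled, Priority -AutoSize

if (-not $journal.Enabled) {
    Write-Warning 'The Journaling Agent is disabled; nothing will be journaled regardless of priority.'
}

if ($journal.Priority -gt $rule.Priority) {
    # Journaling currently runs after the rule agent, so dropped mail never reaches the journal.
    Set-TransportAgent -Identity 'Journaling Agent' -Priority 1
    # Set-TransportAgent warns that the change only applies after the transport service restarts.
    Restart-Service MSExchangeTransport
    Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Priority -AutoSize
} else {
    Write-Host 'Journaling Agent already runs before the Transport Rule Agent; nothing to change.'
}
```

Run it on every Hub Transport server, since agent priority is a per-server setting, and schedule the restart for a quiet period because it briefly pauses mail flow through that server.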

Journaling on Exchange 2007 & 2010

Journaling allows you to record all messages flowing in and out of an organization and helps with legal and regulatory compliance.
In Exchange, you can configure journaling on a mailbox database. Every message sent or received by every user on that database will be copied to the journaling mailbox. When you turn on journaling at the database level, this is known as standard journaling.
You can also enable standard journaling with the EMS using the Set-MailboxDatabase cmdlet. Specify the JournalRecipient parameter and include the address of the journal mailbox. The following command demonstrates this usage:

[PS] Set-MailboxDatabase "DB1" -JournalRecipient journal

As the above command shows, an already created mailbox called journal is used (of course, any recipient can be used!).

If you want to turn off journaling on a mailbox database, you use the same command, except specify $null instead of a journal mailbox:
[PS] Set-MailboxDatabase "DB01" -JournalRecipient $null

Configure Journaling for Specific Users

You can configure a journaling rule which will journal messages written by a particular recipient (in this case Jocelyn) and send them to a specific mailbox, such as the journal mailbox we saw earlier.

[PS] New-JournalRule -Name 'Monitor Jocelyn' -JournalEmailAddress 'journal@yourdomain.local' -Scope 'Global' -Enabled $true -Recipient 'jocelyn@yourdomain.local'

(The two addresses are placeholders: substitute the SMTP address of the journal mailbox and of Jocelyn's mailbox.)

The 'Scope' determines which type of messages are journaled. This can be Global (all messages), Internal (messages inside the organization) or External (messages outside the organization).

An important consideration is that messages arriving in the journal mailbox should only come from the established rule. In fact, the journal mailbox used here should only accept messages from the journaling agent. It's the journaling agent that is responsible for applying the journaling rule (Monitor Jocelyn) and for sending reports to the journal mailbox. You must make sure that no false data can be sent to the journal mailbox. To complete what we have done so far, type the following:

[PS] Set-Mailbox "Journal Mailbox" -AcceptMessagesOnlyFrom "Microsoft Exchange" -RequireSenderAuthenticationEnabled $true
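An audit script that pulls the three pieces of this post together, added as an example and not part of the original post: it lists which databases journal and where, lists the journal rules, and checks that the journal mailbox only accepts mail from the journaling agent, applying the restriction above if it is missing. The mailbox alias 'journal' is an assumed value.

```powershell
# Added example (not from the original post): audit the journaling configuration built above.
# Assumed: the journal mailbox has the alias 'journal'; change $journalMailbox to suit.
$journalMailbox = 'journal'

# 1. Standard journaling: which databases journal, and to which recipient?
Get-MailboxDatabase | Format-Table Name, JournalRecipient -AutoSize

# 2. Journal rules: scope, watched recipient, destination and whether each rule is enabled.
Get-JournalRule | Format-Table Name, Scope, Recipient, JournalEmailAddress, Enabled -AutoSize

# 3. The journal mailbox must not accept mail from anyone but the journaling agent,
#    otherwise a user could plant messages that look like journal reports.
$jm = Get-Mailbox -Identity $journalMailbox
$problems = @()
if (-not $jm.RequireSenderAuthenticationEnabled) {
    $problems += 'anonymous (external) senders can deliver into the journal mailbox'
}
if ($jm.AcceptMessagesOnlyFrom.Count -eq 0) {
    $problems += 'no sender restriction: any authenticated user can write into the journal mailbox'
}

if ($problems.Count -eq 0) {
    Write-Host "$journalMailbox accepts mail only from: $($jm.AcceptMessagesOnlyFrom)"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    # Apply the restriction from the post: only the Microsoft Exchange recipient may deliver here.
    Set-Mailbox -Identity $journalMailbox -AcceptMessagesOnlyFrom 'Microsoft Exchange' `
        -RequireSenderAuthenticationEnabled $true
    Get-Mailbox -Identity $journalMailbox | Format-List AcceptMessagesOnlyFrom, RequireSenderAuthenticationEnabled
}
```

Worth running after any change to the journal mailbox, because a helpdesk operator who edits delivery restrictions in the EMC can silently remove the sender restriction without touching journaling itself.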

Friday, 26 November 2010

BackUp of Exchange 2007 SP1 on Server 2003

The main backup types considered here are
  • Full and Copy
  • Differential
  • Incremental
Here are just a few notes...

    The backup process is quite straight forward with Server 2003's NTBackup:
    1. Launch NTBackup by typing NTBackup in the Run box
    2. Select the 'Advanced Mode' link
    3. Select the 'Backup' tab
    4. Select Microsoft Exchange Server and drill down to the storage group needed to back up
    5. Define a suitable backup location
    6. Click the Start Backup button
    7. As this will be a Full backup, select the 'Replace the data on the media with this backup'
    8. Click the 'Start Backup' button
    To simulate a corrupt database:
    1. Dismount the database you just backed up using the console
    2. In Windows Explorer, browse to C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group
    3. Delete the .edb file
    4. Open NTBackup as you did above but this time select the 'Restore and Manage Media' tab
    5. Select the appropriate backup
    6. Click Start Restore
    7. Define a temporary location for log and patch files
    8. Select Last restore set
    9. Select Mount Database After Restore. Click OK.
    10. Check out the storage group in Windows Explorer and you should see the database is back (and you should still have access to your email)
    Recovery Storage Groups

    It's possible we may need to restore a particular mail message or an entire mailbox. You can retrieve deleted messages using Outlook, but if you permanently delete the message (hold the Shift key down when you delete it) or go beyond the 14-day retention limit, you will need to restore from backup. If you delete a mailbox it is kept in the database for 30 days, but if you go over this you will need to restore the mailbox from backup. The problem is that when you restore from backup, you restore all the mailboxes, not just the mailbox of interest.

    I will show you how to create and use a Recovery Storage Group using PowerShell:

    Create a Recovery Storage Group
    1. Login as a valid Exchange recipient and make sure you have email in your Inbox.
    2. Using the methods shown above, backup your mailbox server
    3. Now, login as the user in step 1. and delete an email message (permanently using the shift key)
    4. Now create a Recovery Storage Group in PowerShell:
    [PS] New-StorageGroup -Server SRV161 -LogFolderPath "C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\RSG" -Name "Recovery Storage Group" -SystemFolderPath "C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\RSG" -Recovery
    You can determine if the RSG has been built by using the Get-StorageGroup cmdlet (observe the 'Recovery' attribute)

    In the next three steps we create a new mailbox database in the recovery storage group, allow it to be overwritten and finally overwrite it by restoring the backed up database. 

    Add a Recovery Database

    1. [PS] New-MailboxDatabase -MailboxDatabaseToRecover "DB1" -StorageGroup "SRV161\Recovery Storage Group" -EDBFilePath "C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\RSG\DB1.edb"
    The -MailboxDatabaseToRecover parameter references the production database that has been backed up and contains our deleted email.
    2. With the mailbox database created in the Recovery Storage Group, we now need to configure it to allow overwrites by running the Set-MailboxDatabase cmdlet with the -AllowFileRestore parameter: [PS] Set-MailboxDatabase -Identity "SRV161\Recovery Storage Group\DB1" -AllowFileRestore $true
    3. Now restore the database using NTBackup
    4. We now need to mount the restored mailbox database using the Mount-Database cmdlet: [PS] Mount-Database -Identity "SRV161\Recovery Storage Group\DB1"
    5. Now we want to merge the mailbox data of an existing user in the recovery database into the production mailbox database: [PS] Restore-Mailbox -Identity paulwest -RSGDatabase "servername\RSG name\database name"

    If you need to recover mailbox data for all users in the RSG, you would need to use the following command:
    [PS] Get-MailboxStatistics -Database "Recovery Storage Group\Mailbox Database" | Restore-Mailbox

    You should now remove the recovery database and recovery storage group using the following cmdlets:

    [PS] Remove-MailboxDatabase -Identity "SRV161\Recovery Storage Group\DB1"

    [PS] Remove-StorageGroup -Identity "SRV161\Recovery Storage Group"
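    The whole recovery storage group procedure as one script with the checks a careful administrator runs between the steps, added here as an example and not part of the original post. The names follow the post (server SRV161, production database DB1, the RSG path under First Storage Group, user paulwest); the NTBackup restore itself is interactive, so the script pauses for it.

```powershell
# Added example (not from the original post): RSG recovery with verification between steps.
# Assumed values taken from the post: SRV161, DB1, the RSG folder, the mailbox paulwest.
$server  = 'SRV161'
$rsgName = 'Recovery Storage Group'
$rsgPath = 'C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\RSG'
$dbName  = 'DB1'
$user    = 'paulwest'
$rsgDb   = "$server\$rsgName\$dbName"

# 1. Create the RSG and confirm Exchange really flagged it as a recovery group.
New-StorageGroup -Server $server -Name $rsgName -LogFolderPath $rsgPath -SystemFolderPath $rsgPath -Recovery
$rsg = Get-StorageGroup -Identity "$server\$rsgName"
if (-not $rsg.Recovery) { throw "$rsgName exists but is not marked Recovery; refusing to continue" }

# 2. Create the recovery copy of DB1 and allow the restore to overwrite its file.
New-MailboxDatabase -MailboxDatabaseToRecover $dbName -StorageGroup "$server\$rsgName" -EdbFilePath "$rsgPath\$dbName.edb"
Set-MailboxDatabase -Identity $rsgDb -AllowFileRestore $true

# 3. Restore DB1 into the RSG with NTBackup (GUI), then mount the recovered copy and check it mounted.
Read-Host 'Restore the backup into the recovery storage group with NTBackup, then press Enter'
Mount-Database -Identity $rsgDb
if (-not (Get-MailboxDatabase -Identity $rsgDb -Status).Mounted) { throw "$rsgDb did not mount; check the restore" }

# 4. Confirm the user's mailbox is in the recovered copy (matched by GUID, not display name) before merging.
$mbx   = Get-Mailbox -Identity $user
$stats = Get-MailboxStatistics -Database $rsgDb | Where-Object { $_.MailboxGuid -eq $mbx.ExchangeGuid }
if (-not $stats) { throw "$user is not in $rsgDb; the wrong backup may have been restored" }
"Merging {0} items ({1}) back into {2}" -f $stats.ItemCount, $stats.TotalItemSize, $user

# 5. Merge into the production mailbox, then dismount and tear the RSG down.
Restore-Mailbox -Identity $user -RSGDatabase $rsgDb -Confirm:$false
Dismount-Database -Identity $rsgDb -Confirm:$false
Remove-MailboxDatabase -Identity $rsgDb -Confirm:$false
Remove-StorageGroup -Identity "$server\$rsgName" -Confirm:$false
# Remove-MailboxDatabase leaves the .edb and log files on disk; delete $rsgPath by hand once done.
```

    The GUID match in step 4 is the check that saves you from a wasted restore: Restore-Mailbox pairs mailboxes by identity, and a display-name match can succeed against the wrong backup set.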

    Saturday, 20 November 2010

    Message Retention Compliance in Exchange 2010

    Keeping particularly important emails in a user's mailbox over a long period of time chews into available disk space. One common option is to transfer these emails to a PST file, either on the user's machine or on a network share. Doing this will save space on the mailbox server but will most likely cause problems when you try to collect the data again: you have to search for the PST files, hope they are not password protected and then search through the files themselves looking for the emails you want to restore.

    There are two methods of managing retention compliance in Exchange 2010:
    1. Use 'Managed Folders' as used in Exchange 2007
    2. Use 'Retention Tags', a new approach available only in Exchange 2010

    Using Managed Folders

    Managed folders involve the user deliberately dragging their important emails into administrator-built folders which are visible in Outlook. The point to take home here is that the user has to do some dragging! A lot of people simply can't be bothered to file emails into folders and prefer to search through their mail looking for keywords. This is where retention tags can be used. We will talk about that later.

    There are five main steps to managed folder configuration:
    1. Create managed folders
    2. Set managed content settings
    3. Create managed folder policies
    4. Apply the managed folder policy to the mailbox
    5. Schedule the messaging records management enforcement process

    1. Create the Managed Folder

    Managed folders come in two flavours: default and custom. The default managed folders include the familiar folders like 'Inbox' and 'Sent Items'. You can create a custom managed folder that appears under the folder 'Managed Folders'.

    1. Open the EMC and browse to the Organization Configuration Mailbox node in the Console tree.

    2. In the Actions pane, click the New Managed Custom Folder task to launch the configuration wizard.

    3. Enter the name of the folder in the Name field. The field below it can be used to define a different name when the folder is viewed in Outlook. By default, this field is set to the same value that you type in the Name field. You can define a storage quota in KB and also set a comment for this folder that the user sees when the folder is opened. Enter this comment in the field Display The Following Comment When The Folder Is Viewed In Outlook. If you check the box Do Not Allow Users To Minimize This Comment In Outlook, then the comment is always visible to the user.

    You can do the same in the shell:

    [PS] New-ManagedFolder -Name 'Test Folder' -FolderName 'Test Folder' -StorageQuota '51 MB' -Comment 'This folder is used only for testing' -MustDisplayCommentEnabled $true

    2. Set Managed Content Settings

    In this step you define how long items stay in a folder before an action is performed. You can also choose to forward a copy of any message placed in the folder to another mailbox (journaling).

    1. Right-click the custom managed folder created in step one and select New Managed Content Settings to launch the wizard.

    2. In the New Managed Content Settings wizard, type a name for content settings, such as Delete After 12 Months.

    3. From the Message Type drop-down list, select the type of content that you want this setting to apply to. For example, you can apply the setting to specific items such as email only. Or you can apply the setting to every item type by choosing All Mailbox Content.

    4. Check the Length Of Retention Period (Days) box and type the number of days that you want the items to be retained before an action is taken on them.

    5. In the Retention Period Starts box, you can choose when the retention period starts. It can start either when the item is delivered or when it is moved into the folder. For example, if you want to create a setting to delete items after one year, you could set the retention period for 365 days.

    6. In the field Action To Take At The End Of The Retention Period, choose what happens to the item when the period is over. If you choose to move it to a managed folder, click the Browse button to select that folder. Then click Next.

    7. At the Journaling screen, you can choose to forward copies of the message to a mailbox when it’s placed in the folder. Check the Forward Copies To option and click the Browse button to select the mailbox. You can also define a label for the message in the field Assign The Following Label To The Copy Of The Message. Doing so can make the messages easier to sort through. Click Next to continue.

    The settings for the managed folder are now configured and the folder is ready to be added to a managed folder policy.

    3. Create Managed Folder Policy

    A managed folder policy will be used to link the created managed folder to your mailboxes.

    1. Open the EMC and browse to the Organization Configuration Mailbox node in the Console tree

    2. Select the New Managed Folder Mailbox Policy task in the Actions pane.

    3. In the New Managed Folder Mailbox Policy wizard, enter a name for this policy in the field Managed Folder Mailbox Policy Name.

    4. Click the Add button to add a managed folder to this policy. The Select Managed Folder dialog box will be displayed. Select either a managed default folder or a managed custom folder and click OK.

    4. Apply the Managed Folder Policy to Mailboxes

    1. Browse to the Recipient Configuration Mailbox node in the Console tree.

    2. From the list of mailboxes displayed in the Results pane, select one or more mailboxes that you want to apply the policy to.

    3. Click the Properties option for the selected mailboxes in the Actions pane.

    4. In the properties dialog box, select the Mailbox Settings tab.

    5. Select the Messaging Records Management option in the list of mailbox settings and click the Properties button above the list.

    6. In the Messaging Records Management dialog box, select the Managed Folder Mailbox Policy check box. Click the Browse button to select the policy that you just created.

    7. Click OK to close the Messaging Records Management dialog box.

    5. Schedule the Messaging Records Management Enforcement Process

    The final thing we need to do is to schedule the messaging records management enforcement process to run at a specified time. The messaging records management enforcement process is disabled by default. This means that although you have applied a managed folder mailbox policy to one or more recipients, the respective managed folders will not show up in the user's client (Outlook 2007 or OWA 2007) until the process has run at least one time.

    1. In the Exchange Management Console, click the Mailbox subnode under the Server Configuration work center node.
    2. Select the respective Mailbox server in the Result pane.
    3. Now click the Properties link under the mailbox server name in the Action pane.
    4. Click the Messaging Records Management tab.
    5. The Messaging Records Management Enforcement Process is set to Never Run. Change that to Use Custom Schedule, then click the Customize button.
    6. In the schedule, specify the times and days when the managed folder assistant should run.
    If you want to force a newly created managed folder to appear in mailboxes before the schedule runs, you can use the Start-ManagedFolderAssistant cmdlet in the EMS to process all mailboxes immediately. This can be a resource-intensive process for the mailbox server and the network in general, so be careful!
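    The five steps above done from the EMS in one go, added as an example and not part of the original post. The folder, settings and policy names, the server SRV161, the user 'jocelyn' and the journal mailbox alias 'journal' are assumed values; the schedule string mirrors what the Customize dialog in step 5 produces.

```powershell
# Added example (not from the original post): managed-folder retention end to end from the shell.
# Assumed values: folder 'Test Folder', settings 'Delete After 12 Months', policy 'Retention Policy',
# server SRV161, mailbox 'jocelyn', journal mailbox alias 'journal'.
$folder = 'Test Folder'
$policy = 'Retention Policy'
$server = 'SRV161'
$user   = 'jocelyn'

# Step 1: the custom managed folder. FolderName is the name Outlook displays.
New-ManagedFolder -Name $folder -FolderName $folder -StorageQuota '51 MB' `
    -Comment 'Items filed here are deleted after 12 months' -MustDisplayCommentEnabled $true

# Step 2: content settings for every item type in that folder. Retention is counted from delivery,
# expired items go to Deleted Items (recoverable), and a copy of everything filed here is journaled.
New-ManagedContentSettings -Name 'Delete After 12 Months' -FolderName $folder -MessageClass '*' `
    -RetentionEnabled $true -AgeLimitForRetention 365 -TriggerForRetention WhenDelivered `
    -RetentionAction DeleteAndAllowRecovery `
    -JournalingEnabled $true -AddressForJournaling 'journal' -LabelForJournaling 'Test Folder copy'

# Step 3: the policy that links the folder to mailboxes.
New-ManagedFolderMailboxPolicy -Name $policy -ManagedFolderLinks $folder

# Step 4: apply it to a mailbox. The switch acknowledges the warning about pre-2007 Outlook clients.
Set-Mailbox -Identity $user -ManagedFolderMailboxPolicy $policy -ManagedFolderMailboxPolicyAllowed

# Step 5: give the assistant a schedule instead of Never Run (two overnight windows a week here).
Set-MailboxServer -Identity $server -ManagedFolderAssistantSchedule 'Sun.1:00 AM-Sun.5:00 AM', 'Wed.1:00 AM-Wed.5:00 AM'

# Check which mailboxes carry a policy, then push the folder to this one mailbox right away
# (Exchange 2010 syntax; Exchange 2007 takes the mailbox via -Mailbox instead).
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ManagedFolderMailboxPolicy -ne $null } |
    Format-Table Name, ManagedFolderMailboxPolicy -AutoSize
Start-ManagedFolderAssistant -Identity $user
```

    Processing a single mailbox with Start-ManagedFolderAssistant is the cheap way to confirm the folder appears in Outlook before the scheduled run touches every mailbox on the server.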

    Sunday, 14 November 2010

    How to Obtain an Exchange Certificate (SAN) from a 2008 StandAlone CA

    This post will help you obtain a SAN certificate from a stand-alone CA (on Server 2008). You will need this for correct configuration of Autodiscover, Outlook Anywhere and the Availability service.

    1. On your Exchange 2007 server (CAS), type the following cmdlet to make the SAN certificate request, which will be stored in the root of c:\. Notice the use of multiple names in the request.
      [PS] New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.txt -KeySize 2048 -SubjectName "c=UK, s=London, l=London, o=CompulinxTraining, ou=ExchangeServers, cn=srv1.compulinxtraining.local" -DomainName srv1.compulinxtraining.local, srv1 -PrivateKeyExportable:$true

      It should be noted that Exchange 2010 does NOT use the -Path parameter mentioned in step one. You will need to capture the request in a variable and write it out yourself:

      [PS] $Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=UK, s=London, l=London, o=CompulinxTraining, ou=ExchangeServers, cn=srv1.compulinxtraining.local" -DomainName srv1.compulinxtraining.local, srv1 -PrivateKeyExportable:$true
      [PS] Set-Content -Path "C:\req.req" -Value $Data
      2. Once you have generated the request, visit your CA by opening a browser and typing http://TheCAName/certsrv. Select 'Request a Certificate' and then 'Advanced Certificate Request'. Then select 'Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file'. Copy and paste the contents of the request file (all of it, including the BEGIN and END lines!) into the 'Saved Request' field and submit the request to your CA.

      3. On the CA, select 'Pending Request' and 'Issue' the certificate.

      4. Back on the Exchange server, visit the certsrv home page again and check for the pending request. Save the .cer file to an easy-to-find location on the server.

      5. Create an MMC and add the Certificates snap-in for the local computer. Under Personal, import your saved certificate. Once imported, you will probably find that if you open it, it is not trusted. You will have to download the root CA certificate and import it into the Trusted Root Certification Authorities store on the Exchange server.
      You may also find that the certificate has no private key. This will cause problems later on, so you should repair the certificate by following these steps:

      >Open MMC and add the Certificate Snap-In for the Local Computer account.

      >Double-Click on the recently imported certificate. Note: In Windows Server 2008 it will be the certificate missing the golden key beside it.

      >Select the Details tab.

      >Click on the Serial Number field and copy that string. Note: You may use CTRL+C, but not right-click and copy.

      >Open up a command prompt session. (cmd.exe aka DOS Prompt)

      >Type: certutil -repairstore my "SerialNumber" (SerialNumber is that which was copied down in step 4.)

      >After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC)

      >Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate." Note: In Windows Server 2008 there will be a golden key to the left of the certificate, so there is no need to double-click the certificate.

      Now that the Private Key is attached to the certificate, please proceed to enable Exchange Services via Enable Exchange Certificate (Courtesy of

      6. Now you need to enable your certificate and bind it to the correct Exchange services. Type the following cmdlet, substituting the thumbprint of your certificate:
      [PS] Get-ExchangeCertificate -Thumbprint <thumbprint> | Enable-ExchangeCertificate -Services IIS,SMTP
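      A pre-flight check before step 6, added as an example and not part of the original post: it finds the CA-issued certificate carrying the server FQDN from the request above, repairs a missing private key with the same certutil command as the quoted steps, warns if the issuer is untrusted, a requested name is missing, the key is short or expiry is near, and only then binds the certificate. The FQDN and the short name are taken from the request in step 1; everything else is read from Exchange.

```powershell
# Added example (not from the original post): verify the imported SAN certificate before binding it.
# Assumed: names from the request above; 'srv1' and the FQDN are the SANs we expect to be present.
$fqdn  = 'srv1.compulinxtraining.local'
$names = @('srv1', $fqdn)

# Pick the newest CA-issued certificate that lists the FQDN among its names.
$cert = Get-ExchangeCertificate |
    Where-Object { -not $_.IsSelfSigned -and @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No CA-issued certificate with $fqdn in its names is in the local machine store" }

# Missing private key: the symptom described above. Repair via the serial number and re-read.
if (-not $cert.HasPrivateKey) {
    certutil -repairstore my $cert.SerialNumber | Out-Null
    $cert = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
    if (-not $cert.HasPrivateKey) {
        throw "Still no private key for $($cert.Thumbprint); the request was probably generated on another machine"
    }
}

# Trust, SAN coverage, key size and lifetime. RootCAType reports which store Exchange found the root in.
if ($cert.RootCAType -eq 'None' -or $cert.RootCAType -eq 'Unknown') {
    Write-Warning "Issuer '$($cert.Issuer)' is not trusted on this server; import the CA root certificate first"
}
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
foreach ($n in $names) {
    if ($domains -notcontains $n) { Write-Warning "Requested name $n is not in the issued certificate" }
}
if ($cert.PublicKeySize -lt 2048) { Write-Warning "Key is only $($cert.PublicKeySize) bits" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }

# Bind it. Exchange prompts before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter, HasPrivateKey
```

      Binding a certificate that is missing one of the names clients connect to produces the name-mismatch prompt in Outlook that the SAN request was meant to avoid, which is why the name check runs before Enable-ExchangeCertificate rather than after.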