Wednesday, 24 August 2011

Move Arbitration Mailboxes In Exchange 2010

Quite simple really. I have found that in certain situations (help in backup) I have needed to delete databases (perhaps several databases exist on a single drive). You can move mailboxes from one database to another simply by typing the following cmdlet:

[PS] Get-Mailbox -Database TheDatabaseID | New-MoveRequest -TargetDatabase TargetDatabaseID

Now this will move the ‘regular’ mailboxes but not those marked as arbitration mailboxes. You can identify those by using the following:

[PS] Get-Mailbox -Database TheDatabaseID -Arbitration

Now you know what mailboxes to look out for, move them to the database of preference.

[PS] Get-Mailbox -Database TheDatabaseID -Arbitration | New-MoveRequest -TargetDatabase TargetDatabaseID

And then check that the arbitration mailboxes have been moved to an alternative database. You can also check out the move requests themselves:

[PS] Get-MoveRequest

Now that the mailboxes (hidden ones included) have been moved, try deleting the database now. It should work but remember that you will still have to remove the database files manually.

For Matt and Mark!

Sunday, 21 August 2011

Exchange 2010 MountDial

The setting is set per server. You can determine the value on your server by typing the following cmdlet:

[PS] Get-MailboxServer | FL Name,AutoDatabaseMountDial

MountDial determines whether a passive copy in a DAG can automatically come online, based on how many log files are still waiting to be copied to it. If you run the above command, you will see one of several values for AutoDatabaseMountDial including:

  1. BestAvailability
  2. GoodAvailability
  3. Lossless

These mean the following:


BestAvailability

If you specify this value, the database automatically mounts immediately after a failover if the copy queue length is less than or equal to 12. The copy queue length is the number of logs recognized by the passive copy that need to be replicated. If the copy queue length is more than 12, the database doesn't automatically mount. When the copy queue length is less than or equal to 12, Exchange attempts to replicate the remaining logs to the passive copy and mounts the database.

GoodAvailability

If you specify this value, the database automatically mounts immediately after a failover if the copy queue length is less than or equal to six. The copy queue length is the number of logs recognized by the passive copy that need to be replicated. If the copy queue length is more than six, the database doesn't automatically mount. When the copy queue length is less than or equal to six, Exchange attempts to replicate the remaining logs to the passive copy and mounts the database.

Lossless

If you specify this value, the database doesn't automatically mount until all logs that were generated on the active copy have been copied to the passive copy.


BestEffort

This will mount no matter the copy queue length. Be careful with this setting as you could lose a lot of mailbox data!


To manually switch from passive to active type the following cmdlets:

[PS] Move-ActiveMailboxDatabase DB4 -ActivateOnServer MBX3 -MountDialOverride:None

As the MountDialOverride property is set to ‘none’, whatever is currently set (probably the default) remains. The default on my server is GoodAvailability. So, replace none with one of the three options listed above to change this.

Read an earlier post regarding DAGs 

Saturday, 20 August 2011

How to Export Exchange 2010 Queues

You can use the Shell to export messages from a queue on a computer that has the Microsoft Exchange Server 2010 Hub Transport server role or the Edge Transport server role installed to a specified file path. You can't use Queue Viewer to perform this task. However, you can use Queue Viewer to locate, identify, and suspend the messages before you perform this task.

Messages that get ‘stuck’ in a queue can be exported to a folder and you can later resubmit the messages once you fix the mail flow problem. To export a message (or all messages in a queue) you should first suspend the queue. Suspension does not prevent messages entering the queue, but it will stop them leaving. Start by listing the queues with the following cmdlet:

[PS] Get-TransportServer | Get-Queue

This command will show you the queues on your transport servers (you may have more than one in your site).

You might have an example where your messages are failing to be sent because of name resolution:




You can see that the DeliveryType is set to DNSConnectorDelivery. The messages are queued for delivery to an external recipient by using an SMTP connector that's located on the local server and that's configured to use Domain Name System (DNS) for routing resolution.

To export the messages, first suspend the queue:

[PS] Suspend-Queue -Identity SRV1\20

Now that the queue is suspended you suspend the messages.

[PS] Get-Queue -Identity srv1\20 | Get-Message -ResultSize unlimited | Suspend-Message -Confirm:$False

-ResultSize unlimited is used as the default is set to 1000.

Now the messages are suspended you can export them. To see the list of messages in the queue type the following:

[PS] Get-Queue -Identity srv1\20 | Get-Message -ResultSize unlimited

The status should show the messages are suspended and you should see the Email subject heading and from address. Notice how the message ID is created and includes the Queue ID.

Now to export a single message:

[PS] Export-Message -Identity srv1\20\75 | AssembleMessage -Path c:\exportfolder\email1


Exporting all the messages from the queue is a bit more complicated. Try the following:

  • [PS] $array = @(Get-Message -Queue srv222\20 -ResultSize unlimited)
  • [PS] $i = 0
  • [PS] $array | ForEach-Object {$i++; Export-Message $_.Identity | AssembleMessage -Path ("c:\exportfolder\" + $i + ".eml")}

The above cmdlets will produce .eml files in c:\exportfolder\ with names like 1.eml, 2.eml. At a later stage you can ‘import’ the messages back into the submission queue by using the replay directory. The Replay directory receives messages from foreign gateway servers and can also be used to resubmit messages that administrators export from the queues of Exchange 2010 servers. Read this post for more.
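
The whole export procedure above as one script, as an added example that is not part of the original post. It also writes a manifest.csv (a name chosen here) that maps each numbered .eml file back to its message identity, sender and subject. It assumes the Exchange Management Shell on the transport server and reuses the post's example queue identity and folder.

```powershell
# Added example. Assumptions: run in the Exchange Management Shell on the
# transport server; queue identity and folder are the post's example values.
$queue  = 'srv1\20'
$folder = 'c:\exportfolder'

if (-not (Test-Path $folder)) {
    New-Item -ItemType Directory -Path $folder | Out-Null
}

# Stop messages leaving the queue, then suspend every message in it.
Suspend-Queue -Identity $queue -Confirm:$false
Get-Message -Queue $queue -ResultSize unlimited | Suspend-Message -Confirm:$false

$i = 0   # reset so a second run in the same session starts at 1.eml again
$manifest = foreach ($msg in @(Get-Message -Queue $queue -ResultSize unlimited)) {
    # Skip anything that has not reached the Suspended state yet.
    if ($msg.Status -ne 'Suspended') { continue }

    $i++
    $file = Join-Path $folder ("{0}.eml" -f $i)
    Export-Message -Identity $msg.Identity | AssembleMessage -Path $file

    # One manifest row per exported file.
    New-Object PSObject -Property @{
        File     = $file
        Identity = "$($msg.Identity)"
        From     = $msg.FromAddress
        Subject  = $msg.Subject
    }
}

# manifest.csv is a hypothetical file name; it records what was exported.
$manifest | Select-Object File, Identity, From, Subject |
    Export-Csv (Join-Path $folder 'manifest.csv') -NoTypeInformation
```

The exported files hold complete message content, so keep the export folder readable only by the administrators who will replay them.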

Tuesday, 16 August 2011

How to Change the Version of Windows 2008 R2 Standard to Enterprise Without Reinstalling

Useful procedure for changing the product version of Windows 2008 R2 Standard to Enterprise without reinstalling from media.

To determine the installed edition, run:
DISM /online /Get-CurrentEdition

To check the possible target editions, run:
DISM /online /Get-TargetEditions

Finally, to initiate an upgrade, run:
DISM /online /Set-Edition:<edition ID> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

For example, to upgrade to Enterprise from a downlevel version, run:
DISM /online /Set-Edition:ServerEnterprise /ProductKey:YOUR SETUP KEY

(Thanks to Kimani and Jon)

Friday, 12 August 2011

Role-Based Access Control (RBAC) Exchange 2010 Legal Hold and Discovery Search

RBAC can be used to allow administrators to perform a specific Exchange task by being assigned a management role that has permissions to perform the task. Administrators can be assigned these roles directly, or multiple roles can be grouped together into management role groups. Management role groups are in fact AD universal security groups. As you will see, however, Exchange administrators should NOT be added to these groups using AD tools directly!

Each management role consists of management role entries. A management role entry is an EMS cmdlet or a script that users in a management role can execute.

For a list of management roles, type the following cmdlet:

[PS] Get-ManagementRole | Get-ManagementRoleEntry

The list you will see has quite a few roles!

If you take just one role, for example ‘Databases’, you will begin to see what's involved:

[PS] Get-ManagementRole -Identity Databases | Get-ManagementRoleEntry


So, users are assigned a management role (which can execute the cmdlets and scripts defined by its management role entries) by being added to a management role group. This can be very useful. For example, we can create a management role group that only allows users to create Exchange recipients. After we create the group and add users, management role(s) are then assigned to the group.

Several role groups exist in Exchange 2010 by default.

[PS] Get-RoleGroup


If we take a single role group, for example ‘Help Desk’:

[PS] Get-RoleGroup -Identity "Help Desk" | fl

This will list the associated parameters for this group.


As you can see from the above screenshot, the roles assigned to the Help Desk management role group are shown. These are ‘User Options’ and ‘View-Only Recipients’. You can also see under role assignments that these roles are assigned to Help Desk! These default role groups can be found in AD in the Microsoft Exchange Security Groups.

To add users to the role group of Help Desk use the following cmdlet:

[PS] Add-RoleGroupMember -Identity "Help Desk" -Member "Andrew Stevens"

This will add Andrew Stevens to the Help Desk role group. To determine the membership of the management role group try the following:

[PS] Get-RoleGroupMember -Identity "Help Desk"

This is great if the Help Desk group has the needed management roles assigned to it. From the screenshot above this includes the management roles “User Options” and “View-Only Recipients”.

User Options is a management role with the following management role entries, determined by typing the following:

[PS] Get-ManagementRole -Identity "User Options" | Get-ManagementRoleEntry


View-Only Recipients is a management role with the following management role entries, determined by typing the following:

[PS] Get-ManagementRole -Identity "View-only Recipients" | Get-ManagementRoleEntry


So you can see what Andrew Stevens can do having been placed in the Help Desk group.


You can also customize a role group to contain the roles that you need if you find the default roles assigned to a group do not fit correctly. If you find yourself changing the roles assigned to the default groups beyond recognition you might as well create a new group.

So, to add a role to an existing group try the following:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk" -Role "MailBox Import Export"

Now type the following again to determine the roles now ‘held’ by the Help Desk group:

[PS] Get-RoleGroup -Identity "Help Desk" | fl

You will notice that the RoleAssignments has changed to include Mailbox Import Export!

To remove the assignment type the following:

[PS] Remove-ManagementRoleAssignment -Identity "Mailbox Import Export-Help Desk"

If you need to, you can create a role group from scratch. Let's create a role group called Help Desk London and assign roles to the group:

[PS] New-RoleGroup "Help Desk London" -Roles "User Options","View-Only Recipients"

Try the Get-RoleGroup cmdlet and you should see it listed.

So far the Help Desk London team have the roles View-Only Recipients and User Options. This is no different to the default Help Desk assignments. However, you can add to it:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk London" -Role "MailBox Import Export"


Legal Hold

An interesting role is Legal Hold. A legal hold in Exchange 2010 will keep e-mails even if the user tries to delete them. Note, the user will think the e-mail is deleted. The only way to actually see the e-mails is by doing a discovery search, and opening the discovery mailbox.

The legal hold role has the following assignments:

[PS] Get-RoleGroup | Where-Object {$_.roleassignments -match "Legal Hold"}

The output will show you that both Organization and Discovery Management groups have this role by default.

To grant our Help Desk London team Legal Hold type the following cmdlet:

[PS] New-ManagementRoleAssignment -SecurityGroup "Help Desk London" -Role "Legal Hold"

Type the following cmdlet for confirmation:

[PS] Get-RoleGroup | Where-Object {$_.roleassignments -match "Legal Hold"}

You should now see Help Desk London listed.

To turn this feature on we need to enable it for specific mailboxes. First you must have the role to do so. As mentioned, members of the Organization Management (and Discovery Management) role groups have the Legal Hold role assigned. If you are doing this as a Domain Administrator then you are a member of Organization Management already.

[PS] Get-RoleGroup -Identity "Organization Management" | ft name,members

Now, determine which recipients you wish to apply Legal Hold to and type the following:

[PS] Set-Mailbox -Identity "A User" -LitigationHoldEnabled $True

To check which mailboxes have been enabled, type the following cmdlet:

[PS] Get-Mailbox | ft name,lit* -au


Performing a Discovery Search

You can still find and open the deleted emails using a discovery search. A discovery search can be made against any organisation mailbox (not just those on litigation hold). Here’s what happens:

  1. User deletes a message.
  2. The message moves to a 'Deleted Items' folder. At this point the user can see the deleted messages and can move the deleted message back to the inbox. This is known as a 'soft delete'. Messages can also be moved to the 'dumpster' by emptying the deleted items folder. This is a 'hard delete'.
  3. Message moves to the 'Dumpster'. This removes the message from view. Deleted item retention is 14 days by default. Users can still recover items by using the recover deleted items tool (right click deleted items in OWA and select 'recover deleted items').
  4. If the end user purges data from the "Recover Deleted Items" view (hard delete from the Recoverable Items\Deletions folder), the item will be moved to the Recoverable Items\Purges folder. The purges folder is a special folder that sits within the dumpster. The user will not be able to see the deleted message from this folder. However administrators granted the rights to perform 'discovery searches' can search through the purges folder and restore deleted items.

Enabling Litigation Hold means that items will never be purged from the “Purges” subfolder, which of course results in mailboxes growing considerably in size over time!

To perform a discovery search perform the following steps:

1. Perform a discovery search for the item you need to restore. This first involves navigating a browser to https://servername/ecp. This is on the CAS role (ECP is the Exchange Control Panel). In Figure 1, the user ‘Al Pacino’ is in the LegalAdmins role group. This group has been assigned the roles ‘User Options’ and ‘View-only Recipients’ (which is the same as the default Help Desk role group). At this point Al cannot perform a discovery search and this is his ECP view (only Users & Groups).


2. Assign the Mailbox Search role to the LegalAdmins group using the following cmdlet:

[PS] New-ManagementRoleAssignment -SecurityGroup LegalAdmins -Role "Mailbox Search"


3. The above screenshot shows us the ECP view after applying this step. You can now see that the ‘Reporting’ link is shown. Select this link.


4. After you select this link you should see a similar view as shown above. Remember that you can also add a user to the Discovery Management role group instead of creating a group and assigning roles to it.

Select 'New'.


5. As you can see there are a number of search methods. Select mailbox to search and select the user mailbox that has purged deleted items.

6. Provide a search name

7. Select 'Select a mailbox in which to store the search results' and choose the 'Discovery Search Mailbox' and click save.

8. After the search has completed (you may have to refresh) select the link that says open by the results output on the right hand side.

9. If you can't open the discovery search mailbox, you will need to grant the user access to it by typing in the following:

[PS] Add-MailboxPermission DiscoverySearchMailbox -User al -AccessRights FullAccess
NB. I changed the alias of the mailbox to this simpler name

10. You should now be able to open the discovery search mailbox. Once opened, navigate on the left to the search name and open the sent\deleted items folder. You should be able to find the item that was purged.

NB. If you wish you can create a new discovery search mailbox by using the following cmdlet:

[PS] New-Mailbox "HelpDeskDiscovery" -UserPrincipalName <UserPrincipalName> -Discovery

[PS] Add-MailboxPermission HelpDeskDiscovery -User al -AccessRights FullAccess


In the above example, our test user Al can perform the discovery search and open the discovery search mailbox to find deleted items.
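
A review of who ends up holding the roles assigned in this post (Mailbox Import Export, Mailbox Search, Legal Hold), as an added example that is not part of the original post. The function name, the helper New-SampleRow, the list of expected role groups and the sample rows are assumptions made for illustration; the rows mimic the shape of Get-ManagementRoleAssignment -GetEffectiveUsers output.

```powershell
# Added example. Roles from this post that expose mailbox content or retention.
$SensitiveRoles = 'Mailbox Import Export', 'Mailbox Search', 'Legal Hold'

function Get-SensitiveRoleHolder {
    param(
        # Rows shaped like Get-ManagementRoleAssignment -GetEffectiveUsers output.
        [object[]]$Assignment,
        # Assumption: role groups you expect to hold these roles; adjust to policy.
        [string[]]$ExpectedGroup = @('Organization Management', 'Discovery Management')
    )
    $Assignment |
        # Drop the per-group summary row so each remaining row is one user.
        Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Role       = "$($_.Role)"
                Via        = "$($_.RoleAssigneeName)"
                User       = $_.EffectiveUserName
                Unexpected = ($ExpectedGroup -notcontains "$($_.RoleAssigneeName)")
            }
        } |
        Sort-Object Role, Via, User |
        Select-Object Role, Via, User, Unexpected
}

# Constructed sample rows (not real output), using names from this post.
function New-SampleRow($Role, $Group, $User) {
    New-Object PSObject -Property @{
        Role = $Role; RoleAssigneeName = $Group; EffectiveUserName = $User
    }
}
$sample = @(
    (New-SampleRow 'Legal Hold' 'Discovery Management' 'All Group Members'),
    (New-SampleRow 'Legal Hold' 'Discovery Management' 'Legal Officer'),
    (New-SampleRow 'Legal Hold' 'Help Desk London' 'Andrew Stevens'),
    (New-SampleRow 'Mailbox Import Export' 'Help Desk London' 'Andrew Stevens'),
    (New-SampleRow 'Mailbox Search' 'LegalAdmins' 'Al Pacino')
)
Get-SensitiveRoleHolder -Assignment $sample | Format-Table -AutoSize

# In the Exchange Management Shell, feed it live data instead:
# $rows = $SensitiveRoles | ForEach-Object {
#     Get-ManagementRoleAssignment -Role $_ -GetEffectiveUsers }
# Get-SensitiveRoleHolder -Assignment $rows | Where-Object { $_.Unexpected }
```

Rows marked Unexpected are users who can search, export or hold mailbox content through a group outside the expected list, which is what custom assignments like the ones in this post produce.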

Thursday, 4 August 2011

RMS Shared Identity user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 Not Found

Having removed an Exchange Server (and arbitration mailboxes), reinstalling a second Exchange 2010 can be problematic. The deletion of the discovery mailbox will mean that the reinstallation of your Exchange 2010 server will fail. Run the following command:

[PS] New-Mailbox -Arbitration -Name FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 -UserPrincipalName FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@<Default_Accepted_Domain>

This should allow you to now rerun the installation program without failure.

Wednesday, 3 August 2011

Cannot Uninstall Exchange 2010 Because of Arbitration Mailboxes

To list the arbitration mailboxes type the following command:

[PS] Get-Mailbox -Database "database name" -Arbitration

This will list all the mailboxes that can be moved or removed.

To move them to another database, type the following command:

[PS] Get-Mailbox -Arbitration -Database db1 | New-MoveRequest -TargetDatabase db2

To remove the mailboxes, type the following command:

[PS] Get-Mailbox -Arbitration -Database db1 | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed

Once you do this, hopefully you should be able to uninstall Exchange using the Control Panel.