Sunday, 28 February 2010

Exchange 2010 PowerPack Available…

I take it that everyone is familiar with the popular PowerGUI, a FREE tool that provides a graphical user interface for managing products that understand PowerShell, like Exchange 2007. I highly recommend the tool if you are not familiar with it. The tool comes with a PowerShell script editor as well, with help built into the product. Download PowerGUI here

PowerGUI can be used to manage Exchange 2003, 2007 & now 2010… Download the 2010 PowerPack here.

PowerPacks are extensible open source add-ons for the PowerGUI Administrative Console. Once you import them into the console, you get a rich user interface to manage the particular product.

Thursday, 25 February 2010

TMG 2010, Exchange Edge 2010 & Forefront Protection For Exchange 2010 – All In The Same Box…

Microsoft released the latest version of ISA Server a couple of months ago, and it has undergone a name change. The new release is named Forefront Threat Management Gateway (TMG) 2010. This version supports running Exchange Edge 2010 and Forefront Protection 2010 for Exchange alongside it on the same box.

I bet you know where I am heading! You don't need different servers like in the old days. You can have a couple of servers in the DMZ with all three components. The same box will publish Exchange services like OWA, Outlook Anywhere (OA) & ActiveSync and at the same time act as the first layer of defence for incoming email.

TMG provides central management for Exchange Edge and Forefront Protection 2010 for Exchange when they are located on the same server. It does not include either Exchange or Forefront Protection 2010 for Exchange; both must be purchased and installed separately. TMG 2010 also comes with a long list of new features.

Install TMG first, then Edge 2010, then Forefront Protection. Make sure you update the scanning engines & enable all antispam & antivirus filters before connecting the box to the production network; an Edge server that is reachable from the Internet with stale engines and disabled filters is just an open relay candidate.

Check this article for installation steps.

Wednesday, 24 February 2010

Exchange 2010 Pre-Deployment Analyzer Released…

One more tool for Exchange admins! The Exchange Pre-Deployment Analyzer performs an overall topology readiness scan of your environment and provides you with a list of decisions that need to be made before you deploy Exchange Server 2010. The tool is based on the Exchange Best Practice Analyzer (ExBPA) and has the same look and feel. The tool provides a detailed report that will alert you if there are any issues within your organization, which could prevent you from deploying Exchange 2010. For example, the analyzer will notify you if you haven't deployed the minimum required Exchange service pack on all your existing Exchange servers.

This tool focuses only on overall topology readiness and not the ability to run Exchange 2010 on the local computer.

Download the tool here

Launching the tool brings up a familiar interface.

[Screenshot: Exchange Pre-Deployment Analyzer start page]

I ran the tool on my Exchange 2007 server and everything was ok from the report. I am good to go with a 2010 deployment in my environment.

[Screenshot: Exchange Pre-Deployment Analyzer report]

Running the Exchange Server Pre-Deployment Analyzer is now a recommended step within the pre-requisites section of the Exchange 2010 Deployment Assistant.

Friday, 19 February 2010

Failure [0xC3EC796C] One or more errors occurred during execution of the wizard; the wizard was unable to complete successfully…

I was setting up OCS 2007 R2 in my lab along with Exchange 2010 and I came across the error above. While installing OCS 2007 R2, all steps completed successfully except the last one. The last wizard read “Deploy Server Wizard has failed”.

[Screenshot: Deploy Server Wizard has failed]

Clicking “Finish” opens the log file in Internet Explorer, which gave an error code and more explanation for the failure.

Failure
[0xC3EC796C] One or more errors occurred during execution of the wizard; the wizard was unable to complete successfully. Please check the log file for more information.

[Screenshot: wizard log file showing the 0xC3EC796C failure]

Checking the event log showed an entry for the failure.

[Screenshot: Event Viewer]

It turned out that the issue is caused by one of the updates. Microsoft has released a fix to resolve the issue. I downloaded and ran the patch and everything started working!

Thursday, 18 February 2010

Exchange 2010 Mailbox Role Requirements Calculator v3.2, 3.5 & 4.5…

The Exchange 2010 Mailbox Role Requirements Calculator has been updated again, the latest version being 4.5. I would urge all readers to keep an eye on this space, as new versions will be uploaded. The latest version includes new options like considering whether you have 32- or 64-bit GCs in the environment. The calculator still only supports active/passive environments.

Download v4.5 here and read the explanation of all the options here

Wednesday, 17 February 2010

Administrator Audit Logging In Exchange 2010…

Exchange 2010 brings a new feature to the table: auditing of the actions administrators (and delegated users) perform in your messaging environment. Every change made through the Console, the Shell or the ECP is logged, because all three run Exchange cmdlets under the hood. The read-only “Get” cmdlets won't be logged, as that is unnecessary and would generate a large number of log entries every day. This gives your manager (who may not be technical) the ability to trace back who did what & when.

The following actions need to be completed before the feature becomes useful. The cmdlet we use for most of these settings is Set-AdminAuditLogConfig.

  1. Configure a dedicated mailbox for storing all audit logs. Whenever an action is audited, the full details are logged & sent as an email to this mailbox, so access to it has to be tightly controlled: the log is only as trustworthy as that mailbox's access list.
  2. Enable the auditing feature.
  3. Configure the audit agent to send logs to the audit mailbox.
  4. Configure the cmdlets to be audited, if you don't want to audit everything (the default, *, covers every non-Get cmdlet).
  5. Configure the parameters to be audited (again * by default).

The first step can be easily accomplished by creating a mailbox with a suitable name (say “Audit Mailbox”) and restricting access to it.

Admin auditing is disabled by default in Exchange 2010 RTM. Run Get-AdminAuditLogConfig | fl to confirm.

[Screenshot: Get-AdminAuditLogConfig showing AdminAuditLogEnabled False]

In order to enable auditing, run the following cmdlet.

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

[Screenshot: Get-AdminAuditLogConfig showing AdminAuditLogEnabled True]

Run the following cmdlet to configure the auditing agent to send logs to “Audit Mailbox” (the closing quote matters; the Shell waits for more input without it):

Set-AdminAuditLogConfig -AdminAuditLogMailbox "AuditMailbox@Hew10.local"

[Screenshot: audit mailbox set]

You can audit just the cmdlets of your choice. For example, in order to audit only changes made with mailbox & transport cmdlets, use the wildcards *mailbox* and *transport*. Bear in mind that anything not matching the patterns (role assignment changes, say) is then not audited at all; the default, *, covers every non-Get cmdlet. Run the cmdlet below to audit just these cmdlets.

Set-AdminAuditLogConfig -AdminAuditLogCmdlets "*mailbox*", "*transport*"

[Screenshot: audited cmdlets set]

In the same way, you can select the parameters of your choice. A cmdlet run is logged only if it matches the cmdlet list and uses at least one parameter from the parameter list, so narrowing the parameters also narrows what gets logged. Run the cmdlet below to audit only the parameters database and server:

Set-AdminAuditLogConfig -AdminAuditLogParameters "database", "server"

[Screenshot: audited parameters set]
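The five steps above as one Exchange Management Shell script, added here as an example and not part of the original post. It assumes the Hew10.local domain from the post, a security group named "Audit Readers" that should be the only principal able to read the audit mailbox, and that the default e-mail address policy gives the mailbox the address AuditMailbox@Hew10.local.

```powershell
# Added example: Exchange 2010 RTM administrator audit logging, end to end.
# Assumptions: domain Hew10.local; a security group "Audit Readers" exists; the default
# e-mail address policy yields alias@Hew10.local. Run from the Exchange Management Shell.

# Step 1: dedicated audit mailbox. A shared mailbox comes with a disabled AD account,
# so nobody logs on as it; readers get Full Access explicitly, and nobody else.
New-Mailbox -Shared -Name "Audit Mailbox" -Alias "AuditMailbox" | Out-Null
Set-Mailbox -Identity "AuditMailbox" -HiddenFromAddressListsEnabled $true
Add-MailboxPermission -Identity "AuditMailbox" -User "Audit Readers" `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# Step 2: turn the feature on (off by default in 2010 RTM).
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true

# Step 3: tell the audit agent where to send the entries.
Set-AdminAuditLogConfig -AdminAuditLogMailbox "AuditMailbox@Hew10.local"

# Steps 4 and 5: scope. "*" logs every non-Get cmdlet whatever parameters it uses,
# which is what an auditor wants. The post's narrower patterns are kept below for
# comparison; with them, anything that does not match is never logged.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets "*" -AdminAuditLogParameters "*"
# Set-AdminAuditLogConfig -AdminAuditLogCmdlets "*mailbox*", "*transport*" -AdminAuditLogParameters "database", "server"

# Verify the configuration, and verify who can actually open the audit mailbox.
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogMailbox, `
    AdminAuditLogCmdlets, AdminAuditLogParameters
Get-MailboxPermission -Identity "AuditMailbox" |
    Where-Object { -not $_.IsInherited -and "$($_.User)" -ne "NT AUTHORITY\SELF" } |
    Format-Table User, AccessRights -AutoSize
```

The last pipeline is the check worth repeating on a schedule: anyone with organization-level rights can grant themselves Full Access to the audit mailbox, and with "*" configured that grant is itself logged there, so an unexpected entry in this list is the first thing to look for.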

For demonstration of admin logging feature, I have created a new mailbox named “Audit Test”.

[Screenshot: the “Audit Test” mailbox]

Logging into the “Audit Mailbox” using OWA shows me a new email with detailed information on the task (creating the mailbox) that I had completed.

[Screenshot: audit email in OWA]

The subject of the email specifies the user account used to run the cmdlet & the cmdlet that was executed.

[Screenshot: audit email subject]

The Run Date in the email shows the date & time when the cmdlet was run. The log also shows whether the cmdlet was executed successfully.

[Screenshot: audit email body with Run Date and result]

Next time you do something, beware! The auditing might be enabled!

Tuesday, 16 February 2010

Exchange 2010 VHD For Evaluation…

Microsoft has released a pre-configured VHD with Exchange 2010. This download lets you evaluate Exchange 2010 for 60 days. A 64-bit physical machine running Windows Server 2008 Hyper-V or later is necessary for running the VHD.

Login details for the VHD are as follows. These are published defaults known to everyone who downloads the image, so keep the VM on an isolated lab network and change the password before putting anything real in it.

UserName: contoso\Administrator
Password: pass@word1

Download the VHD here

Monday, 15 February 2010

Blocking Web Beacons & HTML Forms In Outlook Web App…

Web beaconing is a method used to validate email addresses and gather recipient information, mostly used by spammers. A web beacon is a file object, such as a transparent graphic or an image, that is placed on a website or in an email. Web beacons are typically used together with HTML cookies to monitor user behaviour on a website, or to confirm that a recipient's email address is live: when an email containing a beacon is opened, the image is fetched from the sender's server, and the fetch itself is the signal. HTML forms in email bodies are blocked for a related reason: a form can submit whatever the user types straight to an external site, which makes it a handy phishing tool.

By default, web beacons and HTML forms are set to “UserFilterChoice”, which means they are blocked, but the user can unblock them if needed.

[Screenshot: OWA default external content blocking]

If you are a strict administrator or your company policies force you to block beacons, you can do so from the Exchange Management Shell.

The parameter which defines the behaviour is “FilterWebBeaconsAndHtmlForms” and we have three values.

  • UserFilterChoice – Blocks, but user can unblock
  • ForceFilter – Blocks all.
  • DisableFilter – Allows all.

In order to block beacons forcefully and not give the end user the option to unblock, run the following cmdlet. The setting is per OWA virtual directory, so with more than one Client Access server the identity takes the form "Server\owa (Default Web Site)" and the cmdlet has to be run for each one:

Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -FilterWebBeaconsAndHtmlForms ForceFilter

[Screenshot: FilterWebBeaconsAndHtmlForms changed to ForceFilter]
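An added example (not from the post) that applies the same setting to every OWA virtual directory in the organization and then reports any that are not enforced, which is what you want on a multi-CAS deployment where running the one-off cmdlet on one server leaves the others at UserFilterChoice. It assumes only the Exchange 2010 Get-/Set-OwaVirtualDirectory cmdlets.

```powershell
# Added example: enforce beacon/form filtering on every OWA virtual directory and report
# any that still let users unblock external content. Run from the Exchange Management Shell.

function Get-OwaBeaconPolicyReport {
    # One row per OWA virtual directory, flagging anything weaker than ForceFilter.
    Get-OwaVirtualDirectory | ForEach-Object {
        New-Object PSObject -Property @{
            Server    = $_.Server
            Directory = $_.Name
            Setting   = $_.FilterWebBeaconsAndHtmlForms
            Enforced  = ("$($_.FilterWebBeaconsAndHtmlForms)" -eq "ForceFilter")
        }
    }
}

# Enforce everywhere, not only on one server's "owa (Default Web Site)".
Get-OwaVirtualDirectory |
    Where-Object { "$($_.FilterWebBeaconsAndHtmlForms)" -ne "ForceFilter" } |
    Set-OwaVirtualDirectory -FilterWebBeaconsAndHtmlForms ForceFilter

# Anything still not enforced is a server someone changed by hand, or a CAS added later.
Get-OwaBeaconPolicyReport |
    Where-Object { -not $_.Enforced } |
    Format-Table Server, Directory, Setting -AutoSize
```

Running only the report function on a schedule gives you drift detection for the setting; a new Client Access server comes up at the UserFilterChoice default and will show in the list until the enforcement block is run again.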

Sunday, 14 February 2010

New Options In Data Protection Manager (DPM) 2010 RC…

Exchange admins who are/were backing up Exchange 2007 servers using Data Protection Manager (DPM) 2007 will have come across two issues: having to expand the volumes used for backups manually, and having to run a consistency check manually whenever the replica was in an inconsistent state.

Guess what? Those two issues have been fixed in DPM 2010 RC. The two options are enabled by default when you create a protection group in DPM 2010.

1. Automatically grow the volume when more disk space is required for protecting the items in the protection group.

[Screenshot: “Automatically grow the volumes” option]

2. Run a consistency check if the replica becomes inconsistent.

[Screenshot: “Run a consistency check if a replica becomes inconsistent” option]

A welcome fix indeed!

Friday, 12 February 2010

Forefront Threat Management Gateway (TMG) 2010 Capacity Planning Tool Released…

Looks like too many applications and tools are getting RTM’d, adding to the list is the Capacity Planning Tool for Forefront Threat Management Gateway (TMG) 2010.

The Forefront TMG 2010 Capacity Planning Tool, a Microsoft Excel spreadsheet with built-in workflow, allows you to calculate the WAN bandwidth and number of users a particular hardware configuration will support, and can recommend server hardware based on the features, bandwidth and users your deployment needs to support.

Download the tool here

Thursday, 11 February 2010

Office 2010 Release Candidate Now Available For Download For Beta Participants…

The Release Candidate (RC) bits of Office 2010 along with Office Web Applications are now available for technical beta participants via Connect. Microsoft is in the process of sending out invites for Office 2010 RC program. If you have received one, you can immediately download and evaluate Office 2010 RC before the public availability. Office 2010 RC is available in both 32 and 64-bit editions.

Tuesday, 9 February 2010

DPM 2010 RC Released…

The Release Candidate of Data Protection Manager (DPM) 2010 is available now. This version supports all the latest products including Exchange & SharePoint 2010.

Download the RC here

A good Q&A on DPM 2010 is available here

Monday, 8 February 2010

Dell’s Exchange 2010 Advisor Tool…

I had written an article previously explaining the HP & Dell sizing tools for Exchange 2007. HP has released a similar tool for Exchange 2010, more info here. Dell has followed suit and released a sizing advisor tool for Exchange 2010. Unlike the other sizing tools, the Dell Advisor is an online tool and hence solutions cannot be reused. The tool supports DAG and DAS/SAN-based storage.

Access the Exchange 2010 Advisor here

Sunday, 7 February 2010

Points To Note While Designing Database Availability Group…

I covered what to look for before creating a DAG in one of my previous articles. In this one, I am going to highlight the facts you need to consider while designing a Database Availability Group. Without going over the DAG feature again, let me list the points to note.

  • Each member of the DAG must be running the same operating system.
  • It is not supported to add an Exchange 2010 mailbox server that is also a directory server to a DAG.
  • A DAG can contain a mix of servers running Exchange 2010 Standard and Enterprise editions.
  • Each DAG must have no more than one MAPI network.
  • DAG members with a single NIC (for both MAPI & Replication) are supported.
  • Each DAG member must have the same number of networks. For example, if you use a single NIC in one DAG member, then all members of the DAG must also use single NIC.
  • Regardless of whether you use static or DHCP addresses, any IP address assigned to the DAG must be on the MAPI network.
  • DAG networks support IPv4 and IPv6. IPv6 is supported only when IPv4 is also used. A pure IPv6 environment is not supported.
  • Configure the network connection order so that the MAPI network is at the top of the connection order.
  • It is not a requirement that the version of operating system of the witness server should match the operating system used by the DAG members.
  • MAPI networks should be isolated from Replication networks.
  • Use static routes to configure connectivity across Replication networks.
  • When a DAG is extended across multiple datacenters, it should be designed so that either the majority of the DAG members are located in the primary datacenter or when each datacenter has the same number of members, the primary datacenter hosts the witness server.
  • Each time the DAG's MAPI network is extended across an additional subnet, an additional IP address for that subnet must be configured for the DAG.
  • Each IP address that is configured for the DAG is used by the failover cluster. The name of the DAG is also used as the name for the underlying failover cluster.
  • If the replication network fails and the MAPI network is unaffected, log shipping & seeding will revert to use the MAPI network. When the failed replication network is restored, log shipping & seeding will revert back to the replication network.
  • Each server in the DAG can be on a different subnet, but the MAPI and Replication networks must be routable and provide connectivity.
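A way to check an existing DAG against the network rules above, as an added example (not from the original article). It assumes a DAG named DAG1 and the Exchange 2010 cmdlets Get-DatabaseAvailabilityGroup and Get-DatabaseAvailabilityGroupNetwork, with the network objects exposing MapiAccessEnabled, ReplicationEnabled, IgnoreNetwork, Subnets and Interfaces (each interface carrying a NodeName) as the Shell displays them; a DHCP-addressed DAG reports 255.255.255.255 as its address and is skipped by the IP check.

```powershell
# Added example: check a DAG against the design rules listed above.
# Assumptions: DAG named "DAG1"; Get-DatabaseAvailabilityGroupNetwork objects carry
# MapiAccessEnabled, ReplicationEnabled, IgnoreNetwork, Subnets and Interfaces (with
# NodeName); a DHCP-addressed DAG shows 255.255.255.255 as its address.

function Test-DagNetworkDesign {
    param([string]$Identity)
    $dag      = Get-DatabaseAvailabilityGroup -Identity $Identity
    $networks = @(Get-DatabaseAvailabilityGroupNetwork -Identity $Identity |
                  Where-Object { -not $_.IgnoreNetwork })
    $findings = @()

    # Rule: no more than one MAPI network (and there must be one).
    $mapi = @($networks | Where-Object { $_.MapiAccessEnabled })
    if ($mapi.Count -ne 1) { $findings += "Expected exactly 1 MAPI network, found $($mapi.Count)" }

    # Rule: MAPI isolated from replication, unless this is a single-network DAG.
    if ($networks.Count -gt 1) {
        foreach ($n in $mapi) {
            if ($n.ReplicationEnabled) {
                $findings += "MAPI network $($n.Name) also carries replication; consider Set-DatabaseAvailabilityGroupNetwork -ReplicationEnabled `$false"
            }
        }
    }

    # Rule: every member must sit on the same number of networks.
    $perMember = @{}
    foreach ($s in $dag.Servers) {
        $node = $s.Name
        $perMember[$node] = @($networks | Where-Object {
            @($_.Interfaces | Where-Object { $_.NodeName -eq $node }).Count -gt 0 }).Count
    }
    if (@($perMember.Values | Sort-Object -Unique).Count -gt 1) {
        $detail = ($perMember.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ", "
        $findings += "Members sit on different numbers of networks: $detail"
    }

    # Rule: one DAG IP address per subnet the MAPI network spans (static addressing only).
    $ips = @($dag.DatabaseAvailabilityGroupIpAddresses | Where-Object { "$_" -ne "255.255.255.255" })
    $mapiSubnets = @($mapi | ForEach-Object { $_.Subnets }).Count
    if ($ips.Count -gt 0 -and $ips.Count -lt $mapiSubnets) {
        $findings += "MAPI network spans $mapiSubnets subnet(s) but only $($ips.Count) DAG IP address(es) configured"
    }

    if ($findings.Count -eq 0) { "OK: $Identity passes the network design checks" } else { $findings }
}

Test-DagNetworkDesign -Identity "DAG1"
```

The binding-order rule (MAPI network at the top of the connection order) lives in Windows networking on each member rather than in Exchange's view of the DAG, so it is not covered here and still has to be checked on the box.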

Saturday, 6 February 2010

Exchange 2010 Public Folders Are Not Protected By DAG…

Public folder replication is the process by which public folder content and hierarchy are replicated across multiple servers for fault tolerance. Public folder databases replicate two types of public folder information, hierarchy and content. Each public folder database retains a copy of the hierarchy, whereas content replicas exist only on the public folder databases that you configure. If you find that the public folder hierarchy on one server is different from the public folder hierarchy on other servers, you can synchronize the hierarchy using the Update-PublicFolderHierarchy cmdlet.

Unlike in Exchange 2007 (where CCR could replicate the public folder database if it was the only one in the org), you can't use continuous replication in Exchange 2010 to replicate public folders. In Exchange 2010, continuous replication is only for mailbox databases. A public folder database can be hosted on a mailbox server that is a member of a DAG, but for redundancy you must create multiple public folder databases across servers and configure public folder replication between them. A folder whose content has a single replica is unprotected no matter how many DAG copies its host server has.
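As an added example (not from the post), the check and the fix that follow from the point above: list the public folders whose content sits on a single public folder database, then add a second replica. It assumes two public folder databases named PFDB1 and PFDB2 and the Exchange 2010 Get-PublicFolder, Set-PublicFolder and Update-PublicFolderHierarchy cmdlets.

```powershell
# Added example: find public folders with a single content replica (no redundancy,
# since a DAG does not protect them) and add a second one.
# Assumptions: public folder databases "PFDB1" and "PFDB2" exist on different servers.

function Get-SingleReplicaPublicFolder {
    # Content folders only; the hierarchy itself exists on every public folder database.
    Get-PublicFolder -Identity "\" -Recurse -ResultSize Unlimited |
        Where-Object { "$($_.Identity)" -ne "\" -and @($_.Replicas).Count -lt 2 }
}

# Report first.
Get-SingleReplicaPublicFolder | Format-Table Identity, Replicas -AutoSize

# Then add whichever of the two databases is missing from each folder's replica list.
Get-SingleReplicaPublicFolder | ForEach-Object {
    $folder   = $_
    $replicas = @($folder.Replicas | ForEach-Object { $_.Name })
    foreach ($db in "PFDB1", "PFDB2") {
        if ($replicas -notcontains $db) { $replicas += $db }
    }
    Set-PublicFolder -Identity $folder.Identity -Replicas $replicas
}

# Push the hierarchy out so every server sees the same folder tree before re-running the report.
Update-PublicFolderHierarchy -Server (Get-PublicFolderDatabase | Select-Object -First 1).Server
```

Adding a replica to a large folder triggers a backfill of its content to the new database, so on a big hierarchy run the fix on a subtree at a time (change the "\" identity) rather than across the whole tree at once.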

Friday, 5 February 2010

Lagged Database Copies In Exchange 2010 DAG…

The concept of lagged database copies was introduced in Exchange 2007, implemented using Standby Continuous Replication (SCR). With SCR, we can delay the time when the logs have to be replayed to the SCR target. There is also the option of specifying truncation lag time, the option which allows us to delay the time before the log files are truncated. The maximum lag time for both the options is 7 days in Exchange 2007.

With an Exchange 2010 DAG, the lag time for both replaying and deleting the logs has been increased to 14 days. This is good if your company wants to go backup-less. Of course, the company has to be aware of the risk of going without backups, as lagged database copies can't be a solution for all recovery/restore issues: a lagged copy only helps with logical corruption you notice within the lag window, and the copy needs disk for up to 14 days of logs.

The two parameters you need to know are ReplayLagTime and TruncationLagTime. The ReplayLagTime parameter specifies the amount of time that the Exchange Replication Service should wait before replaying log files that have been copied to the database copy location. The format for this parameter is Days.Hours:Minutes:Seconds. The default value is zero seconds.

The TruncationLagTime parameter specifies the amount of time that Exchange Replication Service should wait before truncating the log files that have replayed into a database copy. The time period begins after the log has been successfully replayed into the database copy. The format for this parameter is Days.Hours:Minutes:Seconds.

The lag times can be configured either while setting up the database copy (Add-MailboxDatabaseCopy) or after setting up (Set-MailboxDatabaseCopy).

For example, to set up a copy of mailbox database MD1 on server Server1 with a replay lag time of 12 hours (0.12:00:00 in the Days.Hours:Minutes:Seconds format), run Add-MailboxDatabaseCopy -Identity "MD1" -MailboxServer "Server1" -ReplayLagTime 12:00:00

[Screenshot: Add-MailboxDatabaseCopy with ReplayLagTime]
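An added example (not the article's own) that builds on the Add-MailboxDatabaseCopy line above: it adds a lagged copy with the maximum lag, stops it from being activated automatically, and shows where the lag is visible. The names MD1 and Server3 and the activation preference of 3 are assumptions; it uses only the Exchange 2010 Add-MailboxDatabaseCopy, Suspend-MailboxDatabaseCopy, Get-MailboxDatabaseCopyStatus and Get-MailboxDatabase cmdlets.

```powershell
# Added example: a lagged copy that cannot be activated by accident.
# Assumptions: database "MD1" already has two non-lagged copies, "Server3" is a DAG
# member that will hold the lagged copy, and activation preference 3 is free.

$db     = "MD1"
$server = "Server3"

# Days.Hours:Minutes:Seconds. 7 days of replay lag, 14 days before logs are truncated.
Add-MailboxDatabaseCopy -Identity $db -MailboxServer $server `
    -ReplayLagTime ([TimeSpan]"7.00:00:00") -TruncationLagTime ([TimeSpan]"14.00:00:00") `
    -ActivationPreference 3

# A lagged copy is otherwise a valid automatic activation target. Block that: log copy and
# lagged replay carry on, but using the copy becomes a deliberate, manual decision.
Suspend-MailboxDatabaseCopy -Identity "$db\$server" -ActivationOnly -Confirm:$false

function Get-LagStatus {
    param([string]$Database, [string]$Server)
    # ReplayQueueLength grows to roughly 7 days of logs on this copy; that is the disk
    # you have to budget for. CopyQueueLength should still stay near zero.
    Get-MailboxDatabaseCopyStatus -Identity "$Database\$Server" |
        Select-Object Name, Status, ActivationSuspended, ReplayQueueLength, `
                      CopyQueueLength, LastInspectedLogTime
}

Get-LagStatus -Database $db -Server $server
Get-MailboxDatabase -Identity $db | Format-List ReplayLagTimes, TruncationLagTimes, ActivationPreference
```

ActivationSuspended should read True in the status output; a lagged copy without it is one failover away from becoming the active database with seven days of mail missing until the replay queue catches up.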

Thursday, 4 February 2010

Exchange 2010 Design Exam (70-663) Now Available…

The 70-663 exam, Pro: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 is now available for candidates wishing to progress to the Microsoft Certified IT Professional (MCITP) Enterprise Messaging Administrator 2010 certification.

[Screenshot: exam 70-663 listing]

This exam is designed for candidates who are responsible for the Exchange messaging environment in an enterprise environment. They are senior administrators who act as the technical lead over a team of administrators. These candidates are a third level of support between the Exchange Recipient Administrator and the Exchange Server Administrator.

More information about the exam including skills measured is available here

Candidates who had already booked the beta exam successfully, but eventually got cancelled by Prometric/Microsoft can get a voucher code for a free 70-663 exam. Check my previous article for more information.

Wednesday, 3 February 2010

Forefront 2010 For Exchange Provides DNS Blocklist (DNSBL) Out Of The Box…

The new Forefront version for Exchange Server provides a DNS blocklist service out of the box, which means you don't have to subscribe to third-party companies to get real-time blocklists. Forefront customers get the service for free. The Forefront DNSBL is an aggregated list of multiple feeds from various RBL providers combined into a single lookup and hosted by Forefront Security on its own DNS infrastructure. The feeds include both Microsoft internal contributing teams and external vendors like Spamhaus.

The DNSBL is enabled out of the box, with no manual work needed from the administrator to configure or maintain the filter; it starts working immediately after setup. It is still advisable to check that the selection box is ticked in the Forefront console.

[Screenshot: DNSBL option in the Forefront console]

The query from the DNSBL agent to the DNSBL provider is encrypted so that the data cannot be used by non-Forefront customers; only the Forefront agent knows how to encrypt & decrypt the query. This protects the list from unlicensed use; it is not a confidentiality feature for your mail flow.

A welcome feature and one more reason to deploy Forefront 2010 for Exchange!

Tuesday, 2 February 2010

Setting Maximum Active Databases Limit On Exchange 2010 DAG Members…

Many Exchange admins will be a bit confused when it comes to designing an Exchange 2010 environment with a large number of users and three or more copies of each database. The question is how to design the 2010 system to withstand the worst possible failure and still provide a good experience for the users during a failover.

One design recommended by Microsoft is to design for all database copies to be activated. For example, if you have 30 databases (active & passive together) hosted on one server, then the design should meet the processor and memory requirements for all those 30 databases becoming active on that server during a failure. This is the safest possible design but will be very expensive.

Another approach recommended by Microsoft is to design for targeted failure scenarios. A simple rule is to design for automatic single node failure in a two node configuration, double node failure in a three server configuration (manual activation for the second failure) and automatic double node failure where the DAG has four or more nodes. The appropriate number of database copies is required to meet each of these configurations, and the copies should be randomly & evenly distributed. In this design approach, it is recommended to restrict the number of databases that can be activated on a server during a failover, so that the server doesn't activate more databases than it was designed to handle and thereby give a very poor user experience.

You can configure a hard limit for the number of databases that can be activated using the cmdlet below. To limit the server to 25 active databases, run

Set-MailboxServer -Identity "servername" -MaximumActiveDatabases 25

Once the maximum is reached, further database copies on that server won't be activated by a failover or switchover, and the server won't mount additional databases. The limit applies to manual switchovers as well, so bringing up more databases after a failure beyond the one you designed for means raising the limit deliberately. This is something that needs to be looked into while designing a highly available, high performance Exchange 2010 environment.
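An added example (not from the post) that derives the limit from the copy layout rather than picking a number. The simulation works on a constructed layout and runs in any PowerShell; the final step applies the numbers with Set-MailboxServer only when the Exchange cmdlets are present. Server and database names are constructed. For real data, the per-database activation order would come from Get-MailboxDatabase's ActivationPreference property, which is assumed here to be a list of server/number pairs.

```powershell
# Added example: size MaximumActiveDatabases from the copy layout.
# Constructed sample: 3 DAG members, 6 databases, 3 copies each, evenly distributed,
# listed in activation-preference order. Each member normally hosts 2 active databases.
$layout = @{
    'DB01' = @('MBX1','MBX2','MBX3'); 'DB02' = @('MBX2','MBX3','MBX1')
    'DB03' = @('MBX3','MBX1','MBX2'); 'DB04' = @('MBX1','MBX3','MBX2')
    'DB05' = @('MBX2','MBX1','MBX3'); 'DB06' = @('MBX3','MBX2','MBX1')
}
# Real data (assumed property shape, untested here):
#   Get-MailboxDatabase | ForEach-Object {
#       $layout[$_.Name] = @($_.ActivationPreference | Sort-Object Value | ForEach-Object { $_.Key.Name }) }

function Get-FailureSets {
    # Every way of losing 1 or 2 members at once: the post's automatic-failure targets.
    param([string[]]$Servers, [int]$Failures)
    if ($Failures -lt 1 -or $Failures -gt 2) { throw "Only 1 or 2 simultaneous failures are modelled" }
    $sets = New-Object System.Collections.ArrayList
    for ($i = 0; $i -lt $Servers.Count; $i++) {
        if ($Failures -eq 1) { [void]$sets.Add(@($Servers[$i])); continue }
        for ($j = $i + 1; $j -lt $Servers.Count; $j++) { [void]$sets.Add(@($Servers[$i], $Servers[$j])) }
    }
    return ,$sets
}

function Get-WorstCaseActives {
    # Worst number of active databases each surviving member takes on, across all failure sets,
    # assuming the next copy in preference order is the one activated.
    param([hashtable]$Layout, [int]$Failures)
    $servers = @($Layout.Values | ForEach-Object { $_ } | Sort-Object -Unique)
    $worst = @{}; foreach ($s in $servers) { $worst[$s] = 0 }
    $lost = @()
    foreach ($failed in (Get-FailureSets -Servers $servers -Failures $Failures)) {
        $active = @{}
        foreach ($db in $Layout.Keys) {
            $survivors = @($Layout[$db] | Where-Object { $failed -notcontains $_ })
            if ($survivors.Count -eq 0) { $lost += "$db has no copy left if $($failed -join '+') fail"; continue }
            if (-not $active.ContainsKey($survivors[0])) { $active[$survivors[0]] = 0 }
            $active[$survivors[0]]++
        }
        foreach ($s in $active.Keys) { if ($active[$s] -gt $worst[$s]) { $worst[$s] = $active[$s] } }
    }
    New-Object PSObject -Property @{ WorstActives = $worst; Unprotected = $lost }
}

# Design target for this sample: one automatic failure. Each member then carries 3.
$result = Get-WorstCaseActives -Layout $layout -Failures 1
$result.WorstActives.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$result.Unprotected

# Apply: cap each member at the number it was sized for. A copy beyond the cap stays
# dismounted instead of dragging the server down for every user on it.
if (Get-Command Set-MailboxServer -ErrorAction SilentlyContinue) {
    foreach ($s in $result.WorstActives.Keys) {
        Set-MailboxServer -Identity $s -MaximumActiveDatabases $result.WorstActives[$s]
    }
}
```

Re-running the simulation with -Failures 2 shows the cost of the "manual activation for the second failure" rule: in this sample the single survivor would have to host all 6 databases, and with the cap at 3 the other three stay down until an administrator raises MaximumActiveDatabases on purpose, which is exactly the behaviour the design asks for.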