30 October 2013

Automatically enable users in a particular OU for Lync 2010

I was trying to get Forefront Identity Manager to provision a new user and enable Lync for this user through provisioning code.
Turns out this is not a supported feature, and it can only be done through codeless provisioning.

A way to do this is by running a script on the Lync front-end server.
The script searches all users in a specific OU and checks whether the Lync "Enabled" attribute is set to true.
If it is not (blank or false), the user is enabled for Lync on the given registrar pool, with a SIP address derived from the user's email address.
Note that OU membership is the only gate here: every account in that OU that is not yet enabled gets a SIP identity, so whoever can move accounts into the OU effectively decides who gets Lync.

The script:

# Load the Lync Server 2010 module (default install path)
import-module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'
# Enabled is $null for users never enabled for Lync, so -ne $True catches them as well as explicitly disabled ones
get-csaduser -filter {Enabled -ne $True} -OU "ou=Employees,dc=domain,dc=lan" | Enable-CsUser -RegistrarPool lyncpool.domain.lan -SipAddressType EmailAddress
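The same enablement, as an added example rather than the post's own script, with the safeguards a scheduled run on the front end wants: AD-disabled accounts parked in the OU are skipped, accounts without a mail attribute (which -SipAddressType EmailAddress needs) are skipped, every decision is logged, and a dry run is possible. The OU and pool are the post's values; the log path and function name are assumptions.

```powershell
# Added example (not the post's script). OU/pool as in the post; log path assumed.
Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'

function Enable-LyncUsersInOU {
    param(
        [string]$OU   = 'ou=Employees,dc=domain,dc=lan',   # assumed OU, as in the post
        [string]$Pool = 'lyncpool.domain.lan',             # assumed registrar pool FQDN
        [string]$Log  = 'C:\Temp\lync-enable.log',         # assumed log path
        [switch]$DryRun                                    # report only, change nothing
    )

    # Enabled is $null for users that were never Lync-enabled, so -ne $True
    # picks up both "never enabled" and explicitly disabled Lync users.
    $candidates = Get-CsAdUser -OU $OU -Filter {Enabled -ne $True} -ResultSize Unlimited

    foreach ($u in $candidates) {
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

        # Bit 2 of userAccountControl is ACCOUNTDISABLE: a leaver whose account
        # still sits in this OU must not silently receive a SIP identity.
        if (([int]$u.UserAccountControl -band 2) -ne 0) {
            Add-Content -Path $Log -Value "$stamp SKIP $($u.SamAccountName): AD account disabled"
            continue
        }

        # -SipAddressType EmailAddress derives sip: from the mail attribute.
        if ([string]$u.WindowsEmailAddress -eq '') {
            Add-Content -Path $Log -Value "$stamp SKIP $($u.SamAccountName): no email address"
            continue
        }

        if ($DryRun) {
            Add-Content -Path $Log -Value "$stamp WOULD ENABLE $($u.SamAccountName) as sip:$($u.WindowsEmailAddress) on $Pool"
            continue
        }

        try {
            $u | Enable-CsUser -RegistrarPool $Pool -SipAddressType EmailAddress -ErrorAction Stop
            Add-Content -Path $Log -Value "$stamp ENABLED $($u.SamAccountName) as sip:$($u.WindowsEmailAddress) on $Pool"
        } catch {
            Add-Content -Path $Log -Value "$stamp FAILED $($u.SamAccountName): $($_.Exception.Message)"
        }
    }
}

# Dry run first and read the log; then run it for real (e.g. from a scheduled task).
Enable-LyncUsersInOU -DryRun
# Enable-LyncUsersInOU
```

The log is the audit trail for an automated identity change, so it records skips and failures, not only successes; review it after the first dry run before letting the task run unattended.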



Source

Forefront Protection Server Management Console 2010 403 forbidden

Trouble accessing your newly installed Forefront Protection for Exchange 2010 management console from a remote machine through the browser?

After a fresh install, Forefront does not let you open the front page of the management console out of the box.

If you try, you get a 403 Forbidden.


After adding your user account to the local Administrators group on the server, you are able to access the front page. Keep in mind that local Administrators grants full control of the server, not just the console, so limit this to the accounts that actually administer Forefront.

08 October 2013

How to Install Updates on Exchange Server 2010 Database Availability Groups

This one is a must-read for every Exchange admin. Thanks to Paul Cunningham, who posted this excellent article on how to, and why you should, use the DAG maintenance scripts provided by Microsoft.

How to Install Updates on Exchange Server 2010 Database Availability Groups

  
An Exchange Server 2010 Database Availability Group (DAG) provides several benefits to an organization, primarily that of continuous availability of mailbox databases.
To update the DAG members with new patches, update rollups or service packs, the update process should be managed to prevent all of the DAG members from being offline at the same time.
To do this you can move the active mailbox databases off a particular server so that it can be patched, and if necessary rebooted, without causing any downtime for mailbox users on that database.
This tutorial demonstrates how to update the servers in an Exchange Server 2010 Database Availability Group without causing downtime. Because this process differs depending on the version of Exchange Server 2010 you’re running I’ve covered each method here.
  • Preparing an Exchange Server 2010 RTM DAG member for updates, or
  • Preparing an Exchange Server 2010 SP1 DAG member for updates
  • Stopping Conflicting Services
  • Disabling Server Monitoring
  • Updating the Server
  • Verifying the Update
  • Returning an Exchange Server 2010 RTM DAG member to production, or
  • Returning an Exchange Server 2010 SP1 DAG member to production
For this tutorial Update Rollup 4 for Exchange Server 2010 is being installed.

Preparing an Exchange Server 2010 RTM DAG Member for Updates

The first step is to move active mailbox databases to another DAG member so that the server can be updated.
To see a list of mailbox databases and their current active server use the Get-MailboxDatabase cmdlet.

[PS] C:\>Get-MailboxDatabase

Name                           Server          Recovery        ReplicationType
----                           ------          --------        ---------------
Mailbox Database 02            EX1             False           Remote
Mailbox Database 01            EX2             False           Remote

In this example I want to apply updates to server EX1, and I can see that it currently hosts the active copy of Mailbox Database 02.
If your environment has a lot of DAG members and mailbox databases you can refine this query to only show active mailbox databases for a specific server.
 
[PS] C:\>Get-MailboxDatabase | where {$_.Server -eq "EX1"}

Name                           Server          Recovery        ReplicationType
----                           ------          --------        ---------------
Mailbox Database 02            EX1             False           Remote

Move the mailbox databases using the Move-ActiveMailboxDatabase cmdlet.
 
[PS] C:\>Move-ActiveMailboxDatabase "Mailbox Database 02" -ActivateOnServer EX2

Confirm
Are you sure you want to perform this action?
Moving mailbox database "Mailbox Database 02" from server "ex1.exchangeserverpro.local" to server
"EX2.exchangeserverpro.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Identity        ActiveServerAtS ActiveServerAtE Status     NumberOfLogsLost   RecoveryPoint MountStatus MountStatus
                tart            nd                                            Objective     AtMoveStart AtMoveEnd
--------        --------------- --------------- ------     ----------------   ------------- ----------- -----------
Mailbox Data... ex1             ex2             Succeeded  0                  14/09/2010... Mounted     Mounted

All of the mailbox databases are now active on server EX2.
 
[PS] C:\>Get-MailboxDatabase

Name                           Server          Recovery        ReplicationType
----                           ------          --------        ---------------
Mailbox Database 02            EX2             False           Remote
Mailbox Database 01            EX2             False           Remote

As another example, if there were multiple databases active on a server you can move all of them with a single command.
 
[PS] C:\>Get-MailboxDatabase | where {$_.Server -eq "EX1"} | Move-ActiveMailboxDatabase -ActivateOnServer EX2 -Confirm:$false

Identity        ActiveServerAtS ActiveServerAtE Status     NumberOfLogsLost   RecoveryPoint MountStatus MountStatus
                tart            nd                                            Objective     AtMoveStart AtMoveEnd
--------        --------------- --------------- ------     ----------------   ------------- ----------- -----------
Mailbox Data... ex1             ex2             Succeeded  0                  14/09/2010... Mounted     Mounted
Mailbox Data... ex1             ex2             Succeeded  0                  14/09/2010... Mounted     Mounted

Note the use of -Confirm:$false to avoid having to confirm each move. Use this option with caution.
After moving all active mailbox databases off the server that you are planning to update, the final preparation step is to block activation on the server to prevent it from automatically reactivating a database copy while you are performing maintenance.
First check the current activation policy on the server using Get-MailboxServer, and note the value so you can restore it afterwards.
 
[PS] C:\>Get-MailboxServer EX1 | fl Name,DatabaseCopyAutoActivationPolicy

Name                             : EX1
DatabaseCopyAutoActivationPolicy : Unrestricted

Next, use Set-MailboxServer to block activation.

[PS] C:\>Set-MailboxServer EX1 -DatabaseCopyAutoActivationPolicy Blocked
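The RTM preparation steps above, wrapped into one function as an added example (not part of the tutorial), with the checks you want before pulling a node out of a DAG: the target's copies must be healthy with no replication backlog before anything is moved, the move is verified by re-reading the active server rather than trusting the cmdlet's return object, and the previous activation policy is returned so it can be restored exactly. Server names, the function name and the queue thresholds are assumptions.

```powershell
# Added example, not the tutorial's code. EX1/EX2 and the thresholds are assumed.
function Start-RtmDagMaintenance {
    param(
        [Parameter(Mandatory=$true)][string]$Server,        # node to patch, e.g. EX1
        [Parameter(Mandatory=$true)][string]$TargetServer   # node that takes the load, e.g. EX2
    )

    # 1. Never fail over onto a broken copy. Every copy on the target must be
    #    Healthy (passive) or Mounted (already active), with a small backlog at most.
    $unhealthy = Get-MailboxDatabaseCopyStatus -Server $TargetServer | Where-Object {
        ([string]$_.Status -ne 'Healthy' -and [string]$_.Status -ne 'Mounted') -or
        $_.CopyQueueLength -gt 10 -or $_.ReplayQueueLength -gt 10      # assumed thresholds
    }
    if ($unhealthy) {
        $unhealthy | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize |
            Out-String | Write-Warning
        throw "Copies on $TargetServer are not ready; not moving databases off $Server"
    }

    # 2. Move every database whose active copy is on $Server (Server = active node).
    $active = Get-MailboxDatabase | Where-Object { $_.Server -eq $Server }
    foreach ($db in $active) {
        Move-ActiveMailboxDatabase -Identity $db.Name -ActivateOnServer $TargetServer -Confirm:$false
    }

    # 3. Re-read the directory: nothing may still be active here before we block activation.
    $left = Get-MailboxDatabase | Where-Object { $_.Server -eq $Server }
    if ($left) {
        throw ("Still active on {0}: {1}" -f $Server, (($left | ForEach-Object { $_.Name }) -join ', '))
    }

    # 4. Record the current policy so it can be restored exactly, then block activation so
    #    a failover during the reboot cannot land a database on a half-patched node.
    $previous = (Get-MailboxServer -Identity $Server).DatabaseCopyAutoActivationPolicy
    Set-MailboxServer -Identity $Server -DatabaseCopyAutoActivationPolicy Blocked
    return $previous
}

# Usage: keep the returned policy for the return-to-production step.
$policyBefore = Start-RtmDagMaintenance -Server EX1 -TargetServer EX2
```

Step 1 is the one most often skipped by hand: moving a database onto a copy with a large replay queue turns a planned maintenance window into an unplanned outage.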

Preparing an Exchange Server 2010 SP1 DAG Member for Updates

For Exchange 2010 with Service Pack 1 the process is a little easier thanks to some scripts provided by Microsoft. Open the Exchange Management Shell and navigate to the scripts folder on the Exchange server.
 
cd $exscripts

Next run the StartDagServerMaintenance.ps1 PowerShell script.
 
.\StartDagServerMaintenance.ps1 -serverName ho-ex2010-mb1

The script will automatically do the following tasks for you:
  • Calls Suspend-MailboxDatabaseCopy on the database copies.
  • Pauses the node in Failover Clustering so that it can not become the Primary Active Manager.
  • Suspends database activation on each mailbox database.
  • Sets the DatabaseCopyAutoActivationPolicy to Blocked on the server.
  • Moves databases and cluster group off of the designated server.

Stopping Conflicting Services

If the mailbox server is running any Exchange-integrated services, such as antivirus software, these should be disabled prior to the update.
For example to disable Forefront use the FSUtility command.
 
C:\> fsutility /disable

Another example is Data Protection Manager 2010, which may be configured to perform Copy backups from passive database copies at frequent intervals through the day. Make sure these jobs are paused to prevent errors or conflicts from occurring.

Disabling Server Monitoring

If the DAG members are monitored using SCOM or a similar system then this should also be disabled or placed into maintenance mode.
This will prevent alarms from being raised as well as prevent any automatic remediation actions from being run by the monitoring agent that may cause the server updates to fail.

Updating the Server

Install the update following the deployment notes for that update type.
Update rollups come in the form of a .MSP file (Windows Installer Patch) that is applied to the server. Simply double-click the file or launch it from a command line window.
Service packs are a complete reissue of the Exchange Server setup files and are installed by running setup in upgrade mode, which can be run in either graphical or command line mode.
 
C:\> setup /m:upgrade

Both update rollups and service packs can take some time to install, so plan a large window of time for these updates.


Verifying the Update

After the update has completed, and if necessary the server rebooted, you should check the server’s health before placing it back into production in the DAG.
  • Event Logs – look for error or warning events that have started since the update was applied.
  • Setup Logs – service packs write a complete setup log file to C:\ExchangeSetupLogs
  • Services – check the Exchange services are running (or at least those that you expect to be running; some, such as IMAP and POP, will be stopped if you have not explicitly enabled them)
 
[PS] C:\>Get-Service *exchange*

Status   Name               DisplayName
------   ----               -----------
Running  MSExchangeADTop... Microsoft Exchange Active Directory...
Running  MSExchangeIS       Microsoft Exchange Information Store
Running  MSExchangeMailb... Microsoft Exchange Mailbox Assistants
Running  MSExchangeMailS... Microsoft Exchange Mail Submission
Stopped  MSExchangeMonit... Microsoft Exchange Monitoring
Running  MSExchangeRepl     Microsoft Exchange Replication
Running  MSExchangeRPC      Microsoft Exchange RPC Client Access
Running  MSExchangeSA       Microsoft Exchange System Attendant
Running  MSExchangeSearch   Microsoft Exchange Search Indexer
Running  MSExchangeServi... Microsoft Exchange Service Host
Running  MSExchangeThrot... Microsoft Exchange Throttling
Running  MSExchangeTrans... Microsoft Exchange Transport Log Se...
Running  msftesql-Exchange  Microsoft Search  (Exchange)
Running  vmickvpexchange    Hyper-V Data Exchange Service
Stopped  wsbexchange        Microsoft Exchange Server Extension...

Returning an Exchange Server 2010 RTM DAG Member to Production

If the update was successful and the server healthy then it can be placed back into production.
Re-enable services such as Forefront Protection for Exchange.
 
C:\> fsutility /enable

Re-enable monitoring agents and alarms for the server.
Set the server’s activation policy back to its original setting.
 
[PS] C:\>Set-MailboxServer EX1 -DatabaseCopyAutoActivationPolicy Unrestricted

At this stage you might move all of the active mailbox databases to the server that was just updated so that you can update the other servers in the DAG. After all of the DAG members have been updated it is likely that mailbox databases will be active on servers that are not their first activation preference.
For Exchange Server 2010 RTM you can view the activation preferences for each database, and manually move active mailbox databases to their preferred server.
 
[PS] C:\>Get-MailboxDatabase | fl name,activationpreference

Name                 : Mailbox Database 02
ActivationPreference : {[EX2, 1], [EX1, 2]}

Name                 : Mailbox Database 01
ActivationPreference : {[EX1, 1], [EX2, 2]}

[PS] C:\>Move-ActiveMailboxDatabase "Mailbox Database 01" -ActivateOnServer EX1

Confirm
Are you sure you want to perform this action?
Moving mailbox database "Mailbox Database 01" from server "EX2.exchangeserverpro.local" to server
"ex1.exchangeserverpro.local".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Identity        ActiveServerAtS ActiveServerAtE Status     NumberOfLogsLost   RecoveryPoint MountStatus MountStatus
                tart            nd                                            Objective     AtMoveStart AtMoveEnd
--------        --------------- --------------- ------     ----------------   ------------- ----------- -----------
Mailbox Data... ex2             ex1             Succeeded  0                  14/09/2010... Mounted     Mounted
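The "Verifying the Update" checks and the RTM return-to-production steps above, combined into one added example (not the tutorial's code): a health test that refuses to unblock a node failing any check, a return step that restores the exact policy seen before maintenance, and a rebalance that moves each database back to its activation preference 1 server while skipping servers that are still blocked. The service list, queue thresholds, function names and the idea of recording the update start time are assumptions.

```powershell
# Added example, not the tutorial's code. Service list and thresholds are assumptions.
function Test-DagMemberHealth {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][datetime]$Since   # when the update was started
    )
    $problems = @()

    # Services a DAG mailbox server must have running (IMAP/POP deliberately not listed).
    $required = 'MSExchangeADTopology', 'MSExchangeIS', 'MSExchangeRepl',
                'MSExchangeSA', 'MSExchangeMailboxAssistants'
    foreach ($name in $required) {
        $svc = Get-Service -ComputerName $Server -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { $problems += "service $name is not running" }
    }

    # Copies on the patched node should be Healthy or Mounted with the backlog drained.
    foreach ($copy in Get-MailboxDatabaseCopyStatus -Server $Server) {
        $state = [string]$copy.Status
        if (($state -ne 'Healthy' -and $state -ne 'Mounted') -or
            $copy.CopyQueueLength -gt 10 -or $copy.ReplayQueueLength -gt 10) {
            $problems += "copy $($copy.Name): $state, copy queue $($copy.CopyQueueLength), replay queue $($copy.ReplayQueueLength)"
        }
    }

    # Replication checks (cluster service, quorum, replay service, copy state, ...).
    foreach ($t in Test-ReplicationHealth -Identity $Server | Where-Object { [string]$_.Result -ne 'Passed' }) {
        $problems += "Test-ReplicationHealth $($t.Check): $($t.Result) $($t.Error)"
    }

    # Critical/error events written since the update began (Level 1 = Critical, 2 = Error).
    $events = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Application'; Level = 1, 2; StartTime = $Since }
    foreach ($e in $events) {
        $problems += ("event {0} from {1} at {2}: {3}" -f $e.Id, $e.ProviderName, $e.TimeCreated, ($e.Message -split "`n")[0])
    }
    return $problems
}

function Stop-RtmDagMaintenance {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][datetime]$UpdateStarted,
        [string]$RestorePolicy = 'Unrestricted'   # the value recorded before blocking
    )
    $problems = Test-DagMemberHealth -Server $Server -Since $UpdateStarted
    if ($problems) {
        throw ("Not returning $Server to production:`n  " + ($problems -join "`n  "))
    }
    Set-MailboxServer -Identity $Server -DatabaseCopyAutoActivationPolicy $RestorePolicy
}

function Restore-PreferredActivation {
    # RTM equivalent of what SP1's RedistributeActiveDatabases.ps1 does by activation preference.
    foreach ($db in Get-MailboxDatabase | Where-Object { $_.ReplicationType -eq 'Remote' }) {
        $preferred = ($db.ActivationPreference | Sort-Object Value | Select-Object -First 1).Key.Name
        if ($db.Server.Name -eq $preferred) { continue }
        $policy = (Get-MailboxServer -Identity $preferred).DatabaseCopyAutoActivationPolicy
        if ([string]$policy -eq 'Blocked') {
            Write-Warning "$($db.Name): preferred server $preferred is still blocked, leaving it on $($db.Server.Name)"
            continue
        }
        Move-ActiveMailboxDatabase -Identity $db.Name -ActivateOnServer $preferred -Confirm:$false
    }
}

# Usage (EX1 just patched; $policyBefore is what the preparation step recorded):
# $started = Get-Date     # taken before launching the rollup installer
# Stop-RtmDagMaintenance -Server EX1 -UpdateStarted $started -RestorePolicy $policyBefore
# Restore-PreferredActivation
```

Run Restore-PreferredActivation only once every DAG member has been updated; running it between servers would move databases back onto the node you are about to patch next.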

Returning an Exchange Server 2010 SP1 DAG Member to Production

Once again Exchange 2010 with Service Pack 1 makes this task easier thanks to a script provided by Microsoft. Open the Exchange Management Shell and navigate to the scripts folder on the Exchange server.
 
cd $exscripts

Next run the StopDagServerMaintenance.ps1 PowerShell script.
 
.\StopDagServerMaintenance.ps1 -serverName ho-ex2010-mb1

The script automatically reverses each of the actions made by StartDagServerMaintenance.ps1, except that it does not move active mailbox databases back to the server.
To move the active mailbox databases you can continue to go to each mailbox server in the DAG, run StartDagServerMaintenance.ps1 and perform your updates. When all of the servers have been updated you can rebalance the DAG automatically using Microsoft's RedistributeActiveDatabases.ps1 script from the same scripts folder (the original article links to a separate demonstration of it).

07 October 2013

Adding multiple Remote IP Addresses to existing Receive Connectors

I had to add a lot of IP addresses to our receive connector, without overwriting the existing IP addresses in the receive connector.
For that I came across this excellent PowerShell script that does just that:
<#
.DESCRIPTION
   Simple Powershell script that can bulk import remote IP ranges from a text file in a determined Exchange Receive Connector.
   The Import of the Remote IP ranges maintains the original values which are already present on the Selected Connector.
.PARAMETERS
   None - execute directly from the Exchange Management Shell
.Version
 0.1
.Author
 Andy Grogan
 http://www.telnetport25.com
.Compatibility
   Exchange 2007
   Exchange 2010
   Exchange 2013
.Release Date
 Jan 2013
#>

function Select-FileDialog 
{
      param([string]$Title,[string]$Directory,[string]$Filter="Text Files (*.txt)|*.txt")
      [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
      $objForm = New-Object System.Windows.Forms.OpenFileDialog
      $objForm.InitialDirectory = $Directory
      $objForm.Filter = $Filter
      $objForm.Title = $Title
      $objForm.ShowHelp = $true
      
      $Show = $objForm.ShowDialog()
      
      if ($Show -eq "OK")
      {
            return $objForm.FileName
      }
      else
      {
            exit
      }
}

function get_RecConnector{

 $RecConns = Get-ReceiveConnector | Select -ExpandProperty Identity
 $Count = 0;
 Write-Host "Bulk Import of Remote IP Addresses for Exchange Receive Connectors" -ForegroundColor Green
 Write-Host "Version 0.1" -ForegroundColor Green
 Write-Host "www.telnetport25.com" -ForegroundColor Green
 Write-Host ""
 Write-Host "Detected Receive Connectors: " -ForegroundColor Cyan
 Write-Host ""
 foreach($Connector in $RecConns){
  Write-Host $Count "." $Connector -ForegroundColor White
  $Count ++
 }
 Write-Host ""
 $Choice = Read-Host "Please select the Receive Connector that you wish to work with."
 Write-Host ""
 import_RemoteIPRanges $RecConns[$Choice]
}

function import_RemoteIPRanges{

 param($ConnectorID)
 
 $FileName = Select-FileDialog "Open IP Range Text File..."
 $IPs = Get-Content $FileName
 
  foreach($IP in $IPs){
   $IP = $IP.Trim()
   if (-not $IP) { continue }   # skip blank lines in the input file
   Write-Host "Adding IP Address :" $IP " to "$ConnectorID -ForegroundColor Cyan
        # Re-read the connector each time so the new entry is appended to the current list
        $Rcnn = Get-ReceiveConnector "$ConnectorID"
        $Rcnn.RemoteIPRanges += $IP
        Set-ReceiveConnector "$ConnectorID" -RemoteIPRanges $Rcnn.RemoteIPRanges

  }
}

get_RecConnector
Write-Host ""
Write-Host "Script Completed." -ForegroundColor Yellow

Source

Export Receive connector RemoteIpRanges

Backing up your Receive connector RemoteIpRanges seems like a good idea, to me at least.
We currently have several hundred IP addresses added to our relay connector.

Losing all that work through someone's mistake would take a lot of work to recreate.

So here's how to do it:

First raise the enumeration limit; otherwise, once more than 16 IP addresses are added to your connector, the PowerShell output is truncated:
[PS] C:\>Get-ReceiveConnector "Relay Connector" | fl remoteipranges


RemoteIPRanges : {10.0.0.14, 10.0.0.20, 10.0.0.19, 10.0.0.18, 10.0.0.17, 10.0.0
                 .16, 10.0.0.15, 10.0.0.10, 10.0.0.9, 10.0.0.8, 10.0.0.7, 10.0.
                 0.6, 10.0.0.5, 10.0.0.4, 10.0.0.13, 10.0.0.12...}
As you can see, the ...} at the end of the output means there is more than PowerShell shows.

To remove the limit for your current PowerShell session:
$FormatEnumerationLimit = -1

Now we can write the full list to a file:
[PS] C:\>Get-ReceiveConnector "sr-XXXXX\smtp relay" | fl remoteipranges | out-file "d:\temp\smtp relay sr-XXXX.txt"
This file can be edited to your needs. Note that fl output is display formatting (wrapped and indented); for a file you can feed straight back into Set-ReceiveConnector, export the values one per line instead.
Source
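An export and import pair covering both the bulk-import post above and this backup post, as an added example that is not part of either post. Export writes the ranges one per line with no display formatting, so the file restores cleanly; Import reads such a file, rejects anything that is not an IP address, CIDR block or address range (a typo in a relay allow-list is a silent hole), skips entries already present, writes the connector once instead of once per line, and supports -WhatIf. The connector name, file paths and function names are assumptions.

```powershell
# Added example, not from either post. Connector name and paths are assumed.
function Test-IPRangeText {
    param([Parameter(Mandatory=$true)][string]$Text)
    # One address: IPv6 contains ':', IPv4 must be a full dotted quad
    # ([IPAddress]::TryParse alone would accept shorthand such as "10").
    function Test-Addr([string]$a) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($a, [ref]$parsed)) { return $false }
        if ($a -match ':') { return $true }
        return ($a -match '^\d{1,3}(\.\d{1,3}){3}$')
    }
    switch -regex ($Text) {
        '^(.+)/(\d{1,3})$' {                       # CIDR block
            $addr = $Matches[1]; $prefix = [int]$Matches[2]
            $max = if ($addr -match ':') { 128 } else { 32 }
            return ((Test-Addr $addr) -and $prefix -le $max)
        }
        '^([^-]+)-([^-]+)$' {                      # start-end range
            $lo = $Matches[1]; $hi = $Matches[2]
            return ((Test-Addr $lo) -and (Test-Addr $hi))
        }
        default { return (Test-Addr $Text) }       # single address
    }
}

function Export-ReceiveConnectorRanges {
    param([Parameter(Mandatory=$true)][string]$Connector,
          [Parameter(Mandatory=$true)][string]$Path)
    $rc = Get-ReceiveConnector -Identity $Connector
    # IPRange.ToString() yields the canonical text Set-ReceiveConnector accepts back.
    @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) | Set-Content -Path $Path
    Write-Host ("Exported {0} entries from '{1}' to {2}" -f @($rc.RemoteIPRanges).Count, $rc.Identity, $Path)
}

function Import-ReceiveConnectorRanges {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Connector,
          [Parameter(Mandatory=$true)][string]$Path)
    $rc = Get-ReceiveConnector -Identity $Connector
    $existing = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $toAdd = @()
    foreach ($line in @(Get-Content -Path $Path | Where-Object { $_ })) {   # drops blank lines
        $entry = $line.Trim()
        if (-not $entry -or $entry.StartsWith('#')) { continue }              # comments
        if (-not (Test-IPRangeText $entry)) {
            Write-Warning "Rejected '$entry': not an IP address, CIDR block or range"
            continue
        }
        if ($existing -contains $entry -or $toAdd -contains $entry) { continue }   # already there
        $toAdd += $entry
    }
    if ($toAdd.Count -eq 0) { Write-Host "Nothing to add to '$Connector'"; return }
    # On a relay connector this list decides who may relay, so review it before applying.
    if ($PSCmdlet.ShouldProcess($Connector, "add $($toAdd.Count) remote IP range(s): $($toAdd -join ', ')")) {
        Set-ReceiveConnector -Identity $Connector -RemoteIPRanges ($existing + $toAdd)
    }
}

# Usage (assumed names):
# Export-ReceiveConnectorRanges -Connector 'EX1\Relay Connector' -Path 'D:\temp\relay-ranges.txt'
# Import-ReceiveConnectorRanges -Connector 'EX1\Relay Connector' -Path 'D:\temp\new-ranges.txt' -WhatIf
```

The duplicate check compares text only, so "10.0.0.0/24" and an existing "10.0.0.5" are both kept; overlapping ranges are harmless to the connector but worth spotting in the exported file when you review it.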