Things that frequently get forgotten when migrating


Public Folders are not replicated or moved

To replicate public folders:

Use either PFDAVADMIN or Exchange System Manager (ESM) from 2003

PFDAVADMIN


ESM

  • You can set the replication partners on each folder by right clicking the folder -> Properties -> Replication tab -> Add
  • Or by right clicking the folder -> All Tasks -> Manage Settings -> Next -> Modify list of replica servers -> Add servers

To move public folder replicas

  • From Exchange PowerShell: .\MoveAllReplicas.ps1 -Server <MySourceServer> -NewServer <MyTargetServer>

Exchange Team Article on the matter http://msexchangeteam.com/archive/2007/07/09/445967.aspx

Address Lists are not upgraded

To upgrade all address lists: (Just the default lists)

Set-EmailAddressPolicy "Default Policy" -IncludedRecipients AllRecipients
Set-AddressList "All Users" -IncludedRecipients MailboxUsers
Set-AddressList "All Groups" -IncludedRecipients MailGroups
Set-AddressList "All Contacts" -IncludedRecipients MailContacts
Set-AddressList "Public Folders" -RecipientFilter { RecipientType -eq 'PublicFolder' }
Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}
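Before running the upgrade commands above it helps to know which lists are actually still on the legacy filter. The following is an added example (not from the original post) that reports address lists, global address lists and e-mail address policies whose RecipientFilterType is still Legacy, then previews one of the upgrades with -WhatIf. It assumes it is run from an Exchange 2007/2010 Management Shell.

```powershell
# Added example (not from the original post): list what has not been upgraded yet
# and preview a single upgrade before changing anything. Assumes an Exchange
# Management Shell session (Get-AddressList and friends are Exchange cmdlets).
function Get-LegacyAddressLists {
    # RecipientFilterType stays 'Legacy' until the list is re-stamped with an
    # OPATH filter by Set-AddressList / Set-GlobalAddressList / Set-EmailAddressPolicy.
    $lists = @()
    $lists += Get-AddressList        | Where-Object { $_.RecipientFilterType -eq 'Legacy' }
    $lists += Get-GlobalAddressList  | Where-Object { $_.RecipientFilterType -eq 'Legacy' }
    $lists += Get-EmailAddressPolicy | Where-Object { $_.RecipientFilterType -eq 'Legacy' }
    # LdapRecipientFilter shows the old LDAP filter so you can see what the new OPATH filter must match.
    return $lists | Select-Object Name, RecipientFilterType, LdapRecipientFilter
}

# Report first, then preview one upgrade with -WhatIf; drop -WhatIf to apply it.
Get-LegacyAddressLists | Format-Table -AutoSize
Set-AddressList 'All Users' -IncludedRecipients MailboxUsers -WhatIf
```

Custom address lists will show up here too; they need a hand-written OPATH filter rather than one of the -IncludedRecipients presets used for the default lists.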

OAB is not moved or upgraded

  • From Powershell: Move-OfflineAddressBook -Identity <OfflineAddressBookIdParameter> -Server <ServerIdParameter>

Quick and Easy Remote ExchangePowerShell


  1. Configure the PowerShell virtual directory with basic auth
  2. Forward 443 through your firewall (or publish with ISA)
  3. Copy this script, change the FQDN to match your server and save as RemoteExchange.ps1
      $UserCredential = Get-Credential
      $pso = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://FQDN/powershell -Credential $UserCredential -Authentication Basic -SessionOption $pso
      Import-PSSession $Session
  4. Open PowerShell and run the script ./RemoteExchange.ps1
  5. Disconnect with Remove-PSSession $Session

Note: this script skips certificate validation (CA, common name and revocation checks), so only use it if you can trust the server you are connecting to!

You may need to set the Powershell Execution Policy so you can run the scripts

Set-ExecutionPolicy Unrestricted or Set-ExecutionPolicy RemoteSigned

*Note: you do have to enable remote PowerShell access for the user

Problem logging into OWA after installing Exchange 2010


(UPDATE: This is resolved by Exchange RU9)

Do you still have Exchange 2007 and 2010 coexisting in the same environment, and after you installed 2010 some users couldn't access OWA anymore?

You're getting this error:

"The mailbox you're trying to access isn't currently available. If the problem continues, contact your helpdesk"

AND in the application event log you have an Event ID 46 from source MSExchange OWA

The issue may be that you are trying to use the CAS 2010 to CAS 2007 proxy and you don't have the correct files on the 2010 server.

To resolve

1. From the 2007 Exchange server copy the following folder to 2010:

      \Program Files\Microsoft\Exchange Server\Client Access\Owa\8.x.xxx.x

Copy the highest numbered 8.x.xxx.x folder to the Exchange 2010 Client Access server:

      \Program Files\Microsoft\Exchange Server\V14\Client Access\Owa

The 2010 OWA directory should then contain the copied 8.x.xxx.x folder.

2. Then run IISRESET from an elevated command prompt

SBS 2008 and RU3 and Outlook Repeat Login Prompt


UPDATE Exchange RU9 is supposed to fix this

On Small Business Server 2008 we have seen that if you install RU3 you may start getting repeatedly prompted for login credentials when opening Outlook.

I believe that is because of some additional NTLM security that is put in place, which I believe is included with RU3, based on this blurb in the update documentation:

“After you install this update, the authentication mode that is set for the Web site at http://companyweb changes from the NTLM authentication to the Kerberos authentication. The reason this change occurs is because we recommend that you use the Kerberos authentication instead of the NTLM authentication.”

The solution I found so far was:

  1. Remove RU3 for now.
  2. Re-apply Windows Authentication on the EWS, OAB, and Autodiscover virtual directories
    1. Open Internet Information Services (IIS) Manager
    2. Expand the Server -> Sites -> SBS Web Applications
    3. Click on autodiscover -> Authentication
    4. Windows Authentication -> Disable -> Enable
    5. Repeat for the OAB and EWS virtual directories
  3. Restart the server

Note: It may be necessary to add the root Exchange URL to the "Local intranet" sites on the clients

Tools -> Internet options -> security tab -> Local Intranet -> Sites -> advanced -> add -> https://remote.domain.com


Mail Flow Troubleshooting


Mail flow issues should be troubleshot by first determining in which direction the issue occurs:

  • Internal to Internal
  • Internal to External
  • External to Internal

MX Record - You need to make sure that the MX record for your domain points to a host (A) record that points to your IP

Example (purely theoretical): if my IP was 65.55.88.22 and my domain is Domain.com then my MX should look something like this

Domain      Pref  Hostname         IP Address    TTL
Domain.com  10    mail.domain.com  254.63.63.63  60

Services

Make sure the services are running (in order 2003, 2007, 2010)


Firewall

Email uses port 25 (SMTP) primarily for mail flow; you need to be sure that port 25 is forwarded through your firewall to the Exchange server.
You can test with MXtoolbox.com or the manual SMTP test (below) to verify that you can get to the mail server.

Accepted domains

In order to receive mail for a domain name you need to have that name listed in the accepted domains (2007\2010)


Email Address Policy (2007\2010)

In addition to the accepted domains, your users need an address in that domain stamped on them; to do that you need to add the domain to the Email Address Policy

(Left is 2010\2007, Right is 2003)

Next -> Next -> Finish

Active directory lookups

Make sure you can access a Global catalog Domain controller in your site

Also make sure that replication is ok between servers
(Active Directory Sites and Services -> Site Name -> Servers -> ServerName -> NTDS Settings -> Right click the connection in the right window and choose "Replicate Now")

Manual SMTP Testing (the lines you type are the ones without a numeric reply code; lines starting with 220, 250 or 354 are the server's replies)

Click Start -> run -> CMD (enter)

telnet mail.domain.com 25
220 mail.domain.com Microsoft ESMTP MAIL Service ready at Sat, 19 Dec 2009 15:57:35 -0600
ehlo domain.com
250-mail.domain.com Hello [192.168.3.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST
mail from: me@domain.com
250 2.1.0 Sender OK
rcpt to: administrator@domain.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
this is a test
.
250 2.6.0 <f23d11e3-fcac-4033-8450-9f1b5451430c@mail.domain.com> Queued mail for delivery
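The telnet session above is easy to get wrong by hand (a mistyped command leaves you guessing whether the failure is the server or the typing). The following added example, not from the original post, scripts the same exchange in PowerShell: it reads the banner, sends EHLO, records whether STARTTLS and AUTH are offered, then checks that MAIL FROM and RCPT TO are accepted and QUITs without sending a message. The server, HELO name, sender and recipient are placeholders taken from the session above.

```powershell
# Added example (not from the original post): the manual SMTP test scripted, with
# each reply code checked. No message is queued; the session ends after RCPT TO.
function Test-SmtpMailFlow {
    param(
        [string]$Server   = 'mail.domain.com',            # placeholder
        [int]$Port        = 25,
        [string]$HeloName = 'domain.com',                 # placeholder
        [string]$From     = 'me@domain.com',              # placeholder
        [string]$To       = 'administrator@domain.com'    # placeholder
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"    # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Read one complete reply. Multi-line replies use "250-" continuation lines
    # and finish with "250 " (space in the fourth column).
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null) { throw "Connection closed by $Server" }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        return $lines
    }
    # Send a command and stop at the first reply that is not the expected code.
    function Send-Command([string]$cmd, [string]$expectCode) {
        $writer.WriteLine($cmd)
        $reply = Read-Reply
        Write-Host ("C: {0}`nS: {1}" -f $cmd, ($reply -join "`n   "))
        if (-not $reply[-1].StartsWith($expectCode)) {
            throw "Expected $expectCode after '$cmd' but got: $($reply[-1])"
        }
        return $reply
    }

    try {
        $banner = Read-Reply
        Write-Host ("S: {0}" -f ($banner -join "`n   "))
        if (-not $banner[0].StartsWith('220')) { throw "Unexpected banner: $($banner[0])" }

        $ehlo = Send-Command "EHLO $HeloName" '250'
        # Strip the "250-" / "250 " prefix to get the advertised capabilities.
        $caps = $ehlo | ForEach-Object { $_.Substring(4) }
        Write-Host ("STARTTLS offered: {0}; AUTH offered: {1}" -f ($caps -contains 'STARTTLS'), [bool]($caps -match '^AUTH '))

        Send-Command "MAIL FROM:<$From>" '250' | Out-Null
        # 250 here means the server accepts mail for the recipient (accepted domain
        # present and the address stamped on a recipient). A 550 points at those two.
        Send-Command "RCPT TO:<$To>" '250' | Out-Null
        Send-Command 'QUIT' '221' | Out-Null
        return $true
    }
    finally {
        $reader.Dispose(); $writer.Dispose(); $client.Close()
    }
}

Test-SmtpMailFlow -Server 'mail.domain.com' -To 'administrator@domain.com'
```

Run it from outside the network to test External to Internal, and from an internal workstation against the Hub Transport server to test Internal to Internal; a timeout on Connect is the firewall or MX problem from the sections above, while a reply other than 250 to RCPT TO is an accepted-domain or address-policy problem.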

Problem after deleting legacy exchange administrative group


To start with, you generally do not want to delete it, but if you already did... Start ADSI Edit. In the CN=Configuration container, locate the following container:

CN=Services,CN=Microsoft Exchange,CN=ORGANIZATION,CN=Administrative Groups,CN=administrative_group,

Now we were missing the ‘Folder Hierarchies’ folder – All we have to do is recreate it as follows:
Create the “Folder Hierarchies” under the Exchange Administrative Group

1. Right click on Exchange Administrative Group
2. Select New Object
3. Select msExchPublicFolderTreeContainer for the class and click Next
4. Enter the following for the value: Folder Hierarchies, click Next
5. Click Finish

Create Public Folder Tree Object

1. Right click CN=Folder Hierarchies -> New Object
2. Select msExchPFTree for the class
3. For the value enter "Public Folders" and click Next
4. Click the "More Attributes" button, select msExchPFTreeType and set the value to 1. Note: it is very important that this value is set to 1, as this tells Exchange that this is a MAPI tree
5. Click OK and then Finish

Populate the msExchOwningPFTreeBL attribute of the PF stores in the organization (since this attribute is not directly editable, you have to follow the steps below for each PF store)

1. Get properties of the newly created "Public Folders" tree object in ADSI Edit.
2. Copy the distinguishedName value to the clipboard and then click Cancel.
3. Navigate to the storage group that contains the Public Folder Store for this server and get properties of the store database.
4. Locate the msExchOwningPFTree attribute and paste in the value that was copied to the clipboard in step 2. Click OK.
5. Restart the Information Store service

Set permissions on the Public Folders

  1. Start ADSI Edit. In the CN=Configuration container, locate the following container:
    • CN=Services,CN=Microsoft Exchange,CN=ORGANIZATION,CN=Administrative Groups,CN=administrative_group,CN=Folder Hierarchies,CN=Public Folders
    • Note In this container, ORGANIZATION is the name of the Exchange Server organization and administrative_group is the name of your administrative group.
  2. Right-click CN=Public Folders, and then click Properties.
  3. Click the Security tab.
  4. Make sure that the Allow inheritable permissions from parent to propagate to this object check box is selected.
  5. Make sure that the Everyone group has the following Allow permissions:
    • Create named properties in the information store
    • Create public folder
    • Create top level public folder
    • If the Allow inheritable permissions from parent to propagate to this object check box is selected, the Everyone group should already have these permissions. Make sure that the Deny check boxes are not selected.
  6. Now try to mount the PF store and see if we can access it fine now.
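Before mounting the store it is worth confirming that the objects above were recreated correctly. The following is an added example, not from the original post: a read-only PowerShell check that searches the configuration partition for msExchPFTree objects, confirms one has msExchPFTreeType = 1, and then verifies that every public folder store (objectClass msExchPublicMDB, which is an assumption about the store class) has msExchOwningPFTree pointing at that tree. It needs an account that can read the Exchange configuration container and modifies nothing.

```powershell
# Added example (not from the original post): verify the Folder Hierarchies / Public
# Folders tree and the msExchOwningPFTree link on each PF store. Read-only.
function Test-PublicFolderHierarchy {
    # First value of an attribute on a search result, or $null if it is absent.
    function Get-FirstValue($result, [string]$attr) {
        $values = $result.Properties[$attr]
        if ($values -and $values.Count -gt 0) { return $values[0] }
        return $null
    }

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configDn = $rootDse.Get('configurationNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Services,$configDn"
    $searcher.PageSize   = 500

    # 1. The MAPI tree: an msExchPFTree object whose msExchPFTreeType is 1.
    $searcher.Filter = '(objectClass=msExchPFTree)'
    $mapiTree = $null
    foreach ($t in $searcher.FindAll()) {
        $dn   = Get-FirstValue $t 'distinguishedname'
        $type = Get-FirstValue $t 'msexchpftreetype'
        Write-Host ("Tree: {0}  msExchPFTreeType={1}" -f $dn, $type)
        if ($type -eq 1) { $mapiTree = $dn }
    }
    if (-not $mapiTree) {
        Write-Warning 'No msExchPFTree object with msExchPFTreeType=1 found; the MAPI tree is missing.'
        return $false
    }

    # 2. Every public folder store must reference that tree via msExchOwningPFTree.
    # objectClass msExchPublicMDB for the store is an assumption of this example.
    $searcher.Filter = '(objectClass=msExchPublicMDB)'
    $ok = $true
    foreach ($store in $searcher.FindAll()) {
        $name   = Get-FirstValue $store 'name'
        $owning = Get-FirstValue $store 'msexchowningpftree'
        if ($owning -ne $mapiTree) {
            Write-Warning ("PF store '{0}': msExchOwningPFTree is '{1}', expected '{2}'" -f $name, $owning, $mapiTree)
            $ok = $false
        } else {
            Write-Host ("PF store '{0}' is owned by the MAPI tree: OK" -f $name)
        }
    }
    return $ok
}

Test-PublicFolderHierarchy
```

If the function returns $false, the warning tells you which of the two manual steps (tree type, or owning-tree link on a store) still needs doing before restarting the Information Store.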

Exchange Prerequisites Scripts


Exchange 2010 on windows 2008 R2

Copy this to a notepad and save with a .ps1 extension to install pre-req, run From elevated Powershell prompt  – Kudos to Anderson Patricio for the script

or you can get the version that downloads the filter pack from Bhargav

You also need to set the Powershell Execution Policy so you can run the scripts

Set-ExecutionPolicy Unrestricted or Set-ExecutionPolicy RemoteSigned

Clear-Host
Write-Host
Write-Host 'Exchange Server 2010 - Pre-requisites script'
Write-Host 'Please, select which role you are going to install..'
Write-Host
Write-Host '1) Hub Transport'
Write-Host '2) Client Access Server'
Write-Host '3) Mailbox'
Write-Host '4) Unified Messaging'
Write-Host '5) Edge'
Write-Host '6) Typical (CAS/HUB/Mailbox)'
Write-Host '7) Client Access and Hub Transport'
Write-Host
Write-Host '9) Configure NetTCP Port Sharing service'
Write-Host '10) Install 2007 Office System Converter: Microsoft Filter Pack - Only if you are installing Hub or Mailbox Server role'
Write-Host
Write-Host '13) Restart the computer'
Write-Host
Write-Host
Write-Host 'Select an option.. [1-13]? '
$opt = Read-Host

# Add-WindowsFeature comes from the ServerManager module on Windows 2008 R2
Import-Module ServerManager

switch ($opt)
    {
        1 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server }
        2 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy }
        3 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server }
        4 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience }
        5 { Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS }
        6 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy }
        7 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy }
        9 { Set-Service NetTcpPortSharing -StartupType Automatic }
        10 { Write-Warning 'Download it from here: http://tinyurl.com/36yrlj' }
        13 { Restart-Computer }
        default { Write-Host "You haven't selected any of the available options." }
    }

Exchange 2010 on windows 2008 R1

Dejan Foro has made a script to install 2010 on 2008 R1

Exchange 2007 on windows 2008 R1

Simon Gallagher has a script for 2k7/R1

Exchange 2007 on windows 2003

Still have to do it manually 😦

MS KBS with prerequisite info

Exchange 2007\2010 Database Replication issues – Re-seed


Database replication problems can be caused by many things

  • Hardware Failure
  • Network Outage
  • Administrative Change
  • Log Corruption

If you have replication issues this WILL cause problems in moving over the active node of your cluster; that is one reason it is very important you do not use Cluster Administrator to perform the move but rather use either EMC or EMS.

EMS Process = Move-ClusteredMailboxServer -Identity ClusterName -TargetMachine Node2 (2007)
              Move-ActiveMailboxDatabase -Identity "Mailbox Database" -ActivateOnServer Node2 (2010)
EMC Process =
Server Configuration -> Mailbox -> Right Click ServerName -> Manage Clustered Mailbox Server -> browse for server -> Next -> Move (2007)
Organization Configuration -> Mailbox -> Database Management -> Right Click Database -> Move Active Mailbox Database -> browse for server -> OK -> Move (2010)

If you suspect you have a replication issue, or you did but have now resolved the problem and are ready to "re-seed" your databases, here is the process

EMS Process = Open Exchange Management Shell ON the PASSIVE NODE

  1. First verify that the database is not replicating correctly:
    Get-StorageGroupCopyStatus (2007) or Get-MailboxDatabaseCopyStatus (2010)
    If the state is other than Healthy or the numbers for the queues are increasing then you have a replication issue.
    CopyQueueLength (logs queuing up to be sent to the passive node)
    ReplayQueueLength (logs queuing up to be replayed into the passive node database)

  2. To re-seed a database (remove all the passive contents and re-copy)
    • On the PASSIVE node first suspend the storage group in question
      Suspend-StorageGroupCopy -Identity clustername\storagegroup (2007)
      Suspend-MailboxDatabaseCopy -Identity databasename\servername (2010)
      then force an update, removing the old data on the passive node
      Update-StorageGroupCopy -Identity clustername\storagegroup -DeleteExistingFiles (2007)
      Update-MailboxDatabaseCopy -Identity databasename\servername -DeleteExistingFiles (2010)
      Or if you just want to reseed the entire server (2007)
      • Get-StorageGroup -Server clustername | Suspend-StorageGroupCopy
      • Get-StorageGroup -Server clustername | Update-StorageGroupCopy -DeleteExistingFiles
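Step 1 says a copy is in trouble when its state is not Healthy or its queues keep growing; a single snapshot cannot show "growing". The following added example, not from the original post, applies that rule to two polls of Get-MailboxDatabaseCopyStatus taken a few minutes apart and prints the step 2 reseed commands for each flagged copy instead of running them. The cmdlet and property names are the Exchange 2010 ones; the two sample polls are constructed so the logic can be tried without a server.

```powershell
# Added example (not from the original post): compare two polls of copy status and
# flag copies whose state is not Healthy or whose queues grew between polls.
function Find-UnhealthyCopies {
    param(
        [object[]]$First,    # objects with Name, Status, CopyQueueLength, ReplayQueueLength
        [object[]]$Second    # the same copies, polled later
    )
    $flagged = @()
    foreach ($later in $Second) {
        $earlier = $First | Where-Object { $_.Name -eq $later.Name }
        $reasons = @()
        if ($later.Status -ne 'Healthy') { $reasons += "status is $($later.Status)" }
        if ($earlier -and $later.CopyQueueLength -gt $earlier.CopyQueueLength) {
            $reasons += "copy queue grew $($earlier.CopyQueueLength) -> $($later.CopyQueueLength)"
        }
        if ($earlier -and $later.ReplayQueueLength -gt $earlier.ReplayQueueLength) {
            $reasons += "replay queue grew $($earlier.ReplayQueueLength) -> $($later.ReplayQueueLength)"
        }
        if ($reasons.Count -gt 0) {
            $flagged += New-Object PSObject -Property @{ Name = $later.Name; Reasons = ($reasons -join '; ') }
        }
    }
    return $flagged
}

# Live use, on the passive node:
#   $poll1 = Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME; Start-Sleep -Seconds 300
#   $poll2 = Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME
# Constructed sample polls (not real output) exercising all three outcomes:
$poll1 = @(
    New-Object PSObject -Property @{ Name = 'DB1\MBX2'; Status = 'Healthy'; CopyQueueLength = 0;   ReplayQueueLength = 2 }
    New-Object PSObject -Property @{ Name = 'DB2\MBX2'; Status = 'Healthy'; CopyQueueLength = 40;  ReplayQueueLength = 10 }
    New-Object PSObject -Property @{ Name = 'DB3\MBX2'; Status = 'Failed';  CopyQueueLength = 0;   ReplayQueueLength = 0 }
)
$poll2 = @(
    New-Object PSObject -Property @{ Name = 'DB1\MBX2'; Status = 'Healthy'; CopyQueueLength = 0;   ReplayQueueLength = 0 }
    New-Object PSObject -Property @{ Name = 'DB2\MBX2'; Status = 'Healthy'; CopyQueueLength = 310; ReplayQueueLength = 12 }
    New-Object PSObject -Property @{ Name = 'DB3\MBX2'; Status = 'Failed';  CopyQueueLength = 0;   ReplayQueueLength = 0 }
)

foreach ($copy in Find-UnhealthyCopies -First $poll1 -Second $poll2) {
    Write-Host ("{0}: {1}" -f $copy.Name, $copy.Reasons)
    # The reseed from step 2, printed for review rather than executed.
    Write-Host "  Suspend-MailboxDatabaseCopy -Identity '$($copy.Name)'"
    Write-Host "  Update-MailboxDatabaseCopy  -Identity '$($copy.Name)' -DeleteExistingFiles"
}
```

With the sample data DB1 is quiet, DB2 is flagged for both queues growing and DB3 for its Failed state; a growing replay queue alone is often just a busy passive node, so check the copy queue and the state together before reseeding.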

EMC Process = Open Exchange Management Console on the PASSIVE NODE

  1. Server Configuration -> Mailbox -> Select Cluster -> Right Click Storage Group -> Suspend Storage Group Copy (2007)
    Organization Configuration -> Mailbox -> Database Management -> Right Click Database Copy -> Suspend Database Copy (2010)
  2. Server Configuration -> Mailbox -> Select Cluster -> Right Click Storage Group -> Update Storage Group Copy -> check "Delete Existing" -> Next -> Update (2007)
    Organization Configuration -> Mailbox -> Database Management -> Right Click Database Copy -> Update Database Copy -> Update (2010)


Glossary
EMS = Exchange Management Shell
EMC = Exchange Management Console

How to reinstall a dynamic DNS Active Directory-integrated zone


Info based on KB294328 and revamped for 2003 and 2008

The following steps can remove the defective information in Active Directory-integrated DNS:

  1. Go to the properties of the DNS zone files and change them to be a “Standard Primary”. (on 2008 un check the Box “Store the Zone in active directory”)
  2. In the %SystemRoot%\System32\DNS folder, delete the text DNS zone files.
  3. Delete the object in Active Directory Users and Computers.
  4. On the View menu, click Advanced Features, expand the System folder, click MicrosoftDNS, and then delete the zone file objects. (they may not exist here and that is OK)
  5. For each Active Directory-integrated DNS server, repeat steps 1-3.
  6. In the Transmission Control Protocol/Internet Protocol (TCP/IP) properties of the first Active Directory-integrated DNS server, point it to itself. For any other DNS servers, point all of them to the first DNS server that you bring up.
    NOTE: Do not change the properties of any additional Active Directory-integrated DNS servers to point to themselves until you have confirmed that a full and complete zone transfer has occurred from the first Active Directory-integrated DNS server after the rebuild process.
  7. To obtain proper resolution, you must clear the Caching Resolver, which is the DNS client on the DNS server. At the command prompt, type: ipconfig /flushdns.
  8. Remove and re-add the DNS service (Add/Remove Programs -> Windows Components -> Networking Services),
  9. In the DNS Server under the forward lookup Zones right click the domain (i.e. my domain.com) and the _msdcs Zones and select delete. (this will remove all static and stale data and allow DNS to re-generate Dynamic Data)
  10. Now Re-create the zone you deleted (ie mydomain.local)
  11. Stop and restart DNS and the NetLogon service.
    NOTE: You can use the net stop netlogon command and the net start netlogon command for the NetLogon service that registers information in DNS. Also, you can use the net stop dns and net start dns commands (to stop and start the DNS service) if DNS has not been totally removed. Or, you can stop and start the NetLogon service and the DNS service in Control Panel, in Services, or you can restart the computer.
You have completed the process to clear out a DNS server.
You must complete the process for any additional DNS servers that you plan to integrate with Active Directory.
The following steps can assist you to build a strong foundation for DNS, Active Directory, and FRS:
  1. Configure all DNS servers to point to the same DNS server in the domain or forest under TCP/IP properties in DNS: Right-click My Network Places, click Local Area Connection, right-click Local Area Connection, click Properties, select the properties of TCP/IP, and then point all DNS servers to the same DNS server. Also, click the Advanced DNS tab, and then confirm that secondary DNS servers are not configured.
  2. Re-add the DNS service, or re-add the zones and configure them to be Active Directory integrated. For troubleshooting purposes, you may want to set “Allow Dynamic Updates?” to Yes. Later, you can change this setting to “Allow Only Secure Updates”.
  3. Stop the DNS service and the NetLogon service by using either a command or the Computer Management snap-in.
  4. Run the ipconfig /flushdns command, and then run the ipconfig /registerdns command. This command can help you to register your A resource record for DNS as well as your start of authority (SOA). You may want to run this command on any other servers that are critical to you.
    NOTE: The Dynamic Host Configuration Protocol (DHCP) client service needs to be running on each of these computers to register the records in Dynamic DNS. It is not relevant if the computer is a DHCP client or not. You must have this service set to “start” and the “Start up” type set to “automatic.” The DHCP client service is what registers records in Dynamic DNS. (Refer to the description in the Computer Management snap-in.)
  5. Active Directory-integrated DNS is now working on your first Dynamic DNS server. You must point additional Dynamic DNS servers to the first DNS server under TCP/IP properties. You must confirm that a full and complete replication process has occurred before you change the TCP/IP properties to point to itself for any additional DNS servers.
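Step 1 of the "strong foundation" list is the one most often left half done: one server still lists itself or a decommissioned DNS server first. The following added example, not from the original post, reads the DNS server search order of every IP-enabled adapter on a list of servers through WMI (which works on 2003 and 2008) and flags any adapter whose first DNS server is not the expected one. The server names and the expected address are placeholders.

```powershell
# Added example (not from the original post): confirm every server points at the
# same primary DNS server, as the foundation steps above require. Read-only.
function Test-DnsClientSettings {
    param(
        [string[]]$Servers,         # computers to inspect (placeholders below)
        [string]$ExpectedPrimary    # the IP they should all list first
    )
    $results = @()
    foreach ($s in $Servers) {
        $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $s -Filter 'IPEnabled = True'
        foreach ($nic in $nics) {
            # DNSServerSearchOrder is $null when no DNS server is set; normalise to an array.
            $order = @($nic.DNSServerSearchOrder | Where-Object { $_ })
            $results += New-Object PSObject -Property @{
                Server   = $s
                Adapter  = $nic.Description
                DnsOrder = ($order -join ', ')
                OK       = ($order.Count -gt 0 -and $order[0] -eq $ExpectedPrimary)
            }
        }
    }
    return $results
}

# Placeholder names and address; the first DNS server you rebuilt is the expected primary.
Test-DnsClientSettings -Servers 'DC1', 'DC2' -ExpectedPrimary '192.168.3.10' |
    Format-Table Server, Adapter, DnsOrder, OK -AutoSize
```

Any row with OK = False is a server to fix in TCP/IP properties before you let it point at itself, which the NOTE in step 6 says to do only after the first full zone transfer.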

Recipients Creation Script For Exchange 2010 or 2007


I have been building labs constantly and found that I needed a way to quickly populate my Exchange environments with users. Here is the PowerShell script I use

1. Save the following as Provisionusers.ps1

$Password = Read-Host "Enter Password" -AsSecureString
Import-Csv CreateRecipients.csv | ForEach-Object { New-Mailbox -Alias $_.Name -Name $_.Name -UserPrincipalName $_.UserPrincipalName -Database $_.Database -OrganizationalUnit $_.OrganizationalUnit -LastName $_.LastName -FirstName $_.FirstName -Password $Password }

2. Save this as CreateRecipients.csv

Database,UserPrincipalName,OrganizationalUnit,Name,LastName,FirstName
Mailbox Database 1936175296,user1@domain.com,Domain.local/Lab Users/OU1,User1,Last1,First1
2k3server\First Storage Group\Mailbox Store (2k3server),user2@domain.com,Domain.local/Lab Users/OU2,User2,Last2,First2
2k7Server\First Storage Group\Mailbox Database,user3@domain.com,Domain.local/Lab Users/OU3,User3,Last3,First3

3. Edit the csv file with the users you want to load

4. Open Exchange Powershell and CD to the directory where the files are saved, and then type ./Provisionusers.ps1, it will prompt you for a password, this is the default password that will be used.
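Because the one-liner calls New-Mailbox once per row, a bad row (empty column, duplicate UPN, a Name that is not a valid alias) fails part way through and leaves some mailboxes created and some not. The following added example, not from the original post, validates CreateRecipients.csv before Provisionusers.ps1 is run. It uses the column names from the CSV above; the alias check is stricter than Exchange itself (only letters, digits, dot, underscore and hyphen) and is an assumption of this example.

```powershell
# Added example (not from the original post): validate the CSV before provisioning.
function Test-RecipientCsv {
    param([string]$Path = 'CreateRecipients.csv')
    $required = 'Database', 'UserPrincipalName', 'OrganizationalUnit', 'Name', 'LastName', 'FirstName'
    $rows = @(Import-Csv $Path)
    $problems = @()
    if ($rows.Count -eq 0) { return @('no rows found in CSV') }

    # Every required column must exist in the header.
    $columns = @($rows[0] | Get-Member -MemberType NoteProperty | ForEach-Object { $_.Name })
    foreach ($c in $required) {
        if ($columns -notcontains $c) { $problems += "missing column '$c'" }
    }

    $seenUpn = @{}
    $line = 1   # header is line 1
    foreach ($r in $rows) {
        $line++
        foreach ($c in $required) {
            if ([string]::IsNullOrEmpty($r.$c)) { $problems += "line ${line}: empty '$c'" }
        }
        # UPNs must look like user@domain and be unique in the file.
        $upn = [string]$r.UserPrincipalName
        if ($upn -notmatch '^[^@\s]+@[^@\s]+$') {
            $problems += "line ${line}: UPN '$upn' is not user@domain"
        } elseif ($seenUpn.ContainsKey($upn.ToLower())) {
            $problems += "line ${line}: duplicate UPN '$upn' (first seen on line $($seenUpn[$upn.ToLower()]))"
        } else {
            $seenUpn[$upn.ToLower()] = $line
        }
        # The script uses Name as the alias; New-Mailbox rejects spaces there.
        # This check is stricter than Exchange (assumption of this example).
        if ([string]$r.Name -notmatch '^[A-Za-z0-9._-]+$') {
            $problems += "line ${line}: Name '$($r.Name)' is not usable as an alias"
        }
    }
    return $problems
}

$issues = @(Test-RecipientCsv -Path 'CreateRecipients.csv')
if ($issues.Count -eq 0) {
    Write-Host 'CSV looks good; run .\Provisionusers.ps1'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it from the same directory as the CSV; with the sample file above (one UPN per user) it reports nothing, and if two rows share a UPN it names both line numbers.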

Note: You may have to change the Powershell Security policy
Set-ExecutionPolicy Unrestricted or Set-ExecutionPolicy RemoteSigned

Mail Box Creation parameters http://technet.microsoft.com/en-us/library/aa997663.aspx
Thanks for the info Bharat to get me going