Exchange Server 2010 Portable Command Guide: MCTS 70-662 and MCITP 70-663
Richard Robb Darril Gibson
Pearson Certification
800 East 96th Street
Indianapolis, Indiana
46240
USA
Copyright © 2011 by Pearson Education, Inc. All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7897-4736-5
ISBN-10: 0-7897-4736-7
Library of Congress Cataloging-in-Publication data is on file.
Printed in the United States of America
First Printing: June 2011
Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.
Bulk Sales
Pearson Certification offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact
U.S. Corporate and Government Sales
1-800-382-3419
For sales outside the United States, please contact
International Sales
Associate Publisher Dave Dusthimer
Acquisitions Editor Betsy Brown
Development Editor Box Twelve Communications, Inc.
Series Editor Scott Empson
Managing Editor Sandra Schroeder
Senior Project Editor Tonya Simpson
Copy Editor Bart Reed
Proofreader Leslie Joseph
Technical Editor Brien Posey
Publishing Coordinator Vanessa Evans
Book Designer Gary Adair
Compositor Bronkella Publishing
Contents at a Glance
Introduction
Part I: An Overview of Windows PowerShell 2.0 for Exchange 2010
CHAPTER 1 New Features and the Exchange Management Shell
CHAPTER 2 Basic Techniques
Part II: Achieving a Comfort Level with PowerShell
CHAPTER 3 Advanced Techniques
CHAPTER 4 Customizing the PowerShell Environment
Part III: PowerShell and the Exchange 2010 Deployment Process
CHAPTER 5 Standard Deployments
CHAPTER 6 Disaster Recovery Deployments
Part IV: PowerShell and Recipient Objects
CHAPTER 7 Working with Recipient Objects
CHAPTER 8 Bulk Management of Recipients
Part V: PowerShell and the Transport Roles Message Routing
CHAPTER 9 The Hub Transport Role
CHAPTER 10 The Edge Transport Role
CHAPTER 11 Configuring Rules and Agents on Transport Servers
Part VI: PowerShell and the Client Access Server Role
CHAPTER 12 CAS Services
CHAPTER 13 Working with Certificates
Part VII: PowerShell and the Mailbox Role
CHAPTER 14 Mailbox Servers and Databases
CHAPTER 15 Working with Mailboxes
CHAPTER 16 Using the Recovery Database (RDB)
Part VIII: PowerShell and the Unified Messaging Role
CHAPTER 17 Working with Unified Messaging (UM) Role Objects
CHAPTER 18 Managing Unified Messaging (UM) Users
Part IX: PowerShell and Message Routing
CHAPTER 19 Exchange Server 2010 Message Routing
CHAPTER 20 Integrating Exchange Server 2010 into an Existing Exchange Server 2003 Environment
Part X: PowerShell and High Availability in Exchange 2010
CHAPTER 21 Database Availability Groups (DAGs)
CHAPTER 22 Mailbox Database Copies
CHAPTER 23 Using DAG to Mitigate Failures
CHAPTER 24 Monitoring Highly Available Databases
Part XI: PowerShell and Public Folders
CHAPTER 25 Public Folder Database Management
CHAPTER 26 Managing Public Folders
CHAPTER 27 Public Folder Permissions
Part XII: Troubleshoot Exchange Server 2010 Using PowerShell
CHAPTER 28 Troubleshooting with the Test Cmdlets
CHAPTER 29 Event Logging with PowerShell
Part XIII: PowerShell and Automating Exchange Server 2010 Administration
CHAPTER 30 Using and Finding Scripts to Automate
Part XIV: Monitoring Role-Based Access Control (RBAC) Permissions, Mailbox Audit Logging, and Reporting with PowerShell in Exchange Server 2010
CHAPTER 31 Configuring Role-Based Access Control (RBAC) Permissions
CHAPTER 32 Using Mailbox Audit Logging to Monitor Exchange Server
CHAPTER 33 Reporting and Other Useful Cmdlets
APPENDIX A Lab Environment Used for This Book
APPENDIX B Create Your Own Journal Here
Table of Contents
Introduction
Part I: An Overview of Windows PowerShell 2.0 for Exchange 2010
CHAPTER 1 New Features and the Exchange Management Shell
What’s New in PowerShell 2.0
What Is a Cmdlet?
The Exchange Management Shell
CHAPTER 2 Basic Techniques
Using the GUI
Understanding the Basic Syntax of a cmdlet
Basic Syntax: Some Common Cmdlets Using the Get Verb
Basic Syntax: Some Common Parameters
Finding the Right Cmdlet
Finding Help for the Right Cmdlet
What’s Included in Each Version of Help
Using the Tab Completion Feature
Part II: Achieving a Comfort Level with PowerShell
CHAPTER 3 Advanced Techniques
Working with Pipelines
Running Programs
Creating and Running Scripts
Registry Modifications with PowerShell
Understanding Quotes
CHAPTER 4 Customizing the PowerShell Environment
Creating and Using PowerShell Profiles
Using Built-in Aliases
Working with User-Defined Aliases
Filtering Output
Formatting Output
Part III: PowerShell and the Exchange 2010 Deployment Process
CHAPTER 5 Standard Deployments
Deploying Prerequisites for All Versions of Exchange Server 2010 on Windows Server 2008 Operating Systems
Deploying Prerequisites for Exchange Server 2010 RTM (Release-to-Manufacturing) on Windows Server 2008 SP2
Deploying Prerequisites for Exchange Server 2010 RTM on Windows Server 2008 SP2
Deploying Prerequisites for Exchange Server 2010 RTM on Windows Server 2008 R2
Deploying Prerequisites for Exchange Server 2010 SP1 on Windows Server 2008 R2
Setup Options for Exchange Server 2010 RTM
Upgrading from Exchange Server 2010 RTM to SP1
Using the Exchange 2010 Deployment Assistant
CHAPTER 6 Disaster Recovery Deployments
Recovering from a Single Role Failure
Recovering from a Multiple-Role Failure on the Same Server
Recovering from a Database Availability Group (DAG) Member Server Failure
Part IV: PowerShell and Recipient Objects
CHAPTER 7 Working with Recipient Objects
Identifying the Exchange 2010 Recipient Types
Creating and Managing a User Mailbox
Creating and Managing a Mail-Enabled User
Creating and Managing a Mail-Enabled Contact
Creating and Managing Resource Mailboxes
Working with Distribution Groups
Converting Recipient Types
Creating and Managing Email Address Policies
Creating and Managing Address Lists
CHAPTER 8 Bulk Management of Recipients
Creating Multiple Recipients
Modifying Multiple Recipients
Reconnecting Multiple Disconnected Mailboxes
Part V: PowerShell and the Transport Roles Message Routing
CHAPTER 9 The Hub Transport Role
Configuring Accepted and Remote Domains
Get-AcceptedDomain
New-AcceptedDomain
Set-AcceptedDomain
Remove-AcceptedDomain
Get-RemoteDomain
New-RemoteDomain
Set-RemoteDomain
Managing Email Address Policies
Working with SMTP Connectors and Other Transport Objects
Send Connectors
Receive Connectors
Other Transport Cmdlets
Working with Routing Group Connectors
Managing Transport Queues
CHAPTER 10 The Edge Transport Role
Creating an Edge Subscription
Edge Synchronization
Cloning an Edge Transport
Address Rewriting
CHAPTER 11 Configuring Rules and Agents on Transport Servers
Transport Rules and Transport Agents
Transport Rules
Transport Agents
Journaling Rules and Journaling Agents
Journaling Rules
Journaling Agents
Anti-Spam Agents
Part VI: PowerShell and the Client Access Server Role
CHAPTER 12 CAS Services
Configuring Outlook Access
Enabling and Configuring Outlook Anywhere Access
Enabling and Configuring OWA Access
Configuring POP3 and IMAP4
Configuring the Autodiscover Service
Configuring the Offline Address Book (OAB)
CHAPTER 13 Working with Certificates
Types of Certificates
Generating a Certificate Request
Importing the Certificate
Enabling the Certificate
Part VII: PowerShell and the Mailbox Role
CHAPTER 14 Mailbox Servers and Databases
Configuring the Properties of a Mailbox Server
Creating and Mounting a New Database
Managing an Existing Database
Removing an Existing Database
CHAPTER 15 Working with Mailboxes
Exporting a Mailbox
Importing a Mailbox
Moving an Online Mailbox
Running the Clean-MailboxDatabase Cmdlet
CHAPTER 16 Using the Recovery Database (RDB)
Creating the Recovery Database (RDB)
Restoring a Database to the RDB
Removing the RDB
Part VIII: PowerShell and the Unified Messaging Role
CHAPTER 17 Working with Unified Messaging (UM) Role Objects
Configuring the Properties of a UM Server
Creating and Managing Dial Plans
Creating and Managing UM IP Gateways
Creating and Managing Hunt Groups
Creating and Managing UM Mailbox Policies
Monitoring and Troubleshooting a UM Server
CHAPTER 18 Managing Unified Messaging (UM) Users
Managing the UM Auto Attendant
Working with Call Answering Rules
Exporting UM Call Data Records
Working with UM-Enabled Mailboxes
Part IX: PowerShell and Message Routing
CHAPTER 19 Exchange Server 2010 Message Routing
Using Default Message Routing
Using Exchange Hub Sites
Using Exchange-Specific Costs on Site Links
Tracking Messages with PowerShell
CHAPTER 20 Integrating Exchange Server 2010 into an Existing Exchange Server 2003 Environment
Configuring Routing with Exchange Server 2003
Suppressing Link State Updates On Exchange 2003 Bridgehead Servers
Part X: PowerShell and High Availability in Exchange 2010
CHAPTER 21 Database Availability Groups (DAGs)
Creating and Configuring a DAG
Adding or Removing a DAG Member
Recovering a Failed DAG Member
Creating and Configuring a DAG Network
Removing a DAG
CHAPTER 22 Mailbox Database Copies
Adding and Configuring a Mailbox Database Copy
Moving the Active Mailbox Database Copy to a New Location
Suspending or Resuming a Mailbox Database Copy
Updating a Mailbox Database Copy
Removing a Copy of a Mailbox Database
CHAPTER 23 Using DAG to Mitigate Failures
Activating a Mailbox Database Copy on Another DAG Member
Activating a Lagged Mailbox Database Copy on Another DAG Member
Switching Over to Another DAG Member
Switching Over to Another Datacenter
Enabling Datacenter Activation Coordination (DAC) Mode
CHAPTER 24 Monitoring Highly Available Databases
Monitoring Using the Exchange Management Console
Monitoring Using PowerShell Cmdlets
Monitoring Using Event Viewer
Monitoring Using PowerShell Scripts
Part XI: PowerShell and Public Folders
CHAPTER 25 Public Folder Database Management
Installing Public Folders
Creating a Public Folder Database
Configuring a Public Folder Database
Removing a Public Folder Database
CHAPTER 26 Managing Public Folders
Assigning a Default Public Folder Database to a Mailbox Database
Creating and Managing Public Folders
Replicating Public Folders
Removing a Public Folder
CHAPTER 27 Public Folder Permissions
Adding Administrative Permissions to the Folder Structure
Controlling Top-level Public Folders
Setting Client Permissions to Public Folder Content
Part XII: Troubleshoot Exchange Server 2010 Using PowerShell
CHAPTER 28 Troubleshooting with the Test Cmdlets
Using Test Cmdlets for All Roles
Using Test Cmdlets for the Mailbox Role
Using Test Cmdlets for the Transport Roles
Using Test Cmdlets for the Client Access Server Role
Using Test Cmdlets for the Unified Messaging Role
Using Test Cmdlets for Client Connectivity
Using Helpful Non-Exchange Test Cmdlets
CHAPTER 29 Event Logging with PowerShell
Retrieving Events with Get-EventLog
Setting Diagnostic Event Log Levels
Part XIII: PowerShell and Automating Exchange Server 2010 Administration
CHAPTER 30 Using and Finding Scripts to Automate
Using Scripts to Automate Tasks in PowerShell
Finding Scripts to Automate Tasks in PowerShell
Part XIV: Monitoring Role-Based Access Control (RBAC) Permissions, Mailbox Audit Logging, and Reporting with PowerShell in Exchange Server 2010
CHAPTER 31 Configuring Role-Based Access Control (RBAC) Permissions
Creating and Managing a Management Role Group
Adding Members to the Management Role Group
Retrieving Information about Role Groups and Role Group Members
Setting and Viewing Management Scopes
CHAPTER 32 Using Mailbox Audit Logging to Monitor Exchange Server
Enabling Mailbox Audit Logging
Initiating Administrative Actions to Test Mailbox Audit Logging
Initiating a Search of the Mailbox Audit Log
CHAPTER 33 Reporting and Other Useful Cmdlets
Obtaining Information about a Mailbox with Get-MailboxStatistics
Retrieving Logon Information about Currently Active Sessions with Get-LogonStatistics
Using Other Useful Cmdlets
APPENDIX A Lab Environment Used for This Book
The Platform on Which the Virtual Machines Ran During the Writing of This Book
The Lab Environment Used in this Book
Creating Test Users and Mailboxes for the Lab Environment
Conclusion
APPENDIX B Create Your Own Journal Here
About the Author
Richard Robb has been a respected technical trainer and messaging field consultant on Microsoft Exchange Server for the past 13 years after changing careers. In his “second career,” Mr. Robb has earned quite a number of technical certifications, including Microsoft Certified Trainer (MCT), Microsoft Certified IT Professional (MCITP) for Exchange Server 2010, as well as Exchange Server 2007. He is also certified on Exchange Server 2003. He has worked with every version of Exchange Server back to Exchange 5.5 and also has experience with other messaging systems, such as Lotus Notes.
In addition to his Exchange certifications, Mr. Robb has earned other certifications, such as Microsoft Certified IT Professional (MCITP) for Windows Server 2008, Microsoft Certified Systems Engineer (MCSE) on Windows Server 2003, 2000, and NT 4.0, Microsoft Certified Systems Administrator (MCSA) on Windows Server 2003 and 2000, as well as Microsoft Certified Desktop Support Technician (MCDST). He also holds Certified Novell Engineer (CNE) and A+ certifications and has delivered classes for many top Fortune 500 companies as well as many governmental agencies in the United States and Canada.
Mr. Robb currently works as an independent contractor providing Exchange Server training and consulting throughout the United States and Canada. He has also been part owner of a computer consulting company and part owner of a Microsoft and IBM Lotus training company with a six-room training center in southeastern Pennsylvania. A former restaurant general manager of a 400-seat full-service seafood restaurant, Mr. Robb was at the forefront of the move from simple point-of-sale cash registers to network operation systems in the food service industry and spearheaded the move to using computers in the restaurant for everything from cash registers to databases for managing inventory.
Richard Robb, an accomplished computer hobbyist in the early 1980s, united his keen interest of computers with a methodical research into the exploding IT industry and made the move from food service to information technology full time. He worked as a field consultant for some time after leaving the restaurant industry, but when the opportunity arose to instruct, it coupled two things that he loves to do: work with computers and teach. Mr. Robb is a graduate of Gettysburg College in Gettysburg, Pennsylvania, with a dual major in Psychology and Economics. He also holds a Bachelor of Arts degree.
Mr. Robb also authored the book MCITP Guide to Microsoft Windows Server 2008, Enterprise Administration, a lab guide for hands-on exploration of Windows Server 2008, with a focus on studying for and passing Microsoft Certification Exam 70-647.
Darril Gibson is the CEO of Security Consulting and Training, LLC. He regularly teaches, writes, and consults on a wide variety of security and technical topics. He has been a Microsoft Certified Trainer for more than 10 years and holds several certifications, including MCSE (NT 4.0, 2000, 2003), MCDBA (SQL Server), MCITP (Windows 7, Server 2008, SQL Server), ITIL v3, Security+, and CISSP. He has authored, coauthored, or contributed to more than a dozen books. You can view a listing of most of his current books on Amazon (http://amzn.to/bL0Obo).
About the Series Editor
Scott Empson is the associate chair of the Bachelor of Applied Information Systems Technology degree program at the Northern Alberta Institute of Technology in Edmonton, Alberta, Canada, where he teaches Cisco routing, switching, and network design courses. Scott is also the program coordinator of the Cisco Networking Academy Program at NAIT, a Regional Academy covering Central and Northern Alberta. He has earned three undergraduate degrees: a Bachelor of Arts, with a major in English; a Bachelor of Education, again with a major in English/Language Arts; and a Bachelor of Applied Information Systems Technology, with a major in Network Management. Scott also has a Masters of Education degree from the University of Portland. He holds several industry certifications, including CCNP, CCAI, Network+, and C|EH.
Scott is the series creator and one of the authors of the Portable Command Guide Series. Portable Command Guides are filled with valuable, easy-to-access information to quickly refresh your memory. Each guide is portable enough for use whether you’re in the server room or the equipment closet.
About the Technical Editor
Brien Posey is a seven-time Microsoft MVP (Windows, IIS, Exchange Server, and File Systems/Storage) with more than two decades of IT experience. As a freelance technical writer, Brien has published many thousands of articles and written or contributed to dozens of books on a variety of IT topics. Before going freelance, Brien served as CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.
Dedication
From Richard Robb
I am fortunate to have three very strong people supporting me in my ventures during my lifetime. These three people are my wife of 30 years (Janet), my daughter (Jeanna), and my mother (Winnie).
During the writing of this book, my mother, Edwina A. (Winnie) Robb, passed away after a short illness. I’m thankful to have had her for so many years, but I still miss her very much. She was 91 years old.
I love you, Mom!
From Darril Gibson
To my wife, Nimfa, of more than 18 years. Thanks for helping me find success and joy in so much that I do.
Acknowledgments
From Richard Robb
I was amazed when I turned in each chapter. My editor, Jeff Riley, and Darril Gibson were able to take my work and make it look so much more professional in the finished product. Their comments were invaluable. I am thankful that Darril saw something in me that made him feel I could be an author. Without Darril, I would not have written this book. I would also like to mention Scott Empson. He wrote the first book in this series, and it is the prototype for this book and others in the series. It took me a while to understand that this is not a book that someone might pick up and read from cover to cover as they might a novel, but once I got it, the format made so much more sense.
From Darril Gibson
Richard Robb is the real Exchange expert behind the entire contents of this book. His
invaluable real-world experience and depth of knowledge from teaching Exchange so
often over the years brought every page within this book to life. I am grateful to have
been able to work with him again.
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We value
your opinion and want to know what we’re doing right, what we could do better, what
areas you’d like to see us publish in, and any other words of wisdom you’re willing to
pass our way.
As an associate publisher for Pearson Certification, I welcome your comments. You can
email or write me directly to let me know what you did or didn’t like about this book—
as well as what we can do to make our books better.
Please note that I cannot help you with technical problems related to the topic of this book. We do have a User Services group, however, where I will forward specific technical questions related to the book.
When you write, please be sure to include this book’s title and author as well as your
name, email address, and phone number. I will carefully review your comments and
share them with the author and editors who worked on the book.
Email: [email protected]
Mail: David Dusthimer
Associate Publisher
Pearson IT Certification
800 East 96th Street
Indianapolis, IN 46240 USA
Reader Services
Visit our website and register this book at pearsonitcertification.com for convenient
access to any updates, downloads, or errata that might be available for this book.
Introduction
Thanks for buying the Exchange Server 2010 Portable Command Guide. This book joins the other books in the Portable Command Guide series. Before you delve into this book and start typing cmdlets, I would like to give credit to Scott Empson, who created the first book in the series, as well as Darril Gibson, who brought the series from its Cisco roots over to include the Microsoft product line.
Like the other books in this series, this book doesn’t attempt to teach every concept or
explain every detail. It is assumed that you already understand the basic concepts.
Instead, the goal is to provide numerous examples of tasks that can be performed in
Exchange Management Shell that allow you to view the syntax of cmdlets as well as to
provide information to help you remember how to customize cmdlets for other purposes
not directly addressed in this book. Hopefully, you will find the compact size of the
Portable Command Guide to be convenient, so you are able to keep the book with you.
A number of books have been published on Windows PowerShell, but very few of
these are dedicated to Exchange Server 2010. I am an Exchange administrator. I am not
a developer. Yet, I have found an increasing need to improve my development skills
in order to be an effective administrator—first with Exchange Server 2007, then with
Windows Server 2008, and now with Exchange Server 2010. Fortunately, with Windows
PowerShell and Exchange Management Shell, I can do so without having to learn a
complicated language and extensive developmental concepts—something I really have
no desire to do as an administrator. With just a simple verb-noun combination, I can
achieve fantastic things in the Exchange organization and still be able to sleep at night
without pieces of code swirling around in my head as I dream.
Many PowerShell books are written for developers by developers. I have long been searching for a book written for administrators by an administrator. So, I was quite excited when I was approached with the opportunity to write just such a book for Exchange Server 2010. This book is designed to be several things wrapped into one:
■ First, it is designed to be a quick reference guide for all those little cmdlet “gems”
you just know are out there, but can never seem to find when you need them. (For
example, you need a quick-yet-customizable cmdlet to produce only the relevant
information for certain mailboxes that exist in your organization.)
■ Second, as you examine the five Exchange Server 2010 roles, this book provides
a fairly complete list of the common cmdlets used to manage and work with those
roles. I will attempt to analyze the syntax to make it more understandable for you
and point out the common options available for those cmdlets.
■ Third, if you plan to take one or both of the Exchange Server 2010 Microsoft
certification exams (70-662 and 70-663), you will likely want a study guide with
the relevant cmdlets you might expect to see on those exams, along with a brief
description of the cmdlets and the possible options for their use.
If you’re like I was a few years ago, you might be asking yourself, “Why the command
line again?”
This is a good question to ask. It’s very relevant, too, because quite a few Exchange
2003 administrators are now making the leap to Exchange Server 2010 and to Windows
PowerShell.
There are several reasons to use a command-line utility. Let’s examine just one scenario to illustrate how the command-line interface (and specifically Exchange Management Shell) can help us do something that might have been tedious, difficult, or simply impossible to do in Exchange Management Console.
Our company, a very large organization, has just acquired a small company that has 33 users. We need the 33 new mailboxes to receive a specific policy. However, there are 33,000 mailboxes in the organization, and the new users are not organized by subsidiaries. This means that some users are in the Managers OU in Active Directory and others are in regional OUs. Therefore, the 33 mailboxes do not have any attribute in common that is displayed in Exchange Management Console. However, because a Company attribute is designated in the AD, if we used it to represent the subsidiaries, we can leverage that attribute in Exchange Management Shell, as shown next.
PS C:\Users\Administrator>Get-User -Filter {Company -eq "RomacSign"} | Enable-Mailbox -Database "AssemblyDB"
I know. We’ve not even looked at the makeup of a cmdlet yet and I throw that at you!
However, think of it this way: In that one short line of typed code, we have created 33
mailboxes for the new users who have been recently migrated into our Active Directory,
and we have done so quite easily and economically. Without Exchange Management
Shell, we would have had to find the 33 users who needed mailboxes (which could be
quite tedious) and then manually apply the change. Within a short time, the preceding
cmdlet will not only make sense to you, but you will be writing ones much like it with
little effort.
So, dive right in and start working with Exchange Management Shell, and very soon you
will be amazed with all the tasks that are not only possible, but that are achievable in
just a short period of time.
One other point I’d like to make is that many of the examples in the book have values for parameters. These match the design documented in the appendix. To help you distinguish what part of the command you have to enter exactly as shown, and what part of the command is a parameter you need to provide, the parameters are underlined in the book. For example, in the previous command RomacSign and AssemblyDB are both underlined to let you know they are parameters that you’ll need to change to match your organization.
CHAPTER 1
New Features and the Exchange Management Shell
This chapter provides information and commands concerning the following topics:
■ What’s new in PowerShell 2.0
■ What is a cmdlet?
■ The Exchange Management Shell
In this chapter, you look at new features in PowerShell 2.0. Then, in preparation for a look at the Exchange Management Shell (EMS), you briefly review the makeup of a cmdlet. Finally, you investigate the Exchange Management Shell.
What’s New in PowerShell 2.0
Microsoft Windows PowerShell is a combined command-line shell and scripting language designed primarily for administrators, not developers. Prior to the introduction of Windows PowerShell into operating systems, administrators were forced to learn a programming language such as Visual Basic to fully manipulate objects in the Active Directory and Exchange environment if the graphical user interface (GUI) did not provide an easy means for administration. Mainly, an administrator found the need for additional tools, such as custom VB scripts, when he or she wanted to manage objects in bulk. PowerShell 2.0 includes significant changes from the original version.
Several new operators have been added with PowerShell 2.0.

| New Operator | Description |
| --- | --- |
| Splatting operator | The passing of a collection of parameters or “splatting” of a hashtable as input to a cmdlet. (Uses the @ symbol.) Example: A function can be created to import a CSV file and convert it to a series of hashtables, as might be the case if you wanted to add 100 users to a group. Each user to be added to the local group will become an individual hashtable (so, if 100 users need to be added to a group, 100 hashtables will be automatically created by the function). The hashtables can then be pipelined to a ForEach-Object cmdlet using the splatting operator (@) to achieve the same result more expeditiously than by using a PowerShell script. |
| Split operator | Splitting strings into separate components. (Uses -split to break the string into an array.) Example: Displayname “Dorothy Buhler” can be split into firstname and lastname components “Dorothy” and “Buhler”. |
| Join operator | Combining the components into one. This concatenates multiple strings into a single string, separated by a separator character, such as a comma. (Uses -join to perform the concatenation, adding separators as necessary.) Example: “Philadelphia” and “PA” become “Philadelphia, PA.” |
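
The splatting, -split and -join operators from the table above, combined in one added example (this is not code from the book). Add-LabGroupMember, ConvertTo-MemberParams and the CSV rows are hypothetical stand-ins so the script runs without Active Directory or Exchange.

```powershell
# Constructed sample rows standing in for an imported CSV file (not from the book).
$csvText = @"
DisplayName,City,State,Group
Dorothy Buhler,Philadelphia,PA,Sales
Mary Ann Smith,Gettysburg,PA,Managers
Cher,Indianapolis,IN,Sales
"@

# Hypothetical stand-in for a real "add user to group" cmdlet so the example
# runs without Active Directory or Exchange; it only echoes what it receives.
function Add-LabGroupMember {
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [Parameter(Mandatory = $true)][string]$FirstName,
        [Parameter(Mandatory = $true)][string]$LastName,
        [string]$Location
    )
    New-Object PSObject -Property @{
        Group = $Group; FirstName = $FirstName; LastName = $LastName; Location = $Location
    }
}

# Hypothetical helper: turn one CSV row into a hashtable whose keys match the
# parameter names of Add-LabGroupMember, or return nothing if the row is unusable.
function ConvertTo-MemberParams {
    param([Parameter(Mandatory = $true)]$Row)

    # -split with a limit of 2: "Mary Ann Smith" becomes "Mary" and "Ann Smith"
    # instead of three pieces.
    $parts = @($Row.DisplayName.Trim() -split '\s+', 2)
    if ($parts.Count -lt 2) {
        Write-Warning "Skipping '$($Row.DisplayName)': no last name to split out."
        return
    }

    @{
        Group     = $Row.Group
        FirstName = $parts[0]
        LastName  = $parts[1]
        # -join: "Philadelphia" and "PA" become "Philadelphia, PA".
        Location  = ($Row.City, $Row.State) -join ', '
    }
}

# Splatting: @params passes each hashtable key as a named parameter. The CSV
# values are bound as data and are never parsed as PowerShell code, which is not
# true of a command string assembled from the same fields.
$csvText -split '\r?\n' | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
    $params = ConvertTo-MemberParams -Row $_
    if ($params) { Add-LabGroupMember @params }
}
```

The single-word row is skipped with a warning rather than passed on with an empty last name, and the three-word name keeps its remainder in one string because of the split limit.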
PowerShell 2.0 also introduces new variables. The four new variables are described in the following table.

| New Variables | Description |
| --- | --- |
| $CommandLineParameters | Accumulates command-line and pipeline parameters. |
| $PSVersionTable | PowerShell version information is available through this variable. |
| $Culture | Current Culture information is available through this variable. |
| $UICulture | Current UI Culture information is available through this variable. |
Also, 24 new cmdlets have been added in PowerShell 2.0. Some of the more notable
new cmdlets are described in the following table.
New cmdlet Description
Get-PSBreakpoint Retrieves the breakpoints that are set in the current session. (A breakpoint is a point in a command or script where execution stops temporarily so that you can examine the instructions. This is one of several cmdlets designed for debugging Windows PowerShell scripts and commands.)
New-PSBreakpoint Sets a new breakpoint on a script, command, and on the read or write of certain variables.
Remove-PSBreakpoint Deletes an existing breakpoint. You must designate a breakpoint object or a breakpoint ID. (When you remove a breakpoint, the breakpoint object is no longer available or functional.)
Enable-PSBreakpoint Re-enables disabled breakpoints. (You can use it to enable all breakpoints collectively, or you can specify individual breakpoints using breakpoint objects or breakpoint IDs.) This cmdlet changes the value of the Enabled property of a breakpoint object to $true.
Disable-PSBreakpoint Disables currently enabled breakpoints so that the script will not stop at them when it is run. (You can use it to disable all breakpoints collectively, or you can specify individual breakpoints using breakpoint objects or breakpoint IDs.) This cmdlet changes the value of the Enabled property of a breakpoint object to $false.
Step-Into Executes the current statement, stopping at the next statement. (If the current statement is a function or script call, the debugger steps into that function or script; otherwise, it stops at the next statement.)
Step-Out Executes the current statement, stopping at the next statement. (If the current statement is a function or script call, the debugger executes the whole function or script, and it stops at the next statement after the function call.)
Step-Over Steps out of the current function and up one level if the function is nested. (If in the main body, the script is executed to the end or to the next breakpoint. The skipped statements are executed but not stepped through.)
Continue Continues execution to the end or to the next breakpoint. (The skipped functions and invocations are executed but not stepped through.)
Get-PSJob Retrieves Windows PowerShell background jobs (PSJobs) that are running in the current console.
Start-PSJob Starts a Windows PowerShell background job (PSJob) from the current console.
Stop-PSJob Stops a Windows PowerShell background job (PSJob).
Wait-PSJob Suppresses the command prompt until one or all of the Windows PowerShell background jobs (PSJobs) running in the console are complete.
Remove-PSJob Deletes a Windows PowerShell background job (PSJob).
Receive-PSJob Retrieves the results of the Windows PowerShell background jobs (PSJob) in the current console. (You can use this cmdlet to retrieve the output and errors of background jobs.)
Get-Runspace Retrieves the runspaces that were created in the current console. (You would use a runspace to run multiple commands that share data, such as a function or the value of a variable.)
New-Runspace Creates a persistent connection to a Windows PowerShell session on a local or remote computer.
Remove-Runspace Closes one or more runspaces.
As you can see, a number of new cmdlets have been built in to Windows PowerShell
2.0. The ones of greatest interest to admins rather than developers are the ones dealing
with background jobs, also known as PSJobs.
What Is a Cmdlet?
The cmdlet (pronounced “command let”) is a basic tenet of Exchange Management
Shell. It is always formatted as a verb-noun combination. (There are never any spaces
between the verb and the noun.) The verb is an action and the noun is the object on
which you perform the action. Unless a pipe character (|) appears in the statement, there
cannot be more than one cmdlet in a single statement. Everything you do in Exchange
Management Shell starts with a cmdlet. Some cmdlets have only a few parameters
associated with them (such as the Mount-Database cmdlet), whereas others have many
parameters that may be associated with them (such as the New-Mailbox cmdlet). The
following table illustrates how two cmdlets could have many differences in terms of
their available parameters.
Mount-Database parameters:
AcceptDataLoss
Confirm
DomainController
Force
Identity
WhatIf
Syntax:
Mount-Database -Identity name
Example:
PS C:\Users\Administrator> Mount-Database -Identity AssemblyDB
The Mount-Database cmdlet has only six parameters available to it, as shown.
New-Mailbox parameters:
AccountDisabled
ActiveSyncMailboxPolicy
Alias
Arbitration
ArbitrationMailbox
Archive
ArchiveDatabase
ArchiveDomain
BypassLiveId
Confirm
Database
Discovery
DisplayName
DomainController
Equipment
EvictLiveId
ExternalDirectoryObjectId
FederatedIdentity
FirstName
Force
ImmutableId
ImportLiveId
Initials
LastName
LinkedCredential
LinkedDomainController
LinkedMasterAccount
MailboxPlan
ManagedFolderMailboxPolicy
ManagedFolderMailboxPolicyAllowed
ModeratedBy
ModerationEnabled
Name
NetID
Office
Organization
OrganizationalUnit
OverrideRecipientQuotas
PartnerObjectId
Password
Phone
PrimarySmtpAddress
QueryBaseDNRestrictionEnabled
RemoteAccountPolicy
RemoteArchive
RemotePowerShellEnabled
RemovedMailbox
ResetPasswordOnNextLogon
ResourceCapacity
RetentionPolicy
Room
RoleAssignmentPolicy
SamAccountName
SendModerationNotifications
Shared
SharingPolicy
SKUAssigned
SKUCapability
ThrottlingPolicy
UsageLocation
UseExistingLiveId
UserPrincipalName
WhatIf
WindowsLiveID
Syntax:
New-Mailbox -Name name -Alias alias -UserPrincipalName upn_name -SamAccountName user_logon -FirstName first_name -LastName last_name -Password user_password -ResetPasswordOnNextLogon $boolean value
Examples:
PS C:\Users\Administrator> New-Mailbox -Name 'Dale Syhre' -Alias 'Dale' -UserPrincipalName -SamAccountName 'Dale' -FirstName 'Dale' -LastName 'Syhre' -Password Pa$$w0rd -ResetPasswordOnNextLogon $false
On the other hand, the New-Mailbox cmdlet has 64 parameters, as shown. (There are many more configuration options necessary when you create a mailbox versus when you simply need to mount a database.)
This is just a single example illustrating the wide variety of parameters available
between two individual cmdlets. It is easy to see that with more than 1,000 available
cmdlets in Windows PowerShell 2.0—each having a unique set of parameters—
PowerShell and EMS will have nearly limitless possibilities as you manage your
Exchange 2010 organization.
The Exchange Management Shell
Figure 1-1 shows the Exchange Management Shell (or “Shell” as some call it), which
is a management interface for Microsoft Exchange Server 2010. It is built on top of
Windows PowerShell 2.0 and provides a command-line interface for Exchange Server.
In the figure, the Get-ExchangeServer cmdlet has been executed and has been directed
to display the output in a list format showing the server’s fully qualified domain name
(FQDN), as well as the Exchange roles installed on the server.
Figure 1-1 The Exchange Management Shell
NOTE Figure 1-1 also shows the Welcome Message and “Tip of the Day” typically
seen immediately after launching EMS.
NOTE You also might see Exchange Management Shell abbreviated as EMS.
An administrator may perform any administrative task from the Exchange Management
Shell. However, individual tasks are not especially the strength of Exchange
Management Shell. The strength of Exchange Management Shell lies in its capability to
automate administrative tasks.
The following examples set the IssueWarningQuota parameter value to 500MB for
mailboxes at different levels. (When the IssueWarningQuota parameter is set on a
mailbox, a warning message is sent to the user when the mailbox reaches the designated
size.) It is important to have the ability to set attributes at multiple levels. Sometimes
you want everyone in the organization to have the same value for an attribute. Other
times, you might want everyone in a particular database or with a mailbox on a particular
server to have the same value for an attribute. Occasionally, you might need one
mailbox to be unique. The different levels shown in the examples are as follows:
■ Recipient level with the Set-Mailbox cmdlet
■ OU level using Get-Mailbox -OrganizationalUnit and pipelining
■ Server level using Get-Mailbox -Server and pipelining
■ Organization level using Get-Mailbox without pipelining
You can use the Set-Mailbox cmdlet with the -IssueWarningQuota parameter, as
shown in the following table.
Set-Mailbox -Identity name -IssueWarningQuota size -UseDatabaseQuotaDefaults $boolean value
Example:
PS C:\Users\Administrator> Set-Mailbox -Identity Dorothy -IssueWarningQuota 500MB -UseDatabaseQuotaDefaults $false
You can manage objects at the recipient level, including the modification of all attributes, as shown by changing the quota of a single mailbox. The mailbox that requires the quota change is represented by the name attribute. You can set any size by using an integer value and the appropriate measure (KB, MB, GB, etc.) as an acceptable size for the quota. You may also type unlimited as the size if you do not want to set a quota for this particular mailbox.
The $false parameter says that the user will not inherit the quota values set on the database. If this option were left off, the database settings would be inherited and applied, even though you set individual settings on this mailbox. When this option is set to $false, inheritance is blocked. If the parameter value is set to $true, the database setting will be reapplied, overwriting the individual setting.
Additional information regarding this cmdlet will be covered in Chapter 7, “Working with Recipient Objects.”
In the example, you want to change the IssueWarningQuota parameter on Dorothy’s mailbox to 500MB and you do not want the database setting to be inherited.
That is a lot of typing for just one mailbox. As you can see in Figure 1-2, you can perform this same task with little effort in Exchange Management Console.
Figure 1-2 Setting the IssueWarningQuota for a single mailbox in Exchange Management Console
However, if that same task is necessary for ten mailboxes (or 10,000), much less administrative effort will be required if the task is performed with Exchange Management Shell.
TIP The following cmdlets utilize a feature of PowerShell known as pipelining. Pipelining enables you to combine multiple cmdlets into a single line of code. It uses the | character to separate two or more cmdlets in the command that you type. For example, the Get-Mailbox cmdlet collects the appropriate mailboxes and then passes that list on to the Set-Mailbox cmdlet, which changes the IssueWarningQuota parameter value. The pipelining feature is presented in Chapter 3, “Advanced Techniques.”
You can use the Set-Mailbox cmdlet with the pipelining feature as shown in the following three examples.
Get-Mailbox -OrganizationalUnit "OUName" | Set-Mailbox -IssueWarningQuota warning level -UseDatabaseQuotaDefaults $boolean value
Example:
PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit "Assembly" | Set-Mailbox -IssueWarningQuota 500MB -UseDatabaseQuotaDefaults $false
You can manage at the Organizational Unit (OU) level, setting IssueWarningQuota for all users in the Assembly OU to the same value.
You might wonder whether the quotes around values such as OUName are necessary. A good rule of thumb is that if there are any spaces in the value, the quotes are necessary. If there are no spaces in the value, the quotes are optional. Because there are no spaces in the OU name Assembly, the quotes are optional here, but it would not be incorrect to use them.
You might also wonder whether single quotes or double quotes may be used. In many cases, either may be used as long as you are consistent within the pair of quotes. (That is to say, if you open with a double quote, you must close with a double quote.) In some cases, the type of quote is important. For example, suppose you define a variable called DaysinWeek and assign a value of 7 to the variable because there are seven days in a week. When you reference that variable in PowerShell, if the result that you want to output is the name of the variable (DaysinWeek), enclose it in single quote marks. However, if the result that you want to output is the value of the variable (7), enclose the variable in double quotes.
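The quoting rule above matters for the password used in this chapter's New-Mailbox example, because Pa$$w0rd contains $ characters. The following is an added example (not from the book) in plain PowerShell 2.0; the variable names $literal, $expanded and $securePassword are assumptions made for illustration.

```powershell
# Added example: runs in any PowerShell 2.0 console, no Exchange cmdlets needed.
$DaysinWeek = 7

# Single quotes: the text is kept exactly as typed, so the variable NAME is output.
'A week has $DaysinWeek days'

# Double quotes: PowerShell replaces the variable with its VALUE.
"A week has $DaysinWeek days"

# The sample password contains $ characters. In double quotes (or with no
# quotes at all) PowerShell tries to expand them as variables, so the string
# that reaches the cmdlet is not the one you typed.
$literal  = 'Pa$$w0rd'     # kept character for character
$expanded = "Pa$$w0rd"     # altered by variable expansion
if ($literal -ne $expanded) {
    Write-Warning "Double quotes changed the password text to '$expanded'"
}

# The -Password parameter of New-Mailbox expects a SecureString rather than
# plain text. Build one from the single-quoted literal ...
$securePassword = ConvertTo-SecureString -String $literal -AsPlainText -Force

# ... or, so the password never appears in a script or in the command history,
# prompt for it instead:
# $securePassword = Read-Host -Prompt 'Password for the new mailbox' -AsSecureString

# $securePassword is then the value to supply to New-Mailbox -Password.
$securePassword.GetType().FullName
```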
Mailbox Management at the Server Level:
Get-Mailbox -Server servername | Set-Mailbox -IssueWarningQuota warning level -UseDatabaseQuotaDefaults $boolean value
Example:
PS C:\Users\Administrator> Get-Mailbox -Server Romac-EX3 | Set-Mailbox -IssueWarningQuota 500MB -UseDatabaseQuotaDefaults $false
You can also manage at the server or database level.
In this pair of cmdlets, the IssueWarningQuota parameter for all users with mailboxes on Romac-EX3 is set to the same value.
This would apply to more than one database if Romac-EX3 hosts multiple databases because the parameter is set at the server level.
Mailbox Management at the Database Level:
Get-Mailbox -Database databasename | Set-Mailbox -IssueWarningQuota warning level -UseDatabaseQuotaDefaults $boolean value
Example:
PS C:\Users\Administrator> Get-Mailbox -Database AssemblyDB | Set-Mailbox -IssueWarningQuota 450MB -UseDatabaseQuotaDefaults $false
In this pair of cmdlets, the IssueWarningQuota parameter for all users with mailboxes in the AssemblyDB is set to the same value.
This would only apply to a single database on a server because the parameter is set at the database level.
Mailbox Management at the Organization Level:
PS C:\Users\Administrator> Get-Mailbox | Set-Mailbox -IssueWarningQuota 500MB -UseDatabaseQuotaDefaults $false
You can even manage at the organization level, setting the IssueWarningQuota parameter for all users in the organization to the same value.
(This is very easily accomplished. Don’t use any parameter with the Get-Mailbox cmdlet.)
With creative use of the Get-Mailbox cmdlet and other Active Directory parameters,
you can achieve the granularity you require in the management of your Exchange
objects.
TIP It is not a good idea to manage at multiple levels regularly because you might
unintentionally overwrite settings on objects by changing a value on an object higher in
the hierarchy. (The Get statement retrieves all applicable objects and the Set statement
applies the change. A database setting would be overwritten when you execute a cmdlet
changing the value at the server level.)
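One way to avoid the unintentional overwrite described in the TIP, shown as an added example that is not from the book: record the current values, leave mailboxes that already have individual settings alone, and preview the change with -WhatIf before applying it. It assumes an Exchange Management Shell session and the Assembly OU used earlier; the CSV path and variable names are constructed for illustration.

```powershell
# Added example: run in Exchange Management Shell.
$backupFile = 'C:\Temp\Assembly-quotas-before.csv'   # constructed path

# 1. Retrieve the target set once so every later step works on the same mailboxes.
$targets = @(Get-Mailbox -OrganizationalUnit 'Assembly' -ResultSize Unlimited)

# 2. Record the current settings before anything is changed.
$targets |
    Select-Object Name, Database, IssueWarningQuota, UseDatabaseQuotaDefaults |
    Export-Csv -Path $backupFile -NoTypeInformation

# 3. Separate mailboxes that still inherit the database quota from those that
#    already carry an individual setting someone chose on purpose.
$inheriting = @($targets | Where-Object { $_.UseDatabaseQuotaDefaults })
$individual = @($targets | Where-Object { -not $_.UseDatabaseQuotaDefaults })

if ($individual.Count -gt 0) {
    Write-Warning "$($individual.Count) mailbox(es) already have individual quota settings and will be skipped:"
    $individual | Format-Table Name, Database, IssueWarningQuota -AutoSize
}

# 4. Preview: -WhatIf reports what Set-Mailbox would do without changing anything.
$inheriting | Set-Mailbox -IssueWarningQuota 500MB -UseDatabaseQuotaDefaults $false -WhatIf

# 5. After reviewing the preview, run the same command without -WhatIf:
# $inheriting | Set-Mailbox -IssueWarningQuota 500MB -UseDatabaseQuotaDefaults $false
```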
This chapter provides information and commands concerning the following topics:
■ Using the GUI
■ Understanding the basic syntax of a cmdlet
■ Finding the right cmdlet
■ Finding help for the right cmdlet
■ Using the Tab Completion feature
In this chapter, you explore the basics of working with cmdlets. You also investigate
how to find the right cmdlet for the job as well as how to find help about using those
cmdlets. Finally, you learn how to use Tab Completion as a means to reduce typing and
errors while using PowerShell.
Using the GUI
There are certainly times when using the GUI makes sense. Any work to be performed
on an individual Exchange 2010 object will most likely be more easily performed from
Exchange Management Console, also known as EMC. Changing a property on a server
or on a database or even on a single recipient is generally much easier from the GUI
interface. EMC in Exchange 2010 is laid out very much like EMC in Exchange Server
2007. It has a hierarchical structure that matches the hierarchy of Exchange Server (that
is, Organization - Server - Recipient). However, there are significant differences if you
are using the EMC 2010 version. One of the differences deals with a new object called a
Database Availability Group (or DAG). A second and very significant difference is the
removal of storage groups in Exchange 2010. Both of these very visible changes will be
discussed in much greater detail, but it is important to use the appropriate version of the
console when working with EMC to obtain the desired results.
More important than when to use the GUI is when not to use it. Many tasks simply
cannot be performed from EMC; Exchange Management Shell, or EMS, is required for
these tasks. There is simply no other way to perform them.
Exchange 2010 SP1 has added more options to the GUI tools; however, you still will
not be able to do everything from a GUI-based tool. As you progress through this book,
many such tasks will be highlighted, alerting you to the fact that the highlighted task
may only be performed from EMS and not from either of the graphical tools.
EMS is most effective and provides the greatest value when you are managing multiple
objects. The following table shows an example.
CHAPTER 2
Basic Techniques
C:\Users\Administrator> Get-DistributionGroup MachinistsDG | Get-DistributionGroupMember | Set-Mailbox -IssueWarningQuota 500MB
You need to set a Warning Quota for all machinists’ mailboxes. Some of the mailboxes are in the AssemblyDB and others are in the ManufacturingDB. However, all of the users are in the distribution group called MachinistsDG. You can very easily perform this task with a single cmdlet, as shown.
As you can see, without even knowing on which server or in which database the machinists’
mailboxes are located, you could perform this or many other operations on those
distinct mailboxes quite easily. Imagine trying to do something like that in a GUI-based
tool. Just locating the specific recipients to be managed in a large organization could be
a challenge.
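A distribution group can contain mail-enabled contacts, mail-enabled users and other groups as well as mailbox users, and Set-Mailbox only applies to mailboxes. The following added example (not from the book) expands MachinistsDG, including nested groups, and passes only mailbox users on; the function name Get-GroupMailboxMember and its parameters are hypothetical, and an Exchange Management Shell session is assumed.

```powershell
# Added example: run in Exchange Management Shell.
# Get-GroupMailboxMember is a hypothetical helper, not an Exchange cmdlet.
function Get-GroupMailboxMember {
    param(
        [string]$Group,
        [hashtable]$Seen = @{}    # identities already visited (guards against loops)
    )

    foreach ($member in Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited) {
        $id = [string]$member.Identity
        if ($Seen.ContainsKey($id)) { continue }   # already handled via another group
        $Seen[$id] = $true

        $type = [string]$member.RecipientType
        if ($type -eq 'UserMailbox') {
            $member                                 # a mailbox user: emit it
        }
        elseif ($type -like 'Mail*Group') {
            # Nested distribution or mail-enabled security group: expand it too.
            Get-GroupMailboxMember -Group $id -Seen $Seen
        }
        else {
            # Contacts, mail-enabled users and similar have no mailbox to configure.
            Write-Verbose "Skipping $id ($type)"
        }
    }
}

$machinists = @(Get-GroupMailboxMember -Group 'MachinistsDG')

# Review the resolved list before changing anything.
$machinists | Format-Table Name, RecipientType -AutoSize

# Then apply the same setting the book's one-line pipeline applies.
$machinists | Set-Mailbox -IssueWarningQuota 500MB
```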
Understanding the Basic Syntax of a cmdlet
The following table details the basic syntax of a cmdlet starting with a few of the common
verbs.
Get
Example: PS C:\Users\Administrator> Get-Mailbox
Read-only verb. Retrieves information about an Exchange 2010 object.
The example retrieves a list of all mailboxes in the organization.
Set
Example: PS C:\Users\Administrator> Set-Mailbox -Identity Dorothy -RejectMessagesFrom
Modifies a property of an existing Exchange 2010 object.
The example directs Dorothy’s mailbox to not accept messages from Dale.
New
Example: PS C:\Users\Administrator> New-Mailbox -Name 'Dale Syhre' -Alias 'Dale' -UserPrincipalName -SamAccountName 'Dale' -FirstName 'Dale' -Initials '' -LastName 'Syhre' -Password Pa$$w0rd -ResetPasswordOnNextLogon $false
Creates a new Exchange 2010 object.
This example creates an Active Directory user account and an Exchange 2010 mailbox for the user Dale Syhre.
Disable
Example: PS C:\Users\Administrator> Disable-Mailbox -Identity Dale -Confirm: $false
Sets the “Enabled” status of an Exchange 2010 object to $false.
For example, if Dale already has a mailbox, the Disable-Mailbox cmdlet will disassociate the user and the mailbox.
The -Confirm: $false option means that you won’t be prompted for confirmation of the disassociation.
The user will still exist and the mailbox will be marked for removal after the deleted mailbox retention period has expired (30 days by default).
Enable
Example: PS C:\Users\Administrator> Enable-Mailbox -Identity Dale -Alias Dale
Sets the “Enabled” status of an Exchange 2010 object to $true.
($=string ).
For example, if a Windows user for Dale already exists, the Enable-Mailbox cmdlet will create a mailbox for Dale and mail-enable Dale’s user account.
NOTE In the example where the user Dale was created, the New-Mailbox cmdlet created the Active Directory user account and assigned the Exchange mailbox to it all in one operation. However, in this most recent example, the Enable-Mailbox cmdlet takes an existing Active Directory user account that had been previously created and assigned an Exchange mailbox to it.
TIP It is important to distinguish between the two verbs. The New verb often requires Active Directory permissions, whereas the Enable verb often only requires Exchange permissions.
Remove
Example: PS C:\Users\Administrator> Remove-Mailbox -Identity Dale -Confirm: $false
Deletes an Exchange 2010 object.
For example, if Dale already has a mailbox, the Remove-Mailbox cmdlet will delete the user and mark the mailbox for removal after the deleted mailbox retention period has expired.
TIP The $false parameter says that the administrator will not be prompted to confirm the deletion. This is often desirable when a script is being run and no administrator will be present to confirm the deletion.
Test
Example: PS C:\Users\Administrator> Test-ServiceHealth -Server Romac-EX1
Predefined tests that you can perform for determining connectivity and latency for various clients, testing mailflow between transport components, and verifying Exchange Server service status.
This example checks the status of Exchange services running on Romac-EX1.
TIP There is a distinct difference between the verbs Disable and Remove as seen in
the warning messages in Figures 2-1 and 2-2. Disabling a mailbox will leave both the
user and the mailbox intact, but no longer associated with each other. However, the
mailbox will be marked for deletion at the end of the deleted mailbox retention period,
which is 30 days by default. Removing a mailbox (despite the implications of the cmdlet)
will actually delete the Active Directory user, not the mailbox. It will also mark the
mailbox for deletion at the end of the deleted mailbox retention period.
Similar messages to what’s in Figure 2-2 are displayed when the MailboxUser is disabled
or removed using Exchange Management Shell, as seen in Figure 2-3.
Figure 2-1 Warning message when a mailbox user is disabled in Exchange
Management Console
Figure 2-2 Warning message when a mailbox user is removed in Exchange
Management Console
Figure 2-3 Warning message when a mailbox user is both disabled and removed in
Exchange Management Shell
Basic Syntax: Some Common Cmdlets Using the Get Verb
NOTE Although the cmdlets in the following table don’t always use this feature, you
often will want to either reduce the amount of data returned by the cmdlet or view
attributes that are not returned by default by specifying which individual attribute(s) you
would like to have returned.
Active Directory–Level Get Cmdlets
PS C:\Users\Administrator> Get-User
Use this very simple verb-noun combination to perform an LDAP query against the Active Directory and retrieve a list of all users in your Active Directory whether they have an Exchange mailbox or not.
NOTE The list is unsorted and the parameter values returned are predefined. The two parameters returned are Name and RecipientType.
PS C:\Users\Administrator> Get-User | Sort-Object Name
Use the same verb-noun combination that was performed in the preceding LDAP query against the Active Directory. But now, the cmdlet retrieves a list of all users in your Active Directory sorted alphabetically by first name because of the Sort-Object cmdlet.
TIP This is an example of pipelining. (The pipelining feature is explained in greater detail in Chapter 3, “Advanced Techniques.”)
Get-User -Identity name
PS C:\Users\Administrator> Get-User -Identity Dorothy
Use this to retrieve the name of the user (Dorothy Buhler) as well as the RecipientType value of the recipient (UserMailbox).
Organization-Level Get Cmdlets
PS C:\Users\Administrator> Get-AcceptedDomain
Use this to retrieve the list of accepted domains configured in your organization and their domain types.
NOTE An accepted domain is necessary in order for your Exchange server to receive mail for a namespace. The Mail Exchanger (MX) record on the public DNS directs the mail to your doorstep, but without an accepted domain, your server cannot accept it.
PS C:\Users\Administrator> Get-AddressList
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the address lists in your Active Directory.
PS C:\Users\Administrator> Get-EmailAddressPolicy
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the email address policies in your Active Directory.
PS C:\Users\Administrator> Get-MessageClassification
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the message classifications in use in your organization.
PS C:\Users\Administrator> Get-OfflineAddressBook
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the offline address books in use in your organization and their settings.
PS C:\Users\Administrator> Get-OrganizationConfig
Use this to retrieve configuration data for an Exchange organization.
NOTE This includes quite a bit of organization-level information such as MailTips, SCL JunkThreshold, and whether the organization is in Mixed Mode, to name just a few.
Server-Level Get Cmdlets (All Roles)
PS C:\Users\Administrator> Get-ExchangeServer
PS C:\Users\Administrator> Get-MailboxServer
PS C:\Users\Administrator> Get-TransportServer
PS C:\Users\Administrator> Get-ClientAccessServer
PS C:\Users\Administrator> Get-UMServer
Use the first example to retrieve a list of all Exchange servers in your organization and their attributes.
Use the other cmdlets to retrieve lists of servers hosting the appropriate roles.
(As you can see in Figure 2-4, Romac-EX1 and Romac-EX2 hold the Mailbox, Hub, and Client Access roles. Romac-EX3HC holds the Hub and Client Access roles, but is not a Mailbox server. There are no Unified Messaging servers in this organization.)
Figure 2-4 Retrieving information about the Exchange servers in your environment
As you can see, it is very easy to retrieve information about all servers in your organization
or about each individual server role in your Exchange organization.
Mailbox Database-Level Get Cmdlets
PS C:\Users\Administrator> Get-MailboxDatabase
Use this to display information about all of your mailbox databases.
NOTE This will include, by default, the parameters Name, Server, Recovery, and ReplicationType.
PS C:\Users\Administrator> Get-MailboxDatabase -Identity "AssemblyDB"
PS C:\Users\Administrator> Get-MailboxDatabase -Identity "AssemblyDB" | Format-List Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota, EdbFilePath, LogFolderPath, DeletedItemRetention
Use this to display information about a specific mailbox database (AssemblyDB).
NOTE This will also include, by default, the parameters Name, Server, Recovery, and ReplicationType.
If you would like to view other parameters, you must specify them by name, as shown in Figure 2-5.
(The Format-List cmdlet will be explored further in Chapter 3.)
Figure 2-5 Using the Format-List cmdlet with the Get-MailboxDatabase cmdlet
Public Folder Database-Level Get Cmdlets
PS C:\Users\Administrator> Get-PublicFolderDatabase
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the public folder databases and their attributes.
Public Folder-Level Get Cmdlets
PS C:\Users\Administrator> Get-PublicFolder
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the public folders and their attributes.
PS C:\Users\Administrator> Get-PublicFolderItemStatistics
Use this to retrieve information about items within a specified public folder.
TIP You can view the subject, the last time the item was accessed or modified, the creation time of the item, any attachments, the message size, and the type of item with this cmdlet.
Mailbox-Level Get Cmdlets
PS C:\Users\Administrator> Get-Mailbox | Sort-Object Name
Use this to perform an LDAP query against the Active Directory and retrieve a list of all users with Exchange mailboxes in your Active Directory, sorting them alphabetically.
NOTE The output is very different from the Get-User cmdlet. Instead of name and recipient type, the parameter values returned are now Name, Alias, ServerName, and ProhibitSendQuota.
PS C:\Users\Administrator> Get-Mailbox -Identity name
PS C:\Users\Administrator> Get-Mailbox -Identity Dorothy
PS C:\Users\Administrator> Get-Mailbox | Format-Table Name, Database, IssueWarningQuota
Use this to retrieve the name of the user (Dorothy Buhler) as well as the Alias (Dorothy), ServerName (Romac-EX1), and ProhibitSendQuota value of the recipient (unlimited).
TIP You might want to see other parameters. For example, in a single-server environment, the ServerName will be the same for all of the users, but you might want to view the database in which the mailbox resides rather than the server.
(The Format-Table cmdlet will be explored further in Chapter 3.)
Other Recipient-Level Get Cmdlets
PS C:\Users\Administrator> Get-Contact
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the mail-enabled contacts.
TIP A mail-enabled contact is an Exchange object, but it has no Active Directory account or Exchange mailbox. However, it does appear in the Global Address List (GAL).
PS C:\Users\Administrator> Get-DistributionGroup
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the existing distribution groups.
PS C:\Users\Administrator> Get-DistributionGroupMember
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the members of a distribution group.
PS C:\Users\Administrator> Get-MailUser
Use this to perform an LDAP query against the Active Directory and retrieve a list of all the mail-enabled users and their attributes.
TIP A mail-enabled user is an Exchange object that does have an Active Directory account but does not have an Exchange mailbox. However, it does appear in the Global Address List (GAL).
PS C:\Users\Administrator> Get-Recipient
Use this to perform an LDAP query against the Active Directory and retrieve a list of all Exchange recipients, which includes Mailbox Users, Mail-Enabled Users, Mail-Enabled Contacts, Resource Mailboxes, Distribution Groups, and Linked Mailboxes.
Information/Reporting-Level Get Cmdlets
PS C:\Users\Administrator> Get-LogonStatistics
Use this to perform an LDAP query that retrieves logon statistics about the recipient.
TIP This includes user name, logon time, last access time, client version, and adapter speed.
PS C:\Users\Administrator> Get-MailboxStatistics
Use this to retrieve mailbox statistics about the mailbox.
TIP This includes the size of the mailbox, the number of messages it contains, and the last time it was accessed. It also will document the move history and provide a move report of any completed move requests.
PS C:\Users\Administrator> Get-MoveRequest
Use this to retrieve detailed information about a mailbox move that was initiated with a New-MoveRequest cmdlet.
(There will be much more about this cmdlet in Chapter 7, “Working with Recipient Objects,” and Chapter 8, “Bulk Management of Recipients.”)
PS C:\Users\Administrator> Get-MoveRequestStatistics -Identity "RomacSign\Dorothy" | Format-List
Use this to retrieve detailed information and statistics in this example for Dorothy’s mailbox.
TIP This includes the move status, mailbox size, archive mailbox size, and the percentage of the move that has been completed.
CAS Role-Level Get Cmdlets
PS C:\Users\Administrator> Get-ActiveSyncDevice
Use this to retrieve a list of all devices in your organization that have active Microsoft Exchange ActiveSync partnerships.
PS C:\Users\Administrator> Get-ActiveSyncDeviceStatistics
Use this to retrieve a list of all mobile phones configured to synchronize with a user’s mailbox.
(This returns statistics about the phone, not the user.)
PS C:\Users\Administrator> Get-ActiveSyncMailboxPolicy
Use this to retrieve ActiveSync policy settings for a computer running Microsoft Exchange Server 2010 that has the Client Access Server role installed.
PS C:\Users\Administrator> Get-AutodiscoverVirtualDirectory
Use this to retrieve the settings for the Autodiscover virtual directory on a computer running Microsoft Exchange Server 2010 that has the Client Access Server role installed.
PS C:\Users\Administrator> Get-CASMailbox
Use this to retrieve a complete list of the attributes of a Microsoft Exchange Server 2010 mailbox on a computer that has the Client Access Server role installed.
PS C:\Users\Administrator> Get-ClientAccessArray
Use this to retrieve information about the Active Directory object that represents a load-balanced array of Client Access Servers.
TIP The CAS Array is a new high-availability object for Exchange 2010 and will be discussed in detail in Chapter 12, “CAS Services.”
PS C:\Users\Administrator> Get-OutlookAnywhere
Use this to retrieve all Outlook Anywhere settings on a computer running Microsoft Exchange Server 2010 that has the Client Access Server role installed.
PS C:\Users\Administrator> Get-OutlookProvider
Use this to retrieve the global settings from the AutoDiscoverConfig object under the Global Settings object in Active Directory.
PS C:\Users\Administrator> Get-OwaMailboxPolicy
Use this to retrieve all OWA mailbox policies in a Microsoft Exchange Server 2010 organization.
PS C:\Users\Administrator> Get-OwaVirtualDirectory
Use this to retrieve all OWA virtual directories on a computer running Microsoft Exchange Server 2010 with the Client Access Server role installed.
ptg6842824
Understanding the Basic Syntax of a cmdlet 23
PS C:\Users\Administrator>
Get-ResourceConfig Use this to retrieve resource property
schema data from Active Directory.
PS C:\Users\Administrator>
Get-WebServicesVirtualDirectory Use this to retrieve information from the
Active Directory for the virtual direc-
tory EWS from a computer running
Microsoft Exchange Server 2010 with
the Client Access Server role installed.
Transport Role-Level Get Cmdlets (Hub and Edge Transport)

PS C:\Users\Administrator> Get-AddressRewriteEntry
Use this to view an existing address rewrite entry that rewrites the sender and recipient email addresses on mail sent to or from an email organization.
TIP This feature is only a function of the Edge Transport server role.

PS C:\Users\Administrator> Get-AdSite
Use this to retrieve information about one or more Active Directory sites in which Exchange Hub Transport servers reside.
TIP You can view your Exchange hub sites with this cmdlet.

PS C:\Users\Administrator> Get-AdSiteLink
Use this to retrieve information about one or more Active Directory IP site links that represent physical links over which mail is sent.
TIP You can view your Exchange-specific site link costs with this cmdlet.

PS C:\Users\Administrator> Get-EdgeSubscription
Use this to retrieve information about the Edge Subscriptions that have been configured in a Microsoft Exchange Server 2010 organization.

PS C:\Users\Administrator> Get-JournalRule
Use this to display the journal configuration on a server that has the Hub Transport role installed.

PS C:\Users\Administrator> Get-MailboxSearch
Use this to display mailbox searches that are in progress, have completed, or have been stopped.
NOTE If you are unable to get this example to function, it may be because you do not have permission to run it. Even as an administrator, you must explicitly assign yourself this permission through Role-Based Access Control (RBAC) in order to even see this as a valid cmdlet.

PS C:\Users\Administrator> Get-Message
Use this to view information about one or more messages in a queue on a computer that has the Hub Transport server role or the Edge Transport server role installed.

PS C:\Users\Administrator> Get-MessageTrackingLog
Use this to search message information stored in the message tracking log.

PS C:\Users\Administrator> Get-OutlookProtectionRule
Use this to retrieve the list of Microsoft Outlook protection rules configured in an organization.

PS C:\Users\Administrator> Get-Queue
Use this to view detailed information for queues on a computer that has the Hub Transport server role or the Edge Transport server role installed.

PS C:\Users\Administrator> Get-ReceiveConnector
Use this to view the configuration information for a Receive connector on a computer that has the Hub Transport server role or the Edge Transport server role installed.

PS C:\Users\Administrator> Get-RemoteDomain
Use this cmdlet to view the configuration information for the remote domains in your organization.
TIP You can view the remote domain configuration either from inside the Exchange organization or from a computer that has the Edge Transport server role installed on the outside of your organization.

PS C:\Users\Administrator> Get-SendConnector
Use this to view the configuration information for a Send connector on a computer that has the Hub Transport server role or the Edge Transport server role installed.

PS C:\Users\Administrator> Get-TransportAgent
Use this to view the configuration of a transport agent on a computer that has the Edge Transport server role or the Hub Transport server role installed in a Microsoft Exchange Server 2010 organization.

PS C:\Users\Administrator> Get-TransportConfig
Use this to view the organization-wide email transport configuration settings on computers that have the Hub Transport server role or the Edge Transport server role installed.

PS C:\Users\Administrator> Get-TransportRule
Use this to display the list of transport rules that have been configured for your Hub Transport servers in the Active Directory or locally on your Edge Transport server.

Unified Messaging (UM) Role-Level Get cmdlets

PS C:\Users\Administrator> Get-UMDialplan
Use this to display the settings of all Unified Messaging (UM) dial plans associated with a Unified Messaging server.

PS C:\Users\Administrator> Get-UMHuntGroup
Use this to display the settings for an existing Unified Messaging hunt group.

PS C:\Users\Administrator> Get-UMMailbox
Use this to display the Unified Messaging settings for a UM-enabled recipient.

High Availability-Level Get Cmdlets

PS C:\Users\Administrator> Get-DatabaseAvailabilityGroup
Use this to retrieve a list of all Database Availability Groups.
TIP This cmdlet can also display the list of servers that are members of the Database Availability Group (DAG) as well as real-time status information about the DAG.

PS C:\Users\Administrator> Get-DatabaseAvailabilityGroupNetwork
Use this to retrieve a list of all Database Availability Group networks.
TIP This cmdlet can also display configuration and state information for a Database Availability Group (DAG) network.

PS C:\Users\Administrator> Get-MailboxDatabaseCopyStatus
Use this to retrieve status information about mailbox databases that have been configured with one or more database copies.

Permission-Level Get Cmdlets

PS C:\Users\Administrator> Get-ADPermission
Use this to retrieve the permissions on an Active Directory object.

PS C:\Users\Administrator> Get-MailboxPermission
Use this to retrieve permissions on a mailbox.

PS C:\Users\Administrator> Get-ManagementRole
Use this to retrieve the list of management roles that have been created in your organization.

PS C:\Users\Administrator> Get-ManagementRoleAssignment
Use this to retrieve the existing management role assignments.
NOTE A management role assignment links a management role and a role group and is new to Exchange 2010.

PS C:\Users\Administrator> Get-ManagementRoleEntry
Use this to retrieve the entries on a management role that allow access to cmdlets, scripts, and other permissions.
NOTE This is what allows a user or group to perform a specific task.

PS C:\Users\Administrator> Get-ManagementScope
Use this to retrieve the list of possible management scopes that have been defined.
NOTE A management role scope is the boundary defining where the action may be performed. For example, if the scope of management is in the Philadelphia OU, the action may only be performed on objects in that Organizational Unit (OU).

PS C:\Users\Administrator> Get-RoleAssignmentPolicy
Use this to retrieve the existing management role assignment policy on a server running Microsoft Exchange Server 2010.

PS C:\Users\Administrator> Get-RoleGroup
Use this to retrieve a list of management role groups.
NOTE A management role group is an Active Directory group that uses the Role-Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2010.

PS C:\Users\Administrator> Get-RoleGroupMember
Use this to retrieve a list of members of a management role group.

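The permission-level cmdlets above are the raw material for an access review. The following added example (not from the book) filters objects shaped like Get-MailboxPermission output down to explicit FullAccess delegations and flags any that are not on an approved list; the function names, the approved list and the sample objects are constructed for illustration.

```powershell
# Added example, not from the book. Function names and sample data are constructed.
# On an Exchange 2010 server the live input would come from:
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
# and the people able to search mailboxes from:
#   Get-RoleGroupMember -Identity 'Discovery Management'

function Select-DelegatedFullAccess {
    # Keeps explicit (non-inherited) Allow entries that grant FullAccess to
    # someone other than the mailbox owner.
    param([Parameter(ValueFromPipeline = $true)] $Permission)
    process {
        # AccessRights is an array; flatten it to text before matching.
        $rights = "$($Permission.AccessRights)"
        if ($rights -match 'FullAccess' -and
            -not $Permission.IsInherited -and
            -not $Permission.Deny -and
            "$($Permission.User)" -ne 'NT AUTHORITY\SELF') {
            New-Object PSObject -Property @{
                Mailbox = "$($Permission.Identity)"
                Trustee = "$($Permission.User)"
            }
        }
    }
}

function Find-UnapprovedDelegation {
    # Returns delegations whose "Mailbox|Trustee" pair is not on the approved list.
    param([object[]]$Delegation, [string[]]$Approved)
    $Delegation | Where-Object { $Approved -notcontains "$($_.Mailbox)|$($_.Trustee)" }
}

function New-SamplePermission($Identity, $User, $Rights, $Inherited, $Deny) {
    # Builds a constructed stand-in for one Get-MailboxPermission result.
    New-Object PSObject -Property @{
        Identity     = $Identity
        User         = $User
        AccessRights = $Rights
        IsInherited  = $Inherited
        Deny         = $Deny
    }
}

# Constructed sample entries (trustee names are hypothetical).
$samplePermissions = @(
    (New-SamplePermission 'RomacSign\Dorothy' 'NT AUTHORITY\SELF'    @('FullAccess', 'ReadPermission') $false $false),
    (New-SamplePermission 'RomacSign\Dorothy' 'RomacSign\Exchange Servers' @('FullAccess')             $true  $false),
    (New-SamplePermission 'RomacSign\Dorothy' 'RomacSign\Assistant1' @('FullAccess')                   $false $false),
    (New-SamplePermission 'RomacSign\Leo'     'RomacSign\Temp1'      @('FullAccess')                   $false $false),
    (New-SamplePermission 'RomacSign\Leo'     'RomacSign\Temp2'      @('FullAccess')                   $false $true)
)

# Delegations that have been reviewed and accepted (constructed).
$approved = @('RomacSign\Dorothy|RomacSign\Assistant1')

$delegations = $samplePermissions | Select-DelegatedFullAccess
Find-UnapprovedDelegation -Delegation $delegations -Approved $approved |
    Format-Table Mailbox, Trustee -AutoSize
```

Run against the sample data, only the explicit Allow entry that is missing from the approved list is reported; the owner's own entry, the inherited entry and the Deny entry are filtered out first.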
Compliance-Level Get Cmdlets

PS C:\Users\Administrator> Get-MailboxComplianceConfiguration
Use this to retrieve the status of the AutoTagging attribute on a mailbox.

PS C:\Users\Administrator> Get-ManagedContentSettings
Use this to retrieve the managed content settings associated with default and custom managed folders.

PS C:\Users\Administrator> Get-ManagedFolder
Use this to retrieve the list of managed folders and their attributes in use in your organization.

PS C:\Users\Administrator> Get-ManagedFolderMailboxPolicy
Use this to retrieve information about the managed folder mailbox policies in use in the organization.

PS C:\Users\Administrator> Get-RetentionPolicy
Use this to retrieve the retention policies, tags associated with the policies, and settings for the policies in use in the organization.

PS C:\Users\Administrator> Get-RetentionPolicyTag
Use this to retrieve the retention policy tags and settings for tags in use in the organization.

PS C:\Users\Administrator> Get-TransportRuleAction
Use this to retrieve the list of all available transport rule actions that can be performed by a transport agent on a Hub Transport or an Edge Transport server.

PS C:\Users\Administrator> Get-TransportRulePredicate
Use this to retrieve the list of all available rule predicates (subject, body, header, etc.) that can be used within a transport rule on a Hub Transport server or an Edge Transport server.

Basic Syntax: Some Common Parameters
In the short space that follows it is not possible to list all of the common parameters for every single object, so the MailboxUser object is used to demonstrate many of the common parameters that are possible in a cmdlet.

-AccountDisabled
Specifies whether to create the MailboxUser in a disabled state.
TIP Resource mailboxes are automatically flagged and do not have to have this switch set manually.

-ActiveSyncMailboxPolicy
Specifies the ActiveSyncMailboxPolicy that will be used for the mailbox.
(If one is not specified, the default policy will be used.)

-Alias
Specifies the email alias of the user for the mailbox that will be created.
(No spaces are allowed in an alias.)

-Confirm
A value of $true for this parameter suspends processing of the command and requires acknowledgement of the command before processing continues.
A value of $false bypasses any screens requiring confirmation before continuing, such as when you wish to delete an object but do not wish to be bothered by an “Are you sure you want to delete this object?” dialog box.

-Database
Specifies in which Exchange database the new user’s mailbox will be created.
Acceptable values include the name of the database and the globally unique identifier (GUID) of the database.

-Discovery
Specifies that the mailbox will be created as a Discovery mailbox.
NOTE Discovery mailboxes are a special type of mailbox created as the target for a Discovery search. A mailbox designated as a Discovery mailbox cannot be repurposed or converted to another type of mailbox.

-DisplayName
Specifies the Windows display name for the new user who is being created.
(This is the name that appears in Active Directory Users and Computers as well as under Recipient Configuration in Exchange Management Console, as well as other places.)

-Equipment
Specifies that the mailbox will be created as a resource mailbox representing a piece of equipment, rather than a conference room (or other facility) or a user account.

-FirstName
Specifies the first name of the user who will be created.

-Force
Specifies whether to suppress warnings and confirmations.
(This is usually used in scripts to bypass events requiring user interaction in order for the command to complete successfully.)

-Initials
Specifies the initials of the user who will be created.

-LastName
Specifies the last name of the user who will be created.

-ManagedFolderMailboxPolicy
Specifies the ManagedFolderMailboxPolicy that will be used for the mailbox.
(If one is not specified, the default policy will be used.)

-ModeratedBy
Specifies the users who are responsible for moderating messages sent to this mailbox.
TIP If more than one moderator is desired, separate the users with commas.

-ModerationEnabled
Specifies whether moderation is enabled for the mailbox.
(To enable moderation, use $true. To disable moderation, use $false. The default value is $false.)

-Name
Specifies the user’s name that will appear in Active Directory Users and Computers.
(This is also the user name that appears in the properties of the recipient.)

-Office
Specifies the Office attribute for this mailbox.

-OrganizationalUnit
Specifies the Organizational Unit (OU) where the user will be created in the Active Directory.

-Phone
Specifies the user’s telephone number.

-PrimarySmtpAddress
Specifies the primary SMTP address of the user’s mailbox.

-RemotePowerShellEnabled
Specifies whether the user has the right to use Remote PowerShell.
NOTE This permission is necessary in order to open Exchange Management Shell or the Exchange Management Console on Mailbox, Client Access, Hub Transport, or Unified Messaging servers.
The default value depends on the management role groups to which the user is assigned.

-ResetPasswordOnNextLogon
Specifies whether the user must reset his or her password the next time he or she logs on.

-ResourceCapacity
Specifies the capacity of the resource, if this mailbox is a room mailbox.

-RetentionPolicy
Specifies the retention policy to be applied to the mailbox being created.
(Retention policies include retention tags that are applied to folders in a user’s mailbox regulating how long items should be retained in the tagged folders.)

-RoleAssignmentPolicy
Specifies the management role assignment policy to be assigned to the mailbox being created.
NOTE This determines what users may do with their mailbox and its contents, as well as whether they may modify their personal information, manage their public group membership, manage their voicemail, and their mobile phone. An assignment policy is created as the default and all existing mailboxes are configured to use the assignment policy unless another is specified.

-Room
Specifies that the mailbox will be created as a resource mailbox representing a conference room or other facility, rather than a piece of equipment or user.

-SamAccountName
Specifies the user logon name. If a SamAccountName is not designated, the Active Directory creates a SamAccountName attribute automatically, based on the User Principal Name (UPN) of the user account.

-Shared
Specifies that the mailbox will be created as a shared mailbox.
NOTE A shared mailbox is a mailbox that allows multiple users to log on to it and is not associated with any of the users who access it. A disabled user account is created for it in Active Directory. This was often used to represent a resource object in previous versions of Exchange Server.

-UserPrincipalName
Specifies the User Principal Name (UPN) for the mailbox.
(Generally, this is the logon name for the user account.)

-WhatIf
The WhatIf switch simulates the actions of the cmdlet without actually applying any changes to Exchange or to the Active Directory.
(By using the WhatIf switch, you can view what changes would occur without risking damage to the Exchange organization. Because using a Get statement alone does not make any changes when you execute a cmdlet, the -WhatIf option is used primarily—and is most valuable—when the Get cmdlet is pipelined to another cmdlet.)

The following example creates a new user and the associated mailbox using a number of the aforementioned attributes.

PS C:\Users\Administrator> New-Mailbox -Name "Leo Weishew" -Alias "Leo" -OrganizationalUnit "romacsign.com/Assemblers" -UserPrincipalName "[email protected]" -SamAccountName "Leo" -FirstName "Leo" -Initials "" -LastName "Weishew" -Password (Read-Host "Enter password" -AsSecureString) -Phone "856-555-1212" -ResetPasswordOnNextLogon $false -Database "AssemblyDB"

This example uses the following attributes from the previous list:
■ -Name
■ -Alias
■ -OrganizationalUnit
■ -UserPrincipalName
■ -SamAccountName
■ -FirstName
■ -Initials
■ -LastName
■ -Password
■ -Phone
■ -ResetPasswordOnNextLogon
■ -Database

NOTE Some of the attributes (such as -SamAccountName and -UserPrincipalName) are mandatory attributes, whereas others (such as -FirstName, -LastName, and -Phone) are optional attributes.

Finding the Right Cmdlet
In this section, you find cmdlets that access the Help features of PowerShell. For example, the Get-Tip cmdlet allows you to view the Tip of the Day, which is a feature that is displayed whenever you launch Exchange Management Shell.

PS C:\Users\Administrator> Get-Command
Retrieves a list of all possible cmdlets available to EMS.

PS C:\Users\Administrator> Get-Command >filepath
Creates a text file in the specified path with all of the possible cmdlets available to EMS.

PS C:\Users\Administrator> Get-Command >C:\Demos\cmdlet_list.txt
Creates a text file in the C:\Demos directory with all of the possible cmdlets available to EMS.

PS C:\Users\Administrator> Get-Command | Measure-Object
Retrieves a list of all possible cmdlets available to EMS and “counts” them with the Measure-Object cmdlet, providing a numerical value as output.

PS C:\Users\Administrator> Get-Command Get-*
Retrieves a list of all possible cmdlets available to EMS that use the verb Get.

PS C:\Users\Administrator> Get-Command Get-*string
Retrieves a list of all possible cmdlets available to EMS that have the string value in the noun position.

PS C:\Users\Administrator> Get-Command Get-*Mailbox
Retrieves a list of all possible cmdlets available to EMS that have Mailbox in the noun position.
The output of this example would include:
Get-CASMailbox
Get-Mailbox
Get-UMMailbox

PS C:\Users\Administrator> Get-Command -Verb string
PS C:\Users\Administrator> Get-Command -Verb New
Retrieves a list of all possible cmdlets using the specified verb (in this case, the New verb).

PS C:\Users\Administrator> Get-ExCommand
Retrieves a list of all possible Exchange cmdlets available to EMS.

PS C:\Users\Administrator> QuickRef
Opens a link to frequently used EMS cmdlets.
The Exchange Management Tools must be installed and the latest version of the Quick Reference Guide must be downloaded from the Microsoft Download Center in order to use this feature.

PS C:\Users\Administrator> Get-Tip
Causes a new Exchange Management Shell “Tip of the Day” to be displayed.
(The Exchange Management Tools must be installed in order to use this feature.)

PS C:\Users\Administrator> Get-ExBlog
Opens a web browser and navigates to the Exchange Team blog site.
(The Exchange Management Tools must be installed in order to use this feature.)

Finding Help for the Right Cmdlet
In this section, you find ways to access Help for specific cmdlets.

PS C:\Users\Administrator> Get-Help
Displays help about Windows PowerShell cmdlets.

PS C:\Users\Administrator> Get-Help cmdlet
PS C:\Users\Administrator> Get-Help New-Mailbox
Displays help about the specific cmdlet for which help is required.
(In this case, help for the New-Mailbox cmdlet.)

PS C:\Users\Administrator> cmdlet -?
PS C:\Users\Administrator> New-Mailbox -?
Displays help about the specific cmdlet for which help is required.
(In this case, it’s help for the New-Mailbox cmdlet. This provides the same information as Get-Help, but does not allow access to advanced help features such as -detailed, -examples, and -full.)

PS C:\Users\Administrator> Get-Help cmdlet -detailed
PS C:\Users\Administrator> Get-Help New-Mailbox -detailed
Displays detailed help about the specific cmdlet for which help is required.
(In this case, it’s detailed help for the New-Mailbox cmdlet.)
See the “What’s Included in Each Version of Help” table that follows.

PS C:\Users\Administrator> Get-Help cmdlet -examples
PS C:\Users\Administrator> Get-Help New-Mailbox -examples
Displays examples for the specific cmdlet for which examples may be required.
(In this case, the examples are for the cmdlet New-Mailbox.)
See the “What’s Included in Each Version of Help” table that follows.

PS C:\Users\Administrator> Get-Help New-Mailbox -full
Displays full help about the specific cmdlet for which help is required.
(In this case, it’s full help for the New-Mailbox cmdlet.)
See the “What’s Included in Each Version of Help” table that follows.

What’s Included in Each Version of Help
The following table details what’s included in each version of Help.

| Help Version | Name | Synopsis | Syntax | Description | Parameters | Inputs/Outputs | Errors | Examples | Related Links | Remarks |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Standard Help | Yes | Yes | Yes | Yes | No | No | No | No | Yes | Yes |
| -Detailed | Yes | Yes | Yes | Yes | Yes (Basic) | No | No | Yes | No | Yes |
| -Examples | Yes | Yes | No | No | No | No | No | Yes | No | No |
| -Full | Yes | Yes | Yes | Yes | Yes (Complete) | Yes | Yes | Yes | Yes | No |

Figure 2-6 shows an example of a Get-Help cmdlet with the -examples option shown.
Figure 2-6 Get-Help cmdlet with -examples option
Using the Tab Completion Feature
If you have not found it already, there is a feature of Exchange Management Shell called Tab Completion (some call it Tab Expansion) that gives you the ability to finish a cmdlet without having to type the entire cmdlet, as shown in the following table.

PS C:\Users\Administrator> Set-M
Type this and press Tab until Set-Mailbox is displayed.

PS C:\Users\Administrator> Set-Mailbox
You should now see this.

PS C:\Users\Administrator> Set-Mailbox -I
Press the spacebar, and then type -I. Press Tab until -Identity is displayed.

PS C:\Users\Administrator> Set-Mailbox -Identity
You should now see this.

PS C:\Users\Administrator> Set-Mailbox -Identity name -I
PS C:\Users\Administrator> Set-Mailbox -Identity Dorothy -I
Add the name for the recipient of the mailbox on which you wish to set a quota, press the spacebar, and then type -I and press Tab until -IssueWarningQuota is displayed.

PS C:\Users\Administrator> Set-Mailbox -Identity Dorothy -IssueWarningQuota
You should now see this.

PS C:\Users\Administrator> Set-Mailbox -Identity name -IssueWarningQuota size -UseDatabaseQuotaDefaults
PS C:\Users\Administrator> Set-Mailbox -Identity Dorothy -IssueWarningQuota 500MB -U
Add the size value for the quota, press the spacebar, and then type -U and press Tab until -UseDatabaseQuotaDefaults is displayed.

PS C:\Users\Administrator> Set-Mailbox -Identity Dorothy -IssueWarningQuota 500MB -UseDatabaseQuotaDefaults
You should now see this.

PS C:\Users\Administrator> Set-Mailbox -Identity Dorothy -IssueWarningQuota 500MB -UseDatabaseQuotaDefaults $false
Add the $false parameter and press Enter.

You’ve just created a very powerful cmdlet with only a little typing!

This also works with file paths in Exchange Management Shell, as shown in the following table.

PS C:\Users\Administrator> cd C:\Pr
If you want to change directories, type cd and only C:\ and the first few letters of the directory and then press Tab until the full directory name Program Files is displayed.

PS C:\Users\Administrator> cd 'C:\Program Files'
You should now see this.

PS C:\Users\Administrator> cd 'C:\Program Files'\M
Type \M and press Tab until the directory Microsoft is displayed.
(Don’t backspace over the quotation mark. It will be moved to the right when you press Tab.)

PS C:\Users\Administrator> cd 'C:\Program Files\Microsoft'
You should now see this.

PS C:\Users\Administrator> cd 'C:\Program Files\Microsoft'\Ex
Type \Ex and press Tab until the directory Exchange Server is displayed.
(Again, don’t backspace over the quotation mark. It will be moved to the right when you press Tab.)

PS C:\Users\Administrator> cd 'C:\Program Files\Microsoft\Exchange Server'
You should now see this.

As you can see, Tab Completion can significantly reduce the amount of typing you have
to do.
In Part II, “Achieving a Comfort Level with PowerShell,” you learn and practice some
advanced techniques for working with PowerShell and EMS. You will explore how
to pipeline, run .ps1 scripts, modify the registry with PowerShell, and customize your
command-line environment. You also begin creating your PowerShell profile.

CHAPTER 3
Advanced Techniques

This chapter provides information and commands concerning the following topics:
■ Working with pipelines
■ Running programs
■ Creating and running scripts
■ Registry modifications with PowerShell
■ Understanding quotes

Working with Pipelines
When you pipeline, you take the output of one cmdlet and use it in a subsequent cmdlet to perform another operation. This simple act ensures that you can string together very simple cmdlets into complex operations. Some of the reasons you may wish to pipeline include the following:
■ You need to pass data from the output of one cmdlet to a subsequent cmdlet.
■ You need to perform multiple actions on one or more Exchange objects without having to do so individually.
■ You need to pass data output between dissimilar nouns.
■ You need the system to report errors or warnings.

You can use pipelining to pass data from the output of one cmdlet to a subsequent cmdlet in order to perform another operation. This operation might work like what’s shown in the following table.

Get-User -OrganizationalUnit OUName | Enable-Mailbox -Database "DatabaseName"

PS C:\Users\Administrator> Get-User -OrganizationalUnit Assemblers | Enable-Mailbox -Database "AssemblyDB"

After acquiring a new assembly plant in Philadelphia, you need to create mailboxes in the AssemblyDB database for all users in the Assemblers OU, which is a child of the Philadelphia OU.
This pipelined cmdlet retrieves a list of all users in the Assemblers OU and passes the result set to the Enable-Mailbox cmdlet, which creates the mailboxes for those users.
In Figure 3-1, you can see that there are two users in the Assemblers OU in Active Directory Users and Computers. However, in Figure 3-2, there are no mailboxes present for these users. Figure 3-3 demonstrates the cmdlet used for creating mailboxes for existing users using a Get-User cmdlet piped to an Enable-Mailbox cmdlet. Finally, in Figure 3-4, you can see that the mailboxes have been created.

Figure 3-1 Users in the Assemblers OU in Active Directory Users and Computers
Figure 3-2 No mailboxes present in the Exchange Management Console for the Assemblers OU users
Figure 3-3 Mailboxes for users in the Assemblers OU created with the Enable-Mailbox cmdlet
Figure 3-4 Mailboxes now present in the Exchange Management Console for the Assemblers OU users

You can also use pipelining to combine several actions. In that way, you can use one
cmdlet to gather the mailboxes for all managers, VPs, and anyone in the Assembly
department in your organization who has an Exchange mailbox and then a second cmdlet
to set multiple quota values on those distinct groups of mailboxes. Performing multiple
actions on Exchange objects might work like what’s shown in the following table.

Get-User -Filter {((Title -like Title1Name) -or (Title -like Title2Name) -or (Department -eq DepartmentName)) -and (RecipientTypeDetails -eq RecipientType)} | Set-Mailbox -IssueWarningQuota size1 -ProhibitSendQuota size2 -ProhibitSendReceiveQuota size3 -UseDatabaseQuotaDefaults $boolean value

PS C:\Users\Administrator> Get-User -Filter {((Title -like "*Manager*") -or (Title -like "*VP*") -or (Department -eq "Assembly")) -and (RecipientTypeDetails -eq "UserMailbox")} | Set-Mailbox -IssueWarningQuota 900MB -ProhibitSendQuota 1GB -ProhibitSendReceiveQuota unlimited -UseDatabaseQuotaDefaults $false

You have very distinct groups of users who need unique quotas applied to their mailboxes. You cannot use a quota at the database level because these users are spread across multiple databases.
All managers, VPs, and users in the Assembly department need these quotas applied to their mailboxes regardless of the server or database where their mailbox is located.
You can combine the collecting of the distinct groups of users with the application of the unique quotas on the mailboxes with a piped cmdlet, as shown.

NOTE You might not know what all of the options in the previous table are just yet,
but use the cmdlets as examples of some of the ways you can perform very complex
tasks using the pipelining capabilities of PowerShell.
You can pipe data between dissimilar nouns. You might find that you want to use the
data from one cmdlet within another cmdlet, but the object types do not match. This can
happen if one cmdlet references one noun (such as by importing information from a .csv
file with an Import-CSV cmdlet, where “CSV” is the noun) and you then want to use
that imported data to create a new user account as well as an Exchange mailbox, which
you can do with the New-Mailbox cmdlet, where “Mailbox” is the noun. Finally, you
might wish to add title and department attributes to the user account (not the mailbox),
which references the “User” noun. Passing data output between dissimilar nouns might
work like what’s shown in the following table.

Import-CSV "C:\filename.csv" | ForEach-Object -Begin {$Pass = ConvertTo-SecureString password -asPlainText -force} -Process {New-Mailbox -Name $_.Name -UserPrincipalName "$($_.UserName)@DomainName" -OrganizationalUnit "OUName" -Database "DatabaseName" -Password $Pass -ResetPasswordOnNextLogon $true | Set-User -Title $_.Title -Department $_.Department}

PS C:\Users\Administrator> Import-CSV "C:\FileFromHR.csv" | ForEach-Object -Begin {$Pass = ConvertTo-SecureString 'Pa$$w0rd' -asPlainText -force} -Process {New-Mailbox -Name $_.Name -UserPrincipalName "$($_.UserName)@DomainName" -OrganizationalUnit "OUName" -Database "DatabaseName" -Password $Pass -ResetPasswordOnNextLogon $true | Set-User -Title $_.Title -Department $_.Department}

You need to import several users from a .csv file given to you by the HR department. The noun initially used is “CSV”.
You then wish to create the user and the mailbox at the same time, but that requires setting a password for each user. You create a password and save it as a secure string, which the Active Directory will accept. You use a variable ($Pass) to store the secure string password. The password literal is single-quoted because PowerShell would otherwise try to expand the $ characters inside a double-quoted string. This involves the New-Mailbox cmdlet, which utilizes the “Mailbox” noun.
Finally, you want to add values to title and department, which are properties of the user, so you need to reference the “User” noun to do that.
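
A variation on the import above that also exercises the -WhatIf and -Confirm parameters described earlier, added here as an example and not taken from the book: each row gets its own random initial password instead of one shared literal, and rows with unusable names are skipped. The function names, the validation pattern, the example.com domain and the sample rows are assumptions.

```powershell
# Added example, not from the book. Function names, the UserName pattern,
# the example.com domain and the sample rows are assumptions.

function New-RandomSecurePassword {
    param([int]$Length = 16)
    # 64 symbols, so (byte % 64) is uniformly distributed over the alphabet.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $chars = foreach ($b in $bytes) { $alphabet[$b % 64] }
        $plain = -join $chars
        # Retry until upper case, lower case and a digit are all present.
    } until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and $plain -match '[0-9]')
    $secure = New-Object System.Security.SecureString
    foreach ($c in $plain.ToCharArray()) { $secure.AppendChar($c) }
    $secure.MakeReadOnly()
    return $secure
}

function New-MailboxFromHrRow {
    # ConfirmImpact = 'High' makes every creation prompt unless the caller
    # passes -Confirm:$false; -WhatIf only reports what would happen.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Row,
        [Parameter(Mandatory = $true)] [string]$DomainName,
        [Parameter(Mandatory = $true)] [string]$OrganizationalUnit,
        [Parameter(Mandatory = $true)] [string]$Database
    )
    process {
        # Reject rows that would create a malformed or unexpected account.
        if ($Row.UserName -notmatch '^[A-Za-z0-9._-]{1,20}$' -or
            [string]::IsNullOrEmpty($Row.Name)) {
            Write-Warning "Skipping row with invalid Name/UserName: '$($Row.UserName)'"
            return
        }
        $upn = "$($Row.UserName)@$DomainName"
        if ($PSCmdlet.ShouldProcess($upn, 'Create mailbox with a unique initial password')) {
            $pass = New-RandomSecurePassword
            New-Mailbox -Name $Row.Name -UserPrincipalName $upn `
                -OrganizationalUnit $OrganizationalUnit -Database $Database `
                -Password $pass -ResetPasswordOnNextLogon $true |
                Set-User -Title $Row.Title -Department $Row.Department
            # Emit the credential so it can be delivered out of band, never logged.
            New-Object PSObject -Property @{ UserPrincipalName = $upn; InitialPassword = $pass }
        }
    }
}

# Constructed sample rows standing in for C:\FileFromHR.csv.
$sample = @'
Name,UserName,Title,Department
Leo Weishew,Leo,Assembler,Assembly
Bad Row,bad user;name,Temp,Assembly
'@ | ConvertFrom-Csv

# With -WhatIf, New-Mailbox is never called, so this runs without Exchange.
$sample | New-MailboxFromHrRow -DomainName 'example.com' -OrganizationalUnit 'OUName' `
    -Database 'DatabaseName' -WhatIf
```

Drop -WhatIf to create the mailboxes; each creation then prompts for confirmation unless -Confirm:$false is passed.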
You can also report errors or warnings though pipelining, which might work like what’s
shown in the following table.
$Name = "Custom Text"
PS C:\Users\Administrator> $Warn = "This is an example of a custom warning that you might create that could provide an onscreen warning when some condition exists."

$Name | Write-Warning
PS C:\Users\Administrator> $Warn | Write-Warning

This illustrates how you could pipe a string to the Write-Warning cmdlet.
You could save the string in a variable, as shown in the first pair of cmdlets, and then pipe the string to Write-Warning, as shown in the second pair of cmdlets.
TIP Pipelining could be used with the Write-Error cmdlet as well.
Running Programs
Unlike cmd.exe, Exchange Management Shell (EMS) can process cmdlets in one of two
ways. It analyzes what you have typed and decides whether it should be interpreted as an
expression (Typing 1 + 1 produces a result of 2 in Expression mode) or as a command,
which works similarly to the way that cmd.exe works. In Command mode, if what you
have typed has no errors, it will be executed. If you begin a line of code with a number,
a quote, or a dollar sign ($), EMS will function in Expression mode. This can be
observed when you type $compute = 1+1 and press Enter . When you subsequently type
$compute and press Enter , the output will be the number “2”.
What if you are interested in running a program and you have defined the variable
$Prog to run it—how can you tell EMS to execute $Prog as a command and not display
it as a value? The use of the ampersand (&) character is how you can do this, as shown
in the following table.
PS C:\Users\Administrator> $Prog = "C:\Windows\System32\calc.exe"
PS C:\Users\Administrator> $Prog
PS C:\Users\Administrator> &$Prog

If you define the variable $Prog as shown in the example, the Windows Calculator will not launch when you subsequently type $Prog , but the result that is displayed will be C:\Windows\System32\calc.exe . EMS is displaying the value of the variable, not executing it.
However, if you type &$Prog , the Windows Calculator will launch successfully.
To run a batch file, you need cmd.exe to launch first, so you could do something like
what’s shown in the following table.
PS C:\Users\Administrator> cmd.exe /c MyTest.bat

Here, /c tells cmd.exe to carry out the command and then terminate. It is not necessary to use & with cmd.exe.
For a VBScript executable, you also need cmd.exe to launch first, so you could do something
like what’s shown in the following table.
PS C:\Users\Administrator> & "cscript.exe" MyVBScript.vbs param1 param2

Because you are launching another executable, & is required.
To run PowerShell scripts from a cmd.exe prompt, you need to use powershell.exe. In
previous versions of PowerShell, you used msh.exe. Powershell.exe is run as shown in
the following table.
PS C:\Users\Administrator> powershell.exe -noexit "C:\MyScripts\MyTest.ps1"

Powershell.exe is the Windows PowerShell executable.
The -noexit switch is an optional parameter that tells the PowerShell console to remain open after the script finishes.
TIP You can use Task Scheduler as you normally would to schedule the running of the script.
TIP If the focus of the cmd.exe prompt is on the same directory that the .ps1 file
resides in, it is not necessary to type the path. Simply type .\ and the name of the .ps1
script, like this: PS C:\Users\Administrator> .\MyTest.ps1 .
This technique will be illustrated in the section that follows.
Creating and Running Scripts
In most cases, you will run individual cmdlets to achieve your desired result, and with
the use of pipelining you can combine cmdlets together to allow for creative results.
However, just like from a Windows command prompt, a single line of code may not
be able to provide you with the ability to do everything you desire. From the Windows
command prompt, it is common to use a .bat file to group multiple commands into a
single file, but that will not work in Exchange Management Shell. But, do not fear.
PowerShell offers support for a scripting language, based on the Microsoft .NET
Framework, and those scripts can be used to automate tasks or run multiple cmdlets
together when pipelining is not appropriate. The Shell lets you create scripts, assign variables
in the scripts, perform looping operations, and use conditional logic in the scripts.
This is all done within a text file using PowerShell cmdlets. When you save the text file
with a .ps1 extension, it is executable from Exchange Management Shell.
By creating your own library of these .ps1 scripts, you can automate tasks and efficiently
run your scripts on any computer that has Exchange Management Shell installed on it.
The following example illustrates how to create a script to perform the five steps necessary
to configure Messaging Records Management.

Create a text file with a .ps1 extension.
In the example that follows, the file will be called C:\Users\Administrator\MRM_Retention.ps1 .

Five steps are involved in configuring Messaging Records Management. This is commonly configured from Exchange Management Console (prior to Service Pack 1) because each step is performed in a unique place and no single cmdlet will perform all five steps. However, in the Console, there is no single wizard that will perform all five steps either. Therefore, you want to create a script to perform all five steps together in a PowerShell script.

New-ManagedFolder -Name "ObjectName" -FolderName "FolderName"
PS C:\Users\Administrator> New-ManagedFolder -Name "Retention" -FolderName "Retention"
Step 1: Create a new managed custom folder.
TIP Name refers to the Exchange name of the object and FolderName refers to the name that the user sees on the folder in his or her mailbox. Many times they will be the same, but both have to be specified.

$AgeLimit = New-TimeSpan -Day ValueInDays
PS C:\Users\Administrator> $AgeLimit = New-TimeSpan -Day 1100
Create a variable to use in step 2.
TIP The example uses $AgeLimit , but any name could be used for the variable.
NOTE This is not normally a step required for Messaging Records Management. The example that was chosen requires a variable, and this provides the necessary variable for step 2.

New-ManagedContentSettings -Name "ContentSettingsName" -FolderName "FolderName" -MessageClass "MessageClassType" -RetentionEnabled $boolean value -AgeLimitForRetention $AgeLimit -RetentionAction RetentionActionType
PS C:\Users\Administrator> New-ManagedContentSettings -Name "Retention Settings for Retention Folder" -FolderName "Retention" -MessageClass * -RetentionEnabled:$true -AgeLimitForRetention $AgeLimit -RetentionAction PermanentlyDelete
Step 2: Create managed content settings for the 3 Year Retention Folder, which permanently deletes all items after 3 years or 1,100 days.

New-ManagedFolderMailboxPolicy -Name "PolicyName" -ManagedFolderLinks "Folder(s)ToBeLinkedToPolicy"
PS C:\Users\Administrator> New-ManagedFolderMailboxPolicy -Name "Executives Mailbox Policy" -ManagedFolderLinks "Retention"
Step 3: Create a managed folder mailbox policy.

Set-Mailbox -Identity MailboxUsername -ManagedFolderMailboxPolicy "PolicyName"
PS C:\Users\Administrator> Set-Mailbox -Identity Administrator -ManagedFolderMailboxPolicy "Executives Mailbox Policy"
Step 4: Apply the managed folder mailbox policy to a mailbox.

PS C:\Users\Administrator> $ServerName = cmd /c echo %computername%
PS C:\Users\Administrator> Set-MailboxServer -ID $ServerName -ManagedFolderAssistantSchedule "Schedule"
PS C:\Users\Administrator> Set-MailboxServer -ID $ServerName -ManagedFolderAssistantSchedule "Sun.12:00-Sun.11:00"
Step 5: Schedule the Managed Folder Assistant to run each day.
TIP $ServerName defines a variable with the name of the server as the value of the variable.

PS C:\Users\Administrator> Start-ManagedFolderAssistant
Alternate step 5: Start the Managed Folder Assistant manually.

# Step 1: Create a new managed custom folder.
New-ManagedFolder -Name "Retention" -FolderName "Retention"
# Create a variable, "$AgeLimit," to use in Step Number 2.
$AgeLimit = New-TimeSpan -Day 1100
# Step 2: Create managed content settings for the 3 Year Retention Folder that
# permanently deletes all items after 3 years or 1100 days.
New-ManagedContentSettings -Name "Retention Settings for Retention Folder" -FolderName "Retention" -MessageClass * -RetentionEnabled:$true -AgeLimitForRetention $AgeLimit -RetentionAction PermanentlyDelete
# Step 3: Create a managed folder mailbox policy.
New-ManagedFolderMailboxPolicy -Name "Executives Mailbox Policy" -ManagedFolderLinks "Retention"
# Step 4: Apply the managed folder mailbox policy to a mailbox.
Set-Mailbox -Identity Administrator -ManagedFolderMailboxPolicy "Executives Mailbox Policy"
# Step 5: Start the Managed Folder Assistant manually.
Start-ManagedFolderAssistant

The completed script with all steps combined in a file.
The # sign indicates a remark, and that line will not be executed.
Save this file with a name such as C:\Users\Administrator\MRM_Retention.ps1 .
TIP There is no need to use the path in each step of the script when you run it from within the .ps1 file.
NOTE The .ps1 file in the previous example could be created with Notepad.exe or any
text editor. It does not have to be created from within EMS.
PS C:\Users\Administrator> .\MRM_Retention.ps1
Run the script as shown in Figure 3-5 .
Figure 3-5 Running the MRM_Retention.ps1 script created in the example
Figures 3-6 , 3-7 , 3-8 , and 3-9 show the results after the script has been run.
Figure 3-6 Custom folder and content settings on a folder viewed from the Exchange
Management Console
Figure 3-7 Managed folder mailbox policy viewed from the Exchange Management
Console
Figure 3-8 Executives mailbox policy linked to a user, as viewed from the Exchange
Management Console
Figure 3-9 Retention folder viewed on user’s Outlook Web App client
Registry Modifications with PowerShell
It is very easy to modify the registry of a server by using Exchange Management Shell
and the Set-ItemProperty cmdlet. Performing the registry change from within Exchange
Management Shell means that you can incorporate the change into a .ps1 script, and you
can also pipeline it to multiple servers as needed. You must have permission to make
this change or your attempt will fail. The examples in the following table illustrate how
to change the timeout values for the OWA cookies used by forms-based authentication
on a Client Access Server.
NOTE Changes made to the Windows registry happen immediately. Do not edit the
Windows registry with Exchange Management Shell or any other registry-editing program
unless you are confident about doing so. It is especially dangerous doing this in
PowerShell because of the potential for typographical errors.
Use the following cmdlets at your own risk.

Set-ItemProperty RegistryPath -Name TimeoutType -Value TimeInMinutes -Type RegistryValueType
PS C:\Users\Administrator> Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA" -Name PrivateTimeout -Value 360 -Type Dword
This example sets the Private Computer cookie timeout value to 360 minutes, or 6 hours, for the Outlook Web App client.
NOTE The default value for the Private Computer cookie timeout is 720 minutes, or 12 hours.

Set-ItemProperty RegistryPath -Name TimeoutType -Value TimeInMinutes -Type RegistryValueType
PS C:\Users\Administrator> Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA" -Name PublicTimeout -Value 30 -Type Dword
This example sets the Public Computer cookie timeout value to 30 minutes for the Outlook Web App client.
NOTE The default value for the Public Computer cookie timeout is 15 minutes.
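Because a mistyped path or value name fails silently or writes the wrong value, it helps to wrap the change in functions that validate the input and read the value back. The following is an added example, not from the book: the key path, the value names and the defaults are the ones given on this page, while the function names, the 1 to 43200 minute sanity range and the HKCU demo key are assumptions.

```powershell
# Added example (not from the book). Function names, the allowed range and
# the demo key under HKCU are assumptions made for illustration.
$OwaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'

function Get-OwaCookieTimeout {
    param([string]$Path = $OwaKey)
    # Defaults stated on this page; they apply when no value has been set.
    $defaults = @{ PrivateTimeout = 720; PublicTimeout = 15 }
    foreach ($name in 'PrivateTimeout', 'PublicTimeout') {
        $item = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $set  = ($item -ne $null) -and ($item.$name -ne $null)
        New-Object PSObject -Property @{
            Name     = $name
            Minutes  = $(if ($set) { [int]$item.$name } else { $defaults[$name] })
            Explicit = $set      # $false means the default is in effect
        }
    }
}

function Set-OwaCookieTimeout {
    param(
        [string]$Path = $OwaKey,
        # ValidateSet rejects a mistyped value name before anything is written.
        [Parameter(Mandatory = $true)]
        [ValidateSet('PrivateTimeout', 'PublicTimeout')]
        [string]$Name,
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 43200)]
        [int]$Minutes
    )
    if (-not (Test-Path $Path)) { throw "Registry key not found: $Path" }
    $before = (Get-OwaCookieTimeout -Path $Path |
               Where-Object { $_.Name -eq $Name }).Minutes
    Set-ItemProperty -Path $Path -Name $Name -Value $Minutes -Type DWord
    # Read the value back so that a failed or misdirected write is noticed.
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($after -ne $Minutes) { throw "$Name read back as $after, expected $Minutes" }
    New-Object PSObject -Property @{ Name = $Name; Before = $before; After = $after }
}

# Constructed demo key, so the functions can be tried without touching a
# Client Access Server. Omit -Path to work on the real OWA key.
$demo = 'HKCU:\Software\OwaTimeoutDemo'
New-Item -Path $demo -Force | Out-Null
Get-OwaCookieTimeout -Path $demo | Format-Table Name, Minutes, Explicit -AutoSize
Set-OwaCookieTimeout -Path $demo -Name PublicTimeout -Minutes 30 |
    Format-Table Name, Before, After -AutoSize
Set-OwaCookieTimeout -Path $demo -Name PrivateTimeout -Minutes 360 |
    Format-Table Name, Before, After -AutoSize
Get-OwaCookieTimeout -Path $demo | Format-Table Name, Minutes, Explicit -AutoSize
Remove-Item -Path $demo -Recurse
```

The Before and After columns give a record of each change that can be kept with the change ticket.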
Understanding Quotes
PowerShell uses four different types of quotes. As an administrator, you are most interested
in single ordinary and double ordinary quotes. A developer would be more interested
in the here-strings. The four types of quotes are explained in the following table.

Single ordinary quotes:
$a="Champs"
'World $a' => World $a
In single quotes, variable names are not expanded and escape sequences are not interpreted.

Double ordinary quotes:
$a="Champs"
"World $a" => World Champs
Inside double quotes, variable names are replaced with their values and PowerShell escape sequences are interpreted.

Single here-strings:
$b="Two"
$x = @'
"
Easy as
One $b
Three !
"
'@
$x produces:
"
Easy as
One $b
Three !
"
In single here-strings, variable names are not expanded and escape sequences are not interpreted. A single here-string begins with @' and ends with '@ .
PowerShell here-strings are similar to here-documents in Perl.

Double here-strings:
$b="Two"
$x = @"
"
Easy as
One $b
Three !
"
"@
$x produces:
"
Easy as
One Two
Three !
"
Inside double here-strings, variable names are replaced with their values and PowerShell escape sequences are interpreted. A double here-string begins with @" and ends with "@ .
PowerShell here-strings are similar to here-documents in Perl.
CHAPTER 4
Customizing the PowerShell Environment
This chapter provides information and commands concerning the following topics:
■ Creating and using PowerShell profiles
■ Using built-in aliases
■ Working with user-defined aliases
■ Filtering output
■ Formatting output
Creating and Using PowerShell Profiles
You have begun to create your own aliases, variables, and possibly even some functions,
and you might be frustrated by the fact that they are only available in the current
Exchange Management Shell (EMS) session. When you close the session, your customized
settings are lost. This is because your custom-defined objects and their definitions
exist and are stored only in memory on the system you are working on. If you would
like to have them available in any session, you need to create a PowerShell profile script
that utilizes a .ps1 file.
As shown in the following table, the profile type is defined by where it is stored in the
Windows file system.

%windir%\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
Here is the location of the PowerShell profile script that affects all users. It is available to all users on an Exchange server or administrator’s workstation that has the Exchange Management Tools installed on it. If no profile exists in that directory, the user receives the default profile.
NOTE This does not imply that all users will have permission to run everything in the profile simply because they have access to the profile.

%userprofile%\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
Here is the location of the PowerShell profile script that affects only the current user. It is available only to the user who is logged on to an Exchange server or an administrator’s workstation that has the Exchange Management Tools installed on it.

When you start EMS, it checks these two locations on the server or workstation on
which it has been started and loads the Microsoft.PowerShell_profile.ps1 profile files,
if any are located. The one for all users is loaded first and then the current user profile
file is loaded, if both are present. Usually, you would put the customizations that several
users require in the System32 location and the customizations that only you require
in the current user profile location. To create your own current user profile file, open
Notepad and use the New-Item cmdlet as shown in the following table.
PS C:\Users\Administrator> New-Item -Path $profile -ItemType File -Force
Creates the profile file for the current user, as shown in Figure 4-1 .
Figure 4-1 Creating the PowerShell profile file
The profile that has been created is shown in the following table.

PS C:\Users\Administrator> $profile
By typing the variable $profile , you can validate that the profile has been successfully created.
TIP This variable is built in to Exchange Management Shell (PowerShell) and always points to the path for the current user.

PS C:\Users\Administrator> Notepad $profile
Opens the PowerShell profile file in Notepad.
Figure 4-2 shows the execution of this command as well as a completed PowerShell profile file. Save the Notepad file, relaunch Exchange Management Shell, and all of your “shortcuts” are loaded into memory and are ready to go.
Figure 4-2 Opening the PowerShell profile file and adding your custom settings
As shown in Figure 4-2 , three types of settings have been configured: aliases, functions,
and variables. There is no denying the fact that Exchange Management Shell requires a
good deal of typing unless you have created one or more scripts. For that and other reasons,
you are able to create aliases, functions, and variables and then incorporate them
into your PowerShell profile.
Alias:
PS C:\Users\Administrator> Set-Alias GetDB Get-MailboxDatabase
An alias does two things for you. It reduces the amount of repetitive typing required and it decreases the number of typos that occur.
You might want to create your own aliases and make them available whenever you launch EMS.
This example demonstrates one custom administrator-defined alias. Whenever the administrator needs a list of all the mailbox databases in the organization, he or she need only type getdb from a PS prompt, as shown in Figure 4-3 .
Figure 4-3 Using a custom administrator-defined alias

Function:
Function Get-MyMailbox
{
param($Name)
Get-Mailbox $Name | Format-List Name, Database, OrganizationalUnit, IssueWarningQuota
}
A function is a block of code that is given a name. When you run a function, you need only type the function name. The code is defined in your profile file.
Functions can be very basic, such as this example, or as complex as an application.
Like cmdlets, functions can have parameters. The function can return values that can be displayed, assigned to variables, or even passed to other functions or cmdlets.
PowerShell 2.0 greatly enhances functions with the use of advanced functions .
Without using a function, this very simple verb-noun combination ( Get-Mailbox ) would be easy enough to type if it weren’t for the large number of parameters used.
These extensive parameters would require a lot of typing every time you wanted to retrieve this information. By creating a function, you can simply type Get-MyMailbox whenever you need to retrieve the updated information, as shown in Figure 4-4 .
TIP If you try this function, notice that Get-MyMailbox will autocomplete when you type Get-M and press the Tab key after the function has been defined.
Figure 4-4 Using a custom function

Variables:
$SquareNumber1 = [int]1
$SquareNumber2 = [int]4
$SquareNumber3 = [int]9
$SquareNumber4 = [int]16
$SquareNumber5 = [int]25
A variable is a place for storing data. PowerShell
(and other programming languages) not only can
store text strings and numeric data, but also objects.
When you define a variable (whether you define
it from the PowerShell profile or just type it from
a PS prompt), you place a $ before its name. This
helps distinguish between what’s a variable and
what’s an alias or function.
When you open Exchange Management Shell, a
number of variables are automatically defined.
By including variables in your profile, you make
them available from wherever you access the
Exchange Management Shell, as shown in Figure 4-5 .
Figure 4-5 Using custom variables
The following table shows the Administrator’s PowerShell profile with all of the preceding
aliases, functions, and variables defined. Create it as a .txt file and save it with a .ps1
extension.

# This is the Administrator's PowerShell Profile.
# It was created on 9/23/2010 and most recently, it was modified on 10/4/2010.
# These are my Aliases:
Set-Alias GetDB Get-MailboxDatabase
# These are my Functions:
Function Get-MyMailbox
{
param($Name)
Get-Mailbox $Name | Format-List Name, Database, OrganizationalUnit, IssueWarningQuota
}
# These are my Variables:
$SquareNumber1 = [int]1
$SquareNumber2 = [int]4
$SquareNumber3 = [int]9
$SquareNumber4 = [int]16
$SquareNumber5 = [int]25

The example here shows the complete PowerShell profile, including all remarks, indicated by the # symbol.
Most profiles are much more complex. This example attempts to illustrate how easy a PowerShell profile is to create.
The complexity of the profile comes from what you put into the .ps1 file.
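Because profile scripts run automatically at every shell start, and the all-users profile runs for everyone who opens the shell on that machine, it is worth checking which profile files exist and who is able to modify them. The following is an added example, not from the book; the function name and the list of identities treated as expected writers are assumptions.

```powershell
# Added example (not from the book). The function name and the $trusted
# list are assumptions; adjust the list to your own administration model.
function Get-ProfileAudit {
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
               'NT SERVICE\TrustedInstaller', $me
    # Rights that allow the file to be changed, replaced or re-permissioned.
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    # Listed in load order: all-users profiles first, then the current user's.
    foreach ($kind in 'AllUsersAllHosts', 'AllUsersCurrentHost',
                      'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
        $path   = $profile.$kind
        $exists = Test-Path -Path $path
        $others = @()
        if ($exists) {
            $others = @((Get-Acl -Path $path).Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band $write) -and
                    ($trusted -notcontains $_.IdentityReference.Value)
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Select-Object -Unique)
        }
        New-Object PSObject -Property @{
            Profile      = $kind
            Path         = $path
            Exists       = $exists
            OtherWriters = ($others -join ', ')   # empty when only trusted identities can write
        }
    }
}

Get-ProfileAudit | Format-List Profile, Path, Exists, OtherWriters
```

A non-empty OtherWriters entry on an all-users profile means an account outside the expected list can change a script that runs in every administrator's session on that machine.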
Using Built-in Aliases
A number of aliases come built in. For example, when you type ft , you are actually
using an alias that maps to the cmdlet Format-Table . You don’t need to include any
built-in aliases in your PowerShell profile file. You already have access to them even if
you are not using a PowerShell profile.
PS C:\Users\Administrator> Get-Alias
PS C:\Users\Administrator> Get-Alias | Measure
This cmdlet allows you to view the list of the built-in aliases included with Exchange Management Shell.
There are 139 built-in aliases in Exchange Management Shell in the RTM version of Exchange 2010. The second example will count them for you. (Note the use of an alias to count the number of aliases. Measure is an alias for Measure-Object .)
Although not a complete list, the following table shows some of the more frequently
used built-in aliases.
NOTE In the following table, some of the aliases use symbols (such as % ) rather than
abbreviations.
Alias     Cmdlet            Alias     Cmdlet
%         ForEach-Object    gci       Get-ChildItem
?         Where-Object      gcm       Get-Command
cd        Set-Location      gl        Get-Location
chdir     Set-Location      gm        Get-Member
clc       Clear-Content     gsv       Get-Service
clear     Clear-Host        gv        Get-Variable
cls       Clear-Host        gwmi      Get-WmiObject
clv       Clear-Variable    ipal      Import-Alias
compare   Compare-Object    ipcsv     Import-Csv
copy      Copy-Item         kill      Stop-Process
cp        Copy-Item         list      Format-List
cpi       Copy-Item         lp        Out-Printer
del       Remove-Item       ls        Get-ChildItem
diff      Compare-Object    md        mkdir
dir       Get-ChildItem     measure   Measure-Object
echo      Write-Output      move      Move-Item
epal      Export-Alias      nal       New-Alias
epcsv     Export-Csv        nv        New-Variable
erase     Remove-Item       pwd       Get-Location
fc        Format-Custom     sal       Set-Alias
fl        Format-List       set       Set-Variable
foreach   ForEach-Object    si        Set-Item
ft        Format-Table      sl        Set-Location
fw        Format-Wide       sv        Set-Variable
gal       Get-Alias         table     Format-Table
                            write     Write-Output
Working with User-Defined Aliases
User-defined aliases stored in your PowerShell profile will be quite handy when it is
necessary to perform repetitive tasks. Let’s say you need to run the following three
reports each week. All three reports use the Get-MailboxStatistics cmdlet. Because
the parameters in each report are fairly long to type and the required attributes do not
autocomplete when you press the Tab key, this can become quite tedious. Look at the
amount of typing that would be required to generate these reports each week.
PS C:\Users\Administrator> Get-Mailbox | Get-MailboxStatistics -IncludeMoveHistory | Where {$_.LastLogonTime -lt (get-date).AddDays(-100)} | fl DisplayName, LastLogonTime, LastLoggedOnUserAccount, ServerName, MoveHistory
One frequently required and requested report that you might need is a list of all mailboxes that haven’t been accessed in the last X days. (In the example, 100 days is used as the value.) But here is a wrinkle: You also need to see whether the mailbox has been moved during that time.
The output of this cmdlet is shown in Figure 4-6 .

PS C:\Users\Administrator> Get-Mailbox | Get-MailboxStatistics | Where {$_.LastLogonTime -eq $null} | fl DisplayName, LastLogonTime, LastLoggedOnUserAccount, ServerName
At the same time, you also might need a list of all mailboxes that have never been logged on to before.

PS C:\Users\Administrator> Get-Mailbox | Get-MailboxStatistics | Where {$_.DisconnectDate -gt (get-date).AddDays(-14)} | fl DisplayName, ServerName, DatabaseName, TotalItemSize
You may also have to run a report detailing all mailboxes that have been disabled in the past 14 days. In this example, you want to know what server the mailboxes are located on, in which databases they reside, and the amount of data in each mailbox.

Figure 4-6 Mailboxes that haven’t been accessed in past 100 days
You could cut and paste these from Notepad, but there is an easier way. Create a short
user-defined name for each of your three reports, as shown in the following table. Because
Set-Alias can map a name only to a single cmdlet, without parameters or a pipeline, each
report is defined here as a function that you then call by its short name.

PS C:\Users\Administrator> Function NoAccess100 {Get-Mailbox | Get-MailboxStatistics -IncludeMoveHistory | Where {$_.LastLogonTime -lt (get-date).AddDays(-100)} | fl DisplayName, LastLogonTime, LastLoggedOnUserAccount, ServerName, MoveHistory}
NoAccess100

PS C:\Users\Administrator> Function NeverLoggedOn {Get-Mailbox | Get-MailboxStatistics | Where {$_.LastLogonTime -eq $null} | fl DisplayName, LastLogonTime, LastLoggedOnUserAccount, ServerName}
NeverLoggedOn

PS C:\Users\Administrator> Function DisconnectedPast14 {Get-Mailbox | Get-MailboxStatistics | Where {$_.DisconnectDate -gt (get-date).AddDays(-14)} | fl DisplayName, ServerName, DatabaseName, TotalItemSize}
DisconnectedPast14

Isn’t it nice to know that you don’t have to type these three long cmdlets each and every
week? Simply type the names shown after each definition once they have been properly defined.
TIP Put these definitions in your PowerShell profile and they will be available from wherever
you need to run them.
Filtering Output
With Exchange Management Shell, you get what you ask for. You want to request only
the data you are required to work with and do not want to retrieve unneeded data, as
shown in the following tables.
PS C:\Users\Administrator> Get-Mailbox
For example, this cmdlet retrieves a list of all users in your organization with Exchange mailboxes.
If you have 50 users, this may be what you need to retrieve. But, what if you have 50,000 users? There’s not much chance that this cmdlet executed without any filtering will produce meaningful results in a large environment.

PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit RomacSign.com/Sales
PS C:\Users\Administrator> Get-Mailbox -Server Romac-EX2
PS C:\Users\Administrator> Get-Mailbox -Database Executives
PS C:\Users\Administrator> Get-Mailbox -RecipientTypeDetails LegacyMailbox
You need to find ways to reduce the amount of data to be retrieved.
Here are some basic options for doing that:
-OrganizationalUnit filters by Active Directory OU.
-Server filters by Exchange server object.
-Database filters by Exchange database.
-RecipientTypeDetails filters by the type of recipient.
TIP LegacyMailbox recipients are those recipients from Exchange 2000/2003. This can be helpful when you are moving recipients from Exchange 2000/2003 to 2010.

PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit RomacSign.com/Sales
PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit RomacSign.com/Sales -Server Romac-EX2
How can filtering be put to practical use?
Suppose you have just migrated to a new storage area network (SAN). You want to increase the quotas on your sales peoples’ mailboxes, but right now, you only want to increase quotas for sales people with mailboxes on Romac-EX2.
The problem is that no specific collection or group includes only sales people with mailboxes on Romac-EX2.
If you execute the first cmdlet, with only the -OrganizationalUnit parameter, all sales peoples’ mailboxes will be returned, as shown in Figure 4-7 .
No problem. Add the -Server parameter as shown in the second cmdlet. Figure 4-7 also shows the results returned when the second attribute is added.
Figure 4-7 Filtering with and without the -Server attribute

PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit RomacSign.com/Sales -Server Romac-EX2 | Set-Mailbox -ProhibitSendQuota 200MB
By adding the pipe character and using the Set-Mailbox cmdlet with the -ProhibitSendQuota attribute, you can easily achieve your goal, as shown in Figure 4-8 .
Moe’s mailbox’s ProhibitSendQuota has been increased to 200MB. (Moe is the only sales person with a mailbox on Romac-EX2.)
Figure 4-8 Setting the ProhibitSendQuota attribute on the desired mailboxes
Formatting Output
Exchange Management Shell uses predefined output modes to display data from the
command line. However, you are not limited to those modes. For example, if you issue a
Get-Mailbox cmdlet, four columns will be displayed in a table as the output.
Name           Alias   ServerName   ProhibitSendQuota
Larry Fine     Larry   romac-ex1    unlimited
Moe Howard     Moe     romac-ex1    unlimited
Curly Howard   Curly   romac-ex1    unlimited
If you only need to view the mailboxes in your organization, this may be sufficient.
However, it is not very likely that those four columns are exactly the columns you would
like to retrieve. For example, if you only have a single Exchange server, the ServerName
column has little significance for you. Every mailbox will have the same value for
ServerName, as is the case with romac-ex1 in the previous table.
Also, if you are not using quotas, the ProhibitSendQuota column is not relevant for you
either. In a single-server environment, the following cmdlet might make more sense.
PS C:\Users\Administrator> Get-Mailbox | Format-Table Name, Database, PrimarySMTPAddress, OrganizationalUnit, IsResource
Formatted this way, you can see the Name and Database attributes, along with three other important attributes that you might wish to view. But now, the problem is that because there are five columns (which will not fit entirely on the screen), the data is truncated, as shown in the next table.
The output doesn’t look very attractive and sometimes important information will be
truncated, as shown in the following table.

Name           Database          PrimarySMTPAddress   OrganizationalUnit   IsResource
Larry Fine     AssemblyDB        larry@romacsig...    romacsign.com/...    false
Moe Howard     ManufacturingDB                        romacsign.com/...    false
Curly Howard   OfficeDB          curly@romacsig...    romacsign.com/...    false

Try it again with Autosize . With the Autosize parameter, Exchange Management Shell
will calculate the maximum number of columns that can be displayed without truncating
the data.
PS C:\Users\Administrator> Get-Mailbox | Format-Table Name, Database, PrimarySMTPAddress, OrganizationalUnit, IsResource -Autosize
Try the same cmdlet with the Autosize option.
The output looks much better now, as shown in the following table.

Name           Database          PrimarySMTPAddress    OrganizationalUnit            IsResource
Larry Fine     AssemblyDB        larry@romacsign.com   romacsign.com/Assembly        false
Moe Howard     ManufacturingDB                         romacsign.com/Manufacturing   false
Curly Howard   OfficeDB          curly@romacsign.com   romacsign.com/Office          false

TIP You can also use the -Wrap option to have the output scroll to the next line
onscreen.
Sometimes formatting the output in a table just doesn’t make sense. If you need to
view many attributes, for instance, formatting the output as a table would not make
sense. Also, if the order of the output is important, formatting as a list can help. Use the
Format-List option to make all attributes accessible from one output screen in the order
you designate.
PS C:\Users\Administrator> Get-Mailbox -Identity Moe | Format-List Name, Database, PrimarySMTPAddress, OrganizationalUnit, IsResource, ProhibitSendQuota, IssueWarningQuota
    This cmdlet is the same as the previous one, with two additional attributes. The output is formatted as a list instead of as a table (see Figure 4-9).
Figure 4-9 Formatting the output as a list
TIP There is also a Format-Wide option. The Format-Wide (or fw) option allows you to retrieve single-item data and display that data in multiple columns. By default, Format-Wide displays data in two columns, but you can specify more with the columns option.
You can also output to a file if that information must be exported. The file could be a
.txt file, a .csv file, an .xml file, or even an .html file. The following examples illustrate
how to take output from the cmdlet and write it to the appropriate type of file.
PS C:\Users\Administrator> Get-Mailbox -Identity Moe | Format-List Name, Alias, Database, PrimarySMTPAddress, OrganizationalUnit, IsResource, ProhibitSendQuota, IssueWarningQuota | Out-File -FilePath C:\Demos\moe.txt
    Outputting data to a .txt file.
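PS C:\Users\Administrator> Get-Service | Export-CSV C:\Users\Administrator\services.csv
    Outputting data to a .csv file. Export-CSV takes the service objects directly; output that has passed through a Format- cmdlet is formatting data and does not export as usable columns.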
PS C:\Users\Administrator> Get-Service | ConvertTo-Html -Property Name, Status | ForEach { if ($_ -like "*<td>Running</td>*") { $_ -replace "<tr>", "<tr bgcolor=green>" } else { $_ -replace "<tr>", "<tr bgcolor=red>" } } > C:\Users\Administrator\service_red_alert.html
    Outputting data to an .html file.
You might think you could open the file you just created with an Open-File cmdlet, but
no such cmdlet exists. You may either use the Get-Content cmdlet to view the content
or use the appropriate application (such as Notepad.exe or Microsoft Internet Explorer)
as shown in the following table.
PS C:\Users\Administrator> Get-Content "C:\Demos\moe.txt"
or
PS C:\Users\Administrator> Notepad "C:\Demos\moe.txt"
    Viewing the content or opening the .txt file.
PS C:\Users\Administrator> Get-Content "C:\Users\Administrator\services.csv"
    Viewing the content of the .csv file.
    NOTE You can open the file in Microsoft Excel, but that will require writing a script to do so. Several examples of such a script can be found on the Web, but that borders on development, and this book is written primarily for administrators.
PS C:\Users\Administrator> Get-Content C:\Users\Administrator\service_red_alert.html
or
PS C:\Users\Administrator> Invoke-Item C:\Users\Administrator\service_red_alert.html
    Viewing the content or opening the .html file in Internet Explorer.
CHAPTER 5
Standard Deployments
This chapter provides information and commands concerning the following topics:
■ Deploying prerequisites for all versions of Exchange Server 2010 on Windows Server 2008 operating systems
■ Deploying prerequisites for Exchange Server 2010 RTM (Release-to-Manufacturing) on Windows Server 2008 SP2
■ Deploying prerequisites for Exchange Server 2010 RTM on Windows Server 2008 SP2
■ Deploying prerequisites for Exchange Server 2010 RTM on Windows Server 2008 R2
■ Deploying prerequisites for Exchange Server 2010 SP1 on Windows Server 2008 R2
■ Setup options for Exchange Server 2010 RTM
■ Upgrading from Exchange Server 2010 RTM to SP1
■ Using the Exchange 2010 Deployment Assistant
Deployments of Exchange Server 2010 are not performed using Windows PowerShell cmdlets; however, the installation of the prerequisites can now be facilitated using PowerShell on Windows Server 2008 R2. Even with simple deployments, there are different scenarios for installing prerequisites, depending on the operating system and version of Exchange Server.
Before installing Exchange 2010, you must ensure that the domain functional level of every domain and the forest functional level have been raised to at least 2003 mode. The server holding the Schema Master FSMO (Flexible Single Master Operation) role must be running at least Windows Server 2003 SP1.
Deploying Prerequisites for All Versions of Exchange Server 2010 on Windows Server 2008 Operating Systems
The following table details the prerequisites for Exchange Server 2010.
Microsoft .NET Framework 3.5 Service Pack 1 (SP1).
    Microsoft .NET Framework 3.5 Service Pack 1 is a full cumulative update that incorporates elements from .NET Framework 2.0, 3.0, and 3.5.
Windows Remote Management (WinRM) 2.0.
    WinRM is the Microsoft implementation of WS-Management Protocol. The WS-Management Protocol specification provides a common way for systems to access and exchange management information across an IT infrastructure.
Windows PowerShell V2 (Windows6.0-KB968930.msu).
    As discussed previously, Windows PowerShell V2 provides significant improvements, features, and options over Windows PowerShell V1. You must uninstall PowerShell 1.0 (if present) to install V2.
If your Exchange server will be hosting either the Mailbox or Hub Transport role, you will need to install the Microsoft Filter Pack, as shown in Figure 5-1.
    On Exchange 2010 RTM, you can meet this prerequisite by installing 2007 Office System Converter: Microsoft Filter Pack. It is recommended that you upgrade to Microsoft Office 2010 Filter Packs. In SP1 this requirement has been changed. The Office 2010 Filter Pack is now required.
Figure 5-1 Microsoft Filter Pack installation
Deploying Prerequisites for Exchange Server 2010 RTM (Release-to-Manufacturing) on Windows Server 2008 SP2
The prerequisites for Exchange Server 2010 RTM on Windows Server 2008 SP2 are
presented in the following table for completeness, but it is highly suggested that you
install Exchange Server on Windows Server 2008 R2. With each new operating system
or Exchange service pack, the prerequisite installation becomes easier.
Microsoft .NET Framework 3.5 Family Update for Windows Vista x64, and Windows Server 2008 x64 updates
    Resolves a set of known application compatibility issues with Microsoft .NET Framework 3.5 Service Pack 1.
Microsoft Knowledge Base article 977624 update
    AD RMS (Active Directory Rights Management Services) clients do not authenticate federated identity providers in Windows Server 2008 or in Windows Vista. Resolves the issue of AD RMS features that may stop working without this update.
Microsoft Knowledge Base article 982867 hotfix
    Resolves the issue of Windows Communication Foundation (WCF) services that are hosted by computers together in a Network Load Balancing (NLB) cluster that can fail in .NET Framework 3.5 SP1 without this hotfix.
Microsoft Knowledge Base article 979744 update
    Resolves the issue of a .NET Framework 2.0–based Multi-AppDomain application that may stop responding when you run the application.
Microsoft Knowledge Base article 979917 update
    Resolves issues that can occur when you deploy an ASP.NET 2.0–based application on a server that is running IIS 7.0 or IIS 7.5 in Integrated mode.
Microsoft Knowledge Base article 973136 update
    Resolves the issue of an exception error message that can occur when a .NET Framework 2.0 SP2–based application tries to process a response with zero-length content to an asynchronous ASP.NET Web Service request: “Value cannot be null”.
Microsoft Knowledge Base article 977592 update
    Resolves the issue of RPC over HTTP clients that cannot connect to the Windows Server 2008 RPC over HTTP servers that have RPC load balancing enabled.
Deploying Prerequisites for Exchange Server 2010 RTM on Windows Server 2008 SP2
NOTE These are not PowerShell cmdlets. You must launch a command prompt with elevated permissions and navigate to the \Setup\ServerRoles\Common folder on the Exchange 2010 installation media. From there, you would type the following commands at a command prompt (each line is a separate command) to install the necessary operating system components.
The following table shows how the command-line version of Server Manager is used to
install Exchange Server 2010 prerequisites on Windows Server 2008 platforms.
sc config NetTcpPortSharing start= auto
ServerManagerCmd -ip Exchange-Typical.xml -Restart
    NET.TCP Port Sharing Service is manual, by default, so you must set it to Automatic start and then start the service. The first command does this using the Service Control Manager (sc) command. For a server that will have the Typical installation of Client Access, Hub Transport, and the Mailbox role, the second command will use the appropriate .xml file to install the necessary prerequisites.
    NOTE The ip stands for inputpath and must be followed by an .xml file.
    TIP The -Restart switch really does automatically restart the server after installation of the prerequisites. Make sure you have saved your work if any other applications are open on the server.
sc config NetTcpPortSharing start= auto
ServerManagerCmd -i Desktop-Experience
ServerManagerCmd -ip Exchange-Typical.xml -Restart
    For a server that will host the Client Access, Hub Transport, Mailbox, and Unified Messaging server roles.
    NOTE The i stands for install and must be followed by the name of the feature that you wish to install.
sc config NetTcpPortSharing start= auto
ServerManagerCmd -ip Exchange-Typical.xml -Restart
    For a server that will host the Client Access and Hub Transport server roles.
ServerManagerCmd -ip Exchange-Typical.xml -Restart
    For a server that will host the Hub Transport and Mailbox server roles.
sc config NetTcpPortSharing start= auto
ServerManagerCmd -ip Exchange-Typical.xml -Restart
    For a server that will host the Client Access and Mailbox server roles.
sc config NetTcpPortSharing start= auto
ServerManagerCmd -ip Exchange-CAS.xml -Restart
    For a server that will host only the Client Access role.
ServerManagerCmd -ip Exchange-Hub.xml -Restart
    For a server that will host only the Hub Transport role.
ServerManagerCmd -ip Exchange-MBX.xml -Restart
    For a server that will host only the Mailbox role.
ServerManagerCmd -ip Exchange-UM.xml -Restart
    For a server that will host only the Unified Messaging role.
ServerManagerCmd -ip Exchange-Edge.xml -Restart
    For a server that will host the Edge Transport role.
Deploying Prerequisites for Exchange Server 2010 RTM on Windows Server 2008 R2
NOTE These are PowerShell cmdlets. By using the Import-Module ServerManager
cmdlet, you are accessing Server Manager from within PowerShell. Simply type the
cmdlets below (all on one line for each cmdlet) from a PS prompt after you have
imported the Server Manager module into Windows PowerShell.
The following table shows the PowerShell cmdlets used to install Exchange Server 2010
prerequisites on Windows Server 2008 R2 platforms.
Import-Module ServerManager
    From the Start Menu, navigate to All Programs, then Accessories, and then Windows PowerShell. Open an elevated Windows PowerShell console and run the Import-Module ServerManager cmdlet.
    NOTE Don’t forget that on servers that will host the Hub Transport or Mailbox server role, you must install the Microsoft Filter Pack.
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Desktop-Experience -Restart
    For a server that will have the Typical installation of Client Access, Hub Transport, and the Mailbox roles, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above and in Figure 5-2.
    TIP The -Restart switch really does automatically restart the server after installation of the prerequisites. Make sure you have saved your work if any other applications are open on the server.
Figure 5-2 Installing the prerequisites for a typical install on Windows Server 2008 R2
The procedure for installing prerequisites for the other Exchange Server 2010 roles on
Windows Server 2008 R2 is detailed in the following table.
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Desktop-Experience -Restart
    For a server that will host the Client Access, Hub Transport, Mailbox, and Unified Messaging server roles, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above.
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
    For a server that will host the Client Access and Hub Transport server roles, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above.
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart
    For a server that will host the Hub Transport and Mailbox server roles, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above.
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
    For a server that will host the Client Access and Mailbox server roles, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above.
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
    For a server that will host only the Client Access role, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above.
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart
    For a server that will host the Hub Transport or the Mailbox role, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above.
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart
    For a server that will host only the Unified Messaging role, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above.
Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart
    For a server that will host the Edge Transport role, use the Add-WindowsFeature cmdlet to install the necessary operating system components, as shown in the command above and in Figure 5-3.
Figure 5-3 Installing the prerequisites for an Edge Transport install on Windows Server
2008 R2
You also must set the Net.Tcp Port Sharing Startup Type to Automatic and start the
service. The cmdlet shown in the following table achieves that goal using PowerShell in
Windows Server 2008 R2.
Set-Service NetTcpPortSharing -StartupType Automatic
    On servers that will have the Client Access Server role installed, after the system has restarted, log on as an administrator, open an elevated Windows PowerShell console, and configure the Net.Tcp Port Sharing Service for Automatic startup by running the command above. Figure 5-4 shows the Services console after the command has been run.
Figure 5-4 Viewing the startup type and condition of the Net.Tcp Port Sharing Service
in the Services console
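The feature lists in the Windows Server 2008 R2 tables above can also be used to check a server before Setup is run. The following read-only audit is an added example, not code from the book; the function name Get-ExchangePrereqGap and the role key names are hypothetical, and the per-role lists are taken from the single-role rows of the tables.

```powershell
# Added example (not from the book): read-only audit of the Windows features
# listed in the tables above. Run in an elevated PowerShell console on
# Windows Server 2008 R2. Function and role key names are hypothetical.
Import-Module ServerManager

# Features common to every non-Edge row in the tables.
$Base = 'NET-Framework','RSAT-ADDS','Web-Server','Web-Basic-Auth','Web-Windows-Auth',
        'Web-Metabase','Web-Net-Ext','Web-Lgcy-Mgmt-Console','WAS-Process-Model',
        'RSAT-Web-Server'
# Extra features that appear only in rows containing the Client Access role.
$CasOnly = 'Web-ISAPI-Ext','Web-Digest-Auth','Web-Dyn-Compression',
           'NET-HTTP-Activation','RPC-Over-HTTP-Proxy'

$RoleFeatures = @{
    ClientAccess     = $Base + $CasOnly
    HubTransport     = $Base
    Mailbox          = $Base
    UnifiedMessaging = $Base + 'Desktop-Experience'
    EdgeTransport    = 'NET-Framework','RSAT-ADDS','ADLDS'
}

function Get-ExchangePrereqGap {
    param([Parameter(Mandatory = $true)][string[]]$Role)

    # Edge Transport is a standalone role and cannot be combined with others.
    if (($Role -contains 'EdgeTransport') -and ($Role.Count -gt 1)) {
        throw 'EdgeTransport cannot be combined with other roles.'
    }

    # Union of the single-role feature lists for the requested roles.
    # (The Typical row in the table additionally lists Desktop-Experience;
    # include UnifiedMessaging in -Role to audit for it.)
    $wanted = @()
    foreach ($r in $Role) {
        if (-not $RoleFeatures.ContainsKey($r)) { throw "Unknown role: $r" }
        $wanted += $RoleFeatures[$r]
    }
    $wanted = @($wanted | Sort-Object -Unique)

    # Index the installed state of every feature once, then report per item.
    $installed = @{}
    Get-WindowsFeature | ForEach-Object { $installed[$_.Name] = $_.Installed }
    foreach ($name in $wanted) {
        New-Object PSObject -Property @{
            Check  = 'WindowsFeature'
            Item   = $name
            Passed = [bool]$installed[$name]
        }
    }

    # Client Access servers also need Net.Tcp Port Sharing set to Automatic.
    # Win32_Service reports Automatic startup as StartMode 'Auto'.
    if ($Role -contains 'ClientAccess') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='NetTcpPortSharing'"
        New-Object PSObject -Property @{
            Check  = 'ServiceStartMode'
            Item   = 'NetTcpPortSharing'
            Passed = (($svc -ne $null) -and ($svc.StartMode -eq 'Auto'))
        }
    }
}

# List only what is still missing for a Client Access + Hub Transport server.
Get-ExchangePrereqGap -Role ClientAccess, HubTransport |
    Where-Object { -not $_.Passed } |
    Format-Table Check, Item, Passed -AutoSize
```

An empty result means every listed feature is installed and, for Client Access, the service startup type is already Automatic.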
Deploying Prerequisites for Exchange Server 2010 SP1 on Windows Server 2008 R2
Installing prerequisite software for Exchange 2010 SP1 has become even more simplified, especially when you’re installing Exchange on Windows Server 2008 R2.
NOTE If you have installed prerequisites on Exchange Server 2010 prior to SP1 and you haven’t used some of the automation techniques discussed earlier, you know how painful it can be. However, when you use the Exchange Server 2010 SP1 (GUI) Setup Wizard, a new feature called “Automatically install Windows Server roles and features required for Exchange Server” is available by checking a box (see Figure 5-5). Yes, by selecting the check box, all prerequisites will be installed automatically. That is very nice!
Figure 5-6 shows the features that have been installed after the “Automatically install
Windows Server roles and features required for Exchange Server” check box has been
selected and the installation has completed.
Figure 5-5 Exchange Server 2010 SP1 Setup Wizard with the new feature selected
Figure 5-6 Features installed automatically by the Exchange Server 2010 SP1 Setup
Wizard
Setup Options for Exchange Server 2010 RTM
Exchange Server 2010 is available in two server editions: Standard Edition and
Enterprise Edition. You define which edition is enabled by the product key you enter.
Both RTM and SP1 versions are currently available. There are two versions of Setup.
Setup.exe is the graphical user interface, and you are guided through the installation by
the Setup Wizard. Setup.com is the unattended (command-line) interface, where you
provide options for Setup by using command-line switches. Both versions are available
from the Exchange 2010 DVD or across the network.
As shown in the following table, a number of Active Directory preparations must be performed before any version of Exchange Server 2010 can be installed.
D:\SetupFiles> Setup.com /PrepareLegacyExchangePermissions
D:\SetupFiles> Setup.com /pl
    If you have any computers in your organization running Exchange 2003, open an elevated command prompt and then run the command in the example.
    NOTE D:\SetupFiles could represent any location where the setup files would be found.
    TIP /pl could be used in place of /PrepareLegacyExchangePermissions, as shown in the second example.
D:\SetupFiles> Setup.com /PrepareSchema
D:\SetupFiles> Setup.com /ps
    This command connects to the Active Directory Schema Master FSMO role and imports LDAP Data Interchange Format (LDIF) files. These files update the schema with Exchange 2010–specific objects and attributes.
    TIP /ps could be used in place of /PrepareSchema, as shown in the second example.
Setup.com /PrepareAD /OrganizationName:OrganizationName
D:\SetupFiles> Setup.com /PrepareAD /OrganizationName:RomacSign
Setup.com /p /on:OrganizationName
D:\SetupFiles> Setup.com /p /on:RomacSign
    This command creates the Microsoft Exchange container in Active Directory, if it doesn’t already exist. If no Exchange organization container exists, you must specify an organization name by using the /OrganizationName parameter. The organization container will be created with the name that you specify.
    This command also verifies that the schema has been updated. If it has not, this command will create the containers, objects, and attributes necessary for the installation of Exchange Server 2010.
    This command also verifies that the permissions have been updated if any previous versions of Exchange Server exist in the Active Directory.
    Next, this command creates the Microsoft Exchange Security Groups Organizational Unit (OU) in the root domain of the forest and populates the OU with all of the new 2010 management role groups.
    The command also prepares the local domain for Exchange 2010.
    TIP /p could be used in place of /PrepareAD and /on could be used in place of /OrganizationName, as shown in the second pair of examples.
Setup.com /PrepareDomain:DomainName
D:\SetupFiles> Setup.com /PrepareDomain:RomacSign.com
Setup.com /pd:DomainName
D:\SetupFiles> Setup.com /pd:RomacSign.com
    This command prepares the specified domain for Exchange 2010.
    TIP /pd could be used in place of /PrepareDomain, as shown in the second pair of examples.
D:\SetupFiles> Setup.com /PrepareAllDomains
D:\SetupFiles> Setup.com /pad
    This command prepares all domains in the forest for Exchange 2010.
    TIP /pad could be used in place of /PrepareAllDomains, as shown in the second example.
After the Active Directory preparations have been performed and replicated throughout
the forest, the actual setup options can be employed to install Exchange Server 2010, as
shown in the following table.
D:\SetupFiles> Setup.com /mode:Install
D:\SetupFiles> Setup.com /m:Install
    Install Mode
    This is the default mode for setup. Use this mode when you’re installing a new server role or adding a server role to an existing installation.
    You can use this mode from both the Exchange Setup Wizard in maintenance mode and with the unattended install.
    NOTE /m could be used in place of /mode, as shown in the second example.
D:\SetupFiles> Setup.com /mode:Uninstall
    Uninstall Mode
    Use this mode when you’re removing the Exchange installation or removing a single server role from an existing installation.
    You can use this mode from both the Exchange Setup Wizard in maintenance mode and with unattended install.
D:\SetupFiles> Setup.com /mode:Upgrade
    Upgrade Mode
    Use this mode when you have an existing installation of Exchange and you’re installing the new version; for example, this mode is used for a service pack installation.
    You can use this mode from both the Exchange Setup Wizard and the unattended install.
    You cannot use this to upgrade from Exchange 2007 or Exchange 2003!
D:\SetupFiles> Setup.com /mode:RecoverServer
    RecoverServer Mode
    Use this mode when there has been a complete failure of a server and you need to recover data.
    You must install a new server or rebuild an existing server using the same fully qualified domain name (FQDN) as the failed server.
    You run Setup with the /m:RecoverServer switch. No other information is required. The server is built as dictated by the server object in the Active Directory.
    To run in RecoverServer mode, you cannot have Exchange already installed on the server, but the Exchange server object must still exist in Active Directory from the failed server.
    You can only use this mode during an unattended installation. (This mode will be discussed more completely in Chapter 6, “Disaster Recovery Deployments.”)
D:\SetupFiles> Setup.com /roles:ClientAccess
D:\SetupFiles> Setup.com /roles:CA
D:\SetupFiles> Setup.com /roles:C
    Any of these examples install the Client Access role on a server using an unattended installation.
D:\SetupFiles> Setup.com /roles:HubTransport
D:\SetupFiles> Setup.com /roles:HT
D:\SetupFiles> Setup.com /roles:H
    Any of these examples install the Hub Transport role on a server using an unattended installation.
D:\SetupFiles> Setup.com /roles:Mailbox
D:\SetupFiles> Setup.com /roles:MB
D:\SetupFiles> Setup.com /roles:M
    Any of these examples install the Mailbox Server role on a server using an unattended installation.
D:\SetupFiles> Setup.com /roles:UnifiedMessaging
D:\SetupFiles> Setup.com /roles:UM
D:\SetupFiles> Setup.com /roles:U
    Any of these examples install the Unified Messaging role on a server using an unattended installation.
D:\SetupFiles> Setup.com /roles:H,M,C
    Any of the preceding roles can be combined in any arrangement, if multiple roles need to be installed on a server as shown in the example. The command in the example would install the Hub, the CAS, and the Mailbox server roles on the same server.
D:\SetupFiles> Setup.com /roles:EdgeTransport
D:\SetupFiles> Setup.com /roles:ET
D:\SetupFiles> Setup.com /roles:E
    Any of these examples install the Edge Transport role on a server using an unattended installation.
    NOTE The Edge Transport role must be installed as a standalone role. It is not supported or possible to combine the Edge Transport role with any other Exchange Server roles.
D:\SetupFiles> Setup.com /roles:ManagementTools
D:\SetupFiles> Setup.com /roles:MT
D:\SetupFiles> Setup.com /roles:T
    Any of these examples install the Exchange 2010 Management Tools on your 64-bit workstation.
    NOTE There is no longer a 32-bit version of the tools as there was in Exchange Server 2007.
Upgrading from Exchange Server 2010 RTM to SP1
You can use the Microsoft Exchange Server 2010 Service Pack 1 (SP1) Setup Wizard to
perform an upgrade from the RTM version of Exchange 2010 to Exchange 2010 SP1. If
you have one or more Exchange Server 2010 roles or the Exchange Management Tools
installed, you can upgrade to Exchange Server 2010 SP1, as shown in Figures 5-7 and 5-8. (It is also possible to do a clean install, if desired.)
Figure 5-7 Upgrading to Exchange Server 2010 SP1
Figure 5-8 Introduction to the Exchange Server 2010 SP1 Upgrade Wizard
Figure 5-9 displays the Exchange Management Console highlighting the newly installed
Exchange Server 2010 with SP1 installed on it. (Note the SP1 version number [14.1] and
the Build Number [218.15]. Exchange Server 2010 RTM is version number 14.0 and
Build Number 639.21.)
Figure 5-9 Version number displayed after an upgrade to Exchange Server 2010 SP1
TIP After you upgrade to Exchange 2010 SP1, you can’t uninstall the service pack
to revert to Exchange 2010 RTM. If you uninstall Exchange 2010 SP1, you actually
remove Exchange from the server.
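The version and build numbers quoted above can be checked from the Exchange Management Shell as well as from the console. The following is an added example, not code from the book: the function names and the sample server rows are constructed, and it assumes AdminDisplayVersion renders in the form "Version 14.1 (Build 218.15)".

```powershell
# Added example (not from the book). Function names and sample rows are constructed.
# Version numbers are the ones quoted above:
#   RTM = 14.0 (Build 639.21), SP1 = 14.1 (Build 218.15).
$Sp1Baseline = [version]'14.1.218.15'

function ConvertTo-ExchangeVersion {
    param([string]$Text)
    # Assumed display form: "Version 14.1 (Build 218.15)".
    if ($Text -match 'Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)') {
        return [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    }
    throw "Unrecognized version string: $Text"
}

function Get-ExchangeServicePackState {
    # Accepts any object that has Name and AdminDisplayVersion properties.
    param([Parameter(ValueFromPipeline = $true)]$Server)
    process {
        $v = ConvertTo-ExchangeVersion ([string]$Server.AdminDisplayVersion)
        New-Object PSObject -Property @{
            Name       = $Server.Name
            Version    = $v
            AtLeastSp1 = ($v -ge $Sp1Baseline)
        }
    }
}

# Constructed sample rows so the example runs without an Exchange organization.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'EX-A'; AdminDisplayVersion = 'Version 14.0 (Build 639.21)' }),
    (New-Object PSObject -Property @{ Name = 'EX-B'; AdminDisplayVersion = 'Version 14.1 (Build 218.15)' })
)

# Servers still below SP1. In the Exchange Management Shell, replace $sample
# with Get-ExchangeServer to check the real organization.
$sample | Get-ExchangeServicePackState |
    Where-Object { -not $_.AtLeastSp1 } |
    Format-Table Name, Version, AtLeastSp1 -AutoSize
```

With the constructed rows, only EX-A is listed, because its version 14.0.639.21 sorts below the SP1 baseline.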
Using the Exchange 2010 Deployment Assistant
Microsoft has created an Exchange Deployment Assistant (also known as ExDeploy).
This is a web-based tool that can help you with your Exchange Server 2010 deployment,
as shown in the following table.
http://technet.microsoft.com/en-us/exdeploy2010/default(EXCHG.140).aspx#Home
    This web-based tool creates a customized checklist based on answers you provide about your existing messaging environment to assist in a smooth Exchange Server 2010 upgrade or deployment.
    The URL will take you to the starting page for the Deployment Assistant, as shown in Figure 5-10.
    If you are planning a deployment of Exchange Server 2010, take a look at this tool, especially if you are migrating from Exchange 2007 or Exchange 2003.
Figure 5-10 Exchange Server 2010 Deployment Assistant
CHAPTER 6
Disaster Recovery Deployments
This chapter provides information and commands concerning the following topics:
■ Recovering from a single role failure
■ Recovering from a multiple-role failure on the same server
■ Recovering from a Database Availability Group (DAG) member server failure
This chapter focuses on recovering from a role or server failure and briefly covers recovery from the failure of a node in a high-availability environment. Future chapters will investigate backing up and restoring servers and databases, as well as other disaster recovery scenarios. This chapter focuses only on the deployment operation in a disaster recovery situation.
Recovering from a Single Role Failure
One of the best ways to protect the organization from a failure of a single role is to have another server hosting that role in the Active Directory site already in place. If you have multiple servers hosting the role, the failure of one of them has less impact on your organization. The remaining servers will simply have to take on the load of the failed server until it can be replaced. For a short- or long-term solution, the failed role can be added to any existing or new Exchange server, provided there are no conflicts with the roles currently hosted on it.
It is important to know the impact of a failed role, as detailed in the following table.
If the Mailbox Server role were to fail in an Active Directory site and it is the only Mailbox Server in that site:
    All mailboxes and mailbox databases would be unavailable. (Public folder databases would be unavailable as well.)
    Add the Mailbox Server role to a functioning Exchange server that could accept the role and restore or reconnect the databases, build a new server with the Mailbox role on it, or recover the server as described in the section on multiple role failure later in this chapter.
If the Mailbox Server role were to fail in an Active Directory site and there are other Mailbox Servers in that site:
    Mailboxes, mailbox databases, and public folder databases on the failed server would be unavailable.
    Add the Mailbox Server role to a functioning Exchange server that could accept the role and restore or reconnect the databases, build a new server with the mailbox role on it, or recover the server as described in the section on multiple role failure later in this chapter.
If the Client Access
Server role were
to fail in an Active
Directory site and
it is the only Client
Access Server in
that site:
No access to Exchange by any client of Exchange Server 2010
is possible. There would be a loss of Autodiscover service as
well as Availability service. There would also be a loss of the
default Offline Address Book (OAB) distribution point and
other ancillary services.
Add the CAS role to a functioning Exchange server that could
accept the role, build a new server with the CAS role on it, or
recover the server as described in the section on multiple role
failure later in this chapter.
NOTE Clients would need to be redirected to the replace-
ment CAS role. This could mean changing host (A) records
in DNS, as well as altering some of your firewall settings to
direct appropriate traffic to the new Client Access Server.
If the Client Access
Server role were
to fail in an Active
Directory site and
there are other
Client Access
Servers in that site:
No loss of services. Other Client Access Servers would be
required to handle more of the load.
Add the CAS role to a functioning Exchange server that could
accept the role, build a new server with the CAS role on it,
recover the server as described in the section on multiple role
failure later in this chapter, or accept the loss, making sure you
remove the failed server objects from the Active Directory.
If the Hub Transport
server role were to
fail in an Active
Directory site and
it is the only Hub
Transport server in
that site:
No mailflow within the site would occur. No mailflow to or
from any other site to the site that the failed server is in would
occur.
Add the Hub Transport role to a functioning Exchange server
that could accept the role, build a new server with the HT role
on it, or recover the server as described in the section on mul-
tiple role failure later in this chapter.
If the Hub Transport
server role were to
fail in an Active
Directory site and
there are other Hub
Transport servers in
that site:
No loss of services. Other Hub Transport servers would be
required to handle more of the load.
Add the Hub Transport role to a functioning Exchange server
that could accept the role, build a new server with the HT role
on it, recover the server as described in the section on multiple
role failure later in this chapter, or accept the loss, making sure
you remove the failed server objects from the Active Directory.
If the Unified Messaging Server role were to fail in an Active Directory site and
it is the only Unified Messaging Server in that site:
Loss of voice messaging, fax messaging, and integration of
Exchange with telephony networks would occur.
Add the Unified Messaging role to a functioning Exchange
server that could accept the role, build a new server with the
UM role on it, or recover the server as described in the section
on multiple role failure later in this chapter.
If the Unified Messaging Server role were to fail in an Active Directory site and
there are other Unified Messaging Servers in that site:
No loss of services. Other Unified Messaging Servers would be
required to handle more of the load.
Add the Unified Messaging role to a functioning Exchange
server that could accept the role, build a new server with the
UM role on it, recover the server as described in the section
on multiple role failure later in this chapter, or accept the loss,
making sure you remove the failed server objects from the
Active Directory.
If an Edge Transport Server role that was affiliated with an Active Directory site
were to fail and it is the only Edge Transport Server affiliated with that site:
No mailflow to and from the Internet. Internal mailflow would
be unaffected.
Deploy a new Edge Transport server and use the cloned
configuration file to recover the failed role. (This topic is discussed
more fully in Chapter 10, “The Edge Transport Role,” which
deals with the Edge Transport Server role.)
If an Edge Transport Server role that was affiliated with an Active Directory site
were to fail and there are other Edge Transport Servers affiliated with that site:
No loss of services. Other Edge Transport Servers would be
required to handle more of the load.
Recovering from a Multiple-Role Failure on the Same Server
Because nearly all of the configuration information and settings for Mailbox, Client
Access, Hub Transport, and Unified Messaging server roles are stored in Active
Directory, you can leverage that information to rebuild a failed server. The Setup
parameter used is the /m:RecoverServer option.
The information stored in the Active Directory about the failed server is used to re-create
a new server (on either the same or alternate hardware as the failed server). The
replacement server, although given a new security identifier (SID), is recognized by both the
Exchange organization and the Active Directory as the old server, as if it never failed. In
addition, this could be used in a planned scenario to replace an older server.
The following table details the requirements and procedures to recover from a server
failure.
The Windows Server operating systems must be the same.
The server on which recovery is being performed must be running the same operating
system as the server that is being replaced. For example, you cannot recover a server
that was running Exchange 2010 and Windows Server 2008 on a server running
Windows Server 2008 R2, or vice versa.

All drive letters must be available.
The same disk-drive letters for mounted databases on the server that is being replaced
must exist or be created on the server on which you are running the recovery operation.

Performance of the replacement server should be similar.
The server on which recovery is being performed should have the same performance
characteristics and hardware configuration as the server it is replacing.

This is for Mailbox, CAS, Hub Transport, and Unified Messaging roles only.
The Setup /m:RecoverServer procedure can be run on an Exchange 2010 server
that has the Client Access, Hub Transport, Mailbox, Unified Messaging, or any
combination of those server roles installed.
You cannot use Setup /m:RecoverServer to recover an Edge Transport server.
For Edge Transport server recoveries, use Edge Cloning, described in Chapter 10,
“The Edge Transport Role.”
NOTE The Setup /m:RecoverServer procedure cannot recover an Edge Transport
Server role because the procedure leverages information about the failed server that
remains in the Active Directory after the role failure. Because the Edge Transport
Server has never been an AD member, there is no information in the AD to use for
recovery purposes.
Reset the server’s computer account in Active Directory.
This can be done either from Active Directory Users and Computers, as shown
in Figure 6-1, or from a command prompt using the dsmod command, as shown in
Figure 6-2.
In Active Directory Users and Computers:
1. Find the computer object for the failed Exchange Server.
2. Right-click the computer object that you want to reset.
3. Click Reset Account.
Alternatively, type the following from the command prompt:
dsmod computer ComputerDN -Reset
C:\Users\Administrator> dsmod computer "CN=Romac-EX3HC,OU=Exchange Servers,DC=RomacSign,DC=com" -Reset
TIP Do not DELETE the account. Instead, use the RESET ACCOUNT option. If you delete
the computer account, this recovery method cannot be used.
Figure 6-1 Resetting the computer account in Active Directory Users and Computers
for Romac-EX3HC
Figure 6-2 Resetting the computer account using dsmod from a command prompt for
Romac-EX3HC
Ensure that the computer name is the same and then join the same domain.
Install the proper operating system and name the new server with
the same name as the server it will be replacing. (The IP address is
optional.)
Join the server to the same domain as the failed server.
NOTE All necessary prerequisites and operating system components,
including the necessary service packs, hotfixes, and
updates, should be installed. These should be documented well
before the disaster occurs.
TIP You could use a generic image of a server, because when you join the server to
the domain, a new SID will be generated. Ensure that you put the Exchange
prerequisites on the image to speed up the recovery process.
D:\SetupFiles> Setup /m:RecoverServer
Open a command prompt window.
Using the original Setup media or a network location, run
the command shown above.
NOTE D:\SetupFiles could represent any location
where the Setup files would be found.
The result of running Setup /m:RecoverServer is shown
in Figure 6-3.
(The location of the Setup files in Figure 6-3 is at the root
of the D:\ drive.)
After Setup has completed, but before the recovered server is put into production, it is
a good idea to reconfigure any custom settings that were present on the original server,
such as nonstandard permissions on virtual directories or nonstandard websites on a
CAS, unique transport dumpster settings on a Hub Transport, or voice prompts unique to
a location on a Unified Messaging role.
NOTE You must perform this disaster recovery technique using the same version of
Exchange as was on the server being replaced. The Active Directory objects are
version specific.
Figure 6-3 Running Setup /m:RecoverServer on the replacement server for
Romac-EX3HC
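The requirements listed above can be collected from Active Directory before the replacement server is built. The following is an added example, not code from the book; the function names are hypothetical, and it assumes an Exchange Management Shell session on a working Exchange 2010 server and that the failed server's database paths are read from the EdbFilePath and LogFolderPath properties.

```powershell
# Added example (not from the book). Run in the Exchange Management Shell on any
# working Exchange 2010 server; all data is read from Active Directory, so the
# failed server can be offline. Function names are hypothetical.

function Get-RecoverServerRequirement {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]   # plain computer name only
        [string]$Server
    )

    # The computer account must still exist (reset, not deleted). Its
    # operatingSystem attribute records what the failed server was running.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(name=$Server))"
    $account  = $searcher.FindOne()
    $os = $null
    if ($account -and $account.Properties['operatingsystem'].Count -gt 0) {
        $os = [string]$account.Properties['operatingsystem'][0]
    }

    # Roles and Exchange version that Setup /m:RecoverServer will re-create.
    $ex = Get-ExchangeServer -Identity $Server -ErrorAction Stop

    # Drive letters used by the mailbox databases the server hosted; these must
    # exist on the replacement server before Setup is run.
    $letters = @()
    if ($ex.IsMailboxServer) {
        foreach ($db in @(Get-MailboxDatabase -Server $Server)) {
            foreach ($path in @([string]$db.EdbFilePath, [string]$db.LogFolderPath)) {
                if ($path -match '^[A-Za-z]:') {
                    $letters += $path.Substring(0, 1).ToUpper()
                }
            }
        }
    }

    New-Object PSObject -Property @{
        Name                  = $ex.Name
        ComputerAccountExists = [bool]$account
        OperatingSystem       = $os
        Roles                 = [string]$ex.ServerRole
        ExchangeVersion       = [string]$ex.AdminDisplayVersion
        RequiredDriveLetters  = @($letters | Sort-Object -Unique)
    }
}

# Compares the required letters with the drives present on the replacement
# server and returns the letters that are still missing.
function Get-MissingDriveLetter {
    param([string[]]$Required, [string[]]$Present)
    $have = @($Present | ForEach-Object { $_.Substring(0, 1).ToUpper() })
    @($Required | Where-Object { $have -notcontains $_ })
}

# Usage (server name taken from the book's example):
#   $req = Get-RecoverServerRequirement -Server 'Romac-EX3HC'
#   $req | Format-List
# On the replacement server, before running Setup /m:RecoverServer:
#   $present = [System.IO.DriveInfo]::GetDrives() | ForEach-Object { $_.Name }
#   Get-MissingDriveLetter -Required $req.RequiredDriveLetters -Present $present
```

If ComputerAccountExists is False, the account was deleted rather than reset and this recovery method cannot be used.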
Recovering from a Database Availability Group (DAG) Member Server Failure
If a Mailbox server that’s a member of a Database Availability Group (DAG) is lost or
otherwise fails and is unrecoverable and needs replacement, you can perform a server
recovery operation. For DAG member server recovery, Microsoft Exchange Server 2010
Setup also allows the use of switch /m:RecoverServer to perform the server recovery
operation. Just as with a single server failure, running Setup with the /m:RecoverServer
switch causes Setup to read the server’s configuration information from Active Directory
for a server with the same name as the server from which you’re running Setup. After
the server’s configuration information is gathered from Active Directory, the original
Exchange files and services are then installed on the server, and the roles and settings
that were stored in Active Directory are then applied to the server. This is different from
Cluster Continuous Replication (CCR) in Exchange Server 2007, where you used Setup /RecoverCMS.
You need to be assigned permissions before you can perform the steps in this procedure.
The required permissions for each step are listed in the following table.
To Perform These Tasks...
■ Database availability group membership
■ Database availability group properties
■ Database availability groups
■ Database availability networks
...You Need to Be In:
■ Organization Management
■ Database Availability Groups Role

To Perform These Tasks...
■ Database switchover
■ Mailbox database copies
■ Server switchover
■ Update a mailbox database copy
...You Need to Be In:
■ Organization Management
■ Database Copies Role
The following table details the requirements and procedures to recover from a DAG
member server failure.
Get-MailboxDatabase DatabaseName | Format-List *lag*
PS C:\Users\Administrator> Get-MailboxDatabase AssemblyDB | Format-List *lag*
First, retrieve any replay lag or truncation lag settings for any
mailbox database copies that exist on the server being recovered.
You can achieve this by using the Get-MailboxDatabase cmdlet and
piping its output to Format-List.
Remove-MailboxDatabaseCopy DatabaseCopyName\DAGMemberServerName
PS C:\Users\Administrator> Remove-MailboxDatabaseCopy AssemblyDB\Romac-EX1
To recover the failed server, you must remove any mailbox database
copies that exist on the server being recovered by using the
Remove-MailboxDatabaseCopy cmdlet.
TIP You would need to do this for each database copy on
the failed server.
Remove-DatabaseAvailabilityGroupServer -Identity DAGName -MailboxServer DAGMemberName
PS C:\Users\Administrator> Remove-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer Romac-EX1
After the database copies have been removed, you need to remove the
failed server’s configuration from the DAG by using the
Remove-DatabaseAvailabilityGroupServer cmdlet.
Reset the server’s computer account in Active Directory.
In Active Directory Users and Computers:
1. Find the computer object for the failed Exchange Server.
2. Right-click the computer object you want to reset.
3. Click Reset Account.
Alternatively, type the following from the command prompt:
dsmod computer ComputerDN -Reset
C:\Users\Administrator> dsmod computer "CN=Romac-EX1,OU=Exchange Servers,DC=RomacSign,DC=com" -Reset
NOTE This is the same procedure that you performed on the
non-DAG member computer account (refer to Figure 6-1)
in Active Directory Users and Computers.
It can also be done from a command prompt using the dsmod
command (refer to Figure 6-2).
TIP Do not DELETE the account. If you delete the computer
account, this recovery method cannot be used.
D:\SetupFiles> Setup /m:RecoverServer
Open a command prompt window.
Using the original Setup media, run the command shown above.
NOTE D:\SetupFiles could represent any location where
the Setup files would be found.
PS C:\Users\Administrator> Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer Romac-EX1
When the Setup recovery process is complete, add the recovered
server to the DAG by using the
Add-DatabaseAvailabilityGroupServer cmdlet.
Add-MailboxDatabaseCopy -Identity DatabaseCopyName -MailboxServer MailboxServerName
PS C:\Users\Administrator> Add-MailboxDatabaseCopy -Identity AssemblyDB -MailboxServer Romac-EX1
Add-MailboxDatabaseCopy -Identity DatabaseCopyName -MailboxServer MailboxServerName -ReplayLagTime TimeValue
PS C:\Users\Administrator> Add-MailboxDatabaseCopy -Identity AssemblyDB -MailboxServer Romac-EX1 -ReplayLagTime 3.00:00:00
After the server has been added back to the DAG, you
can reconfigure mailbox database copies by using the
Add-MailboxDatabaseCopy cmdlet.
If any lag time is desired, it could be added using the same
cmdlet with the parameter -ReplayLagTime, as shown in the
second pair of examples, or the parameter -TruncationLagTime
(not shown).
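The DAG member recovery sequence above, gathered into one Exchange Management Shell script as an added example (not code from the book). It saves each copy's replay and truncation lag to a CSV file before the copies are removed, so the same values can be reapplied after Setup /m:RecoverServer; the function names and CSV path are hypothetical, and reading the lag values as per-server pairs from the ReplayLagTimes and TruncationLagTimes properties is an assumption of this sketch.

```powershell
# Added example (not from the book). Run from the Exchange Management Shell on a
# surviving DAG member. DAG1, Romac-EX1 and AssemblyDB follow the book's examples;
# the CSV path and function names are placeholders.

# Step 1: record which databases have a copy on the failed server and their lag.
function Save-DagCopyLagSetting {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Path
    )
    $records = foreach ($db in @(Get-MailboxDatabase)) {
        $copyHosts = @($db.Servers | ForEach-Object { $_.Name })
        if ($copyHosts -notcontains $Server) { continue }
        # Assumed shape: one (server, timespan) pair per copy of the database.
        $replay   = $db.ReplayLagTimes     | Where-Object { $_.Key.Name -eq $Server }
        $truncate = $db.TruncationLagTimes | Where-Object { $_.Key.Name -eq $Server }
        New-Object PSObject -Property @{
            Database          = $db.Name
            CopyCount         = $copyHosts.Count
            ReplayLagTime     = [string]$replay.Value
            TruncationLagTime = [string]$truncate.Value
        }
    }
    $records | Export-Csv -Path $Path -NoTypeInformation
    $records
}

# Steps 2 and 3: remove the failed server's copies, then its DAG membership.
function Remove-FailedDagMember {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Dag,
        [Parameter(Mandatory = $true)][string]$Path
    )
    foreach ($copy in @(Import-Csv -Path $Path)) {
        if ([int]$copy.CopyCount -lt 2) {
            # A database with a single copy is not replicated; there is no
            # copy to remove, so leave it for the server recovery itself.
            Write-Warning "$($copy.Database) has no other copy; skipped."
            continue
        }
        Remove-MailboxDatabaseCopy -Identity "$($copy.Database)\$Server" -Confirm:$false
    }
    Remove-DatabaseAvailabilityGroupServer -Identity $Dag -MailboxServer $Server
}

# Final steps: after the account reset and Setup /m:RecoverServer, rejoin the
# DAG and re-create the copies with the lag values saved in step 1.
function Restore-DagMember {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Dag,
        [Parameter(Mandatory = $true)][string]$Path
    )
    Add-DatabaseAvailabilityGroupServer -Identity $Dag -MailboxServer $Server
    foreach ($copy in @(Import-Csv -Path $Path)) {
        if ([int]$copy.CopyCount -lt 2) { continue }
        $params = @{ Identity = $copy.Database; MailboxServer = $Server }
        if ($copy.ReplayLagTime)     { $params.ReplayLagTime     = $copy.ReplayLagTime }
        if ($copy.TruncationLagTime) { $params.TruncationLagTime = $copy.TruncationLagTime }
        Add-MailboxDatabaseCopy @params
    }
}

# Usage:
#   Save-DagCopyLagSetting -Server 'Romac-EX1' -Path 'C:\Recovery\Romac-EX1-copies.csv'
#   Remove-FailedDagMember -Server 'Romac-EX1' -Dag 'DAG1' -Path 'C:\Recovery\Romac-EX1-copies.csv'
#   (reset the computer account, rebuild the server, run Setup /m:RecoverServer)
#   Restore-DagMember -Server 'Romac-EX1' -Dag 'DAG1' -Path 'C:\Recovery\Romac-EX1-copies.csv'
```

Review the CSV file before running the removal step; it is the only record of the lag settings once the copies are gone.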
CHAPTER 7
Working with Recipient Objects
This chapter provides information and commands concerning the following topics:
■ Identifying the Exchange 2010 recipient types
■ Creating and managing a user mailbox
■ Creating and managing a mail-enabled user
■ Creating and managing a mail-enabled contact
■ Creating and managing resource mailboxes
■ Working with distribution groups
■ Converting recipient types
■ Creating and managing email address policies
■ Creating and managing address lists
This chapter focuses on the creation and management of recipient objects in Exchange
2010. You investigate the recipient types and create them using Exchange Management
Shell. In Chapter 8, “Bulk Management of Recipients,” you will investigate ways to create
the recipient objects in bulk. You will discover that in Exchange 2010 there are common
recipient types you will create and manage regularly and other recipient types you may
rarely configure or manipulate. The chapter concludes with a look at email address policies
and address lists.
Identifying the Exchange 2010 Recipient Types
It is important to understand the recipient types available in Exchange 2010 and how to
manage them using Exchange Management Shell (EMS). The following table details the
cmdlets that allow you to identify the specific recipients by type.
Get-Recipient Retrieves a list of all recipients, regardless of type
Get-Mailbox Retrieves a list of only the User Mailbox recipients
Get-MailUser Retrieves a list of only the Mail User recipients
Get-MailContact Retrieves a list of only the Mail Contact recipients
Get-DistributionGroup Retrieves a list of all distribution groups
Get-DynamicDistributionGroup Retrieves a list of all dynamic distribution groups
The two distinguishing features for a recipient type are as follows:
■ Which type of Active Directory object is created when the recipient is created
■ Whether an Exchange mailbox is created when the recipient is created
Some of the more common recipient types are detailed in the following table.
Recipient Type: User mailbox
What Type of Active Directory Object Is Created? AD User account
Is an Exchange Mailbox Created for This Object? Yes.
Description: A User mailbox is an Active Directory user account that has an
Exchange mailbox enabled for it.
In many organizations, this is the most common type of Exchange recipient
object. The user logs on to Windows and accesses a mailbox in Exchange.
NOTE The mailbox may be accessed using a variety of clients, such as
Microsoft Office Outlook, Outlook Anywhere, OWA, or ActiveSync. The point
is that the mailbox exists in the Exchange organization and is not an
external email address.

Recipient Type: Mail user
What Type of Active Directory Object Is Created? AD User account
Is an Exchange Mailbox Created for This Object? No, but the user’s external
email address appears in the Global Address List (GAL).
Description: A mail-enabled user is a recipient object that represents an
Active Directory user who has an external email address rather than an
Exchange mailbox. All messages sent to the mail user are routed to this
external email address.
A mail user is similar to a mail contact, except that a mail user has Active
Directory logon credentials and can access resources, whereas the contact cannot.
However, even without an Exchange Mailbox, this object appears in the Global
Address List (GAL).

Recipient Type: Mail contact
What Type of Active Directory Object Is Created? AD Contact object; no
user account is created
Is an Exchange Mailbox Created for This Object? No, but the contact’s external
email address appears in the Global Address List (GAL).
Description: A mail-enabled contact is a recipient object that contains
information about people or organizations that exist outside the Exchange
organization.
The mail contact has an external email address. All messages sent to the mail
contact are routed to this external email address.
Even without an Exchange Mailbox or AD user account, this object appears
in the Global Address List (GAL).

Recipient Type: Room mailbox
What Type of Active Directory Object Is Created? AD User Account (Disabled)
Is an Exchange Mailbox Created for This Object? Yes. It is labeled as a room.
Description: A room mailbox is a resource mailbox that is associated with a
meeting location, such as a conference room.
Room mailboxes can be included as resources in meeting requests, providing
a simplified way of creating and managing meetings for your users that includes
the automation of the invitation and the resource’s acceptance of your users’
requests.

Recipient Type: Equipment mailbox
What Type of Active Directory Object Is Created? AD User Account (Disabled)
Is an Exchange Mailbox Created for This Object? Yes. It is labeled as equipment.
Description: An equipment mailbox is a resource mailbox that is associated
with a non-location-specific resource. Often projectors, vehicles, and even
items such as wireless aircards can be represented by this recipient type.
Equipment mailboxes can be included as resources in meeting requests or can
simply be a method of reserving a piece of equipment in your organization
through Exchange.
This can provide a simplified way of creating and managing meetings for
your users that includes the automation of the invitation and the resource’s
acceptance of your users’ requests.

Recipient Type: Mail-enabled universal distribution group
What Type of Active Directory Object Is Created? AD Group object
Type=Distribution Scope=Universal
Is an Exchange Mailbox Created for This Object? No, but an email alias is created.
Description: A mail-enabled Active Directory distribution group object is a
recipient object that can be used only to distribute messages to a group of
recipients.
Because it is only a distribution group, this recipient type cannot be used by
Windows to assign permissions to a resource.

Recipient Type: Mail-enabled universal security group
What Type of Active Directory Object Is Created? AD Group object
Type=Security Scope=Universal
Is an Exchange Mailbox Created for This Object? No, but an email alias is created.
Description: A mail-enabled Active Directory security group object is a
recipient object that can be used to grant access permissions to resources in
Active Directory and can also be used to distribute messages.
Because it is a security group, this recipient type can be used for both purposes.

Recipient Type: Dynamic distribution group
What Type of Active Directory Object Is Created? AD
msExchDynamicDistributionList object
Is an Exchange Mailbox Created for This Object? No, but an email alias is created.
Description: A Dynamic distribution group is a special AD object that uses
recipient filters and conditions to derive its membership at the time messages
are sent.

Recipient Type: Legacy mailbox
What Type of Active Directory Object Is Created? AD User account
Is an Exchange Mailbox Created for This Object? Yes, but it was created in
Exchange 2003.
Description: A Legacy mailbox is a recipient object that represents an Active
Directory user account that has an Exchange mailbox enabled for it on a server
running Exchange Server 2003.
NOTE In general, a mailbox on Exchange Server 2007 is not considered a Legacy
mailbox. However, there could be reasons that Legacy mailboxes might exist on a
2007 server. You would observe this by looking at the Recipient Type Status
column in the Exchange Management Console (EMC) for the 2007 mailbox server. If
the description in the column displays LegacyMailbox instead of UserMailbox,
you must convert it to a UserMailbox. (This may have occurred when you
moved the mailbox to 2007 from 2003.)

Recipient Type: Linked mailbox
What Type of Active Directory Object Is Created? Two AD User accounts:
Primary forest—account is enabled.
Resource forest—account is disabled.
Is an Exchange Mailbox Created for This Object? Yes. (The mailbox is created
in the resource forest.)
Description: A Linked mailbox is a recipient object that represents an Active
Directory user account in one AD forest (primary forest) that is assigned or
linked to an Exchange mailbox in a second forest (resource forest).
The resource forest must have a trust relationship with the primary forest.
Other recipient types are detailed in the following table.
Microsoft Exchange recipient
A Microsoft Exchange recipient is a special recipient object that
replaces the System Administrator sender used for system-generated
messages in earlier versions of Exchange.
This recipient type allows Exchange to differentiate system-generated
messages from other messages.
It cannot be managed by using the EMC.
You must use the Set-OrganizationConfig cmdlet in EMS to
configure the Microsoft Exchange recipient object.
The types of messages sent by the Microsoft Exchange recipient
include any messages from agents (transport or journal), any
Delivery Status Notification (DSN) messages, reports as a result
of the journaling process, and any messages regarding quotas.
Shared mailbox
A Shared mailbox is a recipient object that is not associated with
a single user account. It is configured to allow logon access for
several users. In Exchange 2003, resources were often created as
Shared mailboxes and had to be managed by a delegate.
It is recommended that you convert your Exchange 2003 Shared
mailboxes that generally represent resources to either room
mailboxes or equipment mailboxes.
It is possible to convert the following:
■ A user mailbox to a shared mailbox
■ A user mailbox to a resource mailbox
■ A shared mailbox to a user mailbox
■ A shared mailbox to a resource mailbox
■ A resource mailbox to a user mailbox
■ A resource mailbox to a shared mailbox
These conversions must be performed using Exchange Management Shell. One of the
most common conversions needed is when you move a shared resource mailbox from
Exchange Server 2003 to Exchange Server 2010.
In Exchange 2003, you used shared mailboxes to represent resources. If you were to
simply move this mailbox to Exchange 2010, it would become an Exchange 2010
shared mailbox and no automation of its calendar would be possible. You must
convert it from an Exchange 2010 shared mailbox to an Exchange 2010 resource mailbox
(room or equipment) so that it can automatically book itself using the Resource Booking
Attendant feature in Exchange 2010. You cannot use the EMC to convert a mailbox.
Later in this chapter, you will view a shared-mailbox-to-resource-mailbox conversion.
Some other recipient types are detailed in the following table.
Mail forest contact
A Mail forest contact is a recipient object that represents a recipient
object from another AD forest.
Mail forest contacts are usually created by Microsoft Identity
Integration Server (MIIS) synchronization and are used as part of
GAL synchronization.
Mail forest contacts are read-only recipient objects that are updated
only through MIIS or a similar synchronization utility.
You cannot use the Exchange Management tools to configure these
recipients.
Mail-enabled non-universal group
A mail-enabled Active Directory non-universal group (global or local
group) was a recipient type in Exchange 2007 and earlier.
These recipient objects were deprecated in Exchange 2010. They can
exist only if they were migrated from Exchange 2003 or earlier
versions of Exchange.
You cannot use Exchange 2010 to create non-universal distribution
groups.
Mail-enabled public folder
A Mail-enabled public folder is a recipient type that represents an
Exchange public folder that has been configured to receive messages.
System Mailboxes
System mailboxes are created by Exchange in the root domain of the
Active Directory forest during installation. Users or administrators
can’t log on to these mailboxes.
System mailboxes are created for Exchange 2010 features such as
message approval and Multi-Mailbox Search.
System mailboxes may also be termed arbitration mailboxes. An
arbitration mailbox is used for managing approval workflow with a
moderated recipient.
TIP If you want to decommission the last Exchange 2010 Mailbox server in your
organization, you must first disable these system mailboxes by using the
Disable-Mailbox cmdlet. Before you decommission a Mailbox server that contains
these system mailboxes, you should move them to another Mailbox server to make
sure you don’t lose functionality.
The following table displays the cmdlets used to view the system mailboxes.
PS C:\Users\Administrator> Get-Mailbox -Arbitration | fl Name, DisplayName, RecipientType, RecipientTypeDetails
This Get-Mailbox command with the -Arbitration parameter allows you to view
the system or arbitration mailboxes.
The default system mailboxes are displayed in Figure 7-1 and include those detailed in
the following table.
Mailbox: Discovery
Purpose: This mailbox is used as the default target mailbox for cross-mailbox
searches. An auditor might use discovery search when he or she wants to search
for confidential emails across all the mailboxes in your organization.
You can create additional discovery mailboxes if required.
Common Name (CN): SystemMailbox {e0dc1c29-89c3-4034-b678-e6c29d823ed9}

Mailbox: Message Approval
Purpose: This mailbox is used as part of the message moderation process for
moderated groups.
Common Name (CN): SystemMailbox {1f05a927-xxxx-xxxx-xxxx-xxxxxxxxxxxx},
where the x’s are randomly assigned numbers

Mailbox: Federated
Purpose: This mailbox is used as part of the federated delegation setup for
ADFS when two organizations are federated.
Common Name (CN): FederatedEmail 4c1f4d8b-8179-4148-93bf-00a95fa1e042
Figure 7-1 The default system mailboxes
Creating and Managing a User Mailbox
Although you would not usually use a cmdlet to create a single User mailbox, it is
certainly possible to do so. Most people would use Exchange Management Console to
create a single User mailbox. As you will see in Chapter 8, you can use several of the
techniques shown in the following table to create recipient objects in bulk. Bulk
management of recipient objects is one area where PowerShell and Exchange Management Shell
can far exceed the capabilities of Exchange Management Console.
PS C:\Users\Administrator> $Pass = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
This example defines a secure string password so that you don’t have
to type a password for each user that follows. The password is enclosed in
single quotes so that PowerShell does not expand $$ inside the string.
NOTE This password will only be valid from within this session, unless
you incorporate it into your PowerShell profile.
New-Mailbox -Name Name -Alias Name -UserPrincipalName [email protected] -SamAccountName Username -FirstName FirstName -LastName LastName -OrganizationalUnit OUName -Password password -ResetPasswordOnNextLogon $boolean value -Database DatabaseName
PS C:\Users\Administrator> New-Mailbox -Name "Vinnie Vignola"
-Alias "Vinnie" -UserPrincipalName
[email protected] -SamAccountName "Vinnie" -FirstName "Vinnie" -LastName "Vignola" -OrganizationalUnit "romacsign.com/Assembly"
-Password $Pass -ResetPasswordOnNextLogon $false
-Database "AssemblyDB"
This New-Mailbox
cmdlet creates a
single User mailbox
using EMS.
dsadd user "CN=UserName,OU=OUName,DC=Domain,DC=com" -pwd password
C:\> dsadd user "CN=David Petry,OU=Assembly,DC=RomacSign,DC=com" -pwd Pa$$w0rd
This dsadd command creates a user to test with the
Enable-Mailbox cmdlet.
Enable-Mailbox -Identity Name -Database DatabaseName
PS C:\Users\Administrator> Enable-Mailbox -Identity "David Petry" -Database "AssemblyDB"
This Enable-Mailbox cmdlet enables a single user’s mailbox for
an existing AD User account.
As shown in the following table, there is a difference between the New-Mailbox cmdlet,
which creates both the AD User and enables the Exchange mailbox, and the Enable-Mailbox cmdlet, which takes an existing AD User and enables the Exchange mailbox
for the account.
Remove-Mailbox Name
PS C:\Users\Administrator> Remove-Mailbox "Vinnie Vignola"
Sometimes it is necessary to remove the user from
the Active Directory, as might be the case if the user
leaves the company.
This can be done with the Remove-Mailbox cmdlet.
The user is removed, but the mailbox remains for the
duration of the mailbox retention period, which is 30
days by default. Then, the mailbox is removed.
Disable-Mailbox Name
PS C:\Users\Administrator> Disable-Mailbox "Vinnie Vignola"
Sometimes it is necessary to simply disassociate the
user from the mailbox when he or she no longer needs
an Exchange mailbox.
This can be done with the Disable-Mailbox cmdlet.
The user is preserved, but is no longer associated with
the mailbox. The mailbox remains for the duration
of the mailbox retention period, which is 30 days by
default. Then, the mailbox is removed.
Figures 7-2 through 7-6 show the differences between removing a user mailbox and
disabling one.
Figure 7-2 Right-click menu displaying the Remove and Disable options in EMC
Figure 7-3 Removing a user mailbox from EMC
Figure 7-4 Removing a user mailbox from EMS
Figure 7-5 Disabling a user mailbox from EMC
Figure 7-6 Disabling a user mailbox from EMS
Creating and Managing a Mail-Enabled User
As shown in the following table, it is also possible to create a single Mail-enabled user
or Mail User with a similar cmdlet.
PS C:\Users\Administrator> $Pass = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force
Once again, this step defines a secure string password so that
you don’t have to type a password for each mail-enabled
user that will be created if you are creating more than one.
The password is enclosed in single quotes so that PowerShell does
not expand $$ inside the string.
NOTE This password will only be valid from within
this session, unless you incorporate it into your
PowerShell profile.
New-MailUser -Name Name -Alias Name -OrganizationalUnit OUName -UserPrincipalName [email protected] -SamAccountName UserName -FirstName FirstName -LastName LastName -Password password -ResetPasswordOnNextLogon $boolean value -ExternalEmailAddress SMTP:[email protected]
PS C:\Users\Administrator> New-MailUser -Name "Jeff Schultz" -Alias Jeff -OrganizationalUnit
"romacsign.com/Assembly"
-UserPrincipalName [email protected] -SamAccountName "Jeff"
-FirstName "Jeff" -LastName "Schultz" -Password $Pass -ResetPasswordOnNextLogon $true
-ExternalEmailAddress SMTP:[email protected]
This New-MailUser cmdlet creates a single Mail User using EMS.
dsadd user "CN=UserName,OU=OUName,DC=Domain,DC=com" -pwd password
C:\> dsadd user "CN=Bob Fuoco,OU=Assembly,DC=RomacSign,DC=com" -pwd Pa$$w0rd
This dsadd command creates a user to test with the
Enable-MailUser cmdlet.
Enable-MailUser -Identity Name -ExternalEmailAddress EmailAddress
PS C:\Users\Administrator> Enable-MailUser -Identity "Bob Fuoco" -ExternalEmailAddress [email protected]
This Enable-MailUser cmdlet enables an external email
address for an existing AD User account.
As shown in the following table, there is also a difference between the New-MailUser
cmdlet, which creates both the AD User and associates it with an external email address,
and the Enable-MailUser cmdlet, which takes an existing AD User and associates it
with an external email address.
PS C:\Users\Administrator> Remove-MailUser "Bob Fuoco"
Sometimes it is necessary to remove the user from the Active
Directory, as might be the case if the user leaves the company.
This can be done with the Remove-MailUser cmdlet.
The user is removed and there is no longer any association
with that external email address in the Exchange organization.
PS C:\Users\Administrator> Disable-MailUser "Bob Fuoco"
Sometimes it is necessary to simply disassociate the user from
the external email address.
This can be done with the Disable-MailUser cmdlet.
The user is preserved, but is no longer associated with the
external email address.
Creating and Managing a Mail-Enabled Contact
It is also possible to create a single Mail-enabled contact or Mail Contact with a similar
cmdlet, as shown in the following table.
It is not necessary to create a password
for a Mail Contact because
this object does not have an associated
AD User account.
New-MailContact -ExternalEmailAddress "SMTP:[email protected]" -Name Name -Alias Name -FirstName FirstName -LastName LastName -OrganizationalUnit OUName
PS C:\Users\Administrator> New-MailContact -ExternalEmailAddress "SMTP:[email protected]" -Name "Mike Burrows" -Alias "Mike" -FirstName "Mike" -LastName "Burrows" -OrganizationalUnit "romacsign.com/Assembly"
This New-MailContact cmdlet
creates a single Mail Contact using
EMS.
dsadd contact "CN=UserName,OU=OUName,DC=domain,DC=com"
C:\> dsadd contact "CN=Dave Cowan, OU=Assembly, DC=RomacSign, DC=com"
This dsadd command creates a
contact to test with the Enable-MailContact cmdlet.
Enable-MailContact Name -ExternalEmailAddress "SMTP:[email protected]"
PS C:\Users\Administrator> Enable-MailContact "Dave Cowan" -ExternalEmailAddress "SMTP:[email protected]"
This Enable-MailContact cmdlet
enables an external email address
for an existing Mail Contact using
EMS.
PS C:\Users\Administrator> Remove-MailContact "Dave Cowan"
Sometimes it is necessary to
remove the contact from the Active
Directory, as might be the case if a
consultant no longer works with the
company.
This can be done with the Remove-MailContact cmdlet.
The contact is removed and there
is no longer any association with
that external email address in the
Exchange organization.
PS C:\Users\Administrator> Disable-MailContact "Dave Cowan"
Sometimes it is necessary to simply
disassociate the contact from the
external email address.
This can be done with the Disable-MailContact cmdlet.
The contact is preserved, but is no
longer associated with the external
email address.
Creating and Managing Resource Mailboxes
Creating a Resource mailbox is very much like creating a User mailbox. Only one
parameter makes a Resource mailbox unique, and it depends on the type of resource. If
you are creating an Equipment mailbox, you will use the parameter -Equipment , and if
you are creating a Room mailbox, you will use the parameter -Room , as shown in the
following table.
New-Mailbox -Name Name -Alias Name -UserPrincipalName [email protected] -SamAccountName UserName -FirstName FirstName -LastName LastName -OrganizationalUnit OUName -Password password -ResetPasswordOnNextLogon $boolean value -Database DatabaseName -Equipment
PS C:\Users\Administrator> New-Mailbox -Name "Projector 1234" -Alias "Projector1234" -UserPrincipalName "[email protected]" -SamAccountName "Projector1234" -FirstName "Projector" -LastName "1234" -OrganizationalUnit Assembly -Password $Pass -ResetPasswordOnNextLogon $false -Database "AssemblyDB" -Equipment
This New-Mailbox cmdlet
creates a Resource mailbox
(Equipment type) using
EMS.
New-Mailbox -Name Name -Alias Name -UserPrincipalName [email protected] -SamAccountName UserName -FirstName FirstName -LastName LastName -OrganizationalUnit OUName -Password password -ResetPasswordOnNextLogon $boolean value -Database DatabaseName -Room
PS C:\Users\Administrator> New-Mailbox -Name "Conference Room 111" -Alias "Conf111" -UserPrincipalName "[email protected]" -SamAccountName "Conf111" -FirstName "Conference Room" -LastName "111" -OrganizationalUnit Assembly -Password $Pass -ResetPasswordOnNextLogon $false -Database "AssemblyDB" -Room
This New-Mailbox cmdlet
creates a Resource mailbox
(Room type) using EMS.
Working with Distribution Groups
Understanding how distribution groups work in Exchange 2010 can be a little tricky.
A distribution group can be created in the Active Directory, but Exchange will not
recognize it until it has been mail-enabled. This may seem strange. After all, it seems as if
simply creating the group as a distribution group in the Active Directory should be
sufficient. However, if you analyze the enabling process, it may make more sense. Just as
you could create a user in Active Directory and later mail-enable the object, the same is
true with groups. You can either create the group and mail-enable it in one operation, or
you can create the group first and then mail-enable it later. You may have expected that
this would be true with security groups, but it is also true with distribution groups.
In Exchange, groups can be one of three types:
■ Mail-enabled distribution groups —Can only be used to distribute messages to a
group of recipients
■ Mail-enabled security groups —Can be used for both distributing messages and
configuring security on objects such as files, folders, and printers
■ Dynamic distribution groups —Can use recipient filters and conditions to derive
membership at the time the message is sent
The following table shows how to use Exchange Management Shell (EMS) to create a
mail-enabled distribution group as well as a mail-enabled security group.
New-DistributionGroup -Name Name -Type "Distribution" -SamAccountName Name -Alias Name
PS C:\Users\Administrator> New-DistributionGroup -Name "Assemblers" -Type "Distribution" -SamAccountName "Assemblers" -Alias "Assemblers"
This New-DistributionGroup cmdlet
creates a distribution group (Distribution
type; Universal scope) using EMS.
New-DistributionGroup -Name Name -Type "Security" -SamAccountName Name -Alias Name
PS C:\Users\Administrator> New-DistributionGroup -Name "Assembly Managers" -Type "Security" -SamAccountName "AssemblyManagers" -Alias "AssemblyManagers"
This New-DistributionGroup cmdlet
creates a distribution group (Security
type; Universal scope) using EMS.
Enable-DistributionGroup -Identity GroupName -Alias GroupAlias
PS C:\Users\Administrator> Enable-DistributionGroup -Identity "RomacSign.com/Assembly/Assembly Team 1" -Alias "AssemblyTeam1"
PS C:\Users\Administrator> Enable-DistributionGroup -Identity "RomacSign.com/Assembly/Assembly Team 2" -Alias "AssemblyTeam2"
Enabling a distribution group allows
Exchange to route messages to the alias
that represents the Active Directory
group object.
In EMS, this can be done with the
Enable-DistributionGroup cmdlet.
These Enable-DistributionGroup cmdlets
enable first a distribution group and
then a security group.
Notice that when you mail-enable a distribution
group that already exists, you
do not specify the group type. The object
has already been created in the Active
Directory and there is already a group
type associated with the object.
Assembly Team 1 is a mail-enabled distribution
group and Assembly Team 2 is
a mail-enabled security group (as shown
in Figure 7-7 ).
Both are mail-enabled with the same
cmdlet. Only the name need be different.
Figure 7-7 Disabling a User mailbox from EMS
The following table shows how to use EMS to create a dynamic distribution group.
New-DynamicDistributionGroup -Name GroupName -OrganizationalUnit OUName -RecipientFilter { ((RecipientType -eq RecipientType) -and (ServerName -eq ServerName) -and (Name -notlike "SystemMailbox")) }
PS C:\Users\Administrator> New-DynamicDistributionGroup -Name "Mailbox Users in Assembly OU on Romac-EX1" -OrganizationalUnit romacsign.com/Assembly -RecipientFilter { ((RecipientType -eq "UserMailbox") -and (ServerName -eq "Romac-EX1") -and (Name -notlike "SystemMailbox")) }
This New-DynamicDistributionGroup
cmdlet creates a dynamic
distribution group using a
Recipient Filter in EMS
that will include users in
the Assembly OU with
Exchange mailboxes on
Romac-EX1, but will
exclude the System mailboxes.
This is just one example of how you might use a dynamic distribution group. The
benefit of using this type of group is that the membership does not need to be managed.
If the recipient is included in the filter, it will receive the message; if the recipient is
not included in the filter, it will not receive the message. A slight performance cost is
involved with using dynamic distribution groups because the membership must be
calculated at the time the message is sent.
NOTE By default, new dynamic distribution groups in Exchange Server 2010 require
that all senders be authenticated. This prevents external senders from sending messages
to dynamic distribution groups. Also, by default, a maximum of 1,000 recipients is
displayed to keep performance at an optimum level. If you increase this value, the time
it takes to display the results will be prolonged. There also may be a negative impact
on the domain controller to which you are connected if you use many large dynamic
distribution groups due to an excessive number of LDAP queries.
Converting Recipient Types
In many organizations, the most common type of conversion is when you need to
convert a 2003 Shared mailbox to a 2010 Resource mailbox. As previously detailed in this
chapter, that is not the only conversion that can be performed on a recipient. When you
move a Resource mailbox to Exchange 2010, it is migrated as a Shared mailbox. If you
would like to take advantage of the automated booking features of Exchange 2010, you
must manually convert it to a Room mailbox (or Equipment mailbox) because Exchange
has no way of determining if that is your intention. Fortunately, it is a very simple
process, as shown in the following table.
New-Mailbox -Name RoomName -Alias RoomAlias -UserPrincipalName UPN -SamAccountName UserName -FirstName FirstName -LastName LastName -Password password -ResetPasswordOnNextLogon $boolean value -Database DatabaseName -Shared
PS C:\Users\Administrator> New-Mailbox -Name "Conference Room 112" -Alias "Conf112" -UserPrincipalName "[email protected]" -SamAccountName "Conf112" -FirstName "Conference Room" -LastName "112" -Password $Pass -ResetPasswordOnNextLogon $false -Database "AssemblyDB" -Shared
This New-Mailbox
cmdlet creates a Shared
mailbox to test with the
Set-Mailbox cmdlet as
part of a conversion to a
Room mailbox.
NOTE Figure 7-8
shows the mailbox
before running the
cmdlet, and Figure
7-9 shows the result
after running the
cmdlet.
Set-Mailbox RoomName -Type Room
PS C:\Users\Administrator> Set-Mailbox Conf112 -Type Room
This Set-Mailbox cmdlet
migrates a Shared mailbox
to a 2010 Resource
mailbox.
Figure 7-8 Shared mailbox before conversion, as seen in EMC
Figure 7-9 Resource mailbox after conversion, as seen in EMC
Creating and Managing Email Address Policies
If a recipient is to send or receive email, it is essential that the recipient have an email
address. When you create an email address policy, an email address can automatically be
configured for each of your recipients, rather than you having to assign them manually.
The policy can generate both primary and secondary email addresses for your recipients
so they can receive and send email.
There is a default email address policy in Exchange 2010. The default policy specifies
the recipient’s alias combined with the default accepted domain. For example, if a user’s
alias is Rodney, his email address would be [email protected] in the test lab
environment used in this book.
You can change this, however. Many companies use the same user logon name as
the Exchange alias and might not want to compromise security by exposing the
logon names. Instead of using an alias, you could change how your recipients’ email
addresses will be displayed by specifying that your recipients’ email will appear as
FirstName . LastName @romacsign.com, such as [email protected].
As shown in the following table, default variables are in place for generating email
addresses.
%m Exchange alias.
%g Given name. (If a number appears before the “g,” that number of characters
from the recipient’s given name will be used in the email address.)
%i Middle initial.
%s Surname or last name. (If a number appears before the “s,” that number of
characters from the recipient’s last name will be used in the email address.)
%d Display name.
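To see which addresses a template would generate before a policy is applied, and whether it gives away logon names, the variables in the table above can be expanded locally. This is an added example, not code from the book: the function names and the sample recipients are constructed, the templates assume the romacsign.com lab domain, and only the five variables listed above are handled (no other processing Exchange may apply is modelled).

```powershell
# Added example, not from the book. Expand-AddressTemplate and
# Get-AddressPreview are hypothetical names; the recipients are constructed.

function Expand-AddressTemplate([string]$Template, $Recipient) {
    # %m, %i and %d take no count; %g and %s accept an optional leading number.
    $pattern = '%(?:(\d*)([gs])|([mid]))'
    $out = New-Object System.Text.StringBuilder
    $pos = 0
    foreach ($m in [regex]::Matches($Template, $pattern)) {
        # Copy the literal text between the previous variable and this one
        [void]$out.Append($Template.Substring($pos, $m.Index - $pos))
        switch -CaseSensitive ($m.Groups[2].Value + $m.Groups[3].Value) {
            'm' { $value = [string]$Recipient.Alias }
            'g' { $value = [string]$Recipient.FirstName }
            'i' { $value = [string]$Recipient.Initials }
            's' { $value = [string]$Recipient.LastName }
            'd' { $value = [string]$Recipient.DisplayName }
        }
        if ($m.Groups[1].Value) {
            # Leading number: keep only that many characters of the name
            $count = [int]$m.Groups[1].Value
            if ($value.Length -gt $count) { $value = $value.Substring(0, $count) }
        }
        [void]$out.Append($value)
        $pos = $m.Index + $m.Length
    }
    [void]$out.Append($Template.Substring($pos))
    $out.ToString()
}

function Get-AddressPreview([string[]]$Templates, $Recipients) {
    foreach ($r in $Recipients) {
        foreach ($t in $Templates) {
            $address = Expand-AddressTemplate $t $r
            $local   = ($address -replace '^smtp:', '').Split('@')[0]
            New-Object PSObject -Property @{
                Logon            = $r.SamAccountName
                Template         = $t
                Address          = $address
                # True when the part before @ is the logon name (case-insensitive)
                ExposesLogonName = ($local -eq $r.SamAccountName)
            }
        }
    }
}

# Constructed recipients whose alias equals the logon name, the situation the text describes.
$recipients = @(
    New-Object PSObject -Property @{ SamAccountName = 'rfox'; Alias = 'rfox'; FirstName = 'Rodney'; Initials = 'J'; LastName = 'Fox'; DisplayName = 'Rodney Fox' }
    New-Object PSObject -Property @{ SamAccountName = 'lrose01'; Alias = 'lrose01'; FirstName = 'Linda'; Initials = ''; LastName = 'Rose'; DisplayName = 'Linda Rose' }
)

# Assumed templates: alias-based (the default policy's form), FirstName.LastName,
# and first initial plus surname.
$templates = 'SMTP:%m@romacsign.com', 'SMTP:%g.%s@romacsign.com', 'SMTP:%1g%s@romacsign.com'

Get-AddressPreview $templates $recipients |
    Format-Table Logon, Template, Address, ExposesLogonName -AutoSize
```

For the first constructed recipient the %1g%s template also reproduces the logon name, so switching away from %m only helps when the new template differs from the account naming convention.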
The following table shows how to use EMS to create, apply, and edit email address
policies.
New-EmailAddressPolicy -Name RegionName -IncludedRecipients RecipientTypes -ConditionalStateorProvince States -EnabledEmailAddressTemplates "SMTP:%s.%[email protected]"
PS C:\Users\Administrator> New-EmailAddressPolicy -Name "Northeast Region" -IncludedRecipients MailboxUsers -ConditionalStateorProvince "Connecticut","Massachusetts","New York","New Jersey","Pennsylvania","Rhode Island","Maine" -EnabledEmailAddressTemplates "SMTP:%s.%[email protected]"
This New-EmailAddressPolicy
creates an email address policy.
NOTE The use of the
ConditionalStateorProvince parameter allows a filter
to specify a state or province
for an email address
policy, address list, or other
Exchange-related LDAP
query. All recipients with a
ConditionalStateOrProvince attribute that match the value
you specify will be included
in the email address policy or
address list.
Update-EmailAddressPolicy -Identity EmailAddressPolicyName
PS C:\Users\Administrator> Update-EmailAddressPolicy -Identity "Northeast Region"
This Update-EmailAddressPolicy applies
(or updates) an existing email
address policy.
Set-EmailAddressPolicy -Identity EmailAddressPolicyName -ConditionalStateorProvince "Connecticut","Massachusetts","New York","New Jersey","Pennsylvania","Rhode Island","Maine","Delaware"
PS C:\Users\Administrator> Set-EmailAddressPolicy -Identity "Northeast Region" -ConditionalStateorProvince "Connecticut","Massachusetts","New York","New Jersey","Pennsylvania","Rhode Island","Maine","Delaware"
This Set-EmailAddressPolicy
edits an existing email address
policy.
NOTE Even though the e-mail address policy is already applied to recipients in
Connecticut, Massachusetts, New York, New Jersey, Pennsylvania, Rhode Island, and
Maine, you must include them again in the Set-EmailAddressPolicy cmdlet because
the cmdlet overwrites the previous values.
TIP You might have to wait several hours for the new or updated email address policy
to fully take effect.
The following table shows how to use EMS to remove an existing email address policy.
Remove-EmailAddressPolicy -Identity EmailAddressPolicyName -Confirm: $boolean value
PS C:\Users\Administrator> Remove-EmailAddressPolicy -Identity "Northeast Region" -Confirm:$False
This Remove-EmailAddressPolicy
cmdlet removes an existing email address
policy.
TIP Use the -Confirm: $False option
to avoid being prompted about the
deletion.
The following table shows how to use EMS to retrieve information about email address
policies.
PS C:\Users\Administrator> Get-EmailAddressPolicy
This Get-EmailAddressPolicy retrieves a
list of all existing email address policies.
Get-EmailAddressPolicy -Identity EmailAddressPolicyName | fl
PS C:\Users\Administrator> Get-EmailAddressPolicy -Identity "Northeast Region" | fl
This Get-EmailAddressPolicy cmdlet
retrieves all attributes for the specified
email address policy.
(The output is in a list format.)
Creating and Managing Address Lists
The following table shows how to use EMS to create an address list.
New-AddressList -Name AddressListName -RecipientContainer OUName -IncludedRecipients RecipientType -ConditionalStateOrProvince State
PS C:\Users\Administrator> New-AddressList -Name "Pennsylvania Assemblers Address List" -RecipientContainer RomacSign.com/Assembly -IncludedRecipients MailboxUsers -ConditionalStateOrProvince "Pennsylvania"
This New-AddressList cmdlet creates an
address list for all
users with Exchange
mailboxes located
in Pennsylvania that
have accounts in the
Assembly OU.
NOTE The result
of the cmdlet is
shown in EMC
in Figures 7-10
through 7-12 .
Figure 7-10 Created address list, as seen in EMC
Figure 7-11 Recipient container where filter is applied, as seen in EMC
Figure 7-12 Conditions and address list preview, as seen in EMC
The following table shows how to use EMS to update and edit an address list.
Update-AddressList -Identity AddressListName
PS C:\Users\Administrator> Update-AddressList -Identity "Pennsylvania Assemblers Address List"
This Update-AddressList cmdlet updates the
recipients included in the specified address list.
Set-AddressList -Identity AddressListName -DisplayName NewDisplayName -ForceUpgrade:$true
PS C:\Users\Administrator> Set-AddressList -Identity "Pennsylvania Assemblers Address List" -DisplayName "PA Assemblers" -ForceUpgrade:$true
This Set-AddressList cmdlet modifies an existing
address list.
In this example, the Display Name needs to be
changed to PA Assemblers, as shown in Figure 7-13 .
TIP The -ForceUpgrade parameter causes a
dialog box to be ignored that states the following:
“To save changes on object, the object must
be upgraded to the current Exchange version.
After upgrade, this object can’t be managed by a
previous version of Exchange System Manager.
Do you want to continue to upgrade and save
the object?”
This may occur when you upgrade an address list
from Exchange Server 2003 to Exchange 2010.
Figure 7-13 Changing the display name of an address list
The following table shows how to use EMS to move an address list.
Move-AddressList -Identity AddressListName -Target Container
PS C:\Users\Administrator> Move-AddressList -Identity "Pennsylvania Assemblers Address List" -Target "\Assemblers"
This Move-AddressList cmdlet moves the
specified address list to a new location, as
shown in Figure 7-14 .
Figure 7-14 Moving an address list to a new location
The following table shows how to use EMS to remove an address list.
Remove-AddressList -Identity AddressListName -Recursive
PS C:\Users\Administrator> Remove-AddressList -Identity "Pennsylvania Assemblers Address List" -Recursive
This Remove-AddressList cmdlet
removes the specified address list
and all of its child address lists, if the
-Recursive option is included.
The following table shows how to use EMS to retrieve information about address lists.
PS C:\Users\Administrator> Get-AddressList
This Get-AddressList retrieves the attributes
of all the address lists in the All
Address Lists container.
Get-AddressList -Identity AddressListName | fl
PS C:\Users\Administrator> Get-AddressList -Identity "Pennsylvania Assemblers Address List" | fl
This Get-AddressList cmdlet retrieves all
attributes for the specified address list.
(The output is in a list format.)
CHAPTER 8
Bulk Management of Recipients
This chapter provides information and commands concerning the following topics:
■ Creating multiple recipients
■ Modifying multiple recipients
■ Reconnecting multiple disconnected mailboxes
This chapter focuses on the ways you can create and manage recipient objects in bulk.
You will discover that using Exchange Management Shell (EMS) is a very efficient way
to manage recipient objects in Exchange 2010. Also, you can “batch” PowerShell cmdlets
together and save them as text files with a .ps1 extension and they will be executable
from EMS. You will also investigate how to create templates to assist in bulk creation of
user accounts and Exchange mailboxes.
Creating Multiple Recipients
Creating one recipient at a time is not efficient in EMS. There are too many chances
you will type something incorrectly or misconfigure an attribute. But, suppose the HR
department provides you with a file each week with all new hires. You will probably
want to find a way to extract the data from the file and use it to create both the Active
Directory user accounts as well as the Exchange mailboxes. In this next section, you will
investigate some of the ways to create recipients in bulk.
The following table shows the contents of a .csv file that might be imported into Active
Directory. Both an Active Directory user account as well as an Exchange mailbox will
be created with this single file.
FirstName,LastName,Password,Department
Linda,Rose,Pa$$w0rd,Shipping
Larry,Ludin,Pa$$w0rd,Shipping
Karen,Zadnik,Pa$$w0rd,Shipping
Jim,Schaffer,Pa$$w0rd,Shipping
Carolyn,Smith,Pa$$w0rd,Shipping
Fred,Klein,Pa$$w0rd,Shipping
Heather,Flinkman,Pa$$w0rd,Shipping
Leo,Weishew,Pa$$w0rd,Shipping
(Name this file C:\Users\Administrator\NewHires.csv.)
You are given a text file that is gener-
ated by the HR department from a data-
base of information about newly hired
employees, as shown on the left and in
Figure 8-1 .
You want to import the data from the
file, creating both Active Directory
User accounts and Exchange mailboxes
from the data in the file.
Later, HR will give you a second file,
shown in Figure 8-2 , as more new hires
begin work and also require an AD
account and an Exchange mailbox.
NOTE The attributes are very limited
in this file to give you a general idea
of how this works. You will want to
import more attributes to make the
accounts more usable in a production
environment.
Figure 8-1 Text file with users to be imported
The script shown in this table takes the contents of the NewHires.csv file previously cre-
ated and constructs Active Directory users accounts and Exchange mailboxes for each
entry in the file.
## Section 1
## Define Database for new mailboxes
$db="ShippingDB"
## Define User Principal name
$upndom="romacsign.com"
## Define OU for new users
$ou="Shipping"
## Define CSV File with user information
$csvFile="C:\Users\Administrator\NewHires.csv"
## Section 2
## Import csv file into variable $users
$users = Import-Csv $csvFile
## Section 3
## Function to convert Password string to secure string
function SecurePassword([string]$plainPassword)
{
    $secPassword = New-Object System.Security.SecureString
    foreach ($char in $plainPassword.ToCharArray())
    {
        $secPassword.AppendChar($char)
    }
    $secPassword
}
## Section 4
## Create new mailboxes and users
foreach ($i in $users)
{
    $sp = SecurePassword $i.Password
    $upn = $i.FirstName + "@" + $upndom
    ## $display is built here but is not passed to New-Mailbox
    $display = $i.FirstName + " " + $i.LastName
    New-Mailbox -Password $sp -Database $db -UserPrincipalName $upn -Name $i.FirstName -FirstName $i.FirstName -LastName $i.LastName -OrganizationalUnit $ou
}
The text file shown on the left
is one way to use the data in
the NewHires.csv file to import
users into Active Directory and
assign Exchange mailboxes to
the new users.
If you use a file similar to this
one, save it with a .ps1 extension
and it will become executable
from within EMS—much
like a .bat file can be executed
from the command line.
TIP The New-Mailbox cmdlet in Section 4 must
all be typed on one line, even
if it appears word-wrapped on
the page.
NOTE Lines that begin
with pound signs (##) are
remarks.
NOTE The third character
in “.ps1” is the number one
and not a lowercase L.
FirstName,LastName,Password,Department
Joanne,Hoadley,Pa$$w0rd,Shipping
Kevin,Stinson,Pa$$w0rd,Shipping
Jill,Evans,Pa$$w0rd,Shipping
Bill,Hobbs,Pa$$w0rd,Shipping
Monica,Lavin,Pa$$w0rd,Shipping
Tony,Dalmau,Pa$$w0rd,Shipping
Denise,Rousseau,Pa$$w0rd,Shipping
Joe,Heumann,Pa$$w0rd,Shipping
(Rename this file C:\Users\Administrator\NewHires.csv.)
Now that you have the .ps1
file, in the future when you are
given another text file from
HR containing a second batch
of new hires, you can use the
same .ps1 file to import data
from this new .csv file into the
Active Directory, as shown on
the left and in Figure 8-2 .
Exchange mailboxes will be created
for the new users as well.
The only thing you must do in
order for the .ps1 file to work
correctly is rename the file to
NewHires.csv . The contents of
both the earlier .csv file with
the first group of new hires and
the current .csv file with the
second group of new hires are
shown in Figure 8-2 .
Execute the .ps1 file again.
Figure 8-3 displays the results
of the two executions of the
NewHires.ps1 file.
You can also see the newly
hired employees in EMC, as
shown in Figure 8-4 .
Figure 8-2 Text files with both groups of new hires
Figure 8-3 EMS showing that two sets of users and mailboxes have been created
Figure 8-4 EMC showing mailboxes for both sets of users
The benefit of using a .ps1 file is that it is reusable. The .csv file contents may change,
but the .ps1 file used to import the users and create the mailboxes does not change.
However, you can achieve similar results of bulk importing users from a .csv file
without the use of a .ps1 script by using the steps shown in the following table.
$Pass = ConvertTo-SecureString password -asPlainText -Force
PS C:\Users\Administrator> $Pass=ConvertTo-SecureString 'Pa$$w0rd' -asPlainText -Force
This example defines a secure
string password so that you don’t
have to type a password for each
user in the .csv file.
The password is in single quotes
because PowerShell expands $$ (an
automatic variable) inside a
double-quoted string.
NOTE This password will only
be valid from within this session,
unless you incorporate it
into your PowerShell profile.
Name,UserName,Department
Karen Michelfelder,KarenM,Shipping
Michael Doyle,MikeD,Management
Linda Cordon,LindaC,Reception
Donna Ecksterowicz,Donna,Management
Pete Dispenza,Pete,Management
Tom Petock,Tom,Management
Al Sorichillo,Al,Receiving
Pattie Kass,Pattie,Shipping
(Name this file C:\Users\Administrator\MoreNewHires.csv.)
In the next example, you will again
use a .csv file to import users and
create mailboxes.
This file is slightly different from
the previous two. Look at the attribute
line of the file. (The attribute
line is the first line and has been
bolded for your convenience.)
Import-CSV FileName | ForEach-Object -Process {New-Mailbox -Name $_.Name -UserPrincipalName "$($_.UserName)@domain.com" -OrganizationalUnit OUName -Database DatabaseName -Password $Pass -ResetPasswordOnNextLogon $boolean value}
PS C:\Users\Administrator> Import-CSV "C:\Users\Administrator\MoreNewHires.csv" | ForEach-Object -Process {New-Mailbox -Name $_.Name -UserPrincipalName "$($_.UserName)@romacsign.com" -OrganizationalUnit romacsign.com/Users -Database OfficeDB -Password $Pass -ResetPasswordOnNextLogon $true}
Another way to import the data
from a .csv file is to use the
Import-CSV cmdlet that incorporates
a ForEach-Object cmdlet,
as shown on the left and in Figure
8-5 .
This is a bit easier than using the
.ps1 file, but less automated. You
would need to type this each time
you needed to import users from a
.csv file.
Note the use of the New-Mailbox
cmdlet embedded in the code.
Import-CSV FileName | ForEach-Object -Process {Set-User -Identity $_.UserName -Department $_.Department}
PS C:\Users\Administrator> Import-CSV "C:\Users\Administrator\MoreNewHires.csv" | ForEach-Object -Process {Set-User -Identity $_.UserName -Department $_.Department}
This also works when you need to
import Active Directory information
in from the .csv file, as shown
on the left and in Figure 8-5 .
The Department attribute is a
property of a user, not a mailbox.
Note the use of the Set-User cmdlet
in this example, rather than the
New-Mailbox cmdlet in the previous
example. You will be populating
an Active Directory User
account attribute, rather than an
Exchange Mailbox attribute if you
execute this cmdlet.
Get-User | Where-Object {$_.department -eq Department}
PS C:\Users\Administrator> Get-User | Where-Object {$_.department -eq "Management"}
To view the result of the preceding
cmdlet, use the Get-User cmdlet
with a Where clause, as shown on
the left and in Figure 8-5 .
NOTE Figure 8-5 is a multipart illustration of the previous three steps. The first step
creates the users and mailboxes from the MoreNewHires.csv file. The second step
imports the department attribute to the Active Directory for the user account. The third
step displays the department attribute for all users in the Management department.
Figure 8-5 Creating and managing recipients in bulk using EMS
You can even use a template to create mailboxes. To do this, take the Import-CSV
cmdlet you created and executed earlier and assign a variable to it. (You can store this in
your PowerShell profile.) Create a template and variable for each department for which
you regularly create accounts and mailboxes.
The following table shows how to create a template for the Shipping department.
$Pass = ConvertTo-SecureString password -asPlainText -Force
PS C:\Users\Administrator> $Pass=ConvertTo-SecureString 'Pa$$w0rd' -asPlainText -Force
Redefines the secure string password
so that you don’t have to
type a password for each user in
the .csv file.
Name,UserName,Department
Kathy Crawford,KathyC,Shipping
Ed Shields,EdS,Shipping
Madge McCann,MadgeM,Shipping
Andre Brown,AndreB,Shipping
Terri Hines,TerriH,Shipping
Bill Krupitzer,BillK,Shipping
Morey Goldberg,MoreyG,Shipping
Jim Masters,JimM,Shipping
(Name this file C:\Users\Administrator\ShippingNewHires.csv.)
In the next example, you will
again use a .csv file as a template
to import users and create mailboxes.
PS C:\Users\Administrator> $NewShippers = { Import-CSV "C:\Users\Administrator\ShippingNewHires.csv" | ForEach-Object -Process {New-Mailbox -Name $_.Name -UserPrincipalName "$($_.UserName)@romacsign.com" -OrganizationalUnit romacsign.com/Users -Database OfficeDB -Password $Pass -ResetPasswordOnNextLogon $true} }
By storing your Import-CSV pipeline in a variable as a script block
(the outer braces), you can run it from a PS prompt with the call
operator (&) and the variable name, without having to type the entire
cmdlet each time. Without the braces, the pipeline would run once, at
the moment of assignment, and the variable would hold only its output.
PS C:\Users\Administrator> & $NewShippers
When you are given a new .csv
file for new hires in the Shipping
department, you need only type
& and the variable name for that department,
as shown on the left and in
Figure 8-6 .
Figure 8-6 Creating and managing recipients in bulk using a template in EMS
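The import scripts in this section keep one shared plaintext password in the .csv file or in $Pass, and the NewHires.ps1 script never sets -ResetPasswordOnNextLogon. As an added example (not from the book), the following variant takes a .csv with no Password column, gives each account its own random initial password, forces a change at first logon, and only reports what it would do unless -Commit is supplied; Get-SecureIndex, New-InitialPassword, Import-NewHire and -Commit are hypothetical names, and the sample rows are constructed.

```powershell
# Added example, not from the book. Written to run on PowerShell 2.0.

function Get-SecureIndex([int]$Count, $Rng) {
    # Uniform integer in [0, $Count) for $Count <= 256, by rejection sampling
    # (a plain "byte % Count" would favour the low indexes).
    $b = New-Object byte[] 1
    $limit = 256 - (256 % $Count)
    do { $Rng.GetBytes($b) } while ([int]$b[0] -ge $limit)
    return [int]$b[0] % $Count
}

function New-InitialPassword([int]$Length = 16) {
    # Look-alike characters (I, O, l, 0, 1) are left out to ease hand-over.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%*+-=?@'
    $all   = -join $classes
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $chars = New-Object System.Collections.ArrayList
    # One character from every class first, so all four classes are present
    foreach ($set in $classes) { [void]$chars.Add($set[(Get-SecureIndex $set.Length $rng)]) }
    while ($chars.Count -lt $Length) { [void]$chars.Add($all[(Get-SecureIndex $all.Length $rng)]) }
    # Fisher-Yates shuffle so the guaranteed characters are not always in front
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureIndex ($i + 1) $rng
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    -join $chars.ToArray()
}

function Import-NewHire {
    param($Rows, [string]$UpnDomain, [string]$OU, [string]$Database, [switch]$Commit)
    $seen = @{}
    foreach ($row in $Rows) {
        $first = ([string]$row.FirstName).Trim()
        $last  = ([string]$row.LastName).Trim()
        # Letters, apostrophe and hyphen only; other rows are skipped, not repaired
        if ($first -notmatch '^[A-Za-z][A-Za-z''-]*$' -or $last -notmatch '^[A-Za-z][A-Za-z''-]*$') {
            Write-Warning "Skipped (invalid name): '$first' '$last'"
            continue
        }
        # first.last keeps two hires with the same first name from colliding
        $alias = ("$first.$last" -replace "'", '').ToLower()
        if ($seen.ContainsKey($alias)) {
            Write-Warning "Skipped (duplicate in file): $alias"
            continue
        }
        $seen[$alias] = $true
        $plain  = New-InitialPassword
        $params = @{
            Name = "$first $last"; Alias = $alias
            UserPrincipalName = "$alias@$UpnDomain"
            FirstName = $first; LastName = $last
            OrganizationalUnit = $OU; Database = $Database
            Password = (ConvertTo-SecureString $plain -AsPlainText -Force)
            ResetPasswordOnNextLogon = $true
        }
        $created = $false
        if ($Commit) {
            # Needs the Exchange Management Shell; a failure affects this row only
            try { New-Mailbox @params -ErrorAction Stop | Out-Null; $created = $true }
            catch { Write-Warning "New-Mailbox failed for ${alias}: $_" }
        }
        New-Object PSObject -Property @{
            UserPrincipalName = $params.UserPrincipalName
            InitialPassword   = $plain    # hand over out of band, not by e-mail or shared file
            Created           = $created
        }
    }
}

# Constructed sample rows with no Password column. The last two are
# deliberately bad: a repeated hire and a name with a disallowed character.
$sample = @'
FirstName,LastName,Department
Linda,Rose,Shipping
Larry,Ludin,Shipping
Linda,Rose,Shipping
Jim=x,Schaffer,Shipping
'@ | ConvertFrom-Csv

# Dry run: lists the plan and creates nothing. Add -Commit inside EMS to create.
Import-NewHire -Rows $sample -UpnDomain 'romacsign.com' -OU 'Shipping' -Database 'ShippingDB'
```

The dry run returns two planned accounts and two warnings, and it works in a plain PowerShell session because New-Mailbox is only called when -Commit is given.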
Modifying Multiple Recipients
It is also possible to modify multiple recipients using EMS. One modification you may
want to make is to take a collection of existing users who do not have mailboxes and use
EMS to enable them in bulk.
The commands in the first section of the following table create 10 user accounts in
Active Directory. The cmdlet that follows in the second section enables the mailboxes
for the 10 newly created users.
cd\
Dsadd ou "ou=Sales Training,dc=romacsign,dc=com"
Dsadd ou "ou=Observers,ou=Sales Training,dc=romacsign,dc=com"
Dsadd user "cn=salestrainee01,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee02,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee03,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee04,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee05,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee06,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee07,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee08,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee09,ou=Observers,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
Dsadd user "cn=salestrainee10,ou=Observers,ou=Sales Training,dc=romacsign,dc=com" -pwd Pa$$w0rd -dept "Sales Training"
(Name this file C:\Users\Administrator\SalesTraineeEnableMB.bat.)
The Directory Services Administrator has created eight new salespeople and two observers as user accounts in the Active Directory. He or she may have done this with a .bat file similar to the one shown on the left.
NOTE This is not an EMS cmdlet. This is done using the dsadd utility from Windows Server 2008.
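The batch file above gives all ten accounts the same initial password and does not force a change at first logon. As an added example (not from the book), the following PowerShell builds the same ten dsadd calls with a unique random initial password per account and dsadd's -mustchpwd yes option; the function names and the password character set are choices made for this example.

```powershell
# Added example, not from the book: plan the ten trainee accounts with a
# unique initial password each instead of one shared value.
$BaseDn = 'ou=Sales Training,dc=romacsign,dc=com'   # OU used on the page

function New-InitialPassword {
    param([int]$Length = 16)
    # Character sets for this example. Symbols are limited to characters with
    # no special meaning to cmd.exe, and none that dsadd could read as a switch.
    $sets = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        '_+=#.@'
    )
    $alphabet = -join $sets
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    # Largest multiple of the alphabet size that fits in one byte. Values at or
    # above it are discarded so every character is equally likely.
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $chars = New-Object System.Text.StringBuilder
        while ($chars.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$chars.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
        $candidate = $chars.ToString()
        # Require at least one character from every set so the password
        # passes Active Directory complexity checks.
        $ok = $true
        foreach ($set in $sets) {
            if ($candidate.IndexOfAny($set.ToCharArray()) -lt 0) { $ok = $false }
        }
    } until ($ok)
    $candidate
}

function Get-TraineeProvisioningPlan {
    foreach ($n in 1..10) {
        $cn = 'salestrainee{0:D2}' -f $n
        # Trainees 09 and 10 go in the Observers child OU, as in the batch file.
        $ou = if ($n -ge 9) { "ou=Observers,$BaseDn" } else { $BaseDn }
        $password = New-InitialPassword
        New-Object PSObject -Property @{
            DistinguishedName = "cn=$cn,$ou"
            InitialPassword   = $password
            DsaddArguments    = @('user', "cn=$cn,$ou", '-pwd', $password,
                                  '-mustchpwd', 'yes', '-dept', 'Sales Training')
        }
    }
}

$plan = Get-TraineeProvisioningPlan
# Review the plan; each password is handed to its user separately.
$plan | Select-Object DistinguishedName, InitialPassword

# To create the accounts on a machine with the AD DS tools installed:
# $plan | ForEach-Object { & dsadd $_.DsaddArguments }
```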
Use the following if all of the users are not in the same OU, as is
the case in the preceding file:
Get-User | Where-Object
{$_.DistinguishedName -ilike OUName } | Enable-Mailbox -Database DatabaseName
PS C:\Users\Administrator> Get-User | Where-Object {$_.DistinguishedName -ilike "*OU=Sales Training,dc=romacsign,dc=com"} | Enable-Mailbox -Database "TrainingDB"
Once the users have been created, you can use the Enable-Mailbox cmdlet to enable their mailboxes, as shown in Figure 8-7.
NOTE The Enable-Mailbox cmdlet was written this way because not all of the users are in a single OU.
Figure 8-7 Mail-enabling users in bulk using EMS
The cmdlet to enable the users’ mailboxes becomes even easier when all of the users are
in the same Active Directory OU, as shown in the following table.
Use the following if all the users are in the
same OU, as is not the case in the previous
file:
Get-User -OrganizationalUnit OUName | Enable-Mailbox -Database DatabaseName
PS C:\Users\Administrator> Get-User -OrganizationalUnit
"Sales Training" | Enable-Mailbox
-Database "TrainingDB"
If all of the users were in the Sales
Training OU, you could use this much
simpler example. Figure 8-8 shows
the created mailboxes in Exchange
Management Console (EMC).
Figure 8-8 Viewing the created mailboxes from EMC
Bulk modifying a mailbox attribute is equally simple if you know the syntax for the
attribute that you want to modify.
The cmdlets shown in the following table allow you to make a bulk modification to a
group of mailboxes as well as view the change after it has been made.
Get-Mailbox Mailboxes | Set-Mailbox -IssueWarningQuota QuotaSize
PS C:\Users\Administrator>
Get-Mailbox SalesTrainee* |
Set-Mailbox -IssueWarningQuota 49MB
If you wanted to change the default
IssueWarningQuota to 49MB for all
of the sales trainees, you could do so as
shown on the left.
NOTE 49MB was used because it is a unique number and would not correspond to any default values.
Get-Mailbox Mailboxes | fl Name, IssueWarningQuota
C:\Users\Administrator> Get-Mailbox SalesTrainee* | fl
Name, IssueWarningQuota
To verify that the settings took effect,
use the example shown on the left and in
Figure 8-9 .
Note the use of the asterisk (*), which will
collect any mailbox with SalesTrainee in
its name.
Figure 8-9 Viewing the result of the bulk modification
In Chapter 15, “Working with Mailboxes,” you will investigate how to move multiple
mailboxes from one database to another, as well as how to import and export a mailbox,
which could also be done in bulk.
Reconnecting Multiple Disconnected Mailboxes
In addition to using Exchange Management Console (EMC), it is also possible to reconnect disconnected mailboxes using EMS (as shown in the following table). This is especially helpful when multiple user accounts need to be reconnected to their mailboxes.
Get-MailboxStatistics -Database DatabaseName | Where-Object {$_.DisconnectDate -ne $Null} |
Foreach-Object {Connect-Mailbox -Identity $_.MailboxGuid
-Database DatabaseName }
PS C:\Users\Administrator> Get-MailboxStatistics -Database "TrainingDB" |
Where-Object {$_.DisconnectDate -ne $Null} |
Foreach-Object {Connect-Mailbox -Identity $_.MailboxGuid -Database "TrainingDB"}
The sales trainees’ mailboxes have been disconnected because of an accidental deletion of the OU containing all sales trainees.
You restore the Active Directory OU and sales trainee accounts with an authoritative AD restore and now you need to find all disconnected mailboxes for the sales trainees (in the TrainingDB) and reconnect them to their respective user accounts.
The results of the Connect-Mailbox cmdlet are shown in Figure 8-10.
Figure 8-10 Reconnecting mailboxes with the original user accounts
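The pipeline above selects every mailbox in the database that has a DisconnectDate, which also covers mailboxes that were disconnected on purpose before the incident. The following added example (not from the book) narrows the set by name and by disconnect time before anything is reconnected; the function name, the incident time, and the sample rows are constructed for illustration.

```powershell
# Added example, not from the book. The statistics rows are constructed so the
# selection logic runs anywhere; in EMS they would come from
# Get-MailboxStatistics -Database "TrainingDB".
function Select-ReconnectCandidate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Statistic,
        [Parameter(Mandatory = $true)] [string]   $NamePattern,
        [Parameter(Mandatory = $true)] [datetime] $DisconnectedAfter
    )
    process {
        if ($null -eq $Statistic.DisconnectDate) { return }               # still connected
        if ($Statistic.DisconnectDate -lt $DisconnectedAfter) { return }  # disconnected earlier, unrelated
        if ($Statistic.DisplayName -notlike $NamePattern) { return }      # not a sales trainee
        $Statistic
    }
}

# Constructed time of the accidental OU deletion.
$incident = [datetime]'2011-03-14T09:00:00'

# Constructed sample rows with the property names used on the page.
$rows = @(
    (New-Object PSObject -Property @{
        DisplayName    = 'salestrainee01'
        MailboxGuid    = [guid]'11111111-1111-1111-1111-111111111101'
        DisconnectDate = $incident.AddMinutes(20) }),
    (New-Object PSObject -Property @{
        DisplayName    = 'salestrainee09'
        MailboxGuid    = [guid]'11111111-1111-1111-1111-111111111109'
        DisconnectDate = $incident.AddMinutes(20) }),
    # A trainee mailbox that was disconnected deliberately weeks earlier.
    (New-Object PSObject -Property @{
        DisplayName    = 'salestrainee02'
        MailboxGuid    = [guid]'11111111-1111-1111-1111-111111111102'
        DisconnectDate = $incident.AddDays(-21) }),
    # A departed employee whose mailbox must stay disconnected.
    (New-Object PSObject -Property @{
        DisplayName    = 'Former Employee'
        MailboxGuid    = [guid]'22222222-2222-2222-2222-222222222201'
        DisconnectDate = $incident.AddDays(-90) }),
    # A connected mailbox has no DisconnectDate.
    (New-Object PSObject -Property @{
        DisplayName    = 'salestrainee03'
        MailboxGuid    = [guid]'11111111-1111-1111-1111-111111111103'
        DisconnectDate = $null })
)

$candidates = @($rows | Select-ReconnectCandidate -NamePattern 'salestrainee*' -DisconnectedAfter $incident)

# Review the list before reconnecting: only salestrainee01 and salestrainee09 remain.
$candidates | Format-Table DisplayName, DisconnectDate, MailboxGuid -AutoSize

# In EMS, preview with -WhatIf first, then remove it to reconnect:
# $candidates | ForEach-Object {
#     Connect-Mailbox -Identity $_.MailboxGuid -Database "TrainingDB" -WhatIf
# }
```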
CHAPTER 9
The Hub Transport Role
This chapter provides information and commands concerning the following topics:
■ Configuring accepted and remote domains
■ Managing email address policies
■ Working with SMTP connectors and other transport objects
■ Working with routing group connectors
■ Managing transport queues
This chapter focuses on the creation and management of transport objects. Starting with
creating Accepted Domain and Remote Domain objects, you will also learn how to configure
email address policies as well as SMTP Send and SMTP Receive connectors from
Exchange Management Shell. You will work with Routing Group connectors in a mixed
environment with Exchange 2003, and you will also see how to manage transport queues
from the command line.
Configuring Accepted and Remote Domains
If it is an MX record that brings the email to your doorstep, it is the accepted domain
that allows it to enter the Exchange organization. An accepted domain is any SMTP
domain for which Microsoft Exchange accepts incoming messages.
The three types of accepted domains in Exchange 2010 are as follows:
■ Authoritative domain—You use this type when you want to allow email to
be delivered to a recipient that has a domain account and a mailbox in your
Exchange organization.
■ Internal Relay domain—You use this type when you want to allow email to be
delivered to a recipient in your organization or to be relayed to a server in another
email system, but still under the authority of your company or organization.
■ External Relay domain—You use this type when you want to allow email to be
delivered to a recipient outside of this Exchange organization, such as a business
partner’s email system.
You can view, create, manage, and delete accepted domains with the following cmdlets:
■ Get-AcceptedDomain
■ New-AcceptedDomain
■ Set-AcceptedDomain
■ Remove-AcceptedDomain
Get-AcceptedDomain
The following table shows the uses of the Get-AcceptedDomain cmdlet.
PS C:\Users\Administrator> Get-AcceptedDomain
This example retrieves a list of all accepted domains.
Get-AcceptedDomain | Where{$_.DomainType -eq DomainType }
PS C:\Users\Administrator> Get-AcceptedDomain |
Where{$_.DomainType -eq "Authoritative"}
This example retrieves a
list of all accepted domains
with a domain type of
“Authoritative.”
New-AcceptedDomain
The following table shows the uses of the New-AcceptedDomain cmdlet.
PS C:\Users\Administrator>
New-AcceptedDomain
-Name "Romac Neon"
-DomainName romacneon.com -DomainType Authoritative
Creates the domain name
RomacNeon.com as a second
Authoritative accepted domain in
your Exchange organization.
PS C:\Users\Administrator>
New-AcceptedDomain -Name "Romac Sign Company" -DomainName romacsigncompany.com
-DomainType InternalRelay
Creates the domain name
RomacSignCompany.com as an
Internal Relay accepted domain.
PS C:\Users\Administrator>
New-AcceptedDomain -Name "Sign 1 Suppliers"
-DomainName sign1suppliers.com
-DomainType ExternalRelay
Creates the domain name
Sign1Suppliers.com as an External
Relay accepted domain.
The successful creation and management of accepted domains can be viewed in
Exchange Management Console (EMC), as shown in Figure 9-1 .
Figure 9-1 Accepted domains as seen from Exchange Management Console
Set-AcceptedDomain
The following table shows a use of the Set-AcceptedDomain cmdlet.
PS C:\Users\Administrator> Set-AcceptedDomain -Identity "Romac Sign Company" -DomainType Authoritative -MakeDefault $true
Edits the RomacSignCompany.com domain name, changing it from an Internal Relay to an Authoritative accepted domain and uses the MakeDefault parameter to specify the name as the new default domain.
NOTE The first accepted domain created in the organization is created with a default value of $true. Subsequent accepted domains are created with a default value of $false unless you use the MakeDefault parameter equal to $true.
The successful configuration change of an Internal Relay accepted domain to
the default Authoritative accepted domain can be viewed in Exchange Management
Console, as shown in Figure 9-2.
Figure 9-2 Changing a namespace to the default accepted domain as seen from
Exchange Management Console
Remove-AcceptedDomain
The following table shows a use of the Remove-AcceptedDomain cmdlet.
PS C:\Users\Administrator>
Remove-AcceptedDomain -Identity "Sign 1 Suppliers"
Removes the domain name Sign1Suppliers.com as an accepted domain when it is no longer required.
Remote domains allow you to define the settings for message transfer between your
organization and mail domains outside your Active Directory forest. Accepted domains
control what names come in to your organization, but remote domains control what
types of messages go out to the other domain(s). Most commonly, this object controls
Out of Office messages to specific Internet domains when you do not want out-of-office
messages going to all Internet domain names. You can also apply message format
policies and acceptable character sets for messages that are sent from users in your
organization to the remote domain.
Get-RemoteDomain
The following table shows a use of the Get-RemoteDomain cmdlet.
PS C:\Users\Administrator> Get-RemoteDomain
Retrieves a list of all remote domains.
New-RemoteDomain
The following table shows the uses of the New-RemoteDomain cmdlet.
PS C:\Users\Administrator> New-RemoteDomain -DomainName SignDistributors1.com -Name "Sign Distributors 1"
PS C:\Users\Administrator> New-RemoteDomain -DomainName SignDistributors2.com -Name "Sign Distributors 2"
These examples create two new remote domains for a business partner.
Set-RemoteDomain
The following table shows the uses of the Set-RemoteDomain cmdlet.
PS C:\Users\Administrator> Set-RemoteDomain -Identity "Sign Distributors 1" -AllowedOOFType ExternalLegacy -DeliveryReportEnabled $true
PS C:\Users\Administrator> Set-RemoteDomain -Identity "Sign Distributors 2" -AllowedOOFType None -DeliveryReportEnabled $false
The first example edits the SignDistributors1.com remote domain, changing the AllowedOOFType parameter to ExternalLegacy.
With this option enabled, only out-of-office messages configured as external by Outlook 2007 or OWA for mailboxes located on Exchange 2010 or Exchange 2007 Mailbox servers are delivered to the remote domain.
Out-of-office messages set by Outlook 2003 or earlier clients, regardless of the server version of their mailbox store, are delivered to the remote domain.
Out-of-office messages sent by Exchange 2003 or earlier servers, regardless of the client version used to set the out-of-office message, are delivered to the remote domain.
It also sets the DeliveryReportEnabled parameter to $true. These settings are illustrated in Figure 9-3.
The second example edits the SignDistributors2.com remote domain, changing the AllowedOOFType parameter to None and the DeliveryReportEnabled parameter to $false. These settings are illustrated in Figure 9-4.
Figure 9-3 Remote domain settings for SignDistributors1.com as seen from Exchange
Management Console
Figure 9-4 Remote domain settings for SignDistributors2.com as seen from Exchange
Management Console
Select other parameters for the Set-RemoteDomain cmdlet are detailed in the following
table.
-Identity
This required parameter specifies the display name of the remote domain.
NOTE The length of the name cannot exceed 64 characters.
-AllowedOOFType (Example in previous Set-RemoteDomain table.)
This parameter specifies the type of out-of-office notification returned to users at the remote domain.
The valid values are External, ExternalLegacy, None, and InternalLegacy.
The default value is External.
-AutoForwardEnabled
This parameter specifies whether to allow messages that are automatically forwarded in your organization.
Setting this parameter to $true enables auto-forwarded messages to be delivered to the remote domain.
The default setting is $false.
-AutoReplyEnabled
This parameter specifies whether to allow messages that are automatic replies in your organization.
Setting this parameter to $true enables automatic replies to be delivered to the remote domain.
The default value is $false.
-DeliveryReportEnabled (Example in previous Set-RemoteDomain table.)
This parameter specifies whether to allow delivery reports in your organization to the remote domain.
The default value is $true.
-IsInternal
This parameter specifies whether the recipients in this remote domain should be considered as an internal recipient.
When you set this parameter to $true, all transport components, like transport rules or transport agents, treat this remote domain as an internal domain.
The default value is $false.
-Name
This parameter specifies a unique name for the remote domain object.
-NDREnabled
This parameter specifies whether to allow non-delivery reports (NDRs) from your organization.
Setting this parameter to $false suppresses NDRs to the remote domain.
The default value is $true.
As shown in the following table, the Remove-RemoteDomain cmdlet deletes the remote
domain object from the Active Directory.
PS C:\Users\Administrator> Remove-RemoteDomain -Identity "Sign Distributors 1" -Confirm: $false
Removes the remote domain SignDistributors1.com as a remote domain when it is no longer required.
NOTE The -Confirm: $false option does not prompt you to confirm the removal of the remote domain.
TIP When you remove a remote domain, it does not disable mail flow to that domain.
It only removes the settings for message transfer between your organization and the
remote domain.
Managing Email Address Policies
When a recipient is created, it must have an email address if it is to send or receive
email. Recipients (which include users, resources, contacts, and groups) are any
mail-enabled object in Active Directory to which Microsoft Exchange can deliver or route
messages. For a recipient to send or receive email messages, the recipient must have
an email address. If you had to manually assign an email address policy to each recipient,
it would not only be tedious, but it would also lead to inconsistencies in how email
addresses were generated. An email address policy is used to automatically generate
addresses for your recipients. The default policy uses the recipient’s alias before the “@”
and the default accepted domain after, but that can be changed or a new policy can easily
be created.
The following table shows some of the cmdlets you might use when creating or manag-
ing an email address policy.
PS C:\Users\Administrator> Get-EmailAddressPolicy
Retrieves a list of all email address policies in use in the organization.
New-EmailAddressPolicy -Name PolicyName -EnabledEmailAddressTemplates "SMTP:%g.%[email protected]" -RecipientFilter {((RecipientType
-eq "UserMailbox" ) -and (Department -like DeptName ))}
PS C:\Users\Administrator>
New-EmailAddressPolicy -Name "Sales Policy" -EnabledEmailAddressTemplates
"SMTP:%g.%[email protected]" -RecipientFilter {((RecipientType
-eq "UserMailbox") -and (Department -like "Sales"))}
You want a policy to generate a
more friendly email address for the
Sales users in your company.
Creates an email address policy
using a recipient filter, which will
generate an email address that
includes firstname.lastname for all
Sales users, as shown in Figure 9-5 .
An example of an address that
would be generated for Larry
Ludin would be [email protected] .
PS C:\Users\Administrator> New-EmailAddressPolicy -Name "Philadelphia Office"
-IncludedRecipients "AllRecipients" -ConditionalDepartment
"Assembly","Office" -Priority 1 -EnabledEmailAddressTemplates
"SMTP:%g.%[email protected]"
PS C:\Users\Administrator> Set-EmailAddressPolicy -Identity "Philadelphia Office" -ConditionalDepartment "Assembly",
"Manufacturing","Office"
An Active Directory administrator has redesigned the Philadelphia office, breaking it into three departments (Assembly, Manufacturing, and Office Staff) and your email address policy must be edited to include the third department.
NOTE The existing departments must be included in the cmdlet. When you execute the cmdlet, it overwrites all existing values for the ConditionalDepartment attribute. The new ConditionalDepartment settings are illustrated in Figure 9-6.
Figure 9-5 New email address policy created using recipient filter, as seen from
Exchange Management Console
Figure 9-6 New ConditionalDepartment settings as seen from Exchange Management
Console
Other email address policy cmdlets are detailed in the following table.
PS C:\Users\Administrator> Update-EmailAddressPolicy -Identity "Philadelphia Office"
You have added a new department to the Philadelphia Office email address policy in the previous example using the Set-EmailAddressPolicy cmdlet, but it does not take effect.
This example shows the use of the Update-EmailAddressPolicy cmdlet, which you would apply after you use the Set-EmailAddressPolicy cmdlet to set the changes.
PS C:\Users\Administrator> Remove-EmailAddressPolicy -Identity "Philadelphia Office" -Confirm: $false
You have redesigned your email address policies and now you want to remove the Philadelphia Office policy. This example shows the removal of an email address policy.
NOTE The -Confirm: $false option does not prompt you to confirm the removal of the email address policy.
Working with SMTP Connectors and Other Transport Objects
Two types of SMTP connectors can be created in Exchange 2010. Send connectors are
required on Exchange 2010 transport servers to deliver messages to the next hop as they
make their way through the transport pipeline. A Send connector controls outbound
connections from the Exchange organization. Receive connectors are required on Exchange
2010 transport servers to receive messages from the Internet, from email clients, and
from other email servers. A Receive connector controls inbound connections to the
Exchange organization.
Send Connectors
Send connectors are required in Exchange 2010 to send mail to other SMTP hosts. These
Exchange objects are stored in the Active Directory at the organization level (for Hub
Transport servers) and they create a logical connection between Exchange and other
SMTP hosts. On Edge Transport servers, Send connectors can be configured to send
mail to the Internet. On Edge Transport servers, the Send connector is stored locally
in AD LDS. Creating a Send connector is a fairly simple process from the Exchange
Management Console or from Exchange Management Shell.
Get-SendConnector
The following table shows the uses of the Get-SendConnector cmdlet.
PS C:\Users\
Administrator>
Get-SendConnector
PS C:\Users\
Administrator>
Get-SendConnector
-Identity "External
Domain.com Send
Connector" | fl
Allows you to view the configuration of all Send connectors in the organization.
The example allows you to view the configuration of a specific Send connector to the domain ExternalDomain.com on a Hub Transport or Edge Transport server.
Use this cmdlet after you have created a Send connector to view its configuration.
New-SendConnector
The following table shows the uses of the New-SendConnector cmdlet.
New-SendConnector -Internet -Name ConnectorName -AddressSpaces domain1,domain2 (if nec.)
PS C:\Users\Administrator>
New-SendConnector -Internet -Name PartnerSendConnector -AddressSpaces
sign1suppliers.com,
signdistributors.com
$Authentication =
Get-Credential
New-SendConnector -Name ConnectorName -AddressSpaces domain1,domain2(if nec.) -AuthenticationCredential Name -SmartHostAuthMechanism AuthenticationType -DNSRoutingEnabled Boolean -SmartHosts FQDN or IPAddress
PS C:\Users\Administrator>
New-SendConnector -Name "Secure to
Sign1Suppliers.com" -AddressSpaces
sign1suppliers.com -AuthenticationCredential
$Authentication -SmartHostAuthMechanism
BasicAuth -DNSRoutingEnabled $false -SmartHosts 192.168.1.1
Allows you to create a new Send connector on a Hub Transport or Edge Transport.
The first example creates a Send connector to two partner organizations with the following properties:
■ It sends email to the Internet.
■ It only processes messages addressed to the sign1suppliers.com and signdistributors.com domains.
The second example creates the Send connector “Secure to Sign1Suppliers.com” with the following properties:
■ It only processes messages for the Sign1Suppliers.com domain.
■ It uses Basic authentication.
■ It uses a specific authentication credential.
To assign the specific authentication credential for the Send connector, you must first run the Get-Credential cmdlet and store the user’s input as a temporary variable.
NOTE When you run the Get-Credential cmdlet, the command asks for the user name and password of the account used during authentication with the Sign1Suppliers.com mail server, as shown in Figure 9-7.
The temporary variable can then be used in the New-SendConnector cmdlet to create the new connector.
Figure 9-7 Prompted for a credential
The following table details select other parameters for the New-SendConnector cmdlet.
-AddressSpaces (Example in previous New-SendConnector table.)
This is a required parameter that specifies the names to which the Send connector will route mail.
-AddressSpaceType
This parameter specifies the type of address space and may be SMTP, X400, or any other text string. The default is an SMTP address space.
-AddressSpaceCost "SMTP:sign1suppliers.com;1"
This parameter specifies a relative cost for using this connector. The valid input range for the cost is from 1 through 100. A lower cost indicates a better route.
(If you specify the address space type with the address space cost, you must enclose the address space in quotation marks ["] as shown in the example.)
-AuthenticationCredential (Example in previous New-SendConnector table.)
This parameter specifies the creation and passing of a credential object.
-Custom
This parameter specifies the Custom usage type. The usage type specifies the permissions and authentication methods assigned to the Send connector.
-DNSRoutingEnabled (Example in previous New-SendConnector table.)
This parameter specifies whether the Send connector uses DNS to route mail. The valid values for this parameter are $true and $false and the default value is $true.
-Internal
This parameter specifies the Internal usage type. The usage type specifies the permissions and authentication methods assigned to the Send connector.
-Internet
This parameter specifies the Internet usage type. The usage type specifies the permissions and authentication methods assigned to the Send connector.
-MaxMessageSize
This parameter specifies the maximum size of a message that can pass through the connector. The default value is 10MB.
-Partner
This parameter specifies the Partner usage type. The usage type specifies the permissions and authentication methods assigned to the Send connector.
-SmartHostAuthMechanism (Example in previous New-SendConnector table.)
This parameter specifies the smart host authentication mechanism to use during authentication with a remote server. This parameter is used only when a smart host is configured and the DNSRoutingEnabled parameter is set to $false.
The valid values are None, BasicAuth, BasicAuthRequireTLS, ExchangeServer, and ExternalAuthoritative and each value is mutually exclusive with the others.
-SmartHosts (Example in previous New-SendConnector table.)
This parameter specifies the smart hosts that the Send connector may use to route mail and is required if you set the DNSRoutingEnabled parameter to $false.
The SmartHosts parameter can use FQDNs or IP addresses, or combinations of both. You must separate entries with a comma.
-SourceIPAddress
This parameter specifies the local IP address to use as the endpoint for an SMTP connection to a remote messaging server. The default IP address is 0.0.0.0. This value means that the server can use any available local IP address. This parameter is only valid for Send connectors configured on Edge Transport servers.
-SourceTransportServers
This parameter specifies the names of the Hub Transport servers that can use this Send connector. If you specify more than one Hub Transport server, you must separate entries with a comma.
Set-SendConnector
The following table shows the uses of the Set-SendConnector cmdlet.
Set-SendConnector -Identity ConnectorName -MaxMessageSize Value
PS C:\Users\Administrator>
Set-SendConnector -Identity "Secure to
Sign1Suppliers.com" -MaxMessageSize 25MB
Allows you to modify a Send connector on a Hub Transport or Edge Transport server.
The example allows you to edit the configuration of a specific Send connector on a Hub Transport, changing its MaxMessageSize attribute to 25MB from its default value of 10MB.
TIP You might set the same parameters with the Set-SendConnector cmdlet as you
did when you created the connector with the New-SendConnector cmdlet.
Remove-SendConnector
The following table shows a use of the Remove-SendConnector cmdlet.
PS C:\Users\Administrator> Remove-SendConnector -Identity "Secure to Sign1Suppliers.com" -Confirm: $false
Allows you to remove a Send connector on a Hub Transport or Edge Transport server.
The example removes a specific Send connector on a Hub Transport or Edge Transport server.
NOTE The -Confirm: $false option does not prompt you to confirm the removal of the Send connector.
Receive Connectors
Receive connectors are required in Exchange 2010 to receive mail from other SMTP
hosts. These Exchange objects are stored in the Active Directory at the server level (for
Hub Transport servers) and they create a logical connection between Exchange and
other SMTP hosts. On Edge Transport servers, Receive connectors can be configured
to receive mail from the Internet. On Edge Transport servers, the Receive connector is
stored locally in AD LDS. Creating a Receive connector is also a fairly simple process
from either the Exchange Management Console or from Exchange Management Shell.
The following table shows a use of the Get-ReceiveConnector as well as a use of the
New-ReceiveConnector cmdlets.
PS C:\Users\Administrator> Get-ReceiveConnector -Server Romac-EX1
Allows you to view the configuration information for all Receive connectors on the specified Hub Transport or Edge Transport server.
PS C:\Users\Administrator> New-ReceiveConnector -Name "Inbound from Sign1Suppliers.com" -Usage Custom -Bindings 10.10.0.1:25 -RemoteIPRanges 172.16.0.1-172.16.0.50
Creates a new Receive connector on a server that has the Hub Transport or the Edge Transport role installed on it.
NOTE Port number, listening IP address (Bindings), and accepted remote IP addresses (RemoteIPRanges) must be specified in the cmdlet.
New-ReceiveConnector
The following table includes select other parameters for the New-ReceiveConnector
cmdlet.
-Bindings (Example in previous New-ReceiveConnector cmdlet.)
This required parameter specifies the local IP address and TCP port numbers used by the Receive connector to listen for inbound messages.
An IP address of 0.0.0.0 indicates that the Receive connector uses all IP addresses configured on all network adapters to listen for inbound messages. If you specify an incorrect local IP address, the Microsoft Exchange Transport service may fail to start when the service is restarted.
-RemoteIPRanges (Example in previous New-ReceiveConnector cmdlet.)
This required parameter specifies the remote IP addresses from which this connector accepts messages.
You can specify a single IP address or multiple IP address ranges separated by commas.
-Usage (Example in previous New-ReceiveConnector cmdlet.)
This required parameter specifies the default permission groups and authentication methods that will be assigned to the Receive connector.
The valid values for the Usage parameter are Client, Custom, Internal, Internet, and Partner.
If you don’t specify a value for a required parameter, the cmdlet fails.
-AuthMechanism
This parameter specifies the advertised and accepted authentication mechanisms.
The valid authentication options are None, TLS, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer, and ExternalAuthoritative.
You can enter multiple values for the AuthMechanism parameter by separating the values with commas.
-ConnectionTimeout (Example in Set-ReceiveConnector cmdlet that follows this table.)
This parameter specifies the maximum time that a connection can remain open. This applies even if the connection is actively transmitting data over the connector.
The default value for a Receive connector configured on a Hub Transport server is 10 minutes.
The format for the time span is dd.hh:mm:ss (where d = days, h = hours, m = minutes, and s = seconds).
The maximum value is 1 day and the minimum value is 1 second.
-DeliveryStatusNotificationEnabled
This parameter specifies whether the delivery status notification (DSN) EHLO keyword is advertised in the EHLO response to the remote server and is available for use.
This parameter can be set to either $true or $false.
-PermissionGroups
This parameter specifies the groups or roles that can submit messages to the Receive connector and the permissions assigned to those groups.
A permission group is a predefined set of permissions. Valid values for this parameter include None, AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers, Partners, and Custom.
Set-ReceiveConnector
The following table shows a use of the Set-ReceiveConnector cmdlet.
PS C:\Users\Administrator>
Set-ReceiveConnector -Identity "Inbound from
Sign1Suppliers.com" -ConnectionTimeout 00:20:00
Changes the default timeout value for
the Receive connector specified from its
default of 10 minutes to 20 minutes.
Remove-ReceiveConnector
The following table shows a use of the Remove-ReceiveConnector cmdlet.
PS C:\Users\Administrator> Remove-ReceiveConnector -Identity "Inbound from
Sign1Suppliers.com"
-Confirm: $false
Removes the specified Receive connector
when it is no longer required.
NOTE The -Confirm: $false option
does not prompt you to confirm the
removal of the Receive connector.
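The Send connector example earlier in this chapter uses -SmartHostAuthMechanism BasicAuth, and the Receive connector parameters above decide who may connect (RemoteIPRanges, PermissionGroups) and how they authenticate (AuthMechanism). The following added example (not from the book) reviews those settings on connector objects; the function name, the finding texts, and the sample objects are constructed for illustration, and the property names are assumed to match the cmdlet parameters shown on the page.

```powershell
# Added example, not from the book: flag connector settings that deserve a
# second look. Works on any object that exposes the property names below.
function Test-ConnectorSetting {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Connector)
    process {
        $findings = @()
        $props = $Connector.PSObject.Properties

        # Send connector: how the credential is presented to the smart host.
        if ($props['SmartHostAuthMechanism']) {
            if ("$($Connector.SmartHostAuthMechanism)" -eq 'BasicAuth') {
                $findings += 'Smart host credential sent with BasicAuth and no TLS requirement; BasicAuthRequireTLS protects it in transit'
            }
        }

        # Receive connector: who may connect and how they authenticate.
        if ($props['RemoteIPRanges']) {
            $ranges  = @($Connector.RemoteIPRanges) | Where-Object { $_ } | ForEach-Object { "$_" }
            $anyIPv4 = @($ranges) -contains '0.0.0.0-255.255.255.255'
            # Multi-valued settings print as "A, B"; split them into tokens.
            $groups  = "$($Connector.PermissionGroups)" -split '[\s,]+'
            $auth    = "$($Connector.AuthMechanism)" -split '[\s,]+'

            if ($anyIPv4 -and ($groups -contains 'AnonymousUsers')) {
                $findings += 'Anonymous submission accepted from any IPv4 address; confirm this connector is meant to face the Internet'
            }
            if (($auth -contains 'BasicAuth') -and -not ($auth -contains 'BasicAuthRequireTLS')) {
                $findings += 'Basic authentication offered without requiring TLS'
            }
            if ($anyIPv4 -and ($auth -contains 'ExternalAuthoritative')) {
                $findings += 'ExternalAuthoritative trusts every connection; RemoteIPRanges should list only the trusted hosts'
            }
        }

        New-Object PSObject -Property @{ Name = $Connector.Name; Findings = $findings }
    }
}

# Sample objects. The first two use values from the page's examples; their
# PermissionGroups and AuthMechanism values, and the third object, are constructed.
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'Secure to Sign1Suppliers.com'
        SmartHostAuthMechanism = 'BasicAuth'
        SmartHosts = '192.168.1.1' }),
    (New-Object PSObject -Property @{
        Name = 'Inbound from Sign1Suppliers.com'
        RemoteIPRanges = @('172.16.0.1-172.16.0.50')
        PermissionGroups = 'Partners'
        AuthMechanism = 'Tls' }),
    (New-Object PSObject -Property @{
        Name = 'Constructed wide-open connector'
        RemoteIPRanges = @('0.0.0.0-255.255.255.255')
        PermissionGroups = 'AnonymousUsers, ExchangeUsers'
        AuthMechanism = 'Tls, BasicAuth' })
)

$report = $sample | Test-ConnectorSetting
$report | Where-Object { $_.Findings.Count -gt 0 } | ForEach-Object {
    $name = $_.Name
    $_.Findings | ForEach-Object { '{0}: {1}' -f $name, $_ }
}

# In EMS the same function takes the real objects:
# Get-SendConnector    | Test-ConnectorSetting
# Get-ReceiveConnector | Test-ConnectorSetting
```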
Other Transport Cmdlets
The following table includes transport cmdlets other than those specifically designed for
the creation, management, and removal of Send and Receive connectors.
PS C:\Users\Administrator> Get-TransportConfig
Get-TransportConfig | fl MaxSendSize
Allows you to view organization-wide email transport configuration settings on a Hub Transport (or Edge Transport) server.
The second example allows you to view the specified attribute.
PS C:\Users\Administrator> Set-TransportConfig -MaxSendSize 25MB
Changes the specified attribute to a new value.
NOTE You could again use the Get-TransportConfig | fl MaxSendSize cmdlet to view the change.
PS C:\Users\Administrator> Get-TransportPipeline
Allows you to view a list of each transport agent registered on a Hub Transport server.
PS C:\Users\Administrator> Get-TransportServer
PS C:\Users\Administrator> Get-TransportServer Romac-EX1 | fl
PS C:\Users\Administrator> Get-TransportServer Romac-EX1 | fl Name, MessageTrackingLogMaxDirectorySize
Allows you to view some transport configuration information for a Hub
Transport server.
The second example displays all attributes for the specified server.
The third example displays information about a specified attribute that
you will later change with a Set-TransportServer cmdlet.
PS C:\Users\Administrator> Set-TransportServer Romac-EX1 -MessageTrackingLogMaxDirectorySize 2000MB
Allows you to change the specified attribute from its default of 1000MB
(1GB) to 2000MB (2GB).
NOTE You could again use the
Get-TransportServer Romac-EX1 | fl Name, MessageTrackingLogMaxDirectorySize
cmdlet to view the change.
PS C:\Users\Administrator> Get-NetworkConnectionInfo
Allows you to view the network configuration data for all network
adapters configured on an Exchange server.
Working with Routing Group Connectors
Routing Group connectors are not needed in Exchange Server 2010. However, older
Exchange messaging systems still require routing groups. The first Routing Group
connector between Exchange 2010 and Exchange 2003 is created for you during the
installation of your first Hub Transport server role in an existing Exchange 2003
organization, and all Exchange 2010 Hub Transport servers are automatically put into
that single 2010 routing group. A Hub Transport role acts as a bridgehead server in
the 2010 routing group to connect with bridgeheads in the 2003 routing groups. This
2010 routing group is hidden from the Exchange Management Console, but is seen as
Exchange Routing Group (DWBGZMFD01QNBJR) in Exchange System Manager, the Exchange
2003 GUI management tool. You cannot use Exchange System Manager to manage the
Exchange 2010 routing group and will no longer be able to use it to manage any Routing
Group connectors that include a 2010 Hub Transport server as either the source server or
the target server.
TIP Add one letter to each character and the “DWBGZMFD01QNBJR” name spells
“EXCHANGE12ROCKS.” It should be noted that this name cannot be changed.
As shown in the following table, you can use several cmdlets in Exchange Management
Shell to create and manage Routing Group connectors.
New-RoutingGroupConnector -Name ConnectorName -SourceTransportServers SourceServerName -TargetTransportServers TargetServerName -Cost Value -Bidirectional $boolean value -PublicFolderReferralsEnabled $boolean value
PS C:\Users\Administrator> New-RoutingGroupConnector -Name "E2k10 to E2k3 RGC" -SourceTransportServers "Romac-EX1.romacsign.com" -TargetTransportServers "Romac-Legacy2k3-EX01.romacsign.com" -Cost 44 -Bidirectional $true -PublicFolderReferralsEnabled $true
Creates reciprocal Routing Group connectors (because of the bidirectional
parameter) between the Exchange 2010 routing group and the routing group
associated with the specified Exchange Server 2003 server.
A cost of 44 is assigned to the connector, and public folder referrals are
enabled over the connector.
Get-RoutingGroupConnector -Identity RGCName
PS C:\Users\Administrator> Get-RoutingGroupConnector -Identity "Exchange Administrative Group (FYDIBOHF23SPDLT)\Exchange Routing Group (DWBGZMFD01QNBJR)\E2k10 to E2k3 RGC"
Allows you to view the attributes of the Routing Group connector created in
the previous example.
Set-RoutingGroupConnector -Identity RGCName -Cost Value -MaxMessageSize Value -SourceTransportServers SourceServerName -TargetTransportServers TargetServerName
PS C:\Users\Administrator> Set-RoutingGroupConnector -Identity "Exchange Administrative Group (FYDIBOHF23SPDLT)\Exchange Routing Group (DWBGZMFD01QNBJR)\E2k10 to E2k3 RGC" -Cost 57 -MaxMessageSize 7MB -SourceTransportServers "Romac-EX1.romacsign.com" -TargetTransportServers "Romac-Legacy2k3-EX01.romacsign.com"
Allows you to edit one or more attributes for the Routing Group connector
created in the first example.
The cost is changed from 44 to 57, and the MaxMessageSize has been changed
from the default value of 10MB to 7MB.
TIP You must use the Exchange Management Shell to configure these connectors.
The permissions necessary to allow mailflow between the server versions are
automatically configured when the Routing Group connector is created.
Managing Transport Queues
Transport servers host queues. Messages may be brought into the organization in several
different ways:
■ Messages can be placed in the Submission queue by the store driver when it
retrieves messages from users’ outboxes on a mailbox server.
■ Messages can be brought into the organization and placed in the Submission
queue from another SMTP host using an SMTP Receive connector.
■ Properly formatted messages in the Pickup directory are placed in the Submission
queue.
To view and manage the queues on a transport server, you will need to know several
cmdlets (as detailed in the following table).
PS C:\Users\Administrator> Get-Queue | fl
Allows you to view configuration information for queues on the local Hub
Transport server or Edge Transport server.
Get-Queue -Filter {MessageCount -gt Value}
PS C:\Users\Administrator> Get-Queue -Filter {MessageCount -gt 500}
Lists all queues that contain more than 500 messages in them.
You would use this to determine if there are any queues backing up on
a server.
Get-Queue -Identity ServerName\QueueName | Format-List
PS C:\Users\Administrator> Get-Queue -Identity Romac-EX1\externaldomain.com | Format-List
Lists detailed information for a specific queue (ExternalDomain.com)
that exists on the server Romac-EX1.
Suspend-Queue -Filter {NextHopDomain -eq DomainName -and Status -eq "Retry"}
PS C:\Users\Administrator> Suspend-Queue -Filter {NextHopDomain -eq "externaldomain.com" -and Status -eq "Retry"}
Suspends processing on all queues holding messages for delivery to the
domain ExternalDomain.com and that currently have a status of Retry.
Suspend-Queue -Server ServerName -Filter {MessageCount -gt Value}
PS C:\Users\Administrator> Suspend-Queue -Server Romac-EX1.romacsign.com -Filter {MessageCount -gt 500}
Suspends processing on all queues on server Romac-EX1 that have more than
500 messages in the queue.
Resume-Queue -Server ServerName -Filter {NextHopDomain -eq DomainName}
PS C:\Users\Administrator> Resume-Queue -Server Romac-EX1.romacsign.com -Filter {NextHopDomain -eq "externaldomain.com"}
Resumes processing of all queues where the NextHopDomain is
ExternalDomain.com on the server Romac-EX1.romacsign.com.
Retry-Queue -Filter {NextHopDomain -eq DomainName -and Status -eq "Retry"}
PS C:\Users\Administrator> Retry-Queue -Filter {NextHopDomain -eq "externaldomain.com" -and Status -eq "Retry"}
Forces a connection attempt for all queues that have messages destined
for the ExternalDomain.com domain and are in a “Retry” state.
TIP Queue management is often more efficient from Exchange Management Shell
than with Queue Viewer due to the overhead of the GUI environment in Queue Viewer.
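The queue checks from the table above, combined into one read-only triage pass over every transport server. This is an added example, not from the book. It assumes the Exchange Management Shell, reuses the book's 500-message threshold, and Get-BackedUpQueue is a hypothetical helper name.

```powershell
# Added example, not from the book. Read-only: it changes no queue.
# Run in the Exchange Management Shell on a Hub Transport server.
$Threshold = 500   # same threshold as the book's Get-Queue example

function Get-BackedUpQueue {
    # Hypothetical helper: returns queues holding more than $MinMessages messages.
    param(
        [string[]]$Server,
        [int]$MinMessages
    )
    foreach ($s in $Server) {
        try {
            # A string filter lets PowerShell expand $MinMessages locally
            # before the filter is sent to the server.
            Get-Queue -Server $s -Filter "MessageCount -gt $MinMessages" -ErrorAction Stop |
                Select-Object @{Name = 'Server'; Expression = { $s }},
                              Identity, DeliveryType, Status, MessageCount,
                              NextHopDomain, LastError
        }
        catch {
            # A server that cannot be queried is reported, not silently skipped.
            Write-Warning ("Could not read queues on {0}: {1}" -f $s, $_.Exception.Message)
        }
    }
}

$servers = @(Get-TransportServer | ForEach-Object { $_.Name })
$backlog = @(Get-BackedUpQueue -Server $servers -MinMessages $Threshold)

if ($backlog.Count -eq 0) {
    Write-Host ("No queue holds more than {0} messages." -f $Threshold)
}
else {
    # Largest backlog first.
    $backlog | Sort-Object MessageCount -Descending |
        Format-Table Server, Identity, Status, MessageCount, NextHopDomain -AutoSize

    # Queues in Retry are the ones the Suspend-Queue and Retry-Queue examples
    # act on; LastError shows why delivery is failing before you touch them.
    $backlog | Where-Object { "$($_.Status)" -eq 'Retry' } |
        Format-List Identity, NextHopDomain, MessageCount, LastError
}
```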
CHAPTER 10
The Edge Transport Role
This chapter provides information and commands concerning the following topics:
■ Creating an Edge Subscription
■ Edge Synchronization
■ Cloning an Edge Transport
■ Address Rewriting
This chapter focuses on the configuration of an Edge Transport server. You will first
create an Edge Subscription, which makes the Active Directory aware of the existence
of the Edge Transport server and affiliates it with an Active Directory site. Next, you
will set up Edge Synchronization, which is a secure replication of data from the Active
Directory through Hub Transport servers to the Edge Transport. Then, you will clone
an Edge Transport, which will back up the configuration data to an .xml file and can be
used to rebuild a failed Edge Transport or create a second Edge Transport using the
configuration data from the first server. Finally, you will create Address Rewrite entries, a
feature unique to Edge Transport servers.
Creating an Edge Subscription
You begin the process of creating an Edge Subscription from the Edge Transport
server. In addition to other things, this creates a key pair that is used as part of Edge
Synchronization to securely pass data from the secure Active Directory network to the
Edge Transport, which is in the DMZ. An .xml file is created, and that file is used in the
next step, when you subscribe the server to the Active Directory site. All Hub Transports
present at the time of the subscription can then synchronize with the Edge Transport. If
a Hub Transport is removed after the subscription, the other Hub Transports will still be
able to synchronize with the Edge Transport. However, if a new Hub Transport is added,
you have to remove the subscription and subscribe the Edge Transport again. The
subscription process is surprisingly easy.
From the new Edge Transport server, you must create an Edge Subscription .xml file
that you will use to create the Edge Subscription on one of your Hub Transport servers
(as shown in the following table).
New-EdgeSubscription -Filename FileName
PS C:\Users\Administrator> New-EdgeSubscription -Filename "C:\NewEdge.xml"
Creates the file on the Edge Transport server that will be used
in the creation of the subscription on a Hub Transport server.
Now that the subscription file has been created, it must be brought to any Hub Transport
server in the organization. Because there is normally a firewall between your core network
and your DMZ, it may not be easy to copy the .xml file to a Hub Transport server. You
can use removable media such as a flash drive if your security administrators permit it.
NOTE When you move the file to one of your Hub Transport servers, you should make
sure you don’t leave a copy of the file behind on your Edge Transport server. The
information contained in this file could compromise the integrity of your organization. The
file should be destroyed after you use it or it should be moved to a secure location.
From any Hub Transport server, you will take the Edge Subscription .xml file created
previously and use it to create the actual subscription (as shown in the following table).
New-EdgeSubscription -Site SiteName -FileData $(Get-Content -Path FileName -Encoding Byte)
PS C:\Users\Administrator> New-EdgeSubscription -Site "Default-First-Site-Name" -FileData $(Get-Content -Path "C:\NewEdge.xml" -Encoding Byte)
Creates the subscription for the new Edge Transport in the Active
Directory.
NOTE Path refers to the location and file name where you copied the
subscription file from the Edge Transport server.
PS C:\Users\Administrator> Get-EdgeSubscription | Format-List
Retrieves a list of all Edge Subscriptions registered in the
Active Directory, including the one you just created in the
previous example.
The successful creation of the Edge Subscription can be viewed in Exchange
Management Console (EMC), as shown in Figure 10-1.
Figure 10-1 Successful Edge Subscription as seen from EMC
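One way to carry out the Hub Transport step together with the NOTE about not leaving the subscription file behind, as an added example that is not from the book. It reuses the book's sample path and site name; Get-Sha256Hex is a hypothetical helper, and $ExpectedSha256 is a value you would record yourself on the Edge Transport server before moving the file.

```powershell
# Added example, not from the book. Run in the Exchange Management Shell on a
# Hub Transport server after the file has been copied from the Edge Transport.
$SubscriptionFile = 'C:\NewEdge.xml'            # book's sample path
$Site             = 'Default-First-Site-Name'   # book's sample site
$ExpectedSha256   = ''   # assumption: hash noted on the Edge server; '' skips the check

function Get-Sha256Hex {
    # Hypothetical helper. PowerShell 2.0 (used by Exchange 2010) has no
    # Get-FileHash cmdlet, so the .NET class is called directly.
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Clear() }
}

if (-not (Test-Path -LiteralPath $SubscriptionFile)) {
    throw "Subscription file not found: $SubscriptionFile"
}

# Read the file once; the same bytes are hashed and passed to -FileData.
[byte[]]$data = Get-Content -LiteralPath $SubscriptionFile -Encoding Byte -ReadCount 0

# Confirm the file was not altered while it travelled across the DMZ boundary.
$hash = Get-Sha256Hex -Bytes $data
Write-Host ("SHA-256 of {0}: {1}" -f $SubscriptionFile, $hash)
if ($ExpectedSha256 -and ($hash -ne $ExpectedSha256.ToLower())) {
    throw 'Hash differs from the value recorded on the Edge Transport server; not importing.'
}

# Create the subscription and confirm that a new entry appeared in Active Directory.
$before = @(Get-EdgeSubscription | ForEach-Object { $_.Name })
New-EdgeSubscription -Site $Site -FileData $data -ErrorAction Stop | Out-Null
$new = @(Get-EdgeSubscription | Where-Object { $before -notcontains $_.Name })
if ($new.Count -eq 0) {
    throw 'No new Edge Subscription is visible in Active Directory; file left in place.'
}
$new | Format-List Name, Site

# The file is no longer needed. Overwrite it, then delete it. The overwrite is
# best effort only (the file system may keep older copies of the blocks).
[System.IO.File]::WriteAllBytes($SubscriptionFile, (New-Object byte[] $data.Length))
Remove-Item -LiteralPath $SubscriptionFile -Force
Write-Host 'Subscription file removed. Remove the copies on the Edge server and the transfer media too.'
```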
Modification of an Edge Subscription is not possible. The only available option is to
remove the subscription and subscribe the server again. As shown in the following table,
you can remove an Edge Subscription from any Hub Transport because it is stored in the
Active Directory.
PS C:\Users\Administrator> Remove-EdgeSubscription -Identity Romac-Edge
Removes an Edge Subscription.
After you remove the Edge Subscription, all synchronization from the Active
Directory to the Edge Transport server stops.
All the accounts stored in AD LDS are removed.
The Edge Transport server is removed from the source server list of any
Send connector.
Edge Synchronization
Once the subscription has been created, the Configuration partition replicates every 60
minutes by default. The Recipient partition replicates every 4 hours by default. The
information passed to the Edge Transport server during synchronization includes the following:
■ Send connector configuration data
■ Accepted domains
■ Remote domains
■ Message classifications
■ Safe senders lists (hashed)
■ Blocked senders lists
■ Recipients (hashed)
■ List of Send and Receive domains used in domain secure communications with
partners
■ List of SMTP servers identified as internal in your organization’s transport
configuration
■ List of Hub Transport servers in the subscribed Active Directory site
The following table shows you how to start Edge Synchronization manually.
PS C:\Users\Administrator> Start-EdgeSynchronization
Manually starts an Edge Synchronization. A successful Edge Synchronization
is shown in Figure 10-2.
TIP If you receive a CouldNotConnect error message during Edge Synchronization, as
shown in Figure 10-3, it is most likely due to the fact that there is no host (A) record in
DNS for your Edge Transport server. Create a DNS host record for the Edge Transport
server, as shown in Figure 10-4, flush the DNS cache on your Hub Transport server,
and then try the Start-EdgeSynchronization cmdlet again.
Figure 10-2 Successful Edge Synchronization as seen from EMS
Figure 10-3 Unsuccessful Edge Synchronization as seen from EMS
Figure 10-4 Creation of Static DNS host record for the Edge Transport server
The following table shows you how to test Edge Synchronization.
PS C:\Users\Administrator> Test-EdgeSynchronization
Test-EdgeSynchronization -VerifyRecipient RecipientEmailAddress
PS C:\Users\Administrator> Test-EdgeSynchronization -VerifyRecipient
Uses a cmdlet that provides a report of the synchronization status of your
subscribed Edge Transport servers.
One option you could use is the VerifyRecipient parameter to verify that a
single recipient has been successfully synchronized to the Edge Transport server.
This cmdlet compares the data stored in Active Directory and the data stored
in AD LDS. Inconsistent data is reported in the output of the cmdlet.
Cloning an Edge Transport
Two scripts are provided in Exchange 2010 for cloning an Edge Transport server. They
are located by default in the C:\Program Files\Microsoft\Exchange Server\V14\Scripts
directory on your Edge Transport server and are detailed in the following table.
PS C:\Users\Administrator> .\ExportEdgeConfig.ps1 -CloneConfigData "C:\RomacEdge.xml"
Copies the clone configuration data from your Edge Transport server to an
.xml file.
Copy the ImportEdgeConfig.ps1 script to the root folder of your user profile
on the server you are restoring and then run the .ps1 file.
After the clone configuration data file has been created, place it in a
secure location until it is needed.
When needed, perform a clean installation of an Edge Transport server. If the
file is to be used to rebuild a failed server, build the server with the
same name as the failed server. Otherwise, give the new server an
appropriate name.
PS C:\Users\Administrator> .\ImportEdgeConfig.ps1 -CloneConfigData "C:\RomacEdge.xml" -isImport $false -CloneConfigAnswer "C:\RomacEdgeAnswer.xml"
Validate the configuration file and create an answer file, as shown in
Figure 10-5, which will provide server-specific information when the file
is imported. The isImport $false option validates the file.
Figure 10-5 Successful validation of the configuration file and the creation of an answer file
The following table shows the original answer file, followed by the modified answer
file after the server name has been changed. Once the answer file has been modified,
you would use the ImportEdgeConfig.ps1 file to import data from one Edge Transport
server to another.
Original Answer File:
<MachineSpecificSettings>
  <ReceiveConnector Name="Default internal receive connector ROMAC-EDGE">
    <!-- Validation failed -->
    <Fqdn>Romac-Edge.romacsign.com</Fqdn>
  </ReceiveConnector>
</MachineSpecificSettings>
Modified Answer File:
<MachineSpecificSettings>
  <ReceiveConnector Name="Default internal receive connector ROMAC-NEWEDGE">
    <!-- Validation failed -->
    <Fqdn>Romac-NewEdge.romacsign.com</Fqdn>
  </ReceiveConnector>
</MachineSpecificSettings>
Open the answer file (“C:\RomacEdgeAnswer.xml” in the example on the left and
in the previous table) and modify any settings that are invalid for the server.
Usually this involves modifying the name of the server and possibly other
machine-specific data.
NOTE Items changed are in bold typeface in the example.
PS C:\Users\Administrator> .\ImportEdgeConfig.ps1 -CloneConfigData "C:\RomacEdge.xml" -isImport $true -CloneConfigAnswer "C:\RomacEdgeAnswer.xml"
Import the Edge Transport server configuration by using the
ImportEdgeConfig.ps1 script.
The isImport $true option performs the actual import.
NOTE “C:\RomacEdge.xml” represents the full path of the intermediate .xml
template file that will be used by the ImportEdgeConfig.ps1 script.
“C:\RomacEdgeAnswer.xml” represents the full path of the .xml answer file.
When the import is completed, the confirmation message “Importing Edge
configuration information succeeded” appears as shown in Figure 10-6.
Figure 10-6 Successful import of the Edge configuration file
Once the new Edge Transport server has been configured, you should subscribe it as you
did with the original Edge Transport server, as shown in the following table.
PS C:\Users\Administrator> New-EdgeSubscription -Filename "C:\RomacNEWEdge.xml"
Create a subscription for the new server, as you did with Romac-Edge earlier,
as shown in Figure 10-7.
This example creates the subscription file. You would do this on
Romac-NEWEdge.
Figure 10-7 Successful Edge subscription of second Edge Transport as seen from EMC
The following table shows the successful subscription and synchronization of the new
Edge Transport server.
PS C:\Users\Administrator> New-EdgeSubscription -Site "Default-First-Site-Name" -FileData $(Get-Content -Path "C:\RomacNEWEdge.xml" -Encoding Byte)
Use the file on a Hub Transport to create the subscription in the Active
Directory.
PS C:\Users\Administrator> Start-EdgeSynchronization
Allow the Hub Transports to synchronize with the new Edge Transport server
either on a schedule or manually. (Manually is shown in the example and in
Figure 10-8.)
Figure 10-8 Successful Edge subscription of second Edge Transport as seen from EMC
At this point the cloning process is complete. The second Edge Transport server is
subscribed, synchronized, and identically configured to the first Edge Transport server.
Address Rewriting
With Address Rewriting in Microsoft Exchange Server 2010, you can modify the
addresses of senders and recipients for messages entering or leaving the organization
through an Edge Transport server. This is performed by creating and configuring one or
more Address Rewriting agents and creating Address Rewrite entries, as shown in the
following table.
PS C:\Users\Administrator> Get-AddressRewriteEntry
Retrieves a list of all existing address rewrite entries that rewrite sender
and recipient email addresses for messages sent to or from an organization.
NOTE If there are no address rewrite entries present, you will be brought
back to a PS prompt and no output will be displayed.
PS C:\Users\Administrator> New-AddressRewriteEntry -Name "Address Rewrite Entry for [email protected]" -InternalAddress -ExternalAddress
Creates an address rewrite entry for the email address [email protected].
The address will be rewritten for messages in both directions.
PS C:\Users\Administrator> New-AddressRewriteEntry -Name "Address rewrite romacvinylsigns.com and subdomains" -InternalAddress *.romacvinylsigns.com -ExternalAddress romacsigns.com -OutboundOnly $true
Creates an address rewrite entry for all email addresses in the
romacvinylsigns.com domain and all subdomains.
With the -OutboundOnly attribute set to $true, only outbound email messages
will be rewritten.
NOTE There is a 64-character limitation on the Name attribute.
You can change one or more properties of an Address Rewrite entry by using the Set-AddressRewriteEntry cmdlet, as shown in the following table.
PS C:\Users\Administrator> Set-AddressRewriteEntry "Address rewrite romacvinylsigns.com and subdomains" -Name "Address rewrite romacdigitalsigns.com" -InternalAddress "romacvinylsigns.com"
Modifies the internal domain name to be rewritten for the Address Rewrite
entry for romacvinylsigns.com.
It also modifies the descriptive name to reflect the new domain name to be
rewritten.
PS C:\Users\Administrator> Get-AddressRewriteEntry | ft Name, InternalAddress, ExternalAddress
Allows you to view the address rewrite entries created previously.
These changes are also shown in Figure 10-9.
Figure 10-9 Successful creation of address rewrite entries on an Edge Transport server
TIP Address Rewriting can only be performed by Edge Transport servers, not Hub
Transport servers.
CHAPTER 11
Configuring Rules and Agents on Transport Servers
This chapter provides information and commands concerning the following topics:
■ Transport rules and transport agents
■ Journaling rules and journaling agents
■ Anti-spam agents
This chapter focuses on the configuration of rules and agents on Hub Transport servers.
There are many rules and many combinations of conditions and actions that make up
rules. The intent of the first portion of the chapter is not to explore each combination,
but to provide the cmdlet and parameter syntax so that you can create transport rules
using Exchange Management Shell.
Transport Rules and Transport Agents
Transport rules can restrict message flow as a message passes through your organization.
They can also modify the contents of the message. This puts great power in the hands
of those who create these rules. These rules allow you to comply with company or
government regulations, by applying messaging policies to messages that flow through the
transport pipeline on Hub Transport or Edge Transport servers.
Here are some of the things that can be achieved with a transport rule:
■ Applying one or more disclaimers in your organization as the messages pass
through the organization
■ Preventing confidential or inappropriate messages from entering or leaving the
organization
■ Restricting inbound or outbound messages from being delivered until they are
inspected
■ Tracking messages that are sent to or received from specific individuals
■ Archiving specific messages for specific individuals
Transport Rules
Transport rules are made up of three components, as detailed in the following table.
Conditions Conditions identify the messages to which a transport rule action
should be applied.
Within a condition is a component called a predicate. A predicate stipulates
which part of the message should be examined.
Actions Actions are performed on messages that match the conditions of the
rule, provided they are not specifically excluded by an exception.
One of the most common actions that a company will want to take is to
insert a disclaimer into the message.
Exceptions Exceptions are very much like conditions. They look for the same
predicates. The difference is that instead of applying the action, exceptions
prevent the action from taking effect.
Exceptions override conditions.
The following table details the various transport rule cmdlets.
PS C:\Users\Administrator> Get-TransportRuleAction
Retrieves a list of transport rule actions that can restrict message flow or
modify message content as the message passes through the transport pipeline.
NOTE The version of Exchange Server determines which transport rule
actions are available. Each new version adds additional options.
PS C:\Users\Administrator> Get-TransportRulePredicate
Retrieves a list of all transport rule predicates that determine the
available conditions and exceptions.
NOTE The version of Exchange Server determines which transport rule
predicates are available. Each new version adds additional options.
PS C:\Users\Administrator> Get-TransportRule
Retrieves a list of all transport rules configured on all Hub Transport
servers or a single Edge Transport server.
Get-TransportRule -Identity Transport rule GUID or Name | Format-List
PS C:\Users\Administrator> Get-TransportRule -Identity "Disclaimer Rule" | Format-List
Displays the properties of the specified transport rule.
PS C:\Users\Administrator> New-TransportRule -Name 'Disclaimer Rule' `
-Comments 'This rule applies the company disclaimer to all messages from internal users.' `
-Priority '0' -Enabled $true -FromScope 'InOrganization' `
-ApplyHtmlDisclaimerLocation 'Append' `
-ApplyHtmlDisclaimerText '<div style="font-size:9pt; font-family: ''Calibri'',sans-serif;">
%%displayname%%<br/>%%title%%<br/>%%company%%<br/>%%street%%<br/>
%%city%%, %%state%% %%zipcode%%</div><br/>
<div style="background-color:#D5EAFF; border:1px dotted #003333; padding:.8em; ">
<span style="font-size:12pt; font-family: ''Cambria'',''times new roman'',''garamond'',serif;
color:#ff0000;">Confidentiality Notice:</span><br/>
<p style="font-size: 8pt; line-height:10pt; font-family: ''Cambria'',''times roman'',serif;">This
message contains confidential information and is intended only for the
individual(s) addressed in the message. If you are not the named addressee,
you should not disseminate, distribute, or copy this e-mail. If you are not
the intended recipient, you are notified that disclosing, distributing, or
copying this e-mail is strictly prohibited. </p>
<span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt;
font-family: ''Calibri'',Arial,sans-serif; ">
<a href="http://www.RomacSign.com">Romac Sign Company, Inc. </a></span><br/>
<br/></div>' `
-ApplyHtmlDisclaimerFallbackAction 'Wrap'
Creates a new transport rule that stamps a disclaimer on every message from
an internal user, no matter where the message will go. All of the text in the
-ApplyHtmlDisclaimerText parameter is the HTML code that makes up your
disclaimer.
NOTE The rule’s condition and action in the example are for illustration
only. You would create rules with the appropriate conditions and actions to
meet your needs.
The newly created rule can be viewed in Figure 11-1 and the disclaimer can be viewed
in Figure 11-2.
Figure 11-1 Newly created transport rule as seen in EMC
Figure 11-2 Disclaimer applied by the transport rule
The following table details the use of the Get-TransportRule cmdlet.
PS C:\Users\Administrator> Get-TransportRule -Identity "Disclaimer Rule" | fl Name, FromScope, SentToScope
Retrieves specified parameters for a rule you wish to modify, as shown in
Figure 11-3.
(Notice that the SentToScope parameter has no associated value.)
Figure 11-3 Original transport rule showing the specified parameters
The following table uses the Set-TransportRule cmdlet to change the SentToScope
attribute and verifies the change with the Get-TransportRule cmdlet.
PS C:\Users\Administrator> Set-TransportRule -Identity "Disclaimer Rule" -SentToScope NotInOrganization
Modifies a transport rule so that it will be applied to messages sent only
to recipients outside of your Exchange organization.
PS C:\Users\Administrator> Get-TransportRule -Identity "Disclaimer Rule" | fl Name, FromScope, SentToScope
Retrieves specified parameters for the modified rule, as shown in Figure 11-4.
(Notice that the SentToScope parameter now has a value of NotInOrganization.)
Figure 11-4 Modified transport rule showing the specified parameters
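Because a transport rule can restrict or rewrite every message, a change such as the Set-TransportRule edit above is worth detecting when nobody announced it. The following added example, which is not from the book, saves a baseline of the rule properties used in this chapter and reports rules that were added, removed, or changed since. $BaselinePath, Get-RuleSnapshot and Compare-RuleSnapshot are hypothetical names, and the watched property list is an assumption you can extend.

```powershell
# Added example, not from the book. Run in the Exchange Management Shell.
# $BaselinePath is an assumed location; keep it where only administrators can write.
$BaselinePath = 'C:\Baselines\TransportRules.xml'

# Properties compared. All but State are parameters of the chapter's
# New-TransportRule and Set-TransportRule examples; State reflects -Enabled.
$Watch = 'State', 'Priority', 'Comments', 'FromScope', 'SentToScope',
         'ApplyHtmlDisclaimerLocation', 'ApplyHtmlDisclaimerText',
         'ApplyHtmlDisclaimerFallbackAction'

function Get-RuleSnapshot {
    # Flattens each rule to name -> table of property strings, so live rules and
    # rules loaded from the baseline file compare the same way.
    $snap = @{}
    foreach ($rule in @(Get-TransportRule)) {
        $props = @{}
        foreach ($p in $Watch) { $props[$p] = [string]$rule.$p }
        $snap[$rule.Name] = $props
    }
    $snap
}

function Compare-RuleSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    foreach ($name in $Current.Keys) {
        if (-not $Baseline.ContainsKey($name)) {
            $findings += "ADDED    $name"
            continue
        }
        foreach ($p in $Watch) {
            if ($Baseline[$name][$p] -ne $Current[$name][$p]) {
                $findings += ("CHANGED  {0}: {1}" -f $name, $p)
            }
        }
    }
    foreach ($name in $Baseline.Keys) {
        if (-not $Current.ContainsKey($name)) { $findings += "REMOVED  $name" }
    }
    $findings
}

$current = Get-RuleSnapshot
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the reviewed state.
    $dir = Split-Path -Parent $BaselinePath
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $current | Export-Clixml -Path $BaselinePath -Depth 3
    Write-Host ("Baseline created with {0} rule(s)." -f $current.Count)
}
else {
    $baseline = Import-Clixml -Path $BaselinePath
    $diff = @(Compare-RuleSnapshot -Baseline $baseline -Current $current)
    if ($diff.Count -eq 0) { Write-Host 'Transport rules match the baseline.' }
    else { $diff | ForEach-Object { Write-Warning $_ } }
}
```

After a reviewed change, delete the baseline file and run the script again to record the new state.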
Transport Agents
Transport rules are applied on Hub Transport and Edge Transport servers by transport
agents. On the Hub Transport servers, which are members of the Active Directory,
rules are applied uniformly by the Transport Rules agent. The agent fires on the
OnRoutedMessage transport event. Because the transport rules are stored in Active
Directory, they are available to all Hub Transport servers in the organization, and this
allows all Hub Transport servers to consistently apply a single set of rules across the
entire organization. The server processing the message queries the Active Directory to
retrieve the organization’s transport rules and then applies the rule(s) to all messages that
it processes.
PS C:\Users\Administrator> Get-TransportPipeline
Retrieves all of the enabled transport agents and the SMTP events on which
they are registered.
NOTE The information retrieved by the Get-TransportPipeline cmdlet is
retrieved only after a message has been sent through the transport pipeline.
Prior to the first message being sent in an organization, no transport
information will be available.
Journaling Rules and Journaling Agents
Exchange 2010 provides three journaling options:
■ Standard journaling —Configured on the mailbox database. The journaling agent
journals all messages sent to and from mailboxes located in the specific mailbox
database.
■ Premium journaling —Enables the journaling agent to perform a more granular
level of journaling by using journal rules. You must have an Exchange Enterprise
client access license (CAL) for each mailbox that will require premium journaling.
■ Journaling as a part of Messaging Records Management —Allows you to
incorporate journaling into your managed folder mailbox policies. You must also
have an Exchange Enterprise client access license (CAL) to use this form of
journaling.
Journaling Rules
The following table shows an example of standard journaling.
NOTE Before performing the next steps, create a User mailbox recipient that will act
as the journal mailbox. In the example, it will be called ProductionJournalMB.
PS C:\Users\Administrator> Set-MailboxDatabase "ProductionDB" -JournalRecipient "ProductionJournalMB"
Enables journaling for the mailbox database called ProductionDB and sets
ProductionJournalMB as the journal recipient.
NOTE The JournalRecipient parameter specifies where the journal reports
are sent.
The following table shows an example of premium journaling.
NOTE Before performing the next steps, create a User mailbox recipient that will act
as the journal mailbox. In the examples, it will be called JournalMailbox.
PS C:\Users\Administrator> Set-Mailbox "Journal Mailbox" -AcceptMessagesOnlyFromSendersOrMembers "Microsoft Exchange" -RequireSenderAuthenticationEnabled $true
Configures delivery restrictions on a journaling mailbox called Journal
Mailbox. It restricts the mailbox to accept messages only from the
Microsoft Exchange recipient.
NOTE This optional procedure should only be performed in organizations
where the journaling mailbox is required to receive email only from the
Microsoft Exchange recipient. Be aware that this step cannot be performed
from EMC, because the system mailbox called “Microsoft Exchange” is hidden
in the GAL.
PS C:\Users\Administrator> Set-Mailbox "Journal Mailbox" -UseDatabaseQuotaDefaults $false -IssueWarningQuota unlimited -ProhibitSendQuota unlimited -ProhibitSendReceiveQuota unlimited
Disables mailbox quotas for the journaling mailbox and is an optional step
that should be taken only when the journaling mailbox has ample storage
and will not consume all of the space in the database.
PS C:\Users\Administrator> Add-MailboxPermission -Identity "Journal Mailbox" -User JournalAdmin -AccessRights Fullaccess -InheritanceType all
Grants Full Access permissions to the selected journal administrator for
accessing the journaling mailbox.
NOTE This also is an optional step.
PS C:\Users\Administrator> New-JournalRule -Name "Journal VP E-mail" -Recipient [email protected] -JournalEmailAddress "Journal Mailbox" -Scope Global -Enabled $True
Creates a journal rule to journal all messages sent to and received by the
recipient VP@romacsign.com.
TIP The scope parameter determines which messages are journaled for the recipient.
A scope of Internal means that both sender and recipient must be internal. A scope of
External means that either the sender or the recipient of the message must be external.
A scope of Global, as in the example, means that all messages to and from the
recipient will be journaled, regardless of where the recipient is located.
The following table shows you how to disable, enable, modify, or remove a rule after it
has been created.
PS C:\Users\Administrator> Disable-JournalRule "Journal VP E-mail" -Confirm:$false
Disables the specified rule.
NOTE The -Confirm:$false option means that you will not be prompted to confirm the
disabling of the rule and is an optional parameter.
PS C:\Users\Administrator> Enable-JournalRule "Journal VP E-mail"
Enables the specified rule after it has been disabled.
PS C:\Users\Administrator> Set-JournalRule -Identity "Journal VP E-mail" -Recipient [email protected] -JournalEmailAddress [email protected] -Scope External
Modifies the rule to only journal messages to and from external recipients.
Messages sent internally are no longer journaled.
PS C:\Users\Administrator> Remove-JournalRule "Journal VP E-mail" -Confirm:$false
Removes or deletes the specified rule.
The following table shows you how to set an alternate journaling mailbox.
PS C:\Users\Administrator> Set-TransportConfig -JournalingReportNdrTo
Allows you to configure Exchange to redirect rejected journal reports to an
alternate journaling mailbox named
Rejections may occur due to inaccessibility of the journal mailbox or because the
mailbox has become full.
NOTE You cannot use the EMC to configure an alternate journaling mailbox. You also
may not have more than one alternate journaling mailbox.
Journaling Agents
In an Exchange 2010 organization, all email traffic is routed by one or more Hub
Transport servers. Every message passes through at least one Hub Transport. The
journaling agent processes all of these messages, looking for those messages to be copied as
part of standard journaling at the database level as well as specific journaling as dictated
by rules that have been created as part of premium journaling. The agent fires on the
OnSubmittedMessage and OnRoutedMessage transport events.
The journaling agent is a built-in agent and cannot be viewed with the Get-TransportAgent cmdlet, as was the case in Exchange Server 2007.
Anti-Spam Agents
To install the anti-spam agents on a Hub Transport server, navigate to the C:\Program
Files\Microsoft\Exchange Server\Scripts directory (on a default installation) in Exchange
Management Shell and run the install-antispamagents.ps1 PowerShell executable script.
After installation, you can view and configure the anti-spam agents on the Anti-spam tab
under the Organization Configuration | Hub Transport node in Exchange Management
Console. (Close and reopen the console if the Anti-spam tab does not appear.)
The following .ps1 file installs all the built-in anti-spam agents on transport servers in
Exchange Server 2010.
PS C:\Users\Administrator> .\install-antispamagents.ps1
Installs the anti-spam agents on the Hub Transport server and Edge Transport servers.
The Anti-spam tab and associated agents are shown in Figure 11-5.
Figure 11-5 Anti-spam agents on the Anti-spam tab as seen in Exchange Management
Console
As shown in the following table, you can also uninstall the Anti-spam agents if you no
longer require them.
PS C:\Users\Administrator> .\uninstall-antispamagents.ps1
Uninstalls the anti-spam agents on a transport server.
TIP If you are using an Edge Transport server, it is not necessary to install the agents
on a Hub Transport server.
CHAPTER 12
CAS Services
This chapter provides information and commands concerning the following topics:
■ Configuring Outlook access
■ Enabling and configuring Outlook Anywhere access
■ Enabling and configuring OWA access
■ Configuring POP3 and IMAP4
■ Configuring the Autodiscover service
■ Configuring the Offline Address Book (OAB)
This chapter focuses on the configuration of the Client Access Server from the various
clients’ perspective. You will observe how to configure various clients to connect to and
receive information from the CAS.
Configuring Outlook Access
There are times when you would like to restrict certain clients from accessing Exchange.
In many cases, this is done simply by disabling a service on a server. However, what
if you would like to restrict certain client modes or certain client versions from
accessing Exchange? This can be accomplished with the Set-CASMailbox cmdlet. The
Set-CASMailbox cmdlet has many purposes, most dealing with Outlook Web App.
However, it can also restrict Outlook modes or versions as necessary.
The following table shows how to enable/disable Cached Exchange Mode.
PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit "Inside Sales" | Set-CASMailbox -MAPIBlockOutlookNonCachedMode $true
Prevents recipients in the Inside Sales OU from accessing Exchange using Cached
Exchange Mode.
The following table shows how to enable and disable versions of Outlook.
PS C:\Users\Administrator> Get-Mailbox | Set-CASMailbox -MAPIBlockOutlookVersions "11.5608.5606-11.6568.5658;14.4760.1000-14.4763.1000"
Restricts MAPI access to Exchange to just Outlook 2007 versions.
For example, your organization has decided that Outlook 2003 is not permitted to connect
to Exchange 2010, and Outlook 2010 will not be permitted until testing can take place in
the lab environment.
NOTE The first URL links to Microsoft TechNet and displays Outlook version
information: http://support.microsoft.com/kb/870929
The second URL displays proper formatting for the version IDs:
http://support.microsoft.com/?kbid=288894
TIP The other versions of Outlook are listed in Chapter 33, "Reporting and Other
Useful Cmdlets."
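A block list like the one above can be checked offline before it is applied to every mailbox. The following PowerShell is an added example, not code from the book or from Exchange: the function name Test-OutlookVersionBlocked and the sample client builds are hypothetical, and the handling of single versions and open-ended ranges goes beyond the two closed ranges shown above as an assumption about the list syntax.

```powershell
# Added example: evaluates a client build against a MAPIBlockOutlookVersions-style list.
# Test-OutlookVersionBlocked is a hypothetical helper; nothing here calls Exchange.
function Test-OutlookVersionBlocked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $ClientVersion,          # for example "12.6425.1000"

        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string] $BlockList               # ranges separated by semicolons
    )

    $client = [version]$ClientVersion

    foreach ($entry in ($BlockList -split ';')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }

        if ($entry -notmatch '-') {
            # Assumption: a single version blocks exactly that build.
            if ($client -eq [version]$entry) { return $true }
            continue
        }

        # Range "low-high". Assumption: an empty side leaves the range open-ended.
        $low, $high = $entry -split '-', 2
        $low  = $low.Trim()
        $high = $high.Trim()

        $aboveLow  = (-not $low)  -or ($client -ge [version]$low)
        $belowHigh = (-not $high) -or ($client -le [version]$high)

        if ($aboveLow -and $belowHigh) { return $true }
    }

    return $false
}

# Block list from the example above (Outlook 2003 and Outlook 2010 build ranges).
$blockList = '11.5608.5606-11.6568.5658;14.4760.1000-14.4763.1000'

# Constructed client builds, chosen only to exercise both ranges and the gaps around them.
$samples = '11.6000.5000', '12.6425.1000', '14.4761.1000', '14.5000.1000'

foreach ($build in $samples) {
    New-Object PSObject -Property @{
        ClientVersion = $build
        Blocked       = Test-OutlookVersionBlocked -ClientVersion $build -BlockList $blockList
    } | Select-Object ClientVersion, Blocked
}
```

Builds that fall outside every listed range, including ones newer than the upper bound of the last range, are reported as not blocked, which is worth confirming before relying on a range to exclude a whole product version.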
Enabling and Configuring Outlook Anywhere Access
To allow users to access Exchange using Outlook when they are not on the local
network, you may want to enable Outlook Anywhere. Outlook Anywhere was called RPC
over HTTP in Exchange 2003. The following table shows you how to enable/disable the
clients’ access to Exchange with Outlook Anywhere.
PS C:\Users\Administrator> Enable-OutlookAnywhere -Server:Romac-EX1 -ExternalHostname:mail.romacsign.com -ClientAuthenticationMethod:Basic,Ntlm -SSLOffloading:$true
Enables the server Romac-EX1 for Outlook Anywhere.
The external host name is set to mail.romacsign.com and both Basic and NTLM
authentication are used.
TIP With both authentication modes set, users on computers joined to the domain
will not be prompted for authentication, and users on computers not joined to the
domain will be prompted for authentication when connecting with Outlook Anywhere.
-SSLOffloading is set to $true.
NOTE By setting this option to $true, you are indicating to Exchange that you
have an SSL accelerator that can handle the encryption/decryption process. If you
don’t, set this option to $false; otherwise, Outlook Anywhere won’t function correctly.
PS C:\Users\Administrator> Disable-OutlookAnywhere -Server Romac-EX1 -Confirm:$false
Disables Outlook Anywhere on the CAS.
Enabling and Configuring OWA Access
By default, users can use Outlook Web App or OWA. You can restrict access to
Exchange using OWA by again using the Set-CASMailbox cmdlet.
The following table shows you how to enable/disable OWA access.
PS C:\Users\Administrator> Get-Mailbox | Set-CASMailbox -OWAEnabled $false
Disables all recipients in the organization from accessing Exchange using Outlook Web App.
Figure 12-1 shows the effect on one user.
Figure 12-1 No recipients can access Exchange via OWA
PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit "Outside Sales" | Set-CASMailbox -OWAEnabled $true
After disabling OWA for everyone, use this example if it is necessary for one specific
Organizational Unit (OU) to use OWA.
Figure 12-2 shows the effect on the same user when the user is moved into the affected OU
and the cmdlet is rerun.
Figure 12-2 The recipient moved into the affected OU can access Exchange via OWA
Configuring POP3 and IMAP4
Support for the POP3 and IMAP4 protocols may still be required in your organization.
Many settings are available for both of these services. The intent of this portion of the
chapter is not to explore each setting, but to provide the cmdlets so that you can
configure these services using Exchange Management Shell (EMS).
TIP Often, you can incorrectly enter a cmdlet that’s close to the actual one, if you do
not know it, and the built-in EMS Help feature will provide the correct cmdlet.
This table shows you how to view service status using the Get-Service cmdlet as well as
how to start and stop services using EMS.
PS C:\Users\Administrator> Get-Service msexchangepop3
PS C:\Users\Administrator> Get-Service msexchangeimap4
Retrieves the status of the POP3 and IMAP4 services on the server on which they are run.
PS C:\Users\Administrator> Start-Service msexchangepop3
PS C:\Users\Administrator> Stop-Service msexchangepop3
Shows how you can also start and stop these services from EMS.
NOTE Substitute imap4 in place of pop3 if appropriate.
The following table shows three examples of the many options used to configure POP
and IMAP settings.
PS C:\Users\Administrator> Set-PopSettings -Server "Romac-EX2" -UnencryptedOrTLSBindings 10.10.0.10:993
Sets the plain text or TLS connection to the Client Access Server Romac-EX1.
In this example, the connection uses an IP address of 10.10.0.10 and a port number of 993.
PS C:\Users\Administrator> Set-ImapSettings -ProtocolLogEnabled $true -LogFileLocation "D:\Imap4Logfiles"
Turns on IMAP4 protocol logging.
It also changes the path to the IMAP4 protocol logging directory to D:\Imap4Logfiles.
PS C:\Users\Administrator> Set-ImapSettings -LogPerFileSizeQuota 2097152
After changing the log file location, you may also want to change the max log file
size that will be reached before a new log file is created. This example changes that
setting to create a new log file when the current file reaches 2 MB.
Configuring the Autodiscover Service
The Autodiscover service was introduced with Exchange Server 2007. It is a remarkably
simple concept that probably took too long to come into existence. The Active Directory
“knows” who you are when you authenticate. With Autodiscover, Outlook receives
configuration data at logon and on a continuous basis as long as it is running. When the
client authenticates, it queries for the existence of a Service Connection Point (SCP). The
SCP has the location of the Autodiscover URL. Normally, this would be something like
Romac-EX1.romacsign.com/Autodiscover/Autodiscover.xml.
You might want to move the Autodiscover virtual directory to a public web server to
make it accessible from the Internet. To do this, you must change the service location
and remove the current virtual directory on your CAS. In the following table,
Romac-EX2 represents the company’s public web server.
PS C:\Users\Administrator> Set-ClientAccessServer -Identity Romac-EX2 -AutodiscoverServiceInternalURI "http://romac-ex2.romacsign.com"
Specifies the internal URL for the Autodiscover service.
PS C:\Users\Administrator> Remove-AutodiscoverVirtualDirectory -Identity "Romac-EX1\Autodiscover (Default Web Site)" -Confirm:$false
Uses the Remove-AutodiscoverVirtualDirectory cmdlet to remove the Autodiscover virtual
directory associated with the Autodiscover service on a Client Access Server.
As shown in the following table, after removing the original virtual directory on the
CAS, you must create a new one on a public web server if external users must access the
Exchange organization and be configured automatically.
PS C:\Users\Administrator> New-AutodiscoverVirtualDirectory -WebSiteName "autodiscover.romacsign.com" -WindowsAuthentication $true -DigestAuthentication $true
Illustrates that when you have more than one email domain in your organization and each
requires its own Autodiscover site and its own virtual directory, you can use the
New-AutodiscoverVirtualDirectory cmdlet to create a new Autodiscover virtual
directory under a new website.
NOTE You should always enable Secure Sockets Layer (SSL) for the Autodiscover service.
PS C:\Users\Administrator> Get-AutodiscoverVirtualDirectory -DomainController Romac-DC1 -Server Romac-EX2
Retrieves the settings for the Autodiscover virtual directory on a CAS.
Configuring the Offline Address Book (OAB)
The Offline Address Book (OAB) is initially a copy of the default Global Address List
(GAL) that a client can download and use when the network is not present. In Exchange
Server 2003, the OAB was stored in a System Public folder. In Exchange Server 2010, it
is stored as a virtual directory on a Client Access Server. When you install the CAS role,
the virtual directory named OAB is created in the Default website, but it is not available
from outside of your Exchange organization until an External URL is set. Also, the OAB
virtual directory does not require SSL by default. The following table shows that both of
these settings can be configured with the Set-OabVirtualDirectory cmdlet.
PS C:\Users\Administrator> Set-OABVirtualDirectory -Identity "Romac-EX1\OAB (Default Web Site)" -ExternalUrl "https://www.romacsign.com/OAB"
Configures the OAB virtual directory to be available from outside the Exchange organization.
PS C:\Users\Administrator> Set-OABVirtualDirectory -Identity "Romac-EX1\OAB (Default Web Site)" -RequireSSL $true
Configures the OAB virtual directory to require SSL security.
The following table shows other cmdlets that are useful when working with the OAB.
PS C:\Users\Administrator> Set-OfflineAddressBook -Identity "\Default Offline Address Book" -Name "Romac Sign Offline Address Book"
Configures the OAB properties. You may wish to change the name of your Offline
Address Book. In this example, the name of the OAB is changed to the specified name.
PS C:\Users\Administrator> Get-OfflineAddressBook
Retrieves the list of OABs in your organization, but in this case you can view that
the name change did take effect.
PS C:\Users\Administrator> Set-OfflineAddressBook -Identity "\Default Offline Address Book" -VirtualDirectories "Romac-EX2\OAB (Default Web Site)"
PS C:\Users\Administrator> Set-OfflineAddressBook -Identity "Romac Sign Offline Address Book" -VirtualDirectories "Romac-EX2\OAB (Default Web Site)"
You could also use the Set-OfflineAddressBook cmdlet to set another CAS as a web
distribution point for the OAB.
The second example changes the OAB distribution point to Romac-EX2.
NOTE Normally, you would use the first example, but because you changed the name of
the default OAB in the previous example, you would have to use the new OAB name in
your cmdlet, as shown.
Figure 12-3 shows the properties of the Romac Sign Offline Address Book before
the configuration of Romac-EX2 as a web distribution point and after the configuration
in a side-by-side format.
Figure 12-3 Configuring a CAS as a web distribution point for an OAB (showing the
before and after)
The OAB is generated only once per day, by default. A service running on the CAS is
responsible for copying the changes from the generation server (usually the Mailbox
role) to the OAB distribution point (usually the CAS). This schedule can be modified.
The following table edits the generation schedule of the OAB.
PS C:\Users\Administrator> Set-OfflineAddressBook -Identity "Romac Sign Offline Address Book" -Schedule "Sun.5:00 AM-Sun.6:00 AM, Mon.5:00 AM-Mon.6:00 AM, Mon.8:00 PM-Mon.9:00 PM, Tue.5:00 AM-Tue.6:00 AM, Tue.8:00 PM-Tue.9:00 PM, Wed.5:00 AM-Wed.6:00 AM, Wed.8:00 PM-Wed.9:00 PM, Thu.5:00 AM-Thu.6:00 AM, Thu.8:00 PM-Thu.9:00 PM, Fri.5:00 AM-Fri.6:00 AM, Fri.8:00 PM-Fri.9:00 PM, Sat.5:00 AM-Sat.6:00 AM"
Illustrates how you would change the generation schedule of the OAB to occur
at 5:00 a.m. and 8:00 p.m. each weekday, instead of once per day, as is the default
schedule, and once per day on Saturday and Sunday.
CHAPTER 13
Working with Certificates
This chapter provides information and commands concerning the following topics:
■ Types of certificates
■ Generating a certificate request
■ Importing the certificate
■ Enabling the certificate
This chapter focuses on the configuration of the Client Access Server from the
perspective of certificates. You will work with the various aspects of certifying servers in
your Exchange organization.
Types of Certificates
Certificates in the Exchange organization have traditionally been difficult to create and
manage for messaging administrators. To understand how to work with certificates, it is
important to first understand the different types of certificates that could be used to
certify the servers in your organization.
■ Single certificate—You can request one certificate for all types of client connections
and protocols. Each CAS will need only a single name and a single certificate.
■ Multiple certificates—You can request a separate certificate for each type of client
connection and protocol. Each CAS will likely need multiple certificates and
multiple websites.
■ Multiple Subject Alternative Name (SAN) certificate—You can request one
certificate with multiple names for each protocol. Each client connection and protocol
can use a unique name, but only one certificate is required.
■ Wildcard certificate—You can request a certificate with your domain name and
certify all servers in your namespace with it (*.romacsign.com). That certificate
could then be used to secure any client connection or protocol.
Generating a Certificate Request
After a Client Access Server has been installed, the role has a self-signed certificate
installed on it.
OWA (Outlook Web App in Exchange 2010) and Exchange ActiveSync (EAS) can
use the self-signed certificate if the certificate is trusted by the client. The trust can be
accomplished by installing the certificate into the computer or mobile device’s certificate
store or by using a GPO to deliver it to domain-based computers. Outlook Anywhere
does not work with Exchange Server 2010/2007’s self-signed certificate. It requires a
valid certificate issued by a Certification Authority (CA)—either an enterprise root CA
or a trusted third-party CA.
Of course, OWA users can also click through the warning that alerts them about
certificate-related errors and proceed through to access OWA.
In general, it is recommended to remove the self-signed certificate and replace it with
either a certificate generated by your own “in-house” CA or one from a third-party CA.
The following table shows how to replace the self-signed certificate.
PS C:\Users\Administrator> New-ExchangeCertificate
This example runs the New-ExchangeCertificate cmdlet without any parameters.
NOTE A self-signed certificate will be generated and the old certificate will be replaced
with a new one, as shown in Figure 13-1.
Figure 13-1 New self-signed certificate is generated
The following table shows how to renew the self-signed certificate when it expires.
PS C:\Users\Administrator> Get-ExchangeCertificate -Thumbprint 6F109C9B82E6C4224ECEDA708C68318CD7BC4018 | New-ExchangeCertificate
This example shows how to renew the self-signed certificate.
NOTE Even though this “renews” the self-signed certificate, a new certificate is
actually generated, as seen in Figure 13-2.
NOTE In the previous example, you may notice the use of the “thumbprint” parameter
as part of the Get-ExchangeCertificate cmdlet. The thumbprint is a unique identifier
for the certificate. No two certificates may share the same thumbprint.
Figure 13-2 Self-signed certificate is renewed
The following table shows how to request a certificate from a Certification Authority (CA).
PS C:\Users\Administrator> New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Romac Sign Company, cn=Romac-EX2.romacsign.com" -DomainName romacsign.com, romacneon.com -PrivateKeyExportable $true
Outputs the certificate request in Base64 format.
You could then send the certificate request to a CA within the organization, to a trusted
CA outside of the organization, or to a commercial CA. You would cut and paste the
certificate request output into a certificate request web page of the CA or send it via email.
This request has multiple subject alternate names (Romacsign.com and Romacneon.com)
and has an exportable private key.
PS C:\Users\Administrator> $RomacCert = New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=Romac Sign Company, cn=Romac-EX2.romacsign.com" -DomainName romacsign.com, romacneon.com -PrivateKeyExportable $true
This example is a variation of the previous certificate request, but the output is
saved to a variable named $RomacCert.
PS C:\Users\Administrator> Set-Content -Path "C:\Users\Administrator\Documents\RomacCertRequest.req" -Value $RomacCert
After creating the variable in the previous example, you can use the Set-Content cmdlet
to write data from the variable to the certificate request file RomacCertRequest.req in the
specified folder.
TIP Although you can use the New-ExchangeCertificate cmdlet to request a certificate,
a new wizard is built in to Exchange Management Console (EMC) (new to
Exchange 2010) that allows you to create a certificate request. How to access the wizard
and its first two pages are shown in Figures 13-3 through 13-5.
Figure 13-3 Accessing the New Exchange Certificate Wizard
Figure 13-4 The New Exchange Certificate Wizard welcome page
Figure 13-5 Configuring names in the New Exchange Certificate Wizard
Importing the Certificate
After the certificate request has been generated, the certificate is created by the CA if
you are not using a self-signed certificate. You may have pasted the request directly into
the CA’s website for that purpose. The CA returns a digital certificate. The certificate
contains the key pair for the Client Access Server. You must then import the certificate
into the Client Access Server’s certificate store.
NOTE This task must be performed from the same server that made the request
because the information is machine specific.
As shown in the following table, the Import-ExchangeCertificate cmdlet imports a
certificate that has been issued either from an outstanding request or from a PKCS #12 file.
PS C:\Users\Administrator> Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certificates\Issued_Cert.p7b" -Encoding Byte -ReadCount 0))
Imports a chain of certificates from the PKCS #7 file Issued_Cert.p7b.
PS C:\Users\Administrator> Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certificates\Exported_Cert.pfx" -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).password
Imports an existing certificate and private key from the PKCS #12 file Exported_Cert.pfx.
PS C:\Users\Administrator> Remove-ExchangeCertificate -Thumbprint 6F109C9B82E6C4224ECEDA708C68318CD7BC4018
Illustrates the removal of a certificate with the specified thumbprint if it has
been imported incorrectly or if the wrong certificate has been imported.
TIP Figure 13-3 also shows that an Import Exchange Certificate Wizard is built in
to the Exchange Management Console, which is new to Exchange 2010. This wizard
allows you to import the certificate after you have received it from the CA without
needing to run the Import-ExchangeCertificate cmdlet.
Enabling the Certificate
The cmdlet in the following table enables a certificate for Exchange services such as
OWA, POP, and IMAP.
PS C:\Users\Administrator> Enable-ExchangeCertificate -Thumbprint 6F109C9B82E6C4224ECEDA708C68318CD7BC4018 -Services POP,IMAP,SMTP,IIS
Enables a certificate for POP, IMAP, SMTP, and IIS services.
NOTE OWA is included as part of IIS.
The cmdlet in the following table shows how to import a chain of certificates from a file.
PS C:\Users\Administrator> Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "c:\certificates\IssuedCert.p7b" -Encoding byte -ReadCount 0))
Imports a chain of certificates from the PKCS #7 file IssuedCert.p7b.
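One way to review certificates once they have been imported and enabled, as an added example that is not from the book: the function name Get-ExchangeCertificateFinding, the 30-day warning threshold, and the sample objects are hypothetical. The input objects are assumed to carry the Thumbprint, Subject, IsSelfSigned, NotAfter, and Services properties that Get-ExchangeCertificate returns.

```powershell
# Added example: reviews objects shaped like Get-ExchangeCertificate output.
# Function name, threshold, and sample data are hypothetical (not from the book).
function Get-ExchangeCertificateFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Certificate,

        [int] $WarnDays = 30,

        [datetime] $Now = (Get-Date)
    )
    process {
        # Services is a flags value in EMS; its string form looks like "IMAP, POP, IIS, SMTP".
        $services = "$($Certificate.Services)"
        $findings = @()

        if ($Certificate.NotAfter -lt $Now) {
            $findings += 'expired'
        }
        elseif ($Certificate.NotAfter -lt $Now.AddDays($WarnDays)) {
            $findings += "expires within $WarnDays days"
        }

        # The chapter notes that Outlook Anywhere does not work with the self-signed certificate.
        if ($Certificate.IsSelfSigned -and $services -match '\bIIS\b') {
            $findings += 'self-signed and bound to IIS; Outlook Anywhere needs a CA-issued certificate'
        }

        # An imported certificate is unused until Enable-ExchangeCertificate assigns services.
        if ((-not $services) -or ($services -eq 'None')) {
            $findings += 'not enabled for any service'
        }

        $summary = 'none'
        if ($findings.Count -gt 0) { $summary = $findings -join '; ' }

        New-Object PSObject -Property @{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Services   = $services
            Findings   = $summary
        }
    }
}

# Constructed sample objects; the thumbprints are placeholders, not real certificates.
$sample = @(
    (New-Object PSObject -Property @{
        Thumbprint = '1111111111111111111111111111111111111111'; Subject = 'CN=Romac-EX1'
        IsSelfSigned = $true; NotAfter = [datetime]'2016-01-01'; Services = 'IMAP, POP, IIS, SMTP' }),
    (New-Object PSObject -Property @{
        Thumbprint = '2222222222222222222222222222222222222222'; Subject = 'CN=mail.romacsign.com'
        IsSelfSigned = $false; NotAfter = [datetime]'2011-07-01'; Services = 'IIS' }),
    (New-Object PSObject -Property @{
        Thumbprint = '3333333333333333333333333333333333333333'; Subject = 'CN=Romac-EX2.romacsign.com'
        IsSelfSigned = $false; NotAfter = [datetime]'2013-01-01'; Services = 'None' }),
    (New-Object PSObject -Property @{
        Thumbprint = '4444444444444444444444444444444444444444'; Subject = 'CN=Romac-EX2.romacsign.com'
        IsSelfSigned = $false; NotAfter = [datetime]'2013-01-01'; Services = 'IMAP, POP, IIS, SMTP' })
)

# A fixed review date keeps the sample output stable.
$sample | Get-ExchangeCertificateFinding -Now ([datetime]'2011-06-15') |
    Select-Object Thumbprint, Subject, Services, Findings | Format-List

# In Exchange Management Shell the same function takes live data:
#   Get-ExchangeCertificate | Get-ExchangeCertificateFinding
```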
CHAPTER 14
Mailbox Servers and Databases
This chapter provides information and commands concerning the following topics:
■ Configuring the properties of a mailbox server
■ Creating and mounting a new database
■ Managing an existing database
■ Removing an existing database
This chapter focuses on the configuration of the Mailbox Server role. You will
investigate how to change properties of a server first and then move on to the creation and
configuration of a mailbox database.
Configuring the Properties of a Mailbox Server
Often, you will not need to configure mailbox server properties, or if you are changing
an attribute for an individual server, it will be easier to perform this task using Exchange
Management Console (EMC). However, there may be situations where it would be to
your advantage to work with server properties from the command line using Exchange
Management Shell (EMS).
The following table shows some of the ways to retrieve and edit parameters for the
Mailbox Server role.
PS C:\Users\Administrator> Get-MailboxServer -Identity Romac-EX1 | fl
Retrieves the list of attributes for a mailbox server.
In a subsequent example, you will set the -SubmissionServerOverrideList attribute
to configure the mailbox server to use a specific Hub Transport server in the same
AD site.
Set-MailboxServer -Identity MailboxServer -SubmissionServerOverrideList: HTServer1, HTServer2
PS C:\Users\Administrator> Set-MailboxServer -Identity Romac-EX1 -SubmissionServerOverrideList:Romac-EX2
In certain situations, you may need to configure a mailbox server to use one or
more specific Hub Transport servers in an Active Directory site.
By setting a static list of Hub Transport servers to be notified when messages are
ready for retrieval, you can control mailflow through the specified Hub Transport
servers in a site.
NOTE Normally, the use of Hub Transport servers in a site is on a round-robin basis.
Once this attribute is set, a mailbox server may only use those servers in the list, and
mailflow may fail even when other Hub Transport servers are available in the site.
TIP The list can contain more than one HT server. Simply separate the servers in the
list with commas.
PS C:\Users\Administrator> Get-MailboxServer -Identity Romac-EX1 | fl
Retrieves the updated list of attributes for a mailbox server.
Creating and Mounting a New Database
Creating a new mailbox database is quite easy from either EMC or EMS. One difference
is that if you create the database in EMC, it will be mounted automatically. If you create
it using Exchange Management Shell, you will have to execute the Mount-Database
cmdlet to mount the database.
The following table shows how to create and mount a mailbox database.
New-MailboxDatabase -Name MailboxDatabaseName -EdbFilePath MailboxDatabasePath
PS C:\Users\Administrator> New-MailboxDatabase -Name "AssemblyDB" -Server Romac-EX1 -EdbFilePath "C:\Databases\AssemblyDB\AssemblyDB.edb"
Creates the database in the specified location.
PS C:\Users\Administrator> Mount-Database -Identity "AssemblyDB"
Mounts the specified database.
TIP Notice the default location of the transaction logs is not in the specified location
(as shown in Figure 14-1) because the -LogFolderPath parameter was not specified.
Figure 14-1 Locations of files when the LogFolderPath parameter is not specified
The following table shows how to create a mailbox database and place its log files in a
separate location from the database file. The database will also be mounted.
PS C:\Users\Administrator> New-MailboxDatabase -Name "ManufacturingDB" -Server Romac-EX1 -EdbFilePath "C:\Databases\ManufacturingDB\ManufacturingDB.edb" -LogFolderPath "C:\LogFiles\ManufacturingDB"
Creates the database in the specified location and also places the transaction
logs in a unique location, as shown in Figure 14-2.
PS C:\Users\Administrator> Mount-Database -Identity "ManufacturingDB"
Mounts the specified database.
NOTE The Microsoft Exchange Information Store service must be running to mount a
database.
Figure 14-2 Locations of files when the LogFolderPath parameter is specified
Managing an Existing Database
Other tasks that may be performed on a database are shown in the following table.
PS C:\Users\Administrator> Dismount-Database "ManufacturingDB" -Confirm:$false
Dismounts a mailbox database.
NOTE The Microsoft Exchange Information Store service must be running to dismount a
database.
Including the -Confirm:$false option means that you will not be prompted to confirm the
dismount operation.
PS C:\Users\Administrator> Set-MailboxDatabase -Identity "AssemblyDB" -MaintenanceSchedule "Sun.1:00 AM-Sun.4:00 AM","Wed.1:00 AM-Wed.4:00 AM"
Sets the database maintenance schedule for the specified mailbox database on the
specified server to run between 1:00 a.m. and 4:00 a.m. on Sunday morning and Wednesday
morning, as seen in Figure 14-3.
Figure 14-3 The adjusted database maintenance schedule as seen in Exchange
Management Console
PS C:\Users\Administrator> Set-MailboxDatabase -BackgroundDatabaseMaintenance $false -Identity "AssemblyDB"
PS C:\Users\Administrator> Set-MailboxDatabase -BackgroundDatabaseMaintenance $true -Identity "AssemblyDB"
The first example mounts the specified database without the 24×7 background
check-summing mode and performs the ESE checksum maintenance only during the online
maintenance period that you specify, as shown in Figure 14-4.
The second example mounts the specified database with the 24×7 checksum mode enabled.
NOTE With either of these examples, you will receive a warning in EMS that the
change will not take place until the database is dismounted and then remounted.
Figure 14-4 The adjusted database maintenance option as seen in Exchange
Management Console
NOTE Background database maintenance can now be continuously run in Exchange
Server 2010. You can use either EMC or EMS to set the maintenance schedule for a
database to occur at a specific time or allow 24×7 database maintenance. The online
defragmentation no longer runs only during the maintenance window (as it did in
Exchange Server 2007) unless you schedule it to do so. If you leave 24×7 ESE database
maintenance enabled, it will be performed continuously as the data is read from
and written to the database. It is strongly suggested that you do not disable this new
feature.
Modifying the database size limit is shown in the following table.
Get-MailboxDatabase -Identity "database name" | Format-Table Name, GUID
PS C:\Users\Administrator> Get-MailboxDatabase -Identity "ShippingDB" | Format-Table Name, GUID
Retrieves the database GUID.
This step is performed from Registry Editor or regedit.
1 Open regedit and locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Server Name>\Private-<database GUID>
Example:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\Romac-EX2\Private-825fb102-92e8-463e-be4d-d9b18db4a9e9
2 Find the Database Size Limit in GB DWORD and change its value to 2048 or the desired size in gigabytes.
3 If the Database Size Limit in GB DWORD does not exist for the subkey, create a new DWORD with that name and then set its value to 2048 or the desired size in gigabytes.
You can use Registry Editor or regedit to modify a database size limit in Microsoft Exchange Server 2010.
The database size is checked against its limit periodically, and if the size limit is reached, the database is dismounted.
This example changes the maximum size limit for Exchange 2010 Standard Edition to 2048 gigabytes (GB).
TIP The default database size limit for Exchange 2010 Standard Edition is 1,024 gigabytes (GB). There is no default database size limit for the Exchange 2010 Enterprise Edition.
NOTE There are no hard limits in Exchange Server 2010. This soft limit exists to protect the database from growing too large without an administrator noticing. Sometimes, it is necessary to go beyond the soft limit. This registry change fulfills that need.
Registry Editing Warning:
If you use Registry Editor incorrectly, you can cause serious problems that may require you to reinstall your operating system or Exchange Server. Use Registry Editor at your own risk and make sure you can back up the registry before making any changes.
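The three registry steps above can also be scripted, which avoids mistyping the GUID and leaves a backup behind. The following PowerShell is an added example, not code from the book; it assumes an elevated Exchange Management Shell on the Mailbox server that hosts the database, and the backup file path is a placeholder chosen for the example (its folder must already exist).

```powershell
# Added example (not from the book): set "Database Size Limit in GB" for one database.
# Assumptions: elevated Exchange Management Shell on the Mailbox server that hosts the
# database; $BackupFile is a placeholder path and its folder must already exist.
$DatabaseName = 'ShippingDB'      # database from the page's Get-MailboxDatabase example
$LimitInGB    = 2048              # value from the page's example
$BackupFile   = 'C:\Temp\MSExchangeIS-before-change.reg'
$ValueName    = 'Database Size Limit in GB'

# Resolve the database GUID and hosting server instead of typing them by hand.
$db = Get-MailboxDatabase -Identity $DatabaseName -ErrorAction Stop
if ($db.ServerName -ne $env:COMPUTERNAME) {
    throw "Run this on $($db.ServerName); the registry key lives on the hosting server."
}

$serviceKey = "SYSTEM\CurrentControlSet\Services\MSExchangeIS\$($db.ServerName)"
$keyPath    = "HKLM:\$serviceKey\Private-$($db.Guid)"
if (-not (Test-Path -Path $keyPath)) {
    throw "Subkey not found: $keyPath"
}

# Back up the server's MSExchangeIS subkey before touching it (see the registry warning).
& reg.exe export "HKLM\$serviceKey" $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no change was made." }

# Step 2 / step 3: change the DWORD if it is present, otherwise create it.
$current = Get-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($current) {
    Write-Host "Current limit: $($current.$ValueName) GB"
    Set-ItemProperty -Path $keyPath -Name $ValueName -Value $LimitInGB
} else {
    New-ItemProperty -Path $keyPath -Name $ValueName -PropertyType DWord -Value $LimitInGB | Out-Null
}

# Read the value back so the change is verified rather than assumed.
$applied = (Get-ItemProperty -Path $keyPath -Name $ValueName).$ValueName
if ($applied -ne $LimitInGB) { throw "Value is $applied, expected $LimitInGB." }
Write-Host "$DatabaseName size limit is now $applied GB"
```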
Modifying other database parameters is shown in the following table.
Move-DatabasePath -Identity "DatabaseName" -EdbFilePath "DatabasePath" -Confirm:$false
PS C:\Users\Administrator> Move-DatabasePath -Identity "ShippingDB" -EdbFilePath "C:\Databases\Shipping\Shipping.edb" -Confirm:$false
Sets a new path for the specified mailbox database.
NOTE You could also identify and move the database by using its GUID.
Set-MailboxDatabase -Identity "DatabaseName" -DeletedItemRetention ItemRetentionPeriod
PS C:\Users\Administrator> Set-MailboxDatabase -Identity "ShippingDB" -DeletedItemRetention 30.00:00:00
Sets the length of time that deleted items are retained to the specified value.
NOTE The default value is 14 days.
Prior to Exchange Server 2010 SP1, you repaired a database using the ISInteg command.
The functionality formerly incorporated into ISInteg is now made available using
two Exchange Management Shell cmdlets:
■ New-MailboxRepairRequest
■ New-PublicFolderDatabaseRepairRequest
Using these new PowerShell cmdlets, you no longer need to dismount the database when
repairing it. You can repair logical corruption at the mailbox level, fix corrupt search
folders, fix the provisioned folder, and fix aggregate counts.
The cmdlets shown in the following table focus on the New-MailboxRepairRequest cmdlet. This cmdlet can detect and repair mailbox corruptions and can be run
against a specific mailbox or against an entire mailbox database. (The New-PublicFolderDatabaseRepairRequest cmdlet will be examined in Chapter 25, “Public
Folder Database Management.”)
TIP This task cannot be performed from Exchange Management Console and requires
Exchange Server 2010 Service Pack 1.
New-MailboxRepairRequest -Mailbox MailboxName -CorruptionType RepairType
PS C:\Users\Administrator> New-MailboxRepairRequest -Mailbox [email protected] -CorruptionType FolderView
Detects and repairs the folder view for the specified mailbox.
NOTE This type of repair might be performed when the views on folders are not returning the correct content.
PS C:\Users\Administrator> Get-Mailbox -Filter { CustomAttribute15 -like "MBRepairRequired" } | New-MailboxRepairRequest -CorruptionType SearchFolder,AggregateCounts,ProvisionedFolder,FolderView
Detects and repairs all corruption types for those mailboxes on which you have set the “MBRepairRequired” value for the Exchange CustomAttribute15.
In addition to CorruptionType=FolderView, repairs will also be made to Search folder corruptions with CorruptionType=SearchFolder, aggregate counts on folders that aren’t reflecting correct values with CorruptionType=AggregateCounts, as well as provisioned folders that are incorrectly pointing into parent folders that aren’t provisioned with CorruptionType=ProvisionedFolder.
New-MailboxRepairRequest -Database DatabaseName -CorruptionType RepairType
PS C:\Users\Administrator> New-MailboxRepairRequest -Database ShippingDB -CorruptionType FolderView
Detects and repairs the folder view for all mailboxes in the specified database.
TIP The -Database parameter is incompatible with the -Mailbox parameter.
PS C:\Users\Administrator> New-MailboxRepairRequest -Mailbox [email protected] -CorruptionType ProvisionedFolder,SearchFolder -DetectOnly
Detects and reports only on ProvisionedFolder and SearchFolder corruption issues for Joyce’s mailbox.
NOTE No repairs are performed on this mailbox because of the DetectOnly instruction.
NOTE After you start the repair request, it cannot be stopped unless you dismount
the database. While the mailbox is being repaired, the user will not have access to it. If
the cmdlet is being run against a database, only the mailbox actually in the process of
being repaired is unavailable.
Removing an Existing Database
When a mailbox database is no longer required, you can use the Remove-MailboxDatabase
cmdlet to delete the database (as shown in the following table).
Remove-MailboxDatabase -Identity DatabaseName -Confirm:$false
PS C:\Users\Administrator> Remove-MailboxDatabase -Identity ShippingDB -Confirm:$false
This example removes the specified mailbox database.
NOTE The Remove-MailboxDatabase cmdlet removes only the database object from Active Directory. It will not delete the physical database files from the file system. You must remove the database and log files manually after you run this cmdlet.
NOTE If the mailbox database has a database copy, the Remove-MailboxDatabase cmdlet also removes the copy.
CHAPTER 15
Working with Mailboxes
This chapter provides information and commands concerning the following topics:
■ Exporting a mailbox
■ Importing a mailbox
■ Moving an online mailbox
■ Running the Clean-MailboxDatabase cmdlet
This chapter focuses on the configuration of mailboxes. You will examine the process
used to export and import data to and from the mailbox. Then you will observe the new
procedure in Exchange Server 2010 for moving mailboxes. Finally, you will investigate
how to use the Clean-MailboxDatabase cmdlet when disconnected mailboxes do not
appear properly in Exchange Management Console (EMC).
Exporting a Mailbox
By default, the Mailbox Import Export management role is not part of any of the built-in
role groups. Even the Organization Management role group does not have permission to
run the Export-Mailbox and Import-Mailbox cmdlets by default. In order to export or
import mailbox data, you need to add the Mailbox Import Export management role to a
role group.
It is not possible to add roles to the built-in role groups. Therefore, to assign the Mailbox
Import Export management role, you need to create a new role group (as shown in the
following table).
PS C:\Users\Administrator> New-RoleGroup -Name MailboxManagement -Roles "Mailbox Import Export"
Creates a new management role group with the specified name and assigns the Mailbox Import Export management role to the role group.
PS C:\Users\Administrator> Add-RoleGroupMember -Identity MailboxManagement -Member "RomacSign\Paul MailboxMgr"
Adds a mailbox as a member of the specified role group.
NOTE You cannot use someone in the Domain Administrators group. You are explicitly restricted as a domain admin from importing or exporting mailboxes for security reasons.
In this example, a user named Paul MailboxMgr has been created. This user has been added to the Organization Management built-in role, as well as to the MailboxManagement custom role.
Now that the role group has been created, ensure that the user who will export the data
(MailboxAdmin in the following examples) is a member of the MailboxManagement role
group and that the role group has the correct role assignment. One way you could do this is
to use the Get-RoleGroup cmdlet, as shown in the following table.
PS C:\Users\Administrator> Get-RoleGroup "RomacSign.com\MailboxManagement" | fl name, roles
Confirms the creation of the management role group and the assignment of the Mailbox Import Export role from the previous examples.
TIP This can also be done quite easily in Exchange Control Panel, as shown in Figure 15-1.
Figure 15-1 Membership of the role group and role assignment
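Because the Mailbox Import Export role lets its holder copy or delete content from any mailbox, it is worth checking who effectively holds it, not just who is in one role group. The following PowerShell is an added example, not code from the book; the expected-holders list is an assumption that reuses the account name from the examples above.

```powershell
# Added example (not from the book): list everyone who effectively holds the
# Mailbox Import Export role and flag accounts outside an expected list.
# $Expected is an assumption for this example; it reuses the account name from the page.
$Role     = 'Mailbox Import Export'
$Expected = @('Paul MailboxMgr')

# -GetEffectiveUsers expands role groups and security groups to individual users.
# The placeholder row "All Group Members" describes the group itself, so it is skipped.
$holders = Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, AssignmentMethod

$holders | Sort-Object EffectiveUserName | Format-Table -AutoSize

# Anything not on the expected list deserves a second look.
$unexpected = $holders | Where-Object { $Expected -notcontains $_.EffectiveUserName }
if ($unexpected) {
    Write-Warning "Accounts holding '$Role' that are not on the expected list:"
    $unexpected | Format-Table EffectiveUserName, RoleAssigneeName -AutoSize
}

# Direct membership of the custom role group created above, for comparison.
Get-RoleGroupMember -Identity MailboxManagement | Format-Table Name, RecipientType -AutoSize
```

Once an export or import task is finished, Remove-RoleGroupMember takes the account back out of the role group.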
To perform the following tasks, you must create the MailboxExports mailbox and a folder
named ExportedData in the MailboxExports mailbox, as shown in the following table.
PS C:\Users\MailboxAdmin> Export-Mailbox -Identity [email protected] -TargetMailbox MailboxExports -TargetFolder ExportedData
Exports the contents of the specified mailbox (Maureen) to the specified folder (ExportedData) in the mailbox named MailboxExports.
To perform the next task, you must send an email to the user Joyce with the words
“Amazing Toy World” in the body of the message. When you perform the task, a filter
will capture all messages with the content keywords in them and export the messages to
the specified location (as shown in the following table).
PS C:\Users\MailboxAdmin> Export-Mailbox -Identity [email protected] -TargetMailbox MailboxExports -TargetFolder ExportedData -ContentKeywords "Amazing Toy World"
Uses a filter to specify which items in the mailbox should be included in the export, as shown in Figure 15-2.
Figure 15-2 Mailbox content found and exported successfully
You could also export messages based on subject keywords.
PS C:\Users\MailboxAdmin> Get-Mailbox -Database AssemblyDB | Export-Mailbox -TargetMailbox MailboxExports -TargetFolder ExportedData -SubjectKeywords "Nasty Attachment" -DeleteContent
Illustrates how to locate and delete a message from a mailbox.
NOTE It will find the message, export it to the specified mailbox, and then delete it from the source mailbox. Because both the sender and recipient mailboxes are in the same database, this will locate the sent item in the sender’s mailbox and delete that as well.
PS C:\Users\MailboxAdmin> Export-Mailbox -Identity -PSTFolderPath "C:\ExportedMailboxes\maureen.pst"
Exports all messages from the specified mailbox’s Inbox folder to a .pst file.
NOTE When you run this cmdlet from a remote machine such as your workstation, the -PSTFolderPath still references a location on your server, not the workstation.
TIP To export to a .pst file, the 64-bit version of Outlook 2010 or later must be installed on the server (yes, on the server) to which you are connecting; otherwise, you will get an error message stating as much, as shown in Figure 15-3.
Figure 15-3 Error message regarding installation of Outlook 2010 on the server when
importing or exporting to a .pst file
This same task may be performed in Exchange Server 2010, Service Pack 1.
However, you do not use the Export-Mailbox cmdlet. Instead, you will use the New-MailboxExportRequest cmdlet (as shown in the following table).
The New-MailboxExportRequest cmdlet replaces the Export-Mailbox cmdlet in
Service Pack 1.
PS C:\Users\MailboxAdmin> New-MailboxExportRequest -Name "Maureen\MaureenExport" -Mailbox Maureen -FilePath "\\Romac-EX2\ExportedMailboxes\Maureen_Recovered.pst"
Creates a mailbox export request, which begins the process of exporting the specified mailbox data to a .pst file.
NOTE You cannot use the Exchange Management Console (EMC) to create a mailbox export request.
TIP When you export a mailbox to a network location, create the network shared folder and grant read and write permissions to the Exchange Trusted Subsystem group. If you don’t grant these permissions, an error will be received stating that Exchange is unable to establish a connection to the target mailbox.
Importing a Mailbox
Just as you had to create a new role group and assign the Mailbox Import Export
management role to export mailboxes, you have to do the same to import mailboxes.
However, if you did this when you exported the mailboxes, it is not necessary to perform
this again (as shown in the following table).
NOTE Perform the previous examples under the section “Exporting a Mailbox” if you
need to create the new role group and add role group members to import a mailbox
and have not already done so previously.
PS C:\Users\MailboxAdmin> Import-Mailbox -Identity [email protected] -PSTFolderPath "C:\ExportedMailboxes\Maureen_Recovered.pst"
Imports the data from the specified .pst file to the existing, connected mailbox of the user.
NOTE When you run this cmdlet from a remote machine such as your workstation, the -PSTFolderPath still references a location on your server, not the workstation.
TIP To import from a .pst file, the 64-bit version of Outlook 2010 or later must be installed on the server to which you are connecting; otherwise, you will get an error message stating as much.
PS C:\Users\MailboxAdmin> Dir "C:\ExportedMailboxes" | Import-Mailbox -StartDate 01/21/2009
Imports the data from all the .pst files that are located in the specified directory into existing mailboxes.
NOTE Only messages that were received after 01/21/2009 will be imported into the mailbox.
PS C:\Users\MailboxAdmin> Get-Mailbox -OrganizationalUnit Assemblers | Import-Mailbox -PSTFolderPath "C:\ExportedMailboxes"
Imports data from .pst files into mailboxes whose users are in the Assemblers OU.
The .pst files must be named using the format Alias.pst, such as Maureen.pst.
NOTE Only .pst files whose alias corresponds to a user in the specified Organizational Unit (OU) will be imported.
PS C:\Users\MailboxAdmin> New-MailboxImportRequest -Mailbox Maureen -FilePath "\\Romac-EX2\ExportedMailboxes\Maureen_Recovered.pst"
Imports a .pst file into Maureen’s personal archive folder.
The content is merged under existing folders, and new folders are created if they don’t already exist.
Moving an Online Mailbox
As shown in the following table, you can use the New-MoveRequest cmdlet to begin
the process of an asynchronous mailbox move to a different database in the same Active
Directory forest.
NOTE This also can be used to move the personal archive mailbox to a different database
in the same Active Directory forest beginning with Exchange Server 2010, Service
Pack 1. (Prior to Service Pack 1, the primary mailbox and the archive mailbox had to be
in the same database.)
New-MoveRequest -Identity Recipient Mailbox -TargetDatabase DatabaseName -WhatIf
PS C:\Users\Administrator> New-MoveRequest -Identity "[email protected]" -TargetDatabase "ManufacturingDB" -WhatIf
Verifies that the mailbox is ready to be moved to another database within the same forest.
NOTE By using the -WhatIf switch, if the mailbox is not ready to be moved, you will receive an error message when you try to move the mailbox; however, no data will be affected.
PS C:\Users\Administrator> New-MoveRequest -Identity "[email protected]" -Remote -TargetDatabase OtherOrgsDatabase -RemoteHostName "mail.businesspartner.com" -RemoteCredential (Get-Credential BusPartnerSignCompany\Administrator) -TargetDeliveryDomain "romacsign.com" -WhatIf
Uses the -WhatIf switch to verify that a mailbox is ready to move to another forest.
TIP This command should be run from the target forest.
PS C:\Users\Administrator> New-MoveRequest -Identity "[email protected]" -TargetDatabase "ManufacturingDB"
Moves the specified mailbox to the new target database.
PS C:\Users\Administrator> Get-Mailbox -Database AssemblyDB | New-MoveRequest -TargetDatabase ManufacturingDB -BatchName "AssemblyDB to ManufacturingDB"
Creates a batch move request for all mailboxes on one database and moves them to another database, as shown in Figure 15-4.
Figure 15-4 Batch move request of multiple mailboxes, as seen in Exchange
Management Console
PS C:\Users\Administrator> New-MoveRequest -Identity -PrimaryOnly -TargetDatabase "AssemblyDB"
In Exchange Server 2010, Service Pack 1, this example moves only the specified recipient’s primary mailbox from one database to another. The archive mailbox is not moved.
PS C:\Users\Administrator> New-MoveRequest -Identity -ArchiveOnly -ArchiveTargetDatabase "AssemblyArchiveDB"
In Exchange Server 2010, Service Pack 1, this example moves only the specified recipient’s archive mailbox from one database to another. The primary mailbox is not moved.
PS C:\Users\Administrator> New-MoveRequest -Identity -TargetDatabase "AssemblyDB" -ArchiveTargetDatabase "AssemblyArchiveDB"
Moves the specified recipient’s primary mailbox and archive mailbox to separate databases.
PS C:\Users\Administrator> New-MoveRequest -Identity -PrimaryOnly -TargetDatabase "AssemblyDB" -BadItemLimit 50 -AcceptLargeDataLoss
Moves the specified recipient’s primary mailbox to another mailbox database and sets the bad item limit to 50.
Because this is not a normal scenario, you must set the -AcceptLargeDataLoss parameter.
You may remove, suspend, or resume a move request by using the appropriate cmdlet
(as shown in the following table).
PS C:\Users\Administrator> Remove-MoveRequest -Identity "[email protected]"
Removes the mailbox move request for the specified mailbox. This cancels the mailbox move for a mailbox queued up for moving by the New-MoveRequest cmdlet.
PS C:\Users\Administrator> Suspend-MoveRequest -Identity "[email protected]"
Suspends the move request for the specified mailbox.
NOTE You may use the Suspend-MoveRequest cmdlet to suspend a move request any time after the move request was created, but before it reaches the status of Completing.
PS C:\Users\Administrator> Get-MoveRequest -MoveStatus InProgress | Suspend-MoveRequest
Suspends all move requests that are in progress by using the Get-MoveRequest cmdlet to retrieve all move requests with a MoveStatus value of InProgress and then pipelining the output to the Suspend-MoveRequest cmdlet.
PS C:\Users\Administrator> Resume-MoveRequest "[email protected]"
Resumes the move request of the specified recipient’s mailbox.
NOTE You would use this cmdlet to resume a move request that has been suspended or has failed.
PS C:\Users\Administrator> Get-MoveRequest -MoveStatus Failed | Resume-MoveRequest
Resumes any failed move requests.
Running the Clean-MailboxDatabase Cmdlet
When disconnected mailboxes do not appear properly, you can use the Clean-MailboxDatabase cmdlet to update the information between Exchange Server and the
Active Directory. Disconnected mailboxes typically occur when the Active Directory
user account is deleted, thus orphaning the mailbox. The mailbox is preserved for
30 days by default and is moved to the Disconnected Mailboxes node of Exchange
Management Console.
The following table shows how to run the Clean-MailboxDatabase cmdlet, which scans the
Active Directory for mailboxes that are disconnected from user accounts but do not yet
appear as disconnected in EMC or EMS.
NOTE It is normally not necessary to run this cmdlet unless the mailbox does not
appear in Disconnected Mailboxes.
Clean-MailboxDatabase -Identity DatabaseName
PS C:\Users\Administrator> Clean-MailboxDatabase -Identity AssemblyDB
Scans the Active Directory for disconnected mailboxes that aren’t yet marked as disconnected. It then updates the status of those mailboxes.
Running this cmdlet requires that the Microsoft Exchange Information Store service is started and that the database is mounted.
CHAPTER 16
Using the Recovery Database (RDB)
This chapter provides information and commands concerning the following topics:
■ Creating the recovery database (RDB)
■ Restoring a database to the RDB
■ Removing the RDB
This chapter focuses on the creation and deletion of the recovery database as well as
the restoration of a database using the RDB. Because there are no storage groups in
Exchange Server 2010, the Recovery Storage Group (RSG) has been deprecated. The
functionality of the RSG has been moved to a new feature in Exchange 2010 called the
Recovery Database.
Creating the Recovery Database (RDB)
A recovery database (RDB) is an unusual mailbox database. It allows you to have a
second copy of a database mounted for the purpose of extracting data from one or more
mailboxes in the restored database and merging that data back into production mailboxes
as part of a recovery operation. This can be done without affecting a user’s access to his
or her mailbox. There are two possibilities, as shown in the following table.
If a recovery database already exists: The RDB database can be dismounted, the data can be restored onto the recovery database, and then the database can be remounted.
If a recovery database does not already exist: The database can be restored to any disk location. Exchange can analyze the restored data, replay the transaction logs, and then the RDB can be configured to point to the database files.
An RDB is different from other mailbox databases in numerous ways:
■ The RDB does not count as a database. You may still have five databases on
Standard Edition servers and 100 databases on Enterprise Edition servers.
■ An RDB is for mailbox databases only. You cannot use this recovery technique
for public folder databases.
■ A recovered database mounted as an RDB is not linked to the original database,
even though the database filenames may be the same. It is a separate database and
can only be created by using EMS.
■ MAPI access from Outlook or Outlook Web App (OWA) is not allowed, and mail
cannot be sent to or from an RDB mailbox.
■ It is not possible to connect mailboxes in an RDB to user accounts. You can
merge the data from the mailbox into the user’s production mailbox or you can
export data from the RDB mailbox to a folder or .pst file.
■ Policies are not applied to RDB mailboxes. You cannot make an RDB database
a member of a Database Availability Group (DAG) and you cannot back up an
RDB database. DAGs are discussed in greater detail in Chapter 21 , “Database
Availability Groups (DAGs).”
■ Online maintenance is not performed for the RDB, and circular logging is disabled
and cannot be enabled for the RDB.
■ Only one RDB can be mounted per mailbox server per restore operation. It must
be destroyed before the next restore if you want to create another RDB on the
same server.
■ Mailbox databases from previous versions of Exchange aren’t supported, and both
source and target mailboxes must be in the same forest in Active Directory.
You would use the RDB in three possible recovery operations, as shown in the following
table.
Dial tone restores: You can repair or restore a database while a dial tone database is in use, with the goal of merging the two databases together at the end of the repair or restore operation.
Recovering a database on another server: You can recover the database to an alternate server and then merge the recovered data back to the original server, if so desired.
Recovering deleted or corrupted items: You can recover an individual mailbox (or item in a mailbox) from backup when the deleted mailbox retention period has expired. You would extract data from the restored mailbox and copy it to a target folder or merge it with another mailbox.
The first step is to create the RDB, as shown in the following table.
PS C:\Users\Administrator> New-MailboxDatabase -Recovery -Name RomacRDB1 -Server Romac-EX1
Creates the recovery database on the specified mailbox server using the default paths for the database file and the transaction log folder. The -Recovery switch is what designates the database as an RDB.
NOTE You cannot use the EMC to create a recovery database.
PS C:\Users\Administrator> New-MailboxDatabase -Recovery -Name RDB_ManufacturingDB -Server Romac-EX2 -EdbFilePath "C:\Databases\RDB_ManufacturingDB\ManufacturingDB.edb" -LogFolderPath "C:\Databases\RDB_ManufacturingDB"
Creates the recovery database on the specified mailbox server using a custom path for the database file and transaction log folder, as shown in Figure 16-1.
Figure 16-1 Creation of an RDB with a custom path for the database and transaction
log folder on a server
It is not possible to view the RDB in Exchange Management Console (EMC). However,
you can view it from Exchange Management Shell (EMS), as shown in the following
table.
PS C:\Users\MailboxAdmin> Get-MailboxDatabase | fl name, recovery
Retrieves a list of all mailbox databases as well as their recovery status.
NOTE RomacRDB1 is the recovery database on Romac-EX1, and RomacRDB2 is the recovery database on Romac-EX2, as shown in Figure 16-2. (The two RDBs exist on separate servers because you may only have one RDB per server per restore operation.)
Figure 16-2 Recovery Databases in the enterprise displayed in EMS
Restoring a Database to the RDB
In the previous examples, you created an RDB. Now, the database and log files containing
the recovered data must be restored or copied into the RDB folder structure that
was created when the RDB was created. If you are performing these tasks, copy the
AssemblyDB database and transaction log files to “C:\Databases\RDB_AssemblyDB”
on Romac-EX2 and ensure the database name remains AssemblyDB.edb.
NOTE If you moved the AssemblyDB database file in an earlier chapter, it will be
located at C:\Databases\ManufacturingDB and the log files will be located at
C:\LogFiles\ManufacturingDB on Romac-EX1. The database must be dismounted to move
the files.
You must also determine the log file prefix number, as shown in the following table.
PS C:\Users\Administrator> Get-MailboxDatabase -Identity ManufacturingDB | fl name, logfileprefix
Determines the log file prefix number as shown in Figure 16-3.
Figure 16-3 Viewing the log file prefix number in EMS
PS C:\Databases\RDB_ManufacturingDB> eseutil /R E02 /i /d
Performs a soft recovery that puts the database into a clean shutdown state. Because an RDB is an alternate restore location for all databases, all restored databases will be in a dirty shutdown state and a soft recovery must be performed.
TIP In the example, the logfileprefix is E02, and the “i” instructs the command to “ignore errors.” Also, the “d” instructs the command to use the current directory as the path for the database files.
PS C:\Users\Administrator> Mount-Database "RDB_ManufacturingDB"
After a soft recovery is performed, this example mounts the RDB.
PS C:\Users\Administrator> Get-MailboxStatistics -Database "RDB_ManufacturingDB"
Retrieves the list of available mailboxes on the RDB, as shown in Figure 16-4.
Figure 16-4 List of available mailboxes on the RDB
To simulate corrupted or missing messages, you will delete emails from a mailbox, as
shown in the following table.
NOTE If you have performed some of the tasks from previous chapters, Maureen’s
mailbox was moved to the ManufacturingDB, so simply delete one or more messages
from her mailbox.
PS C:\Users\Administrator> Restore-Mailbox -Identity Maureen -RecoveryDatabase "RDB_ManufacturingDB"
Restores a mailbox for the specified recipient from the RDB.
PS C:\Users\Administrator> Restore-Mailbox -Identity Maureen -RecoveryDatabase "RDB_ManufacturingDB" -RecoveryMailbox "Joyce Celecz" -TargetFolder Recovery
Restores a recipient’s mailbox content into another recipient’s mailbox under the Recovery folder.
PS C:\Users\Administrator> Get-Mailbox -Database ManufacturingDB | Restore-Mailbox -RecoveryDatabase "RDB_ManufacturingDB"
Bulk restores all the mailboxes in the mailbox database DB1 that are also present in the recovery database RDB1.
Removing the RDB
When you are finished with the RDB, you should remove it in preparation for your next
recovery operation, as shown in the following table.
PS C:\Users\Administrator> Dismount-Database RDB_ManufacturingDB -Confirm:$false
Dismounts the specified RDB in preparation for removing the recovery database.
PS C:\Users\Administrator> Remove-MailboxDatabase RDB_ManufacturingDB -Confirm:$false
Removes the specified RDB. The -Confirm:$false option ensures that you are not prompted for the deletion.
When you remove the mailbox database, you receive a warning that the specified database
has been removed but that you must remove the database file from your computer
manually if it still exists. If appropriate, remove the file.
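The RDB steps of this chapter, from creation through soft recovery, restore, and removal, can be chained into one script that refuses to mount a database that is not in a clean shutdown state. This is an added example, not code from the book; it assumes Exchange Management Shell on the server that hosts the RDB, that the restored database and log files are already in the RDB folder, and it adds an eseutil /mh header check that the chapter does not show.

```powershell
# Added example (not from the book): the RDB restore steps of this chapter as one script.
# Assumptions: run in Exchange Management Shell on the server that hosts the RDB
# (Romac-EX2 in the page's examples); the restored .edb and log files have already been
# copied into $RdbPath; names and paths are the ones used in the page's examples.
$SourceDb = 'ManufacturingDB'
$RdbName  = 'RDB_ManufacturingDB'
$Server   = 'Romac-EX2'
$RdbPath  = 'C:\Databases\RDB_ManufacturingDB'
$EdbFile  = Join-Path $RdbPath 'ManufacturingDB.edb'
$Mailbox  = 'Maureen'

# Returns the "State:" value from the database header, e.g. "Clean Shutdown".
# (eseutil /mh dumps the header; this check is an addition to the page's procedure.)
function Get-EdbState {
    param([string]$Path)
    $line = & eseutil.exe /mh $Path |
        Select-String -Pattern '^\s*State:\s*(.+)$' |
        Select-Object -First 1
    if (-not $line) { throw "Could not read the header of $Path" }
    return $line.Matches[0].Groups[1].Value.Trim()
}

# 1. Create the RDB if it does not exist yet.
$rdb = Get-MailboxDatabase | Where-Object { $_.Recovery -and $_.Name -eq $RdbName }
if (-not $rdb) {
    New-MailboxDatabase -Recovery -Name $RdbName -Server $Server `
        -EdbFilePath $EdbFile -LogFolderPath $RdbPath | Out-Null
}
if (-not (Test-Path -Path $EdbFile)) { throw "Restored database not found: $EdbFile" }

# 2. Look up the log file prefix of the source database (E02 in the page's example).
$prefix = (Get-MailboxDatabase -Identity $SourceDb).LogFilePrefix

# 3. Soft recovery, run from the database folder because /d uses the current directory.
if ((Get-EdbState -Path $EdbFile) -ne 'Clean Shutdown') {
    Push-Location $RdbPath
    try {
        & eseutil.exe /R $prefix /i /d
        if ($LASTEXITCODE -ne 0) { throw "eseutil /R failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
}
$state = Get-EdbState -Path $EdbFile
if ($state -ne 'Clean Shutdown') { throw "Database is still in state '$state'; not mounting." }

# 4. Mount the RDB and list the mailboxes it contains.
Mount-Database -Identity $RdbName
Get-MailboxStatistics -Database $RdbName |
    Format-Table DisplayName, ItemCount, LastLogonTime -AutoSize

# 5. Merge the recovered content back into the production mailbox.
Restore-Mailbox -Identity $Mailbox -RecoveryDatabase $RdbName -Confirm:$false

# 6. Remove the RDB so the server is ready for the next recovery operation.
Dismount-Database -Identity $RdbName -Confirm:$false
Remove-MailboxDatabase -Identity $RdbName -Confirm:$false
Write-Warning "Delete the files under $RdbPath manually if they are no longer needed."
```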
CHAPTER 17
Working with Unified Messaging (UM) Role Objects
This chapter provides information and commands concerning the following topics:
■ Configuring the properties of a UM server
■ Creating and managing dial plans
■ Creating and managing UM IP gateways
■ Creating and managing hunt groups
■ Creating and managing UM mailbox policies
■ Monitoring and troubleshooting a UM server
This chapter focuses on the configuration of the Unified Messaging (UM) role. You will
investigate how to create and configure UM objects such as dial plans, UM IP gateways,
hunt groups, and UM policies. Before you can work with the UM objects, the UM role
must be installed onto your Exchange server. This can be installed separately or added to
any existing Exchange server running any role except the Edge Transport role.
NOTE Before installing the UM role, you must install the Desktop Experience feature
on your Windows Server 2008 computer. This provides components that the UM role
requires.
Configuring the Properties of a UM Server
Once the UM role is installed, you will want to configure the properties of the server.
You can configure several options, including the number of concurrent calls that the UM
server can answer. You can also remove the UM server from all dial plans. Many of the
configuration settings can be performed from either EMC or EMS, as shown in the
following table.
PS C:\Users\Administrator> Set-UMServer -Identity Romac-EX2 -Status NoNewCalls
Prevents the specified UM server from accepting new calls, which effectively disables it.
PS C:\Users\Administrator> Set-UMServer -Identity Romac-EX2 -Status Enabled
Enables the specified UM server when you no longer need the -NoNewCalls option set.
PS C:\Users\Administrator> Set-UMServer -Identity Romac-EX2 -MaxCalls 75
Sets the maximum number of incoming voice calls to the specified UM server.
NOTE The default value is 100 concurrent calls.
PS C:\Users\Administrator> Set-UMServer -Identity Romac-EX2 -DialPlans $null
This example removes the specified UM server from all UM dial plans.
Creating and Managing Dial Plans
Once the UM role is installed, you will want to create a dial plan. A UM dial plan is
necessary to allow the UM server to process incoming calls. Dial plans are used to link
user mailboxes to their extension numbers. They are also used to configure default
settings such as dial codes for accessing external lines and international numbers,
default languages for voice prompts, and the audio codec for voice messages, such as MP3.
A dial plan may also be used to configure a default greeting that will be played when
dial-plan subscribers call in to the server. You must have at least one UM server and at
least one dial plan for that server. Dial plans can be managed from either EMC or EMS, as
shown in the following table.
PS C:\Users\Administrator> Get-UMServer | fl
This example allows you to verify that your server has the UM role installed.
NOTE You can view that the default status is “Enabled,” that the default language is
“en-US,” and that there are no dial plans present by default, as shown in Figure 17-1.
Figure 17-1 Verifying the default settings and status on a UM server
PS C:\Users\Administrator> New-UMDialplan -Name PhiladelphiaUMDialPlan -NumberofDigits 4 -CountryOrRegionCode 1
PS C:\Users\Administrator> New-UMDialplan -Name OrlandoUMDialPlan -UriType SIPName -NumberofDigits 3 -CountryOrRegionCode 1
The first example creates a new UM dial plan for the Philadelphia office that uses
four-digit extension numbers. The country/region code is unique for each country.
The second example creates a new UM dial plan for the Orlando office that uses
three-digit extension numbers.
NOTE In addition to the number of digits in the extension, you could also specify the
URI Type if you need a SIP URI dial plan to support Session Initiation Protocol (SIP)
routing or if you’re integrating Microsoft Office Communications Server (OCS) and
Exchange Unified Messaging.
Some common country/region codes are shown in the following table.
Code Country
1 USA
7 Russia
33 France
34 Spain
44 United Kingdom
45 Denmark
46 Sweden
47 Norway
48 Poland
49 Germany
55 Brazil
61 Australia
81 Japan
86 China
Add a server to a dial plan and configure the dial plan to set the outside-line access code
to use 9, as shown in the following table.
PS C:\Users\Administrator> Set-UMServer -Identity Romac-EX2 -DialPlans PhiladelphiaUMDialPlan
Adds the specified server to a dial plan, as shown in Figure 17-2.

PS C:\Users\Administrator> Set-UMDialplan -Identity PhiladelphiaUMDialPlan -OutsideLineAccessCode 9
Configures the specified dial plan to set the outside-line access code to 9, as also
shown in Figure 17-2.
Figure 17-2 Server added to dial plan and outside-line access code configured on
specified dial plan, as shown in EMC
To retrieve settings for a dial plan, change other settings for a dial plan, and remove a
dial plan, use the appropriate cmdlet (as shown in the following table).
PS C:\Users\Administrator> Get-UMDialplan
Retrieves the complete list of dial plans in the organization.

PS C:\Users\Administrator> Get-UMDialplan -Identity PhiladelphiaUMDialPlan | fl
Displays a formatted list of properties for the specified dial plan.

PS C:\Users\Administrator> Set-UMDialplan -Identity PhiladelphiaUMDialPlan -WelcomeGreetingEnabled $true -WelcomeGreetingFilename "RomacWelcome.wav"
Configures the specified UM dial plan to use a custom welcome greeting.

PS C:\Users\Administrator> Remove-UMDialplan -Identity OrlandoUMDialPlan -Confirm:$false
After disassociating the UM dial plan from all UM mailbox policies, this example removes
the specified dial plan.
Creating and Managing UM IP Gateways
A UM IP gateway is an Active Directory object that represents your physical IP gateway
hardware device. This could be either an IP PBX or a VOIP gateway. An IP gateway
processes calls from the hardware device. It must be associated with at least one dial
plan and can contain one or more hunt groups. The IP gateway can be managed from
either EMC or EMS, as shown in the following table.
PS C:\Users\Administrator> New-UMIPGateway -Name PhiladelphiaUMIPGateway -Address 10.5.0.50
PS C:\Users\Administrator> New-UMIPGateway -Name OrlandoUMIPGateway -Address "OrlandoUMIPGateway.RomacSign.com"
The first example creates a new UM IP gateway that enables a UM server to begin accepting
calls from an IP gateway with the specified IP address, as shown in Figure 17-3.
The second example creates a new UM IP gateway that enables a UM server to begin
accepting calls from an IP gateway with the specified name.
Figure 17-3 The new UM IP gateway as seen in EMC
To perform other configuration settings on a UM IP gateway, use the appropriate cmdlet
(as shown in the following table).
PS C:\Users\Administrator> Get-UMIPGateway | Format-List
Retrieves the complete list of UM IP gateways in the organization.

PS C:\Users\Administrator> Get-UMIPGateway -Identity PhiladelphiaUMIPGateway | fl
Displays a formatted list of properties for the specified IP gateway.

PS C:\Users\Administrator> Set-UMIPGateway -Identity PhiladelphiaUMIPGateway -Address 10.5.0.50 -Status Disabled -OutcallsAllowed $false
PS C:\Users\Administrator> Set-UMIPGateway -Identity PhiladelphiaUMIPGateway -Address 10.5.0.50 -Status Enabled -OutcallsAllowed $true
The first example prevents the specified UM IP gateway from accepting incoming calls and
prevents outgoing calls.
The second example reverses the initial changes.

PS C:\Users\Administrator> Remove-UMIPGateway -Identity OrlandoUMIPGateway -Confirm:$false
Deletes the specified UM IP gateway without prompting for a confirmation of the deletion.
Creating and Managing Hunt Groups
A UM hunt group is an Active Directory object that logically represents the PBX hunt
group to link IP gateways and dial plans together. It is also used to locate the PBX hunt
group. This object can also be managed from either EMC or EMS, as shown in the
following table.
PS C:\Users\Administrator> New-UMHuntGroup -Name PhiladelphiaUMHuntGroup -PilotIdentifier 12119 -UMDialPlan PhiladelphiaUMDialPlan -UMIPGateway PhiladelphiaUMIPGateway
PS C:\Users\Administrator> New-UMHuntGroup -Name OrlandoUMHuntGroup -PilotIdentifier 11919 -UMDialPlan OrlandoUMDialPlan -UMIPGateway OrlandoUMIPGateway
These examples create the specified UM hunt groups with the specified pilot identifiers,
as shown in Figure 17-4.
Figure 17-4 The hunt group as seen in EMC
To perform other configuration settings on a UM hunt group, use the appropriate cmdlet
(as shown in the following table).
PS C:\Users\Administrator> Get-UMHuntGroup
Displays all the UM hunt groups in the organization.

PS C:\Users\Administrator> Get-UMHuntGroup -Identity PhiladelphiaUMIPGateway\PhiladelphiaUMHuntGroup | fl
Displays a formatted list of properties for the specified hunt group.

PS C:\Users\Administrator> Get-UMHuntGroup | Where-Object {$_.UMDialPlan -eq "PhiladelphiaUMDialPlan"}
Displays all of the UM hunt groups associated with the specified UM dial plan.

PS C:\Users\Administrator> Remove-UMHuntGroup -Identity "PhiladelphiaUMHuntGroup" -Confirm:$false
Removes the specified UM hunt group without prompting for confirmation of the deletion.
Creating and Managing UM Mailbox Policies
UM mailbox policies apply settings to configure UM-enabled users. You can specify
settings such as dial plan, number of unsuccessful logon attempts, number of digits
required in a PIN, password history, regional/international calling restrictions, and the
like with a UM mailbox policy.
The following table shows how to create, edit, view, and delete a UM mailbox policy.
PS C:\Users\Administrator> New-UMMailboxPolicy -Name PhiladelphiaUMMailboxPolicy -UMDialPlan PhiladelphiaUMDialPlan
PS C:\Users\Administrator> New-UMMailboxPolicy -Name OrlandoUMMailboxPolicy -UMDialPlan OrlandoUMDialPlan
These examples create two new UM mailbox policies that are associated with their
respective dial plans.

PS C:\Users\Administrator> Set-UMMailboxPolicy -Identity PhiladelphiaUMMailboxPolicy -LogonFailuresBeforePINReset 8 -MaxLogonAttempts 10 -MinPINLength 6 -PINHistoryCount 10 -PINLifetime 120 -ResetPINText "Your PIN has been reset."
Sets the PIN settings for users associated with the specified UM mailbox policy.

PS C:\Users\Administrator> Get-UMMailboxPolicy | Format-List
Returns a formatted list of all UM mailbox policies in the organization.

PS C:\Users\Administrator> Get-UMMailboxPolicy -Identity PhiladelphiaUMMailboxPolicy
Returns the properties and associated values for the specified UM mailbox policy.

PS C:\Users\Administrator> Remove-UMMailboxPolicy -Identity OrlandoUMMailboxPolicy -Confirm:$false
Removes the specified UM mailbox policy without prompting for confirmation of the deletion.
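The PIN settings in a UM mailbox policy are what limit voicemail PIN guessing, so it is worth checking every policy against a baseline. The following PowerShell is an added example, not code from the book: the function names, the baseline numbers, the AllowCommonPatterns values, and the Orlando values are assumptions, and the sample objects are constructed stand-ins for Get-UMMailboxPolicy output.

```powershell
# Added example (not from the book). Uses PowerShell 2.0 syntax so it also runs
# in the Exchange 2010 Management Shell.

# Assumed baseline for illustration; replace with your organization's standard.
$Baseline = @{
    MinPINLength                = 6    # PINs shorter than this are flagged
    MaxLogonAttempts            = 10   # lockout must occur at or before this many failures
    LogonFailuresBeforePINReset = 8    # automatic PIN reset at or before this many failures
    PINHistoryCount             = 5    # at least this many previous PINs are remembered
    PINLifetime                 = 120  # PINs must expire within this many days
}

function ConvertTo-Limit {
    param($Value)
    # Exchange returns values whose string form is a number or "Unlimited";
    # treat "Unlimited" as the largest possible integer.
    if ("$Value" -eq 'Unlimited') { return [int]::MaxValue }
    return [int]"$Value"
}

function New-Finding {
    param($Policy, [string]$Setting, [string]$Expected)
    New-Object PSObject -Property @{
        Policy   = $Policy.Name
        Setting  = $Setting
        Value    = "$($Policy.$Setting)"
        Expected = $Expected
    } | Select-Object Policy, Setting, Value, Expected
}

function Test-UMPinPolicy {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Policy,
        [hashtable] $Baseline = $script:Baseline
    )
    process {
        # Settings where a value below the baseline is weaker.
        foreach ($name in 'MinPINLength', 'PINHistoryCount') {
            if ((ConvertTo-Limit -Value ($Policy.$name)) -lt $Baseline[$name]) {
                New-Finding -Policy $Policy -Setting $name -Expected ">= $($Baseline[$name])"
            }
        }
        # Settings where a value above the baseline (or Unlimited) is weaker.
        foreach ($name in 'MaxLogonAttempts', 'LogonFailuresBeforePINReset', 'PINLifetime') {
            if ((ConvertTo-Limit -Value ($Policy.$name)) -gt $Baseline[$name]) {
                New-Finding -Policy $Policy -Setting $name -Expected "<= $($Baseline[$name])"
            }
        }
        # Common patterns (sequential or repeated digits) should stay disallowed.
        if ($Policy.AllowCommonPatterns) {
            New-Finding -Policy $Policy -Setting 'AllowCommonPatterns' -Expected 'False'
        }
    }
}

# Constructed sample input standing in for Get-UMMailboxPolicy output.
$samplePolicies = @(
    (New-Object PSObject -Property @{
        Name                        = 'PhiladelphiaUMMailboxPolicy'  # values from the Set-UMMailboxPolicy example
        MinPINLength                = 6
        PINHistoryCount             = 10
        PINLifetime                 = 120
        MaxLogonAttempts            = 10
        LogonFailuresBeforePINReset = 8
        AllowCommonPatterns         = $false                         # assumed
    }),
    (New-Object PSObject -Property @{
        Name                        = 'OrlandoUMMailboxPolicy'       # constructed weak values
        MinPINLength                = 4
        PINHistoryCount             = 1
        PINLifetime                 = 'Unlimited'
        MaxLogonAttempts            = 15
        LogonFailuresBeforePINReset = 'Unlimited'
        AllowCommonPatterns         = $true
    })
)

# One row per setting that is weaker than the baseline.
$samplePolicies | Test-UMPinPolicy | Format-Table -AutoSize

# Against a live organization, from the Exchange Management Shell:
#   Get-UMMailboxPolicy | Test-UMPinPolicy | Format-Table -AutoSize
```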
Monitoring and Troubleshooting a UM Server
You can use several cmdlets to monitor the status of your UM server as well as
troubleshoot issues on the server. Some of these cmdlets are shown in the following table.
PS C:\Users\Administrator> Get-UMCallSummaryReport -GroupBy Month -UMDialplan PhiladelphiaUMDialPlan
Returns statistics about all calls received or placed by Unified Messaging (UM) servers
in an organization.
This includes number of messages, missed calls, subscriber access, auto attendant, and
fax calls and also includes audio quality metrics for the specified calls.
NOTE The results will be collected only for the PhiladelphiaUMDialPlan and will be
grouped by Month, rather than by Day or by Total.

PS C:\Users\Administrator> Get-UMActiveCalls -Server Romac-EX2
Returns data about the calls that are active and being processed by the Unified
Messaging (UM) servers.
If the UM server is specified, this cmdlet returns only the active calls being processed
by the specified server.

PS C:\Users\Administrator> Test-UMConnectivity -UMIPGateway PhiladelphiaUMIPGateway -Phone 12119 -Secured $false
Tests the operation of a server that has the Unified Messaging (UM) server role installed.
When you run this cmdlet and include the UMIPGateway parameter, the Unified Messaging
server tests end-to-end functionality of the Unified Messaging system.
NOTE The -Secured parameter specifies whether the test will be run in SIP Secured Mode
and the -Phone parameter specifies the telephone number or SIP Uniform Resource
Identifier (URI) used when the test call is redirected.
There is also the Exchange 2010 UM Troubleshooting Tool, which can be used to diagnose
configuration errors specific to call-answering scenarios. In addition, it allows you
to test whether voicemail is functioning correctly in Exchange 2010 SP1.
The tool emulates calls and runs a series of diagnostic tests that help diagnose
misconfigurations in telephony equipment, Exchange Server 2010 SP1 Unified Messaging
settings, and connectivity issues.
You can download this utility from the Microsoft Download Center by searching for
“Unified Messaging Troubleshooting Tool.”
CHAPTER 18
Managing Unified Messaging (UM) Users
This chapter provides information and commands concerning the following topics:
■ Managing the UM Auto Attendant
■ Working with call-answering rules
■ Exporting UM call data records
■ Working with UM-enabled mailboxes
This chapter focuses on the configuration of Unified Messaging (UM) users and
UM-enabled mailboxes. You will investigate how to create and configure a UM Auto
Attendant, allow or restrict the user’s use of call-answering rules, work with Call Data
Records, and configure and enable UM-enabled mailboxes.
Managing the UM Auto Attendant
The UM Auto Attendant allows internal and external callers to navigate through the
voice menu system for your organization. The attendant enables you to set welcome
greetings and custom organizational voice-prompt menus as well as gives you the ability
to allow the system to connect the caller with the telephone of the subscriber. It also
permits the ability to search your organization’s directory for the subscriber.
The following table shows the creation of two UM Auto Attendants.
PS C:\Users\Administrator> New-UMAutoAttendant -Name PhiladelphiaUMAutoAttendant -UMDialPlan PhiladelphiaUMDialPlan -PilotIdentifierList 19000
New-UMAutoAttendant -Name OrlandoUMAutoAttendant -UMDialPlan OrlandoUMDialPlan -PilotIdentifierList 90000
These two examples create new UM Auto Attendants that can accept incoming calls but are
not speech enabled, as shown in Figure 18-1.
NOTE The pilot identifiers have been specified at the time of creation of the attendants.
Figure 18-1 New UM Auto Attendants as seen in EMC
PS C:\Users\Administrator> New-UMAutoAttendant -Name PhiladelphiaUMAutoAttendant -UMDialPlan PhiladelphiaUMDialPlan -PilotIdentifierList 19121,19122 -SpeechEnabled $true
Creates a new speech-enabled UM Auto Attendant using the specified pilot identifier.
NOTE When the Auto Attendant is speech enabled, callers can respond to the system or
custom prompts used by the UM Auto Attendant via touchtone or voice inputs.
By default, the Auto Attendant is not speech enabled when it’s created unless you
specify the -SpeechEnabled parameter as $true.

PS C:\Users\Administrator> Set-UMAutoAttendant -Identity OrlandoUMAutoAttendant -OperatorExtension 99999 -AfterHoursTransferToOperatorEnabled $true
Sets the specified UM Auto Attendant’s operator’s extension to 99999 and configures
transfers to this extension number after business hours, as shown in Figure 18-2.
Figure 18-2 New operator extension as seen in EMC
PS C:\Users\Administrator> Set-UMAutoAttendant -Identity PhiladelphiaUMAutoAttendant -BusinessHoursSchedule 1.09:00-1.17:00,2.09:00-2.17:00,3.09:00-3.17:00,4.09:00-4.17:00,5.09:00-5.17:00,6.09:00-6.16:30 -HolidaySchedule "Facility Closed for Holiday,holiday2010.wav,12/24/2010,01/01/2011"
Configures a new UM Auto Attendant that has business hours configured as 9:00 a.m.
to 5:00 p.m. Monday–Friday and 9:00 a.m. to 2:00 p.m. on Saturday; as well as “Facility
Closed for Holiday” configured from December 24, 2010 through January 2, 2011.
NOTE In this example, the .wav file contains your custom holiday greeting detailing the
dates and times that the facility will be closed for the holidays.
These changes can be seen in Figure 18-3.
Figure 18-3 Other Auto Attendant configurations as seen in EMC
PS C:\Users\Administrator> Get-UMAutoAttendant | Format-List
Returns a formatted list of all UM Auto Attendants in the organization.

PS C:\Users\Administrator> Get-UMAutoAttendant -Identity PhiladelphiaUMAutoAttendant
Displays the properties of the specified UM Auto Attendant.

PS C:\Users\Administrator> Enable-UMAutoAttendant -Identity PhiladelphiaUMAutoAttendant
Enables the specified UM Auto Attendant to answer incoming calls.
TIP Auto Attendants are created with a status of disabled and must be enabled.

PS C:\Users\Administrator> Disable-UMAutoAttendant -Identity PhiladelphiaUMAutoAttendant
Disables the specified UM Auto Attendant.

PS C:\Users\Administrator> Remove-UMAutoAttendant -Identity OrlandoUMAutoAttendant -Confirm:$false
Removes the specified UM Auto Attendant.
It is possible to create a new Auto Attendant without setting up an extension number for
it. An extension number for a UM Auto Attendant might otherwise be known as a pilot
identifier or pilot number. It is also possible to associate more than one telephone or
extension number with a single Auto Attendant. You can either add the extension
numbers when you create the UM Auto Attendant or add them after you configure the
Auto Attendant.
TIP The number of digits in the extension number you configured on the UM Auto
Attendant must match the number of digits for an extension number that’s configured
on the UM dial plan associated with the UM Auto Attendant.
The following table shows how to add one or more pilot identifiers to an existing UM
Auto Attendant.
PS C:\Users\Administrator> Set-UMAutoAttendant -Identity PhiladelphiaUMAutoAttendant -PilotIdentifierList "11255","17325","28000"
Configures the specified UM Auto Attendant with multiple extension numbers, as shown in
Figure 18-4.
Figure 18-4 The updated pilot identifier list for the specified Auto Attendant as seen in
EMC
You can also enable or disable directory lookups on a UM Auto Attendant, as shown in
the following table.
PS C:\Users\Administrator> Set-UMAutoAttendant -Identity PhiladelphiaUMAutoAttendant -NameLookupEnabled $true
Enables directory lookups on the specified UM Auto Attendant.

PS C:\Users\Administrator> Set-UMAutoAttendant -Identity PhiladelphiaUMAutoAttendant -NameLookupEnabled $false
Disables directory lookups on the specified UM Auto Attendant.
Working with Call Answering Rules
You can allow users associated with a UM dial plan to create and configure
call-answering rules, as well as restrict them from doing so. By default, UM-enabled
users can create a rule and apply it to an incoming call to their phone number, similar
to configuring an Inbox rule for incoming messages to their mailbox. A user can transfer
the call, have the caller leave a voice message, or allow the caller to locate him or her
at a different phone number with a call-answering rule. You also might want to restrict
the user from creating and configuring call-answering rules. This could be done by
configuring a UM mailbox policy and associating it with the user’s mailbox, as shown in
the following table.
PS C:\Users\Administrator> Set-UMDialPlan -Identity PhiladelphiaUMDialPlan -CallAnsweringRulesEnabled $true
Allows users who are associated with the specified UM dial plan to configure
call-answering rules.

PS C:\Users\Administrator> Set-UMDialPlan -Identity PhiladelphiaUMDialPlan -CallAnsweringRulesEnabled $false
Prevents users who are associated with the specified UM dial plan from configuring
call-answering rules.

PS C:\Users\Administrator> Set-UMMailboxPolicy -Identity PhiladelphiaUMMailboxPolicy -AllowCallAnsweringRules $false
Prevents users who are associated with the specified UM mailbox policy from creating
call-answering rules.

PS C:\Users\Administrator> Set-UMMailbox -Identity [email protected] -CallAnsweringRulesEnabled $false
Prevents the specified user from using call-answering rules.
NOTE The user must have a UM-enabled mailbox for this cmdlet to succeed.
Exporting UM Call Data Records
The Export-UMCallDataRecord cmdlet exports UM call data records for the date
you specify. This can be filtered by dial plan or by UM IP gateway. Each UM call data
record provides detailed information about all calls either placed to or received by the
specified user.
This includes the date and time that the call was taken, the duration of the call, the audio
codec used, the dial plan, the call type, the calling number as well as the called number.
You can use the Export-UMCallDataRecord cmdlet to export the UM call data records
and the Get-UMCallDataRecord cmdlet to search for records for a specific mailbox, as
shown in the following table.
PS C:\Users\Administrator> Export-UMCallDataRecord -Date 04/18/10 -UMDialPlan PhiladelphiaUMDialPlan
Exports all UM call data records for the specified date for the specified UM dial plan.

PS C:\Users\Administrator> Get-UMCallDataRecord -Mailbox [email protected]
Retrieves UM call data records for the last 90 days for the specified UM-enabled mailbox.
Working with UM-Enabled Mailboxes
You might need to configure properties on a UM-enabled mailbox. Some of the more
common options that can be configured are shown in the following table.
AirSyncNumbers
Specifies whether to register a mobile phone number with a hosted voicemail service.

AllowUMCallsFromNonUsers
Specifies whether to include or exclude the mailbox from directory searches.

AnonymousCallersCanLeaveMessages
Specifies whether diverted calls without a caller ID should be allowed to leave a message.

AutomaticSpeechRecognitionEnabled
Specifies whether users can use Automatic Speech Recognition (ASR) when they log on to
their mailbox.
NOTE This parameter can only be set to $true if there is ASR support for the language
selected by the user in Microsoft Office Outlook Web App options.

CallAnsweringAudioCodec
Specifies the audio codec used to encode voicemail messages that are left for the user.
NOTE The audio codec that’s used is the audio codec set at the UM dial plan level. The
default value is .mp3.

CallAnsweringRulesEnabled
Specifies whether users can configure call-answering rules for their accounts.
NOTE The default value is set to $true.

FaxEnabled
Specifies whether a user may receive incoming faxes.

MissedCallNotificationEnabled
Specifies whether to send missed call notifications.

OperatorNumber
Specifies the string of digits for the personal operator.

PlayOnPhoneEnabled
Specifies whether a user can use the Play on Phone feature to listen to voice messages.
NOTE The default value is set to $true.

SubscriberAccessEnabled
Specifies whether the users are allowed subscriber access to their individual mailboxes.
When this option is set to $true, users are able to retrieve voicemail over the
telephone after they have been authenticated.
NOTE The default value is $true.

TUIAccessToCalendarEnabled
Specifies whether the UM-enabled user has the ability to access his or her calendar
using the Microsoft Outlook Voice Access telephone user interface (TUI) or touchtone
interface.
NOTE The default value is $true.

UMMailboxPolicy
Specifies the UM mailbox policy linked to the UM-enabled user’s mailbox.

UMSMSNotificationOption
Specifies whether a UM-enabled user gets SMS or text messaging notifications.
The accepted values for this parameter include:
■ VoiceMail
■ VoiceMailAndMissedCalls
■ None
NOTE The default value is None.
The following table shows how to configure one or more of these parameters on a
UM-enabled mailbox.
PS C:\Users\Administrator> Set-UMMailbox -Identity [email protected] -CallAnsweringAudioCodec Wma -CallAnsweringRulesEnabled $false -FaxEnabled $false -UMSMSNotificationOption VoiceMail
Configures the specified UM-enabled user so that the call-answering audio codec is set
to Wma, call-answering rules are disabled, incoming faxes are blocked, and voicemail
notifications are allowed, but missed call notifications are not allowed using text
messaging.

PS C:\Users\Administrator> Set-UMMailbox -Identity [email protected] -TUIAccessToCalendarEnabled $false -TUIAccessToEmailEnabled $false
Prevents the specified user from accessing his or her calendar and email while using
Outlook Voice Access.
NOTE The user must have a UM-enabled mailbox for this cmdlet to succeed.

PS C:\Users\Administrator> Get-UMMailbox | Format-List
Retrieves a list of all UM-enabled mailboxes in the organization.

PS C:\Users\Administrator> Get-UMMailbox -Identity [email protected]
Retrieves the UM mailbox properties for the specified user.

PS C:\Users\Administrator> Enable-UMMailbox -Identity [email protected] -UMMailboxPolicy PhiladelphiaUMMailboxPolicy -Extensions 5050 -PIN 1233210 -NotifyEmail -PINExpired $true
Enables UM on the mailbox for the specified user and sets the extension and PIN for the
user.
It also assigns a UM mailbox policy named PhiladelphiaUMMailboxPolicy to the user’s
mailbox.

PS C:\Users\Administrator> Disable-UMMailbox -Identity [email protected] -Confirm:$false
Disables UM on the mailbox for the specified user.
You can use the Set-UMMailboxPIN cmdlet to reset the PIN for a UM-enabled mailbox
as well as lock and unlock the UM-enabled mailbox, as shown in the following table.
PS C:\Users\Administrator> Set-UMMailboxPIN -Identity [email protected]
Resets the PIN on the specified UM-enabled mailbox.

PS C:\Users\Administrator> Set-UMMailboxPIN -Identity [email protected] -PIN 1010101 -PINExpired $true
Resets the initial PIN to 1010101 on the UM-enabled mailbox for the specified user and
then sets the PIN as expired, so the user will be prompted to change the PIN the next
time he or she logs on.

PS C:\Users\Administrator> Set-UMMailboxPIN -Identity [email protected] -LockedOut $true
Locks the UM-enabled mailbox for the specified user account, blocking the user from
accessing the mailbox.

PS C:\Users\Administrator> Set-UMMailboxPIN -Identity [email protected] -LockedOut $false
Unlocks the UM-enabled mailbox for the specified user account and allows the user access
to the mailbox.

PS C:\Users\Administrator> Get-UMMailboxPIN
Displays the UM mailbox PIN-related status for all UM-enabled users in the organization.

PS C:\Users\Administrator> Get-UMMailboxPIN -Identity [email protected]
Displays the UM mailbox PIN-related status for the specified user.
CHAPTER 19
Exchange Server 2010 Message Routing
This chapter provides information and commands concerning the following topics:
■ Using default message routing
■ Using Exchange hub sites
■ Using Exchange-specific costs on site links
■ Tracking messages with PowerShell
Mailflow within an Active Directory site is handled by the Hub Transport server that
picks up the message. The Microsoft Exchange Mail Submission service on the Mailbox
server notifies all Hub Transports in the local site whenever messages are available for
retrieval from a sender’s Outbox. The store driver retrieves the message and because it
is destined for a local recipient, the Hub Transport that picked up the message can also
deliver it to the Mailbox server that holds the recipient’s mailbox.
When a message is destined for another Active Directory site or the Internet, other
transport servers become involved, so you must understand how message routing takes place.
This chapter first looks at default message routing and then moves on to alternatives you
can take to modify default message routing when necessary.
Using Default Message Routing
The first thing to understand about remote mailflow to another Active Directory site
is that routing groups are no longer used. To support coexistence between Exchange
2010 routing and Exchange 2003, all Exchange 2010 servers are automatically
added to a single routing group when they are installed. The Exchange 2010 routing
group is recognized in Exchange System Manager in Exchange 2003 as Exchange
Routing Group (DWBGZMFD01QNBJR) within Exchange Administrative Group
(FYDIBOHF23SPDLT), but it is not recognized in Exchange Management Console
(EMC) or Exchange Management Shell (EMS). Both the routing group and the
administrative group are hidden in the Exchange 2010 tools. Do not move Exchange 2010
servers out of Exchange Routing Group (DWBGZMFD01QNBJR). Do not move Exchange
2003 servers into it (except when you’re decommissioning the last 2003 routing group).
Also, don’t rename either the hidden routing group or the hidden administrative group
with any utilities that may be able to do so.
TIP Increasing each letter/number in the routing group’s name by one spells
“EXCHANGE12ROCKS,” in case you were wondering what the deal was with all the
letters. This might have made sense in Exchange Server 2007, even if you didn’t care for
it. However, the name is still the same in Exchange Server 2010 (Exchange 14).
Very little configuration is performed from the Exchange server for default message
routing. Use Active Directory Sites and Services (ADSS), which allows you to create
sites, site links, and site link costs. Figure 19-1 illustrates a scenario for Romac Sign
Company, where five Active Directory sites and six WAN links are represented logically
in Active Directory. Initially, all site link costs are 10 units.
Figure 19-1 AD sites, site links, and site link costs
Mail can take three possible paths when being routed from Toronto to Dallas:
■ TOR→SDO→DAL
■ TOR→PHL→DAL
■ TOR→ATL→DAL
This is illustrated in Figure 19-2 and represents the default mailflow scenario for this
organization.
Figure 19-2 Default message flow (sites: Toronto, Philadelphia, San Diego, Atlanta, Dallas; all six link costs are 10)
Using Exchange Hub Sites
One of two ways to modify message routing in Exchange 2010 is the use of an
Exchange hub site. It is remarkably easy to create a hub site, but it has far-reaching
implications. Oftentimes, the AD design for your organization is not mail friendly. For
example, in Figure 19-1, it may be desirable to replicate AD information evenly across
the three paths. However, consider how mailflow will be potentially delayed if the bulk
of your Hub Transport servers are located in Philadelphia and messages from Toronto
to Dallas will be evenly spread across all three paths. Message delivery from Toronto
to Dallas will potentially be slow if routed through either San Diego or Atlanta because
there are not enough Hub Transports in either site to handle the volume. You can
configure Philadelphia as an Exchange hub site to resolve the problem.
NOTE This task can only be performed with EMS. EMC has no interface for enabling
an Exchange hub site.
PS C:\Users\Administrator> Get-ADSite
Displays all Active Directory sites in the forest.

PS C:\Users\Administrator> Get-ADSite -Identity Philadelphia
Displays the configuration details for the specified Active Directory site.

PS C:\Users\Administrator> Set-AdSite -Identity Philadelphia -HubSiteEnabled $true
Designates the AD site Philadelphia as an Exchange hub site.

PS C:\Users\Administrator> Set-AdSite -Identity Philadelphia -HubSiteEnabled $false
Removes the Exchange hub site designation from the AD site Philadelphia.
Philadelphia is represented as an Exchange hub site in Figure 19-3.
Figure 19-3 Philadelphia designated as an Exchange hub site (same five sites; all six link costs are 10)
Using Exchange-Specific Costs on Site Links
Another way to modify default message flow is to set an Exchange-specific cost on an
Active Directory site link. You may not want to set an Exchange-specific cost on every
AD site link. You might instead use this technique so that message routing will avoid
the use of a specific WAN connection where bandwidth may be saturated. When looking
at the previous examples, consider what would occur if there was a network slowdown
on the ATL-DAL link every afternoon. Mail traversing the other two paths would be
relatively unaffected, but users in Dallas receiving mail from Toronto over the ATL-DAL
link would experience delivery problems or delays. If this was the case, you could
configure the ATL-DAL link (as shown in the following table) to use a different cost for
mail than for AD replication (see Figure 19-4).
NOTE This task can only be performed with EMS. EMC has no interface for enabling
Exchange-specific costs.
PS C:\Users\Administrator> Get-ADSiteLink
Returns a list of all IP site links in your organization.

PS C:\Users\Administrator> Get-AdSiteLink | Where {$_.ExchangeCost -ne $null}
Returns a list of all IP site links in your organization that have a specific Exchange
cost assigned.

PS C:\Users\Administrator> Set-AdSiteLink -Identity ATL-DAL -ExchangeCost 100
Assigns an Exchange-specific cost to an Active Directory IP site link.
The ATL-DAL WAN link is shown with its Exchange-specific cost in Figure 19-4 .
TORONTO
PHILADELPHIASAN DIEGO ATLANTA
10
10
10
DALLAS
10
10100
EXCHANGE
COST
10
SLOWCONNECTION
Figure 19-4 Configuring an Exchange Specific cost for a slow connection
The outcome of both the Set-ADSite and Set-ADSiteLink cmdlets is shown in Figure 19-5.
Figure 19-5 Configuring a hub site and an Exchange-specific cost, as shown in EMS
The following table shows how to return the cost to its original setting.
PS C:\Users\Administrator> Set-AdSiteLink -Identity ATL-DAL -ExchangeCost $null
Removes the Exchange-specific cost from the Active Directory IP site link, returning the link to its original setting.
TIP To return to the original setting, you would not use a value of 0 for the cost for two reasons. First, 0 is less than the original value of 10. Second, it is not an acceptable value for this cmdlet. The acceptable values are 1–99999.
The following table shows how to set both the Exchange-specific cost as well as the
maximum message size that could be sent across the link.
PS C:\Users\Administrator> Set-AdSiteLink -Identity ATL-DAL -ExchangeCost 100 -MaxMessageSize 15MB
Assigns an Exchange-specific cost to an Active Directory IP site link as well as configures the maximum message size that can pass across the link.
The following table shows other cmdlets involved with mailflow.
PS C:\Users\Administrator> Get-DeliveryAgentConnector -Identity "Business Partner X.400 Connector" | Format-List
Retrieves information about a specific delivery agent connector in your organization.
NOTE Delivery agent connectors are used to route messages addressed to foreign systems that don’t use the SMTP protocol.
PS C:\Users\Administrator> New-DeliveryAgentConnector -Name "Business Partner X.400 Connector" -AddressSpaces "X400:c=US;a=Data1;p=BusPartner;1" -DeliveryProtocol "X.400" -SourceTransportServers Romac-EX1,Romac-EX3
Creates a delivery agent connector called “Business Partner X.400 Connector” that will be hosted only on Romac-EX1 and Romac-EX3, but not Romac-EX2. The delivery agent connector is designed to handle X.400 connections to your business partner and uses the carrier Data1. The address space for the connector is c=US;a=Data1;p=BusPartner.
PS C:\Users\Administrator> Set-DeliveryAgentConnector -Identity "Business Partner X.400 Connector" -MaxMessageSize 15MB -MaxMessagesPerConnection 75 -MaxConcurrentConnections 20
Configures restrictions on the specified delivery agent connector, setting the maximum message size allowed through the connector to 15MB, configuring the maximum number of messages allowed per connection to 75, and setting the maximum concurrent connections to 20.
PS C:\Users\Administrator> Remove-DeliveryAgentConnector -Identity "Business Partner X.400 Connector" -Confirm:$false
Removes the specified delivery agent connector.
PS C:\Users\Administrator> Get-ForeignConnector -Identity "Romac Fax Connector" | Format-List
Retrieves information about the specific foreign connector.
PS C:\Users\Administrator> New-ForeignConnector -Name "Romac Fax Connector" -AddressSpaces "X400:c=US;a=Data1;P=BusPartner;5" -SourceTransportServers Romac-EX2,Romac-EX3
Creates a foreign connector called “Romac Fax Connector” that will be hosted only on Romac-EX2 and Romac-EX3, but not Romac-EX1. The fax connector is designed to handle X.400 fax connections to your business partner. The address space for the connector is c=US;a=Data1;P=BusPartner.
PS C:\Users\Administrator> Set-ForeignConnector -Identity "Romac Fax Connector" -MaxMessageSize 25MB
Configures a 25MB message size limit on the existing foreign connector (the fax connector).
PS C:\Users\Administrator> Remove-ForeignConnector -Identity "Romac Fax Connector" -Confirm:$false
Deletes the foreign connector (the fax connector).
Tracking Messages with PowerShell
The message-tracking log is located in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking by default on each computer that has the
Hub Transport, Edge Transport, or Mailbox server role installed. The message-tracking
log is a .csv file that contains the history of each email message as it travels through the
individual server, but could be converted to another format such as HTML for ease of
viewing or better functionality.
The Get-MessageTrackingReport cmdlet retrieves and displays information about specific messages
in the message-tracking log. This cmdlet requires you to specify the ID for the message-tracking report you want to view.
You would use the Search-MessageTrackingReport cmdlet to find the message-tracking report ID for a specific message and then pass the message-tracking report
ID from the output of the Search-MessageTrackingReport cmdlet to the Get-MessageTrackingReport cmdlet to retrieve the proper report. The use of these cmdlets
is shown in the following table.
PS C:\Users\Administrator> Get-MessageTrackingLog -Start "11/15/2010 9:00AM" -End "11/21/2010 5:00PM" -Sender "[email protected]"
Retrieves message-tracking log entries that were created between the specified dates and times, with a Sender parameter value of [email protected].
PS C:\Users\Administrator> Search-MessageTrackingReport -Identity "Joyce Celecz" -Recipients "[email protected]"
Uses the Search-MessageTrackingReport cmdlet to find the message-tracking report based on the search criteria provided. You would then pass this message-tracking report ID to the Get-MessageTrackingReport cmdlet to retrieve the message-tracking information.
PS C:\Users\Administrator> $RomacSearch = Search-MessageTrackingReport -Identity "Joyce Celecz" -Recipients [email protected]
PS C:\Users\Administrator> Get-MessageTrackingReport -Identity $RomacSearch.MessageTrackingReportID -ReportTemplate Summary
Stores the search result in a variable and then passes the message-tracking report ID from the output of the Search-MessageTrackingReport cmdlet to the Get-MessageTrackingReport cmdlet.
The following table shows an example of how you might use the message-tracking
option in PowerShell to export a message-tracking report to an HTML file.
PS C:\Users\Administrator> Get-ExchangeServer | Where {$_.IsHubTransportServer -eq "true"} | Sort-Object Name | Get-MessageTrackingLog -Sender:[email protected] -EventID "RECEIVE" -Start "3/1/2011 1:00:00 PM" -End "3/3/2011 1:00:00 PM" | ConvertTo-HTML TimeStamp,ServerHostName,Sender,{$_.recipients},MessageSubject | Out-File "C:\Users\Administrator\Maureen.html"
Retrieves message-tracking log entries from all Hub Transport servers that were created between the specified dates and times, with a Sender parameter value of
The result set is converted to an HTML file and includes the timestamp, the server that processed the message, as well as the sender, recipient, and subject of the message, as shown in Figure 19-6.
Figure 19-6 Converting to an HTML file
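
The export above keeps only RECEIVE events. As an added example (not from the book), the following Exchange Management Shell script collects every tracking event for one sender from all Hub Transport servers and then summarizes each message's path by MessageId, which is the view needed when tracing where a particular message went. The sender address, time window, and output folder are placeholders.

```powershell
# Added example, not from the book. Run in Exchange Management Shell (Exchange 2010).
# Placeholders (assumptions): sender address, time window, output folder.
$Sender = "sender@example.com"
$Start  = "3/1/2011 1:00:00 PM"
$End    = "3/3/2011 1:00:00 PM"
$OutDir = "C:\Users\Administrator"

# Each Hub Transport server logs only the events it handled, so query them all.
# @() keeps the result an array even when zero or one event comes back.
$events = @(Get-ExchangeServer |
    Where-Object { $_.IsHubTransportServer } |
    ForEach-Object {
        Get-MessageTrackingLog -Server $_.Name -Sender $Sender `
            -Start $Start -End $End -ResultSize Unlimited
    })

# Raw record: one row per event. Recipients is a collection, so join it into
# a single string; otherwise Export-Csv writes the type name instead of the addresses.
$events | Sort-Object MessageId, Timestamp |
    Select-Object Timestamp, ServerHostname, EventId, Source, Sender,
        @{Name = "Recipients"; Expression = { $_.Recipients -join ";" }},
        MessageSubject, MessageId |
    Export-Csv -Path (Join-Path $OutDir "trace-events.csv") -NoTypeInformation

# Summary: one row per message with its ordered event chain and every server
# that logged it. Failed is true when any event in the chain is FAIL.
$summary = $events | Group-Object MessageId | ForEach-Object {
    $ordered = @($_.Group | Sort-Object Timestamp)
    $chain   = @($ordered | ForEach-Object { "$($_.EventId)" })
    $servers = @($ordered | ForEach-Object { $_.ServerHostname } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        MessageId  = $_.Name
        Subject    = $ordered[0].MessageSubject
        FirstSeen  = $ordered[0].Timestamp
        LastSeen   = $ordered[-1].Timestamp
        Servers    = ($servers -join ",")
        EventChain = ($chain -join " > ")
        Failed     = ($chain -contains "FAIL")
    }
}

$summary | Sort-Object FirstSeen |
    Select-Object FirstSeen, LastSeen, Subject, Servers, EventChain, Failed, MessageId |
    Export-Csv -Path (Join-Path $OutDir "trace-summary.csv") -NoTypeInformation
```
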
CHAPTER 20
Integrating Exchange Server 2010 into an Existing Exchange Server 2003 Environment
This chapter provides information and commands concerning the following topics:
■ Configuring routing with Exchange Server 2003
■ Suppressing link state updates on Exchange 2003 bridgehead servers
During a migration from Exchange Server 2003 to Exchange Server 2010, messages
must be able to be routed regardless of where the recipient’s mailbox currently exists.
Exchange 2003 uses routing groups to route messages, whereas Exchange 2010 uses AD
sites and site links. However, mailflow cannot be interrupted simply because a mailbox
has been moved from 2003 to 2010. Also, mail must still be routed between a recipient’s
mailbox on a 2003 server and a mailbox that has been moved to 2010.
Configuring Routing with Exchange Server 2003
When you install the first Exchange 2010 server into the existing organization, the
Exchange installation program (Setup.exe) prompts you for the 2003 bridgehead server
that the 2010 Hub Transport server will connect with and then it creates a bidirectional
routing group connector (RGC) between the two servers. This configuration page is
shown in Figure 20-1.
Figure 20-1 Assigning the first Exchange 2010 Hub Transport server to an Exchange 2003 bridgehead server
In the previous chapter, you learned that the RGCs are hidden connectors and that the
routing group is also hidden from the 2010 management tools. Without this bidirectional
connector (actually two one-way connectors), mail could not be routed between the
versions of Exchange Server because 2003 knows no other way to route mail other than by
using a routing group connector. Figure 20-2 shows the existence of the routing groups
and RGCs from Exchange System Manager, the 2003 GUI for Exchange Server management.
Figure 20-2 Routing groups and RGCs as seen from Exchange System Manager (2003) after installation of the first Exchange 2010 Hub Transport
Sometimes, it is necessary to create additional connectors. Before creating any connectors,
you should verify network configuration of the transport server that will host the
connectors. As shown in the following table, this can be performed with a cmdlet called
Get-NetworkConnectionInfo in Exchange Management Shell (2010).
PS C:\Users\Administrator> Get-NetworkConnectionInfo -Identity Romac-EX2010HT
Retrieves the network configuration information for all NICs configured on the local server. The retrieved information includes the name of the NIC, the configured DNS servers, IP addresses, as well as the MAC address of the adapter. You can use this information to verify network configuration before trying to configure additional routing group connectors from the hidden 2010 routing group to the appropriate 2003 routing groups.
PS C:\Users\Administrator> New-RoutingGroupConnector -Name "2003 to 2010 RGC" -SourceTransportServers "Romac-EX2010HT.Romac2k3.com" -TargetTransportServers "Romac-EX2003.Romac2k3.com" -Cost 15 -Bidirectional $true
Creates the specified routing group connector. The connector will connect the 2010 Hub Transport to the 2003 bridgehead server. The routing group connector that will be created is a two-way connector (actually, two one-way connectors) between the Exchange 2010 routing group and the 2003 routing group associated with the specified Exchange 2003 server. The cost assigned will be 15.
These connectors are shown in Figure 20-3 .
Figure 20-3 Newly created RGCs
As shown in the following table, you can also change or view properties on existing
routing group connectors, as well as remove them when they are no longer required.
NOTE When Exchange Server 2003 is being decommissioned from the organization,
you must remove the remaining RGCs, the last 2003 routing group, and the last
Exchange 2003 server. The reasons for removal may be apparent, but the individual
tasks must be implemented in a prescribed manner.
Although some of these tasks can be performed from Exchange Management
Shell, you will want to become more familiar with the order, procedures, and details
for removing these objects before attempting to do so. This topic should be fully
researched before you attempt to remove your last 2003 Exchange server from the
organization.
PS C:\Users\Administrator> Set-RoutingGroupConnector -Identity "Exchange Administrative Group (FYDIBOHF23SPDLT)\Exchange Routing Group (DWBGZMFD01QNBJR)\2010 to 2003 RGC" -Cost 75 -MaxMessageSize 15MB -SourceTransportServers "Romac-EX2010HT.Romac2k3.com" -TargetTransportServers "Romac-EX2003.Romac2k3.com"
Changes the configuration of the specified routing group connector, setting the cost to 75 (from 15) and setting the maximum message size limit to 15MB (from the default), as shown in Figure 20-4.
NOTE This could also be used to specify new source and target servers for the connector, if desired.
Figure 20-4 RGC properties
PS C:\Users\Administrator> Get-RoutingGroupConnector -Identity "Exchange Administrative Group (FYDIBOHF23SPDLT)\Exchange Routing Group (DWBGZMFD01QNBJR)\2010 to 2003 RGC" | fl
Retrieves the configuration information for the specified routing group connector.
PS C:\Users\Administrator> Remove-RoutingGroupConnector -Identity "Exchange Administrative Group (FYDIBOHF23SPDLT)\Exchange Routing Group (DWBGZMFD01QNBJR)\2010 to 2003 RGC" -Confirm:$false
Removes the routing group connector Ex2010 to Ex2003 RGC.
Suppressing Link State Updates On Exchange 2003 Bridgehead Servers
Before you begin creating RGCs using the preceding method, you should be aware of
a compatibility issue with routing in Exchange Server 2003 and in Exchange Server
2010—that is, 2010 uses site and site links for message routing and 2003 uses routing
groups. The 2003 bridgehead servers, by default, try to calculate alternate paths for
mailflow when a routing group connector is found to be unavailable. This won’t work
with Exchange 2010, and a routing loop may result if Exchange 2003 bridgeheads were
to begin marking RGCs as unavailable. Fortunately, an easy fix can be performed using
regedit.exe.
You need to suppress minor link state updates so that Exchange 2003 only uses least
cost routing to route messages and does not try to calculate alternative routes. When you
suppress minor link state updates, the servers running Exchange 2003 do not mark routing
group connectors as unavailable as they would do normally and mailflow between
the routing groups will function as designed in Exchange 2010.
You should perform this procedure on every Exchange 2003 bridgehead server in the
organization prior to the creation of additional routing group connectors.
NOTE This is not performed using Exchange Management Shell.
The following table shows you how to suppress link state updates on Exchange 2003.
1 Open RegEdit.exe.
2 Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RESvc\Parameters.
3 Right-click Parameters and select New | DWORD.
4 Name the new DWORD value SuppressStateChanges. (This is case-sensitive.)
5 Double-click SuppressStateChanges.
6 In the Value data field, type 1 to suppress link state updates.
7 Close RegEdit.exe.
8 Restart the SMTP service, the Microsoft Exchange Routing Engine service, and the Microsoft Exchange MTA Stacks services for the change to take effect.
The purpose of suppressing link state updates is to ensure that routing loops do not take place because Exchange 2003 bridgehead servers take control of the connectors. Exchange 2010 doesn’t use a link state routing table and doesn’t support the relaying of link state information.
Registry Editing Warning: If you use Registry Editor incorrectly, you can cause serious problems that may require you to reinstall your operating system or Exchange Server. Use Registry Editor at your own risk and make sure you can back up the registry before making any changes.
Figure 20-5 shows the appropriate area of the registry.
Figure 20-5 Suppressing minor link state updates on Exchange Server 2003 bridgehead
servers
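
The eight steps above, scripted as an added example (not from the book) that also backs up the key first and verifies the value's name, type, and data before restarting anything. It assumes Windows PowerShell is installed on the Exchange 2003 bridgehead server and that the script is run locally as an administrator. The backup location is a placeholder, and SMTPSVC, RESvc, and MSExchangeMTA are the short names of the three services listed in step 8.

```powershell
# Added example, not from the book. Run locally on each Exchange 2003 bridgehead server.
# Assumptions: Windows PowerShell is installed there; the backup location is a placeholder.
$KeyPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\RESvc\Parameters"
$ValueName = "SuppressStateChanges"
$Services  = "SMTPSVC", "RESvc", "MSExchangeMTA"
$Backup    = Join-Path $env:TEMP ("RESvc-Parameters-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

if (-not (Test-Path $KeyPath)) {
    throw "Key $KeyPath not found. Is the Exchange Routing Engine installed on this server?"
}

# Back up the key before changing it, as the registry warning advises.
& reg.exe export ($KeyPath -replace "^HKLM:", "HKLM") $Backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed. No changes were made." }

# The book notes that the value name is case-sensitive, so a value that matches
# only when case is ignored is treated as a mistake to be corrected by hand.
$key   = Get-Item -Path $KeyPath
$names = @($key.GetValueNames())
if (($names -contains $ValueName) -and -not ($names -ccontains $ValueName)) {
    throw "A value named like $ValueName exists with different capitalization. Correct it by hand."
}

# Already correct only if the name, the type (DWORD), and the data (1) all match.
$alreadySet = ($names -ccontains $ValueName) -and ($key.GetValueKind($ValueName) -eq "DWord") -and ($key.GetValue($ValueName) -eq 1)

if ($alreadySet) {
    Write-Output "$ValueName is already a DWORD set to 1. No change made, no restart needed."
} else {
    # -Force replaces an existing value that has the wrong type or data.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Re-read the key and confirm the write before touching any service.
    $key = Get-Item -Path $KeyPath
    if (($key.GetValueKind($ValueName) -ne "DWord") -or ($key.GetValue($ValueName) -ne 1)) {
        throw "Verification failed. Restore from $Backup and investigate."
    }

    # Step 8: restart the three services so the change takes effect.
    # -Force allows a service to be stopped even when other running services depend on it.
    Restart-Service -Name $Services -Force
    Write-Output "$ValueName set to 1. Backup of the previous key: $Backup"
}

# Confirm all three services are running again.
Get-Service -Name $Services | Format-Table Name, Status, DisplayName -AutoSize
```
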
CHAPTER 21
Database Availability Groups (DAGs)
This chapter provides information and commands concerning the following topics:
■ Creating and configuring a DAG
■ Adding or removing a DAG member
■ Recovering a failed DAG member
■ Creating and configuring a DAG network
■ Removing a DAG
A Database Availability Group (DAG) provides the infrastructure for replicating mailbox
databases to other servers in the DAG. When a DAG is created, you can think of it
as a replication boundary for databases on servers in the DAG. In this chapter, you will
review the procedures for creating and managing the DAG and one or more DAG networks.
Creating and Configuring a DAG
You need to be aware of the following rules when creating a DAG:
■ A server may belong to only one DAG at any time.
■ Databases may not be replicated outside of the DAG.
■ There is a limit of 16 copies of any database placed on 16 separate servers, called
DAG members.
■ Only one copy of each database may be mounted at any time. Others will hopefully
appear as “healthy” copies. (This is not a multimaster database environment,
such as the one that exists in the Active Directory.)
■ The database copies must all be stored in the same path on each server.
The following table shows how to create a new DAG.
PS C:\Users\Administrator> New-DatabaseAvailabilityGroup -Name RomacDAG1 -WitnessServer Romac-EX3HC -WitnessDirectory C:\FSW-DAG1
Creates a new DAG with the name RomacDAG1, using the specified server as the witness server and the specified directory as the witness directory. If you did not specify a witness server, one of your Hub Transport servers would be automatically assigned as a witness server, assuming that you have at least one Hub Transport server present that does not have the Mailbox Server role installed on it.
NOTE RomacDAG1 will be assigned an IP address from DHCP because no IP address was specified.
TIP If the witness server is not an Exchange Server, you will receive a warning message during the execution of this cmdlet, as shown in Figure 21-1. Exchange had not yet been installed on Romac-EX3HC in order to view this warning.
Figure 21-1 Warning received when a non-Exchange server is designated as the witness server
PS C:\Users\Administrator> New-DatabaseAvailabilityGroup -Name RomacDAG2 -DatabaseAvailabilityGroupIPAddresses 10.5.0.79 -WitnessServer Romac-EX3HC -WitnessDirectory C:\FSW-DAG2
Creates a new DAG with the name RomacDAG2, using the specified server as the witness server and the specified directory as the witness directory.
NOTE RomacDAG2 will use the specified static IP address because it was assigned in the cmdlet. You might do this when all DAG members are on the same subnet on your network.
PS C:\Users\Administrator> New-DatabaseAvailabilityGroup -Name RomacDAG3 -DatabaseAvailabilityGroupIPAddresses 10.5.0.80, 10.6.0.85, 10.7.0.90 -WitnessServer Romac-EX3HC -WitnessDirectory C:\FSW-DAG3
Creates a new DAG with the name RomacDAG3, using the specified server as the witness server and the specified directory as the witness directory, as shown in Figure 21-1.
NOTE RomacDAG3 will use the three specified static IP addresses because they were assigned in the cmdlet.
TIP If the members of the DAG are on multiple subnets, you must assign multiple IP addresses for the DAG for each subnet. Simply separate the IP addresses by commas in the cmdlet, as shown.
PS C:\Users\Administrator> New-DatabaseAvailabilityGroup -Name RomacDAG4
This example creates a new DAG with the name RomacDAG4, but does not specify any parameters.
NOTE You can always add the unspecified parameters later with a Set-DatabaseAvailabilityGroup cmdlet.
TIP In this example, a Hub Transport should have been automatically designated as a witness server because none was specified. However, no Hub Transport was found without a mailbox role on it as well. In such cases, you will receive an error, as shown in Figure 21-2. After the Hub Transport role was added to a server (Romac-EX3HC), the cmdlet was rerun and it completed without any errors. Also, in this example, RomacDAG4 will be assigned an IP address from DHCP because no IP address was specified.
NOTE In Service Pack 1, it is now possible to create a DAG with a static IP address in
Exchange Management Console (EMC).
Figure 21-2 Error received when the system attempts to designate a Hub Transport
server as the witness server and no Hub Transports are found without the mailbox role
also installed on them
Once one or more DAGs have been created, you may want to view the properties of all
DAGs or of a specific DAG. You can also specifically view the status of the DAG if you
wish. Figure 21-3 shows them from Exchange Management Console (EMC), but you
could also use the Get-DatabaseAvailabilityGroup cmdlet, which shows them from the
command line (as shown in the following table).
Figure 21-3 DAGs as seen from EMC
PS C:\Users\Administrator> Get-DatabaseAvailabilityGroup | fl
Lists all DAGs in your organization.
PS C:\Users\Administrator> Get-DatabaseAvailabilityGroup -Identity RomacDAG3 | fl
Shows the complete list of all attributes for a single DAG.
PS C:\Users\Administrator> Get-DatabaseAvailabilityGroup -Identity RomacDAG3 -Status | fl
Shows the status-related attributes for a single DAG.
To change properties of an existing DAG, you can use the Set-DatabaseAvailabilityGroup cmdlet (as shown in the following table).
PS C:\Users\Administrator> Set-DatabaseAvailabilityGroup -Identity RomacDAG4 -WitnessServer Romac-EX3HC -WitnessDirectory C:\FSW-DAG4 -DatabaseAvailabilityGroupIPAddresses 10.5.0.99
Adds the specified server as the witness server and the specified directory as the witness directory.
NOTE RomacDAG4 will now use the static IP address of 10.5.0.99, because it was added with the Set-DatabaseAvailabilityGroup cmdlet.
PS C:\Users\Administrator> Set-DatabaseAvailabilityGroup -Identity RomacDAG4 -AlternateWitnessDirectory C:\FSW-RomacDAG1 -AlternateWitnessServer Romac-DC1
Assigns an alternate witness server for the specified DAG. This is useful in case of a site failure and will be discussed in greater detail in Chapter 23, “Using DAG to Mitigate Failures.”
NOTE The AlternateWitnessServer parameter can be used to specify the name of a new witness server for the DAG in the DR site. By using this parameter, you can specify the server in advance. You can also assign the alternate witness directory for the specified DAG on the new witness server.
PS C:\Users\Administrator> Set-DatabaseAvailabilityGroup -Identity RomacDAG3 -DatabaseAvailabilityGroupIPAddresses 0.0.0.0
Forces the specified DAG to use a dynamically assigned IP address from DHCP, instead of the one it was originally configured to use.
PS C:\Users\Administrator> Get-DatabaseAvailabilityGroup -Identity RomacDAG4 | fl Name, DatabaseAvailabilityGroupIpv4Addresses
PS C:\Users\Administrator> Get-DatabaseAvailabilityGroup -Identity RomacDAG3 | fl Name, DatabaseAvailabilityGroupIpv4Addresses
It is not possible to view the IP address of the DAG from Exchange Management Console after it has been configured using Exchange Management Shell (EMS), but you can use the examples to do so from EMS. These examples (displayed in Figure 21-4) show the IP address specifically assigned to RomacDAG4 (previously) and the dynamic address assignment configured on RomacDAG3.
Figure 21-4 IP addresses assigned to RomacDAG4 and dynamic assignment to
RomacDAG3, as seen from EMS
Adding or Removing a DAG Member
In Figure 21-3 , no DAG members are in the highlighted DAG (or any other DAG) at the
moment. Servers in the DAG are called “members,” and after the DAG has been created,
the members need to be added to the DAG with the Add-DatabaseAvailabilityGroupServer cmdlet. This is not an automated process because Exchange cannot know which
mailbox servers you want to join each individual DAG. When a server is added as a
DAG member, it joins the other servers already in the DAG, and they function together
to ensure high availability of one or more databases. The Primary Active Managers
(PAMs) and Secondary Active Managers (SAMs) on DAG members provide automatic,
database-level failovers and switchovers whenever a database, server, or even a network
failure is detected.
Here are the requirements for a server to become a DAG member:
■ The potential DAG member must be a mailbox server running a 64-bit operating
system version of Windows Server 2008 Enterprise Edition or Windows Server
2008 R2 Enterprise Edition because failover clustering is required for Database
Availability Groups.
■ The potential DAG member may not be a member of any other DAG.
■ The potential DAG member must not be a domain controller.
■ The potential DAG member must be in the same Active Directory domain as all
of the other DAG members.
NOTE Do not install the Failover Clustering feature in advance.
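
The requirements above can be checked before running Add-DatabaseAvailabilityGroupServer. The following is an added example, not from the book: a hypothetical helper function, Test-DagCandidate, that reports which of the listed requirements a server fails. It assumes it is run in Exchange Management Shell by an account that can query WMI on the candidate server.

```powershell
# Added example, not from the book. Test-DagCandidate is a hypothetical helper name.
# Run in Exchange Management Shell; WMI access to the candidate server is assumed.
function Test-DagCandidate {
    param(
        [string]$Server,   # candidate server, for example Romac-EX2
        [string]$DagName   # DAG it is meant to join, for example RomacDAG4
    )
    $problems = @()

    # Requirement: a Mailbox server that is not a member of any other DAG.
    $exch = Get-ExchangeServer -Identity $Server -ErrorAction SilentlyContinue
    if ((-not $exch) -or (-not $exch.IsMailboxServer)) {
        $problems += "not a Mailbox server"
    } else {
        $currentDag = "$((Get-MailboxServer -Identity $Server).DatabaseAvailabilityGroup)"
        if ($currentDag) { $problems += "already a member of DAG '$currentDag'" }
    }

    # Requirements: 64-bit Windows Server 2008 or 2008 R2 Enterprise Edition,
    # and not a domain controller (Win32_OperatingSystem ProductType 2).
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Server -ErrorAction SilentlyContinue
    if (-not $os) {
        $problems += "could not query WMI, operating system checks skipped"
    } else {
        if ($os.OSArchitecture -notlike "64*") { $problems += "operating system is not 64-bit" }
        if ($os.Caption -notmatch "Server.*2008.*Enterprise") {
            $problems += "not Windows Server 2008 or 2008 R2 Enterprise Edition ($($os.Caption))"
        }
        if ($os.ProductType -eq 2) { $problems += "is a domain controller" }
    }

    # Requirement: same Active Directory domain as all existing DAG members.
    if ($exch) {
        $members = @(Get-MailboxServer | Where-Object { "$($_.DatabaseAvailabilityGroup)" -eq $DagName })
        foreach ($m in $members) {
            $memberDomain = (Get-ExchangeServer -Identity $m.Name).Domain
            if ($memberDomain -ne $exch.Domain) {
                $problems += "domain '$($exch.Domain)' differs from member $($m.Name) in '$memberDomain'"
            }
        }
    }

    New-Object PSObject -Property @{
        Server   = $Server
        Dag      = $DagName
        Ready    = ($problems.Count -eq 0)
        Problems = ($problems -join "; ")
    }
}

# Check both servers that this chapter adds to RomacDAG4 before adding them.
"Romac-EX1", "Romac-EX2" |
    ForEach-Object { Test-DagCandidate -Server $_ -DagName "RomacDAG4" } |
    Format-List Server, Dag, Ready, Problems
```
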
The following table shows how to add a server to the DAG as a member.
PS C:\Users\Administrator> Add-DatabaseAvailabilityGroupServer -Identity RomacDAG4 -MailboxServer Romac-EX1
PS C:\Users\Administrator> Add-DatabaseAvailabilityGroupServer -Identity RomacDAG4 -MailboxServer Romac-EX2
Adds the specified mailbox servers as DAG members, as shown in Figure 21-5.
NOTE This task will take several minutes because the Windows Failover Clustering component must be added to each server before the server may become a member of the DAG.
Figure 21-5 RomacDAG4 with member servers Romac-EX1 and Romac-EX2 added
After the members have been added to the DAG, a computer object will appear in
Active Directory Users and Computers (ADUC), as shown for RomacDAG4 in Figure 21-6.
Notice that there are no similar objects for RomacDAG1, RomacDAG2, and
RomacDAG3 because you never added any members to those DAGs.
Figure 21-6 Viewing the DAG in Active Directory Users and Computers (ADUC)
The following table shows how to remove a server from the DAG, such as might be necessary
when a server must be added as a member of another DAG.
PS C:\Users\Administrator> Remove-DatabaseAvailabilityGroupServer -Identity RomacDAG4 -MailboxServer Romac-EX2 -Confirm:$false
Removes the specified DAG member from the DAG.
NOTE To remove a Mailbox server from a DAG, all replicated copies of databases must be removed first.
PS C:\Users\Administrator> Add-DatabaseAvailabilityGroupServer -Identity RomacDAG4 -MailboxServer Romac-EX2
Uses the Add-DatabaseAvailabilityGroupServer cmdlet to add the specified server back into the DAG.
The -ConfigurationOnly switch removes the DAG member server attribute from Active
Directory without actually removing the DAG member from the DAG, as shown in the
following table.
PS C:\Users\Administrator> Remove-DatabaseAvailabilityGroupServer -Identity RomacDAG4 -MailboxServer Romac-EX2 -ConfigurationOnly -Confirm:$false
Forcibly removes the specified DAG member from the DAG when the DAG member will be out of service for an extended period of time and you are unable to use the Remove-DatabaseAvailabilityGroupServer cmdlet normally. The -ConfigurationOnly option allows the remaining DAG members to establish a quorum without the missing member.
NOTE Be careful with this one. This should only be performed if the Mailbox server role is down or unavailable for an extended period of time because you will be unable to reestablish the failed server as a DAG member by using conventional means. If the server is up, you should remove it from the DAG properly.
NOTE If you performed the preceding example, you will need to do a little cleanup
before proceeding. You must recover the “failed” Romac-EX2 and add it back as a
member server in RomacDAG4 or use another mailbox server, as is done with
Romac-EX4 in the next two chapters.
Recovering a Failed DAG Member
The procedure to remove a failed DAG member is not complex, but does involve
several steps. Before you can recover the failed DAG member, you must identify any
replicated databases located on the member server. This can be done by using the Get-MailboxDatabase cmdlet. Once you have identified copies of any replicated databases
hosted locally, you must switch any mounted copies to another DAG member. This will
be discussed in Chapter 22 , “Mailbox Database Copies.” Any remaining copies must
be removed with the Remove-MailboxDatabaseCopy cmdlet. At that point, the server
may be removed from the DAG using the Remove-DatabaseAvailabilityGroupServer
cmdlet.
You could rebuild the server in a variety of ways, but one way that would be relatively
easy would be to use the Setup.com /m:RecoverServer option to perform an unattended
rebuild of the affected server on either new or existing hardware.
This procedure is outlined in the table that follows.
NOTE If you wish to perform this task, be advised that it will take an extensive amount
of time because Exchange will be reinstalled as part of the recovery operation.
PS C:\Users\Administrator> Get-MailboxDatabase AssemblyDB | fl
Retrieves information about a replicated database, including all of its replicated copies. When you observe a replicated database copy on a failed DAG member, you must first remove the copy before the server can be recovered.
PS C:\Users\Administrator> Remove-MailboxDatabaseCopy AssemblyDB\Romac-EX2
Removes the replicated database copy from the failed DAG member.
PS C:\Users\Administrator> Remove-DatabaseAvailabilityGroupServer -Identity RomacDAG4 -MailboxServer Romac-EX2
Removes a Mailbox server from a Database Availability Group (DAG).
NOTE To remove a Mailbox server from a DAG, the Mailbox server must not host any replicated mailbox databases.
Perform this step from cmd.exe, not from Exchange Management Shell:
D:\Setup.com /m:RecoverServer
Rebuilds the failed DAG member by running a special version of Setup.com specifically designed to rebuild a failed Exchange server using the information from Active Directory.
TIP Before reinstalling Exchange Server on the failed server, it is very important to use the Reset Account option in ADUC and not the Delete option before rebuilding your server, as shown in Figure 21-7. Deleting the computer account will cause this type of rebuild to no longer be an option.
NOTE After the installation completes, you would follow the steps in Chapter 22 to add and configure database copies to the repaired server.
Figure 21-7 Resetting the affected computer account in ADUC
Creating and Configuring a DAG Network
In preparation for the next two chapters, you will reset the environment to have only one
DAG configured. Remove all DAG members and remove all DAGs. Then, you may proceed
with the steps shown in the following table.
PS C:\Users\Administrator> New-DatabaseAvailabilityGroup -Name RomacDAG -DatabaseAvailabilityGroupIPAddresses 10.5.0.100 -WitnessServer Romac-DC1 -WitnessDirectory C:\FSW-RomacDAG
Creates a new DAG with the specified name.
PS C:\Users\Administrator> Add-DatabaseAvailabilityGroupServer -Identity RomacDAG -MailboxServer Romac-EX3HC
PS C:\Users\Administrator> Add-DatabaseAvailabilityGroupServer -Identity RomacDAG -MailboxServer Romac-EX4
These examples add the two specified servers as DAG members.
A DAG network is a collection of one or more subnets on your network that are utilized
for either RPC/MAPI connections or for replication traffic between DAG members.
Initially a DAG is automatically assigned one DAG network; it is utilized for both
RPC/MAPI connections as well as replication traffic, by default.
Often, it is desirable to separate the replication traffic from the clients accessing the
server. This would require a second DAG network and a second NIC in all DAG members.
It is also fully supported to have more than two DAG networks.
PS C:\Users\Administrator> New-DatabaseAvailabilityGroupNetwork -DatabaseAvailabilityGroup RomacDAG -Name RomacDAGNet01 -Description "Romac DAG Replication Network 01" -Subnets 10.5.0.0/24 -ReplicationEnabled:$true
PS C:\Users\Administrator> New-DatabaseAvailabilityGroupNetwork -DatabaseAvailabilityGroup RomacDAG -Name RomacDAGNet02 -Description "Romac DAG Replication Network 02" -Subnets 10.155.0.0/24 -ReplicationEnabled:$true
Creates two new DAG networks with the specified names.
PS C:\Users\Administrator> Get-DatabaseAvailabilityGroupNetwork -Identity RomacDAG
Lists the DAG networks and retrieves standard configuration information for all networks in the specified DAG, as shown in Figure 21-8.
NOTE The 10.155.0.0 subnet has an “Unknown” status because it does not actually exist on the network.
Figure 21-8 shows the newly created and configured DAG networks in EMC.
Figure 21-8 DAG networks as seen in EMS
The following table provides additional information about your DAG networks and how
to configure DAG network properties.
PS C:\Users\Administrator> Get-DatabaseAvailabilityGroupNetwork -Identity RomacDAG | fl
Retrieves all configuration information for all networks in the specified DAG.
PS C:\Users\Administrator> Get-DatabaseAvailabilityGroupNetwork -Identity RomacDAG\RomacDAGNet02 -Server Romac-EX4 | fl
Retrieves all configuration information for the specified DAG network in a DAG from the specified Mailbox server.
PS C:\Users\Administrator> Set-DatabaseAvailabilityGroupNetwork -Identity RomacDAG\RomacDAGNet02 -ReplicationEnabled:$false
Configures the existing DAG network to no longer be used for DAG replication traffic.
PS C:\Users\Administrator> Set-DatabaseAvailabilityGroupNetwork -Subnets 10.156.0.0/24 -Identity RomacDAG\RomacDAGNet02
Configures the existing DAG network to include the specified new IP subnet as part of the DAG network.
NOTE The 10.156.0.0 subnet has an “Unknown” status because it does not actually exist on the network.
Figure 21-9 shows the newly created and configured DAG networks in EMC.
Figure 21-9 DAG networks as seen in EMC
Removing a DAG
When a DAG is no longer required, you may remove it from service with the Remove-DatabaseAvailabilityGroup cmdlet, as shown in the following table.
PS C:\Users\Administrator> Remove-DatabaseAvailabilityGroupNetwork -Identity RomacDAG\RomacDAGNet02 -Confirm:$false
Before removing the DAG, this example removes the DAG network. This example removes the specified DAG network from a DAG.
PS C:\Users\Administrator> Remove-DatabaseAvailabilityGroup -Identity RomacDAG -Confirm:$false
Removes the DAG from service after all member servers have been removed from the DAG.
This chapter provides information and commands concerning the following topics:
■ Adding and configuring a mailbox database copy
■ Moving the active mailbox database copy to a new location
■ Suspending or resuming a mailbox database copy
■ Updating a mailbox database copy
■ Removing a copy of a mailbox database
In this chapter you investigate how easy it is to create a mailbox database copy within
the infrastructure of a Database Availability Group (DAG). You observe how to configure
the copies, as well as how to move a copy of a mailbox database to another server
using a DAG, while the database never goes offline.
You also investigate how to suspend, resume, and update a copy of a mailbox database
and, finally, you see how to remove a copy when it is no longer needed.
Adding and Configuring a Mailbox Database Copy
You can use the Add-MailboxDatabaseCopy cmdlet to create a copy of a mailbox database
on another server. This will only work with mailbox databases, not public folder
databases.
TIP Use public folder replication to create a copy of a public folder database as you
did in previous versions of Exchange Server.
For you to successfully create a copy of a mailbox database, the server that will host the
copy must be in the same Database Availability Group as the server hosting the original
copy. A server is not able to host two copies of the same database any longer, as was the
case with Local Continuous Replication (LCR) in Exchange Server 2007.
All copies of a single database must use the same path in the file system of the DAG
member servers. If a database exists in D:\Databases\AssemblyDB on one server, that
path must not currently be in use on the server that will receive the copy; otherwise, the
database copy operation will fail.
Creating a copy of a mailbox database as well as editing the attributes of a database are
shown in the following table.
CHAPTER 22
Mailbox Database Copies
PS C:\Users\Administrator> Add-MailboxDatabaseCopy -Identity OfficeDB -MailboxServer Romac-EX3HC -ActivationPreference 2
Adds a copy of the specified mailbox database to the Mailbox server named Romac-EX3HC.
Because they are not specified, the Replay lag time and Truncation lag time are set to their default value of 0.
The activation preference is set to a value of 2.
PS C:\Users\Administrator> Add-MailboxDatabaseCopy -Identity ResearchDB -MailboxServer Romac-EX3HC -ActivationPreference 2
Adds a copy of a different mailbox database to the Mailbox server named Romac-EX3HC.
PS C:\Users\Administrator> Add-MailboxDatabaseCopy -Identity ShippingDB -MailboxServer Romac-EX3HC -ReplayLagTime 7.00:00:00 -TruncationLagTime 00:30:00 -ActivationPreference 2
Adds a copy of the specified mailbox database to the Mailbox server named Romac-EX3HC.
The Replay lag time is set to 7 days and the Truncation lag time is set to 30 minutes.
The activation preference is set to a value of 2.
PS C:\Users\Administrator> Set-MailboxDatabaseCopy -Identity ResearchDB\Romac-EX3HC -ReplayLagTime 5.0:0:0
PS C:\Users\Administrator> Set-MailboxDatabaseCopy -Identity ResearchDB\Romac-EX3HC -ReplayLagTime 0.0:0:0
The first example configures the Replay lag time to 5 days for the specified copy of a mailbox database hosted on Romac-EX3HC.
The second example configures the Replay lag time back to 0 for the specified copy of a mailbox database hosted on Romac-EX3HC.
PS C:\Users\Administrator> Set-MailboxDatabaseCopy -Identity ResearchDB\Romac-EX3HC -ActivationPreference 6
Configures the Activation preference for the specified copy of a mailbox database hosted on Romac-EX3HC.
NOTE Because the Activation Preference number is set at 6, this cmdlet will only work if you have six or more copies of the database.
The copies of the ResearchDB, as they appear in EMC, can be seen in Figure 22-1. Note
that the original copy, which appears as “Mounted,” is on Romac-EX4, and the replicated
copy appears as “Healthy” on Romac-EX3HC.
Figure 22-1 Mailbox database copies as seen from EMC
You can check the status of your database and all its copies as well as remove an individual
copy using the cmdlet shown in the following table.
PS C:\Users\Administrator> Test-ReplicationHealth -Identity Romac-EX3HC
Allows you to check the replication and replay status of a database copy, as shown in Figure 22-2.
This cmdlet is designed for on-going monitoring of all copies of the specified database.
NOTE This cmdlet can be run locally or remotely against any Mailbox server in the DAG.
Figure 22-2 Romac-EX3HC passes all replication health tests
You can remove a database copy by using the cmdlet shown in the following table.
PS C:\Users\Administrator> Remove-MailboxDatabaseCopy -Identity ResearchDB\Romac-EX3HC -Confirm:$false
Removes the specified copy of the mailbox database that is hosted on Romac-EX3HC.
Moving the Active Mailbox Database Copy to a New Location
You can use the Move-ActiveMailboxDatabase cmdlet to implement a database-level
switchover, thus activating a database copy on another mailbox server. You can also
use the same cmdlet to implement a server-level switchover, thus activating all database
copies on another mailbox server. Switchovers are administrative events usually
implemented in order to perform maintenance on a database or server.
Prior to the moving of databases, Romac-EX4 has the active copy of both the OfficeDB
and the ShippingDB, as seen in Figure 22-3.
Figure 22-3 Romac-EX4 hosts both active database copies prior to the database switchovers
The following table shows how to move active databases to another server with multiple
database-level switchovers and no downtime.
PS C:\Users\Administrator> Move-ActiveMailboxDatabase -Identity OfficeDB -ActivateOnServer Romac-EX3HC -MountDialOverride:None
Performs a switchover of the specified database to the Mailbox server named Romac-EX3HC. When the command completes, Romac-EX3HC will host the active copy of the ResearchDB.
The -MountDialOverride parameter has the following five possible options:
None: The copy on the specified server mounts the database using its own defined database auto-mount dial settings.
Lossless: The copy on the specified server mounts the database when all log files from the original server have been copied and replayed on the new server. (This is the default value for this setting and allows for no data loss.)
Good Availability: The copy on the specified server mounts the database immediately after a failover if the copy queue length is less than or equal to six logs.
Best Availability: The copy on the specified server mounts the database immediately after a failover if the copy queue length is less than or equal to 12 logs.
Best Effort: The copy on the specified server mounts the database automatically, regardless of the size of the copy queue length. Because the database will mount with any amount of transaction log loss, using this option could potentially result in an excessive amount of data loss, but it is presented as an option for those cases where mounting the database is necessary at any cost.
PS C:\Users\Administrator> Move-ActiveMailboxDatabase -Identity ShippingDB -ActivateOnServer Romac-EX3HC
Performs a switchover of the specified database to the Mailbox server named Romac-EX3HC. When the command completes, Romac-EX3HC will host the active copy of the ShippingDB database.
Because the MountDialOverride parameter isn’t specified, the Lossless option (default) will be used.
Now, Romac-EX4 has the “healthy” copies of both the OfficeDB and the ShippingDB,
as seen in Figure 22-4. The mounted copies have been moved to Romac-EX3HC.
Figure 22-4 Romac-EX4 now hosts “healthy” database copies after the database-level
switchover and prior to the server-level switchover
The following table shows how to move active databases back to the original server with
a server-level switchover and no downtime.
PS C:\Users\Administrator> Move-ActiveMailboxDatabase -Server Romac-EX3HC
Performs a server switchover for the specified Mailbox server role, as shown in Figure 22-5.
Active mailbox database copies on the server will be automatically activated on other Mailbox server roles that host healthy copies of the active databases on the specified server.
Figure 22-5 Performing a server-level switchover using EMS
Suspending or Resuming a Mailbox Database Copy
You can use the Suspend-MailboxDatabaseCopy cmdlet to halt the replication of a
database and the replaying of transaction logs on the target database copy. You can use
the Resume-MailboxDatabaseCopy cmdlet to resume replication of a database copy
and the replaying of transaction logs for a mailbox database.
The cmdlets in the following table show how to suspend a database copy, which you
may want to do when you are performing maintenance on the server, and then resume
the copy after the maintenance has been performed.
PS C:\Users\Administrator> Suspend-MailboxDatabaseCopy -Identity ShippingDB\Romac-EX3HC -SuspendComment "Windows Service Pack applied to Romac-EX3HC"
Suspends the replication and transaction log replay for the specified database copy of a database on Romac-EX3HC, as shown in Figure 22-6.
NOTE An optional reason (-SuspendComment) is included in the cmdlet.
PS C:\Users\Administrator> Suspend-MailboxDatabaseCopy -Identity OfficeDB\Romac-EX3HC -ActivationOnly
Suspends activation for the specified copy of a database.
The -ActivationOnly parameter is included to suspend only the activation portion. Log shipping and replay will still occur.
PS C:\Users\Administrator> Resume-MailboxDatabaseCopy -Identity OfficeDB\Romac-EX3HC
Resumes both replication and transaction log copying and replaying for the specified copy hosted on Romac-EX3HC.
PS C:\Users\Administrator> Resume-MailboxDatabaseCopy -Identity OfficeDB\Romac-EX3HC -ReplicationOnly
Resumes both replication and transaction log copying and replaying for the specified copy hosted on Romac-EX3HC.
However, after the copy is resumed, activation of the copy is blocked because of the -ReplicationOnly parameter.
Figure 22-6 A suspended database copy as seen from EMC
Updating a Mailbox Database Copy
You can use the Update-MailboxDatabaseCopy cmdlet to seed or reseed a mailbox
database copy. The seeding operation copies a database from one DAG member to
another. Once the mailbox database copy is fully seeded, transaction log shipping and
replay can commence.
If logs are missing, resuming the database copy is not possible. The following table
shows how to force a reseeding of the database. In the second example, the database is
reseeded from a specific server (Romac-EX4).
PS C:\Users\Administrator> Update-MailboxDatabaseCopy -Identity ShippingDB\Romac-EX3HC
Shows how to seed the specified copy of a database on the server Romac-EX3HC.
PS C:\Users\Administrator> Update-MailboxDatabaseCopy -Identity ShippingDB\Romac-EX3HC -SourceServer Romac-EX4
Shows how to seed the specified copy of a database on the server Romac-EX3HC using Romac-EX4 as the source server for the seeding operation.
NOTE To seed the database only and not the content index, you would use the
-DatabaseOnly switch. To seed the content index only and not the database, you
would use the -CatalogOnly switch.
Removing a Copy of a Mailbox Database
You can use the Remove-MailboxDatabaseCopy cmdlet to remove a mailbox database
copy from a server. This will function on all copies except for the active/mounted copy.
To remove the active copy, dismount the database using the Remove-MailboxDatabase
cmdlet (as shown in the following table).
PS C:\Users\Administrator> Remove-MailboxDatabaseCopy -Identity ShippingDB\Romac-EX3HC -Confirm:$false
Removes the specified copy of mailbox database from the Mailbox server role named Romac-EX3HC.
This chapter provides information and commands concerning the following topics:
■ Activating a mailbox database copy on another DAG member
■ Activating a lagged mailbox database copy on another DAG member
■ Switching over to another DAG member
■ Switching over to another datacenter
■ Enabling Datacenter Activation Coordination (DAC) mode
In the previous chapter, you saw how easy it was to activate a mailbox database copy on
another server. In this chapter, you take a more in-depth look at the process before
investigating lagged database copies. Lagged database copies were mentioned previously, but
not examined to any great detail. This chapter looks at the procedure for activating a
lagged mailbox database copy on another DAG member, with the intent of performing a
point-in-time recovery of a database that has been found to have corrupt or missing data.
After looking at database-level failovers and switchovers, you will move to server-level
failovers and switchovers. Finally, you will look at configuring datacenter switchovers
when a disaster strikes your datacenter.
Activating a Mailbox Database Copy on Another DAG Member
As you saw in the previous chapter, activation is the process of changing a mailbox database
copy from a passive copy to an active copy. This operation can be an administrative
event, such as you saw in Chapter 22, “Mailbox Database Copies,” when you used the
Move-ActiveMailboxDatabase cmdlet to perform a switchover. Other times, this operation
can be a system-related event, such as when a corrupt database is found by Active
Manager. This system-related event is called a “failover” and occurs automatically in
many circumstances. Sometimes, you may want to prevent a database copy from activating
automatically. Executing the cmdlet prevents a database copy from becoming the
active copy during a database or server failover. With lagged database copies, you will
want to prevent a copy from becoming active too soon. Suspending and resuming such
database copies manually is shown in the following table.
NOTE You must use EMS as part of the activation process. You cannot use EMC to
suspend or resume a database in preparation for activation.
CHAPTER 23
Using DAG to Mitigate Failures
PS C:\Users\Administrator> Suspend-MailboxDatabaseCopy -Identity OfficeDB\Romac-EX3HC -ActivationOnly
Prevents the specific database copy from becoming the active (mounted) copy.
PS C:\Users\Administrator> Resume-MailboxDatabaseCopy -Identity OfficeDB\Romac-EX3HC
Resumes the copy of the specified database, so that it may become the active (mounted) copy as part of the normal automatic activation process.
All automatic failovers and manual switchovers are controlled by a new component
in Exchange 2010 called the Active Manager. It is important to understand that this is
the component that provides the capability formerly provided by integration with the
Windows Cluster service in previous versions of Exchange. Exchange Server 2010 no
longer uses the traditional cluster resource model for high availability, as was the case
with Exchange Server 2007.
The Windows Failover Cluster model is still used by Exchange, but there are no cluster
groups or storage resources for Exchange. All of the clustering capabilities are completely
managed by Exchange and not by any Windows cluster utilities.
Active Manager runs as a role on all Mailbox servers. On Mailbox servers that are
not configured for high availability, there is a single Active Manager role called the
Standalone Active Manager. However, on servers that are members of a Database
Availability Group (DAG), there are two possible Active Manager roles. These roles are
the Primary Active Manager (PAM) and the Standby Active Manager (SAM).
PAM is the Active Manager in a DAG that decides which copies will be active and
which will remain passive in failover and switchover scenarios. PAM is also responsible
for receiving and updating topology change notifications and responding to server failures.
The DAG member that holds the PAM role is always the member that currently
owns the cluster quorum resource. If the server that owns the cluster quorum resource
fails, the PAM role automatically moves to another server. If the PAM role moves, it
will move to the server that takes ownership of the cluster quorum resource.
If you need to take the server that hosts the cluster quorum resource offline for maintenance
purposes, you should move the PAM role to another server in the DAG.
Activating a Lagged Mailbox Database Copy on Another DAG Member
A lagged mailbox database copy is a mailbox database copy configured with a replay lag
time value greater than 0. Activating a lagged mailbox database copy is not difficult if
you intend to replay all of the outstanding log files to make the database copy identical
to the other copies of the database. However, the benefit of employing a lagged database
copy is the ability to perform a point-in-time recovery for that database.
For example, suppose someone deletes several hundred mailboxes accidentally or on
purpose. Without a lagged copy, those deletions are transactions that will replicate to
all nonlagged copies and be replayed immediately. With a lagged copy of the database,
you can replay the log files right up to a specific point in time (in this case, the deletion),
which can be a huge benefit to you because it may reduce or eliminate the need for a
database restore if you know when the data became corrupted or was lost.
However, it is a much more complex environment when you use lagged database copies.
You must work with log files manually and you must employ certain options built in
to the utility eseutil, which you might not be familiar with using. Also, you must know
the timeframe in which corruption or loss occurred. Add to this the fact that there are no
built-in utilities to tell you which log file contains each transaction. Therefore, you have
to use your best judgment to anticipate which log files should be replayed in order to get
the database to the exact point in time you require.
Point-in-time recoveries must be performed using EMS; this option is not available in
EMC. The mailbox database copy that you wish to use in your point-in-time recovery
must be activated and also must be configured with a replay lag time greater than 0. It
must also have all of its log files available right up to the point in time to which you
want to recover the database. You can use EMS to activate a lagged mailbox database
copy to a specific point in time. The following table shows how to do this.
PS C:\Users\Administrator> Suspend-MailboxDatabaseCopy -Identity OfficeDB\Romac-EX3HC -SuspendComment "Activation of the lagged copy of the OfficeDB on Romac-EX3HC" -Confirm:$false
Suspends replication on the lagged copy that will be activated, as shown in Figure 23-1.
NOTE You should carefully consider whether you want to back up the database and transaction log files or copy them to another location. This is important in case you don’t restore the logs to the correct point in time the first time.
Figure 23-1 Suspending replication of the lagged copy on Romac-EX3HC
PS C:\Users\Administrator> Get-MailboxDatabase -Identity OfficeDB | fl Name, LogFilePrefix
Before performing this step, identify which log files are required to be replayed into the database to meet your point-in-time recovery. Move the log files created later to a different directory. If all goes well, you won’t need them again.
This example determines the log file prefix number for the database, as shown in Figure 23-2.
Figure 23-2 Determining the log file prefix for a database
PS C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\OfficeDB> Del E01.chk
Deletes the checkpoint file for the database.
NOTE If the log file prefix number is E01, this file would be called E01.chk.
PS C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\OfficeDB> Eseutil.exe /r E01 /a
Performs a soft recovery of the database, as shown in Figure 23-3.
NOTE The “/r” instructs eseutil to perform the soft recovery, and the “/a” instructs eseutil to run in log recovery mode.
TIP This step may take a really long time depending on the database size, replay lag time, the number of log files, and the speed of your hardware. You can use the 2010 version of JetStress (64-bit), which includes a Recovery Performance option for calculating the approximate time that the soft recovery will take.
Figure 23-3 Soft recovery of the database using Eseutil /r
This step will vary depending on your recovery needs for the database copy. Your options are displayed.
When eseutil has completed, the database is in a clean shutdown state. You can do one of three things at this point:
■ You can copy it to a server and attempt to mount it.
■ You can create a recovery database using this database, attempt to mount it, and recover the data.
■ You can replace the corrupt database files with the lagged database files and then attempt to mount the database.
PS C:\Users\Administrator> Resume-MailboxDatabaseCopy -Identity OfficeDB\Romac-EX3HC
This example may be performed after the recovery process has completed. You may want to resume replication for the database that was used as part of the recovery process.
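The step "move the log files created later to a different directory" can be previewed before anything is touched. The following is an added example, not code from the book: Get-LagLogPlan and Move-LaterLog are hypothetical helper names, the demo folder and log files are constructed placeholders, and the selection assumes that each file's LastWriteTime reflects when that log was closed.

```powershell
# Added example, not from the book. Get-LagLogPlan and Move-LaterLog are
# hypothetical helper names; the demo log files are constructed placeholders.

function Get-LagLogPlan {
    param(
        [string]$LogFolder,        # folder holding the lagged copy's logs
        [string]$LogPrefix,        # LogFilePrefix of the database, e.g. E01
        [datetime]$RecoveryPoint   # last moment the data is known to be good
    )
    # Assumption: LastWriteTime reflects when each log was closed, so a log
    # written at or before the recovery point holds only earlier transactions.
    Get-ChildItem -Path $LogFolder -Filter "$LogPrefix*.log" |
        Sort-Object LastWriteTime |
        ForEach-Object {
            $action = if ($_.LastWriteTime -le $RecoveryPoint) { 'Replay' } else { 'SetAside' }
            New-Object PSObject -Property @{
                Name          = $_.Name
                LastWriteTime = $_.LastWriteTime
                Action        = $action
            }
        }
}

function Move-LaterLog {
    param(
        [string]$LogFolder,
        [string]$LogPrefix,
        [datetime]$RecoveryPoint,
        [string]$HoldFolder,       # later logs are parked here, never deleted
        [switch]$WhatIf            # preview the moves without performing them
    )
    if (-not $WhatIf -and -not (Test-Path $HoldFolder)) {
        New-Item -ItemType Directory -Path $HoldFolder | Out-Null
    }
    Get-LagLogPlan -LogFolder $LogFolder -LogPrefix $LogPrefix -RecoveryPoint $RecoveryPoint |
        Where-Object { $_.Action -eq 'SetAside' } |
        ForEach-Object {
            Move-Item -Path (Join-Path $LogFolder $_.Name) -Destination $HoldFolder -WhatIf:$WhatIf
        }
}

# --- Constructed demo: six placeholder logs, one per hour starting at 08:00 ---
$demo = Join-Path ([IO.Path]::GetTempPath()) 'LagLogDemo'
$hold = Join-Path $demo 'SetAside'
if (Test-Path $demo) { Remove-Item $demo -Recurse -Force }
New-Item -ItemType Directory -Path $demo | Out-Null

$first = Get-Date -Year 2011 -Month 3 -Day 1 -Hour 8 -Minute 0 -Second 0
1..6 | ForEach-Object {
    $file = Join-Path $demo ('E01{0:X8}.log' -f $_)
    Set-Content -Path $file -Value 'constructed placeholder, not a real log'
    (Get-Item $file).LastWriteTime = $first.AddHours($_ - 1)
}

# Recover to 10:30: show the plan, then preview which files would be moved.
$point = $first.AddHours(2).AddMinutes(30)
Get-LagLogPlan -LogFolder $demo -LogPrefix E01 -RecoveryPoint $point |
    Select-Object Name, LastWriteTime, Action | Format-Table -AutoSize
Move-LaterLog -LogFolder $demo -LogPrefix E01 -RecoveryPoint $point -HoldFolder $hold -WhatIf
```

Run without -WhatIf, Move-LaterLog parks the later logs in the hold folder, so they can be returned if the first recovery point turns out to be wrong.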
This can become a long and tedious process and is not a procedure you will want to do
very often. Fortunately, not too many situations require it. Lagged copies were never
designed for the recovery of deleted items, although in a disaster you may need to use
a lagged copy for just that type of recovery operation. However, you have previously
seen other ways to recover deleted items before you will need to resort to performing
this type of restore. Lagged copies are a protection against data corruption and, when
combined with DAGs, can begin the process of moving toward a backup-less Exchange
organization.
NOTE Just because you can do a point-in-time recovery of a database with a lagged
database copy does not always mean that you will want to immediately move to a
backup-less Exchange organization. You will need to consider many factors before
using high-availability DAGs in place of traditional disaster recovery strategies. What
it can mean, however, is that you might be able to reduce your reliance on traditional
backup and restore operations as you shift your resources toward high availability.
Switching Over to Another DAG Member
A server-level switchover is initiated when you want all active databases on a DAG
member to be activated on one or more other DAG members. This can be for many reasons.
You may want to take a server out of service permanently, you may want to patch
a server, or you may even be experiencing intermittent problems on a server and want
to get it out of the production environment until you figure out what the problem is with
the server. A server-level switchover can occur within the datacenter, but it could also
occur between datacenters. Just like a database-level switchover, the server-level switchover
can be started from either EMC or EMS. Several PowerShell cmdlets in EMS
are shown in the following table.
PS C:\Users\Administrator> Move-ActiveMailboxDatabase -Server Romac-EX3HC
Performs a server switchover for the specified server.
NOTE Because no target server was specified, the Active Manager automatically selects the best server for each active database.
PS C:\Users\Administrator> Move-ActiveMailboxDatabase -Server Romac-EX3HC -ActivateOnServer Romac-EX4
Performs a server switchover for the specified server.
If the cmdlet completes successfully, the target server will host the active copy of all databases that were previously active on the original server.
Switching Over to Another Datacenter
Significant differences exist between database or server failures and failures of the datacenter,
so you will need to manage the datacenter switchover differently. With other
types of failures, you require some form of automatic recovery that requires no administrative
intervention. Recovering from these events will normally complete with the component
(database or server) in a fully functional state.
Compare that to the datacenter failure, which is a much rarer event and often will require
administrative intervention to bring the alternate datacenter online for clients. In order to
understand this process, you must know which scenario you are faced with as part of the
DR strategy. One possible scenario is that both sites survive the failure but have no connectivity
to each other. Another scenario is that the primary site has experienced a partial
failure, but some roles still exist. A third possible scenario is that the primary datacenter
has been completely lost. There may be no way for Exchange to distinguish between
these scenarios from the DR site. In order to recover, you must first know if Datacenter
Activation Coordination (DAC) mode has been enabled for the DAG.
DAC mode is designed to prevent split brain syndrome from occurring, where both sites
believe that they are the surviving site and that the other site is gone. With DAC mode
enabled, after a site or communication failure, when the DAG recovers, it blocks the
automatic remounting of databases in the primary site even though the DAG has a quorum
in that site. DAC mode is disabled by default, but should be enabled for all DAGs
that use continuous replication in multiple sites where three or more database copies
exist.
When DAC mode is not enabled, and a failure occurs impacting one or more servers in
the DAG, the DAG will restart and attempt to mount all of its databases when a majority
of the DAG members return to service. In the case of a partial datacenter failure, you
want to terminate any remaining DAG members in the primary datacenter and fail over
to the alternate site. The following table shows how to do this.
PS C:\Users\Administrator> net stop clussvc
PS C:\Users\Administrator> cluster RomacDAG node Romac-EX3HC /forcecleanup
Evicts the remaining servers in the partially failed site from the DAG.
PS C:\Users\Administrator> net stop clussvc
Restarts the DAG members in the alternate datacenter, which is required to complete the eviction process.
PS C:\Users\Administrator> net start clussvc /forcequorum
Forces a quorum start of the Cluster service on a DAG member in the alternate datacenter.
No tasks need to be performed from Exchange Management Shell (EMS) in this step.
You would then open the Failover Cluster Management tool in Windows Server 2008, connect to the DAG’s underlying cluster, expand the cluster, and then expand Nodes.
Next, right-click each node in the primary datacenter, select More Actions, and then select Evict. This evicts the remaining DAG members in the primary datacenter.
You would then activate the servers in the alternate datacenter. (Again, these steps
assume that DAC mode is not enabled.) The following table shows how this is done.
PS C:\Users\Administrator> cluster RomacDAG /quorum /nodemajority
If there are an odd number of DAG members in the alternate datacenter, this example changes the DAG quorum model from a Node and File Share Majority to a Node Majority quorum. Proceed to the step that starts the Cluster service.
PS C:\Users\Administrator> Set-DatabaseAvailabilityGroup RomacDAG -WitnessServer Romac-DC1
If there is an even number of DAG members in the alternate datacenter, this example reconfigures the witness server and directory. Proceed to the step that starts the Cluster service.
PS C:\Users\Administrator> net start clussvc
Starts the Cluster service on any remaining DAG members in the alternate datacenter.
PS C:\Users\Administrator> Move-ActiveMailboxDatabase -Server Romac-EX4 -ActivateOnServer Romac-EX3HC
Performs one or more server switchovers to activate the appropriate mailbox database servers in the alternate datacenter node of the DAG.
PS C:\Users\Administrator> Get-MailboxDatabase Romac-EX3HC | Mount-Database
Mounts the mailbox databases on each DAG member in the alternate datacenter.
Enabling Datacenter Activation Coordination (DAC) Mode
As discussed previously, DAC mode is designed to prevent split brain syndrome. This is
done by using the Datacenter Activation Coordination Protocol (DACP). DACP is used
to determine the current state of the DAG and whether Active Manager should attempt
to mount the databases. Return to two of the possible scenarios discussed previously to
understand why DAC mode exists. The datacenter could actually be lost or the network
connection between the two sites could be down. The DAG members in the alternate
datacenter have no way of determining which scenario has taken place. Therefore, automatic
activation of the alternate datacenter is not desired until an administrator figures
out what is happening in the primary site.
If the decision is made to activate the alternate site’s servers, a new problem arises.
What will happen if the primary site is returned to an active status? It is very possible
that the primary servers will come online before network connectivity between the two
sites has been reestablished. Without DAC mode, there would be two active sites, each
unable to talk to the other.
Add to this the fact that the primary site contains the majority of the DAG quorum voters,
which is why it was active to begin with. Even without network connectivity to the
alternate site, servers in the primary site would come online and begin activating their
copies of their databases, as they would do with a database or server failover
scenario. This is a problem because the alternate site has been manually activated by an
administrator and is functioning for clients.
DACP was created to prevent this very scenario. Active Manager stores a bit in memory—either
a 0 or a 1. This bit allows or blocks a DAG member from mounting its copy
of the database. When a DAG is running in DAC mode, which would be appropriate
for any multisite DAG with three or more members, each time Active Manager starts
on a server, the bit is automatically set to a 0, which indicates to the server that it is not
allowed to mount its databases. Because the DAG is in DAC mode, the server attempts
to communicate with all other members of the DAG. If it can connect to a server whose
bit is set to a 1, this server can also set its bit to a 1. Databases can now be activated on
the server. If the server cannot connect to any other DAG members or can only connect
to other servers whose bit is set to a 0, then this server’s bit must remain a 0 and databases
may not be activated on this server.
In this scenario, all servers in the primary datacenter will have their bits set to 0 when
they come back online and will have no way to change the bit to a 1 until network
connectivity is reestablished to the alternate datacenter. At that point, the members realize
that there are active servers online in the alternate site. It is a simple but important
configuration to enable DAC mode, and this can only be performed using EMS, as shown in
the following table. Other very important cmdlets shown in the following table include
those allowing you to stop and start the DAG, as well as cmdlets for restoring the DAG
to a member in an alternate datacenter after a failure.
PS C:\Users\Administrator> Set-DatabaseAvailabilityGroup -Identity RomacDAG1 -DatacenterActivationMode DagOnly
Enables DAC mode on the specified DAG.
PS C:\Users\Administrator> Stop-DatabaseAvailabilityGroup -Identity RomacDAG -MailboxServer Romac-EX3HC
Uses the Stop-DatabaseAvailabilityGroup cmdlet to stop a member of a DAG or to stop an
entire Active Directory site.
NOTE This cmdlet is used during a datacenter switchover and marks the members of the DAG
in a failed datacenter as stopped.
This cmdlet can be run against a DAG only when the DAG is configured with a
-DatacenterActivationMode value of DagOnly, as performed in the previous example.
PS C:\Users\Administrator> Stop-DatabaseAvailabilityGroup -Identity RomacDAG -ActiveDirectorySite Philadelphia
Uses the Stop-DatabaseAvailabilityGroup cmdlet to stop an entire Active Directory site.
PS C:\Users\Administrator> Stop-DatabaseAvailabilityGroup -Identity RomacDAG -MailboxServer Romac-EX3HC -ConfigurationOnly
Stops the specified Mailbox server, which is currently offline, in the specified DAG.
PS C:\Users\Administrator> Restore-DatabaseAvailabilityGroup -Identity RomacDAG -ActiveDirectorySite Dallas
Uses the Restore-DatabaseAvailabilityGroup cmdlet to activate DAG member servers in the
alternate datacenter.
NOTE This cmdlet is used following a failure or deactivation of the active DAG members
in a primary datacenter.
This cmdlet can be run against a DAG only when the DAG is configured with a
-DatacenterActivationMode value of DagOnly.
PS C:\Users\Administrator> Restore-DatabaseAvailabilityGroup -Identity RomacDAG -ActiveDirectorySite Philadelphia -AlternateWitnessServer Romac-EX1 -AlternateWitnessDirectory D:\FSWRomacDAG1
Activates member servers in the specified DAG and configures an alternate witness server
and alternate witness directory on the specified server in the specified location.
PS C:\Users\Administrator> Start-DatabaseAvailabilityGroup -Identity RomacDAG -MailboxServer Romac-EX3HC
Uses the Start-DatabaseAvailabilityGroup cmdlet to start a member of a DAG.
NOTE This cmdlet is used to activate member Mailbox servers in a recovered datacenter
after a datacenter switchover. The server is added to the DAG and joined to the DAG’s
cluster.
This cmdlet can also be used to reactivate servers from a previously failed datacenter that
has been restored to service. In that scenario, after this cmdlet is run, you would then run
the Move-ActiveMailboxDatabase cmdlet to activate databases in the primary datacenter.
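The DACP bit behaviour described in this section, modeled as a small simulation. This is an added example, not code from the book or from Exchange: the function names, the member names, and the single WAN-up/WAN-down switch are assumptions, and only the rule stated above is modeled (the bit starts at 0 and moves to 1 after the member reaches another member whose bit is 1).

```powershell
# Constructed model of the DACP bit. Member names and sites are made up.

function New-DagMember {
    param([string]$Name, [string]$Site)
    New-Object PSObject -Property @{ Name = $Name; Site = $Site; Online = $false; DacpBit = 0 }
}

function Start-ActiveManager {
    # Active Manager starting on a member always resets the bit to 0.
    param($Member)
    $Member.Online  = $true
    $Member.DacpBit = 0
}

function Enable-ManualActivation {
    # Assumption: stands in for the administrator activating the alternate
    # datacenter (the Restore-DatabaseAvailabilityGroup step in the table).
    param($Member)
    $Member.Online  = $true
    $Member.DacpBit = 1
}

function Update-DacpBit {
    # A member at 0 moves to 1 only if it can reach an online member that is
    # already at 1. Members of one site always reach each other; members of
    # different sites reach each other only while $WanUp is true.
    param([object[]]$Members, [bool]$WanUp)
    do {
        $changed = $false
        foreach ($m in @($Members | Where-Object { $_.Online -and $_.DacpBit -eq 0 })) {
            $peerAtOne = @($Members | Where-Object {
                $_.Online -and $_.DacpBit -eq 1 -and $_.Name -ne $m.Name -and
                ($WanUp -or $_.Site -eq $m.Site)
            })
            if ($peerAtOne.Count -gt 0) {
                $m.DacpBit = 1
                $changed   = $true
            }
        }
    } while ($changed)
}

function Get-AllowedToMount {
    # Names of the members whose bit currently lifts the mount block.
    param([object[]]$Members)
    ($Members | Where-Object { $_.Online -and $_.DacpBit -eq 1 } |
        ForEach-Object { $_.Name }) -join ', '
}

function Invoke-DacScenario {
    # Primary site holds the majority of voters (3 of 5), as in the text.
    $dag = @(
        (New-DagMember 'PRI-1' 'Primary'),
        (New-DagMember 'PRI-2' 'Primary'),
        (New-DagMember 'PRI-3' 'Primary'),
        (New-DagMember 'ALT-1' 'Alternate'),
        (New-DagMember 'ALT-2' 'Alternate')
    )
    $primary   = @($dag | Where-Object { $_.Site -eq 'Primary' })
    $alternate = @($dag | Where-Object { $_.Site -eq 'Alternate' })

    # Stage 1: primary datacenter is lost; the administrator activates the alternate site.
    $alternate | ForEach-Object { Enable-ManualActivation $_ }
    New-Object PSObject -Property @{
        Stage = '1: alternate site activated'; AllowedToMount = (Get-AllowedToMount $dag)
    }

    # Stage 2: primary servers come back online before the WAN link does.
    $primary | ForEach-Object { Start-ActiveManager $_ }
    Update-DacpBit -Members $dag -WanUp $false
    New-Object PSObject -Property @{
        Stage = '2: primary online, WAN down'; AllowedToMount = (Get-AllowedToMount $dag)
    }

    # Stage 3: connectivity between the sites is reestablished.
    Update-DacpBit -Members $dag -WanUp $true
    New-Object PSObject -Property @{
        Stage = '3: WAN restored'; AllowedToMount = (Get-AllowedToMount $dag)
    }
}

Invoke-DacScenario | Format-Table Stage, AllowedToMount -AutoSize
```

In stage 2 the primary members can reach only each other, and all of them are at 0, so none may mount even though they hold the majority of voters. That is the split brain case DAC mode exists to block.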
CHAPTER 24
Monitoring Highly Available Databases
This chapter provides information and commands concerning the following topics:
■ Monitoring using the Exchange Management Console
■ Monitoring using PowerShell cmdlets
■ Monitoring using Event Viewer
■ Monitoring using PowerShell scripts
In this chapter, you investigate the ways to monitor the health of your highly available
databases, servers, and DAGs. Some of these methods can be performed through either
EMC or Event Viewer, whereas others will go deeper and use either individual cmdlets
or multiple cmdlets batched together into one of two scripts.
Monitoring Using the Exchange Management Console
There are several ways to monitor DAG members and their databases. One very easy
way is to observe them from the viewpoint of the database in Exchange Management
Console (EMC), as shown in Figure 24-1. You can also observe them from the viewpoint
of the server in EMC, as shown in Figure 24-2.
Figure 24-1 DAG Mailbox Database Copy Status from the viewpoint of the database as
seen from EMC
Figure 24-2 DAG Mailbox Database Copy Status from the viewpoint of the server as
seen from EMC
Observing this information in a visual format makes it very easy to determine the basic
state of your DAG and its member servers.
Monitoring Using PowerShell Cmdlets
You can also use Exchange Management Shell (EMS) to view status information about
DAGs in your organization and their members. As you might expect, ensuring that
your DAG members are functioning correctly and that your database copies are healthy
is crucial for maintaining highly available mailbox servers. This involves monitoring
hardware, server operating systems, and Exchange Server. Windows Server 2008 and
Exchange Server 2010 include several utilities to ensure your highly available databases
and servers are functioning properly. Two main monitoring cmdlets are used for evaluating
the performance of your DAGs and their member servers.
The first is the Get-MailboxDatabaseCopyStatus cmdlet. This allows you to view status
information about mailbox database copies, including information about all copies
of a particular database as well as information about a specific copy of a database on a
specific server, as shown in the following table.
PS C:\Users\Administrator> Get-MailboxDatabaseCopyStatus -Identity ShippingDB | fl
Returns status information for all copies of the specified database.
PS C:\Users\Administrator> Get-MailboxDatabaseCopyStatus -Server Romac-EX3HC | fl
Returns the status for all database copies on the specified server.
PS C:\Users\Administrator> Get-MailboxDatabaseCopyStatus -Local | fl
Returns the status for all database copies on the local Mailbox server.
PS C:\Users\Administrator> Get-MailboxDatabaseCopyStatus -Identity ShippingDB\Romac-EX3HC -ConnectionStatus | fl
Returns status, log shipping, and seeding information for the specified database ShippingDB
on the specified Mailbox server.
The second is the Test-ReplicationHealth cmdlet, which allows you to view continuous
replication status information about various mailbox database copies. It is used to evaluate
all of the components involved in the replication and log replay process between
members of the DAG.
NOTE This cmdlet can be run locally on any Mailbox server in the DAG or remotely
against any Mailbox server in a DAG from a client that has Exchange Management
Shell installed on it.
PS C:\Users\Administrator> Test-ReplicationHealth -Identity Romac-EX3HC
Evaluates the health of replication for the specified Mailbox server.
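One way to turn Get-MailboxDatabaseCopyStatus output into a per-database redundancy check, as an added example that is not from the book or from Microsoft's scripts. The function name Get-DatabaseRedundancy, the queue thresholds, and the sample objects are assumptions; Name, Status, CopyQueueLength and ReplayQueueLength are properties the cmdlet's output carries.

```powershell
function Get-DatabaseRedundancy {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $CopyStatus,
        [int]$MaxCopyQueue   = 10,   # assumed threshold, in log files
        [int]$MaxReplayQueue = 50    # assumed threshold, in log files
    )
    begin   { $copies = @() }
    process { $copies += $CopyStatus }
    end {
        # Copy names have the form Database\Server, as in ShippingDB\Romac-EX3HC.
        foreach ($group in @($copies | Group-Object { ($_.Name -split '\\')[0] })) {
            $mountedOn = @()
            $usable    = 0
            $attention = @()
            foreach ($c in $group.Group) {
                $server = ($c.Name -split '\\')[1]
                $status = [string]$c.Status
                if ($status -eq 'Mounted') { $mountedOn += $server; continue }
                if ($status -ne 'Healthy') {
                    $attention += "$server is $status"
                }
                elseif ($c.CopyQueueLength -gt $MaxCopyQueue -or
                        $c.ReplayQueueLength -gt $MaxReplayQueue) {
                    $attention += "$server is behind (copy queue $($c.CopyQueueLength), " +
                                  "replay queue $($c.ReplayQueueLength))"
                }
                else { $usable++ }
            }
            if ($mountedOn.Count -eq 0) { $attention += 'no mounted copy' }
            New-Object PSObject -Property @{
                Database            = $group.Name
                MountedOn           = ($mountedOn -join ', ')
                UsablePassiveCopies = $usable
                # Redundant means one active copy plus at least one passive copy
                # that is healthy and within the queue thresholds.
                Redundant           = ($mountedOn.Count -eq 1 -and $usable -ge 1)
                Attention           = ($attention -join '; ')
            }
        }
    }
}

# Constructed sample input shaped like Get-MailboxDatabaseCopyStatus output.
function New-SampleCopy {
    param($Name, $Status, [int]$CopyQueue, [int]$ReplayQueue)
    New-Object PSObject -Property @{
        Name = $Name; Status = $Status
        CopyQueueLength = $CopyQueue; ReplayQueueLength = $ReplayQueue
    }
}
$sample = @(
    (New-SampleCopy 'ShippingDB\Romac-EX4'   'Mounted'            0   0),
    (New-SampleCopy 'ShippingDB\Romac-EX3HC' 'Healthy'            2   5),
    (New-SampleCopy 'OfficeDB\Romac-EX3HC'   'Mounted'            0   0),
    (New-SampleCopy 'OfficeDB\Romac-EX4'     'Healthy'            140 0),
    (New-SampleCopy 'ResearchDB\Romac-EX4'   'Mounted'            0   0),
    (New-SampleCopy 'ResearchDB\Romac-EX3HC' 'FailedAndSuspended' 0   0)
)

$sample | Get-DatabaseRedundancy |
    Format-Table Database, MountedOn, UsablePassiveCopies, Redundant, Attention -AutoSize

# Against a live DAG, from EMS:
#   Get-MailboxDatabaseCopyStatus -Identity ShippingDB | Get-DatabaseRedundancy
```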
Monitoring Using Event Viewer
A new feature in Windows Server 2008 allows you to customize logs in Event Viewer.
In addition to the standard logs, such as the System Log, the Security Log, and the
Application Log, Server 2008 allows for these custom logs. There are new Windows
logs, but the category of logs you will want to take advantage of are the Applications
and Services Logs. These logs collect data from an application (or service component).
In Windows Server documentation, you may see this termed “crimson channel logging.”
To set up the logging of Exchange-related events as part of crimson channel logging,
you can view or configure the Applications and Services Logs entry as shown in the
following table.
NOTE These steps are performed in Event Viewer and do not require any PowerShell
cmdlets.
Open Event Viewer, expand Applications and Services Logs, expand Microsoft, expand
Exchange, and select either HighAvailability or MailboxDatabaseFailureItems, depending
on the category of event you want to monitor, as shown in Figure 24-3.
NOTE The HighAvailability crimson channel will contain events related to startup and
shutdown of the Microsoft Exchange Replication service, which will include Active
Manager–related events for the DAG.
The MailboxDatabaseFailureItems crimson channel will contain events related to
replicated mailbox database failures.
Figure 24-3 Monitoring a DAG using Event Viewer
Figure 24-4 shows a High Availability error that occurred on Romac-EX4.
Figure 24-4 DAG Member Server High Availability error as seen from Event Viewer
Monitoring Using PowerShell Scripts
Finally, two scripts are provided by Microsoft as a part of Exchange Server 2010 to
read a DAG member’s event logs and collect and review data about the health of the
DAGs in your organization. The first script is called CollectOverMetrics.ps1 and, as
is the case with both scripts, can be found in the Scripts folder in the file system of an
Exchange server under the path where Exchange was installed.
The CollectOverMetrics.ps1 script reads the DAG member’s event logs and collects
some or all of the following information:
■ Identity of the database
■ Start time for the operation
■ Completion time for the operation
■ Mounted copy of database at start of operation
■ Mounted copy of database at completion of operation
■ Purpose of the operation
■ Completion status of the operation
■ Error messages if the operation failed
This script writes information to a .csv file, with each operation written as a row in the
file. An individual .csv file is created for each DAG. You can customize the script to
collect only the data that you require, such as information regarding a specific database
and all of its copies. The following table shows some examples of ways to customize
this script.
PS C:\Program Files\Microsoft\Exchange Server\V14\Scripts\> .\CollectOverMetrics.ps1 -DatabaseAvailabilityGroup RomacDAG -Database:"*DB" -GenerateHTMLReport -ShowHTMLReport
Uses a wildcard to collect metrics for all databases that match *DB (which would include
OfficeDB, ShippingDB, ResearchDB, and the like) in the specified DAG.
After the metrics are collected, an HTML report will be generated and displayed, as
shown in Figure 24-5.
Figure 24-5 Resulting HTML report from the running of the CollectOverMetrics.ps1 script
Other uses for the CollectOverMetrics.ps1 script are shown in the following table.
PS C:\Program Files\Microsoft\Exchange Server\V14\Scripts\> .\CollectOverMetrics.ps1 -SummariseCsvFiles (dir *.csv) -Database OfficeDB,ShippingDB
Illustrates one way that you could specify a list of databases and have the report
summarize only the selected databases.
PS C:\Program Files\Microsoft\Exchange Server\V14\Scripts\> .\CollectOverMetrics.ps1 -SummariseCsvFiles (dir *.csv) -ReportFilter { $_.DatabaseName -notlike "Office*" }
Filters the report in a different way, filtering out the OfficeDB and any other database
name that starts with Office.
NOTE The -SummariseCsvFiles option specifies a list of .csv files to generate a summary
report.
The other script is called CollectReplicationMetrics.ps1 , and it collects data from one
or more Mailbox servers. Data that can be collected using this script includes the name
of the DAG from which you want to collect metrics, the list of databases the report will
include (wildcard characters are supported), an email alias to which the report should be
sent, the folder used to store the results of this script, the amount of time the collection
process should run, and the frequency at which the data is collected.
This script writes each server’s data to a .csv file and can summarize the information
about one or more servers in a report. You can specify an individual server, or you can
specify the entire DAG.
Behind the scenes, the script starts PowerShell jobs to collect relevant data from each
server, as shown in the following table.
PS C:\Program Files\Microsoft\Exchange Server\V14\Scripts\> .\CollectReplicationMetrics.ps1 -DagName RomacDAG -Duration "02:00:00" -Frequency "00:01:00" -ReportPath "C:\Logs"
Collects data from servers in the specified DAG for 2 hours and then generates a summary
report. The use of the -ReportPath parameter tells the script to save the files to the
specified directory.
TIP If you’re not running a monitoring solution such as SCOM, you can create a
Windows scheduled task to automate and schedule the execution of these scripts.
CHAPTER 25
Public Folder Database Management
This chapter provides information and commands concerning the following topics:
■ Installing public folders
■ Creating a public folder database
■ Configuring a public folder database
■ Removing a public folder database
In this chapter, you work with public folder databases. You see how to create a database
during the installation of your first mailbox server, create a database after installation of
your mailbox server, retrieve information and configure your public folder databases,
and then see how to remove a public folder database.
Installing Public Folders
If you installed Exchange 2010 using Setup.exe, on the first mailbox server, you were
asked the question shown in Figure 25-1. If you answered “No” to the question indicating
that you had no Outlook 2003 or Entourage clients, no public folder database was
installed on the first server and you were never asked that question again during subsequent
installations in your organization. As you will see, however, you can very easily
create a public folder database even though none was created for you during setup. On
the other hand, if you answered “Yes” to the question, Exchange 2010 created a public
folder database on the Mailbox server because both Outlook 2003 and Entourage require
public folders. For these clients, a public folder database is required in order for them to
connect to Exchange 2010. Public folders provide free/busy information, which is stored
in a dedicated system folder called SCHEDULE+FREE BUSY. The OAB distribution
point for these clients is also provided by the public folder. However, all Exchange public
folder requirements are removed for Outlook 2007 and later clients. Public folders
remain in Exchange Server 2010 for business-related reasons rather than Exchange- and
Outlook-related reasons.
Figure 25-1 Question presented during setup asking if Outlook 2003 or Entourage clients
are present in the organization
Creating a Public Folder Database
To create a public folder database using Exchange Management Shell (EMS), you would
use the cmdlet New-PublicFolderDatabase , as shown in the following table.
PS C:\Users\Administrator> New-PublicFolderDatabase "HR" -Server Romac-EX1
PS C:\Users\Administrator> New-PublicFolderDatabase "Projects" -Server Romac-EX3HC
These examples create two public folder databases on the specified servers using the
default locations for the database files and logs.
PS C:\Users\Administrator> Mount-Database "HR"
PS C:\Users\Administrator> Mount-Database "Projects"
These examples mount the two databases from the first group of examples.
PS C:\Users\Administrator> New-PublicFolderDatabase "Marketing" -Server Romac-EX4 -EdbFilePath "D:\Databases\Marketing\Marketing.edb" -LogFolderPath "E:\Logs\Marketing"
This example creates a public folder database on the specified server using the specified
locations for the database files and logs.
NOTE According to Microsoft, it is considered to be a best practice to place the database
on a drive or LUN that’s separate from the transaction logs.
PS C:\Users\Administrator> Mount-Database "Marketing"
This example mounts the specified database.
Configuring a Public Folder Database
Configuring public folder databases using Exchange Management Shell can be performed
using the Set-PublicFolderDatabase cmdlet. Not a lot of configurations are
necessary for a database; however, you may want to put quotas on the database to
restrict posting to the public folders in the database after the size of a folder reaches the
specified limit. (The quota can be set to a value from 0 to 2,097,151MB, or 2TB.) You
can set the maximum item size to limit the maximum size of items users can post to the
public folders in the database. You can also change settings such as the Deleted Item
retention period for the database, as well as configure the maintenance schedule to perform
maintenance on the database only during off-peak hours.
To view the configuration settings of your database, you can use the Get-PublicFolderDatabase cmdlet, as shown in the following table.
PS C:\Users\Administrator> Set-PublicFolderDatabase Marketing -IssueWarningQuota 1500MB -ProhibitPostQuota 2GB
Changes the quota for the specified public folder database and also configures a warning
to be issued when folders in the database reach the specified limits, as shown in
Figure 25-2.
NOTE From EMS, you can use MB or GB, but it will be converted to KB in the EMC.
Figure 25-2 Quotas set on public folder database as seen from EMC
PS C:\Users\Administrator> Set-PublicFolderDatabase -Identity Marketing -DeletedItemRetention "7.00:00:00"
Sets the Deleted Items retention period on the specified public folder database to 7 days.
PS C:\Users\Administrator> Set-PublicFolderDatabase -Identity Marketing -MaintenanceSchedule "Sun.1:00 AM-Sun.7:00 AM, Mon.1:00 AM-Mon.7:00 AM, Tue.1:00 AM-Tue.7:00 AM, Wed.1:00 AM-Wed.7:00 AM, Thu.1:00 AM-Thu.7:00 AM, Fri.1:00 AM-Fri.7:00 AM, Sat.1:00 AM-Sat.7:00 AM"
Sets the database maintenance schedule on the specified public folder database to run
daily from 1:00 a.m. to 7:00 a.m.
PS C:\Users\Administrator> Get-PublicFolderDatabase
Retrieves the common properties for all of the public folder databases in your
organization.
PS C:\Users\Administrator> Get-PublicFolderDatabase Marketing | fl
PS C:\Users\Administrator> Get-PublicFolderDatabase Marketing | fl Name, IssueWarningQuota, ProhibitPostQuota, DeletedItemRetention, MaintenanceSchedule
Allows you to view all of the properties for an individual public folder database in
your organization.
NOTE Figure 25-3 shows the properties that were changed with the preceding examples.
Figure 25-3 Using the Get-PublicFolderDatabase cmdlet to validate database changes
Removing a Public Folder Database
To remove a public folder database, you can use the Remove-PublicFolderDatabase
cmdlet, as shown in the following table.
PS C:\Users\Administrator> Remove-PublicFolderDatabase -Identity Projects -Confirm:$false
Removes the specified public
folder database.
CHAPTER 26
Managing Public Folders
This chapter provides information and commands concerning the following topics:
■ Assigning a default public folder database to a mailbox database
■ Creating and managing public folders
■ Replicating public folders
■ Removing a public folder
In this chapter, you first assign a new default public folder database to a mailbox database,
and then you create public folders in the public folder databases that you created
in the preceding chapter. You replicate folders from one Mailbox server to another, and,
finally, you see how to remove a public folder or a public folder replica when it is no
longer required.
Assigning a Default Public Folder Database to a Mailbox Database
Once the public folder database exists on a server, a mailbox database is assigned a
public folder database as the default database for users with mailboxes on that server. In
Figure 26-1, you can see that the ShippingDB mailbox database resides on Romac-EX4.
When you navigate to the Client Settings tab on the Properties page of the database, you
can see that the HR public folder database has already been assigned as the default.
Figure 26-1 Default public folder database for users with mailboxes in the ShippingDB
The Outlook client opens a connection to the default public folder database (in this case,
HR) and uses it for all operations that require connecting to a public folder. These
operations might be simply viewing public folders and content, but they may also include
creating and deleting public folders, as well as querying for the location of public folder
content. HR may not be the appropriate public folder database for the ShippingDB users
to use as their default database and therefore might need to be changed. For example,
the shippers need to collaborate with the Marketing department to coordinate shipping
products to correspond with a new marketing campaign. Therefore, you would like
the Marketing public folder to be the default database for users with mailboxes in the
ShippingDB mailbox database, as shown in the following table.
PS C:\Users\Administrator> Set-MailboxDatabase -Identity "ShippingDB" -PublicFolderDatabase "Marketing"
Sets the specified public folder database as the default public folder database for the
mailboxes in the ShippingDB, as seen in Figure 26-2.
Figure 26-2 Setting a new public folder database for users with mailboxes in the
ShippingDB
Creating and Managing Public Folders
Now that the public folder database exists and you have configured the mailbox database
with a new public folder database, it is a simple matter to create a public folder. Then,
after you create the folder, you can mail-enable it, as shown in the following table.
PS C:\Users\Administrator> New-PublicFolder -Name "\Marketing Department Shipping Strategy" -Server "Romac-EX4"
PS C:\Users\Administrator> New-PublicFolder -Name "\2009 Marketing Strategy" -Server "Romac-EX4"
These examples create two public folders on the specified server.
PS C:\Users\Administrator> New-PublicFolder -Name "Year End Push" -Path "\2009 Marketing Strategy" -Server "Romac-EX4"
Creates the specified public folder in the existing public folder 2009 Marketing Strategy
on the specified Mailbox server. Figure 26-3 shows the public folders created in the
preceding examples.
Figure 26-3 Public folders as seen from the Public Folder Management Console
(accessed from EMC)
Mail-enabling a public folder involves running the Enable-MailPublicFolder cmdlet.
Setting a specific SMTP address for the public folder consists of turning the email
address policy off for the specific public folder and then specifying a custom SMTP
address.
Disabling mail to a public folder can be achieved by running the Disable-MailPublicFolder cmdlet, as shown in the following table.
PS C:\Users\Administrator> Enable-MailPublicFolder -Identity "\Marketing Department Shipping Strategy"
PS C:\Users\Administrator> Enable-MailPublicFolder -Identity "\2009 Marketing Strategy"
These examples mail-enable the specified public folders.
PS C:\Users\Administrator> Set-MailPublicFolder -Identity "\Marketing Department Shipping Strategy" -EmailAddressPolicyEnabled $false
PS C:\Users\Administrator> Set-MailPublicFolder -Identity "\2009 Marketing Strategy" -EmailAddressPolicyEnabled $false
Disables the email address policy of the specified mail-enabled public folders so that you
can set custom email addresses for them independent of any email address policy in your
organization.
PS C:\Users\Administrator> Set-MailPublicFolder -Identity "\Marketing Department Shipping Strategy" -PrimarySmtpAddress
Sets the primary SMTP address of the specified public folder to the custom email address
specified.
PS C:\Users\Administrator> Set-MailPublicFolder -Identity "\2009 Marketing Strategy" -PrimarySmtpAddress
Sets the primary SMTP address of the specified public folder to the custom email address
specified.
PS C:\Users\Administrator> Disable-MailPublicFolder -Identity "\2009 Marketing Strategy"
Disables mail for the specified public folder.
Replicating Public Folders
To create a public folder replica using Exchange Management Shell, you can use the
cmdlet Set-PublicFolder with the -Replicas parameter, as shown in the following table.
PS C:\Users\Administrator> Set-PublicFolder -Identity "\Marketing Department Shipping Strategy" -Replicas Marketing, HR
PS C:\Users\Administrator> Set-PublicFolder -Identity "\2009 Marketing Strategy" -Replicas Marketing, HR
These examples replicate the specified folders to the specified public folder databases.
PS C:\Users\Administrator> Set-PublicFolder -Identity "\Marketing Department Shipping Strategy" -ReplicationSchedule Always
Sets the replication schedule of the specified public folder so that it always uses the
default schedule.
PS C:\Users\Administrator> Set-PublicFolder -Identity "\2009 Marketing Strategy" -ReplicationSchedule "Sunday.12:00 AM-Sunday.11:59 PM"
Sets the specified public folder so that it replicates only on Sunday. Figure 26-4 shows
the result of this command.
Figure 26-4 Public folder replication schedule as seen from the Public Folder
Management Console (accessed from EMC)
Removing a Public Folder
You can use the Remove-PublicFolder cmdlet to remove the public folder data from all
servers in your organization. If you only want to remove data from one server, you can
use the Set-PublicFolder cmdlet with the -Replicas parameter, as shown in the following
table.
PS C:\Users\Administrator> Remove-PublicFolder -Identity "\2009 Marketing Strategy\Year End Push" -Confirm:$false
PS C:\Users\Administrator> Remove-PublicFolder -Identity "\2009 Marketing Strategy" -Confirm:$false
These examples remove the specified public folders and all replicas from the databases
that hold replicas.
NOTE A public folder must be empty before you can remove it.
PS C:\Users\Administrator> Set-PublicFolder -Identity "\Marketing Department Shipping Strategy" -Replicas Marketing
Removes only the replica of the specified public folder that exists in the HR database.
The Marketing database replica will be preserved.
CHAPTER 27
Public Folder Permissions
This chapter provides information and commands concerning the following topics:
■ Adding administrative permissions to the folder structure
■ Controlling top-level public folders
■ Setting client permissions to public folder content
In this chapter, you investigate public folder permissions. You look at administrative
permissions to the public folder structure (hierarchy) and then you investigate how to set
content permissions for both administrators and clients.
You also look at top-level public folders and observe the importance of configuring
permissions on them to lock down the public folder hierarchy.
Adding Administrative Permissions to the Folder Structure
You cannot use Exchange Management Console (EMC) to add administrative permissions
for an administrator to access the public folder hierarchy. Exchange Management
Shell (EMS) can be used to assign administrative permissions. You can use the
Add-PublicFolderAdministrativePermission cmdlet to add administrative permissions to a
public folder or a public folder hierarchy. When you use the
Add-PublicFolderAdministrativePermission cmdlet with the -AccessRights parameter, you
can set permissions on public folders and the hierarchy. The following table shows a
number of options for this cmdlet.
Option | Description
None | The administrator cannot modify any of the public folder attributes.
ModifyPublicFolderACL | The administrator can modify client access permissions for the specified folder.
ModifyPublicFolderAdminACL | The administrator can modify administrator permissions for the specified public folder.
ModifyPublicFolderDeletedItemRetention | The administrator can modify the Public Folder Deleted Item Retention attributes, which include the RetainDeletedItemsFor and the UseDatabaseRetentionDefaults attributes.
ModifyPublicFolderExpiry | The administrator can modify the Public Folder Expiration attributes, which include the AgeLimit and UseDatabaseAgeDefaults attributes.
ModifyPublicFolderQuotas | The administrator can modify the Public Folder Quota attributes, which include the MaxItemSize, PostQuota, PostWarningQuota, and UseDatabaseQuotaDefaults attributes.
ModifyPublicFolderReplicaList | The administrator can modify the replicas for the specified public folder using the -Replicas parameter of the Set-PublicFolder cmdlet.
AdministerInformationStore | The administrator can modify any other public folder property not previously listed.
ViewInformationStore | The administrator can view the public folder’s properties but cannot modify any of them.
AllExtendedRights | The administrator can modify all public folder properties.
NOTE These examples illustrate how to set administrative permissions on public folders.
In order for you to perform these tasks as shown, you need the users Joyce and
Maureen, which were created in an earlier chapter, and a new user named Jeanna. You
also have to create a public folder database named “Policies” on Romac-EX2 as well
as a parent public folder named “Company Policies” and two child folders named “US
Policies” and “Canada Policies.”
The permission assignments in the following table illustrate that permissions are set on
specific public folders and do not inherit unless specified.
PS C:\Users\Administrator> Add-PublicFolderAdministrativePermission -User Maureen -Identity "\Company Policies" -AccessRights ViewInformationStore
Grants Maureen the ViewInformationStore permission for the specified public folder, as
seen in Figure 27-1.
PS C:\Users\Administrator> Add-PublicFolderAdministrativePermission -User Maureen -Identity "\Company Policies\Canada Policies" -AccessRights ViewInformationStore -Deny
Denies the specified user the ViewInformationStore permission for the specified public
folder, as seen in Figure 27-1.
Figure 27-1 Administrative permissions to a public folder structure with no inheritance
NOTE Maureen is given permission to the Company Policies public folder, but was
not given permission to the US Policies public folder because no inheritance was
specified. She was also specifically denied access to the Canada Policies public folder.
The permission assignment shown in the following table illustrates that permissions can
be set on a specific public folder and inheritance can be specified.
PS C:\Users\Administrator> Add-PublicFolderAdministrativePermission
-User Jeanna -Identity "\Company Policies" -AccessRights AllExtendedRights -InheritanceType SelfAndChildren
Grants the specified user the
AllExtendedRights permis-
sion for the specified public
folder and all child public
folders under it, as seen in
Figure 27-2 .
Figure 27-2 Administrative permissions to a public folder structure with inheritance
NOTE Jeanna is given permission to the Company Policies public folder, and because
inheritance was specified she has permission to both the US Policies and the Canada
Policies public folders.
Controlling Top-level Public Folders
It is important to restrict top-level public folder creation and management to a select
group of administrators. This can be done by controlling the root of the database and
setting inheritance as shown in the following table. If you don’t control top-level public
folders, you will end up with a very shallow hierarchy with many different folders being
placed directly under the root. By controlling the top level, you can have a much more
organized hierarchy based on geography, departments, or any other organizational con-
figuration you might need.
PS C:\Users\Administrator>
Add-PublicFolderAdministrativePermission
-User Administrator -Identity "\" -AccessRights AllExtendedRights
-InheritanceType SelfAndChildren
Grants the specified user the
AllExtendedRights permis-
sion for the root and all child
public folders under it.
Setting Client Permissions to Public Folder Content
In Exchange Server 2010 Service Pack 1, you can set client permissions using the Public
Folder Management Console. This is new to Service Pack 1. Previously, you could use
either Exchange Management Shell or Microsoft Office Outlook to do this.
When you use the Add-PublicFolderClientPermission cmdlet with the -AccessRights
parameter, you can set client permissions on public folders and their contents. The fol-
lowing table shows a number of options for this cmdlet.
Option Description
ReadItems The user can read items within the specified public folder.
CreateItems The user can create items within the specified public folder.
EditOwnedItems The user can edit items that he or she owns in the specified
public folder.
DeleteOwnedItems The user can delete items that he or she owns in the specified
public folder.
EditAllItems The user can edit all items in the specified public folder.
DeleteAllItems The user can delete all items in the specified public folder.
CreateSubfolders The user can create subfolders in the specified public folder.
FolderOwner The user can view and move the public folder and create
subfolders, but cannot necessarily read items, edit items,
delete items, or create items in the folder.
FolderVisible The user can view the specified public folder but cannot nec-
essarily read or edit items within the folder.
The following table shows how to set client permissions using Exchange Management
Shell.
PS C:\Users\Administrator>
Add-PublicFolderClientPermission -Identity "\Company Policies" -User Maureen -AccessRights ReadItems
This example adds the permission for
the user Maureen to read items in the
public folder called Company Policies.
NOTE This permission is equivalent
to the Reviewer role, so Maureen is
automatically added as a reviewer,
as shown in Figure 27-3 .
PS C:\Users\Administrator>
Add-PublicFolderClientPermission -Identity "\Company Policies" -User Joyce -AccessRights CreateItems
This example adds the permission for
the user Joyce to create items in the
public folder called Company Policies.
NOTE This permission has no
equivalent role, so Joyce is shown
as having “Custom” permissions.
PS C:\Users\Administrator>
Add-PublicFolderClientPermission -Identity "\Company Policies"
-User Jeanna -AccessRights CreateItems,
EditAllItems, DeleteAllItems
This example adds multiple permis-
sions for the user Jeanna. She can create
items, edit items, and delete items in the
public folder called Company Policies.
NOTE This combination of per-
missions has no equivalent role,
so Jeanna is shown as having
“Custom” permissions.
The three permission configurations set in the previous table are shown in Figure 27-3.
You can also set permissions based on roles, which include multiple access rights. The
following table details the available roles in Exchange 2010 and which client permis-
sions are associated with those roles.
Figure 27-3 Client permissions as viewed from Microsoft Office Outlook 2010
Role | Permissions
None | FolderVisible
Owner | CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
Publishing Editor | CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
Editor | CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
PublishingAuthor | CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
Author | CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
NonEditingAuthor | CreateItems, ReadItems, FolderVisible
Reviewer | ReadItems, FolderVisible
Contributor | CreateItems, FolderVisible
NOTE Permissions set using the preceding roles are most easily configured using the
Microsoft Office Outlook client.
CHAPTER 28
Troubleshooting with the Test Cmdlets
This chapter provides information and commands concerning the following topics:
■ Using Test cmdlets for all roles
■ Using Test cmdlets for the Mailbox role
■ Using Test cmdlets for the Transport roles
■ Using Test cmdlets for the Client Access Server role
■ Using Test cmdlets for the Unified Messaging role
■ Using Test cmdlets for client connectivity
■ Using helpful non-Exchange Test cmdlets
Starting with Exchange Server 2007 and continuing in Exchange 2010, a series of cmdlets
is available that use the verb “Test.” These cmdlets are designed to diagnose and
troubleshoot Exchange systems that are having problems or to validate whether those
systems are in fact healthy. In this chapter, you investigate some of these Test cmdlets as
they apply to each Exchange Server role.
Using Test Cmdlets for All Roles
As shown in the following table, the Test-ServiceHealth cmdlet is a very handy tool to
remember when you are troubleshooting servers.
PS C:\Users\Administrator> Test-ServiceHealth
Tests whether all the Windows services
that Exchange requires on a server are
started.
This cmdlet separates services by role
and returns an error when any service
required by that role has stopped.
Figure 28-1 shows a successful completion
of the test.
TIP You can run this against a
remote server by using the -Server switch.
Figure 28-1 The Test-ServiceHealth cmdlet with no errors
Next, stop the Microsoft Exchange Transport Service and rerun the cmdlet (as shown in
the following table).
PS C:\Users\Administrator> Test-ServiceHealth
In this example, the Transport
Service is not running, and this will
appear as an error in the output, as
shown in Figure 28-2 .
(Don’t forget to start the service
when you are finished.)
Other “Test” cmdlets that may be used on all roles include those shown in the following
table.
Figure 28-2 The Test-ServiceHealth cmdlet with an error (Microsoft Exchange
Transport Service stopped)
PS C:\Users\Administrator> Test-SystemHealth
Collects data in the Exchange system and
analyzes it against Microsoft best prac-
tices.
NOTE This cmdlet checks for
updates from the Internet.
PS C:\Users\Administrator>
Test-ExchangeSearch
-Identity Jeanna
Tests that Exchange Search is enabled
and is indexing new email messages
properly.
Tests the mailbox database on which the
specified mailbox resides.
PS C:\Users\Administrator>
Test-ExchangeSearch
-Identity Jeanna -Verbose
Performs the same tests but produces a
more detailed output.
Using Test Cmdlets for the Mailbox Role
One Mailbox role cmdlet you can use is the Test-ReplicationHealth cmdlet. As shown
in the following table, this cmdlet tests the replication and replay status for a specific
Mailbox server in a DAG. It checks the availability of the Active Manager as well as the
status of the underlying cluster service.
PS C:\Users\
Administrator>
Test-ReplicationHealth -Identity Romac-EX3HC
Allows you to check the replication and transaction
replay status of a database copy.
NOTE The successful completion of this cmdlet
is shown in Figure 28-3 .
Figure 28-3 Successful run of the Test-ReplicationHealth cmdlet
Using Test Cmdlets for the Transport Roles
As shown in the following table, several important Test cmdlets are available for trans-
port servers. The first tests Edge Synchronization of a Hub Transport server to an Edge
Transport server. Others test the spam-filtering capabilities of the built-in spam filters
and the mailflow in the transport pipeline.
PS C:\Users\Administrator> Test-EdgeSynchronization
Tests the Edge Synchronization process
and produces a report showing the syn-
chronization status of subscribed Edge
Transport servers.
PS C:\Users\Administrator>
Test-EdgeSynchronization
-VerifyRecipient
Verifies the synchronization status of the
specified recipient.
PS C:\Users\Administrator> Test-IPAllowListProvider
Tests the settings for the specified IP
Allow list provider on a Hub Transport or
Edge Transport server.
This configuration is used by the
Connection Filter agent, one of the built-
in spam filters on Hub Transport and
Edge Transport servers.
PS C:\Users\Administrator> Test-IPBlockListProvider
Tests the settings for the specified IP
Block list provider on a Hub Transport or
Edge Transport server.
This configuration is used by the
Connection Filter agent, one of the built-
in spam filters on Hub Transport and
Edge Transport servers.
PS C:\Users\Administrator>
Test-IRMConfiguration -Sender [email protected]
Tests the IRM configuration for messages
sent from the specified sender.
Performs a series of tests to determine
IRM functionality.
NOTE Information Rights
Management (IRM) is a file-level tech-
nology from Microsoft that restricts
content from being printed, forwarded,
or copied by unauthorized recipients.
The restrictions follow the email mes-
sage as part of the contents of the file.
PS C:\Users\Administrator>
Test-Mailflow Romac-EX1 -TargetMailboxServer Romac-EX2
Tests whether mail can be successfully
sent from and delivered to the system
mailbox on a computer that has the
Mailbox server role installed, as seen in
Figure 28-4 .
NOTE Even though this cmdlet tests
mailbox-to-mailbox mailflow, it is actu-
ally testing the latency of the transport
mechanism and will produce a latency
value you can use to compare against
an acceptable latency threshold.
Figure 28-4 Output of a Test-Mailflow cmdlet checking mailflow between Romac-EX1
and Romac-EX2
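The Test-ServiceHealth and Test-Mailflow checks described above can be turned into a pass/fail summary. This is an added example, not code from the book: the function names Get-RoleServiceFailure and Get-MailflowVerdict, the 30-second threshold and the sample objects are assumptions, with the sample objects constructed to mirror the properties those cmdlets return.

```powershell
# Added example, not from the book. Written for PowerShell 2.0 (Exchange 2010).
# The sample objects are constructed; their property names mirror the output of
# Test-ServiceHealth and Test-Mailflow so that live results can be piped in.

function Get-RoleServiceFailure {
    # Emits one record for each role whose required services are not all running.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $HealthResult)
    process {
        if (-not $HealthResult.RequiredServicesRunning) {
            New-Object PSObject -Property @{
                Role            = $HealthResult.Role
                StoppedServices = (@($HealthResult.ServicesNotRunning) -join ', ')
            }
        }
    }
}

function Get-MailflowVerdict {
    # Classifies one Test-Mailflow result as OK, SLOW or FAILED.
    # The 30-second default threshold is an assumption; use your own baseline.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $MailflowResult,
        [TimeSpan] $MaxLatency = [TimeSpan]::FromSeconds(30)
    )
    process {
        if ([string]$MailflowResult.TestMailflowResult -ne 'Success') { return 'FAILED' }
        # Parse the string form so TimeSpan-like and deserialized values both work.
        $latency = [TimeSpan]::Parse([string]$MailflowResult.MessageLatencyTime)
        if ($latency -gt $MaxLatency) { 'SLOW' } else { 'OK' }
    }
}

# Constructed sample results: one healthy role, one role with a stopped service.
$sampleHealth = @(
    (New-Object PSObject -Property @{
        Role = 'Mailbox Server Role'; RequiredServicesRunning = $true
        ServicesRunning = @('MSExchangeIS'); ServicesNotRunning = @() }),
    (New-Object PSObject -Property @{
        Role = 'Hub Transport Server Role'; RequiredServicesRunning = $false
        ServicesRunning = @('MSExchangeADTopology'); ServicesNotRunning = @('MSExchangeTransport') })
)

# Constructed sample results: fast delivery, slow delivery, failed delivery.
$sampleMailflow = @(
    (New-Object PSObject -Property @{
        TestMailflowResult = 'Success'; MessageLatencyTime = [TimeSpan]::FromSeconds(3.2) }),
    (New-Object PSObject -Property @{
        TestMailflowResult = 'Success'; MessageLatencyTime = [TimeSpan]::FromSeconds(45) }),
    (New-Object PSObject -Property @{
        TestMailflowResult = '*FAILURE*'; MessageLatencyTime = [TimeSpan]::Zero })
)

$sampleHealth   | Get-RoleServiceFailure | Format-Table Role, StoppedServices -AutoSize
$sampleMailflow | Get-MailflowVerdict

# In Exchange Management Shell, pipe the live cmdlets into the same functions:
#   Test-ServiceHealth -Server Romac-EX1 | Get-RoleServiceFailure
#   Test-Mailflow Romac-EX1 -TargetMailboxServer Romac-EX2 | Get-MailflowVerdict
```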
Using Test Cmdlets for the Client Access Server Role
Several important Test cmdlets are also available for testing Client Access Servers. As
shown in the following table, these cmdlets can test client connectivity to the Client
Access Server, Exchange services status on the Client Access Server, whether the
PowerShell remoting capability is functioning correctly, and so on.
Use the following script to create the required
user for the test:
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\New-TestCasConnectivityUser.ps1
Then run the cmdlet:
PS C:\Users\Administrator> Test-WebServicesConnectivity
TIP Before executing the Test-WebServicesConnectivity cmdlet, run the script New-TestCasConnectivityUser.ps1 to
create a user that the cmdlet uses
to test connectivity.
Tests the functionality of Exchange
Web Services (EWS) on a server that
has the Client Access Server role
installed.
NOTE Exchange Web Services
replaces many of the features
found in WebDAV, CDOEX, and
ExOLEDB, thus potentially reduc-
ing problems with applications
requiring these earlier APIs.
PS C:\Users\Administrator>
Test-WebServicesConnectivity
-AllowUnsecureAccess
Tests Exchange Web Services on the
local Client Access Server, but uses
an unsecured connection that doesn’t
require SSL.
PS C:\Users\Administrator>
Get-ClientAccessServer |
Test-MRSHealth
Tests the health of an instance of the
Mailbox Replication service on one or
more Client Access Servers.
In the example, you test all Client
Access Servers.
PS C:\Users\Administrator>
Test-PowerShellConnectivity -ClientAccessServer Romac-EX2 -VirtualDirectoryName "PowerShell
(Default Web Site)" -TrustAnySSLCertificate
Tests whether Windows PowerShell
remoting on a Client Access Server is
functioning correctly.
NOTE This example tests
the PowerShell (Default Web
Site) virtual directory on the
specified server. The switch
-TrustAnySSLCertificate is used
to skip the certificate check during
connection.
TIP This cmdlet uses the
same user account created
when you ran the script New-TestCasConnectivityUser.ps1 previously.
PS C:\Users\Administrator>
Test-OutlookWebServices -Identity:[email protected]
Tests for a connection to each service
(note that quite a few are tested).
It also submits a request to the
Availability service for the speci-
fied user to determine whether the
user’s free/busy information is being
returned correctly from the Client
Access Server to the Outlook client.
Using Test Cmdlets for the Unified Messaging Role
As shown in the following table, you can test functionality of a Unified Messaging
server with the Test-UMConnectivity cmdlet.
PS C:\Users\Administrator> Test-UMConnectivity
Tests the functionality of a computer
that has the Unified Messaging (UM)
server role installed.
This cmdlet tests the functionality of a
Unified Messaging server and related
connected telephony equipment.
You can test full end-to-end operation
of the Unified Messaging system or
test only the operation of the Unified
Messaging components on the Exchange
server.
Using Test Cmdlets for Client Connectivity
You can use a number of the Test cmdlets to verify client connectivity. As shown in the
following table, many of the client connection protocols have a cmdlet designed to test
connectivity.
PS C:\Users\Administrator>
Test-ActiveSyncConnectivity -ClientAccessServer Romac-EX2
-URL http://mail.romacsign.com/
Microsoft-Server-ActiveSync -MailboxCredential:(Get-Credential
romacsign\maureen)
Initiates a full synchronization
against the specified mailbox to
test the configuration of Exchange
ActiveSync.
NOTE You are presented with
a logon prompt for the specified
user during this test.
PS C:\Users\Administrator> Test-EcpConnectivity
Verifies that the Exchange Control
Panel is running normally.
PS C:\Users\Administrator>
Test-ImapConnectivity
-ClientAccessServer Romac-EX2 -MailboxCredential:(Get-Credential
romacsign\maureen)
Tests the IMAP4 connectivity for
the specified Client Access Server
using the credentials for the speci-
fied user.
NOTE You are presented with
a logon prompt for the specified
user during this test.
PS C:\Users\Administrator>
Test-MapiConnectivity -Server "Romac-EX1"
Tests connectivity to all databases
on the specified server.
Dismount the AssemblyDB database and run the test again. The results of both tests are
shown in Figure 28-5 . (Don’t forget to mount the database after the test.)
Figure 28-5 Successful and failed Test-MapiConnectivity tests as seen from Exchange
Management Shell
Other client connectivity tests include those shown in the following table.
PS C:\Users\Administrator>
Test-MapiConnectivity -Identity "romacsign\maureen"
Tests connectivity to a mailbox.
NOTE The format of the mail-
box must be domain\username.
PS C:\Users\Administrator>
Test-OutlookConnectivity
-Protocol:HTTP
-GetDefaultsFromAutoDiscover:$true
Tests end-to-end Microsoft Office
Outlook client connectivity in the
Microsoft Exchange Server 2010
organization.
Tests Outlook Anywhere (RPC/
HTTP) connections.
PS C:\Users\Administrator>
Test-OutlookConnectivity -Protocol:TCP -GetDefaultsFromAutoDiscover:$true
Performs the same test for RPC/
MAPI (TCP/IP) connections.
PS C:\Users\Administrator> Test-OwaConnectivity
-URL:https://mail.romacsign.com/owa -MailboxCredential:(Get-Credential
romacsign\maureen)
Verifies OWA is running normally.
NOTE You are presented with
a logon prompt for the specified
user during this test.
PS C:\Users\Administrator>
Test-PopConnectivity -ClientAccessServer Romac-EX2 -MailboxCredential:(Get-Credential
romacsign\maureen)
Tests the POP3 connectivity for the
specified Client Access Server using
the credentials for the specified user.
NOTE You are presented with
a logon prompt for the specified
user during this test.
Using Helpful Non-Exchange Test Cmdlets
The following table shows two Test cmdlets that might come in handy.
PS C:\Users\Administrator> Test-Path -Path "C:\Program Files\
Microsoft\Exchange
Server\V14\Mailboxes\
ShippingDB"
Validates the existence of a path in the
file system and could be incorporated into
a script to check for a folder before some-
thing is put into it.
Shows a successful discovery of an exist-
ing path.
Output is True .
PS C:\Users\Administrator>
Test-Path -Path "C:\Program Files\
Microsoft\Exchange Server\V14\
Mailboxes\ShippingPublicFolder"
Runs the same cmdlet and shows a result
where the path does not exist.
Output is False .
PS C:\Users\Administrator> Test-Connection Romac-EX1
Functions like Ping does from a command
prompt, sending ICMP echo request pack-
ets to remote hosts, as shown in Figure
28-6 .
Figure 28-6 “Pinging” with the Test-Connection cmdlet
CHAPTER 29
Event Logging with PowerShell
This chapter provides information and commands concerning the following topics:
■ Retrieving events with Get-EventLog
■ Setting diagnostic Event Log levels
Management of Event Logs from PowerShell can be beneficial to an Exchange administrator.
The Get-EventLog cmdlet illustrates some of the options available to you. By
changing the Diagnostic Event Log level, you can adjust the amount of Exchange information
logged while you are troubleshooting.
Retrieving Events with Get-EventLog
You can retrieve events from an Event Log on a local or remote computer using
Exchange Management Shell. You can use the Get-EventLog cmdlet to search for
events in one or more logs by using their property values. Get-EventLog retrieves only
events from the traditional Windows Event Logs (that is, the System Log, Application
Log, and Security Log).
NOTE To get events from some of the newer Windows Event Logs in Windows Server
2008, you can use Get-WinEvent .
The following table shows some ways to use this cmdlet.
PS C:\Users\Administrator> Get-EventLog -List
Retrieves information about the available Windows
Event Logs, including the number of entries, the maximum
allowed size of the log, and whether entries will be
retained for any period of time, as shown in Figure 29-1 .
Figure 29-1 List of all available Event Logs
PS C:\Users\
Administrator> Get-EventLog -Newest 25
-LogName Application
Retrieves and displays the specified number
of most recent events from the specified log.
PS C:\Users\
Administrator> Get-EventLog -LogName Application
-Source "MSExchange Unified
Messaging" -Newest 10
Retrieves and displays the specified number
of most recent events with a Source value of
MSExchange Unified Messaging, as shown
in the upper half of Figure 29-2 .
PS C:\Users\
Administrator> Get-EventLog -LogName Application
-EntryType Error -Newest 10
Retrieves and displays the specified number
of most recent events with an -EntryType
value of Error , as shown in the lower half
of Figure 29-2 .
Figure 29-2 Finding specific events from a list of recent events on the local computer
PS C:\Users\Administrator>
Get-EventLog
-LogName Application
-EntryType Error
-Newest 10
-ComputerName Romac-EX1
Retrieves and displays the specified number of
most recent events with an -EntryType value of
Error from a remote computer.
NOTE You would run this from your work-
station or another server. The example was
run from Romac-EX2.
PS C:\Users\Administrator>
Get-EventLog
-LogName Application -ComputerName localhost,
Romac-EX1 -EntryType Error
-Newest 3
| fl MachineName, Time,
EntryType, Source,
InstanceID
Retrieves and displays the specified number of
most recent events with an -EntryType value of
Error from a local and a remote computer.
NOTE The cmdlet displays only the speci-
fied information, as shown in Figure 29-3 .
Figure 29-3 Finding specific events from a list of recent events on multiple computers
PS C:\Users\Administrator> Get-EventLog -LogName Application -Message "*failed*" -Newest 10
Retrieves and displays the
specified number of most
recent events with the word
“failed” in the message.
PS C:\Users\Administrator> $Dec4_2010 = Get-Date 12/4/2010
PS C:\Users\Administrator> $Dec11_2010 = Get-Date 12/11/2010
PS C:\Users\Administrator> Get-EventLog -LogName Application
-EntryType Error -After $Dec4_2010
-Before $Dec11_2010
Retrieves and displays
events of the specified
event type between the
specified dates.
NOTE The Application Log was used in these examples because many Exchange-
related events are logged there, but these examples could be used on other Windows
Event Logs as well.
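The multi-computer and date-window queries above can be combined into a triage summary that counts errors per machine, source and InstanceId. This is an added example, not code from the book: Get-ApplicationError, Get-ErrorSummary and New-SampleEntry are hypothetical names, and the sample entries (including their InstanceId values) are constructed so the summary logic runs without access to a live log.

```powershell
# Added example, not from the book. Works in Windows PowerShell 2.0 and later.

function Get-ApplicationError {
    # Collects Application log errors from each computer; an unreachable host or
    # an empty result is reported as a warning instead of stopping the sweep.
    param([string[]] $ComputerName, [datetime] $After, [datetime] $Before)
    foreach ($computer in $ComputerName) {
        try {
            Get-EventLog -LogName Application -EntryType Error -After $After `
                -Before $Before -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "No events collected from ${computer}: $($_.Exception.Message)"
        }
    }
}

function Get-ErrorSummary {
    # Keeps Error entries inside the window, then counts them per
    # machine/source/InstanceId and records when each was first and last seen.
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Entry,
        [Parameter(Mandatory = $true)] [datetime] $After,
        [Parameter(Mandatory = $true)] [datetime] $Before
    )
    $Entry |
        Where-Object {
            [string]$_.EntryType -eq 'Error' -and
            $_.TimeGenerated -gt $After -and $_.TimeGenerated -lt $Before
        } |
        Group-Object MachineName, Source, InstanceId |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object TimeGenerated)
            New-Object PSObject -Property @{
                MachineName = $ordered[0].MachineName
                Source      = $ordered[0].Source
                InstanceId  = $ordered[0].InstanceId
                Count       = $_.Count
                FirstSeen   = $ordered[0].TimeGenerated
                LastSeen    = $ordered[-1].TimeGenerated
            }
        } |
        Sort-Object Count -Descending |
        Select-Object MachineName, Source, InstanceId, Count, FirstSeen, LastSeen
}

function New-SampleEntry($Machine, $Time, $Type, $Source, $Id) {
    # Builds a constructed stand-in for an event log entry.
    New-Object PSObject -Property @{
        MachineName = $Machine; TimeGenerated = [datetime]$Time
        EntryType = $Type; Source = $Source; InstanceId = $Id
    }
}

# Constructed sample entries (InstanceId values are made up for illustration).
$sample = @(
    (New-SampleEntry 'Romac-EX1' '2010-12-06T09:15:00' 'Error'   'MSExchangeTransport' 1001),
    (New-SampleEntry 'Romac-EX1' '2010-12-07T14:40:00' 'Error'   'MSExchangeTransport' 1001),
    (New-SampleEntry 'Romac-EX2' '2010-12-08T03:05:00' 'Error'   'MSExchange Unified Messaging' 2002),
    (New-SampleEntry 'Romac-EX2' '2010-12-08T03:06:00' 'Warning' 'MSExchange Unified Messaging' 2003),
    (New-SampleEntry 'Romac-EX1' '2010-12-20T11:00:00' 'Error'   'MSExchangeTransport' 1001)
)

$after  = [datetime]'2010-12-04'
$before = [datetime]'2010-12-11'
Get-ErrorSummary -Entry $sample -After $after -Before $before | Format-Table -AutoSize

# Against live logs:
#   $live = @(Get-ApplicationError -ComputerName localhost, Romac-EX1 -After $after -Before $before)
#   Get-ErrorSummary -Entry $live -After $after -Before $before
```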
Setting Diagnostic Event Log Levels
You can set Diagnostic Event Log levels to collect more or less information than the
default levels allow. You would do this while troubleshooting Exchange servers and then
you would return the log levels to their defaults.
The following table shows how to view the default log levels.
PS C:\Users\Administrator> Get-EventLogLevel
Displays all logged items’ logging
levels.
The following table lists some of the available log information and the default log levels.
MSExchange ActiveSync\Requests | Lowest
MSExchange ActiveSync\Configuration | Lowest
MSExchange Autodiscover\Core | Lowest
MSExchange Autodiscover\Web | Lowest
MSExchange Availability\Availability Service | Lowest
MSExchange Configuration Cmdlet - Management Shell\General | Lowest
MSExchange Configuration Cmdlet - Management Shell\RBAC | Low
MSExchange Configuration Cmdlet - Remote Management\General | Lowest
MSExchange Configuration Cmdlet - Remote Management\RBAC | Lowest
MSExchange Configuration Cmdlet - Control Panel\General | Lowest
MSExchange Configuration Cmdlet - Control Panel\RBAC | Lowest
MSExchange EdgeSync\Synchronization | Lowest
MSExchange EdgeSync\Topology | Lowest
MSExchange TransportService\TransportService | Lowest
MSExchange Messaging Policies\Journaling | Lowest
MSExchange Messaging Policies\Rules | Lowest
MSExchange Mailbox Replication\Service | Lowest
MSExchange Mailbox Replication\Mailbox Move | Lowest
MSExchangeIS\9001 Public\Send On Behalf Of | Lowest
MSExchangeIS\9001 Public\Send As | Lowest
MSExchangeTransport\Agents | Lowest
These are just a few of the categories that are logged. You can change the logging level
as shown in the following table.
PS C:\Users\Administrator>
Set-EventLogLevel
-Identity "MSExchange
Messaging Policies\Rules"
-Level High
Changes the log level for the specified log to
High, as shown in Figure 29-4 .
NOTE Valid log levels are as follows:
■ Lowest— Only critical events, error
events, and events with a logging level of
0 are logged. This is the default level.
■ Low— Events with a logging level of 1 or
lower are logged.
■ Medium— Events with a logging level of
3 or lower are logged.
■ High— Events with a logging level of 5 or
lower are logged.
■ Expert— Events with a logging level of 7
or lower are logged.
PS C:\Users\Administrator>
Get-EventLogLevel
-Identity "MSExchange
Messaging Policies\Rules"
Allows you to view the logging level for the
specified log, as shown in Figure 29-4 .
Figure 29-4 Configuring an Event Log level
CHAPTER 30
Using and Finding Scripts to Automate
This chapter provides information and commands concerning the following topics:
■ Using scripts to automate tasks in PowerShell
■ Finding scripts to automate tasks in PowerShell
In this chapter, you use some of the scripts that ship with Exchange Server 2010 and
investigate how to find locations that have scripts that you can download and use for
various purposes.
Using Scripts to Automate Tasks in PowerShell
PowerShell scripts are cmdlets that are “batched” together as lines of code written in the
PowerShell scripting language, not unlike a .bat or .cmd file. These files have the .ps1
extension (yes, even in PowerShell 2.0, they still use the .ps1 extension), but they are
executed by Windows PowerShell instead of the Windows cmd.exe or command.com.
NOTE In PowerShell 2.0, you can even execute a script by right-clicking the file and
selecting the Run with PowerShell option. In Exchange Server 2007 with PowerShell
1.0, you had to run scripts from a PowerShell prompt.
These “batched” cmdlets allow you to perform very complex tasks, such as installing all
the built-in anti-spam agents using a single .ps1 file called install-AntispamAgents.ps1.
You should use caution when executing .ps1 scripts, because they can access critical
Windows operating system components as well as critical Exchange Server components.
A number of preconfigured .ps1 files are located under the Exchange installation directory,
which by default is located at C:\Program Files\Microsoft\Exchange Server\V14\
Scripts. You must include the path when running a .ps1 file, but if the focus of Exchange
Management Shell (EMS) is on the directory that the file is located in, you may use “ .\ ”
to indicate that the file should be run from the current directory, as shown in the following
table.
The following table also shows some of the more interesting .ps1 files that come with
Exchange Server.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\CheckInvalidRecipients.ps1
Runs a script that attempts to fix two
types of errors.
First, if the recipient has multiple SMTP
addresses listed as primary or if the
primary SMTP is invalid, the script will
try to set the WindowsEmailAddress as
the primary SMTP address.
Second, if a distribution group has
the HideDLMembershipEnabled attribute set to true, but
ReportToManagerEnabled ,
ReportToOriginatorEnabled , or
SendOofMessageToOriginatorEnabled
are also set to true, then the membership
may not be truly hidden.
The script will set the appropriate attri-
butes to false to fix the distribution
group.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\CollectOverMetrics.ps1
Runs a script that reports database
failover statistics, as seen previously in
the DAG chapters.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\CollectReplicationMetrics.ps1
Runs a script that checks for and reports
healthy DAG replication.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\ConvertTo-MessageLatency.ps1
Runs a script that allows an adminis-
trator to extract server and end-to-end
latency information from the message-
tracking log.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\Export-OutlookClassification.ps1
Runs a script that exports Message
Classifications to an XML file that can
be imported by Outlook 2007, so that
Outlook 2007 clients may classify mes-
sages for use with transport rules.
NOTE Outlook will not support
the use of message classifications
unless the .xml file created by this
cmdlet is imported on the client.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\Get-SetupLog.ps1
Runs a script that parses the Exchange
Server ExchangeSetup.log file detecting
errors or errors and warnings in the log.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\install-AntispamAgents.ps1
Runs a script that installs the following
anti-spam agents:
■ Content Filtering
■ IP Allow List
■ IP Allow List Providers
■ IP Block List
■ IP Block List Providers
■ Recipient Filtering
■ Sender Filtering
■ Sender ID
■ Sender Reputation
The agents are shown in Figure 30-1 .
Figure 30-1 Installation of the anti-spam agents using a .ps1 file
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\MailboxDatabaseReseed.ps1
Runs a script that either attempts to reseed
the database on the specified server or
attempts to reseed all of the failed or sus-
pended databases on the server.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\MoveAllReplicas.ps1
Runs a script that moves all public folder
replicas to another server in the replica list.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\MoveMailbox.ps1
Similar to the Move-Mailbox cmdlet in
Microsoft Exchange Server 2007.
Provides a synchronous management experi-
ence for moving mailboxes, but will move
local mailboxes only.
Runs a script that first creates a local move
request, then waits as the mailbox is moved,
and finally clears the move request after the
move has completed.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\MoveTransportDatabase.ps1
Runs a script that changes the location of
the Transport database and moves the data-
base files to the new location.
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\New-TestCasConnectivityUser.ps1
Runs a script that creates a user, as shown
in Figure 30-2 , that can be used for test-
ing connectivity by using some of the
Test cmdlets, as covered in Chapter 28 ,
“Troubleshooting with the Test Cmdlets.”
Figure 30-2 User created with a .ps1 script for testing purposes, as seen from Active
Directory Users and Computers
PS C:\Program Files\Microsoft\
Exchange Server\V14\Scripts>
.\ResumeMailboxDatabaseCopy.ps1
Runs a script that resumes a mailbox
database copy when it has been previ-
ously suspended.
Finding Scripts to Automate Tasks in PowerShell
Many websites and blog sites offer .ps1 file scripts for download. Microsoft.com has the
Script Center Repository as part of TechNet. This is a fantastic place to start looking for
scripts. Chances are, you aren’t the first person to ask whether PowerShell can do some
particular task—others have had to either figure it out for themselves or find someone
with PowerShell skills to do it for them. If you are lucky, the script you need already
exists in the Script Center Repository. Most of these sites do not charge anything for
their scripts and provide helpful information on how they function. The drawback, how-
ever, is that most of these sites are not Exchange specific.
Also, these sites do not guarantee that their scripts will function properly in your envi-
ronment. When you’re working with a new or untrusted cmdlet, three switch options are
available that allow you to reduce or prevent unintended results from occurring when
you execute the cmdlet. You can use the -Whatif switch wherever possible to see what
would happen if the script were run...before you actually run it for real! No changes
are made to any Exchange objects when you execute a cmdlet with a -Whatif switch
applied. The -Whatif switch is available in many cmdlets, and using it might just protect
you from executing a script that permanently damages your Exchange organization.
NOTE The -Whatif switch must be added to the actual cmdlet as an attribute, as
shown in the following table.
PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit "Management" | Set-Mailbox -IssueWarningQuota 838860800 -ProhibitSendQuota 943718400 -ProhibitSendReceiveQuota 1048576000 -UseDatabaseQuotaDefaults $false -Whatif
Sets quotas for all mailboxes in the Management OU.
NOTE With the use of the -Whatif switch, the change will be simulated, but will not actually take effect.
The -Whatif switch is beneficial for new Exchange administrators, because they can
execute an unfamiliar cmdlet in the production environment using a simulated version of
the cmdlet. However, this switch can also be useful for seasoned administrators, because
they can test familiar cmdlets to determine whether there will be any unintended results
when the cmdlets are actually executed. It is common to put the -Whatif switch at the
very end of the cmdlet. You could then use the up arrow, backspace over -Whatif, and
reexecute the cmdlet.
You can also use the -Confirm switch to avoid unintentional modification to Exchange
objects. By default, EMS automatically applies the -Confirm switch to cmdlets that have
the following verbs:
■ Clear
■ Disable
■ Dismount
■ Move
■ Remove
■ Stop
■ Suspend
■ Uninstall
When a cmdlet runs that includes any of these verbs, EMS stops execution of the cmdlet
and waits for your acknowledgement before it continues to execute the cmdlet. As
shown in the following table, there are several possible responses to a -Confirm confirmation
prompt that states “Are you sure you want to perform this action?”
Y (Yes): Instructs the cmdlet to continue the operation. The next operation will present another confirmation prompt. NOTE This is the default option.
A (Yes to all): Instructs the cmdlet to continue the operation and all subsequent operations. You will not receive any additional confirmation prompts for the duration of this command.
N (No): Instructs the cmdlet to skip this operation and continue with the next operation. The next operation will present another confirmation prompt.
L (No to all): Instructs the cmdlet to skip this operation and all subsequent operations. You will not receive any additional confirmation prompts for the duration of this command.
S (Suspend): Pauses the current pipeline and returns to the command line. You may type Exit to resume the pipeline.
? (Help): Displays the confirmation prompt Help on the command line.
You can also manually use the -Confirm switch in a cmdlet, as shown in the following
table.
PS C:\Users\Administrator> Remove-Mailbox -Identity "RomacSign\Jim" -Confirm:$true
Deletes the specified mailbox, but first prompts you for confirmation before the deletion.
PS C:\Users\Administrator> Remove-Mailbox -Identity "RomacSign\Tess" -Confirm:$false
Overrides the default option (Yes) and, in this example, deletes the specified mailbox with no prompting.
Finally, you can use the -ValidateOnly switch. This switch instructs the cmdlet
to evaluate all of its conditions and requirements before making any changes. The
-ValidateOnly switch is available (and most useful) on cmdlets that potentially could
take a long time to execute. When you use the -ValidateOnly switch in a cmdlet, the
cmdlet runs through the whole process, performing each step, as if it were actually
executing. But no changes are actually being made. When the cmdlet completes its
execution, it displays a summary of the results. If the summary shows no errors, you can
run the cmdlet again without the -ValidateOnly switch. The use of the -ValidateOnly
switch is shown in the following table.
PS C:\Users\Administrator> Get-Mailbox "RomacSign\Madge" | New-MoveRequest -TargetDatabase "ManagementDB" -ValidateOnly
Evaluates all conditions and requirements for moving the specified mailbox to the specified location.
The -Whatif, -Confirm, and -ValidateOnly switches are often most valuable when used
together with a Get statement and a pipeline to another cmdlet. This allows you to specifically
modify the items returned by the Get command and yet still have control over
which items will be modified. By adding some of these switches to your scripts, you
may avoid the scripts stopping execution while awaiting a response at a prompt.
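The preview-then-apply workflow described above, as an added example that is not from the book: a script function only honors -WhatIf and -Confirm if it declares SupportsShouldProcess, so this wrapper around the chapter's quota change does exactly that. The function name Set-OuMailboxQuota and its parameter names are hypothetical; the OU and quota values are the ones used earlier in this section.

```powershell
# Added example (not from the book). Run in Exchange Management Shell.
# Set-OuMailboxQuota is a hypothetical name; the quota values are the chapter's.
function Set-OuMailboxQuota {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$OrganizationalUnit,
        [int]$IssueWarningQuota        = 838860800,
        [int]$ProhibitSendQuota        = 943718400,
        [int]$ProhibitSendReceiveQuota = 1048576000
    )

    # Reject thresholds that are out of order before any mailbox is touched.
    if ($IssueWarningQuota -gt $ProhibitSendQuota -or
        $ProhibitSendQuota -gt $ProhibitSendReceiveQuota) {
        throw "Quotas must satisfy: warning <= prohibit send <= prohibit send/receive."
    }

    $mailboxes = @(Get-Mailbox -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited)
    Write-Verbose ("{0} mailbox(es) found in '{1}'" -f $mailboxes.Count, $OrganizationalUnit)

    $changed = 0
    foreach ($mbx in $mailboxes) {
        # ShouldProcess is what makes -WhatIf and -Confirm work on a script function:
        # -WhatIf prints the target and returns $false; -Confirm prompts per mailbox.
        if ($PSCmdlet.ShouldProcess("$($mbx.Identity)", "Set mailbox quotas")) {
            Set-Mailbox -Identity $mbx.Identity `
                -IssueWarningQuota $IssueWarningQuota `
                -ProhibitSendQuota $ProhibitSendQuota `
                -ProhibitSendReceiveQuota $ProhibitSendReceiveQuota `
                -UseDatabaseQuotaDefaults $false `
                -Confirm:$false   # already confirmed by ShouldProcess above
            $changed++
        }
    }
    # Return the number of mailboxes actually modified (0 under -WhatIf).
    $changed
}

# Step 1: preview. Nothing is written; each mailbox is listed as "What if: ...".
Set-OuMailboxQuota -OrganizationalUnit "Management" -WhatIf -Verbose

# Step 2: once the preview matches expectations, apply without prompts
# (for example from a scheduled task, where a prompt would hang the script).
Set-OuMailboxQuota -OrganizationalUnit "Management" -Confirm:$false
```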
CHAPTER 31
Configuring Role-Based Access Control (RBAC) Permissions
This chapter provides information and commands concerning the following topics:
■ Creating and managing a management role group
■ Adding members to the management role group
■ Retrieving information about role groups and role group members
■ Setting and viewing management scopes
In this chapter, you review setting permissions using Role-Based Access Control
(RBAC). After the management role groups have been created and the roles have been
assigned, permissions are easily set either using PowerShell or through GUI-based tools.
This chapter provides an overview of how to configure management role groups, assign
management roles to those groups, add role group members, and view information about
existing role groups and role group members.
Creating and Managing a Management Role Group
A number of built-in management role groups are present in Exchange 2010. For example,
Recipient Management, Organization Management, and Records Management are
three such management role groups present by default. In this section, you investigate
how to create a custom role group. The ability to import and export to and from a mailbox
is not assigned to any user or group by default. The Mailbox Import Export management
role allows you to import and export mailbox content as well as delete undesirable
content from a user’s mailbox or from an administrative mailbox if you have recalled a
message.
This example illustrates Role-Based Access Control (RBAC) permissions in Exchange
Server 2010. Management roles are assigned to one or more management role groups,
similar to the way permissions are assigned to groups in Windows. One significant difference
is that there are approximately 70 Exchange-specific management roles compared
to the delegated permission assignment of previous versions of Exchange Server.
Rather than assigning the permission for a user to print as you would in Windows, you
assign the management role to a management role group in Exchange 2010. This provides
flexibility in assigning permissions and a level of granularity for assigning permissions
not seen in previous versions of Exchange Server. A second difference is that if
you do not have the permission to do something, the cmdlet will appear to be unavailable
in EMS or the option will not be present in Exchange Management Console (EMC)
or in Exchange Control Panel. For example, if you want to export content from a mailbox
and you do not have the Mailbox Import Export management role assigned to you,
the cmdlet will error with a message stating that the cmdlet does not exist. The following
table shows the initial failure of the Export-Mailbox cmdlet and illustrates the creation
of a management role group.
NOTE In Service Pack 1, the Export-Mailbox cmdlet has been replaced with the
New-ExportRequest cmdlet, which is discussed further in Chapter 32.
PS C:\Users\Administrator> Export-Mailbox -Identity "RomacSign\Larry" -TargetMailbox ExportMailbox -TargetFolder LarrysData
Attempts to export the contents of the specified mailbox to the specified target folder.
NOTE This cmdlet was run by the user Paul Trzaska in the example. Paul does not yet have permission to export mailboxes, so the cmdlet fails. The error is shown in Figure 31-1.
PS C:\Users\Administrator> New-RoleGroup -Name MBExporters -Roles "Mailbox Import Export"
Creates the management role group that will allow role holders to import or export content to and from a user’s mailbox, as shown in Figure 31-2.
NOTE No members have been added to the management role group at this time.
Figure 31-1 Mailbox export fails with error, as seen from EMS
NOTE The Mailbox Import Export management role will be used again in Chapter 32 ,
“Using Mailbox Audit Logging to Monitor Exchange Server,” to test auditing.
Figure 31-2 Creation of the management role group
Another option for the New-RoleGroup cmdlet is to allow the role group members to be
assigned at the time of the role group’s creation, as shown in the following table.
PS C:\Users\Administrator> New-RoleGroup -Name "Recipient Config" -Roles "Mail Recipients", "Distribution Groups" -Members Jim, Karen
Allows role group members to perform some recipient-level configuration, but does not allow them to create or delete mail recipients. They can, however, create, modify, view, and remove distribution groups, as well as add or remove distribution group members in the organization.
NOTE The role group members are added at the time of the role group’s creation in this example.
As shown in the following table, you can remove a management role group with the
Remove-RoleGroup cmdlet.
PS C:\Users\Administrator> Remove-RoleGroup "Recipient Config"
Removes the specified management role group.
Adding Members to the Management Role Group
You can add a member to the newly created management role group in two ways. One way
would be by using the Add-RoleGroupMember cmdlet, as shown in the following table.
PS C:\Users\Administrator> Add-RoleGroupMember "MBExporters" -Member Ed
Adds a member to the specified management role group. You can view the result of this cmdlet from Exchange Control Panel, as shown in Figure 31-3. Ed Nichols is now a member of the MBExporters management role group after this cmdlet has been run.
NOTE This is one way to add a user to the specified management role group.
Figure 31-3 Viewing role group members
The following table shows that you can also use the Role-Based Access Control (RBAC)
User Editor to add a second user in EMC.
1. Proceed to the Toolbox in Exchange Management Console and launch the Role-Based Access Control (RBAC) User Editor.
2. Double-click Role-Based Access Control (RBAC) User Editor and log on as RomacSign\administrator.
3. Click RomacSign\MBExporters and then click Details.
4. Under Members, click Add, select a user (in Figure 31-3, the user is Paul Trzaska), add him to the group, and then click OK.
5. Click Save and close the Internet Explorer window that opened when you launched the Role-Based Access Control (RBAC) User Editor.
This example shows how to open the Role-Based Access Control (RBAC) User Editor.
NOTE This is another way to add the specified user to a management role group.
Figure 31-3 also shows that the user added with the Role-Based Access Control (RBAC) User Editor (Paul Trzaska) appears as a member of the role group.
Now that the user Paul Trzaska has been made a member of the MBExporters group, he
can execute the Export-Mailbox cmdlet that failed earlier. This cmdlet is shown again
in the following table, only with a different outcome.
PS C:\Users\Administrator> Export-Mailbox -Identity "RomacSign\Larry" -TargetMailbox ExportMailbox -TargetFolder LarrysData
Attempts to export the contents of the specified mailbox to the specified target folder.
NOTE This cmdlet succeeds now that Paul has the proper permissions, as shown in Figure 31-4.
Figure 31-4 Mailbox export now succeeds, as seen from EMS
NOTE The Export-Mailbox cmdlet has been replaced in Exchange Server 2010 SP1.
The New-ExportRequest cmdlet replaces it and has new features; however, the concept
of RBAC holds true with SP1, and an administrator does not have the right to
run the cmdlet until he or she is added to a management role group that includes the
Mailbox Import Export role entry.
Retrieving Information about Role Groups and Role Group Members
One of the easiest ways to view and manage the management role group membership
after it has been created is to use Active Directory Users and Computers. Figure 31-5
shows that a third user has been added to the management role group.
Figure 31-5 Viewing the management role group in Active Directory Users and
Computers
TIP The difficult part about working with custom role groups is creating the role
groups. Once they are created, though, managing them is very much like other
Windows groups. You simply need to add a user to the group to convey Exchange
permissions.
Other ways to view information about management role groups and role group members
are shown in the following table.
PS C:\Users\Administrator> Get-RoleGroupMember "MBExporters"
Uses the Get-RoleGroupMember cmdlet to view the membership of a role group. It retrieves a list of all of the members in the specified role group.
PS C:\Users\Administrator> Get-RoleGroup
Uses the Get-RoleGroup cmdlet to retrieve a list of all of the management role groups in your organization.
PS C:\Users\Administrator> Get-RoleGroup "MBExporters" | fl
Retrieves the details for the specified role group, as shown in Figure 31-6.
Figure 31-6 Viewing details for a management role group in EMS
PS C:\Users\Administrator> Get-ManagementRole
Uses the Get-ManagementRole cmdlet to view management roles that have been created in your organization.
PS C:\Users\Administrator> Get-ManagementRole "Mailbox Import Export" | fl Name, RoleType
Retrieves only the specified role and passes the output of the Get-ManagementRole cmdlet to the Format-List cmdlet, which shows only the Name and RoleType attributes for the role.
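Because Mailbox Import Export gives its holders access to other users' mailbox content, a periodic review of who effectively holds it is worth scripting. The following is an added example, not from the book: it expands every assignment of the role to individual users and compares them with an allow list. The $approved list is constructed from the names used in this chapter, and matching on EffectiveUserName is an assumption about how your accounts are named.

```powershell
# Added example (not from the book). Run in Exchange Management Shell.
# PowerShell 2.0 compatible, which is what Exchange 2010 ships with.
$role     = "Mailbox Import Export"
$approved = @("Ed Nichols", "Paul Trzaska")   # constructed allow list

# -GetEffectiveUsers expands role groups and security groups to their members.
# The row that represents the group itself is reported as "All Group Members".
$effective = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne "All Group Members" }

$report = foreach ($entry in $effective) {
    New-Object PSObject -Property @{
        User     = $entry.EffectiveUserName
        Via      = $entry.RoleAssigneeName      # role group or direct assignee
        Type     = $entry.RoleAssigneeType
        Method   = $entry.AssignmentMethod      # Direct, SecurityGroup, RoleGroup
        Approved = ($approved -contains $entry.EffectiveUserName)
    }
}

$report | Sort-Object Approved, User |
    Format-Table User, Via, Type, Method, Approved -AutoSize

# Anyone who holds the role but is not on the allow list needs follow-up.
$unapproved = @($report | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} holder(s) of '{1}' are not on the approved list." -f `
        $unapproved.Count, $role)
}
```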
Setting and Viewing Management Scopes
You can create a management role group scope using the New-ManagementScope cmdlet.
Management role scopes allow you to define what portion of the organization you
can manage when you have been granted management rights. For example, you might
want an administrator to manage only unclassified servers in the Philadelphia location.
You could do this easily by creating a list of servers to be managed.
When you apply a scope, the administrator can only work with the objects contained within
that scope. You can use a management role group, a management role, a management
role assignment policy, a user, or a universal security group with a scope of management.
There are two types of scopes:
■ A regular scope, which is not exclusive. This means that if you are a member of
more than one role group, you may receive additional permissions from other role
groups to which you belong.
■ An exclusive scope, which allows you to deny access to objects contained within
the exclusive scope, unless an administrator is specifically assigned a role associated
with the exclusive scope.
PS C:\Users\Administrator> New-ManagementScope -Name "Philadelphia Unclassified Servers" -ServerList Romac-EX1, Romac-EX2, Romac-EX5
Creates a scope that includes only the specified (unclassified) servers in Philadelphia.
NOTE Administrators can only perform tasks for which they have been granted rights on the servers included in the scope.
PS C:\Users\Administrator> New-ManagementScope -Name "Philadelphia Site Servers" -ServerRestrictionFilter {ServerSite -eq "CN=Philadelphia,CN=Sites,CN=Configuration,DC=romacsign,DC=com"}
Creates a scope for all Philadelphia site servers (classified and unclassified).
NOTE Administrators can perform tasks for all servers located in the Philadelphia Active Directory site.
PS C:\Users\Administrator> New-ManagementScope -Name "Assemblers Mailboxes" -RecipientRoot "romacsign.com/Assemblers" -RecipientRestrictionFilter {RecipientType -eq "UserMailbox"} -Exclusive
Creates a new exclusive scope for management of User mailboxes in the Assemblers OU in Active Directory.
NOTE When you create an exclusive scope, you receive the following warning:
“When you create exclusive management scopes, only users or universal security groups that are assigned exclusive scopes that contain objects to be modified will be able to access those objects. Users or USGs that aren’t assigned an exclusive scope that contains the objects will immediately lose access to those objects. Are you sure you want to create the Assemblers Mailboxes exclusive scope?”
PS C:\Users\Administrator> Get-ManagementScope -Exclusive $true
This example retrieves a list of all exclusive scopes in use within the organization.
CHAPTER 32
Using Mailbox Audit Logging to Monitor Exchange Server
This chapter provides information and commands concerning the following topics:
■ Enabling Mailbox Audit Logging
■ Initiating administrative actions to test Mailbox Audit Logging
■ Initiating a search of the mailbox audit log
In this chapter, you monitor when a delegate accesses another user’s mailbox. It is critical
to monitor when someone other than the owner of the mailbox accesses it to determine
whether he or she is performing appropriate and acceptable tasks on the mailbox
or performing improper actions on the mailbox. This capability is much improved in
Exchange 2010 SP1. For example, a CEO may ask a messaging administrator to allow
her assistant to be able to send mail as the CEO. This delegation is acceptable if the
CEO has approved the action. However, if the messaging administrator were to also give
herself “Send As” permissions to the CEO’s mailbox, this would be unacceptable. The
CEO did not indicate that she wanted the administrator to have that permission.
A new feature called Mailbox Audit Logging allows you to track who logs on to a mailbox
in your organization and view what actions are taken on the mailbox. As you will
see, Mailbox Audit Logging allows you to track three types of user access to another user’s
mailbox.
Enabling Mailbox Audit Logging
You can use Mailbox Audit Logging in Exchange 2010 SP1 to monitor logons to users’
mailboxes and collect data about their actions, even while they are logged on to their
mailboxes. In many cases, you will want to monitor a user’s access to a mailbox other
than his or her own. In addition to logging one user’s access rights to another user’s
mailbox, this commonly could involve logging one user’s access rights to a resource
mailbox. You might want to identify the recipients who currently have rights to the
mailbox and compare this to the approved list of recipients who should have rights to the
mailbox.
One type of mailbox that should definitely be considered a candidate for Mailbox Audit
Logging is the Discovery Search mailbox. Even if no other mailbox is configured with
Mailbox Audit Logging, this one should be configured to ensure that the proper people
are performing only the necessary cross-mailbox searches.
There are three types of individuals for whom you may log access:
■ Mailbox owners (the user of the mailbox)
■ Mailbox delegates (those given rights to the user’s mailbox)
■ Administrators (those who manage the user’s mailbox)
Mailbox Audit Logging is enabled at the mailbox level. You may specify the monitoring
of your users’ actions—accessing the mailbox, moving the mailbox, moving a message
in the mailbox, deleting a message—as well as other information such as the logon type
specified, the client’s IP address, the client’s hostname, and the type of client used to
access the mailbox. For items that were moved, the log entry also includes the name of
the destination folder.
NOTE By default, Mailbox Audit Logging is not enabled for any mailbox. For each mailbox
you want to audit, you must enable audit logging and designate the mailbox owner,
delegate, or administrator actions that you want to audit, as specified earlier.
When you enable Mailbox Audit Logging on a mailbox, an audit log is created for
the mailbox. Each mailbox has a unique audit log. The log entries are stored in the
Recoverable Items folder of the audited mailbox in a folder called Audit. Mailbox audit
log entries are kept in the mailbox for 90 days, by default. This can be modified with
the -AuditLogAgeLimit option. If litigation hold is enabled on a mailbox, audit logs are
retained until the hold is removed. The following table shows how to enable and disable
Mailbox Audit Logging.
PS C:\Users\Administrator> Set-Mailbox -Identity "Jim" -AuditEnabled $true
Enables mailbox auditing for
the specified mailbox.
PS C:\Users\Administrator> Set-Mailbox -Identity "Jim" -AuditEnabled $false
Disables mailbox auditing for
the specified mailbox.
Here are the events that can be logged for owners (users), delegates, and administrators,
as appropriate. The following actions constitute mailbox owner or delegate access to a
mailbox:
■ Accessing a folder in a mailbox
■ Accessing a message in the preview pane or opening a message
■ Copying a message to another folder
■ Deleting a message from the Deleted Items folder
■ Exercising the SendAs permission
■ Exercising the SendOnBehalf permission
■ Moving a message to another folder
■ Moving a message to the Deleted Items folder
■ Permanently deleting a message from the Recoverable Items folder
Here are the events that can be logged for administrators. The following actions constitute
administrator access to a mailbox:
■ Using a New-MailboxExportRequest cmdlet to export a mailbox
■ Using Discovery Search to search a mailbox
■ Using the Microsoft Exchange Server MAPI Editor to access the mailbox
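Enabling auditing with -AuditEnabled alone leaves the choice of logged actions at its defaults; the Set-Mailbox parameters -AuditOwner, -AuditDelegate, and -AuditAdmin select the actions per logon type. The following is an added example, not from the book, that sets them explicitly for the chapter's "Jim" mailbox, covers the Discovery Search mailboxes recommended earlier, and reports which mailboxes are still unaudited. The 180-day retention and the particular action lists are constructed choices.

```powershell
# Added example (not from the book). Run in Exchange Management Shell on
# Exchange 2010 SP1. Set $preview to $false to apply the changes.
$preview  = $true
$mailbox  = "Jim"             # mailbox used in this chapter's examples
$ageLimit = "180.00:00:00"    # constructed value (dd.hh:mm:ss); default is 90 days

# Owner: permanent deletions only. Delegate and Admin: access, send, delete.
# FolderBind = opening a folder, MessageBind = opening/previewing a message
# (MessageBind is logged for administrator logons only).
Set-Mailbox -Identity $mailbox -AuditEnabled $true -AuditLogAgeLimit $ageLimit `
    -AuditOwner    HardDelete `
    -AuditDelegate SendAs, SendOnBehalf, FolderBind, MoveToDeletedItems, SoftDelete, HardDelete `
    -AuditAdmin    Copy, MessageBind, FolderBind, SendAs, SendOnBehalf, HardDelete `
    -WhatIf:$preview

# Discovery Search mailboxes hold cross-mailbox search results; audit them too.
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |
    Set-Mailbox -AuditEnabled $true -WhatIf:$preview

# Confirm what is configured on the mailbox.
Get-Mailbox -Identity $mailbox |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# Coverage gap: every mailbox that still has auditing switched off.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Sort-Object RecipientTypeDetails, Name |
    Format-Table Name, RecipientTypeDetails, Database -AutoSize
```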
Initiating Administrative Actions to Test Mailbox Audit Logging
You can test the logging process by exercising an action normally reserved for an
administrator. In the examples that follow, you will export data to a .pst file. In
Exchange 2003, you used the Exchange utility ExMerge. ExMerge was not PowerShell
capable, so it was retired when Exchange 2007 was released. (The functionality of
ExMerge is contained in three cmdlets in PowerShell: Move-Mailbox , Import-Mailbox ,
and Export-Mailbox .)
Unfortunately, you couldn’t just type Export-Mailbox in Exchange 2007 and export
data to a .pst file. A lot of preparation work had to be performed in order to export data
to a .pst file. There were a great many restrictions and roadblocks. One such roadblock
was that Outlook had to be installed on your server to get the .dll files necessary
for importing and exporting .pst files. Add to that the fact that Import-Mailbox and
Export-Mailbox do not always complete without errors, and also the fact that ExMerge
is no longer a supported tool by Microsoft, and you can see why importing from a .pst
file and exporting to a .pst file have been challenging over the past few years.
The RTM version of Exchange 2010 continued to use the Import-Mailbox and Export-Mailbox cmdlets as Exchange 2007 SP1 did, but that changes with Exchange 2010 SP1.
With Exchange 2010 SP1, the Import-Mailbox and Export-Mailbox cmdlets have been
retired and no longer function on SP1 machines. The replacement cmdlets are New-MailboxImportRequest and New-MailboxExportRequest . (Actually, quite a few other
cmdlets are involved with importing and exporting mailboxes, but these two provide
the main functionality.) The use of these cmdlets is not completely effortless, however.
By default, no one is granted the permissions necessary to import and export data to
and from mailboxes in Exchange 2010 SP1. This includes members of Organization
Management. Therefore, it is necessary to grant permissions as you did in Chapter 31 ,
“Configuring Role-Based Access Control (RBAC) Permissions,” using RBAC management
role groups and role assignments.
The examples shown in the following table export data to a .pst file, and then you see
the effects of Mailbox Audit Logging after the export has completed.
PS C:\Users\Administrator> New-MailboxExportRequest -Mailbox "Jim" -FilePath "\\Romac-DC1\ExportedPST\Jim2010Primary.pst"
Exports the specified user’s primary mailbox to a .pst file on the specified network shared folder.
PS C:\Users\Administrator> New-MailboxExportRequest -Mailbox "Jim" -FilePath "\\Romac-DC1\ExportedPST\Jim2010Archive.pst" -IsArchive
Exports the specified user’s archive to a .pst file on the specified network shared folder.
PS C:\Users\Administrator> New-MailboxExportRequest -Mailbox "Jim" -IncludeFolders "#Inbox#" -FilePath "\\Romac-DC1\ExportedPST\Jim2010Inbox.pst"
Exports all messages from the specified user’s Inbox to the appropriate .pst file.
Figure 32-1 shows the exported .pst files from the preceding examples, which validates
that administrative rights were used by an administrator.
Figure 32-1 Exported .pst files as seen in Windows Explorer
In addition to the New-ImportRequest and New-ExportRequest cmdlets, other new
cmdlets in Service Pack 1 deal with importing and exporting mailboxes, as shown in the
following table.
PS C:\Users\Administrator> Get-MailboxExportRequest
Displays the status of an export request that is in progress. Use this after the New-MailboxExportRequest cmdlet has been executed.
PS C:\Users\Administrator> Get-MailboxExportRequestStatistics
Displays detailed information about export requests that are in progress. This information can be outputted to a .txt or .csv file.
PS C:\Users\Administrator> Remove-MailboxExportRequest
Removes a fully or partially completed export request. Completed export requests aren’t cleared automatically. They need to be removed by using this cmdlet, just like completed mailbox moves must be cleared.
PS C:\Users\Administrator> Resume-MailboxExportRequest
Resumes an export request that was suspended or did not complete successfully.
PS C:\Users\Administrator> Set-MailboxExportRequest
Edits export request options after the initial request has been created.
PS C:\Users\Administrator> Suspend-MailboxExportRequest
Suspends an export request after the request was created but before the request reaches the status of Completed.
PS C:\Users\Administrator> Get-MailboxImportRequest
Displays the status of an import request that is in progress. Use this after the New-MailboxImportRequest cmdlet has been executed.
PS C:\Users\Administrator> Get-MailboxImportRequestStatistics
Displays detailed information about import requests that are in progress. This information can be outputted to a .txt or .csv file.
PS C:\Users\Administrator> Remove-MailboxImportRequest
Removes a fully or partially completed import request. Completed import requests aren’t cleared automatically. They need to be removed by using this cmdlet, just like completed mailbox moves must be cleared.
PS C:\Users\Administrator> Resume-MailboxImportRequest
Resumes an import request that was suspended or did not complete successfully.
PS C:\Users\Administrator> Set-MailboxImportRequest
Edits import request options after the request has been created.
PS C:\Users\Administrator> Suspend-MailboxImportRequest
Suspends an import request after the request was created but before the request reaches the status of Completed.
Initiating a Search of the Mailbox Audit Log
You can also exercise Send As rights to test Mailbox Audit Logging, as shown in the following
table. For example, suppose you investigate a complaint that someone is sending
mail as the VP, Jim Masters. You determine that two people have been granted Send As
permissions to the mailbox. The VP (Jim) states that Paul is legitimately sending mail
as him. So, you search the mailbox audit log for instances of other users sending mail as
the VP. By initiating a mailbox audit log search to asynchronously look for one or more
mailboxes, you can check to see whether the complaint has validity. You can even designate
the search results to be sent to you by email.
NOTE It is not possible to create a mailbox audit log search using Exchange
Management Console (EMC), but you can do it with Exchange Control Panel (ECP) in
Exchange 2010 SP1.
PS C:\Users\Administrator> Search-MailboxAuditLog -Identity "Jim" -ShowDetails | Where-Object {$_.Operation -eq "SendAs"} | fl LogonUserDisplayName, Operation, LastAccessed
Retrieves all “Send As” mailbox audit log entries for the specified user’s mailbox, as shown in Figure 32-2.
Figure 32-2 Searching the mailbox audit log for a user sending mail as another user
As shown in Figure 32-2, Maureen Doyle is sending mail as the VP (in addition to Paul,
who is doing so legitimately).
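The investigation described above has two halves: who currently holds Send As on the mailbox, and who actually used it. The following is an added example, not from the book, that reports both and marks anyone the mailbox owner has not vouched for. The $approved list and the 30-day window are constructed, and matching on display name is an assumption.

```powershell
# Added example (not from the book). Run in Exchange Management Shell on
# Exchange 2010 SP1 with auditing already enabled on the mailbox.
$mailbox  = "Jim"
$approved = @("Paul Trzaska")            # delegates the owner confirmed (constructed)
$since    = (Get-Date).AddDays(-30)      # constructed look-back window

# Part 1: explicit (non-inherited) Send As grants on the mailbox's AD object.
$dn = (Get-Mailbox -Identity $mailbox).DistinguishedName
Get-ADPermission -Identity $dn |
    Where-Object {
        ($_.ExtendedRights -like "*Send-As*") -and
        -not $_.IsInherited -and -not $_.Deny -and
        ($_.User -notlike "NT AUTHORITY\SELF")
    } |
    Format-Table User, ExtendedRights, IsInherited -AutoSize

# Part 2: Send As operations recorded in the mailbox audit log, grouped by
# the account that performed them. -ShowDetails requires -Identity.
$used = Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate, Admin `
            -StartDate $since -EndDate (Get-Date) -ShowDetails |
        Where-Object { $_.Operation -eq "SendAs" } |
        Group-Object LogonUserDisplayName

$report = foreach ($g in $used) {
    New-Object PSObject -Property @{
        User        = $g.Name
        SendAsCount = $g.Count
        LastSeen    = ($g.Group | Sort-Object LastAccessed |
                          Select-Object -Last 1).LastAccessed
        Approved    = ($approved -contains $g.Name)
    }
}

$report | Sort-Object Approved, User |
    Format-Table User, SendAsCount, LastSeen, Approved -AutoSize

# Anyone with Approved = False sent mail as the owner without being vouched for.
$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning ("{0} used Send As on '{1}' {2} time(s); last seen {3}." -f `
        $_.User, $mailbox, $_.SendAsCount, $_.LastSeen)
}
```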
You can use the New-MailboxAuditLogSearch cmdlet to search mailbox audit logs and
have the search results sent by email to a distribution group consisting of the company’s
auditors, if desired, as shown in the following table.
PS C:\Users\Administrator> New-MailboxAuditLogSearch -Name "Possible Admin Abuse" -Mailboxes "Jim" -LogonTypes Admin -StartDate 12/1/2010 -EndDate 12/14/2010 -StatusMailRecipients RomacMBAuditors@romacsign.com -ShowDetails
Creates a mailbox audit log search that looks in the specified mailboxes for administrator logons during the specified dates in search of administrator abuse. Search results are delivered to RomacMBAuditors@romacsign.com via email.
Finally, it is also possible to configure many of these mailbox audit log settings through
the SP1 version of OWA, as shown in Figure 32-3.
Figure 32-3 Mailbox Audit Logging as configured using OWA connected to an
Exchange 2010 SP1 mailbox
CHAPTER 33
Reporting and Other Useful Cmdlets
This chapter provides information and commands concerning the following topics:
■ Obtaining information about a mailbox with Get-MailboxStatistics
■ Retrieving logon information about currently active sessions with Get-LogonStatistics
■ Using other useful cmdlets
In this chapter, you investigate the reporting capabilities of Exchange Management Shell
with two cmdlets: the Get-MailboxStatistics cmdlet and the Get-LogonStatistics cmdlet.
The final section of this chapter includes a list of useful cmdlets.
Obtaining Information about a Mailbox with Get-MailboxStatistics
As shown in the following table, you can use the Get-MailboxStatistics cmdlet to
obtain information about a mailbox, such as the size of the mailbox, the number of messages
it contains, and the last time it was accessed. In addition, you can get the move
history or a move report of a completed move request.
PS C:\Users\Administrator> Get-MailboxStatistics -Identity RomacSign\Paul
Retrieves the mailbox statistics for the specified mailbox by using the user’s account name, as shown in Figure 33-1.
Figure 33-1 Use of the Get-MailboxStatistics cmdlet
PS C:\Users\Administrator> Get-MailboxStatistics -Identity Paul
Retrieves the mailbox statistics for the specified mailbox by using the user’s alias.
NOTE This cmdlet produces identical results as the first example, but uses the alias attribute to identify the mailbox.
PS C:\Users\Administrator> Get-MailboxStatistics -Server Romac-EX1
Retrieves the mailbox statistics for all mailboxes on the specified server, as shown in Figure 33-2.
Figure 33-2 Use of the Get-MailboxStatistics cmdlet with the -Server switch
PS C:\Users\Administrator> Get-Mailbox | Get-MailboxStatistics | Where {$_.TotalItemSize -gt 500MB}
Retrieves the mailbox statistics for all mailboxes over the specified value in
size, as shown in Figure 33-3.
Figure 33-3 Use of the Get-MailboxStatistics cmdlet for filtering by mailboxes greater
in size than 500MB
PS C:\Users\Administrator> Get-MailboxStatistics -Database "AssemblyDB"
Retrieves the mailbox statistics for all mailboxes in the specified mailbox database.
PS C:\Users\Administrator> Get-MailboxStatistics -Server Romac-EX1 | Where {$_.DisconnectDate -ne $null}
Retrieves the mailbox statistics for all disconnected mailboxes.
NOTE The use of -ne in this context means “not equal.”
PS C:\Users\Administrator> Get-Mailbox | Get-MailboxStatistics | Sort-Object TotalItemSize | Select-Object DisplayName, {$_.TotalItemSize.Value.ToMB()} | Export-Csv -Path "C:\Reports\MBSizes.csv"
Retrieves a list of the mailboxes and their sizes in the organization.
TIP To convert the output to MB, use the ToMB option, as shown in Figure 33-4.
(ToGB would also work if you wanted the output converted to GB instead of MB, as
shown in the example.)
Figure 33-4 Outputting a list of mailboxes and their sizes to a .csv file, with the size
converted to MB
PS C:\Users\Administrator> Get-MailboxStatistics -Identity Ed -IncludeMoveHistory | Format-List
Returns the move history for the completed move request for the specified
mailbox in addition to other mailbox statistics, as shown in Figure 33-5.
TIP Use the Format-List option, because Format-Table will truncate the move
history data.
Figure 33-5 Use of the Get-MailboxStatistics cmdlet showing move history
PS C:\Users\Administrator> Get-Mailbox | Get-MailboxStatistics | Where-Object {$_.LastLoggedOnUserAccount -eq "RomacSign\Paul"}
Enables you to view all mailboxes that have -LastLoggedOnUserAccount set to a
specific user account, as shown in Figure 33-6.
TIP This can be helpful when you’re migrating mailboxes. You can determine which
mailboxes have not been logged on to by a user if -LastLoggedOnUserAccount is set to
$null and then not move them.
Figure 33-6 Use of the Get-MailboxStatistics cmdlet showing a user logged on to
another mailbox
PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit "Assemblers" | Get-MailboxStatistics | ft DisplayName,TotalItemSize
Retrieves statistics for all mailboxes in the specified Organizational Unit and then
displays the user and size of mailbox in a table format.
PS C:\Users\Administrator> Get-Mailbox | Get-MailboxStatistics | Where {$_.LastLogonTime -lt (Get-Date).AddDays(-90)} | fl DisplayName,LastLogonTime,LastLoggedOnUserAccount,ServerName
Retrieves a list of mailboxes that have not been accessed in the last 90 days and displays
the list with the specified attributes in a list format.
PS C:\Users\Administrator> Get-Mailbox | Get-MailboxStatistics | Where {$_.LastLogonTime -eq $null} | fl DisplayName,LastLogonTime,LastLoggedOnUserAccount,ServerName
Retrieves a list of mailboxes that have never been logged on to and displays the list with
the specified attributes in a list format.
Retrieving Logon Information about Currently Active Sessions with Get-LogonStatistics
The Get-LogonStatistics cmdlet retrieves logon information about currently active sessions.
As shown in the following table, this cmdlet is run against mailbox servers.
PS C:\Users\Administrator> Get-LogonStatistics -Identity Maureen | ft -AutoSize
Retrieves some information about the specific user.
NOTE This information includes the user name, server name, logon time, and last access
time, as shown in Figure 33-7.
There are multiple entries (three) because the client (Maureen) has connected multiple
times, including one time when she accessed her Personal Archive mailbox.
Figure 33-7 Use of the Get-LogonStatistics cmdlet
PS C:\Users\Administrator> Get-LogonStatistics -Identity Maureen | fl
Retrieves all information about the specific user.
NOTE This information includes the preceding information as well as client mode, client
IP address, and adapter speed.
This cmdlet provides real-time data about the logons.
PS C:\Users\Administrator> Get-LogonStatistics -Server Romac-EX1
Retrieves some information about users with mailboxes on a specific server. This
information includes the user name, server name, logon time, and last access time.
NOTE This example returns logon statistics for all users connected to the specified
server.
PS C:\Users\Administrator> Get-LogonStatistics -Identity Maureen | fl Name, ClientName, ClientVersion, ClientMode
Allows you to determine what version of Outlook is connecting to Exchange, as shown in
the following list.
NOTE The output will be similar to 11.0.8010.8036, which is Outlook 2003 SP2.
TIP Mode = 0 (showing “unknown”) is a pre-Outlook 2003 or BlackBerry client.
Mode = 1 is a client in Online mode. Mode = 2 is a client in Cached Exchange mode.
The recent Outlook version numbers are as follows:
■ Office XP RTM— 10.0.2627.1
■ Office XP SP1— 10.0.3416.0
■ Office XP SP2— 10.0.4115.0
■ Office XP SP3— 10.0.6515.0
■ Office 2003 RTM— 11.0.5604.0
■ Office 2003 SP1— 11.0.6352.0
■ Office 2003 SP2— 11.0.6555.0
■ Office 2003 SP3— 11.0.8161.0
■ Office 2007 RTM— 12.0.4518.1014
■ Office 2007 SP1— 12.0.6211.1000
■ Office 2007 SP2— 12.0.6423.1000
■ Office 2010 RTM— 14.0.4760.1000
PS C:\Users\Administrator> Get-LogonStatistics -Server Romac-EX1 | Where {$_.ClientIPAddress -like "10.5.0.155"}
Retrieves a specific logon session from a specific IP address.
PS C:\Users\Administrator> Get-LogonStatistics -Server Romac-EX1 | Export-Csv "C:\Reports\RomacLoggedOn.csv" | fl
Retrieves a list of currently logged-on users and exports it to a .csv file.
It displays the output in a list format.
Using Other Useful Cmdlets
A lot of other useful cmdlets are available that might not fit into any specific category,
but can be very helpful in a variety of situations. This chapter concludes with a number
of these cmdlets documented in the following tables, in no particular order. Enjoy.
PS C:\Users\Administrator> Get-ActiveSyncDeviceStatistics -Mailbox Paul | fl DeviceType, DeviceUserAgent, LastSuccessSync
Retrieves mobile device information for the specified mailbox.
PS C:\Users\Administrator> Get-MailboxDatabase -Identity *DB* | Get-Mailbox | ft Name,Database
Retrieves a list of all users with mailboxes in databases with “DB” in the name
of the database.
PS C:\Users\Administrator> Send-MailMessage -From [email protected] -To [email protected] -Subject "Test Send" -Body "This example tests the sending of an e-mail via a PowerShell cmdlet" -SmtpServer Romac-EX1.romacsign.com
Sends an email from the specified user to the specified recipient using
a PowerShell cmdlet, as shown in Figure 33-8.
Figure 33-8 Sending mail using a PowerShell cmdlet
The following table lists some other useful cmdlets for the configuration of an
out-of-office schedule or an out-of-office message.
PS C:\Users\Administrator> Get-Mailbox | Select -Expand EmailAddresses | %{$_.SmtpAddress}
Retrieves a list of all SMTP addresses for all users in the organization.
PS C:\Users\Administrator> Get-Mailbox | Export-Csv "C:\Reports\RomacUsers.csv" | fl
Retrieves a list of all mailboxes in the organization and exports the list
(including all attributes) to a .csv file.
NOTE There is no formatting to this text data, other than it is in a .csv format.
PS C:\Users\Administrator> Set-MailboxAutoReplyConfiguration -Identity Maureen -StartTime 12/17/2010 -AutoReplyState Scheduled -EndTime 1/3/2011
Sets up a user’s out-of-office schedule.
PS C:\Users\Administrator> Set-MailboxAutoReplyConfiguration -Identity Maureen -InternalMessage "I am headed to Hawaii for two weeks." -ExternalMessage "I am out of the office for the next two weeks."
Changes a user’s out-of-office message (internal and external) as necessary.
PS C:\Users\Administrator> Get-Mailbox -Server Romac-EX1 | Get-MailboxAutoReplyConfiguration | Where-Object {$_.AutoReplyState -eq "Scheduled"}
Retrieves a list of users who have their out-of-office message turned on,
as shown in Figure 33-9.
NOTE You now even have the ability to change the user’s message, set the audience
(internal or external), and turn the message off using Exchange Management Shell.
Figure 33-9 Finding mailboxes with Out of Office set
The following table shows useful cmdlets for disabling the use of an out-of-office
message and for calculating the amount of whitespace in the databases in your organization.
PS C:\Users\Administrator> Set-MailboxAutoReplyConfiguration -Identity Maureen -AutoReplyState Disabled
Disables the out-of-office message for the specified user.
PS C:\Users\Administrator> Get-MailboxDatabase -Status | Select-Object Server,Name,AvailableNewMailboxSpace
Calculates the amount of whitespace in the databases in your organization,
as shown in Figure 33-10.
Figure 33-10 Calculating the available whitespace in databases
The following table shows some useful cmdlets for several different tasks that you might
want to perform, such as retrieving the name of your Exchange organization, enabling
litigation hold on a mailbox, creating a CAS array, and assigning a database to a specific
CAS array.
PS C:\Users\Administrator> Get-OrganizationConfig | Select Name
Retrieves the name of your organization.
PS C:\Users\Administrator> Set-Mailbox [email protected] -LitigationHoldEnabled $true
Places the specified mailbox on litigation hold.
NOTE It might take up to an hour for the litigation hold to take effect.
PS C:\Users\Administrator> Set-Mailbox [email protected] -LitigationHoldEnabled $false
Removes the specified mailbox from litigation hold.
PS C:\Users\Administrator> New-ClientAccessArray -Name "Philadelphia CAS Array" -Fqdn "outlook.romacsign.com" -Site "Philadelphia"
Creates a CAS array to load-balance MAPI traffic.
You would load-balance your CAS servers in a CAS array by using either hardware load
balancing or Windows Network Load Balancing (NLB). You would then create a MAPI A
record in your internal DNS infrastructure that resolves to the Virtual IP Address (VIP)
of the CAS array.
You would configure your load-balancing array to load-balance the MAPI RPC ports
TCP (135), UDP/TCP (6005–65535), or you could set static ports.
PS C:\Users\Administrator> Set-MailboxDatabase AssemblyDB -RpcClientAccessServer "outlook.romacsign.com"
Sets the RpcClientAccessServer property to match the newly created CAS array.
NOTE You need to do this for any databases that were created before the CAS array
was created.
PS C:\Users\Administrator> Get-DistributionGroup | Select Name,HiddenFromAddressListsEnabled | Where {$_.HiddenFromAddressListsEnabled -eq $true}
Retrieves a list of all distribution groups that are hidden from address lists.
PS C:\Users\Administrator> Get-Mailbox | Add-MailboxPermission -AccessRights FullAccess -User Paul
Grants full-access permissions for all mailboxes to the specified user.
PS C:\Users\Administrator> Get-Mailbox -OrganizationalUnit "Assemblers" | Add-MailboxPermission -AccessRights FullAccess -User Jim
Grants full-access permissions for all mailboxes in the specified OU to the specified user.
PS C:\Users\Administrator> Get-Mailbox | Add-ADPermission -ExtendedRights "Send As" -User Paul
Grants “Send As” permissions for all mailboxes to the specified user.
PS C:\Users\Administrator> Set-ExchangeServer -Identity "Romac-EX1" -ProductKey "Enter Product Key Here"
Adds your product key to a new Exchange server.
NOTE You must restart the Microsoft Exchange Information Store service after
entering the product key.
PS C:\Users\Administrator> Get-MailContact -OrganizationalUnit "RomacSign/Assemblers" | Set-MailContact -HiddenFromAddressListsEnabled $true
Hides all contacts in the specified OU from address lists.
PS C:\Users\Administrator> Clean-MailboxDatabase -Identity AssemblyDB
Scans Active Directory for any disconnected mailboxes that have not yet been marked as
“Disconnected” in the Microsoft Exchange store. It updates the status of those mailboxes
in the Exchange store.
NOTE The Information Store service must be running and the database must be mounted
for this cmdlet to function without errors.
PS C:\Users\Administrator> Get-ExchangeServer | ?{$_.IsHubTransportServer -eq $true} | Get-Queue | Get-Message | Remove-Message -WithNdr $false
Removes all messages from all queues on your Hub Transport servers.
NOTE This might be useful in a lab environment.
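The bulk FullAccess grants in the preceding table leave one account able to open many mailboxes, so the result is worth reviewing afterward. The following is an added example, not from the book: it reduces permission entries shaped like Get-MailboxPermission output to explicit FullAccess grants and counts mailboxes per grantee. The function names, the threshold value, and the sample entries are constructed for illustration.

```powershell
# Added example, not from the book. Entries are shaped like Get-MailboxPermission
# output: Identity, User, AccessRights, IsInherited, Deny.

function Get-ExplicitFullAccessGrant {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Entry
    )
    process {
        # AccessRights may arrive as an array, an enum value, or one
        # comma-separated string; normalise it to a flat list of right names.
        $rights = @($Entry.AccessRights | ForEach-Object { "$_" -split '\s*,\s*' })
        $user   = "$($Entry.User)"

        if ($rights -notcontains 'FullAccess') { return }  # some other right
        if ($Entry.Deny)                       { return }  # Deny entries grant nothing
        if ($Entry.IsInherited)                { return }  # set at a higher level, not on this mailbox
        if ($user -eq 'NT AUTHORITY\SELF')     { return }  # the owner's own entry

        New-Object PSObject -Property @{ Mailbox = "$($Entry.Identity)"; User = $user }
    }
}

function Get-FullAccessSummary {
    # Lists grantees holding explicit FullAccess on at least $Threshold mailboxes.
    # The threshold is an assumed review cut-off, not an Exchange setting.
    param([object[]]$Grant, [int]$Threshold = 2)
    $Grant | Group-Object User |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'User'; Expression = { $_.Name } },
                      @{ Name = 'MailboxCount'; Expression = { $_.Count } }
}

# Constructed sample entries standing in for Get-MailboxPermission output,
# so the example runs without an Exchange server.
function New-SampleEntry($Identity, $User, $Rights, $Inherited, $Deny) {
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; AccessRights = $Rights
        IsInherited = $Inherited; Deny = $Deny
    }
}

$sample = @(
    (New-SampleEntry 'Ed'      'NT AUTHORITY\SELF'       @('FullAccess', 'ReadPermission') $false $false),
    (New-SampleEntry 'Ed'      'RomacSign\Paul'          @('FullAccess')                   $false $false),
    (New-SampleEntry 'Maureen' 'RomacSign\Paul'          @('FullAccess')                   $false $false),
    (New-SampleEntry 'Maureen' 'RomacSign\Domain Admins' @('FullAccess')                   $true  $true),
    (New-SampleEntry 'Jim'     'RomacSign\Paul'          @('FullAccess')                   $false $false),
    (New-SampleEntry 'Jim'     'RomacSign\Maureen'       @('ReadPermission')               $false $false),
    (New-SampleEntry 'Paul'    'RomacSign\Jim'           'FullAccess, ReadPermission'      $false $false)
)

# Against a live organization, replace $sample with:
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission
$grants = @($sample | Get-ExplicitFullAccessGrant)

# Every explicit grant, then the accounts that reach two or more mailboxes.
$grants | Sort-Object User, Mailbox | Format-Table Mailbox, User -AutoSize
Get-FullAccessSummary -Grant $grants -Threshold 2 | Format-Table -AutoSize
```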
APPENDIX A
Lab Environment Used for This Book
You may not be able to (or want to) use your production environment for working with
cmdlets as you write and test them. For this reason, I have included a brief description of
the lab environment I used in the writing of this book. Although this is the environment
I used, you have a number of options in addition to this one. I used a virtual platform so
that I could have multiple servers up and running at the same time. I also needed it to
run on my laptop because I travel extensively.
The Platform on Which the Virtual Machines Ran During the Writing of This Book
I initially thought of using Microsoft’s Hyper-V platform, but that requires Windows
Server 2008, and my laptop runs Windows 7. I decided that I did not want to install
Server 2008 on my laptop. I also looked at Windows Virtual PC, the new version of
Microsoft Virtual PC available natively in some Windows 7 editions, but that only
allows for 32-bit virtual machines (VMs), and of course Exchange Server 2010 only runs
on 64-bit platforms. Therefore, I decided to try Oracle’s Virtual Box, which allows for
64-bit VMs to run on a 64-bit Windows 7 physical host. Virtual Box is a free download
from http://www.virtualbox.org/, and I used the current version (which was 3.2.12, as of
the writing of this book).
My laptop is a two-year-old Dell D630 with 8GB of RAM. It has two internal 320GB
hard drives that are spinning at 7200 RPM. I separated the virtual environment (Drive
2) from the operating system and page file (Drive 1). With VMs, more RAM and faster
disk speed dramatically improve performance and allow more VMs to run simultaneously.
This met my two main objectives:
■ Having multiple Exchange servers with enough resources to have at least three
VMs running simultaneously and still maintain acceptable performance.
■ Installed on my laptop so it would travel with me (and not require Internet
connectivity).
The Lab Environment Used in this Book
Romac Sign Company was my father’s actual company before he and his partner passed
away. The company was based in Philadelphia, Pennsylvania, and came into existence
long before the Internet. I registered the domain name RomacSign.com for use in this
book, so that you may use the actual examples in this book without fear of using
someone’s real domain name on your lab’s Exchange servers. Here’s a list of the servers you
will need (running either physically or virtually) to fully perform all of the cmdlets in
this book:
■ Romac-DC1— A Windows Server 2008 R2 machine running AD DS (Active
Directory Domain Services).
■ Romac-EX1— A Windows Server 2008 R2 machine running the Mailbox, Hub
Transport, and Client Access Server roles with the RTM version of Exchange
Server 2010.
■ Romac-EX2— A second Windows Server 2008 R2 machine running the Mailbox,
Hub Transport, and Client Access Server roles with the RTM version of Exchange
Server 2010.
■ Romac-EX3— A Windows Server 2008 R2 machine running the Mailbox, Hub
Transport, and Client Access Server roles with Service Pack 1 for Exchange
Server 2010. (This server is optional; if you do not plan on using Service Pack 1
yet, you may omit this server.)
■ Romac-EX4— An additional Windows Server 2008 R2 machine running the
Mailbox, Hub Transport, and Client Access Server roles with the RTM version of
Exchange Server 2010. (This server is optional; you could use either Romac-EX1
or Romac-EX2 in place of this server. It was more convenient to just use a clone
of one of my VMs after the DAG had been created than to remove the DAG.)
■ Romac-EX5— Similar to Romac-EX4, this is an additional Windows Server 2008
R2 machine running the Mailbox, Hub Transport, and Client Access Server roles
with the RTM version of Exchange Server 2010. (This server is also optional; you
could use either Romac-EX1 or Romac-EX2, as was the case with Romac-EX4.)
■ Romac-CL1— A Windows 7 Enterprise Edition machine running Outlook 2010.
■ Romac-ET1— A Windows Server 2008 R2 machine running the Edge Transport
role with the RTM version of Exchange Server 2010.
At this point, your lab environment would appear as represented in Figure A-1.
Figure A-1 Romac Sign Company Exchange 2010 lab
[Figure: diagram of the lab showing the Primary DataCenter, DMZ, and Internet zones with
Romac-ET1, Romac-EX1 through Romac-EX5, Romac-DC1, and Romac-CL1.]
The aforementioned machines may all use evaluation software and do not have to be
activated. If the evaluation period is close to expiration, simply run slmgr -rearm
from cmd.exe, reboot the VM, and you will extend the grace period.
NOTE There is a limit as to the number of times you can extend the grace period.
Creating Test Users and Mailboxes for the Lab Environment
Use the following text along with the .ps1 file to populate your Active Directory
environment and give the newly created users Exchange mailboxes if you wish to have some
test mailboxes to practice your cmdlets. Copy the exact text that follows and save it as
C:\Users\Administrator.RomacSign.com\management.csv.
NOTE If you do not use the same path indicated here, you may save the file to any
location for which you have permission. Alter the path for the $csvfile variable in the
management.ps1 script to reflect the alternate path you have chosen.
FirstName,LastName,Password,OU
Gary,Hoadley,Pa$$w0rd,Management
Larry,Ludin,Pa$$w0rd,Management
Leo,Weishew,Pa$$w0rd,Management
Jim,Schaffer,Pa$$w0rd,Management
Tess,Hines,Pa$$w0rd,Management
Janet,Buhler,Pa$$w0rd,Management
Madge,McCann,Pa$$w0rd,Management
Teresa,Crawford,Pa$$w0rd,Management
Use the following script to create the users and mailboxes. If you save it as a .ps1 file, it
will be executable from PowerShell. In the example that follows, save the script as
C:\Users\Administrator.RomacSign.com\management.ps1.
NOTE If you do not use the same path indicated here, you should save this file to the
same alternate location you used when you saved the management.csv file earlier.
Figure A-2 shows the result of running the management.ps1 file.
Figure A-2 New users and mailboxes created with the management.ps1 file
If you are performing these steps, you will need to create an OU called “Management”
and a database called “ManagementDB” on Romac-EX1 before running the
management.ps1 script.
To create the OU, follow these steps:
1. Open Active Directory Users and Computers and right-click your domain. (In
the lab environment used to create this book, this is RomacSign.com.)
2. Select New and then select Organizational Unit.
3. In the Name box, type Management.
4. Accept all other defaults and click OK to complete the creation of the
Management OU.
To create the database, follow these steps:
1. Open Exchange Management Console, right-click Mailbox beneath
Organization Configuration, and select New Mailbox Database.
2. In the Mailbox database name box, type ManagementDB.
3. Browse to one of your mailbox servers. (In the preceding example, Romac-EX1
was used.)
4. With the server selected, click OK.
5. Click Next, accept the default paths and all other default options, and then click
Next again.
6. Click New and then click Finish.
TIP Better yet, why not use the techniques you learned in Chapter 14, “Mailbox
Servers and Databases,” to create and mount the database?
## Section 1
## Define the Database for your new mailboxes
$db="ManagementDB"
## Define the User Principal Name for your users
$upndom="romacsign.com"
## Define OU for your new users
$ou="Management"
## Define the CSV File with the user information in it
$csvFile="C:\Users\Administrator.RomacSign.com\management.csv"
## Section 2
## Import the CSV file into the variable $users
$users = Import-CSV $csvFile
## Section 3
## Function to convert Password string to secure string
function SecurePassword([string]$plainPassword)
{
    $secPassword = new-object System.Security.SecureString
    Foreach($char in $plainPassword.ToCharArray())
    {
        $secPassword.AppendChar($char)
    }
    $secPassword
}
## Section 4
## Create new mailboxes and users
foreach ($i in $users)
{
    $sp = SecurePassword $i.Password
    $upn = $i.FirstName + "@" + $upndom
    ## Display name (first and last name); computed here but not passed to New-Mailbox
    $display = $i.FirstName + " " + $i.LastName
    ## The backtick (`) continues the New-Mailbox command on the next line
    New-Mailbox -Password $sp -Database $db -UserPrincipalName $upn `
        -Name $i.FirstName -FirstName $i.FirstName -LastName $i.LastName `
        -OrganizationalUnit $ou
}
Conclusion
Most of the examples in the book could run very well on a single server running both the
Active Directory and Exchange Server 2010, if you do not have the time or resources to
set up a fully functional lab. (Keep in mind that it is highly recommended that the Active
Directory Domain Controller and the Exchange Server do not coexist on the same
physical or virtual machine in the real world for a variety of reasons.)
I chose a private addressing scheme that should be unique to most of you, so that the lab
would not conflict with your own internal addressing scheme in your company;
however, this can be customized as you wish. The subnet used in this book is 10.5.0.0/16 and
includes the range of IP addresses 10.5.0.1 to 10.5.255.254.
If you use machines that are similar to the ones I used in each chapter, you could have
your lab PCs running (either physically or virtually) so that you can type the cmdlets
as you read them in the book. Hopefully, you will see similar results when you execute
them as I did when I wrote the chapters.
In any case, I feel that it will be invaluable to have at least one Exchange 2010 server
available to practice the cmdlets you learn in this book. This is especially true when you
are working with Exchange Management Shell at the outset. It is likely that you will
have problems with syntax and will need to work with your cmdlets in order to achieve
the desired results. There is no doubt that working with Exchange Management Shell in
the beginning can be a challenging and admittedly frustrating experience. You may want
to run back to the comfort and safety of Exchange Management Console, but give the
Shell a fair shake. With a little time spent learning and practicing your cmdlets, you will
realize what an amazingly powerful command-line shell Microsoft has brought to the
messaging environment.
APPENDIX B
Create Your Own Journal Here
Use this appendix to make notes about your day-to-day tasks and information specific to
your job to make this journal truly your own.
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
ptg6842824
378 Appendix B
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
ptg6842824
Appendix B 379
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________
_______________________________________________________________________