Wednesday, September 29, 2010

OCS September 2010 Updates Released (CU7)

The latest round of OCS updates is available for download.  Only a few of the components were updated.  Most notable in this round is the update to the troubled CU6 Response Group Service patch, which got CU6 pulled soon after it was released.  Here are the details…

Server Updates – KB 968802

  • Administration Tools
  • Core Components
  • Response Group Service
  • UC Managed API 2.0 Core Redist
  • Web Components Server

As always, the easiest way to make sure your server is up to date across all components is to use the Cumulative Server Update Installer (ServerUpdateInstaller.exe package).

Wednesday, September 22, 2010

Exploring Litigation and Retention Hold in Exchange 2010 SP1

Exchange 2010 SP1 has added some nice features to manage litigation hold and retention hold.  This post will review each topic and demonstrate the additional ways to administer these features. 

Litigation Hold – If an organization needs to preserve all email for a given mailbox, they can choose to place the mailbox on litigation hold.  When a mailbox is on litigation hold, this does not prevent the user from deleting email from their Outlook view.  “Deleted” emails will ultimately end up in the Purges folder of the mailbox dumpster.  The Purges folder of the dumpster is not searchable by the user, but is searchable by the eDiscovery tools built into Exchange. 

So why would we not want the user to know that they have been placed on litigation hold?  Well, some companies do not want to let their employees know that their mailbox is on litigation hold.  Below I will show a way to notify the user that their mailbox has been placed on litigation hold if desired.

Before SP1, litigation hold could only be managed through the EMS.  While that option is still available, SP1 allows administrators to configure litigation hold through the EMC or ECP.

Within the mailbox properties in the EMC on the Mailbox Settings tab, we can open the properties of the Messaging Records Management feature.

User - Mailbox settings-markup

Here we can enable/disable the mailbox for litigation hold.  Also if you want your user to know that their mailbox has been placed on litigation hold, you can add a comment.

Litigation Hold - EMC-comment-markup

From the ECP, the administrator can also configure these settings by opening the mailbox details.

Litigation Hold - ECP

The comment can be viewed within Outlook by selecting File from the Menu:

litigation Hold - outlookview-markup

Exchange 2010 SP1 also includes many new auditing reports located in the ECP.  A litigation hold report is available to monitor litigation hold status changes on mailboxes.

litigation hold-report-markup

Note that if a user has a Personal Archive defined in Exchange, litigation hold will apply to the archive mailbox as well.  More information about the Purges folder in the dumpster can be found at Exchange Team Blog: Single Item Recovery in Exchange 2010

Retention Hold – Messaging Records Management (MRM) is becoming more common.  MRM can be used to enforce mailbox cleanup, retention, or compliance requirements.  What happens if a user is on an extended leave of absence or vacation?  We wouldn’t want their email getting “managed” before they have a chance to review it.  Administrators have the option to place a mailbox on Retention Hold.  This will prevent MRM policies from running against the mailbox.

Within the mailbox properties in the EMC on the Mailbox Settings tab, we can open the properties of the Messaging Records Management feature.  Here we can enable/disable the mailbox for retention hold.  Also if you want your user to know that their mailbox has been placed on retention hold, you can add a comment.

Retention Hold - EMC-markup

Note that you can enable the Retention Hold indefinitely or schedule a time period.

Within Outlook, the user will notice that their mailbox has been placed on retention hold in two places.  On the File Menu they will see if the administrator configured a comment:

Retention Hold - outlookview-markup

Also, on an email that has a retention policy applied, the expiration of the email will state “Expiration Suspended”.

Retention Hold - email-markup

With Exchange 2010 SP1, administration of Litigation Hold and Retention Hold has become much easier and more visible.
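The hold settings described above can also be set and audited from the EMS. The following is an added example, not part of the original post; it assumes an Exchange 2010 SP1 Management Shell session, and the mailbox names jdoe and asmith, the comment text, the 30-day window and the output file name are placeholders.

```powershell
# Added example: run from the Exchange Management Shell (Exchange 2010 SP1).
# 'jdoe', 'asmith', the comment text and the CSV name are placeholders.

# Litigation hold with a comment that the user will see in Outlook.
Set-Mailbox -Identity 'jdoe' -LitigationHoldEnabled $true `
    -RetentionComment 'Your mailbox has been placed on litigation hold.'

# Retention hold scheduled for a fixed window (30 days here) rather than indefinitely.
$start = Get-Date
Set-Mailbox -Identity 'asmith' -RetentionHoldEnabled $true `
    -StartDateForRetentionHold $start `
    -EndDateForRetentionHold ($start.AddDays(30))

# Audit: every mailbox with either hold set, flagging retention holds that
# have no end date or whose end date has already passed, so that a hold set
# for a leave of absence is not forgotten.
$now = Get-Date
$report = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or $_.RetentionHoldEnabled } |
    ForEach-Object {
        $note = ''
        if ($_.RetentionHoldEnabled -and -not $_.EndDateForRetentionHold) {
            $note = 'Retention hold has no end date'
        }
        elseif ($_.RetentionHoldEnabled -and $_.EndDateForRetentionHold -lt $now) {
            $note = 'Retention hold end date has passed'
        }
        New-Object PSObject -Property @{
            Mailbox          = $_.Name
            LitigationHold   = $_.LitigationHoldEnabled
            HoldSetOn        = $_.LitigationHoldDate
            HoldSetBy        = $_.LitigationHoldOwner
            RetentionHold    = $_.RetentionHoldEnabled
            RetentionHoldEnd = $_.EndDateForRetentionHold
            Comment          = $_.RetentionComment
            Note             = $note
        }
    }

$report |
    Select-Object Mailbox, LitigationHold, HoldSetOn, HoldSetBy,
                  RetentionHold, RetentionHoldEnd, Comment, Note |
    Export-Csv -Path 'HoldAudit.csv' -NoTypeInformation
```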

Friday, September 17, 2010

Troubleshooting the Client Access Server

Many of us are familiar with troubleshooting the CAS services from outside our network using the Exchange Remote Connectivity Analyzer, but what about testing internally?  Or testing specific virtual directories such as the ECP?  There are some great built-in PowerShell cmdlets that make troubleshooting the CAS much easier.

I would like to go through these one by one and show examples of each.  More information can be seen by clicking each cmdlet below.

Before we get started, many of these cmdlets rely on utilizing a test mailbox.  This mailbox is not created by default.  If you try to run a cmdlet that requires the test mailbox, you will see the following error: MailboxNotFoundException

CAS-user_error

A script is available to help generate the test mailbox for you.  From the Scripts folder where Exchange is installed, in my case C:\Program Files\Microsoft\Exchange Server\V14\Scripts\, run the New-TestCasConnectivityUser.ps1 script.

CAS-test user

Now that the test mailbox is created, let’s look at the different cmdlets.

Test-ServiceHealth – This should be run first in any troubleshooting scenario.  This cmdlet lists each Exchange role, the services that role requires to function properly, and which of those services are not running.

CAS-test-Services-before-mark2

In my example, you will see that the Exchange Forms Based Authentication service is not started.  After starting this from the services console, I run the cmdlet again and everything looks normal.

CAS-test-Services-after

Test-MapiConnectivity – This is the next command that should be run to verify that mailbox access is working.  Note that a | format-list can be added to any command to get more detailed information.

CAS-test-mapiconn

Test-OutlookConnectivity – Will verify that OWA is running and can be used to test all virtual directories or individual ones.  In this example I am testing HTTP connectivity; TCP can also be specified.

CAS-test-outlookconn-http

Test-OutlookWebServices – Verifies the service information returned by Autodiscover for the Availability Service, Outlook Anywhere, OAB, and UM

CAS-test-outlookwebserv-con

Test-WebServicesConnectivity – Tests EWS functionality.

CAS-test-webservices

Test-EcpConnectivity – Verifies connectivity to the Exchange Control Panel.

CAS-test-ecp

Test-ActiveSyncConnectivity – Performs a full mailbox synchronization to verify health of ActiveSync

CAS-test-AS

Test-PowerShellConnectivity – Test whether PowerShell remoting on a target CAS server is healthy

CAS-test-powershell

Also available are the Test-ImapConnectivity and Test-PopConnectivity if you are supporting those protocols.  Always remember to use the Best Practices Analyzer report from the Toolbox as well.
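The checks above can be chained into a single sweep that prints only what needs attention. This is an added example, not part of the original post; it assumes it is run in the EMS on the Client Access server after the test mailbox has been created, and it covers only the test cmdlets whose output carries a Result property.

```powershell
# Added example: run in the Exchange Management Shell on the CAS, after
# New-TestCasConnectivityUser.ps1 has created the test mailbox.

# 1. Services first: show each role that has a required service stopped.
Test-ServiceHealth |
    Where-Object { -not $_.RequiredServicesRunning } |
    Format-Table Role, ServicesNotRunning -AutoSize

# 2. Connectivity tests, in the order used in the post.
$tests = @(
    @{ Name = 'MAPI';        Run = { Test-MapiConnectivity -ErrorAction Stop } },
    @{ Name = 'Outlook/HTTP'; Run = { Test-OutlookConnectivity -Protocol Http -ErrorAction Stop } },
    @{ Name = 'EWS';         Run = { Test-WebServicesConnectivity -ErrorAction Stop } },
    @{ Name = 'ECP';         Run = { Test-EcpConnectivity -ErrorAction Stop } },
    @{ Name = 'ActiveSync';  Run = { Test-ActiveSyncConnectivity -ErrorAction Stop } }
)

$report = foreach ($t in $tests) {
    try {
        # A test can return several rows (one per scenario or database).
        foreach ($r in (& $t.Run)) {
            New-Object PSObject -Property @{
                Test   = $t.Name
                Result = "$($r.Result)"
                Detail = "$($r.Error)"
            }
        }
    }
    catch {
        # For example MailboxNotFoundException when the test mailbox is missing.
        New-Object PSObject -Property @{
            Test   = $t.Name
            Result = 'Error'
            Detail = $_.Exception.Message
        }
    }
}

# 3. Show only the rows that did not succeed.
$report |
    Where-Object { $_.Result -ne 'Success' } |
    Format-Table Test, Result, Detail -AutoSize -Wrap
```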

Monday, September 13, 2010

Announcing Microsoft Lync Server 2010

lynclogo2

Is Lync Server a new product?  Yes and No.  Lync Server is the successor to Microsoft Office Communications Server 2007 (and R2).  Lync Server takes OCS much farther and adds all the additional functionality needed for companies to think about replacing their PBXs and adding true Unified Communications features.  You should not think about UC as a VoIP product.  While that is a huge part of it, UC is the merging of all communication modality types into a unified user and client experience.  UC is designed to transform business processes and enable businesses to be more efficient and productive.  Lync Server 2010 is the answer!

Download the Public Release Candidate HERE

Some of the new functionality (not inclusive) added to Lync Server (since OCS 2007 R2):

  • Complete Virtualization support
  • PowerShell and Role Based Access Control (RBAC) management
  • Easier/Better high availability and survivability options
  • Enterprise Voice centric:
    • Call Admission Control
    • Media Bypass
    • Branch Office Survivability
    • E911
    • Improved Response Group flexibility and functionality
    • Call Park
    • Malicious Call Trace
    • Larger IP device support
  • Redesigned client experience with deeper integration with SharePoint and Exchange
  • New features and client experience for Web and Dial-in conferencing

Check out these videos to get a sneak peek:

  1. IM and Presence
  2. Conferencing
  3. Enterprise Voice
  4. Platform Extensibility
  5. High Definition
  6. Client Extensibility

I know this list does not give as much detail as you want immediately.  Future blog posts will cover many of these features in more detail.  For more information now, you can check  out these links:

Check out the Microsoft Lync Server 2010 homepage for further information.

Thursday, September 9, 2010

Exchange 2007 SP3 Update Rollup 1 Available

An update for Exchange 2007 SP3 has just been released and can be downloaded at: Exchange 2007 SP3 Update Rollup 1 Download

For the list of all the included fixes (looks like a lot of them), see KB 2279665

If you have a clustered environment, please see this article: Applying Exchange 2007 Update Rollups to Clustered Mailbox Servers

Email Address Policies and Mailbox Moves

Fact: Email Address Policies (EAPs) will apply during a mailbox move.  While everyone is currently planning their Exchange migrations to Exchange 2010 :), you will want to take some time to look at your EAPs and the users that are exceptions to the policies.  The last thing you want is that call right after the migration saying “my email address has changed.”

So for this example, let’s suppose we are migrating users from Exchange 2003 to 2010.  Here is the current EAP (or recipient policy in 2003) defined, note that alias@lab.local is defined as the primary email address:

EAP-2003-before

Now let’s look at an Exchange 2003 user that has a non-standard primary SMTP address: Joe-Cool@lab.com

EAP-2003-user-before

If we migrate this user to Exchange 2010, the EAP is applied and the user’s primary SMTP address is automatically changed to jdoe@lab.local :

EAP-2003-user-after-2010view

The easy fix is to uncheck the “Automatically update e-mail addresses based on e-mail address policy” in the user’s profile settings before the mailbox is migrated.

EAP-2003-user-postscript-markup

So, I said “easy fix”, but what if you have 25,000 users and are supporting multiple SMTP domains?  We can use PowerShell to identify those mailboxes and disable the EAP from being applied to them.  Below is a script that will list all users whose primary SMTP address does not match the EAP.

###########################################################
# Find users that have a primary smtp address that doesn't match EAP
# There is no warranty, use at your own risk
# Author: Tim Harrington http://HowDoUC.blogspot.com
# Note: This script must be run on an Exch 2007/2010 server
##########################################################

# Find all recipient mailbox users
$users = Get-User -RecipientTypeDetails UserMailbox,LegacyMailbox -ResultSize Unlimited

# Generate the default EAP address from the user information and compare it to the primary SMTP address
foreach ($mbx in $users) {
    # Replace DefaultSMTPdomain.com with the SMTP domain your EAP applies
    $DefaultEAP = $mbx.SamAccountName + "@DefaultSMTPdomain.com"

    # For firstname.lastname use:
    # $DefaultEAP = $mbx.FirstName + "." + $mbx.LastName + "@DefaultSMTPdomain.com"

    $primarysmtp = $mbx.WindowsEmailAddress
    if ($DefaultEAP -ne $primarysmtp) {

        # If the values are different, write the mailbox to the screen and to a text file
        Write-Host $mbx.SamAccountName, $DefaultEAP, $primarysmtp
        Add-Content -Path EAPMisMatchusers.txt -Value ("Name: " + $mbx.SamAccountName), ("Def. Pol.: " + $DefaultEAP), ("Current: " + $primarysmtp), (" ")

        # Optionally, to stop the EAP from being applied to this mailbox, uncomment the next line.
        #Set-Mailbox -Identity $mbx.SamAccountName -EmailAddressPolicyEnabled:$false
    }
}

#############################################################

Running the PowerShell script produces the following output and can disable the EAP from applying:

EAP-script

Now any mailbox that is migrated will keep its current primary SMTP address configuration in place during the migration.

Wednesday, September 1, 2010

ActiveSync Device Access Rules in Exchange 2010 SP1

Personal smartphones are becoming more and more common in business environments.  Companies have always struggled with managing who should have the ability to sync their phones and who can’t and what types of phones are allowed.  Exchange 2010 SP1 has made it very easy for the administrator (or any other appointed person) to approve or block specific users or phones from utilizing ActiveSync.  This post will not go into the specific feature policies, but will only examine connectivity policies.

By default ActiveSync is enabled for everyone and every type of device.  Let’s start off by configuring all devices that attempt to connect via ActiveSync into a quarantine for administrator approval.

From EMS we can run the following command to set the default access level to Quarantine for all devices and to notify the Administrator when a device tries to connect:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients AdminEmailAddress

EAS-OrgSetting-Quar

This can also be achieved through ECP:

EAP-PolicyECP

Then selecting the Edit button:

EAP-PolicyDefault

When a device tries to connect, the device/user receives a notice that their phone is in quarantine, and the administrator gets an email notifying them to take action on the device:

Device/User notification:

EAP-ClientBlockEAP-ClientBlock-Email

Administrator notification:

EAP-AdminEmail

Once the administrator clicks the provided link to take action on the device, the ECP will launch and the administrator can decide to Allow or Block the device:

EAP-AdminECP-markup

With the new ActiveSync Access controls, the administrator can also make rules to automatically allow or block specific types of devices.  The default organization settings will be applied if a specific rule does not match.  In our example, we will configure any “PocketPC” device to automatically get blocked.  The query string can be based off of the device type or device model.  From the EMC:

New-ActiveSyncDeviceAccessRule -AccessLevel Block -Characteristic DeviceType -QueryString PocketPC

EAP-DevicePolicyBlock

This rule can also be created in the ECP:

EAP-DevicePolicyBlock-ECP

Now when a user tries to connect their device that matches the new ActiveSync Access Rule, the device will not sync and the user receives an email:

EAP-BlockEmail

From the partnership status in ECP, they can also see the details:

EAP-Block-partnershipstatus-markup

Exchange 2010 SP1 has allowed for much easier and granular management of ActiveSync device access control!
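The quarantine workflow above can also be reviewed and actioned from the EMS instead of the ECP link. This is an added example, not part of the original post; it assumes an Exchange 2010 SP1 Management Shell session, and the mailbox name jdoe is a placeholder.

```powershell
# Added example: run from the Exchange Management Shell (Exchange 2010 SP1).
# 'jdoe' is a placeholder mailbox.

# Confirm the organization default and the device access rules in force.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, AdminMailRecipients
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize

# All device partnerships, with the access state as a plain string.
$devices = Get-ActiveSyncDevice -ResultSize Unlimited

# Devices waiting in quarantine for an administrator decision, oldest first.
$pending = $devices | Where-Object { "$($_.DeviceAccessState)" -eq 'Quarantined' }
$pending | Sort-Object FirstSyncTime |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime -AutoSize

# Quarantined devices counted by type and model: a type that keeps showing up
# is a candidate for an explicit allow or block rule instead of manual review.
$pending | Group-Object DeviceType, DeviceModel |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Blocked devices and why (organization default, device rule, or per-user setting).
$devices | Where-Object { "$($_.DeviceAccessState)" -eq 'Blocked' } |
    Format-Table UserDisplayName, DeviceType, DeviceAccessStateReason, DeviceAccessControlRule -AutoSize

# Allow one user's quarantined device (the EMS equivalent of Allow in the ECP).
$device = Get-ActiveSyncDevice -Mailbox 'jdoe' |
    Where-Object { "$($_.DeviceAccessState)" -eq 'Quarantined' } |
    Select-Object -First 1
if ($device) {
    Set-CASMailbox -Identity 'jdoe' -ActiveSyncAllowedDeviceIDs @{ Add = $device.DeviceId }
}
```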