Exchange RBAC Knowledge base

Hi Again, due to popular demand, here is my small RBAC “knowledge base”; it should apply just fine to Exchange 2010 and Exchange 2013.

Fast and Furious how-to and cool examples:

http://www.mikepfeiffer.net/2010/11/7-useful-one-liners-when-managing-rbac-in-exchange-2010/

http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/13/use-powershell-and-rbac-to-control-access-to-exchange-server-cmdlets.aspx

http://www.opsvault.com/how-to-create-custom-recipient-management-groups-using-exchange-2010-rbac/

http://rbac.codeplex.com/ – a free GUI tool for managing RBAC

Learn and Understand RBAC:

http://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx – RBAC and the Triangle of Power

http://technet.microsoft.com/en-us/library/dd298183.aspx – Understanding Role Based Access Control

http://help.outlook.com/en-us/140/dd207272.aspx – Built-in RBAC Roles for Exchange Online

Hope you find this information useful !

ilantz

Exchange 2010 DAG failover with lost members and homeMTA and msExchHomeServerName values

Hi Again,

I’ve recently had an unusual situation I wanted to share. A client of mine had a geographically stretched Exchange 2010 DAG cluster that crashed really badly: the original “active” servers were lost beyond repair. Luckily the databases were replicated to another location, so the data was saved. In addition, the client was in the middle of a migration from Exchange 2007 to Exchange 2010 (the 2007 servers were not affected by the disaster).

Just to explain a little more: the original “active” servers should have been restored with setup.com /m:recoverserver, but due to the nature of the failure those servers and their names were gone and no longer required. The failed Exchange 2010 DAG member servers were completely deleted from Active Directory using ADSIEdit.

To recover the Exchange 2010 environment I took the following steps, after which the Exchange DAG was online and service was restored.

  1. Restored the DAG to the DR site (evict nodes from the cluster, modify the quorum, leverage the AlternateWitnessServer): Restore-DatabaseAvailabilityGroup
  2. Created a new ClientAccessArray in the new AD site
  3. Modified all databases with Set-MailboxDatabase so the new CAS array is now the RpcClientAccessServer
  4. Made sure all databases are active within our new site and on the correct servers with Move-ActiveMailboxDatabase
  5. Removed the lost database copies on the lost DAG members with Remove-MailboxDatabaseCopy
  6. Forcibly removed the lost DAG members from the DAG: Remove-DatabaseAvailabilityGroupServer -ConfigurationOnly
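The six steps above, written out as one Exchange Management Shell run. This is an added example, not the script used in the post; the DAG name, site names, server names, witness server and CAS array FQDN are placeholders you must replace, and the database-to-server map is a constructed sample.

```powershell
# Added example (not from the original post). All names below are placeholders.
$dag           = 'DAG1'
$lostSite      = 'Primary-Site'            # AD site whose DAG members were lost
$drSite        = 'DR-Site'                 # AD site that still holds database copies
$lostServers   = 'MBX2', 'MBX3'            # members lost beyond repair
$altWitness    = 'HUB-DR.contoso.com'      # alternate file share witness
$altWitnessDir = 'C:\DAGWitness\DAG1'
$casArrayFqdn  = 'outlook-dr.contoso.com'  # FQDN clients will use after the switchover

# Constructed sample: which surviving server each database should be active on.
$activationMap = @{
    'DB01' = 'MBX5'
    'DB02' = 'MBX5'
    'DB03' = 'MBX6'
}

# Step 1: mark the lost site as stopped in AD, then restore the DAG in the DR
# site. Restore-DatabaseAvailabilityGroup evicts the stopped members, fixes the
# quorum and switches to the alternate witness. Stop the Cluster service on the
# surviving members first (see the Datacenter Switchovers link at the end of the post).
Stop-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite $lostSite -ConfigurationOnly
Restore-DatabaseAvailabilityGroup -Identity $dag -ActiveDirectorySite $drSite `
    -AlternateWitnessServer $altWitness -AlternateWitnessDirectory $altWitnessDir

# Step 2: a CAS array for the DR site.
New-ClientAccessArray -Name 'DR CAS Array' -Fqdn $casArrayFqdn -Site $drSite

# Step 3: point every database at the new array.
foreach ($dbName in $activationMap.Keys) {
    Set-MailboxDatabase -Identity $dbName -RpcClientAccessServer $casArrayFqdn
}

# Step 4: activate each database on its intended surviving server.
foreach ($dbName in $activationMap.Keys) {
    Move-ActiveMailboxDatabase -Identity $dbName -ActivateOnServer $activationMap[$dbName] -Confirm:$false
}

# Step 5: drop the copies that lived on the lost members.
foreach ($dbName in $activationMap.Keys) {
    foreach ($server in $lostServers) {
        Remove-MailboxDatabaseCopy -Identity "$dbName\$server" -Confirm:$false
    }
}

# Step 6: remove the lost members from the DAG object only (they no longer exist).
foreach ($server in $lostServers) {
    Remove-DatabaseAvailabilityGroupServer -Identity $dag -MailboxServer $server -ConfigurationOnly -Confirm:$false
}

# Verify: every database mounted on a DR member, no copies left on lost servers.
Get-DatabaseAvailabilityGroup -Identity $dag -Status | Format-List Name, Servers, WitnessServer, AlternateWitnessServer
Get-MailboxDatabaseCopyStatus -Server ($activationMap.Values | Select-Object -Unique) | Format-Table Name, Status, ContentIndexState
```

Run it step by step the first time; each cmdlet above supports -WhatIf, which is worth using on the Remove-* steps before committing.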

Following the actions above, service was restored and all was good, until we hit an issue with users still located on Exchange 2007: they reported that they could not retrieve any free/busy information for other users (all of whom were located on Exchange 2010 databases).

Quick troubleshooting showed that the configuration was fine (URLs were set correctly, network access was fine, permissions were okay, etc.), so I enabled troubleshooting logging on an Outlook client while logged on as a 2007 user. Looking at the xxxx-xxx-AS.log (availability service log) generated by Outlook, I was able to extract the root cause:

<FreeBusyResponse><ResponseMessage ResponseClass="Error"><MessageText>Unable to find a Client Access server that can serve a request for an intraforest mailbox <Jhon Doe>;SMTP:Jhon.Doe@Contoso.com., inner exception: The server MBX2.contoso.com was not found in the topology.</MessageText><ResponseCode>ErrorServiceDiscoveryFailed</ResponseCode><DescriptiveLinkKey>0</DescriptiveLinkKey><MessageXml><ExceptionType xmlns="http://schemas.microsoft.com/exchange/services/2006/errors">Microsoft.Exchange.InfoWorker.Common.Availability.ServiceDiscoveryFailedException</ExceptionType><ExceptionCode xmlns="http://schemas.microsoft.com/exchange/services/2006/errors">5021</ExceptionCode></MessageXml></ResponseMessage><FreeBusyView><FreeBusyViewType xmlns="http://schemas.microsoft.com/exchange/services/2006/types">None</FreeBusyViewType></FreeBusyView></FreeBusyResponse>

The availability service on the Exchange 2007 server was trying to locate the user via the msExchHomeServerName value, which pointed to a deleted server, one of the original “active” DAG members that was lost! Looking at the attribute values of John Doe (per my example above) reveals that homeMTA and msExchHomeServerName were pointing to non-existing values: homeMTA clearly shows a deleted-object value, and msExchHomeServerName points to a server that no longer exists. Here’s an example of what I saw:

homeMTA points to a deleted server value – CN=Microsoft MTA\0DEL:
msExchHomeServerName points to a deleted server

I wrote a small PowerShell script that updates the values for all affected users, using an LDAP filter with the Get-ADUser cmdlet from the Active Directory module and the Set-Mailbox cmdlet with its -Database parameter (as shown below).

Use this script at your own risk, and always double-check yourself before running it in a production environment.

# LDAP filter for mailbox users whose msExchHomeServerName still points at the lost server (MBX2).
# \20 = space, \28 = "(", \29 = ")" in LDAP filter escaping.
$filter = "(&(objectCategory=user)(objectClass=user)(msExchHomeServerName=/o=Contoso/ou=Exchange\20Administrative\20Group\20\28FYDIBOHF23SPDLT\29/cn=Configuration/cn=Servers/cn=MBX2*))"
# -Properties expects an array of attribute names, not one comma-separated string.
$strAttributes = "msExchHomeServerName", "homeMTA", "homeMDB"
$users = Get-ADUser -LDAPFilter $filter -ResultSetSize $null -Properties $strAttributes
foreach ($user in $users)
{
    $mbx = $null
    $mbx = Get-Mailbox -Identity $user.DistinguishedName
    Write-Host "working on user" $user.Name
    Write-Host "working on mailbox" $mbx.Name
    # Re-home the mailbox on the database it already lives in; this rewrites
    # homeMTA / msExchHomeServerName to the server currently hosting that database.
    Set-Mailbox $mbx -Database $mbx.Database -Confirm:$false -Force -Verbose
}

Make sure you modify the LDAP filter in $filter, and the MBX2 server name, for your configuration.
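Before running the re-home script it is worth listing exactly which users are affected, and afterwards confirming that none are left. The following read-only audit is an added example, not part of the original post: it compares every mailbox user’s msExchHomeServerName against the ExchangeLegacyDN of the servers that still exist, and flags homeMTA values that carry the deleted-object marker. The CSV path is a placeholder.

```powershell
# Added example (not from the original post): read-only audit of stale home-server
# pointers. Run in the Exchange Management Shell with the AD module available.
Import-Module ActiveDirectory

# Legacy DNs of the servers that exist in the organization right now. A user's
# msExchHomeServerName is supposed to equal one of these.
$liveServers = Get-ExchangeServer | ForEach-Object { $_.ExchangeLegacyDN }

$props = 'msExchHomeServerName', 'homeMTA', 'homeMDB', 'displayName'
$mailboxUsers = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(msExchHomeServerName=*))' `
                           -Properties $props -ResultSetSize $null

$stale = foreach ($u in $mailboxUsers) {
    $homeServer = $u.msExchHomeServerName
    $homeMta    = $u.homeMTA

    # -contains is case-insensitive, matching how AD compares these strings.
    $serverMissing = -not ($liveServers -contains $homeServer)
    # AD rewrites a DN that points at a deleted object to include "\0ADEL:<guid>",
    # which is what the "CN=Microsoft MTA\0DEL:" value in the post is showing.
    $mtaDeleted    = $homeMta -like '*DEL:*'

    if ($serverMissing -or $mtaDeleted) {
        $reasons = @()
        if ($serverMissing) { $reasons += 'HomeServerMissing' }
        if ($mtaDeleted)    { $reasons += 'HomeMTADeleted' }
        [pscustomobject]@{
            User                 = $u.SamAccountName
            DisplayName          = $u.displayName
            msExchHomeServerName = $homeServer
            homeMTA              = $homeMta
            homeMDB              = $u.homeMDB
            Reason               = $reasons -join ','
        }
    }
}

"{0} of {1} mailbox users have stale home-server pointers" -f @($stale).Count, @($mailboxUsers).Count
$stale | Format-Table User, Reason, msExchHomeServerName -AutoSize
$stale | Export-Csv -Path .\stale-home-servers.csv -NoTypeInformation   # placeholder path
```

Run it once before the re-home script to get the scope (and a CSV to keep), and again afterwards; the second run should report zero stale users. If it still lists users whose homeMDB points at a database on a live server, the filter in the original script probably did not match their msExchHomeServerName prefix.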

The conclusion from this case was very interesting to me: the scenario here was a “typical” cross-site activation of an Exchange 2010 DAG, but due to the nature of the failure we were forced to re-home the mailboxes as if we were using Database Portability (excluding the actual database change, of course). See the links below for more about Database Portability.

Hope you find this information useful,
Ilantz

Datacenter Switchovers

Move a Mailbox Database Using Database Portability

Enable or disable POP3 and IMAP4 by group membership in Exchange 2007

Hi everyone !

My good friend podlisk has finally got his blog up and running; check out his script for this frequently requested task for Exchange 2007 / 2010 🙂

http://podlisk.wordpress.com/2011/01/13/enable-or-disable-pop3-and-imap4-by-group-membership-in-exchange-2007

Enjoy !

Managing email addresses in Exchange 2010 and 2007

Shay Levi (MVP) has posted yet another great PowerShell tip,

This time he blogged about how to modify the EmailAddresses property (which is actually a MultiValuedProperty) using PowerShell 2.0’s new capabilities, making adding or removing an email address on a recipient a snap!

Check it out:

Managing email addresses in Exchange 2010

Grant Full Access to All Mailboxes in Exchange 2010 – even for new databases

Hi again,

Since Exchange 2010 was released I keep running into this request from administrators and help desk personnel:

“I want full access to all mailboxes, and also to all future mailboxes too ! uh and new mailboxes in new mailbox databases too !”

🙂

The following commands will do the trick; copy the first line separately. Exchange 2010 only:

# Prompt for the account (or group) that should get the rights; run this line on its own.
$user = Read-Host -Prompt:"Enter UserName to grant permissions";

# Build the DN of the Databases container so the ACE is set once at the container
# level and inherited by every database, including those created later.
$organization = Get-OrganizationConfig;
$databasesContainer = "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups," + $organization.DistinguishedName;
Add-ADPermission -User:$user -AccessRights ExtendedRight -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin -Identity:$databasesContainer;

And remember, with Active Directory permissions an explicit allow overrides an inherited deny, so this will work even if you do this for an admin user / group.
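A grant this broad (Receive-As on every current and future database) should be reviewed periodically and removed when no longer needed. The block below is an added example, not from the original post: it lists who holds these extended rights directly on the Databases container, confirms the entry is inherited by each database, and optionally revokes it. The account name is a placeholder; set $revoke to $true only when you actually want the rights removed.

```powershell
# Added example (not from the original post). $user is a placeholder; $revoke gates the removal.
$user   = 'CONTOSO\helpdesk-fullaccess'
$revoke = $false

$organization       = Get-OrganizationConfig
$databasesContainer = "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups," + $organization.DistinguishedName

# 1. Who has Receive-As / Send-As / ms-Exch-Store-Admin directly on the container?
#    Non-inherited entries are the ones that were added explicitly, as in the post.
"Explicit store rights on {0}:" -f $databasesContainer
Get-ADPermission -Identity $databasesContainer |
    Where-Object { -not $_.IsInherited -and ($_.ExtendedRights -match 'Receive-As|Send-As|ms-Exch-Store-Admin') } |
    Select-Object User, @{n='ExtendedRights';e={$_.ExtendedRights -join ','}}, Deny |
    Format-Table -AutoSize

# 2. Confirm the entry flows down to every database, including ones created after the grant.
"Databases where $user holds Receive-As:"
Get-MailboxDatabase | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName -User $user |
        Where-Object { $_.ExtendedRights -match 'Receive-As' } |
        Select-Object @{n='Database';e={$_.Identity}}, User, IsInherited, Deny
} | Format-Table -AutoSize

# 3. Revoke with the same scope and rights as the original grant.
if ($revoke) {
    Remove-ADPermission -Identity $databasesContainer -User $user -AccessRights ExtendedRight `
        -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin -Confirm:$false
}
```

If step 2 shows a database where IsInherited is $false, someone granted the right on that database directly and the container-level removal in step 3 will not clear it; repeat Remove-ADPermission against that database’s DN.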

Hope this helps !