Adding a public folder replica under Exchange 2010


The public folder hierarchy shows up on other public folder servers, but the folder contents are not replicated by default to a second public folder database on a different server.  If server 01 dies, the data in that public folder will not be available on server 02.

If you have lots of public folders, you can add replicas of all of them (both normal and system folders) to a second server as follows:

Default public folders:

  1. Log on to MBX01 and open the Exchange Management Shell
  2. Change to the scripts directory
    cd $exscripts
  3. Run
    .\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\" -ServerToAdd "MBX02"

Check the result using
    Get-PublicFolder -Recurse | Format-List Name,Replicas

System public folders:

  1. Log on to MBX01 and open the Exchange Management Shell
  2. Change to the scripts directory
    cd $exscripts
  3. Run
    .\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_Subtree" -ServerToAdd "MBX02"
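
Added check, not part of the original post: after running the script for both trees, this lists every public folder in the IPM and NON_IPM subtrees that still has no replica on the public folder database of a given server. The server name MBX02 is the one assumed above; the function and its name are my own.

```powershell
# Added check, not part of the original post: list public folders in both the IPM and
# NON_IPM trees that still have no replica on the public folder database of a given server.
# Assumes the server name MBX02 used above; run it after AddReplicaToPFRecursive.ps1.
function Get-PublicFolderMissingReplica {
    param([string]$Server = 'MBX02')
    $db = Get-PublicFolderDatabase -Server $Server
    if (-not $db) { throw "No public folder database found on $Server" }
    foreach ($top in @('\', '\NON_IPM_Subtree')) {
        Get-PublicFolder -Identity $top -Recurse -ResultSize Unlimited |
            Where-Object { @($_.Replicas | ForEach-Object { $_.Name }) -notcontains $db.Name } |
            Select-Object Identity, @{Name = 'Replicas'; Expression = { @($_.Replicas | ForEach-Object { $_.Name }) -join '; ' }}
    }
}
# Anything listed here would be unavailable if the other server's database died
Get-PublicFolderMissingReplica -Server 'MBX02' | Format-Table Identity, Replicas -AutoSize
```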

Using RunAs with the Exchange 2010 management console


When publishing the Exchange 2010 console via a Citrix server, the common practice under Citrix is to publish applications under the standard user account.  This means that when you launch the Exchange 2010 console under Citrix it runs as your standard account, which most likely has no permissions in Exchange 2010.

If you want the standard user account to see the published application but want to run the Exchange 2010 console as your admin account, you can use the runas command:

  1. Create an empty batch file
  2. Use the following code
    @echo off
    set /p UserName="Enter your admin account username (eg !ABC): "
    runas /profile /env /user:domain\%UserName% "cmd /c \"c:\program files\microsoft\exchange server\v14\bin\exchange management console.msc\""
  3. Publish this batch file within Citrix and set the icon to the Exchange Management Console icon
  4. When a user launches the published app, they are prompted for their username.  This is passed to runas, which then asks for their password and runs the console in the context of that account

Useful PowerShell one-liner to run before 2003 to 2010 mailbox moves


Before you move mailboxes from Exchange 2003 to Exchange 2010 in a large organisation, it is useful to know things such as which department each user works in and what their title is.  This helps segment the user base when planning the moves; you may not want to move the executives first!

You can use the Get-Mailbox cmdlet to extract most of the information, but you will be missing the Department and Title attributes, as these are returned by cmdlets such as Get-User.  I have come across various extravagant PowerShell scripts on the internet for getting such information, but why write a script when you can use a single-line command to do the same thing?  I find that people have a habit of over-complicating things when it comes to PowerShell.  Having a one-line command means you don't have to copy scripts around and can simply paste the command into a shell when needed.

Within PowerShell you can embed additional commands in a Select-Object calculated property to achieve what a lot of people seem to do with extensive scripts.  Here is an example that I used recently on a project:

Get-Mailbox -ResultSize Unlimited | Sort-Object Name | Select DisplayName,@{Label="Title";Expression={(Get-User $_.Name).Title}},@{Label="Department";Expression={(Get-User $_.Name).Department}},PrimarySMTPAddress,Alias,SamAccountName,OrganizationalUnit,Database | Export-CSV "C:\Admin\AllMailboxes.csv" -NoTypeInformation

You can add further calculated properties to the Select portion and pull in other information from whatever other cmdlets you use on a daily basis.
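
Added variant, not from the original post: the same export, still pasteable as one pipeline, but with a single Get-User lookup per mailbox (the one-liner above calls it twice) keyed on the mailbox Identity rather than Name, because Get-User returns an error when two users share a Name in different OUs. The output path is the one from the post.

```powershell
# Added variant, not from the original post: one Get-User call per mailbox, keyed on Identity
# rather than Name so that two users with the same Name in different OUs cannot collide.
# Output path is the one used in the post.
Get-Mailbox -ResultSize Unlimited | Sort-Object Name | ForEach-Object {
    $mbx  = $_
    $user = Get-User -Identity $mbx.Identity
    New-Object PSObject -Property @{
        DisplayName        = $mbx.DisplayName
        Title              = $user.Title
        Department         = $user.Department
        PrimarySMTPAddress = $mbx.PrimarySmtpAddress.ToString()
        Alias              = $mbx.Alias
        SamAccountName     = $mbx.SamAccountName
        OrganizationalUnit = $mbx.OrganizationalUnit
        Database           = $mbx.Database.ToString()
    }
# The Select-Object fixes the column order, which a hashtable does not preserve in PowerShell 2
} | Select-Object DisplayName, Title, Department, PrimarySMTPAddress, Alias, SamAccountName, OrganizationalUnit, Database |
    Export-Csv -Path 'C:\Admin\AllMailboxes.csv' -NoTypeInformation
```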

Cannot access a Netscaler logon page via Internet Explorer over HTTPS


If you are using Netscalers for load balancing and cannot access the GUI console via HTTPS, this may be because you are using the Netscaler built-in self-signed certificate.  At the end of 2012, Microsoft pushed out a Windows update that requires all SSL certificate keys to be at least 1024 bits, and the self-signed certificate's key is 512 bits.  Have a look for the Windows update KB2661254.

http://support.citrix.com/article/CTX135480

The symptom is that you cannot click on the "Continue to this website (not recommended)" link, even though you know the certificate is self-signed.  Internet Explorer will not give you a meaningful error message; it simply refuses to do anything.

To fix this:

  • Install a real SSL certificate on the Netscaler
  • Regenerate the self-signed certificate with a 1024-bit key as per the Citrix article above
  • Use Chrome or Firefox, which did not enforce this requirement at the time of writing
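
Added check, not from the original post: before deciding which fix to apply, this reads the RSA key length of the certificate the Netscaler (or any HTTPS endpoint) presents, so you can see whether it falls under the 1024-bit minimum enforced by KB2661254. The host name is an assumption. The validation callback accepts any certificate only so the key can be inspected; nothing here trusts or stores it.

```powershell
# Added check, not from the original post: report the key length of the certificate presented
# by an HTTPS endpoint and whether it is below the 1024-bit minimum enforced by KB2661254.
# The host name is an assumption. The callback accepts any certificate purely for inspection.
function Get-RemoteCertificateKeyLength {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            KeyLength    = $cert.PublicKey.Key.KeySize
            BelowMinimum = ($cert.PublicKey.Key.KeySize -lt 1024)
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        # A patched client may refuse the handshake outright instead of handing the certificate back
        Write-Warning ("Handshake with {0} rejected by the local TLS stack: {1}" -f $HostName, $_.Exception.Message)
    } finally {
        $client.Close()
    }
}
Get-RemoteCertificateKeyLength -HostName 'netscaler.example.com' | Format-List
```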

Enable POP and IMAP using a wildcard certificate in Exchange 2010


The Microsoft article here (http://technet.microsoft.com/en-us/library/aa997231.aspx) states that you should not use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate.  Unfortunately this means that secure IMAP and POP won't work!  To get them working:

  1. Enable the certificate for POP, IMAP and IIS
    Enable-ExchangeCertificate -Thumbprint XXXXXXXXXX -Services POP,IMAP,IIS
  2. Use the Set-PopSettings and Set-ImapSettings cmdlets to tell POP3 and IMAP4 which certificate name to use for SSL
    Set-ImapSettings -Server CAS01 -X509CertificateName imap.domain.com
    Set-PopSettings -Server CAS01 -X509CertificateName pop.domain.com
  3. Restart the POP and IMAP services
  4. You should now be OK

If you do not do the above you will see Event ID 1102 stating:

The POP3 service failed to connect using SSL or TLS encryption. No valid certificate is configured to respond to SSL/TLS connections. Check the configured host name as well as which certificates are installed in the Personal Certificates store of the computer.
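
Added check, not from the original post: this confirms that the host name configured for POP3 and IMAP4 on a CAS is actually covered by a certificate enabled for that service, including the one-label matching rule for wildcard names. A configured name that nothing covers is the condition behind Event ID 1102. The server name CAS01 is the one from the post; the functions are my own.

```powershell
# Added check, not from the original post: is the X509CertificateName set for POP3/IMAP4 on a
# CAS covered by a certificate that is enabled for that service? Assumes the server CAS01.
function Test-CertificateNameMatch {
    param([string]$HostName, [string[]]$CertificateDomains)
    foreach ($domain in $CertificateDomains) {
        if ($domain -ieq $HostName) { return $true }
        # A wildcard covers exactly one label: *.domain.com matches imap.domain.com, not a.b.domain.com
        if ($domain.StartsWith('*.') -and
            $HostName.EndsWith($domain.Substring(1), [System.StringComparison]::OrdinalIgnoreCase) -and
            $HostName.Split('.').Count -eq $domain.Split('.').Count) { return $true }
    }
    return $false
}
function Test-PopImapCertificate {
    param([string]$Server = 'CAS01')
    $certs  = Get-ExchangeCertificate -Server $Server
    $checks = @{
        POP  = (Get-PopSettings  -Server $Server).X509CertificateName
        IMAP = (Get-ImapSettings -Server $Server).X509CertificateName
    }
    foreach ($service in $checks.Keys) {
        $hostName = $checks[$service]
        # Services prints as e.g. "IMAP, POP, IIS, SMTP"; only certs enabled for this service count
        $match = $certs | Where-Object {
            ("$($_.Services)" -match "\b$service\b") -and
            (Test-CertificateNameMatch $hostName @($_.CertificateDomains | ForEach-Object { $_.ToString() }))
        }
        New-Object PSObject -Property @{
            Service        = $service
            ConfiguredName = $hostName
            Covered        = [bool]$match
            Thumbprint     = (@($match | ForEach-Object { $_.Thumbprint }) -join ', ')
        }
    }
}
Test-PopImapCertificate -Server 'CAS01' | Format-Table Service, ConfiguredName, Covered, Thumbprint -AutoSize
```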

Create a PFX certificate from a Netscaler CER and KEY file export


If you generate a CSR on a Netscaler device, complete the request on the Netscaler and then wish to use the certificate on Exchange 2010, you may find that exporting the certificate from the Netscaler gives you two files: a CER file and a KEY file.  If this is unavoidable, you can use OpenSSL to create the PFX file that Windows requires in order to use the private key.

  1. Install OpenSSL v1.0.0k Light from http://slproweb.com/products/Win32OpenSSL.html
  2. Right-click CMD and run it as Administrator, then navigate to C:\OpenSSL-Win32\bin
  3. Run
    openssl pkcs12 -export -in c:\admin\mycert.cer -inkey c:\admin\mycert.key -out c:\admin\mycert.pfx
  4. Install any intermediate certificates under Computer\Intermediate Certification Authorities\Certificates on the Exchange 2010 server
  5. Check that no conflicting certificates (ie with the same name) matching the intermediate certificates exist under Computer\Trusted Root Certification Authorities\Certificates, as these can break the certificate chain
  6. Copy the PFX file to the Exchange 2010 server
  7. Import the certificate using the Exchange Shell.  NOTE that Microsoft articles may give syntax that does not work.  Ignore the articles which say to use Import-ExchangeCertificate -Path, as this does not work with SP2: it errors with "A positional parameter cannot be found that accepts the argument -path"
  8. To import it correctly use
    Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "c:\admin\mycert.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password
  9. The name may show as blank if you look at certificates in the Exchange console, so if you want a friendly name see here: http://dougg.co.nz/2013/03/14/change-the-friendly-name-of-an-exchange-2010-certificate/
  10. Enable services on the certificate using PowerShell (NOTE that for POP and IMAP you should not use this command: http://technet.microsoft.com/en-us/library/aa997231(v=exchg.141).aspx)
    Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXX -Services SMTP,IIS -DoNotRequireSSL
  11. You should now be good to go
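
Added check, not from the original post: before step 8, this confirms that the PFX produced by openssl actually carries the private key and that its chain builds on the Exchange server against the intermediates installed in step 4 (a conflicting root from step 5 shows up here as a chain error). The path is the one from the post and the function is my own; revocation checking is skipped so the check works offline.

```powershell
# Added check, not from the original post: inspect the PFX from step 3 before importing it.
# Path is the one used in the post; revocation is skipped so this works without internet access.
function Test-PfxForExchange {
    param([string]$Path, [System.Security.SecureString]$Password)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password, $flags
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey           # False means the -inkey file was not picked up
        KeyLength     = $cert.PublicKey.Key.KeySize   # must be at least 1024 on patched Windows
        ChainBuilds   = $builds
        ChainStatus   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Chain         = (@($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
    }
}
Test-PfxForExchange -Path 'c:\admin\mycert.pfx' -Password (Read-Host -Prompt 'PFX password' -AsSecureString) | Format-List
```

If ChainBuilds is False, fix what ChainStatus reports (steps 4 and 5) before importing, because Exchange will otherwise serve an incomplete chain.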

Change the friendly name of an Exchange 2010 certificate


When you view Exchange certificates in the Exchange 2010 console, you see the “Name” attribute displayed.  This is created when you generate a CSR.  If you wish to change it later on (if, for example, you made a mistake) perform the following:

  1. Open a blank MMC console
  2. Add the Certificates snap-in
  3. Navigate to Local Computer -> Personal -> Certificates
  4. Find the certificate and right-click it then choose properties
  5. On the General tab you can set the Friendly Name
  6. Refresh the Exchange console to see the name update

An active manager operation failed – Database copy has content index files failed


When trying to move the active copy of a database in a DAG in Exchange 2010 you may receive the error:

An Active Manager operation failed. Error: The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'DAG01-MDB01 (2GB)' on server 'mbx01' has content index catalog files in the following state: 'Failed'.

If so, perform the following:

  1. Check whether the content index is in a Failed state on the mailbox server you are trying to move the active database to, using
    Get-MailboxDatabaseCopyStatus
  2. For each database in a failed state update its index by running
    Update-MailboxDatabaseCopy “DAG01-MDB01 (DB Name)” -CatalogOnly
  3. Confirm that the content index is healthy using the cmdlet in step 1
  4. You should now be able to move mailbox databases to the server
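
Added example, not from the original post: it generalises steps 1 to 3 to every database copy on a server, reseeding only the catalog for each copy whose index is Failed and then returning anything still not Healthy so you can decide before moving databases. The server name MBX02 and the function name are assumptions.

```powershell
# Added example, not from the original post: steps 1 to 3 applied to every copy on one server.
# Assumes the server MBX02.
function Repair-FailedContentIndex {
    param([string]$Server = 'MBX02')
    $failed = Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $_.ContentIndexState -eq 'Failed' }
    foreach ($copy in $failed) {
        Write-Host ("Reseeding catalog for {0}" -f $copy.Name)   # Name is in the form DB\Server
        # -CatalogOnly leaves the database files alone and rebuilds only the search catalog
        Update-MailboxDatabaseCopy -Identity $copy.Name -CatalogOnly -Confirm:$false
    }
    # Crawling is normal for a while after the reseed; anything else needs a look before a move
    Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $_.ContentIndexState -ne 'Healthy' } |
        Select-Object Name, Status, ContentIndexState, ContentIndexErrorMessage
}
Repair-FailedContentIndex -Server 'MBX02' | Format-Table -AutoSize
```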

Copy files and permissions from one server to another


This is useful when migrating files from a 2000/2003 server to a 2008 R2 box.  The tools needed are:

  • icacls – built in to 2008 R2
  • Robocopy – built in to 2008 R2
  • An understanding of the icacls syntax, because it is very fussy!

In this example, server1 is the Server 2000 machine (its D: drive), server2 is the 2008 R2 server, and you are copying IIS files from 2000 to 2008 R2.  This method lets you copy the files without having to install any software on the 2000 server:

  1. Log on to the 2008 R2 server
  2. Map a drive to server1
    net use x: \\server1\d$
  3. Save the permissions to a file on the 2008 R2 server (IMPORTANT: note the lack of a trailing \ on the remote path!)
    icacls x:\inet\wwwroot /save c:\admin\ntfsperms.txt /t /c
  4. Copy the files from the 2000 box to the new location on 2008 R2
    robocopy x:\inet\wwwroot d:\inetpub\wwwroot /e /R:1 /W:5 /tee /log:c:\admin\robocopyLog.txt
  5. Apply the NTFS permissions from the icacls file to the files now located on 2008 (IMPORTANT: note that the trailing \ is now required, and you must run the command from the directory containing ntfsperms.txt)
    icacls d:\inetpub\ /restore ntfsperms.txt /c

The most important thing is to check the trailing "\" syntax, as you will hit problems restoring permissions with icacls if this is missed.
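
Added check, not from the original post: after the icacls /restore in step 5, this compares the explicit (non-inherited) NTFS entries on every folder under the source share with the matching folder on the new server and reports the differences. Inherited entries are skipped on purpose, because the destination root inherits from a different parent than the source did. Paths are the ones used above and assume X: is still mapped to \\server1\d$; the functions are my own.

```powershell
# Added check, not from the original post: compare explicit NTFS entries folder by folder
# between the mapped source share and the restored destination. Paths are the post's.
function Get-ExplicitAce {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.FileSystemRights,
                         $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags } |
        Sort-Object
}
function Compare-FolderPermission {
    param([string]$Source = 'x:\inet\wwwroot', [string]$Target = 'd:\inetpub\wwwroot')
    $folders = @(Get-Item -Path $Source) +
               @(Get-ChildItem -Path $Source -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $relative   = $folder.FullName.Substring($Source.Length).TrimStart('\')
        $targetPath = Join-Path -Path $Target -ChildPath $relative
        if (-not (Test-Path -Path $targetPath)) {
            New-Object PSObject -Property @{ Folder = $relative; Result = 'Missing on target'; Difference = '' }
            continue
        }
        $src = @(Get-ExplicitAce -Path $folder.FullName)
        $dst = @(Get-ExplicitAce -Path $targetPath)
        $onlySrc = @($src | Where-Object { $dst -notcontains $_ } | ForEach-Object { "missing: $_" })
        $onlyDst = @($dst | Where-Object { $src -notcontains $_ } | ForEach-Object { "extra: $_" })
        if ($onlySrc.Count + $onlyDst.Count -gt 0) {
            New-Object PSObject -Property @{ Folder = $relative; Result = 'ACL differs'; Difference = (($onlySrc + $onlyDst) -join '; ') }
        }
    }
}
# Only folders that differ or are missing are returned; no output means the restore matched
Compare-FolderPermission | Format-Table Folder, Result, Difference -AutoSize -Wrap
```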

Disable a network so that it is not used in a Exchange 2010 DAG cluster


If you are unlucky and need to include additional network cards in the mailbox server build but want them excluded from cluster activities, you can stop the additional networks from being used by the DAG cluster as follows:

  • In the Exchange console, find the 3rd or extra networks under Org config -> Mailbox -> Database Availability Groups
  • Rename the network from Network03 or whatever it is to something more descriptive of the network
  • Open Windows Cluster Manager and check under DAGName -> Networks
  • Rename the same network here to match the one in the Exchange console
  • Open the Exchange shell and run the following command to disable log replication and set the network to be ignored
    Set-DatabaseAvailabilityGroupNetwork -Identity "DAG01\YourNewNetworkName" -ReplicationEnabled:$false -IgnoreNetwork:$true -MapiAccessEnabled:$false
  • The network will still be listed in Exchange, but you can confirm the settings applied by running the following and checking that IgnoreNetwork is True
    Get-DatabaseAvailabilityGroupNetwork -Identity "DAG01\YourNewNetworkName" | fl
  • Also, in Windows Cluster Manager open DAG -> Networks, right-click the network and view its properties, which should show the network set to "Do not allow cluster network communication on this network"
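
Added audit, not from the original post: it lists every network in the DAG with the three flags set above and flags any network that carries neither MAPI nor replication traffic yet is still not ignored by the cluster, which is the inconsistent state this procedure is meant to remove. The DAG name DAG01 and the function name are assumptions.

```powershell
# Added audit, not from the original post: one row per DAG network with the three flags from the
# Set-DatabaseAvailabilityGroupNetwork command above. Assumes the DAG is called DAG01.
function Get-DagNetworkAudit {
    param([string]$Dag = 'DAG01')
    Get-DatabaseAvailabilityGroupNetwork -Identity $Dag | ForEach-Object {
        $n = $_
        New-Object PSObject -Property @{
            Network            = $n.Name
            Subnets            = (@($n.Subnets | ForEach-Object { "$($_.SubnetId)" }) -join ', ')
            ReplicationEnabled = $n.ReplicationEnabled
            MapiAccessEnabled  = $n.MapiAccessEnabled
            IgnoreNetwork      = $n.IgnoreNetwork
            # Carries nothing for Exchange but still takes part in the cluster: this is what to fix
            NeedsAttention     = ((-not $n.ReplicationEnabled) -and (-not $n.MapiAccessEnabled) -and (-not $n.IgnoreNetwork))
        }
    } | Select-Object Network, Subnets, ReplicationEnabled, MapiAccessEnabled, IgnoreNetwork, NeedsAttention
}
Get-DagNetworkAudit -Dag 'DAG01' | Format-Table -AutoSize
```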