MsExchange Blog Spot Telnet25

July 23, 2014

Create Custom RBAC roles with quick powerfull cmdlets.

Filed under: General — telnet25 @ 1:49 pm

Here are some handy RBAC cmdlets to help you build your own custom Role Groups, role assignments etc. When you design RBAC Groups , you need to pay attention to your name convention to make sure , Groups, role assignments etc. makes sense, each Role Group created will be located on Microsoft Exchange Security Groups on the root of the forest/Domain , adding members to these security groups also possible using active directors users snap in, so you need to have plan to secure these groups. it might be good idea to tick the box “protect object from accidental deletion” for these groups.

image

image

image

#List all Management Roles

Get-ManagementRole

clip_image001

#List all role entries within given Management Role

Get-ManagementRoleEntry "View-Only Recipients\*"

clip_image002

Note: as you have noticed, all these cmdlet’s , user can run if the user is assigned to a Role Group = Assigned Role = ManagementRoleEntry

Here is simple snapshot to digest the relationship

clip_image003

#Create new Role from existing Parent Role

New-ManagementRole "HelpDesk Permissions" -Parent "View-Only Recipients"

clip_image004

#Remove all Role Entries , except selected one

Get-ManagementRoleEntry “HelpDesk Permissions\*” | Where {$_.name -ne “Get-User”} | Remove-ManagementRoleEntry -Confirm:$False

image

#Locate managementRole

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image006

#Add additional CMDLET if needed to management Role

Add-ManagementRoleEntry “HelpDesk Permissions\Get-MailboxPermission”

clip_image007

#Locate ManagementRole to verify desired cmdlet is assigned to it

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image008

#Create New Role Group

New-RoleGroup "HelpDesk 1.5"

clip_image009

#Add Role assignment to Role Group

New-ManagementRoleAssignment -SecurityGroup "HelpDesk 1.5" -Role "HelpDesk Permissions"

clip_image010

#add member to Role Group

Add-RoleGroupMember “HelpDesk 1.5” –Member C-Ron.Buzon

clip_image011

#locate members

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image012

#remove Members from desired Role Group

Remove-RoleGroupMember “HelpDesk 1.5” –Member C-Ron.Buzon

clip_image013

# Find desired user, List all the Roles

Get-ManagementRoleAssignment -GetEffectiveUsers | ?{$_.EffectiveUserName -eq “Administrator”} | select Role

clip_image014

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

July 15, 2014

How To Create CUSTOM RBAC ROLE Exchange 2010 & 2013

Filed under: General — telnet25 @ 8:53 pm

We would like to utilize RBAC Role model and create custom RBAC Role for specific needs for a business. These needs could be different from one environment to another. This article will be good reference for you to get your customization. Having said that, first thing to understand is the RBAC Layers.

There are 6 Layers which make up the Role Group Model

  • Role group member
  • Management role group
  • Management role assignment
  • Management role scope
  • Management role
  • Management role entries

clip_image001[4]

Goal:

  1. Create Custom Role Group
  2. Create Custom RBAC Role Entry with desired cmdlet’s
  3. Add Custom Role entry to Role
  4. Add role to Custom Role Group
  5. Add Members to Custom Role Group

In this example we will use following template

image

Note: You can build your own management Role , and modify management role entries same way in this article. The process is pretty straight forward.

Task#1

Figure out all role entry contains set-mailbox (set-mailbox is one of the cmdlet we have as our requirement)

Get-ManagementRoleEntry *\Set-Mailbox

clip_image002[4]

 

Task#2

Create the management role with related parent Role

New-ManagementRole -Name “Assign Mailbox Access” -Parent “Mail Recipients”

clip_image003[4]

Task#3

Get-ManagementRoleEntry "Assign Mailbox Access\*"

Verify all cmdlet assign to newly created management role, as you can see we have many cmdlet we don’t want, therefore we will need to remove most of them and only keep what we need.

clip_image004[4]

Task#4

Remove what you don’t need

Get-ManagementRoleEntry “Assign Mailbox Access\*” | Where {$_.name -ne “Add-MailboxPermission”} | Remove-ManagementRoleEntry -Confirm:$False

clip_image005[4]

Task#5

Verify the Role entry , minimum cmdlet is assigned.

clip_image006[4]

Task#6

Add additional cmdlet

  • Add-ManagementRoleEntry "Assign Mailbox Access\get-mailbox"
  • Add-ManagementRoleEntry "Assign Mailbox Access\get-mailboxPermission"
  • Add-ManagementRoleEntry "Assign Mailbox Access\remove-mailboxPermission"
  • Add-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"

clip_image007[4]

Task#7

Add remove any role entries if desired

Verify one more time to make sure we have all we wanted. If required continue to add by using same one liner cmdlet

Add-ManagementRoleEntry "Assign Mailbox Access\set-mailbox" —————> you can replace set-mailbox

If you need to remove use

Remove-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"

clip_image008[4]

Task#8

Create new Role Group

New-RoleGroup “Audit Team”

clip_image009[4]

Task#9

Let’s put them together

New-ManagementRoleAssignment -SecurityGroup "Audit Team" -Role "Assign Mailbox Access"

clip_image010[4]

Task#10

Add-RoleGroupMember “Audit Team” –Member C-Ron.Buzon

clip_image011[4]

We are done lets look at this from ECP

clip_image012[4]

clip_image013[4]

Now if c-ron.Buzon logs in, he will only get the cmdlets assigned to him via RBAC Role. As you can see RBAC permissions model is very efficient and effective. When creating Roles, group and Role entries, you may want to think about unifying name convention and plan this out before start implementing it into production environment.

TechNet:

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

July 9, 2014

Recovering from Accidentally Deleted AD objects with PowerShell , AD Recycle BIN , Windows 2012 Active Directory.

Filed under: General — telnet25 @ 7:58 pm

We will recovery accidently deleted user account via PS in windows 2012 domain environment. To prepare the scenario we will fist delete the user and recovery it.

Log onto  Windows 2012 DC with administrator privileges.Open PS with administrator privileges

Type following.

Get-ADUser -Filter ‘Name -like "*C-Ron Buzon"’

image

image

We will delete the user

Get-ADUser -Filter ‘Name -like "*C-Ron Buzon"’ | Remove-ADUser -Confirm:$false

image

user has been deleted

image

we can see user within the Deleted Objects container in ADAC

image

Get-ADobject -Filter ‘Name -like "*C-Ron*"’ -IncludeDeletedObjects

image

we will restore this user

Get-ADobject -Filter ‘Name -like "*C-Ron*"’ -IncludeDeletedObjects | Restore-ADObject

image

if I check to see user is back to ADDS

image

image

Read more

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

 

Installing First Windows 2012 Domain Controller into Existing Forest/Domain via PowerShell

Filed under: General — telnet25 @ 7:54 pm

 

Task: Introducing first Windows 2012 domain controller into Existing Forest /Domain. As you already  notices with Windows 2012 , promoting server to be additional domain controller is changed a lot. There is no more DCpromo instead we use GUI or PowerShell to get the work done.

High Level Steps :

  • Install Windows 2012 Server
  • Configure , Server name, IP address
  • Add Server into existing domain as member server ( preferred )
  • Use PS to promote the server to be additional domain controller and modify the DCpromo.ps1 Script

Step# 1

First task is to add the windows 2012 server into existing domain. Adding server into existing domain  before promoting to be domain controller is a good old habit ,  which allows A record to be created  within the existing DNS Forward lookup  zone and helps also ensures correct DNS settings has been configured.

Log into Server

Open PowerShell and type following command.

Install-WindowsFeature -Name Ad-Domain-Services | Install-WindowsFeature

clip_image001

Step# 2

Now copy and paste the , below PowerShell command into notepad , and save it as DCpromo.ps1 ( we use this name to honor DCPromo we have used ages (-:   , you can name it anything you like.

image

You will need to change  “-DomainName "ZtekZone.com"  and if you like any additional customization , such as changing the defaults , SYSLOG, DatabasePath, LogPath etc.

Download the script from here

Run PS Command against pre-defied PS Script

#Installing Domain Controller

Write-Host "………………………….."

Write-Host "Please modify pre defined Script "

Write-Host "To Make sure it fits into your Environment"

Write-Host "………………………….."

Import-Module ADDSDeployment

Install-ADDSDomainController `

-NoGlobalCatalog:$false `

-CreateDnsDelegation:$false `

-CriticalReplicationOnly:$false `

# Change the DatabasePath if desired

-DatabasePath "C:\Windows\NTDS" `

# Change the Domain name if desired

-DomainName "ZtekZone.com"

-InstallDns:$true `

# Change the LogPath if desired

-LogPath "C:\Windows\NTDS" `

-NoRebootOnCompletion:$false `

# Change the AD Site Name if necessary

-SiteName "Default-First-Site-Name" `

# Change the SYSVOL if necessary.

-SysvolPath "C:\Windows\SYSVOL" `

-Force:$true

Now after modifying the script save it onto server into temp Directory

image

From PowerShell Run it

clip_image002

clip_image003

clip_image004

After server reboot if we open Site and Services we will see the additional domain controller

clip_image005

Now couple additional Configuration we will perform on the new domain controller

Add-WindowsFeature RSAT-AD-PowerShell, RSAT-AD-AdminCenter

clip_image006

Now you can open ADAC from GUI

clip_image007

Or you can open it from PowerShell

clip_image008

clip_image009

You can also open Site and Services

dssite.msc

clip_image010

You can open ADUC

Dsa.msc

clip_image011

More to read… AD Team

http://blogs.technet.com/b/askpfeplat/archive/2012/09/06/introducing-the-first-windows-server-2012-domain-controller-part-2-of-2.aspx

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Installing Windows 2012 Core as additional Domain Controller into Existing Forest/Domain. Sconfig is your Friend.

Filed under: General — telnet25 @ 7:46 pm

 

After finishing window 2012 server install , and logging into server all we get is  plain command prompt. If you are tasked to promote this newly installed  Core Server to be the additional domain controller you can use Sconfig to get the mission accomplish.

Type “Sconfig” and hit enter

image

image

Now first thing we will do is to rename the server

Option # 1

image

 

image

we will say no to this one for now, we will set the IP Address

Option # 8

image

Type the index number shown on the menu for the adapter you wish to configure

image

Option # 1

and select Static ( S )

image

as you can see the new configured IP is showing up next to 169.254.1.121

Now we need to take care of  DNS IP Addresses

Option # 2

image

image

image

Option # 4 return the Main Menu

image

Enable RDP Option # 7

image

and now I am going to re-start the server

image

After I login I made sure I can ping my existing DC/GC/DNS Server

image

Firing up SConfig one more time to add the server into existing domain as member server

image

image

Now server is part of the domain and ready to be promoted as additional domain controller

I make sure to log back into domain

image

Now lets fire-up PowerShell

image

image

Fire-up Sconfig  one more time to make sure I have the correct, desired configuration settings.

image

 

Install-WindowsFeature -Name Ad-Domain-Services | Install-WindowsFeature

image

Type notepad.exe on the PS and hit enter

image

Copy and paste below code into notepad.

Core.ps1 ( You need to change the desired filed in the PS script , such as domain name

I have used “-DomainName "ZtekZone.com" change this to suit to your scenario. Once you are done, on the notepad click file and save as , and save the file on the C:\temp directory as “CoreDeploy.ps1”

image 

You can download the script from here

image

 

#Installing Domain Controller

Write-Host "………………………….."

Write-Host "Please modify pre defined Script "

Write-Host "To Make sure it fits into your Environment"

Write-Host "………………………….."

Import-Module ADDSDeployment

Install-ADDSDomainController `

-NoGlobalCatalog:$false `

-CreateDnsDelegation:$false `

-CriticalReplicationOnly:$false `

# Change the DatabasePath if desired

-DatabasePath "C:\Windows\NTDS" `

# Change the Domain name if desired

-DomainName "ZtekZone.com"

-InstallDns:$true `

# Change the LogPath if desired

-LogPath "C:\Windows\NTDS" `

-NoRebootOnCompletion:$false `

# Change the AD Site Name if necessary

-SiteName "Default-First-Site-Name" `

# Change the SYSVOL if necessary.

-SysvolPath "C:\Windows\SYSVOL" `

-Force:$true

Now within the PS , change the directory to C:\temp directory

image

 

Type “CoreDeploy.ps1”

image

 

image

ZtekZone.com ( is the domain name in my case)

image

image

After server reboots , you need to make sure replication is working etc.

here is AD site and services with the newly promoted server

image

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Largest collection of FREE Microsoft eBooks ever, including: Windows 8.1, Windows 8,PowerShell, Exchange Server, Lync 2013, System Center, Azure, Cloud, SQL Server

Filed under: General — telnet25 @ 10:27 am

 

MS has large e-book offerings , click here to get them

 

image

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

July 7, 2014

Installing First Windows 2012 Domain Controller into Existing Forest/Domain via PowerShell

Filed under: General — telnet25 @ 5:44 pm

 

Task: Introducing first Windows 2012 domain controller into Existing Forest /Domain. As you already  notices with Windows 2012 , promoting server to be additional domain controller is changed a lot. There is no more DCpromo instead we use GUI or PowerShell to get the work done.

High Level Steps :

  • Install Windows 2012 Server
  • Configure , Server name, IP address
  • Add Server into existing domain as member server ( preferred )
  • Use PS to promote the server to be additional domain controller and modify the DCpromo.ps1 Script

Step# 1

First task is to add the windows 2012 server into existing domain. Adding server into existing domain  before promoting to be domain controller is a good old habit ,  which allows A record to be created  within the existing DNS Forward lookup  zone and helps also ensures correct DNS settings has been configured.

Log into Server

Open PowerShell and type following command.

 

Install-WindowsFeature -Name Ad-Domain-Services | Install-WindowsFeature

 

clip_image001

Step# 2

Now copy and paste the , below PowerShell command into notepad , and save it as DCpromo.ps1 ( we use this name to honor DCPromo we have used ages (-:   , you can name it anything you like.

image

You will need to change  “-DomainName "ZtekZone.com"  and if you like any additional customization , such as changing the defaults , SYSLOG, DatabasePath, LogPath etc.

‘>’>Download the Script from here if  you prefer

 

Run PS Command against pre-defied PS Script

#Installing Domain Controller

Write-Host "………………………….."

Write-Host "Please modify pre defined Script "

Write-Host "To Make sure it fits into your Environment"

Write-Host "………………………….."

Import-Module ADDSDeployment

Install-ADDSDomainController `

-NoGlobalCatalog:$false `

-CreateDnsDelegation:$false `

-CriticalReplicationOnly:$false `

# Change the DatabasePath if desired

-DatabasePath "C:\Windows\NTDS" `

# Change the Domain name if desired

-DomainName "ZtekZone.com"

-InstallDns:$true `

# Change the LogPath if desired

-LogPath "C:\Windows\NTDS" `

-NoRebootOnCompletion:$false `

# Change the AD Site Name if necessary

-SiteName "Default-First-Site-Name" `

# Change the SYSVOL if necessary.

-SysvolPath "C:\Windows\SYSVOL" `

-Force:$true

Now after modifying the script save it onto server into temp Directory

image

From PowerShell Run it

clip_image002

clip_image003

clip_image004

After server reboot if we open Site and Services we will see the additional domain controller

clip_image005

Now couple additional Configuration we will perform on the new domain controller

Add-WindowsFeature RSAT-AD-PowerShell, RSAT-AD-AdminCenter

clip_image006

Now you can open ADAC from GUI

clip_image007

Or you can open it from PowerShell

clip_image008

clip_image009

You can also open Site and Services

dssite.msc

clip_image010

You can open ADUC

Dsa.msc

clip_image011

More to read… AD Team

http://blogs.technet.com/b/askpfeplat/archive/2012/09/06/introducing-the-first-windows-server-2012-domain-controller-part-2-of-2.aspx

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

June 11, 2014

Configuring Servers with /32 Subnet Mask

Filed under: General — telnet25 @ 11:15 am

There are times specific IP address explicitly needs to be added into Active Directory site and services to ensure the application or the servers is talking to specific domain controllers for certain task such as authentication, Global catalog selection etc. Very recent ExRAP program I have worked , indicated some of the Exchange servers were talking to domain controllers out of its own AD SITE. As you may already know Exchange servers will select DC/GC from their own AD Site and if they cannot reach them out they will try to communicate other available domain controller ( DC/GC) the magic lays down on how TCP/IP settings configured on the client as well as AD Site and services , subnets.

In this example we will add Exchange server IP Addresses is  10.10.10.121 /24

On  the domain controller we will open Site and Services snap in

DSSite.msc 

image

Click Subnets , new subnet , type the IP address and Subnet mask and select the corresponding ( desired)  AD Site.Once finish you can make right click on Site and make sure the IP address is added on the properties.

image

image

By doing this simple task, we made sure the very specific IP address and its subnet mask is added to AD Site we choose.

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

May 28, 2014

Exchange Server 2013 Cumulative Update 5

Filed under: General — telnet25 @ 11:14 am

Exchange Server 2013 Cumulative Update 5 has been released kb2936880 has list of improvements and fixes CU5 contains. Don’t forget to test the latest CU and RU updates before applying them to production servers.

image

List of Issues CU5 has fixed and improved are,

This update resolves the issues that are described in the following Microsoft Knowledge Base (KB) articles:

  • 2963590 Message routing latency if IPv6 is enabled in Exchange Server 2013

  • 2963566 Outlook Web App accessibility improvement for UI appearance in Exchange Server 2013

  • 2962439 You cannot sync contacts or tasks in Microsoft CRM client for Outlook in an Exchange Server 2013 environment

  • 2962435 CRM synchronization fails if the time zone name of a meeting is not set in an Exchange Server 2013 environment

  • 2962434 Slow performance in Outlook Web App when Lync is integrated with Exchange Server 2013

  • 2958430 "Some or all Identity references could not be translated" error when you manage DAG in Exchange Server 2013 SP1 in a disjoint namespace domain

  • 2957592 IME is disabled in Outlook Web App when you press Tab to move the focus in an email message in Exchange Server 2013

  • 2942609 Exchange ActiveSync proxy does not work from Exchange Server 2013 to Exchange Server 2007

  • 2941221 EWS integration for Lync works incorrectly in an Exchange Server 2013 and 2007 coexistence environment

  • 2926742 Plain-text message body is cleared when writing in Outlook Web App by using Internet Explorer 8 in Exchange Server 2013

  • 2926308 Sender’s email address is broken after importing a PST file into an Exchange Server 2013 mailbox

  • 2925559 Users always get the FBA page when they access OWA or ECP in Exchange Server 2013

  • 2924519 "SyncHealth\Hub" folder is created unexpectedly after installing Cumulative Update 2 for Exchange Server 2013

  • 2916113 Cannot open .tif files from email messages by using Windows-based applications in an Exchange Server 2013 environment

  • 2592398 Email messages in the Sent Items folder have the same PR_INTERNET_MESSAGE_ID property in an Exchange Server 2010 environment

Exchange Server and Update Rollups Build Numbers

http://social.technet.microsoft.com/wiki/contents/articles/240.exchange-server-and-update-rollups-build-numbers.aspx

 

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

May 21, 2014

Mailbox move failed at 95% with Exception Unable to modify Table (Exchange 2003 to Exchange 2010)

Filed under: General — telnet25 @ 3:03 am

If  you are in the middle of migration and you have started to run into issues moving mailboxes, you might have seen MB move fails when it gets to 95 percent with above error. First thing to look at is the move logs to determine the root cause of the problem. From my experience the issues related to a corrupted item within the user mailbox. ( see details of the MB move report)

The top ones to look

  • Corrupted or empty outlook rules
  • Corrupted Calendar Items
  • Corrupted item in the deleted item folders

Easy way to deal with all these issues before you start messing with MFCMAPI is

  • Backup User mailbox to PST File
  • Assign yourself Full mailbox permissions
  • Delete everything ( send items , deleted items, all rules, all contacts etc.
  • Perform MB move
  • Import PST
  • Remove full MB permissions

Working with MFCMAPI

You need to assign Full mailbox permissions to yourself for mailbox the problem mailbox

clip_image001

Setup an Outlook profile with the mailbox that has the problem, logon with your credentials.

Picture (Device Independent Bitmap) 3

  1. Open MFCMAPI,
  2. click Session
  3. Logon
  4. Pick the outlook profile you like to load into MFCMAPI

In our case this the problem user is "Aki.Armstrong" we will log into her mailbox

  1. Right click on Problem  mailbox
  2. Choose Open store
  3. Expand the tree, and find the problem folder listed in the MB Move log file
  4. Locate the folder listed in the logs.

Example: Folder: ‘/Top of Information Store/Inbox/USers’s Emails/Inbox’, entryId [len=46, data=000000001026823AF4CCDA45936168C4A4275CE001008 )

  1. Right click on the folder and choose Other tables… and then Rules table…
    Delete the corrupted Item ( rule etc.)
  2. Right click on the folder and choose Other tables… and then Rules table…
  3. Delete the corrupted rule.
  4. Go back to the Exchange Management Console and resume the move-request.

Picture (Device Independent Bitmap) 4

Picture (Device Independent Bitmap) 5

Picture (Device Independent Bitmap) 7

Picture (Device Independent Bitmap) 6

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 33 other followers