About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

GAL Segmentation announced for Exchange 2010 SP2

Posted on January 28, 2011 by Michel de Rooij

An interesting post today on the Microsoft Exchange Team blog. Some, mainly large, organizations require the possibility of having creating different GAL (Global Address List) views or subsets. This way, users will be able to view a customized GAL with relevant addresses instead of the organization-wide GAL.

In Exchange 2007 (or earlier versions) customers had this possibility by implementing the Virtual Organizations and Address List Segregation whitepaper or utilizing Andy Grogan’s Address List Segregation Tool for example. Apparantly, Microsoft listened and are going to offer similar functionality as of Exchange 2010 SP2, which the article states is scheduled for Q3/Q4 2011.

The Exchange team speaks of a “Global Address Segmentation feature”, offering segmentation through the Exchange management interfaces, providing organizations a way to create views of the global address book. The mechanism for these views are called “Address Book Policies”, which are going to use an assignment model instead of the ACL-based GAL segmentation. Note that the team states that Address Book Policies won’t replace the tenant isolation feature found in Exchange 2010’s hosting mode. Address Book Policies are to be used to segment and grant access to GAL segments, with hosting mode tenants are isolated.

I wonder if it will be possible to assign multiple Address Book Policies to a user to create cumulative views. For example, the manager of two departments can view the assigned GALs of these departments as being his GAL. If not, you may be required to create a separate address book policy for each level of access which might pose an administrative challenge.

Another thing: I expect it may require some form of change or requirement on clients as well since address lists are contained in the LDAP://CN=All Global Address Lists,CN=Address Lists Container,CN=<Exchange Organisation>,CN=Microsoft Exchange,CN=Services,.. container. The Default Global Address List element in that container is often accessed through a hard-coded lookup on its name and since it resides in Active Directory I don’t see how Exchange 2010 SP2 will manage that.

But of course this is all speculation; how Address Book Policies will be implemented and what the consequences are for migrations from an ACL-based Exchange environment remains to be seen.

Note that because of this announcement, Andy Grogan has ceased development on an Exchange 2010 version of the Address List Segregation Tool. Also, Microsoft will not release an Exchange 2010 version of the Virtual Organizations and Address List Segregation document.

Comparing Active Directory Permissions

Posted on January 26, 2011 by Michel de Rooij

Every now and then you might be required to compare Active Directory account permissions. When it concerns one or few accounts, you could do the manual side-by-side comparison using Active Directory and Computers. However, when you need to check multiple accounts this task becomes tedious.

Now you could follow the practice laid out by Exchange fellow Andy Grogan here, generating permissions output using Quest Active Roles and comparing the textual output with a comparison utility like WinMerge or WinDiff. But you can also perform this comparison using PowerShell’s Compare-Object cmdlet, which I’ll show you here.

For this task we’re going to use the Quest AD extensions (Active Roles), which you can download here. Install these extensions on a domain-joined system where PowerShell is already installed. After installation, start the ActiveRoles Management Shell and enter the following, where IdA and IdB are the Identities of the objects you want to compare:

$a= Get-QadPermission <IdA> -Inherited -SchemaDefault
$b= Get-QadPermission <IdB> -Inherited –SchemaDefault

Now $a and $b contain the permission sets of both objects. Next, we’re going to utilize compare-object to compare these two sets. When we use Compare-Object $a $b you get the following output:

Not quite helpful this output but it isn’t unexpected. Since we’re comparing two object sets compare-object generates a result with objects. We can make this more readable by specifying the PassThru parameter so we can post-process these objects, like displaying certain fields using the Format-Table cmdlet, e.g.

Compare-Object $a $b -PassThru | ft SideIndicator,AccountName,Rights,Source,ApplyTo

Presto! The SideIndicator is included to see in which set the attribute is contained, e.g. “<=” means the element is contained in the 1st specified (reference) object and “=>” means its is contained in the 2nd (difference) object.

If you want to include equal objects in the output as well, add the IncludeEqual parameter to the Compare-Object cmdlet.

Exchange 2010 Mailbox Role Calculator 14.2

Posted on January 23, 2011 by Michel de Rooij

After releasing version 14.1 this week, the Microsoft Exchange Team released a small update of the Exchange Mailbox Role Calculator, bringing it to version 14.2.

This version includes the following fixes since 14.1:

Fixed two-node stretched DAG scenario that resulted in calculator not reporting results due to new copy validation check.

You can download the calculator here, consult the changeblog here or read through the usage instructions here.

Exchange 2010 Mailbox Role Calculator 14.1

Posted on January 19, 2011 by Michel de Rooij

The Microsoft Exchange Team released an important update of the Exchange Mailbox Role Calculator, bringing it to version 14.1.

This version includes the following fixes since 12.8:

Fixed the Activation Results Scenarios to no longer display #NAME when dealing with dedicated lagged copy servers;
Fixed 2 LUNs / Backup Set formula for the 11th database grouping set in the DB and Log LUN Design / Server table to display the correct number of databases in the grouping set;
Fixed “Number of Active Databases / SDC Server (After First PDC Server Failure)” calculations to take into account stretched Single DAG without dedicated DR servers;
Fixed “Number of Required Mailbox Processor Cores (Primary Datacenter)” formula to respect when site resilience is disabled and A/A (Single DAG) is selected;
Fixed formatting for scenario that resulted in more HA database copies being deployed in the secondary datacenter than in the primary datacenter and also improved validation checks;
Updated “Custom Number of Databases” (Input Section) and “Number of Databases” (Role Requirements section) text to indicate in standalone situations that the “Custom Number of Databases” is per server and “Number of Databases” is for the environment;
Fixed 2nd PDC failure formula to enable site resilient scenarios that have 3 copies in PDC to allow double server failure event;
Optimized Number of Mailboxes per Database (I/O Driven) to not round up odd numbers to the next even number;
Fixed text in various comment fields.

This version also contains the following enhancements:

Added conditional formatting for Exchange Native Data Protection input factor to alert when you are deploying with less than the recommended number of HA copies;
The calculator now includes the ability to select different disk types and capacities for the storage architecture being deployed in the secondary data center.

Consult the changeblog here.You can download the calculator here. Usage instructions can be found here.

Restoring a personal archive from backup

Posted on January 7, 2011 by Michel de Rooij

Many articles discuss recovering single or multiple mailboxes from backup, but little on how to recover those personal archives (and no, recovering the mailbox doesn’t recover the personal archive, depending on your backup solution of course). I’d like to show you how to restore a personal archive using standard Exchange 2010 SP1 functionality and a backup, meaning we won’t use the dumpster and we won’t be using a lagged copy.

For our example we’ll need an archive-enabled mailbox:

Disaster strikes and you need to perform a full recovery of the personal archive. For completeness I’ll describe shortly how to restore a backup and create and mount the recovery database.

First, restore the database and logs from backup (you do have a backup, right?) and use an alternative location to restore the files. In this example, the effective restoration path for the DB will be called <RestoreDBPath>, the path for the logs will be <RestoreLogsPath>.

Second, create a recovery database using the following cmdlet:

New-MailboxDatabase –Recovery –Name RecoveryDB –Server <ServerID> –EdbFilePath <RecoveryDBPath> –LogFolder <RecoveryLogsPath>

Before you can mount the recovery database it might be required to bring it in a clean state. This means all logs need to be replayed, for which we use ESEUTIL in recovery mode (/r). The command to use is something as follows, where <PREFIX> is the prefix used by the database, e.g. ‘”E00”:

ESEUTIL /r <PREFIX> /l “<RecoveryLogsPath>” /d “<RecoveryDBPath>”

Next, mount the database using the Exchange Management Shell as follows:

Mount-MailboxDatabase RecoveryDB

Now it’s time to restore the personal archive, for which we’ll use the New-MailboxRestoreRequest cmdlet. We’ll use the TargetIsArchive parameter to specify that the restored content should be stored in the specified mailbox’s associated personal archive. Now the trick is to specify the ArchiveGuid as SourceStoreMailbox instead of the ID (yes, having a SourceIsArchive option in the future would be nice, so we don’t need to fetch the mailbox’ ArchiveGuid first). Given this information, use the following New-MailboxRestoreRequest cmdlet to restore UserID’s personal archive:

Get-Mailbox <UserID> | % { New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox $_.ArchiveGuid -TargetMailbox $_.Identity -TargetIsArchive }

This will fetch UserID’s mailbox first and pass it to the New-MailboxRestoreRequest cmdlet using the required parameters. Note that, unlike Restore-Mailbox, you can’t filter on subject, timeframe, etc. You can however optionally specify a TargetFolder to restore content in a separate folder (otherwise content will be merged, like you may expect).

The restore request is queued and you can monitor progress using Get-MailboxRestoreRequest. When the restore has finished successfully, the status will be set to Completed.

Now let’s take a look at the mailbox’ personal archive again:

When you verified everything is restored, you can remove the completed restore request using Get-MailboxRestoreRequest. For example, to remove all completed restore requests in conjunction with Remove-RestoreRequest cmdlet use the following:

Get-MailboxRestoreRequest | where { $_.Status -eq “Completed”} | Remove-MailboxRestoreRequest –Confirm:$false

The above procedure is great for restoring a single personal archive, but you can also use it to recover multiple mailboxes by passing a collection of mailboxes to New-MailboxRestoreRequest like shown above, e.g.

Get-Mailbox –Database <DatabaseID> | where {$_.Name –like “p*”} | % { New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox $_.ArchiveGuid -TargetMailbox $_.Identity -TargetIsArchive }

This will select all mailboxes on a single database (which makes sense since the recovery database will only contain the backup of a single database) and filter the selection on users with a Displayname starting with a “p”. Those users’ personal archive will be restored using RecoveryDB.