Author Archives: Michel de Rooij

Unknown's avatar

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

Exchange 2010 Update Rollup 1

Posted on by
Reply

Today, about one month after Microsoft Exchange Server 2010 RTM, Microsoft released Update Rollup 1. The following fixes are included in this RU:

  • 977439 Exchange Server 2010 users cannot open certain attachments when they access their mailboxes by using Outlook Web App
  • 977551 Meeting requests that are sent to a room mailbox are not processed in Exchange Server 2010
  • 977552 Exchange RPC Client Access service crashes in the Handler.dll that is located on an Exchange 2010 Client Access service server
  • 977553 Exchange RPC Client Access service crashes in Parser.dll on the Exchange Server 2010 CAS server
  • 977554 The subject or body of a message that is hosted in an Exchange Server 2010 mailbox is not set as expected
  • 977555 The message body is inaccessible when the property conversion from PR_BODY_HTML to PR_BODY fails
  • 977556 The body text of an e-mail message is invisible after you create exceptions for a recurring appointment or for a recurring meeting by using a CDO application together with Exchange Server 2010
  • 977557 An E_FAIL error occurs when you create an exception to a meeting request by using a CDO application for a Microsoft Exchange Server 2010 mailbox
  • 977558 A folder name is not changed when you try to move and then rename the folder in an Exchange Server 2010 mailbox by using the CopyFolder method of the IMAPIFolder interface
  • 977559 The location of a meeting or an appointment is not updated on an Exchange Server 2010 mailbox
  • 977560 Update fails when you use a CDO application to update a recurrence task on Exchange Server 2010
  • 977561 VSS backup process stops responding when you try to perform a Volume Shadow Copy Service (VSS) backup for Exchange Server 2010 databases

The knowledgebase article can be found here. You can download Rollup 1 directly from here.

Microsoft Forefront Protection 2010 for Exchange Server Best Practices Analyzer

Posted on by
Reply

Today Microsoft released the (take a deep breath) Microsoft Forefront Protection 2010 for Exchange Server Best Practices Analyzer (v11.0), or FPE 2010 BPA for short. The FPE 2010 BPA examines servers running ForeFront Protection 2010 for Exchange Server and checks the system configuration as well as the product configuration. Any settings or combination of settings that do not conform to FPE 2010 best practices are reported, enabling administrators to easily identify and address possible issues.

I assume everbody knows how these BPAs work, but in case you don’t proceed as follows:

  1. Download the FPE 2010 BPA from this location;
  2. Install the ForeFront Server Protection Best Practices Analyzer (FPBPA) on a server containing ForeFront Security 2010 for Exchange Server;
  3. Use the default settings and have FPBPA retrieve updates from the internet when required;
  4. Start FPBPA. It will check for online updates;
  5. Click Select options for a new scan;
  6. Enter a scan label, i.e. Initial FPBPA Scan, and click Start Scanning. FPBPA will now scan your ForeFront environment;
  7. When Scanning Completed click View a report of this Best Practices scan.

As you can see from the first issue, I still need to install the RTM 🙂  The second issue is about a non-configured critical error notification, i.e.  it has no no e-mail recipient specified. The other two issues are about possible misconfiguration of the number of scan processes (as FPE 2010 BPA states, the recommended setting is twice the number of CPUs here).

Exchange 2010 Role Based Access Control

Posted on by
15

Those who are about to switch to Exchange 2010 from Exchange 2007 will encounter major changes (and challenges) in the Exchange permissions model.  For those still on Exchange 2003 (or earlier ..), changes are more or less the same.

Exchange 2007

Before we dive into Exchange 2010 we’ll have a quick look at how permissions and delegations are managed in Exchange 2007. In Exchange 2007 we get the following security groups out of the box:

  • Exchange Organization Administrators;
  • Exchange Recipient Administrators;
  • Exchange Server Administrators;
  • Exchange View Only Administrators;
  • Exchange Public Folder Administrators.

That seems limited and very task oriented. Memberships are managed using the Exchange Management Console or through the cmdlets Add-ExchangeAdministrator, Get-ExchangeAdministrator en Remove-ExchangeAdministrator. Also, by default, Recipient Administrators get permissions on all recipients within the Exchange organization. Domain or OU delegations are possible, but require a little additional configuration (see http://technet.microsoft.com/en-us/library/bb232100.aspx).

Exchange 2010

Here comes Exchange 2010. New in Exchange is management of delegation and permissions through the so called Role Based Access Control model, shortened to RBAC. RBAC is partially configurable through the RBAC User Editor (Exchange Management Console > Toolbox) or fully using cmdlets. The RBAC model is based on three pillars, Who, What and Where.

Who

The Who (not the band) determines which user (in RBAC users are represented by mailboxes) or group (Universal Security Group) receives permissions. This information is stored in Role Groups, which can be managed through the RoleGroup and RoleGroupMember cmdlets.

To create a new Role Group we use the New-RoleGroup, like:
New-RoleGroup “UM Pincode Resetter” –Roles “Reset UM Pin”

Users or groups can be added directly to the Role Group at creation time, or can be added by using the Add-RoleGroupMember, like:
Add-RoleGroupMember “UM Pincode Resetter” –Member Angelique

To manage a Role Group, one has to be a member of the Organization Management Role Group or be the manager of the Role Group as determined by the ManagedBy attribute. Pay attention, members of the Organization Management Role Group manage the Organization Management Role Group. You could create a situation where nobody is able to manage anything.

Take note that a Role Group is nothing else but a Universal Security Group with a special flag indicating the USG is a Role Group. In Active Directory, Role Groups are located in the Microsoft Exchange Security Groups OU.

What

The What decides what permissions are assigned by creating sets of cmdlets and parameters. This information is stored in RBAC’s Management Roles which can be managed through the ManagementRole and ManagementRoleEntry cmdlets.

Of itself, Exchange 2010 knows about 65 Management Roles, which can be queries using:
Get-ManagementRole

The permissions of a Management Role can be retrieved through the Get-ManagementRole (Roles attribute) or through the Get-ManagementRoleEntry cmdlet:
Get-ManagementRoleEntry “UM Mailboxes\*”

What we see are all cmdlets and parameters available to the Management Role “UM Mailboxes”.

When creating our own Management Role, we need to specify an existing Management Role, the so called parent:
New-ManagementRole –Name “Reset UM Pin” –Parent “UM Mailboxes”

Be advised only custom Management Roles can be removed and all permissions of a Management Role should be removed before the Management Role itself can be removed. By specifying the recurse parameter in the Remove-ManagementRole cmdlet you can perform cascaded deletes of custom Management Roles with a parent-child relationship.

After creating the custom Management Role with initial settings taken from the parent, we can start adding or removing permissions. Be advised that Management Roles require at least one Management Role Entry. Also, in order for Set cmdlets to work, you should allow the Get counterparts, so we will start by removing all ManagementRoleEntry items but one:
Get-ManagementRoleEntry “Reset UM Pin\*” | where { $_.name –ne “Get-UMMailboxPIN”} | Remove-ManagementRoleEntry

Next, we can add custom permissions using Add-ManagementRoleEntry:
Add-ManagementRoleEntry “Reset UM Pin\Set-UMMailboxPIN” –Parameters “Identity,Pin,PinExpired,LockedOut”

What might be helpful is that Get-ManagementRoleEntry can be used to retrieve all Management Roles which are allowed to execute certain cmdlets with what parameters, e.g.:
Get-ManagementRoleEntry “*\*” | where { $_.Name –eq “Set-User” }

Where
Where determines the scope, which can be anything from a certain group of users, a server or an Active Directory site to an Organizational Unit or complete organization. RBAC has two types of scopes. First are Implicit scopes, which are scopes defined by the default Management Roles, e.g. Organization, MyGAL, Self, MyDistributionGroups, OrganizationConfig and None. Second type are Explicit scopes, which are predefined or custom scopes.

To view the scopes of a Management Role use the Get-ManagementRole, e.g.:
Get-ManagementRole “UM Mailboxes” | fl *scope*

As we can see, a Management Role has four scopes:

  • Recipient Read Scope: Which AD recipient objects one can read from;
  • Recipient Write Scope: Which AD recipient objects one can write to;
  • Configuration Read Scope: Which AD configuration objects one can read from;
  • Configuration Write Scope: Which AD configuration objects one can write to.

As said earlier, new Management Role entries must be based on an existing Management Role. At creation time the new Management Role will inherit (i.e. copy settings) the original scopes from the parent, after which they can be changed. Also, remember that the Write scope must be equal or smaller than the Read scope; you need to be able to Get things before you can Set things.

To create a custom scope use the New-ManagementScope cmdlet with one of the following, mutually exclusive, filters:

  • RecipientRestrictionFilter to filter Recipients. You can optionally specify the root using the RecipientRoot, otherwise it will apply to the whole organization;
  • ServerRestrictionFilter to filter Server objects;
  • ServerList to filter server names.

Examples:
New-ManagementScope –Name “NL Site” –ServerRestrictionFilter {ServerSite –eq “NL”}
New-ManagementScope –Name “Staff Secretaresses” –RecipientRoot “domain.local/Staff” –RecipientRestrictionFilter { memberofgroup -eq “cn=Secretaries,ou=Users,dc=domain,dc=local” }

Regarding the possibilities of filtering Exchange 2010 refers to Exchange 2007 documentation, see http://technet.microsoft.com/en-us/library/bb738155.aspx. For more background information on scopes, see http://technet.microsoft.com/en-us/library/dd335146%28EXCHG.140%29.aspx.

1+1+1=3

After defining the Who, What and Where we can start combining these elements by using Role Assignments. A Role Assignment is the link between a Role Group and a Management Role, with additional attributes like Recipient and Configuration Scopes.

Existing Role Assignments of a Role Group can be retrieved using Get-RoleGroup, e.g.:
Get-RoleGroup “UM management” | fl

The attribute RoleAssignment contains the current Role Assignments. All Role Assignments can be queried using Get-ManagementRoleAssignment, e.g.:
Get-ManagementRoleAssignment “UM Mailboxes-UM Management” | fl

As we can see, Microsoft used a combination of the ManagementRole and RoleGroup names to label Role Assignments. This is good practice and makes it easier to understand – and remember – which Role Assignment affects which Management Role and Role Group.

Using New-ManagementRoleAssignment we can assign a ManagementRole to a Role Group or other USG, a policy (more on this perhaps in another article) or user (mailbox), e.g.
New-ManagementRoleAssignment –Name “Reset UM Pin-UM Pincode Resetter” –Role “Reset UM Pin” -SecurityGroup “UM Pincode Resetter” –CustomRecipientWriteScope “Staff Secretaresses”

Conclusion

The Exchange 2010 and RBAC model create new opportunities for customers. Large companies, who probably already have complex delegation models in-place, will like the more fine grained controls to support business requirements. Their challenge lies in converting their existing model to the new designed RBAC model. For smaller customers the default set of roles, groups, scopes and assignments might appear overwhelming at first, but eventually be found an asset as it supports least privilege security model and get rid of the (Exchange) Adminsistrators surplus.

71-663 Beta Exam

Posted on by
Reply

Today I had a shot at the Microsoft Beta Exam 71-663, Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010. Largely on autopilot – the last time exam was in February – I went to the Exam Center of Global Knowledge only to find an half-empty building with new occupants; the company’s sign still was on the building. After some calls I discovered they relocated in March this year to the other side of Nieuwegein. Luckily I still was allowed to take the exam (normally you need to be there 30 mins in advance). Also, I am lucky my exam didn’t get cancelled. It turns out something went wrong with the application as it was uncapped and too much candidates could apply for 71-663 than was planned for. Shame.

Oh yeah, without going into too much details because of the NDA: the exam was ok.

Exchange 2010 Database Compression

Posted on by
1

One of the features of Exchange versions up to 2007 is Single Instance Storage (SIS). What SIS does is that it creates a single instance of messages sent to multiple recipients within the same database. Simply said, the first one gets a copy of the message in his or her mailbox, others get a referral to the message.

With the arrival of Exchange 2010 Microsoft made changes to the Extensible Storage Engine (ESE) .. again. Many of these changes are beneficiary to the performance of the system (read: less IOPS). For instance, Exchange 2010 uses larger pages and it orders database pages in the background. In an optimal situation this will result in an IOPS reduction of 70% versus Exchange 2007 (against Exchange 2003 a whopping 90%).

However, one of the victims of the new ESE is Single Instance Storage. This sounds worse than it is. Large (1 GB+) mailboxes are common nowadays, the maximum number of databases has increased and when looking at recovery times you are more likely to use multiple databases to reduce recovery times.

These developments also reduce the effectiveness of Single Instance Storage, which only works in a single database. In addition, the price of storage has dropped enormeously and focus these days is more on performance than on disk space.

Now before you think about getting additional storage space to counter the effects of SIS absence, I have good news. The new Exchange 2010 ESE engine has built-in storage compression. Certain parts of e-mail messages (headers, body) are stored in compressed format. Attachments are not compressed. Reason for not compressing attachments is that (de)compressing would be too CPU intensive (goodbye to performance improvements due to I/O reduction). Another reason I can think of is that it would be pointless to compress attachments as 90% of the attachments are probably already compressed (zip, docx, jpg).

First measurements show storage compression neutralizes the effects of SIS being gone. In fact, results are expected to be a lot better because storage compression doesn’t rely on messages being stored in the same database. Measurements also indicate overhead caused by (de)compression is equal or less than the amount of overhead required for the extra IOPS for fetching/storing uncompressed information.

For those interested, the algorithm used here is the same as in MAPI and DAG network traffic, i.e. XPRESS. This is a Microsoft implementation of the LZ77 algorithm. For more background information – or if you can’t sleep – check out the underlying RTF Extensions Specification.