
Monday 30 September 2013

Installing Exchange 2010 SP3 in a hybrid environment

In short, the following steps were carried out on the Exchange servers:
  • Installed SP3 on the Mailbox server
  • Installed SP3 on the CAS/HUB
  • Installed SP3 on the EDGE
  • Checked the OWA web.config files for changes
  • Adjusted the IIS Default Web Site (SSL / redirection)
  • Adjusted casredirect.aspx for the hybrid environment URL
 
For OWA, redirection was enabled on the “Default Web Site” and Require SSL was unchecked, so that “http://fqdn” is redirected to “https://fqdn/owa”.
 
Because the redirection is passed down to the underlying virtual directories, it has to be switched off again there with:
 
C:\Windows\System32\inetsrv>
appcmd set config "Default Web Site/autodiscover" /section:httpredirect /enabled:false -commit:apphost
appcmd set config "Default Web Site/ecp" /section:httpredirect /enabled:false -commit:apphost
appcmd set config "Default Web Site/ews" /section:httpredirect /enabled:false -commit:apphost
appcmd set config "Default Web Site/owa" /section:httpredirect /enabled:false -commit:apphost
appcmd set config "Default Web Site/oab" /section:httpredirect /enabled:false -commit:apphost
appcmd set config "Default Web Site/powershell" /section:httpredirect /enabled:false -commit:apphost
appcmd set config "Default Web Site/rpc" /section:httpredirect /enabled:false -commit:apphost
appcmd set config "Default Web Site/rpcwithcert" /section:httpredirect /enabled:false -commit:apphost
appcmd set config "Default Web Site/Microsoft-Server-ActiveSync" /section:httpredirect /enabled:false -commit:apphost
 
This gives the following result:
 
 
More info:
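
To read back the outcome of the appcmd commands above, this added example (not part of the original post) lists the effective httpRedirect and Require SSL settings for the site root and each virtual directory. It assumes the WebAdministration module is available on the CAS; because Require SSL was unchecked on the site root, the RequireSsl column shows whether the virtual directories still enforce it.

```powershell
# Added example (not from the original post): read back the effective IIS settings.
Import-Module WebAdministration

$site  = 'Default Web Site'
$vdirs = 'autodiscover','ecp','ews','owa','oab','powershell','rpc',
         'rpcwithcert','Microsoft-Server-ActiveSync'

# Get-WebConfigurationProperty returns either a plain value or an object with .Value
function Get-PlainValue($v) {
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

$root  = "IIS:\Sites\$site"
$paths = @($root) + ($vdirs | ForEach-Object { "$root\$_" })

$report = foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found, skipped"
        continue
    }
    $redirect = Get-PlainValue (Get-WebConfigurationProperty -PSPath $path `
                    -Filter 'system.webServer/httpRedirect' -Name 'enabled')
    $ssl      = Get-PlainValue (Get-WebConfigurationProperty -PSPath $path `
                    -Filter 'system.webServer/security/access' -Name 'sslFlags')
    New-Object PSObject -Property @{
        Path            = $path
        RedirectEnabled = [bool]$redirect
        # Intended state: redirect on for the site root only, off for every child
        RedirectAsMeant = ([bool]$redirect -eq ($path -eq $root))
        # sslFlags is a list such as "Ssl, Ssl128"; "None" means SSL is not required
        RequireSsl      = ("$ssl" -match '\bSsl\b')
    }
}

$report | Format-Table Path, RedirectEnabled, RedirectAsMeant, RequireSsl -AutoSize
```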
 
 
 
Office 365 hybrid environment tuning:
 
Because of our hybrid Exchange environment, the following lines were added to the file “C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\casredirect.aspx”:
 
<%
if (RedirectionUrl.Contains("https://outlook.com/owa")) {
Response.Redirect(RedirectionUrl);
Response.End();
}
%>
 
This way all users can use the same URL and are redirected to outlook.com when necessary.
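
The test in casredirect.aspx is a substring match on the whole URL. As an added example (not part of the original post), the PowerShell function below uses the same .NET System.Uri class that is available to the ASPX page to compare scheme, host and path instead, and shows on constructed sample URLs where the two tests differ. The function name and the sample URLs are assumptions; the post does not say how RedirectionUrl is populated.

```powershell
# Added example: compare the post's substring test with a parsed URL comparison.
function Test-RedirectTarget {
    param(
        [string]$Url,
        [string]$AllowedHost = 'outlook.com',   # host taken from the check in the post
        [string]$AllowedPath = '/owa'
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false                            # not an absolute URL at all
    }
    if ($uri.Scheme -ne 'https' -or $uri.UserInfo) { return $false }
    if ($uri.Host -ne $AllowedHost) { return $false }   # -ne ignores case
    $path = $uri.AbsolutePath
    return (($path -eq $AllowedPath) -or
            $path.StartsWith("$AllowedPath/", [System.StringComparison]::OrdinalIgnoreCase))
}

# Constructed sample values, not taken from a real environment
$samples = 'https://outlook.com/owa/example.test',
           'https://portal.example.test/?next=https://outlook.com/owa',
           'https://mail.example.test/owa'

$samples | ForEach-Object {
    New-Object PSObject -Property @{
        Url            = $_
        SubstringMatch = $_.Contains('https://outlook.com/owa')   # test used in the post
        ParsedMatch    = Test-RedirectTarget -Url $_
    }
} | Format-Table Url, SubstringMatch, ParsedMatch -AutoSize
```

Only the first sample passes both tests; the second passes the substring test although its host is not outlook.com.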
 
 

Thursday 26 September 2013

PowerShell for Failover Clustering: CSV Free Disk Space

You can view the free space of a CSV with the PowerShell command Get-ClusterSharedVolume.
 
 
This is a nested object, however, and can be displayed with the Format-Custom cmdlet:
 
 
The free space is in the nested object SharedVolumeInfo\Partition and is given in bytes.
 
The script below gives you an overview of the CSVs:
 
Get-ClusterSharedVolume | select -Expand SharedVolumeInfo | select -Expand Partition | ft -auto Name,@{ Label = "Size(GB)" ; Expression = { "{0:N2}" -f ($_.Size/1024/1024/1024) } },@{ Label = "FreeSpace(GB)" ; Expression = { "{0:N2}" -f ($_.FreeSpace/1024/1024/1024) } },@{ Label= "UsedSpace(GB)" ; Expression = { "{0:N2}" -f ($_.UsedSpace/1024/1024/1024) } },@{ Label = "PercentFree" ; Expression = { "{0:N2}" -f ($_.PercentFree) } }
 
 
 
The script below shows the FriendlyVolumeName for each volume instead of the volume name.
 
Import-Module FailoverClusters
 
$objs = @()
 
$csvs = Get-ClusterSharedVolume
foreach ( $csv in $csvs )
{
   $csvinfos = $csv | select -Property Name -ExpandProperty SharedVolumeInfo
   foreach ( $csvinfo in $csvinfos )
  {
      $obj = New-Object PSObject -Property @{
         Name        = $csv.Name
         Path        = $csvinfo.FriendlyVolumeName
         Size        = $csvinfo.Partition.Size
         FreeSpace   = $csvinfo.Partition.FreeSpace
         UsedSpace   = $csvinfo.Partition.UsedSpace
         PercentFree = $csvinfo.Partition.PercentFree
      }
      $objs += $obj
   }
}
 
$objs | ft -auto Name,Path,@{ Label = "Size(GB)" ; Expression = { "{0:N2}" -f ($_.Size/1024/1024/1024) } },@{ Label = "FreeSpace(GB)" ; Expression = { "{0:N2}" -f ($_.FreeSpace/1024/1024/1024) } },@{ Label = "UsedSpace(GB)" ; Expression = { "{0:N2}" -f ($_.UsedSpace/1024/1024/1024) } },@{ Label = "PercentFree" ; Expression = { "{0:N2}" -f ($_.PercentFree) } }
 
 
 
Of course we want to be able to run this remotely; for that, PowerShell remoting must be enabled:
 
How to enable PowerShell remoting:
 
Run Enable-PSRemoting, this will perform several tasks:
  • Start (or restart, if it’s already started) the WinRM service.
  • Set the WinRM service to start automatically from now on.
  • Create a WinRM listener for HTTP traffic on port 5985 for all local IP addresses.
  • Create a Windows Firewall exception for the WinRM listener. Note that this will fail on client versions of Windows if any network cards are configured to have a type of “Public,” because the firewall will refuse to create new exceptions on those cards. If this happens, change the network card’s type to something else (like “Work” or “Private,” as appropriate), and run Enable-PSRemoting again. Alternately, if you know you have some Public network cards, add the –SkipNetworkProfileCheck parameter to Enable-PSRemoting. Doing so will successfully create a firewall exception that allows incoming Remoting traffic only from the computer’s local subnet.
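
Once remoting is enabled on a cluster node, the CSV report can be run from a management workstation. The following is an added example, not part of the original post; the node name HV-NODE01 and the 15 percent threshold are assumptions. It returns objects instead of formatted text so that volumes below the threshold can be filtered on the calling side.

```powershell
# Added example; 'HV-NODE01' and the threshold are assumed values.
$node           = 'HV-NODE01'
$minPercentFree = 15

try {
    # Runs on the node over WinRM (HTTP 5985 by default); results come back as objects
    $volumes = Invoke-Command -ComputerName $node -ErrorAction Stop -ScriptBlock {
        Import-Module FailoverClusters
        foreach ($csv in Get-ClusterSharedVolume) {
            foreach ($info in $csv.SharedVolumeInfo) {
                New-Object PSObject -Property @{
                    Name        = $csv.Name
                    Path        = $info.FriendlyVolumeName
                    SizeGB      = [math]::Round($info.Partition.Size / 1GB, 2)
                    FreeGB      = [math]::Round($info.Partition.FreeSpace / 1GB, 2)
                    PercentFree = [math]::Round($info.Partition.PercentFree, 2)
                }
            }
        }
    }
}
catch {
    # Unreachable node, remoting not enabled, or access denied
    Write-Warning "$node - $($_.Exception.Message)"
    $volumes = @()
}

$volumes | Sort-Object PercentFree |
    Format-Table Name, Path, SizeGB, FreeGB, PercentFree -AutoSize

# Report every volume that is below the threshold
$low = @($volumes | Where-Object { $_.PercentFree -lt $minPercentFree })
foreach ($v in $low) {
    Write-Warning ("{0} ({1}) has only {2}% free" -f $v.Name, $v.Path, $v.PercentFree)
}
```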
 
 

Active Directory attribute properties

Every attribute in AD has certain properties.
 
Useful to know. Here are a few examples:
 
SAM-Account-Name Attribute:
 
 
CN                      : SAM-Account-Name
Ldap-Display-Name       : sAMAccountName
Size                    : Less than 20 characters.
Update Privilege        : Domain administrator
Update Frequency        : This value should be assigned when the account record is created, and should not change.
Attribute-Id            : 1.2.840.113556.1.4.221
System-Id-Guid          : 3e0abfd0-126a-11d0-a060-00aa006c33ed
Syntax                  : String(Unicode) 
 
User-Principal-Name Attribute:
 
 
CN                : User-Principal-Name
Ldap-Display-Name : userPrincipalName
Size              : -
Update Privilege  : Domain administrator or account owner.
Update Frequency  : In theory this should never change.
Attribute-Id      : 1.2.840.113556.1.4.656
System-Id-Guid    : 28630ebb-41d5-11d1-a9c1-0000f80367c1
Syntax            : String(Unicode) 
 
The others can be found at:
 
 
 
 

Tuesday 10 September 2013

Excel columns are numbers instead of letters

You can change this by going to “Formulas” in “Excel Options” and clearing the “R1C1 reference style” checkbox there.
 

Change group scope from Global to DomainLocal

You cannot change the GroupScope directly from Global to DomainLocal, so you first have to convert the scope to Universal.
 
<<<< FOR THOSE WONDERING WHY >>>>
The reasons are largely historical.  In NT 4.0 domains, you had global groups and local groups and could not convert between the two.  When Active Directory was introduced with Windows 2000, this mechanism was held since NT 4.0 BDCs (Backup Domain Controllers) could exist in an AD domain when the domain was in either Windows 2000 Mixed Mode and later Windows 2003 Interim Mode.  Universal groups could not exist when the AD domain was in either of these modes because NT 4.0 BDCs could not interpret them.  When moved to 2000 Native Mode or higher, Universal groups and Distribution groups could be used in the AD domain.  Because of the design of the AD Schema, it became possible to convert Global or Local groups to Universal groups, and the other way around (provided the pre-requisites are met).
 
If you examine the attributes of the different types of Security groups, some of the reasoning becomes a bit more clear:
Global
groupType = 0x80000002 (ACCOUNT_GROUP | SECURITY_ENABLED)
sAMAccountType = 268435456 (GROUP_OBJECT)
 
Local
groupType = 0x80000004 (RESOURCE_GROUP | SECURITY_ENABLED)
sAMAccountType = 536870912 (ALIAS_OBJECT)
 
Universal
groupType = 0x80000008 (UNIVERSAL_GROUP | SECURITY_ENABLED)
sAMAccountType = 268435456 (GROUP_OBJECT)
 
That said, Microsoft has long recommended using the ADGLP model for RBAC in AD environments.  E.g., you place users in Global Groups, place Global Groups in Domain Local Groups, and assign permissions on objects to those Domain Local groups.  This makes sense if you examine the above attributes (Global - ACCOUNT_GROUP and GROUP_OBJECT, Local - RESOURCE_GROUP and ALIAS_OBJECT).  Some feel this security model is aging and true RBAC methods should be adopted but we aren't quite there yet in my opinion (Server 2012 is a step closer).  Anyway, the point is that if you find yourself converting groups in Active Directory, you probably have a design flaw in your group architecture.  I personally do not recommend converting between group types unless absolutely necessary.  In general, you should implement the groups correctly, migrate users and resources to the new group design, and destroy the old groups.
<<<< END OF WHY >>>>
 
You can of course do this through the GUI (one by one), or you can use PowerShell (use Filter, SearchBase and where to determine the scope):
 
The intermediate step, from Global to Universal:
 
PS C:\> Get-ADGroup -Filter "name -like 'LG_M_*'" -SearchBase "OU=Groups,DC=DOMAIN,DC=LOCAL" | where {$_.GroupScope -like "Global"} | Set-ADGroup -GroupScope Universal
 
From Universal to DomainLocal:
 
PS C:\> Get-ADGroup -Filter "name -like 'LG_M_*'" -SearchBase "OU=Groups,DC=DOMAIN,DC=LOCAL" | where {$_.GroupScope -like "Universal"} | Set-ADGroup -GroupScope DomainLocal
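
Active Directory refuses a scope change when the group is nested in a way the new scope does not allow: Global to Universal fails while the group is a member of another Global group, and Universal to DomainLocal fails while it is a member of another Universal group. The following added example (not part of the original post) checks this for one step at a time and only previews the change with -WhatIf; the function name is hypothetical, and the filter and search base are the ones used above.

```powershell
# Added example: pre-check nesting before one scope conversion step.
Import-Module ActiveDirectory

function Convert-GroupScopeChecked {   # hypothetical helper name
    param(
        [string]$From,      # current scope, e.g. 'Global'
        [string]$To,        # target scope, e.g. 'Universal'
        [string]$Filter     = "name -like 'LG_M_*'",
        [string]$SearchBase = "OU=Groups,DC=DOMAIN,DC=LOCAL"
    )
    $groups = Get-ADGroup -Filter $Filter -SearchBase $SearchBase -Properties MemberOf |
              Where-Object { $_.GroupScope -eq $From }

    foreach ($g in $groups) {
        # A parent group with the same scope as the current one blocks the conversion
        $blockers = @($g.MemberOf |
                      ForEach-Object { Get-ADGroup -Identity $_ } |
                      Where-Object { $_.GroupScope -eq $From })
        if ($blockers.Count -gt 0) {
            $names = ($blockers | ForEach-Object { $_.Name }) -join ', '
            Write-Warning ("{0}: member of {1} group(s) {2}; skipped" -f $g.Name, $From, $names)
            continue
        }
        # Remove -WhatIf to apply the change after reviewing the preview
        Set-ADGroup -Identity $g -GroupScope $To -WhatIf
    }
}

# Step 1, then (after step 1 has really been applied) step 2
Convert-GroupScopeChecked -From Global    -To Universal
Convert-GroupScopeChecked -From Universal -To DomainLocal
```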
 
 

Finding out which user is behind a SID

Run the PowerShell script below:
 
 
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-1960401961-583907252-1417001413-2304")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value
 
 

Wednesday 4 September 2013

Get-Diskfree

With the script below you can see how much disk space is allocated on a computer and how much is free:
A short script also lets you check for LOW DISK SPACE on all servers.
 
 
function Get-DiskFree
{
     [CmdletBinding()]
     param
     (
         [Parameter(ValueFromPipeline=$true,
                    ValueFromPipelineByPropertyName=$true)]
         [Alias('hostname')]
         [Alias('cn')]
         [string[]]$ComputerName = $env:COMPUTERNAME,
         [switch]$Format
     )
 
     BEGIN
     {
         function Format-HumanReadable
         {
             param ($size)
             switch ($size)
             {
                 {$_ -ge 1PB}{"{0:#.#'P'}" -f ($size / 1PB); break}
                 {$_ -ge 1TB}{"{0:#.#'T'}" -f ($size / 1TB); break}
                 {$_ -ge 1GB}{"{0:#.#'G'}" -f ($size / 1GB); break}
                 {$_ -ge 1MB}{"{0:#.#'M'}" -f ($size / 1MB); break}
                 {$_ -ge 1KB}{"{0:#'K'}" -f ($size / 1KB); break}
                 default {"{0}" -f ($size) + "B"}
             }
         }
 
         $wmiq = 'SELECT * FROM Win32_LogicalDisk WHERE Size != Null
                 AND DriveType >= 2'
     }
 
     PROCESS
     {
         foreach ($computer in $ComputerName)
         {
             try
             {
                $disks = Get-WmiObject -Query $wmiq `
                          -ComputerName $computer -ErrorAction Stop
 
                 if ($Format)
                 {
                     # Create array for $disk objects and then add each 
                    $diskarray = @()
                     $disks | ForEach-Object { $diskarray += $_ }
 
                     # The output of the computer name allows for 
                    # cleaner separation when querying multiple computers
                    Write-Output "Computer: $computer"
 
                     # Output custom formatted table
                    $diskarray | Format-Table -AutoSize `
                         @{n='Vol';e={$_.DeviceID}},
                         @{n='Size';e={Format-HumanReadable `
                         $_.Size};Align='Right'},
                         @{n='Used';e={Format-HumanReadable `
                         (($_.Size)-($_.FreeSpace))};Align='Right'},
                         @{n='Avail';e={Format-HumanReadable `
                         $_.FreeSpace};Align='Right'},
                         @{n='Use%';e={"{0:#}" -f ((($_.Size)-($_.FreeSpace))`
                         /($_.Size) * 100)};Align='Right'},@{n=' FS '`
                         ;e={$_.FileSystem};Align='Center'},
                         @{n='Type';e={$_.Description};Align='Left'}
                 }
                 else
                 {
                     foreach ($disk in $disks)
                     {
                         # Create property hash table
                        $diskprops = @{'Volume'=$disk.DeviceID;
                                     'Size'=$disk.Size;
                                     'Used'=($disk.Size - $disk.FreeSpace);
                                     'Available'=$disk.FreeSpace;
                                     'FileSystem'=$disk.FileSystem;
                                     'Type'=$disk.Description
                                     'Computer'=$disk.SystemName;}
 
                         # Create custom PS object and apply type
                        $diskobj = New-Object -TypeName PSObject `
                                     -Property $diskprops
                         $diskobj.PSObject.TypeNames.Insert(0,'BN.DiskFree')
 
                         Write-Output $diskobj
                     }
                 }
             }
             catch
             {
                 # Check for common DCOM errors and display "friendly" output
                switch ($_)
                 {
                     { $_.Exception.ErrorCode -eq 0x800706ba } `
                         { $err = 'Unavailable (Host Offline or Firewall)';
                             break; }
                     { $_.CategoryInfo.Reason -eq 'UnauthorizedAccessException' } `
                         { $err = 'Access denied (Check User Permissions)';
                             break; }
                     default { $err = $_.Exception.Message }
                 }
                 Write-Warning "$computer - $err"
             }
         }
     }
 
     END {}
}
 
 
 
 
PS C:\PSScripts>'localhost', 'computer' | Get-DiskFree -Format
 
 
>>> LOW DISK SPACE <<<
 
> IPMO AD <
 
PS C:\PSScripts>Import-Module ActiveDirectory
 
> CREATE ARRAY <
 
PS C:\PSScripts>$servers = Get-AdComputer -Filter { OperatingSystem -like '*server*' } | select -expand name
 
> VIEW ARRAY <
 
PS C:\PSScripts>Write-Output $servers
 
PS C:\PSScripts>Get-DiskFree -cn $servers | ? { ($_.Volume -eq 'C:') -and ($_.Available / $_.Size) -lt .20 } | select comp*
 
 
PS C:\PSScripts>$servers | get-diskfree -Format
 
 
> EMPTY ARRAY <
 
PS C:\PSScripts>$servers.Clear()
 
 
 

Exchange Distribution Group Warning: "the object must be upgraded to the current Exchange version"

When you make a change to an Exchange Distribution Group and get a warning such as "the object must be upgraded to the current Exchange version", you can click Yes to upgrade.
With hundreds of such groups, however, you may prefer to upgrade the ExchangeVersion of the Distribution Groups through PowerShell.
 
Warning:
 
 
 
To get an overview of the Distribution Groups with their version:
 
Get-DistributionGroup | sort exchangeversion | ft name,exchangeversion -a
 
To upgrade from a particular version to the current version:
 
Get-DistributionGroup | where {$_.Exchangeversion -like "0.1 *"} | Set-DistributionGroup
 
 

DNS server doesn't resolve TLD names

 
 
The server uses only root hints to resolve DNS records.
 
Using nslookup for troubleshooting, we found out that it was a DNS problem.
 
 
Clearing the cache resolved the problem.