Jude's Blog

[New Release] Recover deleted items using M365 Exchange Admin Center

Recovering emails that users have accidentally deleted can sometimes be a painstaking task for an administrator, especially if you are in charge of 1000+ users and the majority of them are not tech savvy. For the past few years Office 365, or Microsoft 365 as we now call it, gave us two main options. The first was to use the Outlook client and the second was to use PowerShell.

Finally, Microsoft has released the ability to “Recover deleted items” using the New M365 Exchange Admin Center.

Prerequisites

  • The Exchange administrator account that will be used to recover the mail items needs to be assigned the “Mailbox Import Export” permission. To do this, you can either create a new role or modify an existing role and add “Mailbox Import Export” to its permission list.
  • Once permissions are granted, wait a few minutes, then sign out and sign in again for the permissions to become active in your session.
  • Recovery adheres to the deleted items retention policies set at the organization or user level.
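One way to meet the first prerequisite from PowerShell while keeping the role narrowly held, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session is already connected; the role group name and admin@contoso.com are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Hypothetical names: the role group and the operator account below.
$RoleName  = 'Mailbox Import Export'
$GroupName = 'Mail Item Recovery Operators'

function Get-RecoveryRoleHolders {
    # Everyone who effectively holds the role, directly or through a role group.
    Get-ManagementRoleAssignment -Role $RoleName -GetEffectiveUsers |
        Sort-Object EffectiveUserName |
        Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, AssignmentMethod
}

function Grant-RecoveryAccess {
    param([Parameter(Mandatory = $true)][string]$Operator)

    # A dedicated role group keeps this role out of broader admin groups.
    if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $GroupName -Roles $RoleName `
            -Description 'Holders may recover deleted items for users' | Out-Null
    }

    # Add the operator only if not already a member.
    $current = @(Get-RoleGroupMember -Identity $GroupName |
                 ForEach-Object { "$($_.PrimarySmtpAddress)" })
    if ($current -notcontains $Operator) {
        Add-RoleGroupMember -Identity $GroupName -Member $Operator
    }
}

function Revoke-RecoveryAccess {
    param([Parameter(Mandatory = $true)][string]$Operator)
    # Take the operator back out once the recovery work is finished.
    Remove-RoleGroupMember -Identity $GroupName -Member $Operator -Confirm:$false
}

# Review current holders, grant access for the recovery, review again.
Get-RecoveryRoleHolders | Format-Table -AutoSize
Grant-RecoveryAccess -Operator 'admin@contoso.com'
Get-RecoveryRoleHolders | Format-Table -AutoSize
# After the items are recovered:
# Revoke-RecoveryAccess -Operator 'admin@contoso.com'
```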

For the demo below, we’ll look at the following user’s Deleted Items folder.

Now that we know what items will be recovered, let’s head to the Exchange Admin Center and see how the recovery is done.

  1. Log in to the all-new Exchange Admin Center: https://admin.exchange.microsoft.com
  2. Navigate to Recipients > Mailboxes
  3. Select the user that you wish to recover the items from, click on the three dots (more options) and select Recover deleted items.

  4. Once you are on the Recover deleted items page, adjust the filters as you wish and click Apply filter. As you can see, the search results show all the mail items that are also visible in the user’s Deleted Items folder from his own login.

  5. Now to recover, you can either select a single entry, multiple entries or all items and click on the Recover deleted items button.

  6. The email item will now be restored to the Original folder as displayed in the above result summary.

And you are done!

Microsoft has really worked this feature out in terms of user-friendliness with the new EAC. This is just one feature, and in future posts I will demo the rest of the new additions. Give this a try and share your thoughts.

Microsoft Teams Attendance Report is here

The long wait is finally over. Yes, Microsoft has rolled out the much-awaited participation report for a meeting. This feature is long overdue, as getting an attendance report is indeed a must in a meeting, especially for educators. The feature has been released to general availability as a short-term workaround.

“Thank you for the feedback and waiting for this feature with patience. We have enabled the short-term fix to allow download of a meeting attendance list during a meeting (from the roster view). This is released for general availability.” – Alex (Teams Engineering, Microsoft Teams)

Now let’s see the look and feel;

For this to work, you need to be the meeting organizer. If you are, while you are in the meeting, navigate to the People pane and check the top right corner, where you will see the Download icon.

However, there is a catch as of now. The participation list download will only be available while the meeting is going on for the meeting organizer only. So if you are the organizer you might want to download the attendance list right before you exit the call.

That’s it. It’s that simple.

For Administrators

However, if you are an administrator and would like to see whether the feature is Enabled or Disabled for your tenant, you can use the below method.

Step 01: Open your PowerShell and type

Import-Module SkypeOnlineConnector

Step 02: Run the below command and enter your tenant administrator credentials;

$userCredential = Get-Credential

Step 03: Create connection to CS Online modules using the below commands;

$sfbSession = New-CsOnlineSession -Credential $userCredential

Step 04: Import CS PowerShell session

Import-PSSession $sfbSession

Step 05: Now that we are connected to the CS online for your tenant, let’s use the below command to view the Global policy settings;

Get-CsTeamsMeetingPolicy -identity Global

Take note of the AllowEngagementReport setting in the output. In our case this setting is already Enabled. Microsoft is rolling out this feature Enabled by default, so you shouldn’t need to worry about it. However, if you are unable to see the download option yet, you might want to have a look at this setting.

Step 06: In case your setting is shown as Disabled or you want to change it, you can use the below command;

Set-CsTeamsMeetingPolicy -Identity Global -AllowEngagementReport Enabled

That’s it! Your new settings will now be applied. Additionally, you might want to try the below options if you still can’t see it;

  1. Sign out and sign back in.
  2. Update your Teams app.
  3. Wait: yes, give it a few days, as the global roll-out has already started and it will come to you soon.

Written by judeperera

May 18, 2020 at 3:18 am

Exchange ECP Empty Results Issue in Internet Explorer

When it comes to browser compatibility issues, it’s always about non-Microsoft browsers having issues with Exchange Servers. But in this particular case, the issue was vice versa.

This was an Exchange 2013 environment, and the administrator reported that while using the ECP in Internet Explorer he was unable to view any data within sub-windows and the links within them were not clickable. However, when using Google Chrome or Firefox, this was not a problem.

The above image is what you get when you open a Recipient mailbox in ECP. As you can see, the values are all empty and I cannot click any of the action items on the left side.

Now let’s see what type of an approach you should take in a scenario like this.

  • Check with multiple Internet Explorer versions/users. Plus clear your cache and cookies as well.
  • Check with compatibility mode on IE.
  • Check if the issue affects both internal and external users. I’m saying this because in most cases your Exchange Servers are placed behind several layers such as proxies, load balancers etc. So, we need to narrow this down to internal or external.
  • Check if the issue is on a single server only. Go to your Exchange server, open Internet Explorer and check your ECP using localhost FQDN. By this, we can see if the issue is only on one Exchange Server or on multiple servers.
  • Now that you have figured out where and which servers are affected, it’s time to refresh your IIS cache. We do this because IIS is the first point that all web connections hit. And I’ve seen that in most client connectivity issues, doing a simple refresh or maybe a reset on IIS fixes the issue. Resetting IIS would be the last resort, as it drops all connections and users will not be able to connect until the service starts, which can take some time.

Below are the steps that worked for me;

  1. Open IIS Manager and navigate to Application Pools.
  2. Under the list of pools, you can see the MSExchangeECPAppPool. This is responsible for ECP connections and we can easily refresh the cache.
  3. Right click the MSExchangeECPAppPool and click Recycle.

  4. Now IIS will refresh your specific app pool.
  5. Log back in to the ECP and check if the issue is sorted.
  6. In my case, it was working again.

Written by judeperera

October 28, 2019 at 1:24 pm

Exchange 2016 CU Update error at “Mailbox role: Transport service”

Well, this was a strange case that I came across while installing the Exchange Server 2016 CU14 update. The setup goes all the way, throws an error at the “Mailbox role: Transport service” component installation and exits.

Issue:

Error:

The following error was generated when "$error.Clear();

if ($RoleProductPlatform -eq "amd64")

{

try

{

# Need to configure the ETL traces before the fast service is installed. This will ensure that when the service comes up

# it will have the necessary trace session setting available to read from the registry

$fastPerfEtlTraceFolderPath = Join-Path -Path $RoleBinPath -ChildPath "\Search\Ceres\Diagnostics\ETLTraces"

$fastDiagnosticTracingRegKeyPath = 'HKLM:\SOFTWARE\Microsoft\Office Server\16.0\Search\Diagnostics\Tracing'

if(-not(Test-Path -Path $fastPerfEtlTraceFolderPath))

{

$null = New-Item $fastPerfEtlTraceFolderPath -Type 'Directory' -Force

}

if (-not(Test-Path -Path $fastDiagnosticTracingRegKeyPath))

{

$null = New-Item -Path $fastDiagnosticTracingRegKeyPath -Force

}

$null = New-ItemProperty -Path $fastDiagnosticTracingRegKeyPath -Name 'TracingPath' -PropertyType 'string' -Value $fastPerfEtlTraceFolderPath -Force

$null = New-ItemProperty -Path $fastDiagnosticTracingRegKeyPath -Name 'TracingFileName' -PropertyType 'string' -Value 'DocumentProcessingTrace' -Force

$null = New-ItemProperty -Path $fastDiagnosticTracingRegKeyPath -Name 'DocumentParserSuccessLogMessage' -PropertyType 'Dword' -Value 1 -Force

$null = New-ItemProperty -Path $fastDiagnosticTracingRegKeyPath -Name 'DocumentParserLoggingNoInitialisation' -PropertyType 'Dword' -Value 1 -Force

# Max trace folder size 50 * 100 = 5GB

$null = New-ItemProperty -Path $fastDiagnosticTracingRegKeyPath -Name 'MaxTraceFileSize' -PropertyType 'Dword' -Value 50 -Force

$null = New-ItemProperty -Path $fastDiagnosticTracingRegKeyPath -Name 'MaxTraceFileCount' -PropertyType 'Dword' -Value 100 -Force

$null = New-ItemProperty -Path $fastDiagnosticTracingRegKeyPath -Name 'UseGeneralSwitch' -PropertyType 'Dword' -Value 1 -Force

$null = New-ItemProperty -Path $fastDiagnosticTracingRegKeyPath -Name 'GeneralSwitch' -PropertyType 'Dword' -Value 0 -Force

}

catch

{

# ETl tracing is not critical. Info only log

Write-ExchangeSetupLog -Info ("An exception ocurred while trying to Configure the FAST ETL traces. Exception: " + $_.Exception.Message);

}

try

{

$fastFusionRegKeyPath = 'HKLM:\SOFTWARE\Microsoft\Office Server\16.0\Search\FlightControl'

if (Test-Path -Path $fastFusionRegKeyPath)

{

Remove-ItemProperty -Path $fastFusionRegKeyPath -Name 'fusion_new_enabled' -Force -ErrorAction SilentlyContinue

Remove-ItemProperty -Path $fastFusionRegKeyPath -Name 'fusion_old_enabled' -Force -ErrorAction SilentlyContinue

Remove-ItemProperty -Path $fastFusionRegKeyPath -Name 'fusion_compare_outputs' -Force -ErrorAction SilentlyContinue

}

}

catch

{

# Removing new fusion keys is not critical. Info only log

Write-ExchangeSetupLog -Info ("An exception ocurred while trying to remove the fast new fusion reg keys. Exception: " + $_.Exception.Message);

}

$fastInstallConfigPath = Join-Path -Path $RoleBinPath -ChildPath "Search\Ceres\Installer";

$command = Join-Path -Path $fastInstallConfigPath -ChildPath "InstallConfig.ps1";

$dataFolderPath = Join-Path -Path $RoleBinPath -ChildPath "Search\Ceres\HostController\Data";

# Remove previous SearchFoundation configuration

&$command -action u -silent;

try

{

if ([System.IO.Directory]::Exists($dataFolderPath))

{

[System.IO.Directory]::Delete($dataFolderPath, $true);

}

}

catch

{

$deleteErrorMsg = "Failure cleaning up SearchFoundation Data folder. - " + $dataFolderPath + " - " + $_.Exception.Message;

Write-ExchangeSetupLog -Error $deleteErrorMsg;

}

# Re-add the SearchFoundation configuration

try

{

# the BasePort value MUST be kept in sync with dev\Search\src\OperatorSchema\SearchConfig.cs

&$command -action i -baseport 3800 -dataFolder $dataFolderPath -silent;

}

catch

{

$errorMsg = "Failure configuring SearchFoundation through installconfig.ps1 - " + $_.Exception.Message;

Write-ExchangeSetupLog -Error $errorMsg;

# Clean up the failed configuration attempt.

&$command -action u -silent;

try

{

if ([System.IO.Directory]::Exists($dataFolderPath))

{

[System.IO.Directory]::Delete($dataFolderPath, $true);

}

}

catch

{

$deleteErrorMsg = "Failure cleaning up SearchFoundation Data folder. - " + $dataFolderPath + " - " + $_.Exception.Message;

Write-ExchangeSetupLog -Error $deleteErrorMsg;

}

}

# Set the PowerShell Snap-in's public key tokens

try

{

$PowerShellSnapinsPath = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\";

$FastSnapinNames = @("EnginePSSnapin", "HostControllerPSSnapIn", "InteractionEnginePSSnapIn", "JunoPSSnapin", "SearchCorePSSnapIn");

$officePublicKey = "71E9BCE111E9429C";

$exchangePublicKey = "31bf3856ad364e35";

foreach ($fastSnapinName in $FastSnapinNames)

{

$fastSnapinPath = $PowerShellSnapinsPath + $fastSnapinName;

$assemblyNameProperty = Get-ItemProperty -Path $fastSnapinPath -Name "AssemblyName" -ErrorAction SilentlyContinue;

if ($assemblyNameProperty -ne $null -and (-not [string]::IsNullOrEmpty($assemblyNameProperty.AssemblyName)))

{

$newAssemblyName = $assemblyNameProperty.AssemblyName -ireplace ($officePublicKey, $exchangePublicKey);

Set-ItemProperty -Path $fastSnapinPath -Name "AssemblyName" -Value $newAssemblyName;

}

}

}

catch

{

# Info only log

Write-ExchangeSetupLog -Info ("An exception ocurred while configuring Search Foundation PowerShell Snapin. Exception: " + $_.Exception.Message);

}

}

" was run: "System.Exception: Failure configuring SearchFoundation through installconfig.ps1 - Error occurred while configuring Search Foundation for Exchange.System.TimeoutException: This request operation sent to net.tcp://sandesha-b.cbsl.lk:3803/Management/AdminService did not receive a reply within the configured timeout (00:01:00). The time allotted to this operation may have been a portion of a longer timeout. This may be because the service is still processing the operation or because the service was unable to send a reply message. Please consider increasing the operation timeout (by casting the channel/proxy to IContextChannel and setting the OperationTimeout property) and ensure that the service is able to connect to the client.

Server stack trace:

at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

at Microsoft.Ceres.CoreServices.Admin.IAdminServiceManagementAgent.UpdateConfiguration()

at Microsoft.Ceres.Exchange.PostSetup.NodeManager.AddNodeAndUpdateConfiguration(String node)

at Microsoft.Ceres.Exchange.PostSetup.NodeManager.DeployContentEngineNode()

at Microsoft.Ceres.Exchange.PostSetup.DeploymentManager.Install(String installDirectory, String dataDirectoryPath, Int32 basePort, String logFile, Boolean singleNode, String systemName, Boolean attachedMode)

at CallSite.Target(Closure , CallSite , RuntimeType , Object , Object , Object , Object , Object , Object , Boolean )

at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)

at Microsoft.Exchange.Management.Deployment.WriteExchangeSetupLog.InternalProcessRecord()

at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()

at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

 

Resolution:

We actually made a few changes on the server end and once we tried again, the setup ran without any issues. Therefore, if you encounter an error like the one above, you might want to try these out and see if any of them work;

  • Run the setup again and check
  • Check with anti-virus software disabled
  • Check with the firewall disabled
  • Check with the PowerShell Execution Policy of the server set to ‘Unrestricted’ (Set-ExecutionPolicy Unrestricted)

Once you have done the above, give the installer another try and hopefully this will fix it. In my case, I was able to finish the installation after doing the last three mentioned.
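One way to make the firewall and execution policy changes reversible, as an added example that is not part of the original post: it records the current settings, relaxes them only while the setup action runs, and puts them back afterwards. The function names, the state file path and the setup script block are hypothetical; anti-virus is left out because the product in use is not known.

```powershell
# Added example. Run from an elevated PowerShell session on the Exchange server.
# Function names and the state file location are hypothetical.
$StateFile = Join-Path $env:ProgramData 'pre-setup-controls.xml'

function Save-ControlState {
    # Record what was in place before touching anything, as plain strings.
    $state = [pscustomobject]@{
        ExecutionPolicy = "$(Get-ExecutionPolicy -Scope LocalMachine)"
        Firewall        = @(Get-NetFirewallProfile | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Enabled = "$($_.Enabled)" }
        })
    }
    $state | Export-Clixml -Path $StateFile
    return $state
}

function Restore-ControlState {
    # Reads the saved state from disk, so it also works after a reboot
    # or from a new session if setup was interrupted.
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile" }
    $state = Import-Clixml -Path $StateFile
    foreach ($fwProfile in $state.Firewall) {
        Set-NetFirewallProfile -Name $fwProfile.Name -Enabled $fwProfile.Enabled
    }
    Set-ExecutionPolicy -ExecutionPolicy $state.ExecutionPolicy -Scope LocalMachine -Force
    Remove-Item $StateFile
}

function Invoke-SetupWithRelaxedControls {
    param([Parameter(Mandatory = $true)][scriptblock]$SetupAction)

    Save-ControlState | Out-Null
    try {
        Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force
        Set-NetFirewallProfile -Name Domain, Private, Public -Enabled False
        & $SetupAction
    }
    finally {
        # Runs whether setup succeeded, failed or was cancelled.
        Restore-ControlState
    }
}

# Usage: wrap whatever launches the CU setup (placeholder shown).
# Invoke-SetupWithRelaxedControls -SetupAction { <launch the CU setup here> }

# Afterwards, confirm the controls are back:
# Get-ExecutionPolicy -List
# Get-NetFirewallProfile | Format-Table Name, Enabled
```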

Happy Installations!!

Written by judeperera

October 16, 2019 at 3:36 am

Fixing “451 4.7.0 Temporary server error. Please try again later. PRX4”

Issue

In this scenario we are going to talk about an issue where the Exchange server was not able to accept any inbound SMTP connections. The client had one Edge server and two Exchange 2016 Mailbox servers. Out of nowhere, they noticed that they were unable to send emails within the Exchange organization, and all inbound emails from the internet seemed to have stopped as well. In such a scenario, the first thing to do is identify the role where the issue might be. In our case this has to do with SMTP mail flow, so the Hub Transport service should be involved.

Also, looking at the mail queues in the gateway and exchange servers, the Last Known Error message is shown as below;

451 4.7.0 Temporary server error. Please try again later. PRX4

Step 01:
Our first step should be to make sure that all Exchange services are running on the servers. You can do this by going to “Services” or by opening Exchange PowerShell and running the below command to ensure that all required services are in the “Running” state.

Get-ServerComponentState -Identity <ServerIdParameter>

Step 02:
Now that we know our services are working (at least showing that it’s working) let’s do a telnet and verify. You can do this by sending an email using ‘Telnet‘ from your other hops. In my case;

  • Edge server to Exchange server 01 – Gives error “451 4.7.0 Temporary server error. Please try again later. PRX4”
  • Exchange server 01 to Exchange server 01 – Gives error “451 4.7.0 Temporary server error. Please try again later. PRX4”
  • Exchange server 01 to Exchange server 01 – Gives error “451 4.7.0 Temporary server error. Please try again later. PRX4”
  • Exchange server 02 to Exchange server 02 – Gives error “451 4.7.0 Temporary server error. Please try again later. PRX4”
  • Exchange server 02 to Exchange server 01 – Gives error “451 4.7.0 Temporary server error. Please try again later. PRX4”
  • Exchange server 02 to Edge server 01 – Message relayed successfully
  • Exchange server 02 to Edge server 02 – Message relayed successfully

What does this say? Issue is on my internal Exchange Servers, ditto!

Step 03: Now that we have established where the issue occurs and on which service, the next option was to check the AD connectivity. You can do this by checking the event log for “MSExchange ADAccess” and confirming that the Exchange and AD connection is working as expected.

Step 04: Check if the time is correct on all your Exchange servers along with the time of your AD.

Step 05: Verify that the entries in your DNS are correct and working by doing an NSLOOKUP from all Exchange servers.

Step 06: Verify that your certificates are valid and SMTP services are assigned properly.

In my scenario, all steps from 1-5 were perfectly fine except for step 6. I logged into my ECP, went to Servers and Certificates and in my list, I noticed that the certificate Status was showing as ‘Invalid‘. In addition, the certificate properties showed that the SMTP service was also assigned to this certificate.

 

Resolution

Now we can get an idea of what the issue might be: we have an Invalid certificate with SMTP assigned to it, and the Exchange server is rejecting SMTP connections. This seems to be a valid cause. Now check your other certificates too. In my case the certificate in question was an older, custom-created one, and there was a proper certificate assigned to the IIS, SMTP, POP and IMAP services. That means we can delete the invalid one. However, if the certificate is a built-in certificate or the only certificate that’s assigned to all services, ‘DO NOT DELETE’.

Before deleting, it’s always a good idea to take a backup of the certificate. To do this, follow the steps;

  1. Open MMC
  2. Click File and select Add/Remove Snap In
  3. Under the Available snap-ins, click on Certificates and Add
  4. Under Certificates snap-in select ‘Computer account’ and click Finish
  5. Select Local Computer to manage the snap-in
  6. Click OK to add the selected snap-in to console window
  7. Go to the MMC, under Personal Certificates store, right-click on your certificate that should be exported, and select All Tasks and click Export
  8. Proceed with exporting the certificate with the Private key.

Now that we have exported the certificate, we can go back to the ECP and delete the Invalid certificate.

  1. Log in to the Exchange Admin Center (ECP)
  2. Navigate to Servers and click on Certificates
  3. Select the server you want to list the certificates from the drop-down menu
  4. Select the certificate which is marked as Invalid that you want to delete
  5. Click on the delete icon (recycle-bin icon)
  6. If you have multiple servers, repeat steps 2-5 for each of them

The next step is to restart the Microsoft Exchange Transport related services so that the service refreshes its certificate list and only uses the Valid certificate(s). Do this on all servers from which you removed the certificate.

Give the services time to start and the mail queues time to retry automatically, and you will see the queued mail being delivered.
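The certificate check from Step 06 and the backup, delete and restart sequence from the Resolution can also be done from the Exchange Management Shell. The following is an added example, not part of the original post; the function name and the C:\CertBackup folder are hypothetical, and it refuses to remove anything when no valid SMTP-bound certificate would remain.

```powershell
# Added example. Run in the Exchange Management Shell on each Mailbox server.
# Repair-SmtpCertificateBinding and C:\CertBackup are hypothetical names.
function Repair-SmtpCertificateBinding {
    param(
        [string]$Server    = $env:COMPUTERNAME,
        [string]$BackupDir = 'C:\CertBackup',
        [switch]$Remove    # without this switch the function only reports and backs up
    )

    # 1. Inventory: which certificates carry SMTP, and are they usable?
    $report = Get-ExchangeCertificate -Server $Server | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Status     = "$($_.Status)"
            Services   = "$($_.Services)"
            NotAfter   = $_.NotAfter
            HasSmtp    = "$($_.Services)" -match 'SMTP'
            Problem    = ("$($_.Status)" -ne 'Valid') -or ($_.NotAfter -lt (Get-Date))
        }
    }
    $report | Format-Table Thumbprint, Status, Services, NotAfter, Subject -AutoSize | Out-Host

    $suspects = @($report | Where-Object { $_.HasSmtp -and $_.Problem })
    $healthy  = @($report | Where-Object { $_.HasSmtp -and -not $_.Problem })

    if ($suspects.Count -eq 0) {
        Write-Host 'Every SMTP-bound certificate is valid; the cause is elsewhere.'
        return
    }
    if ($healthy.Count -eq 0) {
        # Mirrors the 'DO NOT DELETE' rule: never remove the only SMTP certificate.
        Write-Warning 'No valid SMTP-bound certificate would remain. Assign a valid one first.'
        return
    }

    # 2. Back up each suspect certificate with its private key before touching it.
    $password = Read-Host 'Password to protect the exported PFX files' -AsSecureString
    foreach ($cert in $suspects) {
        $pfx  = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -Server $Server `
                    -BinaryEncoded -Password $password
        $path = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
        [System.IO.File]::WriteAllBytes($path, $pfx.FileData)
        Write-Host "Backed up $($cert.Thumbprint) to $path"

        # 3. Remove only when explicitly asked; the cmdlet still prompts for confirmation.
        if ($Remove) {
            Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -Server $Server
        }
    }

    # 4. Restart transport so it re-reads the certificate list (local server only).
    if ($Remove) {
        Restart-Service -Name MSExchangeTransport, MSExchangeFrontEndTransport
    }
}

# Report and back up only:
# Repair-SmtpCertificateBinding
# Report, back up, remove the invalid SMTP certificate and restart transport:
# Repair-SmtpCertificateBinding -Remove
```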

Written by judeperera

October 11, 2019 at 11:28 am

[Script] Shared Mailbox Convert and Enabling Sent Items Copy

This is a simple script that will allow an administrator to achieve the below tasks;

  1. Convert a User mailbox to a Shared Mailbox
  2. Enable Messages sent from the shared mailbox to be saved to the Sent Items folder of the shared mailbox

Let’s take the below scenario;

User Mailbox – user@contoso.com
Shared Mailbox – shared@contoso.com (user@contoso.com has SendAs and FullAccess permissions)

When the user (user@contoso.com) sends an email using SendAs/SendOnBehalfOf permissions for ‘shared@contoso.com’, the sent email will be available ONLY in the primary user’s ‘Sent Items’. Where the business requires the mail to also be present in the ‘shared@contoso.com’ shared mailbox, the settings below need to be enabled. Once done, an email sent with SendAs/SendOnBehalfOf permission will be in the Sent Items of both the user@contoso.com and shared@contoso.com mailboxes.

The MessageCopyForSendOnBehalfEnabled parameter specifies whether to copy the sender for messages that are sent from a mailbox by users that have the “send on behalf of” permission. In this script we will be enabling this by setting the value to $true; where when a user sends a message from the mailbox by using the “send on behalf of” permission, a copy of the message is sent to the sender’s mailbox.

The MessageCopyForSentAsEnabled parameter specifies whether to copy the sender for messages that are sent from a mailbox by users that have the “send as” permission. In this script we will be enabling this by setting the value to $true; where when a user sends a message from the mailbox by using the “send as” permission, a copy of the message is sent to the sender’s mailbox.

Want to give it a try? You can get the script here.


 

Exchange Server 2019 CU 4 Role Requirements Calculator – Download [Latest]

After a long wait, Microsoft has decided to release the Role Requirements Calculator for Exchange Server 2019.

However unlike other versions, Microsoft has decided to make getting this extremely difficult. How? By including the file only inside the Exchange Server 2019 CU2 update. Yes, now you have to download a 5GB+ file just to get a 761KB file. Well that’s a bummer indeed.

Anyhow, if anyone wants to give it a try, you can get the Exchange Server 2019 CU 4 Role Requirements Calculator here.

Written by judeperera

June 27, 2019 at 8:20 am

Restore a Deleted User Mailbox

Issue

In this scenario we are going to take an on-premise environment with a Windows Server 2012 R2 Active Directory and an Exchange Server 2016 environment. In our case, a user was accidentally deleted from the OU itself. (NOTE: It is always a best practice to enable ‘Protect object from accidental deletion’ for your AD objects.)

You can also recover a deleted mailbox using backups. However, note that backups are not current: the restore will work, but it will not give you the latest data.

Prerequisites

  1. First, we need to get the AD account restored. For this, you should have the Active Directory Recycle Bin enabled in your environment. If you don’t have this enabled already, you are out of luck.
  2. Secondly, we need to make sure that you are within the time duration mentioned in the ‘Keep deleted mailboxes for (days)’ under Exchange database properties where the user was. In our case, it was 30 days as shown below;

Solution

  1. Restore the AD account from Active Directory
  2. Ensure that the restored user account’s ‘User logon name’ has the correct domain selected.
  3. Go to the AD User properties page and note down the ‘Display Name’ of the user (ex: Jude Perera).
  4. Open Exchange Control Panel (ECP), go to Recipients > Mailboxes. Click the More Options icon, and then click Connect mailbox

  5. Click the deleted mailbox that you want to connect.
  6. Note down the ‘Display Name‘ of the user you want to restore (ex: Jude Perera).
  7. Open the Exchange PowerShell and run the below command;
    Connect-Mailbox -Identity "Jude Perera" -Database DB01 -User "Jude Perera" -Alias jude

    NOTE: The Identity parameter specifies the display name of the deleted mailbox retained in the mailbox database provided. The User parameter specifies the Active Directory user account to connect the mailbox to. The Alias parameter is the user’s email alias.

    With the Identity and User values noted in steps 3 and 6, the command is as below;

    Connect-Mailbox -Identity "Jude Perera" -Database DB01 -User "Jude Perera" -Alias jude

  8. Once you run the above command the mailbox will now be connected.
  9. To verify, go to the Exchange Admin Center and search for the user mailbox in the ‘Recipients‘. Your reconnected user will be shown.

Tip: In case you receive an error ‘Property expression “jude” isn’t valid. Valid values are: Strings that includes ‘@’, where ‘@’ cannot be the last character.’ Navigate to the AD user properties, select the ‘Account’ tab and verify that the User logon name has the domain selected properly.

Written by judeperera

March 22, 2019 at 10:45 am

SYSVOL migration from FRS to DFSR step by step

If you have a domain controller environment that’s running Windows Server 2003, 2008 or 2008 R2, it is high time to get your environment upgraded to the latest Windows Server version. However, if you are currently using one of the above operating systems OR if you previously upgraded from a legacy domain controller environment such as 2003, you might want to perform some extra steps prior to upgrading or migrating to the new Windows Server 2016+ domain controllers.

Here’s the background of the story.

File Replication Service (FRS) came into the picture with Windows Server 2000. Microsoft was using FRS to replicate the SYSVOL between its domain controller members. Later on with Windows Server 2008, Microsoft introduced Distributed File System Replication (DFSR) that was able to replicate SYSVOL.

However, environments which were migrated from legacy 2003 domain controllers tend to still use FRS. When an upgrade is planned for your domain controllers, one thing you need to consider is raising your forest and domain functional levels.

For example, a Windows Server 2008 R2 domain controller with a Windows Server 2003 forest and domain functional level may still be using FRS as the default SYSVOL replication method. If you upgrade the domain controllers in this environment to Windows Server 2016, you will run into issues with FRS.

Windows Server version 1709 can no longer be added as an Active Directory domain controller (DC) to an existing domain that is still using File Replication Service (FRS) for replication of the SYSVOL share.

When you try to add a Windows Server version 1709-based server as a DC to the domain, you receive the following error message:

  • The specified domain %1 is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated.
  • The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain.
  • You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing.

How to overcome this? Well, there is only one way and that is to migrate the replication method of the SYSVOL to DFSR. Let’s see steps to perform the migration.

The first thing you might want to do is check which SYSVOL replication method is used in your environment. To do this, open the command prompt as administrator and run the below commands;

dfsrmig /GetGlobalState

dfsrmig /GetMigrationState

What you need to focus on in the result is the state shown as Global state (‘<State>’).

  • In most cases you will see “START” as the state, which means you are running FRS and are required to perform the migration.
  • If you have “ELIMINATED” as the state, you don’t have to worry, as SYSVOL is already using DFSR.

Prerequisites

This is a very important stage. Why? Well, you are dealing with your SYSVOL and it’s better to start the migration process knowing that your domain environment is running in a healthy state.

  • You should have domain controllers running Windows Server 2008 or above ONLY. Any domain controller running Windows Server 2003 will not be able to perform the task, as you won’t be able to raise the functional levels to 2008 or above.
  • You should be running Windows Server 2008 or above domain/forest functional levels. If you don’t, it’s time to raise the functional levels.
  • Make sure that you have installed all the updates; without updates, you might still be able to go through this but it’s always recommended.
  • Verify that the built-in Administrators group has the “Manage Auditing and Security Log” user right on all your domain controllers. You can check this via running a gpresult.exe command on your domain controllers.
  • Ensure that replication for your entire organization is in a healthy state. For this, use an administrator command prompt to run the below commands;
    • repadmin /syncall /AdeP – Initiate a full sync and wait
    • repadmin /replsum – See if replication was run and you are shown with a minimum time (most recent time would be the time where you ran the above command)
    • dcdiag /e /c /q – Provides you a summary of the errors on your directory configuration for the entire environment
    • dcdiag /e /test:sysvolcheck /test:advertising – This will ensure that SYSVOL is advertised among all domain controllers without any issues
    • If you encounter any abnormal issues, don’t proceed. Fix It!

Migration

In this document I will be taking you through the process of what we call a ‘Quick Migration’. This involves migrating in a slow, phase by phase method where you will have the option to roll back. This is always preferred.

The migration will take you through migrating to below levels step by step;

0 Start State

1 Prepared State

2 Redirected State

3 Eliminated State

For the next few steps, we will be using the command ‘dfsrmig /SetGlobalState <state>’ where the state can be chosen from the above numerical value 0-3.

Prepared State

As we saw earlier, you will be shown to be in the ‘Start State’. Our task is to migrate the DFSR state to ‘Prepared’. For this, open the command prompt as administrator and run the below command;

dfsrmig /SetGlobalState 1

What happens is that the domain controller on which you ran the command starts the migration task for the given state and informs the rest of the servers. This will therefore take time, and depending on your links, the time to complete on each server may vary. Once the command is executed, wait for 15 minutes and run the below command to view the status of the migration process.

dfsrmig /GetMigrationState

As you can see, the state is still ‘Start’ in three of my servers. What you can do to speed up the process is;

  1. Wait till it completes by itself
  2. Run a repadmin /syncall /AdeP to manually invoke replication to each domain controller

Once the migration is complete, you will receive the below message. Note that it says the state is now ‘Prepared’.

Also notice that you will have a new folder inside the NTDS for SYSVOL;

Redirected State

After the above task, you will be shown to be in the ‘Prepared State’. Our task is to migrate the DFSR state to ‘Redirected’. For this, open the command prompt as administrator and run the below command;

dfsrmig /SetGlobalState 2

Once the command is executed, wait for 15 minutes and run the below command to view the status of the migration process.

dfsrmig /GetMigrationState

As you can see, the state is still ‘Start’ in three of my servers. What you can do to speed up the process is;

  1. Wait till it completes by itself
  2. Run a repadmin /syncall /AdeP to manually invoke replication to each domain controller

Once the migration is complete, you will receive the below message. Note that it says the state is now ‘Redirected’.

Eliminated State

After the above task, you will be shown to be in the ‘Redirected State’. The next task would be the final task which is to migrate the DFSR state to ‘Eliminated’. For this, open the command prompt as administrator and run the below command;

dfsrmig /SetGlobalState 3

Once the command is executed, wait for a few minutes and run the below command to view the status of the migration process.

dfsrmig /GetMigrationState

As you can see, the state is still ‘Start’ in three of my servers. What you can do to speed up the process is;

  1. Wait till it completes by itself
  2. Run a repadmin /syncall /AdeP to manually invoke replication to each domain controller

Once the migration is complete, you will receive the below message. Note that it says the state is now ‘Eliminated’.

With this, we conclude the migration of the SYSVOL to DFSR. You can monitor for a while and check for any errors using DCDIAG and REPADMIN.
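One way to enforce the phase-by-phase approach described above is to advance a single state per run and wait until every domain controller reports it; this is an added example, not the author's script. The function names, poll limits and the matched English dfsrmig phrases are assumptions to confirm against your own output.

```powershell
# Added example (not from the original post). Run elevated on a domain controller.
$StateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Test-MigrationConsistent {
    param([string[]]$Output, [string]$StateName)
    # ASSUMPTION: English dfsrmig wording; compare with your own output first.
    $text = $Output -join "`n"
    $rightState = $text -match "Global state \('$StateName'\)"
    $consistent = ($text -match 'reached a consistent state on all') -and
                  ($text -notmatch 'not yet reached')
    return ($rightState -and $consistent)
}

function Step-SysvolMigration {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 3)][int]$State,
        [int]$PollMinutes = 15,
        [int]$MaxPolls = 16
    )
    $target   = $StateNames[$State]
    $previous = $StateNames[$State - 1]
    # Refuse to skip a phase: every DC must already be consistent one state back.
    $before = dfsrmig /GetMigrationState
    if (-not (Test-MigrationConsistent -Output $before -StateName $previous)) {
        throw "Domain is not consistent at '$previous'; not setting state $State."
    }
    dfsrmig /SetGlobalState $State | Out-Host
    for ($i = 1; $i -le $MaxPolls; $i++) {
        Start-Sleep -Seconds ($PollMinutes * 60)
        $out = dfsrmig /GetMigrationState
        if (Test-MigrationConsistent -Output $out -StateName $target) {
            return "All domain controllers report '$target'."
        }
        Write-Host "Poll ${i}: not consistent yet; invoking replication."
        repadmin /syncall /AdeP | Out-Null
    }
    throw "Timed out waiting for '$target'; check dcdiag and repadmin before retrying."
}

# Constructed sample text (not captured output) to exercise the parser offline:
$sample = "All Domain Controllers have migrated successfully to Global state ('Prepared').",
          'Migration has reached a consistent state on all Domain Controllers.'
Test-MigrationConsistent -Output $sample -StateName 'Prepared'

# One phase per run, so each state can be monitored before the next:
# Step-SysvolMigration -State 1
```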

Really appreciate all your comments, especially if I have missed anything or made a mistake regarding the installation. 🙂

(c) Copyrights Reserved! Do not share or use any content in any way without approval from poster!

Written by judeperera

March 19, 2019 at 4:59 am

Step by Step Guide for Installing Exchange Server 2019 Preview

The following section describes a step-by-step guide for the installation of Microsoft® Exchange Server 2019 Preview. The installation considers a single server deployment of Exchange Server 2019. Additional details of the topology and architecture of the lab environment used in the installation are described here;

Active Directory Domain Controller(s)

  • Operating System: Windows Server 2019 preview
  • Forest Functional Level: Windows Server 2019 preview
  • Domain Functional Level: Windows Server 2019 preview

Exchange 2019 server(s)

  • Operating System: Windows Server 2019 preview
  • .Net Framework: Version 4.7.2 (default)

Exchange 2019 prerequisites

Domain Controller Support

The following Active Directory writable Domain Controller(s) are supported;

  • Windows Server 2012 R2
  • Windows Server 2016 (Core and Desktop Experience)
  • Windows Server 2019 preview (Core and Desktop Experience)

Operating System Support

  • Windows Server 2016 (Core and Desktop Experience)
  • Windows Server 2019 preview (Core and Desktop Experience)

.Net Framework Support

Other requirements

Active Directory preparation

The first task in the installation of any version of Exchange is to prepare the Active Directory environment where the Exchange Server will be placed. However, prior to the preparation, the environment should be checked against the Domain Controller support prerequisites mentioned above. Once those requirements are verified, proceed with the following preparation tasks on the server/computer which will be used to prepare the Active Directory.

We will be using the Exchange Server itself to prepare the Active Directory.

  1. Install .NET Framework 4.7.1 or .NET Framework 4.7.2 as supported by your Operating System (mentioned above)

    Note: .Net Framework 4.7.2 is already included with Windows Server 2019 preview and does not need to be downloaded or installed

  2. Once the installation is complete perform a reboot.
  3. Open a Windows PowerShell
  4. Run the below command to install Remote Administration tools

    Install-WindowsFeature RSAT-ADDS


  5. Run the below command to install the server prerequisites

    Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS


Prepare Active Directory and domains

To prepare Active Directory and the domains for Exchange 2019, follow the steps below. The commands must be run by an account with Schema Admins and Enterprise Admins group membership.

  1. Mount the Exchange Server 2019 Preview Installation Media
  2. Open up a Command Prompt
  3. Navigate to the Exchange Installation media path
  4. Run the following command to extend the schema.

    Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

  5. Once the setup completes successfully, run the following command

    Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms


  6. Run the below command to prepare each of the Active Directory domains

    Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms


    Now that your Active Directory forest and the domains are prepared, we can finally run the Exchange Installation Wizard

Install Exchange Server 2019

If you’re installing the first Exchange 2019 Preview server in the organization, and the Active Directory preparation steps have not been performed, the account you use must have membership in the Enterprise Administrators group. If you haven’t previously prepared the Active Directory Schema, the account must also be a member of the Schema Admins group.

  1. Mount the Exchange Server 2019 Preview Installation Media
  2. Start Exchange 2019 Preview Setup by double-clicking Setup.exe
  3. On the Check for Updates page, select whether you want Setup to connect to the Internet and download product and security updates for Exchange 2019 Preview and click Next

  4. Once you click Next, the setup will copy the installation binaries to the local drive and prepare for the installation

  5. Once completed, you will be prompted with the Introduction Page
  6. The Introduction page gives additional guidance for the installation procedure. Review the content and Click Next to continue

  7. On the License Agreement page, review the terms. If you agree to the terms, select I accept the terms in the license agreement, and then click next

  8. On the Recommended Settings page, select whether or not you want to use the recommended settings, such as error checks and usage feedback, and then click Next

  9. As you can see, just like Exchange 2016, Exchange 2019 has only a Mailbox role and an Edge role. Select the role you require and, to be sure, tick “Automatically install windows server roles and features…”. Although we covered the prerequisites earlier, ticking this ensures that the setup installs anything we missed

  10. On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location with adequate storage space, click next to proceed

  11. If installing the Mailbox role a Malware Protection Settings page will appear. Choose whether to enable or disable malware scanning and click Next. (For demo purposes, I will be proceeding with Yes)

  12. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If unsuccessful, perform the required tasks and click Back, and Next to run the Readiness check again. If successful, click install to proceed with installing Exchange Server 2019

  13. Now the installation will proceed; note that this will take time depending on your environment

  14. Once the setup completes the installation, on the Completion page, click Finish

  15. Now that the Exchange installation is complete, it’s always good to reboot your server

Review Exchange Installation

Once all the above tasks are performed, proceed with the below steps to verify the installation using the Exchange 2019 Administrative Center and PowerShell.

The Exchange Administration Center (EAC) is the web-based management console in Microsoft Exchange Server 2019 Preview that allows for ease of use and is optimized for on-premises, online, or hybrid Exchange deployments. To navigate to the Exchange Admin Center;

  1. Open the web browser.
  2. Navigate to the below URL, provide your credentials and then click sign in.

    https://localhost/ecp


  3. Review the tabs and sections in the new Admin Center

There you go. Time to play! Hope this guide helped you. Don’t forget to keep checking for some exciting new posts on how to play around with the all-new Admin Center, as well as a step by step guide for installing Skype for Business Server 2019 preview in the next couple of days.

Really appreciate all your comments, especially if I have missed anything or made a mistake regarding the installation. 🙂

(c) Copyrights Reserved! Do not share or use any content in any way without approval from poster!

Written by judeperera

August 6, 2018 at 5:44 pm