Exchange Server 2013 Service Pack 1 Released!

Yesterday Microsoft released Service Pack 1 for Exchange Server 2013. There is quite a lot of news, and the Exchange Team has it well covered here.

If you want to get started directly you can download Service Pack 1 here.

Good luck and happy installing!

Receive Connector IP Range Manager – Beta 1.0

So I have this project… :)

I thought it was time to release a script, or rather an application since it has forms, that I have been working on. I bet many of you need to add and remove IP addresses and ranges from the relay receive connectors in your environment to maintain some sort of security? Well, there are scripts out there that one can use, but they can be a bit tricky. So a while ago I decided to create a forms-based one to make it easier.

More information and a download link can be found here, but I suggest that you read the entire post before running it.

It now supports both Exchange Server 2010 and 2013!

The Tool

So what can you do with this tool? In short, you can edit all of your receive connectors at the same time either manually or using one of the receive connectors as a template.

This is just a normal PS1 file and you start it as a usual PowerShell script: .\RCIPRManager.ps1.
When the tool starts it gathers information on receive connectors and their IP range lists. No editing is done at this point, so there is no harm in starting the tool and checking it out. It is not until you click Save that any changes are made. Once the tool is open, you can choose which receive connector to load IP ranges from, then add and remove rows as you wish. When you are done, multiple target receive connectors can be selected, and when you click Save the listed IP ranges are written to the target receive connectors.
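The same template-to-targets workflow can be previewed from the Exchange Management Shell. This is an added example, not code from RCIPRManager.ps1; the connector names and the backup path are hypothetical, and the refusal to copy an all-IPv4 range is a safety check assumed here, not a feature of the tool.

```powershell
# Added example: connector names are hypothetical placeholders.
$templateName = 'EX01\Relay Template'
$targetNames  = @('EX02\Relay', 'EX03\Relay')
$stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupPath   = Join-Path $env:TEMP "ReceiveConnector-RemoteIPRanges-$stamp.csv"

# Flatten a connector's RemoteIPRanges into plain strings.
function Get-RangeStrings($connector) {
    @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
}

# 1. Snapshot every connector so a bad save can be rolled back by hand.
Get-ReceiveConnector |
    Select-Object Identity,
        @{Name = 'RemoteIPRanges'; Expression = { (Get-RangeStrings $_) -join ';' }} |
    Export-Csv -Path $backupPath -NoTypeInformation -Encoding Unicode

# 2. Read the template and refuse to copy an "everyone" range.
$wanted = Get-RangeStrings (Get-ReceiveConnector -Identity $templateName)
if ($wanted -contains '0.0.0.0-255.255.255.255') {
    throw "Template '$templateName' allows all IPv4 addresses; not copying it."
}

# 3. Show the difference per target, then preview the write.
foreach ($name in $targetNames) {
    $current = Get-RangeStrings (Get-ReceiveConnector -Identity $name)
    $diff = Compare-Object -ReferenceObject $current -DifferenceObject $wanted
    if (-not $diff) {
        Write-Host "$name already matches the template."
        continue
    }
    foreach ($d in $diff) {
        $action = if ($d.SideIndicator -eq '=>') { 'add' } else { 'remove' }
        Write-Host "$name : $action $($d.InputObject)"
    }
    # Remove -WhatIf once the printed changes have been reviewed.
    Set-ReceiveConnector -Identity $name -RemoteIPRanges $wanted -WhatIf
}
```

The CSV snapshot holds the previous ranges for every connector, so a mistaken save can be reversed from it.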

Disclaimer

This is a beta, so not everything will be working as intended even though I have tested the tool quite thoroughly in a number of different environments. As usual, the script is provided “AS IS” with no guarantees, no warranties, and confers no rights.

Final notes

Feel free to use the tool, share it and alter it. But please do not claim it as your own, be sure to include a reference to this blog and if you make any changes or fix any errors I would be very happy if you post them as a comment so that all of us can benefit from your findings and knowledge. Thanks in advance!

If you need any assistance just let me know and I will be happy to help!

Exchange Server 2013 RTM CU 1 Released!

Great news today, Microsoft has released Exchange Server 2013 RTM Cumulative Update 1 and you can find it here. But before you install the CU there are a number of things you need to be aware of. Here is a short list of some of the points to consider:

  • This is a full build, which means that when installing a new server you do not need the RTM media. You can simply install using only the CU.
  • Active Directory preparation needs to be done; this includes /PrepareSchema, /PrepareAD and /PrepareDomain.
  • To upgrade from Exchange 2013 RTM run setup.exe /m:upgrade.
    Read the full release notes here (will be made available 2013-04-03).

    Microsoft Sender ID Framework SPF Record Wizard

    There are a lot of great posts out there that describe SPF and how to create the records, but not so many that refer to the Sender ID Framework SPF Record Wizard provided by Microsoft.

    Have a look at the wizard if you are planning to implement SPF, it provides the option to easily generate all SPF records you need. It can be found here!

    Exchange 2013 RTM CU1 preliminary release date is April 2nd.

    According to a post from the Exchange Team, the release date for Exchange 2013 RTM CU1 is currently planned for April 2nd. Great news even though it is a bit delayed. I am very much looking forward to this and I know that many of you are as well.

    I will post as soon as there are any updates on this, here is the original post:
    http://blogs.technet.com/b/exchange/archive/2013/03/25/exchange-2013-rtm-cu1-status.aspx

    One-liner to export all email addresses to CSV

    This command exports all email addresses for all users in the organization:

    Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, SamAccountName, PrimarySmtpAddress, @{Name="EmailAddresses";Expression={($_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}) -join ";"}} | Export-CSV c:\EmailAddresses.csv -NoTypeInformation -Encoding Unicode

    If you want to narrow it down a bit you could either add a Where filter or narrow the scope down to a specific OU, as in the following example:

    Get-Mailbox -ResultSize Unlimited -OrganizationalUnit "sundis.local/Test/Users" | Select-Object DisplayName, SamAccountName, PrimarySmtpAddress, @{Name="EmailAddresses";Expression={($_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}) -join ";"}} | Export-CSV c:\EmailAddresses.csv -NoTypeInformation -Encoding Unicode

    Let me know if you have any questions!

    Users are unable to access OWA options (ECP) in Exchange 2010 and 2013

    This is not an especially new issue but there is not much information about it so here goes anyway.

    The issue

    Some users, but not all, of a customer of mine reported that they could not save their signatures in OWA. After some investigation I found that the users that could save their signature had a Role Assignment Policy set, “Default Role Assignment Policy”. This was the only policy in use and all users should have that policy.

    When I did a quick check online, some had reported that an event with event ID 4 and the error message "The user "username" isn’t assigned to any management roles." was logged in the Application Log on the CAS servers. However, my customer had no such events in the Application Logs on their CAS servers.

    The users that could not save their signature had an empty Role Assignment Policy attribute. Exchange needs the RoleAssignmentPolicy property (msExchRBACPolicyLink attribute) to be able to determine which settings the users have the rights to change in ECP. This is based on RBAC, and if you want to read up on Role Assignment Policies have a look here.

    Let's have a look at this in more detail. I have two users: Test User1 with no policy set, and Test User2 with the “Default Role Assignment Policy” set. We will start with the first user…

     

    A broken Mailbox

    Test User1 (no policy set)
    Run the following command to view the RoleAssignmentPolicy property.

    Get-Mailbox <identity> | Format-List Name,RoleAssignmentPolicy

    Example:

    [Screenshot: OWASaveError03]

    As you can see, the RoleAssignmentPolicy property is empty. In ADSI Edit the attribute you should look for is called msExchRBACPolicyLink as shown below.

    [Screenshot: OWASaveError01]

    As you probably have guessed already, the attribute is empty for Test User1. If I go to OWA and try to change some of the options I receive the following error message “Sorry! Access Denied. You don’t have permission to open this page. If you’re a new user or were recently assigned credentials, please wait 15 minutes and try again.”.

    In both Exchange 2010 and 2013 the message looks like this.

    [Screenshot: OWASaveError05]

     

    A working mailbox

    Test User2 (“Default Role Assignment Policy” set)

    Again, run the following command to view the RoleAssignmentPolicy property:

    Get-Mailbox <identity> | Format-List Name,RoleAssignmentPolicy

    Example:

    [Screenshot: OWASaveError04]

    Much better, as you can see. When we use ADSI Edit, the msExchRBACPolicyLink attribute contains the Distinguished Name of the “Default Role Assignment Policy”.

    [Screenshot: OWASaveError02]

    For Test User2 it works fine to change the settings in ECP.

     

    Why did it happen?

    I did some more investigating and found that the reason this issue occurred for some users was that my customer created some mailboxes using AD Toolkit. When AD Toolkit creates the mailboxes the msExchRBACPolicyLink attribute is not set.

    The attribute can be set in AD Toolkit as well, by adding an attribute when creating the mailboxes and specifying the msExchRBACPolicyLink attribute with a correct Role Assignment Policy.

     

    Solution

    Well the easiest way to solve the issues is to add a Role Assignment Policy for the affected mailboxes. To find all users with an empty msExchRBACPolicyLink attribute you can run the following command.

    Get-Mailbox -ResultSize Unlimited | Where { $_.RoleAssignmentPolicy -like $null}

    Example:

    [Screenshot: OWASaveError07]


    To add a Role Assignment Policy for all the listed users run the following command:

    Get-Mailbox -ResultSize Unlimited | Where { $_.RoleAssignmentPolicy -like $null} | Set-Mailbox -RoleAssignmentPolicy "Default Role Assignment Policy"

    Example:

    [Screenshot: OWASaveError08]

    And that should be it, all users should now be able to change their settings in ECP.
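A more cautious variant of the fix above, as an added example that is not part of the original post: it looks up the organization's default policy instead of assuming its name, writes a report of the affected mailboxes, and previews the change with -WhatIf. The report path is an assumption.

```powershell
# Added example: resolve the default policy instead of hard-coding its name.
$policy = @(Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault })
if ($policy.Count -ne 1) {
    throw "Expected exactly one default role assignment policy, found $($policy.Count)."
}
$policyName = $policy[0].Name

# Mailboxes with no policy (empty msExchRBACPolicyLink).
$affected = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.RoleAssignmentPolicy })
Write-Host "$($affected.Count) mailbox(es) without a role assignment policy."

# Keep a record of what is about to change (path is an assumption).
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$reportPath = Join-Path $env:TEMP "Mailboxes-NoRoleAssignmentPolicy-$stamp.csv"
$affected |
    Select-Object Name, SamAccountName, OrganizationalUnit, WhenCreated |
    Export-Csv -Path $reportPath -NoTypeInformation -Encoding Unicode

foreach ($mbx in $affected) {
    # Remove -WhatIf after reviewing the report.
    Set-Mailbox -Identity $mbx.DistinguishedName -RoleAssignmentPolicy $policyName -WhatIf
}
```

The WhenCreated and OrganizationalUnit columns in the report help identify which provisioning process created the mailboxes without a policy.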

    Thanks for reading and do not hesitate to let me know if you run into any issues!