SMTP certificate renewal and EDGE subscription

I had to renew the SMTP certificate on our Edge Transport servers. Here is the procedure for renewing the certificate and re-creating the Edge Subscription. The procedure starts at the point where the CSR has been created and the certificate has been received from the trusted CA.

1. Import new certificate
To import the certificate into the local certificate store, run:

Import-ExchangeCertificate -FileData ([byte[]]$(Get-Content -Path "D:\tempo\certificate_mx1_2013.cer" -Encoding Byte -ReadCount 0))

2. Connect the pending request to the certificate
If step 1 did not link the certificate to its pending request inside the certificate store, run:

certutil -repairstore my "1268f7300044bc90ff426d5f515d3729"

The explanation can be found in my previous article: https://ficility.net/2013/02/25/exchange-2010-complete-certificate-request-problem/

3. Enable the new Exchange certificate for the SMTP service
Before the certificate can be used, it must be enabled for the particular services. The certificate is identified by its thumbprint:

Enable-ExchangeCertificate -Thumbprint 81315B240A62B5B5AD5570AA58A06D90B4B90B7E -Services SMTP

Result:

[PS] C:\Windows\system32>Enable-ExchangeCertificate 81315B240A62B5B5AD5570AA58A06D90B4B90B7E -Services SMTP

Confirm
Overwrite the existing default SMTP certificate?

Current certificate: 'C661DC9E16FB391EDA2A852C3514AD035D710F68' (expires 4/27/2013 2:59:59 AM)
Replace it with certificate: '81315B240A62B5B5AD5570AA58A06D90B4B90B7E' (expires 4/28/2014 2:59:59 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this
Edge Transport server is subscribed to an Active Directory site, you must  subscribe it again by using the
New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.
[PS] C:\Windows\system32> 

4. Restart the transport service and the AD LDS service
At this moment e-mail stops flowing to this Edge server, because AD LDS is now using the new certificate while the Edge Subscription still refers to the old one.

5. Create the subscription file (XML) on the Edge server and copy it to the HUB server
We don't need to create connectors for the Edge Subscription, since they already exist. The Edge server must be subscribed to the AD site within 24 hours of creating the subscription file.

New-EdgeSubscription -FileName d:\subscription_2013.xml -Site <SITE_NAME> -CreateInternetSendConnector $false -CreateInboundSendConnector $false

Result:

[PS] C:\Windows\system32>New-EdgeSubscription -FileName d:\subscription_2013.xml -Site Default-First-Site-Name -CreateInternetSendConnector $false -CreateInboundSendConnector $false

Confirm
The Edge Subscription should be completed inside your organization within the next "1440" minutes before the bootstrap
account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

6. Subscribe the Edge server on the HUB using the subscription file (XML)
We need to re-create the trusted connection between the Edge server and the HUB servers. The subscription must be re-created because AD LDS needs to use the new certificate instead of the old one. It is enough to subscribe each Edge server once per subscription file.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "D:\subscription_2013.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

7. Restart the Edge server
Just to be sure all settings are applied before testing.

8. Test the Edge Subscription
If the test is not successful, you receive an error.

Test-EdgeSynchronization -FullCompareMode

Successful result:

[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode


RunspaceId                  : 4f4c61e7-1059-43fc-963b-877641087e2a
SyncStatus                  : Normal
UtcNow                      : 4/26/2013 6:43:50 AM
Name                        : EDGE
LeaseHolder                 : CN=HUB2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrati
                              ve Groups,CN=OR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=SALONOVI,DC=cz
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 4/26/2013 7:12:12 AM
LastSynchronizedUtc         : 4/26/2013 6:42:12 AM
TransportServerStatus       : Synchronized
TransportConfigStatus       : Synchronized
AcceptedDomainStatus        : Synchronized
RemoteDomainStatus          : NotSynchronized
SendConnectorStatus         : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 6
CookieRecords               : Number of cookies 2

9. Test mail flow

10. To start Edge synchronization manually

Start-EdgeSynchronization

Result:

[PS] C:\Windows\system32>Start-EdgeSynchronization


RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Configuration
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Recipients
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0
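Two small verification helpers for the procedure above, added here as an example; they are not part of the original post and the function names are my own. Get-SmtpCertificateStatus is meant to run in the Exchange Management Shell on the Edge server (the certificate enabled for SMTP there is the one the warning in step 3 refers to as the internal transport certificate), and Test-EdgeSyncHealthy on a Hub server after step 8, where it reduces the Test-EdgeSynchronization output to pass/fail and lists every *Status attribute that is not Synchronized (the sample output above shows RemoteDomainStatus : NotSynchronized).

```powershell
# Added example, not code from the original post. Assumes an Exchange Management Shell;
# Get-SmtpCertificateStatus on the Edge server, Test-EdgeSyncHealthy on a Hub server.

function Get-SmtpCertificateStatus {
    # Lists every certificate enabled for SMTP together with its remaining validity,
    # warning about those that expire within $WarnDays.
    param([int]$WarnDays = 30)

    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'SMTP' } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
            if ($daysLeft -lt $WarnDays) {
                Write-Warning ("Certificate {0} expires in {1} days ({2})" -f $_.Thumbprint, $daysLeft, $_.NotAfter)
            }
            New-Object PSObject -Property @{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                SelfSigned = $_.IsSelfSigned
            }
        }
}

function Test-EdgeSyncHealthy {
    # Runs the full compare and returns $true only if every Edge server reports
    # SyncStatus Normal and every *Status attribute reads Synchronized.
    $healthy = $true
    foreach ($s in (Test-EdgeSynchronization -FullCompareMode)) {
        $pending = $s.PSObject.Properties |
            Where-Object { $_.Name -like '*Status' -and $_.Name -ne 'SyncStatus' -and "$($_.Value)" -ne 'Synchronized' } |
            ForEach-Object { "{0}={1}" -f $_.Name, $_.Value }
        if ("$($s.SyncStatus)" -ne 'Normal' -or $pending) {
            $healthy = $false
            Write-Warning ("{0}: SyncStatus={1}; {2} {3}" -f $s.Name, $s.SyncStatus, ($pending -join ', '), $s.FailureDetail)
        }
    }
    $healthy
}

# Usage:
# Get-SmtpCertificateStatus | Format-Table Thumbprint, DaysLeft, NotAfter, SelfSigned
# if (-not (Test-EdgeSyncHealthy)) { Start-EdgeSynchronization }
```

Running Get-SmtpCertificateStatus before step 1 shows which certificate is about to expire, and running it after step 3 confirms the new thumbprint is the SMTP-enabled one; Test-EdgeSyncHealthy is a convenient check to repeat after the manual Start-EdgeSynchronization in step 10.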

Links: http://technet.microsoft.com/en-us/library/bb310755(v=exchg.80).aspx

How to change TEMP files location in Windows


Default temp location is C:\Windows\Temp or %SystemRoot%\TEMP.

The location can be changed via GUI or PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name TEMP -Value "C:\TEMP"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name TMP -Value "C:\TEMP"
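The same change wrapped in a function that also creates the directory, keeps the value type Windows uses for these entries (REG_EXPAND_SZ) and reads the result back; this is an added example rather than the post's own code, and C:\TEMP is just the path used above.

```powershell
# Added example, not from the original post. Must run elevated; the path is the one
# used in the post and can be anything the machine's services can reach.
function Set-MachineTempPath {
    param([string]$Path = 'C:\TEMP')

    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

    # The directory must exist before anything tries to write there
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Both TEMP and TMP; ExpandString matches the default %SystemRoot%\TEMP entry's type
    foreach ($name in 'TEMP', 'TMP') {
        Set-ItemProperty -Path $envKey -Name $name -Value $Path -Type ExpandString
    }

    # Read back what the registry now holds. Only new processes pick this up;
    # already running services keep the old value until they restart.
    Get-ItemProperty -Path $envKey -Name TEMP, TMP | Select-Object TEMP, TMP
}

# Usage:
# Set-MachineTempPath -Path 'C:\TEMP'
# (Get-Acl 'C:\TEMP').Access | Format-Table IdentityReference, FileSystemRights
```

A directory created directly under the drive root inherits the root's ACL rather than the tighter one on %SystemRoot%\TEMP, so after moving the location it is worth listing the resulting permissions (the Get-Acl line in the usage comment) and adjusting them if services with different privilege levels share the folder.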

How to send a test spam message?

I know, it is common stuff, but for someone it could be helpful.

We can use the Generic Test for Unsolicited Bulk Email (GTUBE) and send a message containing the following string:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X


Basically the GTUBE is supported by many anti-spam solutions (except WatchGuard), such as:

  • Symantec Brightmail
  • Cisco IronPort
  • Microsoft Forefront Protection for Exchange, which returns:
    The error that the other server returned was:
    550 5.7.1 Message rejected due to content restrictions
  • Comodo Antispam Gateway, which returns:
    Action: failed
    Status: 5.5.0
    Diagnostic-Code: smtp;550 GTUBE found in message. See http://spamassassin.apache.org/gtube/

The same approach works for a malware test message (EICAR test file):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
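Sending both test messages through your own gateway to a mailbox you control, as an added example (not the post's own code): the server and address values are placeholders, and the point is to record how the gateway reacts (an SMTP-time 550 like the ones quoted above, a bounce, or a quarantine notice).

```powershell
# Added example, not from the original post. Placeholder values: replace with your own
# inbound gateway and a mailbox you control.
$SmtpServer = 'mx1.example.com'      # placeholder
$From       = 'filtertest@example.com'   # placeholder
$To         = 'postmaster@example.com'   # placeholder

# Both strings are used exactly as published by SpamAssassin and EICAR. Single quotes
# matter: in double quotes PowerShell would expand $EICAR and $H as variables.
$Gtube = 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function New-EicarFile {
    # Scanners only recognise the 68-byte ASCII string; write it without a trailing newline.
    param([string]$Path = (Join-Path $env:TEMP 'eicar.com'))
    [System.IO.File]::WriteAllText($Path, $Eicar, [System.Text.Encoding]::ASCII)
    $Path
}

function Send-FilterTest {
    # Sends one test message and returns a one-line verdict. A gateway that rejects
    # during the SMTP session raises an exception here; others accept and bounce later.
    param([ValidateSet('GTUBE', 'EICAR')][string]$Kind)
    try {
        switch ($Kind) {
            'GTUBE' {
                Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
                    -Subject 'GTUBE filter test' -Body $Gtube
            }
            'EICAR' {
                Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
                    -Subject 'EICAR filter test' -Body 'EICAR test file attached' `
                    -Attachments (New-EicarFile)
            }
        }
        "$Kind accepted by $SmtpServer - watch for an NDR or quarantine notice in $To"
    } catch {
        "$Kind rejected by $SmtpServer - $($_.Exception.Message)"
    }
}

Send-FilterTest -Kind GTUBE
Send-FilterTest -Kind EICAR
```

Expect the anti-virus client on the workstation you run this from to quarantine eicar.com as soon as it is written; that is itself a test result, and the attachment step needs a machine where the local scanner is allowed to leave the file alone.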

Enjoy testing ;).

Exchange 2010 – The ActiveSyncDevice identity cannot be found

Why not mention the Exchange 2010 bug "The ActiveSyncDevice identity cannot be found".

Symptoms

  • The user has a Microsoft Exchange ActiveSync partnership that works as expected.
  • You move the user to a new organizational unit (OU) or rename a user account in Active Directory Domain Services (AD DS).
  • You try to perform a remote wipe operation for the device in the Exchange Management Console (EMC).


KB

http://support.microsoft.com/kb/2721428

Reporting

Get-ActiveSyncDevice -Mailbox 00164 | select UserDisplayName,Identity 

UserDisplayName : liintra.intra/Users/00164
Identity : liintra.intra/Users2/00164/ExchangeActiveSyncDevices/NokiaEmail§IMiEI284675044284679

Affected objects can be found and reported (CSV):

[PS] C:\>Get-ActiveSyncDevice -ResultSize unlimited | sort -Property Identity -Unique | select Identity,UserDisplayName | ? {$_.Identity -notmatch $_.UserDisplayName} | select UserDisplayName,Identity  | Export-Csv -Delimiter "," -Encoding unicode -Path "C:\Users\filip\Desktop\Report170413.txt"

Solution

  • Remove-ActiveSyncDevice -Identity "<new path = Identity from Get-ActiveSyncDevice>"
Remove-ActiveSyncDevice -Identity "liintra.intra/Users2/00164/ExchangeActiveSyncDevices/NokiaEmail§IMiEI284675044284679"
  • During the next mail sync the user's device will perform a full sync automatically, but the sync will take longer than usual.
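The report and the removal combined into two functions, as an added example (not the post's own code, and the function names are my own). The selection uses -notlike with the user's current path as a literal prefix instead of -notmatch, so characters in UserDisplayName that happen to be regex metacharacters cannot skew the result, and the removal goes through ShouldProcess so it can be rehearsed with -WhatIf before anything is deleted.

```powershell
# Added example, not from the original post. Requires the Exchange Management Shell.
function Get-OrphanedActiveSyncDevice {
    # Device partnerships whose Identity still carries the user's old AD path,
    # i.e. whose Identity is not under the user's current canonical name.
    Get-ActiveSyncDevice -ResultSize Unlimited |
        Where-Object {
            # -notlike treats UserDisplayName literally; the post's -notmatch uses it as a regex
            "$($_.Identity)" -notlike ("$($_.UserDisplayName)" + '/*')
        } |
        Select-Object UserDisplayName, Identity
}

function Remove-OrphanedActiveSyncDevice {
    # Writes the report the post describes (if -ReportPath is given), then removes
    # each orphaned partnership. Returns the number of partnerships found.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ReportPath)

    $orphans = @(Get-OrphanedActiveSyncDevice)

    if ($ReportPath) {
        $orphans | Export-Csv -Path $ReportPath -Delimiter ',' -Encoding Unicode -NoTypeInformation
    }

    foreach ($device in $orphans) {
        # Honours -WhatIf / -Confirm on this function
        if ($PSCmdlet.ShouldProcess("$($device.Identity)", 'Remove-ActiveSyncDevice')) {
            Remove-ActiveSyncDevice -Identity "$($device.Identity)" -Confirm:$false
        }
    }

    $orphans.Count
}

# Usage:
# Remove-OrphanedActiveSyncDevice -ReportPath 'C:\Reports\OrphanedDevices.csv' -WhatIf   # rehearse
# Remove-OrphanedActiveSyncDevice -ReportPath 'C:\Reports\OrphanedDevices.csv'           # remove
```

Keep the CSV from the rehearsal run: it is the list of users whose devices will perform the slower full sync mentioned above, which is useful when the helpdesk starts receiving calls.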

Exchange 2010 – Get-MailboxDatabaseStatistics (your customization)

The function Get-MailboxDatabaseStatistics was created for reporting purposes. I focused mainly on the script output and its customization, which means that most of the script code is related to the output and its attributes. It is therefore quite easy to modify the output attributes to suit your needs.

Script prerequisites

  • Exchange Server 2010
  • Exchange Management Shell runspace
  • Organization Management (RBAC)

Script inputs

The function requires one of these inputs: DatabaseName, ServerName or AllDatabases. We can call the function, for example, like this:

Get-MailboxDatabaseStatistics -DatabaseName mbx11

Get-MailboxDatabaseStatistics -DatabaseName mbx11,mbx12

Get-MailboxDatabaseStatistics -DatabaseName (Get-MailboxDatabase|?{$_.Server -like "*exch10*"})

Get-MailboxDatabaseStatistics -ServerName exch10ser01

Get-MailboxDatabaseStatistics -AllDatabases

Database queries (code)

The function expects one or more database names declared via the input parameters. After input validation, the function processes each database name in a loop. The loop is used for the following queries:

  • $query1 = Get-MailboxDatabase -Identity $db -Status
  • $query2 = Get-Mailbox -Database $db
  • $query3 = $query2 |%{if($_.Identity -ne $null){Get-MailboxStatistics -identity $_.identity}}

As can be seen above, this is the first place to consider for customization, because the script's processing time depends primarily on the number and cost of the individual queries. The processing time can therefore be reduced by query optimization (e.g. omitting Get-Mailbox).

Output attributes (code)

The loop fills the query variables ($query1, $query2, $query3), and those variables are used to declare the attributes of the output "brick". For this reason the brick can contain original values as well as values derived from all queries at once. Attributes are added to the brick through the simple function addResultAttribute:

function addResultAttribute ($propertyName, $propertyValue) {
    # $result is the brick for the database currently being processed; it is read
    # from the enclosing scope, so the helper appends to whichever brick is current
    $result | Add-Member -MemberType NoteProperty -Name $propertyName -Value $propertyValue
}

For example, we can create the attribute DatabaseName by using query1 (Get-MailboxDatabase -Status) and its property Name:

  • DatabaseName : DB01
addResultAttribute DatabaseName $query1.Name

Another example is the attribute RecipientTypeStatus, which holds the number of mailboxes per RecipientTypeDetails:

  • RecipientTypeStatus: {158-UserMailbox, 36-SharedMailbox, 1-DiscoveryMailbox, 3-ArbitrationMailbox}
addResultAttribute RecipientTypeStatus (($query2|Group-Object -Property RecipientTypeDetails|%{$_.Count,$_.Name -join ("-")}) -join (",")).ToString()

Feel free to modify the brick attributes. The function contains only the attributes relevant to my scenario.
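A condensed function with the same structure (parameter sets for the three inputs, the three queries in a loop, one brick per database filled through addResultAttribute), added here so the design described above can be read in one place. It is an example written for this page, not the author's Get-MailboxDatabaseStatistics.ps1 linked below; the function name Get-MailboxDatabaseSummary, the helper countBy and the chosen subset of attributes are my own.

```powershell
# Added example, not the author's script. Requires the Exchange Management Shell.
function Get-MailboxDatabaseSummary {
    [CmdletBinding(DefaultParameterSetName = 'ByName')]
    param(
        # Database names or Get-MailboxDatabase objects
        [Parameter(ParameterSetName = 'ByName', Mandatory = $true)]
        [object[]]$DatabaseName,
        [Parameter(ParameterSetName = 'ByServer', Mandatory = $true)]
        [string]$ServerName,
        [Parameter(ParameterSetName = 'All', Mandatory = $true)]
        [switch]$AllDatabases
    )

    # Helper from the post: adds one attribute to the brick currently held in $result.
    # $result is resolved from the enclosing scope at call time, so it works inside the loop.
    function addResultAttribute ($propertyName, $propertyValue) {
        $result | Add-Member -MemberType NoteProperty -Name $propertyName -Value $propertyValue
    }

    # Counts objects per value of a property and renders "count-name,count-name"
    function countBy ($objects, $property) {
        ($objects | Group-Object -Property $property |
            ForEach-Object { $_.Count, $_.Name -join '-' }) -join ','
    }

    # Input validation: resolve whichever parameter set was used to a list of database names
    switch ($PSCmdlet.ParameterSetName) {
        'ByName'   { $names = $DatabaseName | ForEach-Object { if ($_ -is [string]) { $_ } else { $_.Name } } }
        'ByServer' { $names = Get-MailboxDatabase -Server $ServerName | ForEach-Object { $_.Name } }
        'All'      { $names = Get-MailboxDatabase | ForEach-Object { $_.Name } }
    }

    foreach ($db in $names) {
        # The three queries the post describes
        $query1 = Get-MailboxDatabase -Identity $db -Status
        if (-not $query1) { Write-Warning "Database '$db' not found, skipping"; continue }
        $query2 = @(Get-Mailbox -Database $db -ResultSize Unlimited)
        $query3 = @($query2 | ForEach-Object { if ($_.Identity -ne $null) { Get-MailboxStatistics -Identity $_.Identity } })

        # One brick per database
        $result = New-Object PSObject
        addResultAttribute DatabaseName           $query1.Name
        addResultAttribute DatabaseSize           $query1.DatabaseSize
        addResultAttribute CircularLoggingEnabled $query1.CircularLoggingEnabled
        addResultAttribute LastFullBackup         $query1.LastFullBackup
        addResultAttribute TotalMailboxCount      $query2.Count
        addResultAttribute RecipientTypeStatus    (countBy $query2 RecipientTypeDetails)
        addResultAttribute MailboxLimitStatus     (countBy $query3 StorageLimitStatus)

        # TotalItemSize is a ByteQuantifiedSize; sum it in MB
        $sizeMB = ($query3 | ForEach-Object { $_.TotalItemSize.Value.ToMB() } | Measure-Object -Sum).Sum
        addResultAttribute MailboxTotalItemSizeSumMB $sizeMB

        $top3 = $query3 | Sort-Object { $_.TotalItemSize.Value.ToBytes() } -Descending | Select-Object -First 3
        addResultAttribute Top3LargestMailboxName ($top3 | ForEach-Object { $_.DisplayName })

        $result   # emit the brick; the pipeline collects the brick wall
    }
}

# Usage:
# Get-MailboxDatabaseSummary -DatabaseName db01, db02 | Format-List
# Get-MailboxDatabaseSummary -AllDatabases | Export-Csv -Delimiter ',' -Encoding Unicode -Path 'C:\rep.txt'
```

Adding or dropping an attribute is a single addResultAttribute line, and because every brick is emitted to the pipeline the output can be filtered, sorted or exported like any other object collection.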

Script output

The output is a "brick wall", i.e. a collection containing one brick with the declared attributes for each database processed by the function. It can look like this:

DatabaseName                     : DB01
DatabaseSize                     : 171 GB (183,619,878,912 bytes)
AvailableNewMailboxSpace         : 12.3 GB (13,204,750,336 bytes)
CircularLoggingEnabled           : False
LogFolderPath                    : E:\DB01
EdbFilePath                      : E:\DB01\DB01.edb
IssueWarningQuota                : 2.876 GB (3,088,056,320 bytes)
ProhibitSendQuota                : 3 GB (3,221,225,472 bytes)
ProhibitSendReceiveQuota         : 3.276 GB (3,517,972,480 bytes)
LastFullBackup                   : 5.4.2013 15:01:15
LastIncrementalBackup            : 7.4.2013 15:01:13
DatabaseCopiesCount              : 2
DatabaseCopiesServer             : {exch10Ser01, exch10Ser01}
TotalMailboxCount                : 198
RecipientTypeStatus              : {158-UserMailbox, 36-SharedMailbox, 1-DiscoveryMailbox, 3-ArbitrationMailbox}
MailboxWithDatabaseQuotaCount    : 189
ArchiveMailboxCount              : 130
SoftDeletedMailboxCount          : 
DisconectedMailboxCount          : 4
MailboxTotalItemSizeSumMB        : 138996
MailboxTotalDeletedItemSizeSumMB : 4931
MailboxTotalSizeSumMB            : 143927
MailboxTotalItemCount            : 1426074
Top3LargestMailboxSize           : {2.935 GB (3,151,719,330 bytes), 2.904 GB (3,118,361,061 bytes), 2.897 GB (3,110,582,421 bytes)}
Top3LargestMailboxName           : {Kasaj Filip, Salon Zbynek, Namjman Lukas}
MailboxLimitStatus               : {187-BelowLimit, 6-NoChecking, 4-IssueWarning}

Of course, we can also use the function like this:

[PS] C:\> $rep = Get-MailboxDatabaseStatistics -DatabaseName db01
[PS] C:\> $rep.MailboxTotalDeletedItemSizeSumMB
4916

[PS] C:\> $rep2 = Get-MailboxDatabaseStatistics -DatabaseName db01,db02
[PS] C:\> $rep2 | fl RecipientTypeStatus
RecipientTypeStatus : {158-UserMailbox, 36-SharedMailbox, 1-DiscoveryMailbox, 3-ArbitrationMailbox}
RecipientTypeStatus : {151-UserMailbox, 52-SharedMailbox}

[PS] C:\> Get-MailboxDatabaseStatistics -AllDatabases | Export-Csv -Delimiter "," -Encoding unicode -Path "C:rep.txt"

How to load the function

  • Save the function as a .ps1 file.
  • Load the file into the Exchange Management Shell (e.g. by dot-sourcing it).
  • That's it.

Download:

Get-MailboxDatabaseStatistics.ps1

Exchange 2013 RTM CU1 – released

Exchange team released Exchange 2013 RTM CU1.

Blog: http://blogs.technet.com/b/exchange/archive/2013/04/02/released-exchange-server-2013-rtm-cumulative-update-1.aspx

Download: http://www.microsoft.com/en-us/download/details.aspx?id=38176

Enjoy coexistence with Exchange 2010 SP3 and Exchange 2007 SP3 RU10!