June 12, 2013

How to create a trust between Two Exchange Forests and enable free/busy

This question came up in an interview I had recently: if you have a federation trust in place and a forest trust in place, how would you enable free/busy access between the two forests? Both forests had Exchange 2010 environments; one was an acquisition. The full answer has three parts. You need to have:

1: A forest trust in place (already in place in this scenario)
2: An organization relationship
3: A sharing policy

Create a forest trust
  1. Open Active Directory Domains and Trusts.
  2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.
  3. On the Trust tab, click New Trust, and then click Next.
  4. On the Trust Name page, type the DNS name (or NetBIOS name) of another forest, and then click Next.
  5. On the Trust Type page, click Forest trust, and then click Next.
  6. On the Direction of Trust page, do one of the following:
    • To create a two-way forest trust, click Two-way.
      Users in this forest and users in the specified forest can access resources in either forest.
    • To create a one-way, incoming forest trust, click One-way: incoming.
      Users in the specified forest will not be able to access any resources in this forest.
    • To create a one-way, outgoing forest trust, click One-way: outgoing.
      Users in this forest will not be able to access any resources in the specified forest.
  7. Continue to follow the wizard.

Create an Organizational Relationship
To enable free/busy between the two forests using the Exchange Management Console (EMC):

1. Click Organization Configuration and select the Organization Relationships tab on the right-hand side. Right-click and choose "New Organization Relationship...".

2. In the Name field, type a name for the organization relationship.
Select the check boxes "Enable this Organization relationship" and "Enable free/busy information access".
From the drop-down menu, select the level of access you want between the two forests; in this example, "Free/Busy access with time, plus subject and location".

3. Enter the forest domain name in the "Automatically discover configuration information" text box, and click Next.

4. When satisfied with the entries, click Finish.

NB: Alternatively you can use PowerShell to set up an organization relationship with free/busy enabled:

[PS] Get-FederationInformation -DomainName <domainname> | New-OrganizationRelationship -Name '<relationshipname>' -Enabled:$true -FreeBusyAccessEnabled:$true -FreeBusyAccessLevel 'LimitedDetails' -FreeBusyAccessScope:$null

5: The new organization relationship will now be listed.

Create a Sharing policy
Next you need to create a sharing policy so that information can be shared between the two Exchange environments.

1: In the EMC, click Organization Configuration > Mailbox. Click the Sharing Policies tab, right-click Default Sharing Policy, then choose Properties.

2: In the "Default Sharing Policy Properties" window, click Add.

3: Type in your domain, e.g. "contoso.com", then from the drop-down menu select the level of permission you wish to grant between the two forests. In this example "Calendar Sharing with free/busy information plus subject, location, and body, contacts sharing" is selected.

Click OK, and OK again when finished with your selections.
Alternatively you can set this in PowerShell using the following cmdlet:

[PS] Set-SharingPolicy -Identity 'Default Sharing Policy' -Domains '*:CalendarSharingFreeBusySimple', '<yourdomain>:CalendarSharingFreeBusyReviewer, ContactsSharing'

To complete the process, log into the second Exchange environment and create an organization relationship and a sharing policy back to Exchange environment 1, following the steps above.
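The three parts above as one script for the Exchange Management Shell of forest 1, with a verification step at the end. This is an added example, not code from the original post: the forest name, relationship name, test mailbox and the use of the ActiveDirectory module (RSAT) for the trust check are assumptions; the cmdlets are the ones the post names plus their Get-/Test- counterparts.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell of forest 1
# after the forest trust and the federation trust with the Microsoft Federation Gateway exist.
$RemoteForest     = 'forest2.example'        # DNS name of the acquired forest (placeholder)
$RelationshipName = 'Forest2 free-busy'      # placeholder
$TestMailbox      = 'user@forest1.example'   # a mailbox in this forest used for the tests (placeholder)

# 1. Forest trust: confirm Active Directory already trusts the other forest before touching Exchange.
#    Assumes the ActiveDirectory module (RSAT) is installed where the shell runs.
Import-Module ActiveDirectory
$trust = Get-ADTrust -Filter "Name -eq '$RemoteForest'"
if ($trust -eq $null) { throw "No AD trust with $RemoteForest; create the forest trust first." }
Write-Host ("Trust with {0}: direction={1}, forest-transitive={2}" -f $trust.Name, $trust.Direction, $trust.ForestTransitive)

# The federation trust in this forest has to work before an organization relationship can use it.
$federation = Get-FederatedOrganizationIdentifier
if (-not $federation.Enabled) { throw 'The federated organization identifier is not enabled in this forest.' }
Test-FederationTrust -UserIdentity $TestMailbox | Format-Table -AutoSize

# 2. Organization relationship: discover the remote forest's federation settings and create the
#    relationship. LimitedDetails is the "free/busy with time, plus subject and location" level.
if ((Get-OrganizationRelationship -Identity $RelationshipName -ErrorAction SilentlyContinue) -eq $null) {
    Get-FederationInformation -DomainName $RemoteForest |
        New-OrganizationRelationship -Name $RelationshipName -Enabled $true `
            -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
}

# 3. Sharing policy: -Domains replaces the whole list, so the "*" entry for everyone else is
#    restated next to the richer entry for the remote forest.
Set-SharingPolicy -Identity 'Default Sharing Policy' -Domains @(
    '*:CalendarSharingFreeBusySimple',
    ($RemoteForest + ':CalendarSharingFreeBusyReviewer, ContactsSharing')
)

# 4. Verify: this exercises DNS, Autodiscover of the remote forest and the federation token
#    for the test mailbox, which is what an Outlook free/busy lookup relies on.
Test-OrganizationRelationship -Identity $RelationshipName -UserIdentity $TestMailbox -Verbose
Get-OrganizationRelationship -Identity $RelationshipName |
    Format-List Name, Enabled, DomainNames, FreeBusyAccessEnabled, FreeBusyAccessLevel, TargetAutodiscoverEpr
Get-SharingPolicy -Identity 'Default Sharing Policy' | Format-List Name, Enabled, Domains
```

Run it once per forest (with the names swapped) because, as the last step says, the relationship and policy are one-directional and the second forest needs its own pair pointing back. Test-OrganizationRelationship is the check to keep: it fails for the same reasons a user's free/busy lookup would, so run it again after any change to DNS, certificates or the federation trust.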

June 10, 2013

Exchange 2010 mail flow from start to finish

This describes what fundamentally happens during MAPI mail flow in a typical Exchange 2010 organization.
A user sends an email from Outlook (their mailbox resides on the Mailbox server) and the message is moved to the Outbox. The store driver on the Hub Transport server picks the message up and places it in the Submission queue. From the Submission queue the message goes to the Categorizer, which processes all inbound messages and determines what to do with each: it applies policies, routes the message and performs content conversion.

1: Recipient resolution (resolves the recipients' email addresses to determine whether they are internal or external)
2: Routing (once the recipient is resolved, determines where the message needs to be sent, i.e. an external IP or the next-hop Hub Transport server)
3: Content conversion (HTML, RTF, TXT)

The message is then sent to the Delivery queue. Here it is determined whether the message is for external delivery (such messages are handed to the SMTP Send connector) or for internal delivery, in which case it is passed to the store driver of the correct Hub Transport server and then delivered to the appropriate Mailbox server and mailbox or public folder.

In summary:
1: The message is sent and waits in the Outlook Outbox.
2: The store driver on the Hub Transport server picks up the message from the Outbox.
3: The message is passed to the Submission queue.
4: The message is moved to the Categorizer, where recipient resolution, routing and content conversion take place.
5: (For internal messages) the email is then sent to the Delivery queue of the destination Hub Transport server (e.g. the London Hub server).
(For external messages) the email is submitted to the Delivery queue and then sent by SMTP to the external destination.
6: The message is then moved to the store driver (at the destination Hub Transport server) for delivery to the Mailbox server, and is delivered to the mailbox or public folder.

Below is Microsoft's diagram of how message flow works within 2010.

More high-level Microsoft architecture for Hub Transport can be seen here:

ref: http://technet.microsoft.com/en-us/library/aa998825.aspx
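Each of the stages above leaves an event in the Hub Transport message tracking log, so the path of a real message can be read back against the numbered summary. The function below is an added example, not from the original post: it queries the tracking log on every Hub Transport and Mailbox server (Edge servers are not in Active Directory and are left out) and labels each event with the stage that produced it. The sender address in the usage lines is a placeholder.

```powershell
# Added example (not from the original post). Requires the Exchange Management Shell and
# read access to the message tracking log on the servers.
function Get-MessagePath {
    param(
        [Parameter(Mandatory = $true)][string]$MessageId,   # Internet Message-ID header value, e.g. '<abc@contoso.com>'
        [DateTime]$Start = (Get-Date).AddHours(-24),
        [DateTime]$End   = (Get-Date)
    )
    # SUBMIT is written by the Mailbox server; everything else by the Hub Transport servers.
    $servers = Get-ExchangeServer | Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer }

    $events = foreach ($s in $servers) {
        Get-MessageTrackingLog -Server $s.Name -MessageId $MessageId -Start $Start -End $End -ResultSize Unlimited
    }

    # Tracking-log event ids mapped onto the numbered stages of the summary above.
    $stage = @{
        'SUBMIT'   = '1-2: Mail Submission service told a Hub server the message is waiting in the Outbox'
        'RECEIVE'  = '2-3: Hub server received the message (Source STOREDRIVER = from the mailbox, SMTP = from another server)'
        'RESOLVE'  = '4: Categorizer resolved a recipient to a different address'
        'EXPAND'   = '4: Categorizer expanded a distribution group'
        'TRANSFER' = '4: Categorizer forked the message (content conversion, recipient limits or agents)'
        'SEND'     = '5: sent by SMTP from the Delivery queue to the next hop'
        'DELIVER'  = '6: store driver delivered the message to the mailbox or public folder'
        'DEFER'    = 'delivery delayed; message is waiting in a queue'
        'FAIL'     = 'delivery failed'
    }

    $events | Sort-Object Timestamp | ForEach-Object {
        $label = 'other'
        if ($stage.ContainsKey($_.EventId)) { $label = $stage[$_.EventId] }
        # New-Object rather than [pscustomobject] so this runs in the PowerShell 2.0 shell of Exchange 2010.
        New-Object PSObject -Property @{
            Time       = $_.Timestamp
            Server     = $_.ServerHostname
            Event      = $_.EventId
            Source     = $_.Source
            Recipients = ($_.Recipients -join ';')
            Stage      = $label
        }
    }
}

# Usage: pick up the most recent message from a sender, then follow it end to end.
# $recent = Get-MessageTrackingLog -Sender 'user@contoso.com' -Start (Get-Date).AddHours(-1) -ResultSize 1
# Get-MessagePath -MessageId $recent.MessageId | Format-Table Time, Server, Event, Source, Stage -AutoSize
```

A message that stops at RECEIVE with no SEND or DELIVER is sitting in a queue (look for a DEFER event and then at Get-Queue); a SEND with no later RECEIVE on the next Hub server means the hand-off between servers is where to look.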

June 7, 2013

Move emails from one Hub server to another Hub server for delivery

Ever found yourself dealing with an Edge server with messages stuck on it that it is unable to deliver?
There is a quick method to transfer those messages to another Edge server that is functioning properly, so that you can take some time to troubleshoot the first Edge server.
I do not recommend this, but this is how it is done when you find yourself in a situation with very few options.

For example: you are on Edge server 1, messages are stuck in Retry, and you want to move them to Edge server 2 (or 3 or 4, etc.) for processing.

1: On Exchange Edge server 1:


2: Pause the transport services.

3: Suspend the messages in the affected queues:

Get-Queue | Where-Object {$_.DeliveryType -eq 'DnsConnectorDelivery'} | Get-Message | Suspend-Message

4: Then export those suspended messages (the file name is derived from the Internet Message-ID, with the "<" and ">" replaced because they are not valid in a file name):

Get-Queue | Where-Object {$_.DeliveryType -eq 'DnsConnectorDelivery'} | Get-Message | ForEach-Object {$Temp = "C:\temp\" + $_.InternetMessageId + ".eml"; $Temp = $Temp.Replace("<","_").Replace(">","_"); Export-Message $_.Identity | AssembleMessage -Path $Temp}

5: Remove Exchange Edge server 1 from the send connector.

6: Open the C:\temp folder on Exchange Edge server 1.

7: Copy all the *.eml files from the C:\temp folder and remote into Exchange Edge server 2.

8: Browse to where Exchange is installed on Edge server 2 (this can be the C: or D: drive), e.g.
 D:\Program Files\Microsoft\Exchange Server\TransportRoles\Replay, and paste all the .eml files copied from C:\temp on Exchange Edge server 1.
Since the transport service is running, the Replay directory will quickly flush.

9: Return to Exchange Edge server 1 and start the transport services again once you have resolved the technical issue with that Edge server.
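Steps 3 and 4 rolled into one function that also records what it did, as an added example (not code from the original post). It suspends each message first, builds a file name that NTFS accepts by stripping every reserved character rather than only the angle brackets, exports, and then checks that a non-empty .eml was actually written before you copy anything to Edge server 2. It assumes the Exchange Management Shell on Edge server 1 and the AssembleMessage helper that the 2010 shell provides for Export-Message output; the folder and delivery type default to the values the post uses.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell on the
# Edge server whose messages are stuck.
function Export-StuckMessages {
    param(
        [string]$OutputFolder = 'C:\temp',
        [string]$DeliveryType = 'DnsConnectorDelivery'   # queues whose next hop is resolved via DNS (external delivery)
    )
    if (-not (Test-Path $OutputFolder)) { New-Item -ItemType Directory -Path $OutputFolder | Out-Null }

    $messages = Get-Queue |
        Where-Object { $_.DeliveryType -eq $DeliveryType } |
        Get-Message -ResultSize Unlimited

    foreach ($msg in $messages) {
        # Suspend first: Export-Message works on suspended messages, and suspension keeps the
        # message from being delivered while a copy is being made.
        if ($msg.Status -ne 'Suspended') { Suspend-Message -Identity $msg.Identity -Confirm:$false }

        # '<' and '>' wrap every Internet Message-ID and are illegal in file names; the other
        # reserved characters are replaced as well rather than just those two.
        $safeName = $msg.InternetMessageId -replace '[<>:"/\\|?*]', '_'
        $path = Join-Path $OutputFolder ($safeName + '.eml')

        Export-Message -Identity $msg.Identity | AssembleMessage -Path $path

        $ok = (Test-Path $path) -and ((Get-Item $path).Length -gt 0)
        # New-Object rather than [pscustomobject] so this runs in the PowerShell 2.0 shell of Exchange 2010.
        New-Object PSObject -Property @{
            Queue     = $msg.Queue
            MessageId = $msg.InternetMessageId
            From      = $msg.FromAddress
            File      = $path
            Exported  = $ok
        }
    }
}

# Usage: keep the report next to the .eml files. A row with Exported = False was not written
# and that message must stay on Edge server 1 until the export is repeated.
# $report = Export-StuckMessages
# $report | Format-Table Queue, MessageId, Exported -AutoSize
# $report | Export-Csv -Path 'C:\temp\export-report.csv' -NoTypeInformation
```

The report is what lets you reconcile the two servers afterwards: the number of .eml files dropped into Replay on Edge server 2 should equal the number of rows with Exported = True, and the Message-IDs in it are what to search for in the tracking log on Edge server 2 to confirm the replayed copies went out.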

June 6, 2013

Creating a "Confidential" policy in your organisation

Some organizations have a "Confidential" policy. This means that any document intended for internal use that contains the word "confidential" or other nominated verbiage such as "Internal Use Only" or "Company Distribution Only" can be stopped at the Hub Transport level from reaching any external recipients.

The concept is to set up a transport rule to delete anything with that terminology in the body of the message or an attachment. There is a way to bypass this for the occasional exception; we will cover that at the end.

1: Open the Exchange Management Console 2010.
2: Drill down to Organization Configuration > Hub Transport > Transport Rules (tab).

3: Click "New Transport Rule" in the right-hand navigation pane.
4: A wizard will open.
5: On the introduction screen, type the name of your rule, e.g. "For Company use only". Tick the Enable rule check box if not already selected.
Then click Next.

6: On the next screen, tick the box "Sent to users that are inside or outside the organization, or partners". Click Next.

7: The next screen allows you to enter all the phrases that you want blocked within your organisation.
Examples include "Company Use Only", "Confidential", "Internal Use only".
When finished with your list, click OK then Next.
8: The next screen defines the conditions. Select the box "Sent to users that are inside or outside the organization, or partners" if not already selected. Click Next.
9: On the next screen select the check box "Send rejection message to sender with enhanced status code". This ensures that users who have breached the confidential rule are aware that their email did not reach the intended recipient, so they can correct the issue or ask to bypass the rule (this is done by creating an exception at the end with a distribution list as the exception; you can add "exception" individuals to this group).
Click Next.

10: Optional. If you wish to create a bypass list for the "confidentiality rule", you can do so by creating a distribution list and adding it as an exception. This is not recommended practice, as managing a list of users who do not wish to comply with the company's confidentiality policy becomes a time-consuming task. Click Next.
11: On the next screen, review the rule you have created and click OK to create the rule.

12: On the next screen click Finish.
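The same rule built with New-TransportRule, as an added example that is not from the original post. It makes one thing explicit that the wizard hides: all conditions on a single rule must match (they are ANDed), so "words in the subject or body" and "words in an attachment" have to be two rules if either one on its own should trigger the block. Rule names, phrases, the rejection text, the status code and the bypass group address are placeholders; the AttachmentContainsWords predicate is assumed to be present (Exchange 2010 SP1 or later).

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$phrases     = @('Confidential', 'Company Use Only', 'Internal Use Only')
$bypassGroup = 'confidential-bypass@contoso.com'   # placeholder distribution group of approved exceptions; '' to disable
$reason      = 'This message appears to be for internal use only and was not delivered to external recipients.'

# Settings shared by both rules.
$common = @{
    Enabled                         = $true
    SentToScope                     = 'NotInOrganization'   # only mail leaving the organization; internal mail is unaffected
    RejectMessageReasonText         = $reason
    RejectMessageEnhancedStatusCode = '5.7.1'               # sender gets an NDR instead of a silent drop
}
if ($bypassGroup -ne '') { $common['ExceptIfFromMemberOf'] = $bypassGroup }

# One rule per place the phrases can appear, so that either location alone triggers the reject.
$rules = @(
    @{ Name = 'For Company use only (subject or body)'; SubjectOrBodyContainsWords = $phrases },
    @{ Name = 'For Company use only (attachments)';     AttachmentContainsWords    = $phrases }
)
foreach ($r in $rules) {
    if ((Get-TransportRule -Identity $r.Name -ErrorAction SilentlyContinue) -eq $null) {
        New-TransportRule @common @r
    }
}

# Verify: both rules enabled, the scope and words as intended, and the exception present
# only when a bypass group was given.
Get-TransportRule | Where-Object { $_.Name -like 'For Company use only*' } |
    Format-List Name, State, Priority, SentToScope, SubjectOrBodyContainsWords, AttachmentContainsWords, ExceptIfFromMemberOf, RejectMessageReasonText
```

The membership of the bypass group is the whole control once the rules exist, which is the point the post makes in step 10: review who is in it on a schedule, because every member can send the nominated phrases externally without any rejection.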

June 5, 2013

SMTP Journalling to a third party compliance product.

When it comes to journaling, the best way is to journal to journaling databases. Sometimes this luxury is not available and some improvising needs to take place.

With an Edge server:
You can set journaling up to send to a third-party compliance product instead of creating journal mailboxes within your Exchange 2010 organisation. This can alleviate storage concerns that may not have been factored into the original design plan.

At times there is also an Edge server between your internal organisation and the third party you journal to.
This guide steps you through setting up SMTP journaling, configuring your Edge server as a relay to the third-party journal site, and some testing.

Create the journal contact in EMC

1. Select Start > All Programs > Microsoft Exchange Server 2010 >
Exchange Management Console.
2. Expand the Exchange server, then expand Recipient Configuration.
3. Click Mail Contact under Recipient Configuration.
4. On the Mail Contact page (a), click New Mail Contact in the Actions pane.
5. Select the New Contact option (a) and then click Next (b).
7. In the New Mail Contact window, type Journaling in the First Name field,
Contact in the Last Name field and JournalingNewYork in the Alias field (a).
Click Edit (b).

8. Type the journaling address provided to you (e.g. company@providor.net) and then click OK.

9. Click Next.

10. Click New.

11. Click Finish.

Create an SMTP send connector
1. Select Start > All Programs > Microsoft Exchange Server 2010 >
Exchange Management Console.
2. Expand your Exchange server, then expand Organization Configuration.
3. Click Hub Transport.
4. Click the Send Connectors tab.
5. In the Actions pane, click New Send Connector.
6. Type a name, e.g. SENDCON-EDGE-Journal, in the Name field; in the "Select the intended
use for this Send connector" drop-down list, select Custom (a). Click Next.

7. Click Add. The SMTP Address Space window opens.
8. In the Address field, type the address space (e.g. *.providor.net) (a). Leave the cost at 1 and then
click OK (b).

9. Click Next.
10. Select the Route mail through the following smart hosts option and then
click Add.
11. Select the IP address option, type the smart host provided to you and then click OK (add the two Autonomy edge servers, as seen below in figure 1).

12. Click Next.
13. Select None for the Configure smart host authentication settings and then
click Next.
14. Add all the Hub servers, then click Next.

15. Click New.
16. Click Finish.

You should have a new send connector that looks like the one below:

Activate journaling
1. Select Start > All Programs > Microsoft Exchange Server 2010 >
Exchange Management Console.
2. Expand Exchange server.
3. Expand Organization Configuration.
4. Click Mailbox.
5. In the Database Management tab, right-click your mailbox database and select Properties.

6. Click the Maintenance tab.
7. Select the Journal Recipient check box (a), and then click Browse.

8. Select JournalingNewYork (email@externalparty.com)(a) and then click OK (b).

9. Click OK.
You have successfully activated message journaling.

For the remaining databases, run this cmdlet (Set-MailboxDatabase does not accept a wildcard identity, so the matching databases are piped in from Get-MailboxDatabase):
Get-MailboxDatabase -Identity NYC* | Set-MailboxDatabase -JournalRecipient "newyork/Global/Other contacts/Journalling"