<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom"><title>My private collection of articles found on the net. I don't own them, but they helped me.</title><updated>2012-02-23T15:23:06Z</updated><id>http://blog.meigh.eu/atom.aspx</id><link href="http://blog.meigh.eu/atom.aspx" rel="self" type="application/rss+xml" /><link href="http://blog.meigh.eu" rel="alternate" type="application/rss+xml" /><generator uri="http://app.onlinequickblog.com/" version="2.6.7">Quick Blogcast</generator><entry><title>Control as Virus Outbreak</title><link rel="alternate" href="http://blog.meigh.eu/2011/03/21/control-as-virus-outbreak.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-03-21:592c60d7-4ae8-456b-9165-56c8c6b35214</id><author><name>Madferret</name></author><category term="Exchange 2007" /><updated>2011-03-21T13:09:59Z</updated><published>2011-03-21T13:09:59Z</published><content type="html">&lt;div&gt;Export-Mailbox is a task developed by the migration team to allow administrators to export content from active mailboxes to a folder inside other active mailboxes. The initial idea was for this task to be a complete replacement for ExMerge. Implementing some of that functionality proved problematic and required more time than initially planned. In this post I will describe what is still missing, which workarounds are available, and some of our future plans. &lt;BR&gt;&lt;P&gt;&lt;B&gt;The need for an ExMerge replacement&lt;/B&gt;&lt;BR&gt;&lt;P&gt;ExMerge is a tool created by Microsoft Support in the Exchange 5.5 timeframe to allow administrators to export and import mailbox content to and from PST files. Over the years the tool became popular because its flexibility let it be used in a number of scenarios for which no specific tool existed. 
As a result of this popularity, the Exchange team took on development ownership of ExMerge for Exchange 2003 and released it as a tool over the web. &lt;BR&gt;&lt;P&gt;Even though ExMerge proved to be a helpful tool for Exchange administrators, there were several problems that needed to be addressed: &lt;BR&gt;&lt;ul&gt;&lt;BR&gt;&lt;li&gt;&lt;B&gt;Separate code base:&lt;/B&gt; One of the goals is to reduce the number of separate tools and code bases supported for migration operations. ExMerge has always been completely separate from all shared Exchange migration code. This has caused several technical problems, such as the need to support an independent PST provider (which is why the current version cannot handle mailboxes larger than 2 GB or Unicode). These issues have caused delays in updates, limited functionality and extra support costs for customers and Microsoft alike.&lt;/li&gt;&lt;BR&gt;&lt;li&gt;&lt;B&gt;Independent tool:&lt;/B&gt; Besides the technical implications of a separate code base, the fact that ExMerge is an independent tool has had many unintended consequences in the scenarios where it is used. Every time a tool is used for something it was not designed for, the risk of unintended consequences and bugs increases. Overuse of ExMerge also works as an incentive to underuse our other migration tools where they are better suited. This adds extra cost to the management of Exchange.&lt;/li&gt;&lt;/ul&gt;&lt;BR&gt;&lt;P&gt;&lt;B&gt;Export-Mailbox&lt;/B&gt;&lt;BR&gt;&lt;P&gt;Export-Mailbox was built to address scenarios where mailbox content needs to be copied from one active mailbox to another without migrating the whole mailbox object. The source and target servers used by Export-Mailbox need to be part of a single forest or of resource forests; that is, mailbox content can only be exported to mailboxes within the same forest. 
&lt;BR&gt;&lt;P&gt;The following versions are supported by Export-Mailbox: &lt;BR&gt;&lt;ul&gt;&lt;BR&gt;&lt;li&gt;Source server:&lt;/li&gt;&lt;BR&gt;&lt;ul&gt;&lt;BR&gt;&lt;li&gt;Exchange 2000 SP3 (or later)&lt;/li&gt;&lt;BR&gt;&lt;li&gt;Exchange 2003 SP2 (or later)&lt;/li&gt;&lt;/ul&gt;&lt;BR&gt;&lt;li&gt;Target server:&lt;/li&gt;&lt;/ul&gt;&lt;BR&gt;&lt;P&gt;Exchange permission requirements: &lt;BR&gt;&lt;ul&gt;&lt;BR&gt;&lt;li&gt;The logon account of the user running Export-Mailbox needs to be a member of "Exchange Servers Administrators" for both the source and the target server. Permissions for previous Exchange Server versions remain the same as they were for the Exchange 2003 Move Mailbox task (Exchange Administrator).&lt;/li&gt;&lt;/ul&gt;&lt;BR&gt;&lt;P&gt;&lt;B&gt;Current functionality available for Export-Mailbox&lt;/B&gt;&lt;BR&gt;&lt;P&gt;&lt;B&gt;&lt;em&gt;Pre-validation and new and improved logging&lt;/em&gt;&lt;/B&gt;&lt;BR&gt;&lt;P&gt;Export-Mailbox benefits from pre-validation similar to that in Move-Mailbox. This saves time by identifying most errors right away, before the export begins, instead of waiting for them to surface during the actual export. &lt;BR&gt;&lt;P&gt;Also available for Export-Mailbox is the comprehensive logging: event logs, an XML report and a troubleshooting log. All logs are enabled by default and are written to &amp;lt;ExchangeRoot&amp;gt;\Logging\MigrationLogs\. 
&lt;BR&gt;&lt;P&gt;&lt;B&gt;&lt;em&gt;Export-Mailbox available options&lt;/em&gt;&lt;/B&gt;&lt;BR&gt;&lt;ul&gt;&lt;BR&gt;&lt;li&gt;Export mailbox content from an active mailbox to a folder inside another mailbox&lt;/li&gt;&lt;BR&gt;&lt;li&gt;Filter the content to be exported based on:&lt;/li&gt;&lt;BR&gt;&lt;ul&gt;&lt;BR&gt;&lt;li&gt;List of included or excluded folders (-IncludeFolders or -ExcludeFolders)&lt;/li&gt;&lt;BR&gt;&lt;li&gt;Message subject (-SubjectKeywords)&lt;/li&gt;&lt;BR&gt;&lt;li&gt;Message and attachment content (-ContentKeywords)&lt;/li&gt;&lt;BR&gt;&lt;li&gt;Attachment file names (-AttachmentFilenames)&lt;/li&gt;&lt;BR&gt;&lt;li&gt;Message locale (-Locale)&lt;/li&gt;&lt;BR&gt;&lt;li&gt;"OR" search across message subject, message content and attachment content (-AllContentKeywords)&lt;/li&gt;&lt;BR&gt;&lt;li&gt;Date range (-StartDate and -EndDate)&lt;/li&gt;&lt;/ul&gt;&lt;BR&gt;&lt;li&gt;Delete content from the source mailbox after exporting it to the target mailbox (-DeleteContent)&lt;/li&gt;&lt;BR&gt;&lt;li&gt;Dumpster items are automatically exported as regular messages in the target mailbox&lt;/li&gt;&lt;/ul&gt;&lt;BR&gt;&lt;P&gt;&lt;B&gt;&lt;em&gt;Features postponed&lt;/em&gt;&lt;/B&gt;&lt;BR&gt;&lt;P&gt;The following options were not included: &lt;BR&gt;&lt;P&gt;&lt;em&gt;- Exporting content directly to a PST file: &lt;/em&gt;Part of the challenge here was adapting our code to the Outlook PST provider, which provides the most up-to-date PST functionality. Currently administrators can export content to folders inside one or more mailboxes and then manually export that content to PST files using Outlook. Also, access from ExMerge clients supported by Exchange 2003 is not actively blocked. This scenario is not officially tested, but customers have reported that running ExMerge from an Exchange 2003 server and accessing the databases does work. 
Native PST support is planned for Service Pack 1. &lt;BR&gt;&lt;P&gt;&lt;em&gt;- UI interface: &lt;/em&gt;Since most of the common ExMerge scenarios were bulk operations, we decided to focus on delivering the needed functionality first and a GUI later. There is no defined date for creating such an interface for the Export-Mailbox task at this point. &lt;BR&gt;&lt;P&gt;&lt;B&gt;Customer scenarios and examples&lt;/B&gt;&lt;BR&gt;&lt;P&gt;These are the supported customer scenarios for Export-Mailbox: &lt;BR&gt;&lt;ol&gt;&lt;BR&gt;&lt;li&gt;&lt;B&gt;Exporting mailbox content during a litigation process&lt;/B&gt;&lt;BR&gt;During a litigation process, administrators may need to regularly export mailbox content from selected users. These searches are based on criteria defined by lawyers. The content is exported from one or more source mailboxes into a temporary mailbox that the lawyers can access. The lawyers then process the data and send it to opposing counsel.&lt;/li&gt;&lt;BR&gt;&lt;li&gt;&lt;B&gt;Exporting email content to former users&lt;/B&gt;&lt;BR&gt;When accounts are about to be removed from a server (as with college students graduating or users leaving a hosting account), administrators might want to send mailbox content to former users who for some reason could not copy the email content themselves. The admin would use Export-Mailbox to export the data to an intermediary mailbox and then manually deliver the data to the end users via PST files.&lt;/li&gt;&lt;BR&gt;&lt;li&gt;&lt;B&gt;IT Emergency Response Process&lt;/B&gt;&lt;BR&gt;In the course of daily operations of an IT emergency response organization, administrators need the ability to scan a large number of messages based on specified criteria and perform mass deletion of any suspect email found. By using Export-Mailbox with the -DeleteContent parameter along with specific filter options, they are able to search for and delete such messages.&lt;/li&gt;&lt;/ol&gt;&lt;BR&gt;&lt;P&gt;&lt;B&gt;&lt;em&gt;Export-Mailbox examples:&lt;/em&gt;&lt;/B&gt;&lt;BR&gt;&lt;P&gt;&lt;B&gt;&lt;em&gt;Exporting mailbox content based on organizational information:&lt;/em&gt;&lt;/B&gt;&lt;BR&gt;&lt;P&gt;Export all content from all mailboxes where the user's Title starts with VP to a folder called VPData in the Administrator mailbox: &lt;BR&gt;&lt;P&gt;&lt;em&gt;Get-user | where { $_.Title -ilike "VP*" } | export-mailbox -TargetFolder "VPData" -TargetMailbox Administrator&lt;/em&gt;&lt;BR&gt;&lt;P&gt;Export all content from all mailboxes in the Accounting department to a folder called AccountingData in the Administrator mailbox: &lt;BR&gt;&lt;P&gt;&lt;em&gt;Get-user | where { $_.Department -eq "Accounting" } | export-mailbox -TargetFolder "AccountingData" -TargetMailbox Administrator&lt;/em&gt;&lt;BR&gt;&lt;P&gt;&lt;B&gt;&lt;em&gt;Using filtering when exporting mailbox content:&lt;/em&gt;&lt;/B&gt;&lt;BR&gt;&lt;P&gt;Export all content from UserMailbox1's mailbox received between 02/02/05 and 02/05/05 to a folder called User1Data in UserMailbox2's mailbox: &lt;BR&gt;&lt;P&gt;&lt;em&gt;Export-mailbox -id UserMailbox1 -StartDate "02/02/05" -EndDate "02/05/05" -TargetFolder 'User1Data' -TargetMailbox UserMailbox2&lt;/em&gt;&lt;BR&gt;&lt;P&gt;Export all content from the Sent Items folder of UserMailbox1's mailbox to a folder called User1SentItems in UserMailbox2's mailbox: &lt;BR&gt;&lt;P&gt;&lt;em&gt;Export-mailbox -id UserMailbox1 -IncludeFolders "\Sent Items" -TargetFolder 'User1SentItems' -TargetMailbox UserMailbox2&lt;/em&gt;&lt;BR&gt;&lt;P&gt;Filter out content from the Deleted Items folder and export only messages that are in Japanese to a folder called User1JapaneseItems in UserMailbox2's mailbox: &lt;BR&gt;&lt;P&gt;&lt;em&gt;Export-mailbox -id UserMailbox1 -ExcludeFolders "\Deleted Items" -Locale ja-jp -TargetFolder 'User1JapaneseItems' -TargetMailbox UserMailbox2&lt;/em&gt;&lt;BR&gt;&lt;P&gt;&lt;B&gt;&lt;em&gt;Using filtering to export and delete mailbox content:&lt;/em&gt;&lt;/B&gt;&lt;BR&gt;&lt;P&gt;Export and delete all messages that contain "Confidential" in their subject from all mailboxes in the DB1 database to a folder called ConfidentialData in the Administrator mailbox: &lt;BR&gt;&lt;P&gt;&lt;em&gt;Get-mailbox -database 'DB1' | export-mailbox -SubjectKeywords "Confidential" -TargetFolder "ConfidentialData" -TargetMailbox Administrator -DeleteContent&lt;/em&gt;&lt;BR&gt;&lt;P&gt;Export and delete all messages that have an attachment whose file name contains the word "movie" from all mailboxes in the DB1 database to a folder called MovieAttachmentMessages in the Administrator mailbox: &lt;BR&gt;&lt;P&gt;&lt;em&gt;Get-mailbox -database 'DB1' | export-mailbox -AttachmentFilenames "movie" -TargetFolder "MovieAttachmentMessages" -TargetMailbox Administrator -DeleteContent&lt;/em&gt;&lt;BR&gt;&lt;P&gt;Export and delete all messages that contain the word "virus" in the message body or in an attachment body from all mailboxes in the DB1 database to a folder called VirusMessages in the Administrator mailbox: &lt;BR&gt;&lt;P&gt;&lt;em&gt;Get-mailbox -database 'DB1' | export-mailbox -ContentKeywords "virus" -TargetFolder "VirusMessages" -TargetMailbox Administrator -DeleteContent&lt;/em&gt; 
&lt;/div&gt;</content></entry><entry><title>Powershell Setting Active Sync Based on group membership</title><link rel="alternate" href="http://blog.meigh.eu/2011/03/04/powershell-setting-active-sync-based-on-group-membership.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-03-04:2e74f9ab-e6c2-458b-8579-dd2b123a05a4</id><author><name>Madferret</name></author><category term="Setting Active Sync based on group membership" /><updated>2011-03-04T09:34:48Z</updated><published>2011-03-04T09:34:48Z</published><content type="html">&lt;div&gt;Script to check every CAS mailbox against the membership of a group and disable ActiveSync for users who are not members, writing the result to a CSV report.&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;#Start-Transcript c:\activesyncerror.txt&lt;br&gt;&lt;br&gt;# Set report file (overwritten on each run)&lt;br&gt;$outfile = "c:\active.csv"&lt;br&gt;echo MM &gt; $outfile&lt;br&gt;&lt;br&gt;# Group to query membership of (looked up once, outside the loop)&lt;br&gt;$group = Get-Group "pda users"&lt;br&gt;$groupdn = $group.distinguishedName&lt;br&gt;&lt;br&gt;# Users to query&lt;br&gt;$user = Get-CASMailbox -ResultSize unlimited&lt;br&gt;foreach ($userfound in $user)&lt;br&gt;{&lt;br&gt;$userdn = $userfound.distinguishedName&lt;br&gt;$usersm = $userfound.SamAccountName&lt;br&gt;# Bind to the user in AD and read the memberOf attribute (list of group DNs)&lt;br&gt;$ADuser = [ADSI]"LDAP://$userdn"&lt;br&gt;$res = $ADuser.memberOf&lt;br&gt;#$res&lt;br&gt;&lt;br&gt;# Check if the user is a member of the group;&lt;br&gt;# if not, ActiveSync is disabled for the account&lt;br&gt;if ($res -contains $groupdn)&lt;br&gt;{&lt;br&gt;Write-Output "$usersm Is a member of $group , Enabled" &gt;&gt; $outfile&lt;br&gt;#Set-CASMailbox $usersm -ActiveSyncEnabled $true&lt;br&gt;Write-Host $usersm "Enabled"&lt;br&gt;}&lt;br&gt;else&lt;br&gt;{&lt;br&gt;Write-Output "$usersm Is not a member of $group , Disabled" &gt;&gt; $outfile&lt;br&gt;# -WhatIf only reports what would change; remove it to actually disable ActiveSync&lt;br&gt;Set-CASMailbox $usersm -ActiveSyncEnabled $false -WhatIf&lt;br&gt;Write-Host $usersm "Disabled"&lt;br&gt;}&lt;br&gt;}&lt;br&gt;#Stop-Transcript&lt;br&gt;$user.Count&lt;br&gt;notepad $outfile&lt;br&gt;&lt;/div&gt;</content></entry><entry><title>Powershell Users Group Membership</title><link rel="alternate" href="http://blog.meigh.eu/2011/03/04/powershell-users-group-membership.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-03-04:2672c210-8973-462c-b4f9-158cd6bbfa1f</id><author><name>Madferret</name></author><category term="Active Directory Powershell" /><updated>2011-03-04T07:04:24Z</updated><published>2011-03-04T07:04:24Z</published><content type="html">&lt;div&gt;Script to list a user's group membership.&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;# User to query (replace Username with the mailbox identity)&lt;br&gt;$users = Get-CASMailbox Username&lt;br&gt;$userdn = $users.distinguishedName&lt;br&gt;# Bind to the user object in AD and read its memberOf attribute&lt;br&gt;$ADuser = [ADSI]"LDAP://$userdn"&lt;br&gt;$res = $ADuser.memberOf&lt;br&gt;$res&lt;br&gt;&lt;/div&gt;</content></entry><entry><title>PDA Statistics</title><link rel="alternate" href="http://blog.meigh.eu/2011/03/02/pda-statistics.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-03-02:e66500ef-1529-423c-a15d-48768d57668b</id><author><name>Madferret</name></author><category term="Powershell Exchange 2007" /><updated>2011-03-02T12:16:16Z</updated><published>2011-03-02T12:16:16Z</published><content type="html">&lt;div&gt;Script to list ActiveSync device statistics.&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;# Mailboxes with an ActiveSync partnership, skipping the CAS_{...} test mailboxes&lt;/div&gt;&lt;div&gt;$mbx = Get-CASMailbox -Filter {HasActiveSyncDevicePartnership -eq $true -and -not (DisplayName -like "CAS_{*")}&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;# CSV header: one column per value written in the loop below&lt;/div&gt;&lt;div&gt;[string]::join(',',("Name","Display Name","Model","Phone No","Device ID","DeviceIMEI","First Sync","Last Sync","Device OS","Device Friendly Name","Device Type")) &gt; "C:\ocs scripts\pda.csv"&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;foreach ($user in $mbx) {&lt;/div&gt;&lt;div&gt;$dev = Get-ActiveSyncDeviceStatistics -Mailbox $user.Name&lt;/div&gt;&lt;div&gt;foreach ($phone in $dev)&lt;/div&gt;&lt;div&gt;{&lt;/div&gt;&lt;div&gt;[string]::join(',',($user.Name, $user.DisplayName, $phone.DeviceModel, $phone.DevicePhoneNumber, $phone.DeviceID, $phone.DeviceIMEI, $phone.FirstSyncTime, $phone.LastSuccessSync, $phone.DeviceOS, $phone.DeviceFriendlyName, $phone.DeviceType)) &gt;&gt; "C:\ocs scripts\pda.csv"&lt;/div&gt;&lt;div&gt;}&lt;/div&gt;&lt;div&gt;}&lt;/div&gt;&lt;div&gt;#notepad "C:\ocs scripts\pda.csv"&lt;/div&gt;&lt;/div&gt;</content></entry><entry><title>Setting GC Global Catalog through powershell</title><link rel="alternate" href="http://blog.meigh.eu/2011/02/17/setting-gc-global-catalog-through-powershell.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-02-17:592af691-ec4d-446a-aca0-5bb6aba95fbc</id><author><name>Madferret</name></author><category term="Active Directory Recovery" /><updated>2011-02-17T14:03:22Z</updated><published>2011-02-17T14:03:22Z</published><content type="html">&lt;div&gt;Script to set the Global Catalog role on a domain controller when no GCs are available.&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;code&gt;&lt;br&gt;# ---------------------------------------------------------------------------------------------------&lt;br&gt;function Set-GCrole&lt;br&gt;# ---------------------------------------------------------------------------------------------------&lt;br&gt;{&lt;br&gt;Param (&lt;br&gt;  $serverName,&lt;br&gt;  $IsGC = "enable"&lt;br&gt;  )&lt;br&gt;  # Read the DC's RootDSE to locate its NTDS Settings object&lt;br&gt;  $dse  = [adsi]("LDAP://"+$serverName+"/RootDSE")&lt;br&gt;  $ntds = [adsi]("LDAP://"+$dse.dsServiceName)&lt;br&gt;&lt;br&gt;  # options attribute of NTDS Settings: 1 = GC enabled, 0 = disabled&lt;br&gt;  # (the whole attribute is overwritten, so any other option bits are cleared)&lt;br&gt;  If ($IsGC -eq "disable")&lt;br&gt;  {&lt;br&gt;    $ntds.options = 0&lt;br&gt;  }&lt;br&gt;  else&lt;br&gt;  {&lt;br&gt;    $ntds.options = 1&lt;br&gt;  }&lt;br&gt;  $ntds.SetInfo()&lt;br&gt;}&lt;br&gt;&lt;br&gt;# ---------------------------------------------------------------------------------------------------&lt;br&gt;If ($Args.Count -ne 2)&lt;br&gt;{&lt;br&gt;  write-host "You need to provide the name of the DC,"&lt;br&gt;  write-host "and the ""enable"" or ""disable"" keyword."&lt;br&gt;  write-host "example: Set-GCrole.ps1 ""server1"" ""enable"""&lt;br&gt;  write-host&lt;br&gt;  exit&lt;br&gt;}&lt;br&gt;Set-GCrole $Args[0] $Args[1]&lt;/code&gt;&lt;br&gt;&lt;/div&gt;</content></entry><entry><title>Full Server Recovery of a Domain Controller</title><link rel="alternate" href="http://blog.meigh.eu/2011/02/15/full-server-recovery-of-a-domain-controller.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-02-15:e0695440-959c-4e5c-9589-cb45c784c813</id><author><name>Madferret</name></author><category term="Active Directory Recovery" /><updated>2011-02-15T08:06:45Z</updated><published>2011-02-15T08:06:45Z</published><content 
type="html">&lt;div&gt;&lt;p&gt;Full Server Recovery of a Domain Controller (a nonauthoritative restore)&lt;/p&gt;&lt;/div&gt; &lt;div&gt;02 February 2011&lt;/div&gt; &lt;div&gt;07:45&lt;/div&gt; &lt;div&gt;Scenario 1&lt;/div&gt; &lt;div&gt;Loss of a DC that is not a FSMO role holder&lt;/div&gt; &lt;div&gt;Requirements: full bare-metal and system state backup of the single DC&lt;/div&gt; &lt;div&gt;To recover: Windows, disks and applications&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Performing Nonauthoritative Restore of Active Directory Domain Services&lt;/div&gt; &lt;div&gt;Updated: January 9, 2009&lt;/div&gt; &lt;div&gt;Applies To: Windows Server 2008, Windows Server 2008 R2&lt;/div&gt; &lt;div&gt;A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller. &lt;/div&gt; &lt;div&gt;You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use a nonauthoritative restore unless you have confirmed that the problem is with AD DS. 
&lt;/div&gt; &lt;div&gt;&lt;B&gt;Note&lt;/B&gt; If your objective is to recover objects that were deleted since the last backup, first perform a nonauthoritative restore from backup to reinstate the deleted objects and then perform an authoritative restore to mark the deleted objects as authoritative so that they are not overwritten during replication. When you are performing both a nonauthoritative restore and an authoritative restore, do not allow the domain controller to restart after the nonauthoritative restore. For information about performing an authoritative restore, see &lt;a href="http://technet.microsoft.com/en-us/library/cc816878%28WS.10%29.aspx"&gt;Performing Authoritative Restore of Active Directory Objects&lt;/a&gt;. &lt;/div&gt; &lt;div&gt;Pasted from &lt;&lt;a href="http://technet.microsoft.com/en-us/library/cc816627%28WS.10%29.aspx"&gt;http://technet.microsoft.com/en-us/library/cc816627(WS.10).aspx&lt;/a&gt;&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Nonauthoritative Restore Requirements&lt;/div&gt; &lt;div&gt;You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a stand-alone server, member server, or domain controller. &lt;/div&gt; &lt;div&gt;On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. 
Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in DSRM. If the domain controller cannot be started in DSRM, you must first reinstall the operating system. If you need to reinstall the operating system and then restore AD DS, see &lt;a href="http://technet.microsoft.com/en-us/library/cc816620%28WS.10%29.aspx"&gt;Restoring a Domain Controller Through Reinstallation&lt;/a&gt;. &lt;/div&gt; &lt;div&gt;To perform a nonauthoritative restore, you need one of the following types of backup for your backup source: &lt;/div&gt; &lt;ul&gt; &lt;li&gt;System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.&lt;/li&gt; &lt;li&gt;Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. 
To restore a critical-volumes backup, use the wbadmin start recovery command.&lt;/li&gt; &lt;li&gt;Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve a nonauthoritative restore of AD DS. For information about performing a full server backup for disaster recovery, see Performing a Full Server Recovery of a Domain Controller on the Microsoft Web site (&lt;a href="http://go.microsoft.com/fwlink/?LinkId=116206"&gt;http://go.microsoft.com/fwlink/?LinkId=116206&lt;/a&gt;).&lt;/li&gt; &lt;/ul&gt; &lt;div&gt;Pasted from &lt;&lt;a href="http://technet.microsoft.com/en-us/library/cc816627%28WS.10%29.aspx"&gt;http://technet.microsoft.com/en-us/library/cc816627(WS.10).aspx&lt;/a&gt;&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Performing a full server recovery of a domain controller by using the GUI&lt;/div&gt; &lt;div&gt;You can use this procedure to perform a full server recovery of a domain controller with Windows Complete PC Restore.&lt;/div&gt; &lt;div&gt;There are no administrative credential requirements. 
No authentication is performed when you start in Windows RE.&lt;/div&gt; &lt;div&gt;To perform full server recovery of a domain controller (a nonauthoritative restore) by using the GUI&lt;/div&gt; &lt;ol&gt;  &lt;li&gt;Insert the Windows      Server 2008 installation DVD into the disk drive, and then restart      the domain controller.&lt;/li&gt;  &lt;li&gt;When you are prompted, press      a key to start from the DVD.&lt;/li&gt;  &lt;li&gt;At the initial Windows screen, accept or select      language options, the time and currency format, and a keyboard layout, and      then click Next.&lt;/li&gt;  &lt;li&gt;At the Install now screen, click Repair your      computer.&lt;/li&gt;  &lt;li&gt;In the System      Recovery Options      dialog box, click anywhere to clear any operating systems that are      selected for repair, and then click Next.&lt;/li&gt;  &lt;li&gt;Under Choose a      recovery tool,      click Windows Complete PC Restore.&lt;/li&gt;  &lt;li&gt;If the backup is stored on a      remote server, a message indicates that Windows cannot find a backup on      the hard disks or DVDs on this computer. 
Click Cancel to close the message.&lt;/li&gt;  &lt;li&gt;Click Restore a      different backup,      and then click Next.&lt;/li&gt;  &lt;li&gt;On the Select the      location of the backup page, perform either set of the following steps, depending on      whether the backup is stored locally or on a network shared folder:&lt;/li&gt;  &lt;ol&gt;   &lt;li&gt;If the backup is       stored on the local computer, select the location of the backup, and then       click Next.&lt;br&gt;             &lt;br&gt;             Or&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;If the backup is       stored on a network shared folder, click Advanced, and then click Search for       a backup on the network.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Click Yes to confirm that       you want to connect to the network.&lt;/li&gt;   &lt;li&gt;In Network       Folder, type       the Universal Naming Convention (UNC) name for the network share, and       then click OK.&lt;/li&gt;   &lt;li&gt;Type credentials for a user       account that has sufficient permissions to restore the backup, and then       click OK. &lt;/li&gt;   &lt;li&gt;On the Select the       location of the backup page, click the location of the backup, and then click Next.&lt;/li&gt;  &lt;/ol&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Click the backup to restore,      and then click Next. &lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;If you want to replace all      data on all volumes, regardless of whether they are included in the      backup, on the Choose how to restore the backup page, select the Format and      repartition disks      check box. &lt;/li&gt;  &lt;li&gt;To prevent volumes that are      not included in the restore from being deleted and re-created, click Exclude      Disks, select      the check box for the disks that you want to exclude, and then click OK. 
&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Click Next, and then click Finish.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Select the I confirm      that I want to format the disks and restore the backup check box, and then click OK. &lt;/li&gt; &lt;/ol&gt; &lt;div&gt;Performing a full server recovery of a domain controller by using the command line&lt;/div&gt; &lt;div&gt;Use the following procedure to perform full server recovery of a domain controller from the command line.&lt;/div&gt; &lt;div&gt;There are no administrative credential requirements. No authentication is performed when you start in Windows RE. &lt;/div&gt; &lt;div&gt;To perform full server recovery of a domain controller (a nonauthoritative restore) by using the command line&lt;/div&gt; &lt;ol&gt;  &lt;li&gt;Insert the Windows      Server 2008 installation DVD into the disk drive, and then restart      the domain controller.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;When you are prompted, press      a key to start from the DVD.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the initial Windows screen, accept or select      language options, the time and currency format, and a keyboard layout, and      then click Next.&lt;/li&gt;  &lt;li&gt;At the Install now screen, click Repair your      computer.&lt;/li&gt;  &lt;li&gt;In the System      Recovery Options      dialog box, click anywhere to clear any operating systems that are      selected for repair, and then click Next.&lt;/li&gt;  &lt;li&gt;Under Choose a      recovery tool,      click Command Prompt.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the Sources prompt, type      diskpart, and then press ENTER.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the Diskpart prompt, type      list vol, and then press ENTER.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Identify the volume from the      list that corresponds to the location of the full server backup that you      want to restore. 
&lt;br&gt;           The drive letters in Windows RE do not necessarily match the      volumes as they appear in Windows Server 2008.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Type exit, and then press      ENTER.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the Sources prompt, type      the following command, and then press ENTER:&lt;br&gt;           wbadmin get versions -backupTarget:&lt;targetDrive&gt;: &lt;br&gt;           -machine:&lt;BackupComputerName&gt; &lt;br&gt;           Where:&lt;/li&gt;  &lt;ul&gt;   &lt;li&gt;&lt;targetDrive&gt;: is the       location of the backup that you want to restore.&lt;/li&gt;   &lt;li&gt;&lt;BackupComputerName&gt;       is the name of the computer where you want to recover the backup. This       parameter is required, if the backup is stored on a remote computer. &lt;/li&gt;  &lt;/ul&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Identify the version that you      want to restore. &lt;br&gt;           You must enter this version exactly in the next step.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the Sources prompt, type      the following command, and then press ENTER:&lt;br&gt;           wbadmin start sysrecovery -version:&lt;MM/DD/YYYY-HH:MM&gt; &lt;br&gt;           -backuptarget:&lt;targetDrive&gt;:      -machine:&lt;BackupComputerName&gt; &lt;br&gt;           -restoreAllVolumes &lt;br&gt;           Where:&lt;/li&gt;  &lt;ul&gt;   &lt;li&gt;&lt;MM/DD/YYYY-HH:MM&gt; is       the version of the backup that you want to restore.&lt;/li&gt;   &lt;li&gt;&lt;targetDrive&gt;: is the       drive that contains the backup.&lt;/li&gt;   &lt;li&gt;&lt;BackupComputerName&gt;       is the name of the computer where you want to recover the backup. This       parameter is useful when you have backed up multiple computers to the       same location or you have renamed the computer since the backup was       taken. 
&lt;/li&gt;  &lt;/ul&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;When you are prompted, press      Y to proceed with the restore process.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;After the recovery operation      has completed, minimize the command window, and then, in the System      Recovery Options      dialog box, click Restart.&lt;/li&gt; &lt;/ol&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Post Recovery Tests&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Repadmin /replsum&lt;/div&gt; &lt;div&gt;dcdiag /test:CheckSecurityError /s:DRDC01&lt;/div&gt; &lt;div&gt;repadmin /showrepl&lt;/div&gt; &lt;div&gt;w32tm /monitor&lt;/div&gt; &lt;div&gt;dcdiag /s:DCName&lt;/div&gt; &lt;div&gt;dcdiag /test:dns /e /s:DCName&lt;/div&gt; &lt;div&gt;dcdiag /test:netlogons /v /s:DCName&lt;/div&gt; &lt;div&gt;dcdiag /test:fsmocheck /s:DCName&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;&lt;&lt;NTDS.ps1&gt;&gt;&lt;/div&gt; &lt;div&gt;Additional considerations&lt;/div&gt; &lt;div&gt;Be aware of the following issues when you perform a full server recovery of a domain controller: &lt;/div&gt; &lt;ul&gt;  &lt;li&gt;Wbadmin.exe does not require      that you provide the recovery target. By specifying the backup version      that you want to recover, the command proceeds to recover to the source      location of the specified backup version.&lt;/li&gt;  &lt;li&gt;Backup files are named for      the date and time of the backup. When you recover, the version must be      stated in the form MM/DD/YYYY-HH:MM, which specifies the name of the      backup that you want to recover. &lt;/li&gt;  &lt;li&gt;After the restore is      completed, restart the server normally, and perform basic verification.      When you restart the computer normally, AD DS and Active Directory      Certificate Services (AD CS) automatically detect that they have been      recovered from a backup. 
They perform an integrity check and index the      database again.&lt;/li&gt;  &lt;li&gt;After you log on to the      system, browse AD DS. Verify that the following conditions are met:&lt;/li&gt;  &lt;ul&gt;   &lt;li&gt;All of the user objects and       group objects that were present in the directory at the time of the       backup are restored. &lt;br&gt;             &lt;/li&gt;  &lt;/ul&gt; &lt;/ul&gt; &lt;div&gt; &lt;table valign="top"&gt;  &lt;tbody&gt;&lt;tr&gt;   &lt;td&gt;   &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt;   &lt;div&gt;Note &lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td&gt;   &lt;div&gt;Active Directory   replication updates the objects that you restore with any changes that have   been made to them since the time that the backup was taken.&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;/div&gt; &lt;ul&gt;  &lt;li&gt;Files that were members of a      File Replication Service (FRS) replica set and certificates that were      issued by AD CS are present.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;The Windows Time service      (W32time) is synchronized correctly.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;The NETLOGON and SYSVOL      folders are properly shared.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;The Preferred DNS server      address is configured correctly.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;Host (A) and service (SRV)      resource records are registered correctly in Domain Name System (DNS).&lt;/li&gt; &lt;/ul&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Pasted from &lt;&lt;a href="http://technet.microsoft.com/en-us/library/cc772519%28WS.10%29.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc772519%28WS.10%29.aspx"&gt;http://technet.microsoft.com/en-us/library/cc772519(WS.10).aspx&lt;/a&gt;&gt; &lt;/div&gt;&lt;br&gt;&lt;/p&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_63e80.gif" alt="" /&gt;&lt;img 
src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_d9830.gif" alt="" /&gt;</content></entry><entry><title>Requirements - Full Server Recovery of a Domain Controller</title><link rel="alternate" href="http://blog.meigh.eu/2011/02/15/requirements--full-server-recovery-of-a-domain-controller.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-02-15:2501328b-f322-416f-8b2f-c2fcda6e5d3e</id><author><name>Madferret</name></author><category term="Active Directory Recovery" /><updated>2011-02-15T08:04:31Z</updated><published>2011-02-15T08:04:31Z</published><content type="html">&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;Requirements - Full Server Recovery of a Domain Controller&lt;/div&gt; &lt;div&gt;02 February 2011&lt;/div&gt; &lt;div&gt;09:09&lt;/div&gt; &lt;div&gt;When you perform a full server recovery, you recover all volumes from the backup set to the server. The procedure to perform full server recovery of a domain controller is the same as for any server running Windows Server 2008. Whenever you perform a full server recovery of a domain controller, you perform a nonauthoritative restore of Active Directory Domain Services (AD DS). 
&lt;/div&gt; &lt;div&gt;You can use these procedures to perform full server recovery of a domain controller by using Windows Complete PC Restore (a graphical user interface (GUI) tool) and Wbadmin.exe from the command line.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Pasted from &lt;&lt;a href="http://technet.microsoft.com/en-us/library/cc772519%28WS.10%29.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc772519%28WS.10%29.aspx"&gt;http://technet.microsoft.com/en-us/library/cc772519(WS.10).aspx&lt;/a&gt;&gt; &lt;/div&gt; &lt;div&gt;Requirements for performing a full server recovery of a domain controller&lt;/div&gt; &lt;div&gt;Full server recovery of a domain controller has the following requirements:&lt;/div&gt; &lt;ul&gt;  &lt;li&gt;You must have a full server      backup available. This type of backup contains all volumes that were on      the server at the time that you made the backup.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;You can store the backup on a      separate, internal or external hard drive or a DVD. If you performed a      manual backup, you can perform a full server recovery from a network      shared folder.&lt;/li&gt; &lt;/ul&gt; &lt;div&gt; &lt;table valign="top"&gt;  &lt;tbody&gt;&lt;tr&gt;   &lt;td&gt;   &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt;   &lt;div&gt;Note &lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td&gt;   &lt;div&gt;Windows Server   Backup does not enumerate drives that are not attached or turned on when you   start the Recovery Wizard. 
If you attach or turn on a drive after you start   the wizard, and you do not see it in the list of backup locations that you   can restore from, close, and then restart Windows Server Backup.&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;/div&gt; &lt;ul&gt;  &lt;li&gt;You must have the Windows      Server 2008 operating system DVD or have Windows RE installed on      a different partition than the critical partitions that are used by the      domain controller that you are restoring.&lt;/li&gt;  &lt;li&gt;If you are recovering to new      hardware, the new hardware must provide enough storage capacity to recover      all volumes. In other words, the hard drives that you are recovering data      to must be as large as, or larger than, the drives that are included in the      backup set.&lt;/li&gt; &lt;/ul&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Pasted from &lt;&lt;a href="http://technet.microsoft.com/en-us/library/cc772519%28WS.10%29.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc772519%28WS.10%29.aspx"&gt;http://technet.microsoft.com/en-us/library/cc772519(WS.10).aspx&lt;/a&gt;&gt; &lt;/div&gt;&lt;br&gt;&lt;/p&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_c37a0.gif" alt="" /&gt;</content></entry><entry><title>Forest Recovery Post recovery steps</title><link rel="alternate" href="http://blog.meigh.eu/2011/02/15/forest-recovery-post-recovery-steps.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-02-15:2610197a-f1db-41dc-865a-c0a4fc39d59e</id><author><name>Madferret</name></author><category term="Active Directory Recovery" /><updated>2011-02-15T08:03:21Z</updated><published>2011-02-15T08:03:21Z</published><content type="html">&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;Forest Recovery Post recovery steps&lt;/div&gt; &lt;div&gt;Perform the following post recovery steps as needed:&lt;/div&gt; &lt;div&gt;Ensure DCs are healthy by running the admin scripts 
below&lt;/div&gt; &lt;div&gt;·    After the entire forest is recovered, you can revert to the original DNS configuration, including configuration of the preferred and alternate DNS servers on each of the domain controllers. After the DNS servers are configured as they were before the malfunction, their previous name resolution capabilities will be restored. Delete any DNS records for domain controllers that have not been recovered.&lt;/div&gt; &lt;div&gt;·    Delete Windows Internet Name Service (WINS) records for all domain controllers that have not been recovered. &lt;/div&gt; &lt;div&gt;·    You can transfer the operations master roles to other domain controllers in the domain or forest and add more global catalog servers based on your pre-failure configuration. &lt;/div&gt; &lt;div&gt;·    Because the entire forest is restored to a previous state, any objects (such as users and computers) that were added and all updates (such as password changes) that were made to existing objects after this point are lost. Therefore, you should re-create these missing objects and reapply the missing updates as appropriate. &lt;/div&gt; &lt;div&gt;·    You might also need to restore outgoing trusts with external domains, because these external trust relationships are not restored automatically from backups. &lt;/div&gt; &lt;div&gt;·    If you suspect that the forest-wide failure was related to network intrusion or malicious attack, you can reset the account passwords for members of the Enterprise Admins and Domain Admins groups. &lt;/div&gt; &lt;div&gt;·    Restore or reinstall any software applications that were running on domain controllers before recovery. Restoring AD DS on the first domain controller in the domain also restores the registry because they both are part of System State data. 
Keep this in mind if you had any applications running on these domain controllers and if they had any information stored in the registry.&lt;/div&gt; &lt;div&gt;·    For client computers, you might have to reset their secure channel with domain controllers or rejoin them to the domain. To reset the secure channel, you can use Netdom.exe. At a command prompt, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;netdom reset &lt;computername&gt; /domain:&lt;domainname&gt;&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Repadmin /replsum&lt;/div&gt; &lt;div&gt;dcdiag /test:CheckSecurityError /s:DRDC01&lt;/div&gt; &lt;div&gt;repadmin /showrepl&lt;/div&gt; &lt;div&gt;w32tm /monitor&lt;/div&gt; &lt;div&gt;dcdiag /s:DCName&lt;/div&gt; &lt;div&gt;dcdiag /test:dns /e /s:DCName&lt;/div&gt; &lt;div&gt;dcdiag /test:netlogons /v /s:DCName&lt;/div&gt; &lt;div&gt;dcdiag /test:fsmocheck /s:DCName&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;&lt;&lt;NTDS.ps1&gt;&gt;&lt;/div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;</content></entry><entry><title>Forest Recovery Procedures - Stage 2</title><link rel="alternate" href="http://blog.meigh.eu/2011/02/15/forest-recovery-procedures--stage-2.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-02-15:2b6ef27a-b5b2-462f-9197-6b4b5161b4de</id><author><name>Madferret</name></author><category term="Active Directory Recovery" /><updated>2011-02-15T08:00:52Z</updated><published>2011-02-15T08:00:52Z</published><content type="html">&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;Forest Recovery Procedures - Stage 2&lt;/div&gt; &lt;div&gt;31 January 2011&lt;/div&gt; &lt;div&gt;13:59&lt;/div&gt; &lt;div&gt;Removing the global catalog&lt;/div&gt; &lt;div&gt;Use the following procedure to remove the global catalog from a domain controller.&lt;/div&gt; &lt;div&gt;Restoring a global catalog server from backup could 
result in the global catalog holding newer data for one of its partial replicas than the corresponding domain that is authoritative for that partial replica. In such a case, the newer data will not be removed from the global catalog and might even replicate to other global catalog servers. As a result, even if you did restore a domain controller that was a global catalog server, either inadvertently or because that was the solitary backup you trusted, you should remove the global catalog soon after the restore operation is complete. When the global catalog is removed, the computer removes all its partial replicas. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;To remove the global catalog&lt;/div&gt; &lt;div&gt;1.    Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.&lt;/div&gt; &lt;div&gt;2.    In the console tree, expand the Sites container, and then select the appropriate site that contains the target server. &lt;/div&gt; &lt;div&gt;3.    Expand the Servers container, and then expand the server object for the domain controller from which you want to remove the global catalog.&lt;/div&gt; &lt;div&gt;4.    Right-click NTDS Settings, and then click Properties.&lt;/div&gt; &lt;div&gt;5.    Clear the Global Catalog check box.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Raising the value of available RID pools&lt;/div&gt; &lt;div&gt;Use the following procedure to raise the value of the relative ID (RID) pools that the RID operations master will allocate after that domain controller is restored. 
By raising the value of the available RID pools, you can ensure that no domain controller allocates a RID for a security principal that was created after the backup that was used to restore the domain. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;To raise the value of available RID pools&lt;/div&gt; &lt;div&gt;1.    At the command prompt, change directories to the folder that contains the Windows Support Tools, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;ldp&lt;/div&gt; &lt;div&gt;2.    Click Connection, click Connect, type the name of the server on which you want to raise the RID pool, and then click OK. &lt;/div&gt; &lt;div&gt;3.    Click Connection, click Bind, type your administrative credentials, and then click OK.&lt;/div&gt; &lt;div&gt;4.    Click View, click Tree, and then type the following distinguished name path:&lt;/div&gt; &lt;div&gt;CN=RID Manager$,CN=System,DC=&lt;domain name&gt;&lt;/div&gt; &lt;div&gt;This account has an attribute named rIDAvailablePool. This attribute value maintains the global RID space for an entire domain. The value is a large integer with upper and lower parts. The upper part defines the number of security principals that can be allocated for each domain (0x3FFFFFFF or just over 1 billion). The lower part is the number of RIDs that have been allocated in the domain. 
To view both parts, in Ldp.exe use the Large Integer Converter command in the Utilities menu.&lt;/div&gt; &lt;div&gt;·    Sample Value: 4611686014132422708 (Insert in Large Integer Calculator in the Utilities menu of Ldp.exe)&lt;/div&gt; &lt;div&gt;·    Low Part: 2100 (beginning of the next RID pool to be allocated)&lt;/div&gt; &lt;div&gt;·    Upper Part: 1073741823 (total number of RIDs that can be created in a domain)&lt;/div&gt; &lt;div&gt;When you increase the value of the large integer, you increase the value of the low part. For example, if you add 100,000 to the sample value of 4611686014132422708 for a sum of 4611686014132522708, the new low part is 102100. This indicates that the next RID pool that will be allocated by the RID master will begin with 102100 instead of 2100. &lt;/div&gt; &lt;div&gt;5.    Click Browse, and then click Modify. &lt;/div&gt; &lt;div&gt;6.    Add 100,000 to the current rIDAvailablePool value, and then type the sum into Values. &lt;/div&gt; &lt;div&gt;7.    In Dn, type cn=RID Manager$,cn=System,dc=&lt;domain name&gt;. &lt;/div&gt; &lt;div&gt;8.    In Edit Entry Attribute, type rIDAvailablePool. &lt;/div&gt; &lt;div&gt;9.    Select Replace as the operation, and then click Enter. &lt;/div&gt; &lt;div&gt;10.    
Click Run to run the operation.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;[Screenshot: Ldp.exe Large Integer Converter dialog (String, High Part, Low Part)]&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;[Screenshot: Ldp.exe Modify dialog with Attribute rIDAvailablePool, Values 4611686014132623709, Operation Replace]&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Seizing an operations master role - If the recovered DC does not hold the FSMO Roles&lt;/div&gt; &lt;div&gt;Use the following procedure to seize an operations master role (also known as a flexible single master operations (FSMO) role). You can use Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;To seize an operations master role&lt;/div&gt; &lt;div&gt;1.    At the command prompt, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;ntdsutil&lt;/div&gt; &lt;div&gt;2.    At the ntdsutil: prompt, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;roles&lt;/div&gt; &lt;div&gt;3.    At the FSMO maintenance: prompt, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;connections&lt;/div&gt; &lt;div&gt;4.    
At the server connections: prompt, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;Connect to server ServerFQDN&lt;/div&gt; &lt;div&gt;Where ServerFQDN is the fully qualified domain name (FQDN) of this domain controller, for example: connect to server &lt;a href="http://nycdc01.example.com"&gt;nycdc01.example.com&lt;/a&gt;. &lt;/div&gt; &lt;div&gt;If ServerFQDN does not succeed, use the NetBIOS name of the domain controller.&lt;/div&gt; &lt;div&gt;5.    At the server connections: prompt, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;quit&lt;/div&gt; &lt;div&gt;6.    Depending on the role that you want to seize, at the FSMO maintenance: prompt, type the appropriate command as described in the following table, and then press ENTER.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;table valign="top"&gt;  &lt;tbody&gt;&lt;tr&gt;   &lt;td&gt;   &lt;div&gt;Role&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Credentials&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Command&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td&gt;   &lt;div&gt;Domain naming   master&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Enterprise   Admins&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;For Windows   Server 2003: Seize domain naming master&lt;/div&gt;   &lt;div&gt;For Windows   Server 2008: Seize naming master&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td&gt;   &lt;div&gt;Schema master&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Schema Admins&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Seize schema master&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td&gt;   &lt;div&gt;Infrastructure   master&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Domain Admins&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Seize infrastructure master&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td&gt;   &lt;div&gt;PDC emulator   
master&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Domain Admins&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Seize pdc&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td&gt;   &lt;div&gt;RID master&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Domain Admins&lt;/div&gt;   &lt;/td&gt;   &lt;td&gt;   &lt;div&gt;Seize rid master&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;After you confirm the request, Active Directory or AD DS attempts to transfer the role. When the transfer fails, some error information appears, and Active Directory or AD DS proceeds with the seizure. After the seizure is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;Note &lt;/div&gt; &lt;div&gt;If this computer was not a RID master before the failure and you attempt to seize the RID master role, the computer tries to synchronize with a replication partner before accepting this role. However, because this step is performed when the computer is isolated, it will not succeed in synchronizing with a partner. Therefore, a dialog box appears asking you whether you want to continue with the operation despite this computer not being able to synchronize with a partner. Click Yes.&lt;/div&gt; &lt;div&gt;Windows Server 2008: Deleting a domain controller using Active Directory Users and Computers&lt;/div&gt; &lt;div&gt;When you use the version of Active Directory Users and Computers in Windows Server 2008, metadata cleanup is performed automatically when you delete the domain controller object. In addition, the server object and the computer object are also deleted automatically, which eliminates the need to perform those additional procedures. 
&lt;/div&gt; &lt;div&gt;As an alternative, you can also use Active Directory Sites and Services in Windows Server 2008 to delete a domain controller object. If you use Active Directory Sites and Services, you must delete the associated server object and NTDS Settings object before you can delete the domain controller object.&lt;/div&gt; &lt;div&gt;If you do not have Windows Server 2008, you can instead download and use the Microsoft Remote Server Administration Tools for Windows Vista (&lt;a href="http://go.microsoft.com/fwlink/?LinkID=115118" mce_href="http://go.microsoft.com/fwlink/?LinkID=115118"&gt;http://go.microsoft.com/fwlink/?LinkID=115118&lt;/a&gt;) to perform this procedure. &lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;To delete a domain controller object using Active Directory Users and Computers in Windows Server 2008&lt;/div&gt; &lt;div&gt;1.    Click Start, click Administrative Tools, and then click Active Directory Users and Computers. &lt;/div&gt; &lt;div&gt;2.    In the console tree, double-click the domain container, and then double-click the Domain Controllers organizational unit (OU).&lt;/div&gt; &lt;div&gt;3.    In the details pane, right-click the domain controller that you want to delete, and then click Delete.&lt;/div&gt; &lt;div&gt;Resetting the krbtgt password&lt;/div&gt; &lt;div&gt;Use the following procedure to reset the krbtgt password for the domain. The following procedure applies to domain controllers that run Windows Server 2003 or writable domain controllers (not read-only domain controllers (RODCs)) that run Windows Server 2008.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;Important &lt;/div&gt; &lt;div&gt;If you leave RODCs online during the forest recovery, do not delete the krbtgt accounts for the RODCs. 
The krbtgt account for an RODC is listed in the format krbtgt_number.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;To reset the krbtgt password&lt;/div&gt; &lt;div&gt;1.    Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers. &lt;/div&gt; &lt;div&gt;2.    In the console tree, double-click the domain container, and then click Users.&lt;/div&gt; &lt;div&gt;3.    In the details pane, right-click the krbtgt user account, and then click Reset Password.&lt;/div&gt; &lt;div&gt;4.    In New password, type a new password, retype the password in Confirm password, and then click OK.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;Notes &lt;/div&gt; &lt;div&gt;As mentioned in "Recovery steps," earlier in this guide, you should perform this operation twice.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Resetting the computer account password of the domain controller&lt;/div&gt; &lt;div&gt;Use the following procedure to reset the computer account password of the domain controller. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;To reset the computer account password of the domain controller&lt;/div&gt; &lt;div&gt;1.    At a command prompt, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;netdom help resetpwd&lt;/div&gt; &lt;div&gt;2.    
Use the syntax that this command provides for using the NetDom command-line tool to reset the computer account password, for example: &lt;/div&gt; &lt;div&gt;netdom resetpwd /server:&lt;domain controller name&gt; /userD:administrator /passwordd:*&lt;/div&gt; &lt;div&gt;Where &lt;domain controller name&gt; is the local domain controller that you are recovering.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;Note &lt;/div&gt; &lt;div&gt;As mentioned in "Recovery steps," earlier in this guide, you should run this command twice.&lt;/div&gt; &lt;div&gt;Resetting a trust password on one side of the trust - If you have trusts in place&lt;/div&gt; &lt;div&gt;Use the following procedure to reset a trust password on one side of the trust. This includes implicit trusts between child and parent domains as well as explicit trusts between this domain (the trusting domain) and another domain (the trusted domain). &lt;/div&gt; &lt;div&gt;Reset the password on only the trusting domain side of the trust, known in Windows Server 2003 as the incoming trust (the side where this domain belongs). Then, use the same password on the trusted domain side of the trust. In Windows Server 2003, this trusted domain is called the specified domain, and the trust is called the outgoing trust. Reset the password of the outgoing trust when you restore the first domain controller in each of the other (trusted) domains. 
&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;Important &lt;/div&gt; &lt;div&gt;To perform the following procedure, use the latest Netdom.exe command-line tool in the Windows Server 2003 Service Pack 1 32-bit Support Tools, which you can download from the Microsoft Download Center (&lt;a href="http://go.microsoft.com/fwlink/?LinkId=70775" mce_href="http://go.microsoft.com/fwlink/?LinkId=70775"&gt;http://go.microsoft.com/fwlink/?LinkId=70775&lt;/a&gt;), or use Netdom.exe, which is included in Windows Server 2008 or in the Microsoft Remote Server Administration Tools for Windows Vista. Do not use older versions of the Netdom.exe command-line tool.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;To reset a trust password on one side of the trust&lt;/div&gt; &lt;div&gt;1.    At a command prompt, type the following command, and then press ENTER:&lt;/div&gt; &lt;div&gt;netdom experthelp trust&lt;/div&gt; &lt;div&gt;2.    Use the syntax that this command provides for using the NetDom tool to reset the trust password.&lt;/div&gt; &lt;div&gt;For example, if there are two domains in the forest (parent and child) and you are running this command on the restored domain controller in the parent domain, use the following command syntax:&lt;/div&gt; &lt;div&gt;netdom trust &lt;parent domain name&gt; /domain:&lt;child domain name&gt; /resetOneSide /passwordT:&lt;password&gt; /userO:administrator /passwordO:*&lt;/div&gt; &lt;div&gt;When you run this command in the child domain, use the following command syntax:&lt;/div&gt; &lt;div&gt;netdom trust &lt;child domain name&gt; /domain:&lt;parent domain name&gt; /resetOneSide /passwordT:&lt;password&gt; /userO:administrator /passwordO:*&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;Note &lt;/div&gt; &lt;div&gt;passwordT should be the same value on both sides of the trust. 
Run this command only once (unlike the netdom resetpwd command) because it automatically resets the password twice.&lt;/div&gt; &lt;div&gt;Adding the global catalog&lt;/div&gt; &lt;div&gt;Use the following procedure to add the global catalog to a domain controller. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;To add the global catalog &lt;/div&gt; &lt;div&gt;1.    Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.&lt;/div&gt; &lt;div&gt;2.    In the console tree, expand the Sites container, and then select the appropriate site that contains the target server. &lt;/div&gt; &lt;div&gt;3.    Expand the Servers container, and then expand the server object for the domain controller to which you want to add the global catalog.&lt;/div&gt; &lt;div&gt;4.    Right-click NTDS Settings, and then click Properties.&lt;/div&gt; &lt;div&gt;5.    
Select the Global Catalog check box.&lt;/div&gt; &lt;div&gt;Once complete, plug the NIC back in and restart.&lt;/div&gt; &lt;div&gt;On all rebuilt DC boxes, configure the name, IP address and configuration as per the topology report.&lt;/div&gt; &lt;div&gt;Then join each machine back to the domain and run DCPROMO as per the original design.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Additional considerations&lt;/div&gt; &lt;div&gt;Be aware of the following issues when you perform a nonauthoritative restore of AD DS: &lt;/div&gt; &lt;ul&gt;  &lt;li&gt;If the nonauthoritative      restore procedure is preliminary to performing an authoritative restore of      any restored objects, do not restart the domain controller until after you      have completed the authoritative restore procedure.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;When you use System Recovery      Options to restore a Windows Server 2008 domain controller in an      environment that has Distributed File System (DFS) Replication      implemented, the SYSVOL restore is performed nonauthoritatively by      default. To perform an authoritative restore of SYSVOL, include the -authsysvol switch in your recovery      command, as shown in the following example:&lt;br&gt;           &lt;br&gt;           wbadmin start systemstaterecovery &lt;otheroptions&gt; -authsysvol&lt;/li&gt; &lt;/ul&gt; &lt;div&gt; &lt;/div&gt; &lt;ul&gt;  &lt;li&gt;If you use File Replication      Service (FRS), the restore operation sets the BURFLAGS registry keys for FRS, which      affects all replica sets that are replicated by FRS. &lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;Wbadmin.exe does not require      that you provide the target for the recovery. 
By specifying the backup      version that you want to recover, the command proceeds to recover to the      source location of the specified backup version.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;Backup files are named for      the date and time of the backup. When you recover, the version must be      stated in the form MM/DD/YYYY-HH:MM, which specifies the name of backup      that you want to recover. &lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;After the restore is      completed, restart the server normally, and perform basic verification.      When you restart the computer normally, AD DS and      Active Directory Certificate Services (AD CS) automatically      detect that they have been recovered from a backup. They perform an      integrity check and index the database again.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;After you log on to the      system, browse AD DS, and verify that the following conditions are      met:&lt;/li&gt;  &lt;ul&gt;   &lt;li&gt;All of the user objects and       group objects that were present in the directory at the time of the       backup are restored. 
&lt;br&gt;             &lt;/li&gt;  &lt;/ul&gt; &lt;/ul&gt; &lt;div&gt; &lt;table valign="top"&gt;  &lt;tbody&gt;&lt;tr&gt;   &lt;td&gt;   &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt;   &lt;div&gt;Note &lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt;  &lt;tr&gt;   &lt;td&gt;   &lt;div&gt;Active Directory   replication updates the objects that you restore with any changes that have   been made to them since the time that the backup was taken.&lt;/div&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;/div&gt; &lt;ul&gt;  &lt;li&gt;Files that were members of a      FRS replica set and certificates that were issued by AD CS are      present.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;The Windows Time service      (W32time) is synchronized correctly.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;The NETLOGON and SYSVOL      folders are properly shared.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;The Preferred DNS server      address is configured correctly.&lt;/li&gt; &lt;/ul&gt; &lt;ul&gt;  &lt;li&gt;Host (A) and service (SRV)      resource records are registered correctly in Domain Name System (DNS).&lt;/li&gt; &lt;/ul&gt;&lt;br&gt;&lt;/p&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_dc07b.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage004.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_df399.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_96134.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_9e4fb.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_479f3.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_0f54f.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage005.gif" alt="" /&gt;&lt;img 
src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage004_ba5de.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage004_a1f48.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_31c10.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage004_83553.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage003_95a8a.png" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage005_2f431.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage002_8ad12.png" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_0ab2f.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage006.gif" alt="" /&gt;</content></entry><entry><title>Forest Bare Metal Recovery -</title><link rel="alternate" href="http://blog.meigh.eu/2011/02/15/forest-bare-metal-recovery-.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-02-15:d7cc66e5-da36-4b72-8c7b-0c9d70c60dcb</id><author><name>Madferret</name></author><category term="Active Directory Recovery" /><updated>2011-02-15T07:57:50Z</updated><published>2011-02-15T07:57:50Z</published><content type="html">&lt;div&gt; &lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;Forest Bare Metal Recovery - Windows &amp; AD Failed&lt;/div&gt; &lt;div&gt;02 February 2011&lt;/div&gt; &lt;div&gt;12:48&lt;/div&gt; &lt;div&gt;To recover: Windows, Disks and Applications&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Loss of a Active Directory Forest&lt;/div&gt; &lt;div&gt;Requirements: Full Bare Metal backup &amp; System State&lt;/div&gt; &lt;div&gt;You need to make sure that a full server backup is available!&lt;/div&gt; &lt;div&gt;You need to know the DSRM Admin account and password&lt;/div&gt; &lt;div&gt; &lt;/div&gt; 
&lt;div&gt;Performing a full Forest recovery of a domain controller by using the GUI&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Because this is the first writable domain controller in the domain, you must perform a nonauthoritative restore of AD DS and an authoritative restore of the SYSVOL folder.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;An authoritative restore of SYSVOL is required because replication of the SYSVOL replicated folder must be started after you recover from a disaster. All subsequent domain controllers that are added in the domain must resynchronize their SYSVOL folder with a copy of the folder that has been selected to be authoritative before the folder can be advertised.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;If you are restoring a domain controller that runs Windows Server 2008, use Wbadmin.exe to perform a nonauthoritative restore of AD DS. At the same time, perform an authoritative restore of SYSVOL by including the -authsysvol switch in your recovery command, as shown in the following example: &lt;/div&gt; &lt;div&gt;wbadmin start systemstaterecovery &lt;otheroptions&gt; -authsysvol&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;The first DC we will restore is the FSMO owner in the root domain. This will be a complete bare metal recovery, so that it restores the server with Directory Services installed. Once the server is recovered, the latest system state with an authoritative SYSVOL will be recovered.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;You can use this procedure to perform full server recovery of a domain controller with Windows Complete PC Restore.&lt;/div&gt; &lt;div&gt;There are no administrative credential requirements. No authentication is performed when you start in Windows RE.&lt;/div&gt; &lt;div&gt;Make sure the DC is not connected to the network.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;A full server recovery recovers every volume on the server. 
Use this type of recovery to recover from hard drive failures or file corruption on the same hardware with the same operating system installed.&lt;/div&gt; &lt;div&gt;A full server recovery reformats and repartitions all disks that are attached to the server. Use this scenario if you want to recover onto new hardware or if all other attempts to recover the server on the existing hardware have failed.&lt;/div&gt; &lt;div&gt;Before you perform a full server recovery, be aware that any existing data that is not included in the backup will be deleted when you complete this operation. This includes any volumes that are currently used by the server but not included in the backup.&lt;/div&gt; &lt;div&gt;For example, suppose you back up drives C, D, and E and disk 1, and the server also includes application data on disk 2. When you use that backup to perform a full server recovery, all the application data on disk 2 is lost. &lt;/div&gt; &lt;div&gt;If you recover to a dynamic disk that is not included in the backup, the partition, and the data that is stored on it, are deleted and then re-created without the data. 
&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;To perform full server recovery of a domain controller by using the GUI&lt;/div&gt; &lt;ol&gt;  &lt;li&gt;Insert the Windows      Server 2008 installation DVD into the disk drive, and then restart      the domain controller.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;When you are prompted, press      a key to start from the DVD.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the initial Windows screen, accept or select      language options, the time and currency format, and a keyboard layout, and      then click Next.&lt;/li&gt;  &lt;li&gt;At the Install now screen, click Repair your      computer.&lt;/li&gt;  &lt;li&gt;In the System      Recovery Options      dialog box, click anywhere to clear any operating systems that are      selected for repair, and then click Next.&lt;/li&gt;  &lt;li&gt;Under Choose a      recovery tool,      click Windows Complete PC Restore.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;If the backup is stored on a      remote server, a message indicates that Windows cannot find a backup on      the hard disks or DVDs on this computer. 
Click Cancel to close the message.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Click Restore a      different backup,      and then click Next.&lt;/li&gt;  &lt;li&gt;On the Select the      location of the backup page, perform either set of the following steps, depending on      whether the backup is stored locally or on a network shared folder:&lt;/li&gt;  &lt;ol&gt;   &lt;li&gt;If the backup is       stored on the local computer, select the location of the backup, and then       click Next.&lt;br&gt;             &lt;br&gt;             Or&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;If the backup is       stored on a network shared folder, click Advanced, and then click Search for       a backup on the network.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Click Yes to confirm that       you want to connect to the network.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;In Network       Folder,       type the Universal Naming Convention (UNC) name for the network share,       and then click OK.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Type credentials       for a user account that has sufficient permissions to restore the backup,       and then click OK. &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;On the Select the       location of the backup page, click the location of the backup, and then click       Next.&lt;/li&gt;  &lt;/ol&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Click the backup to restore,      and then click Next. &lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;If you want to replace all      data on all volumes, regardless of whether they are included in the      backup, on the Choose how to restore the backup page, select the Format and      repartition disks      check box. 
&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Note that the drive containing the      backup is already excluded, so you can just click Next.&lt;/li&gt; &lt;/ol&gt; &lt;div&gt; &lt;/div&gt; &lt;ol&gt;  &lt;li&gt;To prevent volumes that are      not included in the restore from being deleted and re-created, click Exclude      Disks, select      the check box for the disks that you want to exclude, and then click OK. &lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Click Next, and then click Finish.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Select the I confirm      that I want to format the disks and restore the backup check box, and then click OK. &lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Next we need to restore to      the best system state. &lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Click Start, click Command      Prompt, and then      click Run as administrator.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the command prompt, type      the following command, and then press ENTER:&lt;br&gt;           bcdedit /set safeboot dsrepair&lt;/li&gt; &lt;/ol&gt; &lt;div&gt; &lt;/div&gt; &lt;ol&gt;  &lt;li&gt;Type the following command,      and then press ENTER:&lt;br&gt;           shutdown -t 0 -r&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;The server will now boot into      Directory Services Restore Mode (DSRM).&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the Windows logon screen, click Switch User, and then click Other User. 
&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Type .\administrator as the user name, type the      DSRM password for the server, and then press ENTER.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Click Start, right-click Command      Prompt, and then      click Run as Administrator.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the command prompt, type      the following command, and then press ENTER:&lt;/li&gt; &lt;/ol&gt; &lt;div&gt; &lt;/div&gt; &lt;ol&gt;  &lt;li&gt;wbadmin get versions      -backuptarget:&lt;targetDrive&gt;: &lt;br&gt;           -machine:&lt;BackupComputerName&gt; &lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;&amp;nbsp;wbadmin get versions -backuptarget:e:&lt;BR&gt;wbadmin 1.0 - Backup command-line tool&lt;BR&gt;(C) Copyright 2004 Microsoft Corp.&lt;BR&gt;Backup time: 1/28/2011 1:05 PM&lt;BR&gt;Backup target: 1394/USB Disk labeled E:&lt;BR&gt;Version identifier: 01/28/2011-13:05&lt;BR&gt;Can Recover: Application(s), System State&lt;BR&gt;Backup time: 1/31/2011 12:18 PM&lt;BR&gt;Backup target: 1394/USB Disk labeled E:&lt;BR&gt;Version identifier: 01/31/2011-12:18&lt;BR&gt;Can Recover: Application(s), System State&lt;BR&gt;&lt;/li&gt; &lt;/ol&gt; &lt;div&gt; &lt;/div&gt; &lt;ol&gt;  &lt;li&gt;Where:&lt;/li&gt;  &lt;ul&gt;   &lt;li&gt;&lt;targetDrive&gt;: is the       location of the backup that you want to restore.&lt;/li&gt;   &lt;li&gt;&lt;BackupComputerName&gt;       is the name of the computer where you want to recover the backup. This       parameter is useful when you have backed up multiple computers to the       same location or you have renamed the computer since the backup was       taken. &lt;/li&gt;  &lt;/ul&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;Identify the version that you      want to restore. 
&lt;br&gt;           You must enter this version exactly in the next step.&lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;At the command      prompt, type the following command, and then press ENTER:&lt;br&gt;           wbadmin start systemstaterecovery -version:&lt;MM/DD/YYYY-HH:MM&gt;      &lt;br&gt;           -backuptarget:&lt;targetDrive&gt;:      -machine:&lt;BackupComputerName&gt; -authsysvol&lt;br&gt;           -quiet &lt;/li&gt; &lt;/ol&gt; &lt;ol&gt;  &lt;li&gt;&amp;nbsp;Backup target: 1394/USB Disk labeled E:&lt;BR&gt;Version identifier: 01/28/2011-13:05&lt;BR&gt;Can Recover: Application(s), System State&lt;BR&gt;Backup time: 1/31/2011 12:18 PM&lt;BR&gt;Backup target: 1394/USB Disk labeled E:&lt;BR&gt;Version identifier: 01/31/2011-12:18&lt;BR&gt;Can Recover: Application(s), System State&lt;BR&gt;C:\Users\Administrator.DRDCO1&gt;wbadmin start systemstaterecovery -version:01/31/2011-12:18 -backuptarget:E: -machine:DRDCO1 -authsysvol&lt;BR&gt;wbadmin 1.0 - Backup command-line tool&lt;BR&gt;(C) Copyright 2004 Microsoft Corp.&lt;BR&gt;Do you want to start the system state recovery operation?&lt;BR&gt;[Y] Yes [N] No y&lt;BR&gt;&lt;/li&gt; &lt;/ol&gt; &lt;div&gt; &lt;/div&gt; &lt;ol&gt;  &lt;li&gt;Where:&lt;/li&gt;  &lt;ul&gt;   &lt;li&gt;&lt;MM/DD/YYYY-HH:MM&gt; is       the version of the backup that you want to restore.&lt;/li&gt;  &lt;/ul&gt;  &lt;ul&gt;   &lt;li&gt;&lt;targetDrive&gt;: is the       volume that contains the backup.&lt;/li&gt;   &lt;li&gt;&lt;BackupComputerName&gt;       is the name of the computer where you want to recover the backup. This       parameter is useful when you have backed up multiple computers to the       same location or you have renamed the computer since the backup was       taken. 
&lt;br&gt;             &lt;br&gt;             If you do not specify the -quiet parameter, you are prompted to       press Y to proceed with the restore process and press Y to confirm that       the replication engine for SYSVOL has not changed since you created the       backup.&lt;br&gt;             After the recovery operation has completed, if you are not going to       perform an authoritative restore of any restored objects, restart the       server as below &lt;/li&gt;  &lt;/ul&gt; &lt;/ol&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;Now Restart the server and follow STAGE 2&lt;/div&gt; &lt;ol&gt;  &lt;li&gt;To restart the server      normally after you perform the restore operation, type the following      command, and then press ENTER to have the server restart normally:&lt;br&gt;           &lt;br&gt;           bcdedit /deletevalue safeboot&lt;br&gt;           &lt;br&gt;           Type the following command, and then press ENTER:&lt;br&gt;           &lt;br&gt;           shutdown -t 0 -r&lt;/li&gt; &lt;/ol&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt;&lt;br&gt;&lt;/p&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage002_8ff60.png" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_a0eff.png" alt="" /&gt;</content></entry><entry><title>Forest Recovery Roadmap</title><link rel="alternate" href="http://blog.meigh.eu/2011/02/15/forest-recovery-roadmap.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-02-15:3889e7e1-ebd9-4a44-b951-fc29e157b981</id><author><name>Madferret</name></author><category term="Active Directory Recovery" /><updated>2011-02-15T07:56:08Z</updated><published>2011-02-15T07:56:08Z</published><content type="html">&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;Forest Recovery roadmap&lt;/div&gt; &lt;div&gt;This section provides an overview of the recommended path for recovering a forest. 
It is important to understand the recovery roadmap before you proceed with the forest recovery steps, which are described in detail later.&lt;/div&gt; &lt;div&gt;The following list summarizes the recovery steps at a high level:&lt;/div&gt; &lt;div&gt;1.    Perform prerecovery steps.&lt;/div&gt; &lt;div&gt;Prerecovery steps include determining the current forest structure, identifying the functions that each domain controller performs, and other related tasks.&lt;/div&gt; &lt;div&gt;2.    In each domain, perform an offline restore for one writable domain controller.&lt;/div&gt; &lt;div&gt;3.    Starting with the forest root domain controller, introduce the restored domain controllers to the network. &lt;/div&gt; &lt;div&gt;4.    Make the forest root domain controller a global catalog server. Perform replication synchronization between the forest root domain and each domain in the forest.&lt;/div&gt; &lt;div&gt;Although it is preferred that the forest root domain controller become a global catalog, it is possible to elect any of the restored domain controllers to become a global catalog. &lt;/div&gt; &lt;div&gt;While steps 1 through 4 are being performed, you can simultaneously start installing the operating system on each of the remaining writable domain controllers in the forest (that is, on those writable domain controllers that are not being restored from backup). This prepares them for step 5.&lt;/div&gt; &lt;div&gt;You do not necessarily have to rebuild RODCs at this point in the process. Instead, they can continue to allow access to local resources that are cached on the RODCs in their respective sites while the recovery operations are going on in parallel. Local resources, such as users and computers, that are not cached on the RODC in that site will have authentication requests forwarded to a writable domain controller. These requests will fail because writable domain controllers are offline. 
&lt;/div&gt; &lt;div&gt;If you are using a hub-and-spoke network architecture, you can concentrate first on recovering the writable domain controllers in the hub sites. Later, you can rebuild the RODCs in remote sites. &lt;/div&gt; &lt;div&gt;Remember that some operations in the remote sites, such as password changes, will not work until you recover writable domain controllers.&lt;/div&gt; &lt;div&gt;5.    Install AD DS on the remaining domain controllers in the forest. During the AD DS installation, each remaining domain controller will replicate data from the single domain controller for the domain that you restored from backup in step 2.&lt;/div&gt; &lt;div&gt;6.    Perform postrecovery steps.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt; &lt;div&gt;Important &lt;/div&gt; &lt;div&gt;Restoring system state backups depends on the original operating system and server of the backup. For example, you should not restore a system state backup to a different server. In this case, you may see the following warning: &lt;/div&gt; &lt;div&gt;"The specified backup is of a different server than the current one. We do not recommend performing a system state recovery with the backup to an alternate server because the server might become unusable. Are you sure you want to use this backup for recovering the current server?"&lt;/div&gt; &lt;div&gt;If you need to restore Active Directory to different hardware, create full server backups and plan to perform a full server recovery.&lt;/div&gt; &lt;div&gt;If the time of the occurrence of the failure is unknown, investigate further to identify backups that hold the last safe state of the forest. This approach is less desirable. Therefore, we strongly recommend that you keep detailed logs about the health state of AD DS on a daily basis so that, if there is a forest-wide failure, the approximate time of failure can be identified. 
You should also keep a local copy of backups to enable faster recovery.&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt; &lt;/div&gt;&lt;br&gt;&lt;/p&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_b07b0.gif" alt="" /&gt;</content></entry><entry><title>Directory Domain Services Database Mounting Tool</title><link rel="alternate" href="http://blog.meigh.eu/2011/02/15/directory-domain-services-database-mounting-tool.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-02-15:5bc212dd-df51-42b3-8c2c-846b0a0755e9</id><author><name>Madferret</name></author><category term="Active Directory Recovery" /><updated>2011-02-15T07:43:34Z</updated><published>2011-02-15T07:43:34Z</published><content type="html">&lt;div&gt; &lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;p&gt;Active Directory Domain Services Database Mounting Tool&lt;/div&gt; &lt;div&gt;31 January 2011&lt;/div&gt; &lt;div&gt;07:37&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;ul&gt;  &lt;div&gt;Active Directory  Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser)  Step-by-Step Guide&lt;/div&gt;  &lt;div&gt;Updated: March 28,  2009&lt;/div&gt;  &lt;div&gt;Applies To: Windows  Server 2008&lt;/div&gt;  &lt;div&gt;This guide shows  how you can use an improved version of Ntdsutil and a new  Active Directory® database mounting tool in  Windows Server® 2008 to create and view snapshots of data that is  stored in Active Directory Domain Services (AD DS) or Active  Directory Lightweight Directory Services (AD LDS), without restarting the  domain controller or AD LDS server. A snapshot is a shadow copy, created  by the Volume Shadow Copy Service (VSS), of the volumes that contain the Active Directory  database and log files. 
&lt;/div&gt;  &lt;div&gt;  &lt;table valign="top"&gt;   &lt;tbody&gt;&lt;tr&gt;    &lt;td&gt;    &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt;    &lt;div&gt;Note &lt;/div&gt;    &lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td&gt;    &lt;div&gt;During product    development, this feature has also been known by other names, including    Snapshot Viewer, Snapshot Browser, and Active Directory data mining    tool.&lt;/div&gt;    &lt;/td&gt;   &lt;/tr&gt;  &lt;/tbody&gt;&lt;/table&gt;  &lt;/div&gt;  &lt;div&gt;The Active  Directory database mounting tool (Dsamain..exe) can improve recovery processes  for your organization by providing a means to compare data as it exists in  snapshots that are taken at different times so that you can better decide  which data to restore after data loss. This eliminates the need to restore  multiple backups to compare the Active Directory data that they contain.&lt;/div&gt;  &lt;div&gt;This guide provides  step-by-step instructions for using the Active Directory database  mounting tool, including creating, listing, and mounting snapshots of  AD DS; preparing them for viewing as a Lightweight Directory Access  Protocol (LDAP) server; and viewing the data itself.&lt;/div&gt;  &lt;div&gt;For more  information about VSS snapshots, see Shadow Copies and Shadow Copy Sets (VSS)  (&lt;a href="http://go.microsoft.com/fwlink/?LinkId=90631" mce_href="http://go.microsoft.com/fwlink/?LinkId=90631"&gt;http://go.microsoft.com/fwlink/?LinkId=90631&lt;/a&gt;).&lt;/div&gt;  &lt;div&gt;In this guide&lt;/div&gt;  &lt;div&gt;&lt;a href="http://technet.microsoft.com/en-us/library/dd581644%28WS.10%29.aspx" mce_href="http://technet.microsoft.com/en-us/library/dd581644%28WS.10%29.aspx"&gt;End-to-End  Scenario That Uses the Active Directory Database Mounting Tool&lt;/a&gt; &lt;/div&gt;  &lt;div&gt;Who should use this guide?&lt;/div&gt;  &lt;div&gt;The following  individuals should review this information about the Active Directory  database mounting 
tool:&lt;/div&gt;  &lt;ul&gt;   &lt;li&gt;Information technology (IT)       planners and analysts who are technically evaluating the product&lt;/li&gt;  &lt;/ul&gt;  &lt;ul&gt;   &lt;li&gt;Enterprise IT planners and       designers for organizations&lt;/li&gt;   &lt;li&gt;Administrators, operators,       and managers who are responsible for IT operations, including recovery of       deleted Active Directory data&lt;/li&gt;  &lt;/ul&gt;  &lt;div&gt; &lt;/div&gt;  &lt;div&gt;Scenarios for using the Active Directory database  mounting tool&lt;/div&gt;  &lt;div&gt;This section  describes common scenarios in which you can use the Active Directory  database mounting tool.&lt;/div&gt;  &lt;div&gt;Simplifying the forest recovery process&lt;/div&gt;  &lt;div&gt;For organizations  that have domain controllers running Windows Server 2003, the forest  recovery process requires a determination of which backup is best to use for  recovery. In general, you must consider whether to restore a recent backup of  your data or an older backup that you believe may be safer. Choosing a more  recent backup recovers more useful data, but it might increase the risk of  reintroducing dangerous data into the restored forest. &lt;/div&gt;  &lt;div&gt;To determine which  backup is best, you must restore it to a domain controller to view its  contents. Each restore operation requires that you restart the domain  controller in Directory Services Restore Mode (DSRM). &lt;/div&gt;  &lt;div&gt;For some  organizations, the loss of productivity caused by the time required for such  restore operations is great. These organizations often must keep detailed logs  about the Active Directory health state on a daily basis so that, in case  of a failure throughout the forest, the approximate time of failure can be  identified.&lt;/div&gt;  &lt;div&gt;In a forest  recovery scenario, the ability to precisely determine which backup contains  the best data to recover can drastically reduce downtime. 
&lt;/div&gt;  &lt;div&gt;Auditing modified and deleted objects&lt;/div&gt;  &lt;div&gt;Dsamain.exe helps  you examine any changes that are made to Active Directory data. For  example, if an object is accidentally modified, you can use this tool to  examine the changes and to help you better decide how to correct them if  necessary.&lt;/div&gt;  &lt;div&gt;By scheduling a  task to regularly create snapshots of the AD DS database, you can keep  detailed records of AD DS data as it changes over time. You can create  AD DS snapshots without devoting as much time and storage space as  Windows Server Backup requires for critical-volume backups. &lt;/div&gt;  &lt;div&gt;Requirements for using the Active Directory database  mounting tool&lt;/div&gt;  &lt;div&gt;You do not need any  additional software to use the Active Directory database mounting tool.  All the tools that are required to use this feature are built into Windows  Server 2008 and are available if you have the AD DS or the  AD LDS server role installed. These tools include the following:&lt;/div&gt;  &lt;ul&gt;   &lt;li&gt;A new ntdsutil       snapshot       operation that you can use to create, list, mount, and unmount snapshots       of AD DS or AD LDS data&lt;/li&gt;  &lt;/ul&gt;  &lt;ul&gt;   &lt;li&gt;Dsamain.exe, which you can       use to expose the snapshot data as an LDAP server&lt;/li&gt;   &lt;li&gt;Existing LDAP tools, such as       Ldp.exe and Active Directory Users and Computers&lt;/li&gt;  &lt;/ul&gt;  &lt;div&gt; &lt;/div&gt;  &lt;div&gt;By default, only  members of the Domain Admins group and the Enterprise Admins group are allowed  to view the snapshots because they contain sensitive AD DS data. If you  want to access snapshot data from an old domain or forest that has been  deleted, you can allow nonadministrators to access the data when you run  Dsamain.exe. &lt;/div&gt;  &lt;div&gt;All permissions  that apply to the data in the snapshot are enforced when you view the data.  
For example, suppose that members of the Domain Admins groups are explicitly  denied Read permission for an object in AD DS. If you supply credentials  for a member of that group when you try to view the snapshot data for that  object, access is denied. &lt;/div&gt;  &lt;div&gt;Moreover, you  cannot change the existing permission to grant Read access in the snapshot  that you are viewing because the Active Directory data is read-only. Any add,  modify, or delete operations will fail. &lt;/div&gt;  &lt;div&gt;However, a  malicious user might be able to copy sensitive data that might be stored in  AD DS snapshots to another forest and then use privileged credentials  from that forest to examine the data. Therefore, you should protect them in a  manner that is similar to how you protect domain controller backups. Use  encryption or other data security precautions with AD DS snapshots to  help mitigate the chance of unauthorized access to them. &lt;/div&gt;  &lt;div&gt;Steps for using the Active Directory database  mounting tool&lt;/div&gt;  &lt;div&gt;You are not  required to use the ntdsutil snapshot operation  to create the snapshots. You can use any backup of an AD DS or  AD LDS database that uses VSS, including non-Microsoft backup solutions.  The database must be in a consistent state; that is, the logs must be  replayed. If you use Ntdsutil.exe or Windows Server Backup on a server  running Windows Server 2008, the resulting snapshot or backup will be  consistent.&lt;/div&gt;  &lt;div&gt;  &lt;table valign="top"&gt;   &lt;tbody&gt;&lt;tr&gt;    &lt;td&gt;    &lt;div&gt;&amp;nbsp;&lt;BR&gt;&lt;/div&gt;    &lt;div&gt;Note &lt;/div&gt;    &lt;/td&gt;   &lt;/tr&gt;   &lt;tr&gt;    &lt;td&gt;    &lt;div&gt;A domain    controller backup contains more data than an AD DS snapshot because it    also includes files that are needed to restore the operating system. 
&lt;/div&gt;    &lt;/td&gt;   &lt;/tr&gt;  &lt;/tbody&gt;&lt;/table&gt;  &lt;/div&gt;  &lt;div&gt;You can either use Ntdsutil.exe to mount the snapshot or use Windows Server Backup to restore the backup to an alternative location or to another computer. Then, you can use a tool such as Ldp.exe to view the data. &lt;/div&gt;  &lt;div&gt;You can use the following process to use the Active Directory database mounting tool:&lt;/div&gt;  &lt;ol&gt;   &lt;li&gt;Although it is not a requirement, you can schedule a task that regularly runs Ntdsutil.exe to take snapshots of the volume that contains the AD DS or AD LDS database. &lt;/li&gt;   &lt;li&gt;Run Ntdsutil.exe to list the snapshots that are available and then mount the snapshot that you want to view.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Run Dsamain.exe to expose the snapshot volume as an LDAP server. &lt;br&gt;             &lt;br&gt;             Dsamain.exe takes the following arguments:&lt;/li&gt;   &lt;ul&gt;    &lt;li&gt;AD DS or AD LDS database (Ntds.dit) full file path. By default this file is opened as read-only. Only ASCII paths are supported. Network share paths are not supported.&lt;/li&gt;   &lt;/ul&gt;   &lt;ul&gt;    &lt;li&gt;Log path. This can be a temporary path, but you must have write access. This parameter is optional. If you do not specify the log path, logs and a temporary database are created in the Temp folder.&lt;/li&gt;    &lt;li&gt;Four port numbers for LDAP, LDAP-SSL, Global Catalog, and Global Catalog-SSL. Only the LDAP port is required. If the other ports are not specified, they will use LDAP+1, LDAP+2, and LDAP+3, respectively. For example, if you specify LDAP port 41389 without specifying other port values, the LDAP-SSL port will use port 41390 by default, and so on. 
&lt;br&gt;               &lt;br&gt;               You can stop Dsamain by pressing CTRL+C in the Command Prompt        window or, if you are running the command remotely, by setting the stopservice attribute on the rootDSE        object. &lt;/li&gt;   &lt;/ul&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Run and attach       Ldp.exe to the snapshot's LDAP port that you specified when you exposed       the snapshot as an LDAP server in the previous step. &lt;br&gt;             &lt;br&gt;             You can also try using the Active Directory Users and       Computers snap-in that is installed by default on a Windows       Server 2008 domain controller, as described in the procedure later       in this guide. &lt;/li&gt;   &lt;li&gt;Browse the snapshot just as       you would with any live domain controller.&lt;/li&gt;  &lt;/ol&gt;  &lt;div&gt; &lt;/div&gt;  &lt;div&gt;If you specify  different ports for each snapshot when you run Dsamain.exe, you can browse  multiple snapshot instances on the same domain controller (or on the same  workstation if you are browsing a restored backup) at the same time and easily  compare their data. &lt;/div&gt;  &lt;div&gt;If you have some  idea which organizational unit (OU) or objects were deleted, you can look up  the deleted objects in the snapshots and record the attributes and back-links  that belonged to the deleted objects. You can reanimate these objects by using  the tombstone reanimation feature on a domain controller in your production  environment. Then, you must manually repopulate these objects with the  stripped attributes and back-links as identified in the snapshots. 
For more information about tombstone reanimation, see Reanimating Active Directory Tombstone Objects (&lt;a href="http://go.microsoft.com/fwlink/?LinkID=116204" mce_href="http://go.microsoft.com/fwlink/?LinkID=116204"&gt;http://go.microsoft.com/fwlink/?LinkID=116204&lt;/a&gt;).&lt;/div&gt;  &lt;div&gt;Although you must manually re-create the stripped attributes and back-links, the Active Directory database mounting tool makes it possible for you to re-create deleted objects and their back-links without rebooting the domain controller into Directory Services Restore Mode. You can also use the tool to look up previous configurations of AD DS, including permissions that were in effect.&lt;/div&gt;  &lt;div&gt;Step 1: Create, mount, and list snapshots&lt;/div&gt;  &lt;div&gt;To create a snapshot, you must be a member of the Enterprise Admins group or the Domain Admins group, or you must have been delegated the appropriate permissions. Review details about using the appropriate accounts and group memberships at &lt;a href="http://go.microsoft.com/fwlink/?LinkId=83477" mce_href="http://go.microsoft.com/fwlink/?LinkId=83477"&gt;Local and Domain Default Groups&lt;/a&gt; (&lt;a href="http://go.microsoft.com/fwlink/?LinkId=83477" mce_href="http://go.microsoft.com/fwlink/?LinkId=83477"&gt;http://go.microsoft.com/fwlink/?LinkId=83477&lt;/a&gt;).&lt;/div&gt;  &lt;div&gt;To create an AD DS or AD LDS snapshot&lt;/div&gt;  &lt;ol&gt;   &lt;li&gt;Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.&lt;/li&gt;   &lt;li&gt;Click Start, right-click Command Prompt, and then click Run as administrator.&lt;/li&gt;   &lt;li&gt;If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 
&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;At the elevated command prompt, type the following command, and then press ENTER:&lt;br&gt;             ntdsutil &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;At the ntdsutil prompt, type the following command, and then press ENTER:&lt;br&gt;             snapshot &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;At the snapshot prompt, type the following command, and then press ENTER:&lt;br&gt;             activate instance ntds &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;At the snapshot prompt, type the following command, and then press ENTER:&lt;br&gt;             create &lt;br&gt;             The command returns the following output:&lt;br&gt;             Snapshot set {GUID} generated successfully.&lt;br&gt;             Where GUID is the globally unique identifier (GUID) for the snapshot.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;At the snapshot prompt, type the following command, and then press ENTER:&lt;br&gt;             mount { GUID } &lt;/li&gt;  &lt;/ol&gt;  &lt;div&gt; &lt;/div&gt;  &lt;div&gt;[Screenshot: an ntdsutil session on the domain controller running snapshot, activate instance ntds, create ("Snapshot set {GUID} generated successfully."), list all (numbered snapshot sets with their dates and volume GUIDs) and mount {GUID}, ending with "Snapshot {GUID} mounted as C:\$SNAP_201102011222_VOLUMEC$\"]&lt;/div&gt;  &lt;ol&gt;   &lt;li&gt;As an option, to see a list of all mounted snapshots, you can type the following command, and then press ENTER:&lt;br&gt;             list mounted &lt;br&gt;             The output lists each mounted snapshot and a corresponding index number. You can use the index number instead of the GUID to subsequently mount, unmount, or delete the snapshot.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;To unmount the snapshot after you have finished viewing the data, type either of the following commands, and then press ENTER:&lt;br&gt;             unmount index # &lt;br&gt;             -or-&lt;br&gt;             unmount { GUID } &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Delete old snapshots that you are no longer using because they consume disk space. To delete a snapshot, type either of the following commands, and then press ENTER:&lt;br&gt;             delete index # &lt;br&gt;             -or-&lt;br&gt;             delete { GUID } &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;After you are done with snapshot operations, type quit to return to the ntdsutil menu, and then type quit again to return to the command prompt. &lt;/li&gt;  &lt;/ol&gt;  &lt;div&gt;After you create and mount a snapshot, you can run Dsamain.exe to expose the AD DS or AD LDS data in the snapshot as an LDAP server. &lt;/div&gt;  &lt;div&gt;Step 2 (Optional): Schedule a task that creates AD DS snapshots&lt;/div&gt;  &lt;div&gt;You have the option to schedule a task that runs Ntdsutil.exe regularly to create snapshots.&lt;/div&gt;  &lt;div&gt;To schedule a task to create AD DS or AD LDS snapshots, you must be a member of the Enterprise Admins group or the Domain Admins group. 
Review details about using the appropriate accounts and group memberships at &lt;a href="http://go.microsoft.com/fwlink/?LinkId=83477" mce_href="http://go.microsoft.com/fwlink/?LinkId=83477"&gt;Local and Domain Default Groups&lt;/a&gt; (&lt;a href="http://go.microsoft.com/fwlink/?LinkId=83477" mce_href="http://go.microsoft.com/fwlink/?LinkId=83477"&gt;http://go.microsoft.com/fwlink/?LinkId=83477&lt;/a&gt;).&lt;/div&gt;  &lt;div&gt;To schedule a task to create AD DS or AD LDS snapshots&lt;/div&gt;  &lt;ol&gt;   &lt;li&gt;Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Click Start, click Administrative Tools, and then click Task Scheduler.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Click Action, and then click Create task.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;On the General tab, type a name for your task, and then select the appropriate security options to run the task.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;On the Triggers tab, click New.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;In New Trigger, select the appropriate settings for the task, and then click OK.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;On the Action tab, click New.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;In New Action, type the name or browse to the file path that contains Ntdsutil.exe and in Add arguments (optional), type the following command, and then press ENTER:&lt;br&gt;             ntdsutil "activate instance ntds" snapshot create quit quit       &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;On the Conditions tab and the Settings tab, select any additional settings that you want to 
apply to the task, and then click OK. &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;If you are prompted, enter the password for a member of the Enterprise Admins group or the Domain Admins group, and then click OK.&lt;/li&gt;  &lt;/ol&gt;  &lt;div&gt;Step 3: Expose an AD DS or AD LDS snapshot as an LDAP server&lt;/div&gt;  &lt;div&gt;By default, you must be a member of the Enterprise Admins group or the Domain Admins group to run Dsamain.exe and to access the Active Directory data that it exposes. If the snapshot is taken from a domain that no longer exists, you can specify the /allowNonAdminAccess parameter. Review details about using the appropriate accounts and group memberships at &lt;a href="http://go.microsoft.com/fwlink/?LinkId=83477" mce_href="http://go.microsoft.com/fwlink/?LinkId=83477"&gt;Local and Domain Default Groups&lt;/a&gt; (&lt;a href="http://go.microsoft.com/fwlink/?LinkId=83477" mce_href="http://go.microsoft.com/fwlink/?LinkId=83477"&gt;http://go.microsoft.com/fwlink/?LinkId=83477&lt;/a&gt;).&lt;/div&gt;  &lt;div&gt;To expose an AD DS or AD LDS snapshot as an LDAP server&lt;/div&gt;  &lt;ol&gt;   &lt;li&gt;Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.&lt;/li&gt;   &lt;li&gt;Click Start, right-click Command Prompt, and then click Run as administrator.&lt;/li&gt;   &lt;li&gt;If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. &lt;/li&gt;   &lt;li&gt;At the elevated command prompt, type the following command, and then press ENTER. 
Be sure to include a space between the name of the parameter and the value that you specify.&lt;br&gt;             dsamain /dbpath &lt;path_to_database_file&gt; /ldapport &lt;port_#&gt;       &lt;br&gt;             If you plan to view the snapshot data on a domain controller, specify ports that are different from the ports that the domain controller will use. For example, type:&lt;br&gt;             dsamain /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit /ldapport 51389&lt;br&gt;             A message indicates that Active Directory Domain Services startup is complete. &lt;/li&gt;  &lt;/ol&gt;  &lt;div&gt;[Screenshot: an elevated command prompt running dsamain /dbpath C:\$SNAP_201102011222_VOLUMEC$\Windows\NTDS\ntds.dit /ldapport 51389, logging "EVENTLOG (Informational): NTDS General / Service Control : 1000" and "Microsoft Active Directory Domain Services startup complete. version 6.0.6002.18244"]&lt;/div&gt;  &lt;div&gt;Allow Dsamain.exe to continue running in the command prompt window while you use an LDAP tool such as Ldp.exe or Active Directory Users and Computers to view the AD DS or AD LDS data in the snapshot.&lt;/div&gt;  &lt;div&gt;Step 4: Access Active Directory data that is stored in snapshots&lt;/div&gt;  &lt;div&gt;To use Ldp.exe or Active Directory Users and Computers to access the AD DS or AD LDS data, you must be a member of the Enterprise Admins group or the Domain Admins group, or you must have been delegated permission. 
Review details about using the appropriate accounts and group memberships at &lt;a href="http://go.microsoft.com/fwlink/?LinkId=83477" mce_href="http://go.microsoft.com/fwlink/?LinkId=83477"&gt;Local and Domain Default Groups&lt;/a&gt; (&lt;a href="http://go.microsoft.com/fwlink/?LinkId=83477" mce_href="http://go.microsoft.com/fwlink/?LinkId=83477"&gt;http://go.microsoft.com/fwlink/?LinkId=83477&lt;/a&gt;).&lt;/div&gt;  &lt;div&gt;To use Ldp.exe to access AD DS or AD LDS data that is stored in snapshots&lt;/div&gt;  &lt;ol&gt;   &lt;li&gt;Click Start, click Run, type ldp, and then click OK.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Click Connection, and then click Connect.&lt;/li&gt;   &lt;li&gt;In Server, type the name of the server, or type localhost and, in Port, type a port number that you specified previously with dsamain. For example, type 51389. Click OK.&lt;/li&gt;   &lt;li&gt;Click Connection, and then click Bind.&lt;/li&gt;   &lt;li&gt;In Bind type, click Bind as currently logged on user or click Bind with credentials and type a name, password, and domain for a user account that has permission to access the Active Directory data. Click OK.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Click View, and then click Tree.&lt;/li&gt;   &lt;li&gt;In BaseDN, type the distinguished name of the parent container for the data that you want to view, and then click OK. 
For example, to view all objects in the Contoso domain,       type:&lt;br&gt;             dc=contoso,dc=com &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Double-click the       appropriate containers for the object that you want to view, and then       double-click that object to view its properties.&lt;/li&gt;  &lt;/ol&gt;  &lt;div&gt;To use Active Directory Users and Computers to access  Active Directory data that is stored in snapshots&lt;/div&gt;  &lt;ol&gt;   &lt;li&gt;Click Start, click Administrative       Tools, and then       click Active Directory Users and Computers.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;If the User       Account Control       dialog box appears, confirm that the action it displays is what you want,       and then click Continue. &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;In the console       tree, right-click Active Directory Users and       Computers [FQDN], and then click Change Domain Controller.&lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Click &lt;Type a       Domain Controller name or an IP Address here&gt;, type the       following, and then press ENTER:&lt;br&gt;             hostname:port&lt;br&gt;             where       hostname is the name of the server where the snapshots are       stored and port is the LDAP port number that you specified previously       with dsamain.       
For example, type the following, and then click OK:&lt;br&gt;             DC1:51389 &lt;/li&gt;  &lt;/ol&gt;  &lt;ol&gt;   &lt;li&gt;Double-click the appropriate containers for the object that you want to view, and then double-click that object to view its properties.&lt;/li&gt;  &lt;/ol&gt;  &lt;div&gt; &lt;/div&gt;  &lt;div&gt;Pasted from &lt;&lt;a href="http://technet.microsoft.com/en-us/library/cc753609%28WS.10%29.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc753609%28WS.10%29.aspx"&gt;http://technet.microsoft.com/en-us/library/cc753609%28WS.10%29.aspx&lt;/a&gt;&gt;  &lt;/div&gt;  &lt;div&gt; &lt;/div&gt;  &lt;div&gt;&gt; &lt;/div&gt; &lt;/ul&gt; &lt;div&gt; &lt;/div&gt; &lt;ul&gt;  &lt;div&gt; &lt;/div&gt;  &lt;div&gt;Troubleshooting&lt;/div&gt;  &lt;ul&gt;   &lt;li&gt;NTDS LDAP / LDAP Interface 1238 "Active Directory Domain Services was unable to initialize network connections for incoming LDAP requests" &lt;/li&gt;  &lt;/ul&gt;  &lt;ul&gt;   &lt;li&gt;Error value 10013 An attempt was made to access a socket in a way forbidden by its access permissions&lt;/li&gt;  &lt;/ul&gt;  &lt;div&gt;This may happen if the DNS service is installed on the computer on which you are loading the snapshot. If it does, restarting the computer should resolve the issue. See the discussion in Microsoft KB article 959215 for additional technical details. 
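The create / mount / dsamain / unmount sequence from Steps 1 and 3 above, scripted as an added example that is not part of the TechNet article. It assumes an elevated PowerShell on a Windows Server 2008 domain controller run as a Domain or Enterprise Admin, that ntds.dit sits on the first volume the snapshot set mounts, and that ntdsutil accepts the snapshot set GUID for mount, unmount and delete; the port check in front of dsamain is this example's addition, not something the article describes.

```powershell
# Added example, not from the TechNet article: scripts steps 1 and 3 of the
# procedure above (create, mount, expose, tear down) and checks the port range
# before dsamain binds. Assumptions: elevated PowerShell on a Windows Server 2008
# DC as Domain/Enterprise Admin; ntds.dit sits on the first volume the snapshot
# set mounts; ntdsutil accepts the snapshot *set* GUID for mount/unmount/delete
# (the article's "mount { GUID }").

function New-AdSnapshot {
    # "create" prints: Snapshot set {GUID} generated successfully.
    $out = ntdsutil.exe "activate instance ntds" snapshot create quit quit | Out-String
    if ($out -match 'Snapshot set (\{[0-9a-fA-F-]+\}) generated successfully') {
        return $Matches[1]
    }
    throw "ntdsutil did not report a snapshot set GUID:`n$out"
}

function Mount-AdSnapshot([string]$SetGuid) {
    # "mount {GUID}" prints, per volume: Snapshot {GUID} mounted as C:\$SNAP_yyyymmddhhmm_VOLUMEC$\
    $out = ntdsutil.exe snapshot "mount $SetGuid" quit quit | Out-String
    if ($out -match 'mounted as (\S+)') { return $Matches[1] }
    throw "mount failed:`n$out"
}

function Get-BusyDsamainPorts([int]$LdapPort) {
    # With only /ldapport given, dsamain also binds LDAP+1 (LDAP-SSL), +2 (GC) and
    # +3 (GC-SSL). If any of the four is taken the listeners cannot initialize
    # (compare the NTDS LDAP 1238 event under Troubleshooting), so check all four.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $inUse = $props.GetActiveTcpListeners() | ForEach-Object { $_.Port }
    return @($LdapPort..($LdapPort + 3) | Where-Object { $inUse -contains $_ })
}

function Start-AdSnapshotLdap([string]$MountPath, [int]$LdapPort = 51389) {
    $busy = @(Get-BusyDsamainPorts $LdapPort)
    if ($busy.Count -gt 0) { throw "ports already listening: $($busy -join ', ')" }

    # Same relative path as the live database, but under the snapshot's mount point.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $liveDit = (Get-ItemProperty $ntds).'DSA Database file'   # e.g. C:\Windows\NTDS\ntds.dit
    $dit = Join-Path $MountPath $liveDit.Substring(3)          # strip the "C:\" prefix
    if (-not (Test-Path -LiteralPath $dit)) { throw "no ntds.dit at $dit" }

    # No /allowNonAdminAccess: keep the default (Domain/Enterprise Admins only). The
    # snapshot is a full copy of the directory, so it deserves DC-backup handling.
    return Start-Process -FilePath dsamain.exe -PassThru `
        -ArgumentList "/dbpath `"$dit`" /ldapport $LdapPort"
}

function Stop-AdSnapshotLdap($Process, [string]$SetGuid, [switch]$Delete) {
    if ($Process -and -not $Process.HasExited) { Stop-Process -Id $Process.Id }
    ntdsutil.exe snapshot "unmount $SetGuid" quit quit | Out-Null
    # Old snapshots consume disk space and keep sensitive data around; delete when done.
    if ($Delete) { ntdsutil.exe snapshot "delete $SetGuid" quit quit | Out-Null }
}

# Usage:
# $set  = New-AdSnapshot
# $root = Mount-AdSnapshot $set
# $proc = Start-AdSnapshotLdap $root 51389   # now browse localhost:51389 with Ldp.exe
# Stop-AdSnapshotLdap $proc $set -Delete
```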
&lt;/div&gt;  &lt;div&gt; &lt;/div&gt;  &lt;div&gt;Pasted  from &lt;&lt;a href="http://technet.microsoft.com/en-us/library/cc772168%28WS.10%29.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc772168%28WS.10%29.aspx"&gt;http://technet.microsoft.com/en-us/library/cc772168(WS.10).aspx&lt;/a&gt;&lt;/div&gt; &lt;/ul&gt;&lt;br&gt;&lt;/p&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage002_3eb9e.png" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage003_8e6cb.png" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_ee1eb.gif" alt="" /&gt;&lt;img src="http://images.quickblogcast.com/4/3/8/7/2/237755-227834/clipimage001_891a1.gif" alt="" /&gt;</content></entry><entry><title>Exchange 2010 Calendar Sharing</title><link rel="alternate" href="http://blog.meigh.eu/2011/01/25/exchange-2010-calendar-sharing.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-01-25:48060388-76db-4a73-a285-d78f4a399f6e</id><author><name>Madferret</name></author><category term="Exchange 2010" /><updated>2011-01-25T12:09:09Z</updated><published>2011-01-25T12:09:09Z</published><content type="html">&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt; &lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;a title="Managing iCal Calendar Sharing with  SP1 [Updated]" href="http://www.stevieg.org/2010/06/calendar-sharing-improvements-coming-in-exchange-2010-sp1/" mce_href="http://www.stevieg.org/2010/06/calendar-sharing-improvements-coming-in-exchange-2010-sp1/" rel="bookmark"&gt;Managing iCal Calendar Sharing with  SP1 [Updated]&lt;/a&gt;&lt;/b&gt;&lt;p&gt;One of the new &lt;a href="http://www.stevieg.org/2010/06/exchange-2010-sp1-public-beta-available-to-download/" mce_href="http://www.stevieg.org/2010/06/exchange-2010-sp1-public-beta-available-to-download/" target="_blank"&gt;features available in  SP1&lt;/a&gt;  that I'm excited about (and already making use of) is the ability to  share calendars from 
Exchange either in iCalendar or HTML format.&lt;/div&gt;&lt;div&gt;So - why is this useful? Doesn't  already have improved Calendar sharing with the new federated sharing features available from RTM? Well, yes it does. And this new feature doesn't replace federated sharing, however if you want to share calendars &lt;em&gt;now&lt;/em&gt; is that the world doesn't run . Some organisations will move to it over the next year or two; but let's face facts - some enterprises out there may move to Google Apps, Zimbra or something else, so Federated Sharing isn't going to be an option. While a workaround might be to create partner mailboxes or use third party software, it would be nice to have a solution that "just works" and enables the business to collaborate with partners easily without worrying too much about what technology each other uses. Only with open standards can this happen and with SP1 that's now a reality.&lt;/div&gt;&lt;div&gt;The ability to publish calendars with anonymous viewers (and that's an important point, which I'll come back to) means that should the admin enable it, the user can now go in via OWA, select the calendar they wish to share and choose to publish it. They then receive a set of URLs that they can share via email. The recipient then can simply refer to the calendar via a web browser, or by using any iCalendar compliant software or web app they can subscribe to the shared Calendar.&lt;/div&gt;&lt;div&gt;Getting back to the anonymous part, there are two options. The end user can publish a calendar with a "public" URL that is searchable. The other option is a "restricted" URL with an obfuscated URL. Additionally, the user can restrict what will be shown for each calendar they choose to publish. On top of this, the admin can restrict via sharing policies the maximum amount of information users can publish, and sharing policies can be tied to a certain set of users.  
So there is some risk in enabling the facility, but by default no  user's calendars are shared, and there are a number of controls  available to user and admin to pull the feature in line with the  business and individual user's requirements.&lt;/div&gt;&lt;div&gt;Now you know a little  more about the new feature, let's take a look at how it comes together  from a user perspective, and how it's configured by the admin.&lt;/div&gt;&lt;b&gt;The User Experience&lt;/b&gt;&lt;div&gt;If  a feature is going to work well it has to be easy for a user to find  and configure.  SP1 doesn't disappoint as the feature is  listed in both OWA and Outlook in the same place as other calendar  sharing options.&lt;/div&gt;&lt;div&gt;For an OWA user, they select the calendar they  want to share, then choose "Share", and the option is listed as "Publish  This Calendar..."&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;If they're using Outlook 2010 (&lt;em&gt;beta &lt;/em&gt;), the user right clicks the calendar they want to share, chooses "Share" and again, it's listed as "Publish This Calendar..."&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;After  clicking "Publish This Calendar..." via OWA or Outlook, the options can  be chosen including the detail to show, the date range and the type of  access:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;After clicking "Start Publishing", the links are generated:&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.stevieg.org/wp-content/uploads/image11.png" mce_href="http://www.stevieg.org/wp-content/uploads/image11.png"&gt;&lt;img&gt;&lt;BR&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;The  user can now either copy the links from this page, or via "Share"  choose "Send Links to This Calendar..." 
which opens a new email with the two URLs attached.&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.stevieg.org/wp-content/uploads/image12.png" mce_href="http://www.stevieg.org/wp-content/uploads/image12.png"&gt;&lt;img&gt;&lt;BR&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Opening the calendar by the recipient is easy enough. For our first example, let's have a look at Exchange's primary competitor, Google Apps. To add the shared calendar to Google Calendar, the end user chooses "Add" then "Add by URL".&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;They pop in the iCalendar URL, and it shows up in the recipient's Google Calendar. You'll see below I'm subscribing to two  SP1 calendars - my personal one and my team's:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;(In my case - this is one aspect I personally like about the feature. Although I don't use Google Calendar I &lt;em&gt;do&lt;/em&gt; use iGoogle and it allows me to see my Exchange calendars on my homepage via the Google Calendar widget.)&lt;/div&gt;&lt;div&gt;Next up it's Zimbra. Add a new Calendar, choose Synchronise appointments from remote calendar, then pop in the Exchange iCalendar URL:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;Again, the Calendars show perfectly:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;Finally let's not forget Outlook users; from Outlook 2007 onwards iCalendar subscriptions are supported. 
I've quickly tried this in Outlook 2010  beta - simple right click in the calendar list, choose "Add Calendar"  and then select "From Internet..."&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.stevieg.org/wp-content/uploads/image17.png" mce_href="http://www.stevieg.org/wp-content/uploads/image17.png"&gt;&lt;img&gt;&lt;BR&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;As above, after popping the iCalendar URLs in the subscriptions are created in the local Outlook client.&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;And, finally let's not forget HTML sharing, which does exactly what you'd expect:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;b&gt;The Admin Experience&lt;/b&gt;&lt;div&gt;Now  you've seen the user experience let's take a look at what needs to be  done to get it up and running in your SP1 environment. To get it all  enabled we need to do the following:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Set an ExternalURL for your organisation's Client Access Server&lt;/li&gt; &lt;li&gt;Enable Calendar Publishing on the OWA Virtual Directory&lt;/li&gt; &lt;li&gt;Create or modify the sharing policy to allow anonymous sharing&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Setup  of the ExternalURL is pretty standard stuff so I won't cover it here.  Moving on to the Calendar Publishing OWA virtual directory feature,  let's look at what it's made up of.&lt;/div&gt;&lt;div&gt;The Calendar Publishing works via a new virtual directory - "calendar". This lives &lt;em&gt;beneath&lt;/em&gt;  the "owa" virtual directory as "/owa/calendar" and has anonymous, http  access enabled (watch out ISA/TMG users). It's enabled by default but  should it need re-enabling it's pretty straightforward using Powershell.  Here's a quick example:&lt;/div&gt;&lt;div&gt;Set-OWAVirtualDirectory "owa (Default Web Site)" -CalendarPublishingEnabled:$true&lt;/div&gt;&lt;div&gt;Next  up, a sharing policy needs to be configured to allow anonymous access.  You can do this via EMS or via the EMC. 
The EMS example below changes  the Default Sharing Policy to only allow anonymous access with maximum  access level of Calendar Sharing with Free/Busy plus Subject, Location  and Body.&lt;/div&gt;&lt;div&gt;Set-SharingPolicy -Identity "Default Sharing Policy" -Domains "Anonymous:CalendarSharingFreeBusyReviewer"&lt;/div&gt;&lt;div&gt;Via  the EMC is also pretty straightforward and particularly suitable when  you need to create multiple policies or modify existing ones. Here's a  quick run through of how to create a new policy via EMC that only  applies to certain users:&lt;/div&gt;&lt;div&gt;Open EMC and navigate to the Organizational Configuration node, then to Mailbox and select the Sharing Policies tab:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;First,  examine the sharing policies already present. In the above screenshot,  I've got a single sharing policy which is disabled. As we're adding a  new policy right-click in the white space or click "New Sharing Policy..."  on the actions pane. Give the policy a name and add a new "domain"  called "Anonymous" and select an appropriate maximum level of access:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;After  you've added the "domain" anonymous to the policy, make sure it's  enabled, then press Next. On the next page you'll be presented with the  opportunity to add mailboxes now. You can of course add these later  either via the EMC or via EMS:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;Press  Next, then after confirming the details, press New. After completion  you'll see a warning that lets you know calendar publishing is enabled  for this policy:&lt;/div&gt;&lt;div&gt;&lt;img&gt;&lt;BR&gt;&lt;/div&gt;&lt;div&gt;Press  Finish and we're all done. 
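Because anonymous publishing is the part that carries risk, here is an added example (not from the post) that audits how far it is opened up, using the Exchange 2010 SP1 cmdlets the post names. It is meant for the Exchange Management Shell and assumes that each entry of a policy's Domains renders as a "domain:action" string such as "Anonymous:CalendarSharingFreeBusyReviewer", and that a mailbox with no explicit SharingPolicy falls under the policy flagged as Default.

```powershell
# Added example, not from the post: audit of anonymous calendar publishing.
# Run in the Exchange Management Shell (Exchange 2010 SP1). Assumptions: each
# Domains entry renders as "domain:action"; a mailbox whose SharingPolicy is empty
# falls under the policy whose Default flag is set.

function Get-AnonymousCalendarSharing {
    # Publishing is only reachable when the OWA vdir has it enabled and an ExternalUrl exists.
    $vdirs = Get-OwaVirtualDirectory |
        Select-Object Server, Identity, CalendarPublishingEnabled, ExternalUrl

    $mailboxes = Get-Mailbox -ResultSize Unlimited
    $policies = foreach ($policy in Get-SharingPolicy) {
        # Only the "Anonymous" domain permits publishing to the world.
        $anon = @($policy.Domains | ForEach-Object { "$_" } | Where-Object { $_ -like 'Anonymous:*' })
        if ($anon.Count -eq 0) { continue }

        # Mailboxes this policy applies to: explicitly assigned, or unassigned and this is the default.
        $bound = @($mailboxes | Where-Object {
            if ($_.SharingPolicy) { $_.SharingPolicy.DistinguishedName -eq $policy.DistinguishedName }
            else { $policy.Default }
        })

        New-Object PSObject -Property @{
            Policy         = $policy.Name
            Enabled        = $policy.Enabled
            IsDefault      = $policy.Default
            AnonymousLevel = ($anon | ForEach-Object { $_.Split(':')[1] }) -join ', '
            MailboxCount   = $bound.Count
        }
    }

    New-Object PSObject -Property @{
        OwaVirtualDirectories = @($vdirs)
        AnonymousPolicies     = @($policies)
    }
}

# Usage:
# $r = Get-AnonymousCalendarSharing
# $r.OwaVirtualDirectories | Format-Table -AutoSize
# $r.AnonymousPolicies     | Format-Table Policy, Enabled, IsDefault, AnonymousLevel, MailboxCount
#
# To tighten a policy, use the post's cmdlet with a lower level, e.g. free/busy only:
#   Set-SharingPolicy -Identity "Default Sharing Policy" -Domains "Anonymous:CalendarSharingFreeBusySimple"
```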
You should now be able to log in to the specific mailbox and, following the first part of the article, share the Calendar.&lt;/div&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;div&gt;We've had a look at what the new feature brings both from an end-user experience and to an administrator. As we can see it's great for sharing calendars in an environment where open standards are important or where partners use different products. I'd like to see full WebDAV compatibility so a Linux user can plug straight in and go, but this is a great start as far as sharing is concerned.&lt;/div&gt;&lt;div&gt;Getting back to new shared calendar features in SP1 - I'm hoping more can be revealed over the next few weeks as there's still a bit more in store! &lt;img title="" src="http://www.stevieg.org/wp-includes/images/smilies/icon_smile.gif" mce_src="http://www.stevieg.org/wp-includes/images/smilies/icon_smile.gif" alt=":-)"&gt;&lt;BR&gt; And of course, you'll be able to get your hands on this yourself early June.&lt;/div&gt;&lt;div&gt;A final thought - bear in mind all the features and steps described here are not necessarily final so don't be surprised if things change over the next few months.&lt;/div&gt;&lt;br&gt;&lt;/p&gt;</content></entry><entry><title>Exchange 2010 Migration TIPS</title><link rel="alternate" href="http://blog.meigh.eu/2011/01/14/exchange-2010-migration-tips.aspx?ref=rss" /><id>tag:blog.meigh.eu,2011-01-14:36e1681a-e809-4b85-a577-e91af599012e</id><author><name>Madferret</name></author><category term="Exchange 2010 Migration" /><updated>2011-01-14T08:12:06Z</updated><published>2011-01-14T08:12:06Z</published><content type="html">&lt;div&gt; &lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;/div&gt;&lt;div&gt;Since Exchange 2010 is similar if not almost identical to Exchange 2007 in terms of server roles (CAS, Hub Transport, Mailbox, Edge), if you implemented Exchange 2007 in a manner that suits the needs of your organization, 
then your transition to Exchange 2010 will be pretty straightforward. Effectively, you would add Exchange 2010 server roles to mirror the Exchange 2007 server roles you have today (i.e., if you have 2 CAS/2007 servers today, you'd likely build up 2 CAS/2010 servers in the Exchange 2010 environment, etc).&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;The sequence for a migration from Exchange 2007 to Exchange 2010 is as follows:&lt;/div&gt;&lt;ol&gt;&lt;li&gt;&lt;div&gt;Upgrade all Exchange Servers to Exchange Server 2007 Service Pack 2.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Bring the AD forest and domains to Windows Server 2003 Functional (or higher) levels.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Upgrade at least one Global Catalog domain controller in each AD Site that will house Exchange Server to Windows Server 2003 SP2 or greater.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Prepare a Windows Server 2008 (RTM or R2) x64 edition server for the first Exchange 2010 server.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Install the AD LDIFDE tools on the new Exchange 2010 server (to upgrade the schema).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Install any necessary prerequisites (WWW for CAS server role).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Run setup on the Exchange 2010 server, upgrade the schema, and prepare the forest and domains. (Setup runs all in one step or separately at the command line.)&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Install CAS server role servers and configure per 2010 design. 
Validate functionality.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Transfer OWA, ActiveSync, and Outlook Anywhere traffic to new CAS servers.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Install Hub Transport role and configure per 2010 design.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Transfer inbound and outbound mail traffic to the 2010 HT servers.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Install Mailbox servers and configure Databases (DAG if needed).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Create public folder replicas on Exchange 2010 servers using AddReplicaToPFRecursive.ps1 or the Exchange 2010 Public Folder tool.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Move mailboxes to Exchange 2010 using the Move Mailbox Wizard or PowerShell.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Rehome the Offline Address Book (OAB) generation server to Exchange Server 2010.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Transfer all Public Folder Replicas to Exchange Server 2010 Public folder store(s).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Delete Public and Private Information Stores from Exchange 2007 server(s).&lt;/div&gt;&lt;/li&gt;&lt;li&gt;&lt;div&gt;Uninstall all Exchange 2007 servers.&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;One of the areas of change that you'll make with your transition to Exchange 2010 that is different from your Exchange 2007 implementation is the high availability and disaster recovery functions of your Mailbox server role. Because the concepts of Single Copy Clusters, Cluster Continuous Replication (CCR), and Standby Continuous Replication (SCR) no longer exist in Exchange 2010, you'll be transitioning your mailboxes off of Exchange 2007, which has these functions, to Exchange 2010, which uses Database Availability Groups (DAGs). Of course, if you are just migrating to a single Exchange 2010 Mailbox server with no high availability or disaster recovery, then you will just have mailbox databases that you'll be moving your mailboxes to. 
However, for organizations implementing high availability and disaster recovery, the DAGs provide replication of mail (of up to 16 copies) from server to server. When you set up your Exchange 2010 Mailbox servers to prepare them for the transition of mailboxes, set up your DAG replication, test your failover and failback of Exchange 2010 Mailbox servers, and then move your mailboxes to the DAG(s).&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Another area of change between Exchange 2007 and Exchange 2010 is that ALL client connections go through the CAS server(s). This is unlike Exchange 2007 and prior, where OWA connections went through the CAS server but Outlook (2003/2007) connections actually communicated directly over MAPI with the backend Mailbox servers. With Exchange 2010, client systems no longer communicate directly with the backend Mailbox servers. Instead, the client MAPI connections hit the CAS server(s), which then communicate with the Mailbox servers on the backend. So just like in the shift to Hub Transport servers in Exchange 2007, where all mail routes through the Hub Transport servers (incoming mail, outgoing mail, user to user mail between servers, and even user to user mail between users on the same server), with Exchange 2010 all clients go through the CAS server(s). As such, the CAS servers take on more of a performance load and need to be beefed up a little. Our recommendation for CAS to Mailbox in Exchange 2007 was 1 CAS server for every 2 Mailbox servers. For Exchange 2010, our recommendation is now 3 CAS servers for every 4 Mailbox servers. 
Most  organizations have at least 2 CAS servers in their environment for  redundancy, and because you can virtualize the CAS role plus have 2000,  3000, even 5000 mailboxes on a single Mailbox server, we typically find  this 3:4 CAS:MBX ratio hasn't been a showstopper for organizations in  terms of a design change.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Also  important to note is that all 2007 server roles (CAS, Hub Transport,  Mailbox) in Exchange 2007 need to remain until all users are migrated to  Exchange 2010.  Exchange 2010 CAS, Hub Transport, and Mailbox servers  are not backwards compatible with Exchange 2007, so in order for a user  to access Outlook Web Access on Exchange 2007, they need to still hit  the Exchange 2007 CAS servers to access their mailbox on the Exchange  2007 Mailbox server.  After their mailbox is migrated to Exchange 2010,  then the user will hit the Exchange 2010 CAS server and access their  mailbox on the Exchange 2010 Mailbox server.  Because Exchange 2010 has a  proxy service on the CAS server, your external URL for OWA can point to  the Exchange 2010 CAS server and if the user's mailbox is still on  Exchange 2007, the CAS/2010 server will automatically redirect the  client connection to the CAS/2007 server for OWA.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Lastly,  after moving mailboxes off of Exchange 2007 to Exchange 2010, leave the  Exchange 2007 infrastructure in place for a couple (2) weeks.  By  leaving the old Exchange 2007 server(s) in place, when an Outlook client  tries to connect to the old Exchange 2007 server for its mail, the old  Exchange 2007 server will notify the Outlook client software that the  user's mail has been moved to the Exchange 2010 server and will  automatically update the user's Outlook profile with the new destination  server information.  Thereafter, when the Outlook client is launched,  Outlook will access the user's mailbox on the new Exchange 2010 server.   
By leaving the old Exchange 2007 infrastructure in place for a couple of weeks, pretty much all of your users will launch Outlook and have their profile automatically changed, thus requiring no client system intervention during the migration process. The only users whose Outlook profile you will likely need to reset manually are users who are on extended leave and had not accessed their Outlook mail during the 2 week period that you had the Exchange 2007 environment still in place.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;Hopefully these steps help provide guidance for your migration from Exchange 2007 to Exchange 2010. I cover the migration process in much more detail (including specific steps and step by step processes for cutting over CAS, Hub Transport, and Mailbox server roles) in my book "Exchange 2010 Unleashed" from Sams Publishing. The book was written from 2 years of early adopter experience working with Exchange 2010 and will hopefully provide more detailed guidance on the migration process from Exchange 2007 to Exchange 2010.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;br&gt;&lt;/div&gt;</content></entry><entry><title>total number of messages send and received with amount of data</title><link rel="alternate" href="http://blog.meigh.eu/2010/12/03/total-number-of-messages-send-and-received-with-amount-of-data.aspx?ref=rss" /><id>tag:blog.meigh.eu,2010-12-03:b8377a6f-b041-49e9-9447-03c6864205d1</id><author><name>Madferret</name></author><category term="Exchange Powershell 2007" /><updated>2010-12-03T11:54:34Z</updated><published>2010-12-03T11:54:34Z</published><content type="html">&lt;div&gt;Script to show the total number of messages sent and received, with the amount of data, for each Hub Transport server over the last day&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;# Load the Exchange 2007 management snap-in (not needed when run from the Exchange Management Shell)&lt;/div&gt; &lt;div&gt;Add-PSSnapin Microsoft.Exchange.Management.Powershell.Admin&lt;/div&gt; 
&lt;div&gt;[string]::Join(',',("Server,Sent,Received,TotalRecieved,TotalSent")) &gt; "c:\totalsr.csv"&lt;/div&gt; &lt;div&gt;# Get the start date for the tracking log search&lt;/div&gt; &lt;div&gt;$Start = (Get-Date).AddDays(-1)&lt;/div&gt; &lt;div&gt;# Get the end date for the tracking log search&lt;/div&gt; &lt;div&gt;$End = Get-Date&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;# Query every Hub Transport server, since each one keeps its own message tracking log&lt;/div&gt; &lt;div&gt;$servers = Get-ExchangeServer | ?{$_.IsHubTransportServer -eq $true}&lt;/div&gt; &lt;div&gt;foreach ($server in $servers)&lt;/div&gt; &lt;div&gt;{&lt;/div&gt; &lt;div&gt;# Get the SEND events from the message tracking log and sum their sizes&lt;/div&gt; &lt;div&gt;$Sent = Get-MessageTrackingLog -Server $server.Name -EventID SEND -Start $Start -End $End -ResultSize unlimited&lt;/div&gt; &lt;div&gt;$SendData = $Sent | Measure-Object -Property TotalBytes -Sum&lt;/div&gt; &lt;div&gt;$TotalSent = "{0:N2}" -f ($SendData.Sum / 1MB) + "MB"&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;# Get the RECEIVE events from the message tracking log and sum their sizes&lt;/div&gt; &lt;div&gt;$Received = Get-MessageTrackingLog -Server $server.Name -EventID RECEIVE -Start $Start -End $End -ResultSize unlimited&lt;/div&gt; &lt;div&gt;$ReceivedData = $Received | Measure-Object -Property TotalBytes -Sum&lt;/div&gt; &lt;div&gt;$TotalRecieved = "{0:N2}" -f ($ReceivedData.Sum / 1MB) + "MB"&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;# Count the events; @() makes .Count work even when a single event (or none) comes back&lt;/div&gt; &lt;div&gt;$NoSent = @($Sent).Count&lt;/div&gt; &lt;div&gt;$NoReceived = @($Received).Count&lt;/div&gt; &lt;div&gt; &lt;/div&gt; &lt;div&gt;# Write one CSV row per server to the console and append it to the file&lt;/div&gt; &lt;div&gt;$Results2 = [string]::Join(',',($server.Name,$NoSent,$NoReceived,$TotalRecieved,$TotalSent))&lt;/div&gt; &lt;div&gt;$Results2&lt;/div&gt; &lt;div&gt;$Results2 &gt;&gt; "c:\totalsr.csv"&lt;/div&gt; &lt;div&gt;}&lt;/div&gt;&lt;br&gt;&lt;/div&gt;</content></entry><entry><title>mailbox last logon times</title><link rel="alternate" href="http://blog.meigh.eu/2010/12/03/mailbox-last-logon-times.aspx?ref=rss" /><id>tag:blog.meigh.eu,2010-12-03:c24bdc28-efdd-41c1-91b5-50372ea126b7</id><author><name>Madferret</name></author><category term="Exchange Powershell 2007" /><updated>2010-12-03T11:43:49Z</updated><published>2010-12-03T11:43:49Z</published><content type="html">&lt;div&gt;Script to list mailbox last logon times&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;# List user mailboxes (excluding those whose display name starts with CAS_) sorted by last logon time; -notlike is safe for display names shorter than 4 characters&lt;/div&gt; &lt;div&gt;$mail = Get-Mailbox -ResultSize Unlimited | ?{$_.RecipientTypeDetails -eq "UserMailbox" -and $_.DisplayName -notlike "CAS_*"} | Get-MailboxStatistics | Select-Object DisplayName,LastLogonTime | Sort-Object LastLogonTime&lt;/div&gt; &lt;div&gt;# Print one "DisplayName,LastLogonTime" line per mailbox, then export the same list to CSV&lt;/div&gt; &lt;div&gt;foreach ($m in $mail) { [string]::Join(',',($m.DisplayName,$m.LastLogonTime)) }&lt;/div&gt; &lt;div&gt;$mail | Export-Csv c:\mm.csv -NoTypeInformation&lt;/div&gt;&lt;br&gt;&lt;/div&gt;</content></entry><entry><title>Machine Passwords</title><link rel="alternate" href="http://blog.meigh.eu/2010/12/03/machine-passwords.aspx?ref=rss" /><id>tag:blog.meigh.eu,2010-12-03:ac498de7-f994-42a5-9611-0ffed9057f76</id><author><name>Madferret</name></author><category term="Active Directory 2008" /><updated>2010-12-03T10:42:44Z</updated><published>2010-12-03T10:42:44Z</published><content type="html">&lt;div&gt;&lt;div&gt;Every so often I am asked to help analyze weird issues when assigning group memberships or permissions - accounts are not found and the Event Log shows unsettling messages. Many of these situations can be traced back to the operating system using a different machine account password than the domain is aware of.&lt;/div&gt;&lt;b&gt;Yes, Machine Accounts Have Passwords!&lt;/b&gt;&lt;div&gt;Just like user accounts, a machine object in Active Directory has a password to identify the machine and to protect the machine account. This password can expire as well and needs to be changed regularly. Usually this happens automatically between the domain member and a domain controller without any intervention by the user. But sometimes a machine forgets its password - sort of ...&lt;/div&gt;&lt;b&gt;How Can a Machine Forget its Password?&lt;/b&gt;&lt;div&gt;Don't worry! 
The machine account password is not lost by some freak occurrence - but it is a common problem in virtual environments. Whenever a snapshot is restored, a virtual machine is prone to this issue.&lt;/div&gt;&lt;div&gt;By default, a machine account password is changed every 30 days. When a virtual machine has been in use for more than 30 days and is then reset to an earlier state, the snapshot contains an outdated password, causing the machine to lose its connection to the domain.&lt;/div&gt;&lt;div&gt;In the past, image-based backup and restore has caused the same problem, as the machine account password is stored in the image - but it happens less often. The process of creating an image of a system is very time-consuming - as is the restore process. Therefore, the issue occurred very seldom.&lt;/div&gt;&lt;div&gt;With the rise of operating system streaming (like Citrix Provisioning Server), the machine account password needs to be managed by the product, as reboots effectively reset a machine to a state predefined by a shared disk image. For example, Provisioning Server stores machine account passwords in the configuration database and updates that information whenever an automatic change occurs. 
Unfortunately, this process is prone to failure when the database is offline, although a snapshot is maintained by Provisioning Server (see &lt;a href="http://support.citrix.com/article/CTX124792" target="_blank"&gt;Administrator's Guide&lt;/a&gt;, chapter 15, "Offline Database Support").&lt;/div&gt;&lt;b&gt;How to Resolve the Issue&lt;/b&gt;&lt;div&gt;The issue is very quickly resolved by re-joining the machine to the domain.&lt;/div&gt;&lt;b&gt;Configuring the Password Expiry&lt;/b&gt;&lt;div&gt;Contrary to the user account password policy, the machine account password is managed by two options:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;The change interval specifies the time between forced changes of the machine account password.&lt;/li&gt; &lt;li&gt;The expiry defines whether the machine account password expires at all.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Both options are configured through group policies under the following node:&lt;/div&gt;&lt;div&gt;Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; Security Options&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Domain member: Disable machine account password changes&lt;/li&gt; &lt;li&gt;Domain member: Maximum machine account password age&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Neither option is configured by default.&lt;/div&gt;&lt;b&gt;Best Practices in Virtual Environments&lt;/b&gt;&lt;div&gt;In virtualized environments, machine account password changes should be disabled. 
By preventing machines from changing this password automatically, domain synchronization issues are effectively remedied.&lt;/div&gt;&lt;br&gt;&lt;/div&gt;</content></entry><entry><title>Powershell Total Emails Send Received</title><link rel="alternate" href="http://blog.meigh.eu/2010/11/29/powershell-total-emails-send-received.aspx?ref=rss" /><id>tag:blog.meigh.eu,2010-11-29:0b8d92f4-dfeb-4d03-b2b6-993854693014</id><author><name>Madferret</name></author><category term="Powershell Exchange 2007" /><updated>2010-11-29T11:49:50Z</updated><published>2010-11-29T11:49:50Z</published><content type="html">&lt;div&gt;Script to query all Hub Transport Servers for the total of sent and received emails over the last 7 days, along with the sum of data sent and received&lt;/div&gt;&lt;div&gt;&lt;br&gt;&lt;/div&gt;&lt;div&gt;# The snap-in is already loaded when run from the Exchange Management Shell; uncomment for a plain PowerShell session&lt;br&gt;#Add-PSSnapin Microsoft.Exchange.Management.Powershell.Admin&lt;br&gt;&lt;br&gt;# Header row; the columns match the per-server rows written below&lt;br&gt;[string]::Join(',',("Server,Sent,Received,TotalRecieved,TotalSent"))&lt;br&gt;# Get the start date for the tracking log search (the commented-out variant starts at midnight 4 days ago)&lt;br&gt;#$Start = (Get-Date -Hour 00 -Minute 00 -Second 00).AddDays(-4)&lt;br&gt;$Start = (Get-Date).AddDays(-7)&lt;br&gt;# Get the end date for the tracking log search&lt;br&gt;$End = Get-Date&lt;br&gt;&lt;br&gt;# Query every Hub Transport server, since each one keeps its own message tracking log&lt;br&gt;$servers = Get-ExchangeServer | ?{$_.IsHubTransportServer -eq $true}&lt;br&gt;foreach ($server in $servers)&lt;br&gt;{&lt;br&gt;# Get the SEND events from the message tracking log and sum their sizes&lt;br&gt;$Sent = Get-MessageTrackingLog -Server $server.Name -EventID SEND -Start $Start -End $End -ResultSize unlimited&lt;br&gt;$SendData = $Sent | Measure-Object -Property TotalBytes -Sum&lt;br&gt;$TotalSent = "{0:N2}" -f ($SendData.Sum / 1MB) + " MB Sent"&lt;br&gt;&lt;br&gt;# Get the RECEIVE events from the message tracking log and sum their sizes&lt;br&gt;$Received = Get-MessageTrackingLog -Server $server.Name -EventID RECEIVE -Start $Start -End $End -ResultSize unlimited&lt;br&gt;$ReceivedData = $Received | Measure-Object -Property TotalBytes -Sum&lt;br&gt;$TotalRecieved = "{0:N2}" -f ($ReceivedData.Sum / 1MB) + " MB Received"&lt;br&gt;&lt;br&gt;# Count the events; @() makes .Count work even when a single event (or none) comes back&lt;br&gt;$NoSent = @($Sent).Count&lt;br&gt;$NoReceived = @($Received).Count&lt;br&gt;&lt;br&gt;# Output one CSV row per server&lt;br&gt;$Results2 = [string]::Join(',',($server.Name,$NoSent,$NoReceived,$TotalRecieved,$TotalSent))&lt;br&gt;$Results2&lt;br&gt;&lt;br&gt;}&lt;br&gt; &lt;br&gt;&lt;/div&gt;</content></entry></feed>
