Archive for Recovered From Archive

Restore Mailbox after Mailbox Clean has removed Disconnected Mailbox

We have recently had an issue where we needed to bring back a mailbox and export it to .PST after the Exchange mailbox cleanup agent deleted the disconnected mailbox.

First we had to bring the files back from tape.  We used CommVault, and did a Restore to Non-Exchange Location <Out of Place, No Recover> – The database will be restored to the specified location and the logs will not be replayed.

We now have the files restored on a different drive than the original mailbox database was on. All we need to do now is create a new Recovery Database and point it to the files that were restored.

Once the files are there, you will need to bring them into a state that allows you to mount them.  There are a couple of ways to do this.  Instead of giving the details here, you can go to this BLOG for details:

In this case, I was getting a JET error: Operation terminated with error -1216 (JET_errAttachedDatabaseMismatch, An outstanding database attachment has been detected at the start or end of recovery, but database is missing or does not match attachment info) after 16.661 seconds.

Because I am only worried about creating a .PST file of an old mailbox, and do not wish to restore any other data, I did the Hard Recovery.  If I were restoring this database to be moved back into production, I would troubleshoot the error first.  I am only using the hard recovery option because this database is not going back into a production environment, and the loss of the log files is an acceptable risk.  NOTE: This process could take a long time.  The mailbox database I ran the command on was 103 GB in size, and it took 2395.255 seconds to run the command.

Once you can run the eseutil -mh on the database and have it return a Clean Shutdown state, then you are ready to create your recovery database, mount it, and then export the mailbox you are looking for.

To create the mailbox database, you need to use the new-mailboxdatabase command with the -Recovery switch.  Here is the command I used, because the .edb file and log files were restored to the s:\restore\ location.

new-mailboxdatabase -Recovery -Name RDB1 -Server prexmb01 -EdbFilePath s:\restore\ex10-ms03.edb -LogFolderPath s:\restore\logfiles

You will also need to create a recovery mailbox; it cannot be in the recovery database.  I have a TempDB database that I use for things like this and legal discovery if needed.  I just created a recovery mailbox for that user.  It will be needed in the next step when you use the new-mailboxrestorerequest command.

You can find more details by going to Microsoft’s site.  The commands I used are below.

First, you need to get the MailboxGuid.  I used the following command.

Get-MailboxStatistics -Database RDB1 | Where { $_.DisplayName -eq "USERNAME" } | Format-List LegacyDN, DisplayName, MailboxGUID, DisconnectReason

You need the following info from the display:

MailboxGuid      : f5b9e238-1095-4a96-be24-1ab89e939506

Then you can use the new-mailboxrestorerequest to get the email from the recovery database and import it into the temp database.

New-MailboxRestoreRequest -SourceDatabase "RDB1" -SourceStoreMailbox f5b9e238-1095-4a96-be24-1ab89e939506 -TargetMailbox recovermailbox -AllowLegacyDNMismatch

Notice that I added -AllowLegacyDNMismatch so that the mailbox you are restoring to does not need to have the same LegacyExchangeDN or X500 proxy address as the mailbox you are recovering.

You can check on the progress of the restore by using the Get-mailboxrestorerequest command.   It should go from a status of Queued, to InProgress, and then to Completed.

At this point, you can then use the new-mailboxexportrequest to create a .PST file.  You can find more details on this command in a previous blog post that I did.

To export the mailbox, you then use the new-mailboxexportrequest command.  I used the following command:

New-MailboxExportRequest -Mailbox USERNAME -FilePath '\\mkiefferex\exld$\USERNAME_10-30-2010_1505.pst' -MRSServer prexchu01

You can check on the status of the export request by using the get-mailboxexportrequest.  The status should change from Queued to InProgress then to Completed.

Once it has completed, you can then copy the .PST to a file share, CD or DVD to give to the user that requested the mailbox restore.  NOTE:  I LEARNED THIS THE HARD WAY.  If you try to copy the file and it says the file is still in use, DO NOT terminate or close the connection that is accessing the file.  If you go and look at open files on the computer the .PST file was copied to, you will see the file is open by the client access computer's admin user.  If you close the connection, it WILL damage the .PST file and you will not be able to use it.

Clean-Up – Don’t leave stuff that is unneeded in your Exchange Org.

When you are done, make sure you do the following.

  1. Delete the Recovery Mailbox Database.
  2. Delete the files that were used for the restore and the Recovery Mailbox Database.
  3. Delete the user you recovered the email to.
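
The clean-up steps above as Exchange Management Shell commands. This is an added example, not part of the original post; RDB1, recovermailbox and s:\restore are the names used earlier, and each removal cmdlet is left to prompt for confirmation.

```powershell
# Added example: clean-up once the PST has been handed over.
# Names (RDB1, recovermailbox, s:\restore) are the ones used earlier in the post.
$rdb        = 'RDB1'
$tempMbx    = 'recovermailbox'
$restoreDir = 's:\restore'

# Refuse to clean up while any restore or export request is not Completed,
# otherwise the data being copied disappears underneath the request.
$pending = @(Get-MailboxRestoreRequest | Where-Object { $_.Status -ne 'Completed' }) +
           @(Get-MailboxExportRequest  | Where-Object { $_.Status -ne 'Completed' })
if ($pending.Count -gt 0) {
    $pending | Format-Table Name, Status -AutoSize
    throw 'Requests are still pending or failed; review them before cleaning up.'
}

# Completed requests stay in the organization until they are removed.
Get-MailboxRestoreRequest -Status Completed | Remove-MailboxRestoreRequest
Get-MailboxExportRequest  -Status Completed | Remove-MailboxExportRequest

# 1. Dismount and delete the recovery database object.
Dismount-Database -Identity $rdb
Remove-MailboxDatabase -Identity $rdb

# 2. Removing the database object leaves the .edb and log files on disk,
#    and they still contain every mailbox from the restored database.
Remove-Item -Path $restoreDir -Recurse -Force

# 3. Delete the temporary mailbox, and its AD user, that received the restored mail.
Remove-Mailbox -Identity $tempMbx -Permanent $true
```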

Exchange 2013 – Reduction in Server Roles

In Exchange 2007, when you installed Exchange, you had to specify what server roles you wanted to put on the server. This allowed you to move specific roles to separate hardware and spread the load over several servers. Those roles included: Mailbox, Hub Transport, Client Access and Unified Messaging.

Changes in Exchange 2013. Now, Exchange only has two roles. It has the Mailbox and the Client Access roles only. They have taken all the roles besides the client access role and have moved them back to the Mailbox Role.

The Mailbox server includes all the traditional server components found in Exchange 2010: the Client Access protocols, Hub Transport service, Mailbox databases, and Unified Messaging. The Mailbox server handles all activity for a given mailbox. The Client Access server provides authentication, redirection, and proxy services. The Client Access server itself doesn’t do any data rendering. The Client Access server is a thin and stateless server. There is never anything queued or stored on the Client Access server. The Client Access server offers all the usual client access protocols: HTTP, POP and IMAP, and SMTP. [SOURCE]

This creates a couple of gotchas that need to be addressed.  First, direct RPC connections to Exchange are no longer supported; you have to use RPC over HTTPS.  Second, Outlook 2003 is no longer supported with Exchange 2013; all clients must run a newer version of Outlook.

Mailbox Database White Space

Exchange uses its own database engine, and as such there are times that whitespace or space that has been freed by deleted mailboxes, emails, and other clean up functions, builds up.   Exchange by default does not compress its database, or remove the whitespace.  The whitespace is eventually used by new data, so the mailbox database size does not grow until it has to because it has used the whitespace.  There are a lot of times that I have found that I wanted to know which databases have the most whitespace so I know where to create new users to avoid expanding databases.

You can use the following command to display the free space in each of the databases.  PowerShell will give you this data in a field called AvailableNewMailboxSpace.

Get-MailboxDatabase -Status | Sort-Object DatabaseSize -Descending | Format-Table Name, DatabaseSize, AvailableNewMailboxSpace

The -Status switch gets details usually not returned by the Get-MailboxDatabase command and then we only display the Name, DatabaseSize, and AvailableNewMailboxSpace.

Clone distribution group attributes

I was asked to create a distribution group, and then add all of the moderation settings, and message accept settings for the group.   I wanted to find an easy way to do this without having to use the GUI and add every single member, moderator, etc.

To do this, you create the distribution list the same way you would create one if you did not want to copy the values.  Once that distribution list has been created, you can do a few tricks to copy the values from the old DL to the new DL.

To start, you need to load the old DL into a powershell variable.  You can do this by typing in the following command.

$olddl = get-distributiongroup olddl

This assigns the attributes for the distribution group olddl to the variable $olddl.  You can just type $olddl in the powershell window and it will return the same results as the get-distributiongroup command would.

Now comes the trick.  Let's say there are a couple of attributes you want to copy from the olddl to the newdl.  For this example, let's say I want to copy ModeratedBy, BypassModerationFromSendersOrMembers, and AcceptMessagesOnlyFromSendersOrMembers.   You can type in the following command to do that.

set-distributiongroup newdl -ModeratedBy $olddl.ModeratedBy -ByPassModerationFromSendersOrMembers $olddl.ByPassModerationFromSendersOrMembers -AcceptmessagesOnlyFromSendersOrMembers $olddl.AcceptMessagesOnlyFromSendersOrMembers

If you then get-distributiongroup newdl | fl, you will notice that the newdl now has the same values, in those three attributes, as the olddl.

You can do this with almost any of the attributes in the olddl.  This makes it really easy to clone a distribution list.

Forward to DL fails

This one is not that big of a deal, and is a DUH on my part, but it may be something someone else runs into so I am going to post it.

Scenario: User has a shared mailbox (SB1) that he wants to receive email, and then forward it to his Personal mailbox (PM1) and an external user (EU1).

Solution: You need to set up a contact for EU1 that points to the user's external email address. Set up a distribution group that contains the contact for EU1 as well as PM1. Then go into the mailbox settings and set it up so that delivery of email to SB1 is forwarded to the distribution group. That will make it so that if someone sends an email to SB1, it will go to SB1, PM1, and EU1.

Problem: But here is the problem. The forward worked correctly for internal emails, but did not work for external emails.   I had no idea that the little checkbox on the Distribution list that requires authentication works for forwards as well.  So if you want email from an outside address to forward correctly, you have to take off the check box for “Require that all senders are authenticated” on the distribution group's Message Delivery Restrictions settings.

To verify that this is the issue, you will want to check the message tracking logs and see if you can find one that shows the failure.  Then look for a “Recipient Status of 550 5.7.1 RESOLVER.REST.AuthRequired; authentication required”

To do this, I used the following command.

get-transportserver | get-messagetrackinglog -messagesubject "PUT SUBJECT HERE" -start 8/2/2012 -EventID Fail | FL | more

I always put a get-transportserver before any message tracking log commands.  We have several HUB servers, and this command will then search the tracking logs for ALL of the HUB servers.

Note:  To make sure you don’t confuse the heck out of your end users, you will want to make the DL you created for the forward, as well as the Contact for the external user, hidden from the address book.

I hope that is now clear as mud.  Comment if you have questions, or suggestions on how to do this.  I don’t like using rules in the actual mailbox because they are harder to maintain than the ability to use the EMC and powershell.
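
The diagnosis and fix described above, done from the Exchange Management Shell instead of the EMC. This is an added example, not from the original post; 'SB1-Forward' (the forwarding DL) and 'EU1' (the mail contact) are hypothetical names, and the last step lists every group that accepts unauthenticated senders so the exception stays deliberate.

```powershell
# Added example. 'SB1-Forward' and 'EU1' are hypothetical names standing in
# for the forwarding DL and the external contact described in the post.
$dl      = 'SB1-Forward'
$contact = 'EU1'

# 1. Confirm the cause: Fail events from the last day whose recipient status
#    reports AuthRequired, searched across every Hub Transport server.
Get-TransportServer |
    Get-MessageTrackingLog -EventId Fail -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
    Where-Object { ($_.RecipientStatus -join ' ') -like '*AuthRequired*' } |
    Format-Table Timestamp, Sender, Recipients, RecipientStatus -AutoSize

# 2. Clear "Require that all senders are authenticated" on the forwarding DL.
Set-DistributionGroup -Identity $dl -RequireSenderAuthenticationEnabled $false

# 3. Hide the DL and the contact from the address book.
Set-DistributionGroup -Identity $dl -HiddenFromAddressListsEnabled $true
Set-MailContact -Identity $contact -HiddenFromAddressListsEnabled $true

# 4. Audit: groups with the check box cleared accept mail from external
#    senders, so review this list and keep it short.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Format-Table Name, PrimarySmtpAddress, HiddenFromAddressListsEnabled -AutoSize
```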

new-mailboxexportrequest fails – TimeoutErrorTransientException

Sometimes when you do a new-mailboxexportrequest you receive the following error:
The call to 'net.tcp://prexchu01/Microsoft.Exchange.MailboxReplicationService PREXCHU01.******** ( caps:0 7)' timed out.

Error details: This request operation sent to net.tcp://prexchu01/Microsoft.Exchange.MailboxReplicationService
did not receive a reply within the configured timeout (00:01:00). The time allotted to this operation may have been a portion of a longer timeout. This may be because the service is still processing the operation or because the service was unable to send a reply message. Please consider increasing the operation timeout (by casting the channel/proxy to IContextChannel and setting the OperationTimeout property) and ensure that the service is able to connect to the client.

+ CategoryInfo : NotSpecified: (0:Int32) [New-MailboxExportRequest], TimeoutErrorTransientException

+ FullyQualifiedErrorId : C857038,Microsoft.Exchange.Management.RecipientTasks.NewMailboxExportRequest

I have found that it is because the CAS server is located behind a hardware load balancer. We are using a BIGIP load balancer for all our CAS/HUB functions. If you do a get-mailboxdatabase on the database of the mailbox you are trying to move, you will probably see that the RpcClientAccessServer is set to point to the VIP of the CAS pool instead of the actual CAS server.

I have found two ways to fix this. The first (not recommended) is to do a set-mailboxdatabase and set the RpcClientAccessServer to the UNC for the CAS server you are going to use for the export request. Make sure you change it back afterwards.

The second way, and the way I recommend, is to modify the HOSTS record on the CAS server so that the UNC found in the RpcClientAccessServer points to the IP address of that CAS server. This is a suggestion that Microsoft gives on their site (KB2675690).

Also, make sure that you have setup the file share you are creating the PST file on correctly by following instructions found on the new-mailboxexportrequest instructions.

The FilePath parameter specifies the network share path of the .pst file to which data is exported, for example, \\SERVER01\PST Files\exported.pst.

You need to grant read/write permission to the group Exchange Trusted Subsystem to the network share where you’ll export or import mailboxes. If you don’t grant this permission, you’ll receive an error message stating that Exchange is unable to establish a connection to the target mailbox.

Also, make sure you use the -MRSServer switch so that it is using the CAS server that you modified the Hosts file on.

Then make sure you remove or comment out the entry in the HOSTS file after the new-mailboxexportrequest finishes.
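
One way to make sure the temporary HOSTS entry is always removed, even if the export fails. This is an added example, not from the original post or from Microsoft's KB; $vipName and $casIp are placeholders for the RpcClientAccessServer name and the CAS server's own IP address, and it must run elevated on the CAS server given to -MRSServer.

```powershell
# Added example: temporary HOSTS override with guaranteed removal.
$vipName = 'cas-array.example.local'   # placeholder: value of RpcClientAccessServer
$casIp   = '192.0.2.10'                # placeholder: IP address of this CAS server
$hosts   = "$env:SystemRoot\System32\drivers\etc\hosts"
$marker  = '# temp-pst-export'         # tag used to find our line again
$reqName = 'USERNAME-export'           # hypothetical request name

Add-Content -Path $hosts -Value "$casIp`t$vipName`t$marker"
try {
    New-MailboxExportRequest -Name $reqName -Mailbox USERNAME `
        -FilePath '\\mkiefferex\exld$\USERNAME_10-30-2010_1505.pst' -MRSServer prexchu01

    # Wait until the request leaves Queued/InProgress (Completed, Failed, ...).
    do {
        Start-Sleep -Seconds 30
        $req = Get-MailboxExportRequest -Name $reqName
    } while ($req.Status -eq 'Queued' -or $req.Status -eq 'InProgress')

    $req | Format-List Name, Status
}
finally {
    # Runs on success, failure or Ctrl+C: drop only the line we added.
    $kept = Get-Content -Path $hosts | Where-Object { $_ -notlike "*$marker*" }
    Set-Content -Path $hosts -Value $kept
}
```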

Mailbox Permissions

We have a lot of shared mailboxes, that is, mailboxes that are set up as -Type Shared. Basically it is a mailbox whose AD account has been disabled, which people access with their own username and password. One of my tasks as an Exchange Admin is to give people rights to, and remove people's rights from, these mailboxes. To help me with this process, I have created a permissions.ps1 script that I use. The syntax is .\permissions.ps1 shared_mailbox_name user_name

param($mailboxname,$user)
$mailbox = get-mailbox $mailboxname

#Give user full mailbox rights
Add-MailboxPermission -Identity $mailbox -User $user -AccessRights 'FullAccess'

#Give user send-as rights to mailbox (DistinguishedName is unique; DisplayName may not be)
Add-ADPermission -Identity $mailbox.DistinguishedName -User $user -ExtendedRights 'Send-as'

NOTE: If you give a person Full Mailbox rights to a mailbox, if they are running Outlook 2010, then it will automatically add that new mailbox as a mailbox to their Outlook. If you are using SP2 of Exchange 2010, you can add a parameter to the add-mailboxpermission cmdlet that will block this from happening. You can add the -AutoMapping $false to the command.

The Automapping parameter specifies whether to ignore the auto-mapping feature in Outlook. If a user is granted Full Access permissions to another user’s mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. This parameter accepts $true or $false values. For more information about auto-mapping, [Source]

You can find more details here.

I also sometimes use the following script to remove permissions from the shared mailbox.


param($mailboxname,$user)
$mailbox = get-mailbox $mailboxname

#Remove user's full mailbox rights
Remove-MailboxPermission -Identity $mailbox -User $user -AccessRights 'FullAccess'

#Remove user's send-as rights from mailbox
Remove-ADPermission -Identity $mailbox.DistinguishedName -User $user -ExtendedRights 'Send-as'
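
To verify a grant or removal made with the two scripts above, this report lists who currently holds explicit FullAccess and Send-As on a shared mailbox. It is an added example, not one of the author's scripts, and takes the mailbox name as its only parameter.

```powershell
# Added example: report explicit FullAccess and Send-As holders on a mailbox.
param($mailboxname)
$mailbox = Get-Mailbox $mailboxname

# FullAccess entries set directly on the mailbox
# (inherited ACEs, deny ACEs and the SELF entry are skipped).
$full = Get-MailboxPermission -Identity $mailbox.DistinguishedName |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   $_.User -notlike 'NT AUTHORITY\SELF' -and
                   $_.AccessRights -like '*FullAccess*' } |
    Select-Object @{n='Right';e={'FullAccess'}}, @{n='User';e={$_.User.ToString()}}

# Send-As is an AD extended right on the mailbox's user object,
# which is why it is read with Get-ADPermission.
$sendAs = Get-ADPermission -Identity $mailbox.DistinguishedName |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   $_.User -notlike 'NT AUTHORITY\SELF' -and
                   $_.ExtendedRights -like '*Send-As*' } |
    Select-Object @{n='Right';e={'Send-As'}}, @{n='User';e={$_.User.ToString()}}

# One combined table: an account that appears after a removal still has access.
@($full) + @($sendAs) | Sort-Object User, Right | Format-Table -AutoSize
```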