Sunday, October 31, 2010

Exchange 2010 Remote Management using Powershell

I've been doing a lot of work recently with Exchange 2010 and Powershell and have come across this neat way of managing the Exchange Server within your network from a remote client PC without having to install the Exchange Management Tools and do it through the GUI.


You need to complete these commands from a Windows 7 client machine (or any machine that has Powershell installed) for it to work.


Firstly, you need to enable remote scripts to run on your Windows 7 machine by typing the following command from an elevated Powershell prompt:


Set-executionpolicy remotesigned

At this point, it's worth trying to input an administrative Exchange Powershell command into your client to see if it understands it. Try entering something like:

get-mailbox

Your Windows 7 client will come back with an error stating that the command is not recognised as an internal Powershell cmdlet. This is correct, as we haven't imported the Exchange 2010 session into the local client's Powershell library yet.

Once the 'set-executionpolicy remotesigned' command is completed, enter the following commands to get control of your Exchange 2010 server:

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://servername.domainname.local/PowerShell -Authentication Kerberos

(This command makes contact with the Exchange 2010 server and initiates a new Powershell session - don't forget to substitute your own servername and domainname into the line above! Note that the parameter names must use a plain hyphen; a dash character pasted from a web page will make Powershell reject the command.)

Import-PSSession $session

(This command then imports the new Powershell session into the local client library)


Now try to run the get-mailbox command again or any other Exchange 2010 Powershell command for that matter and you should now be able to work through administering your server remotely from your client pc!
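The whole procedure above, put together as one script that you can keep and re-run. This is an added example, not code from the original post: it assumes a placeholder server name of ex01.domainname.local, a domain-joined client where Kerberos works, and an account that already holds Exchange administrator rights. It imports only the two cmdlets it needs, runs one real task (largest mailboxes), and removes the remote session in a finally block so nothing is left open on the server if the script fails part way through.

```powershell
# Added example (not from the original post): remote Exchange 2010 management session.
# Assumptions: the Exchange 2010 server answers as ex01.domainname.local (placeholder),
# the client is domain-joined so -Authentication Kerberos works, and the user running
# this is an Exchange administrator.

$exchangeServer = 'ex01.domainname.local'   # placeholder - substitute your own server

# RemoteSigned is enough here: local scripts run, scripts downloaded from the
# internet still need a signature. Only change the policy if it is still Restricted.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

$session = $null
try {
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$exchangeServer/PowerShell" `
        -Authentication Kerberos

    # Import only the cmdlets this task needs rather than every Exchange cmdlet.
    # -AllowClobber silences the warning if a local command has the same name.
    Import-PSSession $session -CommandName Get-Mailbox, Get-MailboxStatistics -AllowClobber | Out-Null

    # Example task: the ten largest mailboxes on the server
    Get-Mailbox -ResultSize Unlimited |
        Get-MailboxStatistics |
        Sort-Object TotalItemSize -Descending |
        Select-Object -First 10 DisplayName, ItemCount, TotalItemSize |
        Format-Table -AutoSize
}
finally {
    # Do not leave an idle remote session behind on the Exchange server
    if ($session) { Remove-PSSession $session }
}
```

Because the connection URI is plain http, Kerberos is what protects the credentials here; if you ever change the URI to a server outside the domain, switch to https and a matching authentication method rather than leaving the traffic in the clear.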

Tuesday, October 26, 2010

DPM 2010 Monitoring Management Pack Released!

Finally the RTM version of the DPM 2010 Monitoring Management Pack has been released. There are some nice features around SLA based alerting and integration with your in-house ticketing systems.

Here's the link from Microsoft to download it:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32077d99-618f-43d0-843d-4ba4f8019f84&displaylang=en

Friday, October 22, 2010

Hyper V and SCVMM Missing Updates Script

I came across this really handy little script on Microsoft SCVMM Engineer JonJor's blog. This script is basically a reporting tool that checks all of the relevant Hyper-V, Failover Cluster, SCVMM, BITS, VDS, VSS, WMI and WinRM components for installed updates and reports back with any that are missing.

Most of these updates are generally deployed automatically using Windows Update but there are some that slip through the net and this tool will help you find them.

Make sure that you check back to the link below regularly for an updated script as the author continually makes changes and additions to it.

I've already resolved issues on two Hyper-V cluster sites just by installing the recommended updates from this report.

It's worth noting that you are best running the script from a folder on the root of the System Drive with no spaces in the name, as I had some initial syntax issues when I named the folder something like 'Hyper V Updates'. Try naming it 'missingupdates' or 'hypervupdates' to be sure it works first time.

Here's the link:

http://blogs.technet.com/b/jonjor/archive/2010/10/14/vmmupdate.aspx

Thursday, October 21, 2010

Using DPM 2010 to Restore a System State or Perform a Bare Metal Recovery for a Windows 2008 Server

Here's a step by step video from Microsoft's Shane Brasher on how to restore the system state of a Windows 2008 Server using DPM 2010.

http://www.microsoft.com/showcase/en/us/details/bb0b5339-445b-4298-8705-350f13227b93

And here's one detailing how to perform a Bare Metal Recovery of a Windows 2008 Server - the Bare Metal recovery is a new feature to DPM 2010 and will come in really handy in a non-virtualised environment or if you choose not to back up the entire VHD each day:

http://www.microsoft.com/showcase/en/us/details/bec0b1c6-d1fd-41f0-b4bc-df5791dfc68d

Always handy to know how to do this in case of emergency!

Tuesday, October 19, 2010

Windows 2008 R2 RADIUS with Cisco ASA

I came across an issue last week when a customer had retired their old Windows 2003 RADIUS server and replaced it with a new Windows 2008 R2 server. They had their Cisco ASA device integrated for Authentication of remote IPSec VPN clients to Active Directory through the RADIUS server.

When the old Windows 2003 server was removed and the new Windows 2008 R2 server went in, naturally, the RADIUS had stopped working and needed to be reconfigured.

After playing around with this problem for nearly half a day, I found that the solution wasn't too technical; it was more a matter of carrying out a step by step configuration of both sides of the authentication process (RADIUS and Cisco ASA) exactly as outlined below.

One of the main differences of the old RADIUS on the Windows 2003 Server versus the new Windows 2008 R2 server is that the Windows 2008 R2 Server uses the new Microsoft Network Policy Server to provide RADIUS and NAC (Network Access Control) to the network.

When the NPS component is deployed out of the box, it comes pre-configured with some policies that can conflict with how you want your Cisco ASA to communicate with it. These policies will need to be deleted and recreated to get the Cisco to communicate with it.

The following blog post outlines exactly the process needed to properly configure your Cisco ASA with a Windows 2008 R2 RADIUS / NPS Server:

http://fixingit.wordpress.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/

Sunday, October 10, 2010

MBSA, SCOM and SCCM Connectors for Microsoft Visio

O.K., so I suppose for some people these products are old news, but I came across them this week when creating detailed documentation for some clients and found the add-ons they provide are quite useful and informative when creating Visio Network Diagrams for clients.

Basically, these add-ons allow you to add MBSA security scan reports to your individual or collective servers and computers on any given LAN and can then change the color of your server stencil depending on the security status of the machine - e.g. Red for Critical, Yellow for Information and Green for all good!

It will also update the properties of the stencil to tag in the MBSA report and provide more detailed information too.

Here's the links to them if you're interested!

http://blogs.msdn.com/b/nickmac/archive/2008/04/14/microsoft-visio-toolbox.aspx

http://technet.microsoft.com/en-us/security/cc184925.aspx

Thursday, September 16, 2010

IE 9 Beta Released!

Click below to read about the new Internet Explorer 9 Web Browser from Microsoft. Looks nice at first glance, getting more and more integrated like Windows Explorer and some nice features such as pinned websites too!

http://blogs.technet.com/b/uktechnet/archive/2010/09/15/internet-explorer-9-beta-for-it-professionals-ie9-a-guest-post-by-simon-may.aspx

Tuesday, September 14, 2010

Enabling UAG 2010 UPN Logon

Another UAG 2010 issue that we came across!!

By default, true UPN logon (e.g. username@domain.com) is not enabled when logging onto a UAG trunk. As a result, we had a site with UAG 2010 enabled and an SSL Portal presenting OWA and Sharepoint out to the internet. We had SSO configured for AD authentication.

When we would logon to the SSL Portal with a standard username such as kevin.greene, then OWA and Sharepoint would work fine. When we attempted to logon to the portal with a UPN such as kevin.greene@domain.com, then the OWA application would work fine, but the Sharepoint app would present us with a 'Permission Not Granted' error message and would proceed no further. When we monitored the UAG Web Monitor, we found that UAG was processing the UPN logon as domain\kevin.greene@domain.com and when Sharepoint attempted to read this logon string, it didn't want to know about it!!!

We found this on Microsoft's Technet site that pointed us in the right direction to resolving the UPN logon issue:

http://technet.microsoft.com/en-us/library/ee809087.aspx

If you take a look at the section that describes the 'TranslateUPN' registry key, there are 5 steps to follow that will enable UPN logon to pass through correctly to the Sharepoint server.

Hope this saves someone else out there some time on site!!

Publishing Sharepoint 2007 with UAG 2010 SSL Portal

We have been working on a site which requires a bespoke configuration to present their internal applications such as OWA, Sharepoint, CRM and some legacy applications out onto the Internet.

The solution that we have recommended to securely publish these resources and integrate them into Active Directory authentication is to install TMG 2010 alongside UAG 2010 within a Microsoft Hyper V 2008 R2 cluster environment.

We had suggested to the customer that they could present the resources either through a single url SSL Portal - e.g. https://vpn.domainname.com/ or through individual application trunks such as - https://owa.domainname.com/ or https://sharepoint.domainname.com/

When we went about deploying the remote access, the OWA publishing worked straight away both inside the UAG SSL Portal and also as an individual trunk through https://webmail.domainname.com/

The problems all started when we tried to get the published Sharepoint resources out through UAG. Firstly, this customer had a contiguous namespace for their DNS as per the recommended configuration by Microsoft, e.g. internal was domainname.com and external was domainname.com. Secondly, they were accessing their internal Sharepoint server over port 80 (HTTP) and naturally wanted to access their external Sharepoint resource through port 443 (SSL).

When the Sharepoint was presented through the SSL Portal configuration, we would have all of the applications contained within one single window after the original Single Sign On (SSO) to Active Directory was authenticated. The url at the top of this Portal was https://vpn.domainname.com/

When we clicked on the Sharepoint application to open the site, the site would open in a new page, but would have a url of https://vpn.domainname.com/

Although most of the links worked, when documents were tested to be checked in or out, created or deleted, we came across a number of errors and quickly realised that we needed to translate the original url of the internal Sharepoint site across to the UAG SSL Portal application - https://sharepoint.domainname.com/ instead of the Portal url of https://vpn.domainname.com/

This is where the fun began! Mainly because of our lack of experience on the installation of this product, and also because of the lack of concise documentation on UAG, we had all kinds of issues trying to get this to work.

Eventually, we called in our resources from Microsoft Ireland who put me in touch with a UAG Specialist in the UK. Here are the basics of what we had to do in order to get the URL Translation working between Sharepoint and UAG 2010:

1. Changed the Web Servers tab and Portal Link tab so that https://sharepoint.domainname.com was used as the public host name for SharePoint

2. Changed the Path on the Web Servers tab to '/'

3. Used a 'fake' host header to allow SharePoint to distinguish between intranet and internet clients

4. Configured SharePoint AAM rules to generate the correct public URLs for Internet clients

It's worth noting that these steps were in addition to the original configuration that we had implemented, and they were the changes needed to get the configuration working the way we needed.

After all that, I'm now at last much clearer on configuring UAG 2010 with Sharepoint, thankfully!

Creating Graphical Reports in Exchange 2007

For those of you that ever wanted to utilise the raw data contained within the Exchange Server message logs, then here is an excerpt from an excellent article from msexchange.org explaining how to deploy a reporting solution using free Microsoft tools to create nice bar charts, data tables and even 3D pie charts!

We had a customer that had a particular need to present a report to internal management that contained the top 50 senders and receivers of email. Now this might sound like a simple enough report to generate from any anti-spam or email monitoring device, but as we found out, the reports these devices churn out are mainly based around top spam users or top blocked users. This customer wanted a report that detailed everything - spam included!

This solution will work on Exchange 2003, Exchange 2007 and also Exchange 2010 (DAG configuration not supported though).

This solution utilises the Microsoft Log Parser tool version 2.2 to query the log files and generate the reports that you need.

Once the Log Parser is installed and the additional Microsoft Office Addins (pre-requisites too), then it is all about old fashioned command line scripting (no advanced training needed though) to get the reports that you need.
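To show what the report is actually built from, here is the same "top 50 senders and recipients" query done directly in Powershell against the message tracking log format, rather than through Log Parser. This is an added example and is not from the msexchange.org article or from Microsoft. The log excerpt is constructed for the example and trimmed to the columns the report needs; the column names follow the Exchange 2007 MSGTRK layout, and because the script reads the column list from the file's own #Fields: line, the extra columns in a real log do not matter.

```powershell
# Added example (not from the article, which uses Log Parser): top senders and
# recipients computed straight from Exchange message tracking logs in Powershell.
# The log below is CONSTRUCTED sample data in the Exchange 2007 MSGTRK layout,
# reduced to the columns this report uses.

$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Message Tracking Log
#Date: 2010-10-01T00:00:00.000Z
#Fields: date-time,event-id,recipient-address,sender-address,message-subject
2010-10-01T08:00:01.000Z,RECEIVE,alice@domainname.com;bob@domainname.com,ceo@domainname.com,Budget
2010-10-01T08:05:12.000Z,RECEIVE,alice@domainname.com,newsletter@example.net,Weekly offers
2010-10-01T08:06:40.000Z,RECEIVE,bob@domainname.com,newsletter@example.net,Weekly offers
2010-10-01T08:07:03.000Z,DELIVER,bob@domainname.com,newsletter@example.net,Weekly offers
2010-10-01T09:15:00.000Z,RECEIVE,carol@domainname.com,ceo@domainname.com,Re: Budget
'@

function Import-MessageTrackingLog {
    param([string[]]$Lines)
    # Column names live in the "#Fields:" comment line, not in a normal CSV header row
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    # Everything that is not a comment line is a CSV record
    $Lines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $header
}

function Get-TopMailUsers {
    param([object[]]$Events, [int]$Top = 50)
    # Count each message once, at its RECEIVE event; DELIVER/SEND rows would double count
    $received = $Events | Where-Object { $_.'event-id' -eq 'RECEIVE' }

    $senders = $received | Group-Object 'sender-address' |
        Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object { New-Object PSObject -Property @{ Role = 'Sender'; Address = $_.Name; Messages = $_.Count } }

    # recipient-address lists every recipient of the message, separated by ';'
    $recipients = $received | ForEach-Object { $_.'recipient-address' -split ';' } |
        Group-Object | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object { New-Object PSObject -Property @{ Role = 'Recipient'; Address = $_.Name; Messages = $_.Count } }

    @($senders) + @($recipients)
}

$events = Import-MessageTrackingLog -Lines ($sampleLog -split "`r?`n")
Get-TopMailUsers -Events $events -Top 50 | Format-Table Role, Address, Messages -AutoSize
```

To run it against real data, replace the $sampleLog split with Get-Content over the MSGTRK*.LOG files in the server's MessageTracking log folder and keep the rest as is. Counting at the RECEIVE event is the detail that matters: if you group over every row, each message is counted again at DELIVER and SEND, and the ranking is wrong. The same report, run regularly, also shows up an account that suddenly starts sending far more mail than usual, which is a useful early sign of a compromised mailbox.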

We had to stray slightly from the steps within the document I've linked to, but with a little perseverance we managed to generate some pretty cool reports that the customer was delighted with, considering it cost nothing to implement!

Here are the links to the full document on msexchange.org's website:

Part 1
http://www.msexchange.org/articles_tutorials/exchange-server-2007/monitoring-operations/creating-graphical-reports-exchange-2007-part1.html


Part 2
http://www.msexchange.org/articles_tutorials/exchange-server-2007/monitoring-operations/creating-graphical-reports-exchange-2007-part2.html


Part 3
http://www.msexchange.org/articles_tutorials/exchange-server-2007/monitoring-operations/creating-graphical-reports-exchange-2007-part3.html



Happy scripting!