Powershell – Webbanshee https://webbanshee.net Your Exchange Server Blog Thu, 28 Apr 2022 07:43:07 +0000 en-US hourly 1 https://webbanshee.net/wp-content/uploads/2017/01/WB_BL_RND-150x150.png Powershell – Webbanshee https://webbanshee.net 32 32 122610384 StalledDueToSource_DiskLatency Mailbox Export https://webbanshee.net/stalledduetosource_disklatency/ https://webbanshee.net/stalledduetosource_disklatency/#respond Sat, 05 Feb 2022 13:29:14 +0000 https://webbanshee.net/?p=4118 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

Finish mailbox export requests that are StalledDueToSource_DiskLatency
Yesterday I exported a 30GB Mailbox to our SFTP server. The request always stalled at the end. As a consequence, the export started to loop and the the export .pst was growing much bigger than the initial mailbox size......read more

The post StalledDueToSource_DiskLatency Mailbox Export appeared first on Webbanshee.

]]> .num{margin-top:2px!Important; margin-right:10px;} h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;} .see {overflow-x: scroll!Important; overflow-y: hidden;white-space:nowrap;} .wpe-box-note3 {color:#333;} .wp-svg-sun-3 {font-size:24px!Important;position:relative;top:5px;left:5px;}

Hello fellow Exchange Admins, Yesterday I exported a 30GB Mailbox as a .pst file to our SFTP server. At about 90% the MailboxExportRequest stalled with StalledDueToSource_DiskLatency.

No other exports were running from the source server. I even disabled all scheduled tasks that could have an impact on the database where the mailbox is mounted.

However, the export request always switched to: StalledDueToSource_DiskLatency

As a consequence, the export started to loop. It just created a new folder hierarchy and started to export the items again.

Therefore the export .pst was growing much bigger than the initial mailbox size. In other words, this can blow up your storage capacities if you have a large mailbox and leave the export overnight! Not to mention that the export is useless afterward.

In this post, I want to share how I worked around the StalledDueToSource_DiskLatency condition.

The solution requires that you have a DAG in place.

Let’s start at the beginning:

First, I started the Mailbox Export Request using the Priority switch with Emergency.
So the export request is being prioritized over other jobs.

New-MailboxExportRequest -Mailbox MailboxToExport -Name IndividualNameOfTheExportRequest -BatchName BatchName -BadItemLimit 0 -LargeItemLimit 0 -FilePath “\\PathToExportLocation\NameOfExportedMailbox.pst” -Priority Emergency
Once the export was running I monitored the request. The following CMDlet will show all relevant information:

Get-MailboxExportRequest IndividualNameOfTheExportRequest -BatchName BatchName| Get-MailboxExportRequestStatistics -IncludeReport | select Report,MRSServerName,Name,SyncStage,Priority,LastFailure,FailureCode,FailureType,BadItemLimit,BadItemsEncountered,LargeItemLimit,LargeItemsEncountered,OverallDuration,Status,StatusDetail,EstimatedTransferSize,BytesTransferred,EstimatedTransferItemCount,ItemsTransferred,PercentComplete

You can find more useful details on monitoring export requests here:

Monitor Mailbox Exports

The pain started whenever the export reached completion of 100%.
The job was relinquished due to large delays and unfavorable server health on the source server-side.

As can be seen in the image below the export status stayed inProgress.
While SyncStage was CopyingMessages and StatusDetail was StalledDueToSource_DiskLatency:

StalledDueToSource_Disklatency

Therefore the export job was relinquished:

Relinquishing Job StalledDueToSource_Disklatency

Eventually, the export started all over again. StatusDetail: CreatingFolderHerarchy:

Creating Folder Hierarchy

Then PercentComplete was 10% again:

Copying Messages

As a result, the size of the export PST grew much bigger than the initial mailbox size.

After all, the solution for me was to switch the mailbox database that hosts the mailbox to another copy within the DAG:

Work around StalledDueToSource_DiskLatency

First, check which mailbox database hosts the mailbox you want to export:
Get-Mailbox -Identity MailboxToExport | select PrimarySmtpAddress, ServerName, Database

ServerName shows the server where StalledDueToSource_DiskLatency originates from.

Next, check to which servers the passive database copies are seeded:
Get-MailboxDatabaseCopyStatus -Identity DatabaseName

The output lists the active mailbox database ( Status: Mounted ), the passive copies ( Status: Healthy ), and the lagged mailbox database copy. ( Status: Healthy with ReplayQueueLenghth greater than the others )

Now switch the active mailbox database with Status: Mounted to one of the passive copies with Status: Healthy:
Note that you don’t switch it to the copy where the ReplayQueueLenghth is greater than on the other copies!
Move-ActiveMailboxDatabase DatabaseName -ActivateOnServer OneOfTheServersFromTheOutputBefore

As has been noted before take care that you don’t try to activate the mailbox database on the server that hosts the lagged database copy!

After the database is switched to another server try to export the mailbox with a new export request.
Given that the new server has no performance or disk issues the export should complete in a normal manner.

 

One more thing:
After I activated the mailbox database that hosts the mailbox on another server the ServerName did not change when querying the mailbox.

Get-Mailbox -Identity MailboxToExport | select PrimarySmtpAddress, ServerName, Database

The output of the command above will still show the old server under ServerName. But this is just visual. However, you can find a good explanation for that here.

Have a nice day

The post StalledDueToSource_DiskLatency Mailbox Export appeared first on Webbanshee.

]]> https://webbanshee.net/stalledduetosource_disklatency/feed/ 0 4118 Export Mailbox New-MailboxExportRequest https://webbanshee.net/export-mailbox-new-mailboxexportrequest/ https://webbanshee.net/export-mailbox-new-mailboxexportrequest/#respond Thu, 06 Jan 2022 14:21:06 +0000 https://webbanshee.net/?p=4149 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

Export a mailbox and monitor the export request
Find a detailed description of how to export a mailbox with New-MailboxExportRequest and monitor the export request in this post. Get-MailboxExportRequestStatistics are explained as well.......read more

The post Export Mailbox New-MailboxExportRequest appeared first on Webbanshee.

]]> .num{margin-top:2px!Important; margin-right:10px;} h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;} .see {overflow-x: scroll!Important; overflow-y: hidden;white-space:nowrap;} .wpe-box-note3 {color:#333;}

Hello folks, Today I would like to share my experience so far on how to export a mailbox with New-MailboxExportRequest. There are a couple of parameters to query to get useful information about the status of an export request.

As long as everything goes smooth you will probably just need the percentage information. But when the New-MailboxExportRequest stalls or stops with an error you will be happy to have some additional parameters to query at your disposal.

So let’s get to the point straight away:

Start to export a mailbox with New-MailboxExportRequest:

New-MailboxExportRequest -Mailbox MailboxName -Name ExportRequestName -BatchName BatchName -BadItemLimit 0 -LargeItemLimit 0 -FilePath “\\ServerName\ExportLocationFolder\MailboxName.pst” -Priority Emergency

Use the -Priority switch with Emergency to prevent stalling!

After you have started the export request check the progress:

Get-MailboxExportRequest -Name ExportRequestName -BatchName BatchName | Get-MailboxExportRequestStatistics -IncludeReport | select Report, name,Priority, FailureCode, FailureType,DiagnosticInfo,BadItemLimit,BadItemsEncountered,LargeItemLimit,LargeItemsEncountered, OverallDuration, Status, StatusDetail,EstimatedTransferSize,BytesTransferred, EstimatedTransferItemCount, ItemsTransferred,PercentComplete

As a result, you will get the values of the selected parameters.
Adjust the selected parameters if the output gets too long or intransparent.
For example remove -IncludeReport

You can find a description of the selected parameters below.

First, a short info on the -IncludeReport switch:

When this switch is used in accordance with select Report the ouptut looks like this:

New-MailboxExportRequest -IncludeReport
The output displays the currently processed items. Depending on the mailbox size the output can get much longer. Below the report, the output of other parameters you have selected is displayed.

New-MailboxExportRequest relevant infos that can be selected:

Report: Displays the whole export request history when used with the -IncludeReport switch. Skipped items based on bad or large items limits are also displayed.
Name: The individual name of the mailbox export request.
Priority: Possible values are Lower, Low, Normal (This is the default value), High, Higher, Highest, Emergency [Use the highest priority to prevent stalling. I usually use Emergency]
FailureCode: Displays the failure code [ not really useful unless you find a list of failure codes for export requests. I couldn’t find one.]
FailureType: Description of the failure that stopped the mailbox export request.
DiagnosticInfo: This needs to be used with the -Diagnostic switch when selected to display diagnostic information. Among others, you will be able to see job pickup results and timestamps.
BadItemLimit: The max. amount of inconsistent items that will be skipped and will not be exported. When this limit is reached the export will fail. A BadItemLimit greater than 50 requires the -AcceptLargeDataLoss switch.
BadItemsEncountered: Number of bad items found during the export.
LargeItemLimit: The max. amount of items in the mailbox that exceeds the allowed message size. The default value is 0. A value higher than 50 requires the -AcceptLargeDataLoss switch. (not recommended)
LargeItemsEcountered: Number of large items found during the export.
OverallDuration: Duration of the mailbox export. Includes times of stalling as well.
Status: The current state of the export. Relevant values are inProgress, Queued, Completed, Failed, Suspended.
StatusDetail: Displays additional information on some states.
EstimatedTransferSize: Estimates and displays the amount of the exported data.
BytesTransferred: Displays the amount of data that has been really transferred. This usually differs from the EstimatedTransferSize.
EstimatedTransferItemCount: Estimates and displays the number of items that will be transferred.
ItemsTransferred: Displays the number of items that have been transferred. Can differ from EstimatedTransferItemCount. ( Among others depending on encountered bad or large items and the associated limits )
PercentComplete: The progress of the export request in percent.

See the standard reference to Get-MailboxExportRequest by Microsoft here.
Find more to Get-MailboxExportRequestStatistics by Microsoft under this link.

Modify parameters of a mailbox export request:

To modify the parameters of an existing mailbox export request you will need to suspend the request first. This can be useful when you retrospectively want to change the BadItemnLimit or want to raise the priority.

Suspend the mailbox export request:

Get-MailboxExportRequest -Name ExportRequestName | Suspend-MailboxExportRequest

In case you want to suspend all mailbox exports of the same batch:

Get-MailboxExportRequest -BatchName BatchName | Suspend-MailboxExportRequest

Now change the parameters [Example: BadItemLimit]

Get-MailboxExportRequest -Name ExportRequestName | Set-MailboxExportRequest -BadItemLimit 25

In order to change all export requests of the same batch:

Get-MailboxExportRequest -BatchName BatchName | Set-MailboxExportRequest -BadItemLimit 25

Resume the mailbox export request:

Get-MailboxExportRequest -Name ExportRequestName | Resume-MailboxExportRequest

In case you want to resume all mailbox exports of the same batch:

Get-MailboxExportRequest -BatchName BatchName | Resume-MailboxExportRequest
Note:
Modifying the BadItemLimit value makes sense when you have started the export with a low BadItemLimit ( for exmaple 5 ). While monitoring the export you assume that there will be more bad item than you have specified.

Another case would be when the export fails because the BadItemLimit threshold has been reached. In that case, you can modify the BadItemLimit after the export failed and resume the export. Suspend is not needed here as it has already failed. To be honest I usually trigger a New-MailboxExportRequest when this happens because I don’t trust the resume. I am not 100 percent sure that the resume picks up where it stopped and I want to prevent duplicated items. But if you trust the resume process more than me give it a try.

Remove-MailboxExportRequest

Here are two arguments to remove mailbox export requests you don’t need anymore:

  • To export a mailbox with New-MailboxExportRequest with the same request name.
  • Further, do some housekeeping and keep your environment clean and transparent.
Get-MailboxExportRequest -Name ExportRequestName | Remove-MailboxExportRequest

In case you want to remove all mailbox exports of the same batch:

Get-MailboxExportRequest -BatchName BatchName | Remove-MailboxExportRequest

In order to remove all mailbox export requests:

Get-MailboxExportRequest | Remove-MailboxExportRequest
Final remark:
Get-mailboxExportRequest vs. Get-MailboxExportRequestStatistics:
Whenever an export request got stalled and I monitored the request with Get-MailboxExportRequest it showed me InProgress as the current state.

Only Get-mailboxExportRequest | Get-MailboxExportRequestStatistics showed me the real status.
It seems regarding the state of the export Get-mailboxExportRequest is not as much reliable as Get-MailboxExportRequestStatistics.
For this reason I always use Get-MailboxExportRequestStatistics when I export a mailbox with New-MailboxExportRequest.

Have a nice day!

The post Export Mailbox New-MailboxExportRequest appeared first on Webbanshee.

]]> https://webbanshee.net/export-mailbox-new-mailboxexportrequest/feed/ 0 4149 ADFS Server Core Token Signing Certificate https://webbanshee.net/adfs-server-core-token-signing-certificate/ https://webbanshee.net/adfs-server-core-token-signing-certificate/#respond Wed, 27 Oct 2021 10:38:03 +0000 https://webbanshee.net/?p=4027 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

ADFS Server Core Token Signing Certificate
With ADFS running on Server Core the method of the yearly renewal of the Token Signing Certificate has changed to PowerShell only. I have just finished the renewal of the Token Signing Certificate via Powershell in our test environment. In this post, I will sum up the steps.......read more

The post ADFS Server Core Token Signing Certificate appeared first on Webbanshee.

]]> .num{margin-top:2px!Important; margin-right:10px;} h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;} .see {overflow-x: scroll!Important; overflow-y: hidden;white-space:nowrap;} .wpe-box-note3 {color:#333;}

Hi there, we have upgraded our servers. ADFS servers are running on Windows Server 2019 Core now. Therewith the method of the yearly renewal of the Token Signing Certificate has changed to PowerShell only.

I have just finished the renewal of the Token Signing Certificate via Powershell in our test environment. In this post, I will sum up the steps.

In case you want to renew the Token Signing certificate via GUI on an appropriate server see this post: Renew ADFS Token Signing Certificate

Let’s start with a short description of relevant ADFS properties: [Get-ADFSProperties | fl *cert*]

CertficateGenerationThreshold :

Has by default a value of 20 ( days ). That means that 20 days before the current primary ADFS Token Signing Certificate expires, a secondary certificate will be generated ( this will be the new cert after the current one expires ). You can check if the secondary certificate has already been created withe the following commands:

Get-AdfsCertificate -CertificateType Token-Signing
Get-AdfsCertificate -CertificateType Token-Decrypting

When the secondary certificate exists the ouput should list minimum two certificates. Focus on the certificate which has the attribute IsPrimary set to False. Verify that the Not Before: date is correct.

AutoCertificateRollover :

The default value of this attribute should be set to $True and should only be changed to $False for the time when the automatically created secondary certificate will be assigned as the primary ADFS certificate. When you manually renew the Token Signing Certificate this should always be set to $False. Otherwise, the secondary certificate will be promoted as the primary certificate automatically. Web logins to application servers will not be possible until the new certificate has not been introduced on the affected application servers.

CertificatePromotionThreshold :

This attribute is important and should be monitored before the upcoming expiration of the current ADFS Token Signing Certificate. It defines after how many days ( counting from the creation date of the secondary ADFS certificate ) the new certificate will be defined automatically as primary.
If the value of this attribute is set to 15 it means that the secondary certificate will be assigned as primary automatically after 15 days.
Based on the example above the servers should be updated with the thumbprint of the new certificate maximum of 15 days ( better earlier ) after the creation of the secondary ADFS Token Signing Certificate.

CertificateRolloverInterval :

Defines the interval in minutes at which ADFS checks if a new certificate needs to be generated. The default value is 720. If you change the values above accordingly to their meaning and your needs you can lower this value to 5 minutes for instance to generate the secondary certificate if it has not been generated yet. Set it back to default afterward.

Microsoft describes these properties here.


With that being said we are good to go. Log on to your ADFS Server Core.

1 - ADFS Server CoreQuery the secondary Token Signing and Decrypting certificates

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $False}

Note the thumbprints. You will need them later.

2 -Export the secondary Token Signing Certificate

Export the certificate to a location you can reach from the application servers. I usually export the cert to a local folder on the ADFS server.

$certRefs=Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
$certBytes=$certRefs[0].Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes(“C:\PathToExportFolder\CertName.cer”, $certBytes)

3 -Import the certificate from your ADFS Server Core to all Exchange servers

The certificate will be imported to the Trusted Root Certification Authority of LocalMachine:

Import-Certificate -FilePath \\ADFSServerName\c`$\PathToExportFolderOnADFSServer\CertName.cer -CertStoreLocation Cert:\LocalMachine\Root

You can check that the certificate has been imported successfully via remote MMC from a GUI server:

MMC > Add/Remove Snap-in > Certificates > Computername > This snap-in will manage: Another Computer > Enter the ServerName where you just have imported the certificate.

Navigate to ServerName\Trusted Root Certification Authorities > Certificates and verify that the imported ADFS Signing certificate is there.

Of course you can check it with PowerShell as well:

Set-Location -Path cert:\LocalMachine\root
Get-ChildItem | where {$_.subject -like “*ADFS*”} | fl

4 -Promote the new secondary certificate to primary on ADFS Server Core

After this logins to web services on the involved application servers using ADFS will not be possible until the new certificate has been introduced on the application servers! ( E.g. Exchange OWA )

Set AutoCertificationRollover to False to be able to promote your secondary certificate to primary:

Set-ADFSProperties -AutoCertificateRollover $False

Query the thumbprint of the new Token Signing and Decrypting certificates:

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $False}

Note the thumbprint of both certificates.

Promote both secondary certificates ( Token Signing and Decrypting ) to primary:

Set-AdfsCertificate -IsPrimary -CertificateType “Token-Signing” -Thumbprint ThumbprintGoesHere
Set-AdfsCertificate -IsPrimary -CertificateType “Token-Decrypting” -Thumbprint ThumbprintGoesHere
However, I got an error here stating that I need to add the certificate first. When I tried to add the Token Signing certificate on ADFS Server Core:

Add-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $False}

The output was a message stating the certificate is already added.

I think you need to wait a little bit after you set AutoCertificateRollover to True. Several tries later it succeeded. To be honest I could not identify the cause – I just assume it could have been the elapsed time after I set AutoCertificateRollover to True.

Verify that the new certificates have the primary status:

Get-AdfsCertificate -CertificateType Token-Signing | where {$_.IsPrimary -eq $True}
Get-AdfsCertificate -CertificateType Token-Decrypting | where {$_.IsPrimary -eq $True}

Switch AutoCertificateRollover back to True:

Set-ADFSProperties -AutoCertificateRollover $True

Check it:

Get-ADFSProperties | fl *cert*

AutoCertificateRollover should be True!

5 -Introduce the new Token Signing Certificate to the Exchange organization

It is enough to fire the following command once from an Exchange Server within your organization:

Set-OrganizationConfig -AdfsSignCertificateThumbprint ADFSTokenSigningCertThumbprint

Verify the AdfsSignCertificateThumbprint:

Get-OrganizationConfig | select adfs*

Restart IIS:

iisreset /noforce

Or Restart IIS remotely:

invoke-command -computername “ServerName” -scriptblock {iisreset /noforce}

Now try to login via web frontend to your application servers. ( try an Outlook on the Web login )

That’s it ADFS Server Core Smiley

Stay healthy!
 

The post ADFS Server Core Token Signing Certificate appeared first on Webbanshee.

]]> https://webbanshee.net/adfs-server-core-token-signing-certificate/feed/ 0 4027 Mailbox Audit Logging – Enable and Search Logs https://webbanshee.net/mailbox-audit-logging/ https://webbanshee.net/mailbox-audit-logging/#respond Fri, 12 Mar 2021 07:21:35 +0000 https://webbanshee.net/?p=3656 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

Use Mailbox Audit Logging to gather insights about what happens in a certain mailbox.
When a mail went missing without interaction of the mailbox owner Mailbox Audit Logging can provide useful information.......read more

The post Mailbox Audit Logging – Enable and Search Logs appeared first on Webbanshee.

]]> h2 {font-weight: bold;text-decoration:none;font-size: 22px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;}h4 {font-weight: bold;text-decoration:none;font-size: 16px!Important;}.wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;}.red{background:#E86275;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;} .wpe-button-blue {background:#1072C1!Important; border: none!Important;} .txtred {color:#993333;font-weight:bold;} .txtbold {font-weight:bold;}

Did you ever receive inquiries about strange mailbox behavior like users state that mails have been deleted without any interaction of the mailbox owner? In cases like this, you are happy to enable Mailbox Audit Logging on the affected mailbox.

This post is about how to enable Mailbox Audit Logging on a certain mailbox and configure the auditing parameters to provide the most relevant insights. Let’s get to the point straight away:

 

1 -Enable Mailbox Audit Logging on a mailbox

Check the audit status on a certain mailbox:

get-mailbox -Identity MailboxName | select PrimarySmtpAddress, *audit* | fl

In the following examples, I will use intern@testlab.local as -Identity
The output shows that Mailbox Audit Logging is not enabled on this mailbox:
Mailbo Audit Logging Disabled

Enable Mailbox Audit Logging:

get-mailbox -Identity MailboxName | Set-Mailbox -AuditEnabled $True

When you check the status again using the first command it will show AuditEnabled as True now.
Operations audited by default are shown as well:
Mailbox Audit Logging Enabled

If your output is truncated with ellipses (…) change the $FormatEnumerationLimit value.

Define operations that should be audited:

Depending on what circumstances make a mailbox audit logging necessary you can change the predefined audit operations to more relevant ones. Find a list of actions logged by mailbox audit logging here.

Usually, I completely change the actions for AuditOwner. AuditOwner = MailboxOwner
To do so use the following command:

Set-Mailbox MailboxName -AuditOwner “Create, SoftDelete, HardDelete, Update, Move, MoveToDeletedItems,MailboxLogin”
Mailbox Audit Loggint
Adjust the logged actions according to the list by Microsoft mentioned above.
Use -AuditAdmin or -AuditDelegate instead of -AuditOwner to change logged operations for Admin or Delegates.

2 -Search Mailbox Audit Logs

Define your query:

The Search-MailboxAuditLog CMDlet seems only to work out of an Exchange Management Shell. Out of an ISE loaded with an Exchange PS-Snapin, I always get an error.

Undoubtedly the filter for date ranges in connection with the Search-MailboxAuditLog CMDlet is somewhat imprecise. If you want to query a range from 3 days ago until today for instance I recommend setting the end date of the query to the date of tomorrow. Otherwise, it can happen that no results will be shown for the current day or even the day before.

Search-MailboxAuditLog -Identity MailboName -StartDate “MM/DD/YYYY” -EndDate “MM/DD/YYYY” -LogonTypes Owner -ShowDetails | select lastaccessed, operation, logontype ,logonuserdisplayname,folderpathname,ClientIPAddress,ClientInfoString,ClientMachineName,ClientProcessName,MailboxOwnerUPN,DelegateUserDisplayName,MailboxResolvedOwnerName,SourceItemSubjectslist | sort lastaccessed |ft -autosize

Some notes to the query above:

-StartDate/-EndDate: The date format can vary depending on the regional settings of your system!
-LogonTypes: Narrow down your query to logon types you are interested in.

Selectors:

Operation: Displays the logged action.
ClientIpAddress: Shows the IP address of the client respectively the source network outgoing IP address.
ClientInfoString: Shows client connection types like RPC, ActiveSync, OWA
ClientProcessName: For example OUTLOOK.exe
SourceItemSubjectslist: The subject of mails where an action has been logged with.

I recommend to use only relevant selectors when searching an audit log.
Displaying all selectors can make the output confusing or will not fit in at all.

Stay safe folks!
 

The post Mailbox Audit Logging – Enable and Search Logs appeared first on Webbanshee.

]]> https://webbanshee.net/mailbox-audit-logging/feed/ 0 3656 Add Secondary IP Address Windows Server https://webbanshee.net/add-ip-address-windows-server/ https://webbanshee.net/add-ip-address-windows-server/#respond Mon, 07 Dec 2020 11:22:19 +0000 https://webbanshee.net/?p=3809 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

Add or remove an IP address with PowerShell. Includes a script at the end of the post. Fell free to use.
If you want to add a secondary IP Address without using the Change Adapter Options in the GUI ( especially on Windows Core servers ) you can achieve this in a simple way via PowerShell.......read more

The post Add Secondary IP Address Windows Server appeared first on Webbanshee.

]]> .bckgr {background:#ccc;} .see {overflow-x:scroll!Important;overflow-y:hidden;white-space: nowrap;Background:#FDFDF4;border-left: 16px solid #7C98E2; border-top-left-radius:30px; padding-top:15px;padding-left:15px;padding-bottom:10px;scroll-behavior: smooth;}.MsoNormal {background:transparent!Important;} .code-bg {font-weight:bold; margin-top: -5px;} .BlueCopy:hover {opacity: 0.85;} h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;}h4 {font-weight: bold;text-decoration:none;font-size: 16px!Important;}.wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;} .wpe-button-blue {background: #1072C1!Important; border: none!Important;}.blue{background:#6666cc;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

If you want to add a secondary IP Address without using the Change Adapter Options in the GUI ( especially on Windows Core servers ) you could use sconfig or simply add the IP address with PowerShell.

In my case, I wanted to add a secondary IP address to a certain interface on some Windows Server Core servers. Unfortunately, an Invalid Index error was thrown when I chose the appropriate interface under sconfig – Network Settings:

Invalid Index Network Settings

However, I faced this error a couple of months ago already when I wanted to Disable IPv6 in my test lab.

Because this time it was production servers I didn’t want to change any settings while adding secondary IP addresses to the servers. The only option was to add a secondary IP address via PowerShell.

… and here we go:

Add Secondary IP Address to Network Interface:

1 -List Network Interfaces with name and Interface Index

Get-NetAdapter

List Network Interfaces

2 -Display existent IPs on chosen Network Interface

To list IPv4 and IPv6 IP addresses:
Get-NetAdapter -ifIndex  ifIndex Number | Get-NetIPAddress | select IPAddress | ftList IPv4 and IPv6 addressesTo display only IPv4 addresses:
Get-NetAdapter -ifIndex ifIndex Number | Get-NetIPAddress | where {$_.AddressFamily –eq “IPv4”} | select IPAddress
List IPv4 addresses

3 -Add new IP address

New-NetIPAddress –IPAddress “IpAddress goes here” –PrefixLength 24 –InterfaceIndex ifIndex Number
Add secondary IP address
The command adds the IP address to the ActiveStore and the Persistent Store.
You can read more about the PolicyStore values here.

4 -Verify that add a secondary IP address was successful

Get-NetAdapter -ifIndex ifIndex Number | Get-NetIPAddress | where {$_.AddressFamily –eq “IPv4”} | select IPAddress
Add Secondary IP Address done!

Thats all. You don’t need to specify a default Gateway since this has most likely be done already with the initial IP address.

Remove IP Address from Network Interface:

1 -List Network Interfaces with name and Interface Index

Get-NetAdapter

Add Secondary IP Address list

2 -Display existent IP addresses that can be removed on chosen Network Interface

We focus here only on IPv4 addresses. See point 2 - above to display IPv6 as well.
Get-NetAdapter -ifIndex ifIndex Number | Get-NetIPAddress | where {$_.AddressFamily –eq “IPv4”} | select IPAddress
add secondary IP address remove
Copy IP address to remove from the output.

3 -Remove IP address

Insert copied IP address in the command below:
Get-NetIPAddress –IPAddress IPAddressToRemove –InterfaceIndex ifIndex Number | Remove-NetIPAddressYou will need to confirm it for both PolicyStores.
Otherwise you could use the command with -Confirm:$false

4 -add secondary IP address verify

Get-NetAdapter -ifIndex ifIndex Number | Get-NetIPAddress | where {$_.AddressFamily –eq “IPv4”} | select IPAddress
Add secondary IP address IPv4 addresses

I have compiled the above steps in a script to make it more convenient:

Script to Add/Remove IP Address

The post Add Secondary IP Address Windows Server appeared first on Webbanshee.

]]> https://webbanshee.net/add-ip-address-windows-server/feed/ 0 3809 Remote PowerShell Session to Server Core https://webbanshee.net/remote-powershell-session/ https://webbanshee.net/remote-powershell-session/#respond Tue, 22 Sep 2020 14:59:13 +0000 https://webbanshee.net/?p=3619 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;} .txtbold {font-weight:bold;}

Connect via a Remote PowerShell Session to another server.
Use the following commands to establish, enter, or remove a Remote PowerShell Session: New-PSSession, Enter-PSSession, Remove-PSSession ......read more

The post Remote PowerShell Session to Server Core appeared first on Webbanshee.

]]> h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;}h4 {font-weight: bold;text-decoration:none;font-size: 16px!Important;}.wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;}.red{background:#E86275;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;} .wpe-button-blue {background:#1072C1!Important; border: none!Important;} .txtred {color:#993333;font-weight:bold;} .txtbold {font-weight:bold;}.entry-title {color: #fefefe;font-size: 30px;font-weight: 400;margin-bottom: 10px;padding-left: 10px;background: #353535;border-top-left-radius: 5px;border-bottom-left-radius: 5px;}

Hello Folks, this is just a simple post on how to open and enter a Remote PowerShell Session from one server to another. A lot of tasks on different servers can be accomplished in a convenient way from one server.

For instance if you want to Change the Keyboard Layout on the login screen of a new Server Core installation.

We will use the cmdlets below to open, enter, exit, and remove a Remote PowerShell session.

Remote PowerShell Prerequisites:

To receive PowerShell remote commands PS-Remoting must be enabled on the computer. PS-Remoting is enabled by default. Further the WinRM Service needs to be started.

If you want to go for sure firstly check the PS-Remoting state of the remote computer with:

Test-WSMan -ComputerName NameOfRemoteComputer

Afterward, verify the state of the WinRM service on the remote computer that it is running:

Get-Service WinRM -ComputerName NameOfRemoteComputer | Select MachineName,Name,Status

Remote PowerShell Session Cmdlets:

Get-PSSession – [Shows current sessions]
New-PSSession – [Create a new persistent connection to the target host]
Enter-PSSession – [Enter a session as interactive session]
Exit-PSSession – [Exit session. The session will still be alive in the background]
Disconnect-PSSession – [Disconnect from the session]
Connect-PSSession – [connect to a disconnected session]
Remove-PSSession – [Remove an earlier created persistent session]

Ok, here we go …

1 -Create a Remote PowerShell Session with New-PSSession:

New-PSSession -Name NameOfSession -ComputerName NameOfRemoteComputer -Credential Domain\Username.

In case you don’t want to give the remote PowerShell session a name it will be named WinRM*

2 -Check the newly created session with Get-PSSession:

Get-PSSession

The output will show the state of the session:
Get Remote PowerShell SessionI gave my session the name “ServerCore”. It connects to an Exchange 2019 server running on Server 2019 Core with hostname “exchange2019”

If you have more sessions you can go for the computer name:
Get-PSSession -ComputerName NameOfRemoteComputer

… or explicit for the session name:
Get-PSSession -Name NameOfSession

… and also for the Id:
Get-PSSession -Name ID

3 -Enter a session directly as an interactive session with Enter-PSSession:

Enter-PSSession -ComputerName NameOfRemoteComputer
Enter-PSSession -name NameOfSession.
 
As a result, PowerShell switches to the entered interactive session:
 
Enter PowerShell Session
You can perform tasks on the target server via PowerShell from the localhost within this session now.
Enter-PSSession does not require a session that has been created with New-PSSession before.

Find more on how to run Remote Commands from a Remote PowerShell Session here.

4 -Exit an interactive session with Exit-PSSession:

Within the remote PowerShell type:
Exit-PSSession

Instead of Exit-PSSession, you can just type Exit as well. It will have the same effect.

Thereafter, the session remains open but you have left the interactive session into the localhost’s PowerShell:

Open Remote PowerShell Sessions

5 -Disconnect a session with Disconnect-PSSession:

You can disconnect a remote PowerShell session which has been created with New-PSSession.
But you can’t disconnect an interactive session that has been initiated with Enter-PSSession.

To disconnect a session run the command below from your localhost’s PowerShell:

Disconnect-PSSession -name NameOfSession 

…or disconnect it based on the ID:
Disconnect-PSSession -Id ID 

Further, you can disconnect all remote session for a certain remote host based on ComputerName:
Disconnect-PSSession -Id ComputerName 

Following you get an output like this:
Disconnect Remote PowerShell Session

You can later reconnect by using the Connect-PSSession cmdlet.

6 -Reconnect a disconnected PowerShell session:

As shown below you can reconnect an existing session that has been created with New-PSSession:

Connect-PSSession -name NameOfSession… or you connect it with its ID:
Connect-PSSession -Id ID… as well as with ComputerName:
Connect-PSSession -Id Computername

Remote PowerShell Session to Exchange Server

To connect with a Remote PowerShell Session to Exchange use:

$UserCred = Get-Credential

$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange –Name ExchangeSession -ConnectionUri “http://RemoteExchangeFQDN/powershell” -Credential $UserCred -Authentication Kerberos

Import-PSSession $ExSession

You can verify the session with name ExchangeSession you just openend with Get-PSSession:

Get Remote PowerShell Session Exchange
The Exchange CMDLets will be available now.

The same can be done from an Exchange Management Shell to connect through a Remote PowerShell session to another Exchange Server:

Open an Exchange Management Shell

If you are on a Server Core type LaunchEMS into the command window.

Use the CMDlets from above

That’s all.  smiley :)
 
 
To display the output of a PowerShell command completely without ellipses take a look here:

Expand PowerShell Output
 

The post Remote PowerShell Session to Server Core appeared first on Webbanshee.

]]> https://webbanshee.net/remote-powershell-session/feed/ 0 3619 Change the Input Language on Server Core https://webbanshee.net/change-input-language-on-server-core-login-screen/ https://webbanshee.net/change-input-language-on-server-core-login-screen/#respond Fri, 28 Aug 2020 03:30:30 +0000 https://webbanshee.net/?p=3553 .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;}

To be able to change the input language on Server Core's Welcome Screen with ALT + SHIFT you first will need to install the the input method of your preferred language.
The Get-WinUserLanguageList cmdlet returns language settings regarding input method, spelling, and text prediction.......read more

The post Change the Input Language on Server Core appeared first on Webbanshee.

]]> h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;}h4 {font-weight: bold;text-decoration:none;font-size: 16px!Important;}.wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;} .key{background:#444444;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;} .blue{background:#6666cc;padding-left: 5px;padding-right: 5px;padding-top: 2px;padding-bottom: 2px;color:#fefefe;border-radius: 3px;font-size: 14px;} .space{width: 1px;height: 20px;}

To be able to change the input language on Server Core’s Welcome Screen with ALT + SHIFT you first will need to install the the input method of your preferred language.

Open a remote Power Shell session from another server so you can log in with your preferred language layout. You can also log in directly to the server using the server core’s default language layout.

In case you log in directly type powershell into the CMD window.

1 -Check the WinUserLanguageList for installed languages:

$UserLangList = Get-WinUserLanguageList
$UserLangList

The Get-WinUserLanguageList cmdlet returns language settings regarding input method, spelling, and text prediction. Accordingly, this example shows a Server 2019 Core with only the default language installed:

Get-WinUserLanguageList - Default Language

2 -Change the input language by adding your preferred layout to the list:

You can find a list of language codes here: List of Language Codes

Find the relevant Syntax in the BCP 47 Code column.

In our example, we will add German as an additional input method.
As a result, one will be able to change the input language to German already at the login screen as well.

$UserLangList.Add(“de-DE“)
Set-WinUserLanguageList -LanguageList $UserLangList

Check the WinUserLanguageList again:

$UserLangList
The output will show the additional input language:
Change the Input Language on Server Core

From this point, you will be able to change your keyboard language with ALT + SHIFT

3 -Remove input language from the language list:

Just in case it is needed you can remove a language as follows …

First, you will need the position of the language you want to remove:

$UserLangList
Change the input language on server core
Bear in mind that the first language is position 0 and hence the second language is position 1!

Remove the language by pointing to the appropriate [position number]:

$UserLangList.Remove($UserLangList[1]“)
Set-WinUserLanguageList -LanguageList $UserLangList

Verify that the language has been removed:

$UserLangList
Change the Input Language on Server Core

The German input method has been removed from the WinUserLanguageList.

Enjoy your day and stay safe.  

The post Change the Input Language on Server Core appeared first on Webbanshee.

]]> https://webbanshee.net/change-input-language-on-server-core-login-screen/feed/ 0 3553 Entry is missing in the Global Address List https://webbanshee.net/entry-missing-in-the-global-address-list/ https://webbanshee.net/entry-missing-in-the-global-address-list/#respond Tue, 28 Apr 2020 10:01:30 +0000 https://webbanshee.net/?p=3520 After a mailbox or a distribution group has been created it can happen that the appropriate entry is missing in the Global Address List.
If an entry is missing in the Global Address List you can query the GAL on the server......read more

The post Entry is missing in the Global Address List appeared first on Webbanshee.

]]> Hello Folks! After a mailbox or a distribution group has been created it can happen that the appropriate entry is missing in the Global Address List.

Assuming the HiddenFromAddressListsEnabled attribute is set to $False on the mailbox or distribution group.

When an entry is missing in the Global Address List it is not necessarily needed but good to know if we can find the object in the GAL on the server.

If an entry is missing in the Global Address List you can query the GAL on the server:

## Add Exchange Server SnapIn to PS ##
Add-PSSnapin *exch*

## Get name of GAL ##
Get-GlobalAddressList

## Prepare data source ##
$customer = “NameOfGAL – GAL”
$members=Get-GlobalAddressList $customer

## Query for a certain object using a part of its name [ we use -like here ] ##
Get-Recipient -RecipientPreviewFilter $members.RecipientFilter -ResultSize unlimited | where {$_.Name -like “*PartOfObjectName*”} | fl

Independently from the outcome of the above PowerShell commands I usually update the Offline Address Book and the Global Address List afterward.

I have put in the option to query the Global Address List for the missing entry because I usually do it.

Ok here we go > Update the Offline Address Book:

Get-OfflineAddressBook
Get-OfflineAddressBook -Identity “NameOfOAB” | Update-OfflineAddressBook

Now update the Global Address List:

Get-GlobalAddressList
Get-GlobalAddressList -Identity “NameOfGAL” | Update-GlobalAddressList

In most cases, this solves it.
 
I usually wait 15 Minutes [ one AD sync cycle ] before notifying the customer.
The user should download the Address Book afterward or restart Outlook.
In OWA new entries should be visible straight away.
 

If the problem persists check the showInAddressBook attribute on the object in AD:

Entry is missing in the Global Address List

Compare the values of the attribute showInAddressBook with an account or DL that is available in the Global Address List and add them accordingly if one or more entries are missing.

If appropriate entries are missing here you wouldn’t get a result when querying the GAL for the missing entry at the beginning of this post. Further it is likely that HiddenFromAddressListsEnabled is set to $true.

When HiddenFromAddressListsEnabled is set to $true:

> Set it to $false and reload the attribute in AD.

Find some examples at the end of this Microsoft description.
 
If all entries are visible in showInAddressBook you should be fine.
Otherwise add the missing entries under showInAddressBook.

> Update OAB and GAL again.

 
Have a nice day!
 
 
Want to activate an Out of Office message while retaining the formating?

Out Of Office Multiline Message through PowerShell

 

The post Entry is missing in the Global Address List appeared first on Webbanshee.

]]> https://webbanshee.net/entry-missing-in-the-global-address-list/feed/ 0 3520 CU14 Exchange 2016 and KB4536987 https://webbanshee.net/cu14-exchange-2016/ https://webbanshee.net/cu14-exchange-2016/#comments Sat, 15 Feb 2020 09:22:28 +0000 https://webbanshee.net/?p=3327 CU14 Exchange 2016 is compatible with .NET versions 4.7.2 and 4.8. It comes with a vulnerability where Microsoft released KB4536987.
See how it went......read more

The post CU14 Exchange 2016 and KB4536987 appeared first on Webbanshee.

]]> h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;} h5{margin-bottom: 5px;} .wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;} .wpe-box-alert {background-color:#f9f6d9!important;border: 1px solid #aaa895;text-align: justify;} .wpe-box-error1 {background-color:#ffebe8!important;border: 1px solid #c00;text-align: justify;} .wpe-box-alert ul li {list-style:square;padding-bottom: 10px;} .wpe-box-note3 ul li {list-style:square; padding-bottom:10px;} .embedly-card-hug {background: #fefefe;}

We are currently upgrading our Exchange 2016 servers to CU14 Exchange 2016 and started to install CU14 on servers that host only relayed copies.

CU14 Exchange 2016 is a bridge CU. It is compatible with .NET 4.7.2 and compatible with .NET 4.8 as well. You can upgrade from .Net 4.7.2 to .Net 4.8 after you have CU14 Exchange 2016 in place.

CU14 ( and CU15 ) both come with a vulnerability for which Microsoft released a patch in February.
The patch is classified important and should be installed after CU14 has been installed.

You can read more about the mentioned vulnerability and download the patch from Microsoft here.

Tasks before installing CU14 Exchange 2016:

  • Backup your web.config files where you have modified parameters or have added new keys.

    As we experienced it still only the web.config file in the OWA directory takes over parameters and keys you have modified before. To be safe I recommend backup every web.config file you have ever touched/modified. So you can easily reapply the changes you have made.

  • Disable Check for publisher’s certificate revocation in IE.
  • Make sure you have enough free space on the install drive.
    I noticed from 2010 and 2013 times a recommendation for at least 10GB of free space.
  • Take a look at the supportability matrix if you plan to upgrade to .NET 4.8
  • Check Auth methods on service directories like Powershell, OWA, and ECP and note the output.
  • Switch mailbox databases and put the server in maintenance mode.

Order of install:

  • Install the regular Windows patches ( if necessary )
  • Install CU14 Exchange 2016
  • Install patch KB4536987 for Exchange Server 2016 CU14 from an elevated Command Prompt

The CU installation itself took between 2 and 3 hours on the servers in our environment.

Experiences after CU14 Exchange 2016 has been installed:

  • We had mailtips disabled. Mailtips were enabled afterward.
  • To go for sure we checked the Authentication methods on the Virtual Directories again and validated them against the output we made before. All fine.
  • The web.config files in the following directories have been overwritten. Changes needed to be reapplied.

    Active Sync – [ We have an increased attachment size ] :

    C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\sync
    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\sync

    ECP – [ We have additional keys in place. ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews

    Anyway, I always check the OWA web.config as well:

    OWA – [ We have additional keys in place ] :

    C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

  • Virtual directories for additional OWA and ECP needed to be recreated.

Experiences vulnerability patch KB4536987:

After the install and restart it happened on some servers that the content index state on relayed copies was and stayed in status failed.

The following command displayed the cause:

Get-MailboxDatabaseCopyStatus -Server Servername | fl Identity, ContentIndexErrorMessage

Output:

ContentIndexErrorMessage:
The Microsoft Exchange Search Host Controller Service is not running on server Servername

After restarting the Microsoft Exchange Search Host Controller Service the ContentIndexState went back to AutoSuspend.

It took about 45 – 60 minutes to install the patch.

Update
The following subreddit gave me a hint. Thx! No problems appeared on servers where the patch has been installed through an elevated Command Prompt.

Anyone installed KB4536987 yet? from exchangeserver

Start the patch from an elevated Command Prompt.
 
Update
After installing KB4536987 on the last of our servers one of the mailbox database copies switched to failed and suspended and could not be resumed. A reseed failed with:

Error: The Microsoft Exchange Replication service encountered an unexpected error in log replay for database ‘DBName\ServerName’. Error MapiExceptionDatabaseError: LogReplayRequest rpc failed.

The cause was once again the Microsoft Exchange Search Host Controller Service. We installed KB4536987 through an elevated command prompt. The service was in a running state after the patch has been installed. So we restarted the service. After that, we were able to reseed the copy.

Good Luck!
 
A general description how to install a Cumulative Update on Exchange 2016 can be found here:
 
Install CU Exchange 2016

The post CU14 Exchange 2016 and KB4536987 appeared first on Webbanshee.

]]> https://webbanshee.net/cu14-exchange-2016/feed/ 3 3327 Mail Flow Rule Mark External Mail https://webbanshee.net/mail-flow-rule-mark-external-mail/ https://webbanshee.net/mail-flow-rule-mark-external-mail/#respond Wed, 15 Jan 2020 10:45:27 +0000 https://webbanshee.net/?p=3145 To filter mails for certain criteria like sender, recipients, domain, header-information and more it makes sense to create a new Mail Flow Rule and associate it with an action of your choice.
In this example we will create a rule that tags mails from external senders with [EXT]......read more

The post Mail Flow Rule Mark External Mail appeared first on Webbanshee.

]]> /*.entry-content img {border-bottom: 3px solid #F90;}*/h2 {font-weight: bold;text-decoration:none;font-size: 20px!Important;}h3 {font-weight: bold;text-decoration:none;font-size: 18px!Important;}.wp-image-2045,.wp-image-2051,.wp-image-2050,.wp-image-2049,.wp-image-2056, .wp-image-2055 {margin-top:2px!Important;margin-right:6px;}

Hello Folks. To filter mails for certain criteria like sender, recipients, domain, header-information and more it makes sense to create a new Mail Flow Rule ( former Transport Rule ) and associate it with an action of your choice.

You could, for example, use a Mail Flow Rule to pretend [EXT] to the subject when a mail comes from an external sender or you could use a rule to classify emails with certain header-information as SPAM and move them to the user’s Junk-Mail folder.

Ok, let’s get into it. In this example we will create a rule that tags mails from external senders with [EXT]:

> Login to your Exchange Control Panel ( ECP ) with an administrative account.
The URL should be like that: https://YourExchangeURL/ecp
> Or click here to create a new Mail Flow Rule via PowerShell

1 -Create a new Mail Flow Rule via ECP:

> In ECP navigate to mail flow > rules and click the + icon. Choose Create a new rule.
New Mail Flow Rule
The Drop-Down offers several templates for new rules.
We won’t use them here since we want to create a new Mail Flow Rule from scratch.

Specify the name and criteria of the new Mail Flow Rule:

We will create a rule which pretends [EXT] to the message subject when a mail comes from a sender outside of your organization.

> Specify the name of the rule
> Click More options
Name Mail Flow Rule

For an Exchange environment hosting a single tenant:

> Under Apply this rule if choose The sender… > is external/internal
> Set it to Outside the organization
> Add another condition
> Choose The recipient… > domain is
> Add the domain for which you want to mark external mails
> Under Do the following… choose Prepend the subject of the message with…
> Enter your preferred tag ( e.g. [EXT] )

Mail Flow Rule Single Org

> Further down set Match sender address in message to > Envelope
Mail Flow Rule matches envelope

For a multi-tenant Exchange environment:

Exchange considers a sender to be external if:
• The sender’s email address isn’t in an accepted domain.
• The sender’s email address is in an accepted domain that’s configured as an external relay domain.

In a multi-tenant environment where tenants send mails between each other, the sender will not be considered as an external sender from the recipient’s point of view since the sender’s domain is an accepted domain. This means we cannot use the same conditions as we have used in a single-tenant environment.

> Under Apply this rule if choose The sender… > address matches any of these text patterns
> Enter @ as a specified word or phrase
> Add another condition
> Choose The recipient… > domain is
> Add the domain for which you want to mark external mails
> Under Do the following… choose Prepend the subject of the message with…
> Enter your preferred tag ( e.g. [EXT] )
> Under Except if choose The sender > domain is
> Enter one or more domains you don’t want to be marked as an external sender

Mail Flow Rule multi-tenant
> Further down set Match sender address in message to > Envelope
Mail Flow Rule matches envelope

2 -Create a new Mail Flow Rule using PowerShell:

For an Exchange environment hosting a single tenant

Create a new Mail Flow Rule using the New-TransportRule cmdlet with the following parameters:

New-TransportRule -Name “Mark mails from external” -FromScope NotInOrganization -RecipientDomainIs testlab.local -SenderAddressLocation Envelope -PrependSubject “[EXT]” -Enabled $True

A Short explanation of the used parameters:

-Name:
The name of the rule

-FromScope:
Sets the scope to mails from external. This means mails from sender domains that are not in AcceptedDomains of the Exchange organization or are defined as an External Relay Domain.

-RecipientDomainIs:
The recipient domain you want to mark external mails for.

-SenderAddressLocation:
Set to Envelope to advise Exchange to fetch the sender’s address from the mail-header and not from the from field. Since the from field contains the visual address it can be prone to spoofing attempts. To make sure the real sender’s is address used in the rule use Envelope.

-PrependSubject:
Specify some patterns or words which will be prepended to the subject to tag external mails.

-Enabled:
Activates the rule. If you just want to set up the rule without activating it set the value to $False

For a multi-tenant Exchange environment
Create a new Rule with the parameters below:

New-TransportRule -Name “Mark mails from external” -FromAddressMatchesPatterns “@” -RecipientDomainIs testlab.local -ExceptIfSenderDomainIs testlab.local -PrependSubject “[EXT]” -SenderAddressLocation Envelope -Enabled $True

A Short explanation of the used parameters:

-Name:
The name of the rule.

-FromAddressMatchesPattern:
To catch all mails we give it a common pattern that can be found in all SMTP addresses.

-RecipientDomainIs:
The recipient domain you want to mark external mails for.

-ExcepIfSenderDomainIs:
An exception for your own domain makes sure that your internal mails ( means within the domain you specify here. Not within the Exchange organization! ) will not be marked.

-PrependSubject:
Specify some patterns or words which will be prepended to the subject to tag external mails.

-SenderAddressLocation:
Set to Envelope to advise Exchange to fetch the sender’s address from the mail-header and not from the from field. Since the from field contains the visual address it can be prone to spoofing attempts. To make sure the real sender’s address is used in the rule use Envelope.

-Enabled:
Activates the rule. If you just want to set up the rule without activating it set the value to $False

3 - Summary:

The 1st Mail Flow Rule, which can be used in a single-tenant environment, is triggered when Exchange detects the senders’ domain as a domain that is outside of the Exchange organization.
This means that the senders’ domain is not listed in Accepted Domains or is not configured as an External Relay Domain on the Exchange server.

The 2nd rule, which can be used in a multi-tenant environment ( and also in single-tenant environments ), considers mails from all senders as external emails since the parameter -FromAddressMatchesPattern is filled with the value “@” which matches every SMTP address in the envelope.

This is another fact that underlines the importance to set -SenderAddressLocation to Envelope. We have seen visual sender addresses in the FROM field where just a name without @ was displayed. ( only in mails where a malicious sender pretends to be someone out of the recipients’ organization. Spoofing. )

And here the results:

Mail Flow Rule External

With the parameter -ExceptIfSenderDomainIs filled with your recipient domain emails from your domain to your domain ( internal mails ) will not be tagged as external mails.
Mail Flow Rule Mark External Mail

Find a description on the conditions here: Mail flow rule conditions

Have a nice day!
 

The post Mail Flow Rule Mark External Mail appeared first on Webbanshee.

]]> https://webbanshee.net/mail-flow-rule-mark-external-mail/feed/ 0 3145