configure RBAC for restoring mailboxes to recovery database

Request/issue: customer wants to be able to restore mailboxes to a recovery database.
Recommended solution:
Step 1: Find which built-in role contains the Restore-Mailbox role entry. Use this cmdlet to find out:
Get-ManagementRoleEntry "*\Restore-Mailbox" | fl Name,Role
Result:
Name : Restore-Mailbox
Role : Disaster Recovery
Step 2: Create a new role, e.g. ServerAdmins-Restore-Mailbox, that inherits all the role entries of the built-in 'Disaster Recovery' role, for example:
New-ManagementRole -Name 'ServerAdmins-Restore-Mailbox' -Parent 'Disaster Recovery'
Step 3: Add the newly created role to the role group using the shell or ECP.
Note: You can choose to ONLY allow the Restore-Mailbox cmdlet in the "ServerAdmins-Restore-Mailbox" role by using this command:

Add-ManagementRoleEntry "ServerAdmins-Restore-Mailbox\Restore-Mailbox"
Use this command to view the management role entries for the newly created role "ServerAdmins-Restore-Mailbox":
Get-ManagementRoleEntry "ServerAdmins-Restore-Mailbox\*"
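The three steps above as one Exchange Management Shell script. This is an added example, not code from the original notes: the role name 'ServerAdmins-Restore-Mailbox' and the parent 'Disaster Recovery' come from the steps above, while the role group name 'ServerAdmins' is an assumption. Because a child role is created as a full copy of its parent and can only lose entries relative to it, the script strips every entry except Restore-Mailbox after creating the role, which is what leaves the role group with that one cmdlet and nothing else.

```powershell
# Added example (not from the original notes). Assumptions: role group
# 'ServerAdmins' already exists; role name and parent role as in steps 1-3.
$roleName  = 'ServerAdmins-Restore-Mailbox'
$roleGroup = 'ServerAdmins'      # assumed existing role group
$cmdlet    = 'Restore-Mailbox'

# Step 1: find the built-in role that carries the entry (expected: Disaster Recovery).
$parent = [string](Get-ManagementRoleEntry "*\$cmdlet" |
    Select-Object -First 1 -ExpandProperty Role)
if (-not $parent) { throw "No built-in role contains $cmdlet" }

# Step 2: create the child role; it starts with every entry of the parent.
if (-not (Get-ManagementRole $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -Parent $parent | Out-Null
}

# Least privilege: remove everything the parent copied in except Restore-Mailbox.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne $cmdlet } |
    Remove-ManagementRoleEntry -Confirm:$false

# Step 3: assign the role to the role group (shell equivalent of doing it in ECP).
if (-not (Get-ManagementRoleAssignment -Role $roleName -RoleAssignee $roleGroup -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name "$roleName-$roleGroup" `
        -Role $roleName -SecurityGroup $roleGroup | Out-Null
}

# Verify: exactly one entry should remain on the role, and one assignment should exist.
$entries = @(Get-ManagementRoleEntry "$roleName\*")
if ($entries.Count -ne 1 -or $entries[0].Name -ne $cmdlet) {
    Write-Warning "Role $roleName still carries $($entries.Count) entries; review them."
}
$entries | Format-List Name, Role, Parameters
Get-ManagementRoleAssignment -Role $roleName |
    Format-Table Name, RoleAssigneeName, RoleAssigneeType -AutoSize
```

Run it from the Exchange 2010 Management Shell as a user who holds the Role Management role. The final Format-List shows the cmdlet parameters the entry allows, which is what to check if the customer later asks for a narrower scope.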

you do not have sufficient permission to perform this operation on the object

Issue: Customer was getting this error message: "Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on the object."
Finding: Users (owners) who managed groups were put in a universal distribution/security group called grp-groupname. In the AD console, these groups were added as managers under the Managed By tab. This worked in Exchange 2007. However, group owners migrated to Exchange 2010 get permission errors when trying to add a member to the group via Outlook 2007/2010. The Exchange 2010 console now has the Managed By property under the newly added Group Information tab, and as a result a group can no longer be used to manage a security/distribution group, mail-enabled or not. The Exchange 2010 console shows grp-groupname as "object not found".
This problem doesn't apply to groups that have only one owner assigned.
Resolution: In the Exchange Management Console, add the owners of the group under the Managed By property of the Group Information tab. Note that this will upgrade the group to an Exchange 2010 group. Only Exchange 2010 groups allow multiple owners. Customers that want multiple owners for a group will need that group upgraded. Another way to upgrade a group is with this PowerShell cmdlet, which must be run in the Exchange 2010 shell:
Set-DistributionGroup -Identity <groupname> -ForceUpgrade
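The resolution above as a script, added here as an example and not part of the original notes. It takes one distribution group, expands any Managed By entry that is itself a group (the grp-groupname pattern from the finding) into that group's user members, and then writes those users back as owners while forcing the upgrade. The group name 'Sales-DL' is an assumption; nothing is changed unless -Apply is given.

```powershell
# Added example (not from the original notes). Assumed group 'Sales-DL' whose
# Managed By currently points at a group such as 'grp-Sales-DL'.
function Convert-GroupOwnersToUsers {
    param(
        [string]$GroupName = 'Sales-DL',   # assumed
        [switch]$Apply
    )
    $dg = Get-DistributionGroup -Identity $GroupName
    $owners = @()
    foreach ($m in $dg.ManagedBy) {
        # Get-Group resolves any AD group, mail-enabled or not; a user owner returns nothing.
        $g = Get-Group -Identity $m.DistinguishedName -ErrorAction SilentlyContinue
        if ($g) {
            Write-Output "$GroupName is managed by group '$($g.Name)'; expanding its members"
            foreach ($member in $g.Members) {
                $u = Get-User -Identity $member.DistinguishedName -ErrorAction SilentlyContinue
                if ($u) { $owners += $u.DistinguishedName }
            }
        } else {
            $owners += $m.DistinguishedName   # already a user owner, keep it
        }
    }
    $owners = @($owners | Select-Object -Unique)
    if ($owners.Count -eq 0) {
        Write-Warning "No user owners could be resolved for $GroupName; not changing it."
        return
    }
    if ($Apply) {
        # -ForceUpgrade converts the object to an Exchange 2010 group so multiple owners are allowed.
        # -BypassSecurityGroupManagerCheck lets an admin who is not a current owner make the change.
        Set-DistributionGroup -Identity $GroupName -ManagedBy $owners `
            -ForceUpgrade -BypassSecurityGroupManagerCheck
        Get-DistributionGroup -Identity $GroupName | Format-List Name, ManagedBy, ExchangeVersion
    } else {
        Write-Output "Would set owners of $GroupName to: $($owners -join ', ')  (re-run with -Apply)"
    }
}

Convert-GroupOwnersToUsers -GroupName 'Sales-DL'
```

Run it once without -Apply to review the resolved owner list, then with -Apply. The ExchangeVersion shown afterwards confirms the object was upgraded.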

Balancing Active Databases

Server reboots, Domain Controller issues and other interruptions can cause databases to fail over to another healthy copy in the DAG. Since our DAG was designed to keep roughly half of the mailboxes in the Mount Washington Datacenter and the remainder in the East Baltimore Data Center, it is important to be sure that the active databases are balanced and are running on the copy with an activation preference of 1.
To help with this, Exchange 2010 SP1 includes the script RedistributeActiveDatabases.ps1.
To use this script, log on to a Mailbox server in the DAG and go to the scripts directory by entering the following in the Exchange Management Shell:

cd 'E:\Program Files\Microsoft\Exchange Server\Scripts'
To determine which copy each database is currently active on, run the RedistributeActiveDatabases.ps1 script with the following syntax:
.\RedistributeActiveDatabases.ps1 -ShowDatabaseCurrentActives > C:\db.txt
This will output a list detailing the activation preference of each active database to a file on the root of C: called db.txt.
After reviewing this file, you may find that some of the databases are active on lower-preference copies. To rebalance them, run the RedistributeActiveDatabases.ps1 script with the following syntax:
.\RedistributeActiveDatabases.ps1 -DagName <dagname> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution -Confirm:$false
This will attempt to balance the number of active databases on each server by moving them to the copy with an activation preference of 1. Depending on how unbalanced the databases are, this may have to be run more than once.
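The check the script performs, written out in plain Exchange cmdlets so it can be run from any server and reviewed before anything moves. This is an added example, not the Microsoft script and not code from the original notes; the DAG name 'DAG1' is an assumption. It lists every database whose active copy is not its preference-1 copy, and only moves a database when the preferred copy is reported Healthy with a healthy content index.

```powershell
# Added example (not from the original notes). Assumed DAG name 'DAG1'.
function Get-OffPreferenceDatabase {
    param([string]$DagName = 'DAG1')   # assumed
    $dagServers = (Get-DatabaseAvailabilityGroup -Identity $DagName).Servers |
        ForEach-Object { $_.Name }
    foreach ($db in Get-MailboxDatabase -Status) {
        # -Status populates .Server with the server the database is mounted on.
        $active = $db.Server.Name
        if ($dagServers -notcontains $active) { continue }
        # ActivationPreference is a list of (server, preference) pairs.
        $currentPref = ($db.ActivationPreference | Where-Object { $_.Key.Name -eq $active }).Value
        $preferred   = ($db.ActivationPreference | Where-Object { $_.Value -eq 1 }).Key.Name
        if ($currentPref -ne 1) {
            New-Object PSObject -Property @{
                Database        = $db.Name
                ActiveOn        = $active
                Preference      = $currentPref
                PreferredServer = $preferred
            }
        }
    }
}

function Move-DatabaseToPreferredCopy {
    param([string]$DagName = 'DAG1', [switch]$Apply)
    foreach ($row in Get-OffPreferenceDatabase -DagName $DagName) {
        $copy = Get-MailboxDatabaseCopyStatus -Identity "$($row.Database)\$($row.PreferredServer)"
        if ($copy.Status -ne 'Healthy' -or $copy.ContentIndexState -ne 'Healthy') {
            Write-Warning ("{0}: preferred copy on {1} is {2}/{3}; skipping" -f
                $row.Database, $row.PreferredServer, $copy.Status, $copy.ContentIndexState)
            continue
        }
        if ($Apply) {
            Move-ActiveMailboxDatabase -Identity $row.Database `
                -ActivateOnServer $row.PreferredServer -Confirm:$false
        } else {
            Write-Output ("Would move {0} from {1} (pref {2}) to {3}" -f
                $row.Database, $row.ActiveOn, $row.Preference, $row.PreferredServer)
        }
    }
}

Get-OffPreferenceDatabase | Format-Table Database, ActiveOn, Preference, PreferredServer -AutoSize
Move-DatabaseToPreferredCopy            # dry run; add -Apply to move
```

Unlike the bulk script, this moves one database at a time and refuses to activate a copy whose index is failed, which ties in with the content index checks later in these notes.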

could not establish TLS/SSL session to IMAP4/POP3

Issue/Error message: "A certificate for the hostname 'imap.domain.com' could not be found. SSL or TLS encryption cannot be made to the IMAP service."
Synopsis: The certificate was present in the certificate store for the computer account, and nothing else had any trouble recognizing it. Even the Exchange console recognized it just fine, but the service just would not take it on start.
Resolution: Figured out that the IMAP/POP services required SMTP as part of the services when assigning services to the certificate. Re-enabled the Exchange certificate with IMAP and POP, which automatically added SMTP as well. Restarted the IMAP and POP3 services and everything started working.
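The resolution as a repeatable check, added here as an example and not code from the original notes. It looks up the valid certificate that covers the hostname from the error, verifies that IMAP, POP and SMTP are all assigned to it, enables the missing services, binds the IMAP and POP services to that hostname and restarts them. The hostname imap.domain.com is taken from the error message above; using the same name for POP is an assumption.

```powershell
# Added example (not from the original notes). Assumes the POP service is
# published under the same hostname as IMAP.
$fqdn = 'imap.domain.com'
$need = 'IMAP', 'POP', 'SMTP'   # IMAP/POP only work when SMTP is also assigned

# Pick the valid certificate covering the hostname with the latest expiry.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $fqdn -and $_.Status -eq 'Valid' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate in the local store covers $fqdn" }

# .Services is a flags value; its string form reads like "IMAP, POP, IIS, SMTP".
$missing = $need | Where-Object { "$($cert.Services)" -notmatch $_ }
if ($missing) {
    Write-Output "Certificate $($cert.Thumbprint) is missing: $($missing -join ', '); enabling"
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ($need -join ',') -Confirm:$false
}

# Tell the IMAP and POP services which certificate name to present.
Set-ImapSettings -X509CertificateName $fqdn
Set-PopSettings  -X509CertificateName $fqdn
Restart-Service MSExchangeIMAP4, MSExchangePOP3

# Verify the binding and service assignment after the restart.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
Get-ImapSettings | Format-List X509CertificateName, SSLBindings
Get-PopSettings  | Format-List X509CertificateName, SSLBindings
```

If the Get-ExchangeCertificate output still lacks SMTP after Enable-ExchangeCertificate, the services were not applied and the IMAP service will fail again on the next restart with the same error.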

Managing Database Content Index State

From time to time the search indexes on database copies in Exchange 2010 will become corrupt. This will prevent the Activation Manager in the DAG from being able to fail the active database over to that copy.

You can determine whether any database copies have a Content Index State of Failed by running the following cmdlet in the Exchange Management Shell:

Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus | where { $_.ContentIndexState -eq "Failed" }

If any copies report a failed Content Index State, they will need to be repaired.

Mounted (active) databases cannot be updated with the Update-MailboxDatabaseCopy cmdlet. All passive copies reporting as failed can be updated with this cmdlet:

Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus | where { ($_.ContentIndexState -eq "Failed") -and ($_.Status -ne "Mounted") } | Update-MailboxDatabaseCopy -CatalogOnly
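The two one-liners above as a small function, added here as an example and not code from the original notes. It separates passive copies (which get a catalog-only reseed) from the mounted copy (which cannot be updated this way and is reported instead), runs as a dry run unless -Apply is given, and re-checks afterwards so anything still failed, together with its error message, is returned for follow-up.

```powershell
# Added example (not from the original notes). No names are assumed; it acts on
# every database copy the shell can see.
function Repair-FailedContentIndex {
    param([switch]$Apply)

    $failed = Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus |
        Where-Object { $_.ContentIndexState -eq 'Failed' }

    foreach ($copy in $failed) {
        # $copy.Name is "Database\Server"; $copy.Status is Mounted for the active copy.
        if ($copy.Status -eq 'Mounted') {
            Write-Warning "$($copy.Name) is the active copy; Update-MailboxDatabaseCopy cannot reseed its catalog. Activate another healthy copy first, then reseed this one as a passive copy."
            continue
        }
        if ($Apply) {
            # -CatalogOnly reseeds just the search catalog, not the database files.
            Update-MailboxDatabaseCopy -Identity $copy.Identity -CatalogOnly -Confirm:$false
        } else {
            Write-Output "Would reseed the catalog of $($copy.Name) (status $($copy.Status)); re-run with -Apply"
        }
    }

    # Re-check and return whatever is still failed, with the reason the index reports.
    Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus |
        Where-Object { $_.ContentIndexState -eq 'Failed' } |
        Select-Object Name, Status, ContentIndexState, ContentIndexErrorMessage
}

Repair-FailedContentIndex | Format-Table -AutoSize     # dry run
```

Because the re-check runs immediately after the reseed is queued, copies may still show Crawling rather than Healthy for a while; only entries that remain Failed need attention.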