troubleshooting Outlook logon prompt for users

Synopsis: a group of Outlook users homed on Exchange 2007 reported logon prompt issues. Users who are already logged in to the domain get prompted for credentials when launching Outlook. In some cases users log in successfully but receive logon prompts intermittently.
Systems/Software Affected: Outlook 2007, Outlook 2010, Exchange 2007
Things to check on the Exchange 2007 CAS servers when such issues happen:
1. Please note that the issue could be related to a reboot of a Domain Controller. Confirm with the AD team prior to troubleshooting.
2. The issue is also likely related to the Offline Address Book (OAB).
Log in to the Exchange 2007 CAS servers and confirm the following:
1. Launch IIS Manager and expand the Default Web Site.
2. Right-click OAB, Properties, Directory Security.
3. Make sure Integrated Windows Authentication and Basic Authentication are checked.
4. Go to the Exchange installation folder, for example E:\Program Files\Exchange Server\Client Access.
5. Right-click the OAB folder, Properties, and ensure that Authenticated Users is in the ACL and that the group has at least Read & Execute rights.
6. If all the settings are correct, you are done with your checks. If not, make the changes and run iisreset /noforce from the command prompt.
 
As part of the test, you can type this URL to verify that you can reach the OAB XML file:
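The two checks above (IIS authentication on the OAB virtual directory and the NTFS ACL on the OAB folder) can be scripted instead of clicked through. The following is an added example, not part of the original notes: it runs in the Exchange 2007 Management Shell on a CAS server, uses Get-OabVirtualDirectory for the authentication flags, and Get-Acl for the folder permission. The folder path in $OabFolder is a placeholder for the path shown in step 4 and must be adjusted to the local install.

```powershell
# Added example (not from the original notes). Assumes the Exchange 2007 Management Shell is
# loaded on the CAS server and that $OabFolder points at the OAB folder under Client Access
# (placeholder path; adjust to the local installation drive/folder).
$OabFolder        = 'E:\Program Files\Exchange Server\Client Access\OAB'
$requiredIdentity = 'NT AUTHORITY\Authenticated Users'

# Check 1: Basic and Integrated Windows authentication on every OAB virtual directory
# (the same settings as the Directory Security tab in IIS Manager).
Get-OabVirtualDirectory | Select-Object Server, Name, BasicAuthentication, WindowsAuthentication,
    @{Name = 'AuthCheck'; Expression = {
        if ($_.BasicAuthentication -and $_.WindowsAuthentication) { 'OK' }
        else { 'FIX: enable Basic + Integrated Windows auth, then iisreset /noforce' }
    }}

# Check 2: Authenticated Users must have at least Read & Execute on the OAB folder.
$acl      = Get-Acl -Path $OabFolder
$readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$entry    = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $requiredIdentity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readExec) -eq $readExec)   # FullControl/Modify also satisfy this
}
if ($entry) {
    "OK: $requiredIdentity has Read & Execute (or better) on $OabFolder"
} else {
    "FIX: grant $requiredIdentity Read & Execute on $OabFolder, then run iisreset /noforce"
}
```

The ACL test uses a bitwise check so that broader allow entries (Modify, FullControl) count as satisfying Read & Execute; explicit Deny entries are not evaluated, so a Deny on the same identity would still need a manual look.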

Resolving Quarantined Mailboxes in Exchange 2010

Exchange 2010 has a security measure for when it comes across a 'poisoned' mailbox in its Information Store database. If it deems the mailbox 'dirty' or 'poisoned', it will quarantine the mailbox. This keeps the store safe from corruption and crashing.
Usually, quarantined mailboxes will be released after some hours (2-6 hrs). In some cases that may not be acceptable, as the user will have to stay without access to email.
You can follow these steps to resolve it if critical (you must be an admin to do these):
1. Run Get-MailboxStatistics -Identity 'username' | fl
2. Copy the mailbox GUID and keep it handy.
3. Open the registry and navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Private-(DB GUID)\QuarantinedMailboxes\(Mailbox GUID)
4. Delete the key.
5. Restart the Information Store.
6. Run an IISRESET.
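The six steps above can be done from the Exchange 2010 Management Shell on the mailbox server. This is an added example, not code from the original notes: it resolves the mailbox and database GUIDs, locates the quarantine key under the MSExchangeIS key using the layout given in step 3, and only deletes it and restarts the store and IIS when called with -Remove. Because the exact formatting of the GUIDs in the key names is not shown in the notes, the key lookup matches on the GUID as a substring so that both braced and unbraced key names are found; the function name is an assumption.

```powershell
# Added example (not from the original notes). Run in the Exchange 2010 Management Shell
# on the mailbox server hosting the active copy. Without -Remove it only reports.
function Release-QuarantinedMailbox {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [switch]$Remove
    )

    # Steps 1-2: mailbox GUID, plus the database GUID needed for the Private-* key name
    $stats   = Get-MailboxStatistics -Identity $Mailbox
    $db      = Get-MailboxDatabase -Identity $stats.Database
    $mbxGuid = $stats.MailboxGuid.ToString()
    $dbGuid  = $db.Guid.ToString()
    $server  = $stats.ServerName

    # Step 3: walk the key path from the notes; substring match tolerates brace formatting
    $isRoot = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$server"
    if (-not (Test-Path $isRoot)) {
        throw "Information Store key for $server not found; run this on that mailbox server."
    }
    $dbKey = Get-ChildItem $isRoot | Where-Object { $_.PSChildName -like "Private-*$dbGuid*" }
    if (-not $dbKey) { "No Private-* key for database $($db.Name) ($dbGuid)."; return }

    $qPath = Join-Path $dbKey.PSPath 'QuarantinedMailboxes'
    if (-not (Test-Path $qPath)) { "No QuarantinedMailboxes key under $($dbKey.PSChildName); nothing quarantined."; return }

    $mbxKey = Get-ChildItem $qPath | Where-Object { $_.PSChildName -like "*$mbxGuid*" }
    if (-not $mbxKey) { "Mailbox $Mailbox ($mbxGuid) is not quarantined."; return }

    "Quarantine key found: $($mbxKey.Name)"
    if (-not $Remove) { "Re-run with -Remove to delete the key and restart the Information Store."; return }

    # Steps 4-6: delete the key, restart the store, reset IIS
    Remove-Item -Path $mbxKey.PSPath -Recurse
    Restart-Service MSExchangeIS
    iisreset /noforce
}

# Usage: Release-QuarantinedMailbox -Mailbox 'username'          (report only)
#        Release-QuarantinedMailbox -Mailbox 'username' -Remove  (release the mailbox)
```

Restarting MSExchangeIS dismounts every database on that server, so the -Remove path should be run in a maintenance window or on a server whose other databases have been switched to another DAG member first.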

 
 
Important repair considerations:
Consider repairing the mailbox upon expiration of the 6 hr quarantine (release of the mailbox from quarantine).
 
A. This example detects and repairs the folder view for the mailbox obtest@domain.com:
New-MailboxRepairRequest -Mailbox obtest@domain.com -CorruptionType FolderView
 
 
B. This example detects and repairs all corruption types for mailboxes that have CustomAttribute2 set to RepairCorruption:
 
Get-Mailbox -Filter {CustomAttribute2 -like "RepairCorruption"} | New-MailboxRepairRequest -CorruptionType SearchFolder,AggregateCounts,ProvisionedFolder,FolderView
 
During the repair operation, there will be no mailbox access for the user.
 

The output of New-MailboxRepairRequest is a series of events with a source of "MSExchangeIS Mailbox Store" in the Application log of the mailbox server; watch for the following Event IDs related to a repair request: "0044,10045,01146,10047,10048,10049,10050,10051,10059,10062".
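Since the repair request itself returns nothing useful and the user is locked out of the mailbox while it runs, it helps to submit the request and collect the resulting events in one step. The following is an added example, not from the original notes: it issues the request for one mailbox, waits, and then reads the "MSExchangeIS Mailbox Store" events from the mailbox server's Application log. The event ID set is assumed to be the documented repair request range 10044 through 10051 plus 10059 and 10062; the function name and the default wait time are assumptions.

```powershell
# Added example (not from the original notes). Run in the Exchange 2010 Management Shell.
function Start-MailboxRepairAndWatch {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [string[]]$CorruptionType = @('SearchFolder', 'AggregateCounts', 'ProvisionedFolder', 'FolderView'),
        [int]$WaitMinutes = 10   # assumed default; large mailboxes take longer
    )

    # Event IDs logged by the Information Store for a repair request (assumed documented set)
    $repairEventIds = @(10044..10051) + @(10059, 10062)

    # The events land on the server hosting the mailbox, not necessarily where the shell runs
    $server = (Get-MailboxStatistics -Identity $Mailbox).ServerName
    $start  = Get-Date

    New-MailboxRepairRequest -Mailbox $Mailbox -CorruptionType $CorruptionType

    # The repair runs in the background; give it time, then pull only the relevant events
    Start-Sleep -Seconds ($WaitMinutes * 60)
    Get-EventLog -LogName Application -ComputerName $server -After $start |
        Where-Object { $_.Source -eq 'MSExchangeIS Mailbox Store' -and $repairEventIds -contains $_.EventID } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID, @{Name = 'Summary'; Expression = { $_.Message.Split("`n")[0] }}
}

# Usage: Start-MailboxRepairAndWatch -Mailbox obtest@domain.com -CorruptionType FolderView
```

If the list comes back empty, the request has most likely not finished yet; re-run the Get-EventLog part with the same -After timestamp rather than submitting a second repair request.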

Apply ad permission to multiple databases at once

Apply an AD permission to multiple databases at once using these steps:
 
Scenario: the customer wants an admin account to have Receive-As permission on all databases whose names start with "on".
 
Solution: use this PowerShell one-liner:
 
Get-MailboxDatabase | Where-Object {$_.Identity -like "on*"} | Add-ADPermission -User "admin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin -InheritanceType 'All'
 

Single Item Recovery

Get-Mailbox mailboxname | fl singleitem*
–To set single item recovery on all users in a specific database run the following command:
Get-Mailbox -Database <DatabaseName> | Set-Mailbox -SingleItemRecoveryEnabled $true
–And for newly created mailboxes (24h):
Get-Mailbox -Database <DatabaseName> | Where { $_.WhenCreated -gt (get-date).adddays(-1) } | Set-Mailbox -SingleItemRecoveryEnabled $true
  
–Enabling Single Item Recovery
( By Server)
Get-Mailbox -Server servername| Set-Mailbox -SingleItemRecoveryEnabled $true
(By Database)
Get-mailbox -database dbname | Set-Mailbox -SingleItemRecoveryEnabled $true

configure RBAC for restoring mailboxes to recovery database

Request/issue: the customer wants to be able to restore mailboxes to a recovery database.
Recommended solution:
Step 1: Find which role has the role entry.
Use this cmdlet to find out:
Get-ManagementRoleEntry "*\Restore-Mailbox" | fl Name,Role
result:
Name : Restore-Mailbox
Role : Disaster recovery
Step 2: Create a new role, for example ServerAdmins-Restore-Mailbox, that inherits all the permissions of the built-in 'Disaster Recovery' role:
New-ManagementRole -Name 'ServerAdmins-Restore-Mailbox' -Parent 'Disaster Recovery'
Step 3: Add the newly created role to the role group using the shell or ECP.
Note: You can choose to ONLY allow the Restore-Mailbox cmdlet in the "ServerAdmins-Restore-Mailbox" role
by using this command:

Add-ManagementRoleEntry "ServerAdmins-Restore-Mailbox\Restore-Mailbox"
Use this command to view the management role entries for the newly created role "ServerAdmins-Restore-Mailbox":
Get-ManagementRoleEntry "ServerAdmins-Restore-Mailbox\*"
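Putting the three steps together, here is the whole delegation as one script. This is an added example, not from the original notes: it creates the child role, strips every entry except Restore-Mailbox so the role really grants only that cmdlet (a child role created with -Parent starts with all of the parent's entries, so the trimming is done with Remove-ManagementRoleEntry), and assigns it through a dedicated role group. The role group name and member are placeholders.

```powershell
# Added example (not from the original notes). Run in the Exchange 2010 Management Shell
# as an Organization Management member.
$roleName  = 'ServerAdmins-Restore-Mailbox'
$groupName = 'ServerAdmins-RDB-Restore'   # placeholder role group name
$members   = @('svr-admin1')              # placeholder member(s)

# Step 1: confirm which built-in role carries the entry
Get-ManagementRoleEntry "*\Restore-Mailbox" | Format-List Name, Role

# Step 2: child role, initially holding every entry of Disaster Recovery
New-ManagementRole -Name $roleName -Parent 'Disaster Recovery'

# Least privilege: drop everything except Restore-Mailbox from the new role
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne 'Restore-Mailbox' } |
    Remove-ManagementRoleEntry -Confirm:$false

# Step 3: assign the role through its own role group rather than a broad existing one
New-RoleGroup -Name $groupName -Roles $roleName -Members $members

# Verify: exactly one entry should remain on the role
Get-ManagementRoleEntry "$roleName\*" | Format-Table Name, Role
```

Members of the new role group can then run Restore-Mailbox and nothing else from the Disaster Recovery role; any later need for Get-MailboxDatabase or similar read cmdlets is better met by adding a separate read-only role to the group than by widening this one.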

you do not have sufficient permission to perform this operation on the object

Issue: the customer was getting this error message: "Changes to the public group membership cannot be saved. You do not have sufficient permission to perform this operation on the object."
Finding: users (owners) who managed groups were put in a universal distribution/security group called grp-groupname. In the AD console, that group was added as the manager under the Managed By tab. This worked OK in Exchange 2007. However, group owners that are migrated to Exchange 2010 get permission errors trying to add a member to the group via Outlook 2007/2010. The Exchange 2010 console now has the Managed By property on the newly added Group Information tab, and as a result one can't use a group to manage a security/distribution group, mail-enabled or not. The Exchange 2010 console shows grp-groupname as "object not found".
This problem doesn't apply to groups that have only one owner assigned.
Resolution: in the Exchange Management Console, add the owners of the group under the Managed By property of the Group Information tab. Note that this will upgrade the group to an Exchange 2010 group. Only Exchange 2010 groups allow multiple owners. Customers that want multiple owners for a group will need that group upgraded. Another way to upgrade a group is with this PowerShell cmdlet; you must run it in the Exchange 2010 shell:
Set-DistributionGroup -Identity '<GroupName>' -ForceUpgrade
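To find every group in the org that is still managed through a group object before the owners are migrated, the check can be scripted. This is an added example, not from the original notes: it walks all distribution groups, resolves each ManagedBy entry with Get-Group (which also finds groups that are not mail-enabled), and reports the groups whose owner list contains a group. It only reports; the fix stays the manual one described above.

```powershell
# Added example (not from the original notes). Run in the Exchange 2010 Management Shell.
function Find-GroupManagedGroups {
    Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
        $group = $_
        foreach ($owner in $group.ManagedBy) {
            # Get-Group returns AD groups whether or not they are mail-enabled;
            # for a user owner it returns nothing, which is the healthy case.
            $asGroup = Get-Group -Identity $owner.ToString() -ErrorAction SilentlyContinue
            if ($asGroup) {
                New-Object PSObject -Property @{
                    Group      = $group.Name
                    OwnerGroup = $asGroup.Name
                    Action     = 'Replace with individual owners in Managed By, which upgrades the group'
                }
            }
        }
    }
}

# Usage: Find-GroupManagedGroups | Format-Table Group, OwnerGroup, Action -AutoSize
```

For each reported group the remediation is the one in the resolution above: set the individual owners on the Managed By property (or Set-DistributionGroup -ManagedBy with the list of users plus -ForceUpgrade), which converts the group to an Exchange 2010 group.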

Managing Database Content Index State

From time to time the search indexes on Database copies in Exchange 2010 will become corrupt.  This will prevent the Activation Manager in the DAG from being able to “fail” the active database to that copy.
 
You can determine if any DB Copies have a Content Index State of failed by running the following cmdlet in the Exchange Management Shell:
 

Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus | Where { $_.ContentIndexState -like "Failed" }

If any copies report as having a failed Content Index State, they will need to be repaired.
 
Mounted databases cannot be updated with the Update-MailboxDatabaseCopy cmdlet. All copies reporting as failed can be updated with this cmdlet:

Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus | Where { ($_.ContentIndexState -like "Failed") -and ($_.Status -ne "Mounted") } | Update-MailboxDatabaseCopy -CatalogOnly