O-Xchange Notes from the Field!

Tuesday, October 27, 2009

Assign send-as, receive-as and administer info store permissions

Assigning send-as, receive-as, and administer information store permissions to a user account, for eg besadmin
use this powershell script:
get-mailboxserver "servername" | add-adpermission -user besadmin -accessrights GenericRead, GenericWrite -extendedrights Send-As, Receive-As, ms-Exch-Store-Admin

Monday, October 26, 2009

Configuring Exchange Impersonation

Exchange Impersonation enables a caller to impersonate a given account so that a caller can perform operations by using the permissions that are associated with the impersonated account instead of the permissions that are associated with the caller's account. Microsoft Exchange Server 2007 provides two Active Directory directory service extended permissions that are used to determine which callers can perform Exchange Impersonation calls and which accounts can be impersonated by the caller.
This procedure grants fasapprov1 permission to impersonate fasaptest1
Add-ADPermission -Identity "username" -User "Username2" -extendedRight ms-Exch-EPI-May-Impersonate
See article link below to see step by step configuration instructions

Wednesday, October 21, 2009

Exchange is unable to mount the database that you specified

Issue: Exchange is unable to mount the database that you specified. Specified database: Server\EXVS25SG1\Mailbox; Error code: MapiExceptionCallFailed: Unable to mount database. (hr=0x80004005, ec=-2147467259)


Error was due to lag in AD replication. Whenever a new mailstore is created, it updates the config in AD. Trying to mount too soon may reproduce the error stated above. So wait about 5 to 10mins and try to mount it again. It should mount OK

Tuesday, October 6, 2009

How to exclude domain controllers from AD access list in Exchange

Exchange server 2007 relies extensively on Active directory. All directory lookups are done using the MS Exchange AD topology DS access service.
For optimal lookups performance in exchange, use this powershell script to exclude some domain controllers that are not required for optimal directory lookups and performance. You will choose the DC exclusion list based on the datacenter your exchange servers are homed. Note that The excluded domain controllers list is based on recommendations from the Active Directory team:
This script must be run in Exchange 2007 management shell. It's recommended that you run this script on all your exchange servers.

Set-ExchangeServer -Identity exchsrv1 -StaticConfigDomainController $null -StaticDomainControllers $null -StaticGlobalCatalogs $null -StaticExcludedDomainControllers dc1.domain.com,dc2.domain.com
Step by Step Configuration Steps:
1. Run the powershell script on the active node of your cluster. Remember to use the exchange server cluster name as the identity for Set-Exchangeserver command
2. Restart MSExchange Topology service. This will also restart transport log search, service host, search indexer, replication service, mail submission and mailbox assistants)
3. Verify by going to the exchange console, right click on cluster properties, system settings. You will see only domain controllers in the list
4. Repeat the same procedure for the passive node of your cluster
4. You have completed the change

Thursday, October 1, 2009

create or renew self-signed certificate on Exchange server 2007

After creating a new hub transport server(or any exchange 2007 server), a new self-signed certificate with the server name is created
THis cert can be used to establish TLS connections. However, if service TLS setting advertises with a different FQDN, the domain name must be included during certificate creation in exchange
for eg, to create a certificate for SMTP services using 2 domain names, use the following command
get-exchangecertificate | New-ExchangeCertificate -DomainName "servername", "publicname" -FriendlyName MSExchange

the certificate will be created with multi-domain names. In this case, server name and the public name
this resolves event 12014 on a hub transport server