Exchange Database Maintenance

Perform Integrity Checks
Exchange performs the automated maintenance tasks on its databases every night. You should still perform a manual integrity check on a quarterly basis. Manual checks let you see if there are any problems with the databases and take corrective action if necessary.

Before performing an integrity check, make sure you have a full backup of the database. In rare situations, performing manual database maintenance can cause database corruption. You also need to make sure you have adequate disk space. If you have to perform any type of repair on the database, you’ll need enough free space on the volume for a full copy of the database, plus another 10 to 20 percent for overhead.

To perform a server-level integrity check, you first need to dismount the Store. In Exchange 2007, open Exchange Management Console and navigate through the console tree to Server Configuration\Mailbox. Next, right-click the database you want to check and select Dismount Database from the shortcut menu. To dismount a database in Exchange 2003, open Exchange System Manager, navigate through the console tree to your store, right-click it, and choose Dismount Store from the shortcut menu.

After the database is dismounted, you can use Isinteg to check for errors in the database. Open a command prompt window, navigate to the \Program Files\Microsoft\Exchange Server\Bin folder, and enter the following command:

isinteg -s <servername> -test allfoldertests

When you run this command, you’ll receive a list of the databases on the server, as Figure 2 shows. Next, enter the number from the list for the database you want to test. Isinteg prompts you for confirmation; press Y to start the tests. If any errors are reported, Isinteg tells you what corrective action to take, and you should perform such actions right away.

If the server-level integrity check with Isinteg doesn’t return any errors, you should perform a database-level integrity check by using Eseutil. To do so, enter the following command:

eseutil /G "<database file path>"

In the above command, you would replace <database file path> with the actual database path (in quotes). For example, the command might be

eseutil /G "Q:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Database.edb"

Isinteg and Eseutil work the same in Exchange 2007 and Exchange 2003.

Check Your Database for Free Space
As already mentioned, Exchange defragments its databases as a part of the nightly maintenance cycle. However, an online defragmentation doesn’t actually shrink the size of the database. Instead, empty database pages, known as free space, are simply grouped together so they can be efficiently reused.

Usually this technique doesn’t present much of a problem, but there are circumstances when you might need to shrink a database. For example, if you moved some mailboxes to a different store as a way of freeing up disk space, you wouldn’t accomplish your goal unless you ran an offline defragmentation afterward.

Even if you aren’t trying to reduce the amount of space consumed by your databases, it’s a good idea to perform a quarterly check to make sure that the databases don’t contain excessive amounts of free space. Generally, free space is considered to be excessive if it occupies more than 15 percent of the total database. The easiest way to find out how much free space is in a database is to search your server’s application log for event ID 1221. As you can see in Figure 3, the Event Properties dialog box tells you how many megabytes of free space are in the database. Use this number along with the database’s total size to figure out the percentage of free space.

If you need to remove free space from a database, you can do so with the Eseutil command. You’ll have to dismount the database first, and be sure to follow the earlier words of caution about having a full backup and enough disk space for a backup copy. You would enter the command

eseutil /D "<database file path>"

where <database file path> is the actual database path.

ASA VPN Tunnel Groups

From Command Line
In this example my main site (123.123.123.123) has changed its IP address to (234.234.234.234), and I need to reconfigure the remote site(s).

1. First, you need to understand a couple of things: for a VPN to work, it needs the IP address of the “Other End” of the tunnel in two places.
a. In the Cryptomap.
b. In a Tunnel Group.

2. First, let's find the cryptomap: connect to the ASA, log in, go to enable mode, then configuration mode.

Sent username “pix”
Type help or ‘?’ for a list of available commands.
RemoteSite>
RemoteSite> enable
Password: ***********
RemoteSite# configure terminal
RemoteSite(config)#

3. To see all the cryptomaps, issue a “show run crypto map” command (you may see more or fewer depending on the number of VPN tunnels you have).
RemoteSite(config)# show run crypto map
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 123.123.123.123 <<<
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 133.133.133.133
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 144.144.144.144
crypto map outside_map 4 set transform-set ESP-3DES-SHA
RemoteSite(config)#

4. From the example above we can see the tunnel we want to change is using “outside_map 2”, so let's remove the entry for the old IP address and put one in for the new IP address.
RemoteSite(config)# no crypto map outside_map 2 set peer 123.123.123.123
WARNING: The crypto map entry will be incomplete!
RemoteSite(config)# crypto map outside_map 2 set peer 234.234.234.234
RemoteSite(config)#

5. That’s the cryptomap changed, now for the tunnel group. You can see all your tunnel groups with a “sho run tun” command.
RemoteSite(config)# sho run tun
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key *****
tunnel-group 123.123.123.123 type ipsec-l2l <<<
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *****
tunnel-group 133.133.133.133 type ipsec-l2l
tunnel-group 133.133.133.133 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 2
tunnel-group 144.144.144.144 type ipsec-l2l
tunnel-group 144.144.144.144 ipsec-attributes
pre-shared-key *****

6. To delete a tunnel group, you use the “clear config tunnel-group” command.

Note: Before you delete it, make sure you know the pre shared key / shared secret – to see this, issue a “more system:running-config” command.

RemoteSite(config)# clear config tunnel-group 123.123.123.123
RemoteSite(config)#

7. Then simply create a new tunnel group, with the new IP address, and the same shared secret / pre shared key as the old one.

RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789

8. Save the new config with a “write mem” command.
RemoteSite(config)# write mem
Building configuration…
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948

9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
RemoteSite(config)#

9. Job done!

Well, that didn’t seem very quick? No, but for the sake of explanation I did go a little deep. If you have multiple sites, just have the following in Notepad.

configure terminal
no crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set peer 234.234.234.234
clear config tunnel-group 123.123.123.123
tunnel-group 234.234.234.234 type ipsec-l2l
tunnel-group 234.234.234.234 ipsec-attributes
pre-shared-key 123456789
write mem
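
A check for the "two places" rule from step 1, as an added example that is not part of the original post: it parses the two listings and reports any crypto map peer without a matching tunnel group, and the reverse. The sample text is constructed from the output above at a half-finished point in the change; naming L2L tunnel groups after the peer address and authenticating with a pre-shared key are assumptions taken from this walkthrough.

```python
import re

# Constructed sample, modelled on the listings above: the crypto map already
# points at the new peer, but the tunnel group still carries the old address.
SHOW_RUN_CRYPTO_MAP = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 234.234.234.234
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""

SHOW_RUN_TUNNEL_GROUP = """\
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key *****
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")


def crypto_map_peers(text):
    """Map each peer address to the (map name, sequence) entries that use it."""
    peers = {}
    for line in text.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            # "set peer" can list more than one address on a single line.
            for addr in m.group(3).split():
                peers.setdefault(addr, []).append((m.group(1), int(m.group(2))))
    return peers


def l2l_tunnel_groups(text):
    """Return {group name: has_pre_shared_key} for site-to-site tunnel groups."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = L2L_RE.match(line)
        if m:
            groups.setdefault(m.group(1), False)
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current = m.group(1)  # following lines belong to this group
            continue
        if line.startswith("tunnel-group "):
            current = None  # some other tunnel-group sub-mode
            continue
        if current in groups and "pre-shared-key" in line:
            groups[current] = True
    return groups


def audit(crypto_text, tunnel_text):
    """List every mismatch between crypto map peers and L2L tunnel groups."""
    peers = crypto_map_peers(crypto_text)
    groups = l2l_tunnel_groups(tunnel_text)
    findings = []
    for addr in sorted(set(peers) - set(groups)):
        entries = ", ".join(f"{name} {seq}" for name, seq in peers[addr])
        findings.append(f"peer {addr} ({entries}) has no tunnel-group")
    for name in sorted(set(groups) - set(peers)):
        findings.append(f"tunnel-group {name} matches no crypto map peer")
    for name in sorted(groups):
        if not groups[name]:
            findings.append(f"tunnel-group {name} has no pre-shared-key")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_RUN_CRYPTO_MAP, SHOW_RUN_TUNNEL_GROUP):
        print(finding)
```

Paste the real output of the two show commands into the two strings before and after the change; an empty result means both places agree.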

How to restore missing user licenses in SBS 2003

1. Look for licstr.cpa & Autolicstr.cpa files under c:\windows\system32 folder.
2. Exclude these two files from being scanned by Anti Virus.
3. Make a backup copy of both files in a different folder.
4. Delete licstr.cpa from c:\windows\system32 folder.
5. Rename autolicstr.cpa file to licstr.cpa.
6. Restart the Licensing Service.
7. Go to Server Management Console -> Licensing and you will have the actual number of CALS.

Exchange Management Console pointing to wrong server “The attempt to connect to http://server.domain.com/PowerShell using “Kerberos” authentication failed”

I came across this error during an Exchange 2010 Unified Messaging deployment. The EMC would not connect:

“The attempt to connect to http://server.domain.com/PowerShell using “Kerberos” authentication failed: connecting to remote server failed with the following error message : The WinRM client cannot complete the operation within the time specified.  Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled.  For more information, see the about_Remote_Troubleshooting Help topic.”

There are various blog posts on the internet around how to fix the connectivity problem to the server, but in this case the server EMC was pointing to had been decommissioned properly and was no longer listed in AD. EMS would connect fine to a different working server.

In my case I had to take two actions to fix it.

Close EMC

Under C:\users\<specific user>\AppData\Roaming\Microsoft\MMC\Exchange Management Console\ there is a config file. Delete it.

In the registry under HKCU\Software\Microsoft\Exchangeserver\v14\AdminTools\NodeStructureSettings, delete the value NodeStructureSettings.

Only after both of these were done did the EMC correctly rediscover an active Exchange 2010 server. If only one or the other is done, the incorrect server information is retained.

“Help and Support” is missing after you upgrade to Windows Server 2003 Service Pack 2

To resolve this problem, reinstall the Help and Support service. To do this, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. At the command prompt, locate the following folder:
    %windir%\PCHealth\HelpCtr\Binaries
  3. At the command prompt, type the following commands, and then press ENTER after each command:
    • HelpSvc.exe /regserver /svchost netsvcs /RAInstall
    • HSCUpd.exe -i hscmui.cab
    • HSCUpd.exe -i hscsp_s3.cab

      Note The following commands do not apply to some language versions of Windows Server 2003:

      • HSCUpd.exe -i hscmui.cab
      • HSCUpd.exe -i hscsp_s3.cab

      The reason is that the Hscmui.cab compressed file is not included in some language versions of Windows Server 2003, such as the Japanese version of Windows Server 2003.

 

Recovering Disk Space on the C: Drive in Small Business Server 2008

SBS 2008 installs all of its features on a single volume (C:). There are tools available to move some of the data to other locations, but a number of folders that remain on the C: volume can continue to grow if left unchecked, and this can potentially consume all the available disk space on the C: drive. Once the C: drive reaches certain low-space thresholds, some services will stop functioning properly on the server, while others will change their behavior to prevent data loss. Usually, administrators realize they have a problem when e-mail flow is impacted: under low disk space conditions, the Exchange Back Pressure feature stops mail flow. Users may experience some of the following errors or non-delivery reports: Error 0x800CCC6C, SMTP_452_NO_SYSTEM_STORAGE, or 452 4.3.1 Insufficient system resources.

These are some of the steps that can be performed to help recover and prevent these issues.

IIS and SBS Logs

(This is expanding on the existing post “Reclaiming Disk Space Lost to IIS Logs on SBS 2003 and SBS 2008”)

By default, all IIS-hosted web sites have logging enabled, which can lead to some large folders in C:\inetpub\logs\LogFiles (review this post in case you have moved your log files). You may also want to stop logging altogether for certain web sites, in particular the “WSUS Administration” web site (Site Id 1372222313). To do this, perform the following steps:

  1. Launch IIS Manager from Administrative Tools.
  2. Expand Server, Sites, and select the WSUS Administration web site.
  3. On the feature panel, click to open Logging.
  4. Click Disable in the Actions panel (rightmost panel)
  5. Repeat the steps for any other web site. Please note that logging may be needed for troubleshooting or auditing purposes on sites that are public facing; this is usually not the case on the WSUS Administration site.

Some of the SBS 2008 log files can grow to very large sizes. All SBS logs are stored in this folder (and subfolders): C:\Program Files\Windows Small Business Server\Logs. Some of the logs that will grow the most and may need trimming are:

  • Console.log, this log will continue to grow while the SBS Console is running.
  • *.evtx files, these are the event logs before the setup of the server completed, they can be safely removed if the server has been in production and had no setup issues.
  • W3wp.log, in the C:\Program Files\Windows Small Business Server\Logs\WebWorkplace folder. This is the log for Remote Web Workplace.
  • The C:\Program Files\Windows Small Business Server\Logs\MonitoringServiceLogs folder. These are the logs for the Windows SBS Manager service.

POP3 Connector Badmail directory

If you are using the POP3 Connector, you may end up with emails that failed to be delivered (rejected by the local Exchange server) in C:\Program Files\Windows Small Business Server\Data\badmail. This folder will be automatically trimmed to 400 MB once it reaches 450 MB once a week.

The licensing log can consume a significant amount of hard disk space

This is discussed in the Windows Small Business Server 2008 Release Documentation.
You can delete the events in the Windows SBS 2008 licensing log to free up additional space on the hard disk drive.

To delete events in the Windows SBS 2008 licensing log

  1. From the server, open a Command Prompt window as an administrator. To do this, click Start, and then in the Search box, type command prompt.
  2. In the list of results, right-click Command Prompt, and then click Run as administrator.
  3. At the command prompt, type the following command: del "%systemroot%\system32\winevt\logs\Microsoft-Windows-Server Infrastructure Licensing*%4Debug.etl.*"

You can also use Registry Editor to disable the licensing log.

  1. Click Start, type regedit, and then press ENTER.
  2. In Registry Editor, locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerInfrastructureLicensing
  3. In the details pane, right-click TraceMask, and then click Modify.
  4. In the Edit DWORD dialog box, change the value for Value data to 0 (zero), and then click OK.
  5. Restart the server.

Windows Server Update Services (WSUS) Server Cleanup Wizard

In WSUS, you can delete unused updates and update revisions, computers not contacting the server, unneeded update files, expired updates and superseded updates. In order to accomplish this, you have to manually go through the WSUS Server Cleanup Wizard.
To run the Server Cleanup Wizard:

  1. In the WSUS administration console (launch it from the Administrative Tools), select Options, and then Server Cleanup Wizard.
  2. By default this wizard will remove unneeded content and computers that have not contacted the server for 30 days or more. Select all possible options, and then click Next.
  3. The wizard will begin the cleanup process and will present a summary of its work when it is finished. Depending on the server performance, this may take a very long time. Click Finish to complete the process.

Very large SharePoint SQL transaction log file

Please read the following KB article for an explanation and instructions on how to prevent this:
2000544 SBS 2008 BPA Reports that The Windows SharePoint Services configuration databases log file is getting large (currently over 1gb in size)

Active Directory Certificate Services transaction log files

When completing a critical or system state backup of the C: volume, a new transaction log will be generated under the c:\windows\system32\certlog folder. Removing these logs is only safe as long as the CA database file is consistent. In order to remove these logs and reclaim disk space, follow these steps:

  1. Open the Services MMC and stop the Active Directory Certificate Services service.
  2. Make a backup copy of ALL the file contents present in the c:\windows\system32\certlog folder.
  3. Delete EDB.CHK and all the files that have an extension of .LOG (*.LOG).
  4. Restart the Active Directory Certificate Services service.

Windows Component Clean Tool

The Windows Component Clean Tool (COMPCLN.exe) can be used to remove the files that are archived after Windows Vista SP2 or Windows Server 2008 SP2 is applied. It also removes the files that were archived after Windows Vista SP1 was applied, if they are found on the system. Running this tool is optional.

Installing Windows Server 2008 service packs increases the amount of disk space that is used by the operating system. This space is used to archive files so that the service pack can be uninstalled. Typically, you should run COMPCLN.exe if you want to reclaim this disk space after applying SP2 and if you will not need to uninstall SP2.

NOTE: You cannot uninstall Windows Vista SP2 or Windows Server 2008 SP2 after you run this tool on an image.

Move Data Wizards

We are not going to focus on these wizards in this post, but as a reference, SBS 2008 provides an automated way of moving the following:

  • Move Exchange Server Data: Moves both the Exchange database file and the Exchange transaction logs for all storage groups.
  • Move Windows SharePoint Services Data: Moves the SharePoint Content and Configuration databases.
  • Move Users’ Shared Data: Moves the C:\Users\Shares directory and all subdirectories.
  • Move Users’ Redirected Documents Data: Moves the C:\Users\FolderRedirections directory and all subdirectories.
  • Move Windows Update Repository Data: Moves the repository data from C:\WSUS\WSUSContent and C:\WSUS\UpdateServicePackages. Please note it does NOT move the SUSDB folder and the WSUS database, which contains the metadata.
  • More Resources:
    Manage Server Storage by using Windows SBS Console
    Moving Data on Windows Small Business Server 2008
    Introducing Server Storage Management in SBS 2008

Update #1 3/3:
Added reference to WSUS Administration web site ID (Site Id 1372222313)
Added reference to Exchange 2007 BackPressure NDRs and errors due to low disk space


From Microsoft Technet

[Post comes to us courtesy of Damian Leibaschoff and Wayne Gordon McIntyre from Commercial Technical Support and Chris Puckett from Product Quality]

Uninstall Internet Explorer 9

To uninstall Internet Explorer 9

The following instructions apply to both Windows 7 and Windows Vista.

  1. Click the Start button, type Programs and Features in the search box, and then click View installed updates in the left pane.
  2. Under Uninstall an update, scroll down to the Microsoft Windows section.
  3. Right-click Windows Internet Explorer 9, click Uninstall, and then, when prompted, click Yes.
  4. Click one of the following:
    • Restart now (to finish the process of uninstalling Internet Explorer 9, and restore the previous version of Internet Explorer).
    • Restart later (to wait until you shut down or restart your computer).
Note

After you uninstall Internet Explorer 9, the previously installed version of Internet Explorer will be available on your computer. It is not necessary to reinstall.

 

Restoring Mailbox Data from a Recovery Database in Exchange 2010

Getting the Database into a Clean Shutdown State

In order for Exchange to mount a database, it needs to be in a clean shutdown state. I’ll use the eseutil tool to play any outstanding transactions into the database to get it clean. Before I begin, I’ll open a command prompt, switch to the directory that contains the database and logs, and use the following command to view the status:

eseutil /mh DB01.edb

When reviewing the output, the database state will be reported as Dirty Shutdown:

What I will do next is perform a soft recovery to get the database consistent. I’ll run the following command to do this:

eseutil /r e01 /d

The /r specifies that I’m doing a soft recovery. The e01 is the log generation prefix for the database. I’m using the /d switch without any arguments to specify the database path, which is in the current directory. Since the logs are also located here, I don’t need to use the /l switch, as it defaults to the current path. Once the operation has completed successfully, I can run eseutil again with the /mh switch to verify the database is in a clean shutdown state:

Now that my database has been restored and brought to a clean shutdown state I can create the Recovery Database.

Creating the Recovery Database

The next step in the process is to create the Recovery database using the database files restored from the backup. To do this, I’ll use the New-MailboxDatabase cmdlet with the following syntax:

New-MailboxDatabase -Name RecoveryDB -EdbFilePath E:\RecoveryDB\E_\DB01\DB01.edb -LogFolderPath E:\RecoveryDB\E_\DB01 -Recovery -Server mbx1

Notice that I’ve specified the path to the database and log files using the location where the database was restored. Also, the key to creating the Recovery database is to make sure you use the -Recovery switch parameter, as shown above. You can see I got a warning message after running the command stating the Recovery database was created using an existing file, and that I need to ensure that the database is in a clean shut down state before I try to mount it. I already did this in the previous step, so I can safely ignore this message and mount the database using the following command:

Mount-Database RecoveryDB

The Recovery database is now mounted, and I’m ready to restore mailbox data.

Finding Mailboxes and Performing a Simple Mailbox Restore

Now that my Recovery database is online, I need to be able to see what mailboxes are available for restores. I can use the Get-MailboxStatistics cmdlet to do this:

Get-MailboxStatistics -Database RecoveryDB

If you’re looking for a specific mailbox, you can filter the results using the following syntax:

Get-MailboxStatistics -Database RecoveryDB | ?{$_.DisplayName -like 'Mike*'}

You can see in this command I’ve used the ? alias for the Where-Object cmdlet. I’m using the -like operator to filter the results and only show me the mailboxes that start with Mike.

When restoring mailbox data from a Recovery database in Exchange 2010 SP1, we use the New-MailboxRestoreRequest cmdlet. When running this cmdlet, the source mailbox in the recovery database needs to be identified using one of three possible values: the DisplayName, MailboxGUID, or LegacyExchangeDN values. Keep in mind that you cannot reference the source mailbox using the Exchange Alias when performing a restore.

So, let’s take a look at the restore process. Based on the previous commands I can see that there is a copy of my mailbox in the Recovery database. To do a complete restore of the mailbox data to the original mailbox that is currently active in the production database I’ll use the following command:

New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox 'Mike Pfeiffer' -TargetMailbox mpfeiffer

Depending on the size of the mailbox, it may take quite some time to perform the restore. I can keep tabs on the progress using the following one-liner:

Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics

Dealing with Multiple Mailboxes with the same DisplayName

It’s possible that a Recovery database will have multiple mailboxes with the same display name. This can happen if there were one or more disconnected versions of a mailbox, in addition to an active mailbox, in the same database during the time of the back up. In this case, you can use the MailboxGuid value to identify the source mailbox when doing a restore. Consider the following:

Get-MailboxStatistics -Database RecoveryDB | ?{$_.DisplayName -like 'Isabel*'} | fl DisplayName,MailboxGuid,DisconnectDate

Here you can see that there are two mailboxes with the same display name in the Recovery database. One has a DisconnectDate defined, meaning it is a disconnected mailbox, and the other one does not, which means it was the active mailbox in the database at the time of the backup. If you run into a scenario where there are multiple mailboxes in a database with the same display name, use the above command to determine the MailboxGuid of each mailbox. You can then use this value to identify the correct mailbox when performing a restore.

New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox 4a1d2118-b8cc-456c-9fd9-cd9af1f549d0 -TargetMailbox ihill

Restoring Individual Mailbox Folders

Here you can see that I am using the -IncludeFolders parameter to specify that only data from the Inbox should be restored from the mailbox in the recovery database:

New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox administrator -TargetMailbox administrator -IncludeFolders '#Inbox#'

The -IncludeFolders will accept a list of one or more mailbox folders. You can specify well-known folder names as well as personal folders using this parameter. Notice that the value needs to be enclosed in hash marks (#). For example, if you wanted to restore only the contacts folder, use #Contacts#, or #Tasks# for the Tasks folder, and so on. For more details, check out the help for this parameter in the TechNet documentation for the New-MailboxRestoreRequest cmdlet. If you simply want to restore a single root folder, check out the -SourceRootFolder parameter.

Restoring to an Archive Mailbox

Restoring a mailbox to a user's archive is as simple as tacking on the -TargetIsArchive switch parameter to our original restore command. Here’s the command and output:

New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox 'Mike Pfeiffer' -TargetMailbox mpfeiffer -TargetIsArchive

Obviously, you’ll need to ensure that the target mailbox has been archive enabled for this to work.

Restoring to an Alternate Mailbox

By default, the New-MailboxRestoreRequest cmdlet looks for a matching LegacyExchangeDN on the source and destination mailbox, or checks to see that an X500 proxy address on the target mailbox corresponds to the LegacyExchangeDN on the source mailbox. This ensures that you do not accidentally restore mailbox data to the wrong location. If you need to restore data to an alternate mailbox, you can use the -AllowLegacyDNMismatch switch parameter:

New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox 'Mike Pfeiffer' -TargetMailbox administrator -TargetRootFolder Restore -AllowLegacyDNMismatch

In this example, I am restoring the data from my mailbox in the recovery database to a sub-folder of the administrator mailbox called Restore. Here’s a screen shot of the administrator mailbox after running the above restore command:

Be careful when restoring to alternate mailboxes. If you omit the -TargetRootFolder parameter, the data will be restored and merged into the existing folders in the target mailbox. On the other hand, that might be exactly what you want — if so, just remove the -TargetRootFolder parameter.

Bulk Restores

You might find yourself in a situation where you need to restore data from all mailboxes in a recovery database. For example, let’s say you need to restore the Contacts folder for all of your mailboxes. In this case, you could use a foreach loop to iterate through each mailbox in the recovery database and restore that particular folder to the active mailboxes:

foreach($mailbox in Get-MailboxStatistics -Database RecoveryDB) {
  New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox $mailbox.DisplayName -TargetMailbox $mailbox.DisplayName -SourceRootFolder Contacts
}

This might take a while; you can monitor the progress using the Get-MailboxRestoreRequest with the -Status parameter:

Get-MailboxRestoreRequest -Status Queued

As you’ve seen, there are a lot of steps and multiple options when it comes to restoring data from a recovery database. Obviously, this is not something you want to learn on the fly when a disaster strikes. I’d highly recommend documenting and testing your restore procedure on a regular basis.

Prevent a user from sending and receiving internet mail in Exchange

1. Create a Distribution Group – let’s call it “DG-NoInternetMail”. Add the recipients you want to prevent from sending internet email as members of the group.

2. Create a Transport Rule

  1. Fire up Exchange console | Organization Configuration | Hub Transport | Transport Rules tab | click New Transport Rule
  2. Enter a name for the rule – e.g. Rule-NoInternetMail
  3. On the Conditions page, select “From a member of a distribution list”
  4. In the rule description, click the link for distribution list (underlined)
  5. Click Add | Select the distribution list “DG-NoInternetMail”
  6. Under Conditions, select a second condition “Sent to users inside or outside the organization”
  7. In the rule description, click Inside (underlined) | change scope to Outside
  8. Click Next
  9. On the Actions page, select “send bounce message to sender with enhanced status code”
  10. If you want to modify the text of the bounced message (optional): In the description, click “Delivery not authorized, message refused” | enter new message text
  11. Click Next | verify the rule conditions and action in the summary
  12. Click New | click Finish

Inbound internet mail: In Exchange Server 2003/2000, you can prevent a recipient from receiving internet mail by requiring authentication to be able to send to the recipient. Internet senders are not authenticated. There are other ways to prevent inbound mail for certain users – like using Recipient Filtering, or generating an invalid email address from a non-existent domain, e.g. foo@nonexistentdomain.corp.

3. Exchange Server 2007 recipients can be set up to require sender authentication to receive email.

Using the Exchange console:
– Recipient Configuration -> select recipient -> recipient properties | Mail Flow Settings tab | Message Delivery Restrictions | Properties
– check “require that senders are authenticated”

Using the shell:

Set-Mailbox "Foo User" -RequireSenderAuthenticationEnabled $true

Additionally, either of the other 2 alternatives mentioned above for Exchange Server 2003/2000 can be used to prevent users from receiving internet email.

Setting delivery restriction based on group membership: Rather than setting up each recipient to receive inbound mail from authenticated senders only, you can get membership of the above distribution group and pipe it into the Set-Mailbox command:

Get-DistributionGroupMember "DG-NoInternetMail" | Set-Mailbox -RequireSenderAuthenticationEnabled $true

4. Use OWA/Outlook to test sending internet mail from a user who is a member of the distribution group.

ASN1 bad tag value met. 0x8009310b

Question:
I get CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b on IIS 7 and I am unable to install my certificate.

Answer:
This can be a result of IIS placing the certificate in the wrong certificate store or forgetting where it places the private key. In many cases it gets placed in the Other People certificate store for the Current User account. Only certificates that are stored in the Personal section of the Local Computer store can be used in IIS.

Option #1: Repair a damaged certificate.

  1. Open up DOS prompt (cmd.exe)
  2. Type: certutil -repairstore my "THUMBPRINT/SERIALNUMBER"
    Note: Also, sometimes the certificate is not available and needs to be imported in order for this command to work.
  3. Go back into the IIS Manager and re-edit the bindings for this site (where you can select the certificate).
    Note: Sometimes, you will get an error, so just ignore the error and try again. When trying again, the certificate may already be selected and nothing else needs to be done.

Option #2: Restore Certificate to the Local Computer Store

  1. Open the Certificate Snap-In from within the MMC (Microsoft Management Console)
    Start -> Run -> Type “mmc” -> File -> Add/Remove Snap-in -> Add -> Certificates
  2. Add Current User account.
    My User Account -> Finish.
  3. Add Local Computer account.
    Computer account -> Local Computer -> Finish.
  4. Close Add Standalone Snap-in.
  5. Click Ok.
  6. Now you should have a screen similar to this:

  7. Drag the certificate that will not install out of the Other People store and drop it under the Local Computer -> Personal -> Certificates.
  8. Do not close out of the MMC at this time.

  9. Open up a command prompt.
    Start -> Run -> Type cmd.
  10. Type: certutil -repairstore my "THUMBPRINT_OF_CERTIFICATE" (with quotes).
  11. You should now have the private key back on the certificate, so now open up IIS and assign it to your website.