Category Archives: PowerShell

Put your DAG into Maintenance

helo!

You install Exchange Cumulative Updates as soon as they arrive, right? You do your daily job while maintaining Mailboxes and Distribution Groups?
Now it is time to get in touch with the upgrade process. Since you already know the details about PAM/SAM from my other blog posts, we can head straight over to installing your next Exchange Cumulative Update.

Important things to note prior to the upgrade:

  • Disable the OS Anti-Virus engine
  • Disable/stop Backup Jobs or Windows Services with active connections to Exchange
  • Check your AD backup with repadmin /showbackup
  • Check your database backup with Get-MailboxDatabase -Status | fl Name,*backup*
  • Check the above output for “Backup in Progress” messages.
  • You use a load balancer? Put the “Real Server” into maintenance / disable the server on the load balancer for new connections
  • You use DNS Round-Robin? Remove the DNS record for the node you want to patch
  • Be aware of any “Relay” DNS records that SMTP devices send messages to.
  • You use Microsoft Operations Manager (SCOM) or any other monitoring solution? Put your Server into Maintenance!
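The checklist above can be turned into a single pre-flight function. The following is an added example and not part of the original post; it assumes the Exchange Management Shell is loaded, that the account can run repadmin.exe, and that the `$MaxBackupAgeHours` threshold is tuned to your own backup SLA. It checks the AD backup, the database backups (including the “Backup in Progress” flag), copy health and transport queues of the node you are about to patch, and returns `$false` if anything needs attention.

```powershell
# Added example (not from the original post): pre-flight checks before patching a DAG node.
# Assumes the Exchange Management Shell is loaded and repadmin.exe is available.
function Test-PreUpgradeState {
    param(
        [Parameter(Mandatory)][string]$ServerName,   # node you are about to patch
        [int]$MaxBackupAgeHours = 24                  # assumed threshold, adjust to your backup SLA
    )
    $problems = @()

    # 1. AD backup: repadmin /showbackup lists the last backup per naming context.
    #    We only check that the call succeeds and show the output for the operator to read.
    $showBackup = & repadmin.exe /showbackup 2>&1
    if ($LASTEXITCODE -ne 0) {
        $problems += "repadmin /showbackup failed: $($showBackup -join ' ')"
    } else {
        $showBackup | Write-Host
    }

    # 2. Database backups: flag copies with a backup still running, never backed up, or too old.
    Get-MailboxDatabase -Server $ServerName -Status | ForEach-Object {
        if ($_.BackupInProgress) { $problems += "$($_.Name): backup in progress" }
        $last = @($_.LastFullBackup, $_.LastIncrementalBackup, $_.LastDifferentialBackup) |
                    Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        if (-not $last) {
            $problems += "$($_.Name): no backup recorded"
        } elseif ($last -lt (Get-Date).AddHours(-$MaxBackupAgeHours)) {
            $problems += "$($_.Name): last backup $last is older than $MaxBackupAgeHours hours"
        }
    }

    # 3. Replication health: do not start while any copy on this node is unhealthy or far behind.
    Get-MailboxDatabaseCopyStatus -Server $ServerName |
        Where-Object { (@('Mounted','Healthy') -notcontains $_.Status) -or $_.CopyQueueLength -gt 10 } |
        ForEach-Object { $problems += "$($_.Name): status $($_.Status), copy queue $($_.CopyQueueLength)" }

    # 4. Transport queues: messages still queued here would be stranded once the node goes offline.
    $queued = (Get-Queue -Server $ServerName |
               Where-Object { $_.DeliveryType -ne 'ShadowRedundancy' } |
               Measure-Object -Property MessageCount -Sum).Sum
    if ($queued -gt 0) { $problems += "$queued messages still queued on $ServerName" }

    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $false
    }
    Write-Host "$ServerName passed the pre-upgrade checks."
    return $true
}

# Usage (replace the placeholder with your node):
# if (Test-PreUpgradeState -ServerName 'YOUR_SERVERNAME_HERE') { 'continue with the maintenance steps' }
```

The load balancer, DNS and monitoring items from the list are deliberately left out: they depend on the product you run, so they stay manual steps here.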
So now we can start over, right?
Not yet buddy! First we need to set the PowerShell Execution Policy to unrestricted
Set-ExecutionPolicy Unrestricted
If your Server does not have Internet access, please disable the option “Check for publisher’s certificate revocation”. This will save you hours of waiting.
[Image: IE_Revocation]

Now lets get started with the fun – ready for copy and paste into your environment:

#Define the Server to update
$ServerName = "YOUR_SERVERNAME_HERE"
#Define the Server (FQDN) where to move the databases and the queued messages
$ServerToSwitch = "YOUR_FQDN_SERVERNAME_HERE"
#Define the DAG Name
$DAGName = "YOUR_DAG_NAME_HERE"
#Set the transport component into maintenance (stop accepting new messages, finish delivering queued ones)
Set-ServerComponentState $ServerName -Component HubTransport -State Draining -Requester Maintenance
#Redirect all queued messages to the server that stays available during maintenance
Redirect-Message -Server $ServerName -Target $ServerToSwitch
#PAM/SAM Move: move the cluster core group (and with it the PAM role) to the other node
Move-ClusterGroup -Cluster $DAGName -Name "Cluster Group" -Node:$ServerToSwitch
#Suspend the cluster node
Suspend-ClusterNode -Name $ServerName
#Do not allow databases to be mounted on this node (PAM and BSCC disabled)
Set-MailboxServer $ServerName -DatabaseCopyActivationDisabledAndMoveNow $true
Set-MailboxServer $ServerName -DatabaseCopyAutoActivationPolicy Blocked
#Set the server offline for all components
Set-ServerComponentState $ServerName -Component ServerWideOffline -State Inactive -Requester Maintenance
#Move all active databases to the defined node
Move-ActiveMailboxDatabase -Server $ServerName -ActivateOnServer $ServerToSwitch
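Before starting the Cumulative Update setup it pays to confirm that every step above actually took effect. The following verification function is an added example, not the post's own code; it assumes the Exchange Management Shell and the FailoverClusters module are loaded and reuses the `$ServerName` / `$DAGName` placeholders from the script above. It checks the component states, the cluster node state, the activation settings, that no database copy is still active on the node, and that the transport queues have drained.

```powershell
# Added example (not from the original post): verify that a DAG node is really in maintenance.
# Assumes the Exchange Management Shell is loaded; the FailoverClusters module is needed for Get-ClusterNode.
Import-Module FailoverClusters -ErrorAction SilentlyContinue

function Test-DagNodeInMaintenance {
    param(
        [Parameter(Mandatory)][string]$ServerName,   # node that was put into maintenance
        [string]$DAGName                              # DAG / cluster name, used when running from another host
    )
    $issues = @()

    # All components should be Inactive, except Monitoring and RecoveryActionsEnabled
    # which are expected to stay Active during maintenance.
    $alwaysActive = @('Monitoring', 'RecoveryActionsEnabled')
    Get-ServerComponentState -Identity $ServerName |
        Where-Object { ($alwaysActive -notcontains $_.Component) -and $_.State -ne 'Inactive' } |
        ForEach-Object { $issues += "Component $($_.Component) is $($_.State), expected Inactive" }

    # The cluster node should be Paused after Suspend-ClusterNode.
    $node = if ($DAGName) { Get-ClusterNode -Cluster $DAGName -Name $ServerName } else { Get-ClusterNode -Name $ServerName }
    if ($node.State -ne 'Paused') { $issues += "Cluster node state is $($node.State), expected Paused" }

    # Database activation must be blocked on this node.
    $mbx = Get-MailboxServer -Identity $ServerName
    if ($mbx.DatabaseCopyAutoActivationPolicy -ne 'Blocked') {
        $issues += "DatabaseCopyAutoActivationPolicy is $($mbx.DatabaseCopyAutoActivationPolicy), expected Blocked"
    }
    if (-not $mbx.DatabaseCopyActivationDisabledAndMoveNow) {
        $issues += "DatabaseCopyActivationDisabledAndMoveNow is not set"
    }

    # No database copy may still be the active copy on this node.
    Get-MailboxDatabaseCopyStatus -Server $ServerName |
        Where-Object { $_.ActiveCopy } |
        ForEach-Object { $issues += "$($_.DatabaseName) is still active on $ServerName" }

    # Transport queues (shadow queues excluded) should be empty after draining and Redirect-Message.
    $queued = (Get-Queue -Server $ServerName |
               Where-Object { $_.DeliveryType -ne 'ShadowRedundancy' } |
               Measure-Object -Property MessageCount -Sum).Sum
    if ($queued -gt 0) { $issues += "$queued messages still queued on $ServerName" }

    if ($issues.Count -gt 0) {
        $issues | ForEach-Object { Write-Warning $_ }
        return $false
    }
    Write-Host "$ServerName is in maintenance; safe to start Setup."
    return $true
}

# Usage, with the placeholders from the script above:
# Test-DagNodeInMaintenance -ServerName $ServerName -DAGName $DAGName
```

Run it once right after the last `Move-ActiveMailboxDatabase`; if it reports issues, fix them before launching the Cumulative Update setup rather than hoping the installer copes with a half-drained node.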

Your EXGuru – aka Peter Forster – aka Satschent Peter

Do you know the Full Access Permissions in your environment? – Be aware if you migrate your Exchange to a newer version!

ehlo!

During Exchange migrations some ‘new’ features can make your day happy – or not. While migrating from Exchange 2007, a new feature in Exchange/Outlook can have a huge impact on your access permissions for mailboxes.

Think about the following scenario:

User A – let's call him EXGuru – should get access to the mailbox of User B. Years ago this permission was assigned on Exchange 2007. The permission was assigned, but the Helpdesk team never added the mailbox to the existing Outlook profile of EXGuru. Nobody (EXGuru, User B or the Helpdesk) remembered that permission.

Now the mailbox is moved to Exchange 2013/2016 and wohooo – the mailbox of User B shows up in the EXGuru Outlook profile. This happens because the existing permissions are migrated and, because of the ‘new’ auto-mapping feature of Exchange, those mailboxes show up even if they were never shown in Exchange 2007.

Normally this shouldn’t be a problem, but eventually it is. With this script you can check the existing permissions and review whether there are still permissions assigned that shouldn’t be. A good place to start is management mailboxes.

Get-Mailbox -Identity <mailbox> | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false -and $_.AccessRights -match "FullAccess" -and ($_.User -notlike 'S-1-5*')} | Select Identity,User,@{Name='AccessRights';Expression={[string]::join(', ', $_.AccessRights)}}
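For a review across many mailboxes the one-liner above is easier to act on as a CSV. The following is an added example and not the post's own code; it applies the same filter to a set of mailboxes, resolves each grantee so that accounts that no longer exist stand out, and writes the result to a file. The `-Filter` value and the output path are assumptions; adjust them to how your management mailboxes are tagged. The second function shows the usual fix for the auto-mapping effect described above: re-granting Full Access with `-AutoMapping $false` keeps the permission but stops Outlook from adding the mailbox automatically.

```powershell
# Added example (not from the original post): Full Access review across a set of mailboxes.
# Assumes the Exchange Management Shell (Exchange 2010 SP1 or later) is loaded.
function Get-FullAccessReport {
    param(
        [string]$Filter  = "CustomAttribute1 -eq 'Management'",   # assumed tagging convention
        [string]$OutFile = 'C:\Temp\FullAccess.csv'                # assumed output path
    )
    Get-Mailbox -Filter $Filter -ResultSize Unlimited | ForEach-Object {
        $mailbox = $_
        Get-MailboxPermission -Identity $mailbox.Identity |
            Where-Object {
                $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and   # skip the owner's own entry
                -not $_.IsInherited -and                           # explicit grants only
                -not $_.Deny -and                                  # allow entries only
                $_.AccessRights -match 'FullAccess' -and
                $_.User -notlike 'S-1-5*'                          # orphaned SIDs are already unresolvable
            } |
            ForEach-Object {
                # Resolve the grantee; an unresolvable entry points at a deleted or renamed account.
                $grantee = Get-Recipient -Identity $_.User.ToString() -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Mailbox      = $mailbox.PrimarySmtpAddress.ToString()
                    User         = $_.User.ToString()
                    GranteeType  = if ($grantee) { $grantee.RecipientType.ToString() } else { 'Unresolved' }
                    AccessRights = ($_.AccessRights -join ', ')
                }
            }
    } | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
}

# Keep the Full Access grant but switch auto-mapping off for one mailbox/user pair.
# Exchange stores the auto-mapping flag when the permission is added, so the grant is removed and re-added.
function Set-FullAccessNoAutoMap {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$User
    )
    Remove-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess -Confirm:$false
    Add-MailboxPermission    -Identity $Mailbox -User $User -AccessRights FullAccess -AutoMapping $false
}

# Usage:
# Get-FullAccessReport                         # review C:\Temp\FullAccess.csv first
# Set-FullAccessNoAutoMap -Mailbox 'UserB' -User 'EXGuru'
```

Review the CSV before changing anything: grants whose `GranteeType` is `Unresolved` are candidates for removal, while grants that are still needed but should not appear in Outlook are the ones to re-add without auto-mapping.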

Your EXGuru – aka Peter Forster – aka Satschent Peter