Monday, October 19, 2009

Exchange Remote Connectivity Analyzer out of beta!

More info at the MS Exchange Team Blog!

Shawn and Brad work hard every day on the RCA tool, taking input from Exchange administrators, consultants, and the product development and support teams to build a tool that will help anyone work through Exchange connectivity issues. Great tool, great guys, and they are really responsive. The newest updates (specifically the CAPTCHA) are a big win for everyone!

https://www.testexchangeconnectivity.com/

I also really like the ability to manually specify server settings. Great work guys!


Tuesday, October 13, 2009

Exchange 2010 - What is an arbitration mailbox?

If you found this by searching, you most likely found out about arbitration mailboxes the way most people will: either by accidentally deleting them, or by discovering that you need to move, disable, or remove them in order to delete a database, uninstall Exchange 2010, or remove the Mailbox role.

From TechNet:
"Arbitration mailboxes are used for managing approval workflow. For example, an arbitration mailbox is used for handling moderated recipients and distribution group membership approval."

This is part of the Moderated Transport features that are new in Exchange 2010.

A lot more information about using arbitration mailboxes can be found here: Understanding Moderated Transport

In short, arbitration mailboxes are where messages awaiting moderation are stored and where information about moderator decisions is kept.

Now back to getting over the two most common immediate needs for arbitration mailboxes.

I deleted my arbitration accounts from my AD
This isn't really all that bad. I did it the first time I installed Ex2010 and had a panic moment before I found the fixes. Pretty simply, you need to rerun the AD preparation steps from the 2010 media.

Setup.com /PrepareAD
Setup.com /PrepareSchema
Setup.com /PrepareDomain

Only /PrepareAD is required to recreate these accounts, but I left the other steps in here as well just for documentation's sake.

I am trying to remove Exchange 2010, or a database, or the Mailbox role and am being told there are arbitration mailboxes preventing me from continuing
This is also not too bad. When you try to remove the first DB in Exchange 2010, there are a few arbitration mailboxes that will prevent database deletion. You have the choice of moving, removing, or mail-disabling these mailboxes. Since you cannot see these in the Exchange Management Console, you need to launch the Exchange Management Shell (EMS):

Get-Mailbox -Arbitration

This will list the arbitration mailboxes. To narrow it down to a specific database, you can edit this to:

Get-Mailbox -Arbitration -Database DB1

If you are used to PowerShell cmdlets in Exchange 2007, one big change to recall here is that specifying servername\databasename won't work anymore. This is one of the reasons why the database names need to be unique to the organization - so you don't have to specify servers anymore!

Once you have your "get" command returning the correct list of mailboxes, it's time to move, disable or remove them. Disabling the last arbitration mailbox is not allowed, so I recommend moving them as the first preference here.

Move:
Get-Mailbox -Arbitration -Database db1 | New-MoveRequest -TargetDatabase db2

Disable:
Get-Mailbox -Arbitration -Database db1 | Disable-Mailbox -Arbitration

Remove:
Get-Mailbox -Arbitration -Database db1 | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed
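The move option above, carried through to the point where the source database is actually clear, as an added example that is not part of the original post. The database names DB1 and DB2 and the 30-second polling interval are placeholders; run it from the Exchange Management Shell.

```powershell
# Added example: move every arbitration mailbox off a database and confirm
# the database is clear before deleting it. DB1/DB2 are placeholder names.
$source = 'DB1'
$target = 'DB2'

# 1. Inventory the arbitration mailboxes still homed on the source database.
$arb = @(Get-Mailbox -Arbitration -Database $source)
if ($arb.Count -eq 0) {
    Write-Host "No arbitration mailboxes on $source."
    return
}
$arb | Format-Table Name, Database, ServerName -AutoSize

# 2. Dry run: show what would be moved without changing anything.
$arb | New-MoveRequest -TargetDatabase $target -WhatIf

# 3. Queue the real moves.
$arb | New-MoveRequest -TargetDatabase $target | Out-Null

# 4. Poll only the requests created above until each one finishes or fails.
do {
    Start-Sleep -Seconds 30
    $requests = @($arb | ForEach-Object {
        Get-MoveRequest -Identity $_.DistinguishedName
    })
    $failed  = @($requests | Where-Object { $_.Status -eq 'Failed' })
    $pending = @($requests | Where-Object {
        $_.Status -notlike 'Completed*' -and $_.Status -ne 'Failed'
    })
    Write-Host "$($pending.Count) move(s) pending, $($failed.Count) failed"
} while ($pending.Count -gt 0)

if ($failed.Count -gt 0) {
    # Leave failed requests in place so Get-MoveRequestStatistics can be
    # used to read the failure reason.
    $failed | Get-MoveRequestStatistics | Format-List DisplayName, Status, Message
    throw "Arbitration mailbox move failed; $source is not clear."
}

# 5. Clear the completed requests and verify nothing is left behind.
$requests | Remove-MoveRequest -Confirm:$false
$left = @(Get-Mailbox -Arbitration -Database $source)
if ($left.Count -eq 0) {
    Write-Host "$source holds no arbitration mailboxes and can be removed."
} else {
    $left | Format-Table Name, Database -AutoSize
}
```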

If there is enough interest a little later, I may do a write up on using the arbitration mailboxes, but at this point there is still a lot of other Exchange 2010 things to learn and figure out!


Thursday, July 09, 2009

Exchange 2010 Hub Transport - building an automated signature

This article is something I wish I could have done in 2007. You can now not only append disclaimers to an email, but also customize the appended data using macros surrounded by two percent signs; for example, %%displayName%% would display your Active Directory display name.

Do note that for these rules to fire, your outbound SMTP must be Exchange 2010. I haven't gotten that far into our migration yet, but created a new send connector to another domain to explicitly route out the 2010 server.

Reasons why you want to do this:

  1. Rich text sigs currently attach as images to each sent item and each reply. At 5-10k per message, that adds up a LOT under volume. With transport based signatures, these are applied on sending, and not saved in sent items. Since we use an IMG tag to support the image, it can go on an externally hosted web server.
  2. Corporate control of signature content based on Active Directory gives a LOT more centralized control. If we allowed marketing the ability to update this transport rule via the new Exchange control panel - they could add/update the marketing line in one place instead of asking employees to comply with a policy.

Below are the steps to create the Transport Rule (note that these all say edit - I didn't take initial screenshots, but the steps are identical)





So now, let's see what that looks like on the receiving end:


Ick. Not exactly pretty. And it missed the newline I entered. Let's see what we can do with this. Trying HTML:


This results in:


I obviously skipped the tough part here just to proof of concept the formatting.

Let's see if some insane winword formatted HTML makes this break - Best practice here would be to have your web development company trim this down a LOT. This text block is 5k!

This got me here - can you tell which is from Outlook and which is generated? (I fixed the </ there after!)



To make the HTML more navigable, I got it down to about 1kb!

OK, so we now KNOW we can duplicate a rich text signature - let's see what I can make work from AD. This is far from a complete list, just what I found with some gentle poking. I expect that Microsoft will eventually list a complete mapping of Macros to fields. If that doesn't happen for a long time, I will update this post or make a new one to list more.

Display Name - %%displayName%%
First Name - %%FirstName%%
Last Name - %%LastName%%
Business Phone - %%Phone%%
Title - %%Title%%
Fax - %%Fax%%
Manager - %%Manager%%


Unfortunately, I have not yet been able to find a slick way to pull Manager's email address out of this to REALLY complete the same effect.


That transport sig costs zero KB in the sent items, but if someone replies, it will add the 1k of HTML to the replied-to email. Still a decent reduction if you multiply over many users and many emails.

Not too shabby, right? Now - other things like the certifications or the second phone number can be applied by either different transport rules based on departments, or by inserting additional desired fields into other attributes. If a marketing department wants to cross sell services more, they can put the top ten technologies on one transport rule, and the Exchange 2010 seminars on another transport rule, and modify the rules to apply by distribution group membership.
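The same kind of rule built from the Exchange Management Shell instead of the wizard, as an added example that is not part of the original post. It assumes the Exchange 2010 New-TransportRule parameters; the rule name, the HTML and the image URL are placeholders, and the macros are the ones listed above.

```powershell
# Added example: an outbound signature rule created disabled, reviewed,
# then enabled. Rule name, HTML and image URL are placeholders.
$ruleName = 'Outbound AD signature (example)'

# Signature body. The %%...%% macros are the ones listed in this post and
# are filled in from the sender's Active Directory attributes at send time.
$html = @'
<p style="font-family:Arial; font-size:10pt">
<b>%%displayName%%</b><br>
%%Title%%<br>
Phone: %%Phone%% | Fax: %%Fax%%<br>
<img src="https://www.example.com/sig/logo.png" alt="Company logo">
</p>
'@

# FromScope/SentToScope limit the rule to mail leaving the organization.
# FallbackAction decides what happens when the text cannot be inserted
# into the message body, for example a signed or encrypted message:
#   Wrap   - deliver the original as an attachment inside a new message
#   Ignore - deliver the original without the signature
#   Reject - refuse the message
# To scope by department, add -FromMemberOf with a distribution group.
New-TransportRule -Name $ruleName `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $html `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Enabled $false

# Review what was stored before any mail flows through the rule.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, ApplyHtmlDisclaimerText

# Turn the rule on once a test message to an external address looks right.
Enable-TransportRule -Identity $ruleName
```

Because the macro values are rendered straight from directory attributes into outbound mail, whoever can edit those attributes or the rule text controls what external recipients see, so delegate both accordingly.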


Tuesday, July 07, 2009

Exchange 2010 New Exchange Certificate GUI Wizard

In Exchange 2007, certificates were a thing for PowerShell. I personally relied on www.digicert.com's CSR generator to build MOST of my certificates for customers to ease the pain of this. Apparently this hit Microsoft's radar and in 2010, this has been addressed with the certificate wizard. In the EMC, this is located at the root of the Server Organization (since a valid certificate can be applied to both HT and CAS activity, this makes the most sense).


Clicking on New Exchange Certificate, we are presented with a series of questions.

  1. Friendly Name - this can be anything you want, from "Chris Lehr cert" to the same as the common name to "Exchange 2010 test cert" - whatever helps you recognize it.
  2. Domain Scope - One option here, do you want a wildcard certificate? If you do, you skip the next step.
  3. Exchange Configuration - I will screenshot this because it is pretty impressive. You get to run through the different certificate needs, what you will use, and what names (internally and externally) will be used. This then builds the certificate request for you.


    You can pick and choose the names as you select items you decide to use.

  4. Organization and Location - be sure to use information matching your domain registration for any externally facing domains. Also, you can specify the certificate request file path here.
  5. Review Settings and complete.

We utilized www.Digicert.com for a SAN cert again, and when I imported the certificate request on their website, I noticed the cert request included several domain names for autodiscover of other domains we host (that we did not need autodiscover for) - this particular certificate vendor allowed us to remove names from the certificate before issuing to keep our cost down. Some other vendors add names NOT in your request. Some will only issue exactly what you ask for (and that your registrar administrators approve).
