Office 365 & Exchange 2013 In-Place Hold & E-Discovery

Data governance and email preservation have always been important security concerns in almost every type of business environment.

Attorneys in particular need to search emails that are relevant for legal and compliance purposes.

With Office 365, the process of searching, preserving and accessing email records has always been available. The technical terms that every Office 365 admin should know when dealing with email preservation are:

1. Litigation Hold (now In-Place eDiscovery & Hold)

2. Discovery Management

3. Multi-Mailbox Search

With Exchange 2013 and Office 365, Multi-Mailbox Search is known as In-Place eDiscovery. The one place to visit in the Office 365 portal to manage email preservation is “In-Place eDiscovery & Hold”.

Let’s talk technical now with Office 365. Consider the scenario below.

SCENARIO: I’m an Office 365 Admin for my company. My attorney wants to search and access emails and, if required, export them, and he wants full access. The attorney also wants to know how he can do this.

I log in to the Office 365 portal first at https://login.microsoftonline.com/

Once I log in, I click Admin at the top of the portal and select Exchange. This opens the Exchange Admin Center.

[Screenshot: Exchange Admin Center]

Now I need to give the attorney the permissions required to perform a discovery search, to place the mailboxes or mail items he wants on hold, and to run query-based searches.

All I need to do is add the attorney to an admin role group called ‘Discovery Management’.

[Screenshots: adding the attorney to the Discovery Management role group]

Now I need to train my attorney so that he can do his legal work.

Attorney said: ‘I want to access emails for all users in the org which have the term ‘confidential’ in the subject.’

OK, here you go, Mr. Attorney. You have been given an admin role, which means you are a Discovery Manager now.

The following steps are done from the attorney’s mailbox, in his OWA in particular.

Open Exchange Control Panel. The ECP portal is: https://outlook.office365.com/ecp/

Since the attorney user has been added as a member of the Discovery Management admin role group, the attorney’s ECP will show the Compliance Management tab, where he can create an in-place hold as shown below:

The attorney user created a new In-Place eDiscovery & Hold query with the keyword ‘Confidential’, set to hold indefinitely, and specified the mailboxes whose matching items are to be kept on hold.

The attorney user can search, export the search results to PST, preview the search results and even copy the results to the Discovery Mailbox. The steps are user-friendly and easy to follow.

[Screenshots: creating and running the In-Place eDiscovery & Hold query]

The Search results can be previewed and also copied to the DiscoverySearch mailbox.

[Screenshots: previewing search results and copying them to the discovery mailbox]

NOTE:

  • In-Place Hold in Exchange 2013 and Exchange Online includes additional features like Query-based Search, types of items to preserve (email, calendar, notes), maximum of 5000 users per In-place hold object and placing multiple holds on a mailbox.
  • By default, the Discovery Management role group doesn’t contain any members. Administrators with the Organization Management role are also unable to create or manage discovery searches without being added to the Discovery Management role group.
  • Members of the Discovery Management role group have Full Access mailbox permissions for the Discovery mailbox that’s created by Exchange Setup.
  • You can open the Discovery Mailbox from OWA by clearing the mailbox attribute that hides it from the GAL.
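
The same procedure done from Exchange Management Shell or Exchange Online remote PowerShell instead of the portal, as an added example that is not part of the original post. The attorney address, search name and source mailboxes are assumed values, and an Exchange session is assumed to be open already.

```powershell
# Added example (not from the original post): the portal steps above, done from
# Exchange Management Shell / Exchange Online remote PowerShell instead of the GUI.
# Assumed values: the attorney account, the mailboxes to preserve and the search name.

$Attorney   = 'attorney@contoso.com'                 # assumed delegate account
$SearchName = 'Confidential-Subject-Hold'            # assumed name for the hold object
$SourceMbx  = 'ceo@contoso.com', 'cfo@contoso.com'   # assumed mailboxes to place on hold

# 1. Grant the attorney the Discovery Management role group (empty by default, see NOTE above).
$alreadyMember = Get-RoleGroupMember -Identity 'Discovery Management' |
                 Where-Object { $_.PrimarySmtpAddress -eq $Attorney }
if (-not $alreadyMember) {
    Add-RoleGroupMember -Identity 'Discovery Management' -Member $Attorney
}

# 2. Create the In-Place eDiscovery & Hold: keyword query on the Subject field,
#    hold matching items indefinitely, copy results to the default discovery mailbox.
New-MailboxSearch -Name $SearchName `
    -SourceMailboxes $SourceMbx `
    -SearchQuery 'Subject:"confidential"' `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod Unlimited `
    -TargetMailbox 'Discovery Search Mailbox' `
    -LogLevel Full

# 3. Run the search and poll until it is no longer running.
Start-MailboxSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 15
    $s = Get-MailboxSearch -Identity $SearchName
} while ($s.Status -in 'NotStarted', 'InProgress')
$s | Format-List Name, Status, ResultNumber, ResultSize, InPlaceHoldEnabled

# 4. Verify the hold actually landed on a source mailbox (InPlaceHolds lists the hold IDs).
Get-Mailbox -Identity $SourceMbx[0] | Format-List DisplayName, LitigationHoldEnabled, InPlaceHolds

# 5. Make the discovery mailbox visible in the GAL so it can be opened from OWA (last NOTE above).
Get-Mailbox -RecipientTypeDetails DiscoveryMailbox |
    Set-Mailbox -HiddenFromAddressListsEnabled $false

# 6. Record who is a Discovery Manager today: these members have Full Access to the
#    discovery mailbox and can search every mailbox in scope, so review the list regularly.
Get-RoleGroupMember -Identity 'Discovery Management' | Select-Object Name, PrimarySmtpAddress
```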

July 24, 2014   Posted in: Uncategorized  No Comments

Office 365 – Attachment Enhancements in OWA

Hello All


Earlier in the year at the Microsoft Exchange Conference, the Office 365 team announced an enhanced document collaboration experience in Outlook Web App for Office 365 users. Today the Office 365 team introduced a few of these enhancements, which aim to improve the way people interact with files attached to their email.


What’s new in Office 365 OWA? Below are the features introduced today by the Office 365 team, listed briefly:

  1. Side-by-side view of document and email: When you open the attachment, you can now see the contents of that document in context (or “side-by-side”) with the email itself; you can see both at the same time. No more flipping back and forth between windows to get all the information you need. You can perform all of the standard messaging actions (reply, forward, and so on) right from within this view.

[Screenshot: side-by-side attachment view]

  2. Easy document editing and reply: When you’re ready to edit the attachment and send your comments back, you no longer need to download the attachment, make your changes, rename the file, reattach it, and send your email reply. You can now do all of this without leaving the new side-by-side view. To do this, you simply click Edit a Copy right above the attachment and message.

[Screenshot: Edit a Copy]

This new copy of the attachment is live, and any changes you make are automatically saved. Once you’re finished with your changes, you can simply type a response in the email and click Send.

  3. Bigger attachment view: The user experience for attachments in the attachment well has been updated, so now when you attach files, they’re bigger and better looking than they’ve ever been before.

[Screenshot: updated attachment well]

  4. Download all attachments: This feature has been available in outlook.com for quite a while now. You can now download multiple attachments at once in the form of a single zip file.

Note: This feature only supports attachments created with Office 2007 and above. It supports viewing all Microsoft Word, Excel, and PowerPoint files, as well as .PDF files and most types of pictures.

Conclusion: The enhancements above give end users a richer experience in OWA clients and make email a more efficient platform for them.

References: View article…

July 3, 2014   Posted in: Office 365  No Comments

You Do not have permissions to Schedule Lync Meetings

Hello All


Many times I’ve seen delegates complaining that they’re unable to create a Lync meeting on their manager’s or boss’s Outlook calendar, even though they have the appropriate permission to create normal meetings. Today we’ll cover what permissions a delegate requires to carry out this operation and look at sefautil.exe as our rescue tool in these scenarios.


Issue: Delegates receive the error “You do not have permissions to schedule Lync meetings on behalf of the owner of this account. Please contact owner of this account to get delegate permission in Microsoft Lync”.

[Screenshot: Lync delegate error]

Cause: As the error states, the issue is due to lack of appropriate permissions for delegate on manager’s or owner’s calendar OR Lync account.

Resolution: For a delegate to be able to create Lync meetings on their manager’s calendar, they should have:

  1. Editor or above access on the manager’s Outlook calendar. To achieve this, you can:
    a. Add the assistant as a delegate in Outlook by going to File – Account Settings – Delegate Access.

    [Screenshot: Delegate Access dialog]

    b. Alternatively, add the calendar permission by going to the user’s Outlook calendar section and selecting Calendar Permissions under the Home tab.

    [Screenshot: Calendar Permissions dialog]

    c. If you do not wish to manage permissions from the user’s workstation and would rather manage them from the server (my favorite), run the cmdlet below in Exchange Management Shell to configure calendar permissions:

    Add-MailboxFolderPermission <manageralias>:\calendar -user <delegatealias> -AccessRights Editor

    You can configure AccessRights as Editor/PublishingEditor/Owner as per requirements. If you wish to check permissions before adding:

    Get-MailboxFolderPermission <manageralias>:\calendar -user <delegatealias>

  2. The assistant should be added as a Lync delegate on the manager’s Lync account. Once you’ve ensured the permissions on the Outlook calendar are correct, you need to ensure that the delegate is added as a Lync delegate on the manager’s Lync account. To do so, you can:
    a. Add the assistant as a delegate using the manager’s Lync client. On the manager’s Lync client, go to Settings – Tools – Call Forwarding Settings – Edit My Delegate Members as shown below.

    [Screenshot: Lync Call Forwarding settings]

    b. Again, if you are not a fan of disturbing high-end users with assistants to configure small settings and would prefer to manage it from the back end, you can use Sefautil.exe for this, which is discussed later in this post.

Once you configure both Outlook and Lync delegate access as described above, the assistant should see a prompt stating “<Manager> has added you as delegate” on his/her Lync client and should now be able to create Lync meetings on their manager’s calendar without any issue.
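
Both halves of the fix done from the back end, as an added example that is not part of the original post: the calendar right is checked first so that an existing entry is updated with Set-MailboxFolderPermission instead of failing on Add-, and the Lync delegate is then added with SEFAUtil. The manager and delegate identities, the pool FQDN and the SEFAUtil path are assumptions.

```powershell
# Added example (not from the original post). Step 1 (Outlook calendar right) and step 2
# (Lync delegate) of the resolution above, done from the server side.
# Assumed: manager/delegate identities, the Lync pool FQDN and the SEFAUtil path.
param(
    [string]$Manager      = 'manager@contoso.com',     # assumed
    [string]$Delegate     = 'assistant@contoso.com',   # assumed
    [ValidateSet('Editor', 'PublishingEditor', 'Owner')]
    [string]$AccessRights = 'Editor',
    [string]$LyncPool     = 'lyncserver.contoso.com',  # assumed, as in the SEFAUtil examples below
    [string]$SefaUtil     = 'C:\Program Files\Microsoft Lync Server 2013\ResKit\SEFAUtil.exe'  # assumed path
)

$folder = "${Manager}:\Calendar"

# Step 1: Outlook calendar permission (Exchange Management Shell / remote PowerShell).
# Get- errors when the delegate has no entry at all, which is the "add" case.
$existing = Get-MailboxFolderPermission -Identity $folder -User $Delegate -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-MailboxFolderPermission -Identity $folder -User $Delegate -AccessRights $AccessRights
} elseif (@($existing.AccessRights) -notcontains $AccessRights) {
    # An entry already exists (e.g. Reviewer); Add- would error, so change the role in place.
    Set-MailboxFolderPermission -Identity $folder -User $Delegate -AccessRights $AccessRights
}
# Show the resulting folder ACL so the change can be verified and recorded.
Get-MailboxFolderPermission -Identity $folder | Select-Object User, AccessRights

# Step 2: Lync delegate, run from a Trusted Application Pool computer (see "What is Sefautil?" below).
if (Test-Path $SefaUtil) {
    $out = & $SefaUtil "/server:$LyncPool" "sip:$Manager" "/adddelegate:$Delegate" 2>&1
    $out
    # SEFAUtil prints the user's delegate list afterwards; confirm the delegate is actually in it.
    if (($out | Out-String) -notmatch [regex]::Escape($Delegate)) {
        Write-Warning "Delegate $Delegate not listed in SEFAUtil output; check the trusted application setup on $LyncPool."
    }
}
```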

What is Sefautil?

SEFAUtil (secondary extension feature activation) is a command-line tool that enables Microsoft Lync Server communications software administrators and helpdesk agents to configure delegate-ringing and call-forwarding settings on behalf of a Lync Server user. The tool also allows administrators to query the call-routing settings that are published for a particular user.

The SEFAUtil tool allows the administrator to enable/disable/modify call forwarding on behalf of the user. The administrator can specify the target (in the form of a SIP URI) or use a target that has already been published by the user. This tool also allows administrators to add or remove delegates on behalf of the user. The tool supports enabling or disabling simultaneous ringing, delayed ringing, or call forwarding to delegates.

This tool requires that administrators create a trusted application for Sefautil in the Central Management store using Lync Topology Builder.

The features in this tool allow administrators and helpdesk agents to do the following:

  • View all call routing settings for a user (includes call forwarding, delegation, team ringing, and simultaneous ringing)
  • Enable/disable/modify call-forwarding setting (includes destination and no-answer timer)
  • Enable/disable/modify call-forwarding immediate configurations
  • Enable/disable/modify delegation settings

How to use Sefautil for managing delegates?

The SEFAUtil tool can be run only on a computer that is a part of a Trusted Application Pool. UCMA 3.0 must be installed on that computer. To run the tool, a new Trusted Application with the sefautil application ID must be created on that pool.

  1. To check a user’s or manager’s existing call forwarding settings:

SEFAUtil.exe /server:lyncserver.contoso.com katarina@contoso.com

Output:

User Aor: sip:katarina@contoso.com
Display Name: Katarina Larsson
UM Enabled: True
Simulring enabled: False
User Ring time: 00:00:20
Call Forward No Answer to: voicemail


  2. To add a delegate to a user’s or manager’s Lync account:

SEFAUtil.exe /server:lyncserver.contoso.com sip:katarina@contoso.com /adddelegate:anders@contoso.com

Output:

User Aor: sip:katarina@contoso.com
Display Name: Katarina Larsson
UM Enabled: True
Simulring enabled: False
Delay Ringing Delegates (delay:10 seconds): anders@contoso.com

  3. To remove a delegate from a user’s or manager’s Lync account:

SEFAUtil.exe /server:lyncserver.contoso.com sip:katarina@contoso.com /removedelegate:anders@contoso.com

Output:

User Aor: sip:katarina@contoso.com
Display Name: Katarina Larsson
UM Enabled: True
Simulring enabled: False
User Ring time: 00:00:30
Call Forward No Answer to: voicemail

Conclusion: Troubleshooting the Lync meeting permission issue is mostly straightforward, i.e. if you’ve configured Outlook calendar and Lync delegate access properly, you should not see this issue. You can find more details regarding the above in our reference section below.

References:

  • http://blogs.technet.com/b/meacoex/archive/2011/04/23/configure-simultaneous-ring-delegate-ringing-and-call-forwarding-settings-on-behalf-of-a-lync-server-2010-user.aspx
  • http://technet.microsoft.com/en-us/library/jj945659.aspx
  • http://support.microsoft.com/kb/2671103

Occasionally it might get more complicated in nature. If you have encountered such scenarios, please do mention them in the comment box below.

Thank you for reading, in the next blog we will be covering automation of Lync server performance monitors and discuss Call Quality management (CQM) and Key Health Indicators (KHI) for Lync server environment.

July 3, 2014   Posted in: Lync 2013, Lync Server 2010, Office 365, Outlook  No Comments

Lync cannot connect to the Exchange Server

Hello All


I was working with a couple of users today who had an issue with Lync conversation history not saving within their Outlook clients, even though the option to save conversation history was enabled in the client.


Issue: Conversation history folder appears in Outlook, however the Lync conversation history is not saving in the folder.

We covered a similar thread a few months ago, where we explained the scenario in which the conversation history folder doesn’t appear at all and conversation history doesn’t save in Outlook:

http://exchangeserverinfo.net/2013/02/lync-unable-to-save-conversation-history-in-outlook/

As covered in our previous post, the conversation history feature leverages both Exchange Web Services (EWS) and MAPI to manage Conversation History items. Unlike previous versions of Lync, EWS is now the primary method used to provide Microsoft Exchange integration features for the Lync client. MAPI will be used if EWS is unavailable, but only in a limited capacity. For more details, we encourage you to read the resource kit chapter Understanding & Troubleshooting Exchange server integration.

Today’s issue was different from the above, though, as the conversation history folder was present; just the conversations were not saving in the folder.

In an ideal scenario, under Lync configuration information, the MAPI and EWS status should both show OK:

[Screenshot: EWS and MAPI status in Lync configuration information]

And we should see EWS cached data in user’s registry HKCU\Software\Microsoft\Communicator\[User SMTP Address]\Autodiscovery

[Screenshot: EWS autodiscovery cache in the registry]

When we checked the Lync configuration information, the two users had two different EWS statuses, which we’ll cover in this post.

Scenario 1 – EWS Status – EWS Unavailable: For the first user, under Lync configuration information, the EWS status showed as unavailable and the error below was shown on the Lync client:

[Screenshot: EWS Unavailable status]

The user had the EWS internal and external URLs populated in his client, i.e. Lync was able to extract the EWS URLs using the Autodiscover service but wasn’t able to connect to them. Hence the status.

Troubleshooting Scenario 1: EWS unavailable is generally caused by one of the following:
1. Proxy/PAC file configuration on the user’s workstation: In certain environments, all internal & external URLs are configured to go via a proxy server and, depending on the infrastructure configuration, the proxy server may or may not be able to communicate directly with the Exchange server on behalf of the Lync client. At this point the communication between Lync & Exchange breaks, causing the issue. To resolve this, make sure the EWS/OWA namespace is bypassed from the proxy, either via Internet Explorer/Group Policy or hard coded in the PAC/proxy file itself.
2. Invalid IP address or configuration issue: In this scenario, Lync was able to resolve the Autodiscover DNS values but was unable to contact the site due to an invalid IP address or reverse proxy configuration.
3. Invalid Windows credentials: The user is logged in to Windows using different credentials than their normal user account (like an admin account), due to which either Lync is unable to authenticate against the EWS service OR the proxy server is unable to authenticate on behalf of the user. In either case, the EWS connection will fail and the status will stay unavailable. To resolve the issue, ensure the user is logged in with the proper account and authentication is working without issue.

Resolution 1 – In my case, it was point 3 above i.e. user was logged in using his admin account into Windows which wasn’t authenticating as expected into EWS. Once user logged in using his normal windows account, the EWS status turned OK and conversation history started to save as expected.

Scenario 2 – EWS Status – EWS is not fully initialized: In this scenario, the user doesn’t have EWS URLs populated in the Lync configuration/client at all, and the EWS status stays at “EWS is not fully initialized”.

The user gets the same error notification on the Lync client, stating “Lync cannot connect to the Exchange Server”.

The Lync client’s MAPI status was OK, and Lync & Outlook Autodiscovery were working OK as well. However, the Lync client wasn’t able to determine the internal and external EWS URLs.

Troubleshooting Scenario 2: The issue can be caused by one of the following:
1. Invalid DNS or DNS lookup failure: If the Lync client is unable to find an appropriate DNS A or SRV record to reach the Exchange Autodiscover service for looking up EWS URLs, it fails to populate them in the Lync client. To check whether this is the issue, you can use the nslookup command for troubleshooting and ensure the proper DNS records are in place.
2. Invalid or untrusted certificate: If the Exchange certificate authority is not trusted by the local client/workstation, Lync cannot reach the Autodiscover URL and hence doesn’t get any response back with the appropriate EWS information. To fix this, ensure the certificate authority used to issue the Exchange certificates is also trusted by the workstations in your environment.
3. Untrusted server name for sign-in address: The client is connecting to a server that is unknown to Lync. Lync must have your permission to verify whether to trust this server.

[Screenshot: Lync trust model prompt for an unknown server]

The above prompt can appear when the Lync client tries to connect to the Lync server during sign-in OR when Lync tries to connect to the Exchange server after sign-in. This doesn’t reflect any issue in the configuration; it is a security feature. Lync will not connect to any unknown server until you confirm that it is trusted.

Resolution 2 – In my case, it was point 3 above i.e. when Lync was trying to connect to Exchange server, above prompt was displayed, however user ignored the prompt due to which Lync didn’t process the autodiscover response from Exchange server. Hence the EWS information stayed blank on Lync client.

To prevent the dialog box from being displayed, you can edit the following REG_SZ registry value:
Lync 2010 – HKEY_CURRENT_USER\Software\Microsoft\Communicator\TrustModelData\
Lync 2013 – HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync

Add the Fully Qualified Domain Name (FQDN) of the server-based computer that is displayed in the Trust Model dialog to the existing value data of the TrustModelData registry value. This will be the Lync Server/Exchange Server/Exchange CAS array for which you’re getting the prompt shown above.

If you have an Active Directory environment, you can push these registry values via Group Policy as well. You can find a sample GPO HTML report attached below for reference.

[Screenshot: GPO report adding the CAS array names to TrustModelData]

In above example, we’ve added Exchange CAS arrays name mobile.contoso.com, mobile.fabrikam.com to existing value of TrustModelData. You can also download this file from Onedrive -> http://1drv.ms/1mbSmul
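
An added example (not part of the original post) that applies the same edit without clobbering entries already present: it reads the existing comma-separated TrustModelData value under each of the two keys named above, appends only the FQDNs that are missing, and creates the value when it does not exist. The server names are the constructed ones from the text above; only add names of servers you actually operate.

```powershell
# Added example (not from the original post). Adds FQDNs to the TrustModelData value for
# Lync 2010 and Lync 2013 without duplicating or overwriting entries already present.
# The server names are constructed examples taken from the text above.
$ServersToTrust = 'mobile.contoso.com', 'mobile.fabrikam.com'

# Registry locations named in the post (the value name is TrustModelData under each key).
$Keys = @(
    'HKCU:\Software\Microsoft\Communicator',                # Lync 2010
    'HKCU:\Software\Policies\Microsoft\Office\15.0\Lync'    # Lync 2013 (policy key)
)

function Add-LyncTrustedServer {
    param([string]$Key, [string[]]$Fqdns)

    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    # The existing value is a comma-separated REG_SZ and may be absent altogether.
    $current = (Get-ItemProperty -Path $Key -Name TrustModelData -ErrorAction SilentlyContinue).TrustModelData
    $list = @()
    if ($current) {
        $list = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # Append only what is missing (-notcontains is case-insensitive, like DNS names).
    $added = @()
    foreach ($f in $Fqdns) {
        if ($list -notcontains $f) { $list += $f; $added += $f }
    }
    if ($added.Count -eq 0) { return "$Key : no change" }

    $new = $list -join ','
    if ($null -eq $current) {
        New-ItemProperty -Path $Key -Name TrustModelData -PropertyType String -Value $new | Out-Null
    } else {
        Set-ItemProperty -Path $Key -Name TrustModelData -Value $new
    }
    return "$Key : added $($added -join ', ')"
}

foreach ($k in $Keys) { Add-LyncTrustedServer -Key $k -Fqdns $ServersToTrust }
```

The same logic can be pushed by Group Policy Preferences as the post suggests; the function form here is useful on a single workstation or in a logon script.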

Conclusion: Lync not saving conversation history to the Outlook client OR Lync status not changing based on Outlook calendar information are a couple of the most common issues encountered with Lync/Outlook integration. Depending on the environment and client-side configuration, the troubleshooting can be complex. Hopefully the information above gives you some starting points to check and reduces the troubleshooting time accordingly.

For more information regarding above post, please refer to reference section below.

References:
• http://support.microsoft.com/kb/2531068
• http://support.microsoft.com/kb/2833618
• http://exchangeserverinfo.net/2013/02/lync-unable-to-save-conversation-history-in-outlook/

In our next post, we’ll be discussing about Outlook delegate and Lync meeting issues. Till Next Time !

June 28, 2014   Posted in: Exchange Server, Exchange Server 2010, Exchange Server 2013, Exchange Server General, Lync 2013, Lync Server 2010, Office 365  One Comment

Exchange – OABGen Encountered Error

Hello All


I was working with a client who recently moved their public folder databases to a dedicated public folder server so that they could remove that load from the production mailbox servers, which made sense.

Part of this move included moving the Offline Address Book (OAB) generation server as well, as they wanted to keep public folder distribution of the offline address book available (even though from Exchange 2010 onwards the web distribution method is used unless the Outlook client is older than Outlook 2007 SP2) and to keep the OAB generation server the same as the public folder server.


Issue 1 – Everything went as per plan (I will write up the details of movement in other post), however, post movement of OAB generation server, we encountered below errors on the public folder server with respect to OAB generation:

Log Name:      Application
Source:        MSExchangeSA
Date:          6/25/2014 5:12:32 AM
Event ID:      9330
Task Category: (13)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server-PF01.contoso.com
Description:
OABGen encountered error 80040115 (internal ID 50004ca) accessing Active Directory Server-DC00 for ”.
- \Default Offline Address Book

Log Name:      Application
Source:        MSExchangeSA
Date:          6/25/2014 5:12:32 AM
Event ID:      9334
Task Category: (13)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server-PF01.contoso.com
Description:
OABGen encountered error 80040115 while initializing the offline address book generation  process. No offline address books have been generated. Check the event log for more information.
- \Default Offline Address Book

The error is generally caused if one of the following conditions is true:
• The server is not added properly to the Active Directory domain and is unable to read the configuration partition properly. Since all other services were running properly, this didn’t seem to be the issue.
• Authenticated Users do not have read/list permission on the offline address book object. Since the issue started happening after the move, this didn’t seem like the cause either, and when double checked, the permissions were correctly in place for the Authenticated Users group.
• The server is unable to reach the domain controller reported in error 9330. When I pinged and did some network troubleshooting, this didn’t seem like an issue either, since both the domain controller and the Exchange server were on the same subnet.

On further digging, I realized that the domain controller and the Exchange server were in different AD domains, and the client used the “Append these DNS suffixes” option on the NIC to try all AD domains in a particular order.

[Screenshot: “Append these DNS suffixes” NIC setting]

When we checked the NIC, it was missing the AD domain that Server-DC00 was in, and hence the Exchange server was unable to reach Server-DC00 for OAB generation.

Resolution 1 – We added all required AD domains to the “Append these DNS suffixes” configuration of the primary NIC so that it can contact all required domain controllers in the environment without any issue.

Issue 2 – Once the domain controller issue was fixed and we used Update-OfflineAddressBook command to force update the OAB files, we encountered below errors in the logs:

Log Name:      Application
Source:        MSExchangeSA
Date:          6/25/2014 8:57:28 AM
Event ID:      9331
Task Category: (13)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server-PF01.contoso.com
Description:
OABGen encountered error 80004005 (internal ID 50103b7) accessing the public folder database while generating the offline address list for address list ‘/’.
- \Default Offline Address Book

Log Name:      Application
Source:        MSExchangeSA
Date:          6/25/2014 8:57:28 AM
Event ID:      9335
Task Category: (13)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server-PF01.contoso.com
Description:
OABGen encountered error 80004005 while cleaning the offline address list public folders under /o=Contoso/cn=addrlists/cn=oabs/cn=Default Offline Address Book.  Please make sure the public folder database is mounted and replicas exist of the offline address list folders.  No offline address lists have been generated.  Please check the event log for more information.
- \Default Offline Address Book

The above errors are pretty straightforward, basically stating that the system attendant mailbox is unable to find a copy or replica of the OAB on the public folder database referenced by the mailbox database of the same server. This generally happens if:
• The public folder database is inaccessible.
• There is a MAPI connection issue to the public folder server, if it is on a different network.

In our case, since the public folder database was on the same server and accessible, the above two reasons weren’t the cause of the issue.

[Screenshot: replica list of the OAB system public folder]

Resolution 2 – We added the public folder server as replica of Offline address book system public folder and after the contents were replicated, the OAB generation process started to work without any errors or as expected.
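
A triage script for the two failures above, as an added example that is not part of the original post: it pulls the OABGen events by the IDs quoted in the log excerpts, checks the NIC’s DNS suffix search list against every domain in the forest and resolves the DC named in the 9330 event (Issue 1), then checks whether the local public folder database holds a replica of the OAB system folders (Issue 2). It assumes the default OAB name and the standard system folder path for the OAB public folders, and is meant to run in Exchange Management Shell on the OAB generation server.

```powershell
# Added example (not from the original post): triage for the OABGen errors 9330/9334 (Issue 1)
# and 9331/9335 (Issue 2) above. Run in Exchange Management Shell on the OAB generation server.
# Assumed: the default OAB name and the standard OAB system folder path.

# 1. Recent OABGen errors (event IDs taken from the log excerpts above).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchangeSA'; Id = 9330, 9331, 9334, 9335 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize

# 2. Issue 1: is every AD domain of the forest present in the NIC's DNS suffix search list?
#    Unqualified DC names (like Server-DC00 above) only resolve for domains in that list.
$suffixes = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
              ForEach-Object { $_.DNSDomainSuffixSearchOrder })
$domains  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
            ForEach-Object { $_.Name }
foreach ($d in $domains) {
    '{0,-35} in suffix search list: {1}' -f $d, ($suffixes -contains $d)
}

# 3. Take the DC name out of the newest 9330 event, if any, and check it resolves from here.
$msg9330 = ($events | Where-Object { $_.Id -eq 9330 } | Select-Object -First 1).Message
if ($msg9330) {
    $m = [regex]::Match($msg9330, 'accessing Active Directory (\S+) for')
    if ($m.Success) {
        $dc = $m.Groups[1].Value
        try   { "DC $dc resolves to: " + ([System.Net.Dns]::GetHostAddresses($dc) -join ', ') }
        catch { "DC $dc does NOT resolve: $($_.Exception.Message)" }
    }
}

# 4. Issue 2: does the local public folder database hold a replica of the OAB system folders?
Get-OfflineAddressBook -Identity '\Default Offline Address Book' |
    Format-List Name, Server, PublicFolderDistributionEnabled, WebDistributionEnabled
$pfdb = Get-PublicFolderDatabase -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue
if ($pfdb) {
    Get-PublicFolder -Identity '\NON_IPM_SUBTREE\OFFLINE ADDRESS BOOK' -Recurse |
        Select-Object Name, @{ n = 'ReplicaOnThisServer'
                               e = { @($_.Replicas | ForEach-Object { "$_" }) -contains $pfdb.Name } }
} else {
    'No public folder database on this server: OABGen must reach one over MAPI (second cause above).'
}
```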

For reading more about troubleshooting OAB generation in an Exchange 2013 environment, refer to our blog below:

http://exchangeserverinfo.net/2013/12/troubleshooting-oab-in-exchange-2013/

Hope the information above saves some troubleshooting time on your side. You can read more about the above issues in the reference articles below.

In our next post, we’ll be discussing moving public folders in an Exchange 2010 environment and moving & forcing the OAB generation process for end user clients.

References:
1. http://blogs.msdn.com/b/dgoldman/archive/2007/11/15/oab-generation-fails-to-generate-with-errors-9330-and-9334.aspx
2. http://support.microsoft.com/kb/922251


June 27, 2014   Posted in: Exchange Server, Exchange Server 2007, Exchange Server 2010, Exchange Server General, Outlook  No Comments

IMPORTANT – Security Vulnerability in Lync

Hello All


Microsoft released security bulletins on June 10th identifying security vulnerabilities in the Lync Server 2010/2013 web components and in the Lync 2010/2013 desktop clients.


Security Risk Involved: An information disclosure vulnerability exists when Lync Server fails to properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could potentially execute scripts in the user’s browser to obtain information from web sessions.

The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Recommendation: For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software.

Note: The security updates in MS14-036 and MS14-032 are not related. Customers should install the updates in both bulletins for the software installed on their systems. MS14-036 is related to Lync client on user workstations and is not related to Lync Server.

References:
Microsoft Security Bulletin MS14-036 – Critical
Microsoft Security Bulletin MS14-032 – Important
MS14-032: Vulnerability in Lync Server could allow information disclosure: June 10, 2014
MS14-036: Description of the security update for Lync 2010: June 10, 2014

June 13, 2014   Posted in: Uncategorized  No Comments

Backing Up a Lync Server Environment

Hello All

In this post we’ll be discussing Lync Server environment backup requirements and how we can assist in streamlining this process for you.


On a broad scale, Lync components backup can be categorized into following:

[Diagram: Lync backup components]

Settings and Configuration Requirements: The following table outlines settings & configuration that you need to backup and restore.

Topology configuration information
  Where stored: Central Management store (database: Xds.mdf)
  Description / When to back up: Topology, policy, and configuration settings. Back up with your regular backups and after you use Lync Server Control Panel or cmdlets to modify your configuration or policies.

Location information
  Where stored: Central Management store (database: Lis.mdf)
  Description / When to back up: Enterprise Voice Enhanced 9-1-1 (E9-1-1) configuration information. This information is generally static. Back up with your regular backups.

Response Group configuration information
  Where stored: Back End Server or Standard Edition server (database: RgsConfig.mdf)
  Description / When to back up: Response Group agent groups, queues, and workflows. Back up with your regular backups and after you add or change agent groups, queues, or workflows.

Data Requirements: Here is a list of the Lync Server data that you need to back up so that you can restore Lync Server service in the event of a failure.

Persistent user data
  Where stored: Back End Server or Standard Edition server (database: RTCXDS.mdf)
  Description / When to back up: User rights, user Contacts lists, server or pool data, scheduled conferences, and so on. This user data does not include content uploaded to a conference.

Archiving data
  Where stored: Archiving database (database: LcsLog.mdf)
  Description / When to back up: Instant messaging (IM) and meeting content.

Monitoring data
  Where stored: Monitoring databases (LcsCDR.mdf and QoeMetrics.mdf)
  Description / When to back up: Call detail records (LcsCDR.mdf) and Quality of Experience (QoE) metrics (QoeMetrics.mdf).

Persistent Chat data
  Where stored: Persistent Chat database (mgd.mdf)
  Description / When to back up: Persistent Chat data is the actual chat content posted in chat rooms. This data is often business critical.

File Store Data Requirements: In an Enterprise Edition deployment, the Lync Server file store is typically located on a file server. In a Standard Edition deployment, the Lync Server file store is located by default on the Standard Edition server. Typically, there is one Lync Server file store that is shared for a site. The Persistent Chat file store uses the same file share as the Lync Server file store.

Lync Server file store
  Where stored: Typically on a file server, file cluster, or a Standard Edition server
  Description / When to back up: Meeting content, meeting content metadata, meeting compliance logs, application data files, update files for device updates, audio files for Response Group, Call Park, and Announcement applications, and files posted into Persistent Chat rooms.

Additional Backup Requirements: Other necessary components that are not part of Lync server itself:

○ Active Directory Domain Services

○ Certificate authority and certificates

○ System Center Operations Manager

○ PSTN Gateway Configuration

○ Infrastructure Information

○ Microsoft Exchange and Exchange UM

Now that’s a lot of variety of data to back up. Not good for the lazy administrator within you at all. So our lazy administrator gets to work and writes two scripts that will help you back up this data in one go. You can download the scripts from below:

What do these scripts do? These scripts help you back up your Lync Server environment based on the above guidelines from Microsoft.

What do these scripts backup? These scripts backup following for your Lync infrastructure:

• Lync Server settings and configuration which includes topology zip file, Lis Information and response group configuration Information.

• Lync File Share

• User contacts and conferencing data.

• Lync server certificates along with their private key with password as server’s name in CAPS

• (Additional) Lync SQL databases. Currently we haven’t provided a parameter for this, but you can expand the script to do it as well, since most environments prefer their own SQL backup routine independent of the application itself.

How do these scripts work? Ah good question, the scripts take BackupLocation as parameter which specifies any location local or on network. Script then creates folder within that location with server name from where its been run from. In there, it backs up or dumps the data depending on other parameters you’ve chosen.

You can choose to back up all three components (Configuration, Data, Certificate) or only one of them. For example, to back up certificates you need to run the script on each local server, but you don't need to back up Configuration and user data from every server; that can be done from just one server.

The script keeps the previous copy of the folders it created for 1 day, i.e. when you run the script a second time, it renames the previously created folder and creates a new one. If you run it a third time, it removes the folder created on the first run.

It also dumps certificate store information into a CSV file in the same folder. Why you need this is discussed below.
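The folder rotation, configuration export and certificate dump described above, written out as an added example; this is not the blog's Get-Lync2010Backup.ps1 or Get-Lync2013Backup.ps1. It assumes the Lync Server Management Shell is loaded when -Configuration is used and PowerShell 3.0 or later; the file names are my own choice.

```powershell
# Added example, not the blog's Get-Lync2010Backup.ps1 / Get-Lync2013Backup.ps1: the folder
# rotation, configuration export and certificate dump described in the post, in one script.
param(
    [Parameter(Mandatory)] [string] $BackupLocation,   # local path or UNC share
    [switch] $Configuration,                           # run from one server only
    [switch] $Certificate                              # run from every server
)

$server   = $env:COMPUTERNAME
$current  = Join-Path $BackupLocation $server
$previous = Join-Path $BackupLocation "$server.previous"

# Keep one earlier copy: drop the run-before-last, rename the last run, start fresh.
if (Test-Path $previous) { Remove-Item $previous -Recurse -Force }
if (Test-Path $current)  { Rename-Item $current -NewName "$server.previous" }
New-Item -ItemType Directory -Path $current | Out-Null

if ($Configuration) {
    # Topology/CMS snapshot and Location Information Service data (Lync Management Shell cmdlets).
    Export-CsConfiguration    -FileName (Join-Path $current 'CsConfiguration.zip')
    Export-CsLisConfiguration -FileName (Join-Path $current 'CsLisConfiguration.zip')
}

if ($Certificate) {
    $pfxType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $password = $server.ToUpper()   # the post's convention; the share holding these PFX files needs tight ACLs
    $inventory = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if ($cert.HasPrivateKey) {
            try {
                $bytes = $cert.Export($pfxType, $password)
                [IO.File]::WriteAllBytes((Join-Path $current "$($cert.Thumbprint).pfx"), $bytes)
            } catch {
                Write-Warning "Private key of $($cert.Thumbprint) is not exportable: $_"
            }
        }
        # One row per certificate; the expiry report reads these CSV files later.
        [pscustomobject]@{
            Server     = $server
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            HasKey     = $cert.HasPrivateKey
        }
    }
    $inventory | Export-Csv -Path (Join-Path $current "$server-Certificates.csv") -NoTypeInformation
}
```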

For more details on how to use these scripts, download them locally and run the commands below in PowerShell to read the help:

• Get-Help .\Get-Lync2010Backup.ps1 -Detailed

• Get-Help .\Get-Lync2013Backup.ps1 -Detailed

Why do I need a CSV with certificate information? Basically, I was having a hard time tracking all the certificate expiry dates in our Lync environment. Sure, we have SCOM, which alerts us 1 week before expiry, and we can modify the rule to alert earlier or more frequently, but if by any chance we miss that alert and a certificate expires, well, it'll be "I LET A CERTIFICATE EXPIRE! EVERYBODY PANIC!"

To help with this, we wrote the script below, which keeps track of expiry dates on a weekly basis. You can download the script from below:

Get-LyncCertificateDetails

How does this script work? It reads all the CSV files created in the backup location by the LyncBackup script and puts them into a nice-looking HTML report, which can be sent by email automatically as required. This way you have customised reporting and alerting that fits your needs. Some might argue that you could still miss this email; true, but at least it isn't hidden in the swarm of other alerts SCOM generates, so it is easier to notice.

For more details on how to use this script, download it locally and run the command below in PowerShell to read the help:

Get-Help .\Get-LyncCertificateDetails.ps1 -Detailed

You can find these scripts in this folder as well -> http://1drv.ms/1mbSmul

Update (06/27/2014): We've added another column to Get-LyncCertificateDetails that shows the number of days remaining before each certificate expires, counted from the day the report runs, and colour-codes the data accordingly. If any certificate is close to expiring, it changes the subject line of the report as well.
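An added example of the reporting described above and in the update, not the blog's Get-LyncCertificateDetails.ps1: it reads the per-server certificate CSVs from the backup location, adds the days-remaining column, colours each row and switches the subject line when a certificate is close to expiry. The CSV columns (Server, Subject, Thumbprint, NotAfter) and the SMTP server and addresses are assumptions, not taken from the post.

```powershell
# Added example, not the blog's Get-LyncCertificateDetails.ps1. Assumes CSVs with the columns
# Server, Subject, Thumbprint, NotAfter; the SMTP values below are placeholders.
param(
    [Parameter(Mandatory)] [string] $BackupLocation,
    [int]    $WarnDays   = 30,
    [string] $SmtpServer = 'smtp.example.local',        # placeholder
    [string] $To         = 'lyncadmins@example.local',  # placeholder
    [string] $From       = 'lyncbackup@example.local'   # placeholder
)

$today = Get-Date
$rows  = Get-ChildItem -Path $BackupLocation -Filter '*-Certificates.csv' -Recurse |
    Where-Object { $_.DirectoryName -notlike '*.previous' } |   # ignore the rotated copy
    Import-Csv |
    ForEach-Object {
        $expires = [datetime]$_.NotAfter
        [pscustomobject]@{
            Server        = $_.Server
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            Expires       = $expires.ToString('yyyy-MM-dd')
            DaysRemaining = [int][math]::Floor(($expires - $today).TotalDays)   # negative = expired
        }
    } | Sort-Object DaysRemaining

# Build the table by hand so each row can carry its own colour.
$sb = New-Object System.Text.StringBuilder
[void]$sb.Append('<html><body><table border="1"><tr><th>Server</th><th>Subject</th>' +
                 '<th>Thumbprint</th><th>Expires</th><th>Days remaining</th></tr>')
foreach ($r in $rows) {
    $colour = '#c9f2c9'                                                  # healthy
    if ($r.DaysRemaining -le 3 * $WarnDays) { $colour = '#ffd480' }      # plan the renewal
    if ($r.DaysRemaining -le $WarnDays)     { $colour = '#f4a6a6' }      # expired or imminent
    [void]$sb.AppendFormat('<tr style="background:{0}"><td>{1}</td><td>{2}</td><td>{3}</td><td>{4}</td><td>{5}</td></tr>',
        $colour, $r.Server, [System.Net.WebUtility]::HtmlEncode($r.Subject), $r.Thumbprint, $r.Expires, $r.DaysRemaining)
}
[void]$sb.Append('</table></body></html>')

# The subject line flips when anything is inside the warning window, so it stands out in the inbox.
$critical = @($rows | Where-Object { $_.DaysRemaining -le $WarnDays }).Count
$subject  = 'Lync certificate report: no certificate expires within the warning window'
if ($critical -gt 0) { $subject = "ACTION REQUIRED: $critical Lync certificate(s) expire within $WarnDays days" }
Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From -Subject $subject -Body $sb.ToString() -BodyAsHtml
```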

Conclusion: Lync backups can be tricky at times, especially due to the variety of components involved (SQL, DFS, CA, etc.). Hopefully you find the above information helpful and the scripts make your job easier and make you a rock star in front of your boss! :-)

Thanks for reading !

June 5, 2014  Posted in: Lync 2013, Lync Server 2010

What is Enterprise Vault?

Hello All

New on our site: we'll start posting blogs and knowledge articles about Symantec Enterprise Vault server, but before we do, we should first know exactly what it is.

What is Enterprise Vault in a nutshell?
Enterprise Vault, the industry leader in archiving, enables organizations to efficiently store, effectively manage, and easily discover and retrieve unstructured information as needed for business.


Primarily, Enterprise Vault is used to archive email from Exchange Server environments. Additionally, it can archive file servers, SharePoint environments and SMTP traffic, i.e. email from servers running the Windows SMTP service.

Symantec is placed highest in Gartner's Magic Quadrant, as of 11th November 2013, for vision and execution in Enterprise Information Archiving:


Release information:
• Current Major Release used in production: Enterprise Vault 10.0.4
• Newest Release for production: Enterprise Vault 11
• Newest Release in beta: Enterprise Vault 11.0.1

Key Features
• Unified Document Archiving Software Platform moves less-frequently accessed information off of expensive primary storage to lower-cost storage
• Global deduplication of Archived Content (i.e. email, files, sharepoint, IM, databases.)
• Easy to use Compliance and an E-Discovery options to enable roles-based search and access for self-service users to search, preserve, review and export electronically-stored information and messages
• Policy-based management and workflow to automate archiving processes and take control of data sprawl
• Supports virtualization infrastructure for flexible deployment without additional hardware

Additional Archiving Features
• Built-in Data Classification Services (DCS): based on Symantec Data Loss Prevention technology, it adds context and relevance for more granular control over the identification, retention and deletion of Exchange messages, and identifies and flags email containing private and sensitive information such as social security numbers, bank account numbers and phone numbers.
• Discovery Accelerator custodian-based search: quickly find all relevant information across email, SharePoint, files, IMs, etc., based on custodian; target searches at individual custodians within a case for increased search precision and recall.
• Archive Microsoft file servers and SharePoint content: extend governance to file servers and SharePoint. Archive SharePoint document libraries, wikis, custom SharePoint lists, social content and more, for storage optimization and compliance.
• Social media and website archiving: extend compliance policies to sites such as Facebook, Twitter and LinkedIn, and preserve social media communications for eDiscovery requests.
• Archive to the cloud: leverage Cloud Storage Connectors to designate AT&T Synaptic, Amazon S3 and other providers as a storage tier for archiving.

Key Benefits
• Enterprise archiving reduces storage footprint and costs by up to 60% or more by moving deduplication and compression closer to the source while retention and deletion policies keep information for only as long as it is needed
• Streamlines backup and recovery times by moving older, infrequently accessed data from production sources into a centralized archive
• Enables an in-depth search of Electronically-Stored Information (ESI) across the enterprise, giving organizations clear visibility into and control of the discovery, assessment, and management of unstructured and semi-structured information
• Allows for immediate early case assessments, legal hold and review without manual, time-consuming collection processes

Conclusion: Enterprise Vault has many advantages over the other archiving solutions available on the market, including the in-house Exchange Server 2013 archiving solution. Especially in the legal area, there is none stronger than Enterprise Vault at present that I know of. With the release of Enterprise Vault 11, which can also archive items from cloud solutions like Office 365, Google, etc., it is definitely a recommended solution to look into for your environment.

In coming posts, we'll compare Enterprise Vault with the Exchange archiving solution and discuss the new features available in Enterprise Vault 11 that you should consider before deploying.

Meanwhile, please refer to reference section below for more details about this product.

References:
• Enterprise Vault Introduction Video: http://www.symantec.com/products-solutions/products/videos-lightbox.jsp?cid=enterprise-vault-archiving-overview
• Gartner’s Magic Quadrant Report: http://www.gartner.com/technology/reprints.do?id=1-1MOTFJE&ct=131106&st=sb

Hope you find the above information helpful and enjoy reading more about Enterprise Vault in the coming weeks.

June 2, 2014  Posted in: Enterprise Vault

Exchange – Search Folder in Mailbox

Hello All

Recently we completed migrating PST files (personal folders) from users' hard drives into their mailboxes. It was one big, painful effort, but I'm glad it's finally completed.

Problem:

Post migration, we started seeing issues and calls where end users had lost folders within their mailbox or could no longer locate them. Not sure about you, but it didn't make sense to me, since all the folders were in the mailbox.


While searching for a particular folder, we tried the following approaches:

  1. Expand all folders in OWA and try to locate the missing folder. The most inefficient way; it's like looking for a needle in a haystack if users have more than 10K folders.
  2. Search for emails within the mailbox using the Search-Mailbox cmdlet and review the results in the target mailbox. This might do the trick, but it yields a lot of results and may return more folders than needed.
  3. Use an Outlook VB macro to search for the folder by name. It looked OK for 1 or 2 users, but in the long run it seems tedious and lengthy to first copy the macro to the user's machine and then use it.
  4. Use the Exchange Management Shell cmdlet below:

Get-MailboxFolderStatistics <mailbox name> | Where-Object {$_.FolderPath -like "*<keyword of folder name>*"} | Select-Object FolderPath

The above cmdlet returns every folder, with its full path, that might be the missing folder. This helped me a lot on various occasions, but it still wasn't a fit for lazy admins like myself.

Solution:

So I decided to write a quick and dirty script, named Search-MailboxFolder, that lets me just type the mailbox name and a folder name keyword to search for, and gives me the same results as the cmdlet above.

Search-MailboxFolder

The script takes input from the administrator as parameters: the mailbox name and the likely name of the mailbox folder the user is missing. Based on these inputs, the script searches for the folder and displays the result in the console/shell.
Pre-Requisites:
1. Exchange Management Shell/Exchange Module
2. Mailbox Name
3. Mailbox Folder Name Keyword.

For more details on how to run/use this script, run the cmdlet below after downloading the script:

Get-Help .\Search-MailboxFolder.ps1 -Detailed

You can also download the script from -> http://1drv.ms/1nsMKT6

Further Enhancements:

You can add more to this script, such as:

  • Generate an email to the end user directly, including all the folder paths returned.
  • Search for a particular folder across all mailboxes, or a set of mailboxes, and report as needed.
  • Search for and delete particular folders in all, or a set of, mailboxes in your environment, etc.
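An added example covering the script as described (mailbox plus folder keyword) and the second enhancement above (a set of mailboxes); it is not the blog's Search-MailboxFolder.ps1. It wraps the Get-MailboxFolderStatistics call from the post, runs in the Exchange Management Shell, and the mailbox alias, OU and keyword in the usage lines are placeholders.

```powershell
# Added example, not the blog's Search-MailboxFolder.ps1. Run from the Exchange Management Shell.
function Search-MailboxFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Mailbox,   # alias, UPN or display name
        [Parameter(Mandatory)] [string] $Keyword,
        [switch] $IncludeEmpty                                            # also list folders with 0 items
    )
    process {
        foreach ($mbx in $Mailbox) {
            try {
                $stats = Get-MailboxFolderStatistics -Identity $mbx -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read folder statistics for '$mbx': $($_.Exception.Message)"
                continue
            }
            # Match on the folder's own name: matching FolderPath (as the post's one-liner does)
            # would also list every child of a folder that matches.
            $stats |
                Where-Object { $_.Name -like "*$Keyword*" -and ($IncludeEmpty -or $_.ItemsInFolder -gt 0) } |
                ForEach-Object {
                    [pscustomobject]@{
                        Mailbox       = $mbx
                        FolderPath    = $_.FolderPath
                        ItemsInFolder = $_.ItemsInFolder
                        FolderSize    = $_.FolderSize
                    }
                }
        }
    }
}

# Single mailbox, as in the post (placeholder alias and keyword):
Search-MailboxFolder -Mailbox 'jdoe' -Keyword 'Project X'

# Whole department ("Further Enhancements"): every mailbox in one OU, results to CSV (placeholder OU)
Get-Mailbox -OrganizationalUnit 'contoso.com/Sales' -ResultSize Unlimited |
    Select-Object -ExpandProperty Alias |
    Search-MailboxFolder -Keyword 'Project X' |
    Export-Csv -Path .\MissingFolders.csv -NoTypeInformation
```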

Conclusion: It turned out that users in my environment were accidentally dragging and dropping folders into other folders and were then unable to find, or recall what had happened to, the folder.

There are several scenarios where you might find yourself in a similar situation. When you do, I hope you find the above script and information helpful and to your rescue.

For any additional script ideas or requirements, please drop them in comment section.

Thanks for reading !

May 28, 2014  Posted in: Exchange Server, Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, Exchange Server General, Outlook

Security Kerberos Error – Event ID 3

Hello All


Recently I was troubleshooting a Windows cluster issue, which is discussed in a different post. While going through the event logs during that troubleshooting, I noticed multiple entries of the error below in the System event log:


Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          6/6/2014 2:02:54 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server02.contoso.com
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 18:2:54.0000 6/6/2014 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: CONTOSO.COM
Server Name: Server02$@CONTOSO.COM
Target Name: Server02$@CONTOSO.COM@CONTOSO.COM
Error Text:
File: 9
Line: f09
Error Data is in record data.

Summary: Frequent error logs with Kerberos event ID 3


Troubleshooting: Even though I was sure it was not related to the original cluster issue I was working on, so many red errors were still bugging me. So once the issue was resolved, I used setspn.exe to determine whether the SPN records it was trying to reach actually existed in the environment.

Setspn is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use setspn, you must run the setspn command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

To read more about setspn, please refer to the TechNet article in the reference section below. In my case, I wanted to see all SPN records assigned to the Server02 AD account, so I ran it in the format below:

setspn.exe -L Contoso\Server02$

And got below output:

Registered ServicePrincipalNames for CN=Server02,DC=contoso,DC=com:
MSServerClusterMgmtAPI/SERVER02.contoso.com
MSServerClusterMgmtAPI/SERVER02
WSMAN/SERVER02
WSMAN/SERVER02.contoso.com
TERMSRV/SERVER02
TERMSRV/SERVER02.contoso.com
RestrictedKrbHost/SERVER02
HOST/SERVER02
RestrictedKrbHost/SERVER02.contoso.com
HOST/SERVER02.contoso.com

This looked pretty much right to me, so I wasn't sure where the error was coming from.

Resolution: It turns out we had Kerberos logging enabled on the server via the registry, which is why all these noisy errors were being written to the System log.

Basically, if you see multiple Security-Kerberos errors with event ID 3 in the System log and Extended Error: 0xc00000bb, they are noisy errors written because Kerberos logging is enabled, and they can be safely ignored.

To disable Kerberos event logging, change the value of the registry entry below to 0 or remove it altogether:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel


This registry change does NOT require a restart; it takes effect immediately, and you should stop seeing the noisy errors in your System log.
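An added example, not from the post, for the triage described above: it counts Security-Kerberos event ID 3 entries on the local server, separates the 0xc00000bb logging noise from any other extended error code that still deserves a look, reports the LogLevel value at the registry path above, and can reset it to 0 as the post does by hand. The function name and the -Hours window are my own; run it from an elevated PowerShell.

```powershell
# Added example, not from the post. Run elevated on the server that logs the events.
function Test-KerberosEventNoise {
    param([int] $Hours = 24, [switch] $DisableLogging)

    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $logLevel = (Get-ItemProperty -Path $regPath -Name LogLevel -ErrorAction SilentlyContinue).LogLevel

    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 3
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Pull the error code and extended error out of each event's message text
    # (the same "Error Code:" / "Extended Error:" lines shown in the event above).
    $parsed = @(foreach ($e in $events) {
        $code = if ($e.Message -match 'Error Code:\s*(0x[0-9a-f]+)\s*(\S+)') { "$($Matches[1]) $($Matches[2])" } else { 'unknown' }
        $ext  = if ($e.Message -match 'Extended Error:\s*(0x[0-9a-f]+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ Time = $e.TimeCreated; ErrorCode = $code; ExtendedError = $ext }
    })
    $noise = @($parsed | Where-Object { $_.ExtendedError -eq '0xc00000bb' }).Count

    if ($DisableLogging -and $logLevel) {
        # Same change the post makes in the registry editor; no restart needed.
        Set-ItemProperty -Path $regPath -Name LogLevel -Value 0
    }

    [pscustomobject]@{
        KerberosLogLevel = if ($null -eq $logLevel) { 0 } else { [int]$logLevel }
        EventsInWindow   = $parsed.Count
        LoggingNoise     = $noise                      # 0xc00000bb with LogLevel set: ignorable
        NeedsAttention   = $parsed.Count - $noise      # any other extended error: look at these first
        ByErrorCode      = ($parsed | Group-Object ErrorCode | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

Test-KerberosEventNoise -Hours 48
```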

Conclusion: Make sure you disable any advanced logging you enable on your systems/servers once you've successfully diagnosed an issue. It can be a nuisance for other administrators and send them off track for a while until they figure out it's not related to what they're looking for. Kerberos errors with Extended Error: 0xc00000bb can be safely ignored.

For further details, please refer to articles below:

Hope you find the above information helpful. Thanks for reading!

May 12, 2014  Posted in: Active Directory, Windows OS