Creating Multiple Mailboxes Using Powershell in Exchange 2010

In many situations you may need to create multiple Exchange 2010 mailboxes on your server. You can create users in bulk in Exchange 2010 using the basic steps below.

Step 1: Create a CSV file containing the users' information and save it on the Exchange server. In my case it is saved on drive C:\.

Step 2: Open the EMS and run the command below.

Import-Csv "C:\Bulk-User\NewUserstest.csv" | ForEach-Object { New-Mailbox -FirstName $_.FirstName -LastName $_.LastName -Name $_.name -DisplayName $_.DisplayName -Alias $_.alias -UserPrincipalName $_.LoginID -SamAccountName $_.SamAccountName -Database $_.Database -OrganizationalUnit $_.OU -Password (ConvertTo-SecureString $_.password -AsPlainText -Force) -ResetPasswordOnNextLogon $true }

The resulting output is displayed on the screen (the screenshot is not reproduced here).

Important: One more parameter has been added: ResetPasswordOnNextLogon is set to $true so that users must change their password at next logon.
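The one-liner above stops at the first bad row and gives no record of what was created. The script below is an added example, not the original post's command: it validates the CSV header and each row, skips aliases that already resolve to a recipient, and logs every outcome so the batch can be audited afterwards. The CSV path and column names are the ones the post uses; the log path and the Write-Log helper are assumptions. It is written for PowerShell 2.0, which the Exchange 2010 EMS runs on.

```powershell
# Added example (not the original post's one-liner). Column names match the
# post's CSV: FirstName, LastName, name, DisplayName, alias, LoginID,
# SamAccountName, Database, OU, password. The log path is an assumption.
$csvPath  = "C:\Bulk-User\NewUserstest.csv"
$logPath  = "C:\Bulk-User\NewUserstest.log"
$required = "FirstName","LastName","name","DisplayName","alias",
            "LoginID","SamAccountName","Database","OU","password"

function Write-Log ([string]$Message) {
    Add-Content -Path $logPath -Value ("{0:s} {1}" -f (Get-Date), $Message)
    Write-Host $Message
}

$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0) { throw "No rows found in $csvPath" }

# Fail early on a wrong header instead of failing on every row
$columns = $rows[0].PSObject.Properties | ForEach-Object { $_.Name }
$missing = $required | Where-Object { $columns -notcontains $_ }
if ($missing) { throw ("CSV is missing column(s): " + ($missing -join ", ")) }

foreach ($row in $rows) {
    # Every required field must be filled in; a blank OU or Database would
    # silently put the mailbox somewhere you did not intend
    $blank = $required | Where-Object { [string]::IsNullOrEmpty($row.$_) }
    if ($blank) { Write-Log "SKIP $($row.alias): empty field(s) $($blank -join ', ')"; continue }

    # Do not touch an alias that already resolves to a recipient
    if (Get-Recipient -Identity $row.alias -ErrorAction SilentlyContinue) {
        Write-Log "SKIP $($row.alias): recipient already exists"; continue
    }

    try {
        $secure = ConvertTo-SecureString $row.password -AsPlainText -Force
        New-Mailbox -FirstName $row.FirstName -LastName $row.LastName `
            -Name $row.name -DisplayName $row.DisplayName -Alias $row.alias `
            -UserPrincipalName $row.LoginID -SamAccountName $row.SamAccountName `
            -Database $row.Database -OrganizationalUnit $row.OU `
            -Password $secure -ResetPasswordOnNextLogon $true -ErrorAction Stop | Out-Null
        Write-Log "OK   $($row.alias)"
    } catch {
        Write-Log "FAIL $($row.alias): $($_.Exception.Message)"
    }
}
# The CSV holds the initial passwords in clear text: delete it once the run is verified.
```

Run it once with -WhatIf appended to the New-Mailbox call to see which rows would be created, then run it for real; the log file is the record of which rows were skipped and why.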


Exchange Server 2007/2010 interview questions and answers – Part 2

Dear All, this is the second part, I hope the below question bank will help you.

Click here for Part 1


Exchange Transport Role

1. Where does Exchange 2007 get its routing topology from?
Exchange 2007 uses the Active Directory site topology to determine how messages are transported in the organization. The Hub Transport server uses the Active Directory Topology service to retrieve the Exchange organization’s configuration information. Unlike earlier versions of Exchange, Exchange 2007 does not use a link state routing table and does not try to calculate an alternative route when a connection is unavailable.

2. What is a Mail Relay? Name a few known mail relay software or hardware options?
3. What’s a Smart Host? When would you configure and use it?
4. What is Send Connector?
Send Connector

5. What are Receive Connectors? Provide the two default Receive connector names.
Receive Connector: By default, when you install the Hub Transport server role, two Receive connectors exist. No additional Receive connectors are needed, and the default Receive connectors do not require any further configuration changes.


Default Receive connectors:
(A) Client <Servername>: This Receive connector accepts SMTP connections from all non-MAPI clients, such as POP and IMAP. This connector listens on port 587.
(B) Default <Servername>: This Receive connector accepts connections from Edge Transport servers to receive messages from the Internet, and from other Hub Transport servers. This connector listens on port 25.

What’s the major issue blocking you from receiving e-mail from the world, considering you’ve enabled the right port(s) on the firewall, and properly configured MX records for your domain(s)?
6. What’s the difference between the “Client” and the “Default” Receive Connectors?
You’re looking to troubleshoot e-mail delivery issues. Name 4 options/tools/logs that are built into Exchange 2007/2010 that can help you in your task.

7. How do you enable the Anti-Spam features on the HT role, and what is the recommendation?
8. Where does the Edge role store its settings?
The Edge Transport server role does not have access to Active Directory. The Edge Transport server stores all configuration and recipient information in ADAM. Because Active Directory and ADAM both use the Lightweight Directory Access Protocol (LDAP), and because both directory services use the Exchange 2007 schema, you can replicate data from Active Directory to ADAM.

Types of Data Replicated to ADAM
A. Edge Subscription information
Provision and maintain the credentials to help secure the LDAP connection.
Arbitrate the synchronization lock and lease process.
Optimize the EdgeSync synchronization process

B. Configuration information
Hub Transport servers
Accepted domains
Message classifications
Remote domains
Send connectors
Internal SMTP servers
Domain Secure lists

C. Recipient information
Recipients
Proxy addresses
Safe Senders List and Safe Recipients List
Per recipient anti-spam settings

D. Topology information
Notification of newly subscribed Edge Transport servers. This data is refreshed every five minutes.

9. How do you enable high availability and load balancing on Edge servers?
10. What is an Edge Subscription, and what is the process to enable it?
The Exchange 2007 Edge Transport server role is always deployed in the organization's DMZ (perimeter) network. The Edge Transport server handles all Internet mail flow. It also provides additional protection and security through a series of agents running on the Edge Transport server. These agents protect messages against viruses and spam and apply transport rules to control message flow.

Subscribing an Edge Transport server is optional; it provides anti-spam features, recipient lookup and safelist aggregation, and secure SMTP communication.

Edge Subscription Process
A. Make sure that the Hub Transport servers and the Edge Transport server can resolve each other's FQDNs using DNS.
B. Run the New-EdgeSubscription cmdlet in the EMS on the Edge Transport server to export the Edge Subscription file.
C. Copy the Edge Subscription file to a Hub Transport server.
D. Run the New-EdgeSubscription cmdlet in the EMS (or use the EMC) to import the Edge Subscription file.

11. What is the default replication interval for EdgeSync, and what are the steps to force replication?
When the Edge server starts, the Microsoft Exchange EdgeSync service starts and establishes a synchronization schedule.
Configuration data is synchronized to ADAM once every hour.
Recipient data is synchronized to ADAM once every four hours.

You cannot modify the synchronization intervals.

Steps to force EdgeSync replication
Use the EMS to immediately start synchronization of data from Active Directory to the subscribed Edge Transport servers. Run the command below on the Hub Transport server.

Start-EdgeSynchronization -Server <Hub Transport server name>

12. What ports are required to be open between the DMZ holding the Edge role and the internal network?

13. How do you configure e-mail routing to be able to send e-mail externally (to the Internet), and what do you need to do?

14. What are the default connectors created during the Exchange Edge subscription?

When the EdgeSync synchronization process runs, it creates two Send connectors, which are then replicated to ADAM.
A Send connector that is configured to relay e-mail messages from the Exchange organization to the Internet.
Connector Name: EdgeSync – <Site Name> to Internet

A Send connector that is configured to relay e-mail messages from the Edge Transport server to the Exchange organization.
Connector Name: EdgeSync – Inbound to <Site Name>

Properties of the two connectors:

Name: EdgeSync – <Site Name> to Internet
Address Space: SMTP:*;100
Source Servers: Edge Subscription name
Enabled: TRUE
DNS Routing Enabled: TRUE
Domain Secure Enabled (Mutual Auth TLS): TRUE

Name: EdgeSync – Inbound to <Site Name>
Address Space: SMTP:--;1
Source Servers: Edge Subscription name
Enabled: TRUE
DNS Routing Enabled: FALSE

Note: The name of the Edge Subscription is the same as the name of the subscribed Edge Transport server.
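Questions 10, 11 and 14 together describe one procedure: export the subscription on the Edge server, import it on a Hub server, force a sync, and check what EdgeSync created. The EMS session below is an added example, not from the original post. The server names (NAKIT-EDGE01 as the Edge Transport server, NAKIT-HUB01 as a Hub Transport server in site MySite1) and the XML file path are assumptions; the cmdlets and parameters are the Exchange 2007/2010 ones.

```powershell
# Added example (not from the original post). Server and file names are
# assumptions: NAKIT-EDGE01 is the Edge Transport server, NAKIT-HUB01 a Hub
# Transport server in site MySite1, and the XML path is arbitrary.

# --- 1. On the Edge Transport server (EMS): export the Edge Subscription file
New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"

# --- 2. Copy the file to the Hub Transport server, then import it there (EMS).
#        -FileData expects the file contents as a byte array.
$fileData = [byte[]]$(Get-Content -Path "C:\EdgeSubscriptionInfo.xml" -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site "MySite1" `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# --- 3. Do not wait for the hourly / four-hourly schedule: push a full sync now
Start-EdgeSynchronization -Server "NAKIT-HUB01" -ForceFullSync

# --- 4. Verify the subscription is healthy before trusting Internet mail flow to it.
#        SyncStatus should be Normal and FailureDetail empty.
Test-EdgeSynchronization -FullCompareMode |
    Format-List Name, SyncStatus, LastSynchronizedUtc, LeaseHolder, FailureDetail

# --- 5. The two Send connectors EdgeSync created (question 14): address space,
#        DNS routing and Domain Secure settings as listed in the table
Get-SendConnector | Where-Object { $_.Name -like "EdgeSync*" } |
    Format-Table Name, AddressSpaces, Enabled, DNSRoutingEnabled, DomainSecureEnabled -AutoSize
```

Steps 1 and 2 run on different servers: the file only needs to be readable by the EMS on the Hub server, and it expires if it is not imported within a short time, so import it as soon as it is copied.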

15. What are Accepted Domains, and what is the difference between the Accepted Domain types?

Exchange Mailbox Role


What is the OAB? When is it used, and what are the OAB distribution options?
What is the GAL and when would you decide to create more than one GAL?
What are the major changes in the way Exchange 2007 stores work?
What’s a Recovery Storage Group? How do you work with one?
Can you use Exmerge in Exchange 2007/2010? Why?
How do you export a mailbox content in Exchange 2007/2010?
What’s a Dial Tone recovery?
Describe the concept behind Log Shipping.
What’s the difference between LCR, CCR and SCR and SCC?
What are the high availability solutions introduced in Exchange Server 2010?
What is DAC and when does it need to be enabled?
What’s the major difference in store high availability in Exchange 2007?
What Exchange edition version do you need for LCR? What Windows edition version do you need for LCR?
How do you recover from a store corruption when using LCR? Name the procedures you would use.
What are the major changes in the way Exchange 2010 stores work? Name some of the changes in comparison with Exchange 2003 and Exchange 2007.


Exchange Tools, Backup
1. What are Eseutil and Isinteg? Name a few scenarios for using both tools.
Eseutil
Isinteg
Scenarios when you need these utilities:
When there is logical corruption in a database.
When there is a lot of free white space in the Exchange database.
When the disk holding the Exchange database is about to fill up and you need to free disk space.

For more details go to URL

2. What backup solutions are you familiar with in Exchange 2007/2010?
3. What built-in tool do you have to allow you to manage Exchange store recoveries?
4. What is the difference between an online and an offline defrag?
5. What are streaming backups and VSS backups?
6. How would you backup Exchange 2007/2010 on a Windows Server 2008/R2 machine without using 3rd-party tools?
7. What’s a Brick-Level backup?
8. What is Role Based Access Control (RBAC)?

Redirect /OWA login page to IIS default directory


Objective: Users in your organization do not like typing https://webmail.nakshatrait.com/owa; they want the OWA login page to open by typing just https://webmail.nakshatrait.com.


If Using Windows server 2003

1. Log on to the CAS server.
2. Open the IIS Manager.
3. Open the properties of the Default Web Site.
4. Under the Home Directory tab, do the following:

(a) Choose "A redirection to a URL".
(b) Type /owa in the text box.
(c) Check the "directory under this one" radio button.

5. Click "Apply", then "OK", and exit the IIS Manager.
6. Go to Run and type IISReset.

Testing: Test the setting by opening the webmail page without typing /owa. Now it should take you directly to the OWA Logon page.


If using Windows server 2008

Step 1: Install the HTTP Redirection feature in IIS using Add Role Services.
1. Open Server Manager.
2. Expand Roles.
3. Select IIS (Web Server).
4. Click Add Role Services in the Actions pane.
5. Check HTTP Redirection and install it.

Step 2: Redirect HTTP requests from the Default Web Site to the OWA virtual directory.
1. Open IIS Manager.
2. Expand Sites, then click Default Web Site.
3. In the middle pane, highlight and open the HTTP Redirect feature.
4. Click to select the option "Redirect requests to this destination".
5. Enter the path to your OWA, e.g. https://webmail.nakshatrait.com/owa.
6. Click Apply.
7. Restart the IIS service.

Testing: Test the setting by opening the webmail page without typing /owa. Now it should take you directly to the OWA Logon page.
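The same Windows Server 2008 configuration can be scripted with appcmd.exe, which is useful when you have several CAS servers to keep identical. The script below is an added example, not from the original post. The site name and the OWA URL are the ones the post uses; the list of child virtual directories is what a default Exchange 2010 Client Access installation creates and is an assumption for your server. It also handles the one thing the GUI steps above do not mention: the redirect setting is inherited by every virtual directory under the Default Web Site, so it must be switched off again on /owa and its siblings or the /owa request itself is redirected to /owa in a loop.

```powershell
# Added example (not from the original post): the IIS 7 HTTP Redirect done with
# appcmd.exe instead of the IIS Manager GUI. Site name and URL are the post's;
# the child virtual directory list is an assumption for a default Exchange 2010 CAS.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = "Default Web Site"
$target = "https://webmail.nakshatrait.com/owa"

# Step 2 of the post: redirect requests to the site root. childOnly is the GUI's
# "Only redirect requests to content in this directory (not subdirectories)";
# Found (302) keeps browsers from caching the redirect permanently.
& $appcmd set config $site /section:system.webServer/httpRedirect `
    /enabled:true "/destination:$target" /childOnly:true /httpResponseStatus:Found

# The setting is inherited by every virtual directory beneath the site. Left
# enabled on /owa it redirects /owa to /owa, so disable it explicitly on each
# Exchange virtual directory.
$exchangeVdirs = "owa", "ecp", "EWS", "Autodiscover", "OAB",
                 "Microsoft-Server-ActiveSync", "PowerShell", "Rpc", "aspnet_client"
foreach ($vdir in $exchangeVdirs) {
    & $appcmd set config "$site/$vdir" /section:system.webServer/httpRedirect /enabled:false
}

# Step 7 of the post
iisreset

# Show the effective setting at the root and on /owa to confirm the result:
# enabled="true" on the site, enabled="false" on the virtual directory
& $appcmd list config $site /section:system.webServer/httpRedirect
& $appcmd list config "$site/owa" /section:system.webServer/httpRedirect
```

Test afterwards exactly as described above: open https://webmail.nakshatrait.com and confirm it lands on the OWA logon page, then open the /owa URL directly and confirm it does not loop.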

Active Directory Interview Questions and Answers

1. What is AD?
Active Directory is a centralized database that contains information about objects and their attributes, such as users, groups, computers, printers, OUs, contacts and shared folders, domains, forests, replication and trusts.
2. What are the components of AD?
  • Logical structure components: Domains, Trees, Forests and OUs.
  • Physical structure components: Sites and Domain Controllers.
3. What is the protocol used by AD for directory access?
LDAP (Lightweight Directory Access Protocol)
4. What are the naming conventions used by LDAP?
  • DN (Distinguished Name): CN=mycomputer,OU=MyOrganizationalUnit,DC=nakshatraitlabs,DC=com
  • RDN (Relative Distinguished Name):
  • UPN (User Principal Name):
  • GUID (Globally Unique Identifier)
  • Canonical Name: Microsoft.com/MyOrganizationalUnit/
5. What is a Forest?
A collection of trees that do not share a contiguous namespace.
6. What is a Domain?
A domain is a collection of computers connected together with a server and users.
7. How to promote DC on a member server?
Start > Run > Type DCPROMO
8. What are the additional tools found after installing a DC?
Active Directory User and Computers,
Active Directory Sites and Services,
Active Directory Domain & Trust,
Domain Controller Security Policy,
Domain Security Policy
9. What are the different functional levels in 2003?
Domain functional level:
Forest functional level:
10. What are the different operations masters in 2003, and what is the impact if any one of them is down?
Schema Master: Responsible for the overall management, structure and design of the schema. There is only one Schema Master in the entire forest.
Domain Naming Master: Responsible for the addition or removal of domains and for maintaining unique domain names. There is only one Domain Naming Master in the entire forest.
PDC Emulator: Responsible for providing backward compatibility for NT BDCs; in mixed mode it acts like a PDC for the BDCs. It receives password changes and synchronizes time between DCs. There is only one PDC Emulator per domain.
Infrastructure Master: Responsible for updating user and group references and updating the Global Catalog. There is only one Infrastructure Master per domain.
RID Master: The Relative Identifier master is responsible for assigning unique IDs to the objects created in AD. There is only one RID Master per domain.
11. How do you change the DS Restore admin password?
Start > Run > type ‘ntdsutil’ and click OK.
C:\Ntdsutil>set dsrm password
C:\Ntdsutil\set dsrm password>Reset password
C:\Ntdsutil\set dsrm password>quit
C:\Ntdsutil >quit
12. What are the scopes of Groups?
Local groups: These are truly local, defined on and available to a single computer. Local groups are created in the security accounts manager (SAM) database of a domain member computer; both workstations and servers have local groups.
Membership: A local group can include as members:
• Any security principals from the domain: users, computers, global groups, or domain local groups.
• Users, computers, and global groups from any domain in the forest.
• Users, computers, and global groups from any trusted domain.
• Universal groups defined in any domain in the forest.
Domain Local Groups: Domain local groups are used primarily to manage permissions to resources.
Membership: A domain local group can include as members:
• Any security principals from the domain: users, computers, global groups, or other domain local groups.
• Users, computers, and global groups from any domain in the forest.
• Users, computers, and global groups from any trusted domain.
• Universal groups defined in any domain in the forest.
Global Groups: Global groups are used primarily to define collections of domain objects based on business roles.
Membership: A global group can include as members users, computers, and other global groups from the same domain only.
Universal Groups: A universal group is defined in a single domain in the forest but is replicated to the global catalog. Universal groups are useful in multi-domain forests. They let you define roles, or manage resources, that span more than one domain.
Membership: A universal group can include as members users, global groups, and other universal groups from any domain in the forest.
Group scope membership summary:

Local
  Members from the same domain: Users, Computers, Global groups, Universal groups, Domain local groups, Local users defined on the same computer as the local group
  Members from another domain in the same forest: Users, Computers, Global groups, Universal groups
  Members from a trusted external domain: Users, Computers, Global groups

Domain Local
  Members from the same domain: Users, Computers, Global groups, Universal groups, Domain local groups
  Members from another domain in the same forest: Users, Computers, Global groups, Universal groups
  Members from a trusted external domain: Users, Computers, Global groups

Global
  Members from the same domain: Users, Computers, Global groups
  Members from another domain in the same forest: N/A
  Members from a trusted external domain: N/A

Universal
  Members from the same domain: Users, Computers, Global groups, Universal groups
  Members from another domain in the same forest: Users, Computers, Global groups, Universal groups
  Members from a trusted external domain: N/A
13. What are Directory Partitions?
To scale to tens of millions of objects, a forest is partitioned into domains. Each Active Directory domain controller can be a member of one domain, and domain controllers within the same domain contain the same information. Domain controllers from different domains share the same configuration and schema data, but they do not share the same domain data. The means to distributing storage in this manner is the directory partition , which is also called a “naming context.”
In Active Directory, a directory partition is a portion of the directory namespace. Each directory partition contains a hierarchy of directory objects in the directory tree. The same directory partition can be stored as copies on many domain controllers.
Schema: Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects, in cn=schema,cn=configuration,dc=<forestRootDomain>. Updates to this container are replicated to all domain controllers in the forest. You can view the contents of the Schema container in the Active Directory Schema console.
Configuration: Contains the Configuration container, which stores configuration objects for the entire forest, in cn=configuration,dc=<forestRootDomain>. Updates to this container are replicated to all domain controllers in the forest. Configuration objects store information about sites, services, and directory partitions. You can view the contents of the Configuration container by using ADSI Edit.
Domain: Contains a <domain> container, which stores users, computers, groups, and other objects for a specific domain. Updates to the <domain> container are replicated only to domain controllers within the domain and to Global Catalog servers. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed.
Application directory partitions: An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
14. What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
LDAP is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories.
The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory.
15. Where is the AD database stored?
AD stores its database in "C:\Windows\NTDS\ntds.dit" by default; the location can be changed during or after DC promotion.
Some other files are generated in the NTDS folder:
ntds.dit – The actual AD database file where the objects and their information are written.
edb.log – Transactions are written to this log before being written to the AD database.
res1.log – A reserve log file that provides space during low-disk-space conditions.
res2.log – The second reserve log file, used when res1 is filled.
edb.chk – The checkpoint file; it records the last transaction written into the AD database.
16. What is AD replication and difference between Intersite and Intrasite replication?
The AD directory service maintains an exact copy of the directory data on all domain controllers in a forest, which ensures that all updated directory information is available to all users.
All domain controllers within a forest hold a replica of the schema and configuration partitions for that forest, and all domain controllers within a particular domain hold a replica of the domain partition for their domain.
Application directory partitions hold directory data specific to a particular application and can be stored by domain controllers belonging to different domains.
Active Directory uses remote procedure call (RPC) over Internet Protocol (IP) to transfer replication data between domain controllers. RPC over IP is used for both intersite and intrasite replication. To keep data secure while in transit, RPC over IP replication uses both authentication and data encryption.
Intrasite Replication: The replication that occurs among all domain controllers within one AD site is called intrasite replication. The Active Directory Knowledge Consistency Checker (KCC) builds the intrasite replication topology using a bidirectional ring design. The bidirectional ring topology attempts to create at least two connections to each domain controller (for fault tolerance) and no more than three hops between any two domain controllers.
Intersite Replication: The replication that occurs between domain controllers in two or more different AD sites is called intersite replication. The Active Directory Knowledge Consistency Checker (KCC) builds the intersite replication topology using a least-cost spanning tree design.
One domain controller per site, called the intersite topology generator, is assigned to build the topology.
17. What are the tools used in Active Directory?
DCDiag, NETDiag, Repadmin, Replmon, NLTest
18. What is the tombstone lifetime in Active Directory?
The tombstone lifetime in Active Directory determines how long a deleted object (called a "tombstone") is retained in Active Directory. The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.
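Questions 17 and 18 are related in practice: the tombstone lifetime is the longest a DC may go without replicating before it must not be reconnected (it would reintroduce deleted objects as lingering objects), and repadmin is the tool that tells you how long each partner has gone. The script below is an added example, not from the original post. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT) and repadmin.exe are available, and the function names are my own; the attribute path and the repadmin CSV column names are the real ones.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# (Windows Server 2008 R2 RSAT) and repadmin.exe. Function names are assumptions.
Import-Module ActiveDirectory

# Q18: read the forest-wide tombstone lifetime from the Directory Service object
# in the configuration partition. When the attribute is not set, the effective
# value is the 60-day default of forests created before Windows Server 2003 SP1.
function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

# Q17: "repadmin /showrepl * /csv" lists every inbound replication link of every
# DC; keep the links that are failing, with the error code of the last attempt
function Get-FailedReplicationLinks {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

# A partner whose last successful replication is older than the tombstone
# lifetime must not simply be reconnected; flag those links explicitly
function Get-PartnersPastTombstone {
    $limit = (Get-Date).AddDays(-(Get-TombstoneLifetimeDays))
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object {
            $last = $_.'Last Success Time' -as [datetime]   # "(never)" etc. become $null
            $last -and $last -lt $limit
        } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time'
}

"Tombstone lifetime (days): $(Get-TombstoneLifetimeDays)"
Get-FailedReplicationLinks | Format-Table -AutoSize
Get-PartnersPastTombstone  | Format-Table -AutoSize
```

An empty result from both functions is the healthy case. Anything listed by Get-PartnersPastTombstone is a candidate for metadata cleanup rather than repair.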
19. What are the trusts in Active Directory?
20.  What are the port in `
21.

DNS Interview Questions and Answers

Interview questions and answers on DNS server in Windows 2003 and 2008

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Q1. What is DNS?
Domain Name System is a service that can be installed on any Windows server operating system to resolve names to IP addresses and vice versa. TCP/IP networks, such as the Internet, use DNS to locate computers and services through user-friendly names.

Q2. What is DDNS?
Dynamic DNS or DDNS is a method of updating, in real time, a Domain Name System to point to a changing IP address on the Internet. This is used to provide a persistent domain name for a resource that may change location on the network.

Q3. What are the resource records in DNS?

  • A (Address) Maps a host name to an IP address. When a computer has multiple adapter cards and IP addresses, it should have multiple address records.
  • CNAME (Canonical Name) Sets an alias for a host name. For example, using this record, zeta.tvpress.com can have an alias as www.tvpress.com.
  • MX (Mail Exchange) Specifies a mail exchange server for the domain, which allows mail to be delivered to the correct mail servers in the domain.
  • NS (Name Server) Specifies a name server for the domain, which allows DNS lookups within various zones. Each primary and secondary name server should be declared through this record.
  • PTR (Pointer) Creates a pointer that maps an IP address to a host name for reverse lookups.
  • SOA (Start of Authority) Declares the host that is the most authoritative for the zone and, as such, is the best source of DNS information for the zone. Each zone file must have an SOA record (which is created automatically when you add a zone).

Q4. What are Forward and Reverse Lookups?

  • Forward Lookup: When a name query is sent to the DNS server to obtain the IP address for a name, it is called a forward lookup.
  • Reverse Lookup: DNS also provides a reverse lookup process, enabling clients to use a known IP address during a name query and look up a computer name based on its address.

Q5. What is Primary zone?
This is the read/write copy of a zone file in the DNS namespace. It is the primary source of information about the zone and stores the master copy of the zone data in a local file or in AD DS. By default the primary zone file is named zone_name.dns and kept in the %windir%\System32\DNS folder on the server.

Q6. What is a Secondary zone?
This is a read-only copy of a zone file in the DNS namespace. It is a secondary source of information about the zone and gets updated information from the master copy on the primary zone. Network access to the primary server must be available. As a secondary zone is merely a copy of a primary zone hosted on another server, it cannot be stored in AD DS.

Q7. What is stub Zone?
A stub zone is a read-only copy of a zone that contains only those resource records which are necessary to identify the authoritative DNS servers for that particular zone. A stub zone is used in practice to resolve names between separate DNS namespaces. This type of zone is generally created after a corporate merger or acquisition, when DNS servers for two separate DNS namespaces must resolve names for clients in both namespaces.

A stub zone contains:
The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone.

Q8. What is Caching Only Server?
Caching-only servers are DNS servers that only perform name resolution queries, cache the answers, and return the results to the client. Once a query result is stored in the cache, the next time that query is resolved locally from the cache instead of going to the authoritative server.

Q9. What is Aging and Scavenging?
DNS servers running Windows Server support aging and scavenging features. These features are provided as a mechanism to perform cleanup and removal of stale resource records from the server and zone. This feature removes the dynamically created records when they are stamped as stale.

By default, the aging and scavenging mechanism for the DNS Server service is disabled.

Scavenging and aging must be enabled both on the DNS server and on the zone.
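Because the feature has to be enabled in two places, it is easy to do half the job and wonder why stale records never disappear. The script below is an added example, not from the original post: it turns aging and scavenging on with dnscmd.exe at the server level and at the zone level, then reads the zone settings back to confirm. The server name, zone name and intervals are assumptions; the dnscmd switches are the real Windows 2003/2008 ones, and the intervals are in hours.

```powershell
# Added example (not from the original post). Server, zone and intervals are
# assumptions; dnscmd.exe switches are the Windows Server 2003/2008 ones.
$dnsServer      = "NAKIT-RDC01"
$zone           = "nakshatrait.com"
$noRefreshHours = 168   # 7 days: after a refresh, the timestamp cannot be updated again within this window
$refreshHours   = 168   # 7 days: then the record must be refreshed within this window or it is stale
$scavengeHours  = 168   # how often the server runs a scavenging pass

# Level 1: the server. Enabling scavenging here alone does nothing to any zone.
dnscmd $dnsServer /Config /ScavengingInterval $scavengeHours
dnscmd $dnsServer /Config /DefaultAgingState 1
dnscmd $dnsServer /Config /DefaultNoRefreshInterval $noRefreshHours
dnscmd $dnsServer /Config /DefaultRefreshInterval $refreshHours

# Level 2: the zone. Only dynamically registered records carry timestamps and
# are candidates; records created by hand (static) are never scavenged.
dnscmd $dnsServer /Config $zone /Aging 1
dnscmd $dnsServer /Config $zone /NoRefreshInterval $noRefreshHours
dnscmd $dnsServer /Config $zone /RefreshInterval $refreshHours

# Confirm: /ZoneInfo prints the zone's Aging flag, RefreshInterval,
# NoRefreshInterval and the scavenge servers list
dnscmd $dnsServer /ZoneInfo $zone
```

A record is only removed once the no-refresh plus refresh intervals have both elapsed since its last timestamp and a scavenging pass has run, so with the values above expect stale records to survive for at least 14 days after they stop being refreshed.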

Q10. What is SRV record in DNS?
The SRV record is a resource record in DNS that is used to identify or point to a computer that hosts specific services, e.g. Active Directory.

Q11. What is Forwarding in DNS?
A forwarder is a feature of the DNS server that is used to forward DNS queries for external DNS names to DNS servers outside of that network. We can configure a DNS server as a forwarder to forward name queries to other DNS servers in the network when they cannot be resolved locally by that DNS server.

Q12. What is Conditional Forwarding in DNS?
We can configure the DNS server to forward queries according to specific domain names using conditional forwarders. In this case the query is forwarded to the IP address configured for that DNS domain name.

Q13. What are the query types in DNS?

  • Recursive Query: These name queries are generally made by a DNS client to a DNS server, or by a DNS server that is configured to pass unresolved name queries to another DNS server, as in the case of a DNS server configured to use a forwarder.
  • Iterative Query: An iterative name query is one in which a DNS client allows the DNS server to return the best answer it can give based on its cache or zone data. If the queried DNS server does not have an exact match for the queried name, the best possible information it can return is a referral. The DNS client can then query the DNS server for which it obtained a referral. It continues this process until it locates a DNS server that is authoritative for the queried name, or until an error or time-out condition is met.

Q14. What are the tools for troubleshooting DNS?
DNS Console, NSLOOKUP, DNSCMD, IPCONFIG, DNS Logs.

Q15. How do you check DNS health?
Using the DCdiag.
i.e. (dcdiag /test:dns /v /e)

Perform Active Directory Metadata Cleanup

I hope this article will help you to perform metadata cleanup in the following situations:

  1. After unsuccessful demote on a domain controller.
  2. Domain controller is down and passed tombstone limit.

Infrastructure Details:
Forest Name: NAKSHATRAIT.COM
Domain Name: NAKSHATRAIT.COM
Site Name: MySite1
Domain Controller (MySite1): DC1= NAKIT-RDC01,  DC2= NAKIT-ADC01
Perform metadata cleanup in Windows Server 2003

In Windows Server 2000/2003, you can use the Ntdsutil.exe utility to run metadata cleanup and manually remove the NTDS Settings object.

To clean up metadata

1. Log on to the main domain controller, open the command line, type Ntdsutil and then press ENTER.

C:\WINDOWS>ntdsutil
ntdsutil:

2. At the Ntdsutil: prompt, type metadata cleanup and press Enter.

ntdsutil: metadata cleanup
metadata cleanup:

3. At the metadata cleanup: prompt, type connections and press Enter.

metadata cleanup: connections
server connections:

4. At the server connections: prompt, type connect to server <servername>, and Press Enter.
Note: <servername> is any functional domain controller in the same domain from which you plan to clean up the metadata of the failed domain controller.

server connections: connect to server NAKIT-RDC01
Binding to NAKIT-RDC01 ..
Connected to NAKIT-RDC01 using credentials of locally logged on user.
server connections:

Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.
5. Type quit and press Enter to return you to the metadata cleanup: prompt.

server connections: quit
metadata cleanup:

6. Type select operation target and press Enter.

metadata cleanup: Select operation target
select operation target:

7. Type list domains and press Enter. This lists all domains in the forest with a number associated
with each.

select operation target: list domains
Found 1 domain(s)
0 - DC=NAKSHATRAIT,DC=COM
select operation target:

8. Type select domain <number>, where <number> is the number corresponding to the domain
in which the failed server was located. Press Enter.

select operation target: Select domain 0
No current site
Domain - DC=NAKSHATRAIT,DC=COM
No current server
No current Naming Context
select operation target:

9. Type list sites and press Enter.

select operation target: List sites
Found 1 site(s)
0 - CN=MySite1,CN=Sites,CN=Configuration,DC=NAKSHATRAIT,DC=COM
select operation target:

10. Type select site <number>, where <number> refers to the number of the site in which
the domain controller was a member. Press Enter.

select operation target: Select site 0
Site - CN=MySite1,CN=Sites,CN=Configuration,DC=NAKSHATRAIT,DC=COM
Domain - DC=NAKSHATRAIT,DC=COM
No current server
No current Naming Context
select operation target:

11. Type list servers in site and press Enter. This will list all servers in that site with a corresponding number.

select operation target: List servers in site
Found 2 server(s)
0 - CN= NAKIT-RDC01,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=NAKSHATRAIT,DC=COM
1 - CN= NAKIT-ADC01,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=NAKSHATRAIT,DC=COM
select operation target:

12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed.

select operation target: Select server 0
Site - CN=MySite1,CN=Sites,CN=Configuration,DC=NAKSHATRAIT,DC=COM
Domain - DC= NAKSHATRAIT,DC=COM
Server - CN= NAKIT-ADC01,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=NAKSHATRAIT,DC=COM
DSA object - CN=NTDS Settings,CN=NAKIT-ADC01,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=NAKSHATRAIT,DC=COM
DNS host name - NAKIT-ADC01.NAKSHATRAIT.COM
Computer object - CN=NAKIT-ADC01,OU=Domain Controllers,DC=NAKSHATRAIT,DC=COM
No current Naming Context
select operation target:

13. Type quit and press Enter.

select operation target: quit
metadata cleanup:

14. Type remove selected server and press Enter.
You will receive a warning message. Read it and press Yes.

metadata cleanup: Remove selected server
"CN=NAKIT-ADC01,CN=Servers,CN=MySite1,CN=Sites,CN=Configuration,DC=NAKSHATRAIT,DC=COM" removed from server "NAKIT-RDC01"
metadata cleanup:

15. Type quit, and press Enter until you return to the command prompt.

Perform metadata cleanup in Windows Server 2008/R2
You can use the below URL to perform the metadata cleanup on Windows Server 2008 Active directory domain controller.
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

Steps after performing metadata cleanup in Windows Server

1. Make sure you have deleted the computer account from Active Directory Users and Computers.
2. Make sure you have deleted the server object from Active Directory Sites and Services.
3. Also delete any DNS records for the server: Name Server (NS) and Host (A) records.
4. Let replication complete.

Exchange Server 2007/2010 interview questions and answers – Part 1

Dear All, I hope the question bank below will help you.

Click here for Part 2

Exchange General

1. What are the server roles in Exchange 2007?
2. What are the Exchange 2003 server role equivalents of the various Exchange Server 2007/2010 roles?

Exchange Server 2003 | Exchange Server 2007/2010
Front End Server (SMTP Service) | Hub Transport Server
Front End Server | Client Access Server
Back End Server | Mailbox Server
(none) | Edge Transport Server (new)
(none) | Unified Messaging Server

3. Name the system prerequisites for installing Exchange 2007.
4. Why don't we install Outlook on the same machine that runs Exchange 2007/2010?
5. Where does Exchange store its configuration settings?
6. How do you prepare AD for Exchange 2007?
7. How would you verify that the schema was in fact updated?
8. The installation folder root contains setup.com and setup.exe. Which would you use, and when?
9. What is PowerShell in Exchange Server, and what is one major benefit of PowerShell v2 over v1?
10. What's the difference between the Enterprise and Standard editions of Exchange in relation to the number and size of the stores on the server?
11. What is Cached Mode in Outlook 2007/2010?
12. What is S/MIME? What are the usage scenarios for S/MIME?
13. What are the E-Discovery features?
14. In Exchange 2007, what are the minimum requirements for implementing a high availability topology, in relation to the server roles and server numbers?

Exchange Recipient Level

1. What are the different Exchange Recipient types?

User mailbox: This mailbox is created for an individual user to store mail, calendar items, contacts, tasks, documents, and other business data.

Linked mailbox: This mailbox is created for an individual user whose account is in a separate, trusted forest. For example, the AD account exists in A.COM and the mailbox is created on the Exchange server in B.COM.

Shared mailbox: This mailbox is not primarily associated with a single user and is generally configured to allow logon access for multiple users.

Legacy mailbox: This mailbox resides on a server running Exchange Server 2003 or Exchange 2000 Server.

Room mailbox: This mailbox is created for a meeting location, such as a meeting or conference room, auditorium, or training room. When we create this mailbox, a disabled user account is created by default.

Equipment mailbox: A resource mailbox created for a non-location-specific resource, such as a portable computer, projector, microphone, or company car. When we create this mailbox, a disabled user account is created by default. Equipment mailboxes provide a simple and efficient way for users to use resources in a manageable way.

2. What is the difference between mail user and mail contact?

Mail user: This is an Active Directory user that represents an e-mail address outside your Exchange organization. Each mail user has an external e-mail address to which all messages sent to the mail user are routed.

Mail contact: This is an Active Directory contact that contains e-mail address information about people or organizations that exist outside your Exchange organization. Each mail contact has an external e-mail address. All messages sent to the mail contact are routed to this external e-mail address.

3. What is the difference between Distribution group and Dynamic Distribution group?

Mail-enabled (Universal distribution group): This is an Active Directory distribution group object that can be used only to distribute messages to a group of recipients.

Mail-enabled (Universal security group): A mail-enabled Active Directory security group object that can be used to grant access permissions to resources in Active Directory, and can also be used to distribute messages.

Mail-enabled (Non-universal group): This is an Active Directory global or local group object. Mail-enabled non-universal groups are de-emphasized in Exchange 2007 and can exist only if they were migrated from previous versions of Exchange. You cannot use Exchange 2007 to create new non-universal distribution groups.

Dynamic distribution group: A distribution group that uses recipient filters and conditions to derive its membership at the time messages are sent.


Exchange CAS Role

1. What is OWA?
OWA refers to Outlook Web Access. In Exchange 2007 it lets you access your e-mail from any Web browser. Outlook Web Access contains many new features such as meeting booking, Microsoft SharePoint Services and Windows file share integration, and a rich user experience from any computer that has a Web browser.

2. What is Exchange ActiveSync?
Exchange ActiveSync is a feature that synchronizes your e-mail data between your mobile device and the Exchange server. Using ActiveSync you can synchronize e-mail, contacts, calendar and tasks. Mobile devices running Windows Mobile software and Windows Mobile 5.0 are all supported.

3. What is the Availability service?

The Availability service provides free/busy information using secure, consistent, and up-to-date free/busy data to users that are running Outlook 2007. Outlook 2007 uses the Autodiscover service to obtain the URL of the Availability service.

4. What is the Autodiscover service?
This service enables Outlook clients and some mobile devices to receive their necessary profile settings directly from the Exchange server, by using the client's Active Directory domain credentials or the user's SMTP domain.

5. What is Outlook Anywhere, and how do you enable it?
The Outlook Anywhere feature (previously known as RPC over HTTP) lets your Internet-based Microsoft Outlook clients connect to your Exchange Server 2007. This feature, available with Exchange Server 2003 SP1 and Exchange 2007, eliminates the need to use virtual private networks (VPNs).

Outlook Anywhere can be enabled using either of the following:

Exchange Management Console
In the Exchange Management Console tree, expand Server Configuration, then click Client Access.
In the action pane, click Enable Outlook Anywhere.

Exchange Management Shell
Enable-OutlookAnywhere -Server <ServerName> -ExternalHostName <ExternalHostName> -ClientAuthenticationMethod Basic -IISAuthenticationMethods <MultiValuedProperty> -SSLOffloading:$false

Requirements for Outlook Anywhere
Install a valid Secure Sockets Layer (SSL) certificate from a trusted certification authority (CA).
Install the Windows RPC over HTTP Proxy component.

6. What certificates can be installed on Exchange 2007, and what are a few commercial CAs?
Wildcard certificate: Exchange Server supports certificates with wildcard names, such as *.nakshatrait.com. This is an acceptable choice, but be aware that some legacy clients and mobile devices do not support wildcard names on a certificate.

SAN certificate: This is the most widely used certificate type. It has one common name, such as webmail.nakshatrait.com, plus additional domain names that refer to other Exchange services, such as Autodiscover.nakshatrait.com, pop.nakshatrait.com and imap.nakshatrait.com.

7. How do you determine when to use certificates issued by public CAs and when to use self-signed certificates?
Whenever your users access Exchange components that require authentication and encryption from outside your corporate firewall, it is time to deploy a certificate issued by a public CA. For example, if users access Exchange ActiveSync, POP3, IMAP4 and Outlook Anywhere, you require a certificate issued by a public CA.

A self-signed certificate can be used by the Exchange 2007 components that use Kerberos, Direct Trust, or NTLM authentication. These are all internal Exchange 2007 components, because their data paths run between Exchange 2007 servers and within the corporate network defined by Active Directory.

8. Name the Exchange 2007 components that use certificates.
SMTP
EdgeSync synchronization
POP3 and IMAP4
Unified Messaging
Autodiscover
Client Access applications such as Outlook Anywhere, OWA, and Exchange ActiveSync

Exchange 2010 DR Site Failover and Fail back

Microsoft Exchange DR and high availability features have evolved a long way to reach the DAG in Exchange 2010. A DAG provides the features to recover Exchange 2010 databases from database, server or network failures. It uses asynchronous replication and the log replay technology concepts from Exchange 2007 CCR and SCR. The Exchange 2010 DAG provides more robust, easier and quicker HA and DR failover facilities. Let's understand how to create a DAG and how to fail over and fail back in a DR scenario, both within a site and across sites.

Current Infrastructure:

In our lab I have created two sites, each with the infrastructure listed in Table 1. The Mailbox role servers have two NICs: the NIC with IP address 172.x.x.x is for MAPI connections and the NIC with 10.x.x.x is for replication traffic. A router has to be configured between ASite and BSite for communication; to be more specific, both the 172.x.x.x and 10.x.x.x addresses must be reachable from the other mailbox servers in the same site and in the other site. This link has information on how to configure a Windows 2008 machine as a router using RRAS.

ASite – Primary Site

Server name | IP Address | Role
ADC | 172.168.1.1 | Domain Controller
AHC1 | 172.168.1.2 | Hub and CAS
AMBX1 | 172.168.1.3 (MAPI), 10.0.1.1 (Replication) | Mailbox Server
AMBX2 | 172.168.1.4 (MAPI), 10.0.1.1 (Replication) | Mailbox Server

Router (diagram not reproduced): ASite side NIC1 – 172.168.1.10, NIC2 – 10.0.2.10; BSite side NIC1 – 172.168.2.10, NIC2 – 10.0.2.10

BSite – Secondary Site

Server name | IP Address | Role
BDC | 172.168.2.1 | Domain Controller
BHC1 | 172.168.2.2 | Hub and CAS
BMBX1 | 172.168.2.3 (MAPI), 10.0.2.1 (Replication) | Mailbox Server

Table 1: LAB Infrastructure

Great, now we have the complete lab infrastructure for testing our DAG across the sites. I will just run through the steps for creating and configuring the DAG on the above infrastructure, as we will be focusing more on the failover and failback settings. If you want more in-depth details on DAG configuration, you can always refer to TechNet and some nice articles from Neil Hobson, Link 1 and Link 2.

We will begin by creating a DAG that spreads across the two sites, ASite and BSite. We need some details from both sites, and Table 2 below has all the required details. Let's create the DAG using those details.

Create a DAG

The DAG will spread across both sites; the information needed from each site is listed below.

DAG Name | DAG01
Witness Server | AHC1
Witness Directory | C:\DAG01Witness
Alternate Witness Server | BHC1
Alternate Witness Directory | C:\DAG01Witness
IP addresses (one from each site) | 172.168.1.9, 172.168.2.9

Table 2: Details for DAG Creation

Log in to the Mailbox role server AMBX1 in the primary site. Execute the command below in the PowerShell console to create a new DAG named DAG01, with the file share witness on the Hub Transport server AHC1 and one DAG IP address from each AD site (Figure 1). The file share witness is a server outside the DAG; it can be any server in the same AD site, and it is recommended to place it on a Hub Transport server. It is one of the important components of the DAG.

New-DatabaseAvailabilityGroup -Name DAG01 -WitnessServer AHC1 -WitnessDirectory C:\DAG01Witness -DatabaseAvailabilityGroupIPAddresses 172.168.1.9,172.168.2.9

Figure 1. New DAG Creation

Once the DAG is created we also need to configure an alternate file share witness on the DAG. The alternate file share witness is configured to point to the secondary site. If there is a disaster and the secondary site needs to be brought up, this file share witness directory will be used.

Let's understand with an example. Suppose there is a DR scenario, we fail over to the secondary site, and the secondary site is up and running with its Exchange servers and file share witness. If in the meantime the servers in the primary site come back up, the primary site has the majority of the nodes and also has a file share witness accessible from the primary site. This can cause the databases in the primary site to mount. This scenario is known as split-brain syndrome. To avoid this situation we configure the DAG in Datacenter Activation Coordination (DAC) mode.

Datacenter Activation Coordination

Datacenter Activation Coordination mode uses the DACP protocol. One of the DAG members will always have a special in-memory bit set to 1. Whenever a server wants to mount a database, it has to find a DAG member that has this bit set to 1 before it will mount the database. In the split-brain scenario above, when the primary site comes up, Active Manager checks whether the DAG is in DAC mode. If the DAG is running in DAC mode, the server starts with its DACP bit set to 0 and queries all the DAG members for a DACP bit of 1. If it can reach all the members, or finds a member with the DACP bit set to 1, then Active Manager on that DAG member sets its own DACP bit to 1 and mounts the database. If Active Manager cannot find a DAG member with the DACP bit set to 1, the database remains unmounted. This avoids split-brain syndrome.

Let's understand DAC with the above example: if the network between the primary and secondary datacenter is restored and the primary servers are also up, the databases that are in the unmounted state remain unmounted. This is because, during activation of the secondary site, the Exchange servers evict all the primary-site DAG servers from the DAG configuration. So the members in the primary site hold old information that is no longer valid, and this does not allow the primary-site Exchange servers to participate in the DAG.

This is exactly what we are trying to configure and achieve in the article.

Let's now configure the alternate file share witness using the PowerShell cmdlet shown below.

Set-DatabaseAvailabilityGroup -Identity DAG01 -AlternateWitnessDirectory C:\DAG01Witness -AlternateWitnessServer BHC1

Figure 2. Configuring the alternate file share witness

Once the DAG is created we can see its properties with the PowerShell cmdlet below. It has detailed information on the DAG such as the IP addresses and the file share witness (Figure 3).

Get-DatabaseAvailabilityGroup DAG01 | fl

Figure 3. Properties of the newly created DAG

Once the DAG is created we need to add members to it. Let's add all the mailbox servers from ASite and BSite into the DAG. Each mailbox server can participate in only one DAG, and all DAG members must be running the same OS (Windows 2008 R2 or Windows 2008 SP2). The PowerShell cmdlets below add all three mailbox servers, AMBX1, AMBX2 and BMBX1, into DAG01. Figure 4 is a screenshot of adding AMBX1 to the DAG.

Add-DatabaseAvailabilityGroupServer -Identity DAG01 -MailboxServer AMBX1
Add-DatabaseAvailabilityGroupServer -Identity DAG01 -MailboxServer AMBX2
Add-DatabaseAvailabilityGroupServer -Identity DAG01 -MailboxServer BMBX1

Figure 4. Adding AMBX1 to DAG01

When a mailbox server is added to the DAG, the Windows failover clustering component is installed on the server, the failover cluster is created (when the first member is added) and the mailbox server is joined to that cluster.

Now let's configure the DAG in DAC (Datacenter Activation Coordination) mode; we have already discussed the importance of DAC with the example above.

Set-DatabaseAvailabilityGroup -Identity DAG01 -DatacenterActivationMode DagOnly

Figure 5. Enabling DAC mode on the DAG

Once the DAG has its member servers, we need to configure database copies for the databases in the DAG. I have created two databases on each of the mailbox servers in ASite (primary); below is the PowerShell to list the databases on both mailbox servers AMBX1 and AMBX2 in the primary site.

Get-MailboxDatabase | ?{$_.Server -like "AMBX*"}

Figure 6. Database list from the primary site (ASite) mailbox servers

Let's configure each of the databases on AMBX1 and AMBX2 with one non-lagged passive copy on the other server in the same site and one lagged passive copy on the BSite server BMBX1. Table 3 below defines the database copy configuration.

Source Database | Destination Server | Preference | Lagged/Non-lagged passive copy
MDB01 | AMBX2 | 2 | Non-lagged
MDB01 | BMBX1 | 3 | Lagged
MDB02 | AMBX2 | 2 | Non-lagged
MDB02 | BMBX1 | 3 | Lagged
MDB03 | AMBX1 | 2 | Non-lagged
MDB03 | BMBX1 | 3 | Lagged
MDB04 | AMBX1 | 2 | Non-lagged
MDB04 | BMBX1 | 3 | Lagged

Table 3. Database copy configuration table

Let's configure each of the databases defined in Table 3 above.

Below are the PowerShell cmdlets to add mailbox database copies for MDB01. The first cmdlet adds a non-lagged copy of MDB01 on mailbox server AMBX2 with the activation preference set to 2. The activation preference is used by Active Manager in the best copy selection process: the lower the preference number, the higher the priority. Similarly, the next command adds a copy of MDB01 on BMBX1 with a replay lag time of 3 days, a truncation lag time of 0 and an activation preference of 3. The ReplayLagTime parameter specifies how long the Microsoft Exchange Replication service should wait before replaying log files that have been copied to the database copy, and the TruncationLagTime parameter specifies how long the Replication service should wait before truncating log files that have been replayed into the copy.

Once a database copy is configured, automatic seeding starts. Seeding is the process of copying the database from the active copy to the passive copy. For the non-lagged copy we allow seeding to happen immediately, but the lagged copy is added with seeding postponed, which stops it from seeding immediately. This is because we have to configure the lagged mailbox database copy with -ActivationOnly. To do that we suspend the copy, update (seed) it, and then suspend it again with -ActivationOnly. The PowerShell cmdlets below do this for us.

We need to make sure that we configure -ActivationOnly on the lagged mailbox database copy. Activation occurs automatically in the event of a database or server failure, but in a datacenter failover the activation has to be performed manually. -ActivationOnly prevents the database copy from being mounted automatically in case of a datacenter failure. Figure 7 shows the execution of the cmdlets below.

Add-MailboxDatabaseCopy -Identity MDB01 -MailboxServer AMBX2 -ActivationPreference 2
Add-MailboxDatabaseCopy -Identity MDB01 -MailboxServer BMBX1 -ReplayLagTime 3.00:00:00 -SeedingPostponed -ActivationPreference 3
Suspend-MailboxDatabaseCopy -Identity MDB01\BMBX1 -SuspendComment "Seed from AMBX1" -Confirm:$false
Update-MailboxDatabaseCopy -Identity MDB01\BMBX1 -SourceServer AMBX1
Suspend-MailboxDatabaseCopy -Identity MDB01\BMBX1 -ActivationOnly

Figure 7. Execution of the PowerShell cmdlets to configure lagged and non-lagged mailbox database copies

We have configured MDB01 with one lagged copy on BMBX1 and one non-lagged copy on AMBX2. Now let's configure database MDB02 in the same fashion. The PowerShell cmdlets below configure a non-lagged copy on AMBX2 and a lagged copy on BMBX1; the lagged copy is also configured with -ActivationOnly.

Add-MailboxDatabaseCopy -Identity MDB02 -MailboxServer AMBX2 -ActivationPreference 2
Add-MailboxDatabaseCopy -Identity MDB02 -MailboxServer BMBX1 -ReplayLagTime 3.00:00:00 -SeedingPostponed -ActivationPreference 3
Suspend-MailboxDatabaseCopy -Identity MDB02\BMBX1 -SuspendComment "Seed from AMBX1" -Confirm:$false
Update-MailboxDatabaseCopy -Identity MDB02\BMBX1 -SourceServer AMBX1 -DeleteExistingFiles
Suspend-MailboxDatabaseCopy -Identity MDB02\BMBX1 -ActivationOnly
With the above cmdlets we have configured both databases of AMBX1; now let's configure the databases of AMBX2. The PowerShell below adds a non-lagged mailbox database copy on AMBX1 and a lagged mailbox database copy on BMBX1; the lagged copy is also configured with -ActivationOnly.

Add-MailboxDatabaseCopy -Identity MDB03 -MailboxServer AMBX1 -ActivationPreference 2
Add-MailboxDatabaseCopy -Identity MDB03 -MailboxServer BMBX1 -ReplayLagTime 3.00:00:00 -SeedingPostponed -ActivationPreference 3
Suspend-MailboxDatabaseCopy -Identity MDB03\BMBX1 -SuspendComment "Seed from AMBX3" -Confirm:$false
Update-MailboxDatabaseCopy -Identity MDB03\BMBX1 -SourceServer AMBX1 -DeleteExistingFiles
Suspend-MailboxDatabaseCopy -Identity MDB03\BMBX1 -ActivationOnly

The PowerShell cmdlets below configure MDB04 with a non-lagged mailbox database copy on AMBX1 and a lagged mailbox database copy on BMBX1; the lagged copy is configured with -ActivationOnly.

Add-MailboxDatabaseCopy -Identity MDB04 -MailboxServer AMBX1 -ActivationPreference 2
Add-MailboxDatabaseCopy -Identity MDB04 -MailboxServer BMBX1 -ReplayLagTime 3.00:00:00 -SeedingPostponed -ActivationPreference 3
Suspend-MailboxDatabaseCopy -Identity MDB04\BMBX1 -SuspendComment "Seed from AMBX3" -Confirm:$false
Update-MailboxDatabaseCopy -Identity MDB04\BMBX1 -SourceServer AMBX1 -DeleteExistingFiles
Suspend-MailboxDatabaseCopy -Identity MDB04\BMBX1 -ActivationOnly

With this we have configured all the databases in ASite with a lagged copy and a non-lagged copy. Let's check that they are configured properly, and check their status, with the PowerShell cmdlet below. All the database copies are in the Healthy state, which is very good for us. Figure 8 shows the complete mailbox database copy status.

Get-MailboxDatabaseCopyStatus -Identity MDB0* | select Name, Status, ContentIndexState | sort Status | ft -auto

Figure 8. Mailbox database copy status
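As an added example (my own code, not from the original article), the per-database cmdlets above can be driven from Table 3 so that every lagged copy goes through the same suspend, seed and -ActivationOnly sequence, and the outcome is checked afterwards. It assumes the article's servers and databases and the Exchange 2010 Management Shell on a DAG member; the function names are hypothetical.

```powershell
# Added example, not from the original article. Assumes the lab from the article
# (AMBX1, AMBX2, BMBX1; MDB01-MDB04) and the Exchange 2010 Management Shell.
# Constructed copy of Table 3; Source is the server that holds the active copy.
$copyPlan = @(
    @{ Database = 'MDB01'; Source = 'AMBX1'; Target = 'AMBX2'; Preference = 2; Lagged = $false },
    @{ Database = 'MDB01'; Source = 'AMBX1'; Target = 'BMBX1'; Preference = 3; Lagged = $true  },
    @{ Database = 'MDB02'; Source = 'AMBX1'; Target = 'AMBX2'; Preference = 2; Lagged = $false },
    @{ Database = 'MDB02'; Source = 'AMBX1'; Target = 'BMBX1'; Preference = 3; Lagged = $true  },
    @{ Database = 'MDB03'; Source = 'AMBX2'; Target = 'AMBX1'; Preference = 2; Lagged = $false },
    @{ Database = 'MDB03'; Source = 'AMBX2'; Target = 'BMBX1'; Preference = 3; Lagged = $true  },
    @{ Database = 'MDB04'; Source = 'AMBX2'; Target = 'AMBX1'; Preference = 2; Lagged = $false },
    @{ Database = 'MDB04'; Source = 'AMBX2'; Target = 'BMBX1'; Preference = 3; Lagged = $true  }
)

function Add-PlannedDatabaseCopy {
    # Hypothetical helper: adds one row of the plan as a mailbox database copy.
    param(
        [Parameter(Mandatory = $true)][hashtable]$Row,
        [TimeSpan]$ReplayLag = (New-TimeSpan -Days 3)
    )
    $copyId = '{0}\{1}' -f $Row.Database, $Row.Target

    # Guard: the plan assumes the active copy is on Source; refuse to seed from the wrong server
    $active = (Get-MailboxDatabase -Identity $Row.Database).Server.Name
    if ($active -ne $Row.Source) {
        throw "Active copy of $($Row.Database) is on $active, but the plan expects $($Row.Source)"
    }

    if (-not $Row.Lagged) {
        # Non-lagged copy: seeding starts immediately and automatic activation stays allowed
        Add-MailboxDatabaseCopy -Identity $Row.Database -MailboxServer $Row.Target `
            -ActivationPreference $Row.Preference
        return
    }

    # Lagged copy: add with seeding postponed, seed explicitly from Source, then block
    # automatic activation so that only a manual switchover can use this copy
    Add-MailboxDatabaseCopy -Identity $Row.Database -MailboxServer $Row.Target `
        -ReplayLagTime $ReplayLag -SeedingPostponed -ActivationPreference $Row.Preference
    Suspend-MailboxDatabaseCopy -Identity $copyId -SuspendComment "Seed from $($Row.Source)" -Confirm:$false
    Update-MailboxDatabaseCopy -Identity $copyId -SourceServer $Row.Source -DeleteExistingFiles
    Suspend-MailboxDatabaseCopy -Identity $copyId -ActivationOnly
}

function Test-PlannedDatabaseCopy {
    # Hypothetical helper: one result per planned copy. OK means the copy is Healthy
    # and the activation block is present on exactly the lagged copies.
    param([Parameter(Mandatory = $true)][hashtable[]]$Plan)
    foreach ($row in $Plan) {
        $s = Get-MailboxDatabaseCopyStatus -Identity ('{0}\{1}' -f $row.Database, $row.Target)
        New-Object PSObject -Property @{
            Copy                = $s.Name
            Status              = $s.Status
            CopyQueueLength     = $s.CopyQueueLength
            ReplayQueueLength   = $s.ReplayQueueLength
            ActivationSuspended = $s.ActivationSuspended
            OK = ([string]$s.Status -eq 'Healthy') -and ($s.ActivationSuspended -eq $row.Lagged)
        }
    }
}

foreach ($row in $copyPlan) { Add-PlannedDatabaseCopy -Row $row }
Test-PlannedDatabaseCopy -Plan $copyPlan | Sort-Object Copy | Format-Table -AutoSize
```

Any row reporting OK = False (for instance a lagged copy whose ActivationSuspended is False) is one the datacenter failover procedure later in the article would otherwise activate automatically.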

Let's discuss a couple of failures, try to simulate them, and discuss how to fix them.

Type of Failure

1. Database Failure

2. Server Failure

3. Site/Datacenter Failure

Database Failure

If one of the databases has failed, is in the Dismounted state and cannot be mounted, we bring another passive copy up; this process is known as a database switchover. In this example one of our databases, MDB01, is dismounted. The PowerShell below gets the status of MDB01, which is Dismounted; Figure 9 shows the execution result.

Get-MailboxDatabaseCopyStatus -Identity MDB01 | select Name, Status, ContentIndexState | sort Status | ft -auto

Figure 9. Cmdlet to get the mailbox database copy status

Let's try to activate the passive copy of MDB01 on AMBX2. Execute the PowerShell cmdlet below to do so; once it has run, it shows the complete result of the status in Figure 10. The MountDialOverride parameter is set to None so that the default setting is not overridden. Below are the MountDialOverride options with their details:

BestAvailability (default)

Mount the database if the copy queue length is ≤12. Those logs are replicated and the database is mounted.

GoodAvailability

Mount the database if the copy queue length is ≤6. Those logs are replicated and the database is mounted.

Lossless

Only mount the database if the copy queue length is 0, meaning all logs on the original active copy have been replicated. In that case the database is mounted.

Move-ActiveMailboxDatabase MDB01 -ActivateOnServer AMBX2 -MountDialOverride:None

Figure 10. Activating the passive copy of MDB01 on AMBX2

Now the active database copy on AMBX2 may still be in the Dismounted state, because the previous state of the database was dismounted. To mount the database, use the Mount-Database cmdlet. Once the database is mounted, the old copy that failed will reseed from the latest copy and return to the Healthy state. This may take some time, depending on the size of the database. Figure 11 shows (marked in red) the mounted state of MDB01 on AMBX2.

Get-MailboxDatabaseCopyStatus -Identity MDB01 | select Name, Status, ContentIndexState | sort Status | ft -auto

Figure 11. MDB01 mailbox database copy is mounted on the AMBX2 server

We have successfully moved the database to the new node. If you need to move the database back to the original server, execute the PowerShell cmdlet below. This time the database mounts automatically, because the active copy is in the mounted state and the replicated copy is also healthy. Figure 12 also shows the mounted status in the output of the Move-ActiveMailboxDatabase cmdlet.

Move-ActiveMailboxDatabase MDB01 -ActivateOnServer AMBX1 -MountDialOverride:None

Figure 12. Moving MDB01 back to AMBX1

With this we have successfully tested and completed database failure and failback.
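As an added example (my own code, not from the original article), the switchover above can be wrapped in a function that applies the MountDialOverride thresholds described earlier as preflight checks, refuses a copy that is unhealthy or activation-blocked, and mounts the database when it was left dismounted as in Figure 11. It assumes the Exchange 2010 Management Shell and the article's lab; the function names are hypothetical.

```powershell
# Added example, not from the original article. Assumes the Exchange 2010
# Management Shell and the lab from the article. Function names are hypothetical.

function Get-MountDialDecision {
    # Applies the copy-queue thresholds described in the article to one queue
    # length and reports which MountDialOverride values would allow activation.
    param([Parameter(Mandatory = $true)][int]$CopyQueueLength)
    New-Object PSObject -Property @{
        CopyQueueLength  = $CopyQueueLength
        Lossless         = ($CopyQueueLength -eq 0)
        GoodAvailability = ($CopyQueueLength -le 6)
        BestAvailability = ($CopyQueueLength -le 12)
    }
}

function Invoke-DatabaseSwitchover {
    # Database switchover with the checks the article's steps imply: the target
    # copy is healthy, not activation-blocked, and its queue fits the requested
    # dial; afterwards the database is mounted if it was left dismounted.
    param(
        [Parameter(Mandatory = $true)][string]$Database,
        [Parameter(Mandatory = $true)][string]$TargetServer,
        [ValidateSet('None', 'Lossless', 'GoodAvailability', 'BestAvailability', 'BestEffort')]
        [string]$MountDialOverride = 'None'
    )
    $copy = Get-MailboxDatabaseCopyStatus -Identity ('{0}\{1}' -f $Database, $TargetServer)

    $usable = @('Healthy', 'DisconnectedAndHealthy')
    if ($usable -notcontains [string]$copy.Status) {
        throw "Copy $($copy.Name) is $($copy.Status); refusing to activate it"
    }
    if ($copy.ActivationSuspended) {
        throw "Copy $($copy.Name) is activation-blocked (lagged copy); clear the block first"
    }

    # Check the queue against the thresholds before asking the server to do it,
    # so a refused move is explained up front. None/BestEffort impose no threshold here.
    $dial = Get-MountDialDecision -CopyQueueLength $copy.CopyQueueLength
    if ($MountDialOverride -ne 'None' -and $MountDialOverride -ne 'BestEffort' `
        -and -not $dial.$MountDialOverride) {
        throw "Copy queue length $($copy.CopyQueueLength) exceeds what $MountDialOverride allows"
    }

    Move-ActiveMailboxDatabase -Identity $Database -ActivateOnServer $TargetServer `
        -MountDialOverride $MountDialOverride -Confirm:$false | Out-Null

    # A database that was Dismounted before the switchover stays dismounted on the
    # new active server (Figure 11), so mount it explicitly when needed.
    $db = Get-MailboxDatabase -Identity $Database -Status
    if (-not $db.Mounted) { Mount-Database -Identity $Database }

    Get-MailboxDatabaseCopyStatus -Identity $Database |
        Select-Object Name, Status, CopyQueueLength, ReplayQueueLength, ActivationSuspended
}

# Usage matching the article: activate MDB01 on AMBX2, then move it back to AMBX1.
# Invoke-DatabaseSwitchover -Database 'MDB01' -TargetServer 'AMBX2'
# Invoke-DatabaseSwitchover -Database 'MDB01' -TargetServer 'AMBX1'
```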

Server Failure / Failback

Let's assume a scenario where server AMBX1 is down due to a hardware failure, or the server was rebooted accidentally.

Let's check what the mailbox database copy status is after the server failure with the PowerShell cmdlet below. We see from Figure 13 that all the databases of AMBX1 have been mounted on AMBX2, and the database copies on AMBX1 have the status ServiceDown.

The Primary Active Manager (PAM) of the DAG uses the preference settings and the best copy selection process, listing the available copies and mounting the best possible copy. During this process the PAM determined AMBX2 to be the best server to mount the databases MDB01 and MDB02.

Get-MailboxDatabaseCopyStatus -Identity MDB0* | select Name, Status | sort Status | ft -auto

Figure 13. Mailbox database copy status after the AMBX1 failure

Let's bring AMBX1 up and check the database copy status using the PowerShell cmdlet below. It shows that the database copies on AMBX1 are in the Healthy state (Figure 14).

Get-MailboxDatabaseCopyStatus -Identity MDB0* | select Name, Status | sort Status | ft -auto

Figure 14. Mailbox database copy status after the AMBX1 server is up

Now, if you think it's time to move the databases MDB01 and MDB02 back to AMBX1, let's do it:

Move-ActiveMailboxDatabase MDB01 -ActivateOnServer AMBX1 -MountDialOverride:None
Move-ActiveMailboxDatabase MDB02 -ActivateOnServer AMBX1 -MountDialOverride:None

This is great, right? Now finally let's take a scenario where you want to patch AMBX2 and move all of its active databases to AMBX1 for now. You run the single PowerShell cmdlet below to activate the passive copies of all of AMBX2's databases on AMBX1. Then, once AMBX2 is back up, you can move the databases back using the Move-ActiveMailboxDatabase cmdlet shown above with the right parameters.

Move-ActiveMailboxDatabase -Server AMBX2 -ActivateOnServer AMBX1

With this we have successfully tested and completed server failure and failback.

Site/Datacenter Failure and Failback

Now this is the most interesting part of all. In the scenarios above, the PAM (Primary Active Manager) brings the databases up in case of failure, but here we have defined, by setting the activation block, that the databases are not to be brought up automatically in case of failure. So we have to execute some PowerShell cmdlets manually to bring the services up and running.

Before we simulate a datacenter failure and failback, let's do some post-configuration on the DAG networks. We know that all the servers in the DAG have two NICs, public and private. We also know that the private NIC is for replication traffic and the public IP is for MAPI traffic, but this is not yet defined in the DAG. We need to disable replication over the MAPI network and dedicate only the replication IPs to replication. Let's see what the current status of the DAG networks is; the cmdlet below pulls the details, and Figure 15 shows the current DAG networks. There are 4 subnets from both sites, 172.168.1.0/24, 172.168.2.0/24, 10.0.1.0/24 and 10.0.2.0/24, and replication is enabled on all of the networks.

Get-DatabaseAvailabilityGroupNetwork

Figure 15. DAG network status

The current DAG network layout looks very odd, with replication enabled on all DAG networks. Let's rework it by creating two new DAG networks using the PowerShell below, one for MAPI with replication disabled and the other for replication, adding only the required subnets to each.

New-DatabaseAvailabilityGroupNetwork -DatabaseAvailabilityGroup DAG01 -Name MAPI -Subnets 172.168.1.0/24,172.168.2.0/24 -ReplicationEnabled:$false
New-DatabaseAvailabilityGroupNetwork -DatabaseAvailabilityGroup DAG01 -Name Replication -Subnets 10.0.1.0/24,10.0.2.0/24

Figure 16. Execution result after creating the two new DAG networks with the required subnets

Now we have created two new DAG networks and added the subnets to them. It's time to remove the old networks. Before that, let's see what the status of the DAG networks is; Figure 17 shows the details. It has the two new DAG networks: MAPI, with replication set to False and the MAPI subnets from both sites, and Replication, with replication enabled.

Figure 17. DAG network status after the new DAG network creation

Let's remove the old DAG networks DAGNetwork01 – 04, which no longer have any subnets in them, using the PowerShell cmdlet below. Figure 18 shows the result of the execution.

Get-DatabaseAvailabilityGroupNetwork DAG01\DAGNetwork* | Remove-DatabaseAvailabilityGroupNetwork

Figure 18. Removing the old DAG networks

Let's talk about how we can simulate a datacenter failure and how we can fail back once the primary datacenter comes up. I have now disconnected the network between the AD sites and brought down all the servers in ASite to produce a complete datacenter failure. Let's see the status of DAG01 from BMBX1 using the PowerShell cmdlet below. Figure 19 shows that all the databases from the primary site are ServiceDown and the passive copies are in the DisconnectedAndHealthy state. We have also defined, using the DAC configuration, that the secondary server's databases are not brought up automatically in case of a primary datacenter failure.

Get-MailboxDatabaseCopyStatus -Identity MDB0* | select Name, Status | sort Status | ft -auto

Figure 19. DAG status after the primary datacenter failure

Let's understand some more important concepts here.

In our 3-server DAG, cluster quorum is maintained by node majority, so at this point, with two nodes offline, the remaining server cannot hold quorum. This is also a reason our secondary server's databases are dismounted and cannot be re-mounted.

Figure 20, marked in red, has the details of the started mailbox servers and the stopped mailbox servers. Started mailbox servers are the servers available to the DAG for bringing databases online. Stopped mailbox servers are no longer participating in the DAG; they may be servers that are offline or down because of datacenter failures. When we restore service in the secondary site, ideally all the servers in the primary site should be marked as stopped, so that they are not used when the services are brought online.

Figure 20. DAG details

To move the primary-site servers into the stopped state we use the PowerShell cmdlet below. We also have to use the -ConfigurationOnly parameter, because we cannot connect directly to the servers while they are offline. Use the two PowerShell cmdlets below to move both servers into the stopped state; Figure 21 shows the result. You may see some warning and error messages because these servers are not reachable.

Stop-DatabaseAvailabilityGroup -Identity DAG01 -MailboxServer AMBX1 -ConfigurationOnly
Stop-DatabaseAvailabilityGroup -Identity DAG01 -MailboxServer AMBX2 -ConfigurationOnly

Figure 21. Moving the DAG servers into the stopped server state

Let’s verify again to see if the server has moved to stopped state. Figure 22. Show AMBX1 and AMBX2 has been moved to stopped state. Now these servers are not available for the DAG recovery.


Figure 22. DAG status after moving Asite servers into stopped mailbox Servers

Let’s now work on recovering the DAG. Next we need to verify that the Cluster service is stopped on all the mailbox servers in the secondary site. In our secondary site we have only one mailbox server, BMBX1, so let’s stop the Cluster service there using the command “Net stop Clussvc” or by stopping it manually from the Services console.

Now we need to restore the DAG at BSite using the PowerShell cmdlet below. The Restore-DatabaseAvailabilityGroup cmdlet does the following:

1. A new cluster quorum is formed on BMBX1, as the old quorum is no longer reachable.

2. AMBX1 and AMBX2 are marked as stopped and evicted from the cluster one by one, leaving only BMBX1 in the DAG.

3. The DAG switches to the alternate file share witness that was defined when the DAG was created.

Restore-DatabaseAvailabilityGroup -Identity DAG01 -ActiveDirectorySite BSite


Figure 23. Execution result of Restore Database availability group

Let’s look at the DAG status before we continue. Figure 23 shows the new details: the only operational server is BMBX1, as we have evicted the other servers, and the PAM (Primary Active Manager) is now running on BMBX1.


Figure 23. Dag PAM and Operation Server Status

Let’s check how Failover Cluster Manager looks. We should see that there is only one node, BMBX1, that the current host of the cluster is BMBX1, and that it is using the alternate file share witness BHC1, which is what we want (Figure 24).


Figure 24. Failover Cluster manager Status

Let’s verify the mailbox database copy status again using the PowerShell cmdlet. Figure 25 shows that the database copies on BMBX1 are still in the Disconnected and Healthy state.


Figure 25. Mailbox Database copy Status

During the DAG configuration we had set an activation block on the database copies on BMBX1. To remove the activation block from all the copies, we need to execute the PowerShell cmdlets below. Figure 26 has the execution result.

Resume-MailboxDatabaseCopy 'MDB01\BMBX1'

Resume-MailboxDatabaseCopy 'MDB02\BMBX1'

Resume-MailboxDatabaseCopy 'MDB03\BMBX1'

Resume-MailboxDatabaseCopy 'MDB04\BMBX1'


Figure 26. Execution result of Resume mailbox Database copy

With this we have resumed all the mailbox database copies on BMBX1. Now let’s check the status. Figure 27 shows the DAG status with every database mounted on BMBX1 and serving email for the users.


Figure 27. DAG Status with all the Database copies mounted on BMBX1
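The switchover steps above (stop the unreachable members, stop the Cluster service, restore the DAG, resume the copies, verify) as one script with a verification gate between the steps. This is an added example, not the post’s own script: it reuses the post’s names (DAG01, AMBX1/AMBX2 in ASite, BMBX1 in BSite, MDB01 to MDB04) and is assumed to run in the Exchange Management Shell on BMBX1 after ASite has become unreachable. Get-DatabaseAvailabilityGroup -Status, Stop-Service and the checks around them are standard cmdlets that the post itself does not use.

```powershell
# Added example, not the post's own script: scripted datacenter switchover of DAG01 to BSite.
# Assumes the names used in the post (DAG01, ASite servers AMBX1/AMBX2, BSite server BMBX1,
# databases MDB01..MDB04) and that it runs in the Exchange Management Shell on BMBX1
# after ASite has become unreachable.
$Dag            = 'DAG01'
$PrimaryServers = 'AMBX1', 'AMBX2'
$DrServer       = 'BMBX1'
$DrSite         = 'BSite'
$Databases      = 'MDB01', 'MDB02', 'MDB03', 'MDB04'

# Step 1: mark the unreachable ASite members as Stopped. -ConfigurationOnly changes the DAG
# object in Active Directory only, because the servers themselves cannot be contacted.
foreach ($server in $PrimaryServers) {
    Stop-DatabaseAvailabilityGroup -Identity $Dag -MailboxServer $server -ConfigurationOnly
}

# Gate: refuse to go on until every ASite server is listed as a stopped member (Figure 22).
# StoppedMailboxServers is only populated when -Status is given; the match is on the name string.
$dagStatus = Get-DatabaseAvailabilityGroup -Identity $Dag -Status
foreach ($server in $PrimaryServers) {
    if ("$($dagStatus.StoppedMailboxServers)" -notlike "*$server*") {
        throw "$server is still not in the stopped state; do not restore the DAG yet."
    }
}

# Step 2: stop the Cluster service on the surviving BSite member (the post uses 'net stop clussvc').
Stop-Service -Name ClusSvc

# Step 3: re-form the cluster in BSite, evict the stopped members and switch to the alternate witness.
Restore-DatabaseAvailabilityGroup -Identity $Dag -ActiveDirectorySite $DrSite

# Step 4: lift the activation block that was placed on the BSite copies during DAG setup.
foreach ($db in $Databases) {
    Resume-MailboxDatabaseCopy -Identity "$db\$DrServer"
}

# Step 5: verify. Anything not Mounted is reported so it can be mounted by hand with
# Move-ActiveMailboxDatabase, as described in the post, instead of being forced blindly here.
$copies    = @(Get-MailboxDatabaseCopyStatus -Server $DrServer)
$unmounted = @($copies | Where-Object { $_.Status -ne 'Mounted' })
if ($unmounted.Count -eq 0) {
    Write-Host "All $($copies.Count) databases are mounted on $DrServer; service is restored in $DrSite."
} else {
    Write-Warning "The following copies on $DrServer are not mounted:"
    $unmounted | Format-Table Name, Status, ContentIndexState -AutoSize
}
```

The gate after step 1 is the part worth keeping even if you run the rest by hand: restoring the DAG while a primary-site server is still listed as started is exactly the situation in which the failed site can later rejoin with stale state.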

Cool, right? Just to remind you, every day is not a Sunday; sometimes it is a Friday evening and things don’t come up, and a Friday evening at the office is worse than a Monday morning :). If the databases are not mounted automatically with the technique above, you can use the PowerShell cmdlet below to mount them manually. You have a bunch of options to troubleshoot and mount the database; TechNet has a more detailed description of the parameters of Move-ActiveMailboxDatabase.

Move-ActiveMailboxDatabase -Server FQDNofaServerinPrimarySite -ActivateOnServer FQDNofaServerinDRSite

Thank God lets go home and come back on Monday… Haa haa

Fail back to Primary Site

Let’s bring all the servers in the primary site up. As these servers are out of the DAG configuration, this has no impact on the DAG, which currently has only one server, BMBX1. To fail back to the primary site we need to add the primary site mailbox servers AMBX1 and AMBX2 back into the DAG. The PowerShell cmdlets below do this. Make sure the Cluster service has been started on these mailbox servers before running them.

Start-DatabaseAvailabilityGroup -Identity DAG01 -MailboxServer AMBX1

Start-DatabaseAvailabilityGroup -Identity DAG01 -MailboxServer AMBX2


Figure 28. Execution result of adding AMBX1 and AMBX2 into the DAG

If we look at the database availability group status, we find that all the mailbox servers are in the started and operational state. Figure 30 has the details.


Figure 30. DAG status after adding mailbox servers back

Execute the PowerShell cmdlet below to apply the DAG configuration changes. The passive copies are then brought up to date from the active copies and return to the Healthy state.

Set-DatabaseAvailabilitygroup -Identity DAG01

Let’s now verify the mailbox database copy status to make sure that all the active copies are mounted on BMBX1 and that the passive copies on AMBX1 and AMBX2 are replicated and in the Healthy state (Figure 31).

Get-MailboxDatabaseCopyStatus -Identity MDB0* | select name, status | sort Status | ft -auto


Figure 31. Mailbox Database copy Status

To activate the respective copies on AMBX1 and AMBX2, we run the Move-ActiveMailboxDatabase PowerShell cmdlet once per database. The complete set of cmdlets is below, and Figure 32 shows the result.

Move-ActiveMailboxDatabase MDB01 -ActivateOnServer AMBX1 -MountDialOverride:GoodAvailability

Move-ActiveMailboxDatabase MDB02 -ActivateOnServer AMBX1 -MountDialOverride:GoodAvailability

Move-ActiveMailboxDatabase MDB03 -ActivateOnServer AMBX2 -MountDialOverride:GoodAvailability

Move-ActiveMailboxDatabase MDB04 -ActivateOnServer AMBX2 -MountDialOverride:GoodAvailability


Figure 32. Move Active mailbox Database execution result.

Verify and confirm again that every database has been moved and mounted on the primary site nodes and that the other copies are replicated and in the Healthy state. Figure 33 shows the details.


Figure 33. Mailbox Database copy Status after the recovery of Database at Primary Site

Finally, last but not least, we want to disable automatic activation of the databases in the secondary (DR) site again. This configuration is very important, and it is re-applied using the same PowerShell cmdlet as before. Figure 34 shows the result.

Suspend-MailboxDatabaseCopy -Identity MDB01\BMBX1 -ActivationOnly

Suspend-MailboxDatabaseCopy -Identity MDB02\BMBX1 -ActivationOnly

Suspend-MailboxDatabaseCopy -Identity MDB03\BMBX1 -ActivationOnly

Suspend-MailboxDatabaseCopy -Identity MDB04\BMBX1 -ActivationOnly


Figure 34. Disabling Activation bit on Passive copy of the Database on secondary site
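The failback steps above (rejoin AMBX1 and AMBX2, re-apply the DAG settings, wait for the passive copies to become Healthy, move the active copies home, re-apply the activation block on BMBX1) as one script. This is an added example, not the post’s own script; it reuses the post’s names and the post’s placement of MDB01/MDB02 on AMBX1 and MDB03/MDB04 on AMBX2, assumes ASite is back on the network and that it runs in the Exchange Management Shell. The Get-Service check, the Wait-HealthyCopies polling function and the -Confirm:$false switches are additions not found in the post.

```powershell
# Added example, not the post's own script: scripted failback of DAG01 to ASite.
# Assumes the post's names (DAG01, AMBX1/AMBX2 in ASite, BMBX1 in BSite, MDB01..MDB04),
# that ASite is back on the network, and that it runs in the Exchange Management Shell.
$Dag            = 'DAG01'
$PrimaryServers = 'AMBX1', 'AMBX2'
$DrServer       = 'BMBX1'
# Target placement from the post: MDB01/MDB02 active on AMBX1, MDB03/MDB04 on AMBX2.
$Placement      = @{ MDB01 = 'AMBX1'; MDB02 = 'AMBX1'; MDB03 = 'AMBX2'; MDB04 = 'AMBX2' }

# Polls until every copy on the given servers reports Healthy, or gives up after the timeout.
function Wait-HealthyCopies {
    param([string[]]$Servers, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $notReady = @(foreach ($s in $Servers) {
            Get-MailboxDatabaseCopyStatus -Server $s | Where-Object { $_.Status -ne 'Healthy' }
        })
        if ($notReady.Count -eq 0) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning ("Copies still not Healthy after $TimeoutMinutes min: " +
        (($notReady | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '))
    return $false
}

# Step 1: rejoin the ASite members. The Cluster service must already be running on each of
# them, so check it first rather than discovering the problem from an error halfway through.
foreach ($server in $PrimaryServers) {
    if ((Get-Service -Name ClusSvc -ComputerName $server).Status -ne 'Running') {
        throw "ClusSvc is not running on $server; start it before rejoining the DAG."
    }
    Start-DatabaseAvailabilityGroup -Identity $Dag -MailboxServer $server
}

# Step 2: re-apply the DAG configuration so the rejoined members pick up the current settings.
Set-DatabaseAvailabilityGroup -Identity $Dag

# Step 3: do not move anything until the passive copies on AMBX1/AMBX2 have caught up (Figure 31).
if (-not (Wait-HealthyCopies -Servers $PrimaryServers)) {
    throw 'Passive copies in ASite are not Healthy; fix replication before moving active copies.'
}

# Step 4: move each database back to its ASite home. GoodAvailability permits the mount when only
# a small number of logs are missing (the post's setting); -Confirm:$false suppresses the prompt.
foreach ($db in $Placement.Keys) {
    Move-ActiveMailboxDatabase -Identity $db -ActivateOnServer $Placement[$db] `
        -MountDialOverride:GoodAvailability -Confirm:$false
}

# Step 5: put the activation block back on the BSite copies so an automatic failover
# cannot mount them unplanned, exactly as they were configured before the failure.
foreach ($db in $Placement.Keys) {
    Suspend-MailboxDatabaseCopy -Identity "$db\$DrServer" -ActivationOnly -Confirm:$false
}

# Final check: the active copies should be Mounted in ASite and every copy on BMBX1 Healthy.
Get-MailboxDatabaseCopyStatus -Identity 'MDB0*' | Sort-Object Status |
    Format-Table Name, Status, ActiveCopy -AutoSize
```

The ordering matters more than the individual cmdlets: moving an active copy before its passive copy is Healthy, or forgetting step 5, leaves the DR copies able to activate on their own, which is the state the activation block was put in place to prevent.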

With this we have simulated the different types of failure, database failure, server failure and datacenter failure, and shown how to recover from each. DAG has made HA very easy and recovery quicker. Here we only talked about the DAG, the mailbox servers, the mailbox databases and their recovery. Exchange is not just the DAG: we also have to plan and design the failover and failback of the other roles such as Hub Transport and Client Access. This TechNet article has good details on the other roles. I hope this article is informative and that you can use it in your real-life scenarios.