M02 E2010 Intro Admin ManagementTools


Exchange Server 2010 Introduction to

Supporting Administration
Management Tools

Jonathan Runyon
Exchange 2010 BRE Content
Microsoft
1 1/1/2009 Microsoft Confidential - For Internal Use Only
1

Module Overview
Before starting this module you should:
Be familiar with management tools used in previous
versions of Exchange.

After completing this module you will be able to:


Describe each management tool for Exchange Server 2010.
Identify individual management tool feature components.
Understand the basic components that make each
management tool work.
Troubleshoot management tools.
2

Management Tools Overview


2

Management Tools Overview


After completing this lesson you will be able to:
Identify management tools used in previous versions of
Exchange.
Identify management tools that are included with
Exchange Server 2010.
Describe the differences between both tool sets.
3

Terminology
Term: Definition
Cross Forest: Activities that cross from one organization to another, for management, messaging or sharing of resources.
DIY: Do-It-Yourself or self-management using client management tools.
Fan-In: Concept where multiple client machines running management tool applications connect remotely to an Exchange server that acts as a provider of management tool services.
Forest: An Active Directory forest acts as a boundary for an On-Premises Exchange organization. In this module organization and forest may be used interchangeably.
Help Desk: Support staff members that service requests for assistance with issues related to messaging. Help desk staff are generally responsible for recipient management tasks.
On-Premises: An Exchange organization that is deployed and maintained "in house".
Organization: An Exchange organization is a collection of Exchange servers that provide messaging services, bound by an identifying namespace.
RBAC: Role Based Access Control, the new model used by Exchange 2010 to limit access to a management task based on a role definition that requires that task.
4

Scenarios
Centralized Management
Recipient Management
Do-It-Yourself Management
5

Legacy Exchange Management History


Features
Exchange 2003
Exchange System Manager
Active Directory Users and Computers
Exchange 2007
Windows PowerShell
Exchange Management Shell
Exchange Management Console
6

Challenges
Access Control
Relies on granular permissions granted directly or indirectly on
recipient and configuration objects
Access to Management Tools
No real way to control who can install tools and attempt actions
Auditing
Limited methodology for auditing management actions
Self-Management
Burden of maintaining incidental information rests on
administrative resources
6

Exchange 14 Management
New Features
Role Based Access Control
Remote PowerShell
Auditing and Logging
Self-Management using Exchange Control Panel
10

Exchange 2010 Management Tools


10

Exchange 2010 Management Tools


After completing this lesson you will be able to:
Describe Remote PowerShell and how it is used to make
Exchange 2010 management tools operate.
Identify the differences in the various Exchange
Management Tools.
Describe the ways each management tool can be used to
accomplish similar tasks.
Understand the relationship between Role Based Access
Control and Exchange 2010 management tools.
11

Remote PowerShell
Exchange 2007 management tools rely on Local
PowerShell
Commands are executed in a local PowerShell session on the same
machine where the tools are installed
Exchange 2010 management tools rely on Remote
PowerShell
Made possible by Windows PowerShell v2.0 and Windows Remote
Management (WinRM) v2.0
WinRM is the Microsoft implementation of the Web Services for
Management (WS-Man) protocol
WS-Man is a SOAP-based, firewall-friendly protocol that runs over
HTTP and HTTPS
11

Fan-In Configuration
Clients running Exchange tools connect to Exchange
servers using remote PowerShell
True even when tool is opened on Exchange 2010 server
Enforces centralized connection point(s)
Remote PowerShell uses IIS on Exchange server to host
WSMan, load the PowerShell plug-in, and start remote
PowerShell sessions
All PowerShell sessions run in the same host process in IIS
PowerShell and WinRM must be installed on both client
and server to support remote PowerShell
Once session is initiated, RBAC enforces access control
Client is only allowed to run commands and access objects as
determined by role assignments
14

Client-Side and Server-Side Runspaces


When you open PowerShell on client, you are in the local
runspace
Only native PowerShell commands are available
Connecting to an Exchange server creates a remote
PowerShell session (PSSession)
IIS authenticates the user and passes the context to RBAC for
evaluation
RBAC determines the commands that should be made available
Server-side runspace is created based on the RBAC evaluation
Contains all the commands and scope restrictions as determined by
RBAC
Client session receives information about the server-side runspace
as a PSSession object that can then be imported as a module that
contains references to the commands in the server-side runspace
14

Client-Side and Server-Side Runspaces continued


Commands on the client-side are actually functions that
refer to the commands that are executed on the server-
side session
When command is run on client side, the function passes
information to the server-side session, where the command is
executed, and the results are passed back to the client for display
15

Implementation
PowerShell virtual directory and Application Pool
Remote PowerShell Stack
Authentication Methods
Kerberos/Integrated Authentication
Certificate Authentication
Initial Server-Side Runspace
Enabling a User for Remote PowerShell
16

PowerShell virtual directory and Application Pool


Installing any of the main Exchange 2010 server roles
results in the creation of:
The PowerShell virtual directory and
MSExchangePowerShellAppPool application pool

See Page 16 for details


18

Remote PowerShell Stack


The components that make up the Remote PowerShell
stack are:

Non-CAS Implementation
IIS
WSMan IIS Module
Unmanaged RBAC
Authorization module
PowerShell Fan-In Module
Managed RBAC
Authorization module
AD Driver

CAS Implementation
21

Kerberos/Integrated Authentication
Authentication mechanism for connections which originate within the On-Premises organization
Requires a backing Active Directory account
Client machines must be domain joined
22

Certificate Authentication
Authentication mechanism for connections that originate from clients outside of the domain boundary
IIS provides support for certificate authentication used by WSMan
Certificate must be trusted by the client
23

Initial Server-Side Runspace


24

Enabling a User for Remote PowerShell


User must be enabled for Remote PowerShell before the
user can use a management tool that relies on Remote
PowerShell
User must be a member of a management role group that
enables the user to run Exchange cmdlets
Stored in the user's Active Directory account, in the RemotePowerShell
entry of the protocolSettings property
Get property
[PS] C:\>(Get-User <user name>).RemotePowerShellEnabled
Set property
[PS] C:\>Set-User <user name> -RemotePowerShellEnabled $True
26

Exchange Management Shell


EMS Basics
Implementing EMS using Exchange Management Tools
Implementing Manual EMS
25

EMS Basics
Based on the PowerShell console host application
Relies on Remote PowerShell to connect and establish a
session
Two versions:
EMS Shortcut
Manual EMS
26

Implementing EMS using Exchange Management Tools


Management Tools Structure

Exchange Management Shell Shortcut Commands

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto"
28

The RemoteExchange.ps1 Script File


Increase window width function
Load connection functions
Aliases
Confirmation preference
Exchange Variables
$exbin
$exinstall
$exscript
Load extended type information for Exchange commands
Prompt function
Additional functions
31

The ConnectionFunctions.ps1 Script File


Connect-ExchangeServer Function
Automatic discovery of Exchange Servers
Create new PSSession object:
New-PSSession -ConnectionUri <server URL> -ConfigurationName
Microsoft.Exchange
Create Implicit Remoting Module
A module is a package that contains members that can be used in
Windows PowerShell
An implicit remoting module is based on the information that is
returned from the remote server in the PSSession object:
Export-PSSession -Session <current session> -OutputModule <path>
Import-Module -Name <path>
Cached module information can be re-used to speed up EMS
startup
Module File Package and Registry values allow EMS to take a short
path to loading module information – 72 hour TTL
37

Discover-ExchangeServer Function
Available from the EMS command line
Returns the FQDN of a suitable Exchange server to which a
new session could be established
Uses the same discovery code as Connect-ExchangeServer
38

Cross-Forest Functionality
Both Connect-ExchangeServer and Discover-ExchangeServer make it
possible to establish a connection to an Exchange 2010 server in a
different forest
User must specify:
The forest FQDN and
Provide credentials for a user with appropriate RBAC roles
assignments in the remote forest
Must be loaded as a result of starting EMS from the
shortcut
38

Implementing Manual EMS


Allows management experience without management
tools installation
Client must have PowerShell v2.0 and WinRM V2.0
Client machine does not have to be domain joined
Downgraded User Experience from management tools
User Authentication required
Encrypted Communication between client and server via
certificate (HTTPS)
40
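The manual connection that the ConnectionFunctions.ps1 and Manual EMS slides describe, as an added example that is not from the deck or from the Exchange scripts: New-PSSession against the Microsoft.Exchange configuration, then Import-PSSession to build the implicit remoting module (the shortcut path uses Export-PSSession and a cached module instead). The server FQDN is a placeholder, and Basic authentication inside HTTPS for the non-domain-joined case is this example's choice, not something the slides state.

```powershell
# Added example, not from the slides or from ConnectionFunctions.ps1: open a manual
# Exchange 2010 remote PowerShell session from a client that has only PowerShell v2.0
# and WinRM v2.0 installed. The server FQDN is a placeholder.
param(
    [string]$ServerFqdn = 'cas01.contoso.example',  # placeholder: any Exchange 2010 server hosting /PowerShell
    [switch]$FromOutsideDomain                       # set when the client is not domain joined
)

if ($FromOutsideDomain) {
    # Outside the domain boundary Kerberos is unavailable; the slides call for HTTPS so the
    # server certificate protects the channel. Basic authentication inside that TLS channel is
    # this example's assumption: it must be enabled on the PowerShell virtual directory, and
    # the client must trust the server certificate.
    $uri  = "https://$ServerFqdn/PowerShell/"
    $auth = 'Basic'
    $cred = Get-Credential
} else {
    # Domain-joined client inside the forest: Kerberos/Integrated with the logged-on account.
    $uri  = "http://$ServerFqdn/PowerShell/"
    $auth = 'Kerberos'
    $cred = $null
}

$session = $null
try {
    if ($cred) {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
                                 -Authentication $auth -Credential $cred -ErrorAction Stop
    } else {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $uri `
                                 -Authentication $auth -ErrorAction Stop
    }

    # Import-PSSession builds the implicit remoting module straight from the PSSession and
    # returns it. Only the cmdlets RBAC placed in the server-side runspace are in it.
    $module = Import-PSSession -Session $session -ErrorAction Stop

    # The count is the RBAC decision made visible on the client.
    "{0} commands exposed to this caller by RBAC" -f $module.ExportedFunctions.Count

    # Each imported command is a proxy function, not the cmdlet itself; a name that is
    # missing here was not granted by any role assigned to the caller.
    foreach ($name in 'Get-Mailbox', 'Set-Mailbox', 'Set-AdminAuditLogConfig') {
        $cmd = Get-Command -Name $name -ErrorAction SilentlyContinue
        if ($cmd) { "{0,-26} proxy {1}" -f $name, $cmd.CommandType }
        else      { "{0,-26} not granted by any assigned role" -f $name }
    }
}
finally {
    # Every open session is a live runspace inside the server's IIS host process; close it.
    if ($session) { Remove-PSSession -Session $session }
}
```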

Watch This: EMS


41

Exchange Management Console


EMC Basics
EMC Features
41

EMC Dependency on Remote PowerShell


Built on top of PowerShell
Depends on remote PowerShell to connect to Exchange
Server
Uses functions from ConnectFunctions.ps1
Connection must be successful before Exchange tasks are
possible
User must be enabled for remote PowerShell and have
RBAC role assignments
41

EMC Layout
Console Tree Pane
Action Pane
Result Pane
Work Pane
44

EMC Basic Features


Help
Property Dialog Command Exposure
Microsoft Exchange Node Features
Organization Level Features
Organization Configuration Level Features
Server Configuration Level Features
Recipient Configuration Level Features
44

Help in EMC
Help is available in several places in EMC
Contextual Help in Action menu
Help in context menu of item
Help information comes from on-line sources
Ensures updates are timely
45

Property Dialog Command Exposure


46

Microsoft Exchange Node Features


Post-Installation Tasks
Community Resources
Add Exchange Forest
51

Organization Level Features


Connection Properties
52

Organization Configuration Level Features


Modify Configuration Domain Controller
55

Server Configuration Level Features


Manage Diagnostic Logging
Manage Exchange Certificates
Manage Server Roles and Server Properties
Enter Product Key
57

Recipient Configuration Level Features


Modify Recipient Scope
Recipient Tasks and Properties
Modify the Maximum Number of Recipients to Display
Find recipients
Send Mail (requires Outlook installation)
61

Exchange Control Panel (ECP)


ECP Basics
DIY Management
IT-Pro Administration
ECP/EMC Functionality Overlap
Watch This: <Title>
61

ECP Basics
Design
Role Evaluation
Implementation
ECP Management
ECP Design
ECP is an AJAX application designed to provide self-service
management of Exchange features to end-users (DIY)
ECP builds on top of business logic provided by Exchange
Management Shell cmdlets and uses ASP.Net and
Windows Communication Foundation (WCF) web services
to communicate between client and server.
The architecture of AJAX features in ASP.NET consists of
two pieces: client-script libraries and server components.
ECP Design continued
From a logical point of view, ECP is divided into three
parts.
Common Infrastructure
Parts of ECP are shared with other applications, like OWA
Includes RBAC, PowerShell, tracing, performance counters, event log,
etc.
ECP Application Infrastructure
ECP provides an infrastructure of common controls, services and
resources necessary to build Exchange features.
Feature Code
Pages and controls that implement one particular feature of Exchange.
This is the part of ECP that grows over time, as more and more
features are added.
64

Layers and Components

Layers of the ECP solution:
The visible client portion, which is the browser, is used by the user to view the ECP
In the W3Wp.exe process on the server are the layers used by ECP to process each request:
At the RBAC level, to evaluate roles and permissions for the user
At the Management Shell level, to execute the action
Just like the EMC, for every action ECP performs there is at least one cmdlet being run at the PowerShell level.

[Diagram: client side: Web Browser, ECP Client Library, AJAX. Server side (W3wp.exe / CAS): HTTP.SYS (IIS), LiveId/FBA Auth, ECP Server Library, RBAC, PowerShell, Exchange Cmdlets]
56

Role Evaluation
Thanks to RBAC, a user only has access to the tasks and objects
allowed by the user's roles
In ECP, this manifests as access to self, other users, or
organization management.

[Diagram: Self Management and Org Management views]
67

How does ECP display appropriate UI?

RBAC determines the RbacPrincipal based on the user context
ASP.NET checks the authorization section of the web.config file
and checks whether the user belongs to one of the roles listed
Every folder under the /ecp virtual directory has its own web.config
file with a list of all slabs and the roles required to view them
As the page is rendered, each control on the page (navigation menu,
pages/slabs, and toolbar) evaluates the assigned roles and, if
appropriate, the control is displayed.
73

Browser Compatibility
The ECP component runs on the Client Access server role
under the /ECP virtual directory thus making the interface
entirely web based.
The browser requirements are the same as they are for
Premium Outlook Web App for Exchange 2010:
Internet Explorer 7 or greater on Windows XP or higher
Firefox 3.0 or greater on Windows XP or higher
Safari 3.0 or greater on Macintosh-OS Leopard
74

Implementation
ECP manifests in two forms
Outlook Web App options page
Administration page
74

Outlook Web App options page


Users can manage their own settings
Self management pages:
Account - change personal account information
Organize Email - access Inbox Rules, Automatic Replies (OOF), and
Delivery Reports
Groups - Users can see what groups they are a member of and
choose to join other groups in the organization
Settings - modify settings related to Mail, Spelling, Calendar,
General, Regional, Password, S/MIME
Phone - Displays the phones synchronizing to mailbox and
configuration of text messaging
Block or Allow - allow users to add email addresses to lists of Safe
Senders or Blocked Senders
86

Administration page
With appropriate role assignment, My Organization is
available from Select what to manage
Mailboxes – make changes to a user’s mailbox settings.
First Name, Last Name, Display Name, Address Info, Organization info
(Title, Dept, Company, Manager), Email Options (additional email
addresses), and MailTips.
Groups – Manage all of the distribution lists in the organization, see
the owner, the memberships, whether memberships need approval,
the delivery management settings, message approval settings, E-mail
options, and the mail tips.
External Contacts – create external recipient contacts that would be
included in address lists for the entire organization
Administrator Roles – Role Groups are listed where memberships can
be changed by adding or removing members.
User Roles – allows the administrator to assign specific roles to a
policy.
Reporting - allows administrators to retrieve delivery information.
95

Managing another user’s settings


This option is also known as working on behalf of another
user
Two modes
Full Access – similar to explicit logon in Exchange 2007
Help Desk – requires membership in Help Desk role group
It is possible to manage another user's settings as long as the
appropriate permissions are assigned
Permissions granted to the Help Desk role group make it possible
to manage Resource mailboxes as well
96

Custom Links to the ECP


Possible because the ECP slabs and pages are all
accessible with direct links.
Some examples are:
Calling ECP from Outlook: https://{SERVER}/ecp/?rfr=olk
Calling ECP from OWA: https://{SERVER}/ecp/?rfr=owa
Custom start page: https://{SERVER}/ecp/?p=Oof
If the user is not logged into the ECP, they are prompted
to log on.
See table on pg. 97 for direct links to all ecp pages
101

ECP Management
Similar to OWA management
Handled by XCSI group
108

RBAC and Exchange Management Tools


The Effect of RBAC on Exchange Management Tasks
Watch This: RBAC and Exchange Management Console
Watch This: RBAC and Exchange Management Shell
Watch This: RBAC and Exchange Control Panel
108

The Effect of RBAC on Exchange Management Tasks


Every Exchange management tool uses RBAC to control
access to Exchange tasks
Controls what a user can do when
Control can be configured from a single cmdlet to all of
them
Level of control
Who
What
Where
108

Watch This: RBAC and Exchange Management Console
108

Watch This: RBAC and Exchange Management Shell
108

Watch This: RBAC and Exchange Control Panel


Exchange 2010 Management Tool Features
111

Exchange 2010 Management Tool Features


After completing this lesson you will be able to:
Describe features that are available for use with the
Exchange management tools.
112

Management Tool Interoperability


Exchange Object Versions
Exchange 2003 Interoperability
Exchange 2007 Interoperability
Organization Configuration
Server Configuration
Recipient Configuration
Side-by-Side Management Tools
Prerequisites for Side-by-Side Deployment
Watch This: Side-by-Side Management Tools
112

Exchange Object Versions


Each Exchange object stored in Active Directory has a
version property.
Active Directory property: msExchangeVersion
To check the Exchange version of an object, use Get
cmdlets. Example:
[PS] C:\> Get-Mailbox user1 | Format-List ExchangeVersion
ExchangeVersion : 0.10 (14.0.100.0)
112

Exchange 2003 Interoperability


ESM relies on Active Directory Users and Computers for
managing recipient objects
Limitations
Exchange 2010 management tools can be used to view Exchange
2003 recipient objects, but not the other way around.
The ESM cannot be used to manage any configuration objects for
Exchange 2010.
The Exchange 2010 management tools can be used to view certain
Exchange 2003 configuration objects, but not make any
modifications.
113

Exchange 2007 Interoperability


Organization Configuration
Organization objects
Special consideration for databases
Messaging Records Management v1.0 & 2.0
Server Configuration
Clear cut – must use right version for server version
Recipient Configuration
Exchange 2007 recipients can be managed from both versions
Exchange 2010 recipients can only be managed from Exchange
2010 tools
116

Side-by-Side Management Tools


Prerequisites for Side-by-Side Deployment
Operating Systems
Windows Vista SP2 x64 bit
Windows 2008 SP2 x64 bit
Side-by-side Deployment
.Net Framework 3.5 and 3.5 SP1
Windows Remote Management v2.0
Windows PowerShell v2.0
Windows Installer version 4.5 is required to install Exchange 2007 SP2
on Vista SP2, but is not required on Windows Server 2008 SP2 because
it is already included.
Internet Information Services (IIS) features IIS 6 Metabase
Compatibility (Web-Metabase) and IIS 6 Management Console
(Web-Lgcy-Mgmt-Console).
118

Binary Locations in Side by Side tools


118

Watch This: Side-by-Side Management Tools


119

Exchange Help
Watch This: Exchange Help from EMC and EMS
Online Help
Online Help Features in EMC
Online Help Feature in EMS
121

Administrator Audit Logging


Auditing Management Tasks
Audit Logging Configurations
Watch This: Manage Administrator Audit Logging
122

Auditing Management Tasks


Cmdlets run directly in the Exchange Management Shell
are audited
Operations performed in the EMC and Exchange Control
panel are also audited
Admin Audit Log extension agent runs on every Exchange
Server and is responsible for task logging
Designed to identify tasks by cmdlet and parameter names
Takes place at the organization level
123

Audit Logging Configuration

Depends on AD replication for global settings
Exchange servers update settings on open sessions every 60 minutes
Examining Configuration Settings
Use Get-AdminAuditLogConfig to view these key parameters
Changing Configuration Settings
Use Set-AdminAuditLogConfig, for example:
[PS] C:\>Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogMailbox [email protected]

Property: Description
AdminAuditLogEnabled: Designates that administrative audit logging is disabled (False) or enabled (True). By default auditing is disabled.
AdminAuditLogCmdlets: Multi-valued property that comprises a list of cmdlets that are audited. Wildcards are permitted for both verb and noun names. By default this property is set to audit all cmdlets: {*}.
AdminAuditLogParameters: Multi-valued property that comprises a list of parameters that are audited. Wildcards are permitted. By default this property is set to audit all parameters: {*}.
AdminAuditLogMailbox: Identifies the SMTP address of the repository where audit log messages are sent for storage.
127

Audit Logs
Stored as e-mail messages in the audit logging mailbox
Sample message and fields

Field: Description
Message Subject: The account of the user who ran the cmdlet and the cmdlet that was run.
Cmdlet Name: The cmdlet that was run by the caller.
Object Modified: The object that was modified by the cmdlet.
Parameter: The parameters that were specified when the cmdlet was run, and the values that were provided. If more than one parameter was specified, multiple Parameter fields are shown.
Caller: The user account of the user who ran the cmdlet.
Succeeded: Specifies whether the cmdlet ran successfully. The value is either True or False.
Error: Indicates the error message that was generated if the cmdlet failed to complete successfully.
Run Date: Shows the date and time when the cmdlet was run. The date and time are stored in Coordinated Universal Time (UTC) format.
121
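An added example, not from the deck, that turns the body of one audit log message into an object using the field names in the table above and then applies the checks a reviewer of the audit mailbox would want (failed cmdlets, changes to RBAC or auditing, forwarding set on a mailbox). The message text is constructed for the example, not captured from a real audit mailbox.

```powershell
# Added example (not from the slides): parse one administrator audit log message body and
# flag entries worth a second look. The message body below is constructed, not real output.
$SampleBody = @'
Cmdlet Name: Set-Mailbox
Object Modified: contoso.com/Users/User1
Parameter: Identity = user1
Parameter: ForwardingSmtpAddress = someone@external.example
Parameter: DeliverToMailboxAndForward = True
Caller: contoso.com/Users/HelpDesk1
Succeeded: True
Error:
Run Date: 2009-11-10T14:22:03Z
'@

function ConvertFrom-AdminAuditBody {
    param([Parameter(Mandatory=$true)][string]$Body)
    $entry = @{ CmdletName = $null; ObjectModified = $null; Parameters = @{};
                Caller = $null; Succeeded = $null; Error = $null; RunDate = $null }
    foreach ($line in ($Body -split "`r?`n")) {
        # Every field is "Name: value"; the field name ends at the first colon so that
        # values containing colons (the Run Date timestamp) survive intact.
        if ($line -notmatch '^(?<field>[^:]+):\s*(?<value>.*)$') { continue }
        $field = $Matches['field'].Trim()
        $value = $Matches['value'].Trim()
        switch ($field) {
            'Cmdlet Name'     { $entry.CmdletName = $value }
            'Object Modified' { $entry.ObjectModified = $value }
            # One Parameter line per parameter, written as "Name = Value"
            'Parameter'       { $name, $val = $value -split '\s*=\s*', 2
                                $entry.Parameters[$name] = $val }
            'Caller'          { $entry.Caller = $value }
            'Succeeded'       { $entry.Succeeded = [bool]::Parse($value) }
            'Error'           { if ($value) { $entry.Error = $value } }
            'Run Date'        { $entry.RunDate = [datetime]::Parse($value).ToUniversalTime() }
        }
    }
    New-Object PSObject -Property $entry
}

function Test-AdminAuditEntry {
    param([Parameter(Mandatory=$true)]$Entry)
    $reasons = @()
    if (-not $Entry.Succeeded) { $reasons += "failed: $($Entry.Error)" }
    # Cmdlets that change who may do what, or whether it is recorded at all
    if ($Entry.CmdletName -match '^(Set-AdminAuditLogConfig|New-ManagementRoleAssignment|Add-RoleGroupMember)$') {
        $reasons += 'changes RBAC or audit configuration'
    }
    # Forwarding configured on a mailbox sends copies of that user's mail elsewhere
    if ($Entry.CmdletName -eq 'Set-Mailbox' -and
        @($Entry.Parameters.Keys | Where-Object { $_ -like 'Forwarding*' })) {
        $reasons += 'mail forwarding configured'
    }
    New-Object PSObject -Property @{
        Caller = $Entry.Caller; Cmdlet = $Entry.CmdletName; RunDate = $Entry.RunDate
        Reasons = ($reasons -join '; ')
    }
}

$entry = ConvertFrom-AdminAuditBody -Body $SampleBody
$entry | Format-List CmdletName, ObjectModified, Caller, Succeeded, RunDate
Test-AdminAuditEntry -Entry $entry | Format-List
```

Against the constructed message the second function reports the forwarding change made by the help desk account; pipe real message bodies from the audit mailbox through the same two functions.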

Watch This: Manage Administrator Audit Logging
129

PowerShell Command Logging


Working with Command Logging
Watch This: Using PowerShell Command Logging
129

Working with Command Logging


Starting and Stopping Command Logging
Viewing Command Logging
Exporting the Command List
Clearing the Command Log
Modifying the Maximum Number of Logs
Maintaining Multiple Command Logs
129

Watch This: Using PowerShell Command Logging
135

Managing Diagnostic Logging


Diagnostic Logging Basics
Watch This: Managing Diagnostic Logging from EMC and EMS
135

Diagnostic Logging Basics


Required Permissions
Exchange Servers management role
Managing Diagnostic Logging using EMC
Update Logging Levels
Reset to Default Logging Levels
Managing Diagnostic Logging using EMS
Viewing Diagnostic Logging Levels Using EMS
Changing Diagnostic Logging Levels using EMS
Managing Diagnostic Logging using the Registry
135

Watch This: Managing Diagnostic Logging from EMC and EMS
147

Organizational Health
Organizational Health in EMC
Organizational Health in EMS
Watch This: Managing Organizational Health
148

Organizational Health in EMC


Displayed from the On-Premises node
Permissions
View-Only Organization Management
Server Management
Organization Management
Updated by the Collect Organizational Health wizard
Health Report Summary Information
Information is stored on organization object in AD and is available
globally
Information divided into 3 segments
Organization Summary
Servers Summary
Recipient Summary
149

Organizational Health in EMS


Use the Test-SystemHealth cmdlet to gather information
147

Watch This: Managing Organizational Health


159

Customer Experience Improvement Program


CEIP Basics
Opting-In using Exchange Setup
Managing CEIP using EMC
Managing CEIP using EMS
Watch This: Managing CEIP
161

Opting-In using Exchange Setup


Administrator is prompted to opt-in to CEIP during setup
in two instances
Installing the first Exchange 2010 server administrator can join the
organization to the program, and join the first server
Installing additional Exchange 2010 servers administrator can join
the server, or join the program if not previously joined
164

Managing CEIP using EMC


CEIP Wizard allows administrator to opt-in or opt-out
organization or individual servers
Server Properties expose Customer Feedback Options tab
170

Managing CEIP using EMS


Managing Organization CEIP settings
Use the Get-OrganizationConfig cmdlet to view the current CEIP
settings for the organization
Use the Set-OrganizationConfig cmdlet to modify the current
CEIP settings
Managing Server CEIP settings
Use the Get-ExchangeServer cmdlet to view the current CEIP
settings for an Exchange 2010 server
Use the Set-ExchangeServer cmdlet to modify the current CEIP
settings
170

Watch This: Managing CEIP


172

Exchange Certificate Management


Managing Exchange certificates with EMC
Watch This: Managing Exchange Certificates
173

Certificate Tasks
EMC now includes certificate management tasks
New Exchange Certificate
Import Exchange Certificate
Assign Services to Certificate
Renew Exchange Certificate
Remove Certificate
Managing Exchange Certificates
205

Recipient Scope
What is Recipient Scope
Setting Recipient Scope
205

What is Recipient Scope


Recipient scope refers to the specified portion of the Active
Directory hierarchy that the EMC and the EMS use for recipient
management
In LORGs (large organizations), recipients may be spread across
multiple domains/OUs
Use a scope that focuses on the specific set of recipients to manage
Reduces the number of recipients returned, improving performance
Set the recipient scope to the entire forest only when
performing specific tasks that apply to all recipients in the
forest
When set to entire forest, management tools use a GC to access AD
The recipient information is dependent on the replication latencies of
AD, so information that is displayed may not be entirely up-to-date
207

Setting Recipient Scope in EMC


From the Recipient Configuration node, select Modify
Recipient Scope
Forest scope warning:
Setting Recipient Scope in EMS
Get-AdServerSettings

[PS] C:\>Get-ADServerSettings

ConfigurationDomainController :
PreferredDomainControllers    : {}
PreferredGlobalCatalog        :
RecipientViewRoot             : contoso.com
ViewEntireForest              : False

Set-AdServerSettings

[PS] C:\>Set-ADServerSettings -RecipientViewRoot "contoso.com/Seattle"
[PS] C:\>Set-ADServerSettings -ViewEntireForest $True
[PS] C:\>Set-ADServerSettings -ConfigurationDomainController conseadc1.contoso.com
[PS] C:\>Set-ADServerSettings -PreferredGlobalCatalog conseadc1.contoso.com
[PS] C:\>Set-ADServerSettings -SetPreferredDomainControllers conseadc1.contoso.com, condaldc1.contoso.com
211

What is Toolbox?
The tools available in the Toolbox work center are divided into two categories:
Dedicated Microsoft Management Console (MMC) 3.0 tools: Some tools, such as Queue Viewer, are self-hosted in an MMC console. The Exchange Management Console (EMC) does not have to be running to use the MMC tools.
Independent tools: Independent tools, such as the Best Practices Analyzer, are not integrated with the EMC and function as separate executable files when run from the Toolbox. These tools have their own Help file content.
The tools in Toolbox are segmented into three groups:
Configuration Management Tools
Performance Tools
Security Tools
211

Configuration Management Tools


Best Practices Analyzer
Details Templates Editor
Public Folder Management Console
Remote Connectivity Analyzer
Role Based Access Control (RBAC) User Editor
212

Performance Tools
Mail Flow Troubleshooter
Message Tracking
Queue Viewer
Routing Log Viewer
213

Security Tools
Performance Monitor
Performance Troubleshooter
214

Importing/Exporting Files with Remote PowerShell


Importing and Exporting Files from EMS
The Problem: Local and Remote File Access
214

Importing and Exporting Files from EMS


The Exchange 2007 version of EMS included several
cmdlets that read data from a file (for import) or wrote
data to a file (for export)
These cmdlets rely on access to file system resources
directly from the computer from where the commands are
used
Because Exchange 2010 uses Windows PowerShell
remoting for management tools, import and export files
are not considered to be “local” to the computer where
the Exchange commands are actually executed
Special syntax is required in these cases
214

The Problem: Local and Remote File Access


Understanding PowerShell sessions
Local session only has access to local file system
Remote session has access to its own local file system
216

Importing Files
Use the parameter -FileData:

<Cmdlet> -FileData $(Get-Content -Path <local path to file> -Encoding Byte)
Import-ExchangeCertificate -FileData $(Get-Content -Path c:\certnew.cer -Encoding Byte)

Limitations on importing files:


Amount of data that's transferred to a remote Exchange 2010 server
from a local computer is limited to:
500 MB for each cmdlet that's run
75 MB for each object that's passed to a cmdlet
Changing Transfer Limits
These values are determined by the corresponding parameter
values in the PowerShell virtual directory web.config file on the
Exchange server.
219

Exporting Files
Use the parameter -FileData:

<cmdlet> | ForEach { $_.FileData | Set-Content <local path> -Encoding Byte }
Export-ExchangeCertificate -Server condaltc.contoso.com -Thumbprint 6612481164A70010F0595F0A3C9665C139F1FBE5 -BinaryEncoded -Password (Get-Credential).password | ForEach { $_.FileData | Set-Content -Path c:\condaltc.pfx -Encoding Byte }
220
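An added example, not from the deck, that wraps the -FileData pattern from the Importing Files and Exporting Files slides in two helpers and checks the local file against the 75 MB per-object transfer limit before anything is handed to the remote session. The helper names and the paths in the comments are this example's own.

```powershell
# Added example (not from the slides): helpers for moving file contents through -FileData
# between the local client and the remote Exchange 2010 session. Paths are placeholders.
$PerObjectLimitBytes = 75MB   # per-object limit from the slide; 500 MB is the per-cmdlet total

function Get-RemoteFileData {
    # Read a local file as raw bytes so a remote import cmdlet can receive it via -FileData.
    # Refuses files over the per-object limit instead of letting the remote side reject them.
    param([Parameter(Mandatory=$true)][string]$Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.Length -gt $PerObjectLimitBytes) {
        throw ("{0} is {1:N0} bytes, over the {2:N0} byte per-object limit" -f
               $Path, $file.Length, $PerObjectLimitBytes)
    }
    # -Encoding Byte returns bytes rather than text lines; -ReadCount 0 returns them as one array.
    # The leading comma keeps the array intact when the function returns it.
    ,[byte[]](Get-Content -LiteralPath $Path -Encoding Byte -ReadCount 0)
}

function Save-RemoteFileData {
    # Write the FileData bytes returned by an export cmdlet to a path on the local client.
    param([Parameter(Mandatory=$true)][byte[]]$FileData,
          [Parameter(Mandatory=$true)][string]$Path)
    Set-Content -LiteralPath $Path -Value $FileData -Encoding Byte
    Get-Item -LiteralPath $Path
}

# Import, the certificate case from the slide:
#   Import-ExchangeCertificate -FileData (Get-RemoteFileData -Path 'C:\certnew.cer')
# Export:
#   Export-ExchangeCertificate -Thumbprint <thumbprint> -BinaryEncoded -Password (Get-Credential).Password |
#       ForEach-Object { Save-RemoteFileData -FileData $_.FileData -Path 'C:\export.pfx' }
```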

Cmdlet Extension Agents


Agent Basics
Built-in Agents
220

Agent Basics
Agents modify, replace, or extend functionality of
Exchange Management Shell cmdlets. An agent can:
provide a value for a required parameter that isn't provided on a
command
override a value provided by a user
perform other actions outside of the cmdlet workflow while a
cmdlet runs
Example:
The New-Mailbox cmdlet accepts the Database parameter
If you don't specify a value, the New-Mailbox cmdlet calls the
Mailbox Resources Management agent when the cmdlet runs
The agent automatically determines a suitable mailbox database
on which to create the new mailbox and inserts that value into the
Database parameter value
221

Built-in Agents
Agent name Priority Enabled by default
Query Base DN Agent 0 True
Rus Agent 1 True
Mailbox Resources Management Agent 2 True
Provisioning Policy Agent 3 True
OAB Resources Management Agent 4 True
Scripting Agent 5 False
Admin Audit Log Agent 255 True

Agent Priority
The priority of an agent determines the order in which the agent is called
while a cmdlet runs.
An agent that has a higher priority, closer to 0, is called first.
The priority of an agent becomes important when two or more agents
attempt to set the value of the same property.
The highest priority agent succeeds, and all lower priority agents are
ignored.
223

Agent Management
Examining Agent Configuration
Get-CmdletExtensionAgent
Changing Agent Priority
Set-CmdletExtensionAgent
-Priority parameter
Enabling an Agent
Enable-CmdletExtensionAgent
Disabling an Agent
Disable-CmdletExtensionAgent
227
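An audit of the agent configuration is the practical counterpart to the table and the management cmdlets above. The following function is an added example, not code from the deck or from Exchange: it lists every agent in priority order and adds a Finding column that singles out the Scripting Agent, because once enabled it runs the script in ScriptingAgentConfig.xml on every cmdlet invocation in the organization. It assumes it is run from the Exchange Management Shell on an Exchange 2010 server, where the ExchangeInstallPath environment variable and the cmdlets exist; the management cmdlets at the end are shown with -WhatIf so they only report what they would change.

```powershell
# Added example: enumerate cmdlet extension agents and flag the Scripting Agent.
function Get-CmdletAgentAudit {
    # Lower priority numbers run first and win when two agents set the same property.
    $agents = Get-CmdletExtensionAgent | Sort-Object Priority
    foreach ($agent in $agents) {
        $finding = ''
        if ($agent.Name -eq 'Scripting Agent' -and $agent.Enabled) {
            $finding = 'REVIEW: Scripting Agent is enabled'
            # The agent's script lives in Bin\CmdletExtensionAgents under the Exchange
            # install path. If the agent is enabled the file must exist on every server,
            # otherwise cmdlets fail there; record when it last changed.
            $cfg = Join-Path $env:ExchangeInstallPath 'Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml'
            if (Test-Path $cfg) {
                $item = Get-Item $cfg
                $finding += "; config last written $($item.LastWriteTime) ($($item.Length) bytes)"
            } else {
                $finding += "; config file missing at $cfg (cmdlets will fail on this server)"
            }
        }
        New-Object PSObject -Property @{
            Name     = $agent.Name
            Priority = $agent.Priority
            Enabled  = $agent.Enabled
            Finding  = $finding
        }
    }
}

# Usage:
Get-CmdletAgentAudit | Format-Table Priority, Name, Enabled, Finding -AutoSize

# Management cmdlets from the slide, dry-run only. Moving an agent to priority 1
# places it ahead of everything except the Query Base DN Agent.
Set-CmdletExtensionAgent -Identity 'Scripting Agent' -Priority 1 -WhatIf
Disable-CmdletExtensionAgent -Identity 'Scripting Agent' -WhatIf
Enable-CmdletExtensionAgent -Identity 'Scripting Agent' -WhatIf
```

Run the audit on each server rather than once, since the agent configuration file is per-server while the enabled flag is organization-wide.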

Windows PowerShell Execution Policies


Windows PowerShell execution policies determine the
conditions under which Windows PowerShell runs scripts.
Policies
Restricted - Permits individual commands, does not allow the execution
of any script files (default execution policy for Windows PowerShell)
AllSigned - Allows scripts to run. Requires all scripts be signed by a
trusted publisher. Prompts before running scripts from untrusted
publishers.
RemoteSigned - Allows scripts to run. Requires a trusted digital
signature on scripts downloaded from the Internet. Does not require
digital signatures on scripts written on the local computer.
Unrestricted - Allows unsigned scripts to run. Prompts with warning
before running scripts and configuration files downloaded from the
Internet.
Bypass - Nothing is blocked and there are no warnings or prompts.
Undefined - There is no execution policy set in the current scope.
Windows PowerShell Execution Policy Scope
You can set an execution policy that is effective only in a
particular Scope.
The Scope values are listed in precedence order:
Process - The execution policy affects only the current session (the
current Windows PowerShell process).
CurrentUser - The execution policy affects only the current user.
LocalMachine - The execution policy affects all users on the current
computer.
228

PowerShell Security (continued)


Get the Execution Policy
Get-ExecutionPolicy
Change the Execution Policy
Set-ExecutionPolicy
Remove the Execution Policy
Set-ExecutionPolicy Undefined
Set-ExecutionPolicy Undefined -Scope LocalMachine
Set an Execution Policy when Starting PowerShell
powershell.exe -ExecutionPolicy AllSigned
Use a Group Policy to Manage Execution Policy
Install the .adm file on a computer
Add the .adm file in the Group Policy Editor
Set the Group Policy Execution Policy
234

PowerShell Security (continued)


Execution Policy Precedence
Group Policy: Computer Configuration
Group Policy: User Configuration
Execution Policy: Process (or PowerShell.exe -ExecutionPolicy)
Execution Policy: CurrentUser
Execution Policy: LocalMachine
235
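The precedence list above is exactly what Get-ExecutionPolicy -List returns, most authoritative scope first, and the effective policy is the first entry that is not Undefined. The following function is an added example, not code from the deck or from Microsoft: it resolves which scope supplies the effective policy, both for the live machine and for a constructed list used to reason about a change before making it. The scope names come from PowerShell itself; the constructed scenario values are sample data.

```powershell
# Added example: determine which scope is supplying the effective execution policy.
function Get-EffectiveExecutionPolicySource {
    param(
        # Defaults to the live configuration; pass a constructed list to
        # evaluate a proposed change without applying it.
        $PolicyList = (Get-ExecutionPolicy -List)
    )
    foreach ($entry in $PolicyList) {
        if ("$($entry.ExecutionPolicy)" -ne 'Undefined') {
            return New-Object PSObject -Property @{
                Scope           = "$($entry.Scope)"
                ExecutionPolicy = "$($entry.ExecutionPolicy)"
            }
        }
    }
    # Nothing set in any scope: PowerShell falls back to Restricted, so no script
    # runs, including the temporary module that Import-PSSession generates.
    New-Object PSObject -Property @{ Scope = '(default)'; ExecutionPolicy = 'Restricted' }
}

# Usage on the live machine:
Get-ExecutionPolicy -List
Get-EffectiveExecutionPolicySource

# Constructed scenario: Group Policy pins AllSigned at MachinePolicy while an
# operator starts powershell.exe -ExecutionPolicy Bypass. The GPO still wins
# because it is evaluated first.
$constructed = @(
    (New-Object PSObject -Property @{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' }),
    (New-Object PSObject -Property @{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }),
    (New-Object PSObject -Property @{ Scope = 'Process';       ExecutionPolicy = 'Bypass' }),
    (New-Object PSObject -Property @{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }),
    (New-Object PSObject -Property @{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' })
)
Get-EffectiveExecutionPolicySource -PolicyList $constructed   # Scope MachinePolicy, AllSigned

# Narrowest change that lets locally written scripts run without touching the
# machine-wide setting; -WhatIf shows the change without applying it.
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -WhatIf
```

When a user reports that scripts run on one machine and not another, comparing the two -List outputs is faster than comparing Set-ExecutionPolicy history, because a Group Policy entry silently outranks every local setting.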

Management Tool Client Throttling


Understanding Client Throttling
Default Client Throttling Policy
Policy Parameters
Management Shell Parameters
Managing Client Throttling Policies
235

Understanding Client Throttling


Client Throttling Policies manage the performance of your
Exchange organization by enforcing connection bandwidth
limits as necessary.
The benefits of client throttling:
Make sure that users aren't intentionally taxing the system
Make sure that users aren't unintentionally taxing the system
Make sure that users of various connectivity methods are
proportionally sharing resources
235

Default Client Throttling Policy


A default throttling policy is automatically created that
implicitly governs all users within the organization
You can customize the default policy based on the needs
of your organization
The component types covered by throttling policies are:
Microsoft Exchange ActiveSync
Exchange Web Services
IMAP
Outlook Web App
POP
PowerShell
238

Policy Parameters for PowerShell Throttling


(1) PowerShellMaxConcurrency - Defines the maximum number of
Remote PowerShell sessions that a remote PowerShell user can have
open at the same time
(2) PowerShellMaxCmdlets - Defines the number of cmdlets that can
be executed per time period without being throttled. Depends on the
value of parameter (3). Both values should be set at the same time.
(3) PowerShellMaxCmdletsTimePeriod - Defines the time period, in
seconds, that a user can execute the number of cmdlets defined by
the parameter (2)
(4) PowerShellMaxCmdletQueueDepth - Defines the number of
operations allowed to be executed by the user. This value directly
affects the behavior of the (2) and (1) parameters
(5) ExchangeMaxCmdlets - Specifies the number of cmdlets that can
be executed within a specific time period before their execution is
slowed down. The value specified by this parameter should be less
than the value specified by the (2) parameter.
239

Managing Client Throttling Policies


The Exchange Management Shell (EMS) enables you to
modify and view the client throttling policy settings by
using the cmdlets described in this table.
Cmdlet name               Description
New-ThrottlingPolicy      Creates a new throttling policy.
Remove-ThrottlingPolicy   Removes a throttling policy.
Get-ThrottlingPolicy      Views the settings of a throttling policy.
Set-ThrottlingPolicy      Modifies all available settings for a throttling policy.

You can use the ThrottlingPolicy parameter of the Set-Mailbox and
New-Mailbox cmdlets to associate client throttling policies with a
user or group of users by modifying properties on their mailbox.
244
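A dedicated policy for an automation account is the common case for the PowerShell parameters listed on the previous slide. The following is an added example, not code from the deck or from Exchange: it creates such a policy, refusing values that violate the relationships the slide states (ExchangeMaxCmdlets below PowerShellMaxCmdlets, and the cmdlet count set together with its time period), attaches it to a mailbox, and compares it with the organization default. The policy name, the account identity svc-provisioning and the numeric limits are assumed sample values rather than recommendations; the IsDefaultPolicy property name is assumed from the Exchange 2010 Get-ThrottlingPolicy output.

```powershell
# Added example: create and assign a PowerShell-focused throttling policy.
function New-AutomationThrottlingPolicy {
    param(
        [string]$Name = 'Automation-PowerShell',   # assumed policy name
        [int]$MaxConcurrency  = 3,     # (1) simultaneous remote sessions
        [int]$MaxCmdlets      = 300,   # (2) cmdlets allowed per time period
        [int]$TimePeriodSec   = 60,    # (3) the time period for (2), in seconds
        [int]$QueueDepth      = 400,   # (4) operations the user may have in flight
        [int]$ExchangeCmdlets = 200    # (5) cmdlets before slowdown; must be below (2)
    )
    # Enforce the constraints from the slide before creating anything.
    if ($ExchangeCmdlets -ge $MaxCmdlets) {
        throw "ExchangeMaxCmdlets ($ExchangeCmdlets) must be less than PowerShellMaxCmdlets ($MaxCmdlets)"
    }
    if ($TimePeriodSec -le 0) {
        throw 'PowerShellMaxCmdletsTimePeriod must be a positive number of seconds'
    }
    New-ThrottlingPolicy -Name $Name `
        -PowerShellMaxConcurrency $MaxConcurrency `
        -PowerShellMaxCmdlets $MaxCmdlets `
        -PowerShellMaxCmdletsTimePeriod $TimePeriodSec `
        -PowerShellMaxCmdletQueueDepth $QueueDepth `
        -ExchangeMaxCmdlets $ExchangeCmdlets
}

# Usage: create the policy, bind it to the automation account's mailbox, confirm.
$policy = New-AutomationThrottlingPolicy
Set-Mailbox -Identity 'svc-provisioning' -ThrottlingPolicy $policy.Identity
Get-Mailbox -Identity 'svc-provisioning' | Select-Object Name, ThrottlingPolicy

# Document the deviation from the organization default side by side.
Get-ThrottlingPolicy | Where-Object { $_.IsDefaultPolicy -or $_.Name -eq $policy.Name } |
    Format-List Name, IsDefaultPolicy, PowerShellMaxConcurrency, PowerShellMaxCmdlets,
        PowerShellMaxCmdletsTimePeriod, PowerShellMaxCmdletQueueDepth, ExchangeMaxCmdlets

# Rolling back: detach the mailbox first, then remove the policy.
# Set-Mailbox -Identity 'svc-provisioning' -ThrottlingPolicy $null
# Remove-ThrottlingPolicy -Identity $policy.Identity
```

Keeping automation accounts on their own policy means a runaway script is throttled without slowing interactive administrators, and the per-account limits are visible in the policy rather than hidden in the default.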

Diagnostics and Troubleshooting


244

Diagnostics and Troubleshooting


After completing this lesson you will be able to:
Describe common tools for troubleshooting issues related to
Exchange Management Tools
245

Diagnostic Logging for Management Tools


There are two components that can be configured to
generate diagnostic logging events for management tool
operations:

Management Tasks
Throttling
There are two services that generate throttling related
event logs:
MSExchangeThrottling
MSExchangeThrottlingClient
For each service, there is the General category, which
generates events related to throttling.

There are five services that generate Management Task
event logs:
MSExchange Configuration Cmdlet - Control Panel
MSExchange Configuration Cmdlet - Management Console
MSExchange Configuration Cmdlet - Management Shell
MSExchange Configuration Cmdlet - Management Web Service
MSExchange Configuration Cmdlet - Remote Management
For each service, there are two categories:
General - Events related to the operation of the management tasks
RBAC - Events specific to RBAC processing
248
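Raising a category's logging level, reproducing the problem, collecting the events and lowering the level again is the routine these services are used for. The following function is an added example, not code from the deck or from Exchange: it wraps that routine with the level restored in a finally block so Expert logging cannot be left on by accident. The service and category names are the ones listed above; it assumes the "service\category" Identity format of Get-EventLogLevel and that the service names are also the Application-log event sources, and the default reproduction step (a single Get-Mailbox) is an assumed placeholder for whatever fails in your environment.

```powershell
# Added example: temporarily raise diagnostic logging for one management-task
# category, capture what it writes, and put the level back.
function Trace-ManagementTaskEvents {
    param(
        [string]$Service  = 'MSExchange Configuration Cmdlet - Remote Management',
        [string]$Category = 'RBAC',
        [scriptblock]$Reproduce = { Get-Mailbox -ResultSize 1 | Out-Null }   # assumed repro step
    )
    $identity = "$Service\$Category"   # assumed Identity format: service\category
    $original = (Get-EventLogLevel -Identity $identity).EventLevel
    Set-EventLogLevel -Identity $identity -Level Expert
    $start = Get-Date
    try {
        & $Reproduce
        Start-Sleep -Seconds 2   # give the event log a moment to flush
        # Assumption: the service name doubles as the Application-log source name.
        Get-EventLog -LogName Application -Source $Service -After $start |
            Select-Object TimeGenerated, EntryType, EventID, Message
    }
    finally {
        # Expert logging is noisy; always restore the previous level.
        Set-EventLogLevel -Identity $identity -Level $original
    }
}

# Usage:
Trace-ManagementTaskEvents | Format-Table -AutoSize -Wrap

# The throttling services expose only the General category:
Get-EventLogLevel -Identity 'MSExchangeThrottling\General'
Get-EventLogLevel -Identity 'MSExchangeThrottlingClient\General'
```

The RBAC category is the one to raise when a cmdlet is missing from a user's session or a parameter is rejected, since those decisions are made by RBAC before the cmdlet body runs.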

Management Tool EXTRA Tracing


Management tool trace components can be separated into
two groups, depending on the problem under
investigation:
Control Panel – Use the Control panel component for
troubleshooting issues that are limited to the operation of the ECP.
Management Tasks (PowerShell) – Use the Management Tasks
components for troubleshooting issues related to management
tasks across all management tools.
See pages 248 – 250 for tags available for tracing
Management Tools operation.
251

Troubleshooting Remote PowerShell


Common issues can be divided into two categories
Client Issues
Import-PSSession error caused by Windows PowerShell execution
policy
Connection Issues
Incorrect username or password or remote Shell user is disabled
Connection between client and server is broken
Server name provided doesn't exist
Incorrect virtual directory name
Connection attempt without SSL fails
Warnings when the Import-PSSession cmdlet is run
254

Test Cmdlets for Troubleshooting


Exchange 2010 provides cmdlets for diagnosing and
resolving problems related to Remote PowerShell and
Exchange Control Panel.
Test-PowerShellConnectivity
Use the Test-PowerShellConnectivity cmdlet to test whether Windows
PowerShell remoting on the target Exchange 2010 server is
functioning correctly.
Test-EcpConnectivity
Use the Test-EcpConnectivity cmdlet to verify that the Exchange
Control Panel is running as expected.
Watch This: Troubleshooting
273
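The client and connection issues listed two slides back can be checked before a session is attempted, and the test cmdlets above confirm the server side once a session exists. The following function is an added example, not code from the deck or from Exchange: it checks the execution policy and name resolution up front, connects with the Exchange 2010 defaults (the PowerShell virtual directory and the Microsoft.Exchange configuration name), and maps the common WinRM failures to the slide's categories. The server name cas01.contoso.com is an assumed placeholder, and the -UseSsl switch exists so the URI matches whatever SSL requirement the virtual directory has.

```powershell
# Added example: connect to Exchange 2010 Remote PowerShell with the usual
# failure points diagnosed explicitly.
function Connect-ExchangeRemoteShell {
    param(
        [string]$Server = 'cas01.contoso.com',   # assumed placeholder
        [switch]$UseSsl,                         # match the vdir's SSL setting
        [System.Management.Automation.PSCredential]$Credential
    )
    # Client issue: Import-PSSession writes a temporary module that cannot load
    # under the Restricted policy. Fail early with an actionable message.
    if ((Get-ExecutionPolicy) -eq 'Restricted') {
        throw 'Execution policy is Restricted; Import-PSSession will fail. Set RemoteSigned for the CurrentUser scope.'
    }
    # Connection issue: server name does not exist. Resolve it before touching WinRM.
    try { [System.Net.Dns]::GetHostEntry($Server) | Out-Null }
    catch { throw "Server name '$Server' does not resolve: $($_.Exception.Message)" }

    $scheme = if ($UseSsl) { 'https' } else { 'http' }
    $uri = '{0}://{1}/PowerShell/' -f $scheme, $Server
    $params = @{
        ConfigurationName = 'Microsoft.Exchange'
        ConnectionUri     = $uri
        Authentication    = 'Kerberos'
    }
    if ($Credential) { $params['Credential'] = $Credential }

    try {
        $session = New-PSSession @params -ErrorAction Stop
    }
    catch {
        # Translate the WinRM error into the slide's categories for the operator.
        $msg = $_.Exception.Message
        if ($msg -match 'Access is denied|unauthorized') {
            throw "Authentication failed for $uri (wrong credentials, or the account has RemotePowerShellEnabled set to false): $msg"
        }
        if ($msg -match '404') {
            throw "Virtual directory not found at $uri (check the PowerShell vdir name): $msg"
        }
        throw "Connection to $uri failed (network path, SSL requirement or WinRM listener): $msg"
    }
    # Import warnings about unapproved verbs are expected and harmless.
    Import-PSSession $session -WarningAction SilentlyContinue | Out-Null
    return $session
}

# Usage from an administrative workstation:
$s = Connect-ExchangeRemoteShell -Server 'cas01.contoso.com'

# With the session established, run the server-side checks from the slide.
Test-PowerShellConnectivity -ClientAccessServer 'cas01.contoso.com' | Format-List Scenario, Result, Error
Test-EcpConnectivity -ClientAccessServer 'cas01.contoso.com' | Format-List Scenario, Result, Error

Remove-PSSession $s
```

If the pre-checks pass and New-PSSession still fails with an access-denied error, the next place to look is Set-User -RemotePowerShellEnabled for the account and the RBAC role assignments, since both are evaluated before any cmdlet is exposed.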

Appendix
Client Throttling Performance Counters
Management Task Events
Exchange Control Panel Events
Questions


© 2009 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.



Conditions and Terms of Use

This training package content is proprietary and confidential, and is intended only for users described in the training materials. Content and
information designated for limited distribution is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or
disclosing all or any portion of the content and/or information included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether
express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-
infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft
must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


© 2009 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see “Use of Microsoft Copyrighted Content “at http://www.microsoft.com/about/legal/permissions/.
Microsoft®, Internet Explorer, and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries. All other trademarks are property of their respective owners.
