Alan's sysadmin Blog

Working smarter not harder

Archive for the ‘Exchange 2013’ Category

Bulk addition of Fortigate Firewall Addresses

Posted by Alan McBurney on September 24, 2015

During a recent Office 365 Exchange Hybrid project I had the need to lock down the on-premises Exchange servers to the Exchange Online IP addresses.

The published list from Microsoft is quite long and I didn't fancy adding the addresses to the firewall manually, so I decided to use a regex to edit the list into a format that I could then paste directly into the firewall via SSH.

I took the list from Microsoft and added it to Notepad++, where I then did a find and replace using the regex commands below. (The initial list of IPs needs to be in the format x.x.x.x/x for this to work properly.)

Find
(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(/\d{2})

Replace
edit ExchangeOnline-$1.$2.$3.$4\nset subnet $1.$2.$3.$4$5\nnext\n

Using the above regex commands takes a list of IPs in the format

23.103.160.0/20
23.103.224.0/19
40.96.0.0/16
40.97.0.0/16
40.98.0.0/16

and creates the necessary Fortigate commands

edit ExchangeOnline-23.103.160.0
set subnet 23.103.160.0/20
next

edit ExchangeOnline-23.103.224.0
set subnet 23.103.224.0/19
next

edit ExchangeOnline-40.96.0.0
set subnet 40.96.0.0/16
next

edit ExchangeOnline-40.97.0.0
set subnet 40.97.0.0/16
next

edit ExchangeOnline-40.98.0.0
set subnet 40.98.0.0/16
next

edit ExchangeOnline-40.99.0.0
set subnet 40.99.0.0/16
next

edit ExchangeOnline-40.100.0.0
set subnet 40.100.0.0/16
next

edit ExchangeOnline-40.101.0.0
set subnet 40.101.0.0/16
next

Once SSH'd onto the Fortigate, the command to enter the address object configuration is

config firewall address

Then simply copy and paste the generated commands from Notepad++ and the end result is as below.
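The same transformation as an added Python script (not from the original post), which generalises the Notepad++ find/replace: it accepts one- and two-digit prefix lengths (the post's (/\d{2}) group only matches two digits, so a /8 entry would be left untouched), validates each line as a real network so a mistyped address never becomes a firewall object, and wraps the output in the config block entered over SSH. The sample list is constructed; ExchangeOnline is the object-name prefix from the post.

```python
import ipaddress
import re

# Constructed sample list in the x.x.x.x/y format the post expects
SAMPLE_LIST = """23.103.160.0/20
23.103.224.0/19
40.96.0.0/16
"""

# Prefix length may be 1 or 2 digits, unlike the post's (/\d{2}) group
CIDR_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(\d{1,2})$")


def to_fortigate(text, prefix="ExchangeOnline"):
    """Turn one CIDR per line into 'edit/set subnet/next' address entries.

    Returns (commands, rejected): rejected holds lines that are not a
    syntactically valid CIDR or not a real network (e.g. host bits set),
    so they can be reviewed instead of silently becoming firewall objects.
    """
    commands, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not CIDR_RE.match(line):
            rejected.append(line)
            continue
        try:
            # strict=True rejects e.g. 192.168.1.5/24 (host bits set)
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        commands.append(
            f"edit {prefix}-{net.network_address}\n"
            f"set subnet {net.with_prefixlen}\nnext"
        )
    return commands, rejected


def render_config(commands):
    """Wrap the entries in the block the post enters over SSH; 'end' closes it."""
    return "config firewall address\n" + "\n".join(commands) + "\nend\n"


if __name__ == "__main__":
    cmds, bad = to_fortigate(SAMPLE_LIST + "10.0.0.0/8\n999.1.1.1/24\n192.168.1.5/24\n")
    print(render_config(cmds))
    if bad:
        print("rejected (check these by hand):", bad)
```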

[Screenshot: the resulting ExchangeOnline address objects on the Fortigate]

Posted in Exchange 2013, Exchange Online, FortiGate, Office 365

Script: Fixing Orphaned AdminSDHolder Accounts

Posted by Alan McBurney on August 27, 2014

This is intended as a follow-up to Detecting members of Protected Groups within AD.

It seems that no matter how many Exchange or Lync projects I do, I always come across the issue of orphaned AdminSDHolder accounts.

To overcome the tedium of detecting and fixing orphaned users I decided to put together a script to automate the task.

This script gets all users that are members of protected groups within AD and compares that membership with users that have the AD attribute AdminCount=1 set. If a user has AdminCount=1 set but is not a member of a protected group within AD, then the user is considered orphaned: the AdminCount is reset to 0 and inheritable permissions are enabled.

<#
.SYNOPSIS
Detects orphaned SD Admin users, resets the adminCount attribute and enables inheritable permissions

.Author
Alan.McBurney

THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.

Version 1.0, July 10th, 2014

.DESCRIPTION
This script gets all users that are members of protected groups within AD and compares
that membership with users that have the AD attribute adminCount=1 set.
If the user has adminCount=1 set but is not a member of a protected group then the user
is considered an orphaned admin user: the adminCount attribute is reset and inheritable
permissions are re-enabled on the user object.

.REFERENCES
http://blogs.technet.com/b/heyscriptingguy/archive/2010/07/11/hey-scripting-guy-weekend-scripter-checking-for-module-dependencies-in-windows-powershell.aspx
http://blogs.msdn.com/b/muaddib/archive/2013/12/30/how-to-modify-security-inheritance-on-active-directory-objects.aspx

.EXAMPLE
Reset-OrphanSDUsers

.Notes
To Do list: Enable logging
#>

# Check that the Active Directory PowerShell module is available on the system and load it
Function Get-MyModule
{
  Param([string]$name)
  if (-not (Get-Module -Name $name))
  {
    if (Get-Module -ListAvailable | Where-Object { $_.Name -eq $name })
    {
      Import-Module -Name $name
    }
    else
    {
      Write-Host "$name PowerShell module not available" -ForegroundColor Red
    }
  } # end if not module; otherwise the module is already loaded
} # end function Get-MyModule

Get-MyModule -name "ActiveDirectory"

# Re-enable inheritance of permissions on an AD object, given its distinguished name
Function Set-Inheritance
{
  Param([string]$ObjectPath)
  $Acl = Get-ACL -Path "AD:\$ObjectPath"
  # AreAccessRulesProtected is $True when inheritance has been blocked (this is what AdminSDHolder does)
  If ($Acl.AreAccessRulesProtected -eq $True)
  {
    # $False = stop protecting (allow inheritance again); $True = keep the existing explicit ACEs
    $Acl.SetAccessRuleProtection($False, $True)
    Set-ACL -AclObject $Acl -Path "AD:\$ObjectPath"
  }
}

# Get list of protected groups
$AdminGrp = Get-ADGroup -LDAPFilter "(adminCount=1)"

# Get list of admin users (past and present)
$AdminUsers = Get-ADUser -LDAPFilter "(adminCount=1)"

# Current user members of the protected groups. -Recursive is needed because AdminSDHolder also
# protects users that are members through nested groups; without it those users would be
# wrongly treated as orphaned and have their adminCount cleared
$Admins = ForEach ($Grp in $AdminGrp) { Get-ADGroupMember $Grp -Recursive | Where-Object { $_.ObjectClass -eq "user" } }
$AdminDNs = $Admins | ForEach-Object { $_.DistinguishedName }

# Create empty hash tables
$PGUsers = @{}
$OrphanUsers = @{}

# Compare $AdminUsers to $Admins and place each user in the appropriate hash table.
# Compare on distinguishedName rather than a regex -Match on the display name, which
# would also match "John Smith" against "John Smithson" and break on names containing regex characters
ForEach ($User in $AdminUsers)
{
  If ($AdminDNs -contains $User.DistinguishedName)
  {
    $PGUsers.Add($User.SamAccountName, "Present")
  }
  Else
  {
    $OrphanUsers.Add($User.SamAccountName, "NotPresent")
  }
}

If ($OrphanUsers.Count -gt 0)
{
  ForEach ($Orphan in $OrphanUsers.Keys)
  {
    $Orphan
    $ADUser = Get-ADUser $Orphan
    # Clear the adminCount attribute, then restore permission inheritance on the object
    Set-ADUser $Orphan -Clear adminCount
    Set-Inheritance $ADUser.DistinguishedName
  }
}

Posted in Active Directory, Exchange 2010, Exchange 2013, Lync, Lync 2013, PowerShell

Detecting members of Protected Groups within AD

Posted by Alan McBurney on July 16, 2013

I do a lot of Exchange and Lync work and typically, post project, I get calls from customers that things aren't working quite as expected.

Some typical issues include insufficient rights to modify users within Lync, ActiveSync not working, or Send As permissions being stripped out for users within Exchange.

What all these issues have in common is that the users affected are members of what's termed Protected Groups within AD, and security inheritance is being stripped from the user object.

If you need a primer, or a deep dive for that matter, into Protected Groups see John Policelli's article here

The following Active Directory PowerShell commands can be used to detect which users and groups are affected by Protected Group status.

To get the list of protected users:
     Get-ADUser -LDAPFilter "(admincount=1)" | select name

To get the list of protected groups:
     Get-ADGroup -LDAPFilter "(admincount=1)" | select name

Once the users have been removed from the Protected Groups, it's just a matter of enabling security inheritance on the user object from within AD and the issues should be resolved.

Posted in Active Directory, Exchange 2010, Exchange 2013, Lync, PowerShell, Windows 2008 R2, Windows Server 2012

Exchange 2013 CU1 Installation

Posted by Alan McBurney on April 3, 2013

The long-awaited CU1 update for Exchange 2013 has finally arrived.
This update allows for on-premises coexistence with Exchange 2010 SP3 and Exchange 2007 SP3 RU10, and brings the Exchange 2013 build number up to 15.0 (Build 620.29).

The admin display versions from a pre- and post-CU1 install are shown below. (Ex2K13-01 running RTM and Ex2K13-02 running CU1)

[Screenshot: admin display version before and after CU1]

CU1 also brings new schema, AD and domain updates, so all three need to be prepared before running setup.

To prepare the schema run

  • setup.exe /PrepareSchema

To prepare AD run

  • setup.exe /PrepareAD

To prepare the domain run

  • setup.exe /PrepareDomain

Finally, to install the update onto an RTM version of 2013 run

  • setup.exe /m:Upgrade

There are only a few clicks to navigate through before installation begins.

Installation took a good 40 minutes on my machines.

If you have been holding back on the installation of 2013 until CU1, there is no need to install the RTM version first.
As the updates are cumulative, run setup straight from the CU1 media and you're done.

Happy patching.

Exchange 2013 CU1 can be downloaded here

Posted in Exchange 2013, Windows Server 2012

Exchange 2013 Server installation – Part 2

Posted by Alan McBurney on November 5, 2012

In the first part of this multi-part blog post I covered the installation of the Client Access Server.

This time around we will cover the installation of the Mailbox role.

Let's get started by covering off the prerequisites for the Mailbox role.

One final reboot is required before we can install the Exchange 2013 Mailbox role.

Once the server is back up we can go ahead and launch the Exchange 2013 setup routine.

The following screenshots will guide you through the install.

[Screenshots: MBX Setup 1 through MBX Setup 9]

Once the installation is complete we can check that the Exchange Admin Center comes up as expected.

Open your web browser and enter the IP or DNS name of your CAS server. For me it's

https://cas01/ecp

As I haven't installed a trusted certificate yet, I will get a security error once I connect. This can be ignored as it's expected behaviour.

[Screenshot: certificate security warning]

Once you have accepted the warning you will be presented with the Exchange Admin Center.

[Screenshot: Exchange Admin Center]

Repeat the installation process for MBX02 and once complete that concludes part 2 of this blog post.

Next time out I will configure the Client Access Server client URLs and set up the Kemp Virtual Load Master.

Posted in Exchange 2013

Exchange 2013 Server installation – Part 1

Posted by Alan McBurney on November 3, 2012

This is the first of a multi-part blog post on the setup and configuration of Exchange Server 2013.

The Exchange environment will be split over 4 servers (2x Client Access and 2x Mailbox).

The back-end mailbox servers will be configured in a DAG and the front end will be load balanced using a Kemp Virtual Load Master.

All servers are running Windows Server 2012 RTM in vSphere 5.1.

The lab is set up as per the table below

Server      IP address
DC01        192.168.0.1
CAS01       192.168.0.2
CAS02       192.168.0.3
MBX01       192.168.0.4
MBX02       192.168.0.5
Kemp VLM    192.168.0.6

I will not be covering the initial OS configuration; all servers have already been joined to the domain.

In part 1 here we will deal with the installation of the Client Access Server. (Configuration guides will come in later posts.)

So with that in mind, let's start the installation of Exchange Server 2013.


The Client Access Server requires some prerequisites before we can launch Exchange setup.

These prereqs are the Windows Server Foundation feature (installed as Server-Media-Foundation below) and Microsoft Unified Communications API 4.0.

To install the Windows Server Foundation feature, open PowerShell and run the following commands

Import-Module ServerManager    (no need to import modules when running PowerShell v3 or v4 on Server 2012, as they load automatically)

Add-WindowsFeature Server-Media-Foundation

Shutdown -r -t 00    (or Restart-Computer, to restart the PowerShell way)

When the server comes back up after its reboot, install the Microsoft Unified Communications API 4.0 Runtime.

[Screenshot: UCMA 4.0 Runtime installation]

With all the prerequisites now installed we can finally launch the Exchange setup routine.

The following screenshots walk through the installation.

[Screenshots: CAS Setup 1 through CAS Setup 10]

And that's part one finished. This process is repeated for the installation of CAS02.

In part 2 I will be covering the installation of the Mailbox Server.

Posted in Exchange 2013