Category Archives: Exchange 2013

Microsoft Exchange Vulnerability affects all Exchange versions


CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Security Vulnerability

Date of publishing: 11 February 2020

Microsoft has announced that a vulnerability has been found in all Exchange Server versions from 2010 through 2019. The vulnerability allows an attacker to send a specially crafted request to the affected server in order to exploit it.

When could this happen?

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.
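Because the flaw is that every install ended up with the same validation key, a useful defender check is to compare the key across your servers. The script below is an added example, not part of the advisory or this post: it hashes the machineKey validationKey found in each web.config you point it at, so identical fingerprints on different servers show that the static key is still in place. The file paths are assumptions (use the web.config of the Exchange virtual directory you want to compare), and the simplified Where-Object syntax needs PowerShell 3 or later.

```powershell
# Added example (not from the original post): fingerprint the ASP.NET machineKey
# validationKey in one or more Exchange web.config files. Every server should have
# its own unique key; a shared fingerprint means the install-time static key remains.
function Get-MachineKeyFingerprint {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    foreach ($file in $Path) {
        [xml]$config = Get-Content -Path $file -Raw
        $machineKey = $config.configuration.'system.web'.machineKey
        if ($null -eq $machineKey) {
            # No explicit element: the key is inherited or auto-generated, nothing to compare
            [pscustomobject]@{ Path = $file; Fingerprint = $null; Note = 'no machineKey element' }
            continue
        }
        $validationKey = [string]$machineKey.validationKey
        if ($validationKey -like 'AutoGenerate*') {
            [pscustomobject]@{ Path = $file; Fingerprint = $null; Note = 'validationKey is auto-generated' }
            continue
        }
        # Hash the key so it can be compared and logged without exposing the key itself
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($validationKey)
        $hash = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{ Path = $file; Fingerprint = $hash.Substring(0, 16); Note = 'static key' }
    }
}

# Usage with assumed paths: collect the same web.config from several servers and
# report any fingerprint that more than one server shares.
$results = Get-MachineKeyFingerprint -Path '\\EX01\C$\path\to\web.config', '\\EX02\C$\path\to\web.config'
$results | Format-Table -AutoSize
$results | Where-Object Fingerprint | Group-Object Fingerprint | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "validationKey $($_.Name) is shared by $($_.Count) servers: $($_.Group.Path -join ', ')" }
```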

Affected Versions:

  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23   
  • Microsoft Exchange Server 2016 Cumulative Update 14   
  • Microsoft Exchange Server 2016 Cumulative Update 15   
  • Microsoft Exchange Server 2019 Cumulative Update 3   
  • Microsoft Exchange Server 2019 Cumulative Update 4


Solution:

As of now, Microsoft has not provided any solution or workaround for this vulnerability.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

NOTE:

Keep an eye on the link below for any changes:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Microsoft Exchange 2013/2016/2019 Security Vulnerability (URGENT)

CVE-2019-0586 | Microsoft Exchange Memory Corruption Vulnerability


Yesterday Microsoft published a KB article about a security threat to Exchange 2013, 2016 and 2019.

The article mentions CU10 and CU11 for Exchange 2016, CU21 for Exchange 2013 and the RTM version of Exchange 2019.

I asked Microsoft whether this issue affects earlier CU versions of Exchange and they confirmed it.

Vulnerability details:

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

Download link:

https://support.microsoft.com/en-us/help/4471389/description-of-the-security-update-for-microsoft-exchange-server-2019

Create a 10-year certificate template for Skype for Business, Exchange Server, etc.

Having a certificate template that lasts for years has become more of a need these days because of the time it takes to renew certificates on the servers that depend on them.

Some servers renew their certificate automatically through GPO auto-enrollment; however, when that doesn't work, or if you don't want to deal with GPO and its headaches, the simplest way is to create a template that lasts for some time and leaves you at peace.

Note that a long-lived certificate (10 years, for example) is not good practice: encryption algorithms change over time and security issues come up every now and then. If you decide to follow this article and create a 10-year template for your servers, you will need to keep an eye on the latest news about certificates, encryption and signature algorithms so that yours do not become exploitable.

To begin, a short story of a company that suffered production outages because of this seemingly tiny problem.

A company called AP had deployed Lync 2013 (now Skype for Business) and decided to use the default CA Web Server template, which is valid for 2 years by default.

This company called me when their Lync servers were all down and PSTN calls were not going through. The first thing that came to my mind was to check the services, and as soon as I saw that the services could not start I checked the Lync section of the event log.

The errors mostly referred to an expired certificate. After renewing the certificates on all servers everything went back to normal, but that meant a long downtime and delayed the company's productivity.

Hence the idea of creating a template that lasts for 10 years. On Exchange this is achieved through the following steps:


On the CA server, find and open the Certification Authority MMC.

Right-click Certificate Templates and click Manage.

In the Certificate Templates console, right-click Web Server and click Duplicate Template.

Select Windows Server 2003 Enterprise.

Enable "Allow private key to be exported".

Grant Enroll to Authenticated Users.

Back in the Certification Authority console, right-click Certificate Templates and click New -> Certificate Template to Issue, then add the template you created to the list.

Web Server V2 is at the top.

Let's check it on the Certsrv IIS page.

The certificate is generated for 5 years. The reason is that the Certification Authority server's own certificate is limited to 5 years: an issued certificate cannot outlive the CA certificate that signs it.

So the CA certificate must be set to a longer validity than the limit requested for the client's certificate.

Extending the Certification Authority's issuing certificate validity period

To change the validity period for the Root CA you can configure a CAPolicy.inf. To create a CAPolicy.inf file that changes the lifetime of the CA certificate to 30 years, type the following into a text file and save it as CAPolicy.inf in the C:\Windows directory:

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=30

Source: <http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx>

After this you will need to renew the CA certificate from the CA console: right-click your certification authority and choose All Tasks -> Renew CA Certificate.

When you click Renew CA Certificate you will get a prompt asking to stop the CA in order to renew its certificate. Click Yes.

Once you click Yes the service stops and you get a window asking whether you would like to generate a new public and private key pair. It is up to you whether to use a new pair or not, but if you choose Yes, clients that trust the old CA certificate may be affected and you might need to deploy the new CA certificate to all clients using GPO.

Click OK.

After clicking OK you will see that the new CA certificate has been generated, and you can then issue client certificates.

To allow the CA to issue certificates with a longer lifetime than the default (2 years) you must run the following commands in a CMD prompt on the CA server.

Run the certutil commands below to change the maximum lifetime of certificates issued by the CA, then restart the service:

certutil -setreg ca\validityperiodunits 30
certutil -setreg ca\validityperiod years
net stop certsvc
net start certsvc

Now when you generate a new certificate for Exchange or any other application, choose the new template, which is valid for 30 years.
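Since the CA certificate caps whatever ca\validityperiod is set to, it helps to see both limits side by side before requesting a long-lived certificate. The function below is an added example, not part of the original post: run on the CA server, it reads the validity values that certutil -setreg wrote to the CertSvc registry key, finds the CA's own certificate in the machine personal store, and reports which of the two limits actually applies. $CaName is an assumption and must be the common name of your CA.

```powershell
# Added example (not from the original post): compare the validity the CA is
# configured to issue with the CA certificate's own expiry, which caps it.
function Get-CaIssuingLimit {
    param([Parameter(Mandatory = $true)][string]$CaName)

    # certutil -setreg ca\ValidityPeriod / ca\ValidityPeriodUnits write under this key
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $cfg = Get-ItemProperty -Path $regPath
    $units = [int]$cfg.ValidityPeriodUnits
    $now = Get-Date
    $configuredEnd = switch ($cfg.ValidityPeriod) {
        'Years'  { $now.AddYears($units) }
        'Months' { $now.AddMonths($units) }
        'Weeks'  { $now.AddDays(7 * $units) }
        'Days'   { $now.AddDays($units) }
        default  { throw "Unexpected ValidityPeriod '$($cfg.ValidityPeriod)'" }
    }

    # The CA's own certificate lives in the machine personal store; take the newest one
    $caCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CaName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($null -eq $caCert) { throw "No certificate with subject CN=$CaName found in Cert:\LocalMachine\My" }

    # Issued certificates are truncated to whichever limit comes first
    $effectiveEnd = if ($caCert.NotAfter -lt $configuredEnd) { $caCert.NotAfter } else { $configuredEnd }

    [pscustomobject]@{
        CaName               = $CaName
        ConfiguredValidity   = "$units $($cfg.ValidityPeriod)"
        ConfiguredEnd        = $configuredEnd
        CaCertNotAfter       = $caCert.NotAfter
        EffectiveEnd         = $effectiveEnd
        CaSignatureAlgorithm = $caCert.SignatureAlgorithm.FriendlyName
    }
}

$limit = Get-CaIssuingLimit -CaName 'YourCAName'   # assumption: replace with your CA's common name
$limit | Format-List
if ($limit.CaCertNotAfter -lt $limit.ConfiguredEnd) {
    Write-Warning "The CA certificate expires before the configured validity; renew it (CAPolicy.inf) first."
}
if ($limit.CaSignatureAlgorithm -match 'sha1') {
    Write-Warning "The CA certificate is signed with SHA-1; move the CA to SHA-2 before issuing long-lived certificates."
}
```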

Corrupted Databases on Exchange 2010/2013/2016 and how to recover with Stellar Phoenix Mailbox Exchange Recovery software review

23 May 2018 By Mohammed Hamada

Exchange administrators go through hard times when servers crash. The reasons for these crashes vary, but the result will most likely be a corrupted database in a dirty shutdown state.

In my work as a senior Exchange consultant I have come across many clients who had power issues or an update that caused their servers to go down and crashed their Exchange servers. Some of them had 20K users in a very busy environment with a huge amount of data being written to their databases.

Most organizations will likely have a backup solution that backs up the database daily, but I have seen that even these organizations still lose data because of their backup interval, which is at minimum around 12 hours. So if a database gets corrupted more than 5 hours after the last backup, there is a disaster.

This is where a recovery solution is a must. Stellar Phoenix Mailbox Exchange Recovery can recover mailbox data that is no longer visible in Exchange but still exists in a backup, for example, or in a corrupted database, since it has a mechanism for rescuing a corrupted database that the Exchange server cannot mount or read.

Installation:

The installation process is pretty straightforward. You can check the demo version and see for yourself how this software reads the database and mailboxes before making any purchasing decisions.

Use of Stellar Phoenix Mailbox Exchange Recovery

Loading a DB into the application shows all mailboxes inside the DB. You can see all the content of each user: calendar, contacts and even the content of mail items.

Menu Navigation

The app is pretty easy to use, as you can see from the main ribbon menu.

To load a corrupted EDB you simply click File > Select EDB and load the DB; once it loads you can navigate through the mailboxes within it.

Exporting Data:

Once the list of users loads, you can choose users, right-click a user and save in whatever file type is convenient for restoring your data. A Save button is also on the ribbon, from which you can save or export the items you require.

Check Data Integrity

Read data from within the application and see for yourself whether the items are still readable. If not, you can still fix the database and restore the damaged or lost data.

Exchange Version Support:

  • Supports MS Exchange Server 2016 / 2013 / 2010 / 2007 / 2003 / 2000 & 5.5

Licensing

You can purchase the license online and receive a registration key or a dongle to register the product, although in the demo you can see most of the features in action.

Main Features

  • Recovers dismounted and offline database files that you think are no longer mountable on an Exchange server
  • Can repair large databases and several databases at the same time
  • Can also export recovered mailboxes from corrupted databases directly to Exchange Online/Office 365
  • Restores mailbox items like emails, contacts, calendars, tasks, etc.
  • Saves recovered database items in different formats, e.g. PST, MSG, EML, HTML, RTF and PDF

To learn more, please visit the vendor's website:

https://www.stellarinfo.com/edb-exchange-server-recovery.htm

Reference: 

https://www.linkedin.com/pulse/corrupted-databases-exchange-201020132016-how-recover-mohammed-hamada/

Useful Powershell script to resolve the X500 address





During a migration, PowerShell can be a crucial tool to succeed, finalize projects within the deadline, or even fix issues.

While working with Exchange we had lots of issues with users unable to send email to migrated colleagues, caused by contacts whose Legacy Exchange DN was not migrated with the user or was lost through a wrong deletion.

When users try to send an email to that particular user with the missing Legacy Exchange DN, the receiving Exchange server returns an error and sends it back to the user as an NDR message explaining that the error is due to not finding that particular address.

The solution to this particular problem is very simple, especially if it's only a couple of users; however, to resolve the address you need to google and understand the encoding that Exchange uses so you can match the originally used address in the missing user's attributes.

The script below worked in whatever situation I faced, and it became very handy to me.

How to use:

1- Copy the script to Notepad and save it as convert.ps1 on the Desktop.

2- Run the script, then type Convert-X500 in PowerShell and hit Enter.

3- Copy and paste the address you got from the error message above.

Once you paste it, hit Enter and you'll get the final result.

Note: Make sure you remove the @domain.local at the end.

Function Convert-X500 {
    # Prompt for the Legacy Exchange DN as it appears in the NDR
    Write-Host "Enter your X500 Address here..." -ForegroundColor Green -BackgroundColor Black
    $X500Source = Read-Host

    # Convert the encoded strings back to the proper X500 syntax
    $X500 = $X500Source.Replace("_", "/")
    $X500 = $X500.Replace("+20", " ")
    $X500 = $X500.Replace("IMCEAEX-", "")
    $X500 = $X500.Replace("+28", "(")
    $X500 = $X500.Replace("+29", ")")
    $X500 = $X500.Replace("+2E", ".")
    $X500 = $X500.Replace("+5F", "_")
    $X500 = $X500.Replace("@YourDC.localHere", "")   # replace with the @domain suffix of your environment

    Write-Host "X500:$X500"
}
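The fixed list of Replace calls only covers the characters it names. As an added example (not the original post's script), here is a generalised version of the same conversion: it decodes any +XX hex escape in the IMCEAEX address and strips whatever @domain suffix is present, so a comma (+2C) or any other escaped character also comes out right. The sample address is constructed for the demonstration and is not from a real organisation.

```powershell
# Added example (not from the original post): general IMCEAEX -> X500 decoder.
function ConvertFrom-ImceaexAddress {
    param([Parameter(Mandatory = $true)][string]$Address)

    $dn = $Address.Trim()
    # Drop the IMCEAEX- prefix and the @domain suffix that Exchange appends
    $dn = $dn -replace '^IMCEAEX-', ''
    $dn = $dn -replace '@[^@]+$', ''
    # In the encoded form every '/' of the DN is written as '_'. Do this before
    # decoding +5F, which is a literal underscore that must survive.
    $dn = $dn.Replace('_', '/')
    # Each +XX is the hex code of one character: +20 space, +28 '(', +29 ')', +2E '.', +5F '_' ...
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    }
    $dn = [regex]::Replace($dn, '\+([0-9A-Fa-f]{2})', $evaluator)
    return "X500:$dn"
}

# Constructed sample of an address as it appears in an NDR (not a real organisation)
$sample = 'IMCEAEX-_O=CONTOSO_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=John+2EDoe+5Fext@contoso.com'
ConvertFrom-ImceaexAddress -Address $sample
```

The returned string can be added to the user's EmailAddresses as-is, since it already carries the X500: prefix.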









Preparing and migrating users and handling contacts between two forests in a Microsoft Exchange cross-forest migration





This article presumes that you have set up all the initial steps for the cross-forest migration to work:

- Configure DNS resolution and trust between the two AD forests.
- Create and configure a Send connector between Source.com and Target.com.
- Create and configure the Availability service between Source.com and Target.com.
- Configure Source.com as an accepted domain in blue.com.
- Install and configure an ADMT server in the target domain Target.com.
- Install and configure the Password Export Server (PES) in the source domain Source.com.
- Configure MRSProxy on the source and target CAS servers (enabling MRSProxy, increasing limits, etc.).
- Configure public certificates on both CAS servers, or install self-signed CA certificates.

For two users in different forests to send email to one another before or during the cross-forest migration, each forest has to have the other forest's users as external contacts in its Exchange environment. This eases finding any particular user in the other organization and avoids X500 errors after the migration.

During the migration this process is critical, and it is very important to keep it up to date so that users included in distribution groups are not messed up before, during and after the user migration from the source to the target forest.

For cross-forest user migration, the user has to be prepared with Microsoft's own Prepare-MoveRequest.ps1 PowerShell script, found in the $exscripts directory, which prepares the target user's attributes (before or after the ADMT copy) for the migration done with the New-MoveRequest cmdlet.

However, before the user is migrated and before running Prepare-MoveRequest, the user object must be mail-user enabled in order to get all the proper attributes for the move request to work. This means the contact has to either be deleted or lose the SMTP address that is going to be enabled on the mail-enabled user.

In a big environment a tool, either a 3rd-party product or a script, must be used to speed up the migration of users; otherwise it would take ages and be a very problematic process.

User Creation:

Using ADMT, then the Prepare-MoveRequest script

Starting with the creation of the target user using ADMT or the Prepare-MoveRequest script: if ADMT is used prior to Prepare-MoveRequest, the target user will have the Exchange attributes migrated and be mail-user enabled by default, but because of some incomplete or incorrect attributes the user will most probably have a corrupted mail user object that needs to be disabled and re-enabled with the proper mail address.

Using Prepare-MoveRequest before ADMT

When using Prepare-MoveRequest first, the user is created in the target forest properly without any issue but will not have their SIDHistory copied, so after the user account is created ADMT must be used to copy the user's SIDHistory with Exchange attributes excluded.

Note:

- This method has an advantage over using ADMT first: users don't have to create a new Outlook profile in order to use their target mailbox after migration.

- You don't have to mail-enable the user.

Mail Enabling User:

The first step for the migration to work is to mail-enable the user in the target forest. Assuming you have a user called Tim@source.com, the user gets his AD object copied to the target forest with ADMT and his UPN changed from tim@source.com to tim@target.local automatically; the user will still get his SIDHistory and the groups he is in, if the groups were migrated before. However, in some rare cases I have seen while doing this kind of project the SIDHistory might not get copied, and you might not notice unless you take a very close look at the log that ADMT generates. In the script attached below, prior to preparing the user for migration, I added a script to bulk check a user list for SIDHistory. The script below will disable the mail user that was migrated with ADMT and show their SIDHistory attribute, so you can double check before you migrate their mailbox.

$Users = Import-Csv -Path "C:\List\List1.csv"
foreach ($User in $Users)
{
    $Identity = $User.Alias
    $UIdentity = $User.Sam
    $Mail = $User.Proxy
    $NProxy = $User.NewProxy
    # Before migration, show whether the user has SIDHistory or not; if not, don't migrate the user
    $UserSID = dsquery * -filter "(&(objectcategory=user)(samaccountname=$Identity))" -attr objectsid sIDHistory
    Write-Host "User $($User.Alias) has $UserSID" -ForegroundColor Green -BackgroundColor Black
}

The CSV file format for this PowerShell script should be as follows; I will explain why in detail below:

Alias,Proxy,NewProxy,NewIdentity
Alias,MailAddress@domain.com,MailAddress@domain.local,NewIdentity

In order for Prepare-MoveRequest to work we have to mail-user enable this user with the following command:

Enable-MailUser -Identity SamAccountName -ExternalEmailAddress PrimarySMTPAddress

Enable-MailUser -Identity Tim -ExternalEmailAddress tim@domain.com

The user is now ready for the Prepare-MoveRequest script to work and copy his source Exchange attributes to the target.

Prepare-MoveRequest for Single mailbox:

The Prepare-MoveRequest PowerShell script is pretty easy to use for a single user: all you need is to store the target and remote credentials in variables to use with the command.

Once you run the script it copies the source user's Exchange attributes including proxy addresses, converts the LegacyExchangeDN into an X500 address in the target user's mail user object so that users in the source forest don't get any cache issues reaching the migrated user, and sets other attributes like DisplayName, MailNickName, etc., as in the screenshot below.

The script is as follows:

$TargetCredentials = Get-Credential

$RemoteCredentials = Get-Credential

.\Prepare-MoveRequest.ps1 -Identity UPN@targetdomain.com -RemoteForestDomainController "SourceDCHostname.SourceDC.local" -RemoteForestCredential $RemoteCredentials -LocalForestDomainController "TargetDCHostname.TargetDC.local" -LocalForestCredential $TargetCredentials -TargetMailUserOU "OU=DestinationOU,DC=TargetDC,DC=local" -UseLocalObject -OverwriteLocalObject -Verbose

Prepare-MoveRequest for Bulk mailboxes:

For bulk users the script is simpler, but for it to work you need to prepare a CSV file that meets the requirements of the PowerShell script.

Bulk Users Script:

cd $exscripts
Write-Host "Starting to Prepare-MoveRequest for users in your CSV List...." -ForegroundColor Green -BackgroundColor Black

Import-Csv C:\Identity\Identity_1.csv | .\Prepare-MoveRequest.ps1 -RemoteForestDomainController "SourceDCHost.SourceDC.local" -RemoteForestCredential $RemoteCredentials -UseLocalObject -OverwriteLocalObject -Verbose

CSV Example:

Alias,Proxy,NewProxy,NewIdentity
Alias,MailAddress@domain.com,MailAddress@domain.local,NewIdentity


Moving Users

Moving Single Mailbox:

After preparing the move request, the only thing left to do is to move the users. This process is pretty easy and only one command line is used.

[PS] C:\Exchange 2010\scripts>New-MoveRequest -Identity "outlook.test@SourceSMTPDomain.com" -RemoteHostName "webmail.SourceOwaUrl.com" -Remote -RemoteCredential $RemoteCredentials -TargetDatabase DestinationDB1 -TargetDeliveryDomain SourceSMTPAcceptedDomain.com

Moving Multiple Mailboxes:


Import-Csv C:\Identity\Identity_15.csv | New-MoveRequest -RemoteHostName "webmail.calikenerji.com" -Remote -RemoteCredential $RemoteCredentials -TargetDatabase CEDB12 -TargetDeliveryDomain calikenerji.com

CSV Example:

Identity
Outlook.user@SourceSMTPDomain.com
Outlook.user2@SourceSMTPDomain.com
Outlook.user3@SourceSMTPDomain.com

Once the list is ready and you run the script, the target CAS server connects to the source CAS and starts the migration, as in the following screenshot.

Once the user migration is finished, the user in the source forest is converted to a mail user so that non-migrated users in the source forest can still send emails to this user. However, the groups in the target forest must be manually maintained and updated with the users being migrated.

- Contacts issue

In the target forest those two migrated users already existed as contacts prior to migrating them.

Target-forest users who have sent those two users email have the LegacyExchangeDN of those contacts cached in their Outlook in X500 format, which will create an issue if those contacts are deleted without exporting their LegacyExchangeDN and adding it to the migrated users' ProxyAddresses attribute.

Prior to deleting those contacts, I exported their info from the target forest to CSV with the following attributes: Name, Alias, PrimarySMTPAddress and LegacyExchangeDN, using the following PowerShell command:

Get-MailContact -ResultSize Unlimited | Where-Object { $_.PrimarySmtpAddress -like "*@TargetSMTPDomain.com" } | Select-Object Name, Alias, PrimarySmtpAddress, legacyExchangeDN | Export-Csv c:\TargetContacts.csv -NoTypeInformation -Encoding UTF8

The command exports contacts in the following format; to import them you need to bulk edit the file using Notepad or Notepad++.

In Notepad, replace "/o= with X500:/o=

and replace all " with nothing.

After you save the file, and only in the case of migrating source users to the target forest, use the following script in the target forest to import those users' LegacyExchangeDN as an X500 address on their migrated mailbox objects.

Import-Csv "C:\TargetContacts.csv" | ForEach-Object { Set-Mailbox -Identity $_.Name -EmailAddresses @{ Add = $_.LegacyExchangeDN } }
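The Notepad edits can be avoided entirely, because Import-Csv already strips the CSV quoting around the DN and the X500: prefix can be added in the script. The function below is an added example, not the post's own one-liner: it reads the CSV exported by Get-MailContact above, matches the mailbox on Name as the one-liner does, skips rows whose DN is missing or whose mailbox already carries the address (so it can be re-run safely), and supports a -WhatIf dry run. It assumes the export columns Name,Alias,PrimarySmtpAddress,legacyExchangeDN and an Exchange Management Shell session.

```powershell
# Added example (not from the original post): import LegacyExchangeDN values from
# the contacts export as X500 proxy addresses on the migrated mailboxes.
function Import-LegacyDnAsX500 {
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [switch]$WhatIf
    )
    Import-Csv -Path $CsvPath | ForEach-Object {
        $row = $_
        # Import-Csv already removes the CSV quoting; Trim('"') only guards a hand-edited file
        $legacyDn = ([string]$row.legacyExchangeDN).Trim().Trim('"')
        if ($legacyDn -notlike '/o=*') {
            Write-Warning "$($row.Name): LegacyExchangeDN missing or malformed, skipping"
            return
        }
        $x500 = "X500:$legacyDn"

        # Match on Name, as the original one-liner does
        $mailbox = Get-Mailbox -Identity $row.Name -ErrorAction SilentlyContinue
        if ($null -eq $mailbox) {
            Write-Warning "$($row.Name): no mailbox found in the target forest, skipping"
            return
        }
        # Skip addresses that are already present so the script can be re-run safely
        $existing = $mailbox.EmailAddresses | ForEach-Object { $_.ToString() }
        if ($existing -contains $x500) {
            Write-Host "$($row.Name): already has $x500"
            return
        }
        Set-Mailbox -Identity $mailbox.Identity -EmailAddresses @{ Add = $x500 } -WhatIf:$WhatIf
        Write-Host "$($row.Name): added $x500" -ForegroundColor Green
    }
}

# Dry run first, then apply
Import-LegacyDnAsX500 -CsvPath 'C:\TargetContacts.csv' -WhatIf
Import-LegacyDnAsX500 -CsvPath 'C:\TargetContacts.csv'
```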

Hope this helps and if you have any questions in mind please don’t hesitate to contact me at info@moh10ly.com or call me 320-200-9663.

Mohammed JH









Exchange 2010 CrossForest group Migration





In an Exchange cross-forest migration, distribution groups can be a very painful part that causes loss of time, lots of issues and continuous headache if not solved in a timely manner.

The migration can be a long, boring process that needs to be as accurate as possible to avoid any issue with the group members and/or the group's primary SMTP details.

While doing a cross-forest migration I came across this headache and tried to find a script that would satisfy my migration's requirements, but the only thing I found was the export PowerShell script by Satheshwaran Manoharan.

Export Process:

The script exports all groups and their members from the source forest, but there is no option to import them, so I had to write my own script.

To make use of this script, first make sure that you have migrated the groups with ADMT in the recommended order; otherwise the migration would be problematic:

  • First: Universal Groups
  • Second: Global Groups
  • Third: Domain Local Groups

Once the groups are migrated to the target forest you can check how they look in the Exchange Management Shell and whether they have members added or an SMTP address set.

Checking showed that the group is empty and has no primary SMTP address associated with it.

Import Process:

Since this is a hybrid/coexistence migration rather than a cutover, it took time to migrate users, so to add members during the migration I have to add non-migrated users as external contacts to the distribution groups in the target forest and migrated users as mailbox users.

Then, after adding the users, I have to set the primary SMTP address for the groups according to the CSV file exported from the source forest.

To import users, I had to set up a CSV file with the following format. In this format, DisplayName, Alias, RecipientType and PrimarySMTPAddress belong to the user object that is a member of the group, while Dgroup is the distribution group's alias and DGSMTP is the group's primary SMTP address.

The following script imports group members into their respective groups:

#########################################################################################
# If the user type is UserMailbox then it is in the target forest as a contact          #
#########################################################################################
$Users = Import-Csv "C:\Groups\dgs.csv"
foreach ($User in $Users) {
    $GroupAlias = $User.Dgroup
    $GroupSMTP = $User.DGSMTP
    if ($User.RecipientType -match "UserMailbox") {
        # PrimarySMTPAddress is the member's address column described above
        Add-DistributionGroupMember -Identity $GroupAlias -Member $User.PrimarySMTPAddress -BypassSecurityGroupManagerCheck
        Write-Host "$($User.Alias) has been added to the group $($User.Dgroup)" -ForegroundColor Green -BackgroundColor Black
    }
}

Fixing Distribution Groups Primary SMTP Address:

Since distribution groups are mostly imported without a primary SMTP address by ADMT, we also have to fix this for our groups. But what if the destination forest has similar groups or the SMTP address is already in use? To avoid any mistake when associating the primary SMTP address, I created a script that checks for distribution groups with a null primary SMTP address and copies the SMTP address to those groups, avoiding any overwrite or change of existing destination distribution groups.


#########################################################################################
# Set up groups with their primary SMTP address                                         #
#########################################################################################
$Groups = Import-Csv "C:\Groups\Group_test.csv"
foreach ($Group in $Groups) {
    $GroupAlias = $Group.dgroup
    $GroupSMTP = $Group.DGSMTP
    # Current primary SMTP address of the group in the target forest (empty string if none)
    $Current = [string](Get-DistributionGroup $GroupAlias | ForEach-Object { $_.PrimarySmtpAddress })
    if ($Current -eq $GroupSMTP) {
        Write-Host "Group $GroupAlias already has $GroupSMTP set up as primary SMTP address" -ForegroundColor Yellow -BackgroundColor Red
    } else {
        Set-DistributionGroup -Identity $GroupAlias -PrimarySmtpAddress $GroupSMTP -EmailAddressPolicyEnabled $False
        Write-Host "Group $GroupAlias has $GroupSMTP set up as primary SMTP" -ForegroundColor Green -BackgroundColor Black
    }
}


The script checks whether the group's primary SMTP address matches the one in the CSV file; if it doesn't, it sets the primary SMTP address for that group and reports it in green, as in the screenshot below.

You can use this script with the same CSV file that you use for adding members to the groups. If the group's SMTP address already exists you get the following error.










Get all mailbox Exchange Servers IP address remotely





Sometimes in Exchange projects in big environments with more than 10 or 15 servers we need to quickly get a particular server's hostname or IP.

I created a simple PowerShell script that does the work for you:

# Get all mailbox Exchange servers' IP addresses remotely

# Import the Exchange Management Shell snap-in if run from plain PowerShell
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Find servers holding the Mailbox role (-match also catches multi-role servers)
$Servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match "Mailbox" }

# Print server name and IP
foreach ($Server in $Servers) {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" -ComputerName $Server.Fqdn |
        Select-Object -Property IPAddress, PSComputerName, Description
}









Configure Proxy addresses (SMTP) to all the users in OU using SAM Account and a Public Domain on Active Directory

This PowerShell script looks at the ProxyAddresses attribute of your Active Directory users and, if it is empty, sets it to a primary SMTP address built from the user's SamAccountName plus the domain you configure in the script.

## READY

Import-Module ActiveDirectory

Write-Host "If the user's ProxyAddresses attribute is empty, the script will add a proxy address.." -ForegroundColor Yellow

$proxydomain = "@PublicDomain.com"        # Specify the domain you'd like to add as the user's primary SMTP address
$userou = "OU=Test,DC=moh10ly,DC=com"     # Specify the OU where you want the script to work in your AD

# Only users whose ProxyAddresses attribute is empty
$users = Get-ADUser -Filter { ProxyAddresses -notlike "*" } -SearchBase $userou -Properties SamAccountName, ProxyAddresses, givenName, Surname

foreach ($user in $users) {
    Write-Host $user.DistinguishedName
    # Upper-case SMTP: marks the primary address
    Set-ADUser -Identity $user.SamAccountName -Add @{ ProxyAddresses = "SMTP:$($user.SamAccountName)$proxydomain" }
    Write-Host "ProxyAddress is set" -ForegroundColor Green -BackgroundColor Black
}

### for Mail Attribute ###

## READY
Import-Module ActiveDirectory

$proxydomain = "@Publicdomain.com"
$userou = "OU=Test,DC=moh10ly,DC=com"

Write-Host "Set user's mail attribute to $proxydomain" -ForegroundColor White

$users = Get-ADUser -Filter * -SearchBase $userou -Properties SamAccountName, ProxyAddresses, givenName, Surname, mail

foreach ($user in $users) {
    Write-Host $user.mail
    # -Replace overwrites any existing mail value
    Set-ADUser -Identity $user.SamAccountName -Replace @{ mail = "$($user.SamAccountName)$proxydomain" }
    Write-Host "mail attribute is set" -ForegroundColor Green -BackgroundColor Black
}