Tag Archives: Exchange

Microsoft Exchange 2013–2016-2019 Security Vulnerability (URGENT)

CVE-2019-0586 | Microsoft Exchange Memory Corruption Vulnerability

image

Yesterday Microsoft has published an KB article about a security threat to Exchange 2013-2016 and 2019.

The article mentions CU10-CU11 for Exchange 2016, CU21 for Exchange 2013 and RTM version of Exchange 2019 as well.

I spoke to Microsoft of whether this issue affects earlier CU versions for Exchange and they confirmed it

 

image

Vulnerability details:

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

 

Download link:

https://support.microsoft.com/en-us/help/4471389/description-of-the-security-update-for-microsoft-exchange-server-2019

 

Install Exchange 2019 Core using PowerShell

You probably already know that Exchange 2019 RTM has been released and even CU1 is about to come too.

But what’s interesting about 2019 is that it has a lot of new features, some that lot of people wanted to have in legacy versions especially for security, performance, resiliency and scalability.

image

As per Microsoft Security has been improved to suit the needs of corporations removing all vulnerable ciphers and follow best practices.

Security: Exchange Server 2019 requires Windows Server 2019. In fact, we recommend installing Exchange Server 2019 onto Windows Server 2019 Server Core. Exchange Server 2019 installed on Windows Server 2019 Core provides the most secure platform for Exchange. You also have the option of installing Exchange 2019 onto Windows Server 2019 with Desktop Experience, but we have worked hard to make sure running Exchange on Server Core is the best choice for our code.

We’re aware all media for Windows Server 2019 and Windows Server, version 1809 has been temporarily removed and Microsoft will provide an update when refreshed media is available. Exchange Server 2019 will be fully compatible with version 1809, and the refreshed version.

We also built Exchange Server 2019 to only use TLS 1.2 out of the box, and to remove legacy ciphers and hashing algorithms. To understand how this affects coexistence with earlier versions, please reference our previous series of postson TLS.

Regarding Performance, Microsoft has released the following statement:

Performance: We’ve done significant work to allow Exchange Server to take advantage of larger core and memory packed systems available in market today. With our improvements, Exchange Server can use up to 48 processor cores and 256GB of RAM.

We’ve re-engineered search using Bing technology to make it even faster and provide better results, and in doing so have made database failovers much faster, and administration easier.

We’re adding dual storage read/write capabilities to Exchange Server 2019 using Solid State Drive (SSD) technology to provide a super-fast cache of key data for improving end user experience. We also talked about this in our Email Search in a Flash! Accelerating Exchange 2019 with SSDs session at Ignite.

We also changed the way database caching works to allocate more memory to active database copies, again improving the end user experience. You can learn more about Dynamic Database Cache from Welcome to Exchange Server 2019!video and slides.

The improvements we have made to Exchange Server 2019 will enable you to scale to a larger number of users per server than ever before, use much larger disks, and see the latency of many client operations being cut in half.

Installation:

Installing Exchange 2019 on Core is something that’s been recently supported, along with other features like in-place upgrade from Exchange 2016 to Exchange 2019.

In this guide we’ll go through the process of installing Exchange 2019 using PowerShell starting from naming the server, joining it to the domain and installing prerequisites of Exchange 2019.

Configuring Static IP address:

In order to give a static IP address to the machine from Windows Core we’ll be using the following script:

Assuming you have subnet 192.168.18.0 with mask /24 and gateway 192.168.18.1. we will use the below script to provide the machine with an IP.

$wmi = Get-WmiObject win32_networkadapterconfiguration -filter “ipenabled = ‘true'”

$wmi.EnableStatic(“192.168.18.69”, “255.255.255.0”)

$wmi.SetGateways(“192.168.18.1”, 1)

$wmi.SetDNSServerSearchOrder(“192.168.18.150”)

 

clip_image001

Join Domain

Exchange must be part of the domain which you’re using in your lab / Production environment. next we’ll be joining this machine to our domain using the following script:

First we’ll change the hostname, restart and then join the domain

clip_image001[4]

Change Computer name:

Rename-Computer -NewName “Exch2019” -DomainCredential WIN-EPM2CRB5MN9\administrator –Restart

clip_image001[6]

Join the domain

add-computer –domainname cloud-tech.net -Credential cloud-tech\administrator -restart –force

clip_image001[9]

After restarting

clip_image001[11]

Configuring Drives:

Since I am doing a lab test only, I will use the default C drive to install Exchange, but if you’d want to configure a second Drive please let me know and I will add that part as well.

clip_image001[13]

Diskpart

List volume

clip_image002

clip_image003

 

Installing Prerequisites – Exchange 2019 on Windows 2019 Core

Prerequisites

​EX2019 will require 2012R2 AD FFL​

Check out your windows Version first for compatibility

[System.Environment]::OSVersion.Version

clip_image001[15]

clip_image002[4]

 

 

 

 

 

GUI Version of Windows 2019

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

 

 

Windows 2019 Core

Install-WindowsFeature RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Metabase, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, RSAT-ADDS, Server-Media-Foundation

clip_image003[4]

clip_image004

After installing prerequisites, Installing UCMA

For UCMA on Windows Core you need to get a certain UCMA customized in order to work with Windows 2019 core.

http://tapfiles.azureedge.net/private/UCMA.zip?sv=2014-02-14&ss=2018-03-14T21%3A59%3A22Z&se=2019-01-01T22%3A58%3A56Z&sp=r&sr=b&sig=tgpQ84Wp3j%2FZmEOgPcdjcXgULLXMRX%2BDmCjoSbKOZbM%3D

After Extracting and copying the file to the C root drive

The setup file is called Ironmansetup.exe

clip_image005

clip_image006

clip_image007

clip_image008

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

After the Installation of UCMA, there will be another requirement,

Visual C++ Redistributable Packages for Visual Studio 2013

https://www.microsoft.com/en-us/download/details.aspx?id=40784

clip_image009

clip_image010

.\setup.exe /InstallWindowsComponents /CustomerFeedbackEnabled:False /LogFolderPath:C:\Logs\db4 /DbFilePath:C:\Mailbox\Database01\Database01.edb /MdbName:Database01 /DisableAMFiltering /IAcceptExchangeServerLicenseTerms /roles:mb,mt

 

clip_image011

 

clip_image015

clip_image016

clip_image017

clip_image018

clip_image019

 

 

Setting URLS

clip_image001[17]

I will be upgrading this with the latest Windows 2019 releases since this installation was done with Microsoft Windows 2019 Preview edition

For any consultation requirements please contact me admin@moh10ly.website or info@moh10ly.com

Thank you

Corrupted Databases on Exchange 2010/2013/2016 and how to recover with Stellar Phoenix Mailbox Exchange Recovery software review

23 May 2018 By Mohammed Hamada

Exchange administrators go through hard times when servers crash, Reason of these crashes can vary but the result will most likely be a corrupted Database with dirty shutdown status.

In my case as an Exchange Senior Consultant I came through many clients who have had power issues or an update that cause their Servers to go down and crash Exchange servers. Some of them had 20K users with a very busy environment and huge amount of data being written on their databases.

Most organizations will likely have backup solution which backs up the database on daily basis but I have seen that even these kind of organizations will still lose data due to the interval of data backup they have which is around minimum of 12 hours. so if a database gets corrupted in +5 over the past backup then there would be a disaster.

This where recovery solution is a must, Stellar Phoenix Mailbox Exchange Recovery have the capability to recover data in the mailbox which is no longer visible on Exchange but it is still on a backup for example or from a corrupted database since has the mechanism of rescuing a corrupted database which can’t be mounted or read by Exchange server.

Installation:

The installation process is pretty straight forward. You can check the demo version and see for your self how that this software can read the database and mailboxes prior to make any decisions on purchasing.

image

image

image

image

image

image

image

image

Use of Stellar Phoenix Mailbox Exchange Recovery

Loading a DB into the application will show you all mailboxes inside the DB, You can see all the content of each user, their calendar, contacts and even mail items‘s content.

Menu Navigation

The use of the app is pretty easy as you can see from the main ribbon menu below:

To load a corrupted EDB you simply click File > Select EDB and load the DB then once it loads you’ll be able to navigate through the mailboxes within the DB

image

Exporting Data:

Once the list of users loads, you can choose users then right click on the user and save button as whatever file type that’s convenient for you to restore your data. The Save button is also added to the ribbon from which you can save or export the items you require. 

image

Check Data Integrity

Read data from within the application and see for yourself if the items are still readable. If not then you still can fix the database and restore the damaged or lost data.

image

Exchange Version Support:

  • Supports MS Exchange Server 2016 / 2013 / 2010 / 2007 / 2003 / 2000 & 5.5

Licensing

You can purchase the license online and will receive a registration key or a dongle to register the product, although in the demo you can see most of the features in action.

Main Features

  • Recovers Dismounted & Offline Database files which you think are no longer mountable on Exchange server
  • The ability to repair large databases and several databases at the same time.
  • You can also exports recovered Mailboxes from corrupted databases directly to Exchange Online/Office 365.
  • Restores Mailbox items like emails, contacts, calendars, tasks etc.
  • Allows saving recovered database items in different formats e.g.  PST, MSG, EML, HTML, RTF & PDF formats

To learn more, Please visit the vendor’s website

https://www.stellarinfo.com/edb-exchange-server-recovery.htm

Reference: 

https://www.linkedin.com/pulse/corrupted-databases-exchange-201020132016-how-recover-mohammed-hamada/

Hosted Exchange 2013 Tenant setup step by step

 

Starting with Exchange 2013 Hosted .. this is a brief article about how to setup Tenants correctly step by step

1- Create OU

Create New-ADOrganizationalUnit -Name Test10 -Path ou=test10,OU=ExchHosting,DC=lab,DC=com

clip_image001[6]

2- Set OU’s UPN

set-adforest -identity exch01.lab.com -UPNSuffixes @{add=”test10.com”}

clip_image002[6]

Moving to Exchange Management Shell

3- create accepted domain on Exch

New-AcceptedDomain -Name “test10” -DomainName test10.com -DomainType:authoritative

clip_image003[6]

clip_image004[6]

4- Create address book

New-GlobalAddressList -Name “test10 – GAL” -ConditionalCustomAttribute1 “test10” -IncludedRecipients MailboxUsers -RecipientContainer “ou=test10,OU=ExchHosting,DC=lab,DC=com”

clip_image005[6]

Note:

Address books once created is virtually separated (That means you don’t have to do anything to separate Address books unless you want them to see each other)

https://technet.microsoft.com/en-us/library/hh529948(v=exchg.150).aspx

clip_image006[6]

  1. If needed then create All Rooms Address List

New-AddressList -Name “Test10 – All Rooms” -RecipientFilter “(CustomAttribute1 -eq ‘test10’) -and (RecipientDisplayType -eq ‘ConferenceRoomMailbox’)” -RecipientContainer “ou=test10,OU=ExchHosting,DC=lab,DC=com”

clip_image007[6]

6- And time to create All Users Address List

New-AddressList -Name “Test10 – All Users” -RecipientFilter “(CustomAttribute1 -eq ‘Test10’) -and (ObjectClass -eq ‘User’)” -RecipientContainer “ou=test10,OU=ExchHosting,DC=lab,DC=com”

clip_image008[6]

7- The All Contacts Address List

New-AddressList -Name “Test10 – All Contacts” -RecipientFilter “(CustomAttribute1 -eq ‘Test10’) -and (ObjectClass -eq ‘Contact’)” -RecipientContainer “ou=test10,OU=ExchHosting,DC=lab,DC=com”

clip_image009[6]

8-The All Groups Address List

New-AddressList -Name “Test10 – All Groups” -RecipientFilter “(CustomAttribute1 -eq ‘Test10’) -and (ObjectClass -eq ‘Group’)” -RecipientContainer “ou=test10,OU=ExchHosting,DC=lab,DC=com”

clip_image010[6]

9-Now for something quite useful: Offline Address Book

New-OfflineAddressBook -Name “Test10” -AddressLists “Test10 – GAL”

clip_image011[6]

  1. Mail address policy

New-EmailAddressPolicy -Name “Test10 – EAP” -RecipientContainer “ou=test10,OU=ExchHosting,DC=lab,DC=com” -IncludedRecipients “AllRecipients” -ConditionalCustomAttribute1 “Test10” -EnabledEmailAddressTemplates “SMTP:{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}g.{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}s@test10.com”,”smtp:{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}m@test10.com” -EnabledPrimarySMTPAddressTemplate “SMTP:{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}g.{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}s@test10.com”

clip_image012[6]

Set current enabled mail in the test10 organization’s smtp address to test.com

Set-EmailAddressPolicy -Identity “Test10 – EAP” -EnabledPrimarySMTPAddressTemplate “SMTP:{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}g.{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}s@test10.com”

clip_image013[6]

If you’re connected from the Normal Exchange management shell you’ll normally get an error stating that users don’t exist on your Active Directory which is normal since the session you’re connected to is connected to the top forest users and can’t see the address book that’s isolated from other tenants.

clip_image014[6]

You will need to open Powershell (not Exchange management Shell) and use the following cmdlet

Let’s connect to exchange, but before we have to add one of our Organization test10 users to the Organization Management Group in order to be able to administer his organization

$cred = get-credential

$Session = New-PSSession -Authentication basic -Credential $cred -ConnectionUri https://mr.moh10ly.website/PowerShell/ -ConfigurationName Microsoft.Exchange -AllowRedirection

Import-PSSession $Session

clip_image015[6]

clip_image016[6]

clip_image017[6]

11- Address book policy

Now we need to create the Address Book Policy

New-AddressBookPolicy -Name “Test10” -AddressLists “Test10 – All Users”, “Test10 – All Contacts”, “Test10 – All Groups” -GlobalAddressList “Test10 – GAL” -OfflineAddressBook “Test10” -RoomList “Test10 – All Rooms”

clip_image018[6]

12- Optional

New-Mailbox -Name ‘Test10 Conference Room 1’ -Alias ‘test10_conference’ -OrganizationalUnit ‘ou=test10,OU=ExchHosting,DC=lab,DC=com’ -UserPrincipalName ‘test10conf1@test10.com’ -SamAccountName ‘test10_conference’ -FirstName ‘Conference’ -LastName ‘Room 1’ -AddressBookPolicy ‘Test10’ -Room

clip_image019[6]

To mark this conference room for the tenant test10 I’ll have to use this cmdlet otherwise it won’t show in the address book of test 10

Set-Mailbox test10_conference -CustomAttribute1 ‘Test10’

clip_image020[6]

Set calendar settings for the conference room we have just created as following

Set-CalendarProcessing -Identity test10_conference -AutomateProcessing AutoAccept -DeleteComments $true -AddOrganizerToSubject $true -AllowConflicts $false

clip_image021[6]

13- Create mailboxes

$c = Get-Credential

New-Mailbox -Name ‘Mohammed Test’ -Alias ‘test10_mohammed’ -OrganizationalUnit ‘ou=test10,OU=ExchHosting,DC=lab,DC=com’ -UserPrincipalName ‘mohammed@test10.com’ -SamAccountName ‘test10_mohammed’ -FirstName ‘Mohammed’ -LastName ‘HAmada’ -Password $c.password -ResetPasswordOnNextLogon $false -AddressBookPolicy ‘Test10’

clip_image022[6]

Now once I use this script the user will be created and you’ll be able to see In from the ECP

clip_image023[6]

But you won’t be able to see the user in the address book of the tenant since we didn’t apply the tenant which this user belongs to

clip_image024[6]

To do so we’ll have to use the following CMDLET

Set-Mailbox arthas@test10.com -CustomAttribute1 “Test10”

clip_image025[6]

clip_image026[7]

Changing Proxy Address for local AD users

If your Exchange users have problem with Active Sync’s Autodiscover configuration or you’re intending to configure a Hybrid configuration with Microsoft office 365 Exchange Online or Your Lync/Skype for business users are having troubles signing in right after you enable users from the Lync/SfB Panel then this article is for you.

Note: For Lync you’d want to change Account (UPN) Instead of the Proxy Address Attribute for users. For each scenario it might be a different case.

Assuming that I have the following domain list, and I want to add them to my AD user’s proxy address attribute so they can use it as SMTP address

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain1.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain2.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain3.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain4.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain5.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@cardtekcloud.onmicrosoft.com

First to add main SMTP address we’ll use the attribute {308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain.com

Next to add alternative Proxy addresses we’ll use

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@domain.com

image

I’ll open ADModify.net app and select the organization that I would like to apply the changes for

I’ll select Domain from the domain list. Then choose the Domain controller and choose only to show users

Click on the green Next button then click Add to List then click Next under the user to continue

clip_image002

I’ll navigate to Email addresses tab to do the changes and place the domain that I would like to use.

I’ll enter whatever domain and use sAMAccountName since it matches the user’s Email address .

IMPORTANT NOTE:

It’s very important to notice that if you’d like to change the domain in the Proxy Address . You ‘ll need to choose an attribute that matches the user’s existing Proxy address username ..

clip_image003

clip_image004

clip_image005

To add the other domains e.g. domain2, domain3 ..etc I’ll follow the exam same steps just change the end @domain2.com.

That should be all. If you have any questions please don’t hesitate to contact me or comment.

Deploying Azure RMS with Exchange 2010 and Exchange 2013 on-premises and in Hybrid Environment with Exchange online

In this post I am going to demonstrate how to integrate Office 365 RMS (Basic) with Office 365 Exchange online in Hybrid Environment with Exchange 2013 and Exchange 2010 in the same organization and then I’ll activate Azure RMS to deploy a new template and apply it on my on-premises Exchange servers.

To do this, you will need

1- an active Office 365 subscription with Exchange online.

2- Azure Subscription.

3- One Public IP to publish RMS URL.

4- Access to your public domain’s DNS to create the RMS A record.

5- Public Certificate that includes the RMS SAN in order to work with Azure RMS.

 

Starting with the deployment I will start by Introducing a small summary of what’s RMS from MS KB article.

 

1- AZURE RMS in Exchange Hybrid deployment:

Overview of the Microsoft Rights Management connector

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations. You can use this connector even if some of your users are connecting to online services, in a hybrid scenario. For example, some users’ mailboxes use Exchange Online and some users’ mailboxes use Exchange Server. After you install the RMS connector, all users can protect and consume emails and attachments by using Azure RMS, and information protection works seamlessly between the two deployment configurations.

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

Applications that support Azure RMS

From <https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedApplications>

Requirements for Azure Rights Management

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

Prerequisites for the RMS connector

  1. The Rights Management (RMS) service is activated

clip_image001[4]

Click Manage

clip_image002[4]

Click Activate

clip_image003[4]

Click Activate

clip_image004[4]

clip_image005[4]

Activated

2. Second Requirement: Organization must have Azure AD and AADSync enabled with local AD.

clip_image001[6]

I’ll activate Azure AD in order to support user authentication for RMS.

clip_image002[6]

Azure RMS templates

clip_image003[6]

3. Third Requirement: Clients must support RMS (Windows)

https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedDevices

clip_image004[6]

4. Users must run applications that support RMS.

https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedApplications

5. Firewall must be enabled for RMS

Check ports and IPs

https://support.office.com/en-US/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Note:

The following deployment scenario is not supported:

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

6. RMS Licenses:

Cloud subscriptions that support Azure RMS

To use Azure RMS, you must have at least one of the following subscriptions:

  • Office 365
  • Azure RMS Standalone
  • Enterprise Mobility Suite
  • RMS for individuals

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

Note: In Enterprise Plan 3 RMS already exists with basic access

clip_image001[8]

Subscription to use (Office 365 or Azure RMS) and control RMS templates

Azure AD

If you want to manage and control RMS templates you’ll need to have Azure Subscription where you can manage the templates of your Azure AD.

Office 365

If you only have Office 365 subscription and you don’t want to activate your azure AD then you won’t have access to the templates to configure new templates.

clip_image002[8]

 

7. Integration of Azure RMS with Exchange 2013 On-premises (With Exchange 2010) and Hybrid integration with Exchange online

Windows Requirements

You will also need to install on these servers, a version of the RMS client that includes support for RMS Cryptographic Mode 2. The minimum version that is supported in Windows Server 2008 is included in the hotfix that you can download from RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008. The minimum version for Windows Server 2008 R2 can be downloaded from RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2. Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

Exchange Requirements

Note:

To Use RMS with Exchange 2010 you will need Exchange 2010 SP3 RU6 installed and for Exchange 2013 you’ll need CU3 or Later (Build 15.00.0775.038).

  • Exchange Server 2010 with Exchange 2010 Service Pack 3 Rollup Update 6

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

My Servers

My Exchange 2010 server (Exch01) has SP3 but no RU installed. So I’ll install the latest RU since it includes all the previous rollups already.

http://go.microsoft.com/fwlink/p/?LinkId=616365

clip_image001[10]

Exchange 2013 Server has CU8 installed so I don’t need to install anything on it.

clip_image002[10]

Requirements to Install RMS connector

A- A minimum of two member computers on which to install the RMS connector:

  • A 64-bit physical or virtual computer running one of the following operating systems:
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
  • At least 1 GB of RAM
  • A minimum of 64 GB of disk space
  • At least one network interface
  • Access to the Internet via a firewall (or web proxy) that does not require authentication
  • Must be in a forest or domain that trusts other forests in the organization that contain installations of Exchange or SharePoint servers that you want to use with the RMS connector

From <https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_Prereqs>

B- Download the RMS connector tool from http://go.microsoft.com/fwlink/?LinkId=314106

clip_image003[8]

clip_image004[8]

clip_image005[6]

clip_image006[4]

clip_image007[4]

clip_image008[4]

clip_image009[4]

Validating installation if successful or not by navigating to the below link on the server where RMS connector is installed.

A successful installation will show the below screenshot.

http://localhost/_wmcs/certification/servercertification.asmx

clip_image001[12]

clip_image002[12]

clip_image003[10]

clip_image004[10]

clip_image005[8]

Configuring DNS for the URL

Configure the Exchange servers on premises to use Windows Azure Active Directory via the newly installed connector.

clip_image006[6]

In order to setup the URL on Exchange 2013, you must download the script GenConnectorConfig.ps1 on Exchange 2013 Server and run it as following

Download Link

http://go.microsoft.com/fwlink/?LinkId=314106

clip_image007[6]

I have published the RMS on my Pfsense Firewall (Reverse proxy) and I am able to browse to the page… (not able to authenticate though because I selected only Exchange servers group for authentication.

clip_image008[6]

Now I will run the same script on Exchange 2010 but will change the parameter

.\GenConnectorConfig.ps1 -ConnectorUri http://rms.adeo-office365.ga -SetExchange2010

clip_image009[6]

Now Enable Information Rights Management on Exchange on-premises Servers

In Microsoft Exchange Server 2013, Information Rights Management (IRM) is enabled by default for internal messages.

From <https://technet.microsoft.com/en-us/library/bb124077(v=exchg.150).aspx>

(NOTE: Seems that Microsoft is wrong about the IRM enabled by default for Internal messages as the InternalLicensingEnabled is set to False on my Exchange 2013 server).

clip_image010[4]

Now On Exchange 2013 ECP I’ll check if the RMS is there or not!

clip_image011[4]

I will create a new transport rule as following

clip_image012[4]

If I am the recipient, I will be allowed to only view the email … let’s see this after we apply it

I have sent an email and it seems that the email has been encrypted and is asking me for my email confirmation or Phone number.

clip_image013[4]

Trying to take a screenshot of the Email, It seems that the RMS is working perfectly since part of the view only permission is not taking screenshots of Outlook while the RMS is enabled.

clip_image014[4]

Azure RMS Client for Windows

http://go.microsoft.com/fwlink/?LinkId=313954

clip_image001[14]

clip_image002[14]

clip_image003[12]

REF

https://technet.microsoft.com/en-us/library/dn375964.aspx

https://technet.microsoft.com/en-us/library/dd638140(v=exchg.150).aspx#irm

https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_ExchangeServer

https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_Prereqs

https://fazarsusanto.wordpress.com/2015/05/02/azure-rms-rms-connector/

To open a RMS encrypted PDF you’ll need to download the following:

  1. RMS Client Download

http://download.microsoft.com/download/3/C/F/3CF781F5-7D29-4035-9265-C34FF2369FA2/setup_msipc_x64.exe

  1. Microsoft Online Service Assistant

http://www.microsoft.com/en-us/download/details.aspx?id=28177

Once Signed in, you’ll get the following protection

clip_image004[12]

Note:

If you try and share protected documents with any other mail service like Gmail or Hotmail you will get the following error.

Coming Soon

We can’t yet share protected files with some of your recipients.

clip_image005[10]

-WORD documents

clip_image006[8]

 

NOTES

Monday, September 14, 2015

1:56 PM

NOTEs:

  1. If a user is activated in a transport role with RMS protection role (Office 365 RMS). Then the user won’t be allowed to use Azure RMS rules (Configure specific rule).

During this time the permission to use RMs will show up as following “Loading permissions…”

clip_image001[16]

  1. Transport rule may take 15 minutes to take affect after being created or deleted.
  2. Sending email with Exchange online (Azure RMS Rule) with (View online rule) to another Office 365 tenant mail gives the following

clip_image002[16]

clip_image003[14]

clip_image004[14]

In order to access e-mails that are sent to users from different tenants or business e-mails. You’ll have to get a free Microsoft RMS account from here

https://portal.aadrm.com/

Once you are signed up , you will get an e-mail like the following

clip_image005[12]

After you sign in you’ll be able to access the protected document as in the below snapshot. And you can also view your permissions or whether you can edit/modify the document or not

clip_image006[10]

The person who sent an email will also get a notification e-mail telling him that you’ve got access to the document if he has ticked the option that allow him to track the email that he sent along.

clip_image007[8]

 

To compare between Azure RMS and AD RMS please navigate to the following link

Azure RMS comparison

 

If you have any question please don’t hesitate to contact me or leave a comment.

Installation of Exchange 2016 with DAG

1- Prepare for Installation of Exchange 2016

Friday, July 31, 2015

10:53 AM

Install-WindowsFeature RSAT-ADDS

From <https://technet.microsoft.com/en-us/library/bb691354{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}28v=exchg.160{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}29.aspx?f=255&MSPPError=-2147217396>

clip_image001[5]

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

From <https://technet.microsoft.com/en-us/library/bb691354{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}28v=exchg.160{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}29.aspx?f=255&MSPPError=-2147217396>

Windows 2016 (Windows Server)

Install-WindowsFeature Net-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

clip_image002[4]

1- (Extending Schema)

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

clip_image003[4]

  1. (Preparing AD)

Setup.exe /PrepareAD /OrganizationName:”<organization name>” /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

Setup.exe /PrepareAD /OrganizationName:TEST /IAcceptExchangeServerLicenseTerms

clip_image004[4]

  1. Prepare one domain in the forest or all domains

Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

clip_image005[4]

To prepare all domains run the following cmd

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

How do you know this worked?

Once you’ve done all the steps above, you can check to make sure everything’s gone smoothly. To do so, you’ll use a tool called Active Directory Service Interfaces Editor (ADSI Edit). ADSI Edit is included as part of the Active Directory Domain Services Tools feature in Windows Server 2012 R2 and Windows Server 2012. If you want to know more about it, check out ADSI Edit (adsiedit.msc).

clip_image006[4]

Warning:

Never change values in ADSI Edit unless you’re told to do so by Microsoft support. Changing values in ADSI Edit can cause irreparable harm to your Exchange organization and Active Directory.

After Exchange extends your Active Directory schema and prepares Active Directory for Exchange, several properties are updated to show that preparation is complete. Use the information in the following list to make sure these properties have the right values. Each property needs to match the value in the table below for the release of Exchange 2016 that you’re installing.

  • In the Schema naming context, verify that the rangeUpper property on ms-Exch-Schema-Verision-Pt is set to the value shown for your version of Exchange 2013 in the Exchange 2016 Active Directory versions table.
  • In the Configuration naming context, verify that the objectVersion property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value shown for your version of Exchange 2016 in theExchange 2016 Active Directory versions table.
  • In the Default naming context, verify that the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain is set to the value shown for your version of Exchange 2016 in the Exchange 2016 Active Directory versions table.

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

Software Prerequisites

clip_image007[4]

clip_image008[4]

clip_image009[4]

clip_image010[4]

clip_image011[4]

 

clip_image001[7]

clip_image002[6]

clip_image003[6]

clip_image004[6]

clip_image005[6]

clip_image006

clip_image007[6]

clip_image008[6]

clip_image009[6]

clip_image010[6]

clip_image011[6]

 

Creating DAG

 

Since this is a LAB and I only have 2 nodes (DAG must have an odd number for Failover), so I am going to use the DC server as my FSW (Which is highly not recommended for Production Environment).

In order for the FSW on DC to work, you will have to add your DC to the Exchange Trusted Subsystem group

clip_image001[9]

Here I added the DC as a member of the group

clip_image002[8]

Normally file server feature is already added to the server by default, but to make sure I’ll run the following command

clip_image003[8]

It’s already there

Now I’ll go back to Exchange servers and add a second NIC for Replication..

I usually rename each NIC so I know which is which, the default NIC belongs to the MAPI traffic and the other one is the replication NIC.

clip_image004[8]

I will configure the Replication NICs on both exchange servers to disable the “Register this connection’s addresses in DNS”

clip_image005[8]

clip_image006[4]

Checking ping between Exchange servers on the Replication NIC

clip_image007[8]

Now I will create the NGO Object (Computer Object) in the Active directory for the DAG

clip_image008[8]

clip_image009[8]

I will disable the object

clip_image010[8]

Double click on the DAG object and go to Security tab and add Exchange servers

clip_image011[8]

Now configure the security for the Exchange members to full

clip_image012

Apply and close…

Now on the DC I will create the FSW’s folder and give it full permission to the Trusted Subsystem group and exchange servers

clip_image013

clip_image014

Click apply and go back to EAC and I’ll start configuring the DAG

clip_image015

Microsoft says that one of the enhancements that have been added to Exchange 2016 is that DatabaseAvailabilityGroupIpAddresses is no longer required when creating a DAG. By default, the failover cluster will be created without an administrative access point, as this is the recommended best practice.

From <http://blogs.technet.com/b/exchange/archive/2015/05/05/exchange-server-2016-architecture.aspx>

So in this case we won’t need to assign any IP address to the DAG…

clip_image016

I’ll click on save and see what happens

clip_image017

Navigating to the administrators group on AD, The Exchange subsystem group is not added so I’ll add it.

clip_image018

clip_image019

Now I will add Exchange servers as members to the DAG

clip_image020

clip_image021

clip_image022

error

A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: Windows Failover Clustering isn’t installed on ‘EXCH2K16.test.com’.. [Server: EXCH2K16.test.com]

error

A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: Windows Failover Clustering isn’t installed on ‘EXCH2k1602.test.com’.. [Server: EXCH2k1602.test.com]

clip_image023

Error occurs due to firewall being enabled on the DC (Where the FSW is )

clip_image024

I disabled the firewall and gave full permission to the Exchange trusted system to the DAG object

clip_image025

After that I signed out of Exchange servers, signed back in.. Deleted DAG and recreated it… that didn’t work either

Tried using Exchange management shell but it didn’t work too

clip_image026

clip_image027

Checking the log coming in the description, I find out the log is complaining about not finding DAG while trying to resolve it.

clip_image028

Also the log says that it has installed Failover cluste rbut still the cluster can’t find FQDN called DAG.

So I will have to configure DAG in the dns and give it an IP of my first Exchange server

clip_image029

clip_image030

Checking DAG resolving from Exchange server

clip_image031

As the log says, restart is required after installing failover cluster so I’ll restart Exchange servers and then retry to add Exchange servers to the dag.

After restarting the server, It seems that things are working

clip_image032

clip_image033

The second server gave the following error

The Microsoft Exchange Replication service does not appear to be running on “EXCH2k1602”. Make sure that the server is operating, and that the services can be queried remotely.

Apparently the error is correct, After restarting the server it turned out that most of the second Exchange server’s services were not working.. To be honest I didn’t ask myself why did not the services started since I am using a preview version of Exchange 2016.

clip_image034

Interestingly while checking services, I noticed new services e.g. (DAG Management, Compliance Audit, Notifications broker)

After starting the services, now I tried to add the second server again to the DAG.

clip_image035

clip_image036

So eventually, DAG doesn’t need an IP address but still a DNS value needs to be created for the NCO object and needs to have an IP assigned to it which will be the Exchange server IP address..

clip_image037

Next: I will add a database copy and see how it’s improved and do I need to restart the IS service as in Exchange 2013.

clip_image038

clip_image039

I will leave all the default values and add the second server for the database to be copied on. Unlike Exchange 2013 in most of the times the database would fail first and gives an error .. In 2016 it starts directly seeding the database to the second Exchange server that’s member of the DAG.

clip_image040

clip_image041

clip_image042

On the second Server where the database has been copied to, I checked the Logs and Fastsearch was throwing errors as usual since database logs are not copied … as soon as the database logs finished copying the fastsearch will return ok and the database will appear as Healthy in EAC.

clip_image043

Fastsearch finally reported that indexing started on the newly copied DB.

clip_image044

The database copy should now report healthy in the EAC.

clip_image045

I will add the second database to the DAG and then create a new test mailbox and publish the Exchange server online to check the rest of the functionalities.