You sometimes need some (or even many) test user objects in Active Directory.
This script helps you create any number of test users in your Active Directory domain, which you can easily enable for on-premises or remote mailboxes afterward.
# Number of user accounts to create $UserCount = 5 $RandomPassword = $true $DefaultPassword = 'Pa55w.rd' # User name prefix # New user object will be named TestUser1, TestUser2, ... $TestUserPrefix = 'TestUser' # User object properties $GivenName = 'Test' $Surname = 'User' $Company = 'Varunagroup' $JobTitle = @('Junior Consultant','Senior Consultant','Technical Consultant','Business Consultant') $PreferredLanguage = 'de-DE' # Name of the new organizational unit for test user object $TestOU = 'Test User' # Target OU path where the script creates the new OU $TargetOU = 'OU=IT,dc=varunagroup,dc=de' # Import Active Directory PowerShell Module Import-Module -Name ActiveDirectory # Build OU Path $UserOUPath = ("OU={0},{1}" -f $TestOU, $TargetOU) # Check if OU exists $OUExists = $false try { $OUExists = [adsi]::Exists("LDAP://$UserOUPath") } catch { $OUExists =$true } if(-not $OUExists) { # Create new organizational unit for test users New-ADOrganizationalUnit -Name $TestOU -Path $TargetOU -ProtectedFromAccidentalDeletion:$false -Confirm:$false } else { Write-Warning ('OU {0} exists please delete the OU and user objects manually, before running this script.' -f $UserOUPath) Exit } Write-Output ("Creating {0} user object in {1}" -f $UserCount, $UserOUPath) # Create new user objects 1..$UserCount | ForEach-Object { # Get a random number for selecting a job title $random = Get-Random -Minimum 0 -Maximum (($JobTitle | Measure-Object). Count - 1) # Set user password if($RandomPassword) { # Create a random password $UserPassword = ConvertTo-SecureString -String (-join ((33..93) + (97..125) | Get-Random -Count 25 | % {[char]$_})) -AsPlainText -Force } else { # Use a fixed password $UserPassword = ConvertTo-SecureString -String $DefaultPassword -AsPlainText -Force } # Create a new user object # Adjust user name template and other attributes as needed New-ADUser -Name ("{0}{1}" -f $TestUserPrefix, $_) ` -DisplayName ("{0} {1}" -f $TestUserPrefix, $_) ` -GivenName $GivenName ` -Surname ("$Surname{0}" -f $_) ` -OtherAttributes @{title=$JobTitle[$random];company=$Company;preferredLanguage=$PreferredLanguage} ` -Path $UserOUPath ` -AccountPassword $UserPassword ` -Enabled:$True ` -Confirm:$false }
Use your on-premises Exchange Management Shell to enable all test users with an on-premises mailbox.
$UserOU = 'OU=Test User,OU=IT,dc=varunagroup,dc=de' Get-User -OrganizationalUnit $UserOU | Enable-Mailbox -Confirm:$false
Use your on-premises Exchange Management Shell to enable all test users with a new remote mailbox in Exchange Online. Do not forget to change the tenant name of the remote routing address.
Get-User -OrganizationalUnit 'OU=Test User,OU=IT,dc=varunagroup,dc=de' | %{Enable-RemoteMailbox -Identity $_ -Confirm:$false -RemoteRoutingAddress "$($_.SamAccountName)@TENANT.mail.onmicrosoft.com"}
You find the most recent version of the script at GitHub.
Enjoy.
Once upon a time at an Exchange Conference near you, a member of the Exchange Product Group (PG) announced that the very last Exchange Server will go away when having an active Exchange hybrid setup.
This was a hot topic for discussions at the Microsoft Exchange Conferences (MEC, @IamMEC) in 2012 and 2014, already. Since then the Exchange PG came up with a number of reasons why this is not possible. The question on when we will finally be able to remove the very last Exchange Server from the on-premises Exchange organization was asked every year at the Ignite Conference.
Currently, the supported scenario for hybrid configurations between your on-premises Exchange organization and Exchange Online requires that you keep the last Exchange Server for creating, and managing Exchange related objects, even if those objects are located in Exchange Online.
The following diagram illustrates the current requirements:
In the past, there was communication on certain interim solutions that were supposed to support you in removing the last Exchange Server from your Exchange organization. Such interim solutions were:
At Ignite those solutions even made it into the official session catalog:
All those interim solutions leave your on-premises Exchange organization and the Active Directory configuration in an uncomfortable twilight-zone. It was still something that worked somehow, but you knew it was officially not supported, and the secure and stable operation of the hybrid configuration was at risk.
But wait...
Removing the last Exchange Server is supported! (at least when all components are released)
The new approach for managing your Exchange Online tenancy after migrating your on-premises Exchange organization to Exchange Online does not require an on-premises Exchange Server.
The new mode of operation reduces your on-premises requirements to:
The following diagram illustrates the new modern Exchange Online Management experience:
Simply you remove the requirement to use on-premises Exchange Server to write to your on-premises Active Directory. Instead, Azure AD Connect uses a new synchronization capability to handle the new Exchange Management experience in the AAD Connect MetaVerse. The on-premises AD-connector writes the changes to Active Directory which keeps the Active Directory up-to-date for all other on-premises solutions that require identities to have a proper state.
You execute all Exchange-related actions using the new Exchange Online Management PowerShell module, or, if needed, the new Modern Exchange Admin Center (EAC, which was announced at Ignite 2019.
Before you uninstall the last Exchange Server from your on-premises Exchange organization, ensure that you
PS C:\> Get-WindowsFeature Display Name Name Install State ------------ ---- ------------- [ ] Active Directory Certificate Services AD-Certificate Available [ ] Certification Authority ADCS-Cert-Authority Available [ ] Certificate Enrollment Policy Web Service ADCS-Enroll-Web-Pol Available [ ] Certificate Enrollment Web Service ADCS-Enroll-Web-Svc Available [ ] Certification Authority Web Enrollment ADCS-Web-Enrollment Available [ ] Network Device Enrollment Service ADCS-Device-Enrollment Available [ ] Online Responder ADCS-Online-Cert Available [ ] Active Directory Domain Services AD-Domain-Services Available [ ] Active Directory Federation Services ADFS-Federation Available [ ] Active Directory Lightweight Directory Services ADLDS Available [ ] Active Directory Rights Management Services ADRMS Available [ ] Active Directory Rights Management Server ADRMS-Server Available [ ] Identity Federation Support ADRMS-Identity Available [ ] Device Health Attestation DeviceHealthAttestat... Available [ ] DHCP Server DHCP Available [ ] DNS Server DNS Available [ ] Exchange Online Remote Features EXORemote Available [ ] Fax Server Fax Available [X] File and Storage Services FileAndStorage-Services Installed [X] File and iSCSI Services File-Services Installed [X] File Server FS-FileServer Installed [ ] BranchCache for Network Files FS-BranchCache Available [...]
PS C:\> Install-WindowsFeature -Name EXORemote Display Name Name Install State ------------ ---- ------------- [ ] Active Directory Certificate Services AD-Certificate Available [ ] Certification Authority ADCS-Cert-Authority Available [ ] Certificate Enrollment Policy Web Service ADCS-Enroll-Web-Pol Available [ ] Certificate Enrollment Web Service ADCS-Enroll-Web-Svc Available [ ] Certification Authority Web Enrollment ADCS-Web-Enrollment Available [ ] Network Device Enrollment Service ADCS-Device-Enrollment Available [ ] Online Responder ADCS-Online-Cert Available [ ] Active Directory Domain Services AD-Domain-Services Available [ ] Active Directory Federation Services ADFS-Federation Available [ ] Active Directory Lightweight Directory Services ADLDS Available [ ] Active Directory Rights Management Services ADRMS Available [ ] Active Directory Rights Management Server ADRMS-Server Available [ ] Identity Federation Support ADRMS-Identity Available [ ] Device Health Attestation DeviceHealthAttestat... Available [ ] DHCP Server DHCP Available [ ] DNS Server DNS Available [X] Exchange Online Remote Features EXORemote Installed [ ] Fax Server Fax Available [X] File and Storage Services FileAndStorage-Services Installed [X] File and iSCSI Services File-Services Installed [X] File Server FS-FileServer Installed [ ] BranchCache for Network Files FS-BranchCache Available [...]
Even though not explicitly stated, you should restart the server after installing the Windows feature.
As part of the next AAD Connect synchronization cycle, the magic happens.
Verify that you can edit the Exchange related attributes of synchronized Active Directory objects in Exchange Online or Azure AD before you remove your last Exchange Server.
Whey ready to uninstall the last Exchange Server you must use the following command line parameters to remove the server as intended. Otherwise, you'll leave the Exchange organization in an inchoate state. Ensure that you use an administrative PowerShell session.
./Setup.exe /mode:uninstall /SwitchToMEMA /IAcceptExchangeOnlineLicenseTerms
Normally, you do not have to accept license terms when uninstalling Exchange Server, but in this case, you have to accept the Exchange Online license terms.
Enjoy the modern experience and management options of Exchange Online!
Exchange Conferences
Sometimes you might be interested in gathering a list of all computer from an Active Directory domain in preparation for migration.
You can gather a list of all computer objects using the following command.
# Fetch a sorted list of all computer objects Get-ADComputer -Filter * -Property * | Sort-Object Name
The wildcard used with the Property parameter fetches all available attributes for a computer object. Check the available attributes in the result set to identify the attributes you are interested in.
# Example output for the first computer object gathered from Active Directory (Get-ADComputer -Filter * -Property * | Sort-Object Name)[0] AccountExpirationDate : accountExpires : 9223372036854775807 AccountLockoutTime : AccountNotDelegated : False AllowReversiblePasswordEncryption : False BadLogonCount : 0 badPasswordTime : 0 badPwdCount : 0 CannotChangePassword : False CanonicalName : DOMAIN.local/Computers/COMPUTER01 Certificates : {} CN : COMPUTER01 codePage : 0 CompoundIdentitySupported : {False} countryCode : 0 Created : 9/2/2013 3:01:13 PM createTimeStamp : 9/2/2013 3:01:13 PM Deleted : Description : DisplayName : DistinguishedName : CN=COMPUTER01,CN=Computers,DC=DOMAIN,DC=local DNSHostName : COMPUTER01.DOMAIN.local DoesNotRequirePreAuth : False dSCorePropagationData : {12/31/1600 7:00:00 PM} Enabled : True HomedirRequired : False HomePage : instanceType : 4 IPv4Address : IPv6Address : isCriticalSystemObject : False isDeleted : KerberosEncryptionType : {RC4, AES128, AES256} LastBadPasswordAttempt : LastKnownParent : lastLogoff : 0 lastLogon : 130942520427754509 LastLogonDate : 12/10/2015 3:02:53 PM lastLogonTimestamp : 130942513734007331 localPolicyFlags : 0 Location : LockedOut : False logonCount : 194 ManagedBy : MemberOf : {} MNSLogonAccount : False Modified : 12/10/2015 3:02:53 PM modifyTimeStamp : 12/10/2015 3:02:53 PM msDS-SupportedEncryptionTypes : 28 msDS-User-Account-Control-Computed : 0 Name : COMPUTER01 nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : CN=Computer,CN=Schema,CN=Configuration,DC=DOMAIN,DC=local ObjectClass : computer ObjectGUID : da59afcc-e00a-430b-9cbc-01adeed568f3 objectSid : S-1-5-21-3143343262-845931634-422089675-1179 OperatingSystem : Windows 7 Professional OperatingSystemHotfix : OperatingSystemServicePack : Service Pack 1 OperatingSystemVersion : 6.1 (7601) PasswordExpired : False PasswordLastSet : 12/2/2014 7:21:09 AM PasswordNeverExpires : False PasswordNotRequired : False PrimaryGroup : CN=Domain Computers,CN=Users,DC=DOMAIN,DC=local primaryGroupID : 515 PrincipalsAllowedToDelegateToAccount : {} ProtectedFromAccidentalDeletion : False pwdLastSet : 130619964697110685 SamAccountName : COMPUTER01$ sAMAccountType : 805306369 sDRightsEffective : 15 ServiceAccount : {} servicePrincipalName : {RestrictedKrbHost/COMPUTER01, HOST/COMPUTER01, RestrictedKrbHost/COMPUTER01.DOMAIN.local, HOST/COMPUTER01.DOMAIN.local} ServicePrincipalNames : {RestrictedKrbHost/COMPUTER01, HOST/COMPUTER01, RestrictedKrbHost/COMPUTER01.DOMAIN.local, HOST/COMPUTER01.DOMAIN.local} SID : S-1-5-21-3143343262-845931634-422089675-1179 SIDHistory : {} TrustedForDelegation : False TrustedToAuthForDelegation : False UseDESKeyOnly : False userAccountControl : 4096 userCertificate : {} UserPrincipalName : uSNChanged : 1721509 uSNCreated : 45981 whenChanged : 12/10/2015 3:02:53 PM whenCreated : 9/2/2013 3:01:13 PM
As a next step, you gather the selected information and
# Fetch data for an operating system overview, sorted by property Name only Get-ADComputer -Filter * -Property * | Sort-Object Name | Select Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion # Fetch data for an operating system overview, sorted by property OperatingSystem first, then Name Get-ADComputer -Filter * -Property * | Sort-Object OperatingSystem,Name | Select Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion
You can export the gathered information to a comma separated file easily using the Export-Csv cmdlet.
# Export the gathered and sorted information to a CSV file using a semicolon as the delimiter # Adjust the file path for the CSV file to fit your environment Get-ADComputer -Filter * -Property * | Sort-Object OperatingSystem,Name | Select Name,OperatingSystem,OperatingSystemServicePack,OperatingSystemVersion | Export-Csv -Path C:\SCRIPTS\ComputerOverview.csv -NoClobber -NoTypeInformation -Delimiter ';'
Enjoy!
This script reads the Exchange schema version from the Active Directory schema partition.
The Exchange organization name is fetched from Active Directory automatically. The script fetches at forest level:
The script fetches at domain level:
Code Samples
# Fetch all version information in the Active Directory forest .\Get-ExchangeServerVersionInfo.ps1
Sample Output:
PS D:\Scripts> .\Get-ExchangeServerVersionInfo.ps1 Exchange Server Schema and Object Information for forest [VARUNA.ROOT] Exchange Organization Name : VARUNA-GROUP Active Directory Schema rangeUpper: 15332 Working on VARUNA.ROOT MESO Container objectVersion : 13236 Exchange Configuration msExchProductId : 15.01.1466.003 Exchange Configuration objectVersion : 16213 Working on VARUNAGROUP.DE MESO Container objectVersion : 13236
Enjoy Exchange Server!
This blog post is about creating an Twitter Bot to tweet messages using Azure Automation. The steps and the script itself are based on Trevor Sullivan's TechNet Gallery post. His post assumes that you are familiar with some Azure Automation steps. So I am going to describe the required steps in more detail.
You'll need the following components to setup your personal Twitter Bot.
First you'll need to create a Twitter application to reference your Azure Automation bot. The authentication information of your Twitter application will be needed in step 2.
The information required are
You need to create a new Twitter application by accesssing the following link: https://apps.twitter.com/
Ensure that you've added your mobile phone number to your Twitter account before creating a new Twitter application. This is a requirement for creating Twitter applications.
Log on to Twitter using the Twitter account you want your Twitter Bot to post as.You'll see something similar as this:
Just click Create New App.
Enter the information as needed. The application name must be a globally unique name. So it might be tricky to find a suitable application name. Click Create your Twitter application to finally create the application.
Select Keys and Access Tokens and copy the Consumer Key (API Key) and the Consumer Secret (API Secret) value into a text editor of your choice.
Further down on the same web page you'll find the Your Access Token section.
Click Create my access token.
After you've created the access token, copy the Access Token and the Access Token Secret to your text editor document. You'll need all four values in just a moment.
The Azure automation component will require application credentials for posting Tweets on your behalf. These required credentials are stored in a JSON file. Yo do not need top worry about the JSON data format.
The PoshTwit PowerShell module helps you to create the required JSON file.
The simpliest way to get the PoshTwit module is by installing the module directly from the PowerShell Gallery using an Administrative PowerShell session.
Install-Module PoshTwit
If you cannot use the Install-Module cmdlet, use the link provided in the Links section.
Remember that this step is only needed to create the JSON file containing the required credential information for Azure Automation.
After you've successfully installed the PoshTwit module, call the Set-PoshTwitToken cmdlet using all four Twitter app credential information to create the authentication JSON file.
Set-PoshTwitToken -ConsumerKey [YourConsumerKey] -ConsumerSecret [YourConsumerSecret] -AccessToken [YourAccessToken] -AccessSecret [AccessSecret]
The JSON file wil be created in the PowerShell module installtion folder. Which is by default:
C:\Program Files\WindowsPowerShell\Modules\PoshTwit\0.1.6
The version number might differ depending on the version you've installed.
Open the token.json file and copy the content to your text editor. The content of the token.json file will be the password for the Azure Automation credential object. The content will look like this:
{"ConsumerKey":"9FX***********","ConsumerSecret":"4kIxa***********","AccessToken":"24540854***********","AccessSecret":"OSYP***********"}
You should see your Twitter application authentication information. You will nedd to copy & paste this string including the curly brackets as account credentials at a later step.
Log on to the Azure Portal and create a new Azure Automation account. The Azure Automation will host your automation runbooks, variables and other settings. You can have multiple Azure Automation accounts. This is especially usefull when you want to delegate access and control of Automation accounts to different members of staff.
Click '+', enter Auto as search text and select Automation.
Click Create on the next blade.
Configure your new Azure Automation account by using a unique name, select the appropriate Azure subscription, create a new Resource Group or use an existing, select the Azure location, leave Yes as the default option for creating an Azure Run As account, select the checkbox to pin the Azure Automation account to your Azure dashboard, and click Create.
After you've been redirected to the Azure Dashboard wait for the Azure Automation Account to be created. If you are not redirected to the Azure Automation blade automatically, select the Automation Account tile on the Azure dashboard.
Select Process Automation - Runbooks. You'll notice two tutorials and two tutorial scripts which are automatically provisioned for you.
Click Add a runbook to create the Twitter Bot runbook.
The next step requires that you've download the Tweet-PowerShellTips.ps1 script. If you haven't, download it now.
Select Import an exisiting runbook and browse for the downloaded PowerShell script on the next blade. After selecting the PowerShell file the fiel will be uploaded and validated automatically. The Runbook type and Runbook name properties will be set automatically for you. Just enter a short description for your runbook. Click Create.
The uploaded PowerShell script utilizes the PoshTwit PowerShell module. This PowerShell module needs to be available within the Azure Automation account as well. Additonal PowerShell modules are configured within the Shared Resources section of your Azure Automation account. The PoshTwit module is added from the PowerShell Gallery.
Select Modules Gallery, enter PoshTwit as search text and press Enter, click the PoshTwit search result tile.
Click Import to import the PowerShell module to thre shared ressources of your Azure Automation account. Click OK on the following blade. Close the PoshTwit module blade.
Now you'll add the required Twitter application credentials to the Shared Resources of the Azure Automation account.
Select Shared Resources - Credentials and click Add a credential.
Use TwitterCredential as Name and User name. The variable is accessed by the PowerShell script using the cmdlet
Get-AutomationPSCredential -Name TwitterCredential
Now copy and paste the full JSON file content as Password and Password confirmation. Click Create to save the new credential information.
Select the new runbook from the list of runbooks to edit the runbook properties.
Click Edit to edit the PowerShell code to adjust the tweets to match your needs (at least). YOu are able to edit the PowerShell code directly from the browser window.
Ensure to click Save, after you've edited the PowerShell code.
Each time you've edited an Azure Runbook, you need to publish the new version of the runbook. Click Publish and confirm the publishing with Yes.
You can test your runbook using the Test pane. The script itself will not write any output to the output windows, as the script does not use any Write-Output cmdlets.
You can add the following PowerShell code to the script to output the Tweet Id and Tweet text.
Write-Output "Publish Tweet $($TweetId) | $($TweetList[$TweetId])"
As a last step you need to create a schedule to post random tweets automatically. Automation schedules are created as shared resources again.
Select Shared Resources - Schedules and click Add a schedule.
Configure a schedule name, the start date, the schedule time zone, and the recurring interval. Click Create.
Select your runbook to link the just created schedule.
Select Schedules and click Add a schedule.
Click Link a schedule to your runbook, select the schedule and click OK.
The runbook schedules overview will show an information when the next run will be initiated.
That's it. Your Azure Automation Twitter Bot is up and running.
Now you can simply edit the runbook, add new tweets to the string array, save the changes and publish the changed runbook for production use. As long as the changes are not published, Azure Automation will use the last published version of the runbook.
Enjoy Azure.
This is the source code of the updated PowerShell script.
# Array of tweets # Ensure that the length of each tweet does not exceed 140 characters # Ensure to have at least 2 entries $TweetList = @( 'Find more #PowerShell #scripts at http://scripts.granikos.eu ', 'More #Office365 and #MSFTExchange tips at http://JustCantGetEnough.granikos.eu ' ) # Get a tweet text by random $TweetId = Get-Random -Minimum 0 -Maximum ($TweetList.Count - 1); # Fetch automation credentials $TwitterCredential = Get-AutomationPSCredential -Name TwitterCredential; $TwitterCredential = ConvertFrom-Json -InputObject $TwitterCredential.GetNetworkCredential().Password; # Provision the tweet $Tweet = @{ ConsumerKey = $TwitterCredential.ConsumerKey; ConsumerSecret = $TwitterCredential.ConsumerSecret; AccessToken = $TwitterCredential.AccessToken; AccessSecret = $TwitterCredential.AccessSecret; Tweet = $TweetList[$TweetId]; }; # Publish the tweet Publish-Tweet @Tweet;
Exchange Server 2016 introduced the PowerShell cmdlet Get-MailboxServerRedundancy. This cmdlet helps you plan and prepare for Exchange Server maintenance by querying the current maintenance readiness of the database availability group (DAG).
Interestingly, there is no PowerShell help available for this vital cmdlet. Microsoft Docs or Exchange Management Shell's Get-Help provide any valuable information.
When querying a DAG about the server redundancy status, the cmdlet's default output provides you with the essential information.
The default output contains information about:
This example shows the Get-MailboxServerRedundancy output of a six server DAG, before activating maintenance mode for server LOCEXS06.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup EXDAG01 Identity IsServerFound IsInMainten RepairUrgency SafeForMaintenance HealthInfoLastUpdateTime InAD ance -------- ------------- ----------- ------------- ------------------ ------------------------ LOCEXS01 True False Prohibited False 17.02.2020 09:10:11 LOCEXS02 True False Normal True 17.02.2020 09:10:11 LOCEXS03 True False Normal True 17.02.2020 09:10:11 LOCEXS06 True False Normal True 17.02.2020 09:10:11 LOCEXS05 True False Normal True 17.02.2020 09:10:11 LOCEXS04 True False Prohibited False 17.02.2020 09:10:11
As Exchange Administrator, you are most interested in the information displayed in columns RepairUrgency and SafeForMaintenance.
As you can see in this screenshot, no server is in maintenance mode. Servers S01 and S04 have a RepairUrgency state of Prohibited, and a SafeForMaintenance state of False. The latter tells us that we cannot activate maintenance mode for servers safely without risking mailbox database redundancy.
What is the reason for this? Let's have a look.
You can use the same cmdlet to query detailed information for each member server of the DAG. The default output for a single server does not provide any additional information on the server status.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup EXDAG01 -Identity LOCEXS01 Identity IsServerFound IsInMainten RepairUrgency SafeForMaintenance HealthInfoLastUpdateTime InAD ance -------- ------------- ----------- ------------- ------------------ ------------------------ LOCEXS01 True False Prohibited False 17.02.2020 09:11:11
Because we cannot activate maintenance mode for server LOCEXS01 safely, we are interested in identifying which redundancy state is responsible.
You can find this information by displaying the detailed server information.
Use the Format-List, or short FL, cmdlet to display the Get-MailboxServerRedundancy cmdlet output as a formatted list.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup EXDAG01 -Identity LOCEXS01 | FL RunspaceId : 70d82f8d-e6ca-4bfc-863f-11300a9784ff Identity : LOCEXS01 IsServerFoundInAD : True IsInMaintenance : False RepairUrgency : Prohibited SafeForMaintenance : False ServerContactedFqdn : LOCEXS04.VARUNAGROUP.DE HealthInfoCreateTime : 15.06.2018 15:16:19 HealthInfoLastUpdateTime : 17.02.2020 09:11:11 ServerFoundInAD : CurrentState: Active; LastActiveTransition: 15.06.2018 15:22:16; LastInactiveTransition: InMaintenance : CurrentState: Inactive; LastActiveTransition: 17.01.2020 09:07:02; LastInactiveTransition: 17.01.2020 10:42:02 AutoActivationPolicyBlocked : CurrentState: Inactive; LastActiveTransition: 09.01.2020 10:14:50; LastInactiveTransition: 09.01.2020 11:00:51 ActivationDisabledAndMoveNow : CurrentState: Inactive; LastActiveTransition: ; LastInactiveTransition: 15.06.2018 15:22:16 HighAvailabilityComponentStateOffline : CurrentState: Inactive; LastActiveTransition: 17.01.2020 09:07:02; LastInactiveTransition: 17.01.2020 10:42:02 CriticalForMaintainingAvailability : CurrentState: Inactive; LastActiveTransition: 31.01.2020 16:52:49; LastInactiveTransition: 31.01.2020 16:56:49 CriticalForMaintainingRedundancy : CurrentState: Active; LastActiveTransition: 29.01.2020 11:43:06; LastInactiveTransition: 29.01.2020 11:42:06 PotentiallyCriticalForMaintainingRedundancy : CurrentState: Active; LastActiveTransition: 01.02.2020 05:49:37; LastInactiveTransition: CriticalForRestoringAvailability : CurrentState: Inactive; LastActiveTransition: 06.05.2019 09:16:36; LastInactiveTransition: 06.05.2019 09:20:36 CriticalForRestoringRedundancy : CurrentState: Inactive; LastActiveTransition: 29.01.2020 11:42:06; LastInactiveTransition: 29.01.2020 11:43:06 HighForRestoringAvailability : CurrentState: Inactive; LastActiveTransition: 29.01.2020 11:42:06; LastInactiveTransition: 29.01.2020 11:43:06 HighForRestoringRedundancy : CurrentState: Inactive; LastActiveTransition: 10.02.2020 09:05:02; LastInactiveTransition: 10.02.2020 09:06:02 IsSafeForMaintenance : CurrentState: Inactive; LastActiveTransition: 03.11.2019 09:42:35; LastInactiveTransition: 12.11.2019 06:29:58 IsValid : True ObjectState : Unchanged
The lines 24-27 show the information we want to know. Both, the CriticalForMaintainingRedundancy and PotentiallyCriticalForMaintainingRedundancy parameters have a CurrentState value of Active. The Primary Activation Manager (PAM) considers the server availability critical to provide redundant availability of the database copies hosted by this server.
Each of state-parameter shows three pieces of information:
But there is still the bothering question of why are two of the six servers not safe for activating maintenance?
The reason is simple. The mailbox databases mounted by the member servers of the DAG have a different number of database copies. This configuration is due to data storage capacity constraints.
The mailbox databases storing primary user mailboxes use four database copies per database. Those copies are evenly distributed across all six mailbox servers. Mailbox database storing online archive mailboxes use three copies per database. This database copy layout allows for safely activating server maintenance for one server at a time without risk to database redundancy.
The servers LOCEXS01 and LOCEXS04 hold mailbox databases with just two copies per configured database. Placing one of those two servers into maintenance mode reduces the database availability for these mailbox databases to one. Therefore, PAM informs us that database redundancy is at risk when activating maintenance for those two servers.
This example shows the member server redundancy state while LOCEXS06 is in maintenance. The reason for monthly maintenance for installing Windows updates.
Maintenance was activated using the StartDagServerMaintenance.ps1 PowerShell script.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup indag01 Identity IsServerFound IsInMainten RepairUrgency SafeForMaintenance HealthInfoLastUpdateTime InAD ance -------- ------------- ----------- ------------- ------------------ ------------------------ LOCEXS01 True False Prohibited False 17.02.2020 11:04:12 LOCEXS02 True False Normal True 17.02.2020 11:04:12 LOCEXS03 True False Prohibited False 17.02.2020 11:04:12 LOCEXS06 True True High True 17.02.2020 11:04:12 LOCEXS05 True False Prohibited False 17.02.2020 11:04:12 LOCEXS04 True False Prohibited False 17.02.2020 11:04:12
Having a single server in maintenance has a significant impact on all other servers in the DAG. The servers LOCEXS03 and LOCEXS05 are not safe for maintenance as well. Activating maintenance for those two servers would affect the database redundancy for the databases hosted by those two servers.
After completing all maintenance tasks, e.g., installing Windows Updates or a new Exchange Server Cumulative Update, you end server maintenance using the PowerShell script StopDagServerMaintenance.ps1.
We query the server redundancy state again.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup indag01 Identity IsServerFound IsInMainten RepairUrgency SafeForMaintenance HealthInfoLastUpdateTime InAD ance -------- ------------- ----------- ------------- ------------------ ------------------------ LOCEXS01 True False Prohibited False 17.02.2020 11:23:12 LOCEXS02 True False Normal True 17.02.2020 11:23:12 LOCEXS03 True False Normal True 17.02.2020 11:23:12 LOCEXS06 True False High True 17.02.2020 11:23:12 LOCEXS05 True False Normal True 17.02.2020 11:23:12 LOCEXS04 True False Prohibited False 17.02.2020 11:23:12
Server LOCEXS06 is not in maintenance, but the RepairUrgency state is High. The local Exchange Server replication engine is still busy replicating and processing log files, and updating the search indices. When CopyQueueLength and ReplayQueueLength are back to 0, and ContentIndexStates are back to Healthy, the RepairUrgency switches to Normal.
You receive an error message when activating maintenance for an Exchange Server not safe for maintenance using StartDagServerMaintenance.ps1 -serverName [SERVER] In this case, you must use:
.\StartDagServerMaintenance.ps1 -serverName SERVERNAME -overrideMinimumTwoCopies:$true
When you run the following cmdlet to prepare Active Directory for the installation of an Exchange Server Cumulative Update (in this case CU17) you might encounter a System.UnauthorizedAccessException.
D:\tmp\Cu17>setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms Microsoft Exchange Server 2013 Cumulative Update 17 Unattended Setup Unhandled Exception: System.UnauthorizedAccessException: Access to the path 'C:\ Windows\Temp\ExchangeSetup\ExSetup.exe' is denied. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.File.SetAttributes(String path, FileAttributes fileAttributes) at Microsoft.Exchange.Setup.CommonBase.SetupHelper.DeleteDirectory(String pat h) at Microsoft.Exchange.Bootstrapper.Setup.BootstrapperBase.CopySetupBootstrapp erFiles() at Microsoft.Exchange.Bootstrapper.Setup.Setup.Run() at Microsoft.Exchange.Bootstrapper.Setup.BootstrapperBase.MainCore[T](String[ ] args) at Microsoft.Exchange.Bootstrapper.Setup.Setup.Main(String[] args)
There is a simple reason for the the System.UnauthorizedAccessException:
The required .NET Framework 4.6.2 had been installed just minutes before executing setup.exe. Preparation of the Active Directory schema ran without any issues. But when the /PrepareSchema call finished, the temporary folder in C:\Windows\Temp\ExchangeSetup could not be fully cleaned up, as mscorsvw.exe had an open file handle on ExSetup.exe.
Additionally, when you run Setup.exe and the folder C:\Windows\Temp\ExchangeSetup exists, the setup will not try to copy required installation files. Regardless if the folder files exists in the folder or not.
D:\tmp\Cu17>setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms Microsoft Exchange Server 2013 Cumulative Update 17 Unattended Setup Copying Files... File copy complete. Setup will now collect additional information needed for installation. Performing Microsoft Exchange Server Prerequisite Check Prerequisite Analysis COMPLETED Configuring Microsoft Exchange Server Organization Preparation COMPLETED The Exchange Server setup operation completed successfully.
Enjoy Exchange!