Scott Feltmann's Blog


Move Root Certificate Authority from Windows Server 2003 to Windows Server 2008

by Scott on Mar.02, 2010, under Microsoft Related

Well, I’ve been trying to write this article for about a month now and finally had some time to sit down and type it out.  I was inspired by this article when I had a client request to move their Root Certificate Authority on a Windows 2003 Domain Controller to a new Windows 2008 Domain Controller.  To be honest, there really isn’t anything to it but the information I found out on the net wasn’t that great so I thought I would provide the world with some info on how to perform this process. 

The Client setup involved a Windows 2003 domain controller that was acting up.  On this DC was their Root Certificate Authority for their entire Active Directory environment.  The client is small and does not have any special requirements for an Enterprise CA and wanted to move their CA to Windows 2008 Active Directory Certificate Services. 

The key principles here are that we need to move the private key associated with the Root Certificate Authority and also the Certificate Authority Database.  When moving a certificate Authority we need to preserve the CA name in the environment, otherwise nothing will work!  The clients will not be able to locate the CA nor will the Root certificate match up with the certificates.  Things just won’t be trusted.

To get started I reviewed the Support Article on How to move a certification authority to another server to back up the existing Windows 2003 Root CA information. I first used the Certification Authority snap-in to back up the CA database and private key. To perform the backup follow these steps:

  • In the Certification Authority snap-in, right-click the CA name, click All Tasks, and then click Back up CA to start the Certification Authority Backup Wizard.
  • Click Next, and then click Private key and CA certificate.
  • Click Certificate database and certificate database log.
  • Use an empty folder as the backup location. Make sure that the backup folder can be accessed by the new server.
  • Click Next. If the specified backup folder does not exist, the Certification Authority Backup Wizard creates it.
  • Type and then confirm a password for the CA private key backup file.
  • Click Next, and then verify the backup settings. The following settings should be displayed:
      • Private Key and CA Certificate
      • Issued Log and Pending Requests
  • Click Finish.

Next we have to save the registry settings.  To save the registry settings perform the following:

  • Click Start, and then Run. In the Run field type regedit and click OK.
  • Locate and then right-click the following registry subkey, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration (While you are here, why not take a look at the settings, take a screen shot, make sure they match up in the end)
  • Click Export
  • Save the Registry file in the CA Backup folder that was defined above

Now that we have the database, certificate and registry backed up, the next step is to remove Certificate Services from the old computer. This process is pretty straightforward. Go into the Control Panel, Add/Remove Programs, Windows Components and remove the tick from Certificate Services. Note: Be sure to remove Certificate Services from the old computer prior to deploying Certificate Services on the new machine. If you deploy AD CS first the target CA will become unusable.

Finally, rename the old server or permanently disconnect it from the network. 

In the step above I took the existing Domain Controller, removed the Certificate Services from it and then performed a DCPromo to remove Active Directory from the computer.  Once the computer was no longer a domain controller I renamed the old server.  I wanted to keep the server online for a fail back just in case, which wasn’t necessary since the move went over successfully!

Now, looking at where we stand, I had the CA certificate and private key, the certificate authority database and the registry settings backed up. The data backed up above should be copied to the new server that will be used for Active Directory Certificate Services; it will be imported below. The next step is to deploy Active Directory Certificate Services on the Windows 2008 domain controller. BTW, I should point out that when deploying Active Directory Certificate Services you should use Windows 2008 Enterprise edition. W2K8 Enterprise gives you more Certificate Services functionality. For a list of features in Windows 2008 Standard vs Windows 2008 Enterprise take a look at this link: Active Directory Certificate Services Step-by-Step Guide. If you scroll down a bit you will see a comparison chart which notes which features are available with which version of Windows you use.

Now, let’s move on to the part where we deploy and restore the Certificate Services. Log on with local or enterprise administrator permissions to the CA computer and perform the following:

  • Launch Server Manager on Windows 2008.
  • In the console tree, click Roles.
  • On the Action menu, click Add Roles.
  • If the Before you Begin wizard appears, click Next.
  • In the list of available server roles, select the Active Directory Certificate Services check box, and click Next twice.
  • Make sure that Certification Authority is selected, and click Next. (Note: If you are going to use Web Enrollment make sure to check this box.  You can always add it later but Why not add it now?  All the required roles will also be installed when you check this box since you will get a list of Add role service required)
  • Select Enterprise and click Next.  (We are doing this because this is an Enterprise Root CA that will integrate with Active Directory.  Just like the one I decommissioned.  Best practice is to have a Standalone Root CA but given the size of this organization they are not too concerned with having a Standalone Root CA.)
  • Specify Root and click Next. (If the CA you’re moving from was a Subordinate CA then we would want to tick the Subordinate CA option. But since in my example this is a Root CA we are sticking with Root. Keep in mind that whether you’re coming from a Root CA or a Subordinate CA, this option must match what you’re coming from.)
  • At this stage, you have a choice between creating a new private key or using an existing private key.  For a migration, on the Set Up Private Key page, select Use existing private key and choose Select a certificate and use its associated private key.

You should have something that looks like this:

[Screenshot: ADCSPic]

Click Next and continue the steps below:

  • If the CA certificate we backed up above has been installed on the computer, it will be listed in the Certificates box. Otherwise, click Import to import a certificate from the .pfx file created by exporting the CA certificate and private key from the source CA.
  • Click Browse, and locate and select the file containing the certificate and private key exported from the source CA.
  • Enter the password you selected when exporting the CA certificate and key from the source CA, and click OK. Select the certificate that was just imported and click Next.
  • When choosing your paths you can either use the defaults or browse to new ones. Once done click Next.
  • Complete the installation of AD CS.
  • Click Yes to accept the warning to overwrite AD DS. (This appears only if you are installing an enterprise CA.)

Congratulations, you’re almost there!  We have deployed Active Directory Certificate Services on Windows 2008.  There are still two more steps that must be completed.  This is the process of restoring the Certificate Authority Database that was backed up in the first section and restoring the registry component. 

To restore the registry simply locate the registry file that was saved above, right-click the file and select Merge. This will import the registry settings to the W2K8 server. You can check that the settings were imported correctly by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration and verifying your settings are there. (Remember that screen shot?) Next we have to restore the database.

To restore the database and log files perform the following:

  • Open Server Manager on the Windows 2008 Server.
  • Expand Roles and then Expand Active Directory Certificate Services.
  • Locate the name of the CA you just deployed.
  • Right Click the CA name and select Restore CA…
  • You will get a warning message that AD CS cannot be running to perform this action. Simply click OK to stop AD CS. AD CS will begin to stop.
  • On the Wizard click Next
  • On the Items to Restore screen check the box Certificate database and certificate database log only.  Click Browse to locate the database that was copied over above.  (Note: I need to point out here that you select the folder you backed up to.  i.e. if you backed up the database and logs to C:\Temp\CABackup then this will be the folder you will restore from.  The backup process will create a subdirectory that it will look for during Restore, if you go one folder too deep the restore will fail.)  Once you have located your backup click Next.
  • On the completion screen click Finish and the restore will begin. 
  • Once the restore is complete you will receive an action box that asks if you would like to restart AD CS. Simply click Yes. (We shouldn’t have any incremental backups since we are doing a migration.)
  • Once the AD CS service is restarted we are good to go!
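The backup and the post-restore checks described above, scripted with certutil.exe and reg.exe. This is an added example, not from the original post. It assumes an elevated prompt on the CA, that certutil -backup writes the .p12 into the backup folder and the database into a DataBase subfolder, and that certutil -cainfo name prints a line of the form "CA name: <name>"; the registry values Active and CommonName are the ones the post's screenshot comparison is checking.

```powershell
function Backup-CaForMigration {
    param(
        [Parameter(Mandatory)] [string] $BackupDir,    # must be empty, as the wizard requires
        [Parameter(Mandatory)] [string] $KeyPassword   # protects the exported private key (.p12)
    )
    if (Test-Path -Path $BackupDir) {
        if (@(Get-ChildItem -Path $BackupDir).Count -gt 0) { throw "Backup folder must be empty: $BackupDir" }
    } else {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }

    # Private key, CA certificate, database and logs: the same items the Backup CA wizard exports.
    & certutil.exe -p $KeyPassword -backup $BackupDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed (exit code $LASTEXITCODE)" }

    # The registry subkey the post exports with regedit.
    $regFile = Join-Path $BackupDir 'CertSvc-Configuration.reg'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }

    # Record the CA name: it must be identical on the new server or clients will not trust it.
    $caName = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
    Set-Content -Path (Join-Path $BackupDir 'ca-name.txt') -Value $caName

    # The Restore CA wizard must be pointed at $BackupDir itself, not at the DataBase subfolder.
    if (-not (Test-Path -Path (Join-Path $BackupDir 'DataBase'))) { throw 'DataBase subfolder missing from backup' }
    return $caName
}

function Test-CaMigration {
    param([Parameter(Mandatory)] [string] $BackupDir)   # the backup folder copied to the new server
    $expected = (Get-Content -Path (Join-Path $BackupDir 'ca-name.txt') | Select-Object -First 1).Trim()
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $problems = @()

    # 1. Registry: after merging the .reg file, Active and the per-CA CommonName must equal the old name.
    $active = (Get-ItemProperty -Path $cfg).Active
    if ($active -ne $expected) { $problems += "Active CA is '$active', expected '$expected'" }
    $common = (Get-ItemProperty -Path (Join-Path $cfg $expected) -ErrorAction SilentlyContinue).CommonName
    if ($common -ne $expected) { $problems += "CommonName is '$common', expected '$expected'" }

    # 2. Service: the restore wizard restarts CertSvc; it must be running again.
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { $problems += 'CertSvc service is not running' }

    # 3. Live CA: ask certutil which CA is actually answering (output format assumed, see lead-in).
    $line = (& certutil.exe -cainfo name) | Where-Object { $_ -match '^\s*CA name:\s*(.+)$' } | Select-Object -First 1
    $live = if ($line) { ($line -replace '^\s*CA name:\s*', '').Trim() } else { '' }
    if ($live -ne $expected) { $problems += "certutil reports CA '$live', expected '$expected'" }

    [pscustomobject]@{ ExpectedName = $expected; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage on the old server:  Backup-CaForMigration -BackupDir 'C:\Temp\CABackup' -KeyPassword '<placeholder>'
# Usage on the new server:  Test-CaMigration -BackupDir 'C:\Temp\CABackup'
```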

Well, what do you guys think? Worth the effort? Migrating to W2K8 AD CS will help your CA remain alive much longer. During this process I also had to renew the CA certificate, which was pretty easy.

 I hope this article will help someone out there, I know I was able to get through it but had to go to a couple of different sources to get the exact process down.

 Enjoy!


Where’s My Single Instance Storage?

by Scott on Feb.22, 2010, under Exchange Server, Microsoft Related

The MS Exchange Team has a nice post (http://msexchangeteam.com/archive/2010/02/22/454051.aspx) on their site explaining the history of Single Instance Storage (SIS) and where it went!

Reading the article I couldn’t help thinking that many clients are still concerned about space on their SANs and fear the idea of placing anything on local disk. The idea in the article is placing your production mailboxes on cheap disk. The only time a client or anyone should consider this is where you are using Database Availability Groups and have at least three servers in the DAG. This will allow you to go backupless but also have all bases covered in your environment surrounding performance and recoverability.

My only other beef though is Archiving. The biggest question I get from clients is, “can I have my production mailboxes on one database and put the archived mail on cheap disk?” Currently in Exchange 2010 an archive mailbox is stored on the exact same database as the user’s production mailbox. I have heard rumors that this is being looked into for future releases but nothing concrete. What this means is that using SAN space, which is typically RAID 10 or RAID 5, requires expensive disk for the production mailbox, and by default (if leveraged) archiving is also placed on that expensive disk. Explaining to clients that they can use local disk and have HA, but need at least three mailbox servers, isn’t easy. Not to mention that if you want multiple CAS in your environment with WNLB you need separate machines. This is because WNLB and MS Clustering cannot run on the same server.

Otherwise, given the way Exchange is deployed these days it is an enterprise solution.  There are times where departments will be included in a single database and other times where users are stored based on their last names.  I do love what they have done with Exchange 2007 and then what they have also done with Exchange 2010.  I just felt that I had to put in my 2 cents on the SIS discussion since I felt the post was a bit misleading.  While the applications are true, we have to consider real life usage and still address client concerns. 


Cisco Unity and Exchange 2007 on Windows 2008 R2

by Scott on Feb.19, 2010, under Exchange Server, Microsoft Related, Windows 2008 R2

So, an interesting call came to me last week regarding a client who was having some issues with Voicemails from Cisco Unity (I believe it was 7.0) transporting voice mails to Exchange.  Their Exchange 2007 instance was moved from W2K8 to W2K8 R2 due to an issue they had with the W2K8 server.  Not realizing that Unity (or Exchange) was not compatible with Windows 2008 R2 they started to have problems.

Basically the problem they were having was when a voice mail was left for a user, it was not being delivered to the user.  Voicemails would pile up on the Unity server.  The recommendation was to reinstall Exchange 2007 on a W2K8 server WITHOUT R2.  The client decided to take a path to resolve the issue but I am not certain what they did.

On another note, Exchange 2007 is not supported on Windows 2008 R2 yet; however, I have heard rumors that if you install Exchange 2007 SP2 on Windows 2008 R2 and run the install in Windows Vista Compatibility mode, the install will work. When will Exchange 2007 officially support Windows 2008 R2? Well, Exchange 2007 SP3 will add support for Windows 2008 R2. Exchange 2007 SP3 should be released some time this year (2010).

Moral of the story, do not put Exchange 2007 on W2K8 R2, and do not use Unity with Windows 2008 R2. 

I also understand that Cisco Unity does not support Windows 2008 R2 domain controllers.  Exchange 2007 SP2 will support Windows 2008 R2 domain controllers.  So, take your pick, but you can’t use Unity to query W2K8 R2 DCs. 

I hope this helps some people out there!  Thanks for visiting.


My Client Visit Yesterday Part 2

by Scott on Feb.12, 2010, under Exchange Server, Microsoft Related

So, yesterday I was out at a client site to review their Exchange 2007 deployment.  In my previous post I talked about how the Subnet the Exchange 2007 servers were in did not have the IP subnet associated with an AD site.  Well, I did come across another interesting issue that was a bit more troublesome.

The client is deploying an Exchange 2007 SP2 environment leveraging a Single Copy Cluster (SCC) and two CAS/HUB servers. 

While testing the failover process of the SCC we came to the point where using the manage clustered mailbox command in the Exchange Management Console or the Exchange Management Shell would not work. We were receiving an error message that the database failed to initialize. The error log was huge: errors on creating the D drive (where the database was located), errors opening the database, mounting the database, it just wasn’t working!

I then suggested going back and using the MS Failover Cluster Management tool. We took a node offline, and failover worked. How odd! This appeared to be an issue with permissions on the servers. Something was preventing Exchange from performing the failover. We then tried another failover via the manage clustered mailbox command and I noticed that the shared disk drives were attempting to fail over to the passive node but they couldn’t!

We then proceeded to check permissions in the Windows Cluster and Exchange Cluster, adjusted a few settings but nothing worked. Well, I then asked, is there a Group Policy blocking any type of assignment to “Manage auditing and security log”? He said no. We checked Group Policy to be certain and there was nothing configured. I then asked him to take a look at the local security policy on the system; sure enough, only the Administrators were in the group Manage auditing and security log. After adding the Exchange Servers to this group on each system the Single Copy Cluster was able to fail over with no problems!

I am not certain as to why the Exchange Servers did not get added to the local security policy; there was nothing in group policy or anything on the system to overwrite this to my knowledge. But nonetheless, it is very important to make sure the Exchange Servers do have access to the security setting.
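A quick way to audit the user right the post found missing: export the effective local policy with secedit.exe and list who holds SeSecurityPrivilege (the "Manage auditing and security log" right). This is an added example, not from the original post; it assumes secedit writes SIDs with a leading asterisk in the [Privilege Rights] section and that the group to look for is named Exchange Servers.

```powershell
function Get-SecurityLogPrivilegeHolders {
    param([string] $ExportPath = (Join-Path $env:TEMP 'user-rights.inf'))
    # secedit writes the effective local policy to an .inf; USER_RIGHTS limits it to privileges.
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

    $line = Get-Content -Path $ExportPath | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }   # nobody holds the right on this machine

    $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $names = foreach ($e in $entries) {
        if ($e.StartsWith('*S-1-')) {
            # SIDs are written with a leading '*'; translate to DOMAIN\Name where the SID resolves.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.TrimStart('*'))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $e }
        } else { $e }
    }
    return @($names)
}

function Test-ExchangeSecurityLogRight {
    param([string] $GroupName = 'Exchange Servers')   # the group the post had to add
    $holders = Get-SecurityLogPrivilegeHolders
    # Compare on the account part only, so 'CONTOSO\Exchange Servers' matches.
    $has = [bool]($holders | Where-Object { ($_ -split '\\')[-1] -ieq $GroupName })
    [pscustomobject]@{ Holders = $holders; ExchangeServersHasRight = $has }
}

# Run on each cluster node: Test-ExchangeSecurityLogRight
```

Run it on every node of the cluster; a node that reports ExchangeServersHasRight = False is one where the failover will fail the way the post describes.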

Either way it was quite an interesting day at my client site, a few more issues came up but nothing as notable as the ones discussed here. 

Hope you have a great day!


Exchange 2010 Client Access Server Array (CAS Array)

by Scott on Feb.09, 2010, under Microsoft Related

One of the new features in Exchange 2010 that many people are not familiar with is the CAS Array.  The CAS array is a really neat feature for clients looking for High Availability in their Exchange organization and wants to remove the chance for a single point of failure.

In the old versions of Exchange clients would connect directly to the mailbox server, but that is no longer the case in Exchange 2010 (http://www.scottfeltmann.com/index.php/2009/10/26/sizing-exchange-2010-client-access-servers). This leads us to the reason why CAS arrays are so important in the Exchange 2010 environment. In Exchange 2010 clients now connect directly to the CAS. The CAS then proxies the client to the mailbox server. This means that all Outlook client connectivity is now routed through the CAS. When not using a CAS array the Outlook client will connect directly to a CAS and remain connected to that CAS. In the event of an outage the Outlook client will lose connectivity to the Exchange Mailbox Server and will not be able to fail over to another CAS in the Active Directory site, since it has already established a connection to a CAS which is now down. How does the Outlook client find the CAS? When a CAS is deployed in Active Directory it creates a service connection point (SCP). This SCP then tells clients, via Autodiscover, how to find a CAS. If an organization has multiple CAS then there are multiple SCPs created in AD. This process holds true in both Exchange 2007 and Exchange 2010. The difference is that Exchange 2010 has the ability to create Client Access Arrays.

So, you’re asking yourself, ok, what is a Client Access Array?  Well, I’m glad you asked!  In Exchange 2010 Microsoft introduced a new concept for High Availability for the Client Access Servers called a CAS Array.  What organizations are now capable of doing is configuring a set of Client Access Servers to act as one by using Network Load Balancing (NLB), either Windows or a Hardware Load Balancer will do.  When using NLB admins create a DNS record that points to a Virtual IP address (VIP).  Behind this VIP will be the Client Access Servers.  You may have one or twenty.  Keep in mind though, if using one, when that server goes down, users lose connectivity.  (I’m assuming that you know how to NLB the Client Access Servers, unfortunately I don’t have anything written on setting up NLB but there are some good articles out there.)  So, if you have three CAS in your environment you are capable of creating a new array which will include all three of these servers.  The array will point to the NLB hostname which will then route the traffic to one of the CAS behind the NLB URL.  In the event that a CAS should go offline, and since the client is connecting directly to the NLB URL and IP the client will be redirected to a functioning CAS and be able to maintain their connection!

Now that we have an idea of what a Client Access Array is, the next logical step is creating the array! In order to create a new Client Access Array we will use the new New-ClientAccessArray cmdlet. This command creates an object that represents a load balanced array of CAS within a single Active Directory site. Keep in mind that each array is specific to the AD site. This means if you have multiple sites with Client Access Servers you can create arrays specific to each site.

The following example is the command for creating a new array, this command will create a server array named cas.scottfeltmann.com:

New-ClientAccessArray -Fqdn cas.scottfeltmann.com -Name "cas.scottfeltmann.com" -Site "HQ"

  • The Fqdn parameter specifies the fully qualified domain name (FQDN) of the Client Access server array. (Required)
  • The Name parameter specifies the name of the Client Access server array.
  • The Site parameter specifies the Active Directory site to which the Client Access server array belongs. (Required)

In the event that exchange databases already existed prior to the creation of the CAS array you will need to configure the databases to point to the new array.  To do this you can use the following command:

Set-MailboxDatabase Databasename -RpcClientAccessServer "cas.scottfeltmann.com"

Otherwise, when a new database is created it will automagically detect the Client Access array and point users to the load balanced URL.
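The two commands above combined into one idempotent step, with the DNS check that has to be true before clients can use the array. This is an added example, not from the original post; it assumes the Exchange 2010 management shell, that the array FQDN already has a DNS record pointing at the NLB VIP, and that the databases to repoint live on mailbox servers in the same AD site (the Server property of a database and the Site property of an Exchange server are used to match them).

```powershell
function New-SiteCasArray {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # load balanced name, e.g. cas.scottfeltmann.com
        [Parameter(Mandatory)] [string] $Site    # AD site the array belongs to, e.g. HQ
    )
    # Outlook will connect to this name, so it must resolve (to the NLB VIP) before we point databases at it.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
    } catch {
        throw "$Fqdn does not resolve in DNS; create the record for the NLB VIP first"
    }

    # One array per site: reuse it if it already exists instead of failing on a duplicate.
    $array = Get-ClientAccessArray -Site $Site -ErrorAction SilentlyContinue
    if (-not $array) {
        $array = New-ClientAccessArray -Fqdn $Fqdn -Name $Fqdn -Site $Site
    } elseif ($array.Fqdn -ne $Fqdn) {
        throw "Site $Site already has an array with FQDN $($array.Fqdn)"
    }

    # Databases created before the array still carry an individual CAS name; repoint only this site's.
    $siteServers = Get-ExchangeServer | Where-Object { $_.Site -and $_.Site.Name -eq $Site } | ForEach-Object { $_.Name }
    $repointed = @()
    foreach ($db in Get-MailboxDatabase) {
        if ($siteServers -notcontains $db.Server.Name) { continue }
        if ("$($db.RpcClientAccessServer)" -ine $Fqdn) {
            Set-MailboxDatabase -Identity $db.Identity -RpcClientAccessServer $Fqdn
            $repointed += $db.Name
        }
    }

    [pscustomobject]@{ Array = $array.Fqdn; Site = $Site; VipAddresses = $ips; Repointed = $repointed }
}

# Usage: New-SiteCasArray -Fqdn 'cas.scottfeltmann.com' -Site 'HQ'
```

Existing Outlook profiles keep the server name they were configured with until the profile is repaired or Autodiscover refreshes it, so repointing the database does not move connected clients instantly.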

In closing, if you’re looking for some HA you will want to use the Client Access Array to provide the highest level of redundancy for your Outlook client connection. Keep in mind you will still need another form of HA for OWA and ActiveSync. ISA 2006 presents a good solution for this as well, since ISA can direct traffic to multiple Exchange Client Access Servers. For more information on NLB for Exchange 2010 CAS see my link here: (http://www.scottfeltmann.com/index.php/2009/10/21/network-load-balancing-recommended-for-exchange-2010-cas-public-facing-internet-facing-and-internal/)

Edit:

I would also like to point out that if you would like to remove a CAS from a CAS Array you will need to remove that Client Access Server from the NLB array.  This can be done either through WNLB if that is what you are using or via your NLB appliance.  Simply remove the desired server from the NLB and that server will no longer be included in the CAS Array. 


Exchange 2010 Archiving Part 4 – Disabling Archiving

by Scott on Jan.28, 2010, under Microsoft Related

In the first three parts of this four post series on Exchange archiving I talked about how to enable Archiving for Exchange 2010 using retention policies.  This last post will talk about disabling archiving for a user and what happens to the archived information. 

Disabling the archive for a user is pretty straightforward. In the EMC locate the user under Recipient Configuration, right-click on the user name and select Disable Archive. You will be prompted to confirm; click Yes.

Once archiving has been disabled the user will no longer be able to see their archive folder in the Outlook folder list. Also, all the content that was in the archive mailbox went away with the archive when it was disabled. What this means is that the data that was moved into the archive mailbox has just gone away. No worries though! If you check in the Disconnected Mailbox folder under Recipient Configuration you will see that the archive mailbox is now listed there. I should point out that if you look and don’t see the mailbox you may need to run Clean-MailboxDatabase -Identity "DatabaseName". This will clean the database and drop the archive mailbox into the Disconnected Mailbox folder. There is actually a column in the folder that says Is Archive and the value is true or false. If true, it’s an old archive mailbox. If false, well, it isn’t!

So, now that we have located our disconnected archive mailboxes which contain data that the user archived in the past the question becomes, how do we get the data out!  Simple.  If you see the archive mailbox listed you can simply Right Click and select the option Connect to Primary Mailbox.  This will then connect the archive mailbox back to the user folder.  Keep in mind that disconnected mailboxes will reside in the Disconnected Mailbox folder for 30 days by default.  Anything beyond that you may have to recover from tape or another means.  Once the archive mailbox has been reconnected the user will be able to extract or add content from/to the archived mailbox.   

I should point out that if you disabled both the archive mailbox and the actual user mailbox the process above will fail. Since the primary mailbox has been deleted the archive mailbox cannot connect to it. This can cause issues for an organization. Say for example you need to get some data back that was archived and that user is no longer with the organization. The user’s mailbox was deleted and now their archive mailbox can no longer be reconnected to the parent mailbox. I also noticed that you cannot connect a disabled archive mailbox to another user’s account. It appears that the archive mailbox can only be connected to its primary mailbox. So, if you’re looking to get data from a former employee’s mailbox and/or archive mailbox you can either keep the original account and reactivate it, or there is one other thing you can do if you’re stuck. If you still have both the original user’s mailbox and the user’s archive mailbox you can connect the user’s mailbox to another AD account that does not have a mailbox. Once this is completed you can then connect the archive mailbox back to the primary mailbox, which is now owned by the AD account you created! This can come in handy in the event where you deleted the user’s AD account but still have the mail data.

Now that the archive mailbox is reconnected with the primary account, one interesting thing I noticed is that archiving resumes, even though in Exchange I have archiving disabled for the user. My only thought is that the retention policy still applied to the mailbox keeps moving data based on its RPTs. So heads up! Just because you disabled archiving, if you reconnect the archive mailbox and the retention policy is still applied to the end user, archiving will resume. I could see this being a problem for some clients, so be wary!

If you would like to remove the retention policy from the user you can do so by performing the following command at the EMS:

Set-Mailbox user -RetentionPolicy $null

I would suggest doing this for any user for whom you decide to disable archiving. This will prevent additional items from accidentally being dropped into the archive mailbox automatically after you reconnect the mailbox.
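A function that disables archiving in the order the post recommends (clear the retention policy first, then disable the archive) and records the archive GUID so the disconnected archive can be found later. This is an added example, not from the original post; it assumes the Exchange 2010 management shell, that Get-Mailbox exposes ArchiveGuid and ArchiveDatabase, that Disable-Mailbox accepts -Archive, and that Get-MailboxStatistics exposes IsArchiveMailbox and DisconnectDate.

```powershell
function Disable-UserArchiving {
    param([Parameter(Mandatory)] [string[]] $Users)
    foreach ($u in $Users) {
        $mbx = Get-Mailbox -Identity $u
        if (-not $mbx.ArchiveDatabase) {
            [pscustomobject]@{ User = $u; ArchiveGuid = $null; Database = $null; Note = 'no archive enabled' }
            continue
        }
        # Clear the policy first, so a later reconnect of the archive does not silently resume moving mail.
        Set-Mailbox -Identity $u -RetentionPolicy $null
        # Keep the GUID and database: they identify the disconnected archive within the 30-day window.
        $guid = $mbx.ArchiveGuid
        $db   = $mbx.ArchiveDatabase.Name
        Disable-Mailbox -Identity $u -Archive -Confirm:$false
        [pscustomobject]@{ User = $u; ArchiveGuid = $guid; Database = $db; Note = 'archive disabled, policy cleared' }
    }
}

function Find-DisconnectedArchives {
    param([Parameter(Mandatory)] [string] $Database)
    # Same step as the post: Clean-MailboxDatabase makes freshly disconnected mailboxes show up.
    Clean-MailboxDatabase -Identity $Database
    Get-MailboxStatistics -Database $Database |
        Where-Object { $_.DisconnectDate -and $_.IsArchiveMailbox } |
        Select-Object DisplayName, MailboxGuid, DisconnectDate
}

# Usage: $log = Disable-UserArchiving -Users 'jsmith','adoe'; $log | Export-Csv .\archive-disable-log.csv -NoTypeInformation
#        Find-DisconnectedArchives -Database 'Mailbox Database 1'
```

Keep the CSV: after the 30-day retention window the disconnected archive is gone, and the GUID in that log is the only thing that ties a former user to the right archive on a restored copy of the database.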

This concludes my series on archiving in Exchange 2010.  I hope it will give you guys out there some good insight on what archiving is, how to enable it, and how to disable it. 

Thanks for reading!


Cisco Unity Support for Exchange 2010?

by Scott on Jan.28, 2010, under Microsoft Related

One question I get from a lot of my clients is when will Cisco Unity work with Exchange 2010?  To be honest this is actually holding up a lot of my clients from moving to Exchange 2010.  First of all they need to be certain that their Phone System will work with Exchange 2010 and second they want to make sure it works with Exchange 2010.  Yes, I know, I repeated myself there but honestly clients want to know when it will first be supported.  The second part is they want the technology to be tested and proven, which typically means they want to wait a few months before they make the switch.

Well, I came across a post from about two weeks ago (I know, I’m slow, just been very busy) that had some estimates on when Cisco Unity will support Exchange 2010. 

Here is an excerpt from Matt Wade’s blog:

Cisco is now working aggressively to validate the new MAPI version as well as make the necessary changes in Unity to support Exchange 2010 as follows:

Unity 7.X – March 31, 2010

Unity 5.X – May 31, 2010

Unity 8.X – June 30, 2010

We urge Unity 4.X Unified Messaging customers who plan to upgrade to Exchange 2010 to first upgrade to Unity 7.X once the ES is available in preparation for their upgrade to Exchange 2010.

So, it looks like we are still about two months out.


Exchange 2010 Archiving Part 3

by Scott on Jan.27, 2010, under Exchange Server, Microsoft Related

In my previous post I talked about the Exchange 2010 Archiving and Retention Tags.  This post continues on from that previous post.

In order to enable Archiving in Exchange 2010 the Exchange administrator needs to be familiar with Retention Policies and Retention Tags. My previous post talked about Retention Tags and how to create a retention tag focused on archiving data in the entire mailbox. Once this Retention Tag has been created it will need to be linked to a Retention Policy. Once the Retention Policy has been created it will need to be linked to a user or users who have archiving enabled on their account. First let’s talk more about Retention Policies.

Retention Policies group retention tags so they can be applied to mailboxes. You can have one or multiple retention tags linked to a Retention Policy, which is then assigned to a user or group of users. A retention policy can have the following retention tags:

  • One or more RPTs for supported default folders
  • One DPT of type All (this is typically the best option for archiving)
  • Any number of personal tags

It should be noted that you cannot have more than one RPT configured for the same folder linked to a Retention Policy. This means that if you have one RPT called Users configured for the Inbox, and another RPT called Finance configured for the Inbox, these two RPTs cannot be assigned to the same Retention Policy.

In order to create a Retention Policy the admin will need to use the EMS. The EMC does not support creating retention policies. To create a retention policy we will use the New-RetentionPolicy command. This command is pretty straightforward. In order to create a new policy and link it to the RPT we created in the previous post we simply type:

New-RetentionPolicy "Users-RP" -RetentionPolicyTagLinks "Users-RPT"

This command will give us a new Retention Policy called “Users-RP” and link it to our DPT we created in the previous post called “Users-RPT”.  We created the DPT in order to create a default policy to all folders capable of being archived in the user’s mailbox. 

Say for example we only want to create the retention policy but not assign any tags to it. No problem! We can simply add retention policy tags at a later time. (Note: It is not recommended to have blank retention policies in your Exchange environment. If you have an empty one it is suggested you link your RPTs to it sooner rather than later.) Pretend in the example above we did not specify the -RetentionPolicyTagLinks parameter and just ran New-RetentionPolicy "Users-RP". In order to add an RPT to a Retention Policy type the following:

Set-RetentionPolicy -Identity "Users-RP" -RetentionPolicyTagLinks "Users-RPT"

If you like you can add additional RPTs by separating them with a comma, i.e. -RetentionPolicyTagLinks "Users-RPT", "More-RPTs", "HR-RPT", or whatever you would like to call them.

Once we have our Retention Policy we now must enable archiving for our users.  Locate the users you wish to enable for archiving using the EMC under Recipient Configuration and Mailbox, highlight their names and from the action menu select Enable Archive.  You will get prompted if you would like to continue and simply click Yes.  The user will now have an archive mailbox.  You will notice this because the icon will appear differently in the EMC. 

Once the user has been configured for archiving we will need to apply our Retention Policy we created above to the archive mailbox.  We can apply that retention policy by performing the following command:

Set-Mailbox "Username" -RetentionPolicy "Users-RP"

This command will then apply the Retention Policy we created above with the RPT we created in the previous post.  The user’s content of their mailbox will then archive anything older than 30 days.

Keep in mind that you can create multiple Retention Policies and Retention Tags for different business units in your organization. Some may want a retention period of 1 month (30 days), 3 months (90 days), six months (180 days), a year (365 days), or ten years (3653 days).

So, once archiving is enabled we will now see a new archiving mailbox in our folder list.

Before Archiving:

[Screenshot: Outlook folder list before archiving is enabled]

After Archiving:

[Screenshot: Outlook folder list with the new archive mailbox]

Now, you may be asking yourself, “What! I enabled archiving for the users but there is no content in the archive mailbox!” Well, no worries, friend! This is because the Managed Folder Assistant has not yet run its scheduled maintenance. By default this process runs between 1am and 4am daily, and it must run before any items are moved into the archive mailbox. The good news is that this process can be run manually: open your EMS and type Start-ManagedFolderAssistant. Since this process runs on the Exchange Server, and both the production mailbox and the archive mailbox reside on Exchange 2010, users do not need to be logged in for archiving to occur, unlike the old AutoArchive feature in Outlook!

So, now we have a mailbox folder list like below.  Note the additional folders created also appear in the Archive!

[Screenshot: Outlook folder list after the Managed Folder Assistant has run]

Once archiving is in place we have to consider the archive warning quota and the archive quota. By default both are set to Unlimited. The trick to configuring these quotas is that we need to meet the user’s requirements. Some users may need very little space for an archive while others need a great deal. If you choose to leave the quotas unlimited then I would keep a close eye on the storage usage of the database, because it can grow rather quickly as some users will keep everything. If you do set the archive quota, once it is reached messages will no longer be moved into the archive and a warning message will be sent to the mailbox user. Either way, it can be difficult to determine the proper sizing for the archive; each user or department will likely have different requirements.

To configure the warning and archive quotas you should use the EMS. The EMC can be used to configure the archive warning quota but not the archive quota.

To configure the archive quota and warning quota perform the following:

Set-Mailbox -Identity "Scott" -ArchiveQuota 2GB -ArchiveWarningQuota 1750MB

This in essence gives the user Scott an archive quota of 2 GB; the system will issue a warning once the archive reaches 1.75 GB. Again, the current (default) setting is Unlimited, so if you have the disk space, or if the archived information is that important, I would leave it at that setting and monitor your space usage. The figures above are just examples; I am not saying you should set your archive quota to 2 GB. You can set it to whatever you like. Keep in mind that the recommended DB size for Exchange 2010 is up to 16 TB. You’d be crazy to go that high, not to mention that 2 TB is the recommended maximum in a DAG and 200 GB without a DAG.
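The steps above (enable the archive, assign “Users-RP”, set the quotas, kick the Managed Folder Assistant) pulled together into one re-runnable EMS script. This is an added example, not code from the original post; it assumes the “Users-RP” policy already exists, uses constructed placeholder mailbox addresses, and assumes Exchange 2010 SP1 or later, where Start-ManagedFolderAssistant accepts a mailbox identity:

```powershell
# Added example (not from the original post): provision archiving for a list of
# users following the steps above. Assumes the "Users-RP" retention policy already
# exists, the mailbox identities are constructed placeholders, and Exchange 2010
# SP1 or later, where Start-ManagedFolderAssistant accepts a mailbox identity.
$Users        = @('user1@example.com', 'user2@example.com')   # constructed placeholders
$PolicyName   = 'Users-RP'
$ArchiveQuota = 2GB
$WarningQuota = 1750MB

# Fail early on misconfiguration instead of erroring once per mailbox.
if (-not (Get-RetentionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    throw "Retention policy '$PolicyName' does not exist; create it first."
}
if ($WarningQuota -ge $ArchiveQuota) {
    throw 'ArchiveWarningQuota must be lower than ArchiveQuota, or users never get a warning.'
}

foreach ($u in $Users) {
    $mbx = Get-Mailbox -Identity $u -ErrorAction Stop

    # ArchiveGuid stays empty until an archive mailbox has been enabled, so this
    # check makes the script safe to re-run.
    if ($mbx.ArchiveGuid -eq [Guid]::Empty) {
        Enable-Mailbox -Identity $u -Archive -Confirm:$false | Out-Null
        Write-Host "Enabled archive mailbox for $u"
    }

    # Apply the retention policy and both quotas in one call.
    Set-Mailbox -Identity $u -RetentionPolicy $PolicyName `
        -ArchiveQuota $ArchiveQuota -ArchiveWarningQuota $WarningQuota

    # Run the Managed Folder Assistant now instead of waiting for the nightly window.
    Start-ManagedFolderAssistant -Identity $u
}

# Verify: archive item count and size per user, so growth can be tracked against
# the quota before the hard limit stops items from being archived.
$Users | ForEach-Object {
    $mbx   = Get-Mailbox -Identity $_
    $stats = Get-MailboxStatistics -Identity $_ -Archive
    New-Object PSObject -Property @{
        User            = $_
        RetentionPolicy = $mbx.RetentionPolicy
        ArchiveQuota    = $mbx.ArchiveQuota
        ArchiveItems    = $stats.ItemCount
        ArchiveSize     = $stats.TotalItemSize
    }
} | Format-Table User, RetentionPolicy, ArchiveQuota, ArchiveItems, ArchiveSize -AutoSize
```

Run the final report again after the nightly Managed Folder Assistant window to see the archive populate; a user whose ArchiveSize sits near ArchiveQuota is about to stop being archived.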

Well, this concludes my posts on Enabling Exchange 2010 Archiving.  I hope you were able to learn something from these posts and thanks for visiting!

Next post will talk about disabling archive and what happens to an archive mailbox in that situation so stay tuned!


Exchange 2010 Archiving Part 2

by Scott on Jan.26, 2010, under Exchange Server, Microsoft Related

In my previous post I talked about the Exchange 2010 Archiving and what it does.  This post continues on from that previous post.

In order to enable archiving in Exchange 2010 the Exchange administrator needs to be familiar with Retention Policies and Retention Tags.

First let me start out on Retention Tags.  Retention Tags are used to apply retention settings to folders and individual items such as messages, notes, and contacts. These settings specify how long a message remains in a mailbox, and the action to be taken when the message reaches the specified retention age. When a message reaches the specified retention age, it’s moved to the personal archive, deleted, or flagged for user attention.  If you recall in my previous post there are five different actions that can be taken on a mailbox item when it reaches the retention age.  Again, those actions are: move to archive, move to deleted items folder, delete and allow recovery, permanently delete, or mark as past retention limit. 

Now, when considering an RPT, keep in mind that you can create RPTs for the following default folders:

  • Deleted Items
  • Drafts
  • Inbox
  • Junk Mail
  • Outbox
  • Sent Items
  • RSS Subscriptions
  • Sync Issues
  • Conversation History

To note, you cannot include more than one RPT for the same folder type in one retention policy. This means that if you have a retention policy with an RPT for the Inbox, you cannot add another RPT configured for the Inbox to that retention policy. You would need to create another retention policy and assign that RPT to it.

The next type of Retention Tag is the Default Policy Tag (DPT). DPTs are created to apply retention settings to untagged mailbox items. Untagged items are mailbox items that don’t have a retention tag applied to them, either by inheritance from the folder they are located in or explicitly by the user. DPTs are created by specifying the type All. A retention policy shouldn’t contain more than one DPT. The DPT gives the Exchange admin the ability to apply retention settings to all objects in the user’s mailbox (except Calendar, Contacts, Journal, Notes, and Tasks). By specifying a DPT the admin is able to control all contents of the mailbox. What about custom folders that users create in their Exchange mailbox, you ask? Well, those items can be archived as well! While you can create an RPT for a specific default folder, the DPT acts as the catch-all: it performs the action assigned to the tag on all folders in the mailbox, including folders created by the user to store mail, e.g. a folder containing email specific to one client, whether as a subfolder of the Inbox or as a new folder under the root.

The final type of Retention Tag is the Personal tags.  Personal tags are retention tags available to users as part of their retention policy. Users can apply personal tags to folders they create or to individual items. For example, you can create a personal tag to allow users to tag messages that are business critical, that have a higher message retention age of three years, and use the MoveToArchive retention action to move the messages to the user’s archive mailbox after three years.

From the perspective of archiving, however, the best course is to use a Default Policy Tag. A DPT applies its retention settings to every folder in the mailbox of every user assigned the Retention Policy. Perhaps in your organization you are not looking for a default policy but rather one that applies strictly to the Inbox; that’s fine, but when it comes to archiving you want to cover all folders possible. Think of users who create a separate folder for certain clients, or who file items into another folder by month. If you simply apply an RPT to the Inbox, those items will not be included in the archiving process and risk being lost. The same idea applies where you want to delete items after x days: you don’t want to miss anything!

So, how do we create the new tag that will later be applied to a policy? In the effort to archive you will want to leverage the command New-RetentionPolicyTag, which, as the name says, creates a new retention policy tag. To archive everything in the mailbox that can be archived, use the following command in the EMS. Please note that you cannot use the EMC to create or delete retention policies.

The command to use is:

New-RetentionPolicyTag "Users-RPT" -Type All -Comment "Items older than one month will be moved to Archive" -RetentionEnabled $true -AgeLimitForRetention 30 -RetentionAction MoveToArchive

What this command does is create a new RPT called Users-RPT. The key is the -Type parameter: by specifying the type All it creates a DPT, which then includes all folders capable of being archived in the user’s mailbox. For the Comment I simply described what this tag does. For the age limit I specified 30 days; keep in mind that this setting is in days, not months or years. Finally, the action is MoveToArchive. This archives the content of the user’s mailbox into the user’s archive mailbox, which by current standards is stored in the same mailbox database as the user’s production mailbox.

As a result of the command we now have a new retention policy tag which is configured to archive all content in the user’s mailbox except Calendar, Contacts, Journal, Notes, and Tasks.
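An added example (not from the original post) that creates the DPT above plus a per-folder RPT, checks the two rules this post describes (one DPT per policy, no duplicate folder-type RPTs) before linking, and then builds the policy. The second tag name and the Deleted Items settings are constructed for illustration:

```powershell
# Added example (not from the original post): build a retention policy from one DPT
# plus per-folder RPTs while enforcing the rules described in this post: at most
# one DPT (Type All) per policy, and no two RPTs for the same folder type in one
# policy. Tag and policy names are constructed for illustration.
function Test-RetentionTagSet {
    param([string[]]$TagNames)
    $tags = $TagNames | ForEach-Object { Get-RetentionPolicyTag -Identity $_ -ErrorAction Stop }
    $dpts = @($tags | Where-Object { $_.Type -eq 'All' })
    if ($dpts.Count -gt 1) {
        throw "A retention policy may contain only one DPT; found $($dpts.Count)."
    }
    # Personal tags may repeat; folder tags (Inbox, DeletedItems, ...) may not.
    $dupes = @($tags | Where-Object { @('All', 'Personal') -notcontains $_.Type } |
        Group-Object -Property Type | Where-Object { $_.Count -gt 1 })
    if ($dupes.Count -gt 0) {
        $names = ($dupes | ForEach-Object { $_.Name }) -join ', '
        throw "More than one RPT for folder type(s): $names"
    }
    return $tags
}

# DPT: everything archivable moves to the archive after 30 days, as in the post.
New-RetentionPolicyTag 'Users-RPT' -Type All -RetentionEnabled $true `
    -AgeLimitForRetention 30 -RetentionAction MoveToArchive `
    -Comment 'Items older than one month will be moved to Archive'

# RPT: Deleted Items is purged to the dumpster after 14 days instead of being
# archived, so discarded mail does not consume archive quota.
New-RetentionPolicyTag 'DeletedItems-14d-RPT' -Type DeletedItems -RetentionEnabled $true `
    -AgeLimitForRetention 14 -RetentionAction DeleteAndAllowRecovery

$tagSet = @('Users-RPT', 'DeletedItems-14d-RPT')
Test-RetentionTagSet -TagNames $tagSet | Out-Null   # throws if a rule is violated
New-RetentionPolicy 'Users-RP' -RetentionPolicyTagLinks $tagSet

# Confirm what the policy actually links before assigning it to any mailbox.
Get-RetentionPolicy -Identity 'Users-RP' | Select-Object Name, RetentionPolicyTagLinks
```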

In my next post I will talk about the Retention Policy and how to connect the Policy Tags to the Retention Policy and apply it to users or a group of users.


Exchange 2010 Archiving Part 1

by Scott on Jan.26, 2010, under Exchange Server, Microsoft Related

One of the new features of Exchange 2010 is the ability to perform archiving on user mailboxes that reside on Exchange 2010. In combination with Outlook 2010, users now have a primary mailbox, which hosts their Exchange 2010 production data, and an archive mailbox, which stores mail items based on the user’s preference or organizational Retention Policies. I say Outlook 2010 because, as I write this, Outlook 2007 does not support the user’s archive mailbox. Microsoft’s idea behind archiving is to reduce the number of items in, and the size of, a user’s production mailbox, thus improving the performance of that production mailbox; the archive mailbox retains the user’s old mail at a slower level of performance, but users are still able to search it for material. The other benefit of the archiving piece in Exchange 2010 is that it is included with Exchange 2010! Basically, small organizations will not need to buy another solution to perform archiving. Please note, however, that in order for a user to benefit from Exchange 2010 Archiving an Outlook 2010 Enterprise CAL is required.

So, from a user perspective, the way archiving works is that a user is presented with two mailboxes (similar to Outlook 2007 where a user opens their mailbox and another user’s mailbox in the folder list). Their folder list has two mailboxes: their primary mailbox and an archive mailbox. The advantage of using the archiving feature is that now all legacy mail items are stored on the Exchange server, where they can be properly backed up and managed by IT. The shortfall of the Microsoft version of archiving is that the user’s archive mailbox is stored in the same database as the user’s production mailbox. I have heard rumors that storing the production mailbox and archive mailbox in the same database will change in the future, but no time frame has been released for this. Depending on what you’re using for a storage platform, that archive data could reside on expensive disk that you would rather use for production data. Another thing to note is that archiving does not support the calendar! I actually found this rather surprising, given that many people (including myself) will want to go back and look at their calendar to figure out what they were doing, say, a year ago. While this data resides in the calendar in the production mailbox, it would still be nice to offload some of it to the archive.

Now, going back to archiving, technically it can be considered records management. The reason I say this is that an organization is managing what to do with the data stored in the user’s mailbox. Records management has a number of actions that can be configured through Retention Policy Tags: data in the mailbox can be moved to the archive, moved to the Deleted Items folder, deleted with recovery allowed, permanently deleted, or marked as past the retention limit.

The MoveToArchive action moves a message to the user’s archive mailbox. Messages are moved to a folder in the archive mailbox with the same name as the source folder in the user’s primary mailbox.

The MoveToDeletedItems action moves messages to the Deleted Items folder. This emulates the behavior experienced by users when they delete a message. Items in the Deleted Items folder can be moved back to the Inbox, or any other mailbox folder. Depending on the user’s mailbox settings in Microsoft Office Outlook Web App or Microsoft Outlook, the Deleted Items folder may be emptied when the user logs off Outlook Web App or closes Outlook. You can also create an RPT for the Deleted Items folder to take the required action on messages in the folder after a certain period.

The DeleteAndAllowRecovery action emulates the behavior when the Deleted Items folder is emptied or the user hard deletes a message. When this happens, and deleted item retention is configured for the mailbox database or the user, messages move to the Recoverable Items folder. The Recoverable Items folder, also known as the dumpster, provides the user another chance to recover deleted messages.

The PermanentlyDelete action permanently deletes a message. When this action is applied to a message, it’s purged from the mailbox. This action is like a deleted message being removed from the Recoverable Items folder. After this happens, the user can no longer recover the message.

The MarkAsPastRetentionLimit action marks a message as past the retention limit. Supported Outlook clients (Outlook 2010 and Office Outlook 2007) display messages that are past their retention limit using strikethrough text. Users who use a supported client notice the changed display and recognize the message as expired, and they can be encouraged to take further action, such as deleting the message or moving it to the archive mailbox. This action is intended to make expired messages noticeable, which encourages users to follow the organization’s messaging policies, and makes an action such as deleting the message unnecessary. This can be used as the initial step to create awareness about MRM.

Since I’m focusing on archiving I will stick with that angle. I should point out, however, that organizations may want to retain items for legal reasons, or delete items for legal reasons. Either way, the records management included in Exchange 2010 can do both.

In my next post I will discuss the steps required to enable archiving.
