Author: Hilary Black
Microsoft Microsoft MCSE: Messaging (Exchange 2016)

Courseware Version V1

KIT CODE: K-441-01 www.firebrandtraining.co.uk

Table of Contents

1. Installation and Networking
2. User Administration and Client Access
3. Anti-Spam and Mail Delivery
4. T-Shoot, External Access and Retention
5. DLP / Retention / Security
6. Migration / HA / Office 365
7. Power Shell examples
8. To install a custom App for OWA
9. Install and Enable the Address Book Policy Routing agent

1 © Firebrand Training Ltd

1. Installation and Networking

Tools to assess your environment for Exchange 2016:
• Validate that all of the planned servers will meet the IOPS requirements of the planned organisation >> Microsoft Exchange Server Jetstress.
• Identify how many IOPS are required to provide fast access to mailboxes for all of the users in the planned environment >> Exchange Mailbox Server Role Requirements Calculator.
• Identify the number of email messages sent and received by users in the current Exchange Server organisation >> Microsoft Exchange Server Profile Analyzer.

To deploy the first Exchange 2016 server in the organisation, you should be a member of: Schema Admins, Domain Admins and Enterprise Admins.

You can't deploy Exchange in an Active Directory site with an RODC. You should replace the RODC with a DC or with a GC.

MX records are used to configure mail routing. You can configure priority so that the record with the lowest value is used first.

To give a user the opportunity to install an Exchange server in the organisation without having full admin permissions:
• Run setup and specify the /NewProvisionedServer parameter
• Add the person to the Delegated Setup management role group

If there is a mixed environment with Exchange 2010 (EX01) and Exchange 2016 (EX02), the URL to access ECP is:
• https://EX02/ecp?ExchClientVer=16

Deploy Exchange in a forest with child domains:
• training.com: setup /preparead
• uk.training.com: setup /preparedomain

To install Exchange with shared permissions:
Setup /PrepareAD /ActiveDirectorySplitPermissions:False /IAcceptExchangeServerLicenseTerms

Exchange 2016 can be virtualised. The preferred storage method should still be pass-through disks, and the backup method should be to install the agent on the VM.

In Exchange 2016, RPC over TCP has been disabled. All Outlook communications are now through RPC over HTTP (Outlook Anywhere). This unifies the CAS protocol methods and provides stable and reliable connectivity between clients and servers and between the servers. It also reduces the number of namespaces required and eliminates end-user interruptions. Hence moving mailboxes around in a DAG and moving mailboxes between mailbox databases are now easy.

So the best solution, but the most expensive one, is a hardware load balancer (Layer 7) that balances traffic on port 443 to load balance server access.

If there are multiple Exchange 2017 servers, you can use:
• Layer 3 / 7 hardware load balancers

Active Directory Users and Computers is the best tool to check the permissions of the Exchange Trusted Subsystem group.

A hardware load balancer can discover if one of the members is offline and then redirects users to the remaining ones.

When using source NAT, the client IP address is not passed to the load-balanced server. Inserting the client IP address into the header allows the Exchange servers to see the IP that made the connection.

Layer 3 load balancer: A load balancer is a server computer with a very specialised operating system tuned to manage network traffic using user-created rules. Enterprises and hosting companies rely on load-balancing devices to distribute traffic to create highly available services. L3 load balancing is fairly simple: two servers share the same IP address, and you get redirected to the less busy server.


2. User Administration and Client Access

To configure a new domain as an accepted email domain and change the address policy for some users without overriding the existing mail address:
• Create a new accepted domain for adatum.com and set the domain type to Authoritative Domain.
• Create a new email address policy and apply the policy to the users in SalesOU.

With a device access rule, you can, for example, configure that only Apple iPhones can connect and Android devices are banned.

To deny the use of extended storage using ActiveSync, create a device mailbox policy and then run Set-CasMailbox.

If a user can successfully sign in to his mailbox using Outlook Web App and Outlook Anywhere but gets HTTP Error 500 when he tries with an ActiveSync device, you should check the permission inheritance for his account.

To configure ActiveSync to use certificates from the company's internal CA:
• From Exchange Admin Center, configure the Microsoft-Server-ActiveSync virtual directory to require client certificates.
• From Internet Information Services (IIS) Manager on each Client Access server, enable Active Directory Client Certificate Authentication.

If users are having an issue with downloading the address book or setting up the 'Out of Office' assistant but are able to connect from external, you should check the OAB and EWS directory settings.

Windows Authentication (NTLM) needs to be enabled on the Exchange 2013 Client Access Server to enable the Exchange 2016 server to proxy connections.

For GAL segmentation it is best practice to use address book policies.

If you want a server in another location to receive messages from the Internet for a specific user on another site and route them to him, configure a hub site.

If you run Exchange 2010 and 2016 and you enable Outlook Anywhere on the 2010 server and the internal and external namespace is not pointing to the 2013 server, make sure that the IISAuthentication value is Basic and NTLM.

To enable Autodiscover for Outlook Anywhere you can use 2 types of DNS records:
• SRV (Old version)
• A Record

There is a mixed environment with Exchange 2010 and 2016. External access points to the 2016 server. To enable Outlook Anywhere you must run the following commands:
• Ex2016: Set-OutlookAnywhere
• CAS2010: Enable-OutlookAnywhere

Internal Outlook Web App works out of the box; it doesn't require any additional configuration at the beginning.

If you would like a user to access his mailbox using http instead of https, one of the things you have to do is configure HTTP redirect on the default website.

Administrators can create additional organisation mailboxes for fault tolerance or for serving users in a geographically dispersed Exchange deployment:
• Create a new arbitration mailbox > New-Mailbox
• Enable the OABGen capability > Set-Mailbox

When you are migrating Exchange 2010 to Exchange 2016 and a user is no longer able to access his mailbox using OWA, make sure that you export the certificate from Exchange 2016 to all the 2010 servers; the name legacy.company.com must be in the certificate.

RBAC examples:
• View the status of messages in a queue >> View-Only Org Management
• Create, mount and dismount database >> Server Management
• Restore mailboxes from a recovery database >> Org Management
• Modify the settings of Exchange ActiveSync devices >> Recipient Management

The minimum permission required to move mailboxes between servers is Recipient Management.


3. Anti-Spam and Mail Delivery

Deploy anti-spam on a server:
• Install the Mailbox server role
• Run Install-AntispamAgents.ps1
• Run Restart-Service MSExchangeTransport

Agent examples:
• Place email messages that contain the word Test in a quarantine folder > Content Filter Agent
• Block all email messages sent to former employees who no longer work for the company > Recipient Filter Agent
• Reject all messages sent from a source that has a sender reputation level of 7 and greater > Protocol Analysis Agent

The anti-spam agents are only installed on the Mailbox server. Anti-malware filtering is enabled on the Mailbox server only.

The best way to ensure that email messages between two partner organisations is to create a Send connector of the type Partner.

If there is an SMTP domain named sales.firebrand.com and you want to configure it so that external users can use Outlook and auto configuration:
• Create an A record for autodiscover.sales.firebrand.com
• On the Exchange server deploy a certificate with the name autodiscover.sales.firebrand.com

For domain security on the Send connector, make sure that all the necessary certificates are enabled and have not expired.

There are 2 companies, Firebrand and Fast Traders. To enforce TLS for all messages from users sent to Firebrand:
• Install a certificate and assign the certificate to the SMTP service.
• Exchange the root certificate between the organisations.
• Create a new Send connector and specify the TlsDomain parameter.
• Run Set-TransportConfig -TLSSendDomainSecureList FastTraders.
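The domain security steps above, written out for one side of the partnership as an added example (not part of the courseware). The partner domain fasttraders.example, the server name EX01 and both connector names are assumptions; the receive connector is assumed to exist already.

```powershell
# Added example. Run in the Exchange Management Shell.
# Assumed values (not from the courseware): partner domain, server and connector names.
$partnerDomain = 'fasttraders.example'
$server        = 'EX01'
$sendName      = 'To FastTraders (domain secure)'
$recvName      = "$server\From Partners"   # hypothetical, already existing Internet-facing connector

# 1. Domain security fails if the SMTP certificate is missing, invalid or expired,
#    so check that first and stop if nothing usable is bound to SMTP.
$smtpCerts = Get-ExchangeCertificate -Server $server | Where-Object {
    $_.Services -match 'SMTP' -and
    $_.Status   -eq 'Valid'   -and
    $_.NotAfter -gt (Get-Date).AddDays(30)      # flag certificates about to expire
}
if (-not $smtpCerts) {
    throw "No valid SMTP certificate with more than 30 days left on $server."
}
$smtpCerts | Format-List Subject, CertificateDomains, NotAfter, Thumbprint

# 2. Add the partner to the organisation-wide secure lists.
#    @{Add=...} appends; passing a plain value would overwrite the existing list.
Set-TransportConfig `
    -TLSSendDomainSecureList    @{Add = $partnerDomain} `
    -TLSReceiveDomainSecureList @{Add = $partnerDomain}

# 3. Dedicated Send connector of type Partner for the partner's address space.
#    DomainSecureEnabled requires DNS routing (no smart host).
if (-not (Get-SendConnector | Where-Object { $_.Name -eq $sendName })) {
    New-SendConnector -Name $sendName -Usage Partner `
        -AddressSpaces $partnerDomain `
        -DNSRoutingEnabled $true `
        -DomainSecureEnabled $true `
        -SourceTransportServers $server
}

# 4. The Receive connector that accepts the partner's mail must offer TLS and be
#    domain-secure. -AuthMechanism replaces the connector's current mechanisms,
#    so list every mechanism the connector still needs.
Set-ReceiveConnector -Identity $recvName -DomainSecureEnabled $true -AuthMechanism Tls

# 5. Read the settings back.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector $sendName |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, DomainSecureEnabled
Get-ReceiveConnector $recvName |
    Format-List Identity, AuthMechanism, DomainSecureEnabled
```

The partner organisation has to make the mirror-image configuration for its own domain, and each side has to trust the root certificate of the other, as the steps above state.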


Transport Rule and Security examples:
• Messages sent to firebrand.com must NOT include a disclaimer > transport rule exception.
• Messages that contain credit card numbers must NOT be sent to firebrand.com > data loss prevention policy.
• If a user writes a message that contains a credit card number and this message is addressed to a recipient at firebrand.com, the user must receive a notification before the message is sent > a Policy Tip.

Mailbox Role (DAG) / Maintenance Tasks

Setting up a DAG:
• Add a computer account for the DAG, disable it and give Exchange Trusted Subsystem Full Control permission
• Make Exchange Trusted Subsystem local admin on the witness server
• Create the DAG
• Add the members

Restore a DAG member:
• Run Remove-MailboxDatabaseCopy and Remove-DatabaseAvailabilityGroupServer on a working server
• On the new server run setup /m:RecoverServer
• Run Add-DatabaseAvailabilityGroupServer and Add-MailboxDatabaseCopy on a working server

To recover a message from a lagged mailbox database:
• Run Suspend-MailboxDatabaseCopy
• Run vssadmin
• Run eseutil

To add an offline copy of a DB to a DAG member:
• Dismount the database on the server hosting a copy
• Copy the files to the server that will be hosting the passive copy
• Run the Add-MailboxDatabaseCopy cmdlet on the server that will be hosting the passive copy


To perform a single item restore for a user:
• Restore the file to an alternate location, for example f:\RDB
• Run eseutil /r E00 /a
• Run New-MailboxDatabase -Name rdb -Server EX01 -LogFolderPath f:\rdb -EdbFilePath f:\rdb\db1.edb -Recovery
• Mount the database
• Run New-MailboxRestoreRequest

To recover a deleted folder in a user's mailbox:
• Restore the DB from tape to an alternative location
• Run New-MailboxDatabase with the Recovery option
• Run New-MailboxRestoreRequest

To minimise the loss of large email messages if a single DAG member fails, you should configure the settings for shadow redundancy. Safety Net is a component of shadow redundancy.

To configure a highly available public folder mailbox while local users still connect to their local public folders:
• Create a public folder mailbox
• Add a database copy
• Specify the public folder mailbox with Set-Mailbox -DefaultPublicFolderMailbox

If there is a DAG configured with 2 servers and there is a DB mounted on both servers, the Exchange Server transport services will restart automatically and then put all delivery queues in a Retry state if one server fails.

All the logging for Send and Receive connectors is stored in the HUB folder in the Logs directory.

You can configure retention for a mailbox database, for example that disconnected mailboxes are removed after 360 days.


4. T-Shoot, External Access and Retention

You can clone an Edge config and import the config on another Edge:
• ExportEdgeConfig.ps1
• ImportEdgeConfig.ps1

To move mails older than, for example, 30 days to the archive, you have to configure retention. You require retention tags inside a retention policy.

After a file restore to an alternative location you should run eseutil to ensure that the data is consistent before mounting into the dial-tone database.

You can allocate resources using a workload policy. If for example POP3 consumes too many resources and OWA doesn't have enough:
• Create a workload policy for POP3 and set the Classification to Discretionary; also create a workload policy for OWA and set the Classification to Customer Expectation.

The Exchange Remote Connectivity Analyser is a tool that performs a series of tests against the Exchange environment. For example, if a user cannot access his mailbox from external, the tool can be used to troubleshoot this.

If messages are staying in the Drafts folder of a user using Outlook Web App, make sure that the Microsoft Exchange Mailbox Transport Submission service is running.

You can use the Outlook Connectivity Test to troubleshoot Outlook Anywhere.


5. DLP / Retention / Security

DLP can be used to prevent the sending of bank account numbers.

To configure DLP to block social security numbers of the United States, enable the following:
• U.S. State Breach: Scan email sent outside - low count
• U.S. State Breach: Scan email sent outside - high count

Another feature of DLP is the document fingerprint. Document Fingerprinting is a Data Loss Prevention (DLP) feature that converts a standard form into a sensitive information type, which you can use to define transport rules and DLP policies. You then need:
• A document fingerprint
• A transport rule

The supported template for fingerprinting is a dotx file.

Compliance works with retention tags; they are inside a retention policy and they are linked to the user's mailbox.

The following items can be archived using a retention policy:
• calendar items
• mail items
• note items
• task items

There are 3 types of policy tags:
• Default policy tag: applied automatically to the entire mailbox.
• Retention policy tag: applied automatically to a default folder.
• Personal tag: applied manually to items and folders.

This means that:
• Folder Projects: personal retention tag.
• Deleted items: retention policy tag.
• Mailbox: default retention policy tag.
• Projects: personal retention policy tag.

If you want to prevent a user from permanently deleting messages in his mailbox, configure In-Place Hold.


If you want to encrypt messages addressed to users inside the organisation, Microsoft recommends using IRM.

To make sure that email messages are encrypted automatically before they are stored in the mailbox of the recipients:
• Create a transport rule
• S/MIME

If a user has issues when opening an encrypted email from another user, instruct the user to send a signed email message.

To identify when a mailbox is accessed by a person other than the owner:
• Run a non-owner mailbox access report
• Export the mailbox audit log

Audit tool examples:
• The manager of the sales department must be able to search for email messages that contain specific key words in the mailboxes of users in the sales department > In-Place Discovery report.
• The manager of the human resources department must receive a report that contains a list of all the sales users' mailboxes that were searched by the sales manager > Export the mailbox audit logs.

To perform mailbox searches you have to be a member of the Discovery Management group; then you can run the New-MailboxSearch cmdlet.

RMS for individuals is a free self-service subscription for users in an organisation who have been sent sensitive files that have been protected by Azure Rights Management (Azure RMS), but whose IT department has not implemented Azure Rights Management (Azure RMS) or Active Directory Rights Management Services (AD RMS).

To minimise costs, you can link Office 365 to Azure RMS so that users outside of the Office 365 tenant can view protected emails.


The following elements must be accessible if you are using RMS and you want to open encrypted messages:
• The CRL
• Active Directory domain controllers

To configure RMS for mobile devices:
• On Exchange: Run Set-ActiveSyncMailboxPolicy and specify the IRMEnabled parameter
• AD RMS cluster: Add the federation mailbox to a super user group

Configure Edge:
• Create an Edge Subscription
• Allow SMTP traffic between the Edge and Mailbox server
• Allow TCP 50636 traffic from the Mailbox to the Edge server

Safety Net is used to store successfully sent messages for a period of time in a queue on the server.

When you use Outlook Anywhere with a private certificate, publish the CRL on a server which is accessible over the Internet.

The easiest way to block servers that are known as spam sources is to use IP Block List providers.

You can request a certificate for the Exchange servers with New-ExchangeCertificate. You should specify the PrivateKeyExportable parameter.

6. Migration / HA / Office 365

The minimum number of Exchange servers for HA is 2.

To prevent a split-brain condition if a restore operation of a DAG occurs, modify the Datacenter Activation Coordination (DAC) mode.

If you purchase a new domain and you want to use it as soon as possible with Exchange:
• Create an Authoritative accepted domain
• Modify the email address policy


To configure free/busy information exchange between two organisations:
• Create and configure a federation trust
• Create an organisation relationship
• Create a sharing policy

In the ECP you can centrally manage your on-premises and Office 365 environment.

If you are in a hybrid scenario and you discover that mail messages from Office 365 are still routed through the on-premises Exchange server, rerun the Hybrid Configuration Wizard.

On premises you can configure the following modifications for Azure Active Directory Sync:
• Only objects in the Sales OU must be synced to Office 365: Windows Azure Active Directory connector.
• Azure AD must be forced to replicate every hour: modification in the MicrosoftOnlineDirSyncScheduler.exe config file.
• The UPN of users must be updated in Office 365: Windows Azure Active Directory connector.

To make sure that only a specific group of devices is allowed to access Office 365 services from outside the company when ADFS 3.0 is deployed, you need to add claims to the Active Directory claims provider trust.

If you have ADFS and SSO deployed, only non-domain-joined endpoints will be asked to enter the password more than once.

To start a public folder migration from Exchange 2007 to Exchange 2013:
• Create a public folder mailbox on the Exchange 2013 server.
• Run New-PublicFolderMigrationRequest on the Exchange 2013 server.

If you move users cross-forest and you want internal users to still use the nickname in the cache that existed in Microsoft Outlook before their mailbox moved: for all of the users in the new organisation, add their LegacyExchangeDN value as an x500 proxy address.


Sequence to move public folders from Exchange 2010 to 2016:
• New-PublicFolderMigrationRequest.
• Set-OrganizationConfig.
• Set-PublicFolderMigrationRequest.
• Resume-PublicFolderMigrationRequest.

To export messages suspended on one server because of a failure, when you want to export the messages to a different drive and prevent duplicates:
• Suspend the messages in the queue
• Export the messages from the queue
• Remove the messages from the queue
• Copy the exported messages to the Replay directory


7. Power Shell examples

You need to configure anti-spam to meet the following requirements: email messages sent from the Internet to a distribution list named Executives must be rejected, and email messages that contain the words casino and jackpot must be rejected, unless they were sent to [email protected]. Use the following commands:
• Add-ContentFilterPhrase
• Set-ContentFilterConfig
• Set-RecipientFilterConfig

To specify the quarantine mailbox:
Set-ContentFilterConfig

To send a message that contains a log of all the server administrative actions:
New-AdminAuditLogSearch -ExternalAccess $true -StartDate 07/25/2013 -EndDate 10/24/2013 -StatusMailRecipients [email protected] -Name "Datacenter admin audit log"

To make modifications to a Send connector:
Set-SendConnector

To disable replication for the MapiDagNetwork and disable auto configuration:
Set-DatabaseAvailabilityGroup Dag1 -ManualDagNetworkConfiguration $true
Set-DatabaseAvailabilityGroupNetwork MapiDagNetwork -ReplicationEnabled $false

To modify the schedule of anti-spam definitions:
Set-MalwareFilteringServer EX01 -UpdateFrequency 10 -DeferWaitTime 10

If there is an organisation with multiple branch and regional offices and you want to configure that only people in the regional office and branches can send files with a specific size, run:
Set-AdSiteLink DEFAULT_IP_SITE_Link -ExchangeCost 25 -MaxMessageSize 10MB


To check the replication status of a machine in a DAG, for example to troubleshoot what prevents the database from being mounted, use:
Test-ReplicationHealth

To configure that a user can only pair 2 ActiveSync devices, use the command:
Set-ThrottlingPolicyAssociation

To prevent the transport agents from overloading the processors on one of the Exchange servers, use the command:
Set-WorkloadPolicy

The script Disable-AntimalwareScanning.ps1 deactivates malware filtering, but the engine still receives updates.

To configure that outbound traffic is proxied through the Exchange 2016 server, run Set-SendConnector and specify the -FrontendProxyEnabled $true parameter.

To create a public folder mailbox:
New-Mailbox -PublicFolder Testing

To activate Outlook Anywhere on an Exchange 2010 server, run:
Enable-OutlookAnywhere

To limit the amount of processor resources that the Exchange Server Transport service consumes:
• New-WorkloadManagementPolicy
• New-WorkloadPolicy
• Set-ExchangeServer

To repair items inside a user's In-Place Archive, run:
• New-MailboxRepairRequest

To reseed a mailbox, run:
• Update-MailboxDatabaseCopy


To remove the auto mapping permission from a mailbox:
• Remove-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess
• Add-MailboxPermission -Identity [email protected] -User [email protected] -AccessRights FullAccess -AutoMapping:$false

To configure the Unified Contact Store with Exchange 2016, run on the Exchange server:
.\Configure-EnterprisePartnerApplication.ps1

To configure that all deleted mailboxes must be recoverable for six months and are deleted after that:
Get-MailboxDatabase | Set-MailboxDatabase -MailboxRetention 180.00:00:00

To remove the Calendar Synchronisation Assistant workload from the workload management policy before you assign the policy to the servers:
Remove-WorkloadPolicy

To configure that users receive a notification if the delivery of a message is delayed for more than one hour:
Set-TransportService Mailbox01 -DelayNotificationTimeout 1:00:00

To ensure that only a user named User1 can add content to the public folder by using email:
Set-MailPublicFolder -Identity [email protected] -AcceptMessagesOnlyFrom "User1"

To wipe a phone:
Clear-MobileDevice

If there is a DAG over multiple AD sites and data centers and you want to configure that a copy of a DB must be available in a backup DC and is consistent before you move the DB to another server, run:
Set-MailboxDatabase DB7 -DataMoveReplicationConstraint SecondDatacenter

To configure that a group of users can send only 75 messages per minute:
New-ThrottlingPolicy limits -MessageRateLimit 75
$b = Get-ThrottlingPolicy limits
Set-Mailbox user01 -ThrottlingPolicy $b

To configure an Autodiscover scope for the servers:
Set-ClientAccessServer EX1 -AutodiscoverSiteScope "Site1","Site3"

To apply a custom workload management policy:
Set-ExchangeServer -Identity EX01 -WorkloadManagementPolicy Pol1

Block messages between group 1 and group 2 unless the email message contains the string Test, and send an NDR 5.7.3:
New-TransportRule "Block Messages" -BetweenMemberOf1 "Group1" -BetweenMemberOf2 "Group2" -SmtpRejectMessageRejectText "Test" -SmtpRejectMessageRejectStatusCode "5.7.3"

To install a custom App for OWA

• Run $Data = Get-Content -Path "C:\APPS\SOCIALMEDIAPP.XML" -Encoding Byte -ReadCount 0 > Establishes the Data variable, which defines the location of the Outlook App.
• Run New-App -FileData $Data > This statement and the statement above install socialmediapp.xml.
• Run the Set-App cmdlet > Enables the app.

To configure Outlook Anywhere for external access:
Set-OutlookAnywhere -ExternalHostname mail.fb.com -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl $true

To prevent messages that cannot be protected by shadow redundancy from being delivered:
Set-TransportConfig -RejectMessageOnShadowFailure $true

To configure external IMAPS:
Set-ImapSettings -ExternalConnectionSettings mail.fb.com:993:SSL

To enforce that mails from training.com are protected by using mutual TLS:
Set-TransportConfig -TLSReceiveDomainSecureList training.com

To configure that messages from Group 3 sent to Group 1 bypass moderation:
Set-DistributionGroup -Identity G1 -BypassModerationFromSendersOrMembers DG3


To see which DC Exchange writes its changes to:
Get-OrganizationConfig

If you have multiple GALs (virtual organisations) in the environment and it has been segregated using address book policies, a GAL1 user can view the information residing in the contact cards of a GAL2 user.

Install and Enable the Address Book Policy Routing agent

Install-TransportAgent -Name "ABP Routing Agent" -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.AddressBookPolicyRoutingAgent.AddressBookPolicyRoutingAgentFactory" -AssemblyPath $env:ExchangeInstallPath\TransportRoles\agents\AddressBookPolicyRoutingAgent\Microsoft.Exchange.Transport.Agent.AddressBookPolicyRoutingAgent.dll
Enable-TransportAgent "ABP Routing Agent"
Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

To provide users with the ability to access their mail from Internet Explorer even when the users are disconnected from the network, where this ability must only be available if the users log on to Outlook Web Access by using the private option:
Set-OwaVirtualDirectory -AllowOfflineOn PrivateComputersOnly -LogonPagePublicPrivateSelectionEnabled $true

To be able to recover email messages handled by the transport service for the next 5 days:
Set-TransportConfig -SafetyNetHoldTime 5.00:00:00

To define a send/receive quota for all databases:
Get-MailboxDatabase | Set-MailboxDatabase -ProhibitSendReceiveQuota 5GB

To set up the Scripting Agent:
• Edit the ScriptingAgentConfig.xml
• Copy the ScriptingAgentConfig.xml to all the Mailbox servers
• Run Enable-CmdletExtensionAgent "Scripting Agent"

To get the health status of the Store process:
Get-ServerHealth | where {$_.HealthSetName -eq "Store"} | Get-HealthReport


Remove messages with a specific subject without sending an NDR:
Get-TransportService | Get-Queue | Get-Message -ResultSize unlimited | where {$_.Subject -eq "This is an internal alert Test"} | Remove-Message -WithNDR $false

Defining the Autodiscover URI:
Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.trainining.com/autodiscover/autodiscover.xml

Bulk disable ActiveSync:
Get-CasMailbox -OrganizationalUnit Training | Set-CasMailbox -ActiveSyncEnabled $false

Exchange 2016 includes a script called CollectOverMetrics.ps1, which can be found in the Scripts folder. CollectOverMetrics.ps1 reads DAG member event logs to gather information about database operations (such as database mounts, moves, and failovers) over a specific time period.

Split-PublicFolderMailbox.ps1 can be used to move some of the public folders to another public folder mailbox in Exchange 2013. You can use New-PublicFolderMoveRequest as well.

Set-MsolUser is used to configure all settings for a user in Office 365, for example to unlock the account.

Configure retention for 2-year-old mails as soon as possible:
• Add a new retention tag in a new retention policy
• Assign the policy with Set-Mailbox
• Run Start-ManagedFolderAssistant

To test Exchange UM access:
Test-UMConnectivity

To get a list of all the calls received by a specific user:
Get-UMCallDataRecord

To perform an end-to-end test of the UM components:
Test-ExchangeUMCallFlow


To make sure that the UM service accepts encrypted and unencrypted VoIP traffic:
Set-UMService -Identity EX01 -UMStartupMode Dual

To configure dial plan settings, for example a user extension, use:
Set-UMDialPlan

To get statistics for all the calls for the last 12 months, use:
Get-UMCallSummaryReport

To find out which user is able, for example, to run the New-Mailbox command, use:
• Get-ManagementRoleEntry
• Get-ManagementRoleAssignment

Use the Get-ManagementRoleEntry cmdlet to retrieve management role entries that have been configured on management roles. Use the Get-ManagementRoleAssignment cmdlet to retrieve management role assignments.

To activate the sharing of free/busy information if the company is already verified against the Microsoft Federation Gateway:
Get-FederationInformation -DomainName training.com | New-OrganizationRelationship -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Use the Add-AvailabilityAddressSpace cmdlet to define the access method and associated credentials used to exchange free/busy data across forests.

Use the New-SharingPolicy cmdlet to create a sharing policy to regulate how users inside your organisation can share calendar and contact information with users outside the organisation. Users can only share this information after federation has been configured in Exchange.

If federation is configured with the Microsoft Federation Gateway, the certificate is about to expire and you want to configure the new certificate, use:
Set-FederationTrust

To activate litigation hold:
Set-Mailbox user1 -LitigationHoldEnabled $true


To configure audit and send a report to the administrator:
Set-Mailbox user01 -AuditEnabled $true -AuditLogAgeLimit 60.00:00:00 -AuditOwner Move,HardDelete
New-MailboxAuditLogSearch -ExternalAccess $true -StartDate 09/01/2013 -EndDate 10/24/2013 -StatusMailRecipients [email protected]

To configure that IRM-protected messages are excluded from the search results when performing an In-Place eDiscovery, run:
Set-IRMConfiguration -SearchEnabled $false

With Set-OwaVirtualDirectory -FailbackUrl you can configure a failback mechanism if the first OWA URL isn't working.

To ensure that the logs in the lagged database replay automatically if the number of healthy database copies of a DB is less than three during a 24-hour period, configure:
Set-DatabaseAvailabilityGroup DAG1 -ReplayLagManagerEnabled $true

To reseed a DB, run:
Update-MailboxDatabaseCopy -Identity DB1\EX02 -BeginSeed

The BeginSeed parameter is useful for scripting reseeds, because with this parameter the task asynchronously starts the seeding operation and then exits the cmdlet.
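Mailbox auditing from end to end, as an added example that is not part of the courseware: it enables auditing, confirms the settings, searches for non-owner access and mails a report. The mailbox user01 comes from the text above; the recipient secops@example.com and the 30-day window are assumptions.

```powershell
# Added example. Run in the Exchange Management Shell.
# Assumed values (not from the courseware): report recipient and search window.
$mailbox   = 'user01'
$recipient = 'secops@example.com'     # placeholder address
$start     = (Get-Date).AddDays(-30)
$end       = Get-Date

# 1. Enable auditing and state explicitly which actions are logged for each
#    logon type: the owner, delegates, and administrators.
Set-Mailbox -Identity $mailbox `
    -AuditEnabled $true `
    -AuditLogAgeLimit 60.00:00:00 `
    -AuditOwner    Move, HardDelete `
    -AuditDelegate SendAs, SendOnBehalf, Move, SoftDelete, HardDelete, FolderBind `
    -AuditAdmin    Copy, MessageBind, Move, SoftDelete, HardDelete, FolderBind

# 2. Read the settings back; an audit search over a mailbox that was never
#    enabled returns nothing and looks the same as "no access happened".
Get-Mailbox -Identity $mailbox |
    Format-List Name, AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# 3. Synchronous search for non-owner access (delegates and administrators).
#    -ShowDetails works with a single mailbox given through -Identity.
$entries = Search-MailboxAuditLog -Identity $mailbox `
    -LogonTypes Admin, Delegate `
    -StartDate $start -EndDate $end `
    -ShowDetails -ResultSize 1000

$entries |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName,
                  Operation, FolderPathName, OperationResult |
    Format-Table -AutoSize

# 4. Summary for triage: who touched the mailbox, with which operation, how often.
$entries |
    Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 5. Asynchronous search whose result is mailed as an attachment; this is the
#    form to use for long date ranges or several mailboxes.
New-MailboxAuditLogSearch -Name "Non-owner access to $mailbox" `
    -Mailboxes $mailbox `
    -LogonTypes Admin, Delegate `
    -StartDate $start -EndDate $end `
    -ShowDetails `
    -StatusMailRecipients $recipient
```

Entries older than the AuditLogAgeLimit are purged, so the search window in step 3 cannot usefully reach back further than the 60 days configured in step 1.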
