Exchange mailbox/folders permissions – dependency graph between users.

Following solution uses GraphViz application to visualize mailboxpermissions dependencies in the company.

Some time ago I published a scripts for reading mailbox permissions:

https://paweljarosz.wordpress.com/2016/03/04/script-to-check-mailbox-permissions/

and mailbox folder permissions:

https://paweljarosz.wordpress.com/2016/05/28/powershell-script-to-check-permissions-on-mailbox-folders-also-recursively/

If some of you are wondering what GraphViz is, a quick look on google graphics and phrase “graphviz”, gives us an idea of how gorgeous graphs it can create:

fancy_graphviz.JPG

All the GraphViz needs is to have properly formatted input file – that’s it!

68543429.jpg

The need of having such script showed up as one time I was standing in front of migrating users to Exchange Online. I started to wonder how shall I visualize in a simply way, who need to be migrated together…

vlcsnap-2012-06-20-22h11m40s86.png

It was not an easy task, going though a excel/csv file, or even creating lists were not satisfying for me, so I started to think about it more, even during meals…

hqdefault

And then I found GraphViz:

http://www.graphviz.org/

It was looking really good! So now just a matter of quick reading about it checking if it will apply…

tumblr_m1kpqqLxkj1r8yo2fo1_1280

…reviewing the idea…

eeddcbaa20c45eb5c3e1e4e3c73c330f

…some calculations…

ik53723e34

And after all that research the idea became clear…

homer-simpson-donut-dream

As I mentioned at the beginning, input file can be done with one of the mailbox permissions / mailbox folder permissions reading scripts – links provided on the top (you might need to change delimiters a little bit as I guess in these files are “;” but go for adventure and modify something :))

The proper input should look like:

The_Input_File

So it has columns named “Mailbox”, “User” and “AccessRights”

And now the script. In organization I was building script for – it appeared that we have so many permissions I almost shat brikcs when I saw the actual output (graph)…

Just take a look by yourself, here is just a very small piece of graph when I was checking dependencies of just one mailbox – mine:

giphy.gif

Silly_Permissions

Let’s go closer:

Silly_Permissions

really

Imagine now that whole dependency graph contained like 10 more same chunks/pieces, 10 more, 10 fuck*ng times!

Well, I needed somehow to…

dealwithitdrgrant.gif

So the idea of migrating people together in chunks fell down and broke into pieces :] but at least we have that nice script.

  1. First thing is to get GraphViz application and install it:

Here you can find it:

http://www.graphviz.org/Download_windows.php

After installation all you need to to read your mailbox permissions – you can choose to read it with scripts from links given at the beginning of that article.

     2. Next thing, is to set up 3 variables:

GraphViz_variables.JPG

$GraphImageFile = “GraphImageFile.png” -> this is the name/path of your output file – actual graph

$GraphGraphVizFile = “GraphVizFile.gv” -> this is the name/path of the input file that will be passed to GraphViz to visualize your data, it will look similar to this one:

GraphViz_File

$CSVPermissionsFile = “Permissions.csv” –> and finally this is the input file for the script – so output from your script that reads permissions from mailboxes

    3. Having CSV we can start reading permissions, so here are some examples.

After running below:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz”

Permissions_1_PS

We will get:

Permissions_1

Users mentioned in “Users” array will be marked on blue, nice arrows will show direction of permissions 🙂

After running:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz” -SingleUser $true

Permissions_2_PS

We will get:

Permissions_2

And finally after running same but with “level” set to 1 we will get:

.\PermissionMatrixGraphBuilder.ps1 -users “Pawel Jarosz”, “Wladek Ksiegowicz” -Level 1

Permissions_3_PS.jpg

That will runthough the whole file ONLY ONE TIME, and what we will get would be something like:

Permissions_3.jpg

So summing up – for me script does a good job when it comes to visualize data that would be actually really hard to see from a excel file.

It is just an easy script, please note that you can add here features like:

  • adding description to each “connection” saying to which folder permissions are given
  • reading mailboxes sizes and adding them to the graph so it can ease planing of migration of certain groups of people
  • remember – possibilities are endless:

 

possibilities1possibilities2

 

Script can be found on TechNet and GitHub.

 

Advertisements

Exchange 2016 how to change ECP language

Just installed Exchange 2016, opened OWA – I chose polish language, then opened ECP and first impression was like: ‘Ok, Great! Now how to change language to English…’ 🙂 Same like Exchange 2013, if we choose timezone and language for OWA, same will be set for us in ECP (actually same like in other versions, but in Ex2013 we really use that ECP as we do not have other console).

So here is nice Nuno’s article telling how to change it:

http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2013/ManagementAdministration/how-change-exchange-2013-eac-language.html

Easiest way: simply add ?mkt=EN-us to the EAC’s URL: https://mail.domain.com/ecp?mkt=EN-us

SingleItemRecovery in Exchange 2013, recovering emails from Purges folder with Search-Mailbox cmdlet.

Sometimes I got a call from a user claiming that some data from his mailbox has been removed by an invisible force.

Usually I am able to find lost folder/files under other sub folder (Well! Would you look at that!)

User then tries to tell he/she didn’t do anything. IT WAS OUTLOOK!

tea_thinkerYup, definitely Outlook…

There are moments when items indeed haven’t been moved but deleted. What options do we have? Here I would like to highlight functionality called “Single Item Recovery”. To enable it we can use:

Set-Mailbox <mailbox_name> -SingleItemRecoveryEnabled $true

single_item_recovery_1

What happens when user deletes data from his mailbox? Those go to “Deleted items” on the first place, later, if item has been removed from there as well it goes to “Recover Deleted Items”, that allows user to recover items from Outlook doing those 4 steps:

single_item_recovery_2

When user removed the elements from above place, items go to another folder that is not visible for user – called “Purges”.

There is a great article about that work-flow on technet:

https://technet.microsoft.com/en-us/library/ee364755%28v=exchg.150%29.aspx

Below picture comes from there as well:

single_item_recovery_3On testuser1 I have removed everything from “recover deleted items” but one item – just to let you see how it would be visible. To get number of items that are sits in “Purges” we can use below command:

Get-MailboxFolderStatistics -Identity “<mailbox_name>” -FolderScope RecoverableItems -IncludeAnalysis | ft

single_item_recovery_4So we clearly see here that there is something we can recover, there is also one item in “Deletions” and that folder shows us items in “Recover Deleted Items” option in Outlook.

Now how to get those elements from there? We can use Search-mailbox query for that:

Search-Mailbox <source_mailbox_name> -TargetMailbox <destination_mailbox_name> -TargetFolder ODZYSK3 -SearchDumpsterOnly

With SearchDumpsterOnly we specify scope of our search only for “Deletions” and “Purges” – it is not searching in “Deleted Items” folder as you would think of.

single_item_recovery_5

single_item_recovery_6Interesting thing is, if any of the messages that have been recovered has had already been read – here in that example where we haven’t had read any of them – that status would be remembered, and that status would be also reflected in the target mailbox after recovery. So for example if 4 messages that were in purges were read, the unread counter on the Purges folder in target mailbox will show us 3135.

What we can do now is to export that to PST and import to the proper mailbox 🙂

We need to do it that way as we cannot give name of the target mailbox same as the source mailbox in Search-Mailbox cmdlet.

So hey! We have recovered the deleted elements! We didn’t let to surprise ourselves, we were prepared! Just like Ross 😀

single_item_recovery_7

Circular logging and adding new (second) database copy in Exchange 2013 DAG

Database “<DB_NAME>” has circular logging enabled. It is not possible to add or remove database copies while circular
logging is enabled. Please disable circular logging before adding or removing mailbox database copies. – this kind of error you might receive when trying to run command: Add-MailboxDatabaseCopy

Adding new (second) mailbox database copy in DAG enforces on us turning off JET circular logging on the database, of course we need to do it only when creating the first copy.

When you try to do it without it you might see below error:

circular_logging_1

Disabling DB copy can be made using command:

Set-MailboxDatabase wrodb02 -CircularLoggingEnabled $false

So after that we are getting below message with a reminder abut dismounting database:

circular_logging_2But let’s say what will happen if we won’t believe in that and we will try to add DB copy without re-mounting the database?

We may get:

The seeding operation failed. Error: An error occurred while performing the seed operation. Error: Failed to open a
log truncation context to source server ‘<SERVER_NAME>’. Hresult: 0xc7ff07db. Error: Failed to open a log
truncation context because ESE-level circular logging is enabled. Please dismount and then mount the database.

circular_logging_3Ok, so now I definitely see that this cannot be done this way, I knew that, but now we’ve tested it.

It ain’t that I don’t understand what they give in books.

circular_logging_9I just want to try what would happen! 😉

However, after re-mounting the DB, and trying to add DB copy we got another error though:

The database “WRODB02” already has a copy hosted on server “<SERVER_NAME>”. Choose a different server.

circular_logging_4

Weird, so it looks like the database is already mounted, checking that…and yeah, it is!:

circular_logging_5Ok! So let’s resume the database copy:

circular_logging_6

Hell yeah! So actually I was thinking that despite of warning it worked, no need to re-mount the database. Buuut.. my joy was not lasting long, after few minute I got “FailedAndSuspended” status. I thought that it was somehow fault of “ContentIndexState” was “Suspended”, but repairing that didn’t help:

circular_logging_7So..I ended up with full update of the database from the other server.

After the database is already in DAG, there is no need for dismounting it when switching On/Off from circular logging, that goes smoothly without need of re-mounting it:

circular_logging_8

Creating DAG on Windows Server 2012 R2 and Exchange 2013 SP1 without Administrative Access Point? YES!

So we know that creation of DAG was always connected to creating a DAG computer object in AD, when using Windows Server 2012 or 2013 R2 pre-staging of  the CNO in AD is required.

So we use one additional computer account, and an IP address. However, Is it possible to create a DAG not having those at all? The answer is – YES and here is the great article telling us how to do it:

Cluster Administrative Access Point and Database Availability Group

bender_applauze

Dynamic memory for Exchange 2013 – why not supported?

Recommendation why to not to use dynamic disks on crucial applications might be explained quite easily – since system is saving new stuff on the disk, each save operation equals disk expansion – which takes valuable time. But what is so special with Exchange and dynamic memory which usage is also not recommended by Microsoft?

Bhargav Shukla and Paul Robichaux in their book “Core Solutions of Microsoft Exchange Server 2013 (MCSE)” explain why dynamic memory might be a problem for Exchange 2013, here is the piece that is very interesting:

“Exchange 2013 code is optimized to strike a balance between the efficient use of memory and reducing the I/O footprint. To achieve these efficiencies, Exchange relies on a calculated cache for each database being hosted on the server, as well as the memory reserved for Exchange subsystems. When dynamic memory is in use, this can result in incorrect memory calculations and it can cause Exchange to start with less memory than is available.”

So that makes sense, and here is the place where RAM allocation is shown in a really nice way:

http://blogs.technet.com/b/samdrey/archive/2014/02/03/exchange-2013-memory-ram-allocation-by-the-store-with-an-example.aspx

Also interesting thing is that oversubscription of processor is supported, the recommended ratio is 1:1 (of course ;]), but supported is 2:1, so that would mean that for ex. 1 physical CPU of an ESX host, can be shared only between two machines (Exchange or any other).

Capacity planning for Exchange

As I am preparing now for MCSE in Exchange 2013 and reviewing book for 70-341 exam [Core Solutions of Microsoft Exchange Server 2013 (MCSE)].

Just going through chapter about capacity planning and found some useful links in relation to that, thought worth sharing:

How to Calculate Your Disk I/O Requirements (Exchange 2003)

https://technet.microsoft.com/en-us/library/bb125019%28v=exchg.65%29.aspx

Exchange 2013 Server Role Requirements Calculator v7.6

https://gallery.technet.microsoft.com/office/Exchange-2013-Server-Role-f8a61780

Disk Performance Testing with JetStress 2013

http://www.msexchange.org/articles-tutorials/exchange-server-2013/planning-architecture/disk-performance-testing-jetstress-2013.html

Exchange 2010 Sizing Cheat Sheet

http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-2010-sizing-cheat-sheet.html

Exchange 2013 Mailbox Role Counters (Advanced)

https://thwack.solarwinds.com/docs/DOC-171452

Ask the Perf Guy: Sizing Exchange 2013 Deployments

http://blogs.technet.com/b/exchange/archive/2013/05/06/ask-the-perf-guy-sizing-exchange-2013-deployments.aspx

Virtualization of Exchange 2013

https://technet.microsoft.com/en-us/library/jj619301