Exchange 2010 – Certificates for Client Access

How Certificates are Used

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols for securing communications between a client and a server and between servers; TLS is the successor to SSL, and the two names are often used interchangeably. For a Microsoft Exchange Server 2010 Client Access server, SSL (HTTPS) is used to help secure the client-facing services (Outlook Web App, Exchange ActiveSync, Outlook Anywhere, Exchange Web Services and Autodiscover), whilst TLS is used to secure SMTP communications between Exchange servers.  Both require an X.509 digital certificate on the server, and clients will only connect silently if they trust the Certification Authority (CA) that issued that certificate.

Types of Certificates

Certificates can be broken down into three types:

•Self-signed. When you install Exchange 2010, a self-signed certificate is configured automatically. It is signed by the server that created it rather than by a CA, so other computers have no reason to trust it: clients will warn about it unless the certificate is installed in their trusted root store by hand.
•Windows Public Key Infrastructure (PKI).  Organisations can deploy their own PKI (Active Directory Certificate Services).  If the issuing CA is an enterprise CA, its root certificate is published to Active Directory and domain-joined computers trust the certificates it issues automatically; non-domain devices (home PCs, phones) do not, so this type suits internal-only names.
•Trusted Third-Party. Third-party or commercial certificates are generated by a commercial CA whose root is already trusted by Windows, browsers and mobile devices, and are purchased for use on your network servers.  Microsoft maintain a list of recommended Unified Communications Certificate Partners at http://support.microsoft.com/kb/929395.
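The practical check that follows from this classification is whether the certificate actually bound to the Client Access services is still the self-signed one. The following is an added example, not code from the original post; it assumes an Exchange 2010 Management Shell session and uses the real Get-ExchangeCertificate cmdlet and the properties it returns (IsSelfSigned, Services, NotAfter, CertificateDomains).

```powershell
# Added example: inventory the certificates on this Exchange 2010 server and
# flag the ones that clients will not trust or that are about to expire.
# Assumes the Exchange Management Shell is loaded.
$certs = Get-ExchangeCertificate

# Overview table: which certificate is bound to which service.
$certs | Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter,
    @{ Name = "Services"; Expression = { $_.Services.ToString() } },
    @{ Name = "Domains";  Expression = { $_.CertificateDomains -join ", " } } |
    Format-Table -AutoSize

# A self-signed certificate still bound to IIS (the HTTPS Client Access services)
# will raise warnings on every client; replace it with a PKI or third-party one.
$certs | Where-Object { $_.IsSelfSigned -and ($_.Services.ToString() -match "IIS") } |
    ForEach-Object {
        Write-Warning "Self-signed certificate $($_.Thumbprint) is bound to IIS."
    }

# Certificates within 30 days of expiry, whoever issued them.
$certs | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    ForEach-Object {
        Write-Warning "Certificate $($_.Thumbprint) expires on $($_.NotAfter)."
    }
```

The Services property is a flags enumeration, so it is converted to a string before matching; a certificate used only for SMTP between servers is not flagged, since the warning only concerns what clients see.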


Datacenter Switchover – Updating DNS

As part of a Datacenter switchover, the DNS record of the CAS Array in the failed site should be updated to the IP address of the CAS Array (or server) in the new site.  This allows Autodiscover to continue to return the same FQDN for the RPCClientAccessServer while having it resolve to a different IP address, so Outlook profiles need no change.  Bear in mind that clients and other DNS servers will keep the old address until the record's TTL expires, so a short TTL on this record is part of the switchover design.

As most organisations will script the other steps necessary for a Datacenter switchover, it makes sense to script this DNS change too.  This can be done with the Get-WmiObject cmdlet (alias GWMI).  Generally when people use Get-WmiObject they access classes from the "Root\CIMv2" namespace.  As this is so common it is the default namespace for Get-WmiObject, so the -Namespace parameter is usually omitted.  Note that the call travels over DCOM/RPC to the DNS server and requires administrative rights there, so the account running the script and any firewalls between the sites must allow it.

To access DNS records we need to specify the "Root\MicrosoftDNS" namespace.  'A' resource records are exposed by the class "MicrosoftDNS_AType", and a WQL filter can be used to return only the record we want for the CAS Array (string values in the filter must be single-quoted).

# Backticks continue the command onto the next line; the filter is a WQL string.
$a = Get-WmiObject -ComputerName DNS01.bret-tech.com `
     -Namespace "root\MicrosoftDNS" `
     -Class MicrosoftDNS_AType `
     -Filter "OwnerName='CASArray.bret-tech.com'"

If the CAS Array has multiple IP addresses then $a will contain more than one object and ForEach will be required to loop through them individually; however, as a CAS Array represents a single shared (load-balanced) IP address there should only be one IP address, and a script should check that before changing anything.

To change the DNS record we call the Modify method on the returned object.  This method takes two parameters: the first is the Time to Live (TTL) of the record, and setting this to $null creates a static entry; the second is the new IP address as a string.

# No space is allowed between the method name and the opening parenthesis.
$a.Modify($null, "10.20.0.30")
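Put together as a switchover step, the change should refuse to run when the record is not in the expected state and should verify the result by re-querying DNS rather than trusting the in-memory object. The script below is an added example, not the post's own code; the DNS server, record name and addresses are the placeholders used above, and the ReturnValue check relies on PowerShell wrapping the WMI method result in an object that carries the method's return code.

```powershell
# Added example: update the CAS Array A record during a datacenter switchover,
# with pre- and post-checks.  Server, record and IP are placeholders.
param(
    [string]$DnsServer  = "DNS01.bret-tech.com",
    [string]$RecordName = "CASArray.bret-tech.com",
    [string]$NewIP      = "10.20.0.30"
)

function Get-CasArrayRecord {
    param([string]$Server, [string]$Name)
    # Always return an array so .Count is reliable even for a single record.
    @(Get-WmiObject -ComputerName $Server -Namespace "root\MicrosoftDNS" `
                    -Class MicrosoftDNS_AType -Filter "OwnerName='$Name'")
}

# Fail closed: a switchover script must not guess which of several records to change.
$records = Get-CasArrayRecord -Server $DnsServer -Name $RecordName
if ($records.Count -ne 1) {
    throw "Expected exactly one A record for $RecordName on $DnsServer, found $($records.Count)."
}
$record = $records[0]
Write-Host "Current: $($record.OwnerName) -> $($record.IPAddress) (TTL $($record.TTL))"

if ($record.IPAddress -eq $NewIP) {
    Write-Host "Record already points at $NewIP; nothing to do."
    return
}

# Modify(TTL, IPAddress).  $null TTL creates a static entry as described above;
# pass $record.TTL instead to keep the existing (ideally short) TTL.
$result = $record.Modify($null, $NewIP)
if ($result.ReturnValue -ne 0) {
    throw "Modify failed with WMI return code $($result.ReturnValue)."
}

# Verify against the DNS server, not the object we just modified.
$after = Get-CasArrayRecord -Server $DnsServer -Name $RecordName
if ($after.Count -ne 1 -or $after[0].IPAddress -ne $NewIP) {
    $seen = ($after | ForEach-Object { $_.IPAddress }) -join ","
    throw "Verification failed: $RecordName now resolves to '$seen'."
}
Write-Host "Updated: $RecordName -> $NewIP"
```

Run it from the surviving site with an account that is an administrator on the DNS server; the throw on an unexpected record count is deliberate, since during a switchover it is safer to stop and look than to modify the wrong record.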

Updating Email addresses programmatically

Recently I was asked the question: "Can you remove a mailbox from email address policies to stop the reply address changing, but still have additional email addresses added automatically?"  The answer is no, not using the standard admin tools, but you could write a script to do this.  Below is the script I wrote to prove the concept.

The key elements are:

1.  Identifying which mailboxes are not controlled with email address policies.

# -ResultSize Unlimited: Get-Mailbox otherwise returns at most 1000 objects.
$Addresses = @(Get-Mailbox -ResultSize Unlimited `
      -Filter {EmailAddressPolicyEnabled -eq $false})

2.  Extracting the current email addresses and appending an additional one.  (Generate-Address is a function I wrote in the script that generates the email address in the format specified by the user running the script; $af1 and $af2 are the format arguments the user supplies.)

# Current addresses as plain strings, e.g. "SMTP:user@domain" (primary) or "smtp:..." (secondary).
$old = @($Mailbox.EmailAddresses | ForEach-Object `
      {$_.ProxyAddressString})
# Build the new address from the user-supplied format arguments and append it.
$new = Generate-Address $af1 $af2 $Mailbox
$old += $new

3.  Setting the new list of email addresses back to the mailbox with Set-Mailbox -EmailAddresses.  That parameter replaces the whole list, which is why the existing addresses are collected first and the new one appended, and why the new address is added with a lowercase "smtp:" prefix so that the existing "SMTP:" primary (reply) address is left alone.
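The three steps assembled into one runnable proof of concept, as an added example rather than the author's script: the Generate-Address function here is my own illustration of the helper the post mentions, and its format arguments ($af1 as a local-part pattern with %g, %s and %a tokens, $af2 as the domain) are assumptions about what the author's version accepted. It requires the Exchange 2010 Management Shell.

```powershell
# Added example: append a generated secondary SMTP address to every mailbox
# that is excluded from email address policies, leaving the primary untouched.
# $af1 / $af2 semantics are assumed; -WhatIf previews the changes.
param(
    [string]$af1 = "%g.%s",        # local-part pattern: %g given name, %s surname, %a alias
    [string]$af2 = "example.com",  # domain to append (placeholder)
    [switch]$WhatIf
)

function Generate-Address {
    param([string]$Pattern, [string]$Domain, $Mailbox)
    # Names live on the user object, not the mailbox object.
    $user  = Get-User -Identity $Mailbox.Identity
    $local = $Pattern.Replace("%g", $user.FirstName).Replace("%s", $user.LastName).Replace("%a", $Mailbox.Alias)
    # Keep only characters safe in a local part and normalise case.
    $local = ($local -replace '[^a-zA-Z0-9._-]', '').ToLower()
    if (-not $local) { throw "Pattern produced an empty local part for $($Mailbox.Alias)" }
    # Lowercase "smtp:" marks a secondary address; "SMTP:" would make it primary.
    "smtp:$local@$Domain"
}

# 1. Mailboxes not governed by email address policies (avoid the 1000-object default cap).
$Addresses = @(Get-Mailbox -ResultSize Unlimited -Filter { EmailAddressPolicyEnabled -eq $false })

foreach ($Mailbox in $Addresses) {
    # 2. Current addresses as strings, plus the generated one.
    $old = @($Mailbox.EmailAddresses | ForEach-Object { $_.ProxyAddressString })
    $new = Generate-Address $af1 $af2 $Mailbox

    # -eq is case-insensitive, so "SMTP:x@y" and "smtp:x@y" count as already present
    # and we never add a duplicate of the primary address.
    if ($old | Where-Object { $_ -eq $new }) {
        Write-Verbose "$($Mailbox.Alias): $new already present, skipping"
        continue
    }
    $old += $new

    # 3. Write the complete list back; -EmailAddresses replaces the whole set.
    Set-Mailbox -Identity $Mailbox.Identity -EmailAddresses $old -WhatIf:$WhatIf
}
```

Run it with -WhatIf -Verbose first and review the proposed Set-Mailbox calls; because -EmailAddresses replaces the list, a bug in the address collection would remove addresses rather than add one, which is the failure mode the duplicate check and the preview are there to catch.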

Using a Hash Table to format data

When you use Format-Table you can choose which of the object's properties to show as columns.

Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" | Format-Table DeviceID, Size, FreeSpace

Instead of specifying just a property name you can use a Hash Table to have more control, including: what the column header will be, calculating values to be shown (Win32_LogicalDisk has no PercentFree property, so it has to be derived), and formatting the data.

Get-WMIObject Win32_LogicalDisk -Filter "DriveType=3" | Format-Table DeviceID, FreeSpace, @{Label = "Percent Free" ; Expression = {$_.FreeSpace / $_.Size}}

To control the data in the Hash Table we need to provide the following name/value pairs:

  • Label (or Name or n) / The text to be displayed in the column heading
  • Expression (or e) / The calculated value to be shown, as a script block in which $_ is the current object
  • FormatString (or f), optional / A .NET format string applied to the value, e.g. "P1" to show the fraction above as a percentage

Adding the Hash Table to the Format-Table command can lead to some long, hard-to-read commands.  One technique to tidy this up is to save each Hash Table as a variable first, and then to refer to the variable names in the Format-Table command.
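The variable technique applied to the disk example, as an added example that is not from the original post. It goes slightly beyond the post by also using the Width and Alignment keys, which Format-Table accepts in the same hash table, and by reusing the calculated column with Select-Object so the value can be filtered rather than only displayed.

```powershell
# Added example: calculated columns kept in variables and reused.
$PercentFree = @{
    Label        = "Percent Free"
    Expression   = { $_.FreeSpace / $_.Size }   # a fraction; FormatString renders it
    FormatString = "P1"                          # percentage with one decimal place
    Width        = 12
    Alignment    = "Right"
}
$SizeGB = @{ n = "Size (GB)"; e = { $_.Size / 1GB };      f = "N2" }   # short aliases n/e/f
$FreeGB = @{ n = "Free (GB)"; e = { $_.FreeSpace / 1GB }; f = "N2" }

$disks = Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3"

# The Format-Table line is now readable, and the column definitions can be reused.
$disks | Format-Table DeviceID, $SizeGB, $FreeGB, $PercentFree -AutoSize

# Select-Object understands Name/Expression only (FormatString, Width and Alignment
# are Format-* keys), so pass just those two to get a filterable object.
$disks | Select-Object DeviceID, @{ n = $PercentFree.Label; e = $PercentFree.Expression } |
    Where-Object { $_."Percent Free" -lt 0.10 } |
    ForEach-Object { Write-Warning "$($_.DeviceID) has less than 10% free space" }
```

Keeping the calculation in a Select-Object pipeline and the presentation in Format-Table is the usual split: Format-* output is for eyes only and cannot be piped on for filtering or export.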