Monday, 14 April 2014

Document finger printing with DLP in Exchange 2013 SP1

Exchange 2013 SP1 introduced many new features; one of them is document fingerprinting for Data Loss Prevention (DLP).

DLP is available to administrators via the EAC or through a set of PowerShell cmdlets.

In the EAC, Data Loss Prevention sits under compliance management.

With Exchange 2013 SP1 the impact document fingerprinting has made is immediately visible to the administrator in the EAC.

So let's create a document fingerprint from a document template.

I have created in Microsoft Word a simple document template with a detailed page footer. With document fingerprinting we can upload this template into DLP, and any document sent by a user that matches the fingerprint of my template will trigger DLP into action.

Let's upload my document to DLP. I click on 'Manage document fingerprints'.

I select Add and give the new document fingerprint a name and description.

I select Add again to upload my document template.

Once uploaded (and note I can upload multiple documents) click 'Save'.

So I now have a document fingerprint uploaded and can see it under 'Oliver Test'.

However upon closing the window I am back at Data Loss Prevention, and no DLP policies are configured.

This is because we now have to create one and match it against the document fingerprint we have just created.

Click + to create a new DLP policy and select 'New custom DLP policy'.

Give the new custom policy a name, set it to enabled, and for the time being leave the mode as 'Test DLP policy without Policy Tips'.

Once saved we need to open it

We can now specify some rules. Select rules in the left pane

We'll add a new rule

I will create a rule based on 'Notify sender when sensitive information is sent outside the organization'.

I am leaving the rule on its defaults for this demo and will drill into 'Select sensitive information types' as shown above.

From here I can add my document fingerprint as a sensitive information type.

Once added it is appended to the sensitive information types. Note that I can add more if I wish, which avoids the need for additional DLP policies.

We must now define the rule's actions.

I am choosing to create an incident report and send it to someone in my organisation,

and include certain message properties I am interested in.

So what happens if someone sends an email with a document that matches my template?

Once the sender has sent the email, the person or group chosen in the rule is alerted immediately.

You can see the report includes the message properties I selected and also a copy of the email, which I specified in the custom DLP policy.
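The same fingerprint, policy and incident-report rule can be built from the Exchange Management Shell. The block below is an added example, not code from the original post; the template path, the policy and rule names and the incident mailbox are placeholders assumed for this example, and only the fingerprint name 'Oliver Test' comes from the walkthrough.

```powershell
# Added example (not from the original post): the same fingerprint, DLP policy
# and incident-report rule the EAC walkthrough builds, created from the
# Exchange Management Shell instead. The template path, policy/rule names and
# incident mailbox below are placeholders assumed for this example.

$templatePath    = 'C:\DLP\CorporateTemplate.docx'   # assumed: your Word template
$fingerprintName = 'Oliver Test'                      # the name used in the post
$incidentMailbox = 'dlp-incidents@contoso.com'        # assumed: who gets the report

# 1. Read the template as raw bytes and turn it into a fingerprint.
$bytes = [System.IO.File]::ReadAllBytes($templatePath)
$fp = New-Fingerprint -FileData $bytes -Description 'Corporate document template'

# 2. Wrap the fingerprint in a custom sensitive information type so rules can
#    reference it by name. -Fingerprints accepts an array, so several
#    templates can share one classification (as the EAC dialog allows).
New-DataClassification -Name $fingerprintName -Fingerprints $fp `
    -Description 'Documents derived from the corporate template' | Out-Null

# 3. Create the custom DLP policy in 'Test DLP policy without Policy Tips'
#    mode, which is -Mode Audit in the shell (AuditAndNotify = with Policy
#    Tips, Enforce = block).
$policy = New-DlpPolicy -Name 'Corporate template protection' -Mode Audit -State Enabled

# 4. The rule: notify the sender when the classification leaves the org and
#    generate an incident report with the selected properties plus the
#    original message attached.
New-TransportRule -Name 'Corporate template sent outside the organization' `
    -DlpPolicy $policy.Name `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = $fingerprintName } `
    -NotifySender NotifyOnly `
    -GenerateIncidentReport $incidentMailbox `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetail, DataClassifications, AttachOriginalMail |
    Out-Null

# 5. Verify what was created before switching the policy to Enforce.
Get-DataClassification -Identity $fingerprintName | Format-List Name, Fingerprints
Get-TransportRule | Where-Object { $_.DlpPolicy -eq $policy.Name } |
    Format-List Name, State, Mode, MessageContainsDataClassifications, GenerateIncidentReport
```

Leaving the policy in Audit mode while you send test messages gives you the incident reports without affecting users; once the matches look right, `Set-DlpPolicy -Identity 'Corporate template protection' -Mode Enforce` turns it on for real. Because the incident report attaches the original message, the incident mailbox itself now holds copies of sensitive documents and should be locked down accordingly.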

This is a fantastic feature in Exchange 2013 SP1 that allows organisations to create DLP fingerprints for all corporate document templates and then build DLP policy workflows to ensure those documents are controlled and managed in the enterprise with Exchange 2013 Data Loss Prevention.

DLP requires an Enterprise CAL, but the cost of the CAL versus the additional cost of third-party tools to achieve the same functionality may well make the CAL upsell and native support the best option for organisations looking to implement this feature.

For more information on Data Loss Prevention document fingerprinting in Exchange Server 2013 SP1 please see the following articles:

For a comprehensive list of DLP PowerShell cmdlets see:

Take care,

Oliver Moazzezi - MVP Exchange Server

Wednesday, 2 April 2014

Rolling back the Unified Contact Store

The first blog of April '14. Rather than get down at not being at MEC I thought I would do something positive and push this out. Enjoy.

Exchange 2013 and Lync 2013 work better together. Microsoft has made strong progress in ensuring these premium server products are tightly coupled when deployed together; "better together" is the terminology we hear, and indeed it is true. In fact there is a strong coupling across a range of server products (Exchange, Lync and SharePoint) and the assumption can only be that this will continue to improve in the next waves.

Lync and Exchange require a few different setup configurations for all elements to work correctly. We have the Trusted Application Pool setup for Exchange IM integration into OWA (I blogged it here), and we have the OAuth integration that provides the Unified Contact Store, or UCS, as well as other features like online meeting creation in OWA and Lync IM archiving into Exchange.

Today I don't want to go into detail on OAuth integration between Exchange and Lync; this has been covered many times in blogs over the last few months. Instead I want to concentrate on rolling back the Unified Contact Store for users, or at least a subset of users, which hasn't been covered before.

The Unified Contact Store instructs Lync to place all contacts for Lync-enabled users into Exchange, specifically into the user's Exchange mailbox, provided they have a policy that allows it.

Let's take a look in Outlook Web App to see what I'm talking about:

So it's a great feature and it makes a lot of sense. Why would you want to revoke it? Well that's a good question, so here's a few examples.

You might be in a hybrid configuration with Office 365 where UCS with Lync on-premises is not supported
The user might not have a mailbox at all, or might be on a legacy version of Exchange (different cases, but both mean you must have UCS and non-UCS policies in place and know when to use each)
The user might have corruption in their mailbox causing duplicate Lync contacts or similar, so you might want to roll UCS back for the user whilst you fix their mailbox

So taking that on board, let's take a look at my user, Test1. (I am looking at 'Configuration Information', reached by holding Ctrl and right-clicking the Lync icon in the system tray.)

We can see UCS is enabled. It explicitly states under 'UCS Connectivity State' that the Exchange connection is active, and the Contact List Provider is 'UCS'. Fantastic.

So what do we have to do to revoke UCS for my Test1 user? Read on.

1. First of all we need to create, if one doesn't exist already, a policy that does not allow UCS. Check what policies you have:

   Get-CsUserServicesPolicy

   I only have a Global one here and you can see UCS is allowed. So let's create a new one that does not have UCS enabled.

2. Create a new policy:

   New-CsUserServicesPolicy -Identity UCSdisable -UcsAllowed $false

   Call it whatever you want, but you will likely want to make it clear that it has UCS disabled.

3. We now need to grant our UCSdisable policy to our test user:

   Grant-CsUserServicesPolicy -Identity Test1 -PolicyName UCSdisable

4. Let us confirm the user now has the policy that denies UCS (Get-CsUser is the on-premises cmdlet; the UserServicesPolicy column should read UCSdisable for Test1):

   Get-CsUser | Select-Object SipAddress, UserServicesPolicy

5. Finally we roll back UCS on the user. This takes the Lync contacts out of the Exchange mailbox and places them back into Lync Server:

   Invoke-CsUcsRollback -Identity Test1

6. It may take a good 10 minutes (or longer if the user has hundreds of Lync contacts) before this process completes. When you then check the user's Lync client configuration information, you should be able to confirm UCS is disabled.

And that's the process completed. You can then define, for the scenarios above, who can have UCS enabled and who has to continue to use Lync Server as their Contact List Provider, dependent on your needs, or just document the steps for your DR plans.

One thing to note: if you invoke the rollback from UCS to Lync but do not grant the user a policy that disables UCS, after 7 days Lync will start pushing all the contacts back into Exchange.
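The steps above for one user, wrapped into a script that handles a list of users and refuses to roll anyone back until the UCS-disabled policy is actually in effect on them (so the 7-day re-migration cannot bite). This is an added example, not code from the original post; the policy name UCSdisable is the one the post uses, and the SIP addresses are placeholders.

```powershell
# Added example (not from the original post): bulk UCS rollback for a list of
# users. The policy name 'UCSdisable' is the one the post creates; the SIP
# addresses are placeholders. Run from the Lync Server Management Shell.

$policyName = 'UCSdisable'
$users = @('sip:test1@contoso.com', 'sip:test2@contoso.com')   # assumed identities

# 1. Create the UCS-denying per-user policy only if it does not exist yet.
if (-not (Get-CsUserServicesPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsUserServicesPolicy -Identity $policyName -UcsAllowed $false | Out-Null
    Write-Host "Created policy $policyName (UcsAllowed = False)"
}

foreach ($u in $users) {
    # 2. Grant the policy BEFORE the rollback. Without it, Lync migrates the
    #    contacts back into the Exchange mailbox after 7 days.
    Grant-CsUserServicesPolicy -Identity $u -PolicyName $policyName

    # 3. Confirm the effective policy on the user object; skip the rollback if
    #    the grant did not take (e.g. the identity did not resolve).
    $effective = (Get-CsUser -Identity $u -ErrorAction SilentlyContinue).UserServicesPolicy
    if ("$effective" -ne $policyName) {
        Write-Warning "$u has policy '$effective', not $policyName; skipping rollback"
        continue
    }

    # 4. Move the contact list from the Exchange mailbox back to Lync Server.
    Invoke-CsUcsRollback -Identity $u -Confirm:$false
    Write-Host "Rollback requested for $u (allow 10+ minutes, longer for large contact lists)"
}

# 5. Report who is on the UCS-denying policy and who is still on Global.
Get-CsUser | Select-Object SipAddress, UserServicesPolicy | Sort-Object UserServicesPolicy
```

The rollback is asynchronous, so the final listing only proves the policy assignment; confirm the Contact List Provider has changed to Lync Server in each user's client configuration information as the post does, or re-run the listing after the 10-minute window.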

Take care,
Oliver Moazzezi - MVP Exchange Server

Tuesday, 25 March 2014

Customising Exchange 2013 Outlook Web App

The question over the last year has been whether it is supported to customise Exchange 2013 OWA and, if it is supported as in previous versions of Exchange, where the TechNet documentation is.

TechNet Forum threads going back as far as April 2013, and indeed many blog posts, exist about toying with customisation of the OWA logon page, for example here and here. But apparently no official guidance existed.

So in the TechNet Forums thread I responded to here, I said I would find out from the Exchange PG where that guidance was.

Well that answer came into my inbox yesterday courtesy of Microsoft:

The official Technet Exchange 2013 OWA customisation articles are here:

Customize the Outlook Web App Sign-In, Language Selection, and Error Pages

Create a Theme for Outlook Web App

Now the confusion arises because these articles are for Exchange 2013, but they tell the reader they are really for Exchange 2010 SP2.

I have been informed that this will be cleared up imminently and they will correctly say they apply to Exchange 2013.

So if you want to customise Exchange 2013 OWA to your heart's content within the realms of supportability, use the two TechNet articles above. And if in the meantime they still say they apply to Exchange 2010 SP2, don't be put off; use them confidently.


Take care,
Oliver Moazzezi - MVP Exchange Server

Wednesday, 15 January 2014

Exchange 2013 DAG Seeding Error: An address incompatible with the requested protocol was used

Recently this issue came up in our test lab whilst updating to and testing Exchange 2013 CU3.

"The mailbox database copy 'DATABASE\SERVER has failed to update from server . Do you want to clean up that
update request now? Seeding cannot be requested for the same database copy until the failed request has been cleaned up
by the server, which should automatically happen within 15 minutes.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):"

Prompting Yes then presented this error:

"The seeding operation failed. Error: An error occurred while performing the seed operation. Error: An error occurred
while communicating with server 'SERVER'. Error: An address incompatible with the requested protocol was used
    + CategoryInfo          : InvalidOperation: (:) [Update-MailboxDatabaseCopy], SeedInProgressException
    + FullyQualifiedErrorId : [Server=SERVER,RequestId=6e64fbd7-a753-453d-805c-704363ec7495,TimeStamp=03/01/201
   4 11:34:54] A35E0624,Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateDatabaseCopy
    + PSComputerName        :"

Additionally this was logged in Event Viewer:

Subsequent retries failed to successfully seed the database.

However, once the Replication service was restarted on the DAG member, the issue was resolved and seeding was successful.

Test-ReplicationHealth was not run to see whether it would have given any insight into the offending DAG member. It would be interesting to see whether it provides any more useful information. You can find the TechNet article on the cmdlet here.
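The recovery the post describes, with the Test-ReplicationHealth check it says was skipped, as an added example rather than code from the original post. The database copy name is a placeholder, and it is assumed the DAG member to restart is the server holding the copy being seeded. Restarting MSExchangeRepl pauses log shipping for every copy on that server, so outside a lab run this in a maintenance window.

```powershell
# Added example (not from the original post): check replication health on the
# DAG member, restart the Replication service only if the checks fail, then
# retry the seed. 'DATABASE\SERVER' is a placeholder for <database>\<server>.

$dbCopy = 'DATABASE\SERVER'                 # assumed: the copy that failed to seed
$server = ($dbCopy -split '\\')[1]          # the DAG member hosting that copy

function Test-DagMember([string]$Name) {
    # Returns $true only when every Test-ReplicationHealth check passes;
    # anything else (Failed or Warning) is printed for the operator.
    $results = Test-ReplicationHealth -Identity $Name
    $notPassed = @($results | Where-Object { $_.Result -ne 'Passed' })
    if ($notPassed.Count -gt 0) {
        $notPassed | Format-Table Check, Result, Error -AutoSize
    }
    return ($notPassed.Count -eq 0)
}

if (-not (Test-DagMember $server)) {
    Write-Warning "Replication health checks did not pass on $server; restarting MSExchangeRepl"
    # Piping a remote ServiceController into Restart-Service restarts it on that host.
    Get-Service -Name MSExchangeRepl -ComputerName $server | Restart-Service
    Start-Sleep -Seconds 30
}

# Retry the seed. Update-MailboxDatabaseCopy offers to clean up the earlier
# failed request itself (the prompt quoted above); -Confirm:$false accepts it.
Update-MailboxDatabaseCopy -Identity $dbCopy -Confirm:$false

# Show the result: Status should move from Seeding to Healthy.
Get-MailboxDatabaseCopyStatus -Identity $dbCopy |
    Format-List Status, ContentIndexState, CopyQueueLength, ReplayQueueLength
```

If the health checks pass and the seed still fails with the same error, the restart is worth trying regardless, since that is what cleared it here; the checks just tell you in advance whether the Replication service on that member is already unhappy.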

Take care,
Oliver Moazzezi - MVP Exchange Server

Monday, 13 January 2014

Distribution Groups and Lync 2013 LHPv2 - Part 3

Please see here for Part 1, and here for Part 2

The final part of Distribution Groups and Lync 2013 LHPv2!

This part automates the SQL clean up with the use of the SQL Stored Procedure 'rtcDeleteABEntry'.

In Part 1 we used a T-SQL statement to delete the offending ObjectGUID from the rtcab database, as can be seen here:

This is fine for a single deletion or a very small number of deletions, but not so great if you have many ObjectGUIDs that need to be deleted for a tenant.

The following script automates this for you. Be aware that you need to export the ObjectGUIDs to a CSV first, which was covered in step 5 of Part 1.

#Distribution Groups and Lync 2013 LHPv2 – Bulk SQL deletion
#  Oliver Moazzezi 2014
# SQL automation help gratefully received from James Sperring – thanks!

$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
$SqlConnection.ConnectionString = "Server=.;Database=rtcab;Integrated Security=True"

# CSV with a 'Guid' column, as produced by the export in Part 1
$guids = Import-Csv C:\test.csv
$spName = "RtcDeleteAbEntry"
$paramName = "@_AdObjectGuid"

$SqlConnection.Open()
try {
  foreach ($g in $guids.Guid) {
    Write-Host "Executing $spName for $g"

    # Cast validates the value; a malformed GUID stops the script here
    # rather than being handed to SQL
    $guid = [guid]$g

    $SqlCmd = New-Object System.Data.SqlClient.SqlCommand
    $SqlCmd.CommandType = [System.Data.CommandType]::StoredProcedure
    $SqlCmd.CommandText = $spName
    $SqlCmd.Connection = $SqlConnection
    $parameter = $SqlCmd.Parameters.Add($paramName, [System.Data.SqlDbType]::UniqueIdentifier)
    $parameter.Value = $guid

    $SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
    $SqlAdapter.SelectCommand = $SqlCmd
    $DataSet = New-Object System.Data.DataSet

    # Fill executes the stored procedure; it prints 0 because the procedure
    # returns no result set
    $SqlAdapter.Fill($DataSet)
  }
}
finally {
  $SqlConnection.Close()
}

Write-Host "All Tenants GUIDs have been removed from the rtcab database. Remember to run Update-CsAddressBook" -foregroundcolor red -backgroundcolor yellow

Save it locally as a .ps1 script.

Update "$guids = Import-Csv C:\test.csv" to the location of your CSV file, otherwise simply name your CSV test.csv at the root of C:\. The script reads the 'Guid' column that the export in Part 1 produces.

Also note that the line "$SqlConnection.ConnectionString = "Server=.;Database=rtcab;Integrated Security=True"" points to the local SQL server, as I have used "."; change this to the name of the server (and instance) hosting the rtcab database if you aren't running it locally! Integrated Security means the stored procedure runs as the Windows account that launched PowerShell, so that account needs execute rights on RtcDeleteAbEntry.

Once it has run in PowerShell you will see the following output:

Each 0 is the row count returned by the stored procedure call (it returns no result set), which means the command completed successfully.

And finally after this has completed ensure that you run Update-CsAddressBook !


Oliver Moazzezi - MVP Exchange Server

Friday, 10 January 2014

Distribution Groups and Lync 2013 LHPv2 - Part 2

Yesterday I posted Part 1 of this blog here, so thought it prudent to get Part 2 out of the door as soon as possible.

Part 1 showed how to make existing mail-enabled Distribution Groups show up within the Lync client for Lync 2013 LHPv2 tenants. This part shows how to bulk prep all Distribution Groups for a tenant in Active Directory, ready for removal from SQL via the rtcDeleteAbEntry stored procedure.

1. Import-Module ActiveDirectory

This loads the Active Directory module into the shell.

2. We now need to take the ObjectGUID of the tenant's OU and write it into the msRTCSIP-GroupingID and msRTCSIP-TenantID attributes of each Distribution Group. Yesterday this was a manual process against a single Distribution Group to show you how it worked. Today we'll script it in PowerShell so you can update all Distribution Groups for a tenant.

Take the distinguishedName of the tenant's OU (I am using the same tenant as I did for Part 1). Run in the Exchange Management Shell:

$OU = "OU=TestLyncPlan2013,OU=Provider,OU=Hosting,DC=hslab2,DC=net"

$OUObject = Get-ADOrganizationalUnit -Identity $OU

$GUID = $OUObject.ObjectGUID

What this does is look up the Organizational Unit by its distinguishedName and store the OU's ObjectGUID in $GUID.

3. If you want we can then do a quick count of the groups in the tenant's OU (note that -Filter * returns security groups too, if any live there):

(Get-ADGroup -SearchBase $OU -Filter *).Count

4. We will now bulk set the missing msRTCSIP-GroupingID on all the Distribution Groups above.

Get-ADGroup -SearchBase $OU -Filter * -Properties msRTCSIP-GroupingID | Set-ADGroup -Replace @{'msRTCSIP-GroupingID'=$GUID}

This retrieves the Distribution Groups via the Get-ADGroup cmdlet along with the property msRTCSIP-GroupingID, then tells Set-ADGroup to replace whatever value it finds with $GUID.

5. Let's now do the same again for msRTCSIP-TenantID:

Get-ADGroup -SearchBase $OU -Filter * -Properties msRTCSIP-TenantID | Set-ADGroup -Replace @{'msRTCSIP-TenantID'=$GUID}

6. That's it, all done!

We can turn this into a PowerShell script. It would look like the following (copy it into a .ps1 file locally):

# Lync 2013 LHPv2 Distribution Group bulk set for msRTCSIP-GroupingID and msRTCSIP-TenantID
# Oliver Moazzezi 2014

Import-Module ActiveDirectory

$OU = "Enter tenants DistinguishedName for OU here"

$OUObject = Get-ADOrganizationalUnit -Identity $OU

# The tenant OU's ObjectGUID is the value both attributes must carry
$GUID = $OUObject.ObjectGUID

Write-Host "The total number of Distribution Groups for the Tenant is:"
(Get-ADGroup -SearchBase $OU -Filter * -Properties msRTCSIP-GroupingID).Count

#We will now set the msRTCSIP-GroupingID

Get-ADGroup -SearchBase $OU -Filter * -Properties msRTCSIP-GroupingID | Set-ADGroup -Replace @{'msRTCSIP-GroupingID'=$GUID}

#We will now set the msRTCSIP-TenantID:

Get-ADGroup -SearchBase $OU -Filter * -Properties msRTCSIP-TenantID | Set-ADGroup -Replace @{'msRTCSIP-TenantID'=$GUID}

Write-Host "Distribution Group attributes completed successfully" -ForegroundColor Yellow

So now all the tenant's Distribution Groups have the correct multi-tenant attributes set. You can now export all their ObjectGUIDs as covered in Part 1, and begin the task of deleting them via the rtcDeleteAbEntry SQL stored procedure.

Part 3 will cover bulk automating that!
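Stamping the attributes blind and then exporting is fine in a lab; in production you want to know that every group really carries the tenant GUID before you start deleting address book entries. The block below is an added example, not code from the original posts: it restricts itself to distribution groups, stamps only the ones that are missing or wrong (so re-running it is harmless), verifies the result, and writes the ObjectGUIDs to the 'Guid' column that the Part 3 script reads. The OU distinguishedName is the one from the post and the CSV path is the one Part 3 defaults to; both are placeholders. It assumes, as the post's Set-ADGroup -Replace does, that the attributes hold the GUID in its string form.

```powershell
# Added example (not from the original posts): stamp, verify and export a
# tenant's distribution groups for the rtcab clean-up in Part 3.
# Assumptions: the OU DN and CSV path are placeholders; the two msRTCSIP
# attributes store the GUID as a string (what the post's -Replace writes).

Import-Module ActiveDirectory

$OU      = 'OU=TestLyncPlan2013,OU=Provider,OU=Hosting,DC=hslab2,DC=net'   # tenant OU from the post
$csvPath = 'C:\test.csv'                                                    # path the Part 3 script reads
$tenantGuid = (Get-ADOrganizationalUnit -Identity $OU).ObjectGUID
$attrs = 'msRTCSIP-GroupingID', 'msRTCSIP-TenantID'

function Test-TenantStamp($group, [guid]$expected) {
    # $true when both attributes already equal the tenant OU's GUID
    ("$($group.'msRTCSIP-GroupingID')" -eq "$expected") -and
    ("$($group.'msRTCSIP-TenantID')"   -eq "$expected")
}

# Only distribution groups matter to the Lync address book; leave any
# security groups in the same OU alone (the post's -Filter * included both).
$groups = @(Get-ADGroup -SearchBase $OU -Filter { GroupCategory -eq 'Distribution' } -Properties $attrs)
Write-Host ("Found {0} distribution groups in {1}" -f $groups.Count, $OU)

# Stamp only what is missing or wrong, so a second run is a no-op.
foreach ($g in $groups) {
    if (-not (Test-TenantStamp $g $tenantGuid)) {
        Set-ADGroup -Identity $g -Replace @{
            'msRTCSIP-GroupingID' = $tenantGuid
            'msRTCSIP-TenantID'   = $tenantGuid
        }
        Write-Host "Stamped $($g.Name)"
    }
}

# Verify by re-reading, and stop before anything is exported if a group
# still disagrees with the tenant GUID.
$check = @(Get-ADGroup -SearchBase $OU -Filter { GroupCategory -eq 'Distribution' } -Properties $attrs)
$bad = @($check | Where-Object { -not (Test-TenantStamp $_ $tenantGuid) })
if ($bad.Count -gt 0) {
    $bad | Select-Object Name, 'msRTCSIP-GroupingID', 'msRTCSIP-TenantID' | Format-Table -AutoSize
    throw "$($bad.Count) group(s) still carry the wrong tenant attributes; fix them before deleting from rtcab"
}

# Export the ObjectGUIDs under the header 'Guid', which Part 3 expects.
$check | Select-Object @{ Name = 'Guid'; Expression = { $_.ObjectGUID.ToString() } } |
    Export-Csv -Path $csvPath -NoTypeInformation
Write-Host "Exported $($check.Count) GUIDs to $csvPath. Next: run the rtcab clean-up, then Update-CsAddressBook."
```

Run it against one tenant at a time: the CSV it writes is the input to the Part 3 deletion, and mixing tenants in one file makes it much harder to tell afterwards which address book entries were removed for whom.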

Take care

Oliver Moazzezi - MVP Exchange Server

Thursday, 9 January 2014

Distribution Groups and Lync 2013 LHPv2 - Part 1

The Lync 2013 LHPv2 official documentation goes into some detail about setting up users for tenant creation; however it does not state what to do for Distribution Groups, nor how to make mail-enabled Distribution Groups work within the Lync client if a tenant already has Exchange and enables Lync as an add-on later. This is especially relevant seeing that Lync 2013 LHPv2 came to market later than Exchange 2013.

Because no documentation or blog post on this exists anywhere on the Internet, I thought it a worthy addition to my 2014 blogs!

I also want to state this is Part 1 of a 3 part overview of Distribution Groups in LHPv2.

This part, Part 1, will cover the entire end to end process for making Distribution Groups show up, expand and work in the Lync client for an LHPv2 tenant.

Part 2 – this will cover automating the steps required in Active Directory on a per tenant basis

Part 3 – this will cover automating the steps required in SQL Server on a per tenant basis.

As you can see, by Part 3 both the technical detail and the automated procedures should be in place to deal with this process once and for all. Which is great if you have a tenant with 300 Distribution Groups!

Firstly, for anyone looking for the official Lync 2013 LHPv2 documentation it is here:

I recommend reading it. Please also be aware it is sensible to have a sound understanding of Lync, Active Directory and SQL to get the best out of this breakdown. A sound understanding of LHPv2 is also a wise investment (again, read the official documentation linked above), so take some time to read it if you haven't already, before proceeding.

Please see the end of this post if you are creating new (vanilla) Distribution Groups rather than fixing existing ones.

1. Ensure you have added the msRTCSIP-TenantID and msRTCSIP-GroupingID attributes to the required distribution group. Copy them from a user within the tenant that is already created, or take the ObjectGUID of the tenant's OU itself.

2. It is a good idea to wait for AD replication to occur – especially if you are multi site and do not have change based notification enabled. Go grab a cup of coffee.

3. Grab the distinguishedName from the Tenants OU in Active Directory:

4. From the Exchange Management Shell run the following including the Tenants OU distinguishedName from the previous step:

Get-DistributionGroup -OrganizationalUnit "distinguishedName here"

5. As we can successfully retrieve the tenant's distribution groups, we will now export this data:

Get-DistributionGroup -OrganizationalUnit "distinguishedName here" |select guid |export-csv c:\GUIDExport.csv

This exports the ObjectGUID of each Distribution Group to a CSV with a 'Guid' column:

6. We now need to open SQL Management Studio on the SQL server that is hosting the rtcab database, which holds the address book query data. If you have a SQL mirror you can use the following command to work out which is the Principal and which is the Mirror:

Get-CsDatabaseMirrorState -PoolFqdn "Your Front End Pool FQDN holding the CMS"

7. Once in SQL Management Studio, search under 'rtcab' for the 'RtcDeleteAbEntry' Stored Procedure

8. Take the first GUID from your exported CSV and create a new Query. Run the following:

exec [dbo].[RtcDeleteAbEntry] 'Enter GUID here'

9. Finally Execute your SP. You will see the command completes successfully:

10. Repeat this for the remaining GUIDs you have.

11. Finally, open the Lync Server Management Shell and run:

Update-CsAddressBook

This starts the address book service trawling Active Directory, picking up the Distribution Groups you just deleted from rtcab and adding them back with the correct multi-tenant attributes.

12. Once the above process has completed you should see the Distribution Group now working for your Tenant. This can take anything from 15 minutes to an hour or so depending on the size of your deployment.  Enjoy!

So that is the entire end to end process to fix broken Distribution Groups in Lync 2013 LHPv2.

I did say I would cover vanilla DL creation, as a lot less work is required. These are the steps.

1. Create your Distribution Groups and ensure they are NOT mail-enabled at this point. This is very important, otherwise the Lync address book service will pick them up and add them to the rtcab database before the tenant attributes are in place.

2. Ensure you have added the msRTCSIP-TenantID and msRTCSIP-GroupingID attributes to the required distribution group. Copy them from a user within the tenant that is already created, or take the ObjectGUID of the tenant's OU itself.

3. Wait for AD replication of the previous step to complete; you are then free to mail-enable the groups for Exchange use.

4. Once the address book service has run, it will automatically add them to the tenant without any more work. If you want to speed this up, change the times your address book service runs (the default is once every 24 hours), or invoke Update-CsAddressBook at your leisure. If you want to check the schedule, invoke Get-CsAddressBookConfiguration.
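The four vanilla steps as one script, added here as an example and not code from the original post. The ordering is the whole point: the group is created with the tenant attributes in the same write and is only mail-enabled after every domain controller reports the attributes, so the address book service can never see a mail-enabled group without them. The tenant OU distinguishedName is the one from the post; the group name is a placeholder. It assumes the Active Directory module is loaded in an Exchange Management Shell session (for Enable-DistributionGroup) and that Update-CsAddressBook is run from the Lync Server Management Shell.

```powershell
# Added example (not from the original post): create a tenant distribution
# group in the order the vanilla steps require. Placeholders: group name;
# the OU DN is the tenant OU used in the post.

Import-Module ActiveDirectory

$OU         = 'OU=TestLyncPlan2013,OU=Provider,OU=Hosting,DC=hslab2,DC=net'  # tenant OU from the post
$groupName  = 'Tenant Sales DL'                                               # placeholder
$samName    = $groupName -replace ' ', ''
$tenantGuid = (Get-ADOrganizationalUnit -Identity $OU).ObjectGUID

# Step 1 + 2: a plain AD distribution group (no mail attributes yet) with the
# Lync multi-tenant attributes stamped in the same write. Universal scope is
# required before Exchange will mail-enable it.
$group = New-ADGroup -Name $groupName -SamAccountName $samName `
    -GroupCategory Distribution -GroupScope Universal -Path $OU -PassThru `
    -OtherAttributes @{
        'msRTCSIP-GroupingID' = $tenantGuid
        'msRTCSIP-TenantID'   = $tenantGuid
    }

# Step 3a: wait until every DC in the domain returns the group WITH the tenant
# attribute, so mail-enabling cannot race ahead of replication.
function Test-ReplicatedEverywhere([string]$Name, [string]$SearchBase, [guid]$Expected) {
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $copy = Get-ADGroup -Server $dc -SearchBase $SearchBase -Filter "Name -eq '$Name'" `
                            -Properties 'msRTCSIP-TenantID'
        if (-not $copy -or "$($copy.'msRTCSIP-TenantID')" -ne "$Expected") {
            Write-Host "Waiting for $dc ..."
            return $false
        }
    }
    return $true
}
while (-not (Test-ReplicatedEverywhere $groupName $OU $tenantGuid)) {
    Start-Sleep -Seconds 30
}

# Step 3b: now it is safe to mail-enable for Exchange (Exchange Management Shell).
Enable-DistributionGroup -Identity $group.DistinguishedName

# Step 4: kick the address book sync instead of waiting for the daily run
# (Lync Server Management Shell).
Update-CsAddressBook
```

If your environment has change notification between sites the wait loop exits almost immediately; where it does not, the loop is what turns "go grab a cup of coffee" into a verified condition rather than a guess.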

So that's it, how to get Distribution Groups working in Lync 2013 LHPv2 in its entirety. If at this point you are still having issues, there are two things to check:

The first: ensure you are testing as an external user! Hit the external web services, not the internal ones. I had issues with internal web services, which is no surprise as LHPv2 has no concept of internal users.

The Second: Ensure Group Expansion is enabled. You can check this using Get-CsWebServiceConfiguration:

If it isn't you can set it to True using the following command: Set-CsWebServiceConfiguration –EnableGroupExpansion $true

Parts 2 and 3 will follow later this week.

Take care,

Oliver Moazzezi - MVP Exchange Server