Task 3: Analyze output from the Exchange Mailbox Server Role Requirements Calculator
1. In the E2013Calc, click on the Role Requirements tab.
2. Review the calculated requirements provided in this sheet.
3. Click the Distribution sheet.
4. Click Fail Server for each server. Observe where the databases will be distributed.
5. Click Export DAG Scripts.
6. In the Storage Calculator Export Scripts window, click OK twice.
7. Click the LUN Requirements sheet. Review the calculated requirements provided in this sheet.
8. Click the Backup Requirements sheet. Review calculated requirements provided in this sheet.
9. Click the Replication Requirements sheet. Review the calculated requirements provided in this
sheet.
10. Click the Storage Design sheet. Review the calculated requirements provided in this sheet.
11. Open File Explorer, and navigate to C:\Files.
12. Right-click the CreateMBDatabases.ps1 file, and select Edit. Review the contents of the generated
script.
13. Right-click the CreateMBDatabaseCopies.ps1 file, and select Edit. Review the contents of the
generated script.
14. Right-click the Diskpart.ps1 file, and select Edit. Review the contents of the generated script.
15. Close the Windows PowerShell ISE window.
Task 4: Discuss the solution with the instructor and the class
1. Discuss the solution provided by the Exchange Mailbox Server Role Requirements Calculator with
other students and with the instructor.
2. Change the values on the Input tab of the Exchange Mailbox Server Role Requirements Calculator,
and see how that reflects on the results that this tool provides.
31. In the New iSCSI Virtual Disk Wizard, on the Select iSCSI virtual disk location page, under Storage
location, click C:, and then click Next.
32. On the Specify iSCSI virtual disk name page, in the Name box, type iSCSIDisk3, and then click
Next.
33. On the Specify iSCSI virtual disk size page, in the Size box, type 500, make sure MB is selected in
the drop-down list, and then click Next.
34. On the Assign iSCSI target page, click lon-mbx1, and then click Next.
35. On the Confirm selections page, click Create.
36. On the View results page, wait until the creation is completed, and then click Close.
Task 2: Connect Exchange Server to the storage
1. On LON-MBX1, click the Desktop tile.
2. From the task bar, click Server Manager.
3. In Server Manager, click Tools, and then click iSCSI Initiator.
4. In the Microsoft iSCSI dialog box, click Yes.
5. Click the Discovery tab.
6. Click Discover Portal.
7. In the IP address or DNS name box, type 172.16.0.10, and then click OK.
8. Click the Targets tab.
9. Click Refresh.
10. In the Targets list, select iqn.1991-05.com.microsoft:lon-dc1-lon-mbx1-target, and then click
Connect.
11. Select Add this connection to the list of Favorite Targets, and then click OK two times.
Task 3: Configure storage
1. On LON-MBX1, in Server Manager, click Tools, and then click Computer Management.
2. Expand Storage, and then click Disk Management.
3. Right-click Disk 1, and then click Online.
4. Right-click Disk 1, and then click Initialize disk. In the Initialize Disk dialog box, click OK.
5. Right-click the unallocated space next to Disk 1, and then click New Simple Volume.
6. On the Welcome to the New Simple Volume Wizard page, click Next.
7. On the Specify Volume Size page, click Next.
8. On the Assign Drive Letter or Path page, click Next.
9. On the Format Partition page, in the Volume Label box, type DB1. Select the Perform a quick format
check box, and then click Next.
10. Click Finish. (Note: If a Microsoft Windows window pops up with a prompt to format the disk, click
Cancel.)
11. Repeat steps 3 through 10 for Disk 2 and Disk 3. (Note: Use DB2 and Logs for Volume Labels,
respectively.)
12. Close the Computer Management window.
11. On LON-CAS1, in the EAC, on the groups tab, click New, and then click Dynamic distribution group.
12. Fill in the following information:
3. At the command prompt, type the following command, and press Enter.
Update-GlobalAddressList -id TreyResearchGAL
4. At the command prompt, type the following command, and press Enter.
New-OfflineAddressBook -Name TreyResearchOAB -AddressLists TreyResearch
5. At the command prompt, type the following command, and press Enter.
New-AddressList -Name TreyResearchRooms -RecipientContainer TreyResearch -IncludedRecipients Resources
6. At the command prompt, type the following command, and press Enter.
Update-AddressList TreyResearchRooms
7. At the command prompt, type the following command, and press Enter.
Set-OfflineAddressBook -id "TreyResearchOAB" -VirtualDirectories "LON-CAS1\oab (Default Web Site)","LON-MBX1\oab (Exchange Back End)"
8. At the command prompt, type the following command, and press Enter.
Update-OfflineAddressBook -id "TreyResearchOAB"
9. At the command prompt, type the following command, and press Enter.
New-AddressBookPolicy -Name TreyResearchABP -AddressLists \TreyResearch -OfflineAddressBook TreyResearchOAB -GlobalAddressList TreyResearchGAL -RoomList \TreyResearchRooms
10. At the command prompt, type the following command, and press Enter.
Get-Mailbox -OrganizationalUnit TreyResearch | Set-Mailbox -AddressBookPolicy TreyResearchABP
27. In the Outlook Web App window, click the Settings icon in the top right corner, and click Options.
28. Under options, click groups.
29. Under distribution groups I belong to, click Join.
30. In the all groups dialog box, double-click Trey_SalesMgrs.
31. In the Trey_SalesMgrs dialog box, click Join.
32. Review the error message stating that the group is closed and click ok. Click close.
33. In the all groups dialog box, double-click TreyResearchNews.
34. In the TreyResearchNews dialog box, click Join.
35. Close the all groups dialog box, and verify that Aaron is now a member of the TreyResearchNews
distribution group. Close Internet Explorer.
36. In Outlook 2013, click New Email.
37. In the To box, type treyintegration@adatum.com. Type a subject and short message and click
Send.
38. Open Internet Explorer, and connect to https://lon-cas1.adatum.com/owa.
39. Sign in as adatum\aidan using the password Pa$$w0rd. Click save.
40. In the Outlook Web App window, verify that Aidan received the message sent to the
treyintegration dynamic distribution group.
8. Click finish.
9. Make sure that mail.adatum.com appears in the list.
10. Click on mail.adatum.com, and click the pencil icon on the toolbar.
11. Click services.
12. Select IIS, and click save.
in GPO. For mobile devices, you can use configuration utilities to distribute certificates, or you can
send a Root CA certificate file in an email to all users with a smartphone, along with instructions on
how to import it.
11. Is there a way to control hardware features of mobile devices?
Exchange Server 2013 does not support policies for hardware control on mobile devices.
12. Can you implement certificate-based authentication for mobile devices?
Currently, certificate-based authentication is selectively supported. You should check with mobile
platform vendors to see if this feature is supported.
13. How will you implement the requirement for deleting content from a lost mobile device?
For deleting the content on a lost mobile device, you should train users on how to use the Remote
Wipe functionality available in the Exchange Outlook Web App interface.
How will you achieve the requirement that settings be consistent on each mobile device?
You can implement a mobile-device mailbox policy to achieve consistent settings.
How will you implement the password requirements on your mobile device?
You will enforce password requirements to all devices that connect to your Exchange by
implementing appropriate policy.
How will you implement the requirements for quarantine?
Requirements for quarantine can be implemented by configuring mobile device access options in the
Exchange Administration Center.
Task 2: Configure mailbox policies for mobile devices
1. On LON-CAS1, switch to Internet Explorer and in the EAC, click mobile, and then click mobile
device mailbox policies.
2. Click the New icon.
3. In the new mobile device mailbox policy window, type Adatum Mobiles for the policy name.
4. Select the This is the default policy check box.
5. Do not select the Allow mobile devices that don't fully support these policies to synchronize
check box.
6. Select the Require a password check box.
7. Select the Require an alphanumeric password check box.
8. Select 2 in the drop-down box called Password must include this many character sets.
9. Select the Minimum password length check box, and type 5 in the text box.
10. Select the Number of sign-in failures before device is wiped check box, and type 4 in the text box.
11. Select the Require sign-in after device has been inactive for check box, and type 5 in the text box.
12. Click save.
Task 3: Configure device access rules
1. On LON-CAS1, in the EAC, click mobile, and then click mobile device access.
2. Click the edit button.
3. In the Exchange ActiveSync access settings window, click Quarantine - Let me decide to block or
allow later.
4. In the Quarantine Notification Email Messages section, click the Add icon.
5. In the Select Administrators window, select Administrator, click add, and then click ok.
6. In the text box below, type the following text: Your device is temporary in quarantine. The
Administrator will examine your request and will allow or block your connection according to the policy.
7. Click save.
8. In the Device Access Rules pane, click the New icon.
9. In the new device access rule, in the Device family section, click browse.
10. In the Device Family window, click All families, and then click ok.
11. Under the Only this model section, click browse. Verify that no devices are listed, and then click
cancel. In a production environment, you could expect to see several models listed here.
12. In the new device access rule window, click Quarantine - Let me decide to block or allow later.
13. Click cancel.
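The settings from Tasks 2 and 3 expressed in the Exchange Management Shell, followed by a check that the stored policy still matches them. This is an added example, not part of the course material; the notification address administrator@adatum.com is an assumption for the Administrator account selected in the EAC.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell.
# Values are the ones entered in Tasks 2 and 3 of the lab.
$policyName   = 'Adatum Mobiles'
$adminAddress = 'administrator@adatum.com'   # assumption: Administrator's mailbox address

# Task 2: default policy that refuses devices unable to enforce the settings.
New-MobileDeviceMailboxPolicy -Name $policyName `
    -IsDefault $true `
    -AllowNonProvisionableDevices $false `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordComplexCharacters 2 `
    -MinPasswordLength 5 `
    -MaxPasswordFailedAttempts 4 `
    -MaxInactivityTimeLock '00:05:00'

# Task 3: unknown devices are quarantined and the administrator is notified.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $adminAddress `
    -UserMailInsert ('Your device is temporary in quarantine. The Administrator will ' +
        'examine your request and will allow or block your connection according to the policy.')

# Drift check: compare what Exchange stores against what the lab configured.
$expected = [ordered]@{
    IsDefault                    = $true
    AllowNonProvisionableDevices = $false
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $true
    MinPasswordComplexCharacters = 2
    MinPasswordLength            = 5
    MaxPasswordFailedAttempts    = 4
    MaxInactivityTimeLock        = '00:05:00'
}
$actual = Get-MobileDeviceMailboxPolicy -Identity $policyName
$drift  = 0
foreach ($name in $expected.Keys) {
    # Compare as strings so wrapped types (Unlimited<int>, time spans) match plain values.
    $want = [string]$expected[$name]
    $have = [string]$actual.$name
    if ($have -ne $want) {
        Write-Warning "$policyName : $name is '$have', expected '$want'"
        $drift++
    }
}

$org = Get-ActiveSyncOrganizationSettings
if ([string]$org.DefaultAccessLevel -ne 'Quarantine') {
    Write-Warning "DefaultAccessLevel is '$($org.DefaultAccessLevel)', expected 'Quarantine'"
    $drift++
}
if ($drift -eq 0) { Write-Host 'Mobile device policy and quarantine settings match the lab values.' }

# Devices currently waiting for an allow or block decision.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { [string]$_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceModel, DeviceOS, DeviceId
```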
3. Click Certificates and then click Add. Select Computer account and click Next.
4. Select Local computer, and then click Finish. Click OK.
5. Expand Certificates, expand Personal, and then click on Certificates.
6. Right-click the certificate Webmail.adatum.com, navigate to All Tasks, and select Export.
7. On the Welcome page, click Next.
8. On the Export Private Key page, select Yes, export the private key and click Next.
9. On the Export File Format page, click Next.
10. On the Security page, select Password and type Pa$$w0rd in both fields. Click Next.
11. On the File to Export page, type C:\CAS1.pfx as the file name, and then click Next.
12. Click Finish. In the pop-up window, click OK. Close Console1 and click No to the Save console settings
to Console1? prompt.
13. Switch to LON-TMG machine.
14. On LON-TMG, click Start. In the Search box, type MMC, and then press Enter.
15. On the File menu, click Add/Remove Snap-in.
16. On the Add or Remove Snap-in page, click Certificates, and then click Add.
17. Click Computer account, click Next, click Finish, and then click OK.
18. Expand Certificates, right-click Personal, point to All Tasks, and then click Import.
19. On the Certificate Import Wizard page, click Next.
20. On the File to Import page, type \\LON-CAS1\C$\CAS1.pfx, and then click Next.
21. On the Password page, type Pa$$w0rd in the Password field, and then click Next.
22. On the Certificate Store page, click Next, and then click Finish.
23. Click OK, and then close Console1 without saving changes.
24. On LON-TMG, click Start, point to All Programs, click Microsoft Forefront TMG, and then click
Forefront TMG Management.
25. Expand Forefront TMG (LON-TMG), and then click Firewall Policy.
26. On the Firewall Policy Tasks pane, on the Tasks tab, click Publish Exchange Web Client Access.
27. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA Rule, and then
click Next.
28. On the Select Services page, in the Exchange version list, click Exchange Server 2010, select the
Outlook Web Access check box, and then click Next.
29. On the Publishing Type page, click Next.
30. On the Server Connection Security page, ensure that Use SSL to connect the published Web server
or server farm is configured, and then click Next.
31. On the Internal Publishing Details page, in the Internal site name text box, type
LON-CAS1.Adatum.com, and then click Next.
32. On the Public Name Details page, ensure that This domain name (type below) is configured in the
Accept requests for drop-down list. In the Public name box, type webmail.Adatum.com, and then click
Next.
33. On the Select Web Listener page, click New.
34. On the Welcome to the New Web Listener Wizard page, type HTTPS Listener, and then click Next.
35. On the Client Connection Security page, ensure that Require SSL secured connections with clients is
selected, and then click Next.
36. On the Web Listener IP Addresses page, select the External check box, and then click Next.
37. On the Listener SSL Certificates page, click Select Certificate.
38. In the Select Certificate dialog box, click Webmail.adatum.com, click Select, and then click Next.
39. On the Authentication Settings page, accept the default of HTML Form Authentication, and then
click Next.
40. On the Single Sign On Settings page, type Adatum.com as the single sign-on (SSO) domain name,
click Next, and then click Finish.
41. On the Select Web Listener page, click Next.
42. On the Authentication Delegation page, accept the default of Basic authentication, and then click
Next.
43. On the User Sets page, accept the default, and then click Next.
44. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
45. Click Apply twice to apply the changes, and then click OK when the changes have been applied.
46. Switch to the LON-CAS1 machine.
47. Switch to Internet Explorer and in the EAC, click servers in Feature pane.
48. Click virtual directories tab.
49. On the virtual directories tab, double-click owa (Default Web Site) LON-CAS1.
50. In the External URL box, type https://webmail.adatum.com/owa.
51. Click authentication, and then click Use one or more standard authentication methods, and then
select the Basic Authentication check box, and click save. Read the information on the window that
appears, and click ok.
52. On the virtual directories tab, double-click ecp (Default Web Site) LON-CAS1.
53. In the External URL box, type https://webmail.adatum.com/ecp.
54. Click authentication, and then click Use one or more standard authentication methods, and then
select the Basic Authentication check box, and click save.
55. Click yes on the warning window. Click ok.
56. Open the Windows PowerShell. At the PS prompt, type IISReset /noforce, and then press Enter.
57. Wait until IIS service restarts.
58. Switch back to LON-TMG machine.
59. In the Forefront TMG console, double-click OWA rule.
60. In the OWA rule properties window, click on the Application Settings tab.
61. In the Published server logoff URL, type /owa/logoff.owa. (Note: You are doing this because TMG
2010 does not have a publishing rule for Exchange 2013, so the logoff page still directs users to the old
location used by Exchange Server 2010.)
62. Click OK and then click Apply two times.
63. Click OK.
64. Double-click OWA rule.
65. On the General tab, click Test Rule.
66. In Web Publishing Rule Test Results window, look for results for
https://webmail.adatum.com:443/ecp and https://webmail.adatum.com:443/owa. You should have
green check marks for these URLs. Click Close, and then click OK.
Task 2: Publishing rule testing
1. On the host computer, in Hyper-V Manager, right-click 20341B-LON-CL1, and then click Settings.
2. Click Network Adapter, and in the Network drop-down list, click Private Network 2, and then click
OK.
3. Log on to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
4. On LON-CL1, in the Start screen, type control panel. Click on the Control Panel icon.
5. Open the Control Panel, and then click View network status and tasks.
6. Click Change adapter settings.
7. Right-click Ethernet, and then click Properties.
8. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
9. Change the IP address to 131.107.0.2, change the Default Gateway to 131.107.0.1.
10. Delete the value for DNS server.
11. Click OK, and then click Close. Close the Control Panel.
12. On the Start screen, type cmd and press Enter.
13. In the command prompt window, type notepad c:\windows\system32\drivers\etc\hosts, and then
press Enter.
14. At the bottom of the hosts file, type 131.107.0.1 webmail.adatum.com, and then save and close
the file.
9. In the Object Types dialog box, click Computers, and then click OK.
10. In the Select Users, Computers, Service Accounts, or Groups window, in the Enter the object names
to select field box, type LON-MBX1$, then click Check Names, and then click OK.
11. On the Security tab, select LON-MBX1 (ADATUM\LON-MBX1$), then in the Allow column in the
Permissions for LON-MBX1 list, click Full control.
12. On the Security tab, select Exchange Trusted Subsystem (ADATUM\Exchange Trusted
Subsystem), then in the Allow column in the Permissions for Exchange Trusted Subsystem list, click Full
control, and then click OK.
13. In the Active Directory Users and Computers window, in the right pane, right-click DAG1, and then
click Disable Account.
14. In the warning window, click Yes, and then on the next information window, click OK.
Task 2: Create a DAG and add mailbox servers to the DAG
1. Switch to LON-CAS1. Open Internet Explorer, and type https://lon-cas1.adatum.com/ecp, and
then press Enter.
2. Sign in as Adatum\administrator with the password Pa$$w0rd.
3. In the EAC, in the Feature pane, click servers.
4. On tabs, click database availability groups, and then on the toolbar, click New.
5. In the New database availability group window, in the Database availability group name field, type
DAG1, then click Witness server, and type LON-CAS1 in the Witness server field. Click
Witness directory, and in the Witness directory field, type C:\FSWDAG1. Click Enter an IP address, and in
the Database availability group IP addresses field, type 172.16.0.33. Then click Add, and then click
save.
6. In the list view, click DAG1, and on the toolbar, click Manage DAG membership.
7. In the manage database availability group membership window, click Add.
8. In the Select Server window, click LON-MBX1, click add, and then click LON-MBX2. Click add, and
then click ok.
9. In the manage database availability group membership window, click save.
10. In the Saving completed successfully window, click close.
Task 3: Create a mailbox database copy
1. In the EAC, in tabs, click databases, then click Mailbox Database 1, and on the toolbar, click More, and
then click Add database copy.
2. In the add mailbox database copy window, click browse.
3. In the Select Server window, click LON-MBX2, and then click ok.
4. In the add mailbox database copy window, click save.
5. Wait until the saving completes successfully, then click close.
Task 4: Verify successful completion of copying a database
1. In tabs, click Refresh, and wait until the details pane shows Mailbox Database 1\LON-MBX2 as
Passive Healthy. This might take several minutes and up to several hours depending on the size of the
database.
2. In the details pane, under Mailbox Database 1\LON-MBX2, click View details.
3. Make sure that the Status displays Healthy and the Content index state also displays Healthy. Then
click cancel. Note that this might take some time, so please wait.
Task 5: Suspend and resume a database copy
1. In the EAC, in the details pane, click Mailbox Database 1, and then under Mailbox Database
1\LON-MBX2, click Suspend.
2. In the Suspend database window, in the Comments field, type Test Suspend, and then click save.
Now the database copy is suspended and will not receive any updates.
3. In the details pane, under Mailbox Database 1\LON-MBX2, click Resume. If the Resume button is not
available, wait and then click Refresh a few more times.
4. In the warning window, click yes.
5. In tabs, click Refresh, and then wait until the details pane shows Mailbox Database 1\LON-MBX2 as
Copy queue length: 0.
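The DAG workflow from Tasks 2 to 5 expressed in the Exchange Management Shell, with the "wait until Healthy" and "Copy queue length: 0" checks made explicit. This is an added example, not part of the course material; Wait-DatabaseCopy is a hypothetical helper defined here, and the 30-second poll interval and 60-minute timeout are assumptions.

```powershell
# Added example (not from the course). Run in the Exchange Management Shell.
$dag  = 'DAG1'
$copy = 'Mailbox Database 1\LON-MBX2'

# Hypothetical helper: poll a database copy until the condition holds or the timeout expires.
function Wait-DatabaseCopy {
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][scriptblock]$Condition,
        [int]$TimeoutMinutes = 60,      # assumption; large databases may need longer
        [int]$PollSeconds    = 30       # assumption
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = Get-MailboxDatabaseCopyStatus -Identity $Identity
        if (& $Condition $status) { return $status }
        Write-Host ("{0}: Status={1} CopyQueueLength={2} ContentIndexState={3}" -f `
            $Identity, $status.Status, $status.CopyQueueLength, $status.ContentIndexState)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for $Identity (last status: $($status.Status))"
}

# Task 2: create the DAG with the witness and IP address from the lab, then add both members.
New-DatabaseAvailabilityGroup -Name $dag -WitnessServer LON-CAS1 `
    -WitnessDirectory 'C:\FSWDAG1' -DatabaseAvailabilityGroupIpAddresses 172.16.0.33
Add-DatabaseAvailabilityGroupServer -Identity $dag -MailboxServer LON-MBX1
Add-DatabaseAvailabilityGroupServer -Identity $dag -MailboxServer LON-MBX2

# Task 3: add a passive copy of the database on LON-MBX2.
Add-MailboxDatabaseCopy -Identity 'Mailbox Database 1' -MailboxServer LON-MBX2

# Task 4: the copy is usable once both the copy and its content index are Healthy.
Wait-DatabaseCopy -Identity $copy -Condition {
    param($s)
    [string]$s.Status -eq 'Healthy' -and [string]$s.ContentIndexState -eq 'Healthy'
} | Format-List Name, Status, ContentIndexState

# Task 5: suspend with the comment from the lab, confirm the state, then resume.
Suspend-MailboxDatabaseCopy -Identity $copy -SuspendComment 'Test Suspend' -Confirm:$false
Wait-DatabaseCopy -Identity $copy -TimeoutMinutes 5 -PollSeconds 5 -Condition {
    param($s) [string]$s.Status -eq 'Suspended'
} | Out-Null

Resume-MailboxDatabaseCopy -Identity $copy
# The copy has caught up when it is Healthy again and no log files are waiting to be copied.
Wait-DatabaseCopy -Identity $copy -Condition {
    param($s) [string]$s.Status -eq 'Healthy' -and $s.CopyQueueLength -eq 0
} | Format-List Name, Status, CopyQueueLength, ReplayQueueLength
```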
11. In the left pane, right-click Webmail.adatum.com (172.16.0.6), and then click Add Host To Cluster.
12. In the Add Host to Cluster: Connect dialog box, type LON-CAS2 in Host field, click Connect, and
then click Next.
13. In the Add Host to Cluster: Host Parameters dialog box, click Next.
14. In the Add Host to Cluster: Port Rules dialog box, click Finish.
15. In Network Load Balancing Manager, wait until the LON-CAS2 icon turns green, and the Status says
Converged.
Task 3: Create a DNS record for the virtual IP address
1. Switch to LON-DC1, and in Server Manager, click Tools, and then click DNS.
2. In the DNS Manager, in the left pane, expand Forward Lookup Zones, select and then right-click
Adatum.com, and then click New Host (A or AAAA).
3. In the New Host dialog box, in Name field type Webmail, in the IP address field, type 172.16.0.6,
and then click Add Host.
4. Click OK, and then click Done.
Task 1: Simulate failure on LON-CAS1 and verify Microsoft Outlook Web Access functionality
1. Switch to LON-CAS1, then in Network Load Balancing Manager, in the left pane, right-click
LON-CAS1(Ethernet), click Control Host, and then click Stop.
2. Switch to LON-DC1, open Internet Explorer and type https://webmail.adatum.com/owa, and
then press Enter.
3. In Outlook Web App, sign in as Adatum\administrator with the password Pa$$w0rd.
4. You should now see your Inbox. This indicates that LON-CAS2 is currently serving as the Client
Access server.
1. Switch to the LON-CAS1 virtual server, in Network Load Balancing Manager, in the left pane,
right-click LON-CAS1 (Ethernet), click Control Host, and then click Start.
2. In Network Load Balancing Manager, wait until the LON-CAS1 (Ethernet) icon turns green, and the
Status says Converged.
3. Switch to the Host machine, in Hyper-V Manager, right-click 20341B-LON-CAS2, and then click
Turn Off. Click Turn Off.
4. Switch to the LON-DC1 virtual machine. In Internet Explorer, click Refresh (F5).
5. In Outlook Web App, if the sign in page appears, sign in as Adatum\administrator with the
password Pa$$w0rd.
6. In Outlook Web App, in the left pane, click Sent Items to make sure Outlook Web App is still
working. This verifies that LON-CAS1 took over the Client Access server role for the client.
Task 3: Verify high availability of the database copies
1. Switch to LON-CAS1, and in the EAC, click servers, and then on tabs, click databases.
2. In list view, click Mailbox Database 1, and in the details pane, verify that Mailbox Database
1\LON-MBX1 is Active Mounted and Mailbox Database 1\LON-MBX2 is Passive Healthy.
3. Switch to the Host machine, in Hyper-V Manager, right-click 20341B-LON-MBX1, and then click
Turn Off. Click Turn Off.
4. Switch to the LON-CAS1 virtual machine. In Internet Explorer, click Refresh (F5).
Note: If you receive an error in Internet Explorer, close it and reopen it and reconnect to the EAC.
5. In the EAC, if the sign-in page appears, sign in as Adatum\administrator with the password
Pa$$w0rd.
6. In the EAC, in the Feature pane, click Servers.
7. On tabs, click databases, and then in the list view, click Mailbox Database 1.
8. Verify that in the details pane Mailbox Database 1\LON-MBX1 shows as Passive ServiceDown, and
Mailbox Database 1\LON-MBX2 shows as Active Mounted.
9. Switch to the LON-DC1 virtual machine, and in Internet Explorer and Outlook Web App, in the left
pane, click Inbox. Create and send a new message to make sure the mailbox is available and can be
used.
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete
the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-CAS2, 20341B-LON-MBX1, and
20341B-LON-MBX2.
Note: Although some of the servers are not running, you must still revert them.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX1,
repeat steps 5 to 7 for 20341B-LON-CAS1.
Notice the name and the GUID of the Mailbox Database. This is needed for the restore.
15. Close the Exchange Management Shell.
Task 2: Install Windows Server Backup
1. On LON-MBX1, on the Start screen, click Server Manager.
2. In the Dashboard, click Add roles and features. The Add Roles and Features Wizard opens.
3. On the Before You Begin page, click Next.
4. On the Installation Type page, select Role-based or feature-based installation, and click Next.
5. On the Server Selection page, select Select a server from the server pool, click
LON-MBX1.Adatum.com in the Server Pool, and click Next.
6. On the Server Roles page, click Next.
7. On the Features page, scroll down in the Features list, select Windows Server Backup, and click
Next.
8. On the Confirmation page, do not select the Restart the destination server automatically if required
option, and then click Install.
9. On the Results page, click Close.
Task 3: Perform a backup of a mailbox database using Windows Server Backup
1. On LON-CAS1, open File Explorer, and create a folder named Backup on drive C:\.
2. Right-click the Backup folder, select Share with, and select Specific people.
3. Check that the Administrator account has Read/Write permissions, and click Share. Click Done.
4. Close File Explorer.
5. On LON-MBX1, on the Start screen, click Administrative Tools.
6. Scroll down the tools list and double-click Windows Server Backup.
7. In the left navigation pane, select Local Backup.
8. In the Actions pane on the right side, click Backup Once.
9. In the Backup Once Wizard on the Backup Options page, select Different options, and click Next.
10. On the Select Backup Configuration page, select Full server (recommended), and click Next.
11. On the Specify Destination Type page, select Remote shared folder, and click Next.
12. On the Specify Remote Folder page, under Location type \\LON-CAS1\Backup, under Access
control, select Do not inherit and click Next.
13. In the Windows Security pop-up window, enter Administrator as the name and Pa$$w0rd as the
password, and click OK.
14. On the Confirmation page, click Backup.
15. On the Backup Progress page, click Close.
16. When the backup completes, close Windows Server Backup. It may take 10 to 15 minutes to
complete.
Task 4: Delete message in mailbox
1. On LON-CAS1, open Internet Explorer. Type https://lon-cas1.ADatum.com/owa.
2. Sign in as Adatum\Mark with the password Pa$$w0rd.
3. Delete the message received from Michael.
4. Empty the Deleted Items folder.
5. Right-click the Deleted Items folder and select recover deleted items.
6. In the recover deleted items window, select the message received from Michael, and click purge.
7. Click ok to confirm the purge action on the selected item.
8. Close the recover deleted items window.
9. Sign out from Outlook Web App.
3. In the Exchange Management Shell, type the following command to create the Recovery database,
and press Enter. Verify that the GUID, database and transaction log names match the output from the
previous command.
New-MailboxDatabase -Recovery -Name RecoveryDB -EdbFilePath "C:\Restore\3c32c739-a0ce-43bc-a299-2f56f2bcb20c\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331\Mailbox Database 1808842331.edb" -LogFolderPath "C:\Restore\GUID\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331" -Server LON-MBX1
4. At the Exchange Management Shell prompt, type the following command, and then press Enter.
Restart-service msexchangeis
5. At the Exchange Management Shell prompt, type the following command, and then press Enter.
CD "C:\Restore\3c32c739-a0ce-43bc-a299-2f56f2bcb20c\C_\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 1808842331"
6. At the Exchange Management Shell prompt, type the following command, and then press Enter.
Eseutil /r E00 /i /d
7. At the Exchange Management Shell prompt, type the following command, and press Enter.
Mount-Database RecoveryDB
8. At the Exchange Management Shell prompt, type the following command, and press Enter.
Get-MailboxStatistics -Database RecoveryDB
9. This cmdlet displays all mailboxes within the recovery database. Check that the Mark Bebbington
mailbox is listed.
2. At the Exchange Management Shell prompt, type the following command, and press Enter.
Get-MailboxRestoreRequest
8. Click security.
9. Select the Anonymous users check box, and click save.
11. Click the add exception button. In the Except if drop-down box, point to The sender and then click
is a member of this group.
12. In the Select Members window, click Administrator, and click add->. Then click ok.
13. Select the check box on the option Activate this rule on the following date, select tomorrow's
date in the drop-down box, and then click save.
14. Switch to LON-CL1, and in Outlook 2013, click New Email.
15. In the To field, type administrator@adatum.com.
16. In the Subject field, type disclaimer test.
17. In the message body, type Test, and then click Send.
18. Open Internet Explorer, and type https://lon-cas1.adatum.com/owa.
19. In the Outlook Web App window, sign in as Adatum\Administrator with the password Pa$$w0rd.
20. In the Outlook Web App, ensure that you received an email from Aidan, and that the disclaimer
text is appended to the messages.
21. Reply to that message with any text.
22. Switch to Outlook 2013, and make sure that you received the message from Administrator, but
without the disclaimer.
Task 2: Create a Data-Loss Prevention policy
1. On LON-CAS1, in the EAC, click compliance management in the Feature pane.
2. Click on the data loss prevention tab.
3. Click an arrow next to the + sign.
4. Select New custom DLP policy.
5. In the new custom DLP policy window, in the Name text box, type IP address block.
6. Click Enforce, and then click save.
7. Select the IP address block policy, and then click Edit.
8. In the IP address block window, click rules.
9. Click an arrow next to the + sign, and then select Block messages with sensitive information.
10. In the New Rule window, click Outside the organization. In the select recipient location window,
select Inside the organization, and click ok.
11. Click Select sensitive information types.
12. In the sensitive information types window, click Add.
13. Scroll down the list and select IP Address, and then click add->. Then click ok two times.
14. In the Do the following drop-down box, select Generate incident report and send it to, and then
click Select one.
15. In the list, select Administrator, and click ok.
16. Click Include message properties, and select the sender check box. Click OK.
17. Click Block the message.
18. In the notify the sender with a Policy Tip, type Your message is blocked in the Enter the message for
the NDR that users will receive text box, and click ok.
19. Click Include message properties, and in the Include message properties window, select the original
mail check box and then click ok.
20. Select the check box on the option Activate this rule on the following date, and then click save.
21. In the IP address block, click save.
Task 3: Verify data-loss prevention policy functionality
1. Switch to LON-CL1, and switch to Outlook 2013.
2. Click New Email.
3. In the To field, type amr@adatum.com.
4. In the Subject field, type block test.
5. In the message body, type This is my IP address: 192.168.0.100, and then click Send.
6. Wait for a few moments, and see if you receive an email with the message that your previous
message to Amr Zaki is undeliverable. Also ensure that the Your message is blocked text appears.
Review the message content.
7. Switch to Internet Explorer, and in the Outlook Web App window, ensure that you received an email
from Aidan and that the original message that Aidan sent to Amr is attached.
8. Sign out from Outlook Web App.
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete
the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1, 20341B-LON-MBX1, and 20341B-LON-CL1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
a. User name: Adatum\Administrator
b. Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX1,
repeat steps 5 to 7 for 20341B-LON-CAS1.
3. In the Exchange Management Shell, enable antimalware scanning by typing the following script, and
then press Enter.
.\Enable-AntimalwareScanning.ps1
4. Verify that the following message appears: Antimalware engines are updating. This may take a
few minutes. Note that because the lab environment does not have an Internet connection, the
engine update cannot complete. Type CTRL-C to stop the script.
5. In the Exchange Management Shell, restart the Microsoft Exchange Transport Service by typing
the following cmdlet, and then press Enter.
Restart-Service MSExchangeTransport
6. In the Exchange Management Shell, list installed transport agents by typing the following cmdlet,
and then press Enter.
Get-TransportAgent
7. Verify that the following antimalware agent is listed: Malware Agent. Note that the status of
3. In the Exchange Management Shell, restart the Microsoft Exchange Transport Service by typing
the following cmdlet, and then press Enter.
Restart-Service MSExchangeTransport
4. In the Exchange Management Shell, specify the IP addresses of the internal SMTP servers LON-MBX1
and LON-MBX2 that should be ignored by the Sender ID agent, by typing the following cmdlet, and then
press Enter.
Set-TransportConfig -InternalSMTPServers @{Add="172.16.0.22","172.16.0.223"}
5. In the Exchange Management Shell, list installed transport agents by typing the following cmdlet, and then
press Enter.
Get-TransportAgent
6. Verify that the following anti-spam agents are listed: Content Filter Agent, Sender ID Agent, Sender
Filter Agent, Recipient Filter Agent, Protocol Analysis Agent. Verify that the status of the anti-spam
agents is Enabled True.
Task 2: Configure content filtering on LON-MBX1
1. In the Exchange Management Shell, verify that content filtering is enabled by typing the following
cmdlet, and then press Enter.
4. In the Exchange Management Shell, configure the allowed phrase Report document by typing the
following cmdlet, and then press Enter.
Add-ContentFilterPhrase -Influence GoodWord -Phrase "Report document"
6. In the Exchange Management Shell, configure SCL thresholds and enable quarantine by typing the
following cmdlet, and then press Enter.
Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold 8 -SCLQuarantineEnabled $true -SCLQuarantineThreshold 7
7. In the Exchange Management Shell, configure a custom rejection response by typing the following
cmdlet, and then press Enter.
Set-ContentFilterConfig -RejectionResponse "Your message was rejected by our spam filter. Contact your administrator."
8. In the Exchange Management Shell, configure the SCL junk threshold with value 6 for all mailboxes
in your organization by typing the following cmdlet, and then press Enter.
Set-OrganizationConfig -SCLJunkThreshold 6
2. In the Exchange Management Shell, configure recipient filtering to block messages sent to
helpdesk@adatum.com by typing the following cmdlet, and then press Enter.
Set-RecipientFilterConfig -BlockListEnabled $true -BlockedRecipients helpdesk@adatum.com
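After the anti-spam settings above are applied, the effective configuration can be read back and checked for internal consistency. This is an added example, not part of the original lab; the $findings list and its messages are illustrative, and the expected values are the ones typed in the steps above.

```powershell
# Added example: read back the anti-spam settings configured in this lab
# and report inconsistencies. Run in the Exchange Management Shell.
$findings = @()

$cf  = Get-ContentFilterConfig
$org = Get-OrganizationConfig
$rf  = Get-RecipientFilterConfig

if (-not $cf.Enabled) {
    $findings += 'Content filtering is disabled.'
}

# The lab sets reject = 8, quarantine = 7, junk = 6. Each threshold should
# sit below the next stronger action so that every action stays reachable.
if ($cf.SCLRejectEnabled -and $cf.SCLQuarantineEnabled -and
    $cf.SCLQuarantineThreshold -ge $cf.SCLRejectThreshold) {
    $findings += 'SCLQuarantineThreshold should be lower than SCLRejectThreshold.'
}
if ($cf.SCLQuarantineEnabled -and
    $org.SCLJunkThreshold -ge $cf.SCLQuarantineThreshold) {
    $findings += 'SCLJunkThreshold should be lower than SCLQuarantineThreshold.'
}

# Quarantine is enabled in the lab; report whether a quarantine mailbox is set.
if ($cf.SCLQuarantineEnabled -and -not $cf.QuarantineMailbox) {
    $findings += 'Quarantine is enabled but QuarantineMailbox is empty.'
}

# Recipient filtering: the block list must be on and contain the address.
$blocked = @($rf.BlockedRecipients | ForEach-Object { "$_" })
if (-not $rf.BlockListEnabled -or $blocked -notcontains 'helpdesk@adatum.com') {
    $findings += 'helpdesk@adatum.com is not actively blocked.'
}

# Any transport agent left disabled is worth a second look.
Get-TransportAgent | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Transport agent disabled: $($_.Identity)"
}

# Servers the Sender ID agent treats as internal; review for stray entries.
'InternalSMTPServers: ' + ((Get-TransportConfig).InternalSMTPServers -join ', ')

if ($findings.Count -eq 0) { 'No inconsistencies found.' } else { $findings }
```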
3. At the PS prompt, type the following command, and then press Enter:
New-RoleGroup -Name SupportDesk -Roles "Mail Recipients","Mail Recipient Creation","Distribution Groups"
4. Switch to the Start screen, click Internet Explorer, and then connect to https://LON-CAS1.adatum.com/ecp. Sign in as Adatum\Administrator using the password
Pa$$w0rd.
5. In the EAC, in the feature pane, click permissions.
6. On tabs, click admin roles, and then double-click SupportDesk in the list view.
7. In the Role Group window, under Members, click Add.
8. On the Select Members page, select Ryan Spanton, click add, and then click ok.
9. In the Role Group window, click save.
10. In the list view, double-click HelpDeskAdmins.
11. In the Role Group window, under Members, click Add.
12. On the Select Member page, select Carol Troup, click add, and then click ok.
13. In the Role Group window, click save.
14. Close Internet Explorer.
Task 3: Verify the permissions for the three role groups created
1. On LON-MBX1, open Internet Explorer, and connect to https://LON-CAS1.adatum.com/ecp. Sign
in as Adatum\Tony using the password Pa$$w0rd.
2. In the feature pane, click servers.
3. In tabs, click databases.
4. In the list view, double-click Research.
5. On the Mailbox database dialog box, in the left pane, click limits, then click the Issue a warning at
(GB) drop-down list, select unlimited, and then click save.
6. In the feature pane, click unified messaging. Verify that you can see the UM dial plans, but not
create or modify them. Remember that Tony is part of the IT group, and therefore is able to modify
server properties but not unified messaging settings.
7. Close Internet Explorer.
8. Open Internet Explorer, and connect to https://LON-CAS1.adatum.com/ecp. Sign in as
Adatum\Ryan using the password Pa$$w0rd. Recognize that in the feature pane, there are no servers.
This is because Ryan does not have permissions to manage servers.
9. In the feature pane, click recipients.
10. In the list view, double-click Alan Steiner.
11. In the User Mailbox window, in the left pane, click organization.
12. In the Department field, type IT, and then click save.
13. In tabs, click groups.
14. In the list view, double-click Research. Verify that you cannot modify the group properties by
typing a group description and then clicking save.
15. An error window appears indicating that you do not have sufficient permissions to modify
the group. Click ok, and then in the Security Group window, click cancel.
16. In tabs, click mailboxes, and then click New in toolbar.
17. In the User Mailbox window, type Test in the Alias field, and then click New user.
18. Type Test in the First name field, and then type Test in Last name field. Type Test in the User
logon name field, and Pa$$word in the New password and Confirm password fields, and then
click save. This confirms that Ryan is able to create new mailboxes.
19. Close Internet Explorer.
20. Open Internet Explorer, and connect to https://LON-CAS1.adatum.com/ecp. Sign in as
Adatum\Carol using the password Pa$$w0rd.
21. In the feature pane, click recipients. Note that there is no New user button on the toolbar.
22. In the list view, double-click Alan Steiner.
23. In the User Mailbox window, in the left pane, click organization.
24. In the Department field, type Customer Service, and then click save.
25. Verify that groups is not available in tabs as Carol does not have permission to manage groups.
26. Close Internet Explorer.
6. In the Search for access by drop-down box, select All non-owners, and then click Search.
7. In the search results, click Info, and view the report that shows that Tony Smith accessed the Info
mailbox.
8. Click close, and then close Internet Explorer.
3. In the Exchange Management Shell, at the PS prompt, type the following command, and then press
Enter.
Add-RoleGroupMember "HRAdmins" -Member Tony
4. Open Server Manager, click Tools, and then click Active Directory Users and Computers.
5. In the left pane, click Microsoft Exchange Security Groups, and then double-click HRAdmins.
6. Click the Managed By tab, click Change and type HRAdmins, and then click OK.
7. Select the Manager can update membership list check box, and then click OK.
8. In the right pane, double-click Recipient Management.
9. Click the Members tab, click Add and type HRAdmins, and then click OK. This is required to assign
the HRAdmins group the necessary permissions to be able to create a mailbox. Click OK.
10. Close the Active Directory Users and Computers console.
Task 2: Remove the permission to create AD DS objects from other Exchange Server administrator
groups
3. After you see which groups have delegated role assignments for this role, run the following cmdlet
to remove all groups except HRAdmins:
Get-ManagementRoleAssignment -Role "Mail Recipient Creation" | Where {$_.RoleAssigneeName -NE "HRAdmins" } |
Remove-ManagementRoleAssignment
4. In the User Mailbox window, type New in the Alias field, and then click New user. Note that all
fields required to create a new user are greyed out. This is because you do not have the permission to
create a new user account in AD DS.
5. Click cancel, and then close Internet Explorer.
6. Open Internet Explorer, connect to https://LON-CAS1.adatum.com/ecp. Sign in as Adatum\Tony
using the password Pa$$w0rd.
7. Click the mailboxes tab, click New in toolbar, and then click User mailbox.
8. In the User Mailbox window, type Test2 in the Alias field, and then click New user.
9. Type Test2 in First name field, and Test2 in Last name field. Type Test2 in the User logon name
field, and Pa$$word in the New password and Confirm password fields, and then click Save. This
confirms that Tony is able to create user accounts for new mailboxes.
10. Close Internet Explorer.
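The removal of Mail Recipient Creation assignments in Task 2 can be previewed before it runs and audited afterwards. This is an added example, not part of the original lab; the $allowed list and variable names are illustrative, and the role and group names are the ones used above.

```powershell
# Added example: preview and audit the "Mail Recipient Creation" clean-up.
# Run in the Exchange Management Shell with rights to manage role assignments.
$role    = 'Mail Recipient Creation'
$allowed = @('HRAdmins')          # assignees that should keep the role

# 1. List every assignment of the role, including delegating assignments.
$assignments = Get-ManagementRoleAssignment -Role $role
$assignments | Sort-Object RoleAssigneeName |
    Format-Table RoleAssigneeName, RoleAssigneeType,
        RoleAssignmentDelegationType, Enabled -AutoSize

# 2. Preview what the lab's removal pipeline would delete. -WhatIf prints
#    each assignment that would be removed and changes nothing.
$assignments |
    Where-Object { $allowed -notcontains $_.RoleAssigneeName } |
    Remove-ManagementRoleAssignment -WhatIf

# 3. After the real removal, confirm that only the allowed assignees remain.
$unexpected = Get-ManagementRoleAssignment -Role $role |
    Where-Object { $allowed -notcontains $_.RoleAssigneeName }
if ($unexpected) {
    'Unexpected assignees still hold the role:'
    $unexpected | Format-Table Name, RoleAssigneeName -AutoSize
} else {
    "Only $($allowed -join ', ') is assigned '$role'."
}

# 4. Resolve group membership to the individual accounts that can now
#    create recipients. Rows that stand for the group itself are skipped.
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
    Sort-Object EffectiveUserName -Unique |
    Format-Table EffectiveUserName, RoleAssigneeName -AutoSize
```

Because HRAdmins was also made able to update its own membership list, the effective-user list in step 4 is the part worth re-running periodically.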
Task 4: To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete
the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20341B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 to 3 for 20341B-LON-CAS1 and 20341B-LON-MBX1.
5. In Hyper-V Manager, click 20341B-LON-DC1, and in the Actions pane, click Start.
6. In the Actions pane, click Connect. Wait until the virtual machine starts.
7. Sign in using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
8. Repeat steps 5 to 7 for 20341B-LON-MBX1. When you have successfully signed in to LON-MBX1,
repeat steps 5 to 7 for 20341B-LON-CAS1.
Task 2: Create a new performance-counter data collector set for monitoring basic Exchange Server
performance
1. In the Performance Monitor, in the navigation pane, expand Data Collector Sets, expand User
Defined, click Exchange Monitoring, click the Action menu, click New, and then click Data
Collector.
2. In the Create New Data Collector Wizard, in the Name box, type Base Exchange Monitoring, select
Performance counter data collector, click Next, and then click Add.
3. In the Available counters object list, expand Processor, and then click % Processor Time. Press and
hold the Ctrl key, click % User Time, click % Privileged Time, and then click Add.
4. In the Available counters object list, expand Memory, and then click Available Mbytes. Press and
hold the Ctrl key, click the following items, and then click Add:
o Page Reads/sec
o Pages Input/sec
o Pages/sec
o Pages Output/sec
o Pool Paged Bytes
o Transition Pages Repurposed/sec
5. In the Available counters object list, expand MSExchange ADAccess Domain Controllers, and
then click LDAP Read Time. Press and hold the Ctrl key, click the following items, and then click Add:
o LDAP Search Time
o LDAP Searches Timed Out per Minute
o Long Running LDAP Operations/min
6. In the Available counters object list, expand System, click Processor Queue Length, click Add, and
then click OK.
7. In the Create New Data Collector Wizard, in the Sample interval box, type 1, in the Units drop-down
list, select Minutes and then click Finish to create the data collector.
Task 3: Create a new performance-counter data collector set for monitoring Mailbox server role
performance
1. In the Performance Monitor, in the navigation pane, click Exchange Monitoring, click the Action
menu, click New, and then click Data Collector.
2. In the Create New Data Collector Wizard, in the Name box, type Mailbox Role Monitoring, select
Performance counter data collector, click Next, and then click Add.
3. In the Available counters object list, expand LogicalDisk, and then click Avg.Disk sec/Read. Press and
hold the Ctrl key, click the following items, and then click Add:
o Avg.Disk sec/Transfer
o Avg.Disk sec/Write
4. In the Available counters object list, expand MSExchangeIS Store, and then click RPC Average
Latency. Press and hold the Ctrl key, click the following items, and then click Add:
o RPC Operations/sec
o RPC Requests
o Messages Delivered/sec
5. Click OK.
6. In the Create New Data Collector Wizard, in the Sample interval box, type 1, in the Units drop-down
list, select Minutes, and then click Finish to create the data collector set.
Task 3: List the probable causes of the problem, and rank the possible solutions if multiple options
exist
List the problems and possible solutions:
Problem: Disk errors are preventing access to the database.
Possible solution: Replace disks and restore from backup.
Problem: Database path is incorrect because of storage changes.
Possible solution: Change storage or database configuration.
4. Press Enter.
5. In the EAC, on the features pane, click on servers, and then click on the databases tab.
6. In the list view, click on MailboxDB100 database, and then in the details pane, verify that it is
Mounted.
6. Press Enter. Verify that the output does not return any errors.
7. In the Exchange Management Shell, type the following Test cmdlet, and then press Enter:
Test-OwaConnectivity -URL https://LON-MBX1.adatum.com/OWA -TrustAnySSLCertificate
Task 2: List the probable causes of the problem, and rank the possible solutions if multiple options
exist
List the problems and possible solutions:
Problem: Internet Information Server (IIS) configuration is not configured correctly.
Possible solution: Modify the IIS configuration.
Problem: Microsoft Outlook Web App authentication is not configured correctly.
Possible solution: Modify Outlook Web App authentication configuration.
9. In the Exchange Management Shell, type the following command, and then press Enter.
Iisreset
10. In the Internet Explorer window, type https://lon-cas1.adatum.com/ecp, and then press Enter.
11. On the Outlook Web App web page, in the Username box, type Adatum\Administrator, and in the
Password box, type Pa$$w0rd and then click on the Sign In button.
12. Verify that now you can sign in to EAC. If you receive a navigation error in Internet Explorer, close
and reopen Internet Explorer and repeat the process from step 10.
Note: If you receive an error indicating that the service did not start, start the World Wide
Web Publishing Service in the Services management console.
Task 4: Verify that you resolved the problem
1. Open Internet Explorer, and connect to https://LON-CAS1.adatum.com/owa.
2. Log on to Outlook Web App as Adatum\Administrator with the password Pa$$w0rd.
3. Confirm that Administrator can now access Outlook Web App, and then close Internet Explorer.