UFIT Wiki


UF Exchange Tier-2 Operations Guide


Overview:

This guide documents the daily tasks that Tier-2 Administrators may need to perform in support of their departmental Exchange users.

UF Exchange uses the Role Based Access Control (RBAC) model to delegate permissions to unit administrators. Administrators are granted rights over their respective People and Department OUs to perform management tasks. Exchange management is performed via the Exchange Admin Center (EAC) and the Exchange Management Shell (EMS). The Exchange Admin Center is a web-based administrative portal; this is a change from Exchange 2010, which used the EMC, an MMC-based console. The Exchange Management Shell is unchanged.

Departmental administrators need to download the Exchange 2013 media from the Microsoft Download Site and install the client tools. These tools should be run on Windows 7+ x64. 

Your installed Exchange management tools must match the exact service pack and cumulative update levels on the UF Exchange servers. 

The current Exchange version is: Exchange 2013 CU7

Management Tools:

When installing the Exchange 2013 management tools you should use the default options. Following the installation you will have a Programs group that contains the following:

  • Exchange Administrative Center - Shortcut to the EAC on the local computer. Will not work on management workstations.
  • Exchange Management Shell - Exchange PowerShell
  • Exchange Server Help - Link to Exchange Server 2013 documentation on TechNet.
  • Exchange Toolbox - MMC interface to Queue Viewer

For UF Exchange (not UF Health) Tier-2 there is an extra step that needs to be done following the installation of the Exchange Management tools. Exchange 2013 is now deployed across two different Active Directory sites. Because of this, the default installation of the Exchange Management Shell will try to connect to a legacy Exchange server in the Default AD site. We recommend that you modify the EMS shortcut to connect to a specific Exchange server.

In Windows Explorer - Navigate to the following folder.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2013

Right Click the Exchange Management Shell Shortcut and select Properties.

Modify the Target value to read the following.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -ServerFqdn exmbxprd01.ad.ufl.edu -ClientApplication:ManagementShell "

Click Apply.


Exchange Admin Center (EAC):

The EAC is a web interface which allows you to manage your Exchange users and resources. You access the EAC by pointing a browser at: https://mail.ufl.edu/ecp using your ADM username and password. 

Note: during coexistence with 2010 you may find that your ECP session takes you to 2010. In this case, append ?ExchClientVer=15 to your URL to force it to 2013: https://mail.ufl.edu/ecp/?ExchClientVer=15

Tier-2 will be primarily interested in the Recipients and Permission sections of the web interface. 


[Screenshot: EAC-FrontPage.PNG]




Recipients:

Recipient management is split out into 5 types: 

Mailboxes – Primary User Mailboxes
Groups – Distribution and Mail Enabled Security Groups
Resources – Resource Mailboxes
Contacts
Shared

By default only 500 objects are returned in a paged view with 50 results per page. While you can modify the maximum number of recipients to view, it is better practice to filter your results. You can use the “Advanced Search” feature to scope your query using a number of attributes. For instance, you can select only user mailboxes associated with your department by clicking the ellipsis, choosing Advanced Search, selecting Department, entering a department identifier such as CNS-OSG, and clicking OK.

[Screenshot: EAC-AdvancedSearch.png]



Optionally you could specify this search directly as: 

Department:"CNS-OSG"

To modify a recipient you can double-click on their entry in the results. 

[Screenshot: EAC-UserMailbox.PNG]


For mailboxes located in the People OU you will be able to edit a smaller number of attributes than for Departments OU (service) mailboxes. Attributes that you cannot edit will typically be grayed out or otherwise inaccessible.

E-mail Addresses can be edited by selecting “email address” and using the add, remove and edit icons to manage SMTP addresses. 


For People OU mailboxes the following addresses are always present:

gatorlink@ufl.edu
gatorlink@mail.ufl.edu
gatorlink@uflorida.mail.onmicrosoft.com

with the @ufl.edu address set as primary. If your College / Unit does not use third-level domains there is no reason to edit these addresses; in fact, doing so can interfere with the processes that manage SMTP addresses following events such as renames.

For Colleges / Units that use third-level domains, UFIT recommends that you use e-mail address policies. These are rules in Exchange that automatically add SMTP addresses based on criteria such as OU location or, more typically, group membership. E-mail address policies are the preferred method for assigning SMTP addresses in Exchange and are the _only_ supported method for assigning third-level domains to Office 365 mailboxes.

Exchange Management Shell (EMS)

The EMS is a command-line PowerShell interface used to manage Exchange. You can use the EMS to modify any configuration that you would in the EAC, and you can perform more actions within the EMS than within the EAC. When you use the EAC you are actually calling PowerShell under the hood.


Recipient Management:

Creating mailboxes:
    
Mailboxes are created by a back-end script that runs at a 15 minute interval. To enable a mailbox, add the AD user to the following groups:

 ad.ufl.edu/UF/Groups/Exchange User Groups/DEPT-Exchange-Users
 
 ad.ufl.edu/UF/Groups/Exchange User Groups/UFX-Enable-Mailbox-2013

The mailbox provisioning process has 2 requirements. 
      1) The user exists in a DEPT-Exchange-Users group
      2) The user is not located in the “Other” or “Disabled” People OU.
              a. Service Account mailboxes (eg. Department OU) do not have this requirement.
   
This means that your users must have a valid Network Managed By (NMB). It is important to keep the NMB up to date: since RBAC roles and permissions are assigned based on OU location, you cannot manage a user until he or she is in your department's “People” OU.

Disabling mailboxes: 
  
Disabling mailboxes is a similar process to enabling them and also runs on a 15 minute interval. To disable a mailbox you must first remove the user from your Exchange users group at: 

 ad.ufl.edu/UF/Groups/Exchange User Groups/DEPT-Exchange-Users

You then add their Gatorlink to the following group. 
 
 ad.ufl.edu/UF/Groups/Exchange User Groups/UFX-Disable-Mailbox-2013

The process will remove all Exchange attributes on the user object, disconnect the mailbox and set an External SMTP address of gatorlink@ufl.edu. 

Please note: If you wish to export a user mailbox to PST, this must be performed before the NMB change. Once the NMB change is made the user will be moved out of your OU and your RBAC write scopes will not apply.
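The enable and disable procedures above as an added PowerShell example (not code from the UFIT guide). It assumes the ActiveDirectory module plus a connected EMS session, that the group names on the page are also their sAMAccountNames, and that the “Other”/“Disabled” People OUs appear in a user's DN as OU=Other,OU=People,… ; the function names are my own.

```powershell
# Added example, not from the UFIT guide. Assumed: ActiveDirectory module + EMS session,
# group names are sAMAccountNames, and the blocked People OUs show up in the DN as
# OU=Other,OU=People,... or OU=Disabled,OU=People,...
Import-Module ActiveDirectory

$DeptGroup    = 'DEPT-Exchange-Users'      # replace DEPT with your unit's prefix
$EnableGroup  = 'UFX-Enable-Mailbox-2013'
$DisableGroup = 'UFX-Disable-Mailbox-2013'

function Test-PeopleOuEligible {
    # Requirement 2: the user must not sit in the "Other" or "Disabled" People OU (assumed DN shape).
    param([Parameter(Mandatory)][string]$Gatorlink)
    $dn = (Get-ADUser -Identity $Gatorlink).DistinguishedName
    return -not ($dn -match 'OU=(Other|Disabled),OU=People,')
}

function Enable-UfMailbox {
    param([Parameter(Mandatory)][string]$Gatorlink)
    if (Get-Mailbox -Identity $Gatorlink -ErrorAction SilentlyContinue) {
        Write-Host "$Gatorlink already has a mailbox"; return
    }
    if (-not (Test-PeopleOuEligible -Gatorlink $Gatorlink)) {
        Write-Warning "$Gatorlink is in the Other/Disabled People OU; update the NMB and retry"; return
    }
    # Requirement 1 (department group), then the trigger group the 15-minute job watches
    $memberOf = (Get-ADUser -Identity $Gatorlink -Properties memberOf).memberOf
    foreach ($g in $DeptGroup, $EnableGroup) {
        if (-not ($memberOf -match "^CN=$([regex]::Escape($g)),")) {
            Add-ADGroupMember -Identity $g -Members $Gatorlink
        }
    }
}

function Disable-UfMailbox {
    param([Parameter(Mandatory)][string]$Gatorlink)
    # Export to PST before any NMB change; afterwards your RBAC write scope no longer applies.
    Remove-ADGroupMember -Identity $DeptGroup -Members $Gatorlink -Confirm:$false
    Add-ADGroupMember -Identity $DisableGroup -Members $Gatorlink
}

function Get-PendingMailboxProvisioning {
    # Reconciliation: department-group members (by DN) that still have no mailbox.
    (Get-ADGroup -Identity $DeptGroup -Properties Members).Members | Where-Object {
        -not (Get-Mailbox -Identity $_ -ErrorAction SilentlyContinue)
    }
}
```

Run Get-PendingMailboxProvisioning about 15 minutes after enabling; anyone still listed usually fails requirement 2 and needs an NMB correction.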

Creating a Distribution Group (List)

  1. Create a Universal Security group in UFAD and add your intended recipients.
  2. Using Exchange Management Shell, execute Enable-DistributionGroup "Name of Group".
  3. In EAC, navigate to recipients > groups and search for your UFAD object. Double-click to manage e.g. SMTP addresses and distribution list options.

Managing Delegation:

EAC (web):

Recipients – Mailboxes – Search – double-click mailbox – mailbox delegation

From here you can manage Send-As, Send-On-Behalf, and Full Mailbox permissions by choosing the add or remove icons and searching for a recipient.

EMS (PowerShell):

Managing Full Access:

Grant Josh Full Access over James's mailbox:

Add-MailboxPermission -Identity James -User Josh -AccessRights FullAccess -InheritanceType All

Granting SendAs permission: 

The following command grants Josh the right to Send As James:

Add-ADPermission -Identity James -User UFAD\Josh -ExtendedRights "Send As"
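An added EMS example (not code from the UFIT guide): a function that reports the same three delegation types the EAC mailbox delegation page shows, followed by the two grants above and their reversal. Get-MailboxDelegation is an assumed helper name; James and Josh are the page's placeholders, and a connected EMS session is assumed.

```powershell
# Added example, not from the UFIT guide. Assumes a connected EMS session.
# Lists explicit (non-inherited, Allow) delegations so you can audit a mailbox before/after a change.
function Get-MailboxDelegation {
    param([Parameter(Mandatory)][string]$Identity)
    $mbx = Get-Mailbox -Identity $Identity
    # Full Access lives in the mailbox ACL; skip SELF and orphaned SIDs
    $full = Get-MailboxPermission -Identity $Identity | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        "$($_.AccessRights)" -match 'FullAccess' -and
        $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'
    }
    # Send As is an extended right on the AD user object, reported as "Send-As"
    $sendAs = Get-ADPermission -Identity $mbx.DistinguishedName | Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        "$($_.ExtendedRights)" -match 'Send-As' -and
        $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'
    }
    [PSCustomObject]@{
        Mailbox      = "$($mbx.PrimarySmtpAddress)"
        FullAccess   = @(foreach ($p in $full)   { "$($p.User)" })
        SendAs       = @(foreach ($p in $sendAs) { "$($p.User)" })
        SendOnBehalf = @(foreach ($d in $mbx.GrantSendOnBehalfTo) { "$d" })
    }
}

# The two grants from the page (James -> Josh), then re-audit to confirm exactly what changed
Add-MailboxPermission -Identity James -User Josh -AccessRights FullAccess -InheritanceType All
Add-ADPermission -Identity James -User 'UFAD\Josh' -ExtendedRights 'Send As'
Get-MailboxDelegation -Identity James

# Reverse both when the delegation is no longer needed
Remove-MailboxPermission -Identity James -User Josh -AccessRights FullAccess -Confirm:$false
Remove-ADPermission -Identity James -User 'UFAD\Josh' -ExtendedRights 'Send As' -Confirm:$false
```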
  
Import and Export (PST) operations:


In Exchange 2013, two cmdlets, New-MailboxImportRequest and New-MailboxExportRequest, are used to import and export mailboxes respectively. As part of the command syntax you can direct Exchange to read or write against a file share hosted in your department. There are two requirements for this share.

1) It must be accessible by all Exchange systems. Be mindful of ACLs. [see subnet info below]
2) Access must be granted to the “Exchange Trusted Subsystem” group.

The following snippet from Microsoft TechNet details the -FilePath requirements:

“The FilePath parameter specifies the network share path of the .pst file from which data is imported, for example, \\SERVER01\PST Files\ToImport.pst. You need to grant read/write permission to the group Exchange Trusted Subsystem to the network share where you'll export or import mailboxes. If you don't grant this permission, you'll receive an error message stating that Exchange is unable to establish a connection to the target mailbox.”


Importing Mailboxes:

New-MailboxImportRequest -Mailbox User -FilePath \\SRV\PST$\Gatorlink.pst

Note: There are other options that direct where in the mailbox hierarchy the imported mail is placed (TargetRootFolder). Please consult the TechNet documentation: http://technet.microsoft.com/en-us/library/ff607310.aspx

Exporting Mailboxes:

New-MailboxExportRequest -Mailbox User -FilePath \\SRV\PST$\Gatorlink.pst

UF Exchange currently uses the following subnets:

2013 systems: 

10.36.133.32/27
10.36.197.32/27
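The export procedure above as an added EMS example (not code from the UFIT guide): it checks the share's NTFS ACL for Exchange Trusted Subsystem before submitting the request, then polls the request to completion. The function names are my own, \\SRV\PST$ is the page's placeholder share, and a connected EMS session is assumed; share-level permissions and firewall rules for the subnets above are not checked here.

```powershell
# Added example, not from the UFIT guide. Assumes a connected EMS session.
# Checks only the NTFS DACL on the share path; share permissions and the firewall
# ACLs for the 2013 subnets still need to allow the Exchange systems.
$PstShare = '\\SRV\PST$'   # placeholder from the page; replace with your departmental share

function Test-PstShareAccess {
    param([Parameter(Mandatory)][string]$SharePath)
    $acl = Get-Acl -Path $SharePath
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Exchange Trusted Subsystem' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -match 'Modify|FullControl')   # read/write at minimum
    }
    return [bool]$ace
}

function Export-UfMailboxToPst {
    param([Parameter(Mandatory)][string]$Gatorlink,
          [string]$SharePath = $PstShare)
    if (-not (Test-PstShareAccess -SharePath $SharePath)) {
        throw "Exchange Trusted Subsystem has no Modify/FullControl on $SharePath; the request would fail"
    }
    $file = Join-Path $SharePath "$Gatorlink.pst"
    # Submit while the user is still in your OU (before the NMB change); afterwards
    # your RBAC write scope no longer covers the mailbox and the request is rejected.
    New-MailboxExportRequest -Mailbox $Gatorlink -FilePath $file -Name "PST-$Gatorlink"
}

function Wait-UfMailboxExport {
    param([Parameter(Mandatory)][string]$Gatorlink, [int]$PollSeconds = 60)
    do {
        Start-Sleep -Seconds $PollSeconds
        $stats = Get-MailboxExportRequest -Mailbox $Gatorlink -Name "PST-$Gatorlink" |
                 Get-MailboxExportRequestStatistics
        Write-Host ("{0}: {1} ({2}%)" -f $Gatorlink, $stats.Status, $stats.PercentComplete)
    } while ("$($stats.Status)" -notin 'Completed', 'Failed')
    if ("$($stats.Status)" -eq 'Completed') {
        # Completed requests stay in the queue until removed; clear ours explicitly
        Get-MailboxExportRequest -Mailbox $Gatorlink -Name "PST-$Gatorlink" |
            Remove-MailboxExportRequest -Confirm:$false
    }
    return "$($stats.Status)"
}
```

Typical use is Export-UfMailboxToPst -Gatorlink jdoe followed by Wait-UfMailboxExport -Gatorlink jdoe, and only then the NMB change described under Disabling mailboxes.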



Last modified at 12/1/2016 4:45 PM by Gasper, Joe