All posts by aclstrat

Rebuild Exchange 2013 Search Indexes

1) Stop the following services:

Microsoft Exchange Search
Microsoft Exchange Search Host Controller

2) Locate the existing index directory folders.

They should be in the same path as the mailbox database, named with a GUID and ending in the word ‘Single’. With both services stopped, rename the GUID folder to GUID_OLD.

3) Restart the two services:

Microsoft Exchange Search
Microsoft Exchange Search Host Controller

The GUID folders should be recreated and reindexing of the databases started. It will take a fair amount of time for the rebuild. You can issue the following command to check the index status:

Get-MailboxDatabaseCopyStatus
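The three steps above as one script, added here as an example (not from the original post). It assumes the database name is passed in as $DatabaseName, that the index folder sits beside the .edb file and ends in ‘Single’ as described, and that it runs in an elevated Exchange Management Shell on the mailbox server.

```powershell
# Added example, not part of the original post. Run in an elevated Exchange
# Management Shell on the server that holds the database.
param(
    [Parameter(Mandatory = $true)][string]$DatabaseName   # assumed input
)

# The two services named in the post, looked up by display name
$services = Get-Service -DisplayName 'Microsoft Exchange Search',
                                     'Microsoft Exchange Search Host Controller'

# 1) Stop both search services
$services | Stop-Service -Force -Verbose

# 2) Find the index folder next to the .edb file and rename it to <name>_OLD
$db       = Get-MailboxDatabase -Identity $DatabaseName
$dbFolder = Split-Path -Path $db.EdbFilePath.PathName -Parent
$indexFolders = Get-ChildItem -Path $dbFolder -Directory |
    Where-Object { $_.Name -like '*Single' }

if (-not $indexFolders) {
    $services | Start-Service
    throw "No '*Single' index folder found under $dbFolder"
}

foreach ($folder in $indexFolders) {
    $newName = "$($folder.Name)_OLD"
    if (Test-Path -Path (Join-Path -Path $dbFolder -ChildPath $newName)) {
        $services | Start-Service
        throw "$newName already exists; remove the old copy first"
    }
    Rename-Item -Path $folder.FullName -NewName $newName -Verbose
}

# 3) Start the services again; Exchange recreates the folder and starts a crawl
$services | Start-Service -Verbose

# Check progress: ContentIndexState goes from Crawling to Healthy when done
Get-MailboxDatabaseCopyStatus -Identity $DatabaseName |
    Format-Table Name, Status, ContentIndexState, ContentIndexErrorMessage -AutoSize
```

Re-run the last command until ContentIndexState reports Healthy; the renamed _OLD folder can be deleted once the new index is healthy.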

Exchange 2007 – Create Managed Folder Mailbox Policy to clean out Inbox items older than 90 days

1) CREATE A MANAGED DEFAULT FOLDER

Open EMC > Organization Configuration > Mailbox > Managed Default Folders tab > New Managed Default Folder

Name: Operations_90Days
Folder Type: Inbox

2) CONFIGURE MANAGED CONTENT SETTINGS

Right-click new default folder ‘Operations_90Days’ > New Managed Content Settings

Name: Delete Items Older Than 90Days
Message Type: All Mailbox Content
Length of retention period: 90
Retention Period Starts: When delivered, end date for calendar and recurring tasks
Action to take at the end of the retention period: Permanently Delete

3) CREATE MANAGED FOLDER MAILBOX POLICY

In EMC > Organization Configuration > Mailbox > Managed Folder Mailbox Policies > New Managed Folder Mailbox Policy

Name: Operations_90Days_MFM
Managed folders that are associated with this policy: Operations_90Days

4) ASSIGN MANAGED FOLDER MAILBOX POLICY TO A SPECIFIC MAILBOX

In EMC > Recipient Configuration > Mailbox > open properties of the mailbox you want to apply the policy to > Mailbox Settings tab > Messaging Records Management

Check Managed folder mailbox policy
Browse and select ‘Operations_90Days_MFM’ policy you created

5) FORCE NEW POLICY TO RUN AGAINST MAILBOX

Open Administrative Exchange Management Shell prompt and run the following command:

Start-ManagedFolderAssistant -Mailbox "operations"
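The same five steps done from the Exchange Management Shell instead of the EMC, added here as an example (not from the original post). The folder, settings, policy and mailbox names are the ones used above; the cmdlets are the Exchange 2007 messaging records management cmdlets.

```powershell
# Added example, not part of the original post. Run in the Exchange 2007
# Management Shell with organization admin rights.

# 1) Managed default folder of type Inbox
New-ManagedFolder -Name 'Operations_90Days' -DefaultFolderType Inbox

# 2) Content settings on that folder: all mailbox content, 90 days counted
#    from delivery, then permanently deleted (no recovery from Deleted Items)
New-ManagedContentSettings -Name 'Delete Items Older Than 90Days' `
    -FolderName 'Operations_90Days' `
    -MessageClass '*' `
    -RetentionEnabled $true `
    -AgeLimitForRetention 90 `
    -TriggerForRetention WhenDelivered `
    -RetentionAction PermanentlyDelete

# 3) Policy that links the managed folder
New-ManagedFolderMailboxPolicy -Name 'Operations_90Days_MFM' `
    -ManagedFolderLinks 'Operations_90Days'

# 4) Assign the policy to one mailbox; the switch suppresses the prompt
#    about older Outlook clients
Set-Mailbox -Identity 'operations' `
    -ManagedFolderMailboxPolicy 'Operations_90Days_MFM' `
    -ManagedFolderMailboxPolicyAllowed

# 5) Run the assistant now instead of waiting for its schedule
Start-ManagedFolderAssistant -Mailbox 'operations'

# Check what was created before anything gets deleted in 90 days
Get-Mailbox -Identity 'operations' | Format-List Name, ManagedFolderMailboxPolicy
Get-ManagedContentSettings -FolderName 'Operations_90Days' |
    Format-List Name, MessageClass, AgeLimitForRetention,
                TriggerForRetention, RetentionAction
```

Because the action is PermanentlyDelete, confirm the settings read back correctly on a test mailbox before assigning the policy to a production one.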

Dealing With CryptoLocker

Cryptolocker (and its variants) suck! The virus typically strikes one person's machine, and once infected, that PC will crawl local drives and mapped drives, folder after folder, file after file, encrypting them with 256-bit encryption, thus taking your data hostage.

The best methods of protection I’ve found are:

  • Don’t open or run any email attachments that come from someone you do not know, or that appear suspicious. i.e. you will never receive an email from FedEx or UPS that has a .ZIP file attachment with information about your shipment! Don’t open it, don’t touch it, delete it!
  • Make sure your servers have a working and tested backup solution in place. Make sure this backup solution is set up to send alerts on failures should a backup problem arise! Nothing is worse than the backup software experiencing a failure, and you’re not alerted to it until you look at it during an emergency.
  • Make sure Shadow Copies are enabled on your critical server data volumes. You can right-click on the data drive letter, select Properties, then Previous Versions to turn on various snapshots to be taken throughout the day. I recommend one at 6am and another at 12pm. Usually those aren’t super huge usage times.

Isolating the virus:

  • You will likely hear about this from a user who calls saying they can’t open their Word or Excel documents, or that they look scrambled. This is due to the virus having encrypted those files.
  • First thing to do is log into the server, and change all of its shares to ‘Read Permission’ only under sharing permissions.
  • The virus typically leaves 3 files behind in every directory that it has crawled: HELP_DECRYPT.TXT, .JPG and .HTML. Look at the properties of these files to try and determine the ‘Owner’. Depending on the variant, the ‘Owner’ a lot of the time is the source of the infection.
  • The source infected machine should be the only one that has encrypted files on its own C:\. The desktop, local My Documents, or contents of the C:\ are the best sign. If you can find this PC, disconnect it from the network immediately.

Options for recovery:

  • How quickly you’ve caught the virus determines how many folders you’re going to need to restore. Many times, using Shadow Copies to restore folders to an earlier point in time is a better, more convenient option with less data loss than going to last night’s backup.
  • Should the server be the source of the infection, you will likely be doing a full, bare-metal restore of the entire server back to the previous full backup.
  • Once files are rolled back, you will need to clean up the remaining HELP_DECRYPT.xxx files. The easiest way to do this is to:
    • Open Admin CMD Prompt
    • Navigate to the root drive affected: cd c:\
    • Issue the delete command for all files with that title: DEL /S HELP_DECRYPT.*
    • Let it crawl the directories and remove all instances found
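A triage helper for the isolation and cleanup steps above, added here as an example (not from the original post). It assumes $SharePaths holds the local folders your shares point at; in Report mode it only reads, listing the owners of the HELP_DECRYPT.* notes (the post's clue to the source machine), the earliest note (which tells you which shadow copy predates the damage) and how many folders were hit; Cleanup mode does what DEL /S HELP_DECRYPT.* does, for use only after the data has been rolled back.

```powershell
# Added example, not part of the original post. Run from an elevated prompt
# on the file server. $SharePaths is an assumed list of share root folders.
param(
    [string[]]$SharePaths = @('D:\Data'),                       # assumed
    [ValidateSet('Report', 'Cleanup')][string]$Mode = 'Report'
)

# The ransom notes the post describes: HELP_DECRYPT.TXT / .JPG / .HTML in
# every folder the virus crawled
$notes = Get-ChildItem -Path $SharePaths -Recurse -Force -Filter 'HELP_DECRYPT.*' `
                       -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

if (-not $notes) {
    Write-Host "No HELP_DECRYPT.* files found under $($SharePaths -join ', ')"
    return
}

# Who wrote the notes? The owner is often the infected user's account.
$notes | ForEach-Object { (Get-Acl -Path $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table @{ n = 'Owner'; e = { $_.Name } }, Count -AutoSize

# When did it start? Pick a shadow copy taken before this timestamp.
$first = $notes | Sort-Object LastWriteTime | Select-Object -First 1
Write-Host ("First ransom note: {0} at {1}" -f $first.FullName, $first.LastWriteTime)

# How far did it spread? One note set per crawled folder.
$folders = $notes | Select-Object -ExpandProperty DirectoryName -Unique
Write-Host ("Folders hit: {0}" -f @($folders).Count)

if ($Mode -eq 'Cleanup') {
    # Only after the data has been restored: same effect as DEL /S HELP_DECRYPT.*
    $notes | Remove-Item -Force -Verbose
}
```

Run it in Report mode first and keep the output; the owner list and first-note time are what you need when you go looking for the source PC and choosing a restore point.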