Friday, August 28, 2015

Exchange 2013 Survival Kit 2. - restore and purge

Just found a great MS doc that efficiently explains the basics of how Exchange 2013 handles the Recoverable Items folder. In short: if a user asks you to restore some accidentally deleted and purged email, you no longer need to restore the whole database from Windows Backup and mount it just to bring the whole mailbox back to a former state. At least, in theory.
If you are lucky enough, your user remembers the properties of the emails he purged:
- the senders' names, or
- the subject strings, or
- the date interval the email(s) fall into.
Unfortunately, Exchange 2013 can't restore a subfolder in your mailbox. Find out why here.
"This seems like it would be a simple enhancement into the cmdlet since the attribute exists on the mail item object. It would be my vote to make this enhancement since it makes single-item restores almost worthless if a folder is accidentally deleted. [...] Thanks for making my life more difficult than it needs to be Microsoft."
(/me also grateful.)

Clearing a Recoverable Items folder while single item recovery is enabled is a bit problematic. See "Use the Shell to clean up the Recoverable Items folder for mailboxes that are placed on hold or have single item recovery enabled".

Easiest way to export only the Recoverable Items Folder from the mailbox to a .pst:
New-MailboxExportRequest -mailbox joecool -filepath \\localhost\backup\joe.pst -IncludeFolders "Recoverable Items"
Another interesting method is explained here, using In-Place eDiscovery, but there are some limitations. According to MS: "You can use In-Place eDiscovery in the Exchange admin center (EAC) to search for missing items. However, when using the EAC, you can’t restrict the search to the Recoverable Items folder. Messages matching your search parameters will be returned even if they’re not deleted. After they’re recovered to the specified discovery mailbox, you may need to review the search results and remove unnecessary messages before recovering the remaining messages to the user’s mailbox or exporting them to a .pst file.
For details about how to use the EAC to perform an In-Place eDiscovery search, see Create an In-Place eDiscovery search. "
Frankly, I've never done a search like this in EAC. Instead, I do a similar thing in PowerShell:
First, search your RIF and put the results into the Discovery mailbox.
Search-Mailbox "Joe Cool" -SearchQuery "from:'Sam Knows' AND keyword1" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "JoeRecovery" -LogLevel Full
Second, search the Discovery mailbox again with the same phrase and put the results back into your user's (or anyone's) mailbox. The results will show up in a strange folder structure: at the top level there is a short report about the search with a .csv attached listing the matching items, and somewhere deep in the folders you will find the actual mails.
Search-Mailbox "Discovery Search Mailbox" -SearchQuery "from:'Sam Knows' AND keyword1" -TargetMailbox "Joe Cool" -TargetFolder "Recovered Messages" -LogLevel Full -DeleteContent
(Note the DeleteContent switch: it's important to clear up the Discovery Search Mailbox after yourself.)
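The first recovery step above can be wrapped so that the query is built from what the user remembers (sender, subject, date interval), the search is limited to Recoverable Items with -SearchDumpsterOnly, and an estimate runs before anything is copied. This is an added example, not part of the original post; the function names, the 500-item limit and the US-style date format are assumptions.

```powershell
# Added example, not from the original post. Function names and the $MaxItems
# limit are hypothetical; Search-Mailbox and its switches are Exchange's own.
function New-RecoveryQuery {
    param([string]$Sender, [string]$Subject, [datetime]$From, [datetime]$To)
    $inv = [cultureinfo]::InvariantCulture
    $terms = @()
    # Strip embedded double quotes so user-supplied text cannot break out of the KQL phrase
    if ($Sender)  { $terms += 'from:"{0}"'    -f $Sender.Replace('"', '') }
    if ($Subject) { $terms += 'subject:"{0}"' -f $Subject.Replace('"', '') }
    if ($PSBoundParameters.ContainsKey('From') -and $PSBoundParameters.ContainsKey('To')) {
        # Assumption: the server parses dates as MM/dd/yyyy (US regional settings)
        $terms += 'received:{0}..{1}' -f $From.ToString('MM/dd/yyyy', $inv), $To.ToString('MM/dd/yyyy', $inv)
    }
    if ($terms.Count -eq 0) { throw 'Empty query refused: it would match every item.' }
    $terms -join ' AND '
}

function Copy-PurgedItem {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$TargetMailbox = 'Discovery Search Mailbox',
        [string]$TargetFolder  = 'JoeRecovery',
        [int]$MaxItems = 500
    )
    # Dry run against Recoverable Items only: counts matches, copies nothing
    $estimate = Search-Mailbox -Identity $Mailbox -SearchQuery $Query -SearchDumpsterOnly -EstimateResultOnly
    Write-Host ("{0}: {1} item(s), {2}" -f $Mailbox, $estimate.ResultItemsCount, $estimate.ResultItemsSize)
    if ($estimate.ResultItemsCount -eq 0) { return }
    if ($estimate.ResultItemsCount -gt $MaxItems) {
        throw "Query matches more than $MaxItems items; narrow it before copying."
    }
    # Real run: copy the matches into the discovery mailbox, with a full log
    Search-Mailbox -Identity $Mailbox -SearchQuery $Query -SearchDumpsterOnly `
        -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full
}

# Constructed sample values
$q = New-RecoveryQuery -Sender 'Sam Knows' -From '2015-08-01' -To '2015-08-28'
Copy-PurgedItem -Mailbox 'Joe Cool' -Query $q
```

The same estimate-first pattern is worth applying before any Search-Mailbox run that carries -DeleteContent.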
Putting the results directly into a .pst:
New-MailboxExportRequest -Mailbox "Discovery Search Mailbox" -SourceRootFolder "April Stewart Recovery" -ContentFilter {Subject -eq "April travel plans"} -FilePath \\MYSERVER\HelpDeskPst\AprilStewartRecovery.pst

You can use the EstimateOnly switch to get only an estimate of the search results without copying them to a discovery mailbox. So, to just simulate a search and see what would actually happen (examples from Microsoft):
New-MailboxSearch "FY13 Q2 Financial Results" -StartDate "04/01/2013" -EndDate "06/30/2013" -SourceMailboxes "DG-Finance" -SearchQuery '"Financial" AND "Fabrikam"' -EstimateOnly -IncludeKeywordStatistics
Start-MailboxSearch "FY13 Q2 Financial Results"
Get-MailboxSearch "FY13 Q2 Financial Results" | FL Name,Status,LastRunBy,LastStartTime,LastEndTime,Sources,SearchQuery,ResultSizeEstimate,ResultNumberEstimate,Errors,KeywordHits

To check a user state:
Get-Mailbox "Joe Cool" | FL SingleItemRecoveryEnabled,RetainDeletedItemsFor
To enable a single user:
Set-Mailbox -Identity "Joe Cool" -SingleItemRecoveryEnabled $true
To enable everybody and raise the default retention time limit:
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Set-Mailbox -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30
Some more advanced search examples here.

How to destroy your mailboxes permanently


Just find your disconnected mailboxes:
Get-MailboxStatistics -Database "Database name" | where {$_.disconnectdate -ne $null} | select displayname,MailboxGUID

How to purge them:
Get-MailboxStatistics -Database <DB NAME> | where {$_.disconnectdate -ne $null} | select displayname,MailboxGUID
Remove-StoreMailbox -Database <Database-Name> -Identity <MailboxGUID-from-the-previous-cmdlet> -MailboxState Disabled
(Remove-StoreMailbox only works against disconnected and soft-deleted mailboxes!)

Remove all soft-deleted mailboxes:

Get-MailboxStatistics -Database MBD01 | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}
or
Get-MailboxStatistics -Database MDB01 | where {$_.DisconnectReason -eq "disabled"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState disabled -Confirm:$False}  
Hard delete a mailbox (no option to restore it from the actual database!):
Remove-Mailbox <Mailbox> -Permanent:$True
Search for specific (or all) emails and delete them from a mailbox:
Search-Mailbox -Identity "Joe Cool" -SearchQuery 'Subject:"Very important"' -DeleteContent
Search-Mailbox ...
or:
New-MailboxExportRequest -ContentFilter {(Received -lt '11/21/2013') -and (Received -gt '11/15/2013') -or (Sent -lt '11/21/2013') -and (Sent -ge '11/15/2013')} -Mailbox joecool -FilePath \\Server01\e$\Exports\joecool.pst
Search-Mailbox -Identity "Joe Cool" -DeleteContent
Purge both recoverable items and deletions:
Search-mailbox -identity joe.cool -SearchDumpsterOnly -DeleteContent
Check afterwards that it's OK:
Get-MailboxFolderStatistics -Identity "Joe Cool" -FolderScope RecoverableItems | Format-Table Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders -Auto

Wednesday, August 19, 2015

ntopng install on Debian Squeeze

If you are careless enough to just follow a step-by-step tutorial like this one while still on good old Squeeze, you will surely end up with a failing and buggy ntopng. E.g. you won't be able to see your newly created users (the users tab is totally empty: No Results Found) or you cannot switch between your monitored interfaces. If you start ntopng from a shell you may see something like this:
19/Aug/2015 13:28:28 [src/Redis.cpp:170] ERROR: ERR unknown command 'HSET' [HSET ntopng.host_labels ]
19/Aug/2015 13:28:28 [src/Redis.cpp:170] ERROR: ERR unknown command 'HSET' [HSET ntopng.host_labels ]
19/Aug/2015 13:28:30 [src/Redis.cpp:148] ERROR: ERR unknown command 'HGET'
19/Aug/2015 13:28:30 [src/Redis.cpp:148] ERROR: ERR unknown command 'HGET'
19/Aug/2015 13:28:30 [src/Redis.cpp:148] ERROR: ERR unknown command 'HGET'
19/Aug/2015 13:28:30 [src/Redis.cpp:148] ERROR: ERR unknown command 'HGET'
19/Aug/2015 13:28:36 [src/Redis.cpp:148] ERROR: ERR unknown command 'HGET'
19/Aug/2015 13:28:36 [src/Redis.cpp:148] ERROR: ERR unknown command 'HGET'
19/Aug/2015 13:28:36 [src/Redis.cpp:148] ERROR: ERR unknown command 'HGET'

This whole thing is because your Redis installation is out of date. Another nice thing about Debian Squeeze is that its repositories include Redis Version: 2:1.2.6-1. Simply fix that with:
echo "deb http://backports.debian.org/debian-backports squeeze-backports main" >> /etc/apt/sources.list
apt-get update
apt-get -t squeeze-backports install redis-server

Now it is:
redis-server                       2:2.4.15-1~bpo60+2    
How to reset your forgotten ntopng admin password.
You might not want to bother with compiling ntopng-2.0 packages on a simple standard Squeeze. In that case here are the x64 and x86 versions. You're welcome.