
CryptoLocker Decryption Service – helping to Decrypt Encrypted Files

As of 1 November 2013 I know there are lots of people affected by the CryptoLocker virus, and there are plenty of articles on the web about how to remove the virus, but what about the files that are already encrypted?

I have been bombarded with emails asking whether there is any way to decrypt these files, or how to decrypt CryptoLocker-encrypted files. To decrypt them you need the private key that matches the public key the malware used to encrypt them.

Below is an image from Microsoft depicting the process of asymmetric encryption.

[Image: asymmetric encryption diagram]

The bad news is that decryption is impossible without the private key, and that key is held only on the cybercriminals’ server.

Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.

Files targeted are those commonly found on most PCs today; the targeted file extensions include:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

The public key is generally located in your file and the private key is located on the CryptoLocker control server; the only way to get the private key is to find the control server and pay the ransom. After many hours of research, I have managed to contact the CryptoLocker control server and have helped others purchase the private key for their encrypted files, for people who never had any shadow copy or backup. After downloading the private key from the CryptoLocker control server at a cost, a very high cost, up to 9 BTC (equivalent to £2200 or $3,500), I did manage to decrypt these files.

[Image: desktop wallpaper of a CryptoLocker-infected PC]
 
Normally this is what you will see once you have been infected, or once you have removed the virus from your PC: your wallpaper will carry a message similar to the one in the image above.

Let’s say that your computer is infected with the malware, but you decide not to pay. You remove the malware and try to restore your files from backups or Shadow Copies. However, you might realise that this wasn’t the best choice: your backups might be broken or infected, or you might not have enough of them, and you conclude that it would have been best to pay the fee in the first place.

A new malware warning was issued this week alongside a CryptoLocker virus removal tool and decryption service. CryptoLocker, new malware running rampant on the web right now, has taken a multitude of users’ computers for ransom, demanding that those infected pay up or see their encrypted files disappear forever. However, things are getting worse: a new warning for the malware has emerged, and the ransom is getting higher. Not only are the makers of CryptoLocker demanding money for the private key to decrypt your files; if you don’t pay before the 72-hour time limit, the amount goes up from two or three hundred dollars to $3,500 or more.

The screens below show how the process works. You will not be able to reach the control server from a normal web browser.

[Image: uploading an encrypted file to the CryptoLocker control server]
 
This screen lets you upload one encrypted file and check it against the CryptoLocker control server database.

[Image: order number and key pair creation time]
 
Once the file is uploaded, the server displays an order number and the key pair creation time, and searches its database for a public key matching the one embedded in the file.

[Image: placing an order]
 
When a match is found, it displays your public key and how much the private key will cost you in BTC.

 

[Image: downloading the private key and decrypter]
 
Once the payment is processed, this screen displays your public key and private key, with a link to download a decrypter for your private key. The decrypter is unique to your key pair.

“This service allows you to purchase the private key and decrypter for files encrypted by CryptoLocker. If you already purchased the private key using CryptoLocker, then you can download the private key and decrypter for free,” reads a notice posted on the website. However, the trick is that it’s far more expensive to use the Decryption Service than it would have been to pay up in the first place. When a computer is infected with CryptoLocker, victims are asked to pay 2 Bitcoins to have their files restored; using this service costs 10 Bitcoins or more. Of course, you shouldn’t pay up if your computer is infected with CryptoLocker, but there might be scenarios in which victims simply have no other choice. The best thing to do is to avoid falling victim in the first place: keep backups of your most important files, keep your antivirus and other software up to date, and avoid opening links or email attachments that look suspicious.

I do not recommend that anyone pay the ransom, but if, as a last resort, you decide to pay, then I can try to help with the process. I have set up a CryptoLocker test lab with an email address “xxxx at gmail dot com” for anyone who needs help decrypting their files. All I need is one of the encrypted files emailed to me at “xxxx at gmail dot com”; once I have the file I can try to contact one of the control servers and find the public key, the date the key pair was created, and how much it will cost to get the private key.

I do not ask for any money for contacting the CryptoLocker control server and uploading your file to search for the private key. If a match is found I will email you back with the public key, the date the key pair was created and the cost; this process can take 24 to 48 hours. [Due to time constraints I have stopped taking any further CryptoLocker queries.]

Please make sure you have tried everything before sending the files, because it can be very expensive: I have seen ransoms paid of up to £2500 ($3850).
Have you tried Volume Shadow Copy or ShadowExplorer to restore your files? See my post at http://blog.shiraj.com/2013/10/shadowexplorer-how-to-use/; this could save you a lot of money.

-----

UPDATE [December 10, 2013: 17:50]: Unfortunately, I have lost my connection to the CryptoLocker server; I believe it has been taken down. Until I track down another command and control server I can’t help anyone with getting the private key. I will post any further updates on this page.

UPDATE [December 11, 2013: 10:50]: I have a connection to another command and control server.

 


Redirecting OWA URL in Exchange 2010


The goal is to redirect requests that don’t go to https://owa.customer.com/owa (or /exchange) to the correct URL, so that someone who browses to http://owa.customer.com or https://owa.customer.com lands on the correct (secure) URL. Historically I’ve always done this with two components:

  • A custom website listening on Port 80 on each CAS server
  • A default.aspx file in the root of the Default Web Site redirecting to /owa

This approach no longer works with Exchange 2010 CAS because the PowerShell virtual directory actually operates over port 80 (authentication is Kerberized, so it does not rely on SSL). If you tinker with this, you’ll start getting errors from Remote PowerShell like this:

VERBOSE: Connecting to casarray01.customer.com
[casarray01.customer.com] The WinRM service cannot process the request because the request needs to be sent to a different machine. Use the redirect information to send the request to a new machine.  Redirect location reported: https://owa.customer.com/owa/PowerShell. To automatically connect to the redirected URI, verify “MaximumConnectionRedirectionCount” property of session preference variable “PSSessionOption” and use “AllowRedirection” parameter on the cmdlet.
+ CategoryInfo          : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [], PSRemotingTransportRedirectException
+ FullyQualifiedErrorId : PSSessionOpenFailed

To work around this, use the HTTP Redirection feature in IIS (the default.aspx trick mentioned above should work too), and remove the SSL requirement at the top-level Default Web Site object. Be careful here: when you set a property on the web site, IIS pushes it down to every virtual directory below that does not explicitly set that property itself. To set up the redirect, select the Default Web Site in IIS Manager and open the HTTP Redirect option under IIS. Complete it like this:

[Image: HTTP Redirect settings on the Default Web Site, destination https://owa.customer.com/owa]

Warning: It’s very important that you check the checkboxes exactly as shown in the screenshot above!

Once this step is complete, you need to remove the enforced redirect from each of the virtual directories under the Default Web Site. To do this, select each virtual directory individually, and then open the HTTP Redirect property and uncheck the “Redirect requests to this destination” checkbox. You’ll need to do this on the following virtual directories:

  • aspnet_client
  • Autodiscover
  • ecp
  • EWS
  • Microsoft-Server-ActiveSync
  • OAB
  • PowerShell
  • Rpc
Note: The Exchange, Exchweb, and Public virtual directories should redirect to /owa.

If at this point you simply browse to http://casarray01.customer.com, you’ll get an HTTP 403.4 error, because SSL is still required at the top-level web site. To get the redirect working, SSL has to be disabled for the top-level web site while remaining enabled for the relevant child virtual directories.

Select the Default Web Site and open the SSL Settings properties. Uncheck the Require SSL checkbox as shown below:

[Image: SSL Settings on the Default Web Site with Require SSL unchecked]

Like the redirection settings, this change will be inherited down the tree for any virtual directory which does not explicitly set the setting independently. Ensure that SSL is required for the following virtual directories:

  • Autodiscover
  • ecp
  • EWS
  • Microsoft-Server-ActiveSync
  • OAB
  • owa
  • Rpc
Warning: If you require SSL for the PowerShell virtual directory, you will render Remote PowerShell inoperable!

Once you’ve configured the redirection and SSL settings, open a command prompt and run iisreset. At this point you should be able to browse to http://localhost on the CAS server and get redirected to https://owa.customer.com/owa. These steps were tested on Windows Server 2008 R2. While they should be similar under Windows Server 2008, they may not be identical.
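The same configuration applied from PowerShell with the WebAdministration module, followed by a check that port 80 now answers with a redirect and that /PowerShell has not picked up an SSL requirement. This is an added example, not code from the original post; the site name, host name and the two lists of virtual directories are the ones given above, while the exactDestination/childOnly redirect options are assumptions because the screenshot is not reproduced here.

```powershell
# Added example (not from the original post). Run elevated on each CAS server.
Import-Module WebAdministration

$site    = 'Default Web Site'
$owaUrl  = 'https://owa.customer.com/owa'
$appHost = 'MACHINE/WEBROOT/APPHOST'

# 1. Site-level redirect to /owa. Every child vdir inherits this unless it overrides it.
$redir = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redir -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redir -Name destination -Value $owaUrl
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redir -Name exactDestination -Value $true   # assumption
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $redir -Name childOnly -Value $false         # assumption

# 2. Switch the inherited redirect off on every Exchange vdir that must keep serving content.
$noRedirect = 'aspnet_client','Autodiscover','ecp','EWS','Microsoft-Server-ActiveSync','OAB','PowerShell','Rpc'
foreach ($vdir in $noRedirect) {
    Set-WebConfigurationProperty -PSPath $appHost -Location "$site/$vdir" -Filter $redir -Name enabled -Value $false
}

# 3. Drop "Require SSL" at the site so plain HTTP can be answered with the redirect ...
$access = 'system.webServer/security/access'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $access -Name sslFlags -Value 'None'

# ... and pin it back on for the vdirs that carry credentials. PowerShell is deliberately
# absent from this list: requiring SSL there breaks Remote PowerShell, as the post warns.
# 'Ssl' is the minimum; if a vdir already carried extra flags (e.g. SslNegotiateCert) keep them.
$requireSsl = 'Autodiscover','ecp','EWS','Microsoft-Server-ActiveSync','OAB','owa','Rpc'
foreach ($vdir in $requireSsl) {
    Set-WebConfigurationProperty -PSPath $appHost -Location "$site/$vdir" -Filter $access -Name sslFlags -Value 'Ssl'
}

iisreset | Out-Null

# 4. Verify. HttpWebRequest with AllowAutoRedirect = $false hands back the 3xx response
#    instead of following it, so we can read the status and Location header.
function Test-OwaRedirect {
    param([string]$Url = 'http://localhost/')
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    $result = [pscustomobject]@{
        Status   = [int]$resp.StatusCode        # expect 301 or 302
        Location = $resp.Headers['Location']    # expect https://owa.customer.com/owa
    }
    $resp.Close()
    return $result
}
Test-OwaRedirect

# Must print 'None' (or at least not contain 'Ssl'), otherwise Remote PowerShell will fail.
Get-WebConfigurationProperty -PSPath $appHost -Location "$site/PowerShell" -Filter $access -Name sslFlags
```

If step 4 shows a 403.4 instead of a redirect, the site-level Require SSL is still set; if Remote PowerShell breaks afterwards, the last line will show why.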


Can’t download Offline Address Book, either it hangs or get error (HRESULT: 0x80070005)

Symptom: Outlook cannot download the Offline Address Book. The download either hangs or fails with HRESULT: 0x80070005.

Troubleshooting process:

In Outlook, CTRL + right-click the Outlook icon in the notification area and choose “Test E-Mail AutoConfiguration”. Type the email address and password, untick “Use Guessmart” and “Secure Guessmart Authentication”, and run the test.

Once the test completes, click the XML tab and look for the <OABUrl> element. It should look something like:

<OABUrl>https://webmail.mycompany.co.uk/OAB/7cf12789-0f60-4c83-9f24-c42637ca00e8/</OABUrl>

Now copy that URL, append OAB.xml, and paste it into Internet Explorer, e.g. https://webmail.mycompany.co.uk/OAB/7cf12789-0f60-4c83-9f24-c42637ca00e8/OAB.xml

The webpage should contain lots of XML data.

If you don’t see the XML data, check whether the file exists at the install location on the CAS server, e.g. C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\7cf12789-0f60-4c83-9f24-c42637ca00e8\OAB.xml

If OAB.xml exists, try the CAS server’s own name instead of the load-balanced/external name in Internet Explorer, e.g. https://glob-srv-cas3.abc.mycompany.co.uk/OAB/7cf12789-0f60-4c83-9f24-c42637ca00e8/oab.xml

If instead you get the IIS 7.0 error “HTTP Error 500.19 – Internal Server Error”, look up the error code in KB942055 (http://support.microsoft.com/kb/942055) for the matching resolution.

In my case the error was HRESULT: 0x80070005, and the fix below came from:

http://support.microsoft.com/kb/2429946
http://support.microsoft.com/kb/942055

Grant the Read permission to the IIS_IUSRS group for the ApplicationHost.config file or for the Web.config file.

To do this, follow these steps:

  1. In Windows Explorer, locate the folder that contains the ApplicationHost.config file associated with the web site, or the virtual or application directory that contains the Web.config file associated with the web site. (In my case it was IIS -> Site -> Default Web Site -> OAB.)
     Note: the Web.config file may not be present in the virtual or application directory in IIS. Even then, follow these steps.
  2. Right-click the folder that contains the ApplicationHost.config file, or right-click the virtual or application directory that may contain the Web.config file.
  3. Click Properties, click the Security tab, and then click Edit.
  4. Click Add. In the “Enter the object names to select” box, type computername\IIS_IUSRS (computername is a placeholder for the computer name), click Check Names, and then click OK.
  5. Select the Read check box, and then click OK.
  6. In the Properties dialog box for the folder, click OK.

Note: make sure the folder’s permissions are inherited by the ApplicationHost.config and Web.config files so that IIS_IUSRS has Read permission on those files.
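The troubleshooting path above, run from the Exchange Management Shell on a CAS server instead of by hand. This is an added example, not code from the original post; the OAB GUID, host names and install path are the ones quoted above, and the ACL check is the KB942055 fix expressed as code. System.Net.WebClient is used for the fetch so the script also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell on the CAS.
$oabGuid = '7cf12789-0f60-4c83-9f24-c42637ca00e8'
$oabRoot = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB'
$casHost = 'glob-srv-cas3.abc.mycompany.co.uk'

# 1. The URL Autodiscover hands out (same value the Outlook test shows in <OABUrl>).
Get-OabVirtualDirectory | Select-Object Server, InternalUrl, ExternalUrl

# 2. Is the generated OAB actually on disk where the vdir points?
$oabXml = Join-Path (Join-Path $oabRoot $oabGuid) 'OAB.xml'
Test-Path $oabXml

# 3. Can IIS serve it from this CAS directly? (bypasses load balancer / external name)
#    The certificate is for the external name, so validation is switched off for this
#    local test only; a 500.19 or 401/403 here points at IIS config, not at Autodiscover.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
try {
    $body = $wc.DownloadString("https://$casHost/OAB/$oabGuid/oab.xml")
    "served OK, {0} bytes" -f $body.Length
} catch {
    $_.Exception.Message
}

# 4. The 0x80070005 case: IIS_IUSRS needs Read on the folder holding web.config /
#    applicationHost.config. Returns $true when an Allow ACE for IIS_IUSRS grants Read.
function Test-IisUsrsRead {
    param([string]$Path)
    $readBit = [System.Security.AccessControl.FileSystemRights]::Read
    $hit = (Get-Acl $Path).Access | Where-Object {
        $_.IdentityReference -like '*\IIS_IUSRS' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readBit) -ne 0)
    }
    return [bool]$hit
}
Test-IisUsrsRead $oabRoot
Test-IisUsrsRead "$env:windir\System32\inetsrv\config\applicationHost.config"

# Grant Read with inheritance to the files below (the KB steps) only when the check fails.
if (-not (Test-IisUsrsRead $oabRoot)) {
    $acl  = Get-Acl $oabRoot
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:COMPUTERNAME\IIS_IUSRS", 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $oabRoot -AclObject $acl
}
```

Checking applicationHost.config as well as the OAB folder matters because KB942055 names either file; the Outlook-side error is the same whichever one IIS cannot read.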


ShadowExplorer – How to use

ShadowExplorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 Volume Shadow Copy Service. It is intended especially for users of the Home editions, who don’t have access to the shadow copies by default, but it’s also useful for users of the other editions.

Shadow Copy

From time to time, Windows Vista / 7 / 8 creates point-in-time copies of your files. This allows you to retrieve older versions of files you accidentally deleted or altered. The service is turned on by default on all versions of Windows Vista / 7, but Microsoft exposes these copies in the user interface only in the Ultimate, Business and Enterprise editions. This is where ShadowExplorer comes into play. For more information on Shadow Copy, visit Microsoft’s website.

Manual

  1. After successfully installing ShadowExplorer, you can find a shortcut on your desktop or in your Start menu. From version 0.5 onwards, running ShadowExplorer no longer requires administrative privileges. However, in certain circumstances it can be helpful to run ShadowExplorer with elevated privileges (right-click, Run as administrator).
  2. Optional: if you start ShadowExplorer as administrator, the first thing you see is the User Account Control prompt requesting administrator privileges.
  3. This is what ShadowExplorer looks like if everything works correctly.
  4. From the drop-down list you can select one of the available point-in-time Shadow Copies.
  5. You can right-click any file or folder and export it.
  6. Then you can choose a folder where the files from the Shadow Copy are saved to.
  7. A progress bar shows the status of the retrieval process.
  8. If a file or folder already exists in the destination directory, ShadowExplorer asks for confirmation before overwriting. If you set the “Do not show this dialog again” check box, it won’t be shown again!
  9. There is a button in the settings dialog (File, Settings) to reset this decision.
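The same point-in-time copies can be reached without a third-party tool, which is useful on a machine you would rather not install anything on. This is an added example, not ShadowExplorer’s code or code from the original post: it lists the VSS snapshots through WMI, exposes one as a directory junction with mklink, and copies a single file out of it, refusing to overwrite an existing destination just as ShadowExplorer prompts before overwriting. Run it elevated. The mount point, the file path and the choice of snapshot are assumptions.

```powershell
# Added example (not from ShadowExplorer or the original post). Run as administrator.

function Get-ShadowCopies {
    # Oldest first; InstallDate is a DMTF timestamp string, which sorts chronologically.
    Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate | Select-Object ID,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.InstallDate) } },
        VolumeName,
        DeviceObject      # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory = $true)][string]$ID,    # value of the ID column above, braces included
        [string]$MountPoint = 'C:\shadow'              # assumption
    )
    if (Test-Path $MountPoint) { throw "$MountPoint already exists" }
    $sc = Get-WmiObject Win32_ShadowCopy -Filter "ID='$ID'"
    if (-not $sc) { throw "no shadow copy with ID $ID" }
    # The trailing backslash on the device path is required or the junction is unusable.
    cmd /c mklink /d $MountPoint "$($sc.DeviceObject)\" | Out-Null
    return $MountPoint
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory = $true)][string]$MountPoint,
        [Parameter(Mandatory = $true)][string]$RelativePath,   # path as it was on the volume, without drive letter
        [Parameter(Mandatory = $true)][string]$Destination
    )
    $src = Join-Path $MountPoint $RelativePath
    if (-not (Test-Path $src))    { throw "not present in this snapshot: $RelativePath" }
    if (Test-Path $Destination)   { throw "refusing to overwrite $Destination" }
    New-Item -ItemType Directory -Force -Path (Split-Path $Destination) | Out-Null
    Copy-Item -Path $src -Destination $Destination
    return $Destination
}

# Usage: list what exists, mount the oldest snapshot (the one most likely to predate the
# damage), pull one file, then remove the junction (this does not touch the snapshot).
$copies = Get-ShadowCopies
if (-not $copies) { throw 'no shadow copies on this machine; nothing to restore from' }
$copies | Format-Table Created, VolumeName, DeviceObject -AutoSize

$mp = Mount-ShadowCopy -ID ($copies | Select-Object -First 1).ID
Restore-FromShadow -MountPoint $mp -RelativePath 'Users\alice\Documents\budget.xlsx' `
                   -Destination 'D:\restored\budget.xlsx'   # paths are assumptions
cmd /c rmdir $mp
```

Restore to a different drive or folder than the original, as the example does: the point of the exercise is to keep the snapshot and the live volume apart until you have confirmed the recovered file opens.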

A database availability group administrative operation failed.


PROBLEM

You attempt to create a Database Availability Group (DAG) in Exchange 2010 and the wizard fails with the following error message:

Error:

A database availability group administrative operation failed. Error: Failed to add or remove the Failover-Clustering feature. Error: ArgumentNotValid: invalid role, role service or feature: ‘Failover-Clustering;. The name was not found

or

Error: A server-side database availability group administrative operation failed. Error: The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: Failed to add or remove the Failover-Clustering feature. Error: ArgumentNotValid: Invalid role, role service, or feature: ‘Failover-Clustering’. The name was not found.

CAUSE

This happens if you attempt to create a DAG on an Exchange server installed on Windows Server 2008 Standard edition.

Although DAG high availability is available in Exchange 2010 Standard, the underlying Windows operating system still has to be Enterprise or Datacenter edition, because the Standard edition of Windows does not include the Failover Clustering feature that a DAG is built on.

SOLUTION

Upgrade your Windows Server Standard installation to Enterprise or Datacenter edition.
Because all Windows Server 2008 editions share the same code base, you can convert an existing installation in place with the built-in Deployment Image Servicing and Management utility (DISM).
Start/ All Programs / Accessories. Right click the Command Prompt and select Run As Administrator

To convert your Windows Server 2008 R2 Standard installation to Enterprise:
DISM /online /Set-Edition:ServerEnterprise /ProductKey:489J6-VHDMP-X63PK-3K798-CPX3Y

To convert your Windows Server 2008 R2 Standard installation to Datacenter:
DISM /online /Set-Edition:ServerDatacenter /ProductKey:74YFP-3QFB3-KQT8W-PMXWJ-7M648

The keys given are the public KMS client setup keys and can only be used for the conversion. After the conversion (and the reboot it requires) you will need a regular product key to activate the Windows Server product.
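A check to run before and after the conversion, so that you only convert when the edition really is the cause and can confirm afterwards that the feature the DAG wizard was looking for now exists. This is an added example, not code from the original post; it uses only DISM’s /Get-CurrentEdition and /Get-TargetEditions switches and the ServerManager module’s Get-WindowsFeature, and leaves the product keys out on purpose.

```powershell
# Added example (not from the original post). Run elevated on the would-be DAG member.
Import-Module ServerManager

function Get-DagPrereqState {
    $os = Get-WmiObject Win32_OperatingSystem
    # On Standard the feature is not in the catalogue at all, which is exactly what the
    # wizard's "Failover-Clustering ... The name was not found" error is reporting.
    $fc = Get-WindowsFeature Failover-Clustering -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Edition                  = $os.Caption                  # e.g. "Microsoft Windows Server 2008 R2 Standard"
        FailoverClusteringListed = [bool]$fc
        FailoverClusteringInstalled = if ($fc) { $fc.Installed } else { $false }
    }
}

Get-DagPrereqState
dism /online /Get-CurrentEdition
dism /online /Get-TargetEditions     # lists ServerEnterprise / ServerDatacenter when an in-place path exists

# Then run the DISM /Set-Edition command from the post with the matching KMS client key,
# reboot, and re-check. FailoverClusteringListed must now be $true; the DAG wizard will
# install the feature itself when the server is added to the DAG.
Get-DagPrereqState
```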


Exchange 2010 & iPhone Active Sync Issue

I’ve spent the last few weeks migrating to Windows Server 2008 R2 and Exchange 2010 from two different forests. The last thing was users calling me with iPhones not working and not syncing, with the event below logged on my Exchange 2010 server.

– System – Provider [ Name] MSExchange ActiveSync
-EventID 1053 [ Qualifiers] 49156 Level 2 Task 2 Keywords 0x80000000000000
– TimeCreated [ SystemTime] 2013-09-17T13:54:30.000000000Z
EventRecordID 34801 Channel Application Computer LOB-SRV-EXCH01.arc.company.co.uk Security
– EventData CN=Richard Hnderson,OU=Users,OU=M,OU=Area,DC=arc,DC=company,DC=co,DC=uk Active Directory operation failed on LOB-SRV-DC01.arc.company.co.uk. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


or in Mobile / Apple device you get error “Cannot Get Mail, connection to server failed”

The workaround was pretty simple, though it took me some time trawling through external and internal knowledge base articles.

Here’s how I managed to get it sorted –

On a Domain Controller, Click on Start/All Programs/Administrative Tools/Active Directory Users and Computers

advance features

Click on View and Select Advanced Features

Select a mailbox that isn’t working with Active Sync, double click on the account, Select the Security Tab and then the Advanced Button.

security settings

Select Exchange Servers, tick “Include inheritable permissions from this object’s parent”, then click Apply and OK.

inheritable permission

I believe this is a bug; who knows if it will ever get fixed in a future update. This resolved my users’ iPhone sync issue.

I have also noticed that for a couple of users the above change alone didn’t work, so I made the additional changes below from http://support.microsoft.com/kb/2579075.

Assign the Exchange Servers group the right to change permissions against msExchActiveSyncDevices objects. To do this, follow these steps:

  1. Start Active Directory Users and Computers.
  2. Click View, and then click to enable Advanced Features.
  3. Right-click the object where you want to change the Exchange Server permissions, and then click Properties. Note: you can change permissions against a user, an organizational unit, or a domain.
  4. On the Security tab, click Advanced.
  5. Click Add, type Exchange Servers, and then click OK.
  6. In the Apply to box, click Descendant msExchActiveSyncDevices objects.
  7. Under Permissions, click to enable Modify Permissions.
  8. Click OK three times.

Also make sure the user inherits permissions granted to domain\Exchange Servers that allow List, Create child and Delete child for the object type “msExchActiveSyncDevices”, and that no Deny permission blocks those operations.


UPDATE: If you still can’t get the device to connect, you may be exceeding the number of ActiveSync devices allowed for the mailbox. Check first how many devices are syncing: in Exchange 2010 open the Exchange Management Console, select the mailbox, then choose Manage Mobile Phone.

Remove all devices that haven’t tried to sync in the past 30 days:

Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSyncAttemptTime -lt (Get-Date).AddDays(-30)} | Remove-ActiveSyncDevice

If that errors, pass each device’s GUID to Remove-ActiveSyncDevice explicitly and suppress the confirmation prompt:

$DevicesToRemove = Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSuccessSync -le (Get-Date).AddDays(-30)}
$DevicesToRemove | foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -Confirm:$false}

Remove a single mailbox’s devices that haven’t synced in the past 30 days:

$DevicesToRemove = Get-ActiveSyncDevice -Mailbox shiraj.ali -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSuccessSync -le (Get-Date).AddDays(-30)}
$DevicesToRemove | foreach-object {Remove-ActiveSyncDevice ([string]$_.Guid) -Confirm:$false}

How to speed up a large Exchange 2010 Migration

Throttling the Mailbox Replication Service

On your CAS server, open C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe.config in a text editor such as Notepad and you will see the following settings at the bottom of the config file.

By default, the CAS servers are set to:

MaxActiveMovesPerSourceMDB="5"
MaxActiveMovesPerTargetMDB="2"
MaxActiveMovesPerSourceServer="50"
MaxActiveMovesPerTargetServer="5"
MaxTotalMovesPerMRS="100"
 

Essentially, these settings allow only 5 concurrent moves out of any one source database, 2 concurrent moves into any one target database, 50 per source server, 5 per target server, and 100 moves in total per MRS instance (i.e. per CAS server). If you are running high-end disk or have IOPS to spare, you can change the settings to:

MaxActiveMovesPerSourceMDB="15"
MaxActiveMovesPerTargetMDB="15"
MaxActiveMovesPerSourceServer="50"
MaxActiveMovesPerTargetServer="40"
MaxTotalMovesPerMRS="250"

Once changed, you must restart the Microsoft Exchange Mailbox Replication service on each CAS server you edited. Note that this config file is replaced by service packs and update rollups, so the change has to be re-applied after patching.

source: http://technet.microsoft.com/en-us/library/ff963524.aspx
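The same edit made as XML rather than by hand, with a dated backup of the file and the previous values returned so they can be put back after the migration. This is an added example, not code from the original post; the attribute names and values are the ones quoted above, the element name MRSConfiguration is what the file uses on Exchange 2010 (verify against your own copy before running), and the service name is the real one, MSExchangeMailboxReplication.

```powershell
# Added example (not from the original post). Run elevated on each CAS server.
$cfg = 'C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe.config'

# Values from the post for hosts with IOPS to spare.
$fast = @{
    MaxActiveMovesPerSourceMDB    = 15
    MaxActiveMovesPerTargetMDB    = 15
    MaxActiveMovesPerSourceServer = 50
    MaxActiveMovesPerTargetServer = 40
    MaxTotalMovesPerMRS           = 250
}

function Set-MrsThrottling {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][hashtable]$Values
    )
    Copy-Item -Path $Path -Destination ("{0}.{1}.bak" -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
    [xml]$doc = Get-Content -Path $Path
    $node = $doc.SelectSingleNode('//MRSConfiguration')    # element name: assumption, check your file
    if (-not $node) { throw "MRSConfiguration element not found in $Path" }

    $previous = @{}
    foreach ($name in $Values.Keys) {
        $previous[$name] = $node.GetAttribute($name)
        $node.SetAttribute($name, [string]$Values[$name])
    }
    $doc.Save($Path)
    return $previous     # keep this; pass it back into Set-MrsThrottling when the migration is done
}

$defaults = Set-MrsThrottling -Path $cfg -Values $fast
Restart-Service MSExchangeMailboxReplication

# Confirm the moves are now fanning out across more than the old limits.
Get-MoveRequest | Get-MoveRequestStatistics | Group-Object Status | Select-Object Name, Count

# After the migration: Set-MrsThrottling -Path $cfg -Values $defaults ; Restart-Service MSExchangeMailboxReplication
```

Raising MaxActiveMovesPerTargetMDB to 15 puts fifteen concurrent mailbox writes on one database; watch the copy and replay queue lengths on the target if it is a DAG member before leaving the higher values in place.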

 


Creating Exchange 2010 Relay for Anonymous

This example uses the New-ReceiveConnector cmdlet to create a Receive connector named Relay Mail that listens on local IP address 192.168.10.1, port 25, and accepts connections only from the source server at IP address 192.100.2.30.

New-ReceiveConnector -Name "Relay Mail" -Usage Custom -PermissionGroups AnonymousUsers -Bindings 192.168.10.1:25 -RemoteIpRanges 192.100.2.30

Use the Shell to grant relay permission to anonymous connections on the new Receive connector

Note: You can’t use the EMC to perform this task.

This example retrieves the specified Receive connector information and pipes the result to the Add-ADPermission cmdlet to grant relay permission to anonymous connections on the new Receive connector.

Get-ReceiveConnector "Relay Mail" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
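Before letting applications use the connector, confirm what it actually permits: the relay right is granted to ANONYMOUS LOGON, so the only thing standing between this connector and an open relay is RemoteIPRanges. This is an added example, not code from the original post; the connector name, binding and source IP are the ones above, while the sender and recipient addresses used for the test message are assumptions.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$name = 'Relay Mail'
$rc   = Get-ReceiveConnector $name

# 1. Scope. RemoteIPRanges must be the short list of known hosts, never 0.0.0.0-255.255.255.255.
$rc | Format-List Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# 2. Which connectors in the org let ANONYMOUS LOGON relay? Only "Relay Mail" should appear.
Get-ReceiveConnector | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like '*Ms-Exch-SMTP-Accept-Any-Recipient*' -and -not $_.Deny } |
    Select-Object Identity, ExtendedRights

# 3. End to end. Run once from the allowed host (192.100.2.30): expect 'accepted'.
#    Run once from any host NOT in RemoteIPRanges: expect "550 5.7.1 Unable to relay".
#    Anything else from the second host means the connector is an open relay.
function Test-Relay {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$From,
        [Parameter(Mandatory = $true)][string]$To
    )
    try {
        Send-MailMessage -SmtpServer $Server -From $From -To $To -Subject 'relay test' -Body 'relay test'
        return 'accepted'
    } catch {
        return $_.Exception.Message
    }
}
Test-Relay -Server '192.168.10.1' -From 'app@customer.com' -To 'someone@example.com'   # addresses assumed
```

Because the external recipient is what proves relaying (a local recipient would be accepted by any connector), use a mailbox you control at another domain for the test rather than a guessed address.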

Exchange Server 2010 Database Availability Groups

Other Advantages of Exchange Server 2010 Database Availability Groups

Before we proceed with an example of how to install an Exchange Server 2010 DAG I will also mention some of the other advantages of Database Availability Groups.

  • Unlike previous versions of Exchange Server (particularly Exchange Server 2007) Exchange Server 2010 has just one high availability feature for Mailbox servers for all high availability deployment scenarios
  • When you create a Database Availability Group the underlying Windows Failover Cluster is automatically created and configured for you
  • A Database Availability Group can be created at any time without requiring Exchange Server 2010 to be removed and reinstalled from the server, unlike previous versions that required that clusters be established first before Exchange was installed
  • Exchange Server 2010 DAG members can host other server roles, unlike Exchange Server 2007 that prevented clustered Mailbox servers from hosting other roles

Exchange Server 2010 Installation Step by Step

In this tutorial I will demonstrate the installation of an Exchange Server 2010 Database Availability Group on Windows Server 2008 R2.

For this tutorial the following Exchange servers have already been installed.

  • EX1 – Exchange Server 2010 SP1 Mailbox server
    • Primary interface: 192.168.0.32/24
    • Secondary interface: 10.0.5.1/30
  • EX2 – Exchange Server 2010 SP1 Mailbox server
    • Primary interface: 192.168.0.33/24
    • Secondary interface: 10.0.5.2/30
  • EX3 – Exchange Server 2010 SP1 Client Access and Hub Transport server
    • Primary interface: 192.168.0.34/24

Note: for details of how to deploy these server roles see Installing Exchange Server 2010 Pre-requisites on Windows Server 2008 R2 and Installing Exchange Server 2010.

Exchange Server 2010 DAG Tutorial Setup


Each of the Mailbox servers has been configured with its own mailbox database.

  • EX1 – Mailbox Database 01
  • EX2 – Mailbox Database 02

Note: in Exchange Server 2010 each mailbox database must have a unique name within the organization.

Because the Mailbox servers are configured with dual interfaces, it is important to make sure that the secondary interface does not register itself in DNS. Open the TCP/IPv4 properties for the secondary interface on each server, click the Advanced button, go to the DNS tab and untick “Register this connection’s addresses in DNS”.

Open the Advanced TCP/IPv4 Properties


Disable DNS registration for the secondary interface


Creating the Database Availability Group

Log in to one of the Mailbox servers and launch the Exchange Management Console.  Navigate to Organization Config/Mailbox and choose New Database Availability Group from the action pane.

Create a new Exchange Server 2010 Database Availability Group


When the New Database Availability Group wizard starts give the DAG a name, specify the Witness server, and also specify the file path for the Witness server to use.

New Database Availability Group Wizard - Basic Info


Click on the New button to create the new Database Availability Group, and then click Finish to close the wizard.

Adding Database Availability Group Members

Right-click the newly created Database Availability Group and choose Manage Database Availability Group Membership.

Manage Database Availability Group Members


Click the Add button and select the Mailbox servers that you wish to make members of the DAG.

Select Mailbox Servers to become Database Availability Group Members


Click the Manage button to commence adding the Mailbox servers to the DAG.  This involves installation and configuration of Windows Failover Clustering on the servers, so it can take a few minutes to finish.

After it has finished the next step is to configure the DAG networking.

Configure Database Availability Group Networking

Right-click the newly created Database Availability Group and choose Properties.

Open the Properties of the Database Availability Group


Select the IP Addresses tab, click the Add button and add a static IP address for the Database Availability Group.

Adding IP addresses to an Exchange Server 2010 Database Availability Group


You will notice that the Database Availability Group has been automatically configured with DAG networks for the subnets that the DAG members have network interfaces connected to.

Exchange Server 2010 Database Availability Group Networks


Open the Properties of each DAG network and give them meaningful names. If you have a dedicated replication network for the DAG, disable replication on the DAG network that is intended for MAPI communications (i.e. client connections), so that log shipping stays off the client-facing subnet.

Exchange Server 2010 Database Availability Group Networks Configured


Adding Mailbox Database Copies to DAG Members

With the Database Availability Group established and the networking configured you can now add mailbox database copies to other DAG members.

In the Exchange Management Console navigate to Organization Config/Mailbox and choose the Database Management tab.  Right-click a mailbox database and select Add Mailbox Database Copy.

Adding a Mailbox Database Copy in Exchange Server 2010


Click the Browse button and choose the Mailbox server to add the database copy to.

Add Mailbox Database Copies to an Exchange Server 2010 Mailbox Server


Click the Add button to add the mailbox database copy and then click Finish to close the wizard.

The Exchange servers will now commence seeding the replica servers with an up to date copy of the database and all of the current transaction log files.  Depending on the amount of data to be replicated this may take some time.

Status of the Database Copies for Exchange Server 2010


Repeat the same process for any other mailbox databases you wish to add database copies for.

Configuration of the Exchange Server 2010 Database Availability Group is now complete.
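The same build from the Exchange Management Shell, including the DNS-registration change on the replication NIC and a final check of the copy status. This is an added example, not code from the original post: the server names, addresses, database names and subnets are those of the tutorial, while the DAG name, the witness server and directory, the DAG IP address and which auto-created network is MAPI versus replication are assumptions, since the wizard screenshots do not show them.

```powershell
# Added example (not from the original post). Steps 1 is run on EX1 and EX2; the rest
# can be run from any Exchange Management Shell.

# 1. Stop the 10.0.5.x replication NIC registering in DNS (WMI, because Set-DnsClient
#    does not exist on Windows Server 2008 R2). Arguments: full registration, domain registration.
$replNic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { ($_.IPAddress -contains '10.0.5.1') -or ($_.IPAddress -contains '10.0.5.2') }
if ($replNic) { $replNic.SetDynamicDNSRegistration($false, $false) | Out-Null }

# 2. Create the DAG. EX3 (CAS/HT, not a member) is a sensible witness; name/path/IP are assumptions.
New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer EX3 -WitnessDirectory 'C:\DAG1FSW' `
    -DatabaseAvailabilityGroupIpAddresses 192.168.0.40

# 3. Add the members. This installs and configures Failover Clustering on each server.
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer EX2

# 4. Inspect the auto-discovered networks, then name them and keep replication off the
#    MAPI subnet. Check the Subnets column before trusting the 01/02 mapping assumed below.
Get-DatabaseAvailabilityGroupNetwork -Identity DAG1 | Format-Table Name, Subnets, ReplicationEnabled -AutoSize
Set-DatabaseAvailabilityGroupNetwork -Identity 'DAG1\DAGNetwork01' -Name 'MAPI'        -ReplicationEnabled:$false   # 192.168.0.0/24
Set-DatabaseAvailabilityGroupNetwork -Identity 'DAG1\DAGNetwork02' -Name 'Replication' -ReplicationEnabled:$true    # 10.0.5.0/30

# 5. Add a copy of each database on the other member and watch seeding.
Add-MailboxDatabaseCopy -Identity 'Mailbox Database 01' -MailboxServer EX2
Add-MailboxDatabaseCopy -Identity 'Mailbox Database 02' -MailboxServer EX1

function Get-DagCopyHealth {
    param([string[]]$Servers = @('EX1', 'EX2'))
    foreach ($s in $Servers) {
        Get-MailboxDatabaseCopyStatus -Server $s |
            Select-Object Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState
    }
}
# Healthy end state: every copy Mounted or Healthy with both queue lengths near zero.
Get-DagCopyHealth
Test-ReplicationHealth -Identity EX1
Test-ReplicationHealth -Identity EX2
```

Run Get-DagCopyHealth again after the seeding time noted above; a copy that stays in Initializing or shows a growing CopyQueueLength usually means replication is trying to use the wrong network, which is what step 4 is there to prevent.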