The following tasks must be completed before deploying Netmail Archive in an Exchange environment:

Create a Service Account for Netmail Archive to Use

1. Know the UPN and Exchange alias for this account.

2. Ensure this account and the archive servers are in an OU that exempts them from GPOs and password policy changes.

3. Assign proper Active Directory rights to this account:

  • For Netmail Archive against Exchange 2010 or 2013, no elevated rights are required.
  • For Netmail Archive against Exchange 2007, Domain Admin rights are required.
  • In all cases, the service account must be a local administrator on each Archive server.
  • Ensure the account has access to all relevant network shares.

4. Assign proper Exchange rights to the service account:

  • For Exchange 2010 and 2013, the account should be a member of the Organization Management role group. If this level of privilege is not permissible, it can instead be made a member of View-Only Organization Management; in that case the ApplicationImpersonation role assignment must be created manually by the administrator:
New-ManagementRoleAssignment -Name:NMArchiveImpersonation -Role:ApplicationImpersonation -User "mydomain\netmail_svc"
  • For Exchange 2007, the process is more complicated. First, we need to use the ms-Exch-EPI-Impersonation permission to give the service account the ability to submit an impersonation call through each Client Access Server. To apply this to the service account against all your CAS servers, use the following Exchange Management Shell command:
Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity nmarchive | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

where nmarchive is the name of the service account used for Netmail Archive.

Now we must also use the ms-Exch-EPI-May-Impersonate permission to grant the service account access to specific mailboxes or to all mailboxes in a mailbox database. To apply this for the service account against all current mailbox databases, use the following Exchange Management Shell command:

Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User nmarchive -ExtendedRight ms-Exch-EPI-May-Impersonate}

For Exchange 2007, the requirement to add permissions for specific CAS servers and mailbox databases means that if new mailbox databases or CAS servers are added to the Exchange infrastructure, these impersonation rights will need to be granted for the new components as well.

For more information about configuring Exchange Impersonation for Exchange Server 2007, visit http://msdn.microsoft.com/en-us/library/bb204095%28EXCHG.80%29.aspx.
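Because the Exchange 2007 rights are granted per CAS server and per mailbox database, it is worth re-checking them whenever the infrastructure changes. The following Exchange Management Shell script is an added example (not Netmail's own tooling): it reports which CAS servers and databases still lack the extended rights for the service account, and on Exchange 2010/2013 checks the ApplicationImpersonation role assignment instead. It assumes the service account is named nmarchive, as in the commands above.

```powershell
# Added example (not from the Netmail documentation): audit the impersonation
# rights held by the Netmail Archive service account. Run in the Exchange
# Management Shell; "nmarchive" is an assumed service account name.
$ServiceAccount = "nmarchive"

function Test-ExtendedRight {
    param([string]$Identity, [string]$User, [string]$Right)
    # True if any ACE for $User on $Identity carries the named extended right.
    $aces = Get-ADPermission -Identity $Identity -User $User -ErrorAction SilentlyContinue
    foreach ($ace in $aces) {
        $rights = @($ace.ExtendedRights | ForEach-Object { $_.ToString() })
        if ($rights -contains $Right) { return $true }
    }
    return $false
}

if (Get-Command Get-ManagementRoleAssignment -ErrorAction SilentlyContinue) {
    # Exchange 2010/2013: impersonation is an RBAC role assignment, not an ACE.
    $assignment = Get-ManagementRoleAssignment -RoleAssignee $ServiceAccount `
        -Role ApplicationImpersonation -ErrorAction SilentlyContinue
    if ($assignment) {
        Write-Host "ApplicationImpersonation is assigned to $ServiceAccount ($($assignment.Name -join ', '))"
    } else {
        Write-Warning "$ServiceAccount has no ApplicationImpersonation role assignment"
    }
} else {
    # Exchange 2007: every CAS needs ms-Exch-EPI-Impersonation for the account ...
    $missingCas = @(Get-ExchangeServer |
        Where-Object { $_.IsClientAccessServer -eq $true } |
        Where-Object { -not (Test-ExtendedRight $_.DistinguishedName $ServiceAccount "ms-Exch-EPI-Impersonation") } |
        ForEach-Object { $_.Name })

    # ... and every mailbox database needs ms-Exch-EPI-May-Impersonate.
    $missingDb = @(Get-MailboxDatabase |
        Where-Object { -not (Test-ExtendedRight $_.DistinguishedName $ServiceAccount "ms-Exch-EPI-May-Impersonate") } |
        ForEach-Object { $_.Name })

    if ($missingCas.Count -gt 0) {
        Write-Warning ("CAS servers missing ms-Exch-EPI-Impersonation: " + ($missingCas -join ", "))
    }
    if ($missingDb.Count -gt 0) {
        Write-Warning ("Mailbox databases missing ms-Exch-EPI-May-Impersonate: " + ($missingDb -join ", "))
    }
    if ($missingCas.Count -eq 0 -and $missingDb.Count -eq 0) {
        Write-Host "Exchange 2007 impersonation rights are complete for $ServiceAccount"
    }
}
```

Run it again after adding a CAS server or mailbox database; any name it warns about needs the corresponding Add-ADPermission command from above.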

Supporting Software

1. PowerShell:

  • Must be installed on any server on which SyncAB will run.
  • The minimum version is v2.0.
  • Un-restrict the scripting capabilities:
Set-ExecutionPolicy unrestricted

2. For all Netmail Archive servers, verify prerequisites as per System Requirements for Netmail Archive.

3. Decide on an eDirectory tree. 

  • Netmail Archive will store its configuration in eDirectory containers. These containers can be part of your production tree or set up in an independent tree dedicated to Netmail. The latter option is recommended in most cases.
  • Whichever option is chosen, the eDirectory tree must be ready when the Netmail Archive installer is run.

4. Decide on a logging database.

  • Netmail Archive will log its jobs, traces, and reports in an SQL database.
  • Most SQL implementations are supported (e.g., MSSQL 2000/2008, MySQL, etc.).
  • The Netmail Archive installer will provide the option of installing PostgreSQL on the Master server (recommended).

Configure all CAS Servers in the Array

1. Autodiscover must be functional.

2. Know the names present on the CAS's certificate. These names are how the URL will be specified to reach the CAS for Addressbook Sync.

3. Enable Basic Authentication on the PowerShell vdir (virtual directory) in IIS.
    Test access from the command line:

$cred = Get-Credential
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionURI https://cas.domain.com/Powershell -Credential $cred -Authentication Basic -AllowRedirection
$importresults = Import-PSSession $s

This validates the service account credentials, the URL to the CAS, and the PowerShell authentication mechanism.

4. SSL settings on the EWS vdir (virtual directory) in IIS should be set to "Ignore" client certificates. Test by navigating to "https://cas.domain.com/ews/exchange.asmx" in a browser and authenticating successfully.

5. The SSL certificate on the IIS server MUST match the Autodiscover server address. In IIS Manager, check the certificate subject: the CN should be server.domain.com, not simply CN=ServerName. If it does not match, recreate the certificate with the correct server name. Normally Autodiscover will return http://server.domain.com/EWS/Exchange.asmx
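To check steps 2 and 5 without opening IIS Manager on each CAS, the following PowerShell script is an added example (not part of the Netmail documentation): it retrieves the certificate a CAS presents on port 443, lists the CN and every DNS name in its Subject Alternative Name extension, and warns about any expected name that is missing. The host names are placeholders.

```powershell
# Added example (not from the Netmail documentation): inspect the certificate a
# CAS presents and confirm it carries the names Autodiscover and the EWS/PowerShell
# URLs will use. Host names below are placeholders for your environment.
$CasHost       = "cas.domain.com"
$ExpectedNames = @("cas.domain.com", "autodiscover.domain.com")

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any chain here only so the certificate can be read for inspection;
    # this does not alter how Netmail or Outlook clients validate it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CN from the subject plus every DNS name in the Subject Alternative Name (OID 2.5.29.17).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | Select-Object -Unique
}

$cert  = Get-RemoteCertificate $CasHost
$names = @(Get-CertificateNames $cert)
Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"
Write-Host "Names   : $($names -join ', ')"
foreach ($n in $ExpectedNames) {
    if ($names -contains $n) {
        Write-Host "OK      : $n is on the certificate"
    } else {
        Write-Warning "$n is NOT on the certificate; Autodiscover/EWS lookups using it will fail validation"
    }
}
```

A certificate whose only name is the bare server name (CN=ServerName) will show up here as missing every FQDN, which is the symptom step 5 describes.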

Be Aware of Load Balancers

1. Be cognizant of the presence of load balancers in the organization, especially to/from the CAS array.

2. Become acquainted with their configuration with respect to:

  • Session persistence:  Netmail software requires "sticky" connections to the same IP for the duration of its activities (this is probably easier to achieve with a layer-4 NLB vs a layer-7 NLB).
  • Cookie stripping:  Netmail software uses cookies for OWA integration, so they must not be stripped or altered by network appliances.
  • SSL off-loading:  Understanding who terminates the SSL connection is important for troubleshooting.
  • Failure detection:  Understanding whether the NLB can detect and route around failures is important in troubleshooting.