Category Archives: Exchange

Exchange 2013 Emails stuck in Drafts

No outgoing Emails in Exchange 2013 fresh install , sent emails get stuck in Drafts folder in OWA,

Scenario: The problematic environment was a fresh install of exchange 2013, no migration and new mailboxes were created, but when emails were sent they got stuck in the drafts folder, OWA or outlook both failed sending emails. This is a 2012 environment, main DC and a member 2012 server, both being virtual and the server hosting exchange was a clone server.

Diagnosis: After enabling verbose logging on the default receive connector, the following error messages were seen in the SMTP recieve located here: C:\Program Files\MicrosoftExchange Server\V15\TransportRoles\Logs\Hub\ProtocolLogSmtpReceive\

X.X.X.X:2525,X.X.X.X:53103,>,421 4.3.2 Service not available,

Enabled kerberos logging  using :http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177

after this checked the eventlogs showed a huge number of Kerberos related errors under System:

A Kerberos error message was received:
on logon session DOMAIN.LOCALExchangeservername$
Client Time:
Server Time: 0:35:49.0000 3/19/2014 Z
Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN

Checked to make sure all services are running and checking SPN are set correctly using the setspn commands:

setspn -L hostname
setspn -r AccountName

more details here: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

Also checked to make sure correct DNS settings were used in the Exchange server under EAC=>Servers=>edit=>DNS lookups.

In my case both internal and external lookups were set to ” all network adapters ipv4″

Solution: Eventually it turned out to be the Security Policy setting wasnt enabled for Access this computer from the network Policy in Group Policy

The default domain policy was applied to the OU where the Exchange 2013 server was, hence updated default domain policy: so open Group Policy Editor and go to

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Put a tick on Define these policy settings and add the default groups as per : http://technet.microsoft.com/en-us/library/cc740196(v=ws.10).aspx

  • Administrators
  • Backup Operators
  • Users 
  • Everyone

Please note this is a 2012 server and for some reason there are no power users as per the article.

Did a gpupdate /force on DC and exchange and reboot exchange services and voila all stuck emails were going out one at a time.

At this point in time the kerberos errors are still being generated, I still need to fix this…more soon.

 

Advertisements

Create a Shared Mailbox in Exchange 2007

Create shared mailboxes in Exchange 2007  using powershell  as the EMC in Exchange 2007 doesnt allow you to create shared mailboxes like the new exchange 2010.

You can do this with the help of the new-mailbox cmdlet.

Below is an example of creating a shared mailbox called Info and then assigning the info security group full access to the shared mailbox.

New-Mailbox -Name:’info’ -OrganizationalUnit:’contoso.loal/OU/users OU’ -Database:’Mailbox Database’ -UserPrincipalName:’info@contoso.com’ -Shared

Exchange 2007 will now create a shared mailbox and also create a disabled active directory account.

Now to assign full access

Add-MailboxPermission Info -User:’info group’ -AccessRights:FullAccess

You can also convert a mailbox to shared one usin the set-mailbox cmdlet.

Set-Mailbox Info -Type:Shared

Once this is done, you are now able to manage the shared mailbox via Exchange Management console if you need to assign permissions for full access or send as permission. The following powershell command is used to assign send-as rights and read/write personal information.

Add-ADPermission info -User:’info Group’ -ExtendedRights:Send-As -AccessRights:ReadProperty, WriteProperty -Properties:’Personal Information’

Manage Exchange 2010 Calendar Permissions Using Powershell

You can add  Calendar Permissions Using Powershell for users using the following command:

if user2 needs to access user1’s calendar

Add-MailboxFolderPermission -identity “user1:\calendar” –user “user2” -AccessRights Reviewer

the same can be done to give permission to a security group

Add-MailboxFolderPermission -identity “user1:\calendar” –user “DomainName\securitygroup” -AccessRights Reviewer

Below is the list of access rights and explanation

None                                                   FolderVisible
Owner                                                CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
PublishingEditor                       CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
Editor                                                 CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
PublishingAuthor                    CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
Author                                              CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
NonEditingAuthor                   CreateItems, ReadItems, FolderVisible
Reviewer                                          ReadItems, FolderVisible
Contributor                                   CreateItems, FolderVisible

Redirect Exchange OWA to default site and force SSL in Exchange 2010

OWA redirect to default site forcing SSL

is useful If you have those one or two users who cant seem to remember to add the https or the OWA to the exchange OWA url.

To do this via IIS manger can be time consuming and tricky, below is the script which I came across (Mark Smith) which does it for you, just create a batch file with the script and run it once. The only thing you need to modify is https://mail.domain.com/owa

——-
c:
cd \Windows\System32\inetsrv

appcmd.exe ADD Backup “OWA REDIRECT BACKUP 01”

appcmd set config “default web site” -section:httpRedirect /childonly:true /enabled:true
appcmd set config “default web site” -section:system.webServer/httpRedirect -destination:”https://mail.domain.com/owa”

appcmd set config “default web site/Aspnet_Client” -section:httpRedirect /enabled:false
appcmd set config “default web site/Autodiscover” -section:httpRedirect /enabled:false
appcmd set config “default web site/ECP” -section:httpRedirect /enabled:false
appcmd set config “default web site/EWS” -section:httpRedirect /enabled:false
appcmd set config “default web site/Exchange” -section:httpRedirect -commit:apphost /enabled:false
appcmd set config “default web site/Exchweb” -section:httpRedirect -commit:apphost /enabled:false
appcmd set config “default web site/Microsoft-Server-ActiveSync” -section:httpRedirect -commit:apphost /enabled:false
appcmd set config “default web site/OAB” -section:httpRedirect /enabled:false
appcmd set config “default web site/OWA” -section:httpRedirect -commit:apphost /enabled:false
appcmd set config “default web site/PowerShell” -section:httpRedirect -commit:apphost /enabled:false
appcmd set config “default web site/Public” -section:httpRedirect -commit:apphost /enabled:false
appcmd set config “default web site/Rpc” -section:httpRedirect /enabled:false
appcmd set config “default web site/RpcWithCert” -section:httpRedirect /enabled:false

appcmd set config “default web site” -section:access -sslflags:”” -commit:apphost

appcmd set config “Default Web Site/Aspnet_Client” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “Default Web Site/Autodiscover” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “Default Web Site/EWS” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “Default Web Site/ECP” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “Default Web Site/Exchange” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “Default Web Site/Exchweb” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “Default Web Site/Microsoft-Server-ActiveSync” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “Default Web Site/OWA” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “default web site/PowerShell” -section:access -sslflags:”” -commit:apphost
appcmd set config “default web site/OAB” -section:access -sslflags:”” -commit:apphost
appcmd set config “Default Web Site/Public” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config “Default Web Site/Rpc” -section:access -sslFlags:Ssl -commit:apphost
appcmd set config “Default Web Site/RpcWithCert” -section:access -sslFlags:Ssl,Ssl128 -commit:apphost

cacls “C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\web.config” /E /P “NT Authority\authenticated Users”:R

iisreset
——

Insufficient System resources in Exchange 2010, disable back pressure/resource monitoring

Starting from Exchange 2007,  the edge transport service uses the system resource monitoring feauture to determine vital resources such as hard drive space and memory and take action in an attempt to prevent service outages. This can be a pain as the whole thing is calculated on a formula,

100 * (hard disk size – fixed constant) / hard disk size

this feature is called Backup pressure, more info on http://technet.microsoft.com/en-us/library/bb201658.aspx and how this formula works http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/back-pressure-exchange-2010-part1.html

Now simply put, you have this error from other smtp servers trying to contact yours : Insufficient System resources, to get around this you will need to increase the hard drive space or memory, until then you could temporarly disable this monitoring feature so that you can start recieving important emails. WARNING: this is not a recommended permanent solution, do this until youve figured what resource needs looking at i.e hard drive space, RAM etc.

Make a backup copy of the edgetransport.exe.config file before you start.

  1. Open the EdgeTransport.exe.config file from \Exchange Server\bin directory using notepad
  2. Add the following key+value pair:
    <add key=”EnableResourceMonitoring” value=”false” />
  3. Save file
  4. Restart the Microsoft Exchange Transport Service (MSExchangeTransport):
    Restart-Service MSExchangeTransport
  5. and you’ve got mail

Other options are to

configure the edgetransport.exe config file to reflect your server configuration and resources (not recommended by MS)

OR

move the queue database to another volume which has lots of space, add the following key to change the path of the queudb.

  1. Open the following file by using Notepad: C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe.config.
  2. Modify the following line in the <appSettings> section.
    <add key="QueueDatabasePath" value="<LocalPath>" />

    This example creates a queue database at the location C:\Queue\QueueDB.

    <add key="QueueDatabasePath" value="C:\Queue\QueueDB" />
  3. Save and close the EdgeTransport.exe.config file.
  4. Restart the Microsoft Exchange Transport service.
  5. Verify that the new Mail.que and Trn.chk files are created at the new location.
  6. Remove the unused Mail.que and Trn.chk files from the original location.

ref: http://technet.microsoft.com/en-us/library/f170cb0c-04a9-4fa7-b594-206e3a787e14.aspx
The following event logs will be logged:

  • Event ID 15004: Increase in the utilization level for any resource (eg from Normal to Medium)
  • Event ID 15005: Decrease in the utilization level for any resource (eg from High to Medium)
  • Event ID 15006: High utilization for disk space (ie critically low free disk space)
  • Event ID 15007: High utilization for memory (ie critically low available memory)

Have look out for the Event id which will help you in diagnose what resource needs to be looked at.

ref:http://exchangeserverpro.com/exchange-transport-server-back-pressure

Deleted Mailbox missing in Disconnected Mailbox under Recepient configuration in Exchange 2010

This is because the clean up agent hasnt run yet, to run it use PS:

Clean-MailboxDatabase databasename

Recover deleted Active directory user account and restore Mailbox in Server 2008 and Exchange 2010

Scenario:  Restore user account where the account was accidentally/ purposely deleted and the mailbox resides on an Exchange 2010 in a mixed 2003, 2008 environment. The deleted mailbox is now showing in disconnected mailboxes.

The first step is to recover the deleted user account in AD. Hoping that you have left the tombstones on the server to either 60 days or 180 days which is the default for windows 2003 and up.

There are several ways too restore the account, the most painstaking one using system state restore after booting into directory services restore mode which means downtime.

The easiest and simplest way is using adrestore CLI available from Microsoft, if you need GUI adrestore.net is the best.

Download it from the link and install on the DC.

Adrestore.net

The how to is available from the developers site http://blogs.microsoft.co.il/blogs/guyt/archive/2007/12/15/adrestore-net-rewrite.aspx and http://www.petri.co.il/recovering-deleted-items-active-directory.htm

Now that you have restored the user account the next problem is to connect the disconnected mailbox which is rather easy, just open EMC 2010 right-click on a disconnected mailbox, select Connect and choose a matching user in this case.

If the online maintainence hasn’t run then the deleted mailbox will not show in disconnected mailbox, you will need to run this command in PS

Clean-MailboxDatabase databasename

And now you can connect the mailbox to the user you just restored

Updating Exchange 2010 SP1 to SP2

Exchange 2010 has been there for a while now and SP2 was also released a while ago and the roll up being released in Feb 2012, now is a good time to install SP2.

So before you install SP2 on your Exchange 2010 environment have a read of the following technet articles regarding preparing your Active directory, schema, domain and legacy 2003 DC’s if you have any.

http://technet.microsoft.com/en-us/library/bb125224.aspx

The SP2 setup file does do schema changes if you don’t do them, but just in case you have multiple DC’s of 2003 and 2008, then the best will be to do schema prep on your schema master and then make sure you wait for the replication to complete of or do it force replication and then proceed with the installation.

All in all these are the following bits you need to do before installing SP2,

1. Have a good tested backup as always .

On the schema master perform the following using the setup file you download of Microsoft

2. Open CMD and then setup /PrepareLegacyExchangePermissions or setup /pl, this is only if you have 2003 DC’s in your domain

3. setup /PrepareSchema or setup /ps

4setup /PrepareAD

5. setup /PrepareDomain , this is only needed if you run multiple domains, otherwise prepareAD takes care of one local domain.

Once done, follow the steps to complete the pre-requisites: http://technet.microsoft.com/en-us/library/bb691354.aspx

For a standard install with 2008 R2 you will need to install these components from powershell. You can check this in the exchange-typical.xml which located in the scripts folder in the sp2 download.

In PS:

Import-Module ServerManager and then
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,Web-Asp-Net,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-ISAPI-Filter,Web-Request-Monitor,Web-Static-Content,Web-WMI,RPC-Over-HTTP-Proxy -Restart

There is no harm installing all the components for peace of mind. Once your done rebooting, start the SP2 GUI installation and sit back and watch it complete flawlessly.

Replacing a 1024 bit SSL certificate with a 2048 bit or higher without downtime

As most of the Certificate Authorities now only issue a  minimum 2048 or greater one has issues when you are IIS is using a 1024 bits certificate and when you generate a CSR for renewal you end up with a 1024 CSR and to get around it you need to remove the production SSL certificate and start from scratch which affects anything running of 443 and of course dependencies like Outlook Anywhere will stop functioning.

With this method you can increase the key size of your certificate without any downtime to your website by creating a temporary website.

Creating a Temporary Website

In the Internet Information Services (IIS) Manager window, right-click on the Web Sites folder and select New and Web Sites from the drop down menu.

The Web Site Creation Wizard will appear. In that new window, click on Next.

On the next screen, type in “Temporary” into the Description field. Once you have done that, click on Next.

At the IP Address and Port Settings screen, leave the defaults and click on the Next button.

In the Web Site Home Directory screen, click on the Browse folder and navigate to the Inetpub folder. Once selected, click on the Next button.

The next screen shows the Web Site Access Permissions. Uncheck all of the boxes and click on Next.

At the final screen click on the Finish button.

Back in the Internet Information Services (IIS) Manager window, right-click on the Temporary website and select Stop from the drop down menu.

Creating a CSR for Temporary site

Right-click on the temporary website and click on Properties from the drop down menu.

A new window will appear. In that new window, click on the Directory Security tab at the top.
In the same window, you will see three sections. The bottom section named Secure communications has three buttons.

Click on the Server Certificate… button.
The IIS Certificate Wizard appears.

Select the circle, Create a new certificate. and click on Next.

On the next step on the Wizard, select the circle, Prepare the request now, but send it later and click on Next.

At the next step in the Wizard, enter in a Name for your certificate. In the field where you see Bit length: select 2048 from the drop down. Leaving the other two check boxes unchecked, select Next.

On the next screen, enter in the full legal name of the company which the certificate belongs into the Organization field. In the Organizational unit field, enter in the department of the organization, such as ‘IT’ or “Marketing”. Click on Next.

At the next screen, you will need to enter in your FQDN (fully qualified domain name) of your website in the field named Common name. It looks like “secure.example.com” or “example.com”. Click on Next.

On the next screen, you will need to select the country of your organization from the Country/Region drop down. You will then need to type in the State/province of that country along with city within that state within the City/locality field. Once you have done that, click on Next.

At the next step of the Wizard, you will need to specify where to save the CSR text file that will be created. To change the location, you should click on the Browse… button. After you have selected a location, click on the Next button.

At the final screen, you will see a summary of all the certificate details that you have created. Click on Next to generate the CSR file.
Note: When you have generated a CSR file, you will have a pending request held for this website. If this pending request is deleted before a certificate response can be installed, the set of private keys that were created will be deleted as well. This will render the CSR file and the certificate response useless, including during installation.

Paste this CSR on your CA and generate and download the SSL certificate.

Installing the certificate onto Temporary

Right-click on the Temporary website and click on Properties from the drop down menu.

A new window will appear. In that new window, click on the Directory Security tab at the top. In the same window, you will see three sections. The bottom section named Secure communications has three buttons.

Click on the Server Certificate… button.

A wizard appears. Click on Next.

On the next screen, select the option, Process the pending request and install the certificate. Click on Next.
Note: If you do not see this option, this could mean that the CSR may have been deleted. If this is the case, then the certificate file cannot be used and the process may have to be restarted.

At the next step of the wizard, you must click on browse and navigate to the .crt that was supplied to you by QuoVadis.
Note: By default, the IIS Certificate Wizard looks for files with the extension of .cer. In order for it to accept the .crt file, you will need to drop the File of type: field down to look for All files and the .crt file should appear. Once you can see it, select it.

Click on Next.

On the next screen, leave the default to port 443. Click on Next.

You should now see a summary screen. When you have finished looking at the summary, you should click on Next.

At the final screen, click on Finish.

Assigning the Stronger Certificate

In IIS, right-click on the production website that has the 1024-bit certificate installed and then click on Properties from the drop down menu.

A new window will appear. In that new window, click on the Directory Security tab at the top. In the same window, you will see three sections. The bottom section named Secure communications has three buttons.

Click on the Server Certificate… button.

A wizard appears. Click on Next.

On the next screen, select the option, Replace the current certificate. Click on Next.

Important Note: If you do not receive this option, it may be possible that you have an already pending request for this website. In order to have the Replace the current certificate option available, you will need to delete the pending request on this website.

You should see a list of certificates which contains the certificate you have installed on the Temporary website. Select the newly installed certificate that contains a key size of 2048-bits from this list. Once selected, click on Next.

IIS will display the new replacement certificate’s details. Verify these details and then click on Next.

Click on the Finish button on the next screen.

Back in the Properties window, click on the OK button. The certificate on your website has been updated with the stronger 2048-bit certificate with no downtime.

The final step of this article is to delete the Temporary website that you created in Part I. To do this, right-click the Temporary website from IIS and select Delete from the drop down menu. Click on Yes at the, “Are you sure you want to delete this item?”

source: https://support.quovadisglobal.com/KB/a88/how-to-increase-your-csr-key-size-on-microsoft-iis.aspx

Full Mailbox permission to an entire Mailbox DB using power shell

SO here is the thing, if you are faced with a request that a specific user/group needs full mailbox access to all users and also anyone who is added in the future, you can set a blanket permission to all current and future mailboxes, the way to do it is using the following cmdlet in exchange 2010:

Get-MailboxDatabase -identity “[mailbox database name]” | Add-ADPermission -user [username] -AccessRights GenericAll

You would need run this command again if you add another mailbox database.