Exchange 2010

In the first two parts of this series on troubleshooting federated sharing we looked at the infrastructure and configuration that federated sharing requires, and did some basic troubleshooting of the components involved. In this part we look at two real errors I gathered while troubleshooting federated sharing issues, and how each of them was resolved.

Below is an example of the error logged by the Availability service on the CAS when it tried to retrieve the free/busy information of a user hosted in another Exchange organization:

Process 1212: ProxyWebRequest FederatedCrossForest from S-1-5-21-1671710892-3805255249-3875359145-102309 to https://mail.domain.com/ews/exchange.asmx/WSSecurity failed. Caller SIDs: WSSecurity. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)

   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)

   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

   --- End of inner exception stack trace ---

   at System.Web.Services.Protocols.WebClientAsyncResult.WaitForResponse()

   at System.Web.Services.Protocols.WebClientProtocol.EndSend(IAsyncResult asyncResult, Object& internalAsyncState, Stream& responseStream)

   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.Proxy.Service.EndGetUserAvailability(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.FreeBusyApplication.EndProxyWebRequest(ProxyWebRequest proxyWebRequest, QueryList queryList, Service service, IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling():. The request information is ProxyWebRequest type = FederatedCrossForest, url = https://mail.domain.com/ews/exchange.asmx/WSSecurity

Mailbox list = <Johan@domain.com>SMTP:Johan@domain.com, Parameters: windowStart = 10/1/2013 10:00:00 AM, windowEnd = 10/31/2013 10:00:00 AM, MergedFBInterval = 30, RequestedView = Detailed

. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)

   at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)

   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

   --- End of inner exception stack trace ---

   at System.Web.Services.Protocols.WebClientAsyncResult.WaitForResponse()

   at System.Web.Services.Protocols.WebClientProtocol.EndSend(IAsyncResult asyncResult, Object& internalAsyncState, Stream& responseStream)

   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.Proxy.Service.EndGetUserAvailability(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.FreeBusyApplication.EndProxyWebRequest(ProxyWebRequest proxyWebRequest, QueryList queryList, Service service, IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling()

   --- End of inner exception stack trace ---

. Name of the server where exception originated:CAS01. Make sure that the Active Directory site/forest that contain the user’s mailbox has at least one local Exchange 2010 server running the Availability service. Turn up logging for the Availability service and test basic network connectivity.

The relevant part of the error is the innermost exception: "The remote certificate is invalid according to the validation procedure", in other words a certificate problem. The first step is to reproduce what the Availability service does and open the Exchange Web Services endpoint of the other organization yourself, in this case https://mail.domain.com/ews/exchange.asmx/WSSecurity. You will most likely get a certificate warning, and that is exactly why the lookup fails: the certificate presented by the remote Exchange environment does not pass validation on the CAS that makes the call. A browser has the advantage that it tells you why the certificate is not trusted. Common causes are:

  • the certificate is issued by a root CA that the calling CAS does not trust
  • the name on the certificate does not match the FQDN that is called (mail.domain.com in this case)
  • the certificate, or an intermediate certificate in its chain, has expired, or the server does not send the intermediate certificates

Test from the CAS itself rather than from your workstation: the two do not necessarily share the same trust store, so a certificate that a browser on your desk accepts can still be rejected by the server.

In this case the root CA was not trusted by the Exchange environment. Importing the root CA certificate of the other organization into the Trusted Root Certification Authorities store of the computer account on each CAS solved the problem. Treat that import as a trust decision: obtain the root certificate and its thumbprint from the other organization through a channel you trust and compare them before importing, because from that moment every certificate issued by that CA is trusted by your CAS. Do not work around the error by disabling certificate validation; the TLS check is what prevents a federated free/busy request from being answered by a rogue endpoint.
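As an added example (not code from the original post), the script below performs the same validation the .NET client inside the Availability service performs, but reports the result instead of throwing: it fetches the certificate from the partner EWS endpoint, builds the chain against the machine trust store of the server it runs on, and checks the host name against the subject and the Subject Alternative Names. Run it from the CAS that logs the error. The host name mail.domain.com is an assumption taken from the error above; replace it with the EWS FQDN of the other organization.

```powershell
# Added example, not from the original post: reproduce the certificate validation the
# Availability service performs against the partner's EWS endpoint and report why it fails.
# $HostName is an assumption; replace it with the partner's EWS FQDN.
param(
    [string]$HostName = 'mail.domain.com',
    [int]$Port = 443
)

# Accept any certificate during the handshake so that we can fetch it and inspect the
# chain ourselves. Never use a callback like this in a production code path.
$acceptAll = { param($sender, $cert, $chain, $errors) $true }

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Build the chain with the trust stores of this machine, which is what the CAS uses.
$x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$x509Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $x509Chain.Build($remote)

# Collect the DNS names the certificate is valid for: subject CN plus every SAN entry (OID 2.5.29.17).
$names = @()
if ($remote.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($false) renders the SAN as "DNS Name=mail.domain.com, DNS Name=..."
    $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
}

# Name match as .NET does it: exact match, or a wildcard covering exactly one label.
$nameOk = $false
foreach ($n in $names) {
    if ($n -eq $HostName) { $nameOk = $true }
    elseif ($n.StartsWith('*.') -and
            $HostName.Split('.').Count -eq $n.Split('.').Count -and
            $HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1)) { $nameOk = $true }
}

New-Object PSObject -Property @{
    Subject     = $remote.Subject
    Issuer      = $remote.Issuer
    NotAfter    = $remote.NotAfter
    Thumbprint  = $remote.Thumbprint
    Names       = ($names -join ', ')
    NameMatches = $nameOk
    ChainValid  = $chainOk
    # Empty when the chain builds; otherwise e.g. "UntrustedRoot: A certificate chain processed, but terminated in a root certificate which is not trusted..."
    ChainStatus = (($x509Chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; ')
}
```

ChainValid false with an UntrustedRoot status is the case described above and is fixed by importing the partner's root CA; NameMatches false means the partner published an EWS URL whose host is not on their certificate, which only they can fix; a PartialChain status usually means the intermediate certificates are not sent by the partner's server. The Thumbprint in the output is the value to compare with what the partner tells you out of band before you import anything.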

The second issue was quite hard to troubleshoot, but the fix turned out to be simple. Again the relevant part is in the error below: "An existing connection was forcibly closed by the remote host". The other side closed the connection, so the calling CAS has nothing more to tell you. The next place to look is the IIS log on the CAS of the target Exchange environment, to see what happens when the traffic from your organization arrives there.

Process 1212: ProxyWebRequest FederatedCrossForest from S-1-5-21-1671710892-3805255249-3875359145-102309 to https://mail.domain.com/ews/exchange.asmx/WSSecurity failed. Caller SIDs: WSSecurity. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

   at System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)

   at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)

   --- End of inner exception stack trace ---

   at System.Net.Security._SslStream.EndRead(IAsyncResult asyncResult)

   at System.Net.TlsStream.EndRead(IAsyncResult asyncResult)

   at System.Net.PooledStream.EndRead(IAsyncResult asyncResult)

   at System.Net.Connection.ReadCallback(IAsyncResult asyncResult)

   --- End of inner exception stack trace ---

   at System.Web.Services.Protocols.WebClientAsyncResult.WaitForResponse()

   at System.Web.Services.Protocols.WebClientProtocol.EndSend(IAsyncResult asyncResult, Object& internalAsyncState, Stream& responseStream)

   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.Proxy.Service.EndGetUserAvailability(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.FreeBusyApplication.EndProxyWebRequest(ProxyWebRequest proxyWebRequest, QueryList queryList, Service service, IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling():. The request information is ProxyWebRequest type = FederatedCrossForest, url = https://mail.domain.com/ews/exchange.asmx/WSSecurity

Mailbox list = <Johan@domain.com>SMTP:Johan@domain.com, Parameters: windowStart = 9/29/2013 12:00:00 AM, windowEnd = 11/10/2013 12:00:00 AM, MergedFBInterval = 30, RequestedView = MergedOnly

. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host

   at System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)

   at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)

   --- End of inner exception stack trace ---

   at System.Net.Security._SslStream.EndRead(IAsyncResult asyncResult)

   at System.Net.TlsStream.EndRead(IAsyncResult asyncResult)

   at System.Net.PooledStream.EndRead(IAsyncResult asyncResult)

   at System.Net.Connection.ReadCallback(IAsyncResult asyncResult)

   --- End of inner exception stack trace ---

   at System.Web.Services.Protocols.WebClientAsyncResult.WaitForResponse()

   at System.Web.Services.Protocols.WebClientProtocol.EndSend(IAsyncResult asyncResult, Object& internalAsyncState, Stream& responseStream)

   at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.Proxy.Service.EndGetUserAvailability(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.FreeBusyApplication.EndProxyWebRequest(ProxyWebRequest proxyWebRequest, QueryList queryList, Service service, IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult)

   at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling()

   --- End of inner exception stack trace ---

. Name of the server where exception originated: CAS01. Make sure that the Active Directory site/forest that contain the user’s mailbox has at least one local Exchange 2010 server running the Availability service. Turn up logging for the Availability service and test basic network connectivity.

Search the log for requests to /ews/exchange.asmx/WSSecurity (and /autodiscover/autodiscover.svc/WSSecurity) and you will most likely find the error. When everything works the requests are logged with a 200 status. If you see a 4XX status, verify that the federation trust with the Microsoft Federation Gateway works correctly, as explained in part 1, and verify that WS-Security authentication is enabled on both the Autodiscover and the EWS virtual directory.

Other status codes are possible; in this case it was a 500. IIS accepted the connection but could not process the request and closed the connection, which is exactly what the calling CAS reported. If this happens, first confirm that WSSecurityAuthentication is enabled on the Autodiscover and EWS virtual directories. Then verify that the svc-Integrated handler mapping is present on both virtual directories. When both are configured correctly everything should work, so why doesn't it?

In some cases WS-Security is correctly enabled in Exchange but IIS has not picked the change up. An iisreset on the target CAS fixes that, after which the free/busy information can be retrieved from the other Exchange organization.
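As an added example (not from the original post), the script below does the IIS log search described above on the target CAS: it reads a W3C log, keeps only requests to the WSSecurity endpoints, and summarises them per path and status with a hint that follows the reasoning of this part. The log lines in $sampleLog are constructed sample data; pass -LogPath to read a real log (IIS 7.5 writes to C:\inetpub\logs\LogFiles\W3SVC1\ by default) and -SourceIp to count only requests from the calling organization's egress address. The field list in the sample is the IIS default; the parser reads whatever #Fields header the real log carries.

```powershell
# Added example, not from the original post: summarise how the target CAS answered
# requests to the WSSecurity endpoints by parsing its IIS W3C log.
param(
    [string]$LogPath,    # real log file; when omitted the constructed sample below is used
    [string]$SourceIp    # optional: only count requests from this client address
)

# Constructed sample data in IIS W3C format (same layout as the default IIS 7.5 log).
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-10-01 10:00:01 10.0.0.5 POST /ews/exchange.asmx/WSSecurity - 443 - 203.0.113.10 - 200 0 0 120
2013-10-01 10:00:02 10.0.0.5 POST /autodiscover/autodiscover.svc/WSSecurity - 443 - 203.0.113.10 - 200 0 0 80
2013-10-01 10:00:05 10.0.0.5 POST /ews/exchange.asmx/WSSecurity - 443 - 203.0.113.10 - 500 0 0 15
2013-10-01 10:00:06 10.0.0.5 POST /ews/exchange.asmx/WSSecurity - 443 - 203.0.113.10 - 500 0 0 12
2013-10-01 10:00:09 10.0.0.5 POST /ews/exchange.asmx - 443 - 198.51.100.7 - 401 1 0 3
'@

function Get-WsSecurityRequestSummary {
    param([string[]]$Lines, [string]$SourceIp)
    $fields = $null
    $hits = @()
    foreach ($line in $Lines) {
        # The #Fields header defines the column order; IIS may emit it more than once per file.
        if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim() -split ' '); continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }     # malformed or truncated line
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        if ($rec['cs-uri-stem'] -notmatch '/WSSecurity$') { continue }
        if ($SourceIp -and $rec['c-ip'] -ne $SourceIp) { continue }
        $hits += New-Object PSObject -Property $rec
    }
    $hits | Group-Object 'cs-uri-stem', 'sc-status', 'sc-substatus' | ForEach-Object {
        $first = $_.Group[0]
        $status = [int]$first.'sc-status'
        $hint = switch ($status) {
            200 { 'OK: the request was served' }
            { $_ -ge 400 -and $_ -lt 500 } { 'Rejected: verify the federation trust with the MFG and WSSecurityAuthentication on the Autodiscover and EWS vdirs' }
            500 { 'Failed in IIS: check WSSecurityAuthentication and the svc-Integrated handler on the vdir, then iisreset' }
            default { "HTTP $status: see the IIS and Application event logs on this CAS" }
        }
        New-Object PSObject -Property @{
            Path   = $first.'cs-uri-stem'
            Status = "$($first.'sc-status').$($first.'sc-substatus')"
            Count  = $_.Count
            Hint   = $hint
        }
    }
}

$lines = if ($LogPath) { Get-Content $LogPath } else { $sampleLog -split "`r?`n" }
Get-WsSecurityRequestSummary -Lines $lines -SourceIp $SourceIp |
    Format-Table Path, Status, Count, Hint -AutoSize -Wrap
```

With the sample data the output shows one 200.0 for the Autodiscover endpoint, one 200.0 and two 500.0 for the EWS endpoint, and nothing for the 401 on /ews/exchange.asmx, which is a normal (non-federated) client and therefore out of scope. The substatus is kept because IIS distinguishes, for instance, 401.1 (logon failed) from 401.2 (authentication configuration), which narrows down the 4XX case.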

This concludes the series on troubleshooting federated sharing. I am aware there may be other solutions for the issues you run into during an implementation; these were just two examples of issues I found.

I hope you liked this series. If you have any questions, use the contact form on the site to send me a message or post a comment.

Federated sharing makes it possible to exchange free/busy information between Exchange organizations that have no Active Directory trust between them. The Microsoft Federation Gateway (MFG) acts as the trust broker: it issues the token that one organization's CAS presents, in a WS-Security header, to the CAS of the other organization in order to retrieve the free/busy information.

To use this feature several things need to be configured:

  • a federation trust with the Microsoft Federation Gateway
  • an organization relationship with the other organization
  • Autodiscover and EWS must allow WS-Security authentication
  • the reverse proxy must pass traffic to the following URLs through without pre-authentication:
    • /EWS/exchange.asmx/WSSecurity
    • /autodiscover/autodiscover.svc/WSSecurity
    • /autodiscover/autodiscover.svc

"Unauthenticated" here means unauthenticated at the proxy only. Requests to these paths carry the MFG-issued token in the WS-Security header of the SOAP message, and Exchange validates that token itself. Limit the anonymous publishing rule to exactly these paths; do not open the whole /EWS or /autodiscover directory to anonymous traffic, because the other endpoints there rely on the proxy or IIS to authenticate the user.

Several sites contain a step-by-step plan on how to configure this; an overview of those sites can be found at the end of this article.

When these things are set up everything should work. Should, indeed: in most cases it does, but sometimes you need to troubleshoot. In this series of blog posts we look at how you can validate that federated sharing works and how to troubleshoot it when it does not.

But how do you troubleshoot these issues? First of all it is very useful to have a contact person with access to the other Exchange organization. Usually that is not a problem, but with Office 365 or another form of hosting it can be hard.

To start the troubleshooting process you will usually want to verify your own Exchange organization first. Things to check are:

  • does Autodiscover allow WS-Security for authentication
  • is the external EWS URL configured correctly
  • do the Exchange Web Services allow WS-Security for authentication

If your Exchange organization contains multiple CAS, PowerShell is your friend: the following cmdlets verify these items on all servers at once.

Get-AutodiscoverVirtualDirectory|select server, WSSecurityAuthentication


The output lists each server with its WSSecurityAuthentication value. Verify that it is True on every CAS.

If WSSecurityAuthentication is not True, enable it with the following cmdlet:

Get-AutodiscoverVirtualDirectory|Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication:$true

This configures the authentication method, but IIS only starts offering it after an IISReset. Additionally, verify in IIS Manager (Handler Mappings on the Autodiscover virtual directory under the Default Web Site) that the svc-Integrated handler is mapped on the Autodiscover virtual directory.

Next step is to verify the Exchange Web Services, this can be done by using the Get-WebServicesVirtualDirectory cmdlet:

Get-WebServicesVirtualDirectory|select server, ExternalUrl, WSSecurityAuthentication


The same rule applies: WSSecurityAuthentication must be True. Besides this, ExternalUrl must contain a valid value, and that URL must be reachable from the Internet. If it is not, federated sharing simply will not work.

If WSSecurityAuthentication is not True, enable it with the following cmdlet:

Get-WebServicesVirtualDirectory|Set-WebServicesVirtualDirectory -WSSecurityAuthentication:$true

As with Autodiscover, an IISReset is required before the authentication method is offered. Also verify that the svc-Integrated handler is mapped on the EWS virtual directory.

If no external URL is configured you need to configure one. Before you do, make sure the certificate bound to IIS contains the name you intend to use. If you configure a URL whose host name is not on the certificate, the other organization will get certificate validation errors when it calls your EWS.

To verify if the certificate contains the correct names we will use Powershell again:

Get-ExchangeCertificate|? {$_.Services -like "*IIS*"}|select Subject, CertificateDomains|FL

Verify that CertificateDomains contains the FQDN you plan to use for EWS, for example mail.domain.com or ews.domain.com. If that name is not on the certificate you will need to request a new certificate that includes it.

If the certificate contains the name for the external URL then you can continue configuring it:

Get-WebServicesVirtualDirectory|Set-WebServicesVirtualDirectory -ExternalUrl "https://ews.domain.com/EWS/exchange.asmx"

The cmdlet above sets the same external URL on all Client Access Servers. REMARK: in some scenarios, for example multiple Internet-facing sites, this is not what you want. Verify whether that applies to your environment before configuring the external URL.
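As an added example (not from the original post), the script below combines the checks from this section into one read-only pass over every CAS in the organization: WS-Security on the Autodiscover and EWS virtual directories, the presence of an EWS ExternalUrl, and whether the host name of that URL is covered by a certificate that has the IIS service enabled on that server. It is meant for the Exchange Management Shell and changes nothing; the handler-mapping check stays a manual step in IIS Manager. The wildcard rule in Test-NameOnCertificate is the standard one (a wildcard covers exactly one DNS label), not something the page states.

```powershell
# Added example, not from the original post: read-only check of the part 1 items on every CAS.
# Run in the Exchange Management Shell.

function Test-NameOnCertificate {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.domain.com matches mail.domain.com, not a.b.domain.com
        if ($n.StartsWith('*.') -and
            $HostName.Split('.').Count -eq $n.Split('.').Count -and
            $HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

$results = foreach ($cas in Get-ClientAccessServer) {
    $server = $cas.Name

    # Every name on every certificate that is enabled for IIS on this server
    $certNames = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_" }

    $auto = Get-AutodiscoverVirtualDirectory -Server $server
    $autoOk = ($auto | ForEach-Object { $_.WSSecurityAuthentication }) -notcontains $false

    foreach ($ews in Get-WebServicesVirtualDirectory -Server $server) {
        $extHost = $null
        $hostOnCert = $false
        if ($ews.ExternalUrl) {
            $extHost = $ews.ExternalUrl.Host
            $hostOnCert = Test-NameOnCertificate -HostName $extHost -CertNames $certNames
        }
        New-Object PSObject -Property @{
            Server                 = $server
            EwsVdir                = $ews.Name
            AutodiscoverWSSecurity = $autoOk
            EwsWSSecurity          = $ews.WSSecurityAuthentication
            EwsExternalUrl         = [string]$ews.ExternalUrl    # empty when not configured
            ExternalHostOnIisCert  = $hostOnCert
        }
    }
}

$results | Format-Table Server, EwsVdir, AutodiscoverWSSecurity, EwsWSSecurity, EwsExternalUrl, ExternalHostOnIisCert -AutoSize
```

A row with an empty EwsExternalUrl, or with ExternalHostOnIisCert False, is the case the paragraphs above warn about: fix the certificate first, then set the URL. AutodiscoverWSSecurity and EwsWSSecurity False point at the Set-*VirtualDirectory cmdlets above, followed by an IISReset on that server.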

When this has been configured and validated it is time to verify the Federation Trust and the Organization Relationship.

Start with Test-FederationTrustCertificate, which verifies that the certificate used for the federation trust is correct and installed on every CAS. When the trust is created, the self-signed federation certificate is normally distributed to all CAS in your environment, but in some cases that does not happen. A CAS that lacks the certificate cannot authenticate against the Microsoft Federation Gateway, which eventually causes the autodiscover process to fail.

Test-FederationTrustCertificate


Verify that the State column shows Installed for every CAS.

Additionally you can run Test-FederationTrust to verify that the federation trust really works. By default this cmdlet uses the extest_<guid> test account that New-TestCasConnectivityUser.ps1 creates:

Test-FederationTrust

If you don’t have an extest account or you would like to use another user add the UserIdentity parameter:

Test-FederationTrust -UserIdentity user@domain.com

The cmdlet performs several tests and prints the result of each one; verify that none of them reports an error.

As a final step you can verify the organization relationship. This only matters when the other organization has problems looking up free/busy information for your mailboxes, because the organization relationship is what grants the other organization permission to retrieve free/busy information from your organization. If not all domains are listed in it you get strange results, such as lookups working for domain A but not for domain B even though both are hosted in the same Exchange environment.

To troubleshoot these kinds of issues you can use two cmdlets:

  • Get-OrganizationRelationship, which retrieves the configuration stored in your own organization
  • Get-FederationInformation, which sends an autodiscover request to the other organization and returns what that organization publishes

Compare the following properties between the two:

  • DomainNames
  • TargetApplicationUri
  • TargetAutodiscoverEpr

One remark about DomainNames: this value does not have to be identical in both outputs. Some organizations only want to share free/busy information for a specific domain and not for all domains hosted by the other Exchange organization, so the organization relationship may deliberately list fewer domains than Get-FederationInformation returns. TargetApplicationUri and TargetAutodiscoverEpr, on the other hand, must match what the other organization publishes, otherwise the token is issued for the wrong application or sent to the wrong endpoint.
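As an added example (not from the original post), the script below automates that comparison for every organization relationship in your organization: it queries the other organization through Get-FederationInformation using the first domain of the relationship, then reports whether TargetApplicationUri and TargetAutodiscoverEpr match and which domains the other organization publishes that your relationship does not list. The last column is informational only, for the reason given above. Run it in the Exchange Management Shell; the output property names are my own.

```powershell
# Added example, not from the original post: compare each organization relationship with
# what the partner organization publishes via autodiscover.
$report = foreach ($rel in Get-OrganizationRelationship) {
    $relDomains = @($rel.DomainNames | ForEach-Object { "$_" })
    $probe = $relDomains[0]
    try {
        # Autodiscover round trip to the partner; fails when their autodiscover or the MFG is unreachable
        $fed = Get-FederationInformation -DomainName $probe -ErrorAction Stop
    }
    catch {
        Write-Warning "$($rel.Name): Get-FederationInformation for $probe failed: $_"
        continue
    }
    $fedDomains = @($fed.DomainNames | ForEach-Object { "$_" })
    $notInRelationship = $fedDomains | Where-Object { $relDomains -notcontains $_ }

    New-Object PSObject -Property @{
        Relationship              = $rel.Name
        Enabled                   = $rel.Enabled
        FreeBusyAccessEnabled     = $rel.FreeBusyAccessEnabled
        FreeBusyAccessLevel       = $rel.FreeBusyAccessLevel
        # Uri comparison as strings so that trailing-slash differences show up as a mismatch
        TargetApplicationUriMatch = ([string]$rel.TargetApplicationUri -eq [string]$fed.TargetApplicationUri)
        TargetAutodiscoverEprMatch = ([string]$rel.TargetAutodiscoverEpr -eq [string]$fed.TargetAutodiscoverEpr)
        PartnerDomainsNotListed   = ($notInRelationship -join ', ')   # may be intentional, see remark above
    }
}

$report | Format-Table Relationship, Enabled, FreeBusyAccessEnabled, FreeBusyAccessLevel, TargetApplicationUriMatch, TargetAutodiscoverEprMatch, PartnerDomainsNotListed -AutoSize -Wrap
```

A False in either Match column means the partner has changed (or you mistyped) their federation settings; recreate or update the organization relationship with the values Get-FederationInformation returns. A warning for the autodiscover round trip itself points back to the federation trust and autodiscover checks earlier in this part.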

In this part of the series we looked at the configuration items you need to verify in your own Exchange organization, and at how to fix them when they are configured incorrectly.

In the second part we will have a closer look at the reverse proxy and the client side of troubleshooting.

Below are some pages with useful information about federated sharing:

Office 365 Community: How to configure TMG for Office 365
TechNet: How does Federated Calendar sharing work in Exchange 2010?
TechNet: Exchange 2013: Sharing

Many companies publish their Exchange environment using TMG. As you may know Microsoft has announced that the product is discontinued, but in the field you still see customers using it.

One of the features of the Lync 2013 mobile client is retrieving your contacts and free/busy information through Exchange Web Services (EWS). Whether this works depends on your TMG configuration. Why? For that we need a closer look at the web listener. For those who do not work with TMG much: on the listener we configure:

  • Which certificate is used to provide HTTPS
  • What kind of authentication types do we accept

The item we need to look at is the authentication types. They determine how clients can authenticate against our Exchange environment. There are various options, among them:

  • HTTP form
  • Basic

Let's assume you created one rule to publish OWA, ECP, ActiveSync, EWS and Autodiscover. In that case the listener is probably configured for form-based authentication, which works fine for Outlook, OWA, ECP and ActiveSync, but not for the Lync 2013 mobile client. Normally a client that tries to authenticate is sent the form. Some clients cannot authenticate through the form and fall back to basic authentication; ActiveSync devices are an example of clients that work this way.

The Lync 2013 mobile client, however, has no fallback to basic authentication, so authentication fails. When you enable logging on the device and examine the log after a failed attempt you will see the following.

First the form is returned (below a small part of the HTML):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- {57A118C6-2DA9-419d-BE9A-F92B0F9A418B} -->
<html>
<head>
    <title>Microsoft Forefront TMG</title>
    <meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
    <meta content="NOINDEX, NOFOLLOW" name="Robots">
    <link href="/CookieAuth.dll?GetPic?formdir=3&image=logon_style.css" type="text/css" rel="stylesheet">
    <script src="/CookieAuth.dll?GetPic?formdir=3&image=flogon.js" type="text/javascript"></script>
<script type="text/javascript">

Followed by the following error:

2013-09-12 11:45:31.020 Lync[4120:5520] ERROR APPLICATION CEwsAutoDiscoverOperation.cpp/652:All possible ews autodiscover urls exhausted.Failing autodiscover operation

So how do you solve this? The resolution is simple: allow basic authentication for Autodiscover and EWS. This can be done in two ways:

  • Create a new publishing rule for EWS and Autodiscover on the existing listener and select the option "No delegation, but client may authenticate directly". The rule must apply to the All Users group instead of Authenticated Users, and it must be placed above the existing Exchange publishing rules so that it is matched first.
  • Create a new web listener with basic authentication and a new publishing rule for EWS and Autodiscover. The downside of this method is that the new listener requires an additional IP address.

With either method the client's credentials now travel as a Basic authorization header, protected only by the TLS session, and the password is verified by Exchange rather than by TMG. Make sure the rule is HTTPS only, keep the TMG and IIS logs for these paths, and be aware that an Internet-facing basic-auth endpoint is a target for password guessing against your Active Directory accounts, so your lockout and monitoring policies should cover it.

For more information about publishing your Exchange environment with TMG or UAG, a good starting point is the document by Greg Taylor with guidelines on publishing Exchange using TMG/UAG:

TechNet: Publishing Exchange Server 2010 with Forefront UAG and TMG

Exchange 2010 SP3 Rollup 2 released

Microsoft released Exchange 2010 SP3 Update Rollup 2 yesterday. The rollup fixes the following issues:

  • 2837926 Error message when you try to activate a passive copy of an Exchange Server 2010 SP3 database: “File check failed”
  • 2841150 Cannot change a distribution group that contains more than 1,800 members by using ECP in OWA in an Exchange Server 2010 environment
  • 2851419 Slow performance in some databases after Exchange Server 2010 is running continuously for at least 23 days
  • 2853899 Only the first page of an S/MIME signed or encrypted message is printed by using OWA in an Exchange Server 2010 environment
  • 2854564 Messaging Records Management 2.0 policy can’t be applied in an Exchange Server 2010 environment
  • 2855083 Public Folder contents are not replicated successfully from Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010
  • 2859596 Event ID 4999 when you use a disclaimer transport rule in an environment that has Update Rollup 1 for Exchange Server 2010 SP3 installed
  • 2860037 iOS devices cannot synchronize mailboxes in an Exchange Server 2010 environment
  • 2861118 W3wp.exe process for the MSExchangeSyncAppPool application pool crashes in an Exchange Server 2010 SP2 or SP3 environment
  • 2863310 You cannot send an RTF email message that contains an embedded picture to an external recipient in an Exchange Server 2010 SP3 environment
  • 2863473 Users cannot access Outlook mailboxes that connect to a Client Access server array in an Exchange Server 2010 environment
  • 2866913 Outlook prompts to send a response to an additional update even though the response request is disabled in an Exchange Server 2010 environment
  • 2870028 EdgeTransport.exe crashes when an email message without a sender address is sent to an Exchange Server 2010 Hub Transport server
  • 2871758 EdgeTransport.exe process consumes excessive CPU resources on an Exchange Server 2010 Edge Transport server
  • 2873477 All messages are stamped by MRM if a deletion tag in a retention policy is configured in an Exchange Server 2010 environment

This rollup is especially recommended when you are planning to migrate to Exchange 2010 from Exchange 2003 or Exchange 2007, because it fixes an issue with public folder replication between Exchange 2003/2007 and Exchange 2010. Replicating the public folder content is one of the migration steps, so without Exchange 2010 SP3 Rollup 2 you may run into this issue.

The second interesting fix is for the crashing MSExchangeSyncAppPool. This issue only affects environments that offer ActiveSync to users with Apple devices: CPU usage on the CAS can rise to 80-100% and users may no longer be able to sync their mailbox because throttling kicks in. The throttling mechanism itself is the cause, and SP3 Rollup 2 contains a fix that should prevent it from happening again.

The third one (2851419) may make you wonder: users experience slow performance when their mailbox is in a database created after installing Exchange 2010 SP3, and only once that database has been mounted continuously for more than 23 days.

You can download Exchange 2010 SP3 Rollup 2 via the link below:

download

Exchange 2010 SP3 Rollup 1 released

Microsoft released the first rollup for Exchange 2010 SP3 today. It contains several interesting fixes, among them fixes for issues that appeared after installing SP3.

Below is an overview of the issues fixed in this rollup:

  • 2561346 Mailbox storage limit error when a delegate uses the manager’s mailbox to send an email message in an Exchange Server 2010 environment
  • 2729954 Can’t send voice message to a selected non-primary email address in an Exchange Server 2010 environment
  • 2750846 Information Store service crashes when you mount public folder databases on an Exchange Server 2010 server
  • 2751628 Event ID 9682 does not record the folder name when you delete a public folder in an Exchange Server 2010 environment
  • 2756460 You cannot open a mailbox that is located in a different site by using Outlook Anywhere in an Exchange Server 2010 environment
  • 2763065 Move request log is logged when you move a mailbox in an Exchange Server 2010 SP2 environment
  • 2777742 Address Book service crashes on an Exchange Server 2010 Client Access server when a server has been running for 25 days or more
  • 2781488 RPC_S_SERVER_UNAVAILABLE (0x6BA) error code when you use a MAPI or CDO-based application in an Exchange Server 2010 environment
  • 2782683 Email message that a user sends by using the “Send As” or “Send On Behalf” permission is saved only in the Sent Items folder of the sender in an Exchange Server 2010 environment
  • 2784210 Ethical wall does not function as expected when the ReportToOriginatorEnabled property is disabled in an Exchange Server 2003 and Exchange Server 2010 coexistence environment
  • 2793348 Read receipt is sent unexpectedly when you view an email message by using Outlook Web App
  • 2796490 Microsoft Exchange Information Store service crashes on an Exchange Server 2010 Mailbox server
  • 2802569 Mailbox synchronization fails on an Exchange ActiveSync device in an Exchange Server 2010 environment
  • 2806602 EdgeTransport.exe process crashes on an Exchange Server 2010 Hub Transport server
  • 2814723 Server loses network connectivity and UDP ports are used up on an Exchange Server 2010 server
  • 2814847 Rapid growth in transaction logs, CPU use, and memory consumption in Exchange Server 2010 when a user syncs a mailbox by using an iOS 6.1 or 6.1.1-based device
  • 2816934 Error code 0X800CCC13 when an additional POP3 or IMAP account is used to send an email message and Outlook online mode is used to connect to an Exchange Server 2010 environment
  • 2817140 Exchange Replication service crashes intermittently in an Exchange Server 2010 environment
  • 2817852 Cyrillic characters are displayed as question marks in the “To” field of message items in the Sent Items folder in an Exchange 2010 environment
  • 2818456 Attachments are missing from an embedded message in an Exchange Server 2010 SP2 environment
  • 2822208 Unable to soft delete some messages after installing Exchange 2010 SP2 RU6 or SP3
  • 2826066 VSAPI-based antivirus software causes delayed response in an Exchange Server 2010 environment
  • 2827037 Copy of an item is created in the Version subfolder in an Exchange Server 2010 environment
  • 2833888 No items are displayed in Outlook after you install Exchange Server 2010 SP3 or Update Rollup 6 for Exchange Server 2010 SP2
  • 2840099 ArgumentOutOfRangeException exception when an EWS application creates a new MIME email in an Exchange Server 2010 environment

 

Remark: before installing the rollup you may need to change the system language if it is currently set to Chinese or Japanese:

  1. Go to the Control Panel and change the language to English (United States)
  2. Install the rollup
  3. Change the language back to the original value

The update can be downloaded via the link below:

download

Let’s cleanup the mess caused by iOS

Update 21-2-2013: the script has been updated because a missing } caused it to fail.

You probably know about the iOS 6.1 bug that had a big impact on Exchange environments. Some environments were hit harder than others, and administrators have taken various measures to keep things running.

Apple has released an iOS update that should fix the issue; whether it really does is a matter of waiting. So far no negative reports have appeared on the usual sites, so it looks like it is solved.

Cleanup process

And now what? Many Exchange environments are polluted by the iOS bug. Now that the issue is solved, it is time to clean up the mess.

To clean up we first need to find out which mailboxes are really affected. For this you can use Get-MailboxStatistics and select DisplayName, TotalItemSize, TotalDeletedItemSize, ItemCount and DeletedItemCount; an affected mailbox has a TotalDeletedItemSize and DeletedItemCount far out of proportion to its normal content.

Once you have found the affected mailboxes, you need to identify the item that causes the growth. For this use Get-MailboxFolderStatistics. Because the items are placed in the Recoverable Items folder, specify RecoverableItems as the FolderScope, and add the IncludeAnalysis switch, which adds the TopSubject, TopSubjectCount and TopSubjectSize properties per folder. That tells you which item occurs most often and is the most problematic one.

To clean up the item use the Search-Mailbox cmdlet.
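As an added example, and not the author's IOS6.ps1 script described below, the block turns the three steps above into one report-only pass over a single database; only with the -Clean switch does it copy the offending item to a target mailbox and then delete it from the source, which is destructive and should be tried in a test environment first. The parameter names, thresholds and the target folder name are my assumptions. Search-Mailbox requires the Mailbox Search (Discovery Management) and Mailbox Import Export roles, and, as the post warns, deleting thousands of items generates a large amount of transaction logs.

```powershell
# Added example, not the author's IOS6.ps1: manual iOS cleanup procedure for one database.
# Report-only unless -Clean is specified. Run in the Exchange Management Shell.
param(
    [Parameter(Mandatory = $true)][string]$Database,
    [int]$MinDeletedSizeMB = 1024,     # TotalDeletedItemSize threshold for a suspect mailbox
    [int]$MinTopSubjectCount = 1000,   # how often the same subject must occur in one folder
    [string]$TargetMailbox,            # required with -Clean; receives a copy before deletion
    [switch]$Clean
)

# Step 1: mailboxes on the database with a suspiciously large Recoverable Items size.
# Get-MailboxStatistics -Database also returns disconnected mailboxes; DisconnectDate filters them out.
$suspects = Get-MailboxStatistics -Database $Database |
    Where-Object { $_.DisconnectDate -eq $null -and
                   $_.TotalDeletedItemSize.Value.ToMB() -ge $MinDeletedSizeMB }

foreach ($s in $suspects) {
    $id = $s.MailboxGuid.ToString()

    # Step 2: per-folder analysis of Recoverable Items; TopSubject* identifies the repeated item.
    $worst = Get-MailboxFolderStatistics -Identity $id -FolderScope RecoverableItems -IncludeAnalysis |
        Where-Object { $_.TopSubjectCount -ge $MinTopSubjectCount } |
        Sort-Object TopSubjectCount -Descending |
        Select-Object -First 1
    if (-not $worst) { continue }

    New-Object PSObject -Property @{
        Mailbox         = $s.DisplayName
        DeletedSizeMB   = $s.TotalDeletedItemSize.Value.ToMB()
        DeletedItems    = $s.DeletedItemCount
        Folder          = $worst.FolderPath
        TopSubject      = $worst.TopSubject
        TopSubjectCount = $worst.TopSubjectCount
        TopSubjectSize  = $worst.TopSubjectSize
    }

    # Step 3 (optional): copy the item to the target mailbox, then delete it from the source.
    # -SearchDumpsterOnly keeps the search inside Recoverable Items so live folders are untouched.
    if ($Clean) {
        if (-not $TargetMailbox) { throw '-TargetMailbox is required together with -Clean' }
        if ($worst.TopSubject -match '"') {
            Write-Warning "$($s.DisplayName): subject contains double quotes, skipped"; continue
        }
        Search-Mailbox -Identity $id `
            -SearchQuery "Subject:`"$($worst.TopSubject)`"" `
            -SearchDumpsterOnly `
            -TargetMailbox $TargetMailbox `
            -TargetFolder "IOS6-$($s.DisplayName)" `
            -DeleteContent -Confirm:$false | Out-Null
    }
}
```

Run it first without -Clean and review the report: a mailbox with a TopSubjectCount in the thousands for a single calendar subject is the signature you are looking for. Subjects containing double quotes are skipped rather than guessed at, because a malformed KQL query in Search-Mailbox with -DeleteContent would hit the wrong items.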

IOS6 cleanup script

As you have just discovered it can be a lot of work to cleanup the items. Because this maybe very hard in large environments I decided to create a script which finds the mailboxes, finds the item causing issues and optionally cleans up the item. The script will search per mailbox database. This because I have seen that it can cause a large amount of logging. The last one can have serious consequences for your storage, if the volume is almost full the databases will be dismounted automatically. Since this is not what we want it is very import to monitor the free space on the disk volumes when performing this process.

You can download the script via the TechNet Script Center or by using the link at the end of this blog.

In the current version the following functions are available:

  • search the specified database
  • create a report of the users which have a larger deleted item size than specified
  • create a report per user with the output of the analysis
  • automatically export the item to the specified mailbox and remove the item from the mailbox

But how do you execute the script? Before doing this it is important to know which parameters you can use:

  • database, name of the database on which you want to perform the process (required)
  • minsize, minimum size of the deleted items (required)
  • topsubjectcounter, minimum number of times the same item must exist (only required if autoclean is used)
  • autoclean, performs a search, exports the item and removes the item (default false)
  • userreport, creates a list of users who are passing the configured threshold (default false)
  • targetmailbox, which mailbox is used as target for the exported items (only required if autoclean is used)

For example: we want to search the database MBDB01 and want to know which mailboxes have deleted items which in total are bigger than 1 GB. Once we have found those mailboxes we want to clean up the item found during the analysis process, but only if it exists 1000 times or more. Besides this we want a report of the mailboxes which will be cleaned up.

To do this execute the script like this:

.\IOS6.ps1 -database MBDB01 -minsize 1024 -topsubjectcount 1000 -autoclean $true -userreport $true

Disclaimer: This script should be used at your own risk. Using the autocleanup functionality can cause data loss. Recommendation is to first test it in a test environment before using it in your production environment.

During the cleanup process a large amount of logging can be created, so it is recommended to monitor your environment during this process.

If you’re missing things or you have a question about the script then please let me know.

download script

Let the rollups roll

Today it is Microsoft Rollup day. New rollups have been released both for Exchange 2010 SP2 and for Exchange 2007 SP3. The rollup for Exchange 2010 SP2 contains a lot of fixes. For Exchange 2007 SP3 it is the 10th rollup which has been released, although it contains far fewer fixes than the Exchange 2010 one: a security fix and a fix for a problem with OWA.

An overview of the fixes included on the rollups can be found below:

Exchange 2010 SP2 Rollup 6:

  • 2489941 The “legacyExchangeDN” value is shown in the “From” field instead of the “Simple Display Name” in an email message in an Exchange Server 2010 environment
  • 2717453 You cannot move or delete a folder by using Outlook in online mode in an Exchange Server 2010 environment
  • 2733608 Corrupted Japanese DBCS characters when you send a meeting request or post a reply to a posted item in a public folder in an Exchange Server 2010 environment
  • 2734635 Folder-associated information (FAI) items are deleted when you run the New-InboxRule cmdlet or change Inbox rules in an Exchange Server 2010 environment
  • 2737046 AutoPreview feature does not work when you use Outlook in online mode in an Exchange Server 2010 environment
  • 2741117 High CPU utilization by Microsoft Exchange Replication service on Client Access servers in an Exchange Server 2010 environment
  • 2746030 Incorrect ExternalURL value for EWS is returned by an Exchange Server 2010 Client Access server
  • 2750188 Exchange Service Host service crashes when you start the service on an Exchange 2010 server
  • 2751417 Synchronization fails if you sync an external device to a mailbox through EAS in an Exchange Server 2010 environment
  • 2751581 OAB generation fails with event IDs 9126, 9330, and either 9338 or 9339 in an Exchange Server 2010 environment
  • 2760999 “The signup domain ‘org’ derived from ‘<TenantDomainName>.org’ is not a valid domain” error message when you use the Hybrid Configuration wizard in an Exchange Server
  • 2776259 Msftefd.exe process crashes if an email attachment has an unexpected file name extension or no file name extension in an Exchange Server 2010 environment
  • 2779387 Duplicated email messages are displayed in the Sent Items folder in a EWS-based application that accesses an Exchange Server 2010 Mailbox server
  • 2783586 Name order of a contact is displayed incorrectly after you edit the contact in an Exchange Server 2010 environment
  • 2783631 User-Agent field is empty when you run the Get-ActiveSyncDeviceStatistics cmdlet in an Exchange Server 2010 SP2 environment
  • 2783633 You cannot move or delete an email message that is larger than the maximum receive or send size in an Exchange Server 2010 environment
  • 2783649 Private appointment is visible to a delegate in an Exchange Server 2010 environment
  • 2783771 Mailbox on a mobile device is not updated when EAS is configured in an Exchange Server 2010 environment
  • 2783772 Edgetransport.exe process crashes after a journal recipient receives an NDR message in an Exchange Server 2010 environment
  • 2783776 You cannot perform a cross-premises search in a mailbox in an Exchange Server 2010 hybrid environment
  • 2783782 Error message when you use Scanpst.exe on a .pst file in an Exchange Server 2010 environment
  • 2784081 Store.exe process crashes if you add certain registry keys to an Exchange Server 2010 Mailbox server
  • 2784083 Week numbers in the Outlook Web App and Outlook calendars are mismatched in an Exchange Server 2010 environment
  • 2784093 SCOM alerts and event ID 4 in an Exchange Server 2010 SP2 organization that has Update Rollup 1 or later
  • 2784566 Exchange RPC Client Access service crashes on an Exchange Server 2010 Mailbox server
  • 2787023 Exchange Mailbox Assistants service crashes when you try to change a recurring calendar item or publish free/busy data in an Exchange Server 2010 environment
  • 2793274 A new option is available that disables the PermanentlyDelete retention action in an Exchange Server 2010 organization
  • 2793278 You cannot use the search function to search for mailbox items in an Exchange Server 2010 environment
  • 2793279 Exchange Server 2010 does not restart when the Microsoft Exchange Replication service freezes
  • 2793488 Internet Explorer freezes when you connect to the OWA several times in an Exchange Server 2010 environment
  • 2810616 Email message delivery is delayed on a Blackberry mobile device after you install Update Rollup 4 for Exchange Server 2010 SP2

download

Exchange 2007 SP3 Rollup 10:

2783779 A hidden user is still displayed in the Organization information of Address Book in OWA in an Exchange Server 2007 environment

download

In the first part of this blog we configured the Geo DNS server and the Database Availability Group. We will now continue with configuring the CAS role and after that perform some testing.

The first step is to set all the URLs to the same value, because each user will use the same URL when connecting from the internet and will be redirected to the correct datacenter by the GeoDNS solution.

Using the Get-WebServicesVirtualDirectory cmdlet we can see the current config. Because we only need a few properties we pipe the output to Select to show only those:

Get-WebServicesVirtualDirectory|Select Identity, ExternalUrl, InternalUrl

To set all the URLs to the same value we will use the Set-WebServicesVirtualDirectory cmdlet in combination with the Get-WebServicesVirtualDirectory cmdlet:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.johanveldhuis.nl/EWS/exchange.asmx -InternalUrl https://mail.johanveldhuis.nl/EWS/exchange.asmx

After these URLs have been fixed it’s time for the remaining URLs to be corrected:

OWA:

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.johanveldhuis.nl/owa -InternalUrl https://mail.johanveldhuis.nl/owa

ECP:

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.johanveldhuis.nl/ecp -InternalUrl https://mail.johanveldhuis.nl/ecp

OAB:

Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.johanveldhuis.nl/OAB -InternalUrl https://mail.johanveldhuis.nl/OAB

ActiveSync:

Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl https://mail.johanveldhuis.nl/Microsoft-Server-ActiveSync -ExternalUrl https://mail.johanveldhuis.nl/Microsoft-Server-ActiveSync

When the URLs for the web services have been configured it’s time to configure the Autodiscover URL on both servers:

Set-ClientAccessServer -Identity EX01 -AutoDiscoverServiceInternalUri https://autodiscover.johanveldhuis.nl/autodiscover/autodiscover.xml

And for the next server:

Set-ClientAccessServer -Identity EX02 -AutoDiscoverServiceInternalUri https://autodiscover.johanveldhuis.nl/autodiscover/autodiscover.xml

Since we haven’t configured Outlook Anywhere yet, we will need to configure it to use the correct FQDN. To do this we pipe Get-OutlookAnywhere into Set-OutlookAnywhere:

Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.johanveldhuis.nl -ExternalHostname mail.johanveldhuis.nl -InternalClientsRequireSsl:$true -ExternalClientsRequireSsl:$true

Now that we have configured all services with the correct URLs it’s time to generate a certificate request.

First we generate the request and put the output in a variable called $newcert:

$newcert = New-ExchangeCertificate -GenerateRequest -SubjectName "c=NL,o=Johan Veldhuis,cn=mail.johanveldhuis.nl" -DomainName "autodiscover.johanveldhuis.nl" -PrivateKeyExportable $true

Make sure you don’t forget to set PrivateKeyExportable to true. This gives us the option to export the certificate including the private key, which is needed on the other Exchange server.

The next step is to put the content of the variable in a text file:

$newcert | Out-File c:\install\csr.txt

Now we can send the CSR to the CA. Once we have received the certificate we can install it on the Exchange server which was used to create the CSR:

Import-ExchangeCertificate -FileData ([byte[]]$(Get-Content -Path "c:\install\certificate.cer" -Encoding Byte -ReadCount 0))

The next step is to assign the certificate to the services:

Get-ExchangeCertificate -Thumbprint thumbprint | Enable-ExchangeCertificate -Services POP,IMAP,IIS,SMTP

In this example you will need to replace thumbprint with the thumbprint of the certificate we have installed. You can find the value by running the following cmdlet:

Get-ExchangeCertificate | Select Subject, Thumbprint

Once this step has completed we can proceed with the next server. First we need to export the certificate including the private key:

$cert = Export-ExchangeCertificate -Thumbprint thumbprint -BinaryEncoded:$true -Password (Get-Credential).password

This will export the certificate and ask you for a password to protect the file, as it includes the private key. The output is stored in a variable called $cert.

Once the output is stored in the variable it’s time to create the PFX file:

Set-Content -Path "c:\certificates\cert.pfx" -Value $cert.FileData -Encoding Byte

Copy the PFX file to the other Exchange server and import it:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\cert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Once it has been imported we can assign it just as we did on the other server:

Get-ExchangeCertificate -Thumbprint thumbprint | Enable-ExchangeCertificate -Services POP,IMAP,IIS,SMTP

With this step we have completed the implementation of our Geo DNS solution.
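Before moving on to the client tests, a consistency check for everything configured above: every host name handed to clients should be one of the two expected names and must appear on the certificate enabled for IIS, otherwise clients will see a certificate trust error. This is an added script, not part of the original post; it assumes an Exchange Management Shell session, uses only the cmdlets and properties shown above, and the expected host names are this post’s values.

```powershell
# Added consistency check for the CAS configuration above (not part of the original post).
# Assumes an Exchange Management Shell session; the expected host names are this post's values.
$expected = @("mail.johanveldhuis.nl", "autodiscover.johanveldhuis.nl")

# 1. Collect every host name a client can be handed, from all CAS servers.
$entries = @()
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OwaVirtualDirectory) +
         @(Get-EcpVirtualDirectory) + @(Get-OabVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory)
foreach ($vd in $vdirs) {
    $entries += New-Object PSObject -Property @{ Source = "$($vd.Identity)"; Url = $vd.InternalUrl }
    $entries += New-Object PSObject -Property @{ Source = "$($vd.Identity)"; Url = $vd.ExternalUrl }
}
foreach ($cas in Get-ClientAccessServer) {
    $entries += New-Object PSObject -Property @{ Source = "$($cas.Name) Autodiscover"
                                                 Url = $cas.AutoDiscoverServiceInternalUri }
}
foreach ($oa in Get-OutlookAnywhere) {
    # InternalHostname only exists on Exchange 2013 and later; empty values are skipped.
    foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname)) {
        if ($h) { $entries += New-Object PSObject -Property @{ Source = "$($oa.Identity)"
                                                              Url = "https://$h/rpc" } }
    }
}

# 2. Host names on the certificate(s) currently enabled for IIS, plus an expiry warning.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$covered  = @($iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() })
$iisCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    ForEach-Object { Write-Warning "Certificate $($_.Thumbprint) expires $($_.NotAfter)" }

# 3. Compare. A wildcard SAN (*.example.com) covers exactly one extra label.
function Test-Covered([string]$name) {
    if ($covered -contains $name) { return $true }
    foreach ($d in $covered) {
        if ($d.StartsWith("*.") -and $name.EndsWith($d.Substring(1)) -and
            $name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}
$report = foreach ($e in $entries) {
    if (-not $e.Url) { Write-Warning "$($e.Source): URL not set"; continue }
    $name = ([System.Uri]"$($e.Url)").Host.ToLower()
    New-Object PSObject -Property @{
        Source        = $e.Source
        HostName      = $name
        Expected      = ($expected -contains $name)
        OnCertificate = (Test-Covered $name)
    }
}
$report | Sort-Object Expected, OnCertificate | Format-Table Source, HostName, Expected, OnCertificate -AutoSize
```

Any row with Expected or OnCertificate set to False points at a URL that was missed in the steps above or at a name missing from the certificate request.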

As with every deployment now comes the most important step: verify if everything works.

There are various clients we can use for testing our Geo DNS solution, among them:

  • Outlook Web App (OWA)
  • Outlook

We will skip ActiveSync in this test, but normally you would of course test each connection method which is available.

To perform these tests we will need to reconfigure our client so it matches one of the configured networks. For example:

IP: 192.168.2.100
Subnet: 255.255.255.0

Besides this, don’t forget to change the DNS settings so the Geo DNS server will be used for lookups.

Because all clients depend on DNS, first verify that it works, although we already checked it in the first part of this blog.

To test this we can use nslookup:

From a client in the 192.168.2.x range we will get this answer:

From a client in the 192.168.3.x range we will get this answer:

So far so good; let’s verify if we can connect to OWA from both subnets. To perform this test simply open your favorite browser and browse to the OWA URL, in this scenario https://mail.johanveldhuis.nl/owa:

As you can see OWA is displayed correctly. Once this test has been performed you will need to change the network settings of the client again to match the other network. Then perform the same test again and you should still have a working OWA, only now proxied via the other server.

As a final test we will perform several checks using Outlook. After configuring the profile you can see we’re connected. With this we have verified that both the connection to the mailbox and Autodiscover work:

Now let’s change the client’s network settings and see what happens. You might see a short disconnect, but after a few seconds you are connected via the other server:

And Outlook continues to synchronize the mailbox for the user. Besides this test you might want to verify some other things via Outlook:

  • verify if free/busy works
  • verify if Outlook can download the addressbook
  • verify if you can connect to the Exchange Control Panel using Outlook

Here ends the second and last part of how to build a Geo DNS solution in your test environment. Keep in mind that if you are planning to use Geo DNS you will need a “real” Geo DNS solution. This solution was only used for testing purposes and should not be used in a production environment.

Microsoft releases Exchange 2010 SP2 Rollup 5

Microsoft released Rollup 5 for Exchange 2010 SP2 yesterday. This rollup contains fixes for the following issues:

  • 2275156 The inline contents disposition is removed when you send a “Content-Disposition: inline” email message by using EWS in an Exchange Server 2010 environment
  • 2499044 You cannot save attachments in an email message by using OWA if the subject line contains special characters in an Exchange Server 2010 environment
  • 2509306 Journal reports are expired or lost when the Microsoft Exchange Transport service is restarted in an Exchange Server 2010 environment
  • 2514766 A RBAC role assignee can unexpectedly run the Add-ADPermission command on an Exchange Server 2010 server that is outside the role assignment scope
  • 2529715 Slow network or replication issues after you change the number of virus scanning API threads in Microsoft Exchange Server 2010
  • 2536704 Mailbox users who are migrated by using ILM 2007 cannot use the Options menu in OWA in an Exchange Server 2010 environment
  • 2537094 French translation errors occur when you edit a response to a meeting request by using OWA in an Exchange Server 2010 SP1 environment
  • 2555800 You cannot use the GetItem operation in EWS to retrieve properties of an email message in an Exchange Server 2010 environment
  • 2555850 You cannot delete a mailbox folder that starts with a special character in its name by using Outlook in an Exchange Server 2010 environment
  • 2556096 The columns in the .csv logging file are not lined up correctly when you perform a discovery search on a mailbox in an Exchange Server 2010 environment
  • 2556107 The columns in the .csv logging file are not lined up correctly when you perform a discovery search on a mailbox in an Exchange Server 2010 environment
  • 2556133 A device that uses Exchange ActiveSync cannot access mailboxes in an Exchange Server 2010 environment
  • 2556156 Extra.exe crashes when it performs RPC activity checks against an Exchange Server 2010 server
  • 2556352 “ChangeKey is required for this operation” error message in Outlook for Mac 2011 in an Exchange Server 2010 environment
  • 2556407 Certain client-only message rules do not take effect on email messages that are saved as drafts in an Exchange Server 2010 environment
  • 2559926 “There are no items to show in this view.” error message when you try to view a folder by using Outlook in an Exchange Server 2010 environment
  • 2572958 The “Test-OutlookConnectivity -Protocol HTTP” command fails with an HTTP 401 error in an Exchange Server 2010 environment

The rollup can be downloaded via the site below:

download

Microsoft has just released version 2 of the latest Exchange 2010 SP1 and SP2 rollups. At this moment you can’t find a lot of information about it. The only reference which can be found on the download pages of both rollups is a reference to security bulletin MS12-058. This security bulletin describes a vulnerability in the Web Ready Document Viewing functionality of Exchange 2010, caused by the Oracle Outside In libraries it uses.

The updates can be downloaded via the links below:

Exchange 2010 SP1 Rollup 7 v2: http://www.microsoft.com/en-us/download/details.aspx?id=34957

Exchange 2010 SP2 Rollup 4 v2: http://www.microsoft.com/en-us/download/details.aspx?id=34956

More information about the vulnerability can be found on the page below:

Security Bulletin MS12-058: http://technet.microsoft.com/en-us/security/Bulletin/MS12-058

Update: this update rollup has been re-released because the signatures used to sign the code expired. The advice is to install v2 of the rollup even if v1 of this update was already installed.