Channel: Exchange 2013 – azure365pro.com

Resource Pressure in Exchange Server


Let me explain the current situation.

– Exchange Transport service keeps crashing:

“Windows Could not Start the Microsoft Exchange Transport Service on Local Computer. Error 1053 – The Service did not respond to the start or Control request in a timely Fashion.”

– The queue database grows rapidly and the Transport service stops.

Queue database default location –

"C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue"

And we can see the resource pressure / back pressure event on the Exchange server –

I strongly feel that if we understand the event properly and spend some time on it, we can reach a solution. If you don’t receive this particular event, look at whatever Transport service event you do get.

Log Name:      Application
Source:        MSExchangeTransport
Event ID:      15004
Task Category: ResourceManager
Level:         Warning
Computer:      EX01.careexchange.in
Description:
The resource pressure increased from Medium to High.

The following resources are under pressure:
Version buckets = 366 [High] [Normal=80 Medium=120 High=200]

The following components are disabled due to back pressure:
Inbound mail submission from Hub Transport servers
Inbound mail submission from the Internet
Mail submission from Pickup directory
Mail submission from Replay directory
Mail submission from Mailbox server
Mail delivery to remote domains
Content aggregation
Mail resubmission from the Message Resubmission component.
Mail resubmission from the Shadow Redundancy Component

The following resources are in normal state:
Queue database and disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que") = 77% [Normal] [Normal=95% Medium=97% High=99%]
Queue database logging disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\") = 77% [Normal] [Normal=95% Medium=97% High=99%]
Private bytes = 5% [Normal] [Normal=71% Medium=73% High=75%]
Physical memory load = 64% [limit is 94% to start dehydrating messages.]
Submission Queue = 0 [Normal] [Normal=2000 Medium=4000 High=10000]
Temporary Storage disk space ("C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Temp") = 77% [Normal] [Normal=95% Medium=97% High=99%]

 

Aspects of the event in my case – things are normal; it’s not a disk or disk space issue.

If any of the values below are not normal, free some space or change the location of the queue database.

Queue database and disk space = 77% [Normal]

Queue database logging disk space = 77% [Normal]

Private bytes = 5% [Normal]

Physical memory load = 64% [Normal]

Submission Queue = 0 [Normal]

Temporary Storage disk space = 77% [Normal]

Version buckets = 366 [High]

Restarted the server. Still no change.

Stopped the Transport service, moved the Queue folder data to a different location and started the service. (Risk of losing emails if the queue is not 0, i.e. there are unprocessed mails.)

Then we tried recreating the transport database. Still the same issue reappears (the queue database grows rapidly and the Transport service stops).

Now we need to check what is being submitted to the transport database that makes it grow so large.

Let’s look at the message tracking logs –

Get-MessageTrackingLog -ResultSize Unlimited -Start "01/12/2017 00:00:00" | Where-Object {$_.TotalBytes -gt 1048576} | Select-Object Sender, MessageSubject, Recipients, TotalBytes

Oh shit. Some crazy guy sent a 2 GB file as an attachment. Oh wait, why did Exchange allow it?

Get-TransportConfig | fl

MaxSendSize – unlimited

MaxReceiveSize – unlimited

Set-TransportConfig -MaxSendSize 30MB -MaxReceiveSize 30MB

Restarted Transport Service.
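To find who is pushing oversized messages through transport, and every limit that could have let them in, here is an added PowerShell example (not code from the original post). It assumes a local Exchange Management Shell (in a remote session the size properties deserialize to plain strings); the 100 MB threshold and the one-day look-back are assumed defaults.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Reports oversized messages per sender from the tracking logs, then every place
# a size limit lives. Threshold and look-back window are assumed defaults.
param(
    [int64]$ThresholdBytes = 100MB,            # anything above this counts as oversized
    [datetime]$Start = (Get-Date).AddDays(-1)  # how far back to read the tracking logs
)

# 1. Oversized messages per sender. RECEIVE is logged once per message entering
#    transport (Source STOREDRIVER for mailbox submissions), and filtering happens
#    before Select-Object so the pipeline does not carry every event around.
$large = Get-MessageTrackingLog -ResultSize Unlimited -Start $Start -EventId RECEIVE |
    Where-Object { $_.TotalBytes -gt $ThresholdBytes } |
    Select-Object Timestamp, Sender, Recipients, MessageSubject, TotalBytes, Source, ConnectorId

if (-not $large) {
    "No messages above $([math]::Round($ThresholdBytes / 1MB)) MB since $Start."
}

$large |
    Group-Object Sender |
    ForEach-Object {
        $sizes = $_.Group | Measure-Object TotalBytes -Sum -Maximum
        [pscustomobject]@{
            Sender    = $_.Name
            Messages  = $_.Count
            TotalMB   = [math]::Round($sizes.Sum / 1MB, 1)
            LargestMB = [math]::Round($sizes.Maximum / 1MB, 1)
        }
    } |
    Sort-Object TotalMB -Descending |
    Format-Table -AutoSize

# 2. Every place a size limit lives. The organization limit is only one of them.
"== Organization limits (Set-TransportConfig) =="
Get-TransportConfig | Format-List MaxSendSize, MaxReceiveSize

"== Connector limits =="
Get-ReceiveConnector | Select-Object Identity, MaxMessageSize | Format-Table -AutoSize
Get-SendConnector    | Select-Object Identity, MaxMessageSize | Format-Table -AutoSize

# A mailbox-level limit overrides the organization limit for that mailbox, in either
# direction. 'Unlimited' on a mailbox means "inherit", so list only the ones that differ.
"== Mailboxes with their own limits =="
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.MaxSendSize.IsUnlimited -or -not $_.MaxReceiveSize.IsUnlimited } |
    Select-Object PrimarySmtpAddress, MaxSendSize, MaxReceiveSize |
    Format-Table -AutoSize
```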


Now looking at the user’s mailbox, the respective message is not in the Outbox; it is in Sent Items.

Disabled the mailbox temporarily. Before disabling, always make sure the deleted mailbox retention is not set to 0 in the Mailbox Database properties.

Cleared the transport database and temp folder, and things are now normal.

Waited a few hours, then re-enabled the mailbox.

Things were normal. Removed the 2 GB email from the mailbox anyway; don’t ask me why I removed it, but I removed it.

In the end it was some movie clips sent by a user. Be careful about the max send size; it can really screw things up big time. Can’t blame the end user.

The post Resource Pressure in Exchange Server appeared first on CareExchange.in.


Target Mailbox doesn’t have a proxy matching – Bulk add Proxy Address


Moving to Office 365 – Mailbox Migration Error

Error: MigrationPermanentException  “Target mailbox doesn’t have an SMTP proxy matching ‘<domain>.mail.onmicrosoft.com'” error when you try to move mailboxes to Exchange Online

The issue happens only for users where the email address policy is not enabled.

Checking Automatically Update Email Address in bulk for multiple mailboxes can have serious implications if the number of mailboxes is large, as in some environments people rename email addresses outside the email address policy for various reasons (updates, customization, friendlier addresses).

When you check Automatically Update Email Address, it applies the addresses as specified in the policy, like firstname.lastname@careexchange.in or Alias@careexchange.in, which you can see in the email address policy settings.

Now let’s see how to add the proxy address in bulk without enabling the email address policy.

List Mailboxes where EmailAddressPolicyEnabled  is  False

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.EmailAddressPolicyEnabled -like "False"}


Export to CSV –

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.EmailAddressPolicyEnabled -like "False"} | Select-object Alias,PrimarySmtpAddress | Export-Csv UsersneedProxyaddress.csv

Now create a CSV with the custom proxy address that needs to be added to each user mailbox; the commands below expect the columns PrimarySmtpAddress and AddAddress.

For dummies – you can build it from the exported CSV using Excel features.

 

To Add these Additional Proxy Addresses to these mailboxes –

Import-Csv AddProxyaddress.csv | ForEach-Object{Set-Mailbox $_.PrimarySmtpAddress -EmailAddresses @{add=$_.AddAddress}}


Verifying –

Import-Csv AddProxyaddress.csv | ForEach-Object{Get-Mailbox $_.PrimarySmtpAddress} | FT Emailaddresses


 

To Revert Back –

Import-Csv AddProxyaddress.csv | ForEach-Object{Set-Mailbox $_.PrimarySmtpAddress -EmailAddresses @{remove=$_.AddAddress}}
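As an added example (not code from the original post), here is a version of the same procedure that derives the routing proxy from each mailbox alias and adds it only where it is missing, so it can be re-run safely. It assumes the Exchange Management Shell; the tenant routing domain is passed in, and the script only previews unless -Commit is given.

```powershell
# Added example, not from the original post. Adds <alias>@<tenant>.mail.onmicrosoft.com
# to every mailbox outside the email address policy, only where it is missing.
# Leaves the primary address and EmailAddressPolicyEnabled untouched. Preview by default.
param(
    [Parameter(Mandatory)][string]$RoutingDomain,  # e.g. contoso.mail.onmicrosoft.com (assumed)
    [switch]$Commit                                # omit to preview only
)

function Get-RoutingProxyReport {
    param([string]$RoutingDomain, [switch]$Commit)

    $mailboxes = Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.EmailAddressPolicyEnabled }

    foreach ($mbx in $mailboxes) {
        $wanted = "$($mbx.Alias)@$RoutingDomain"
        # EmailAddresses holds ProxyAddress objects; compare the bare SMTP address
        # (PrefixString is 'SMTP' for the primary, 'smtp' for secondaries; -eq ignores case).
        $existing = @($mbx.EmailAddresses |
            Where-Object { $_.PrefixString -eq 'smtp' } |
            ForEach-Object { $_.SmtpAddress })
        $present = $existing -contains $wanted   # -contains is case-insensitive for strings

        if ($present)     { $action = 'none' }
        elseif ($Commit)  { $action = 'added' }
        else              { $action = 'would add' }

        if (-not $present -and $Commit) {
            # @{add=} appends; it never rewrites the primary (SMTP:) address
            Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{add = $wanted}
        }

        [pscustomobject]@{
            Mailbox        = $mbx.PrimarySmtpAddress.ToString()
            Proxy          = $wanted
            AlreadyPresent = $present
            Action         = $action
        }
    }
}

$report = Get-RoutingProxyReport -RoutingDomain $RoutingDomain -Commit:$Commit
$report | Format-Table -AutoSize
# Keep the report: with its Mailbox and Proxy columns it is also the input you need
# for the revert command in the post.
$report | Export-Csv -NoTypeInformation -Path ".\RoutingProxy_$(Get-Date -Format yyyyMMdd_HHmm).csv"
```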


The post Target Mailbox doesn’t have a proxy matching – Bulk add Proxy Address appeared first on CareExchange.in.

Outlook Cannot Logon System resources are critically Low


Microsoft Outlook 2016.

  • Outlook Cannot Log on. Verify you are connected to the network and are using the proper server and mailbox name. The Microsoft Exchange information service in your profile is missing required information. Modify your profile to ensure that you are using the correct Microsoft Exchange Information Service.

System Resources are Critically Low. Close Some Windows.

Why is it happening all of a sudden?

While doing an Autodiscover test, just confirm it is going to the right place.

Ideally, in most cases it should go to autodiscover.careexchange.in.

But Autodiscover tries the root domain first. As the root domain listens on HTTPS by mistake and responds to Autodiscover abnormally, Outlook downloads the wrong XML file.

It is going to https://careexchange.in:443/Autodiscover/Autodiscover.xml

and downloading the wrong XML file.

You can see the same with https://testconnectivity.microsoft.com/

Location of the cached Autodiscover XML on the client –

C:\Users\sathesh\appdata\local\Microsoft\outlook\16

Now, stop the domain from listening on HTTPS 443,

or delete the A record of domain.com and keep www.careexchange.in only.

Wrong / Abnormal XML File example –

<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
 <User>
 <DisplayName>sath@careexchange.in</DisplayName>
 </User>
 <Account>
 <AccountType>email</AccountType>
 <Action>settings</Action>
 <Protocol>
 <Type>IMAP</Type>
 <Server>careexchange.in</Server>
 <Port>993</Port>
 <DomainRequired>off</DomainRequired>
 <SPA>off</SPA>
 <SSL>on</SSL>
 <AuthRequired>on</AuthRequired>
 <LoginName>sath@careexchange.in</LoginName>
 </Protocol>
 <Protocol>
 <Type>SMTP</Type>
 <Server>careexchange.in</Server>
 <Port>465</Port>
 <DomainRequired>off</DomainRequired>
 <SPA>off</SPA>
 <SSL>on</SSL>
 <AuthRequired>on</AuthRequired>
 <LoginName>sath@careexchange.in</LoginName>
 </Protocol>
 </Account>
 </Response>
</Autodiscover>

Working XML File of Office 365 –

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
 <User>
 <DisplayName>Sath | CareExchange</DisplayName>
 <LegacyDN>/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=a454655555980555598a83a-sathesh_758</LegacyDN>
 <AutoDiscoverSMTPAddress>sath@Careexchange.in</AutoDiscoverSMTPAddress>
 <DeploymentId>b787ddaf-ec3e-4ccf-965750e3849b</DeploymentId>
 </User>
 <Account>
 <AccountType>email</AccountType>
 <Action>settings</Action>
 <MicrosoftOnline>True</MicrosoftOnline>
 <ConsumerMailbox>False</ConsumerMailbox>
 <Protocol Type="mapiHttp" Version="1">
 <MailStore>
 <ExternalUrl>https://outlook.office365.com/mapi/emsmdb/?MailboxId=f26e24bc-5555-4544-0047-af993fbcbd43@careexchange.in</ExternalUrl>
 </MailStore>
 <AddressBook>
 <ExternalUrl>https://outlook.office365.com/mapi/nspi/?MailboxId=f26e24bc-5555-4544-0047-af993fbcbd43@careexchange.in</ExternalUrl>
 </AddressBook>
 </Protocol>
 <Protocol>
 <Type>WEB</Type>
 <Internal>
 <OWAUrl AuthenticationMethod="LiveIdFba, OAuth">https://outlook.office365.com/owa/</OWAUrl>
 <Protocol>
 <Type>EXCH</Type>
 <ASUrl>https://outlook.office365.com/EWS/Exchange.asmx</ASUrl>
 </Protocol>
 </Internal>
 <External>
 <OWAUrl AuthenticationMethod="Fba">https://outlook.office365.com/owa/Careexchange.in/</OWAUrl>
 <Protocol>
 <Type>EXPR</Type>
 <ASUrl>https://outlook.office365.com/EWS/Exchange.asmx</ASUrl>
 </Protocol>
 </External>
 </Protocol>
 <Protocol>
 <Type>EXHTTP</Type>
 <Server>outlook.office365.com</Server>
 <SSL>On</SSL>
 <AuthPackage>Basic</AuthPackage>
 <ASUrl>https://outlook.office365.com/EWS/Exchange.asmx</ASUrl>
 <EwsUrl>https://outlook.office365.com/EWS/Exchange.asmx</EwsUrl>
 <EmwsUrl>https://outlook.office365.com/EWS/Exchange.asmx</EmwsUrl>
 <SharingUrl>https://outlook.office365.com/EWS/Exchange.asmx</SharingUrl>
 <EcpUrl>https://outlook.office365.com/owa/</EcpUrl>
 <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>
 <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>
 <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=Careexchange.in</EcpUrl-mt>
 <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>
 <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>
 <EcpUrl-publish>?path=/options/calendarpublishing/id/&lt;FldID&gt;</EcpUrl-publish>
 <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>
 <EcpUrl-connect>?path=/options/socialnetworks&amp;ignore1=&lt;Action&gt;&amp;ignore2=&lt;Provider&gt;</EcpUrl-connect>
 <EcpUrl-tm>options/ecp/?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=Careexchange.in</EcpUrl-tm>
 <EcpUrl-tmCreating>options/ecp/?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=Careexchange.in</EcpUrl-tmCreating>
 <EcpUrl-tmEditing>options/ecp/?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=Careexchange.in</EcpUrl-tmEditing>
 <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>
 <OOFUrl>https://outlook.office365.com/EWS/Exchange.asmx</OOFUrl>
 <UMUrl>https://outlook.office365.com/EWS/UM2007Legacy.asmx</UMUrl>
 <OABUrl>https://outlook.office365.com/OAB/e238e51d-463a-4dab-8387-85555395925/</OABUrl>
 <ServerExclusiveConnect>On</ServerExclusiveConnect>
 </Protocol>
 </Account>
 </Response>
</Autodiscover>
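The check described above, as an added PowerShell example (not code from the original post): it replays the two HTTPS lookups Outlook makes for a domain and reports what each endpoint really answers, so a root web site that serves an IMAP/SMTP settings file is caught before users see the errors. Only the e-mail address is an input; the request body is the standard Outlook Autodiscover request.

```powershell
# Added example, not from the original post. Replays the two HTTPS lookups Outlook
# makes for a domain (the bare domain first, then the autodiscover host) and reports
# what each one really answers, so a root web site that serves an IMAP/SMTP settings
# file, as above, is caught before users see "system resources are critically low".
param([Parameter(Mandatory)][string]$EmailAddress)   # e.g. user@careexchange.in

$domain = $EmailAddress.Split('@')[1]
# The request body Outlook posts; the response schema is the one both XML files above use.
$body = @"
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

function Test-AutodiscoverUrl([string]$Url, [string]$Body) {
    $result = [ordered]@{ Url = $Url; Status = $null; Protocols = ''; Verdict = '' }
    try {
        # Sent without credentials on purpose: Exchange and Office 365 answer 401 here,
        # a generic web host answers 200 with whatever file it has.
        $resp = Invoke-WebRequest -Uri $Url -Method Post -Body $Body -ContentType 'text/xml' `
                                  -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        $result.Status = [int]$resp.StatusCode
        [xml]$xml = $resp.Content
        # <Protocol> carries its kind as a <Type> child (IMAP, SMTP, EXHTTP, ...) or a
        # Type attribute (mapiHttp); the XML adapter exposes both as .Type.
        $types = @($xml.GetElementsByTagName('Protocol') | ForEach-Object { $_.Type } | Where-Object { $_ })
        $result.Protocols = $types -join ','
        $exchangeTypes = $types | Where-Object { $_ -in 'EXCH', 'EXPR', 'EXHTTP', 'mapiHttp', 'WEB' }
        $result.Verdict = if ($exchangeTypes) { 'Exchange settings' }
                          elseif ($types)    { 'NON-EXCHANGE settings (Outlook will accept these)' }
                          else               { 'unexpected 200 without protocol settings' }
    } catch {
        $code = [int]$_.Exception.Response.StatusCode   # 0 when there was no HTTP response at all
        $result.Status = if ($code) { $code } else { $_.Exception.Message }
        $result.Verdict = switch ($code) {
            401     { 'Exchange-style endpoint (asks for credentials)' }
            0       { 'no listener, or DNS/TLS failure' }
            default { 'no usable Autodiscover answer' }
        }
    }
    [pscustomobject]$result
}

$urls = "https://$domain/Autodiscover/Autodiscover.xml",
        "https://autodiscover.$domain/Autodiscover/Autodiscover.xml"
$urls | ForEach-Object { Test-AutodiscoverUrl -Url $_ -Body $body } | Format-List
```

A healthy setup shows the bare domain as "no listener" or 401 and the autodiscover host as 401; the situation in this post shows the bare domain answering 200 with Protocols IMAP,SMTP.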

 

The post Outlook Cannot Logon System resources are critically Low appeared first on CareExchange.in.

Adding Domain in Existing Hybrid Configuration


Scenario 1 –

  • The domain never existed in the forest.
  • All mailboxes will be in the cloud.
  • The Hybrid Exchange server will be used only for recipient management.

  • Add the additional domain in the Office Admin Center.
  • Add the required DNS records – point MX, Autodiscover and SPF to the cloud.

Open on-premises Active Directory – Active Directory Domains and Trusts – Properties.

Add the additional UPN suffix –

Now you can set –

To change email addresses, use Accepted Domains and Email Address Policies in the Exchange Control Panel.

Try creating test users and check that they sync to the cloud with the new domain.

Scenario 2 –

  • The domain already exists in the forest.
  • All mailboxes with this domain exist in the forest.
  • Mailboxes are yet to move to the cloud, but the hybrid configuration was completed with the new domain.

  • Add the additional domain in the Office Admin Center.
  • Add only the verification DNS record.
  • Don’t change the MX or Autodiscover records.

Open on-premises Active Directory – Active Directory Domains and Trusts – Properties.

Add the additional UPN suffix –

Now you can set –

To change email addresses, use Accepted Domains and Email Address Policies in the Exchange Control Panel.

Add the domain in Organization Sharing –

Add the domain in the existing hybrid mail flow connector –

  • From Office 365 To Your Organization’s Email Server

Edit the connector – add the domain – validate the connector before applying.

In my case the domain was from a different site altogether, so I added a new migration endpoint.

Followed the normal process to migrate mailboxes using the new migration endpoint.
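The Scenario 2 steps in PowerShell form, as an added example (not from the original post). Steps 1 to 3 assume the on-premises Exchange Management Shell with the ActiveDirectory module available; steps 4 and 5 assume an Exchange Online session. Each step checks before it changes, so it can be re-run, and MX and Autodiscover are left alone as the post requires.

```powershell
# Added example, not from the original post: the PowerShell form of the Scenario 2
# steps. Steps 1-3 run in the on-premises Exchange Management Shell (with the
# ActiveDirectory module present); steps 4-5 run in an Exchange Online session.
# Each step checks before it changes, so the script can be re-run. MX and
# Autodiscover records are deliberately left alone, as the post requires.
param([Parameter(Mandatory)][string]$NewDomain)   # e.g. newdomain.com (assumed)

# ---------- On-premises ----------
Import-Module ActiveDirectory

# 1. UPN suffix: what "Active Directory Domains and Trusts - Properties" adds.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewDomain}
}

# 2. Accepted domain, so address policies and recipients can use it.
if (-not (Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $NewDomain })) {
    New-AcceptedDomain -Name $NewDomain -DomainName $NewDomain -DomainType Authoritative
}

# 3. Organization sharing: the relationship the hybrid wizard created only covers
#    the domains listed in DomainNames, so the new one has to be added.
Get-OrganizationRelationship |
    Where-Object { @($_.DomainNames | ForEach-Object { "$_" }) -notcontains $NewDomain } |
    Set-OrganizationRelationship -DomainNames @{Add = $NewDomain}

# ---------- Exchange Online (Connect-ExchangeOnline first) ----------
# 4. Hybrid mail flow: "From Office 365 to your organization's email server" is the
#    outbound connector of type OnPremises; add the domain to its recipient domains.
Get-OutboundConnector |
    Where-Object { $_.ConnectorType -eq 'OnPremises' -and
                   @($_.RecipientDomains | ForEach-Object { "$_" }) -notcontains $NewDomain } |
    Set-OutboundConnector -RecipientDomains @{Add = $NewDomain}

# 5. Sanity checks before any move: the domain is accepted in the tenant (only true
#    once the verification DNS record is in place) and the connector now lists it.
Get-AcceptedDomain -Identity $NewDomain | Format-List DomainName, DomainType
Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Format-List Name, RecipientDomains, SmartHosts
```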


See –

Office 365 Hybrid Configuration Wizard Step by Step

Office 365 Hybrid Duplicate Mailboxes

The post Adding Domain in Existing Hybrid Configuration appeared first on CareExchange.in.

Microsoft Exchange Topology Service Crashing on restart


Symptoms –

  • Microsoft Exchange Topology service crashing on restart
  • PDC cannot replicate to any server; “RPC server is unavailable” error

Events on the Exchange server – the Exchange server couldn’t retrieve topology information properly. Each directory server line should read “1 7 7 1 0 1 1 7 1”.

Log Name:      Application
Source:        MSExchangeADTopology
Date:          3/27/2017 7:10:43 AM
Event ID:      2142
Task Category: Topology
Level:         Error
Keywords:      Classic
Computer:      MAIL.domain.local
Description:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=104388) Forest domain.local . Topology discovery failed, error details
No Minimal Required Number of Suitable Directory Servers Found in Forest ad.local Site Orange and connected Sites..

Log Name:      Application
Source:        MSExchange ADAccess
Date:          3/27/2017 6:58:55 AM
Event ID:      2080
Task Category: Topology
Level:         Information
Keywords:      Classic
Computer:     MAIL.domain.local

Description:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=104388). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site

PDC.domain.local    CDG 1 6 0 0 0 0 0 0 0
DC1.domain.local    CDG 1 7 7 1 0 1 1 7 1
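To turn the 2080 event above into a readable check, here is an added PowerShell example (not from the original post) that parses the newest event 2080 on the Exchange server into the columns its header names and flags any directory server that does not match the healthy "1 7 7 1 x 1 1 7 1" pattern. It assumes an elevated shell on the Exchange server and the local Application log.

```powershell
# Added example, not from the original post. Reads the newest MSExchange ADAccess
# event 2080 from the local Application log, splits every directory server line into
# the columns the event header names, and flags anything that is not the healthy
# "1 7 7 1 x 1 1 7 1" pattern (x is the PDC column: 1 only on the PDC emulator).
# Run in an elevated PowerShell on the Exchange server.
$columns = 'Enabled', 'Reachability', 'Synchronized', 'GCCapable', 'PDC',
           'SACLRight', 'CriticalData', 'Netlogon', 'OSVersion'
# Expected values for a usable DC; PDC is deliberately absent from this table.
$healthy = @{ Enabled = 1; Reachability = 7; Synchronized = 7; GCCapable = 1;
              SACLRight = 1; CriticalData = 1; Netlogon = 7; OSVersion = 1 }

function ConvertFrom-AdAccess2080 {
    param([string]$Message)   # the event's Description text
    $section = 'unknown'
    foreach ($raw in ($Message -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^(In-site|Out-of-site):?$') { $section = $Matches[1]; continue }
        # e.g. "PDC.domain.local    CDG 1 6 0 0 0 0 0 0 0"
        if ($line -match '^(?<name>\S+)\s+(?<roles>[CDG-]+)\s+(?<flags>\d+(\s+\d+){8})$') {
            $values = [int[]]($Matches.flags -split '\s+')
            $row = [ordered]@{ Server = $Matches.name; Site = $section; Roles = $Matches.roles }
            for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = $values[$i] }
            $problems = foreach ($c in $columns) {
                if ($healthy.ContainsKey($c) -and $row[$c] -ne $healthy[$c]) { "$c=$($row[$c])" }
            }
            $row.Healthy  = -not $problems
            $row.Problems = $problems -join ', '
            [pscustomobject]$row
        }
    }
}

$event = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080 } `
                      -MaxEvents 1 -ErrorAction Stop
"Event 2080 from $($event.TimeCreated) on $($event.MachineName)"
ConvertFrom-AdAccess2080 -Message $event.Message |
    Format-Table Server, Site, Roles, Enabled, Reachability, Synchronized, GCCapable, PDC,
                 SACLRight, CriticalData, Netlogon, OSVersion, Healthy, Problems -AutoSize
```

For the event above, PDC.domain.local comes out with Healthy = False and Problems listing Reachability=6, Synchronized=0, GCCapable=0, SACLRight=0, CriticalData=0, Netlogon=0, OSVersion=0, while DC1.domain.local is Healthy.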

Events on the Domain Controller – the DNS server could not initialize the remote procedure call (RPC) service.

Log Name:      System
Source:        NETLOGON
Date:          3/27/2017 10:23:51 AM
Event ID:      5774
Task Category: None
Level:         Error
Keywords:      Classic
Computer:      PDC.domain.local
Description:
The dynamic registration of the DNS record ‘_ldap._tcp.A-Default-First-Site-Name._sites.ForestDnsZones.domain.local. 600 IN SRV 0 100 389 PDC.domain.local.’ failed on the following DNS server:

DNS server IP address: 192.168.111.2
Returned Response Code (RCODE): 5
Returned Status Code: 10055

For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run ‘nltest.exe /dsregdns’ from the command prompt on the domain controller or restart Net Logon service.
Or, you can manually add this record to DNS, but it is not recommended.

Event Type:    Error
Event Source:    DNS
Event Category:    None
Event ID:    140
Date:        3/27/2017
Time:        10:29:26 AM
User:        N/A
Computer:    PDC.domain.local
Description:
The DNS server could not initialize the remote procedure call (RPC) service. If it is not running, start the RPC service or reboot the computer. The event data is the error code.

 

Solution –

  • Restarted the Primary Domain Controller – the DNS server got initialized

Waited some time, about 10 minutes, for Active Directory replication to work

repadmin /syncall /AePdq

  • Ran PrepareAD

Downloaded the existing version of the Exchange setup –

Preparing Active Directory

.\setup /PrepareAD /IAcceptExchangeServerLicenseTerms

Active Directory permissions came back – environment back to normal

Events on Exchange Topology –

Log Name:      Application
Source:        MSExchange ADAccess
Date:          3/27/2017 6:59:04 AM
Event ID:      2080
Task Category: Topology
Level:         Information
Keywords:      Classic
Computer:      PDC.domain.local
Description:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=104388). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
PDC.domain.local    CDG 1 7 7 1 0 1 1 7 1
DC1.domain.local    CDG 1 7 7 1 0 1 1 7 1

The post Microsoft Exchange Topology Service Crashing on restart appeared first on CareExchange.in.

Office 365 Mailbox not showing in Hybrid Exchange server


Newly created mailbox not showing in the Hybrid Exchange Server Control Panel.

The user was created directly in Active Directory and the mailbox was created in Office 365 without using the hybrid server.

The commands below will make the mailbox show up under Get-RemoteMailbox on the Hybrid Exchange server.

Run on the Azure AD Connect server or the Hybrid Exchange server with the Active Directory tools installed (Set-RemoteMailbox needs an Exchange Management Shell session).

# Set-ADUser needs the ActiveDirectory module; Set-RemoteMailbox needs the Exchange cmdlets
Import-Module ActiveDirectory

$uid = Read-Host "Please enter User's username"
$mailnick = Read-Host "Please enter User's mail nickname"

# Routing address into the tenant, and the primary SMTP address
$tmail = $uid + "@domain.mail.onmicrosoft.com"
$pmail = $mailnick + "@domain.com"

# Clear any leftover on-premises mailbox attributes
Set-ADUser $uid -Clear homemdb, homemta, msExchHomeServerName, msExchPoliciesExcluded

# Stamp the attributes of a remote (Office 365) user mailbox
Set-ADUser $uid -Add @{msExchRemoteRecipientType="4"}
Set-ADUser $uid -Add @{mailNickname="$mailnick"}
Set-ADUser $uid -Add @{msExchProvisioningFlags="0"}
Set-ADUser $uid -Add @{msExchModerationFlags="6"}
Set-ADUser $uid -Add @{msExchAddressBookFlags="1"}
Set-ADUser $uid -Replace @{targetaddress="$tmail"}
Set-ADUser $uid -Replace @{msExchRecipientDisplayType="-2147483642"}
Set-ADUser $uid -Replace @{msExchRecipientTypeDetails="2147483648"}

# Exchange now sees the user as a remote mailbox; set its primary SMTP address
Set-RemoteMailbox $uid -PrimarySMTPAddress $pmail

The post Office 365 Mailbox not showing in Hybrid Exchange server appeared first on CareExchange.in.

Dump All Proxy Address from Exchange Server


Dump All Proxy Address/Email Addresses from Exchange Server using PowerShell.

Mailboxes –

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName,ServerName,EmailAddressPolicyEnabled,PrimarySmtpAddress, @{Name="EmailAddresses";Expression={($_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}) -join ";"}} | Export-Csv EmailAddresses_MBX_Dump.csv -NoTypeInformation

Distribution Groups –

Get-DistributionGroup -ResultSize Unlimited | Select-Object DisplayName,ServerName,EmailAddressPolicyEnabled,PrimarySmtpAddress, @{Name="EmailAddresses";Expression={($_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}) -join ";"}} | Export-Csv EmailAddresses_DG_Dump.csv -NoTypeInformation

Mail Contacts –

Get-MailContact -ResultSize Unlimited | Select-Object DisplayName,ServerName,EmailAddressPolicyEnabled,PrimarySmtpAddress, @{Name="EmailAddresses";Expression={($_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}) -join ";"}} | Export-Csv EmailAddresses_Contact_Dump.csv -NoTypeInformation

Each export gives you a CSV with one row per recipient; the secondary (lowercase smtp:) addresses are joined with ";" in the EmailAddresses column, because without the join Export-Csv writes "System.Object[]" for that column.

The post Dump All Proxy Address from Exchange Server appeared first on CareExchange.in.

The HTTP request was forbidden with client authentication scheme ‘Negotiate’


Exchange Server 2016 Hybrid server, hybrid remote move migration error.

Error: MigrationTransientException: The call to 'https://mail.careexchange.in/EWS/mrsproxy.svc' failed. Error details: The HTTP request was forbidden with client authentication scheme 'Negotiate'. --> The remote server returned an error: (403) Forbidden.. --> The call to 'https://mail.careexchange.in/EWS/mrsproxy.svc' failed. Error details: The HTTP request was forbidden with client authentication scheme 'Negotiate'. --> The remote server returned an error: (403) Forbidden.. --> The HTTP request was forbidden with client authentication scheme 'Negotiate'. --> The remote server returned an error: (403) Forbidden.
Report: anon@careexchange.in

Make sure MRS Proxy is enabled.

Get-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS (Default Web Site)" | FL MrsProxy*

To enable

Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS (Default Web Site)" -MRSProxyEnabled $true

To disable

Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS (Default Web Site)" -MRSProxyEnabled $false

In my case MRS Proxy was already enabled. Enabling Basic Authentication on the Web Services virtual directory resolved the issue.

Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS (Default Web Site)" -BasicAuthentication $true
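In a multi-server hybrid it is worth auditing every EWS virtual directory rather than one, so here is an added PowerShell example (not from the original post) that reports the two settings this error depends on, fixes the ones that are off (preview unless -Commit), and shows the test to run from Exchange Online. It assumes the on-premises Exchange Management Shell; the external host name is an input.

```powershell
# Added example, not from the original post. Audits every EWS virtual directory in
# the organization for the two settings behind this error, fixes the ones that are off
# (preview unless -Commit), then shows the test to run from Exchange Online. Run the
# audit in the on-premises Exchange Management Shell. The external host name is an input.
param(
    [Parameter(Mandatory)][string]$ExternalHost,   # e.g. mail.careexchange.in
    [switch]$Commit
)

# -ADPropertiesOnly reads the settings from Active Directory instead of contacting
# IIS on each server, so the audit completes even if one server is unreachable.
$ews = Get-WebServicesVirtualDirectory -ADPropertiesOnly
$ews | Select-Object Server, MRSProxyEnabled, BasicAuthentication, WindowsAuthentication, ExternalUrl |
    Format-Table -AutoSize

# The post's fix was both switches on: MRS Proxy so the directory accepts remote move
# requests at all, and Basic authentication, which is what cleared the 403 above.
foreach ($vd in ($ews | Where-Object { -not $_.MRSProxyEnabled -or -not $_.BasicAuthentication })) {
    Set-WebServicesVirtualDirectory -Identity $vd.Identity -MRSProxyEnabled $true `
        -BasicAuthentication $true -WhatIf:(-not $Commit)
}

# Verification belongs in an Exchange Online session, not the on-premises shell: it is
# the same probe the migration endpoint wizard performs against the public EWS URL.
"Now run from Exchange Online:"
"Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $ExternalHost -Credentials (Get-Credential)"
```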


The post The HTTP request was forbidden with client authentication scheme ‘Negotiate’ appeared first on CareExchange.in.


An IIS directory Couldn’t be created . The Error Message is Access is denied


If you have two Exchange servers and try to retrieve a virtual directory from the other server, you may get the error below:

An IIS directory entry couldn’t be created. The server message is: Access is denied.

HResult -2147024891 (IISGeneralCOMException)

Symptoms –

  • OAB (Offline Address Book) may not download properly to users.
  • Outlook credential prompts.

Solution –

Add the missing groups to the local Administrators group on the problematic Exchange server:

  • Exchange Trusted Subsystem
  • Organization Management

The post An IIS directory Couldn’t be created . The Error Message is Access is denied appeared first on CareExchange.in.

Exchange Datacenter Switchover


I had to do an Exchange datacenter switchover on a 3-node DAG: two nodes in the primary site and one in the secondary site.

The primary datacenter needed maintenance and both primary nodes had to go offline, so we had to do a datacenter switchover before the primary datacenter maintenance. The procedure is simple if you plan it properly. Let’s see the aspects we checked before the maintenance of the primary datacenter.

  • Made outbound mail flow go via the secondary site.
  • Made MX records / inbound mail flow come via the secondary site.
  • Public DNS records changed to the secondary site.

We made sure DAC mode is enabled with the value DagOnly. It avoids split-brain syndrome across these nodes.

Get-DatabaseAvailabilityGroup -Identity DAGNAME | Fl Name,DatacenterActivationMode

To enable DAC, you can set it with

Set-DatabaseAvailabilityGroup -Identity DAGNAME -DatacenterActivationMode DagOnly

Make sure the witness server and alternate witness server are specified.

Make sure no activation block is set on any mailbox server.

To check

Get-MailboxServer | fl name,DatabaseCopy*

All activation blocks have been removed with

Get-MailboxServer | Set-MailboxServer -DatabaseCopyAutoActivationPolicy "Unrestricted"

Check where the quorum is and move it to the secondary site

Get-ClusterGroup "Cluster Group"

It’s showing my primary site server.

So we moved it to the secondary site

Get-ClusterGroup "Cluster Group" | Move-ClusterGroup -Node SECONDARYSERVERNAME -Verbose

Moved all the active databases to the secondary server

Get-MailboxDatabase | Move-ActiveMailboxDatabase -ActivateOnServer SECONDARYSERVERNAME

Now

Stop-DatabaseAvailabilityGroup -Identity DAGNAME -ActiveDirectorySite "Default-First-Site-Name"

To check your site name

nltest /dsgetsite

To check on completion

Get-DatabaseAvailabilityGroup -Status

Stopped DAG nodes will be removed from the operational servers list.

Now go to your secondary site server and run

Stop-Service clussvc

Ran below on the secondary site

Restore-DatabaseAvailabilityGroup DAGNAME -ActiveDirectorySite "SECONDARYSITENAME"

Now the alternate witness became active and it formed a single-node cluster without the primary site servers, and the databases stayed active on the secondary site as we moved them earlier.

Opening Failover Cluster Manager to verify the same.

Now the primary servers can be safely turned off.

Once the maintenance is over in the primary datacenter, run below

Start-DatabaseAvailabilityGroup DAGNAME -ActiveDirectorySite "Default-First-Site-Name"

Failover cluster is back to normal.

If you see the witness is not changing back to normal, you can run

Set-DatabaseAvailabilityGroup DAGNAME

Note:

Odd number of nodes – no witness server; works on node majority.

Even number of nodes – works with a witness server acting as a node.

Make sure the quorum is moved back to the primary site

Get-ClusterGroup "Cluster Group"
Get-ClusterGroup "Cluster Group" | Move-ClusterGroup -Node PRIMARYSERVERNAME -Verbose

Now make sure all copies are healthy, or you can update them with

Update-MailboxDatabaseCopy "Databasename\server" -DeleteExistingFiles

Make sure mail flow and public DNS changes are moved back to the primary site.

The datacenter switchover process has been successfully completed.
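The checks this procedure makes by hand before the switchover, gathered into one read-only pre-flight as an added PowerShell example (not from the original post): DAC mode, witness and alternate witness, activation policy on every member, the owner of the cluster core group, and the health of every database copy, printed as a go/no-go list. It assumes the Exchange Management Shell on a DAG member; the DAG name is an input.

```powershell
# Added example, not from the original post. A read-only pre-flight for the switchover
# above: DAC mode, witness and alternate witness, activation policy on every member,
# who owns the cluster core group, and the health of every database copy, printed
# as a go/no-go list. Run in the Exchange Management Shell on a DAG member
# (Get-ClusterGroup comes from the FailoverClusters module installed with the DAG).
param([Parameter(Mandatory)][string]$DagName)

Import-Module FailoverClusters -ErrorAction SilentlyContinue

$checks = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# DAG-level settings the post verifies by hand
$dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
Add-Check 'DAC mode is DagOnly' ($dag.DatacenterActivationMode -eq 'DagOnly') "$($dag.DatacenterActivationMode)"
Add-Check 'Witness server set' ([bool]$dag.WitnessServer) "$($dag.WitnessServer)"
Add-Check 'Alternate witness server set' ([bool]$dag.AlternateWitnessServer) "$($dag.AlternateWitnessServer)"
Add-Check 'Witness share in use' ($dag.WitnessShareInUse -in 'Primary', 'Alternate') "$($dag.WitnessShareInUse)"

# Activation policy: anything but Unrestricted blocks databases from becoming active there
foreach ($member in $dag.Servers) {
    $ms = Get-MailboxServer -Identity $member.Name
    Add-Check "Activation policy on $($member.Name)" ($ms.DatabaseCopyAutoActivationPolicy -eq 'Unrestricted') "$($ms.DatabaseCopyAutoActivationPolicy)"
}

# Cluster core group: the object that Move-ClusterGroup "Cluster Group" relocates
$core = Get-ClusterGroup -Name 'Cluster Group' -ErrorAction SilentlyContinue
Add-Check 'Cluster core group online' ($core -and $core.State -eq 'Online') "owner: $($core.OwnerNode)"

# Database copies: every copy must be Mounted/Healthy with empty queues before a
# whole site can be taken away
foreach ($copy in (Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus)) {
    $ok = ($copy.Status -in 'Mounted', 'Healthy') -and
          $copy.CopyQueueLength -eq 0 -and $copy.ReplayQueueLength -eq 0
    Add-Check "Copy $($copy.Name)" $ok "$($copy.Status), copy queue $($copy.CopyQueueLength), replay queue $($copy.ReplayQueueLength)"
}

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -eq 0) { 'GO: all checks passed' } else { "NO-GO: $($failed.Count) check(s) failed" }
```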

The post Exchange Datacenter Switchover appeared first on CareExchange.in.

iPhone keep sending plain text emails


iPhone keeps sending plain text emails, losing my HTML email signature, which is applied by server-side email signature software. There is a quick fix for it.

Make your signature bold. Then it will start generating an HTML email by default when you send.

Settings – Mail

Signature –

Make the signature bold –

The post iPhone keep sending plain text emails appeared first on azure365pro.com.

Installation can’t proceed until all Exchange 2003 Servers are removed


Had to extend the schema before installing Exchange 2016 in an Exchange 2010 environment. Eventually there was an error stating the Exchange schema extension can’t proceed until Exchange 2003 servers are removed. While browsing the server objects in adsiedit.msc, the old Exchange 2003 object still existed in the environment, as it wasn’t uninstalled properly. Let’s see how to remove it safely using adsiedit, as the Exchange 2003 servers were already removed from the environment.

Note: Before doing anything using adsiedit.msc, please take a full system state backup of Active Directory.

.\setup /PrepareSchema /IAcceptExchangeServerLicenseTerms

Microsoft Exchange Server 2016 Cumulative Update 9 Unattended Setup

Copying Files…
File copy complete. Setup will now collect additional information needed for installation.
Performing Microsoft Exchange Server Prerequisite Check

Prerequisite Analysis                                                                             100%

Cannot find the Recipient Update Service responsible for domain ‘DC=azure365pro,DC=com’. New and existing users may not be
properly Exchange-enabled.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.RusMissing.aspx

One or more servers in the existing organization are running Exchange 2000 Server or Exchange Server 2003. Installation
can’t proceed until all Exchange 2000 or Exchange 2003 servers are removed.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.Exchange2000or2003PresentInOrg.aspx
The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the
<SystemDrive>:\ExchangeSetupLogs folder.

Solution –

In my case the Public Folder Hierarchies were not moved to Exchange 2010.

Logged in to adsiedit.msc – Configuration partition – (paths written top-down, as you browse them)

CN=Services,CN=Microsoft Exchange,CN=<ORGANIZATION>,CN=Administrative Groups,CN=first administrative group,CN=Folder Hierarchies,CN=Public Folders

CN=Services,CN=Microsoft Exchange,CN=<ORGANIZATION>,CN=Administrative Groups,CN=first administrative group,CN=Servers,CN=<Exchange 2003 server object name>
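Before touching adsiedit.msc it helps to list exactly what is still under the legacy administrative group, so here is an added PowerShell example (not from the original post) that enumerates the Exchange 2003 server objects and the public folder hierarchy in the configuration partition. It is read-only, so it is safe to run before and after the clean-up; it assumes an account that can read the configuration partition, and the legacy group name defaults to the one used in the post.

```powershell
# Added example, not from the original post. Before touching adsiedit.msc, list what is
# still under the legacy administrative group in the configuration partition: the
# Exchange 2003 server objects and the public folder hierarchy that trip the setup
# readiness check. Read-only, so it is safe to run before and after the clean-up.
# Needs only an account that can read the configuration partition.
param([string]$LegacyGroupName = 'First Administrative Group')   # assumed default

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value

# Find the Exchange organization container (one per forest) under CN=Services.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
$searcher.Filter = '(objectClass=msExchOrganizationContainer)'
$org = $searcher.FindOne()
if (-not $org) { throw "No Exchange organization found under CN=Microsoft Exchange,CN=Services,$configNc" }
$orgDn = $org.Properties['distinguishedname'][0]

$legacyDn = "CN=$LegacyGroupName,CN=Administrative Groups,$orgDn"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$legacyDn")) {
    "Nothing to do: $legacyDn does not exist."
    return
}

# Everything the post ends up moving or deleting lives in this subtree:
# server objects (msExchExchangeServer), the Servers container, the Folder Hierarchies
# container (msExchPublicFolderTreeContainer) and the public folder tree (msExchPFTree).
$searcher.SearchRoot = [ADSI]"LDAP://$legacyDn"
$searcher.SearchScope = 'Subtree'
$searcher.Filter = '(|(objectClass=msExchExchangeServer)(objectClass=msExchServersContainer)' +
                   '(objectClass=msExchPublicFolderTreeContainer)(objectClass=msExchPFTree))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'objectClass', 'serialNumber', 'whenChanged'))

$leftovers = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Class   = @($r.Properties['objectclass'])[-1]          # most specific class is last
        Version = @($r.Properties['serialnumber']) -join ' '   # e.g. "Version 6.5 (Build ...)" on 2003 servers
        Changed = @($r.Properties['whenchanged'])[0]
        DN      = $r.Properties['distinguishedname'][0]
    }
}
if ($leftovers) { $leftovers | Sort-Object DN | Format-Table -AutoSize }
else { "$legacyDn exists but contains none of the legacy server or public folder objects." }
```

Run it again after the moves and deletions below; the Servers container and the legacy Folder Hierarchies should no longer appear, while the public folder tree shows up under the Exchange Administrative Group instead.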


Now created a Folder Hierarchies container below Exchange Administrative Group (right-click on Exchange Administrative Group):

Create Object – msExchPublicFolderTreeContainer – enter Folder Hierarchies

Now Right click on CN=Public Folders . Select Move. And move to E


Now move CN=Public Folders to the Folder Hierarchies container below Exchange Administrative Group.

Then delete the Folder Hierarchies container below First Administrative Group (which should be empty now).

Remove the Exchange 2003 server object below the Servers container, and remove the empty Servers container.

Now extend the schema. The Exchange Server 2016 schema extension will complete successfully.

The post Installation can’t proceed until all Exchange 2003 Servers are removed appeared first on azure365pro.com.

Configure f5 LTM with Exchange Server 2016


Had to deploy Exchange Server 2016 with F5 Local Traffic Manager (LTM) and F5 Application Security Manager (ASM). Let’s see how to configure it.

Points to consider –

  • F5 Local Traffic Manager (LTM) should be the gateway for the Exchange servers. (Highly recommended to reduce complexity and retain the SMTP source IP.)

To load balance SMTP traffic and retain the source IP in the Exchange logs, you need to disable SNAT/Auto Map, so make sure the F5 is your gateway when you deploy Exchange with F5. I have stretched my Exchange server VLAN, added it as a Self IP in the F5, and that self IP is the gateway for the Exchange servers in the same VLAN.

As a first step, your F5 should act as a router. Create a forwarding virtual server and set source address translation (SNAT/Auto Map) to none. Now all Exchange server outbound traffic goes out to the gateway, but the gateway won’t yet know the route back to the Exchange servers.

  • Create a Forwarding (IP) virtual server
  • Source address 0.0.0.0/0
  • Destination address 0.0.0.0/0
  • Service port: all ports
  • State: Enabled

  • Choose All Protocols so that ICMP will work
  • Choose the protocol profile (client) fastL4
  • Enable on the Exchange server VLAN only
  • Source address translation set to none

Now the Exchange servers’ gateway is the F5 on the same VLAN, and the VLAN forwards all traffic from the F5 to its default gateway.

Now, whatever your default gateway is, Cisco router or firewall, create a static route to route the traffic back to the F5 floating IP. This makes sure all traffic from the Exchange servers goes out via the F5 and comes back via the F5.

Get SSL ready on the Exchange servers – Configuring 3rd Party SSL Exchange Certificate in Exchange 2016

We need to export the certificate as .pfx, or use MMC to export the cert as .pfx with the private key.

Configuring SSL Profiles in F5 –

  • Import the Exchange certificate (.pfx with private key) to the F5 device

System – File Management – SSL Certificate List –

  • Import Type – PKCS 12 (IIS)
  • Create New – Exch_Cert
  • Choose File – choose the .pfx file
  • Enter the password
  • Key Security – Normal

Choose Import.

Also import the root chain; get it from your certificate authority. In my case it's DigiCert.

Creating the Client SSL Profile.


Choose the SSL Client Profile Name

Choose Parent Profile

Choose Custom

Add the Certificate you imported.


  • Choose Certificate
  • Choose Certificate for key ( As we imported with private key)
  • Choose Chain
  • Leave the passphrase empty
  • OCSP Stapling – none
  • Click add


  • Choose Finished. Now the client SSL profile is ready.

Create the Server SSL profile, repeating the same process and choosing the same cert.

Now you have a client SSL and a server SSL profile.

  • Now we are on the same VLAN
  • Have the SSL profiles ready.

Let's go to the iApp templates.

We need iApp templates to configure the internal LTM. Using your F5 account, log in to https://downloads.f5.com and download the iApp templates.

Download the iApps .zip and extract it.

C:\iapps-1.0.0.500.0\Microsoft\Exchange_2016\f5.microsoft_exchange_2016.v1.0.2.tmpl


Login to F5 Local Traffic Manager (LTM)

iApps – Templates – Templates + – Choose Import


Choose the f5.microsoft_exchange_2016.v1.0.2.tmpl and Click on Upload


Click on Application Services – Create


Choose Name and Template

  • Exchange-2016_.
  • f5.microsoft_exchange_2016.v1.0.2


Choose – Yes , Show all inline help


Choose – Local BIG-IP load balances and optimizes traffic

  • Choose incoming traffic as Encrypted
  • Choose Re-encrypt (SSL Bridging). You have to choose this, as Exchange can't run on plain HTTP
  • Choose the Client SSL profile you created
  • Choose the Server SSL profile you created
  • Choose Optimize Connections for WAN clients (as the majority of my users connect via WAN)
  • Choose Same Subnet for BIG-IP virtual servers and mailbox servers (in most network designs you can stretch the VLAN and use it on the F5; it makes for a clean design)


  • Choose the maximum number of concurrent users: fewer than 6000. 64,000 concurrent connections is more than sufficient for a 3000+ mailbox environment in this specific case.
  • Choose Use a single IP address for all connections
  • Choose All services will be handled by the same set of mailbox servers (in my case, 4 nodes with the same configuration in parallel)


  • Choose Server pool settings – Use settings recommended by F5
  • Choose the virtual IP that will be used
  • Choose Yes for deploying ECP (disable admin ECP at the server level if required)
  • Choose Deploy EWS and OAB (most common)
  • Choose MAPI over HTTP and RPC over HTTP (only Exchange 2016 mailboxes use MAPI over HTTP by default)


  • Choose Yes for ActiveSync
  • Yes for Autodiscover
  • Choose Yes if IMAP and POP3 need to be enabled
  • Enter the mailbox server IPs


Choose the FQDN for OWA/MAPI/Outlook Anywhere/EWS/ActiveSync/Autodiscover.

Choose Finish. Now the iApp for Exchange HTTPS traffic is configured.

Now let's see how to retain the source IP for HTTP/HTTPS traffic. Source address translation is enabled by default on the HTTPS pool configured by the template. I want to keep the design and configuration minimal, so that when you import, replace or upgrade templates, not much additional configuration is needed. Also note that X-Forwarded-For is enabled by default on the HTTP profile, which will remain untouched.

Now open IIS Manager on the Exchange server and choose Logging.


Select Fields


  • Field Name – Source-IP
  • Source Type – Request Header
  • Source – X-FORWARDED-FOR


Add the custom field.

Do an IIS reset (iisreset).

Check the latest log in C:\inetpub\logs\LogFiles\W3SVC1. You will see the real client source IP in the Source-IP column rather than the F5 floating / non-floating IPs.
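The same custom field can be added from PowerShell instead of IIS Manager, and the resulting log can be checked programmatically. The block below is an added example, not code from the post or from F5: it adds the Source-IP field through the WebAdministration module and parses a W3C log using its own #Fields header, so the custom column is found wherever IIS puts it. The site name, the F5 addresses and the sample log lines are constructed for this example. The header is only meaningful when the sole path to IIS is through the F5; a request that reaches IIS directly can carry any X-Forwarded-For value, which is why the summary also reports whether c-ip is one of the F5 addresses.

```powershell
# Added example (not from the original post or from F5). Adds the Source-IP custom
# log field through the IIS WebAdministration module and parses a W3C log so you can
# compare c-ip (the address the F5 connects from) with the forwarded client address.
# Assumed values: site name 'Default Web Site', the F5 self/floating IPs, and the
# sample log lines below, which are constructed for this example.
Import-Module WebAdministration

function Add-XffLogField {
    param([string]$SiteName = 'Default Web Site')
    $filter  = "system.applicationHost/sites/site[@name='$SiteName']/logFile/customFields"
    $current = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name Collection
    if ($current | Where-Object { $_.logFieldName -eq 'Source-IP' }) { return 'already present' }
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name '.' -Value @{
        logFieldName = 'Source-IP'; sourceName = 'X-FORWARDED-FOR'; sourceType = 'RequestHeader'
    }
    return 'added'   # run iisreset afterwards, as in the post
}

# Parses IIS W3C extended log text using its own #Fields header, so custom field
# positions are not hard-coded.
function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Summarises who really connected. A Source-IP of '-' means no X-Forwarded-For header
# was present, i.e. the request did not come through the F5; a c-ip outside the F5
# address list means something reached IIS directly and its header cannot be trusted.
function Get-ClientIpSummary {
    param([string[]]$Lines, [string[]]$LoadBalancerIPs)
    ConvertFrom-W3CLog $Lines | ForEach-Object {
        $client = $_.'Source-IP'
        if ($client -eq '-') { $client = $_.'c-ip' }
        [pscustomobject]@{
            Uri          = $_.'cs-uri-stem'
            ViaF5        = ($LoadBalancerIPs -contains $_.'c-ip')
            ConnectingIP = $_.'c-ip'
            ClientIP     = $client
        }
    }
}

# Constructed sample: two requests via the F5 self IP 10.10.1.5, one direct hit.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status Source-IP
2018-04-28 10:00:01 10.10.1.21 POST /mapi/emsmdb/ 10.10.1.5 200 172.16.20.33
2018-04-28 10:00:02 10.10.1.21 POST /autodiscover/autodiscover.xml 10.10.1.5 200 203.0.113.7
2018-04-28 10:00:03 10.10.1.21 GET /owa/ 10.10.1.99 200 -
'@ -split "`r?`n"

Get-ClientIpSummary -Lines $sampleLog -LoadBalancerIPs @('10.10.1.5', '10.10.1.6') | Format-Table -AutoSize
# Live use: Get-ClientIpSummary -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex180428.log') -LoadBalancerIPs @('10.10.1.5')
```

On the sample, the third row comes back with ViaF5 false and ClientIP equal to c-ip, which is the pattern to look for when something bypasses the load balancer.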

Let's configure the SMTP load balancing now.

As seen above, choose the SMTP template and import it.


Basic – Use F5's recommended settings

  • Choose BIG-IP virtual server IP and SMTP servers are on the same subnet
  • Choose fewer than 64,000 concurrent connections per user


Choose Encryption – Do nothing (no encrypted SMTP traffic).

Choose the same VIP as HTTPS to simplify the setup.

Choose Create new pool and add the mailbox servers.

Choose the FQDN for SMTP, and choose no authentication required and no message submitted, as Exchange will handle the rest.

Choose the Default Frontend receive connector.

  • Uncheck Anonymous users to stop this connector from receiving internet email. (Recommended)

And create anonymous relay connectors for applications which need to send out to the internet:

Anonymous Application relay connectors in Exchange 2016

And create a dedicated internet connector to receive email from the internet or anti-spam appliances.

Make sure the connector's protocol logging is set to Verbose.
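The relay connector and the verbose logging can be done from the Exchange Management Shell. The block below is an added example, not code from this post or the linked one: it creates an anonymous relay connector restricted to named application addresses (which only works as intended because the F5 no longer SNATs the connections), turns on verbose protocol logging on the frontend connectors, and reports any connector that lets anonymous sessions relay to any recipient. The server name, connector name and application IPs are assumed values.

```powershell
# Added example, not part of the original post or of the F5 guides. It creates an
# anonymous relay connector that is scoped to specific application IPs (which only
# works because the F5 no longer SNATs the connection) and switches the frontend
# connectors to verbose protocol logging. Server name, connector name and the
# application addresses are assumed values for this example.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

function New-ScopedRelayConnector {
    param(
        [string]$Server = 'EX01',
        [string]$Name   = 'Anonymous Application Relay',
        [string[]]$ApplicationIPs = @('10.10.1.50', '10.10.1.51')
    )
    # Same port as the Default Frontend connector; Exchange picks this one for the
    # listed addresses because its RemoteIPRanges is the more specific match.
    $rc = New-ReceiveConnector -Server $Server -Name $Name -TransportRole FrontendTransport `
        -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $ApplicationIPs `
        -PermissionGroups AnonymousUsers -ProtocolLoggingLevel Verbose
    # Relaying to external recipients needs this extended right for anonymous sessions.
    Get-ReceiveConnector $rc.Identity |
        Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' |
        Out-Null
    Get-ReceiveConnector $rc.Identity
}

function Set-FrontendProtocolLogging {
    # Verbose logging on every frontend connector; the logs land under
    # ...\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive.
    Get-ReceiveConnector | Where-Object { $_.TransportRole -eq 'FrontendTransport' } |
        Set-ReceiveConnector -ProtocolLoggingLevel Verbose
}

# Reports every connector that lets anonymous sessions relay to any recipient, and
# whether it is open to every address (0.0.0.0-255.255.255.255) or scoped.
function Get-OpenRelayReport {
    foreach ($rc in Get-ReceiveConnector) {
        $anyRecipient = Get-ADPermission -Identity $rc.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient') }
        if (-not $anyRecipient) { continue }
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
        [pscustomobject]@{
            Connector    = $rc.Identity
            Role         = $rc.TransportRole
            RemoteRanges = ($ranges -join ', ')
            OpenToAll    = ($ranges -contains '0.0.0.0-255.255.255.255')
            Logging      = $rc.ProtocolLoggingLevel
        }
    }
}

New-ScopedRelayConnector
Set-FrontendProtocolLogging
Get-OpenRelayReport | Format-Table -AutoSize
```

A relay connector that shows OpenToAll in the report is the configuration to avoid; with the source IP preserved by the F5, the RemoteIPRanges scope is what actually limits who can relay.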


Check the connector logs in the location below to verify the source IP of the SMTP traffic:

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

Hope it will help many, as I wasted too much time on this; the F5 deployment guides are huge. I will be sharing the F5 ASM configuration in my next blog.


Certificate is invalid and revocation check failure in Exchange Server

When you import a certificate from a certificate authority, Exchange checks the revocation status of the SSL certificate: the server (acting as a client) connects to the CRL distribution point URLs in the certificate and downloads the CA's CRLs, then searches the CRL for the certificate's serial number to make sure it hasn't been revoked.

When the Exchange server has direct internet access, there are no issues. When it's behind a proxy, it may still work if the proxy is picked up through "Automatically detect settings".

Otherwise, because the check runs under the System account, which has its own proxy settings, let's see how to access the System account's proxy settings.


Revocation Check failure


To check your CRL URLs, use Internet Explorer – security lock – View certificates.

Solution –

Download Sysinternals PsExec to check the System account's proxy settings.

Put PsExec.exe in a folder and open a command prompt there.

psexec -i -d -s cmd

Run whoami to make sure you are in the System account (nt authority\system), so that you are editing its proxy settings.

Run inetcpl.cpl to access the System account's proxy settings.


Entered my proxy settings. Click ok.


Reboot the server.

Certificate is valid now.
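To confirm the fix without waiting for the next Exchange certificate check, the following added example (not from the original post) reads the proxy the System account has (the registry hive that inetcpl.cpl edits when launched under psexec -s), extracts the CRL distribution point URLs from the Exchange certificate, and fetches each CRL through that proxy. Run it from a System-account PowerShell (psexec -s powershell) so it mirrors the context Exchange performs the revocation check in. The certificate thumbprint and the proxy value format are assumptions.

```powershell
# Added example (not from the original post). Shows the proxy the System account
# actually has (the hive that inetcpl.cpl edits under psexec -s), extracts the CRL
# distribution point URLs from the Exchange certificate, and fetches each CRL through
# that proxy. The thumbprint argument is an assumption.

function Get-SystemAccountProxy {
    # HKU\S-1-5-18 is the LocalSystem user hive.
    $key = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = [bool]$p.ProxyEnable
        Server  = $p.ProxyServer     # assumed format host:port; per-protocol lists also occur
        Bypass  = $p.ProxyOverride
    }
}

function Get-CrlUrlsFromCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 is the CRL Distribution Points extension; Format() renders it as text with URL= entries.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(http[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlReachability {
    param([string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "certificate $Thumbprint not found in LocalMachine\My" }
    $proxy = Get-SystemAccountProxy
    foreach ($url in Get-CrlUrlsFromCertificate -Certificate $cert) {
        $params = @{ Uri = $url; UseBasicParsing = $true; TimeoutSec = 20 }
        if ($proxy.Enabled -and $proxy.Server) {
            $params.Proxy = "http://$($proxy.Server)"
            $params.ProxyUseDefaultCredentials = $true
        }
        try {
            $r = Invoke-WebRequest @params
            [pscustomobject]@{ Url = $url; ViaProxy = [bool]$params.Proxy; Status = $r.StatusCode; Bytes = $r.RawContentLength }
        } catch {
            [pscustomobject]@{ Url = $url; ViaProxy = [bool]$params.Proxy; Status = 'FAILED'; Bytes = 0; Error = $_.Exception.Message }
        }
    }
}

Get-SystemAccountProxy
Test-CrlReachability -Thumbprint 'THUMBPRINT_OF_EXCHANGE_CERT' | Format-Table -AutoSize
```

A row with Status FAILED while the same URL opens fine in a browser under your own account is the signature of the problem in this post: the System account's proxy, not the CA, is what is unreachable.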


MS Filtering Engine Update process was unsuccessful to download


Log Name:      Application
Source:        Microsoft-Filtering-FIPFS
Event ID:      6027
Level:         Error
Keywords:
User:          NETWORK SERVICE
Computer:      EXCH1.azure365pro.com
Description:
MS Filtering Engine Update process was unsuccessful to download the engine update for UM from Primary Update Path.
Update Path:http://amupdatedl.microsoft.com/server/amupdate
UpdateVersion:
Reason:”There was an error while downloading the universal manifest. Error:Unable to load universal manifest from: http://amupdatedl.microsoft.com/server/amupdate/metadata/UniversalManifest.cab : The operation timed out
(Universal Manifest)”

Solution –

Make sure the proxy is configured.

Load the PowerShell snap-in:

Add-PsSnapin Microsoft.Forefront.Filtering.Management.Powershell

You can check that it's not updating (UpdateAttemptFailed):

Get-EngineUpdateInformation


Get-ProxySettings


Set-ProxySettings -Enabled $true -Server 172.17.17.10 -Port 80


Browse to the scripts folder and run the update script:

C:\Program Files\Microsoft\Exchange Server\V15\Scripts
.\Update-MalwareFilteringServer.ps1 -Identity mbx.azure365pro.com

Now you can see the malware engine is updated.

You can see UpdateAttemptNoUpdate with the LastUpdated date.


You can see a successful event.

Log Name:      Application
Source:        Microsoft-Filtering-FIPFS
Event ID:      6036
Level:         Information
User:          NETWORK SERVICE
Computer:      exch1.azure365pro.com
Description:
MS Filtering Engine Update process has successfully committed and handed off updates for Microsoft
Last Checked:2018-04-28T17:23:07Z
Last Updated:2018-04-28T17:23:17Z
Engine Version:1.1.14800.3
Signature Version:”1.267.523.0″
Update Version:1804280009
Last Definition Update:?2018?-?04?-?28T10:16:10.000Z
Update Path:http://amupdatedl.microsoft.com/server/amupdate
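To verify the fix, and to catch it next time before event 6027 piles up, the following added example (not from the original post) checks that the update path is reachable through the proxy that Set-ProxySettings configured and lists engines whose last successful update is older than a threshold. The 24-hour threshold is an assumption; the manifest URL is the one from the event above.

```powershell
# Added example (not from the original post). After loading the FIP-FS snap-in it
# checks whether the update path is reachable through the proxy that
# Set-ProxySettings configured, and lists engines whose last successful update is
# older than a threshold. The threshold is an assumption.
Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell -ErrorAction SilentlyContinue

function Test-EngineUpdatePath {
    param([string]$ManifestUrl = 'http://amupdatedl.microsoft.com/server/amupdate/metadata/UniversalManifest.cab')
    $proxy  = Get-ProxySettings
    $params = @{ Uri = $ManifestUrl; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 30 }
    if ($proxy.Enabled) { $params.Proxy = "http://$($proxy.Server):$($proxy.Port)" }
    try {
        $r = Invoke-WebRequest @params
        [pscustomobject]@{ Url = $ManifestUrl; ViaProxy = [bool]$proxy.Enabled; Status = $r.StatusCode }
    } catch {
        [pscustomobject]@{ Url = $ManifestUrl; ViaProxy = [bool]$proxy.Enabled; Status = "FAILED: $($_.Exception.Message)" }
    }
}

function Get-StaleFilteringEngines {
    param([int]$MaxAgeHours = 24)
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxAgeHours)
    foreach ($e in Get-EngineUpdateInformation) {
        $lastUpdated = $null
        if ($e.LastUpdated) { $lastUpdated = ([datetime]$e.LastUpdated).ToUniversalTime() }
        # Stale if the last attempt failed, nothing was ever applied, or the last update is too old.
        $stale = ($e.UpdateStatus -eq 'UpdateAttemptFailed') -or (-not $lastUpdated) -or ($lastUpdated -lt $cutoff)
        if ($stale) {
            [pscustomobject]@{
                Engine        = $e.Engine
                Status        = $e.UpdateStatus
                LastUpdated   = $lastUpdated
                EngineVersion = $e.EngineVersion
            }
        }
    }
}

Test-EngineUpdatePath
Get-StaleFilteringEngines | Format-Table -AutoSize
```

An empty result from Get-StaleFilteringEngines together with a 200 from the manifest HEAD request is the healthy state that matches event 6036 above.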

Your device won’t be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server

iOS device: The connection to the server failed.

Get-CASMailbox -Identity MailboxName | fl


Set-CASMailbox MailboxName -ActiveSyncBlockedDeviceIDs $null


Now the device will be allowed to connect to the Exchange server.

Root cause: I suspect an ActiveSync policy pushed from AirWatch (mobile device management solution) was applied incorrectly. Not 100% sure.
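Setting -ActiveSyncBlockedDeviceIDs to $null clears every blocked ID on the mailbox, including any that were set deliberately. The following added example (not from the original post) lists mailboxes that carry a per-user block, shows which layer blocked a given device, and removes a single device ID instead of the whole list. The mailbox name and device ID are assumed values.

```powershell
# Added example (not from the original post). Lists mailboxes that carry a per-user
# ActiveSync block, shows why a given device is blocked (per-user list, organization
# rules, or the default access level), and removes a single device ID instead of
# clearing the whole list with $null, which would also drop blocks set on purpose.
# Mailbox and device identifiers are assumed values.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

function Get-MailboxesWithBlockedDevices {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.ActiveSyncBlockedDeviceIDs.Count -gt 0 } |
        Select-Object Identity, ActiveSyncBlockedDeviceIDs, ActiveSyncAllowedDeviceIDs
}

function Get-DeviceAccessReason {
    param([string]$Mailbox)
    # DeviceAccessStateReason tells which layer produced the state, e.g. Individual
    # (the mailbox's own allow/block lists), DeviceRule or Policy (organization rules),
    # or Global (the organization's default access level).
    Get-MobileDevice -Mailbox $Mailbox |
        Select-Object DeviceId, DeviceModel, DeviceAccessState, DeviceAccessStateReason
}

function Unblock-ActiveSyncDevice {
    param([string]$Mailbox, [string]$DeviceId)
    $cas = Get-CASMailbox -Identity $Mailbox
    if ($cas.ActiveSyncBlockedDeviceIDs -notcontains $DeviceId) {
        Write-Warning "$DeviceId is not in the per-user block list of $Mailbox; check the organization settings instead."
        return
    }
    # Multi-valued property syntax removes just this ID and leaves the rest intact.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{ Remove = $DeviceId }
    (Get-CASMailbox -Identity $Mailbox).ActiveSyncBlockedDeviceIDs
}

Get-MailboxesWithBlockedDevices | Format-Table -AutoSize
Get-DeviceAccessReason -Mailbox 'MailboxName'
Unblock-ActiveSyncDevice -Mailbox 'MailboxName' -DeviceId 'ApplDLXH0000EXAMPLE'   # constructed device ID
(Get-ActiveSyncOrganizationSettings).DefaultAccessLevel   # Allow/Block/Quarantine for devices no rule matches
```

If Get-DeviceAccessReason reports anything other than Individual, the block did not come from the mailbox's own list and clearing ActiveSyncBlockedDeviceIDs would not have fixed it; look at the device access rules or the MDM integration instead.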


Automate Changing UPN equals Email with a simple script

For Autodiscover to work properly on-premises and in Exchange Online, the email address and the User Principal Name need to match. An IT admin cannot keep checking this; it's tiring to do manually.

It's better to run it from Task Scheduler so that it keeps the UPN and email the same for the ones which don't match.

Supported on Exchange 2013 or above | On-Premises or Exchange Hybrid Server

NOTE: Before running the script, run the commands below to check which mailboxes it will apply to:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.Primarysmtpaddress -ne $_.UserPrincipalname}
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.Primarysmtpaddress -ne $_.UserPrincipalname} | ForEach-Object {Set-Mailbox $_.identity -UserPrincipalName $_.Primarysmtpaddress -whatif}

Download Change_UPN_equals_Email.ps1

Task Scheduler

Create Basic Task

Choose Daily

Set a time

Start a Program

  • Program/script: powershell
  • Add arguments: C:\Scripts\Change_UPN_equals_Email.ps1

Set the task to stop if it runs longer than 4 hours.

# NOTE : Before running the script run below commands to check which are the mailboxes it will apply to
# Get-Mailbox -ResultSize Unlimited | Where-Object {$_.Primarysmtpaddress -ne $_.UserPrincipalname}
# Get-Mailbox -ResultSize Unlimited | Where-Object {$_.Primarysmtpaddress -ne $_.UserPrincipalname} | ForEach-Object {Set-Mailbox $_.identity -UserPrincipalName $_.Primarysmtpaddress -whatif}

# Include Exchange Powershell Module
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Lists all mailboxes
# Checks whether the primary email address and the UPN are the same
# Selects those where they differ
# Sets the UPN to match the primary email address

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.Primarysmtpaddress -ne $_.UserPrincipalname} | ForEach-Object {Set-Mailbox $_.identity -UserPrincipalName $_.Primarysmtpaddress}

# Exit Exchange Powershell Module
Remove-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
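A scheduled task that rewrites UPNs unattended benefits from two checks the plain one-liner does not make: that the new UPN suffix is registered in the forest (an unregistered suffix breaks sign-in and hybrid sync) and that no other account already carries that UPN. The block below is an added example, not the script from this post: it makes those checks, logs one line per mailbox, and previews unless -Apply is passed. The log path and the -Apply switch are assumptions of this example.

```powershell
# Added example (not from the original post). A checked variant of the task: it only
# changes a UPN when the new suffix is registered in the forest and no other account
# already uses that UPN, and it writes a log line per mailbox. Log path and the
# -Apply switch are assumptions of this example; run without -Apply to preview.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-ValidUpnSuffixes {
    $forest = Get-ADForest
    @($forest.RootDomain) + @($forest.Domains) + @($forest.UPNSuffixes) | Select-Object -Unique
}

function Sync-UpnToPrimarySmtp {
    param([switch]$Apply, [string]$LogPath = 'C:\Scripts\Change_UPN_equals_Email.log')
    $suffixes   = Get-ValidUpnSuffixes
    $mismatched = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.PrimarySmtpAddress.ToString() -ne $_.UserPrincipalName }
    foreach ($mbx in $mismatched) {
        $newUpn = $mbx.PrimarySmtpAddress.ToString()
        $suffix = $newUpn.Split('@')[1]
        $result = 'changed'
        if ($suffixes -notcontains $suffix) {
            $result = "skipped: suffix $suffix not registered in the forest"
        } elseif (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
            $result = "skipped: $newUpn already in use by another account"
        } elseif ($Apply) {
            Set-Mailbox -Identity $mbx.Identity -UserPrincipalName $newUpn
        } else {
            $result = 'would change (preview)'
        }
        $entry = '{0:s} {1} {2} -> {3} {4}' -f (Get-Date), $mbx.Identity, $mbx.UserPrincipalName, $newUpn, $result
        Add-Content -Path $LogPath -Value $entry
        $entry
    }
}

Sync-UpnToPrimarySmtp            # preview run
# Sync-UpnToPrimarySmtp -Apply   # what the scheduled task would run
```

For the scheduled task, point the arguments at a script that calls Sync-UpnToPrimarySmtp -Apply; the log then gives you the audit trail of what changed on each daily run.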


Exchange Control Panel Error Access Control entry not resolved

Whenever you log in to the Exchange Control Panel, you get an error on the Delegation tab:

The object user has been corrupted or isn't compatible with Microsoft support requirements and it's in an inconsistent state. The following validation errors happened:

Warning
The object azure365pro.com/user/test has been corrupted or isn’t compatible with Microsoft support requirements, and it’s in an inconsistent state. The following validation errors happened:
The access control entry defines the ObjectType ‘d819615a-3b9b-4738-b47e-f1bd8e000ea4’ that can’t be resolved..
The access control entry defines the ObjectType ‘e2d6986b-2c7f-4cda-9851-d50003fb6706’ that can’t be resolved..


Get-AdPermission "DC=Azure365pro,DC=com"


Take the unresolved ObjectType GUID from the error, place it in the command below and run it:

Get-Acl "AD:\DC=Azure365pro,DC=com" | Select-Object -ExpandProperty Access | Where-Object {$_.ObjectType -eq "e2d6986b-2c7f-4cda-9851-d50003fb6706"}

It points to a null reference, shown only as a SID value. If you see a valid object, act only on that object. In my case it was inherited from the root domain.


Open Active Directory Users and Computers.

Make sure Advanced Features is checked, then right-click the root domain and choose Properties.

Checklist –

  • No connectivity problems between domain controllers
  • Windows shows "Account Unknown" if it can't connect to an Active Directory server
  • If you have multiple domains or trust relationships it might take a few moments, or connectivity problems between the domains may cause accounts to show as unknown
  • Have a good system state backup. Permissions cannot be reverted from a backup unless you use tools like icacls.exe to back them up, and even then they can't be applied back since these objects don't exist.
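Before touching the root ACL, it helps to have a read-only list of exactly which entries are broken and why. The following added example (not from the original post) resolves every ACE's ObjectType and InheritedObjectType GUID against the schema and the Extended-Rights container, and tries to translate every SID-only identity to a name; entries that fail either lookup are the ones ECP complains about. Nothing is removed. It assumes the ActiveDirectory module is installed on the machine you run it from.

```powershell
# Added example (not from the original post). Read-only audit of the domain root
# ACL: it resolves every ACE's ObjectType/InheritedObjectType GUID against the schema
# and extended-rights containers and tries to translate every identity to a name.
# Entries that fail either lookup are exactly the ones ECP complains about; nothing is
# removed here. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-AdRightsGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    # Attribute and class GUIDs live in the schema partition as schemaIDGUID (bytes).
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).Guid] = $_.Name }
    # Extended rights and property sets live under CN=Extended-Rights as rightsGuid (string).
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).Guid] = $_.Name }
    $map
}

function Get-UnresolvedAces {
    param([string]$DistinguishedName = (Get-ADRootDSE).defaultNamingContext)
    $guidMap = Get-AdRightsGuidMap
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $reasons = @()
        # Identity: a SID that no longer translates is what the GUI shows as 'Account Unknown'.
        if ($ace.IdentityReference.Value -like 'S-1-*') {
            try {
                [void]([System.Security.Principal.SecurityIdentifier]$ace.IdentityReference.Value).Translate([System.Security.Principal.NTAccount])
            } catch { $reasons += 'identity unresolved' }
        }
        foreach ($name in 'ObjectType', 'InheritedObjectType') {
            $g = $ace.$name
            if ($g -ne [guid]::Empty -and -not $guidMap.ContainsKey($g.Guid)) { $reasons += "$name $($g.Guid) unknown" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType.Guid
                Inherited  = $ace.IsInherited
                Problems   = ($reasons -join '; ')
            }
        }
    }
}

Get-UnresolvedAces | Format-Table -AutoSize
```

Run it against the root domain first and, if Inherited is false for the flagged rows, that object is where the entries have to be removed; the repeated identity references the post removed would appear here once per ACE, which matches the 5 and 3 occurrences mentioned below.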

Most old SIDs show up because an account was removed but Active Directory could not remove the permission.

Example –

Account Unknown (S-1-5-21-#########-#########-#########-1835)
Account Unknown (S-1-5-21-#########-#########-#########-1835)

Once you have confirmed the above 100%: permissions are the riskiest part of Active Directory, so take extreme care when you touch permissions on the root domain.

Security – Advanced –

Remove the entries listed under Identity Reference. In my case the first identity reference was listed 5 times and the second reference 3 times.

Removed them safely.

Click Apply.

A prompt appears about changing 80 to 90 permissions; clicked Yes.


It resolved the delegation error on the Exchange Control Panel.

Troubleshooting Authentication prompts in Outlook

Authentication prompts in Outlook are one of the worst things to troubleshoot in a messaging environment. But if you are clear about your architecture and the connectivity flow, it becomes much easier to isolate the issue. I have listed the most common scenarios; let's see them one by one.

  • Microsoft Office Patches
  • Understanding Outlook Behaviour and Credential Manager with MAPI over HTTP
  • Proxy Exclusions
  • Hardware Load Balancers
  • Custom Outlook Add-ins
  • Conflicting Outlook Anywhere Settings in Co-existence Environment.
  • Public Folders Co-existence not configured Properly.
  • Additional Mailboxes
  • SSL misconfiguration
  • Customized Virtual directory authentication settings
  • Autodiscover Request failure
  • Offline Address Books
  • Outlook Integration like Instant Messaging
  • Active Directory Replication

Microsoft Office Patches –

I know Microsoft patches are crazy sometimes, but I strongly recommend upgrading Microsoft Office to the latest version, both to stay secure and so that you don't work on an issue which is already fixed. There have been many feature optimizations and protocol enhancements over these months, so before you even start troubleshooting, make sure you have the latest version of Office running. It helps you isolate the issue faster.

Understanding Outlook Behaviour and Credential Manager with MAPI over HTTP –

When we were using RPC over HTTP it wasn't mandatory to store credentials on the local machine. MAPI over HTTP makes it mandatory for users to store the password in Credential Manager once they leave the domain network.

As of today, when a domain-joined machine leaves the domain / corporate / internal network and goes external, Outlook prompts for credentials once, to store them in Credential Manager so that it won't ask again until the password expires. This wasn't the behaviour with RPC over HTTP.

The Connection Status window in Outlook shows whether Outlook is using RPC over HTTP or MAPI over HTTP.

Note: Office 365 / Exchange Server 2016 use MAPI over HTTP by default.

When the user stores the credential, you can see it as

MicrosoftOffice16_Data:SSPI:user@domain.com in the Windows Credential Manager.

If the user checks Remember Password, it shows as Persistence: Enterprise. It means it is not going to ask again until the password expires, even from the external network.

If the user doesn't check Remember Password, it shows as Logon Session. The credentials are stored only for the logon session, so when the user logs off and logs in again, it will prompt again while the user is on the external network.


Seen in the Control Panel Credential Manager – remembering the credentials.

Seen in the Control Panel Credential Manager without remembering the credentials:

MicrosoftOffice16_Data:SSPI:user@domain.com

Persistence: Logon Session

This behaviour is by design when the user is on the external network with Exchange Server 2016.

Proxy Exclusions –

Proxy exclusions play a major role when it comes to credential prompts. Let's look at the most common issue: using a PAC file.

If you're using a PAC file, Outlook may fail with Authn "Error" in Connection Status.


Sample Proxy Settings on Pac File – http://pac.zscloud.net/azure365pro.pac


If you are on-premises, make the PAC file bypass the proxy for Exchange and go direct, so that when clients are in the domain they reach the Exchange server directly.

If you are using Exchange Online, it's preferred to go via the proxy, and you won't set direct settings in the PAC file. Make sure all Office 365 URLs are excluded from the proxy. For example, Zscaler gives a one-click configuration for Office 365.

Hardware Load Balancers –

Bypassing the hardware load balancer matters because if Outlook loses session persistence, the load balancer may hand the request to a different Exchange server every time it connects. So most of the time it could be a configuration issue. We cannot go into the details of those issues, as the scope is wide; to make sure it's not a load balancer issue, make a hosts file entry pointing directly to an Exchange server and see if you experience the same issue. That can answer many things.

I have documented the steps on F5, if you use one: http://www.azure365pro.com/configure-f5-ltm-exchange-server-2016/

Custom Outlook Add-ins –

There are many add-ins for Outlook which may cause credential prompts. Outlook Safe Mode can answer that: Safe Mode disables all add-ins on startup temporarily, so you can test the behaviour of Outlook and isolate the issue.

Conflicting Outlook Anywhere Settings in a Co-existence Environment –

Credential prompts may occur when clients are not able to proxy to the destination server. Outlook Anywhere wasn't mandatory in older environments, but with Exchange Server 2016 it has to be enabled on all Exchange 2010 servers, for example, before you start co-existence. The Outlook Anywhere settings have to match between the legacy servers and the new Exchange servers when you set up co-existence, in order to have smooth client connectivity.

In my case, in my recent migrations, Exchange Server 2010 was set to use NTLM, so I made the same configuration on Exchange 2016 and then the co-existence connectivity was successful.

Once the co-existence period is over, we put the recommended settings back on Exchange Server 2016, having them use Negotiate.

Basic authentication: If you select this authentication type, Outlook will prompt for a username and password while attempting a connection to Exchange.

NTLM authentication: If you select this authentication type, Exchange does not prompt users for a user name and password. The current Windows user information on the client computer is supplied through a cryptographic exchange involving hashing with the web server. If the authentication exchange initially fails to identify the user, the client will prompt the user for a Windows user account name and password. So when Outlook is trying to connect to Exchange from a domain-joined machine, there isn't a need to provide a password.

Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. With Negotiate, Exchange will authenticate the client using NTLM and, if unable to verify authenticity, will challenge the client to authenticate using a username and password.

As explained, when these Outlook Anywhere settings don't match between the legacy servers and the new servers, there are more chances of getting intermittent Outlook prompts.

Public Folders Co-existence not configured Properly –

If you have Exchange 2016 and Exchange 2010 in your environment, Outlook may prompt, or be slow to connect, when it's not able to reach the Exchange 2010 public folders via Exchange 2016.

In our case we decided to remove the default public folder database as we were not planning to migrate it to the new system.

Cleared the msExchHomePublicMDB attribute on the Exchange 2010 database:

Start – Run – adsiedit.msc – Configuration partition

CN=Services -> CN=Microsoft Exchange -> CN=(your organization name) -> CN=Administrative Groups -> CN=Exchange Administrative Group (FYDIBOHF23SPDLT) -> CN=Databases.

Now make sure Outlook is not trying to reach the Exchange 2010 or legacy server public folders; you can always check the Outlook Connection Status for the same.

Or you can set up co-existence: https://technet.microsoft.com/en-us/library/dn690134(v=exchg.150).aspx

Additional Mailboxes –

Make sure Outlook is not configured with additional mailboxes, as sometimes the primary mailbox may be on the new version while the additional mailbox is still on the legacy servers, or vice versa, which may cause prompts. You can always remove them and check.

SSL misconfiguration –

SSL misconfigurations like:

  • Wrong entries on Get-OutlookProvider
  • Unsupported wildcard certs

Customized Virtual directory authentication settings –

There could be changes in the authentication settings. The Exchange 2016 default authentication settings on the virtual directories, taken from a healthy environment, were captured for:

  • MAPI
  • EWS
  • OAB
  • RPC
  • Backend site bindings
  • MAPI (Backend)
  • EWS (Backend)
  • OAB (Backend)
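Comparing these settings by screenshot does not scale across servers. The block below is an added example, not code from the post: it pulls the Outlook Anywhere and virtual directory authentication settings from every server through the Exchange Management Shell and groups them, so a server that deviates from the others stands out (the mismatch condition from the co-existence section above), and it lists the Outlook providers, since wrong Get-OutlookProvider entries are named as a cause. It changes nothing.

```powershell
# Added example (not from the original post). Pulls the Outlook Anywhere and virtual
# directory authentication settings from every server and groups them, so a server
# that deviates from the others stands out; it also lists the Outlook providers.
# Nothing is changed.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

function Get-OutlookAnywhereConsistency {
    $oa = Get-OutlookAnywhere -ADPropertiesOnly | ForEach-Object {
        [pscustomobject]@{
            Server   = $_.Server.Name
            Settings = ('{0}|{1}|{2}|{3}|{4}' -f $_.ExternalHostname, $_.InternalHostname,
                         $_.ExternalClientAuthenticationMethod, $_.InternalClientAuthenticationMethod,
                         (($_.IISAuthenticationMethods | Sort-Object) -join ','))
        }
    }
    $variants = @($oa | Group-Object Settings)
    foreach ($v in $variants) {
        [pscustomobject]@{
            Servers    = ($v.Group.Server -join ', ')
            Settings   = $v.Name
            Consistent = ($variants.Count -eq 1)   # one variant across all servers is what co-existence needs
        }
    }
}

function Get-VirtualDirectoryAuthReport {
    $collectors = @(
        @{ Type = 'MAPI';         Get = { Get-MapiVirtualDirectory -ADPropertiesOnly } },
        @{ Type = 'EWS';          Get = { Get-WebServicesVirtualDirectory -ADPropertiesOnly } },
        @{ Type = 'OAB';          Get = { Get-OabVirtualDirectory -ADPropertiesOnly } },
        @{ Type = 'Autodiscover'; Get = { Get-AutodiscoverVirtualDirectory -ADPropertiesOnly } }
    )
    foreach ($c in $collectors) {
        $rows = & $c.Get | ForEach-Object {
            # Not every directory type exposes all three properties, so only read the ones present.
            $auth = foreach ($p in 'InternalAuthenticationMethods', 'ExternalAuthenticationMethods', 'IISAuthenticationMethods') {
                if ($_.PSObject.Properties[$p]) { '{0}={1}' -f $p, (($_.$p | Sort-Object) -join ',') }
            }
            [pscustomobject]@{ Type = $c.Type; Server = $_.Server.Name; Name = $_.Name; Auth = ($auth -join '; ') }
        }
        # Flag servers whose authentication set differs from the majority for this directory type.
        $majority = ($rows | Group-Object Auth | Sort-Object Count -Descending | Select-Object -First 1).Name
        $rows | ForEach-Object { $_ | Add-Member -NotePropertyName Deviates -NotePropertyValue ($_.Auth -ne $majority) -PassThru }
    }
}

Get-OutlookAnywhereConsistency | Format-List
Get-VirtualDirectoryAuthReport | Sort-Object Type, Server | Format-Table Type, Server, Deviates, Auth -AutoSize
Get-OutlookProvider | Format-Table Name, Server, CertPrincipalName, TTL -AutoSize
```

A Deviates value of true, or more than one Settings variant in the Outlook Anywhere output, points at the server to compare against the defaults captured above before changing anything.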

Autodiscover Request failure –

Hold the Ctrl key and right-click the Outlook icon in the task bar, choose Test E-mail AutoConfiguration and run Autodiscover. Verify it returns the right URLs in a timely manner.

Offline Address Books –

Make sure the Offline Address Book is assigned properly on the databases.

Make sure Outlook can download the Offline Address Book properly from the client side.

Instant Messaging Integration –

This prompt is one of the finest examples, where Cisco Jabber tries to request data from Outlook before Outlook connects to the Exchange server. You can isolate the issue by simply removing such products from startup.

Happy Authentication Prompts.

Message submission rate for this client has exceeded


421 4.4.2 Message submission rate for this client has exceeded the configured limit.

In my case an application was using port 25 through a custom connector on load-balanced Exchange 2016 servers, and the message rate limit was set to unlimited.

Get-ReceiveConnector SERVERNAME\* | FT Name,bindings,MessageRateLimit


Also verified that the rate limit on the load balancer is set to unlimited. Let's see how to check the same in F5.

Application Services – Applications – smtp

Connection limit is set to Unlimited.

Solution –

Later I realized it's the Client Proxy connector causing the bottleneck. Increased the message rate limit from the default of 5 to 30.

NOTE: The commands below set the rate limit for all Exchange servers in the environment. Use SERVERNAME\ for a specific server.

Get-ReceiveConnector "*\Client Proxy*" | FT Name,*RateLimit*
Get-ReceiveConnector "*\Client Proxy*" | Set-ReceiveConnector -MessageRateLimit 30
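The SMTP receive protocol logs show both which connector is issuing the 421 4.4.2 responses and which remote addresses are hitting it, which is how to confirm the diagnosis above before raising a limit. The block below is an added example, not code from this post or the F5 post on this site; one parser serves two checks from those posts: that the remote endpoints in the frontend logs are the real client addresses rather than the F5's (after SNAT was disabled), and which connector is rate-limiting whom. The log lines are constructed for the example; live logs sit under the FrontEnd\ProtocolLog\SmtpReceive path given in the F5 post and, assumed here, under ...\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive for the Client Proxy connectors.

```powershell
# Added example (not from the original post). One parser for the Exchange SMTP
# receive protocol logs, used for two checks: that remote endpoints are the real
# client addresses rather than the load balancer's, and which connector issues
# '421 4.4.2' rate-limit responses and to whom. The log lines below are constructed
# for the example. Live logs: ...\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
# (frontend) and, assumed here, ...\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive
# (Client Proxy connectors).

function ConvertFrom-SmtpProtocolLog {
    param([string[]]$Lines)
    $fields = $null
    $data = foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ','; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $line
    }
    # The header names the columns; the data column may be quoted and contain commas.
    $data | ConvertFrom-Csv -Header $fields | ForEach-Object {
        $_ | Add-Member -NotePropertyName RemoteIP -NotePropertyValue ($_.'remote-endpoint' -replace ':\d+$', '') -PassThru
    }
}

# Connections per connector and remote address ('+' is the connect event).
function Get-SmtpConnectionSources {
    param([string[]]$Lines)
    ConvertFrom-SmtpProtocolLog $Lines | Where-Object { $_.event -eq '+' } |
        Group-Object 'connector-id', RemoteIP |
        ForEach-Object { [pscustomobject]@{ Connector = $_.Group[0].'connector-id'; RemoteIP = $_.Group[0].RemoteIP; Connections = $_.Count } }
}

# Rate-limit rejections, which the server sends ('>' event) with a 421 4.4.2 status.
function Get-SmtpRateLimitRejections {
    param([string[]]$Lines)
    ConvertFrom-SmtpProtocolLog $Lines | Where-Object { $_.event -eq '>' -and $_.data -like '421 4.4.2*' } |
        Group-Object 'connector-id', RemoteIP |
        ForEach-Object { [pscustomobject]@{ Connector = $_.Group[0].'connector-id'; RemoteIP = $_.Group[0].RemoteIP; Rejections = $_.Count } }
}

# Constructed sample: two application hosts connecting to the frontend with their real
# addresses, and the proxied sessions from the frontend being rate-limited by Client Proxy.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2018-04-28T10:00:01.120Z,EX01\Default Frontend EX01,08D5AD0A1B2C3D4E,0,10.10.1.21:25,10.10.1.50:51234,+,,
2018-04-28T10:00:01.125Z,EX01\Default Frontend EX01,08D5AD0A1B2C3D4E,1,10.10.1.21:25,10.10.1.50:51234,>,"220 EX01.azure365pro.com Microsoft ESMTP MAIL Service ready",
2018-04-28T10:00:01.900Z,EX01\Default Frontend EX01,08D5AD0A1B2C3D4F,0,10.10.1.21:25,10.10.1.51:51240,+,,
2018-04-28T10:00:02.300Z,EX01\Client Proxy EX01,08D5AD0A1B2C3D50,0,10.10.1.21:465,10.10.1.22:40001,+,,
2018-04-28T10:00:02.310Z,EX01\Client Proxy EX01,08D5AD0A1B2C3D50,5,10.10.1.21:465,10.10.1.22:40001,>,421 4.4.2 Message submission rate for this client has exceeded the configured limit,
2018-04-28T10:00:03.000Z,EX01\Client Proxy EX01,08D5AD0A1B2C3D51,5,10.10.1.21:465,10.10.1.22:40002,>,421 4.4.2 Message submission rate for this client has exceeded the configured limit,
'@ -split "`r?`n"

Get-SmtpConnectionSources $sampleLog | Format-Table -AutoSize
Get-SmtpRateLimitRejections $sampleLog | Format-Table -AutoSize
# Live use: pass (Get-Content -Path '<SmtpReceive folder>\*.LOG') in place of $sampleLog.
```

On the sample the rejections are all on the Client Proxy connector and all from one remote address, the frontend server: every proxied client shares that one source, which is why the default limit of 5 became the bottleneck and why the fix belongs on the Client Proxy connector rather than on the frontend connector the application talks to.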
