Sunday, November 28, 2010

#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ## when recreating an email account

A week ago, one of our customers had a corrupt email account. They are now using MS Exchange 2010, having migrated to this solution a couple of months ago from MS Exchange 2003.

To fix the corrupted mailbox issue, we recommended that they export the valid emails, delete the corrupted account, recreate it and import all the saved emails. Everything worked as expected, but soon some of their employees started to receive non-delivery reports when trying to communicate with that person.

The reports look like:

The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:

Generating server:

#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

This is an issue that I’ve seen before. The obvious reason for this is that the Outlook client caches email recipients, and when you try to send an email to such a recipient, the email client uses the cached LegacyExchangeDN instead of the one from the organization GAL.
Since it was a migrated account from Exchange 2003 to Exchange 2010, the old LegacyExchangeDN attribute was different from the one generated for the new account.
The new one looks like: /o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=username and the old one looks like: /o=Contoso/ou=first administrative group/cn=recipients/cn=username

A friend of mine (Brad Simionescu), who works for that client, came up with an interesting idea:
- Remove the old disconnected mailbox
- Force the domain replication
- Using ADSI editor, replace the new LegacyExchangeDN with the old one
- Force the domain replication again
- Rebuild the Exchange address books

If somebody already downloaded the address book with the new LegacyExchangeDN, you have to follow article to delete the new cached info and to download again the address book.

Saturday, October 30, 2010

Configuring Office Communication Server 2007 R2 integration with Exchange Server 2010 SP1

A new feature in Outlook Web App (OWA) is the possibility to integrate it with Office Communication Server 2007 R2 and to be able to use OWA as a client for OCS with IM, contact list and presence.

To configure the integration you have to do the following steps:

1. Download the Microsoft Office Communications Server 2007 R2 Web Service Provider
2. Run the CWAOWASSPMain.msi file and select a location to install the files

3. From the location selected at the previous point run (in this order):

  • Visual C++ Redistributable (vcredist_x64.exe)
  • Unified Communications Managed API (ucmaredist.msi)
  • OCS Service Provider (cwaowassp.msi) – it has to be run from a command prompt with elevated rights
4. Find out which certificate is used for OWA by running the Get-ExchangeCertificate cmdlet on the CAS server(s). The one that has W in the Services column is the one that you need.

Thumbprint Services Subject
---------- -------- -------
AB8A56B7676E463A5C823C498FF480C4E83DF0D1 ..U... CN=*, OU=IT, O=IT, L=Bucharest, S=Bucharest, C=RO
0BD7302E7B6015E4F849675B34EB037BBB715FE3 ....S. CN=exch2010
EF5E22DA6B07DD0FE732585E292EAF67BD0AD802 ...... CN=WMSvc-EXCH2010
54E2F64780F295685694FA5CA525D5193FFDAF02 IP.WS., OU=Information Technology, O=PRAS Consulting S...

5. On the CAS server run: Get-OwaVirtualDirectory | fl InstantMessage* to get the current OCS integration settings. You should get a result like:

InstantMessagingCertificateThumbprint :
InstantMessagingServerName :
InstantMessagingEnabled : False
InstantMessagingType : None

6. Run the following cmdlets on the CAS server (ocspoolname is the pool name from your OCS installation, thumbprint is the one obtained at step 5)

  • Set-OwaVirtualDirectory "owa (default web site)" -InstantMessagingServerName ocspoolname
  • Set-OwaVirtualDirectory "owa (default web site)" -InstantMessagingCertificateThumbprint thumbprint
  • Set-OwaVirtualDirectory "owa (default web site)" -InstantMessagingEnabled $True
  • Set-OwaVirtualDirectory "owa (default web site)" -InstantMessagingType OCS

7. Reset IIS server by running on command prompt: iisreset /noforce

8. On the OCS server, add Exchange CAS name(s) to the Host Authorization tab.

  • While logged in as an OCS administrator, start the OCS Management Console
  • Navigate to the OCS 2007 R2 Pool. Right-click the OCS Pool name and select Properties, then select Front End Properties
  • Click on the Host Authorization tab, then click the Add button.
  • In the Add Authorized host window, select the FQDN radio button and type the name of the CAS
  • Select (checkbox) the following options: Treat as Authenticated and Throttle as Server.
  • Click OK to save the configuration changes.
  • To allow changes to take effect immediately, stop and restart the OCS front-end services; note that doing so will disconnect any active users.

That should do it. When you open a new OWA client you should be able to see the presence info and your contact list, and to IM your contacts.
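
Added example (not part of the original post): steps 4 to 6 scripted for the Exchange Management Shell on the CAS, with checks that the certificate carrying the IIS ("W") service is unique, unexpired and has a private key before OWA is pointed at it. The pool name is a placeholder and the variable names are assumptions.

```powershell
# Placeholder: replace with the pool name from your OCS installation.
$ocsPool = 'ocspool.example.local'
$owaVdir = 'owa (Default Web Site)'

# Step 4: certificates whose Services value includes IIS (the "W" flag in the table view).
$iisCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match '\bIIS\b' })

if ($iisCerts.Count -ne 1) {
    throw "Expected exactly one certificate enabled for IIS, found $($iisCerts.Count). Choose the thumbprint by hand."
}
$cert = $iisCerts[0]

# Do not wire OCS to a certificate that is expired or has no private key on this server.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this server."
}

# Step 5: show the current values so they can be restored later.
Get-OwaVirtualDirectory -Identity $owaVdir | Format-List InstantMessaging*

# Step 6: apply the four settings in a single call.
Set-OwaVirtualDirectory -Identity $owaVdir `
    -InstantMessagingServerName $ocsPool `
    -InstantMessagingCertificateThumbprint $cert.Thumbprint `
    -InstantMessagingEnabled $true `
    -InstantMessagingType Ocs

# Confirm the result before running iisreset /noforce (step 7).
Get-OwaVirtualDirectory -Identity $owaVdir | Format-List InstantMessaging*
```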

Wednesday, October 20, 2010

Exchange Unified Messaging notifications are not received by the users

These days we reconfigured our OCS 2007 R2 installation to make a demo for a possible customer. All worked well until we tried to connect the OCS with the Exchange 2007 UM.

We could place calls to the voice mailing system but no voice mail was received in the recipient’s mailbox.
The notifications for missed calls were not working either.
Searching through the Application log on our Exchange 2010 server, I found the following event log.

Log Name: Application
Source: MSExchange Unified Messaging
Date: 10/26/2010 3:45:53 PM
Event ID: 1423
Task Category: UMCore
Level: Error
Keywords: Classic
User: N/A

The Unified Messaging server encountered an error while trying to process the message with header file "C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\voicemail\048696bb-3475-41d8-b497-b839c9e1daa8.txt". Error details: "Microsoft.Exchange.UM.UMCore.SmtpSubmissionException: Submission to the Hub Transport server failed. The operation will be retried. ---> Microsoft.Exchange.Net.ExSmtpClient.UnexpectedSmtpServerResponseException: Unexpected SMTP server response. Expected: 220, actual: 500, whole response: 500 5.3.3 Unrecognized command

Googling was not very successful so I started to check our settings on the Exchange server. One of them seemed to be wrong. The Exchange Server authentication was disabled on the Default Receive Connector from our Exchange 2010 Hub Transport server.

During some previous tests, we had disabled the setting. As soon as I enabled the setting, we started to receive all the notifications from the UM server.
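
Added example (not part of the original post): a report of which Receive connectors still offer Exchange Server authentication, plus a helper that adds it back without dropping the connector's other mechanisms. The function name and the connector identity in the usage comment are made up for illustration.

```powershell
# Report: one row per Receive connector, flagging those without ExchangeServer auth.
$report = foreach ($rc in Get-ReceiveConnector) {
    # AuthMechanism is a flags value; its string form is a comma-separated list.
    $mechs = @("$($rc.AuthMechanism)" -split '\s*,\s*' |
        Where-Object { $_ -and $_ -ne 'None' })
    New-Object PSObject -Property @{
        Connector         = "$($rc.Identity)"
        HasExchangeServer = ($mechs -contains 'ExchangeServer')
        AuthMechanism     = ($mechs -join ', ')
    }
}
$report | Sort-Object Connector |
    Format-Table Connector, HasExchangeServer, AuthMechanism -AutoSize

# Hypothetical helper: add ExchangeServer to whatever the connector already allows.
function Add-ExchangeServerAuth {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $rc    = Get-ReceiveConnector -Identity $Identity
    $mechs = @("$($rc.AuthMechanism)" -split '\s*,\s*' |
        Where-Object { $_ -and $_ -ne 'None' })

    if ($mechs -contains 'ExchangeServer') {
        Write-Host "$Identity already offers Exchange Server authentication."
        return
    }
    Set-ReceiveConnector -Identity $Identity -AuthMechanism ($mechs + 'ExchangeServer')
}

# Usage (placeholder identity):
# Add-ExchangeServerAuth -Identity 'HUB01\Default HUB01'
```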

Tuesday, October 5, 2010

Business Days at Targu Mures

Last week, I took part as a speaker in the “Business Days” event in Targu Mures. I had two less technical :-) presentations:
1. Software and Services in the Cloud – Microsoft vision - a very short comparison (7 minutes) between email services in the cloud and email services on premises
2. User Experience in Microsoft Exchange 2010 – what makes Outlook Web App and Outlook 2010 the best tools for email and collaboration

My presentations were made together with Valentina Ion from Microsoft and Marius Turlea from Crescendo.
Even though I did not expect it, the business community in Targu Mures seems well developed. With an almost perfect organization and a lot of participants, it was a pleasure to be there.
The only regret that I had was that the Microsoft presentations took place before lunch and late in the afternoon. This led to a smaller number of participants at our presentations.
You can find some pictures from the event below.

Wednesday, August 11, 2010

Upgrade from Exchange 2007 to Exchange 2010: An IIS directory entry couldn’t be created. The error message is Access is denied. HResult = -2147024891

After we upgraded our infrastructure from Exchange 2007 to Exchange 2010, when I tried to access the CAS from the Exchange 2010 EMC I received the error “An IIS directory entry couldn’t be created. The error message was Access is denied. HResult = -2147024891. It was running the command ‘Get-OWAVirtualDirectory’”, and the OWA virtual directory wasn’t visible in EMC.
If you run the same command from PowerShell you will get:

[PS] C:\>Get-OwaVirtualDirectory |fl
An IIS directory entry couldn’t be created. The error message is Access is denied.
. HResult = -2147024891
+ CategoryInfo : NotInstalled: (EXCH01\owa (Default Web Site):A
DObjectId) [Get-OwaVirtualDirectory], IISGeneralCOMException
+ FullyQualifiedErrorId : 46C81F27,Microsoft.Exchange.Management.SystemConfi

In my configuration, EXCH01 was the old Exchange 2007 server. This error is generated because Exchange 2010 does not have rights to enumerate the IIS virtual directories on the old Exchange 2007 server. To solve this issue you have two options:

1. Add the “Exchange Trusted Subsystem” group to the Local Administrators group on the Exchange 2007 server.

2. Open Internet Information Services (IIS) Manager on the Exchange 2007 server, expand SERVER (local computer) -> Sites -> Default Web Site, select Edit Permissions, add the “Exchange Trusted Subsystem” group and grant it Full Control, then run “iisreset /noforce”.

Thursday, August 5, 2010

Exchange impersonation not working

We had a request from a customer regarding Exchange Impersonation. The customer wanted to use impersonation for an application that had to send emails as another user. He didn’t want to use the “Send As” right and he asked us specifically to use Impersonation.
Exchange Impersonation enables a caller to impersonate a given user account. This enables the caller to perform operations by using the permissions that are associated with the impersonated account, instead of the permissions that are associated with the caller's account.

Our customer’s application was trying to send emails in the name of a user using the SMTP protocol, connecting to an Exchange Hub Transport server. We configured user1 to be able to impersonate user2.

Microsoft Exchange Server 2010 uses Role-Based Access Control (RBAC) to assign permissions to accounts. You can read more about impersonation configuration here: .

If you still use Exchange 2007, you have to read this:

We configured the application to authenticate to the SMTP service as user1 and send emails as user2. We made a lot of tests and all we got was “5.7.1 Client does not have permissions to send as this sender”. After some extensive research we found out a simple thing: you cannot use impersonation to send emails as another user using SMTP authentication, OWA or Outlook.
Exchange impersonation is designed to be used only for Exchange Web Services (EWS). For other requirements, you should use “Send As” right ( 
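
Added example (not part of the original post): the Exchange 2010 RBAC configuration for EWS impersonation, showing the organization-wide assignment next to one limited to a single mailbox. user1 and user2 are the names used in the post; the scope and assignment names are made up, and the filter assumes that user2's mailbox alias is "user2".

```powershell
# Broad form (left commented out): user1 could impersonate every mailbox in the organization.
# New-ManagementRoleAssignment -Name 'Impersonation-user1-all' `
#     -Role ApplicationImpersonation -User user1

# Narrow form, part 1: a recipient scope that matches only user2.
New-ManagementScope -Name 'Scope-user2-only' `
    -RecipientRestrictionFilter "Alias -eq 'user2'"

# Narrow form, part 2: ApplicationImpersonation for user1, limited to that scope.
New-ManagementRoleAssignment -Name 'Impersonation-user1-user2' `
    -Role ApplicationImpersonation -User user1 `
    -CustomRecipientWriteScope 'Scope-user2-only'

# Review who holds the role and over which recipients.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Format-Table Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```

The assignment only takes effect for EWS calls that carry an ExchangeImpersonation header; it does not change what user1 may do over SMTP, OWA or Outlook.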

Sunday, August 1, 2010

Configure Autodiscovery and EWS to work with HTTP in Exchange 2010

Last week we upgraded our email system to Exchange 2010. It’s strange that a company that sells implementation services for MS Exchange has waited so long to migrate to the latest version ☺, but we are always short on time and we prefer to work for our customers instead of working on our own network. Now it’s summer, and everybody is on vacation so we decided to upgrade our network and to implement some new internal services. The obvious start was to upgrade the email system. Of course we encountered some issues and I will blog about them here ☺.

Our Exchange 2007 was configured not to 'Require secure channel (SSL)’ for Internet Information Services (IIS). All the encryption is offloaded to another device. We tried to do the same configuration with the new Exchange 2010 server and, surprise, it was not working as expected. The Autodiscovery service and Exchange Web Services (EWS) were not functioning. When I tested the services using a browser via HTTP, the answer was “HTTP 404 Resource Not Found”.

It seems that in Exchange 2010 RTM this kind of configuration is no longer possible. Maybe this issue will be solved in SP1, but for the moment you must do some tricks to make it work.
Exchange 2010 Web Services are now based on Windows Communication Foundation (WCF). WCF attempts to locate the endpoint for HTTP, but there is no endpoint defined for this service, so the system throws a System.ServiceModel.EndpointNotFoundException, which the client treats as an HTTP 404 error.

The trick to make it work is to change some settings in the web.config files for the Autodiscovery and EWS virtual directories.

Autodiscovery Service

1. Verify that the 'Require SSL' box in IIS is not checked
2. Open the C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover folder
3. Save a backup of the current web.config file and modify it using the following settings
4. Replace

<endpoint address="" binding="customBinding" bindingConfiguration="AutodiscoverHttpsBinding"
  contract="Microsoft.Exchange.Autodiscover.WCF.ILegacyAutodiscover" />

with

<!-- Autodiscovery HTTP endpoint -->
<endpoint address="" binding="customBinding" bindingConfiguration="AutodiscoverHttpBinding"
  contract="Microsoft.Exchange.Autodiscover.WCF.ILegacyAutodiscover" />
<!-- Autodiscovery HTTPS endpoint -->
<endpoint address="" binding="customBinding" bindingConfiguration="AutodiscoverHttpsBinding"
  contract="Microsoft.Exchange.Autodiscover.WCF.ILegacyAutodiscover" />

5. Replace

<endpoint address="" binding="customBinding" bindingConfiguration="AutodiscoverSoapHttpsBinding"
  contract="Microsoft.Exchange.Autodiscover.WCF.IAutodiscover" />

with

<!-- Autodiscovery Soap HTTP endpoint -->
<endpoint address="" binding="customBinding" bindingConfiguration="AutodiscoverSoapHttpBinding"
  contract="Microsoft.Exchange.Autodiscover.WCF.IAutodiscover" />
<!-- Autodiscovery Soap HTTPS endpoint -->
<endpoint address="" binding="customBinding" bindingConfiguration="AutodiscoverSoapHttpsBinding"
  contract="Microsoft.Exchange.Autodiscover.WCF.IAutodiscover" />

6. Replace

<binding name="AutodiscoverHttpsBinding">
  <LegacyMessageEncoderBindingElement />
  <httpsTransport maxReceivedMessageSize="8388608" authenticationScheme="Anonymous">
    <extendedProtectionPolicy policyEnforcement="Never" />
  </httpsTransport>
</binding>

with

<!-- Autodiscovery endpoint binding for HTTP -->
<binding name="AutodiscoverHttpBinding">
  <LegacyMessageEncoderBindingElement />
  <httpTransport maxReceivedMessageSize="8388608" authenticationScheme="Anonymous">
    <extendedProtectionPolicy policyEnforcement="Never" />
  </httpTransport>
</binding>
<!-- Autodiscovery endpoint binding for HTTPS -->
<binding name="AutodiscoverHttpsBinding">
  <LegacyMessageEncoderBindingElement />
  <httpsTransport maxReceivedMessageSize="8388608" authenticationScheme="Anonymous">
    <extendedProtectionPolicy policyEnforcement="Never" />
  </httpsTransport>
</binding>

7. Replace

<binding name="AutodiscoverSoapHttpsBinding">
  <textMessageEncoding messageVersion="Soap11WSAddressing10" />
  <httpsTransport maxReceivedMessageSize="8388608" authenticationScheme="Anonymous">
    <extendedProtectionPolicy policyEnforcement="Never" />
  </httpsTransport>
</binding>

with

<!-- Autodiscovery Soap endpoint binding for HTTP -->
<binding name="AutodiscoverSoapHttpBinding">
  <textMessageEncoding messageVersion="Soap11WSAddressing10" />
  <httpTransport maxReceivedMessageSize="8388608" authenticationScheme="Anonymous">
    <extendedProtectionPolicy policyEnforcement="Never" />
  </httpTransport>
</binding>
<!-- Autodiscovery Soap endpoint binding for HTTPS -->
<binding name="AutodiscoverSoapHttpsBinding">
  <textMessageEncoding messageVersion="Soap11WSAddressing10" />
  <httpsTransport maxReceivedMessageSize="8388608" authenticationScheme="Anonymous">
    <extendedProtectionPolicy policyEnforcement="Never" />
  </httpsTransport>
</binding>

8. Save the file. IIS should detect the change in the web.config and reload the settings. If not, you should run iisreset /noforce to restart IIS.
9. If you want to enable 'Require secure channel (SSL)’ for this virtual directory, you have to go back to the old settings, otherwise you will receive HTTP 500 - Internal Server Error and the service will not work.

Exchange Web Services (EWS)

1. Verify that the 'Require SSL' box in IIS is not checked
2. Open the C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Exchweb\EWS folder
3. Save a backup of the current web.config file and modify it using the following settings
4. Replace

<endpoint address="" binding="customBinding" bindingConfiguration="EWSHttpsBinding"
  contract="Microsoft.Exchange.Services.Wcf.IEWSContract" />

with

<!-- EWS HTTP endpoint -->
<endpoint address="" binding="customBinding" bindingConfiguration="EWSHttpBinding"
  contract="Microsoft.Exchange.Services.Wcf.IEWSContract" />
<!-- EWS HTTPS endpoint -->
<endpoint address="" binding="customBinding" bindingConfiguration="EWSHttpsBinding"
  contract="Microsoft.Exchange.Services.Wcf.IEWSContract" />

5. Replace

<binding name="EWSHttpsBinding">
  <EWSMessageEncoderSoap11Element />
  <httpsTransport maxReceivedMessageSize="13600000" authenticationScheme="Anonymous"
    maxBufferSize="81920" transferMode="Streamed" />
</binding>

with

<!-- EWS endpoint binding for HTTP -->
<binding name="EWSHttpBinding">
  <EWSMessageEncoderSoap11Element />
  <httpTransport maxReceivedMessageSize="13600000" authenticationScheme="Anonymous"
    maxBufferSize="81920" transferMode="Streamed" />
</binding>
<!-- EWS endpoint binding for HTTPS -->
<binding name="EWSHttpsBinding">
  <EWSMessageEncoderSoap11Element />
  <httpsTransport maxReceivedMessageSize="13600000" authenticationScheme="Anonymous"
    maxBufferSize="81920" transferMode="Streamed" />
</binding>

6. Save the file. IIS should detect the change in the web.config and reload the settings. If not, you should run iisreset /noforce to restart IIS.
7. If you want to enable 'Require secure channel (SSL)’ for this virtual directory, you have to go back to the old settings, otherwise you will receive HTTP 500 - Internal Server Error and the service will not work.
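
Added example (not part of the original post): a PowerShell function that resolves every WCF endpoint in a web.config to the transport element of its customBinding, so that after the edits above you can list which contracts are served over plain HTTP and which endpoint references a binding that does not exist. The embedded XML is a constructed fragment and the service name in it is made up.

```powershell
# Constructed sample shaped like the edited Autodiscover web.config.
$sample = [xml]@'
<configuration>
  <system.serviceModel>
    <services>
      <service name="ConstructedAutodiscoverService">
        <endpoint address="" binding="customBinding" bindingConfiguration="AutodiscoverHttpBinding"
                  contract="Microsoft.Exchange.Autodiscover.WCF.ILegacyAutodiscover" />
        <endpoint address="" binding="customBinding" bindingConfiguration="AutodiscoverHttpsBinding"
                  contract="Microsoft.Exchange.Autodiscover.WCF.ILegacyAutodiscover" />
      </service>
    </services>
    <bindings>
      <customBinding>
        <binding name="AutodiscoverHttpBinding">
          <LegacyMessageEncoderBindingElement />
          <httpTransport maxReceivedMessageSize="8388608" authenticationScheme="Anonymous">
            <extendedProtectionPolicy policyEnforcement="Never" />
          </httpTransport>
        </binding>
        <binding name="AutodiscoverHttpsBinding">
          <LegacyMessageEncoderBindingElement />
          <httpsTransport maxReceivedMessageSize="8388608" authenticationScheme="Anonymous">
            <extendedProtectionPolicy policyEnforcement="Never" />
          </httpsTransport>
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>
'@

function Get-WcfEndpointTransport {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # Map each customBinding name to the transport element it contains.
    $transportByBinding = @{}
    foreach ($binding in $Config.SelectNodes('//bindings/customBinding/binding')) {
        $node = $binding.SelectSingleNode('httpTransport | httpsTransport')
        $name = 'no http(s) transport'
        if ($null -ne $node) { $name = $node.LocalName }
        $transportByBinding[$binding.GetAttribute('name')] = $name
    }

    # Resolve every service endpoint through its bindingConfiguration attribute.
    foreach ($ep in $Config.SelectNodes('//services/service/endpoint')) {
        $cfg       = $ep.GetAttribute('bindingConfiguration')
        $transport = 'undefined binding'
        if ($transportByBinding.ContainsKey($cfg)) { $transport = $transportByBinding[$cfg] }

        New-Object PSObject -Property @{
            Contract  = $ep.GetAttribute('contract')
            Binding   = $cfg
            Transport = $transport
            Cleartext = ($transport -eq 'httpTransport')
        }
    }
}

Get-WcfEndpointTransport -Config $sample |
    Format-Table Contract, Binding, Transport, Cleartext -AutoSize

# Against the live file (folder path as given in the post):
# $path = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover\web.config'
# Get-WcfEndpointTransport -Config ([xml](Get-Content $path)) | Format-Table -AutoSize
```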

Tuesday, June 8, 2010

Client Throttling policies in Exchange 2010

Last week we had two clients complaining about various issues regarding connectivity to the Exchange 2010 Client Access server from various sources:

- Error when activating new devices in Blackberry Enterprise Server with the following info:

[20400] (01/13 15:27:09.003):{0x21AC} {} MAPIMailbox::MAPIMailbox - OpenMsgStore (0x8004011d) failed, MailboxDN=/o=CGP/ou=First Administrative Group/cn=Recipients/cn=SERVER, ServerDN=/o=AD/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=SERVER/cn=Microsoft Private MDB

[40720] (01/13 15:27:09.003):{0x21AC} MAPI call failed. Error 'The information store could not be opened.', LowLevelError 0, Component 'MAPI 1.0', Context 649

You can find the solution published on the Blackberry support site:

- Error when accessing the Exchange Management Shell or Exchange Management Console with the following info:

The WS-Management service cannot process the request. The user load quota of X requests per Y seconds has been exceeded. Send future requests at a slower rate or raise the quota for this user. The next request from this user will not be approved for at least Z milliseconds.

You can find the solution here:

Both issues were related to a new feature in Exchange 2010 called “Client Throttling”. Client throttling policies control the performance of the Exchange Server infrastructure by tracking the resources used by each user and limiting connection bandwidths as necessary. The feature controls resource access on a per-component basis. The following clients are controlled by the policies:
- Microsoft Exchange ActiveSync
- Exchange Web Services
- Outlook Web App
- POP3
- PowerShell
- Unified Messaging (UM)

The problems that we encountered were generated by the default policy for Client Throttling. For common Exchange installations this policy does not generate problems but there are installations, usually large installations, with many clients, that may generate issues.

To find out what the default Client Throttling policy is, you may run the following command:
Get-ThrottlingPolicy | Where-Object { $_.IsDefault -eq $true }

You can find more info about this new feature and how to set it up correctly on the Technet site

Wednesday, May 12, 2010

Configure email routing based on sender email address

We had a request from one of our customers, who has an MS Exchange 2007 hosting infrastructure, about configuring the users from one hosted domain to send their emails via a certain smart host. If you haven’t tried that yet, you will say: “it’s simple, we create a transport rule and it will work”. When you start configuring the transport rule you will see that there are no options regarding the connector that a certain rule should use.

Doing some research, I found out that you can create your own routing agent that will take care of this. It involves a little programming skill but it’s doable. I recommend you read the following articles:

Monday, May 10, 2010

Pictures from "The new efficiency community launch 7 Mai 2010"

On 7th May I took part in "The new efficiency community launch 7 Mai 2010", speaking about MS Exchange 2010. You can find more details about the presentation agenda here:

You can also find some pictures (thanks Adrian Stoian!) below:

Saturday, May 8, 2010

Windows seminar for Linux professionals

Last week, together with Todi Pruteanu and Florentina Taune from Microsoft Romania I participated at two seminars (Bucharest and Constanta) about Windows Server for Linux professionals. The seminars were about features of Microsoft products compared with Open Source products and how we can make them work together.
When Todi proposed that I do that, I said ok without blinking. After a while, when I started to realize what I had to do, I was starting to think that I was crazy. I was going into the lion pit with Linux professionals. Considering the animosity between Open Source professionals and Microsoft, I was starting to think that they would eat me alive. Another challenge was that I had to speak about a lot of Microsoft products and features, not only about MS Exchange.
When Todi started to talk and all the participants introduced themselves, I understood that none of them was using only Open Source programs and some were Microsoft fans. My first impression was that the audience was not chosen right. After two full days of seminars, I realized that all of them were using products from both sides and their most challenging task is to make them work together.
There are two more seminars like this, one in Craiova and again in Bucharest. I am looking forward to speaking there, not because I want to convince somebody that Microsoft is better but because I think that I have a lot to learn from the participants.

Saturday, April 24, 2010

Windows 2008 R2 NLB using virtual machines in HyperV not working

During last week I had to configure a Windows NLB for two Exchange 2010 servers with the Client Access role. The machines were installed as virtual machines in a Windows 2008 R2 Hyper-V architecture. Both virtual machines were configured with two network cards, one of them dedicated to NLB. We configured the NLB using Unicast. You can find an excellent article about configuring CAS NLB
After configuring the NLB, I found out that the IP address of the NLB was not accessible from anywhere other than the nodes of the NLB cluster.
This occurred because, as part of the cluster setup process (when using Unicast), the MAC address of the interface used for NLB on each server that becomes part of the cluster is changed to a common MAC address, different from anything currently on the servers. This happens on the server, and the hypervisor knows nothing about it. As a result, the MAC address set up within Hyper-V on the interfaces used by NLB bears no relation to the MAC address that the cluster thinks it’s using on the guest machines themselves, and no traffic is routed to that interface.
To solve the problem I had to modify the MAC address settings for each NLB network card configured in the virtual machines.
The Hyper-V Synthetic Network Adapter does not allow you to dynamically modify the MAC address. A Hyper-V Legacy Network Adapter does, but it does not support x64. To change the MAC address for the virtual machines you have to shut down the virtual machines and go into the properties of the Hyper-V Synthetic Network Adapter used for NLB. I modified two settings:
- I changed the Ethernet (MAC) address, setting the MAC address to Static, using the Generate button.
- I selected Enable spoofing of MAC addresses. This allows the guest operating system of a Hyper-V virtual machine to provide an alternate MAC address to the one that the virtual machine provides. This is a new option in VMM 2008 R2. If you use Windows Server 2008, this capability is automatic in Hyper-V; in Windows Server 2008 R2, the feature is turned off by default.

Saturday, April 10, 2010

Exchange 2010 SP1 will be available in the near future

On April 7th, 2010, Microsoft Exchange Team has made an announcement regarding future Service Pack 1 for Exchange 2010.
For me Exchange 2010 was a major step from Exchange 2007, but it seems there is always room for more nice features. This service pack will also include all the roll-ups to date and fixes for known issues.
The major enhancements of this service pack are:
Archiving and Discovery Enhancements
• The possibility to store Personal Archive in a different mailbox database;
• Support in Outlook 2007 for Personal Archive;
• Delegate user access for Personal Archive;
• New tools to create Retention Policy Tags;
• Direct import of data from PSTs to Exchange server;
• Multi-Mailbox Search enhancements.
Outlook Web App Enhancements
• Enhancements in the UI (increased speed for current time consuming tasks);
• UI visual improvements;
• Web-Ready Document Viewing of IRM-protected documents;
• Calendar Sharing to anonymous viewers via the web.
Mobility Enhancements
• support for send-as;
• notifying the user if their device has been placed on block or quarantine;
• full implementation of conversation view;
• Calendar Sharing to anonymous viewers via the web.
New Management UI
• Create/configure Retention Tags + Retention Policies in EMC;
• Configure Transport Rules in ECP;
• Configure Journal Rules in ECP;
• Configure MailTips in ECP;
• Provision and configure the Personal Archive in ECP;
• Configure Litigation Hold in ECP & EMC;
• Configure Allow/Block/Quarantine mobile device policies in ECP;
• RBAC role management in ECP;
• Configure Database Availability Group (DAG) IP Addresses and Alternate Witness Server in EMC;
• Recursive public folder settings management (including permissions) in EMC.

The Beta of this service pack will be released in June this year. You can read more details here:

Friday, April 2, 2010

I am MVP for Exchange

It has been more than a month since I wrote here. I intend to come back with interesting technical articles, but until then I am honored to say that I am the new proud Microsoft Most Valuable Professional (MVP) for Exchange in Romania.
Microsoft MVPs are exceptional technical community leaders from around the world who have been awarded for voluntarily providing technical expertise towards technical communities supporting Microsoft products or technologies.
I don't know if I fit exactly the above definition, but I hope there is something true here :-). In the near future I intend to increase the time and the quality of the support that I provide to the MS Exchange community in Romania to be sure that I deserve this award.
You can access my MVP profile here

Thursday, February 25, 2010

Tool for testing Exchange connectivity

After all the Exchange 2007 and 2010 we made we had to check if everything is configured correctly and if the external clients can access the server using all kind of email clients. There are two ways to do that, one is to waste time and configure each type of client that you might have, and the other one is to use a very nice tool that was created by Microsoft. It’s a web page that can help you to test different scenarios of exchange connectivity directly to your email server. You can access it at

Here are a few hints to use it with success:
- Even though they say it’s secure, do not use an account with extended rights like your domain admin account
- Pay attention to the certificate settings. If you don’t have a trusted certificate use the “Ignore trust for SSL” setting
- Start with simple tests and continue until everything works as expected
- At the beginning use it without using autodiscovery. When everything is working fine, test the autodiscovery service

Sunday, February 21, 2010

Exchange Management Console/Shell errors

Today I encountered a new error when configuring an Exchange 2010 server for a client. The Exchange server was installed on machine that was also a domain controller.
When I was trying to connect to the Exchange 2010 Management Console, I got the following error:

I tried to access the Exchange 2010 installation using the shell and I got the same error:
VERBOSE: Connecting to Rombiosrv01.rombiomedica.local
[rombiosrv01.rombiomedica.local] Connecting to remote server failed with the following error message : The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig". For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
Searching through the event log, I found event 10154:
The WinRM service failed to create the following SPNs: WSMAN/Rombiosrv01.rombiomedica.local; WSMAN/Rombiosrv01.
Additional Data
The error received was 8344: %%8344.
User Action
The SPNs can be created by an administrator using setspn.exe utility.

The first thing I tried was to check if the “WinRM IIS Extension” was installed and, surprise, it wasn’t.
To add “WinRM IIS Extension”, you have to use “Add features” from Server Manager. After you install the extension, you have to reboot the server and run (with elevated rights) "winrm quickconfig” to configure it.

The second thing I found out was that if you install Exchange 2010 on a domain controller you will lose some permissions and you have to add them manually. If you get the same error, using ADSI Editor, check the Properties of the AD object for this server in the Domain Controllers OU. On the Security tab, check if NETWORK SERVICE has the Validated Write to Service Principal Name permission.
Now the System event log was clean, but I still couldn't manage the server.

Third thing, and the easiest one, was to check if everything was working fine within IIS and surprise: the default web site was stopped. I tried to start it without success. Soon I found out that the HTTPS port was used by another application. Once I solved this problem, the server was fully operational.

If the steps above do not succeed, check if you have the .NET Extensibility role services for IIS installed. You can read more here

Monday, February 15, 2010

IT Efficiency School - Exchange Server 2010 - Upgrade and Coexistence

The next online meeting will take place on Wednesday, February 17, 2010 4:30 PM-5:30 PM (UTC+02:00) and it will cover Exchange 2010 Upgrade and Coexistence. To register for this, please access the following link:

How to increase the send and receive size for email messages in Exchange 2010

To modify the send and receive settings for your Exchange 2010 server you have to configure:

1. The global transport settings for the organization
2. The settings for all send/receive connectors from your organization

There are two possible ways to do that: one is to use the graphical interface, and the other is to use the cmdlets. I will describe the second one.

1. To set up the global transport settings, first check the current configuration with the get-transportconfig cmdlet and note the MaxReceiveSize and MaxSendSize values in the output below:

[PS] C:\Windows\system32>get-transportconfig
ClearCategories : True
DSNConversionMode : UseExchangeDSNs
ExternalDelayDsnEnabled : True
ExternalDsnDefaultLanguage :
ExternalDsnLanguageDetectionEnabled : True
ExternalDsnMaxMessageAttachSize : 10 MB (10,485,760 bytes)
ExternalDsnReportingAuthority :
ExternalDsnSendHtml : True
ExternalPostmasterAddress :
GenerateCopyOfDSNFor : {5.4.8, 5.4.6, 5.4.4, 5.2.4, 5.2.0, 5.1.4}
HygieneSuite : Standard
InternalDelayDsnEnabled : True
InternalDsnDefaultLanguage :
InternalDsnLanguageDetectionEnabled : True
InternalDsnMaxMessageAttachSize : 10 MB (10,485,760 bytes)
InternalDsnReportingAuthority :
InternalDsnSendHtml : True
InternalSMTPServers : {}
JournalingReportNdrTo : <>
MaxDumpsterSizePerDatabase : 18 MB (18,874,368 bytes)
MaxDumpsterTime : 7.00:00:00
MaxReceiveSize : 20 MB (20,971,520 bytes)
MaxRecipientEnvelopeLimit : 5000
MaxSendSize : 20 MB (20,971,520 bytes)
MigrationEnabled : False
OpenDomainRoutingEnabled : False
Rfc2231EncodingEnabled : False
ShadowHeartbeatRetryCount : 3
ShadowHeartbeatTimeoutInterval : 00:05:00
ShadowMessageAutoDiscardInterval : 2.00:00:00
ShadowRedundancyEnabled : True
OrganizationRelationshipForExternalOrganizationEmail :
SupervisionTags : {Reject, Allow}
TLSReceiveDomainSecureList : {}
TLSSendDomainSecureList : {}
VerifySecureSubmitEnabled : False
VoicemailJournalingEnabled : True
HeaderPromotionModeSetting : NoCreate
Xexch50Enabled : True

Then you have to run
Set-TransportConfig -MaxReceiveSize "X MB" -MaxSendSize "X MB"
where X is the size in MB.

2. To configure the SEND and RECEIVE connectors, check the current config of all connectors using:

get-sendconnector |fl
get-receiveconnector |fl

then run

Set-SendConnector -Identity "name of the connector" -MaxMessageSize "X MB"
Set-ReceiveConnector -Identity "name of the connector" -MaxMessageSize "X MB"

If you are using an EDGE server, you won't have to do anything there if the server is synchronized with your internal HUB servers; otherwise you have to repeat the second step there.
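Both steps can be scripted so that no connector is left with a smaller limit than the organization setting; a message is rejected if it exceeds any limit on its path, so one forgotten connector is enough to keep the old behaviour. This is an added example, not from the original post, and the 30 MB value is an assumed sample.

```powershell
# Added example: run in the Exchange Management Shell on a Hub Transport server.
# $LimitMB is a sample value chosen for illustration; use the size you need.
$LimitMB = 30
$limit   = "$LimitMB MB"

# Record the current limits first so the change can be reviewed or rolled back.
Get-TransportConfig  | Format-List  MaxReceiveSize, MaxSendSize
Get-SendConnector    | Format-Table Name, MaxMessageSize -AutoSize
Get-ReceiveConnector | Format-Table Identity, MaxMessageSize -AutoSize

# Step 1: organization-wide transport limits.
# -WhatIf only previews the change; remove it to apply.
Set-TransportConfig -MaxReceiveSize $limit -MaxSendSize $limit -WhatIf

# Step 2: every send and receive connector in the organization.
# Internet-facing receive connectors accept mail from anonymous senders,
# so their limit also bounds what outside hosts can push at the server.
Get-SendConnector    | Set-SendConnector    -MaxMessageSize $limit -WhatIf
Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize $limit -WhatIf
```

After removing -WhatIf and applying the change, rerun the three Get- commands at the top to confirm that every limit shows the new value.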

Sunday, January 17, 2010

Unable to connect Outlook 2003 to Exchange 2010

When you try to open an email account located on an Exchange 2010 server using Outlook 2003 you will get the "Unable to open your default e-mail folders" error. If you try to connect to the same mailbox using Outlook 2007 or the Outlook 2010 beta version you can connect without any problems.
This is caused by the fact that in Exchange 2010, by default, you need an encrypted connection to access the server. In Outlook 2007 and later this is the default setting, but in previous versions it was optional.
To solve this issue, you have two options:
1. You configure your email client to use encryption (recommended). You can do this by accessing your email profile and checking the "Encrypt data between Microsoft Office Outlook and Microsoft Exchange" option, as you can see below:

2. Or you can disable the encryption on the Exchange 2010 Client Access Server using the following cmdlet (not recommended):
Set-RpcClientAccess -Server <ServerIdParameter> -EncryptionRequired $false
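If the second option was used as a temporary workaround, the following added example (not part of the original post) lists the Client Access servers that currently accept unencrypted RPC connections and previews turning the requirement back on once the Outlook 2003 profiles have been reconfigured.

```powershell
# Added example: run in the Exchange Management Shell.
# Show every Client Access server and whether it requires RPC encryption.
Get-RpcClientAccess | Format-Table Server, EncryptionRequired -AutoSize

# Servers where the encryption requirement has been switched off.
$relaxed = Get-RpcClientAccess | Where-Object { -not $_.EncryptionRequired }

foreach ($cas in $relaxed) {
    # -WhatIf only previews the change; remove it to re-enable encryption
    # after the Outlook 2003 clients have the encryption option checked.
    Set-RpcClientAccess -Server "$($cas.Server)" -EncryptionRequired $true -WhatIf
}
```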

Usually I would go with the first choice. It is more secure and there is no reason not to do it. If you need to configure a large number of computers you can always use Group Policy. You can find more info about GPO templates for Office 2003 here:

Free/Busy information and Out of Office settings are not available in Outlook 2007

If you try to access Free/Busy info or OOF settings from outside your company firewall and you are not allowed, most of the time it means that you have a badly configured Autodiscover service.
Former versions of Outlook (Outlook 2003 or older) were using public folders to get access to these features.
In the newer versions, like Outlook 2007 and the future release of Outlook (2010), access to these important features of the Microsoft Exchange messaging environment goes through the Autodiscover web service. This service is used by the Web-based offline address book (OAB), the Availability service, Out of Office and Unified Messaging (UM). The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients to automatically connect to all these Microsoft Exchange features.
To find out how to correctly configure the Autodiscover service and the associated digital certificates in various scenarios, you can use the following links:

Saturday, January 16, 2010

IT Efficiency School - Exchange Server 2010 - Installation and configuration

This year, together with Microsoft Romania, I will continue to deliver new live meeting sessions regarding unified messaging and especially Microsoft Exchange 2010.

The next online meeting will take place on Thursday, January 28, 2010 3:30 PM-5:30 PM (UTC+02:00) and it will cover Exchange 2010 installation and configuration. To register for this please access the following link:

Tuesday, January 5, 2010

Error creating a new mailbox database on Exchange 2010 in a multiple domain environment

When you try to create a new mailbox database on Exchange 2010 in a multiple domain environment, the database is created but you may get the following error when trying to mount it:

Failed to mount database

Couldn't mount the database that you specified. Specified database:
<test>; Error code: An Active Manager
operation failed. Error: The database action failed. Error: Operation
with message: MapiExceptionNotFound: Unable to mount database.
[Database: <test>, Server:
An Active Manager operation failed. Error: The database action failed. Error:
Operation failed with message: MapiExceptionNotFound: Unable to mount
(hr=0x8004010f, ec=-2147221233)
[Database: <test>, Server:
An Active Manager operation failed. Error: Operation failed with message:
MapiExceptionNotFound: Unable to mount database. (hr=0x8004010f,
[Server: <servername>]
MapiExceptionNotFound: Unable to mount database. (hr=0x8004010f,

The following event is logged in the Application log:

Log Name: Application
Source: MSExchange Configuration Cmdlet - Remote Management
Date: 9/17/2009 12:26:00 PM
Event ID: 4
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: <servername>
Description: (PID 8136, Thread 2652) Task New-MailboxDatabase writing error when processing record of index 0. Error: Microsoft.Exchange.Data.Directory.ADOperationException: Active Directory operation failed on <domain controller>. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.

According to the Microsoft support site, the problem occurs when the value of the ConfigurationDomainController parameter and the value of the PreferredGlobalCatalog parameter are different. Their solution is to run the following cmdlet:

Set-ADServerSettings -PreferredServer <DC FQDN>

We encountered this problem with one of our clients and the solution provided by Microsoft did not work. What we did was to mount the database specifying the domain controller that writes the configuration change to Active Directory. The cmdlet is:

Mount-Database -Identity <database> -DomainController <DC FQDN>