Posts Tagged ‘exchange’

Can be done via IMAP Settings below

 

Settings for IMAP Configuration:

  EMAIL ADDRESS: sharedmailbox@domain.com (shared mailbox)

  IMAP SERVER: outlook.office365.com Port 993 with SSL
  SMTP SERVER: smtp.office365.com Port 587 with TLS

  USERNAME: user@domain.com\sharedmailboxalias  (user\shared mailbox alias)
  PASSWORD: UserPassword (user’s password)

SMTP LOGIN IS DIFFERENT (!)

  USERNAME: user@domain.com (users email)
  PASSWORD: UserPassword (user’s password)


Recently had a client experience delays receiving emails.

A check of the SMTP logs showed:

4.7.0 SMTP; 403 4.7.0 TLS handshake failed

To investigate:

Open Exchange Management Console

Go to Server Configuration and, under Exchange Certificates, check whether any expired certificates have SMTP next to them.

Renew Self Signed Certificates:

  1. Type Get-ExchangeCertificate to list the installed certificates

  2. Match the certificate to the expired certificate from the Console (using the subject name and services), then copy the associated thumbprint

  3. Type Get-ExchangeCertificate -Thumbprint INSERTTHUMBPRINTHERE | New-ExchangeCertificate
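
The console check and steps 1 and 2 can be done in one pass from the shell. This is an added example, not part of the original post; it assumes the Exchange Management Shell, and the 30-day warning window is an arbitrary choice.

```powershell
# Added example: list certificates bound to SMTP, with days to expiry and
# the renewal path described in this post.
# Assumes the Exchange Management Shell (Get-ExchangeCertificate available).
$warnDays = 30          # assumed warning window, adjust as needed
$now      = Get-Date

Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' } |
    ForEach-Object {
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)

        if     ($daysLeft -lt 0)         { $state = 'EXPIRED' }
        elseif ($daysLeft -le $warnDays) { $state = 'EXPIRING' }
        else                             { $state = 'OK' }

        if ($state -eq 'OK') {
            $action = ''
        } elseif ($_.IsSelfSigned) {
            # Same command as step 3 of the post, with the thumbprint filled in
            $action = "Get-ExchangeCertificate -Thumbprint $($_.Thumbprint) | New-ExchangeCertificate"
        } else {
            $action = 'Renew with the third-party SSL authority'
        }

        New-Object PSObject -Property @{
            State      = $state
            DaysLeft   = $daysLeft
            SelfSigned = $_.IsSelfSigned
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Services   = "$($_.Services)"
            Action     = $action
        }
    } |
    Sort-Object DaysLeft |
    Format-List State, DaysLeft, SelfSigned, Subject, Services, Thumbprint, Action
```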

Renew Third Party Cert

  1. Go through the renewal process with your third-party SSL authority

To disable receiving email via TLS

Go to Hub Transport under Server Configuration, then untick Transport Layer Security (TLS) for each Receive Connector. The connectors then stop offering STARTTLS, so mail on them is received unencrypted.


There are three ways to forward mail from one user to another in Exchange

  1. Exchange Forwarding Most Common – Done by Administrator
  2. Inbox Rule – Done by User
  3. Hub Transport Rule – Done by Administrator

1 and 3 can be checked easily, and there will usually be references in tickets to when this was done or not done; however, users can enable Inbox rules by themselves and then contact you later to disable the forward.

Here is how to check for forwarding or redirecting rules on a mailbox in 365:

foreach ($i in (Get-Mailbox -Identity "%USERNAME%")) {
    # Rules that forward mail
    Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerID,Name,ForwardTo
}
foreach ($i in (Get-Mailbox -Identity "%USERNAME%")) {
    # Rules that redirect mail
    Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.RedirectTo} | fl MailboxOwnerID,Name,RedirectTo
}

To disable:

Disable-InboxRule -Identity "%NAME OF RULE%" -Mailbox "%USERNAME%"
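
Because users can create these rules without a ticket, it is worth sweeping every mailbox rather than one user at a time. The following is an added example, not part of the original post: it extends the check to all mailboxes and to ForwardAsAttachmentTo, and flags targets outside the tenant's accepted domains. The way recipients are rendered as strings is an assumption noted in the comments.

```powershell
# Added example. Assumes a connected Exchange Online (or on-premises Exchange)
# PowerShell session.
# Assumption: rule recipients render as '"Name" [SMTP:user@domain]' for SMTP
# addresses and '"Name" [EX:/o=...]' for internal directory recipients.
# Wildcard accepted domains (*.domain.com) are not expanded here.
$internal = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.DistinguishedName) {
        $actions = @{
            ForwardTo             = $rule.ForwardTo
            ForwardAsAttachmentTo = $rule.ForwardAsAttachmentTo
            RedirectTo            = $rule.RedirectTo
        }
        foreach ($action in $actions.Keys) {
            foreach ($target in @($actions[$action] | Where-Object { $_ })) {
                $external = $false
                if ("$target" -match 'SMTP:[^@\]]+@([^\]\s]+)') {
                    # SMTP target: external unless its domain is an accepted domain
                    $external = $internal -notcontains $Matches[1].ToLower()
                }
                [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Rule     = $rule.Name
                    Enabled  = $rule.Enabled
                    Action   = $action
                    Target   = "$target"
                    External = $external
                }
            }
        }
    }
}

# Full list for the ticket, external targets first
$findings | Sort-Object External -Descending | Format-Table -AutoSize -Wrap

# Enabled rules that send mail outside the organisation: review these first
$findings | Where-Object { $_.External -and $_.Enabled } |
    Select-Object Mailbox, Rule, Action, Target
```

Each flagged rule can then be disabled with the Disable-InboxRule command shown above once the mailbox owner has confirmed it is not wanted.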
 

Backup Exec VSS Error

According to the error logs of Backup Exec, it is a VSS error.

Indeed, there is a VSS error for the Exchange VSS Writer when I ran the command “VSSADMIN LIST WRITERS”.

I restarted the VSS service and started another backup which resolved the problem.


The name of the security certificate is invalid or does not match the name of the site

Recently we moved Exchange certificates to a certificate with no local SANs inside, to be in compliance. This involves creating an A record for your external domain name internally, then changing all internal and external paths to the fully qualified external domain name. Digicert has a great guide to do this: https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

After this is done, you can reissue the certificate with the local SANs removed using a new CSR (.req file) generated from Exchange and apply it to all client access servers.

This was done; however, a few (not all) users in our organisation were getting the prompt above, linking to autodiscover.domain.local. Checking on the affected users, it seems their Outlook profiles were referencing old Exchange accounts that didn’t exist anymore in Exchange. Removing these old accounts from Outlook and restarting fixed this. Reprofiling will also fix this!

On trying to run an EWS script, the following error came up:

The request failed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Adding the line above silenced the error but did not fix the communication. Instead, it brought up a new error:

“The request failed. The underlying connection was closed: An unexpected error occurred on a send.”

First, you can add this line after each of the errors to give you the full error:

$error[0] | fl -force

The full error displayed:

System.Management.Automation.PSInvalidOperationException: There is no Runspace available to run scripts in this thread. self sign certificate

The code below needs to be added instead to properly ignore the self-signed certificate issues:

## Code From http://poshcode.org/624
## Create a compilation environment
$Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
$Compiler=$Provider.CreateCompiler()
$Params=New-Object System.CodeDom.Compiler.CompilerParameters
$Params.GenerateExecutable=$False
$Params.GenerateInMemory=$True
$Params.IncludeDebugInformation=$False
$Params.ReferencedAssemblies.Add("System.DLL") | Out-Null
 
$TASource=@'
  namespace Local.ToolkitExtensions.Net.CertificatePolicy{
    public class TrustAll : System.Net.ICertificatePolicy {
      public TrustAll() { 
      }
      public bool CheckValidationResult(System.Net.ServicePoint sp,
        System.Security.Cryptography.X509Certificates.X509Certificate cert, 
        System.Net.WebRequest req, int problem) {
        return true;
      }
    }
  }
'@ 
$TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
$TAAssembly=$TAResults.CompiledAssembly
 
## We now create an instance of the TrustAll and attach it to the ServicePointManager
$TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
[System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
 
## end code from http://poshcode.org/624
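
The TrustAll policy above accepts any certificate from any server the script connects to, not only the self-signed Exchange one. A narrower alternative is sketched below as an added example (it is not from the original post or from poshcode.org): a compiled callback that accepts normally valid certificates plus one pinned thumbprint. Being compiled, it does not need a Runspace, so it avoids the error the script-block callback produced. The class name PinnedCertValidator is hypothetical, and INSERTTHUMBPRINTHERE is a placeholder for the thumbprint reported by Get-ExchangeCertificate.

```powershell
# Added example: trust exactly one self-signed certificate instead of all.
# Assumes Windows PowerShell 2.0 or later (Add-Type available).
Add-Type -TypeDefinition @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertValidator
{
    private static string pinned;

    // Matches the RemoteCertificateValidationCallback delegate signature
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that validate normally are still accepted
        if (errors == SslPolicyErrors.None) { return true; }
        if (cert == null || String.IsNullOrEmpty(pinned)) { return false; }

        // Otherwise accept only the certificate whose thumbprint was pinned
        string actual = new X509Certificate2(cert).Thumbprint;
        return String.Equals(actual, pinned, StringComparison.OrdinalIgnoreCase);
    }

    public static void Install(string thumbprint)
    {
        // Thumbprints copied from the certificate dialog may contain spaces
        pinned = thumbprint.Replace(" ", "").ToUpperInvariant();
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Validate);
    }
}
'@

# Placeholder: replace with the thumbprint of the Exchange server's certificate
[PinnedCertValidator]::Install('INSERTTHUMBPRINTHERE')
```

Any other untrusted certificate, including one presented by a different host, still fails with the original trust error.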

Transport Limits

Organization Configuration | Hub Transport | Global Settings tab | Transport Settings| properties | General tab.

Send Connector

Organization Configuration> Hub Transport> Send Connectors section. If you double click on each of your connectors (most of you will probably only have one) you will see a “Maximum Message Size” setting.

Receive Connector

Again, in the configuration of each of these connectors you set a “Maximum Message Size”. The setting is changed at Server Configuration> Hub Transport> Receive Connectors.

Mailbox Limits

To set these using the Exchange console: Recipients | Mailbox -> select mailbox (or select another recipient type such as a contact or mail user from the corresponding node) | properties | Mail Flow Settings tab | Message Size Restrictions.

Routing Limits between 2003 and 2010 Environment

Set-RoutingGroupConnector "CONNECTOR NAME" -MaxMessageSize 50MB

AD Site Links

Set-ADSiteLink "SITE LINK NAME" -MaxMessageSize 50MB

OWA Attachment Sizes:  (Note: This must be completed on every CAS server)
Use Notepad to change the maxRequestLength value

1. Find the Outlook Web App Web.config file on the Client Access server. The default location is <drive>\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa.
2. Make a backup copy of the web.config file.
3. Open the original file using an editor such as Notepad. Don’t use Internet Information Services (IIS) Manager to edit the Web.config file.
4. Find maxRequestLength and change it to the value that you want. The value is stored in kilobytes (KB). The default value is 35000. The following example shows the maxRequestLength value in the Web.config file.
<httpRuntime maxRequestLength="51200" />
Note: This is 50 MB (1024 X 50)
5. Save and close the file.

EWS Attachment Sizes:  (Note: This must be completed on every CAS server)
1. Find the EWS Web.config file on the Client Access server. The default location is C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\ews
2. Make a backup copy of the web.config file.
3. Open the original file using an editor such as Notepad. Don’t use Internet Information Services (IIS) Manager to edit the Web.config file.
4. Find maxRequestLength and change it to the value that you want. The value is stored in kilobytes (KB). The default value is 35000. The following example shows the maxRequestLength value in the Web.config file.
<httpRuntime maxRequestLength="51200" />
Note: This is 50 MB (1024 X 50)
5. Save and close the file.
Restart IIS.

ActiveSync Attachment Sizes:  (Note: This must be completed on every CAS server)
1. Find the ActiveSync Web.config file on the Client Access server. The default location is C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Sync
2. Make a backup copy of the web.config file.
3. Open the original file using an editor such as Notepad. Don’t use Internet Information Services (IIS) Manager to edit the Web.config file.
4. Find maxRequestLength and change it to the value that you want. The value is stored in kilobytes (KB). The default value is 35000. The following example shows the maxRequestLength value in the Web.config file.
<httpRuntime maxRequestLength="51200" />
Note: This is 50 MB (1024 X 50)
5. Save and close the file.
Restart IIS.


**Update**

Following the below, I actually experienced this again when I couldn’t break the group down to members and add them to another group. The issue was that this group was a legacy Distribution Group from 2003 that just needed resetting as per below (with its correct details):

Set-DistributionGroup -Identity "Accounting" -DisplayName "Accounting Group"

**Old Fix**

I was trying to add group-to-group permissions in Exchange so that all members of one group would have access to another group’s Inbox, and was getting the following error:

“found in Active Directory but isn’t valid to use for permissions”

The PowerShell code is below. I set DistGrouptohavePermission to an SMTP email address of the group, as well as confirming it was a Universal Security Group, and it still came up with the error.

I then changed the DistGrouptohavePermission value to the MailNickName of the group (can be found in the Extended Attributes) and it went through OK.

# change to preferred accessrights (see "Get-Help Set-MailboxFolderPermission -Parameter AccessRights")
$accessrights = "Editor"
 
# set Identity to distributiongroup alias
$distributiongroup = Get-DistributionGroup -Identity "GroupWillAllTheUsers"
 
# normally no changing after this line
$groupmembers = Get-DistributionGroupMember -Identity $distributiongroup | Where-Object { $_.RecipientType -eq "UserMailbox" }
foreach ( $member in $groupmembers )
{
	# start with an empty array so -contains below compares individual entries
	$permissions = @()
	$mailbox = Get-Mailbox -Identity $member.alias
	$inbox = (($mailbox.SamAccountName) + ":\" + (Get-MailboxFolderStatistics -Identity $mailbox.SamAccountName -FolderScope Inbox | Select-Object -First 1).Name)
 
	foreach ( $perm in ( Get-MailboxFolderPermission -Identity $inbox ))
	{
		$permissions += @($perm.User.DisplayName)
	}
 
	if ( $permissions -contains $distributiongroup.Name )
	{
		# Distributiongroup already has permission groupmember inbox
		Set-MailboxFolderPermission -Identity $mailbox.SamAccountName -User "DistGrouptohavePermission" -AccessRights $accessrights
		Set-MailboxFolderPermission -Identity $inbox -User "DistGrouptohavePermission" -AccessRights $accessrights
	}
	else
	{
		# Distributiongroup has no permission to groupmember inbox
		Add-MailboxFolderPermission -Identity $mailbox.SamAccountName -User "DistGrouptohavePermission" -AccessRights $accessrights
		Add-MailboxFolderPermission -Identity $inbox -User "DistGrouptohavePermission" -AccessRights $accessrights
	}
}

SolarWinds make a free GUI tool for this: http://downloads.solarwinds.com/solarwinds/Release/FreeTool/SolarWinds-Freetools-MS-Mini-Utilities.zip

More AD Cleanup Tools

http://www.adaxes.com/blog/cleanup-active-directory-with-powershell.html

You can run these commands in a command prompt on any DC or PC with the Active Directory tools installed.

Time period = weeks, so for example let’s work with 6

Computer Accounts

Find Old Computer accounts across the whole domain older than 6 weeks

dsquery computer -inactive 6 -limit 0

Find computer accounts older than 6 weeks and disable

dsquery computer -inactive 6 -limit 0 | dsmod computer -disabled yes

Find old computers in a container (CN)

dsquery computer -inactive 6 -limit 0 CN=Computers,DC=domain,DC=local -scope onelevel

(-scope onelevel is added to stop it going further than the current folder)

Find old computers in an Organizational Unit (OU)

dsquery computer -inactive 6 -limit 0 OU=Clients,DC=domain,DC=local -scope onelevel

(-scope onelevel is added to stop it going further than the current folder)

User Accounts

Find Old User accounts across the whole domain older than 6 weeks

dsquery user domainroot -name * -inactive 6

Exchange Active User accounts

(Get-MailboxStatistics -Server <exchangeservername> | where {$_.LastLogonTime -gt ((get-date).AddDays(-60))}).count

Find Old User accounts across the whole domain older than 6 weeks and disable

dsquery user domainroot -name * -inactive 6 | dsmod user -disabled yes
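
The dsquery | dsmod pipelines above disable everything they match in one step. The following added example (not part of the original post) does the same search with the ActiveDirectory PowerShell module but writes the list to a file for review and only previews the disable. It assumes the ActiveDirectory module (RSAT) is installed; the report file name is hypothetical.

```powershell
# Added example: find inactive computer accounts, record them, preview the change.
# Assumes the ActiveDirectory module and rights to modify computer accounts.
Import-Module ActiveDirectory

$weeks  = 6    # same window as the dsquery examples above
$report = "stale-computers-$(Get-Date -Format yyyyMMdd).csv"   # hypothetical file name
$stamp  = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive $weeks+ weeks"

# Enabled computer accounts with no logon inside the window
$stale = @(Search-ADAccount -AccountInactive -ComputersOnly `
                -TimeSpan (New-TimeSpan -Days ($weeks * 7)) |
           Where-Object { $_.Enabled } |
           Sort-Object LastLogonDate)

# Keep a record of exactly what was matched, so it can be reviewed and reversed
$stale | Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -Path $report -NoTypeInformation

"{0} enabled computer accounts inactive for {1}+ weeks; list written to {2}" -f `
    $stale.Count, $weeks, $report

# Dry run: -WhatIf prints what would change without changing it.
# Remove -WhatIf from both commands once the CSV has been reviewed.
foreach ($computer in $stale) {
    Set-ADComputer -Identity $computer.DistinguishedName -Description $stamp -WhatIf
    Disable-ADAccount -Identity $computer.DistinguishedName -WhatIf
}
```

Swapping -ComputersOnly for -UsersOnly gives the equivalent review list for user accounts.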

 
