https://zerossl.com/free-ssl/#crt Leverages Let's Encrypt, just make sure you get a wildcard. Also you need to own a domain as well. Should only cost like $10 for a year. Use https://namecheap.com for the domain registrar. Thank me later :)
You really would be better off using MigrationWiz or IMAP to migrate
Pretty sure Microsoft now has bought https://mover.io/ and you can use it for free.
It really would be a much easier option for you. Probably quicker too.
See Understanding Exclusive Scopes, specifically this line:
When you create an exclusive scope, only those who are assigned that exclusive scope, or an equivalent exclusive scope, can modify the objects that match the scope. Role assignees who aren't assigned that exclusive scope, or an equivalent, can't modify the objects that match the scope, even if their own roles have scopes that would otherwise include the objects. Exclusive scopes override any other regular scope that isn't exclusive. This behavior is similar to how a deny access control entry (ACE) on an Active Directory access control list (ACL) functions.
Also Create a Regular or Exclusive Scope, step 1, Exclusive Scope:
Caution:
When you create exclusive management scopes, only the role assignees assigned exclusive scopes that contain objects to be modified can access those objects. Only those administrators assigned a role with the exclusive scope can access these exclusive, or protected, objects.
You can use delegate permissions to control the access: http://office.microsoft.com/en-us/outlook-help/allow-someone-else-to-manage-your-mail-and-calendar-HA010075081.aspx
If you are using Exchange 2010 you can also use the Add-MailboxFolderPermission and Set-MailboxFolderPermission cmdlets: http://technet.microsoft.com/en-us/library/dd298062%28v=exchg.141%29.aspx
Edit: folder not fodler
If your ISP blocks outbound port 25 then you're going to be out of luck.
On top of that, a lot of providers will block traffic from residential IP ranges entirely and almost all of them will block traffic from servers without a valid reverse (PTR) DNS record.
Try this test to see if you've got the basics up and running.
Yes this has been possible at least as far back as Exchange 2007. You can check the IIS logs on the Exchange Client Access Server(s).
I'm currently looking at an Exchange 2010 CAS and the logs are in this folder: C:\inetpub\logs\LogFiles\W3SVC1
The logs can get quite large if you have lots of users (ours exceed 1 GB per day) so you may want to use a script or 3rd-party tool to parse them automatically. For manual viewing and searching of the logs I love to use Glogg http://glogg.bonnefon.org/
You should be backing up Active Directory on a regular basis already. While Windows Server Backup can do this, you are probably better off with something more potent, such as Veeam Backup & Replication Community Edition (Free).
Likewise, you should also already be backing up Exchange in order to flush the transaction logs on a regular basis, which would otherwise chew through your disk space in no time at all.
If things really mess up during the upgrade, you'll have to implement Exchange Server recovery procedures. But that has been so far unheard of around here. The CU is a complete Exchange installation and it goes through a whole battery of prerequisite checks before it even allows you to proceed. The worst case that I've read about on here is that somebody had to re-run the setup process to fix things.
You get .NET 4.5. Perhaps you need to install 3.5
Which, even though it shows up in Roles and Features as something you can add, can be a bit of a pain in the arse...so you have to do some workarounds
http://superuser.com/questions/817096/installing-net-framework-3-5-on-windows-server-2012 or http://blog.dbi-services.com/winows-server-2012-r2-failed-to-install-net-framework-35/
There are a few methods, but basically you either download the offline installer for it, or you mount an ISO of Server 2012, run a DISM command to point it to the mounted drive, and tell Add Roles and Features where to look for it.
http://technet.microsoft.com/en-us/library/bb201670%28v=exchg.80%29.aspx
fuck I forgot there is one more attribute.
Here, just use this toolbox and edit the limit to the send/receive limit + 20%. There is a known issue with some clients (mainly MAC) where the bloat of a file attachment goes up 20% over the original size. For example: when I sent a message through Outlook for Mac 2011 that is 11MB, it bloats up to 20MB. Insane, I know, but it's the way the ASP.NET module encodes the packet.
Here is the link: http://technet.microsoft.com/en-us/library/hh529949(v=exchg.141).aspx
The other attribute we are missing is "http MaxReceivedMessageSize"
First off, the Exchange Mgmt tools on your system will need to be at the same version as Exchange to properly manage them. So update Exchange locally & when you're done update the tools on the client.
As for your environment, assuming all the basics like an EXCHANGE AWARE backup that will truncate the log files (which will speed up the update because it will make updates to the db & the fewer transaction logs the quicker it will go) then it should be pretty straightforward.
Reboot the servers before you start anything, this is to verify there are no pending updates.
Traditionally in clustered environments you would update the passive node then fail over to it, then update the formerly active node then fail back. I would follow the below guidance for SCR clusters.
http://technet.microsoft.com/en-us/library/bb885043(v=EXCHG.80).aspx
After that verify all databases are mounted & mailflow is working. Maybe bounce the servers again for good measure & verify nothing ugly is showing up in the event logs.
I've been working with my fellow Exchange MVPs Tony Redmond and Michael Van Horenbeeck, as well as Jeff Guillet and others helping with technical reviews, on a new ebook titled "Office 365 for Exchange Professionals".
We're planning to have the ebook released in early May.
I wanted to post about it here for two reasons:
1) We're focusing on ebook publishing for this title, because the rate of change and innovation in Office 365 would make traditional publishing processes impossible. This allows us to more easily update the ebook over time to stay accurate and relevant. I strongly believe that e-publishing is the future of tech publications. You can read more about this from Tony (he has many years of experience in traditional publishing) here:
http://thoughtsofanidlemind.com/2015/03/03/office-365-for-exchange-professionals/
2) We'd love to hear from you about any topics or challenges you'd like to see covered in a guide for Exchange professionals who want to transition their skills to Office 365. We've got heaps of stuff already, but nothing beats hearing directly from people in the trenches what they need help with. If you've got something in mind, please fill out this very simple survey form:
Fix the legacyExchangeDN attribute / add X.500 addresses to the mailboxes corresponding to the failing name. See http://www.rackspace.com/apps/support/portal/6233 for examples--the relevant Google search keywords are: exchange x.500 address
Why are you using a different FQDN for internal connections? Is this name on the certificate as well? I highly recommend using split-DNS and using the same names internally and externally.
Your test with the browser seems to be successful; a 600 Invalid Request is the expected result.
How did you configure the InternalURL and ExternalURL values for the virtual directories?
And please run this test with Outlook: http://www.addictivetips.com/microsoft-office/outlook-2010-test-email-auto-configuration/ Create a POP/IMAP SMTP with fake server details to load Outlook, then use the process described in the article to verify AutoDiscover.
Well, this message is coming from the recipient's mail server, so you will have to contact their admins to obtain details about why they are deferring mail from your server.
In the meantime, verify your reverse DNS, SPF, DKIM, DMARC are in order, and check your IP against blacklists with a tool such as MXtoolbox.
Yeah, you have an open relay someone is connecting to. You can punch your mail server in here and it will run diagnostics and tell you if you have one or not.
LetsEncrypt is a certificate authority, just like StartCom, GoDaddy, Digicert, or anyone else who can issue a certificate. It's not Linux specific or anything. The difference between LetsEncrypt and GoDaddy, for example is that LetsEncrypt's certificates are only valid for 90 days, whereas GoDaddy's are valid for a year or more (depending on how much you're willing to pay upfront). LetsEncrypt certificates are widely supported across all major browser vendors, and free.
In order to get a cert from LetsEncrypt, you would need an ACME client, a list of those can be found on this page.
This document appears to have the general guide of how to do Exchange 2010-2016 with LetsEncrypt.
Switch them to use the Outlook Android app (free) or Nine (paid, has versions for various MDMs and Android Enterprise too but the regular version works fine usually). They're both leagues better than the built-in Samsung app, not as fucky (it's been a problem for years), and have the same calendar app integrations. Just as easy to configure.
Unless they're domain admins or in some special domain group that Exchange needs inheritance on, you're likely gonna keep banging your head against a wall on this.
Ah, I believe you still have the transparency built into the distribution group: when you add them to a distribution group you can expand the distribution group from within Outlook and the users can all see who is involved with the conversation.
If you want to lock down the distribution group so only certain users can email it, that is another option.
So some of your users do not like it if they receive the email they just sent because they are in a distribution group. They can set up a rule.
Using Outlook 2010/2013:
Click the File tab.
Click Manage Rules & Alerts.
In the Rules and Alerts dialog, select the E-mail Rules tab and click the New Rule... button.
In the Rules Wizard dialog, select Apply rule on messages I receive and then click Next. Check the from people or public group condition. In the lower box, click the people or public group link and then select your own name in the Rule Address dialog.
Click OK to close the Rule Address dialog, and then click Next.
Check the following actions: "delete it" and "stop processing more rules". Click Next. (Optional) If you routinely send yourself mail for other reasons, you may want to check the "except if my name is in the To or Cc box" exception.
Click Next. In the last step, specify the name for your rule. (Optional) If you want to delete existing emails already in your inbox, check Run this rule now on messages already in "Inbox".
Click Finish.
Something else to consider is if you're looking to capture all email conversations, you may want to look into journaling the messages within your organization if public records are a concern. (Source 'credit where credit is due'- http://superuser.com/questions/615462/how-can-i-avoid-receiving-a-copy-of-an-email-i-send-to-an-exchange-distribution/741633)
I am a bit busy running ESEUTIL /R (no joke, god damn it) but take a look at this:
http://technet.microsoft.com/en-us/library/dd351049(v=exchg.141).aspx
You have a three node DAG, so the FSW is not required or utilized. The FSW is used in an even number of DAG nodes, as to reach a quorum technically you need an odd number of votes.
If the site running the Active nodes fails, you are going to need to run through the steps in the link above.
As one of the Exchange Principal PMs said once during a class he was giving:
*over (fail or switchovers) are not automatic by design in Exchange 2010. You can program some stuff to do it, but they are a manual process.
The *over comment talks about everything (CAS, Mailbox) during a site *over. Local you should be fine, once again we are talking if one of the DC / Sites explode and you are attempting to recover.
So I can assume the two RODCs are joined to AD-integrated DNS? Reference: http://technet.microsoft.com/en-us/library/cc742490(WS.10).aspx
The second portion to this would be to ensure that the passwords are being stored on the RODC from the DC.
You should check out both RODCs for NETLOGON errors or other errors within the Event Viewer: Application log.
Ok, I got through it and was able to uninstall cleanly. Here was my process.
Thanks for the help!
To the Exchange MailUser object.
This is not an end state design, it's a cross forest mailbox migration
http://technet.microsoft.com/en-us/library/bb124251(v=exchg.141).aspx
Configuring Autodiscover for Cross-Forest Moves The Autodiscover service can provide user profile information to connecting Outlook clients for mailboxes that have been moved from one Microsoft Exchange forest to another. For this to happen, you must configure a mail-enabled user in both the original forest where the user's mailbox resided and in the target forest using the New-MailUser cmdlet. In the source forest, you should use the ExternalEmailAddress parameter in the cmdlet to specify the new e-mail address of the mailbox in the target forest. For more information, see New-MailUser. When you configure a mail-enabled user, the Autodiscover service in the original forest will redirect the authenticating user to the new e-mail address in the target forest. The connecting Outlook client will then be redirected to the Client Access server in the target forest where the mailbox has been moved. For more information, see
You should simply be pointing them to the correct SMTP address space (e.g: my source forest was contoso.com, and the new forest is exchangeserver.com) and Autodiscover does the rest. I mean, for a domain-joined computer it's a little more complicated (not really - but it can be) but just make sure Autodiscover is set up properly, OA is working and authentication is right. Below is an updated CAS Article about Autodiscover. I would recommend reading it through and posting your questions here :)
http://technet.microsoft.com/en-us/library/bb124251(v=exchg.141).aspx
If anything is confusing just ask, I won't bite. I am just a little busy right now trying to catch up on work (was out "sick" yesterday).
You would follow the procedure for performing a Datacenter Switchover. Basically creating another FSW (Alternate FSW) & forcing quorum on the other 2 DAG nodes. Process is detailed below http://technet.microsoft.com/en-us/library/dd351049(v=exchg.141).aspx
Not sure on 2010 but this 2007 article says the FSW can't be placed on DFS.
http://technet.microsoft.com/en-us/library/bb124521(v=EXCHG.80).aspx
Schnoll says it here too, but again only for 2007 CCR http://social.technet.microsoft.com/Forums/en-US/exchangesvravailabilityandisasterrecovery/thread/3728a3d6-dc51-40ae-a631-a92e93a358b8
Not saying it won't work, probably just a supportability issue. They probably just don't want to mess with it. The only thing I can see it helping with is if a node had to lock the FSW to maintain quorum & get the extra vote; then someone reboots the FSW. However, I would still think the cluster service would detect the reboot & go down anyways.
Page Faults are normal, it's when it tries to find a page in memory but has to go to disk instead because the page is not in memory. Database page fault stalls should never happen and indicates a disk/memory issue. It's when the same thing happens and it is unable to pull from database into memory.
I'd work with the vendor to look at performance. Also, don't do tiered storage/data progression with jetstress, you're just wasting your time; it'll always fail.
Check out this session, my friend who works in Compellent Engineering presented. The recommendation is to use loadgen instead if you plan to use tiered storage.
I've used imapsync to do migrations successfully from various non-exchange systems to exchange.
I've always used it for bulk migrations, so it may be a bit too fiddly to bother setting up for a single mailbox. There is a list of online-based migration services on the imapsync website too.
Just so we're on the same page, this is the screen that you're getting the size from, correct? Also, what version of Outlook?
Looks like you might be having the reverse of the issue that this guy is having
Maybe this will help: Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2. Step 12 addresses how to hand over FSMO and what to do before/afterwards
Upon searching some more I found an Experts Exchange post (http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28470202.html) that prompted me to look into the same issue and noticed there were several pages of results (in PowerShell) when running
"(Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | % {[XML]$_.toXml()}).event.userData.eventXml| ?{$_.ActionID -like "ForceReboot"} | ft RequesterName"
against both servers. This led me to a KB article on Microsoft regarding the issue (https://support.microsoft.com/en-us/kb/2969070). I will have to wait until tomorrow around 10:50am central time to see if the problem persists as that is the time each day one of the servers would reboot.
If making this NIC config change fixes the issue, I will update here.
> Has anyone else seen this?
http://msexchangeguru.com/2012/08/21/quota-warning/
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28419380.html
It does seem to work if you set the values on the mailbox level, not per database. Interesting...
Some get through because they look legit. Look at the headers particularly the IPs. If you look at a few you will probably notice a trend and pattern in the IPs. From there you can block a range of IPs. Also a good tool is http://www.dnsstuff.com/tools to analyze the headers.
Have you locked down incoming port 25 traffic to ONLY google, at your firewall? I had one client that had the receive connector open to the internet. Spammers were bypassing their filtering entirely by ignoring the public MX record and emailing the server directly.
Edit:
Also check your incoming display names for lookalike ASCII characters. Spammers are wise to the display name blocking tricks now, so they will change one character in the display name to something else that looks exactly like an English character.
Plug them into this site and compare them: https://www.browserling.com/tools/text-to-ascii
Copy/paste your value from the mail flow rule, then copy/paste the value from the email as it was received and compare the ASCII codes
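The code-point comparison described in the comment above can also be done locally in PowerShell. This is an added example, not part of the original thread; the helper name `Compare-DisplayName` and the sample display names are constructed for illustration.

```powershell
# Added example (not from the thread). Compare-DisplayName is a hypothetical
# helper. It compares UTF-16 code units position by position, which covers the
# usual Cyrillic and Greek lookalikes; a character outside the BMP would show
# up as two units.
function Compare-DisplayName {
    [CmdletBinding()]
    param(
        # Value copied from the mail flow rule
        [Parameter(Mandatory = $true)][string]$Expected,
        # Value copied from the message as it was received
        [Parameter(Mandatory = $true)][string]$Received
    )

    $max = [Math]::Max($Expected.Length, $Received.Length)
    for ($i = 0; $i -lt $max; $i++) {
        # -1 marks "no character at this position" when the lengths differ
        $e = if ($i -lt $Expected.Length) { [int]($Expected[$i]) } else { -1 }
        $r = if ($i -lt $Received.Length) { [int]($Received[$i]) } else { -1 }

        if ($e -ne $r) {
            $eChar = if ($e -ge 0) { [string][char]$e } else { '' }
            $rChar = if ($r -ge 0) { [string][char]$r } else { '' }
            $eCode = if ($e -ge 0) { 'U+{0:X4}' -f $e } else { '(none)' }
            $rCode = if ($r -ge 0) { 'U+{0:X4}' -f $r } else { '(none)' }

            # Emit one row per differing position
            [pscustomobject]@{
                Position      = $i
                ExpectedChar  = $eChar
                ExpectedCode  = $eCode
                ReceivedChar  = $rChar
                ReceivedCode  = $rCode
                ReceivedAscii = ($r -ge 0 -and $r -lt 128)
            }
        }
    }
}

# Constructed sample: the rule value is plain ASCII, while the received name
# has CYRILLIC SMALL LETTER O (U+043E) in place of the first Latin "o".
# The character is built from its code point so the script file's encoding
# does not matter.
$ruleName     = 'Contoso Helpdesk'
$receivedName = 'C' + [char]0x043E + 'ntoso Helpdesk'

Compare-DisplayName -Expected $ruleName -Received $receivedName |
    Format-Table -AutoSize
```

Any row with `ReceivedAscii` set to `False` marks a position where the received name uses a non-ASCII character in place of the one in the rule.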
I'm not really sure you could track that unless you know who the senders are. By removing all the info listed (recipient, subject, body) you're removing a lot of the search options that would be used. The only thing left to trace would be the sender but sounds a lot like you don't know that either. I would start with having the users complaining about the issue to forward you a copy of messages so you can take a look at the email headers. Users will need to save the message as a .eml to ensure the headers are preserved and then send the .eml to you as an attachment. That will show you all the paths and info for the entire message. You can then use MXToolbox or the Microsoft Header Analyzer to make it legible and readable.
Have you read through this: https://technet.microsoft.com/en-us/library/dn789058%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396
Is DKIM setup for your domain?
I agree with the other poster, about running tests on https://mxtoolbox.com
I've seen this before, but never used it:
Otherwise, you could get a domain and a cheap web/mail host and set up a script. Pair that with an auto-forwarding rule in an on-prem mailbox.
You have a script running on the external site that sends a message to . Auto-forwards it to . Script is monitoring the mailbox and confirms the message arrived. Inbound and outbound mail flow are tested. Would take some work to set up.
Let's Encrypt will provide a free TLS certificate that is valid for 90 days.
Build some automation around renewing and installing the certificate, and you should be able to have a functional setup without spending a dime on TLS certs.
In this Ex2003 environment, what are the mailbox sizes? It's been some time since I had to manage a 2003 environment, though back then mailbox sizes were fairly small compared to today. Ex2003 just didn't scale large mailboxes very well. 50 or 100mb were common limits at the time. So if the mailbox sizes are small, Exmerge can likely get the job done. I don't know if the connectors for mover.io can even work with Ex2003. Most connectivity was over MAPI. I'm sure I have copies of exmerge around here somewhere. I recall a version of it was released sometime around Exchange 2010 and 2013 that did away with the 2GB limit.
I recently held a copy of this book for an hour or 2 from a colleague studying for 341. I found it insightful and helpful in a practical sense for administrators trying to study, as it cuts away the unhelpful parts I find in most MS Press books.
It all depends on your study process I guess. I generally don't use books to study and only half look at study guides. Searching Technet and Channel 9 is where I get most of my info.
Any reason why you are trying to use email for this? Even if this was easily doable, how many respondents would forget to remove their signature with contact details in it (probably giving their identity away)?
Why not use a proper survey tool for this like SurveyMonkey or one of the many alternatives? And if you don't trust externally hosted stuff, a quick Google turns up this FOSS option you can host internally: https://www.limesurvey.org/en/
Are we supposed to be mind readers?
OK - in agreement with Stormblade73 - I have been going down the "Intermedia will fix this" route for several days now. After more examination and testing, it seems they may be washing their hands of the problem. From some Wireshark captures, they determined that some Outlook clients going to the specific hosted Exchange server are spontaneously falling back to TLS 1.0 from TLS 1.2. When this happens, the connection fails. I disabled TLS 1.0 on these machines, both in the Internet options and within the Registry, but it does not matter. Outlook is somehow making its own decision to reset.
Here is the last reply from Intermedia:
"The only thing I still think could be causing an issue is something client/network side filtering for west.xxxx.serverxxx.net. As I mentioned before, we see no other customers experiencing this type of behavior on West xxxx091, the TLS versions and availability between xxxx091 and xxx092 as well as between Westxxxx1 and Easxxxx1 are configured the same way.
On the xxxx91 capture for Outlook, I do see it starts out as TLS 1.2 as expected, Client Hello, Server Hello, Cipher Suite agreement, Key Exchange, etc all happen using TLS 1.2. Something then appears to occur after a "FIN, ACK" packet from our server to your client machine. After that packet, a "RST, ACK" packet is issued from the client side to us. After that RST is sent, that's when I see the Client Hello switch over to TLS 1 and this continues with us then sending a RST since the TLS 1 version isn't available on the servers."
I have tested relocating these machines behind a different firewall and also fully disabling AV during email config.
Here is the WireShark Capture:
https://monosnap.com/file/FniFN85eyyrUNRZsRbDy92qEpc2zZH
Back to square one now....
Can anyone think of any reason that Outlook would fall back to TLS 1.0 on its own?
It adds the following Keys / values to the registry at HKCU:\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover\.
see image:
> I face something similar. I assume it keeps trying to go on Office365 servers because it's preferring the root domain autodiscover redirection. Could you try the following? Set-ItemProperty HKCU:\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover\ ExcludeExplicitO365Endpoint 1 -Type DWord
Set-ItemProperty HKCU:\SOFTWARE\Microsoft\Office\16.0\Ou
Yes have tried this. See reg key here:
Yes - I tried their AutodiscoverReg.fix, and it put the following keys in:
https://monosnap.com/file/qq3RnQPq80BCqSoOPV9QL9nu0tntMP
Have been working with L2 Support at Intermedia for multiple hours / days, and they do not have an answer yet.
You can override Implicit Write & Configuration scopes but not Read scopes.
http://technet.microsoft.com/en-us/library/dd335146(v=exchg.141).aspx
Most organizations are fine with this. They don't care if a jr admin can see objects, they just don't want them to be able to change anything. However, if this is unacceptable to you then I'm not exactly sure how to get around it.
Your workaround seems sound but the error you're getting is because any write or config scopes you configure must fall within your read scope. Below is a quote from the article I linked to above:
"The implicit write scope of a role is always equal to, or less than, the implicit read scope. This means that a role can never modify objects that can't be seen by the scope."
[disclaimer - I work at MSFT]
If I were in your position with only 17 users in my org, I'd seriously consider moving to Office 365. On-premises Exchange is overkill for the size of your organization. If you go with Office 365 Midsize Business, for example, you not only get Exchange 201*3* but also get Lync and SharePoint - two tools that greatly increase business productivity and collaboration. Without the need to purchase and maintain that additional infrastructure. You also get rights to the full Office 2013 suite for each licensed user.
With Office 365 Midsize Business you also get SkyDrive storage, the ability to do single sign on, and other stuff. Check out Office 365 Midsize Business for more info.
We even have tools to help you move from your on-premises deployment to Office 365. Check out the Exchange Deployment Assistant and click "Cloud Only".
Sounds good pal :) Cheers!
The 500MB isn't bad, but you want to make sure you have enough free disk space in the event that backpressure occurs:
http://technet.microsoft.com/en-us/library/bb201658(v=exchg.141).aspx
I would explain this - but it's long. The article does a good job.
Editing
This post helped me remember something critical:
http://technet.microsoft.com/en-us/library/bb123996(v=exchg.80).aspx
The clustering methods and builds within Server 2003 and 2008 are different. With this said the following bullet point towards the bottom:
> Both nodes in the cluster must have the Windows Server 2008 Enterprise operating system or the Windows Server 2003 Enterprise Edition operating system installed on each node of the cluster using the same boot and system drive letters. You cannot have a cluster with one node running Windows Server 2008 and the other node running Windows Server 2003. Mixing operating system versions in a failover cluster is not supported.
It's not supported. Why? Because the way the Failover Cluster Manager / Cluster Administrator operate, they are quite.
I'm stumped. I looked through my old notes, and I saw this but on a system folder, which is explainable. This is not a system folder.
Maybe try making a new Exchange Org Admin account, and doing this:
http://technet.microsoft.com/en-us/library/bb123522(v=exchg.141).aspx
Basically replacing the permission set on the folder to make the new admin the owner, and then replicate the PF to the other DB so it can delete.
Interesting. The defaults should be below but it definitely shouldn't be trying it that frequently. Are there any third-party Transport Agents or Anti-V/Anti-Spam plugins installed on Edge? I've sometimes seen them cause issues with hanging connections open or in this case potentially causing excessive retries. Looks like my work is blocking your log repository so I may have to look later.
http://technet.microsoft.com/en-us/library/aa998043(v=EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb123505(v=EXCHG.80).aspx
It needs to be mail-enabled. This cmdlet only accepts Alias and SMTP address for the user parameter.
http://technet.microsoft.com/en-us/library/dd298062(v=exchg.141).aspx
User Required Microsoft.Exchange.Management.StoreTasks.MailboxFolderUserIdParameter The User parameter specifies who's granted permission to view or modify the folder contents of the user specified in the Identity parameter. The following values are acceptable: Alias SMTP address
Looks like you had a better/more detailed link than I do. I usually reference this one
http://technet.microsoft.com/en-us/library/aa996835.aspx
Added your EWS one to my OneNote for future use though. Thanks.
In Exchange 2010, the only thing that needs to be the same is the Exchange Organization name.
Technically this can be done with the Legacy DN Tool but is unsupported
http://download.cnet.com/Microsoft-Exchange-Server-LegacyDN-Utility-tool/3000-2383_4-10732125.html
There is the old iPhone Configuration Utility but Apple stopped supporting it about 18 months ago so I'm not sure how it handles newer iOS versions.
Once you're in the Apple ecosystem you just kind of have to accept they're going to fuck you over if you're not all in. If you're lucky they might do a Windows version of a thing, but it's purely a courtesy on their part and not something to rely on a) working properly or b) being around for any length of time.
To migrate from Exchange 2007 to 2013 for smaller organizations like yours, it would be best to keep the number of servers required to a minimum, so you should choose the double-hop migration technique for migration. But Microsoft did not allow direct migration from one version to another skipping the previous one. So while doing the migration manually, first you need to migrate from Exchange 2007 to 2010 and then further from 2010 to 2013. As this process is very time-consuming and insecure, and there is also a high risk of data loss, the safest way is to try a third-party tool for migration. I would like to recommend a professional migration software, Stellar EDB to PST converter, which migrates quickly and securely from one version to another, keeping your data intact. To know more about this tool visit: http://download.cnet.com/Stellar-EDB-to-PST-Converter/3000-2369_4-75605150.html
This looks to maybe be a different issue and didn't solve anything even though I've had these regedits fix things in the past.
When I apply these regedits and verify that they exist I'm getting the following: https://snipboard.io/QAIbdo.jpg - I know for a fact that I have an encrypted connection to my mail server. I'm sort of at a loss here.
Any customization on OWA pages? FrameElements errors are generic for web pages. Something like (http://serverfault.com/questions/714794/owa-users-getting-critical-error-when-accessing-their-options ) or (https://support.microsoft.com/en-us/kb/317471) may help. I have read elsewhere it's a bug, so might as well be one. :)
Exchange has a deep relationship with AD and it will need some Active Directory environment, with one domain controller being at the least a full global catalog server to stand up properly.
Least path of resistance if you do happen to still have the old server(s) handy - you only need one operational server housing the main active copy to access MBs:
If you have access to the old server - work on getting that up and running temporarily. Access the server (RDP/remote/terminal, etc) then download and run WinDirStat. It's just a quick way to see and map out where the hell the data is, what is taking what room.
If it is a VM, expand the data drives on your virtual platform. If it's an old POS physical server, then look to carve out garbage to build room for Exchange to take off.
With WinDirStat reporting your data points, to quickly carve some room you will want to look at "delete friendly" items, even old logs, like IIS logs, etc. DO NOT delete your EDBs (your Exchange databases), or their related transaction logs. Look to carve fat and nonsense away to get space back like ISOs, installers, downloads folder - anything to regain some space.
If you have access to the servers, you can expand their drive space or clean up space to get exchange to start - if you can at least get the application layer going, services running - you can then start to see what databases are mounting, or the state of things at that point.
ok, are you sure ? : )
I read this thread : http://www.experts-exchange.com/questions/22056515/Do-I-need-to-keep-the-local-email-address-in-AD-or-in-the-Recipient-Policy-for-any-reason.html
Where Sembee (an Exchange MVP whose advice I have used a lot over the years) says it is a bad idea (it is a post from 2006 though : )
>"Sembee
>
>Expert Comment 2006-11-10 at 11:14:01 ID: 17916877
>
>What is the AD's DNS domain?
>
>Is it domain.local or something else?
>If it is domain.local then you need to leave it in place.
>If it is something else (domain.com for example) then you can remove it.
>
>Never remove the domain that matches the internal DNS domain of the AD.
>
>Simon."
I tested the command and was able to successfully get the csv output. It was a lot of info, so I checked into a csv file size limit and found there isn't one (though I did find instances where people run into issues with large csv files due to the record limit in Excel, but that's another issue).
I did find this though when checking the error message:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28331448.html
The fact that your script is running for a few minutes before returning this error leads me to think that it is running correctly until it encounters a mailbox that is throwing the error, possibly due to corruption.
I would recommend trying to break up mailboxes into groups and seeing if you can get the csv to populate for each group. If you can, that would seem to confirm that the issue lies with one of the mailboxes and not the PS command.
I just did some quick searching, haven't really looked into this or tested, but the script says it'll target all items in a folder:
http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28505817.html
Did some quick searching.
Read through this one and check the response from Russian Wings.
Hope it helps.
I know it's best practice but since it's for such a small personal setup I thought it would be ok and also unnecessary to have another AD VM to manage just for Exchange.
Haven't had any issues so far when testing things, I might separate the two roles onto different VMs when I put together a production system. The reason for this being that I read Microsoft doesn't support upgrading the OS on a server where Exchange is installed. So worried about this causing problems in the future, might not be worth it to put it all on the same box.
SPF has different categories of actions - it’s what YOU are telling other orgs to do with your email. So if you have a hard fail on your SPF, move to soft fail. Then verify if it improves. Also please note that while you may have contracted out, you can’t assume that contractor handled it correctly. I spend a large amount of my time policing work done by vendors.
https://mxtoolbox.com/problem/spf/spf-record
You probably took a hit with major recipients too. Try https://support.google.com/mail/contact/bulk_send_new?rd=1
Just because you aren’t blacklisted doesn’t mean aol, Gmail, and others aren’t doing it internally. Additionally your marketing should come from a service, a sub domain, be easy to unsubscribe from.
Open the message (any message originating from your server), copy the header and paste it in the box here:
https://mxtoolbox.com/EmailHeaders.aspx
Post the results here.
As a general rule of thumb you can check your email health on mxtoolbox:
Domain Health Check - Online Domain Tools - Blacklist, Email, Website, DNS - MxToolBox
...I'd recommend resolving all errors/warnings apart from DMARC for the time being.
Do you have access to your spam filter/relay logs on the No-IP servers? Have you checked your Exchange logs to see when the email hit the Exchange server? Does it hit the Exchange server a day after the 3rd party has sent it or does it hit the Exchange server and take a day to process?
In your receive connectors, do you only allow inbound traffic from the No-IP smarthosts or is it allowing from anywhere?
After further digging, a lot of services don't appear to be configured for automatic configuration like Autodiscover. I'd also recommend setting up a new subdomain of mail.devonenet.com and hide your Exchange server(s) behind it rather than using the parent domain or devexch02.devonenet.com
Current DNS records for devonenet.com - SecurityTrails
From the lack of basic setup, no trusted cert and No-IP usage I assume this is a dev environment?
Check the message headers for the problematic emails and then plug it all into an analyzer, and let it tell you where the delay is. Might not even be with your end, or any portion you manage.
How about you open a message that is delayed, copy the header info into mxtoolbox.com under analyze headers. It will show you at which hop it was delayed. Are you using an upstream email filtering provider?
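The header analysis suggested in the two comments above can also be done offline. This is an added example, not part of the original posts: it reads the `Received` headers of a message, orders the hops chronologically and reports the delay between each pair. The sample message, host names and timestamps are constructed for illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hosts, IDs and times are made up for illustration.
SAMPLE = """\
Received: from edge.example.net (edge.example.net [192.0.2.10])
\tby exch01.example.org with ESMTPS id abc123;
\tTue, 05 Mar 2024 09:15:42 -0500
Received: from filter.example.net (filter.example.net [192.0.2.20])
\tby edge.example.net with ESMTP id def456;
\tMon, 04 Mar 2024 14:02:11 +0000
Received: from sender.example.com (sender.example.com [198.51.100.5])
\tby filter.example.net with ESMTPS id ghi789;
\tMon, 04 Mar 2024 14:02:05 +0000
From: hr@example.com
To: user@example.org
Subject: constructed test message

body
"""


def received_hops(raw):
    """Return [(receiving_host, utc_datetime)] in chronological order."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        info, _, stamp = value.rpartition(";")  # timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # malformed or missing date: skip this hop
        if when.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
            when = when.replace(tzinfo=timezone.utc)
        by = re.search(r"\bby\s+(\S+)", info)
        hops.append((by.group(1) if by else "unknown", when.astimezone(timezone.utc)))
    hops.reverse()  # the newest Received header is on top
    return hops


def hop_delays(raw):
    """Seconds between consecutive hops; negative values mean clock skew."""
    hops = received_hops(raw)
    return [(a[0], b[0], (b[1] - a[1]).total_seconds()) for a, b in zip(hops, hops[1:])]


def slowest_hop(raw):
    """Return the (from_host, to_host, seconds) triple with the largest delay."""
    delays = hop_delays(raw)
    return max(delays, key=lambda d: d[2]) if delays else None


if __name__ == "__main__":
    for src, dst, secs in hop_delays(SAMPLE):
        print(f"{src} -> {dst}: {secs:.0f}s")
    print("slowest:", slowest_hop(SAMPLE))
```

The timestamps are written by each server's own clock, so a small or negative delay usually means skew rather than a fast hop.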
Strong passwords don’t really mean anything if a user falls for a phishing attempt and types in their current password. You really need multi-factor authentication to help with that.
If you have a client facing SMTP service published to the internet it can be used with those phished credentials. There are other programmable / scriptable interfaces as well (EWS, Outlook client Macros, etc.) that can make use of them as well.
What does your inbound internet SMTP email situation look like? Verify it can’t be used as an open relay on the internet:
https://mxtoolbox.com/diagnostic.aspx
If you have an anti-spam service in front of Exchange, verify you only accept inbound SMTP from that service.
There have been some Exchange 2010 exploits that require the latest service pack and roll up as well. Usually it is an exploit in OWA with a specially crafted message a user clicks on.
>Here's an example in the real world
>
>https://mxtoolbox.com/SuperTool.aspx?action=SPF%3asalesforce&run=toolpage#
I'm guessing you mean the exists and %{i} stuff? That's really interesting and I'll need to look into that, although in our case it's all 3rd-party infrastructure so might be more difficult without some serious automation in play...
>Also if you are doing Dmarc you can ignore SPF it will never survive mail forwarding. Just make sure DKIM passes and validates.
Easier said than done. Still many third-party platforms that don't offer DKIM support, so SPF is the only option. Example: The HR platform that's prompted this whole question in the first place. And yes we are doing DMARC, although that required getting a service that didn't do either DMARC nor properly-aligned SPF effectively shuttered (if you're curious, that was actually Google of all things -- specifically Google Classroom; technically we're still using it, but not receiving emails from it).
>Then SPF is useless, and if the server you're sending to doesn't support DMARC you shouldn't be doing business with them.
Yeah, as a K-12 school district I don't have the luxury of dictating who we "do business" with, so I have to be able to send to any mail server.
Here's an example in the real world https://mxtoolbox.com/SuperTool.aspx?action=SPF%3asalesforce&run=toolpage#
Also you can do SPF flattening but that causes issues since you're doing includes when they update DNS. The above gets around that since it's continually updated. https://dmarcian.com/spf-survey/
Also if you are doing DMARC you can ignore SPF, it will never survive mail forwarding. Just make sure DKIM passes and validates. Then SPF is useless, and if the server you're sending to doesn't support DMARC you shouldn't be doing business with them. Then if you use something like Mimecast for inbound you can use their SPF bypass feature to get around that limit.
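The lookup budget behind the flattening and `exists`/`%{i}` discussion above, as an added example that is not part of the original comments: RFC 7208 caps an SPF check at 10 DNS-querying terms, and this counts them by following `include` and `redirect` over a constructed set of TXT records. All domains, records and address ranges are made up.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per check

# Constructed TXT records standing in for live DNS (all names are made up).
ZONE = {
    "school.example": "v=spf1 mx include:_spf.mailhost.example "
                      "include:hr.vendor.example include:news.vendor.example -all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example include:_c.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "_b.mailhost.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "_c.mailhost.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "hr.vendor.example": "v=spf1 a mx include:relay.vendor.example ~all",
    "relay.vendor.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "news.vendor.example": "v=spf1 include:esp.example ~all",
    "esp.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    # Flattened copy: no lookups, but stale as soon as a vendor changes ranges.
    "flat.school.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                           "ip4:203.0.113.0/24 -all",
    # Macro style: the single exists: term costs one lookup per check.
    "macro.example": "v=spf1 exists:%{i}._spf.macro.example -all",
}


def count_lookups(domain, zone, path=()):
    """Count the terms that cost a DNS query, following include/redirect."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip "v=spf1"
        m = re.match(r"[+\-~?]?([a-z0-9]+)[:=]?([^/]*)", term, re.I)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect"):
            total += 1 + count_lookups(arg, zone, path + (domain,))
    return total


def over_limit(domain, zone):
    """True when evaluating the record would exceed the lookup limit."""
    return count_lookups(domain, zone) > LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("school.example", "flat.school.example", "macro.example"):
        n = count_lookups(name, ZONE)
        print(f"{name}: {n} lookups{' (over limit)' if n > LOOKUP_LIMIT else ''}")
```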
Hi sorry,
I think we spelled the domain wrong. I know it's a weird company name.
eurofase dot com
not
eruofase dot com
https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3aeruofase.com&run=toolpage
Probably a dumb question but have you looked at the message header? Could the message originate from a compromised internal mailbox?
If you push the header through something like mxtoolbox do you see external servers listed?
There's no (supported) way to use the free domain-validated Class 1 certificates from StartSSL for an Exchange system.
If you can wait about 2 months, Let's Encrypt will launch in the week of November 16th according to this revised launch schedule. You will be able to request free domain-validated SAN and wildcard certificates to your heart's content.
In this Ex2003 environment, what are the mailbox sizes? It's been some time since I had to manage a 2003 environment, though back then mailbox sizes were fairly small compared to today. Ex2003 just didn't scale large mailboxes very well. 50 or 100 MB were common limits at the time. So if the mailbox sizes are small, Exmerge can likely get the job done. I don't know if the connectors for mover.io can even work with Ex2003. Most connectivity was over MAPI. I'm sure I have copies of Exmerge around here somewhere. I recall a version of it was released sometime around Exchange 2010 and 2013 that did away with the 2GB limit.
First I would recommend using https://testconnectivity.microsoft.com/ and going through both ActiveSync tests and see if that picks up any problems. You will always see it fail on the first step as it will attempt to use your root domain (i.e. domain.com), and then it will use your correct mail server DNS (i.e. mail.domain.com).
Other than that you should see green marks all the way down.
If you are having issues with ActiveSync where you are having to manually input the details, then your AutoDiscover settings, and DNS are not correct.
This is speaking from Exchange 2010 land.
If TestExchange looks good, and Autodiscover looks good, and adding manual settings looks good, then you are simply missing another UPN in Active Directory. For example, your internal domain may be DOMAIN.NET, but email flows to DOMAIN.COM. Once you create a new UPN, you would go to the AD User Object Properties -> Account Tab -> Change the user logon name
http://www.tutorialspoint.com/shorttutorials/adding-alternate-upn-suffix-to-active-directory-domain
Ah OK. Makes more sense.
Firstly using what you got. I would make some email groups and put them in the handout. A miniature directory.
Please use the following email accounts to reach our various departments.
For recordings: Recordings
To be added to the Prayer Chain:
To meet with a pastor;
Etc.
This seems like the perfect use case for a ticketing system, it will allow you to track issues for progress/completion, will allow multiple people to work on an issue, can be assigned to the correct department/person, additionally it can be integrated into calendars etc. You could have one or two people monitor it and assign issues to the correct people so they only see what they need to see.
https://www.atlassian.com/software/jira/service-desk
Have an email address setup like , or multiple, etc. and have them auto assign to the correct staff. Could even share the interface for submitting requests with the congregation.
This will have many benefits for the organization outside of cleaning up his inbox as well.
There may be a terminology problem. People tend to use SSL and TLS interchangeably, but in the case of SMTP they are really different. I've had vendors with a similar issue I think, and they essentially didn't support STARTTLS, only SSL.
Exchange doesn't support SMTPS or implicit SSL, it supports STARTTLS.
Same thing applies: any Exchange client on an Android or Apple device uses the same mechanism: add the account, give it email and password, it autodiscovers everything. I personally have used the native Android client, Outlook for Android (which I dislike) and an app called Nine (which I do like).
What's funny is that on those clients, you WILL be able to see/edit the settings you are thinking of. But if you need to, something else is wrong and you should fix it.
Read the Technet docu, buy http://www.amazon.de/Microsoft-System-Center-Protection-Manager/dp/1849686300
Backup is pretty straight forward, it just works. Restoring mailboxes or databases is simple. Restoring individual messages or folders is a bit of a PITA since you have to use the Exchange tools for that (recovery database + powershell).
Both of these are good. I did the technical review for the second one.
http://www.amazon.com/70-341-Solutions-Microsoft-Exchange-Server/dp/0735697248
http://www.amazon.com/70-342-Advanced-Solutions-Microsoft-Exchange/dp/0735697418
Learning PowerShell (at the very least) is twofold: on one hand, a person needs to understand how scripts are structured and designed. On the other, a person needs the vocabulary and knowledge of commands. Neither of these is really something anyone new is gonna just absorb over lunch. But I would say that you can help yourself with this - although it's definitely not going to help you right away with this issue, it makes things easier in the long run:
http://www.amazon.com/Learn-Windows-PowerShell-Month-Lunches/dp/1617291080
There are free versions of Linux that will do more than your current router. You can get an entry level Cisco firewall for < $300. Upgrading to something appropriate for your environment would probably be more cost effective in the long run since you won't be wasting your time trying to find workarounds like this.
http://www.amazon.com/Cisco-ASA5505-BUN-K9-ASA-5505/dp/B000O0Z8GC
There's a bunch of products that do this. Google "room booking kiosk". I know there was one for Android I saw last year. I'll try to find it.
Edit: here's the one I was thinking of https://play.google.com/store/apps/details?id=com.gogetcorp.roomdisplay.v5