
–A–

address (email) policy – see email address policy

Adding a mailbox to your folder list – do not forget, on the Exchange server, to give the specific user Full Access permission to that mailbox.

aliases - let's say you're looking for some user named, "admin" - like admin@yourdomain.com

When I first started looking for this, I got several articles touting the following, which is useless:

get-alias admin*

The reason it's useless is that Get-Alias returns aliases for PowerShell commands, not mailbox aliases or email addresses. Tacking the "admin*" filter on the end just looks for command aliases that start with "admin".

This kind of works, but doesn't seem to find aliases:

get-mailbox -anr admin

This returns much the same, but again, doesn't seem to find aliases:

get-recipient -anr admin

same with this:

Get-Recipient -resultSize unlimited | select name -expand emailAddresses | where {$_.smtpAddress -match "admin@.*"} | Format-Table name, smtpaddress

and this:

Get-Mailbox | Select-Object DisplayName,@{Name="EmailAddresses";Expression={$_.EmailAddresses | Where-Object {$_ -LIKE "SMTP:*"}}} | Sort

and this:

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName,ServerName,PrimarySmtpAddress, @{Name="EmailAddresses";Expression={$_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}}}

Breaking the line above down: first, we get all mailboxes (Get-Mailbox -ResultSize Unlimited).

We pipe the results to Select-Object, where we select DisplayName, ServerName and PrimarySmtpAddress, and then build a script block to gather all secondary SMTP addresses (the primary SMTP address has a PrefixString of "SMTP"; all others are lower-case "smtp", which is why the comparison uses the case-sensitive -ceq):

@{Name="EmailAddresses";Expression={$_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}}}
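As an added example (not part of the original notes), here is a lookup that does find mailbox aliases and secondary SMTP addresses, evaluated on the server instead of scanning every mailbox client-side. "admin" stands in for whatever you are searching for; the filter syntax is the Exchange 2007/2010 OPATH form, and Alias and EmailAddresses are both filterable properties:

```powershell
# Added example, not from the original notes. Run in the Exchange Management Shell.
$needle = 'admin'   # what you are looking for (assumption: search prefix)

# 1. By the Alias attribute: "admin", "admin2", "administrator" ...
Get-Recipient -ResultSize Unlimited -Filter "Alias -like '$needle*'" |
    Select-Object Name, RecipientType, Alias, PrimarySmtpAddress |
    Format-Table -AutoSize

# 2. By any SMTP proxy address, primary (SMTP:) or secondary (smtp:).
#    EmailAddresses is stored as "prefix:address", and -like is case-insensitive,
#    so one pattern covers both kinds.
Get-Recipient -ResultSize Unlimited -Filter "EmailAddresses -like 'smtp:$needle@*'" |
    Select-Object Name, RecipientType, PrimarySmtpAddress,
        @{ Name = 'MatchingAddresses'
           Expression = { ($_.EmailAddresses |
                Where-Object { $_.PrefixString -eq 'smtp' -and $_.SmtpAddress -like "$needle@*" } |
                ForEach-Object { $_.SmtpAddress }) -join '; ' } } |
    Format-Table -AutoSize
```

The second query is the one that answers "who owns admin@yourdomain.com" when the address is only a secondary proxy address on some other mailbox, contact or group; Get-Recipient rather than Get-Mailbox is used so that mail contacts, mail users and distribution groups are included.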

Anti-spam agent, install on Hub Transport server

HOW TO: Install anti-spam agents on Hub Transport server

If you're using Exchange Server 2007 in a topology with an Edge Transport server, the anti-spam agents - Connection Filtering, Content Filter, Sender ID, Sender Filter, Recipient Filter, and Protocol Analysis - are installed on the Edge server. You do not need these agents installed on the Hub server(s).
In environments without an Edge server role, these need to be installed manually on the Hub Transport server(s).

To install anti-spam agents on a Hub Transport server, start Exchange Management Shell (EMS), navigate to the "\Exchange Server\Scripts" folder (by default C:\Program Files\Microsoft\Exchange Server\Scripts), and run:

.\install-antispamagents.ps1

Once installed successfully, the command will show each agent installed, whether it is enabled or not, and its priority.

After the anti-spam agents are installed, you can see the Anti-spam tab in Organization Configuration | Hub Transport node in Exchange Management Console. (If your console was open during installation, you will need to restart it).

In such deployments, you can either route inbound mail through your service provider/ISP, or configure Hub Transport servers to receive inbound email directly. Read previous post " Exchange Server 2007: Internet email without Edge servers".

Antispam for Exchange (Symantec) not working – see instructions here or here.  Supposedly, you shouldn’t have to do this after version 6.5.5.  But I still have to for 6.5.6.  Short story:

Stop a couple services:

Symantec Mail Security for Microsoft Exchange

Symantec Mail Security Utility Service

Go to C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server and look at the folders whose names start with bm_ruleset. They should be current and number somewhere between a dozen and a dozen and a half. If they are older than that, or there are more of them, move them to a temporary folder.

Move the following files to a backup folder:

.sequence.0

.sequence.2

blrm

hashes

Restart the following Windows service: Microsoft Exchange Transport (MSExchangeTransport).

Start the following Windows Services that you stopped earlier:

Symantec Mail Security for Microsoft Exchange
Symantec Mail Security Utility Service

You should see the bm_ruleset folders start reappearing.
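The steps above as one script, added here and not taken from the Symantec instructions the notes refer to. It assumes the 6.5 install path from the notes, that the two Symantec services can be found by the display names given above, that "old" means a ruleset folder not written in the last week, and that everything moved aside goes into a timestamped folder under C:\Temp (all assumptions):

```powershell
# Added example, not from the original notes or from Symantec. Run elevated on the Exchange server.
$smsmse   = 'C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server'              # path from the notes
$backup   = Join-Path 'C:\Temp' ("smsmse-backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))   # assumption
$staleAge = (Get-Date).AddDays(-7)                                           # assumption: "old" = over a week
New-Item -ItemType Directory -Path $backup | Out-Null

# 1. Stop the two Symantec services (display names as given in the notes)
$symSvc = Get-Service -DisplayName 'Symantec Mail Security for Microsoft Exchange',
                                   'Symantec Mail Security Utility Service'
$symSvc | Stop-Service -Force

# 2. Move aside stale bm_ruleset folders; a healthy server has roughly 12-18 current ones.
#    Where-Object PSIsContainer is used instead of -Directory so this also runs on PowerShell 2.
$rulesets = Get-ChildItem -Path $smsmse -Filter 'bm_ruleset*' | Where-Object { $_.PSIsContainer }
"bm_ruleset folders before: {0}" -f @($rulesets).Count
$rulesets | Where-Object { $_.LastWriteTime -lt $staleAge } | Move-Item -Destination $backup

# 3. Move the sequence, blrm and hashes files aside (names from the notes)
foreach ($name in '.sequence.0', '.sequence.2', 'blrm', 'hashes') {
    $path = Join-Path $smsmse $name
    if (Test-Path -Path $path) { Move-Item -Path $path -Destination $backup }
}

# 4. Restart Exchange transport, then bring the Symantec services back
Restart-Service -Name MSExchangeTransport -Force
$symSvc | Start-Service

# 5. Give the rule engine a minute and confirm the folders are being recreated
Start-Sleep -Seconds 60
"bm_ruleset folders after:  {0}" -f @(Get-ChildItem -Path $smsmse -Filter 'bm_ruleset*' |
    Where-Object { $_.PSIsContainer }).Count
"Moved to $backup"
```

Nothing is deleted; everything goes to the backup folder so the step can be reversed if the rulesets do not come back.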

Anti-spam lists – see also block list providers, test

Attachment size – a lot of knobs to twirl.  Here’s a good synopsis.

Organizational limits: These apply to all Exchange servers in the Organization

From the shell:

Get-TransportConfig
Set-TransportConfig -MaxReceiveSize 40MB -MaxSendSize 40MB

In Exchange 2007 SP1 and later, you can also set the organizational message size limits using the EMC by going to Organization Configuration | Hub Transport | Global Settings tab | Transport Settings | properties | General tab.

Receive Connector limit

To modify the maximum message size on a Receive Connector using the Exchange console, select Server Configuration | Hub Transport | select a Hub Transport server | Receive Connectors → select a connector | Properties | General tab.

To set ReceiveConnector limit using the shell:

Set-ReceiveConnector "CONNECTOR NAME" -MaxMessageSize 40MB

Send Connector limit

select Organization Configuration | Hub Transport | Send Connectors → select connector | Properties | General tab

To set SendConnector limit using the shell:

Set-SendConnector "CONNECTOR NAME" -MaxMessageSize 40MB

Recipient limit: In Exchange 2007/2010 you can configure individual message size limits per recipient; for that recipient they override the organizational limits.

To set these using the Exchange console: Recipients | Mailbox → select mailbox (or select another recipient type such as a contact or mail user from the corresponding node) | properties | Mail Flow Settings tab | Message Size Restrictions

To set these using the Exchange shell:

Set-Mailbox "Joe Adams" -MaxSendSize 20MB -MaxReceiveSize 20MB

Active Directory SiteLink limit

In Exchange Server 2007 SP1, you can also set maximum message size limit on AD Site Links. Exchange Server 2007 uses the AD Site topology to determine the least cost paths. If the message size to be delivered to a remote AD Site exceeds the limit on the AD Site Link, message delivery will fail. By default, the MaxMessageSize on AD Site Links is set to unlimited.

Get-ADSiteLink “SITE LINK NAME” | Format-Table Identity, MaxMessageSize

This can be changed using the following command:

Set-ADSiteLink "SITE LINK NAME" -MaxMessageSize 20MB

Global Settings

Besides the above, another message size limit can affect Exchange 2007/2010 recipients if you're transitioning from Exchange 2000/2003, and it is often overlooked when troubleshooting: these values are visible neither in the EMC nor through any of the Exchange shell cmdlets.

Run Adsiedit.msc

browse to the Configuration container | Services | Microsoft Exchange | YourOrgName | Global Settings | Message Delivery → Properties, and modify the following attributes as required

1. delivContLength → corresponds to the MaxReceiveSize parameter of Set-TransportConfig.

2. submissionContLength → corresponds to the MaxSendSize parameter of Set-TransportConfig.

Note: The maximum value for both of the above is 2097151 KB, slightly under 2 GB.

3. msExchRecipLimit → corresponds to the MaxRecipientEnvelopeLimit parameter of Set-TransportConfig.

track failed message delivery

To track messages that failed because of recipient’s MaxReceiveSize:

Get-MessageTrackingLog -Start "05/24/11 8:00AM" -EventID FAIL | where {$_.RecipientStatus -like "*RecipSizeLimit*"}

To track messages that failed because of the sender’s MaxSendSize:

Get-MessageTrackingLog -Start "05/24/11 8:00AM" -EventID FAIL | where {$_.RecipientStatus -like "*SendSizeLimit*"}
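With that many knobs, the useful first step is to see all of them at once. The following is an added example (not from the original notes) that reports every limit described above in one pass and then pulls the size-related failures from the tracking log for the last day; it assumes an Exchange 2007 SP1 or 2010 Management Shell and that the mailbox count is small enough to scan:

```powershell
# Added example, not from the original notes: one report of every message-size limit
# that can stop a large attachment, so you can see which one is actually in the way.

$org = Get-TransportConfig
"Organization : MaxSendSize={0}  MaxReceiveSize={1}  MaxRecipientEnvelopeLimit={2}" -f `
    $org.MaxSendSize, $org.MaxReceiveSize, $org.MaxRecipientEnvelopeLimit

"`nReceive connectors"
Get-ReceiveConnector | Select-Object Identity, MaxMessageSize | Format-Table -AutoSize
"Send connectors"
Get-SendConnector    | Select-Object Identity, MaxMessageSize | Format-Table -AutoSize
"AD site links (Unlimited = no limit on the link)"
Get-AdSiteLink       | Select-Object Name, MaxMessageSize     | Format-Table -AutoSize

# Per-recipient overrides: Unlimited here means "fall back to the organization limit"
"Mailboxes with their own limits"
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.MaxSendSize.IsUnlimited -or -not $_.MaxReceiveSize.IsUnlimited } |
    Select-Object DisplayName, MaxSendSize, MaxReceiveSize | Format-Table -AutoSize

# Failures in the last 24 hours whose status mentions a size limit
# (RecipSizeLimit = recipient's MaxReceiveSize, SendSizeLimit = sender's MaxSendSize)
"Size-limit failures since yesterday"
Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -EventId FAIL -ResultSize Unlimited |
    Where-Object { $_.RecipientStatus -match 'SizeLimit' } |
    Select-Object Timestamp, Sender, Recipients, TotalBytes, RecipientStatus |
    Format-Table -AutoSize
```

The legacy Global Settings attributes are not included because, as noted above, no cmdlet exposes them; those still have to be read with ADSI Edit. Remember that the effective limit for a message is the smallest one on its path, so a 40 MB organization limit does nothing if a connector on the route still says 10 MB.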

–B–

block list providers, test

1.  Make sure your block list is configured right.  Either go to the GUI or from PowerShell run:

Get-IPBlockListConfig

Should yield something like:

Name                          : IPBlockListConfig
MachineEntryRejectionResponse : External client with IP address {0} does not have permissions to submit to this server. Visit
                                http://support.microsoft.com/kb/928123 for more information.
StaticEntryRejectionResponse  : External client with IP address {0} does not have permissions to submit to this server.
Enabled                       : True
ExternalMailEnabled           : True
InternalMailEnabled           : False
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=IPBlockListConfig,CN=Message Hygiene,CN=Transport Settings,CN=YourCompany,CN=Microsoft Exchange,
                                CN=Services,CN=Configuration,DC=yourcompany,DC=net
Identity                      : IPBlockListConfig
Guid                          : 0805bc9d-cb27-4cb4-b97f-165f5681aaa7
ObjectCategory                : yourcompany.net/Configuration/Schema/ms-Exch-Message-Hygiene-IP-Block-List-Config
ObjectClass                   : {top, msExchAgent, msExchMessageHygieneIPBlockListConfig}
WhenChanged                   : 3/7/2008 3:02:11 PM
WhenCreated                   : 3/7/2008 3:02:06 PM
OriginatingServer             : mail.yourcompany.net
IsValid                       : True

Note Enabled, ExternalMailEnabled and IsValid should all be True.  You might also want to look at your providers – again either through the GUI or the command:

Get-IPBlockListProvider

Should yield something like:

Name           LookupDomain       Priority
----           ------------       --------
SpamHaus       zen.spamhaus.org   1
SpamCop        bl.spamcop.net     2
abuseat cbl    cbl.abuseat.org    3
sorbs          dnsbl.sorbs.net    4

2.  Make sure your block list providers are actually working.  Go to a recent log at C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog to find a likely IP address that should have been blocked.  Test that specific IP address against all your providers.  From your Powershell prompt, pipe the Get-IpBlockListProvider cmdlet to the Test-IpBlockListProvider cmdlet:

Get-IpBlockListProvider | Test-IpBlockListProvider -IpAddress 190.65.193.69

Should yield something like:

Provider       ProviderResult            Matched
--------       --------------            -------
SpamHaus       {127.0.0.4, 127.0.0.11}      True
SpamCop        {127.0.0.2}                  True
abuseat cbl    {127.0.0.2}                  True
sorbs          {}                          False

3.  From the test above, we know there are no DNS problems and that the RBL works.  But is it actually being invoked in real time and blocking what it should?  Run the following to search logs in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog for instances of when each of your providers actually found and rejected an email.  Note you’ll likely have to change your directory to the C:\Program Files\Microsoft\Exchange Server\Scripts directory if it’s not in your path.

[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>.\Get-AntispamTopRBLProviders.ps1 -startDate:03/23/2008 -endDate:04/17/2008

This should yield something like:

Name        Value
----        -----
SpamHaus    11410
sorbs         407
SpamCop       149
abuseat cbl    10

If a later run returns nothing:

[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>.\Get-AntispamTopRBLProviders.ps1 -startDate:04/17/2008 -endDate:04/22/2008
[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>

Then you know you have a problem.  In this case, everything was chugging along just fine until 4/17/2008 when it just shut down completely.  Here’s how to specify an even narrower range: just a few hours in a day.

Get-AntispamTopRBLProviders.ps1 -startDate:"04/25/2008 10 am" -endDate:"04/26/2008 5 pm"

4.  Look at the priorities of the various services:

[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>Get-TransportAgent
Identity                     Enabled  Priority
--------                     -------  --------
Transport Rule Agent         True     1
Journaling Agent             True     2
AD RMS Prelicensing Agent    False    3
Connection Filtering Agent   True     4
Content Filter Agent         True     5
Sender Id Agent              True     6
Sender Filter Agent          True     7
Recipient Filter Agent       True     8
Protocol Analysis Agent      True     9

Note that the Connection Filtering Agent is fairly low in the order. Bump the anti-spam agents up to a higher priority:

Set-TransportAgent -identity "Connection Filtering Agent" -priority 1

This command, and each of the following ones, immediately returns:

WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport

Go ahead and reset the following:

Set-TransportAgent -identity "Content Filter Agent" -priority 2
Set-TransportAgent -identity "Sender ID Agent" -priority 3
Set-TransportAgent -identity "Sender Filter Agent" -priority 4
Set-TransportAgent -identity "Recipient Filter Agent" -priority 5
Set-TransportAgent -identity "Protocol Analysis Agent" -priority 6

Restart the transport service and look at the priorities afterwards:

Get-TransportAgent

Identity                      Enabled  Priority
--------                      -------  --------
Connection Filtering Agent    True     1
Content Filter Agent          True     2
Sender Id Agent               True     3
Sender Filter Agent           True     4
Recipient Filter Agent        True     5
Protocol Analysis Agent       True     6
Transport Rule Agent          True     7
Journaling Agent              True     8
AD RMS Prelicensing Agent     False    9

This doesn’t really seem to do anything, but it makes me feel better having the Transport Rule Agent further down toward the bottom.

5.  Here's another "raw DNS" test, which doesn't depend on Exchange at all and may help flush out DNS problems. For example, to test SpamHaus:

In general, DNSBL queries are structured by the inverse IP address as a subdomain of the DNSBL zone. For example, to check that the general DNSBL test address of 127.0.0.2 is listed in SBL, query 2.0.0.127.sbl.spamhaus.org with any NS lookup tool such as...

$ host 2.0.0.127.sbl.spamhaus.org
2.0.0.127.sbl.spamhaus.org has address 127.0.0.2
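The same raw test done from the Exchange server itself, as an added example that is not part of the original notes. It reads the provider list from Exchange but resolves the names with plain .NET DNS calls, so a failure here is a resolver or network problem rather than an agent problem. It distinguishes "not listed" (the zone answers NXDOMAIN) from "DNS error" (timeout, SERVFAIL), which the host output above does not; the function name and the 127.0.0.2 test address are mine:

```powershell
# Added example, not from the original notes. Queries DNSBLs directly, bypassing the agent.
function Test-DnsblListing {
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,
        # Default: the zones Exchange is configured to use
        [string[]]$LookupDomains = @(Get-IPBlockListProvider | ForEach-Object { "$($_.LookupDomain)" })
    )
    # DNSBL convention: reverse the octets and prepend them to the zone,
    # so 127.0.0.2 against zen.spamhaus.org becomes 2.0.0.127.zen.spamhaus.org
    $octets = $IPAddress.Split('.')
    [array]::Reverse($octets)
    $reversed = $octets -join '.'

    foreach ($zone in $LookupDomains) {
        $query = "$reversed.$zone"
        try {
            $answers = [System.Net.Dns]::GetHostAddresses($query) | ForEach-Object { $_.IPAddressToString }
            # An answer (normally 127.0.0.x) means the address is listed; the value encodes the reason
            New-Object PSObject -Property @{ Zone = $zone; Query = $query; Listed = $true; Detail = ($answers -join ', ') }
        } catch [System.Net.Sockets.SocketException] {
            # HostNotFound is NXDOMAIN, a clean "not listed"; anything else is a resolver problem
            $detail = if ($_.Exception.SocketErrorCode -eq 'HostNotFound') { 'not listed' }
                      else { "DNS ERROR: $($_.Exception.Message)" }
            New-Object PSObject -Property @{ Zone = $zone; Query = $query; Listed = $false; Detail = $detail }
        }
    }
}

# 127.0.0.2 is the conventional test entry every DNSBL is expected to list; for a real
# check, take an address from the AgentLog as in step 2 above.
Test-DnsblListing -IPAddress '127.0.0.2' | Format-Table Zone, Listed, Detail -AutoSize
```

If every zone comes back "DNS ERROR", the resolver the Exchange server uses is the problem, not the block lists; if the test address comes back "not listed" for one provider only, that provider has changed its zone or is refusing your resolver.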

Blocked email, find out why:

Get-AgentLog -StartDate "6/26/2008 4:03 pm" -EndDate "6/26/2008 4:04 pm" | where {$_.Reason -eq "BlockListProvider"}

What if you get something like:

The location "C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\AgentLog\" does not exist. Please specify a valid file or directory to look for agent logs using the -Location parameter.

Parameter name: Location

    + CategoryInfo          : InvalidArgument: (:) [Get-AgentLog], ArgumentException

    + FullyQualifiedErrorId : 79602AE3,Microsoft.Exchange.Management.AgentLog.GetAgentLog

If no agent logging has occurred on the server, this folder will not exist.

–C–

catch-all - see here

Certificate service – before you do anything, you need to make sure you’ve added “Active Directory Certificate Services” to your server roles.

Certificate, change

You can see a lot of information by running mmc and choosing the Certificates snap-in. If Certificates is not already listed in the console, you will need to add it.

To add Certificate Manager to Microsoft Management Console

  1. Click Start, and then click Run.
  2. In the Open box, type mmc, and then click OK.
  3. In the File menu, click Add/Remove Snap-in.
  4. In the Add/Remove Snap-in box, click Add.
  5. In the Available Standalone Snap-ins list, click Certificates, and then click Add.
  6. Click Computer Account, and then click Next.
  7. Click the Local computer (the computer this console is running on) option, and then click Finish.
  8. Click Close, and then click OK.

The certificates of interest all seem to be under Personal, Certificates.

You can also see them in the Exchange Management Console (EMC) under Server Configuration (the top-level node itself, not one of the sub-nodes). In fact, this is a really good place to check that your mail.yourdomain.com certificate has all of the IMAP, POP, IIS and SMTP services assigned. I think only one certificate can have all these.

From the shell:

Get-ExchangeCertificate

Should return something like

Thumbprint                                Services   Subject
----------                                --------   -------
9822DC23BB18AED03EB276639AAF78B8EF643B42  IP..S      CN=mail
92F3B7D4AE57D587F22D582666B3D2629DCF21A8  IP..S      CN=mail
FBAB5CB127F4EFF3EF7B084E3F665DF4A999827D  IP..S      CN=mail
3899DE08DBDE9C2971AAC840623551B1D66224DA  IP.WS      CN=mail
1CA830BCA102BEDC6FA1F4B79A48B2B11E0497E7  IP..S      CN=mail

Or, to get a more complete view including expiration:

Get-ExchangeCertificate | FL

Rather than creating a brand-new certificate, it is sometimes better to clone the old one into a new one (this produces a new self-signed certificate with the same names):

Get-ExchangeCertificate -Thumbprint 9822DC23BB18AED03EB276639AAF78B8EF643B42 | New-ExchangeCertificate

I’m still not sure which approach is better: the one above or the one below.  I’ve seen both approaches cited.

So, if you want, you can instead just get a new one without recycling the old one.

New-ExchangeCertificate -DomainName mail2.yourcompany.com

Confirm
Overwrite existing default SMTP certificate, '9822DC23BB18AED03EB27D239AAF78B8EF643B42' (expires 3/7/2009 3:25:23 PM), with certificate '1FA17137AA8DA7E359254232B7AA408BC89EDB21' (expires 4/23/2009 9:51:20 AM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y
 
Thumbprint                                Services   Subject
----------                                --------   -------
1FA17137AA8DA7E359254232B7AA408BC89EDB21  .....      CN=mail2.yourcompany.com

And then enable SMTP services: copy and paste this new certificate thumbprint into the command below

Enable-ExchangeCertificate -Thumbprint 1FA17137AA8DA7E359254232B7AB108BC89EDB21 -Services:smtp

Now look again to see your changes

Get-ExchangeCertificate

Thumbprint                                Services  Subject
----------                                --------  -------
1FA17137AA8DA7E359254232B7AB108BC89EDB21  ....S     CN=mail.yourcompany.com
9822DC23BB18AED03EB276639AAF78B8EF643B42  IP..S     CN=mail
92F3B7D4AE57D587F22D582666B3D2629DCF21A8  IP..S     CN=mail
FBAB5CB127F4EFF3EF7B084E3F665DF4A999827D  IP..S     CN=mail
3899DE08DBDE9C2971AAC840623551B1D66224DA  IP.WS     CN=mail
1CA830BCA102BEDC6FA1F4B79A48B2B11E0497E7  IP..S     CN=mail

Might be a good idea to delete old, expired certificates:

Remove-ExchangeCertificate -Thumbprint 9822DC23BB18AED03EB276639AAF78B8EF643B42

And you’ll have to assign those same I, P and W services to your mail.yourcompany.com certificate.
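The whole renew-and-rebind sequence above, plus the check that should come first, as an added example (not from the original notes): list every Exchange certificate with its days to expiry and bound services, warn about those about to lapse, then clone the old certificate, enable the clone for exactly the services the old one had, and remove the old one. The thumbprint is the one from the notes and the 30-day warning window is my assumption:

```powershell
# Added example, not from the original notes. Exchange 2007/2010 Management Shell.
$warnDays = 30   # assumption: warn when less than a month is left

# Inventory: what is installed, what it is bound to, and how long it has left
Get-ExchangeCertificate | Sort-Object NotAfter |
    Select-Object Thumbprint, Services, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } },
        @{ Name = 'Domains';  Expression = { ($_.CertificateDomains | ForEach-Object { "$_" }) -join ',' } } |
    Format-Table -AutoSize

# Warn only about certificates that are actually in use (Services other than None)
Get-ExchangeCertificate |
    Where-Object { $_.Services -ne 'None' -and $_.NotAfter -lt (Get-Date).AddDays($warnDays) } |
    ForEach-Object { Write-Warning ("{0} bound to {1} expires {2}" -f $_.Thumbprint, $_.Services, $_.NotAfter) }

# Renew: clone the old certificate, bind the clone to the same services, verify, then remove the old one
$old = Get-ExchangeCertificate -Thumbprint '9822DC23BB18AED03EB276639AAF78B8EF643B42'   # thumbprint from the notes
$new = $old | New-ExchangeCertificate
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Select-Object Thumbprint, Services, NotAfter
Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
```

Passing $old.Services to Enable-ExchangeCertificate is what avoids the "assign those same I, P and W services" step by hand. Keep in mind that the clone is self-signed, exactly like the one it replaces: clients will not trust it unless the certificate has been added to their trusted roots, so for the names Outlook, ActiveSync and browsers connect to, the better path is New-ExchangeCertificate -GenerateRequest and a CA-issued certificate.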

Certificate not trusted - "This CA Root Certificate Is Not Trusted. To enable Trust, Install This Certificate in the Trusted Root Certification Authorities Store"

  1. Go to the Default Web Site in IIS and remove the Self Signed Cert. Right click the Default Web Site, Directory Security, Server Certificate, Next, and Remove the cert.
  2. Open Certificates in MMC. Go to Run, MMC. File | Add/Remove Snap-in, Add Certificates; Computer Account; Local Computer and click OK.
  3. Once your Certificates MMC is open Go to Personal Certificates. Right Click Request New Cert, Next, Friendly Name = Hostname of your Server and Next and Finish.
  4. Copy the new cert to the Trusted Root Certification Authorities Certificates.
  5. Go back to the Default Website in IIS, Properties, Directory Security, Server Certificate. Assign an existing certificate and choose the new cert that was created.
  6. Issue

IISRESET

from your command prompt.

Certificate, proxy server’s security certificate - There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.yourserver.com.

Outlook is unable to connect to the proxy server. (Error Code 10)

Let’s say the name of your mail server is “mail2” or “mail2.yourcompany.net” and you really want it to point to “mail.yourcompany.com”.  Run

Get-ClientAccessServer -Identity mail2 | fl

For the AutodiscoverServiceInternalUri entry, you’ll see something like

AutoDiscoverServiceInternalUri       : https://mail2.yourcompany.net/Autodiscover/Autodiscover.xml

Then run

Set-ClientAccessServer -Identity "mail2" –AutodiscoverServiceInternalUri https://mail.yourcompany.com/autodiscover/autodiscover.xml

Next run

Get-WebServicesVirtualDirectory -Identity "mail2\EWS (Default Web Site)" | fl

For the InternalUrl entry you’ll see something like

InternalUrl     : https://mail2.yourcompany.net/EWS/Exchange.asmx

Then run

Set-WebServicesVirtualDirectory -Identity "mail2\EWS (Default Web Site)" –InternalUrl https://mail.yourcompany.com/EWS/Exchange.asmx

Make sure you don't accidentally set -InternalNLBBypassUrl by mistake, because it comes up first alphabetically if you just hit Tab after typing "-In" or so.

Next run

Get-OabVirtualDirectory -Identity "mail2\OAB (Default Web Site)" | fl

For the InternalUrl entry you’ll see something like

InternalUrl  : http://mail3.yourdomain.net/OAB

Then run

Set-OABVirtualDirectory -Identity "mail2\OAB (Default Web Site)" -InternalURL https://mail.yourcompany.com/OAB

Next run

Get-OutlookAnywhere

For the ExternalHostName entry and ClientAuthenticationMethod you might see something like

ExternalHostname                : https://mail2.yourcompany.net
ClientAuthenticationMethod      : Basic

Then run.

Set-OutlookAnywhere -Server mail2 -ExternalHostname "mail.yourcompany.com" -ClientAuthenticationMethod "NTLM"

This last command actually doesn’t run so good; complains “A positional parameter cannot be found that accepts argument ‘mail2’”.  Trying with using “-Identity” instead of “-Server” also fails: “The operation couldn't be performed because object 'mail2.yourdomain.net\mail2' couldn't be found on 'mail2.yourdomain.net'.

Next run.

Get-ActiveSyncVirtualDirectory -Identity "mail2\Microsoft-Server-ActiveSync (Default Web Site)" | fl

For the InternalUrl you’ll see something like

InternalUrl     : https://mail3.yourcompany.net/Microsoft-Server-ActiveSync

Then run.

Set-ActiveSyncVirtualDirectory -Identity "mail2\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://mail.yourcompany.com/Microsoft-Server-ActiveSync
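The same series of changes as one script, added here and not part of the original notes, so that every client-facing name on the Client Access server is set from a single variable and then read back for verification. The server and public name are placeholders taken from the notes; the Outlook Anywhere object is addressed by its "<server>\Rpc (Default Web Site)" identity, which is the form Set-OutlookAnywhere expects (a bare server name, as tried above, is not a valid identity for it):

```powershell
# Added example, not from the original notes. Exchange 2007/2010 Management Shell.
$server = 'mail2'                 # placeholder: the Client Access server
$fqdn   = 'mail.yourcompany.com'  # placeholder: the name on the certificate that clients use

# Autodiscover and the virtual directories clients are told to use
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$fqdn/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$fqdn/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"

# Outlook Anywhere: hostname only (no https://), and NTLM rather than Basic so the
# credential is not sent as a base64 password even inside the TLS tunnel
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" `
    -ExternalHostname $fqdn -ClientAuthenticationMethod Ntlm

# Read everything back: every URL should now carry $fqdn and nothing else
Get-ClientAccessServer -Identity $server | Select-Object Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $server | Select-Object Identity, InternalUrl, ExternalUrl
Get-OabVirtualDirectory -Server $server | Select-Object Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $server | Select-Object Identity, InternalUrl, ExternalUrl
Get-OutlookAnywhere -Server $server | Select-Object Identity, ExternalHostname, ClientAuthenticationMethod
```

The script only sets the internal URLs, as the notes do; if the same name is published externally, set -ExternalUrl on the three virtual directories as well. Each name you put in here has to appear on the certificate bound to IIS, otherwise you simply move the "name on the security certificate is invalid" error from one URL to another.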

certificates, single-domain vs multi-domain certificate – see Exchange 2010- Why do I need to use a UCC certificate? and Exchange 2007 - Multiple Name SSL Certificate Request and Installation

Certificate Templates snap-in missing– make sure you’ve added certificate authority as one of your server’s roles

Certificate that contains domain name mail2.yourcompany.com, Microsoft Exchange could not find – run the following 3 commands

Get-ExchangeCertificate | fl
Get-ReceiveConnector -Identity mail2 | fl name, fqdn, objectClass

Get-SendConnector | fl name, fqdn, objectClass

To repair the Send Connector, in the Exchange Management Console go to Organization Configuration | Hub Transport | Send Connectors tab, open the connector's properties and set its FQDN to a name that appears on a certificate enabled for SMTP.
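The three commands above put the facts side by side but leave the comparison to you. As an added example that is not from the original notes, here is the check done by script: every FQDN on every Receive and Send connector is looked up against the unexpired certificates that are enabled for SMTP, and any name with no covering certificate is flagged. The comparison is an exact name match; a wildcard certificate would show as MISSING here even though Exchange accepts it, so treat that case by hand:

```powershell
# Added example, not from the original notes. Exchange 2007/2010 Management Shell.

# Certificates that can actually be used for SMTP TLS: SMTP-enabled and not expired
$smtpCerts = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'SMTP' -and $_.NotAfter -gt (Get-Date) }

# Every FQDN that a connector will present in its EHLO / TLS handshake
$fqdns = @(Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }) +
         @(Get-SendConnector    | ForEach-Object { "$($_.Fqdn)" }) |
    Where-Object { $_ } | Sort-Object -Unique

foreach ($name in $fqdns) {
    $covering = @($smtpCerts | Where-Object {
        ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $name })
    if ($covering.Count -gt 0) {
        "OK      {0,-35} -> {1} (expires {2:d})" -f $name, $covering[0].Thumbprint, $covering[0].NotAfter
    } else {
        "MISSING {0,-35} -> no valid SMTP-enabled certificate contains this name" -f $name
    }
}
```

Each MISSING line is one connector FQDN to fix, either by changing the connector's FQDN to a name the certificate has, or by issuing a certificate that includes the name and enabling it for SMTP.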

Change SMTP port 25 in Exchange 2007

For some reason you might want to change the default SMTP port 25 that Exchange 2007 uses. Exchange 2007 uses Receive and Send connectors: the former receive mail and the latter send it (obviously ;)

So you need to change the port on those connectors. I will not say "those two", because you might be using more than two.

You change Receive connector port by opening the connector properties in Exchange Management Console → Hub Transport → RECEIVECONNECTORNAME → Properties → Network → Local IP Addresses (Edit Receive Connector Binding)

Just to clarify what "Local IP Addresses" and "Remote Servers" are:

Use these local IP Addresses to receive mail

Use this list to specify the IP addresses and port numbers on which this Receive connector listens for incoming mail.

Receive mail from remote servers which have these IP addresses

Use this list to specify the remote IP address range from which this Receive connector accepts connections.

You change Send Connector port by using PowerShell. Open Exchange Management Shell and type:

Get-SendConnector -Identity "SENDCONNECTORNAME" | fl

Check the port number then type:

Set-SendConnector -Identity "SENDCONNECTORNAME" -port 26

In this example I set port 26 as SMTP port for sending messages. Check the change by typing

Get-SendConnector -Identity "SENDCONNECTORNAME" | fl

Hub Transport and Edge Transport servers are both responsible for mail transport, so include every server the change applies to.
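The Receive connector side can be done from the shell as well, which the notes only show in the console. As an added example (not part of the original notes), the following rewrites each binding of one connector to a new port while keeping its bound addresses, then lists the server's connectors so you can confirm nothing else still sits on the old port. The server, connector name and port are placeholders:

```powershell
# Added example, not from the original notes. Exchange 2007/2010 Management Shell.
$server    = 'MAIL2'                     # placeholder
$connector = "$server\Default $server"   # placeholder: connector to move
$newPort   = 2525                        # placeholder

$rc = Get-ReceiveConnector -Identity $connector
"Current bindings: " + (($rc.Bindings | ForEach-Object { "$_" }) -join ', ')

# Keep every bound address, swap only the port. IPv6 literals need brackets in "address:port" form.
$newBindings = $rc.Bindings | ForEach-Object {
    $addr = $_.Address.ToString()
    if ($_.Address.AddressFamily -eq 'InterNetworkV6') { "[${addr}]:${newPort}" } else { "${addr}:${newPort}" }
}
Set-ReceiveConnector -Identity $connector -Bindings $newBindings

# No two connectors on a server may share an address:port, and a connector moved off 25
# still needs RemoteIPRanges limited to the hosts that are meant to reach it.
Get-ReceiveConnector -Server $server |
    Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups | Format-List
```

Moving a connector to a non-standard port is not a substitute for restricting RemoteIPRanges and PermissionGroups; anything that can reach the port can still talk SMTP to it.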

command line – use the Exchange Management Shell (Windows PowerShell with the Exchange snap-in loaded)

Content Filter: How to move messages to Junk Mail folder - http://exchangepedia.com/blog/2007/02/exchange-2007-content-filter-how-to_07.html

You've setup Exchange Server 2007, and configured the shiny new Content Filter agent (CFA). The CFA has three thresholds - equivalent of Gateway thresholds and (gateway) actions in IMF. These are: 1) SCLDeleteThreshold 2) SCLRejectThreshold and 3) SCLQuarantineThreshold.

1. SCLDeleteThreshold: Messages with SCL equal to or higher than the SCLDeleteThreshold are deleted silently. To enable the SCLDeleteThreshold:

set-ContentFilterConfig -SCLDeleteThreshold 8 -SCLDeleteEnabled:$true

2. SCLRejectThreshold: Messages with SCL equal to or higher than the SCLRejectThreshold are rejected during the SMTP session, after the data is received. In this case, senders get a NDR. To enable the SCLRejectThreshold:

set-ContentFilterConfig -SCLRejectThreshold 7 -SCLRejectEnabled:$true

In the above case, Exchange doesn't accept the message. After the data is received, it responds with a 550 5.7.1 error and a rejection response (by default this response is: Message rejected due to content restrictions). This rejection message can be configured using the following command (the response used here is for illustration, not a real suggestion):

set-ContentFilterConfig -RejectionResponse "Stop spamming you *****!"

The actual NDR is generated and sent to the sender by the sending host. What the sending host will see after the message content is sent (and if you actually modified the rejection response based on my example :)

550 5.7.1 Stop spamming you *****!


Exchange Server 2007's Content Filtering agent can be configured with the equivalent of all 3 Gateway actions available in Exchange Server 2003's Intelligent Message Filter (IMF): 1) Delete messages, 2) Reject messages and 3) Quarantine messages.


3. SCLQuarantineThreshold: Messages with SCL equal to or higher than the SCLQuarantineThreshold are delivered to the quarantine mailbox, provided you have one configured. To enable the SCLQuarantineThreshold and configure a quarantine mailbox:

set-ContentFilterConfig -SCLQuarantineThreshold 6 -SCLQuarantineEnabled:$true -QuarantineMailbox:MyQuarantineMailbox@mydomain.com

The Content Filter agent allows the flexibility of enabling all three actions on the gateway - the rule is: SCLDeleteThreshold > SCLRejectThreshold > SCLQuarantineThreshold.


To get a list of all three SCL values and whether each action is enabled or not, use the following command:

get-ContentFilterConfig | Select SCL*

So where's the equivalent of IMF's Store threshold (the one that moves messages to users' Junk Mail folders)?


It's called SCLJunkThreshold, and it resides in a different location - in the Organization configuration. It can be set using the set-OrganizationConfig command:

set-OrganizationConfig -SCLJunkThreshold 5

Setting SCLJunkThreshold not intuitive?

Before you jump to conclusions about this being counter-intuitive, or confusing - which it may be, consider this - it is in response to the different server roles in Exchange Server 2007.

The gateway actions - delete, reject and quarantine - can be thought of as message transport actions, and thus applicable to transport server roles (the Edge server, or the Hub if you have antispam agents enabled on it). Moving messages to users' Junk Mail folders can be thought of as something that happens at the Store, performed by the Mailbox Server role.

Another aspect to consider when setting the SCLJunkThreshold - if you're in a topology with an Edge server, the SCLJunkThreshold on the Edge doesn't impact anything. This needs to be set on your Exchange Org - the Edge server is not a part of it.


The Defaults: By default, the SCLJunkThreshold is set to 4. If you have an existing Exchange Server 2003 SP2 server installed, and you haven't tweaked the Store threshold, IMF v2's default Store threshold of 8 is used - this is what you'll see in the Org's SCLJunkThreshold. Given that the SCLRejectThreshold is set to 7 by default, messages will not move to users' Junk Mail folder unless the SCLJunkThreshold is lower than the transport thresholds (i.e. the Delete, Reject and Quarantine thresholds).


How the Junk Mail threshold is calculated: Unlike the transport actions of deleting, rejecting, and quarantining messages - which check for SCL equal to or higher than their respective thresholds, for moving messages to Junk Mail folder the Store checks for SCLs higher than the SCLJunkThreshold. This is consistent with the behavior of IMF in Exchange Server 2003 (read previous post: IMF Confusion - Store threshold rating text in UI).


If you want to disable rejection of messages with SCL of 7 or above, use the following command:

set-ContentFilterConfig -SCLRejectEnabled:$false
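The four thresholds are set in two different places and only make sense together, so here they are applied in one go, as an added example that is not part of the original article. The function checks the ordering rule stated above (Delete > Reject > Quarantine > Junk) before it writes anything, and it also warns about the off-by-one the article describes: the transport actions fire on SCL equal to or above their thresholds while the Store junks on SCL strictly above SCLJunkThreshold, so with Quarantine at 6 and Junk at 5 no message ever reaches a Junk folder (SCL 6 and up is quarantined first). The function name and the defaults are my choices; the quarantine mailbox is a placeholder:

```powershell
# Added example, not from the original article. Exchange 2007/2010 Management Shell.
function Set-SclThresholds {
    param(
        [int]$Delete     = 8,
        [int]$Reject     = 7,
        [int]$Quarantine = 6,
        [int]$Junk       = 4,
        [Parameter(Mandatory = $true)][string]$QuarantineMailbox
    )
    # Rule from the article: the three transport thresholds must be strictly descending
    # and the Store threshold must sit below all of them.
    if (-not ($Delete -gt $Reject -and $Reject -gt $Quarantine -and $Quarantine -gt $Junk)) {
        throw "Thresholds must satisfy Delete > Reject > Quarantine > Junk (got $Delete/$Reject/$Quarantine/$Junk)"
    }
    # Transport acts on SCL >= threshold, the Store on SCL > SCLJunkThreshold, so the highest
    # SCL that reaches the Store is Quarantine-1 and Junk must be at most Quarantine-2 to matter.
    if (($Quarantine - $Junk) -lt 2) {
        Write-Warning "SCLJunkThreshold $Junk is too close to SCLQuarantineThreshold $Quarantine: nothing will be moved to Junk"
    }

    # Gateway actions live on the content filter (Edge, or Hub with the agents installed)
    Set-ContentFilterConfig `
        -SCLDeleteThreshold     $Delete     -SCLDeleteEnabled:$true `
        -SCLRejectThreshold     $Reject     -SCLRejectEnabled:$true `
        -SCLQuarantineThreshold $Quarantine -SCLQuarantineEnabled:$true `
        -QuarantineMailbox      $QuarantineMailbox

    # The Store action lives on the organization, not on the content filter
    Set-OrganizationConfig -SCLJunkThreshold $Junk

    # Read back both places
    Get-ContentFilterConfig | Select-Object SCL*, QuarantineMailbox
    Get-OrganizationConfig  | Select-Object SCLJunkThreshold
}

Set-SclThresholds -QuarantineMailbox 'MyQuarantineMailbox@mydomain.com'   # placeholder address
```

With the defaults here, SCL 8 and 9 are deleted, 7 is rejected, 6 is quarantined and 5 lands in Junk Mail; SCL 4 and below is delivered normally. Run Set-OrganizationConfig on a Hub or Mailbox server, not on an Edge server, for the reason the article gives.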

–D–

database, move mailbox to

If you try to move a mailbox from Exchange 2007 to Exchange 2010 with

set-Mailbox -identity bob -database "Mailbox Database 2"

you might get something like

You cannot rehome a mailbox into a database that has a different version than the source server.

    + CategoryInfo          : NotSpecified: (joe:MailboxIdParameter) [Set-Mailbox], TaskArgumentException

    + FullyQualifiedErrorId : 54140E66,Microsoft.Exchange.Management.RecipientTasks.SetMailbox

You might want to try this instead:

'yourdomain.net/Users/bob' | New-MoveRequest -TargetDatabase 'Mailbox Database 2'
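New-MoveRequest only queues the move; the part people forget is watching it finish and then removing the request, because a completed request that is left behind blocks the next move of the same mailbox. As an added example (not from the original notes), with the user and database names from the notes and a 30-second polling interval of my choosing:

```powershell
# Added example, not from the original notes. Exchange 2010 Management Shell.
$user = 'yourdomain.net/Users/bob'   # from the notes
$db   = 'Mailbox Database 2'         # from the notes

New-MoveRequest -Identity $user -TargetDatabase $db | Out-Null

# Poll until the Mailbox Replication Service reports a terminal state
do {
    Start-Sleep -Seconds 30
    $stats = Get-MoveRequestStatistics -Identity $user
    "{0,-22} {1,3}%  {2}" -f $stats.Status, $stats.PercentComplete, $stats.TargetDatabase
} while ("$($stats.Status)" -notmatch '^(Completed|Failed)')

if ("$($stats.Status)" -like 'Completed*') {
    # Completed or CompletedWithWarning: clear the request so the mailbox can be moved again later
    Remove-MoveRequest -Identity $user -Confirm:$false
} else {
    # Failed: keep the request and show the MRS report, which names the item or permission that broke it
    Get-MoveRequestStatistics -Identity $user -IncludeReport | Select-Object -ExpandProperty Report
}
```

Get-MoveRequest with no parameters lists any leftover requests in the organization; anything sitting at Completed there is a move nobody cleaned up.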

database, see which mailboxes belong to

Get-Mailbox -database "Mailbox Database 0964096055"

Should return something like

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
Administrator             Administrator        mail3            unlimited
DiscoverySearchMailbox... DiscoverySearchMa... mail3            50 GB (53,687,091,200 bytes)
test1                     test1                mail3            unlimited
test2                     test2                mail3            unlimited

database size, determine

Get-MailboxDatabase -Status | select ServerName,Name,DatabaseSize

DCOM – start by running dcomcnfg from the “run” box.

default email, change –see email, change default

deleted items folder, properties

Get-ManagedFolder -Identity "Deleted Items" | fl

deleted items, recover from any folder

1. Exit Outlook.

2. Open the Windows registry editor.

3. Browse to My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\Client\Options.

Or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Exchange\Client Extension\Options on 64-bit Windows 7.

4. On the Edit menu, point to New, and then click DWORD Value.

5. Type the name DumpsterAlwaysOn.

Note Do not type any spaces in the name.

6. Set the DWORD value to 1.

7. Restart Outlook.

The Tools menu now has the Recover Deleted Items command for every Outlook folder.

deleted items usage for all mailboxes

get-mailbox | Get-MailboxStatistics | Select @{n="DisplayName";e={$_.DisplayName}}, StorageGroupName,@{e={$_.TotalDeletedItemSize.Value.ToMB()};n="TotalDeletedItemsSize(MB)"}, DeletedItemCount, @{e={$_.TotalItemSize.Value.ToMB()};n="TotalItemSize(MB)"}, ItemCount, StorageLimitStatus | ft

should return something like

DisplayName  StorageGroupName  TotalDeletedItemsSize(MB)  DeletedItemCount  TotalItemSize(MB)  ItemCount  StorageLimitStatus
-----------  ----------------  -------------------------  ----------------  -----------------  ---------  ------------------
Bob Smith                                              0               154                551      23680  BelowLimit
Sam Jones                                              0                 0                  0          3  BelowLimit

distribution list, allow selected people to modify its membership themselves

Add-ADPermission -Identity 'accountants' -user carol -AccessRights writeproperty
 
Identity          User              Deny  Inherited Rights
--------          ----              ----  --------- ------
yourdomain.net... yourdomain\Carol  False False     WriteProperty

or

Add-ADPermission -Identity 'accountants' -user 'reception group' -AccessRights readproperty
 
Identity          User              Deny  Inherited Rights
--------          ----              ----  --------- ------
yourdomain.net... yourdomain\Rec... False False     ReadProperty

distribution group, display name -

Recipient Configuration → Distribution Group. In the result pane, click the distribution group that you want to configure. In the action pane, click Properties. Use the unlabeled box at the top of the page to view or change the display name for the distribution group. Or, from the shell:

Set-DistributionGroup -Identity "Accounting" -DisplayName "Accounting Group"

distribution group, setup in Exchange 2013

Create a new group in Active Directory and make it a Universal Distribution group

Once that is done, remote into the mail server and run the Exchange Management Shell (this step can't be done in the web GUI).

Then use this command to mail-enable the group you created:

Enable-DistributionGroup -Identity "GROUP NAME" -DomainController <server name where AD is installed>

distribution groups, activity last 30 days

get all distribution lists used over last 30 days and how many times the distribution group was used (from here). I have no idea how it works or how it limits activity to the last 30 days. Is this a default?

Get-MessageTrackingLog -EventId Expand -ResultSize Unlimited | Sort-Object RelatedRecipientAddress | Group-Object RelatedRecipientAddress | Sort-Object Name | Select-Object @{label="PrimarySmtpAddress";expression={$_.Name}}, Count | Export-Csv C:\Users\someuser\Documents\DL-Active.csv -NoTypeInformation
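The "last 30 days" in the one-liner above is not a cmdlet default: message tracking logs are kept for 30 days by default (the MessageTrackingLogMaxAge setting on the transport server), so a query with no -Start/-End simply sees whatever has not been purged yet. The added example below (mine, not from the notes, and not the script linked above) makes the window explicit, asks every Hub Transport server rather than only the local one, records when each group was last expanded, and then lists the groups that were never used, which are the ones worth reviewing for removal. It assumes Exchange 2007/2010; on 2013 replace Get-TransportServer with Get-TransportService, as the notes do elsewhere.

```powershell
# Added example, not from the original notes: distribution group usage over an
# explicit window, from the EXPAND events in the message tracking logs.
function Get-DistributionGroupUsage {
    param(
        [datetime]$Start = (Get-Date).AddDays(-30),
        [datetime]$End   = (Get-Date),
        [string]$ReportPath = "$([Environment]::GetFolderPath('MyDocuments'))\DL-Active.csv"
    )
    # An EXPAND event is written on whichever Hub server resolved the group, so
    # query all of them. Default ResultSize is 1000; ask for everything.
    $events = Get-TransportServer |
        Get-MessageTrackingLog -EventId Expand -Start $Start -End $End -ResultSize Unlimited

    $report = $events |
        Group-Object RelatedRecipientAddress |
        ForEach-Object {
            New-Object PSObject -Property @{
                PrimarySmtpAddress = $_.Name
                Expansions         = $_.Count
                LastUsed           = ($_.Group | Sort-Object Timestamp | Select-Object -Last 1).Timestamp
            }
        } | Sort-Object Expansions -Descending

    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    $report
}

$used = Get-DistributionGroupUsage
$usedAddresses = $used | ForEach-Object { $_.PrimarySmtpAddress }

# Groups with no expansion at all in the window.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $usedAddresses -notcontains $_.PrimarySmtpAddress.ToString() } |
    Select-Object Name, PrimarySmtpAddress
```

If you need more than 30 days of history, raise MessageTrackingLogMaxAge with Set-TransportServer before the data you want has aged out; the query cannot recover logs that were already deleted.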

distribution groups, don't have permission to change

When you try to change the members of a distribution group, you get: “You don't have sufficient permissions. This operation can only be performed by a manager of the group.”

Need to run a PowerShell command:

Set-DistributionGroup somedistributiongroup -ManagedBy "somebody@yourdomain.com" -BypassSecurityGroupManagerCheck -DomainController somedomaincontroller.yourdomain.com

The "-DomainController" switch may not be necessary. This seems to work on security groups as well.
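Both of the preceding entries (creating and mail-enabling a group, then assigning a manager so that only that person can change the membership) as one script. This is an added example, not from the notes; it assumes the ActiveDirectory PowerShell module is available on the server, and the OU path, domain controller name and manager address are placeholders.

```powershell
# Added example, not from the original notes. Placeholders: OU, DC and manager.
Import-Module ActiveDirectory

$groupName = 'Accounting'
$ou        = 'OU=Groups,DC=yourdomain,DC=com'
$dc        = 'dc01.yourdomain.com'

# 1. Create the group as Universal / Distribution. Only universal groups can be
#    mail-enabled, and a Distribution group carries no permissions, unlike a
#    Security group that happens to have an address.
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Universal `
    -GroupCategory Distribution -Path $ou -Server $dc

# 2. Mail-enable it against the same DC the group was just written to, so
#    Exchange does not look it up on a DC that has not replicated yet.
Enable-DistributionGroup -Identity $groupName -DomainController $dc

# 3. Delegate membership changes to one named owner.
#    -BypassSecurityGroupManagerCheck is needed because the admin running this
#    is not (yet) the group's manager.
Set-DistributionGroup -Identity $groupName -ManagedBy 'carol@yourdomain.com' `
    -BypassSecurityGroupManagerCheck -DomainController $dc

# 4. Verify. RequireSenderAuthenticationEnabled defaults to True, which keeps
#    outside senders from mailing the whole group; leave it unless you mean to.
Get-DistributionGroup -Identity $groupName -DomainController $dc |
    Format-List Name, GroupType, PrimarySmtpAddress, ManagedBy, RequireSenderAuthenticationEnabled
```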

domains, which ones accepted by your Exchange server – Organization Configuration / Hub Transport / Accepted domains

domains, which ones can be used by a user – Recipient Configuration / Mailbox / <user> / Properties / Email addresses

domain, email on a domain other than your main one doesn’t work, can’t access – actually, this particular symptom also happens if you have another email on the same domain.  Anyway, just start the “Microsoft Exchange System Attendant” service.  This was the Sarah/Mahesh problem 5/17/11.

–E–

email address policy –

Using the GUI:

From the Exchange Management Shell, to see a list of the policies, type

Get-EmailAddressPolicy

or, with some extras like which RecipientFilter and the ExchangeVersion,

Get-EmailAddressPolicy | Format-List Name,*RecipientFilter*,ExchangeVersion

To update, use the Set-EmailAddressPolicy cmdlet to edit the policy settings and the Update-EmailAddressPolicy to apply the e-mail address policy to the intended recipients.

email address, how emails from a given sending address were disposed of, according to the agent log:

Get-AgentLog -StartDate "6/18/2008" -EndDate "6/27/2008" | where {$_.P1FromAddress -like "foobar@yourdomain.com"}

email, change default – if you have several domains, one is the default.  But different people in your organization may want different defaults.  You might try Exchange console, Recipient configuration, Mailbox, select a mailbox you want to change, right click, properties, go to the “E-Mail Addresses” tab.  You might very well see that the “Set as Reply” option is greyed out.  Why is it greyed out?  Look at the bottom of that same tab and you’ll probably see the “Automatically update e-mail addresses based on email address policy” box is checked.  Which is probably what you want if you have a bunch of people who you want to default to the same domain.  So now what?  See email address policy
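The two entries above (email address policy, and the greyed-out "Set as Reply" button) are two sides of one mechanism: while "Automatically update e-mail addresses based on email address policy" is checked, the policy decides the reply address. The added example below (mine, not from the notes) shows both ways to change a default: a scoped policy for a whole OU, and a per-mailbox override for one person. Policy name, OU, domains and the mailbox are placeholders.

```powershell
# Added example, not from the original notes. Placeholder names throughout.

# Which policies exist, in what order, and whom they select
Get-EmailAddressPolicy |
    Format-List Name, Priority, RecipientFilter, EnabledEmailAddressTemplates, ExchangeVersion

# Whole-OU default: make otherdomain.com the reply address (upper-case "SMTP:")
# for mailboxes in the Sales OU, keeping the old yourdomain.com address as a
# secondary (lower-case "smtp:") so mail to it still arrives.
New-EmailAddressPolicy -Name 'Sales policy' -Priority 1 `
    -RecipientContainer 'yourdomain.com/Sales' `
    -IncludedRecipients MailboxUsers `
    -EnabledEmailAddressTemplates 'SMTP:%g.%s@otherdomain.com', 'smtp:%m@yourdomain.com'

# Set-/New-EmailAddressPolicy only store the policy; nothing happens to the
# mailboxes until it is applied.
Update-EmailAddressPolicy -Identity 'Sales policy'

# Per-mailbox default: take this one mailbox out of policy control, then set the
# reply address directly. This is what un-greys "Set as Reply" in the console.
Set-Mailbox -Identity 'Bob Smith' -EmailAddressPolicyEnabled $false
Set-Mailbox -Identity 'Bob Smith' -PrimarySmtpAddress 'bob.smith@otherdomain.com'

# Check: the entry starting with upper-case SMTP: is the reply address.
Get-Mailbox -Identity 'Bob Smith' | Select-Object -ExpandProperty EmailAddresses
```

A mailbox with EmailAddressPolicyEnabled set to $false stops receiving new addresses when the policy changes later, so keep a list of the exceptions.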

email stuck – see queue, email stuck in

Entourage and RPC over HTTP – 1

emails, count of from one user for a day

[int] $intRec = 0
# Query every transport server; count DELIVER events for the recipient in the window
Get-TransportService | `
  Get-MessageTrackingLog -ResultSize Unlimited -Start "4/09/2015" -End "4/10/2015" `
  -Recipients "someuser@yourdomain.com" -EventID DELIVER | `
  ForEach-Object { $intRec++ }
Write-Host "E-mails received:", $intRec

Error messages when you try to connect Outlook 2007 to Exchange Server: "The action cannot be completed" or "Your Microsoft Exchange Server is unavailable" or "Cannot start Microsoft Office Outlook" – see here

SYMPTOMS

When you try to connect Microsoft Office Outlook 2007 to Microsoft Exchange Server, you may experience any one of the following symptoms:

CAUSE

This problem may occur if the Outlook 2007 client computer does not have a default gateway configured.

WORKAROUND

If you cannot configure a default gateway for your network settings, you can work around this problem by adding a DWORD value that is named DefConnectOpts to the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC

To add this DWORD value, follow these steps.

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type DefConnectOpts, and then press ENTER.
  5. Right-click DefConnectOpts, and then click Modify.
  6. In the Value data box, type 0, and then click OK.
  7. Exit Registry Editor.
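Both registry tweaks on this page (DumpsterAlwaysOn under "deleted items, recover from any folder" and DefConnectOpts above) are a DWORD under a key that may not exist yet. The added helper below (mine, not from the notes) creates the key if needed, skips the write when the value is already correct, and reads it back. Writing under HKLM needs an elevated shell; which of the two Exchange client keys applies depends on whether Outlook is 32-bit on 64-bit Windows (the Wow6432Node path the notes give for Win 7) or matches the OS, and that choice is left to the caller.

```powershell
# Added example, not from the original notes: idempotent DWORD setter for the
# two registry values described on this page.
function Set-RegistryDword {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # PowerShell drive form, e.g. HKCU:\Software\...
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$Value
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null          # creates intermediate keys too
    }
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($existing -and $existing.$Name -eq $Value) {
        return "$Path\$Name already $Value"
    }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    # read back so a failed write (e.g. not elevated) is visible
    $now = (Get-ItemProperty -Path $Path -Name $Name).$Name
    return "$Path\$Name is now $now"
}

# Recover Deleted Items on every folder (pick the key matching your Outlook/OS bitness)
Set-RegistryDword -Path 'HKLM:\SOFTWARE\Microsoft\Exchange\Client\Options' `
                  -Name 'DumpsterAlwaysOn' -Value 1

# Outlook 2007 without a default gateway (per-user key, Office 12.0)
Set-RegistryDword -Path 'HKCU:\Software\Microsoft\Office\12.0\Outlook\RPC' `
                  -Name 'DefConnectOpts' -Value 0
```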

export data from a .pst file – run the Export-Mailbox cmdlet from a 32-bit computer that has the following installed:

For information about Exchange 2007 management tools 32-bit download, see Microsoft Exchange Server 2007 Management Tools (32-Bit).

If you export data to a folder in another mailbox, the target mailbox that you specify must exist before you run the command.

Exchange Server 2003 Mailflow (Part 1, 2) – for a general explanation of the mail flow

export mailbox data

You can export mailbox data from a mailbox to a .pst file. To export to a .pst file, you must use the PSTFolderPath parameter to specify the path to the .pst file to which data will be exported.
You can use the Export-Mailbox cmdlet to export data to either a folder or a .pst file.

This example exports the data from each mailbox to a separate .pst file located at C:\PSTFiles. The name of each .pst file will be <alias>.pst.
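The command the paragraph refers to is not on the page; the added example below is mine, not the notes' own, and assumes Exchange 2007 SP1 or later, a 32-bit management workstation with Outlook installed (as required above), and a database named "Mailbox Database" (placeholder). It also checks afterwards that every mailbox got its <alias>.pst.

```powershell
# Added example, not from the original notes. Database name is a placeholder.
$pstFolder = 'C:\PSTFiles'
$database  = 'Mailbox Database'

if (-not (Test-Path $pstFolder)) {
    New-Item -ItemType Directory -Path $pstFolder | Out-Null
}
# PST files are complete copies of mail; restrict the folder before filling it.
icacls $pstFolder /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null

# One <alias>.pst per mailbox in the database.
Get-Mailbox -Database $database -ResultSize Unlimited |
    Export-Mailbox -PSTFolderPath $pstFolder -Confirm:$false

# Verify: each mailbox should now have a matching file.
Get-Mailbox -Database $database -ResultSize Unlimited | ForEach-Object {
    $file = Join-Path $pstFolder ("{0}.pst" -f $_.Alias)
    New-Object PSObject -Property @{
        Alias    = $_.Alias
        Exported = (Test-Path $file)
        SizeMB   = $(if (Test-Path $file) { [math]::Round((Get-Item $file).Length / 1MB, 1) } else { 0 })
    }
} | Format-Table Alias, Exported, SizeMB -AutoSize
```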

event viewer, change how much stuff from the transport agent gets logged there

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Diagnostics\18 Agents - change from 0 to 7

–F–

forward mail (normal internal user) – Exc Mgt Console, Recipient Configuration, Mailbox, Mail Flow Settings tab.  Notice the “Properties…” button is greyed out.  Select “Delivery Options” so now the “Properties…” button is black.  Click the “Forward to:” check box and then Browse to whomever you want to forward.

forward mail to outside email address – create a Mail Contact (under Recipient Configuration), forward an email to there from the Mailbox.  Or, see here

full mailbox, see Mailbox Size GUI, mailbox size, which are getting close to full

–G–

Get-Mailbox outside current domain – include the "-ignoreDefaultScope" parameter

Get-Mailbox -ignoreDefaultScope | Select Name, alias | Sort-Object alias

GoDaddy peculiarities

POP – GoDaddy wants IDs in the format of “name@yourserver.com” whereas Exchange seems content with merely “name”.  Exchange seems to tolerate the “name@yourserver.com” with no special tweaking.

SMTP

change SMTP receive connector port to port 3535

SMTP authentication – first solve the unable to relay error message

greylist – greylisting is used on some mail servers to temporarily fail the first attempt of an email, asking the sending server to retry later.  Here’s some more explanation.  Try to reset “Glitch Retry Interval”.  But that registry key doesn’t seem to exist on 2007.

–H–

http, redirect to https

normally mail.yourdomain.com/owa will result in

Server Error

403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied.

Which is annoying.  Users don’t want to have to type in “https://”.  So why not redirect?  Easier said than done.  In fact, I couldn’t get any of the things below to work right.

First, there’s Microsoft’s Simplify the Outlook Web App URL approach:

iisreset /noforce

to restart IIS.

Then there’s Redirecting OWA URLs in Exchange 2010, which accounts for certain subdirectories.  It does all the steps above [only redirecting to https://mail.yourdomain/owa rather than just /owa] except messing with the Web.config file.  It then continues with:

Once this step is complete, you need to remove the enforced redirect from each of the virtual directories under the Default Web Site. To do this, select each virtual directory individually, and then open the HTTP Redirect property and uncheck the “Redirect requests to this destination” checkbox. You’ll need to do this on the following virtual directories:

If at this point you simply browse to http://mail.yourdomain.com, you’ll get an HTTP 403.4 error. This is because SSL is required at the top-level website. In order to get the redirect working, we need to disable SSL for the top level website while leaving it enabled for the relevant child virtual directories.

Select the Default Web Site and open the SSL Settings properties. Uncheck the Require SSL checkbox

Like the redirection settings, this change will be inherited down the tree for any virtual directory which does not explicitly set the setting independently. Ensure that SSL is required for the following virtual directories:

Well, that didn’t work either.  Someone commented, “had the same issue and fixed it by disabling the redirect just for Public”.  Nada.

The last thing I tried was Redirect Virtual Folder where they suggest:

Edit the web.config in the following directory "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa". Delete the following line

"<httpRedirect enabled="false" />"

That didn’t do anything

Then

C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/Exchange" /section:httpredirect /enabled:true -commit:apphost

Applied configuration changes to section "system.webServer/httpRedirect" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Exchange" at configuration commit path "MACHINE/WEBROOT/APPHOST"

 

C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/Exchweb" /section:httpredirect /enabled:true -commit:apphost

Applied configuration changes to section "system.webServer/httpRedirect" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Exchweb" at configuration commit path "MACHINE/WEBROOT/APPHOST"

 

C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/Public" /section:httpredirect /enabled:true -commit:apphost

Applied configuration changes to section "system.webServer/httpRedirect" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Public" at configuration commit path "MACHINE/WEBROOT/APPHOST"

And then this to disable redirection for /owa:

C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/owa" /section:httpredirect /enabled:false -commit:apphost

Applied configuration changes to section "system.webServer/httpRedirect" for "MACHINE/WEBROOT/APPHOST/Default Web Site/owa" at configuration commit path "MACHINE/WEBROOT/APPHOST"

None of this worked.  Even with copious “iisreset” sprinkled in.  I finally gave up.  Maybe someday I’ll figure it out.  But for now, I just put the “https” on a web page and point folks there.
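Every attempt above changes two inherited IIS settings (httpRedirect and Require SSL) on the root site and on a handful of child virtual directories, and a 403.4 or a redirect loop means one of them still has the wrong inherited value. The added diagnostic below (mine, not from the notes or from any of the articles linked above) reads both settings from the root and from each child directory in one table, so the odd one out is visible before the next iisreset. It assumes the WebAdministration module (IIS 7.5 on Server 2008 R2) and the site name "Default Web Site".

```powershell
# Added diagnostic, not from the original notes. Shows redirect and SSL state
# per virtual directory; the target state for http->https is: root has the
# redirect and no SSL requirement, /owa has SSL required and no redirect.
Import-Module WebAdministration

function Get-OwaRedirectState {
    param(
        [string]$Site = 'Default Web Site',
        [string[]]$VDirs = @('owa', 'ecp', 'Exchange', 'Exchweb', 'Public',
                             'Autodiscover', 'EWS', 'OAB', 'Microsoft-Server-ActiveSync')
    )
    foreach ($name in (@('') + $VDirs)) {
        $psPath = if ($name) { "IIS:\Sites\$Site\$name" } else { "IIS:\Sites\$Site" }
        if (-not (Test-Path $psPath)) { continue }    # vdir not present on this role

        $redir = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/httpRedirect'
        $acc   = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/access'

        New-Object PSObject -Property @{
            Path        = $(if ($name) { "/$name" } else { '/' })
            RedirectOn  = [bool]$redir.enabled
            Destination = $redir.destination
            RequireSsl  = ("$($acc.sslFlags)" -like '*Ssl*')
        }
    }
}

Get-OwaRedirectState | Format-Table Path, RedirectOn, Destination, RequireSsl -AutoSize
```

Run it after each change instead of browsing to the site; a child directory that shows RedirectOn = True with the root's destination is inheriting the redirect and will loop, and a root that still shows RequireSsl = True is what produces the 403.4.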

–I–

Install exchange server 2007 - tutorial

Prep Work:

In order to install Exchange 2007 the server must be running Windows Server 2003 x64 and have SP1 installed. You must also install the .NET 2.0 Framework and MMC 3.0 but if you do not have these two components installed, you can install them during setup.

Install IIS first, and then .Net 2.0

MMC 3.0 – you will be prompted to install from CD

PowerShell – you will be prompted to install from CD

enable ASP.net ver 2.XXX in IIS! – shouldn’t have to do this in 2007 – only in 2003

Raise Domain level - Computers, right click on yourdomain.com and select Raise Domain Functional Level.  From the drop-down box choose Windows Server 2003 and click on Raise.

Administrative Tools, Active Directory Domains and Trusts, right click on yourdomain.com.  Raise domain functional level.

After installation:

Even if you don’t set up a separate Edge Transport server, you still need to substitute a Hub Transport or else something important won’t work.  From Exchange Server 2007: Internet email without Edge servers:

The Edge Transport server role is not a required role. It's good to have if you don't want to expose your domain-joined Exchange servers to the internet, and the high amount of spam that mail gateways receive and filter. Nevertheless, many small environments - typically those with a single Exchange server - do not have that luxury.
In such environments, you can use a Hub Transport server to send/receive internet mail.
The default installation of a Hub Transport server creates two Receive Connectors –

The Default Receive Connector only accepts mails from authenticated senders/hosts. This is configured to accept mail from Mailbox Servers, other Hub Transport servers, and Edge Transport servers.
To make it accept inbound internet mail in an environment without an Edge Transport server, you need to configure it to accept mail from anonymous senders. Here's how you can do this from the Exchange command shell:

set-ReceiveConnector -identity "Name of Default Connector" -PermissionGroups AnonymousUsers

How to determine permissions:

Get-ReceiveConnector -Identity "Client Mail3" | Get-ADPermission

By default, Hub Transport servers do not have anti-spam agents installed. Read related post " HOW TO: Install anti-spam agents on Hub Transport server".
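One caveat on the quoted Set-ReceiveConnector line: -PermissionGroups sets the whole list, so passing only AnonymousUsers removes ExchangeServers/ExchangeUsers from the Default connector and authenticated mail between your own servers stops. The added example below (mine, not from the quoted post) adds AnonymousUsers to whatever is already there, and then checks that anonymous callers got only the submit rights and not ms-Exch-SMTP-Accept-Any-Recipient, which is the permission that turns a connector into an open relay. The connector identity is a placeholder.

```powershell
# Added example, not from the quoted post. Connector identity is a placeholder.
$id = 'MAIL3\Default MAIL3'
$rc = Get-ReceiveConnector -Identity $id

# PermissionGroups is a flags value ("ExchangeUsers, ExchangeServers, ...");
# rebuild it with AnonymousUsers added rather than replacing it.
$groups = $rc.PermissionGroups.ToString().Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne 'None' }
if ($groups -notcontains 'AnonymousUsers') {
    $groups += 'AnonymousUsers'
    Set-ReceiveConnector -Identity $id -PermissionGroups ($groups -join ',')
}

# What anonymous senders can now do on this connector.
$anonRights = Get-ReceiveConnector -Identity $id |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { -not $_.Deny } |
    Select-Object -ExpandProperty ExtendedRights |
    ForEach-Object { $_.ToString() }

$anonRights
if ($anonRights -contains 'ms-Exch-SMTP-Accept-Any-Recipient') {
    Write-Warning "$id relays for anonymous senders - this is an open relay"
}
```

Expected after the change: ms-Exch-SMTP-Submit, ms-Exch-SMTP-Accept-Any-Sender and ms-Exch-SMTP-Accept-Authoritative-Domain-Sender for ANONYMOUS LOGON, and no warning. See also "open relay" under O.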

Other steps not related to installation:

Open and forward port 25 (SMTP) on your router

Change some DNS settings at your DNS registrar (GoDaddy)

A (Host)

Action   Host   Points To
------   ----   ---------
add      mail   Your IP address

CNAMES (Aliases)

Action   Host   Points To
------   ----   ---------
No changes, additions, deletions necessary in CNAMES area

MX (Mail Exchange)

Action   Priority        Host   Goes To
------   --------        ----   -------
add      0               @      Either mail.yourdomain.com or IP address
change   from 0 to 10    @      smtp.secureserver.net – changes from our primary to our secondary server
change   from 10 to 20   @      mailstore1.secureserver.net – changes from our secondary to our 3rd server

TXT (Text)

Action   Host   TXT Value
------   ----   ---------
add      @      v=spf1 a ~all

This will work.  But not recommended.  See SPF records.

You might want to point your MX record directly to an IP address instead of to another CNAME.  DNSStuff frowns, otherwise.

Call ISP about reverse DNS for your IP address; change to your name:  mail.yourdomain.com

internal emails, can’t send

You might be able to send emails outside the organization, but have problems sending them to another user on either

or both.  It will likely be stuck in the message queue.  It’s also possible that you can receive messages.  To track down the problem, send an email and we’ll look at what happens in the queue.  In the toolbox, go to “Tracking Log Explorer” (2010) or “Message Tracking Results” (2007) and focus on EventID “TRANSFER”.  Or from the PowerShell console:

get-messagetrackinglog -EventID "TRANSFER" -Start "12/20/2011 9:35:00 AM" -End "12/20/2011 11:45:00 AM"

This list might coincide with what’s stuck in the message queue.  Now if you want, you can try re-submitting the messages stuck in the queue.  But that probably won’t get you very far.

Your best bet is to look in the connectivity logs.  Often found at C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\Connectivity.  You might see something there like: Cannot achieve Exchange Server authentication.  If that’s the case, look at the properties of your “Default MAIL” (or whatever) Receive Connectors for all your Exchange clients.  Go to the Authentication tab and make sure the Exchange Server authentication box is set.  If it complains about the FQDN, fix it.  Don’t forget to restart the Transport service after you check the Exchange Server authentication box.

Since messages can get to the outside world but can’t be sent internally, you might look at the receive connectors.  Specifically, you’d think you’d want to turn on protocol logging for the receive connectors and maybe the send connectors.  But really, no internal traffic will ever even get to the protocol logs.  So that’d be a waste of time.

–J–

–K–

–L–


last time someone used their email - see newest email for a user

log files for messages – C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking

log files for messages rejected -  C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

logged in, last time

Get-MailboxStatistics "FirstName LastName"

logs, look at an extract – if you don’t want to manually trudge through the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

get-AgentLog -startDate:"04/25/2008 4 pm" -endDate:"04/25/2008 4:10 pm"

Should give you a bunch of entries like:

Timestamp       : 4/25/2008 4:06:43 PM
SessionId       : 08CA751B97841745
IPAddress       : 209.242.25.141
MessageId       : <2c05e4520de1fe763a348aa394e790a8@mailbc01.openfax.com>
P1FromAddress   : pbsbounce@yahoo.com
P2FromAddresses : {pbs@pbsworksforme.com}
Recipients      : {clyde@yourcompany.com}
Agent           : Content Filter Agent
Event           : OnEndOfData
Action          : QuarantineMessage
SmtpResponse    : 550 5.2.1 Content Filter agent quarantined this message
Reason          : SclAtOrAboveQuarantineThreshold
ReasonData      : 5
Diagnostics     : DV:3.3.6422.600;SID:SenderIDStatus Pass

But wait!  There's more!  There's now a new, improved command line that pops up a window with the stuff all nicely formatted into a table:

Get-MessageTrackingLog -Start "April 17 2014 12:20pm" -End "April 17 2014 4:20pm" -sender "firstuser@yourdomain.com" -recipient "seconduser@yourdomain.com" -ResultSize Unlimited | select-object eventid, timestamp, messageid, sender, recipients, messagesubject | Out-Gridview
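The Get-AgentLog calls above (here, and under "email address, how emails from a given sending address were disposed of") return one record per message. The added example below (mine, not from the notes) rolls a window of the agent log up by agent, action and reason, optionally filtered on the envelope sender, and counts how many distinct source IPs were behind each verdict, which is the quick way to see whether a block is one misconfigured partner or a spam run. Note that -like with no wildcard, as in the sample above, is an exact match; the function accepts wildcards such as '*@yourdomain.com'.

```powershell
# Added example, not from the original notes: agent log summary per verdict.
function Get-AgentLogSummary {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-1),
        [datetime]$EndDate   = (Get-Date),
        [string]$Sender               # P1 (envelope) sender, wildcards allowed
    )
    $entries = Get-AgentLog -StartDate $StartDate -EndDate $EndDate
    if ($Sender) {
        $entries = $entries | Where-Object { $_.P1FromAddress -like $Sender }
    }
    $entries |
        Group-Object Agent, Action, Reason |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Agent     = $first.Agent
                Action    = $first.Action
                Reason    = $first.Reason
                Count     = $_.Count
                SourceIPs = @($_.Group | ForEach-Object { $_.IPAddress } | Sort-Object -Unique).Count
                LastSeen  = ($_.Group | Sort-Object Timestamp | Select-Object -Last 1).Timestamp
            }
        } | Sort-Object Count -Descending
}

# Same window and sender as the Get-AgentLog example earlier on this page.
Get-AgentLogSummary -StartDate '6/18/2008' -EndDate '6/27/2008' -Sender 'foobar@yourdomain.com' |
    Format-Table Agent, Action, Reason, Count, SourceIPs, LastSeen -AutoSize
```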

log, transcript

At the Command Shell prompt type

Start-Transcript

to collect the information.  Next do a

Get-ReceiveConnector | FL *

to collect all of the info on your Receive connectors.  Now do a

Stop-Transcript

to create a Transcript text file in the My Documents Folder

–M–

Mac integration – see also Entourage

mailbox, create –

New-Mailbox -Name 'test1' -Alias 'test1' -UserPrincipalName 'test1@yourdomain.net' -SamAccountName 'test1' -FirstName 'test1' -Initials '' -LastName '' -Password 'System.Security.SecureString' -ResetPasswordOnNextLogon $false

this command only works if you already have the user set up.  Otherwise you get:

Cannot process argument transformation on parameter 'Password'. Cannot convert the "System.Security.SecureString" value
 of type "System.String" to type "System.Security.SecureString".
    + CategoryInfo          : InvalidData: (:) [New-Mailbox], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,New-Mailbox
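The error is literal: the console's "copy command" output prints the word 'System.Security.SecureString' where the password went, and pasting that string back in is what fails the conversion. The added example below (mine, not the notes' command) prompts for the password as a SecureString instead; OU and database are placeholders, and the commented Enable-Mailbox line is the command for the case where the AD user already exists.

```powershell
# Added example, not from the original notes. OU and database are placeholders.
# Read the password as a SecureString; never put it in the script as text.
$password = Read-Host -Prompt 'Initial password for test1' -AsSecureString

New-Mailbox -Name 'test1' -Alias 'test1' -UserPrincipalName 'test1@yourdomain.net' `
    -SamAccountName 'test1' -FirstName 'test1' -LastName '' `
    -OrganizationalUnit 'yourdomain.net/Users' -Database 'Mailbox Database 02' `
    -Password $password -ResetPasswordOnNextLogon $true

# If the AD account already exists, New-Mailbox is the wrong cmdlet (it creates
# a user); mail-enable the existing one instead:
# Enable-Mailbox -Identity 'yourdomain.net/Users/test1' -Database 'Mailbox Database 02'

# Confirm what was created.
Get-Mailbox -Identity 'test1' | Format-List Name, Alias, UserPrincipalName, Database, EmailAddresses
```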

mailbox folder list

Get-MailboxFolderStatistics bthompson | ft > C:\Users\someuser\Desktop\bthompson1.txt

But this truncates some data. So just select a few columns:

Get-MailboxFolderStatistics bthompson | Select Name, FolderPath, FolderSize, ItemsInFolder, ItemsInFolderAndSubfolders | ft > C:\Users\someuser\Desktop\bthompson4.txt

mailbox list doesn't show all the users you'd expect

The solution is below:

  1. Open the Exchange Management Console.
  2. Right-click Recipient Configuration.
  3. Select Modify Recipient Scope.
  4. Select the View all recipients in forest option.
  5. Select the Global Catalog check box and select the local global catalog server (AD1).
  6. To close, click OK.

mailbox, move – for example, from exchange 2003 to exchange 2010 – here’s a video

You can start by going to the Exchange Management Console, Recipient Configuration, Mailbox, <user’s mailbox>, right click, “New Local Move Request”.  If you go through the wizard, it’ll eventually generate the following command:

'mydomain.net/Users/Bob Smith' | New-MoveRequest -TargetDatabase 'Mailbox Database 02'

To find out how it went:

Get-MoveRequest
 
DisplayName   Status   TargetDatabase
-----------   ------   --------------
Bob Smith     Failed   Mailbox Database 02

For more detail

Get-moverequest|get-moverequeststatistics
 
DisplayName   Status  TotalMailboxSize          TotalArchiveSize  PercentComplete
-----------   ------  ----------------          ----------------  ---------------
Bob Smith     Failed  1.634 GB (1,754,863,82...                   43

Well, that didn’t really give too much detail, did it?  Like, why did it fail? Let’s try:

Get-moverequest|get-moverequeststatistics | fl

This gives a lot more detail, including:

TotalMailboxSize          : 1.634 GB (1,754,863,829 bytes)
TotalMailboxItemCount     : 9332
BytesTransferred          : 506.2 MB (530,740,370 bytes)
BytesTransferredPerMinute :
ItemsTransferred          : 1777
PercentComplete           : 43
PositionInQueue           :
FailureCode               : -2146233088
FailureType               : TooManyBadItemsPermanentException
FailureSide               :
Message                   : Error: This mailbox exceeded the maximum number of corrupted items that were specified
                            for this move request.
FailureTimestamp          : 2/22/2012 2:53:16 PM

Well, at this point, we probably want to kill this and try to clean up his mailbox.  Go to the Exchange Management Console, Recipient Configuration.  You’ll see Move Request with a little green arrow by it.  Click here, right click on Bob Smith’s move request, click on “Remove Move Request”.

Now let’s say you decide to go into his Outlook and delete a whole bunch of old junk.  And you do so.  And you even empty the “deleted items” folder.  But how to purge that?  You can find out how long the junk is held there:

Get-Mailbox <user> | fl RetainDeletedItemsFor

Should return something like:

RetainDeletedItemsFor : 7.00:00:00

7 days??  We don’t want to wait that long!  But how to actually purge?  Supposedly, the following works with 2010, SP1 or higher:

Search-Mailbox -Identity "Bob Smith" -SearchDumpsterOnly -DeleteContent

But I keep getting:

The term 'Search-mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:15
+ Search-mailbox <<<<  -identity "Bob Smith" -SearchDumpsterOnly -DeleteContent
    + CategoryInfo          : ObjectNotFound: (Search-mailbox:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Even with 2010, SP2.  “Deleted Items” is a managed folder.  We could always re-run the initial move command, but allow some bad emails (200, in this case).  If you specify too large a number (51 or more) for the “BadItemLimit”, you might also need to add the “AcceptLargeDataLoss” parameter as well.

[PS] C:\Windows\system32>'yourdomain.net/Users/Bob Smith' | New-MoveRequest -TargetDatabase 'Mailbox Database 02' -BadItemLimit '200' -AcceptLargeDataLoss
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it
will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that Exchange not copy such
items to the destination mailbox. At move completion, these corrupted items won't be available in the destination
mailbox.

This lets the corrupt messages be skipped rather than failing the move.  It should spit out something like what you see below:

 
DisplayName  Status  TotalMailboxSize          TotalArchiveSize  PercentComplete
-----------  ------  ----------------          ----------------  ---------------
Bob Smith    Queued  1.634 GB (1,754,674,21...                   0

Don’t let the “0 PercentComplete” annoy you.  Remember, just go

Get-moverequest|get-moverequeststatistics | fl

to see the progress.
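The "Search-mailbox is not recognized" error above is not a service-pack problem: Exchange 2010 RBAC hides a cmdlet from anyone without a role that contains it. Search-Mailbox comes with the "Mailbox Search" role (held by the built-in Discovery Management role group, which Organization Management members are not in by default), and -DeleteContent additionally requires the "Mailbox Import Export" role, which is assigned to nobody by default. The added example below (mine, not from the notes) grants both to one admin, does a dry run with -EstimateResultOnly, and only then purges the dumpster; the admin name is a placeholder, and a new shell session is needed after the role changes.

```powershell
# Added example, not from the original notes. Admin name is a placeholder.
$admin = 'Administrator'

# "Mailbox Search" via the built-in Discovery Management role group
$members = Get-RoleGroupMember -Identity 'Discovery Management' | ForEach-Object { $_.Name }
if ($members -notcontains $admin) {
    Add-RoleGroupMember -Identity 'Discovery Management' -Member $admin
}

# "Mailbox Import Export" is assigned to no one out of the box; assign it directly
$has = Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -RoleAssignee $admin -ErrorAction SilentlyContinue
if (-not $has) {
    New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $admin | Out-Null
}

# Roles are evaluated when the shell connects: open a new EMS before continuing.

# Dry run: how much sits in the Recoverable Items (dumpster) for this mailbox
Search-Mailbox -Identity 'Bob Smith' -SearchDumpsterOnly -EstimateResultOnly

# Real purge (irreversible; -Force suppresses the per-mailbox prompt)
# Search-Mailbox -Identity 'Bob Smith' -SearchDumpsterOnly -DeleteContent -Force

# Remove the extra role again when the cleanup is done (least privilege)
# Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -RoleAssignee $admin | Remove-ManagementRoleAssignment
```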

mailbox size

Get-MailboxStatistics -Identity "Bob Smith" | fl

Did you just delete a whole bunch of stuff, but mailbox still same size?

Get-Mailbox "Bob Smith" | fl RetainDeletedItemsFor
 
RetainDeletedItemsFor : 7.00:00:00

mailbox size, which are getting close to full –
Get-MailboxStatistics | where {$_.StorageLimitStatus -ne "BelowLimit"}
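StorageLimitStatus only tells you who has already crossed a threshold. The added example below (mine, not from the notes) computes how full each mailbox is against its effective quota, which is the database default unless the mailbox overrides it, and lists everything at or above a chosen percentage together with anything Exchange has already flagged. It assumes a local Exchange Management Shell (the .Value.ToBytes() calls, like the .ToMB() used above, do not work on objects deserialised over a remote session).

```powershell
# Added example, not from the original notes: percent of effective quota used.
function Get-MailboxQuotaUsage {
    param([int]$WarnPercent = 80)
    $dbQuota = @{}    # cache: database name -> ProhibitSendQuota

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailboxes never logged on to have no statistics yet; skip them
        $stats = Get-MailboxStatistics -Identity $mbx.Identity -WarningAction SilentlyContinue
        if (-not $stats) { continue }

        # Effective quota: mailbox override, else the database default
        $quota = $mbx.ProhibitSendQuota
        if ($mbx.UseDatabaseQuotaDefaults) {
            $dbName = $mbx.Database.ToString()
            if (-not $dbQuota.ContainsKey($dbName)) {
                $dbQuota[$dbName] = (Get-MailboxDatabase -Identity $mbx.Database).ProhibitSendQuota
            }
            $quota = $dbQuota[$dbName]
        }

        $usedBytes = $stats.TotalItemSize.Value.ToBytes()
        $pct = $null
        $quotaMB = 'unlimited'
        if (-not $quota.IsUnlimited) {
            $quotaBytes = $quota.Value.ToBytes()
            $pct     = [math]::Round(100 * $usedBytes / $quotaBytes, 1)
            $quotaMB = [math]::Round($quotaBytes / 1MB, 1)
        }

        New-Object PSObject -Property @{
            Mailbox            = $mbx.Alias
            UsedMB             = [math]::Round($usedBytes / 1MB, 1)
            QuotaMB            = $quotaMB
            PercentUsed        = $pct
            StorageLimitStatus = $stats.StorageLimitStatus
            NearFull           = ($pct -ne $null -and $pct -ge $WarnPercent)
        }
    }
}

Get-MailboxQuotaUsage -WarnPercent 80 |
    Where-Object { $_.NearFull -or $_.StorageLimitStatus -ne 'BelowLimit' } |
    Sort-Object PercentUsed -Descending |
    Format-Table Mailbox, UsedMB, QuotaMB, PercentUsed, StorageLimitStatus -AutoSize
```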

mailbox size GUI – from here

Should be a file named mbsizereportv5.ps1.  Like maybe in C:\scripts.  Needless to say, you need to be in the powershell to run this thing.

Version 5 has now been posted that fixes issue with quotas please see this
download the new version here or here.

552 5.3.4 Message size exceeds fixed maximum message size

Set-ReceiveConnector -identity "Default [SERVERNAME]" -maxmessagesize 20MB
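Raising one receive connector is often not enough, because the limit that actually applies is the smallest of the organization-wide limits (Set-TransportConfig), the receive and send connector limits, and any per-mailbox override. The added check below (mine, not from the notes) lists all of them in one table so the one still producing 552 5.3.4 is obvious.

```powershell
# Added check, not from the original notes: every message size limit in play.
function Get-MessageSizeLimits {
    $tc = Get-TransportConfig
    New-Object PSObject -Property @{ Scope = 'Organization'; Name = 'MaxReceiveSize'; Limit = "$($tc.MaxReceiveSize)" }
    New-Object PSObject -Property @{ Scope = 'Organization'; Name = 'MaxSendSize';    Limit = "$($tc.MaxSendSize)" }

    foreach ($c in Get-ReceiveConnector) {
        New-Object PSObject -Property @{ Scope = 'Receive connector'; Name = $c.Identity.ToString(); Limit = "$($c.MaxMessageSize)" }
    }
    foreach ($c in Get-SendConnector) {
        New-Object PSObject -Property @{ Scope = 'Send connector'; Name = $c.Identity.ToString(); Limit = "$($c.MaxMessageSize)" }
    }

    # Mailboxes that override the organization defaults (most show "unlimited",
    # meaning "use the organization limit")
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { -not $_.MaxReceiveSize.IsUnlimited -or -not $_.MaxSendSize.IsUnlimited } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Scope = 'Mailbox'
                Name  = $_.Alias
                Limit = "recv $($_.MaxReceiveSize) / send $($_.MaxSendSize)"
            }
        }
}

Get-MessageSizeLimits | Format-Table Scope, Name, Limit -AutoSize
```

To raise the organization ceiling to match the connector change above: Set-TransportConfig -MaxReceiveSize 20MB -MaxSendSize 20MB. Remember that a bigger limit also means bigger attachments the anti-spam agents and the mailbox database have to absorb, so keep it at what the business actually needs.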

message, retry

message tracking missing when you try to run it from the toolbox of the Exchange Management Console – you get a pop-up screen with something like, “There is a problem with this website’s security certificate” and you can “Continue to this website (not recommended)”.  When you do so, you are presented with a login screen.  But if you enter the ID & password, you get, “The webpage cannot be found”.

One point to keep in mind: there’s a big difference between “Message Tracking” and “Tracking Log Explorer”.  The one of most interest is the latter (“Tracking Log Explorer”).  Most of the following to diagnose and fix concerns the former (“Message Tracking”).

Diagnosis:

First, get some ECPVirtualDirectory info:

Get-EcpVirtualDirectory

Name                                                        Server
----                                                        ------
ecp (Default Web Site)                                      MAIL3

Get-EcpVirtualDirectory | fl *Authentication*

InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication           : True
WindowsAuthentication         : False
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
ExternalAuthenticationMethods : {Fba}

You can also see these Authentication settings at and actually change Authentication settings to Windows Authentication in the Exchange Management Console → Server Configuration → Client Access → properties of ECP

Note there are two tabs: one on the left for OWA and one on the right for ECP.

The ECP authentication settings must match OWA's authentication settings on the same CAS server

Notice in the example above InternalAuthenticationMethods is wrongly set to {Basic, Fba}; we want {Ntlm, WindowsIntegrated}.  Similarly,

Fix:

Change Authentication settings to Windows Authentication in EMC → Server Configuration → Client Access → properties of ECP.  If it’s already Integrated Windows authentication, you can change it to forms-based authentication and then back again.  Need to

iisreset /noforce /timeout:120

after each change.  I had to do the timeout of 120 seconds ‘cause I kept getting:

Attempting stop...
Restart attempt failed.
The service did not respond to the start or control request in a timely fashion. (2147943453, 8007041d)

When you run

Get-EcpVirtualDirectory | fl *Authentication*

again, you should get.

InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
BasicAuthentication           : False
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : False
LiveIdAuthentication          : False
ExternalAuthenticationMethods : {Fba}
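The rule stated above, that ECP's authentication must match OWA's on the same CAS, is the thing to check first, and it can be set from the shell instead of the console. The added example below (mine, not from the notes) reads both virtual directories on one server, optionally switches both to Integrated Windows authentication with one iisreset, and reports whether they match. The server name is a placeholder; it assumes Exchange 2010.

```powershell
# Added example, not from the original notes. Server name is a placeholder.
function Sync-OwaEcpAuthentication {
    param([string]$Server = 'MAIL3', [switch]$Apply)

    $owa = Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like 'owa*' }
    $ecp = Get-EcpVirtualDirectory -Server $Server

    if ($Apply) {
        # Integrated Windows on both; Basic is off so credentials are not sent
        # as a base64 header, and Forms is off because it cannot be combined.
        Set-OwaVirtualDirectory -Identity $owa.Identity -WindowsAuthentication $true `
            -BasicAuthentication $false -FormsAuthentication $false -DigestAuthentication $false
        Set-EcpVirtualDirectory -Identity $ecp.Identity -WindowsAuthentication $true `
            -BasicAuthentication $false -FormsAuthentication $false -DigestAuthentication $false

        iisreset /noforce /timeout:120

        $owa = Get-OwaVirtualDirectory -Identity $owa.Identity
        $ecp = Get-EcpVirtualDirectory -Identity $ecp.Identity
    }

    $owaMethods = ($owa.InternalAuthenticationMethods | Sort-Object) -join ','
    $ecpMethods = ($ecp.InternalAuthenticationMethods | Sort-Object) -join ','

    New-Object PSObject -Property @{
        Server      = $Server
        OwaInternal = $owaMethods
        EcpInternal = $ecpMethods
        Match       = ($owaMethods -eq $ecpMethods)
    }
}

# Look first; add -Apply to change both.
Sync-OwaEcpAuthentication -Server 'MAIL3' | Format-List
```

Expected after -Apply: OwaInternal and EcpInternal both read Ntlm,WindowsIntegrated and Match is True, which is the state shown in the listing above.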

Workaround:

Now you can always use the command line instead:

Get-MessageTrackingLog

Or, if you don’t like stuff getting chopped off and want to choose your fields, something like:

Get-MessageTrackingLog -Start "12/15/2011 09:00:00" -End "12/15/2011 17:00:00" | fl EventID, TimeStamp, Recipients, Sender, MessageSubject, MessageInfo, EventData

Or, more compact but truncated like 1st example:

Get-MessageTrackingLog -Start "12/15/2011 09:00:00" -End "12/15/2011 17:00:00" | ft -wrap EventID, TimeStamp, Recipients, Sender, MessageSubject, MessageInfo, EventData

Which gives you some info (probably all the info you’d need, actually), but not that pretty GUI we love so much.

Some other fixes I tried before I discovered the way to change authentication above:

First, make sure message tracking is enabled.

Chances are, message tracking is enabled.  So check it ahead of time:

Get-TransportServer

And skip the stuff immediately below if message tracking is enabled.

Two ways to do this: through GUI or command line.

Use the EMC to enable or disable message tracking on transport servers

  1. Perform one of the following steps:
  2. On the Properties page, click the Log Settings tab.
  3. In the Message tracking log section, perform one of the following steps:
  4. Click Apply to save changes and remain on the Properties page, or click OK to save changes and exit the Properties page.

Use the Shell to enable or disable message tracking on transport servers

This example disables message tracking on the Exchange 2010 computer Exchange01.

Set-TransportServer Exchange01 -MessageTrackingLogEnabled:$false

Chances are, however, message tracking was already enabled.

message tracking PowerShell script

determine how much email is going in and out of our mail stores for the last day, per user – description, download.  Generates .csv files

Migrate 2007 to 2010

most recent email for a user, date of - see newest email for a user

move exchange 2003 Mailbox to exchange 2010 – see mailbox, move

MX record, use NSLOOKUP to test your MX record – see NSLOOKUP to test your MX record

–N–

newest email for a user (timestamp of)

<#
script name: GetDateOfMostRecentEmail.ps1
Purpose: Find the most recent email for a list of users

Reads from: mailboxes.txt in your My Documents directory - list of users you care about (one SMTP address per line)
Writes to:  Mailboxes.csv in your My Documents directory
#>

$mydocs    = [environment]::GetFolderPath("MyDocuments")
$myList    = "$mydocs\mailboxes.txt"
$mailboxes = Get-Content $myList
$OutArray  = @()
foreach ($mailbox in $mailboxes) {
    $myobj = "" | Select-Object "Mailbox", "LastEmail"
    $myobj.Mailbox = $mailbox
    # Default ResultSize is 1000, so ask for everything; sort by time and keep the
    # newest timestamp only (keeping the whole entry puts "@{Timestamp=...}" in the CSV)
    $myobj.LastEmail = Get-MessageTrackingLog -EventId Receive -Recipients $mailbox -ResultSize Unlimited |
        Sort-Object Timestamp | Select-Object -Last 1 -ExpandProperty Timestamp
    $OutArray += $myobj
    $myobj = $null
}
$outputList = "$mydocs\Mailboxes.csv"
$OutArray | Export-Csv $outputList -NoTypeInformation
$OutArray

NSLOOKUP to test your MX record

C:\>nslookup
Default Server:  dns1.tri-isys.com
Address:  202.81.160.6
> server 192.168.100.2
Default Server:  DC01.mycompany.local
Address:  192.168.100.2
> set q=mx
> microsoft.com
Server:  DC01.mycompany.local
Address:  192.168.100.2
Non-authoritative answer:
microsoft.com   MX preference = 10, mail exchanger = maila.microsoft.com
microsoft.com   MX preference = 10, mail exchanger = mailb.microsoft.com
microsoft.com   MX preference = 10, mail exchanger = mailc.microsoft.com
microsoft.com   nameserver = ns2.msft.net
microsoft.com   nameserver = ns3.msft.net
microsoft.com   nameserver = ns4.msft.net
microsoft.com   nameserver = ns5.msft.net
microsoft.com   nameserver = ns1.msft.net
maila.microsoft.com     internet address = 131.107.3.125
maila.microsoft.com     internet address = 131.107.3.124
mailb.microsoft.com     internet address = 131.107.3.123
mailb.microsoft.com     internet address = 205.248.102.77
mailc.microsoft.com     internet address = 205.248.102.78
mailc.microsoft.com     internet address = 205.248.102.79
ns1.msft.net    internet address = 207.46.245.230
ns2.msft.net    internet address = 64.4.25.30
ns3.msft.net    internet address = 213.199.144.151
ns4.msft.net    internet address = 207.46.66.75
ns5.msft.net    internet address = 207.46.138.20
> exit

–O–

old server, see remains of – let’s say you just migrated from MAIL1 as your old server to MAIL2 as your new server.  You think you got everything moved over.  But how to tell for sure?

Get-ClientAccessServer | fl

open relay –see SMTP open relay

out of office – see here for Office 2007 run down

on the Exchange (server) side:

Organization Configuration → Hub Transport → click Remote Domains tab → right click Default → select Properties

In the “General” tab, select “allow internal out-of-office messages, and out-of-office messages set by Outlook 2003 or earlier clients or sent by Exchange Server 2003 or earlier servers”.

In the “Format of original message sent as attachment to journal report” tab, make sure the “Allow automatic replies” check box is set.

on the Outlook (client) side:

Under Tools, you might have an “out of office assistant”.  But you might get “Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later.”  Especially in Outlook 2007 because the Availability Service isn’t up.  If so, then create a rule (from within Outlook) to have your mailbox automatically reply to a sender.

out of office not working properly – make sure the (supposedly automatic) “MSExchangeMailboxAssistants” service is running

Outlook profile or account, can’t add – Other users working just fine but can’t add an existing user to Outlook? Make sure the "Microsoft Exchange System Attendant" service is running!  Even though it's "automatic", it often doesn't start when you start/restart the server.  When it's not running, previously created Outlook profiles will work just fine.  But good luck creating a new one.  POP accounts work just fine.  But not new Exchange connections from Outlook.

outside access – see remote access

OWA (Outlook Web App)

Forward port 443.  It’s often labeled “HTTPS”, which is what it is.

Control Panel, Add remove programs, add/remove Windows components, Network Services, check “RPC over HTTP Proxy”.  If not installed, OWA doesn’t work.

Exchange Management Console, “Server Configuration”, “Client Access”, right click “owa (Default Web Site)”, go to Properties, “General” tab.  By default the internal URL is already filled out.  But you also need to fill in “https://mail.yourserver.com/owa” in the “External URL” field.  You should set up DNS on GoDaddy to point the MX record to this address.  In the “Authentication” tab select “Basic Authentication”.  Uncheck the rest (can’t remember what the defaults were).

OWA, stop IE from automatically logging on with the one you last logged in with.  That is, stop it from automatically remembering the ID and password

The following are all supposed to work but don’t

  1. Click on the settings icon (looks like a gear) at the top right. Select F12 developer tools.  A developer tool will appear at the bottom of the browser. It comes with lots of menus. Click on Cache to expand the options.  Under Cache, you’ll see “Clear cookies for domain”. Select that option to delete the cookie.  But this doesn’t really seem to work to get rid of a stored user ID and password.
  2. Deleting HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\<numbers> will get OWA to start remembering passwords.  But not necessarily delete or change.  Since I was mainly interested in getting IE to stop remembering passwords, I haven’t tried it.
  3. Go to C:\Program Files\Microsoft\Exchange Server\v14\ClientAccess\Owa\auth and modify login.aspx, replacing the string autocomplete="off" with autocomplete="on".  But when I checked, it was already set to autocomplete="off" and it was still automatically logging on.
  4. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings and:

     a. On the Edit menu, click New, and then click DWORD Value.

     b. Type DisablePasswordCaching to name the new registry entry, and then press ENTER.

     c. Right-click DisablePasswordCaching, and then click Modify.

     d. Make sure that the Hexadecimal option button is selected, type 1 in the Value data box, and then click OK.

     e. To re-enable password caching, you can either delete the DisablePasswordCaching entry, or change its value to 0.

  5. Third-party IE PassView.  But that doesn’t seem to catch very many IDs and passwords either.  Certainly not the one for OWA.

–P–

Password, Outlook doesn’t remember – see credentials, keeps asking for every time you open up Outlook, doesn’t remember in Outlook.  Most of the stuff there pertains to the client machine.  But there is one Exchange tweak:

Get-outlookprovider -identity EXPR
 
Name     Server   CertPrincipalName  TTL
----     ------   -----------------  ---
EXPR                                 1

delete it:

Get-outlookprovider -identity EXPR | remove-outlookprovider
 
Confirm
Are you sure you want to perform this action?
Removing Outlook Provider "EXPR".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Once this is done, recycle the AutoDiscover application pool in IIS.  This keeps the Outlook clients from automatically picking up the settings for “Outlook Anywhere”, but retains the possibility of configuring it manually.

All web services and autodiscover information other than the proxy information itself are intact.  To restore the EXPR provider, run the following:

New-OutlookProvider -Name:EXPR

permissions

adsiedit.msc – part of the Windows Support Tools found in the D:\Support directory of your Server 2003 disk.  Once you install this, then figure out where to find what you’re looking for.  For example, to configure a receiving connector:

Configuration [mail.yourdomain.com] CN=Configuration, DC=yourdomain, DC=com CN=Services → CN=Microsoft Exchange → CN=yourdomain.com →CN=Administrative Groups → CN = Exchange Administrative Group (FYDIBOHF23SPDLT) → CN=Servers → CN=MAIL → CN=Protocols → CN=SMTP Receive Connectors → CN = Client MAIL → right click/properties → Security tab

determine – see here.  Get-ADPermission example:

get-adpermission "Default MAIL"

The example above truncates the output so you can’t read everything.

This example below shows the Get-ADPermission cmdlet used to get the permissions for Ted, with the output piped into Format-List

Get-ADPermission -Identity  Ted | Format-List

But it’s kind of goofy looking. Format-table -wrap is a little more compact and doesn’t chop stuff off.  Out-File is much like the > redirector. 

Get-ADPermission "Client MAIL" | Select ExtendedRights

It’s a little better in that at least the ExtendedRights aren’t chopped off.

add – Add-ADPermission as in:

Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

where “RelayConnector” is the name of your connector.

remove - Remove-ADPermission – Example: this example will remove send as permissions from user Test1.

Remove-ADPermission -Identity Administrator -user Test1 -ExtendedRights "send as"

Remove-ADPermission –Identity "Client MAIL" –user Everyone –ExtendedRights ms-Exch-Store-Create-Named-Properties

ms-Exch-Open-Send-Queue

POP server, connect client to – 1

POP3, Server Response: '-ERR Command is not valid in this state.'

POP service – enable

In the Services, change POP and IMAP to “automatic”.  These aren’t started automatically by default.  From here

1. Open the Exchange 2007 Management Shell (PowerShell)

2. Set MSExchangePOP3 service to automatic (not enabled by default)

Set-service msExchangePOP3 -startuptype automatic

3. Configure IP Address and Port for POP3. To use POP3 with SSL, run the following command:

Set-PopSettings -SSLBindings IPaddress:Port

4. Configure POP3 Authentication. If you want to use TLS encryption before authentication (enabled by default), run the following command:

Set-PopSettings -LoginType SecureLogin

5. Enable POP3 Protocol for the User Mailbox (enabled by default)

Set-CasMailbox MailboxName -Popenabled:$true

To find out the current setting, run the following command:

Get-CasMailbox MailboxName

6. Configure the SMTP Receive Connector on the Exchange Server to Allow Anonymous in order to send Email using the following command: - this failed 1/18/08

Set-ReceiveConnector "Servername\default Servername" -PermissionGroups "ExchangeServers,ExchangeUsers,ExchangeLegacyServers,AnonymousUsers"

7. Restart the Microsoft Exchange POP3 Service to apply the settings

Restart-service MSExchangePOP3

From here, it becomes apparent that forwarding the following ports is very important: 25.  Others that haven’t seemed quite so important: 135, 993, 995.

Exchange Management Console → Server Configuration → Hub Transport → Receive Connectors, choose all names – both Client Mail and Default MAIL in turn → click the Authentication tab and check the “Transport Layer Security (TLS)” box for both of them.  Leave “Basic Authentication” off.  On the “Permission Groups” tab check all of the boxes.

Exchange Management Console → Server Configuration → “Client Access”.  On the right most of the 3 panes, click “Enable Outlook Anywhere”.

Open the Exchange Management Console, in “Recipient Configuration”, “Mailbox”, select the user.  Right click that user and select Properties.  Go to the “Mailbox Features” tab, enable “MAPI”.

After you make all these changes, restart the following services: POP, IMAP, IIS.

POP, check Port 110 with the Telnet Command

You can check your POP3 Server on port 110 with the following Telnet command:

Open a command line and type

telnet exchange.domain.com 110

If your server is online a connection will be established on port 110 (POP3). An Exchange Server answers with the following output:

+OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (exchange.domain.com) ready.

Use the following commands for authentication and listing the messages:

USER Domain/Windows-NT-Account/Exchange-Mailbox
+OK
PASS <password>
+OK User successfully logged on.  
LIST
1 6855
2 1483
3 1056
4 1841
5 2037

A list of messages is displayed. If you would like to read message number 2, use the following command:

RETR 2
+OK
Received: by exchange.domain.com
 
id <01C44FA6.6E523331@exchange.domain.com>; Fri, 11 Jun 2004 13:22:50 +0200

and so forth

ports, TCP and UDP ports used by Exchange Server

PowerShell editor -PowerGUI

protocol logging – records the SMTP conversations that occur between e-mail servers as part of message delivery – not messages that occur between users internally.

Enable Protocol Logging on Receive Connectors

To use the EMC to turn on protocol logging for receive connectors on a Hub Transport server, follow these steps:

  1. Open the EMC and browse to the Server Configuration -> Hub Transport node in the Console tree.
  2. Select the Hub Transport server that contains the receive connector from the list in the Results pane.
  3. In the list of receive connectors, select the connector that you want to enable protocol logging on and click the Properties action in the Actions pane.
  4. In the properties dialog box for the connector, select the General tab.
  5. Next to the Protocol Logging Level option, select Verbose from the drop-down list
  6. Click OK to make the changes and close the properties dialog box.

You can also enable protocol logging on a receive connector through the PowerShell.

To see whether your protocol logging level for all of your receive connectors is currently “none” or “verbose”

Get-ReceiveConnector * | Format-Table identity, ProtocolLoggingLevel

To enable protocol logging:

Set-ReceiveConnector ReceiveConnectorName -ProtocolLoggingLevel Verbose

Enable Protocol Logging on Send Connectors

To enable protocol logging on send connectors in the EMC, follow these steps:

  1. Open the EMC and browse to the Organization Configuration -> Hub Transport node in the Console tree.
  2. Select the Send Connectors tab in the Work area.
  3. In the list of send connectors, select the connector that you want to enable protocol logging on.
  4. In the Actions pane on the right, click the Properties action to open the properties dialog box for the connector.
  5. In the properties dialog box, select the General tab.
  6. To the right of the Protocol Logging Level field, select Verbose from the drop-down list.
  7. Click OK to make the change and close the properties dialog box.

Again, using the PowerShell to see whether your protocol logging level for all of your send connectors is currently “none” or “verbose”:

Get-SendConnector * | Format-Table identity, ProtocolLoggingLevel

To enable the protocol logs for send connectors using EMS command:

Set-SendConnector SendConnectorName -ProtocolLoggingLevel Verbose

Configure the Location of the Protocol Logs

When you enable protocol logging, information is written to the protocol logs. On each server there is one instance of these logs for send connectors and one instance for receive connectors. To determine where those logs are or to change the location of those logs, you can use the following steps in the EMC:

  1. Open the EMC and browse to the Server Configuration -> Hub Transport node in the Console tree.
  2. In the list of Hub Transport servers in the Results pane, select the server that you want to modify the location of the protocol logs on.
  3. In the Actions pane on the right, select the Properties task to display the properties dialog box for the server you have selected.
  4. In the properties dialog box, click the Log Settings tab.
  5. View or modify the folder path in the Send Protocol Log Path field or the Receive Protocol Log Path field
  6. If you changed any of the protocol log paths, click OK to make the changes and close the properties dialog box.
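
Once verbose logging is on, the receive log is the place to see relay probing. What follows is an added example, not code from the page: it reads a receive protocol log, groups the lines by SMTP session and reports, per session, how many RCPT TO commands the client tried, how many were accepted and how many got “550 5.7.1 Unable to relay”. The column names are the ones Exchange writes in the “#Fields:” header of its protocol logs; the log text embedded below is constructed sample data with placeholder hosts and addresses.

```powershell
# Added example (not code from the page): summarise an SMTP Receive protocol log
# by session so that relay probing stands out. The column names are the ones
# Exchange writes in the "#Fields:" header of its protocol logs; the log text
# below is constructed sample data with placeholder hosts and addresses.
$fields = "date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"

$sampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-01-18T09:12:33.041Z,MAIL3\Default MAIL3,08CE1F0000000001,0,192.168.100.2:25,203.0.113.45:51234,+,,
2012-01-18T09:12:33.120Z,MAIL3\Default MAIL3,08CE1F0000000001,1,192.168.100.2:25,203.0.113.45:51234,<,EHLO probe.example.net,
2012-01-18T09:12:33.200Z,MAIL3\Default MAIL3,08CE1F0000000001,2,192.168.100.2:25,203.0.113.45:51234,<,MAIL FROM:<spoof@example.com>,
2012-01-18T09:12:33.210Z,MAIL3\Default MAIL3,08CE1F0000000001,3,192.168.100.2:25,203.0.113.45:51234,>,250 2.1.0 Sender OK,
2012-01-18T09:12:33.300Z,MAIL3\Default MAIL3,08CE1F0000000001,4,192.168.100.2:25,203.0.113.45:51234,<,RCPT TO:<someone@example.org>,
2012-01-18T09:12:33.310Z,MAIL3\Default MAIL3,08CE1F0000000001,5,192.168.100.2:25,203.0.113.45:51234,>,550 5.7.1 Unable to relay,
2012-01-18T09:12:33.400Z,MAIL3\Default MAIL3,08CE1F0000000001,6,192.168.100.2:25,203.0.113.45:51234,<,RCPT TO:<other@example.org>,
2012-01-18T09:12:33.410Z,MAIL3\Default MAIL3,08CE1F0000000001,7,192.168.100.2:25,203.0.113.45:51234,>,550 5.7.1 Unable to relay,
2012-01-18T09:12:33.500Z,MAIL3\Default MAIL3,08CE1F0000000001,8,192.168.100.2:25,203.0.113.45:51234,-,,Remote
2012-01-18T09:15:01.000Z,MAIL3\Relay MAIL3,08CE1F0000000002,0,192.168.100.2:25,192.168.100.50:49152,+,,
2012-01-18T09:15:01.020Z,MAIL3\Relay MAIL3,08CE1F0000000002,1,192.168.100.2:25,192.168.100.50:49152,*,SMTPSubmit SMTPAcceptAnyRecipient,Set Session Permissions
2012-01-18T09:15:01.100Z,MAIL3\Relay MAIL3,08CE1F0000000002,2,192.168.100.2:25,192.168.100.50:49152,<,MAIL FROM:<crm@yourdomain.net>,
2012-01-18T09:15:01.150Z,MAIL3\Relay MAIL3,08CE1F0000000002,3,192.168.100.2:25,192.168.100.50:49152,<,RCPT TO:<partner@example.org>,
2012-01-18T09:15:01.160Z,MAIL3\Relay MAIL3,08CE1F0000000002,4,192.168.100.2:25,192.168.100.50:49152,>,250 2.1.5 Recipient OK,
2012-01-18T09:15:02.000Z,MAIL3\Relay MAIL3,08CE1F0000000002,5,192.168.100.2:25,192.168.100.50:49152,-,,Local
'@

function Get-SmtpSessionSummary([string[]]$LogLines) {
    # Skip the "#" header lines and supply the column names ourselves.
    $rows = $LogLines | Where-Object { $_ -and -not $_.StartsWith("#") } | ConvertFrom-Csv -Header $fields
    foreach ($group in ($rows | Group-Object -Property "session-id")) {
        $s = @($group.Group | Sort-Object -Property { [int]$_."sequence-number" })
        $clientCmds  = @($s | Where-Object { $_.event -eq "<" })   # what the client sent
        $serverReply = @($s | Where-Object { $_.event -eq ">" })   # what the server answered
        # Exchange records the permissions it granted the session as a "*" event with
        # context "Set Session Permissions"; SMTPAcceptAnyRecipient is the relay right.
        $perms = @($s | Where-Object { $_.context -eq "Set Session Permissions" } | ForEach-Object { $_.data })
        New-Object PSObject -Property @{
            Session       = $group.Name
            Connector     = $s[0]."connector-id"
            RemoteIP      = ($s[0]."remote-endpoint" -split ":")[0]
            MailFrom      = @($clientCmds | Where-Object { $_.data -match "^MAIL FROM:" } | ForEach-Object { $_.data })[0]
            RcptAttempts  = @($clientCmds | Where-Object { $_.data -match "^RCPT TO:" }).Count
            RcptAccepted  = @($serverReply | Where-Object { $_.data -match "^250 2\.1\.5" }).Count
            RelayRejected = @($serverReply | Where-Object { $_.data -match "^550 5\.7\.1" }).Count
            CanRelay      = [bool]($perms -match "SMTPAcceptAnyRecipient")
        }
    }
}

$sessions = @(Get-SmtpSessionSummary ($sampleLog -split "`r?`n"))
$sessions | Format-Table Session, Connector, RemoteIP, RcptAttempts, RcptAccepted, RelayRejected, CanRelay -AutoSize

# Remote hosts refused relay repeatedly: candidates for the IP Block List or a firewall rule.
$sessions | Where-Object { $_.RelayRejected -gt 0 } | Group-Object -Property RemoteIP |
    ForEach-Object { "{0}: {1} relay attempts refused" -f $_.Name, ($_.Group | Measure-Object -Property RelayRejected -Sum).Sum }

# Against a real server, feed it the RECV*.log files from the Receive Protocol Log Path
# shown in the steps above, e.g.:
#   $dir = "$((Get-TransportServer MAIL3).ReceiveProtocolLogPath)"
#   Get-SmtpSessionSummary (Get-Content (Join-Path $dir "RECV*.log"))
```

The first session in the sample is the pattern you want to see from an outside host: sender accepted, every outside recipient refused with 550 5.7.1. The second shows a session that was granted SMTPAcceptAnyRecipient (a relay connector) and had an outside recipient accepted; if a session like that ever shows up from an address outside the connector’s intended range, the connector is an open relay.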

PTRs, also called Reverse DNS records, are generally a concern for mail, as some mail servers will reject mail originating from IPs that don't have a valid PTR record.  A PTR is a DNS record that maps an IP address to a domain name.  An IP can have only one PTR record. When we refer to a specific Reverse DNS record, we are talking about the PTR for a specific IP address.

public folders, list with owners

Get-PublicFolder -Identity "\" -Recurse | Get-PublicFolderClientPermission | where{$_.Accessrights -eq "owner"}

public folders permissions, get

Get-PublicFolderClientPermission "\folder" | Format-List

public folders permissions, remove

Remove-PublicFolderClientPermission -Identity "\folder" -User "some user"

public folders, remove

remove all user public folders

Get-PublicFolder -Server <server containing the public folder database> "\" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server <server containing the public folder database> -Recurse -ErrorAction:SilentlyContinue

remove all user system folders.

Get-PublicFolder -Server <server containing the public folder database> "\Non_Ipm_Subtree" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server <server containing the public folder database> -Recurse -ErrorAction:SilentlyContinue

–Q–

queues, 5 types –

submission queue – all messages received will always first be placed in the submission queue.

mailbox delivery queue – waiting to be delivered to a mailbox server in the same site

remote delivery queue – delivering messages to remote servers by using SMTP

poison message queue – messages suspected of having caused a transport failure; they are held here so they can’t screw up your Exchange environment again

unreachable queue – messages that can’t be routed to their destinations

queue, delete all messages in –

Say you’ve looked at all messages in a queue:

Get-Message -Filter {Queue -eq "mail3\65510"}

and you want to delete all these messages

Remove-Message -Filter {Queue -eq "mail3\65510"} -WithNDR $false

which doesn't send an NDR.  Or maybe you want to get rid of all our nicely generated, “unable to deliver” bounce backs for all the spam from unreachable sources:

Remove-Message -Filter {Subject -like "Undeliverable*"} -WithNDR $false

queue, email stuck in – see queues, see status, queues, retry, message, retry

queues, retry – The following will force a connection attempt for all queues that meet the following criteria:

· holding messages for the domain mail3

· have a status of Retry

· located on the server on which the command is executed

Retry-Queue -Filter {NextHopDomain -eq "mail3" -and Status -eq "Retry"}

queues, view

Get-Queue

to see queues with the most messages up top, or

Get-Queue -SortOrder: -MessageCount

might give something like:

Identity           DeliveryType Status MessageCount NextHopDomain
--------           ------------ ------ ------------ -------------
mail3\65510        DnsConnec... Retry  8            somedomain.com
mail3\8            SmtpRelay... Retry  2            hub version 8
mail3\Submission   Undefined    Ready  0            Submission

Status of “Retry” indicates problems.

If you want to see which messages are in the top-most queue above, note the “Queue” (in the column called “Identity” above) and

Get-Message -Filter {Queue -eq "mail3\65510"}

If, after looking at them, you want to delete all the messages in the top-most queue above:

Remove-Message -Filter {Queue -eq "mail3\65510"} -WithNDR $false

and don't send an NDR

quota, see which mailboxes are getting near – see mailbox size, which are getting close to full

–R–

RBL (real-time block list) – see block list providers, test

real-time block list (RBL) – see block list providers, test

receive connector FQDN, set

Set-ReceiveConnector -Identity "Default MAIL2" -Fqdn yourdomain.com

receive connector permissions

to determine permissions:

Get-ReceiveConnector -Identity "Client Mail3" | Get-ADPermission

Or, for more detail on extended permissions

Get-ReceiveConnector -Identity "Client Mail3" | Get-ADPermission | Format-Table User, Deny, ExtendedRights

To set, from the Exchange command shell:

set-ReceiveConnector -identity "Name of Default Connector" -PermissionGroups AnonymousUsers

receive connector info

Get-ReceiveConnector "Client Mail3" | sort-object | Format-List

redirect http to https – see http, redirect to https

relay open– see SMTP open relay

remote access – two ways

through Outlook using HTTP proxy

through IE using OWA

RPC over HTTP

configuring Outlook

RPC Proxy server

reply to email, change default –see email, change default

–S–

SACL Watcher servicelet encountered an error while monitoring SACL change.  Got error 1722 opening group policy on system xx.yourdomain.net in domain yourdomain – you can try Ntdsutil.  But you might get:

Found 1 server(s)
0 - (null)

This happens when you get to “list servers in site”, if you’re doing this on Win 2008 and you have Win 2003 servers.

send as alternate email address in Outlook – not straightforward.  See discussion & 3rd party tools here

send connector, create

new-SendConnector -Name 'SMTPSendConnectorMAIL3' -Usage 'Custom' -AddressSpaces 'SMTP:*;1' -IsScopedConnector $false -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $false -SourceTransportServers 'MAIL3'

send connector FQDN, set

Set-SendConnector -Identity "SMTPSendConnectorMAIL3" -Fqdn yourdomain.com

send connector FQDN, show

Get-SendConnector -Identity "InternetMail" | ft -Property fqdn

send connector info

Get-SendConnector "SMTPSendConnectorMAIL3" | sort-object | Format-List

Set-SendConnector

Services, which aren’t running that should be – from a powershell prompt:

Test-ServiceHealth

Shows which services are running, as well as those that aren’t but should be.

sites

MSExchange.org

SMTP, check Port 25 with the Telnet Command

You can check your SMTP Server on SMTP port 25 with the following Telnet command:
Open a command line and type

telnet mailserver.domain.com 25

If your server is online a connection will be established on port 25 (SMTP).
An Exchange Server answers with the following output:

220 mailserver.domain.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at  Sat, 22 May 2004 08:34:14 +0200

If you type the ‘help’ command the available commands are listed:

214-This server supports the following commands:
214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY

Try the following to send an email from the command line:

helo myserver.domain.com

should return something like

250 mailserver.domain.com Hello [192.168.100.17]

or perhaps merely

ehlo

returns somewhat more verbose output.  Either way, you can now begin issuing commands to send an email:

mail from:myname@mydomain.com
250 2.1.0 Sender OK
rcpt to:recipientname@mydomain.com
250 2.1.5 Recipient OK

You can put more than one "rcpt to:", but it seems that sometimes when you do that you only ever get it delivered to the 1st one you specify.
At this point, type in "data" to begin putting in what the recipient will actually see

data
354 Start mail input

These next 3 lines can be in any order.  It might seem odd to specify sender and recipients again when you already specified them above, but the ones you specified above are the ones that actually determine delivery.  The 3 below are optional and are what the recipient will actually see.

from: sender@mydomain.com

to: recipientname@mydomain.com

subject: This is a test mail

Now you have to put in an empty carriage return. This is important because this empty carriage return is what tells the program that whatever follows is supposed to be in the body. If you omit this empty carriage return, the email will still go out. But all the stuff you type in after will simply be ignored and your email won't have anything in the body.


This is the text of my test mail.

Put in a dot to let the program know you’re done writing your email

.
250 Mail queued mail for delivery

Depending on your environment, it might not actually send the email ’til you type in “quit”.

quit
221 Closing connection. Good bye.

Connection to host lost.

SMTP, change receive connector port

Exchange Management Console → Server Configuration → Hub Transport → Receive Connectors, choose whichever name – probably Default MAIL → right click Properties → choose the Network tab → add an entry to Local IP Addresses, type in the port and usually leave the “Use all IP addresses available on this server” radio button checked

SMTP open relay – see also SMTP unable to relay error message right below

check for – see SMTP above and when you attempt

rcpt to:recipientname@mydomain.com

you should get a response like

550 5.7.1 Unable to relay

if it’s closed or

250 2.1.5 Recipient OK

if it’s open
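
The same check done from a script, as an added example that is not code from the page: it connects to one of your own servers, runs EHLO, MAIL FROM and RCPT TO with addresses in domains your server is not authoritative for, reads the reply to RCPT TO and then issues RSET and QUIT. It never sends DATA, so nothing is queued. The host name and the probe addresses are placeholders.

```powershell
# Added example (not code from the page): the telnet relay check above, automated
# against one of your own servers. It stops after RCPT TO and never sends DATA,
# so nothing is queued; it only reads the reply codes. Server and addresses are
# placeholders for your own host and for domains your server is NOT authoritative for.
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # A reply can span several lines ("250-..."); the last line has a space after the code.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { break }
        $lines += $line
    } while ($line -match '^\d{3}-')
    return ($lines -join "`n")
}

function Test-SmtpRelay {
    param(
        [string]$Server,
        [int]$Port = 25,
        [string]$FromAddress = "probe@example.com",   # not one of your accepted domains
        [string]$ToAddress   = "probe@example.org",   # not one of your accepted domains either
        [string]$HeloName    = "relaytest.example.net"
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 15000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"   # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    try {
        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO $HeloName");            $ehlo = Read-SmtpReply $reader
        $writer.WriteLine("MAIL FROM:<$FromAddress>");  $mail = Read-SmtpReply $reader
        $writer.WriteLine("RCPT TO:<$ToAddress>");      $rcpt = Read-SmtpReply $reader
        $writer.WriteLine("RSET"); [void](Read-SmtpReply $reader)   # abandon the envelope
        $writer.WriteLine("QUIT"); [void](Read-SmtpReply $reader)
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{
        Server        = "${Server}:${Port}"
        Banner        = $banner
        EhloReply     = $ehlo
        MailFromReply = $mail
        RcptToReply   = $rcpt
        # 250 for an outside recipient in an anonymous session means the server relays for anyone.
        OpenRelay     = ($rcpt -match '^250')
    }
}

# Example run (placeholder host name); look at OpenRelay first, then at the reply text.
# Test-SmtpRelay -Server mail3.yourdomain.net | Format-List Server, OpenRelay, MailFromReply, RcptToReply
```

Run it from a machine outside any RemoteIPRanges you have deliberately granted relay to; run from an allowed address it will (correctly) report 250. OpenRelay = True from an arbitrary outside address means the anonymous relay permission described below has been granted too widely.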

SMTP unable to relay error message ("550 5.7.1 Unable to relay")

Note: following these instructions will result in an open, unprotected relay which anyone on the planet can use and abuse.  Do you really want that?  Probably not.

first, explicitly allow various domains and/or IP ranges to relay

Exchange Management Console → Organization Configuration → Hub Transport → Send Connectors tab → select SmtpSendConnector → right click Properties → choose the Address Space tab → add entries for various domains and IP ranges

After you’re done with this, you still might get the error, “Client does not have permission to send as this sender”

Exchange Management Console → Server Configuration → Hub Transport → Receive Connectors, choose all names – both Client Mail and Default MAIL in turn → right click Properties → choose the Authentication tab → clear all boxes; choose the Permissions tab and check all the boxes

This grants the most common permissions to the anonymous account, but it does not grant the relay permission. This step must be done through the Exchange shell:

Get-ReceiveConnector "CRM Application" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

In addition to being more difficult to complete, this step does not allow the anonymous account to bypass anti-spam.  To fix that:

Exchange Management Console → Organization Configuration → Hub Transport → Anti-spam tab → right click Content Filtering and disable
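
Since the Add-ADPermission line above is exactly what turns a connector into a relay, it is worth being able to find every connector that has it. The following is an added example, not code from the page, covering the “receive connector permissions” entry above as well: it walks all receive connectors, checks whether NT AUTHORITY\ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient, and combines that with the connector’s RemoteIPRanges to give a verdict. It assumes the Exchange Management Shell; connector names and ranges are whatever your organisation has.

```powershell
# Added example (not code from the page): audit every receive connector for the
# anonymous relay right the Add-ADPermission line above grants, and for how wide
# its RemoteIPRanges are. Assumes the Exchange Management Shell; connector
# names and ranges are whatever your organisation has.
$anonUser   = "NT AUTHORITY\ANONYMOUS LOGON"
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"
$everywhere = "0.0.0.0-255.255.255.255"   # the default RemoteIPRanges on a Default connector

function Get-ReceiveConnectorRelayAudit {
    foreach ($rc in Get-ReceiveConnector) {
        # Extended rights granted (not denied) to the anonymous principal on this connector
        $anonRights = @($rc | Get-ADPermission -User $anonUser | Where-Object { -not $_.Deny } |
                        ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" })
        $anonGroup = ("$($rc.PermissionGroups)" -match "AnonymousUsers")
        $canRelay  = ($anonRights -contains $relayRight)   # -contains ignores case
        $ranges    = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
        $wideOpen  = ($ranges -contains $everywhere)

        $verdict = "no anonymous access"
        if ($anonGroup) { $verdict = "anonymous inbound mail only (normal for an Internet-facing connector)" }
        if ($canRelay)  { $verdict = "anonymous relay, restricted to the listed ranges" }
        if ($canRelay -and $wideOpen) { $verdict = "OPEN RELAY: anonymous relay from any address" }

        New-Object PSObject -Property @{
            Connector      = "$($rc.Identity)"
            Bindings       = (@($rc.Bindings | ForEach-Object { "$_" }) -join ", ")
            AnonymousGroup = $anonGroup
            AnonymousRelay = $canRelay
            RemoteIPRanges = ($ranges -join ", ")
            Verdict        = $verdict
        }
    }
}

Get-ReceiveConnectorRelayAudit |
    Format-Table Connector, Bindings, AnonymousRelay, RemoteIPRanges, Verdict -AutoSize -Wrap

# Remediation for a connector that must relay for one application host only:
# scope it to that host instead of leaving the default range in place, e.g.
#   Set-ReceiveConnector "RelayConnector" -RemoteIPRanges 192.168.100.50
```

A dedicated relay connector scoped to the few internal hosts that need it (a CRM or monitoring box) is the normal shape; the relay right on the Default connector with the default 0.0.0.0-255.255.255.255 range is the open relay the note above warns about.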

spam – see also block list providers, test

spam police - see also block list providers, test

at&t

comcast

BlackList Monitor

Postini

SPF records – Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.  A typical record might look like this:

v=spf1 mx:61.18.45.14 mx:smtp.secureserver.net mx:mailstore1.secureserver.net mx:mail.your.com ip4:61.18.45.14  include:smtp.secureserver.net include:61.18.45.14  -all

which would allow GoDaddy’s main (smtp.secureserver.net) and backup (mailstore1.secureserver.net) servers, as well as local ones at 61.18.254.14 and mail.your.com, to send mail but – most importantly – will reject everyone else (-all).  This would work:

v=spf1 a ~all

But you really wouldn’t want to use it ’cause it allows anyone to send anything saying they’re you and rather defeats the whole purpose of having SPF records in the first place.  But if you’re trying to get something to work that requires an SPF record, then you can at least start with that.

SPF test - There are two types of SPF testers available. There are those that you send email to, which are good for testing how email actually behaves from the computer you are sitting at. There are also those that let you fill in the appropriate information and can simulate an SPF check from anyone and from anywhere.

Email based SPF testers

Form based SPF testers

SPF wizard - here – this is especially helpful to convert each phrase in your existing SPF record into English sentences
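
What the wizard does for you, as an added example in PowerShell (not code from the page, and not the wizard’s own logic): it splits an SPF record into its terms, describes each one in plain words and flags weak or malformed terms. The records it runs on are constructed. Note that it will warn about records shaped like the one in the SPF entry above, because per RFC 7208 the mx: and include: mechanisms take a domain name, not an IP address, and an all term with a + qualifier lets anyone pass.

```powershell
# Added example (not code from the page): split an SPF record into its terms,
# say in plain words what each one means and flag weak or malformed terms.
# The records it is run on below are constructed.
function ConvertFrom-SpfRecord([string]$Record) {
    $terms = @($Record.Trim() -split "\s+")
    if ($terms[0] -ne "v=spf1") { throw "Not an SPF record: it must start with v=spf1" }
    $resultName = @{ "+" = "PASS"; "-" = "FAIL"; "~" = "SOFTFAIL"; "?" = "NEUTRAL" }
    $ip4Pattern = '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$'
    $lookups    = 0   # RFC 7208 allows at most 10 DNS-querying terms per evaluation
    $rows = @()
    for ($i = 1; $i -lt $terms.Count; $i++) {
        $t = $terms[$i]; $q = "+"; $body = $t
        if ($t -match '^[+\-~?]') { $q = $t.Substring(0, 1); $body = $t.Substring(1) }
        # modifiers use name=value, mechanisms use name[:argument]
        $sep = if ($body -match '=') { "=" } else { ":" }
        $idx = $body.IndexOf($sep)
        if ($idx -ge 0) { $name = $body.Substring(0, $idx).ToLower(); $arg = $body.Substring($idx + 1) }
        else            { $name = $body.ToLower(); $arg = "" }
        if ($name -match '^(a|mx)/\d+$') { $arg = $name.Substring($name.IndexOf("/")); $name = $name.Substring(0, $name.IndexOf("/")) }
        $result = $resultName[$q]; $warning = ""
        $target = if ($arg -and -not $arg.StartsWith("/")) { $arg } else { "the domain itself$arg" }
        switch ($name) {
            "all"     { $meaning = "$result for every sender not matched by an earlier term"
                        if ($result -eq "PASS") { $warning = "'+all' lets anyone send as this domain; SPF becomes pointless" }
                        elseif ($result -eq "SOFTFAIL") { $warning = "'~all' only tags forgeries; '-all' tells receivers to reject them" } }
            "ip4"     { $meaning = "$result for mail from $arg"
                        if ($arg -notmatch $ip4Pattern) { $warning = "ip4: needs a dotted-quad address or CIDR block" } }
            "ip6"     { $meaning = "$result for mail from the IPv6 network $arg" }
            "a"       { $lookups++; $meaning = "$result for hosts in the A record of $target"
                        if ($arg -match $ip4Pattern) { $warning = "a: takes a domain name; an IP address here never matches" } }
            "mx"      { $lookups++; $meaning = "$result for the MX hosts of $target"
                        if ($arg -match $ip4Pattern) { $warning = "mx: takes a domain name; an IP address here never matches" } }
            "include" { $lookups++; $meaning = "evaluate the SPF record of $arg; a PASS there counts as $result here"
                        if ($arg -match $ip4Pattern -or -not $arg) { $warning = "include: takes a domain that has its own SPF record" } }
            "ptr"     { $lookups++; $meaning = "$result for hosts whose reverse DNS name is under $target"
                        $warning = "ptr is deprecated: slow and unreliable; prefer ip4, a or mx" }
            "exists"  { $lookups++; $meaning = "$result if an A record for $arg exists" }
            "redirect"{ $lookups++; $meaning = "use the SPF record of $arg in place of this one" }
            "exp"     { $meaning = "failure explanation text is taken from the TXT record $arg" }
            default   { $meaning = "unknown term"; $warning = "unrecognised mechanism '$name'; receivers return PermError" }
        }
        $rows += New-Object PSObject -Property @{ Term = $t; Result = $result; Mechanism = $name; Argument = $arg; Meaning = $meaning; Warning = $warning }
    }
    if ($lookups -gt 10) {
        $rows += New-Object PSObject -Property @{ Term = "(whole record)"; Result = ""; Mechanism = ""; Argument = ""; Meaning = "$lookups DNS-querying terms"; Warning = "more than 10 lookups: receivers return PermError" }
    }
    $rows | Select-Object Term, Result, Mechanism, Argument, Meaning, Warning
}

# A sound record: pass for the MX hosts, one network and a provider's include; reject the rest.
ConvertFrom-SpfRecord "v=spf1 mx ip4:203.0.113.0/24 include:spf.provider.example -all" | Format-Table -AutoSize -Wrap

# Malformed and weak variants (constructed): IP addresses where domains belong, and permissive all terms.
ConvertFrom-SpfRecord "v=spf1 mx:203.0.113.14 include:203.0.113.14 +all" | Where-Object { $_.Warning } | Format-Table Term, Warning -AutoSize -Wrap
ConvertFrom-SpfRecord "v=spf1 a ~all" | Format-Table Term, Result, Meaning, Warning -AutoSize -Wrap
```

Run it against your own published record (`nslookup -q=txt yourdomain.com` shows it) before relying on it; a term that never matches silently leaves a legitimate sender failing SPF, and a +all or a lookup-limit PermError silently makes the record useless.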

SPN, add – rather than using the “-a” switch which merely adds an SPN, you might want to use the “-s” switch which checks to see if there’s a duplicate first before adding an SPN

setspn -S POP3/MAIL3 MAIL3
Checking domain DC=yourdomain,DC=net

Registering ServicePrincipalNames for CN=MAIL3,OU=Domain Controllers,DC=yourdomain,DC=net
        POP3/MAIL3
Updated object

SPNs, view (Service Principal Name)

setspn -L hostname | sort-object

If it's just a Hub Transport (HT) server you'll need these:

SMTP/<fqdn>
SMTP/<netbiosname>
SMTPSVC/<fqdn>
SMTPSVC/<netbiosname>
HOST/<fqdn>
HOST/<netbiosname>

If it's also a Client Access Server (CAS), you'll need these (one each for FQDN and netbiosname):

POP3
IMAP4
IMAP

If it's a mailbox (MB) server, you'll need these (one each for FQDN and netbiosname):

ExchangeRFR
ExchangeMDB
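
The role-to-SPN rule above, turned into a check as an added example (not code from the page): one function builds the list of SPNs a server needs for its roles, another compares that list with what setspn -L reports. The setspn output embedded below is constructed sample data for a placeholder server.

```powershell
# Added example (not code from the page): compute the SPNs a server needs for
# its roles, as listed above, and diff them against what setspn reports. The
# setspn output below is constructed sample data for a placeholder server.
function Get-RequiredExchangeSpns([string]$NetBiosName, [string]$Fqdn, [string[]]$Roles) {
    $services = @("SMTP", "SMTPSVC", "HOST")                       # Hub Transport baseline
    if ($Roles -contains "CAS") { $services += "POP3", "IMAP4", "IMAP" }
    if ($Roles -contains "MB")  { $services += "ExchangeRFR", "ExchangeMDB" }
    foreach ($svc in $services) { "$svc/$Fqdn"; "$svc/$NetBiosName" }   # one each for FQDN and NetBIOS name
}

function Compare-ExchangeSpns([string[]]$SetspnOutput, [string[]]$Required) {
    # setspn -L prints one SPN per indented line after a "Registered ServicePrincipalNames for ..." header
    $have = @($SetspnOutput | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^\S+/\S+$' })
    foreach ($spn in $Required) {
        # -contains ignores case, which is what we want for SPN comparison
        New-Object PSObject -Property @{ SPN = $spn; Present = ($have -contains $spn) }
    }
}

# Constructed sample of what "setspn -L MAIL3" prints for a server that is missing a few entries
$sampleSetspn = @'
Registered ServicePrincipalNames for CN=MAIL3,OU=Domain Controllers,DC=yourdomain,DC=net:
        SMTP/MAIL3
        SMTP/mail3.yourdomain.net
        HOST/MAIL3
        HOST/mail3.yourdomain.net
        POP3/MAIL3
'@
$sampleLines = $sampleSetspn -split "`r?`n"

$required = Get-RequiredExchangeSpns -NetBiosName "MAIL3" -Fqdn "mail3.yourdomain.net" -Roles "HT", "CAS"
Compare-ExchangeSpns $sampleLines $required | Sort-Object Present, SPN | Format-Table SPN, Present -AutoSize

# Live: Compare-ExchangeSpns (setspn -L MAIL3) $required
# Missing entries are added with setspn -S, which checks for duplicates first (see "SPN, add").
```

For the sample the SMTPSVC pair, POP3/mail3.yourdomain.net and all four IMAP entries come back as Present = False; a duplicate SPN on another account is the other common cause of Kerberos failures, and setspn -S catches that when you add the missing ones.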

Symantec Antispam for Exchange not working – see instructions here

System health

Run

Test-SystemHealth

This brings up kind of a pop-up within the shell which shows progress with a succession of “o”.

Mailbox Role Checks
    Testing complete
    [oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo]

Which might take quite a while.  Eventually, you might get something like

WARNING: The Write DACL inherit (group) right for the Exchange Enterprise Servers group should be removed from the root of the domain.
WARNING: Current processor speed on server mail.yourdomain.net is less than the maximum possible speed. Maximum clock speed is 3301. Current clock speed is 1584.
WARNING: The SSL certificate for 'https://mail.yourdomain.com/ews/exchange.asmx' is self-signed. It does not provide any of the security guarantees provided by authority-signed or trusted certificates. It is strongly recommended that you install an authority-signed or trusted certificate.

And it might go on for quite a while.  I’ve never found this to be especially useful.

–T–

telnet – see POP and SMTP

for example, for SMTP:

telnet 192.168.0.1 25

term 'xx' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. (Exchange)

for example:

get-mailbox -ResultSize Unlimited

returns:

get-mailbox : The term 'get-mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ get-mailbox -ResultSize Unlimited
+ ~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (get-mailbox:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

need to run:

add-pssnapin *exchange* -erroraction SilentlyContinue

topology - Exchange Topology service on server localhost did not return a suitable domain controller –

Run policytest.  If it fails, it might look something like this:

policytest

This tool will check every domain controller in the local
domain to see if the "Manage auditing and security logs"
privilege granted to the "Exchange Enterprise Servers"
group by DomainPrep has replicated to that DC.  If the
policy change has not yet replicated to all DCs, then
you should avoid making policy changes on any DC that
has not received those changes yet.
 
You must have Domain Admin rights to run this tool
successfully.  If you see an error that says:
  !! LsaEnumerateAccountRights returned error 5 !!
then you don't have permission to open the LSA on the
given DC.


===============================================
Local domain is "yourdomain.net" (YOURDOMAIN)
Account is "YOURDOMAIN\Exchange Enterprise Servers"
========================
  DC      = "SERVER1"
  In site = "Default-First-Site-Name"
  !!! Right NOT found !!!
========================
  DC      = "SERVER2"
  In site = "Default-First-Site-Name"
  !!! Right NOT found !!!

Nothing below worked to fix either the main “topology” error above or the policytest errors.  But these are some of the things I tried.

Check Manage auditing and security log settings.

Open the Group Policy Management mmc snap-in on the domain controller specified in the event description
Navigate to Forest: yourdomain.net, Domains, yourdomain.net, Group Policy Objects.
Right click the Default Domain Controllers Security Settings, edit.  This should pop up the Group Policy Object Editor.
Navigate to Default Domain Controllers Security Settings, Computer Configuration, Windows Settings, Security Settings, expand Local Policies, and then click User Rights Assignments
In the results pane on the right, double-click Manage auditing and security log. Verify that both the Exchange Servers group and the Exchange Enterprise Servers group are listed.  If not, add them.

Make sure that Exchange server is member of proper groups.

Using commands

Make sure that the Exchange server is still a member of the Exchange Domain Servers group

dsquery group -samid "Exchange Domain Servers" | dsget group -members -expand

or

dsquery group -name "Exchange Domain Servers" | dsget group -members -expand

either one should return something like

"CN=Administrator,CN=Users,DC=yourdomain,DC=net"
"CN=MAIL3,OU=Domain Controllers,DC=yourdomain,DC=net"

Make sure that Exchange Domain Servers group is a member of Exchange Enterprise Servers group.

dsquery group -samid "Exchange Enterprise Servers" | dsget group -members -expand

or

dsquery group -name "Exchange Enterprise Servers" | dsget group -members -expand

either one should return something like

"CN=Exchange Domain Servers,CN=Users,DC=yourdomain,DC=net"
"CN=Administrator,CN=Users,DC=yourdomain,DC=net"
"CN=MAIL3,OU=Domain Controllers,DC=yourdomain,DC=net"

By default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller

Using the graphic interface

Look in the Active Directory Users and Computers, yourdomain.net, Users for “Exchange Domain Servers” and “Exchange Enterprise Servers”.  Look in the “Members” and “Members OF” tabs.

What if the Exchange server is missing from “Exchange Domain Servers”?  Find the Exchange server's computer account (in the Computers container or the Domain Controllers OU), open its properties, go to the Member Of tab and add the group there.  (I haven’t figured out how to do it the other way: going to the group and trying to add the computer.  Doesn’t seem to work.)  The reason the other way appears not to work is that the object picker on a group's Members tab does not search computer objects by default: click Object Types and tick Computers first.
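The same two checks, and the fix-up for either one, as an added example (not from the original page) using System.DirectoryServices, which works on any domain-joined machine without the ds* tools or RSAT.  It assumes the Exchange server's NetBIOS name is MAIL3; the group names are the standard ones above.

```powershell
# Added example: verify (and if needed repair) the Exchange group memberships
# with System.DirectoryServices.  Assumes the Exchange server is MAIL3.
$serverName = "MAIL3"
$rootDse    = [ADSI]"LDAP://RootDSE"
$domainDn   = $rootDse.Properties["defaultnamingcontext"][0]

function Find-AdObject([string]$ldapFilter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter     = $ldapFilter
    [void]$searcher.PropertiesToLoad.AddRange(@("distinguishedname", "memberof"))
    $searcher.FindOne()
}

# Computer accounts carry a trailing "$" in sAMAccountName
$computer = Find-AdObject "(&(objectClass=computer)(sAMAccountName=$serverName`$))"
$eds      = Find-AdObject "(&(objectClass=group)(sAMAccountName=Exchange Domain Servers))"
$ees      = Find-AdObject "(&(objectClass=group)(sAMAccountName=Exchange Enterprise Servers))"
if (-not ($computer -and $eds -and $ees)) { throw "Computer or Exchange group not found under $domainDn" }

$computerDn = $computer.Properties["distinguishedname"][0]
$edsDn      = $eds.Properties["distinguishedname"][0]
$eesDn      = $ees.Properties["distinguishedname"][0]

# memberOf lists direct memberships only, which is exactly what needs verifying here
$computerInEds = @($computer.Properties["memberof"]) -contains $edsDn
$edsInEes      = @($eds.Properties["memberof"])      -contains $eesDn

"$serverName in Exchange Domain Servers: $computerInEds"
"Exchange Domain Servers in Exchange Enterprise Servers: $edsInEes"

# Repair whichever link is missing.  IADsGroup.Add takes an ADsPath, not a bare DN.
if (-not $computerInEds) { ([ADSI]"LDAP://$edsDn").Add("LDAP://$computerDn") }
if (-not $edsInEes)      { ([ADSI]"LDAP://$eesDn").Add("LDAP://$edsDn") }
```

Run it from an account that can modify group membership (the Add calls fail otherwise), and allow for AD replication before expecting policytest on another DC to change its mind.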

Run

Get-ExchangeServer servername -Status | fl name, *controller*, *catalogs*

Look for CurrentDomainControllers and CurrentGlobalCatalogs

StaticDomainControllers           : {}
StaticGlobalCatalogs              : {}
StaticConfigDomainController      :
StaticExcludedDomainControllers   : {}
CurrentDomainControllers          : {servername.yourdomain.net}
CurrentGlobalCatalogs             : {servername.yourdomain.net}
CurrentConfigDomainController     : servername.yourdomain.net

Either the Static or the Current values above should be populated; they can’t all be empty.  If they are all blank you can’t set the “Current” ones directly (Exchange discovers those), but you can set the “Static” ones:

Set-ExchangeServer -Identity servername -StaticDomainControllers yourdomaincontroller1.yourdomain.net,yourdomaincontroller2.yourdomain.net `
  -StaticGlobalCatalogs "yourdomaincontroller.yourdomain.net" `
  -StaticConfigDomainController "yourdomaincontroller.yourdomain.net"

Pinning DCs this way switches off topology discovery for that server: if a pinned DC is later demoted or taken offline, Exchange will not fail over to another one on its own.  Use it to get out of trouble, then clear the static entries once the underlying problem is fixed.

To clear:

Set-ExchangeServer -Identity servername -StaticDomainControllers $Null `
  -StaticGlobalCatalogs $Null `
  -StaticConfigDomainController $Null

traces of old server – see old server, see remains

training

CBT Nuggets

Transcript

  1. Start the Exchange 2007 Management Shell.
  2. At the prompt type Start-Transcript (this records everything in the session to a file).
  3. Next run Get-ReceiveConnector | FL *   (| is the pipe symbol); this collects all of the info on your Receive connectors.
  4. Now run Stop-Transcript.  This finishes the transcript text file, by default in the My Documents folder (Stop-Transcript prints the path).

transport service won’t start

If you attempt to restart it and it locks up in “restarting” with all the other options greyed out, there’s no help for it but to reboot.  But rebooting alone won’t always work!  Often you’ll simply get a notice on boot-up that one or more services failed, and when you go to look at that service it’s still “starting”!  So you need to make a registry entry (from a clue I found here):

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeTransport

Add a new DWORD value called “BootPause” and enter 60 (decimal).

This is the value in seconds that we want to delay.  Since no other services depend on this one, we don’t have to worry too much about it.  The site I found this clue on dealt with another service called MSExchangeSA and describes 3 other workarounds, but on 1/31/08 adding the “BootPause” entry seemed to fix the problem.

–U–

unable to relay error message SMTP – see SMTP unable to relay error message

uninstall Exchange.  Let’s say you move all your mailboxes from an old Exchange 2007 server – MAIL2 – to a shiny new Exchange 2010 server – MAIL3.  You turn off your old Exchange 2007 server and, lo and behold, all your emails are processing just fine.  That means you’re done, right? Har!  You didn’t think you’d get off that easy, did you?  Let’s just take a look to see if there are any remains:

Get-ClientAccessServer | fl

You’ll see something like:

RunspaceId                           : 78075ede-f297-4a9d-92c4-d8cc2dfd72c3
Name                                 : MAIL2
Fqdn                                 : mail2.yourdomain.net
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : mail2
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://mail.yourdomain.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : False
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : unlimited
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           :
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=MAIL2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Admini
                                       strative Groups,CN=Yourdomain,CN=Microsoft Exchange,CN=Services,CN=Configurat
                                       ion,DC=yourdomain,DC=net
Identity                             : MAIL2
Guid                                 : cc4db3ef-b6f5-412f-b906-796f5c968fba
ObjectCategory                       : yourdomain.net/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 3/7/2012 4:06:46 PM
WhenCreated                          : 3/7/2008 3:24:22 PM
WhenChangedUTC                       : 3/7/2012 10:06:46 PM
WhenCreatedUTC                       : 3/7/2008 9:24:22 PM
OrganizationId                       :
OriginatingServer                    : mail3.yourdomain.net

RunspaceId                           : 78075ede-f297-4a9d-92c4-d8cc2dfd72c3
Name                                 : MAIL3
Fqdn                                 : mail3.yourdomain.net
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : mail2
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://mail.yourdomain.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : False
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : unlimited
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           :
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=MAIL2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Admini
                                       strative Groups,CN=Yourdomain,CN=Microsoft Exchange,CN=Services,CN=Configurat
                                       ion,DC=yourdomain,DC=net
Identity                             : MAIL2
Guid                                 : cc4db3ef-b6f5-412f-b906-796f5c968fba
ObjectCategory                       : yourdomain.net/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 8/3/2011 4:48:32 PM
WhenCreated                          : 3/7/2008 3:24:22 PM
WhenChangedUTC                       : 8/3/2011 9:48:32 PM
WhenCreatedUTC                       : 3/7/2008 9:24:22 PM
OrganizationId                       :
OriginatingServer                    : mail3.yourdomain.net
 
RunspaceId                           : 3ad5cb17-61f6-4cfa-9d81-20f70653b8be
Name                                 : MAIL3
Fqdn                                 : mail3.yourdomain.net
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : mail3
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://mail.yourdomain.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=MAIL3,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Admini
                                       strative Groups,CN=Yourdomain,CN=Microsoft Exchange,CN=Services,CN=Configurat
                                       ion,DC=yourdomain,DC=net
Identity                             : MAIL3
Guid                                 : 517ff858-9461-411b-9038-ea4456982cf7
ObjectCategory                       : yourdomain.net/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 3/1/2012 9:55:37 AM
WhenCreated                          : 8/19/2011 12:56:16 PM
WhenChangedUTC                       : 3/1/2012 3:55:37 PM
WhenCreatedUTC                       : 8/19/2011 5:56:16 PM
OrganizationId                       :
OriginatingServer                    : mail3.yourdomain.net

Just look at all the leftover references to MAIL2!  How to get rid of them?  Got to uninstall Exchange from the old MAIL2 server.  Easier said than done.  Maybe first you try to remove Exchange using Add/Remove Programs in Control Panel.  But I quickly ran into problems.  Right off the bat, it complained that WMI wasn’t working.  I had to download WMIDiag.exe and fix all the problems it found.

It then complained,

Setup cannot use domain controller ‘’ because an override is set in the registry.  Run Setup again, and specify ‘/DomainController:mail3.yourdomain.net’

Well, I couldn’t very well run the uninstall program with arguments from the control panel GUI.  So I stuck in the Exchange 2007 install disk and ran the following command:

F:\>setup /m:Uninstall /r:M,H,C,T /dc:mail3.yourdomain.net

This is an ambitious start: trying to remove all roles at once (that’s what the “M,H,C,T” above are: the 4 roles Mailbox, Hub Transport, Client Access and Management Tools, in that order).  Of course, I immediately ran into all kinds of other problems.  It started by complaining about Public Folders.

Welcome to Microsoft Exchange Server 2007 Unattended Setup

Preparing Exchange Setup

The following server roles will be removed
    Mailbox Role
    Client Access Role
    Hub Transport Role
    Management Tools

Performing Microsoft Exchange Server Prerequisite Check

    Mailbox Role Checks              ......................... FAILED
     Uninstall cannot continue. Database 'Public Folder Database': Exchange is unable to check the public folder replicas for "MAIL2\Second Storage Group\Public  Folder Database". Verify the Microsoft Information Store service is running on mail2.yourdomain.net, and that the database is properly mounted.

Easiest way to deal with this is to remove those, since 2010 doesn’t need ‘em.  Bear in mind this deletes the public folder content held on MAIL2, so only do it once you are sure nothing still uses it (if you do still need public folders, replicate them to a 2010 public folder database and remove the MAIL2 replicas instead).  First user folders

Get-PublicFolder -Server MAIL2 "\" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server MAIL2 -Recurse -ErrorAction:SilentlyContinue
 
Confirm
Are you sure you want to perform this action?
Removing public folder "\".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

Followed by system folders

Get-PublicFolder -Server MAIL2 "\Non_IPM_SUBTREE" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server MAIL2 -Recurse -ErrorAction:SilentlyContinue
 
Confirm
Are you sure you want to perform this action?
Removing public folder "\NON_IPM_SUBTREE\EFORMS REGISTRY".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):a

It’ll complain about connectors

    Hub Transport Role Checks        ......................... FAILED
     This computer is configured as a source transport server for 1 connector(s) in the organization. These must be moved or deleted before Setup can continue.

So you need to remove those.  I was able to do that through the Exchange Management Console
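The shell equivalent of that Management Console step, as an added example (not from the original page): rather than deleting the Send connector, it moves the connector's source off the old server, so the address space, smart host and security settings survive the decommission.  It assumes the old server is MAIL2 and the new Hub Transport server is MAIL3, and runs in the Exchange 2010 Management Shell.

```powershell
# Added example: re-point Send connectors that still use MAIL2 as a source server.
# Assumes old server MAIL2, new Hub Transport server MAIL3.
$oldServer = "MAIL2"
$newServer = "MAIL3"

# SourceTransportServers is what setup means by "source transport server for N connector(s)"
$affected = Get-SendConnector | Where-Object {
    @($_.SourceTransportServers | ForEach-Object { $_.Name }) -contains $oldServer
}

foreach ($connector in $affected) {
    # Keep every other source, drop the old server, make sure the new one is present
    $sources = @($connector.SourceTransportServers | ForEach-Object { $_.Name } |
                 Where-Object { $_ -ne $oldServer })
    if ($sources -notcontains $newServer) { $sources += $newServer }

    "Connector '{0}': {1} -> {2}" -f $connector.Name, ($connector.SourceTransportServers -join ","), ($sources -join ",")
    Set-SendConnector -Identity $connector.Identity -SourceTransportServers $sources
}

# Receive connectors are per-server and vanish with the Hub Transport role, but list
# them first so any relay permission that lived only on MAIL2 is re-created on purpose
# on MAIL3 rather than rediscovered when something stops sending.
Get-ReceiveConnector -Server $oldServer |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```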

It’ll complain about you still having databases on the old server.  But it does so indirectly and in a manner that doesn’t give you a clue it’s really talking about the mailbox and public folder databases still defined on the old server:
    Mailbox Server Role              ......................... FAILED
     Object is read only because it was created by a future version of Exchange: 0.10 (14.0.100.0). Current supported version is 0.1 (8.0.535.0).

You can try removing them ‘til you’re blue in the face through the Exchange Management Console.  I used ADSIedit.msc to remove them.  Connect to the “Configuration” naming context and navigate to Services -> Microsoft Exchange -> Org Name -> Administrative Groups -> Group Name -> Servers -> 2007servername -> InformationStore -> Storage Group.  Right-click the "2007 Public Folder Database" and select "Delete", then wait for AD replication.  Be aware that ADSIEdit only deletes the directory object: nothing dismounts the store, nothing checks whether mailboxes or replicas still depend on it, and the .edb and log files stay on disk.  But I later found out I could have used the shell cmdlet, which does those checks (the output below was captured on a different server, so substitute your own server\storage group\database name):

Remove-PublicFolderDatabase "E2K7MBX\SGPublicFolders\StoreSGPublicFolders"
 
Confirm
Are you sure you want to perform this action?
Removing public folder database "E2K7MBX\SGPublicFolders\StoreSGPublicFolders".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: The specified database has been removed. You must remove the database file located in K:\E2K7Data\SGPublicFolders\PublicFolderDatabase.edb from your computer manually if it exists. Specified database: PublicFolderDatabase
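Taking the databases off the old server with the cmdlets, as an added example (not from the original page): it refuses to remove a mailbox database that still holds mailboxes, which is the check ADSIEdit skips.  It assumes the old server is MAIL2 and that you run it in the Exchange 2010 Management Shell on MAIL3.

```powershell
# Added example: remove MAIL2's databases via the cmdlets, not ADSIEdit.
$oldServer = "MAIL2"

foreach ($db in @(Get-MailboxDatabase -Server $oldServer -IncludePreExchange2010)) {
    # Any mailbox still homed here would be orphaned if the database object vanished
    $left = @(Get-Mailbox -Database $db.Identity -ResultSize Unlimited)
    if ($left.Count -gt 0) {
        Write-Warning ("{0}: {1} mailbox(es) still here (e.g. {2}); move them first" -f $db.Name, $left.Count, $left[0].Alias)
        continue
    }
    Remove-MailboxDatabase -Identity $db.Identity -Confirm:$false
    "Removed mailbox database $($db.Name); delete its files on $oldServer by hand: $($db.EdbFilePath)"
}

foreach ($pf in @(Get-PublicFolderDatabase -Server $oldServer -IncludePreExchange2010)) {
    # Folder contents were already removed with Remove-PublicFolder above; this drops the
    # database object.  Replica lists on other databases are not re-pointed automatically.
    Remove-PublicFolderDatabase -Identity $pf.Identity -Confirm:$false
    "Removed public folder database $($pf.Name); delete its files on $oldServer by hand: $($pf.EdbFilePath)"
}
```

The cmdlets leave the .edb and log files behind on purpose (the WARNING above says the same); delete them once you are sure you will not need to mount the old store again.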

Anyway, when you remove them, then it complains about something else:

    Client Access Role Checks        ......................... FAILED
     Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is installed.

So I scaled back my ambitions by trying to break the uninstall up into parts – at the very least omitting uninstalling the Client Access Role.  When I tried

F:\>setup /m:Uninstall /r:M,H,T /dc:mail3.yourdomain.net

It refused to uninstall the Management Tools in the same pass while a role (Client Access) would still be installed afterwards

The following server roles will be removed
    Mailbox Role
    Hub Transport Role
 
 Some roles are still installed. Management Tools cannot be uninstalled.
 
Exchange Server setup encountered an error.

So I split the uninstall up into two parts.

F:\>setup /m:Uninstall /r:M,H /dc:mail3.yourdomain.net

Which took a while, but it worked:

The following server roles will be removed
    Mailbox Role
    Hub Transport Role
 
Performing Microsoft Exchange Server Prerequisite Check
 
    Hub Transport Role Checks        ......................... COMPLETED
 
Configuring Microsoft Exchange Server
 
    Mailbox Server Role              ......................... COMPLETED
    Hub Transport Server Role        ......................... COMPLETED
    Removing Exchange Files          ......................... COMPLETED
 
The Microsoft Exchange Server setup operation completed successfully

That last “Removing Exchange Files” took the longest.  Then follow with

F:\>setup /m:Uninstall /r:C,T /dc:mail3.yourdomain.net

Which also took a while, but it also worked:

Preparing Exchange Setup
 
The following server roles will be removed
    Client Access Role
    Management Tools
 
Performing Microsoft Exchange Server Prerequisite Check
 
    Client Access Role Checks        ......................... COMPLETED
 
Configuring Microsoft Exchange Server
 
    Client Access server role        ......................... COMPLETED
    Exchange Management Tools        ......................... COMPLETED
    Removing Exchange Files          ......................... COMPLETED

Now when you run:

Get-ClientAccessServer | fl

You’ll see something much smaller:

RunspaceId                           : 78075ede-f297-4a9d-92c4-d8cc2dfd72c3
Name                                 : MAIL3
Fqdn                                 : mail3.yourdomain.net
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : mail3
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://mail.yourdomain.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=MAIL3,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Admini
                                       strative Groups,CN=Yourdomain,CN=Microsoft Exchange,CN=Services,CN=Configurat
                                       ion,DC=yourdomain,DC=net
Identity                             : MAIL3
Guid                                 : 517ff858-9461-411b-9038-ea4456982cf7
ObjectCategory                       : yourdomain.net/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 3/1/2012 9:55:37 AM
WhenCreated                          : 8/19/2011 12:56:16 PM
WhenChangedUTC                       : 3/1/2012 3:55:37 PM
WhenCreatedUTC                       : 8/19/2011 5:56:16 PM
OrganizationId                       :
OriginatingServer                    : mail3.yourdomain.net

With all traces of MAIL2 gone.
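Get-ClientAccessServer is only one of the places an old server can linger.  As an added example (not from the original page), here is a sweep of the other spots that commonly still name a retired server; the list of places checked is mine and not exhaustive.  It assumes the old server was MAIL2 and runs in the Exchange 2010 Management Shell on a surviving server.

```powershell
# Added example: look for anything in the org that still references MAIL2.
$oldServer = "MAIL2"
$hits = @()

# A server object that survived a half-finished uninstall
Get-ExchangeServer | Where-Object { $_.Name -eq $oldServer } |
    ForEach-Object { $hits += "Server object: " + $_.DistinguishedName }

# Databases still homed on the old server (the switch pulls in 2007 databases too)
Get-MailboxDatabase -IncludePreExchange2010 |
    Where-Object { $_.Server.Name -eq $oldServer } |
    ForEach-Object { $hits += "Mailbox database: " + $_.Identity }
Get-PublicFolderDatabase -IncludePreExchange2010 |
    Where-Object { $_.Server.Name -eq $oldServer } |
    ForEach-Object { $hits += "Public folder database: " + $_.Identity }

# Mailboxes whose home server is still the old one
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ServerName -eq $oldServer } |
    ForEach-Object { $hits += "Mailbox: " + $_.Alias }

# Send connectors still listing it as a source, and the OAB generation server
Get-SendConnector |
    Where-Object { @($_.SourceTransportServers | ForEach-Object { $_.Name }) -contains $oldServer } |
    ForEach-Object { $hits += "Send connector source: " + $_.Name }
Get-OfflineAddressBook |
    Where-Object { $_.Server -and $_.Server.Name -eq $oldServer } |
    ForEach-Object { $hits += "OAB generation server: " + $_.Name }

# The Client Access server list shown above
Get-ClientAccessServer | Where-Object { $_.Name -eq $oldServer } |
    ForEach-Object { $hits += "Client Access server: " + $_.Fqdn }

if ($hits.Count -eq 0) { "No references to $oldServer found" } else { $hits }
```

Anything this still finds after the uninstall is a candidate for the same treatment as above: move it or re-point it with the matching Set-/Remove- cmdlet before reaching for ADSIEdit.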

URL redirect http to https – see http, redirect to https

–V–

vacation – see out of office

version

Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

should yield something like

Name                : SUN
Edition             : Standard
AdminDisplayVersion : Version 8.3 (Build 83.6)

Get-ExchangeServer works across versions, but on Exchange 2007 and 2010 AdminDisplayVersion only reflects the service pack level and does not change when an Update Rollup is installed; for the exact patch level check the file version of ExSetup.exe on the server itself, then

convert build number to Cumulative Update (CU) number
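An added example (not from the original page) that shows what each server advertises in AD beside the actual file version of ExSetup.exe, which is the number that moves when an Update Rollup goes on.  It assumes the default installation paths listed in the block and that the C$ admin share on each server is reachable from where you run it.

```powershell
# Added example: AD-advertised version vs. the real ExSetup.exe file version per server.
$candidatePaths = @(
    "Program Files\Microsoft\Exchange Server\V14\Bin\ExSetup.exe",   # Exchange 2010 default (assumption)
    "Program Files\Microsoft\Exchange Server\Bin\ExSetup.exe"        # Exchange 2007 default (assumption)
)

function Get-ExSetupVersion([string]$fqdn) {
    foreach ($rel in $candidatePaths) {
        $path = "\\$fqdn\C`$\$rel"
        if (Test-Path $path) { return (Get-Item $path).VersionInfo.FileVersion }
    }
    return "not found (non-default install path?)"
}

Get-ExchangeServer | ForEach-Object {
    New-Object PSObject -Property @{
        Name                = $_.Name
        Edition             = $_.Edition
        AdminDisplayVersion = $_.AdminDisplayVersion
        ExSetupFileVersion  = Get-ExSetupVersion $_.Fqdn
    }
} | Format-Table Name, Edition, AdminDisplayVersion, ExSetupFileVersion -AutoSize
```

A server whose ExSetupFileVersion lags the others is the one missing a rollup, which matters because the rollups carry the security fixes.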

–W–

Whitelist

Individual sender SMTP addresses can be made to bypass the Content Filter agent with the following shell command.  Only the content filter is bypassed: Sender ID, sender/recipient filtering and connection filtering still apply.  Also bear in mind that the sender address a message carries is not authenticated, so a bypassed address or domain is an easy way for a spoofer to get past the content filter; keep the lists short.

To set

Set-ContentFilterConfig -BypassedSenders foo@somedomain.com
Set-ContentFilterConfig -BypassedSenders xx@xx.com, yy@yy.com

Note that -BypassedSenders replaces the whole list each time, so the second command above silently drops foo@somedomain.com.  To add to what is already there use the Add syntax:

Set-ContentFilterConfig -BypassedSenders @{Add="xx@xx.com","yy@yy.com"}

To test

Get-ContentFilterConfig | Format-List BypassedSenders

Entire domains - To whitelist an entire sending domain.  -BypassedSenderDomains takes domain names only (not addresses such as sales@yourdomain.com), and like -BypassedSenders it replaces the list unless you use @{Add=...}.

To set

Set-ContentFilterConfig -BypassedSenderDomains xx.com, yy.com
Set-ContentFilterConfig -BypassedSenderDomains @{Add="somedomain.com"}

To test

Get-ContentFilterConfig | Format-List BypassedSenderDomains
BypassedSenderDomains : {xx.com, yy.com}
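Putting the above together, as an added example (not from the original page): it appends to both lists without overwriting them, is safe to re-run, and afterwards flags any bypassed domain that is one of your own accepted domains, since bypassing your own domain lets anyone spoofing it straight past the content filter.  The addresses and domains in it are placeholders.

```powershell
# Added example: append content-filter bypass entries and sanity-check the result.
$addSenders = @("foo@somedomain.com", "xx@xx.com")   # placeholders
$addDomains = @("yy.com")                            # placeholders

$before = Get-ContentFilterConfig
$haveSenders = @($before.BypassedSenders       | ForEach-Object { $_.ToString() })
$haveDomains = @($before.BypassedSenderDomains | ForEach-Object { $_.ToString() })

# @{Add=...} appends to a multivalued property; a bare list would replace it.
# Filtering out existing entries first keeps the command idempotent.
$newSenders = @($addSenders | Where-Object { $haveSenders -notcontains $_ })
$newDomains = @($addDomains | Where-Object { $haveDomains -notcontains $_ })

if ($newSenders.Count -gt 0) { Set-ContentFilterConfig -BypassedSenders       @{Add = $newSenders} }
if ($newDomains.Count -gt 0) { Set-ContentFilterConfig -BypassedSenderDomains @{Add = $newDomains} }

# Show the lists, then warn about any bypassed domain that is one of our own
$after    = Get-ContentFilterConfig
$accepted = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })
$after | Format-List BypassedSenders, BypassedSenderDomains
$after.BypassedSenderDomains |
    Where-Object { $accepted -contains $_.ToString() } |
    ForEach-Object { Write-Warning "Bypassed domain '$_' is one of your own accepted domains" }
```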

wildcard – see catch-all

–X–

–Y–

–Z–

–No's–

0x8004010F

10154 - WinRM service failed to create the following SPNs

dsacls "CN=AdminSDHolder,CN=System,DC=yourdomainname,DC=tld" /G "S-1-5-20:WS;Validated write to service principal name"

where you substitute something like “com” or “net” for “tld”.  This grants NETWORK SERVICE (S-1-5-20, the account WinRM runs as) validated write to servicePrincipalName on AdminSDHolder.  It is only relevant where WinRM runs on a domain controller, because DC computer accounts get their ACL from AdminSDHolder; SDProp copies AdminSDHolder's ACL onto every protected account and group on its next pass, so keep the ACE exactly this narrow and don't run it on a whim.