address (email) policy – see email address policy
Adding a Mailbox to Your Folder List – do not forget, on the Exchange server, to give Full Access permission to the specific user.
aliases – let's say you're looking for some user named admin, like admin@yourdomain.com
When I first started looking for this, I got several articles touting the following, which is useless:
get-alias admin*
The reason it's useless is because this command simply returns aliases for commands, not email addresses. And by tacking on the admin* filter at the end, you're trying to find commands that start with admin.
This kinda works, but doesn't seem to find aliases:
get-mailbox -anr admin
This returns much the same, but again, doesn't seem to find aliases:
get-recipient -anr admin
same with this:
Get-Recipient -ResultSize Unlimited | Select-Object Name -ExpandProperty EmailAddresses | Where-Object {$_.SmtpAddress -match "admin@.*"} | Format-Table Name, SmtpAddress
and this:
Get-Mailbox | Select-Object DisplayName,@{Name="EmailAddresses";Expression={$_.EmailAddresses | Where-Object {$_ -like "SMTP:*"}}} | Sort-Object DisplayName
and this:
Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName,ServerName,PrimarySmtpAddress, @{Name="EmailAddresses";Expression={$_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}}}
Breaking the line above down: first, we get all mailboxes (Get-Mailbox -ResultSize Unlimited).
Pipe the results to Select-Object, where we select DisplayName, ServerName and PrimarySmtpAddress, and then create the script block that gathers all secondary SMTP addresses (the primary SMTP address has a PrefixString of “SMTP”; all others are lower-case “smtp”):
@{Name="EmailAddresses";Expression={$_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}}}
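What the commands above never quite deliver, as an added example that is not from the original notes: a search over the Alias attribute itself and over every recipient's SMTP proxy addresses, primary and secondary, for a pattern (the pattern "admin" is an assumption).

```powershell
# Added example (not from the original notes). Finds recipients whose mail
# nickname (Alias) or any SMTP proxy address, primary or secondary, contains
# a pattern. $pattern is an assumption; run it in the Exchange Management Shell.
$pattern = "admin"

# 1. The Alias attribute (mailNickname) can be filtered server-side.
Get-Recipient -ResultSize Unlimited -Filter "Alias -like '*$pattern*'" |
    Format-Table Name, RecipientType, Alias, PrimarySmtpAddress -AutoSize

# 2. Secondary addresses live only in EmailAddresses, so expand the collection
#    and filter client-side. PrefixString is "SMTP" for the primary address and
#    "smtp" for the rest; -ieq catches both, and X400/X500 entries (which have
#    no SmtpAddress) are skipped by the first half of the -and.
Get-Recipient -ResultSize Unlimited |
    Select-Object Name, RecipientType -ExpandProperty EmailAddresses |
    Where-Object { $_.PrefixString -ieq "smtp" -and $_.SmtpAddress -like "*$pattern*" } |
    Select-Object Name, RecipientType, @{n="Primary"; e={$_.IsPrimaryAddress}}, SmtpAddress |
    Sort-Object SmtpAddress | Format-Table -AutoSize
```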
Anti-spam agent, install on Hub Transport server
HOW TO: Install anti-spam agents on Hub Transport server
If you're using Exchange Server 2007 in a topology with an Edge Transport server,
the anti-spam agents - Connection Filtering, Content Filter, Sender ID, Sender
Filter, Recipient Filter, and Protocol Analysis - are installed on the Edge
server. You do not need these agents installed on the Hub server(s).
In environments without an Edge server role, these need to be installed
manually on the Hub Transport server(s).
To install anti-spam agents on a Hub Transport server, start Exchange Management Shell (EMS), navigate to the "\Exchange Server\Scripts" folder (by default C:\Program Files\Microsoft\Exchange Server\Scripts), and run:
.\install-antispamagents.ps1
Once installed successfully, the command will show each agent installed, whether it is enabled or not, and its priority.
After the anti-spam agents are installed, you can see the Anti-spam tab in Organization Configuration | Hub Transport node in Exchange Management Console. (If your console was open during installation, you will need to restart it).
In such deployments, you can either route inbound mail through your service provider/ISP, or configure Hub Transport servers to receive inbound email directly. Read the previous post "Exchange Server 2007: Internet email without Edge servers".
Antispam for Exchange (Symantec) not working – see instructions here or here. Supposedly, you shouldn’t have to do this after version 6.5.5, but I still have to for 6.5.6. Short story:
1. Stop a couple of services:
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security Utility Service
2. Go to C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server and look at all folders starting with bm_ruleset. They should be up to date and number somewhere between a dozen and a dozen and a half. If they are older and more numerous than that, move them to a temporary folder.
3. Move the following files to a backup folder:
- .sequence.0
- .sequence.2
- blrm
- hashes
4. Restart the following Windows service: Exchange Transport Service.
5. Start the following Windows services that you stopped earlier:
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security Utility Service
6. You should see the bm_ruleset folders start reappearing.
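A scripted version of the steps above, added here and not Symantec's or the original notes' code. It assumes the 6.5 install path shown above, a backup folder under C:\Temp, and that "older" means a bm_ruleset folder not written in the last 7 days.

```powershell
# Added example (not Symantec's or the original notes' code). Automates the
# SMSMSE 6.5 rule-set reset described above. Assumptions: the install path
# below, a backup folder under C:\Temp, and "stale" = not written in 7 days.
$serverDir = "C:\Program Files (x86)\Symantec\SMSMSE\6.5\Server"
$backupDir = "C:\Temp\SMSMSE-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
$staleDays = 7
$symantecServices = "Symantec Mail Security for Microsoft Exchange",
                    "Symantec Mail Security Utility Service"

New-Item -ItemType Directory -Path $backupDir | Out-Null

# 1. Stop the Symantec services (looked up by display name) and wait for them.
$svcs = $symantecServices | ForEach-Object { Get-Service -DisplayName $_ }
$svcs | Stop-Service -Force
$svcs | ForEach-Object { $_.WaitForStatus("Stopped", (New-TimeSpan -Seconds 60)) }

# 2. Report the rule-set folders, then move the stale ones aside.
$rulesets = @(Get-ChildItem $serverDir | Where-Object { $_.PSIsContainer -and $_.Name -like "bm_ruleset*" })
$newest = ($rulesets | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
"{0} bm_ruleset folders found; newest written {1}" -f $rulesets.Length, $newest
$cutoff = (Get-Date).AddDays(-$staleDays)
$rulesets | Where-Object { $_.LastWriteTime -lt $cutoff } | Move-Item -Destination $backupDir

# 3. Back up the sequence/hash files so the service rebuilds them.
foreach ($f in ".sequence.0", ".sequence.2", "blrm", "hashes") {
    $p = Join-Path $serverDir $f
    if (Test-Path $p) { Move-Item $p $backupDir }
}

# 4. Restart the Exchange transport service, then 5. bring Symantec back up.
Restart-Service MSExchangeTransport -Force
$svcs | Start-Service

# 6. Give it a minute, then confirm rule-set folders are reappearing.
Start-Sleep -Seconds 60
@(Get-ChildItem $serverDir | Where-Object { $_.PSIsContainer -and $_.Name -like "bm_ruleset*" }).Length
```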
Anti-spam lists – see also block list providers, test
Attachment size – a lot of knobs to twirl. Here’s a good synopsis.
Organizational limits: These apply to all Exchange servers in the Organization
From PowerShell:
Get-TransportConfig
Set-TransportConfig -MaxReceiveSize 40MB -MaxSendSize 40MB
In Exchange 2007 SP1 and later, you can also set the organizational message size limits using the EMC by going to Organization Configuration | Hub Transport | Global Settings tab | Transport Settings | properties | General tab.
Receive Connector limit
To modify the maximum message size on a Receive Connector using the Exchange console, select Server Configuration | Hub Transport | select a Hub Transport server | Receive Connectors → select a connector | Properties | General tab.
To set ReceiveConnector limit using the shell:
Set-ReceiveConnector "CONNECTOR NAME" -MaxMessageSize 40Mb
Send Connector limit
Select Organization Configuration | Hub Transport | Send Connectors → select a connector | Properties | General tab.
To set SendConnector limit using the shell:
Set-SendConnector "CONNECTOR NAME" -MaxMessageSize 40Mb
Recipient limit: In Exchange 2010/2007, you can configure individual message size limits to bypass the Organizational limits
To set these using the Exchange console: Recipients | Mailbox → select mailbox (or select another recipient type such as a contact or mail user from the corresponding node) | properties | Mail Flow Settings tab | Message Size Restrictions
To set these using the Exchange shell:
Set-Mailbox "Joe Adams" -MaxSendSize 20Mb -MaxReceiveSize 20Mb
Active Directory SiteLink limit
In Exchange Server 2007 SP1, you can also set maximum message size limit on AD Site Links. Exchange Server 2007 uses the AD Site topology to determine the least cost paths. If the message size to be delivered to a remote AD Site exceeds the limit on the AD Site Link, message delivery will fail. By default, the MaxMessageSize on AD Site Links is set to unlimited.
Get-ADSiteLink "SITE LINK NAME" | Format-Table Identity, MaxMessageSize
This can be changed using the following command:
Set-ADSiteLink "SITE LINK NAME" -MaxMessageSize 20Mb
Global Settings
Besides the above, another message size limit can impact Exchange Server 2010/2007 recipients if you’re transitioning from Exchange 2003/2000, but it’s often overlooked when troubleshooting. The problem is, these are neither visible in the EMC, nor using any of the Exchange shell commands.
Run Adsiedit.msc, browse to the Configuration container | Services | Microsoft Exchange | YourOrgName | Global Settings | Message Delivery → Properties, and modify the following attributes as required:
1. delivContentLength → corresponds to the MaxReceiveSize parameter of the Set-TransportConfig command.
2. SubmissionContentLength → corresponds to the MaxSendSize parameter of the Set-TransportConfig command.
Note: The maximum value for both of the above is 2097151 KB, slightly under 2 GB.
3. msExchRecipLimit → corresponds to the MaxRecipientEnvelopeLimit parameter of the Set-TransportConfig command.
track failed message delivery
To track messages that failed because of recipient’s MaxReceiveSize:
Get-MessageTrackingLog -Start "05/24/11 8:00AM" -EventID FAIL | where {$_.RecipientStatus -like "*RecipSizeLimit*"}
To track messages that failed because of the sender’s MaxSendSize:
Get-MessageTrackingLog -Start "05/24/11 8:00AM" -EventID FAIL | where {$_.RecipientStatus -like "*SendSizeLimit*"}
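Because a message has to clear every one of the limits above, it helps to see them side by side. This is an added example, not from the original notes; it assumes an Exchange 2007/2010 shell and lists mailbox overrides only where they differ from unlimited.

```powershell
# Added example (not from the original notes): collects every message size
# limit the section above walks through, so the effective limit along a
# path can be read off a single report.
$report = @()
$tc = Get-TransportConfig
$report += New-Object PSObject -Property @{
    Scope = "Organization"; Name = "TransportConfig"
    Limit = "Send=$($tc.MaxSendSize) Receive=$($tc.MaxReceiveSize) Recipients=$($tc.MaxRecipientEnvelopeLimit)" }

foreach ($rc in Get-ReceiveConnector) {
    $report += New-Object PSObject -Property @{ Scope = "ReceiveConnector"; Name = $rc.Identity; Limit = $rc.MaxMessageSize }
}
foreach ($sc in Get-SendConnector) {
    $report += New-Object PSObject -Property @{ Scope = "SendConnector"; Name = $sc.Identity; Limit = $sc.MaxMessageSize }
}
foreach ($sl in Get-ADSiteLink) {
    $report += New-Object PSObject -Property @{ Scope = "ADSiteLink"; Name = $sl.Name; Limit = $sl.MaxMessageSize }
}
# Per-recipient limits bypass the organizational ones, so flag every mailbox
# that carries an override on either direction.
$overridden = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.MaxSendSize.IsUnlimited -or -not $_.MaxReceiveSize.IsUnlimited }
foreach ($m in $overridden) {
    $report += New-Object PSObject -Property @{
        Scope = "Mailbox"; Name = $m.Identity
        Limit = "Send=$($m.MaxSendSize) Receive=$($m.MaxReceiveSize)" }
}

$report | Sort-Object Scope, Name | Format-Table Scope, Name, Limit -AutoSize
```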
1. Make sure your block list is configured right. Either go to the GUI or from PowerShell run:
Get-IPBlockListConfig
Should yield something like:
Name : IPBlockListConfig
MachineEntryRejectionResponse : External client with IP address {0} does not have permissions to submit to this server. Visit http://support.microsoft.com/kb/928123 for more information.
StaticEntryRejectionResponse : External client with IP address {0} does not have permissions to submit to this server.
Enabled : True
ExternalMailEnabled : True
InternalMailEnabled : False
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=IPBlockListConfig,CN=Message Hygiene,CN=Transport Settings,CN=YourCompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourcompany,DC=net
Identity : IPBlockListConfig
Guid : 0805bc9d-cb27-4cb4-b97f-165f5681aaa7
ObjectCategory : yourcompany.net/Configuration/Schema/ms-Exch-Message-Hygiene-IP-Block-List-Config
ObjectClass : {top, msExchAgent, msExchMessageHygieneIPBlockListConfig}
WhenChanged : 3/7/2008 3:02:11 PM
WhenCreated : 3/7/2008 3:02:06 PM
OriginatingServer : mail.yourcompany.net
IsValid : True
Note that Enabled, ExternalMailEnabled and IsValid should all be True. You might also want to look at your providers – again either through the GUI or the command:
Get-IPBlockListProvider
Should yield something like:
Name         LookupDomain      Priority
----         ------------      --------
SpamHaus     zen.spamhaus.org  1
SpamCop      bl.spamcop.net    2
abuseat cbl  cbl.abuseat.org   3
sorbs        dnsbl.sorbs.net   4
2. Make sure your block list providers are actually working. Go to a recent log at C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog to find a likely IP address that should have been blocked. Test that specific IP address against all your providers. From your Powershell prompt, pipe the Get-IpBlockListProvider cmdlet to the Test-IpBlockListProvider cmdlet:
Get-IpBlockListProvider | Test-IpBlockListProvider -IpAddress 190.65.193.69
Should yield something like:
Provider     ProviderResult            Matched
--------     --------------            -------
SpamHaus     {127.0.0.4, 127.0.0.11}   True
SpamCop      {127.0.0.2}               True
abuseat cbl  {127.0.0.2}               True
sorbs        {}                        False
3. From the test above, we know there are no DNS problems and that the RBL works. But is it actually being invoked in real time and blocking what it should? Run the following to search logs in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog for instances of when each of your providers actually found and rejected an email. Note you’ll likely have to change your directory to the C:\Program Files\Microsoft\Exchange Server\Scripts directory if it’s not in your path.
[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>.\Get-AntispamTopRBLProviders.ps1 -startDate:03/23/2008 -endDate:04/17/2008
This should yield something like:
Name         Value
----         -----
SpamHaus     11410
sorbs        407
SpamCop      149
abuseat cbl  10
If a later run returns nothing:
[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>.\Get-AntispamTopRBLProviders.ps1 -startDate:04/17/2008 -endDate:04/22/2008
[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>
Then you know you have a problem. In this case, everything was chugging along just fine until 4/17/2008 when it just shut down completely. Here’s how to specify an even narrower range: just a few hours in a day.
Get-AntispamTopRBLProviders.ps1 -startDate:"04/25/2008 10 am" -endDate:"04/26/2008 5 pm"
4. Look at the priorities of the various services:
[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>Get-TransportAgent
Identity                    Enabled  Priority
--------                    -------  --------
Transport Rule Agent        True     1
Journaling Agent            True     2
AD RMS Prelicensing Agent   False    3
Connection Filtering Agent  True     4
Content Filter Agent        True     5
Sender Id Agent             True     6
Sender Filter Agent         True     7
Recipient Filter Agent      True     8
Protocol Analysis Agent     True     9
Note that the Connection Filtering Agent is pretty low. Bump some of these up to a higher priority:
Set-TransportAgent -identity "Connection Filtering Agent" -priority 1
After this and each of the following commands immediately, you’ll get:
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
Go ahead and reset the following:
Set-TransportAgent -identity "Content Filter Agent" -priority 2
Set-TransportAgent -identity "Sender ID Agent" -priority 3
Set-TransportAgent -identity "Sender Filter Agent" -priority 4
Set-TransportAgent -identity "Recipient Filter Agent" -priority 5
Set-TransportAgent -identity "Protocol Analysis Agent" -priority 6
Restart the transport service and look at the priorities afterwards:
Get-TransportAgent
Identity                    Enabled  Priority
--------                    -------  --------
Connection Filtering Agent  True     1
Content Filter Agent        True     2
Sender Id Agent             True     3
Sender Filter Agent         True     4
Recipient Filter Agent      True     5
Protocol Analysis Agent     True     6
Transport Rule Agent        True     7
Journaling Agent            True     8
AD RMS Prelicensing Agent   False    9
This doesn’t really seem to do anything, but it makes me feel better having the Transport Rule Agent further down toward the bottom.
5. Here’s another “raw DNS” test which doesn’t even depend on Exchange and which might help flush out DNS problems. For example, to test SpamHaus:
In general, DNSBL queries are structured by the inverse IP address as a subdomain of the DNSBL zone. For example, to check that the general DNSBL test address of 127.0.0.2 is listed in SBL, query 2.0.0.127.sbl.spamhaus.org with any NS lookup tool such as...
$ host 2.0.0.127.sbl.spamhaus.org
2.0.0.127.sbl.spamhaus.org has address 127.0.0.2
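The same raw DNS check done from PowerShell, as an added example that is not from the original notes: it reverses the octets, queries <reversed-ip>.<zone> and distinguishes "not listed" (NXDOMAIN) from a real DNS failure. It needs PowerShell 2.0 or later, uses the documented 127.0.0.2 test address, and the zone list is an assumption copied from the provider table above.

```powershell
# Added example (not from the original notes): the "raw DNS" DNSBL check
# without Exchange. 127.0.0.2 is the standard DNSBL test address; the zones
# below are assumptions taken from the Get-IPBlockListProvider output above.
function Test-DnsblListing {
    param(
        [string]$IpAddress,   # address to check, e.g. 127.0.0.2
        [string]$Zone         # DNSBL zone, e.g. zen.spamhaus.org
    )
    $octets = $IpAddress.Split(".")
    if ($octets.Length -ne 4) { throw "Expected a dotted IPv4 address, got '$IpAddress'" }
    [array]::Reverse($octets)                       # 127.0.0.2 -> 2.0.0.127
    $query = ($octets -join ".") + "." + $Zone
    try {
        $answers = [System.Net.Dns]::GetHostAddresses($query) | ForEach-Object { $_.IPAddressToString }
        $listed = $true
    } catch {
        # .NET exceptions surface wrapped; look at the inner one when present.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and $ex.SocketErrorCode -eq "HostNotFound") {
            $listed = $false; $answers = @()         # NXDOMAIN: simply not listed
        } else {
            $listed = $null                           # resolver down, timeout, etc.
            $answers = @("DNS error: " + $ex.Message)
        }
    }
    New-Object PSObject -Property @{ Query = $query; Listed = $listed; Answers = ($answers -join ", ") }
}

# Stand-alone: every working zone should list the test address.
$zones = "zen.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org", "dnsbl.sorbs.net"
$zones | ForEach-Object { Test-DnsblListing -IpAddress 127.0.0.2 -Zone $_ } |
    Format-Table Query, Listed, Answers -AutoSize

# On an Exchange server, drive it from the configured providers instead:
# Get-IPBlockListProvider | ForEach-Object { Test-DnsblListing -IpAddress 127.0.0.2 -Zone $_.LookupDomain }
```

A Listed value of $null (rather than False) is the DNS-problem signal step 5 is hunting for; False with no answers just means the address is not on that list.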
Blocked email, find out why:
Get-AgentLog -StartDate "6/26/2008 4:03 pm" -EndDate "6/26/2008 4:04 pm" | where {$_.Reason -eq "BlockListProvider"}
What if you get something like:
The location "C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\AgentLog\" does not exist. Please specify a valid file or directory to look for agent logs using the -Location parameter.
Parameter name: Location
+ CategoryInfo : InvalidArgument: (:) [Get-AgentLog], ArgumentException
+ FullyQualifiedErrorId : 79602AE3,Microsoft.Exchange.Management.AgentLog.GetAgentLog
If no agent logging has occurred on the server, this folder will not exist.
Certificate service – before you do anything, you need to make sure you’ve added “Active Directory Certificate Services” to your server roles.
Certificate, change
You can see lots of information by running mmc and choosing “Certificates”. If “Certificates” is not a choice in the MMC, then you’ll need to add it.
To add Certificate Manager to Microsoft Management Console
- Click Start, and then click Run.
- In the Open box, type mmc, and then click OK.
- In the File menu, click Add/Remove Snap-in.
- In the Add/Remove Snap-in box, click Add.
- In the Available Standalone Snap-ins list, click Certificates, and then click Add.
- Click Computer Account, and then click Next.
- Click the Local computer (the computer this console is running on) option, and then click Finish.
- Click Close, and then click OK.
The certificates of interest all seem to be under Personal, Certificates.
You can also see things in the Exchange Management Console (EMC) under Server Organization. No lower level than that, just there. In fact, this is a really good place to check to make sure that your mail.yourdomain.com has all the IMAP, POP, IIS and SMTP services. I think only one certificate can have all these.
From the PowerShell:
Get-ExchangeCertificate
Should return something like
Thumbprint                                Services  Subject
----------                                --------  -------
9822DC23BB18AED03EB276639AAF78B8EF643B42  IP..S     CN=mail
92F3B7D4AE57D587F22D582666B3D2629DCF21A8  IP..S     CN=mail
FBAB5CB127F4EFF3EF7B084E3F665DF4A999827D  IP..S     CN=mail
3899DE08DBDE9C2971AAC840623551B1D66224DA  IP.WS     CN=mail
1CA830BCA102BEDC6FA1F4B79A48B2B11E0497E7  IP..S     CN=mail
Or, to get a more complete view including expiration:
Get-ExchangeCertificate | FL
Rather than just getting a new one, it is sometimes better to feed the old one into a new one:
Get-ExchangeCertificate -Thumbprint 9822DC23BB18AED03EB276639AAF78B8EF643B42 | New-ExchangeCertificate
I’m still not sure which approach is better: the one above or the one below. I’ve seen both approaches cited.
So, if you want, you can instead just get a new one without recycling the old one.
New-ExchangeCertificate -DomainName mail2.yourcompany.com
Confirm
Overwrite existing default SMTP certificate, '9822DC23BB18AED03EB27D239AAF78B8EF643B42' (expires 3/7/2009 3:25:23 PM), with certificate '1FA17137AA8DA7E359254232B7AA408BC89EDB21' (expires 4/23/2009 9:51:20 AM)?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):y
Thumbprint                                Services  Subject
----------                                --------  -------
1FA17137AA8DA7E359254232B7AA408BC89EDB21  .....     CN=mail2.yourcompany.com
And then enable SMTP services: copy and paste this new certificate thumbprint into the command below
Enable-ExchangeCertificate -Thumbprint 1FA17137AA8DA7E359254232B7AB108BC89EDB21 -Services:smtp
Now look again to see your changes
Get-ExchangeCertificate
Thumbprint                                Services  Subject
----------                                --------  -------
1FA17137AA8DA7E359254232B7AB108BC89EDB21  ....S     CN=mail.yourcompany.com
9822DC23BB18AED03EB276639AAF78B8EF643B42  IP..S     CN=mail
92F3B7D4AE57D587F22D582666B3D2629DCF21A8  IP..S     CN=mail
FBAB5CB127F4EFF3EF7B084E3F665DF4A999827D  IP..S     CN=mail
3899DE08DBDE9C2971AAC840623551B1D66224DA  IP.WS     CN=mail
1CA830BCA102BEDC6FA1F4B79A48B2B11E0497E7  IP..S     CN=mail
Might be a good idea to delete old, expired certificates:
Remove-ExchangeCertificate -Thumbprint 9822DC23BB18AED03EB276639AAF78B8EF643B42
And you’ll have to assign those same I, P and W services to your mail.yourcompany.com certificate.
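Rather than reading expiry dates out of Get-ExchangeCertificate | FL one certificate at a time, here is an added report (not from the original notes) that flags certificates that are expired or about to expire, self-signed (the "CA Root Certificate Is Not Trusted" case below), or missing the name clients connect to. The expected name and the 30-day warning window are assumptions.

```powershell
# Added example (not from the original notes): expiry/service report over
# Get-ExchangeCertificate. $expectedName and $warnDays are assumptions.
$expectedName = "mail.yourcompany.com"
$warnDays = 30
$now = Get-Date

Get-ExchangeCertificate | ForEach-Object {
    $daysLeft = [int]($_.NotAfter - $now).TotalDays
    $flags = @()
    if ($daysLeft -lt 0)             { $flags += "EXPIRED" }
    elseif ($daysLeft -le $warnDays) { $flags += "expires in $daysLeft d" }
    # A certificate that issued itself is the self-signed one Exchange creates
    # at setup; clients will not trust it unless you import it as a root.
    if ($_.Issuer -eq $_.Subject)    { $flags += "self-signed" }
    # Exact match only; a wildcard name (*.yourcompany.com) is not expanded here.
    $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    if ($domains -notcontains $expectedName) { $flags += "missing $expectedName" }
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Services   = $_.Services      # I=IMAP P=POP U=UM W=IIS S=SMTP
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Flags      = ($flags -join "; ")
    }
} | Sort-Object NotAfter | Format-Table Thumbprint, Services, NotAfter, Flags, Subject -AutoSize
```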
Certificate not trusted - "This CA Root Certificate Is Not Trusted. To enable Trust, Install This Certificate in the Trusted Root Certification Authorities Store"
- Go to the Default Web Site in IIS and remove the Self Signed Cert. Right click the Default Web Site, Directory Security, Server Certificate, Next, and Remove the cert.
- Open Certificates in MMC. Go to Run, MMC. File Add Remove Snap In, Add Certificates; Computer Account; Local Computer and Click OK.
- Once your Certificates MMC is open Go to Personal Certificates. Right Click Request New Cert, Next, Friendly Name = Hostname of your Server and Next and Finish.
- Copy the new cert to the Trusted Root Certification Authorities Certificates.
- Go back to the Default Website in IIS, Properties, Directory Security, Server Certificate. Assign an existing certificate and choose the new cert that was created.
- Issue IISRESET from your command prompt.
Certificate, proxy server’s security certificate - There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.yourserver.com.
Outlook is unable to connect to the proxy server. (Error Code 10)
Let’s say the name of your mail server is “mail2” or “mail2.yourcompany.net” and you really want it to point to “mail.yourcompany.com”. Run:
Get-ClientAccessServer -Identity mail2 | fl
For the AutodiscoverServiceInternalUri entry, you’ll see something like
AutoDiscoverServiceInternalUri : https://mail2.yourcompany.net/Autodiscover/Autodiscover.xml
Then run
Set-ClientAccessServer -Identity "mail2" -AutodiscoverServiceInternalUri https://mail.yourcompany.com/autodiscover/autodiscover.xml
Next run
Get-WebServicesVirtualDirectory -Identity "mail2\EWS (Default Web Site)" | fl
For the InternalUrl entry you’ll see something like
InternalUrl : https://mail2.yourcompany.net/EWS/Exchange.asmx
Then run
Set-WebServicesVirtualDirectory -Identity "mail2\EWS (Default Web Site)" -InternalUrl https://mail.yourcompany.com/EWS/Exchange.asmx
Make sure you don’t accidentally use -InternalNLBBypassUrl by mistake, because it comes up first alphabetically if you just hit Tab after typing “-In” or some such.
Next run
Get-OabVirtualDirectory -Identity "mail2\OAB (Default Web Site)" | fl
For the InternalUrl entry you’ll see something like
InternalUrl : http://mail3.yourdomain.net/OAB
Then run
Set-OABVirtualDirectory -Identity "mail2\OAB (Default Web Site)" -InternalURL https://mail.yourcompany.com/OAB
Next run
Get-OutlookAnywhere
For the ExternalHostName entry and ClientAuthenticationMethod you might see something like
ExternalHostname : https://mail2.yourcompany.net
ClientAuthenticationMethod : Basic
Then run:
Set-OutlookAnywhere -Server mail2 -ExternalHostname "mail.yourcompany.com" -ClientAuthenticationMethod "NTLM"
This last command actually doesn’t run so good; complains “A positional parameter cannot be found that accepts argument ‘mail2’”. Trying with using “-Identity” instead of “-Server” also fails: “The operation couldn't be performed because object 'mail2.yourdomain.net\mail2' couldn't be found on 'mail2.yourdomain.net'.”
Next run:
Get-ActiveSyncVirtualDirectory -Identity "mail2\Microsoft-Server-ActiveSync (Default Web Site)" | fl
For the InternalUrl you’ll see something like
InternalUrl : https://mail3.yourcompany.net/Microsoft-Server-ActiveSync
Then run:
Set-ActiveSyncVirtualDirectory -Identity "mail2\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://mail.yourcompany.com/Microsoft-Server-ActiveSync
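A read-only audit of all the URLs the steps above set by hand, added here and not from the original notes: it reports every setting whose host name is not the name on the certificate, which is exactly what produces the "name on the security certificate is invalid" error. The server name and expected host are assumptions.

```powershell
# Added example (not from the original notes): audit the client access URLs
# against the certificate name. $server and $expectedHost are assumptions.
$server       = "mail2"
$expectedHost = "mail.yourcompany.com"

function Get-UrlHost([string]$url) {
    if ([string]::IsNullOrEmpty($url)) { return "" }
    # OutlookAnywhere stores a bare host name, which is not a valid absolute Uri.
    try { return ([Uri]$url).Host } catch { return $url }
}

$cas = Get-ClientAccessServer -Identity $server
$checks = @( @{ Name = "AutodiscoverServiceInternalUri"; Url = $cas.AutoDiscoverServiceInternalUri } )
$ews = Get-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)"
$checks += @{ Name = "EWS InternalUrl"; Url = $ews.InternalUrl }
$checks += @{ Name = "EWS ExternalUrl"; Url = $ews.ExternalUrl }
$oab = Get-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)"
$checks += @{ Name = "OAB InternalUrl"; Url = $oab.InternalUrl }
$checks += @{ Name = "OAB ExternalUrl"; Url = $oab.ExternalUrl }
$eas = Get-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)"
$checks += @{ Name = "ActiveSync InternalUrl"; Url = $eas.InternalUrl }
$checks += @{ Name = "ActiveSync ExternalUrl"; Url = $eas.ExternalUrl }
$oa = Get-OutlookAnywhere -Server $server
$checks += @{ Name = "OutlookAnywhere ExternalHostname"; Url = $oa.ExternalHostname }

$results = foreach ($c in $checks) {
    $url = "$($c.Url)"
    $hostName = Get-UrlHost $url
    $state = if ($hostName -ieq $expectedHost) { "ok" } elseif ($hostName -eq "") { "not set" } else { "MISMATCH" }
    New-Object PSObject -Property @{ Setting = $c.Name; Host = $hostName; State = $state; Url = $url }
}
$results | Format-Table Setting, State, Host, Url -AutoSize
```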
certificates, single-domain vs multi-domain certificate – see Exchange 2010- Why do I need to use a UCC certificate? and Exchange 2007 - Multiple Name SSL Certificate Request and Installation
Certificate Templates snap-in missing– make sure you’ve added certificate authority as one of your server’s roles
Certificate that contains domain name mail2.yourcompany.com, Microsoft Exchange could not find – run the following 3 commands
Get-ExchangeCertificate | fl
Get-ReceiveConnector -Identity mail2 | fl name, fqdn, objectClass
To repair the SendConnector, in the Exchange Management Console, Organization Configuration, Hub Transport, Send Connector tab
Change SMTP port 25 in Exchange 2007
For some reason you might want to change the default SMTP port number 25 that Exchange 2007 uses. Exchange 2007 uses Receive and Send connectors, one for receiving mail and the other for sending mail (obviously ;)
So you need to change the ports on those connectors. I will not say "those two", because you might be using more than two.
You change Receive connector port by opening the connector properties in Exchange Management Console → Hub Transport → RECEIVECONNECTORNAME → Properties → Network → Local IP Addresses (Edit Receive Connector Binding)
Just to clarify what "Local IP Addresses" and "Remote Servers" are:
Use these local IP Addresses to receive mail
Use this list to specify the IP addresses and port numbers on which this Receive connector listens for incoming mail.
Receive mail from remote servers which have these IP addresses
Use this list to specify the remote IP address range from which this Receive connector accepts connections.
You change Send Connector port by using PowerShell. Open Exchange Management Shell and type:
Get-SendConnector -Identity "SENDCONNECTORNAME" | fl
Check the port number then type:
Set-SendConnector -Identity "SENDCONNECTORNAME" -port 26
In this example I set port 26 as SMTP port for sending messages. Check the change by typing
Get-SendConnector -Identity "SENDCONNECTORNAME" | fl
Hub and Edge servers are responsible for mail transport, so include every one of them that your requirement covers.
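The same two changes from the shell, as an added example that is not from the original notes: it rewrites a Receive connector's bindings to the new port (keeping the addresses it already listens on, IPv6 included) and points the Send connector at the same port. The connector names and port 26 are assumptions.

```powershell
# Added example (not from the original notes): shell equivalent of the port
# change above. Connector identities and $port are assumptions. -Bindings
# replaces the whole binding list, so every existing address is carried over.
$port = 26
$rc = Get-ReceiveConnector -Identity "SERVER\RECEIVECONNECTORNAME"
$newBindings = $rc.Bindings | ForEach-Object {
    # IPv6 literals must be bracketed in the "address:port" binding syntax.
    if ($_.Address.AddressFamily -eq "InterNetworkV6") { "[{0}]:{1}" -f $_.Address, $port }
    else { "{0}:{1}" -f $_.Address, $port }
}
Set-ReceiveConnector -Identity $rc.Identity -Bindings $newBindings
Set-SendConnector -Identity "SENDCONNECTORNAME" -Port $port

# Verify both sides.
Get-ReceiveConnector -Identity $rc.Identity | Format-List Identity, Bindings
Get-SendConnector -Identity "SENDCONNECTORNAME" | Format-List Identity, Port
```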
command line – use Exchange Management Shell (same as PowerShell)
Content Filter: How to move messages to Junk Mail folder - http://exchangepedia.com/blog/2007/02/exchange-2007-content-filter-how-to_07.html
You've set up Exchange Server 2007 and configured the shiny new Content Filter agent (CFA). The CFA has three thresholds, the equivalent of Gateway thresholds and (gateway) actions in IMF: 1) SCLDeleteThreshold, 2) SCLRejectThreshold and 3) SCLQuarantineThreshold.
1. SCLDeleteThreshold: Messages with SCL equal to or higher than the SCLDeleteThreshold are deleted silently. To enable the SCLDeleteThreshold:
set-ContentFilterConfig -SCLDeleteThreshold 8 -SCLDeleteEnabled:$true
2. SCLRejectThreshold: Messages with SCL equal to or higher than the SCLRejectThreshold are rejected during the SMTP session, after the data is received. In this case, senders get a NDR. To enable the SCLRejectThreshold:
set-ContentFilterConfig -SCLRejectThreshold 7 -SCLRejectEnabled:$true
In the above case, Exchange doesn't accept the message. After the data is received, it responds with a 500 5.7.1 error and a rejection response (by default this response is "Message rejected due to content restrictions"). This rejection message can be configured using the following command (the response message used here is for illustration, not a real suggestion):
set-ContentFilterConfig -RejectionResponse "Stop spamming you *****!"
The actual NDR is generated and sent to the sender by the sending host. This is what the sending host will see after the message content is sent (if you actually modified the rejection response based on my example :)
500 5.7.1 Stop spamming you *****!
Exchange Server 2007's Content Filtering agent can be configured with the equivalent of all 3 Gateway actions available in Exchange Server 2003's Intelligent Message Filter (IMF): 1) Delete messages, 2) Reject messages and 3) Quarantine messages.
3. SCLQuarantineThreshold: Messages with SCL equal to or higher than the SCLQuarantineThreshold are delivered to the quarantine mailbox, provided you have one configured. To enable the SCLQuarantineThreshold and configure a quarantine mailbox:
set-ContentFilterConfig -SCLQuarantineThreshold 6 -SCLQuarantineEnabled:$true -QuarantineMailbox:MyQuarantineMailbox@mydomain.com
The Content Filter agent allows the flexibility of enabling all three actions on the gateway - the rule is: SCLDeleteThreshold > SCLRejectThreshold > SCLQuarantineThreshold.
To get a list of all three SCL values and whether each action is enabled or not, use the following command:
get-ContentFilterConfig | Select SCL*
So where's the equivalent of IMF's Store threshold (to move messages to users' Junk Mail folders)?
It's called SCLJunkThreshold, and it resides in a different location - in the Organization configuration. It can be set using the set-OrganizationConfig command:
set-OrganizationConfig -SCLJunkThreshold 5
Setting SCLJunkThreshold not intuitive?
Before you jump to conclusions about this being counter-intuitive, or confusing - which it may be, consider this - it is in response to the different server roles in Exchange Server 2007.
The gateway actions - delete, reject and quarantine - can be thought of as message transport actions, and thus applicable to transport server roles (the Edge server, or the Hub if you have antispam agents enabled on it). Moving messages to users' Junk Mail folders can be thought of as something that happens at the Store, performed by the Mailbox Server role.
Another aspect to consider when setting the SCLJunkThreshold - if you're in a topology with an Edge server, the SCLJunkThreshold on the Edge doesn't impact anything. This needs to be set on your Exchange Org - the Edge server is not a part of it.
The Defaults: By default, the SCLJunkThreshold is set to 4. If you have an existing Exchange Server 2003 SP2 server installed, and you haven't tweaked the Store threshold, IMF v2's default Store threshold of 8 is used - this is what you'll see in the Org's SCLJunkThreshold. Given that the SCLRejectThreshold is set to 7 by default, messages will not move to users' Junk Mail folder unless the SCLJunkThreshold is lower than the transport thresholds (i.e. the Delete, Reject and Quarantine thresholds).
How the Junk Mail threshold is calculated: Unlike the transport actions of deleting, rejecting, and quarantining messages - which check for SCL equal to or higher than their respective thresholds, for moving messages to Junk Mail folder the Store checks for SCLs higher than the SCLJunkThreshold. This is consistent with the behavior of IMF in Exchange Server 2003 (read previous post: IMF Confusion - Store threshold rating text in UI).
If you want to disable rejection of messages with SCL of 7 or above, use the following command:
set-ContentFilterConfig -SCLRejectEnabled:$false
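Because the transport thresholds fire on SCL greater than or equal to the threshold while the Store moves to Junk Mail only on SCL strictly greater than SCLJunkThreshold, a Junk threshold that sits too close under the lowest enabled transport threshold leaves no SCL value that can reach Junk Mail. The added check below (not from the original post) pulls all four values together and tests the ordering rules from this section.

```powershell
# Added example (not from the original post): report the three transport
# thresholds and the org-level SCLJunkThreshold, and check the ordering rule
# (Delete > Reject > Quarantine, Junk low enough to leave an SCL band).
function Get-SclThresholdReport {
    $cf  = Get-ContentFilterConfig
    $org = Get-OrganizationConfig
    $problems = @()
    if ($cf.SCLDeleteEnabled -and $cf.SCLRejectEnabled -and $cf.SCLDeleteThreshold -le $cf.SCLRejectThreshold) {
        $problems += "SCLDeleteThreshold must be above SCLRejectThreshold"
    }
    if ($cf.SCLRejectEnabled -and $cf.SCLQuarantineEnabled -and $cf.SCLRejectThreshold -le $cf.SCLQuarantineThreshold) {
        $problems += "SCLRejectThreshold must be above SCLQuarantineThreshold"
    }
    if ($cf.SCLQuarantineEnabled -and -not $cf.QuarantineMailbox) {
        $problems += "quarantine enabled but no QuarantineMailbox set"
    }
    # Transport acts when SCL >= T (lowest enabled threshold); the Store moves
    # to Junk Mail when SCL > Junk. A message reaches Junk Mail only if some
    # integer SCL satisfies Junk < SCL < T, i.e. T must exceed Junk + 1.
    $enabled = @()
    if ($cf.SCLDeleteEnabled)     { $enabled += $cf.SCLDeleteThreshold }
    if ($cf.SCLRejectEnabled)     { $enabled += $cf.SCLRejectThreshold }
    if ($cf.SCLQuarantineEnabled) { $enabled += $cf.SCLQuarantineThreshold }
    if ($enabled.Length -gt 0) {
        $lowest = ($enabled | Measure-Object -Minimum).Minimum
        if (($org.SCLJunkThreshold + 1) -ge $lowest) {
            $problems += "SCLJunkThreshold $($org.SCLJunkThreshold) leaves no SCL band for Junk Mail below transport threshold $lowest"
        }
    }
    $problemText = if ($problems.Length -eq 0) { "none" } else { $problems -join "; " }
    New-Object PSObject -Property @{
        Delete     = "{0} (enabled={1})" -f $cf.SCLDeleteThreshold, $cf.SCLDeleteEnabled
        Reject     = "{0} (enabled={1})" -f $cf.SCLRejectThreshold, $cf.SCLRejectEnabled
        Quarantine = "{0} (enabled={1})" -f $cf.SCLQuarantineThreshold, $cf.SCLQuarantineEnabled
        Junk       = $org.SCLJunkThreshold
        Problems   = $problemText
    }
}
Get-SclThresholdReport | Format-List Delete, Reject, Quarantine, Junk, Problems
```

With the defaults described above (Reject 7 enabled, Junk 4) the report shows no problem; with the inherited IMF Store threshold of 8 it flags that nothing can reach Junk Mail.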
database, move mailbox to
If you try to move a mailbox from Exchange 2007 to Exchange 2010 with
set-Mailbox -identity bob -database "Mailbox Database 2"
you might get something like
You cannot rehome a mailbox into a database that has a different version than the source server.
+ CategoryInfo : NotSpecified: (joe:MailboxIdParameter) [Set-Mailbox], TaskArgumentException
+ FullyQualifiedErrorId : 54140E66,Microsoft.Exchange.Management.RecipientTasks.SetMailbox
You might want to try this instead:
'yourdomain.net/Users/bob' | New-MoveRequest -TargetDatabase 'Mailbox Database 2'
database, see which mailboxes belong to
Get-Mailbox -database "Mailbox Database 0964096055"
Should return something like
Name Alias ServerName ProhibitSendQuota
---- ----- ---------- -----------------
Administrator Administrator mail3 unlimited
DiscoverySearchMailbox... DiscoverySearchMa... mail3 50 GB (53,687,091,200 bytes)
test1 test1 mail3 unlimited
test2 test2 mail3 unlimited
database size, determine
Get-MailboxDatabase -Status | select ServerName,Name,DatabaseSize
DCOM – start by running dcomcnfg from the “run” box.
default email, change –see email, change default
deleted items folder, properties
Get-ManagedFolder -Identity "Deleted Items" | fl
deleted items, recover from any folder
1. Exit Outlook.
2. Open the Windows registry editor.
3. Browse to My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\Client\Options, or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Exchange\Client Extension\Options for Win 7.
4. On the Edit menu, point to New, and then click DWORD Value.
5. Type the name DumpsterAlwaysOn.
Note Do not type any spaces in the name.
6. Set the DWORD value to 1.
7. Restart Outlook.
The Tools menu now has the Recover Deleted Items command for every Outlook folder.
deleted items usage for all mailboxes
get-mailbox | Get-MailboxStatistics | Select @{n="DisplayName";e={$_.DisplayName}}, StorageGroupName,@{e={$_.TotalDeletedItemSize.Value.ToMB()};n="TotalDeletedItemsSize(MB)"}, DeletedItemCount, @{e={$_.TotalItemSize.Value.ToMB()};n="TotalItemSize(MB)"}, ItemCount, StorageLimitStatus | ft
should return something like
DisplayName  StorageGroupName  TotalDeletedItemsSize(MB)  DeletedItemCount  TotalItemSize(MB)  ItemCount  StorageLimitStatus
-----------  ----------------  -------------------------  ----------------  -----------------  ---------  ------------------
Bob Smith                      0                          154               551                23680      BelowLimit
Sam Jones                      0                          0                 0                  3          BelowLimit
distribution list, allow some people to modify themselves
Add-ADPermission -Identity 'accountants' -user carol -AccessRights writeproperty
Identity           User              Deny   Inherited  Rights
--------           ----              ----   ---------  ------
yourdomain.net...  yourdomain\Carol  False  False      WriteProperty
or
Add-ADPermission -Identity 'accountants' -user 'reception group' -AccessRights readproperty
Identity           User              Deny   Inherited  Rights
--------           ----              ----   ---------  ------
yourdomain.net...  yourdomain\Rec... False  False      ReadProperty
distribution group, display name -
Recipient Configuration → Distribution Group. In the result pane, click the distribution group that you want to configure. In the action pane, click Properties. Use this unlabeled box at the top of the page to view or change the display name for the distribution group
Set-DistributionGroup -Identity Accounting -DisplayName "Accounting Group"
distribution group, setup in Exchange 2013
1. Create a new group in Active Directory and make it a Universal Distribution group.
2. Once that is done, remote into the mail server and run the Exchange Management Shell (this step can't be done in the web GUI).
3. Then use this command to mail-enable the group you created:
Enable-DistributionGroup -Identity "GROUP NAME" -DomainController "SERVER NAME WHERE AD IS INSTALLED"
distribution groups, activity last 30 days
get all distribution lists used over last 30 days and how many times the distribution group was used (from here). I have no idea how it works or how it limits activity to the last 30 days. Is this a default?
Get-MessageTrackingLog -EventId Expand -ResultSize Unlimited | Sort-Object RelatedRecipientAddress | Group-Object RelatedRecipientAddress | Sort-Object Name | Select-Object @{label="PrimarySmtpAddress";expression={$_.Name}}, Count | Export-CSV C:\Users\someuser\Documents\DL-Active.csv -NoTypeInformation
distribution groups, don't have permission to change
When you try to change the members of a distribution group, you get: “You don't have sufficient permissions. This operation can only be performed by a manager of the group.”
Need to run a PowerShell command:
Set-DistributionGroup somedistributiongroup -ManagedBy somebody@yourdomain.com -BypassSecurityGroupManagerCheck -DomainController somedomaincontroller.yourdomain.com
The -DomainController switch may not be necessary. This seems to work on security groups as well.
domains, which ones accepted by your Exchange server – Organization Configuration / Hub Transport / Accepted domains
domains, which ones can be used by a user – Recipient Configuration / Mailbox / <user> / Properties / Email addresses
domain, email on a domain other than your main domain doesn't work, can't access – actually, this particular symptom also happens if you have another email address on the same domain. Anyway, just start the "Microsoft Exchange System Attendant" service. This was the Sarah/Mahesh problem 5/17/11.
Using the GUI:
- Exchange Management Console → Organization Configuration → Hub Transport →
- In the result pane, click the E-Mail Address Policy tab, and then select the e-mail address policy that you want to edit.
- In the action pane, click Edit. The Edit E-Mail Address Policy wizard appears.
- On the Introduction page, edit the following fields:
- Name: Type the display name of the e-mail address policy that you are editing. The name can contain as many as 64 characters but cannot include wildcard characters.
- Users with Exchange mailboxes: Select this check box if you want your e-mail address policy to apply to users who have Microsoft Exchange Server 2007, Exchange Server 2003, and Exchange 2000 Server mailboxes. Users with Exchange mailboxes are those that have a user domain account and a mailbox in the Exchange organization.
- Users with external e-mail addresses: Select this check box if you want your e-mail address policy to apply to users who have external e-mail addresses. Users with external e-mail accounts have user domain accounts in the Active Directory directory service, but use e-mail accounts that are external to the organization. This enables them to be included in the global address list (GAL) and added to distribution lists.
- Resource mailboxes: Select this check box if you want your e-mail address policy to apply to Exchange resource mailboxes. Resource mailboxes let you administer company resources through a mailbox, such as a conference room or a company vehicle.
- Contacts with external e-mail addresses: Select this check box if you want your e-mail address policy to apply to contacts with external e-mail addresses.
- Mail-enabled groups: Select this check box if you want your e-mail address policy to apply to security groups or distribution groups that have been mail-enabled. Mail-enabled groups resemble distribution groups in that messages sent to a mail-enabled group account go to several recipients.
- Click Next.
From the Exchange Management Shell, to see a list of policies, type
Get-EmailAddressPolicy
or, with some extras like which RecipientFilter and the ExchangeVersion,
Get-EmailAddressPolicy | Format-List Name,*RecipientFilter*,ExchangeVersion
To update, use the Set-EmailAddressPolicy cmdlet to edit the policy settings and the Update-EmailAddressPolicy to apply the e-mail address policy to the intended recipients.
email address, how a sending email address’ emails are disposed in the log:
Get-AgentLog -StartDate "6/18/2008" -EndDate "6/27/2008" | where {$_.P1FromAddress -like "foobar@yourdomain.com"}
email, change default – if you have several domains, one is the default. But different people in your organization may want different defaults. You might try Exchange console, Recipient configuration, Mailbox, select a mailbox you want to change, right click, properties, go to the “E-Mail Addresses” tab. You might very well see that the “Set as Reply” option is greyed out. Why is it greyed out? Look at the bottom of that same tab and you’ll probably see the “Automatically update e-mail addresses based on email address policy” box is checked. Which is probably what you want if you have a bunch of people who you want to default to the same domain. So now what? See email address policy
email stuck – see queue, email stuck in
Entourage and RPC over HTTP – 1
emails, count of from one user for a day
# Count DELIVER events to one recipient in a one-day window, across every transport server.
# Get-TransportService is Exchange 2013 and later; on 2007/2010 use Get-TransportServer instead.
[int]$intRec = 0
Get-TransportService |
    Get-MessageTrackingLog -ResultSize Unlimited -Start "4/09/2015" -End "4/10/2015" `
        -Recipients "someuser@yourdomain.com" -EventID DELIVER |
    ForEach-Object { $intRec++ }
Write-Host "E-mails received:", $intRec
Error messages when you try to connect Outlook 2007 to Exchange Server: "The action cannot be completed" or "Your Microsoft Exchange Server is unavailable" or "Cannot start Microsoft Office Outlook" – see here
SYMPTOMS
When you try to connect Microsoft Office Outlook 2007 to Microsoft Exchange Server, you may experience any one of the following symptoms:
- If your Outlook profile has been automatically configured, you may receive the following error message:
The action cannot be completed. The connection to the Microsoft Exchange Server is unavailable. Your network adapter does not have a default gateway.
- If your Outlook profile has been manually configured, you may receive the following error message:
Your Microsoft Exchange Server is unavailable
For example, this error may occur when you have an existing profile that was previously connected to the Exchange Server, and then you lose the setting for your default gateway.
In this scenario, if you click Check Name to verify your settings in the E-mail Accounts dialog box, you may receive the following error message:
Outlook cannot log on. Verify that you are connected to the network and are using the proper server and mailbox name. The connection to the Microsoft Exchange Server is unavailable. Your network adapter does not have a default gateway.
When you try to connect Outlook 2007 to Microsoft Exchange Server 2003 by using RPC over HTTPS, you may receive the following error message:
Cannot start Microsoft Office Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The attempt to log on to Microsoft Exchange has failed.
CAUSE
This problem may occur if the Outlook 2007 client computer does not have a default gateway configured.
WORKAROUND
If you cannot configure a default gateway for your network settings, you can work around this problem by adding a DWORD value that is named DefConnectOpts to the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC
To add this DWORD value, follow these steps.
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC
- On the Edit menu, point to New, and then click DWORD Value.
- Type DefConnectOpts, and then press ENTER.
- Right-click DefConnectOpts, and then click Modify.
- In the Value data box, type 0, and then click OK.
- Exit Registry Editor.
export data to a .pst file – run the Export-Mailbox cmdlet from a 32-bit computer that has the following installed:
- The 32-bit version of the Exchange management tools
- Outlook 2003 Service Pack 2 (SP2) or Outlook 2007
For information about Exchange 2007 management tools 32-bit download, see Microsoft Exchange Server 2007 Management Tools (32-Bit).
If you export data to a folder in another mailbox, the target mailbox that you specify must exist before you run the command.
Exchange Server 2003 Mailflow (Part 1, 2) – for a general explanation of the mail flow
export mailbox data
You can export mailbox data from a mailbox to a .pst file. To export to a .pst file, you must use the PSTFolderPath parameter to specify the path to the .pst file to which data will be exported. You can use the Export-Mailbox cmdlet to export data to either a folder in another mailbox or a .pst file.
- grant full access to a mailbox (the account running the export needs this on both source and target), use Add-MailboxPermission:
Add-MailboxPermission -Identity john -User Admin01 -AccessRights FullAccess
Add-MailboxPermission -Identity Export -User Admin01 -AccessRights FullAccess
- export data to a folder in another mailbox:
Export-Mailbox -Identity john@contoso.com -TargetMailbox ExportMailbox -TargetFolder MyData
- export data to a .pst file called john.pst located at C:\PSTFiles:
Export-Mailbox -Identity john@contoso.com -PSTFolderPath C:\PSTFiles\john.pst
- export data from a group of mailboxes, such as all mailboxes for which the user title begins with "VP":
Get-User | where { $_.Title -ilike "VP*" } | Export-Mailbox -TargetFolder VPData -TargetMailbox ExportMailbox
- export data that was received between February 2, 2015, and February 15, 2015, to a .pst file:
Export-Mailbox -Id john@contoso.com -StartDate "02/02/15" -EndDate "02/15/15" -PSTFolderPath C:\PSTFiles\john.pst
- export only data from the Sent Items folder:
Export-Mailbox -Id john -IncludeFolders '\Sent Items' -TargetFolder 'John Sent Items' -TargetMailbox ExportMailbox
- exclude folders from the export, such as excluding items in the Junk E-Mail and Contacts folders
- export every mailbox in a database, each to its own .pst file:
Get-Mailbox -Database DB1 | Export-Mailbox -PSTFolderPath C:\PSTFiles
- export data from all the mailboxes of users in the Marketing organizational unit:
Get-Mailbox -OrganizationalUnit Marketing | Export-Mailbox -PSTFolderPath C:\PSTFiles
The last two examples export the data from each mailbox to a separate .pst file located at C:\PSTFiles. The name of each .pst file will be <alias>.pst.
event viewer, change how much stuff from the transport agent gets logged there
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeTransport\Diagnostics, value "18 Agents" – change from 0 to 7 (0 = Lowest, 7 = Expert, the same levels Set-EventLogLevel uses)
forward mail (normal internal user) – Exc Mgt Console, Recipient Configuration, Mailbox, Mail Flow Settings tab. Notice the “Properties…” button is greyed out. Select “Delivery Options” so now the “Properties…” button is black. Click the “Forward to:” check box and then Browse to whomever you want to forward.
forward mail to outside email address – create a Mail Contact (under Recipient Configuration), forward an email to there from the Mailbox. Or, see here
full mailbox, see Mailbox Size GUI, mailbox size, which are getting close to full
Get-Mailbox outside current domain – include the -ignoreDefaultScope parameter
Get-Mailbox -ignoreDefaultScope | Select Name, alias | Sort-Object alias
GoDaddy peculiarities
POP – GoDaddy wants IDs in the format of “name@yourserver.com” whereas Exchange seems content with merely “name”. Exchange seems to tolerate the “name@yourserver.com” with no special tweaking.
SMTP
change SMTP receive connector port to port 3535
SMTP authentication – first solve the unable to relay error message
greylist – greylisting is used on some mail servers to temporarily fail the first attempt of an email, asking the sending server to retry later. Here's some more explanation. Try to reset "Glitch Retry Interval". But that registry key doesn't seem to exist on 2007: the 2007 equivalents are the TransientFailureRetryInterval and TransientFailureRetryCount settings on the transport server (Set-TransportServer).
normally mail.yourdomain.com/owa will result in
Server Error
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
Which is annoying. Users don’t want to have to type in “https://”. So why not redirect? Easier said than done. In fact, I couldn’t get any of the things below to work right.
First, there’s Microsoft’s Simplify the Outlook Web App URL approach:
- Start IIS Manager.
- Expand the local computer, expand Sites, and then click Default Web Site.
- At the bottom of the Default Web Site Home pane, click Features View if this option isn't already selected.
- In the IIS section, double-click HTTP Redirect.
- Select the Redirect requests to this destination check box, and then type /owa. [or https://mail.yourdomain/owa, which I've seen in other places – like below]
- Under Redirect Behavior, select the Only redirect requests to content in this directory (not subdirectories) check box.
- In the Status code list, click Found (302).
- In the Actions pane, click Apply.
- Close IIS Manager
- Find the Outlook Web App Web.config file on the Client Access server. The default location is <drive>\Program Files\Microsoft\Exchange Server\<version>\ClientAccess\Owa.
- Make a backup copy of the file.
- Open the original file using an editor such as Notepad. Don't use IIS Manager to edit the Web.config file.
- Find httpCookies httpOnlyCookies="false" requireSSL="true" domain="" and change the requireSSL flag to false. (Caveat: requireSSL="false" tells ASP.NET to stop marking OWA's cookies Secure, so the browser will also send them over plain HTTP. Only do this if the http:// site does nothing but redirect.)
- Save and close the file.
- For the new settings to take effect, open a Command Prompt window, and then type
iisreset /noforce
to restart IIS.
Then there's Redirecting OWA URLs in Exchange 2010 to account for certain subdirectories. It does all the steps above [only redirecting to https://mail.yourdomain/owa rather than just /owa] except messing with the Web.config file. It then continues with:
Once this step is complete, you need to remove the enforced redirect from each of the virtual directories under the Default Web Site. To do this, select each virtual directory individually, and then open the HTTP Redirect property and uncheck the “Redirect requests to this destination” checkbox. You’ll need to do this on the following virtual directories:
- aspnet_client
- Autodiscover
- ecp
- EWS
- Microsoft-Server-ActiveSync
- OAB
- PowerShell
- Rpc
If at this point you simply browse to http://mail.yourdomain.com, you’ll get an HTTP 403.4 error. This is because SSL is required at the top-level website. In order to get the redirect working, we need to disable SSL for the top level website while leaving it enabled for the relevant child virtual directories.
Select the Default Web Site and open the SSL Settings properties. Uncheck the Require SSL checkbox
Like the redirection settings, this change will be inherited down the tree for any virtual directory which does not explicitly set the setting independently. Ensure that SSL is required for the following virtual directories:
- Autodiscover
- ecp
- EWS
- Microsoft-Server-ActiveSync
- OAB
- owa
- Rpc
Well, that didn’t work either. Someone commented, “had the same issue and fixed it by disabling the redirect just for Public”. Nada.
The last thing I tried was Redirect Virtual Folder where they suggest:
Edit the web.config in the following directory "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa". Delete the following line
"<httpRedirect enabled="false" />"
That didn’t do anything
Then
C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/Exchange" /section:httpredirect /enabled:true -commit:apphost
Applied configuration changes to section "system.webServer/httpRedirect" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Exchange" at configuration commit path "MACHINE/WEBROOT/APPHOST"
C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/Exchweb" /section:httpredirect /enabled:true -commit:apphost
Applied configuration changes to section "system.webServer/httpRedirect" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Exchweb" at configuration commit path "MACHINE/WEBROOT/APPHOST"
C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/Public" /section:httpredirect /enabled:true -commit:apphost
Applied configuration changes to section "system.webServer/httpRedirect" for "MACHINE/WEBROOT/APPHOST/Default Web Site/Public" at configuration commit path "MACHINE/WEBROOT/APPHOST"
And then this to disable redirection for /owa:
C:\Windows\System32\inetsrv>appcmd set config "Default Web Site/owa" /section:httpredirect /enabled:false -commit:apphost
Applied configuration changes to section "system.webServer/httpRedirect" for "MACHINE/WEBROOT/APPHOST/Default Web Site/owa" at configuration commit path "MACHINE/WEBROOT/APPHOST"
None of this worked. Even with copious “iisreset” sprinkled in. I finally gave up. Maybe someday I’ll figure it out. But for now, I just put the “https” on a web page and point folks there.
Install exchange server 2007 - tutorial
Prep Work:
In order to install Exchange 2007 the server must be running Windows Server 2003 x64 and have SP1 installed. You must also install the .NET 2.0 Framework and MMC 3.0 but if you do not have these two components installed, you can install them during setup.
Install IIS first, and then .Net 2.0
MMC 3.0 – you will be prompted to install from CD
PowerShell – you will be prompted to install from CD
enable ASP.net ver 2.XXX in IIS! – shouldn’t have to do this in 2007 – only in 2003
Raise domain functional level – Administrative Tools, Active Directory Domains and Trusts (or Active Directory Users and Computers), right click on yourdomain.com and select Raise Domain Functional Level. From the drop-down box choose Windows Server 2003 and click on Raise.
After installation:
Even if you don’t set up a separate Edge Transport server, you still need to substitute a Hub Transport or else something important won’t work. From Exchange Server 2007: Internet email without Edge servers:
The Edge Transport server role is not a required role. It's good to have if you don't want to expose your domain-joined Exchange servers to the internet, and the high amount of spam that mail gateways receive and filter. Nevertheless, many small environments - typically those with a single Exchange server - do not have that luxury. In such environments, you can use a Hub Transport server to send/receive internet mail.
The default installation of a Hub Transport server creates two Receive Connectors:
- Default Receive Connector, which listens on SMTP port 25, and
- Client Receive Connector, intended for remote clients to submit mail; this listens on port 587
The Default Receive Connector only accepts mail from authenticated senders/hosts. This is configured to accept mail from Mailbox servers, other Hub Transport servers, and Edge Transport servers.
To make it accept inbound internet mail in an environment without an Edge Transport server, you need to configure it to accept mail from anonymous senders. Here's how you can do this from the Exchange command shell:
set-ReceiveConnector -identity "Name of Default Connector" -PermissionGroups AnonymousUsers
How to determine permissions:
Get-ReceiveConnector -Identity "Client Mail3" | Get-ADPermission
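An added example, not from the quoted article: -PermissionGroups replaces the whole list, so "-PermissionGroups AnonymousUsers" on its own strips ExchangeServers and ExchangeUsers from the Default connector and breaks internal mail flow. The script below reads the existing groups, appends AnonymousUsers, and then runs the check that matters after any anonymous change: whether ANONYMOUS LOGON has ended up with ms-Exch-SMTP-Accept-Any-Recipient, which is what turns an Internet-facing connector into an open relay. The connector identity "MAIL3\Default MAIL3" is an assumption built from the page's server name; substitute yours from Get-ReceiveConnector.

```powershell
# Added example (not from the page or the quoted article).
# Assumption: the Default receive connector is "MAIL3\Default MAIL3".
$rc = Get-ReceiveConnector -Identity "MAIL3\Default MAIL3"

# PermissionGroups is a flags value; keep what is already there and add AnonymousUsers.
$groups = @($rc.PermissionGroups.ToString() -split ',\s*')
if ($groups -notcontains 'AnonymousUsers') {
    $new = ($groups + 'AnonymousUsers') -join ', '
    Set-ReceiveConnector -Identity $rc.Identity -PermissionGroups $new
}

# Anonymous *submission* to local recipients is the goal. Anonymous *relay* is not:
# the ms-Exch-SMTP-Accept-Any-Recipient right on ANONYMOUS LOGON is the open-relay switch.
$relay = Get-ReceiveConnector |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') } |
    Select-Object Identity, User, ExtendedRights

if ($relay) {
    Write-Warning "Open relay: these connectors let anonymous senders relay to any recipient"
    $relay | Format-Table -AutoSize
    # Remove-ADPermission -Identity '<connector>' -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    #     -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient
} else {
    Write-Host "No anonymous relay right found on any receive connector."
}
```

A connector that shows "Custom" in PermissionGroups has had its ACL edited by hand; the Get-ADPermission dump above is then the only reliable picture of what it allows.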
By default, Hub Transport servers do not have anti-spam agents installed. Read related post " HOW TO: Install anti-spam agents on Hub Transport server".
Other steps not related to installation:
Open and forward port 25 (SMTP) on your router
Change some DNS settings at your DNS registrar (GoDaddy)
A (Host)            action   Host   Points To
                    add             your IP address
CNAMES (Aliases)    no changes, additions or deletions necessary
MX (Mail Exchange)  action   Priority        Host   Goes To
                    add      0               @      mail.yourdomain.com
                    change   from 0 to 10    @      smtp.secureserver.net (our primary becomes our secondary)
                    change   from 10 to 20   @      mailstore1.secureserver.net (our secondary becomes our 3rd)
TXT (Text)          action   Host   TXT Value
                    add      @      v=spf1 a ~all (this will work, but is not recommended; see SPF records)
Point the MX record at a host name that has its own A record (mail.yourdomain.com), not at a CNAME and not at a bare IP address: an MX target must be a host name, and an MX that resolves through a CNAME is what DNSStuff frowns on.
Call ISP about reverse DNS for your IP address; change to your name: mail.yourdomain.com
You might be able to send emails outside the organization, but have problems sending them to another user on either
- the same Exchange server from the one you’re sending from or
- another Exchange server within your organization.
or both. It will likely be stuck in the message queue. It’s also possible that you can receive messages. To track down the problem, send an email and we’ll look at what happens in the queue. In the toolbox, go to “Tracking Log Explorer” (2010) or “Message Tracking Results” (2007) and focus on EventID “TRANSFER”. Or from the PowerShell console:
get-messagetrackinglog -EventID "TRANSFER" -Start "12/20/2011 9:35:00 AM" -End "12/20/2011 11:45:00 AM"
This list might coincide with what’s stuck in the message queue. Now if you want, you can try re-submitting the messages stuck in the queue. But that probably won’t get you very far.
Your best bet is to look in the connectivity logs. Often found at C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\Connectivity. You might see something there like: Cannot achieve Exchange Server authentication. If that’s the case, look at the properties of your “Default MAIL” (or whatever) Receive Connectors for all your Exchange clients. Go to the Authentication tab and make sure the Exchange Server authentication box is set. If it complains about the FQDN, fix it. Don’t forget to restart the Transport service after you check the Exchange Server authentication box.
Since messages are able to get to the outside world but can't be sent internally, you could look at the receive connectors. Specifically, you'd think you'd want to turn on protocol logging for the receive connectors and maybe the send connectors. But really, no internal traffic will ever even get to the protocol logs. So that'd be a waste of time.
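An added example, not from the original entry, of the check described above done from the shell instead of the Authentication tab: list the receive connectors whose AuthMechanism lacks ExchangeServer (Hub-to-Hub and Mailbox-to-Hub traffic cannot authenticate to those), grep the connectivity log for the exact error string quoted above, and add ExchangeServer back without discarding the other mechanisms. The log path is the V14 (Exchange 2010) one from the entry; adjust it for other versions.

```powershell
# Added example (not the page's own commands). Log path taken from the entry above.
$logDir = 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\Connectivity'

# 1. Receive connectors that cannot accept Exchange Server authentication.
$bad = Get-ReceiveConnector |
    Where-Object { $_.AuthMechanism.ToString() -notmatch 'ExchangeServer' } |
    Select-Object Identity, Server, Fqdn, AuthMechanism, Bindings
$bad | Format-Table -AutoSize

# 2. Confirm the symptom in the connectivity log rather than guessing.
Get-ChildItem $logDir -Filter '*.log' |
    Select-String -Pattern 'Cannot achieve Exchange Server authentication' |
    Select-Object Filename, LineNumber, Line |
    Select-Object -First 20

# 3. Add ExchangeServer to whatever mechanisms are already set. AuthMechanism is a
#    flags value, so passing only 'ExchangeServer' would drop Tls/Integrated/etc.
foreach ($rc in $bad) {
    $current = $rc.AuthMechanism.ToString()
    $mech = if ($current -eq 'None') { 'ExchangeServer' } else { "$current, ExchangeServer" }
    # If this errors about the FQDN: with ExchangeServer auth on, -Fqdn must be the
    # server's real FQDN, not a vanity name like mail.yourdomain.com.
    Set-ReceiveConnector -Identity $rc.Identity -AuthMechanism $mech
}

# 4. The change is only picked up after the transport service restarts (local server;
#    repeat on each Hub Transport server you touched).
Restart-Service MSExchangeTransport
```

Step 2 is the one to keep in a runbook: the queue viewer tells you mail is stuck, but only the connectivity log says why.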
last time someone used their email - see newest email for a user
log files for messages – C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking
log files for messages rejected - C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog
logged in, last time
Get-MailboxStatistics "FirstName LastName" | fl LastLogonTime, LastLoggedOnUserAccount
logs, look at an extract – if you don’t want to manually trudge through the C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog
get-AgentLog -startDate:"04/25/2008 4 pm" -endDate:"04/25/2008 4:10 pm"
Should give you a bunch of entries like:
Timestamp : 4/25/2008 4:06:43 PM
SessionId : 08CA751B97841745
IPAddress : 209.242.25.141
MessageId : <2c05e4520de1fe763a348aa394e790a8@mailbc01.openfax.com>
P1FromAddress : pbsbounce@yahoo.com
P2FromAddresses : {pbs@pbsworksforme.com}
Recipients : {clyde@yourcompany.com}
Agent : Content Filter Agent
Event : OnEndOfData
Action : QuarantineMessage
SmtpResponse : 550 5.2.1 Content Filter agent quarantined this message
Reason : SclAtOrAboveQuarantineThreshold
ReasonData : 5
Diagnostics : DV:3.3.6422.600;SID:SenderIDStatus Pass
But wait! There's more! There's now a new, improved command line that pops up a window with the stuff all nicely formatted into a table:
Get-MessageTrackingLog -Start "April 17 2014 12:20pm" -End "April 17 2014 4:20pm" -Sender firstuser@yourdomain.com -Recipients seconduser@yourdomain.com -ResultSize Unlimited | Select-Object EventId, Timestamp, MessageId, Sender, Recipients, MessageSubject | Out-GridView
log, transcript
At the Command Shell prompt type
Start-Transcript
to collect the information. Next do a
Get-ReceiveConnector | FL *
to collect all of the info on your Receive connectors. Now do a
Stop-Transcript
to create a Transcript text file in the My Documents Folder
Mac integration – see also Entourage
mailbox, create –
New-Mailbox -Name 'test1' -Alias 'test1' -UserPrincipalName 'test1@yourdomain.net' -SamAccountName 'test1' -FirstName 'test1' -Initials '' -LastName '' -Password (Read-Host -AsSecureString "Password") -ResetPasswordOnNextLogon $false
When the console wizard echoes this command it shows -Password 'System.Security.SecureString', which is only a placeholder for the secure string it held in memory. Paste that literal and you get:
Cannot process argument transformation on parameter 'Password'. Cannot convert the "System.Security.SecureString" value
of type "System.String" to type "System.Security.SecureString".
+ CategoryInfo : InvalidData: (:) [New-Mailbox], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,New-Mailbox
Supply a real SecureString instead (Read-Host -AsSecureString as above, or ConvertTo-SecureString -AsPlainText -Force in a script) and the command creates the user and the mailbox together.
mailbox folder list
Get-MailboxFolderStatistics bthompson | ft > C:\Users\someuser\Desktop\bthompson1.txt
But this truncates some data. So just select a few columns:
Get-MailboxFolderStatistics bthompson | Select Name, FolderPath, FolderSize, ItemsInFolder, ItemsInFolderAndSubfolders | ft > C:\Users\someuser\Desktop\bthompson4.txt
mailbox list doesn't show all the users you'd expect
The solution is below:
- the Exchange Management Console.
- Right-click Recipient Configuration.
- Select Modify Recipient Scope.
- Select the View all recipients in forest option.
- Select the Global Catalog check box and select the local global catalog server (AD1).
- To close, click OK.
mailbox, move – for example, from exchange 2003 to exchange 2010 – here’s a video
You can start by going to the Exchange Management Console, Recipient Configuration, Mailbox, <user’s mailbox>, right click, “New Local Move Request”. If you go through the wizard, it’ll eventually generate the following command:
'mydomain.net/Users/Bob Smith' | New-MoveRequest -TargetDatabase 'Mailbox Database 02'
To find out how it went:
Get-MoveRequest

DisplayName   Status   TargetDatabase
-----------   ------   --------------
Bob Smith     Failed   Mailbox Database 02
For more detail
Get-MoveRequest | Get-MoveRequestStatistics

DisplayName   Status   TotalMailboxSize           TotalArchiveSize   PercentComplete
-----------   ------   ----------------           ----------------   ---------------
Bob Smith     Failed   1.634 GB (1,754,863,82...                     43
Well, that didn’t really give too much detail, did it? Like, why did it fail? Let’s try:
Get-moverequest|get-moverequeststatistics | fl
This gives a lot more detail, including:
TotalMailboxSize          : 1.634 GB (1,754,863,829 bytes)
TotalMailboxItemCount     : 9332
BytesTransferred          : 506.2 MB (530,740,370 bytes)
BytesTransferredPerMinute :
ItemsTransferred          : 1777
PercentComplete           : 43
PositionInQueue           :
FailureCode               : -2146233088
FailureType               : TooManyBadItemsPermanentException
FailureSide               :
Message                   : Error: This mailbox exceeded the maximum number of corrupted items that were specified for this move request.
FailureTimestamp          : 2/22/2012 2:53:16 PM
Now let’s say you decide to go into his Outlook and delete a whole bunch of old junk. And you do so. And you even empty the “deleted items” folder. But how to purge that? You can find out how long the junk is held there:
Get-Mailbox <user> | fl RetainDeletedItemsFor
Should return something like:
RetainDeletedItemsFor : 7.00:00:00
7 days?? We don’t want to wait that long! But how to actually purge? Supposedly, the following works with 2010, SP1 or higher:
Search-Mailbox -Identity "Bob Smith" -SearchDumpsterOnly -DeleteContent
But I keep getting:
The term 'Search-mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:15
+ Search-mailbox <<<< -identity "Bob Smith" -SearchDumpsterOnly -DeleteContent
+ CategoryInfo : ObjectNotFound: (Search-mailbox:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Even with 2010 SP2. The usual reason is RBAC, not the version: Search-Mailbox only shows up in your shell if your account holds the Mailbox Search role (the Discovery Management role group), and -DeleteContent additionally needs the Mailbox Import Export role, which no role group has by default. Without those assignments the cmdlet is simply not loaded into the session, so the shell reports it as unknown. Alternatively, we could always re-run the initial move command but allow some bad items (200, in this case), letting the corrupt messages just go away. If you specify too large a number (51 or more) for BadItemLimit, you also need to add the AcceptLargeDataLoss parameter.
[PS] C:\Windows\system32>'yourdomain.net/Users/Bob Smith' | New-MoveRequest -TargetDatabase 'Mailbox Database 02' -BadItemLimit '200' -AcceptLargeDataLoss
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that Exchange not copy such items to the destination mailbox. At move completion, these corrupted items won't be available in the destination mailbox.
It should spit out something like what you see below:

DisplayName   Status   TotalMailboxSize           TotalArchiveSize   PercentComplete
-----------   ------   ----------------           ----------------   ---------------
Bob Smith     Queued   1.634 GB (1,754,674,21...                     0
Don’t let the “0 PercentComplete” annoy you. Remember, just go
Get-moverequest|get-moverequeststatistics | fl
to see the progress.
mailbox size
Get-MailboxStatistics -Identity "Bob Smith" | fl
Did you just delete a whole bunch of stuff, but mailbox still same size?
Get-Mailbox "Bob Smith" | fl RetainDeletedItemsFor
RetainDeletedItemsFor : 7.00:00:00
mailbox size, which are getting close to full – Get-MailboxStatistics | where {$_.StorageLimitStatus -ne "BelowLimit"}
mailbox size GUI – from here
Should be a file named mbsizereportv5.ps1. Like maybe in C:\scripts. Needless to say, you need to be in the Exchange Management Shell to run this thing.
Version 5 has now been posted that fixes issue with quotas
please see this
download the new version here or here.
552 5.3.4 Message size exceeds fixed maximum message size
Set-ReceiveConnector -identity "Default [SERVERNAME]" -maxmessagesize 20MB
message tracking missing when you try to run it from the toolbox of the Exchange Management Console – you get a pop-up screen with something like, “There is a problem with this website’s security certificate” and you can “Continue to this website (not recommended)”. When you do so, you are presented with a log in screen. But if you enter in the ID & password, you get, “The webpage cannot be found”.
One point to keep in mind: there’s a big difference between “Message Tracking” and “Tracking Log Explorer”. The one of most interest is the latter (“Tracking Log Explorer”). Most of the following to diagnose and fix concerns the former (“Message Tracking”).
Diagnosis:
First, get some ECPVirtualDirectory info:
Get-EcpVirtualDirectory

Name                     Server
----                     ------
ecp (Default Web Site)   MAIL3

Get-EcpVirtualDirectory | fl *Authentication*

InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication           : True
WindowsAuthentication         : False
DigestAuthentication          : False
FormsAuthentication           : True
LiveIdAuthentication          : False
ExternalAuthenticationMethods : {Fba}
You can also see these authentication settings, and change them to Windows Authentication, in the Exchange Management Console → Server Configuration → Client Access → properties of ECP.
Note there are two tabs: one on the left for OWA and one on the right for ECP.
The ECP authentication settings must match OWA's authentication settings on the same CAS server
Notice in the example above InternalAuthenticationMethods is wrongly set to {Basic, Fba}; we want {Ntlm, WindowsIntegrated}. Similarly,
- BasicAuthentication should be False instead of True
- WindowsAuthentication should be True instead of False
- FormsAuthentication should be False instead of True
Fix:
Change Authentication settings to Windows Authentication in EMC → Server Configuration → Client Access → properties of ECP. If it's already Integrated Windows authentication, you can change it to forms-based authentication and then back again. Need to
iisreset /noforce /timeout:120
after each change. I had to do the timeout of 120 seconds ‘cause I kept getting:
Attempting stop... Restart attempt failed. The service did not respond to the start or control request in a timely fashion. (2147943453, 8007041d)
When you run
Get-EcpVirtualDirectory | fl *Authentication*
again, you should get:

InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
BasicAuthentication           : False
WindowsAuthentication         : True
DigestAuthentication          : False
FormsAuthentication           : False
LiveIdAuthentication          : False
ExternalAuthenticationMethods : {Fba}
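An added example, not from the original entry: the rule stated under Diagnosis (ECP must match OWA on the same CAS) can be checked from the shell instead of eyeballing two property sheets, and the Fix above can be applied with Set-EcpVirtualDirectory rather than the console. The identity "MAIL3\ecp (Default Web Site)" is an assumption built from the Get-EcpVirtualDirectory output above.

```powershell
# Added example (not the page's own commands).
# 1. Compare every ECP virtual directory with the OWA virtual directory on the same server.
$props = 'BasicAuthentication', 'WindowsAuthentication', 'FormsAuthentication', 'DigestAuthentication'
foreach ($ecp in Get-EcpVirtualDirectory) {
    $owa = Get-OwaVirtualDirectory -Server $ecp.Server | Select-Object -First 1
    foreach ($p in $props) {
        if ($ecp.$p -ne $owa.$p) {
            Write-Warning ("{0}: ECP {1}={2} but OWA {1}={3}" -f $ecp.Server, $p, $ecp.$p, $owa.$p)
        }
    }
}

# 2. Apply the Fix from the entry: Integrated Windows auth only, on both ECP and OWA,
#    so the two stay matched. Assumed identities; substitute yours.
#    Caveat: this also removes the forms-based logon page from OWA for users on this CAS.
Set-EcpVirtualDirectory -Identity "MAIL3\ecp (Default Web Site)" `
    -WindowsAuthentication $true -BasicAuthentication $false -FormsAuthentication $false
Set-OwaVirtualDirectory -Identity "MAIL3\owa (Default Web Site)" `
    -WindowsAuthentication $true -BasicAuthentication $false -FormsAuthentication $false

# 3. Same restart the entry needed, then re-check.
iisreset /noforce /timeout:120
Get-EcpVirtualDirectory | fl *Authentication*
```

If the warning loop in step 1 prints nothing after the reset, the two directories agree and the toolbox's Message Tracking page should load without the "webpage cannot be found" detour.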
Workaround:
Now you can always use the command line instead:
Get-MessageTrackingLog
Or, if you don’t like stuff getting chopped off and want to choose your fields, something like:
Get-MessageTrackingLog -Start "12/15/2011 09:00:00" -End "12/15/2011 17:00:00" | fl EventID, TimeStamp, Recipients, Sender, MessageSubject, MessageInfo, EventData
Or, more compact but truncated like 1st example:
Get-MessageTrackingLog -Start "12/15/2011 09:00:00" -End "12/15/2011 17:00:00" | ft -wrap EventID, TimeStamp, Recipients, Sender, MessageSubject, MessageInfo, EventData
Which gives you some info (probably all the info you’d need, actually), but not that pretty GUI we love so much.
Some other fixes I tried before I discovered the way to change authentication above:
First, make sure message tracking is enabled.
Chances are, message tracking is enabled. So check it ahead of time:
Get-TransportServer
And skip the stuff immediately below if message tracking is enabled.
Two ways to do this: through GUI or command line.
Use the EMC to enable or disable message tracking on transport servers
- Perform one of the following steps:
  - On a computer that has the Edge Transport server role installed, select Edge Transport, and then in the action pane, click the Properties link that's directly under the server name.
  - On a computer that has the Hub Transport server role installed, in the console tree, expand Server Configuration, and select Hub Transport. In the action pane, click the Properties link that's directly under the server name.
- On the Properties page, click the Log Settings tab.
- In the Message tracking log section, perform one of the following steps:
  - Select Enable message tracking log to enable message tracking.
  - Clear Enable message tracking log to disable message tracking.
- Click Apply to save changes and remain on the Properties page, or click OK to save changes and exit the Properties page.
Use the Shell to enable or disable message tracking on transport servers
This example disables message tracking on the Exchange 2010 computer Exchange01.
Set-TransportServer Exchange01 -MessageTrackingLogEnabled:$false
Chances are, however, message tracking was already enabled.
message tracking PowerShell script
determine how much email is going in and out of our mail stores for the last day, per user – description, download. Generates .csv files
most recent email for a user, date of - see newest email for a user
move exchange 2003 Mailbox to exchange 2010 – see mailbox, move
MX record, use NSLOOKUP to test your MX record – see NSLOOKUP to test your MX record
newest email for a user (timestamp of)
<#
script name: GetDateOfMostgRecentEmail.ps1
Purpose: Find the most recent email for a list of users
Reads from: mailboxes.txt in your My Documents directory - list of users you care about
Writes to: Mailboxes.csv in your My Documents directory
#>
$mydocs = [environment]::GetFolderPath("mydocuments")
$myList = "$mydocs\mailboxes.txt"
$mailboxes = Get-Content $myList
$OutArray = @()
foreach ($mailbox in $mailboxes) {
    $myobj = "" | Select-Object "Mailbox", "LastEmail"
    $myobj.Mailbox = $mailbox
    # Timestamp of the last Receive event for this recipient. -ExpandProperty stores the bare
    # date; without it the CSV cell would read "@{Timestamp=...}" instead of the date itself.
    $myobj.LastEmail = Get-MessageTrackingLog -EventId Receive -Recipients $mailbox |
        Select-Object -Last 1 -ExpandProperty Timestamp
    $OutArray += $myobj
    $myobj = $null
}
$outputList = "$mydocs\Mailboxes.csv"
$OutArray | Export-Csv $outputList -NoTypeInformation
NSLOOKUP to test your MX record
C:\>nslookup
Default Server: dns1.tri-isys.com
Address: 202.81.160.6
> server 192.168.100.2
Default Server: DC01.mycompany.local
Address: 192.168.100.2
> set q=mx
> microsoft.com
Server: DC01.mycompany.local
Address: 192.168.100.2
Non-authoritative answer:
microsoft.com MX preference = 10, mail exchanger = maila.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailc.microsoft.com
microsoft.com nameserver = ns2.msft.net
microsoft.com nameserver = ns3.msft.net
microsoft.com nameserver = ns4.msft.net
microsoft.com nameserver = ns5.msft.net
microsoft.com nameserver = ns1.msft.net
maila.microsoft.com internet address = 131.107.3.125
maila.microsoft.com internet address = 131.107.3.124
mailb.microsoft.com internet address = 131.107.3.123
mailb.microsoft.com internet address = 205.248.102.77
mailc.microsoft.com internet address = 205.248.102.78
mailc.microsoft.com internet address = 205.248.102.79
ns1.msft.net internet address = 207.46.245.230
ns2.msft.net internet address = 64.4.25.30
ns3.msft.net internet address = 213.199.144.151
ns4.msft.net internet address = 207.46.66.75
ns5.msft.net internet address = 207.46.138.20
> exit
old server, see remains of – let’s say you just migrated from MAIL1 as your old server to MAIL2 as your new server. You think you got everything moved over. But how to tell for sure?
Get-ClientAccessServer | fl
open relay –see SMTP open relay
out of office – see here for Office 2007 run down
on the Exchange (server) side:
Organization Configuration → Hub Transport → click Remote Domains tab → right click Default → select properties
In the “General” tab, select “allow internal out-of-office messages, and out-of-office messages set by Outlook 2003 or earlier clients or sent by Exchange Server 2003 or earlier servers”.
In the “Format of original message sent as attachment to journal report” tab, make sure the “Allow automatic replies” check box is set.
on the Outlook (client) side:
Under Tools, you might have an “out of office assistant”. But you might get “Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later.” Especially in Outlook 2007 because the Availability Service isn’t up. If so, then create a rule (from within Outlook) to have your mailbox automatically reply to a sender.
- In Outlook, on the Tools menu, click Rules Wizard.
- When the dialog box appears, click New.
- Under “Which type of rule do you want to create”, select “Check messages when they arrive”, then click “Next”.
- Under “Which conditions do you want to check”, don’t check anything. When you click “Next” you’ll probably get a pop-up message, “This rule will be applied to every message you receive. Is this correct?” Click “Yes”.
- Under “What do you want to do with the message”, select the “have server reply using a specific message” check box.
- Under Rule Description, click the underlined phrase “a specific message”.
- In the untitled message window, type the subject and the message body that you want to be sent, then click Save and Close.
- Click Finish.
out of office not working properly – make sure the (supposedly automatic) “MSExchangeMailboxAssistants” service is running
Outlook profile or account, can’t add – Other users working just fine but can’t add an existing user to Outlook? Make sure the "Microsoft Exchange System Attendant" service is running! Even though it's "automatic", it often doesn't start when you start/restart the server. When it's not running, previously created Outlook profiles will work just fine. But good luck creating a new one. POP accounts work just fine. But not new Exchange connections from Outlook.
outside access – see remote access
OWA (Outlook Web App)
Forward port 443. It’s often labeled “HTTPS”, which is what it is.
Control Panel, Add remove programs, add/remove Windows components, Network Services, check “RPC over HTTP Proxy”. If not installed, OWA doesn’t work.
Exchange Management Console, “Server Configuration”, “Client Access”, right click “owa (Default Web Site)”, go to properties, “General” tab. By default the internal URL is already filled out. But also need to fill in “https://mail.yourserver.com/owa” in the “External URL” field. You should set up DNS on GoDaddy to point the MX record to this address. In the “Authentication” tab select “Basic Authentication”. Uncheck the rest (can’t remember what the defaults were).
OWA, stop IE from automatically logging on with the one you last logged in with. That is, stop it from automatically remembering the ID and password
The following are all supposed to work but don’t
- Click on the settings icon (looks like a gear) at the top right. Select F12 developer tools. A developer tool will appear on the bottom of the browse. It comes with a lots of menu. Click on Cache to expand the options. Under cache, you’ll see “Clear cookies for domain”. Select the given option to delete the cookie. But this doesn’t really seem to work to get rid of a stored user ID and password.
- Deleting HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\<numbers> will get OWA to start remembering passwords. But not necessarily delete or change. Since I was mainly interested in getting IE to stop remembering passwords, I haven’t tried it.
- Go to C:\Program Files\Microsoft\Exchange Server\v14\ClientAccess\Owa\auth and modify login.aspx, replacing the string autocomplete="off" with autocomplete="on". But when I checked, it was already set to autocomplete="off" and it was still automatically logging on.
- Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings and
  a. On the Edit menu, click New, and then click DWORD Value.
  b. Type DisablePasswordCaching to name the new registry entry, and then press ENTER.
  c. Right-click DisablePasswordCaching, and then click Modify.
  d. Make sure that the Hexadecimal option button is selected, type 1 in the Value data box, and then click OK.
  e. To re-enable password caching, you can either delete the DisablePasswordCaching entry, or change its value to 0.
- Third-party IE PassView. But that doesn’t seem to catch very many IDs and passwords either. Certainly not the one for OWA.
Password, Outlook doesn’t remember – see credentials, keeps asking for every time you open up Outlook, doesn’t remember in Outlook. Most of the stuff there pertains to the client machine. But there is one Exchange tweak:
Get-outlookprovider -identity EXPR

Name   Server   CertPrincipalName   TTL
----   ------   -----------------   ---
EXPR                                1
delete it:
Get-outlookprovider -identity EXPR | remove-outlookprovider

Confirm
Are you sure you want to perform this action?
Removing Outlook Provider "EXPR".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
Once this is done, recycle the AutoDiscover application pool in IIS. This keeps Outlook clients from automatically picking up the settings for “Outlook Anywhere”, but retains the possibility of configuring it manually.
All web services and autodiscover information other than the proxy information itself are intact. To restore the EXPR provider, run the following:
New-OutlookProvider -Name:EXPR
permissions
adsiedit.msc – part of the Windows Support Tools found in the D:\Support directory of your Server 2003 disk. Once you install this, then figure out where to find what you’re looking for. For example, to configure a receiving connector:
Configuration [mail.yourdomain.com] →CN=Configuration, DC=yourdomain, DC=com → CN=Services → CN=Microsoft Exchange → CN=yourdomain.com →CN=Administrative Groups → CN = Exchange Administrative Group (FYDIBOHF23SPDLT) → CN=Servers → CN=MAIL → CN=Protocols → CN=SMTP Receive Connectors → CN = Client MAIL → right click/properties → Security tab
determine – see here – get-ADPermission example:
get-adpermission "Default MAIL"
The example above chops off stuff where you can’t read everything.
This example below shows the Get-ADPermission cmdlet used to get the permissions for Ted, with the output piped into Format-List
Get-ADPermission -Identity Ted | Format-List
But it’s kind of goofy looking.
Format-Table -Wrap is a little more compact and doesn’t chop stuff off. Out-File is much like the > redirector.
Get-ADPermission "Client MAIL" | Select ExtendedRights
It’s a little better in that at least the ExtendedRights aren’t chopped off.
add – Add-ADPermission as in:
Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
where “RelayConnector” is the name of your connector.
remove - Remove-ADPermission – Example: this example will remove send as permissions from user Test1.
Remove-ADPermission -Identity Administrator -user Test1 -ExtendedRights "send as"
Remove-ADPermission -Identity "Client MAIL" -User Everyone -ExtendedRights ms-Exch-Store-Create-Named-Properties
ms-Exch-Open-Send-Queue
POP server, connect client to – 1
POP3, Server Response: '-ERR Command is not valid in this state.'
POP service – enable
In Services, change POP and IMAP to “automatic”. These aren’t started automatically by default. From here:
1. Open the Exchange 2007 Management Shell (PowerShell)
2. Set MSExchangePOP3 service to automatic (not enabled by default)
Set-service msExchangePOP3 -startuptype automatic
3. Configure IP Address and Port for POP3. To use POP3 with SSL, run the following command:
Set-PopSettings -SSLBindings IPaddress:Port
4. Configure POP3 Authentication. If you want to use TLS encryption before authentication (enabled by default), run the following command:
Set-PopSettings -LoginType SecureLogin
5. Enable POP3 Protocol for the User Mailbox (enabled by default)
Set-CasMailbox MailboxName -Popenabled:$true
To find out the current setting, run the following command:
Get-CasMailbox MailboxName
6. Configure the SMTP Receive Connector on the Exchange Server to Allow Anonymous in order to send Email using the following command: - this failed 1/18/08
Set-ReceiveConnector "Servername\default Servername" -PermissionGroups "ExchangeServers,ExchangeUsers,ExchangeLegacyServers,AnonymousUsers"
7. Restart the Microsoft Exchange POP3 Service to apply the settings
Restart-service MSExchangePOP3
From here, it becomes apparent that forwarding the following ports is very important: 25. Others that haven’t seemed quite so important: 135, 993, 995.
Exchange Management Console → Server Configuration → Hub Transport → Receive Connectors, choose all names – both Client Mail and Default MAIL in turn → click Authentication tab and click the “Transport Layer Security (TLS)” box for both of them. Leave “Basic Authentication” off. On the “Permission Groups” check all of the boxes.
Exchange Management Console → Server Configuration → “Client Access”. On the right most of the 3 panes, click “Enable Outlook Anywhere”.
Open “Exchange Management Console”, in “Recipient Configuration”, “Mailbox”, select user. Right click that user and select Properties. Go to the “Mailbox Features” tab, enable “MAPI”.
After you make all these changes, restart the following services: POP, IMAP, IIS.
POP, check Port 110 with the Telnet Command
You can check your POP3 Server on port 110 with the following Telnet command:
Open a command line and type
telnet exchange.domain.com 110
If your server is online a connection will be established on port 110 (POP3). An Exchange Server answers with the following output:
+OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (exchange.domain.com) ready.
Use the following commands for authentication and listing the messages:
USER Domain/Windows-NT-Account/Exchange-Mailbox
+OK
PASS <password>
+OK User successfully logged on.
LIST
1 6855
2 1483
3 1056
4 1841
5 2037
A list of messages is displayed. If you would like to read message number 2, use the following command:
RETR 2
+OK
Received: by exchange.domain.com id <01C44FA6.6E523331@exchange.domain.com>; Fri, 11 Jun 2004 13:22:50 +0200
…
and so forth
ports, TCP and UDP ports used by Exchange Server
PowerShell editor -PowerGUI
protocol logging – records the SMTP conversations that occur between e-mail servers as part of message delivery – not messages that occur between users internally.
Enable Protocol Logging on Receive Connectors
To use the EMC to turn on protocol logging for receive connectors on a Hub Transport server, follow these steps:
- Open the EMC and browse to the Server Configuration → Hub Transport node in the Console tree.
- Select the Hub Transport server that contains the receive connector from the list in the Results pane.
- In the list of receive connectors, select the connector that you want to enable protocol logging on and click the Properties action in the Actions pane.
- In the properties dialog box for the connector, select the General tab.
- Next to the Protocol Logging Level option, select Verbose from the drop-down list
- Click OK to make the changes and close the properties dialog box.
You can also enable protocol logging on a receive connector through the PowerShell.
To see whether your protocol logging level for all of your receive connectors is currently “none” or “verbose”
Get-ReceiveConnector * | Format-Table identity, ProtocolLoggingLevel
To enable protocol logging:
Set-ReceiveConnector ReceiveConnectorName -ProtocolLoggingLevel Verbose
Enable Protocol Logging on Send Connectors
To enable protocol logging on send connectors in the EMC, follow these steps:
- Open the EMC and browse to the Organization Configuration -> Hub Transport node in the Console tree.
- Select the Send Connectors tab in the Work area.
- In the list of send connectors, select the connector that you want to enable protocol logging on.
- In the Actions pane on the right, click the Properties action to open the properties dialog box for the connector.
- In the properties dialog box, select the General tab.
- To the right of the Protocol Logging Level field, select Verbose from the drop-down list.
- Click OK to make the change and close the properties dialog box.
Again, using the PowerShell to see whether your protocol logging level for all of your send connectors is currently “none” or “verbose”
Get-SendConnector * | Format-Table identity, ProtocolLoggingLevel
To enable the protocol logs for send connectors using EMS command:
Set-SendConnector SendConnectorName -ProtocolLoggingLevel Verbose
Configure the Location of the Protocol Logs
When you enable protocol logging, information is written to the protocol logs. On each server there is one instance of these logs for send connectors and one instance for receive connectors. To determine where those logs are or to change the location of those logs, you can use the following steps in the EMC:
- Open the EMC and browse to the Server Configuration -> Hub Transport node in the Console tree.
- In the list of Hub Transport servers in the Results pane, select the server that you want to modify the location of the protocol logs on.
- In the Actions pane on the right, select the Properties task to display the properties dialog box for the server you have selected.
- In the properties dialog box, click the Log Settings tab.
- View or modify the folder path in the Send Protocol Log Path field or the Receive Protocol Log Path field
- If you changed any of the protocol log paths, click OK to make the changes and close the properties dialog box.
PTR's, also called Reverse DNS, are generally a concern for mail, as some mail servers will reject mail originating from IP's that don't have a valid PTR record. A PTR is a DNS record that takes an IP address and points it to a domain name. An IP can have only one PTR record. When we are referring to a specific Reverse DNS record, we are talking about a PTR for a specific IP address.
public folders, list with owners –
Get-PublicFolder -Identity \ -Recurse | Get-PublicFolderClientPermission | where {$_.AccessRights -eq "Owner"}
public folders permissions, get –
Get-PublicFolderClientPermission \folder | Format-List
public folders permissions, remove –
Remove-PublicFolderClientPermission -Identity \folder -User "some user"
remove all user public folders
Get-PublicFolder -Server <server containing the public folder database> "\" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server <server containing the public folder database> -Recurse -ErrorAction:SilentlyContinue
remove all user system folders.
Get-PublicFolder -Server <server containing the public folder database> "\Non_Ipm_Subtree" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server <server containing the public folder database> -Recurse -ErrorAction:SilentlyContinue
queues, 5 types –
submission queue – all messages received will always first be placed in the submission queue.
mailbox delivery queue – waiting to be delivered to a mailbox server in the same site
remote delivery queue – delivering messages to remote servers by using SMTP
poison message queue – messages that may screw up your Exchange environment after a server failure
unreachable queue – messages that can’t be routed to their destinations
queue, delete all messages in –
Say you’ve looked at all messages in a queue:
Get-Message -Filter {Queue -eq "mail3\65510"}
and you want to delete all these messages
Remove-Message -Filter {Queue -eq "mail3\65510"} -WithNDR $false
which doesn't send an NDR. Or maybe you want to get rid of all our nicely generated, “unable to deliver” bounce backs for all the spam from unreachable sources:
Remove-Message -Filter {Subject -like "Undeliverable*"} -WithNDR $false
queue, email stuck in – see queues, see status, queues, retry, message, retry
queues, retry – The following will force a connection attempt for all queues that meet the following criteria:
- holding messages for the domain mail3
- have a status of Retry
- located on the server on which the command is executed
Retry-Queue -Filter {NextHopDomain -eq "mail3" -and Status -eq "Retry"}
Get-Queue
or, to see the queues with the most messages at the top:
Get-Queue -SortOrder:-MessageCount
Identity          DeliveryType   Status   MessageCount   NextHopDomain
--------          ------------   ------   ------------   -------------
mail3\65510       DnsConnec...   Retry    8              somedomain.com
mail3\8           SmtpRelay...   Retry    2              hub version 8
mail3\Submission  Undefined      Ready    0              Submission
Status of “Retry” indicates problems.
If you want to see which messages are in the top-most queue above, note the queue name (the “Identity” column above) and run
Get-Message -Filter {Queue -eq "mail3\65510"}
If, after looking at them, you want to delete all the messages in that queue without sending an NDR:
Remove-Message -Filter {Queue -eq "mail3\65510"} -WithNDR $false
quota, see which mailboxes are getting near – see mailbox size, which are getting close to full
RBL (real-time block list) – see block list providers, test
real-time block list (RBL) – see block list providers, test
receive connector FQDN, set
Set-ReceiveConnector -Identity "Default MAIL2" -Fqdn yourdomain.com
receive connector permissions
to determine permissions:
Get-ReceiveConnector -Identity "Client Mail3" | Get-ADPermission
Or, for more detail on extended permissions
Get-ReceiveConnector -Identity "Client Mail3" | Get-ADPermission | Format-Table User, Deny, ExtendedRights
To set, from the Exchange command shell:
set-ReceiveConnector -identity "Name of Default Connector" -PermissionGroups AnonymousUsers
receive connector info
Get-ReceiveConnector "Client Mail3" | sort-object | Format-List
redirect http to https – see http, redirect to https
relay, open – see SMTP open relay
remote access – two ways
through Outlook using HTTP proxy
through IE using OWA
RPC over HTTP
RPC Proxy server
reply to email, change default – see email, change default
SACL Watcher servicelet encountered an error while monitoring SACL change. Got error 1722 opening group policy on system xx.yourdomain.net in domain yourdomain – you can try Ntdsutil. But you might get:
Found 1 server(s)
0 - (null)
When you get to “list servers in site” if you’re doing this on Win 2008 and you have Win2003 servers.
send as alternate email address in Outlook – not straightforward. See discussion & 3rd party tools here
send connector, create
new-SendConnector -Name 'SMTPSendConnectorMAIL3' -Usage 'Custom' -AddressSpaces 'SMTP:*;1' -IsScopedConnector $false -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $false -SourceTransportServers 'MAIL3'
send connector FQDN, set
Set-SendConnector -Identity "SMTPSendConnectorMAIL3" -Fqdn yourdomain.com
send connector FQDN, show
Get-SendConnector -Identity InternetMail | ft -Property fqdn
send connector info
Get-SendConnector "SMTPSendConnectorMAIL3" | sort-object | Format-List
Services, which aren’t running that should be – from a PowerShell prompt:
Test-ServiceHealth
Shows, per server role, the required services that are running and lists those that should be running but aren’t.
sites
SMTP Auth enabled in O365
- Open the Microsoft 365 admin center and go to Users → Active users.
- Select the user, and in the flyout that appears, click Mail.
- In the Email apps section, click Manage email apps.
- Verify the Authenticated SMTP setting: unchecked = disabled, checked = enabled
SMTP, check Port 25 with the Telnet Command
You can check your SMTP Server on SMTP port 25 with the following Telnet command:
Open a command line and type
telnet mailserver.domain.com 25
If your server is online a connection will be established on port 25 (SMTP).
An Exchange Server answers with the following output:
220 mailserver.domain.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sat, 22 May 2004 08:34:14 +0200
If you type the ‘help’ command the available commands are listed:
214-This server supports the following commands:
214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY
Try the following to send an email from the command line:
helo myserver.domain.com
should return something like
250 mailserver.domain.com Hello [192.168.100.17]
or perhaps merely
ehlo
which returns a more verbose reply listing what the server supports. Either way, you can now begin issuing the commands to send an email:
mail from:myname@mydomain.com
250 2.1.0 Sender OK
rcpt to:recipientname@mydomain.com
250 2.1.5 Recipient OK
You can put in more than one rcpt to:, but it seems that sometimes when you do that, only the first recipient you specify ever gets the message.
At this point, type in data to begin putting in what the recipient will actually see
data
354 Start mail input
These next 3 lines can be in any order. It might seem odd to specify sender and recipient again when you already gave them above, but the addresses above (mail from: and rcpt to:) are the ones that actually control delivery; the 3 lines below are optional and are simply what the recipient sees.
from: sender@mydomain.com
to: recipientname@mydomain.com
subject: This is a test mail
Now you have to put in an empty carriage return. This is important because this empty carriage return is what tells the program that whatever follows is supposed to be in the body. If you omit this empty carriage return, the email will still go out. But all the stuff you type in after will simply be ignored and your email won't have anything in the body.
This is the text of my test mail.
Put in a dot to let the program know you’re done writing your email
.
250 Mail queued mail for delivery
Depending on your environment, it might not actually send the email ’til you type in “quit”.
quit
221 Closing connection. Good bye.
Connection to host lost.
SMTP, change receive connector port –
Exchange Management Console → Server Configuration →Hub Transport → Receive Connectors, choose whichever name – probably Default MAIL→ right click Properties → choose the Network tab → add an entry to Local IP Addresses, type in the port and usually leave the “Use all IP addresses available on this server” radio button checked
SMTP open relay – see also SMTP unable to relay error message right below
check for – see SMTP above and when you attempt
rcpt to:recipientname@mydomain.com
you should get a response like
550 5.7.1 Unable to relay
if it’s closed or
250 2.1.5 Recipient OK
if it’s open
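The telnet exchange above, together with the relay check just described, scripted as an added example (not code from the page): relay_check replays EHLO, MAIL FROM and RCPT TO against your own receive connector, reads the RCPT TO reply code (550 5.7.1 means relay denied, 250 2.1.5 means the connector relays for an anonymous sender) and sends RSET before QUIT so nothing is queued. FakeExchange is a constructed stand-in for the server side that answers with the page's response lines so the script runs offline; the host names and addresses are the page's placeholders.

```python
import socket
import threading


def _read_reply(rfile):
    """Read one SMTP reply; continuation lines carry '-' in the 4th column (e.g. '250-')."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def relay_check(host, port, helo_name, mail_from, rcpt_to, timeout=10):
    """Replay EHLO / MAIL FROM / RCPT TO against your own receive connector.

    rcpt_to should be an address in a domain this server is NOT authoritative for:
    250 there means the connector relays for an anonymous sender, 550 5.7.1 means it refuses.
    RSET is sent before QUIT so nothing is queued, whatever the server answered.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def send(text):
            transcript.append("> " + text)
            sock.sendall((text + "\r\n").encode("ascii"))
            code, lines = _read_reply(rfile)
            transcript.extend(lines)
            return code

        code, lines = _read_reply(rfile)          # 220 banner
        transcript.extend(lines)
        if code != 220:
            return {"rcpt_code": None, "verdict": "no-smtp-banner", "transcript": transcript}
        for text in ("EHLO " + helo_name, "MAIL FROM:<%s>" % mail_from):
            if send(text) != 250:
                return {"rcpt_code": None, "verdict": "refused-before-rcpt", "transcript": transcript}
        rcpt_code = send("RCPT TO:<%s>" % rcpt_to)
        send("RSET")
        send("QUIT")
    if rcpt_code == 250:
        verdict = "open-relay"
    elif rcpt_code in (550, 554):
        verdict = "relay-denied"
    else:
        verdict = "other"
    return {"rcpt_code": rcpt_code, "verdict": verdict, "transcript": transcript}


class FakeExchange(threading.Thread):
    """Constructed stand-in server on 127.0.0.1 answering with the page's lines; serves one connection."""

    def __init__(self, allow_relay=False):
        super().__init__(daemon=True)
        self.allow_relay = allow_relay
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        self.listener.close()
        with conn:
            rfile = conn.makefile("rb")
            conn.sendall(b"220 mailserver.domain.com Microsoft ESMTP MAIL Service ready\r\n")
            while True:
                raw = rfile.readline()
                if not raw:
                    return
                words = raw.strip().split(b":")[0].split()   # verb is the first word before any ':'
                verb = words[0].upper() if words else b""
                if verb == b"EHLO":
                    conn.sendall(b"250-mailserver.domain.com Hello [127.0.0.1]\r\n250 AUTH LOGIN\r\n")
                elif verb == b"MAIL":
                    conn.sendall(b"250 2.1.0 Sender OK\r\n")
                elif verb == b"RCPT":
                    conn.sendall(b"250 2.1.5 Recipient OK\r\n" if self.allow_relay
                                 else b"550 5.7.1 Unable to relay\r\n")
                elif verb == b"RSET":
                    conn.sendall(b"250 2.0.0 Resetting\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Closing connection. Good bye.\r\n")
                    return
                else:
                    conn.sendall(b"500 5.5.2 Unrecognized command\r\n")


if __name__ == "__main__":
    server = FakeExchange(allow_relay=False)
    server.start()
    result = relay_check("127.0.0.1", server.port, "myserver.domain.com",
                         "myname@mydomain.com", "someone@example.net")
    print("\n".join(result["transcript"]))
    print("verdict:", result["verdict"])
```

Against a real connector, pass the server's name and port 25 instead of the fake server's port.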
SMTP unable to relay error message
"550 5.7.1 Unable to relay"
Note: following these instructions will result in an open, unprotected relay which anyone on the planet can use and abuse. Do you really want that? Probably not.
first, explicitly allow various domains and/or IP ranges to relay
Exchange Management Console → Organization Configuration → Hub Transport → Send Connectors tab → select SmtpSendConnector → right click Properties → choose the Address Space tab → add entries for various domains and IP ranges
After you’re done with this, you still might get the error, “Client does not have permission to send as this sender”
Exchange Management Console → Server Configuration → Hub Transport → Receive Connectors, choose all names – both Client Mail and Default MAIL in turn → right click Properties → choose the Authentication tab and clear all boxes; choose the Permissions tab and check all the boxes
This grants the most common permissions to the anonymous account, but it does not grant the relay permission. This step must be done through the Exchange shell:
Get-ReceiveConnector "CRM Application" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
In addition to being more difficult to complete, this step does not allow the anonymous account to bypass anti-spam. To fix that:
Exchange Management Console → Organization Configuration → Hub Transport → AntiSpam tab → right click Content Filtering and disable
spam – see also block list providers, test
spam police - see also block list providers, test
BlackList Monitor
Postini
SPF records – Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam. A typical record might look like this:
v=spf1 mx:61.18.45.14 mx:smtp.secureserver.net mx:mailstore1.secureserver.net mx:mail.your.com ip4:61.18.45.14 include:smtp.secureserver.net include:61.18.45.14 -all
which would allow GoDaddy’s main (smtp.secureserver.net) and backup (mailstore1.secureserver.net) servers as well as the local ones at 61.18.254.14 and mail.your.com to send mail but – most importantly – will reject everyone else (-all). This would work:
v=spf1 a ~all
But you really wouldn’t want to use it ’cause it allows anyone to send anything saying they’re you and rather defeats the whole purpose of having SPF records in the first place. But if you’re trying to get something to work that requires an SPF record, then you can at least start with that.
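The SPF wizard mentioned under “SPF test” turns each phrase of a record into English; the following added example (not the page's code, nor the wizard's) does the same for the two records quoted above and, beyond that, flags the terms a mail admin should fix before publishing: an mx: or include: that carries an IP address where a domain name is required, a missing or weak trailing all, and more than ten DNS-querying terms. PAGE_RECORD is constructed from the record quoted above.

```python
import ipaddress

# Constructed from the record the page quotes above.
PAGE_RECORD = ("v=spf1 mx:61.18.45.14 mx:smtp.secureserver.net mx:mailstore1.secureserver.net "
               "mx:mail.your.com ip4:61.18.45.14 include:smtp.secureserver.net "
               "include:61.18.45.14 -all")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # RFC 7208 allows at most 10


def _is_ip_literal(text):
    """True when text is an IP address or CIDR block rather than a domain name."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def parse_spf(record):
    """Split a record into dicts, one per mechanism or modifier, in evaluation order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    parsed = []
    for raw in terms[1:]:
        if "=" in raw and raw[0] not in QUALIFIERS:        # modifier such as redirect= or exp=
            name, _, arg = raw.partition("=")
            parsed.append({"kind": "modifier", "name": name.lower(), "arg": arg})
            continue
        qualifier = "+"                                    # no qualifier means pass
        if raw[0] in QUALIFIERS:
            qualifier, raw = raw[0], raw[1:]
        name, _, arg = raw.partition(":")
        if ":" not in raw and "/" in raw:                  # a/24, mx/24: CIDR without a colon
            name, _, cidr = raw.partition("/")
            arg = "/" + cidr
        name = name.lower()
        if name not in MECHANISMS:
            raise ValueError("unknown mechanism: " + name)
        parsed.append({"kind": "mechanism", "qualifier": qualifier, "name": name, "arg": arg})
    return parsed


def explain(term):
    """Render one parsed term as the English sentence an SPF wizard would show."""
    if term["kind"] == "modifier":
        if term["name"] == "redirect":
            return "otherwise evaluate the SPF record of " + term["arg"]
        return "modifier %s=%s" % (term["name"], term["arg"])
    verdict, name, arg = QUALIFIERS[term["qualifier"]], term["name"], term["arg"]
    target = arg or "this domain"
    if name == "all":
        return "%s for every sender not matched above" % verdict
    if name in ("ip4", "ip6"):
        return "%s if the sending IP is in %s" % (verdict, arg)
    if name == "include":
        return "%s if %s's SPF record passes for the sending IP" % (verdict, arg)
    if name == "mx":
        return "%s if the sending IP is an MX host of %s" % (verdict, target)
    if name == "a":
        return "%s if the sending IP is an A/AAAA address of %s" % (verdict, target)
    return "%s if %s:%s matches" % (verdict, name, arg)


def audit(record):
    """Return the findings a mail admin should fix before publishing the record."""
    terms = parse_spf(record)
    findings = []
    for t in terms:
        # mx: and include: take a domain name; an IP literal there never matches anything.
        if t["kind"] == "mechanism" and t["name"] in ("mx", "include") and t["arg"] and _is_ip_literal(t["arg"]):
            findings.append("%s:%s takes a domain, not an IP; use ip4:%s" % (t["name"], t["arg"], t["arg"]))
    mechs = [t for t in terms if t["kind"] == "mechanism"]
    final_all = mechs[-1] if mechs and mechs[-1]["name"] == "all" else None
    if final_all is None and not any(t["kind"] == "modifier" and t["name"] == "redirect" for t in terms):
        findings.append("no terminal 'all': unmatched senders get Neutral, so the record rejects nobody")
    elif final_all is not None and final_all["qualifier"] == "+":
        findings.append("'+all' passes every sender on the internet; the record protects nothing")
    elif final_all is not None and final_all["qualifier"] == "~":
        findings.append("'~all' only softfails unmatched senders; most receivers accept softfail mail")
    elif final_all is not None and final_all["qualifier"] == "?":
        findings.append("'?all' is neutral for unmatched senders, the same as publishing no policy")
    lookups = sum(1 for t in terms if t["name"] in DNS_TERMS)
    if lookups > 10:
        findings.append("%d DNS-querying terms exceed the RFC 7208 limit of 10" % lookups)
    return findings


if __name__ == "__main__":
    for rec in (PAGE_RECORD, "v=spf1 a ~all"):
        print(rec)
        for term in parse_spf(rec):
            print("  " + explain(term))
        for finding in audit(rec):
            print("  ! " + finding)
```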
SPF test - There are two types of SPF testers available. There are those that you send email to, which are good for testing how email sent from the computer you are sitting at is actually treated. There are also those that let you fill in the appropriate information and can simulate an SPF check from anyone and from anywhere.
Email based SPF testers
- You can also send mail to spfenabled@pobox.com and see what happens. If you send mail from an unlisted server it will be rejected. Please don't make up bogus addresses if that would cause random third parties to get mysterious bounce messages.
- Port25.com also provides a tool to test whether SPF is working. Send an email to check-auth@verifier.port25.com and you will receive a reply containing the results of the SPF check.
- The ESPC also provides an SPF verification tool
Form based SPF testers
SPF wizard - here – this is especially helpful to convert each phrase in your existing SPF record into English sentences
SPN, add – rather than using the “-a” switch which merely adds an SPN, you might want to use the “-s” switch which checks to see if there’s a duplicate first before adding an SPN
setspn -S POP3/MAIL3 MAIL3
Checking domain DC=yourdomain,DC=net
Registering ServicePrincipalNames for
CN=MAIL3,OU=Domain Controllers,DC=yourdomain,DC=net
POP3/MAIL3
Updated object
SPNs, view (Service Principal Name)
setspn -l hostname | sort-object
If it's just a Hub Transport (HT) server you'll need these:
SMTP/<fqdn>
SMTP/<netbiosname>
SMTPSVC/<fqdn>
SMTPSVC/<netbiosname>
HOST/<fqdn>
HOST/<netbiosname>
If it's also a Client Access Server (CAS), you'll need these (one each for FQDN and netbiosname):
POP3
IMAP4
IMAP
If it's a mailbox (MB) server, you'll need these (one each for FQDN and netbiosname):
ExchangeRFR
ExchangeMDB
Symantec Antispam for Exchange not working – see instructions here
System health
Run
Test-SystemHealth
This brings up kind of a pop-up within the shell which shows progress with a succession of “o”.
Mailbox Role Checks
Testing complete
[oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo]
Which might take quite a while. Eventually, you might get something like
WARNING: The Write DACL inherit (group) right for the Exchange Enterprise Servers
group should be removed from the root of the domain.
WARNING: Current processor speed on server mail.yourdomain.net is less than the maximum possible speed. Maximum
clock speed is 3301. Current clock speed is 1584.
WARNING: The SSL certificate for
'https://mail.yourdomain.com/ews/exchange.asmx' is self-signed. It does not provide any of the
security guarantees provided by authority-signed or trusted certificates. It is strongly recommended that
you install an authority-signed or trusted certificate.
And it might go on for quite a while. I’ve never found this to be especially useful.
telnet (check by hand that a service is listening on a port), for example, for SMTP:
telnet 192.168.0.1 25
term 'xx' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. (Exchange)
for example:
get-mailbox -ResultSize Unlimited
returns:
get-mailbox : The term 'get-mailbox' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At line:1 char:1
+ get-mailbox -ResultSize Unlimited
+ ~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (get-mailbox:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
need to run:
add-pssnapin *exchange* -erroraction SilentlyContinue
topology - Exchange Topology service on server localhost did not return a suitable domain controller
Run policytest. If it fails, it might look something like this:
policytest
This tool will check every domain controller in the local
domain to see if the "Manage auditing and security logs"
privilege granted to the "Exchange Enterprise Servers"
group by DomainPrep has replicated to that DC. If the
policy change has not yet replicated to all DCs, then
you should avoid making policy changes on any DC that
has not received those changes yet.
You must have Domain Admin rights to run this tool
successfully. If you see an error that says:
!! LsaEnumerateAccountRights returned error 5 !!
then you don't have permission to open the LSA on the
given DC.
===============================================
Local domain is "yourdomain.net" (YOURDOMAIN)
Account is "YOURDOMAIN\Exchange Enterprise Servers"
========================
DC = "SERVER1"
In site = "Default-First-Site-Name"
!!! Right NOT found !!!
========================
DC = "SERVER2"
In site = "Default-First-Site-Name"
!!! Right NOT found !!!
Nothing below worked to fix either the main “topology” error above or the policytest errors. But these are some of the things I tried.
Check Manage auditing and security log settings.
- Open the Group Policy Management MMC snap-in on the domain controller specified in the event description.
- Navigate to Forest: yourdomain.net, Domains, yourdomain.net, Group Policy Objects.
- Right-click Default Domain Controllers Security Settings and choose Edit. This opens the Group Policy Object Editor.
- Navigate to Default Domain Controllers Security Settings, Computer Configuration, Windows Settings, Security Settings; expand Local Policies, then click User Rights Assignment.
- In the results pane on the right, double-click Manage auditing and security log.
- Verify that both the Exchange Servers group and the Exchange Enterprise Servers group are listed. If not, add them.
Make sure that Exchange server is member of proper groups.
Using commands
Make sure that the Exchange server is still a member of the Exchange Domain Servers group
dsquery group -samid "Exchange Domain Servers" | dsget group -members -expand
or
dsquery group -name "Exchange Domain Servers" | dsget group -members -expand
Either one should return something like
"CN=Administrator,CN=Users,DC=yourdomain,DC=net" "CN=MAIL3,OU=Domain Controllers,DC=yourdomain,DC=net"
Make sure that Exchange Domain Servers group is a member of Exchange Enterprise Servers group.
dsquery group -samid "Exchange Enterprise Servers" | dsget group -members -expand
or
dsquery group -name "Exchange Enterprise Servers" | dsget group -members -expand
Either one should return something like
"CN=Exchange Domain Servers,CN=Users,DC=yourdomain,DC=net" "CN=Administrator,CN=Users,DC=yourdomain,DC=net" "CN=MAIL3,OU=Domain Controllers,DC=yourdomain,DC=net"
By default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller.
Using the graphic interface
Look in the Active Directory Users and Computers, yourdomain.net, Users for “Exchange Domain Servers” and “Exchange Enterprise Servers”. Look in the “Members” and “Members OF” tabs.
What if the Exchange server is missing from “Exchange Domain Servers”? Go to the Exchange server in either Computers or Domain Controllers group, find the Exchange server, and add to the group. (I haven’t figured out how to do it the other way: going to the group and trying to add the computer. Doesn’t seem to work.)
Run
Get-ExchangeServer servername -Status | fl name, *controller*, *catalogs*
Look for CurrentDomainControllers and CurrentGlobalCatalogs:
StaticDomainControllers : {}
StaticGlobalCatalogs : {}
StaticConfigDomainController :
StaticExcludedDomainControllers : {}
CurrentDomainControllers : {servername.yourdomain.net}
CurrentGlobalCatalogs : {servername.yourdomain.net}
CurrentConfigDomainController : servername.yourdomain.net
Either the static or the current values above should be set; they can’t all be empty. If they are all blank, it doesn’t seem as though you can set the “Current” values, but you should be able to set the “Static” ones:
Set-ExchangeServer -Identity servername -StaticDomainControllers yourdomaincontroller1.yourdomain.net,yourdomaincontroller2.yourdomain.net -StaticGlobalCatalogs "yourdomaincontroller.yourdomain.net" -StaticConfigDomainController "yourdomaincontroller.yourdomain.net"
To clear:
Set-ExchangeServer -Identity servername -StaticDomainControllers $Null -StaticGlobalCatalogs $Null -StaticConfigDomainController $Null
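The checks in this entry (server in Exchange Domain Servers, that group in Exchange Enterprise Servers, and at least one domain controller and global catalog set on the Exchange server object) can be run as one script from the Exchange server itself, which matters because the ds* tools are only present on a domain controller. The following is an added example, not from the original notes: it uses plain ADSI/LDAP queries for the group checks and Get-ExchangeServer for the DC values. It assumes the Exchange Management Shell is loaded, the default group names are in use, and the caller has rights to read the domain; it changes nothing.

```powershell
# Added example, not from the original notes. Read-only prerequisite check for the
# "topology service did not return a suitable domain controller" entry above.
# Assumptions: run inside the Exchange Management Shell as a domain admin;
# the groups still carry their default names.
function Test-ExchangeTopologyPrereqs {
    param([Parameter(Mandatory = $true)][string]$ServerName)   # NetBIOS name, e.g. MAIL3

    # Find the domain naming context without needing RSAT or the AD module.
    $domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext.Value

    # Resolve an LDAP filter to a single distinguished name (or $null).
    function Find-Dn([string]$ldapFilter) {
        $s = New-Object System.DirectoryServices.DirectorySearcher
        $s.SearchRoot = [ADSI]"LDAP://$domainDn"
        $s.Filter = $ldapFilter
        $r = $s.FindOne()
        if ($r) { $r.Properties['distinguishedname'][0] }
    }

    # Direct members of a group, as DN strings.
    function Get-GroupMemberDns([string]$groupDn) {
        ([ADSI]"LDAP://$groupDn").member | ForEach-Object { "$_" }
    }

    # Computer accounts have a trailing "$" in sAMAccountName; the backtick keeps it literal.
    $serverDn     = Find-Dn "(&(objectClass=computer)(sAMAccountName=$ServerName`$))"
    $domainSrvDn  = Find-Dn "(&(objectClass=group)(sAMAccountName=Exchange Domain Servers))"
    $enterpriseDn = Find-Dn "(&(objectClass=group)(sAMAccountName=Exchange Enterprise Servers))"

    $results = @()
    $results += New-Object PSObject -Property @{
        Check  = "$ServerName is a member of Exchange Domain Servers"
        Passed = [bool]($serverDn -and $domainSrvDn -and ((Get-GroupMemberDns $domainSrvDn) -contains $serverDn))
    }
    $results += New-Object PSObject -Property @{
        Check  = "Exchange Domain Servers is a member of Exchange Enterprise Servers"
        Passed = [bool]($domainSrvDn -and $enterpriseDn -and ((Get-GroupMemberDns $enterpriseDn) -contains $domainSrvDn))
    }

    # The notes' rule: static or current DC/GC values may be empty, but not both.
    $srv = Get-ExchangeServer $ServerName -Status
    $results += New-Object PSObject -Property @{
        Check  = 'A domain controller is set (StaticDomainControllers or CurrentDomainControllers)'
        Passed = [bool]($srv.StaticDomainControllers.Count -gt 0 -or $srv.CurrentDomainControllers.Count -gt 0)
    }
    $results += New-Object PSObject -Property @{
        Check  = 'A global catalog is set (StaticGlobalCatalogs or CurrentGlobalCatalogs)'
        Passed = [bool]($srv.StaticGlobalCatalogs.Count -gt 0 -or $srv.CurrentGlobalCatalogs.Count -gt 0)
    }
    $results
}

# Usage with a constructed server name.
Test-ExchangeTopologyPrereqs -ServerName MAIL3 | Format-Table Check, Passed -AutoSize
```

A False on either group check points at the Active Directory Users and Computers fix described above; a False on the DC or GC check points at the Set-ExchangeServer -Static* commands. The group checks look only at direct membership, which is what dsget -members -expand shows for these two groups.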
traces of old server – see old server, see remains
training
Transcript
- Start up the Exchange 2007 Command Shell.
- At the Command Shell prompt, type Start-Transcript (this begins collecting the information).
- Next, run Get-ReceiveConnector | FL * (| is the pipe symbol); this collects all of the info on your Receive connectors.
- Now run Stop-Transcript. This creates a transcript text file in the My Documents folder.
transport service won’t start
If you attempt to restart and it locks up in “restarting” and all the other options are greyed out, no help for it but to reboot. But rebooting alone won’t always work! Often, you’ll simply get a notice on boot up that one or more services failed and when you go to look at that service it’s still “booting”! So need to make a registry entry (from a clue I found here):
Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange TransportService\
Add a new DWORD entry called “BootPause” and enter 60 (decimal).
This is the value in seconds that we want to delay. Since no other services depend on this, we don’t have to worry too much about it. The site where I found this clue dealt with another service, MSExchangeSA, and describes 3 other workarounds, but on 1/31/08 adding the “BootPause” entry seemed to fix the problem.
unable to relay error message SMTP – see SMTP unable to relay error message
uninstall Exchange. Let’s say you move all your mailboxes from an old Exchange 2007 server – MAIL2 – to a shiny new Exchange 2010 server – MAIL3. You turn off your old Exchange 2007 server and, lo and behold, all your emails are processing just fine. That means you’re done, right? Har! You didn’t think you’d get off that easy, did you? Let’s just take a look to see if there are any remains:
Get-ClientAccessServer | fl
You’ll see something like:
RunspaceId : 78075ede-f297-4a9d-92c4-d8cc2dfd72c3
Name : MAIL2
Fqdn : mail2.yourdomain.net
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : mail2
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.yourdomain.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled : False
IrmLogMaxAge : 30.00:00:00
IrmLogMaxDirectorySize : unlimited
IrmLogMaxFileSize : 10 MB (10,485,760 bytes)
IrmLogPath :
MigrationLogLoggingLevel : Information
MigrationLogFilePath :
MigrationLogMaxAge : 180.00:00:00
MigrationLogMaxDirectorySize : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize : 100 MB (104,857,600 bytes)
IsValid : True
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=MAIL2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Yourdomain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain,DC=net
Identity : MAIL2
Guid : cc4db3ef-b6f5-412f-b906-796f5c968fba
ObjectCategory : yourdomain.net/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 3/7/2012 4:06:46 PM
WhenCreated : 3/7/2008 3:24:22 PM
WhenChangedUTC : 3/7/2012 10:06:46 PM
WhenCreatedUTC : 3/7/2008 9:24:22 PM
OrganizationId :
OriginatingServer : mail3.yourdomain.net

RunspaceId : 78075ede-f297-4a9d-92c4-d8cc2dfd72c3
Name : MAIL3
Fqdn : mail3.yourdomain.net
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : mail2
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.yourdomain.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled : False
IrmLogMaxAge : 30.00:00:00
IrmLogMaxDirectorySize : unlimited
IrmLogMaxFileSize : 10 MB (10,485,760 bytes)
IrmLogPath :
MigrationLogLoggingLevel : Information
MigrationLogFilePath :
MigrationLogMaxAge : 180.00:00:00
MigrationLogMaxDirectorySize : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize : 100 MB (104,857,600 bytes)
IsValid : True
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=MAIL2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Yourdomain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain,DC=net
Identity : MAIL2
Guid : cc4db3ef-b6f5-412f-b906-796f5c968fba
ObjectCategory : yourdomain.net/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 8/3/2011 4:48:32 PM
WhenCreated : 3/7/2008 3:24:22 PM
WhenChangedUTC : 8/3/2011 9:48:32 PM
WhenCreatedUTC : 3/7/2008 9:24:22 PM
OrganizationId :
OriginatingServer : mail3.yourdomain.net

RunspaceId : 3ad5cb17-61f6-4cfa-9d81-20f70653b8be
Name : MAIL3
Fqdn : mail3.yourdomain.net
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : mail3
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.yourdomain.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled : True
IrmLogMaxAge : 30.00:00:00
IrmLogMaxDirectorySize : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize : 10 MB (10,485,760 bytes)
IrmLogPath : C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel : Information
MigrationLogFilePath :
MigrationLogMaxAge : 180.00:00:00
MigrationLogMaxDirectorySize : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize : 100 MB (104,857,600 bytes)
IsValid : True
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=MAIL3,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Yourdomain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain,DC=net
Identity : MAIL3
Guid : 517ff858-9461-411b-9038-ea4456982cf7
ObjectCategory : yourdomain.net/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 3/1/2012 9:55:37 AM
WhenCreated : 8/19/2011 12:56:16 PM
WhenChangedUTC : 3/1/2012 3:55:37 PM
WhenCreatedUTC : 8/19/2011 5:56:16 PM
OrganizationId :
OriginatingServer : mail3.yourdomain.net
Just look at all the leftover references to MAIL2! How to get rid of them? You’ve got to uninstall Exchange from the old MAIL2 server. Easier said than done. Maybe first you try to remove Exchange using Add/Remove Programs in Control Panel. But I quickly ran into problems. Right off the bat, it complained that WMI wasn’t working. I had to download WMIDiag.exe and fix all the problems it found.
It then complained,
Setup cannot use domain controller ‘’ because an override is set in the registry. Run Setup again, and specify ‘/DomainController:mail3.yourdomain.net’
Well, I couldn’t very well run the uninstall program with arguments from the control panel GUI. So I stuck in the Exchange 2007 install disk and ran the following command:
F:\>setup /m:Uninstall /r:M,H,C,T /dc:mail3.yourdomain.net
This is an ambitious start: trying to remove all roles at once (that’s what the “M,H,C,T” above are: 4 roles: Mailbox, Hub Transport, Client Access, Management Tools). Of course, I immediately ran into all kinds of other problems. It started by complaining about Public Folders:
Welcome to Microsoft Exchange Server 2007 Unattended Setup
Preparing Exchange Setup
The following server roles will be removed
Mailbox Role
Client Access Role
Hub Transport Role
Management Tools
Performing Microsoft Exchange Server Prerequisite Check
Mailbox Role Checks ......................... FAILED
Uninstall cannot continue. Database 'Public Folder Database': Exchange is unable to check the public folder replicas for "MAIL2\Second Storage Group\Public Folder Database". Verify the Microsoft Information Store service is running on mail2.yourdomain.net, and that the database is properly mounted.
The easiest way to deal with this is to remove those, since 2010 doesn’t need ‘em. First the user folders:
Get-PublicFolder -Server MAIL2 "\" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server MAIL2 -Recurse -ErrorAction:SilentlyContinue
Confirm
Are you sure you want to perform this action?
Removing public folder "\".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):y
Followed by the system folders:
Get-PublicFolder -Server MAIL2 "\Non_IPM_SUBTREE" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server MAIL2 -Recurse -ErrorAction:SilentlyContinue
Confirm
Are you sure you want to perform this action?
Removing public folder "\NON_IPM_SUBTREE\EFORMS REGISTRY".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):a
It’ll complain about connectors:
Hub Transport Role Checks ......................... FAILED
This computer is configured as a source transport server for 1 connector(s) in the organization. These must be moved or deleted before Setup can continue.
So you need to remove those. I was able to do that through the Exchange Management Console.
It’ll complain about you still having mailbox databases, but it does so indirectly, in a way that gives no clue it’s really talking about mailbox databases:
Mailbox Server Role ......................... FAILED
Object is read only because it was created by a future version of Exchange: 0.10 (14.0.100.0). Current supported version is 0.1 (8.0.535.0).
You can try removing them ‘til you’re blue in the face through the Exchange Management Console. I used ADSIedit.msc to remove them: connect to the “Configuration” container and navigate to “Services –> Microsoft Exchange –> Org Name –> Administrative Groups –> Group Name –> Servers –> 2007servername –> Information Store –> Storage Group”. Right-click the "2007 Public Folder Database" and select "Delete". Wait for replication to happen. But I later found out I could have run:
Remove-PublicFolderDatabase "E2K7MBX\SGPublicFolders\StoreSGPublicFolders"
Confirm
Are you sure you want to perform this action?
Removing public folder database "E2K7MBX\SGPublicFolders\StoreSGPublicFolders".
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
WARNING: The specified database has been removed. You must remove the database file located in K:\E2K7Data\SGPublicFolders\PublicFolderDatabase.edb from your computer manually if it exists. Specified database: PublicFolderDatabase
Anyway, when you remove them, it complains about something else:
Client Access Role Checks ......................... FAILED
Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is installed.
So I scaled back my ambitions by trying to break the uninstall up into parts, at the very least leaving out the Client Access role. When I tried
F:\>setup /m:Uninstall /r:M,H,T /dc:mail3.yourdomain.net
it didn’t think it could uninstall the management tools in one shot while other roles were still installed:
The following server roles will be removed
Mailbox Role
Hub Transport Role
Some roles are still installed. Management Tools cannot be uninstalled.
Exchange Server setup encountered an error.
So I split the uninstall up into two parts.
F:\>setup /m:Uninstall /r:M,H /dc:mail3.yourdomain.net
Which took a while, but it worked:
The following server roles will be removed
Mailbox Role
Hub Transport Role
Performing Microsoft Exchange Server Prerequisite Check
Hub Transport Role Checks ......................... COMPLETED
Configuring Microsoft Exchange Server
Mailbox Server Role ......................... COMPLETED
Hub Transport Server Role ......................... COMPLETED
Removing Exchange Files ......................... COMPLETED
The Microsoft Exchange Server setup operation completed successfully
That last “Removing Exchange Files” step took the longest. Then follow with
F:\>setup /m:Uninstall /r:C,T /dc:mail3.yourdomain.net
Which also took a while, but it also worked:
Preparing Exchange Setup
The following server roles will be removed
Client Access Role
Management Tools
Performing Microsoft Exchange Server Prerequisite Check
Client Access Role Checks ......................... COMPLETED
Configuring Microsoft Exchange Server
Client Access server role ......................... COMPLETED
Exchange Management Tools ......................... COMPLETED
Removing Exchange Files ......................... COMPLETED
Now when you run:
Get-ClientAccessServer | fl
You’ll see something much smaller:
RunspaceId : 78075ede-f297-4a9d-92c4-d8cc2dfd72c3
Name : MAIL3
Fqdn : mail3.yourdomain.net
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : mail3
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.yourdomain.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled : True
IrmLogMaxAge : 30.00:00:00
IrmLogMaxDirectorySize : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize : 10 MB (10,485,760 bytes)
IrmLogPath : C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel : Information
MigrationLogFilePath :
MigrationLogMaxAge : 180.00:00:00
MigrationLogMaxDirectorySize : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize : 100 MB (104,857,600 bytes)
IsValid : True
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=MAIL3,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Yourdomain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=yourdomain,DC=net
Identity : MAIL3
Guid : 517ff858-9461-411b-9038-ea4456982cf7
ObjectCategory : yourdomain.net/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 3/1/2012 9:55:37 AM
WhenCreated : 8/19/2011 12:56:16 PM
WhenChangedUTC : 3/1/2012 3:55:37 PM
WhenCreatedUTC : 8/19/2011 5:56:16 PM
OrganizationId :
OriginatingServer : mail3.yourdomain.net
With all traces of MAIL2 gone.
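The uninstall above failed, in turn, on a public folder database, on a connector whose source transport server was the old box, and on mailbox databases, and Get-ClientAccessServer showed the new server still pointing its AutoDiscoverServiceCN at mail2. The following added example (not from the original notes) sweeps those places in one pass before you start setup, so you see the leftovers up front instead of one setup failure at a time. It assumes the Exchange 2010 Management Shell and the NetBIOS name of the server being retired; it is read-only.

```powershell
# Added example, not from the original notes. Lists objects that still reference a
# server being decommissioned. Assumptions: Exchange 2010 Management Shell; $OldServer
# is the old box's NetBIOS name. Nothing is removed; each hit names the cmdlet to
# follow up with.
function Find-OldServerReferences {
    param([Parameter(Mandatory = $true)][string]$OldServer)

    # Emits one result row; $obj is stringified so ADObjectId identities print cleanly.
    $row = { param($where, $obj) New-Object PSObject -Property @{ Where = $where; Object = "$obj" } }

    # The server object itself.
    Get-ExchangeServer | Where-Object { $_.Name -eq $OldServer } |
        ForEach-Object { & $row 'Get-ExchangeServer' $_.Identity }

    # CAS objects: either the old server, or a survivor still advertising its Autodiscover CN.
    Get-ClientAccessServer |
        Where-Object { $_.Name -eq $OldServer -or $_.AutoDiscoverServiceCN -eq $OldServer } |
        ForEach-Object { & $row 'Get-ClientAccessServer (Name or AutoDiscoverServiceCN)' $_.Identity }

    # Send connectors list their source transport servers; this is the "1 connector(s)" failure.
    Get-SendConnector |
        Where-Object { @($_.SourceTransportServers | ForEach-Object { "$_" }) -contains $OldServer } |
        ForEach-Object { & $row 'Get-SendConnector SourceTransportServers' $_.Identity }

    # Receive connectors are bound to one server.
    Get-ReceiveConnector | Where-Object { "$($_.Server)" -eq $OldServer } |
        ForEach-Object { & $row 'Get-ReceiveConnector' $_.Identity }

    # Databases still homed on the old server (the "future version" failure and the
    # public folder replica failure).
    Get-MailboxDatabase | Where-Object { "$($_.Server)" -eq $OldServer } |
        ForEach-Object { & $row 'Get-MailboxDatabase' $_.Identity }
    Get-PublicFolderDatabase | Where-Object { "$($_.Server)" -eq $OldServer } |
        ForEach-Object { & $row 'Get-PublicFolderDatabase' $_.Identity }

    # Offline address books are generated by a named server.
    Get-OfflineAddressBook | Where-Object { "$($_.Server)" -eq $OldServer } |
        ForEach-Object { & $row 'Get-OfflineAddressBook' $_.Identity }
}

# Usage with the constructed name from the notes.
Find-OldServerReferences -OldServer MAIL2 | Format-Table Where, Object -AutoSize
```

An empty table is the state the final Get-ClientAccessServer output above shows. Comparisons use -eq, which is case-insensitive, so "mail2" and "MAIL2" both match. The sweep is not exhaustive (it does not, for instance, look at mailbox users' homeMDB values), but it covers every object the uninstall tripped over in the walkthrough.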
URL redirect http to https – see http, redirect to https
vacation – see out of office
version
Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion
should yield something like
Name : SUN
Edition : Standard
AdminDisplayVersion : Version 8.3 (Build 83.6)
There are different commands depending on which version of Exchange you have.
convert build number to Cumulative Update (CU) number
Whitelist
Individual emails - sender SMTP addresses can be whitelisted using the following shell command.
To set:
set-ContentFilterConfig -BypassedSenders foo@somedomain.com
set-ContentFilterConfig -BypassedSenders sales@yourdomain.com, info@yourdomain.com
Set-ContentFilterConfig -BypassedSenders xx@xx.com, yy@yy.com
To test:
Get-ContentFilterConfig
Entire domains - to whitelist an entire sending domain.
To set:
Set-ContentFilterConfig -BypassedSenderDomains xx.com, yy.com
set-contentfilterconfig -BypassedSenderDomains somedomain.com
To test:
Get-ContentFilterConfig | Format-List BypassedSenderDomains
BypassedSenderDomains : {xx.com, yy.com}
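Two things bite people with the commands above: BypassedSenders wants full SMTP addresses while BypassedSenderDomains wants bare domains, and passing a plain list to either parameter replaces whatever was already on it, so an earlier whitelist entry silently disappears. The following added example (not from the original notes) sorts a mixed list of entries onto the right parameter and appends rather than overwrites. It assumes the @{Add=...} syntax Exchange accepts for multi-valued parameters; the addresses and domains are constructed sample values.

```powershell
# Added example, not from the original notes. Appends to the content filter's
# bypass lists without clobbering existing entries, routing addresses and
# domains to the correct parameter. Assumption: Set-ContentFilterConfig accepts
# @{Add=...} for its multi-valued parameters (standard Exchange shell syntax).
function Add-ContentFilterBypass {
    param([Parameter(Mandatory = $true)][string[]]$Entries)   # mix of "user@domain" and "domain"

    # Exactly one "@" with something on both sides: treat as an address.
    $addresses = @($Entries | Where-Object { $_ -match '^[^@\s]+@[^@\s]+$' })
    # No "@" at all: treat as a domain.
    $domains   = @($Entries | Where-Object { $_ -notmatch '@' -and $_ -match '^\S+$' })
    # Anything else (e.g. "a@b@c", empty strings) is refused rather than guessed at.
    $rejected  = @($Entries | Where-Object { $addresses -notcontains $_ -and $domains -notcontains $_ })

    foreach ($bad in $rejected) { Write-Warning "Skipping unrecognised entry '$bad'" }

    if ($addresses.Count -gt 0) {
        Set-ContentFilterConfig -BypassedSenders @{Add = $addresses}
    }
    if ($domains.Count -gt 0) {
        Set-ContentFilterConfig -BypassedSenderDomains @{Add = $domains}
    }

    # Read back both lists, which is the "To test" step from the notes.
    Get-ContentFilterConfig | Format-List BypassedSenders, BypassedSenderDomains
}

# Usage with constructed sample values: two addresses and two domains in one call.
Add-ContentFilterBypass -Entries 'sales@yourdomain.com', 'info@yourdomain.com', 'xx.com', 'yy.com'
```

Use @{Remove=...} in the same position to take an entry back off a list. Whitelisting a whole sending domain bypasses content filtering for anything claiming that domain, so keep the domain list short and prefer individual addresses where that is practical.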
wildcard – see catch-all
10154 - WinRM service failed to create the following SPNs
dsacls "CN=AdminSDHolder,CN=System,DC=yourdomainname,DC=tld" /G "S-1-5-20:WS;Validated write to service principal name"
where you substitute something like “com” or “net” for “tld”