Tag Archives: Exchange 2010

Error FileAccessDenied (JET_errFileAccessDenied …)

I ran into the following message when running an operation on one of my Exchange databases: Operation terminated with error -1032 (JET_errFileAccessDenied, Cannot access file, the file is locked or in use) after 10.79 seconds.

The operation I was attempting was an integrity check on a database (ESEUTIL /G database_filename.edb). When this failed with the error above, I verified that the database was dismounted and that my antivirus scanner was not locking the file.

It took me a little bit of time but I soon realized that the temp file for the database would be on my system volume, which did not have the space required to run this operation.

That said I ran the command again; this time specifying a location for the temp file. That command looks something like this:

ESEUTIL /G database_filename.edb /TE:\Mailbox\Temp\thisismytempfile.edb

Please note that there is no space used after the command switch /T

For more info on the ESEUTIL: http://support.microsoft.com/kb/192185

Unresolved Error: Server 2012 – Event 1000, Application Error

I came across an issue with my Windows Server 2012 / Exchange 2013 RU2 Server. After an unexpected shutdown message I was able to find out that the faulting application which caused the reboot was LSASS.

There was an event message in the system event log of:

The process wininit.exe has initiated the restart of computer EXSERVER on behalf of user for the following reason: No title for this reason could be found
Reason Code: 0x50006
Shutdown Type: restart
Comment: The system process ‘C:\Windows\system32\lsass.exe’ terminated unexpectedly with status code 255. The system will now shut down and restart.

Later found in the application log, event 1000 application error:

Faulting application name: lsass.exe, version: 6.2.9200.16384, time stamp: 0x50108ab2
Faulting module name: schannel.DLL, version: 6.2.9200.16384, time stamp: 0x5010892c
Exception code: 0xc0000409
Fault offset: 0x000000000001a73a
Faulting process id: 0x224
Faulting application start time: 0x01ce7f8a27d7e7ff
Faulting application path: C:\Windows\system32\lsass.exe
Faulting module path: C:\Windows\system32\schannel.DLL
Report Id: c2142447-f4f2-11e2-9404-000c299625b9
Faulting package full name:
Faulting package-relative application ID:

Looking into the Exception code: 0xc0000409 only tells me that the application experienced an event it could not handle and crashed, causing Windows to reboot.

Another bit of info I will keep in mind is right before this issue there were several Application Events, Event 4002, MSExchangeIS that reads:

Microsoft Exchange Information Store service has promoted the following properties (65F3, 65E9, 0E99, 0E9A) for mailbox (59bfe395-06d4-4407-8d6c-4f763e37e698) and folder (Inbox <hidden>) with session client type (Migration).

This so happens to be during a migration period where I am moving mailboxes from Exchange 2010 to Exchange 2013 RU2. It has me also wondering if items from one of the legacy mailboxes have some form of corruption within them which may be the root cause of this.

For now this is unresolved and I will keep an eye on it. If you know of this issue please hit me up via email jermsmit ( at ) gmail (dot) (com).

Thanks

Freeware Active Directory, Exchange, Lync provisioning tool

I can’t wait to play with this free software called Z-Hire. Z-Hire is an employee provisioning tool that handles account creation in Active Directory, Exchange, and Lync. With just a few simple clicks (one click), accounts for Active Directory, Exchange, and Lync will be created.

Z-Hire doesn’t just assist account administrators with creating new accounts; it simplifies account closures. Z-Hire can even create accounts in Office 365 and SalesForce. So take a look at it. I am sure you will find it very useful. Best of all, it’s free.

Link to help info:

http://www.zohno.com/docs/Z-Hire_V4_Administration_Guide.pdf

http://www.zohno.com/docs/Z-Term_V4_Administration_Guide.pdf

Download Z-Hire from TechNet

 

System Requirements
- Windows 7 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)
- Windows Server 2008 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)
- Windows Server 2008 R2 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)

Permission Requirements
- Ability to create Active Directory user
- Ability to create Exchange Mailbox
- Ability to create / enable Lync user

Supported Environments
- Active Directory (all versions)
- Exchange 2007 (all versions)
- Exchange 2010 / 2013 (all versions)
- Lync 2010 / 2013 (both Standard and Enterprise versions)
- Office 365 Cloud
- SalesForce CRM Cloud

Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.”

In my previous post I was banging my head over an Exchange 2013 issue. I was able to finally resolve it. And it took some steps to do so…

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.”

After an Exchange 2013 install I found myself having issues with sending emails between two Exchange Servers; 2010 and 2013. The messages on both servers seem to be stuck in the mail queue.

Full message reads: 451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

This issue existed because the Exchange servers could not authenticate with one another. This type of authentication is required for Exchange to route email internally. The respective servers use the X-EXPS command to authenticate. This error will happen when servers don’t have this method of authentication enabled.

In my case this wasn’t true, however there was another issue preventing the X-EXPS command from being passed and that was our Cisco security appliance/router. In fact the Extended SMTP verbs X-ANONYMOUSTLS, X-EXPS, and GSSAPI must be able to pass. I will get to this a bit later…

In my adventure to troubleshoot this issue the following was done (thank you Microsoft for providing details). While useful, these steps did not directly solve the overall issue. They are below.

 

Step 1 – Enable Exchange Authentication on Receive Connectors

For Microsoft Exchange Server 2013 remote servers:

  1. Go to the following website to access the Exchange Administration Center (EAC): https://<CAS>/ECP
  2. Sign in to the EAC by using the administrator account.
  3. Click mail flow.
  4. Click receive connectors.
  5. In the Select server box, select the remote Exchange server that the email message should be sent to. Note: To determine the correct Exchange server, review the send protocol logs from the server that the email message is stuck in.
  6. Select the receive connector and then click Edit. Note: Typically, the receive connector is the Default server_name receive connector for the remote Exchange server.
  7. Click security, and under Authentication, make sure that the Exchange Server Authentication check box is selected.

For Microsoft Exchange Server 2007 or 2010 remote servers:

  1. Start Exchange Management Console.
  2. Expand Server Configuration and then click Hub Transport.
  3. Click the Receive Connectors tab.
  4. Locate the remote Exchange server receive connector that the e-mail message is trying to be sent to.
  5. Right-click the receive connector and then click Properties.
  6. On the Authentication tab, make sure that the Exchange Server authentication check box is selected.

For Microsoft Exchange Server 2003 remote servers:

  1. Start Exchange System Management.
  2. Expand the Servers container.
  3. Under the problematic remote Exchange server, locate the Protocols container.
  4. Expand the Protocols container, right-click SMTP.
  5. Right-click Default SMTP Virtual Server and then click Properties.
  6. Click the Access tab and then click Authentication.
  7. Make sure that the Integrated Windows Authentication check box is selected.

As I mentioned above this did not resolve my issue as this was already enabled, so I went onto the next step in troubleshooting the problem.

 

Step 2 – Event ID 12014 (MSExchangeTransport)

I had (for some time) many errors in my Application Event Log referencing the ID of 12014, where the TLS Certificate for SMTP was no longer valid. Event message below.

Log Name:      Application
Source:        MSExchangeTransport
Date:          7/3/2013 4:30:06 PM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      exchange.jermsmit.com

Description:

Microsoft Exchange could not find a certificate that contains the domain name mail.jermsmit.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector To Internet with a FQDN parameter of mail.jermsmit.com. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

To correct this issue I needed to open the Exchange Power Shell on my Exchange 2010 server and enter the following: New-ExchangeCertificate -DomainName mail.jermsmit.com -Services SMTP, followed by a restart of the Transport Services (I did this on both).

I tested out my change and now the event error message is gone however I am still unable to send email between the Exchange Servers.

 

Step 3 – Back to the basics

I later logged into each Exchange Host (2010/2013) and used telnet to connect to the respective host’s SMTP address. I got a response: 220**************************************************** but this was not the proper response for an Exchange SMTP.

Then it was apparent that a firewall was blocking the communication between one Exchange host and the other. In my case it was a Cisco ASA which has a mailguard feature turned on. The Auth and Auth login commands (Extended Simple Mail Transfer Protocol [ESMTP] commands) are stripped by the firewall.

So the logical thing was to turn it off. This was done by entering the following command:
no fixup protocol smtp 25

Once this command was issued I restarted the transport services on each host and to use an old coined phrase “You Got Mail” I was back in business.
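
The telnet check from Step 3, scripted as an added example (not from the original post): it captures the banner and EHLO reply on port 25 and flags a masked banner or missing X-ANONYMOUSTLS, X-EXPS and GSSAPI verbs. The function names, the sample captures and the example.test host names are constructed for illustration.

```powershell
# Added example, compatible with PowerShell 2.0 and later.
function Get-SmtpEhloReply {
    param([string]$Server, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000                       # milliseconds
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $lines = @()
        # Multi-line SMTP replies use "NNN-" on every line except the last.
        do { $l = $reader.ReadLine(); if ($l) { $lines += $l } } while ($l -match '^\d{3}-')
        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        do { $l = $reader.ReadLine(); if ($l) { $lines += $l } } while ($l -match '^\d{3}-')
        $writer.WriteLine('QUIT')
        return $lines
    } finally { $client.Close() }
}

# Classify a captured reply: asterisk-only banner, or Exchange verbs not advertised.
function Test-ExchangeSmtpReply {
    param([string[]]$Lines,
          [string[]]$RequiredVerbs = @('X-ANONYMOUSTLS', 'X-EXPS', 'GSSAPI'))
    $banner = $Lines | Where-Object { $_ -match '^220' } | Select-Object -First 1
    $masked = [bool]($banner -match '^220[ -]?\*+\s*$')
    $tokens = @(foreach ($l in $Lines) {
        if ($l -match '^250[ -](.+)$') { $Matches[1].Trim().ToUpperInvariant() -split '\s+' }
    })
    $missing = @($RequiredVerbs | Where-Object { $tokens -notcontains $_ })
    New-Object PSObject -Property @{
        BannerMasked   = $masked
        MissingVerbs   = $missing
        LikelyFiltered = ($masked -or $missing.Count -gt 0)
    }
}

# Constructed captures for illustration (host names and addresses are placeholders).
$filtered = @(
    '220****************************************************',
    '250-mail.example.test Hello [192.0.2.10]',
    '250 8BITMIME'
)
$direct = @(
    '220 mail.example.test Microsoft ESMTP MAIL Service ready',
    '250-mail.example.test Hello [192.0.2.10]',
    '250-X-ANONYMOUSTLS',
    '250-X-EXPS GSSAPI NTLM',
    '250 XSHADOW'
)
Test-ExchangeSmtpReply -Lines $filtered   # capture taken through the inspecting firewall
Test-ExchangeSmtpReply -Lines $direct     # capture taken with nothing in the path
# Live: Test-ExchangeSmtpReply -Lines (Get-SmtpEhloReply -Server 'exch2013.example.test')
```

Run the live form from each Exchange host against the other, since the filtering device may sit in only one direction of the path.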

 

Info Resources:

http://support.microsoft.com/kb/979175

http://technet.microsoft.com/en-us/library/bb123786(v=exchg.65).aspx

http://support.microsoft.com/kb/320027

 

Exchange 2010 SP3 Upgrade Error

I just got finished with upgrading my Exchange 2010 Server to SP3 in preparation for next week’s online of Exchange 2013. During the service pack upgrade I encountered a few issues:

  1. After the prerequisite test the upgrade failed due to my antivirus software
  2. Upgrade failed due to the Exchange MMC being open in another user’s session
  3. Upgrade in a bad state after the two failures above

During the upgrade some of the roles had updated and my install was failing on the mailbox role. Exchange would not continue the upgrade process. To fix this I needed to delete an entry from the registry.

These are the steps I had taken:

  1. Opened regedit (Start > Run)
  2. Browsed to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14
  3. Listed here are each role; Hub Transport, Client Access, Mailbox – I looked for the following: action and watermark entries and deleted them. In my case they only existed under the Mailbox role.
  4. Rebooted Server
  5. Started the Exchange 2010 SP3 Upgrade

This completed with success. After the completion of the upgrade I gave my server a restart and once online and all services running tested via my Outlook Client, Outlook Web Access, and via Mobile Devices to ensure Exchange was running as expected.

I hope this saves you some time if you are attempting this or looking for a solution.

How To Create Shared Mailbox In Exchange 2010

Open the Exchange Shell and type the following command:
New-Mailbox shared -Shared -UserPrincipalName shared@jermsmit.com

If the mailbox was already a user mailbox and you are converting to shared type the following command:
Set-Mailbox -Identity shared@jermsmit.com -Type Shared

You can now verify that the box is indeed a shared mailbox by typing the following command:
Get-Mailbox -Identity shared@jermsmit.com | Format-List RecipientTypeDetails

Removing an auto-mapped mailbox

In Exchange Server 2010 SP1, a shared mailbox with full access rights will be auto-mapped to the users given such rights. This is fine for the user who doesn’t know how to add an additional mailbox to their Outlook 2007, 2010, or 2013 client. But what about support and systems admins who grant themselves access for troubleshooting and find out later that they are stuck with a new folder in Outlook that can’t be removed?

Well, we never say “can’t”. So what you need to do to remove the auto-mapping attribute is reach out to the administrator if you are not one, or, if you are, find your way to the Exchange Management Shell and issue the following command:

Add-MailboxPermission -Identity <shared mailbox alias> -User <your mailbox alias> -AccessRights FullAccess -InheritanceType All -Automapping $false

Once this command is run the additional mailbox will automatically be removed.

Reference: Disable Outlook Auto-Mapping with Full Access

Issue: Outlook Address Book Not Updating

Symptoms:

New users added to Exchange 2010 do not show up in global address book

Tests Performed:

1. Searched for new users from Outlook – This failed
2. Searched for new users from OWA – This works
3. Put Outlook in non-cached mode and searched – this worked

Suspected Problem:

Offline Address Book Generation is not happening – Possible cause, resources (memory) on host server, service failure.

Steps Taken: *note* I have seen this before so I know where I am looking first

1. Stop the Microsoft Exchange File Distribution Service

2. Stop the Microsoft Exchange Address Book

3. Clear the files from ‘C:\Program Files\Microsoft\Exchange Server\V14\ExchangeOAB’, putting them into a backup folder of some sort.

4. Restart the services above.

5. To get the OAB to generate immediately, run the following command: Update-OfflineAddressbook “name of offline address book”. You may encounter an issue stating that the System Attendant Service is not running or you do not have permission. Make sure (1) you are running the Exchange Management Shell as Administrator and (2) the System Attendant Service is running. *note* The service is named “Microsoft Exchange System Attendant”.

6. You will now notice that the GUIDs and files have started to populate under the ExchangeOAB folder.

Follow-up Testing that things now work:

1. Exit Outlook and delete the Offline Address Book cache from ‘C:\Users\%user profile%\AppData\Local\Microsoft\Outlook\Offline Address Books’

2. Open Outlook again; the cache should repopulate at this point.

3. Open a new email message or click the Address Book and search for the person(s) who were not showing previously.

Conclusion:

The Outlook Client failed to download an updated copy of the Offline Address Book because the services have stopped functioning. I was unable to obtain errors in the event logs regarding this, however having experienced this in the past it has become suspect.

- For Darlene

Simple Exchange 2010 Database White Space Report

I was looking at some of my databases on Exchange that seemed to be very large in size, so my first thought was that an offline defrag may be needed, but before I reach that point I wanted to know how much ‘slack’ or white space existed in each of my Exchange databases.

This was done by using the following command syntax in the Exchange Management Shell:

Get-MailboxDatabase -Status | Select-Object Server,Name,AvailableNewMailboxSpace

To export this into a CSV format the following can also be done, so that you can give to any management members for review of your findings:

Get-MailboxDatabase -Status | Select-Object Server,Name,AvailableNewMailboxSpace | Export-Csv C:\work\white_space_report.csv -Force -NoTypeInformation

Next, I may find a way to setup this to email a weekly report…

Exchange 2010 SP2 | Mailbox Export Request


Exchange 2010 has many improvements. As we know, when things change they do not often stay the same. In this case, the change is in the method used to export Exchange mailboxes to PST files. Back in a previous post I went over the steps of exporting a mailbox to PST. To do this, all you needed was a system with the Exchange 2007 tools and Office installed. This has changed in Exchange 2010 SP2. I note SP2 because this is what I am using, and the methods have changed from the initial release.

In Exchange 2010, you first need to be assigned the “Mailbox Import Export” role to import or export email boxes.  To assign the “Mailbox Import Export” role to an individual user, use the following syntax:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User jsmith

To assign the “Mailbox Import Export” role to a Windows security group, use the following syntax:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup Administrators

In addition to the “Mailbox Import Export” role, the user who will actually perform the export / import must also be a member of the local Administrators group on the Exchange server on which the export operation is taking place.

To run the command to export the mailbox we need to open the EMC and run the following command:

New-MailboxExportRequest -Mailbox jermsmit -FilePath "\\SERVER\Folder_Name\PSTBackup.pst"

You need to grant read/write (full) permission to the group Exchange Trusted Subsystem to the network share where you’ll export or import mailboxes. If you don’t grant this permission, you’ll receive an error message stating that Exchange is unable to establish a connection to the target mailbox.

With this new method, the requirement for Office to be installed no longer exists and Exchange 2010 queues up the backup to the UNC folder path specified.

- Jermal